WO2024017798A1 - Fourniture de preuve et vérification de données d'entrée - Google Patents

Fourniture de preuve et vérification de données d'entrée Download PDF

Info

Publication number
WO2024017798A1
WO2024017798A1 PCT/EP2023/069699 EP2023069699W WO2024017798A1 WO 2024017798 A1 WO2024017798 A1 WO 2024017798A1 EP 2023069699 W EP2023069699 W EP 2023069699W WO 2024017798 A1 WO2024017798 A1 WO 2024017798A1
Authority
WO
WIPO (PCT)
Prior art keywords
transaction
data
output
blockchain
midstate
Prior art date
Application number
PCT/EP2023/069699
Other languages
English (en)
Inventor
Michaella PETTIT
Original Assignee
Nchain Licensing Ag
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from GBGB2210764.3A external-priority patent/GB202210764D0/en
Priority claimed from GBGB2219575.4A external-priority patent/GB202219575D0/en
Application filed by Nchain Licensing Ag filed Critical Nchain Licensing Ag
Publication of WO2024017798A1 publication Critical patent/WO2024017798A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/645Protecting data integrity, e.g. using checksums, certificates or signatures using a third party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Definitions

  • the present disclosure relates to proving to a verifier that at least one data section is part of an input to a function, which outputs an output value when receiving the input, without revealing at least one further data section of the input to the verifier.
  • the present disclosure also relates to verifying that at least one data section is part of an input to a function, which outputs an output value when receiving the input, without knowledge of at least one further data section of the input.
  • a blockchain refers to a form of distributed data structure, wherein a duplicate copy of the blockchain is maintained at each of a plurality of nodes in a distributed peer-to-peer (P2P) network (referred to below as a "blockchain network") and widely publicised.
  • the blockchain comprises a chain of blocks of data, wherein each block comprises one or more transactions.
  • Each transaction other than so-called “coinbase transactions”, points back to a preceding transaction in a sequence which may span one or more blocks going back to one or more coinbase transactions.
  • Coinbase transactions are discussed further below. Transactions that are submitted to the blockchain network are included in new blocks.
  • New blocks are created by a process often referred to as “mining”, which involves each of a plurality of the nodes competing to perform "proof-of-work", i.e. solving a cryptographic puzzle based on a representation of a defined set of ordered and validated pending transactions waiting to be included in a new block of the blockchain.
  • mining involves each of a plurality of the nodes competing to perform "proof-of-work", i.e. solving a cryptographic puzzle based on a representation of a defined set of ordered and validated pending transactions waiting to be included in a new block of the blockchain.
  • the blockchain may be pruned at some nodes, and the publication of blocks can be achieved through the publication of mere block headers.
  • the transactions in the blockchain may be used for one or more of the following purposes: to convey a digital asset (i.e. a number of digital tokens), to order a set of entries in a virtualised ledger or registry, to receive and process timestamp entries, and/or to time-order index pointers.
  • a blockchain can also be exploited in order to layer additional functionality on top of the blockchain.
  • blockchain protocols may allow for storage of additional user data or indexes to data in a transaction.
  • the data structure of a given transaction comprises one or more inputs and one or more outputs.
  • Any spendable output comprises an element specifying an amount of the digital asset that is derivable from the proceeding sequence of transactions.
  • the spendable output is sometimes referred to as a UTXO ("unspent transaction output").
  • the output may further comprise a locking script specifying a condition for the future redemption of the output.
  • a locking script is a predicate defining the conditions necessary to validate and transfer digital tokens or assets.
  • Each input of a transaction (other than a coinbase transaction) comprises a pointer (i.e.
  • a reference to such an output in a preceding transaction, and may further comprise an unlocking script for unlocking the locking script of the pointed-to output.
  • the first transaction comprises at least one output specifying an amount of the digital asset, and comprising a locking script defining one or more conditions of unlocking the output.
  • the second, target transaction comprises at least one input, comprising a pointer to the output of the first transaction, and an unlocking script for unlocking the output of the first transaction.
  • one of the criteria for validity applied at each node will be that the unlocking script meets all of the one or more conditions defined in the locking script of the first transaction. Another will be that the output of the first transaction has not already been redeemed by another, earlier valid transaction. Any node that finds the target transaction invalid according to any of these conditions will not propagate it (as a valid transaction, but possibly to register an invalid transaction) nor include it in a new block to be recorded in the blockchain.
  • An alternative type of transaction model is an account-based model.
  • each transaction does not define the amount to be transferred by referring back to the UTXO of a preceding transaction in a sequence of past transactions, but rather by reference to an absolute account balance.
  • the current state of all accounts is stored by the nodes separate to the blockchain and is updated constantly.
  • a method of proving to a verifier that at least one data section is part of an input to a function, which outputs an output value when receiving the input, without revealing at least one further data section of the input to the verifier the method performed on a computing device and comprising: creating a first transaction, the first transaction comprising: a locking script comprising at least one set of commands, wherein each of the at least one set of commands in the locking script is associated with an operation performed on a respective one of the at least one data section to be revealed to the verifier, and each of the at least one set of commands in the locking script enforces that the first transaction is in an unlocking script in a second transaction; a further locking script comprising at least one set of commands, wherein each of the at least one set of commands in the further locking script is associated with an operation performed on a respective one of the at least one further data section to be hidden from the verifier, and each of the at least one set of commands in the further locking script enforces that the first transaction is
  • a method of verifying that at least one data section is part of an input to a function, which outputs an output value when receiving the input, without knowledge of at least one further data section of the input the method performed on a verifying computing device associated with a verifier and comprising: receiving a first transaction; verifying that the first transaction comprises a locking script comprising at least one set of commands, wherein each of the at least one set of commands in the locking script is associated with an operation performed on a respective one of the at least one data section to be revealed to the verifier, and each of the at least one set of commands in the locking script enforces that the first transaction is in an unlocking script in a second transaction; verifying that the first transaction comprises a further locking script comprising at least one set of commands, wherein each of the at least one set of commands in the further locking script is associated with an operation performed on a respective one of at least one further data section to be hidden from the verifier, and each of the at least one set of commands in the further locking script enforce
  • a method of proving a calculation included a hidden data section of an input data comprising the steps of: generating a first and second transaction, wherein the first and/or second transaction comprise a first midstate (midi), the second midstate (mid2), and a final value (outl); the second transaction comprising unlocking scripts that unlock at least a subset of the locking scripts of the first transaction; and broadcasting the first and second transactions to the blockchain, obtaining confirmation data that the second transaction is included on the blockchain, generating a proof to prove that the input data, including the hidden data section, was used to generate the final value, the proof comprising: (i) a third midstate (midr X 2) associated with the second transaction, the third midstate computed based on partially conducting a further hash function (partialSHA256) of at least the section of the second transaction comprising the hidden data section (lcf 2> ); (ii) the remainder of the data of the second transaction that was not included in the calculation of the third
  • a method of verifying a hash function output without accessing the preimage to said hash function comprising the steps of: obtaining a proof comprising (i) a third midstate (midrxz) associated with a second transaction, the third midstate computed based on partially conducting a hash function (partialSHA256) of at least a section of the second transaction comprising a data section hidden to a verifier (lcf 2> ); (ii) the remainder of the second transaction that was not included in the calculation of the third midstate (PPITX2); (iii) a blockchain confirmation proof (Proofrxz), and (iv) a first transaction, determining a transcation id of the first transaction and that the second transaction spends at least a subset of the outputs of the first transaction, determining that, upon execution of each associated locking and unlocking scripts of the first and second transactions, a hash of an input data is calculated, determining a transcation id of
  • Figure 1 is a schematic block diagram of a system for implementing a blockchain
  • Figure 2 schematically illustrates some examples of transactions which may be recorded in a blockchain
  • Figure 3A is a schematic block diagram of a client application
  • Figure 3B is a schematic mock-up of an example user interface that may be presented by the client application of Figure 3A;
  • Figure 3c is a schematic block diagram of some node software for processing transactions
  • Figure 4 illustrates a first and second transaction message
  • Figure 5 illustrates a Merkle-Damgard construction of a hash function
  • Figure 6 illustrates a format of first and second transactions
  • Figure 7 illustrates a method performed on a proving computing device
  • Figure 8 illustrates an example first transaction
  • Figure 9 illustrates an example second transaction
  • Figure 10 illustrates how a proof is generated using the example second transaction shown in Figure 9;
  • Figure 11 illustrates another example second transaction
  • Figure 12 illustrates how a proof is generated using the example second transaction shown in Figure 11;
  • Figure 13 illustrates a method performed on a verifying computing device
  • Figure 14 illustrates a generalized structure of a first transaction
  • Figure 15 illustrates a generalized structure of a second transaction.
  • Figures 16A to 161 illustrate example transaction layouts according to further example embodiments.
  • EXAMPLE SYSTEM OVERVIEW Figure 1 shows an example system 100 for implementing a blockchain 150.
  • the system 100 may comprise a packet-switched network 101, typically a wide-area internetwork such as the Internet.
  • the packet-switched network 101 comprises a plurality of blockchain nodes 104 that may be arranged to form a peer-to-peer (P2P) network 106 within the packet-switched network 101.
  • P2P peer-to-peer
  • the blockchain nodes 104 may be arranged as a near-complete graph. Each blockchain node 104 is therefore highly connected to other blockchain nodes 104.
  • Each blockchain node 104 comprises computer equipment of a peer, with different ones of the nodes 104 belonging to different peers.
  • Each blockchain node 104 comprises processing apparatus comprising one or more processors, e.g. one or more central processing units (CPUs), accelerator processors, application specific processors and/or field programmable gate arrays (FPGAs), and other equipment such as application specific integrated circuits (ASICs).
  • Each node also comprises memory, i.e. computer- readable storage in the form of a non-transitory computer-readable medium or media.
  • the memory may comprise one or more memory units employing one or more memory media, e.g. a magnetic medium such as a hard disk; an electronic medium such as a solid-state drive (SSD), flash memory or EEPROM; and/or an optical medium such as an optical disk drive.
  • the blockchain 150 comprises a chain of blocks of data 151, wherein a respective copy of the blockchain 150 is maintained at each of a plurality of blockchain nodes 104 in the distributed or blockchain network 106.
  • maintaining a copy of the blockchain 150 does not necessarily mean storing the blockchain 150 in full. Instead, the blockchain 150 may be pruned of data so long as each blockchain node 150 stores the block header (discussed below) of each block 151.
  • Each block 151 in the chain comprises one or more transactions 152, wherein a transaction in this context refers to a kind of data structure. The nature of the data structure will depend on the type of transaction protocol used as part of a transaction model or scheme. A given blockchain will use one particular transaction protocol throughout.
  • a blockchain node 104 may be configured to forward transactions 152 to other blockchain nodes 104, and thereby cause transactions 152 to be propagated throughout the network 106.
  • a blockchain node 104 may be configured to create blocks 151 and to store a respective copy of the same blockchain 150 in their respective memory.
  • a blockchain node 104 may also maintain an ordered set (or "pool") 154 of transactions 152 waiting to be incorporated into blocks 151.
  • the ordered pool 154 is often referred to as a "mempool”. This term herein is not intended to limit to any particular blockchain, protocol or model. It refers to the ordered set of transactions which a node 104 has accepted as valid and for which the node 104 is obliged not to accept any other transactions attempting to spend the same output.
  • the (or each) input comprises a pointer referencing the output of a preceding transaction 152i in the sequence of transactions, specifying that this output is to be redeemed or "spent" in the present transaction 152j.
  • the preceding transaction could be any transaction in the ordered set 154 or any block 151.
  • the preceding transaction 152i need not necessarily exist at the time the present transaction 152j is created or even sent to the network 106, though the preceding transaction 152i will need to exist and be validated in order for the present transaction to be valid.
  • preceding refers to a predecessor in a logical sequence linked by pointers, not necessarily the time of creation or sending in a temporal sequence, and hence it does not necessarily exclude that the transactions 152i, 152j be created or sent out-of-order (see discussion below on orphan transactions).
  • the preceding transaction 152i could equally be called the antecedent or predecessor transaction.
  • each of the blockchain nodes 104 takes the form of a server comprising one or more physical server units, or even whole a data centre.
  • any given blockchain node 104 could take the form of a user terminal or a group of user terminals networked together.
  • the memory of each blockchain node 104 stores software configured to run on the processing apparatus of the blockchain node 104 in order to perform its respective role or roles and handle transactions 152 in accordance with the blockchain node protocol. It will be understood that any action attributed herein to a blockchain node 104 may be performed by the software run on the processing apparatus of the respective computer equipment.
  • the node software may be implemented in one or more applications at the application layer, or a lower layer such as the operating system layer or a protocol layer, or any combination of these.
  • Any given blockchain node may be configured to perform one or more of the following operations: validating transactions, storing transactions, propagating transactions to other peers, performing consensus (e.g. proof-of-work) / mining operations.
  • each type of operation is performed by a different node 104. That is, nodes may emphasize in particular operation. For example, a node 104 may focus on transaction validation and propagation, or on block mining.
  • a blockchain node 104 may perform more than one of these operations in parallel. Any reference to a blockchain node 104 may refer to an entity that is configured to perform at least one of these operations.
  • Some or all of the parties 103 may be connected as part of a different network, e.g. a network overlaid on top of the blockchain network 106.
  • Users of the blockchain network (often referred to as “clients") may be said to be part of a system that includes the blockchain network 106; however, these users are not blockchain nodes 104 as they do not perform the roles required of the blockchain nodes. Instead, each party 103 may interact with the blockchain network 106 and thereby utilize the blockchain 150 by connecting to (i.e. communicating with) a blockchain node 106.
  • Two parties 103 and their respective equipment 102 are shown for illustrative purposes: a first party 103a and his/her respective computer equipment 102a, and a second party 103b and his/her respective computer equipment 102b. It will be understood that many more such parties 103 and their respective computer equipment 102 may be present and participating in the system 100, but for convenience they are not illustrated.
  • Each party 103 may be an individual or an organization. Purely by way of illustration the first party 103a is referred to herein as Alice and the second party 103b is referred to as Bob, but it will be appreciated that this is not limiting and any reference herein to Alice or Bob may be replaced with "first party" and "second "party” respectively.
  • the computer equipment 102 of each party 103 comprises respective processing apparatus comprising one or more processors, e.g. one or more CPUs, GPUs, other accelerator processors, application specific processors, and/or FPGAs.
  • the computer equipment 102 of each party 103 further comprises memory, i.e. computer-readable storage in the form of a non-transitory computer-readable medium or media.
  • This memory may comprise one or more memory units employing one or more memory media, e.g. a magnetic medium such as hard disk; an electronic medium such as an SSD, flash memory or EEPROM; and/or an optical medium such as an optical disc drive.
  • the memory on the computer equipment 102 of each party 103 stores software comprising a respective instance of at least one client application 105 arranged to run on the processing apparatus.
  • any action attributed herein to a given party 103 may be performed using the software run on the processing apparatus of the respective computer equipment 102.
  • the computer equipment 102 of each party 103 comprises at least one user terminal, e.g. a desktop or laptop computer, a tablet, a smartphone, or a wearable device such as a smartwatch.
  • the computer equipment 102 of a given party 103 may also comprise one or more other networked resources, such as cloud computing resources accessed via the user terminal.
  • the client application 105 may be initially provided to the computer equipment 102 of any given party 103 on suitable computer-readable storage medium or media, e.g.
  • a removable storage device such as a removable SSD, flash memory key, removable EEPROM, removable magnetic disk drive, magnetic floppy disk or tape, optical disk such as a CD or DVD ROM, or a removable optical drive, etc.
  • the client application 105 comprises at least a "wallet” function.
  • This has two main functionalities. One of these is to enable the respective party 103 to create, authorise (for example sign) and send transactions 152 to one or more bitcoin nodes 104 to then be propagated throughout the network of blockchain nodes 104 and thereby included in the blockchain 150. The other is to report back to the respective party the amount of the digital asset that he or she currently owns.
  • this second functionality comprises collating the amounts defined in the outputs of the various 152 transactions scattered throughout the blockchain 150 that belong to the party in question.
  • client functionality may be described as being integrated into a given client application 105, this is not necessarily limiting and instead any client functionality described herein may instead be implemented in a suite of two or more distinct applications, e.g. interfacing via an API, or one being a plug-in to the other. More generally the client functionality could be implemented at the application layer or a lower layer such as the operating system, or any combination of these. The following will be described in terms of a client application 105 but it will be appreciated that this is not limiting.
  • the instance of the client application or software 105 on each computer equipment 102 is operatively coupled to at least one of the blockchain nodes 104 of the network 106. This enables the wallet function of the client 105 to send transactions 152 to the network 106.
  • the client 105 is also able to contact blockchain nodes 104 in order to query the blockchain 150 for any transactions of which the respective party 103 is the recipient (or indeed inspect other parties' transactions in the blockchain 150, since in embodiments the blockchain 150 is a public facility which provides trust in transactions in part through its public visibility).
  • the wallet function on each computer equipment 102 is configured to formulate and send transactions 152 according to a transaction protocol.
  • each blockchain node 104 runs software configured to validate transactions 152 according to the blockchain node protocol, and to forward transactions 152 in order to propagate them throughout the blockchain network 106.
  • the transaction protocol and the node protocol correspond to one another, and a given transaction protocol goes with a given node protocol, together implementing a given transaction model.
  • the same transaction protocol is used for all transactions 152 in the blockchain 150.
  • the same node protocol is used by all the nodes 104 in the network 106.
  • An alternative type of transaction protocol operated by some blockchain networks may be referred to as an "account-based" protocol, as part of an account-based transaction model.
  • each transaction does not define the amount to be transferred by referring back to the UTXO of a preceding transaction in a sequence of past transactions, but rather by reference to an absolute account balance.
  • the current state of all accounts is stored, by the nodes of that network, separate to the blockchain and is updated constantly.
  • transactions are ordered using a running transaction tally of the account (also called the "position" or “nonce”).
  • This value is signed by the sender as part of their cryptographic signature and is hashed as part of the transaction reference calculation.
  • an optional data field may also be signed the transaction. This data field may point back to a previous transaction, for example if the previous transaction ID is included in the data field.
  • Some account-based transaction models share several similarities with the outputbased transaction model described herein. For example, as mentioned above, the data field of an account-based transaction may point back to a previous transaction, which is equivalent to the input of an output-based transaction which references an outpoint a previous transaction. Thus both models enable linking between transactions.
  • an account-based transaction contains a "recipient” field (in which a receiving address of an account is specified) and a "value” field (in which an amount of digital asset may be specified). Together the recipient and value fields are equivalent to the output of an output-based transaction which may be used to assign an amount of digital asset to a blockchain address.
  • an account-based transaction has a "signature" field which includes a signature for the transaction.
  • the signature is generated using the sender's private key and confirms the sender has authorized this transaction.
  • This is equivalent to an input / unlocking script of an output-based transaction which, typically, includes a signature for the transaction.
  • the signatures are checked to determine whether the transaction is valid and can be recorded on the blockchain.
  • a "smart contact” refers to a transaction that contains a script configured to perform one or more actions (e.g. send or "release" a digital asset to a recipient address) in response to one or more inputs (provided by a transaction) meeting one or more conditions defined by the smart contact's script.
  • the smart contract exists as a transaction on the blockchain, and can be called (or triggered) by subsequent transactions.
  • a smart contract may be considered equivalent to a locking script of an output-based transaction, which can be triggered by a subsequent transaction, and checks whether one or more conditions defined by the locking script are met by the input of the subsequent transaction.
  • FIG. 2 illustrates an example transaction protocol.
  • a transaction 152 (abbreviated "Tx") is the fundamental data structure of the blockchain 150 (each block 151 comprising one or more transactions 152). The following will be described by reference to an output-based or "UTXO" based protocol. However, this is not limiting to all possible embodiments. Note that while the example UTXO- based protocol is described with reference to bitcoin, it may equally be implemented on other example blockchain networks.
  • each transaction (“Tx”) 152 comprises a data structure comprising one or more inputs 202, and one or more outputs 203.
  • Each output 203 may comprise an unspent transaction output (UTXO), which can be used as the source for the input 202 of another new transaction (if the UTXO has not already been redeemed).
  • the UTXO includes a value specifying an amount of a digital asset. This represents a set number of tokens on the distributed ledger.
  • the UTXO may also contain the transaction ID of the transaction from which it came, amongst other information.
  • the transaction data structure may also comprise a header 201, which may comprise an indicator of the size of the input field(s) 202 and output field(s) 203.
  • the header 201 may also include an ID of the transaction. In embodiments the transaction ID is the hash of the transaction data (excluding the transaction ID itself) and stored in the header 201 of the raw transaction 152 submitted to the nodes 104.
  • Txl Alice's new transaction 152j
  • the preceding transaction 152i is labelled "TxO" in Figure 2.
  • Tx0 and Txl are just arbitrary labels. They do not necessarily mean that TxO is the first transaction in the blockchain 151, nor that Txl is the immediate next transaction in the pool 154. Txl could point back to any preceding (i.e. antecedent) transaction that still has an unspent output 203 locked to Alice.
  • One of the one or more outputs 203 of the preceding transaction TxO comprises a particular UTXO, labelled here UTXOO.
  • Each UTXO comprises a value specifying an amount of the digital asset represented by the UTXO, and a locking script which defines a condition which must be met by an unlocking script in the input 202 of a subsequent transaction in order for the subsequent transaction to be validated, and therefore for the UTXO to be successfully redeemed.
  • the locking script (aka scriptPubKey) is a piece of code written in the domain specific language recognized by the node protocol. A particular example of such a language is called "Script" (capital S) which is used by the blockchain network.
  • the locking script specifies what information is required to spend a transaction output 203, for example the requirement of Alice's signature. Unlocking scripts appear in the outputs of transactions.
  • the unlocking script (aka scriptSig) is a piece of code written the domain specific language that provides the information required to satisfy the locking script criteria. For example, it may contain Bob's signature. Unlocking scripts appear in the input 202 of transactions.
  • UTXOO in the output 203 of TxO comprises a locking script [Checksig PA] which requires a signature Sig PA of Alice in order for UTXOO to be redeemed (strictly, in order for a subsequent transaction attempting to redeem UTXOO to be valid).
  • [Checksig PA] contains a representation (i.e. a hash) of the public key PA from a public-private key pair of Alice.
  • the input 202 of Txl comprises a pointer pointing back to Txl (e.g. by means of its transaction ID, TxIDO, which in embodiments is the hash of the whole transaction TxO).
  • the input 202 of Txl comprises an index identifying UTXOO within TxO, to identify it amongst any other possible outputs of TxO.
  • the input 202 of Txl further comprises an unlocking script ⁇ Sig PA> which comprises a cryptographic signature of Alice, created by Alice applying her private key from the key pair to a predefined portion of data (sometimes called the "message" in cryptography).
  • the data (or "message") that needs to be signed by Alice to provide a valid signature may be defined by the locking script, or by the node protocol, or by a combination of these.
  • the node applies the node protocol. This comprises running the locking script and unlocking script together to check whether the unlocking script meets the condition defined in the locking script (where this condition may comprise one or more criteria).
  • script code is often represented schematically (i.e. not using the exact language).
  • operation codes opcodes
  • "OP_" refers to a particular opcode of the Script language.
  • OP_RETURN is an opcode of the Script language that when preceded by OP_FALSE at the beginning of a locking script creates an unspendable output of a transaction that can store data within the transaction, and thereby record the data immutably in the blockchain 150.
  • the data could comprise a document which it is desired to store in the blockchain.
  • an input of a transaction contains a digital signature corresponding to a public key PA. In embodiments this is based on the ECDSA using the elliptic curve secp256kl.
  • a digital signature signs a particular piece of data. In some embodiments, for a given transaction the signature will sign part of the transaction input, and some or all of the transaction outputs. The particular parts of the outputs it signs depends on the SIGHASH flag.
  • the SIGHASH flag is usually a 4-byte code included at the end of a signature to select which outputs are signed (and thus fixed at the time of signing).
  • the locking script is sometimes called "scriptPubKey” referring to the fact that it typically comprises the public key of the party to whom the respective transaction is locked.
  • the unlocking script is sometimes called “scriptSig” referring to the fact that it typically supplies the corresponding signature.
  • the scripting language could be used to define any one or more conditions. Hence the more general terms “locking script” and “unlocking script” may be preferred.
  • FIG 3A illustrates an example implementation of the client application 105 for implementing embodiments of the presently disclosed scheme.
  • the client application 105 comprises a transaction engine 401 and a user interface (Ul) layer 402.
  • the transaction engine 401 is configured to implement the underlying transaction-related functionality of the client 105, such as to formulate transactions 152, send transactions to one or more nodes 104 to be propagated through the blockchain network 106, in accordance with the schemes discussed above and as discussed in further detail shortly.
  • the Ul layer 402 is configured to render a user interface via a user input/output (I/O) means of the respective user's computer equipment 102, including outputting information to the respective user 103 via a user output means of the equipment 102, and receiving inputs back from the respective user 103 via a user input means of the equipment 102.
  • the user output means could comprise one or more display screens (touch or non-touch screen) for providing a visual output, one or more speakers for providing an audio output, and/or one or more haptic output devices for providing a tactile output, etc.
  • the user input means could comprise for example the input array of one or more touch screens (the same or different as that/those used for the output means); one or more cursor-based devices such as mouse, trackpad or trackball; one or more microphones and speech or voice recognition algorithms for receiving a speech or vocal input; one or more gesture-based input devices for receiving the input in the form of manual or bodily gestures; or one or more mechanical buttons, switches or joysticks, etc.
  • touch screens the same or different as that/those used for the output means
  • cursor-based devices such as mouse, trackpad or trackball
  • microphones and speech or voice recognition algorithms for receiving a speech or vocal input
  • one or more gesture-based input devices for receiving the input in the form of manual or bodily gestures
  • one or more mechanical buttons, switches or joysticks etc.
  • the functionality of the transaction engine 401 may be implemented in a separate application than the Ul layer 402, or the functionality of a given module such as the transaction engine 401 could be split between more than one application.
  • some or all of the described functionality could be implemented at, say, the operating system layer.
  • Figure 3B gives a mock-up of an example of the user interface (Ul) 500 which may be rendered by the Ul layer 402 of the client application 105a on Alice's equipment 102a. It will be appreciated that a similar Ul may be rendered by the client 105b on Bob's equipment 102b, or that of any other party.
  • Ul user interface
  • FIG. 3B shows the Ul 500 from Alice's perspective.
  • the Ul 500 may comprise one or more Ul elements 501, 502, 502 rendered as distinct Ul elements via the user output means.
  • the Ul elements may comprise one or more user-selectable elements 501 which may be, such as different on-screen buttons, or different options in a menu, or such like.
  • the user input means is arranged to enable the user 103 (in this case Alice 103a) to select or otherwise operate one of the options, such as by clicking or touching the Ul element on-screen, or speaking a name of the desired option (N.B. the term "manual" as used herein is meant only to contrast against automatic, and does not necessarily limit to the use of the hand or hands).
  • the Ul elements may comprise one or more data entry fields 502, through which the user can formulate transactions 152 and send transactions to one or more nodes 104 to be propagated through the blockchain network 106.
  • These data entry fields are rendered via the user output means, e.g. on-screen, and the data can be entered into the fields through the user input means, e.g. a keyboard or touchscreen. Alternatively the data could be received orally for example based on speech recognition.
  • the Ul elements may comprise one or more information elements 503 output to output information to the user. E.g. this/these could be rendered on screen or audibly.
  • Figure 3c illustrates an example of the node software 450 that is run on each blockchain node 104 of the network 106, in the example of a UTXO- or output-based model. Note that another entity may run node software 450 without being classed as a node 104 on the network 106, i.e. without performing the actions required of a node 104.
  • the node software 450 may contain, but is not limited to, a protocol engine 451, a script engine 452, a stack 453, an application-level decision engine 454, and a set of one or more blockchain-related functional modules 455.
  • Each node 104 may run node software that contains one or more of: a consensus module 455C (for example, proof-of-work), a propagation module 455P and a storage module 455S (for example, a database).
  • the consensus module 455C may contain a validation module (not shown) configured to validate transactions according to the blockchain protocol.
  • the validation module may instead be separate from the consensus module 455C.
  • One or more of the modules may operate in parallel.
  • a node 104 may contain additional modules.
  • the protocol engine 401 is typically configured to recognize the different fields of a transaction 152 and process them in accordance with the node protocol. When a transaction 152j (Txj) is received having an input pointing to an output (e.g.
  • the protocol engine 451 identifies the unlocking script in Txj and passes it to the script engine 452.
  • the protocol engine 451 also identifies and retrieves Tx L based on the pointer in the input of Txj.
  • Tx L may be published on the blockchain 150, in which case the protocol engine may retrieve Tx L from a copy of a block 151 of the blockchain 150 stored at the node 104. Alternatively, Tx L may yet to have been published on the blockchain 150. In that case, the protocol engine 451 may retrieve Tx L from the ordered set 154 of unpublished transactions maintained by the nodel04. Either way, the script engine 451 identifies the locking script in the referenced output of Txi and passes this to the script engine 452.
  • the script engine 452 thus has the locking script of Tx L and the unlocking script from the corresponding input of Txj.
  • transactions labelled Tx 0 and Tx ⁇ are illustrated in Figure 2, but the same could apply for any pair of transactions.
  • the script engine 452 runs the two scripts together as discussed previously, which will include placing data onto and retrieving data from the stack 453 in accordance with the stackbased scripting language being used (e.g. Script).
  • the script engine 452 determines whether or not the unlocking script meets the one or more criteria defined in the locking script - i.e. does it "unlock” the output in which the locking script is included? The script engine 452 returns a result of this determination to the protocol engine 451. If the script engine 452 determines that the unlocking script does meet the one or more criteria specified in the corresponding locking script, then it returns the result "true”. Otherwise it returns the result "false”.
  • the result "true” from the script engine 452 is one of the conditions for validity of the transaction.
  • protocol-level conditions evaluated bythe protocol engine 451 that must be met aswell; such as that the total amount of digital asset specified in the output(s) of Txj does not exceed the total amount pointed to by its inputs, and that the pointed-to output of Tx L has not already been spent by another valid transaction.
  • the protocol engine 451 evaluates the result from the script engine 452 together with the one or more protocollevel conditions, and only if they are all true does it validate the transaction Txj.
  • the protocol engine 451 outputs an indication of whether the transaction is valid to the application-level decision engine 454.
  • the decision engine 454 may select to control both of the consensus module 455C and the propagation module 455P to perform their respective blockchain-related function in respect of Txj. This comprises the consensus module 455C adding Txj to the node's respective ordered set of transactions 154 for incorporating in a block 151, and the propagation module 455P forwarding Txj to another blockchain node 104 in the network 106.
  • the application-level decision engine 454 may apply one or more additional conditions before triggering either or both of these functions. E.g. the decision engine may only select to publish the transaction on condition that the transaction is both valid and leaves enough of a transaction fee.
  • true and “false” herein do not necessarily limit to returning a result represented in the form of only a single binary digit (bit), though that is certainly one possible implementation. More generally, “true” can refer to any state indicative of a successful or affirmative outcome, and “false” can refer to any state indicative of an unsuccessful or non-affirmative outcome. For instance in an account-based model, a result of "true” could be indicated by a combination of an implicit, protocol-level validation of a signature and an additional affirmative output of a smart contract (the overall result being deemed to signal true if both individual outcomes are true).
  • PUSHTX is a pseudo-opcode, i.e. it is not a single opcode of a blockchain scripting language (e.g. Script) but rather a collection of opcodes (or functions/commands more generally) that together are configured to perform a corresponding collection of operations when executed.
  • PUSHTX The PUSHTX technique was first disclosed in international patent applications PCT/IB2018/053335, PCT/IB2018/053337, PCT/IB2018/053339, PCT/IB2018/053336, PCT/IB2018/056430, PCT/IB2018/056432 and PCT/IB2018/056431.
  • the core idea of PUSHTX is to generate a signature in-script on a data element on the stack and call OP_CHECKSIG to verify the signature. If it passes, it implies that the message constructed by OP_CHECKSIG is identical to the data element pushed to the stack. Therefore, it achieves the effect of pushing the current spending transaction (i.e.
  • Pushing the current transaction to the stack enables the enforcement of conditions, e.g. by checking that certain fields (e.g. inputs, outputs, locktime, etc.) of the current transaction include certain data, values, opcodes, scripts, etc.
  • a first transaction Tx ⁇ that has a locking script may be created, whereby in order for the locking script to be unlocked, a representation of the spending transaction must be output to memory (e.g. a stack) during execution.
  • the verification sub-script may comprise an OP_CHECKSIG or an OP_CHECKSIGVERIFY opcode that is configured to verify that the signature is valid for the target message.
  • OP_CHECKSIG outputs 1 or 0 to the stack depending on whether the signature is a valid (1) or not (0). 0 indicates that the signature is not valid.
  • OP_CHECKSIGVERIFY consumes the output and causes the execution to fail if it is 0. These opcodes are used to secure transactions in Bitcoin.
  • the opcode Given a locking script in Tx r containing OP_CHECKSIG and a fixed public key PK 1 , the opcode outputs TRUE if a valid signature Sig ⁇ corresponding to PK 1 , and a first transaction message ml is given as an input. The opcode also outputs TRUE if a valid signature Sig 2 corresponding to PK 2 and a second transaction message m2 is given as an input.
  • the first transaction message ml can be considered a "candidate message” and is based on several "candidate fields" of a second transaction Tx 2 , as well as a “candidate first output” of the first transaction Tx ⁇ .
  • the candidate message is a "candidate” in the sense that at the point that it is output to memory, it is not yet known (or at least has not yet been verified in-script) that the candidate message has been constructed based on the actual fields of the second transaction and the actual first output of the first transaction.
  • the candidate fields and the candidate first output are candidates in a similar sense, i.e. that until verified in-script it is not known that they are correct.
  • the second transaction message m2 can be considered a "candidate message” and is based on several "candidate fields" of the second transaction Tx 2 , as well as a "candidate first output" of the first transaction Tx ⁇ .
  • the first transaction message ml is included in an unlocking script of the second transaction Tx 2 .
  • the second transaction message m2 is included in a further unlocking script of the second transaction Tx 2 .
  • the first transaction message ml may comprise a first output of the first transaction Tx ⁇ (e.g. value assigned to the first output, the first locking script of the first output) which is positioned first in an output list, and all contents of the second transaction Tx 2 except all unlocking scripts of the second transaction.
  • the first transaction message ml may comprise at least the first output of the first transaction Tx 1 , all inputs ofthe second transaction excluding unlocking scripts, and an output of the second transaction (e.g. value assigned to the first output, the first locking script of the first output) which is positioned first in an output list of the second transaction Tx 2 .
  • the second transaction message m2 may comprise a second output of the first transaction Tx ⁇ (e.g. value assigned to the second output, the second locking script of the second output) which is positioned second in the output list of the first transaction Tx r , and all contents of the second transaction Tx 2 except all unlocking scripts of the second transaction.
  • the second transaction message m2 may comprise at least the second output of the first transaction Tx lt and all outputs of the second transaction.
  • the signature Sig r input to OP_CHECKSIG is given in the unlocking script of the spending transaction Tx 2 .
  • the first transaction message ml signed by Sig ⁇ depends on fields in the first transaction Tx ⁇ and the spending transaction Tx 2 .
  • the second transaction message m2 signed by Sig 2 depends on fields in the first transaction Tx ⁇ and the spending transaction Tx 2 .
  • the dependence on these fields ensures that the second transaction Tx 2 has not been changed since signing and sending to the Bitcoin network.
  • the unlocking scripts in the second transaction Tx 2 are not signed (e.g. according to Bitcoin rules).
  • the combination of opcodes labelled PUSHTX in a locking script of the first transaction Tx r evaluates to TRUE given a transaction message m of the second transaction Tx 2 as input, where the input of the second transaction Tx 2 is spending the first transaction Tx r .
  • the PUSHTX opcodes construct the transaction message m and provide an output of TRUE/FALSE.
  • the PUSHTX opcodes construct and verify a signature on the transaction message m.
  • the PUSHTX opcodes compute an ECDSA signature sig with the candidate transaction message m as the message (whereby the transaction message m is extracted from an unlocking script of the second transaction Tx 2 ⁇
  • the PUSHTX opcodes comprise the OP_CHECKSIG opcodes which take the signature sig and the public key PK as inputs, and verifies the constructed signature sig.
  • the opcode OP_CHECKSIG evaluates to TRUE if a signature with a corresponding public key is input, and the signature sig is a valid signature, where the signature is over the candidate transaction message m extracted from the serialised transaction itself (second transaction Tx 2 ), otherwise OP_CHECKSIG evaluates to FALSE.
  • the OP_CHECKSIG opcode constructs the transaction message m using the relevant fields of the first transaction Tx r and the second transaction Tx 2 , (ii) verifies the signature sig using the public key PK and the constructed transaction message m ; (iii) returns TRUE to the stack if the signature sig is successfully verified.
  • OP_CHECKSIG returns TRUE this means that the candidate transaction message m in an unlocking script of the second transaction Tx 2 matches the relevant fields of the first transaction Tx ⁇ and the second transaction Tx 2 (shown in Figure 4).
  • each transaction message m is constructed from various fields in the first transaction Tx r and Tx 2 as shown.
  • the fields in which embodiments of the present disclosure exploit are the outpoints of the second transaction Tx 2 (which reference the first transaction Tx ⁇ ) and a locking script of the second transaction Tx 2 (to extract at least midstate values and the output of the hash function).
  • PUSHTX the transaction messages of the spending transaction Tx 2 are provably on the stack. This means that any of these fields can have conditions enforced on them, such as containing certain combinations of opcodes, or serial numbers. If these conditions are unmet, then the spending transaction is not valid.
  • the PUSHTXPARENT opcodes receives the candidate transaction message m and the first transaction T ⁇ as inputs and provides an output of TRUE/FALSE.
  • the PUSHTXPARENT opcodes enforces that the first transaction is in an unlocking script in a second transaction
  • the serialised transaction Tx ⁇ contains all fields in Tx r .
  • the implication of including PUSHTXPARENT is that the serialised transaction Tx r that is being spent is provably on the stack. This means that data from any of these fields can be extracted as part of the spending condition on Tx r . For example, this can be used to verify the appearance of data in a transaction.
  • Embodiments of the present disclosure relate to proving to a verifier that at least one data section is part of an input to a function (which outputs an output value when receiving the input), without revealing at least one further data section of the input to the verifier. Embodiments of the present disclosure further relate to verifying that at least one data section is part of an input to a function, which outputs an output value when receiving the input, without knowledge of at least one further data section of the input.
  • Embodiments of the present disclosure are described in relation to this function being a compression function using the Merkle-Damgard construction. However, it will be appreciated that this is merely an example, and the techniques described herein can be applied when the input is applied to other functions (e.g. those not involving hash functions).
  • SHA224 As mere examples, we describe two different hash functions which are part of the SHA2 family, SHA224 and SHA256.
  • SHA224 As the hash function applied to the input data, to avoid confusion with the SHA256 hash function used to compute the TxID of a transaction. This may be replaced with any cryptographic hash function that can be written explicitly in terms of opcodes and that uses the Merkle-Damgard construction.
  • a hash function maps data of arbitrary size D to data of fixed size.
  • the execution of the SHA224 or SHA256 hash function processes the data iteratively by a compression function using the Merkle-Damgard construction as shown in Figure 5.
  • the compression function is used to compute SHA224(J)) in the following way:
  • the computation of the above steps can be executed up to the jth iteration and halted.
  • the remaining partial preimage PPI i4 7+1
  • the first two iterations may be computed, and the output of the second stored, which we refer to herein as a "midstate".
  • the computation is continued given this midstate and the remainder of the preimage.
  • the first transaction Tx x illustrated in Figure 6 comprises a first input 3Q 602, a first output (lo ⁇ GOA, a second output O ⁇ eOS and a third output
  • the second transaction Tx 2 650 illustrated in Figure 6 comprises a first input 3 ⁇ 652, a second input 3 ⁇ 654, a third input 3 ⁇ 2 ' > 656, a first output and a second output O® 660.
  • outputs of the first transaction Tx ⁇ comprise one or more opcodes.
  • Each of these opcodes is a pseudo-opcode, i.e. it is not a single opcode of a blockchain scripting language (e.g. Script) but rather a collection of opcodes (or a set of functions/commands more generally) that together are configured to perform a corresponding collection of operations when executed.
  • transaction message m which is part of a preimage used to generate a signature on the second transaction Tx 2 .
  • the transaction message m corresponds to either the first transaction message ml or the second transaction message m2.
  • the function (which receives the input which comprises portions that are not to be revealed to a verifier) is a compression function using the Merkle-Damgard construction
  • the outputs of the first transaction Tx ⁇ contain rounds of the compression function.
  • the computation of the rounds of the compression functions will be executed in opcodes (each opcode corresponding to a set of functions/commands).
  • the "COMPFUNCIV” opcode is the first round of the compression function using the predefined initialisation vector IV, and the "COMPFUNC” opcode is used to compute all remaining rounds that are computed.
  • the "COMPFUNC” opcode receives the candidate transaction message m, the first transaction T ⁇ and the message block A i+1 as inputs, and provides an output of TRUE/FALSE.
  • the "COMPFUNC” opcode contains the "PUSHTX” opcode that outputs TRUE, given the candidate transaction message m as input, and then computes the compression function of the midstate midi with A i+1 outputting the next midstate or the output of the hash function if this is the final round of the compression function.
  • the "COMPFUNCIV” opcode receives the candidate transaction message m , the first transaction Tx 1 , and the message block Ai as inputs; and provides an output of TRUE/FALSE.
  • the "COMPFUNCIV” opcode contains the "PUSHTX” opcode that outputs TRUE, given the candidate transaction message m as input, and then computes the compression function of the predefined initialisation vector IV with A t , outputting the first midstate value midi.
  • the "COMPFUNC" opcode When the "COMPFUNC” opcode is provided in the first locking script of the first output of the first transaction Tx ⁇ (which is positioned first in the output list of the first transaction Tx ⁇ , the "COMPFUNC” opcode receives the first transaction message ml. When the "COMPFUNC” opcode is provided in the second locking script of the second output of the first transaction Tx ⁇ (which is positioned second in the output list of the first transaction Tx ⁇ , the "COMPFUNC” opcode receives the second transaction message m2.
  • the "COMPFUNCIV" opcode when the "COMPFUNCIV" opcode is provided in the first locking script of the first output of the first transaction Tx ⁇ (which is positioned first in the output list of the first transaction Tx r ), the "COMPFUNCIV” opcode receives the first transaction message ml.
  • the "COMPFUNCIV" opcode is provided in the second locking script of the second output of the first transaction Tx ⁇ (which is positioned second in the output list of the first transaction Tx ⁇ , the "COMPFUNCIV” opcode receives the second transaction message m2.
  • COMPFUNCIV or COMPFUNC will immediately be used as input to a COMPFUNC execution in the same script.
  • Another set of opcodes are required to ensure that the protocol is secure. This set of opcodes (which we refer to as "SAMEOUTPOINTS”) enforces that the three outputs of the first transaction Tx ⁇ are all spent in the second transaction Tx 2 .
  • the "SAMEOUTPOINTS” opcode outputs TRUE given m as input, if all three outpoints in the second transaction Tx 2 are the first three outputs from the first transaction Tx r , and fails otherwise.
  • the "SAMEOUTPOINTS” opcode contains the "PUSHTX” opocde which outputs TRUE, given the transaction message m as input. If the input m to PUSHTX is accepted, the "SAMEOUTPOINTS" opcode then verifies that the outpoints in the transaction message m contain the same TxID and the output indices are equal to 0, 1, and 2.
  • the "SAMEOUTPOINTS” opcode may be provided in one or more of the locking scripts of the first transaction Tx ⁇ . If the "SAMEOUTPOINTS" opcode is provided in the first locking script of the first output of the first transaction Tx ⁇ (which is positioned first in the output list of the first transaction Tx ⁇ ), the "SAMEOUTPOINTS” opcode receives the first transaction message ml. Whereas if the "SAMEOUTPOINTS" opcode is provided in the second locking script of the second output of the first transaction Tx ⁇ (which is positioned second in the output list of the first transaction Tx ⁇ ), the "SAMEOUTPOINTS” opcode receives the second transaction message m2.
  • PROVER Embodiments of the present disclosure relate to a method of proving to a verifier that at least one data section is part of an input to a function, which outputs an output value when receiving the input, without revealing at least one further data section of the input to the verifier.
  • the verifier will be a different party to the prover. This typical scenario will now be described with reference to the process 700 illustrated in Figure 7.
  • the process 700 is performed on a proving computing device associated with a proving party.
  • the proving party will be referred to as Alice 103a and the verifying party will be referred to as Bob 103b.
  • the process 700 may be performed on the computing device 102a associated with Alice 103a.
  • Alice 103a has arbitrary data D.
  • Alice 103a wants to prove to Bob 103b that message blocks A lt A 3 are in the preimage of outl which is the output of the hash function, but Bob 103b does not learn the message block zl 2 .
  • Bob 103b also has knowledge of the expected output to compare with outl.
  • the computing device 102a creates a first transaction Tx r .
  • the first transaction Tx ⁇ comprises an input list with each input in the input list comprising an outpoint, an unlocking script and a sequence number.
  • the first transaction Tx r comprises an output list with each output in the output list comprising a value assigned to the output, and a locking script of the output.
  • the input of the first transaction Tx 1 can be any arbitrary input controlled by Alice 103a.
  • the first output of the first transaction Tx r (which is positioned first in the output list of the first transaction Tx ⁇ ) contains the second round of the compression function by including the COMPFUNC opcode in the first locking script of the first output. This will execute the round corresponding to the input (message block A?) that will be hidden from Bob 103b.
  • the second output of the first transaction Tx ⁇ (which is positioned second in the output list of the first transaction Tx ⁇ ) contains the first and third rounds of the compression function by including both the COMPFUNC and COMPFUNCIV opcodes in the second locking script of the second output. This will execute the rounds of which the input will be revealed to Bob 103b.
  • the SAMEOUTPOINTS opcode is provided in the second locking script, however this is merely an example.
  • the SAMEOUTPOINTS opcode could additionally or alternatively be provided in the first locking script.
  • the SAMEOUTPOINTS opcode could also be provided in its own dedicated output of the second transaction Tx 2 , however this would create a longer transaction (resulting in a higher transaction fee).
  • the transaction message that it receives will contain all the same fields of the second transaction Tx 2 as described above with reference to the first transaction message ml and the second transaction message m2, but also the output corresponding to the outpoint it is spending e.g. a third output of the first transaction Tx ⁇ .
  • the first transaction Tx r may optionally comprise a third output of the first transaction Tx r (which is positioned third in the output list of the first transaction Tx ⁇ ) including a third locking script containing a P2PKH output that is locked to Alice's public key PKA. This ensure that only Alice can spend the first two locking scripts.
  • the SAMEOUTPOINTS opcode could additionally or alternatively be provided in the third locking script. Whilst the outputs of the first transaction Tx ⁇ are shown in Figure 8 in a particular order, this is merely an example and the outputs of the first transaction Tx ⁇ can be in any order.
  • the first transaction Tx r also comprises the midstates mid 1 , mid 2 and output of the hash function outl.
  • a locking script of the first transaction Tx ⁇ may comprise mid 1 ,mid 2 and outl.
  • a final output of the first transaction Tx ⁇ containing a P2PKH output that is locked to Alice's public key PKA may comprise mid 1 , mid 2 and outl. It will be appreciated that the mid 1 ,mid 2 and outl may alternatively be provided in another locking script of the first transaction Tx ⁇ .
  • the computing device 102a associated with Alice 103a can obtain the midstates mid ⁇ , mid 2 and output of the hash function outl for insertion into the first transaction Tx ⁇ in a number of different ways.
  • the computing device 102a may compute the midstates mid 1 , mid 2 and the output of the hash function outl.
  • the computing device 102a may receive the midstates mid 1 , mid 2 and the output of the hash function outl from a remote computing device.
  • the purpose of the first transaction Tx ⁇ is for Alice 103a to set-up the function that they want computed.
  • the computing device 102a transmits the first transaction Tx ⁇ o one or more blockchain nodes 104 to then be propagated throughout the network of blockchain nodes 104 and thereby included in the blockchain 150.
  • the computing device 102a creates a second transaction Tx 2 .
  • An example second transaction Tx 2 is shown in Figure 9.
  • the second transaction Tx 2 comprises an input list with each input in the input list comprising an outpoint, an unlocking script and a sequence number.
  • An outpoint is a pointer to an output, the pointer identified by the transaction identifier of the transaction that the output is in, and an index number indicating the exact output of the transaction.
  • the second transaction Tx 2 comprises an output list with each output in the output list comprising a value assigned to the output, and a locking script of the output.
  • the outputs of the first transaction Tx ⁇ will be spent by the second transaction Tx 2 as the following inputs:
  • the first input of the second transaction Tx 2 shown in Figure 9a contains an outpoint and an unlocking script.
  • This input data is also referred to herein as "further input data" 902.
  • the outpoint comprises a transaction identifier of the first transaction Tx ⁇ and an index number.
  • the unlocking script comprises the redacted portion of the input to the hash function .4 2 , the first transaction Tx r , and the first transaction message ml.
  • the second input of the second transaction Tx 2 shown in Figure 9a contains an outpoint and an unlocking script.
  • This input data is also referred to herein as "input data" 904.
  • the outpoint comprises a transaction identifier of the first transaction Tx ⁇ and an index number.
  • the unlocking script comprises the second transaction message m2, and the first transaction Tx ⁇ .
  • the second transaction Tx 2 may optionally comprise a third input which contains an outpoint and an unlocking script.
  • This input data is also referred to herein as "prover input data" 906.
  • the outpoint comprises a transaction identifier of the first transaction Tx r and an index number.
  • the unlocking script comprises a signature of Alice 103a and her corresponding public key.
  • Figure 9 illustrates an output of the second transaction Tx 2 having a locking script comprising the revealed portions of the input to the hash function i4 1 ,i4 3 (otherwise referred to herein as "output data" 908 due to the revealed portions of the input to the hash function i4 1 M 3 being present in an output of the second transaction Tx 2 ).
  • the output data 908 and mid 1 , mid 2 , outl will be extracted from the input to the PUSHTX opcodes (contained in the COMPFUNC opcode) to ensure that the output of the previous compression function is the same as the input to the next compression function. Without this, Bob 103b cannot be sure that the hash function has been executed correctly. As described in more detail below, Bob 103b also compares the value outl given in the first transaction Tx ⁇ to an expected output of the hash function.
  • the second transaction Tx 2 may optionally comprise an output having a locking script containing a P2PKH output 910 that is locked to Alice's public key PK A .
  • Figure 9 illustrates the first output of the second transaction Tx 2 (which is positioned first in the output list of the second transaction Tx 2 ⁇ including the locking script containing the P2PKH output 910, and the second output of the second transaction Tx 2 (which is positioned second in the output list of the second transaction Tx 2 ⁇ including the locking script comprising the revealed portions of the input to the hash function
  • the revealed portions of the input to the hash function i4 1 ,i4 3 are to be provided in a final output in the output list of the second transaction Tx 2 . That is, the output list of the second transaction Tx 2 should not comprise another locking script appearing after (i.e. lower down the output list) the locking script comprising the revealed portions of the input to the hash function
  • the computing device 102a transmits the second transaction Tx 2 to one or more blockchain nodes 104 to then be propagated throughout the network of blockchain nodes 104 and thereby included in the blockchain 150.
  • the blockchain nodes 104 receives both the first transaction T ⁇ and the second transaction Tx 2 (they could be received in any order).
  • a blockchain node 104 receiving both the first transaction Tx ⁇ and the second transaction Tx 2 will execute the opcodes provided in the first transaction Tx r using the relevant data provided in the first transaction Tx r and the second transaction Tx 2 (thereby computing the hash function).
  • the blockchain node 104 will only accept the second transaction Tx 2 if its inputs are such that the opcodes provided in the first transaction Tx r all output TRUE. This indicates that the blockchain node 104, after performing the computation of the hash function, is content with the input that is provided to the hash function i.e. the input corresponds to the expected output of the hash function.
  • the first transaction T ⁇ and the second transaction Tx 2 will be committed to a block (or different blocks) on the blockchain 150.
  • the computing device 102a associated with Alice 103a receives confirmation data Proo/ T%2 indicating that the second transaction Tx 2 is valid.
  • Alice 103a Upon receipt of the confirmation data (Proof TX2 ) Alice 103a knows that the unlocking script (comprising the second transaction message m2 and the first transaction Tx r ⁇ of the input data 904 successfully unlocks the second locking script (comprising COMPFUNCIV, COMPFUNC, SAMEOUTPOINTS) of the second output of the first transaction Tx r ,- and the further unlocking script (comprising ml, Tx r , and A?) of the further input data 902 successfully unlocks the further locking script (comprising COMPFUNC) of the first output of the first transaction Tx ⁇ .
  • the unlocking script comprising the second transaction message m2 and the first transaction Tx r ⁇ of the input data 904 successfully unlocks the second locking script (comprising COMPFUNCIV, COMPFUNC, SAMEOUTPOINTS) of the second output of the first transaction Tx r ,- and the further unlocking script (comprising ml, Tx r
  • the confirmation data Proof TX2 may comprise an acceptance message received from a blockchain node 104 indicating that the second transaction is valid, the acceptance message signed with a signature of the blockchain node 104. This acceptance message indicates that the blockchain node 104 will put the second transaction Tx 2 in a block if the blockchain node 104 sees that the second transaction Tx 2 is not present on the blockchain 150.
  • the confirmation data Proof TX2 may be a Merkle proof of the second transaction Tx 2 , received from a blockchain node 104 once the second transaction Tx 2 has been committed into a block on the blockchain 150.
  • the computing device 102a associated with Alice 103a is in possession of confirmation data (Proof TX2 )
  • the computing device 102a does not need confirmation data indicating that the first transaction Tx ⁇ is valid because if a blockchain node 104 has accepted the second transaction Tx 2 , then by default they have also accepted the first transaction Tx ⁇ .
  • step S712 the computing device 102a associated with Alice 103a generates a proof.
  • the proof preferably comprises: the first transaction Tx ⁇ , a midstate value associated with the second transaction Tx 2 ; a remaining partial preimage PPI TX2 ; and the confirmation data Proof TX2
  • the proof does not comprise the first transaction Tx ⁇ .
  • the computing device 102a associated with Alice 103a sends a proof the computing device 102b associated with Bob 103b.
  • Figure 10 also shows the computation of the compression function using the Merkle- Damgard construction to provide the output value outl corresponding to SHA224(D).
  • the midstate value mid TX2 is computed using a compression function which takes an initialization vector and the first input 652 of the second transaction Tx 2 (corresponding to the further input data 902) as inputs:
  • the first input 652 comprises the message block A2 that is to be hidden from Bob 103b.
  • the computation of the midstate value mid TX2 may (2) require a single compression function stage (if the first input JQ 652 is less than or equal
  • the computing device 102a associated with Alice 103a can obtain the midstate value mid TX2 'in a number of different ways.
  • the computing device 102a may compute the midstate value mid TX2 .
  • the computing device 102a may receive the midstate value mid TX2 from a remote computing device.
  • anyone except Bob 103b can compute the midstate value mid TX2 .
  • the remaining partial preimage PPI TX2 comprises the second input 7 ⁇ 654 of the second transaction Tx 2 (corresponding to the input data 904), and the second (2) output 0 ⁇ 660 of the second transaction Tx 2 (corresponding to the output data 908) which comprises the message blocks Ai and A3.
  • the remaining partial preimage PPI TX2 may also comprise the third input 656 of the second transaction Tx 2 (corresponding to the prover input data 906).
  • the remaining partial preimage PPI TX2 may also comprise
  • the computing device 102a associated with Alice 103a can obtain the remaining partial preimage PPI TX2 'in a number of different ways. In one example, the computing device 102a may compute the remaining partial preimage PPI TX2 . Alternatively, the computing device 102a may receive the remaining partial preimage PPI Tx Jrom a remote computing device.
  • the data forming the proof that is sent from the computing device 102a associated with Alice 103a to the computing device 102b associated with Bob 103b, may be sent in a single transmission or multiple transmissions.
  • the computing device 102b associated with Bob 103b will use this proof to verify that message blocks A 1 ,A 3 are contained in the preimage of SHA224(J)) without learning the message block J4 2 since this is hidden in the computation of the midstate value mid TX2 .
  • FIG. 7 shows steps of the process 700 being performed in a particular order, embodiments of the present disclosure are not limited to the steps being performed in the order shown in Figure 7.
  • transmittal of the first transaction Tx ⁇ o one or more blockchain nodes 104 at step S704 may occur after creation of the second transaction Tx 2 at step S706.
  • the inputs of the second transaction Tx 2 are shown in Figure 9 in a particular order, alternative ordering of the inputs of the second transaction Tx 2 can be utilised provided that certain requirements are met.
  • the input data 904 (comprising the unredacted message blocks) should appear in an input of the second transaction Tx 2 after (i.e. further down the input list) the input of the second transaction TX 2 comprising the the further input data 902. Any input of the second transaction Tx 2 may be redacted as long as there is also an unredacted input afterwards. If a second input is redacted it implies the first input of the second transaction Tx 2 ⁇ s also redacted, due to the nature of the computation of the hash function.
  • Figures 9 illustrates the prover input data 906 being provided in a third input of the second transaction Tx 2 , if present, the prover input data 906 can be provided in any input of the second transaction Tx 2 .
  • FIG. 11 Another example second transaction Tx 2 is shown in Figure 11.
  • the first input of the second transaction Tx 2 shown in Figure 11 contains the prover input data 906.
  • the second input of the second transaction Tx 2 shown in Figure 11 contains the further input data 902.
  • the third input of the second transaction Tx 2 shown in Figure 11 contains the input data 904.
  • the example second transaction Tx 2 shown in Figure 11 illustrates that the inputs of the second transaction Tx 2 shown in Figure 9 can be rearranged.
  • Figure 12 also shows the computation of the compression function using the Merkle- Damgard construction to provide the output value outl corresponding to SHA224(D).
  • the midstate value mid TX2 is computed using a compression function which takes as inputs an initialization vector and a concatenated input.
  • the concatenated input comprises the first input 652 of the second transaction Tx 2
  • midstate value mid TX2 is defined as:
  • the second input 7 ⁇ 654 comprises the message block A2 that is to be hidden from Bob 103b.
  • the computation of the midstate value mid TX2 may require a single compression function stage (if the concatenated input is less than or equal to 512 bits) or multiple stage compression function stages (if the concatenated input is greater than or equal to 512 bits).
  • the remaining partial preimage PPI TX2 comprises the third input 7 ⁇ 656 of the second transaction Tx 2 (corresponding to the input data 904), the first output O Q 658 of the second transaction Tx 2 (corresponding to the P2PKH output 910 that is locked to Alice's public key PKA), and the second output 660 of the second transaction Tx 2 (corresponding to the output data 908 which comprises the message blocks Ai and A3).
  • the locking scripts which comprise COMPFUNC (and related) opcodes which operate on and use the data provided in the locking and unlocking scripts (any or all of Al, A2, A3, ml, and m2 associated with transactions Txl and Tx2) to conduct the hash (using Al, A2, and A3) (and preferably also subsequently verify these calculations using the various midstates (midi, mid2) and final outputs (outl)).
  • This can also be described as the execution of the appropriate combination of the locking scripts of Txl with the associated scripts/data of Tx2 which enables at least the determination of the various midpoints and the final hash of the data as described throughout this specification.
  • additional verification/validation that the calculated mid points and final output hash match the stored midpoints and final output hash is similarly confirmed.
  • the use of script op codes to compare the script determined midstates and final output of the function, with the midstates and final output included on the transaction further enables the verifier to trust that, if the transactions (Txl and Tx2) have been included on the blockchain, the appropriate data must have been provided. The verifier can trust this without obtaining the second transaction itself - only proof of the second transaction is stored on the blockchain is required.
  • Embodiments of the present disclosure also relate to a method of method of verifying that at least one data section is part of an input to a function, which outputs an output value when receiving the input, without knowledge of at least one further data section of the input. This will now be described with reference to the process 1300 illustrated in Figure 13.
  • the process 1300 is performed on a verifying computing device associated with a verifying party. Thus the process 1300 may be performed on the computing device 102b associated with Bob 103b.
  • the computing device 102b associated with Bob 103b performs the process 1300 to verify that the message blocks A lt A 3 are part of the preimage to a hash function that outputs outl which is known to him, given (Tx ⁇ midi-x , PPI TX2 , Proof TX2 ).
  • the computing device 102b associated with Bob 103b receives the proof.
  • the proof preferably comprises: the first transaction Tx ⁇ , the midstate value associated with the second transaction Tx 2 ; the remaining partial preimage, PPI TX2 ; and the confirmation data, Proof TX2 .
  • the computing device 102b may receive each of the above components of the proof from either (i) the computing device 102a associated with Alice 103a, (ii) a blockchain node 104; (iii) a remote computing device associated with a third party.
  • the computing device 102b verifies the contents of the first transaction.
  • the computing device 102b check that the outputs of the first transaction Tx ⁇ contain expected scripts.
  • the computing device 102b checks that the outputs of the first transaction Tx ⁇ contain two COMPFUNC opcodes, one COMPFUNCIV opcode and one SAMEOUTPOINTS opcode). If Bob 103b finds that the outputs of the first transaction Tx r contain the expected scripts, then this will imply (if step S1312 is accepted) that the hash function in script has been executed correctly.
  • the computing device 102b verifies that the remaining partial preimage PPI T X 2 comprises the output data 908 (which comprises a locking script which comprises the message blocks i4 1 M 3 to be revealed to Bob 103b), and that the first transaction Tx ⁇ comprises the output value outl. That is, the computing device 102b verifies that the remaining partial preimage PPI TX2 and the first transaction Tx ⁇ comprises the expected values as claimed by Alice 103a.
  • the computing device 102b computes a transaction identifier TxID 1 of the first transaction Tx ⁇ .
  • the transaction identifier TxlD 1 may be computed using:
  • TxID 1 SHA256d(Tx 1 ) where SHA2S6d is the double SHA256 hash function. This is the standard way of computing the TxID of a transaction in Bitcoin.
  • the computing device 102b verifies that the input data 904 comprises the transaction identifier TxlD 1 of the first transaction Tx ⁇ .
  • the computing device 102b checks that the transaction identifier TxlD 1 is the outpoint of the second transaction Tx 2 from the remaining partial preimage PPI TX2 . Ifthis holds, then it implies (in combination with step S1312) that the hash function (performed using the opcodes identified in step S1304) takes the inputs identified in step 1306.
  • the computing device 102b verifies the confirmation data, Proof TX2 . If this verification is successful it implies that the second transaction Tx 2 has been committed onto the blockchain 150.
  • the confirmation data, Proof TX2 may comprise the Merkle proof of the second transaction Tx 2 .
  • the computing device 102b first computes a transaction identifier TxID 2 of the second transaction Tx 2 using:
  • TXID 2 SHA(jjartialSHA(mid TX2 , PPI TX2 y)
  • the computing device 102b computes the Merkle root of the second transaction Tx 2 , using the transaction identifier TXID 2 and the received Merkle proof Proof TX2 .
  • the computing device 102b compares the computed Merkle root of the second transaction Tx 2 with the received Merkle proof Proof TX2 .
  • the verification as step S1312 is successful if the computed Merkle root of the second transaction Tx 2 matches the received Merkle proof Proof TX2 .
  • the confirmation data, Proof TX2 may comprise an acceptance message received from a blockchain node 104 indicting that the second transaction is valid, the acceptance message signed with a signature of the blockchain node 104.
  • the computing device 102b verifies the signature of the blockchain node using a public key associated with the blockchain node 104. The verification as step S1312 is successful if the signature of the blockchain node is deemed to be valid.
  • Figure 14 illustrates a generalized structure of the first transaction Tx lt and Figure 15 illustrates a generalized structure of the second transaction Tx 2 (that spends the first transaction Tx ⁇ .
  • the k redacted parts correspond to the first output of the first transaction Tx ⁇ and the first input of the second transaction Tx 2
  • the I non-redacted parts correspond to the second output of the first transaction Tx ⁇ and the second output of the second transaction Tx 2 .
  • this ordering can be modified.
  • the opcode COMPFUNCIV does not appear in the first transaction Tx r .
  • the SAMEOUTPOINTS opcode only needs to appear in one output of the first transaction Tx r since Bob sees all outputs of the first transaction Tx r . If that output can be spent, it must be that all the outputs are spent in the same transaction. It may additionally be added to the first and last outputs to ensure that they are not accidentally spent (which would render the second outpoint unspendable).
  • Alice 103a may generate a proof using the process 700 on her computing device 102a for future verification by herself on computing device 102a using the process 1300.
  • Alice 103a has data of arbitrary size D comprising message blocks i4 1 ,i4 2 M 3 stored on her computing device 102a. She may wish to delete J4 2 ( e -g- due to its length) if for example her computing device 102a has limited storage capabilities (e.g. if it is a mobile device). Alice 103a may generate a proof using the process 700 on her computing device 102a to prove that message blocks i4 1 M 3 stored on her device are part of an input to a function without needing to know the message block J4 2 . Once the proof has been generated, Alice 103a is able to store the proof for her later use and delete the message block /1 2 from her computing device 102a.
  • Alice 103a may then verify the poof using the process 1300 on her computing device 102a (e.g. to verify that the message blocks A 1 ,A 3 have not been corrupted).
  • Alice 103a first acts as the prover and then later acts as the verifier.
  • the computing device 102a operates as both the proving computing device, and then at a later time, the verifying computing device.
  • Embodiments of the present disclosure have a number of applications.
  • Alice 103a can claim that she has knowledge of the preimage of a given hash function, that is stored on chain without yet proving it e.g. she can timestamp the data and claim to Bob 103b that she knows the input which provides the hash function output, outl, specified in the first transaction Tx ⁇ . If Bob 103b acknowledges that he wants to know the input, Alice 103a can then prove that knowledge. Bob 103b knows that the data Alice 103a knows must have been the same as the one she claims, as otherwise the first transaction T x ⁇ wouldn't be accepted. What is being proved by Alice is fixed by the hash function output, outl, being specified in the first transaction Tx ⁇ .
  • the input data may correspond to a large document including a section that shows that a user Alice is registered on the electoral roll in Blockland.
  • Alice can utilize embodiments of the invention to prove the integrity of this section to a verifying entity (e.g. a credit card company or other institution), thus she can reveal this section of the document without needing to provide the remaining sections of the document to the verifying entity, with the verifying entity still being able to confirm that the document is valid.
  • a verifying entity e.g. a credit card company or other institution
  • Another example may be proving ownership of funds in a Bitcoin output that is part of a large transaction without learning the whole transaction.
  • the function is the SHA256 compression function (comprising multiple rounds of compression), outputting a TxID which can be verified with a Merkle proof on that TxID.
  • the blockchain storing the transactions is a permissioned or private blockchain such that Bob, the verifier, is unable to view the contents of any blocks, other than their headers.
  • Bob is able to prove to himself that the hidden data (A?) was used in determining the final hash (and/or that the non-hidden data (Ai, A3) was used in the determination of the final hash) without the hidden data being revealed to him.
  • the blockchain storing the transactions is a modified blockchain such that transaction generators can select certain inputs to be hidden from others without sufficient access rights.
  • Alice picks the inputs (or outputs) which comprise the hidden data (A2) to be hidden from other users.
  • the hiding of inputs could be conducted by encrypting the inputs such that only blockchain miners and/or nodes (or others with the appropriate keys) are able to access them for transaction verification.
  • Embodiments of the present disclosure should not be used for sensitive data, as the whole input to the function will appear on chain. However, it can be used for data that can only be shared in certain jurisdictions (provided miners are able to store the data) or for data that is not sensitive.
  • the mechanism Due to its construction, the mechanism also has the property that the integrity check can only occur in intervals that are equivalent to the length of the blocksize of the hash function. For example, SHA256 can be used to verify sections of data of length in multiples of 64 bytes only. This construction does not change any property of Bitcoin, instead utilising the ability to do long partial SHA computations in script. Other variants or use cases of the disclosed techniques may become apparent to the person skilled in the art once given the disclosure herein. The scope of the disclosure is not limited by the described embodiments but only by the accompanying claims.
  • bitcoin network 106 Some embodiments above have been described in terms of a bitcoin network 106, bitcoin blockchain 150 and bitcoin nodes 104.
  • the bitcoin blockchain is one particular example of a blockchain 150 and the above description may apply generally to any blockchain. That is, the present invention is in by no way limited to the bitcoin blockchain. More generally, any reference above to bitcoin network 106, bitcoin blockchain 150 and bitcoin nodes 104 may be replaced with reference to a blockchain network 106, blockchain 150 and blockchain node 104 respectively.
  • the blockchain, blockchain network and/or blockchain nodes may share some or all of the described properties of the bitcoin blockchain 150, bitcoin network 106 and bitcoin nodes 104 as described above.
  • the blockchain network 106 is the bitcoin network and bitcoin nodes 104 perform at least all of the described functions of creating, publishing, propagating and storing blocks 151 of the blockchain 150. It is not excluded that there may be other network entities (or network elements) that only perform one or some but not all of these functions. That is, a network entity may perform the function of propagating and/or storing blocks without creating and publishing blocks (recall that these entities are not considered nodes of the preferred Bitcoin network 106).
  • the blockchain network 106 may not be the bitcoin network.
  • a node may perform at least one or some but not all of the functions of creating, publishing, propagating and storing blocks 151 of the blockchain 150.
  • a "node” may be used to refer to a network entity that is configured to create and publish blocks 151 but not store and/or propagate those blocks 151 to other nodes.
  • any reference to the term "bitcoin node” 104 above may be replaced with the term "network entity” or "network element", wherein such an entity/element is configured to perform some or all of the roles of creating, publishing, propagating and storing blocks.
  • the functions of such a network entity/element may be implemented in hardware in the same way described above with reference to a blockchain node 104.
  • Embodiments of the present disclosure relate to a method of proving to a verifier that at least one data section is part of an input to a function, which outputs an output value when receiving the input, without revealing at least one further data section of the input to the verifier. This will now be described with reference to the process 700 illustrated in Figure 7.
  • the process 700 is performed on a proving computing device associated with a proving party.
  • the proving party will be referred to as Alice 103a and the verifying party will be referred to as Bob 103b.
  • the process 700 may be performed on the computing device 102a associated with Alice 103a.
  • Alice 103a has arbitrary data D.
  • Alice 103a wants to prove to Bob 103b that message blocks A lt A 3 are in the preimage of outl which is the output of the hash function, but Bob 103b does not learn the message block J4 2 .
  • Bob 103b also has knowledge of the expected output to compare with outl.
  • the computing device 102a creates a first transaction Tx ⁇ .
  • the first transaction Tx ⁇ comprises an input list with each input in the input list comprising an outpoint, an unlocking script and a sequence number.
  • the first transaction Tx ⁇ comprises an output list with each output in the output list comprising a value assigned to the output, and a locking script of the output.
  • the input of the first transaction Tx ⁇ can be any arbitrary input controlled by Alice 103a.
  • the first output of the first transaction Tx r (which is positioned first in the output list of the first transaction Tx ⁇ ) contains the second round of the compression function by including the COMPFUNC opcode in the first locking script of the first output. This will execute the round corresponding to the input (message block A?) that will be hidden from Bob 103b.
  • the second output of the first transaction Tx ⁇ (which is positioned second in the output list of the first transaction Tx ⁇ ) contains the first and third rounds of the compression function by including both the COMPFUNC and COMPFUNCIV opcodes in the second locking script of the second output. This will execute the rounds of which the input will be revealed to Bob 103b.
  • the SAMEOUTPOINTS opcode is provided in the second locking script, however this is merely an example.
  • the SAMEOUTPOINTS opcode could be provided in the first locking script.
  • the SAMEOUTPOINTS opcode could also be provided in its own dedicated output of the second transaction Tx 2 , however this would create a longer transaction (resulting in a higher transaction fee).
  • the transaction message that it receives will contain all the same fields of the second transaction Tx 2 as described above with reference to the first transaction message ml and the second transaction message m2, but also the output corresponding to the outpoint it is spending e.g. a third output of the first transaction Tx r .
  • the first transaction Tx ⁇ may optionally comprise a third output of the first transaction Tx r (which is positioned third in the output list of the first transaction Tx r ⁇ containing a P2PKH output that is locked to Alice's public key PKA. This ensure that only Alice can spend the first two locking scripts.
  • the purpose of the first transaction Tx r is for Alice 103a to set-up the function that they want computed.
  • the computing device 102a transmits the first transaction Tx ⁇ o one or more blockchain nodes 104 to then be propagated throughout the network of blockchain nodes 104 and thereby included in the blockchain 150.
  • the computing device 102a creates a second transaction Tx 2 .
  • a first example second transaction Tx 2 is shown in Figure 16B.
  • the second transaction Tx 2 comprises an input list with each input in the input list comprising an outpoint, an unlocking script and a sequence number.
  • An outpoint is a pointer to an output, the pointer identified by the transaction identifier of the transaction that the output is in, and an index number indicating the exact output of the transaction.
  • the second transaction Tx 2 com P r i ses an output list with each output in the output list comprising a value assigned to the output, and a locking script of the output.
  • the outputs of the first transaction Tx ⁇ will be spent by the second transaction Tx 2 as the following inputs:
  • the first input of the second transaction Tx 2 shown in Figure 16B contains an outpoint and an unlocking script.
  • This input data is also referred to herein as "further input data" 902.
  • the outpoint comprises a transaction identifier of the first transaction Tx ⁇ and an index number.
  • the unlocking script comprises the redacted portion of the input to the hash function ?1 2 and the first transaction message ml.
  • the second input of the second transaction Tx 2 shown in Figure 16B contains an outpoint and an unlocking script.
  • This input data is also referred to herein as "input data" 904.
  • the outpoint comprises a transaction identifier of the first transaction Tx ⁇ and an index number.
  • the unlocking script comprises the second transaction message m2.
  • the second transaction Tx 2 may optionally comprise a third input which contains an outpoint and an unlocking script.
  • This input data is also referred to herein as "prover input data" 906.
  • the outpoint comprises a transaction identifier of the first transaction Tx ⁇ and an index number.
  • the unlocking script comprises a signature of Alice 103a and her corresponding public key.
  • FIG. 16B illustrates the first output of the second transaction Tx 2 comprising the midstates mid 1 , mid 2 and output of the hash function outl (otherwise referred to herein as "output data" 908).
  • the first output of the second transaction Tx 2 additionally comprises the revealed portion of the input to the hash function i4 1 ,i4 3 .
  • the output data 908 will be used in the PUSHTX opcodes (contained in the COMPFUNC opcode) to ensure that the output of the previous compression function is the same as the input to the next compression function. Without this, Bob 103b cannot be sure that the hash function has been executed correctly. As described in more detail below, Bob 103b also compares the value outl given in Tx 2 to an expected output of the hash function.
  • the computing device 102a associated with Alice 103a can obtain the midstates mid 1 ,mid 2 and output of the hash function outl for insertion into the second transaction Tx 2 in a number of different ways.
  • the computing device 102a may compute the midstates mid 1 , mid 2 and the output of the hash function outl.
  • the computing device 102a may receive the midstates mid ⁇ mid 2 and the output of the hash function outl from a remote computing device.
  • the second transaction Tx 2 may optionally comprise a second output containing a P2PKH output 910 that is locked to Alice's public key PKA. This ensures that only Alice can spend the first locking script.
  • the output data 908 is preferably provided within a predefined number of bits/bytes from the end of the second transaction Tx 2 . This can be achieved by the output data 908 being provided in a final output of the second transaction Tx 2 . However, it will be appreciated that if the P2PKH output 910 is present and provided in a final output of the second transaction Tx 2 , the size of the P2PKH output 910 may be small enough such that the output data 908 is still provided within the predefined number of bits/bytes from the end of the second transaction Tx 2 .
  • a malicious prover may attempt to insert the message blocks i4 1 ,i4 3 into the second transaction Tx 2 in such a way that it could appear to the verifier that once the proof it receives is verified, the message blocks A lt A 3 are inputs to the function to provide the output value outl, when in fact arbitrary data (not seen by the verifier) has been supplied as input to the function.
  • the malicious prover may attempt to insert the message blocks A lt A 3 at the end of the output list of the second transaction T x 2 after an OP_RETURN statement, such that the verifier sees that the message blocks A 1 ,A 3 are present in the second transaction Tx 2 .
  • the blockchain nodes 104 will not consider it in the computation that they perform using the COMPFUNC and COMPFUNCIV opcodes, the blockchain nodes 104 will instead be performing the computation of the hash function using the arbitrary data.
  • the verifier By having the COMPFUNC and COMPFUNCIV opcodes extracting (from the second transaction message m2) the relevant data of a locking script of the second transaction TX 2 (within a predefined number of bits/bytes from the end of the second transaction TX 2 ), the verifier knows that the functions in the locking scripts of the first transaction Tx ⁇ are using the "last" or "end” bytes of the transaction, and therefore the verifier knows that those last/end bytes are being used to unlock the first transaction Tx ⁇ and therefore the verifier is verifying what is being alleged by the prover.
  • a second example of the second transaction Tx 2 is shown in Figure 16C.
  • the unlocking script of the second input of the second transaction Tx 2 comprises the revealed portion of the input to the hash function i4 1 M 3 and the second transaction message m2.
  • the unlocking script of the second input of the second transaction Tx 2 comprises the revealed portion of the input to the hash function i4 1 ,i4 3 .
  • the computing device 102a transmits the second transaction Tx 2 to one or more blockchain nodes 104 to then be propagated throughout the network of blockchain nodes 104 and thereby included in the blockchain 150.
  • the blockchain nodes 104 receives both the first transaction Tx ⁇ and the second transaction Tx 2 (they could be received in any order).
  • a blockchain node 104 receiving both the first transaction Tx ⁇ and the second transaction Tx 2 will execute the opcodes provided in the first transaction Tx r using the relevant data provided in the first transaction Tx r and the second transaction Tx 2 (thereby computing the hash function).
  • the blockchain node 104 will only accept the second transaction Tx 2 if its inputs are such that the opcodes provided in the first transaction Tx r all output TRUE. This indicates that the blockchain node 104, after performing the computation of the hash function, is content with the input that is provided to the hash function i.e. the input corresponds to the expected output of the hash function.
  • the first transaction Tx ⁇ nd the second transaction Tx 2 will be committed to a block (or different blocks) on the blockchain 150.
  • the computing device 102a associated with Alice 103a receives confirmation data Proo/ T%2 indicating that the second transaction Tx 2 is valid.
  • Alice 103a Upon receipt of the confirmation data (Proof TX2 ) Alice 103a knows that the unlocking script (comprising the second transaction message m2 and Ai, A3 included within, or separate to, the second transaction message m2) of the input data 904 successfully unlocks the second locking script (comprising COMPFUNCIV, COMPFUNC, SAMEOUTPOINTS) of the second output of the first transaction Tx ⁇ ; and the further unlocking script (comprising ml, A2) of the further input data 902 successfully unlocks the further locking script (comprising COMPFUNC) of the first output of the first transaction Tx ⁇ .
  • the confirmation data Proof TX2 may comprise an acceptance message received from a blockchain node 104 indicating that the second transaction is valid, the acceptance message signed with a signature of the blockchain node 104. This acceptance message indicates that the blockchain node 104 will put the second transaction Tx 2 in a block if the blockchain node 104 sees that the second transaction Tx 2 is not present on the blockchain 150.
  • the confirmation data Proof TX2 may be a Merkle proof of the second transaction Tx 2 , received from a blockchain node 104 once the second transaction Tx 2 has been committed into a block on the blockchain 150.
  • the computing device 102a associated with Alice 103a is in possession of confirmation data (Proof TX2 )
  • the computing device 102a does not need confirmation data indicating that the first transaction Tx ⁇ is valid because if a blockchain node 104 has accepted the second transaction Tx 2 , then by default they have also accepted the first transaction Tx ⁇ .
  • the computing device 102a associated with Alice 103a sends a proof the computing device 102b associated with Bob 103b.
  • the proof comprises: the first transaction Tx ⁇ , a midstate value associated with the second transaction Tx 2 ; a remaining partial preimage PPI TX2 ; and the confirmation data Proof TX2
  • Figure 16D also shows the computation of the compression function using the Merkle- Damgard construction to provide the output value outl corresponding to SHA224(D).
  • the first input 652 comprises the message block A2 that is to be hidden from Bob 103b.
  • the computation of the midstate value mid TX2 may (2) require a single compression function stage (if the first input JQ 652 is less than or equal
  • the computing device 102a associated with Alice 103a can obtain the midstate value mid TX2 'in a number of different ways.
  • the computing device 102a may compute the midstate value mid TX2 .
  • the computing device 102a may receive the midstate value mid TX2 from a remote computing device.
  • anyone except Bob 103b can compute the midstate value mid TX2 .
  • the remaining partial preimage PPI TX2 is defined as:
  • the remaining partial preimage PPI TX2 comprises the second input 7 ⁇ 654 of the second transaction Tx 2 (corresponding to the input data 904), and the first output O Q 658 of the second transaction Tx 2 (corresponding to the output data 908) which comprises the message blocks Ai and A3.
  • the remaining partial preimage PPI TX2 may
  • the remaining partial preimage PPI TX2 may also comprise the second output 660 of the second transaction Tx 2 .
  • the computing device 102a associated with Alice 103a can obtain the remaining partial preimage PPI TX2 'in a number of different ways. In one example, the computing device 102a may compute the remaining partial preimage PPI TX2 . Alternatively, the computing device 102a may receive the remaining partial preimage PPI Tx Jrom a remote computing device.
  • the data forming the proof that is sent from the computing device 102a associated with Alice 103a to the computing device 102b associated with Bob 103b, may be sent in a single transmission or multiple transmissions.
  • the computing device 102b associated with Bob 103b will use this proof to verify that message blocks A 1 ,A 3 are contained in the preimage of SHA224(J)) without learning the message block i4 2 since this is hidden in the computation of the midstate value mid TX2 .
  • FIG. 7 shows steps of the process 700 being performed in a particular, embodiments of the present disclosure are not limited to the steps being performed in the order shown in Figure 7.
  • transmittal of the first transaction Tx ⁇ o one or more blockchain nodes 104 at step S704 may occur after creation of the second transaction Tx 2 at step S706.
  • the inputs of the second transaction Tx 2 are shown in Figure 16B in a particular order, alternative ordering of the inputs of the second transaction Tx 2 can be utilised provided that certain requirements are met.
  • the input data 904 (comprising the unredacted message blocks) should appear in an input of the second transaction Tx 2 after (i.e. further down the input list) the input of the second transaction Tx 2 comprising the the further input data 902.
  • Any input of the second transaction TX 2 ma Y be redacted as long as there is also an unredacted input afterwards. If a second input is redacted (as in the second example second transaction Tx 2 shown in Figure 16E) it implies the first input of the second transaction Tx 2 ⁇ s also redacted, due to the nature of the computation of the hash function.
  • Figures 16B and 16C illustrates the prover input data 906 being provided in a third input of the second transaction Tx 2 , if present, the prover input data 906 can be provided in any input of the second transaction Tx 2 .
  • a third example second transaction Tx 2 is shown in Figure 16E.
  • the first input of the second transaction Tx 2 shown in Figure 16E contains the prover input data 906.
  • the second input of the second transaction Tx 2 shown in Figure 16E contains the further input data 902.
  • the third input of the second transaction Tx 2 shown in Figure 16E contains the input data 904.
  • the third example second transaction Tx 2 shown in Figure 16E illustrates that the inputs of the second example second transaction Tx 2 shown in Figure 16C can be rearranged, the same applies to the inputs of the first example second transaction Tx 2 shown in Figure 16B.
  • Figure 16F also shows the computation of the compression function using the Merkle- Damgard construction to provide the output value outl corresponding to SHA224(D).
  • the midstate value mid TX2 is computed using a compression function which takes as inputs an initialization vector and a concatenated input.
  • the concatenated input comprises the first input 652 of the second transaction Tx 2
  • midstate value mid TX2 is defined as:
  • the second input 7 ⁇ 654 comprises the message block A2 that is to be hidden from Bob 103b.
  • the computation of the midstate value mid TX2 may require a single compression function stage (if the concatenated input is less than or equal to 512 bits) or multiple stage compression function stages (if the concatenated input is greater than or equal to 512 bits).
  • the remaining partial preimage PPI TX2 comprises the third input 7 ⁇ 656 of the second transaction Tx 2 (corresponding to the input data 904) which comprises the message blocks Ai and A3, and the first output O () 658 of the second transaction Tx 2 (corresponding to the output data 908).
  • the remaining partial preimage PPI TX2 may
  • (2) also comprise the second output 660 of the second transaction Tx 2 .
  • Embodiments of the present disclosure also relate to a method of method of verifying that at least one data section is part of an input to a function, which outputs an output value when receiving the input, without knowledge of at least one further data section of the input.
  • the process 1300 is performed on a verifying computing device associated with a verifying party.
  • the process 1300 may be performed on the computing device 102b associated with Bob 103b.
  • the computing device 102b associated with Bob 103b performs the process 1300 to verify that the message blocks A lt A 3 are part of the preimage to a hash function that outputs out which is known to him, given (Tx 1 , mid Tx2 , PP l Tx2 , Proof Tx2 ).
  • step S1302 the computing device 102b associated with Bob 103b receives the proof.
  • the proof comprises: the first transaction Tx ⁇ , the midstate value associated with the second transaction Tx 2 ; the remaining partial preimage, PPI TX2 ; and the confirmation data, Proof TX2 .
  • the computing device 102b may receive each of the above components of the proof from either (i) the computing device 102a associated with Alice 103a, (ii) a blockchain node 104; (iii) a remote computing device associated with a third party.
  • the computing device 102b verifies the contents of the first transaction.
  • the computing device 102b check that the outputs of the first transaction Tx ⁇ contain expected scripts.
  • the computing device 102b checks that the outputs of the first transaction Tx ⁇ contain two COMPFUNC opcodes, one COMPFUNCIV opcode and one SAMEOUTPOINTS opcode).
  • step S1306 the computing device 102b verifies that the remaining partial preimage PPI T X 2 comprises the input data 904 (which comprises an unlocking script which comprises the message blocks A 1 ,A 3 to be revealed to Bob 103b), and also comprises the output data 908 (which comprises a locking script which comprises the output value outl). That is, the computing device 102b verifies that the remaining partial preimage PPI T X 2 comprises the expected values as claimed by Alice 103a.
  • step S1312 If Bob 103b finds that the remaining partial preimage PPI TX2 of the second transaction Tx 2 contains the relevant data of D, it will imply (if step S1312 is accepted) that the input to the hash function (performed using the opcodes identified in step S1304) is correct.
  • the computing device 102b computes a transaction identifier TxlD 1 of the first transaction Tx ⁇ .
  • the transaction identifier TxlD 1 may be computed using:
  • TxID 1 SHA256d(Tx 1 ) where SHA2S6d is the double SHA256 hash function. This is the standard way of computing the TxID of a transaction in Bitcoin.
  • the computing device 102b verifies that the input data 904 comprises the transaction identifier TxlD 1 of the first transaction Tx ⁇ .
  • the computing device 102b checks that the transaction identifier TxlD 1 is the outpoint of the second transaction Tx 2 from the remaining partial preimage PPI TX2 . Ifthis holds, then it implies (in combination with step S1312) that the hash function (performed using the opcodes identified in step S1304) takes the inputs identified in step 1306.
  • the computing device 102b verifies the confirmation data, Proof TX2 . If this verification is successful it implies that the second transaction Tx 2 has been committed onto the blockchain 150.
  • the confirmation data, Proof TX2 may comprise the Merkle proof of the second transaction Tx 2 .
  • the computing device 102b first computes a transaction identifier TxID 2 of the second transaction Tx 2 using:
  • TXID 2 SHA(partialSHA(mid Tx2 , PPI Tx2 y)
  • TXID 2 SHA(out2)
  • the computing device 102b computes the Merkle root of the second transaction Tx 2 , using the transaction identifier TXID 2 and the received Merkle proof Proof TX2 .
  • the computing device 102b compares the computed Merkle root of the second transaction Tx 2 with the received Merkle proof Proof TX2 .
  • the verification as step S1312 is successful if the computed Merkle root of the second transaction Tx 2 matches the received Merkle proof Proof TX2 .
  • the confirmation data, Proof TX2 may comprise an acceptance message received from a blockchain node 104 indicting that the second transaction is valid, the acceptance message signed with a signature of the blockchain node 104.
  • the computing device 102b verifies the signature of the blockchain node using a public key associated with the blockchain node 104.
  • the verification as step S1312 is successful if the signature of the blockchain node is deemed to be valid. If all the verification steps shown in the process 1300 are successful, Bob is convinced that the message block and J4 3 are part of the preimage of the hash function which provides the output value outl without learning the message block J4 2 .
  • Bob is convinced that the input data 904 of the second transaction Tx 2 comprises an unlocking script that has been used to spend the first transaction Tx r (based on steps 1310 and 1312). Given steps S1304 and S1306 it must be that the hash function has been computed correctly, without Bob needing to learn the input to the compression function in JQ 652. Bob is therefore convinced that the hash function given D as an input has been verified by blockchain nodes (miners) resulting in the expected outl, without the Bob needing to explicitly do any computation of the hash function himself.
  • blockchain nodes miners
  • embodiments of the present disclosure can be generalised to any preimage and verifying the integrity of any sections of it (provided the integrity is checked in sections with the length of a multiple of the block size).
  • the k redacted parts correspond to the first output of the first transaction Tx r and the first input of the second transaction Tx 2
  • the I non-redacted parts correspond to the second output of the first transaction Tx ⁇ and the second input of the second transaction Tx 2 .
  • this ordering can be modified.
  • the opcode COMPFUNCIV does not appear in the first transaction Tx r .
  • the SAMEOUTPOINTS opcode only needs to appear in one output of the first transaction Tx r since Bob sees all outputs of the first transaction Tx r . If that output can be spent, it must be that all the outputs are spent in the same transaction. It may additionally be added to the first and last outputs to ensure that they are not accidentally spent (which would render the second outpoint unspendable).
  • confirmation data comprises an acceptance message indicting that the second transaction is valid, the acceptance message signed with a signature of a blockchain node of a blockchain network.
  • the first transaction further comprises: an unlocking script comprising a signature of a prover associated with the computing device, and a public key associated with the prover.
  • the first transaction further comprises a third locking script comprising a hash of a public key associated with the p rover.
  • the third locking script comprises the output value and at least one midstate of the function 13.
  • the second transaction further comprises prover input data, the prover input data comprising: an unlocking script comprising a signature of a prover associated with the computing device, and a public key associated with the prover.
  • the output data of the second transaction further comprises: a locking script comprising a hash of a public key associated with the prover.
  • the first transaction message comprises an output of the first transaction which is positioned first in an output list of the first transaction, all inputs of the second transaction excluding unlocking scripts, and an output of the second transaction which is positioned first in an output list of the second transaction; and the second transaction message comprises an output of the first transaction which is positioned second in the output list, and all outputs of the second transaction.
  • a method of verifying that at least one data section is part of an input to a function, which outputs an output value when receiving the input, without knowledge of at least one further data section of the input the method performed on a verifying computing device associated with a verifier and comprising: receiving a first transaction; verifying that the first transaction comprises a locking script comprising at least one set of commands, wherein each of the at least one set of commands in the locking script is associated with an operation performed on a respective one of the at least one data section to be revealed to the verifier, and each of the at least one set of commands in the locking script enforces that the first transaction is in an unlocking script in a second transaction; verifying that the first transaction comprises a further locking script comprising at least one set of commands, wherein each of the at least one set of commands in the further locking script is associated with an operation performed on a respective one of at least one further data section to be hidden from the verifier, and each of the at least one set of commands in the further locking script enforces that the first transaction is in an unlocking script
  • a non-transitory computer readable storage medium comprising computer readable instructions that, when read by a computing device, cause the computing device to perform the method of any of clauses 1 to 27.
  • a computing device comprising a processor and memory, the memory storing instructions which, when executed by the processor cause the computing device to perform the method of any of clauses 1 to 27.
  • 31. A method of proving a calculation included a hidden data section of an input data, the method comprising the steps of: generating a first and second transaction, wherein the first and/or second transaction comprise a first midstate, the second midstate, and a final value; and the second transaction comprises unlocking scripts that unlock at least a subset of the locking scripts of the first transaction; broadcasting the first and second transactions to a blockchain, obtaining confirmation data that the second transaction is included on the blockchain, generating a proof to prove that the input data, including the hidden data section, was used to generate the final value, the proof comprising: (i) a third midstate associated with the second transaction, the third midstate computed based on partially conducting a further hash function of at least the section of the second transaction comprising the hidden data section; (ii) the remainder of the data of the second transaction that was not
  • execution of each associated locking and unlocking scripts of the first and second transactions further comprises: a further final hash value being determined; and a comparison of the final hash value to the further final hash value.
  • a method according to any one or more of clauses 31 to 46, further comprising the steps of: receiving the input data to be hashed, the input data comprising the hidden data section wherein the hidden data section is to be hidden from a third party, obtaining the first midstate by partially conducting the hash function on the input data up to but not including the hidden data section, obtaining the second midstate based on the first partial hash value and the hidden data section, and obtaining the final hash value based on the second midstate and a remainder of the input data, and preferably the remainder of the input data is input data which has not been inputted to the hash function.
  • a method of verifying a hash function output without accessing the preimage to said hash function comprising the steps of: obtaining a proof comprising (i) a third midstate associated with a second transaction, the third midstate computed based on partially conducting a hash function of at least a section of the second transaction comprising a data section hidden to a verifier; (ii) the remainder of the second transaction that was not included in the calculation of the third midstate; (iii) a blockchain confirmation proof, and (iv) a first transaction, determining a transaction id of a first transaction and that the second transaction spends at least a subset of the outputs of the first transaction, determining that, upon execution of each associated locking and unlocking scripts of the first and second transactions, a hash of an input data is calculated, determining a transaction id of the second transaction based on the third midstate and the remainder of the second transaction, verifying the blockchain transaction proof is associated with the determined transaction id, verifying that the second transaction is included
  • step of verifying that the second transaction is included in the blockchain comprises: verifying a Merkle root associated with the second transaction and the blockchain transaction proof, obtaining a blockchain block header associated with the second transaction, verifying that the second transaction is included in the blockchain based on the blockchain block header and the Merkle root.
  • a computer implemented data structure associated with blockchain-based data comprising the first and second transactions of any one or more of clauses 31 to 50.
  • a computer program that, when read by a computing device, causes the computing device to perform the method of any one or more of clauses 31 to 50 or the method of clause 51 to 53.
  • a non-transitory computer readable storage medium comprising computer readable instructions that, when read by a computing device, cause the computing device to perform the method of any one or more of clauses 31 to 50 or the method of clause 51 to 53.
  • a computing device comprising a processor and memory, the memory storing instructions which, when executed by the processor cause the computing device to perform the method of any or more of clauses 31 to 50, or the method of clause 51 to 53.
  • a computer system comprising: a proving device configured to conduct the method of any one or more of clauses 31 to 50, and a verifier device configured to conduct the method of any one or more of clauses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

L'invention concerne un procédé consistant à prouver à un vérificateur qu'au moins une section de données est entrée dans une fonction, qui délivre une valeur de sortie lors de la réception de l'entrée, sans révéler au moins une autre section de données de l'entrée. Une première transaction est créée et transmise à un réseau de chaîne de blocs pour la valider vers une chaîne de blocs. La première transaction comprend la valeur de sortie et au moins un état intermédiaire de la fonction. Une seconde transaction est créée et transmise au réseau pour valider la seconde transaction vers la chaîne de blocs. La seconde transaction comprend : des données d'entrée comprenant la première transaction et un second message de transaction ; d'autres données d'entrée comprenant la ou les autres sections de données, la première transaction et un premier message de transaction ; et des données de sortie comprenant la ou les sections de données. Des données de confirmation sont reçues et une preuve est générée pour prouver que la ou les sections de données sont dans l'entrée.
PCT/EP2023/069699 2022-07-22 2023-07-14 Fourniture de preuve et vérification de données d'entrée WO2024017798A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB2210764.3 2022-07-22
GBGB2210764.3A GB202210764D0 (en) 2022-07-22 2022-07-22 Proving and verifying input data
GBGB2219575.4A GB202219575D0 (en) 2022-12-22 2022-12-22 Proving and veryfying input data
GB2219575.4 2022-12-22

Publications (1)

Publication Number Publication Date
WO2024017798A1 true WO2024017798A1 (fr) 2024-01-25

Family

ID=87418850

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/EP2023/069628 WO2024017786A1 (fr) 2022-07-22 2023-07-14 Fourniture de preuve et vérification de données d'entrée
PCT/EP2023/069699 WO2024017798A1 (fr) 2022-07-22 2023-07-14 Fourniture de preuve et vérification de données d'entrée

Family Applications Before (1)

Application Number Title Priority Date Filing Date
PCT/EP2023/069628 WO2024017786A1 (fr) 2022-07-22 2023-07-14 Fourniture de preuve et vérification de données d'entrée

Country Status (1)

Country Link
WO (2) WO2024017786A1 (fr)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018053339A1 (fr) 2016-09-16 2018-03-22 Qualcomm Incorporated Commutation de faisceau
WO2018053337A1 (fr) 2016-09-16 2018-03-22 Oracle International Corporation Injection de politique dynamique et visualisation d'accès pour la détection de menaces
WO2018053336A1 (fr) 2016-09-16 2018-03-22 Medtronic, Inc. Système de caractérisation de colonne vertébrale dorsale utilisant des potentiels évoqués
WO2018053335A1 (fr) 2016-09-16 2018-03-22 Iogen Llc Composition orale d'iode moléculaire et procédé associé
WO2018056431A1 (fr) 2016-09-26 2018-03-29 池田食研株式会社 Procédé de mesure de l-kynurénine et kit de mesure
WO2018056430A1 (fr) 2016-09-23 2018-03-29 株式会社Dnaチップ研究所 Procédé de détection de troubles de l'humeur
WO2018056432A1 (fr) 2016-09-26 2018-03-29 東レ株式会社 Procédé de détection d'hémolyse dans un échantillon sanguin et puce de détection d'hémolyse
CN111399993A (zh) * 2020-03-25 2020-07-10 百度国际科技(深圳)有限公司 一种关联事务请求的跨链实现方法、装置、设备和介质
US20220200792A1 (en) * 2020-12-14 2022-06-23 Commissariat A L'energie Atomique Et Aux Energies Alternatives Selective data disclosure via a block chain
WO2022137173A1 (fr) * 2020-12-22 2022-06-30 Nchain Holdings Ltd Blocage de données sensibles

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018053339A1 (fr) 2016-09-16 2018-03-22 Qualcomm Incorporated Commutation de faisceau
WO2018053337A1 (fr) 2016-09-16 2018-03-22 Oracle International Corporation Injection de politique dynamique et visualisation d'accès pour la détection de menaces
WO2018053336A1 (fr) 2016-09-16 2018-03-22 Medtronic, Inc. Système de caractérisation de colonne vertébrale dorsale utilisant des potentiels évoqués
WO2018053335A1 (fr) 2016-09-16 2018-03-22 Iogen Llc Composition orale d'iode moléculaire et procédé associé
WO2018056430A1 (fr) 2016-09-23 2018-03-29 株式会社Dnaチップ研究所 Procédé de détection de troubles de l'humeur
WO2018056431A1 (fr) 2016-09-26 2018-03-29 池田食研株式会社 Procédé de mesure de l-kynurénine et kit de mesure
WO2018056432A1 (fr) 2016-09-26 2018-03-29 東レ株式会社 Procédé de détection d'hémolyse dans un échantillon sanguin et puce de détection d'hémolyse
CN111399993A (zh) * 2020-03-25 2020-07-10 百度国际科技(深圳)有限公司 一种关联事务请求的跨链实现方法、装置、设备和介质
US20220200792A1 (en) * 2020-12-14 2022-06-23 Commissariat A L'energie Atomique Et Aux Energies Alternatives Selective data disclosure via a block chain
WO2022137173A1 (fr) * 2020-12-22 2022-06-30 Nchain Holdings Ltd Blocage de données sensibles

Also Published As

Publication number Publication date
WO2024017786A1 (fr) 2024-01-25

Similar Documents

Publication Publication Date Title
JP2023531048A (ja) ブロックチェーンネットワークにおけるデータを妥当性確認する方法及び装置
EP4088424A1 (fr) Procédé de génération d'une clé publique
CN116508291A (zh) 默克尔证明实体
US20240064020A1 (en) Blocking sensitive data
US20230134619A1 (en) Method of generating a hash-based message authentication code
JP2024518079A (ja) マルチパーティブロックチェーンアドレス方式
WO2022268429A1 (fr) Chaîne de blocs multi-niveaux
WO2024017798A1 (fr) Fourniture de preuve et vérification de données d'entrée
US20240235848A1 (en) Multi-party blockchain address scheme
JP2024516895A (ja) マルチパーティブロックチェーンアドレス方式
JP2024516894A (ja) マルチパーティブロックチェーンアドレス方式
JP2024524652A (ja) ブロックチェーン・ブロック及び存在証明
GB2609194A (en) Enforcing conditions on blockchain transactions
WO2023135217A1 (fr) Preuve et vérification d'une séquence ordonnée d'événements
KR20240037243A (ko) 블록체인 트랜잭션들에 대한 조건들의 시행
WO2023194189A1 (fr) Preuve et vérification de déclaration
WO2023194187A1 (fr) Preuve et vérification de déclaration
JP2024525887A (ja) ブロックチェーントランザクションに対する条件の強制

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23744132

Country of ref document: EP

Kind code of ref document: A1