CN108021821A - Multi-center blockchain transaction privacy protection system and method - Google Patents

Multi-center blockchain transaction privacy protection system and method

Info

Publication number
CN108021821A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711218249.XA
Other languages
Chinese (zh)
Inventor
伍前红
王沁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Original Assignee
Beihang University
Application filed by Beihang University filed Critical Beihang University
Priority to CN201711218249.XA priority Critical patent/CN108021821A/en
Publication of CN108021821A publication Critical patent/CN108021821A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption

Abstract

The invention discloses a multi-center blockchain transaction privacy protection system and method. The system includes: an alliance management and control module for jointly generating the alliance parameter among multiple parties; an amount verification module for verifying that the encrypted ciphertext amounts are equal across the inputs and outputs of a transaction; a range verification module for verifying that the encrypted ciphertext amount in a transaction lies in a specific interval, so that it is always positive; an encryption module and a decryption module for homomorphically encrypting and decrypting the amount during sending and receiving; and a blockchain system transaction module that provides a complete Bitcoin-like digital currency transaction system, with a transaction flow of sending, receiving, broadcasting and block confirmation. The system provides a general construction for enhancing blockchain transaction privacy under a multi-center supervision model, thereby protecting the privacy of the trapdoor parameter under multi-party joint control and of the transaction metadata during a transaction, and effectively strengthening the security of plaintext amounts in the transaction process of multi-center blockchain-like systems.

Description

Multi-center blockchain transaction privacy protection system and method
Technical field
The present invention relates to cryptography and cryptocurrency technology in the field of information security, and in particular to a multi-center blockchain transaction privacy protection system and method.
Background technology
Blockchain-like transaction systems originate from the Bitcoin digital currency system. In 2008, the Japanese programmer Satoshi Nakamoto designed and released a peer-to-peer decentralized digital currency, Bitcoin. The Bitcoin system proposed a new distributed model based on peer-to-peer networking, eliminating the trusted authority of traditional electronic currency. Bitcoin's anonymity and decentralization drove the rise of a series of cryptography-based Internet currencies. Classified by working principle, these include Bitcoin, Litecoin and Dogecoin, based on PoW (Proof of Work); BitShares, "Intelligent Mill" and BlackCoin, based on PoS (Proof of Stake); and Ethereum, Peercoin and others, based on PoW+PoS.
As the underlying implementation of the Bitcoin system, blockchain technology exhibits decentralization, tamper resistance of information, wide propagation of information and anonymity, and has gradually attracted attention, in-depth research and wide application in academia and industry. In the blockchain 1.0 era, an underlying industrial structure formed around digital currencies such as Bitcoin, giving rise to an industry cluster and industry chain of mining machines, mining pools, digital currencies, payment wallets, exchanges and digital currency gateways. In the blockchain 2.0 era, the focus of technology and applications shifted from pure electronic currency to applications of the underlying blockchain technology, forming a "blockchain + X industry" ecosystem whose categories and industries span widely and are highly independent, covering asset verification, financial services, charity, media and communities, learning and investment, smart contracts, notarization and anti-counterfeiting, e-commerce, social communication, the Internet of Things, file storage and other fields.
However, with the wide spread of blockchain-like transaction systems, two known privacy leakage problems have arisen in system design and operation: 1) the trust problem among members under multi-party supervision, for example in cooperation between alliance chains; 2) the leakage of metadata during a transaction, for example the exposure of plaintext amounts in a transaction.
Summary of the invention
The present invention aims to solve, at least to some extent, one of the technical problems in the related art.
To this end, one object of the present invention is to provide a multi-center blockchain transaction privacy protection system that protects the privacy of the trapdoor parameter under multi-party joint control and of the transaction metadata during a transaction, effectively strengthening the security of plaintext amounts in the transaction process of multi-center blockchain-like systems.
Another object of the present invention is to provide a multi-center blockchain transaction privacy protection method.
To achieve the above objects, an embodiment of one aspect of the present invention proposes a multi-center blockchain transaction privacy protection system, including: an alliance management and control module for jointly generating the alliance parameter among multiple parties; an amount verification module for verifying that the encrypted ciphertext amounts are equal across the inputs and outputs of a transaction; a range verification module for verifying that the encrypted ciphertext amount in a transaction lies in a specific interval, so that it is always positive; an encryption module and a decryption module for homomorphically encrypting and decrypting the amount during sending and receiving; and a blockchain system transaction module that provides a complete Bitcoin-like digital currency transaction system, with a transaction flow of sending, receiving, broadcasting and block confirmation.
The multi-center blockchain transaction privacy protection system of the embodiment of the present invention can use a threshold encryption and decryption scheme to protect the privacy of the generated trapdoor parameter under multi-party joint control; use a homomorphic encryption scheme to encrypt and decrypt amounts, strengthening amount privacy during transmission; and use range commitment proofs and indicative commitment proofs to ensure that the hidden transaction value is always positive and that the totals before and after the transaction are consistent. It thereby protects the privacy of the trapdoor parameter under multi-party joint control and of the transaction metadata during a transaction, effectively strengthening the security of plaintext amounts in the transaction process of multi-center blockchain-like systems.
In addition, the multi-center blockchain transaction privacy protection system according to the above embodiment of the present invention may also have the following additional technical features:
Further, in one embodiment of the invention, let Π_1 = (rdmPara, coN, BipriTest, KeyGen) denote the RSA threshold key scheme, where rdmPara, coN, BipriTest and KeyGen are respectively the threshold parameter distribution, joint generation of the modulus integer, biprimality test and alliance parameter generation in the RSA threshold key scheme. Let Π_2 = (PKeyGen, PEnc, PDec) denote the homomorphic encryption and decryption scheme, where PKeyGen, PEnc and PDec are respectively the key generation, encryption and decryption algorithms in the homomorphic encryption and decryption scheme. Let Π_3 = (TKeyGen, TCom, TVer, TIndic) denote the indicative commitment proof scheme, where TKeyGen, TCom, TVer and TIndic are respectively the key generation, commitment, verification and indication algorithms in the indicative commitment proof scheme. Let Π_4 = (RKeyGen, RCom, RVer, RInact) denote the range commitment proof scheme, where RKeyGen, RCom, RVer and RInact are respectively the key generation, commitment, verification and interaction algorithms in the scheme. Let Π_5 = (TIn, TOut, TBroad, BCfm) denote the blockchain-like transaction system scheme, where TIn, TOut, TBroad and BCfm are respectively the transaction sending, transaction receiving, transaction broadcast and block confirmation in the blockchain-like transaction system scheme.
Further, in one embodiment of the invention, the blockchain transaction system includes a transaction layer and a validation layer. The transaction layer performs the transaction steps of the blockchain transaction system, including transaction order generation, input and output, and broadcast and confirmation, and shows the encrypted metadata on the transaction order in place of the original plaintext. The validation layer verifies whether the encrypted data satisfies value consistency and lies within a particular range.
Further, in one embodiment of the invention, the alliance management and control module is used for the alliance members, according to the block parameters obtained by distribution, to reach consensus and jointly generate the system transaction parameter N, where no member can learn its trapdoor factorization unless the threshold condition is reached. The blockchain system transaction module is used for the transaction system to take the security parameter and the alliance parameter as input and to output the public and private key pairs (pk_i, sk_i) generated for the encryption and decryption operations, while also outputting a public key pk_d used for verification; this public key has no paired private key. The blockchain system transaction module is used to calculate the total input value of a transaction: if the transaction order is the first order of a newly confirmed block, the transaction order obtains an extra bitcoin fee as a reward, and the total input value is the sum obtained by operating on this plaintext part together with the original ciphertext; if the transaction order is not the first order of a newly confirmed block, there is no extra income, and the total input value is the value transferred by the previous transaction. The encryption module is used for parallel encryption, meaning that the transaction metadata is encrypted simultaneously in the transaction layer and the validation layer: in the transaction layer the system encrypts each transferred amount with the corresponding recipient's public key, while in the validation layer it encrypts each of the same amounts with the system public key. The amounts encrypted in the transaction layer are sent to each recipient's account after the validation layer passes. Note that the encrypted amounts sent in the validation layer enter the validation layer account; this account has no private key, and the amount is discarded after verification. The encryption module and decryption module are used for the validation layer to verify whether the hidden amount is positive and whether the input and output totals are equal. The validation layer proceeds in two steps: in the first step, the proof that a committed value lies in a specific interval shows that the hidden amount is always positive; when this holds, that is, once the validation layer has verified that the hidden amount is positive, the validation layer enters the second step, in which the proof that two committed values are equal shows that the hidden totals before and after input and output are equal; when both steps hold, the sending stage of the transaction layer is entered. The decryption module is used for the recipient, after checking that the result is correct, to broadcast the transaction order to the whole network and wait for confirmation; after processing, the original plaintext information appears on the transaction order as indistinguishable hidden ciphertext, so as to protect the privacy of the part of the transaction process that could be analyzed. The blockchain system transaction module is used for the transaction layer, after the validation layer verification passes, to send the encrypted amount to the recipient, who decrypts it with the recipient's own private key; after the recipient checks that the received amount is correct, the next transaction proceeds, and the recipient's received value is the input value of the next order.
Further, in one embodiment of the invention, the alliance members secretly choose integers p_i and q_i, running the rdmPara algorithm of Π_1; compute the modulus integer N, running the coN algorithm of Π_1; perform the biprimality test, in which the alliance members use the algorithm to ensure that the large integer N is the product of two primes, running the BipriTest algorithm of Π_1; and generate the alliance parameter and threshold key, running the KeyGen algorithm of Π_1 to obtain the alliance key.
Further, in one embodiment of the invention, the transaction metadata is encrypted, running the PEnc algorithm of Π_2; the transaction metadata is decrypted, running the PDec algorithm of Π_2; and homomorphic operations are performed on ciphertexts, running the POper algorithm of Π_3.
Further, in one embodiment of the invention, given (m, m'), a commitment to the plaintext secret is computed, running the TCom algorithm of Π_3; the validity of the commitment value is verified, running the TVer algorithm of Π_3; and an indicative commitment is made over the different ciphertext values produced by the transaction to verify whether they contain the same metadata, running the TIndic algorithm of Π_3.
Further, in one embodiment of the invention, the total value at the transaction input is calculated, running the TIn algorithm of Π_5; the transaction output is pointed to according to the path, running the TOut algorithm of Π_5; the transaction order is broadcast to the whole network, running the TBroad algorithm of Π_5; and miners confirm the transaction order and generate a block according to the consensus mechanism, running the BCfm algorithm of Π_5.
To achieve the above objects, an embodiment of another aspect of the present invention proposes a multi-center blockchain transaction privacy protection method, comprising the following steps. The alliance members, according to the block parameters obtained by distribution, reach consensus and jointly generate the system transaction parameter N, where no member can learn its trapdoor factorization unless the threshold condition is reached. The transaction system takes the security parameter and the alliance parameter as input and outputs the public and private key pairs (pk_i, sk_i) generated for the encryption and decryption operations, while also outputting a public key pk_d used for verification; this public key has no paired private key. The total input value of the transaction is calculated: if the transaction order is the first order of a newly confirmed block, the transaction order obtains an extra bitcoin fee as a reward, and the total input value is the sum obtained by operating on this plaintext part together with the original ciphertext; if the transaction order is not the first order of a newly confirmed block, there is no extra income, and the total input value is the value transferred by the previous transaction. Parallel encryption means that the transaction metadata is encrypted simultaneously in the transaction layer and the validation layer: in the transaction layer the system encrypts each transferred amount with the corresponding recipient's public key, while in the validation layer it encrypts each of the same amounts with the system public key. The amounts encrypted in the transaction layer are sent to each recipient's account after the validation layer passes. Note that the encrypted amounts sent in the validation layer enter the validation layer account; this account has no private key, and the amount is discarded after verification. The validation layer verifies whether the hidden amount is positive and whether the input and output totals are equal. The validation layer proceeds in two steps: in the first step, the proof that a committed value lies in a specific interval shows that the hidden amount is always positive; when this holds, that is, once the validation layer has verified that the hidden amount is positive, the validation layer enters the second step, in which the proof that two committed values are equal shows that the hidden totals before and after input and output are equal; when both steps hold, the sending stage of the transaction layer is entered. After checking that the result is correct, the recipient broadcasts the transaction order to the whole network and waits for confirmation; after processing, the original plaintext information appears on the transaction order as indistinguishable hidden ciphertext, so as to protect the privacy of the part of the transaction process that could be analyzed. After the validation layer verification passes, the transaction layer sends the encrypted amount to the recipient, who decrypts it with the recipient's own private key; after the recipient checks that the received amount is correct, the next transaction proceeds, and the recipient's received value is the input value of the next order.
The multi-center blockchain transaction privacy protection method of the embodiment of the present invention can use a threshold encryption and decryption scheme to protect the privacy of the generated trapdoor parameter under multi-party joint control; use a homomorphic encryption scheme to encrypt and decrypt amounts, strengthening amount privacy during transmission; and use range commitment proofs and indicative commitment proofs to ensure that the hidden transaction value is always positive and that the totals before and after the transaction are consistent. It thereby protects the privacy of the trapdoor parameter under multi-party joint control and of the transaction metadata during a transaction, effectively strengthening the security of plaintext amounts in the transaction process of multi-center blockchain-like systems.
In addition, the multi-center blockchain transaction privacy protection method according to the above embodiment of the present invention may also have the following additional technical features:
Further, in one embodiment of the invention, let Π_1 = (rdmPara, coN, BipriTest, KeyGen) denote the RSA threshold key scheme, where rdmPara, coN, BipriTest and KeyGen are respectively the threshold parameter distribution, joint generation of the modulus integer, biprimality test and alliance parameter generation in the RSA threshold key scheme. Let Π_2 = (PKeyGen, PEnc, PDec) denote the homomorphic encryption and decryption scheme, where PKeyGen, PEnc and PDec are respectively the key generation, encryption and decryption algorithms in the homomorphic encryption and decryption scheme. Let Π_3 = (TKeyGen, TCom, TVer, TIndic) denote the indicative commitment proof scheme, where TKeyGen, TCom, TVer and TIndic are respectively the key generation, commitment, verification and indication algorithms in the indicative commitment proof scheme. Let Π_4 = (RKeyGen, RCom, RVer, RInact) denote the range commitment proof scheme, where RKeyGen, RCom, RVer and RInact are respectively the key generation, commitment, verification and interaction algorithms in the scheme. Let Π_5 = (TIn, TOut, TBroad, BCfm) denote the blockchain-like transaction system scheme, where TIn, TOut, TBroad and BCfm are respectively the transaction sending, transaction receiving, transaction broadcast and block confirmation in the blockchain-like transaction system scheme.
Further, in one embodiment of the invention, the blockchain transaction system includes the transaction layer and the validation layer. The transaction layer performs the transaction steps of the blockchain transaction system, including transaction order generation, input and output, and broadcast and confirmation, and shows the encrypted metadata on the transaction order in place of the original plaintext. The validation layer verifies whether the encrypted data satisfies value consistency and lies within a particular range.
Additional aspects and advantages of the present invention will be set forth in part in the following description, and in part will become apparent from that description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily understood from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a structural diagram of the multi-center blockchain transaction privacy protection system according to one embodiment of the invention;
Fig. 2 is the general scheme flow chart according to one embodiment of the invention;
Fig. 3 is the concrete scheme flow chart according to one embodiment of the invention;
Fig. 4 is the system transaction flow figure according to one embodiment of the invention;
Fig. 5 is a flow chart of the multi-center blockchain transaction privacy protection method according to one embodiment of the invention.
Embodiment
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary, are intended to explain the present invention, and are not to be construed as limiting it.
Before the multi-center blockchain transaction privacy protection system and method are introduced, the design principles of blockchain-like systems are first briefly described.
The embodiment of the present invention analyses in depth the design principles of such blockchain systems and, using a cryptographic threshold generation mechanism, a homomorphic encryption and decryption scheme, and commitment and zero-knowledge proof methods, proposes a general construction that solves the above problems, and gives a concrete instantiation built from existing cryptographic tools.
The threshold generation mechanism protects the privacy of the generated trapdoor parameter under multi-party joint control. The scheme adopts the protocol proposed by Dan Boneh for jointly generating the RSA (RSA algorithm, RSA encryption algorithm) modulus integer of the system. The protocol lets multiple parties jointly generate the system parameter, namely the large RSA integer N, while no single party knows the factors p and q of that integer. For the system to run normally, consensus among multiple participants must be obtained before the parameter can be generated and operation guaranteed, yet no party can learn the trapdoor prime factors after generation. The mechanism fairly protects the interests of the participants, gives the transmission and operation of the system a distributed character, and also protects the privacy of the trapdoor parameter, ensuring the overall security of the system.
The homomorphic encryption scheme hides the plaintext amounts in a transaction: the scheme uses the Paillier cryptosystem to encrypt plaintext transaction amounts for transmission. The cryptosystem was proposed by Pascal Paillier in 1999; its hardness is based on the composite residuosity class problem, and it is secure against chosen-plaintext attack in the standard model. It has an additive homomorphic property, so that the corresponding addition and subtraction of plaintexts is realized by multiplying the encrypted ciphertexts; this property is applied to the verification process without revealing private data. Besides the homomorphic property, the cryptosystem is also efficient: the scheme can be computed quickly through precomputation and the Chinese remainder theorem, so that the encryption and decryption steps fit within Bitcoin transaction time.
After encryption with the cryptosystem, the generated ciphertexts appear in each transaction order. To ensure that the plaintexts hidden in the ciphertexts satisfy the requirements of being positive and of having equal sums, the scheme verifies them with commitment proofs and zero-knowledge proofs. The range proof that a committed value lies in a specific interval (Range Proof) uses the method proposed by 伍前红 et al. in 2004, which, with relatively simple steps and small expansion, makes it provable that the secret amount remains positive. The indicative commitment proof that two committed values are equal (Balance) uses the idea of equal hash-mapped values to verify, without revealing the committed amounts, that two commitment values contain the same secret value. Both proof schemes have the zero-knowledge property, which ensures that the encrypted amounts are not leaked during verification and improves the privacy protection of metadata in a transaction.
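The additive homomorphism and the input/output balance check described above, as an added Python example that is not code from the patent. It uses textbook Paillier with g = N + 1 and toy Mersenne-prime keys, and in place of the patent's commitment-equality proof it uses a simpler check in which the sender reveals the combined encryption randomness `rho`; the function names and the single recipient key are assumptions.

```python
import math
import secrets

# Toy primes (Mersenne primes, constructed for this demo; far too small and
# structured for real use). In the patent N is generated jointly, so no single
# party knows p and q; here they are fixed locally as a stand-in.
SYS_P, SYS_Q = (1 << 89) - 1, (1 << 107) - 1   # validation-layer (system) key
RCV_P, RCV_Q = (1 << 61) - 1, (1 << 127) - 1   # one recipient's key (assumed)


def keygen(p, q):
    """Return (N, private key) for Paillier with generator g = N + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))


def rand_unit(n):
    """Random r in Z_N^* used as encryption randomness."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r


def enc(n, m, r=None):
    """E(m; r) = (1 + N)^m * r^N mod N^2. Returns (ciphertext, r)."""
    r = rand_unit(n) if r is None else r
    n2 = n * n
    return (1 + (m % n) * n) * pow(r, n, n2) % n2, r


def dec(n, sk, c):
    """Decrypt with the private key; only the transaction layer can do this."""
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def product(values, mod):
    acc = 1
    for v in values:
        acc = acc * v % mod
    return acc


def build_tx(n_sys, rcv_n, inputs, outputs):
    """Sender side: encrypt every amount in both layers in parallel."""
    enc_in = [enc(n_sys, m) for m in inputs]
    enc_out = [enc(n_sys, m) for m in outputs]
    r_in = product([r for _, r in enc_in], n_sys)
    r_out = product([r for _, r in enc_out], n_sys)
    return {
        # transaction layer: amounts under the recipient's public key
        "pay": [enc(rcv_n, m)[0] for m in outputs],
        # validation layer: the same amounts under the system public key
        "c_in": [c for c, _ in enc_in],
        "c_out": [c for c, _ in enc_out],
        # witness: combined randomness; says nothing about single amounts
        "rho": r_in * pow(r_out, -1, n_sys) % n_sys,
    }


def verify_balance(n_sys, tx):
    """Validation layer: needs only N, never a private key.

    prod(c_in) == prod(c_out) * rho^N (mod N^2) holds exactly when
    sum(inputs) == sum(outputs) (mod N).
    """
    n2 = n_sys * n_sys
    lhs = product(tx["c_in"], n2)
    rhs = product(tx["c_out"], n2) * pow(tx["rho"], n_sys, n2) % n2
    return lhs == rhs


def demo():
    n_sys, _unused = keygen(SYS_P, SYS_Q)   # verifier ignores the private part
    rcv_n, rcv_sk = keygen(RCV_P, RCV_Q)
    ok = build_tx(n_sys, rcv_n, [70, 30], [55, 45])
    bad = build_tx(n_sys, rcv_n, [70, 30], [55, 46])
    # An output of N - 5 acts as -5 mod N: the sums still match, which is
    # why the range check has to pass before the balance check is trusted.
    wrap = build_tx(n_sys, rcv_n, [10], [15, n_sys - 5])
    return {
        "balanced": verify_balance(n_sys, ok),
        "unbalanced": verify_balance(n_sys, bad),
        "wraparound": verify_balance(n_sys, wrap),
        "received": [dec(rcv_n, rcv_sk, c) for c in ok["pay"]],
    }


if __name__ == "__main__":
    print(demo())
```

The wraparound case passes the balance check on its own, which is the reason the validation layer runs the range proof as its first step and the equality proof only as its second.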
The embodiment of the present invention addresses security requirements at the national level. Following the above principles, it designs a general blockchain transaction privacy protection scheme under multi-party control, meeting the practical need for joint control and privacy enhancement in such transaction systems.
For the above reasons, the embodiment of the present invention proposes a multi-center blockchain transaction privacy protection system and method.
The multi-center blockchain transaction privacy protection system and method proposed according to the embodiments of the present invention are described below with reference to the accompanying drawings, beginning with the system.
Fig. 1 is a structural diagram of the multi-center blockchain transaction privacy protection system of one embodiment of the invention.
As shown in Fig. 1, the multi-center blockchain transaction privacy protection system 10 includes: a consortium control module 100, an amount verification module 200, a range verification module 300, an encryption module 400, a decryption module 500 and a blockchain system transaction module 600.
The consortium control module 100 is used for multiple parties to jointly generate the consortium parameters. The amount verification module 200 is used to verify that the encrypted ciphertext amounts of a transaction's inputs and outputs are equal. The range verification module 300 is used to verify that the encrypted ciphertext amounts in a transaction lie in a specific interval, so that they are always positive. The encryption module 400 and the decryption module 500 are used to homomorphically encrypt and decrypt amounts during sending and receiving. The blockchain system transaction module 600 is a complete Bitcoin-like digital currency transaction system with a transaction flow of sending, receiving, broadcasting and block confirmation. The system 10 of the embodiment of the present invention provides a general construction for enhancing blockchain transaction privacy under a multi-center supervision model. It thereby protects the privacy of the trapdoor parameters under multi-party joint control and of the transaction metadata during transactions, and effectively strengthens the security of plaintext amounts in the transaction process of multi-center blockchain-like systems.
It can be understood that the embodiment of the present invention can be used to strengthen the security of plaintext amounts in the transaction process of multi-center blockchain-like systems, and is especially suitable for transaction privacy protection in consortium-chain mode. It designs a general construction that provides transaction privacy protection under multi-party joint control. The construction is built from modules, which in turn realize consortium control, homomorphic encryption, zero-knowledge proof and trusted transactions. The modules are: 1. joint control module 100: multiple parties jointly generate the consortium trapdoor parameters; 2. amount verification module 200: verifies that the encrypted ciphertext amounts of a transaction's inputs and outputs are equal; 3. range verification module 300: verifies that the encrypted ciphertext amounts in a transaction lie in a specific interval, i.e. are always positive; 4. homomorphic encryption/decryption module, comprising the encryption module 400 and the decryption module 500: homomorphically encrypts and decrypts amounts during sending and receiving; 5. blockchain transaction module 600: a complete Bitcoin-like digital currency transaction system with a transaction flow of sending, receiving, broadcasting and block confirmation. The embodiment of the present invention uses a threshold encryption/decryption system to protect the privacy of the trapdoor parameters under multi-party joint control, uses a homomorphic encryption system to protect the privacy of the transaction metadata (the plaintext amounts) during transactions, and uses zero-knowledge proofs and commitment proofs to ensure that the hidden amounts in a transaction are always positive and that the input and output totals are equal.
Further, in one embodiment of the invention, let Π1=(rdmPara, coN, BipriTest, KeyGen) denote the RSA threshold key scheme, where rdmPara, coN, BipriTest and KeyGen are respectively the threshold parameter distribution, joint generation of the modulus integer, biprimality test and consortium parameter generation of the RSA threshold key scheme. Let Π2=(PKeyGen, PEnc, PDec) denote the homomorphic encryption/decryption scheme, where PKeyGen, PEnc and PDec are respectively its key generation, encryption and decryption algorithms. Let Π3=(TKeyGen, TCom, TVer, TIndic) denote the indicative commitment proof scheme, where TKeyGen, TCom, TVer and TIndic are respectively its key generation, commitment, verification and indication algorithms. Let Π4=(RKeyGen, RCom, RVer, RInact) denote the range commitment proof scheme, where RKeyGen, RCom, RVer and RInact are respectively its key generation, commitment, verification and interaction algorithms. Let Π5=(TIn, TOut, TBroad, BCfm) denote the blockchain-like transaction system scheme, where TIn, TOut, TBroad and BCfm are respectively its transaction sending, transaction receiving, transaction broadcast and block confirmation.
It is understood that as shown in Fig. 2, the embodiment of the present invention can list the cryptography instrument that general construction is used, And the cryptography master tool used is needed when mainly providing construction universal architecture, including threshold generation system, homomorphism encryption and decryption System, promise to undertake proof system, zero-knowledge proof system and block chain transaction system.The simple of these master tools is provided first Definition, then respectively describes each cipher system in detail, wherein, it will be situated between in detail to each cipher system below Continue.The simple definition of master tool:
Make Π1=(rdmPara, coN, BipriTest, KeyGen) represents RSA thresholding cipher key schemes, wherein rdmPara, CoN, BipriTest and KeyGen are respectively threshold parameter distribution, joint generation mould integer, double primality tests and connection in scheme Alliance's parameter generation.
Make Π2=(PKeyGen, PEnc, PDec) represents homomorphism encryption and decryption scheme, and wherein PKeyGen, PEnc and PDec divide Key generation that Wei be in scheme, algorithms for encryption and decryption.
Make Π3=(TKeyGen, TCom, TVer, TIndic) promises to undertake proof, wherein TKeyGen, TCom for representative, TVer and TIndic is respectively that the key in scheme is generated, promised to undertake, verifying and the property shown algorithm.
Make Π4=(RKeyGen, RCom, RVer, RInact) represent scope promise to undertake proof scheme, wherein RKeyGen, RCom, RVer and RInact are respectively key generation, promise, verification and interactive algorithm in scheme.
Make Π5=(TIn, TOut, TBroad, BCfm) represents class block chain transaction system scheme, wherein TIn, TOut, TBroad and BCfm is respectively that the transaction in scheme sends (input terminal of trading card), transaction acceptance (output terminal of trading card), Transaction broadcast and block confirm.
Further, in one embodiment of the invention, the blockchain transaction system includes a transaction layer and a validation layer. The transaction layer performs the transaction steps of the blockchain transaction system, including transaction generation, input and output, and broadcast confirmation, and the encrypted metadata replaces the original plaintext shown in the transaction. The validation layer verifies whether the encrypted data satisfies value consistency and lies within a particular range.
It can be understood that the blockchain transaction system is divided into two layers: 1. Transaction layer: performs the transaction steps of the blockchain transaction system, including transaction generation, input and output, broadcast confirmation and so on. The encrypted metadata replaces the original plaintext and is shown in the transaction. This layer mainly calls the modules MEnc and Tx. 2. Validation layer (Verification layer): runs in parallel with the transaction layer and verifies whether the encrypted data satisfies value consistency and lies within a particular range. This layer mainly calls the modules MEnc, BalanceVer and RangeVer. Note that the transaction layer and the validation layer both call the module MEnc to encrypt the transaction metadata, but they use different public keys and therefore generate different ciphertexts/commitment values. The ciphertext of the transaction layer is used for the actual transaction; the ciphertext of the validation layer is used for the consistency and range verification.
Further, in one embodiment of the invention, the consortium control module 100 is used for the consortium members, based on the parameter shares distributed to them, to reach consensus and jointly generate the parameter N for system transactions, where no member can learn its trapdoor factorization unless the threshold condition is met. The blockchain system transaction module 600 is used for the transaction system to take the security parameter and the consortium parameter as input and to output the public/private key pair (pk_i, sk_i) used for encryption and decryption, together with the public key pk_d used for verification, which has no paired private key. The blockchain system transaction module 600 is also used to calculate the total input value of a transaction: if the transaction belongs to a newly confirmed block, it receives an additional bitcoin fee as a reward, and the total input value is the sum obtained by operating this plaintext part together with the original ciphertext; if the transaction is not the first transaction of a newly confirmed block, there is no additional income and the total input value is the value passed from the previous transaction. The encryption module 400 is used for parallel encryption, meaning that the transaction metadata is encrypted in the transaction layer and the validation layer at the same time: in the transaction layer the system encrypts each amount to be sent under the corresponding recipient's public key, while in the validation layer it encrypts each of the same amounts under the system public key. The amounts encrypted in the transaction layer are sent to each recipient's account after the validation layer has passed. The encrypted amounts sent in the validation layer go to the validation layer account; note that this account has no private key, and the amount is discarded after verification. The encryption module 400 and the decryption module 500 are used for the validation layer to verify whether the hidden amounts are positive and whether the input and output totals are equal. The validation layer works in two steps. In the first step, a proof that the committed value lies in a specific interval shows that the hidden amount is always positive. When this holds, the validation layer enters the second step, in which a proof of equality of two committed values shows that the hidden input and output totals are equal. When this step also holds, the sending stage of the transaction layer begins. The decryption module 500 is used for the recipient, after checking that everything is correct, to broadcast the transaction to the whole network and wait for confirmation; after processing, the original plaintext information on the transaction is hidden as indistinguishable ciphertext, which protects the privacy of the only part of the transaction process that could be analyzed. The blockchain system transaction module 600 is used so that, after the validation layer has passed, the transaction layer sends the encrypted amount to the recipient, who decrypts it with their own private key. After the recipient has checked that the received amount is correct, the next transaction proceeds, and the recipient's received value is the input value of that next transaction.
Specifically, the blockchain transaction system can be divided into eight steps:
Step 1: Consortium parameter generation/ParaGen: based on the parameter shares distributed to them, the consortium members reach consensus and jointly generate the parameter N for system transactions, where no member can learn its trapdoor factorization unless the threshold condition is met.
Step 2: Transaction system initialization/KeyGen: the transaction system takes the security parameter and the consortium parameter generated in the previous step as input, and outputs the public/private key pair (pk_i, sk_i) used for encryption and decryption, together with the public key pk_d used for verification; note that this public key has no paired private key;
Step 3: Calculate the input total/Insum: calculate the total input value of the transaction, i.e. the previous transaction plus the total mining income (for a non-initial blockchain this income item is absent); if the transaction belongs to a newly confirmed block, it receives an additional bitcoin fee as a reward, and the total income is the sum obtained by operating this plaintext part together with the original ciphertext; if the transaction is not the first transaction of a newly confirmed block, there is no additional income and the total income is the value passed from the previous transaction;
Step 4: Parallel encryption/Parallel Encrypt: parallel encryption means that the transaction metadata is encrypted in the transaction layer and the validation layer at the same time. In the transaction layer the system encrypts each amount to be sent under the corresponding recipient's public key, while in the validation layer it encrypts each of the same amounts under the system public key; the amounts encrypted in the transaction layer are sent to each recipient's account after the validation layer has passed; the encrypted amounts sent in the validation layer go to the validation layer account; note that this account has no private key, and the amount is discarded after verification;
Step 5: Range commitment verification/Range Proof: the validation layer verifies whether the hidden amounts are positive and whether the input and output totals are equal; the validation layer works in two steps, and in the first step a proof that the committed value lies in a specific interval shows that the hidden amount is always positive; when this step holds, verification proceeds to the next step;
Step 6: Indicative commitment verification/Balance: after the validation layer has verified that the hidden amounts are positive, it enters the second step, in which a proof of equality of two committed values shows that the hidden input and output totals are equal; when both steps hold, the sending stage of the transaction layer begins; The step is called
Step 7: Broadcast confirmation/Broadcast: after checking that everything is correct, the recipient broadcasts the transaction to the whole network and waits for confirmation; after processing by this scheme, the original plaintext information on the transaction is hidden as indistinguishable ciphertext, which protects the privacy of the only part of the transaction process that could be analyzed.
Step 8: Decryption/Decrypt: after the validation layer has passed, the transaction layer sends the encrypted amount to the recipient, who decrypts it with their own private key; after the recipient has checked that the received amount is correct, the next transaction proceeds; the recipient's received value is the input value of the next transaction.
Further, define Π=(CoParaGen, MEnc, RangeVer, BalanceVer, Tx) as the general construction of the multi-center supervised blockchain transaction privacy protection scheme; its components denote, in order, consortium parameter generation, encryption of the metadata amount items, the ciphertext range commitment proof, the ciphertext indicative commitment proof, and the blockchain transaction. Each cryptosystem is described in detail below.
Optionally, in one embodiment of the invention: the consortium members secretly choose integers p_i and q_i, running the rdmPara algorithm of Π1; the modulus integer N is calculated, running the coN algorithm of Π1; in the biprimality test, the consortium members run the BipriTest algorithm of Π1 to ensure that the large integer N is the product of two primes; and for consortium parameter and threshold key generation, the KeyGen algorithm of Π1 is run to obtain the consortium key.
It can be understood that: (1) The consortium members secretly choose integers p_i and q_i, running the rdmPara algorithm of Π1 to distribute parameters. (2) The modulus integer N is calculated by running the coN algorithm of Π1: N = pq = (p_i+...+p_k)(q_i+...+q_k). (3) Biprimality test: the consortium members run the BipriTest algorithm of Π1 to ensure that the large integer N is the product of two primes; the test must pass. (4) Consortium parameter and threshold key generation: the KeyGen algorithm of Π1 is run to obtain the consortium key. MEnc(m, pk, c, sk): define the message m ∈ {0,1}*
Specifically, generation of the RSA threshold key (Generation of Shared RSA Key):
The consortium members jointly generate the consortium trapdoor parameter N without knowing its factorization, which prevents a single malicious member or a small number of malicious members from attacking the transaction system. Only after the consortium members reach consensus can the factorization of the large integer N be obtained and the encrypted transaction amount ciphertexts be decrypted. This property is well suited to multi-center supervision.
Definition 1 (threshold RSA): Define Π1=(rdmPara, coN, BipriTest, KeyGen) to denote the RSA threshold key scheme, where rdmPara, coN, BipriTest and KeyGen are respectively the threshold parameter distribution, joint generation of the large integer, biprimality test and consortium parameter generation in the scheme. They are defined as follows:
rdmPara(1^k): the consortium members secretly choose integers p_i and q_i and perform a trial-division range test.
coN(p_i, q_i): calculates the modulus integer N and performs a trial-division range test, where N = pq = (p_i+...+p_k)(q_i+...+q_k).
BipriTest(N): biprimality test. The consortium members use this algorithm to ensure that the large integer N is the product of two primes.
KeyGen(N, d): consortium parameter and threshold key generation.
Optionally, in one embodiment of the invention: the transaction metadata is encrypted by running the PEnc algorithm of Π2; the transaction metadata is decrypted by running the PDec algorithm of Π2; and a homomorphic operation is performed on ciphertexts by running the POper algorithm of Π3.
It can be understood that the encryption and decryption of transaction data consists of the following parts:
(1) Encrypt the transaction metadata. Run the PEnc algorithm of Π2: c = PEnc(pk, m).
(2) Decrypt the transaction metadata. Run the PDec algorithm of Π2: m = PDec(sk, c).
(3) Perform a homomorphic operation on ciphertexts. Run the POper algorithm of Π3: PDec(PEnc(m_i)·PEnc(m_j) mod n^2) = m_i + m_j mod n.
Specifically, the homomorphic encryption/decryption system (Homomorphic Cryptosystem):
Homomorphic encryption is a kind of public-key encryption, a cryptographic technique based on the computational complexity of hard mathematical problems. The encryption system is homomorphic: an operation on plaintexts can be carried out as an operation on ciphertexts. That is, processing the encrypted data yields an output which, when decrypted, is the same as the output obtained by processing the unencrypted original data in the same way. By type of operation, homomorphic encryption systems are divided into additively homomorphic, multiplicatively homomorphic and mixed homomorphic algorithms. A homomorphic encryption scheme generally comprises four (probabilistic) polynomial-time algorithms.
Definition 2 (homomorphic encryption): Define Π2=(PKeyGen, PEnc, PDec, POper) to denote a homomorphic encryption scheme, where PKeyGen, PEnc, PDec and POper are respectively the key generation, encryption, decryption and operation algorithms in the scheme. They are defined as follows:
PKeyGen(1^k): a probabilistic polynomial-time algorithm. It takes 1^k as input and outputs the recipient's public/private key pair (pk, sk).
PEnc(pk, m): a probabilistic polynomial-time algorithm. It takes the public key pk and a message m ∈ M as input and outputs the ciphertext c = PEnc(pk, m).
PDec(sk, c): a deterministic polynomial-time algorithm. It takes the private key sk and a ciphertext c as input and outputs the message m or the symbol ⊥ (indicating that c is an invalid ciphertext).
POper(c_i, c_j): a probabilistic polynomial-time algorithm. It takes two ciphertexts produced by the homomorphic encryption algorithm and performs a polynomial number of operations on them; the result satisfies the homomorphic property PDec(PEnc(m_i)·PEnc(m_j) mod n^2) = m_i + m_j mod n.
A homomorphic encryption scheme must also satisfy correctness and homomorphism. Correctness means that for all (pk, sk) ← PKeyGen(1^k) and all messages m ∈ M, PDec(sk, PEnc(pk, m)) = m. Homomorphism means that PDec_sk(PEnc_pk(m_i)·PEnc_pk(m_j) mod n^2) = m_i + m_j mod n.
Optionally, in one embodiment of the invention: given (m, m'), a commitment is computed for the plaintext secret by running the TCom algorithm of Π3; the validity of the commitment value is verified by running the TVer algorithm of Π3; and an indicative commitment check on the different ciphertext values produced by a transaction verifies whether they contain the same metadata, by running the TIndic algorithm of Π3.
It can be understood that BalanceVer(m, m', pk) confirms the amount consistency of commitment values. It consists of:
(1) Given (m, m'), compute a commitment for the plaintext secret. Run the TCom algorithm of Π3: TCom(pk, r, r', m, m') → (C, C').
(2) Verify the validity of the commitment value. Run the TVer algorithm of Π3: TVer(pk, r, m, C) → 1/0. If the output is 1, the generated commitment value is valid; otherwise output 0 and terminate.
(3) Perform an indicative commitment check on the different ciphertext values produced by the transaction to verify whether they contain the same metadata. Run the TIndic algorithm of Π3: TIndic(sk, C, C') → 1/0. If the output is 1, the two commitment values contain the same secret metadata; otherwise output 0 and terminate.
In addition, RangeVer(m, [a, b], pk) confirms the range of a commitment value. It consists of:
(1) Given the plaintext metadata m, compute a commitment for the plaintext secret. Run the RCom algorithm of Π4: RCom(pk, r, m) → C.
(2) Verify the validity of the commitment value. Run the RVer algorithm of Π4: RVer(pk, r, m, C) → 1/0. If the output is 1, the generated commitment value is valid; otherwise output 0 and terminate.
(3) Perform a range commitment check on the different ciphertext values produced by the transaction to verify whether they lie in a specific interval. Run the interactive RInact algorithm of Π4: RInact(sk, [a, b], C) → 1/0. If the output is 1, the secret metadata contained in the commitment value lies in the interval [a, b]; otherwise output 0 and terminate.
Specifically, the indicative commitment proof (Indicative Commitment Proof):
The indicative commitment proof is a special kind of commitment scheme. A traditional commitment operates on a commitment value according to trapdoor information, whereas the trapdoor indicative commitment operates on two commitment values. Its distinguishing property is that only a party holding the trapdoor information can determine whether the secret values in two commitments are equal, yet that party cannot open the commitments. Conceptually, the distinguishing feature is that the output of the scheme is a decision, 1 or 0, rather than a specific commitment value. The scheme outputs 1 if and only if the party holds the trapdoor key and the secret values in the commitments are equal; in all other cases it outputs 0.
Definition 3 (indicative commitment proof): Define Π3=(TKeyGen, TCom, TVer, TIndic) to denote the indicative commitment proof, where TKeyGen, TCom, TVer and TIndic are respectively the key generation, commitment, verification and indication algorithms in the scheme.
TKeyGen(1^k): takes 1^k as input and outputs the public parameter pk and the trapdoor key sk.
TCom(pk, m): takes the public parameter pk and the value m to be committed as input, and outputs the commitment C = TCom(pk, m) and the parameters (r, m) for verifying the commitment.
TVer(pk, C, r, m): takes the public parameter pk, the commitment C and the verification parameters (r, m) as input, and checks whether the verification function TVer(pk, C, r, m) is satisfied.
TIndic(sk, C, C'): takes the trapdoor key sk and two commitments C, C' as input, and determines whether the committed secret values m, m' in C, C' are the same. If they are, it outputs 1; otherwise it outputs 0.
Range commitment proof (Range Commitment Proof)
The range commitment proof is used to prove that a committed value lies in a specific interval. In a commitment scheme, the sender typically sends the recipient a secret value that the recipient does not know; the sender can later open the secret value, and the recipient verifies it. A commitment scheme has two phases, the commit phase and the opening (or reveal) phase. The range commitment proof scheme proves the approximate range of the ciphertext value without opening the commitment, and therefore has good hiding properties.
Definition 4 (range commitment proof): Define Π4=(RKeyGen, RCom, RVer, RInact) to denote the range commitment proof scheme, where RKeyGen, RCom, RVer and RInact are respectively the key generation, commitment, verification and interaction algorithms in the scheme.
RKeyGen(1^k): takes 1^k as input and outputs the public parameter pk and the trapdoor key sk.
RCom(pk, m): takes the public parameter pk and the value m to be committed as input, and outputs the commitment C = RCom(pk, m) and the parameters (r, m) for verifying the commitment.
RVer(pk, C, r, m): takes the public parameter pk, the commitment C and the verification parameters (r, m) as input, and checks whether the verification function RVer(pk, C, r, m) is satisfied.
RInact(a, b, sk, C): takes the trapdoor key sk and the commitment value C as input, and determines whether the committed secret value m in C lies in the interval [a, b]. If so, it outputs 1; otherwise it outputs 0.
Optionally, in one embodiment of the invention: the total of the transaction inputs is calculated by running the TIn algorithm of Π5; the transaction outputs are directed according to the path by running the TOut algorithm of Π5; the transaction is broadcast to the whole network by running the TBroad algorithm of Π5; and miners confirm transactions and generate a block according to the consensus mechanism by running the BCfm algorithm of Π5.
It can be understood that Tx(TIn, TOut) is the general operation level of the blockchain-like transaction system:
(1) Calculate the total of the transaction inputs. Run the TIn algorithm of Π5: Insum = TIn(TOut_{i-1}, reward);
(2) Direct the transaction outputs according to the path. Run the TOut algorithm of Π5,
(3) Broadcast the transaction to the whole network. Run the TBroad algorithm of Π5: Comfirm = TBroad(Tx);
(4) Miners confirm transactions and generate a block according to the consensus mechanism. Run the BCfm algorithm of Π5: Block = BCfm(Tx_i, Tx_j, ...).
Specifically, the blockchain-like transaction system (Blockchain-based System):
A blockchain-like transaction system is a project designed in blockchain form that issues tokens. The system adopts Satoshi Nakamoto's framework: it stores data in a trusted, distributed way, carries out open transactions, and uses the token as the unit of measurement. Such a transaction system is built in layers from transactions, data blocks and the blockchain, forming a one-way, irreversible chain structure.
Definition 5 (blockchain-like transaction system): Define Π5=(TIn, TOut, TBroad, BCfm) to denote the blockchain-like transaction system scheme, where TIn, TOut, TBroad and BCfm are respectively transaction sending (the input side of a transaction), transaction receiving (the output side of a transaction), transaction broadcast and block confirmation in the scheme.
TIn(TOut_{i-1}, reward): the system input takes the output of the previous transaction; if this is the first transaction of a block, there is also the mining reward, reward. The total of the inputs is obtained and passed on.
TOut(TIn, address): the total input of the system is sent to the receiving side as the output value, and the transaction is directed according to the specified public key address, address.
TBroad(Tx): the system broadcasts the generated transaction to the whole network and waits for miners to confirm it.
BCfm(Tx_i, Tx_j, ...): miners confirm the transactions in the mining pool and, according to the consensus mechanism, package numerous transactions to generate a new block that is linked to the chain.
In one particular embodiment of the present invention, as shown in Fig. 3, the embodiment gives a concrete instantiation of the multi-center supervised blockchain transaction privacy protection scheme: once the algorithm of each module is instantiated, the steps of the scheme can be carried out. The specific implementation of the scheme is described below:
1. Concrete construction of the tool modules
1.1 Concrete consortium parameter generation algorithm/ParaGen: the embodiment of the present invention uses the scheme proposed by Dan Boneh for the joint generation of RSA threshold keys.
1) The consortium members secretly choose integers p_i and q_i
A) The consortium members secretly choose integers p_i
B) Calculate p = p_i+...+p_k, ensuring that the consortium sum p is not divisible by any prime smaller than B1
C) The consortium members choose integers q_i and verify them in the same way
2) Calculate the modulus integer N.
A) N = pq = (p_i+...+p_k)(q_i+...+q_k); generating the parameter N reveals no additional information
B) The consortium members use a trial division algorithm to ensure that N has no prime factor in [B1, B2]
3) Biprimality test. The consortium members use this algorithm to ensure that the large integer N is the product of two primes.
4) Consortium parameter generation. The consortium members jointly generate the parameter N used by the encryption system in the transaction system, but no member can learn its factorization.
1.2 Concrete homomorphic encryption algorithm/Homomorphic Cryptosystem: the embodiment of the present invention uses the Paillier encryption scheme.
The Paillier encryption system provides security against chosen-plaintext attacks in the standard model, has efficient encryption and decryption, and is additively homomorphic. Its encryption and decryption steps are as follows:
PKeyGen: Let p and q be large primes and g the system generator. Let n = pq and compute λ = λ(n) = lcm(p-1, q-1). The public key is (n, g) and the private key is λ.
PEnc: c = g^m · r^n mod n^2, where r is chosen at random.
POper(c_i, c_j): Dec_sk(Enc_pk(m_1)·Enc_pk(m_2) mod n^2) = m_1 + m_2 mod n.
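The Paillier algorithms above (and the correctness and homomorphism properties of Definition 2) as an added Python example, not code from the patent. The demo primes, the choice g = n + 1, the function names and the decryption formula m = L(c^λ mod n^2)·μ mod n (standard Paillier, not written out on this page) are assumptions of the example. The last check shows why the balance check alone is not enough and the range proof is needed: amounts are added mod n, so an output of n - 5 behaves like -5.

```python
"""Toy Paillier (PKeyGen, PEnc, PDec, POper); constructed demo values, insecure key size."""
import math
import secrets

# Constructed demo primes (the Mersenne primes 2^31-1 and 2^61-1). Real keys use far larger primes.
P, Q = 2**31 - 1, 2**61 - 1


def pkeygen(p, q):
    """PKeyGen: n = pq, lambda = lcm(p-1, q-1). Returns ((n, g), lambda)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    g = n + 1  # assumption: a common generator choice; the page only says "generator g"
    return (n, g), lam


def penc(pk, m):
    """PEnc: c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("message must lie in [0, n)")
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    n2 = n * n
    return pow(g, m, n2) * pow(r, n, n2) % n2


def pdec(pk, lam, c):
    """PDec: m = L(c^lambda mod n^2) * mu mod n, with L(x) = (x-1)//n.

    Returns None (the symbol ⊥) for a value that is not a valid ciphertext.
    """
    n, g = pk
    n2 = n * n
    if not 0 < c < n2 or math.gcd(c, n) != 1:
        return None

    def big_l(x):
        return (x - 1) // n

    mu = pow(big_l(pow(g, lam, n2)), -1, n)  # modular inverse, Python 3.8+
    return big_l(pow(c, lam, n2)) * mu % n


def poper(pk, ci, cj):
    """POper: multiplying ciphertexts mod n^2 adds the plaintexts mod n."""
    n, _ = pk
    return ci * cj % (n * n)


def outputs_sum_to_input(pk, lam, c_in, c_outs):
    """Key-holder check that the product of the output ciphertexts decrypts to the input.

    Illustration only: the scheme on this page checks balance with commitment
    proofs in the validation layer, without decrypting.
    """
    acc = c_outs[0]
    for c in c_outs[1:]:
        acc = poper(pk, acc, c)
    return pdec(pk, lam, acc) == pdec(pk, lam, c_in)


def demo():
    pk, lam = pkeygen(P, Q)
    n = pk[0]
    honest = outputs_sum_to_input(pk, lam, penc(pk, 10), [penc(pk, 4), penc(pk, 6)])
    # 15 + (n - 5) = 10 mod n: the totals match although one output encodes "-5".
    wrapped = outputs_sum_to_input(pk, lam, penc(pk, 10), [penc(pk, 15), penc(pk, n - 5)])
    return honest, wrapped


if __name__ == "__main__":
    print(demo())
```

Both checks in `demo()` succeed, which is the reason RangeVer must confirm every hidden amount lies in [a, b] before BalanceVer is trusted.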
1.3 Concrete indicative commitment scheme/Indicative Commitment Proof: the embodiment of the present invention uses a non-interactive indicative commitment scheme:
PK{x, r_1, r_2: E = E_1(x, r_1) mod n_1 ∧ F = E_2(x, r_2) mod n_2}.
1) Alice randomly chooses ω ∈ {1, ..., 2^(l+t)·b - 1}, η_α ∈ {1, ..., 2^(l+t+s)·n - 1}, η_β ∈ {1, ..., 2^(l+t+s)·n - 1}; then calculates:
2) Alice calculates u = H(W_α || W_β);
3) Alice calculates:
D = ω + um, D_α = η_α + u·r_α, D_β = η_β + u·r_β
and sends (u, D, D_α, D_β) to the validation layer account;
4) Bob checks whether u = u', where
If this part of the verification succeeds, the two commitment values contain the same secret value.
1.4 Concrete range commitment scheme / Range Commitment Proof: the embodiment of the present invention uses the range commitment proof protocol given by Wu in 2004
$PK\{x, r : E = E(x, r) \bmod n \wedge x \in [a, b]\}$.
1) Alice sets $v = \alpha^2 y + \omega > 2^{t+l+s+T}$, where $\alpha \neq 0$ and $0 < \omega \leq 2^{s+T}$ are chosen arbitrarily; she sets $r_3 - r\alpha^2 + r_1\alpha + r_2 \in [-2^s n + 1, \ldots, 2^s n - 1]$, where $r_1, r_2, r_3 \in [-2^s n + 1, \ldots, 2^s n - 1]$ are chosen arbitrarily; then computes:
Alice sends $(V, E_2, E_3, F)$ to the recipient;
2) The recipient computes:
$E_1 = E_0(m_i, r)/g^a = g^y h^r \bmod n$,
3) Alice and the recipient each compute:
where $r^* = -r\alpha^2 - r_1\alpha - r_2$
4) The recipient verifies the correctness of PK1, PK2 and PK3 and checks whether $v > 2^{t+l+s+T}$ holds; if it does, the recipient can be convinced that $x > a$. $x < b$ is proved in the same way.
1.5 Concrete blockchain transaction scheme / Blockchain-based System: the Bitcoin transaction system is used as the exemplary carrier for the general construction.
2. The concrete implementation steps of the scheme are as follows:
As shown in Figure 4, based on the instantiated algorithms of the modules and the two-layer structure of the system, the final instantiated scheme is implemented in the following steps:
Step 1: Alliance parameter generation / ParaGen: Based on the parameter shares obtained by distribution, the alliance members reach consensus and jointly generate the parameter $N$ for system transactions; no member can learn its trapdoor factorization unless the threshold condition is met. First, each alliance member secretly chooses an integer $p_i$, and $p = p_i + \ldots + p_k$ is computed, ensuring that the alliance's integer sum $p$ is not divisible by any prime smaller than the lower bound $B_1$ of the range. Similarly, the alliance members choose integers $q_i$ and verify them. Once the members have chosen their integers, the modulus $N = pq = (p_i + \ldots + p_k)(q_i + \ldots + q_k)$ is computed; generating the parameter $N$ reveals no additional information. To ensure that the parameter lies in the specified interval, the alliance members use the trial division algorithm to ensure that $N$ has no prime factor in $[B_1, B_2]$. Similarly, to ensure that the parameter is the product of two primes, the alliance members run a biprimality test to confirm this property. Finally, provided that the parameter $N$ is correct and usable, the alliance members jointly generate the trapdoor parameter $d$ used by the encryption system in the transaction system, and pass the two parameters $N$ to the system for the encryption in the following steps.
Step 2: Transaction system initialization / KeyGen: A security parameter is input, and the parameters used for encryption, decryption and verification are output. In the transaction layer, for each different recipient $i$, the system generates two large primes $p_i$ and $q_i$ for that recipient. The recipient's private key is $sk_i = \lambda_i$ and the public key is $pk_i = (n_i, g_i)$, where $n_i = p_i q_i$.
At the same time, in the validation layer, the system outputs the public key $pk_d = (n_d, g_d)$ of the account used for verification. Note that this public key has no paired private key, i.e. the system account cannot operate on the amounts it receives. The system generates the options $V_\alpha(g_\alpha, h_\alpha)$ and $V_\beta(g_\beta, h_\beta)$ for verification. Note that, because the validation-layer account and the commitment proofs both sit in the validation layer and their parameters are generated by the system, the scheme sets $g_\beta = g_d$ and  to ensure that the ciphertext after the operation can become a commitment value;
Step 3: Calculate the total input value / Insum: The total input value of the transaction is computed, i.e. the previous transaction plus the mining income. If the transaction is the first transaction of a newly confirmed block, it obtains an additional fee amount as a reward, and the total income is the sum obtained by operating this plaintext part with the original ciphertext, expressed as: If the transaction is not the first transaction of a newly confirmed block, there is no additional income and the total income is the value passed on by the previous transaction, expressed as:
Step 4: Parallel encryption / ParallelEncrypt: In the transaction layer, the scheme uses the public keys $pk_1, pk_2, \ldots, pk_i$ of the different recipients and the Paillier cryptosystem to encrypt the plaintext amounts $m_1, m_2, \ldots, m_i$ to be sent into $c_1, c_2, \ldots, c_i$, expressed as: Meanwhile, in the validation layer, the scheme uses the single system public key $pk_d$ to encrypt each of the amounts $m_1, m_2, \ldots, m_i$ sent in the transaction layer, expressed as: where the scheme sets the random number $r_d = h_\beta$. What the two layers have in common is that they encrypt the same transaction amount $m_i$; the difference is that the transaction layer uses the different public keys $pk_i$ of the recipients, whereas the validation layer uses the same system public key $pk_d$ in order to realize the additive homomorphic property of the Paillier system. The identical amount $m_i$ in both layers guarantees that the value the recipient obtains after verification is correct;
Step 5: Range commitment verification / Range Proof: The system verifies in the validation layer whether the hidden amounts are positive. The whole validation layer is divided into two steps; the first step proves that the hidden amount is always positive, using the proof that a committed value lies in a specific interval. The scheme uses the range commitment proof to ensure that each encrypted amount $m_i$ is positive: for each different recipient $i$, the sender Alice makes a commitment. For simplicity, $E_0, E_1, E_2, E_3, F, V$ are used in place of $E_{i0}, E_{i1}, E_{i2}, E_{i3}, F_i, V_i$.
1) Alice sets $v = \alpha^2 y + \omega > 2^{t+l+s+T}$, where $\alpha \neq 0$ and $0 < \omega \leq 2^{s+T}$ are chosen arbitrarily; she sets $r_3 - r\alpha^2 + r_1\alpha + r_2 \in [-2^s n + 1, \ldots, 2^s n - 1]$, where $r_1, r_2, r_3 \in [-2^s n + 1, \ldots, 2^s n - 1]$ are chosen arbitrarily; and computes:
Alice sends $(V, E_2, E_3, F)$ to the recipient;
2) The recipient computes: $E_1 = E_0(m_i, r)/g^a = g^y h^r \bmod n$,
3) Alice and the recipient each compute:
where $r^* = -r\alpha^2 - r_1\alpha - r_2$
4) The recipient verifies the correctness of PK1, PK2 and PK3 and checks whether $v > 2^{t+l+s+T}$ holds; if it does, the recipient can be convinced that $x > a$;
5) For each recipient's $m_i$, the scheme repeats steps 1-4, which proves $m_i > 0$ ($i = 1, 2, \ldots, i$).
This part of the proof is repeated $i$ times, once for each recipient's $m_i$; if any one of the repetitions fails, the transaction fails. If all succeed, the system returns 1 and continues with the next verification step.
Step 6: Indicative commitment verification / Balance: The system verifies in the validation layer whether the hidden input and output totals are equal. The validation layer is divided into two steps; this is the second step, which uses the proof that two commitment values are equal to show that the hidden amounts sum to the same total before and after input and output. The scheme uses the proof of equality of two commitment values to ensure that the transaction output and input are consistent, i.e. $m = m_1 + m_2 + \ldots + m_i = \sum m_i$. Alice now makes two commitments as follows:
where $r_\alpha \in \{-2^s n + 1, \ldots, 2^s n - 1\}$ and $r_\beta = n_d \in \{-2^s n + 1, \ldots, 2^s n - 1\}$. If the "dummy account", which receives the same amounts, wants to verify whether the plaintext amount contained in the ciphertext it received equals the value sent by Alice, it needs to carry out the following two steps:
A) Check that the secret values hidden in the commitment values $E$ and $F$ are equal, $m = \sum m_i$.
B) Check that the ciphertext after the operation, $H = \prod c_{id}$, equals one of the commitments, $F$.
To realize the first of these steps, we run the following algorithm:
1) Alice randomly chooses $\omega \in \{1, \ldots, 2^{l+t}b - 1\}$, $\eta_\alpha \in \{1, \ldots, 2^{l+t+s}n - 1\}$, $\eta_\beta \in \{1, \ldots, 2^{l+t+s}n - 1\}$; then computes:
2) Alice computes $u = H(W_\alpha \| W_\beta)$;
3) Alice computes: $D = \omega + um$, $D_\alpha = \eta_\alpha + u r_\alpha$, $D_\beta = \eta_\beta + u r_\beta$
and sends $(u, D, D_\alpha, D_\beta)$ to the validation-layer account;
4) The validation-layer account checks whether $u = u'$, where
If this part verifies successfully, the proof continues with the next part:
A) The validation-layer account computes over the received ciphertexts:
B) As can be seen from the above, during encryption we may arbitrarily choose $r_d = h_\beta$, and during verification arbitrarily choose $r_\beta = n_d$; and during system initialization we set  and $g_d = g_\beta$; hence:
C) Check whether $H$ equals $F$. If not, the transaction fails; if so, return 1 and proceed to the next step.
In summary, when both parts of the verification are true, the transaction enters the sending phase of the transaction layer;
Step 7: Broadcast confirmation / Broadcast: After the validation layer has checked that everything is correct, the transaction is broadcast to the whole network and awaits confirmation. After processing by this scheme, the original plaintext information on the transaction is hidden as indistinguishable ciphertext, which preserves the privacy of a transaction process that could otherwise be analysed. This transaction can be denoted $T_{Alice}$; the process applies equally to any other transaction.
Step 8: Decryption / Dcrypt: After the broadcast has been confirmed, the recipient receives the encrypted amount $c_i$ and decrypts it with its own private key $sk_i$:
where $x \in S_n = \{u < n^2 \mid x = 1 \bmod n\}$. After the recipient has checked that the amount it received is correct, the next transaction can proceed. The recipient's received value is the input value of the next transaction. It is worth noting that once the transaction is complete, the ciphertext amount in the validation-layer account is discarded; its only role is to act as a bridge that links the value in the validation layer to the value sent.
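Steps 4 to 6 rest on the additive homomorphism of the Paillier system from section 1.2. The following Python code is an added example, not code from the patent: it implements PKeyGen, PEnc and POper, encrypts each amount in both layers, and shows that a homomorphic balance check on its own accepts an output of $n_d - 5$, which is why the range proof of Step 5 is needed. Assumptions: constructed toy primes, the generator choice g = n + 1, standard Paillier decryption, and a validation-layer private key that exists only so the demo can inspect the sum (the validation account in the patent has none and relies on commitment equality).

```python
import math
import secrets


def pkeygen(p, q):
    """PKeyGen: n = pq, lambda = lcm(p-1, q-1); public key (n, g), private key lambda."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    g = n + 1  # assumption: a common valid generator choice, not fixed by the patent
    return (n, g), lam


def penc(pk, m):
    """PEnc: c = g^m * r^n mod n^2 with r random and coprime to n."""
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in [0, n)")
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    n2 = n * n
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def pdec(pk, lam, c):
    """Standard Paillier decryption: m = L(c^lam) / L(g^lam) mod n, L(u) = (u-1)/n."""
    n, g = pk
    n2 = n * n

    def L(u):
        return (u - 1) // n

    mu = pow(L(pow(g, lam, n2)), -1, n)
    return (L(pow(c, lam, n2)) * mu) % n


def poper(pk, ciphertexts):
    """POper: multiplying ciphertexts mod n^2 adds their plaintexts mod n."""
    n, _ = pk
    acc = 1
    for c in ciphertexts:
        acc = (acc * c) % (n * n)
    return acc


def parallel_encrypt(recipient_pks, pk_d, amounts):
    """Step 4: encrypt each m_i under pk_i (transaction layer) and under pk_d (validation layer)."""
    tx_layer = [penc(pk_i, m) for pk_i, m in zip(recipient_pks, amounts)]
    val_layer = [penc(pk_d, m) for m in amounts]
    return tx_layer, val_layer


def balance_holds(pk_d, lam_d, total_in, val_layer):
    """Compare the homomorphic sum of the validation-layer ciphertexts with the input.

    Demo only: lam_d is a hypothetical key used to open the sum for inspection.
    """
    return pdec(pk_d, lam_d, poper(pk_d, val_layer)) == total_in % pk_d[0]


# Constructed toy keys: tiny primes for illustration, far too small for real use.
PK_D, LAM_D = pkeygen(1009, 1013)
RECIPIENTS = [pkeygen(1019, 1021), pkeygen(1031, 1033)]


def demo():
    pks = [pk for pk, _ in RECIPIENTS]
    total_in = 100

    # Honest transaction: outputs 60 + 40 equal the input 100.
    tx, val = parallel_encrypt(pks, PK_D, [60, 40])
    received = [pdec(pk, lam, c) for (pk, lam), c in zip(RECIPIENTS, tx)]
    honest = balance_holds(PK_D, LAM_D, total_in, val)

    # Unbalanced transaction: outputs 60 + 50 exceed the input.
    _, val_bad = parallel_encrypt(pks, PK_D, [60, 50])
    unbalanced = balance_holds(PK_D, LAM_D, total_in, val_bad)

    # Wrap-around: n_d - 5 behaves as -5 modulo n_d, so 105 + (n_d - 5) == 100.
    # The sum check alone accepts it; only a range proof on each m_i rejects it.
    n_d = PK_D[0]
    val_wrap = [penc(PK_D, 105), penc(PK_D, n_d - 5)]
    wrapped = balance_holds(PK_D, LAM_D, total_in, val_wrap)

    return received, honest, unbalanced, wrapped


if __name__ == "__main__":
    print(demo())
```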
In addition, the embodiment of the present invention can combine cryptographic threshold techniques, homomorphic encryption and commitment proof mechanisms to solve the transaction privacy protection problem that exists under multi-party control in existing blockchain-like transaction systems. The system 10 of the embodiment of the present invention comprises the system architecture and definition of the multi-center blockchain transaction privacy protection system; the general construction of the multi-center blockchain transaction privacy protection system; and the concrete construction of the multi-center blockchain transaction privacy protection system. The multi-center blockchain transaction privacy system consists of five cryptographic modules, and the transaction flow is divided into two layers and eight steps. The cryptographic tools involved include a threshold generation system, a homomorphic encryption and decryption system, a commitment proof system, a zero-knowledge proof system and a blockchain transaction system. The system has the following functions:
(1) Privacy protection of the trapdoor parameter under multi-party joint control is realized. After reaching consensus and meeting the threshold condition, the alliance parties generate the parameter with which the system starts, but no single party can learn the factorization of the parameter.
(2) Privacy protection of transaction metadata is realized. The plaintext amount in the transaction metadata is encrypted into ciphertext for the transaction, and ciphertext operations can be performed on it.
(3) Correctness verification of the transaction ciphertext is realized. The system can ensure that the hidden transaction values in a transaction are always positive and that the totals of the transacted amounts before and after are consistent.
In summary, the system 10 of the embodiment of the present invention has the following characteristics:
(1) The design of the blockchain transaction privacy protection system under multi-center supervision in the embodiment of the present invention is a generalized construction: any basic cryptographic tools that meet the requirements of the invention can be combined to realize a concrete blockchain-like transaction system scheme with joint control and privacy protection functions.
(2) The embodiment of the present invention gives the construction steps and a construction example of a concrete blockchain privacy enhancement scheme under multi-center supervision; those of ordinary skill in the art can, according to their desired performance and security requirements, construct other blockchain transaction schemes following this example.
(3) The constructed scheme realizes privacy protection of the trapdoor parameter under joint control through the threshold encryption and decryption system, ensures the privacy of amounts in transit through the encryption and decryption of amounts by the homomorphic encryption system, and at the same time, through the range commitment proof and the indicative commitment proof, ensures the requirements that hidden amounts in a transaction are always positive and that the input and output totals are equal.
The multi-center blockchain transaction privacy protection system proposed according to the embodiment of the present invention can use the threshold encryption and decryption system to protect privacy when the trapdoor parameter is generated under multi-party joint control, use the homomorphic encryption system to encrypt and decrypt amounts and thereby strengthen the privacy of amounts in transit, and use the range commitment proof and the indicative commitment proof to ensure that hidden transaction values are always positive during the transaction and that the totals of the transacted amounts before and after are consistent. It thereby realizes privacy protection of the trapdoor parameter under multi-party joint control and of the transaction metadata during the transaction, and effectively strengthens the security of plaintext amounts during transactions in multi-center blockchain-like systems.
The flow chart of the multi-center blockchain transaction privacy protection method proposed according to the embodiment of the present invention is described next with reference to the accompanying drawings.
As shown in Figure 5, the multi-center blockchain transaction privacy protection method comprises the following steps:
In step S501, based on the parameter shares obtained by distribution, the alliance members reach consensus and jointly generate the parameter $N$ for system transactions; no member can learn its trapdoor factorization unless the threshold condition is met.
In step S502, the transaction system takes the security parameter and the alliance parameter as input and outputs the generated public and private key pairs $(pk_i, sk_i)$ used for encryption and decryption, and at the same time outputs the public key $pk_d$ used for verification; this public key has no paired private key.
In step S503, the total input value of the transaction is calculated. If the transaction is the first transaction of a newly confirmed block, it obtains an additional Bitcoin fee as a reward, and the total input value is the sum obtained by operating this plaintext part with the original ciphertext; if the transaction is not the first transaction of a newly confirmed block, there is no additional income, and the total input value is the value passed on by the previous transaction.
In step S504, parallel encryption means that the transaction metadata is encrypted in the transaction layer and the validation layer at the same time. In the transaction layer, the system encrypts the amounts to be sent with the respective recipients' public keys, while in the validation layer it encrypts each of the same amounts with the system public key. The amounts encrypted in the transaction layer are sent to each recipient's account after the validation layer has passed. Note that the encrypted amounts sent in the validation layer go into the validation-layer account; this account has no private key, and the amounts are discarded after verification.
In step S505, the validation layer verifies whether the hidden amounts are positive and whether the input and output totals are equal. The validation layer is divided into two steps. The first step proves that the hidden amount is always positive, using the proof that a committed value lies in a specific interval. When this is true, i.e. after the validation layer has verified that the hidden amounts are positive, the system's validation layer enters the second step, which uses the proof that two commitment values are equal to show that the hidden amounts sum to the same total before and after input and output. When this step is true, the transaction enters the sending phase of the transaction layer.
In step S506, after the recipient has checked that everything is correct, the transaction is broadcast to the whole network and awaits confirmation. After processing, the original plaintext information on the transaction is hidden as indistinguishable ciphertext, to preserve the privacy of a transaction process that could otherwise be analysed.
In step S507, after the validation layer has passed, the transaction layer sends the encrypted amount to the recipient, who decrypts it with its own private key. After the recipient has checked that the amount it received is correct, the next transaction proceeds; the recipient's received value is the input value of the next transaction.
Further, in one embodiment of the present invention, let $\Pi_1$ = (rdmPara, coN, BipriTest, KeyGen) denote the RSA threshold key scheme, where rdmPara, coN, BipriTest and KeyGen are respectively the threshold parameter distribution, joint generation of the modulus, biprimality test and alliance parameter generation in the RSA threshold key scheme. Let $\Pi_2$ = (PKeyGen, PEnc, PDec) denote the homomorphic encryption and decryption scheme, where PKeyGen, PEnc and PDec are respectively the key generation, encryption and decryption algorithms in the homomorphic encryption and decryption scheme. Let $\Pi_3$ = (TKeyGen, TCom, TVer, TIndic) denote the indicative commitment proof scheme, where TKeyGen, TCom, TVer and TIndic are respectively the key generation, commitment, verification and indication algorithms in the indicative commitment proof scheme. Let $\Pi_4$ = (RKeyGen, RCom, RVer, RInact) denote the range commitment proof scheme, where RKeyGen, RCom, RVer and RInact are respectively the key generation, commitment, verification and interaction algorithms in the scheme. Let $\Pi_5$ = (TIn, TOut, TBroad, BCfm) denote the blockchain-like transaction system scheme, where TIn, TOut, TBroad and BCfm are respectively the transaction sending, transaction receiving, transaction broadcast and block confirmation in the blockchain-like transaction system scheme.
Further, in one embodiment of the present invention, the blockchain transaction system comprises a transaction layer and a validation layer. The transaction layer performs the transaction steps of the blockchain transaction system, including transaction generation, input and output, and broadcast confirmation, and shows the encrypted metadata on the transaction in place of the original plaintext. The validation layer verifies whether the encrypted data satisfies value consistency and lies within a specific range.
It should be noted that the foregoing explanation of the embodiment of the multi-center blockchain transaction privacy protection system also applies to the multi-center blockchain transaction privacy protection method of this embodiment, and details are not repeated here.
The multi-center blockchain transaction privacy protection method proposed according to the embodiment of the present invention can use the threshold encryption and decryption system to protect privacy when the trapdoor parameter is generated under multi-party joint control, use the homomorphic encryption system to encrypt and decrypt amounts and thereby strengthen the privacy of amounts in transit, and use the range commitment proof and the indicative commitment proof to ensure that hidden transaction values are always positive during the transaction and that the totals of the transacted amounts before and after are consistent. It thereby realizes privacy protection of the trapdoor parameter under multi-party joint control and of the transaction metadata during the transaction, and effectively strengthens the security of plaintext amounts during transactions in multi-center blockchain-like systems.
In the description of the present invention, it is to be understood that orientation or position terms such as "center", "longitudinal", "transverse", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", "clockwise", "counterclockwise", "axial", "radial" and "circumferential" are based on the orientations or positions shown in the drawings. They are used only to facilitate and simplify the description of the present invention, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be construed as limiting the invention.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. A feature qualified by "first" or "second" may therefore explicitly or implicitly include at least one such feature. In the description of the present invention, "multiple" means at least two, for example two or three, unless specifically defined otherwise.
In the present invention, unless otherwise clearly specified and limited, terms such as "installed", "connected", "coupled" and "fixed" are to be interpreted broadly. For example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; it may be direct, or indirect through an intermediary; and it may be an internal connection between two elements or an interaction between two elements, unless otherwise clearly limited. Those of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the specific circumstances.
In the present invention, unless otherwise clearly specified and limited, a first feature being "on" or "under" a second feature may mean that the first and second features are in direct contact, or that they are in indirect contact through an intermediary. Moreover, a first feature being "on", "above" or "over" a second feature may mean that the first feature is directly or obliquely above the second feature, or merely that the first feature is at a higher level than the second feature. A first feature being "under", "below" or "beneath" a second feature may mean that the first feature is directly or obliquely below the second feature, or merely that the first feature is at a lower level than the second feature.
In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, such expressions do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in one or more embodiments or examples. In addition, where they do not conflict with each other, those skilled in the art may combine the different embodiments or examples described in this specification and the features of different embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the invention; those of ordinary skill in the art may change, modify, replace and vary the above embodiments within the scope of the invention.

Claims (10)

  1. A multi-center blockchain transaction privacy protection system, characterized by comprising:
    an alliance control module, used for multiple parties to jointly generate the alliance parameter;
    an amount verification module, used to verify that the encrypted ciphertext amounts are equal between the inputs and outputs of a transaction;
    a range verification module, used to verify that the encrypted ciphertext amounts in a transaction lie in a specific interval so that they are always positive;
    an encryption module and a decryption module, used to perform homomorphic encryption and decryption of amounts in the sending and receiving process; and
    a blockchain system transaction module, used as a complete Bitcoin-like digital currency transaction system with a transaction flow of sending, receiving, broadcast and block confirmation.
  2. The multi-center blockchain transaction privacy protection system according to claim 1, characterized in that
    $\Pi_1$ = (rdmPara, coN, BipriTest, KeyGen) denotes the RSA threshold key scheme, where rdmPara, coN, BipriTest and KeyGen are respectively the threshold parameter distribution, joint generation of the modulus, biprimality test and alliance parameter generation in the RSA threshold key scheme;
    $\Pi_2$ = (PKeyGen, PEnc, PDec) denotes the homomorphic encryption and decryption scheme, where PKeyGen, PEnc and PDec are respectively the key generation, encryption and decryption algorithms in the homomorphic encryption and decryption scheme;
    $\Pi_3$ = (TKeyGen, TCom, TVer, TIndic) denotes the indicative commitment proof scheme, where TKeyGen, TCom, TVer and TIndic are respectively the key generation, commitment, verification and indication algorithms in the indicative commitment proof scheme;
    $\Pi_4$ = (RKeyGen, RCom, RVer, RInact) denotes the range commitment proof scheme, where RKeyGen, RCom, RVer and RInact are respectively the key generation, commitment, verification and interaction algorithms in the scheme;
    $\Pi_5$ = (TIn, TOut, TBroad, BCfm) denotes the blockchain-like transaction system scheme, where TIn, TOut, TBroad and BCfm are respectively the transaction sending, transaction receiving, transaction broadcast and block confirmation in the blockchain-like transaction system scheme.
  3. The multi-center blockchain transaction privacy protection system according to claim 2, characterized in that the blockchain transaction system comprises a transaction layer and a validation layer, wherein the transaction layer is used to perform the transaction steps of the blockchain transaction system, including transaction generation, input and output, and broadcast confirmation, and to show the encrypted metadata on the transaction in place of the original plaintext; and the validation layer is used to verify whether the encrypted data satisfies value consistency and lies within a specific range.
  4. The multi-center blockchain transaction privacy protection system according to claim 3, characterized in that
    the alliance control module is used for the alliance members, based on the parameter shares obtained by distribution, to reach consensus and jointly generate the parameter $N$ for system transactions, wherein no member can learn its trapdoor factorization unless the threshold condition is met;
    the blockchain system transaction module is used for the transaction system to take the security parameter and the alliance parameter as input and to output the generated public and private key pairs $(pk_i, sk_i)$ used for encryption and decryption, and at the same time to output the public key $pk_d$ used for verification, this public key having no paired private key;
    the blockchain system transaction module is used to calculate the total input value of the transaction, wherein, if the transaction is the first transaction of a newly confirmed block, the transaction obtains an additional Bitcoin fee as a reward and the total input value is the sum obtained by operating this plaintext part with the original ciphertext; and if the transaction is not the first transaction of a newly confirmed block, there is no additional income and the total input value is the value passed on by the previous transaction;
    the encryption module is used for parallel encryption, meaning that the transaction metadata is encrypted in the transaction layer and the validation layer at the same time, wherein the system encrypts the amounts to be sent in the transaction layer with the respective recipients' public keys, while encrypting each of the same amounts in the validation layer with the system public key; the amounts encrypted in the transaction layer are sent to each recipient's account after the validation layer has passed; note that the encrypted amounts sent in the validation layer go into the validation-layer account, which has no private key, and the amounts are discarded after verification;
    the encryption module and the decryption module are used for the validation layer to verify whether the hidden amounts are positive and whether the input and output totals are equal, wherein the validation layer is divided into two steps: the first step proves that the hidden amount is always positive, using the proof that a committed value lies in a specific interval; when this is true, i.e. after the validation layer has verified that the hidden amounts are positive, the system's validation layer enters the second step, which uses the proof that two commitment values are equal to show that the hidden amounts sum to the same total before and after input and output; when this step is true, the transaction enters the sending phase of the transaction layer;
    the decryption module is used so that, after the recipient has checked that everything is correct, the transaction is broadcast to the whole network and awaits confirmation, wherein after processing the original plaintext information on the transaction is hidden as indistinguishable ciphertext, to preserve the privacy of a transaction process that could otherwise be analysed;
    the blockchain system transaction module is used so that, after the validation layer has passed, the transaction layer sends the encrypted amount to the recipient, who decrypts it with its own private key; after the recipient has checked that the amount it received is correct, the next transaction proceeds, and the recipient's received value is the input value of the next transaction.
  5. The multicenter blockchain transaction privacy protection system according to claim 4, characterized in that:
    The alliance members secretly choose integers p_i and q_i, by running the rdmPara algorithm of Π1;
    The modulus integer N is computed, by running the coN algorithm of Π1;
    A biprimality test is performed, wherein the alliance members ensure by the algorithm that the large integer N is the product of two primes, by running the BipriTest algorithm of Π1;
    The alliance parameters and the threshold key are generated, by running the KeyGen algorithm of Π1, which yields the alliance key.
  6. The multicenter blockchain transaction privacy protection system according to claim 4, characterized in that:
    The transaction metadata is encrypted, by running the PEnc algorithm of Π2;
    The transaction metadata is decrypted, by running the PDec algorithm of Π2;
    A homomorphic operation is performed on the ciphertexts, by running the POper algorithm of Π3;
    Given (m, m'), a commitment is computed on the plaintext secret, by running the TCom algorithm of Π3;
    The validity of the commitment value is verified, by running the TVer algorithm of Π3;
    An indicative commitment is made on the different ciphertext values produced by the transaction to verify whether they contain the same metadata, by running the TIndic algorithm of Π3.
  7. The multicenter blockchain transaction privacy protection system according to claim 4, characterized in that:
    The total value at the transaction input is calculated, by running the TIn algorithm of Π5;
    The transaction output is directed according to the path, by running the TOut algorithm of Π5;
    The transaction order is broadcast to the whole network, by running the TBroad algorithm of Π5;
    Miners confirm the transaction order and generate a block according to the consensus mechanism, by running the BCfm algorithm of Π5.
  8. A multicenter blockchain transaction privacy protection method, characterized by comprising the following steps:
    The alliance members, according to the parameter shares distributed to them, reach consensus and jointly generate the parameter N for system transactions, wherein no member can learn its trapdoor factorization unless the threshold condition is reached;
    The transaction system takes the security parameter and the alliance parameters as input and outputs the public and private key pairs (pk_i, sk_i) used for encryption and decryption, and also outputs the public key pk_d used for verification, which has no paired private key;
    The total transaction input value is calculated, wherein, if the transaction order is the first in a newly confirmed block, the transaction order additionally obtains a bitcoin fee as a reward, and the total input value is the sum obtained by operating that plaintext part together with the original ciphertext; if the transaction order is not the first in a newly confirmed block, there is no additional income, and the total input value is the value transmitted by the previous transaction;
    Parallel encryption is performed, meaning that the transaction metadata is encrypted simultaneously in the transaction layer and the validation layer, wherein the system encrypts each transmitted amount in the transaction layer with the corresponding recipient's public key, while in the validation layer it encrypts each of the same amounts with the system public key; the amounts encrypted in the transaction layer are sent to each recipient's account after the validation layer passes, whereas the encrypted amounts sent in the validation layer enter the validation layer account; this account has no private key, and the amounts are discarded after verification;
    The validation layer verifies whether the hidden amounts are positive and whether the input and output totals are equal, wherein the validation layer proceeds in two steps: the first step proves, by a method of proving that a committed value lies in a specific interval, that every hidden amount is positive; when this holds, the validation layer enters the second step, which uses a method of proving that two committed values are equal to prove that the sums of the hidden amounts on the input side and the output side are equal; when this step holds, the sending stage of the transaction layer is entered;
    The recipient checks the received amount and, once it is found correct, the transaction order is broadcast to the whole network to await confirmation, wherein after processing the original plaintext information on the transaction order is hidden as indistinguishable ciphertext, so as to ensure the privacy of the transaction process against possible analysis; and
    After verification by the validation layer passes, the transaction layer sends the encrypted amount to the recipient, and the recipient decrypts it with the recipient's own private key; after the recipient has checked that the received amount is correct, the next transaction proceeds, and the recipient's received value is the input value of the next transaction.
  9. The multicenter blockchain transaction privacy protection method according to claim 8, characterized in that:
    Let Π1 = (rdmPara, coN, BipriTest, KeyGen) denote the RSA threshold key scheme, where rdmPara, coN, BipriTest and KeyGen are respectively threshold parameter distribution, joint generation of the modulus integer, the biprimality test and alliance parameter generation in the RSA threshold key scheme;
    Let Π2 = (PKeyGen, PEnc, PDec) denote the homomorphic encryption and decryption scheme, where PKeyGen, PEnc and PDec are respectively the key generation, encryption and decryption algorithms in the homomorphic encryption and decryption scheme;
    Let Π3 = (TKeyGen, TCom, TVer, TIndic) denote the indicative commitment proof scheme, where TKeyGen, TCom, TVer and TIndic are respectively the key generation, commitment, verification and indicative algorithms in the indicative commitment proof scheme;
    Let Π4 = (RKeyGen, RCom, RVer, RInact) denote the range commitment proof scheme, where RKeyGen, RCom, RVer and RInact are respectively the key generation, commitment, verification and interaction algorithms in the scheme;
    Let Π5 = (TIn, TOut, TBroad, BCfm) denote the blockchain-like transaction system scheme, where TIn, TOut, TBroad and BCfm are respectively transaction sending, transaction receiving, transaction broadcast and block confirmation in the blockchain-like transaction system scheme.
  10. The multicenter blockchain transaction privacy protection method according to claim 8 or 9, characterized in that the blockchain transaction system comprises the transaction layer and the validation layer, wherein the transaction layer is used to execute the transaction steps of the blockchain transaction system, including transaction order generation, input and output, and broadcast confirmation, with the encrypted metadata replacing the original plaintext and being displayed in the transaction order; the validation layer is used to verify whether the encrypted data satisfy value consistency and lie within a particular range.
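
Added example (not part of the patent text and not the applicants' code): a Python sketch of the second validation-layer step in claim 8, checking on commitments alone that hidden input and output totals are equal. It assumes a commitment of the form G^m * H^r mod N, which the claims do not specify; N, G, H and every function name are constructed for illustration, and the interval proof of the first step is not implemented. The last case shows why the claims place that interval proof before the equality check.

```python
import secrets
from functools import reduce

# Constructed toy parameters (assumptions, not values from the patent).
# In the claimed system N is generated jointly so that no member knows its
# factorisation; two known Mersenne primes stand in for it here.
N = (2**31 - 1) * (2**61 - 1)
G = pow(0x1234567, 2, N)   # public base carrying the amount
H = pow(0x7654321, 2, N)   # public base carrying the blinding value


def commit(amount: int, blind: int) -> int:
    """Hide `amount` as G^amount * H^blind mod N.

    Negative exponents are accepted (Python 3.8+ takes the modular inverse),
    which is what the negative-output case below relies on.
    """
    return (pow(G, amount, N) * pow(H, blind, N)) % N


def combine(commitments) -> int:
    """Homomorphic operation: the product commits to the sum of the amounts."""
    return reduce(lambda a, b: (a * b) % N, commitments, 1)


def build_transaction(in_amounts, out_amounts) -> dict:
    """Sender side: commit to every amount, publish only the blind excess."""
    in_blinds = [secrets.randbelow(N) for _ in in_amounts]
    out_blinds = [secrets.randbelow(N) for _ in out_amounts]
    return {
        "inputs": [commit(m, r) for m, r in zip(in_amounts, in_blinds)],
        "outputs": [commit(m, r) for m, r in zip(out_amounts, out_blinds)],
        # Difference of the blinding sums; it reveals nothing about amounts.
        "blind_excess": sum(in_blinds) - sum(out_blinds),
    }


def totals_match(tx: dict) -> bool:
    """Validator side: accept if the hidden input and output totals agree.

    prod(inputs)  = G^sum(in)  * H^sum(r_in)
    prod(outputs) = G^sum(out) * H^sum(r_out)
    Multiplying the outputs by H^blind_excess aligns the H parts, so the two
    sides are equal only when G^sum(in) == G^sum(out).
    """
    lhs = combine(tx["inputs"])
    rhs = (combine(tx["outputs"]) * pow(H, tx["blind_excess"], N)) % N
    return lhs == rhs


if __name__ == "__main__":
    honest = build_transaction([60, 40], [70, 30])
    inflated = build_transaction([60, 40], [70, 31])
    # Totals still agree (105 - 5 == 100), but one output is negative:
    # the equality check alone cannot see this, the interval proof must.
    negative = build_transaction([100], [105, -5])

    print("honest accepted:   ", totals_match(honest))
    print("inflated accepted: ", totals_match(inflated))
    print("negative accepted: ", totals_match(negative))
```

A validator that ran only `totals_match` would accept the third transaction, so a deployment of this kind of check has to reject any output that lacks a valid interval proof before the totals are compared.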
CN201711218249.XA 2017-11-28 2017-11-28 Multicenter block chain transaction intimacy protection system and method Pending CN108021821A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711218249.XA CN108021821A (en) 2017-11-28 2017-11-28 Multicenter block chain transaction intimacy protection system and method

Publications (1)

Publication Number Publication Date
CN108021821A (en) 2018-05-11

Family

ID=62077260

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711218249.XA Pending CN108021821A (en) 2017-11-28 2017-11-28 Multicenter block chain transaction intimacy protection system and method

Country Status (1)

Country Link
CN (1) CN108021821A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170155515A1 (en) * 2015-11-26 2017-06-01 International Business Machines Corporation System, method, and computer program product for privacy-preserving transaction validation mechanisms for smart contracts that are included in a ledger
CN106529951A (en) * 2016-12-30 2017-03-22 杭州云象网络技术有限公司 Node consensus verification method under league chain network through asynchronous mode
CN106911470A (en) * 2017-01-23 2017-06-30 北京航空航天大学 A kind of bit coin transaction privacy Enhancement Method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DAN BONEH et al.: "Building Intrusion Tolerant Applications", 《PROCEEDINGS DARPA INFORMATION SURVIVABILITY CONFERENCE AND EXPOSITION》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180511