Background
Abbreviations and key term definitions:
UTXO: Unspent Transaction Output.
Ring signature: a digital signature scheme originally proposed by Rivest et al.; it can be viewed as a simplified group signature that has no group manager and requires no cooperation among the ring members, while guaranteeing that the signature was produced by one of them.
Homomorphic encryption: a cryptographic technique whose security rests on the computational hardness of mathematical problems. Processing homomorphically encrypted data yields an output which, once decrypted, equals the result of applying the same processing to the unencrypted original data.
The following detailed description of the background art is provided:
1. Background of the related art (background of the invention)
With the development of the Internet, people's way of life has changed greatly, and most commodity transactions are now settled by transfer payments over the network. In conventional transfer payment systems, a transaction is confirmed by a third-party institution, and the asset is also stored in that institution's database. This way of storing assets and transacting places high demands on the stability and security of the third party. On one hand, the system is fully centralized and has a single central authority that must confirm every transaction, so once that authority fails the whole system is paralyzed and cannot operate. On the other hand, an attacker or an administrator can modify the database, and recovering the data is difficult and costly. The traditional transfer payment system therefore depends on the trustworthiness and security of a third party, and carries corresponding security risks.
In 2008, Satoshi Nakamoto published a paper on an electronic cash system that proposed the Bitcoin network. With the advent and growth of cryptocurrencies such as Bitcoin, blockchain technology gradually became known, and more experts and scholars began to research blockchain-related technologies and applications. Blockchain technology combines database techniques with various cryptographic techniques, including elliptic-curve cryptography, asymmetric (public-key) encryption, hash algorithms, consensus algorithms and the like. The blockchain can be regarded as a distributed shared ledger: the recording and storage of transaction information are performed jointly by all nodes in the blockchain network. That is, any node can record transaction information in a block and write it to the blockchain once the information has passed verification, instead of a fully centralized third party confirming and recording transactions; and any node may store all transaction information since the genesis block, rather than a fully centralized third party storing it. Blocks are stored in chronological order and adjacent blocks are linked cryptographically (each block commits to the hash of its predecessor), so the resulting chain is trustworthy and cannot be tampered with undetected.
The blockchain fundamentally removes the dependence on a third party in transfer payment transactions and uses modern cryptography that has been shown to be secure in theory and practice. It therefore offers higher security and can protect the privacy of the transacting user's identity to a certain extent. The distributed ledger relieves the traditional database of the burden of storing asset transaction information, and the stability of the blockchain system is ensured by joint maintenance at many nodes.
In a blockchain, the ledger is maintained jointly by all nodes in the network; any node can participate in generating blocks and appending them to the chain, and even mutually untrusting nodes can verify the transaction data in a block and reach agreement through a consensus mechanism. A user's account balance can be looked up in the blockchain as unencrypted plaintext, so every node in the network obtains this public information. Likewise, when a user makes a transfer payment, other nodes on the chain must take part in verifying the transaction, so information such as the transaction amount in the block body is also in the clear. As a result the user's private transaction data are exposed on the blockchain, and clearly nobody wants their private information revealed. For example, the transaction data accumulated in the Bitcoin system from the genesis block to date amount to roughly 190 GB. If an attacker analyzes and correlates this historical transaction data, all transactions of any designated account can be recovered. Even if the same user has several account addresses, an adversary can determine with high probability which addresses belong to the same user through techniques such as behavior-based clustering. And since every transaction made with the corresponding addresses can be found in the blockchain, if those transactions are associated with real identities, the identity information of the transacting parties and their related transaction records are revealed.
Therefore, building on blockchain technology, the properties of anonymity, trustlessness and tamper-resistance should be studied and transaction data should be protected by technical means, so that blockchain technology can be applied more reasonably to transfer payment transactions. Because the fully decentralized nature of the blockchain means that illegal transactions on the chain cannot be supervised effectively, the supervision of blockchain technology must also be studied at the technical level.
2. Prior art relating to the invention
2.1) technical solution of the prior art
Payment is the fundamental link in the circulation of funds. Cross-border transfer and clearing suffer from high cost, long delays and security problems. With the development of blockchain technology, infrastructure developers and traditional financial institutions have turned their attention to the blockchain and to whether it can play to its strengths in reducing settlement risk, improving payment efficiency and saving bank resources, thereby improving the existing transfer payment model. The blockchain's decentralization, trustlessness, collective maintenance and data transparency combine well with the financial field, particularly transfer payment transactions. Fund transfer data are recorded completely on a distributed ledger and every transaction can be traced, which ensures the security and reliability of transactions; with blockchain and distributed ledger technology there is no intermediary and no manual processing by bank staff, transfer payment becomes peer-to-peer and processing time drops directly; removing the intermediary makes the flow of transactions and the payment and collection information transparent to both parties; and with no intermediary involved, costs fall and the operating efficiency of the system rises.
2.2) Evaluation of the disadvantages of the prior art
Existing blockchain techniques do not protect user privacy well. Androulaki et al. evaluated the ability of traditional blockchain techniques to protect user privacy by simulating Bitcoin trading, and their experiments showed that the true identities of 40% of users could be exposed through a behavior-based clustering method. There are two main reasons why user privacy is compromised. One is that the transaction amounts, transaction metadata and the whole-network ledger are public, which lets an attacker gather a large amount of identity information about a user; the other is the obvious correlation between the transaction initiator's account and the transaction receiver's account within a transaction, which lets the attacker trace the corresponding historical transactions.
Disclosure of Invention
The invention provides a privacy-preserving secure transfer payment method based on a supervisable blockchain, which comprises the following steps:
a transaction amount privacy protection step: protecting the privacy of the transaction amount in the transaction;
a transaction address protection step: protecting the addresses of both parties to the transaction;
a transaction supervision step: the system comprises three roles, a central bank, mintettes and users, where the mintettes are authorized by the central bank to record transactions; the central bank generates a public key for each mintette and periodically issues the list of authorized mintettes to the whole system; each mintette maintains a low-level ledger; the mintettes communicate directly or indirectly with one another; and during supervision the mintettes send their low-level ledgers to the central bank, which thereby generates a global ledger that is visible to the outside.
As a further improvement of the invention, in the transaction amount privacy protection step a privacy protection algorithm based on homomorphic encryption is adopted: let $x_1, y_1, x_2, y_2$ denote, respectively, the pre-transaction balance of $P_1$, the pre-transaction balance of $P_2$, the post-transaction balance of $P_1$ and the post-transaction balance of $P_2$, where $P_1$ and $P_2$ are the two institutions participating in the transfer; there are two pairs of ciphertexts $(E_{pk}(x_1), E_{pk}(y_1))$ and $(E_{pk}(x_2), E_{pk}(y_2))$, and the goal is to obtain $E_{pk}(x_1+y_1)$ and $E_{pk}(x_2+y_2)$ and decide whether the two are equal while keeping $x_1, y_1, x_2, y_2$ private.
As a further improvement of the invention, the transaction address protection step adopts a coin-mixing algorithm based on one-time stealth addresses: $P_1$ initiates a transaction to pay $P_2$; $P_1$ parses $P_2$'s wallet address to obtain $P_2$'s public key $(A, B)$, where $A = aG$ and $B = bG$; $P_1$ generates a random number $r \in [1, l-1]$ and computes the one-time public key $P = H_s(rA)G + B$; $P_1$ uses $P$ as the output destination address public key and writes $R = rG$ into the transaction block, so that for the same address $P_1$ can generate different one-time public key addresses by choosing different random numbers $r$; $P_1$ also writes into the transaction block the ciphertexts (their expressions are not reproduced in the text) from which the supervisor can later recover $r$ and $rA$; $P_1$ broadcasts the transaction over the whole network; $P_2$ computes $P' = H_s(aR)G + B$ with its private key $(a, b)$ and, when it detects the transaction $P_1$ issued to it, $P' = P$ since $aR = arG = rA$; $P_2$ computes from its private key $(a, b)$ the one-time private key $x = H_s(aR) + b$ corresponding to the one-time public key $P = xG$; $P_2$ receives $P_1$'s payment using its one-time public key; for other users in the system, the one-time public key address of the transaction is not related to the real identity of the user; and for supervision by a third-party supervisory authority, when the current transaction needs to be reviewed the supervisor decrypts with $sk_{BCP}$ to obtain $r$ and $rA$ and, combined with $P = H_s(rA)G + B$, obtains $(A, B)$, namely the real address of the receiver; here $G$ denotes the base point of the elliptic curve, $l$ the prime order of the base point, $H_s: \{0,1\}^* \to F_q$ a cryptographic hash function, and $E$ the equation of the elliptic curve.
As a further improvement of the present invention, the transaction address protection step adopts a coin-mixing algorithm based on a ring signature with revocable anonymity, which includes: $(x, P) \leftarrow Gen(1^k)$: Gen is a polynomial-time algorithm and $k$ a security parameter; it outputs a key pair $(x, P)$, where $x$ is the private key and $P$ the public key, and the key image $I$ is computed from $(x, P)$;
$\sigma \leftarrow Sig(1^k, x, L, m)$: Sig is a polynomial-time algorithm, $k$ a security parameter, $x$ a private key, $L$ the set of $n$ user public keys participating in the ring signature (including the public key corresponding to $x$), and $m$ the message to be signed; the output is the signature $\sigma$;
$1/0 \leftarrow Ver(1^k, L, m, \sigma)$: Ver is a polynomial-time algorithm, $k$ a security parameter, $L$ the set of $n$ user public keys participating in the ring signature, $m$ the signed message and $\sigma$ a signature; output 1 means the verification passed and output 0 means it failed;
$1/0 \leftarrow Lnk(1^k, K, \sigma)$: Lnk is a polynomial-time algorithm, $k$ a security parameter, $K$ the set of all key images $I$ generated so far, and $\sigma$ a signature; output 1 means the signature is linked and output 0 means it is not;
$1/0 \leftarrow Rev(1^k, \sigma, sk)$: Rev is a polynomial-time algorithm, $k$ a security parameter, $\sigma$ a signature and $sk$ the private key held by the supervisor; output 1 means the signature is valid and the identity of the signer has been confirmed, and output 0 means the signature is invalid.
As a further improvement of the invention, in the transaction supervision step the mintettes are first divided into several groups, and the mintettes of each group maintain only the ledger content within their jurisdiction; when a user initiates a transaction, the system hands it to the corresponding mintettes for processing according to the corresponding rules; information is not exchanged directly between the end user and the central bank, but the transaction records are aggregated through this middle layer of mintettes; the central bank plays a vital role in the system and has sole supervision and audit authority over the global ledger when transaction disputes or illegal transactions occur; for transactions within each mintette's jurisdiction, if the transaction flow follows the transfer payment transaction scheme designed above, the verification and confirmation of the user's transfer payment transaction are completed by the other users in the system, and the mintette does not verify and record the transaction independently but acts as bottom-layer supervision and sends its low-level ledger to the central bank within a specific time period; transactions in different mintette regions do not interfere with each other, each mintette can decrypt only the transaction data within its jurisdiction, and the central bank has the highest supervision right and can decrypt any transaction data.
The invention also provides a privacy-preserving secure transfer payment system based on a supervisable blockchain, which comprises:
a transaction amount privacy protection module: for protecting the privacy of the transaction amount in the transaction;
a transaction address protection module: for protecting the addresses of both parties to the transaction;
a transaction supervision module: the system comprises three roles, a central bank, mintettes and users, where the mintettes are authorized by the central bank to record transactions; the central bank generates a public key for each mintette and periodically issues the list of authorized mintettes to the whole system; each mintette maintains a low-level ledger; the mintettes communicate directly or indirectly with one another; and during supervision the mintettes send their low-level ledgers to the central bank, which thereby generates a global ledger that is visible to the outside.
As a further improvement of the invention, in the transaction amount privacy protection module a privacy protection algorithm based on homomorphic encryption is adopted: let $x_1, y_1, x_2, y_2$ denote, respectively, the pre-transaction balance of $P_1$, the pre-transaction balance of $P_2$, the post-transaction balance of $P_1$ and the post-transaction balance of $P_2$, where $P_1$ and $P_2$ are the two institutions participating in the transfer; there are two pairs of ciphertexts $(E_{pk}(x_1), E_{pk}(y_1))$ and $(E_{pk}(x_2), E_{pk}(y_2))$, and the goal is to obtain $E_{pk}(x_1+y_1)$ and $E_{pk}(x_2+y_2)$ and decide whether the two are equal while keeping $x_1, y_1, x_2, y_2$ private.
As a further improvement of the invention, in the transaction supervision module the mintettes are first divided into several groups, and the mintettes of each group maintain only the ledger content within their jurisdiction; when a user initiates a transaction, the system hands it to the corresponding mintettes for processing according to the corresponding rules; information is not exchanged directly between the end user and the central bank, but the transaction records are aggregated through this middle layer of mintettes; the central bank plays a vital role in the system and has sole supervision and audit authority over the global ledger when transaction disputes or illegal transactions occur; for transactions within each mintette's jurisdiction, if the transaction flow follows the transfer payment transaction scheme designed above, the verification and confirmation of the user's transfer payment transaction are completed by the other users in the system, and the mintette does not verify and record the transaction independently but acts as bottom-layer supervision and sends its low-level ledger to the central bank within a specific time period; transactions in different mintette regions do not interfere with each other, each mintette can decrypt only the transaction data within its jurisdiction, and the central bank has the highest supervision right and can decrypt any transaction data.
The invention also provides a privacy-preserving secure transfer payment device based on a supervisable blockchain, which comprises a memory, a processor, and a computer program stored in the memory, the computer program being configured to implement the steps of the privacy-preserving secure transfer payment method of the invention when invoked by the processor.
The invention also provides a computer-readable storage medium storing a computer program configured to perform the steps of the privacy-preserving secure transfer payment method of the invention when invoked by a processor.
The beneficial effects of the invention are: it solves the problem that the traditional transfer payment scheme depends excessively on a third-party institution; it defines the private information to be protected in a transaction and designs corresponding privacy protection schemes for the transaction amount in the block, the balances of both parties, the address of the transaction initiator and the address of the transaction receiver; and it establishes a supervision system for blockchain users, so that a supervisor retains the ability to hold both the buyer and the seller on the blockchain accountable.
Detailed Description
The invention discloses a privacy-preserving secure transfer payment method based on a supervisable blockchain, which is explained in detail as follows:
Brief description of the technical principles:
In the transfer payment transaction scenario, assume that the participants are three institutions $P_1, P_2, P_3$ and a supervisor $S$, as shown in Fig. 1. When $P_1$ makes a transaction to $P_2$ with transfer amount $x$, the transaction $T = (P_1, P_2, x)$ is broadcast in the network and $P_1, P_2, P_3$ all receive $T$. However, the transaction is only between $P_1$ and $P_2$ and has nothing to do with $P_3$, so $P_3$ should not learn the actual content of the transaction. But $P_3$ still has to record the transaction and ensure that its ledger record is consistent with the ledgers of $P_1$ and $P_2$.
(1) Without knowing the address information and transaction content of $P_1$ and $P_2$, $P_3$ can confirm the legitimacy of the transfer. Legitimacy here has two meanings: $P_1$ can prove that it owns an asset, the asset being abstracted as an asset identifier corresponding to a specific, globally unique ID that remains invisible and hidden from others; and $P_1$ can prove that the asset is legal in the network, i.e. that it is unique and has not been spent, for which $P_1$ must provide a proof.
(2) Without knowing the transaction amount between $P_1$ and $P_2$, $P_3$ can settle the fund transaction in the ledger and confirm that the accounts balance. According to accounting rules, the total balance of the assets (e.g. deposits) held by $P_1$ and $P_2$ is the same before and after the transaction. That is, the following equation holds:
$P_1$(pre-transaction balance) + $P_2$(pre-transaction balance) = $P_1$(post-transaction balance) + $P_2$(post-transaction balance)
(3) The supervisor $S$ can decrypt all encrypted transaction data and supervise and audit every transaction.
1. For the problem that transaction amounts are disclosed, the invention provides a privacy protection algorithm based on homomorphic encryption; using the homomorphic property of the algorithm, the validity of a transaction can be verified while the transaction data stay protected. Specifically, assume $x_1, y_1, x_2, y_2$ denote respectively $P_1$ (pre-transaction balance), $P_2$ (pre-transaction balance), $P_1$ (post-transaction balance) and $P_2$ (post-transaction balance). There are two pairs of ciphertexts $(E_{pk}(x_1), E_{pk}(y_1))$ and $(E_{pk}(x_2), E_{pk}(y_2))$; the goal is to obtain $E_{pk}(x_1+y_1)$ and $E_{pk}(x_2+y_2)$ and decide whether they are equal while keeping $x_1, y_1, x_2, y_2$ private.
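The balance check just described, carried through with the Paillier cryptosystem as an added worked example (this is not code from the patent; the same description recurs in the claims sections, which this block also illustrates). Paillier's additive homomorphism $E(a)\cdot E(b) = E(a+b)$ is one concrete instantiation of the $E_{pk}$ the text leaves abstract. The primes, balances and transfer amounts are constructed demonstration values; the Mersenne primes $2^{127}-1$ and $2^{89}-1$ give a modulus far too small for real use. One point the description glosses over: because encryption is randomised, the third node $P_3$ can derive $E_{pk}(x_1+y_1)$ and $E_{pk}(x_2+y_2)$ but cannot decide whether they encrypt the same value by comparing the ciphertexts bitwise. It can only form the difference ciphertext; that this decrypts to zero must be attested by the key holder (the supervisor here) or by a zero-knowledge proof of plaintext equality, which this block does not implement.

```python
import math
import secrets

# Fixed demonstration primes (the Mersenne primes 2^127-1 and 2^89-1): a 216-bit modulus,
# far too small for real use but enough to exercise the homomorphism exactly.
_P, _Q = 2**127 - 1, 2**89 - 1


def keygen():
    """Paillier keys: pk = (n, g) goes to every node, sk = (lambda, mu) stays with the supervisor."""
    n = _P * _Q
    assert math.gcd(n, (_P - 1) * (_Q - 1)) == 1
    lam = (_P - 1) * (_Q - 1) // math.gcd(_P - 1, _Q - 1)
    g = n + 1                       # standard choice; then L(g^lam mod n^2) = lam
    mu = pow(lam, -1, n)
    return (n, g), (lam, mu)


def encrypt(pk, m):
    """E_pk(m) = g^m * r^n mod n^2 with a fresh random r: two encryptions of m differ."""
    n, g = pk
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def add_ct(pk, c1, c2):
    """E(a) * E(b) mod n^2 = E(a + b): computable by anyone holding only pk."""
    return c1 * c2 % (pk[0] ** 2)


def sub_ct(pk, c1, c2):
    """E(a) * E(b)^-1 mod n^2 = E(a - b)."""
    n2 = pk[0] ** 2
    return c1 * pow(c2, -1, n2) % n2


def verifier_derive(pk, ct):
    """P3's step: from the four published ciphertexts derive E(x1+y1), E(x2+y2) and the
    difference E((x1+y1) - (x2+y2)) without learning any balance. ct maps names to ciphertexts."""
    before = add_ct(pk, ct["x1"], ct["y1"])
    after = add_ct(pk, ct["x2"], ct["y2"])
    return before, after, sub_ct(pk, before, after)


def supervisor_audit(pk, sk, diff_ct):
    """Key holder's step: the books balance iff the difference decrypts to 0."""
    return decrypt(pk, sk, diff_ct) == 0


def run_transfer(pk, sk, x1, y1, amount, claimed_y2=None):
    """P1 (balance x1) pays `amount` to P2 (balance y1). claimed_y2 simulates a forged
    post-transaction balance. All balances here are constructed sample values."""
    x2 = x1 - amount
    y2 = y1 + amount if claimed_y2 is None else claimed_y2
    ct = {name: encrypt(pk, v) for name, v in (("x1", x1), ("y1", y1), ("x2", x2), ("y2", y2))}
    before, after, diff = verifier_derive(pk, ct)
    return {
        "ciphertexts_bitwise_equal": before == after,   # False even when the books balance
        "balanced": supervisor_audit(pk, sk, diff),
        "sum_seen_by_supervisor": decrypt(pk, sk, before),
    }


if __name__ == "__main__":
    pk, sk = keygen()
    print("honest transfer:", run_transfer(pk, sk, 100, 50, 30))
    print("forged balance: ", run_transfer(pk, sk, 100, 50, 30, claimed_y2=90))
```

The honest run reports `balanced` as true while `ciphertexts_bitwise_equal` stays false, which is exactly why the equality decision cannot be left to a node that holds only the public key; the forged run, in which $P_2$ claims 90 instead of 80, fails the audit because the difference decrypts to $n-10$ rather than 0.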
2. For the problem that the addresses of both parties to a transaction are disclosed, the invention provides, on the basis of the CryptoNote protocol, a coin-mixing algorithm based on one-time stealth addresses and a coin-mixing algorithm based on a ring signature with revocable anonymity. The ring signature property effectively protects the address of the transaction initiator, while the signer must additionally incorporate an encryption of its private key into the construction of the signature, which makes it possible to revoke anonymity under special circumstances.
In the coin-mixing algorithm based on one-time stealth addresses, EdDSA is chosen as the digital signature algorithm of the scheme for generating the one-time public key; the meanings of the relevant parameters are shown in Table 1.
TABLE 1 EdDSA related parameters and meanings
1) $P_1$ initiates a transaction to pay $P_2$. $P_1$ parses $P_2$'s wallet address to obtain $P_2$'s public key $(A, B)$, where $A = aG$ and $B = bG$;
2) $P_1$ generates a random number $r \in [1, l-1]$ and computes the one-time public key $P = H_s(rA)G + B$;
3) $P_1$ uses $P$ as the output destination address public key and writes $R = rG$ into the transaction block. For the same address, $P_1$ can generate different one-time public key addresses by choosing different random numbers $r$. Furthermore, to ensure that the transaction can be supervised effectively, $P_1$ must also write into the transaction block the ciphertexts (their expressions are not reproduced in the text) from which the supervisor can later recover $r$ and $rA$;
4) $P_1$ broadcasts the transaction over the whole network;
5) $P_2$ computes $P' = H_s(aR)G + B$ with its private key $(a, b)$; when it detects the transaction $P_1$ issued to it, $P' = P$ since $aR = arG = rA$;
6) $P_2$ can compute from its private key $(a, b)$ the one-time private key $x = H_s(aR) + b$ corresponding to the one-time public key $P = xG$, which also means that it has the right to own and spend the money.
Fig. 2 shows the structure of a standard transaction, in which $P_2$ receives $P_1$'s payment using its one-time public key. To other users in the system, the one-time public key address of the transaction is not related to the user's real identity. For supervision by a third-party supervisory authority, when the current transaction needs to be reviewed the supervisor decrypts with $sk_{BCP}$ to obtain $r$ and $rA$ and, combined with $P = H_s(rA)G + B$, in turn obtains $(A, B)$, the real address of the receiver.
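The six steps above, and the supervisor's recovery step, as an added example in Python (not the patent's code; the claims restate the same procedure and this block illustrates them too). The Ed25519 group arithmetic is implemented in affine coordinates; $H_s$ is assumed to be SHA-512 over the point encoding reduced modulo $l$, since the text does not fix the hash. The supervisor's side is written as a function that receives $r$ and $rA$ directly; their encryption for the supervisor and the decryption with $sk_{BCP}$ lie outside this block. Note that from $r$ and $rA$ the supervisor recovers $A = r^{-1}(rA)$ as well as $B = P - H_s(rA)G$, so both halves of the receiver's address come back. Two properties a practitioner would want checked are included: a node holding a different wallet key cannot claim the output, and two payments to the same $(A, B)$ yield unrelated one-time addresses.

```python
import hashlib
import secrets

# Ed25519 parameters: twisted Edwards curve -x^2 + y^2 = 1 + d x^2 y^2 over F_q,
# base point G of prime order l (the cofactor 8 plays no role in this demonstration).
q = 2**255 - 19
d = (-121665 * pow(121666, -1, q)) % q
l = 2**252 + 27742317777372353535851937790883648493
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
IDENTITY = (0, 1)


def point_add(P1, P2):
    """Unified Edwards addition (also serves as doubling), affine coordinates."""
    x1, y1 = P1
    x2, y2 = P2
    t = d * x1 * x2 * y1 * y2 % q
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % q, -1, q)
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % q, -1, q)
    return x3 % q, y3 % q


def point_neg(Pt):
    return (-Pt[0]) % q, Pt[1]


def scalar_mult(k, Pt):
    """Double-and-add; k is reduced mod l because every point used here has order l."""
    R, k = IDENTITY, k % l
    while k:
        if k & 1:
            R = point_add(R, Pt)
        Pt = point_add(Pt, Pt)
        k >>= 1
    return R


def H_s(Pt):
    """H_s: point -> scalar. Assumption: SHA-512 of the affine encoding, reduced mod l."""
    enc = Pt[0].to_bytes(32, "little") + Pt[1].to_bytes(32, "little")
    return int.from_bytes(hashlib.sha512(enc).digest(), "little") % l


def rand_scalar():
    return secrets.randbelow(l - 1) + 1          # r in [1, l-1], as in step 2


def keygen():
    """Wallet key pair: private (a, b), public (A, B) = (aG, bG)."""
    a, b = rand_scalar(), rand_scalar()
    return (a, b), (scalar_mult(a, G), scalar_mult(b, G))


def sender_one_time_address(A, B):
    """Steps 1-3: P1 derives P = H_s(rA)G + B and publishes R = rG with the output."""
    r = rand_scalar()
    rA = scalar_mult(r, A)
    P = point_add(scalar_mult(H_s(rA), G), B)
    R = scalar_mult(r, G)
    return P, R, r     # in the scheme r and rA are also escrowed, encrypted for the supervisor


def receiver_scan(a, b, B, P, R):
    """Steps 5-6: P2 tests P' = H_s(aR)G + B == P and, on a match, derives x with xG = P."""
    aR = scalar_mult(a, R)                        # aR = arG = rA
    if point_add(scalar_mult(H_s(aR), G), B) != P:
        return None
    return (H_s(aR) + b) % l


def supervisor_recover(r, rA, P):
    """Audit: from the escrowed r and rA (decrypted with sk_BCP in the scheme) recover (A, B)."""
    A = scalar_mult(pow(r, -1, l), rA)            # r is invertible because l is prime
    B = point_add(P, point_neg(scalar_mult(H_s(rA), G)))
    return A, B


def demo():
    (a, b), (A, B) = keygen()
    P, R, r = sender_one_time_address(A, B)
    x = receiver_scan(a, b, B, P, R)
    (a2, b2), (_, B2) = keygen()                  # an unrelated wallet scanning the same output
    P2, _, _ = sender_one_time_address(A, B)      # a second payment to the same wallet
    return {
        "receiver_owns_output": x is not None and scalar_mult(x, G) == P,
        "stranger_cannot_claim": receiver_scan(a2, b2, B2, P, R) is None,
        "supervisor_recovers_address": supervisor_recover(r, scalar_mult(r, A), P) == (A, B),
        "payments_unlinkable": P2 != P,
    }


if __name__ == "__main__":
    print(demo())
```

The check `scalar_mult(x, G) == P` in `demo` is the property step 6 relies on: the receiver's derived one-time private key really does open the output, while everyone else sees only an unlinkable point $P$ and the ephemeral $R$.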
Ring signatures are used to hide the connection between a user's input and output addresses (untraceability). With a ring signature a user can sign a message anonymously, and others can verify the signature without learning which member of the ring produced it. Although ring signatures guarantee the anonymity of users, they raise another problem: how to prevent double spending, that is, a sender sending the same money to different recipients. The traditional ring signature can be improved to be linkable: if a user creates several ring signatures with the same private key (the public keys of the other users in each ring can be chosen arbitrarily), those signatures are linked together, which shows that the user has spent the same asset twice.
To make ring signatures linkable we introduce the key image, a special tag the user generates when creating a ring signature. It is obtained by applying a one-way hash computation, under a fixed rule, to the user's private and public keys. One-way here means that an attacker cannot derive the user's private key from the key image and other public information. The key image can be regarded as an anonymous mark of the signer's private key; all users keep the key images generated in all historical transactions in the system, and when the validity of a ring signature is verified, if its key image already exists in the historical key image store, the new ring signature is rejected whether or not it otherwise verifies.
Below, a coin-mixing scheme is designed using these properties of the ring signature, strengthening the anonymity of the blockchain by hiding the user's transaction address. The security model of the scheme comprises the following five algorithms:
1) $(x, P) \leftarrow Gen(1^k)$: Gen is a polynomial-time algorithm and $k$ a security parameter; it outputs a key pair $(x, P)$, where $x$ is the private key and $P$ the public key, and the key image $I$ is computed from $(x, P)$.
2) $\sigma \leftarrow Sig(1^k, x, L, m)$: Sig is a polynomial-time algorithm, $k$ a security parameter, $x$ a private key, $L$ the set of $n$ user public keys participating in the ring signature (including the public key corresponding to $x$), and $m$ the message to be signed; the output is the signature $\sigma$.
3) $1/0 \leftarrow Ver(1^k, L, m, \sigma)$: Ver is a polynomial-time algorithm, $k$ a security parameter, $L$ the set of $n$ user public keys participating in the ring signature, $m$ the signed message and $\sigma$ a signature; output 1 means the verification passed, output 0 means it failed.
4) $1/0 \leftarrow Lnk(1^k, K, \sigma)$: Lnk is a polynomial-time algorithm, $k$ a security parameter, $K$ the set of all key images $I$ generated so far, and $\sigma$ a signature; output 1 means the signature is linked, output 0 means it is not.
5) $1/0 \leftarrow Rev(1^k, \sigma, sk)$: Rev is a polynomial-time algorithm, $k$ a security parameter, $\sigma$ a signature and $sk$ the private key held by the supervisor; output 1 means the signature is valid and the identity of the signer has been confirmed, output 0 means the signature is invalid.
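An added example (not the patent's code) of Gen, Sig, Ver and Lnk, using a linkable ring signature of the Liu-Wei-Wong type in a prime-order subgroup of $Z_p^*$, with the key image $I = H_p(P)^x$ derived from the key pair $(x, P)$ as the text describes; it also illustrates the matching claims. The group parameters are constructed toy parameters generated at import time (a 160-bit safe prime, far too small for real use), and $H_p$ is taken as the square of a SHA-256 digest so that its discrete logarithm to the generator is unknown, which is what prevents anyone from computing a member's key image from that member's public key alone. Rev is not implemented because the text does not specify how the signer's identity is escrowed for the supervisor. The verifier additionally checks that $I$ lies in the prime-order subgroup, a check a practitioner should not drop: with a safe prime, a signer who submits $-I$ (an element of order $2n$) can, after a retry or two, still close the ring equation, and the resulting key image would not match anything in the history set $K$, so a double spend would go unlinked.

```python
import hashlib
import secrets


def _is_probable_prime(m, rounds=32):
    """Miller-Rabin; used only to build the toy group below."""
    if m < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53):
        if m % sp == 0:
            return m == sp
    dd, s = m - 1, 0
    while dd % 2 == 0:
        dd //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(m - 3) + 2, dd, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False
    return True


def make_group(bits=160):
    """Constructed toy parameters: safe prime p = 2n + 1, generator g = 4 of the order-n
    subgroup of quadratic residues. Far too small for real use."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(n) and _is_probable_prime(2 * n + 1):
            return 2 * n + 1, n, 4


P_MOD, ORDER, GEN = make_group()


def hash_to_group(y):
    """H_p: squaring the digest lands in the QR subgroup; its discrete log to GEN is unknown."""
    t = int.from_bytes(hashlib.sha256(b"Hp|" + y.to_bytes(32, "big")).digest(), "big") % P_MOD
    return pow(t, 2, P_MOD)


def hash_to_scalar(*parts):
    h = hashlib.sha256()
    for v in parts:
        h.update(v if isinstance(v, bytes) else v.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % ORDER


def gen():
    """Gen(1^k): private key x, public key y = g^x."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(GEN, x, P_MOD)


def key_image(x, y):
    """I = H_p(y)^x: fixed per key, so a second spend with the same x repeats it."""
    return pow(hash_to_group(y), x, P_MOD)


def sig(x, L, m):
    """Sig(1^k, x, L, m): LSAG over the ring L (which must contain g^x); returns (c_0, [s_i], I)."""
    n, y = len(L), pow(GEN, x, P_MOD)
    pi, I = L.index(y), key_image(x, y)
    c, s = [0] * n, [secrets.randbelow(ORDER) for _ in range(n)]
    u = secrets.randbelow(ORDER - 1) + 1
    c[(pi + 1) % n] = hash_to_scalar(m, I, *L, pow(GEN, u, P_MOD), pow(hash_to_group(y), u, P_MOD))
    i = (pi + 1) % n
    while i != pi:                                   # simulate every other member's step
        z1 = pow(GEN, s[i], P_MOD) * pow(L[i], c[i], P_MOD) % P_MOD
        z2 = pow(hash_to_group(L[i]), s[i], P_MOD) * pow(I, c[i], P_MOD) % P_MOD
        c[(i + 1) % n] = hash_to_scalar(m, I, *L, z1, z2)
        i = (i + 1) % n
    s[pi] = (u - c[pi] * x) % ORDER                  # close the ring with the real secret
    return c[0], s, I


def ver(L, m, sigma):
    """Ver(1^k, L, m, sigma): recompute the ring and require it to close on c_0."""
    c0, s, I = sigma
    if len(s) != len(L) or pow(I, ORDER, P_MOD) != 1:   # key image must lie in the subgroup
        return False
    c = c0
    for yi, si in zip(L, s):
        z1 = pow(GEN, si, P_MOD) * pow(yi, c, P_MOD) % P_MOD
        z2 = pow(hash_to_group(yi), si, P_MOD) * pow(I, c, P_MOD) % P_MOD
        c = hash_to_scalar(m, I, *L, z1, z2)
    return c == c0


def lnk(K, sigma):
    """Lnk(1^k, K, sigma): 1 if the key image already appears in the history set K."""
    return sigma[2] in K


def demo():
    members = [gen() for _ in range(4)]
    L = [y for _, y in members]
    x, y = members[2]                                # the real spender hides among four keys
    K, m1 = set(), b"tx-1: spend output 7"           # constructed sample messages
    s1 = sig(x, L, m1)
    first_link = lnk(K, s1)
    K.add(s1[2])
    L2 = L[:3] + [gen()[1]]                          # same key reused inside a different ring
    m2 = b"tx-2: spend output 7 again"
    s2 = sig(x, L2, m2)
    return {
        "both_verify": ver(L, m1, s1) and ver(L2, m2, s2),
        "first_spend_unlinked": not first_link,
        "double_spend_linked": lnk(K, s2),
        "tampered_message_rejected": not ver(L, b"tx-1: spend output 8", s1),
        "image_matches_key": s1[2] == key_image(x, y),
        "negated_image_rejected": not ver(L, m1, (s1[0], s1[1], (-s1[2]) % P_MOD)),
    }


if __name__ == "__main__":
    print(demo())
```

The second signature is made over a different ring and a different message, yet `lnk` flags it, which is the double-spend detection the text asks for; nothing in either signature reveals that member index 2 was the signer.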
3. For the problem of transaction supervision on the blockchain, the invention provides a two-level supervision architecture, so that a supervisor retains the ability to hold buyers and sellers on the blockchain accountable.
The system comprises three roles: a central bank, mintettes and users. At first sight a mintette looks like a miner, since both confirm that a transaction occurred and then record it. The key difference is that a mintette does not solve a computational puzzle but is authorized by the central bank to record transactions. The authorization is done with public-key cryptography: the central bank generates a public key for each mintette and periodically issues the list of authorized mintettes to the whole system. Each mintette maintains a low-level ledger, and the mintettes communicate directly or indirectly with one another. At specific times the mintettes send their low-level ledgers to the central bank, which thereby generates a global ledger that is visible to the outside.
Fig. 3 shows the two-level supervision architecture, in which the system uses a multi-threaded design to improve its processing capacity. First the mintettes are divided into several groups, and the mintettes of each group maintain only the ledger content within their jurisdiction. When a user initiates a transaction, the system hands it to the corresponding mintettes for processing according to the corresponding rules, which greatly improves the operating efficiency of the system. Information is not exchanged directly between the end user and the central bank; instead the transaction records are aggregated through this middle layer of mintettes. The central bank plays a vital role in the system and has sole supervision and audit authority over the global ledger when transaction disputes or illegal transactions occur.
For transactions within each mintette's jurisdiction, if the transaction flow follows the transfer payment transaction scheme designed above, the verification and confirmation of the user's transfer payment transaction are completed by the other users in the system; the mintette does not verify and record the transaction independently but acts as bottom-layer supervision and sends its low-level ledger to the central bank within a specific time period. Transactions in different mintette regions do not interfere with each other, each mintette can decrypt only the transaction data within its jurisdiction, and the central bank has the highest supervision right and can decrypt any transaction data.
For the transaction amount privacy protection step, a zero-knowledge proof scheme with a stronger privacy guarantee could also be used to protect the transaction amount, at the cost of system performance.
For the transaction address protection step of the invention, other coin-mixing schemes, such as the Mixcoin protocol, the CoinShuffle protocol and similar protocols, may also be adopted to protect the addresses of both parties to the transaction.
The invention also discloses a privacy-preserving secure transfer payment system based on a supervisable blockchain, which comprises:
a transaction amount privacy protection module: for protecting the privacy of the transaction amount in the transaction;
a transaction address protection module: for protecting the addresses of both parties to the transaction;
a transaction supervision module: the system comprises three roles, a central bank, mintettes and users, where the mintettes are authorized by the central bank to record transactions; the central bank generates a public key for each mintette and periodically issues the list of authorized mintettes to the whole system; each mintette maintains a low-level ledger; the mintettes communicate directly or indirectly with one another; and during supervision the mintettes send their low-level ledgers to the central bank, which thereby generates a global ledger that is visible to the outside.
In the transaction amount privacy protection module, a privacy protection algorithm based on homomorphic encryption is adopted: let $x_1, y_1, x_2, y_2$ denote, respectively, the pre-transaction balance of $P_1$, the pre-transaction balance of $P_2$, the post-transaction balance of $P_1$ and the post-transaction balance of $P_2$, where $P_1$ and $P_2$ are the two institutions participating in the transfer; there are two pairs of ciphertexts $(E_{pk}(x_1), E_{pk}(y_1))$ and $(E_{pk}(x_2), E_{pk}(y_2))$, and the goal is to obtain $E_{pk}(x_1+y_1)$ and $E_{pk}(x_2+y_2)$ and decide whether the two are equal while keeping $x_1, y_1, x_2, y_2$ private.
The transaction address protection module adopts a coin-mixing algorithm based on a one-time hidden address: $P_1$ initiates a transaction to pay $P_2$. $P_1$ parses the wallet address of $P_2$ to obtain the public key $(A, B)$ of $P_2$, where $A = aG$ and $B = bG$. $P_1$ generates a random number $r \in [1, l-1]$ and computes the one-time public key $P = H_s(rA)G + B$. $P_1$ uses $P$ as the public key of the output destination address and writes $R = rG$ into the transaction block; for the same address, $P_1$ generates different one-time public key addresses by selecting different random numbers $r$. $P_1$ also encrypts the supervision data and writes the ciphertexts into the transaction block, so that the supervisor can later recover $r$ and $rA$ with $sk_{BCP}$. $P_1$ broadcasts the transaction over the whole network. $P_2$ computes $P' = H_s(aR)G + B$ using his private key $(a, b)$; when $P_2$ detects the transaction issued to him by $P_1$, $P' = P$, since $aR = arG = rA$. $P_2$ then computes from the private key $(a, b)$ the one-time private key $x = H_s(aR) + b$ corresponding to the one-time public key $P = xG$, and receives the payment of $P_1$ using this one-time public key. For the other users in the system, the one-time public key address of the transaction is not related to the real identity of the user; for supervision by a third-party supervision authority, when the current transaction needs to be reviewed the supervisor decrypts with $sk_{BCP}$ to obtain $r$ and $rA$, and combines them with $P = H_s(rA)G + B$ to obtain $(A, B)$, namely the real address of the receiver.
Here $G$ represents a base point of the elliptic curve, $l$ represents the prime order of the base point, $H_s$ represents a cryptographic hash function $\{0,1\}^* \to F_q$, and $E$ represents the elliptic curve equation.
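The derivation, recognition and supervisor recovery steps above, as an added example that is not code from the patent. The curve (secp256k1) and the hash $H_s$ (SHA-256 over the point coordinates, reduced modulo $l$) are assumptions of this example, since the patent fixes neither; the encryption of $r$ and $rA$ under the supervisor's key is left out and the supervisor function simply receives the already-decrypted values.

```python
# Added example (not from the patent): one-time (stealth) address derivation by
# P_1, recognition by P_2, and recovery of (A, B) by the supervisor.  Affine
# arithmetic on secp256k1 in pure Python, not constant-time: illustration only.
import hashlib

# secp256k1 domain parameters: field prime, base point G, prime order l of G
FIELD_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER_L = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity

def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7 (curve coefficient a = 0)."""
    if A is INF:
        return B
    if B is INF:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2:
        if (y1 + y2) % FIELD_P == 0:
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD_P) % FIELD_P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return x3, (lam * (x1 - x3) - y1) % FIELD_P

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A, scalar reduced mod l."""
    R = INF
    k %= ORDER_L
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def ec_neg(A):
    return INF if A is INF else (A[0], (-A[1]) % FIELD_P)

def H_s(point):
    """H_s: {0,1}* -> F_l, here SHA-256 of the coordinates reduced mod l (assumed)."""
    x, y = point
    digest = hashlib.sha256(x.to_bytes(32, "big") + y.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % ORDER_L

def sender_derive(A, B, r):
    """P_1: one-time public key P = H_s(rA)G + B and the value R = rG for the block."""
    rA = ec_mul(r, A)
    P = ec_add(ec_mul(H_s(rA), G), B)
    return P, ec_mul(r, G), rA

def receiver_scan(a, b, P, R):
    """P_2: recompute P' = H_s(aR)G + B.  If P' == P return the one-time private
    key x = H_s(aR) + b (so that xG = P); otherwise the payment is not for P_2."""
    aR = ec_mul(a, R)                                  # aR = arG = rA
    P_prime = ec_add(ec_mul(H_s(aR), G), ec_mul(b, G))
    if P_prime != P:
        return None
    return (H_s(aR) + b) % ORDER_L

def supervisor_recover(P, r, rA):
    """Supervisor: with r and rA (recovered via sk_BCP) and P = H_s(rA)G + B,
    obtain B = P - H_s(rA)G and A = r^-1 * (rA), i.e. the receiver's real address."""
    B = ec_add(P, ec_neg(ec_mul(H_s(rA), G)))
    A = ec_mul(pow(r, -1, ORDER_L), rA)
    return A, B

def run(a, b, r):
    """Walk the protocol once with P_2's private keys (a, b) and P_1's random r."""
    A, B = ec_mul(a, G), ec_mul(b, G)
    P, R, rA = sender_derive(A, B, r)
    x = receiver_scan(a, b, P, R)
    return {
        "receiver_recognised": x is not None,
        "one_time_key_matches": x is not None and ec_mul(x, G) == P,
        "supervisor_recovers": supervisor_recover(P, r, rA) == (A, B),
        "P": P,
    }

if __name__ == "__main__":
    # constructed sample keys; real keys are uniformly random scalars in [1, l-1]
    print(run(a=123456789, b=987654321, r=42424242))
```

Two runs with the same $(A, B)$ but different $r$ give unrelated one-time addresses, which is what hides the receiver from other users; the supervisor path shows that recovering $(A, B)$ needs $r$ and $rA$, so the confidentiality of the ciphertexts placed in the block for the supervisor is exactly as strong as the protection of the receiver's identity.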
The transaction address protection module adopts a coin-mixing algorithm based on a revocable-anonymity ring signature, which comprises the following steps: $(x, P) \leftarrow \mathrm{Gen}(1^k)$: Gen is a polynomial-time algorithm and $k$ is a security parameter; it outputs a key pair $(x, P)$, where $x$ is the private key and $P$ is the public key, and a key image $I$ is computed from $(x, P)$;
$\sigma \leftarrow \mathrm{Sig}(1^k, x, L, m)$: Sig is a polynomial-time algorithm, $k$ is a security parameter, $x$ is a private key, $L$ is the set of $n$ user public keys participating in the ring signature, which includes the public key corresponding to $x$, $m$ is the message to be signed, and the output is the signature $\sigma$;
$1/0 \leftarrow \mathrm{Ver}(1^k, L, m, \sigma)$: Ver is a polynomial-time algorithm, $k$ is a security parameter, $L$ is the set of $n$ user public keys participating in the ring signature, $m$ is the signed message and $\sigma$ is the signature; output 1 indicates that the verification passes, output 0 that it fails;
$1/0 \leftarrow \mathrm{Lnk}(1^k, K, \sigma)$: Lnk is a polynomial-time algorithm, $k$ is a security parameter, $K$ is the set of all key images $I$ generated in the history and $\sigma$ is a signature; output 1 indicates that the signature is linked, output 0 that it is not linked;
$1/0 \leftarrow \mathrm{Rev}(1^k, \sigma, sk)$: Rev is a polynomial-time algorithm, $k$ is a security parameter, $\sigma$ is a signature and $sk$ is the private key held by the supervisor; output 1 indicates that the signature is valid and the identity of the signer is confirmed, output 0 that the signature is invalid.
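An added example, not the patent's own construction, of the Gen/Sig/Ver/Lnk/Rev interface above: a CryptoNote-style linkable ring signature over a prime-order subgroup of $Z_p^*$, with the key image $I = H_p(P)^x$ providing linkability. The revocation mechanism is an assumption of this example: the signer escrows its own public key to the supervisor with ElGamal and the escrow is bound into the Fiat-Shamir hash, so the supervisor can open it while other verifiers learn nothing. The toy group size (a 63-bit safe prime found at start-up) and the hash choices are likewise assumptions.

```python
# Added example (not from the patent): linkable ring signature with supervisor
# revocation, following the Gen/Sig/Ver/Lnk/Rev interface.  Toy group size.
import hashlib
import secrets

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits=62):
    """Smallest safe prime p = 2q + 1 with q > 2^bits (toy size, illustration only)."""
    q = (1 << bits) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime()
G = 4   # a quadratic residue, hence a generator of the order-q subgroup

def H_int(*parts):
    """Fiat-Shamir challenge hash of integers/strings into Z_q."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def H_p(y):
    """Hash a public key into the subgroup (squaring lands in the quadratic residues)."""
    h = int.from_bytes(hashlib.sha256(b"Hp|" + str(y).encode()).digest(), "big")
    return pow(h % (P - 2) + 2, 2, P)

def Gen():
    """(x, P) <- Gen: private key x, public key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def key_image(x, y):
    """I = H_p(y)^x is identical for every signature made with the same key."""
    return pow(H_p(y), x, P)

def Sig(x, L, m, sup_pk):
    """sigma <- Sig(x, L, m): ring L must contain g^x; sup_pk is the supervisor's key."""
    n, y = len(L), pow(G, x, P)
    s = L.index(y)
    I = key_image(x, y)
    k = secrets.randbelow(Q - 1) + 1
    esc = (pow(G, k, P), y * pow(sup_pk, k, P) % P)    # ElGamal escrow of y (assumed)
    alpha = secrets.randbelow(Q - 1) + 1
    c, r, Ls, Rs = [0] * n, [0] * n, [0] * n, [0] * n
    for i in range(n):
        if i == s:
            Ls[i], Rs[i] = pow(G, alpha, P), pow(H_p(y), alpha, P)
        else:   # simulated members: random challenge and response
            c[i], r[i] = secrets.randbelow(Q), secrets.randbelow(Q)
            Ls[i] = pow(G, r[i], P) * pow(L[i], c[i], P) % P
            Rs[i] = pow(H_p(L[i]), r[i], P) * pow(I, c[i], P) % P
    c[s] = (H_int(m, I, *esc, *L, *Ls, *Rs) - sum(c)) % Q   # c[s] is still 0 here
    r[s] = (alpha - c[s] * x) % Q
    return I, esc, c, r

def Ver(L, m, sig):
    """1/0 <- Ver(L, m, sigma)."""
    I, esc, c, r = sig
    if len(c) != len(L) or len(r) != len(L):
        return 0
    Ls = [pow(G, r[i], P) * pow(L[i], c[i], P) % P for i in range(len(L))]
    Rs = [pow(H_p(L[i]), r[i], P) * pow(I, c[i], P) % P for i in range(len(L))]
    return 1 if sum(c) % Q == H_int(m, I, *esc, *L, *Ls, *Rs) else 0

def Lnk(K, sig):
    """1/0 <- Lnk(K, sigma): 1 if the key image already appears in history K."""
    return 1 if sig[0] in K else 0

def Rev(sig, sup_sk, L, m):
    """1/0 <- Rev(sigma, sk): supervisor opens the escrow; returns (1, y_s) or (0, None)."""
    if not Ver(L, m, sig):
        return 0, None
    c1, c2 = sig[1]
    y = c2 * pow(c1, Q - sup_sk, P) % P        # c2 / c1^sk, since c1 has order q
    return (1, y) if y in L else (0, None)

def demo():
    sup_sk, sup_pk = Gen()
    keys = [Gen() for _ in range(4)]
    L = [y for _, y in keys]
    x_s, y_s = keys[2]
    m = "transfer tx #1"                     # constructed sample message
    sig = Sig(x_s, L, m, sup_pk)
    K = set()
    first_linked = Lnk(K, sig)
    K.add(sig[0])
    second_linked = Lnk(K, Sig(x_s, L, "transfer tx #2", sup_pk))
    return {"valid": Ver(L, m, sig), "tampered_valid": Ver(L, m + "!", sig),
            "first_linked": first_linked, "second_linked": second_linked,
            "revealed": Rev(sig, sup_sk, L, m) == (1, y_s)}
```

The escrow binds the signer only if the signer is honest: a dishonest signer could encrypt another ring member's key, and preventing that would need a zero-knowledge proof that the escrowed key is the one whose private key produced the signature, which this example omits. Rev here additionally takes $L$ and $m$ because validity cannot be checked without them.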
In the transaction supervision module, the mintettes are first divided into a plurality of groups, and the mintettes of each group only maintain the ledger contents of the jurisdiction area of that group; when a user initiates a transaction, the system delivers it to the corresponding mintettes for processing according to the corresponding rules; the end users and the central bank do not exchange information directly, and the transaction records are instead summarised through this middle layer of mintettes; the central bank plays a vital role in the system and has the sole supervision and audit authority over the global ledger when transaction disputes or illegal transactions occur; for a transaction within the jurisdiction of a mintette, if the transaction flow follows the previously designed transfer payment transaction scheme, verification and confirmation of the user's transfer payment transaction are completed by other users in the system, and the mintette does not independently verify and record the transaction but acts as bottom-layer supervision, sending its low-level ledger to the central bank within a specific time period; transactions in different mintette areas do not interfere with each other, each mintette can only decrypt the transaction data in its own jurisdiction area, and the central bank has the highest supervision right and can decrypt any transaction data.
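A minimal model of the mintette layer, added here as an example and not taken from the patent: the central bank keeps the authorised-mintette list, each mintette records only transactions in its own jurisdiction into a low-level ledger, and at the end of a period it submits that ledger with an authentication tag which the central bank verifies before merging it into the global ledger. Routing by a jurisdiction label on the transaction, and HMAC with a bank-issued key instead of the per-mintette public keys the text implies, are assumptions of this example.

```python
# Added example (not from the patent): mintettes, authorised list, low-level
# ledgers and verified periodic submission to the central bank's global ledger.
import hashlib
import hmac
import json
import secrets

class CentralBank:
    def __init__(self):
        self.authorised = {}       # mintette id -> key issued by the bank
        self.global_ledger = []

    def authorise(self, mid):
        """Put a mintette on the authorised list and hand it its key."""
        key = secrets.token_bytes(32)
        self.authorised[mid] = key
        return key

    def accept_ledger(self, mid, payload, tag):
        """Merge a low-level ledger only if it comes, unmodified, from an
        authorised mintette."""
        key = self.authorised.get(mid)
        if key is None:
            return False           # sender is not on the authorised list
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False           # payload altered after it was tagged
        self.global_ledger.extend(json.loads(payload))
        return True

class Mintette:
    def __init__(self, mid, jurisdiction, key):
        self.mid, self.jurisdiction, self.key = mid, jurisdiction, key
        self.low_ledger = []

    def record(self, tx):
        if tx["jurisdiction"] != self.jurisdiction:
            raise ValueError("transaction outside this mintette's jurisdiction")
        self.low_ledger.append(tx)

    def submit(self):
        """End of period: tag the low-level ledger and start a fresh one."""
        payload = json.dumps(self.low_ledger, sort_keys=True).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        self.low_ledger = []
        return self.mid, payload, tag

def route(tx, mintettes):
    """Routing rule assumed here: the transaction's jurisdiction label selects the mintette."""
    for m in mintettes:
        if m.jurisdiction == tx["jurisdiction"]:
            return m
    raise LookupError("no mintette for jurisdiction " + tx["jurisdiction"])

def demo():
    bank = CentralBank()
    east = Mintette("m-east", "east", bank.authorise("m-east"))
    west = Mintette("m-west", "west", bank.authorise("m-west"))
    rogue = Mintette("m-rogue", "east", secrets.token_bytes(32))   # never authorised
    # constructed sample transactions; amounts stay ciphertext as in the scheme
    txs = [{"id": "tx1", "jurisdiction": "east", "amount_ct": "<ciphertext>"},
           {"id": "tx2", "jurisdiction": "west", "amount_ct": "<ciphertext>"},
           {"id": "tx3", "jurisdiction": "east", "amount_ct": "<ciphertext>"}]
    for tx in txs:
        route(tx, [east, west]).record(tx)
    east_ok = bank.accept_ledger(*east.submit())
    west_ok = bank.accept_ledger(*west.submit())
    rogue.record({"id": "txR", "jurisdiction": "east", "amount_ct": "<ciphertext>"})
    rogue_ok = bank.accept_ledger(*rogue.submit())
    east.record({"id": "tx4", "jurisdiction": "east", "amount_ct": "<ciphertext>"})
    mid, payload, tag = east.submit()
    tampered_ok = bank.accept_ledger(mid, payload.replace(b"tx4", b"tx9"), tag)
    return {"east_ok": east_ok, "west_ok": west_ok, "rogue_ok": rogue_ok,
            "tampered_ok": tampered_ok,
            "global_ids": sorted(t["id"] for t in bank.global_ledger)}

if __name__ == "__main__":
    print(demo())
```

The model shows the two checks the central bank must make on every submission: that the submitting mintette is on the current authorised list, and that the ledger was not modified between tagging and receipt. Jurisdiction scoping is enforced at the mintette, which refuses to record transactions from another area.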
The invention also discloses a private and secure transfer payment device based on the supervisor block chain, which comprises a memory, a processor, and a computer program stored on the memory, the computer program being configured to perform, when invoked by the processor, the steps of the private and secure transfer payment method of the present invention.
The invention also discloses a computer-readable storage medium storing a computer program configured to perform, when invoked by a processor, the steps of the private and secure transfer payment method of the invention.
The invention has the following beneficial effects: it solves the problem that the traditional transfer payment scheme depends excessively on a third-party institution; it defines the privacy information to be protected in a transaction and designs a corresponding privacy protection scheme for the transaction amount in the transaction block, the balances of both transaction parties, the address information of the transaction initiator and the address information of the transaction receiver; and it establishes a block chain user supervision system so that a supervisor retains the ability to investigate both the buying and selling parties on the block chain.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments, and the invention is not to be taken as limited to these specific details. Those skilled in the art to which the invention pertains can make several simple deductions or substitutions without departing from the spirit of the invention, and all such shall be considered as falling within the protection scope of the invention.