CN119809826A - A privacy transaction method and device - Google Patents
- Publication number: CN119809826A (application number CN202510003709.5A)
- Authority: CN (China)
- Prior art keywords: transaction, private, address, privacy, record
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The embodiment of the application provides a privacy transaction method and a privacy transaction device, applied in the technical field of blockchain applications, comprising the steps of: obtaining a transaction record and a transaction proof sent by a transaction initiator, wherein the transaction record is determined by the transaction initiator based on a private transaction and comprises transaction amount information, first proof information pointing to the transaction initiator and second proof information pointing to a transaction receiver; with the address of at least one of the transaction initiator and the transaction receiver participating in the transaction being a privacy address, performing zero-knowledge proof verification on the transaction proof by invoking a privacy transaction contract; and, after the verification passes, storing the transaction record in the transaction record set of the blockchain and updating the total account amount of the privacy transaction contract. The application uses zero-knowledge proof technology to selectively hide all private transaction information, ensures that sensitive transaction details are not revealed, and effectively protects user privacy while guaranteeing the validity of the private transaction.
Description
Technical Field
The embodiment of the invention relates to the technical field of blockchain application, in particular to a privacy transaction method and device.
Background
Early blockchain ledgers made all transaction information completely public and transparent. While this design guarantees the verifiability of the system, it raises serious privacy concerns: anyone can track transaction histories and view account balances, which is unacceptable to many users and businesses. As demand for privacy has grown, a number of blockchain projects focused on privacy protection have emerged. Two of the best known are:
Monero, which uses ring signatures and stealth (hidden) address techniques to hide the identities of the transaction participants and the transaction amount.
Zcash, which adopts zero-knowledge proof technology (zk-SNARKs) to allow a user to initiate a transaction whose details cannot be seen by others, thereby protecting transaction privacy.
These early privacy coin projects are all based on the UTXO model (Unspent Transaction Output model), which has some obvious disadvantages: complex smart contracts are difficult to implement, complex state transitions are hard to express, and scalability is limited, since the UTXO set expands rapidly as the number of transactions grows, degrading system performance. These disadvantages have prompted researchers to turn to privacy transaction schemes based on the account model, which makes complex smart contracts easier to implement and matches people's intuitive understanding of an account more closely.
However, existing account-model privacy schemes still have problems. They typically preserve privacy only partially, for example hiding the transaction amount but not completely hiding the sender and receiver addresses; some schemes preserve privacy within a single transaction but may leak information under long-term analysis. Such incomplete privacy protection can still cause serious problems in financial and business applications. There is therefore a need for a solution that simultaneously hides the identities (addresses) of the transaction participants and the transaction amount, and that keeps account balances private across smart contract operations.
Disclosure of Invention
The embodiment of the application provides a privacy transaction method and a privacy transaction device, used to ensure that private transaction information is not leaked while the proof information can be verified by everyone during the private transaction process.
In a first aspect, an embodiment of the present application provides a method for private transaction, including:
obtaining a transaction record and a transaction proof sent by a transaction initiator, wherein the transaction record is determined by the transaction initiator based on a private transaction and comprises transaction amount information, first proof information pointing to the transaction initiator and second proof information pointing to a transaction receiver;
with the address of at least one of the transaction initiator and the transaction receiver participating in the transaction being a privacy address, performing zero-knowledge proof verification on the transaction proof by invoking a privacy transaction contract; and if the verification passes, storing the transaction record in a transaction record set of a blockchain and updating the total account amount of the privacy transaction contract.
The application uses zero-knowledge proof technology to selectively hide all transaction information, ensures that sensitive transaction details are not revealed, effectively protects user privacy, guarantees the validity of transactions, and maintains the integrity and credibility of the system. Interaction between the private monetary pool and the transparent monetary pool is allowed through the smart contract, so that private funds and transparent funds can be converted seamlessly; this gives users more choice, lets the transaction mode be switched flexibly according to the scenario, and enhances the compatibility and practicality of the blockchain transaction system.
Optionally, the address of the transaction initiator participating in the transaction is a transparent address, the address of the transaction receiver participating in the transaction is a private address,
The transaction amount information is transaction amount;
the first proof information is the transparent address of the transaction initiator;
the second proof information is generated by encrypting the private transaction with a key derived by the transaction initiator from the private address of the transaction receiver, the private transaction comprising the transaction amount and a derived address, the derived address being derived by the transaction initiator from the private address of the transaction receiver.
Optionally, before performing zero-knowledge proof verification on the transaction proof by invoking the privacy transaction contract, the method further comprises:
Acquiring a transaction signature aiming at the transaction record and sent by the transaction initiator;
Determining the legitimacy of the transaction signature by invoking a transparent transaction contract;
the updating the total account amount of the private transaction contract includes:
and reducing the account amount indicated by the transparent address of the transaction initiator by the transaction amount by calling the transparent transaction contract, and increasing the total account amount of the privacy transaction contract by the transaction amount.
Optionally, the private transaction further includes a random seed, and the transaction record further includes a commitment of the private transaction, the commitment of the private transaction being generated by the random seed and the private transaction;
the saving the transaction record into a transaction record set of a blockchain includes:
saving the commitment of the private transaction contained in the transaction record to a commitment Merkle tree in the transaction record set of the blockchain.
Optionally, the private transaction further comprises a random identifier for identifying the private transaction;
the transaction receiver is configured to, after acquiring the transaction record from the transaction record set, decrypt the second proof information in the transaction record and, once the random identifier in the decryption result is determined to be legitimate, locally increase the account amount indicated by the privacy address of the transaction receiver by the transaction amount.
Optionally, the transaction proof is a zero-knowledge proof generated based on the transaction record, comprising:
the transaction proof is generated from the public parameters of the zero-knowledge proof, the commitment of the latest private transaction in the commitment Merkle tree at the time the private transaction is initiated, and the transaction record.
Optionally, the address of the transaction initiator participating in the transaction is a private address, the address of the transaction receiver participating in the transaction is a transparent address,
The transaction amount information is transaction amount;
The first proving information is generated by the transaction initiator according to at least one historical privacy transaction, wherein the sum of the amounts in the historical privacy transaction is not less than the transaction amount;
the second proof information is the transparent address of the transaction receiver;
The transaction record and the transaction proof are sent by the transaction initiator via a temporary address, the temporary address being generated based on a private key of the transaction initiator.
Optionally, the historical privacy transaction further comprises a derived address, a random seed, and a random identifier for identifying the historical privacy transaction;
the first attestation information is generated by the transaction initiator from at least one historical privacy transaction, including:
generating a commitment for each historical private transaction based on the random seed for each historical private transaction;
generating a use identifier for each historical private transaction based on the random identifier of each historical private transaction and the commitment of each historical private transaction, the use identifier characterising whether the historical private transaction has already been used;
the first attestation information is a use identifier of the at least one historical private transaction.
Optionally, the saving the transaction record to the transaction record set of the blockchain includes:
the usage identifier of the at least one historical privacy transaction is placed into a set of used identifiers in the set of transaction records on a chain.
Optionally, the updating the total account amount of the private transaction contract includes:
the total account amount of the private transaction contract is reduced by the transaction amount.
Optionally, the transaction receiver is configured to, after acquiring the transaction record from the transaction record set, determine that the transparent address exists in the transaction record and locally reduce the account amount indicated by the transparent address of the transaction receiver by the transaction amount.
Optionally, the address where the transaction initiator participates in the transaction is a private address, the address where the transaction receiver participates in the transaction is a private address,
The transaction amount information is obtained by encrypting the transaction amount by the transaction initiator;
The first proving information is generated by the transaction initiator according to at least one historical privacy transaction, wherein the sum of the amounts in the historical privacy transaction is not less than the transaction amount;
the second proof information is generated by encrypting the private transaction with a key derived by the transaction initiator from the private address of the transaction receiver, the private transaction comprising the transaction amount and a derived address, the derived address being derived by the transaction initiator from the private address of the transaction receiver.
Optionally, the historical private transaction further comprises a derived address, a random seed, and a random identifier for identifying the private transaction;
the first attestation information is generated by the transaction initiator from at least one historical privacy transaction, including:
generating a commitment for each historical private transaction based on the random seed for each historical private transaction;
generating a use identifier for each historical private transaction based on the random identifier of each historical private transaction and the commitment of each historical private transaction, the use identifier characterising whether the historical private transaction has already been used;
the first attestation information is a use identifier of the at least one historical private transaction.
Optionally, the private transaction further includes a random seed, and the transaction record further includes a commitment of the private transaction, the commitment of the private transaction being generated by the random seed and the private transaction;
the saving the transaction record into a transaction record set of a blockchain includes:
saving the commitment of the private transaction contained in the transaction record to a commitment Merkle tree in the transaction record set of the blockchain;
the usage identifier of the at least one historical privacy transaction is placed into a set of used identifiers in the set of transaction records on a chain.
Optionally, the private transaction further comprises a random identifier for identifying the private transaction;
the transaction receiver is configured to, after acquiring the transaction record from the transaction record set, decrypt the second proof information in the transaction record and, once the random identifier in the decryption result is determined to be legitimate, locally increase the account amount indicated by the privacy address of the transaction receiver by the transaction amount.
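Ledger-side bookkeeping for the commitment Merkle tree, use identifiers and set of used identifiers described in the clauses above, covering the transparent-to-private and private-to-transparent cases, as an added example in Python that is not code from the patent. The zero-knowledge proof is not implemented: the checks the proof would attest (commitment membership in the tree, use-identifier derivation, no prior use, sufficient historical amount) are performed in the clear so that the rejection of an already-used historical transaction can be exercised; SHA-256 for commitments and use identifiers, the tree depth, the accepted-root rule and all class and method names are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()  # hash choice is an assumption

@dataclass(frozen=True)
class PrivateTx:
    """A private transaction: amount, derived address, random seed, random identifier."""
    amount: int
    derived_address: bytes
    random_seed: bytes
    random_identifier: bytes

    def commitment(self) -> bytes:
        # Commitment generated from the random seed and the private transaction.
        return h(b"cm", self.random_seed, self.amount.to_bytes(8, "big"),
                 self.derived_address, self.random_identifier)

    def use_identifier(self) -> bytes:
        # From the random identifier and the commitment; once in the on-chain used set, spent.
        return h(b"use", self.random_identifier, self.commitment())

class CommitmentTree:
    """Fixed-depth Merkle tree of commitments (depth 4 is an assumption)."""
    def __init__(self, depth: int = 4):
        self.depth, self.leaves, self.empty = depth, [], h(b"empty")

    def _levels(self) -> list:
        level = self.leaves + [self.empty] * (2 ** self.depth - len(self.leaves))
        levels = [level]
        for _ in range(self.depth):
            level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            levels.append(level)
        return levels

    def append(self, cm: bytes) -> int:
        self.leaves.append(cm)
        return len(self.leaves) - 1

    def root(self) -> bytes:
        return self._levels()[-1][0]

    def path(self, index: int) -> list:
        levels, siblings = self._levels(), []
        for lvl in range(self.depth):
            siblings.append(levels[lvl][index ^ 1])
            index >>= 1
        return siblings

def verify_path(leaf: bytes, index: int, siblings: list, root: bytes) -> bool:
    node = leaf
    for sib in siblings:
        node = h(sib, node) if index & 1 else h(node, sib)
        index >>= 1
    return node == root

@dataclass
class PrivateTransactionContract:
    tree: CommitmentTree = field(default_factory=CommitmentTree)
    used_identifiers: set = field(default_factory=set)
    total_amount: int = 0

    def shield(self, tx: PrivateTx) -> int:
        # Transparent -> private; the transparent contract is assumed to have debited the initiator.
        index = self.tree.append(tx.commitment())
        self.total_amount += tx.amount
        return index

    def unshield(self, amount: int, use_ids: tuple, anchor_root: bytes, witness) -> tuple:
        # Private -> transparent. The record carries the amount, the use identifiers (first proof
        # information) and the tree root at initiation; `witness` is the initiator's secret input
        # [(historical PrivateTx, leaf index, Merkle path), ...], checked here in the clear.
        if anchor_root != self.tree.root():  # assumption: only the current root is accepted
            return False, "stale commitment tree root"
        if len(witness) != len(use_ids) or len(set(use_ids)) != len(use_ids):
            return False, "use identifier list malformed"
        for (tx, index, path), use_id in zip(witness, use_ids):
            if not verify_path(tx.commitment(), index, path, anchor_root):
                return False, "commitment not in tree"
            if tx.use_identifier() != use_id:
                return False, "use identifier does not match historical transaction"
            if use_id in self.used_identifiers:
                return False, "historical transaction already used"
        if sum(tx.amount for tx, _, _ in witness) < amount:
            return False, "historical amounts below transaction amount"
        # Passed: record the use identifiers and reduce the pool total (no remainder handling).
        self.used_identifiers.update(use_ids)
        self.total_amount -= amount
        return True, "ok"

def demo() -> tuple:
    # Shield 30 and 50, unshield 70 once (accepted), then replay the same record (rejected).
    c = PrivateTransactionContract()
    tx1 = PrivateTx(30, b"derived-a", b"seed-1", b"rid-1")  # constructed sample data
    tx2 = PrivateTx(50, b"derived-a", b"seed-2", b"rid-2")
    i1, i2 = c.shield(tx1), c.shield(tx2)
    witness = [(tx1, i1, c.tree.path(i1)), (tx2, i2, c.tree.path(i2))]
    use_ids = (tx1.use_identifier(), tx2.use_identifier())
    first, _ = c.unshield(70, use_ids, c.tree.root(), witness)
    replay, _ = c.unshield(70, use_ids, c.tree.root(), witness)
    return first, replay, c.total_amount
```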
In a second aspect, an embodiment of the present application provides a private transaction apparatus, including:
The device comprises an acquisition module, a transaction record generation module and a transaction verification module, wherein the acquisition module is configured to acquire a transaction record and a transaction proof sent by a transaction initiator, the transaction record being determined by the transaction initiator based on a private transaction and comprising transaction amount information, first proof information pointing to the transaction initiator and second proof information pointing to a transaction receiver;
and a processing module, configured to perform zero-knowledge proof verification on the transaction proof by invoking a privacy transaction contract and, if the verification passes, save the transaction record in a transaction record set of a blockchain and update the total account amount of the privacy transaction contract.
The beneficial effects are that:
optionally, the acquiring module is specifically configured to:
The address of the transaction initiator participating in the transaction is a transparent address, the address of the transaction receiver participating in the transaction is a privacy address,
The transaction amount information is transaction amount;
the first proof information is the transparent address of the transaction initiator;
the second proof information is generated by encrypting the private transaction with a key derived by the transaction initiator from the private address of the transaction receiver, the private transaction comprising the transaction amount and a derived address, the derived address being derived by the transaction initiator from the private address of the transaction receiver.
Optionally, the acquiring module is specifically configured to:
Acquiring a transaction signature aiming at the transaction record and sent by the transaction initiator;
Determining the legitimacy of the transaction signature by invoking a transparent transaction contract;
the updating the total account amount of the private transaction contract includes:
and reducing the account amount indicated by the transparent address of the transaction initiator by the transaction amount by calling the transparent transaction contract, and increasing the total account amount of the privacy transaction contract by the transaction amount.
Optionally, the acquiring module is specifically configured to:
the private transaction further comprises a random seed, and the transaction record further comprises a commitment of the private transaction, the commitment being generated from the random seed and the private transaction;
the saving the transaction record into a transaction record set of a blockchain includes:
saving the commitment of the private transaction contained in the transaction record to a commitment Merkle tree in the transaction record set of the blockchain.
Optionally, the acquiring module is specifically configured to:
The private transaction further includes a random identifier for identifying the private transaction;
the transaction receiver is configured to, after acquiring the transaction record from the transaction record set, decrypt the second proof information in the transaction record and, once the random identifier in the decryption result is determined to be legitimate, locally increase the account amount indicated by the privacy address of the transaction receiver by the transaction amount.
Optionally, the processing module is configured to:
The transaction proof is a zero-knowledge proof generated based on the transaction record, comprising:
the transaction proof is generated from the public parameters of the zero-knowledge proof, the commitment of the latest private transaction in the commitment Merkle tree at the time the private transaction is initiated, and the transaction record.
Optionally, the acquiring module is configured to:
The address of the transaction initiator participating in the transaction is a privacy address, the address of the transaction receiver participating in the transaction is a transparent address,
The transaction amount information is transaction amount;
The first proving information is generated by the transaction initiator according to at least one historical privacy transaction, wherein the sum of the amounts in the historical privacy transaction is not less than the transaction amount;
the second proof information is the transparent address of the transaction receiver;
The transaction record and the transaction proof are sent by the transaction initiator via a temporary address, the temporary address being generated based on a private key of the transaction initiator.
Optionally, the processing module is configured to:
The historical privacy transaction further includes a derived address, a random seed, and a random identifier for identifying the historical privacy transaction;
the first attestation information is generated by the transaction initiator from at least one historical privacy transaction, including:
generating a commitment for each historical private transaction based on the random seed for each historical private transaction;
generating a use identifier for each historical private transaction based on the random identifier of each historical private transaction and the commitment of each historical private transaction, the use identifier characterising whether the historical private transaction has already been used;
the first attestation information is a use identifier of the at least one historical private transaction.
Optionally, the processing module is configured to:
the usage identifier of the at least one historical privacy transaction is placed into a set of used identifiers in the set of transaction records on a chain.
Optionally, the processing module is configured to:
the total account amount of the private transaction contract is reduced by the transaction amount.
Optionally, the processing module is configured to:
the transaction receiver is configured to, after acquiring the transaction record from the transaction record set, determine that the transparent address exists in the transaction record and locally reduce the account amount indicated by the transparent address of the transaction receiver by the transaction amount.
Optionally, the acquiring module is configured to:
the address of the transaction initiator participating in the transaction is a privacy address, the address of the transaction receiver participating in the transaction is a privacy address,
The transaction amount information is obtained by encrypting the transaction amount by the transaction initiator;
The first proving information is generated by the transaction initiator according to at least one historical privacy transaction, wherein the sum of the amounts in the historical privacy transaction is not less than the transaction amount;
the second proof information is generated by encrypting the private transaction with a key derived by the transaction initiator from the private address of the transaction receiver, the private transaction comprising the transaction amount and a derived address, the derived address being derived by the transaction initiator from the private address of the transaction receiver.
Optionally, the acquiring module is configured to:
the historical privacy transaction further includes a derived address, a random seed, and a random identifier for identifying the privacy transaction;
the first attestation information is generated by the transaction initiator from at least one historical privacy transaction, including:
generating a commitment for each historical private transaction based on the random seed for each historical private transaction;
generating a use identifier for each historical private transaction based on the random identifier of each historical private transaction and the commitment of each historical private transaction, the use identifier characterising whether the historical private transaction has already been used;
the first attestation information is a use identifier of the at least one historical private transaction.
Optionally, the acquiring module is configured to:
the private transaction further comprises a random seed, and the transaction record further comprises a commitment of the private transaction, the commitment being generated from the random seed and the private transaction;
the saving the transaction record into a transaction record set of a blockchain includes:
saving the commitment of the private transaction contained in the transaction record to a commitment Merkle tree in the transaction record set of the blockchain;
the usage identifier of the at least one historical privacy transaction is placed into a set of used identifiers in the set of transaction records on a chain.
Optionally, the acquiring module is configured to:
The private transaction further includes a random identifier for identifying the private transaction;
the transaction receiver is configured to, after acquiring the transaction record from the transaction record set, decrypt the second proof information in the transaction record and, once the random identifier in the decryption result is determined to be legitimate, locally increase the account amount indicated by the privacy address of the transaction receiver by the transaction amount.
In a third aspect, an embodiment of the present application provides a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor performing the privacy transaction method described in any of the first aspects above.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program executable by a computer device, the program, when run on the computer device, causing the computer device to perform the privacy transaction method described in any of the first aspects above.
In a fifth aspect, embodiments of the present application provide a computer program product comprising computer programs/instructions which, when executed by a processor, implement the privacy transaction method described in any of the first aspects above.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic structural diagram of a privacy transaction system according to an embodiment of the present application;
Fig. 2 is a flow chart of a privacy transaction method according to an embodiment of the present application;
Fig. 3 is a flow chart of a privacy transaction method according to an embodiment of the present application;
Fig. 4 is a flow chart of a privacy transaction method according to an embodiment of the present application;
Fig. 5 is a flow chart of a privacy transaction method according to an embodiment of the present application;
Fig. 6 is a schematic diagram of a privacy transaction device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantageous effects of the present invention more apparent, the present invention will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The terms appearing in the present application are explained below:
Zero-knowledge proof technology is a cryptographic method that allows one party (the prover) to convince another party (the verifier) that a certain statement is true without revealing any information about the statement beyond the fact that it is true. It lets the prover show that it knows a secret satisfying certain conditions without disclosing the contents of that secret to the verifier. Its significance is that application scenarios such as identity authentication and asset certification can be realised while privacy is protected, which makes it particularly suitable for decentralised systems such as blockchains. An effective zero-knowledge proof system must satisfy three properties: completeness, soundness and zero-knowledge. Such a proof system allows the verifier to trust the truth of a statement without the prover revealing any secret information.
A zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK) is a particular implementation of zero-knowledge proof technology, characterised by being "succinct" and "non-interactive". "Succinct" means that the size of the proof generated by the prover is sub-linear and that verification time is likewise small, independent of the length of the statement being proved. "Non-interactive" means that the prover need only generate a proof once and send it to the verifier to complete the protocol, without multiple rounds of interaction between the two. Assume a zk-SNARK proof system is given: the public parameters pp are obtained through an initial trusted setup, pp = Setup(1^λ); the prover generates a proof π = Prove(pp, s, w) from the public parameters pp, the public input s and the secret information (witness) w; the verifier checks it using pp, s and π, obtaining v = Verify(pp, s, π), where v = 1 or v = 0 indicates that verification passed or failed respectively.
An account model is a blockchain ledger structure that represents the state of the ledger as a set of accounts and their corresponding states. Each account has a unique address and associated state information, including its balance, smart contract code and so on. Such a model lets the system operate directly on accounts, for example transfers and execution of smart contracts, which result in changes to account state. This architecture lets the blockchain work like a traditional bank account system, without relying on transaction information to express state changes, while retaining decentralisation, transparency and tamper resistance. The model simplifies the implementation of complex transactions on blockchains and suits application scenarios that require frequent state updates, such as decentralised finance (DeFi) and smart contract platforms.
Existing account-model privacy schemes still have problems. Privacy is typically protected only partially, for example the transaction amount is hidden but the sender and receiver addresses are not completely hidden; some schemes protect privacy within a single transaction but may leak information under long-term analysis. Such incomplete privacy protection can still cause serious problems in financial and business applications. There is therefore a need for a solution that simultaneously hides the identities (addresses) of the transaction participants and the transaction amount, and that keeps account balances private across smart contract operations.
As shown in Fig. 1, the private transaction system provided by the present application comprises a transaction initiator 101, a transaction receiver 102 and a blockchain 103, where the blockchain 103 includes a plurality of blockchain nodes 104 and a private transaction contract and a transparent account smart contract are deployed on the blockchain. A smart contract is like an automatically executed agreement that defines the rules and conditions of a transaction; for example, a simple commodity purchase contract specifies terms such as the commodity price, delivery method and payment method. The private transaction contract stores the total amount of the private accounts of all transaction initiators 101 and transaction receivers 102 related to it, and the transparent account smart contract stores the transparent address of each transaction initiator 101 and transaction receiver 102 together with the publicly visible transparent account amount corresponding to each address. The transaction initiator 101 and the transaction receiver 102 process a transaction automatically by invoking pre-written code in the private transaction contract and/or the transparent account smart contract through a blockchain node 104.
The application addresses transactions between a transaction initiator and a transaction receiver and mainly involves four situations: (1) the address with which the transaction initiator participates in the transaction is a transparent address and the address with which the transaction receiver participates is a transparent address; (2) the initiator's address is a transparent address and the receiver's is a privacy address; (3) the initiator's address is a privacy address and the receiver's is a transparent address; (4) the initiator's address is a privacy address and the receiver's is a privacy address. A transaction from a transparent address to a transparent address is completed directly by the transparent account smart contract; the other three cases involve a privacy address, and these three private transaction processes are described in detail below.
As shown in fig. 2, the method for privacy transaction provided by the application is applicable to a blockchain node, and specifically comprises the following steps:
Step S201, a transaction record and a transaction proof sent by a transaction initiator are obtained, wherein the transaction record is determined by the transaction initiator based on private transaction, and comprises transaction amount information, first proof information pointing to the transaction initiator and second proof information pointing to a transaction receiver;
Specifically, the transaction initiator initiates a transaction request and locally generates a transaction record. The transaction record includes first proof information and second proof information: the first proof information indicates that the transaction is initiated by the transaction initiator, and the second proof information indicates that the transaction is received by the transaction receiver. The transaction initiator sends the transaction request to a node in the blockchain network. Because the node must verify whether the request conforms to the rules of the blockchain network, the transaction initiator also generates a zero-knowledge proof from the transaction record; this transaction proof allows the node to verify the validity of the private transaction.
And step S202, carrying out zero-knowledge proof verification on the transaction evidence by calling the privacy transaction contract, and if the verification is passed, storing the transaction record into a transaction record set of the blockchain and updating the total account amount of the privacy transaction contract.
The node on the blockchain network verifies the validity of the transaction proof by calling the privacy transaction contract, specifically by zero-knowledge proof verification. When the verification passes, that is, the transaction is proved to be legal, the transaction record is stored in the transaction record set of the blockchain, and the total account amount in the privacy transaction contract is updated according to the transaction amount information in the transaction record.
The application uses zero-knowledge proof technology to selectively hide all transaction information, ensures that sensitive transaction details are not revealed, effectively protects the privacy of users, guarantees the validity of transactions, and maintains the integrity and credibility of the system. Interaction between the private funds pool and the transparent funds pool is allowed through the smart contracts, so private funds and transparent funds can be converted seamlessly; users are given more choice and can switch transaction modes flexibly according to the scenario, which enhances the compatibility and practicability of the blockchain transaction system.
The first scenario is described below, where the address where the transaction initiator participates in the transaction is a transparent address and the address where the transaction receiver participates in the transaction is a private address.
In this case the transaction amount information is the transaction amount; the first proof information is the transparent address of the transaction initiator; and the second proof information is generated by encrypting the private transaction with a secret key that the transaction initiator derives from the privacy address of the transaction receiver. The private transaction comprises the transaction amount and a derived address, which the transaction initiator derives from the privacy address of the transaction receiver: every private transaction derives a one-time address for that transaction from the receiver's address, so as to enhance privacy.
Before the zero-knowledge proof verification of the transaction proof is carried out by calling the privacy transaction contract, the method further comprises obtaining a transaction signature over the transaction record sent by the transaction initiator and determining the validity of the transaction signature by calling the transparent transaction contract. Updating the total account amount of the privacy transaction contract comprises reducing the account amount indicated by the transparent address of the transaction initiator by the transaction amount, by calling the transparent transaction contract, and increasing the total account amount of the privacy transaction contract by the transaction amount.
The private transaction further comprises a random seed, and the transaction record further comprises a commitment to the private transaction, generated from the random seed and the private transaction. Storing the transaction record in the transaction record set of the blockchain comprises storing the commitment in the transaction record of the private transaction into a commitment Merkle tree in the transaction record set of the blockchain.
The private transaction further comprises a random identifier identifying the private transaction. After acquiring the transaction record from the transaction record set, the transaction receiver decrypts the second proof information in the transaction record and, on determining that the random identifier in the decryption result is legal, locally increases the account amount indicated by its privacy address by the transaction amount.
The transaction proof is a zero-knowledge proof generated based on the transaction record; it is generated from the public parameters of the zero-knowledge proof, the commitments in the commitment Merkle tree as of the time the private transaction is initiated, and the transaction record.
For example, Alice, as the transaction initiator, uses a transparent address to transfer 100 yuan to Bob's private address. As shown in the flow chart of the private transaction method in fig. 3, the transaction process involves a transparent contract and a private transaction contract, illustrated here by the transparent contract Erc and the private transaction contract 0xHiddenTransfer. Note that the address of the transparent account smart contract Erc on the blockchain is 0xErc; the contract stores the address of each user, including Alice and Bob, with the corresponding public transparent account amount, and stores 0xHiddenTransfer with the corresponding total private account amount. The blockchain node maintains a commitment Merkle tree CMT on the blockchain and a set of used identifiers UID.
The transaction process specifically comprises the following steps:
First stage: Alice uses the private key sk_a corresponding to the transparent address 0xAlice to generate a zero-knowledge-proof transfer request;
Step 301, Alice obtains Bob's private address zBob offline in some way and derives from it the Bob address bound to this transaction, denoted (d_b, pk_d_b); each private transaction derives a one-time address for that transaction from the receiver's address, so as to enhance privacy.
Step 302, Alice generates a private transaction to be sent to Bob based on the transfer amount 100 and Bob's derived address, denoted ptx_b = (d_b, pk_d_b, m, p, ψ, rcm), where m represents the amount 100, p and ψ are random identifiers of the transaction, by which Bob can later demonstrate the uniqueness of the transaction when he uses ptx_b, and rcm is the random seed used to generate the commitment to the transaction.
Step 303, Alice calculates a commitment cm_b to ptx_b with a commitment algorithm (PTXCommit) based on the random seed rcm, written cm_b = PTXCommit(ptx_b); calculates a secret key symKey_b from Bob's private address zBob and randomly generated auxiliary information enc_info; and symmetrically encrypts ptx_b with that key to obtain the ciphertext enc(ptx_b);
Step 304, Alice generates a transaction record from her own transparent address 0xAlice and the above information, record = (amount 100, 0xAlice, cm_b, enc(ptx_b), enc_info), and generates a proof pi = Prove(pp, s, record) of the record with the zk-SNARK algorithm halo2, where the input pp is a public parameter fixed by the algorithm and s is public information on the chain, for example the commitment Merkle tree CMT of the preceding private transactions. The zero-knowledge proof pi proves the validity of the private transaction, where validity means that the transaction record conforms to the prescribed format, the account address is legal and the amount is valid.
Step 305, Alice generates an authorization signature over the transaction record with the private key sk_a, denoted SpendAuthSig, and packages and sends the transaction record, the zero-knowledge proof pi and the signature SpendAuthSig to the Erc contract;
Second stage: interaction between the Erc contract and the private transaction contract
Step 306, after the Erc contract receives the packaged transaction, it first verifies the signature SpendAuthSig to confirm that the transaction was initiated by Alice, and once that verification passes it calls the privacy contract at address 0xHiddenTransfer to verify pi;
Step 307, the privacy contract 0xHiddenTransfer verifies the validity of the transaction record, v = Verify(pp, s, pi), with the zk-SNARK verification algorithm and returns the result v to the Erc contract; if v = 1, verification has passed, the blockchain node puts the commitment cm_b into the commitment tree CMT on the chain and records the transaction;
Step 308, the Erc contract receives the verification result v; if verification succeeded, it reduces the account balance of the address 0xAlice by 100 and increases the total account balance of the 0xHiddenTransfer contract by 100;
Third stage: Bob obtains the transaction information
Step 309, Bob finds the public transaction record on the contract 0xHiddenTransfer but cannot directly tell that he is the receiver of that record. Bob generates the key symKey_b from his own private address zBob and the decryption information enc_info in the transaction record, tries to decrypt enc(ptx_b) to obtain the transaction information ptx_b, then saves the transaction information locally and increases his own private balance by 100. In this step virtually every node attempts to decrypt the ciphertext enc(ptx_b), but only Bob decrypts it successfully.
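The first scenario (Fig. 3) as an added, runnable model in Python; this is not the patent's own code. halo2 Prove/Verify, the address derivation and SpendAuthSig are replaced by hash and HMAC stand-ins that re-check what the real proof would attest to, and the names Chain, alice_deposit and scan_for_received are assumed.

```python
import hashlib
import hmac
import json
import os

def H(*parts: bytes) -> bytes:
    """Domain-separated SHA-256 used for every hash-based stand-in below."""
    return hashlib.sha256(b"|".join(parts)).digest()

def canon(obj) -> bytes:
    """Canonical JSON so commitments, proofs and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True).encode()

def ptx_commit(ptx: dict) -> str:
    """PTXCommit stand-in: hash of the private transaction, which carries rcm."""
    return H(b"PTXCommit", canon(ptx)).hex()

def derive_address(z_recv: str, tx_rand: bytes) -> tuple:
    """Step 301 stand-in: one-time (d_b, pk_d_b) bound to this transfer."""
    return (H(b"d", z_recv.encode(), tx_rand).hex()[:16],
            H(b"pk_d", z_recv.encode(), tx_rand).hex()[:16])

def sym_key(z_recv: str, enc_info: bytes) -> bytes:
    """symKey_b: recomputable only by whoever holds the private address zBob."""
    return H(b"symKey", z_recv.encode(), enc_info)

def keystream(key: bytes, length: int) -> bytes:
    return b"".join(H(key, i.to_bytes(4, "big")) for i in range(length // 32 + 1))

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Hash-keystream XOR plus HMAC tag: an AEAD stand-in, not production crypto."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    return hmac.new(key, ct, "sha256").digest() + ct

def sym_decrypt(key: bytes, blob: bytes):
    """Returns the ptx dict, or None when the key is wrong (tag mismatch)."""
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct)))))

class Chain:
    """Erc transparent balances, the 0xHiddenTransfer pool total and the on-chain CMT."""

    def __init__(self, balances: dict, auth_keys: dict):
        self.balances = dict(balances)    # transparent address -> public amount (Erc)
        self.auth_keys = dict(auth_keys)  # stand-in: a real contract checks a public key
        self.pool_total = 0               # total private amount held by 0xHiddenTransfer
        self.cmt = []                     # commitment Merkle tree as an append-only list
        self.records = []                 # public transaction record set

    def verify_proof(self, record: dict, proof: str) -> bool:
        """Verify(pp, s, pi) stand-in: re-checks what the real proof would attest to."""
        return (proof == H(b"Prove", canon(record)).hex()
                and isinstance(record["amount"], int) and record["amount"] > 0
                and record["from"] in self.balances)

    def transparent_to_private(self, record: dict, proof: str, sig: bytes) -> bool:
        """Steps 306-308: Erc checks SpendAuthSig, has the pool verify pi, moves funds."""
        expected = hmac.new(self.auth_keys[record["from"]], canon(record), "sha256").digest()
        if not hmac.compare_digest(sig, expected) or not self.verify_proof(record, proof):
            return False
        if self.balances[record["from"]] < record["amount"]:
            return False                  # cannot deposit more than the transparent balance
        self.cmt.append(record["cm"])     # step 307: cm_b enters CMT, the record is published
        self.records.append(record)
        self.balances[record["from"]] -= record["amount"]   # step 308: Erc moves the amount
        self.pool_total += record["amount"]
        return True

def alice_deposit(sender: str, sk_a: bytes, z_recv: str, amount: int) -> tuple:
    """Steps 301-305 on the sender's side; returns (record, proof, SpendAuthSig)."""
    d, pk_d = derive_address(z_recv, os.urandom(16))
    ptx = {"d": d, "pk_d": pk_d, "m": amount, "p": os.urandom(16).hex(),
           "psi": os.urandom(16).hex(), "rcm": os.urandom(32).hex()}
    enc_info = os.urandom(16)             # public auxiliary input to the key derivation
    record = {"amount": amount, "from": sender, "cm": ptx_commit(ptx),
              "enc_ptx": sym_encrypt(sym_key(z_recv, enc_info), canon(ptx)).hex(),
              "enc_info": enc_info.hex()}
    proof = H(b"Prove", canon(record)).hex()                 # stands in for Prove(pp, s, record)
    sig = hmac.new(sk_a, canon(record), "sha256").digest()   # SpendAuthSig stand-in
    return record, proof, sig

def scan_for_received(chain: Chain, z_own: str) -> int:
    """Step 309: every node trial-decrypts each record; only the true receiver succeeds."""
    received = 0
    for rec in chain.records:
        key = sym_key(z_own, bytes.fromhex(rec["enc_info"]))
        ptx = sym_decrypt(key, bytes.fromhex(rec["enc_ptx"]))
        if ptx is not None and ptx_commit(ptx) == rec["cm"]:   # decrypted ptx matches cm_b
            received += ptx["m"]
    return received
```

A node that does not hold zBob (Carol in the test) derives a different key, the tag check fails, and it learns nothing about the amount or receiver.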
The second case is described below, in which the address with which the transaction initiator participates in the transaction is a private address and the address with which the transaction receiver participates is a transparent address.
The transaction amount information is transaction amount, the first proving information is generated by a transaction initiator according to at least one historical privacy transaction, the sum of the amount in the historical privacy transaction is not smaller than the transaction amount, the second proving information is a transparent address of a transaction receiver, the transaction record and the transaction proof are sent by the transaction initiator through temporary addresses, and the temporary addresses are generated based on a private key of the transaction initiator.
The historical privacy transaction further includes a derived address, a random seed, and a random identifier for identifying the historical privacy transaction, the first attestation information is generated by the transaction initiator based on the at least one historical privacy transaction, including generating a commitment for each historical privacy transaction based on the random seed for each historical privacy transaction, generating a use identifier for each historical privacy transaction based on the random identifier for each historical privacy transaction and the commitment for each historical privacy transaction, the use identifier being used to characterize whether the historical privacy transaction has been used, and the first attestation information is the use identifier for the at least one historical privacy transaction.
Saving the transaction records into a collection of transaction records of the blockchain includes placing a use identifier of at least one historical private transaction into a set of used identifiers in the collection of transaction records on the chain.
Updating the total account amount of the private transaction contract includes reducing the total account amount of the private transaction contract by the transaction amount.
The transaction receiver is used for determining that a transparent address exists in the transaction record after the transaction record is acquired from the transaction record set, and reducing the account amount indicated by the transparent address of the transaction receiver by the transaction amount locally.
For example, Alice, as the transaction initiator, uses a private address to transfer 100 yuan to Bob's transparent address. As shown in the flow chart of the private transaction method in fig. 4, the transaction process involves a transparent contract and a private transaction contract, illustrated here by the transparent contract Erc and the private transaction contract 0xHiddenTransfer. Note that the address of the transparent account smart contract Erc on the blockchain is 0xErc; the contract stores the address of each user, including Alice and Bob, with the corresponding public transparent account amount, and stores 0xHiddenTransfer with the corresponding total private account amount. The blockchain node maintains a commitment Merkle tree CMT on the blockchain and a set of used identifiers UID. The method specifically comprises the following steps:
First stage: Alice uses the private key sk_a corresponding to the private address zAlice to generate a zero-knowledge-proof transfer request;
Step 401, Alice obtains Bob's transparent address 0xBob directly from the chain and derives a temporary address Taddress from the private key sk_a of zAlice; the temporary address is a one-time address, so as to enhance privacy;
Step 402, Alice looks locally for n private transactions previously transferred to her private address by others, denoted ptx_a-1, ptx_a-2, ..., ptx_a-n, where ptx_a-i = (d_a-i, pk_d_a-i, v_i, p_a-i, ψ_a-i, rcm_a-i), i = 1, 2, ..., n. The amounts of these private transactions may differ; the n private transactions to be spent must have amounts summing to 100, written m = m_1 + m_2 + ... + m_n;
Step 403, Alice calculates the use identifier uid_i = DeriveNullifiernk(p_a-i, ψ_a-i, cm_a-i) for each ptx_a-i, where DeriveNullifiernk is the random identifier generation algorithm and cm_a-i = PTXCommit(ptx_a-i) is the commitment to ptx_a-i;
Step 404, Alice generates a transaction record record = (amount 100, random identifiers uid_1, uid_2, ..., uid_n, 0xBob) and generates a proof pi = Prove(pp, s, record) of the record with the zk-SNARK algorithm halo2, where s contains the set UID of random identifiers of previously used private transactions; membership in that set means a transaction has been used, which prevents a private transaction from being reused;
Step 405, Alice generates an authorization signature SpendAuthSig over the transaction using the temporary address Taddress, packages the transaction record, the proof pi and the signature, and sends the package to the Erc contract from the temporary address Taddress;
Second stage: interaction between the Erc contract and the private transaction contract
Step 406, after receiving the packaged transaction, the Erc contract verifies the correctness of the signature and then calls the privacy contract at address 0xHiddenTransfer to verify the proof pi;
Step 407, the privacy contract 0xHiddenTransfer verifies the legitimacy of the transaction record, v = Verify(pp, s, pi), with the halo2 verification algorithm and returns the result v to the Erc contract; if verification passes, the blockchain node puts all of uid_1, uid_2, ..., uid_n into the UID set on the chain, marking those transactions as used;
Step 408, the Erc contract receives the verification result v; if verification succeeded, the account balance of the address 0xBob is increased by 100 and the total account balance of the 0xHiddenTransfer contract is reduced by 100, and Alice locally reduces her own private account by 100 yuan. Note that although the total account balance of the contract 0xHiddenTransfer is reduced by 100, only Alice knows that it is her private account that has been reduced by 100 yuan; other nodes cannot know this.
Third stage: Bob obtains the transaction information
Step 409, Bob checks that the receiving address 0xBob is on the transaction record, saves the information locally and increases his amount locally by 100.
The third scenario is described below, in which the address with which the transaction initiator participates in the transaction is a private address and the address with which the transaction receiver participates is a private address.
The transaction amount information is obtained by encrypting the transaction amount by the transaction initiator, the first proving information is generated by the transaction initiator according to at least one historical privacy transaction, the sum of the amounts in the historical privacy transaction is not smaller than the transaction amount, the second proving information is generated by encrypting the privacy transaction according to a secret key derived by the transaction initiator through a privacy address of the transaction receiver, the privacy transaction comprises the transaction amount and a derived address, and the derived address is derived by the transaction initiator according to the privacy address of the transaction receiver.
The historical privacy transaction further includes a derived address, a random seed, and a random identifier for identifying the privacy transaction, the first attestation information is generated by the transaction initiator based on the at least one historical privacy transaction, including generating a commitment for each historical privacy transaction based on the random seed for each historical privacy transaction, generating a use identifier for each historical privacy transaction based on the random identifier for each historical privacy transaction and the commitment for each historical privacy transaction, the use identifier being used to characterize whether the historical privacy transaction has been used, and the first attestation information is the use identifier for the at least one historical privacy transaction.
The private transaction further includes a random seed, and the transaction record further includes a commitment of the private transaction generated by the random seed and the private transaction, and the saving of the transaction record to the collection of transaction records of the blockchain includes saving the commitment record in the transaction record of the private transaction to a commitment merck tree in the collection of transaction records of the blockchain, and placing the use identifier of the at least one historical private transaction into the set of used identifiers in the collection of transaction records on the chain.
The private transaction further comprises a random identifier for identifying the private transaction, and the transaction receiver is used for locally increasing the account amount indicated by the private address of the transaction receiver by the transaction amount after decrypting the second proof information in the transaction record and determining that the random identifier in the decryption result is legal after acquiring the transaction record from the transaction record set.
For example, Alice, as the transaction initiator, uses a private address to transfer 100 yuan to Bob's private address. As shown in the flow chart of the private transaction method in fig. 5, the transaction process involves a transparent contract and a private transaction contract, illustrated here by the transparent contract Erc and the private transaction contract 0xHiddenTransfer. Note that the address of the transparent account smart contract Erc on the blockchain is 0xErc; the contract stores the address of each user, including Alice and Bob, with the corresponding public transparent account amount, and stores 0xHiddenTransfer with the corresponding total private account amount. The blockchain node maintains a commitment Merkle tree CMT on the blockchain and a set of used identifiers UID. The transaction process specifically comprises the following steps:
In the first stage, Alice uses the private key sk_a corresponding to the private address zAlice to generate a zero-knowledge-proof transfer request.
Step 501, Alice obtains Bob's private address zBob offline in some way and derives from it the derived address (d_b, pk_d_b); each private transaction derives a one-time address for that transaction from the receiver's address, so as to enhance privacy.
Step 502, Alice looks locally for n private transactions previously transferred to her private address by others, denoted ptx_a-1, ptx_a-2, ..., ptx_a-n, where ptx_a-i = (d_a-i, pk_d_a-i, v_i, p_a-i, ψ_a-i, rcm_a-i), i = 1, 2, ..., n; the n private transactions to be spent must have amounts summing to m = 100, written m = m_1 + m_2 + ... + m_n. Alice calculates the use identifier uid_i = DeriveNullifiernk(p_a-i, ψ_a-i, cm_a-i) for each ptx_a-i, where DeriveNullifiernk is the random identifier generation algorithm and cm_a-i = PTXCommit(ptx_a-i) is the commitment to ptx_a-i;
Step 503, Alice generates a private transaction ptx_b = (d_b, pk_d_b, m, p_b, ψ_b, rcm_b) to be sent to Bob based on the transfer amount 100 and the derived address (d_b, pk_d_b), where m represents the amount 100, p_b and ψ_b are random identifiers of the transaction, and rcm_b is the random seed used to generate the commitment to the transaction. Alice calculates the commitment cm_b = PTXCommit(ptx_b) to ptx_b with the commitment algorithm based on the random seed rcm_b, calculates a secret key symKey_b from Bob's private address zBob and randomly generated auxiliary information enc_info, and symmetrically encrypts ptx_b with that key, giving the ciphertext enc(ptx_b);
Step 504, Alice calculates a Pedersen commitment cv to the amount 100 with the Pedersen commitment algorithm, assembles the above information into the transaction record record = (cv, uid_1, uid_2, ..., uid_n, cm_b, enc(ptx_b), enc_info), and generates a proof pi = Prove(pp, s, record) of the record with the zk-SNARK algorithm halo2, where s contains CMT and UID.
Step 505, Alice derives a temporary address Taddress from the private key sk_a of zAlice and generates a signature SpendAuthSig over the transaction with the temporary address. Alice packages the transaction record, pi and the signature and sends them to the 0xHiddenTransfer privacy contract;
Second stage: the 0xHiddenTransfer privacy contract verifies the zero-knowledge proof
Step 506, the 0xHiddenTransfer privacy contract verifies the correctness of the authorization signature SpendAuthSig and the legitimacy of the transaction record, v = Verify(pp, s, pi); if verification passes, it puts uid_1, uid_2, ..., uid_n into the UID set on the chain and cm_b into CMT;
Third stage: Bob obtains the transaction information
Step 507, Bob generates the key symKey_b from his own private address zBob and the decryption information enc_info in the transaction record, tries to decrypt enc(ptx_b) to obtain the transaction information ptx_b, then saves the transaction information locally and increases his own private balance by 100. In this step virtually every node attempts to decrypt the ciphertext enc(ptx_b), but only Bob decrypts it successfully.
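Scenarios two and three (Figs. 4 and 5) as one added Python example, not code from the patent: it derives the use identifiers from the spent historical transactions, checks that the n inputs sum to the transfer amount, and shows the on-chain UID set rejecting a replayed spend. The zk-SNARK, the Pedersen commitment and the nullifier key nk are hash-based stand-ins (the verifier re-checks the hidden witness directly), and Pool, build_spend and select_inputs are assumed names.

```python
import hashlib
import itertools
import json
import os

def H(*parts: bytes) -> bytes:
    """Domain-separated SHA-256 used for every hash-based stand-in below."""
    return hashlib.sha256(b"|".join(parts)).digest()

def canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()

def ptx_commit(ptx: dict) -> str:
    """PTXCommit stand-in: hash of the private transaction, which carries rcm."""
    return H(b"PTXCommit", canon(ptx)).hex()

def amount_commit(m: int, r: bytes) -> str:
    """Stand-in for the Pedersen commitment cv of step 504 (a hash, not a group element)."""
    return H(b"cv", m.to_bytes(8, "big"), r).hex()

def derive_nullifier(nk: bytes, ptx: dict) -> str:
    """DeriveNullifier_nk(p, psi, cm) stand-in: the use identifier uid_i of ptx.
    nk is an assumed spender-only nullifier key, so only the owner can compute uid_i
    and an observer cannot link a uid on chain back to a commitment in CMT."""
    return H(b"uid", nk, bytes.fromhex(ptx["p"]), bytes.fromhex(ptx["psi"]),
             bytes.fromhex(ptx_commit(ptx))).hex()

def make_ptx(m: int) -> dict:
    """A constructed private transaction (d, pk_d, m, p, psi, rcm) as Alice received it."""
    return {"d": os.urandom(8).hex(), "pk_d": os.urandom(8).hex(), "m": m,
            "p": os.urandom(16).hex(), "psi": os.urandom(16).hex(), "rcm": os.urandom(32).hex()}

def select_inputs(wallet: list, amount: int) -> list:
    """Steps 402/502: choose historical ptxs whose amounts sum to exactly `amount`."""
    for r in range(1, len(wallet) + 1):
        for combo in itertools.combinations(wallet, r):
            if sum(p["m"] for p in combo) == amount:
                return list(combo)
    return []

def build_spend(nk: bytes, wallet: list, amount: int, to_transparent: str = None) -> tuple:
    """Alice's side of steps 403-404 (to a transparent address) or 502-504 (to a private
    address): returns (public record, private witness). enc(ptx_b) and the SpendAuthSig
    from the temporary address are left out of this toy."""
    spent = select_inputs(wallet, amount)
    uids = [derive_nullifier(nk, p) for p in spent]
    witness = {"spent": spent, "nk": nk, "amount": amount, "r": os.urandom(32).hex()}
    if to_transparent is not None:
        record = {"amount": amount, "uids": uids, "to": to_transparent}
    else:   # cm_b commits to the new ptx_b for Bob; cv hides the amount
        record = {"cv": amount_commit(amount, bytes.fromhex(witness["r"])),
                  "uids": uids, "cm": ptx_commit(make_ptx(amount))}
    return record, witness

class Pool:
    """0xHiddenTransfer state (CMT, UID set, pool total) plus Erc transparent balances."""

    def __init__(self, balances: dict, pool_total: int, cmt: list):
        self.balances = dict(balances)
        self.pool_total = pool_total
        self.cmt = list(cmt)      # commitment Merkle tree as an append-only list
        self.uid = set()          # used identifiers of already spent private transactions
        self.records = []

    def verify_spend(self, record: dict, w: dict) -> bool:
        """Verify(pp, s, pi) stand-in. A real verifier sees only (pp, s, pi); here the
        hidden witness is re-checked directly to show what the proof must establish."""
        spent, amount = w["spent"], w["amount"]
        if "cv" in record:        # private-to-private: the amount is hidden behind cv
            amount_ok = record["cv"] == amount_commit(amount, bytes.fromhex(w["r"]))
        else:                     # private-to-transparent: the amount is public
            amount_ok = record["amount"] == amount
        return (amount_ok and len(spent) > 0
                and all(ptx_commit(p) in self.cmt for p in spent)        # inputs exist in CMT
                and record["uids"] == [derive_nullifier(w["nk"], p) for p in spent]
                and sum(p["m"] for p in spent) == amount                  # m = m_1 + ... + m_n
                and len(set(record["uids"])) == len(record["uids"])
                and not self.uid.intersection(record["uids"]))           # no double spend

    def private_to_transparent(self, record: dict, w: dict) -> bool:
        """Steps 406-408: verify, add the uids to UID, credit 0xBob, shrink the pool."""
        if not self.verify_spend(record, w):
            return False
        self.uid.update(record["uids"])
        self.records.append(record)
        self.balances[record["to"]] += record["amount"]
        self.pool_total -= record["amount"]
        return True

    def private_to_private(self, record: dict, w: dict) -> bool:
        """Step 506: verify, add the uids to UID and cm_b to CMT; the pool total is unchanged."""
        if not self.verify_spend(record, w):
            return False
        self.uid.update(record["uids"])
        self.cmt.append(record["cm"])
        self.records.append(record)
        return True
```

The UID set is the only state the chain needs to stop a note being spent twice: the uids are public, but without nk they reveal nothing about which CMT entries were consumed.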
As shown in fig. 6, a privacy trading device 600 according to an embodiment of the present application is provided, including:
An acquisition module 601, configured to obtain a transaction record and a transaction proof sent by a transaction initiator, wherein the transaction record is determined by the transaction initiator based on a private transaction and comprises transaction amount information, first proof information pointing to the transaction initiator and second proof information pointing to a transaction receiver;
And the processing module 602 is used for carrying out zero-knowledge proof verification on the transaction evidence by calling a privacy transaction contract, and if the verification is passed, storing the transaction record into a transaction record set of a blockchain and updating the total account amount of the privacy transaction contract.
The application uses zero-knowledge proof technology to selectively hide all transaction information, ensures that sensitive transaction details are not revealed, effectively protects the privacy of users, guarantees the validity of transactions, and maintains the integrity and credibility of the system. Interaction between the private funds pool and the transparent funds pool is allowed through the smart contracts, so private funds and transparent funds can be converted seamlessly; users are given more choice and can switch transaction modes flexibly according to the scenario, which enhances the compatibility and practicability of the blockchain transaction system.
Optionally, the acquiring module 601 is specifically configured to:
The address of the transaction initiator participating in the transaction is a transparent address, the address of the transaction receiver participating in the transaction is a privacy address,
The transaction amount information is transaction amount;
the first certification information is a transparent address of the transaction initiator;
the second proving information is generated by encrypting the private transaction according to a secret key derived by the transaction initiator through the private address of the transaction receiver, the private transaction comprises the transaction amount and the derived address, and the derived address is derived by the transaction initiator according to the private address of the transaction receiver.
Optionally, the acquiring module 601 is specifically configured to:
Acquiring a transaction signature aiming at the transaction record and sent by the transaction initiator;
Determining the legitimacy of the transaction signature by invoking a transparent transaction contract;
the updating the total account amount of the private transaction contract includes:
and reducing the account amount indicated by the transparent address of the transaction initiator by the transaction amount by calling the transparent transaction contract, and increasing the total account amount of the privacy transaction contract by the transaction amount.
Optionally, the acquiring module 601 is specifically configured to:
The private transaction further comprises a random seed, and the transaction record further comprises a commitment to the private transaction, wherein the commitment is generated from the random seed and the private transaction;
the saving the transaction record into a transaction record set of a blockchain includes:
saving the commitment in the transaction record of the private transaction to a commitment Merkle tree in the collection of transaction records of the blockchain.
Optionally, the acquiring module 601 is specifically configured to:
The private transaction further includes a random identifier for identifying the private transaction;
The transaction receiver is used for locally increasing the account amount indicated by the privacy address of the transaction receiver by the transaction amount after decrypting the second proof information in the transaction record and determining that the random identifier in the decryption result is legal after acquiring the transaction record from the transaction record set.
Optionally, the processing module 602 is configured to:
The transaction proof is a zero-knowledge proof generated based on the transaction record, comprising:
The transaction proof is generated from the public parameters of the zero-knowledge proof, the commitments in the commitment Merkle tree as of the time the private transaction is initiated, and the transaction record.
Optionally, the acquiring module 601 is configured to:
The address of the transaction initiator participating in the transaction is a privacy address, the address of the transaction receiver participating in the transaction is a transparent address,
The transaction amount information is transaction amount;
The first proving information is generated by the transaction initiator according to at least one historical privacy transaction, wherein the sum of the amounts in the historical privacy transaction is not less than the transaction amount;
The second certification information is a transparent address of the transaction receiver;
The transaction record and the transaction proof are sent by the transaction initiator via a temporary address, the temporary address being generated based on a private key of the transaction initiator.
Optionally, the processing module 602 is configured to:
The historical privacy transaction further includes a derived address, a random seed, and a random identifier for identifying the historical privacy transaction;
the first attestation information is generated by the transaction initiator from at least one historical privacy transaction, including:
generating a commitment for each historical private transaction based on the random seed for each historical private transaction;
Generating a use identifier for each historical private transaction based on the random identifier and the commitment of that historical private transaction, the use identifier characterizing whether the historical private transaction has been used;
the first attestation information is a use identifier of the at least one historical private transaction.
Optionally, the processing module 602 is configured to:
the usage identifier of the at least one historical privacy transaction is placed into a set of used identifiers in the set of transaction records on a chain.
Optionally, the processing module 602 is configured to:
The total account amount of the private transaction contract is reduced by the transaction amount.
Optionally, the processing module 602 is configured to:
And the transaction receiver is used for determining that the transparent address exists in the transaction record after acquiring the transaction record from the transaction record set, and locally reducing the account amount indicated by the transparent address of the transaction receiver by the transaction amount.
Optionally, the acquiring module 601 is configured to:
the address of the transaction initiator participating in the transaction is a privacy address, the address of the transaction receiver participating in the transaction is a privacy address,
The transaction amount information is obtained by encrypting the transaction amount by the transaction initiator;
The first proof information is generated by the transaction initiator from at least one historical privacy transaction, wherein the sum of the amounts of the historical privacy transactions is not less than the transaction amount;
the second proof information is generated by encrypting the private transaction with a secret key that the transaction initiator derives from the privacy address of the transaction receiver, the private transaction comprising the transaction amount and a derived address, the derived address being derived by the transaction initiator from the privacy address of the transaction receiver.
Optionally, the acquiring module 601 is configured to:
the historical privacy transaction further includes a derived address, a random seed, and a random identifier for identifying the privacy transaction;
the first proof information is generated by the transaction initiator from at least one historical privacy transaction as follows:
generating a commitment for each historical privacy transaction based on the random seed of that historical privacy transaction;
generating a use identifier for each historical privacy transaction based on the random identifier and the commitment of that historical privacy transaction, the use identifier characterizing whether the historical privacy transaction has already been used;
the first proof information is the use identifier of the at least one historical privacy transaction.
Optionally, the acquiring module 601 is configured to:
The private transaction further comprises a random seed, and the transaction record further comprises a commitment of the private transaction, the commitment being generated from the random seed and the private transaction;
the storing of the transaction record into the transaction record set of the blockchain includes:
storing the commitment of the private transaction contained in the transaction record into a commitment Merkle tree in the transaction record set of the blockchain;
adding the use identifier of the at least one historical privacy transaction to the set of used identifiers in the transaction record set on the chain.
Optionally, the acquiring module 601 is configured to:
The private transaction further includes a random identifier for identifying the private transaction;
After acquiring the transaction record from the transaction record set, the transaction receiver decrypts the second proof information in the transaction record and, upon determining that the random identifier in the decryption result is legitimate, locally increases the account amount indicated by its privacy address by the transaction amount.
Based on the same technical concept, an embodiment of the present application provides a computer device, shown in fig. 7, which includes at least one processor 701 and a memory 702 connected to the at least one processor. The embodiment does not limit the connection medium between the processor 701 and the memory 702; in fig. 7 they are connected by a bus, for example. A bus may be divided into an address bus, a data bus, a control bus, and so on.
In an embodiment of the present application, the memory 702 stores instructions executable by the at least one processor 701, and the at least one processor 701 performs the steps of the privacy transaction method described above by executing the instructions stored in the memory 702.
The processor 701 is the control center of the computer device. It connects the parts of the computer device through various interfaces and lines and, by running or executing the instructions stored in the memory 702 and invoking the data stored in the memory 702, ensures that the private transaction information is not leaked while still allowing the proof information to be verified during the private transaction. Optionally, the processor 701 may include one or more processing units and may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface and application programs, and the modem processor mainly handles wireless communication. The modem processor need not be integrated into the processor 701. In some embodiments the processor 701 and the memory 702 may be implemented on the same chip; in other embodiments they may be implemented on separate chips.
The processor 701 may be a general-purpose processor such as a central processing unit (CPU), a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or a combination thereof, capable of implementing or performing the methods, steps and logic blocks disclosed in the embodiments of the application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of a method disclosed in connection with the embodiments of the present application may be executed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
The memory 702 is a non-volatile computer-readable storage medium that can store non-volatile software programs, non-volatile computer-executable programs and modules. The memory 702 may include at least one type of storage medium, for example flash memory, a hard disk, a multimedia card, card memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, a magnetic disk or an optical disk. The memory 702 may also be any other medium that can carry or store the desired program code in the form of instructions or data structures and that can be accessed by the computer device, but is not limited thereto. In the embodiments of the present application, the memory 702 may also be a circuit or any other device capable of performing a storage function for storing program instructions and/or data.
Based on the same inventive concept, an embodiment of the present application provides a computer-readable storage medium storing a computer program executable by a computer device, which, when run on the computer device, causes the computer device to perform the steps of the privacy transaction method described above.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (19)
1. A privacy transaction method, applied to a blockchain node, comprising:
acquiring a transaction record and a transaction proof sent by a transaction initiator, wherein the transaction record is determined by the transaction initiator based on a private transaction, and the transaction record comprises transaction amount information, first proof information pointing to the transaction initiator and second proof information pointing to a transaction receiver;
performing zero-knowledge proof verification on the transaction proof by invoking a privacy transaction contract, wherein the address at which at least one of the transaction initiator and the transaction receiver participates in the transaction is a privacy address;
and if the verification passes, storing the transaction record into a transaction record set of a blockchain and updating the total account amount of the privacy transaction contract.
2. The method of claim 1, wherein the transaction initiator participates in the transaction at a transparent address and the transaction receiver participates in the transaction at a privacy address,
the transaction amount information is the transaction amount;
the first proof information is the transparent address of the transaction initiator;
the second proof information is generated by encrypting the private transaction with a secret key that the transaction initiator derives from the privacy address of the transaction receiver, the private transaction comprising the transaction amount and a derived address, the derived address being derived by the transaction initiator from the privacy address of the transaction receiver.
3. The method of claim 2, further comprising, before performing zero-knowledge proof verification on the transaction proof by invoking the privacy transaction contract:
acquiring a transaction signature on the transaction record sent by the transaction initiator;
determining the legitimacy of the transaction signature by invoking a transparent transaction contract;
and the updating the total account amount of the privacy transaction contract includes:
reducing the account amount indicated by the transparent address of the transaction initiator by the transaction amount by invoking the transparent transaction contract, and increasing the total account amount of the privacy transaction contract by the transaction amount.
4. The method of claim 2, wherein the private transaction further comprises a random seed, and the transaction record further comprises a commitment of the private transaction, the commitment being generated from the random seed and the private transaction;
the storing the transaction record into a transaction record set of a blockchain includes:
storing the commitment of the private transaction contained in the transaction record into a commitment Merkle tree in the transaction record set of the blockchain.
5. The method of claim 2, wherein the private transaction further comprises a random identifier for identifying the private transaction;
and after acquiring the transaction record from the transaction record set, the transaction receiver decrypts the second proof information in the transaction record and, upon determining that the random identifier in the decryption result is legitimate, locally increases the account amount indicated by its privacy address by the transaction amount.
6. The method of claim 2, wherein the transaction proof is a zero-knowledge proof generated based on the transaction record, and:
the transaction proof is generated from the public parameters of the zero-knowledge proof, the commitment of the most recent private transaction in the commitment Merkle tree at the time the private transaction is initiated, and the transaction record.
7. The method of claim 1, wherein the transaction initiator participates in the transaction at a privacy address and the transaction receiver participates in the transaction at a transparent address,
the transaction amount information is the transaction amount;
the first proof information is generated by the transaction initiator from at least one historical privacy transaction, wherein the sum of the amounts of the historical privacy transactions is not less than the transaction amount;
the second proof information is the transparent address of the transaction receiver;
and the transaction record and the transaction proof are sent by the transaction initiator via a temporary address, the temporary address being generated based on a private key of the transaction initiator.
8. The method of claim 7, wherein the historical privacy transaction further comprises a derived address, a random seed, and a random identifier for identifying the historical privacy transaction;
and the first proof information is generated by the transaction initiator from at least one historical privacy transaction as follows:
generating a commitment for each historical privacy transaction based on the random seed of that historical privacy transaction;
generating a use identifier for each historical privacy transaction based on the random identifier and the commitment of that historical privacy transaction, the use identifier characterizing whether the historical privacy transaction has already been used;
the first proof information being the use identifier of the at least one historical privacy transaction.
9. The method of claim 8, wherein the saving the transaction record into a collection of transaction records for a blockchain comprises:
adding the use identifier of the at least one historical privacy transaction to the set of used identifiers in the transaction record set on the chain.
10. The method of claim 7, wherein the updating the total account amount of the private transaction contract comprises:
reducing the total account amount of the privacy transaction contract by the transaction amount.
11. The method as recited in claim 7, further comprising:
after acquiring the transaction record from the transaction record set and determining that its transparent address is present in the transaction record, the transaction receiver locally increases the account amount indicated by its transparent address by the transaction amount.
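The node-side bookkeeping that claims 3-4 and 7-11 describe (and that the processing-module passages above repeat) can be exercised end to end with a small model. The following Python is an added example written for this page, not code from the patent or its applicant. The patent fixes neither the hash function, the commitment and use-identifier constructions, nor the Merkle tree layout, so SHA-256 with domain tags and a plain binary tree are assumptions; the zero-knowledge verification of the transaction proof is replaced by a direct re-check of the statement the proof would attest to, which means the contract is handed the spent transactions as a witness that a real verifier never sees. The balances and transactions in demo() are constructed.

```python
import hashlib
from dataclasses import dataclass

def H(*parts: bytes) -> bytes:
    """Domain-separated SHA-256 (assumption: the patent does not fix a hash function)."""
    return hashlib.sha256(b"|".join(parts)).digest()

@dataclass(frozen=True)
class PrivateTx:
    """A privacy transaction as held by its owner (a 'historical privacy transaction')."""
    amount: int
    derived_address: bytes
    seed: bytes      # random seed: blinds the commitment
    rand_id: bytes   # random identifier: keeps the use identifier unlinkable to the commitment

def commitment(tx: PrivateTx) -> bytes:
    """Commitment from the random seed and the private transaction (claims 4, 8, 14)."""
    return H(b"commit", tx.seed, tx.amount.to_bytes(8, "big"), tx.derived_address)

def use_identifier(tx: PrivateTx) -> bytes:
    """Use identifier from the random identifier and the commitment (claims 8, 13)."""
    return H(b"use", tx.rand_id, commitment(tx))

class CommitmentTree:
    """Append-only Merkle tree over commitments; an unpaired last node is hashed with itself."""
    def __init__(self):
        self.leaves = []

    def append(self, c: bytes):
        self.leaves.append(c)

    def root(self) -> bytes:
        level = list(self.leaves) or [b"\x00" * 32]
        while len(level) > 1:
            if len(level) % 2:
                level.append(level[-1])
            level = [H(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        return level[0]

@dataclass(frozen=True)
class SpendProof:
    """Public inputs of a private-to-transparent proof plus, in this model only, the witness."""
    root: bytes
    use_ids: tuple
    amount: int
    receiver: str
    witness: tuple   # spent PrivateTx values; a real verifier never sees these

class PrivacyContract:
    """Privacy transaction contract state beside a simplified transparent-balance contract."""
    def __init__(self, transparent: dict):
        self.tree = CommitmentTree()
        self.used = set()                 # set of used identifiers (claim 9)
        self.pool_total = 0               # total account amount of the privacy contract
        self.transparent = transparent    # balances kept by the transparent contract (claim 3)
        self.known_roots = {self.tree.root()}

    def transparent_to_private(self, sender: str, amount: int, new_tx: PrivateTx):
        """Claims 3-4: debit the transparent address, credit the pool, store the commitment."""
        if amount <= 0 or self.transparent.get(sender, 0) < amount:
            raise ValueError("insufficient transparent balance")
        self.transparent[sender] -= amount
        self.pool_total += amount
        self.tree.append(commitment(new_tx))
        self.known_roots.add(self.tree.root())

    def private_to_transparent(self, proof: SpendProof):
        """Claims 7-11: check the proof, record the use identifiers, debit the pool, pay out."""
        if proof.root not in self.known_roots:
            raise ValueError("proof refers to an unknown commitment root")
        if any(u in self.used for u in proof.use_ids):
            raise ValueError("double spend: use identifier already in the used set")
        # The statement a zero-knowledge circuit would enforce on the hidden witness:
        if tuple(use_identifier(t) for t in proof.witness) != proof.use_ids:
            raise ValueError("use identifiers do not match the spent transactions")
        if any(commitment(t) not in self.tree.leaves for t in proof.witness):
            raise ValueError("spent transaction is not in the commitment tree")
        if sum(t.amount for t in proof.witness) < proof.amount:
            raise ValueError("historical amounts do not cover the transaction amount")
        self.used.update(proof.use_ids)
        self.pool_total -= proof.amount
        # Claim 11 has the receiver credit its transparent address locally; done here for brevity.
        self.transparent[proof.receiver] = self.transparent.get(proof.receiver, 0) + proof.amount

def demo() -> dict:
    """Constructed run: deposit 60 into the pool, pay 50 of it out to bob, then replay the spend."""
    c = PrivacyContract({"alice": 100})
    note = PrivateTx(60, b"alice-derived-address", b"s" * 32, b"r" * 32)  # constructed sample
    c.transparent_to_private("alice", 60, note)
    spend = SpendProof(c.tree.root(), (use_identifier(note),), 50, "bob", (note,))
    c.private_to_transparent(spend)
    try:
        c.private_to_transparent(spend)  # the same use identifier presented a second time
        replay = "accepted"
    except ValueError as e:
        replay = str(e)
    return {"alice": c.transparent["alice"], "bob": c.transparent["bob"],
            "pool": c.pool_total, "used": len(c.used), "replay": replay}
```

The order of checks in private_to_transparent is the part worth copying: the root and the used-identifier set are checked before anything is mutated, and the used set is only extended once every condition holds, so a failed replay leaves no trace. The claims require only that the historical amounts are not less than the transaction amount; they do not say what happens to any surplus, and the model simply leaves it in the pool.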
12. The method of claim 1, wherein the address at which the transaction initiator participates in the transaction is a privacy address and the address at which the transaction receiver participates in the transaction is a privacy address,
the transaction amount information is obtained by the transaction initiator encrypting the transaction amount;
the first proof information is generated by the transaction initiator from at least one historical privacy transaction, wherein the sum of the amounts of the historical privacy transactions is not less than the transaction amount;
the second proof information is generated by encrypting the private transaction with a secret key that the transaction initiator derives from the privacy address of the transaction receiver, the private transaction comprising the transaction amount and a derived address, the derived address being derived by the transaction initiator from the privacy address of the transaction receiver.
13. The method of claim 12, wherein the historical privacy transaction further comprises a derived address, a random seed, and a random identifier for identifying the historical privacy transaction;
and the first proof information is generated by the transaction initiator from at least one historical privacy transaction as follows:
generating a commitment for each historical privacy transaction based on the random seed of that historical privacy transaction;
generating a use identifier for each historical privacy transaction based on the random identifier and the commitment of that historical privacy transaction, the use identifier characterizing whether the historical privacy transaction has already been used;
the first proof information being the use identifier of the at least one historical privacy transaction.
14. The method of claim 12, wherein the private transaction further comprises a random seed, and the transaction record further comprises a commitment of the private transaction, the commitment being generated from the random seed and the private transaction;
the storing the transaction record into a transaction record set of a blockchain includes:
storing the commitment of the private transaction contained in the transaction record into a commitment Merkle tree in the transaction record set of the blockchain;
adding the use identifier of the at least one historical privacy transaction to the set of used identifiers in the transaction record set on the chain.
15. The method of claim 12, wherein the private transaction further comprises a random identifier for identifying the private transaction;
and after acquiring the transaction record from the transaction record set, the transaction receiver decrypts the second proof information in the transaction record and, upon determining that the random identifier in the decryption result is legitimate, locally increases the account amount indicated by its privacy address by the transaction amount.
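Claims 2, 5, 12 and 15 leave the receiver-side mechanics implicit: how the secret key is derived from the receiver's privacy address, how the derived address is formed, and what makes a decrypted random identifier legitimate. The following Python is an added example for this page, not the patent's own code. It assumes a Diffie-Hellman style privacy address (the receiver publishes g^sk), an ephemeral public key that the initiator attaches to the second proof information, an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag in place of the unspecified cipher, and a toy 127-bit prime group that is for illustration only; it treats a random identifier as legitimate when the decrypted private transaction reproduces the commitment on chain and the identifier has not been credited before. All keys and amounts are constructed at run time.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption, illustration only): Mersenne prime modulus, generator 3.
P = 2**127 - 1
G = 3

def H(*parts: bytes) -> bytes:
    """Domain-separated SHA-256 (assumption: the patent does not fix a hash function)."""
    return hashlib.sha256(b"|".join(parts)).digest()

def i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")

def keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the cipher the patent leaves unspecified."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def derive(shared: int, receiver_pub: int) -> tuple:
    """Encryption key, MAC key and derived (one-time) address, all from the shared secret."""
    s = i2b(shared)
    return H(b"enc", s), H(b"mac", s), H(b"derived", i2b(receiver_pub), s)

def commitment(amount: int, derived_address: bytes, seed: bytes) -> bytes:
    """Commitment of the private transaction from the random seed (claims 4, 14)."""
    return H(b"commit", seed, amount.to_bytes(8, "big"), derived_address)

def make_private_record(receiver_pub: int, amount: int) -> dict:
    """Initiator side (claims 2, 12): encrypt the private transaction to the receiver's privacy address."""
    eph = secrets.randbelow(P - 2) + 1
    epk = pow(G, eph, P)                                   # attached to the record (assumption)
    enc_key, mac_key, derived = derive(pow(receiver_pub, eph, P), receiver_pub)
    seed, rand_id = secrets.token_bytes(32), secrets.token_bytes(32)
    plain = amount.to_bytes(8, "big") + derived + seed + rand_id   # the private transaction
    ct = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, len(plain))))
    tag = hmac.new(mac_key, i2b(epk) + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"commitment": commitment(amount, derived, seed), "second_proof": (epk, ct, tag)}

class Wallet:
    """Holder of a privacy address; scans transaction records and credits its local balance."""
    def __init__(self, sk: int):
        self.sk = sk
        self.pub = pow(G, sk, P)      # the published privacy address
        self.balance = 0
        self.seen = set()             # random identifiers already credited

    @classmethod
    def new(cls):
        return cls(secrets.randbelow(P - 2) + 1)

    def scan(self, record: dict):
        """Claims 5, 15: decrypt the second proof information; credit only a legitimate identifier."""
        epk, ct, tag = record["second_proof"]
        enc_key, mac_key, derived = derive(pow(epk, self.sk, P), self.pub)
        expect = hmac.new(mac_key, i2b(epk) + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None                                    # not addressed to this wallet
        plain = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, len(ct))))
        if len(plain) != 104:
            raise ValueError("malformed private transaction")
        amount = int.from_bytes(plain[:8], "big")
        derived_in, seed, rand_id = plain[8:40], plain[40:72], plain[72:104]
        if derived_in != derived:
            raise ValueError("derived address does not match this privacy address")
        if commitment(amount, derived_in, seed) != record["commitment"]:
            raise ValueError("decrypted transaction does not reproduce the on-chain commitment")
        if rand_id in self.seen:
            raise ValueError("random identifier already credited")
        self.seen.add(rand_id)
        self.balance += amount
        return amount
```

Two design points carry over to any real implementation of these claims. The MAC is checked before decryption, so a record addressed to someone else (or tampered with) is discarded without ever interpreting its plaintext, and a wallet scanning the whole record set simply gets None for records that are not its own. The commitment recomputation is what ties the decrypted amount to what the contract actually stored: without it a sender could encrypt one amount to the receiver while committing to another on chain.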
16. A privacy transaction apparatus, comprising:
an acquisition module, configured to acquire a transaction record and a transaction proof sent by a transaction initiator, wherein the transaction record is determined by the transaction initiator based on a private transaction and comprises transaction amount information, first proof information pointing to the transaction initiator and second proof information pointing to a transaction receiver;
and a processing module, configured to perform zero-knowledge proof verification on the transaction proof by invoking a privacy transaction contract and, if the verification passes, store the transaction record into a transaction record set of a blockchain and update the total account amount of the privacy transaction contract.
17. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any of claims 1-15 when the program is executed by the processor.
18. A computer readable storage medium, characterized in that it stores a computer program executable by a computer device, which when run on the computer device causes the computer device to perform the steps of the method of any of claims 1-15.
19. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of the method of any of claims 1 to 15.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202510003709.5A CN119809826A (en) | 2025-01-02 | 2025-01-02 | A privacy transaction method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN119809826A true CN119809826A (en) | 2025-04-11 |
Family
ID=95279240
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202510003709.5A Pending CN119809826A (en) | 2025-01-02 | 2025-01-02 | A privacy transaction method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119809826A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN120110685A (en) * | 2025-05-06 | 2025-06-06 | 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) | A cross-chain message verification method and system based on zero-knowledge virtual machine technology |
| CN120110685B (en) * | 2025-05-06 | 2025-07-29 | 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) | Cross-chain message verification method and system based on zero-knowledge virtual machine technology |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |