A Traceable Method of the Blockchain Data

Information

  • Patent Application
  • 20210144006
  • Publication Number
    20210144006
  • Date Filed
    October 29, 2018
    6 years ago
  • Date Published
    May 13, 2021
    3 years ago
Abstract
A traceable method for the blockchain data is disclosed. A regulator generates the public parameters pp. Each user generates his own registration information and sends it to the regulator. The regulator verifies the registration information of each user, and makes some information public. When the data in the blockchain application needs the public information and identity proofs of the users who indirectly participate in data creation, each user in Acreate obtains the identity proofs of the users in Bother; each user in Acreate creates his own identity proof, then generates the data datatrace=[{proofid}id∈I, databody]crytool and sends it to the node network. The node network verifies the received user data and adds it to the block. The regulator then obtains data from the blockchain and decrypts the ciphertexts in the data to determine the identity set corresponding to each data.
Description
TECHNICAL FIELD

The present application relates to the field of information security technology and to a design scheme of the blockchain traceability mechanism. Specifically, the present application leverages chameleon hash, zero-knowledge Succinct Non-interactive Argument of Knowledge (zk-SNARK), and other technologies to trace blockchain users' privacy information, and to ensure the security and overall efficiency of protocol execution.


BACKGROUND OF THE INVENTION

In the 21st century, with the rapid development of the Internet, cloud computing, big data, artificial intelligence, and other technologies, the entire society is becoming more and more digital, networked, and intelligent. The blockchain technology, which has received much attention from industry and academia, has the properties of digitalization, networking, intelligence, and immutability of data. These properties make the blockchain better meet the needs of today's social development. Nowadays, the blockchain technology has good application prospects in many fields, such as, military, finance, Internet of Things, cloud computing, artificial intelligence, communications, insurance, and medical care.


The blockchain is originated from Bitcoin proposed by Satoshi Nakamoto, which is the core supporting technology of Bitcoin. It enables direct peer-to-peer payment between users without the existence of a central institution. The blockchain can be considered a distributed database (distributed ledger) that only appends data. The data is stored in the block that contains the block header and block body. Every block header includes the hash of the previous block, forming a chain. The blockchain includes a variety of features: distributed, decentralized, anonymity, safe, reliable, transparency, and so on. The blockchain is not a single technology, but an integration of multiple technologies, such as, cryptography and peer-to-peer networking.


Presently, research on blockchain primarily focuses on enhancing blockchain privacy protection, improving blockchain scalability, and analyzing blockchain security. However, it ignores providing a regulatory mechanism for the blockchain data. Strong privacy protection facilitates criminal activities (e.g., ransomware, money laundering). The lack of effective supervision in blockchain has seriously hindered the development and application of the blockchain.


SUMMARY OF THE INVENTION

Therefore, for the actual needs of the development of the blockchain, the presently application disclose a blockchain traceable scheme. This scheme allows only the regulator to monitor data in the blockchain, and obtain the user's private information, such as user identity, data content, while others cannot obtain user's private information. Therefore, the regulator can effectively crack down on illegal and criminal activities in the blockchain by supervising the blockchain data via the traceable scheme, which ensures healthy and stable development of the blockchain.


The presently disclosed method leverages cryptographic techniques (e.g., chameleon hash, zk-SNARK) to realize the construction of a traceable scheme for blockchain:


1. Chameleon Hash Scheme

Definition 1.1 A chameleon hash scheme cham_hash=(Setup, KeyGen, Chash, UForge) described below:

    • Setup(λ): On input a security parameter λ, the algorithm returns the public parameters pp;
    • KeyGen(pp): On input the public parameters pp, the algorithm returns a pair of public/private keys (HK,CK), where CK is also known as the trapdoor;
    • Chash(HK, m, r): On input the public key HK, a message m, and a random number r, the algorithm returns a chameleon hash CH;
    • UForge(CK, m, r, m′): On input the private key CK, two messages m, m′, and a random number r, the algorithm returns r′ that satisfies CH=Chash(HK, m, r)=Chash(HK, m′, r′).


Definition 1.2 A chameleon hash scheme satisfies the following secure properties.

    • Collision resistance: On input the public key HK, there is no effective algorithm that can find two pairs (m1, r1) and (m2, r2) such that Chash(HK, m1, r1)=Chash(HK, m2, r2).
    • Trapdoor collisions: In the case of knowing the trapdoor, for any m1, r1, given m2, there is an effective algorithm to calculate r2, which satisfies Chash(HK, m1, r1)=Chash(HK, m2, r2).
    • Semantic security: For any messages m1, m2, the probability distribution of Chash(HK, m1, rip and Chash(HK, m2, r2) is indistinguishable. In particular, when r is randomly selected, the arbitrary probabilistic polynomial-time algorithm cannot obtain any information concerning m from Chash(HK, m, r).


The presently disclosed method uses the chameleon hash scheme proposed by Hugo Krawczyk and Tal Rabin:

    • Setup(λ): On input a security parameter λ, this algorithm constructs two large prime number p, q such that p=kq+1, and then selects the element g of order q in the multiplication cyclic group Zp*. Finally, this algorithm outputs a public parameter pp=(p, q, g);
    • KeyGen(pp): On input the public parameter pp, this algorithm randomly samples x in the multiplication cyclic group Zq*, and computes h=gx. Finally, this algorithm returns private key CK=x and public key HK=h;
    • Chash(HK, m, r): On input public key HK=h, a message m, and a random number r, where m, r e Zq*, this algorithm returns the chameleon hash CH=gmhr mod p;
    • UForge(CK, m, r, m′): On input private key CK=x, a message m, a random number r, and a message m′, where m, r, m′∈Zq*, this algorithm obtains m+xr=m′+xr′ mod q according to CH=gmhr=gm′hr′ mod p. Therefore, this algorithm can compute r′.


2. Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge

Definition 2.1 The arithmetic circuit satisfiability problem of an F-arithmetic circuit AC: Fn×Fh→Fl is captured by the relation RAC={(statement, witness)∈Fn×Fh|AC(statement,witness)=0l}; its language is LAC={statement∈Fn|∃witness∈Fh s.t. AC(statement,witness)=0l}.


Definition 2.2 A zk-SNARK scheme Å=(Gen, Prove, Verify) of the language LAC (with the relation RAC) is described below:

    • Gen: On input a security parameter λ and an F-arithmetic circuit AC, this algorithm returns a pair of proving/verification key (pk, vk);
    • Prove: On input the proving key pk, (statement, witness), this algorithm returns a proof π for the statement using the witness;
    • Verify: On input vk, statement, π, this algorithm returns 1 if the verification succeeds, or 0 if the verification fails.


In addition, the presently disclosed method uses the publicly verifiable zk-SNARK. That is, (pk, vk) is disclosed as public parameters.


3. Public Key Encryption Scheme

Definition 3.1 A public key encryption scheme Γ=(Setup, KeyGen, ENC, DEC) is described below:

    • Setup(λ): Given a security parameter λ, this algorithm returns the public parameters ppenc.
    • KeyGen(ppenc): Given the public parameters ppenc, this algorithm returns a pair of public/private keys (pkenc, skenc).
    • ENC (pkenc, m): Given the public key pkenc and a message m, this algorithm returns a ciphertext C.
    • DEC (skenc, C): Given the private key skenc and the ciphertext C, this algorithm returns a message m, or returns ⊥ if decryption fails.


Aiming at the problem that the data in the existing blockchain cannot be effectively monitored, the purpose of the presently disclosed method is to provide a data traceable scheme in the blockchain.


The technical scheme of the presently disclosed method is:


The steps of the presently disclosed data traceable method for blockchain include:


1) The regulator first generates the public parameters pp; Each user generates his own registration information Cloginfo and sends it to the regulator;


2) The regulator verifies the registration information of each user, and publishes the h∥CHid corresponding to each user's identity, where h is the chameleon hash public key, and CHid is the chameleon hash value of the identity id.


3) When the data in the blockchain application needs to the public information and identity proof of the users who indirectly participate in data creation, each user in Acreate directly obtains the identity proof of the users in Bother; each user in Acreate creates his own identity proof, generates the data datatrace=[{proofid}id∈I, databody]crytool, and sends it to the node network, where {proofid}id∈I denotes the identity proof set of users, proofid is the identity proof of the user whose identity is id, I is the user identity set that requires identity proofs, Acreate={a1, . . . , an} denotes the public information set of the users who directly participate in data creation, Bother={b1, . . . , bn′} denotes the public information set of the users who indirectly participate in data creation, databody denotes the data body, which is also includes the users' public information set that does not require any identity proof, and crytool denotes the cryptographic tools.


4) Whenever the verification node in the node network receives the data, it verifies the identity proof of each user and the data contents. If the verification is successful, the data is added in the block that is created by the verification node. And then the node network according to a consensus mechanism selects a final block which is added to the blockchain;


5) The regulator obtains the data from the blockchain, and decrypts the corresponding ciphertext in the data, and then queries the relevant records to obtain the identity set corresponding to each data.


Further, the public parameter


pp=(pkloginfo, vkloginfo, pkidproof, vkidproof, pkau, ppchash) where (pkloginfo, vkloginfo) is the zk-SNARK proving/verification key for proving (statement, witness)∈Rloginfo, (pkidproof, vkidproof) is the zk-SNARK proving/verification key for proving (statement′, witness′)∈Ridproof, pkau is the public key of the regulator, ppchash is the chameleon hash public parameter, statement=(id, g, h, CHid), witness=(x, r), the relation Rloginfo={(statement, witness)|h=gxΛCHid=gidhr}; statement′=(rt, pub, g, pkau, Cid), witness'=(pathid, CHid, x, h, priv, r′, rn), the relation Ridproof={(statement′, witness′)|pub=gen(priv)Λh=gxΛCHid=cham_hash. CHash(h, priv, r′)ΛCid=Γ.ENC(pkau, rn, h)ΛTreeBranch(rt, pathid, h∥CHid)}; g is the element of order q in the multiplication cyclic group Zp*, x that is the private key of computing CHid is a random element in the multiplication cyclic group Zq*, r is the random number of computing CHid, rt is the root of the Merkle tree, pathid is the path from h∥CHid to rt, pub is the public information, priv is the private information, rn is the random number for encryption, h∥CHid corresponding to the identity of the registered user is exposed in the form of a Merkle tree.


Further, the user uses the zk-SNARK proving algorithm Prove(pkloginfo,statement,witness) to generate the proof πloginfo. πloginfo is used to prove to the regulator that the user knows that witness makes the (statement, witness) satisfy the relation Rloginfo, but does not disclose any information about the witness. Next, the user stores (id, g, h, CHid, x, r), encrypts (statement, πloginfo) using the public key of the regulator to obtain the registration information Cloginfo, and sends Cloginfo to the regulator.


Further, when the regulator receives the registration information Cloginfo, it will decrypt the Cloginfo and obtain (statement, πloginfo) Next, the regulator first verifies the identity id and then invokes the zk-SNARK verification algorithm Verify(vkloginfo, statement, πloginfo) to verify whether the user knows that the witness makes the (statement, witness) satisfy the relation Rloginfo. If the verification is successful, the regulator stores (h, id, CHid), and publishes h∥CHid stored in the Merkle tree.


Further, the method of generating identity proof: After a user whose identity is id has successfully registered, the user can obtain the path pathid about his h∥CHid from the Merkle tree published by the regulator. Then, according to the public/private information (pub, priv), the user can calculate a value r′=cham_hash.UForge(CK, id, r, priv). Next, the user computes ciphertext Cid=Γ.ENC(pkawrn, h), where rn is the random number used for encryption. Therefore, the user can obtain statement′=(rt, pub, g, pkau, Cid) and witness'=(pathid, CHid, x, h, priv, r′, rn). The user uses the zk-SNARK proving algorithm Prove(pkidproof, statement′, witness′) to generate the proof πid. Finally, the user gets the identity proof proofid=(statement′, πid) about the identity id.


Further, the method of verifying identity proof: each verification node invokes the zk-SNARK verification algorithm Verify(vkidproof, proofid) to verify whether the user knows that the witness' makes (statement′, witness′) satisfy the relation Ridproof If the verification is successful, the identity proof is valid; otherwise, the verification of the identity proof fails.


Further, the regulator extracts the ciphertext set C={Cidi}idi∈I from the blockchain data datatrace. For each ciphertext Cidi in C, the regulator computes hi=Γ.DEC (skau, Cid), searches the (h, id, CHid) record, obtains the idi corresponding to hi and adds the idi to the users' identity set ID. Finally, the regulator obtains the users' identity set ID corresponding to datatrace.


The presently disclosed method can include following main components:


1. A Blockchain Data Model

In many blockchain applications, every user generally has public information (pub), such as public key address, serial number, and corresponding private information, for example, private key address, signing private key. The public information is generated by the private information. For example, the public address and private key are the ECDSA's public/private key in Bitcoin, or the public key address is generated by the private key address via pseudorandom function in Zerocash. Therefore, there is a generation relationship between the users' public information and private information, i.e., pub=gen(priv). However, whatever way the blockchain uses to generate public/private information, the user who wants to operate some data of the blockchain must have the corresponding private information. In other words, the private information guarantees the user's unique power of operating data.


The blockchain can be viewed as a distributed database, on which data is stored. The untraceable data model in the blockchain is as follows:





datauntrace=[U,databody]crytool.


where U denotes the users' public information set that requires identity proofs, databody denotes the data body, which is also includes the users' public information set that does not require any identity proof, and crytool denotes the cryptographic tools that guarantee blockchain features such as tamper-resistance and privacy protection.


U={Acreate, Bother), Acreate={a1, . . . , an} denotes the public information set of the users who directly participate in data creation. ai(1≤i≤n) denotes the public information of the user Pi, such as public address, serial number. Acreate may be empty. For example, because of the linkability among transactions in Bitcoin, the users only provide identity proofs for output addresses to achieve the trackable goal. Bother={b1, . . . , bn′} denotes the public information set of the users who indirectly participate in data creation. Bother is used to receive data, such as the output addresses in Bitcoin. Bother may be empty, such as in some blockchain applications, a user only creates the data stored in the blockchain and does not require others to participate.


A main aspect of the presently disclosed traceable mechanism is that identity proofs are added to the blockchain data. FIG. 1 shows the data model in the traceable mechanism of the blockchain:





datatrace=[{proofid}id∈I,databody]crytool


where {proofid}id∈I denotes the identity proof set of users and is used to replace the U in datauntrace. I is the user identity set that requires identity proofs, |I|=|U|.


proofid denotes the identity proof of the user whose identity is id.


2. An Overview of the Blockchain Traceable Scheme

It is assumed that the regulator has generated the public parameter pp=(pkloginfo, vkloginfo, pkidproof, vkidproof, pkau, ppchash) according to the Setup algorithm of the traceable scheme in the next section, where (pkloginfo, vkloginfo) is the zk-SNARK proving/verification key for proving (statement, witness)∈Rloginfo, (pkidproof, vkidproof) is the zk-SNARK proving/verification key for proving (statement′, witness′)∈Ridproof the relation Rloginfo and Ridproof are described below, pkau is the public key of the regulator, and ppchash=(p, q, g) is the chameleon hash public parameter. The traceable scheme of the presently disclosed method is briefly outlined from the following aspects.


1) User Registration


The user obtains the chameleon hash public and private key pair (h, x) by invoking cham_hash.KeyGen(ppchash) algorithm, and then computes his id's chameleon hash value: CHta=cham_hash.Chash(h, id, r)=gidhr mod p. Therefore, the user can obtain statement=(id, g, h, CHid) and witness=(x, r). The user must prove to the regulator that (statement, witness) satisfies the relation Rloginfo: h=gx and CHid=gid hr, that is, “given the statement, the user knows that the witness satisfies: (1) the chameleon hash public key is computed correctly: h=gx; (2) the chameleon hash value CHid is computed correctly: CHid=gidhr”.


The user uses the zk-SNARK proving algorithm Prove (pkloginfo, statement, witness) to generate the proof πloginfo. πloginfo is used to prove to the regulator that the user knows that the witness makes the (statement, witness) satisfy the relation Rloginfo, but does not disclose any information about the witness. Next, the user stores (id, g, h, CHid, x, r), encrypts (statement, πloginfo) using the public key of the regulator to obtain the registration information Cloginfo, and sends Cloginfo to the regulator.


When the regulator receives the registration information Cloginfo, it will decrypt the Cloginfo and obtain (statement, πloginfo). Next, the regulator first verifies the identity id and then invokes the zk-SNARK verification algorithm Verify(vkloginfo, statement, πloginfo) to verify whether the user knows that the witness makes (statement, witness) satisfy the relation Rloginfo If the verification is successful, the regulator stores (h, id, CHid), and publishes h∥CHid stored in the Merkle tree. Once the user finds that his h∥CHid is made public, it means that he has successfully registered.


2) Generating and Verifying the Identity Proof


Generating identity proof: a user who registers successfully can obtain the path pathid about his h∥CHid from the Merkle tree published by the regulator. Then, according to the public/private information (pub, priv), the user can calculate a value r′=cham_hash. UForge(CK, id, r, priv). Next, the user computes ciphertext Cid=Γ.ENC (pkau, rn, h), where rn is the random number used for encryption. Therefore, the user can obtain statement′=(rt, pub, g, pkau, Cid) and witness'=(pathid, r′, rn). The user must prove to the verification nodes that (statement′,witness′) satisfies the relation Ridproof: pub=gen(priv), h=gx, CHid=chamhash. CHash(h, priv, r′), Cid=Γ.ENC(pkau, rn, h), and TreeBranch(rt, pathid, h∥CHid), that is, “given the statement’, the user knows that the witness' satisfies: (1) The private information matches the public information: pub=gen(priv); (2) The chameleon hash private key x matches the chameleon hash public key h: h=gx; (3) The chameleon hash CHid is computed correctly:


CHid=cham_hash. CHash(h, priv, r′); (4) The ciphertext Cid corresponds to the plaintext


h: Cid=Γ.ENC (pkau, rn, h); (5) h∥CHid appears as a leaf of a Merkle tree with the root rt: TreeBranch(rt, pathid, h∥CHid)”.


The user uses the zk-SNARK proving algorithm Prove (pkidproof, statement′, witness′) to generate the proof πid. πid is used to prove to the verification nodes that the user knows that witness' makes the (statement′,witness′) satisfy the relation Ridproof, but does not disclose any information about the witness′. Finally, the user gets the identity proof proofid=(statement′, πid) about the identity id.


Verifying identity proof: each verification nodes invokes the zk-SNARK verification algorithm Verify(vkidproof, proofid) to verify whether the user knows that the witness' makes (statement′,witness′) satisfy the relation Ridproof. If the verification is successful, the identity proof is valid; otherwise, the verification of the identity proof fails.


3) Tracing of the Regulator


The regulator extracts the ciphertext set C={Cidi}idi∈I from the blockchain data datatrace and obtains hi corresponding to idi in identity set I by decrypting every ciphertext Cidi. Then according to the record that stores each user's (h, id, CHid), the regulator can determine the idi corresponding to hi and add the idi to the users' identity set ID. Finally, the regulator obtains the users' identity set ID corresponding to datatrace.


As can be observed from the above overview of the traceable scheme, using the traceable scheme proposed by the presently disclosed method requires users participating in data creation to display public information (such as public key addresses, serial numbers) in the data. However, because public/private information pairs can be created arbitrarily, so as long as each public/private information is used only once, the privacy protection of the blockchain is not affected.


3. Construction of the Blockchain Traceable Scheme

Let Å=(Gen, Prove, Verify) denote the zk-SNARK scheme, Γ=(Setup, KeyGen, ENC, DEC) denote the public key encryption scheme, and cham_hash=(Setup, KeyGen, Chash, UForge) denote the chameleon hash scheme proposed by Hugo Krawczyk and Tal Rabin. The traceable scheme (Setup, Genloginfo, Verifyloginfo, Genidproof, Verifyidproof, Trace) is constructed below:


Setup

    • Input: security parameter λ
    • Output: public parameters pp
    • 1. construct arithmetic circuit ACloginfo for relation Rloginfo;
    • 2. construct arithmetic circuit ACidproof for relation Ridproof;
    • 3. compute (pkloginfo, vkloginfo)=Å.Gen(λ, ACloginfo)
    • 4. compute (pkloginfo, vkidproof)=Å.Gen(λ, ACidproof)
    • 5. compute public parameters of public encryption scheme ppenc=Γ.Setup (λ);
    • 6. compute regulator's public/private key (pkau, skon)=Γ.KeyGen(ppenc);
    • 7. compute public parameters of chameleon hash scheme ppmash=(p, q, g)=cham_hash. Setup(λ);
    • 8. output pp=(pkloginfo, vkloginfo, pkidproof, vkidproof, pkau, ppchash)custom-character


Genloginfo

    • Input: public parameters pp, user identity id
    • Output: ciphertext Cloginfo
    • 1. compute chameleon hash scheme's public/private key (HK, CK)=(h, x)=cham_hash. KeyGen(ppchash);
    • 2. compute chameleon hash value CHid=cham_hash. CHash(HK, id, r);
    • 3. set statement=(id, g, HK, CHid), witness=(CK, r);
    • 4. compute πloginfo=Å.Prove(pkloginfo, statement, witness);
    • 5. compute Cloginfo=Γ.ENC(pkau, m), where m=(statement, πloginfo)
    • 6. user stores (id, g, HK, CK, r, CHid), and output Cloginfocustom-character


Verifyloginfo

    • Input: ciphertext Cloginfo, regulator's private key skau, and public parameters pp
    • Output: b, if b=1, verification succeeds; otherwise, verification fails.
    • 1. compute m=Γ.DEC(skau, Cloginfo);
    • 2. verify the validation of the identity id, if id is not valid, output b=0;
    • 3. else:
      • if Å.Verify(vkloginfo, statement, πloginfo)=0, output b=0;
      • else:
        • (a) store(h, id, CHid);
        • (b) publish h∥CHid via Merkle tree;
        • (c) output b=1custom-character


Genidproof

    • Input:
      • user public information pub
      • user private information priv
      • chameleon hash CHid
      • user public/private key (HK, CK) for computing chameleon hash
      • user identity id
      • random element r for computing chameleon hash CHid
      • Merkle tree root rt
      • path pathid from h∥CHid to rt
      • public parameters pp
    • Output: the identity proof proofid
    • 1. compute r′=cham_hash.UForge(CK, id, r, priv);
    • 2. compute ciphertext Cid=Γ.Enc(pkau, rn, h), rn is a random number that is used for encrypting;
    • 3. set statement′=(rt, pub, g, pkau, Cid), witness′=(pathid, CHid, x, h, priv, r′, rn);
    • 4. compute πid=Å.Prove(pkidproof statement′, witness′);
    • 5. output proofid=(statement′, πid)custom-character


Verifyidproof

    • Input: the identity proof proofid, public parameters pp
    • Output: b, if b=1, verification succeeds; otherwise, verification fails.
    • 1. parse proofid as (statement′, πid);
    • 2. if Å.Verify(vkidproof, statement′, πidproof)=0, output b=0;
    • else, output b=1.


Trace

    • input: the blockchain data datatrace
    • output: identity set ID for datatrace
    • 1. set ID=Ø;
    • 2. extract C={Cidi}idi∈I from the blockchain data datatrace;
    • 3. for each Cidi∈C;
      • compute hi=Γ.DEC(skau, Cidi);
      • search (h, id, CHid) records, get idi for hi;
      • put idi in ID;
    • 4. output ID.


The above scheme realizes the traceability of identity. However, certain blockchain applications hide sensitive information (sensinfo). To permit a regulator to perform sensitive information analysis for determining whether the user operation is legal, the users who are directly involved in data creation must add sensitive information to the ciphertext Cid, i.e., Cid=Γ.Enc(pkon, rn, h∥sensinfo), However, the user must prove that Cid is the ciphertext of h∥sensinfo.


Compared with the existing techniques, the presently disclosed method can include one or more of the following benefits:


In user registration, the user generates registration information, encrypts the information and sends it to the regulator. The regulator only needs to perform the verification work, which reduces the workload of the regulator, and there is no need for a secure channel between each user and the regulator; the user uses zk-SNARK to make the regulator not aware of the secret information (i.e., evidence) that generated the registration information during the user registration process. In this way, as long as the regulator honestly performs the registration process, no one except the user can forge the identity proof of the user, which provides a degree of security guarantee; when the user creates the identity proof, because of knowing the trapdoor, the user can use other values such as the user's private key and other private information to construct CHid via the chameleon hash scheme. This process does not reveal his own identity id and eliminates the need for the user to register with the regulator every time when the user wants to generate the identity proof. That is, the user only needs to register with the regulator only once, which reduces the overhead for the user and the regulator; when generating the user's identity proof, the user's private information priv is used to generate the chameleon hash value CHid, and pub=gen(priv) is proved in the relation Ridproof. This way guarantees that only the user who knows the private information priv can generate proofid, and others cannot tamper with the user's proofid. Therefore, the user can expose his own proofid, so that when others create data, they do not need to interact with the user to get proofid, reducing overhead.


The positive effects of the presently disclosed method are as following. For the actual needs of the development of the blockchain, the presently disclosed method proposes a blockchain traceable scheme, which can combine existing privacy protection technology to provide controllable anonymity mechanism. This scheme allows only the regulator to monitor data in the blockchain, and obtain the user's private information, such as user identity, data content, while others cannot obtain user private information. Therefore, the regulator can effectively crack down on illegal and criminal activities in the blockchain by supervising the blockchain data via the traceable scheme, which ensures healthy and stable development of the blockchain.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 shows a data model in the blockchain traceable mechanism in accordance with some embodiments of the present invention.



FIG. 2 shows a process of the blockchain traceable mechanism in accordance with some embodiments of the present invention.





DETAILED DESCRIPTION OF IMPLEMENTATIONS

The blockchain traceable scheme in the presently disclosed method can combine existing privacy protection technology to provide controllable anonymity mechanism for blockchain. With reference to FIG. 2, concrete implementing ways of the presently disclosed method are described as follows:


1) The regulator first calls the Setup algorithm to generate the public parameters pp;


2) Each user invokes the Genloginfo algorithm to generate his own registration information Cloginfo and sends it to the regulator;


3) The regulator calls the Verifyloginfo algorithm to verify the registration information of each user, and then publishes h∥CHid corresponding to each user's identity. Once the user finds that his h∥CHid is made public, it means that he has successfully registered.


4) After the user is successfully registered, if the data in the blockchain application needs to the public information and identity proof of the users who indirectly participate in data creation, such as the output addresses in Bitcoin. At this time, each user, who indirectly participates in data creation, calls the Genidproof algorithm in advance to generate the user's identity proof proofid and makes it public. In this way, each user in Acreate can directly obtain the identity proof of the users in Bother without having to interact with indirectly participating users. Next, each user in Acreate invokes the Genidproof algorithm to create his own identity proof. Finally, the data datatrace=[{proofid}id∈I, databody]crytool is generated and sent to the node network;


5) Whenever the verification node in the node network receives the data, it first calls the algorithm Verifyidproof to verify the identity of the user, and then verifies the data contents. If the verification is successful, it is added in the block that is created by the verification node. And then the node network according to a consensus mechanism selects a final block which is added to the blockchain;


6) Once there is a new block on the blockchain, the regulator can obtain all the data in the new block and call the Trace algorithm to obtain the identity set corresponding to each data in the block, thereby achieving the blockchain supervision purpose.


The above implementing example are only used to illustrate the technical scheme of the present invention and not to limit it. Those skilled in the art can modify or equivalently replace the technical scheme of the present invention without departing from the spirit and scope of the present invention. The protection scope of the present invention shall be subject to the claims.

Claims
  • 1. A method of data traceable for blockchain, comprising: 1) generating a public parameter pp by a regulator; generating the registration information Cloginfo by each user and sending it to the regulator;2) verifying the registration information of each user by the regulator, and publishing h∥CHid corresponding to each user's identity, where h is the chameleon hash public key, and CHid is the chameleon hash value of the identity id;3) when the data in the blockchain application needs to public information and identity proof of the users who indirectly participate in data creation, directly obtaining, by each user in Acreate, the identity proof of the users in Bother; creating, by each user in Acreate, his own identity proof, generating the data datatrace=[{profid}id∈I, databody]crytool, and sending the data to a node network, where {proofid}id∈I denotes the identity proof set of users, proofid is the identity proof of the user whose identity is id, I is the user identity set that requires identity proofs, Acreate={a1, . . . , an} denotes the public information set of the users who directly participate in data creation, Bother={b1, . . . , bn′} denotes the public information set of the users who indirectly participate in data creation, databody denotes the data body, which includes the users' public information set that does not require any identity proof, and crytool denotes the cryptographic tools;4) when a verification node in the node network receives the data, verifying the identity proof of each user and the data contents; if the verification is successful, adding the data in the block that is created by the verification node according to a consensus mechanism, selecting a final block which is added to the blockchain by the node network; and5) obtaining, by the regulator, the data from the blockchain, and decrypting a corresponding ciphertext in the data, and then querying relevant records to obtain the identity set corresponding to each data.
  • 2. The method of claim 1, wherein the public parameter pp=(pkloginfo, vkloginfo, pkidproof, vkidproof, pkau, ppchash), where (pkloginfo, vkloginfo) is the zk-SNARK proving/verification key for proving (statement, witness)∈Rloginfo, (pkidproof, vkidproof) is the zk-SNARK proving/verification key for proving (statement′, witness′)∈Ridproof, pkau is the public key of the regulator, wherein ppchash is the chameleon hash public parameter, statement=(id, g, h, CHid), witness=(x, r), the relation Rloginfo={(statement, witness)|h=gxΛCHid=gidhr }, wherein statement′=(rt, pub, g, pkau, Cid), witness′=(pathid, CHid, x, h, priv, r′, rn), wherein the relation Ridproof={(statement′, witness′)|pub=gen(priv)Λh=gxΛCHid=cham_hash.CHash(h, priv, r′)ΛCid=Γ.ENC(pkau, rn, h)ΛTreeBranch(rt, pathid, h∥CHid)}, wherein g is the element of order q in the multiplication cyclic group Zp*, x that is the private key of computing CHid is a random element in the multiplication cyclic group Zq*, r is the random number of computing CHid, rt is the root of the Merkle tree, pathid is the path from h∥CHid to rt, pub is the public information, priv is the private information, rn is the random number for encryption, wherein h∥CHid corresponding to the identity of the registered user is exposed in the form of a Merkle tree.
  • 3. The method of claim 2, wherein the user uses the zk-SNARK proving algorithm Prove(pkloginfo) statement, witness) to generate the proof πloginfo, wherein πloginfo is used to prove to the regulator that the user knows that witness makes the (statement, witness) satisfy the relation Rloginfo but does not disclose any information about the witness, wherein the user next stores (id, g, h, CHid, x, r), encrypts (statement, πloginfo) using the public key of the regulator to obtain the registration information Cloginfo and sends Cloginfo to the regulator.
  • 4. The method of claim 3, wherein when the regulator receives the registration information Cloginfo the regulator decrypts the Cloginfo and obtains (statement, πloginfo), wherein the regulator verifies the identity id and invokes the zk-SNARK verification algorithm Verify(vkloginfo, statement, πloginfo) to verify whether the user knows that the witness makes the (statement, witness) satisfy the relation Rloginfo, wherein if the verification is successful, the regulator stores (h, id, CHid), and publishes h∥CHid stored in the Merkle tree.
  • 5. The method of claim 3, wherein in the step of generating identity proof, after a user whose identity is id has successfully registered, the user obtains the path pathid about his h∥CHid from the Merkle tree published by the regulator, based on the public/private information(pub, priv), the user calculates a value r′=cham_hash. UForge(CK, id, r, priv), wherein the user computes ciphertext Cid=Γ.ENC(pkau, rn, h), where m is the random number used for encryption, wherein the user obtains statement′=(rt, pub, g, pkau, Cid) and witness'=(pathid, CHid, x, h, priv, r′, rn), wherein the user uses the zk-SNARK proving algorithm Prove(pkidproof, statement′, witness′) to generate the proof πid, wherein the user obtains the identity proof proofid=(statement′, πid) about the identity id.
  • 6. The method of claim 5, wherein the step of verifying identity proof: each verification node invokes the zk-SNARK verification algorithm Verify(vkidproof, proofid) to verify whether the user knows that the witness' makes (statement′, witness′) satisfy the relation Ridproof, wherein if the verification is successful, the identity proof is valid; otherwise, the verification of the identity proof fails.
  • 7. The method of claim 2, wherein the regulator extracts the ciphertext set C={Cidi}idi∈I from the blockchain data datatrace, wherein for each ciphertext Cidi in C, the regulator computes hi=Γ.DEC(skau, Cidi), searches the (h, id, CHid) record, obtains the idi corresponding to hi and adds the idi to the users' identity set ID, wherein the regulator obtains the users' identity set ID corresponding to datatrace.
Priority Claims (1)
Number Date Country Kind
2018108620640 Aug 2018 CN national
PCT Information
Filing Document Filing Date Country Kind
PCT/CN2018/112283 10/29/2018 WO 00