TECHNICAL FIELD
The present disclosure relates to the technical field of digital asset security, and more particularly to a method for confirming ownership of digital assets based on a hash algorithm and a method for tracing the source of digital assets based on a hash algorithm.
BACKGROUND
In the fast-developing digital network era, with the rapid advancement of digitalized information, people place ever higher requirements on the ownership confirmation and protection, authenticity and tamper resistance of digital assets in the Internet of Value. By conservation of matter, a material asset in human society is unique, and replicating or consuming one piece of it costs something. A data asset, by contrast, can be replicated at almost zero marginal cost and almost without limit, which makes it hard to define the attributes of the asset. On the other hand, as digitalization permeates every corner of current development, data capitalization and asset digitalization have gradually become a trend, and digital asset protection has become a significant proposition and challenge in the industry. To protect valuable digital asset information, the first requirement is to guarantee the integrity of the information, that is, to ensure that it is not tampered with. It is therefore necessary to investigate a real-time integrity protection method for digital assets and to create a safer method for confirming their ownership.
A hash algorithm is an effective way to achieve information integrity. For example, when transmitting information between two parties, a hash algorithm based on a Toeplitz matrix is an effective and unconditionally secure message authentication solution, provided that the one-time-pad key which encrypts the hash value is used for a single message only; reusing that key across two messages leaks the XOR of the two plaintexts. For a digital asset in the Internet of Value, different users may access the asset in different scenarios, and subsidiary documents will inevitably be generated as different users access it for different purposes. The integrity of the digital asset must therefore be preserved at all times. To achieve this, a real-time and unique identity must be assigned to the digital asset. The real-time identity of the digital asset reflects its real-time integrity, which in turn makes the digital asset traceable.
For products, the basic characteristic of traceability is the ability to trace over the full range: early warning of product security, a traceable source, a searchable direction, responsibility identification and product recall. For a digital asset in the Internet of Value, the fundamental characteristic of traceability is embodied in the real-time identity of the digital asset: once the real-time identity is given, the integrity of the digital asset and the above basic characteristic of traceability follow. Traceability of a digital asset is thus achieved as soon as its real-time identity is implemented. At present, no research on a real-time and unique identity of a digital asset can be found in the related technologies. In view of this, the present disclosure provides a method for confirming ownership of digital assets based on a hash algorithm and a method for tracing the source of digital assets based on a hash algorithm, so that the topic of information integrity is further enriched and the efficient development of digital information is better promoted.
SUMMARY
Objective of the present disclosure: the objective of the present disclosure is to provide a method for confirming ownership and tracing the source of digital assets based on a hash algorithm, in order to address the absence of a real-time and unique identity of a digital asset in existing technologies. The present disclosure can confirm the ownership of a digital asset in real time in the Internet of Value while constructing a real-time and unique identity of the digital asset for tracing to its source.
Technical solution: a method for confirming ownership and tracing the source of digital assets based on a hash algorithm is provided, which includes the following steps:
- (1) issuing a CA user certificate to an original user and generating a service serial number o1 by a CA authentication center; authenticating, between the CA authentication center and the original user, a private CA user certificate CA2 of the CA user certificate; after the authentication is successful, generating a one-time CA certificate otCA by each of the CA authentication center and the original user;
- (2) sending a digital asset M to a digital asset authentication center and meanwhile generating a service serial number o2, by the original user; performing authentication of the digital asset M between the digital asset authentication center and the original user, and after the authentication is successful, generating an authentication document of the digital asset M by each of the digital asset authentication center and the original user;
- (3) generating a service serial number o3 of the quantum digital signature and generating a signature document docM by the original user; conducting a three-party quantum digital signature for the signature document docM by the CA authentication center, the digital asset authentication center and the original user, where the original user is the signing party and the CA authentication center and the digital asset authentication center are the signature verification parties; after the signature has been successfully verified by both the CA authentication center and the digital asset authentication center, conducting an identity verification by the CA authentication center and a document verification by the digital asset authentication center; when both the identity verification and the document verification are successful, the ownership confirmation of the digital asset is successful, a service serial number o4 is produced and the next step is entered; otherwise the current ownership confirmation of the digital asset is unsuccessful and the process is terminated or a new process of confirming ownership is initiated; and
- (4) generating an ownership confirmation document of the digital asset M by the original user.
Further, the authenticating private CA user certificate CA2 of the CA user certificate with the original user by the CA authentication center includes:
- Approach 1: 1) obtaining an n-bit true random number s1 locally by the CA authentication center; generating an irreducible polynomial p(x) of order n using the n-bit true random number s1, and denoting as str1 the n-bit character string formed by the coefficients of the terms of respective orders except the highest order of the irreducible polynomial;
- 2) sharing two sets of quantum secret keys s2 and ν between the CA authentication center and the original user, the length of s2 being n and the length of ν being 2n, and using the two secret keys respectively as the input random number of a hash function and as the one-time encryption key for the hash value;
- 3) obtaining a hash function hp,s2 based on a linear feedback shift register by the CA authentication center by choosing the irreducible polynomial p(x) of order n and the shared secret key s2 as an input random number; then computing a hash value of the private CA user certificate, which is denoted as hp,s2(CA2), using the hash function; encrypting the hash value and the character string str1 using the shared secret key ν, the encryption being an XOR operation, to obtain an encryption result ν⊕(hp,s2(CA2),str1) by the CA authentication center;
- 4) sending the encryption result ν⊕(hp,s2(CA2),str1) to the original user by the CA authentication center; after receiving the encryption result, decrypting it using the shared secret key ν by the original user to obtain the hash value hp,s2(CA2) and the character string str1; generating an irreducible polynomial p′(x) of order n over GF(2) by successively mapping the respective bits of the character string str1 to the coefficients of the terms of respective orders other than the highest order, where the coefficient of the highest-order term is 1, by the original user (when the encryption result has not been altered in transit, p′(x) is identical to p(x)); generating a hash function h′p,s2 based on a linear feedback shift register by further choosing the irreducible polynomial p′(x) and the shared secret key s2 as an input random number by the original user; computing a hash value of the private CA user certificate CA2, which is denoted as h′p,s2(CA2), using the hash function h′p,s2; in the case that the hash value h′p,s2(CA2) computed by the original user is equal to the hash value hp,s2(CA2) obtained through decryption, the authentication is successful; otherwise the authentication is unsuccessful, and the CA authentication center returns and re-issues the CA user certificate to the original user; or
- approach 2: 1) sharing an n-bit true random number s1 between the CA authentication center and the original user and pre-generating an irreducible polynomial p(x) from it;
- 2) sharing secret keys s2 and ν between the CA authentication center and the original user; generating a hash function hp,s2 based on a linear feedback shift register by the CA authentication center using its copy of the shared secret key s2 as an input random number together with the pre-generated irreducible polynomial p(x); then computing a hash value of the private CA user certificate CA2, which is denoted as hp,s2(CA2), using the hash function;
- 3) encrypting the hash value hp,s2(CA2) using the shared secret key ν by the CA authentication center, and sending the encrypted hash value hp,s2(CA2)⊕ν to the original user; decrypting the received result using the shared secret key ν to obtain hp,s2(CA2) by the original user; subsequently, generating a hash function h′p,s2 based on a linear feedback shift register by the original user using its copy of the shared secret key s2 as an input random number together with the pre-generated irreducible polynomial p(x); computing a hash value of the private CA user certificate CA2, which is denoted as h′p,s2(CA2), using the hash function h′p,s2; in the case that the hash value h′p,s2(CA2) is equal to the hash value hp,s2(CA2) obtained through decryption, the authentication is successful; otherwise the authentication is unsuccessful, and the CA authentication center returns and re-issues the CA user certificate to the original user.
Further, generating the irreducible polynomial p(x) of order n using the n-bit true random number s1 in the approach 1 includes:
- a) firstly, generating a polynomial of order n over GF(2) by successively mapping the respective bits of the n-bit true random number s1 to the coefficients of the terms of respective orders other than the highest order of the polynomial, where the coefficient of the highest order is 1;
- b) furthermore, verifying whether the polynomial is irreducible; if the verification result is no, re-generating another true random number by the CA authentication center and, with this newly generated true random number, returning to step a) to re-generate the polynomial and verify it again; if the verification result is yes, stopping the verification, the CA authentication center having obtained the irreducible polynomial.
Further, pre-generation of the irreducible polynomial p(x) in the approach 2 includes:
- a) firstly, generating a polynomial of order n over GF(2) by each of the CA authentication center and the original user by successively mapping the respective bits of the shared n-bit true random number to the coefficients of the terms of respective orders other than the highest order of the polynomial, where the coefficient of the highest order is 1;
- b) furthermore, verifying whether the polynomial is irreducible; if the verification result is no, sharing another re-generated true random number by the CA authentication center with the original user and, with this newly generated true random number, returning to step a) to re-generate the polynomial and verify it again; if the verification result is yes, stopping the verification, both the CA authentication center and the original user having obtained the same irreducible polynomial.
Further, prior to step a), in the case that the last bit of the true random number (which becomes the constant term of the polynomial) is 0, setting that last bit to 1; or, in the case that the last bit of the true random number is 0, re-generating a true random number until the last bit of the generated true random number is 1. A polynomial with constant term 0 is divisible by x and therefore cannot be irreducible, so this check avoids irreducibility verifications that are bound to fail.
Further, generating the one-time CA certificate otCA respectively by each of the CA authentication center and the original user includes:
- firstly, after verifying the private CA user certificate CA2 by the CA authentication center and the original user, sharing an encryption secret key R between the CA authentication center and the original user; obtaining an encryption value hp,s2(CA2)⊕R by both the CA authentication center and the original user using the encryption secret key R to encrypt hp,s2(CA2) which is obtained during the process of verification;
- then, generating, by each of the CA authentication center and the original user, a one-time CA certificate otCA using the encryption value hp,s2(CA2)⊕R, the service serial number o1 of issuance of the CA user certificate and institution information ca of the CA authentication center, that is:
Further, performing the authentication of the digital asset M between the digital asset authentication center and the original user includes:
- approach 3: 1) obtaining an n-bit true random number k1 locally by the digital asset authentication center; generating an irreducible polynomial q(x) of order n using the n-bit true random number k1, and denoting as str2 the n-bit character string formed by the coefficients of the terms of respective orders except the highest order of the irreducible polynomial;
- 2) sharing two sets of quantum secret keys k2 and u between the digital asset authentication center and the original user, the length of k2 being n and the length of u being 2n, and using the two secret keys respectively as the input random number of a hash function and as the one-time encryption key for the hash value;
- 3) obtaining a hash function hq,k2 based on a linear feedback shift register by the digital asset authentication center by choosing the irreducible polynomial q(x) of order n and the shared secret key k2 as an input random number; computing a hash value of the digital asset M, which is denoted as hq,k2(M), using the hash function; encrypting, by the digital asset authentication center, the hash value and the character string str2 using the shared secret key u, the encryption being an XOR operation, to obtain an encryption result u⊕(hq,k2(M),str2);
- 4) sending the encryption result u⊕(hq,k2(M),str2) from the digital asset authentication center to the original user; after receiving the encryption result, decrypting it using the shared secret key u by the original user to obtain the hash value hq,k2(M) and the character string str2; generating, by the original user, an irreducible polynomial q′(x) of order n over GF(2) by successively mapping the respective bits of the character string str2 to the coefficients of the terms of respective orders other than the highest order, where the coefficient of the highest order is 1; generating a hash function h′q,k2 based on a linear feedback shift register by further choosing the irreducible polynomial q′(x) along with the shared secret key k2 as an input random number; computing a hash value of the digital asset M, which is denoted as h′q,k2(M), using the hash function h′q,k2; in the case that the hash value h′q,k2(M) computed by the original user is equal to the hash value hq,k2(M) obtained through decryption, the authentication succeeds; otherwise the authentication fails, and the parties return and authenticate again; or
- approach 4: 1) sharing an n-bit true random number k1 between the digital asset authentication center and the original user and pre-generating the irreducible polynomial q(x) from it;
- 2) sharing secret keys k2 and u between the digital asset authentication center and the original user; obtaining a hash function hq,k2 based on a linear feedback shift register by the digital asset authentication center using its copy of the shared secret key k2 as an input random number together with the pre-generated irreducible polynomial q(x); then computing a hash value of the digital asset M, which is denoted as hq,k2(M), using the hash function hq,k2;
- 3) encrypting the hash value hq,k2(M) using the shared secret key u by the digital asset authentication center, and sending the encrypted hash value hq,k2(M)⊕u to the original user; decrypting the received result using the shared secret key u to obtain hq,k2(M) by the original user; subsequently, obtaining, by the original user, a hash function h′q,k2 based on a linear feedback shift register using its copy of the shared secret key k2 as an input random number together with the pre-generated irreducible polynomial q(x); computing a hash value of the digital asset M, which is denoted as h′q,k2(M), using the hash function h′q,k2; in the case that the hash value h′q,k2(M) is equal to the hash value hq,k2(M) obtained through decryption, the authentication succeeds; otherwise the authentication fails, and the parties return and authenticate again.
Further, generating the authentication document of the digital asset M by each of the digital asset authentication center and the original user includes:
- after the authentication of the digital asset M is successful, generating an authentication document HM of the digital asset M by each of the digital asset authentication center and the original user, each using the hash value hq,k2(M), the service serial number o2 of sending the digital asset M and the institution information da of the digital asset authentication center, that is:
Further, generating the signature document docM includes:
- generating the signature document docM by the original user, using the authentication document HM of the digital asset M, the one-time CA certificate otCA, the service serial number o3 of the quantum digital signature, the institution information ca of the CA authentication center and the institution information da of the digital asset authentication center, that is:
Further, conducting the three-party quantum digital signature for the signature document docM by the CA authentication center, the digital asset authentication center and the original user, where the original user is the signing party and the CA authentication center and the digital asset authentication center are the signature verification parties, and, when the signature has been successfully verified by both the CA authentication center and the digital asset authentication center, conducting an identity verification by the CA authentication center and a document verification by the digital asset authentication center, includes:
- S1. obtaining, by the original user, a true random number locally to generate an irreducible polynomial l(x), and denoting as str3 the character string formed by the coefficients of the terms of respective orders except the highest order of the irreducible polynomial l(x);
- S2. performing a secret key negotiation between the original user and the CA authentication center, the original user and the CA authentication center thereby sharing a secret key x1 and a secret key y1; performing a secret key negotiation between the original user and the digital asset authentication center, the original user and the digital asset authentication center thereby sharing a secret key x2 and a secret key y2; where the length of x1 is identical to the length of x2, the length of y1 is identical to the length of y2, and the length of y1 is twice the length of x1; performing an XOR operation on the secret keys x1, y1, x2 and y2 by the original user to obtain secret keys x3 and y3 as follows:
- S3. generating a hash function hl,x3 by the original user by choosing the irreducible polynomial l(x) and the secret key x3 as an input random number; performing a hash operation on the signature document docM using the hash function hl,x3 to obtain a hash value hl,x3(docM); encrypting, by the original user, the hash value hl,x3(docM) and the character string str3 using the secret key y3, and transmitting the encrypted value (hl,x3(docM),str3)⊕y3 and the signature document docM to the CA authentication center;
- S4. after receiving (hl,x3(docM),str3)⊕y3 and the signature document docM, sending its secret keys x1 and y1 together with (hl,x3(docM),str3)⊕y3 and the signature document docM from the CA authentication center to the digital asset authentication center; upon receiving the secret keys and the signature document, sending its secret keys x2 and y2 from the digital asset authentication center to the CA authentication center; the exchange of information between the two parties taking place over an authenticated channel so that the information cannot be tampered with; at this point the CA authentication center and the digital asset authentication center both possess the secret keys x1, y1, x2, y2, the encrypted value (hl,x3(docM),str3)⊕y3 and the signature document docM;
- S5. after completing the exchange of information, performing an XOR operation on the secret keys x1, y1, x2, y2 held by the CA authentication center to obtain secret keys x3′ and y3′, where:
- decrypting the encrypted value (hl,x3(docM),str3)⊕y3 using the secret key y3′ by the CA authentication center to obtain hl,x3(docM) and the character string str3; then generating an irreducible polynomial l′(x) by successively mapping the respective bits of the character string str3 to the coefficients of the terms of respective orders other than the highest order, where the coefficient of the highest-order term is 1; generating a hash function h′l,x3′ using the irreducible polynomial l′(x) and the secret key x3′ as an input random number by the CA authentication center; performing, by the CA authentication center, a hash operation on the signature document docM using the hash function h′l,x3′ to obtain a hash value h′l,x3′(docM); comparing the computed hash value h′l,x3′(docM) with the decrypted hl,x3(docM) by the CA authentication center; when they are equal, the signature verification succeeds, otherwise the signature verification fails;
- S6. verifying the signature by the digital asset authentication center by using the same way as the CA authentication center;
- S7. in the case that the signature is successfully verified by both the CA authentication center and the digital asset authentication center, conducting an identity verification by the CA authentication center and a document verification by the digital asset authentication center; the specific procedure is: comparing the otCA in the signature document docM received by the CA authentication center with the otCA generated by the CA authentication center itself; if they are consistent, the identity verification succeeds; comparing the HM in the signature document docM received by the digital asset authentication center with the HM generated by the digital asset authentication center itself; if they are consistent, the document verification succeeds; when the signature verification, the identity verification and the document verification are all successful, the ownership confirmation of the digital asset is successful, a service serial number o4 is produced and the next step is entered; otherwise the current ownership confirmation of the digital asset is unsuccessful, and the ownership confirmation is terminated or a new ownership confirmation is initiated.
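The following is an added worked example, not code from the disclosure: it implements the LFSR-based hash and the irreducible-polynomial generation of approach 1 (steps a) and b) with the constant-term rule) and then reuses the same primitives for the three-party signature of steps S1 to S7. The XOR rule for x3 and y3 is assumed to be x3 = x1⊕x2 and y3 = y1⊕y2, since the formula itself is not on the page; the function names, the Galois-form stepping of the register and the use of SHA-free pure-Python GF(2) arithmetic are this example's own choices. Keys are drawn with `secrets` here, standing in for the quantum keys the disclosure shares.

```python
import secrets

# Added example, not the disclosure's own code. A polynomial over GF(2) is held in a
# Python int: bit i is the coefficient of x^i, so a degree-n polynomial has bit n set.

def gf2_mod(a: int, m: int) -> int:
    """Remainder of a divided by m in GF(2)[x]."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a

def gf2_gcd(a: int, b: int) -> int:
    while b:
        a, b = b, gf2_mod(a, b)
    return a

def gf2_mulmod(a: int, b: int, p: int) -> int:
    """a * b reduced modulo p, for a and b already of degree below deg p."""
    n, r = p.bit_length() - 1, 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:
            a ^= p
    return r

def is_irreducible(p: int) -> bool:
    """Ben-Or test: p of degree n is irreducible iff gcd(p, x^(2^i) - x) = 1 for 1 <= i <= n/2."""
    n = p.bit_length() - 1
    xpow = 2                              # the polynomial x
    for _ in range(n // 2):
        xpow = gf2_mulmod(xpow, xpow, p)  # x^(2^i) mod p
        if gf2_gcd(p, xpow ^ 2) != 1:
            return False
    return n >= 1

def gen_irreducible(n: int, randbits=secrets.randbits) -> int:
    """Steps a)-b): an n-bit random number supplies the coefficients below x^n; retry until the
    polynomial is irreducible. The constant term is forced to 1 first, the page's rule for the
    last bit of s1: a polynomial with constant term 0 is divisible by x."""
    while True:
        p = (1 << n) | randbits(n) | 1
        if is_irreducible(p):
            return p

def lfsr_hash(p: int, key: int, msg: bytes) -> int:
    """LFSR-based (Toeplitz) hash h_{p,key}(msg): XOR of the successive register states at the
    positions where msg has a 1 bit; the register is stepped in Galois form, state <- state*x mod p."""
    n = p.bit_length() - 1
    if not 0 < key < (1 << n):
        raise ValueError("hash key must be a nonzero n-bit value (key 0 hashes everything to 0)")
    state, acc = key, 0
    for byte in msg:
        for i in range(8):
            if byte >> i & 1:
                acc ^= state
            state <<= 1
            if state >> n & 1:
                state ^= p
    return acc

def make_tag(p: int, hkey: int, otp: int, msg: bytes) -> int:
    """Sender side (approach 1 step 3, signature step S3): one-time-pad the pair (hash, str)
    with the 2n-bit key, where str is the n coefficients of p below the leading term."""
    n = p.bit_length() - 1
    return ((lfsr_hash(p, hkey, msg) << n) | (p & ((1 << n) - 1))) ^ otp

def check_tag(n: int, hkey: int, otp: int, msg: bytes, ct: int) -> bool:
    """Receiver side (approach 1 step 4, signature step S5): strip the pad, rebuild p'(x) from
    str with leading coefficient 1, recompute the hash under the shared hash key and compare."""
    pt = ct ^ otp
    h_recv, coeffs = pt >> n, pt & ((1 << n) - 1)
    return lfsr_hash((1 << n) | coeffs, hkey, msg) == h_recv

def user_sign(n: int, doc: bytes, randbits=secrets.randbits):
    """S1-S3 for the signing party, assuming the page's XOR rule is x3 = x1 ^ x2 and
    y3 = y1 ^ y2 (the formula itself is not on the page). In a deployment (x1, y1) is shared
    with the CA and (x2, y2) with the asset authentication center; both pairs are returned
    here so the caller can play the two verifiers."""
    l_poly = gen_irreducible(n, randbits)
    x1, y1 = randbits(n), randbits(2 * n)
    x2, y2 = randbits(n), randbits(2 * n)
    return make_tag(l_poly, x1 ^ x2, y1 ^ y2, doc), (x1, y1), (x2, y2)

def verifier_check(n: int, own, peer, ct: int, doc: bytes) -> bool:
    """S4-S6 for either verifier: after the authenticated exchange each holds both pairs,
    recombines x3' and y3' and checks the tag exactly as the receiver in approach 1 does."""
    (xa, ya), (xb, yb) = own, peer
    return check_tag(n, xa ^ xb, ya ^ yb, doc, ct)
```

Two points worth noticing when running it. The receiver rebuilds p′(x) from str without re-checking irreducibility, exactly as the page describes; that is safe only because str travels under a one-time pad, so the 2n-bit key ν (or y3) must never be reused. And since the hash key is XORed into the register state, a zero key makes every message hash to zero; the example refuses such a key, and in the three-party case x3 = x1⊕x2 can only be zero when the two negotiated keys coincide.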
Further, the generating the ownership confirmation document of the digital asset M by the original user includes:
- denoting the timestamp of the successful ownership confirmation operation of the digital asset as timestamp1 by the original user; next, generating an ownership confirmation document M of the digital asset M using the hash value hl,x3(docM) of the signature document, the signature document docM, the timestamp timestamp1 and the service serial number o4 by the original user:
Further, the digital asset authentication center includes a first interface unit, a first quantum security unit connected to the first interface unit, and a digital asset authentication unit connected to the first quantum security unit;
- the first interface unit is configured to allow connection and communication interaction between the digital asset authentication center and other exterior systems;
- the first quantum security unit includes a first hash algorithm module, a first encryption module, a first decryption module, a first true quantum random number generator and a first secret key storage module which are sequentially connected; the first hash algorithm module is configured to generate hash functions to perform hash computation of information; the first encryption module is configured to perform encryption operation; the first decryption module is configured to perform decryption operation; the first true quantum random number generator is configured to generate true quantum random numbers; the first secret key storage module is configured to store secret keys;
- the digital asset authentication unit includes a digital asset storage module, a first authentication module, a quantum digital signature module, a first logging module and a first backup module which are sequentially connected; the digital asset storage module is configured to store documents; the first authentication module is configured to perform authentication operations; the quantum digital signature module is configured to perform quantum digital signing operation for generated signature documents; the first logging module is configured to record a signature verification result of a quantum digital signature and a result of authentication; the first backup module is configured to back up recorded data of the first logging module.
A method for tracing to a source of digital assets based on hash algorithm is also provided, which includes steps as follows:
- (1) an initial access moment: confirming an ownership of digital asset M by the original user using the above-mentioned method for confirming ownership; after the confirmation is successful, obtaining an ownership confirmation document, which is a unique identity of the digital asset at the initial access moment; and uploading the digital asset M along with the ownership confirmation document to a digital asset server;
- (2) an access moment: when accessing the digital asset M on the digital asset server by an access user, generating a subsidiary document in real time by the digital asset server; the subsidiary document includes but is not limited to a timestamp and identity information of the access user;
- (3) constructing a unique identity of the digital asset at the access moment: conducting an authentication of an identity document by the digital asset server and the digital asset authentication center, obtaining a hash value of the identity document, which is a unique identity of the digital asset at a current access moment; forming the identity document by nesting a unique identity of the digital asset of a previous access moment and a subsidiary document of the current access moment;
- (4) traceability analysis: obtaining the unique identity of the digital asset at the final access moment by repeating step (2) and step (3) for every access; tracing back through the history nested in the unique identity at the final access moment, thus completing the traceability analysis of the digital asset.
Further, when accessing the digital asset M on the digital asset server by an access user, generating the subsidiary document in real time by the digital asset server includes:
- denoting the initial access moment as moment t0, at which the digital asset M is confirmed and uploaded to the digital asset server;
- 1) when an access user accesses the digital asset M at a moment t1, generating a subsidiary document c1 with a length of n1 in real time by the digital asset server;
- 2) when an access user accesses the digital asset M at a moment t2, generating a subsidiary document c2 with a length of n2 in real time by the digital asset server;
- 3) in the same manner, when an access user accesses the digital asset M at a moment tk, generating a subsidiary document ck with a length of nk in real time by the digital asset server; by the above procedure, a subsidiary document is generated every time the digital asset M is accessed.
Further, conducting the authentication of the identity document by the digital asset server and the digital asset authentication center, obtaining a hash value of the identity document, which is the unique identity of the digital asset at the current access moment, and forming the identity document by nesting the unique identity of the digital asset of the previous access moment with the subsidiary document of the current access moment includes:
- 1) at moment t0, confirming the ownership of the digital asset M to obtain an ownership confirmation document c0 of the digital asset M; c0 is the unique identity of the digital asset accessed at moment t0;
- 2) at moment t1, forming an identity document {tilde over (c)}1=(c0,c1) by nesting the unique identity c0 of the digital asset M at access moment t0 with the subsidiary document c1 of length n1 generated in real time when the access user accesses the digital asset M at moment t1; authenticating the identity document {tilde over (c)}1 by the digital asset server and the digital asset authentication center; obtaining, after authentication, a hash value c1 of the identity document {tilde over (c)}1; this hash value c1 is the unique identity of the digital asset accessed at moment t1;
- 3) in the same manner, at moment tk, forming an identity document {tilde over (c)}k=(ck-1,ck) by nesting the unique identity ck-1 of the digital asset M at access moment tk-1 with the subsidiary document ck of length nk generated in real time when the access user accesses the digital asset M at moment tk; authenticating the identity document {tilde over (c)}k=(ck-1,ck) by the digital asset server and the digital asset authentication center using the same approach used to authenticate the identity document {tilde over (c)}1; obtaining, after authentication, a hash value ck of the identity document {tilde over (c)}k; this hash value ck is the unique identity of the digital asset accessed at moment tk.
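The nesting of steps (2) to (4), as an added example that is not part of the disclosure. SHA-256 is used here as a stand-in for the keyed LFSR hash that the digital asset server and the digital asset authentication center compute together in approach 5; what the example demonstrates is the chain structure itself, in which each identity commits to the previous identity and the current subsidiary document, and how a traceability analysis replays the stored history to locate an altered record. The access records, field names and the canonical JSON encoding are constructed for the example.

```python
import hashlib
import json

# Added example, not the disclosure's own code. SHA-256 stands in for the authenticated LFSR
# hash of approach 5; the chain of nested identities is what this example shows. All records
# below are constructed.

def identity_of(identity_doc: bytes) -> str:
    """Unique identity of an access moment: the hash of its identity document."""
    return hashlib.sha256(identity_doc).hexdigest()

def nest(prev_identity: str, subsidiary: dict) -> bytes:
    """Identity document for moment t_k: the identity of moment t_(k-1) nested with the
    subsidiary document generated at t_k (canonical JSON so both parties hash the same bytes)."""
    return json.dumps([prev_identity, subsidiary], sort_keys=True).encode()

def record_access(chain: list, subsidiary: dict) -> str:
    """Steps (2)-(3): chain[0] is the ownership confirmation document c0, which is the identity
    at t0; every later entry is (subsidiary_k, identity_k). Returns the new identity."""
    prev = chain[0] if len(chain) == 1 else chain[-1][1]
    ident = identity_of(nest(prev, subsidiary))
    chain.append((subsidiary, ident))
    return ident

def trace(chain: list) -> list:
    """Step (4): replay the history from c0 to the final identity, recomputing every link.
    Returns the moments k whose stored subsidiary document no longer reproduces identity_k
    (an empty list means the history is intact). Because identity_k commits to identity_(k-1),
    an altered record at moment j shows up at link j without disturbing the later links."""
    bad = []
    for k in range(1, len(chain)):
        prev = chain[0] if k == 1 else chain[k - 1][1]
        subsidiary, ident = chain[k]
        if identity_of(nest(prev, subsidiary)) != ident:
            bad.append(k)
    return bad

# Constructed sample: c0 from the ownership confirmation at t0, then three accesses.
C0 = "constructed ownership confirmation document c0 (hash of docM, docM, timestamp1, o4)"
ACCESSES = [
    {"t": "2024-01-05T09:00:00Z", "user": "alice", "action": "read"},
    {"t": "2024-01-05T09:12:00Z", "user": "bob", "action": "download"},
    {"t": "2024-01-06T14:30:00Z", "user": "alice", "action": "read"},
]

def build_chain(c0: str = C0, accesses: list = ACCESSES) -> list:
    """Runs the initial access moment and every later access moment in order."""
    chain = [c0]
    for subsidiary in accesses:
        record_access(chain, subsidiary)
    return chain

if __name__ == "__main__":
    chain = build_chain()
    print("final identity:", chain[-1][1], "bad links:", trace(chain))
```

Replacing the user field of the second access record and running `trace` again reports link 2 and nothing else, while the final identity is untouched: the stored identities are what make the history auditable, so the server must keep every (subsidiary document, identity) pair, not only the latest identity, for the traceability analysis to say where the history was altered.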
Further, the authenticating the identity document {tilde over (c)}1 by the digital asset server and the digital asset authentication center; obtaining, after authentication, the hash value c1 of the identity document {tilde over (c)}1 includes:
- approach 5: 1) obtaining and choosing a set of n-bit true random number z1 locally by the digital asset server; generating an irreducible polynomial f(x) of order n using the n-bit true random number z1, and denoting an n-bit character string as str4, formed by coefficients of terms of respective orders except the highest order of the irreducible polynomial;
- 2) sharing two sets of quantum secret keys z2 and j by the digital asset server and the digital asset authentication center; the length of z2 is n and the length of f is 2n, and using the two secret keys respectively as an input random number for a hash function and for encryption of the hash function.
- 3) obtaining, at the digital asset server, a hash function hf,z2 based on a linear feedback shift register from the irreducible polynomial f(x) of order n and the shared secret key z2 used as the input random number; computing the hash value of c̃1, denoted hf,z2(c̃1), with this hash function; encrypting, at the digital asset server, the hash value together with the character string str4 by XOR with the shared secret key j, which yields the encryption result j⊕(hf,z2(c̃1), str4);
4) sending the encryption result j⊕(hf,z2(c̃1), str4) from the digital asset server to the digital asset authentication center; after receiving the encryption result, decrypting it at the digital asset authentication center with the shared secret key j to obtain the hash value hf,z2(c̃1) and the character string str4; generating, at the digital asset authentication center, an irreducible polynomial f′(x) of order n over GF(2) by mapping the successive bits of the character string str4 to the coefficients of the terms of all orders other than the highest order, the coefficient of the highest order being 1; generating, at the digital asset authentication center, a hash function h′f,z2 based on a linear feedback shift register from the irreducible polynomial f′(x) and the shared secret key z2 used as the input random number; computing the hash value of c̃1, denoted h′f,z2(c̃1), with the hash function h′f,z2; in the case that the hash value h′f,z2(c̃1) computed by the digital asset authentication center equals the hash value hf,z2(c̃1) obtained by decryption, the authentication succeeds and the digital asset server stores the hash value hf,z2(c̃1) as c1; otherwise the authentication fails, and the procedure returns and authenticates again; or,
- approach 6: 1) sharing an n-bit true random number z1 between the digital asset server and the digital asset authentication center, and pre-generating an irreducible polynomial f(x) from it at both parties;
2) sharing secret keys z2 and j between the digital asset server and the digital asset authentication center; obtaining, at the digital asset server, a hash function hf,z2 based on a linear feedback shift register from its secret key z2 used as the input random number together with the pre-generated irreducible polynomial f(x); computing the hash value of c̃1, denoted hf,z2(c̃1), with the hash function hf,z2;
- 3) encrypting the hash value hf,z2(c̃1) with the secret key j of the digital asset server, and sending the encrypted hash value hf,z2(c̃1)⊕j together with c̃1 from the digital asset server to the digital asset authentication center; decrypting the received result at the digital asset authentication center with the shared secret key j to obtain hf,z2(c̃1); subsequently obtaining, at the digital asset authentication center, a hash function h′f,z2 based on a linear feedback shift register from its own secret key z2 used as the input random number together with the pre-generated irreducible polynomial f(x); computing the hash value of c̃1, denoted h′f,z2(c̃1), with the hash function h′f,z2; in the case that the hash value h′f,z2(c̃1) equals the hash value hf,z2(c̃1) obtained by decryption, the authentication succeeds; otherwise the authentication fails, and the procedure returns and authenticates again.
Beneficial effects of the present disclosure are as follows:
- (1) the present disclosure may be used to confirm the ownership of digital assets and the identity of the original user, raising the security of ownership confirmation to the level of quantum security. Meanwhile, according to the solution of the present disclosure, a digital asset in the Internet of Value obtains a real-time, unique identity upon each successful authentication, and forward tracing may be performed through this real-time, unique identity, completing the traceability analysis of the digital asset;
- (2) the present disclosure ensures the integrity and real-time uniqueness of the digital assets being accessed. The identity document processed at the current accessing moment is formed by nesting the unique identity of the digital asset from the previous accessing moment with the subsidiary document from the current accessing moment. The hash value obtained by hashing this identity document is the unique identity of the digital asset at the current accessing moment, and therefore represents the integrity of the digital asset;
- (3) the solution provided by the present disclosure is easy and convenient to implement, and may be generalized to general information security areas such as information authentication in digital networks, digital signatures, digital currency, blockchains and the like, which is of practical significance for further promoting the fast development of digital informatization.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 schematically illustrates entities involved in a method for confirming ownership of digital assets;
FIG. 2 schematically illustrates a structure of a digital asset authentication center; and
FIG. 3 schematically illustrates processes of constructing a unique identity of a digital asset at an accessing moment.
DETAILED DESCRIPTION OF THE EMBODIMENTS
The disclosure is further described in detail in conjunction with the drawings and embodiments.
To confirm ownership of a digital asset, to ensure the integrity and real-time uniqueness of digital asset information when it is used, and to ensure that the information cannot be altered, a method for confirming ownership and a method for tracing to the source of digital assets based on a hash algorithm are provided by the present disclosure, such that the legitimate ownership of digital assets by an original user and the integrity of the digital assets may be protected. Here digital assets include purely digital assets, digitalized physical assets, legal documents and other digitizable assets, and any combination thereof.
Assume an original user has a binary document in digital format. The binary document is a digital asset M, and the entities that confirm ownership of the digital asset M are shown in FIG. 1: a Certificate Authority (CA) authentication center 1, a digital asset authentication center 2, and an original user 3 possessing the digital asset M. The steps of confirming ownership of the digital asset are as follows.
(1) The CA authentication center 1 issues a CA user certificate to the original user 3 and generates a service serial number o1. The CA authentication center 1 and the original user 3 authenticate the private CA user certificate CA2 of the CA user certificate. After the authentication succeeds, the CA authentication center 1 and the original user 3 each generate a one-time CA certificate otCA.
The CA authentication center 1 is the CA authentication center disclosed in "Digital certificate generation, identity authentication method and quantum CA authentication center and system", Chinese patent application number 2022101851462, and adopts the method of that application to issue the CA user certificate to the original user 3. The CA user certificate consists of a public CA user certificate CA1 and a private CA user certificate CA2. The public CA user certificate CA1 is generated from authentic identity information provided by the user, which may include information that can be displayed publicly, such as a user name or a workplace name (and its domain name if it is a network service operator), a certificate serial number (which needs to be unique across the entire web), the certificate issuing institution and its domain name or IP address, and the validity period of the certificate. The private CA user certificate CA2 consists of the public CA user certificate CA1, a timestamp timestamp2 of when the CA certificate was generated, and a quantum random number QRN, that is,
CA2=(CA1, timestamp2, QRN).
The secrecy of the private CA user certificate CA2 rests on the secrecy of the quantum random number QRN. Meanwhile, the CA authentication center 1 and the original user 3 share the service serial number o1 of the current issuance of the CA user certificate.
Upon completion of issuance, the CA authentication center 1 and the original user 3 both store the public CA user certificate CA1 and the private CA user certificate CA2.
The CA authentication center 1 and the original user 3 authenticate the private CA user certificate CA2 of the CA user certificate by one of the following two approaches.
Approach 1: 1) The CA authentication center 1 obtains an n-bit true random number s1 locally. The n-bit true random number s1 is used to generate an irreducible polynomial p(x) of order n, and the n-bit character string formed by the coefficients of the terms of all orders except the highest order of the irreducible polynomial is denoted str1.
The detailed procedure for generating the irreducible polynomial p(x) from the n-bit true random number s1 is as follows.
a) First, the CA authentication center 1 generates a polynomial of order n over GF(2) by mapping the successive bits of the n-bit true random number s1 to the coefficients of the terms of all orders other than the highest order, the coefficient of the highest order being 1. For example, when the n-bit true random number is (a_{n-1}, a_{n-2}, ..., a_1, a_0), the polynomial
$$p(x) = x^n + a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \cdots + a_1 x + a_0$$
is generated. Note that a polynomial with a_0 = 0 is divisible by x and is therefore reducible (for n ≥ 2), so only a generated polynomial with a_0 = 1 can be irreducible. To reduce the computation workload of verifying irreducibility at a later stage, the true random number may therefore be checked first: if its last bit is 0, either set the last bit to 1, or re-generate the true random number until the last bit of the generated number is 1. Either way the result is a_0 = 1, and the generated polynomial is
$$p(x) = x^n + a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \cdots + a_1 x + 1.$$
b) Next, whether the polynomial is irreducible is verified. If the verification result is "no", the CA authentication center 1 generates another true random number, returns to step a) with the newly generated true random number to re-generate the polynomial, and verifies again. If the verification result is "yes", the verification stops and the CA authentication center 1 has obtained the irreducible polynomial p(x).
There are multiple ways to verify that a polynomial is irreducible. Two preferred ways are presented in the present disclosure.
Way A: verify in turn whether $\gcd(p(x), x^{2^i} - x) = 1$ holds for each value of i in the required range, whose upper bound is obtained by rounding down. If the verifications for all values of i succeed, p(x) is an irreducible polynomial of order n over GF(2). Here gcd(f(x), g(x)) denotes the greatest common divisor of f(x) and g(x) over GF(2), where f(x) and g(x) are two arbitrary polynomials.
Way B: verify whether condition (1), $x^{2^n} \equiv x \pmod{p(x)}$, and condition (2), $\gcd(p(x), x^{2^{n/d}} - x) = 1$ for every prime factor d of n, both hold at the same time, where $x^{2^n} \equiv x \pmod{p(x)}$ means that the remainder of $x^{2^n}$ modulo p(x) and the remainder of x modulo p(x) are identical, and gcd(f(x), g(x)) denotes the greatest common divisor of f(x) and g(x) over GF(2), where f(x) and g(x) are two arbitrary polynomials. When both verification conditions are satisfied, p(x) is an irreducible polynomial of order n over GF(2).
Generally, the CA authentication center 1 may take n = 2^k, so that only d = 2 needs to be considered in condition (2). Optionally, the CA authentication center 1 may take n = 2^7 = 128. Because this way only needs to verify the two conditions, a Fast Modular Composition (FMC) algorithm is adopted to obtain $x^{2^n} \bmod p(x)$ and $x^{2^{n/2}} \bmod p(x)$ quickly. The CA authentication center 1 replaces $x^{2^{n/2}}$ in condition (2) with $x^{2^{n/2}} \bmod p(x)$ for the computation, which obtains the result faster by lowering the order.
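Steps a) and b) above, as an added Python example; this is not code from the disclosure itself. Polynomials over GF(2) are stored as Python ints with bit i holding the coefficient of x^i (an assumption of this example), the Fast Modular Composition mentioned in the text is replaced by plain repeated squaring, and the range of i in Way A is taken as 1 to ⌊n/2⌋, the usual bound for the Ben-Or test, because the page does not reproduce the disclosure's own range expression. `secrets.randbits` stands in for the true random number source.

```python
"""GF(2) polynomial arithmetic and the irreducibility tests of steps a) and b).

Representation (an assumption of this example, not fixed by the text): a polynomial
over GF(2) is a Python int whose bit i is the coefficient of x^i, so the n-bit random
number s1 occupies bits 0..n-1 and the leading coefficient 1 is bit n.
"""
import secrets


def gf2_deg(a: int) -> int:
    """Degree of a, or -1 for the zero polynomial."""
    return a.bit_length() - 1


def gf2_mod(a: int, p: int) -> int:
    """Remainder of a modulo p: long division with XOR in place of subtraction."""
    dp = gf2_deg(p)
    while a and gf2_deg(a) >= dp:
        a ^= p << (gf2_deg(a) - dp)
    return a


def gf2_mulmod(a: int, b: int, p: int) -> int:
    """a * b mod p by shift-and-add; a is kept reduced after every shift."""
    r, a = 0, gf2_mod(a, p)
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = gf2_mod(a << 1, p)
    return r


def gf2_gcd(a: int, b: int) -> int:
    """Euclid's algorithm; over GF(2) the result is monic automatically."""
    while b:
        a, b = b, gf2_mod(a, b)
    return a


def x_pow_2k_mod(k: int, p: int) -> int:
    """x^(2^k) mod p by k successive squarings (the Frobenius map).

    Plain-squaring stand-in for the Fast Modular Composition the text mentions;
    it yields x^(2^n) mod p(x) and x^(2^(n/d)) mod p(x) for the two conditions.
    """
    r = gf2_mod(0b10, p)  # the polynomial x, reduced
    for _ in range(k):
        r = gf2_mulmod(r, r, p)
    return r


def prime_factors(n: int) -> list[int]:
    """Distinct prime factors of n by trial division (n = 2^k gives just [2])."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def is_irreducible_rabin(p: int) -> bool:
    """Way B (Rabin): x^(2^n) = x mod p, and gcd(p, x^(2^(n/d)) - x) = 1 for every prime d | n."""
    n = gf2_deg(p)
    if n < 1:
        return False
    x = gf2_mod(0b10, p)
    if x_pow_2k_mod(n, p) != x:                      # condition (1)
        return False
    for d in prime_factors(n):                       # condition (2)
        if gf2_gcd(p, x_pow_2k_mod(n // d, p) ^ x) != 1:
            return False
    return True


def is_irreducible_ben_or(p: int) -> bool:
    """Way A (Ben-Or): gcd(p, x^(2^i) - x) = 1 for i = 1 .. floor(n/2) (assumed bound)."""
    n = gf2_deg(p)
    x = gf2_mod(0b10, p)
    for i in range(1, n // 2 + 1):
        if gf2_gcd(p, x_pow_2k_mod(i, p) ^ x) != 1:
            return False
    return n >= 1


def poly_from_random_bits(s1: int, n: int) -> tuple[int, int]:
    """Step a): leading coefficient 1, lower coefficients from s1, a_0 forced to 1.

    Returns (p(x), str1): str1 is the n-bit coefficient string the centre later sends
    to the user, who rebuilds p'(x) = (1 << n) | str1 from it.
    """
    bits = (s1 & ((1 << n) - 1)) | 1   # a_0 = 0 would make x divide p(x)
    return (1 << n) | bits, bits


def generate_irreducible(n: int, randbits=secrets.randbits) -> tuple[int, int]:
    """Step b): draw fresh random bits until the candidate passes the test."""
    while True:
        p, str1 = poly_from_random_bits(randbits(n), n)
        if is_irreducible_rabin(p):
            return p, str1
```

In deployment s1 comes from the hardware or quantum random source the text describes; here `secrets.randbits` stands in. Note that str1 is later sent to the user (under the XOR with ν), so irreducibility of p(x) is a correctness requirement for the LFSR hash family rather than a secret: the hash's forgery bound depends on p(x) being irreducible and on s2 staying secret, not on p(x) being hidden.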
2) The CA authentication center 1 and the original user 3 share two quantum secret keys s2 and ν. The length of s2 is n and the length of ν is 2n; s2 is used as the input random number of the hash function and ν is used to encrypt the hash value.
3) The CA authentication center 1 takes the irreducible polynomial p(x) of order n and the shared secret key s2, used as the input random number, to obtain a hash function hp,z2 based on a linear feedback shift register, and uses this hash function to compute the hash value of the private CA user certificate CA2, denoted hp,z2(CA2). Then the CA authentication center 1 encrypts the hash value together with the character string str1 by XOR with the shared secret key ν, obtaining the encryption result ν⊕(hp,z2(CA2), str1).
4) The CA authentication center 1 sends the encryption result ν⊕(hp,z2(CA2), str1) to the original user 3. After receiving it, the original user 3 decrypts the encryption result with the shared secret key ν to obtain the hash value hp,z2(CA2) and the character string str1. The original user 3 generates an irreducible polynomial p′(x) of order n over GF(2) whose highest-order coefficient is 1 and whose remaining coefficients are the successive bits of the character string str1. The original user 3 then takes the irreducible polynomial p′(x) and the shared secret key s2, used as the input random number, to generate a hash function h′p,z2 based on a linear feedback shift register, and uses h′p,z2 to compute the hash value of the private CA user certificate CA2, denoted h′p,z2(CA2). If the hash value h′p,z2(CA2) computed by the original user 3 equals the hash value hp,z2(CA2) obtained by decryption, the authentication succeeds; otherwise the authentication fails, and the CA user certificate must be re-issued.
Approach 2: 1) The CA authentication center 1 and the original user 3 share an n-bit true random number s1 and each pre-generate the irreducible polynomial p(x) from it.
The detailed procedure for pre-generating the irreducible polynomial p(x) is as follows.
a) First, the CA authentication center 1 and the original user 3 each generate a polynomial of order n over GF(2) by mapping the successive bits of the n-bit true random number to the coefficients of the terms of all orders other than the highest order, the coefficient of the highest order being 1. For example, when the n-bit true random number is (a_{n-1}, a_{n-2}, ..., a_1, a_0), the polynomial
$$p(x) = x^n + a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \cdots + a_1 x + a_0$$
is generated. Note that a polynomial with a_0 = 0 is divisible by x and is therefore reducible (for n ≥ 2), so only a generated polynomial with a_0 = 1 can be irreducible. To reduce the computation workload of verifying irreducibility at a later stage, the true random number may therefore be checked first: if its last bit is 0, either set the last bit to 1, or re-generate the true random number until the last bit of the generated number is 1. Either way the result is a_0 = 1, and the generated polynomial is
$$p(x) = x^n + a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \cdots + a_1 x + 1.$$
b) Next, whether the polynomial is irreducible is verified. If the verification result is "no", the CA authentication center 1 and the original user 3 share another, newly generated true random number, return to step a) with it to re-generate the polynomial, and verify again. If the verification result is "yes", the verification stops and the CA authentication center 1 and the original user 3 have each obtained the irreducible polynomial.
There are multiple ways to verify that a polynomial is irreducible. Two preferred ways are presented in the present disclosure:
Way A: verify in turn whether $\gcd(p(x), x^{2^i} - x) = 1$ holds for each value of i in the required range, whose upper bound is obtained by rounding down. If the verifications for all values of i succeed, p(x) is an irreducible polynomial of order n over GF(2). Here gcd(f(x), g(x)) denotes the greatest common divisor of f(x) and g(x) over GF(2), where f(x) and g(x) are two arbitrary polynomials.
Way B: verify whether condition (1), $x^{2^n} \equiv x \pmod{p(x)}$, and condition (2), $\gcd(p(x), x^{2^{n/d}} - x) = 1$ for every prime factor d of n, both hold at the same time, where $x^{2^n} \equiv x \pmod{p(x)}$ means that the remainder of $x^{2^n}$ modulo p(x) and the remainder of x modulo p(x) are identical, and gcd(f(x), g(x)) denotes the greatest common divisor of f(x) and g(x) over GF(2), where f(x) and g(x) are two arbitrary polynomials. When both verification conditions are satisfied, p(x) is an irreducible polynomial of order n over GF(2).
Generally, the CA authentication center 1 and the original user 3 may take n = 2^k, so that only d = 2 needs to be considered in condition (2). Optionally, the CA authentication center 1 and the original user 3 may take n = 2^7 = 128. Because this way only needs to verify the two conditions, a Fast Modular Composition (FMC) algorithm is adopted to obtain $x^{2^n} \bmod p(x)$ and $x^{2^{n/d}} \bmod p(x)$ quickly. The CA authentication center 1 and the original user 3 replace $x^{2^{n/d}}$ in condition (2) with $x^{2^{n/d}} \bmod p(x)$ for the computation, which obtains the result faster by lowering the order.
2) The CA authentication center 1 and the original user 3 share secret keys s2 and ν. The CA authentication center 1 takes its own copy of the secret key s2, used as the input random number, together with the pre-generated irreducible polynomial p(x) to generate a hash function hp,z2 based on a linear feedback shift register, then uses this hash function to compute the hash value of the private CA user certificate CA2, denoted hp,z2(CA2).
3) The CA authentication center 1 encrypts the hash value hp,z2(CA2) with its own copy of the secret key ν and sends the encrypted hash value hp,z2(CA2)⊕ν to the original user 3. The original user 3 decrypts the received result with the shared secret key ν to obtain hp,z2(CA2). Subsequently, the original user 3 takes its own copy of the secret key s2, used as the input random number, together with the pre-generated irreducible polynomial p(x) to obtain a hash function h′p,z2 based on a linear feedback shift register, and uses h′p,z2 to compute the hash value of the private CA user certificate CA2, denoted h′p,z2(CA2). If the hash value h′p,z2(CA2) equals the hash value hp,z2(CA2) obtained by decryption, the authentication succeeds; otherwise the authentication fails, and the CA user certificate must be re-issued.
After the private CA user certificate CA2 is verified, the CA authentication center 1 and the original user 3 each generate a one-time CA certificate otCA. The detailed procedure is as follows.
First, after the private CA user certificate CA2 is verified, the CA authentication center 1 and the original user 3 share an encryption secret key R. Both the CA authentication center 1 and the original user 3 use the encryption secret key R to encrypt the hash value hp,z2(CA2) obtained during verification, giving the encrypted value hp,z2(CA2)⊕R.
Then, the CA authentication center 1 and the original user 3 each generate a one-time CA certificate otCA from the encrypted value hp,z2(CA2)⊕R, the service serial number o1 of the issuance of the CA user certificate and the institution information ca of the CA authentication center, that is:
An expiration date of the one-time CA certificate otCA may be set, meaning that the one-time CA certificate otCA expires when the expiration date is exceeded.
(2) The original user 3 sends the digital asset M to the digital asset authentication center 2 and meanwhile generates a service serial number o2. The digital asset authentication center 2 and the original user 3 authenticate the digital asset M, and after the authentication succeeds, the digital asset authentication center 2 and the original user 3 each generate an authentication document of the digital asset M.
Authentication of the digital asset M between the digital asset authentication center 2 and the original user 3 uses one of the following two approaches.
Approach 3: 1) The digital asset authentication center 2 obtains an n-bit true random number k1 locally. The n-bit true random number k1 is used to generate an irreducible polynomial q(x) of order n, and the n-bit character string formed by the coefficients of the terms of all orders except the highest order of the irreducible polynomial is denoted str2. The generation of the irreducible polynomial q(x) of order n is identical to the generation of the irreducible polynomial in Approach 1 and is not repeated here.
2) The digital asset authentication center 2 and the original user 3 share two quantum secret keys k2 and u. The length of k2 is n and the length of u is 2n; k2 is used as the input random number of the hash function and u is used to encrypt the hash value.
3) The digital asset authentication center 2 takes the irreducible polynomial q(x) of order n and the shared secret key k2, used as the input random number, to obtain a hash function hq,k2 based on a linear feedback shift register, and uses this hash function to compute the hash value of the digital asset M, denoted hq,k2(M). Then the digital asset authentication center 2 encrypts the hash value together with the character string str2 by XOR with the shared secret key u, obtaining the encryption result u⊕(hq,k2(M), str2).
4) The digital asset authentication center 2 sends the encryption result u⊕(hq,k2(M), str2) to the original user 3. After receiving it, the original user 3 decrypts the encryption result with the shared secret key u to obtain the hash value hq,k2(M) and the character string str2. The original user 3 generates an irreducible polynomial q′(x) of order n over GF(2) whose highest-order coefficient is 1 and whose remaining coefficients are the successive bits of the character string str2, then takes q′(x) and the shared secret key k2, used as the input random number, to generate a hash function h′q,k2 based on a linear feedback shift register, and uses h′q,k2 to compute the hash value of the digital asset M, denoted h′q,k2(M). If the hash value h′q,k2(M) computed by the original user 3 equals the hash value hq,k2(M) obtained by decryption, the authentication succeeds; otherwise the authentication fails, and the authentication must be repeated.
Or, Approach 4: 1) The digital asset authentication center 2 and the original user 3 share an n-bit true random number k1 and each pre-generate the irreducible polynomial q(x) from it. Pre-generation of the irreducible polynomial q(x) of order n is identical to that in Approach 2 and is not repeated here.
2) The digital asset authentication center 2 and the original user 3 share secret keys k2 and u. The digital asset authentication center 2 takes its own copy of the secret key k2, used as the input random number, together with the pre-generated irreducible polynomial q(x) to obtain a hash function hq,k2 based on a linear feedback shift register, then uses this hash function to compute the hash value of the digital asset M, denoted hq,k2(M).
3) The digital asset authentication center 2 encrypts the hash value hq,k2(M) with its own copy of the secret key u and sends the encrypted hash value hq,k2(M)⊕u to the original user 3. The original user 3 decrypts the received result with the shared secret key u to obtain hq,k2(M). Subsequently, the original user 3 takes its own copy of the secret key k2, used as the input random number, together with the pre-generated irreducible polynomial q(x) to generate a hash function h′q,k2 based on a linear feedback shift register, and uses h′q,k2 to compute the hash value of the digital asset M, denoted h′q,k2(M). If the hash value h′q,k2(M) equals the hash value hq,k2(M) obtained by decryption, the authentication succeeds; otherwise the authentication fails, and the authentication must be repeated.
After the authentication of the digital asset M succeeds, the digital asset authentication center 2 and the original user 3 each generate an authentication document of the digital asset M. The detailed procedure is as follows.
After the authentication of the digital asset M succeeds, each of the digital asset authentication center 2 and the original user 3 uses the hash value hq,k2(M), the service serial number o2 of sending the digital asset M and the institution information da of the digital asset authentication center to generate an authentication document HM of the digital asset M, that is:
Structure of the digital asset authentication center 2 is shown in FIG. 2, which includes a first interface unit 21, a first quantum security unit 22 connected to the first interface unit 21, and a digital asset authentication unit 23 connected to the first quantum security unit 22.
The first interface unit 21 is configured to allow connection and communication interaction between the digital asset authentication center 2 and other exterior systems, for example, allowing authentication of the digital asset M with the original user 3.
The first quantum security unit 22 includes a first hash algorithm module 221, a first encryption module 222, a first decryption module 223, a first true quantum random number generator 224 and a first secret key storage module 225 which are sequentially connected. The first hash algorithm module 221 is configured to generate a hash function to perform hash computation of information. The first encryption module 222 is configured to perform encryption operation. The first decryption module 223 is configured to perform decryption operation. The first true quantum random number generator 224 is configured to generate true quantum random numbers. The first secret key storage module 225 is configured to store secret keys.
The digital asset authentication unit 23 includes a digital asset storage module 231, a first authentication module 232, a quantum digital signature module 233, a first logging module 234 and a first backup module 235, which are sequentially connected. The digital asset storage module 231 is configured to store documents. The first authentication module 232 is configured to perform authentication operations. The quantum digital signature module 233 is configured to perform the quantum digital signing operation on generated signature documents. The first logging module 234 is configured to record the signature verification result of a quantum digital signature and the result of authentication. To protect the digital asset authentication center 2 against data loss, the first backup module 235 is configured to back up the data recorded by the first logging module 234.
(3) The original user 3 generates a service serial number o3 of the quantum digital signature and generates a signature document docM. The CA authentication center 1, the digital asset authentication center 2 and the original user 3 conduct a three-party quantum digital signature on the signature document docM, where the original user 3 is the signing party and the CA authentication center 1 and the digital asset authentication center 2 are the signature verification parties. When the signature is successfully verified by both the CA authentication center 1 and the digital asset authentication center 2, the CA authentication center 1 conducts an identity verification and the digital asset authentication center 2 conducts a document verification. When both the identity verification and the document verification succeed, the ownership confirmation of the digital asset succeeds, a service serial number o4 is produced and the next step is entered. Otherwise, the signature verification fails, and the current ownership confirmation of the digital asset is terminated or a new ownership confirmation is initiated.
Firstly, the specific procedure to generate the signature document docM by the original user 3 may be as follows.
The original user 3 generates the signature document docM from the authentication document HM of the digital asset M, the one-time CA certificate otCA, the service serial number o3 of the quantum digital signature, the institution information ca of the CA authentication center 1 and the institution information da of the digital asset authentication center 2, that is:
The CA authentication center 1, the digital asset authentication center 2 and the original user 3 conduct a three-party quantum digital signature on the signature document docM, where the original user 3 is the signing party and the CA authentication center 1 and the digital asset authentication center 2 are each a signature verification party. When the signature is successfully verified by both the CA authentication center 1 and the digital asset authentication center 2, the CA authentication center 1 conducts an identity verification and the digital asset authentication center 2 conducts a document verification. The specific procedure is as follows.
S1. The original user 3 obtains a true random number locally to generate an irreducible polynomial l(x) of order n, and the character string formed by the coefficients of the terms of all orders except the highest order of l(x) is denoted str3. The method for generating the irreducible polynomial l(x) of order n is identical to that in Approach 1 and is not repeated here.
S2. A secret key negotiation is performed between the original user 3 and the CA authentication center 1, yielding a shared secret key x1 and a shared secret key y2; a secret key negotiation is performed between the original user 3 and the digital asset authentication center 2, yielding a shared secret key x2 and a shared secret key y1. The length of x1 equals the length of x2, the length of y1 equals the length of y2, and the length of y1 is twice the length of x1. The original user 3 XORs the secret keys x1, y1, x2 and y2 to obtain secret keys x3 and y3 as follows:
$$x_3 = x_1 \oplus x_2,\qquad y_3 = y_1 \oplus y_2.$$
S3. The original user 3 takes the irreducible polynomial l(x) and the secret key x3, used as the input random number, to generate a hash function hl,x3. The original user 3 hashes the signature document docM with hl,x3 to obtain the hash value hl,x3(docM), encrypts the hash value hl,x3(docM) together with the character string str3 by XOR with the secret key y3, and transmits the encrypted value (hl,x3(docM), str3)⊕y3 and the signature document docM to the CA authentication center 1.
S4. After receiving (h_{l,x3}(docM),str3)⊕y3 and the signature document docM, the CA authentication center 1 sends its own secret keys x1 and y1, together with (h_{l,x3}(docM),str3)⊕y3 and the signature document docM, to the digital asset authentication center 2. Upon receiving the secret keys and the signature document, the digital asset authentication center 2 sends its own secret keys x2 and y2 to the CA authentication center 1. The exchange of information between the two parties takes place over an authenticated channel to prevent tampering. At this point, the CA authentication center 1 and the digital asset authentication center 2 both possess the secret keys x1, y1, x2 and y2, the encrypted value (h_{l,x3}(docM),str3)⊕y3 and the signature document docM.
S5. After the exchange of information is completed, the CA authentication center 1 performs an XOR operation on the secret keys x1, y1, x2 and y2 it now holds to obtain secret keys x3′ and y3′, where:
The CA authentication center 1 decrypts the encrypted value (h_{l,x3}(docM),str3)⊕y3 using the secret key y3′ to obtain h_{l,x3}(docM) and the character string str3. The CA authentication center 1 then generates an irreducible polynomial l′(x) by mapping the successive bits of the character string str3 to the coefficients of the terms of all orders other than the highest order of the polynomial, with the coefficient of the highest order set to 1. The CA authentication center 1 chooses the irreducible polynomial l′(x) and the secret key x3′, used as an input random number, to generate a hash function h_{l′,x3′}, and performs a hash operation on the signature document docM with it to obtain a hash value h_{l′,x3′}(docM). The CA authentication center 1 compares the computed hash value h_{l′,x3′}(docM) with the decrypted h_{l,x3}(docM). If they are equal, the signature verification succeeds; otherwise the signature verification fails.
S6. The digital asset authentication center 2 adopts the same way to verify signature as the CA authentication center 1.
S7. When the signature is successfully verified by both the CA authentication center 1 and the digital asset authentication center 2, the CA authentication center 1 conducts an identity verification and the digital asset authentication center 2 conducts a document verification. The specific procedure is as follows: the CA authentication center 1 compares the otCA contained in the signature document docM with the otCA it generated itself; if they are consistent, the identity verification succeeds. The digital asset authentication center 2 compares the HM contained in the signature document docM with the HM it generated itself; if they are consistent, the document verification succeeds. When the signature verification, the identity verification and the document verification all succeed, ownership confirmation of the digital asset succeeds, a service serial number o4 is produced and the next step is entered. Otherwise, the current ownership confirmation of the digital asset fails, and the ownership confirmation is either terminated or a new ownership confirmation is initiated.
(4) An ownership confirmation document of the digital asset M is generated by the original user 3. The specific procedure may be as follows.
Firstly, the original user 3 records the timestamp corresponding to the successful ownership confirmation operation of the digital asset as timestamp1. Next, the original user 3 uses the hash value h_{l,x3}(docM) of the signature document, the signature document docM, the timestamp timestamp1 and the service serial number o4 to generate an ownership confirmation document M of the digital asset M:
where the hash value h_{l,x3}(docM) represents the integrity of the signature document docM. This integrity binds the identity of the original user 3 (i.e., the one-time CA certificate otCA) to the digital asset M (i.e., the authentication document HM), and the hash value hq,ks(M) of the digital asset M indicates the integrity of the digital asset M. The resulting ownership confirmation document M is the digital identity of the digital asset M in the present disclosure; it maintains an inseparable relationship with the digital asset M, may serve as the basis for confirming ownership of the digital asset M, and has the highest known security level.
After successful ownership confirmation of the digital asset M, the digital asset M of the original user 3 may be accessed multiple times. In order to achieve the traceability of accessing the digital asset M, as shown in FIG. 3, a method for tracing to a source of digital assets based on hash algorithm is further provided by the present disclosure, which includes the following steps.
(1) An initial access moment: the above-mentioned method for confirming ownership is used by the original user 3 to confirm an ownership of the digital asset M. After the confirmation is successful, the ownership confirmation document is obtained, which is a unique identity of the digital asset at the initial access moment, and the digital asset M along with the ownership confirmation document are uploaded to a digital asset server.
(2) An access moment: when an access user accesses the digital asset M on the digital asset server, the digital asset server generates a subsidiary document in real time. The subsidiary document includes but is not limited to a timestamp and identity information of the access user. The specific procedure for generating the subsidiary document in real time may be as follows.
The initial access moment when an ownership of the digital asset M is confirmed and the digital asset M is uploaded to the digital asset server is denoted as moment t0.
1) When the access user accesses the digital asset M at a moment t1, the digital asset server generates a subsidiary document c1 with a length of n1 in real time. The subsidiary document c1 includes but is not limited to the timestamp t1 and related information of the access user, such as the identity information of the access user.
2) When the access user accesses the digital asset M at a moment t2, the digital asset server generates a subsidiary document c2 with a length of n2 in real time. The subsidiary document c2 includes but is not limited to the timestamp t2 and related information of the access user such as the identity information of the access user.
3) In a similar manner, when the access user accesses the digital asset M at a moment tk, the digital asset server generates a subsidiary document ck with a length of nk in real time. The subsidiary document ck includes but is not limited to the timestamp tk and related information of the access user such as the identity information of the access user. After undergoing the above-mentioned procedure, a subsidiary document is generated correspondingly every time the digital asset M is accessed.
The digital asset M is replicable, and may be replicated on different servers, denoted as M′. Subsidiary documents are generated on other servers in the same manner as previously mentioned.
(3) A unique identity of the digital asset at the access moment is constructed: an authentication of an identity document is conducted by the digital asset server and the digital asset authentication center 2 and a hash value of the identity document is obtained, which is a unique identity of the digital asset at a current access moment; where the identity document is formed by nesting a unique identity of the digital asset of a previous access moment and a subsidiary document of the current access moment. The specific process is as follows.
At moment t0, ownership of the digital asset M is confirmed to obtain an ownership confirmation document c0 of the digital asset M. c0 is a unique identity of the digital asset accessed at moment t0. The ownership confirmation document c0 obtained at moment t0 is the above-mentioned ownership confirmation document M of the digital asset M, that is c0=M.
At moment t1, the unique identity c0 of the digital asset M accessed at moment t0 and the subsidiary document c1 of length n1, generated in real time when the access user accesses the digital asset M at moment t1, are nested to form an identity document c̃1=(c0,c1). The identity document c̃1 is authenticated by the digital asset server and the digital asset authentication center 2. A hash value c1 of the identity document c̃1 is obtained after authentication, and this hash value c1 is the unique identity of the digital asset accessed at moment t1.
Authenticating the identity document c̃1 and obtaining its hash value c1 after authentication may follow either of the two approaches below.
Approach 5: a) The digital asset server obtains an n-bit true random number z1 locally. The n-bit true random number z1 is used to generate an irreducible polynomial f(x) of order n, and the n-bit character string formed by the coefficients of the terms of all orders except the highest order of the irreducible polynomial is denoted str4. Generation of the irreducible polynomial f(x) of order n is identical to generation of the irreducible polynomial in Approach 1, and its description is therefore not repeated.
b) The digital asset server and the digital asset authentication center 2 share two sets of quantum secret keys, z2 and j. The length of z2 is n and the length of j is 2n; z2 is used as the input random number of the hash function and j is used for encryption.
c) The digital asset server chooses the irreducible polynomial f(x) of order n and the shared secret key z2, used as an input random number, to obtain a hash function hf,z2 based on a linear feedback shift register, and uses this hash function to compute the hash value of c̃1, denoted hf,z2(c̃1). The digital asset server encrypts the hash value and the character string str4 using the shared secret key j; the encryption is an XOR operation and yields the encryption result j⊕(hf,z2(c̃1),str4).
d) The digital asset server sends the encryption result j⊕(hf,z2(c̃1),str4) to the digital asset authentication center 2. After receiving the encryption result, the digital asset authentication center 2 decrypts it using the shared secret key j, obtaining the hash value hf,z2(c̃1) and the character string str4. The digital asset authentication center 2 generates a polynomial f′(x) of order n over GF(2) by mapping the successive bits of the character string str4 to the coefficients of the terms of all orders other than the highest order of the polynomial, with the coefficient of the highest order set to 1. The digital asset authentication center 2 then chooses the irreducible polynomial f′(x) and the shared secret key z2, used as an input random number, to generate a hash function h′f,z2 based on a linear feedback shift register, and uses it to compute the hash value of c̃1, denoted h′f,z2(c̃1). If the hash value h′f,z2(c̃1) computed by the digital asset authentication center 2 is equal to the hash value hf,z2(c̃1) obtained through decryption, the authentication is successful and the digital asset server stores the hash value hf,z2(c̃1), that is, c1; otherwise, the authentication is unsuccessful, and the process returns to perform the authentication again.
Or, Approach 6: a) The digital asset server and the digital asset authentication center 2 share a string of n-bit true random number z1 and perform pre-generation of an irreducible polynomial f(x). Pre-generation of the irreducible polynomial f(x) of order n is identical to the method for generating the irreducible polynomial in Approach 2, and thus description of which is not to be repeated.
b) The digital asset server and the digital asset authentication center 2 share secret keys z2 and j. The digital asset server uses its own secret key z2, serving as an input random number, together with the pre-generated irreducible polynomial f(x) to obtain a hash function hf,z2 based on a linear feedback shift register, and then uses the hash function hf,z2 to compute the hash value of c̃1, denoted hf,z2(c̃1).
c) The digital asset server encrypts the hash value hf,z2(c̃1) using its own secret key j, and sends the encrypted hash value hf,z2(c̃1)⊕j together with c̃1 to the digital asset authentication center 2. The digital asset authentication center 2 decrypts the received result using the shared secret key j to obtain hf,z2(c̃1). Subsequently, the digital asset authentication center 2 uses its own secret key z2, serving as an input random number, together with the pre-generated irreducible polynomial f(x) to obtain a hash function h′f,z2 based on a linear feedback shift register, and uses it to compute the hash value of c̃1, denoted h′f,z2(c̃1). If the hash value h′f,z2(c̃1) is equal to the hash value hf,z2(c̃1) obtained through decryption, the authentication is successful; otherwise, the authentication is unsuccessful, and the process returns to authenticate again.
Eventually, the hash value hf,z2(c̃1), that is, c1, is stored; it is the unique identity of the digital asset accessed at moment t1.
3) In a similar manner, at moment tk, the unique identity ck-1 of the digital asset M accessed at moment tk-1 and the subsidiary document ck of length nk, generated in real time when the access user accesses the digital asset M at moment tk, are nested to form an identity document c̃k=(ck-1, ck). The identity document c̃k=(ck-1, ck) is authenticated by the digital asset server and the digital asset authentication center 2 using the same approach as for the identity document c̃1. A hash value ck of the identity document c̃k is obtained after authentication, and this hash value ck is the unique identity of the digital asset accessed at moment tk.
(4) Traceability analysis: the above step (2) and step (3) are repeated multiple times to obtain the unique identity of the digital asset at the final access moment, that is, the unique identity ck of the digital asset at moment tk. The history of the unique identity of the digital asset at the final access moment is then traced, that is, the history of the unique identity of the digital asset at moments t<tk is traced. The traceability analysis of the digital asset is thus completed.
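The LFSR-based Toeplitz hash, the (hash, str)⊕key authentication exchange of Approach 5 (the same hash-then-XOR-encrypt pattern as steps S3 to S5 of the signature above) and the nested identity chain of steps (3) and (4) with its traceability check, as an added Python example that is not part of the present disclosure. It assumes a toy degree n=8 with the irreducible polynomial x^8+x^4+x^3+x+1, a fresh (p, z2, j) key triple per access standing in for the shared quantum keys, identities encoded as n/8 bytes, and constructed sample documents.

```python
import secrets

def gf2_mod(a: int, m: int) -> int:
    """Remainder of polynomial a modulo m over GF(2); ints hold coefficient bits."""
    dm = m.bit_length() - 1
    while a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a

def is_irreducible(p: int) -> bool:
    """Trial division by every polynomial of degree 1..deg(p)//2 (fine for toy degrees)."""
    n = p.bit_length() - 1
    return n >= 1 and all(gf2_mod(p, d) for k in range(1, n // 2 + 1)
                          for d in range(1 << k, 1 << (k + 1)))

def random_irreducible(n: int) -> int:
    """Draw x^n + n random lower coefficients until irreducible; those n bits are 'str'."""
    while not is_irreducible(p := (1 << n) | secrets.randbits(n)):
        pass
    return p

def toeplitz_hash(p: int, seed: int, msg: bytes) -> int:
    """LFSR-based Toeplitz hash h_{p,seed}: Toeplitz column j is the LFSR state after j steps."""
    n = p.bit_length() - 1
    taps, state, out = p & ((1 << n) - 1), seed & ((1 << n) - 1), 0
    assert state, "LFSR seed (the shared key) must be nonzero"
    for byte in msg:
        for i in range(8):
            if (byte >> i) & 1:
                out ^= state
            newbit = bin(state & taps).count("1") & 1  # Fibonacci LFSR feedback
            state = (state >> 1) | (newbit << (n - 1))
    return out

def authenticate(p: int, z2: int, j: int, doc: bytes):
    """Approach 5 of the text: server sends (hash, str) XOR-encrypted under the 2n-bit key j;
    the centre decrypts, rebuilds p'(x) from str, recomputes and compares.  Returns the
    agreed n-bit identity, or None when the two hash values differ."""
    n = p.bit_length() - 1
    mask, jmask = (1 << n) - 1, (1 << 2 * n) - 1
    sent = ((toeplitz_hash(p, z2, doc) << n) | (p & mask)) ^ (j & jmask)  # server side
    plain = sent ^ (j & jmask)                                            # centre side
    h_recv, p_prime = plain >> n, (1 << n) | (plain & mask)
    return h_recv if toeplitz_hash(p_prime, z2, doc) == h_recv else None

def identity_chain(c0: bytes, subsidiaries: list, keys: list) -> list:
    """c_k = h(c_{k-1} || subsidiary_k), a fresh (p, z2, j) triple per access; returns identities."""
    ids, prev = [], c0
    for sub, (p, z2, j) in zip(subsidiaries, keys):
        h = authenticate(p, z2, j, prev + sub)
        if h is None:
            raise ValueError("authentication failed: return and authenticate again")
        prev = h.to_bytes((p.bit_length() - 1) // 8, "big")
        ids.append(prev)
    return ids

def trace(c0: bytes, subsidiaries: list, keys: list, claimed: list) -> int:
    """Traceability analysis: index of the first stored identity the recomputed chain disagrees with, or -1."""
    recomputed = identity_chain(c0, subsidiaries, keys)
    return next((k for k, (a, b) in enumerate(zip(recomputed, claimed)) if a != b), -1)
```

Because the hash is GF(2)-linear and the LFSR state never reaches zero for an irreducible polynomial, any single-bit change to a subsidiary document changes that access's identity, so `trace` pinpoints the earliest altered access.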
According to the solution proposed by the present disclosure, the identity document at the current access moment is formed by nesting the unique identity of the digital asset at the previous access moment and the subsidiary document at the current access moment. The identity document at the current access moment is authenticated, and the hash value obtained from it is the unique identity of the digital asset at the current access moment; this unique identity represents the integrity of the digital asset. Meanwhile, the unique identity of the digital asset may be traced through its earlier access moments to complete the traceability analysis of the entire life cycle of the digital asset.
To satisfy the needs of information-theoretic security or unconditional security, the hash function chosen by the present disclosure is preferably a hash function based on a Toeplitz matrix. Nevertheless, many alternative hash functions may be chosen to meet the requirements of the present disclosure, as long as the chosen hash function satisfies four properties: fast forward computation, difficult backward computation, input sensitivity and collision avoidance. Fast forward computation means that, given a plaintext and the hash algorithm, the hash value may be obtained quickly within limited time and with limited resources. Difficult backward computation means that, given some hash values, the plaintext is difficult or even impossible to deduce within limited time. Input sensitivity means that any change to the original input information should produce a different hash value. Collision avoidance means that it is very difficult to find two distinct pieces of plaintext with the same hash value. Because it offers a wide range of choices for hash value computation, the solution provided by the present disclosure is easy and convenient to implement and may be widely applied in generalized information security areas such as information authentication on digital networks, digital signatures, digital currency and blockchain, which is of significant practical meaning for further promoting the rapid development of digital informatization.