CN114154989A

CN114154989A - Transaction processing method, equipment and system

Info

Publication number: CN114154989A
Application number: CN202111483903.6A
Authority: CN
Inventors: 郭锐; 莫楠; 李辉忠; 范瑞彬; 张开翔; 胡朝新
Original assignee: WeBank Co Ltd
Current assignee: WeBank Co Ltd
Priority date: 2021-12-07
Filing date: 2021-12-07
Publication date: 2022-03-08
Anticipated expiration: 2041-12-07
Also published as: CN114154989B

Abstract

The application provides a transaction processing method, equipment and system. The method comprises the following steps: encrypting input transaction data of a first user through a first input blinding factor to obtain a first input commitment, and encrypting output transaction data of the first user through a first output blinding factor to obtain a first output commitment; determining the ratio of the first output blinding factor to the first input blinding factor as first check information; hashing the first check information to obtain first signature content; signing the first signature content through the difference value of the first output blinding factor and the first input blinding factor to obtain first signature information; generating first transaction information, the first transaction information comprising: the first input commitment, the first output commitment, the first verification information, the first signature information and the first signature content. According to the embodiment of the application, the commitment and the signature can be combined, so that blind factors are required to be used in the calculation processes of the commitment and the signature, and the transaction safety is improved.

Description

Transaction processing method, device and system

Technical Field

The embodiment of the application relates to the technical field of financial science and technology, in particular to a transaction processing method, device and system.

Background

In the field of financial technology (Fintech), blockchain (Block chain) technology is a common technology for storing transaction data through a chain structure, which may be referred to as a blockchain. Transaction data on the blockchain is typically stored in encrypted form and can only be used after verification of the transaction data has passed.

The encryption algorithm and the verification algorithm of the transaction data may affect the security of the transaction data, i.e., the transaction security. Therefore, how to improve the transaction security in the encryption process and the verification process is an urgent problem to be solved.

Disclosure of Invention

The application provides a transaction processing method, equipment and a system, which are used for improving transaction safety.

In a first aspect, the present application provides a transaction processing method, the method comprising:

the first electronic equipment encrypts input transaction data of a first user through a first input blinding factor to obtain a first input commitment, and encrypts output transaction data of the first user through a first output blinding factor to obtain a first output commitment;

the first electronic device determines a ratio of the first output blinding factor to the first input blinding factor as first verification information;

the first electronic equipment hashes the first verification information to obtain first signature content;

the first electronic device signs the first signature content through the difference value of the first output blinding factor and the first input blinding factor to obtain first signature information;

the first electronic device generates first transaction information, wherein the first transaction information comprises: the first input commitment, the first output commitment, the first verification information, the first signature information, and first signature content.

Optionally, the first user is an arbitrary user in a first user group, where the first user group includes a plurality of users, and the method further includes:

the first electronic device receives first transaction information of a second user, which is sent by at least one second electronic device, wherein the first transaction information of the second user is generated by the second electronic device according to information of the second user, the manner of generating the first transaction information of the second user by the second electronic device is the same as the manner of generating the first transaction information of the first user by the first electronic device, and the second user is a user except the first user in the first user group;

the first electronic device aggregates the first transaction information of each user in the first user group to obtain first aggregated transaction information of the first user group, where the first aggregated transaction information includes at least one of the following information: the first aggregated input commitment is obtained by aggregating the first input commitments of the users, the first aggregated output commitment is obtained by aggregating the first output commitments of the users, the first aggregated check information is obtained by aggregating the first check information of the users, the first aggregated signature information is obtained by aggregating the first signature information of the users, and the first aggregated signature content is obtained by aggregating the first signature content of the users.

the first electronic device sends the first transaction information to a third electronic device, so that the third electronic device aggregates the first transaction information of each user in the first user group to obtain first aggregated transaction information of the first user group, wherein the first aggregated transaction information includes at least one of the following information: the first aggregation input commitment is obtained by aggregating the first input commitments of the users, the first aggregation output commitment is obtained by aggregating the first output commitments of the users, the first aggregation check information is obtained by aggregating the first check information of the users, the first aggregation signature information is obtained by aggregating the first signature information of the users, and the first aggregation signature content is obtained by aggregating the first signature content of the users.

Optionally, the hashing the first verification information by the first electronic device to obtain a first signature content includes:

and the first electronic equipment hashes the first verification information and the public keys of the users in the first user group to obtain the first signature content.

Optionally, the public key of the first user is generated by:

the first electronic equipment randomly selects an initial private key of the first user from a preset integer finite field;

the first electronic equipment generates an initial public key of the first user according to the initial private key;

the first electronic device determines a private key of the first user according to a first target hash value and the initial private key, wherein the first target hash value is obtained by hashing an initial public key of the first user and an initial public key set of each user of the first user group;

and the first electronic equipment generates a public key of the first user according to the private key of the first user.

In a second aspect, the present application provides a transaction processing method, comprising:

the fourth electronic device obtains first aggregated transaction information of a first user group, wherein the first aggregated transaction information comprises: a first aggregation input commitment obtained by aggregating first input commitments of users in the first user group, a first aggregation output commitment obtained by aggregating first output commitments of the users, first aggregation check information obtained by aggregating first check information of the users, first aggregation signature information obtained by aggregating first signature information of the users, and first aggregation signature content obtained by aggregating first signature content of the users;

the fourth electronic device performs bilinear pairing on the first aggregated signature information and the generation sub of the first user group to obtain a first pairing result, and performs bilinear pairing on the first aggregated signature content and the first aggregated verification information to obtain a second pairing result;

if the first pairing result is consistent with the second pairing result, and the ratio of the first aggregate output commitment to the first aggregate input commitment is consistent with the first aggregate verification information, the fourth electronic device determines that the first aggregate transaction information is successfully verified.

Optionally, after determining that the first aggregated transaction information is successfully verified, the fourth electronic device further includes:

the fourth electronic device takes the sum of the first output blinding factors of the users in the first user group as a second input blinding factor;

when a third user carries out transaction, the fourth electronic device encrypts the input transaction data of the third user through the second input blinding factor to obtain a second input commitment;

and the fourth electronic equipment generates second transaction information of the third user, wherein the second transaction information comprises the second input commitment.

Optionally, the third user is any user in a second user group, where the second user group includes a plurality of users, the second transaction information further includes a second output commitment, and before the fourth electronic device generates the second transaction information of the third user, the method further includes:

the fourth electronic equipment selects an initial blinding factor of the third user in a preset integer finite field;

the fourth electronic device hashes the initial blinding factor and the public key set of each user in the second user group to obtain a second target hash value;

the fourth electronic device determines a second output blinding factor of the third user according to the initial blinding factor and the second target hash value;

and the fourth electronic equipment encrypts the output transaction data of the third user through the second output blinding factor to obtain the second output commitment.

Optionally, the method further comprises:

the fourth electronic device determines real verification information according to the first output blinding factor of each user in the first user group and the first input blinding factor of each user in the first user group;

if the first pairing result is consistent with the second pairing result, and the ratio of the first aggregate output commitment to the first aggregate input commitment is consistent with the first aggregate verification information, the fourth electronic device determines that the first aggregate transaction information is successfully verified, including:

if the first pairing result is consistent with the second pairing result, the ratio of the first aggregate output commitment to the first aggregate input commitment is consistent with the first aggregate verification information, and the real verification information is consistent with the first aggregate verification information, the fourth electronic device determines that the first aggregate transaction information is successfully verified.

In a third aspect, the present application provides a first electronic device, comprising: at least one processor and memory;

the memory stores computer-executable instructions;

the at least one processor executes computer-executable instructions stored by the memory to cause the first electronic device to implement a method as in the preceding first aspect.

In a fourth aspect, the present application provides a fourth electronic device, comprising: at least one processor and memory;

the memory stores computer-executable instructions;

the at least one processor executes the computer-executable instructions stored by the memory such that the fourth electronic device implements the method of the second aspect as previously described.

In a fifth aspect, the present application provides a transaction processing system comprising the first electronic device of the third aspect and the fourth electronic device of the fourth aspect.

In a sixth aspect, the present application provides a computer-readable storage medium having stored thereon computer-executable instructions that, when executed by a processor, cause a computing device to implement a method according to the first or second aspect.

In a seventh aspect, the present application provides a computer program for implementing the method of the first or second aspect.

The application provides a transaction processing method, a device and a system, wherein the method comprises the following steps: encrypting input transaction data of a first user through a first input blinding factor to obtain a first input commitment, and encrypting output transaction data of the first user through a first output blinding factor to obtain a first output commitment; determining the ratio of the first output blinding factor to the first input blinding factor as first check information; hashing the first check information to obtain first signature content; signing the first signature content through the difference value of the first output blinding factor and the first input blinding factor to obtain first signature information; generating first transaction information, the first transaction information comprising: the first input commitment, the first output commitment, the first verification information, the first signature information and the first signature content. The embodiment of the application can combine the commitment and the signature, namely, a blinding factor is required to be used in the calculation process of the commitment and the signature. Thus, even though the blinding factor and commitment may be modified to satisfy the commitment formula, the signature verification formula cannot be satisfied. Therefore, verification can be guaranteed not to pass, the influence of malicious attack on the transaction is avoided, and the security of the transaction is improved.

Drawings

In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and those skilled in the art can also obtain other drawings according to the drawings without inventive exercise.

FIG. 1 is a relational diagram of a plurality of transactions provided by the prior art;

FIG. 2 is a schematic diagram of a transaction process based on commitment and aggregated signatures provided by the prior art;

FIG. 3 is a schematic diagram of an aggregated transaction process provided by the prior art;

FIG. 4 is a flowchart illustrating steps of a transaction processing method according to an embodiment of the present disclosure;

FIG. 5 is a flowchart illustrating steps of another transaction processing method according to an embodiment of the present disclosure;

fig. 6 is a block diagram of an electronic device according to an embodiment of the present disclosure.

Detailed Description

To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some but not all embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art without any inventive work based on the embodiments in the present application are within the scope of protection of the present application.

The embodiment of the application can be applied to the transaction process of electronic money, and each transaction has one input data and a plurality of output data. In the process of electronic money transaction, the input data of each transaction is the output data of the previous transaction or the money data rewarded by the system, and the output data of each transaction can be used as the input data of the next transaction. The input data and the output data here may be the number of electronic money.

In practical applications, the output data of the transaction may be stored in an unused transaction output (UTXO), and the input data may be part or all of the output data of the previous transaction. FIG. 1 is a relational diagram of a plurality of transactions provided by the prior art.

Referring to FIG. 1, a first transaction TX0 has one input data IPT00 and two output data OPT00, OPT 01. The input data IPT00 is the

system reward

100, 40 of the output data OPT00 is used as the input data IPT10 of the next transaction TX1, and 50 of the output data OPT01 is used as the input data IPT20 of the next transaction TX 2.

Referring to FIG. 1, the next transaction TX1 of TX0 has one input data IPT10 and one output data OPT 10. The input data IPT10 is 40 of the output data OPT00 of the previous transaction TX0, and 30 of the output data OPT10 is used as the input data IPT30 of the next transaction TX 3.

Referring to FIG. 1, the next transaction TX3 of TX1 has one input data IPT30 and one output data OPT 30. The input data IPT30 is 30 of the output data OPT10 of the previous transaction TX1, and the output data OPT30 is not used by the next transaction.

Referring to FIG. 1, the next transaction TX2 of TX0 has one input data IPT20 and two output data OPT20, OPT 21. The input data IPT20 is 50 of the output data OPT01 of the previous transaction TX1, 20 of the output data OPT20 is used as the input data TX4 of the next transaction TX4, and 20 of the output data OPT21 is used as the input data IPT50 of the next transaction TX 5.

Referring to FIG. 1, the next transaction TX4 of TX2 has one input data IPT40 and one output data OPT 40. The input data IPT40 is 20 of the output data OPT20 of the previous transaction TX2, and 10 of the output data OPT40 is used as the input data IPT60 of the next transaction TX 6.

Referring to FIG. 1, the next transaction TX5 of TX2 has one input data IPT50 and one output data OPT 50. The input data IPT50 is 20 of the output data OPT21 of the previous transaction TX2, and 10 of the output data OPT50 is used as the input data IPT61 of the next transaction TX 6.

Referring to FIG. 1, the next transaction TX6 of TX4 and TX5 has two input data IPT60, IPT61 and one output data OPT 60. The input data IPT60 is 10 of the output data OPT40 of the previous transaction TX4, the input data IPT61 is 10 of the output data OPT50 of the previous transaction TX5, and the output data OPT60 is not used by the next transaction.

It can be seen from the above process that the output data of each transaction can be used as the input data of the next transaction, i.e. used by the next transaction. After the output data is used, the output data for that transaction is no longer stored in the UTXO. If the output data is not used up, the output data for the transaction is stored in the UTXO.

To ensure the security of the transaction process described above, the input data and the output data may be encrypted by commitment. The data obtained by encrypting the input data may be referred to as an input commitment, the data obtained by encrypting the output data may be referred to as an output commitment, and the input commitment and the output commitment of the previous transaction are transmitted to the receiving party so that the receiving party can use the output data of the previous transaction through the next transaction.

In the commitment process, the transaction needs to be signed, and the transaction process based on the commitment and the aggregated signature can involve two user groups: the system comprises a sender user group and a receiver user group, wherein the sender user group carries out transfer transaction to the receiver user group. The sender user group and the receiver user group are relative and may be different for different transaction processes. For example, during transfer of the user group UG1 to the user group UG2, UG1 is the sender user group and UG2 is the recipient user group. For another example, in the process of transferring the user group UG2 to the user group UG3, UG2 is the sender user group and UG3 is the receiver user group.

The user groups may be obtained by dividing all users in any manner, for example, the user groups UG1, UG2, and UG3 may be obtained by dividing the user groups according to regions.

Fig. 2 is a schematic diagram of a transaction process based on commitment and aggregated signature provided by the prior art. Referring to fig. 2, the transaction process may include the following steps:

s1: the electronic device of each user in the sender user group generates an input commitment and an output commitment.

Specifically, the electronic device of the ith user USR _ i in the sender user group encrypts input data IPT _ i of the USR _ i through a randomly generated input blinding factor IK _ i of the USR _ i to obtain an input commitment ICO _ i of the USR _ i, and encrypts output data OPT _ i of the USR _ i through a randomly generated output blinding factor OK _ i of the USR _ i to obtain an output commitment OCO _ i of the USR _ i.

The encryption process here may use the following formula:

CO＝(g^k·h^v)(mod q) (1)

where CO may be an input commitment or an output commitment, g and h are generators of a group with q as an order, k is an input blinding factor or an output blinding factor, and v is input data or output data.

It can be understood that when the input data IPT _ i is encrypted, replacing v with IPT _ i and replacing k with IK _ i, CO can be calculated by the above formula (1), and the CO is an input commitment of USR1_ i and is denoted as ICO _ i. When the output data OPT _ i is encrypted, v is replaced by OPT _ i, and k is replaced by OK _ i, so that CO can be obtained through calculation of the formula (1), wherein CO is an output commitment of USR _ i and is marked as OCO _ i.

S2: and the electronic equipment of each user in the sender user group signs the empty character string to obtain signature information.

Specifically, the signature information may be calculated by the following formula:

SGN_i＝[Hash(m)]^SK_i (2)

wherein, SGN _ i is signature information, Hash (m) is used for hashing a blank character string m, and SK _ i is a private key of a user.

After obtaining the input commitment, the output commitment and the signature information, the electronic device of each user in the sender user group may send the input commitment, the output commitment and the signature information of the electronic device to the untrusted aggregator, so that the untrusted aggregator aggregates the transactions to obtain aggregated transaction information.

The untrusted aggregator may be an electronic device of one target user in the sender user group, or may be an electronic device of a third party. Wherein the target user may be any user in the sender user group.

When the untrusted aggregator is the electronic device of the target user, the electronic device of the target user may send the aggregated transaction information obtained by aggregation to the electronic device of the recipient user group or the electronic device of the third party, so as to verify the aggregated transaction information. The above process of generating input and output commitments may be referred to as a commitment phase, followed by an open phase. In the opening phase, the electronic device of each user in the sender user group needs to send the input blinding factor and the output blinding factor used for encryption to the electronic device of the target user, so that the electronic device forwards the input blinding factor and the output blinding factor to the receiver user group or the electronic device of the third party. The electronic device of the receiving party user group or the third party can carry out commitment verification on the aggregated transaction information, and the generation sub-g and the generation sub-h required by the commitment verification are also disclosed in advance by the sending party user group.

When the untrusted aggregator is an electronic device of a third party, the electronic device of the third party may send the aggregated transaction information obtained by aggregation to an electronic device of the receiving party user group, so that the electronic device of the receiving party user group verifies the aggregated transaction information. The electronic device of the third party may also verify the aggregated transaction information obtained by aggregation. In the opening phase, the electronic device of each user in the sender user group needs to send the input blinding factor and the output blinding factor used for encryption to the electronic device of the third party, so that the electronic device forwards the input blinding factor and the output blinding factor to the receiver user group or verifies the electronic device for use. The electronic device of the receiving party user group or the third party can perform commitment verification on the aggregated transaction information, and the generation sub-g and the generation sub-h required by the commitment verification are also disclosed in advance by the sending party user group.

In fig. 2 of the embodiment of the present application, an example is described in which the untrusted aggregator is an electronic device of a target user and a device for verifying aggregated transaction information is an electronic device of a recipient user group.

S3: the electronic equipment of the target user aggregates input commitment, output commitment and signature information of each user in the user group of the sender to obtain aggregated transaction information, wherein the aggregated transaction information comprises: aggregate input commitments, aggregate output commitments, and aggregate signature information.

The aggregated input commitment may be a product of input commitments of users in the sending user group, the aggregated output commitment may be a product of output commitments of users in the sending user group, and the aggregated signature information may be a product of signature information of users in the sending user group.

S4: and the electronic equipment of the receiver user group performs commitment verification on the aggregated transaction information and performs signature verification on the aggregated signature information.

The electronic device of the receiving party user group may be an electronic device of any user in the receiving party user group. The electronic devices of all or a part of the users in the recipient user group may perform the authentication in S4 described above.

In the commitment verification process, firstly, the input blinding factors of all users in the sender user group can be summed to obtain a total input blinding factor, and the output blinding factors of all users in the sender user group can be summed to obtain a total output blinding factor; then, replacing k in formula (1) with the total input blinding factor to obtain one commitment, which can be called as a verification input commitment, and replacing k in formula (1) with the total output blinding factor to obtain another commitment, which can be called as a verification output commitment; finally, if the verification input commitment is consistent with the aggregation input commitment and the verification output commitment is consistent with the aggregation output commitment, determining that the commitment verification is passed, otherwise, determining that the commitment verification is not passed.

In the signature verification process, the product of the public keys PK _ i of all users in the sender user group is obtained to obtain an aggregate public key PK, whether the following formula (3) is established or not is verified, if the formula (3) is established, the signature verification is determined to be passed, and if not, the signature verification is determined not to be passed.

e(Hash(Y)，PK)＝e(g,SGN) (3)

Wherein, Y is a null character string, e is a bilinear pairing algorithm, g is the above generator, and SGN is aggregated signature information.

If the acceptance verification and the signature verification pass, the verification is successful, namely the transfer transaction from the sending user group to the receiving user group is successful. Therefore, the user group of the receiving party can use the output data corresponding to the transfer transaction of the user group of the sending party through the transaction, which is the next transaction process, and the process is the same as the process shown in fig. 2, except that the user group of the sending party and the user group of the receiving party need to be adjusted.

It can be seen that the above-described aggregated transaction process requires the electronic devices of all users of the sending user group to send transaction information to the untrusted aggregator. Fig. 3 is a schematic diagram of an aggregate transaction process provided by the prior art, fig. 3 is an example of an aggregate transaction between a sending user group and a receiving user group, and the untrusted aggregator in fig. 3 is an electronic device of a user USR _ m in the sending user group. Referring to fig. 3, the electronic devices of the users USR2_1 to USR2_ m-1 in the sender user group send transaction information TX2_1 to TX2_ m-1 to the untrusted aggregator, the untrusted aggregator aggregates the transaction information TX2_1 to TX2_ m-1 and TX2_ m to obtain aggregated transaction information TX2, and then the untrusted aggregator sends TX2 to the receiver user group, so that the electronic devices of the users USR3_1 to USR3_ n in the receiver user group use the total output data of the sender user group.

However, the untrusted aggregator may modify the transmitted transaction information. In the prior art, the commitment and the signature information are independent, and common parameters do not exist, so that after the commitment in the transaction information is modified, the corresponding modification blinding factor is used, so that the commitment verification and the signature verification are successful. In this case, the malicious attack can be successful by modifying the commitment attack, and the safety of the transaction is reduced.

For example, first, the user group UG1 is a sender user group, and a transaction is made with the receiver user group UG2 according to the process of fig. 2 described above. After the transaction of UG1 and UG2 is completed, UG2 acts as the sender user group and needs to be transacted with the recipient user group UG3 according to the process described above in fig. 2.

Assume that two users USR2_1 and USR2_2 are included in the user group UG 2. After the electronic devices of the user group UG2 verify the aggregated transaction information of the user group UG1 by the method of fig. 2, the electronic devices of USR2_1 and USR2_2 need to generate new transactions to transfer the output data of the user group UG2 using the user group UG 1. When new transactions are generated, the electronic devices of the USR2_1 and the USR2_2 respectively generate transaction information and uniformly transmit the transaction information to the electronic device of one user (for example, the USR2_ 1). If the electronic device of USR2_1 receives the input commitment g from the electronic device of USR2_2^IK_2·h⁵(mod q) input commitment g of USR2_1^IK_1·h⁵(mod q) is modified to g^IK_1·h¹⁰(mod q)/g^IK_2·h⁵(mod q), and the electronic device of USR2_1 outputs commitment g as per USR2_2^OK_2·h⁵(mod q), commitment g of output of USR2_1^OK ^_1·h⁵(mod q) is modified to g^OK_1·h¹⁰(mod q)/g^OK_2·h⁵(mod q), then g is added^IK_1·h¹⁰(mod q)/g^IK_2·h⁵(mod q) with input commitment g of USR2_2^IK_2·h⁵(mod q) to get an aggregated input commitment g^IK ^_1·h¹⁰(mod q), mixing g^OK_1·h¹⁰(mod q)/g^OK_2·h⁵(mod q) with output commitment g of USR2_2^OK_2·h⁵(mod q) to get an aggregate output commitment g^OK_1·h¹⁰(mod q); finally, signature information Hash (m) to USR2_1^SK_1And signature information Hash (m) of USR2_1^SK_2Is polymerized to obtainTo aggregate signature information Hash (m)^SK_1·Hash(m)^SK_2。

In this way, after the aggregated input commitment, the aggregated output commitment and the aggregated signature information, the input blinding factor IK _1 and the output blinding factor OK _1 are transmitted to the user group UG3, the user group UG3 verifies them.

When the electronic device of UG3 verifies the aggregate input commitment, the input blinding factors IK _1 of the user group UG2 are aggregated to obtain an aggregate input blinding factor, and then the aggregate input blinding factor IK _1 and the total input data 10 are input into the formula (1), so that the verification input commitment g can be obtained^IK_1·h¹⁰(mod q). It can be seen that the verification input commitment is the same as the aggregated input commitment, so that the input commitment verification passes.

Similarly, when verifying the aggregate output commitment, the output blinding factors OK _1 of the user group UG2 are aggregated to obtain the aggregate output blinding factor, and then the aggregate output blinding factor OK _1 and the total output data 10 are input into the formula (1) to obtain the verification output commitment g^OK_1·h¹⁰(mod q). As can be seen, the verification output commitment is the same as the aggregated output commitment, so that the output commitment verifies.

Finally, when the aggregated signature information is verified, the aggregated signature information is still verified successfully because the signature information is not modified.

Through the verification process, the users in the user group UG3 can use the output data of the USR2_2 without using the blinding factor of the USR2_2, that is, the users in the user group UG3 can use the data even if the users are not authorized by the USR2_2, thereby reducing the security of the transaction.

In order to solve the above problem, the embodiments of the present application may combine the commitment and the signature, that is, a blinding factor is required to be used in the calculation process of both the commitment and the signature. Thus, even though the blinding factor and commitment may be modified to satisfy the commitment formula, the signature verification formula cannot be satisfied. Therefore, the verification can be ensured not to pass, the influence of malicious attack on the transaction is avoided, and the security of the transaction is improved.

Fig. 4 is a flowchart illustrating specific steps of a transaction processing method according to an embodiment of the present application, which is applied to a first electronic device. Referring to fig. 4, the method may include:

s101: the first electronic device encrypts the input transaction data of the first user through the first input blinding factor to obtain a first input commitment, and encrypts the output transaction data of the first user through the first output blinding factor to obtain a first output commitment.

The first user is any user in a first user group, and the first user group comprises a plurality of users. The first user group in the embodiment of the present application may be a sending user group, and the first user is a sending user. In the embodiment of the present application, it is assumed that the first user is the ith user USR _ i in the first user group.

Specifically, for each transaction of the first user, a first input blinding factor of the first user for the transaction is randomly generated, so that K in formula (1) is replaced by the first input blinding factor, v in formula (1) is replaced by first input data of the transaction of the first user, and CO calculated by formula (1) is a first input commitment of the transaction of the first user.

Similarly, for each transaction of the first user, a first output blinding factor of the first user for the transaction is randomly generated, so that K in formula (1) is replaced by the first output blinding factor, v in formula (1) is replaced by the first output data of the transaction of the first user, and CO obtained through calculation of formula (1) is a first output commitment of the transaction of the first user.

Of course, if there are multiple transactions for the same user, the first input commitment and the first output commitment for the multiple transactions are generated correspondingly, each transaction corresponds to the first input blinding factor, and each transaction corresponds to the first output blinding factor. In this way, a first set of input commitments for the first user, a first set of output commitments for the first user, a first set of input blinding factors for the first user, and a first set of output blinding factors for the first user are obtained. Thus, the first input commitment of the first user may be a product of first input commitments for a plurality of transactions in the first set of input commitments of the first user, and the first output commitment of the first user may be a product of first output commitments for a plurality of transactions in the first set of output commitments of the first user.

S102: the first electronic device determines a ratio of the first output blinding factor to the first input blinding factor as first verification information.

Here, the first verification information may be understood as not only verification information committed to input and output but also a public key of the first signature information.

S103: and the first electronic equipment hashes the first verification information to obtain first signature content.

The hash algorithm is an algorithm commonly used in cryptography, and is not described herein again.

Optionally, the first signature content may be obtained by hashing only the first verification information, or may be obtained by hashing the first verification information and a public key of each user in the first user group.

S104: the first electronic device signs the first signature content through the difference value of the first output blinding factor and the first input blinding factor to obtain first signature information.

Specifically, for a first user USR _ i, the first signature information of the first user may be calculated by the following formula:

the method includes the steps that SGN _ i is first signature information of USR _ i, E _ i is first verification information of USR _ i, PK is a public key set of a first user group formed by public keys of users in the first user group, Kout _ i _ J is a first output blinding factor of jth transaction of USR _ i, Kin _ i _ J is a first input blinding factor of jth transaction of USR _ i, and J _ i is transaction number of USR _ i.

The Hash (E _ i, PK) in the above formula (3) is the first signature content M _ i of USR _ i. In the embodiment of the present application, when calculating the first signature content, it is also possible to use the Hash (E _ i) as the first signature content without using the public key set PK, that is, calculate the first signature information of the first user by the following formula (4).

It can be seen that the first signature content in formula (3) is obtained by hashing the first verification information and the public key of each user in the first user group, and the first signature content in formula (4) is obtained by hashing the first verification information. In this way, the public keys of all users in the first user group are required to be used for verifying the first signature content of formula (3), so that the reliability of formula (3) is better than that of formula (4), which helps to further improve the security of the transaction.

S105: the first electronic device generates first transaction information, wherein the first transaction information comprises: the first input commitment, the first output commitment, the first verification information, the first signature information and the first signature content.

Specifically, the first transaction information TX _ i ═ ICO _ i, OCO _ i, ei, sgni, and M _ i may be generated according to the first input commitment ICO _ i, the first output commitment OCO _ i, the first verification information eii, the first signature information sgni, and the first signature content M _ i obtained as described above.

It should be noted that, since the first user is any user in the first user group, the electronic devices of the users in S101 to S105 can generate the first transaction information of the user. Based on this, the first transaction information of each user in the first user group may be aggregated to obtain the first aggregated transaction information of the first user group. The aggregation process is performed by a non-trusted aggregator, which may be performed by the electronic device of the first user or may be performed by an electronic device of a third party.

When the untrusted aggregator is the foregoing first electronic device, in order to aggregate the first transaction information of each user in the first user group, the first electronic device further needs to receive the first transaction information of the second user sent by at least one second electronic device. The first transaction information of the second user is generated by the second electronic device according to the information of the second user, the mode of generating the first transaction information of the second user by the second electronic device is the same as the mode of generating the first transaction information of the first user by the first electronic device, and the second user is a user except the first user in the first user group.

After the first electronic device receives the first transaction information sent by the second electronic device, the first electronic device may aggregate the first transaction information of each user in the first user group to obtain first aggregated transaction information of the first user group, where the first aggregated transaction information includes at least one of the following information: the first aggregated input commitment is obtained by aggregating the first input commitments of the users, the first aggregated output commitments are obtained by aggregating the first output commitments of the users, the first aggregated check information is obtained by aggregating the first check information of the users, the first aggregated signature information is obtained by aggregating the first signature information of the users, and the first aggregated signature content is obtained by aggregating the first signature content of the users.

When the untrusted aggregator is an electronic device of the third party (hereinafter referred to as a third electronic device), the first electronic device sends the first transaction information to the third electronic device, so that the third electronic device aggregates the first transaction information of each user in the first user group to obtain first aggregated transaction information of the first user group, where the first aggregated transaction information includes at least one of the following information: the first aggregation input commitment is obtained by aggregating the first input commitments of the users, the first aggregation output commitment is obtained by aggregating the first output commitments of the users, the first aggregation verification information is obtained by aggregating the first verification information of the users, the first aggregation signature information is obtained by aggregating the first signature information of the users, and the first aggregation signature content is obtained by aggregating the first signature content of the users.

The first aggregated input commitment is a product of first input commitments of users in the first user group, the first aggregated output commitment is a product of first output commitments of the users in the first user group, the first aggregated check information is a product of first check information of the users in the first user group, the first aggregated signature information is a product of first signature information of the users in the first user group, and the first aggregated signature content is a product of first signature content aggregation of the users in the first user group.

The method and the device for verifying the first aggregated transaction information can aggregate the first transaction information of each user of the first user group to obtain the first aggregated transaction information so as to verify the first aggregated transaction information. The aggregation process can effectively reduce the verification times, thereby reducing the verification complexity. In practical applications, before the first electronic device generates the first transaction information, the first electronic device needs to perform a cryptographic environment initialization, where the cryptographic environment initialization process is the same as that of the prior art. Specific examples may include the following signature environment initialization, commitment environment initialization, and scope attestation environment initialization.

Specifically, the following process may be included:

first, the first electronic device selects an elliptic curve, G1, G2 and Gt are public point sets on the curve, and are finite groups with the order of p, and Zp is an integer finite field with the order of p. G1 and G2 are the points disclosed on the above curves and are the values in G1 and G2, respectively, the producers of G1 and G2, respectively, G and h are the producers of group G2.

The first electronic device then determines a bilinear mapping function e G1 XG 2- > Gt on the elliptic curve.

Then, the first electronic device determines a Hash function Hash.

After the above initialization of the first electronic device, a key pair also needs to be generated. In particular, each user participating in the transaction need only generate a key pair.

Specifically, first, the first electronic device randomly selects an integer from the preset integer finite field Zp as an initial private key KL _ i to calculate an initial public key PL _ i of the first user according to the initial private key (g2)^KL_i(ii) a Then, the first electronic device sends its initial public key to the first userElectronic devices of the remaining users of the group of users such that each user of the first group of users has an initial set of public keys PL ═ { PL _1, … PL _ i, …, PL _ m }; then, the first electronic device generates a private key SK _ i of the first user as Hash (PL _ i, PK) · KL _ i according to a first target Hash value and the initial private key, where the Hash (PL _ i, PL) is the first target Hash value, that is, the first target Hash value is obtained by the first electronic device hashing the initial public key of the first user and the initial public key set of each user of the first user group; finally, the first electronic device generates a public key P _ i of the first user g2 · SK _ i and a public key set PK { P _1, … P _ i, …, P _ m } according to the private key of the first user.

It can be seen that, compared with the prior art that the initial private key and the initial public key in the above process are used as the final private key and the final public key, the embodiment of the present application regenerates the final private key according to the initial private key and the first target hash value. Therefore, the randomness of the private key can be improved, the private key is prevented from being cracked, the safety of the private key is improved, and the safety of transaction is improved.

Fig. 4 shows a process of generating transaction information and aggregating the transaction information, and accordingly, fig. 5 is a flowchart of specific steps of another transaction processing method provided in this embodiment, which is applied to a fourth electronic device. The method shown in fig. 5 is a verification process of the first aggregated transaction information, and the fourth electronic device may be the third electronic device, or may be an electronic device in which part or all of the users in the receiving-party user group are located. Referring to fig. 5, the method may include:

s201: the fourth electronic device obtains first aggregated transaction information of the first user group, wherein the first aggregated transaction information comprises: the first aggregation input commitment is obtained by aggregating the first input commitments of all users in the first user group, the first aggregation output commitment is obtained by aggregating the first output commitments of all users, the first aggregation check information is obtained by aggregating the first check information of all users, the first aggregation signature information is obtained by aggregating the first signature information of all users, and the first aggregation signature content is obtained by aggregating the first signature content of all users.

It will be appreciated that the first aggregated transaction information herein is sent by the aforementioned untrusted aggregator.

S202: and the fourth electronic equipment performs bilinear pairing on the first aggregate signature information and the generation son of the first user group to obtain a first pairing result, and performs bilinear pairing on the first aggregate signature content and the first aggregate verification information to obtain a second pairing result.

The first pairing result is E (SGN, g2), the second pairing result is E (M, E), and E is a bilinear pairing algorithm. SGN is the first aggregate signature information, g2 is the generator of the first user group obtained during the initialization, M is the first aggregate signature content, and E is the first aggregate verification information.

When E (SGN, g2) ═ E (M, E), the fourth generation electronic device determines that the first pairing result coincides with the second pairing result. Otherwise, the fourth electronic device determines that the first pairing result and the second pairing result are inconsistent.

S203: if the first pairing result is consistent with the second pairing result, and the ratio of the first aggregate output commitment to the first aggregate input commitment is consistent with the first aggregate verification information, the fourth electronic device determines that the first aggregate transaction information is successfully verified.

According to the definition of the first aggregation check information, the first aggregation check information

Wherein E _ i is the first check information of USR _ i.

And according to the definition of the first checking information E _ i

Thereby, the first aggregation check information can be determined

Wherein, OCO _ i and ICO _ i are the first output commitment and the first input commitment of USR _ i, respectively, and OCO and ICO are the first aggregate output commitment and the first aggregate input commitment, respectively.That is, if the ratio of the first aggregate output commitment and the first aggregate input commitment is consistent with the first verification information, the representative commitment and the verification information are corresponding, and thus the commitment verification is successful. Otherwise, the first aggregated output commitment and the first aggregated input commitment are not corresponding, so that the commitment validation fails.

Optionally, the fourth electronic device of the embodiment of the application may further determine the real verification information according to the first output blinding factor of each user in the first user group and the first input blinding factor of each user in the first user group. Specifically, firstly, calculating the sum of first output blinding factors of each user in the first user group, and then calculating the sum of first input blinding factors of each user in the first user group; then, taking the sum of the first output blinding factors as an index, and g as a base number to calculate an index result, which is called a first index result, and taking the sum of the first input blinding factors as an index, and g as a base number to calculate an index result, which is called a second index result; and finally, calculating the ratio of the second index result to the first index result as real verification information.

Thus, the fourth electronic device may verify the first aggregated transaction information by combining the real verification information, the first pairing result, the second pairing result, a ratio of the first aggregated output commitment to the first aggregated input commitment, and the first aggregated verification information. Specifically, if the first pairing result is consistent with the second pairing result, the ratio of the first aggregate output commitment to the first aggregate input commitment is consistent with the first aggregate verification information, and the real verification information is consistent with the first aggregate verification information, the fourth electronic device determines that the first aggregate transaction information is successfully verified.

The real verification information is determined according to the first output blinding factor of each user in the first user group and the first input blinding factor of each user in the first user group, so that whether the real verification information is consistent with the first aggregation verification information represents whether the first aggregation verification information is determined according to the first output blinding factor of each user in the first user group and the first input blinding factor of each user in the first user group, the accuracy of the first aggregation verification information is improved, and the safety of transactions is further improved.

It is understood that, when the verification process is performed by the electronic device of the third party, the electronic device of the third party may send the verification result to the electronic devices of the users of the second group of users, so that the electronic devices of the users of the second group of users use the output data of the first group of users. When the verification process is executed by the electronic device of the user of the second user group, the fourth electronic device is the electronic device of the user of the second user group, and the fourth electronic device can directly use the output data of the pair of users of the first user group. The second group of users may be a group of recipient users.

The process of using the output data of the first user group by the fourth electronic device may include: firstly, the fourth electronic device takes the sum of the first output blinding factors of each user in the first user group as a second input blinding factor; then, when a third user carries out transaction, the fourth electronic device encrypts input data of the third user through a second input blinding factor to obtain a second input commitment, wherein the third user is a user in a second user group, namely the user of the fourth electronic device; finally, the fourth electronic device generates second transaction information of the third user, wherein the second transaction information comprises the second input commitment.

Specifically, the second input blinding factor is substituted by k in formula (1), the input data of the third user is substituted by v in formula (1), and the generators g and h of the second user group and the order q are substituted into formula (1) to obtain the second input commitment.

Similarly, replacing k in formula (1) with the second output blinding factor, replacing v in formula (1) with the output data of the third user, and substituting the generators g and h of the second user group and the order q into formula (1) may obtain the second output commitment.

In the prior art, the second output blinding factor is randomly selected from a predetermined integer finite field. This may cause the second output blinding factor to be easily attacked, thereby reducing the security of the second output blinding factor and further reducing the transaction security.

In order to improve the transaction security, the fourth electronic device in the embodiment of the application may improve the security of the second output blinding factor through secondary blinding, so as to improve the transaction security.

Specifically, first, the fourth electronic device may select an initial blinding factor of a third user in a preset integer limited domain; then, the fourth electronic device hashes the initial blinding factor and the public key set of each user in the second user group to obtain a second target hash value; then, the fourth electronic device determines a second output blinding factor of the third user according to the initial blinding factor and the second target hash value; and finally, the fourth electronic device encrypts the output data of the third user through the second output blinding factor to obtain a second output commitment.

Of course, the fourth electronic device needs to determine a ratio of the second output commitment to the second input commitment as the second verification information and generate the second signature information and the second signature content, where the second input commitment, the second output commitment, the second verification information, the second signature information and the second signature content constitute the second transaction information, in addition to generating the second output commitment and the second input commitment. And aggregating the second transaction information of each user in the second user group to obtain second aggregated transaction information, and sending the second aggregated transaction information to a third party or a third user group.

It can be seen that the above process is a transaction process in which the second user group serves as a new sender user group, the third user group serves as a new receiver user group, and the third user group needs to verify the second aggregated transaction information. And circulating until the user group does not have transactions.

It is to be understood that when any user group is used as the sending user group, the process of generating the transaction information may refer to the process of generating the first transaction information in fig. 4. When any user group is the receiving user group, the verification process of the transaction information can refer to the verification process in fig. 5.

The first electronic device and the fourth electronic device may be collectively referred to as an electronic device, and fig. 6 is a block diagram of a structure of an electronic device provided in an embodiment of the present application. The electronic device 600 comprises a memory 602 and at least one processor 601.

The memory 602 stores, among other things, computer-executable instructions. The at least one processor 601 executes computer-executable instructions stored by the memory 602 to cause the first electronic device 601 to implement the method of fig. 4 or to cause the fourth electronic device 601 to implement the method of fig. 5.

In addition, the electronic device may further include a receiver 603 and a transmitter 604, where the receiver 603 is configured to receive information from the remaining apparatuses or devices and forward the information to the processor 601, and the transmitter 604 is configured to transmit the information to the remaining apparatuses or devices.

An embodiment of the present application further provides a transaction processing system, including: a first electronic device and a fourth electronic device.

Wherein the first electronic device is to:

encrypting input transaction data of a first user through a first input blinding factor to obtain a first input commitment, and encrypting output transaction data of the first user through a first output blinding factor to obtain a first output commitment; determining a ratio of the first output blinding factor to the first input blinding factor as first check information; hashing the first check information to obtain first signature content; signing the first signature content according to the difference value of the first output blinding factor and the first input blinding factor to obtain first signature information; generating first transaction information, the first transaction information comprising: the first input commitment, the first output commitment, the first verification information, the first signature information, and first signature content.

Optionally, the first user is an arbitrary user in a first user group, the first user group includes a plurality of users, and the first electronic device is further configured to:

first, first transaction information of a second user sent by at least one second electronic device is received, the first transaction information of the second user is generated by the second electronic device according to information of the second user, a manner of generating the first transaction information of the second user by the second electronic device is the same as a manner of generating the first transaction information of the first user by the first electronic device, and the second user is a user except the first user in the first user group.

Then, aggregating the first transaction information of each user in the first user group to obtain first aggregated transaction information of the first user group, where the first aggregated transaction information includes at least one of the following information: the first aggregation input commitment is obtained by aggregating the first input commitments of the users, the first aggregation output commitment is obtained by aggregating the first output commitments of the users, the first aggregation check information is obtained by aggregating the first check information of the users, the first aggregation signature information is obtained by aggregating the first signature information of the users, and the first aggregation signature content is obtained by aggregating the first signature content of the users.

sending the first transaction information to a third electronic device, so that the third electronic device aggregates the first transaction information of each user in the first user group to obtain first aggregated transaction information of the first user group, where the first aggregated transaction information includes at least one of the following information: the first aggregation input commitment is obtained by aggregating the first input commitments of the users, the first aggregation output commitment is obtained by aggregating the first output commitments of the users, the first aggregation check information is obtained by aggregating the first check information of the users, the first aggregation signature information is obtained by aggregating the first signature information of the users, and the first aggregation signature content is obtained by aggregating the first signature content of the users.

Optionally, the first electronic device is further configured to:

and hashing the first verification information and the public key of each user in the first user group to obtain the first signature content.

Optionally, the first electronic device is further configured to generate the public key of the first user by:

randomly selecting an initial private key of the first user from a preset integer finite field; generating an initial public key of the first user according to the initial private key; determining a private key of the first user according to a first target hash value and the initial private key, wherein the first target hash value is obtained by hashing an initial public key of the first user and an initial public key set of each user of the first user group; and generating the public key of the first user according to the private key of the first user.

The fourth electronic device is configured to:

first, first aggregated transaction information of a first user group is obtained, wherein the first aggregated transaction information comprises: the first aggregated input commitment obtained by aggregating the first input commitments of the users in the first user group, the first aggregated output commitment obtained by aggregating the first output commitments of the users, the first aggregated check information obtained by aggregating the first check information of the users, the first aggregated signature information obtained by aggregating the first signature information of the users, and the first aggregated signature content obtained by aggregating the first signature content of the users.

Then, performing bilinear pairing on the first aggregate signature information and the generator of the first user group to obtain a first pairing result, and performing bilinear pairing on the first aggregate signature content and the first aggregate verification information to obtain a second pairing result.

Finally, if the first pairing result is consistent with the second pairing result, and the ratio of the first aggregate output commitment to the first aggregate input commitment is consistent with the first aggregate verification information, it is determined that the first aggregate transaction information is successfully verified.

Optionally, the fourth electronic device is further configured to:

after the first aggregated transaction information is determined to be successfully verified, taking the sum of first output blinding factors of all users in the first user group as a second input blinding factor; when a third user carries out transaction, encrypting input transaction data of the third user through the second input blinding factor to obtain a second input acceptance; and generating second transaction information of the third user, wherein the second transaction information comprises the second input commitment.

Optionally, the third user is any user in a second user group, the second user group includes a plurality of users, the second transaction information further includes a second output commitment, and the fourth electronic device is further configured to:

before generating second transaction information of the third user, selecting an initial blinding factor of the third user from a preset integer finite field; hashing the initial blinding factor and a public key set of each user in the second user group to obtain a second target hash value; determining a second output blinding factor of the third user according to the initial blinding factor and the second target hash value; and encrypting the output transaction data of the third user through the second output blinding factor to obtain the second output acceptance.

Optionally, the fourth electronic device is further configured to:

determining real verification information according to the first output blinding factor of each user in the first user group and the first input blinding factor of each user in the first user group; thus, if the first pairing result is consistent with the second pairing result, the ratio of the first aggregate output commitment to the first aggregate input commitment is consistent with the first aggregate verification information, and the real verification information is consistent with the first aggregate verification information, it is determined that the first aggregate transaction information is successfully verified.

Embodiments of the present application further provide a computer-readable storage medium, in which computer-executable instructions are stored, and when a processor executes the computer-executable instructions, a computing device is caused to implement the method shown in fig. 4 or fig. 5.

The embodiment of the present application further provides a computer program, where the computer program is used to implement the method shown in fig. 4 or fig. 5.

Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims

1. A transaction processing method, the method comprising:

the method comprises the steps that a first electronic device encrypts input transaction data of a first user through a first input blinding factor to obtain a first input commitment, and encrypts output transaction data of the first user through a first output blinding factor to obtain a first output commitment;

2. The method of claim 1, wherein the first user is any user in a first group of users, the first group of users including a plurality of users, the method further comprising:

the first electronic device receives first transaction information of a second user, which is sent by at least one second electronic device, wherein the first transaction information of the second user is generated by the second electronic device according to information of the second user, the way of generating the first transaction information of the second user by the second electronic device is the same as the way of generating the first transaction information of the first user by the first electronic device, and the second user is a user except the first user in the first user group;

the first electronic device aggregates the first transaction information of each user in the first user group to obtain first aggregated transaction information of the first user group, where the first aggregated transaction information includes at least one of the following information: the first aggregation input commitment is obtained by aggregating the first input commitments of the users, the first aggregation output commitment is obtained by aggregating the first output commitments of the users, the first aggregation check information is obtained by aggregating the first check information of the users, the first aggregation signature information is obtained by aggregating the first signature information of the users, and the first aggregation signature content is obtained by aggregating the first signature content of the users.

3. The method of claim 1, wherein the first user is any user in a first group of users, the first group of users including a plurality of users, the method further comprising:

4. The method according to any one of claims 1 to 3, wherein the hashing, by the first electronic device, the first verification information to obtain first signature content includes:

and the first electronic equipment hashes the first verification information and the public key of each user in the first user group to obtain the first signature content.

5. The method of claim 4, wherein the public key of the first user is generated by:

6. A transaction processing method, comprising:

the fourth electronic device performs bilinear pairing on the first aggregated signature information and the first user group generating element to obtain a first pairing result, and performs bilinear pairing on the first aggregated signature content and the first aggregated verification information to obtain a second pairing result;

7. The method of claim 6, wherein after the fourth electronic device determines that the first aggregated transaction information is successfully verified, further comprising:

the fourth electronic device takes the sum of the first output blinding factors of each user in the first user group as a second input blinding factor;

when a third user conducts transaction, the fourth electronic device encrypts the input transaction data of the third user through the second input blinding factor to obtain a second input commitment;

8. The method of claim 7, wherein the third user is any user in a second group of users, the second group of users includes a plurality of users, the second transaction information further includes a second output commitment, and before the fourth electronic device generates the second transaction information of the third user, the method further includes:

9. The method according to any one of claims 6 to 8, further comprising:

10. A first electronic device, characterized in that the electronic device comprises: at least one processor and memory;

the memory stores computer-executable instructions;

the at least one processor executing the computer-executable instructions stored by the memory causes the first electronic device to implement the method of any of claims 1-5.

11. A fourth electronic device, the electronic device comprising: at least one processor and memory;

the memory stores computer-executable instructions;

the at least one processor executing the computer-executable instructions stored by the memory causes the fourth electronic device to implement the method of any of claims 6-9.

12. A transaction processing system comprising the first electronic device of claim 10 and the fourth electronic device of claim 11.

13. A computer-readable storage medium having computer-executable instructions stored thereon, which, when executed by a processor, cause a computing device to implement the method of any of claims 1 to 5, or the method of any of claims 6 to 9.