An attribute verification method
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING PUSH TIMES TECH CO LTD
- Filing Date
- 2026-03-18
- Publication Date
- 2026-06-19
AI Technical Summary
Existing ring-signature-based range proofs can only prove that a number belongs to an interval of the form $[0, 2^n]$, which is not flexible enough.
Figure CN122247628A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the fields of network technology and security technology, and in particular to an attribute verification method.
Background Technology
[0002] Range proofs, an important branch of zero-knowledge proofs, can prove that a number belongs to a specified range without revealing the number itself, and have significant practical value in areas such as privacy-preserving transactions. Existing range proofs based on ring signatures can only prove that a number belongs to a range of the form $[0, 2^n]$, and are inflexible when a number must be shown to lie in an arbitrary interval. In many cases, it is necessary to prove that a number belongs to an arbitrary interval. For example, in a credit card application scenario, bank Y1 pays a user's salary and the user applies to bank Y2 for a credit card; bank Y2 needs to verify with bank Y1 whether the user's salary falls within the interval [a, b], but bank Y1 cannot reveal the user's salary to bank Y2. Another example is a user watching a video with video software: it must be proven that the user's age falls within a certain interval [a, b], but the specific age cannot be revealed. Yet another example is a user who needs to pay a certain amount as a security deposit and wants to prove that this amount falls within the interval [a, b] without revealing the amount. Therefore, there is an urgent need for a method that achieves precise interval proofs without disclosing the value to be verified.
Summary of the Invention
[0003] This application provides an attribute verification method that offers a more accurate and flexible range proof method without revealing the numerical values to be verified.
[0004] In a first aspect, embodiments of this application provide an attribute verification method applied to a proving device, the method comprising: obtaining the attribute of the value to be verified and the range for verifying the attribute; based on the prefixes of different lengths of the value to be verified under a preset format, obtaining the prefix set of the value to be verified, and determining the covering prefix set of the range, wherein any covering prefix included in the covering prefix set is a prefix of at least one value in the range and does not overlap with any prefix of values outside the range; obtaining the first commitment set corresponding to the prefix set, wherein each commitment value in the first commitment set is generated by combining a prefix in the prefix set, the first base point of the elliptic curve, the second base point of the elliptic curve, and a random number using a commitment algorithm; for each covering prefix in the covering prefix set, determining a first target prefix in the prefix set with the same length as the covering prefix, and determining the public key based on the commitment value corresponding to the first target prefix in the first commitment set; determining the second target prefix corresponding to the intersection of the prefix set and the covering prefix set, and determining the random number used to generate the commitment value corresponding to the second target prefix as the private key; signing the message of the service request sent to the verifier device according to the public key set formed from the public keys obtained for each covering prefix, the private key, and the ring signature generation algorithm to obtain the ring signature; and sending the ring signature, the message, and the identifier of the first commitment set to the verifier device.
The identifier of the first commitment set is used to obtain the first commitment set, and the first commitment set is used to combine with the covering prefix set corresponding to the interval to obtain the public key set for verifying the ring signature.
[0005] In one possible implementation, determining the public key based on the commitment value corresponding to the first target prefix in the first commitment set includes: Determine the commitment value corresponding to the first target prefix in the first commitment set, and the product of the first base point and the covering prefix; The public key is determined based on the difference between the commitment value and the product.
[0006] In one possible implementation, after obtaining the attribute of the value to be verified and the range for verifying the attribute, and before determining the public key based on the commitment value corresponding to the first target prefix in the first commitment set, the method further includes: Obtain a predetermined number of unrevoked second commitment sets from the blockchain; combine each obtained second commitment set with the first commitment set to obtain a hybrid commitment set; The step of determining the public key based on the commitment value corresponding to the first target prefix in the first commitment set includes: For each commitment set included in the hybrid commitment set, a public key is determined based on the commitment value corresponding to the first target prefix in that commitment set; Sending the ring signature, the message, and the identifier of the first commitment set to the verifier device includes: The ring signature, the message, and the identifier of the hybrid commitment set are sent to the verifier device.
[0007] In one possible implementation, obtaining the first commitment set corresponding to the prefix set includes: Obtain the first set of commitments corresponding to the proving device and the value to be verified from the blockchain.
[0008] In one possible implementation, the first commitment set generates a corresponding on-chain transaction number when it is uploaded to the blockchain.
[0009] In a second aspect, embodiments of this application also provide an attribute verification method applied to a verifying device, the method comprising: obtaining the ring signature and the service request message sent by the proving device, and obtaining the first commitment set corresponding to the identifier sent by the proving device; determining the covering prefix set of the interval used for verification, wherein any covering prefix included in the covering prefix set is a prefix of at least one value in the interval and does not overlap with any prefix of values outside the interval; for each covering prefix in the covering prefix set, based on the correspondence between each commitment value and its prefix length, determining the target commitment value in the first commitment set whose prefix length is the same as the length of the covering prefix, and determining the public key based on the target commitment value; executing the ring signature verification algorithm on the public key set obtained from the covering prefixes, the message, and the ring signature; and, if the verification result is correct, determining that the value to be verified of the proving device lies within the interval.
[0010] In one possible implementation, determining the public key based on the target commitment value includes: determining the product of the first base point and the covering prefix, and determining the public key based on the difference between the target commitment value and the product.
[0011] In one possible implementation, obtaining the first commitment set corresponding to the identifier sent by the proving device includes: obtaining the hybrid commitment set corresponding to the identifier sent by the proving device, wherein the hybrid commitment set is obtained by combining the first commitment set of the proving device with multiple second commitment sets on the blockchain; and determining the target commitment value whose prefix length is the same as the length of the covering prefix in the first commitment set includes: in each of the commitment sets contained in the hybrid commitment set, determining the target commitment value whose corresponding prefix length is the same as the length of the covering prefix.
[0012] In one possible implementation, the correspondence between each commitment value and the prefix length is obtained in the following manner: For each commitment value, determine the order of the commitment value in the set of commitments to which it belongs, and determine the length of the prefix stored for the order as the length of the prefix stored for the commitment value.
[0013] In one possible implementation, the identifier is a set of transaction numbers, and obtaining the hybrid commitment set corresponding to the identifier sent by the proving device includes: obtaining the set of transaction numbers sent by the proving device; for each on-chain transaction number in the transaction number set, obtaining the commitment set corresponding to that on-chain transaction number from the blockchain; and obtaining the hybrid commitment set composed of each such commitment set.
[0014] In this embodiment, the proving device represents the value to be verified as a set of prefixes and constructs a corresponding commitment for each of them. At the same time, it decomposes the interval into the smallest set of prefixes that completely covers it, the covering prefix set. From the covering prefix set and the commitment set the proving device derives a set of public keys, and from the intersection of the two prefix sets it picks the commitment whose random number it holds and uses that random number as its private key to ring-sign the service request message. Because ring signatures are anonymous and untraceable, the verifying device can only confirm that the signer possesses the private key of some legitimate prefix in the set, but cannot know which one, thus preserving the privacy of the original value. A matching private key exists only when the path of the value to be verified falls within the coverage of the interval. Therefore, a valid signature means that the value to be verified is indeed within the interval, so this application achieves an interval proof without disclosing the value to be verified.
Attached Figure Description
[0015] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0016] Figure 1 is a schematic diagram of an attribute verification process provided in an embodiment of this application; Figure 2 is a schematic diagram of a structure provided in an embodiment of this application; Figure 3 is a schematic diagram of another attribute verification process provided in an embodiment of this application; Figure 4 is a schematic diagram of the structure of an attribute verification device provided in an embodiment of this application; Figure 5 is a schematic diagram of another attribute verification device provided in an embodiment of this application; Figure 6 is a schematic diagram of the structure of an electronic device provided in an embodiment of this application.
Detailed Implementation
[0017] The present application will now be described in further detail with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present application, and not all embodiments. Based on the embodiments of the present application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present application.
[0018] In order to accurately and effectively prove that the value to be verified is within the range, this application provides an attribute verification method, apparatus, device and medium.
[0019] The attribute verification method includes: the proving device acquiring the attribute of the value to be verified and the interval for verifying the attribute; obtaining a prefix set of the value to be verified based on prefixes of different lengths in a preset format, and determining a covering prefix set for the interval, wherein any covering prefix included in the covering prefix set is a prefix of at least one value in the interval and does not overlap with any prefix of other values outside the interval; acquiring a first commitment set corresponding to the prefix set; wherein each commitment value in the first commitment set is a prefix combined with a random number in the prefix set, generated using a commitment algorithm; and for each covering prefix in the covering prefix set, determining a prefix in the prefix set with the same length as that covering prefix. The first target prefix is determined by identifying the public key based on the commitment value corresponding to the first target prefix in the first commitment set; the second target prefix corresponding to the intersection of the prefix set and the covering prefix set is determined, and the random number used to generate the commitment value corresponding to the second target prefix is determined as the private key; the service request message sent to the verification device is signed based on the public key set obtained from each covering prefix, the private key, and the ring signature generation algorithm to obtain the ring signature, and the ring signature, the message, and the identifier of the first commitment set are sent to the verification device; wherein, the identifier of the first commitment set is used to obtain the first commitment set, and the first commitment set is used to combine with the covering prefix set corresponding to the interval to obtain the public key set for verifying the ring signature.
[0020] Figure 1 This application provides a schematic diagram of an attribute verification process, which includes the following steps: S101: Obtain the attributes of the value to be verified and the interval for verifying the attributes; according to the prefixes of different lengths of the value to be verified under a preset format, obtain the prefix set of the value to be verified, and determine the covering prefix set of the interval, wherein any covering prefix included in the covering prefix set is a prefix of at least one value in the interval, and does not overlap with any prefix of other values outside the interval.
[0021] The attribute verification method provided in this application is applied to a proving device, which can be a user's mobile phone, tablet, or other smart device.
[0022] In practical applications, it is often necessary to verify whether a value falls within a specific range. For example, a user might want to watch a video on a video website that is only accessible to users aged 18 and over, or they might want to enter a venue that is only open to people aged 18 and over. In such cases, the user can operate the proof device to perform attribute verification.
[0023] The proving device first acquires the attribute of the value to be verified, which may be age, income, etc. After acquiring the attribute, the proving device further acquires the range against which that attribute is verified. In one possible implementation, this verification range may be sent from the proving device to the verifying device. In this way, the proving device can effectively verify whether the user's attribute meets specific requirements.
[0024] The proving device can determine the representation of the value to be verified in a preset format, which can be a binary format. In this embodiment, the proving device can generate a binary value with a preset number of bits. For example, generating an 8-bit binary value, the binary representation of 19 is 00010011. Thus, by using the preset number of bits, it can be ensured that the value is processed and verified in a uniform format. The proving device can generate a set of prefixes for the value to be verified based on prefixes of different lengths in the preset format. In one possible implementation, a set of prefixes with lengths from n to m can be generated. Here, n can be 1 and m can be 8. Taking the binary representation 00010011 as an example, the prefixes in the generated prefix set are as follows: prefix of length 1: 0; prefix of length 2: 00; prefix of length 3: 000; prefix of length 4: 0001; prefix of length 5: 00010; prefix of length 6: 000100; prefix of length 7: 0001001; prefix of length 8: 00010011.
[0025] In one possible implementation, the proving device can call the function GetPrefixes on the value $\mathrm{age}_A$ with $m = 8$ to obtain the set of binary prefixes of $\mathrm{age}_A$: $P = \mathrm{GetPrefixes}(\mathrm{age}_A, m = 8) = \{p_1, p_2, \ldots, p_m\}$, where $\mathrm{age}_A$ is the value to be verified, $P$ is the prefix set, $p_i$ is the $i$-th prefix of $\mathrm{age}_A$, and $m$ is the number of prefixes.
[0026] The proving device also determines a set of covering prefixes for the intervals used to verify the attributes. In one possible implementation, the proving device may call the Get Binary Range Check (GetBRC) function to compute the minimum set of binary prefixes for the interval. Given the number of integer bits m, the lower bound a, and the upper bound b, the algorithm corresponding to this function can generate the minimum set of binary prefixes BRC that completely covers the integer interval [a, b]. Any covering prefix included in this set is a prefix of at least one value in the interval and does not overlap with any prefix of other values outside the interval. The interval can be [18, 255].
[0027] Taking the interval [18, 255] as an example, the set of covering prefixes can be determined as follows: $BRC = \mathrm{GetBRC}(a = 18, b = 255, m = 8) = \{brc_i \mid i = 1, 2, \ldots, n_{brc}\}$, where $n_{brc}$ is the number of covering prefixes, $a$ is the minimum value of the interval, $b$ is the maximum value of the interval, $m$ is the maximum length of the generated prefixes, $BRC$ is the covering prefix set, and $brc_i$ is the $i$-th covering prefix.
[0028] The function takes the integer bit width $m$ (the number of bits in the generated binary numbers), the lower bound $a$ of the interval, and the upper bound $b$ of the interval as input, and outputs the minimum set of covering binary prefixes. Algorithm steps: initialize $BRC$ to an empty set that will hold the resulting binary prefixes; initialize a counter $i$ to 0 to control the loop; check whether the upper bound of the interval is representable: if $b \geq 2^m$, return an error, because $m$ bits cannot cover the upper bound $b$. For example, when $m = 8$, $2^8 = 256$; if $b \geq 256$ it cannot be represented with 8 bits, so this case is rejected up front.
[0029] Convert the integers $a$ and $b$ to their $m$-bit binary representations. The loop continues as long as the first $m - i$ bits of $a$ are less than the first $m - i$ bits of $b$ (compared as integers). Process the current lowest bit of $a$: if the $(m-i)$-th bit of $a$ (counting from the left, i.e. the last bit of the current $(m-i)$-bit prefix) is 1, add the first $m - i$ bits of $a$ as a prefix to $BRC$. Process the current lowest bit of $b$: if the $(m-i)$-th bit of $b$ is 0, add the first $m - i$ bits of $b$ as a prefix to $BRC$. Update $a$ and $b$: increment the first $m - i$ bits of $a$ by 1 (binary addition) and decrement the first $m - i$ bits of $b$ by 1 (binary subtraction). Increment the counter $i$ by 1, so that the next iteration processes prefixes that are one bit shorter.
[0030] After the loop ends: check the remaining parts, i.e. whether the first $m - i$ bits of $a$ and $b$ are now equal. If they are equal, add this common binary prefix to $BRC$.
[0031] For example, if m = 8, a = 18, b = 31, then GetBRC(18, 31, 8) proceeds as follows. Initially a = 18 (binary 00010010), b = 31 (binary 00011111) and i = 0; the full 8-bit prefixes satisfy 00010010 < 00011111, so the loop is entered. The last bit of a is 0, so nothing is added for a; the last bit of b is 1, so nothing is added for b. a is incremented to 00010011 and b decremented to 00011110; i becomes 1, so the next iteration works on the first 7 bits, which are 0001001 for a and 0001111 for b.
[0032] Second iteration (i = 1): the last bit of the 7-bit prefix of a (0001001) is 1, so 0001001 is added to BRC; the last bit of the 7-bit prefix of b (0001111) is 1, so nothing is added for b. After the update and shortening, the 6-bit prefixes are 000101 for a and 000111 for b. Third iteration (i = 2): the last bit of 000101 is 1, so 000101 is added to BRC; the last bit of 000111 is 1, so nothing is added for b. After the update and shortening, the 5-bit prefixes are 00011 for a and 00011 for b.
[0033] Final equality check: the loop condition no longer holds because the 5-bit prefixes of a and b are equal (00011), so 00011 is added to BRC. The result is BRC = {0001001, 000101, 00011}, which covers exactly the values 18 to 19, 20 to 23, and 24 to 31.
[0034] It is understandable that each covering prefix in the returned covering prefix set BRC is a binary prefix, and the binary representation of any value within the interval is an extension of some prefix in BRC. BRC is the minimum prefix set for this interval; that is, there is no smaller set of prefixes that covers exactly this interval.
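The prefix set and covering prefix set construction of [0024] to [0034], as an added Python example that is not part of the patent: GetPrefixes and GetBRC as described above, plus a check that expands a prefix set back into the integers it covers and the intersection step of [0045]. The function names are the patent's; the unconditional increment/decrement before shortening follows [0029], while the empty prefix returned for the whole range, the argument checks and the helper names are assumptions of this example.

```python
def to_bits(value, length):
    """`length`-bit binary string; the empty prefix (length 0) covers the whole 2**m range."""
    return "" if length == 0 else format(value, f"0{length}b")

def get_prefixes(value, m):
    """Prefix set P of the value's m-bit binary form, lengths 1..m ([0024]/[0025])."""
    if not 0 <= value < (1 << m):
        raise ValueError("value does not fit in m bits")
    bits = to_bits(value, m)
    return [bits[:k] for k in range(1, m + 1)]

def get_brc(a, b, m):
    """Minimum set of binary prefixes covering the integer interval [a, b] ([0026]-[0030])."""
    if a > b or a < 0:
        raise ValueError("interval must satisfy 0 <= a <= b")
    if b >= (1 << m):
        raise ValueError(f"upper bound {b} is not representable in {m} bits")
    brc = []
    lo, hi, length = a, b, m          # lo/hi are the current (m-i)-bit prefixes of a and b
    while lo < hi:
        if lo & 1:                    # last bit of a's prefix is 1: that prefix closes a subtree
            brc.append(to_bits(lo, length))
        if not hi & 1:                # last bit of b's prefix is 0: that prefix opens a subtree
            brc.append(to_bits(hi, length))
        # [0029]: increment a, decrement b, then drop one bit. For an even a (odd b) the
        # increment (decrement) is absorbed by the shift, so the update is unconditional.
        lo, hi, length = (lo + 1) >> 1, (hi - 1) >> 1, length - 1
    if lo == hi:                      # [0030]: remaining common prefix, if any
        brc.append(to_bits(lo, length))
    return brc

def covered_values(brc, m):
    """Expand a prefix set back into the integers it covers (used to check the cover)."""
    out = set()
    for pfx in brc:
        free = m - len(pfx)
        base = (int(pfx, 2) if pfx else 0) << free
        out.update(range(base, base + (1 << free)))
    return out

def matching_prefix(value, brc, m):
    """I = P ∩ BRC ([0045]): the covering prefix the value lies under, or None if outside."""
    # The length-0 prefix is implicitly a prefix of every value.
    hits = (set(get_prefixes(value, m)) | {""}) & set(brc)
    assert len(hits) <= 1             # a minimal cover has no nested prefixes
    return hits.pop() if hits else None

if __name__ == "__main__":
    for a, b in [(18, 31), (18, 255), (0, 255), (3, 4)]:
        cover = get_brc(a, b, 8)
        assert covered_values(cover, 8) == set(range(a, b + 1))
        print(f"GetBRC({a}, {b}, 8) = {cover}")
    print("prefixes of 19:", get_prefixes(19, 8))
    print("19 in [18, 255] via prefix:", matching_prefix(19, get_brc(18, 255, 8), 8))
    print("16 in [18, 255] via prefix:", matching_prefix(16, get_brc(18, 255, 8), 8))
```

For [18, 255] the cover is {0001001, 000101, 00011, 001, 01, 1}, and the prefix set of 19 (00010011) meets it in exactly one element, 0001001; for 16 (00010000) the intersection is empty, which is the case in which the prover has no private key to sign with.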
[0035] S102: Obtain the first commitment set corresponding to the prefix set; wherein each commitment value in the first commitment set is generated by combining a prefix in the prefix set, the first base point of the elliptic curve, the second base point, and a random number using a commitment algorithm; for each covering prefix in the covering prefix set, determine a first target prefix in the prefix set with the same length as the covering prefix, and determine the public key based on the commitment value corresponding to the first target prefix in the first commitment set; determine the second target prefix corresponding to the intersection of the prefix set and the covering prefix set, and determine the random number used to generate the commitment value corresponding to the second target prefix as the private key.
[0036] A first commitment set corresponding to the prefix set of the value to be verified can be obtained. In one possible implementation, a random number is generated for each prefix in the prefix set, and a commitment algorithm, which can be the Pedersen commitment algorithm, generates a commitment value from the prefix, the random number, the first base point of the elliptic curve, and the second base point. The random number $r_i \in \mathbb{Z}_n$, where $n$ is the order of the second base point and $\mathbb{Z}_n$ is the set of integers modulo $n$; the first base point and the second base point have the same order, which can both be $n$.
[0037] In one possible implementation, the commitment value of a prefix can be determined by the following formula: $N_i = p_i \cdot H + r_i \cdot G$, where $i$ is the index of the prefix and of its commitment value, which can be the position of the prefix in the prefix set and the position of the generated commitment value in the first commitment set; $N_i$ is the $i$-th generated commitment value, i.e. the commitment value corresponding to the $i$-th prefix; $p_i$ is the $i$-th prefix in the prefix set; $r_i$ is the random number generated for the $i$-th prefix; $H$ is a fixed point on the elliptic curve, i.e. the first base point; and $G$ is another fixed point on the elliptic curve, i.e. the second base point.
[0038] After all calculations are completed, the proving device obtains the prefix commitment set, namely the first commitment set described in the embodiments of this application, which can be represented as $C_u = \{N_{u1}, N_{u2}, \ldots, N_{um}\}$, where $N_{u1}$ is the commitment value corresponding to the first prefix in the prefix set and $N_{um}$ is the commitment value corresponding to the $m$-th prefix in the prefix set. In one possible implementation, the position of a prefix in the prefix set is the same as the position of its commitment value in the first commitment set.
[0039] The proving device can, for each covering prefix in the covering prefix set, determine a prefix in the prefix set with the same length as the covering prefix. For ease of distinction, this prefix can be referred to as the first target prefix. The public key is then determined based on the commitment value corresponding to the first target prefix in the first commitment set. In one possible implementation, the proving device can determine the commitment value corresponding to the first target prefix in the first commitment set, as well as the product of the first base point and the covering prefix; the public key is then determined based on the difference between the commitment value and the product.
[0040] Specifically, the public key can be determined using the following formula: $PK_{i,u} = \mathrm{getPrefix}(C_u, l_i) - brc_i \cdot H$, where $PK_{i,u}$ is the determined public key, $\mathrm{getPrefix}(C_u, l_i)$ is the commitment value in $C_u$ whose prefix has length $l_i$, $brc_i$ is the covering prefix, $H$ is the first base point, $i$ is the index of the covering prefix in the covering prefix set, $C_u$ is the first commitment set, and $l_i$ is the length of the covering prefix.
[0041] In one possible implementation, the public keys obtained for the covering prefixes form a public key set, with the public key of each covering prefix placed in the order of that covering prefix in the covering prefix set.
[0042] Specifically, for each $brc_i \in BRC$ (that is, each prefix in the covering prefix set), let $l_i = \mathrm{binLen}(brc_i)$ denote its binary length. Define the operation $\mathrm{getPrefix}(C_u, l_i)$ as extracting from the first commitment set $C_u$ the commitment value corresponding to the prefix of bit length $l_i$. The public key is determined based on this commitment value.
[0043] In one possible implementation, the product of the first base point and the covering prefix can be determined, and the difference between the commitment value and the product taken as the public key: $PK_{i,u} = \mathrm{getPrefix}(C_u, l_i) - brc_i \cdot H$, where $H$ is the first base point of the elliptic curve, $brc_i$ is the covering prefix, $\mathrm{getPrefix}(C_u, l_i)$ is the commitment value, $C_u$ is the first commitment set, $l_i$ is the length of the $i$-th covering prefix, $i$ is the index of the covering prefix, and $u$ is the index of the first commitment set.
[0044] The proving device also determines the intersection of the prefix set and the covering prefix set and takes the prefix in the intersection as the second target prefix. Since the random number used to generate each commitment value was stored when the first commitment set was generated, the proving device retrieves the random number used for the commitment value of the second target prefix and uses it as the private key.
[0045] In one possible implementation, the second target prefix can be determined by the following formula: $I = P_U \cap BRC$, where $I$ is the determined intersection, $P_U$ is the prefix set, and $BRC$ is the covering prefix set. Since $BRC$ is the minimum prefix set covering the interval, if the value to be verified lies within this interval then, by the properties of binary prefixes, $I$ contains one and only one element, denoted $brc$, which satisfies $brc \in P_U$ and $brc \in BRC$.
[0046] It is understandable that, since this second target prefix exists in the covering prefix set, among the determined public keys there is one corresponding to it, namely $\mathrm{getPrefix}(C_u, l_i) - brc \cdot H = r \cdot G$, where $r$ is the random number determined as the private key. Therefore, this private key has a corresponding public key among the identified public keys.
[0047] S103: Sign the service request message sent to the verification device according to the public key set of the public key obtained based on each covering prefix, the private key, and the ring signature generation algorithm to obtain a ring signature, and send the ring signature, the message, and the identifier of the first commitment set to the verification device; wherein, the identifier of the first commitment set is used to obtain the first commitment set, and the first commitment set is used to combine with the covering prefix set corresponding to the interval to obtain the public key set for verifying the ring signature.
[0048] After obtaining the public key set from the covering prefixes, the service request message sent to the verifying device can be signed using this public key set, the private key, and a ring signature generation algorithm to obtain a ring signature. In one possible implementation, the hash value of the service request is what is signed.
[0049] In one possible implementation, the ring signature can be obtained as follows: $\sigma \leftarrow \mathrm{RingSign}(z, r, PK)$, where $\sigma$ is the ring signature, $\mathrm{RingSign}$ is the ring signature generation algorithm, $z$ is the service request message, $r$ is the private key, and $PK$ is the set of public keys.
[0050] After obtaining the ring signature, the ring signature, the message, and the identifier of the first commitment set are sent to the verifying device. The verifying device obtains the first commitment set from the identifier and combines it with the covering prefix set to obtain the public key set for verifying the ring signature.
[0051] In this embodiment, the proving device represents the value to be verified as a set of prefixes and constructs a corresponding commitment. Simultaneously, it decomposes the interval into the smallest set of prefixes that completely cover it—the covering prefix set. The proving device can obtain the intersection of these two prefix sets and use its own random number as the private key to perform a ring signature on the service request message. Because ring signatures are anonymous and untraceable, the verifying device can only confirm that the signer possesses the private key of a certain legitimate prefix in the set, but cannot know which one specifically, thus ensuring the privacy of the original value. A matching private key is only possible when the path of the value to be verified falls within the coverage area of the interval. Therefore, a successful signature means that the value to be verified is indeed within the interval, enabling this application to achieve interval proof without disclosing the value to be verified.
[0052] To ensure the privacy of the value to be verified, based on the above embodiments, in this embodiment, after obtaining the attributes of the value to be verified and the range for verifying the attributes, and before determining the public key based on the commitment value corresponding to the first target prefix in the first commitment set, the method further includes: Obtain a predetermined number of unrevoked second commitment sets from the blockchain; combine each obtained second commitment set with the first commitment set to obtain a hybrid commitment set; The step of determining the public key based on the commitment value corresponding to the first target prefix in the first commitment set includes: For each commitment set included in the hybrid commitment set, a public key is determined based on the commitment value corresponding to the first target prefix in that commitment set; Sending the ring signature, the message, and the identifier of the first commitment set to the verifier device includes: The ring signature, the message, and the identifier of the hybrid commitment set are sent to the verifier device.
[0053] In real-world scenarios, to enable the verifying device to perform verification, the proving device sends it the identifier of the first commitment set used to generate the public keys. An attacker device might use this identifier to determine which proving device is performing verification. To hide the proving device, the proving device can obtain a preset number of unrevoked second commitment sets from the blockchain. In one possible implementation, the preset number of unrevoked second commitment sets obtained have the same attribute as the value to be verified. Note that if a commitment in the commitment set corresponding to a value is leaked by the proving device or by other proving devices, or if the value expires (e.g., the age or income it represents has changed), a revocation request carrying the corresponding attribute of the value is sent to the blockchain, and the blockchain marks the corresponding commitment set as revoked.
[0054] After obtaining multiple sets of second commitments, each set of second commitments can be combined with the first set of commitments to obtain a mixed set of commitments.
[0055] In one possible implementation, to further conceal the first commitment set of the proving device and enhance anonymity, the order of the commitment sets (the first commitment set and each second commitment set) in the mixed commitment set can be shuffled and randomly arranged, making it impossible for an attacker's device to infer which commitment set belongs to the proving device from its position. For example, if the first commitment set is C_u and there are three second commitment sets D1, D2 and D3, the order of the commitment sets in the mixed commitment set can be C_u, D1, D2, D3, or D1, C_u, D2, D3, or any other arrangement.
[0056] The proving device can determine a public key based on each commitment set in the hybrid commitment set, and send the identifier of the hybrid commitment set to the verifying device. In other words, a public key is determined based on each commitment set contained in the hybrid commitment set.
[0057] Understandably, when determining the private key, the first commitment set corresponding to the prefix set is still used.
[0058] Specifically, the public key can be determined using the following formula: PK_{i,j} = getPrefix(C_j, l_i) - brc_i · H, where PK_{i,j} is the determined public key; getPrefix(C_j, l_i) represents the commitment value obtained from C_j that corresponds to the prefix of length l_i; brc_i is the i-th covering prefix; H is the first base point; i is the index of the covering prefix in the covering prefix set; j is the index, in the mixed commitment set, of the commitment set from which the commitment value is taken; C_j is the j-th commitment set contained in the mixed commitment set; and l_i is the length of the covering prefix brc_i. In one possible implementation, C_j may be the first commitment set or any second commitment set.
[0059] For example, let the attribute of the value to be verified be age and the pre-selected privacy parameter be n_u, the total number of commitment sets used to conceal identity (the preset number plus 1). The proving device randomly selects from the blockchain n_u - 1 publicly committed, unrevoked commitment sets C_k (k = 1, ..., n_u - 1) whose attribute is "age", and merges them with its own first commitment set C_u to form a mixed commitment set of size n_u: {C_j | j = 1, 2, ..., n_u}.
[0060] Furthermore, a public key matrix can be generated based on the public key set. The public key matrix is determined as follows: all PK_{i,j} are organized into a public key matrix PK: PK = {PK_{i,j} | i = 1, ..., n_brc; j = 1, ..., n_u}, where n_brc is the number of covering prefixes in the covering prefix set and n_u is the number of members of the mixed commitment set (i.e., the number of second commitment sets plus the first commitment set). In other words, if the commitment value obtained for the x-th covering prefix is taken from the y-th commitment set of the mixed commitment set (a mixed commitment set consisting of the first commitment set of the proving device and multiple second commitment sets), then the entry in the x-th row and y-th column of the public key matrix is the public key determined from it.
[0061] In one possible implementation, the public key matrix PK can be defined as follows: PK has size n_brc × n_u, where n_brc is the number of covering prefixes in the covering prefix set and n_u is the number of members of the mixed commitment set (i.e., the number of second commitment sets plus the first commitment set). For each covering prefix brc_i, determine in each commitment set C_j the commitment value N_j corresponding to the covering prefix (the one whose prefix length equals that of brc_i) and calculate the corresponding public key PK_{i,j}. That is, if the commitment value determined for the i-th covering prefix is taken from the j-th commitment set of the mixed commitment set and a public key is determined from it, that public key is placed in the i-th row and j-th column of the public key matrix.
[0062] In other words, the proving device possesses the random number r* corresponding to the second target prefix brc* (retained when the first commitment set was generated), such that getPrefix(C_u, l*) = brc* · H + r* · G, where C_u is the first commitment set, l* = binLen(brc*) is the length of the second target prefix, getPrefix(C_u, l*) is the commitment value corresponding to the second target prefix in the first commitment set, brc* is the second target prefix, r* is the corresponding random number, H is the first base point of the elliptic curve, and G is the second base point of the elliptic curve. Let j* be the position of the first commitment set within the mixed commitment set after random permutation (1 ≤ j* ≤ n_u). Then PK_{i*,j*} = r* · G, where i* satisfies brc_{i*} = brc*, and the private key is r*.
[0063] To perform attribute verification, based on the above embodiments, in this embodiment of the application, obtaining the first commitment set corresponding to the prefix set includes: Obtain the first set of commitments corresponding to the proving device and the value to be verified from the blockchain.
[0064] In this embodiment of the application, the proving device may obtain a first set of commitments from the blockchain.
[0065] In one possible implementation, the proving device can generate a random number for each prefix in the prefix set of the value to be verified, and calculate the commitment value of the Pedersen commitment to the prefix from the random number, the first base point and the second base point of the elliptic curve, and the prefix.
[0066] In one possible implementation, the commitment value of a prefix can be determined by the following formula: N_i = p_i · H + r_i · G, where i is the index of the prefix and of the commitment value, which can be the order of the prefix in the prefix set and the order of the generated commitment value in the first commitment set; N_i is the i-th generated commitment value, i.e., the commitment value corresponding to the i-th prefix; p_i is the i-th prefix in the prefix set; r_i is the random number generated for the i-th prefix; H is a fixed point on the elliptic curve, i.e., the first base point; and G is another fixed point on the elliptic curve, i.e., the second base point.
[0067] Determine the first commitment set consisting of the commitment values corresponding to each prefix; determine the random number set consisting of the random numbers of each prefix; and generate a corresponding zero-knowledge proof for each commitment value in the first commitment set, proving that the proving device indeed knows the random number r_i satisfying the relation N_i - p_i · H = r_i · G, where i is the prefix index, H is the first base point of the elliptic curve, G is the second base point of the elliptic curve, N_i is the commitment value of the i-th prefix, p_i is the i-th prefix, and r_i is the random number. The proof process can be abstractly represented as π_i ← Prove(r_i | N_i, p_i : N_i - p_i · H = r_i · G), where π_i is the zero-knowledge proof for the commitment value corresponding to the i-th prefix.
[0068] For each prefix i = 1, 2, ..., m, the proving device performs the above proof generation, ultimately obtaining the proof set Π = {π_1, π_2, ..., π_m}. These proofs π_i are used in the subsequent verification so that, without leaking r_i, the authorizing device can verify that each committed value N_i is indeed a valid Pedersen commitment to the prefix p_i and that the proving device possesses the correct random number r_i.
[0069] The proving device sends the first commitment set, zero-knowledge proof, and materials proving the value to be verified to the authorizing device. If the attribute of the value to be verified is age, the materials proving the value to be verified can be such as ID card photos, scanned copies, or other officially certified documents. The authorizing device performs material verification, commitment consistency verification, and prefix set consistency verification on the materials proving the value to be verified. If all verifications pass, the first commitment set and the corresponding identifier of the proving device are uploaded to the blockchain.
[0070] Upon receiving the aforementioned materials, the authorizing device performs the following verification process. Material verification: verify the materials submitted by the proving device to prove the value to be verified, and confirm the authenticity of the value to be verified. Commitment consistency verification: for each prefix i = 1, 2, ..., m, verify whether the relation proven by π_i holds, i.e., whether Verify(π_i | N_i, p_i : N_i - p_i · H = r_i · G) = True; how to verify whether the relation proven by π_i holds is prior art and is not elaborated here. Prefix set consistency verification: confirm that the prefix set P = {p_1, p_2, ..., p_m} submitted by the proving device is indeed equal to the prefix set corresponding to the value to be verified, GetPrefixes(age_A, 8). If all verifications pass, the authorizing device confirms that the value to be verified of the proving device is true and valid and that the first commitment set C_u consists of correct Pedersen commitments to all binary prefixes of the value to be verified, age_A. Subsequently, the authorizing device stores the first commitment set C_u on the blockchain to ensure its immutability and public verifiability.
[0071] Once on-chain, C_u serves as a verifiable privacy credential for the value to be verified of the proving device's attribute; it can be used for privacy-preserving verification in subsequent scenarios without disclosing the specific value to be verified.
[0072] When the authorizing device uploads the first set of commitments to the blockchain, it can generate an on-chain transaction number corresponding to the first set of commitments. This on-chain transaction number is the identifier described in this application.
[0073] Figure 2 is a schematic diagram of a system structure provided by an embodiment of this application.
[0074] The user in Figure 2 refers to the proving device described in the embodiments. The proving device applies to the authorizing device for a credential, i.e., it sends the first commitment set, the zero-knowledge proofs and the materials to be verified to the authorizing device. The authorizing device issues the certificate through the Decentralized Identity (DID) platform, i.e., it performs material verification, commitment consistency verification and prefix set consistency verification; if all verifications pass, the first commitment set and the corresponding identifier of the proving device are uploaded to the blockchain. The proving device applies to the service provider (i.e., the verifying device) for a service, i.e., it determines the public key set, the private key and the ring signature, and sends the ring signature, the message and the identifier of the first commitment set to the verifying device. The verifying device obtains the first commitment set through the DID platform and verifies the ring signature.
[0075] Figure 3 is a schematic diagram of another attribute verification process provided by this application, which includes the following steps: S301: Obtain the ring signature and service request message sent by the proving device, and obtain the first commitment set corresponding to the identifier sent by the proving device.
[0076] The attribute verification method provided in this embodiment of the application is applied to a verifying device, i.e., the device that provides the service.
[0077] The verifying device can obtain the ring signature and service request message sent by the proving device, and obtain the identifier sent by the proving device, and obtain the first commitment set corresponding to the identifier.
[0078] In practical applications, the identifier received by the verifying device is the identifier of a mixed commitment set, which is obtained by combining the first commitment set of the proving device with multiple second commitment sets from the blockchain.
[0079] S302: Determine the set of covering prefixes for the interval that passed the verification, wherein any covering prefix included in the set of covering prefixes is a prefix of at least one value in the interval and does not overlap with any prefix of other values outside the interval.
[0080] The verifying device likewise determines the covering prefix set of the interval used to verify the attribute. In one possible implementation, it can call the GetBRC function to compute the minimal binary prefix set of the interval: given a bit length m, a lower bound a and an upper bound b, the algorithm behind this function produces a minimal binary prefix set BRC that completely covers the integer interval [a, b]. Any covering prefix in this set is a prefix of at least one value within the interval and does not overlap with any prefix of a value outside the interval. For example, the interval may be [18, 255]. How this covering prefix set is determined has been described in the above embodiments and is not repeated here.
[0081] S303: For each covering prefix in the covering prefix set, determine, based on the correspondence between each commitment value and its prefix length, the target commitment value in the first commitment set whose prefix length equals the length of the covering prefix, and determine the public key based on the target commitment value.
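The covering prefix decomposition used in S302, together with the prefix set of a value, as an added example (this code is not part of the patent). get_prefixes and get_brc correspond to the GetPrefixes and GetBRC of the description; the greedy dyadic algorithm inside get_brc is an assumption, since the text does not spell out how GetBRC is computed. A prefix is represented as the pair (value, length), the top `length` bits of the m-bit number read as an integer, which is the scalar that brc_i · H in the public key formula multiplies. The block also carries the two checks a verifying device would want to run on its own covering set: that the prefixes cover exactly [a, b] without overlap, and that a value has exactly one matching covering prefix if and only if it lies in the interval (the property that later makes a private key exist for exactly one ring position).

```python
# Added example (not the patent's code): binary prefix sets for the range proof.
# A number is an m-bit unsigned integer. A "prefix" is the pair (value, length):
# the top `length` bits of the m-bit representation, read as an integer.


def get_prefixes(value, m):
    """GetPrefixes(value, m): every binary prefix of value, lengths 1..m.
    Order k in the returned list corresponds to prefix length k (as in [0093])."""
    assert 0 <= value < (1 << m)
    return [(value >> (m - k), k) for k in range(1, m + 1)]


def get_brc(a, b, m):
    """GetBRC(a, b, m): minimal set of binary prefixes whose covered ranges
    partition [a, b]. Assumed algorithm: greedy dyadic decomposition.
    From the left end `lo`, take the largest aligned block of 2^k values that
    still fits inside [a, b]; its prefix is lo >> k with length m - k.
    k is capped at m - 1 so every prefix has at least one bit."""
    assert 0 <= a <= b < (1 << m)
    out, lo = [], a
    while lo <= b:
        k = 0
        while k < m - 1 and lo % (1 << (k + 1)) == 0 and lo + (1 << (k + 1)) - 1 <= b:
            k += 1
        out.append((lo >> k, m - k))
        lo += 1 << k
    return out


def covered_range(prefix, m):
    """All m-bit values that have this prefix."""
    v, l = prefix
    return range(v << (m - l), (v + 1) << (m - l))


def cover_is_exact(brc, a, b, m):
    """Verifier-side sanity check: the prefixes cover exactly [a, b] and no two
    of them overlap (the property stated in S302). Brute force, O(2^m)."""
    seen = []
    for p in brc:
        seen.extend(covered_range(p, m))
    return len(seen) == len(set(seen)) and sorted(seen) == list(range(a, b + 1))


def matching_prefixes(value, brc, m):
    """P ∩ BRC: the covering prefixes that are also prefixes of `value`.
    Exactly one element when a <= value <= b, none otherwise; that element is
    the prefix whose commitment randomness becomes the ring-signing key."""
    own = set(get_prefixes(value, m))
    return [p for p in brc if p in own]


if __name__ == "__main__":
    BRC = get_brc(18, 255, 8)             # the [18, 255] example of the description
    print(BRC)                            # [(9, 7), (5, 6), (3, 5), (1, 3), (1, 2), (1, 1)]
    print(cover_is_exact(BRC, 18, 255, 8))  # True
    print(matching_prefixes(20, BRC, 8))  # [(5, 6)]
    print(matching_prefixes(17, BRC, 8))  # []
```

cover_is_exact enumerates every value of the interval, which is fine for attribute-sized m such as 8 but is meant as a test oracle for a GetBRC implementation, not as a per-request check.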
[0082] It is understandable that the first commitment set of the proving device, and the commitment values in each of the second commitment sets, are respectively the commitment values of each prefix in the corresponding prefix set. Each prefix in the prefix set is a prefix of length n to m, where n can be 1. In the mixed commitment set obtained by the verifying device (i.e., the set after the proving device's own commitment set and the multiple second commitment sets are mixed), the prefix lengths corresponding to the commitment values in each commitment set are respectively n to m. If the mixed commitment set consists of the proving device's commitment set and two second commitment sets, the prefix lengths corresponding to the commitment values in each commitment set in the mixed commitment set are respectively n to m.
[0083] The system can pre-store the correspondence between each commitment value and its corresponding prefix length. The verifying device can, for each covering prefix in the covering prefix set, determine a target commitment value whose prefix length in the first commitment set is the same as the length of the covering prefix, based on the correspondence between each commitment value and its prefix length. For example, if the length of the covering prefix is 5, and the length of the prefix corresponding to a certain commitment value in the first commitment set is 5, then that commitment value is determined as the target commitment value. To improve security, the proving device may send an identifier of a mixed commitment set. In this case, the verifying device can, for each commitment set included in the mixed commitment set, determine a target commitment value whose prefix length is the same as the length of the covering prefix. That is, multiple target commitment values can be determined.
[0084] After determining the target commitment value, the public key is determined based on it. In one possible implementation, the verifying device computes the product of the first base point and the covering prefix and determines the public key as the difference between the target commitment value and that product, where the first base point is the base point used when generating the commitment value. The public keys corresponding to the covering prefixes form the public key set.
[0085] Furthermore, a public key matrix can be generated based on the public key set. The public key matrix is determined as follows: all PK_{i,j} are organized into a public key matrix PK: PK = {PK_{i,j} | i = 1, ..., n_brc; j = 1, ..., n_u}, where n_brc is the number of covering prefixes in the covering prefix set and n_u is the number of members of the mixed commitment set among which the proving device is hidden, i.e., the number of second commitment sets plus the first commitment set. In other words, if the commitment value obtained for the x-th covering prefix is taken from the y-th commitment set of the mixed commitment set, then the entry in the x-th row and y-th column of the public key matrix is the public key determined from it.
[0086] S304: Execute the ring signature verification algorithm based on the public key set formed by the public keys obtained for each covering prefix, the message and the ring signature. If the verification result is correct, determine that the value to be verified of the proving device is within the interval.
[0087] After obtaining the public key set from the covering prefixes, the ring signature verification algorithm can be executed on the public key set, the service request message sent by the proving device and the received ring signature to obtain the verification result. If the verification result is correct, it is determined that the value to be verified of the proving device lies within the interval.
[0088] In one possible implementation, the verification result can be obtained as follows: result ← RingVerify(z, σ, PK), where result is the obtained verification result, which is either correct or failed; z is the service request message; σ is the ring signature; PK is the public key set; and RingVerify is the ring signature verification algorithm.
[0089] If the result is True, the verification passes. This indicates that: the proving device requesting the service is indeed among the submitted sets of commitments (i.e., the first set of commitments from the proving device and multiple sets of second commitments obtained from the blockchain); the value to be verified for the corresponding attribute of the proving device is indeed within the corresponding range; and the proving device does possess the corresponding private key, thus proving that its value to be verified is within the range. Therefore, the verifying device should allow the proving device to access the resource. If the result is False, the verification fails. This indicates that the requesting proving device cannot prove that the value to be verified for its corresponding attribute meets the requirements, and the verifying device should refuse access.
[0090] In this embodiment, the security of ring signatures ensures that only the proving device, which knows the private key corresponding to a public key, can generate a valid signature. Furthermore, the verifying device directly retrieves the commitment set from the blockchain, ensuring the authenticity and immutability of the data.
[0091] To ensure accurate and effective attribute verification, based on the above embodiments, in this application embodiment, the correspondence between each commitment value and the prefix length is obtained in the following manner: For each commitment value, determine the order of the commitment value in the set of commitments to which it belongs, and determine the length of the prefix stored for the order as the length of the prefix stored for the commitment value.
[0092] In this embodiment of the application, the commitment set of the proving device and the commitment value in each second commitment set are, in turn, the commitment value of each prefix in the corresponding prefix set. Each prefix in the prefix set is a prefix of length n to m, where n can be 1. In the mixed commitment set obtained by the verifying device (i.e., the set after mixing the first commitment set of the proving device itself and multiple second commitment sets), the prefix length corresponding to the commitment value in each commitment set is from n to m. If the mixed commitment set consists of the commitment set of the proving device and two second commitment sets, the prefix length corresponding to the commitment value in each commitment set in the mixed commitment set is from n to m.
[0093] In this embodiment, the verifying device can determine each commitment set included in the mixed commitment set based on the pre-saved number of prefixes in each prefix set. For example, if the mixed commitment set contains 7 commitment sets and the number of prefixes is 8, then each commitment set in the mixed commitment set contains 8 commitment values. In one possible implementation, each commitment set included in the mixed commitment set is obtained, and for each commitment value in each obtained commitment set, the prefix length saved for its order is determined as the prefix length of that commitment value, based on the order of the commitment value within its commitment set. For example, when generating the prefix set of a certain value, if the prefixes in the prefix set are, in sequence, the prefixes of length n to m, then the saved correspondence between order and prefix length is: order 1 corresponds to length n, order 2 corresponds to length n + 1, ..., order 1 + m - n corresponds to length m.
[0094] For example, if the mixed commitment set contains the first commitment set C_u and the second commitment sets D1 and D2, then the prefix lengths corresponding to the commitment values contained in C_u are n to m, those corresponding to the commitment values contained in D1 are n to m, and those corresponding to the commitment values contained in D2 are n to m.
[0095] To ensure accurate and effective attribute verification, based on the above embodiments, in this embodiment, the identifier is a set of transaction numbers, and obtaining the set of mixed commitments corresponding to the identifier sent by the proving party device includes: Obtain the set of transaction numbers sent by the proving device; For each on-chain transaction number in the transaction number set, obtain the commitment set corresponding to that on-chain transaction number from the blockchain, and obtain a hybrid commitment set composed of each commitment set.
[0096] In this embodiment, the identifier sent by the proving device is a set of transaction numbers, where each on-chain transaction number in the set is the transaction number used when the corresponding commitment set was uploaded to the blockchain. The verifying device can obtain the set of transaction numbers sent by the proving device and, for each on-chain transaction number in the set, retrieve the commitment set corresponding to that on-chain transaction number from the blockchain. The commitment sets corresponding to the obtained on-chain transaction numbers are combined into a hybrid commitment set. In one possible implementation, they are combined into the hybrid commitment set in the order of the on-chain transaction numbers in the set of transaction numbers. After obtaining each commitment set, the verifying device can check the validity of each commitment set (e.g., signature, not revoked, etc.). If each commitment set is valid, the subsequent steps are executed.
[0097] Taking the attribute age, a value to be verified age_A represented as an 8-bit binary number, and the interval [18, 255] as an example, the process is introduced as follows. The application process is as follows: for age_A ∈ [0, 255] (using 8 bits), the proving device performs the following steps. First, call the GetPrefixes(age_A, m=8) function to obtain the set of all binary prefixes of age_A: P = GetPrefixes(age_A, m=8) = {p_1, p_2, ..., p_m}, where p_i is a binary prefix of age_A and m is the number of prefixes.
[0098] For each prefix p_i ∈ P, the proving device executes: 1. randomly select r_i ∈ Z_n, where n is the order of the base point G of the elliptic curve; 2. calculate the Pedersen commitment of p_i: N_i = p_i · H + r_i · G. After all calculations are completed, the proving device obtains the set of prefix commitments C = {N_1, N_2, ..., N_m} and the corresponding set of random numbers R = {r_1, r_2, ..., r_m}. Having obtained all prefix commitments N_i, the corresponding prefix values p_i and random numbers r_i, the proving device generates a zero-knowledge proof for each commitment, proving that it indeed knows the random number r_i satisfying the relation N_i - p_i · H = r_i · G. The proof process can be abstractly represented as π_i ← Prove(r_i | N_i, p_i : N_i - p_i · H = r_i · G), where π_i is the zero-knowledge proof corresponding to the i-th prefix commitment.
[0099] For each i = 1, 2, ..., m, the proving device performs the above proof generation process, ultimately obtaining the proof set Π = {π_1, π_2, ..., π_m}.
[0100] These proofs π_i are used in the subsequent verification so that, without leaking r_i, the verification device can confirm that each N_i is indeed a valid Pedersen commitment to p_i and that the proving device possesses the correct random number r_i.
[0101] The issuance process is as follows: after generating all prefix commitments C = {N_1, N_2, ..., N_m} and the corresponding zero-knowledge proofs Π = {π_1, π_2, ..., π_m}, the proving device prepares the following materials and submits them to the authorizing device: the commitment set C, the zero-knowledge proof set Π, and identity documents proving that its age is indeed age_A (such as ID card photos, scanned copies, or other officially certified documents). Upon receiving these materials, the authorizing device performs the following verification process: 1. Identity verification: verify the identity documents submitted by the proving device to confirm the authenticity of age_A.
[0102] 2. Commitment consistency verification: for each i = 1, 2, ..., m, verify whether the relation proven by π_i holds: Verify(π_i | N_i, p_i : N_i - p_i · H = r_i · G) = True? 3. Prefix set consistency verification: confirm that the user-submitted P = {p_1, p_2, ..., p_m} is indeed equal to GetPrefixes(age_A, 8).
[0103] If all verifications pass, the authorizing device confirms that the age age_A of the proving device is true and valid and that the commitment set C consists of correct Pedersen commitments to all binary prefixes of age_A. Subsequently, the authorizing device stores the commitment set C on-chain, ensuring its immutability and public verifiability.
[0104] Once on-chain, C becomes a verifiable privacy credential for the age of the proving device, which can be used for privacy-preserving verification in subsequent scenarios without disclosing the specific value of age_A.
[0105] The application process is as follows: suppose a user needs to use an online video service that is restricted to users aged 18 and above. Let the user's actual age be age_U (in 8-bit representation), with corresponding prefix commitment set C_U.
[0106] The proving device performs the following steps to generate an anonymous and verifiable proof of age: 1. Calculate the age threshold covering prefix set: call the GetBRC function to calculate the minimal binary prefix set covering the interval [18, 255]: BRC = GetBRC(a=18, b=255, m=8) = {brc_i | i = 1, 2, ..., n_brc}, where n_brc is the number of covering prefixes.
[0107] 2. Construct a mixed commitment set: let the selected privacy parameter be n_u (the number of users among whom the identity is concealed). The proving device randomly selects from the blockchain n_u - 1 publicly committed, unrevoked commitment sets C_k (k = 1, ..., n_u - 1) whose attribute is "age", and merges them with its own commitment set C_U to form a mixed commitment set of size n_u: {C_j | j = 1, 2, ..., n_u}. To enhance anonymity, the proving device randomly permutes this set, shuffling the order so that an attacker cannot infer from its position which commitment set belongs to the user.
[0108] 3. Extract the prefix-corresponding commitments: for each brc_i ∈ BRC, let its binary length be l_i = binLen(brc_i), and define the operation getPrefix(C_j, l_i) as extracting from the commitment set C_j the commitment value corresponding to the prefix of bit length l_i. For each j = 1, ..., n_u, calculate PK_{i,j} = getPrefix(C_j, l_i) - brc_i · H, and organize all PK_{i,j} into the public key matrix PK = {PK_{i,j} | i = 1, ..., n_brc; j = 1, ..., n_u}. 4. Determine the signing private key: let P_U = GetPrefixes(age_U, 8) be the set of true prefixes of the user's age, and calculate the intersection I = P_U ∩ BRC. Note: since BRC is the minimal prefix set covering [18, 255] and age_U ≥ 18, by the properties of binary prefixes I contains one and only one element, denoted brc*, which satisfies brc* ∈ P_U and brc* ∈ BRC.
[0109] The proving device possesses the random number r* corresponding to brc* (retained when C_U was generated), such that getPrefix(C_U, l*) = brc* · H + r* · G, where l* = binLen(brc*). Suppose that after the random permutation the position of C_U in the mixed set is j* (1 ≤ j* ≤ n_u). Then PK_{i*,j*} = r* · G, where i* satisfies brc_{i*} = brc*; the private key of the proving device is r*.
[0110] 5. Generate the ring signature: the proving device uses PK as the public key set and r* as the private key to generate a ring signature on the message z (e.g., the hash of the service request): σ ← RingSign(z, r*, PK). 6. Submit the verification materials: the proving device submits the following to the video service provider (i.e., the verifying device): the ring signature σ, the message z, and the set of on-chain identifiers {txid_j | j = 1, ..., n_u} of the mixed commitment set {C_j}, where each txid_j is the on-chain transaction number of one commitment set.
[0111] Ultimately, through the ring signature σ the proving device proves that it knows the private key for some C_j whose corresponding age is not less than 18, without disclosing the specific age or its position in the mixed set, and its identity is hidden among the n_u users, ensuring strong privacy.
[0112] The verification process is as follows. After receiving the verification materials submitted by the proving device, the video service provider (the verifying device) performs the following complete procedure to verify that the user's age is not less than 18: 1. Receive materials: receive the following materials submitted by the proving device: the ring signature σ, the message z (usually a unique identifier or hash value of the service request), and the commitment set identifiers {txid_j | j = 1, ..., n_u}, where each txid_j is the transaction number of a commitment set stored on the blockchain.
[0113] 2. Retrieve the commitment sets: for each j = 1, ..., n_u, retrieve the corresponding commitment set C_j from the blockchain according to txid_j and verify the validity of each C_j (such as signature, not revoked, etc.), obtaining the complete mixed commitment set {C_j | j = 1, 2, ..., n_u}. 3. Calculate the age threshold covering prefix set: consistently with the proving device, calculate the minimal binary prefix set covering the interval [18, 255]: BRC = GetBRC(a=18, b=255, m=8) = {brc_i | i = 1, 2, ..., n_brc}. 4. Reconstruct the public key matrix: for each brc_i ∈ BRC, let l_i = binLen(brc_i); for each j = 1, ..., n_u, extract from C_j the commitment corresponding to the prefix of length l_i, C_{j,l_i} = getPrefix(C_j, l_i), and calculate the element of the public key matrix PK_{i,j} = C_{j,l_i} - brc_i · H, obtaining the public key matrix PK = {PK_{i,j} | i = 1, ..., n_brc; j = 1, ..., n_u}. 5. Verify the ring signature: using the reconstructed public key matrix PK, the message z and the ring signature σ, execute the ring signature verification algorithm result ← RingVerify(z, σ, PK); RingVerify returns either True or False.
[0114] 6. Decision-making and response: If result=True, then the validation passed. This indicates that: (a) The equipment used to prove the application for service is indeed in the submitted n u A set of users {C j} in; (b) The user's real age U Not less than 18 years old (i.e., age) U ≥18); (c) The user does indeed possess their age commitment set C u The middle corresponds to a certain BRC Private key r of ∈BRC This proves that his age is within the coverage range [18, 255].
[0115] In one possible implementation, if result=True, then the above conclusion (c) can be obtained, and based on the above conclusion (c), the above conclusions (a) and (b) can be obtained.
[0116] Therefore, the service provider should allow the user to access age-restricted video resources.
[0117] If result=False, the verification failed. This indicates that the applicant cannot prove their age meets the requirements, and the service provider should refuse access.
[0118] Security statement: interpretation of the verification conclusion. If result = True, the verifying device can confirm the following facts: 1. The user applying for the service is indeed among the n_u users of the submitted commitment set {C_j}; 2. The user's actual age age_U is not less than 18 (i.e., age_U ≥ 18); 3. The user possesses, in its age commitment set C_U, the private key corresponding to the element of the intersection with BRC, and can use it to generate a valid ring signature.
[0119] Therefore, service providers can verify user age compliance while ensuring privacy.
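The age ≥ 18 walkthrough of [0106] to [0118], as an added runnable example that is not code from the patent application. It implements GetBRC, GetPrefixes, the per-length commitment sets, the public key matrix PK_{i,j} = getPrefix(C_j, l_i) - brc_i·H, and an AOS-style Schnorr ring signature standing in for RingSign/RingVerify; the group (a toy safe-prime Schnorr group written multiplicatively, in place of an elliptic curve), SHA-256 as the ring hash, the ring scheme and the message z are all assumptions of this example.

```python
# Added example, not the patent's own code: the age >= 18 walkthrough end to end.
# Assumptions: a toy safe-prime Schnorr group written multiplicatively (a deployment
# uses an elliptic curve), SHA-256 for the ring challenge, an AOS-style ring
# signature for RingSign/RingVerify, and a constructed message z.
import hashlib
import secrets

P, Q = 1019, 509   # toy group: P = 2Q + 1, both prime
G, H = 4, 9        # squares mod P, hence of prime order Q; log_G(H) must be unknown
MSG = b"service-request-0001"   # constructed message z (e.g. hash of the request)

def exp(base, k):
    return pow(base, k % Q, P)

def commit(prefix, r):
    """Pedersen commitment brc*H + r*G, written multiplicatively."""
    return exp(H, prefix) * exp(G, r) % P

def get_prefixes(value, m):
    """GetPrefixes: the m binary prefixes of value as (length, prefix) pairs."""
    return [(l, value >> (m - l)) for l in range(1, m + 1)]

def get_brc(a, b, m):
    """GetBRC: minimal set of binary prefixes (length 1..m) tiling [a, b] exactly."""
    out, cur = [], a
    while cur <= b:
        size = 1   # grow the aligned block while it still fits inside [cur, b]
        while cur % (2 * size) == 0 and cur + 2 * size - 1 <= b and 2 * size < 2 ** m:
            size *= 2
        length = m - (size.bit_length() - 1)
        out.append((length, cur >> (m - length)))
        cur += size
    return out

def commitment_set(value, m):
    """One commitment per prefix length; the position encodes the length ([0131])."""
    rs = [secrets.randbelow(Q) for _ in range(m)]
    return [commit(pre, r) for (_, pre), r in zip(get_prefixes(value, m), rs)], rs

def public_key_matrix(brc, mixed):
    """PK[i][j] = getPrefix(C_j, l_i) - brc_i*H; equals r*G only when the prefixes match."""
    return [[c[l - 1] * pow(exp(H, pre), P - 2, P) % P for c in mixed] for l, pre in brc]

def challenge(msg, pks, point):
    data = msg + b"".join(v.to_bytes(2, "big") for v in pks + [point])
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # full 256-bit c

def ring_sign(msg, pks, s, x):
    """AOS ring signature: the signer knows x with pks[s] == G^x and hides s."""
    n = len(pks)
    c, resp = [0] * n, [0] * n
    alpha = secrets.randbelow(Q)
    c[(s + 1) % n] = challenge(msg, pks, exp(G, alpha))
    i = (s + 1) % n
    while i != s:   # simulate every other ring member with a random response
        resp[i] = secrets.randbelow(Q)
        c[(i + 1) % n] = challenge(msg, pks, exp(G, resp[i]) * exp(pks[i], -c[i]) % P)
        i = (i + 1) % n
    resp[s] = (alpha + c[s] * x) % Q   # close the ring with the real key
    return c[0], resp

def ring_verify(msg, pks, sig):
    c0, resp = sig
    c = c0
    for pk, z in zip(pks, resp):
        c = challenge(msg, pks, exp(G, z) * exp(pk, -c) % P)
    return len(pks) == len(resp) and c == c0

def prove(age, decoys, a=18, b=255, m=8):
    """Proving side ([0106]-[0110]); returns None when P_U ∩ BRC is empty."""
    brc = get_brc(a, b, m)
    c_u, r_u = commitment_set(age, m)
    mixed = decoys + [c_u]
    secrets.SystemRandom().shuffle(mixed)          # hide the position of C_U
    j = next(k for k, c in enumerate(mixed) if c is c_u)
    hits = [i for i, pre in enumerate(brc) if pre in get_prefixes(age, m)]
    if not hits:
        return None                                 # no private key: cannot sign
    i = hits[0]                                     # exactly one hit for an in-range age
    pks = [pk for row in public_key_matrix(brc, mixed) for pk in row]
    sig = ring_sign(MSG, pks, i * len(mixed) + j, r_u[brc[i][0] - 1])
    return MSG, sig, mixed

def verify(msg, sig, mixed, a=18, b=255, m=8):
    """Verifying side ([0112]-[0113]): rebuild BRC and PK from the retrieved sets."""
    brc = get_brc(a, b, m)
    pks = [pk for row in public_key_matrix(brc, mixed) for pk in row]
    return ring_verify(msg, pks, sig)

def demo(age, n_u=3):
    """End to end with n_u - 1 constructed decoy users' commitment sets."""
    decoys = [commitment_set(secrets.randbelow(256), 8)[0] for _ in range(n_u - 1)]
    proof = prove(age, decoys)
    return proof is not None and verify(*proof)

if __name__ == "__main__":
    print("BRC([18,255]) =", get_brc(18, 255, 8))
    print("age 25 ->", demo(25), " age 17 ->", demo(17))
```

The commitments are binding only while log_G(H) is unknown, so a deployment derives H by hashing to the curve rather than fixing it as a constant as done here.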
[0120] It can be noted that existing DID-based identity and access control solutions have significant shortcomings in privacy protection, specifically as follows: Complete exposure of credential content: In traditional solutions, credentials issued by authorized institutions to users (such as age certificates, income certificates, etc.) are stored in plaintext or decryptable ciphertext on the DID platform or the user's end. When a user presents the credentials to a service provider (SP), all attribute information within the credentials (such as specific age values, precise income amounts, etc.) is exposed to the SP, leading to user privacy leaks. Linkability between identity and behavior: Even if some solutions encrypt the credential content, because users use the same DID identifier or the same set of credentials each time they access the service, service providers can easily correlate and analyze different user access behaviors to form user profiles, violating the user's unlinkability. Lack of fine-grained, verifiable privacy statements: Existing solutions struggle to support users in proving to the service provider that their attributes meet certain conditions (such as "age ≥ 18 years old" or "income ≥ 300,000") without exposing specific attribute values. Users either have to disclose all their information or are unable to complete the verification process, lacking the ability to verify the privacy statement.
[0121] In summary, current technologies lack a complete solution that can be systematically integrated into the DID framework to achieve both privacy-preserving verification of attribute conditions and ensure the non-linkability of multiple user visits. This leaves room for privacy analysis by attackers and limits the widespread application of DID technology in scenarios requiring strong privacy protection (such as finance, healthcare, and content rating services).
[0122] This application's embodiments design an identity management system based on DID. In the certification documents signed by the permission management authority, plaintext permissions are not directly stored; instead, a Pedersen commitment regarding the permissions is stored, protecting user privacy. Furthermore, when users access services, they do not directly provide their permissions to the service provider; instead, they provide zero-knowledge proofs demonstrating that their permissions comply with the service's permission requirements, preventing privacy exposure.
[0123] Figure 4 is a schematic diagram of an attribute verification device provided by this application; applied to a proving device, the device includes: The acquisition and determination module 401 is used to acquire the attributes of the value to be verified and the range for verifying the attributes; according to the prefixes of different lengths of the value to be verified under a preset format, the prefix set of the value to be verified is obtained, and the covering prefix set of the range is determined, wherein any covering prefix included in the covering prefix set is a prefix of at least one value in the range and does not overlap with any prefix of other values outside the range. The first processing module 402 is used to obtain a first commitment set corresponding to the prefix set; wherein each commitment value in the first commitment set is generated by combining a prefix in the prefix set, a first base point of the elliptic curve, a second base point, and a random number using a commitment algorithm; for each covering prefix in the covering prefix set, a first target prefix with the same length as the covering prefix in the prefix set is determined, and a public key is determined based on the commitment value corresponding to the first target prefix in the first commitment set; a second target prefix corresponding to the intersection of the prefix set and the covering prefix set is determined, and the random number used to generate the commitment value corresponding to the second target prefix is determined as the private key; the service request message sent to the verification device is signed based on the public key set formed from the public keys obtained from each covering prefix, the private key, and a ring signature generation algorithm to obtain a ring signature, and the ring signature, the message, and the identifier of the first commitment set are sent to the verification device; wherein the identifier of the first commitment set is used to obtain the first commitment set, and the first commitment set is used to combine with the covering prefix set corresponding to the interval to obtain a public key set for verifying the ring signature.
[0124] In one possible implementation, the first processing module 402 is specifically used to determine the commitment value corresponding to the first target prefix in the first commitment set, and the product of the first base point and the covering prefix; and to determine the public key based on the difference between the commitment value and the product.
[0125] In one possible implementation, the first processing module 402 is further configured to obtain a preset number of unrevoked second commitment sets from the blockchain; and combine each obtained second commitment set with the first commitment set to obtain a hybrid commitment set; The first processing module 402 is specifically used to determine the public key based on the commitment value corresponding to the first target prefix in the hybrid commitment set determined based on the first commitment set; The first processing module 402 is specifically used to send the ring signature, the message, and the identifier of the hybrid commitment set to the verifier device.
[0126] In one possible implementation, the first processing module 402 is specifically used to obtain from the blockchain the first commitment set corresponding to the proving device and the value to be verified.
[0127] In one possible implementation, specifically when the first commitment set is uploaded to the blockchain, a corresponding on-chain transaction number is generated.
[0128] Figure 5 is a schematic diagram of another attribute verification device provided in an embodiment of this application; applied to a verification device, the device includes: The acquisition module 501 is used to acquire the ring signature and service request message sent by the proving device, and to acquire the first commitment set corresponding to the identifier sent by the proving device; The determining module 502 is used to determine the set of covering prefixes for the interval to be verified, wherein any covering prefix included in the set of covering prefixes is a prefix of at least one value in the interval and does not overlap with any prefix of other values outside the interval. The second processing module 503 is configured to, for each covering prefix in the covering prefix set, determine a target commitment value whose corresponding prefix length in the first commitment set is the same as the length of the covering prefix, based on the correspondence between each commitment value and the prefix length; determine a public key based on the target commitment value; execute a ring signature verification algorithm based on the public key set formed from the public keys obtained from each covering prefix, the message, and the ring signature; and if the verification result is correct, determine that the value to be verified of the proving device is within the interval.
[0129] In one possible implementation, the second processing module 503 is specifically used to determine the product of the first base point and the covering prefix; and to determine the public key based on the difference between the target commitment value and the product.
[0130] In one possible implementation, the second processing module 503 is specifically used to obtain a hybrid commitment set corresponding to the identifier sent by the proving device; wherein the hybrid commitment set is obtained by combining the first commitment set of the proving device and multiple second commitment sets on the blockchain; The second processing module 503 is specifically used to determine, in each commitment set included in the hybrid commitment set, the target commitment value whose corresponding prefix length is the same as the length of the covering prefix.
[0131] In one possible implementation, the second processing module 503 is further configured to obtain the correspondence between each commitment value and the prefix length in the following manner: For each commitment value, determine the order of the commitment value in the set of commitments to which it belongs, and determine the length of the prefix stored for the order as the length of the prefix stored for the commitment value.
[0132] In one possible implementation, the acquisition module 501 is specifically used to acquire the set of transaction numbers sent by the certifying device; based on each on-chain transaction number in the set of transaction numbers, to acquire the commitment set corresponding to that on-chain transaction number from the blockchain, and to acquire a hybrid commitment set composed of each commitment set.
[0133] Figure 6 is a schematic diagram of the structure of an electronic device provided by an embodiment of this application. In addition to the above embodiments, this application also provides an electronic device which, as shown in Figure 6, includes: processor 601, communication interface 602, memory 603 and communication bus 604, wherein processor 601, communication interface 602 and memory 603 communicate with each other through communication bus 604. The memory 603 stores a computer program, which, when executed by the processor 601, causes the processor 601 to perform the following steps: Obtain the attributes of the value to be verified and the range for verifying the attributes; based on the prefixes of different lengths of the value to be verified under a preset format, obtain the prefix set of the value to be verified, and determine the covering prefix set of the range, wherein any covering prefix included in the covering prefix set is a prefix of at least one value in the range, and does not overlap with any prefix of other values outside the range. 
Obtain the first commitment set corresponding to the prefix set; wherein each commitment value in the first commitment set is generated by combining a prefix in the prefix set, the first base point of the elliptic curve, the second base point of the elliptic curve, and a random number using a commitment algorithm; for each covering prefix in the covering prefix set, determine a first target prefix in the prefix set with the same length as the covering prefix, and determine the public key based on the commitment value corresponding to the first target prefix in the first commitment set; determine the second target prefix corresponding to the intersection of the prefix set and the covering prefix set, and determine the random number used to generate the commitment value corresponding to the second target prefix as the private key; The message of the service request sent to the verifier device is signed according to the public key set of the public key obtained based on each covering prefix, the private key, and the ring signature generation algorithm to obtain the ring signature. The ring signature, the message, and the identifier of the first commitment set are sent to the verifier device. The identifier of the first commitment set is used to obtain the first commitment set, and the first commitment set is used to combine with the covering prefix set corresponding to the interval to obtain the public key set for verifying the ring signature.
[0134] In one possible implementation, determining the public key based on the commitment value corresponding to the first target prefix in the first commitment set includes: Determine the commitment value corresponding to the first target prefix in the first commitment set, and the product of the first base point and the covering prefix; The public key is determined based on the difference between the commitment value and the product.
[0135] In one possible implementation, after obtaining the attribute of the value to be verified and the range for verifying the attribute, and before determining the public key based on the commitment value corresponding to the first target prefix in the first commitment set, the method further includes: Obtain a predetermined number of unrevoked second commitment sets from the blockchain; combine each obtained second commitment set with the first commitment set to obtain a hybrid commitment set; The step of determining the public key based on the commitment value corresponding to the first target prefix in the first commitment set includes: For each commitment set included in the hybrid commitment set, a public key is determined based on the commitment value corresponding to the first target prefix in that commitment set; Sending the ring signature, the message, and the identifier of the first commitment set to the verifier device includes: The ring signature, the message, and the identifier of the hybrid commitment set are sent to the verifier device.
[0136] In one possible implementation, obtaining the first commitment set corresponding to the prefix set includes: Obtain the first set of commitments corresponding to the proving device and the value to be verified from the blockchain.
[0137] In one possible implementation, the first commitment set generates a corresponding on-chain transaction number when it is uploaded to the blockchain.
[0138] The processor 601 also performs the following steps: Obtain the ring signature and service request message sent by the proving device, and obtain the first commitment set corresponding to the identifier sent by the proving device; Determine the set of covering prefixes for the interval to be verified, wherein any covering prefix included in the set of covering prefixes is a prefix of at least one value in the interval and does not overlap with any prefix of other values outside the interval; For each covering prefix in the covering prefix set, based on the correspondence between each commitment value and the prefix length, a target commitment value is determined whose corresponding prefix length in the first commitment set is the same as the length of the covering prefix; the public key is determined based on the target commitment value. The ring signature verification algorithm is executed based on the public key set formed from the public keys obtained from each covering prefix, the message, and the ring signature. If the verification result is correct, the value to be verified of the proving device is determined to be within the range.
[0139] In one possible implementation, determining the public key based on the target commitment value includes: Determine the product of the first base point and the covering prefix; determine the public key based on the difference between the target commitment value and the product.
[0140] In one possible implementation, obtaining the first commitment set corresponding to the identifier sent by the certifying device includes: Obtain the hybrid commitment set corresponding to the identifier sent by the proving device; wherein, the hybrid commitment set is obtained by combining the first commitment set of the proving device and multiple second commitment sets on the blockchain; Determining the target commitment value whose length is the same as the length of the covering prefix in the first commitment set includes: Determine the target commitment value in the mixed commitment set whose corresponding prefix length is the same as the length of the covering prefix.
[0141] In one possible implementation, the correspondence between each commitment value and the prefix length in the hybrid commitment set is obtained in the following manner: Based on the number of prefixes corresponding to each pre-saved prefix set, each commitment set included in the hybrid commitment set is determined; wherein, each commitment set includes a first commitment set of the proving party device and multiple second commitment sets obtained from the blockchain; For each commitment value in the mixed commitment set, determine the order of the commitment value in its respective commitment set, and determine the length of the prefix stored for the order as the length of the prefix stored for the commitment value.
[0142] In one possible implementation, the identifier is a set of transaction numbers, and obtaining the hybrid commitment set corresponding to the identifier sent by the certifying device includes: Obtain the set of transaction numbers sent by the proving device; For each on-chain transaction number in the transaction number set, obtain the commitment set corresponding to that on-chain transaction number from the blockchain, and obtain a hybrid commitment set composed of each commitment set.
[0143] In one possible implementation, the correspondence between each commitment value and the prefix length in the first commitment set is obtained in the following manner: For each commitment value in the first commitment set, a sub-commitment set corresponding to the commitment value is determined based on the order of the commitment value in the first commitment set and the number of prefixes corresponding to each pre-saved prefix set; the target order of the commitment value in the sub-commitment set is determined, and the length of the prefix saved for the target order is determined as the length of the prefix saved for the commitment value.
[0144] In one possible implementation, the identifier is a set of transaction numbers, and obtaining the first commitment set corresponding to the identifier sent by the certifying device includes: Obtain the set of transaction numbers sent by the proving device; For each on-chain transaction number in the transaction number set, obtain the commitment set corresponding to that on-chain transaction number from the blockchain, and obtain the first commitment set composed of each commitment set.
[0145] The communication bus mentioned in the above server can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. This communication bus can be divided into address bus, data bus, control bus, etc. For ease of illustration, only one thick line is used to represent it in the diagram, but this does not mean that there is only one bus or one type of bus.
[0146] The communication interface is used for communication between the aforementioned electronic devices and other devices.
[0147] The memory may include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk storage device. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
[0148] The processors mentioned above can be general-purpose processors, including central processing units, network processors (NPs), etc.; they can also be digital signal processors (DSPs), application-specific integrated circuits, field-programmable gate arrays or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
[0149] This application also provides a computer-readable storage medium storing a computer program executable by an electronic device, which, when run on the electronic device, causes the electronic device to perform any of the above method steps.
[0150] This application provides a computer program product, which includes an executable program that, when executed by a processor, implements the method described herein.
[0151] Although preferred embodiments of this application have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of this application.
[0152] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.
Claims
1. An attribute verification method, characterized in that, applied to a proving device, the method includes: Obtain the attributes of the value to be verified and the range for verifying the attributes; based on the prefixes of different lengths of the value to be verified under a preset format, obtain the prefix set of the value to be verified, and determine the covering prefix set of the range, wherein any covering prefix included in the covering prefix set is a prefix of at least one value in the range, and does not overlap with any prefix of other values outside the range. Obtain the first commitment set corresponding to the prefix set; wherein each commitment value in the first commitment set is generated by combining a prefix in the prefix set, the first base point of the elliptic curve, the second base point of the elliptic curve, and a random number using a commitment algorithm; for each covering prefix in the covering prefix set, determine a first target prefix in the prefix set with the same length as the covering prefix, and determine the public key based on the commitment value corresponding to the first target prefix in the first commitment set; determine the second target prefix corresponding to the intersection of the prefix set and the covering prefix set, and determine the random number used to generate the commitment value corresponding to the second target prefix as the private key; The message of the service request sent to the verifier device is signed according to the public key set formed from the public keys obtained based on each covering prefix, the private key, and the ring signature generation algorithm to obtain the ring signature. The ring signature, the message, and the identifier of the first commitment set are sent to the verifier device. 
The identifier of the first commitment set is used to obtain the first commitment set, and the first commitment set is used to combine with the covering prefix set corresponding to the interval to obtain the public key set for verifying the ring signature.
2. The method of claim 1, wherein, The step of determining the public key based on the commitment value corresponding to the first target prefix in the first commitment set includes: Determine the commitment value corresponding to the first target prefix in the first commitment set, and the product of the first base point and the covering prefix; The public key is determined based on the difference between the commitment value and the product.
3. The method of claim 1, wherein, After obtaining the attribute of the value to be verified and the range for verifying the attribute, and before determining the public key based on the commitment value corresponding to the first target prefix in the first commitment set, the method further includes: Obtain a predetermined number of unrevoked second commitment sets from the blockchain; combine each obtained second commitment set with the first commitment set to obtain a hybrid commitment set; The step of determining the public key based on the commitment value corresponding to the first target prefix in the first commitment set includes: For each commitment set included in the hybrid commitment set, a public key is determined based on the commitment value corresponding to the first target prefix in that commitment set; Sending the ring signature, the message, and the identifier of the first commitment set to the verifier device includes: The ring signature, the message, and the identifier of the hybrid commitment set are sent to the verifier device.
4. The method of claim 1, wherein, Obtaining the first commitment set corresponding to the prefix set includes: Obtain the first set of commitments corresponding to the proving device and the value to be verified from the blockchain.
5. The method of claim 4, wherein, When the first set of commitments is uploaded to the blockchain, a corresponding on-chain transaction number is generated.
6. An attribute verification method, characterized in that, applied to a verification device, the method includes: Obtain the ring signature and service request message sent by the proving device, and obtain the first commitment set corresponding to the identifier sent by the proving device; Determine the set of covering prefixes for the interval to be verified, wherein any covering prefix included in the set of covering prefixes is a prefix of at least one value in the interval and does not overlap with any prefix of other values outside the interval; For each covering prefix in the covering prefix set, based on the correspondence between each commitment value and the prefix length, a target commitment value is determined whose corresponding prefix length in the first commitment set is the same as the length of the covering prefix; the public key is determined based on the target commitment value. The ring signature verification algorithm is executed based on the public key set formed from the public keys obtained from each covering prefix, the message, and the ring signature. If the verification result is correct, the value to be verified of the proving device is determined to be within the range.
7. The method of claim 6, wherein the step of determining the public key based on the target commitment value includes: Determine the product of the first base point and the covering prefix; determine the public key based on the difference between the target commitment value and the product.
8. The method according to claim 6, characterized in that, The step of obtaining the first commitment set corresponding to the identifier sent by the certifying device includes: Obtain the hybrid commitment set corresponding to the identifier sent by the proving device; wherein, the hybrid commitment set is obtained by combining the first commitment set of the proving device and multiple second commitment sets on the blockchain; Determining the target commitment value whose length is the same as the length of the covering prefix in the first commitment set includes: In each of the commitment sets contained in the hybrid commitment set, determine the target commitment value for which the length of the corresponding prefix is the same as the length of the covering prefix.
9. The method according to claim 8, characterized in that, The correspondence between each commitment value and the prefix length is obtained in the following way: For each commitment value, determine the order of the commitment value in the set of commitments to which it belongs, and determine the length of the prefix stored for the order as the length of the prefix stored for the commitment value.
10. The method according to claim 8, characterized in that, The identifier is a set of transaction numbers, and obtaining the set of hybrid commitments corresponding to the identifiers sent by the proving party device includes: Obtain the set of transaction numbers sent by the proving device; For each on-chain transaction number in the transaction number set, obtain the commitment set corresponding to that on-chain transaction number from the blockchain, and obtain a hybrid commitment set composed of each commitment set.