Method for using block chain

Document No.: 144522 Publication date: 2021-10-22

Reading note: This technology, "Method for using block chain", was designed and created by Craig Steven Wright, Owen Vaughan and Brock Doiron on 2020-03-04. Its main content is as follows. The invention discloses a method comprising: a second party receiving confirmation that a first party agrees to a statement; and the second party receiving a piece of information after that confirmation and after the first party's cryptographic signature. To attest to this, the second party generates its own cryptographic signature by signing a portion of data containing the information or a transformation of it. One or more transactions containing the first and second signatures are then sent to a network of nodes. Provided a validation condition is satisfied, the transactions are propagated through the network to be recorded in the blockchain. The validation condition for one of the one or more transactions is that the first signature is included in one of the one or more transactions and the second signature is included in one of the one or more transactions, the second signature having been generated by signing that particular portion of data.

1. A computer-implemented method of using a blockchain to prove a consent statement of a first party, the method comprising, on a computer device of a second party:

the second party receiving confirmation of the first party agreement statement;

said second party receiving a message from said first party, said message being made available to said second party only after said confirmation and after said first party has generated a cryptographic signature for said first party to indicate said agreement in addition to said confirmation;

to indicate that the second party verifies receipt of the confirmation of the first party, the second party generates a cryptographic signature of the second party by signing partial data containing the information or a transformation of the information; and

sending or causing to be sent one or more transactions to a network of nodes in a form including the first party signature included in at least one of the one or more transactions and the second party signature included in at least one of the one or more transactions, the network being configured to propagate each transaction through the network to be recorded in a blockchain copy maintained by each of at least some of the nodes when a verification condition is satisfied;

wherein the validation condition is configured to validate one of the one or more transactions under the following conditions: the signature of the first party is included in one of the one or more transactions and the signature of the second party is included in one of the one or more transactions, the signature of the second party being generated by signing the partial data.

2. The method of claim 1, wherein the statement is a statement in a file.

3. The method of claim 2, wherein the record of the file is contained in one of the one or more transactions and is stored in a blockchain accordingly.

4. The method of claim 3, wherein the record of the file is cryptographically signed by one or both of the first and second parties.

5. The method of claim 4, wherein the portion of data signed by the second party to generate the second party signature comprises a record of the file, and/or the data signed by the first party to generate the first party signature comprises a record of the file.

6. The method according to any one of the preceding claims,

further comprising establishing a video call between the first party and the second party,

wherein the receiving of the confirmation comprises the second party receiving a confirmation from the first party via a video call in a visual or audible manner.

7. The method of claim 6, wherein the recording of the video is stored for future reference, including at least one segment of video containing the visual or audible confirmation.

8. The method of claim 7, wherein the recording of the video is contained in one of the one or more transactions and is stored in a blockchain accordingly.

9. The method of claim 8, wherein the recording of the video is cryptographically signed by one or both of the first and second parties.

10. The method of any preceding claim, wherein the verification condition is configured to be used for each transaction at least in part by a respective code contained in the transaction and/or the blockchain previous transaction.

11. The method of any preceding claim, wherein:

the one or more transactions consist of one transaction that includes signatures of both the first and second parties;

the verification condition is configured to verify the one transaction under the following conditions: signatures of both the first and second parties are included in the transaction, the signature of the second party being generated by signing the partial data.

12. The method of claim 11, wherein:

the input of the one transaction comprises a pointer to an output of a previous transaction in the blockchain or to be included in the blockchain, wherein the output of the previous transaction comprises a lock script that requires a signature of the first party and a signature of the second party to unlock the output of the previous transaction;

the one transaction includes an unlocking script in an input of the one transaction, the unlocking script including signatures of the first and second parties, configured to effect verification by unlocking the previous transaction using the first and second signatures.

13. A method according to claim 11 or 12, wherein said information comprises a secret piece of information of said first party in addition to said first party's signature.

14. The method of claim 13, comprising including and forwarding the secret information in the one transaction, or forwarding the secret information for inclusion in the one transaction, before the second party sends to the network for propagation; wherein the validation condition is configured to validate the one transaction under further conditions: the secret information is contained in the one transaction.

15. The method of claim 14, wherein the one transaction comprises a hash value of the secret information, the condition that the secret information is contained in the one transaction comprising: the secret information forwarded by the second party is a solution to a hash value of the secret information contained in the code.

16. The method of claim 13 as dependent on claim 12, wherein:

the locking script comprising a code separator separating first and second parts of the locking script, wherein the second part comprises the information, wherein the locking script is configured to enable verification of the one transaction requiring a signature of the first party to sign at least the first part but not the second part and a signature of the second party to sign at least the second part;

the receiving of the information comprises receiving at least a second portion of the locking script;

the generation of the second party signature includes signing at least the second portion.

17. The method of claim 16, comprising:

prior to the second party receiving the information, the second party receiving a first portion of the locked script, wherein the first party's signature at least signs the first portion;

verifying a signature of the first party based on the received first portion.

18. The method of any one of claims 13 to 17 as dependent on claim 12, wherein:

the lock script also requires the secret information to unlock the output of the previous transaction;

the unlocking script in the input of the one transaction includes the secret information configured for using the secret information in the unlocking script.

19. A method according to any of claims 12 to 18 when dependent on claim 3, wherein the record of the file is contained in the output of the one transaction.

20. A method according to any one of claims 12 to 19 when dependent on claim 8, wherein the recording of the video is included in the output of the one transaction.

21. The method of any of claims 1 to 10, wherein:

the one or more transactions include a first transaction and a second transaction;

the verification condition is configured to verify the first transaction on condition that the signature of the first party is included in the first transaction; and verifying the second transaction on condition that the signature of the second party is included in the second transaction, and the second signature is generated by signing the partial data.

22. The method of claim 21, wherein:

the input of the first transaction comprises a pointer to an output of a previous transaction in the blockchain or to be included in the blockchain, wherein the output of the previous transaction comprises a lock script that requires a signature of the first party to unlock the output of the previous transaction;

the input of the second transaction comprises a pointer to the output of the first transaction, wherein the output of the first transaction comprises a lock script that requires the signature of the second party to unlock the output of the first transaction;

the first transaction comprises a first unlock script in an input of the first transaction and a second unlock script in an input of the second transaction, the first unlock script comprising a signature of the first party, the second unlock script comprising a signature of the second party, configured to unlock an output of the previous transaction using the signature of the first party and unlock an output of the first transaction using the signature of the second party to enable verification;

the information withheld by the first party includes a signature of the first party.

23. A method according to claim 21 or 22 as dependent on claim 3, wherein a record of the file is included in the output of the second transaction.

24. A method according to claim 21, 22 or 23 as dependent on claim 8, wherein the recording of the video is included in the output of the second transaction.

25. A computer program product embodied on a computer readable memory comprising code configured to perform operations according to any preceding claim when run on a computer device of the second party.

26. Computer apparatus of the second party, comprising processing means including one or more processors and memory including one or more storage means, the memory storing software arranged for execution on the processors, the software being configured to perform operations in accordance with any of claims 1 to 24 when executed.

27. A computer-implemented method executed on a first-party computer device, the method comprising:

the first party generating a cryptographic signature of the first party indicating agreement by the first party;

confirming to a second party, separately from the signature of the first party, that the first party agrees with the statement;

after the first party has generated the signature of the first party and sent the confirmation to the second party, making information of the first party available to the second party and then sending the information to the second party, thereby causing the second party to generate a cryptographic signature of the second party by signing a portion of data containing the information or a transformation thereof; and

causing the one or more transactions to be sent to a network of nodes by sending the information in a form including the first party signature included in at least one of the one or more transactions and the second party signature included in at least one of the one or more transactions, the network being configured to propagate each transaction through the network when a verification condition is satisfied and to record each transaction in a blockchain copy maintained by each of at least some of the nodes;

wherein the validation condition is configured to validate one of the one or more transactions under the following conditions: the signature of the first party is included in one of the one or more transactions and the signature of the second party is included in one of the one or more transactions, the signature of the second party being generated by signing the partial data.

28. A method performed by a first node in a network of nodes, comprising:

receiving one or more transactions including a cryptographic signature of a first party included in one of the one or more transactions and a cryptographic signature of a second party included in at least one of the one or more transactions;

verifying that both the first party's signature and the second party's signature are included in one of the one or more transactions, the first party's signature signing a portion of data, the portion of data including or originating from a piece of information of the first party, the information being made available to the second party after the first party generated the first signature;

recording the one or more transactions in a blockchain copy maintained by the first node;

subsequently propagating the one or more transactions to one or more other nodes to be recorded in blockchain copies recorded at each of the one or more other nodes;

wherein the first node is configured to perform the logging and subsequent propagation of at least one of the one or more transactions by the first node subject to the verification.

Technical Field

The present disclosure discloses a specific new second layer application of blockchains, i.e. adding secondary functions on blockchains.

Background

A blockchain is a chain of blocks of data, where each of a plurality of nodes in a peer-to-peer (P2P) network maintains a respective copy of the blockchain. At least some of the nodes may also act as miners, as will be explained in more detail later. Each block in the chain includes one or more transactions, where a transaction in this context refers to a data structure. The nature of the data structure will depend on the type of transaction protocol used as part of the transaction model or scheme. A given blockchain typically uses one particular transaction protocol throughout. In one common transaction protocol, the data structure for each transaction includes at least one input and at least one output. Each output specifies an amount representing a quantity of the digital asset belonging to the user to whom the output is cryptographically locked (requiring that user's signature in order to be unlocked and thereby redeemed or spent). Each input points to the output of a previous transaction, linking the transactions.

In a given current transaction, the input (or each input) includes a pointer that references the output of a previous transaction in the transaction sequence, specifying that the output is to be redeemed or "spent" in the current transaction. The input for the current transaction also includes the signature of the user whose previous transaction output was locked. In turn, the output of the current transaction may be cryptographically locked to the new user. Thus, the current transaction may transfer the amount defined in the previous transaction input to the new user defined in the current transaction output. In some cases, a transaction may have multiple outputs to split the input amount among multiple users (one of which may be the original user in order to make the change). In some cases, the transaction may also have multiple inputs, aggregating the amounts of multiple outputs of one or more previous transactions together, and reassigning to one or more outputs of the current transaction.

The above may be referred to as an "output-based" transaction protocol, sometimes also referred to as an unspent transaction output (UTXO) type protocol (where the output is referred to as UTXO). The total balance of the user is not defined by any number stored in the blockchain; instead, the user needs a special "wallet" application to consolidate all UTXO values for that user, which are spread across many different transactions in the blockchain.

As part of an account-based transaction model, another type of transaction protocol may be referred to as an "account-based" protocol. In the case of account-based, each transaction is not defined by reference to the UTXO previously transacted in the past transaction sequence to define the amount of transfer, but by reference to an absolute account balance. The current status of all accounts is stored separately by miners into the blockchain and is constantly updated. In such systems, the transactions are ordered using a running transaction record (also referred to as a "position") for the account. The value is signed by the sender as part of its cryptographic signature and hashed as part of the transaction reference calculation. In addition, optional data fields may also be signed in the transaction. This data field may point to the previous transaction, for example, if the data field contains the previous transaction ID.

Regardless of the type of transaction protocol employed, when a user wishes to perform a new transaction, they send the new transaction from their computer terminal to one of the nodes of the P2P network (now typically a server or data center, but in principle it could be another user terminal). The node checks whether the transaction is valid according to the node protocol applied at each node. The details of the node protocol will correspond to the type of transaction protocol used in the relevant blockchain, together forming the overall transaction model. The node protocol typically requires a node to check whether the cryptographic signature in a new transaction matches the expected signature, which depends on the previous transaction in an ordered sequence of transactions. In the output-based case, this may include checking whether the user's cryptographic signature contained in the input of the new transaction matches a condition defined in the output of the previous transaction that the new transaction spends, where the condition typically includes at least checking whether the cryptographic signature in the input of the new transaction unlocks the output of the previous transaction to which that input points. In some transaction protocols, conditions may be defined at least in part by custom scripts included in the input and/or output. Alternatively, the condition may be fixed by the node protocol alone, or defined by a combination of the two. Either way, if the transaction is valid, the current node forwards the new transaction to one or more other nodes in the P2P network. At least some of these nodes also act as forwarding nodes, applying the same tests according to the same node protocol, forwarding the new transaction to one or more further nodes, and so on. In this way, new transactions are propagated throughout the network of nodes.

In an output-based model, whether a given output (e.g., UTXO) is spent is defined by whether it has been validly redeemed by the input of another, subsequent transaction, according to the node protocol. Another condition for a transaction to be valid is that the output of the previous transaction that it attempts to spend or redeem has not already been spent/redeemed by another valid transaction. Likewise, if invalid, the transaction will not be propagated or recorded in the blockchain. This prevents double spending, i.e. the spender spending the output of the same transaction more than once. The account-based model, on the other hand, prevents double spending by maintaining account balances. Because there is also a defined sequence of transactions, the account balance has a single defined state at any time.

In addition to validation, at least some of the nodes also compete to create blocks of transactions in a process called mining, which is based on "proof of work". At a mining node, new transactions are added to a pool of valid transactions that have not yet appeared in a block. Miners then compete to assemble a new valid block of transactions from the transaction pool by attempting to solve a cryptographic puzzle. Typically, this involves searching for a "nonce" value such that when the nonce is concatenated with the transaction pool and hashed, the output of the hash satisfies a predetermined condition. For example, the predetermined condition may be that the output of the hash has a predefined number of leading zeros. A property of a hash function is that its output is unpredictable relative to its input. The search can therefore only be performed by brute force, and so each node consumes a large amount of processing resources in trying to solve the puzzle.

The first miner node to solve the puzzle announces this to the network, providing the solution as proof, which the other nodes in the network can then easily check (once the solution to a hash is given, it is straightforward to check that it causes the output of the hash to satisfy the condition). Based on the winner's announced solution having been checked at each node, the winner's transaction pool is then recorded as a new block in the blockchain by at least some of the nodes acting as storage nodes. A block pointer is also assigned to the new block, pointing back to the previously created block in the chain. Proof of work helps reduce the risk of double spending: because it takes a large amount of work to create a new block, and because any block containing a double spend is likely to be rejected by other nodes, mining nodes are incentivised not to allow double spends to be included in their blocks. Once created, the block cannot be modified, because it is recognised and maintained at each storage node in the P2P network according to the same protocol. The block pointer also imposes a sequential order on the blocks. Because the transactions are recorded in ordered blocks at the storage nodes of the P2P network, an immutable public ledger of the transactions is provided.

Note that different miners racing to solve the puzzle at any given time may be doing so based on different snapshots of the unmined transaction pool, depending on when they started searching for a solution. Whoever solves their respective puzzle first defines which transactions are included in the new block, and the current pool of unmined transactions is updated. The miners then continue to compete to create a block from the newly defined outstanding pool, and so on. There is also a protocol for resolving any "fork" that may arise, where two miners solve their puzzles within a very short time of each other such that conflicting views of the blockchain are propagated (in short, whichever prong of the fork grows longest becomes the definitive blockchain).

In most blockchains, the winning miner is also automatically rewarded with a special kind of new transaction that creates a new quantity of the digital asset (as opposed to a normal transaction, which transfers an amount of the digital asset from one user to another). The winning node is therefore said to have "mined" a quantity of the digital asset. This special type of transaction is sometimes referred to as a "coinbase" transaction. It automatically forms part of the new block. The reward gives miners an incentive to take part in the proof-of-work race. A regular transaction will often also specify an additional transaction fee in one of its outputs, to further reward the winning miner who created the block in which that transaction was included.

Transactions in blockchains are typically used to transfer digital assets, i.e., data acting as a store of value. But a blockchain can also be used to layer additional functionality on top of the blockchain. For example, the blockchain protocol may allow additional user data to be stored in the transaction output. Modern blockchains are increasing the maximum amount of data that can be stored in a single transaction, thereby enabling more complex data to be incorporated. Assuming that the transaction is validated and thus accepted on the blockchain, the additional user data will remain stored at the various nodes in the P2P network as an immutable public record. This may be used, for example, to store electronic files in a blockchain. The fact that the transaction is cryptographically signed increases the trust in the file to some extent, so using the blockchain as a way of storing the file provides a degree of security, particularly in combination with the fact that the blockchain provides an immutable public record.

Disclosure of Invention

However, this provides only a certain degree of security. To further increase security, it is recognized herein that there is a need to provide a system that allows a second party to electronically prove the fact that a first party has agreed to a file or similar (e.g., agreed to a statement or claim in the content of the file). The technical challenge in this respect is to provide a mechanism for proof of trust. In particular, when a second party proves that a first party has agreed to certain statements or claims, it is considered herein to be necessary to prove, computationally or cryptographically, that the second party generated its cryptographic signature after the first party. It is further recognized herein that this can be accomplished by making use of the validation performed by the nodes.

According to an aspect disclosed herein, there is provided a computer-implemented method of proving a consent statement of a first party using a blockchain. The method comprises the following steps performed on the second party computer device. The second party receives confirmation of agreement of the first party on the statement; the second party receives a piece of information of the first party, which is available to the second party only after said confirmation and after the first party has generated its own cryptographic signature to indicate said agreement. To indicate that the second party proves that the confirmation of the first party has been received, the second party generates its own cryptographic signature by signing the part of the data containing the information or its transformation. The second party, or another party using the device, then sends one or more transactions to the network of nodes. The one or more transactions include a signature of a first party included in at least one of the one or more transactions and a signature of a second party included in at least one of the one or more transactions. The network is configured to propagate each transaction through the network to be recorded in the blockchain copy maintained by each of at least some of the nodes when the validation condition is satisfied. The validation condition is configured to validate one of the one or more transactions under the following conditions: the signature of the first party is contained in one of the one or more transactions and the signature of the second party is contained in one of the one or more transactions, the signature of the second party being generated by signing the portion of data.

Since the second party only receives the first party's information after the first party has signed and confirmed their agreement, and since the second party's signature must be generated by signing that information, this cryptographically proves that the second party signed after the first party. Once the transaction has been propagated through the network, it remains in the blockchain (in the copy maintained by each storage node) as an immutable record of the evidence. If the condition is not met, however, the forwarding nodes will not validate the transaction and therefore will not propagate it. The validation process is thus used to prove the order of the signatures, since only transactions that prove the correct order of the signatures will be propagated and recorded in the blockchain.
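The validation condition described above, as an added example that is not part of the patent text: a Python model of a node checking one transaction against a lock that requires Alice's signature, a hash-committed secret and Bob's signature over data containing that secret. Lamport one-time signatures stand in for the blockchain's real signature scheme, and the names `make_lock`, `bob_message` and `validate`, the dict-based transaction layout and the message prefixes are assumptions made for illustration.

```python
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signatures: a stdlib-only stand-in (assumption) for the
# signature scheme of a real blockchain. Each key pair signs one message only.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    digest = int.from_bytes(H(msg), "big")
    return [(digest >> i) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    # Reveal one preimage per bit of the message digest.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if not isinstance(sig, list) or len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


def make_lock(alice_pk, bob_pk, secret_hash: bytes) -> dict:
    # Hypothetical model of the lock in the previous transaction's output:
    # both signatures are required, plus a preimage of secret_hash.
    return {"alice_pk": alice_pk, "bob_pk": bob_pk, "secret_hash": secret_hash}


def alice_message(record_hash: bytes) -> bytes:
    return b"agree|" + record_hash


def bob_message(record_hash: bytes, secret: bytes) -> bytes:
    # The "portion of data" Bob signs: it contains Alice's released information.
    return b"witness|" + record_hash + b"|" + secret


def validate(lock: dict, tx: dict) -> bool:
    """Node-side check: propagate the transaction only if this returns True."""
    record_hash = H(tx["record"])
    if not verify(lock["alice_pk"], alice_message(record_hash), tx.get("alice_sig")):
        return False
    secret = tx.get("secret")
    if not isinstance(secret, bytes) or H(secret) != lock["secret_hash"]:
        return False
    return verify(lock["bob_pk"], bob_message(record_hash, secret), tx.get("bob_sig"))


def demo() -> dict:
    record = b"constructed sample record: Alice agrees to statement S"
    rh = H(record)
    alice_sk, alice_pk = keygen()
    bob_sk, bob_pk = keygen()
    secret = os.urandom(32)  # Alice's information, withheld until she has signed
    lock = make_lock(alice_pk, bob_pk, H(secret))

    alice_sig = sign(alice_sk, alice_message(rh))  # step 1: Alice signs
    # step 2: Alice confirms to Bob out of band; step 3: she releases `secret`
    bob_sig = sign(bob_sk, bob_message(rh, secret))  # step 4: Bob signs over it
    tx = {"record": record, "alice_sig": alice_sig,
          "secret": secret, "bob_sig": bob_sig}

    # Bob signing before the release: he can only sign over a placeholder.
    # A fresh key pair is used because Lamport keys are one-time.
    early_sk, early_pk = keygen()
    early_lock = make_lock(alice_pk, early_pk, H(secret))
    early_sig = sign(early_sk, bob_message(rh, bytes(32)))

    return {
        "valid": validate(lock, tx),
        "bob_signed_early": validate(early_lock, dict(tx, bob_sig=early_sig)),
        "missing_alice_sig": validate(lock, dict(tx, alice_sig=None)),
        "wrong_secret": validate(lock, dict(tx, secret=os.urandom(32))),
    }


if __name__ == "__main__":
    print(demo())
```

The hash commitment in the lock is what lets a node tell a signature made over the released information from one made over a guess; without it the node would have nothing to compare the revealed value against.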

Drawings

To assist in understanding embodiments of the present disclosure and to show how such embodiments may be carried into effect, reference will now be made, by way of example only, to the accompanying drawings, in which:

Figure 1 is a schematic block diagram of a system implementing a blockchain,

Figure 2 schematically shows some examples of transactions that may be recorded in a blockchain,

Figure 3 is a schematic block diagram of another system implementing a blockchain,

Figure 4 schematically shows a pair of terminals used in the system shown in Figure 3,

Figure 5 schematically shows a set of transaction examples for proving consent to a file in a blockchain according to a first method,

Figure 6 schematically shows exemplary details of some steps in the first method,

Figure 7 is a schematic flow chart showing the steps of a first method using the set of transactions shown in Figures 5 and 6,

Figure 8 schematically shows another set of exemplary transactions for proving consent to a file in a blockchain according to a second method,

Figure 9 schematically shows exemplary details of some steps in the second method,

Figure 10 is a schematic flow chart illustrating a second method of using the set of transactions shown in Figures 8 and 9,

Figure 11 schematically shows a set of transaction examples for proving consent to a file in a blockchain according to a variant of the first method,

Figure 12 is a schematic flow chart showing the steps of the first method variation using the set of transactions shown in Figure 11.

Detailed Description

Fig. 1 illustrates an exemplary system 100 for implementing a blockchain 150. The system 100 includes a packet-switched network 101, typically a wide-area internetwork such as the Internet. The packet-switched network 101 comprises a plurality of nodes 104 arranged to form a peer-to-peer (P2P) overlay network 106 within the packet-switched network 101. Each node 104 comprises a computer device of a peer, with different nodes 104 belonging to different peers. Each node 104 includes a processing device comprising one or more processors, such as one or more Central Processing Units (CPUs), accelerator processors, application specific processors, and/or Field Programmable Gate Arrays (FPGAs). Each node also includes memory, i.e., computer-readable memory in the form of non-transitory computer-readable media. The memory may include one or more memory units employing one or more memory media, for example, magnetic media such as hard disks, electronic media such as Solid State Disks (SSDs), flash memory or electrically erasable read-only memory, and/or optical media such as optical disk drives.

At least some of the nodes 104 play the role of forwarding nodes 104F, which forward and thus propagate transactions 152. At least some of the nodes 104 play the role of miners 104M, which mine blocks 151. At least some of the nodes 104 play the role of storage nodes 104S (also sometimes referred to as "full copy" nodes), each storing a respective copy of the same blockchain 150 in a respective memory. A given node 104 may be a forwarding node 104F, a miner 104M, a storage node 104S, or any combination of two or all of them.

Because of the computing resources involved in mining, typically at least each miner node 104M takes the form of a server comprising one or more physical server units, or even an entire data center. Each forwarding node 104F and/or storage node 104S may also take the form of a server or data center. In principle, however, any given node 104 may comprise a user terminal or a group of networked user terminals.

The memory of each node 104 stores software configured to run on the processing device of the node 104 to perform its respective role and process transaction 152 according to the node protocol. It should be understood that any of the actions of node 104 herein may be performed by software running on a processing means of the respective computer device. Furthermore, the term "blockchain" herein refers to a generic term of a general technical type, not limited to any particular proprietary blockchain, protocol or service of any particular entity.

Also connected to network 101 is the computer device 102 of each of a plurality of parties 103 in the role of consuming users. They act as payers and payees in transactions, but do not necessarily participate in mining or in propagating transactions on behalf of others. They do not necessarily run a mining protocol. For illustration purposes, two parties 103 and their respective devices 102 are shown: a first party 103a and its corresponding computer device 102a, and a second party 103b and its corresponding computer device 102b. It should be understood that more such parties 103 and their corresponding computer devices 102 may be present and participate in the system, but are not illustrated for convenience. Each party 103 may be an individual or an organization. For purposes of illustration, the first party 103a is referred to herein as Alice and the second party 103b is referred to as Bob, although it should be understood that this is not limited to Alice or Bob, and any reference herein to Alice or Bob may be replaced with "first party" and "second party," respectively.

The computer device 102 of each party 103 comprises respective processing means comprising one or more processors, such as one or more central processing units, accelerator processors, application specific processors and/or field programmable gate arrays. The computer device 102 of each party 103 further comprises a memory, i.e. a computer readable memory in the form of a non-transitory computer readable medium. The memory may include one or more memory units employing one or more memory media, for example, magnetic media such as a hard disk, electronic media such as a solid state disk, flash memory or electrically erasable read-only memory, and/or optical media such as an optical disk drive. The memory storage on the computer device 102 of each party 103 contains a respective instance of at least one client application 105 arranged to run on the processing means. It should be understood that any of the actions of a given party 103 herein may be performed by software running on processing means of the respective computer device 102. The computer device 102 of each party 103 comprises at least one user terminal, e.g. a desktop or laptop computer, a tablet computer, a smartphone or a wearable device such as a smart watch. The computer device 102 of a given party 103 may also include one or more other network resources, such as cloud computing resources accessed through a user terminal.

The client application or software 105 may be initially provided to the computer device 102 of any given party 103 by way of an appropriate computer readable storage medium, e.g., downloaded from a server, or provided on a removable storage device, such as a removable solid state drive, flash memory key, removable electrically erasable read only memory, removable magnetic disk drive, floppy disk or tape, optical disk (such as a CD or DVD ROM), or removable optical disk drive, etc.

The client application 105 includes at least "wallet" functionality. This has two main functions. One of these is to enable the respective user party 103 to create, sign and send transactions 152 to be propagated throughout the network of nodes 104 and thus be included in the blockchain 150. The other is to report to the respective party the amount of the digital asset that they currently own. In an output-based system, this second function includes collating the amounts defined in the outputs of the various transactions 152, scattered throughout blockchain 150, that belong to the party in question.

An instance of client application 105 on each computer device 102 is operatively coupled to at least one forwarding node 104F of P2P network 106. This may enable the wallet functionality of the client 105 to send the transaction 152 to the network 106. Client 105 may also contact one, some, or all storage nodes 104 to query blockchain 150 for any transactions for which corresponding party 103 is a recipient (or indeed to check other party transactions in blockchain 150, since blockchain 150 is a public facility that provides transaction trust to some extent through its public visibility in embodiments). The wallet functionality on each computer device 102 is configured to formulate and transmit transactions 152 according to a transaction protocol. Each node 104, with forwarding node 104F forwarding transaction 152, runs software configured to validate transaction 152 according to the node protocol for propagation throughout network 106. The transaction protocol and the node protocol correspond to each other, and the given transaction protocol and the given node protocol together implement a given transaction model. All transactions 152 in blockchain 150 employ the same transaction protocol (although the transaction protocol may allow different transaction subtypes to exist within it). All nodes 104 in the network 106 employ the same node protocol (although they may process different transaction subtypes differently according to their rules, and different nodes may also play different roles, thus implementing different corresponding aspects of the protocol).

Blockchain 150 comprises a chain of blocks 151. Each block 151 includes a set of one or more transactions 152 that have been created by the proof-of-work process discussed previously. Each block 151 also includes a block pointer 155 that points to the previously created block 151 in the chain to define the order of blocks 151. Blockchain 150 also includes a pool of valid transactions 154 waiting to be included in a new block through the proof-of-work process. Each transaction 152 includes a pointer to a previous transaction to define the order of the sequence of transactions (note: the sequence of transactions 152 may branch). The chain of blocks 151 traces back to the genesis block (Gb) 153, which is the first block in the chain. One or more original transactions 152 early in chain 150 point to the genesis block 153 rather than to a previous transaction.

When a given party 103 (say Alice) wishes to send a new transaction 152m intended for inclusion in the blockchain 150, she formulates the new transaction according to the relevant transaction protocol (using the wallet functionality in her client application 105). She then sends transaction 152 from client application 105 to one of the one or more forwarding nodes 104F to which she is connected. This may be, for example, the forwarding node 104F that is the closest or best connected to Alice's computer 102. When any given node 104 receives a new transaction 152m, it processes it according to the node protocol and its corresponding role. This includes first checking whether the newly received transaction 152m meets a certain condition for being "valid," specific examples of which will be described in detail later. In some transaction protocols, the validation conditions may be configured on a per-transaction basis through scripts contained in the transactions 152. Alternatively, the condition may simply be a built-in function of the node protocol, or may be defined by a combination of script and node protocol.

If the newly received transaction 152m passes the validity test (i.e., on condition that it is "validated"), any storage node 104S receiving the transaction 152m will add the newly validated transaction 152 to the pool 154 in the copy of blockchain 150 maintained at that node 104S. Further, any forwarding node 104F receiving transaction 152m will then propagate the validated transaction 152 to one or more other nodes 104 in P2P network 106. Since each forwarding node 104F applies the same protocol, then assuming transaction 152m is valid, it will soon propagate through the entire P2P network 106.

Once the transaction has entered the pool 154 in the copy of the blockchain 150 maintained at one or more storage nodes 104, miner nodes 104M will begin competing to solve the proof-of-work puzzle on the latest version of the pool 154 that includes the new transaction 152 (other miners 104M may continue trying to solve the puzzle based on the old view of the pool 154, but whoever solves the puzzle first defines where the next new block 151 ends and the new pool 154 begins, and eventually someone will solve the puzzle for a portion of the pool 154 that includes Alice's transaction 152m). Once the proof-of-work has been completed for the pool 154 that includes new transaction 152m, it immutably becomes part of a block 151 in blockchain 150. Each transaction 152 includes a pointer to an earlier transaction, and thus the order of the transactions is also immutably recorded.

Fig. 2 illustrates an exemplary transaction protocol. This is an example based on the UTXO protocol. Transactions ("Tx" for short) are the basic data structure of blockchain 150 (each block 151 includes one or more transactions 152). The following description refers to an output-based or "UTXO" based protocol. However, this is not limiting to all possible embodiments.

In the UTXO-based model, each transaction ("Tx") 152 includes a data structure that includes one or more inputs 202 and one or more outputs 203. Each output 203 may comprise an unspent transaction output (UTXO) that may be used as a source of another input 202 for a new transaction if the UTXO is not redeemed. The UTXO contains the transaction ID of its source transaction, as well as other information. The transaction data structure may include a header 201, which may include size indicators for an input field 202 and an output field 203. The header 201 may also include the ID of the transaction. In an embodiment, the transaction ID is a hash of the transaction data (not including the transaction ID itself) and is stored in the header 201 of the original transaction 152 submitted to the miner 104M.

Say Alice 103a wishes to create a transaction that transfers an amount of the digital asset in question to Bob 103b. In FIG. 2, Alice's new transaction 152m is labeled "Tx1". It takes an amount of the digital asset that is locked to Alice in the output 203 of a previous transaction in the sequence and transfers at least a portion of it to Bob. The previous transaction in FIG. 2 is labeled "Tx0". Tx0 and Tx1 are only arbitrary labels. They do not necessarily mean that Tx0 is the first transaction in blockchain 151 or that Tx1 is the next transaction in the pool 154. Tx1 may point to any previous transaction that still has an unspent output 203 locked to Alice.

When Alice creates her new transaction Tx1, or at least when she sends it to the network 106, the previous transaction Tx0 may already have been validated and included in blockchain 150. It may already be included in one of the blocks 151 at that time, or may still be waiting in the pool 154, in which case it will soon be included in a new block 151. Alternatively, Tx0 and Tx1 may be created and sent to network 102 together, or Tx0 may even be sent after Tx1 if the node protocol allows buffering of "orphan" transactions. The terms "prior" and "subsequent" as used in the context of transaction order herein refer to the order of transactions in the sequence defined by the transaction pointers specified in the transactions (which transaction points to which other transaction, etc.). They do not necessarily refer to the order in which the transactions are created, sent to the network 106, or arrive at any given node 104. However, a subsequent transaction (a "child transaction") pointing to a previous transaction (a "parent transaction") is not validated before the parent transaction is validated. A child transaction that reaches node 104 before its parent transaction is considered an orphan transaction. Depending on the node protocol and/or the miner's behavior, it may be dropped or buffered for a period of time to wait for the parent transaction.

The previous transaction Tx0 comprises a particular UTXO, labeled UTXO0. Each UTXO includes a value specifying the amount of digital asset represented by the UTXO and a lock script defining the conditions that the unlock script in the input 202 of a subsequent transaction must meet for the subsequent transaction to be validated and the UTXO thus successfully redeemed. Typically, a lock script locks an amount to a particular party (the beneficiary of the transaction for that amount). That is, the lock script defines the unlock condition, which typically includes the condition that the unlock script in the input of the subsequent transaction includes a cryptographic signature of the party to whom the previous transaction was locked.

A lock script (also known as a scriptPubKey) is a piece of code written in a domain-specific language recognized by the node protocol. A specific example of such a language is called "Script" (with a capital S). The lock script specifies the information required to spend transaction output 203, such as the requirement for Alice's signature. The lock script appears in the output of the transaction. An unlock script (also known as a scriptSig) is a piece of code written in a domain-specific language that provides the information needed to satisfy the lock script criteria. For example, it may contain Bob's signature. An unlock script appears in the input 202 of the transaction.

Thus, in the illustrated example, UTXO0 in the output 203 of Tx0 includes a lock script [Checksig PA], which requires Alice's signature Sig PA in order to redeem UTXO0 (strictly speaking, in order for a subsequent transaction attempting to redeem UTXO0 to be valid). [Checksig PA] contains the public key PA from Alice's public-private key pair. Tx1 includes a pointer to Tx0 (for example, by its transaction ID, TxID0, which in an embodiment is the hash value of the entire transaction Tx0). Tx1 includes an index identifying UTXO0 within Tx0, so as to identify it among any other possible outputs of Tx0. Tx1 further includes an unlock script <Sig PA>, which contains a cryptographic signature of Alice, created by Alice applying the private key of her key pair to a predetermined portion of data (sometimes referred to in cryptography as a "message"). The data (or "message") that Alice needs to sign to provide a valid signature may be defined by the lock script, the node protocol, or a combination thereof.

When a new transaction Tx1 arrives at a node 104, the node applies the node protocol. This includes running the lock script and the unlock script together to check whether the unlock script satisfies the condition (where the condition may include one or more criteria) defined in the lock script. In an embodiment, this involves concatenating the two scripts:

<Sig PA>||[Checksig PA]

where "||" represents concatenation, "<…>" means place the data on the stack, and "[…]" represents a function comprised by the unlock script (in this example, a stack-based language). When run together, the scripts use Alice's public key PA (included in the lock script in the output of Tx0) to verify whether the unlock script in the input of Tx1 contains Alice's signature over the expected portion of data. The expected portion of data itself (the "message") also needs to be included in Tx0 in order to perform this verification. In an embodiment, the signed data contains the entire Tx0 (and therefore needs to contain a separate element, the plaintext specifies the signed part of the data, as it exists itself).

Those skilled in the art will be familiar with the details of authentication by public-private cryptography. Basically, if Alice has signed a message by encrypting it with her private key, then given Alice's public key and the message in plain text (the unencrypted message), other entities such as node 104 can verify that the encrypted version of the message must have been signed by Alice. Signing typically involves hashing the message, signing the hash value and appending this to the plain-text version of the message as a signature, thereby enabling any holder of the public key to verify the signature.

If the unlock script in Tx1 satisfies the one or more conditions specified in the lock script of Tx0 (thus, in the illustrated example, if Alice's signature is provided in Tx1 and verified), node 104 considers Tx1 to be valid. If it is a storage node 104S, this means that it will add Tx1 to the pool of transactions 154 waiting for proof-of-work. If it is a forwarding node 104F, it will forward Tx1 to one or more other nodes 104 in the network 106, so that it propagates throughout the network. Once Tx1 has been validated and included in blockchain 150, this defines UTXO0 in Tx0 as spent. Note that Tx1 is only valid if it spends an unspent transaction output 203. If it attempts to spend an output that another transaction 152 has already spent, Tx1 will be invalid even if all other conditions are met. Therefore, node 104 also needs to check whether the UTXO referenced in the previous transaction Tx0 has already been spent (has already formed a valid input for another valid transaction). This is one of the reasons why it is important that blockchain 150 impose a defined order on transactions 152. In practice, a given node 104 may maintain a separate database marking which UTXOs 203 of which transactions 152 have been spent, but what ultimately defines whether a UTXO has been spent is whether it has formed a valid input for another valid transaction in the blockchain 150.

Note that in the UTXO-based transaction model, a given UTXO needs to be spent as a whole. It is not possible to "leave behind" one portion of the amount defined in the UTXO while another portion is spent. The amount of the UTXO may, however, be split between the outputs of the next transaction. For example, the amount defined in UTXO0 of Tx0 may be divided among a plurality of UTXOs in Tx1. Therefore, if Alice does not want to give all of the amount defined in UTXO0 to Bob, she can use the remainder to pay herself change in Tx1, or to pay another party.

In practice Alice will also need to include a fee for the winning miner, because the mining reward alone is now often insufficient to motivate mining. If Alice does not include a mining fee, Tx0 may be rejected by the miner nodes 104M and therefore, although technically valid, will not be propagated and included in the blockchain 150 (the miner protocol does not force miners 104M to accept a transaction 152 if they are unwilling). In some protocols, the mining fee does not require its own separate output 203 (i.e., does not require a separate UTXO). Rather, any difference between the total amount pointed to by the inputs 202 and the total amount specified by the outputs 203 of a given transaction 152 is automatically given to the winning miner 104. For example, suppose a pointer to UTXO0 is the only input of Tx1, and Tx1 has only one output, UTXO1. If the amount of the digital asset specified in UTXO0 is greater than the amount specified in UTXO1, the difference is automatically transferred to the winning miner 104M. Additionally or alternatively, this does not necessarily preclude the miner's fee being specified explicitly in its own UTXO 203 of the transaction 152.

Alice's and Bob's digital assets consist of the unspent UTXOs locked to them in any transactions 152 anywhere in blockchain 150. Thus, typically, the assets of a given party 103 are scattered throughout the UTXOs of various transactions 152 across the blockchain 150. Nothing in blockchain 150 defines the overall balance of a given party 103. The wallet function of client application 105 is to collate the different UTXO values that are locked to the respective party and have not yet been spent in other subsequent transactions. This may be accomplished by querying any copy of blockchain 150 stored by a storage node 104S, such as the storage node 104S that is closest or best connected to the respective party's computer device 102.

Note that script code is typically represented schematically (i.e., not in the exact language). For example, one may write [Checksig PA] to mean [Checksig PA] = OP_DUP OP_HASH160 <H(PA)> OP_EQUALVERIFY OP_CHECKSIG. "OP_..." refers to a particular opcode of the scripting language. OP_CHECKSIG (also known as "Checksig") is a script opcode that takes two inputs (a signature and a public key) and verifies the validity of the signature using the Elliptic Curve Digital Signature Algorithm (ECDSA). At run-time, any occurrences of the signature ('sig') are removed from the script, but additional requirements, such as a hash puzzle, remain in the transaction verified by the 'sig' input. As another example, OP_RETURN is a scripting language opcode used to create an unspendable output of a transaction that can store metadata within the transaction, thereby recording the metadata immutably in blockchain 150. For example, the metadata may include a document to be stored in the blockchain.

Signature PA is a digital signature. In an embodiment, this is based on the elliptic curve digital signature algorithm using the elliptic curve secp256k1. The digital signature signs a particular piece of data. In an embodiment, for a given transaction, the signature will sign part of the transaction input and all or part of the transaction output. The specific parts of the outputs it signs depend on the SIGHASH flag. The SIGHASH flag is a 4-byte code contained at the end of the signature for selecting which outputs are signed (and thus fixed at signature time).

Note: the lock script is sometimes referred to as "scriptPubKey," referring to the fact that it includes the public key of the party to whom the corresponding transaction is locked. The unlock script is sometimes referred to as "scriptSig," referring to the fact that it provides the corresponding signature. More generally, however, the conditions under which a UTXO is redeemed do not necessarily include verifying a signature in all applications of the blockchain 150. More generally, a scripting language may be used to define any one or more conditions. Thus, the more general terms "lock script" and "unlock script" may be preferred.

According to the present disclosure, a security mechanism is provided by means of the node validation process, whereby the second party 103b ("Bob") can attest to the fact that the first party 103a ("Alice") agreed to a document. In this scenario, Alice indicates agreement, and Bob attests to it for the benefit of other parties. Agreeing to a document may refer to agreeing to one, some, or all of one or more statements in the content of the document. For example, the document may include an agreement, an affidavit, or a will. It may exist in paper, electronic or any other form. Alice will provide her cryptographic signature associated with the document, and Bob will then provide his cryptographic signature associated with the document to attest that Alice agrees with the document. The signatures are included in one or more transactions 152 of blockchain 150 as evidence of the consent and of the attestation. The transaction 152 used to record this may or may not also pay Bob a fee for his service.

Further, the disclosed process provides a mechanism to prevent Bob from applying his signature before Alice. This is important because, if Bob is to witness Alice's agreement, Bob signing before Alice has signed and indicated her agreement would mean Bob claiming to have witnessed something that has not happened and was not observed. Transactions 152 formed and recorded according to the disclosed mechanism are saved as immutable records in blockchain 150 and can be used to prove the order in which the signatures were applied.

As described above, metadata may be included in an unspendable output of the transaction 152 to store user content such as documents. In the embodiments disclosed herein, such a mechanism is used to store an electronic copy of the witnessed document in blockchain 150.

Further, according to embodiments disclosed herein, the blockchain functionality is combined with additional multiparty communication functionality, such as a video call functionality, that provides bob with a channel to see the fact that alice agrees with the document.

Examples of this are shown in fig. 3 and 4. Fig. 3 shows a system 100' for implementing a blockchain 150. The system 100' is substantially the same as that shown in fig. 1, except for the additional communication functionality. In contrast to that shown in FIG. 1, the client applications on each of Alice's and Bob's computer devices 102a, 102b include additional functionality, and are therefore labeled 105' (in the example Alice's is 105a' and Bob's is 105b'). In particular, as shown in FIG. 4, the client application 105' running on each of Alice's and Bob's computer devices 102a, 102b includes a wallet function 401 and a multiparty communication function 402, such as a VoIP function, preferably with a video call function. Each of these functions 401, 402 may be implemented in the form of a software module, an instance of which is stored in the memory of each of Alice's and Bob's computer devices 102a, 102b and is configured to run on the corresponding processing device.

The wallet function 401 is configured to interface with the P2P network 106 to perform the functions of formulating and transmitting transactions 152 and collating UTXO values as described above in relation to fig. 1 and the background section. The multi-party communication function 402, on the other hand, enables Alice 103a to establish a separate multi-party communication channel 301 with Bob 103b (at the instigation of either party or a third party). For example, this multi-party communication channel 301 may include a VoIP channel and/or a video link for voice and/or video calls between Alice 103a and Bob 103b. The multi-party communication channel 301 may be established over the same packet-switched network 101 as the P2P overlay network 106. Additionally or alternatively, the multi-party communication channel 301 may be established over a different network, such as a mobile cellular network.

The multi-party communication function 402 may also provide a side channel 302, separate from the main multi-party communication channel 301, for transmitting data. In embodiments, this may include a non-user-facing data channel via which client 105a' on Alice's device 102a may send "behind the scenes" data to client 105b' on Bob's device 102b. Alternatively, it may comprise, for example, an Instant Messaging (IM) channel, an email service, or another channel suitable for sending text and/or numbers. In an embodiment, the side channel 302 may be used to send Alice's signature and/or a piece of secret information "X" (discussed in more detail later) to Bob. The side channel 302 may be established over the same packet-switched network 101 as the P2P overlay network 106. Additionally or alternatively, the side channel 302 may be established over a different network, such as a mobile cellular network. The side channel 302 may or may not be established over the same network as the multi-party communication channel 301.

The wallet functionality 401 and the communication functionality 402 (as shown in fig. 3 and 4) are integrated into the same client application 105'. This is not limiting: they may instead be implemented in different applications, or the wallet function 401 may be a plug-in to the communication application 402 or vice versa. Further, when side channel 302 is used, the side channel may or may not be established through the same application as multi-party communication channel 301, or the same application that provides wallet functionality 401. It may be integrated in the same application as the multiparty communication function 402 or the wallet function 401, or be a plug-in to one of them, or be a separate third-party application.

Whatever way the various functions are implemented, consider now the following scenario.

Alice 103a wants to sign a contract or similar agreement, with Bob 103b as witness, over multiparty communication channel 301. They will sign with digital signatures and store this information on blockchain 150. Alice is the signatory. She has the public key PA. Bob is the witness. He has the public key PB. Alice may have an electronic document related to the contract she wants to sign.

In an embodiment, the communication channel 301 comprises a video link. In an embodiment alice and bob will record the signature process using the video link 301. Optionally, they may also store such recorded video information on blockchain 150.

Two methods are described below: m1 and M2. In a first method M1, Alice and Bob each sign a transaction. In the second method M2, there are two transactions: alice signs the first transaction first and bob can sign the second transaction.

FIG. 5 shows an exemplary pair of transactions that method M1 may use. As will be discussed in more detail later, Alice constructs an initial transaction Tx0, which creates UTXO1 with the required lock script. This is spent in transaction Tx1 by providing, in order, Alice's signature, the pre-image of H(X), and Bob's signature.

FIG. 7 is a flowchart listing the steps in method M1. FIG. 6 shows the transaction state at certain steps during method M1.

In step S1, Alice 103a and Bob 103b open the video channel 301 between them. This is the channel through which Bob will witness Alice's consent. More generally, they may communicate with each other using any form of multiparty communication channel 301. For example, the multiparty communication channel 301 may be a voice channel, over which Alice's and Bob's voices may be recognized. However, for higher security, video may be preferred so that Alice and Bob can be identified by their images in the video. Preferably, the video may also include audio for exchanging voice. This also provides evidence of the capacity and state of mind of the two parties at the time of signing. Optionally, video or other such media exchanged over the channel 301 is recorded in a data store (not yet in the blockchain 150 at the nodes 104). For example, it may be stored in memory of Alice's and/or Bob's computer devices 102a, 102b, a third party's device, or a server (e.g., cloud).

In step S2, Alice creates a secret X known only to herself and hashes the secret to give H(X). Hashing herein refers to a cryptographic hash function, such as SHA256, BLAKE2, and the like. H(X) refers to the hash function evaluated at X. The secret X may be any data known only to Alice, or at least not known to Bob and not guessable by Bob. For example, in an embodiment, X may be a numeric value or a text string. For example, it may be a random number, or a number or other value generated by some deterministic process unknown to Bob. For example, X may be a 512-bit number, with 2^512 possible values, which Bob therefore cannot guess.

In step S3, Alice creates UTXO1, which can be redeemed by providing her signature, a pre-image of H(X), and Bob's signature. The pre-image of H(X) refers to the value X which, when hashed, yields the given value H(X); in other words, a solution to H(X). In an embodiment, the lock script may be written in the following schematic form:

Locking UTXO1 = [Checksig PA][Solve H(X)][Checksig PB]

To redeem it, the subsequent transaction Tx1 will require an unlock script containing Alice's and Bob's signatures, which can be written in the following schematic form:

Unlocking = <Sig PB><X><Sig PA>

When node 104 receives Tx1, the node tests whether it is valid. To this end, according to the interpretation rules of the scripting language, the node 104 concatenates the unlock script and the lock script as follows:

<Sig PB><X><Sig PA>||[Checksig PA][Solve H(X)][Checksig PB]

The interpreter at node 104 then processes the lock script and unlock script together to determine whether Tx1 is valid. According to the rules applied by the node protocol for interpreting the scripting language, the rightmost input of the unlock script (in this case Sig PA) is first checked against the leftmost element of the lock script (Checksig PA in this example), then the next rightmost input of the unlock script (X in this example) is checked against the next leftmost element of the lock script (Solve H(X) in this example), and so on. Checksig is a function that checks whether the signature in the input of Tx1 verifies against the corresponding public key P in the lock script of Tx0. Solve H(X) is a function that checks whether the value of X provided in the input of Tx1 is a solution of H(X). It should also be remembered that the function Checksig (comprising the opcode OP_CHECKSIG) removes the signature it checks after performing the check. Solve H(X), on the other hand, does not remove X. Thus, by the time the interpreter comes to check the leftmost input of the unlock script (Sig PB) against the rightmost element of the lock script (Checksig PB), Alice's signature (Sig PA) will have been removed, but X will not. Bob therefore need not sign anything that includes Alice's signature, because of the way the node protocol interprets the lock script and unlock script according to the rules of the scripting language. However, according to the embodiments disclosed herein, he does need to sign content containing X.

In an embodiment, Alice may need to sign at least the locking script of UTXO1: [Checksig PA][Solve H(X)][Checksig PB]. Optionally, the data she needs to sign may also include the unlocking script of UTXO1 minus the signatures of Alice and Bob, i.e. <X>. Bob may need to sign a portion of data comprising the locking script of UTXO1 plus the unlocking script of UTXO1 minus the signatures of Bob and Alice. That is, Bob signs <X> || [Checksig PA][Solve H(X)][Checksig PB].

Since Alice and Bob are signing the input of Tx1, they also sign TxID0. [Checksig PA][Solve H(X)][Checksig PB] is included, as part of the transaction, in the calculation of TxID0. Thus, Alice and Bob sign the condition indirectly.

The content that needs to be signed can be set using the SIGHASH flag. It should also be noted that when a party is said to sign a given portion of data (a "message"), in embodiments this may mean that the party signs a transformation of the data or message, such as a hash of the data or message (hashing is typically taken as read when referring to a signature). That is, the party first hashes or otherwise transforms the data and then signs the hashed or transformed version with its private key. This has the advantage that hashing generally reduces the amount of data to be signed with the private key. For example, Alice may sign the transaction ID TxID0, which is the hash of the entire Tx0. Bob may sign a hash of the following: <X> || [Checksig PA][Solve H(X)][Checksig PB].

If Alice and Bob do not provide valid signatures to spend the output of Tx0, Tx1 will not be validated and thus will not be propagated through the network 106 to be recorded in the copy of the blockchain 150 at each storage node 104S.

It should be understood that the above is only one example of a scripting language and corresponding node protocol. More generally, other languages may be used to include similar validation conditions in the output of Tx0. To implement method M1 in a broader sense, at least a condition is created whereby Bob must sign some defined portion of data that includes at least X, and Alice must sign some defined portion of data, of whatever content (depending on the protocol used). The portions of data that Bob and Alice need to sign can be set as part of the scripting language and the node protocol, or can be fixed by the node protocol for a given transaction structure.

In step S4, Alice creates a partial version of the transaction Tx1 that spends UTXO1. In an embodiment, the electronic file (or its hash value) may be included in the transaction, for example in an unspendable output (OP_RETURN). This means that if Tx1 is validated, the file will be stored immutably in the transaction Tx1 in blockchain 150. However, this is optional.

Alice has not yet added her signature or the pre-image of H(X) to Tx1.

The reason for including H(X) rather than X in the locking script of Tx0 is that otherwise the value of X would be revealed (it should be remembered that Bob can inspect blockchain 150).

In step S5, Alice sends the partial transaction Tx1 to Bob through the side channel 302. Alternatively, it may be communicated via the main channel 301, for example by Alice showing a visual code such as a QR code in the video, or by embedding an invisible or inaudible signal in the video or audio, respectively.

Note: at this time Bob cannot provide a valid signature for Tx1, because he does not know the pre-image of H(X). This is because, although Bob ignores Alice's signature when constructing his own signature (as explained above), he cannot ignore the pre-image of the hash puzzle. That is, the portion of data that Bob needs to sign for Tx1 to be valid contains X.

In step S6, Bob asks Alice whether she agrees with the terms of the contract (or, more generally, the file), and Alice confirms. This is done via the multiparty communication channel 301, preferably via video with voice. A pure audio channel may also be used, especially when the voice is recognizable in the audio. Bob can ask Alice verbally whether she agrees with the file, and Alice can answer verbally. Additionally or alternatively, one or both parties may use a visual means of communication, such as sign language. The communication may even take place over another form of media channel 301, such as a shared virtual whiteboard that allows both parties to write in their recognizable handwriting on a shared work area, for example with a tablet and electronic pen at each party's terminal 102a, 102b. Whatever the means, it should at least allow Alice's statement of consent to be identified as originating from Alice to a reasonable degree of certainty. Preferably, Bob's question can also be identified as originating from Bob. In other scenarios, however, Bob's question may be optional (i.e., Alice may make her statement without prompting), as long as Bob witnesses her consent over channel 301.

Whatever form of media is employed, the consent is captured over the media link 301. Optionally, this media is at least temporarily recorded in a data store of Alice, Bob, or a third party (e.g., in Alice's or Bob's local storage drive or a traditional cloud storage account). Where it is recorded, at least a part of the media is recorded, including Alice's consent and preferably also Bob's question. Whether or not the media is recorded, a record providing evidence of the consent will be stored in blockchain 150.

In step S7, Alice provides her signature for Tx1 and the solution to the hash puzzle H(X). She sends these to Bob through side channel 302. Alternatively, they may be communicated through the main channel 301, for example by Alice showing a visual code such as a QR code in the video, or by embedding an invisible or inaudible signal in the video or audio, respectively. Alice may even communicate X herself, verbally or by hand, over the video or audio channel if X takes a form that is meaningful to humans. For example, X may be a password or a passage of a book, which Alice may read out or have Bob look up.

In an embodiment, Alice's client application 105a (or, more generally, software comprising one or more applications) may be configured to hide X automatically and to send it to Bob, or allow it to be sent, automatically on condition of detecting that Alice has provided her signature and/or that she has expressed her consent over channel 301 (the latter may be detected, for example, using machine intelligence techniques). Alternatively, Alice sends X manually or manually triggers its sending. In general, any method that temporarily makes X unavailable to Bob may be employed.

In step S8, Bob now knows X and can provide a valid signature for Tx1. Bob signs Tx1, thus completing Tx1.

In optional step S9, the video data or a hash of the video data may be stored in the transaction Tx1, e.g. in an OP_RETURN output. This means that, if validated, the video or other media evidencing the consent will be stored immutably in the transaction Tx1 in blockchain 150. However, this is optional. Note: this part of the output must not have been signed previously by Alice and Bob, which can be achieved by using a SIGHASH flag other than SIGHASH_ALL. The reason is that a signature signs the message (i.e. the transaction data). Alice signs the file, and is recorded as signing the file. If the video is added afterwards, the recording is added, which changes the message. Thus Alice should sign the file alone, and Bob can sign the video and the file, using the SIGHASH flags.

The video data may be signed by Alice, Bob, or both, using a different signature from those of steps S7 and S8.

In step S10, transaction Tx1 is now complete and may be sent to network 106 by Alice or Bob to be recorded immutably on blockchain 150.

The fact that X was hidden until Alice had declared her consent to Bob and provided her signature Sig PA means that Bob's signature could not have been validly provided at least until then. Since Bob's signing of X is, according to the locking script, a condition for Tx1 to be valid (in embodiments, X itself is also included separately in Tx1), neither Bob nor anyone else can cause Tx1 to be propagated through network 106 and added to blockchain 150 until Bob has been given X. Until then, it is cryptographically infeasible for Bob to provide a valid signature. Tx1 is then recorded immutably in blockchain 150 as cryptographic evidence of the order of signing. For greater security, a copy of the file and/or the video or other such media (or a hash or other such transformation thereof) may optionally also be included in Tx1.
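The node-side check of Tx1 in method M1 can be simulated as follows. This is an added example, not code from the original document: the byte encoding of the locking script, the use of SHA-256 for H, the function names and the sample secret are all assumptions, and Lamport one-time signatures stand in for the signatures a real node would verify so that the block needs only the standard library.

```python
import hashlib
import os

TRUE_X = b"constructed secret X"      # sample value, constructed for this example

def H(data: bytes) -> bytes:
    """Hash for the puzzle and for message digests (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()

# Lamport one-time signatures: a stdlib-only stand-in for the signatures a
# real node checks. A key pair must sign one message only.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit]
               for s, (i, bit) in zip(sig, enumerate(digest_bits(msg))))

def pk_id(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))

def locking_script(pk_a, h_x: bytes, pk_b) -> bytes:
    """Constructed byte encoding of [Checksig PA][Solve H(X)][Checksig PB]."""
    return b"CHECKSIG" + pk_id(pk_a) + b"SOLVE" + h_x + b"CHECKSIG" + pk_id(pk_b)

def alice_message(lock: bytes) -> bytes:
    return lock                       # Alice signs at least the locking script

def bob_message(x: bytes, lock: bytes) -> bytes:
    return x + lock                   # Bob signs <X> || locking script

def validate_tx1(unlock, pk_a, h_x: bytes, pk_b):
    """Node-side check of unlock = (sig_b, x, sig_a); returns (ok, reason)."""
    sig_b, x, sig_a = unlock
    lock = locking_script(pk_a, h_x, pk_b)
    # Rightmost unlock item against leftmost lock item; Sig PA is then removed.
    if not verify(pk_a, alice_message(lock), sig_a):
        return False, "Checksig PA failed"
    # Solve H(X) checks X but leaves it in place.
    if H(x) != h_x:
        return False, "Solve H(X) failed"
    # The data Bob signed therefore contains X but not Alice's signature.
    if not verify(pk_b, bob_message(x, lock), sig_b):
        return False, "Checksig PB failed"
    return True, "valid"

def run_scenario(x_bob_signed: bytes, x_in_tx1: bytes):
    """Alice locks UTXO1 to H(TRUE_X); Bob signs with the X he believes in.
    Fresh keys are generated per run because Lamport keys are one-time."""
    sk_a, pk_a = keygen()
    sk_b, pk_b = keygen()
    h_x = H(TRUE_X)
    lock = locking_script(pk_a, h_x, pk_b)
    sig_a = sign(sk_a, alice_message(lock))
    sig_b = sign(sk_b, bob_message(x_bob_signed, lock))
    return validate_tx1((sig_b, x_in_tx1, sig_a), pk_a, h_x, pk_b)

if __name__ == "__main__":
    guess = b"bob's guess before step S7"
    print("Bob signs after receiving X   :", run_scenario(TRUE_X, TRUE_X))
    print("Bob guesses X                 :", run_scenario(guess, guess))
    print("early signature, X added later:", run_scenario(guess, TRUE_X))
```

The third scenario is the one that fixes the signing order: a signature Bob produced before step S7 stays invalid even when the correct X is later placed in Tx1.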

Method M1 provides a way of recording the evidence using only a single transaction Tx1. This has the advantage that all the evidence is recorded at one point in the blockchain 150, so that it can be searched for and looked up efficiently when any party, such as Alice, Bob or another member of the public, wishes to query it later. It should be kept in mind that blockchain 150 does not include a transaction index, so unless a separate, burdensome index is maintained, searching the blockchain requires traversing its transactions to find the desired one. One transaction at one point in blockchain 150 takes fewer computing resources to find than two transactions spread across arbitrary points in the chain. Fewer transactions also require less propagation and therefore place less burden on the network 101, 106.

Method M2 provides a method that achieves similar results to method M1 using two transactions. An advantage of this is that, although described below by way of example in terms of a scripting language, method M2 may also be implemented using account-based transaction models and other protocols that do not allow scripts to define custom conditions of validity.

FIG. 8 shows an exemplary set of transactions that method M2 may use. As will be discussed in more detail later, Alice constructs an initial transaction Tx0, whose output is spent in transaction Tx1 by Alice providing her signature. Transaction Tx2 spends the output of Tx1 by Bob providing his signature.

FIG. 10 is a flowchart listing the steps in method M2. FIG. 9 shows the transaction state at certain steps during method M2.

In step S1, Alice and Bob open a video channel or other media channel 301 between them. The video or other media may be recorded.

In step T2, Alice creates UTXO1, which can be redeemed by providing her signature.

In step T3, Alice creates a partial transaction Tx1 that spends UTXO1. The transaction comprises a spendable output UTXO2, which can be redeemed by providing Bob's signature. Optionally, the electronic file (or its hash value) may also be included in Tx1, e.g. in an OP_RETURN output.

In the scenario of method M2, Alice needs to sign the transaction ID of Tx0 (TxID0) and include the signature (Sig PA) in Tx1 in order for Tx1 to be valid. TxID0 is the hash of the whole of Tx0. Bob will need to sign the transaction ID of Tx1 (TxID1) and include the signature (Sig PB) in a further transaction Tx2 in order to validly redeem the output UTXO2 of Tx1. TxID1 is the hash of the whole of Tx1, including Alice's signature Sig PA. Therefore, Bob's provision of a valid signature in Tx2 depends on Alice's signature in Tx1. If Bob does not provide a signature, or signs the wrong content, Tx2 will not be considered valid by node 104 and therefore will not be propagated and recorded in blockchain 150.

Alice has not yet added her signature to Tx1.

In step T4, Alice sends the partial transaction Tx1 to Bob. Note: at this time Bob cannot provide a valid signature to redeem UTXO2, because he does not know the transaction ID (TxID1) of transaction Tx1. (Remember that the transaction ID is the hash of the transaction data.) This is because Alice has not yet provided a signature for Tx1.

In step T5, Bob verbally asks Alice whether she agrees to the terms of the contract (or, more generally, the file). Alice confirms verbally. This is captured on the video link 301. Additionally or alternatively, another form of communication and/or media, such as sign language, may be used over link 301 (see the discussion above regarding method M1).

In step T6, Alice provides her signature for Tx1, which is now a complete transaction. She sends it to Bob through side channel 302. Alternatively, it may be communicated via the main media channel 301 (see also the corresponding discussion regarding method M1).

In step T7, Bob creates Tx2, which spends UTXO2. Bob signs Tx2.

In optional step T8, the recorded video or other media data may be stored in Tx2 in a manner similar to step S9 in method M1. Likewise, this data may be signed by Alice, Bob, or both.

In step T9, transactions Tx1 and Tx2 are now complete and may be sent to network 106 by Alice or Bob, to be recorded immutably on the blockchain 150. In method M2, X is not needed, but the order of signing is still enforced, because TxID1 must exist before Tx2 can be validly generated.

Method M2 may even use an account-based model and transaction protocol that does not allow scripts to define customizable validation conditions. Note that all transactions involved in method M2 use only standard scripts, which correspond to a number of common or standard validation criteria for non-script-based and account-based transaction protocols.

Methods M1 and M2 have a number of features in common. First, the signing order is fixed: Alice must provide her signature before Bob can provide his. Further, in embodiments of both methods, a video of the signing may evidence the capacity of Alice as signer and Bob as witness. The inclusion of video data or a hash value of video data in a transaction is optional. It is also optional to include any electronic copy of the contract-related file or hash value of the file.

In both methods, the record of the signing and the optional supplemental data (file and/or video data) are stored on the blockchain and cannot be changed. When the transaction is submitted to the blockchain, the digital signatures are checked by the nodes 104. Only transactions with valid signatures will be stored on blockchain 150. Therefore, a third party need not check the signatures itself and can trust their validity. The records are replicated by the full-copy nodes 104S across the distributed network and are therefore readily available to third parties.

In an embodiment, the parties may transmit the partially filled transactions using a hash-based message authentication code (HMAC), to verify that the transaction has not been accidentally altered or transmitted with errors.

Note: the amount of the digital asset transferred in the spendable UTXO outputs of the transactions is immaterial for the present purposes. Thus, in method M1, this applies to output 0 of Tx0 (UTXO1) and output 0 of Tx1. In method M2, see output 0 of Tx0 (UTXO1), output 0 of Tx1 (UTXO2) and output 0 of Tx2. There may be more spendable outputs in any given transaction, to split the input value, or other inputs not shown. Alice may transfer some or all of the digital asset defined in the UTXO to herself, to the service provider Bob, or to another party. In practice, Alice may need to leave a sufficient mining fee to ensure that the transaction is accepted by a miner, and in embodiments to pay for storing the file and/or video record (these are stored in the copy of the blockchain 150 at every storage node 104S, but only the winning miner 104M (and possibly storage node 104S as well) receives the mining fee). In other use cases, however, such as private or corporate blockchains, the miners 104M do not necessarily need a reward as an incentive.

Fig. 11 and 12 show an alternative implementation of method M1, using a single transaction with a code separator, rather than a hash value of X.

Fig. 11 is a schematic diagram of the transactions used in this example variant of the method. Alice constructs an initial transaction Tx0, which creates UTXO1 with the required locking script. UTXO1 can be spent by transaction Tx1 by providing Alice's signature and Bob's signature in sequence. In this example, the secret X is not actually part of transaction Tx1. However, Bob needs to know X in order to create a valid signature for Tx1.

Fig. 12 shows a corresponding flow chart.

This embodiment uses a code separator in Tx0 to control which parts of the locking script Bob needs to sign. Alice then hides the portion of the locking script that Bob needs to sign, in a similar manner to hiding X in the previously described embodiment.

The signatures sign the outputs of Tx1. In an embodiment, a SIGHASH flag in the unlocking script may set which parts of Tx1 are signed. However, a signature also signs part of the locking script, and the locking script is included in Tx0. Without code separators, in at least one protocol the entire locking script is always signed by default. With code separators, on the other hand, the party who formulates Tx0 can control which part is signed.

In step U1, Alice and Bob open the video channel between them. The video may be recorded.

In step U2, Alice creates a secret X that only she knows.

In step U3, Alice creates UTXO1, which can be redeemed by providing Alice's signature over the portion of the locking script starting from the code separator, and by providing Bob's signature over the entire locking script containing the secret X.

The locking script may be written in the following schematic form:

Locking UTXO1 = [Checksig PB] <X> OP_DROP OP_CODESEPARATOR [Checksig PA].

To create a valid transaction, Alice must sign everything in the locking script except [Checksig PB] <X> OP_DROP. Bob must sign everything in the locking script, including [Checksig PB] <X> OP_DROP.

Alice does not disclose the whole of UTXO1 to Bob (it may not yet have been sent to the network 106 and mined into a block 151).

In step U4, Alice creates a partial transaction Tx1 that spends UTXO1. The electronic file may be included in the transaction, for example in an unspendable output (OP_RETURN).

Alice has not yet added her signature.

In step U5, Alice sends Bob a partial version of UTXO1 containing the part of the locking script that follows the code separator. She also discloses to Bob the rest of the transaction Tx0 to which UTXO1 belongs, including the transaction ID.

Alice sends the partial transaction Tx1 to Bob.

Note: at this time, Bob cannot provide a valid signature for Tx1, because he does not know the entire locking script of UTXO1 (the UTXO of Tx0). In particular, he does not know the secret X that appears before the code separator.

Alice does not need to send the partial version to Bob ahead of time (i.e., step U5 is optional). However, one advantage of doing so is that when she provides her own signature, Bob can check whether it is valid, because Bob knows all the parts of the transaction that Alice signs.

In step U6, Bob verbally asks Alice whether she agrees with the terms of the contract. Alice confirms verbally. This may be recorded on the video link.

In step U7, Alice provides her signature for Tx1 and her secret X. She sends these to Bob.

In step U8, Bob now knows X, and can construct the entire locking script of UTXO1 and verify that the transaction ID of the transaction to which it belongs is correct. He can now provide a valid signature. Bob signs Tx1.

In step U9, the video data or a hash of the data may optionally be stored in the transaction Tx1, e.g. in an OP_RETURN output. This part of the output must not have been signed in advance by Alice and Bob, which can be achieved by using a SIGHASH flag other than SIGHASH_ALL.

The video data may be signed by Alice, Bob, or both, using a different signature from those of steps U7 and U8.

In step U10, transaction Tx1 can be sent to the network by Alice or Bob so as to be recorded immutably on the blockchain 150. Tx0 may be sent at the same time as Tx1, or before or after it.
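The effect of the code separator in steps U3 to U8 can be seen by computing which part of the locking script each signature check covers. This is an added example, not code from the original document. It assumes that [Checksig P] is encoded as a push of P followed by OP_CHECKSIG (OP_CHECKSIGVERIFY for the first check), that a signature covers the locking script from the most recently executed OP_CODESEPARATOR to the end, and that the transaction ID is a double SHA-256 over a constructed Tx0 encoding; keys and X are constructed sample values.

```python
import hashlib

OP_PUSHDATA1, OP_DROP, OP_CODESEPARATOR = 0x4C, 0x75, 0xAB
OP_CHECKSIG, OP_CHECKSIGVERIFY = 0xAC, 0xAD

def push(data: bytes) -> bytes:
    """Encode a data push (direct push or OP_PUSHDATA1)."""
    if len(data) < OP_PUSHDATA1:
        return bytes([len(data)]) + data
    if len(data) <= 0xFF:
        return bytes([OP_PUSHDATA1, len(data)]) + data
    raise ValueError("push too long for this example")

def tokens(script: bytes):
    """Yield (opcode, pushed_data_or_None, offset_after_token)."""
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        size = None
        if 1 <= op < OP_PUSHDATA1:
            size = op
        elif op == OP_PUSHDATA1:
            if i >= len(script):
                raise ValueError("truncated push")
            size = script[i]
            i += 1
        data = None
        if size is not None:
            if i + size > len(script):
                raise ValueError("truncated push")
            data = script[i:i + size]
            i += size
        yield op, data, i

def signed_portions(lock: bytes):
    """For each signature check in a branch-free locking script, return
    (public_key, part_of_the_locking_script_that_signature_must_cover)."""
    out, code_start, last_push = [], 0, None
    for op, data, end in tokens(lock):
        if op == OP_CODESEPARATOR:
            code_start = end              # later checks sign from here onward
        elif op in (OP_CHECKSIG, OP_CHECKSIGVERIFY):
            out.append((last_push, lock[code_start:]))
        if data is not None:
            last_push = data
    return out

def hidden_prefix(pk_b: bytes, x: bytes) -> bytes:
    """[Checksig PB] <X> OP_DROP OP_CODESEPARATOR: the part Alice withholds."""
    return (push(pk_b) + bytes([OP_CHECKSIGVERIFY]) + push(x)
            + bytes([OP_DROP, OP_CODESEPARATOR]))

def build_lock(pk_b: bytes, x: bytes, pk_a: bytes) -> bytes:
    return hidden_prefix(pk_b, x) + push(pk_a) + bytes([OP_CHECKSIG])

def tx0_id(lock: bytes) -> str:
    """TxID0 over a constructed Tx0 encoding (double SHA-256 is an assumption)."""
    tx0 = b"constructed-tx0|" + lock
    return hashlib.sha256(hashlib.sha256(tx0).digest()).hexdigest()

def bob_reconstructs(x: bytes, pk_b: bytes, revealed_suffix: bytes, txid0: str):
    """Step U8: rebuild the whole locking script from X and the part revealed
    in step U5, and accept it only if it reproduces the known TxID0."""
    lock = hidden_prefix(pk_b, x) + revealed_suffix
    return lock if tx0_id(lock) == txid0 else None

# Constructed sample values. PK_B deliberately contains 0xAB bytes, which must
# not be mistaken for OP_CODESEPARATOR because they sit inside a data push.
PK_A = b"\x02" + b"\x11" * 32
PK_B = b"\x03" + b"\xab" * 32
X = b"constructed secret X"

if __name__ == "__main__":
    lock = build_lock(PK_B, X, PK_A)
    (bob_key, bob_part), (alice_key, alice_part) = signed_portions(lock)
    print("Bob's signature covers X  :", X in bob_part)
    print("Alice's signature covers X:", X in alice_part)
    print("Bob rebuilds lock with X  :",
          bob_reconstructs(X, PK_B, alice_part, tx0_id(lock)) == lock)
```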

It should be understood that the above embodiments are described by way of example only.

For example, as described above, the party 103a, 103b signing a given transaction need not be the party that first creates the transaction, assembles the complete transaction, or sends the complete transaction to the network 106. Just as a third party may draft a written contract on behalf of Alice and Bob, requiring Alice and Bob only to sign, the same applies to the electronic transaction 152. Similarly, someone else may send the signed contract to the place where it is stored.

The first party must provide at least the signature of the first party, and the second party must provide at least the signature of the second party. Other elements of the transaction may be created by the first party, the second party, or other third parties, or any combination of these parties. In embodiments using X, X is preferably also provided by the first party to the second party, but alternatively X may be a secret shared between the first party and a trusted third party, and the secret X may be provided to the second party by the trusted third party.

The elements of the transaction may be assembled by the first party, the second party, any third party, or a combination thereof. The complete transaction may be sent directly to the network by the first or second party, or may be forwarded to the network 106 via a third party.

Further, the scope of the present disclosure is not limited to the particular transaction protocols or node protocols discussed above. For example, similar functionality associated with methods M1 and M2 may be implemented using other scripting languages, depending on the language identified by the node protocol applied by the node 104 associated with the particular system.

In some blockchains, transactions use an account-based protocol that does not use the notion of "spending" or redeeming the output of one transaction in a sequence for another transaction in the sequence. In an account-based blockchain, an account is typically identified by an account address. The current status of all accounts is stored separately by miners into the blockchain and is constantly updated. The transaction has a sender and a receiver field and is known to be transferred from an account in the sender field to an account in the receiver field (although in practice the transaction is sent from the terminal to the blockchain node for verification and propagation to other blockchain nodes; the account itself is a logical structure defined by a blockchain state which in turn is defined by the sequence of transactions it contains). The transaction may, for example, transfer an amount of digital assets between the sender and receiver accounts such that the amount is deducted from the balance of the sender account and added to the balance of the receiver account. By sending the transaction to an account address that did not exist before (i.e., an account address never contained in any earlier transaction of the blockchain), an account may be created, and subsequent transactions involving the account will specify their address in either their sender or receiver fields. Thus, all transactions on the blockchain associated with a given account (including the transaction that created the account) are linked by a common account address.

Thus, in the account-based model, transactions do not work as in a UTXO-based system or the like, in which each transaction spends or redeems an output of a previous transaction. Instead, transactions are ordered using a running transaction tally of the account (also called the "position" or "nonce", not to be confused with the proof-of-work nonce). This value is signed by the sender as part of its cryptographic signature and is hashed as part of the transaction reference calculation. Thus, method M2 may still be implemented in an account-based protocol, even where custom scripts are not allowed.

In the account-based case, the transaction ID of transaction 1 may optionally be included in the data field of transaction 2. The procedure then reduces to the same case as in method M2. In some account-based protocols, smart contracts may be used to take the role of locking scripts. A smart contract may require the signing of a particular piece of data. Thus, a smart contract may be written that requires Alice's signature and then requires a signature from Bob that specifically signs Alice's signature. In this case, the information unknown to Bob is Alice's signature itself, as described above in the UTXO-based version of method M2.

In a further variation, if the transaction protocol and node protocol allow a more flexible scripting language, all manner of validation conditions may be programmed into the one or more transactions. For example, a custom script may be written that requires Bob to sign a portion of data containing Alice's signature (or a transformation thereof) in the same transaction. This would provide the single transaction of method M1 without requiring X, as in method M2. Alice reveals her signature to Bob only after signing and declaring her consent over the communication channel 301.

Still further, while described above with respect to public blockchains, this does not constitute any limitation, and blockchain 150 may instead be, for example, a consortium blockchain used between selected organizations, or even a private blockchain within a given organization.

It should also be noted that not all the steps in methods M1 and M2 need be performed in the order described above. For example, referring to step S5 in method M1, Alice does not have to send the partial transaction to Bob at this time. She may wait until step S7 and send the partial transaction Tx1 together with X and her signature. Similarly, in method M2, Alice does not have to send the partial Tx1 to Bob in step T4, but may wait until step T6 and send it together with her signature. Furthermore, as mentioned above, another party may provide the partial transaction, or another party whom Alice trusts may even be responsible for sending X to Bob. More generally, the key is that information which Bob needs in order to provide a valid signature, to be verified by the nodes 104, is hidden from Bob. Furthermore, the fact that the information (e.g. secret information such as X) is hidden from or unavailable to Bob does not necessarily mean that the information already exists in advance. In some embodiments, it may be generated only after Alice provides her signature and/or indicates her consent to Bob.

Another example variation of method M1 is as follows. As described above, the reason for including H(X) rather than X in the locking script of Tx0 is that otherwise the value of X would be revealed in blockchain 150. However, in principle Alice could instead hide Tx0 until Tx0 and Tx1 are both sent to the network 106 (keeping in mind that some systems have provisions for orphan transactions). In this case, [Solve H(X)] in the locking script of Tx0 may be replaced by a function that simply checks for equality with X (e.g. using the opcode OP_EQUAL).

Other variations of methods M1 and/or M2 may become apparent to the skilled artisan once given the basic principles explained herein.

Furthermore, although the above is described in terms of Alice consenting to the content of a file, this is not required. For example, Alice's consent may simply be consent to a verbal contract or another set of one or more conditions. More generally, the method can be applied to any statement in any form (written or otherwise) specified on any medium (electronic or otherwise). The term "statement" as used herein does not limit the nature of what is agreed to. For example, it may be any statement of fact or opinion by Alice, Bob, or another party, or any claim made to Alice by Bob or another party.

More generally, according to an aspect disclosed herein, there is provided a computer-implemented method of proving a consent statement of a first party using a blockchain; the method is performed on a computer device of a second party, comprising: the second party receiving confirmation of the agreement statement of the first party; the second party receiving a message from the first party, the message being available to the second party only after said confirmation and after the first party has generated its own cryptographic signature to indicate said agreement in addition to said confirmation; to indicate that the second party proves that the confirmation of the first party has been received, the second party generates its own cryptographic signature by signing the partial data containing the information or the transformed partial data of the information; sending one or more transactions to the network of nodes or causing one or more transactions to be sent to the network in a form including a first party signature included in at least one of the one or more transactions and a second party signature included in at least one of the one or more transactions, the network being configured to propagate each transaction through the network when a verification condition is satisfied and to record each transaction in a blockchain copy maintained by each of at least some of the nodes; wherein the validation condition is configured to validate one of the one or more transactions under the following conditions: the signature of the first party is contained in one of the one or more transactions and the signature of the second party is contained in one of the one or more transactions, the signature of the second party being generated by signing the portion of data.

Note that in method M2, validation of the second transaction requires that the first transaction is also valid. When a node validates a transaction, it checks that the preceding transaction being spent has been validated and has an unspent output. Thus, in method M2, the second transaction is validated on condition that the signature of the first party is included in one transaction (the first transaction), and that the signature of the second party is included in the second transaction and was generated by signing the portion of data. In method M1, the single transaction is validated on condition that both signatures are contained in the same transaction.

The concealed information may comprise the signature of the first party, or separate information, such as a random number, received together with or separately from the signature of the first party. If it is separate information, it may also be included in one of the one or more transactions to be sent to and recorded in the blockchain.

In embodiments, the method may comprise the second party receiving at least one of the one or more transactions in partial form. The partial form may be received from the first party or from a third party facilitating the recording. In an embodiment, the method may include the second party receiving a signature from the first party. The signature of the first party may be received as part of the partial form of the one or more transactions, or separately. In an embodiment, the second party completes the one or more transactions by including the second party's signature in the partial form. If the first party's signature was received separately, the second party may also add it to complete the transaction. The sending to the network may then comprise the second party forwarding the completed transaction for propagation through the network of nodes and thus recording in the blockchain. The forwarding may include sending directly to one of the nodes, or to a computer device of a third party for subsequent direct or indirect forwarding to one of the nodes.

In an alternative embodiment, upon receipt of the first party's signature and the first party's information (if separate), the second party may create one or more transactions involving the node on the second party's computer device. The second party may then forward the one or more transactions in full form for propagation through the network of nodes and thus recording in the blockchain (again, where the forwarding may include sending directly to one of the nodes, or to a computer device of a third party for subsequent forwarding directly or indirectly to one of the nodes).

In a further alternative embodiment, the first party may send the partial form of the one or more transactions, the signature of the first party and the confidential information (if separate from the signature) to the third party, and the second party may send the signature of the second party to the third party to enable the third party to assemble the complete form of the one or more transactions from the elements received from the first and second parties. The third party may then forward the one or more transactions directly or indirectly to one of the nodes for propagation throughout the network and thus recording in the blockchain. Alternatively, the first party may forward the first party's signature and the confidential information (if separate) to a third party, and the second party may forward the second party's signature to the third party, for the third party to assemble the one or more transactions. Likewise, the third party may then forward the one or more transactions directly or indirectly to one of the nodes to propagate throughout the network and thus be recorded in the blockchain.

The first party's signature may be generated by the first party signing at least a portion of at least one of the one or more transactions or a transformation thereof (e.g., a hash of part or all of one or both transactions). The portion of data signed by the second party may also include part or all of at least one transaction or a transformation thereof, such as a hash value. In embodiments, the portion of data signed by the second party may be specified by the protocol applied to each node, the code included in one or more transactions, or a combination of these.

In an embodiment, the statement may be a statement in a file.

In an embodiment, the record of the file is contained in one of the one or more transactions and is thus stored in the blockchain.

The record of the file may include the file itself in a clear format, a file transform such as a file hash value, or an encrypted form of the file.

In an embodiment, the record of the file may be cryptographically signed by one or both of the first and second parties.

To accomplish this, in an embodiment, the data signed to generate the first and/or second signature may comprise a record of the file. Additionally or alternatively, the first party and/or the second party may apply a separate cryptographic signature to the file record.

In an embodiment, the part of the data signed by the second party to generate the second party signature may comprise a record of the file, and/or the data signed by the first party to generate the first party signature comprises a record of the file.

In an embodiment, the method may further comprise establishing a video call between the first party and the second party, wherein the receiving of the confirmation may comprise the second party receiving a confirmation from the first party via the video call in a visual or audible manner.

In an embodiment, a recording of video may be stored for future reference, including at least one segment of video containing the visual or audible confirmation.

In an embodiment, the recording of the video may be contained in one of the one or more transactions and thus stored in the blockchain.

The recording of the video may include the video itself in a clear format, a video transform such as a hash value of the relevant portion of the video, or an encrypted form of the video.

In an embodiment, the recording of the video may be cryptographically signed by one or both of the first and second parties.

To accomplish this, in an embodiment, the data signed to generate the first and/or second signature may comprise a recording of the video. Alternatively, the first party and/or the second party may apply a separate cryptographic signature to the video recording.

In an embodiment, the validation condition is configured for each transaction at least in part by respective code contained in the transaction and/or in a previous transaction of the blockchain. For example, the previous transaction may be the transaction pointed to by the transaction in question.

Additionally or alternatively, the validation condition may be defined at least in part by a common node protocol implemented at each node.

At the time the one or more transactions are created and/or sent, the previous transaction may already have been included in the blockchain, or may still be awaiting inclusion in the blockchain.

In a first class of embodiments, one or more transactions may consist of one transaction that contains both the first party and the second party signatures; the validation condition may be configured to validate the one transaction under the following conditions: the signatures of both the first and second parties are included in the transaction, the signature of the second party being generated by signing the partial data.

The advantage of using only one transaction is that the proofs are all kept in the same transaction, so that it can be queried again later with fewer look-up operations.

In an embodiment, the input of the one transaction may comprise a pointer to an output of a previous transaction in the blockchain or to be included in the blockchain, wherein the output of the previous transaction comprises a lock script that requires a signature of the first party and a signature of the second party to unlock the output of the previous transaction. The one transaction may include an unlocking script in the input of the one transaction, the unlocking script including signatures of the first and second parties, configured to effect verification by unlocking the previous transaction using the first and second signatures.

In an embodiment, the information may comprise a secret piece of information of the first party in addition to the signature of the first party.

In an embodiment, the method may comprise: the second party includes and forwards the secret information in the one transaction or forwards the secret information for inclusion in the one transaction before sending to the network for propagation. The validation condition may be configured to validate the one transaction under further conditions: the secret information is contained in the one transaction.

In an embodiment, the one transaction may include a hash value of the secret information, and the condition that the secret information is included in the one transaction may include: the secret information forwarded by the second party is a solution to the hash value of the secret information contained in the code.

This has the advantage that the first party does not need to reveal the original value of the secret information in the one transaction.

In an embodiment, the lock script may further require secret information to unlock the output of a previous transaction, and the unlock script in the input of the one transaction may include the secret information configured for use in the unlock script.

In an alternative embodiment, the locking script may comprise a code separator separating first and second parts of the locking script, wherein the second part comprises said information, wherein the locking script is configured so that verification of said one transaction requires a signature of the first party signing at least the first part and not the second part, and a signature of the second party signing at least the second part. In this case, the receiving of the information includes receiving the second part of the locking script, and the generating of the second party signature includes signing at least the second part.

In some such embodiments, the method may comprise: prior to the second party receiving the information, the second party receiving the first part of the locking script, wherein the first party's signature signs at least the first part; and, based on the received first part, the second party verifying the signature of the first party.

In an embodiment, the previous transaction may be created by the first party. In an embodiment, the previous transaction may be sent by the first party directly or indirectly to the network for propagation and thus recorded in the blockchain instance of each node. Alternatively, the previous transaction may be partially created by a third party or even a second party and sent to the first party for signing and sending; or the first party may send its signature to a third party or a second party to assemble and send the previous transaction.

In an embodiment, the second party may receive the one transaction from the first party in partial form including at least the unlocking script, and the one transaction may then be completed by the second party including the second party's signature and the secret information (e.g., usage) in the one transaction. The signature of the first party may be received in the one transaction or may be separately received and included in the one transaction by the second party. Once completed, the one transaction may be sent directly to the network by the second party, or the one transaction may be sent by the second party to a third party for forwarding to the network. In another alternative, the first party may send the first party's signature and secret information to a third party, and the second party may send the second party's signature to the third party. In this case, the unlock script may be generated by the third party or received by the third party from the first party. These elements may be assembled into the one transaction by the third party, which may then send the one transaction directly or indirectly to the network for propagation.

In an embodiment, the record of the file may be included in the output of the one transaction.

In an embodiment, the recording of the video may be included in the output of the one transaction.

The second party's signature may be formed by signing a portion of the one transaction that contains the secret information in plaintext, or by signing a portion of the data that contains a hash of the secret information. In embodiments, the partial data signed by the second party may also comprise one or more other elements of the one transaction, such as a lock script and/or an unlock script or a part thereof; or a transformation of these, such as a hash value. In a particular embodiment, the second party signs at least the secret information and the lock script, or only the secret information and the lock script. In an embodiment, the part of the data signed by the second party does not comprise the signature of the first party.

The first party's signature may be generated by signing at least a portion of the data from the one transaction or a transformation thereof (e.g., a hash value). In embodiments, the data signed by the first party may include the lock script, and/or one or more other outputs of previous transactions, and/or one or more inputs of the one transaction other than the input including the unlock script; or a transformation, such as a hash value, of any or all of these. In an embodiment, the data signed by the first party does not comprise the secret information.
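The validation condition of the single-transaction embodiment described above, as an added example that is not taken from the patent: a node accepts the transaction only if the secret solves the hash committed in the lock script, the first party's signature covers data that excludes the secret, and the second party's signature covers data that includes it. Lamport one-time signatures over SHA-256 replace the blockchain's own signature scheme so the code runs on the Python standard library alone; the dictionary model of the lock script and all function names are assumptions.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signatures: a stdlib-only stand-in for the chain's own scheme.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = msg_bits(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bits[i]] for i in range(256))

# Hypothetical model of the lock script in the previous transaction's output:
# it names both parties' keys and commits to the secret only by its hash.
def make_lock(pk_a, pk_b, secret_hash: bytes) -> dict:
    return {"pk_a": pk_a, "pk_b": pk_b, "secret_hash": secret_hash}

def lock_bytes(lock: dict) -> bytes:
    flat = lambda pk: b"".join(h for pair in pk for h in pair)
    return H(flat(lock["pk_a"])) + H(flat(lock["pk_b"])) + lock["secret_hash"]

def first_party_data(lock: dict, outputs: bytes) -> bytes:
    # What the first party signs: lock script and outputs, never the secret.
    return b"A|" + lock_bytes(lock) + outputs

def second_party_data(lock: dict, secret: bytes) -> bytes:
    # What the second party signs: the secret together with the lock script.
    return b"B|" + secret + lock_bytes(lock)

def validate(lock: dict, outputs: bytes, unlock: dict):
    """Node-side validation condition for the single transaction."""
    secret = unlock["secret"]
    if H(secret) != lock["secret_hash"]:
        return False, "secret does not solve the committed hash"
    if not verify(lock["pk_a"], first_party_data(lock, outputs), unlock["sig_a"]):
        return False, "first-party signature invalid"
    if not verify(lock["pk_b"], second_party_data(lock, secret), unlock["sig_b"]):
        return False, "second-party signature does not cover the secret"
    return True, "ok"

def run_scenario(secret_released_to_b: bool):
    sk_a, pk_a = keygen()
    sk_b, pk_b = keygen()
    secret = secrets.token_bytes(16)            # first party's secret (constructed)
    lock = make_lock(pk_a, pk_b, H(secret))
    outputs = H(b"constructed sample file record")
    sig_a = sign(sk_a, first_party_data(lock, outputs))
    # Without the released secret the second party can only sign a guess.
    b_view = secret if secret_released_to_b else bytes(16)
    sig_b = sign(sk_b, second_party_data(lock, b_view))
    return validate(lock, outputs, {"secret": secret, "sig_a": sig_a, "sig_b": sig_b})

if __name__ == "__main__":
    print(run_scenario(True))
    print(run_scenario(False))
```

Each Lamport key must sign only one message, which is why every scenario generates fresh keys.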

In a second class of embodiments, the one or more transactions may include a first transaction and a second transaction; the verification condition is configured to verify the first transaction on condition that the signature of the first party is included in the first transaction; verifying the second transaction on condition that the signature of the second party is included in the second transaction, the second signature being generated by signing the portion of data.

In an embodiment, the input of the first transaction may comprise a pointer to an output of a previous transaction in the blockchain or to be included in the blockchain, wherein the output of the previous transaction comprises a lock script that requires a signature of the first party to unlock the output of the previous transaction. The input of the second transaction may include a pointer to the output of the first transaction, where the output of the first transaction includes a locking script that requires a signature of the second party to unlock the output of the first transaction. The first transaction may include a first unlock script in an input of the first transaction, and the second transaction may include a second unlock script in an input of the second transaction, the first unlock script including a signature of the first party and the second unlock script including a signature of the second party, configured to unlock the output of the previous transaction using the signature of the first party and to unlock the output of the first transaction using the signature of the second party, to enable verification. The information concealed by the first party may include the signature of the first party.

In an embodiment, the record of the file may be included in the output of the second transaction.

In an embodiment, the recording of the video may be included in the output of the second transaction.

The signature of the first party may be generated by signing data from the first transaction and/or a previous transaction. The signature for the second transaction may be generated by signing data from the second transaction and/or a previous transaction. In an embodiment, the portion of data signed by the second party may include a transaction ID for the first transaction, which may be a hash value of the entire first transaction during the signing of the first transaction. The data signed by the first party may include a transaction ID of the previous transaction, which may be a hash value of the entire previous transaction.

According to another aspect disclosed herein, there is provided a computer program product embodied on a computer-readable memory, comprising code configured to, when run on a computer device of a second party, perform an operation according to any requirement of the second party.

According to another aspect disclosed herein, there is provided a computer device of a second party, comprising processing means including one or more processors and memory including one or more memory means, the memory storing software arranged for execution on the processor, the software being configured to perform an operation according to any requirements of the second party when executed.

According to another aspect disclosed herein, there is provided a computer-implemented method performed on a first-party computer device, the method comprising: the first party generates its own cryptographic signature indicating that the first party agrees to the statement; confirming to the second party, separately from the signature of the first party, that the first party agrees with the statement; after the first party has generated its own signature and sent the confirmation to the second party, making information of the first party available to the second party, and then sending the information to the second party, thereby causing the second party to generate its own cryptographic signature by signing a portion of data containing the information or a transformation thereof; causing one or more transactions to be sent to a network of nodes by sending said information in a form including a first party signature included in at least one of the one or more transactions and a second party signature included in at least one of the one or more transactions, the network being configured to propagate each transaction through the network when a verification condition is satisfied and to record each transaction in a blockchain copy maintained by each of at least some of the nodes; wherein the validation condition is configured to validate one of the one or more transactions under the following conditions: the signature of the first party is contained in one of the one or more transactions and the signature of the second party is contained in one of the one or more transactions, the signature of the second party being generated by signing the portion of data.

In embodiments, the method may comprise additional steps corresponding to any embodiment of the method performed by the second party and/or the third party or node.

According to another aspect, there is provided a computer program product embodied on a computer-readable memory, comprising code configured to, when run on a computer device of a first party, perform operations according to the respective method of the first party.

According to another aspect, there is provided a computer device of a first party, comprising processing means including one or more processors, and memory including one or more storage means, the memory storing software arranged for execution on the processors, the software being configured to perform operations according to the method of the first party when executed.

According to another aspect, there is provided a computer program embodied on a computer readable memory configured so as when run on a computer device of a first party to perform operations according to the method of the first party.

According to another aspect disclosed herein, there is provided a method performed by a first node in a network of nodes, comprising: receiving one or more transactions including a cryptographic signature of a first party included in one of the one or more transactions and a cryptographic signature of a second party included in at least one of the one or more transactions; verifying that both the first party's signature and the second party's signature are included in one of the one or more transactions, the first party's signature signing a portion of data, the portion of data including or originating from a piece of information of the first party that is available to the second party after the first party generates the first signature; recording one or more transactions in a blockchain copy maintained by a first node; and then propagating the one or more transactions to the one or more other nodes to be recorded in the blockchain copy recorded at each of the one or more other nodes; wherein the first node is configured to perform said recording and subsequent propagation of at least one of the one or more transactions by said first node under said verified condition.

In embodiments, the method performed by the first node may comprise additional steps corresponding to any embodiment of the method performed by the first party, the second party and/or the third party.

According to another aspect, a network node arranged to perform the method of the node is provided.

According to another aspect, a computer program embodied on a computer readable memory is provided that is configured when run on a node to perform a method of the node.

According to another aspect, there is provided a network of nodes, each node being configured to operate in accordance with a method associated with a first node, thereby being configured to propagate one or more transactions throughout the network and to be recorded in blockchain copies of the nodes subject to said verification.

According to another aspect disclosed herein, a method may be provided that includes the actions of a first party, a second party, any third parties that may be involved, and a network of nodes.

According to another aspect disclosed herein, a system may be provided that includes a computer device of a first party, a computer device of a second party, a computer device of any third party, and a network of nodes.

Other variations or uses of the disclosed technology may become apparent to those skilled in the art once the disclosure herein is given. The scope of the present disclosure is not limited by the described embodiments, but only by the appended claims.
