BLOCKCHAIN-IMPLEMENTED METHOD AND SYSTEM

Abstract

This invention relates generally to distributed ledger technology (including blockchain related technologies), particularly a method and corresponding system for providing a blockchain transaction comprising a redeem script for an output that comprises: i) a plurality of public keys, each associated with a corresponding private key, wherein each public key is uniquely associated with a potential state of at least one data source; and ii) logic arranged to provide a result based on: A) a determination of which of the plurality of associated private key(s) is/are used to sign the unlocking script, so as to provide an interim result: and B) a comparison of a parameter supplied via the unlocking script against the interim result, and further attempting to spend the transaction output more than once, each attempt supplying a different parameter.

Claims

1. A computer-implemented control method comprising steps of: providing a blockchain transaction for a blockchain network, the blockchain transaction comprising a redeem script for an output, wherein the redeem script comprises: i) a plurality of public keys, each associated with a corresponding private key, wherein each public key is uniquely associated with a potential state of at least one data source, wherein the at least one data source comprises a sensor or a signal generation component associated with a respective computing agent of a plurality of computing agents directly controlled by a blockchain of the blockchain network, wherein the computing agents are each configured to: monitor a separate potential state of the at least one data source via the sensor or signal generation component to provide an input indicating a state of the at least one data source; and derive a separate private key for each possible state; and wherein a minimum number of said private keys must be used to sign an unlocking script of a further blockchain transaction in order to spend the output; and ii) logic arranged to provide a result based on: a determination of which of the plurality of associated private keys is used to sign the unlocking script, so as to provide an interim result; and a comparison of a parameter supplied via the unlocking script against the interim result; and attempting to spend the output more than once, each attempt supplying a different parameter.

2. The method according to claim 1, wherein the logic is arranged to implement functionality of a logic gate.

3. The method according to claim 2, wherein the logic gate is a NOT, AND, OR, NOR, XOR, IMPLY, NAND, NONIMPLY or XNOR gate.

4. The method according to claim 1, wherein the state of the at least one data source is determined by a computing agent.

5. The method according to claim 4, wherein the computing agent is in communication with a control computing agent.

6. The method according to claim 1, wherein the result is a Boolean result.

7. The method according to claim 1, wherein there are at least two data sources.

8. The method according to claim 1, wherein two potential states associated with each data source, each potential state being further associated with, or represented by, a public key.

9. The method according to claim 1, further comprising the step: for each of the at least one data source: associating a public key in the plurality with a potential state of the data source such that all possible states of the data source are represented by a respective public key.

10. The method according to claim 1, wherein the at least one data source comprises a sensor or a signal generation component.

11. The method according to claim 1, wherein each public key represents a Boolean value indicative of a potential state of the at least one data source.

12. The method according to claim 1, wherein the parameter is a value, or a puzzle, or a value embedded in a key.

13. The method according to claim 1, wherein the logic is arranged to perform an equality check to compare an intermediate result with the parameter.

14. The method according to claim 1, wherein the interim result is derived from the logic provided within the redeem script, and/or is a Boolean value which is calculated by determining which of the associated private keys were used to sign the unlocking script.

15. The method according to claim 1, and further comprising the step of: generating or deriving one or more cryptographic keys from a base or master key.

16. The method according to claim 15, wherein: a key generation or derivation step is performed using a deterministic key generation technique.

17. A computer-implemented system comprising: at least one computer-based resource arranged to performstep(s) of claim 1; and a blockchain.

18. The computer-implemented system according to claim 17, wherein the at least one computer-based resource is arranged to: submit a transaction to a blockchain network; generate a transaction; digitally sign a locking script; and/or generate a public/private cryptographic key.

19. The computer-implemented system according to claim 17, wherein the result is used to control or influence an execution or operation of a process or apparatus.

20. The computer-implemented system according to claim 17, further comprising at least one sensor or signal generation component arranged and configured to provide an input to the at least one computer-based resource.

Description

[0052] These and other aspects of the present invention will be apparent from and elucidated with reference to, the embodiment described herein. An embodiment of the present invention will now be described, by way of example only, and with reference to the accompany drawings, in which:

[0053] FIG. 1 shows an illustration of an embodiment of the invention.

[0054] FIG. 2 shows an illustrative embodiment of the invention in which a plurality of independent computing agents perform the monitoring of the external environments to provide inputs into the logic gate transaction.

[0055] FIG. 3 shows an overview of a preferred embodiment of the present invention.

[0056] FIG. 4 shows an example Blockchain transaction arranged in accordance with an embodiment of the invention, and in which transaction output 1 implements the NOR gate with transaction output 2 paying change back to the Controller.

[0057] FIG. 5 shows an overview of another embodiment of the invention.

[0058] FIGS. 6 to 10 show a technique for generating a cryptographic key from a base key.

[0059] FIG. 11 shows a redeem script in accordance with at least one embodiment.

[0060] FIG. 12 shows a redeem script in accordance with at least one embodiment.

[0061] FIG. 13 shows shows an unlocking script in accordance with at least one embodiment.

[0062] FIG. 14 shows a redeem script in accordance with at least one embodiment.

[0063] FIG. 15 shows an unlocking script in accordance with at least one embodiment.

[0064] The invention provides a novel and advantageous solution for using a blockchain to implement a function. The blockchain is used to provide a record of the execution of the function and/or a result of its result. A function can be a subroutine or procedure (i.e. a process or portion of logic) which is applied to a set of inputs and returns a set of outputs. In one possible embodiment, the function can be executed ‘off block’ ie its performance is not blockchain-dependent. The function is performed by a computer-based resource.

[0065] A blockchain (e.g. Bitcoin) transaction is a transfer of (e.g. Bitcoin) value which typically references previous transaction outputs as new transaction inputs and dedicates all input values to new outputs. Transactions are not encrypted, so it is possible to browse and view every transaction ever collected into a block. It would be highly advantageous, however, to be able to construct a blockchain transaction which acts as a function, where the transaction output(s) are conditional or dependent on information supplied. This would enable a sophisticated level of behaviour via a blockchain.

[0066] Important aspects of the present invention include (but are not limited to) a method for creating a blockchain transaction that represents a function where function input(s) are represented by the public keys used within a redeem script of the transaction’s output and wherein actual values are represented by signatures associated with one or more of the public keys.

[0067] The invention will be illustrated via use case examples provided below, in which blockchain (e.g. Bitcoin) transactions can be used to represent the functionality provided by a logic gate. This functionality can then be used to control some technical process or apparatus.

[0068] This invention provides a number of generic novel features above the Blockchain, including: [0069] The ability to create agents against sensors or other signal/input generators where the agent is controlled directly from the Blockchain and requires no other network access in order to operate; [0070] The ability to determine, on a transaction secured by multiple signatures, which public keys were involved in the transaction signing process; and [0071] The ability to embed a limited, discrete, range of payload values within the signing keys that can be used to determine behaviour (i.e. how code executes) within the redeem script.

[0072] In addition, embodiments of the invention can make use of the above elements to deliver a logic gate (e.g. NOR gate) where the input values from A and B are embedded within, or represented by, the key used for signing.

Benefits

[0073] The proposed invention offers the following benefits: [0074] inherently secure by design (the Bitcoin protocol requires no trusted parties); [0075] distributed, so avoids a large single point of failure and is not vulnerable to attack; [0076] easy to manage and maintain, the Bitcoin network is straightforward to use; [0077] inexpensive (just a small transaction fee is usually expected under the Bitcoin protocol); [0078] global and can be used at any time by anyone with access to the Internet; [0079] transparency: once data has been written to the blockchain, anyone can see it; [0080] immutable, once data has been written to the blockchain, no one can change it; and [0081] privacy is maintained, no personally identifying information is involved.

[0082] In order for the invention to operate, it must conform to the existing constructs and behaviours of the Bitcoin protocol and wallet. FIG. 1 shows how a standard Bitcoin transaction (TX) is constructed in accordance with an embodiment of the invention. (bitcoin is used for illustration only, and other ledgers and associated protocols may be used while still falling within the scope of the invention).

Agent Configuration

[0083] An embodiment of the invention comprises the use of a number of independent (computing) agents that are arranged to perform the monitoring of external environments to provide inputs into this logic gate transaction, as shown in FIG. 2. Thus, the computing agents are designed to monitor some condition. An input may be received from a sensor for this purpose. For example, the agent may monitor a condition such as “is the temperature below zero degrees Celsius?” or any other type of testable condition. The agent may be arranged, therefore, to monitor the state of its observed condition.

[0084] The agents are in communication with a control or master agent, hereafter referred to as a “controller”. The Controller is arranged to for operation with the blockchain protocol.

[0085] In one or more embodiments, the subordinate agents (e.g. A and B) may comprise keys which are derived from the controller. However, it should be noted that it is possible for Agent A and Agent B to have self-generated keys and not derive these from the Controller. This restricts the functionality that the Controller can use on the keys.

[0086] In one or more embodiments, each condition being monitored has a separate monitoring agent set-up with their own key. From this key, they derive a separate key for the output from their monitoring condition (i.e. for each possible state). These values are deterministically derivable from their base key, which could be done at the point of monitoring or the agent could pre-derive the values (for example, it may be more efficient for a true / false sensor to simply pre-define). The key may be derived from the base key using the technique described below in the section entitled “Creating a Key Using a shared Secret”.

Agent Behaviour

[0087] The embodiment described above allows Agents to have a very tightly defined behaviour; at their base point they are sensors that are detecting a single condition and responding on demand to that condition. The following table demonstrates the behaviour pattern for these agents.

TABLE-US-00001 Step Description 1 Startup agent, and derive new key from start-up parameters. 2 Wait for transaction signing request. 3 On receipt of transaction signing request, get data from attached sensor 4 Using data from attached sensor, derive new signing key 5 Sign transaction request 6 Go to step 2

[0088] Note that step 2 is the standard process to implement multi-signature transactions as known in the prior art. An inventive step can be seen in Steps 3 and 4 which allow the agent to embed the sensor value in the signature returned from the Agent.

Data Value Extraction & Transaction Evaluation

[0089] The redeem script in the transaction then allows the effective de-facto extraction of the values embedded by the autonomous agents. However, this only works where the range of possible values is known in advance; the examples herein are where Agents A and B provide ‘true’ / ‘false’ values but a broader range of values is also possible using this method (e.g. 1,2,3,4,5). The point is that a unique key is used to represent each possible value or state, so that the redeem script can determine what the value is based on which key was used to sign the unlocking script. However, as the logic provided within the redeem script must be arranged to perform this analysis, the method does not support an infinite range of possible values.

[0090] The method works by evaluating the signatures supplied by the agent against the possible derived public keys for that agent. So, when the redeem script was first constructed by the Controller, it would have determined what the public key for each possible input value (state) was and included these within the payload of the redeem script.

[0091] In order for the script to extract this data, it does so by determining which of the public keys was used to sign the transaction and since the script has been coded to implicitly understand the value that this public key represents, it has effectively extracted that value for the purpose of utilisation within the confines of the script.

[0092] Within the Blockchain standard, the built-in OP_CHECKMULTISIG transaction function allows the evaluation of signatures in order to determine that enough signatures were collected via the unlocking script. However, this does not allow the explicit determination of which were used. Therefore, the invention provides an improvement over the prior art because it presents a technique for using a Tx to explicitly match against particular keys to determine which were used, and therefore allows much more complexity to be implemented via transactions. In other words, by determining which subset of the plurality of keys is used in the signing process, it is possible to produce a more sophisticated behaviour via the blockchain.

[0093] For example, in an escrow function it is possible to effectively create an escrow with multiple escrow agents but define a scripting rule that requires the provision of a signature of the buyer plus the seller, or the buyer plus one of the escrow agents or the seller plus one of the escrow agents. This is not possible in the known standard Bitcoin protocol since the standard construct would allow both of the escrow agents to sign the transaction.

Redeem Script Pseudo Code

[0094] In accordance with an embodiment of the invention, logic within the redeem script may be arranged as follows:

TABLE-US-00002 IF Validate(sig-Controller,pubK-Controller) =TRUE THEN      SET Variable-A = INDETERMINED      SET Variable-B = INDETERMINED      IF Validate (sig-A, PubK-A-true) =TRUE THEN       SET Variable-A=TRUE      ELSE IF Validate(sig-A, PubK-A-false) =TRUE THEN       IF Variable-A=TRUE THEN               Return FALSE // A is both true and false which is rubbish       ELSE               SET Variable-A=FALSE      IF Validate (sig-B, PubK-B-True) =TRUE THEN       SET Variable-B=TRUE      ELSE IF Validate(sig-B, PubK-B-False) =TRUE THEN       IF Variable-B=TRUE THEN               Return FALSE // B is both true and false which is rubbish       ELSE               SET Variable-B=FALSE      IF Variable-A = INDETERMINED OR Variable-B = INDETERMINED THEN       Return FALSE      ELSE             RETURN Variable-A NOR Variable-B ELSE       RETURN FALSE

Example Transaction

[0095] In an example transaction, transaction output (TxO) 1 implements a NOR gate with transaction output 2 paying change back to the Controller. The Transaction is shown in FIG. 4.

Redeem Script

[0096] The full redeem script is shown in FIG. 11. This is then broken down into logical components.

[0097] The instruction codes within the box demonstrate the NOR gate payload code (block 7 below) which are provided above the signature manipulation logic required to bring the data into a format which can be validated.

[0098] In order to partition into logical ‘sub-functions’ the script is broken down into a sequence of blocks as shown in the following table for the convenience of the reader.

TABLE-US-00003 Name Script Block Purpose RS Block 1 OP_DUP This pushes the data bearing signatures across onto the alternative stack, before confirming that the controller authorised the transaction. OP_TOALTSTACK OP_TOALTSTACK OP_DUP OP_TOALTSTACK OP_TOALTSTACK <PubK-Controller> OP_CHECKSIGVERIFY <RS Block 2> RS Block 2 OP_FROMALTSTACK This block evaluates which of the A public keys has been used to sign this transaction. The script does not care (at this point) whether any signatures have been used or not. <PubK-A-True> OP_CHECKSIG OP_FROMALTSTACK <PubK-A-False> OP_CHECKSIG <RS Block 3> RS Block 3 OP_FROMALTSTACK This block evaluates whether, and which, of the two B public keys has been used to sign the transaction. The script does not care (at this point) whether any signatures have been used or not. <PubK-B-True> OP_CHECKSIG OP_FROMALTSTACK <PubK-B-False> OP_CHECKSIG <RS Block 4> RS Block 4 OP_DUP This block of code checks to make sure that: OP_TOALTSTACK • One, and only one, of the A public keys was used to sign the transaction. OP_SWAP OP_DUP OP_TOALTSTACK OP_NUMNOTEQUAL OP_VERIFY <RS Block 5> RS Block 5 OP_DUP This block of code checks to make sure that: OP_TOALTSTACK • One, and only one, of the B public keys was used to sign the transaction. OP_SWAP OP_DUP OP_TOALTSTACK OP_NUMNOTEQUAL OP_VERIFY <RS Block 6> RS Block 6 OP_FROMALTSTACK This block brings back the validated key information from the alternative stack and aligns the signals. OP_FROMALTSTACK OP_FROMALTSTACK OP_SWAP OP_FROMALTSTACK <RS Block 7> RS Block 7 (NOR) OP_EQUAL This block implements the NOR logic within the script. Note that it can take some shortcuts as it knows that either: OP_TOALTSTACK • <B-False-Result> is true OR <B-True-Result> is true but they can’t both have the same value; OP_DROP • <A-False-Result> is true OR <A-True-Result> is true, but they can’t both have the same value. OP_DROP OP_FROMALTSTACK

Locking Script

[0099] The locking script is a standard Pay-to-Script-Hash model:

TABLE-US-00004 OP_HASH160 <Redeem Script Hash> OP_EQUAL

Unlocking Script

[0100] The required unlocking script is:

TABLE-US-00005 <Sig-Controller> <Sig-A-Used> <Sig-B-Used> <RS Block 1>

Where:

TABLE-US-00006 <Sig-A-Used> is either:        <Sig-A-True>; or        <Sig-A-False> <Sig-B-Used> is either:        <Sig-B-True>; or        <Sig-B-False>

Illustration: NOR Logic Gate

[0101] The NOR gate is a logic gate that implements a NOT OR. That is, if both inputs are false, then the output will be true, otherwise the output will be false.

TABLE-US-00007 A B X 0 0 1 0 1 0 1 0 0 1 1 0

[0102] The NOR logic is implemented within a single Bitcoin transaction output which requires a controller signature, plus a signature from the A agent representing either the true or false value, and another signature from the B agent (again either true or false). FIG. 1 shows an overview of how this NOR method can be implemented via the Bitcoin protocol.

[0103] It is possible to implement alternative gates, by replacing RB Block 7 as shown in the subsequent sections.

AND Gate

[0104] TABLE-US-00008 A B X 0 0 0 0 1 0 1 0 0 1 1 1

TABLE-US-00009 Name Script Block Purpose RS Block 7 (AND) OP_DROP This block implements the AND logic within the script. Note that it can take some shortcuts as it knows that either: OP_DROP • <B-False-Result> is true OR <B-True-Result> is true but they can’t both have the same value; OP_1 • <A-False-Result> is true OR <A-True-Result> is true, but they can’t both have the same value. OP_EQUAL OP_EQUAL

NAND Gate

[0105] TABLE-US-00010 A B X 0 0 1 0 1 1 1 0 1 1 1 0

TABLE-US-00011 Name Script Block Purpose RS Block 7 (NAND) OP_1 This block implements the NAND logic within the script. Note that it can take some shortcuts as it knows that either: OP_EQUAL • <B-False-Result> is true OR <B-True-Result> is true but they can’t both have the same value; OP_EQUAL • <A-False-Result> is true OR <A-True-Result> is true, but they can’t both have the same value. OP_TOALTSTACK OP_DROP OP_DROP OP_FROMALTSTACK

OR Gate

[0106] TABLE-US-00012 A B X 0 0 0 0 1 1 1 0 1 1 1 1

TABLE-US-00013 Name Script Block Purpose RS Block 7 (OR) OP_TOALTSTACK This block implements the OR logic within the script. Note that it can take some shortcuts as it knows that either: OP_0 • <B-False-Result> is true OR <B-True-Result> is true but they can’t both have the same value; OP_EQUAL • <A-False-Result> is true OR <A-True-Result> is true, but they can’t both have the same value. OP_FROMALTSTACK OP_0 OP_EQUAL OP_EQUAL OP_NOT OP_TOALTSTACK OP_DROP OP_DROP OP_FROMALTSTACK

XOR Gate

[0107] TABLE-US-00014 A B X 0 0 0 0 1 1 1 0 1 1 1 0

TABLE-US-00015 Name Script Block Purpose RS Block 7 (XOR) OP_1 This block implements the XOR logic within the script. Note that it can take some shortcuts as it knows that either: OP_EQUAL • <B-False-Result> is true OR <B-True-Result> is true but they can’t both have the same value; OP_EQUAL • <A-False-Result> is true OR <A-True-Result> is true, but they can’t both have the same value. OP_NOT

XNOR Gate

[0108] TABLE-US-00016 A B X 0 0 1 0 1 0 1 0 0 1 1 1

TABLE-US-00017 Name Script Block Purpose RS Block 7 (XNOR) OP_1 This block implements the XNOR logic within the script. Note that it can take some shortcuts as it knows that either: OP_EQUAL • <B-False-Result> is true OR <B-True-Result> is true but they can’t both have the same value; OP_EQUAL • <A-False-Result> is true OR <A-True-Result> is true, but they can’t both have the same value.

NOT Gate

[0109] The implementation of this gate is slightly more complicated since it only has a single input.

TABLE-US-00018 A X 0 1 1 0

[0110] As a result, the Unlocking Script changes to:

TABLE-US-00019 <Sig-Controller> <Sig-A-Used> <RS Block 1>

[0111] As a result of a single input, the following block changes occur:

TABLE-US-00020 Name Script Block Purpose RS Block 1 OP_DUP This pushes the data bearing signatures across onto the alternative stack, before confirming that the controller authorised the transaction. OP_TOALTSTACK OP_TOALTSTACK <PubK-Controller> OP_CHECKSIGVERIFY <RS Block 2> RS Block 2 OP_FROMALTSTACK This block evaluates which of the A public keys has been used to sign this transaction. The script does not care (at this point) whether any signatures have been used or not. <PubK-A-True> OP_CHECKSIG OP_FROMALTSTACK <PubK-A-False> OP_CHECKSIG <RS Block 4> RS Block 3 Entire block removed RS Block 4 OP_DUP This block of code checks to make sure that: OP_TOALTSTACK • One, and only one, of the A public keys was used to sign the transaction. OP_SWAP OP_DUP OP_TOALTSTACK OP_NUMNOTEQUAL OP_VERIFY <RS Block 6> RS Block 5 Entire block removed RS Block 6 OP_FROMALTSTACK This block brings back the validated key information from the alternative stack and aligns the signals. OP_FROMALTSTACK <RS Block 7> RS Block 7 (NOT) OP_NOT This block implements the NOT logic within the script.

[0112] A number of varying embodiments may be provided, as described below.

Variant 1: Generating a TRUE & FALSE SIGNAL

[0113] This embodiment may be, substantially, the subject of the present invention.

[0114] The embodiments described above allow the unsigned transaction output (UTXO) representing the logic gate to be spent only where the gate conditions evaluate to TRUE. In a number of situations, however, it would be advantageous to spend the output (albeit to different recipient addresses) regardless of the actual output of the circuit.

[0115] This is possible using this Embodiment. Effectively the embodiment shown in FIG. 1 is amended as shown in the FIG. 3 to provide the presently claimed invention. In this embodiment, there is an extra parameter supplied to the redeem script of the first transaction (Tx). This extra parameter can be either a puzzle, or a value embedded in a key or a value supplied explicitly (as it is in the example). This defines the Controller’s desired outcome to spend the UTXO.

[0116] Therefore, for a simple logic gate, the Controller would attempt to spend the transaction twice using the same signatures; one with an expected TRUE outcome and once with an expected FALSE outcome.

[0117] The redeem script will be expanded such that at the end of the gate calculation it applies an equality check on the output of the gate to the output requested by the Controller, such that: [0118] If the embedded gate logic returns FALSE, and the desired outcome is FALSE, then the redeem script will evaluate to TRUE and the UTXO can be spent; [0119] If the embedded gate logic returns TRUE, and the desired outcome is TRUE, then the redeem script will evaluate to TRUE and the UTXO can be spent; [0120] If the embedded gate logic returns TRUE, but the desired outcome is FALSE, then the redeem script will evaluate to FALSE and the UTXO cannot be spent; and [0121] If the embedded gate logic returns FALSE, but the desired outcome is TRUE, then the redeem script will evaluate to FALSE and the UTXO cannot be spent.

Variant Scripts

[0122] The full redeem script is shown in FIG. 12. This is then broken down into logical components for the convenience of the reader.

[0123] The instruction codes within the box demonstrate the NOR gate payload code above the signature manipulation logic to bring the data into a format which can be validated.

Locking Script

[0124] The locking script is a standard Pay-to-Script-Hash model:

TABLE-US-00021 OP_HASH160 <Redeem Script Hash> OP_EQUAL

Unlocking Script

[0125] The unlocking script for this pattern of logic gates is shown in FIG. 13.

Variant 2: Generating a Concealed TRUE & FALSE Signal

[0126] Variant 1 has a minor disadvantage that it is public knowledge (from the redeem script) whether a true or false condition was signalled from the script. Embedding the desired signal inside the signature from the Controller avoids this issue. In variant 2, the Controller has two public keys derived from its primary key as shown in FIG. 5.

Variant Scripts

[0127] The full redeem script is shown in FIG. 14. This is then broken down into logical components.

[0128] The instruction codes within the box demonstrate the NOR gate payload code above the signature manipulation logic to bring the data into a format which can be validated.

Locking Script

[0129] The locking script is a standard Pay-to-Script-Hash model:

TABLE-US-00022 OP_HASH160 <Redeem Script Hash> OP_EQUAL

Unlocking Script

[0130] The unlocking script for this pattern of logic gates is shown in FIG. 15.

Variant 3: Single Code Stack

[0131] It is possible to implement these gates using the single stack, rather than making use of the alt stack.

Redeem Script: Overview and NOR

[0132] The full redeem script is shown below. This is then broken down into logical components.

TABLE-US-00023 <PubK-Controller> OP_CHECKSIGVERIFY OP_DUP <PubK-A-True>           OP_CHECKSIG OP_DUP                  OP_3                OP_ROLL <PubK-A-false>          OP_CHECKSIG OP_NUMNOTEQUAL          OP_VERIFY OP_SWAP                 OP_DUP <PubK-B-true>           OP_CHECKSIG OP_DUP                  OP_3                OP_ROLL <PubK-B-false>          OP_CHECKSIG OP_NUMNOTEQUAL          OP_VERIFY OP_BOOLOR               OP_NOT

[0133] The instruction codes within the box demonstrate the NOR gate payload code above the signature manipulation logic to bring the data into a format which can be validated.

[0134] All stacks are shown in top to bottom ordering.

Locking Script

[0135] The locking script is a standard Pay-to-Script-Hash model:

TABLE-US-00024 OP_HASH160 <Redeem Script Hash> OP_EQUAL

Unlocking Script

[0136] The unlocking script for this pattern of logic gates is (note the different ordering of the signature blocks):

TABLE-US-00025 <Sig-B-Used> <Sig-A-Used> <Sig-Controller> <RS Block 1>

Where:

TABLE-US-00026 <Sig-A-Used> is either <Sig-A-True> or <Sig-A-False> <Sig-B-Used> is either <Sig-B-True> or <Sig-B-False>

Alternative Gates

[0137] To implement the alternative logic gates, replace the explicit NOR code in the blue rectangle with the following:

TABLE-US-00027 Name Block Purpose AND OP_BOOLAND OR OP_BOOLOR NAND OP_BOOLAND OP_NOT XOR OP_NUMNOTEQUAL XNOR OP_NUMEQUAL

TABLE-US-00028 Name Block Purpose IMPLY OP_SWAP OP_NOT OP_BOOLOR Converse Implication OP_NOT OP_BOOLOR Material Non-implication OP_NOT OP_BOOLAND Converse Non-implication OP_SWAP OP_NOT OP_BOOLAND

Scenario: Burglar Alarm Setting (NOR Gate)

[0138] A simple example for the above embodiment utilising the NOR gate is the setting of a burglar alarm.

[0139] In this example, Agent A is a door sensor on the loading bay door that signals TRUE when the door is open and FALSE when closed.

[0140] Agent B is also a door sensor, but on the cash safe within the building. It also signals TRUE when the door is open and FALSE when closed. The controller is the central alarm system and it will only set the alarm if all doors within the building are closed. So, when the controller is requested to set the alarm, it will broadcast a transaction to the various monitoring agents. The transaction will complete only when Agent A and Agent B signal that their respective doors are closed.

[0141] We now describe a technique for generating a new key from a base key, as discussed above.

Creating a Key Using a Shared Secret

[0142] The following technique is described with reference to FIGS. 5 to 9.

[0143] Using the following technique, a key may be securely held or recreated. Particularly, in the case of a private key which may be used to derive a public key, the private key may be stored in parts.

[0144] The user, i.e. Alice or Bob, may keep one part of their private key, a service provider may keep a second part and a third part may be kept at a remote secure site. The private key may be reconstituted using any two of the three parts, or, more generally, the private key may be reconstituted using any m of n parts.

[0145] If the private key can be reconstituted then it can be used to recreate a public key at the point of use and then the private key and the public key can be discarded again after use.

[0146] Splitting private keys may be achieved using Shamir’s Secret Sharing Scheme. Private key-public key pairs may be deterministically derived from a master key using the following method. This method enables secret values to be shared by participants without ever transmitting them.

[0147] The system may generate a public key for a participant using a method of sub-key generation as now described.

[0148] FIG. 5 illustrates a system 1 that includes a first node 3 which is in communication with a second node 7 over a communications network 5. The first node 3 has an associated first processing device 23 and the second node 5 has an associated second processing device 27. The first and second nodes 3, 7 may include an electronic device, such as a computer, phone, tablet computer, mobile communication device, computer server etc. In one example, the first node 3 may be a client (user) device and the second node 7 may be a server. The server may be a digital wallet provider’s server.

[0149] The first node 3 is associated with a first asymmetric cryptography pair having a first node master private key (V.sub.1C) and a first node master public key (P.sub.1C). The second node (7) is associated with a second asymmetric cryptography pair having a second node master private key (V.sub.1S) and a second node master public key (P.sub.1S). In other words, the first and second nodes are each in possession of respective public-private key pairs.

[0150] The first and second asymmetric cryptography pairs for the respective first and second nodes 3, 7 may be generated during a registration process, such as registration for a wallet. The public key for each node may be shared publicly, such as over communications network 5.

[0151] To determine a common secret (CS) at both the first node 3 and second node 7, the nodes 3, 7 perform steps of respective methods 300, 400 without communicating private keys over the communications network 5.

[0152] The method 300 performed by the first node 3 includes determining 330 a first node second private key (V.sub.2C) based on at least the first node master private key (V.sub.1C) and a Generator Value (GV). The Generator Value may be based on a message (M) that is a shared between the first and second nodes, which may include sharing the message over the communications network 5 as described in further detail below. The method 300 also includes determining 370 a second node second public key (P.sub.2S) based on at least the second node master public key (P.sub.1S) and the Generator Value (GV). The method 300 includes determining 380 the common secret (CS) based on the first node second private key (V.sub.2C) and the second node second public key (P.sub.2S).

[0153] Importantly, the same common secret (CS) can also be determined at the second node 7 by method 400. The method 400 includes determining 430 a first node second public key (P.sub.2C) based on the first node master public key (P.sub.1C) and the Generator Value (GV). The method 400 further include determining 470 a second node second private key (V.sub.2S) based on the second node master private key (V.sub.1S) and the Generator Value (GV). The method 400 includes determining 480 the common secret (CS) based on the second node second private key (V.sub.2S) and the first node second public key (P.sub.2C).

[0154] The communications network 5 may include a local area network, a wide area network, cellular networks, radio communication network, the internet, etc. These networks, where data may be transmitted via communications medium such as electrical wire, fibre optic, or wirelessly may be susceptible to eavesdropping, such as by an eavesdropper 11. The method 300, 400 may allow the first node 3 and second node 7 to both independently determine a common secret without transmitting the common secret over the communications network 5.

[0155] Thus one advantage is that the common secret (CS) may be determined securely and independently by each node without having to transmit a private key over a potentially unsecure communications network 5. In turn, the common secret may be used as a secret key (or as the basis of a secret key).

[0156] The methods 300, 400 may include additional steps. The method 300 may include, at the first node 3, generating a signed message (SM1) based on the message (M) and the first node second private key (V.sub.2C). The method 300 further includes sending 360 the first signed message (SM1), over the communications network, to the second node 7. In turn, the second node 7 may perform the steps of receiving 440 the first signed message (SM1). The method 400 also includes the step of validating 450 the first signed message (SM2) with the first node second public key (P.sub.2C) and authenticating 460 the first node 3 based on the result of validating the first signed message (SM1). Advantageously, this allows the second node 7 to authenticate that the purported first node (where the first signed message was generated) is the first node 3. This is based on the assumption that only the first node 3 has access to the first node master private key (V.sub.1C) and therefore only the first node 3 can determine the first node second private key (V.sub.2C) for generating the first signed message (SM1). It is to be appreciated that similarly, a second signed message (SM2) can be generated at the second node 7 and sent to the first node 3 such that the first node 3 can authenticate the second node 7, such as in a peer-to-peer scenario.

[0157] Sharing the message (M) between the first and second nodes may be achieved in a variety of ways. In one example, the message may be generated at the first node 3 which is then sent, over the communications network 5, the second node 7. Alternatively, the message may be generated at the second node 7 and then sent, over the communications network 5, to the second node 7. In some examples, the message (M) may be public and therefore may be transmitted over an unsecure network 5. One or more messages (M) may be stored in a data store 13, 17, 19. The skilled person will realise that sharing of the message can be achieved in a variety of ways.

[0158] Advantageously, a record to allow recreation of the common secret (CS) may be kept without the record by itself having to be stored privately or transmitted securely.

Method of Registration 100, 200

[0159] An example of a method of registration 100, 200 is now described in which method 100 is performed by the first node 3 and method 200 is performed by the second node 7. This includes establishing the first and second asymmetric cryptography pairs for the respective first and second nodes 3, 7. The asymmetric cryptography pairs include associated private and public keys, such as those used in public-key encryption. In this example, the asymmetric cryptography pairs are generated using Elliptic Curve Cryptography (ECC) and properties of elliptic curve operations.

[0160] In the method 100, 200, this includes the first and second nodes agreeing 110, 210 on a common ECC system and using a base point (G). (Note: the base point could be referred to as a Common Generator, but the term ‘base point’ is used to avoid confusion with the Generator Value GV). In one example, the common ECC system may be based on secp256K1 which is an ECC system used by Bitcoin. The base point (G) may be selected, randomly generated, or assigned.

[0161] Turning now to the first node 3, the method 100 includes settling 110 on the common ECC system and base point (G). This may include receiving the common ECC system and base point from the second node 7, or a third node 9. Alternatively, a user interface 15 may be associated with the first node 3, whereby a user may selectively provide the common ECC system and/or base point (G). In yet another alternative one or both of the common ECC system and/or base point (G) may be randomly selected by the first node 3. The first node 3 may send, over the communications network 5, a notice indicative of using the common ECC system with a base point (G) to the second node 7. In turn, the second node 7 may settle 210 by sending a notice indicative of an acknowledgment to using the common ECC system and base point (G).

[0162] The method 100 also includes the first node 3 generating 120 a first asymmetric cryptography pair that includes the first node master private key (V.sub.1C) and the first node master public key (P.sub.1C). This includes generating the first master private key (V.sub.1C) based, at least in part, on a random integer in an allowable range specified in the common ECC system. This also includes determining the first node master public key (P.sub.1C) based on elliptic curve point multiplication of the first node master private key (P.sub.1C) and the base point (G) according to the formula:

[00001]${\text{P}}_{\text{1C}}={\text{V}}_{\text{1C}}\times \text{G}$

[0163] Thus the first asymmetric cryptography pair includes: [0164] V.sub.1C : The first node master private key that is kept secret by the first node. [0165] P.sub.1C: The first node master public key that is made publicly known.

[0166] The first node 3 may store the first node master private key (V.sub.1C) and the first node master public key (P.sub.1C) in a first data store 13 associated with the first node 3. For security, the first node master private key (V.sub.1C) may be stored in a secure portion of the first data store 13 to ensure the key remains private.

[0167] The method 100 further includes sending 130 the first node master public key (P.sub.1C), over the communications network 5, to the second node 7, as shown in FIG. 6. The second node 7 may, on receiving 220 the first node master public key (P.sub.1C), store 230 the first node master public key (P.sub.1C) in a second data store 17 associated with the second node 7.

[0168] Similar to the first node 3, the method 200 of the second 7 includes generating 240 a second asymmetric cryptography pair that includes the second node master private key (V.sub.1S) and the second node master public key (P.sub.1S). The second node master private key (V.sub.1S) is also a random integer within the allowable range. In turn, the second node master public key (P.sub.1S) is determined by the following formula:

[00002]${\text{P}}_{\text{1S}}={\text{V}}_{\text{1S}}\times \text{G}$

[0169] Thus the second asymmetric cryptography pair includes: [0170] V.sub.1S : The second node master private key that is kept secret by the second node. [0171] P.sub.1S: The second node master public key that is made publicly known.

[0172] The second node 7 may store the second asymmetric cryptography pair in the second data store 17. The method 200 further includes sending 250 the second node master public key (P.sub.1S) to the first node 3. In turn, the first node 3 may receive 140 and stores 150 the second node master public key (P.sub.1S).

[0173] It is to be appreciated that in some alternatives, the respective public master keys may be received and stored at a third data store 19 associated with the third node 9 (such as a trusted third party). This may include a third party that acts as a public directory, such as a certification authority. Thus in some examples, the first node master public key (P.sub.1C) may requested and received by the second node 7 only when determining the common secret (CS) is required (and vice versa).

[0174] The registration steps may only need to occur once as an initial setup.

Session Initiation and Determining the Common Secret by the First Node 3

[0175] An example of determining a common secret (CS) will now be described. The common secret (CS) may be used for a particular session, time, transaction, or other purpose between the first node 3 and the second node 7 and it may not be desirable, or secure, to use the same common secret (CS). Thus the common secret (CS) may be changed between different sessions, time, transactions, etc.

[0176] The following is provided for illustration of the secure transmission technique which has been described above.

Generating a Message (M) 310

[0177] In this example, the method 300 performed by the first node 3 includes generating 310 a message (M). The message (M) may be random, pseudo random, or user defined. In one example, the message (M) is based on Unix time and a nonce (and arbitrary value). For example, the message (M) may be provided as:

[00003]$\text{Message}\left(\text{M}\right)=\text{UnixTime + nonce}$

[0178] In some examples, the message (M) is arbitrary. However it is to be appreciated that the message (M) may have selective values (such as Unix Time, etc.) that may be useful in some applications.

[0179] The method 300 includes sending 315 the message (M), over the communications network 3, to the second node 7. The message (M) may be sent over an unsecure network as the message (M) does not include information on the private keys.

Determining a Generator Value (GV) 320

[0180] The method 300 further includes the step of determining 320 a Generator Value (GV) based on the message (M). In this example, this includes determining a cryptographic hash of the message. An example of a cryptographic hash algorithm includes SHA-256 to create a 256-bit Generator Value (GV). That is:

[00004]$\text{GV = SHA-256}\left(\text{M}\right)$

[0181] It is to be appreciated that other hash algorithms may be used. This may include other has algorithms in the Secure Hash Algorithm (SHA) family. Some particular examples include instances in the SHA-3 subset, including SHA3-224, SHA3-256, SHA3-384, SHA3-512,

[0182] SHAKE128, SHAKE256. Other hash algorithms may include those in the RACE Integrity Primitives Evaluation Message Digest (RIPEMD) family. A particular example may include RIPEMD-160. Other hash functions may include families based on Zemor-Tillich hash function and knapsack-based hash functions.

Determining a First Node Second Private Key 330

[0183] The method 300 then includes the step 330 of determining 330 the first node second private key (V.sub.2C) based on the second node master private key (V.sub.1C) and the Generator Value (GV). This can be based on a scalar addition of the first node master private key (V.sub.1C) and the Generator Value (GV) according to the following formula:

[00005]${\text{V}}_{\text{2C}}={\text{V}}_{\text{1C}}+\text{GV}$

[0184] Thus the first node second private key (V.sub.2C) is not a random value but is instead deterministically derived from the first node master private key. The corresponding public key in the cryptographic pair, namely the first node second public key (P.sub.2C), has the following relationship:

[00006]${\text{P}}_{2\text{C}}={\text{V}}_{\text{2C}}\times \text{G}$

[0185] Substitution of V.sub.2C from Equation 5 into Equation 6 provides:

[00007]${\text{P}}_{2\text{C}}=\left({\text{V}}_{\text{1C}}+\text{GV}\right)\times \text{G}$

where the ‘+’ operator refers to elliptic curve point addition. Noting that elliptic curve cryptography algebra is distributive, Equation 7 may be expressed as:

[00008]${\text{P}}_{2\text{C}}={\text{V}}_{\text{1C}}\times \text{G}+\text{GV}\times \text{G}$

[0186] Finally, Equation 1 may be substituted into Equation 7 to provide:

[00009]${\text{P}}_{2\text{C}}={\text{P}}_{\text{1C}}+\text{GV}\times \text{G}$

[00010]${\text{P}}_{2\text{C}}={\text{P}}_{\text{1C}}+\text{SHA-256}\left(\text{M}\right)\times \text{G}$

[0187] Thus the corresponding first node second public key (P.sub.2C) can be derivable given knowledge of the first node master public key (P.sub.1C) and the message (M). The second node 7 may have such knowledge to independently determine the first node second public key (P.sub.2C) as will be discussed in further detail below with respect to the method 400.

Generate a First Signed Message (SM1) Based on the Message and the First Node Second Private Key 350

[0188] The method 300 further includes generating 350 a first signed message (SM1) based on the message (M) and the determined first node second private key (V.sub.2C). Generating a signed message includes applying a digital signature algorithm to digitally sign the message (M). In one example, this includes applying the first node second private key (V.sub.2C) to the message in an Elliptic Curve Digital Signature Algorithm (ECDSA) to obtain the first signed message (SM1). Examples of ECDSA include those based on ECC systems with secp256k1, secp256r1, secp384r1, se3cp521r1.

[0189] The first signed message (SM1) can be verified with the corresponding first node second public key (P.sub.2C) at the second node 7. This verification of the first signed message (SM1) may be used by the second node 7 to authenticate the first node 3, which will be discussed in the method 400 below.

Determine a Second Node Second Public Key 370′

[0190] The first node 3 may then determine 370 a second node second public key (P.sub.2S). As discussed above, the second node second public key (P.sub.2S) may be based at least on the second node master public key (P.sub.1S) and the Generator Value (GV). In this example, since the public key is determined 370′ as the private key with elliptic curve point multiplication with the base point (G), the second node second public key (P.sub.2S) can be expressed, in a fashion similar to Equation 6, as:

[00011]${\text{P}}_{2\text{S}}={\text{V}}_{\text{2S}}\times \text{G}$

[00012]${\text{P}}_{2\text{S}}={\text{P}}_{\text{1S}}+\text{GV}\times \text{G}$

[0191] The mathematical proof for Equation 10.2 is the same as described above for deriving Equation 9.1 for the first node second public key (P.sub.2C). It is to be appreciated that the first node 3 can determine 370 the second node second public key independently of the second node 7.

Determine the Common Secret 380 at the First Node 3

[0192] The first node 3 may then determine 380 the common secret (CS) based on the determined first node second private key (V.sub.2C) and the determined second node second public key (P.sub.2S). The common secret (CS) may be determined by the first node 3 by the following formula:

[00013]${\text{S = V}}_{\text{2C}}\times {\text{P}}_{\text{2S}}$

Method 400 Performed at the Second Node 7

[0193] The corresponding method 400 performed at the second node 7 will now be described. It is to be appreciated that some of these steps are similar to those discussed above that were performed by the first node 3.

[0194] The method 400 includes receiving 410 the message (M), over the communications network 5, from the first node 3. This may include the message (M) sent by the first node 3 at step 315. The second node 7 then determines 420 a Generator Value (GV) based on the message (M). The step of determining 420 the Generator Value (GV) by the second node 7 is similar to the step 320 performed by the first node described above. In this example, the second node 7 performs this determining step 420 independent of the first node 3.

[0195] The next step includes determining 430 a first node second public key (P.sub.2C) based on the first node master public key (P.sub.1C) and the Generator Value (GV). In this example, since the public key is determined 430′ as the private key with elliptic curve point multiplication with the base point (G), the first node second public key (P.sub.2C) can be expressed, in a fashion similar to Equation 9, as:

[00014]${\text{P}}_{2\text{C}}={\text{V}}_{\text{2C}}\times \text{G}$

[00015]${\text{P}}_{2\text{C}}={\text{P}}_{\text{1C}}+\text{GV}\times \text{G}$

[0196] The mathematical proof for Equations 12.1 and 12.2 is the same as those discussed above for Equations 10.1 and 10.2.

The Second Node 7 Authenticating the First Node 3

[0197] The method 400 may include steps performed by the second node 7 to authenticate that the alleged first node 3, is the first node 3. As discussed previously, this includes receiving 440 the first signed message (SM1) from the first node 3. The second node 7 may then validate 450 the signature on the first signed message (SM1) with the first node second public key (P.sub.2C) that was determined at step 430.

[0198] Verifying the digital signature may be done in accordance with an Elliptic Curve Digital Signature Algorithm (ECDSA) as discussed above. Importantly, the first signed message (SM1) that was signed with the first node second private key (V.sub.2C) should only be correctly verified with the corresponding first node second public key (P.sub.2C), since V.sub.2C and P.sub.2C form a cryptographic pair. Since these keys are deterministic on the first node master private key (V.sub.1C) and the first node master public key (P.sub.1C) that were generated at registration of the first node 3, verifying first signed message (SM1) can be used as a basis of authenticating that an alleged first node sending the first signed message (SM1) is the same first node 3 during registration. Thus the second node 7 may further perform the step of authenticating (460) the first node 3 based on the result of validating (450) the first signed message.

The Second Node 7 Determining the Common Secret

[0199] The method 400 may further include the second node 7 determining 470 a second node second private key (V.sub.2S) based on the second node master private key (V.sub.1S) and the Generator Value (GV). Similar to step 330 performed by the first node 3, the second node second private key (V.sub.2S) can be based on a scalar addition of the second node master private key (V.sub.1S) and the Generator Value (GV) according to the following formulas:

[00016]${\text{V}}_{\text{2S}}={\text{V}}_{\text{1S}}+\text{GV}$

[00017]${\text{V}}_{2\text{S}}={\text{V}}_{\text{1S}}+\text{SHA-256}\left(\text{M}\right)$

[0200] The second node 7 may then, independent of the first node 3, determine 480 the common secret (CS) based on the second node second private key (V.sub.2S) and the first node second public key (P.sub.2C) based on the following formula:

[00018]${\text{S = V}}_{\text{2S}}\times {\text{P}}_{\text{2C}}$

Proof of the Common Secret (CS) Determined by the First Node 3 and Second Node 7

[0201] The common secret (CS) determined by the first node 3 is the same as the common secret (CS) determined at the second node 7. Mathematical proof that Equation 11 and Equation 14 provide the same common secret (CS) will now be described.

[0202] Turning to the common secret (CS) determined by the first node 3, Equation 10.1 can be substituted into Equation 11 as follows:

[00019]${\text{S = V}}_{\text{2C}}\times {\text{P}}_{\text{2S}}$

[00020]${\text{S = V}}_{\text{2C}}\times \left({\text{V}}_{\text{2S}}\times \text{G}\right)$

[00021]$\text{S =}\left({\text{V}}_{\text{2C}}\times {\text{V}}_{\text{2S}}\right)\times \text{G}$

[0203] Turning to the common secret (CS) determined by the second node 7, Equation 12.1 can be substituted into Equation 14 as follows:

[00022]${\text{S = V}}_{\text{2S}}\times {\text{P}}_{\text{2C}}$

[00023]${\text{S =V}}_{\text{2S}}\times \left({\text{V}}_{\text{2C}}\times \text{G}\right)$

[00024]$\text{S =}\left({\text{V}}_{\text{2S}}\times {\text{V}}_{\text{2C}}\right)\times \text{G}$

[0204] Since ECC algebra is commutative, Equation 15 and Equation 16 are equivalent, since:

[00025]$\text{S =}\left({\text{V}}_{\text{2C}}\times {\text{V}}_{\text{2S}}\right)\times \text{G =}\left({\text{V}}_{\text{2S}}\times {\text{V}}_{\text{2C}}\right)\times \text{G}$

The Common Secret (CS) and Secret Key

[0205] The common secret (CS) may now be used as a secret key, or as the basis of a secret key in a symmetric-key algorithm for secure communication between the first node 3 and second node 7.

[0206] The common secret (CS) may be in the form of an elliptic curve point (xs, ys). This may be converted into a standard key format using standard publicly known operations agreed by the nodes 3, 7. For example, the xs value may be a 256-bit integer that could be used as a key for AES.sub.256 encryption. It could also be converted into a 160-bit integer using RIPEMD160 for any applications requiring this length key.

[0207] The common secret (CS) may be determined as required. Importantly, the first node 3 does not need to store the common secret (CS) as this can be re-determined based on the message (M). In some examples, the message(s) (M) used may be stored in data store 13, 17, 19 (or other data store) without the same level of security as required for the master private keys. In some examples, the message (M) may be publicly available.

[0208] However depending on some application, the common secret (CS) could be stored in the first data store (X) associated with the first node provided the common secret (CS) is kept as secure as the first node master private key (V.sub.1C).

[0209] Advantageously, this technique can be used to determine multiple common secrets that may correspond to multiple secure secret keys based on a single master key cryptography pair.

[0210] It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be capable of designing many alternative embodiments without departing from the scope of the invention as defined by the appended claims. In the claims, any reference signs placed in parentheses shall not be construed as limiting the claims. The word “comprising” and “comprises”, and the like, does not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole. In the present specification, “comprises” means “includes or consists of” and “comprising” means “including or consisting of”. The singular reference of an element does not exclude the plural reference of such elements and vice-versa. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.