CN111414634B - Information processing method and device - Google Patents


Publication number
CN111414634B
Authority
CN
China
Prior art keywords
node
security information
information
target data
ciphertext
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010189778.7A
Other languages
Chinese (zh)
Other versions
CN111414634A (en)
Inventor
王云浩
过晓冰
马逸龙
郭青霄
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The embodiment of the application discloses an information processing method, which comprises the following steps: determining a first node based on a preset rule; the preset rule is obtained by combining a target attribute set and preset logic; encrypting the target data based on the first security information to obtain a ciphertext; wherein, the first security information has a corresponding relation with the attribute set of the first node; sending the ciphertext to the first node; each attribute in the attribute set of the first node and the target attribute set is stored in a first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain. The embodiment of the application also provides an information processing device.

Description

Information processing method and device
Technical Field
The present application relates to the field of blockchain technologies, and in particular, to an information processing method and apparatus.
Background
When a blockchain performs information interaction, all data needs to be sent to all endorsement nodes, so there is a high risk that private data is obtained by unauthorized parties on the endorsement node side, which creates a potential safety hazard and reduces the security of the blockchain.
Disclosure of Invention
The embodiment of the application provides an information processing method and device.
In a first aspect, a method of information processing, the method comprising:
determining a first node based on a preset rule; the preset rule is obtained by combining a target attribute set and preset logic;
encrypting the target data based on the first security information to obtain a ciphertext; wherein, the first security information has a corresponding relation with the attribute set of the first node;
sending the ciphertext to the first node;
each attribute in the attribute set of the first node and the target attribute set is stored in a first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
Optionally, the preset logic includes at least one of the following logic: and, or, not, nand, nor, exclusive or, nor; or,
the preset logic is composed of at least one sub-logic.
Optionally, the preset rule is obtained by combining a target attribute set and preset logic, and includes:
and combining at least one attribute in the target attribute set through preset logic to form the preset rule.
Optionally, before the determining the first node based on the preset rule, the method further includes:
determining the access requirement corresponding to the target data;
and determining the target attribute set and the preset logic based on the access requirement corresponding to the target data.
Optionally, the method further comprises:
acquiring the first security information;
the acquiring the first security information includes:
acquiring the first security information from a local database or a public database; or,
sending an information interaction application to the first node; the information interaction application is used for requesting first security information of the first node;
receiving an application response sent by a first node; wherein the application response includes the first security information.
Optionally, after the ciphertext is sent to the first node, the method further includes:
receiving a receipt sent by the first node; the receipt comprises an endorsement result, wherein the endorsement result is obtained by performing simulation execution on the target data and endorsing after the first node decrypts the ciphertext to obtain the target data;
and packaging the endorsement result in the receipt to obtain a packaged result, and sending the packaged result to an ordering node, so that the ordering node orders the endorsement result in the packaged result, generates a corresponding block, and links the generated block to a second blockchain, wherein the second blockchain is used for storing a transaction result between the second node and the first node.
In another aspect, a method of information processing, the method comprising:
receiving ciphertext transmitted by the second node; the ciphertext is generated by encrypting target data by the second node by using the first security information, and the first security information has a corresponding relation with an attribute set of the first node;
decrypting the ciphertext by using second security information to obtain the target data; wherein the first security information and the second security information have a correspondence;
each attribute in the attribute set is stored in a first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
Optionally, after decrypting the ciphertext using the second security information to obtain the target data, the method further includes:
processing the target data to obtain a processing result;
endorsing and signing the processing result to obtain an endorsing result;
sending a receipt including the endorsement result to the second node; the endorsement result is used for generating a block after being sent to the ordering node through the second node for ordering, and linking the generated block to a second block chain, wherein the second block chain is used for recording the transaction result between the second node and the first node.
Optionally, before receiving the ciphertext sent by the second node, the method further includes:
receiving an information interaction application sent by a second node;
responding to the information interaction application, and sending an application response to the second node; the application response comprises first security information, and the first security information has a corresponding relation with the attribute set of the first node itself;
the sending an application response to the second node in response to the information interaction application includes:
responding to the information interaction application, and acquiring the first security information;
generating an application response comprising the first security information, and sending the application response to the second node.
Optionally, the acquiring the first security information includes:
and receiving the first security information sent by the authentication node with the attribute authority function.
In yet another aspect, a first information processing apparatus includes: a determining unit, an encrypting unit and a first transmitting unit; wherein:
the determining unit is used for determining the first node based on a preset rule; the preset rule is obtained by combining a target attribute set and preset logic;
The encryption unit is used for encrypting the target data based on the first security information to obtain a ciphertext; wherein, the first security information has a corresponding relation with the attribute set of the first node;
the first sending unit is configured to send the ciphertext to the first node;
each attribute in the attribute set of the first node and the target attribute set is stored in a first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
The embodiment of the application provides an information processing method and device. A second node determines a first node based on a preset rule, encrypts target data based on first security information to obtain ciphertext, and sends the ciphertext to the first node; the first node receives the ciphertext sent by the second node and decrypts it using second security information to obtain the target data. Because the second node sends the target data only as ciphertext to the first node determined according to the preset rule, the target data can be obtained only if the first node successfully decrypts the ciphertext. This solves the problem that, in current blockchains such as permissioned chains, the entire content of a transaction is visible to all endorsement nodes and information leakage therefore easily occurs on the endorsement node side; it reduces the risk that private data is obtained on the endorsement node side and improves the security of the blockchain.
Drawings
Fig. 1 is a schematic diagram of a network architecture of an information processing method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a composition structure of an information processing apparatus provided in an embodiment of the present application;
Fig. 3 is a schematic flow chart of an information processing method according to an embodiment of the present application;
Fig. 4 is a flowchart of another information processing method according to an embodiment of the present application;
Fig. 5 is a flowchart of another information processing method according to an embodiment of the present application;
Fig. 6 is a flowchart of another information processing method according to an embodiment of the present application;
Fig. 7 is a flowchart of an information processing method according to another embodiment of the present application;
Fig. 8 is a flowchart of another information processing method according to another embodiment of the present application;
Fig. 9 is a flowchart of another information processing method according to another embodiment of the present application;
Fig. 10 is a flowchart of another information processing method according to another embodiment of the present application;
Fig. 11 is a schematic view of an application scenario of an information processing method according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of a first information processing apparatus according to an embodiment of the present application;
Fig. 13 is a schematic structural diagram of a second information processing apparatus according to an embodiment of the present application;
Fig. 14 is a schematic structural diagram of an information processing system according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application.
Before describing embodiments of the present application in further detail, the terms and terminology involved in the embodiments of the present application will be described, and the terms and terminology involved in the embodiments of the present application will be used in the following explanation.
1) Blockchain (Blockchain) is a distributed ledger that combines blocks of data in a sequential manner into a chain data structure, and that is cryptographically secured against tampering and counterfeiting.
2) Nodes are the communication entities of a blockchain. A node is a logical concept, and multiple nodes of different types can run on the same physical server. There are four main types of node: (1) client nodes, (2) common (peer) nodes, (3) ordering service nodes, and (4) certificate authority (Certificate Authority, CA) nodes.
(1) Client node: the client must connect to a peer node or ordering service node to communicate with the blockchain network. The client submits a transaction proposal to an endorsement node (endorser); after collecting enough endorsement results, the client broadcasts the transaction proposal to an ordering service node for ordering, and a block is generated.
(2) Common node: common (peer) nodes can be further divided, according to the roles they assume, into accounting nodes (committers), endorsement nodes (endorsers) and master nodes (leaders). All peer nodes are accounting nodes. Accounting nodes are responsible for verifying the transactions in blocks from the ordering service node and for maintaining the state and a copy of the ledger; they periodically obtain blocks containing transactions from the ordering service node and, after verifying the blocks, add them to the blockchain. There can be multiple accounting nodes. Endorsement node: some peer nodes execute transactions and sign and endorse the transaction results. Endorsement node is a dynamic role: the nodes are designated by the endorsement policy set when a specific chaincode is instantiated, and a node acts as an endorsement node only when an application initiates a transaction endorsement request to it; at all other times it is an ordinary accounting node responsible only for verifying transactions and accounting. There can be multiple endorsement nodes.
(3) Ordering service node (orderer): receives transaction results containing endorsement signatures, orders the unpackaged transaction results to generate blocks, and broadcasts the blocks to peer nodes. The ordering service nodes provide atomic broadcast to ensure that nodes on the same chain receive the same information in the same logical order.
(4) CA node: the certificate authority of Fabric 1.0 consists of a server and a client. The CA node receives the registration application of the client and returns a registration password for user login so as to acquire an identity certificate. All operations on the blockchain require verification of the user identity.
3) Endorsement policy: defines the conditions for judging whether a transaction is legal.
4) An attribute authority (Attribute Authority, AU), which is an organization used to generate and issue attribute certificates (Attribute Certificate, AC), is responsible for managing the entire lifecycle of the attribute certificates.
For a better understanding of the embodiments of the present application, first, an information processing method and existing drawbacks in the related art will be described.
Blockchain technology, whose goal is distributed, reliable storage of data, can generally be divided into public chains and permissioned chains, where permissioned chains can in turn be divided into federated chains and private chains depending on whether the data maintainer is a single entity. Data on public chains is shared publicly. Inside a permissioned chain, data is shared, but depending on business needs it is often open to some parties and kept secret from others.
However, in current blockchains (such as permissioned chains), endorsement nodes are preset to implement the endorsement mechanism. After a client node submits a new transaction request, the endorsement node simulates execution of the chaincode on the new transaction; after determining that the transaction is legal and compliant, it signs the endorsement result and returns it to the client node. The client node finally gathers the results and generates the final submission, which is submitted to all nodes through the ordering service to confirm (commit) the transaction to the chain. Endorsement nodes are mainly preset for the whole network. As a result, while simulating the chaincode for the new transaction, the preset endorsement node can see the entire content of the transaction, so the endorsement node becomes a main channel for information leakage; the risk that private data is obtained by unauthorized parties on the endorsement node side is high, which creates a potential safety hazard and reduces the security of the permissioned chain.
Moreover, the endorsement policy in this mode can only be expressed as a simple Boolean expression and cannot express complex logic; it can be defined only during initialization and cannot be flexibly configured at run time.
To solve these technical problems, the embodiment of the application provides an information processing method in which a second node determines a first node based on a preset rule, encrypts target data based on first security information to obtain ciphertext, and sends the ciphertext to the first node; the first node receives the ciphertext sent by the second node and decrypts it using second security information to obtain the target data. Because the first node is determined by the second node based on the preset rule, the second node can determine the corresponding first node according to different preset rules, and only a first node holding the second security information can decrypt the corresponding ciphertext to obtain the target data. This solves the problem that, in current blockchains such as permissioned chains, endorsement nodes must be preset and the entire content of an information interaction is visible to all preset endorsement nodes, so that information leakage easily occurs on the endorsement node side; it reduces the risk that private data is obtained on the endorsement node side and improves the security of the blockchain. The first security information used for encryption is stored in the first blockchain, and the first blockchain is trusted by each organization or node participating in it, so encryption and decryption using the first security information and the second security information can be trusted; the first node can therefore endorse the decrypted data by itself, without endorsement confirmation from other nodes.
An exemplary application of the apparatus implementing the embodiment of the present application is described below, and the apparatus provided in the embodiment of the present application may be implemented as a terminal device. In the following, an exemplary application covering a terminal device when the apparatus is implemented as a terminal device will be described.
The network architecture of the information processing method provided in this embodiment may include at least one organization terminal, each organization terminal having at least one subordinate user terminal, and all organization terminals and all user terminals subordinate to each organization terminal may perform information interaction over a network. The organization terminal can be used for functions such as generating, managing, storing, distributing and withdrawing attributes, authorities and certificates, and the user terminal can be used for functions such as information processing. All attributes that each organization terminal can issue are stored in the attribute blockchain, i.e., the first blockchain. The organization terminal can generate the security information corresponding to each user terminal according to all or part of the attributes of that user terminal, and information interaction between different user terminals can be performed based on the security information, which improves the security of the information.
Referring to fig. 1, fig. 1 is a schematic diagram of a network architecture of an information processing method according to an embodiment of the present application, as shown in fig. 1, where the network architecture includes at least a first node 100, a second node 200, a third node 300, and a network 400. To enable support for one exemplary application, the first node 100, the second node 200, and the third node 300 are connected by a network 400, the network 400 may be a wide area network or a local area network, or a combination of both, using wireless links to enable data transmission.
The third node 300 may be an organization terminal, the first node 100 may be a user terminal belonging to the third node 300, the second node 200 may be a user terminal different from the first node 100, a user terminal belonging to the third node 300, or a user terminal belonging to another organization terminal except the third node 300.
When the second node 200 needs to perform information interaction, the second node 200 first determines the first node 100 based on a preset rule and obtains first security information corresponding to the first node 100. It then encrypts the target data based on the first security information to obtain a ciphertext and transmits the ciphertext to the first node 100. Finally, after receiving the ciphertext transmitted by the second node 200, the first node 100 decrypts it using the second security information to obtain the target data.
The preset rule is determined according to a target attribute set and preset logic, and further, the target attribute set and the preset logic are determined according to access requirements of target data in the second node. That is, the target attribute set and the preset logic have a correspondence relationship with the access requirement of the target data.
The first security information that the second node 200 uses to encrypt the target data may be obtained by the second node 200 from a local database or a public database (e.g., a first blockchain storing first security information), or may be requested by the second node 200 from the first node 100. Specifically: the second node 200 determines the first node 100 based on the preset rule and then sends an information interaction application to the first node 100; after receiving the information interaction application, the first node 100 obtains the first security information, generates an application response, and sends the application response including the first security information to the second node 200.
After receiving the information interaction application, the first node 100 may obtain the first security information as follows: if the first node 100 does not store the first security information, the first node 100 sends information to the third node 300 to obtain from it the first security information that corresponds to the attribute set of the first node 100. This first security information in the third node 300 may be computed by the third node 300 from the attribute set of the first node 100 using an attribute-based encryption algorithm, or may be obtained by the third node 300 from a node having a higher attribute authority than the third node 300. Correspondingly, a node having a higher attribute authority than the third node 300 may generate the first security information based on the attribute set of the first node 100 and the attribute-based encryption algorithm. The third node 300, or the node having a higher attribute authority than the third node 300, may obtain the attribute set of the first node 100 from its local database or from a public database (such as a blockchain storing security information).
In fig. 1, the first node 100 does not store the first security information and needs to request it from the third node 300, and the second node 200 does not store the first security information and needs to request it from the first node 100. The specific implementation process is as follows: the second node 200 does not store the first security information corresponding to the first node 100, so the second node 200 sends an information interaction application to the first node 100; after receiving the information interaction application, the first node 100 confirms that the first security information is not stored and sends a request instruction to the third node 300; in response to the request instruction, the third node 300 acquires the first security information and the second security information corresponding to the first node 100, generates a request response including the first security information and the second security information, and transmits the request response to the first node 100; the first node 100 then responds to the information interaction application sent by the second node 200 by sending the first security information to the second node 200, so that the second node 200 encrypts the target data with the first security information to obtain ciphertext and sends the ciphertext to the first node 100; after receiving the ciphertext, the first node 100 decrypts it with the second security information to obtain the target data.
It should be noted that the preset rule in the second node 200 is obtained by combining the target attribute set and the preset logic, the first security information has a corresponding relationship with the attribute set of the first node 100, each attribute in the target attribute set and in the attribute set of the first node 100 is stored in the first blockchain, and the information in the first blockchain is endorsed by at least one organization or node participating in the first blockchain. The attribute set of the first node is therefore endorsed by the organizations or nodes participating in the first blockchain, so the attribute set corresponding to the first node can be trusted, the corresponding encryption and decryption using the first security information and the second security information can be trusted, and the first node can endorse the decrypted data by itself without endorsement confirmation from other nodes.
In addition, the second node 200 can dynamically determine the target attribute set and the preset rule according to the differences between target data and changes in the corresponding access requirements, so the first node 100 that is able to obtain the target data is determined dynamically. The target data sent by the second node 200 reaches the first node 100 in the form of ciphertext, and the target data can be obtained only if the first node 100 can decrypt the received ciphertext, which ensures the security of the target data that is sent.
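The node-selection step described above, as an added example that is not part of the patent text: a preset rule is built as a nested expression over attributes using preset logic the document lists, then evaluated against node attribute sets read from the attribute chain. The rule encoding, the ledger layout and every attribute and node name are assumptions constructed for illustration; the encryption step itself is not shown.

```python
"""Added illustration: choosing the "first node(s)" from a preset rule."""

# Preset logic from the document's list, applied to a list of operand results.
N_ARY = {
    "and": lambda v: all(v),
    "or": lambda v: any(v),
    "nand": lambda v: not all(v),
    "nor": lambda v: not any(v),
    "xor": lambda v: sum(v) % 2 == 1,  # exclusive or, generalised to odd parity
}

# Constructed sample of what the attribute chain (first blockchain) records:
# the attributes organizations have issued, and each node's attribute set.
ATTRIBUTE_CHAIN = {
    "issued_attributes": {
        "org:bank-a", "org:bank-b", "role:auditor",
        "role:settlement", "region:cn", "status:suspended",
    },
    "node_attributes": {
        "peer1": {"org:bank-a", "role:auditor", "region:cn"},
        "peer2": {"org:bank-b", "role:settlement", "region:cn"},
        "peer3": {"org:bank-a", "role:auditor", "status:suspended"},
        # "role:superuser" was never issued on the chain, so it is ignored.
        "peer4": {"org:bank-b", "role:auditor", "role:superuser"},
    },
}


def rule_attributes(rule):
    """Return the target attribute set: every attribute the rule mentions."""
    if isinstance(rule, str):
        return {rule}
    if not isinstance(rule, tuple) or len(rule) < 2:
        raise ValueError(f"malformed rule: {rule!r}")
    attrs = set()
    for operand in rule[1:]:
        attrs |= rule_attributes(operand)
    return attrs


def evaluate(rule, attrs):
    """Evaluate a rule (attribute string or (operator, operand, ...)) on a set."""
    if isinstance(rule, str):
        return rule in attrs
    if not isinstance(rule, tuple) or len(rule) < 2:
        raise ValueError(f"malformed rule: {rule!r}")
    op, values = rule[0], [evaluate(o, attrs) for o in rule[1:]]
    if op == "not":
        if len(values) != 1:
            raise ValueError("'not' takes exactly one operand")
        return not values[0]
    if op not in N_ARY:
        raise ValueError(f"unknown preset logic: {op!r}")
    return N_ARY[op](values)


def select_first_nodes(rule, chain):
    """Return the node ids whose on-chain attribute set satisfies the rule.

    Fails closed: a rule naming an attribute that is not recorded on the
    attribute chain is rejected rather than silently evaluated as false.
    """
    issued = chain["issued_attributes"]
    unknown = rule_attributes(rule) - issued
    if unknown:
        raise ValueError(f"attributes not on the attribute chain: {sorted(unknown)}")
    return sorted(
        node_id
        for node_id, attrs in chain["node_attributes"].items()
        if evaluate(rule, attrs & issued)  # count only issued attributes
    )


# Two different target data items with different access requirements yield
# different rules, and therefore different first nodes.
AUDIT_RULE = ("and", "role:auditor",
              ("or", "org:bank-a", "org:bank-b"),
              ("not", "status:suspended"))
EITHER_RULE = ("xor", "org:bank-a", "role:settlement")

if __name__ == "__main__":
    print(select_first_nodes(AUDIT_RULE, ATTRIBUTE_CHAIN))
    print(select_first_nodes(EITHER_RULE, ATTRIBUTE_CHAIN))
```

Only the nodes returned by `select_first_nodes` would be sent the ciphertext; every other endorsement-capable node never sees the target data.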
In summary, the method solves the problem that, in current blockchains such as permissioned chains, endorsement nodes must be preset and the entire content of an information interaction is visible to all endorsement nodes, so that information leakage easily occurs on the endorsement node side; it reduces the risk that private data is obtained on the endorsement node side and improves the security of the blockchain.
Meanwhile, in the implementation, in order to further improve the credibility of the information in the first blockchain, the first blockchain is endorsed by all nodes participating in the first blockchain. Based on the network architecture provided in the present embodiment, the first node 100, the second node 200 or the third node 300 may directly or indirectly participate in the first blockchain and endorse the information therein. Further, when the second node 200 does not belong to the third node 300, the organization terminal of the organization to which the second node 200 belongs also directly or indirectly participates in the first blockchain. Or in other embodiments, the first blockchain may be jointly participated in and maintained by organization terminals of multiple organizations, so that each participated organization and subordinate users can use information in the first blockchain to encrypt and decrypt interaction data.
The apparatus provided in the embodiments of the present application may be implemented in hardware or a combination of hardware and software, and various exemplary implementations of the apparatus provided in the embodiments of the present application are described below.
Other exemplary structures of the second node 200 may be envisioned in accordance with the exemplary structure of the second node 200 illustrated in fig. 2, and thus the structures described herein should not be considered limiting, e.g., some of the components described below may be omitted, or components not described below may be added to accommodate the special needs of certain applications.
The second node 200 shown in fig. 2 includes: at least one processor 210, a memory 240, at least one network interface 220, and a user interface 230. Each of the components in the second node 200 are coupled together by a bus system 250. It is understood that the bus system 250 is used to enable connected communications between these components. The bus system 250 includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration the various buses are labeled as bus system 250 in fig. 2.
The user interface 230 may include a display, keyboard, mouse, touch pad, touch screen, and the like.
The memory 240 may be volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM). The volatile memory may be a random access memory (RAM). The memory 240 described in embodiments of the present application is intended to comprise any suitable type of memory.
The memory 240 in an embodiment of the present application is capable of storing data to support the operation of the second node 200. Examples of such data include: any computer program, such as an operating system and application programs, for operation on the second node 200. The operating system includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, for implementing various basic services and processing hardware-based tasks. The application may comprise various applications.
As an example of implementation of the method provided by the embodiment of the present application by software, the method provided by the embodiment of the present application may be directly embodied as a combination of software modules executed by the processor 210, the software modules may be located in a storage medium, the storage medium is located in the memory 240, and the processor 210 reads executable instructions included in the software modules in the memory 240, and the method provided by the embodiment of the present application is completed by combining necessary hardware (including, for example, the processor 210 and other components connected to the bus 250).
By way of example, the processor 210 may be an integrated circuit chip having signal processing capabilities, such as a general purpose processor (for example a microprocessor or any conventional processor), a digital signal processor (DSP), or another programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like.
An embodiment of the present application provides an information processing method, referring to fig. 3, the method being applied to a second node, the method including the steps of:
Step 301, determining a first node based on a preset rule.
The preset rule is obtained by combining a target attribute set with preset logic.
In the embodiment of the application, the second node may be a node for providing data in the information interaction process. The preset rule is a rule set in the second node and used for screening the nodes that perform endorsement. It should be noted that, because existing schemes select the endorsing nodes from a number of preset endorsement nodes, the endorsement nodes can be selected only with simple Boolean logic, such as the two logics "and" and "or". In the present application, the first node selected by the preset rule is allowed to endorse by itself, and no fixed endorsement node exists.
In addition to the two logics "and" and "or", the preset rule may use more complex logical relationships such as NOT, NAND, NOR and exclusive OR (XOR) to select the self-endorsing nodes from all nodes in the current blockchain network. That is, a preset rule is formed by combining logical relationships such as AND, OR, NOT, NAND, NOR and XOR with the attributes in the target attribute set, and the self-endorsing nodes are selected from all nodes in the current blockchain network according to that rule.
The target attribute set is a set comprising at least one attribute, wherein the screened attribute of the first node has an association relationship with the target attribute set and accords with preset logic. The first node may be a node screened by a second node in the blockchain system based on a preset rule, and is used for reading data shared by the second node, and specifically is used for performing simulated transaction on the data shared by the second node to obtain a transaction result and performing signature endorsement on the transaction result.
The second node selects at least one node meeting preset rules from all nodes included in a blockchain system where the second node is currently located as a first node.
It should be noted that the roles of the first node and the second node may be interchanged according to the actual application scenario. For example, in some application scenarios, node A is the second node providing the target data, and the corresponding node B is the first node screened by node A and used for endorsement; in other application scenarios, node B is a second node that provides other target data, and node A may be a first node screened by node B and used for endorsement.
Step 302, encrypting the target data based on the first security information to obtain a ciphertext.
The first security information has a corresponding relation with the attribute set of the first node.
In the embodiment of the present application, the first security information may be an attribute set of the first node, or may be obtained by processing the attribute set of the first node. When the first security information is obtained by processing the attribute set of the first node, the first security information may be an attribute public key generated based on the attribute set of the first node, or may be a combination of the attribute set of the first node and the attribute public key generated based on the attribute set of the first node.
Correspondingly, if the first security information is the attribute set of the first node, the second node may encrypt the target data by using some or all of the attributes in the attribute set of the first node to obtain a ciphertext, or after the second node processes the attribute set of the first node to obtain an attribute public key, encrypt the target data by using the attribute public key obtained by the processing to obtain the ciphertext. And if the first security information is an attribute public key generated for the attribute set of the first node, the second node adopts the attribute public key to encrypt the target data to obtain a ciphertext. If the first security information is an attribute public key generated for the attribute set of the first node and the attribute set of the first node, the second node may encrypt the target data by using the attribute public key in the first security information to obtain a ciphertext, or the second node may encrypt the target data by using the first attribute set in the first security information to obtain a ciphertext, or the second node encrypts the target data by using the attribute public key in the first security information and the attribute set of the first node to obtain a ciphertext.
The target data is data information shared by the second node, and can be in a format of text, figures, pictures and the like, for example, can be cases of a hospital, or some application statistical information based on internet users and the like. The attributes in the attribute set of the first node may be some or all of the attributes corresponding to the first node.
Step 303, sending ciphertext to the first node.
Each attribute in the attribute set and the target attribute set of the first node is stored in the first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
In the embodiment of the present application, the manner in which the second node sends the ciphertext to the first node may be a wired communication manner, or may be a wireless communication manner, or may be implemented in a broadcast manner.
The first blockchain is used to store attributes of all nodes commonly shared within the whole network, wherein the first blockchain is endorsed by at least one or all of the nodes participating in the first blockchain in the whole network (typically authentication nodes for each organization participate in the first blockchain). That is, all the authentication nodes corresponding to the first blockchain can acquire all the attribute information in the corresponding organizations, upload all the acquired attribute information to the first blockchain, and perform endorsement authentication on the attribute information uploaded to the first blockchain by other authentication nodes, so that corresponding blocks are generated after the endorsement authentication passes, and the first blockchain storing the attribute information of all the organizations participating in the first blockchain is obtained.
In this way, all attribute information within the first blockchain can be trusted by all organizations and subordinate nodes participating in the first blockchain. The second node encrypts the target data to be transmitted to the first node in an encryption mode to obtain the ciphertext, and transmits the ciphertext to the first node. And after receiving the ciphertext, the first node can successfully decrypt the received ciphertext only when the first node has the second security information corresponding to the first security information, so that even if other nodes receive the ciphertext, the target data can not be obtained due to the fact that the ciphertext can not be decrypted, the security of the target data is ensured, and the risk that the target data is leaked at the node receiving the ciphertext is reduced.
The embodiment of the application provides an information processing method in which the second node determines a first node based on a preset rule, encrypts target data based on first security information to obtain a ciphertext, and sends the ciphertext to the first node. In this way, the second node sends the target data, in the form of ciphertext, to the first node determined according to the preset rule, so that the security of the sent target data is ensured. The first node can also endorse the decrypted target data by itself, without a preset endorsement node being needed to endorse. This solves the problem that information leakage easily occurs at the endorsement node side because all contents of transactions are visible at all endorsement nodes in existing blockchains such as a permissioned chain, reduces the risk of private data being acquired at the endorsement node side, and improves the security of the blockchain. Further, the attribute or the attribute set used for encryption is stored in the corresponding attribute blockchain, and because the security of the attribute blockchain is higher, the encryption process is more secure and more trustworthy.
Based on the foregoing embodiments, an embodiment of the present application provides an information processing method, referring to fig. 4, the method is applied to a second node, and the method includes the following steps:
Step 401, determining an access requirement corresponding to the target data.
In the embodiment of the application, when the second node is controlled by the first user, the access requirement corresponding to the target data is the sharing requirement for the target data of the second node that the first user sets by performing a corresponding operation on the second node. The sharing requirement may be, for example, a setting of which specific users, specific organizations, or specific users within a specific organization are intended to be able to obtain the target data. An organization refers to a system in which elements are linked to each other in a certain manner, and may be, for example, a certain company, an educational union composed of a plurality of schools, or a medical system. The access requirement corresponding to the target data may be set by the user each time target data is shared, or may be set when the target data is shared for the first time, stored in a storage unit corresponding to the second node, and acquired from that storage unit by the second node when the second node determines to share the target data. The storage unit corresponding to the second node may be a local storage unit of the second node or a cloud storage unit.
Illustratively, the second node is denoted as DO, and assuming that the DO is sharing the target data, the access requirement set by the user is: share the target data with the users belonging to the Y category and the users belonging to the Z category.
Step 402, determining a target attribute set and preset logic based on the access requirement corresponding to the target data.
In the embodiment of the application, the second node analyzes the access requirement and determines the target attribute set and the preset logic corresponding to the access requirement. However, in some application scenarios, the access requirement corresponding to the target data may directly include the attribute of the target attribute set, and the access requirement also includes the preset logic.
Illustratively, the DO analyzes the Y-class user and the Z-class user in the access requirement corresponding to the target data, and determines that the attribute set corresponding to the Y-class user is (P, R), and the attribute set corresponding to the Z-class user is (Q, R). Thus, it is confirmed that the target attribute set is (P, Q, R), and the corresponding preset logic (A and (B or C)) is obtained, wherein A, B and C represent variables.
Step 403, at least one attribute in the target attribute set is combined through preset logic to form a preset rule.
In the embodiment of the application, since the target attribute set and the determined preset logic have a corresponding relationship, at least one attribute in the target attribute set and the corresponding preset logic can be combined, so that a preset rule is obtained. In some application scenarios, when at least one attribute in the target attribute set is combined with preset logic to determine a preset rule, the relationship between the attribute and the preset logic may also be determined according to the access requirement. In some other application scenarios, the access requirement may also be directly used as a preset rule.
Illustratively, the target attribute set (P, Q, R) is combined according to the preset logic (A and (B or C)) to obtain the preset rule (P and (B or C)).
Step 404, determining a first node based on a preset rule.
The preset rule is obtained by combining a target attribute set with preset logic.
In the embodiment of the application, the second node screens all nodes which can communicate with the second node or are in the network according to the preset rule, and the screened nodes meeting the preset rule are taken as the first node. Illustratively, based on the preset rule (P and (B or C)), the second node determines, from all nodes corresponding to the second node, that a node having the P attribute and at least one of the B attribute and the C attribute is the first node.
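Steps 402 to 404 above, combining attributes through preset logic and screening nodes against the resulting rule, are shown here as an added Python example that is not code from the patent. The operator precedence, the node ids and attribute sets in the registry, and the binding of the variables A, B, C to the attributes P, Q, R are assumptions of the example; a variable that is unbound or bound outside the target attribute set is rejected.

```python
import re

# Binary operators by precedence, loosest first. The page names the operators
# but not their precedence, so this ordering is an assumption of the example.
LEVELS = [("or", "nor"), ("xor",), ("and", "nand")]
OPS = {
    "and": lambda a, b: a and b,
    "nand": lambda a, b: not (a and b),
    "or": lambda a, b: a or b,
    "nor": lambda a, b: not (a or b),
    "xor": lambda a, b: a != b,
}
KEYWORDS = set(OPS) | {"not"}


def tokenize(text):
    tokens = re.findall(r"\(|\)|[A-Za-z_]\w*|\S", text)
    for tok in tokens:
        if not re.fullmatch(r"\(|\)|[A-Za-z_]\w*", tok):
            raise ValueError(f"unexpected character {tok!r}")
    return [t.lower() if t.lower() in KEYWORDS else t for t in tokens]


def parse(text):
    """Return a nested-tuple AST: ("attr", name), ("not", x) or (op, left, right)."""
    tokens, pos = tokenize(text), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("rule ends unexpectedly")
        pos += 1
        return tokens[pos - 1]

    def binary(level):
        if level == len(LEVELS):
            return unary()
        node = binary(level + 1)
        while peek() in LEVELS[level]:
            node = (take(), node, binary(level + 1))
        return node

    def unary():
        tok = take()
        if tok == "not":
            return ("not", unary())
        if tok == "(":
            node = binary(0)
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok == ")" or tok in KEYWORDS:
            raise ValueError(f"unexpected token {tok!r}")
        return ("attr", tok)

    tree = binary(0)
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return tree


def evaluate(tree, attrs):
    """Evaluate a rule against one node's attribute set."""
    if tree[0] == "attr":
        return tree[1] in attrs
    if tree[0] == "not":
        return not evaluate(tree[1], attrs)
    return OPS[tree[0]](evaluate(tree[1], attrs), evaluate(tree[2], attrs))


def build_rule(preset_logic, binding, target_attributes):
    """Step 403: substitute target attributes for the logic's variables."""
    def bind(tree):
        if tree[0] != "attr":
            return (tree[0],) + tuple(bind(child) for child in tree[1:])
        attr = binding.get(tree[1])
        if attr not in target_attributes:  # fail closed: unbound or stray name
            raise ValueError(f"{tree[1]!r} is not bound to a target attribute")
        return ("attr", attr)
    return bind(parse(preset_logic))


def select_first_nodes(rule, registry):
    """Step 404: screen every known node; the matches are the first nodes."""
    return sorted(n for n, attrs in registry.items() if evaluate(rule, attrs))


# Constructed sample: node id -> attribute set, standing in for the attribute
# records the page keeps in the first blockchain.
REGISTRY = {"node-1": {"P", "Q"}, "node-2": {"P", "R"}, "node-3": {"Q", "R"},
            "node-4": {"P"}, "node-5": {"P", "Q", "R"}}
TARGET = ("P", "Q", "R")
# Assumption: the variables A, B, C are bound to P, Q, R in that order.
RULE = build_rule("A and (B or C)", {"A": "P", "B": "Q", "C": "R"}, TARGET)
if __name__ == "__main__":
    print(select_first_nodes(RULE, REGISTRY))
```

Swapping `or` for `xor` in the preset logic excludes node-5, which holds both Q and R; this is the kind of selection that "and"/"or" alone cannot express.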
Step 405, acquiring first security information.
In the embodiment of the application, the first security information is encryption information adopted when the second node encrypts the target data, and the first security information has a corresponding relation with the attribute set of the first node. The first security information may be an attribute public key generated based on the attribute set of the first node, may be an attribute public key generated based on the attribute set of the first node and the attribute set of the first node, or may also be an attribute set of the first node.
When the second node obtains the first security information, it first determines whether the second node stores the first security information. If the second node stores the first security information, the first security information may be obtained from a storage unit corresponding to the second node; if the second node does not store the first security information, the first security information may be obtained from the first node, and the specific implementation process is carried out in steps 405b to 405c:
Step 405a, obtaining first security information from a local database or a public database.
Step 405b, sending an information interaction application to the first node.
The information interaction application is used for requesting first security information of the first node.
In the embodiment of the application, since the second node does not store the first security information, the second node sends an information interaction application to the first node, so that the first node is expected to send the first security information to the second node. The mode of sending the information interaction application by the second node comprises wired communication, wireless communication or broadcast communication.
Step 405c, receiving an application response sent by the first node.
Wherein the application response includes the first security information.
In the embodiment of the application, the application response is generated by the first node after the first node receives the information interaction application sent by the second node and obtains the first security information, and is used for feeding back the first security information to the second node. When the first node acquires the first security information, if the first node stores the first security information, the first node acquires the stored first security information from the corresponding storage unit; if the first node does not store the first security information, the first node may acquire the first security information from the first blockchain, or the first node sends a request instruction for applying to acquire the first security information to the third node, so as to apply to acquire the first security information of the first node from the third node.
It should be noted that, in the application scenario where the first node stores the first security information, the stored first security information may have been sent to the first node by the third node and stored by the first node on receipt. The process by which the third node sends the first security information to the first node may be: when the first node accesses the organization network where the third node is located for the first time, the first node must be authenticated by the third node; after the third node authenticates the first node, the third node generates the corresponding first security information based on the attribute set of the first node and sends the first security information to the first node.
Step 406, encrypting the target data based on the first security information to obtain a ciphertext.
The first security information has a corresponding relation with the attribute set of the first node. The first security information includes at least one of: the public key of the attribute, the attribute set of the first node.
In the embodiment of the application, the second node adopts the first security information to encrypt the target data, so as to obtain the encrypted ciphertext.
Step 407, send ciphertext to the first node.
Each attribute in the attribute set and the target attribute set of the first node is stored in the first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
In other embodiments of the present application, referring to fig. 5, after the second node performs step 407, the following steps 408 to 409 may be further performed:
Step 408, receiving a receipt sent by the first node.
The receipt comprises an endorsement result, wherein the endorsement result is obtained by performing a simulation execution on target data after the first node decrypts the ciphertext to obtain the target data.
In the embodiment of the application, after the first node receives the ciphertext sent by the second node, the first node decrypts the ciphertext with the second security information stored by the first node. If the first node successfully decrypts the received ciphertext with the second security information and obtains the target data, it performs a simulated transaction on the target data to obtain a transaction result. The first node endorses and signs the transaction result to obtain an endorsement result, generates a receipt based on the endorsement result and sends the receipt to the second node.
Step 409, packaging the endorsement result in the receipt to obtain a packaged result, and sending the packaged result to an ordering node, so that the endorsement result in the packaged result is ordered by the ordering node, a corresponding block is generated, and the generated block is linked to a second blockchain.
Wherein the second blockchain is used for storing a transaction result between the second node and the first node.
In the embodiment of the application, the second node receives the receipts sent by a certain number of first nodes, obtaining a first number of receipts. The second node obtains the endorsement results sent by the first nodes from these receipts, packages the endorsement results to obtain a packaged result, and sends the packaged result to the ordering node. The ordering node orders the endorsement results in the received packaged result, creates blocks, and sends the created blocks in a broadcast mode to all nodes corresponding to the ordering node; after all the nodes verify the created blocks, the created blocks are linked to the tail of the second blockchain, so that the second blockchain records the transaction result between the first node and the second node.
It should be noted that, in this embodiment, the descriptions of the same steps and the same content as those in other embodiments may refer to the descriptions in other embodiments, and are not repeated here.
The embodiment of the application provides an information processing method in which the second node determines a first node based on a preset rule, encrypts target data based on first security information to obtain a ciphertext, and sends the ciphertext to the first node; the first node receives the ciphertext sent by the second node and decrypts the ciphertext by using the second security information to obtain the target data. Because the first node is determined by the second node based on the preset rule, the second node can determine the corresponding first node according to different preset rules, and only the first node with the second security information can decrypt the corresponding ciphertext to obtain the target data. This solves the problem that information leakage easily occurs at the endorsement node side because all content of an information interaction must be visible at all preset endorsement nodes in current blockchains such as a permissioned chain, reduces the risk of private data being acquired at the endorsement node side, and improves the security of the blockchain. The first security information used for encryption is stored in the first blockchain, and the first blockchain can be trusted by each organization or node participating in the first blockchain, so that the encryption and decryption actions using the first security information and the second security information can be trusted; further, the first node can endorse decrypted data by itself without endorsement confirmation by other nodes.
Based on the foregoing embodiments, an embodiment of the present application provides an information processing method, referring to fig. 6, the method being applied to a first node, the method including the steps of:
Step 501, receiving ciphertext sent by the second node.
The ciphertext is generated by encrypting the target data by the second node by using first security information, and the first security information has a corresponding relation with the attribute set of the first node.
In the embodiment of the application, the target data is sent between the first node and the second node in the form of ciphertext, so that the risk of using the target data by lawless persons after the target data is stolen in the transmission process between the first node and the second node is reduced, and the safety of the target data in the transmission process is ensured.
Step 502, decrypting the ciphertext by using the second security information to obtain the target data.
The first security information and the second security information have a corresponding relationship.
Each attribute in the attribute set is stored in the first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
In the embodiment of the present application, the first security information used for encryption and the second security information used for decryption may be symmetrical, for example, when the first security information used for encrypting the target data by the second node is the a attribute information of the first node, the second security information used for decrypting the corresponding first node is the same as the first security information, and may also be the a attribute information of the first node; the first security information used for encryption and the second security information used for decryption may also be asymmetric, for example, the first security information is an attribute public key obtained based on attribute information of the first node, and the corresponding second security information is an attribute private key corresponding to the attribute public key.
When the first security information and the second security information are asymmetric, they are generally generated at the same time. For example, the first node may receive them from the third node in either of two ways. In the first, when the first node accesses the network system to which the third node belongs for the first time and has been authenticated by the third node, the third node generates the first security information and the second security information based on the attribute set of the first node and sends them to the first node, and the first node stores them. In the second, after the first node is authenticated by the third node, the third node does not generate the first security information and the second security information at that point; instead, the first node applies to the third node when it needs them. Specifically, the first node sends a request instruction for requesting the first security information and the second security information to the third node, and the third node responds to the request instruction, generates the first security information and the second security information based on the attribute set of the first node, and then sends them to the first node.
Wherein the first security information includes at least one of: the public key of the attribute, the attribute set of the first node. The corresponding second security information includes at least one of: the attribute private key, the attribute set of the first node, and any attribute in the attribute set of the first node.
For example, if the first security information includes an attribute public key and an attribute set of the first node, the second security information includes an attribute private key; if the first security information includes an attribute public key, the second security information includes an attribute private key and an attribute set of the first node; if the first security information includes an attribute public key and any attribute in the attribute set of the first node, the second security information includes an attribute private key; if the first security information includes the attribute public key, the second security information includes the attribute private key and an attribute corresponding to the attribute public key in the attribute set of the first node; if the first security information includes an attribute set of the first node, the second security information also includes the attribute set; if the first security information includes at least one attribute in the attribute set of the first node, the second security information also includes the at least one attribute, and so on.
It should be noted that, in this embodiment, the descriptions of the same steps and the same content as those in other embodiments may refer to the descriptions in other embodiments, and are not repeated here.
The embodiment of the application provides an information processing method in which a first node receives a ciphertext sent by a second node and decrypts the ciphertext by using second security information to obtain target data. Therefore, only the first node with the second security information can decrypt the ciphertext based on the second security information to obtain the target data, and the security of the target data sent by the second node is guaranteed. This solves the problem that information leakage easily occurs at the endorsement node side because all transaction contents are visible at all endorsement nodes in current blockchains such as a permissioned chain, reduces the risk of private data being acquired at the endorsement node side, and improves the security of the blockchain.
Based on the foregoing embodiments, an embodiment of the present application provides an information processing method, referring to fig. 7, the method being applied to a first node, the method including the steps of:
Step 601, receiving ciphertext sent by the second node.
The ciphertext is generated by encrypting the target data by the second node by using first security information, and the first security information has a corresponding relation with the attribute set of the first node.
In the embodiment of the application, the first node receives the ciphertext carrying the target data, which is sent by the second node.
Step 602, decrypting the ciphertext by using the second security information to obtain the target data.
The first security information and the second security information have a corresponding relationship.
Each attribute in the attribute set is stored in the first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
In the embodiment of the application, the first node adopts the second security information stored in the first node to decrypt the received ciphertext, if the decryption is successful, the first node can obtain the target data, and if the decryption is failed, the first node cannot obtain the target data. Therefore, only if the first node has the second security information which corresponds to the first security information and is used for decryption, the received ciphertext can be successfully decrypted to obtain the target data, and the security of the target data in the first node is ensured.
Step 603, processing the target data to obtain a processing result.
In the embodiment of the application, a first node executes preset simulated transaction operation on target data obtained through decryption to obtain a processing result, wherein the processing result comprises a simulated transaction result.
Step 604, endorsing and signing the processing result to obtain an endorsement result.
In the embodiment of the application, the first node carries out endorsement signature on the processing result comprising the simulated transaction result to obtain an endorsement result, and generates a receipt comprising the endorsement result based on the endorsement result.
Step 605, sending a receipt including the endorsement result to the second node.
The endorsement result is sent through the second node to the ordering node for ordering and is then used to generate a block; the generated block is linked to a second blockchain, and the second blockchain is used for recording the transaction result between the second node and the first node.
In the embodiment of the application, the first node sends the generated receipt including the endorsement result to the second node, so that after the second node receives a certain number of endorsement results or all endorsement results sent by the first node, the second node packages the received endorsement results to obtain a packaged result and sends the packaged result to the sorting node, the sorting node sorts a certain number of endorsement results in the packaged result and generates a block, and after the generated block passes verification by the node corresponding to the sorting node, the generated block is linked to the second block chain.
In other embodiments of the present application, referring to Fig. 8, before the first node performs step 601, the following steps 606 to 607 are further performed:
Step 606, receiving an information interaction application sent by the second node.
In the embodiment of the application, the second node uses the information interaction application to request the first security information of the first node from the first node, so that the second node can encrypt the target data with the first security information sent by the first node.
Step 607, in response to the information interaction application, sending an application response to the second node.
The application response comprises the first security information, and the first security information has a corresponding relation with the attribute set of the first node itself.
In the embodiment of the application, the first node responds to the information interaction application, acquires the first security information, generates an application response based on the first security information, and sends the application response to the second node.
In other embodiments of the present application, step 607 performed by the first node may be implemented by the following steps:
Step 607a, in response to the information interaction application, acquiring the first security information.
In the embodiment of the present application, the first node obtains the first security information in at least the following ways. If the first security information is stored in the first node, the first node acquires its own first security information from its local storage unit or cloud storage unit. The first security information may come to be stored in the local storage unit or the cloud storage unit as follows: when the first node accesses the network system in which it is located for the first time and passes authentication by a third node of that network system, the third node generates the first security information based on the attribute set of the first node and sends it to the first node. If the first security information is not stored in the first node, the first node sends, to a third node in the network system in which it is located, a request instruction indicating that the first security information and the second security information are to be acquired; in response to the request instruction, the third node generates the first security information and the second security information, which correspond to each other, based on the attribute set of the first node, and sends them to the first node.
Step 607b, generating an application response comprising the first security information, and sending the application response to the second node.
In the embodiment of the application, a first node acquires first security information from a local storage unit or a cloud storage unit, generates an application response based on the first security information, and sends the application response to a second node; or after receiving the first security information and the second security information sent by the third node, the first node stores the second security information in a local storage unit or a cloud storage unit corresponding to the first node, generates an application response based on the first security information, and then sends the application response to the second node.
It should be noted that, in this embodiment, the descriptions of the same steps and the same content as those in other embodiments may refer to the descriptions in other embodiments, and are not repeated here.
The embodiment of the application provides an information processing method in which the second node determines a first node based on a preset rule, encrypts target data based on first security information to obtain ciphertext, and sends the ciphertext to the first node; the first node receives the ciphertext sent by the second node and decrypts it using the second security information to obtain the target data. Because the first node is determined by the second node based on the preset rule, the second node can determine the corresponding first node according to different preset rules, and only a first node that holds the second security information can decrypt the corresponding ciphertext to obtain the target data. This addresses the problem that, in current blockchains such as permissioned chains, all content of an information interaction is visible to every preset endorsement node, so that information leakage easily occurs at the endorsement node side; it reduces the risk of private data being acquired at the endorsement node side and improves the security of the blockchain. The first security information used for encryption is stored in the first blockchain, and the first blockchain can be trusted by each organization or node participating in it, so encryption and decryption using the first security information and the second security information can be trusted, and the first node can therefore endorse the decrypted data by itself without endorsement confirmation from other nodes.
Based on the foregoing embodiments, an embodiment of the present application provides an information processing method for the case in which the second node acquires the first security information from a local database or a public database. The information interaction process among the first node, the second node, and the ordering node is shown in Fig. 9, and the method includes the following steps:
Step 701, the second node determines an access requirement corresponding to the target data.
In the embodiment of the application, the access requirement corresponding to the target data can be used for indicating the requirement of the second node on the sharing object capable of acquiring the target data when the target data is shared, and the access requirement can be specifically set by a user controlling the second node.
Step 702, the second node determines a target attribute set and preset logic based on the access requirement corresponding to the target data.
Wherein the preset logic at least comprises one of the following logic: and, or, not, nand, nor, exclusive or, nor; or, the preset logic is composed of at least one sub-logic.
In the embodiment of the application, the second node obtains the target attribute set and the preset logic by analyzing the access requirement. The access requirement comprises the attributes of the target attribute set and also comprises the preset logic. The sub-logic also includes at least one of the following logic: and, or, not, nand, nor, exclusive or, nor. Correspondingly, the preset logic may be represented by a disjunctive normal form (DNF), a conjunctive normal form (CNF), a linear secret sharing scheme (LSSS), and the like.
Step 703, the second node combines at least one attribute in the target attribute set through the preset logic to form a preset rule.
In the embodiment of the application, the second node connects at least one attribute in the target attribute set using the preset logic, according to the logical relations among the attributes of the target attribute set in the access requirement, to obtain the preset rule. For example, the preset rule is: attribute A and attribute B and/or attribute C.
Step 704, the second node determines the first node based on a preset rule.
The preset rule is obtained by combining a target attribute set and preset logic.
In the embodiment of the application, the second node selects, from all the nodes in the blockchain system to which it belongs, the nodes that conform to the determined preset rule. For example, the second node selects, from all the nodes in the blockchain system to which it belongs, a node having both attributes A and B, both attributes A and C, or all of attributes A, B and C as the first node.
Step 705, the second node obtains the first security information.
Wherein the first security information includes at least one of: the public key of the attribute, the attribute set of the first node.
In an embodiment of the present application, step 705 may be implemented by the following steps: the first security information is obtained from a local database or a public database.
In the embodiment of the present application, the second node may obtain the first security information from a local database or a public database that stores the first security information corresponding to the first node. That first security information may have been stored in the local database or the public database by the first node, or it may have been stored there after being generated, based on the attribute set of the first node, by the authentication node of the organization to which the first node belongs. The public database may be disposed in a local storage unit accessible to the second node, the first node, and/or the third node, or in a public storage unit accessible to the second node, the first node, and/or the third node, such as a cloud storage unit.
Step 706, the second node encrypts the target data based on the first security information to obtain a ciphertext.
The first security information has a corresponding relation with the attribute set of the first node.
In the embodiment of the application, the second node encrypts the target data based on the first security information using a symmetric encryption algorithm or an asymmetric encryption algorithm. The encryption process may be implemented, for example, using an attribute-based encryption (ABE) algorithm.
Step 707, the second node sends ciphertext to the first node.
Each attribute in the attribute set and the target attribute set of the first node is stored in the first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
In the embodiment of the present application, the second node may send the ciphertext to all of the fourth nodes, where the fourth nodes include the first node. In some application scenarios, the second node may instead send the ciphertext only to the determined first node and not to any node other than the first node.
Step 708, the first node receives the ciphertext sent by the second node.
The ciphertext is generated by encrypting the target data by the second node by using first security information, and the first security information has a corresponding relation with the attribute set of the first node.
Step 709, the first node decrypts the ciphertext using the second security information to obtain the target data.
The first security information and the second security information have a corresponding relationship.
Each attribute in the attribute set is stored in the first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
In the embodiment of the application, the second security information and the first security information have a certain corresponding relation with the attribute set of the first node. If the first security information and the second security information are generated by the third node based on the attribute set of the first node, the first security information and the second security information are generally generated simultaneously.
Illustratively, the first security information is an attribute public key and the second security information is an attribute private key. The first node decrypts the ciphertext using the second security information: if decryption succeeds, the first node obtains the target data; if decryption fails, the first node cannot obtain the target data. This ensures the security of the target data at the first node and reduces the risk of leakage of the target data.
When the second node sends the ciphertext to the fourth nodes, only some of those nodes, namely the first nodes, hold the second security information, so only they can decrypt the ciphertext and obtain the target data.
Step 710, the first node processes the target data to obtain a processing result.
In the embodiment of the application, the first node processes the target data by adopting the preset operation corresponding to the target data, so as to realize the simulated transaction and obtain the simulated transaction result. Wherein the processing results include simulated transaction results.
Step 711, the first node endorses and signs the processing result to obtain an endorsement result.
Step 712, the first node sends a receipt including the endorsement result to the second node.
The endorsement result is sent through the second node to the ordering node for ordering and is then used to generate a block; the generated block is linked to the chain tail of the second blockchain, and the second blockchain is used for recording the transaction result between the second node and the first node.
In other embodiments of the present application, the receipt may include other corresponding information besides the endorsement result, such as an operation instruction for the endorsement result, which is not limited herein. The second blockchain is used for recording the final transaction result. In some application scenarios, the second blockchain may be used to record each information interaction process between the first node, the second node, and the third node in addition to recording the final transaction result. The manner in which the first node sends the receipt to the second node may include wired communication, wireless communication, and broadcast.
Step 713, the second node receives the receipt sent by the first node.
The receipt comprises an endorsement result, which the first node obtains by decrypting the ciphertext to obtain the target data and then performing a simulated execution on the target data.
In the embodiment of the application, the second node parses the received receipt to obtain the endorsement result.
Step 714, the second node packages the endorsement result in the receipt to obtain a packaging result and sends the packaging result to the ordering node, so that the ordering node orders the endorsement result in the packaging result, generates a corresponding block, and links the generated block to the second blockchain.
Wherein the second blockchain is used for storing a transaction result between the second node and the first node.
In the embodiment of the present application, the process in which the ordering node orders the endorsement result, generates the block, and links the generated block to the chain tail of the second blockchain is the same as in existing implementations, and a detailed description is omitted here.
It should be noted that, in this embodiment, the descriptions of the same steps and the same content as those in other embodiments may refer to the descriptions in other embodiments, and are not repeated here.
The embodiment of the application provides an information processing method in which the second node determines a first node based on a preset rule, encrypts target data based on first security information to obtain ciphertext, and sends the ciphertext to the first node; the first node receives the ciphertext sent by the second node and decrypts it using the second security information to obtain the target data. Because the first node is determined by the second node based on the preset rule, the second node can determine the corresponding first node according to different preset rules, and only a first node that holds the second security information can decrypt the corresponding ciphertext to obtain the target data. This addresses the problem that, in current blockchains such as permissioned chains, all content of an information interaction is visible to every preset endorsement node, so that information leakage easily occurs at the endorsement node side; it reduces the risk of private data being acquired at the endorsement node side and improves the security of the blockchain. The first security information used for encryption is stored in the first blockchain, and the first blockchain can be trusted by each organization or node participating in it, so encryption and decryption using the first security information and the second security information can be trusted, and the first node can therefore endorse the decrypted data by itself without endorsement confirmation from other nodes.
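Steps 701 to 704 above (turning the access requirement into a preset rule and selecting the first nodes that satisfy it), as an added Python example that is not code from the patent. It handles only the and/or/not subset of the preset logic and fails closed on anything else; the node directory, the names DR1 to DR5 and all function names are constructed for illustration, and in the described system the attribute sets would be read from the first blockchain.

```python
import re

# One token: a parenthesis or an identifier (attribute name or operator keyword).
TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_][A-Za-z0-9_]*)")
KEYWORDS = {"and", "or", "not"}


class RuleError(ValueError):
    """Malformed or out-of-scope preset rule; callers must select no node."""


def tokenize(rule):
    rule, pos, out = rule.rstrip(), 0, []
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:
            raise RuleError(f"unexpected character at offset {pos}")
        tok = m.group(1)
        out.append(tok.lower() if tok.lower() in KEYWORDS else tok)
        pos = m.end()
    return out


def parse(rule):
    """Recursive descent parser; precedence is not > and > or."""
    tokens, pos = tokenize(rule), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise RuleError(f"expected {expected or 'a term'}, got {tok!r}")
        pos += 1
        return tok

    def parse_or():
        node = parse_and()
        while peek() == "or":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_unary()
        while peek() == "and":
            take()
            node = ("and", node, parse_unary())
        return node

    def parse_unary():
        if peek() == "not":
            take()
            return ("not", parse_unary())
        if peek() == "(":
            take()
            node = parse_or()
            take(")")
            return node
        tok = take()
        if tok in KEYWORDS or tok == ")":
            raise RuleError(f"unexpected {tok!r}")
        return ("attr", tok)

    tree = parse_or()
    if peek() is not None:
        raise RuleError(f"trailing token {peek()!r}")
    return tree


def evaluate(tree, attrs):
    """True if the attribute set `attrs` satisfies the parsed rule."""
    op = tree[0]
    if op == "attr":
        return tree[1] in attrs
    if op == "not":
        return not evaluate(tree[1], attrs)
    left, right = evaluate(tree[1], attrs), evaluate(tree[2], attrs)
    return (left and right) if op == "and" else (left or right)


def attributes_in(tree):
    if tree[0] == "attr":
        return {tree[1]}
    return set().union(*(attributes_in(t) for t in tree[1:]))


def select_first_nodes(rule, target_attrs, directory):
    """Step 704: return the nodes whose attribute set satisfies the rule."""
    tree = parse(rule)
    unknown = attributes_in(tree) - set(target_attrs)
    if unknown:  # the rule may only combine attributes of the target attribute set
        raise RuleError(f"attributes outside the target set: {sorted(unknown)}")
    return sorted(n for n, attrs in directory.items() if evaluate(tree, attrs))


# Constructed sample data: node -> attribute set as recorded for that node.
DIRECTORY = {
    "DR1": {"b", "c", "d"},
    "DR2": {"b", "c", "e"},
    "DR3": {"b", "d", "e"},
    "DR4": {"c", "d", "e"},
    "DR5": {"b", "c", "d", "e"},
}
RULE = "(b and c and d) or (b and c and e)"

if __name__ == "__main__":
    print(select_first_nodes(RULE, {"b", "c", "d", "e"}, DIRECTORY))
```

Raising `RuleError` instead of returning a best-effort match keeps a mistyped rule from silently widening the set of nodes that receive a decryptable ciphertext.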
Based on the foregoing embodiments, an embodiment of the present application provides an information processing method for the case in which the second node acquires the first security information from the first node. Referring to Fig. 10, the method includes the following steps:
Step 801, the second node determines an access requirement corresponding to the target data.
Step 802, the second node determines a target attribute set and preset logic based on the access requirement corresponding to the target data.
Step 803, the second node combines at least one attribute in the target attribute set through preset logic to form a preset rule.
Step 804, the second node determines the first node based on a preset rule.
The preset rule is obtained by combining a target attribute set and preset logic. The preset logic at least comprises one of the following logic: and, or, not, nand, nor, exclusive or, nor; or, the preset logic is composed of at least one sub-logic.
Step 805, the second node sends an information interaction application to the first node.
The information interaction application is used for requesting first security information of the first node.
In the embodiment of the application, the second node sends an information interaction application for requesting the first security information of the first node to the first node.
Step 806, the first node receives the information interaction application sent by the second node.
Step 807, the first node responds to the information interaction application and sends an application response to the second node.
The application response comprises the first security information, and the first security information has a corresponding relation with the attribute set of the first node itself.
In other embodiments of the present application, step 807 may be implemented by the following steps a11 to a12:
Step a11, the first node responds to the information interaction application to acquire the first security information.
In other embodiments of the present application, the step of obtaining the first security information may be implemented by the following step: receiving the first security information sent by the authentication node with the attribute authority function.
In the embodiment of the application, the first node responds to the information interaction application and acquires the first security information corresponding to the first node. When that first security information is stored in the storage unit corresponding to the first node, it came to be stored as follows: when the first node applies to access the current network for the first time, the authentication node of the organization in which the first node is located, namely the third node, authenticates the first node. After the first node passes authentication, that is, when the authentication node allows the first node to access the current network, the authentication node acquires the attribute set corresponding to the first node from the first blockchain, generates the first security information corresponding to the first node based on that attribute set, and sends the first security information to the first node, so that the first node stores the received first security information in the storage unit corresponding to the first node. Alternatively, the authentication node responds to a request instruction by sending the first security information corresponding to the first node that is stored in the authentication node to the first node, so that the first node stores the received first security information in the storage unit corresponding to the first node.
Alternatively, when the first security information is not stored in the storage unit corresponding to the first node, the first node, after receiving the information interaction application, sends the authentication node a request instruction requesting that the authentication node distribute the first security information. After receiving the request instruction, the authentication node responds to it by acquiring the attribute set corresponding to the first node from the first blockchain, generating the first security information corresponding to the first node based on that attribute set, and sending the first security information to the first node; or the authentication node responds to the request instruction by sending the first security information corresponding to the first node that is stored in the authentication node to the first node.
The content of the first security information may be determined by the encryption and decryption algorithm agreed between the first node and the second node. For example, when the agreed algorithm is key-policy attribute-based encryption (KP-ABE), the first security information includes an attribute public key, and the corresponding second security information includes an attribute private key and the attribute set of the first node; if the agreed algorithm is ciphertext-policy attribute-based encryption (CP-ABE), the first security information includes the attribute set and an attribute public key of the first node, and the corresponding second security information includes an attribute private key.
Step a12, the first node generates an application response comprising the first security information and sends the application response to the second node.
Step 808, the second node receives the application response sent by the first node.
Wherein the application response includes the first security information.
Step 809, the second node encrypts the target data based on the first security information to obtain a ciphertext.
The first security information has a corresponding relation with the attribute set of the first node.
Step 810, the second node sends ciphertext to the first node.
Each attribute in the attribute set and the target attribute set of the first node is stored in the first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
Step 811, the first node receives the ciphertext sent by the second node.
The ciphertext is generated by encrypting the target data by the second node by using first security information, and the first security information has a corresponding relation with the attribute set of the first node.
Step 812, the first node decrypts the ciphertext by using the second security information to obtain the target data.
The first security information and the second security information have a corresponding relationship.
Each attribute in the attribute set is stored in the first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
In the embodiment of the present application, for example, when the agreed encryption and decryption algorithm is key-policy attribute-based encryption (KP-ABE), the second security information includes an attribute private key and the attribute set of the first node; if the agreed encryption and decryption algorithm is ciphertext-policy attribute-based encryption (CP-ABE), the second security information includes an attribute private key. The attribute public key in the first security information and the attribute private key in the second security information belong to one key pair and correspond to each other.
Step 813, the first node processes the target data to obtain a processing result.
Step 814, the first node endorses and signs the processing result to obtain an endorsement result.
Step 815, the first node sends a receipt including the endorsement result to the second node.
The endorsement result is sent through the second node to the ordering node for ordering and is then used to generate a block; the generated block is linked to the chain tail of the second blockchain, and the second blockchain is used for recording the transaction result between the second node and the first node.
Step 816, the second node receives the receipt sent by the first node.
The receipt comprises an endorsement result, which the first node obtains by decrypting the ciphertext to obtain the target data and then performing a simulated execution on the target data.
Step 817, the second node packages the endorsement result in the receipt to obtain a packaging result and sends the packaging result to the ordering node, so that the ordering node orders the endorsement result in the packaging result, generates a corresponding block, and links the generated block to a second blockchain, wherein the second blockchain is used for storing the transaction result between the second node and the first node.
Based on the foregoing embodiments, an embodiment of the present application provides an application scenario including a plurality of authentication nodes and Data Reader (DR) nodes. An organization may include at least one authentication node, and each DR corresponds to one authentication node. When a DR in the organization to which an authentication node belongs accesses the network corresponding to the organization for the first time, the DR needs to undergo authentication and authorization at the authentication node. After the DR passes authentication by the authentication node, the authentication node can generate first security information and second security information based on the attribute set of the DR and send them to the DR, and the DR then stores the first security information and the second security information in the storage unit corresponding to the DR.
Alternatively, the authentication node receives, from a DR that has passed its authentication, a request instruction for requesting the first security information and the second security information, where the request instruction may include the attribute set corresponding to the DR. The authentication node acquires the attribute set of the DR from the request instruction, generates the first security information and the second security information based on that attribute set, and then sends the first security information and the second security information to the DR. Or, after receiving such a request instruction from a DR that has passed its authentication, the authentication node allocates a corresponding attribute set to the DR, generates the first security information and the second security information based on the allocated attribute set, and then sends the allocated attribute set, the first security information and the second security information to the DR.
Further, the embodiment of the present application provides an application scenario in which the authentication node is itself managed by a node having a higher attribute authority than the authentication node. As shown in Fig. 11, the application scenario includes a root authentication node A having a root attribute authority function, sub authentication nodes B and Data Reader (DR) nodes C, where the sub authentication nodes B include AU1, AU2, …, AUn, and the DR nodes C include DR1, DR2, …, DRn, respectively. The root authentication node A is used for managing the sub authentication nodes B; the specific management process is described later. It should be noted that there is generally only one root authentication node A, and the sub authentication nodes correspond to the authentication nodes described above.
The process shown in fig. 11 is a process of acquiring the first security information and the second security information by the DR, and specifically may be: the root authentication node has the function of generating an attribute public key and an attribute private key for each sub authentication node, and is also used for creating a first blockchain and allowing all the sub authentication nodes to access the first blockchain. And after the root authentication node generates the attribute public key and the attribute private key corresponding to each sub authentication node, the attribute public key and the attribute private key are sent to the corresponding sub authentication node.
Taking DR1 as an example: after receiving a request instruction sent by DR1 for requesting attribute allocation, or when DR1 connects to the network to which the sub authentication node AU1 currently belongs, the sub authentication node AU1 applies to the root authentication node A for the attribute public key PK1 and the attribute private key SK1 corresponding to attribute information a of DR1, and then sends the attribute public key PK1, the attribute information a and the attribute private key SK1 to DR1. Correspondingly, each operation among the sub authentication node AU1, the root authentication node RAA and DR1 may be recorded in the third blockchain. It should be noted that the communication process among the root authentication node, AU2 and DR2, or among the root authentication node, AUn and DRn, is the same as the communication process among the root authentication node, AU1 and DR1, and is not described in detail here. DR1 corresponds to the first node in the previous embodiments of the present application. The Data Owner (DO) is not shown in Fig. 11; the DO corresponds to the second node in the previous embodiments of the present application.
The DO holds target data to be shared. On a first user terminal corresponding to the DO, the user sets the requirements on the objects with which the target data may be shared, so that the DO obtains the access requirement corresponding to the target data. For example, the access requirement is that the target data is shared with users of a target class in company b. The DO then performs attribute analysis on "users of a target class in company b" in the access requirement to obtain a target attribute set {(b, c, d), (b, c, e)}, with the corresponding preset logic: (and) or (and). The DO combines the target attribute set according to this preset logic to obtain the preset rule (b and c and d) or (b and c and e), and screens out n first nodes according to the preset rule. The first nodes may be denoted DR1, …, DRn, with n greater than or equal to 1.
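The rule construction and node screening described above, as an added example that is not part of the patent: it combines the target attribute set with the preset logic and evaluates the result against each candidate node's attribute set, and it goes beyond the and/or case to cover the other logic operators the application lists. The function names and the in-memory registry (a stand-in for the attribute records on the first blockchain) are hypothetical, and the sample nodes are constructed.

```python
# Added example (not from the patent); every name here is hypothetical.
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple, Union

# A rule is an attribute name (leaf) or (operator, [sub-rules]).
Rule = Union[str, Tuple[str, list]]

OPERATORS = {
    "and": all,
    "or": any,
    "not": lambda v: not v[0],
    "nand": lambda v: not all(v),
    "nor": lambda v: not any(v),
    "xor": lambda v: sum(v) % 2 == 1,
}


def build_rule(target_attribute_set: Iterable[Iterable[str]],
               inner: str = "and", outer: str = "or") -> Rule:
    """Join each attribute group with `inner`, then the groups with `outer`."""
    groups = [(inner, sorted(group)) for group in target_attribute_set]
    if not groups or any(not attrs for _, attrs in groups):
        raise ValueError("target attribute set must contain non-empty groups")
    return groups[0] if len(groups) == 1 else (outer, groups)


def evaluate(rule: Rule, attrs: FrozenSet[str]) -> bool:
    """Return True when the attribute set satisfies the rule."""
    if isinstance(rule, str):
        return rule in attrs
    op, children = rule
    if op not in OPERATORS:
        raise ValueError(f"unsupported logic: {op!r}")
    if not children or (op == "not" and len(children) != 1):
        raise ValueError(f"wrong number of operands for {op!r}")
    return bool(OPERATORS[op]([evaluate(child, attrs) for child in children]))


def render(rule: Rule) -> str:
    """Human-readable form, e.g. ((b and c and d) or (b and c and e))."""
    if isinstance(rule, str):
        return rule
    op, children = rule
    if op == "not":
        return f"(not {render(children[0])})"
    return "(" + f" {op} ".join(render(child) for child in children) + ")"


def screen_nodes(rule: Rule,
                 registry: Dict[str, Optional[FrozenSet[str]]]) -> List[str]:
    """Select the first nodes whose recorded attributes satisfy the rule."""
    selected = []
    for node, attrs in sorted(registry.items()):
        # Fail closed: a node without an attribute record is never selected.
        # Treating it as an empty set would let it satisfy negated rules.
        if attrs is None:
            continue
        if evaluate(rule, attrs):
            selected.append(node)
    return selected


# Constructed sample data: attribute sets as they might be read from the
# attribute records; DR5 has no record at all.
REGISTRY: Dict[str, Optional[FrozenSet[str]]] = {
    "DR1": frozenset({"b", "c", "d"}),
    "DR2": frozenset({"b", "c", "e"}),
    "DR3": frozenset({"b", "c"}),
    "DR4": frozenset({"b", "d", "e"}),
    "DR5": None,
    "DR6": frozenset({"b", "c", "d", "e"}),
}

# Target attribute set {(b, c, d), (b, c, e)} with preset logic (and) or (and).
RULE = build_rule([("b", "c", "d"), ("b", "c", "e")])

if __name__ == "__main__":
    print(render(RULE))
    print(screen_nodes(RULE, REGISTRY))
```

Screening only decides which nodes receive a ciphertext; confidentiality still rests on the attribute encryption, so a node selected by mistake cannot read the target data without matching second security information.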
After the DO sends the information interaction application to DR1, …, DRn, and taking DR1 as an example, DR1 sends first security information to the DO. The first security information includes at least one of the attribute public key PK1 and the attribute information a received by DR1; what exactly the first security information contains may be determined by the attribute encryption algorithm that is adopted. The attribute information a may be represented by one attribute assigned to DR1, or by two or more attributes assigned to DR1. The DO uses the first security information sent by DR1 to encrypt the target data shared with DR1 to obtain a ciphertext, and sends the ciphertext to DR1. It should be noted that the first security information may differ between DRs, that is, the attribute public keys and the attribute information may be partially the same or entirely different. After DR1 receives the ciphertext, it decrypts the ciphertext using the second security information that it stores.
It should be noted that if the first security information sent to the DO by DR1 is the attribute public key PK1 and the attribute information a, the second security information used by DR1 for decryption is the attribute private key SK1; if the first security information sent to the DO by DR1 is the attribute public key PK1, the second security information used by DR1 for decryption is the attribute private key SK1 and the attribute information a. DR1 therefore decrypts the received ciphertext based on the second security information and obtains the target data once decryption succeeds. DR1 then executes the preset operation corresponding to the target data on the target data to realize a simulated transaction and obtain a transaction result. DR1 endorses and signs the transaction result to obtain an endorsement result and sends the endorsement result to the DO. After receiving a certain number of endorsement results sent by DR1, …, DRn, the DO packages the received first number of endorsement results to obtain a packaged result and sends the packaged result to an ordering node. The ordering node orders the received packaged result to obtain an ordering result and sends the ordering result to a block generating node. The block generating node performs the corresponding verification on the ordering result, generates a corresponding block after the verification passes, and links the generated block to the tail of a second blockchain.
It should be noted that, in this embodiment, the descriptions of the same steps and the same content as those in other embodiments may refer to the descriptions in other embodiments, and are not repeated here.
The embodiment of the application provides an information processing method in which the second node determines a first node based on a preset rule, encrypts target data based on first security information to obtain a ciphertext, and sends the ciphertext to the first node; the first node receives the ciphertext sent by the second node and decrypts it using second security information to obtain the target data. In this way, the target data that the second node sends to the first node determined according to the preset rule travels only as ciphertext, and the first node obtains the target data only if it decrypts the ciphertext successfully. This solves the problem that, in current blockchains such as a license chain, the full content of a transaction is visible at every endorsement node, so that information is easily leaked at the endorsement node side; it reduces the risk of private data being obtained at the endorsement node side and improves the security of the blockchain. Further, the attribute or attribute set used for encryption and decryption is stored in the corresponding attribute blockchain, and because the security of the attribute blockchain is higher, the encryption and decryption process is more secure and more trustworthy.
Based on the foregoing embodiments, an embodiment of the present application provides a first information processing apparatus that can be applied to the information processing methods provided in the embodiments corresponding to fig. 3 to 5 and 9, and referring to fig. 12, the first information processing apparatus 9 includes: a determination unit 91, an encryption unit 92, and a first transmission unit 93; wherein:
a determining unit 91, configured to determine a first node based on a preset rule; the preset rule is obtained by combining a target attribute set and preset logic;
an encryption unit 92, configured to encrypt the target data based on the first security information to obtain a ciphertext; the first security information has a corresponding relation with the attribute set of the first node;
a first transmitting unit 93 for transmitting ciphertext to the first node;
each attribute in the attribute set and the target attribute set of the first node is stored in the first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
In other embodiments of the present application, the preset logic includes at least one of the following logic: and, or, not, nand, nor, exclusive or, nor; or,
the preset logic is composed of at least one sub-logic.
In other embodiments of the application, the determining unit is further configured to:
and combining at least one attribute in the target attribute set through preset logic to form a preset rule.
In other embodiments of the present application, before the determining unit is configured to determine the first node based on the preset rule, the determining unit is further configured to:
determining the access requirement corresponding to the target data;
and determining a target attribute set and preset logic based on the access requirement corresponding to the target data.
In other embodiments of the present application, the first information processing apparatus further includes: an acquisition unit; wherein:
the acquisition unit is used for acquiring the first security information.
In other embodiments of the present application, the acquisition unit is specifically configured to:
acquiring the first security information from a local database or a public database; or,
sending an information interaction application to a first node; the information interaction application is used for requesting first security information of the first node;
receiving an application response sent by a first node; wherein the application response includes first security information;
In other embodiments of the present application, the first information processing apparatus further includes: a first receiving unit; wherein:
the first receiving unit is used for receiving the receipt sent by the first node; the receipt comprises an endorsement result, wherein the endorsement result is obtained by performing simulation execution on target data and endorsing after the target data is obtained by performing decryption processing on ciphertext by a first node;
the first sending unit is further used for packaging the endorsement result in the receipt to obtain a packaged result and sending the packaged result to the ordering node, so that the ordering node orders the endorsement result in the packaged result and a corresponding block is generated and linked to the second blockchain; the second blockchain is used for storing the transaction result between the second node and the first node.
It should be noted that, in the embodiment of the present application, explanation of steps between modules or units may refer to implementation procedures in the information processing method provided in the embodiments corresponding to fig. 3 to 5 and 9, and are not repeated herein.
The embodiment of the application provides a first information processing device, by which the second node determines a first node based on a preset rule, encrypts target data based on first security information to obtain a ciphertext, and sends the ciphertext to the first node. In this way, the target data that the second node sends to the first node determined according to the preset rule travels only as ciphertext, which protects the target data that is sent. This solves the problem that, in current blockchains such as a license chain, the full content of a transaction is visible at every endorsement node, so that information is easily leaked at the endorsement node side; it reduces the risk of private data being obtained at the endorsement node side and improves the security of the blockchain. Further, the attribute or attribute set used for encryption is stored in the corresponding attribute blockchain, and because the security of the attribute blockchain is higher, the encryption process is more secure and more trustworthy.
Based on the foregoing embodiments, the embodiment of the present application provides a second information processing apparatus that can be applied to the information processing method provided by the embodiments corresponding to fig. 6 to 8, 10, referring to fig. 13, the second information processing apparatus 1001 includes: a second receiving unit 10011 and a decrypting unit 10012; wherein:
a second receiving unit 10011, configured to receive the ciphertext sent by the second node; the ciphertext is generated by encrypting target data by a second node by using first security information, wherein the first security information has a corresponding relation with an attribute set of the first node;
a decryption unit 10012, configured to decrypt the ciphertext using the second security information to obtain the target data; the first security information and the second security information have a corresponding relationship;
each attribute in the attribute set is stored in the first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
In other embodiments of the present application, the second information processing apparatus further includes: the device comprises a processing unit, an endorsement unit and a second sending unit; wherein:
the processing unit is used for processing the target data to obtain a processing result;
The endorsing unit is used for endorsing and signing the processing result to obtain an endorsing result;
the second sending unit is used for sending a receipt including an endorsement result to the second node; the endorsement result is used for generating a block after being sent to the ordering node through the second node for ordering, and the generated block is linked to the chain tail of the second block chain, and the second block chain is used for recording the transaction result between the second node and the first node.
In other embodiments of the present application, before the second receiving unit is configured to receive the ciphertext sent by the second node, the second receiving unit is further configured to:
receiving an information interaction application sent by a second node;
responding to the information interaction application, and sending an application response to the second node; the application response comprises first security information, and the first security information has a corresponding relation with an attribute set of the self node;
In other embodiments of the present application, when sending an application response to the second node in response to the information interaction application, the second receiving unit is specifically configured to:
responding to the information interaction application, and acquiring the first security information;
and generating an application response comprising the first security information, and sending the application response to the second node.
In other embodiments of the present application, the second receiving unit is further specifically configured to:
and receiving the first security information sent by the authentication node with the attribute authority function.
It should be noted that, the specific implementation process of the steps executed by the modules or units in this embodiment may refer to the implementation process in the information processing method provided in the embodiment corresponding to fig. 6 to 8 and 10, which is not described herein again.
The embodiment of the application provides a second information processing device. The second node determines a first node based on a preset rule, encrypts target data based on first security information to obtain a ciphertext, and sends the ciphertext to the first node; the first node receives the ciphertext sent by the second node and decrypts it using second security information to obtain the target data. In this way, the target data that the second node sends to the first node determined according to the preset rule travels only as ciphertext, and the first node obtains the target data only if it decrypts the ciphertext successfully. This solves the problem that, in current blockchains such as a license chain, the full content of a transaction is visible at every endorsement node, so that information is easily leaked at the endorsement node side; it reduces the risk of private data being obtained at the endorsement node side and improves the security of the blockchain. Further, the attribute or attribute set used for encryption and decryption is stored in the corresponding attribute blockchain, and because the security of the attribute blockchain is higher, the encryption and decryption process is more secure and more trustworthy.
Based on the foregoing embodiments, the embodiments of the present application provide an information processing system, which may be applied to the information processing methods provided in the embodiments corresponding to fig. 3 to 10, and referring to fig. 14, the information processing system 1100 includes at least: a first node 11001 and a second node 11002; wherein:
a first node 11001 is configured to implement an implementation procedure in the information processing method provided in the embodiments corresponding to fig. 3 to 5 and 9, and will not be described in detail herein;
the second node 11002 is configured to implement the implementation procedure in the information processing method provided in the embodiments corresponding to fig. 6 to 8 and 10, and will not be described in detail herein.
Based on the foregoing embodiments, embodiments of the present application provide a computer-readable storage medium, simply referred to as a storage medium, which may be applied to the methods provided in the embodiments corresponding to fig. 3 to 10, where the storage medium stores one or more programs, and the one or more programs may be executed by one or more processors, so as to implement the implementation procedure in the information processing method provided in the embodiments corresponding to fig. 3 to 10, which is not described herein.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing description is only of the preferred embodiments of the present application, and is not intended to limit the scope of the present application.

Claims (9)

1. An information processing method, the method comprising:
determining the access requirement corresponding to the target data;
determining a target attribute set and preset logic based on the access requirement corresponding to the target data;
determining a first node based on a preset rule; wherein the preset rule is obtained by combining the target attribute set and the preset logic;
encrypting the target data based on the first security information to obtain a ciphertext; wherein, the first security information has a corresponding relation with the attribute set of the first node;
sending the ciphertext to the first node;
each attribute in the attribute set of the first node and the target attribute set is stored in a first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
2. The method of claim 1, the preset logic comprising at least one of: and, or, not, nand, nor, exclusive or, nor; or,
the preset logic is composed of at least one sub-logic.
3. The method of claim 1, the preset rule resulting from a combination of a set of target attributes and preset logic, comprising:
and combining at least one attribute in the target attribute set through preset logic to form the preset rule.
4. The method of claim 1, the method further comprising:
acquiring the first security information;
the acquiring the first security information includes:
acquiring the first security information from a local database or a public database; or,
sending an information interaction application to the first node; the information interaction application is used for requesting first security information of the first node;
receiving an application response sent by a first node; wherein the application response includes the first security information.
5. The method of claim 1, after the sending the ciphertext to the first node, the method further comprising:
receiving a receipt sent by the first node; the receipt comprises an endorsement result, wherein the endorsement result is obtained by performing simulation execution on the target data and endorsing after the first node decrypts the ciphertext to obtain the target data;
packaging the endorsement result in the receipt to obtain a packaged result, and sending the packaged result to an ordering node, so that the endorsement result in the packaged result is ordered by the ordering node, a corresponding block is generated, and the generated block is linked to a second blockchain, wherein the second blockchain is used for storing a transaction result between the second node and the first node.
6. An information processing method, the method comprising:
determining an access requirement corresponding to the target data by a second node; determining a target attribute set and preset logic based on the access requirement corresponding to the target data;
determining a first node according to a preset rule obtained by combining the target attribute set and the preset logic;
receiving ciphertext transmitted by the second node; the ciphertext is generated by encrypting target data by the second node by using first security information, and the first security information has a corresponding relation with an attribute set of the first node;
decrypting the ciphertext by using second security information to obtain the target data; wherein the first security information and the second security information have a correspondence;
Each attribute in the attribute set is stored in a first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.
7. The method of claim 6, wherein the decrypting the ciphertext using the second security information, after obtaining the target data, comprises:
processing the target data to obtain a processing result;
endorsing and signing the processing result to obtain an endorsing result;
sending a receipt including the endorsement result to the second node; the endorsement result is used for generating a block after being sent to the ordering node through the second node for ordering, and linking the generated block to a second block chain, wherein the second block chain is used for recording the transaction result between the second node and the first node.
8. The method of claim 6, further comprising, prior to receiving ciphertext transmitted by the second node:
receiving an information interaction application sent by a second node;
responding to the information interaction application, and sending an application response to the second node; the application response comprises first security information, and the first security information has a corresponding relation with an attribute set of the self node;
the sending an application response to the second node in response to the information interaction application includes:
responding to the information interaction application, and acquiring the first security information;
generating an application response comprising the first security information, and sending the application response to the second node.
9. An information processing apparatus, the apparatus comprising: the device comprises a determining unit, an encrypting unit, a first transmitting unit and a first receiving unit; wherein:
the determining unit is used for determining the access requirement corresponding to the target data and determining a target attribute set and preset logic based on the access requirement corresponding to the target data, and is further used for determining a first node based on a preset rule; wherein the preset rule is obtained by combining the target attribute set and the preset logic;
the encryption unit is used for encrypting the target data based on the first security information to obtain a ciphertext; wherein, the first security information has a corresponding relation with the attribute set of the first node;
the first sending unit is configured to send the ciphertext to the first node;
each attribute in the attribute set of the first node and the target attribute set is stored in a first blockchain, and information in the first blockchain is endorsed by at least one node participating in the first blockchain.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010189778.7A CN111414634B (en) 2020-03-18 2020-03-18 Information processing method and device

Publications (2)

Publication Number Publication Date
CN111414634A CN111414634A (en) 2020-07-14
CN111414634B true CN111414634B (en) 2023-09-19

Family

ID=71491109

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010189778.7A Active CN111414634B (en) 2020-03-18 2020-03-18 Information processing method and device

Country Status (1)

Country Link
CN (1) CN111414634B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110458709B (en) * 2018-04-28 2022-12-30 腾讯科技(深圳)有限公司 Resource transfer information transmission method and device, storage medium and electronic device
CN112152778B (en) * 2020-09-22 2022-03-15 腾讯科技(深圳)有限公司 Node management method and device and electronic equipment
CN113193953B (en) * 2021-04-16 2022-09-02 南通大学 Multi-authority attribute-based encryption method based on block chain

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016144991A1 (en) * 2015-03-11 2016-09-15 Microsoft Technology Licensing, Llc Distribution of endorsement indications in communication environments
CN107294709A (en) * 2017-06-27 2017-10-24 阿里巴巴集团控股有限公司 A kind of block chain data processing method, apparatus and system
CN108376368A (en) * 2018-03-07 2018-08-07 物数(上海)信息科技有限公司 Endorsement strategy determines method, apparatus, electronic equipment, storage medium
CN110162992A (en) * 2019-05-31 2019-08-23 联想(北京)有限公司 Data processing method, data processing equipment and computer system
CN110706106A (en) * 2019-09-26 2020-01-17 联想(北京)有限公司 Information processing method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11494344B2 (en) * 2018-03-06 2022-11-08 International Business Machines Corporation Customized endorsement logic for blockchain

Also Published As

Publication number Publication date
CN111414634A (en) 2020-07-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant