CN113658005A - Method for executing transaction in block chain and block chain system - Google Patents


Info

Publication number
CN113658005A
Application number
CN202111109486.9A
Authority
CN (China)
Legal status
Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages
Chinese (zh)
Inventor
刘晓建
Assignee (current and original)
Alipay Hangzhou Information Technology Co Ltd; Ant Blockchain Technology Shanghai Co Ltd
Prior art keywords
data, block, reading, read, trusted

Classifications

    • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange (under G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes)
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor (under G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data)
    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (under G06F21/60 Protecting data)

Abstract

The embodiments of this specification provide a method for executing a transaction in a blockchain and a blockchain system. The method comprises: a trusted execution environment acquires a first transaction, which is sent by a user device on the basis of a first account and calls a first contract; the first contract requests to read permission information of the first account and first data, and constrains the permission information and the first data to correspond to the same block; the trusted execution environment sends the data read request in the first contract to a trusted storage device via the computing device; the trusted storage device reads the data after receiving the data read request and sends the read result to the trusted execution environment via the computing device; after receiving the read result, the trusted execution environment verifies the permission of the first account on the basis of the permission information according to the verification logic in the first contract and, if the verification passes, returns the first data to the user device via the computing device.

Description

Method for executing transaction in block chain and block chain system
This application is a divisional application of the invention patent application entitled "method and blockchain system for performing transactions in blockchain" filed on 28/4/2021 under application number 202110465875.9.
Technical Field
Embodiments of the present disclosure relate to the field of blockchain technology, and more particularly, to a method and a blockchain system for performing transactions in a blockchain.
Background
A blockchain is a novel application of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. It is a chained data structure in which data blocks are linked sequentially in chronological order, and it is a distributed ledger whose tamper-resistance and unforgeability are guaranteed cryptographically. Because of its decentralization, tamper-resistance and autonomy, the blockchain is receiving growing attention and adoption.
In a blockchain system that supports private transactions, a blockchain node executes transactions in a Trusted Execution Environment (TEE). The TEE can ensure that data involved in a private transaction cannot be observed from outside, but it cannot guarantee that the transaction execution result is trustworthy, because the TEE cannot ensure that the stored data it receives as input is trustworthy. In particular, if the blockchain node is malicious, the stored data that the node supplies to the TEE may be forged. A malicious node may try to trick the TEE into outputting information the user is not currently entitled to access, by initiating query transactions to the TEE and supplying partially outdated inputs for those query transactions.
Disclosure of Invention
Embodiments of the present disclosure are directed to providing a more efficient scheme for executing transactions in a blockchain to provide more reliable transaction execution results.
To achieve the above object, one aspect of this specification provides a method of executing a transaction in a blockchain, performed by a blockchain node comprising a computing device that contains a trusted execution environment, the method comprising:
the trusted execution environment acquires a first transaction, the first transaction being sent by a user device on the basis of a first account and calling a first contract, the first contract comprising a data read request for reading permission information of the first account and first data, and the data read request constraining the permission information and the first data to correspond to the same block;
the trusted execution environment sends the data read request in the first contract to a trusted storage device via the computing device, the trusted storage device storing the data of the blockchain;
the trusted storage device reads data after receiving the data read request and sends a read result to the trusted execution environment via the computing device, the read result comprising the permission information and the first data corresponding to the same block;
after receiving the read result, the trusted execution environment verifies the permission of the first account on the basis of the permission information according to the verification logic in the first contract and, if the verification passes, returns the first data to the user device via the computing device.
In one embodiment, the first contract includes a first read request requesting a batch read of the permission information and the first data.
In one embodiment, the first contract includes a second read request and a third read request, wherein the second read request is used for requesting to read the permission information corresponding to the first block, and the third read request is used for requesting to read the first data corresponding to the first block.
In one embodiment, the trusted execution environment sending the data read request in the first contract to the trusted storage device via the computing device comprises: the trusted execution environment signs the data read request and sends the data read request and its signature to the trusted storage device via the computing device;
the trusted storage device reading data after receiving the data read request and sending a read result to the trusted execution environment via the computing device comprises: the trusted storage device verifies the signature after receiving the data read request and its signature and, if the signature verification passes, reads data on the basis of the data read request, signs the read result, and sends the read result and its signature to the trusted execution environment via the computing device.
In one embodiment, the first data is a second variable, and the first contract defines that the values of the permission information and the second variable correspond to world states determined by the same block.
In one embodiment, the first data is a first block, and the first contract defines that the permission information corresponds to the first block.
In an embodiment, the first data is a second variable, the data read request further includes a block identifier of a second block, the trusted storage device reads data based on the data read request includes the trusted storage device reads data corresponding to the second block based on the block identifier of the second block.
In one embodiment, the read result includes a block identifier of the second block, and the method further includes the trusted execution environment verifying, after receiving the read result, whether the block identifier in the read result is consistent with the block identifier in the data read request.
In one embodiment, the blockchain node comprises the trusted storage device.
Another aspect of this specification provides a blockchain system comprising a computing device including a trusted execution environment therein and a trusted storage device having data of the blockchain stored therein, wherein,
the trusted execution environment is configured to acquire a first transaction, the first transaction being sent by a user device on the basis of a first account and calling a first contract, the first contract comprising a data read request for reading permission information of the first account and first data, and the data read request constraining the permission information and the first data to correspond to the same block; and to send the data read request in the first contract to the trusted storage device via the computing device;
the trusted storage device is used for reading data after receiving the data reading request and sending a reading result to the trusted execution environment through the computing device, wherein the reading result comprises the authority information and the first data corresponding to the same block;
the trusted execution environment is further configured to verify the authority of the first account based on the authority information according to verification logic in the first contract after receiving the reading result, and in case of passing the verification, return the first data to the user equipment through the computing device.
In one embodiment, the first contract includes a first read request requesting a batch read of the permission information and the first data.
In one embodiment, the first contract includes a second read request and a third read request, wherein the second read request is used for requesting to read the permission information corresponding to the first block, and the third read request is used for requesting to read the first data corresponding to the first block.
In one embodiment, the trusted execution environment being configured to send the data read request in the first contract to the trusted storage device via the computing device comprises the trusted execution environment being configured to sign the data read request and to send the data read request and its signature to the trusted storage device via the computing device;
the trusted storage device being configured to read data after receiving the data read request and to send a read result to the trusted execution environment via the computing device comprises the trusted storage device being configured to verify the signature after receiving the data read request and its signature and, if the verification passes, to read data on the basis of the data read request, sign the read result, and send the read result and its signature to the trusted execution environment via the computing device.
In one embodiment, the first data is a second variable, and the first contract defines that the values of the permission information and the second variable correspond to world states determined by the same block.
In one embodiment, the first data is a first block, and the first contract defines that the permission information corresponds to the first block.
In an embodiment, the first data is a second variable, the data read request further includes a block identifier of a second block, the trusted storage device is configured to perform data reading based on the data read request, and the trusted storage device is configured to read data corresponding to the second block based on the block identifier of the second block.
In one embodiment, the read result includes a block identifier of the second block, and the trusted execution environment is further configured to verify, after receiving the read result, whether the block identifier in the read result is consistent with the block identifier in the data read request.
In one embodiment, the blockchain system includes blockchain nodes that include the computing device and the trusted storage device.
Another aspect of the present specification provides a computer readable storage medium having a computer program stored thereon, which, when executed in a computer, causes the computer to perform any one of the above methods.
Another aspect of the present specification provides a computing device comprising a memory having stored therein executable code, and a processor that, when executing the executable code, implements any of the methods described above.
According to the above scheme for executing a transaction, the request for permission information and the request for data are bound to each other and sent to the trusted storage device as one unit, so that the trusted storage device returns matching permission information and data to the trusted execution environment, which then verifies the user's permission. A malicious blockchain node therefore cannot use expired permission to access newly added data of the blockchain, and the transaction execution result is more trustworthy.
Drawings
The embodiments of this specification are described below with reference to the accompanying drawings:
FIG. 1 illustrates a schematic diagram of a blockchain system in accordance with embodiments of the present disclosure;
fig. 2 is a flow diagram of a method of performing transactions in a blockchain in accordance with an embodiment of the present disclosure;
fig. 3 is an architecture diagram of a blockchain system according to an embodiment of the present disclosure;
fig. 4 illustrates a block chain node structure diagram according to an embodiment of the present specification.
Detailed Description
The embodiments of the present specification will be described below with reference to the accompanying drawings.
Fig. 1 shows a schematic diagram of a blockchain system according to an embodiment of this specification. As shown in fig. 1, the blockchain system comprises a computing device 11 and a trusted storage device 12. The computing device 11 contains a TEE, which allows a user to verify that data is processed in the TEE in the expected manner. The TEE may take a specific form such as an Enclave (secure container) based on Intel Software Guard Extensions (SGX) or a trusted zone based on TrustZone. A hardware private key is provisioned inside the TEE, and the TEE signs its output data with that private key, so that the recipient of the data can verify with the TEE's public key that the data has not been tampered with. The trusted storage device 12 provides a trusted storage service, for example through a user-space storage stack such as SPDK (Storage Performance Development Kit), and likewise guarantees that its output data has not been tampered with by signing it. In one embodiment of the blockchain system, the computing device 11 is the blockchain node and the trusted storage device 12 is a device independent of the blockchain node; the blockchain node accesses blockchain data by connecting to the trusted storage device 12. In another embodiment, the computing device 11 and the trusted storage device 12 together form a blockchain node, where they may be two separate physical devices or two virtual or physical modules within a single physical device.
In one scheme for executing a transaction in the blockchain system of fig. 1, the user device 13 sends a transaction that queries data to the blockchain; the transaction calls a contract that queries data in the blockchain, and the contract needs to read the permission information of the transaction's sending account and decides on that basis whether to return the queried data to the user device 13. Specifically, when the TEE in the computing device 11 executes the transaction, it asks the computing device 11 to read the permission information of the sending account so that it can verify that account's permission. On receiving the TEE's read request, the computing device 11 forwards a request for the account's permission information to the trusted storage device 12 (the request path in fig. 1); the trusted storage device 12 returns the signed permission information to the computing device 11, and the computing device 11 passes it to the TEE (the response path in fig. 1), which then verifies it. However, if the blockchain node is malicious, its computing device 11 can misbehave on either path. For example, on the response path it can hand the TEE past permission information of the account that it received from the trusted storage device 12 earlier, which still carries a valid signature of the trusted storage device 12; or on the request path it can tamper with the storage access request so that the storage system returns permission information as of a past block. In either case the TEE cannot verify that the permission information is correct for the data being read.
In the scheme for executing a transaction in a blockchain according to an embodiment of this specification, the data read request in the contract constrains the permission information to be read and the data to be read to correspond to the same block, so the blockchain node cannot supply permission information that does not match the data being read, and an attacker cannot access newly added data with old permission.
The scheme of performing transactions in a blockchain according to embodiments of the present specification will be described in detail below.
Fig. 2 is a flowchart of a method for performing a transaction in a blockchain according to an embodiment of the present disclosure, including:
step S201: a TEE acquires a transaction Tx1, which is sent by a user device on the basis of an account A and calls a contract 1; contract 1 requests to read the permission information of account A and data D1, and the data read request binds the permission information and data D1 to correspond to the same block;
step S203: the TEE sends the data read request for the bound data in contract 1 to a trusted storage device via the computing device. The trusted storage device provides, for example, an SPDK-based service and is hereinafter referred to simply as the SPDK; it stores the data of the blockchain, and SPDK is adopted because it makes trusted storage access convenient to implement;
step S205: the SPDK reads the data after receiving the data read request;
step S207: the SPDK sends the read result to the TEE via the computing device, the read result comprising the permission information and data D1 corresponding to the same block;
step S209: after receiving the read result, the TEE verifies the permission of account A on the basis of the permission information according to the verification logic in contract 1;
step S211: if the verification passes, the TEE returns data D1 to the user device via the computing device.
First, at step S201, the TEE obtains a transaction Tx1, the transaction Tx1 is sent by the user equipment based on the account a, a contract 1 is called in the transaction Tx1, permission information and data D1 of the account a are requested to be read in the contract 1, and the permission information and the data D1 are bound to correspond to the same block.
In the blockchain of this embodiment, a smart contract for data queries (for example, contract 1) may be deployed in advance; it reads data and returns it to the user once the user's permission has been verified. In one embodiment the blockchain stores private data, that is, all data stored in the blockchain is encrypted; in that case the smart contract may also decrypt the encrypted data it reads and return the decrypted data to the user after the user's permission verification passes.
Referring to fig. 1, when the user corresponding to account A wishes to query data from the blockchain, the user may send a transaction Tx1 calling contract 1 to any node of the blockchain. The node executes transaction Tx1 after receiving it and returns the execution result to the user; for transaction Tx1, the node returns the data queried by contract 1 to the user device. Since Tx1 is a query transaction, the node that receives it need not broadcast it to the other nodes of the blockchain nor pack it into a block for storage, and executing Tx1 does not change the world state.
To prevent the blockchain node from misbehaving as described above while the transaction is executed, in this embodiment the transaction Tx1 calling contract 1 is executed in the TEE, and the read of account A's permission information and the read of the data requested by the user are bound together in the data read request of contract 1. As shown in fig. 1, after acquiring the transaction Tx1 to be executed, the computing device 11 of the blockchain node provides Tx1 to its TEE so that Tx1 is executed there. The sending account of Tx1 is account A, the receiving account is the contract address of contract 1, and the Data field contains a call to a function of contract 1, such as the data read function Read(). When executed, the function first reads the bound permission information of account A and the data D1 to be read, i.e. the permission information and D1 correspond to the same block; it then verifies the permission of account A on the basis of the permission information and, if the verification passes, returns the data D1 that was read.
To bind the permission information to the data to be read, in one embodiment contract 1 includes, for example, the following read function Read(b):
Read(b)
{
    // batch read: the value of a (permission) and the value of b (requested data) come from the same block
    (Value_a, Value_b) = GetMultiKey(a, b)
    if (Value_a > 10) { return Value_b }
    else { return "insufficient right" }
}
GetMultiKey(a, b) is a batch data access interface provided by the blockchain node; it can read at least two data items and makes the items it reads correspond to the same block. Binding of the read items is thus achieved by using the batch data access interface in contract 1.
In another embodiment, GetMultiKey (a, b/block 100) may be included in the read function read (b) to indicate that values of the variable a and the variable b corresponding to the block 100 are read.
For example, "a" represents a variable a corresponding to the authority information of the account a, for example, the variable a is the balance of the account a, and "b" represents a variable b, which is the variable to be read. In the blockchain, generally, after a new block is stored each time, the values of the variables in the state database are updated based on the execution results of the transactions in the block, and thus, a plurality of values of the variables corresponding to the blocks can be stored in the blockchain. By binding the variable a and the variable b to correspond to the same block, it is defined that the authority of the account a matches the value of the variable b, and there is no case where the updated value of the variable b is read by the past authority of the account a (i.e., the authority corresponding to the previous block of the above-mentioned block).
It is to be understood that, although the variable b is described as an example, the embodiments of the present disclosure are not limited to reading the variable, and for example, data such as blocks, transactions, etc. may also be read. For example, the b may represent a block number of the block to be Read, e.g., when the function Read (b) of contract 1 is called in transaction Tx1, Read (100) may be included in a data field of transaction Tx1 to indicate reading of block 100, in which case the function Read (100) includes an interface GetMultiKey (a,100) representing binding of variable a to block 100, i.e., reading a value of variable a corresponding to block 100.
In the Read(b) function, after the values of variable a and variable b corresponding to the same block have been read through the GetMultiKey(a, b) interface, permission verification is performed on the value of variable a. For example, it is preset that an account may access the data only if its balance is greater than 10; in that case the Read(b) function determines through the if … else … statement whether the value of variable a is greater than 10, returns the value of variable b if so, and otherwise returns "insufficient right", i.e. the read fails.
In another embodiment, contract 1 includes, for example, the following read function Read(b):
[Figure BDA0003273589010000081: the listing of this Read(b), reproduced only as an image in the original; as described below, it calls GetKey(a/block 100) and GetKey(b/block 100) in place of GetMultiKey(a, b)]
in this embodiment, the read interfaces GetKey (a/block 100) and GetKey (b/block 100) provided by the block chain node are called, and when the read interface is called, the value of the variable a to be read is bound to the block 100, and the value of the variable b to be read is bound to the block 100, that is, the value of the variable a to be read and the value of the variable b are bound to the same block, so that the malicious behavior of the node can be similarly prevented. Similarly, if a block (e.g., block 100) is Read by the Read function, the variable a may be bound to the block 100 by the GetKey (a/block 100), and the data of the block 100 is Read by the GetKey (block 100).
In step S203, the TEE sends the data read request for the bound data in contract 1 to the SPDK via the computing device; the SPDK stores the data of the blockchain.
After acquiring transaction Tx1 the TEE executes it, and in doing so executes the data read function Read(b) of contract 1 called by Tx1. In the first embodiment, Read(b) includes a call to the interface GetMultiKey(a, b), which corresponds to a batch data read request for variable a and variable b. As shown in fig. 1, the TEE can sign the request GetMultiKey(a, b) with its private key and send the request and its signature to the SPDK via the computing device. In this way the access request for the permission information and the access request for the data D1 to be read are sent to the SPDK as a single unit whose integrity is protected by the signature, and the SPDK likewise returns, signed, the permission information and the read data D1 corresponding to one block. The blockchain node therefore cannot provide the TEE with expired permission of account A that does not match data D1, and so cannot access newly added data with old permission.
In the other embodiment above, Read(b) includes GetKey(a/block 100) and GetKey(b/block 100); the TEE can sign each of them with its private key and send both requests and their respective signatures to the SPDK. Here the access request for the permission information and the access request for the data D1 are each bound to the same block, which likewise ensures that the permission information matches the read data D1 and achieves the same effect as the embodiment above.
In step S205, the SPDK performs data reading after receiving the data reading request.
In one embodiment, the SPDK receives GetMultiKey(a, b) and its signature and first verifies the signature using the TEE's public key; this verification determines whether GetMultiKey(a, b) has been tampered with, and so prevents an attack on the blockchain node. After the signature verification passes, the SPDK reads the value of variable a and the value of variable b corresponding to the same block, as the batch data read interface specifies. If the computing device 11 did not specify a block when sending GetMultiKey(a, b) and its signature, the SPDK reads the values of variable a and variable b corresponding to the latest block; if it did specify a block, the SPDK reads the values corresponding to the specified block.
In another embodiment, the SPDK receives GetMultiKey(a, b/block 100) and its signature; the SPDK first verifies the signature using the TEE's public key and, after the verification passes, reads the value of variable a and the value of variable b corresponding to block 100.
In another embodiment, the SPDK receives GetKey (a/block 100) and GetKey (b/block 100) and their respective signatures, the SPDK first verifies each signature using the public key of the TEE, and after the verification passes, the SPDK reads the value of variable a corresponding to block 100 and the value of variable b corresponding to block 100, respectively.
In step S207, the SPDK sends a read result to the trusted execution environment through the computing device, where the read result includes the permission information and the data D1 corresponding to the same block.
Referring to fig. 1, after reading the values of variables a and b corresponding to the same block, the SPDK signs the read result formed by the two values with its own private key and sends the read result and its signature to the computing device 11, which provides them to the TEE; as described above, the value of variable a represents the authority of account A and the value of variable b is the data D1 to be read.
In one embodiment, where the data read request specifies the block to which the data corresponds, the SPDK may additionally include that block's number in the read result. For example, for the read requests GetMultiKey(a, b/block 100), GetMultiKey(a,100), GetKey(a/block 100) and the like, the SPDK may include the block number of block 100 in the corresponding read result. It is to be understood that identifying the block by its block number is only an example; the embodiments of the present specification are not limited to this.
Step S209, after receiving the reading result, the TEE verifies the authority of the account A based on the authority information according to the verification logic in the contract 1.
After receiving the read result and its signature, the TEE verifies the signature with the SPDK's public key; if the verification passes, the TEE verifies the authority of account A using the value of variable a. For example, in read(b) described above the permission verification logic is defined by an if … else … statement: if the value of variable a is greater than 10, the value of variable b is returned, otherwise "insufficient permission" is returned. Accordingly the TEE first determines whether the value of variable a is greater than 10; if so, it instructs the computing device 11 to return the value of variable b to the user device, otherwise it instructs the computing device 11 to return "insufficient permission" to the user device.
In one embodiment, to protect private data the SPDK stores the data in encrypted form. In that case the TEE, after the signature verification, first decrypts the encrypted data it has read using a predetermined key, thereby obtaining the values of variables a and b, and then verifies the authority of account A based on the value of variable a.
In another embodiment, where the read result includes a block number, the TEE may verify that this block number is consistent with the block number in the data read request, and verify the account authority only if they are consistent.
Step S211, in case of passing the verification, the TEE returns the data D1 to the user equipment through the computing device.
If the verification passes, the TEE signs the value of variable b and provides it to the computing device 11, instructing the computing device 11 to return the value of variable b and its signature to the user device. Returning the value of variable b together with its signature prevents the blockchain node from tampering with it.
According to the above scheme for executing a transaction, the permission information access request and the data access request are bound to each other and sent to the trusted storage device, so that the trusted storage device returns matching permission information and access data to the trusted execution environment, which then verifies the user's permission. A malicious blockchain node therefore cannot use an expired permission to access newly added data of the blockchain, and the transaction execution result is more trustworthy.
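The exchange of steps S203 to S211, as an added worked example that is not part of the patent and not the applicant's code: two Go parties holding Ed25519 key pairs play the SPDK and the TEE, the untrusted computing device is a relay function that may alter what passes through it, and the sample world states, the JSON wire form, and the names Msg, Signed, Party, Relay, Read, ReadB, Honest, Tamper and Replay are all assumptions of this example. It goes slightly beyond the text by running three node behaviours through the same code path: an honest relay, one that edits the permission value inside the signed result, and one that replays an older, validly signed result.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Constructed sample states: block 100 still grants account A permission (a = 20 > 10); at block 101 it was revoked (a = 5) and new data landed in b.
var sampleStates = map[uint64]map[string]int64{100: {"a": 20, "b": 7}, 101: {"a": 5, "b": 42}}

type (
	// Msg is an assumed wire form for both GetMultiKey(a, b / block N) (Keys set,
	// Block 0 = latest) and its result (Values from ONE block, Block echoing it).
	Msg struct {
		Keys   []string
		Block  uint64
		Values map[string]int64
	}
	Signed struct{ Body, Sig []byte } // JSON-encoded Msg plus Ed25519 signature over it
	Party  struct {                   // one instance plays the SPDK, another the TEE
		Pub  ed25519.PublicKey
		priv ed25519.PrivateKey
	}
	Relay func(st, tee *Party, resp Signed) Signed // the untrusted node in between
)

func NewParty() *Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Party{pub, priv}
}
func (p *Party) sign(m Msg) Signed {
	body, _ := json.Marshal(m)
	return Signed{body, ed25519.Sign(p.priv, body)}
}

// open verifies peer's signature before anything in the body is trusted.
func open(peer ed25519.PublicKey, s Signed) (m Msg, err error) {
	if !ed25519.Verify(peer, s.Body, s.Sig) {
		return m, fmt.Errorf("bad signature")
	}
	err = json.Unmarshal(s.Body, &m)
	return
}

// Read (storage side): verify the TEE's request, read every key from the same
// block, and sign the result so the relaying node cannot alter it in transit.
func (st *Party) Read(teePub ed25519.PublicKey, req Signed) (Signed, error) {
	r, err := open(teePub, req)
	if err != nil {
		return Signed{}, fmt.Errorf("storage: %w", err)
	}
	if r.Block == 0 {
		r.Block = 101 // latest block in the sample data
	}
	state, ok := sampleStates[r.Block]
	if !ok {
		return Signed{}, fmt.Errorf("storage: no state for block %d", r.Block)
	}
	res := Msg{Block: r.Block, Values: map[string]int64{}}
	for _, k := range r.Keys {
		res.Values[k] = state[k]
	}
	return st.sign(res), nil
}

// ReadB (TEE side) is read(b): sign GetMultiKey(a, b / block), send it via the relay,
// verify the storage signature and echoed block number, then apply the a > 10 rule.
func (tee *Party) ReadB(st *Party, block uint64, relay Relay) (int64, error) {
	resp, err := st.Read(tee.Pub, tee.sign(Msg{Keys: []string{"a", "b"}, Block: block}))
	if err != nil {
		return 0, err
	}
	res, err := open(st.Pub, relay(st, tee, resp))
	if err != nil {
		return 0, fmt.Errorf("tee: %w", err)
	}
	if block != 0 && res.Block != block {
		return 0, fmt.Errorf("tee: asked block %d, result is for block %d", block, res.Block)
	}
	if res.Values["a"] <= 10 {
		return 0, fmt.Errorf("insufficient permission")
	}
	return res.Values["b"], nil
}

// Honest forwards; Tamper edits the revoked a=5 to a=20 inside the signed body;
// Replay substitutes a validly signed block-100 result kept from an earlier transaction.
func Honest(_, _ *Party, r Signed) Signed { return r }
func Tamper(_, _ *Party, r Signed) Signed {
	return Signed{bytes.Replace(r.Body, []byte(`"a":5`), []byte(`"a":20`), 1), r.Sig}
}
func Replay(st, tee *Party, _ Signed) Signed {
	old, _ := st.Read(tee.Pub, tee.sign(Msg{Keys: []string{"a", "b"}, Block: 100}))
	return old
}

func main() {
	st, tee := NewParty(), NewParty()
	fmt.Println(tee.ReadB(st, 101, Tamper)) // 0 tee: bad signature
}
```

With a pinned block, `tee.ReadB(st, 100, Honest)` returns 7, `tee.ReadB(st, 101, Honest)` fails with "insufficient permission" because permission and data are read from the same block, the tampered result fails the SPDK signature check, and a replayed block-100 result against a request for block 101 is rejected by the block-number comparison of the embodiment that echoes the block number back. A fifth call, `tee.ReadB(st, 0, Replay)`, is the caveat a deployer should note: when the TEE asks for the latest block it has no block number to compare against, so a replayed older result with a valid signature is accepted; permission and data are still consistent with each other, but both are stale. A nonce carried in the signed request and echoed in the signed result would close that gap; the patent text does not describe one. Signing the returned value of b for the user device (step S211) is omitted from the example for brevity.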
Fig. 3 is an architecture diagram of a blockchain system according to an embodiment of the present disclosure, including a computing device 31 and a trusted storage device 32, where the computing device 31 includes a trusted execution environment 311 therein, and the trusted storage device 32 stores therein data of the blockchain, and the blockchain system is configured to perform the method shown in fig. 2, where,
the trusted execution environment 311 is configured to obtain a first transaction, where the first transaction is sent by a user equipment based on a first account, a first contract is invoked in the first transaction, the first contract includes a data read request requesting to read permission information and first data of the first account, and the permission information and the first data are limited to correspond to the same block by the data read request; sending, by the computing device 31, a data read request in the first contract to the trusted storage 32;
the trusted storage device 32 is configured to perform data reading after receiving the data reading request, and send a reading result to the trusted execution environment 311 through the computing device 31, where the reading result includes the authority information and the first data corresponding to the same block;
the trusted execution environment 311 is further configured to verify the authority of the first account based on the authority information according to a verification logic in the first contract after receiving the reading result, and in case of passing the verification, return the first data to the user equipment through the computing device 31.
In one embodiment, the first contract includes a first read request requesting a batch read of the permission information and the first data.
In one embodiment, the first contract includes a second read request and a third read request, wherein the second read request is used for requesting to read the permission information corresponding to the first block, and the third read request is used for requesting to read the first data corresponding to the first block.
In one embodiment, the trusted execution environment 311 being configured to send the data read request in the first contract to the trusted storage device 32 through the computing device 31 comprises the trusted execution environment 311 being configured to sign the data read request and send the data read request and its signature to the trusted storage device 32 through the computing device 31;
the trusted storage device 32 being configured to perform data reading after receiving the data read request and send a read result to the trusted execution environment 311 through the computing device 31 comprises the trusted storage device 32 being configured to verify the signature after receiving the data read request and its signature and, if the verification passes, perform data reading based on the data read request, sign the read result, and send the read result and its signature to the trusted execution environment 311 through the computing device 31.
In one embodiment, the first data is a second variable, and the first contract defines that the values of the permission information and the second variable correspond to world states determined by the same block.
In one embodiment, the first data is a first block, and the first contract defines that the permission information corresponds to the first block.
In an embodiment, the first data is a second variable and the data read request further includes a block identifier of a second block; the trusted storage device 32 being configured to perform data reading based on the data read request comprises the trusted storage device 32 being configured to read the data corresponding to the second block based on that block identifier.
In one embodiment, the read result includes a block identifier of the second block, and the trusted execution environment 311 is further configured to verify whether the block identifier in the read result is consistent with the block identifier in the data read request after receiving the read result.
Fig. 4 shows a block chain node structure diagram according to an embodiment of the present disclosure, where the block chain node includes the above-mentioned computing device 31 and the trusted storage device 32, where the computing device 31 includes the trusted execution environment 311 therein, and the block chain node is used for executing the method shown in fig. 2.
Another aspect of the present specification provides a computer readable storage medium having a computer program stored thereon, which, when executed in a computer, causes the computer to perform any one of the above methods.
Another aspect of the present specification provides a computing device comprising a memory having stored therein executable code, and a processor that, when executing the executable code, implements any of the methods described above.
It is to be understood that the terms "first," "second," and the like, herein are used for descriptive purposes only and not for purposes of limitation, to distinguish between similar concepts.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
It will further be appreciated by those of ordinary skill in the art that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented in electronic hardware, computer software, or a combination of both, and that the components and steps of the examples have been described above in general functional terms to illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends on the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementation decisions should not be interpreted as a departure from the scope of the present application. The software modules may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (17)

1. A method of performing transactions in a blockchain, performed by a blockchain node comprising a trusted execution environment in a computing device, the method comprising:
the trusted execution environment acquires a first transaction, the first transaction is sent by user equipment based on a first account, a first contract is called in the first transaction, the first contract comprises a data reading request for requesting to read authority information used for verifying the authority of the first account and first data, and the authority information and the first data are limited to correspond to the same block through the data reading request;
the trusted execution environment sends the data reading request to a trusted storage device through the computing device, and the trusted storage device stores the data of the block chain;
the trusted storage device reads data after receiving the data reading request, and sends a reading result to the trusted execution environment through the computing device, wherein the reading result comprises the authority information and the first data corresponding to the same block;
after receiving the reading result, the trusted execution environment verifies the authority of the first account based on the authority information according to verification logic in the first contract, and if the verification is passed, the first data is returned to the user equipment through the computing device.
2. The method of claim 1, wherein the first contract comprises a first read request requesting bulk reading of the permission information and the first data.
3. The method of claim 1, wherein the first contract comprises a second read request and a third read request, wherein the second read request requests reading of permission information corresponding to a first block, and the third read request requests reading of first data corresponding to the first block.
4. The method of any of claims 1-3, wherein the trusted execution environment sending, by the computing device, the data read request in the first contract to a trusted storage device comprises the trusted execution environment signing the data read request, sending the data read request and its signature to a trusted storage device by the computing device;
the trusted storage device reads data after receiving the data reading request and sends a reading result to the trusted execution environment through the computing device, and the trusted storage device verifies the signature after receiving the data reading request and the signature thereof, and when the signature passes, reads data based on the data reading request, signs the reading result and sends the reading result and the signature thereof to the trusted execution environment through the computing device.
5. A method as claimed in any one of claims 1 to 3, wherein the first data is a first block and the first contract defines that the rights information corresponds to the first block.
6. The method of claim 2, wherein the first data is a second variable, the data read request further includes a block identifier of a second block, and the trusted storage device reads data based on the data read request includes the trusted storage device reading data corresponding to the second block based on the block identifier of the second block.
7. The method of claim 6, wherein the read result includes a block identification of the second chunk, the method further comprising the trusted execution environment verifying, after receiving the read result, whether the block identification in the read result is consistent with the block identification in the data read request.
8. The method of any of claims 1-3, wherein the blockchain node comprises the trusted storage.
9. A blockchain system comprising a computing device including a trusted execution environment therein and a trusted storage device having data of the blockchain stored therein, wherein,
the trusted execution environment is used for acquiring a first transaction, the first transaction is sent by user equipment based on a first account, a first contract is called in the first transaction, the first contract comprises a data reading request for requesting to read permission information for the first account and first data, and the permission information and the first data are limited to correspond to the same block through the data reading request; sending, by the computing device, the data read request to the trusted storage;
the trusted storage device is used for reading data after receiving the data reading request and sending a reading result to the trusted execution environment through the computing device, wherein the reading result comprises the authority information and the first data corresponding to the same block;
the trusted execution environment is further configured to verify the authority of the first account based on the authority information according to verification logic in the first contract after receiving the reading result, and in case of passing the verification, return the first data to the user equipment through the computing device.
10. The system of claim 9, wherein the first contract comprises a first read request requesting bulk reads of the permission information and the first data.
11. The system of claim 9, wherein the first contract comprises a second read request and a third read request, wherein the second read request requests reading of permission information corresponding to a first block, and the third read request requests reading of first data corresponding to the first block.
12. The system of any of claims 9-11, wherein the trusted execution environment to send, by the computing device, the data read request in the first contract to a trusted storage device comprises the trusted execution environment to sign the data read request, send the data read request and its signature to a trusted storage device by the computing device;
the trusted storage device is used for reading data after receiving the data reading request and sending a reading result to the trusted execution environment through the computing device, and the trusted storage device is used for verifying the signature after receiving the data reading request and the signature thereof, and in the case of passing the verification, reading the data based on the data reading request, signing the reading result and sending the reading result and the signature thereof to the trusted execution environment through the computing device.
13. The system of any of claims 9-11, wherein the first data is a first block, the first contract defining the privilege information to correspond to the first block.
14. The system of claim 10, wherein the first data is a second variable, the data read request further includes a block identifier of a second block, the trusted storage device is configured to read data based on the data read request includes the trusted storage device is configured to read data corresponding to the second block based on the block identifier of the second block.
15. The system of claim 14, wherein the read result includes a block identification of the second chunk, the trusted execution environment further to verify, after receiving the read result, whether the block identification in the read result is consistent with the block identification in the data read request.
16. The system of any of claims 9-11, wherein the blockchain system includes blockchain nodes that include the computing device and the trusted storage device.
17. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-8.
CN202111109486.9A 2021-04-28 2021-04-28 Method for executing transaction in block chain and block chain system Pending CN113658005A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111109486.9A CN113658005A (en) 2021-04-28 2021-04-28 Method for executing transaction in block chain and block chain system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111109486.9A CN113658005A (en) 2021-04-28 2021-04-28 Method for executing transaction in block chain and block chain system
CN202110465875.9A CN112884585B (en) 2021-04-28 2021-04-28 Method for executing transaction in block chain and block chain system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202110465875.9A Division CN112884585B (en) 2021-04-28 2021-04-28 Method for executing transaction in block chain and block chain system

Publications (1)

Publication Number Publication Date
CN113658005A true CN113658005A (en) 2021-11-16

Family

ID=76040206

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202111109486.9A Pending CN113658005A (en) 2021-04-28 2021-04-28 Method for executing transaction in block chain and block chain system
CN202110465875.9A Active CN112884585B (en) 2021-04-28 2021-04-28 Method for executing transaction in block chain and block chain system

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202110465875.9A Active CN112884585B (en) 2021-04-28 2021-04-28 Method for executing transaction in block chain and block chain system

Country Status (1)

Country Link
CN (2) CN113658005A (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113658005A (en) * 2021-04-28 2021-11-16 支付宝(杭州)信息技术有限公司 Method for executing transaction in block chain and block chain system
CN113379419B (en) * 2021-06-25 2022-08-16 远光软件股份有限公司 Transaction information access method and system and computer equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110580418A (en) * 2019-11-08 2019-12-17 支付宝(杭州)信息技术有限公司 Private data query method and device based on block chain account
CN110580413A (en) * 2019-11-08 2019-12-17 支付宝(杭州)信息技术有限公司 Private data query method and device based on down-link authorization
CN110602050A (en) * 2018-04-28 2019-12-20 腾讯科技(深圳)有限公司 Authentication method and device for block chain access, storage medium and electronic device
CN111767097A (en) * 2020-08-31 2020-10-13 支付宝(杭州)信息技术有限公司 Method and device for calling intelligent contract, electronic equipment and storage medium
WO2020238255A1 (en) * 2019-05-30 2020-12-03 创新先进技术有限公司 Smart contract management method and apparatus based on blockchain, and electronic device
CN112884585A (en) * 2021-04-28 2021-06-01 支付宝(杭州)信息技术有限公司 Method for executing transaction in block chain and block chain system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111008228A (en) * 2020-03-09 2020-04-14 支付宝(杭州)信息技术有限公司 Method and device for inquiring account privacy information in block chain
CN111797415A (en) * 2020-06-30 2020-10-20 远光软件股份有限公司 Block chain based data sharing method, electronic device and storage medium
CN111753311B (en) * 2020-08-28 2020-12-15 支付宝(杭州)信息技术有限公司 Method and device for safely entering trusted execution environment in hyper-thread scene

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
YONG WANG ETC.: "Hybridchain: A Novel Architecture for Confidentiality-Preserving and Performant Permissioned Blockchain Using Trusted Execution Environment", IEEE ACCESS, vol. 8, 19 October 2020 (2020-10-19), XP011816982, DOI: 10.1109/ACCESS.2020.3031889 *
张青禾: "区块链中的身份识别和访问控制技术研究", 中国优秀硕士论文电子期刊网, 15 January 2019 (2019-01-15) *
黄洁华;高灵超;许玉壮;白晓敏;胡凯;: "众筹区块链上的智能合约设计", 信息安全研究, no. 03, 5 March 2017 (2017-03-05) *

Also Published As

Publication number Publication date
CN112884585B (en) 2021-08-20
CN112884585A (en) 2021-06-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination