CN114070584B - Secret calculation method, device, equipment and storage medium - Google Patents

Info

Publication number: CN114070584B
Authority: CN (China)
Prior art keywords: data, contract, confidential, engine, execution environment
Legal status: Active
Application number: CN202111204187.3A
Other languages: Chinese (zh)
Other versions: CN114070584A
Inventors: 舒俊宜, 郭京申, 朱晓旻
Current assignee: Beijing Zhirong Yunhe Technology Co ltd
Original assignee: Beijing Zhirong Yunhe Technology Co ltd
Events: application filed by Beijing Zhirong Yunhe Technology Co ltd; priority to CN202111204187.3A; publication of CN114070584A; application granted; publication of CN114070584B; legal status active.

Classifications

    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/6236 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects (e.g. local or distributed file system or database) between heterogeneous systems
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/104 Peer-to-peer [P2P] networks
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The application provides a secret calculation method, device, equipment and storage medium, and belongs to the technical field of distributed ledgers. The method solves the problem of how to complete the calculation of confidential data based on a single node of a distributed ledger. The method comprises the following steps: after the data usage contract passes the audit of the data holding node, receiving the data acquisition contract sent by the data holding node, where the data usage contract is used to restrict the process of using the confidential data and the data acquisition contract is used to call the data management contract of the data holding node to obtain the confidential data; running the data usage contract with a first contract engine and splitting the confidential part of the data usage contract into a trusted execution environment; and running the confidential part of the data usage contract and the data acquisition contract with an execution engine in the trusted execution environment to generate a data calculation result.

Description

Secret calculation method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of distributed ledger processing, and in particular, to a secret computing method, apparatus, device, and storage medium.
Background
A blockchain has the characteristics of decentralization, traceability and non-repudiation. Nodes in the blockchain can store data usage details by generating blocks, so that data usage can later be verified; this makes blockchain technology a natural fit for data sharing in a big data environment. Blockchain technology records all states of the original data, the data usage method and so on in the ledger, and network-wide storage makes the data and the computation credible, so the holder of the data can query the original data and the data usage method from the ledger through any node, and the data usage process can be supervised and verified.
However, in a big data environment different data originate from different platforms, and storing the original data publicly in blocks sacrifices its confidentiality and harms its holder. Some confidential data cannot be used in this way at all; for example, abuse of high-precision map data may jeopardize national security.
How to complete the computation of confidential data based on a single node of a blockchain is therefore an urgent problem to be solved.
Disclosure of Invention
The embodiments of the present application provide a secret calculation method, device, equipment and storage medium, which solve the problem of how to complete the calculation of confidential data based on a single node of a distributed ledger.
A first aspect of the embodiments of the present application provides a secret calculation method applied to any node in a distributed ledger system, including: after the data usage contract passes the audit of the data holding node, receiving the data acquisition contract sent by the data holding node, where the data usage contract is used to restrict the process of using the confidential data and the data acquisition contract is used to call the data management contract of the data holding node to obtain the confidential data;
running the data usage contract with a first contract engine and splitting the confidential part of the data usage contract into a trusted execution environment;
and running the confidential part of the data usage contract and the data acquisition contract with an execution engine in the trusted execution environment to generate a data calculation result.
Optionally, running the confidential part of the data usage contract and the data acquisition contract with an execution engine in the trusted execution environment to generate a data calculation result includes:
running the data acquisition contract with the execution engine in the trusted execution environment to obtain the encrypted method, where the encrypted method is produced when a second contract engine intercepts a public method marked with an encryption annotation in the data management contract, and the second contract engine is the smart contract engine of the data holding node;
running the encrypted method with the execution engine in the trusted execution environment to generate the confidential data;
and running the confidential part of the data usage contract and the confidential data with the execution engine in the trusted execution environment to generate the data calculation result.
Optionally, the method further includes:
running the data management contract with the first contract engine to obtain the node identifier of the data holding node, so that the data usage contract obtains the first server address of the data holding node from the node identifier;
adding the first server address to the configuration file of the trusted execution environment, so that a decryption key is obtained from the first server address after the trusted execution environment is generated;
and running the encrypted method with the execution engine in the trusted execution environment to generate the confidential data includes:
running the decryption key and the encrypted method with the execution engine, so that the encrypted method is decrypted with the decryption key to obtain the confidential data.
Optionally, the method further includes:
writing at least one analysis method according to the data usage logic and the data application scenario, and applying a confidentiality annotation to those of the at least one analysis method that involve confidential computation, to obtain at least one analysis method carrying the confidentiality annotation;
generating the data usage contract from the at least one analysis method carrying the confidentiality annotation;
and running the data usage contract with the first contract engine and splitting the confidential part of the data usage contract into the trusted execution environment includes:
intercepting, by running the first contract engine, the at least one analysis method carrying the confidentiality annotation, taking it as the confidential part of the data usage contract, and loading the confidential part of the data usage contract into the trusted execution environment.
Optionally, the method further includes:
adding a second server address to the configuration file of the trusted execution environment, so that an encryption key is obtained from the second server address after the trusted execution environment is generated;
and running the confidential part of the data usage contract and the data acquisition contract with the execution engine in the trusted execution environment to generate a data calculation result includes:
running the encryption key and the at least one analysis method carrying the confidentiality annotation with the execution engine in the trusted execution environment to obtain a confidential calculation result.
A second aspect of the embodiments of the present application provides a confidential computing device located at any node in a distributed ledger system, the device including:
a receiving module for receiving the data acquisition contract sent by the data holding node after the data usage contract passes the audit of the data holding node, where the data usage contract is used to restrict the process of using the confidential data and the data acquisition contract is used to call the data management contract of the data holding node to obtain the confidential data;
a splitting module for running the data usage contract with a first contract engine to split the confidential part of the data usage contract into a trusted execution environment;
and a first running module for running the confidential part of the data usage contract and the data acquisition contract with an execution engine in the trusted execution environment to generate a data calculation result.
Optionally, the first running module includes:
a first running submodule for running the data acquisition contract with the execution engine in the trusted execution environment to obtain the encrypted method, where the encrypted method is produced when a second contract engine intercepts a public method marked with an encryption annotation in the data management contract, and the second contract engine is the smart contract engine of the data holding node;
a second running submodule for running the encrypted method with the execution engine in the trusted execution environment to generate the confidential data;
and a third running submodule for running the confidential part of the data usage contract and the confidential data with the execution engine in the trusted execution environment to generate the data calculation result.
Optionally, the device further includes:
a second running module for running the data management contract with the first contract engine to obtain the node identifier of the data holding node, so that the data usage contract obtains the first server address of the data holding node from the node identifier;
a first adding module for adding the first server address to the configuration file of the trusted execution environment, so that the decryption key is obtained from the first server address after the trusted execution environment is generated;
and the second running submodule includes a running subunit for running the decryption key and the encrypted method with the execution engine to generate the confidential data.
Optionally, the device further includes:
a writing module for writing at least one analysis method according to the data usage logic and the data application scenario;
an annotation module for applying a confidentiality annotation to those of the at least one analysis method that involve confidential computation, to obtain at least one analysis method carrying the confidentiality annotation;
a generation module for generating the data usage contract from the at least one analysis method carrying the confidentiality annotation;
and the splitting module includes:
an interception submodule for intercepting, by running the first contract engine, the at least one analysis method carrying the confidentiality annotation, taking it as the confidential part of the data usage contract, and loading the confidential part of the data usage contract into the trusted execution environment.
Optionally, the device further includes:
a second adding module for adding a second server address to the configuration file of the trusted execution environment, so that an encryption key is obtained from the second server address after the trusted execution environment is generated;
and the running module includes:
a third running submodule for running the encryption key and the at least one analysis method carrying the confidentiality annotation with the execution engine in the trusted execution environment to generate a confidential calculation result.
A third aspect of the embodiments of the present application provides a readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method as described in the first aspect of the present application.
A fourth aspect of the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of the method described in the first aspect of the present application when the processor executes the computer program.
At the data holding node, the data management contract is run by that node's smart contract engine, which intercepts the annotated analysis methods carried in the data management contract to obtain a data management contract recording the encrypted method, so that other nodes obtain the encrypted data from the data management contract when they run the data acquisition contract. The data using node then receives the data acquisition contract sent by the data holding node and runs it in the trusted execution environment to copy the confidential data from the data holding node: that is, the encrypted data is obtained from the data holding node by running the data acquisition contract, and the encrypted method is then run in the trusted execution environment to decrypt the encrypted data and obtain the confidential data. Meanwhile, the data using node defines how the confidential data is used by generating the annotated data usage contract; the encrypted data and the confidential part of the data usage contract are run by the execution engine in the trusted execution environment, and the decrypted data is applied to the analysis methods of the confidential part of the usage contract to obtain the calculation result. The whole process requires no separate development of confidential data calculation steps adapted to the trusted execution environment: the calculation steps involving confidential data are split into the trusted execution environment simply and quickly just by running the data usage contract, the data management contract and the data acquisition contract with the smart contract engine.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments of the present application will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of steps of a secret calculation method of an embodiment of the present application;
FIG. 2 is a schematic diagram of a confidential computing framework in accordance with an embodiment of the present application;
FIG. 3 is a functional block diagram of a confidential computing device in an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
To reconcile confidential computation over confidential data with supervision of that computation, the related art places a trusted execution environment in the nodes of the distributed ledger, computes the confidential data obtained from different data holding nodes inside the trusted execution environment, uses the verifiability of blockchain technology to guarantee that the data was obtained legitimately and that its participation in the computation is recorded, and relies on the trusted execution environment to ensure that the details of the confidential computation cannot be maliciously obtained.
However, the data application process is complex, and the trusted execution environment differs from the conventional operating environment of a blockchain node. Splitting the steps involving confidential data out of a complex calculation into the trusted execution environment means those steps must be recompiled for the trusted execution environment, which involves a huge amount of development and consumes manpower and material resources.
For example, in the development of high-precision maps, the data computation involved includes, but is not limited to, calculating the geographic data of secret-related units, such as the longitude and latitude of each region, the longitude and latitude of each landmark building, satellite data and altitude. Extracting these steps from the complex procedure and separately developing a calculation method for the secret-related units in the trusted execution environment is a huge workload.
In view of the above problems, an embodiment of the present application proposes a secret calculation method that runs smart contracts with the smart contract engine of a node in the distributed ledger system and splits the calculation steps involving confidential data into the trusted execution environment, without re-developing calculation steps adapted to the trusted execution environment, which is simple and fast.
FIG. 1 is a flowchart of the steps of a secret calculation method according to an embodiment of the present application. As shown in FIG. 1, the method is applied to any node in a distributed ledger system and includes the steps described below.
The data sharing method provided by the embodiment of the present application is applied to any node in the distributed ledger system. The distributed ledger system is a distributed network formed by a plurality of nodes according to a peer-to-peer (P2P) communication protocol; there is no central server in the distributed ledger system, and every node has the same nature, function, transmission mode and so on.
The nodes may be computers, mobile terminals or other intelligent devices provided with a blockchain system.
Step S11: after the data usage contract passes the audit of the data holding node, receive the data acquisition contract sent by the data holding node. The data usage contract is used to restrict the process of using the confidential data, and the data acquisition contract is used to call the data management contract of the data holding node to obtain the confidential data. The data acquisition contract is a contract written by the data holding node and sent to other nodes so that they can obtain confidential data from the data holding node; it provides the other nodes with the means to call the data management contract local to the data holding node.
When a user wants to obtain data from different data holders and use it in the computation of a local project, any node in the distributed ledger system can act as the data using node; the node in the distributed ledger system that holds the relevant data acts as the data holding node, and the data is obtained from the data holding node. Finally, the obtained data and the data usage contract are loaded together into a trusted execution environment to complete the computation of the project. The trusted execution environment may be at the data using node or at another node of the distributed ledger system.
The data usage process includes data application logic, data usage scenarios, data usage conditions and so on. In the embodiments of the present application, the data usage process also includes the data application logic to which the confidential data relates.
The data using node writes the data usage contract according to the data application logic and the data usage scenario, obtaining a logic program that executes automatically once its triggering condition is met; when the audit is passed, the logic program runs on the node that has the trusted execution environment, which realizes the splitting of the calculation steps.
After the data using node obtains the data usage contract, it sends the data usage contract to the data holding node for audit. After the data holding node passes the audit, it writes a number of read/write interfaces for the relevant data it provides, defines public methods for these read/write interfaces, encrypts the public methods that involve confidential data with a local key to obtain the data management contract, and writes for the data management contract a data acquisition contract that can call the data in the data management contract. A node with the appropriate authority may invoke the public methods to obtain the confidential data. The encrypted data is provided by means of the data management contract, which provides the basis for decrypting the encrypted data in the trusted execution environment.
Another embodiment of the present application provides a specific method for generating the data usage contract. FIG. 2 is a schematic diagram of a confidential computing framework according to an embodiment of the present application. As shown in FIG. 2, by running, with the smart contract engine, a data usage contract generated according to the method provided in this embodiment, a confidential part suitable for the trusted execution environment and a part that can run in the node's general environment are obtained. The node's general environment refers to the distributed environment of the node.
The method includes the following steps. Step S21: write at least one analysis method according to the data usage logic and the data application scenario. Illustratively, to compare the sales of platform A and platform B, four analysis methods are written: the first analysis method presets, according to the comparison range, that the sales of platform A are the sum of the sales of city 1 and city 2; the second analysis method calculates the sales of platform A from the original sales data of platform A; the third analysis method calculates the sales of platform B from the original sales data of platform B; and the fourth analysis method compares the sales of platform A and platform B.
Step S22: apply a confidentiality annotation to those of the at least one analysis method that involve confidential computation, to obtain the at least one analysis method carrying the confidentiality annotation. In one example of the present application, the confidentiality annotation may be @Confidential.
Step S23: generate the data usage contract from the at least one analysis method carrying the confidentiality annotation.
In one example of the present application, the specific computing task includes four analysis methods, of which the second to fourth analysis methods involve the use of confidential data; the data using node therefore marks the second to fourth analysis methods with the confidentiality annotation and then obtains the data usage contract from the first to fourth analysis methods.
Step S12: run the data usage contract with a first contract engine and split the confidential part of the data usage contract into a trusted execution environment.
The first contract engine is the smart contract engine of the computing node, and the contract engine of the computing node is the smart contract engine preset in all nodes of the distributed ledger system. The computing node is a node in the distributed ledger system that supports the technology for generating a trusted execution environment; it may be the data using node or another node in the distributed ledger system.
The data usage contract includes at least one analysis method carrying the confidentiality annotation, so running the data usage contract with the first contract engine intercepts, on the basis of the confidentiality annotation, the at least one analysis method, that is, the analysis methods involving confidential data. The intercepted analysis methods involving confidential data are taken as the confidential part of the data usage contract, and the confidential part is loaded into the trusted execution environment.
Step S12-1: intercept, by running the first contract engine, the at least one analysis method carrying the confidentiality annotation, obtain the confidential part of the data usage contract, and load the confidential part of the data usage contract into the trusted execution environment.
In one example of the present application, the specific steps by which the first contract engine intercepts the at least one analysis method carrying the confidentiality annotation include: performing lexical analysis on the at least one analysis method and dividing it into lexical units; parsing the lexical units to obtain a parse tree, where the lexical units include call identifiers consisting of a function name and brackets, the dynamic call identifiers apply and call, and constructor call identifiers; traversing the parse tree with regular expressions to obtain the dependency functions associated with the at least one analysis method; and splitting the dependency functions out as part of the confidential part of the data usage contract, so that the calculation steps in the data usage contract that involve confidential data are split out completely.
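As an added example (not the patent's own code), the following JavaScript sketches a first contract engine of the kind described in steps S21 to S23 and S12-1: it performs a lexical analysis of a constructed data usage contract modelled on the platform A / platform B example, finds the methods marked @Confidential, follows direct, .call/.apply and constructor-call dependencies, and splits the confidential part from the part that stays in the node's general environment. The contract text, the function names and the use of a line comment as the annotation are assumptions.

```javascript
// Added example, not the patent's code: a minimal "first contract engine" splitter that
// tokenizes a data-usage contract, finds functions annotated @Confidential, follows their
// static dependencies (f(), f.call/f.apply, new f) and splits out the confidential part.

// Constructed sample contract modelled on the patent's platform A / B example. The annotation
// is a line comment (JavaScript has none); sumSales is unannotated but a dependency of them.
const CONTRACT_SOURCE = `
function presetRange(cities) { return cities.filter(function (c) { return c === "city1" || c === "city2"; }); }
function sumSales(rows) { return rows.reduce(function (s, r) { return s + r.amount; }, 0); }
// @Confidential
function platformASales(rawA) { return sumSales.apply(null, [rawA]); }
// @Confidential
function platformBSales(rawB) { return sumSales(rawB); }
// @Confidential
function compareSales(rawA, rawB) { return platformASales(rawA) - platformBSales(rawB); }
function dataInterface(result) { return { encrypted: result }; }
`;

// Lexical analysis: comments, strings, identifiers, numbers, whitespace, single punctuation.
const TOKEN_RE = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[A-Za-z_$][\w$]*|\d+|\s+|./g;
const TYPES = [[/^\/[\/*]/, "comment"], [/^\s/, "space"], [/^["']/, "string"],
               [/^[A-Za-z_$]/, "ident"], [/^\d/, "number"]];

function tokenize(src) {
  const toks = [];
  for (let m; (m = TOKEN_RE.exec(src)) !== null;) {
    const hit = TYPES.find(([re]) => re.test(m[0]));
    toks.push({ type: hit ? hit[1] : "punct", text: m[0], start: m.index, end: m.index + m[0].length });
  }
  return toks;
}

// Index of the next (step 1) or previous (step -1) token that is neither whitespace nor comment.
function solid(toks, i, step) {
  for (let j = i + step; j >= 0 && j < toks.length; j += step)
    if (toks[j].type !== "space" && toks[j].type !== "comment") return j;
  return -1;
}

// Parse top-level function declarations into a name -> { annotated, body, text } map.
function parseFunctions(src) {
  const toks = tokenize(src), funcs = new Map();
  for (let i = 0; i < toks.length; i++) {
    if (toks[i].type !== "ident" || toks[i].text !== "function") continue;
    const n = solid(toks, i, 1);
    if (n < 0 || toks[n].type !== "ident") continue; // anonymous function expression
    let j = i - 1; // the annotation is the comment directly above the declaration
    while (j >= 0 && toks[j].type === "space") j--;
    const annotated = j >= 0 && toks[j].type === "comment" && toks[j].text.includes("@Confidential");
    let k = n; // body: first "{" after the parameter list up to its matching "}"
    while (!(toks[k].type === "punct" && toks[k].text === "{")) k++;
    const bodyStart = k;
    for (let depth = 0; k < toks.length; k++) {
      if (toks[k].type !== "punct") continue;
      if (toks[k].text === "{") depth++;
      else if (toks[k].text === "}" && --depth === 0) break;
    }
    funcs.set(toks[n].text, { name: toks[n].text, annotated,
      body: toks.slice(bodyStart, k + 1), text: src.slice(toks[i].start, toks[k].end) });
    i = k; // skip the body so nested function expressions are not taken as top-level
  }
  return funcs;
}

// Contract functions a body depends on, found as f(...), f.call/f.apply(...) or new f(...).
function dependencies(fn, known) {
  const deps = new Set(), b = fn.body;
  for (let i = 0; i < b.length; i++) {
    if (b[i].type !== "ident" || !known.has(b[i].text)) continue;
    const nx = solid(b, i, 1), pv = solid(b, i, -1);
    const nx2 = nx >= 0 && b[nx].text === "." ? solid(b, nx, 1) : -1;
    const direct = nx >= 0 && b[nx].text === "(";
    const dynamic = nx2 >= 0 && (b[nx2].text === "call" || b[nx2].text === "apply");
    const ctor = pv >= 0 && b[pv].type === "ident" && b[pv].text === "new";
    if (direct || dynamic || ctor) deps.add(b[i].text);
  }
  return deps;
}

// The confidential part is the transitive closure of the annotated methods over dependencies.
function splitContract(src) {
  const funcs = parseFunctions(src), known = new Set(funcs.keys());
  const confidential = new Set();
  const stack = [...funcs.values()].filter((f) => f.annotated).map((f) => f.name);
  while (stack.length) {
    const name = stack.pop();
    if (confidential.has(name)) continue;
    confidential.add(name);
    for (const dep of dependencies(funcs.get(name), known)) stack.push(dep);
  }
  const names = (keep) => [...known].filter(keep).sort();
  const source = (list) => list.map((n) => funcs.get(n).text).join("\n");
  const conf = names((n) => confidential.has(n)), pub = names((n) => !confidential.has(n));
  return { confidential: conf, public: pub, teeSource: source(conf), nodeSource: source(pub) };
}

const split = splitContract(CONTRACT_SOURCE);
console.log("load into TEE:", split.confidential.join(", "), "| stay on node:", split.public.join(", "));
```

The unannotated sumSales ends up in the TEE part because the annotated methods call it, which is the "dependency function" step of S12-1.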
Step S13: run the confidential part of the data usage contract and the data acquisition contract with an execution engine in the trusted execution environment to generate a data calculation result.
Referring to FIG. 2, a data interface method may be set at the computing node, through which the data using node reads the data calculation results generated in the trusted execution environment. The data interface method is set in the non-confidential part of the data usage contract, and the first contract engine of the computing node runs the non-confidential part of the data usage contract sent to the computing node, so that the data using node can obtain the encrypted data calculation result by running a smart contract.
The execution engine in the trusted execution environment is a smart contract engine configured for the encryption, decryption, signing and other steps that run in the trusted execution environment and capable of carrying out those functions; it can reuse the I/O calling capability of the execution engine and can call the read/write interfaces in the data management contract.
At the data holding node, the node's smart contract engine runs the data management contract, intercepts the annotated analysis methods carried in it, and obtains a data management contract in which the encryption method is recorded, so that other nodes obtain the encrypted data of the data management contract when they run the data acquisition contract. The data use node then obtains the data holding node's encrypted data through the data acquisition contract: it receives the data acquisition contract transmitted by the data holding node and runs it in the trusted execution environment to copy the confidential data from the data holding node, that is, running the data acquisition contract fetches the encrypted data from the data holding node, and running the encryption method in the trusted execution environment decrypts it into the confidential data. Meanwhile, the data use node defines how the confidential data is used by generating the annotated data use contract; the execution engine in the trusted execution environment runs the encrypted data together with the confidential part of the data use contract, applying the encrypted data to the analysis methods of that confidential part to obtain the calculation result. The whole process needs no separate development of confidential-data calculation steps for the trusted execution environment: simply running the data use contract, the data management contract and the data acquisition contract through the smart contract engine splits the calculation steps related to confidential data into the trusted execution environment quickly and simply.
In another embodiment of the present application, running the confidential portion of the data usage contract and the data acquisition contract with an execution engine in the trusted execution environment to obtain a data calculation result includes:
running the data acquisition contract with the execution engine in the trusted execution environment to obtain an encryption method; the encryption method is the method run when a second contract engine intercepts a public method marked with an encryption annotation in the data management contract; the second contract engine is the smart contract engine of the data holding node.
Operating the encryption method by using an execution engine in the trusted execution environment to generate the confidential data;
The encryption annotation may be @Encrypt. The @Encrypt annotation takes a string as its parameter, with the basic format "algorithm abbreviation-key length-encryption mode", consistent with the naming format of the crypto library used by the execution engine in the trusted execution environment.
The data computation result is generated by running the confidential portion of the data usage contract and the confidential data with an execution engine in the trusted execution environment.
In order to determine simply and quickly, among the many public methods that correspond to the many read/write interfaces, which public methods call confidential data, that is, which public methods correspond to the read/write interfaces of the confidential data, and to encrypt those methods simply and quickly, the data holding node annotates the public methods that call confidential data. The smart contract engine of the data holding node runs the data management contract, intercepts the annotated methods, and encrypts them with the local key to obtain the confidential methods, i.e. the encrypted confidential data. This avoids the time and labor of separately developing methods for calling confidential data.
The execution engine in the trusted execution environment runs the data acquisition contract, which calls the read/write interface corresponding to the confidential data in the data management contract to obtain the confidential data; the engine then applies the confidential data to the confidential part of the data use contract, computes over it according to the analysis methods of that part, and generates the calculation result.
Another embodiment of the present application proposes a specific method by which the execution engine runs a data management contract to generate encrypted data. With continued reference to the confidential computing framework shown in fig. 2, the data management contract includes a public method whose result is encrypted, the node identifier of the data holding node, the encryption algorithm, and so on.
The first contract engine runs the data management contract to obtain the node identifier of the data holding node, so that the data use contract obtains the first server address of the data holding node from that node identifier.
The first contract engine of the computing node runs the data management contract to obtain the node identifier of the data holding node, and the first server address is looked up in the key registry by that node identifier. The first server address was registered by the local key server of the data holding node when the data holding node joined the distributed ledger system; that is, the first server address locates the key server of the data holding node.
Adding the first server address to a configuration file of the trusted execution environment, so that after the trusted execution environment is generated, a decryption key is obtained from the first server address; the decryption key is a key of the data holding node for decrypting encrypted confidential data in a trusted execution environment.
The smart contract engine of the computing node runs the non-confidential part of the data use contract and generates the trusted execution environment in a new process. Before the computing node generates the trusted execution environment, it obtains the first server address recorded in the data management contract by running the data acquisition contract and adds it to the configuration file. After the trusted execution environment is generated from the configuration file, it reads the first server address directly from the configuration file, sends the attestation report produced during its generation to the key server at the first server address, and obtains the key with which the data holding node encrypted the public method, i.e. the decryption key.
Running the encryption method with the execution engine in the trusted execution environment to generate the confidential data comprises: running the decryption key and the encryption method with the execution engine, so that the encryption method is decrypted with the decryption key to obtain the confidential data.
The execution engine in the trusted execution environment runs the decryption key and the encryption method: it decrypts the encrypted analysis method (the confidential method) in the data management contract with the decryption key to obtain the plaintext confidential data. Because that encrypted analysis method was fetched from the data management contract by running the data acquisition contract, the execution engine can, on that basis, run the confidential part of the data use contract over the plaintext confidential data and generate the calculation result.
In one example of the present application, the data management contract generated by data holding node A includes: a public method for the read/write interface of the longitude and latitude data of each region, a public method for the read/write interface of the longitude and latitude data of each landmark building, a public method for the read/write interface of satellite data, and a public method for the read/write interface of the geographic data of a secret-related unit. Only the public method for the read/write interface of the geographic data of the secret-related unit carries the confidentiality annotation. Data holding node A uses its local smart contract engine to intercept that annotated public method and encrypts it with its local key, that is, with the key of data holding node A that later serves as the decryption key, thereby obtaining the encrypted confidential data.
In another embodiment of the present application, before the computing node generates the trusted execution environment, the second server address is obtained from the key registry according to the node identifier of the data usage node, and then the second server address is added to the configuration file. The node identification of the data use node may be obtained by running the data use contract using the first contract engine, or may be obtained by requesting a node that transmits the data use contract when receiving the data use contract.
Adding the second server address to the configuration file of the trusted execution environment, so that after the trusted execution environment is generated, an encryption key is obtained from the second server address. Running the confidential part of the data use contract and the data acquisition contract with the execution engine in the trusted execution environment to generate a data calculation result then comprises: running the encryption key and the at least one analysis method carrying the confidentiality annotation with the execution engine in the trusted execution environment to obtain a confidential calculation result.
The encryption key is a key of the data use node for encrypting the calculation result in the trusted execution environment.
In this embodiment of the application, the encryption key of the data use node is obtained from the key registry; the confidential calculation over the encrypted data is performed in the trusted execution environment, and the calculation result is encrypted with the data use node's key and returned to the data use node. The data use node thus obtains the calculation result directly, the result travels between the nodes of the distributed ledger system only as ciphertext and cannot be obtained illegitimately by outsiders, and only the data use node can decrypt the result ciphertext with its local key to obtain the plaintext result.
Based on the same inventive concept, embodiments of the present application provide a confidential computing device. FIG. 3 is a functional block diagram of a confidential computing device in an embodiment of the present application. As shown in fig. 3, the apparatus includes:
a receiving module 31, configured to receive a data acquisition contract sent by a data holding node after a data use contract passes the audit of the data holding node; the data use contract is used for restricting the use process of the confidential data, and the data acquisition contract is used for calling the data management contract of the data holding node to obtain the confidential data;
a splitting module 32 for running the data use contract with the first contract engine to split the confidential part of the data use contract into the trusted execution environment;
a first execution module 33 for executing the confidential part of the data usage contract and the data acquisition contract by using an execution engine in the trusted execution environment to generate a data calculation result.
Optionally, the first execution module 33 includes:
a first execution submodule for running the data acquisition contract with the execution engine in the trusted execution environment to obtain an encryption method; the encryption method is the method run when a second contract engine intercepts a public method marked with an encryption annotation in the data management contract; the second contract engine is the smart contract engine of the data holding node;
A second operation sub-module, configured to operate the encryption method with an execution engine in the trusted execution environment, and generate and obtain the confidential data;
and a third execution sub-module for executing the confidential part of the data use contract and the confidential data by using an execution engine in the trusted execution environment to generate the data calculation result.
Optionally, the apparatus further comprises:
the second operation module is used for operating the data management contract by utilizing the first contract engine to obtain the node identification of the data holding node so that the data using contract obtains the first server address of the data holding node according to the node identification;
the first adding module is used for adding the first server address to the configuration file of the trusted execution environment so that the decryption key is obtained from the first server address after the trusted execution environment is generated;
the second operation submodule comprises: and the operation subunit is used for utilizing the execution engine to operate the decryption key and the encryption method to generate the confidential data.
Optionally, the apparatus further comprises:
the writing module is used for writing at least one analysis method according to the data use logic and the data application scene;
The annotation module is used for carrying out confidentiality annotation on the analysis method related to confidential calculation in the at least one analysis method to obtain at least one analysis method carrying the confidentiality annotation;
a generation module for generating the data use contract according to the at least one analysis method carrying confidentiality annotation;
the splitting module comprises:
and an interception sub-module for running the first contract engine to intercept the at least one analysis method carrying the confidentiality annotation, obtaining the confidential part of the data use contract, and loading the confidential part of the data use contract into the trusted execution environment.
Optionally, the apparatus further comprises:
the second adding module is used for adding a second server address to the configuration file of the trusted execution environment so as to obtain an encryption key from the second server address after the trusted execution environment is generated;
the first execution module comprises:
a third execution submodule for running the encryption key and the at least one analysis method carrying the confidentiality annotation with the execution engine in the trusted execution environment to obtain a confidential calculation result.
Based on the same inventive concept, another embodiment of the present application provides a readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the secret calculation method according to any of the embodiments of the present application.
Based on the same inventive concept, another embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor executes the steps in the secret calculation method according to any one of the foregoing embodiments of the present application.
For the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points.
In this specification, each embodiment is described in a progressive or illustrative manner, and each embodiment is mainly described by the differences from other embodiments, and identical and similar parts between the embodiments are mutually referred.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, the present embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus, and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the present application.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or terminal device comprising the element.
The foregoing detailed description of a secret calculation method, apparatus, device and storage medium provided in the present application has been presented only to assist in understanding the method and core ideas of the present application; meanwhile, as those skilled in the art will have modifications in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.

Claims (8)

1. A secret calculation method applied to any node in a distributed ledger system, the method comprising:
after the data using contract passes the audit of the data holding node, receiving the data acquisition contract sent by the data holding node; the data access contract is used for restricting the use process of the confidential data, and the data acquisition contract is used for calling the data management contract of the data holding node to obtain the confidential data;
running the data usage contract with a first contract engine, splitting a confidential portion of the data usage contract into a trusted execution environment;
running the data acquisition contract with an execution engine in the trusted execution environment to obtain an encryption method; the encryption method is the method run when a second contract engine intercepts a public method marked with an encryption annotation in the data management contract; the second contract engine is a smart contract engine of the data holding node;
Running the encryption method with an execution engine in the trusted execution environment to generate the confidential data;
and running the confidential part of the data using contract and the confidential data by using an execution engine in the trusted execution environment to generate a data calculation result.
2. The method according to claim 1, wherein the method further comprises:
operating the data management contract by using the first contract engine to obtain a node identifier of the data holding node so that the data using contract obtains a first server address of the data holding node according to the node identifier;
adding the first server address to a configuration file of the trusted execution environment, so that after the trusted execution environment is generated, a decryption key is obtained from the first server address;
running the encryption method with an execution engine in the trusted execution environment, generating the confidential data, comprising:
and operating the decryption key and the encryption method by using the execution engine so as to decrypt the encryption method by using the decryption key to obtain the confidential data.
3. The method according to claim 1, wherein the method further comprises:
writing at least one analysis method according to the data use logic and the data application scenario;
carrying out confidentiality annotation on the analysis methods related to confidential calculation among the at least one analysis method to obtain at least one analysis method carrying a confidentiality annotation;
generating the data usage contract according to the at least one analysis method carrying the confidentiality annotation;
running the data usage contract with a first contract engine, splitting a confidential portion of the data usage contract into a trusted execution environment, comprising:
running the first contract engine to intercept the at least one analysis method carrying the confidentiality annotation, obtaining the confidential part of the data use contract, and loading the confidential part of the data use contract into the trusted execution environment.
4. A method according to claim 3, characterized in that the method further comprises:
adding a second server address to a configuration file of the trusted execution environment, so that after the trusted execution environment is generated, an encryption key is obtained from the second server address;
running the confidential portion of the data usage contract and the data acquisition contract with an execution engine in the trusted execution environment to generate a data calculation result, comprising:
running the encryption key and the at least one analysis method carrying the confidentiality annotation with an execution engine in the trusted execution environment to obtain a confidential calculation result.
5. A confidential computing device, located at any node in a distributed ledger system, the device comprising:
the receiving module is used for receiving the data acquisition contract sent by the data holding node after the data use contract passes the audit of the data holding node; the data access contract is used for restricting the use process of the confidential data, and the data acquisition contract is used for calling the data management contract of the data holding node to obtain the confidential data;
a splitting module for running the data usage contract with a first contract engine to split a confidential portion of the data usage contract into a trusted execution environment;
a first execution module for executing the confidential part of the data use contract and the data acquisition contract by using an execution engine in the trusted execution environment to generate a data calculation result;
the first operation module comprises:
a first execution submodule for running the data acquisition contract with an execution engine in the trusted execution environment to obtain an encryption method; the encryption method is the method run when a second contract engine intercepts a public method marked with an encryption annotation in the data management contract; the second contract engine is a smart contract engine of the data holding node;
A second operation sub-module, configured to operate the encryption method with an execution engine in the trusted execution environment, and generate and obtain the confidential data;
and a third execution sub-module for executing the confidential part of the data use contract and the confidential data by using an execution engine in the trusted execution environment to generate the data calculation result.
6. The apparatus of claim 5, wherein the apparatus further comprises:
the second operation module is used for operating the data management contract by utilizing the first contract engine to obtain the node identification of the data holding node so that the data using contract obtains the first server address of the data holding node according to the node identification;
the first adding module is used for adding the first server address to the configuration file of the trusted execution environment so that the decryption key is obtained from the first server address after the trusted execution environment is generated;
the second operation submodule comprises: and the operation subunit is used for utilizing the execution engine to operate the decryption key and the encryption method to generate the confidential data.
7. A readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the steps of the method according to any of claims 1-4.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor performs the steps of the method according to any of claims 1-4.
CN202111204187.3A 2021-10-15 2021-10-15 Secret calculation method, device, equipment and storage medium Active CN114070584B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111204187.3A CN114070584B (en) 2021-10-15 2021-10-15 Secret calculation method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111204187.3A CN114070584B (en) 2021-10-15 2021-10-15 Secret calculation method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114070584A CN114070584A (en) 2022-02-18
CN114070584B true CN114070584B (en) 2024-02-06

Family

ID=80234745

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111204187.3A Active CN114070584B (en) 2021-10-15 2021-10-15 Secret calculation method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114070584B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110245506A (en) * 2019-05-30 2019-09-17 阿里巴巴集团控股有限公司 Intelligent contract administration method and device based on block chain, electronic equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210273812A1 (en) * 2020-03-02 2021-09-02 The Trustees Of Dartmouth College Data system with information provenance

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110245506A (en) * 2019-05-30 2019-09-17 阿里巴巴集团控股有限公司 Intelligent contract administration method and device based on block chain, electronic equipment

Also Published As

Publication number Publication date
CN114070584A (en) 2022-02-18

Similar Documents

Publication Publication Date Title
EP3688634B1 (en) System and method for implementing a resolver service for decentralized identifiers
CN113742782B (en) Block chain access authority control method based on privacy protection and block chain system
CN110199288A (en) Crossover-platform surrounds area's seal data
CN110199287A (en) It is unsealed using the data that area is surrounded in sealing
CN110199284A (en) Crossover-platform surrounds area's identity
CN101627390B (en) Method for the secure storing of program state data in an electronic device
CN110199286A (en) The seal data in area is surrounded using sealing
CN110214324A (en) Key vault surrounds area
CN109450620B (en) Method for sharing security application in mobile terminal and mobile terminal
CN111740966B (en) Data processing method based on block chain network and related equipment
CN110226167A (en) It is abstract to surround area's identity
CN111274611A (en) Data desensitization method, device and computer readable storage medium
CN110214321A (en) Nesting surrounds area's identity
CN114070584B (en) Secret calculation method, device, equipment and storage medium
CN113901498B (en) Data sharing method, device, equipment and storage medium
CN114896635A (en) Data processing method and device, electronic equipment and storage medium
CN113946864B (en) Confidential information acquisition method, device, equipment and storage medium
CN113132328A (en) Data processing method, system, equipment and computer readable storage medium
CN113824555B (en) Key processing method and device
CN116032494B (en) Data interaction method, blockchain predictor, device and medium
CN114301710B (en) Method for determining whether message is tampered, secret pipe platform and secret pipe system
CN116028965B (en) Data protection method, server and storage medium in distributed LVC training environment
CN117056943A (en) Data processing method, system, device and readable storage medium
CN115242538A (en) Data transmission method and device
CN116455567A (en) Data providing method, device and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant