WO2020259635A1 - Method and apparatus for sharing blockchain data - Google Patents

Method and apparatus for sharing blockchain data Download PDF

Info

Publication number
WO2020259635A1
WO2020259635A1 PCT/CN2020/098289 CN2020098289W WO2020259635A1 WO 2020259635 A1 WO2020259635 A1 WO 2020259635A1 CN 2020098289 W CN2020098289 W CN 2020098289W WO 2020259635 A1 WO2020259635 A1 WO 2020259635A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
sharing
organization
exchange public
key
Prior art date
Application number
PCT/CN2020/098289
Other languages
French (fr)
Chinese (zh)
Inventor
毛嘉宇
范瑞彬
张开翔
张龙
Original Assignee
深圳前海微众银行股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳前海微众银行股份有限公司 filed Critical 深圳前海微众银行股份有限公司
Publication of WO2020259635A1 publication Critical patent/WO2020259635A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Definitions

  • the embodiment of the present invention relates to the field of financial technology (Fintech), and in particular to a method and device for sharing data on a blockchain (BlockChain).
  • the existing blockchain system does not directly send encrypted data to the blockchain, but only uploads the Hash (hash) result of the plaintext data to the chain to achieve a certain degree of tamper-proof and verifiable effects; the specific process is as follows : Use Hash algorithm (commonly used but not limited to SHA-2 algorithm) to encrypt the plaintext data, store the plaintext Hash result on the blockchain, and store the plaintext data off-chain.
  • Use Hash algorithm commonly used but not limited to SHA-2 algorithm
  • the data in the above scheme is not really stored on the blockchain, and it is impossible to truly share data on the blockchain and control the data sharing authority, but only stores the verification data; it is impossible to restore the ciphertext to plaintext from the blockchain .
  • the data stored on the blockchain is only used for verification, not for sharing.
  • the embodiment of the present invention provides a blockchain data sharing method and device, which are used to store shared data on the blockchain, realize that data sharing cannot be tampered with, and control the scope of data sharing.
  • a blockchain data sharing method provided by an embodiment of the present invention includes:
  • the sharing institution obtains the first file and determines the hash value of the first file, where the first file is a file to be shared;
  • the sharing organization determines the exchange public key corresponding to the first file according to the hash value, the index number of the first file, and the private key of the sharing organization;
  • the sharing organization obtains the exchange public keys of a plurality of first sharing organizations, and the first sharing organization is an organization that jointly owns the common authority of the first file with the sharing organization; the exchange public keys of the plurality of first sharing organizations The keys are respectively determined by the plurality of first sharing institutions according to the hash value, the index number of the first file, and the private keys of the plurality of first sharing institutions;
  • the sharing mechanism encrypts the first file using the encryption key of the first file, obtains the encrypted ciphertext of the first file, and sends the encrypted ciphertext to the data sharing of the blockchain
  • a second sharing organization requests to download the first file, and the second sharing organization is an organization other than the sharing organization and the plurality of first sharing organizations.
  • the sharing organization determining the exchange public key corresponding to the first file according to the hash value, index number of the first file and the private key of the sharing organization includes:
  • the sharing organization determines the exchange private key of the first file according to the private key of the sharing organization and the index number of the first file;
  • the sharing agency determines the exchange public key of the first file according to the exchange private key, prime number, and original root of the first file.
  • the sharing mechanism further includes:
  • the sharing mechanism composes the prime number and the primitive root into a string according to a preset separator
  • the sharing organization encrypts the character string according to the hash value of the first file to obtain the exchange public number of the first file;
  • the sharing institution sends the exchange public number to the data sharing smart contract of the blockchain, so that the second sharing institution determines the exchange public number and the hash value of the first file. State the prime numbers and primitive roots of the first file.
  • the method further includes:
  • the sharing organization generates the private key of the sharing organization
  • the sharing agency creates the data sharing smart contract on the blockchain.
  • the method further includes:
  • the sharing agency obtains the encrypted ciphertext of the second file from the data sharing smart contract of the blockchain, exchanges public data, authority information, and manager information;
  • the sharing institution requests the manager of the second file for the hash value of the second file and the exchange public key of the manager of the second file according to the manager information of the second file;
  • the sharing organization requests the exchange public key of the organization having the common authority of the second file from the organization having the common authority of the second file;
  • the sharing organization is based on the exchange public number of the second file, the hash value of the second file, the exchange public key of the administrator of the second file, and the shared authority of the second file
  • the exchange public key of the institution which determines the encryption key of the second file
  • the sharing agency decrypts the encrypted ciphertext of the second file according to the encryption key of the second file to obtain the second file.
  • the sharing institution is based on the exchange public number of the second file, the hash value of the second file, the exchange public key of the manager of the second file, and the share of the second file
  • To determine the encryption key of the second file by the exchange public key of the organization with the common authority including:
  • the sharing mechanism determines the prime number and primitive root of the second file according to the interactive common number of the second file and the hash value of the second file;
  • the sharing institution determines the second file based on the original root of the second file, the exchange public key of the administrator of the second file, and the exchange public key of the institution with the common authority of the second file.
  • the encryption key of the file is the encryption key of the file.
  • an embodiment of the present invention provides a blockchain data sharing device, including:
  • An obtaining unit configured to obtain a first file and determine a hash value of the first file, where the first file is a file to be shared;
  • a processing unit configured to determine the exchange public key corresponding to the first file according to the hash value, the index number and the private key of the sharing organization of the first file;
  • the obtaining unit is further configured to obtain the exchange public keys of a plurality of first sharing institutions, the first sharing institution being an institution that jointly owns the common authority of the first file with the sharing institution; the multiple first sharing institutions
  • the exchange public keys of the institutions are respectively determined by the multiple first sharing institutions according to the hash value, the index number of the first file, and the private keys of the multiple first sharing institutions;
  • the processing unit is further configured to determine the encryption key of the first file according to the exchange public key corresponding to the first file and the exchange public keys of the plurality of first sharing institutions; use the first file Encrypt the first file with the encryption key to obtain the encrypted ciphertext of the first file, and send the encrypted ciphertext to the data sharing smart contract of the blockchain, so that the second sharing organization The download of the first file is requested, and the second sharing organization is an organization other than the sharing organization and the plurality of first sharing organizations.
  • an embodiment of the present invention also provides a computing device, including:
  • Memory used to store program instructions
  • the processor is configured to call the program instructions stored in the memory, and execute the above blockchain data sharing method according to the obtained program.
  • embodiments of the present invention also provide a computer-readable non-volatile storage medium, including computer-readable instructions, which when the computer reads and executes the computer-readable instructions, cause the computer to execute the aforementioned blockchain Data sharing method.
  • the embodiments of the present invention also provide a computer program product, the computer program product includes a calculation program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, when the program instructions When executed by a computer, the computer is caused to execute the blockchain data sharing method as described above.
  • FIG. 1 is a schematic diagram of a system architecture provided by an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of a blockchain data sharing method provided by an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of another data encryption process provided by an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a data decryption process provided by an embodiment of the present invention.
  • Figure 5 is a schematic diagram of a digital envelope provided by an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a block chain data sharing device provided by an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.
  • FIG. 1 exemplarily shows a system architecture to which an embodiment of the present invention is applicable.
  • the system architecture may include multiple sharing institutions 100 and a blockchain system 200.
  • the blockchain system 200 is a consortium chain built by multiple sharing institutions 100, and the consortium chain may include one or more blockchain nodes 210, so as to achieve more data activities in the institution.
  • the sharing organization 100 communicates with the blockchain system 200, and manages data sharing smart contracts in the blockchain system 200.
  • the blockchain system 200 is composed of multiple blockchain nodes 210, which respectively communicate with multiple sharing institutions 100, and are used to store data sent by the sharing institution 100, and to accept the sharing institutions 100 to deploy on the blockchain node 210. Data sharing smart contract for management.
  • the multiple blockchain nodes 210 can be connected to each other for communication.
  • Each blockchain node 210 includes multiple blocks, and the blocks are used for transaction data.
  • FIG. 1 is only an example, which is not limited in the embodiment of the present invention.
  • FIG. 2 exemplarily shows the flow of a blockchain data sharing method provided by an embodiment of the present invention, and the flow can be executed by a blockchain data sharing device.
  • the process specifically includes:
  • Step 201 The sharing institution obtains the first file and determines the hash value of the first file.
  • the sharing organization When the sharing organization needs to share the first file, it may first obtain the shared first file, and then use a hash algorithm to calculate the hash value of the first file.
  • the hash value of the first file may be stored in the local database for later use when requested by the second sharing organization.
  • the sharing organization needs to generate its own private key, which is the use of the sharing organization, and create a data sharing smart contract for data sharing on the blockchain.
  • each sharing organization in the consortium chain needs to generate its own private key.
  • the private key can automatically generate a random number with a fixed bit length (for example, 256 bits), or be based on BIP -32 protocol/BIP-44 protocol standard generates mnemonic words, generates seeds through mnemonic words, and generates master key and main chain code through seeds.
  • the aforementioned data sharing smart contract may include basic file information (name, size, creation date, etc.) of the file, file authority information, and file manager information.
  • the permission information of the file can reflect the information of the co-owner of the file, that is, which sharing organization jointly owns the file, and the shared permissions.
  • the file manager information can reflect which organization is responsible for uploading and managing the file.
  • Step 202 The sharing organization determines the exchange public key corresponding to the first file according to the hash value, the index number of the first file, and the private key of the sharing organization.
  • the sharing organization may first generate the prime number and original root of the first file, and then determine the exchange private key of the first file according to the private key of the sharing organization and the index number of the first file, and finally according to the exchange private key of the first file.
  • the key, prime number and primitive root determine the exchange public key of the first file.
  • the prime number and the original root can also be formed into a string according to a preset separator, and then the string is encrypted according to the hash value of the first file to obtain the first file.
  • the preset separator can be set based on experience, for example, it can be a separator such as a comma, a semicolon, and a comma.
  • the sharing organization generates the prime number and primitive root of the first file.
  • the prime number can usually be 2 or 5, and the prime number can be a number greater than 200 digits long. Separate the prime number and the original root with a comma to form a string, and then use a symmetric encryption algorithm to encrypt the string to obtain the exchange public number, and the encryption key is the hash value of the first file.
  • the sharing organization can send the exchange public number to the blockchain for storage.
  • the sharing organization calculates and obtains the exchange private key of the first file by using the MAC (Message Authentication Codes) algorithm or other hash algorithms based on the above-mentioned private key of the first file in combination with the index number of the first file.
  • the exchange public key of the first file can be calculated.
  • the exchange public key of the first file can be obtained by formula (1).
  • g is the prime number of the first file
  • Msa is the exchange private key of the first file
  • p is the original root of the first file
  • Mpa is the exchange public key of the first file.
  • the sharing organization may store the exchange public key of the first file in a local database, and it does not need to be saved.
  • the exchange private key and the prime number and original root of the first file can be obtained at any time.
  • the exchange public key of the first file is also the exchange public key of the sharing organization.
  • the embodiment of the present invention can generate different exchange secrets for different files without the private key of the sharing organization. key.
  • the sharing organization can choose to store the interactive exchange public key in the aforementioned data sharing smart contract for some relatively insensitive data or data that does not require authorization.
  • Step 203 The sharing organization obtains the exchange public keys of multiple first sharing organizations.
  • the first sharing organization is an organization that shares the common authority of the first file with the sharing organization, that is, an organization that has the common authority of the first file together with the sharing organization.
  • the exchange public keys of the plurality of first sharing institutions are respectively determined by the plurality of first sharing institutions according to the hash value, index number and respective private keys of the first file and then sent to the sharing institution.
  • the method for each first sharing organization to determine its own exchange of public keys can be found in the steps described in step 202 above.
  • the hash value of the first file can be sent to each first sharing organization through a secure data channel or off-chain by the sharing organization. mechanism.
  • the exchange public key of each first sharing institution can also be stored in the aforementioned data sharing smart contract.
  • Step 204 The sharing organization determines the encryption key of the first file according to the exchange public key corresponding to the first file and the exchange public keys of the multiple first sharing organizations.
  • the encryption key of the first file can be calculated through the encryption algorithm.
  • the encryption key can be obtained by formula (2).
  • Mpb is the exchange public key of the first shared institution b
  • Mpa is the exchange public key of the shared institution a
  • p is the original root of the first file
  • Mpab is the intermediate exchange public key
  • Mpc is the exchange public key of the first shared institution c.
  • Key Ms is the encryption key of the first file.
  • Step 205 The sharing organization encrypts the first file using the encryption key of the first file, obtains the encrypted ciphertext of the first file, and sends the encrypted ciphertext to the blockchain Data sharing smart contract.
  • the sharing organization After the sharing organization calculates the encryption key of the first file, it can use the encryption key of the first file to encrypt the first file to obtain the encrypted ciphertext of the first file, and send the encrypted ciphertext to the district Block chain data sharing smart contract.
  • the second sharing organization In order to enable the second sharing organization to request the download of the first file to complete the sharing of the first file, the second sharing organization is an organization other than the foregoing sharing organization and the multiple first sharing organizations.
  • the data sharing smart contract of the blockchain can include but is not limited to the following:
  • it may also include the exchange public key of the sharing organization and the exchange public key of each first sharing organization.
  • the sharing organization can also download files shared by other second organizations in the data sharing smart contract in the blockchain, specifically:
  • the sharing organization can obtain the encrypted ciphertext of the second file from the data sharing smart contract of the blockchain, exchange public data, authority information and manager information. Then, according to the manager information of the second file, request the manager of the second file for the hash value of the second file and the exchange public key of the manager of the second file.
  • the organization with the common authority requests the exchange public key of the organization with the common authority of the second file. According to the exchange public number of the second file, the hash value of the second file, the exchange public key of the administrator of the second file, and the exchange public key of the organization with the common authority of the second file, the encryption secret of the second file is determined. key. Finally, the encrypted ciphertext of the second file is decrypted according to the encryption key of the second file to obtain the second file.
  • the exchange public key of the institution with the common authority of the second file is stored in the data sharing smart contract, the data sharing smart contract can also be directly called for downloading and obtaining.
  • the sharing organization can send request information to each organization with the common authority of the second file through the secure data channel to request the exchange public key of each organization with the common authority of the second file, and each organization with the common authority of the second file After the sharing organization is approved, the exchange public key can be sent to the sharing organization.
  • the sharing organization can then determine the second file based on the exchange public number of the second file, the hash value of the second file, the exchange public key of the administrator of the second file, and the exchange public key of the organization with the common authority of the second file. 2.
  • the encryption key of the file is based on the exchange public number of the second file, the hash value of the second file, the exchange public key of the administrator of the second file, and the exchange public key of the organization with the common authority of the second file.
  • the prime number and original root of the second file can be determined based on the interactive public number of the second file and the hash value of the second file, and then based on the original root of the second file and the exchange public key of the administrator of the second file Exchange the public key with the organization that has the common authority of the second file to determine the encryption key of the second file.
  • the encrypted ciphertext of the second file can be decrypted to obtain the second file.
  • organization D When organization D needs to download file M, it can request organizations A, B, and C to obtain the corresponding keys; combined with the encrypted ciphertext stored on the blockchain, file M can be re-decrypted by executing a preset calculation method The plaintext.
  • the process specifically includes:
  • Step 301 Each participating organization on the blockchain generates its own private key.
  • the blockchain nodes of each participating organization of the blockchain generate a fixed-bit length (for example, 256-bit) number as the private key S.
  • a fixed-bit length for example, 256-bit
  • Sa, Sb, and Sc will be generated respectively.
  • the generation of the private key can be to automatically generate a random number; it can also be based on the BIP-32/BIP-44 standard to generate mnemonic words, generate seeds from mnemonics, and generate master keys and main chain codes from seeds.
  • Step 302 The data uploader creates a data sharing smart contract.
  • the data uploader is institution A, and institution A creates a file sharing data sharing smart contract Cm.
  • the data sharing smart contract Cm contains basic file information (file name, size, creation date, etc.), and file authority management information , File co-owner information and other information.
  • Step 303 Generate the exchange public number and related keys of the data uploader.
  • the data uploader A calculates the Hash value h of the file M and stores it in the local database.
  • the data uploader A generates the prime number P and the primitive root g of the file M.
  • g is 2 or 5
  • the prime number P is at least 200 bits long.
  • the organization A uses the MAC algorithm (such as HMAC-SHA512) to calculate and obtain the organization A's exchange private key Msa for the file M according to the organization private key Sa generated in step 1, combined with the index number n of the file M.
  • MAC algorithm such as HMAC-SHA512
  • Institution A obtains the exchange public key Mpa through the above formula (1).
  • Institution A initiates an on-chain request and saves the exchange public number Mn into the previously created data sharing smart contract Cm.
  • Institution A can save the exchange public key Mpa in a local database or file; it does not need to be stored locally. If it is not stored, institution A can calculate and restore the value of Mpa at any time based on Msa and g, p. At the same time, institution A can also consider the encryption level of data privacy. For some relatively insensitive data or data that does not require authorization, it can choose to store the exchange public key Mpa in the data sharing smart contract Cm.
  • Step 304 Request to obtain the exchange public keys of other data owners.
  • Institution A can automatically send messages to the data owners B and C through the event notification function mechanism of the data sharing smart contract Cm; it can also initiate to the data owners through the secure data transmission channel on the chain or off-chain Key application.
  • Institutions B and C can use the data sharing smart contract Cm to download the key exchange public number Mn and basic information of the file. Institutions B and C can respectively retrieve file M based on the existing file information to calculate the hash value of file M; if M is not saved, they can apply to institution A to obtain the hash value h through the secure data transmission channel.
  • institutions B and C can generate exchange public keys Mpb and Mpc corresponding to file M. Under the premise of approving the encryption and sharing of data, the above-mentioned institutions can send corresponding Mpb and Mpc information to institution A. Institutions B and C can save the specific data of Mpb and Mpc locally, so that they can be retransmitted when institution A fails to receive it or sent when other participants initiate a decryption request; they can also not be stored locally. If not, institution B And C can repeat the process of calculating Mpb or Mpc in this step when receiving the request.
  • institutions A, B, and C can also consider the encryption level of data privacy. For some relatively insensitive data or data that does not require authorization, they can choose to store all or part of the exchange public keys Mpa, Mpb, and Mpc in the data sharing intelligence. Contract Cm.
  • Step 305 Calculate the encryption key and encrypt the file.
  • organization A can calculate the final encryption key Ms of the file by formula (2).
  • the organization A uses the above-mentioned key Ms to encrypt the file M using a symmetric encryption algorithm (such as AES), and finally obtains the ciphertext S.
  • a symmetric encryption algorithm such as AES
  • step 306 the encrypted ciphertext of the file is sent to the blockchain.
  • Institution A calls the interface of the blockchain smart contract and sends the encrypted ciphertext to the data sharing smart contract Cm corresponding to the blockchain.
  • the data sharing smart contract Cm also stores the encrypted ciphertext of the file M.
  • the content of file M that is finally saved on the data sharing smart contract includes but is not limited to the following main content:
  • Organization A the basic information of the file, the index number of the file, the owner of the file, the manager of the file; the public number Mn in the key exchange protocol, the interactive public key Mpa of the organization A (optional).
  • the final ciphertext The basic information of the file, the index number of the file, the owner of the file, the manager of the file; the public number Mn in the key exchange protocol, the interactive public key Mpa of the organization A (optional).
  • Institutions B and C data signatures agreed to be shared; public keys of each institution in the key exchange agreement (optional).
  • the data decryption process specifically includes:
  • Step 401 Apply to the data manager to obtain file information.
  • Organization D can obtain the basic information, authority information and manager information of file M through the data sharing smart contract Cm. If the public keys Mpa, Mpb, and Mpc have been saved on the chain, you can directly call the data sharing smart contract to download and obtain.
  • Organization D first applies to data manager A to obtain file M through the secure data channel. If organization A passes the review, it returns the hash value h and exchange public key Mpa of the file to organization D.
  • Institution D downloads the exchange public number Mn corresponding to the file through the data sharing smart contract of the blockchain, and uses h to decrypt it to obtain the corresponding values of g and p.
  • Step 402 Apply to other data owners to obtain file information.
  • Institution D first applies to other data holder institutions B and C to obtain file M through the secure data channel. If institutions B and C pass the review, they will return their respective interactive public keys Mpb and Mpc to institution D (if Mpb and Mpc have been stored in the chain Above, you can get it directly through the chain, you can skip this step).
  • Step 403 Decrypt the file.
  • step 305 of the encryption scheme After the organization D has completed the above two steps, it can refer to step 305 of the encryption scheme to obtain the encryption key Ms of the file M.
  • Institution D can download the final file cipher text S through the data sharing smart contract Cm, and can decrypt the final plain text M by using the same symmetric encryption algorithm (such as AES) used in the encryption process.
  • AES symmetric encryption algorithm
  • the data sharing method provided by the embodiments of the present invention can be extended to scenarios where the owner of the data sharing is one or more institutions, and in conjunction with the blockchain smart contract, the authorization scope, flow and authority of the data sharing can be accurately controlled.
  • the data sharing method provided by the embodiment of the present invention has the following specific points:
  • the encrypted data is actually on the chain, and the plaintext data can be restored through decryption.
  • the embodiment of the present invention shows that the sharing organization obtains the first file and determines the hash value of the first file.
  • the first file is the file to be shared.
  • Determine the exchange public key corresponding to the first file obtain the exchange public keys of multiple first sharing institutions, and determine the encryption secret of the first file based on the exchange public keys corresponding to the first file and the exchange public keys of the multiple first sharing institutions Key, use the encryption key of the first file to encrypt the first file to obtain the encrypted ciphertext of the first file, and send the encrypted ciphertext to the data sharing smart contract of the blockchain, so that the second sharing organization can A file is requested to download.
  • the private key of the key exchange algorithm (such as Msa) can not only be generated by the HMAC (Hash-based Message Authentication Code) algorithm by using the master private key + index, but also
  • the CKD (child key derivation) equation can be used in the BIP32 protocol to derive the child key from the parent key.
  • the subkey derivation equation is based on a single hash equation.
  • the above data sharing method can also use the digital envelope scheme, as shown in Figure 5:
  • the sender A uses the symmetric key K to encrypt the plaintext M to generate ciphertext information S.
  • the sender A puts the ciphertext information S on the chain, uses B's public key to encrypt the symmetric key K, and sends it to the receiver B through a secure data transmission channel.
  • the receiver B After receiving the encrypted information of the sender A, the receiver B uses its own private key to decrypt it to obtain the symmetric key K.
  • the receiver B obtains the ciphertext information on the chain, uses the symmetric key K to decrypt the ciphertext information, and obtains the original plaintext M.
  • FIG. 6 exemplarily shows the structure of a blockchain data sharing device provided by an embodiment of the present invention, and the device can execute a blockchain data sharing process.
  • the device specifically includes:
  • the obtaining unit 601 is configured to obtain a first file and determine a hash value of the first file, where the first file is a file to be shared;
  • the processing unit 602 is configured to determine the exchange public key corresponding to the first file according to the hash value, the index number and the private key of the sharing organization of the first file;
  • the obtaining unit 601 is further configured to obtain the exchange public keys of multiple first sharing institutions, the first sharing institutions being institutions that jointly own the common authority of the first file with the sharing institutions;
  • the exchange public keys of the shared institutions are respectively determined by the multiple first shared institutions according to the hash value, the index number of the first file, and the private keys of the multiple first shared institutions;
  • the processing unit 602 is further configured to determine the encryption key of the first file according to the public exchange key corresponding to the first file and the public exchange keys of the multiple first sharing institutions;
  • the encryption key of the file encrypts the first file to obtain the encrypted ciphertext of the first file, and sends the encrypted ciphertext to the data sharing smart contract of the blockchain, so that the second sharing An organization requests to download the first file, and the second sharing organization is an organization other than the sharing organization and the multiple first sharing organizations.
  • the present invention also provides an electronic device, as shown in FIG. 7, including:
  • It includes a processor 701, a memory 702, a transceiver 703, and a bus interface 704, wherein the processor 701, the memory 702 and the transceiver 703 are connected through the bus interface 704;
  • the processor 701 is configured to read a program in the memory 702 and execute the blockchain data sharing method described above, and the method includes:
  • the control transceiver 703 obtains the exchange public keys of a plurality of first sharing institutions, the first sharing institution being an institution that jointly owns the common authority of the first file with the sharing institution; the exchange public keys of the multiple first sharing institutions The keys are respectively determined by the plurality of first sharing institutions according to the hash value, the index number of the first file, and the private keys of the plurality of first sharing institutions;
  • the second sharing organization is an organization other than the sharing organization and the plurality of first sharing organizations.
  • the processor 701 may be a central processing unit (central processing unit, CPU for short), a network processor (NP for short), or a combination of CPU and NP. It can also be a hardware chip.
  • the aforementioned hardware chip may be an application-specific integrated circuit (ASIC for short), a programmable logic device (PLD for short), or a combination thereof.
  • ASIC application-specific integrated circuit
  • PLD programmable logic device
  • the above-mentioned PLD can be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (generic array logic, GAL), or any of them combination.
  • the memory 702 is configured to store one or more executable programs, and can store data used by the processor 701 when performing operations.
  • the program may include program code, and the program code includes computer operation instructions.
  • the memory 702 may include a volatile memory (volatile memory), such as random-access memory (random-access memory, RAM for short); the memory 702 may also include a non-volatile memory (non-volatile memory), such as flash memory ( flash memory), hard disk drive (HDD for short) or solid-state drive (SSD for short); the memory 702 may also include a combination of the foregoing types of memories.
  • the memory 702 stores the following elements, executable modules or data structures, or their subsets, or their extended sets:
  • Operating instructions including various operating instructions, used to implement various operations.
  • Operating system including various system programs, used to implement various basic services and process hardware-based tasks.
  • the bus interface 704 may be a wired communication access port, a wireless bus interface or a combination thereof, where the wired bus interface may be, for example, an Ethernet interface.
  • the Ethernet interface can be an optical interface, an electrical interface or a combination thereof.
  • the wireless bus interface may be a WLAN interface.
  • an embodiment of the present invention also provides a computing device, including:
  • Memory used to store program instructions
  • the processor is configured to call the program instructions stored in the memory, and execute the above blockchain data sharing method according to the obtained program.
  • the embodiments of the present invention also provide a computer-readable non-volatile storage medium, including computer-readable instructions.
  • the computer reads and executes the computer-readable instructions, the computer executes the above-mentioned areas.
  • Block chain data sharing method When the computer reads and executes the computer-readable instructions, the computer executes the above-mentioned areas. Block chain data sharing method.
  • embodiments of the present invention also provide a computer program product, the computer program product includes a calculation program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, when the program When the instructions are executed by a computer, the computer is caused to execute the above-mentioned blockchain data sharing method.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction device.
  • the device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so as to execute on the computer or other programmable equipment.
  • the instructions provide steps for implementing functions specified in a flow or multiple flows in the flowchart and/or a block or multiple blocks in the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The present invention relates to the field of fintech, and discloses a method and an apparatus for sharing blockchain data, the method comprising: a sharing mechanism acquires a first file and determines a hash value of the first file, determines an exchange public key corresponding to the first file, acquires an exchange public key of a plurality of first sharing mechanisms, determines an encryption key on the basis of the exchange public key corresponding to the first file and the exchange public key of the plurality of first sharing mechanisms, uses the encryption key to encrypt the first file to obtain an encrypted ciphertext of the first file, and sends the encrypted ciphertext to a data sharing smart contract of the blockchain. As the exchange public key corresponding to the first file is obtained by means of a private key of the sharing mechanism and an index number, different exchange public keys can be produced for different files without changing the private key of the sharing mechanism, thereby flexibly, conveniently, securely, and efficiently protecting the privacy of the user. Sending the encrypted file to the blockchain implements real placement of the encrypted file on the blockchain and implements real data sharing.

Description

一种区块链数据共享方法及装置Block chain data sharing method and device
相关申请的交叉引用Cross references to related applications
本申请要求在2019年06月27日提交中国专利局、申请号为201910569907.2、申请名称为“一种区块链数据共享方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the Chinese Patent Office on June 27, 2019, the application number is 201910569907.2, and the application name is "a blockchain data sharing method and device", the entire content of which is incorporated by reference In this application.
技术领域Technical field
本发明实施例涉及金融科技(Fintech)领域,尤其涉及一种区块链(BlockChain)数据共享方法及装置。The embodiment of the present invention relates to the field of financial technology (Fintech), and in particular to a method and device for sharing data on a blockchain (BlockChain).
背景技术Background technique
随着计算机技术的发展,越来越多的技术应用在金融领域,传统金融业正在逐步向金融科技(Finteh)转变,区块链技术也不例外,但由于金融行业的安全性、实时性要求,也对技术提出的更高的要求。With the development of computer technology, more and more technologies are applied in the financial field. The traditional financial industry is gradually changing to Finteh. Blockchain technology is no exception, but due to the security and real-time requirements of the financial industry , But also higher requirements for technology.
现有的区块链系统不直接将加密数据发送到区块链上,而仅将明文数据的Hash(哈希)结果上链,达到一定的防篡改和可校验的效果;其具体过程如下:将明文数据采用Hash算法(常用但不限于SHA-2算法)加密,把明文的Hash结果存储到区块链上,将明文数据在链下存储。当其他用户需要该获取数据的明文时,向数据所有方通过链下或链上点对点的安全通讯通道请求明文数据;同时,从区块链上下载该数据所预先存储的Hash密文,对明文进行校验。The existing blockchain system does not directly send encrypted data to the blockchain, but only uploads the Hash (hash) result of the plaintext data to the chain to achieve a certain degree of tamper-proof and verifiable effects; the specific process is as follows : Use Hash algorithm (commonly used but not limited to SHA-2 algorithm) to encrypt the plaintext data, store the plaintext Hash result on the blockchain, and store the plaintext data off-chain. When other users need the plaintext of the data to be obtained, they request the plaintext data from the data owner through the off-chain or on-chain point-to-point secure communication channel; at the same time, download the Hash ciphertext pre-stored in the data from the blockchain. Perform verification.
但是,上述方案中的数据并未真正存储在区块链上,无法真正在区块链上共享数据和控制数据分享的权限,而只是存储了验证数据;无法从区块链恢复密文为明文。区块链上所存储的数据仅用于验证,而非真正用于分享。However, the data in the above scheme is not really stored on the blockchain, and it is impossible to truly share data on the blockchain and control the data sharing authority, but only stores the verification data; it is impossible to restore the ciphertext to plaintext from the blockchain . The data stored on the blockchain is only used for verification, not for sharing.
发明内容Summary of the invention
本发明实施例提供一种区块链数据共享方法及装置,用以将共享数据存储在区块链上,实现数据共享无法篡改,并控制数据分享的范围。The embodiment of the present invention provides a blockchain data sharing method and device, which are used to store shared data on the blockchain, realize that data sharing cannot be tampered with, and control the scope of data sharing.
第一方面,本发明实施例提供的一种区块链数据共享方法,包括:In the first aspect, a blockchain data sharing method provided by an embodiment of the present invention includes:
共享机构获取第一文件,并确定所述第一文件的哈希值,所述第一文件为待共享的文件;The sharing institution obtains the first file and determines the hash value of the first file, where the first file is a file to be shared;
所述共享机构根据所述第一文件的哈希值、索引号和所述共享机构的私钥,确定所述第一文件对应的交换公钥;The sharing organization determines the exchange public key corresponding to the first file according to the hash value, the index number of the first file, and the private key of the sharing organization;
所述共享机构获取多个第一共享机构的交换公钥,所述第一共享机构为与共享机构共同拥有所述第一文件的共有权限的机构;所述多个第一共享机构的交换公钥为所述多个第一共享机构根据所述第一文件的哈希值、索引号和所述多个第一共享机构的私钥分别确定的;The sharing organization obtains the exchange public keys of a plurality of first sharing organizations, and the first sharing organization is an organization that jointly owns the common authority of the first file with the sharing organization; the exchange public keys of the plurality of first sharing organizations The keys are respectively determined by the plurality of first sharing institutions according to the hash value, the index number of the first file, and the private keys of the plurality of first sharing institutions;
所述共享机构根据所述第一文件对应的交换公钥和所述多个第一共享机构的交换公钥,确定所述第一文件的加密密钥;Determining, by the sharing organization, the encryption key of the first file according to the exchange public key corresponding to the first file and the exchange public keys of the multiple first sharing organizations;
所述共享机构使用所述第一文件的加密密钥对所述第一文件加密,得到所述第一文件的加密密文,并将所述加密密文发送至所述区块链的数据共享智能合约上,以使第二共享机构对所述第一文件请求下载,所述第二共享机构为除所述共享机构和所述多个第一共享机构之外的机构。The sharing mechanism encrypts the first file using the encryption key of the first file, obtains the encrypted ciphertext of the first file, and sends the encrypted ciphertext to the data sharing of the blockchain In the smart contract, a second sharing organization requests to download the first file, and the second sharing organization is an organization other than the sharing organization and the plurality of first sharing organizations.
上述技术方案中,由于通过共享机构的私钥和索引号得到第一文件对应的交换公钥,可以实现在共享机构的私钥不变的情况下,针对不同的文件产生不同的交换密钥,减少了海量秘钥的存储压力,可以灵活、方便、有效的保护用户隐私。将加密后的文件发送至区块链,实现了加密文件的真正上链,实现了真正的数据共享。In the above technical solution, since the public exchange key corresponding to the first file is obtained through the private key and the index number of the shared institution, it is possible to generate different exchange keys for different files under the condition that the private key of the shared institution remains unchanged. It reduces the storage pressure of massive secret keys, and can protect user privacy flexibly, conveniently and effectively. Sending the encrypted file to the blockchain realizes the real winding of the encrypted file and real data sharing.
可选的,所述共享机构根据所述第一文件的哈希值、索引号和所述共享机构的私钥,确定所述第一文件对应的交换公钥,包括:Optionally, the sharing organization determining the exchange public key corresponding to the first file according to the hash value, index number of the first file and the private key of the sharing organization includes:
所述共享机构生成所述第一文件的素数和原根;Generating the prime numbers and primitive roots of the first file by the sharing mechanism;
所述共享机构根据所述共享机构的私钥和所述第一文件的索引号,确定所述第一文件的交换私钥;The sharing organization determines the exchange private key of the first file according to the private key of the sharing organization and the index number of the first file;
所述共享机构根据所述第一文件的交换私钥、素数和原根,确定所述第一文件的交换公钥。The sharing agency determines the exchange public key of the first file according to the exchange private key, prime number, and original root of the first file.
可选的,所述共享机构在生成所述第一文件的素数和原根之后,还包括:Optionally, after generating the prime numbers and primitive roots of the first file, the sharing mechanism further includes:
所述共享机构根据预设分隔符将所述素数和原根组成字符串;The sharing mechanism composes the prime number and the primitive root into a string according to a preset separator;
所述共享机构根据所述第一文件的哈希值对所述字符串进行加密处理,得到所述第一文件的交换公共数;The sharing organization encrypts the character string according to the hash value of the first file to obtain the exchange public number of the first file;
所述共享机构将所述交换公共数发送至所述区块链的数据共享智能合约上,以使所述第二共享机构根据所述交换公共数和所述第一文件的哈希值确定所述第一文件的素数和原根。The sharing institution sends the exchange public number to the data sharing smart contract of the blockchain, so that the second sharing institution determines the exchange public number and the hash value of the first file. State the prime numbers and primitive roots of the first file.
可选的,在所述共享机构获取第一文件之前,还包括:Optionally, before the sharing agency obtains the first file, the method further includes:
所述共享机构生成所述共享机构的私钥;The sharing organization generates the private key of the sharing organization;
所述共享机构在所述区块链上创建所述数据共享智能合约。The sharing agency creates the data sharing smart contract on the blockchain.
可选的,所述方法还包括:Optionally, the method further includes:
所述共享机构从所述区块链的数据共享智能合约上获取第二文件的加密密文、交换公共数、权限信息和管理者信息;The sharing agency obtains the encrypted ciphertext of the second file from the data sharing smart contract of the blockchain, exchanges public data, authority information, and manager information;
所述共享机构根据所述第二文件的管理者信息,向所述第二文件的管理者请求所述第二文件的哈希值和所述第二文件的管理者的交换公钥;The sharing institution requests the manager of the second file for the hash value of the second file and the exchange public key of the manager of the second file according to the manager information of the second file;
所述共享机构根据所述第二文件的权限信息,向具有所述第二文件的共有权限的机构请求所述具有所述第二文件的共有权限的机构的交换公钥;According to the authority information of the second file, the sharing organization requests the exchange public key of the organization having the common authority of the second file from the organization having the common authority of the second file;
所述共享机构根据所述第二文件的交换公共数、所述第二文件的哈希值、所述第二文件的管理者的交换公钥和所述具有所述第二文件的共有权限的机构的交换公钥,确定所述第二文件的加密密钥;The sharing organization is based on the exchange public number of the second file, the hash value of the second file, the exchange public key of the administrator of the second file, and the shared authority of the second file The exchange public key of the institution, which determines the encryption key of the second file;
所述共享机构根据所述第二文件的加密密钥对所述第二文件的加密密文进行解密,得到所述第二文件。The sharing agency decrypts the encrypted ciphertext of the second file according to the encryption key of the second file to obtain the second file.
可选的,所述共享机构根据所述第二文件的交换公共数、所述第二文件的哈希值、所述第二文件的管理者的交换公钥和所述具有所述第二文件的共有权限的机构的交换公钥,确定所述第二文件的加密密钥,包括:Optionally, the sharing institution is based on the exchange public number of the second file, the hash value of the second file, the exchange public key of the manager of the second file, and the share of the second file To determine the encryption key of the second file by the exchange public key of the organization with the common authority, including:
所述共享机构根据所述第二文件的交互公共数和所述第二文件的哈希值,确定所述第二文件的素数和原根;The sharing mechanism determines the prime number and primitive root of the second file according to the interactive common number of the second file and the hash value of the second file;
所述共享机构根据所述第二文件的原根、所述第二文件的管理者的交换公钥和所述具有所述第二文件的共有权限的机构的交换公钥,确定所述第二文件的加密密钥。The sharing institution determines the second file based on the original root of the second file, the exchange public key of the administrator of the second file, and the exchange public key of the institution with the common authority of the second file. The encryption key of the file.
第二方面,本发明实施例提供一种区块链数据共享装置,包括:In the second aspect, an embodiment of the present invention provides a blockchain data sharing device, including:
获取单元,用于获取第一文件,并确定所述第一文件的哈希值,所述第一文件为待共享的文件;An obtaining unit, configured to obtain a first file and determine a hash value of the first file, where the first file is a file to be shared;
处理单元,用于根据所述第一文件的哈希值、索引号和共享机构的私钥,确定所述第一文件对应的交换公钥;A processing unit, configured to determine the exchange public key corresponding to the first file according to the hash value, the index number and the private key of the sharing organization of the first file;
所述获取单元,还用于获取多个第一共享机构的交换公钥,所述第一共享机构为与共享机构共同拥有所述第一文件的共有权限的机构;所述多个第一共享机构的交换公钥为所述多个第一共享机构根据所述第一文件的哈希值、索引号和所述多个第一共享机构的私钥分别确定的;The obtaining unit is further configured to obtain the exchange public keys of a plurality of first sharing institutions, the first sharing institution being an institution that jointly owns the common authority of the first file with the sharing institution; the multiple first sharing institutions The exchange public keys of the institutions are respectively determined by the multiple first sharing institutions according to the hash value, the index number of the first file, and the private keys of the multiple first sharing institutions;
所述处理单元,还用于根据所述第一文件对应的交换公钥和所述多个第一共享机构的 交换公钥,确定所述第一文件的加密密钥;使用所述第一文件的加密密钥对所述第一文件加密,得到所述第一文件的加密密文,并将所述加密密文发送至所述区块链的数据共享智能合约上,以使第二共享机构对所述第一文件请求下载,所述第二共享机构为除所述共享机构和所述多个第一共享机构之外的机构。The processing unit is further configured to determine the encryption key of the first file according to the exchange public key corresponding to the first file and the exchange public keys of the plurality of first sharing institutions; use the first file Encrypt the first file with the encryption key to obtain the encrypted ciphertext of the first file, and send the encrypted ciphertext to the data sharing smart contract of the blockchain, so that the second sharing organization The download of the first file is requested, and the second sharing organization is an organization other than the sharing organization and the plurality of first sharing organizations.
第三方面,本发明实施例还提供了一种计算设备,包括:In the third aspect, an embodiment of the present invention also provides a computing device, including:
存储器,用于存储程序指令;Memory, used to store program instructions;
处理器,用于调用所述存储器中存储的程序指令,按照获得的程序执行上述区块链数据共享方法。The processor is configured to call the program instructions stored in the memory, and execute the above blockchain data sharing method according to the obtained program.
第四方面,本发明实施例还提供了一种计算机可读非易失性存储介质,包括计算机可读指令,当计算机读取并执行所述计算机可读指令时,使得计算机执行上述区块链数据共享方法。In a fourth aspect, embodiments of the present invention also provide a computer-readable non-volatile storage medium, including computer-readable instructions, which when the computer reads and executes the computer-readable instructions, cause the computer to execute the aforementioned blockchain Data sharing method.
第五方面,本发明实施例还提供一种计算机程序产品,所述计算机程序产品包括存储在非暂态计算机可读存储介质上的计算程序,所述计算机程序包括程序指令,当所述程序指令被计算机执行时,使所述计算机执行如上所述区块链数据共享方法。In a fifth aspect, the embodiments of the present invention also provide a computer program product, the computer program product includes a calculation program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, when the program instructions When executed by a computer, the computer is caused to execute the blockchain data sharing method as described above.
附图说明Description of the drawings
为了更清楚地说明本发明实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简要介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域的普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly describe the technical solutions in the embodiments of the present invention, the following will briefly introduce the drawings needed in the description of the embodiments. Obviously, the drawings in the following description are only some embodiments of the present invention. For those of ordinary skill in the art, without creative work, other drawings can be obtained from these drawings.
图1为本发明实施例提供的一种系统架构的示意图;FIG. 1 is a schematic diagram of a system architecture provided by an embodiment of the present invention;
图2为本发明实施例提供的一种区块链数据共享方法的流程示意图;2 is a schematic flowchart of a blockchain data sharing method provided by an embodiment of the present invention;
图3为本发明实施例提供的另一种数据加密的流程示意图;FIG. 3 is a schematic diagram of another data encryption process provided by an embodiment of the present invention;
图4为本发明实施例提供的一种数据解密的流程示意图;4 is a schematic diagram of a data decryption process provided by an embodiment of the present invention;
图5为本发明实施例提供的一种数字信封的示意图;Figure 5 is a schematic diagram of a digital envelope provided by an embodiment of the present invention;
图6为本发明实施例提供的一种区块链数据共享装置的结构示意图;6 is a schematic structural diagram of a block chain data sharing device provided by an embodiment of the present invention;
图7为本发明实施例提供的一种电子设备的结构示意图。FIG. 7 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.
具体实施方式Detailed ways
为了使本发明的目的、技术方案和优点更加清楚,下面将结合附图对本发明作进一步地详细描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。 基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其它实施例,都属于本发明保护的范围。In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the present invention, rather than all of them. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative work shall fall within the protection scope of the present invention.
图1示例性的示出了本发明实施例所适用的一种系统架构,该系统架构可以包括多个共享机构100和区块链系统200。该区块链系统200是由多个共享机构100搭建的联盟链,该联盟链可以包括一个或多个区块链节点210,以此能够做到机构内数据多活。FIG. 1 exemplarily shows a system architecture to which an embodiment of the present invention is applicable. The system architecture may include multiple sharing institutions 100 and a blockchain system 200. The blockchain system 200 is a consortium chain built by multiple sharing institutions 100, and the consortium chain may include one or more blockchain nodes 210, so as to achieve more data activities in the institution.
其中,共享机构100与区块链系统200进行通信,在区块链系统200中管理数据共享智能合约。Among them, the sharing organization 100 communicates with the blockchain system 200, and manages data sharing smart contracts in the blockchain system 200.
区块链系统200由多个区块链节点210组成,分别与多个共享机构100进行通信,用于存储共享机构100发送的数据,以及接受共享机构100对部署在区块链节点210上的数据共享智能合约进行管理。该多个区块链节点210可以相互连接通信,每个区块链节点210中包括多个区块,区块用于交易数据。The blockchain system 200 is composed of multiple blockchain nodes 210, which respectively communicate with multiple sharing institutions 100, and are used to store data sent by the sharing institution 100, and to accept the sharing institutions 100 to deploy on the blockchain node 210. Data sharing smart contract for management. The multiple blockchain nodes 210 can be connected to each other for communication. Each blockchain node 210 includes multiple blocks, and the blocks are used for transaction data.
需要说明的是,上述图1所示的结构仅是一种示例,本发明实施例对此不做限定。It should be noted that the structure shown in FIG. 1 is only an example, which is not limited in the embodiment of the present invention.
基于上述描述,图2示例性的示出了本发明实施例提供的一种区块链数据共享方法的流程,该流程可以由区块链数据共享装置执行。Based on the foregoing description, FIG. 2 exemplarily shows the flow of a blockchain data sharing method provided by an embodiment of the present invention, and the flow can be executed by a blockchain data sharing device.
如图2所示,该流程具体包括:As shown in Figure 2, the process specifically includes:
步骤201,共享机构获取第一文件,并确定所述第一文件的哈希值。Step 201: The sharing institution obtains the first file and determines the hash value of the first file.
共享机构在需要共享第一文件时,可以先得到该共享的第一文件,然后使用哈希算法,计算出该第一文件的哈希值。该第一文件的哈希值可以存在本地数据库中,以便后期第二共享机构请求的时候使用。When the sharing organization needs to share the first file, it may first obtain the shared first file, and then use a hash algorithm to calculate the hash value of the first file. The hash value of the first file may be stored in the local database for later use when requested by the second sharing organization.
需要注意的是,在获取该第一文件之前,共享机构需要先生成自身的私钥,也就是该共享机构的使用,并在区块链上创建用于数据共享的数据共享智能合约。在进行数据共享之前,位于联盟链中的每个共享机构都需要生成自身的私钥,在生成私钥时,可以是自动生成一个固定位长(例如256位)的随机数,或是基于BIP-32协议/BIP-44协议的标准生成助记词,通过助记词生成种子,通过种子生成主密钥和主链码。It should be noted that, before obtaining the first file, the sharing organization needs to generate its own private key, which is the use of the sharing organization, and create a data sharing smart contract for data sharing on the blockchain. Before data sharing, each sharing organization in the consortium chain needs to generate its own private key. When generating the private key, it can automatically generate a random number with a fixed bit length (for example, 256 bits), or be based on BIP -32 protocol/BIP-44 protocol standard generates mnemonic words, generates seeds through mnemonic words, and generates master key and main chain code through seeds.
在本发明实施例中,上述数据共享智能合约中可以包括文件基本信息(本机名、大小、创建日期等),文件的权限信息,文件的管理者信息。文件的权限信息可以体现出文件的共有人信息,也就是由哪些共享机构来共同拥有该文件,以及共有权限。文件的管理者信息可以体现文件是由哪个机构负责上传管理的。In the embodiment of the present invention, the aforementioned data sharing smart contract may include basic file information (name, size, creation date, etc.) of the file, file authority information, and file manager information. The permission information of the file can reflect the information of the co-owner of the file, that is, which sharing organization jointly owns the file, and the shared permissions. The file manager information can reflect which organization is responsible for uploading and managing the file.
步骤202,所述共享机构根据所述第一文件的哈希值、索引号和所述共享机构的私钥,确定所述第一文件对应的交换公钥。Step 202: The sharing organization determines the exchange public key corresponding to the first file according to the hash value, the index number of the first file, and the private key of the sharing organization.
具体的,共享机构可以先生成该第一文件的素数和原根,然后根据共享机构的私钥和 第一文件的索引号,确定第一文件的交换私钥,最后根据第一文件的交换私钥、素数和原根,确定第一文件的交换公钥。可选的,在得到第一文件的素数和原根之后,还可以根据预设分隔符将素数和原根组成字符串,再根据第一文件的哈希值对字符串进行加密处理,得到第一文件的交换公共数,最后将交换公共数发送至区块链的数据共享智能合约上,以使第二共享机构根据交换公共数和第一文件的哈希值确定第一文件的素数和原根。其中,预设分隔符可以依据经验设置,例如可以为逗号、分号、顿号等分隔符。Specifically, the sharing organization may first generate the prime number and original root of the first file, and then determine the exchange private key of the first file according to the private key of the sharing organization and the index number of the first file, and finally according to the exchange private key of the first file. The key, prime number and primitive root determine the exchange public key of the first file. Optionally, after obtaining the prime number and the original root of the first file, the prime number and the original root can also be formed into a string according to a preset separator, and then the string is encrypted according to the hash value of the first file to obtain the first file. The exchange public number of a file, and finally the exchange public number is sent to the data sharing smart contract of the blockchain, so that the second sharing institution can determine the prime number and original number of the first file based on the exchange public number and the hash value of the first file. root. Among them, the preset separator can be set based on experience, for example, it can be a separator such as a comma, a semicolon, and a comma.
也就是说,共享机构生成该第一文件的素数和原根,该素数通常可以为2或5,素数可以为至少大于200位长的数字。将素数和原根使用逗号隔开,组成一个字符串,然后使用对称加密算法,对该字符串进行加密,得到交换公共数,加密密钥为第一文件的哈希值。共享机构可以将该交换公共数发送至区块链进行存储。That is, the sharing organization generates the prime number and primitive root of the first file. The prime number can usually be 2 or 5, and the prime number can be a number greater than 200 digits long. Separate the prime number and the original root with a comma to form a string, and then use a symmetric encryption algorithm to encrypt the string to obtain the exchange public number, and the encryption key is the hash value of the first file. The sharing organization can send the exchange public number to the blockchain for storage.
共享机构基于上述自身的私钥,结合该第一文件的索引号,使用MAC(Message Authentication Codes,消息验证码)算法或其他hash算法计算并获得该第一文件的交换私钥。再根据第一文件的素数和原根,就可以计算得到该第一文件的交换公钥。例如可以通过公式(1)来得到第一文件的交换公钥。The sharing organization calculates and obtains the exchange private key of the first file by using the MAC (Message Authentication Codes) algorithm or other hash algorithms based on the above-mentioned private key of the first file in combination with the index number of the first file. According to the prime number and primitive root of the first file, the exchange public key of the first file can be calculated. For example, the exchange public key of the first file can be obtained by formula (1).
g Msa mod p=Mpa…………………………(1) g Msa mod p=Mpa…………………………(1)
其中,g为第一文件的素数,Msa为第一文件的交换私钥,p为第一文件的原根,Mpa为第一文件的交换公钥。Among them, g is the prime number of the first file, Msa is the exchange private key of the first file, p is the original root of the first file, and Mpa is the exchange public key of the first file.
可选的,共享机构可以将该第一文件的交换公钥存储在本地数据库中,可以不保存,此时可以根据交互私钥和第一文件的素数和原根,随时得到该第一文件的交换公钥。该第一文件的交换公钥也是该共享机构的交换公钥。Optionally, the sharing organization may store the exchange public key of the first file in a local database, and it does not need to be saved. In this case, the exchange private key and the prime number and original root of the first file can be obtained at any time. Exchange public keys. The exchange public key of the first file is also the exchange public key of the sharing organization.
由于每个共享机构的私钥是固定的,但是每个文件的索引号是唯一的,本发明实施例可以实现在共享机构的私钥不变的情况下,针对不同的文件产生不同的交换密钥。Since the private key of each sharing organization is fixed, but the index number of each file is unique, the embodiment of the present invention can generate different exchange secrets for different files without the private key of the sharing organization. key.
需要说明的是,共享机构可以视共享的文件的隐私等级,对一些相对不太敏感的数据或无需授权的数据,可以选择将该交互交换公钥存储在上述数据共享智能合约中。It should be noted that, depending on the privacy level of the shared files, the sharing organization can choose to store the interactive exchange public key in the aforementioned data sharing smart contract for some relatively insensitive data or data that does not require authorization.
步骤203,所述共享机构获取多个第一共享机构的交换公钥。Step 203: The sharing organization obtains the exchange public keys of multiple first sharing organizations.
在本发明实施例中,该第一共享机构为与共享机构共同拥有第一文件的共有权限的机构,也就是和共享机构一起拥有对该第一文件共有权限的机构。In the embodiment of the present invention, the first sharing organization is an organization that shares the common authority of the first file with the sharing organization, that is, an organization that has the common authority of the first file together with the sharing organization.
该多个第一共享机构的交换公钥是由该多个第一共享机构根据该第一文件的哈希值、索引号和各自的私钥分别确定之后发送给该共享机构的。每个第一共享机构确定各自交换公钥的方式可以见上述步骤202所述的步骤,其中第一文件的哈希值可以由共享机构通过安全数据通道或者链下的方式发送给各个第一共享机构。其中,各第一共享机构的交换公 钥也是可以存储在上述数据共享智能合约中。The exchange public keys of the plurality of first sharing institutions are respectively determined by the plurality of first sharing institutions according to the hash value, index number and respective private keys of the first file and then sent to the sharing institution. The method for each first sharing organization to determine its own exchange of public keys can be found in the steps described in step 202 above. The hash value of the first file can be sent to each first sharing organization through a secure data channel or off-chain by the sharing organization. mechanism. Among them, the exchange public key of each first sharing institution can also be stored in the aforementioned data sharing smart contract.
步骤204,所述共享机构根据所述第一文件对应的交换公钥和所述多个第一共享机构的交换公钥,确定所述第一文件的加密密钥。Step 204: The sharing organization determines the encryption key of the first file according to the exchange public key corresponding to the first file and the exchange public keys of the multiple first sharing organizations.
当共享机构得到各个第一共享机构的交换公钥之后,就可以通过加密算法计算第一文件的加密密钥。例如可以通过公式(2)来得到加密密钥。After the sharing organization obtains the exchange public key of each first sharing organization, the encryption key of the first file can be calculated through the encryption algorithm. For example, the encryption key can be obtained by formula (2).
Figure PCTCN2020098289-appb-000001
Figure PCTCN2020098289-appb-000001
其中,Mpb为第一共享机构b的交换公钥,Mpa为共享机构a的交换公钥,p为第一文件的原根,Mpab为中间交换公钥,Mpc为第一共享机构c的交换公钥,Ms为第一文件的加密密钥。Among them, Mpb is the exchange public key of the first shared institution b, Mpa is the exchange public key of the shared institution a, p is the original root of the first file, Mpab is the intermediate exchange public key, and Mpc is the exchange public key of the first shared institution c. Key, Ms is the encryption key of the first file.
步骤205,所述共享机构使用所述第一文件的加密密钥对所述第一文件加密,得到所述第一文件的加密密文,并将所述加密密文发送至所述区块链的数据共享智能合约上。Step 205: The sharing organization encrypts the first file using the encryption key of the first file, obtains the encrypted ciphertext of the first file, and sends the encrypted ciphertext to the blockchain Data sharing smart contract.
共享机构计算出第一文件的加密密钥之后,就可以使用该第一文件的加密密钥对该第一文件进行加密,得到该第一文件的加密密文,并将加密密文发送至区块链的数据共享智能合约上。以使第二共享机构对该第一文件请求下载,从而完成对该第一文件的共享,该第二共享机构为除上述共享机构和多个第一共享机构之外的机构。After the sharing organization calculates the encryption key of the first file, it can use the encryption key of the first file to encrypt the first file to obtain the encrypted ciphertext of the first file, and send the encrypted ciphertext to the district Block chain data sharing smart contract. In order to enable the second sharing organization to request the download of the first file to complete the sharing of the first file, the second sharing organization is an organization other than the foregoing sharing organization and the multiple first sharing organizations.
至此,区块链的数据共享智能合约中可以包括但不限于以下内容:So far, the data sharing smart contract of the blockchain can include but is not limited to the following:
文件的基本信息、文件的索引号、文件的所有者(文件的权限信息)、文件的管理者;交换公共数、加密密文、文件的所有者同意分享的数据签名。可选的,还可以包括共享机构的交换公钥、各第一共享机构的交换公钥。The basic information of the file, the index number of the file, the owner of the file (the authority information of the file), the administrator of the file; the exchange of public numbers, encrypted ciphertext, and the data signature that the owner of the file agrees to share. Optionally, it may also include the exchange public key of the sharing organization and the exchange public key of each first sharing organization.
进一步的,共享机构也可以对区块链中数据共享智能合约中的其它第二机构共享的文件进行下载,具体的:Further, the sharing organization can also download files shared by other second organizations in the data sharing smart contract in the blockchain, specifically:
共享机构可以从区块链的数据共享智能合约上获取第二文件的加密密文、交换公共数、权限信息和管理者信息。然后根据第二文件的管理者信息,向第二文件的管理者请求第二文件的哈希值和第二文件的管理者的交换公钥,根据第二文件的权限信息,向具有第二文件的共有权限的机构请求具有第二文件的共有权限的机构的交换公钥。再根据第二文件的交换公共数、第二文件的哈希值、第二文件的管理者的交换公钥和具有第二文件的共有权限的机构的交换公钥,确定第二文件的加密密钥。最后根据第二文件的加密密钥对第二文件的加密密文进行解密,得到第二文件。The sharing organization can obtain the encrypted ciphertext of the second file from the data sharing smart contract of the blockchain, exchange public data, authority information and manager information. Then, according to the manager information of the second file, request the manager of the second file for the hash value of the second file and the exchange public key of the manager of the second file. The organization with the common authority requests the exchange public key of the organization with the common authority of the second file. According to the exchange public number of the second file, the hash value of the second file, the exchange public key of the administrator of the second file, and the exchange public key of the organization with the common authority of the second file, the encryption secret of the second file is determined. key. Finally, the encrypted ciphertext of the second file is decrypted according to the encryption key of the second file to obtain the second file.
需要说明的是,如果该具有第二文件的共有权限的机构的交换公钥都是存储在数据共享智能合约中的,也可以直接调用数据共享智能合约进行下载获取。It should be noted that if the exchange public key of the institution with the common authority of the second file is stored in the data sharing smart contract, the data sharing smart contract can also be directly called for downloading and obtaining.
共享机构可以通过安全数据通道向各具有第二文件的共有权限的机构发出请求信息,用来请求各具有第二文件的共有权限的机构的交换公钥,各具有第二文件的共有权限的机构在对该共享机构审核通过之后,就可以将交换公钥发送给该共享机构。共享机构就可以根据第二文件的交换公共数、第二文件的哈希值、第二文件的管理者的交换公钥和具有所述第二文件的共有权限的机构的交换公钥,确定第二文件的加密密钥。具体的,可以根据第二文件的交互公共数和第二文件的哈希值,确定第二文件的素数和原根,然后根据第二文件的原根、第二文件的管理者的交换公钥和具有第二文件的共有权限的机构的交换公钥,确定第二文件的加密密钥。The sharing organization can send request information to each organization with the common authority of the second file through the secure data channel to request the exchange public key of each organization with the common authority of the second file, and each organization with the common authority of the second file After the sharing organization is approved, the exchange public key can be sent to the sharing organization. The sharing organization can then determine the second file based on the exchange public number of the second file, the hash value of the second file, the exchange public key of the administrator of the second file, and the exchange public key of the organization with the common authority of the second file. 2. The encryption key of the file. Specifically, the prime number and original root of the second file can be determined based on the interactive public number of the second file and the hash value of the second file, and then based on the original root of the second file and the exchange public key of the administrator of the second file Exchange the public key with the organization that has the common authority of the second file to determine the encryption key of the second file.
当得到第二文件的加密密钥之后,就可以对该第二文件的加密密文进行解密,从而得到第二文件。After the encryption key of the second file is obtained, the encrypted ciphertext of the second file can be decrypted to obtain the second file.
为了更好的解释本发明实施例,下面将在具体的实施场景下来描述上述数据共享的流程。In order to better explain the embodiments of the present invention, the above data sharing process will be described below in a specific implementation scenario.
在本发明实施例中,假设在一个联盟链中,存在A、B、C、D四个对等的机构,各自拥有联盟链的区块链节点。假设存在一个文件M(该文件M也可以是任何文本的明文文本信息或其他格式的信息),该文件归属于机构A,在机构A中,该文件M的索引号为n,且机构B和C拥有对该文件的共有权限。现在机构A需要发起数据上链的请求,该操作同时会触发智能合约,调用文件存储的相关智能合约的功能函数;需要获得机构B和C的文件交换公钥,将文件M加密存储到区块链上。In the embodiment of the present invention, it is assumed that in a consortium chain, there are four peer institutions A, B, C, and D, each having a blockchain node of the consortium chain. Suppose there is a file M (the file M can also be any text in plain text information or other format information), the file belongs to organization A, in organization A, the index number of file M is n, and organization B and C has common permissions to the file. Now institution A needs to initiate a request for data on the chain. This operation will also trigger a smart contract to call the function function of the related smart contract for file storage; it needs to obtain the file exchange public key of institutions B and C, and encrypt the file M to the block. On the chain.
当机构D需要下载文件M时,可分别请求机构A、B、C,获得对应的密钥;结合存储在区块链上的加密密文,可通过执行预设的计算方法重新解密获得文件M的明文。When organization D needs to download file M, it can request organizations A, B, and C to obtain the corresponding keys; combined with the encrypted ciphertext stored on the blockchain, file M can be re-decrypted by executing a preset calculation method The plaintext.
以下是实现本发明实施例的详细步骤:分别为数据加密的过程和数据解密的过程。其中数据加密的过程可以如图3所示,数据解密的过程可以如图4所示。The following are the detailed steps for implementing the embodiment of the present invention: the data encryption process and the data decryption process respectively. The process of data encryption can be shown in Figure 3, and the process of data decryption can be shown in Figure 4.
需要说明的是,本发明实施例中涉及到的算法以及算法的参数(如密钥长度)仅是示例作用,不限于所述,在具体实施过程中,也可以扩展至其它同类的应用算法。It should be noted that the algorithms and algorithm parameters (such as key length) involved in the embodiments of the present invention are only exemplary and are not limited to the above. In the specific implementation process, they can also be extended to other similar application algorithms.
如图3所示,该流程具体包括:As shown in Figure 3, the process specifically includes:
步骤301,区块链上各参与机构生成各自的私钥。Step 301: Each participating organization on the blockchain generates its own private key.
区块链各参与机构的区块链节点生成一个固定位长(例如256位)的数字作为私钥S。对于机构A、机构B、机构C,将分别生成Sa、Sb和Sc等。The blockchain nodes of each participating organization of the blockchain generate a fixed-bit length (for example, 256-bit) number as the private key S. For organization A, organization B, and organization C, Sa, Sb, and Sc will be generated respectively.
私钥的生成可以是自动生成一个随机数;也可以是基于BIP-32/BIP-44的标准生成助记词,通过助记词生成种子,通过种子生成主密钥和主链码。The generation of the private key can be to automatically generate a random number; it can also be based on the BIP-32/BIP-44 standard to generate mnemonic words, generate seeds from mnemonics, and generate master keys and main chain codes from seeds.
步骤302,数据上传者创建数据共享智能合约。Step 302: The data uploader creates a data sharing smart contract.
数据上传者为机构A,机构A创建一个文件分享的数据共享智能合约Cm,在该数据共享智能合约Cm中,包含了文件基本信息(文件名、大小、创建日期等),文件的权限管理信息,文件共有人信息等信息。The data uploader is institution A, and institution A creates a file sharing data sharing smart contract Cm. The data sharing smart contract Cm contains basic file information (file name, size, creation date, etc.), and file authority management information , File co-owner information and other information.
步骤303,生成数据上传者的交换公共数和相关的密钥。Step 303: Generate the exchange public number and related keys of the data uploader.
数据上传者A计算获得该文件M的Hash值h,并存储到本地数据库中。The data uploader A calculates the Hash value h of the file M and stores it in the local database.
数据上传者A生成该文件M的素数P和原根g。通常g为2或5,素数P至少大于200位长。The data uploader A generates the prime number P and the primitive root g of the file M. Usually g is 2 or 5, and the prime number P is at least 200 bits long.
将P和g使用分隔符(如,)分割,组成字符串P,g;然后使用对称加密算法(如AES(Advanced Encryption Standard,高级加密标准)),加密密钥为h,获得交换公共数Mn。Separate P and g with a separator (such as,) to form a string of P, g; then use a symmetric encryption algorithm (such as AES (Advanced Encryption Standard, Advanced Encryption Standard)), and the encryption key is h to obtain the exchange public number Mn .
机构A根据步骤一生成的机构私钥Sa,结合该文件M的索引号n,使用MAC算法(如HMAC-SHA512)计算并获得机构A的对于文件M的交换私钥Msa。The organization A uses the MAC algorithm (such as HMAC-SHA512) to calculate and obtain the organization A's exchange private key Msa for the file M according to the organization private key Sa generated in step 1, combined with the index number n of the file M.
机构A通过上述公式(1)获得交换公钥Mpa。Institution A obtains the exchange public key Mpa through the above formula (1).
由于机构私钥Sa是固定的,但是每条数据的索引号是唯一的,因此,此机制可以在机构私钥Sa不变的情况下针对不同的数据产生不同的交换密钥。Since the organization private key Sa is fixed, but the index number of each piece of data is unique, this mechanism can generate different exchange keys for different data without changing the organization private key Sa.
机构A发起上链请求,将交换公共数Mn保存到之前所创建的数据共享智能合约Cm中。Institution A initiates an on-chain request and saves the exchange public number Mn into the previously created data sharing smart contract Cm.
机构A可将交换公钥Mpa保存到本地数据库或文件中保存;也可不在本地保存,如果不保存的话,机构A可以根据Msa和g、p随时计算还原出Mpa的值。同时,机构A也可以视数据隐私的加密等级,对于一些相对不太敏感的数据或无需授权的数据,可以选择将交换公钥Mpa存储到数据共享智能合约Cm上。Institution A can save the exchange public key Mpa in a local database or file; it does not need to be stored locally. If it is not stored, institution A can calculate and restore the value of Mpa at any time based on Msa and g, p. At the same time, institution A can also consider the encryption level of data privacy. For some relatively insensitive data or data that does not require authorization, it can choose to store the exchange public key Mpa in the data sharing smart contract Cm.
步骤304,请求获取其他数据所有者的交换公钥。Step 304: Request to obtain the exchange public keys of other data owners.
机构A可通过数据共享智能合约Cm的事件通知函数机制,自动将消息发送给数据的所有者B、C;也可通过链上的安全数据传输通道或链下的方式,向数据的所有者发起密钥申请。Institution A can automatically send messages to the data owners B and C through the event notification function mechanism of the data sharing smart contract Cm; it can also initiate to the data owners through the secure data transmission channel on the chain or off-chain Key application.
机构B、C可通过数据共享智能合约Cm下载密钥交互公共数Mn和文件的基本信息。机构B、C可分别根据已有的文件信息,检索到文件M,从而计算出文件M的Hash值;如未保存M,则可通过安全数据传输通道向机构A申请获得Hash值h。Institutions B and C can use the data sharing smart contract Cm to download the key exchange public number Mn and basic information of the file. Institutions B and C can respectively retrieve file M based on the existing file information to calculate the hash value of file M; if M is not saved, they can apply to institution A to obtain the hash value h through the secure data transmission channel.
参考步骤303,机构B、C可生成文件M对应的交换公钥Mpb、Mpc。上述机构在批准数据加密分享的前提下,可将对应的Mpb和Mpc的信息发送给机构A。机构B和C可在本地保存Mpb和Mpc的具体数据,便于在机构A接收失败的时候重发或当存在其他参与者发起解密请求时发送;也可不在本地保存,如果不保存的话,机构B和C可在收到请 求时重复本步骤计算Mpb或Mpc的过程。Referring to step 303, institutions B and C can generate exchange public keys Mpb and Mpc corresponding to file M. Under the premise of approving the encryption and sharing of data, the above-mentioned institutions can send corresponding Mpb and Mpc information to institution A. Institutions B and C can save the specific data of Mpb and Mpc locally, so that they can be retransmitted when institution A fails to receive it or sent when other participants initiate a decryption request; they can also not be stored locally. If not, institution B And C can repeat the process of calculating Mpb or Mpc in this step when receiving the request.
同时,机构A、B、C也可以视数据隐私的加密等级,对于一些相对不太敏感的数据或无需授权的数据,可以选择将交换公钥Mpa、Mpb、Mpc全部或部分存储到数据共享智能合约Cm上。At the same time, institutions A, B, and C can also consider the encryption level of data privacy. For some relatively insensitive data or data that does not require authorization, they can choose to store all or part of the exchange public keys Mpa, Mpb, and Mpc in the data sharing intelligence. Contract Cm.
步骤305,计算加密密钥并加密文件。Step 305: Calculate the encryption key and encrypt the file.
基于上述信息,机构A可通过公式(2)计算出文件最终的加密密钥Ms。Based on the above information, organization A can calculate the final encryption key Ms of the file by formula (2).
然后,机构A使用上述密钥Ms,使用对称加密算法(例如AES)对文件M进行加密,最终获得密文S。Then, the organization A uses the above-mentioned key Ms to encrypt the file M using a symmetric encryption algorithm (such as AES), and finally obtains the ciphertext S.
步骤306,文件的加密密文发送至区块链。In step 306, the encrypted ciphertext of the file is sent to the blockchain.
机构A调用区块链智能合约的接口,将上述加密密文发送到区块链对应的数据共享智能合约Cm上,数据共享智能合约Cm中同时保存了文件M的加密密文。Institution A calls the interface of the blockchain smart contract and sends the encrypted ciphertext to the data sharing smart contract Cm corresponding to the blockchain. The data sharing smart contract Cm also stores the encrypted ciphertext of the file M.
总结,最终保存到数据共享智能合约上的文件M的内容包括但不限于以下主要内容:In summary, the content of file M that is finally saved on the data sharing smart contract includes but is not limited to the following main content:
机构A:文件的基本信息、文件的索引号、文件的所有者、文件的管理者;密钥交换协议中的公共数字Mn、机构A的交互公钥Mpa(可选)。最终的密文。Organization A: the basic information of the file, the index number of the file, the owner of the file, the manager of the file; the public number Mn in the key exchange protocol, the interactive public key Mpa of the organization A (optional). The final ciphertext.
机构B、C:同意分享的数据签名;密钥交互协议中各机构的公钥(可选)。Institutions B and C: data signatures agreed to be shared; public keys of each institution in the key exchange agreement (optional).
如图4所示,数据解密的流程具体包括:As shown in Figure 4, the data decryption process specifically includes:
步骤401,向数据管理者申请获取文件信息。Step 401: Apply to the data manager to obtain file information.
机构D可通过数据共享智能合约Cm获得文件M的基本信息、权限信息和管理者信息。如果公钥Mpa、Mpb、Mpc已保存到链上,则可直接调用数据共享智能合约下载获取。Organization D can obtain the basic information, authority information and manager information of file M through the data sharing smart contract Cm. If the public keys Mpa, Mpb, and Mpc have been saved on the chain, you can directly call the data sharing smart contract to download and obtain.
机构D通过安全数据通道首先向数据管理者A申请获取文件M,如果机构A审核通过,向机构D返回该文件的Hash值h和交换公钥Mpa。Organization D first applies to data manager A to obtain file M through the secure data channel. If organization A passes the review, it returns the hash value h and exchange public key Mpa of the file to organization D.
机构D通过区块链的数据共享智能合约下载该文件对应的交换公共数Mn,并使用h进行解密,可获得对应的g和p的值。Institution D downloads the exchange public number Mn corresponding to the file through the data sharing smart contract of the blockchain, and uses h to decrypt it to obtain the corresponding values of g and p.
步骤402,向其他数据所有者申请获取文件信息。Step 402: Apply to other data owners to obtain file information.
机构D通过安全数据通道首先向其他数据者机构B和C申请获取文件M,如果机构B和C审核通过,将向机构D返回各自的交互公钥Mpb和Mpc(如果Mpb和Mpc已存储在链上,则可直接通过链上获取,可跳过此步骤)。Institution D first applies to other data holder institutions B and C to obtain file M through the secure data channel. If institutions B and C pass the review, they will return their respective interactive public keys Mpb and Mpc to institution D (if Mpb and Mpc have been stored in the chain Above, you can get it directly through the chain, you can skip this step).
步骤403,解密文件。Step 403: Decrypt the file.
机构D在完成了上述两个步骤后,可参考加密方案的步骤305获得文件M的加密密钥Ms。After the organization D has completed the above two steps, it can refer to step 305 of the encryption scheme to obtain the encryption key Ms of the file M.
机构D可通过数据共享智能合约Cm下载最终的文件密文S,通过使用与加密过程中 相同的对称加密算法(例如AES),可以解密得到最终的明文M。Institution D can download the final file cipher text S through the data sharing smart contract Cm, and can decrypt the final plain text M by using the same symmetric encryption algorithm (such as AES) used in the encryption process.
本发明实施例提供的数据共享方法可以推广到数据共享的所有者为一个或多个机构的场景,配合区块链智能合约,能够精准地控制数据共享的授权范围、流程和权限。The data sharing method provided by the embodiments of the present invention can be extended to scenarios where the owner of the data sharing is one or more institutions, and in conjunction with the blockchain smart contract, the authorization scope, flow and authority of the data sharing can be accurately controlled.
相比现有的数据共享方法,本发明实施例提供的数据共享方法具体一下有点:Compared with the existing data sharing method, the data sharing method provided by the embodiment of the present invention has the following specific points:
1、相比数字信封方案,无需在链下存储海量的对称密钥。1. Compared with the digital envelope scheme, there is no need to store massive symmetric keys off-chain.
2、加密数据真正上链,可通过解密还原明文数据。2. The encrypted data is actually on the chain, and the plaintext data can be restored through decryption.
3、只要妥善保存用户的私钥,数据就不会丢失。3. As long as the user's private key is properly stored, the data will not be lost.
4、可实现灵活、方便的数据共享机制。4. A flexible and convenient data sharing mechanism can be realized.
5、有利于有效保护用户隐私。5. Conducive to effective protection of user privacy.
6、灵活的权限控制机制,保证链上数据的共享得到了充分的授权。6. Flexible permission control mechanism ensures that the sharing of data on the chain is fully authorized.
7、数据分享的加解密计算量较小,效率较高。7. The encryption and decryption calculation of data sharing is small and the efficiency is high.
本发明实施例表明,共享机构获取第一文件,并确定第一文件的哈希值,第一文件为待共享的文件,根据第一文件的哈希值、索引号和共享机构的私钥,确定第一文件对应的交换公钥,获取多个第一共享机构的交换公钥,根据第一文件对应的交换公钥和多个第一共享机构的交换公钥,确定第一文件的加密密钥,使用第一文件的加密密钥对第一文件加密,得到第一文件的加密密文,并将加密密文发送至区块链的数据共享智能合约上,以使第二共享机构对第一文件请求下载。由于通过共享机构的私钥和索引号得到第一文件对应的交换公钥,可以实现在共享机构的私钥不变的情况下,针对不同的文件产生不同的交换密钥,可以灵活、方便、有效的保护用户隐私。将加密后的文件发送至区块链,实现了加密文件的真正上链,实现了真正的数据共享。The embodiment of the present invention shows that the sharing organization obtains the first file and determines the hash value of the first file. The first file is the file to be shared. According to the hash value, index number, and private key of the sharing organization, Determine the exchange public key corresponding to the first file, obtain the exchange public keys of multiple first sharing institutions, and determine the encryption secret of the first file based on the exchange public keys corresponding to the first file and the exchange public keys of the multiple first sharing institutions Key, use the encryption key of the first file to encrypt the first file to obtain the encrypted ciphertext of the first file, and send the encrypted ciphertext to the data sharing smart contract of the blockchain, so that the second sharing organization can A file is requested to download. Since the exchange public key corresponding to the first file is obtained through the private key and index number of the shared organization, different exchange keys can be generated for different files under the condition that the private key of the shared organization remains unchanged, which can be flexible, convenient, Effectively protect user privacy. Sending the encrypted file to the blockchain realizes the real winding of the encrypted file and real data sharing.
需要说明的是,上述方案中,密钥交换算法的私钥(如Msa)不仅可以通过使用主私钥+索引通过HMAC(Hash-based Message Authentication Code,哈希消息认证码)的算法生成,也可以使用BIP32协议的方式使用CKD(child key derivation,子密钥衍生)方程去从母密钥衍生出子密钥。子密钥衍生方程是基于单项哈希方程。It should be noted that in the above scheme, the private key of the key exchange algorithm (such as Msa) can not only be generated by the HMAC (Hash-based Message Authentication Code) algorithm by using the master private key + index, but also The CKD (child key derivation) equation can be used in the BIP32 protocol to derive the child key from the parent key. The subkey derivation equation is based on a single hash equation.
上述数据共享方法也可以使用数字信封的方案,具体如图5所示:The above data sharing method can also use the digital envelope scheme, as shown in Figure 5:
1、发送方A使用对称密钥K对明文M进行加密,生成密文信息S。1. The sender A uses the symmetric key K to encrypt the plaintext M to generate ciphertext information S.
2、发送方A将密文信息S上链,使用B的公钥将对称密钥K加密,通过安全数据传输通道发送给接收方B。2. The sender A puts the ciphertext information S on the chain, uses B's public key to encrypt the symmetric key K, and sends it to the receiver B through a secure data transmission channel.
3、接收方B接收到发送方A的加密信息后,使用自己的私钥解密得到对称密钥K。3. After receiving the encrypted information of the sender A, the receiver B uses its own private key to decrypt it to obtain the symmetric key K.
4、接收方B在链上获取密文信息,使用对称密钥K对密文信息进行解密,得到最初的明文M。4. The receiver B obtains the ciphertext information on the chain, uses the symmetric key K to decrypt the ciphertext information, and obtains the original plaintext M.
基于相同的技术构思,图6示例性的示出了本发明实施例提供的一种区块链数据共享装置的结构,该装置可以执行区块链数据共享的流程。Based on the same technical concept, FIG. 6 exemplarily shows the structure of a blockchain data sharing device provided by an embodiment of the present invention, and the device can execute a blockchain data sharing process.
如图6所示,该装置具体包括:As shown in Figure 6, the device specifically includes:
获取单元601,用于获取第一文件,并确定所述第一文件的哈希值,所述第一文件为待共享的文件;The obtaining unit 601 is configured to obtain a first file and determine a hash value of the first file, where the first file is a file to be shared;
处理单元602,用于根据所述第一文件的哈希值、索引号和共享机构的私钥,确定所述第一文件对应的交换公钥;The processing unit 602 is configured to determine the exchange public key corresponding to the first file according to the hash value, the index number and the private key of the sharing organization of the first file;
所述获取单元601,还用于获取多个第一共享机构的交换公钥,所述第一共享机构为与共享机构共同拥有所述第一文件的共有权限的机构;所述多个第一共享机构的交换公钥为所述多个第一共享机构根据所述第一文件的哈希值、索引号和所述多个第一共享机构的私钥分别确定的;The obtaining unit 601 is further configured to obtain the exchange public keys of multiple first sharing institutions, the first sharing institutions being institutions that jointly own the common authority of the first file with the sharing institutions; The exchange public keys of the shared institutions are respectively determined by the multiple first shared institutions according to the hash value, the index number of the first file, and the private keys of the multiple first shared institutions;
所述处理单元602,还用于根据所述第一文件对应的交换公钥和所述多个第一共享机构的交换公钥,确定所述第一文件的加密密钥;使用所述第一文件的加密密钥对所述第一文件加密,得到所述第一文件的加密密文,并将所述加密密文发送至所述区块链的数据共享智能合约上,以使第二共享机构对所述第一文件请求下载,所述第二共享机构为除所述共享机构和所述多个第一共享机构之外的机构。The processing unit 602 is further configured to determine the encryption key of the first file according to the public exchange key corresponding to the first file and the public exchange keys of the multiple first sharing institutions; The encryption key of the file encrypts the first file to obtain the encrypted ciphertext of the first file, and sends the encrypted ciphertext to the data sharing smart contract of the blockchain, so that the second sharing An organization requests to download the first file, and the second sharing organization is an organization other than the sharing organization and the multiple first sharing organizations.
基于相同的原理,本发明还提供一种电子设备,如图7所示,包括:Based on the same principle, the present invention also provides an electronic device, as shown in FIG. 7, including:
包括处理器701、存储器702、收发机703、总线接口704,其中处理器701、存储器702与收发机703之间通过总线接口704连接;It includes a processor 701, a memory 702, a transceiver 703, and a bus interface 704, wherein the processor 701, the memory 702 and the transceiver 703 are connected through the bus interface 704;
所述处理器701,用于读取所述存储器702中的程序,执行上述区块链数据共享方法,所述方法包括:The processor 701 is configured to read a program in the memory 702 and execute the blockchain data sharing method described above, and the method includes:
控制收发机703获取第一文件,并确定所述第一文件的哈希值,所述第一文件为待共享的文件;Control the transceiver 703 to obtain the first file and determine the hash value of the first file, where the first file is a file to be shared;
根据所述第一文件的哈希值、索引号和共享机构的私钥,确定所述第一文件对应的交换公钥;Determine the exchange public key corresponding to the first file according to the hash value, the index number of the first file, and the private key of the sharing organization;
控制收发机703获取多个第一共享机构的交换公钥,所述第一共享机构为与共享机构共同拥有所述第一文件的共有权限的机构;所述多个第一共享机构的交换公钥为所述多个第一共享机构根据所述第一文件的哈希值、索引号和所述多个第一共享机构的私钥分别确定的;The control transceiver 703 obtains the exchange public keys of a plurality of first sharing institutions, the first sharing institution being an institution that jointly owns the common authority of the first file with the sharing institution; the exchange public keys of the multiple first sharing institutions The keys are respectively determined by the plurality of first sharing institutions according to the hash value, the index number of the first file, and the private keys of the plurality of first sharing institutions;
根据所述第一文件对应的交换公钥和所述多个第一共享机构的交换公钥,确定所述第一文件的加密密钥;使用所述第一文件的加密密钥对所述第一文件加密,得到所述第一文 件的加密密文,并将所述加密密文发送至所述区块链的数据共享智能合约上,以使第二共享机构对所述第一文件请求下载,所述第二共享机构为除所述共享机构和所述多个第一共享机构之外的机构。Determine the encryption key of the first file according to the public exchange key corresponding to the first file and the public exchange keys of the multiple first sharing institutions; use the encryption key of the first file to pair the first file A file is encrypted, the encrypted ciphertext of the first file is obtained, and the encrypted ciphertext is sent to the data sharing smart contract of the blockchain, so that the second sharing agency requests to download the first file , The second sharing organization is an organization other than the sharing organization and the plurality of first sharing organizations.
所述处理器701可以是中央处理器(central processing unit,简称CPU),网络处理器(network processor,简称NP)或者CPU和NP的组合。还可以是硬件芯片。上述硬件芯片可以是专用集成电路(application-specific integrated circuit,简称ASIC),可编程逻辑器件(programmable logic device,简称PLD)或其组合。上述PLD可以是复杂可编程逻辑器件(complex programmable logic device,简称CPLD),现场可编程逻辑门阵列(field-programmable gate array,简称FPGA),通用阵列逻辑(generic array logic,简称GAL)或其任意组合。The processor 701 may be a central processing unit (central processing unit, CPU for short), a network processor (NP for short), or a combination of CPU and NP. It can also be a hardware chip. The aforementioned hardware chip may be an application-specific integrated circuit (ASIC for short), a programmable logic device (PLD for short), or a combination thereof. The above-mentioned PLD can be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (generic array logic, GAL), or any of them combination.
所述存储器702,用于存储一个或多个可执行程序,可以存储所述处理器701在执行操作时所使用的数据。The memory 702 is configured to store one or more executable programs, and can store data used by the processor 701 when performing operations.
具体地,程序可以包括程序代码,程序代码包括计算机操作指令。存储器702可以包括易失性存储器(volatile memory),例如随机存取存储器(random-access memory,简称RAM);存储器702也可以包括非易失性存储器(non-volatile memory),例如快闪存储器(flash memory),硬盘(hard disk drive,简称HDD)或固态硬盘(solid-state drive,简称SSD);存储器702还可以包括上述种类的存储器的组合。Specifically, the program may include program code, and the program code includes computer operation instructions. The memory 702 may include a volatile memory (volatile memory), such as random-access memory (random-access memory, RAM for short); the memory 702 may also include a non-volatile memory (non-volatile memory), such as flash memory ( flash memory), hard disk drive (HDD for short) or solid-state drive (SSD for short); the memory 702 may also include a combination of the foregoing types of memories.
存储器702存储了如下的元素,可执行模块或者数据结构,或者它们的子集,或者它们的扩展集:The memory 702 stores the following elements, executable modules or data structures, or their subsets, or their extended sets:
操作指令:包括各种操作指令,用于实现各种操作。Operating instructions: including various operating instructions, used to implement various operations.
操作系统:包括各种系统程序,用于实现各种基础业务以及处理基于硬件的任务。Operating system: including various system programs, used to implement various basic services and process hardware-based tasks.
总线接口704可以为有线通信接入口,无线总线接口或其组合,其中,有线总线接口例如可以为以太网接口。以太网接口可以是光接口,电接口或其组合。无线总线接口可以为WLAN接口。The bus interface 704 may be a wired communication access port, a wireless bus interface or a combination thereof, where the wired bus interface may be, for example, an Ethernet interface. The Ethernet interface can be an optical interface, an electrical interface or a combination thereof. The wireless bus interface may be a WLAN interface.
基于相同的技术构思,本发明实施例还提供了一种计算设备,包括:Based on the same technical concept, an embodiment of the present invention also provides a computing device, including:
存储器,用于存储程序指令;Memory, used to store program instructions;
处理器,用于调用所述存储器中存储的程序指令,按照获得的程序执行上述区块链数据共享方法。The processor is configured to call the program instructions stored in the memory, and execute the above blockchain data sharing method according to the obtained program.
基于相同的技术构思,本发明实施例还提供了一种计算机可读非易失性存储介质,包括计算机可读指令,当计算机读取并执行所述计算机可读指令时,使得计算机执行上述区块链数据共享方法。Based on the same technical concept, the embodiments of the present invention also provide a computer-readable non-volatile storage medium, including computer-readable instructions. When the computer reads and executes the computer-readable instructions, the computer executes the above-mentioned areas. Block chain data sharing method.
基于相同的原理,本发明实施例还提供一种计算机程序产品,所述计算机程序产品包括存储在非暂态计算机可读存储介质上的计算程序,所述计算机程序包括程序指令,当所述程序指令被计算机执行时,使所述计算机执行上述区块链数据共享方法。Based on the same principle, embodiments of the present invention also provide a computer program product, the computer program product includes a calculation program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, when the program When the instructions are executed by a computer, the computer is caused to execute the above-mentioned blockchain data sharing method.
本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each process and/or block in the flowchart and/or block diagram, and the combination of processes and/or blocks in the flowchart and/or block diagram can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to generate a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment are generated It is a device that realizes the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction device. The device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so as to execute on the computer or other programmable equipment. The instructions provide steps for implementing functions specified in a flow or multiple flows in the flowchart and/or a block or multiple blocks in the block diagram.
尽管已描述了本发明的优选实施例,但本领域内的技术人员一旦得知了基本创造性概念,则可对这些实施例作出另外的变更和修改。所以,所附权利要求意欲解释为包括优选实施例以及落入本发明范围的所有变更和修改。Although the preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn the basic creative concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications falling within the scope of the present invention.
显然,本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. In this way, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.

Claims (15)

  1. 一种区块链数据共享方法,其特征在于,包括:A blockchain data sharing method is characterized in that it includes:
    共享机构获取第一文件,并确定所述第一文件的哈希值,所述第一文件为待共享的文件;The sharing institution obtains the first file and determines the hash value of the first file, where the first file is a file to be shared;
    所述共享机构根据所述第一文件的哈希值、索引号和所述共享机构的私钥,确定所述第一文件对应的交换公钥;The sharing organization determines the exchange public key corresponding to the first file according to the hash value, the index number of the first file, and the private key of the sharing organization;
    所述共享机构获取多个第一共享机构的交换公钥,所述第一共享机构为与共享机构共同拥有所述第一文件的共有权限的机构;所述多个第一共享机构的交换公钥为所述多个第一共享机构根据所述第一文件的哈希值、索引号和所述多个第一共享机构的私钥分别确定的;The sharing organization obtains the exchange public keys of a plurality of first sharing organizations, and the first sharing organization is an organization that jointly owns the common authority of the first file with the sharing organization; the exchange public keys of the plurality of first sharing organizations The keys are respectively determined by the plurality of first sharing institutions according to the hash value, the index number of the first file, and the private keys of the plurality of first sharing institutions;
    所述共享机构根据所述第一文件对应的交换公钥和所述多个第一共享机构的交换公钥,确定所述第一文件的加密密钥;Determining, by the sharing organization, the encryption key of the first file according to the exchange public key corresponding to the first file and the exchange public keys of the multiple first sharing organizations;
    所述共享机构使用所述第一文件的加密密钥对所述第一文件加密,得到所述第一文件的加密密文,并将所述加密密文发送至所述区块链的数据共享智能合约上,以使第二共享机构对所述第一文件请求下载,所述第二共享机构为除所述共享机构和所述多个第一共享机构之外的机构。The sharing mechanism encrypts the first file using the encryption key of the first file, obtains the encrypted ciphertext of the first file, and sends the encrypted ciphertext to the data sharing of the blockchain In the smart contract, a second sharing organization requests to download the first file, and the second sharing organization is an organization other than the sharing organization and the plurality of first sharing organizations.
  2. 如权利要求1所述的方法,其特征在于,所述共享机构根据所述第一文件的哈希值、索引号和所述共享机构的私钥,确定所述第一文件对应的交换公钥,包括:The method according to claim 1, wherein the sharing organization determines the exchange public key corresponding to the first file based on the hash value, index number and private key of the sharing organization of the first file ,include:
    所述共享机构生成所述第一文件的素数和原根;Generating the prime numbers and primitive roots of the first file by the sharing mechanism;
    所述共享机构根据所述共享机构的私钥和所述第一文件的索引号,确定所述第一文件的交换私钥;The sharing organization determines the exchange private key of the first file according to the private key of the sharing organization and the index number of the first file;
    所述共享机构根据所述第一文件的交换私钥、素数和原根,确定所述第一文件的交换公钥。The sharing agency determines the exchange public key of the first file according to the exchange private key, prime number, and original root of the first file.
  3. 如权利要求2所述的方法,其特征在于,所述共享机构在生成所述第一文件的素数和原根之后,还包括:3. The method of claim 2, wherein after the sharing mechanism generates the prime numbers and primitive roots of the first file, the method further comprises:
    所述共享机构根据预设分隔符将所述素数和原根组成字符串;The sharing mechanism composes the prime number and the primitive root into a string according to a preset separator;
    所述共享机构根据所述第一文件的哈希值对所述字符串进行加密处理,得到所述第一文件的交换公共数;The sharing organization encrypts the character string according to the hash value of the first file to obtain the exchange public number of the first file;
    所述共享机构将所述交换公共数发送至所述区块链的数据共享智能合约上,以使所述第二共享机构根据所述交换公共数和所述第一文件的哈希值确定所述第一文件的素数和 原根。The sharing institution sends the exchange public number to the data sharing smart contract of the blockchain, so that the second sharing institution determines the exchange public number and the hash value of the first file. State the prime numbers and primitive roots of the first file.
  4. 如权利要求1所述的方法,其特征在于,在所述共享机构获取第一文件之前,还包括:The method according to claim 1, characterized in that, before the sharing organization obtains the first file, further comprising:
    所述共享机构生成所述共享机构的私钥;The sharing organization generates the private key of the sharing organization;
    所述共享机构在所述区块链上创建所述数据共享智能合约。The sharing agency creates the data sharing smart contract on the blockchain.
  5. 如权利要求1至4任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 1 to 4, wherein the method further comprises:
    所述共享机构从所述区块链的数据共享智能合约上获取第二文件的加密密文、交换公共数、权限信息和管理者信息;The sharing agency obtains the encrypted ciphertext of the second file from the data sharing smart contract of the blockchain, exchanges public data, authority information, and manager information;
    所述共享机构根据所述第二文件的管理者信息,向所述第二文件的管理者请求所述第二文件的哈希值和所述第二文件的管理者的交换公钥;The sharing institution requests the manager of the second file for the hash value of the second file and the exchange public key of the manager of the second file according to the manager information of the second file;
    所述共享机构根据所述第二文件的权限信息,向具有所述第二文件的共有权限的机构请求所述具有所述第二文件的共有权限的机构的交换公钥;According to the authority information of the second file, the sharing organization requests the exchange public key of the organization having the common authority of the second file from the organization having the common authority of the second file;
    所述共享机构根据所述第二文件的交换公共数、所述第二文件的哈希值、所述第二文件的管理者的交换公钥和所述具有所述第二文件的共有权限的机构的交换公钥,确定所述第二文件的加密密钥;The sharing organization is based on the exchange public number of the second file, the hash value of the second file, the exchange public key of the administrator of the second file, and the shared authority of the second file The exchange public key of the institution, which determines the encryption key of the second file;
    所述共享机构根据所述第二文件的加密密钥对所述第二文件的加密密文进行解密,得到所述第二文件。The sharing agency decrypts the encrypted ciphertext of the second file according to the encryption key of the second file to obtain the second file.
  6. 如权利要求5所述的方法,其特征在于,所述共享机构根据所述第二文件的交换公共数、所述第二文件的哈希值、所述第二文件的管理者的交换公钥和所述具有所述第二文件的共有权限的机构的交换公钥,确定所述第二文件的加密密钥,包括:The method of claim 5, wherein the sharing organization is based on the exchange public number of the second file, the hash value of the second file, and the exchange public key of the manager of the second file. Exchanging the public key with the institution having the shared authority of the second file to determine the encryption key of the second file includes:
    所述共享机构根据所述第二文件的交互公共数和所述第二文件的哈希值,确定所述第二文件的素数和原根;The sharing mechanism determines the prime number and primitive root of the second file according to the interactive common number of the second file and the hash value of the second file;
    所述共享机构根据所述第二文件的原根、所述第二文件的管理者的交换公钥和所述具有所述第二文件的共有权限的机构的交换公钥,确定所述第二文件的加密密钥。The sharing institution determines the second file based on the original root of the second file, the exchange public key of the administrator of the second file, and the exchange public key of the institution with the common authority of the second file. The encryption key of the file.
  7. 一种区块链数据共享装置,其特征在于,包括:A block chain data sharing device is characterized in that it comprises:
    获取单元,用于获取第一文件,并确定所述第一文件的哈希值,所述第一文件为待共享的文件;An obtaining unit, configured to obtain a first file and determine a hash value of the first file, where the first file is a file to be shared;
    处理单元,用于根据所述第一文件的哈希值、索引号和共享机构的私钥,确定所述第一文件对应的交换公钥;A processing unit, configured to determine the exchange public key corresponding to the first file according to the hash value, the index number and the private key of the sharing organization of the first file;
    所述获取单元,还用于获取多个第一共享机构的交换公钥,所述第一共享机构为与共享机构共同拥有所述第一文件的共有权限的机构;所述多个第一共享机构的交换公钥为所 述多个第一共享机构根据所述第一文件的哈希值、索引号和所述多个第一共享机构的私钥分别确定的;The obtaining unit is further configured to obtain the exchange public keys of a plurality of first sharing institutions, the first sharing institution being an institution that jointly owns the common authority of the first file with the sharing institution; the multiple first sharing institutions The exchange public keys of the institutions are respectively determined by the multiple first sharing institutions according to the hash value, the index number of the first file, and the private keys of the multiple first sharing institutions;
    所述处理单元,还用于根据所述第一文件对应的交换公钥和所述多个第一共享机构的交换公钥,确定所述第一文件的加密密钥;使用所述第一文件的加密密钥对所述第一文件加密,得到所述第一文件的加密密文,并将所述加密密文发送至所述区块链的数据共享智能合约上,以使第二共享机构对所述第一文件请求下载,所述第二共享机构为除所述共享机构和所述多个第一共享机构之外的机构。The processing unit is further configured to determine the encryption key of the first file according to the exchange public key corresponding to the first file and the exchange public keys of the plurality of first sharing institutions; use the first file Encrypt the first file with the encryption key to obtain the encrypted ciphertext of the first file, and send the encrypted ciphertext to the data sharing smart contract of the blockchain, so that the second sharing organization The download of the first file is requested, and the second sharing organization is an organization other than the sharing organization and the plurality of first sharing organizations.
  8. 如权利要求7所述的装置,其特征在于,所述处理单元具体用于:The device according to claim 7, wherein the processing unit is specifically configured to:
    生成所述第一文件的素数和原根;Generating prime numbers and primitive roots of the first file;
    根据所述共享机构的私钥和所述第一文件的索引号,确定所述第一文件的交换私钥;Determine the exchange private key of the first file according to the private key of the sharing organization and the index number of the first file;
    根据所述第一文件的交换私钥、素数和原根,确定所述第一文件的交换公钥。Determine the exchange public key of the first file according to the exchange private key, prime number and original root of the first file.
  9. 如权利要求8所述的装置,其特征在于,所述处理单元还用于:The device according to claim 8, wherein the processing unit is further configured to:
    在生成所述第一文件的素数和原根之后,根据预设分隔符将所述素数和原根组成字符串;After generating the prime numbers and primitive roots of the first file, compose the prime numbers and primitive roots into a character string according to a preset separator;
    根据所述第一文件的哈希值对所述字符串进行加密处理,得到所述第一文件的交换公共数;Encrypting the character string according to the hash value of the first file to obtain the exchange public number of the first file;
    将所述交换公共数发送至所述区块链的数据共享智能合约上,以使所述第二共享机构根据所述交换公共数和所述第一文件的哈希值确定所述第一文件的素数和原根。Send the exchange public number to the data sharing smart contract of the blockchain, so that the second sharing agency determines the first file based on the exchange public number and the hash value of the first file The prime numbers and primitive roots of.
  10. 如权利要求7所述的装置,其特征在于,所述处理单元还用于:The device according to claim 7, wherein the processing unit is further configured to:
    在获取第一文件之前,生成所述共享机构的私钥;Before obtaining the first file, generate the private key of the sharing organization;
    在所述区块链上创建所述数据共享智能合约。Create the data sharing smart contract on the blockchain.
  11. 如权利要求7至10任一项所述的装置,其特征在于,所述处理单元还用于:The device according to any one of claims 7 to 10, wherein the processing unit is further configured to:
    从所述区块链的数据共享智能合约上获取第二文件的加密密文、交换公共数、权限信息和管理者信息;Obtain the encrypted ciphertext of the second file from the data sharing smart contract of the blockchain, exchange public numbers, authority information and manager information;
    根据所述第二文件的管理者信息,向所述第二文件的管理者请求所述第二文件的哈希值和所述第二文件的管理者的交换公钥;Request the hash value of the second file and the exchange public key of the manager of the second file from the manager of the second file according to the manager information of the second file;
    根据所述第二文件的权限信息,向具有所述第二文件的共有权限的机构请求所述具有所述第二文件的共有权限的机构的交换公钥;According to the authority information of the second file, request the exchange public key of the organization having the common authority of the second file from an organization having the common authority of the second file;
    根据所述第二文件的交换公共数、所述第二文件的哈希值、所述第二文件的管理者的交换公钥和所述具有所述第二文件的共有权限的机构的交换公钥,确定所述第二文件的加密密钥;According to the exchange public number of the second file, the hash value of the second file, the exchange public key of the administrator of the second file, and the exchange public of the institution with the common authority of the second file Key, which determines the encryption key of the second file;
    根据所述第二文件的加密密钥对所述第二文件的加密密文进行解密,得到所述第二文件。Decrypt the encrypted ciphertext of the second file according to the encryption key of the second file to obtain the second file.
  12. 如权利要求11所述的装置,其特征在于,所述处理单元具体用于:The device according to claim 11, wherein the processing unit is specifically configured to:
    根据所述第二文件的交互公共数和所述第二文件的哈希值,确定所述第二文件的素数和原根;Determining the prime number and primitive root of the second file according to the interactive common number of the second file and the hash value of the second file;
    根据所述第二文件的原根、所述第二文件的管理者的交换公钥和所述具有所述第二文件的共有权限的机构的交换公钥,确定所述第二文件的加密密钥。Determine the encryption secret of the second file according to the original root of the second file, the exchange public key of the administrator of the second file, and the exchange public key of the institution with the common authority of the second file key.
  13. 一种计算设备,其特征在于,包括:A computing device, characterized by comprising:
    存储器,用于存储程序指令;Memory, used to store program instructions;
    处理器,用于调用所述存储器中存储的程序指令,按照获得的程序执行权利要求1至6任一项所述的方法。The processor is configured to call the program instructions stored in the memory, and execute the method according to any one of claims 1 to 6 according to the obtained program.
  14. 一种计算机可读非易失性存储介质,其特征在于,包括计算机可读指令,当计算机读取并执行所述计算机可读指令时,使得计算机执行如权利要求1至6任一项所述的方法。A computer-readable non-volatile storage medium, characterized by comprising computer-readable instructions, when the computer reads and executes the computer-readable instructions, the computer is caused to execute any one of claims 1 to 6 Methods.
  15. 一种计算机程序产品,其特征在于,所述计算机程序产品包括存储在非暂态计算机可读存储介质上的计算程序,所述计算机程序包括程序指令,当所述程序指令被计算机执行时,使所述计算机执行权利要求1至6任一所述方法。A computer program product, characterized in that, the computer program product includes a calculation program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, when the program instructions are executed by a computer, The computer executes the method described in any one of claims 1 to 6.
PCT/CN2020/098289 2019-06-27 2020-06-24 Method and apparatus for sharing blockchain data WO2020259635A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910569907.2A CN110224814B (en) 2019-06-27 2019-06-27 Block chain data sharing method and device
CN201910569907.2 2019-06-27

Publications (1)

Publication Number Publication Date
WO2020259635A1 true WO2020259635A1 (en) 2020-12-30

Family

ID=67815232

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/098289 WO2020259635A1 (en) 2019-06-27 2020-06-24 Method and apparatus for sharing blockchain data

Country Status (2)

Country Link
CN (1) CN110224814B (en)
WO (1) WO2020259635A1 (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112910638A (en) * 2021-01-19 2021-06-04 上海布沁网络科技有限公司 Block chain system key retrieving method
CN113239376A (en) * 2021-05-14 2021-08-10 北京邮电大学 Data sharing method, request method and device based on block chain
CN113312647A (en) * 2021-06-23 2021-08-27 东北大学秦皇岛分校 Multi-agent data sharing method based on block chain storage
CN113392162A (en) * 2021-07-14 2021-09-14 上海旺链信息科技有限公司 Information sharing method, device, equipment and storage medium
CN114124402A (en) * 2021-11-03 2022-03-01 国家工业信息安全发展研究中心 Distributed data secure exchange sharing method under resource-constrained environment
CN114528601A (en) * 2022-04-25 2022-05-24 中国工商银行股份有限公司 Access method and device based on block chain data, processor and electronic equipment
CN115114658A (en) * 2022-06-24 2022-09-27 深圳大学 Verifiable data transaction method, device, equipment and medium based on block chain
CN115118734A (en) * 2022-07-11 2022-09-27 京东科技信息技术有限公司 File sharing method, device and equipment
CN115174590A (en) * 2022-06-28 2022-10-11 安徽科大国创慧联运科技有限公司 Logistics data sharing method and system based on block chain
CN115277690A (en) * 2022-05-12 2022-11-01 安徽超清科技股份有限公司 Industrial data supervisory systems based on block chain
CN115604035A (en) * 2022-12-13 2023-01-13 杭州城市大脑有限公司(Cn) City brain data sharing method based on alliance chain
CN117332395A (en) * 2023-11-23 2024-01-02 江西财经大学 Data management method and system for data sharing

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110224814B (en) * 2019-06-27 2022-01-14 深圳前海微众银行股份有限公司 Block chain data sharing method and device
CN110598435B (en) * 2019-09-17 2021-11-19 上海保险交易所股份有限公司 Method, apparatus and readable medium for managing insurance agent history through blockchain
CN110569670B (en) * 2019-09-17 2021-11-19 上海保险交易所股份有限公司 Encryption and design method of enterprise annuity based on block chain
CN110825797B (en) * 2019-10-25 2022-12-16 烨链(上海)科技有限公司 Data exchange method and device
CN110798315B (en) * 2019-11-11 2021-04-13 腾讯科技(深圳)有限公司 Data processing method and device based on block chain and terminal
CN110838924B (en) * 2019-11-19 2022-04-12 北京沃东天骏信息技术有限公司 Block transmission method and device
CN111010265B (en) * 2019-12-21 2023-04-18 上海中和软件有限公司 Block chain organization key management method based on hierarchical key and BLS digital signature
CN111427958A (en) * 2020-03-26 2020-07-17 北京链化未来科技有限公司 Decentralized data sharing method based on block chain
CN111984615B (en) * 2020-08-04 2024-05-28 中国人民银行数字货币研究所 File sharing method, device and system
CN112069479B (en) * 2020-08-04 2021-06-22 网思科技股份有限公司 Face data calling method and device based on block chain
CN112084536B (en) * 2020-09-01 2023-07-21 中国银行股份有限公司 Key storage method and device based on blockchain
CN112187767A (en) * 2020-09-23 2021-01-05 上海万向区块链股份公司 Multi-party contract consensus system, method and medium based on block chain
CN112511515B (en) * 2020-11-19 2023-03-10 成都无右区块链科技有限公司 Chain number cube for data chaining
CN114629901A (en) * 2020-12-14 2022-06-14 北京金山云网络技术有限公司 BaaS-based block chain data sharing method, device and equipment
CN112861147A (en) * 2021-01-28 2021-05-28 罗子尧 Medical big data sharing and analysis management system based on block chain and 5G
CN113468570A (en) * 2021-07-15 2021-10-01 湖北央中巨石信息技术有限公司 Private data sharing method based on intelligent contract
CN115514479A (en) * 2022-09-29 2022-12-23 致信互链(北京)科技有限公司 Data information processing method, device and equipment based on block chain

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090041249A1 (en) * 2007-04-09 2009-02-12 Tomonari Tanaka Method and system for managing a key for encryption or decryption of data
CN108462568A (en) * 2018-02-11 2018-08-28 西安电子科技大学 A kind of secure file storage and sharing method based on block chain
CN109144961A (en) * 2018-08-22 2019-01-04 矩阵元技术(深圳)有限公司 Authority sharing method and device
CN109768987A (en) * 2019-02-26 2019-05-17 重庆邮电大学 A kind of storage of data file security privacy and sharing method based on block chain
CN110224814A (en) * 2019-06-27 2019-09-10 深圳前海微众银行股份有限公司 A kind of block chain data sharing method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107273455B (en) * 2017-05-31 2020-12-18 深圳前海微众银行股份有限公司 Block chain data access method and device
CN108471404B (en) * 2018-02-28 2020-10-16 深圳市达仁基因科技有限公司 File sharing method and device, computer equipment and storage medium
CN109639753B (en) * 2018-10-26 2021-08-17 众安信息技术服务有限公司 Data sharing method and system based on block chain

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090041249A1 (en) * 2007-04-09 2009-02-12 Tomonari Tanaka Method and system for managing a key for encryption or decryption of data
CN108462568A (en) * 2018-02-11 2018-08-28 西安电子科技大学 A kind of secure file storage and sharing method based on block chain
CN109144961A (en) * 2018-08-22 2019-01-04 矩阵元技术(深圳)有限公司 Authority sharing method and device
CN109768987A (en) * 2019-02-26 2019-05-17 重庆邮电大学 A kind of storage of data file security privacy and sharing method based on block chain
CN110224814A (en) * 2019-06-27 2019-09-10 深圳前海微众银行股份有限公司 A kind of block chain data sharing method and device

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112910638A (en) * 2021-01-19 2021-06-04 上海布沁网络科技有限公司 Block chain system key retrieving method
CN113239376A (en) * 2021-05-14 2021-08-10 北京邮电大学 Data sharing method, request method and device based on block chain
CN113239376B (en) * 2021-05-14 2023-01-20 北京邮电大学 Data sharing method, request method and device based on block chain
CN113312647A (en) * 2021-06-23 2021-08-27 东北大学秦皇岛分校 Multi-agent data sharing method based on block chain storage
CN113392162B (en) * 2021-07-14 2022-09-23 上海旺链信息科技有限公司 Information sharing method, device, equipment and storage medium
CN113392162A (en) * 2021-07-14 2021-09-14 上海旺链信息科技有限公司 Information sharing method, device, equipment and storage medium
CN114124402A (en) * 2021-11-03 2022-03-01 国家工业信息安全发展研究中心 Distributed data secure exchange sharing method under resource-constrained environment
CN114124402B (en) * 2021-11-03 2024-05-14 国家工业信息安全发展研究中心 Distributed data security exchange sharing method under resource-limited environment
CN114528601A (en) * 2022-04-25 2022-05-24 中国工商银行股份有限公司 Access method and device based on block chain data, processor and electronic equipment
CN115277690A (en) * 2022-05-12 2022-11-01 安徽超清科技股份有限公司 Industrial data supervisory systems based on block chain
CN115114658A (en) * 2022-06-24 2022-09-27 深圳大学 Verifiable data transaction method, device, equipment and medium based on block chain
CN115114658B (en) * 2022-06-24 2024-04-05 深圳大学 Verifiable data transaction method, device, equipment and medium based on blockchain
CN115174590A (en) * 2022-06-28 2022-10-11 安徽科大国创慧联运科技有限公司 Logistics data sharing method and system based on block chain
CN115118734A (en) * 2022-07-11 2022-09-27 京东科技信息技术有限公司 File sharing method, device and equipment
CN115604035A (en) * 2022-12-13 2023-01-13 杭州城市大脑有限公司(Cn) City brain data sharing method based on alliance chain
CN115604035B (en) * 2022-12-13 2023-03-28 杭州城市大脑有限公司 City brain data sharing method based on alliance chain
CN117332395A (en) * 2023-11-23 2024-01-02 江西财经大学 Data management method and system for data sharing
CN117332395B (en) * 2023-11-23 2024-03-08 江西财经大学 Data management method and system for data sharing

Also Published As

Publication number Publication date
CN110224814A (en) 2019-09-10
CN110224814B (en) 2022-01-14

Similar Documents

Publication Publication Date Title
WO2020259635A1 (en) Method and apparatus for sharing blockchain data
CN109144961B (en) Authorization file sharing method and device
US11818262B2 (en) Method and system for one-to-many symmetric cryptography and a network employing the same
Barsoum et al. Enabling dynamic data and indirect mutual trust for cloud computing storage systems
Hota et al. Capability-based cryptographic data access control in cloud computing
WO2019214070A1 (en) Encryption method for user communication on block chain, apparatus, terminal device and storage medium
CN111523133B (en) Block chain and cloud data collaborative sharing method
JP2019531630A (en) Method and system for data security based on quantum communication and trusted computing
CN110289968B (en) Private key recovery method, collaborative address creation method, collaborative address signature device and storage medium
CN111130757A (en) Multi-cloud CP-ABE access control method based on block chain
US9800556B2 (en) Systems and methods for providing data security services
CN111526197B (en) Cloud data secure sharing method
JP6363032B2 (en) Key change direction control system and key change direction control method
CN104158880B (en) User-end cloud data sharing solution
US10887085B2 (en) System and method for controlling usage of cryptographic keys
CN108696518B (en) Block chain user communication encryption method and device, terminal equipment and storage medium
CN115242555A (en) Supervisable cross-chain private data sharing method and device
CN115495768A (en) Secret-related information processing method and system based on block chain and multi-party security calculation
CN105721146B (en) A kind of big data sharing method towards cloud storage based on SMC
WO2021098152A1 (en) Blockchain-based data processing method, device, and computer apparatus
TWI597960B (en) Key splitting
US11290277B2 (en) Data processing system
CN106257859A (en) A kind of password using method
Mohammed et al. Secure third party auditor (tpa) for ensuring data integrity in fog computing
US11973861B2 (en) Secure key generation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20831252

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 19/04/2022)

122 Ep: pct application non-entry in european phase

Ref document number: 20831252

Country of ref document: EP

Kind code of ref document: A1