CN110008736A - The method and node, storage medium of secret protection are realized in block chain - Google Patents

The method and node, storage medium of secret protection are realized in block chain Download PDF

Info

Publication number
CN110008736A
CN110008736A CN201910101449.XA CN201910101449A CN110008736A CN 110008736 A CN110008736 A CN 110008736A CN 201910101449 A CN201910101449 A CN 201910101449A CN 110008736 A CN110008736 A CN 110008736A
Authority
CN
China
Prior art keywords
block chain
key
chain node
transaction
intelligent contract
Prior art date
Application number
CN201910101449.XA
Other languages
Chinese (zh)
Inventor
闫莺
魏长征
Original Assignee
阿里巴巴集团控股有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 阿里巴巴集团控股有限公司 filed Critical 阿里巴巴集团控股有限公司
Priority to CN201910101449.XA priority Critical patent/CN110008736A/en
Publication of CN110008736A publication Critical patent/CN110008736A/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes

Abstract

This specification one or more embodiment provides the method and node, storage medium that secret protection is realized in a kind of block chain, and this method may include: that block chain node determines the corresponding intelligent contract of the transaction received;The block chain node executes the intelligent contract in credible performing environment;The block chain node is encrypted when storing implementing result with key, and the key is generated by the block chain node according to the security key and at least one impact factor for being stored in the credible performing environment.

Description

The method and node, storage medium of secret protection are realized in block chain

Technical field

This specification one or more embodiment is related to realizing in block chain technical field more particularly to a kind of block chain hidden The method and node, storage medium of private protection.

Background technique

Block chain technology constructs on transmission network (such as point to point network).Network node in transmission network utilizes Linked data structure is verified and storing data, and knows together algorithm using distributed node to generate and more new data.These areas Node in block chain network is sometimes for increase.

Technically maximum two challenges are exactly privacy and performance to the block platform chain of enterprise-level at present, and often the two are chosen War is difficult to solve simultaneously.Most solutions are all to exchange privacy for by losing performance, or less consider that privacy goes the property pursued Energy.The encryption technology of common solution privacy concern, as homomorphic cryptography (Homomorphic encryption) and Zero Knowledge are demonstrate,proved Complexities such as bright (Zero-knowledge proof) are high, poor universality, but also may bring serious performance loss.

In terms of solving privacy, credible performing environment (Trusted Execution Environment, TEE) is another Kind settling mode.TEE can play the role of the black box in hardware, the code and data operating system layer executed in TEE all without Method is peeped, and interface predetermined can just operate on it only in code.In terms of efficiency, due to the black box property of TEE, Carry out operation in TEE is clear data, rather than the complicated cryptography arithmetic in homomorphic cryptography, calculating process efficiency do not have Loss, thus combine with TEE the safety that block chain can be largely promoted under the premise of performance loss is lesser and Privacy.Industry very pays close attention to the scheme of TEE at present, and the chip and software league of nearly all mainstream have the TEE of oneself Solution, TPM (Trusted Platform Module, reliable platform module) and hardware side including software aspects Intel SGX (Software Guard Extensions, software protection extension), the ARM Trustzone (trusted domain) in face and AMD PSP (Platform Security Processor, platform safety processor).

Summary of the invention

In view of this, this specification one or more embodiment provide a kind of method that secret protection is realized in block chain and Node, storage medium.

To achieve the above object, it is as follows to provide technical solution for this specification one or more embodiment:

Secret protection is realized in a first aspect, proposing in a kind of block chain according to this specification one or more embodiment Method, comprising:

Block chain node determines the corresponding intelligent contract of the transaction received;

The block chain node executes the intelligent contract in credible performing environment;

The block chain node is encrypted when storing implementing result with key, the key by the block chain node according to Be stored in the credible performing environment security key and at least one impact factor and generate.

According to the second aspect of this specification one or more embodiment, proposes in a kind of block chain and realize secret protection Node, comprising:

Determination unit, for determining the corresponding intelligent contract of transaction received;

Execution unit, for executing the intelligent contract in credible performing environment;

Encryption unit, for being encrypted when storing implementing result with key, the key is by block chain node according to preservation In the credible performing environment security key and at least one impact factor and generate.

According to the third aspect of this specification one or more embodiment, a kind of computer readable storage medium is proposed, The step of being stored thereon with computer instruction, method as described in relation to the first aspect realized when which is executed by processor.

Detailed description of the invention

Fig. 1 is a kind of schematic diagram for creation intelligence contract that an exemplary embodiment provides.

Fig. 2 is a kind of schematic diagram for calling intelligence contract that an exemplary embodiment provides.

Fig. 3 is the schematic diagram of a kind of creation and the intelligent contract of calling that an exemplary embodiment provides.

Fig. 4 is the flow chart that the method for secret protection is realized in a kind of block chain of exemplary embodiment offer.

Fig. 5 is a kind of schematic diagram for processing block chain transaction that an exemplary embodiment provides.

Fig. 6 is the composition figure that the node of secret protection is realized in a kind of block chain of exemplary embodiment offer.

Specific embodiment

Example embodiments are described in detail here, and the example is illustrated in the accompanying drawings.Following description is related to When attached drawing, unless otherwise indicated, the same numbers in different drawings indicate the same or similar elements.Following exemplary embodiment Described in embodiment do not represent all embodiments consistent with this specification one or more embodiment.Phase Instead, they are only some aspects phases with the one or more embodiments of as detailed in the attached claim, this specification The example of consistent device and method.

It should be understood that the sequence that might not show and describe according to this specification in other embodiments executes The step of correlation method.In some other embodiments, step included by method can than described in this specification more It is more or less.In addition, single step described in this specification, may be broken down into other embodiments multiple steps into Row description;And multiple steps described in this specification, it may also be merged into single step progress in other embodiments Description.

Block chain is normally divided into three types: publicly-owned chain (Public Blockchain), privately owned chain (Private ) and alliance's chain (Consortium Blockchain) Blockchain.In addition, there are also a plurality of types of combinations, such as privately owned chain The different combinations such as+alliance chain, alliance's chain+publicly-owned chain.It is publicly-owned chain that wherein decentralization degree is highest.Publicly-owned chain with than Special coin, ether mill are representative, and the participant that publicly-owned chain is added can read data record on chain, participate in business and compete newly Book keeping operation power of block etc..Moreover, each participant's (i.e. node) freely can be added and exit network, and carry out relevant operation.It is private There is chain then on the contrary, the write-in permission of the network is by some tissue or mechanism controls, reading data permission is by organization prescribed.Simply For, privately owned chain can be weak center's system, and participating in node has stringent limitation and less.Such block chain is more It is suitable for using inside particular organization.Alliance's chain is then block chain between publicly-owned chain and privately owned chain, it can be achieved that " part Decentralization ".Each node usually has corresponding physical mechanism or tissue in alliance's chain;Participant is added by authorization Enter network and composition interests correlation alliance, it is common to safeguard the operation of block chain.

Whether publicly-owned chain, privately owned chain or alliance's chain may all provide the function of intelligent contract.Intelligence on block chain Contract is the contract that can be executed by transaction triggering on block catenary system.Intelligent contract can pass through the formal definition of code.

By taking ether mill as an example, user is supported to create in the network of ether mill and call the logic of some complexity, this is ether Mill is different from the ultimate challenge of bit coin block chain technology.Ether mill is ether mill void as the core of a programmable block chain Quasi- machine (EVM), each ether mill node can run EVM.EVM is the complete virtual machine of figure spirit, it means that can be with The logic of various complexity is realized by it.It is exactly to run on EVM that user, which issues in ether mill and call intelligent contract,.It is real On border, what virtual machine was directly run is virtual machine code (Virtual Machine bytecodes, lower abbreviation " bytecode ").It is deployed on block chain Intelligent contract can be the form of bytecode.

Such as shown in Fig. 1, after a transaction comprising the intelligent contract information of creation is sent ether mill network by Bob, section The EVM of point 1 can execute this and trade and generate corresponding contract example.What the data field of transaction saved can be byte Code, the to field of transaction are an empty account.After being reached an agreement between node by common recognition mechanism, this contract is successfully created, Subsequent user can call this contract.

Contract creation after, on block chain occur a contract account corresponding with the intelligence contract, and possess one it is specific Address, contract code and account storage will be stored in the contract account.The behavior of intelligent contract is controlled by contract code, and The account storage of intelligent contract then saves the state of contract.In other words, intelligent contract to generate on block chain comprising closing The about virtual account of code and account storage (Storage).

In addition, as shown in Fig. 2, Bob is by one comprising calling the transaction of intelligent contract information to send still by taking ether mill as an example To after the network of ether mill, the EVM of node 1 can execute this and trade and generate corresponding contract example.It trades in 2 in figure From field is the address for initiating to call the account of intelligent contract, and " 0x692a70d2 ... " in field represents called The address of intelligent contract, value field are the value of ether coin in ether mill, and the calling that the data field of transaction saves intelligently is closed Method and parameter about.After calling intelligent contract, the value of balance may change.Subsequent, some client can be by a certain Block chain node checks the current value of balance.

Intelligent contract can be executed by each node disjoint of the defined mode in block chain network, all execution Record and data are all stored on block chain, so just saving on block chain can not distort, no after the completion of such transaction The transaction certificate that can be lost.

It creates intelligent contract and calls the schematic diagram of intelligent contract as shown in Figure 3.An intelligence is created in ether mill to close About, it needs by writing intelligent contract, becoming bytecode, be deployed to the processes such as block chain.Intelligent contract is called in ether mill, is The transaction for being directed toward intelligent contract address is initiated, intelligent contract code operates in each node in the network of ether mill in a distributed manner Virtual machine in.

Below in conjunction with the realization for the embodiment of the method for illustrating to realize that contract calls in one block chain of this specification shown in Fig. 4 Journey:

Step 402, the first block chain node determines the corresponding intelligent contract of the transaction received.

In one embodiment, transaction can be committed to the first block chain node by client.For example, user is raw in client After the transaction, transaction is committed to by the first block chain node by the client.By taking Fig. 5 as an example, in the first block chain node Comprising transaction/query interface, which can dock with client, and client is submitted to the first block chain node and is handed over Easily.

The transaction can also be forwarded to the first block chain node by the second block chain node.For example, user is raw in client After the transaction, which is committed to by the second block chain node by the client;Then, the second block chain link point is further The transaction is forwarded to the first block chain node.By taking Fig. 5 as an example, above-mentioned interface can be docked with other block chain nodes, such as should Other block chain nodes may include the second above-mentioned block chain node, allow the second block chain node to the first block chain Node transmitted transaction.Similarly, the second block chain node can also be docked by the transaction/query interface of itself with client, with Receive the transaction that client is submitted.

Such as proved using proof of work (Proof of Work, POW) and equity (Proof of Stake, POS), equity is appointed to prove in the block chain network of the common recognition such as (Delegated Proof of Stake, DPOS) algorithm, second Block chain node is after the transaction for receiving client submission, other blocks of diffusion immediately (as broadcasted) into ether mill network Chain node.

Using practical Byzantine failure tolerance (Practical Byzantine Fault Tolerance, PBFT) for another example Etc. in the block chain network of mechanism, accounting nodes have been agreed upon before epicycle book keeping operation, so that the second block chain node is receiving After the transaction that client is submitted, if itself not being accounting nodes, which is sent to fixed accounting nodes, so that The accounting nodes transmit transaction (including the transaction) to each verifying node in the further common recognition stage.And when second It, can be with after other block chain link points receive the transaction of client submission when block chain node itself is fixed accounting nodes Transaction is forwarded to the second block chain node;Then, the second block chain node can common recognition the stage by above-mentioned transaction (or also Including other transaction) it transmits to each verifying node, including the first block chain node.

In one embodiment, the transaction can be labeled as, so that first by privacy transaction by the mark of transaction level Block chain node determines that the corresponding implementing result of the intelligent contract needs to store after encrypting.For example, can be added in transaction Type field allows the first block chain to identify type of transaction for transaction in plain text or privacy transaction accordingly.In the related art, Such as in the network of ether mill, transaction generally comprises the fields such as to, value, data.And the present embodiment is on the basis of the relevant technologies On, increase by a type field in transaction, for example be characterized as type field, and the value based on the type field, shows correlation The type of transaction;For example, showing relationship trading to trade in plain text, when type field is the when type field is the first value When two values, show relationship trading for privacy transaction.

In one embodiment, the intelligent contract can be labeled as by privacy processing type by the mark of contract rank, So that the first block chain node determines that the corresponding implementing result of the intelligent contract needs to store after encrypting.For example, can in transaction There is the processing type to the intelligent contract mark of required calling, the first block chain node is got the bid for the transaction The processing type of note uses corresponding processing operation to the intelligent contract that the transaction is called.For example, in the code of intelligent contract It may include a type field, the first block chain node contained type field can take in the code based on each intelligent contract Value determines that the intelligence contract is privacy processing type or handles type in plain text;For another example, the intelligent contract of privacy processing type In may include privacy identifier, in plain text processing type intelligent contract can not include the privacy identifier;For another example, in plain text The intelligent contract of processing type may include plaintext identifier, the intelligent contract of privacy processing type can not include the plaintext and mark Know symbol;Correspondingly, the first block chain node can be based on above-mentioned difference, distinguish the intelligent contract of different disposal type.

In one embodiment, when the transaction is in encrypted state, the first block chain node can be in credible execution ring The decryption transaction in border (Trusted Execution Environment, TEE).TEE is that the safety based on CPU hardware expands Exhibition, and the credible performing environment completely isolated with outside.TEE is the concept proposed by Global Platform earliest, for solving Certainly in mobile device resource security isolation, be parallel to operating system and credible and secure performing environment be provided for application program.ARM Trust Zone technology realize the TEE technology of real commercialization earliest.

Along with the high speed development of internet, safe demand is higher and higher, is not limited only to mobile device, cloud device, Data center all proposes more demands to TEE.The concept of TEE has also obtained the development and expansion of high speed.Now described TEE is compared to the TEE for the concept initially proposed being more broad sense.For example, server chips manufacturer Intel, AMD etc. are first It is proposed the TEE of hardware auxiliary afterwards and enriches the concept and characteristic of TEE, is had been widely recognized in industry.It mentions now The TEE risen usually more refers to the TEE technology of this kind of hardware auxiliary.Different from mobile terminal, cloud access needs to remotely access, terminal User is invisible to hardware platform, therefore seeks to the genuine and believable of confirmation TEE using the first step of TEE.Therefore present TEE Technology all introduces remote proving mechanism, is endorsed by hardware vendor (mainly CPU manufacturer) and is ensured by digital signature technology User can verify that TEE state.It is simultaneously only the demand for security that the resource isolation of safety is also unable to satisfy, further data Secret protection is also suggested.Including Intel SGX, the commercial TEE including AMD SEV also both provides memory encryption technology, will Reliable hardware is limited to inside CPU, and the data of bus and memory are that ciphertext prevents malicious user from being spied upon.For example, Ying Te Your software protection extends code execution, remote proving, security configuration, the secure storage of data such as (SGX) TEE technology insulation And the trusted path for executing code.The application program run in TEE is kept safe, as a consequence it is hardly possible to by third Side's access.

By taking Intel SGX technology as an example, SGX provides enclosure (enclave, also referred to as enclave), i.e., one adds in memory Close credible execution region, protects data not to be stolen by CPU.By taking the first block chain node is using the CPU for supporting SGX as an example, Using newly-increased processor instruction, a part of region EPC (Enclave Page Cache, enclosure page can be distributed in memory Face caching or enclave page cache), by the crypto engine MEE (Memory Encryption Engine) in CPU to wherein Data encrypted.The content encrypted in EPC, which only enters after CPU, can just be decrypted into plain text.Therefore, in SGX, user It can distrust operating system, VMM (Virtual Machine Monitor, monitor of virtual machine), even BIOS (Basic Input Output System, basic input output system), it is only necessary to trust CPU just and can ensure that private data will not leak. It in practical application, is transferred in enclosure after private data being encrypted with ciphertext form, and will be corresponding by remote proving Code key is also passed to enclosure.Then, operation is carried out using data under the encipherment protection of CPU, as a result can be returned with ciphertext form.This Under kind mode, powerful calculating power not only can use, but also do not have to concern of data and leak.

It is assumed that above-mentioned transaction is generated by user in a certain client, which can be firstly generated in transaction in plain text Hold, then encrypts the plaintext transaction content with key.The encryption can use symmetric cryptography, can also use asymmetric Encryption.Correspondingly, the first block chain node can decrypt the transaction with corresponding key, to obtain plaintext transaction content.Such as Fruit client symmetric cryptography mode encrypts plaintext transaction content with the private key of symmetric encipherment algorithm, then correspondingly, first Block chain node can decrypt the transaction with the private key of the symmetric encipherment algorithm.The Encryption Algorithm that symmetric cryptography uses, example DES algorithm in this way, 3DES algorithm, TDEA algorithm, Blowfish algorithm, RC5 algorithm, IDEA algorithm etc..Symmetric encipherment algorithm Key, such as can be and negotiate to determine by client and the first block chain node.

If encrypted with the public key of rivest, shamir, adelman to plaintext transaction content, then phase with asymmetric encryption mode Ying Di, the first block chain node can decrypt the transaction with the private key of the rivest, shamir, adelman.Rivest, shamir, adelman, E.g. RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC (elliptic curve encryption algorithm) etc..Rivest, shamir, adelman Key, such as can be and a pair of of public key and private key are generated by the first block chain node, and public key is sent to before step 402 The client, so that client described in step 402 can encrypt plaintext transaction content with key.

The key of rivest, shamir, adelman can also be generated by a Key Management server.Pass through the side of remote proving Private key is sent to the first block chain node by formula, Key Management server, specifically, can be incoming first block chain node In enclosure.First block chain node may include multiple enclosures, and the safety that above-mentioned private key can be passed into these enclosures is enclosed Circle;For example, the safe enclosure can be QE (Quoting Enclave) enclosure, rather than AE (Application Enclave) encloses Circle.For the public key of asymmetric encryption, the client can be sent to by Key Management server.Thus in step 402, The client can use the public key encryption plaintext transaction content, and correspondingly, the first block chain node can use the private key solution The close transaction, to obtain the plaintext transaction content that the transaction includes.

Client can also be in such a way that symmetric cryptography combination asymmetric encryption combines.For example, client use pair Claim Encryption Algorithm encrypting plaintext transaction content, that is, uses the private key encryption plaintext transaction content of symmetric encipherment algorithm, and with non-right Claim the private key used in Encryption Algorithm cryptographic symmetrical Encryption Algorithm.In general, using the public key encryption pair of rivest, shamir, adelman Claim the private key used in Encryption Algorithm.In this way, after the first block chain node receives the transaction of encryption, it can be first using asymmetric The private key of Encryption Algorithm is decrypted, and obtains the private key of symmetric encipherment algorithm, and then decrypted with the private key of symmetric encipherment algorithm To plaintext transaction content.

For example, the private key of rivest, shamir, adelman can be sent to the firstth area by remote proving by Key Management server The enclosure of block chain node, and the public key of rivest, shamir, adelman is sent to the client.Thus, the client can adopt With symmetric cryptography mode encrypting plaintext transaction content, that is, the private key encryption plaintext transaction content of symmetric encipherment algorithm is used, is used in combination The private key used in the public key encryption symmetric encipherment algorithm of rivest, shamir, adelman.In turn, the client can be by the friendship Easily (obtained after being encrypted by the public key of rivest, shamir, adelman to the private key used in the symmetric encipherment algorithm with encryption key To) it is sent to the first block chain node.It, can be first with non-right after first block chain node receives the transaction and encryption key Claim the private key of Encryption Algorithm that the encryption key is decrypted to obtain the private key of symmetric encipherment algorithm, and then is calculated with the symmetric cryptography The private key of method decrypts the transaction, obtains plaintext transaction content.Here cipher mode is commonly referred to as digital envelope encryption.

Step 404, the first block chain node executes the intelligent contract in credible performing environment.

In one embodiment, for creating intelligent contract, which may include the code of intelligent contract for the transaction.The One block chain node is completed by the code of the contained intelligent contract of the execution transaction in credible performing environment to intelligent contract Creation.

In one embodiment, for calling intelligent contract, which may include called intelligent contract for the transaction Contract address.First block chain node is according to the contract address of the contained intelligent contract of transaction, to the generation of corresponding intelligent contract Code is called.If called intelligent contract is plaintext contract, i.e. the code of the intelligence contract is stored in plaintext version External memory space, the first block chain node, which can directly read in the plaintext code in credible performing environment, to be executed;Such as The called intelligent contract of fruit is privacy contract, i.e. the code of the intelligence contract is stored in external memory space with ciphertext form, First block chain node the ciphertext code can be decrypted according to the key pair saved in credible performing environment, and hold credible The plaintext code obtained in row environment for decryption is executed.

Step 406, the first block chain node is encrypted when storing implementing result with key, and the key is by the first block chain Node is generated according to the security key and at least one impact factor for being stored in the credible performing environment.

In one embodiment, the first block chain node generates key according to security key and at least one impact factor, with For being encrypted to the implementing result of transaction so that the data stored on the first block chain node using differentiation key into Row encryption can protect the data of the first block chain node storage from smaller particle size, be protected with obtaining more preferably safety Shield.It is all made of identical security key compared to the implementing result of All Activity to be encrypted, the above scheme of this specification increases Used number of keys is added, even if so that also can only expose added by this key after a certain key broken through by criminal Close data still are able to guarantee other overwhelming majority as long as the security key being located in credible performing environment is not stolen The safety of data.

Meanwhile when criminal grasps a certain value and is A, the use of the ciphertext after secure key encryption is a, if all The corresponding implementing result of intelligent contract is all made of security key and is encrypted, then other contract states for being a for ciphertext, no Method molecule can deduce other contract states value be A, and if using differentiation in this specification key, can keep away Exempt from criminal and speculate based on ciphertext value the plaintext value of contract state.

In one embodiment, the first block chain node can splice security key and at least one impact factor Afterwards, Hash calculation carried out to concatenation information, and by a part of the cryptographic Hash being calculated or the cryptographic Hash (such as first 128 Or other parts) it is used as the key, it is encrypted with the plaintext implementing result for transaction, obtains corresponding ciphertext and execute knot Fruit.

In one embodiment, security key can be the key of symmetric cryptography, e.g. seal (Simple Encrypted Arithmetic Library) key.The seal key, for example, can be by after remote proving by Key Management server It is sent to the first block chain node, then for example can be each node (such as the first block chain node and other areas in block chain Block chain node) between negotiate to obtain.The security key can be stored in the enclosure of the first block chain node.First block Chain node may include multiple enclosures, and above-mentioned security key can be passed into the safe enclosure in these enclosures;For example, the peace Full enclosure can be QE enclosure, rather than AE enclosure.

When generating above-mentioned key, quantity, the type of the impact factor of use are unrestricted.By selecting different influences The secret protection of different stage may be implemented in combination between the factor or impact factor, to meet corresponding secret protection demand.

In one embodiment, impact factor may include: the contract address of the intelligent contract.When transaction is for creating intelligence Can contract when, the first block chain node can execute intelligent contract by the code of the execution transaction intelligent contract for including Creation operation, and determine the information of contract address corresponding to the intelligence contract, thus according to security key and the contract address Information generate the key, encrypted by the intelligent contract that the key pair is created.When transaction is for calling intelligent conjunction When about, the contract address for the intelligent contract that the first block chain node is called by acquisition, by the contract address and security key It is generated as the key, is encrypted with the contract state that the intelligent contract being called by the key pair is related to.

Correspondingly, when user A initiates transaction R1, R2 relevant to intelligence and about S1, intelligent and about S2 respectively, the firstth area For block chain node after executing intelligence and about S1 in response to transaction R1, the contract address using security key and intelligence and about S1 is raw It is encrypted at corresponding key K1, and the first block chain node uses after executing intelligence and about S2 in response to transaction R2 Security key key K2 corresponding with the contract address generation of intelligence and about S2 is encrypted.So, even if key K1 is broken, Using the data of key K2 encryption still in safe condition.Meanwhile even if the state value Z1 and transaction R2 that transaction R1 is related to is related to And state value Z2 plaintext it is identical, but due to use differentiation key K1, K2 so that state value Z1 it is corresponding plus It is not identical between data Z1m, the corresponding encrypted data Z2m of state value Z2 after close, thus encrypted data can not be passed through The value of Z1m, Z2m carry out the value relationship between speculative status value Z1, Z2.Similarly, when the friendship that different user is initiated respectively When easily corresponding to different intelligent contracts, also the key of available differentiation, specific situation can refer to above-mentioned example.

In one embodiment, impact factor may include: the account address of the contract founder of the intelligent contract.Work as conjunction About founder submits a transaction when creating intelligent contract, to block chain, and the from field of the transaction is contract founder Account address, to field be code empty, that data field includes intelligent contract, contract founder can be known from from field Account address.In turn, the account address that can be recorded according to security key and from field generates the key, with for pair The implementing result of the transaction of the intelligence contract is called to be encrypted.Although same contract founder can create multiple intelligence and close About, but all users (or at least more than one user) can create intelligent contract on block chain, thus still at least Key differentiation is realized between the intelligent contract for enabling to different user to create, and reduces the risk of leaking data.

Correspondingly, when user B initiates transaction R3, R4 relevant to intelligence and about S3, intelligent and about S4 respectively, the firstth area Block chain node is after executing intelligence and about S3 in response to transaction R3, using the contract founder of security key and intelligence and about S3 Account address generate corresponding key K3 and encrypted, and the first block chain node is executing intelligent conjunction in response to transaction R4 After about S4, added using security key key K4 corresponding with the account address generation of contract founder of intelligence and about S4 It is close.So, even if key K3 is broken, using the data of key K4 encryption still in safe condition.Meanwhile even if transaction R3 is related to And state value Z3 it is identical as the plaintext of state value Z4 that is related to of transaction R4, but the key K3 due to using differentiation, K4, so that not phase between the corresponding encrypted data Z3m of state value Z3, the corresponding encrypted data Z4m of state value Z4 It together, thus can not be by the value of encrypted data Z3m, Z4m come the value relationship between speculative status value Z3, Z4.It is similar Ground, when the transaction that different user is initiated respectively corresponds to the intelligent contract of different user creation, also available differentiation Key, specific situation can refer to above-mentioned example.

In one embodiment, impact factor may include: the code cryptographic Hash of the intelligent contract.When different intelligence is closed When about for realizing different functions, contained code also certainly exists more or less difference, so that code cryptographic Hash is completely not Together;Even if if having, different user is write or even same user is in different moments for realizing the intelligent contract of identical function It is write, contained code can also have at least part difference, so that code cryptographic Hash is entirely different.Therefore, it is based on code The difference of cryptographic Hash enables different intelligent contract to correspond to entirely different key.So, contract address is used with above-mentioned Embodiment it is similar, can be in the generation for trading corresponding intelligent contract when transaction is for creating or calling intelligent contract When code cryptographic Hash difference, transaction implementing result is encrypted based on different keys.

Correspondingly, when user C initiates transaction R5, R6 relevant to intelligence and about S5, intelligent and about S6 respectively, the firstth area Block chain node is after executing intelligence and about S5 in response to transaction R5, using the code cryptographic Hash of security key and intelligence and about S5 Corresponding key K5 is generated to be encrypted, and the first block chain node is adopted after executing intelligence and about S6 in response to transaction R6 It is encrypted with security key key K6 corresponding with the code cryptographic Hash generation of intelligence and about S6.So, even if key K5 quilt It breaks through, using the data of key K6 encryption still in safe condition.Meanwhile even if trading the state value Z5 and transaction that R5 is related to The plaintext for the state value Z6 that R6 is related to is identical, but key K5, K6 due to using differentiation, so that state value Z5 is corresponding The corresponding encrypted data Z6m of encrypted data Z5m, state value Z6 between it is not identical, thus can not by encryption after The value of data Z5m, Z6m carrys out the value relationship between speculative status value Z5, Z6.Similarly, when different user is initiated respectively Transaction when corresponding to the different intelligent contracts of code, also the key of available differentiation, specific situation can refer to above-mentioned Example.

In one embodiment, impact factor may include: the account address of the initiator of the transaction.When initiating direction the When one block chain node initiates transaction, the from field of the transaction is the account address of initiator, i.e., the first block chain node can To know the account address of initiator from the from field of transaction, to be used for key corresponding with security key generation.By adopting Use the account address of the initiator of transaction as impact factor, even if so that different user is called same intelligent contract When, the account address difference due to initiator is also used to the key of differentiation.Therefore, the account of the initiator based on transaction The difference of address, even if so that identical intelligence contract can also correspond to entirely different key.

Correspondingly, when user D, user E initiate transaction R7, R8 relevant to intelligence and about S7 respectively, the first block chain Node is corresponding with the generation of the account address of user D using security key after executing intelligence and about S7 in response to transaction R7 Key K7 is encrypted, and the first block chain node is being executed in response to transaction R8 intelligently and after about S7, using security key Key K8 corresponding with the generation of the account address of user E is encrypted.So, even if key K7 is broken, added using key K8 Close data are still in safe condition.Meanwhile the even if state value that the state value Z7 and transaction R8 that transaction R7 is related to are related to The plaintext of Z8 is identical, but key K7, K8 due to using differentiation, so that the corresponding encrypted data Z7m of state value Z7, It is not identical between the corresponding encrypted data Z8m of state value Z8, thus the value of encrypted data Z7m, Z8m can not be passed through Carry out the value relationship between speculative status value Z7, Z8.Similarly, when what different user was initiated respectively trades corresponding to different When intelligent contract, also the key of available differentiation, specific situation can refer to above-mentioned example.

In one embodiment, the conjunction of contract address, the intelligent contract that shadow may include: the intelligent contract is influenced About the account address of founder, the code cryptographic Hash of the intelligent contract, the transaction initiator account address between Combination, for example simultaneously include any the two, simultaneously comprising any three, simultaneously comprising four etc..It is possible to by will be safe Key and each influence shadow carry out after successively splicing, and generate the key.

For example, when influencing shadow includes contract address and code cryptographic Hash, unless same intelligent contract is called, Even if otherwise the code of two intelligent contracts is identical, different keys can also be generated by the difference of contract address.

For another example when influencing shadow includes account address and the code cryptographic Hash of contract founder, unless to same intelligence Energy contract is called, even if the multiple intelligent contracts otherwise created by same user, can also pass through the difference of code cryptographic Hash It is different and generate different keys, even if the code cryptographic Hash phase of multiple intelligent contracts that is respectively created of multiple contract founders Together, different keys can also be generated by the difference of the account address of contract founder.

In another example when impact factor include contract address, transaction initiator account address when, unless by same initiation Policy is called same intelligent contract, even if being otherwise directed to different intelligent contracts by same initiator, or by difference Initiator initiates to call for same intelligent contract, also can produce different keys.

First block chain node can use the processor instruction increased newly in CPU, can distribute a part of area in memory Domain EPC carries out encryption to above-mentioned plaintext code by the crypto engine MEE in CPU and is stored in the EPC.It is encrypted in EPC Content is decrypted into plain text after entering CPU.In CPU, operation is carried out to the code of the plaintext, completes implementation procedure.

In SGX technology, the code of the intelligent contract is executed, EVM can be loaded into the enclosure.In remote proving In the process, the Key Management server can calculate the hash value of local EVM code, and with loaded in the first block chain node The hash value of EVM code compare, comparison result is correctly as by a necessary condition of remote proving, so that completion is to the The measurement of the code of one block chain node SGX enclosure load.Through excess vol, correct EVM can execute the intelligence in SGX Contract code.

In general, the contract state can change after CPU executes the plaintext code.Contract state is stored in area Block chain is that database, such as local database is written in the contract state from the angle of block chain node.The database, It is generally stored among storage medium, more common is persistent storage medium.The persistent storage medium, can be magnetic Disk, floppy disk are also possible to the memory etc that can restore data after being powered so as to persistent storage.

The operation that database is written, if being indicated with code, such as setstorage (key, ENC (value, secret_ key)).In setstorage (key, ENC (value, secret_key)), key (key) can be with traditional key writing mode phase Together.As for the write-in of value, Intel SGX technology can be used, ENC indicates that enclave, secret_key indicate to use SGX The key used when database is written in technology, the key are raw by security key and at least one impact factor in the present specification At.

In one embodiment, after the first block chain node obtains plaintext implementing result in credible performing environment, with described The plaintext implementing result is encrypted as ciphertext implementing result by key, and is exported the ciphertext from the credible performing environment and held Row result;First block chain node except the credible performing environment by executing store function code, by the ciphertext Implementing result is stored to the external memory space except the credible performing environment.

First block chain node is by running the code for realizing a certain function, to realize the function.Therefore, for needing The function to realize in credible performing environment also needs to execute correlative code.And for being executed in credible performing environment Code, need to meet the related specifications and requirement of credible performing environment;Accordingly in the related technology for realizing a certain The code of function needs the specification and requirement in conjunction with credible performing environment to re-start written in code, and there is only relatively bigger Exploitation amount, and be easy during rewriting generate loophole (bug), influence function realization reliability and stability.

Therefore, the first block chain node is by being encrypted as ciphertext implementing result by key for plaintext implementing result, and is somebody's turn to do Ciphertext implementing result is only decrypted by credible performing environment, it can be ensured that ciphertext implementing result safe enough itself. On this basis, the first block chain node, will be described close by executing store function code except the credible performing environment Literary implementing result is stored to the external memory space except the credible performing environment, and the store function code is allowed to be phase Code is re-started in the technology of pass for realizing the code of store function, the specification and requirement not needed in conjunction with credible performing environment It writes, can realize safe and reliable storage for the ciphertext implementing result, can not only not influence safe and reliable degree On the basis of, the exploitation amount of correlative code is reduced, and TCB can be reduced by reducing the correlative code of credible performing environment (Trusted Computing Base, trusted computing base), so that during TEE technology and block chain technology are combined, Security risk caused by additional is in controlled range.

In one embodiment, the first block chain node can execute write buffer function code in credible performing environment, with The plaintext implementing result is stored in the write buffer in the credible performing environment, for example the write buffer can correspond to such as figure " caching " shown in 5.Further, the first block chain node by after the data encryption in the write buffer from the credible execution Environment output, to store to the external memory space.Wherein, the write buffer function code can be stored in plaintext version In the credible performing environment, the caching function code of the plaintext version can be directly executed in credible performing environment;Or, institute Stating write buffer function code can be stored in except the credible performing environment with ciphertext form, for example be stored in above-mentioned outside The write buffer function code of the ciphertext form can be read in credible hold by memory space (such as " memory space " shown in fig. 5) Row environment is decrypted as plaintext code in credible performing environment, and executes the plaintext code.

Write buffer refers to when writing data into external memory space, in order to avoid causing " the punching to external memory space Hit " and " buffering " mechanism of offer.For example, can realize above-mentioned write buffer using buffer;Certainly, write buffer can also adopt It is realized with cache, this specification is limited not to this.In fact, due to the safety collar that credible performing environment is isolation Border, and external memory space is located at except credible performing environment, so that by using write buffer mechanism, it can be to the number in caching External memory space is written according to batch is carried out, so that the interaction times between credible performing environment and external memory space are reduced, Promote data storage efficiency.Meanwhile credible performing environment is during constantly executing each intelligent contract, it may be necessary to transfer Generated data (such as value of contract state) can be directly from writing if the data that need to be called are located exactly in write buffer It reads the data in caching, on the one hand can reduce the interaction between external memory space in this way, on the other hand eliminate pair From the decrypting process of external memory space data streams read, to be lifted at the data-handling efficiency in credible performing environment.

It is of course also possible to write buffer is built on except credible performing environment, for example the first block chain node can be can Believe and execute write buffer function code except performing environment, so that the ciphertext implementing result is stored in outside the credible performing environment Write buffer in, and further the data in the write buffer are stored to the external memory space.

In one embodiment, the inquiry request that the first block chain node can be initiated according to client, holds the plaintext It is exported after the encryption of row result from credible performing environment, to be back to the client.

For example, the first block chain node can read the ciphertext implementing result from the external memory space, by institute The decryption of ciphertext implementing result is stated the credible performing environment to be read in, then being held to the plaintext after the plaintext implementing result It is exported after the encryption of row result from credible performing environment, for example is returned and encrypted to client by transaction/query interface shown in fig. 5 Plaintext implementing result afterwards.

For another example the first block chain node can read the plaintext from the read buffer in credible performing environment executes knot Fruit, and exported to after plaintext implementing result encryption from credible performing environment;Wherein, the plaintext implementing result is by the firstth area Block chain node executes read buffer function code in credible performing environment in advance, reads from the external memory space described close Literary implementing result decrypts the ciphertext implementing result to read in the credible performing environment simultaneously after the plaintext implementing result It is stored in the read buffer.In other words, the first block chain node reads the ciphertext from the external memory space and executes knot Fruit decrypts the ciphertext implementing result for after the plaintext implementing result, can be by executing reading in credible performing environment The plaintext implementing result is stored in the read buffer in credible performing environment by caching function code, for example the read buffer can be right It should be in " caching " shown in fig. 5;Further, the inquiry request initiated for client, or exist for credible performing environment Data required when intelligent contract are executed, reading data can be preferentially carried out from the read buffer, if it can read related data Without being read from external memory space, to reduce and the interaction times of external memory space, release data decrypting process.

Read buffer refers to after data are read in credible performing environment from external memory space, in order to reduce and external storage The data read can be stored in the read buffer space in credible performing environment by the interaction times in space with plaintext version It is interior.For example, can realize above-mentioned read buffer using cache;Certainly, read buffer can also be realized using buffer, this theory Bright book is limited not to this.

First block chain node can support above-mentioned read buffer mechanism and write buffer mechanism simultaneously.And with caching technology Continuous development, same caching can be applied not only to realize reading data or data write-in, it might even be possible to while support data Read-write operation, so that the boundary line between read buffer and write buffer is not sometimes very clear, thus only with " caching " progress in Fig. 5 Signal, and its concrete type is not distinguished specifically, it can be configured and be adjusted according to actual needs.

The node embodiment that secret protection is realized in a kind of block chain of this specification is introduced below in conjunction with Fig. 6, comprising:

Determination unit 601, for determining the corresponding intelligent contract of transaction received;

Execution unit 602, for executing the intelligent contract in credible performing environment;

Encryption unit 603, for being encrypted when storing implementing result with key, the key is by block chain node according to guarantor Be stored in the credible performing environment security key and at least one impact factor and generate.

Optionally, the security key includes seal key.

Optionally, the seal key is after the SGX of the block chain node passes through remote proving by cipher key management services Device is sent;Or, the seal key between the block chain node and other block chain nodes by negotiating to obtain.

Optionally, the security key is stored in the enclosure of the block chain node.

Optionally, there are several enclosures, the security key to be stored in safe enclosure for the block chain node.

Optionally, the safe enclosure includes QE enclosure.

Optionally, the impact factor includes at least one of: the contract address of the intelligence contract, the intelligence are closed The account address of contract founder about, the code cryptographic Hash of the intelligent contract, the transaction initiator account address.

Optionally, the transaction is that encrypted privacy is traded, so that the block chain node is when storing implementing result It is encrypted with key;Or, the intelligent contract is labeled as privacy processing type by the transaction, so that the block chain node is being deposited It is encrypted when storing up implementing result with key.

Optionally, the transaction is for creating or calling intelligent contract.

Optionally, it is described transaction encrypted by the private key of symmetric encipherment algorithm, the block chain node with it is described symmetrically The private key of Encryption Algorithm is to the plaintext transaction content traded and be decrypted;Or, the transaction is calculated by asymmetric encryption The public key of method is encrypted, and the transaction is decrypted in the private key of the block chain node rivest, shamir, adelman To the plaintext transaction content.

Optionally, the transaction is encrypted by the private key of symmetric encipherment algorithm, and the private key of the symmetric encipherment algorithm It is encrypted by the public key of rivest, shamir, adelman;The block chain node is decrypted with the private key of the rivest, shamir, adelman To the private key of the symmetric encipherment algorithm, and with the private key of the symmetric encipherment algorithm transaction is decrypted to obtain described Plaintext transaction content.

Optionally, the private key of the symmetric encipherment algorithm is negotiated by the initiator of the transaction and the block chain node It obtains, or sends to obtain by Key Management server.

Optionally, the private key of the rivest, shamir, adelman is sent to described by Key Management server by remote proving The public key of the rivest, shamir, adelman is sent to the initiator of the privacy transaction by the enclosure of block chain node.

It optionally, will with the key after the block chain node obtains plaintext implementing result in credible performing environment The plaintext implementing result is encrypted as ciphertext implementing result, and exports the ciphertext from the credible performing environment and execute knot Fruit;The block chain node is executed the ciphertext by executing store function code except the credible performing environment As a result it stores to the external memory space except the credible performing environment.

In the 1990s, the improvement of a technology can be distinguished clearly be on hardware improvement (for example, Improvement to circuit structures such as diode, transistor, switches) or software on improvement (improvement for method flow).So And with the development of technology, the improvement of current many method flows can be considered as directly improving for hardware circuit. Designer nearly all obtains corresponding hardware circuit by the way that improved method flow to be programmed into hardware circuit.Cause This, it cannot be said that the improvement of a method flow cannot be realized with hardware entities module.For example, programmable logic device (Programmable Logic Device, PLD) (such as field programmable gate array (Field Programmable Gate Array, FPGA)) it is exactly such a integrated circuit, logic function determines device programming by user.By designer Voluntarily programming comes a digital display circuit " integrated " on a piece of PLD, designs and makes without asking chip maker Dedicated IC chip.Moreover, nowadays, substitution manually makes IC chip, this programming is also used instead mostly " is patrolled Volume compiler (logic compiler) " software realizes that software compiler used is similar when it writes with program development, And the source code before compiling also write by handy specific programming language, this is referred to as hardware description language (Hardware Description Language, HDL), and HDL is also not only a kind of, but there are many kind, such as ABEL (Advanced Boolean Expression Language)、AHDL(Altera Hardware Description Language)、Confluence、CUPL(Cornell University Programming Language)、HDCal、JHDL (Java Hardware Description Language)、Lava、Lola、MyHDL、PALASM、RHDL(Ruby Hardware Description Language) etc., VHDL (Very-High-Speed is most generally used at present Integrated Circuit Hardware Description Language) and Verilog.Those skilled in the art also answer This understands, it is only necessary to method flow slightly programming in logic and is programmed into integrated circuit with above-mentioned several hardware description languages, The hardware circuit for realizing the logical method process can be readily available.

Controller can be implemented in any suitable manner, for example, controller can take such as microprocessor or processing The computer for the computer readable program code (such as software or firmware) that device and storage can be executed by (micro-) processor can Read medium, logic gate, switch, specific integrated circuit (Application Specific Integrated Circuit, ASIC), the form of programmable logic controller (PLC) and insertion microcontroller, the example of controller includes but is not limited to following microcontroller Device: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicone Labs C8051F320 are deposited Memory controller is also implemented as a part of the control logic of memory.It is also known in the art that in addition to Pure computer readable program code mode is realized other than controller, can be made completely by the way that method and step is carried out programming in logic Controller is obtained to come in fact in the form of logic gate, switch, specific integrated circuit, programmable logic controller (PLC) and insertion microcontroller etc. Existing identical function.Therefore this controller is considered a kind of hardware component, and to including for realizing various in it The device of function can also be considered as the structure in hardware component.Or even, it can will be regarded for realizing the device of various functions For either the software module of implementation method can be the structure in hardware component again.

System, device, module or the unit that above-described embodiment illustrates can specifically realize by computer chip or entity, Or it is realized by the product with certain function.It is a kind of typically to realize that equipment is computer.Specifically, computer for example may be used Think personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media play It is any in device, navigation equipment, electronic mail equipment, game console, tablet computer, wearable device or these equipment The combination of equipment.

For convenience of description, it is divided into various units when description apparatus above with function to describe respectively.Certainly, implementing this The function of each unit can be realized in the same or multiple software and or hardware when specification.

It should be understood by those skilled in the art that, the embodiment of the present invention can provide as method, system or computer program Product.Therefore, complete hardware embodiment, complete software embodiment or reality combining software and hardware aspects can be used in the present invention Apply the form of example.Moreover, it wherein includes the computer of computer usable program code that the present invention, which can be used in one or more, The computer program implemented in usable storage medium (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.) produces The form of product.

The present invention be referring to according to the method for the embodiment of the present invention, the process of equipment (system) and computer program product Figure and/or block diagram describe.It should be understood that every one stream in flowchart and/or the block diagram can be realized by computer program instructions The combination of process and/or box in journey and/or box and flowchart and/or the block diagram.It can provide these computer programs Instruct the processor of general purpose computer, special purpose computer, Embedded Processor or other programmable data processing devices to produce A raw machine, so that being generated by the instruction that computer or the processor of other programmable data processing devices execute for real The device for the function of being specified in present one or more flows of the flowchart and/or one or more blocks of the block diagram.

This specification can describe in the general context of computer-executable instructions executed by a computer, such as journey Sequence module.Generally, program module include routines performing specific tasks or implementing specific abstract data types, programs, objects, Component, data structure etc..This specification can also be practiced in a distributed computing environment, in these distributed computing environment In, by executing task by the connected remote processing devices of communication network.In a distributed computing environment, program module It can be located in the local and remote computer storage media including storage equipment.

These computer program instructions, which may also be stored in, is able to guide computer or other programmable data processing devices with spy Determine in the computer-readable memory that mode works, so that it includes referring to that instruction stored in the computer readable memory, which generates, Enable the manufacture of device, the command device realize in one box of one or more flows of the flowchart and/or block diagram or The function of being specified in multiple boxes.

These computer program instructions also can be loaded onto a computer or other programmable data processing device, so that counting Series of operation steps are executed on calculation machine or other programmable devices to generate computer implemented processing, thus in computer or The instruction executed on other programmable devices is provided for realizing in one or more flows of the flowchart and/or block diagram one The step of function of being specified in a box or multiple boxes.In a typical configuration, computer includes at one or more Manage device (CPU), input/output interface, network interface and memory.

Memory may include the non-volatile memory in computer-readable medium, random access memory (RAM) and/or The forms such as Nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM).Memory is computer-readable medium Example.

Computer-readable medium includes permanent and non-permanent, removable and non-removable media can be by any method Or technology come realize information store.Information can be computer readable instructions, data structure, the module of program or other data. The example of the storage medium of computer includes, but are not limited to phase change memory (PRAM), static random access memory (SRAM), moves State random access memory (DRAM), other kinds of random access memory (RAM), read-only memory (ROM), electric erasable Programmable read only memory (EEPROM), flash memory or other memory techniques, read-only disc read only memory (CD-ROM) (CD-ROM), Digital versatile disc (DVD) or other optical storage, magnetic cassettes, disk storage, quantum memory, based on graphene Storage medium or other magnetic storage devices or any other non-transmission medium, can be used for storing can be accessed by a computing device Information.As defined in this article, computer-readable medium does not include temporary computer readable media (transitory media), Such as the data-signal and carrier wave of modulation.

It should also be noted that, the terms "include", "comprise" or its any other variant are intended to nonexcludability It include so that the process, method, commodity or the equipment that include a series of elements not only include those elements, but also to wrap Include other elements that are not explicitly listed, or further include for this process, method, commodity or equipment intrinsic want Element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that including described want There is also other identical elements in the process, method of element, commodity or equipment.

It is above-mentioned that this specification specific embodiment is described.Other embodiments are in the scope of the appended claims It is interior.In some cases, the movement recorded in detail in the claims or step can be come according to the sequence being different from embodiment It executes and desired result still may be implemented.In addition, process depicted in the drawing not necessarily require show it is specific suitable Sequence or consecutive order are just able to achieve desired result.In some embodiments, multitasking and parallel processing be also can With or may be advantageous.

The term that this specification one or more embodiment uses be only merely for for the purpose of describing particular embodiments, and It is not intended to be limiting this specification one or more embodiment.In this specification one or more embodiment and the appended claims Used in the "an" of singular, " described " and "the" be also intended to including most forms, unless context understands earth's surface Show other meanings.It is also understood that term "and/or" used herein refers to and includes one or more associated list Any or all of project may combine.

It will be appreciated that though this specification one or more embodiment may using term first, second, third, etc. come Various information are described, but these information should not necessarily be limited by these terms.These terms are only used to same type of information area each other It separates.For example, the first information can also be referred to as in the case where not departing from this specification one or more scope of embodiments Two information, similarly, the second information can also be referred to as the first information.Depending on context, word as used in this is " such as Fruit " can be construed to " ... when " or " when ... " or " in response to determination ".

The foregoing is merely the preferred embodiments of this specification one or more embodiment, not to limit this theory Bright book one or more embodiment, all within the spirit and principle of this specification one or more embodiment, that is done is any Modification, equivalent replacement, improvement etc. should be included within the scope of the protection of this specification one or more embodiment.

Claims (13)

1. realizing the method for secret protection in a kind of block chain, comprising:
Block chain node determines the corresponding intelligent contract of the transaction received;
The block chain node executes the intelligent contract in credible performing environment;
The block chain node is encrypted when storing implementing result with key, and the key is by the block chain node according to preservation In the credible performing environment security key and at least one impact factor and generate.
2. according to the method described in claim 1, the security key includes seal key.
3. according to the method described in claim 2,
The seal key the block chain node SGX by remote proving after sent by Key Management server;Or,
The seal key between the block chain node and other block chain nodes by negotiating to obtain.
4. according to the method described in claim 1, the security key is stored in the enclosure of the block chain node.
5. according to the method described in claim 4, the block chain node, there are several enclosures, the security key is stored in peace In full enclosure.
6. according to the method described in claim 5, the safe enclosure includes QE enclosure.
7. according to the method described in claim 1, the impact factor includes at least one of: the contract of the intelligence contract Address, the code cryptographic Hash of the intelligent contract, the account address of the contract founder of the intelligent contract, the transaction hair Play the account address of side.
8. according to the method described in claim 1,
The transaction is that encrypted privacy is traded, so that the block chain node is encrypted when storing implementing result with key; Or,
The intelligent contract is labeled as privacy processing type by the transaction, so that the block chain node is in storage implementing result When encrypted with key.
9. according to the method described in claim 1, the transaction is for creating or calling intelligent contract.
10. according to the method described in claim 1, the block chain node is encrypted when storing implementing result with key, comprising:
After the block chain node obtains plaintext implementing result in credible performing environment, the plaintext is executed with the key As a result it is encrypted as ciphertext implementing result, and exports the ciphertext implementing result from the credible performing environment;
The block chain node is executed the ciphertext by executing store function code except the credible performing environment As a result it stores to the external memory space except the credible performing environment.
11. realizing the node of secret protection in a kind of block chain, comprising:
Determination unit, for determining the corresponding intelligent contract of transaction received;
Execution unit, for executing the intelligent contract in credible performing environment;
Encryption unit, for being encrypted when storing implementing result with key, the key is by block chain node according to being stored in State credible performing environment security key and at least one impact factor and generate.
12. according to the method for claim 11, the impact factor includes at least one of: the conjunction of the intelligence contract About address, the code cryptographic Hash of the intelligent contract, the account address of the contract founder of the intelligent contract, the transaction The account address of initiator.
13. a kind of computer readable storage medium, is stored thereon with computer instruction, realized such as when which is executed by processor The step of any one of claim 1-10 the method.
CN201910101449.XA 2019-01-31 2019-01-31 The method and node, storage medium of secret protection are realized in block chain CN110008736A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910101449.XA CN110008736A (en) 2019-01-31 2019-01-31 The method and node, storage medium of secret protection are realized in block chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910101449.XA CN110008736A (en) 2019-01-31 2019-01-31 The method and node, storage medium of secret protection are realized in block chain

Publications (1)

Publication Number Publication Date
CN110008736A true CN110008736A (en) 2019-07-12

Family

ID=67165695

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910101449.XA CN110008736A (en) 2019-01-31 2019-01-31 The method and node, storage medium of secret protection are realized in block chain

Country Status (1)

Country Link
CN (1) CN110008736A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102473224A (en) * 2009-12-22 2012-05-23 英特尔公司 Method and apparatus to provide secure application execution
CN107294709A (en) * 2017-06-27 2017-10-24 阿里巴巴集团控股有限公司 A kind of block chain data processing method, apparatus and system
CN107342858A (en) * 2017-07-05 2017-11-10 武汉凤链科技有限公司 A kind of intelligent contract guard method and system based on trusted context
CN107506659A (en) * 2017-07-27 2017-12-22 西安电子科技大学 A kind of data protection system and method for the Universal Database based on SGX
US20180068091A1 (en) * 2016-09-06 2018-03-08 Intel Corporation Blockchain-Based Shadow Images to Facilitate Copyright Protection of Digital Content
WO2018058441A1 (en) * 2016-09-29 2018-04-05 Nokia Technologies Oy Method and apparatus for trusted computing
CN107896150A (en) * 2017-12-21 2018-04-10 善林(上海)金融信息服务有限公司 Link block chain network and the system of Internet of Things
CN108235772A (en) * 2017-12-29 2018-06-29 深圳前海达闼云端智能科技有限公司 Data processing method, device, storage medium and electronic equipment based on block chain
CN109284185A (en) * 2017-07-21 2019-01-29 英特尔公司 The device, method and system accelerated for the transaction of block chain

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102473224A (en) * 2009-12-22 2012-05-23 英特尔公司 Method and apparatus to provide secure application execution
US20180068091A1 (en) * 2016-09-06 2018-03-08 Intel Corporation Blockchain-Based Shadow Images to Facilitate Copyright Protection of Digital Content
WO2018058441A1 (en) * 2016-09-29 2018-04-05 Nokia Technologies Oy Method and apparatus for trusted computing
CN107294709A (en) * 2017-06-27 2017-10-24 阿里巴巴集团控股有限公司 A kind of block chain data processing method, apparatus and system
CN107342858A (en) * 2017-07-05 2017-11-10 武汉凤链科技有限公司 A kind of intelligent contract guard method and system based on trusted context
CN109284185A (en) * 2017-07-21 2019-01-29 英特尔公司 The device, method and system accelerated for the transaction of block chain
CN107506659A (en) * 2017-07-27 2017-12-22 西安电子科技大学 A kind of data protection system and method for the Universal Database based on SGX
CN107896150A (en) * 2017-12-21 2018-04-10 善林(上海)金融信息服务有限公司 Link block chain network and the system of Internet of Things
CN108235772A (en) * 2017-12-29 2018-06-29 深圳前海达闼云端智能科技有限公司 Data processing method, device, storage medium and electronic equipment based on block chain

Similar Documents

Publication Publication Date Title
US10255444B2 (en) Method and system for utilizing secure profiles in event detection
US10461933B2 (en) Methods for secure credential provisioning
Cheng et al. Ekiden: A platform for confidentiality-preserving, trustworthy, and performant smart contracts
JP6665113B2 (en) Secure transport of encrypted virtual machines with continuous owner access
US10491379B2 (en) System, device, and method of secure entry and handling of passwords
JP2016189626A (en) System and method for wireless data protection
Arora et al. Secure user data in cloud computing using encryption algorithms
US20180343114A1 (en) A system and method for blockchain smart contract data privacy
JP6692234B2 (en) System and method for issuing security domain key management using global platform specifications
US10277591B2 (en) Protection and verification of user authentication credentials against server compromise
KR101687275B1 (en) Trusted data processing in the public cloud
Eguro et al. FPGAs for trusted cloud computing
JP6538570B2 (en) System and method for cloud data security
CN103051664B (en) A kind of file management method of cloud storage system, device and this cloud storage system
CN102271037B (en) Based on the key protectors of online key
CN104778794B (en) mobile payment device and method
CN104969234B (en) For the root of trust of the measurement of virtual machine
CN1914849B (en) Trusted mobile platform architecture
CN101661544B (en) Method and apparatus for providing a secure display window inside the primary display
JP2020516104A (en) Off-chain smart contract service based on trusted execution environment
US8856504B2 (en) Secure virtual machine bootstrap in untrusted cloud infrastructures
CA3050329C (en) Key establishment and data sending method and apparatus
CN106716914A (en) Secure key management for roaming protected content
US8879731B2 (en) Binding of protected video content to video player with block cipher hash
CN103221961B (en) Comprise the method and apparatus of the framework for the protection of multi-ser sensitive code and data

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination