CN110008737A - Method, node and the storage medium of secret protection are realized in block chain - Google Patents

Method, node and the storage medium of secret protection are realized in block chain Download PDF

Info

Publication number
CN110008737A
CN110008737A CN201910124771.4A CN201910124771A CN110008737A CN 110008737 A CN110008737 A CN 110008737A CN 201910124771 A CN201910124771 A CN 201910124771A CN 110008737 A CN110008737 A CN 110008737A
Authority
CN
China
Prior art keywords
transaction
plaintext
block chain
key
receipt
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910124771.4A
Other languages
Chinese (zh)
Other versions
CN110008737B (en
Inventor
刘琦
魏长征
闫莺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced New Technologies Co Ltd
Advantageous New Technologies Co Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN202010429988.9A priority Critical patent/CN111639362B/en
Priority to CN201910124771.4A priority patent/CN110008737B/en
Publication of CN110008737A publication Critical patent/CN110008737A/en
Application granted granted Critical
Publication of CN110008737B publication Critical patent/CN110008737B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Abstract

This specification one or more embodiment provides method, node and the storage medium that secret protection is realized in a kind of block chain; this method may include: that the first block chain node receives the transaction that client is initiated, and the transaction has one or more corresponding intelligent contracts;First block chain node executes the transaction to obtain plaintext receipt data, and the plaintext receipt data includes corresponding respectively to the plaintext receipt subdata of each intelligent contract;There are when encryption identification determining the corresponding first intelligent contract of the transaction for first block chain node, the corresponding plaintext receipt subdata of the first intelligent contract is encrypted as ciphertext receipt subdata using key, the corresponding ciphertext receipt data of the plaintext receipt data includes the ciphertext receipt subdata;First block chain node stores the ciphertext receipt data.

Description

Method, node and the storage medium of secret protection are realized in block chain
Technical field
This specification one or more embodiment is related to realizing in block chain technical field more particularly to a kind of block chain hidden Method, node and the storage medium of private protection.
Background technique
Block chain technology constructs on transmission network (such as point to point network).Network node in transmission network utilizes Linked data structure is verified and storing data, and knows together algorithm using distributed node to generate and more new data.These areas Node in block chain network is sometimes for increase.
Technically maximum two challenges are exactly privacy and performance to the block platform chain of enterprise-level at present, and often the two are chosen War is difficult to solve simultaneously.Most solutions are all to exchange privacy for by losing performance, or less consider that privacy goes the property pursued Energy.The encryption technology of common solution privacy concern, as homomorphic cryptography (Homomorphic encryption) and Zero Knowledge are demonstrate,proved Complexities such as bright (Zero-knowledge proof) are high, poor universality, but also may bring serious performance loss.
In terms of solving privacy, credible performing environment (Trusted Execution Environment, TEE) is another Kind settling mode.TEE can play the role of the black box in hardware, and the code and data executed in TEE all can not be by operation System layer is peeped, and only can just be operated on it by interface predetermined in code.It is black due to TEE in terms of efficiency Case property, carry out operation in TEE is clear data, rather than the complicated cryptography arithmetic in homomorphic cryptography, calculating process Inefficent loss, therefore combined with TEE and can largely promote block chain under the premise of performance loss is lesser Safety and privacy.Industry very pays close attention to the scheme of TEE at present, and the chip and software league of nearly all mainstream have certainly Oneself TEE solution, TPM (Trusted Platform Module, reliable platform module) including software aspects and Intel SGX (Software Guard Extensions, software protection extension), the ARMTrustzone of hardware aspect (trust Area) and AMD PSP (Platform Security Processor, platform safety processor).
Summary of the invention
In view of this, this specification one or more embodiment provide realized in a kind of block chain secret protection method, Node and storage medium.
To achieve the above object, it is as follows to provide technical solution for this specification one or more embodiment:
Secret protection is realized in a first aspect, proposing in a kind of block chain according to this specification one or more embodiment Method, comprising:
First block chain node receives the transaction that client is initiated, and the transaction has one or more corresponding intelligence and closes About;
First block chain node executes the transaction to obtain plaintext receipt data, and the plaintext receipt data includes difference Plaintext receipt subdata corresponding to each intelligent contract;
First block chain node is determining that the corresponding first intelligent contract of the transaction there are when encryption identification, uses key The corresponding plaintext receipt subdata of first intelligence contract is encrypted as ciphertext receipt subdata, the plaintext receipt data is corresponding Ciphertext receipt data includes the ciphertext receipt subdata;
First block chain node stores the ciphertext receipt data.
According to the second aspect of this specification one or more embodiment, proposes in a kind of block chain and realize secret protection Node, comprising:
Receiving unit, for receiving the transaction of client initiation, there are one or more corresponding intelligence and close in the transaction About;
Execution unit, for the transaction to obtain plaintext receipt data, the plaintext receipt data includes respectively corresponding In the plaintext receipt subdata of each intelligent contract;
Encryption unit, for determining that the corresponding first intelligent contract of the transaction there are when encryption identification, uses key The corresponding plaintext receipt subdata of first intelligence contract is encrypted as ciphertext receipt subdata, the plaintext receipt data is corresponding Ciphertext receipt data includes the ciphertext receipt subdata;
Storage unit, for storing the ciphertext receipt data.
According to the third aspect of this specification one or more embodiment, a kind of computer readable storage medium is proposed, The step of being stored thereon with computer instruction, method as described in relation to the first aspect realized when which is executed by processor.
Detailed description of the invention
Fig. 1 is the flow chart that the method for secret protection is realized in a kind of block chain of exemplary embodiment offer.
Fig. 2 is a kind of schematic diagram for transaction scene that an exemplary embodiment provides.
Fig. 3 is the composition figure that the node of secret protection is realized in a kind of block chain of exemplary embodiment offer.
Specific embodiment
Example embodiments are described in detail here, and the example is illustrated in the accompanying drawings.Following description is related to When attached drawing, unless otherwise indicated, the same numbers in different drawings indicate the same or similar elements.Following exemplary embodiment Described in embodiment do not represent all embodiments consistent with this specification one or more embodiment.Phase Instead, they are only some aspects phases with the one or more embodiments of as detailed in the attached claim, this specification The example of consistent device and method.
It should be understood that the sequence that might not show and describe according to this specification in other embodiments executes The step of correlation method.In some other embodiments, step included by method can than described in this specification more It is more or less.In addition, single step described in this specification, may be broken down into other embodiments multiple steps into Row description;And multiple steps described in this specification, it may also be merged into single step progress in other embodiments Description.
Block chain is normally divided into three types: publicly-owned chain (Public Blockchain), privately owned chain (Private ) and alliance's chain (Consortium Blockchain) Blockchain.In addition, there are also a plurality of types of combinations, such as privately owned chain The different combinations such as+alliance chain, alliance's chain+publicly-owned chain.It is publicly-owned chain that wherein decentralization degree is highest.Publicly-owned chain with than Special coin, ether mill are representative, and the participant that publicly-owned chain is added can read data record on chain, participate in business and compete newly Book keeping operation power of block etc..Moreover, each participant's (i.e. node) freely can be added and exit network, and carry out relevant operation.It is private There is chain then on the contrary, the write-in permission of the network is by some tissue or mechanism controls, reading data permission is by organization prescribed.Simply For, privately owned chain can be weak center's system, and participating in node has stringent limitation and less.Such block chain is more It is suitable for using inside particular organization.Alliance's chain is then block chain between publicly-owned chain and privately owned chain, it can be achieved that " part Decentralization ".Each node usually has corresponding physical mechanism or tissue in alliance's chain;Participant is added by authorization Enter network and composition interests correlation alliance, it is common to safeguard the operation of block chain.
Whether publicly-owned chain, privately owned chain or alliance's chain can generate corresponding receipt after transaction executes (receipt) data, for recording the relevant receipt information of the transaction.By taking ether mill as an example, it is resulting that node executes transaction Receipt data may include following fields:
BlockHash field indicates exchange in the cryptographic Hash of block;
BlockNumber field indicates transaction in the serial number of locating block;
TransactionHash field indicates the cryptographic Hash of transaction;
TransactionIndex field indicates serial number of the transaction in locating block;
From field indicates the account address of transaction generation side;
To field indicates the account address of trading object (when transaction is for creating intelligent contract, To field is sky);
ContractAddress field indicates the ground for creating intelligent contract when transaction is for creating intelligent contract Otherwise location is sky;
Logs field indicates the log of transaction.
For node when executing each transaction contained by a certain block, each transaction can all generate corresponding receipt after being performed Data, and node can organize each corresponding receipts of trading contained by the block according to predefined tree and processing logic According to data, a receipt tree is formed.Receipt tree is generated by tissue, so that when being inquired or being verified for receipt data, Corresponding inquiry or verification efficiency can greatly be promoted.For example, using MPT (Merkle Patricia Tree) in ether mill Structure organization generates above-mentioned receipt tree, and the leaf of the receipt tree is the Kazakhstan of each corresponding receipt data of trading contained by the block Uncommon value, and receipt tree root (receiptRoot) is to be breathed out according to the root that the cryptographic Hash of the receipt data of leaf generates upwards in turn It is uncommon.Certainly, other kinds of tree can also be used in other block chain networks.
Below in conjunction with the realization process for illustrating that this specification one realizes the embodiment of the method for secret protection shown in Fig. 1:
Step 102, the first block chain node receives the transaction that client is initiated, and the transaction exists one or more corresponding Intelligent contract.
Transaction can be committed to the first block chain node by client.For example, user is by corresponding account in client After generating the transaction, transaction is committed to by the first block chain node by the client.By taking Fig. 2 as an example, the first block chain node In include transaction/query interface, which can dock with client, and client is allowed to submit friendship to the first block chain node Easily.
Step 104, the first block chain node executes the transaction to obtain plaintext receipt data, the plaintext receipt data Plaintext receipt subdata including corresponding respectively to each intelligent contract.
After first block chain node executes above-mentioned transaction, other than obtaining corresponding transaction implementing result, can also it generate Receipt data, the receipt data are plaintext version, i.e., above-mentioned plaintext receipt data.
It, can be by the plaintext transaction, privacy type that be divided into plaintext type of trading based on different secret protection demands Privacy transaction.Type field can be added in transaction, and the first block chain node is allowed to identify that type of transaction is bright accordingly Text transaction or privacy transaction.In the related art, such as in the network of ether mill, transaction generally comprises to, value, data etc. Field.And the present embodiment increases by a type field on the basis of the relevant technologies in transaction, for example is characterized as type field, And the value based on the type field, show the type of relationship trading;For example, showing phase when type field is the first value Transaction is closed to trade in plain text, when type field is the second value, shows relationship trading for privacy transaction.
All the elements of transaction are all made of plaintext version in plain text, i.e. each field of the transaction is all made of plaintext version, makes Can directly each field of plaintext transaction be read out by obtaining the first block chain node, to implement relevant treatment;Meanwhile it is bright Text transaction is packaged blocking with plaintext version, and then is recorded in block chain with plaintext version.Privacy is traded in addition to type field Except plaintext version, other fields are all made of ciphertext form, enable the first block chain node of one side without solution In the case where close, type of transaction is quickly identified, to implement differentiation processing for transaction in plain text and privacy transaction, on the other hand Make it only by using ciphertext form and can be held the object of key to be decrypted and read, Transaction Information is avoided to let out Dew, and privacy transaction is packaged blocking with ciphertext form, and then is recorded in block chain with ciphertext form.
All Activity in the network of ether mill is to trade in plain text.And the first block chain node can extend on this basis The mixed processing scheme of transaction in plain text with privacy transaction is taken into account out.Such as shown in Fig. 2, the first block chain node can be divided into often Advise performing environment and credible performing environment, the transaction that client is submitted initially enter in conventional performing environment " transaction/inquiry connects Mouthful " type identification (for example identifying type field described above) is carried out, the plaintext transaction that will identify that stays in conventional execution ring It is handled in border, and the privacy transaction transport that will identify that is handled into credible performing environment.When the first block chain link When point encrypts plaintext receipt data in credible performing environment, in order to ensure cryptographic operation is smoothly implemented, some scenes Under plaintext transaction can be passed in credible performing environment and be executed, the differentiation with privacy transaction is only that without handing over plaintext It is easily decrypted, without being encrypted to corresponding plaintext implementing result.
When conventional performing environment handles plaintext transaction, entire treatment process uses clear-text way, i.e., first completely After block chain node handles plaintext transaction, above-mentioned plaintext receipt data is obtained, and to this in conventional performing environment Plaintext receipt data is directly stored.And credible performing environment and conventional performing environment are mutually isolated, privacy transaction is entering It is in encrypted state (in addition to above-mentioned type field) before credible performing environment, and is then decrypted as in credible performing environment Plaintext transaction content, to enable the plaintext transaction content in credible performing environment under the premise of ensuring data safety Middle realization efficient process, and corresponding plaintext receipt data is generated in credible performing environment;Further, for the plaintext When receipt data is stored, then needs to be encrypted as corresponding ciphertext receipt data, then store into conventional performing environment, example If storage location and above-mentioned plaintext corresponding plaintext receipt data of trading are identical, " packing+storage " that all can be as shown in Figure 2 Module.
Transaction in this specification can be used to implement relatively simple processing logic, for example be similar in the related technology It transfers accounts logic.Plaintext transaction or privacy transaction either above-mentioned at this time, can be unrelated with intelligent contract.
Transaction in this specification can be also used for realizing relative complex processing logic, here can be by means of above-mentioned Intelligent contract is realized.By taking ether mill as an example, user is supported to create and/or call patrolling for some complexity in the network of ether mill Volume, this is the ultimate challenge that ether mill is different from bit coin block chain technology.Core of the ether mill as a programmable block chain The heart is ether mill virtual machine (EVM), and each ether mill node can run EVM.EVM is the complete virtual machine of a figure spirit, This means that can realize the logic of various complexity by it.User issue and call in ether mill intelligent contract be exactly It is run on EVM.In fact, what virtual machine directly ran is virtual machine code (Virtual Machine bytecodes, lower abbreviation " bytecode "). The intelligent contract being deployed on block chain can be the form of bytecode.
In one embodiment, the intelligent contract of this specification can be divided into the plaintext contract of plaintext type, privacy type Privacy contract.The contract code and contract state of plaintext contract are stored at node with plaintext version, and privacy contract Contract code and contract state are stored at node with ciphertext form, so that privacy contract has relatively higher privacy. When transaction is for creating and/or calling intelligent contract, which be may be considered that corresponding to the transaction.
Since the first block chain node is handled plaintext transaction except credible performing environment, and will directly handle To plaintext implementing result (such as changed contract state) store to external memory space, thus when in plain text transaction be used for When creating intelligent contract, the intelligence contract is inevitable to be stored in external memory space with plaintext version, thus the intelligence contract is inevitable For plaintext contract.Meanwhile when plaintext trades and calls intelligent contract, due to only can be to privacy contract in credible performing environment It is decrypted, thus the intelligent contract that transaction is called in plain text only can be plaintext contract.
First block chain node can be in credible performing environment (Trusted Execution Environment, TEE) Decrypt privacy transaction.TEE is the security extension based on CPU hardware, and the credible performing environment completely isolated with outside.TEE is most It is early the concept proposed by Global Platform, for solving the security isolation of resource in mobile device, is parallel to operation system System provides credible and secure performing environment for application program.The Trust Zone technology of ARM realizes the TEE of real commercialization earliest Technology.
Along with the high speed development of internet, safe demand is higher and higher, is not limited only to mobile device, cloud device, Data center all proposes more demands to TEE.The concept of TEE has also obtained the development and expansion of high speed.Now described TEE is compared to the TEE for the concept initially proposed being more broad sense.For example, server chips manufacturer Intel, AMD etc. are first It is proposed the TEE of hardware auxiliary afterwards and enriches the concept and characteristic of TEE, is had been widely recognized in industry.It mentions now The TEE risen usually more refers to the TEE technology of this kind of hardware auxiliary.Different from mobile terminal, cloud access needs to remotely access, terminal User is invisible to hardware platform, therefore seeks to the genuine and believable of confirmation TEE using the first step of TEE.Therefore present TEE Technology all introduces remote proving mechanism, is endorsed by hardware vendor (mainly CPU manufacturer) and is ensured by digital signature technology User can verify that TEE state.It is simultaneously only the demand for security that the resource isolation of safety is also unable to satisfy, further data Secret protection is also suggested.Including Intel SGX, the commercial TEE including AMD SEV also both provides memory encryption technology, will Reliable hardware is limited to inside CPU, and the data of bus and memory are that ciphertext prevents malicious user from being spied upon.For example, Ying Te Your software protection extends code execution, remote proving, security configuration, the secure storage of data such as (SGX) TEE technology insulation And the trusted path for executing code.The application program run in TEE is kept safe, as a consequence it is hardly possible to by third Side's access.
By taking Intel SGX technology as an example, SGX provides enclosure (enclave, also referred to as enclave), i.e., one adds in memory Close credible execution region, protects data not to be stolen by CPU.By taking the first block chain node is using the CPU for supporting SGX as an example, Using newly-increased processor instruction, a part of region EPC (Enclave Page Cache, enclosure page can be distributed in memory Face caching or enclave page cache), by the crypto engine MEE (Memory Encryption Engine) in CPU to wherein Data encrypted.The content encrypted in EPC, which only enters after CPU, can just be decrypted into plain text.Therefore, in SGX, user It can distrust operating system, VMM (Virtual Machine Monitor, monitor of virtual machine), even BIOS (Basic Input Output System, basic input output system), it is only necessary to trust CPU just and can ensure that private data will not leak. It in practical application, is transferred in enclosure after private data being encrypted with ciphertext form, and will be corresponding by remote proving Code key is also passed to enclosure.Then, operation is carried out using data under the encipherment protection of CPU, as a result can be returned with ciphertext form.This Under kind mode, powerful calculating power not only can use, but also do not have to concern of data and leak.
Since privacy transaction executes in TEE, thus the corresponding intelligent contract of privacy transaction can be privacy contract, such as Privacy transaction can create in TEE intelligence contract, the contract code and contract state of the intelligence contract can in TEE quilt Encryption, to create corresponding privacy contract;Privacy transaction for another example can be with invoking privacy contract, and the privacy contract is in TEE The contract state for being decrypted and executing, and updating after executing can be updated simultaneously re-encrypted storage;For another example privacy is handed over Plaintext contract can easily be called, after which is performed in TEE, the contract state updated still with plaintext version into Row storage.
It is generated at a certain client it is assumed that above-mentioned privacy is traded, which can firstly generate in transaction in plain text Hold, then encrypts the plaintext transaction content with key.The encryption can use symmetric cryptography, can also use asymmetric Encryption.Correspondingly, the first block chain node can decrypt the privacy with corresponding key and trade, to obtain in transaction in plain text Hold.If client symmetric cryptography mode, i.e., plaintext transaction content is encrypted with the symmetric key of symmetric encipherment algorithm, then phase Ying Di, the first block chain node can the transaction of privacy described in the symmetric key decryption with the symmetric encipherment algorithm.Symmetric cryptography The Encryption Algorithm of use, e.g. DES algorithm, 3DES algorithm, TDEA algorithm, Blowfish algorithm, RC5 algorithm, IDEA algorithm Deng.The symmetric key of symmetric encipherment algorithm, such as can be the generation side to be traded by the privacy and generate, or by client and the One block chain node is negotiated to determine, or sends to obtain by Key Management server.
If encrypted with the public key of rivest, shamir, adelman to plaintext transaction content, then phase with asymmetric encryption mode Ying Di, the first block chain node can decrypt the privacy with the private key of the rivest, shamir, adelman and trade.Asymmetric encryption Algorithm, e.g. RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC (elliptic curve encryption algorithm) etc..Asymmetric encryption The key of algorithm, such as can be and a pair of of public key and private key are generated by the first block chain node, and public key is sent to institute in advance Client is stated, so that the client can be by the plaintext transaction content public key encryption.
The key of rivest, shamir, adelman can also be generated by a Key Management server.Pass through the side of remote proving Private key is sent to the first block chain node by formula, Key Management server, specifically, can be incoming first block chain node In enclosure.First block chain node may include multiple enclosures, and the safety that above-mentioned private key can be passed into these enclosures is enclosed Circle;For example, the safe enclosure can be QE (Quoting Enclave) enclosure, rather than AE (Application Enclave) encloses Circle.For the public key of asymmetric encryption, the client can be sent to by Key Management server.Thus client can be used The public key encryption plaintext transaction content, correspondingly, the first block chain node can decrypt the privacy with the private key and trade, with Obtain the plaintext transaction content that privacy transaction includes.
Client can also be in such a way that symmetric cryptography combination asymmetric encryption combines.For example, client use pair Claim Encryption Algorithm encrypting plaintext transaction content, that is, uses the symmetric key encryption plaintext transaction content of symmetric encipherment algorithm, be used in combination The symmetric key used in rivest, shamir, adelman cryptographic symmetrical Encryption Algorithm.In general, using the public affairs of rivest, shamir, adelman The symmetric key used in key cryptographic symmetrical Encryption Algorithm.It, can be in this way, after the first block chain node receives the transaction of encryption It is first decrypted using the private key of rivest, shamir, adelman, obtains the symmetric key of symmetric encipherment algorithm, and then use symmetric cryptography The symmetric key decryption of algorithm obtains plaintext transaction content.
For example, the private key of rivest, shamir, adelman can be sent to the firstth area by remote proving by Key Management server The enclosure of block chain node, and the private key of rivest, shamir, adelman is sent to the client.Thus, the client can adopt With the symmetric key encryption plaintext transaction content of symmetric encipherment algorithm, that is, use the symmetric key encryption of symmetric encipherment algorithm in plain text Transaction content, and with the symmetric key used in the public key encryption symmetric encipherment algorithm of rivest, shamir, adelman.In turn, the visitor Family end the privacy can be traded and encryption key (public key by rivest, shamir, adelman in the symmetric encipherment algorithm to adopting Symmetric key obtains after being encrypted) it is sent to the first block chain node.First block chain node receives the privacy After transaction and encryption key, first the encryption key can be decrypted to obtain symmetric cryptography with the private key of rivest, shamir, adelman The symmetric key of algorithm, and then privacy described in the symmetric key decryption with the symmetric encipherment algorithm is traded, and is obtained in transaction in plain text Hold.Here cipher mode is commonly referred to as digital envelope encryption.
After privacy transaction is decrypted in first block chain node, plaintext transaction content is obtained.Plaintext transaction content can be with Code comprising intelligent contract, for creating intelligent contract in block chain;Plaintext transaction content may include in block chain The contract address of a certain intelligent contract created, for calling the intelligence contract.
Either for creating or calling intelligent contract, the first block chain node can be by executing generation of the intelligence contract Code, to complete to trade.First block chain node can execute the code of the intelligent contract in credible performing environment.Work as intelligence When the code of contract is located in privacy transaction, the first block chain node to privacy transaction by being decrypted to obtain above-mentioned plaintext Transaction content, the code of the intelligent contract in the plaintext transaction content comprising plaintext;When intelligent contract has created in advance, privacy is handed over When being easy for calling the intelligence contract, if the intelligence contract carries out encryption storage by the first block chain link point in advance, and this One block chain node can be by reading in the code of the intelligent contract of ciphertext in credible performing environment, and decrypts and obtain plaintext The code of intelligent contract.Multinest structure may be implemented between intelligent contract;Such as the code in intelligence and about 1 has invoked intelligence Can be with about 2, and the code in intelligence and about 2 has been directed toward the contract address 3 through creating intelligent contract code building, to work as privacy When the code in intelligence and about 1 is called in transaction, the intelligent contract code in the contract address 3 is had invoked indirectly.
When privacy is traded for creating intelligent contract, the code comprising intelligence contract in privacy transaction, the first block Chain node can be decrypted to obtain the code of intelligence contract contained by it in credible performing environment to privacy transaction, and in turn The plaintext code is executed in credible performing environment.When privacy transaction is used for the intelligent contract of invoking privacy type, the firstth area Block chain node can be decrypted to obtain corresponding plaintext code in credible performing environment to the intelligence contract, and in turn can The plaintext code is executed in letter performing environment.When privacy trades the intelligent contract for calling plaintext type, the first block chain Node directly reads the plaintext code of the intelligence contract, and the plaintext code is executed in credible performing environment.Specifically, first Block chain node can use the processor instruction increased newly in CPU, a part of region EPC be distributed in memory, by CPU Crypto engine MEE carries out encryption to above-mentioned plaintext code and is stored in the EPC.The content encrypted in EPC is solved after entering CPU Close Cheng Mingwen.In CPU, operation is carried out to the plaintext code, completes implementation procedure.
In SGX technology, the plaintext code of the intelligent contract is executed, EVM can be loaded into the enclosure.Long-range In proof procedure, the Key Management server can calculate the hash value of local EVM code, and in the first block chain node The hash value of the EVM code of load compares, and comparison result is correctly as a necessary condition for passing through remote proving, to complete To the measurement of the code of the first block chain node SGX enclosure load.Through excess vol, described in correct EVM can be executed in SGX Intelligent contract code.
Step 106, the first block chain node determine the corresponding first intelligent contract of the transaction there are when encryption identification, The corresponding plaintext receipt subdata of the first intelligence contract is encrypted as ciphertext receipt subdata, the plaintext receipt number using key It include the ciphertext receipt subdata according to corresponding ciphertext receipt data.
Step 108, the first block chain node stores the ciphertext receipt data.
After CPU executes the plaintext code, other than generating corresponding plaintext implementing result, plaintext receipt number is also generated According to.The content of plaintext receipt data may include several field information contained or other extension information described above, this theory Bright book is limited not to this.
First block chain node is by encrypting ciphertext receipt data, so that only partial objects are (as initiated transaction Client) can decrypt to obtain corresponding plaintext receipt data, and plaintext receipt data is avoided to be exposed.For example, when a certain User initiates a transaction to the first block chain node by client, which is used to inquire the value of a certain contract state, Then while the transaction can't cause to change after executing to the value of the contract state, but the receipts that the transaction generates after executing According to data, by exposure, the user implements relevant inquiring operation, thus by being encrypted to plaintext receipt data, it can protect The privacy of the user.
Similar with the generation process of receipt tree in the related technology, above-mentioned ciphertext receipt data equally be used to calculate receipts According to the tree root of tree, and the tree root is contained in the block head of block locating for the transaction.For example, when using MPT tree When, the cryptographic Hash of above-mentioned ciphertext receipt data will be used to constitute the leaf of receipt tree;It certainly, can also be direct under some cases Plaintext receipt data is stored, then the cryptographic Hash of these plaintext receipt datas equally be used to constitute the leaf of receipt tree, this portion Point situation will be explained below.
First block chain node firstly generates plaintext receipt data, then encrypts the plaintext receipt data with key.Institute Encryption is stated, symmetric cryptography can be used, asymmetric encryption can also be used.If the first block chain node symmetric cryptography side Formula encrypts plaintext receipt data with the symmetric key of symmetric encipherment algorithm, then (or other hold pair of key to client As) can ciphertext receipt data described in the symmetric key decryption with the symmetric encipherment algorithm.
When the symmetric key of first block chain node symmetric encipherment algorithm encrypts plaintext receipt data, this is symmetrical Key can be provided previously to the first block chain node by client.So, due to only having client (actually to should be in client The corresponding user of logon account) and the first block chain node grasp the symmetric key, enable only the client decrypt Corresponding encryption receipt data avoids unrelated user even criminal that encryption receipt data is decrypted.
For example, client, when initiating to trade to the first block chain node, if the transaction is privacy transaction, client can To be encrypted with the initial key of symmetric encipherment algorithm to plaintext transaction content, to obtain privacy transaction;Correspondingly, first Block chain node can be by obtaining the initial key, for directly or indirectly encrypting to plaintext receipt data.For example, The initial key can be negotiated to obtain in advance by client and the first block chain node, or be sent to by Key Management server Client and the first block chain node, or the first block chain node is sent to by client.When initial key is sent out by client When sending to the first block chain node, client can be encrypted the initial key by the public key of rivest, shamir, adelman Afterwards, encrypted initial key is sent to the first block chain node, and the first block chain node passes through rivest, shamir, adelman Private key the encrypted initial key is decrypted, obtain initial key, i.e., digital envelope encryption described above, herein It repeats no more.
First block chain node can encrypt plaintext receipt data using above-mentioned initial key.Difference transaction is adopted Initial key can be identical, so that the All Activity that same user is submitted is all made of the initial key and encrypts, or The initial key of person's difference transaction use can be different, for example client can be initial close for the random generation one of each transaction Key, to promote safety.
First block chain node can generate derivative key according to initial key and impact factor, and pass through the derivative key Plaintext receipt data is encrypted.It being encrypted compared to initial key is directlyed adopt, derivative key can increase degree of randomness, To promote the difficulty being broken, facilitate the safeguard protection for optimizing data.Impact factor can be related to transaction;For example, shadow The specific bit that the factor may include transaction cryptographic Hash is rung, for example the first block chain node can be by initial key and transaction cryptographic Hash First 16 (or first 32,16 latter, rear 32 or other positions) spliced, and spliced character string is breathed out Uncommon operation, to generate derivative key.
First block chain node can also use asymmetric encryption mode, i.e., with the public key of rivest, shamir, adelman in plain text Receipt data encryption, then correspondingly, client can decrypt the ciphertext receipt number with the private key of the rivest, shamir, adelman According to.The key of rivest, shamir, adelman, such as can be and a pair of of public key and private key are generated by client, and public key is sent in advance To the first block chain node, so that the first block chain node can be by the plaintext receipt data public key encryption.
Although the first block chain node can encrypt the corresponding plaintext receipt data of All Activity, difference is used The demand at family is often different, for example in contrast a part of user focuses more in efficiency, can receive to plaintext receipt data It is stored, in contrast another part user focuses more in privacy, can receive to the encryption and decryption of receipt data to efficiency Influence, then can determine the need for encrypting plaintext receipt data for different scenes.
For client when generating transaction, there may be one or more corresponding intelligent contracts for each transaction.Correspondingly, it hands over Plaintext receipt data caused by being easily performed may include corresponding respectively to the plaintext receipt subdata of each intelligent contract.With Family can determine whether the corresponding plaintext receipt subdata of each intelligent contract needs to encrypt when generating transaction respectively, and be The intelligent contract for needing to encrypt adds corresponding encryption identification.With it is above-mentioned comprising the transaction of encryption identification compared with, the present embodiment can To realize the safeguard protection of contract rank, granularity is relatively thinner, and more preferably safety protective effect may be implemented.So, the firstth area Block chain node can may be not present and add for there are the corresponding plaintext receipt subdatas of the intelligent contract of encryption identification to be encrypted The corresponding plaintext receipt subdata of intelligent contract that secret mark is known then is not necessarily to encrypt.For the encryption identification of each intelligent contract addition It should be cleartext information, it, can " transaction/inquiry connects by such as shown in Fig. 2 so that after the first block chain link point receives transaction Mouth " module is identified that there are corresponding encryption identifications to determine whether at least one intelligent contract, and which specific intelligence Contract there are corresponding encryption identification, which is not present.
When the first block chain node determines that at least one corresponding intelligent contract of the transaction, can be with there are when encryption identification The transaction is passed in credible performing environment by above-mentioned " transaction/query interface " module, thus in credible performing environment pair The transaction is handled.If the transaction is to trade in plain text, the transaction can be directly executed without decryption, difference can be obtained Plaintext receipt subdata corresponding to each intelligent contract;If the transaction is privacy transaction, can be in credible performing environment Decryption obtains corresponding plaintext transaction content, and the plaintext transaction content is executed in credible performing environment, to be distinguished Plaintext receipt subdata corresponding to each intelligent contract.Then, the first block chain node can be to there are the intelligence of encryption identification The corresponding plaintext receipt subdata of energy contract is encrypted, and obtains corresponding ciphertext receipt subdata, encryption identification may be not present The corresponding plaintext receipt subdata of intelligent contract without encryption.
When the first block chain node determines that encryption identification is not present in the corresponding all intelligent contracts of the transaction, need The type for further determining that the transaction can pass through above-mentioned " transaction/query interface " mould if the transaction is to trade in plain text Block is executed the incoming conventional performing environment of the transaction, if the transaction is privacy transaction can by it is above-mentioned " transaction/ The transaction is passed to credible performing environment and is executed by query interface " module.In conventional performing environment, the first block chain node It directly executes and trades in plain text, obtain the corresponding plaintext receipt subdata of each intelligent contract, these plaintext receipt subdatas It does not need to encrypt.In credible performing environment, the first block chain node is decrypted privacy transaction to obtain corresponding friendship in plain text Easy content, and the corresponding plaintext receipt subdata of each intelligent contract is obtained by executing the plaintext transaction content, this A little plaintext receipt subdatas do not need to encrypt.
First block chain node obtains corresponding plaintext receipt data by executing transaction, and passes through key for plaintext receipt After data encryption is corresponding ciphertext receipt data, ciphertext receipt data actively can feed back to the client for initiating the transaction End, using the receipt as the transaction.First block chain node can store the ciphertext receipt data, allow client at any time It is requested to the first block chain node and obtains the ciphertext receipt data.Certainly, if corresponding plaintext receipt data of trading is not required to Encrypt, then the first block chain node plaintext receipt data or the first block chain node can be returned to client can be with Store plaintext receipt data, and it is client-based response and return to the plaintext receipt data.
First block chain node is by running the code for realizing a certain function, to realize the function.Therefore, for needing The function to realize in credible performing environment also needs to execute correlative code.And for being executed in credible performing environment Code, need to meet the related specifications and requirement of credible performing environment;Accordingly in the related technology for realizing a certain The code of function needs the specification and requirement in conjunction with credible performing environment to re-start written in code, and there is only relatively bigger Exploitation amount, and be easy during rewriting generate loophole (bug), influence function realization reliability and stability.
Therefore, the first block chain node can be by executing store function code except the credible performing environment, will The ciphertext receipt data generated in credible performing environment store to except the credible performing environment external memory space (when So, the plaintext receipt data in credible performing environment may not be needed to encrypt, and above-mentioned store function code equally can be by this portion Clearly demarcated text receipt data is stored to external memory space;This is illustrated for sentencing the storing process of ciphertext receipt data), make The store function code can in the related technology for realizing the code of store function, do not need combine credible performing environment Specification and requirement re-start written in code, can realize safe and reliable storage for the ciphertext receipt data, not only may be used On the basis of not influencing safe and reliable degree, to reduce the exploitation amount of correlative code, and can be by reducing credible execution The correlative code of environment and reduce TCB (Trusted Computing Base, trusted computing base) so that TEE technology and block During chain technology is combined, it is additional caused by security risk be in controlled range.
In one embodiment, the first block chain node can execute write buffer function code in credible performing environment, with The plaintext receipt data is stored in the write buffer in the credible performing environment, for example the write buffer can correspond to such as figure " caching " shown in 2.Further, the first block chain node by after the data encryption in the write buffer from the credible execution Environment output, to store to the external memory space.Wherein, the write buffer function code can be stored in plaintext version In the credible performing environment, the caching function code of the plaintext version can be directly executed in credible performing environment;Or, institute Stating write buffer function code can be stored in except the credible performing environment with ciphertext form, for example be stored in above-mentioned outside Memory space (such as " packing+storage " shown in Fig. 2, wherein " packing " indicates the first block chain node in credible performing environment Except transaction be packaged it is blocking), the write buffer function code of the ciphertext form can be read in credible performing environment, can It is decrypted in letter performing environment as plaintext code, and executes the plaintext code.
Write buffer refers to when writing data into external memory space, in order to avoid causing " the punching to external memory space Hit " and " buffering " mechanism of offer.For example, can realize above-mentioned write buffer using buffer;Certainly, write buffer can also adopt It is realized with cache, this specification is limited not to this.In fact, due to the safety collar that credible performing environment is isolation Border, and external memory space is located at except credible performing environment, so that by using write buffer mechanism, it can be to the number in caching External memory space is written according to batch is carried out, so that the interaction times between credible performing environment and external memory space are reduced, Promote data storage efficiency.Meanwhile credible performing environment is during constantly executing each item plaintext transaction content, it may be necessary to Generated data are transferred, if the data that need to be called are located exactly in write buffer, the number can be directly read from write buffer According on the one hand can reducing interaction between external memory space in this way, on the other hand eliminate to from external memory space The decrypting process of data streams read, to be lifted at the data-handling efficiency in credible performing environment.
It is of course also possible to write buffer is built on except credible performing environment, for example the first block chain node can be can Believe and execute write buffer function code except performing environment, so that the ciphertext receipt data is stored in outside the credible performing environment Write buffer in, and further the data in the write buffer are stored to the external memory space.
In one embodiment, the inquiry request that the first block chain node can be initiated according to client, receives the plaintext It is exported according to after data encryption from credible performing environment, to be back to the client.
For example, the first block chain node can read the ciphertext receipt data from the external memory space, pass through Transaction/query interface shown in Fig. 2 returns to encrypted plaintext receipt data to client.
For another example the first block chain node can read the plaintext receipt number from the read buffer in credible performing environment According to, and exported to after plaintext receipt data encryption from credible performing environment;Wherein, the plaintext receipt data is by the firstth area Block chain node executes read buffer function code in credible performing environment in advance, reads from the external memory space described close Literary receipt data decrypts the ciphertext receipt data to read in the credible performing environment simultaneously after the plaintext receipt data It is stored in the read buffer.In other words, the first block chain node reads the ciphertext receipt number from the external memory space According to, the ciphertext receipt data is decrypted as after the plaintext receipt data, it can be by executing reading in credible performing environment The plaintext receipt data is stored in the read buffer in credible performing environment by caching function code, for example the read buffer can be right It should be in " caching " shown in Fig. 2;Further, the inquiry request initiated for client, or exist for credible performing environment Data required when plaintext transaction content are executed, reading data can be preferentially carried out from the read buffer, if dependency number can be read According to being then not necessarily to read from external memory space, to reduce and the interaction times of external memory space, release data deciphering mistake Journey.
Read buffer refers to after data are read in credible performing environment from external memory space, in order to reduce and external storage The data read can be stored in the read buffer space in credible performing environment by the interaction times in space with plaintext version It is interior.For example, can realize above-mentioned read buffer using cache;Certainly, read buffer can also be realized using buffer, this theory Bright book is limited not to this.
First block chain node can support above-mentioned read buffer mechanism and write buffer mechanism simultaneously.And with caching technology Continuous development, same caching can be applied not only to realize reading data or data write-in, it might even be possible to while support data Read-write operation, so that the boundary line between read buffer and write buffer is not sometimes very clear, thus only with " caching " progress in Fig. 2 Signal, and its concrete type is not distinguished specifically, it can be configured and be adjusted according to actual needs.
Certainly, the caching mechanism in above-mentioned credible performing environment, can be applied equally in conventional performing environment, such as logical " caching " Lai Shixian in conventional performing environment shown in Fig. 2 is crossed, but reading and writing data at this time relates only to read and write in plain text, no Need to implement data encrypting and deciphering operation, details are not described herein again.
The node embodiment that three handed deal is realized in a kind of block chain of this specification is introduced below in conjunction with Fig. 3, comprising:
Receiving unit 301, for receiving the transaction of client initiation, there are one or more corresponding intelligence in the transaction Contract;
Execution unit 302, for the transaction to obtain plaintext receipt data, the plaintext receipt data includes right respectively It should be in the plaintext receipt subdata of each intelligent contract;
Encryption unit 303, for determining the corresponding first intelligent contract of the transaction there are when encryption identification, use is close The corresponding plaintext receipt subdata of first intelligence contract is encrypted as ciphertext receipt subdata by key, and the plaintext receipt data is corresponding Ciphertext receipt data include the ciphertext receipt subdata;
Storage unit 304, for storing the ciphertext receipt data.
In the 1990s, the improvement of a technology can be distinguished clearly be on hardware improvement (for example, Improvement to circuit structures such as diode, transistor, switches) or software on improvement (improvement for method flow).So And with the development of technology, the improvement of current many method flows can be considered as directly improving for hardware circuit. Designer nearly all obtains corresponding hardware circuit by the way that improved method flow to be programmed into hardware circuit.Cause This, it cannot be said that the improvement of a method flow cannot be realized with hardware entities module.For example, programmable logic device (Programmable Logic Device, PLD) (such as field programmable gate array (Field Programmable Gate Array, FPGA)) it is exactly such a integrated circuit, logic function determines device programming by user.By designer Voluntarily programming comes a digital display circuit " integrated " on a piece of PLD, designs and makes without asking chip maker Dedicated IC chip.Moreover, nowadays, substitution manually makes IC chip, this programming is also used instead mostly " is patrolled Volume compiler (logic compiler) " software realizes that software compiler used is similar when it writes with program development, And the source code before compiling also write by handy specific programming language, this is referred to as hardware description language (Hardware Description Language, HDL), and HDL is also not only a kind of, but there are many kind, such as ABEL (Advanced Boolean Expression Language)、AHDL(Altera Hardware Description Language)、Confluence、CUPL(Cornell University Programming Language)、HDCal、JHDL (Java Hardware Description Language)、Lava、Lola、MyHDL、PALASM、RHDL(Ruby Hardware Description Language) etc., VHDL (Very-High-Speed is most generally used at present Integrated Circuit Hardware Description Language) and Verilog.Those skilled in the art also answer This understands, it is only necessary to method flow slightly programming in logic and is programmed into integrated circuit with above-mentioned several hardware description languages, The hardware circuit for realizing the logical method process can be readily available.
Controller can be implemented in any suitable manner, for example, controller can take such as microprocessor or processing The computer for the computer readable program code (such as software or firmware) that device and storage can be executed by (micro-) processor can Read medium, logic gate, switch, specific integrated circuit (Application Specific Integrated Circuit, ASIC), the form of programmable logic controller (PLC) and insertion microcontroller, the example of controller includes but is not limited to following microcontroller Device: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicone Labs C8051F320 are deposited Memory controller is also implemented as a part of the control logic of memory.It is also known in the art that in addition to Pure computer readable program code mode is realized other than controller, can be made completely by the way that method and step is carried out programming in logic Controller is obtained to come in fact in the form of logic gate, switch, specific integrated circuit, programmable logic controller (PLC) and insertion microcontroller etc. Existing identical function.Therefore this controller is considered a kind of hardware component, and to including for realizing various in it The device of function can also be considered as the structure in hardware component.Or even, it can will be regarded for realizing the device of various functions For either the software module of implementation method can be the structure in hardware component again.
System, device, module or the unit that above-described embodiment illustrates can specifically realize by computer chip or entity, Or it is realized by the product with certain function.It is a kind of typically to realize that equipment is computer.Specifically, computer for example may be used Think personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media play It is any in device, navigation equipment, electronic mail equipment, game console, tablet computer, wearable device or these equipment The combination of equipment.
For convenience of description, it is divided into various units when description apparatus above with function to describe respectively.Certainly, implementing this The function of each unit can be realized in the same or multiple software and or hardware when specification.
It should be understood by those skilled in the art that, the embodiment of the present invention can provide as method, system or computer program Product.Therefore, complete hardware embodiment, complete software embodiment or reality combining software and hardware aspects can be used in the present invention Apply the form of example.Moreover, it wherein includes the computer of computer usable program code that the present invention, which can be used in one or more, The computer program implemented in usable storage medium (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.) produces The form of product.
The present invention be referring to according to the method for the embodiment of the present invention, the process of equipment (system) and computer program product Figure and/or block diagram describe.It should be understood that every one stream in flowchart and/or the block diagram can be realized by computer program instructions The combination of process and/or box in journey and/or box and flowchart and/or the block diagram.It can provide these computer programs Instruct the processor of general purpose computer, special purpose computer, Embedded Processor or other programmable data processing devices to produce A raw machine, so that being generated by the instruction that computer or the processor of other programmable data processing devices execute for real The device for the function of being specified in present one or more flows of the flowchart and/or one or more blocks of the block diagram.
This specification can describe in the general context of computer-executable instructions executed by a computer, such as journey Sequence module.Generally, program module include routines performing specific tasks or implementing specific abstract data types, programs, objects, Component, data structure etc..This specification can also be practiced in a distributed computing environment, in these distributed computing environment In, by executing task by the connected remote processing devices of communication network.In a distributed computing environment, program module It can be located in the local and remote computer storage media including storage equipment.
These computer program instructions, which may also be stored in, is able to guide computer or other programmable data processing devices with spy Determine in the computer-readable memory that mode works, so that it includes referring to that instruction stored in the computer readable memory, which generates, Enable the manufacture of device, the command device realize in one box of one or more flows of the flowchart and/or block diagram or The function of being specified in multiple boxes.
These computer program instructions also can be loaded onto a computer or other programmable data processing device, so that counting Series of operation steps are executed on calculation machine or other programmable devices to generate computer implemented processing, thus in computer or The instruction executed on other programmable devices is provided for realizing in one or more flows of the flowchart and/or block diagram one The step of function of being specified in a box or multiple boxes.In a typical configuration, computer includes at one or more Manage device (CPU), input/output interface, network interface and memory.
Memory may include the non-volatile memory in computer-readable medium, random access memory (RAM) and/or The forms such as Nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM).Memory is computer-readable medium Example.
Computer-readable medium includes permanent and non-permanent, removable and non-removable media can be by any method Or technology come realize information store.Information can be computer readable instructions, data structure, the module of program or other data. The example of the storage medium of computer includes, but are not limited to phase change memory (PRAM), static random access memory (SRAM), moves State random access memory (DRAM), other kinds of random access memory (RAM), read-only memory (ROM), electric erasable Programmable read only memory (EEPROM), flash memory or other memory techniques, read-only disc read only memory (CD-ROM) (CD-ROM), Digital versatile disc (DVD) or other optical storage, magnetic cassettes, disk storage, quantum memory, based on graphene Storage medium or other magnetic storage devices or any other non-transmission medium, can be used for storing can be accessed by a computing device Information.As defined in this article, computer-readable medium does not include temporary computer readable media (transitory media), Such as the data-signal and carrier wave of modulation.
It should also be noted that, the terms "include", "comprise" or its any other variant are intended to nonexcludability It include so that the process, method, commodity or the equipment that include a series of elements not only include those elements, but also to wrap Include other elements that are not explicitly listed, or further include for this process, method, commodity or equipment intrinsic want Element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that including described want There is also other identical elements in the process, method of element, commodity or equipment.
It is above-mentioned that this specification specific embodiment is described.Other embodiments are in the scope of the appended claims It is interior.In some cases, the movement recorded in detail in the claims or step can be come according to the sequence being different from embodiment It executes and desired result still may be implemented.In addition, process depicted in the drawing not necessarily require show it is specific suitable Sequence or consecutive order are just able to achieve desired result.In some embodiments, multitasking and parallel processing be also can With or may be advantageous.
The term that this specification one or more embodiment uses be only merely for for the purpose of describing particular embodiments, and It is not intended to be limiting this specification one or more embodiment.In this specification one or more embodiment and the appended claims Used in the "an" of singular, " described " and "the" be also intended to including most forms, unless context understands earth's surface Show other meanings.It is also understood that term "and/or" used herein refers to and includes one or more associated list Any or all of project may combine.
It will be appreciated that though this specification one or more embodiment may using term first, second, third, etc. come Various information are described, but these information should not necessarily be limited by these terms.These terms are only used to same type of information area each other It separates.For example, the first information can also be referred to as in the case where not departing from this specification one or more scope of embodiments Two information, similarly, the second information can also be referred to as the first information.Depending on context, word as used in this is " such as Fruit " can be construed to " ... when " or " when ... " or " in response to determination ".
The foregoing is merely the preferred embodiments of this specification one or more embodiment, not to limit this theory Bright book one or more embodiment, all within the spirit and principle of this specification one or more embodiment, that is done is any Modification, equivalent replacement, improvement etc. should be included within the scope of the protection of this specification one or more embodiment.

Claims (14)

1. realizing the method for secret protection in a kind of block chain, comprising:
First block chain node receives the transaction that client is initiated, and the transaction has one or more corresponding intelligent contracts;
First block chain node executes the transaction to obtain plaintext receipt data, and the plaintext receipt data includes respectively corresponding In the plaintext receipt subdata of each intelligent contract;
First block chain node is determining the corresponding first intelligent contract of the transaction there are when encryption identification, using key by the The corresponding plaintext receipt subdata of one intelligent contract is encrypted as ciphertext receipt subdata, the corresponding ciphertext of the plaintext receipt data Receipt data includes the ciphertext receipt subdata;
First block chain node stores the ciphertext receipt data.
2. according to the method described in claim 1, the first block chain node executes the transaction, comprising:
First block chain node is determining that at least one corresponding intelligent contract of the transaction there are when encryption identification, holds credible The transaction is executed in row environment;
Wherein, at least one described corresponding plaintext receipt subdata of intelligence contract is encrypted in the credible performing environment.
3. according to the method described in claim 1, when not there is no encryption identification in the corresponding second intelligent contract of the transaction, institute Stating ciphertext receipt data includes the corresponding plaintext receipt subdata of the second intelligence contract.
4. according to the method described in claim 1, further include:
First block chain node is when determining that the corresponding all intelligent contracts of the transaction do not have encryption identification, described in identification The type of transaction;
When the transaction is privacy transaction, the first block chain node solves privacy transaction in credible performing environment It is close and to execute the plaintext transaction content to obtain corresponding plaintext transaction content, to obtain plaintext receipt data;
When the transaction is trades in plain text, the first block chain node executes the transaction except credible performing environment, with To plaintext receipt data;
First block chain node stores the plaintext receipt data.
5. according to the method described in claim 1, the key includes the key or rivest, shamir, adelman of symmetric encipherment algorithm Key.
6. according to the method described in claim 5, the key of the symmetric encipherment algorithm includes the initial of the client offer Key;Or, the key of the symmetric encipherment algorithm includes the derivative key that the initial key and impact factor generate.
7. according to the method described in claim 6, the privacy transaction is by described initial close when the transaction is privacy transaction Key is encrypted, and the initial key is encrypted by the public key of rivest, shamir, adelman;
First block chain node decrypts to obtain the initial key with the private key of the rivest, shamir, adelman, and with described initial The transaction of privacy described in key pair is decrypted to obtain plaintext transaction content, and the plaintext transaction content obtains being stated clearly after being performed Literary receipt data.
8. according to the method described in claim 6, the impact factor is related to the transaction.
9. according to the method described in claim 8, the impact factor includes: the specific bit of the cryptographic Hash of the transaction.
10. according to the method described in claim 1, the first block chain node stores ciphertext receipt data, comprising:
First block chain node executes store function code except the credible performing environment, by the ciphertext receipt data It stores to the external memory space except the credible performing environment.
11. according to the method described in claim 1, the ciphertext receipt data be used to calculate the tree root of receipt tree, the tree Root is contained in the block head of block locating for the transaction.
12. according to the method described in claim 1, the transaction is for creating and/or calling intelligent contract.
13. realizing the node of secret protection in a kind of block chain, comprising:
Receiving unit, for receiving the transaction of client initiation, there are one or more corresponding intelligent contracts in the transaction;
Execution unit, for the transaction to obtain plaintext receipt data, the plaintext receipt data includes corresponding respectively to often The plaintext receipt subdata of one intelligent contract;
Encryption unit, for determining the corresponding first intelligent contract of the transaction there are when encryption identification, using key by the The corresponding plaintext receipt subdata of one intelligent contract is encrypted as ciphertext receipt subdata, the corresponding ciphertext of the plaintext receipt data Receipt data includes the ciphertext receipt subdata;
Storage unit, for storing the ciphertext receipt data.
14. a kind of computer readable storage medium, is stored thereon with computer instruction, realized such as when which is executed by processor The step of any one of claim 1-12 the method.
CN201910124771.4A 2019-02-19 2019-02-19 Method, node and storage medium for implementing privacy protection in block chain Active CN110008737B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010429988.9A CN111639362B (en) 2019-02-19 2019-02-19 Method, node and storage medium for implementing privacy protection in blockchain
CN201910124771.4A CN110008737B (en) 2019-02-19 2019-02-19 Method, node and storage medium for implementing privacy protection in block chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910124771.4A CN110008737B (en) 2019-02-19 2019-02-19 Method, node and storage medium for implementing privacy protection in block chain

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202010429988.9A Division CN111639362B (en) 2019-02-19 2019-02-19 Method, node and storage medium for implementing privacy protection in blockchain

Publications (2)

Publication Number Publication Date
CN110008737A true CN110008737A (en) 2019-07-12
CN110008737B CN110008737B (en) 2020-04-07

Family

ID=67165823

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910124771.4A Active CN110008737B (en) 2019-02-19 2019-02-19 Method, node and storage medium for implementing privacy protection in block chain
CN202010429988.9A Active CN111639362B (en) 2019-02-19 2019-02-19 Method, node and storage medium for implementing privacy protection in blockchain

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202010429988.9A Active CN111639362B (en) 2019-02-19 2019-02-19 Method, node and storage medium for implementing privacy protection in blockchain

Country Status (1)

Country Link
CN (2) CN110008737B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111859457A (en) * 2020-07-31 2020-10-30 联想(北京)有限公司 Intelligent contract setting method and system
CN112925853A (en) * 2021-03-08 2021-06-08 宁波金狮科技有限公司 Trusted data exchange method and device based on block chain, terminal equipment and medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110008737B (en) * 2019-02-19 2020-04-07 阿里巴巴集团控股有限公司 Method, node and storage medium for implementing privacy protection in block chain

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106296390A (en) * 2016-08-05 2017-01-04 布比(北京)网络技术有限公司 A kind of bill that improves processes method and the bill processing system of safety
CN106506493A (en) * 2016-10-27 2017-03-15 摩登大道时尚电子商务有限公司 Data processing method based on block platform chain
CN106559211A (en) * 2016-11-22 2017-04-05 中国电子科技集团公司第三十研究所 Secret protection intelligence contract method in a kind of block chain
US20170285633A1 (en) * 2016-04-01 2017-10-05 Lntel Corporation Drone control registration
CN107294709A (en) * 2017-06-27 2017-10-24 阿里巴巴集团控股有限公司 A kind of block chain data processing method, apparatus and system
CN107342858A (en) * 2017-07-05 2017-11-10 武汉凤链科技有限公司 A kind of intelligent contract guard method and system based on trusted context
CN108881261A (en) * 2018-07-02 2018-11-23 山东汇贸电子口岸有限公司 Service authentication method and system based on block chain technology under a kind of container environment
US20190020480A1 (en) * 2017-07-14 2019-01-17 International Business Machines Corporation Establishing trust in an attribute authentication system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10447478B2 (en) * 2016-06-06 2019-10-15 Microsoft Technology Licensing, Llc Cryptographic applications for a blockchain system
US20180276626A1 (en) * 2017-03-21 2018-09-27 Dappsters, LLC Blockchain systems and methods
CN107911216B (en) * 2017-10-26 2020-07-14 矩阵元技术(深圳)有限公司 Block chain transaction privacy protection method and system
CN107967557B (en) * 2017-11-17 2021-06-22 西安电子科技大学 Modifiable credit evaluation system and method based on block chain and electronic payment system
CN110008737B (en) * 2019-02-19 2020-04-07 阿里巴巴集团控股有限公司 Method, node and storage medium for implementing privacy protection in block chain

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170285633A1 (en) * 2016-04-01 2017-10-05 Lntel Corporation Drone control registration
CN106296390A (en) * 2016-08-05 2017-01-04 布比(北京)网络技术有限公司 A kind of bill that improves processes method and the bill processing system of safety
CN106506493A (en) * 2016-10-27 2017-03-15 摩登大道时尚电子商务有限公司 Data processing method based on block platform chain
CN106559211A (en) * 2016-11-22 2017-04-05 中国电子科技集团公司第三十研究所 Secret protection intelligence contract method in a kind of block chain
CN107294709A (en) * 2017-06-27 2017-10-24 阿里巴巴集团控股有限公司 A kind of block chain data processing method, apparatus and system
CN107342858A (en) * 2017-07-05 2017-11-10 武汉凤链科技有限公司 A kind of intelligent contract guard method and system based on trusted context
US20190020480A1 (en) * 2017-07-14 2019-01-17 International Business Machines Corporation Establishing trust in an attribute authentication system
CN108881261A (en) * 2018-07-02 2018-11-23 山东汇贸电子口岸有限公司 Service authentication method and system based on block chain technology under a kind of container environment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
蚂蚁金服金融科技: "TEE硬件隐私合约链", 《HTTPS://TECH.ANTFIN.COM/DOCS/2/107263#H2-TEE-7》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111859457A (en) * 2020-07-31 2020-10-30 联想(北京)有限公司 Intelligent contract setting method and system
CN112925853A (en) * 2021-03-08 2021-06-08 宁波金狮科技有限公司 Trusted data exchange method and device based on block chain, terminal equipment and medium
CN112925853B (en) * 2021-03-08 2022-08-02 山东审核通信息科技有限公司 Trusted data exchange method and device based on block chain, terminal equipment and medium

Also Published As

Publication number Publication date
CN111639362A (en) 2020-09-08
CN111639362B (en) 2023-12-22
CN110008737B (en) 2020-04-07

Similar Documents

Publication Publication Date Title
CN109936626A (en) Method, node and the storage medium of secret protection are realized in block chain
CN110032885A (en) Method, node and the storage medium of secret protection are realized in block chain
CN110032876A (en) Method, node and the storage medium of secret protection are realized in block chain
CN110020549A (en) Method, node and the storage medium of secret protection are realized in block chain
CN109831298A (en) The method of security update key and node, storage medium in block chain
CN110033267A (en) Method, node, system and the storage medium of secret protection are realized in block chain
CN110033266A (en) Method, node and the storage medium of secret protection are realized in block chain
CN110020855A (en) Method, the node, storage medium of secret protection are realized in block chain
CN110008736A (en) The method and node, storage medium of secret protection are realized in block chain
CN109886682A (en) The method and node, storage medium that contract calls are realized in block chain
CN110032883A (en) Method, system and the node of secret protection are realized in block chain
CN110008735A (en) The method and node, storage medium that contract calls are realized in block chain
CN110060054A (en) Method, node, system and the storage medium of secret protection are realized in block chain
CN110263544A (en) In conjunction with the receipt storage method and node of type of transaction and Rule of judgment
CN110223172A (en) The receipt storage method and node of conditional combination code mark and type dimension
CN110020856A (en) Method, node and the storage medium of three handed deal are realized in block chain
CN110264195A (en) It is marked and transaction, the receipt storage method of user type and node in conjunction with code
CN110032884A (en) The method and node, storage medium of secret protection are realized in block chain
CN110059497A (en) Method, node and the storage medium of secret protection are realized in block chain
CN110263086A (en) In conjunction with the receipt storage method and node of user type and event functions type
CN110245490A (en) The receipt storage method and node of conditional combination code mark and type dimension
CN110263087A (en) Receipt storage method and node based on various dimensions information and with condition limitation
CN110264196A (en) In conjunction with the conditional receipt storage method and node of code mark and user type
CN110245504A (en) The receipt storage method and node limited in conjunction with the condition of polymorphic type dimension
CN110245942A (en) In conjunction with the receipt storage method and node of user type and Rule of judgment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40010711

Country of ref document: HK

TR01 Transfer of patent right

Effective date of registration: 20201019

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20201019

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Advanced innovation technology Co.,Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Patentee before: Alibaba Group Holding Ltd.

TR01 Transfer of patent right