CN114491637A - Data query method and device, computer equipment and storage medium - Google Patents
Data query method and device, computer equipment and storage medium Download PDFInfo
- Publication number
- CN114491637A CN114491637A CN202210109193.9A CN202210109193A CN114491637A CN 114491637 A CN114491637 A CN 114491637A CN 202210109193 A CN202210109193 A CN 202210109193A CN 114491637 A CN114491637 A CN 114491637A
- Authority
- CN
- China
- Prior art keywords
- data
- mapping
- key
- query
- result
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The application relates to a data query method, a data query device, a computer device, a storage medium and a computer program product, which can protect data security. The data storage party generates an encryption key and first key alignment data based on a first mapping result obtained by mapping the candidate object identification through the first mapping reference data, and sends ciphertext object data respectively corresponding to each candidate object identification and the first key alignment data obtained by encrypting plaintext object data through the encryption key to the data inquiry party. The data inquiring party decrypts the ciphertext object data corresponding to the first key alignment data successfully matched with the second key alignment data based on the decryption key to obtain target object data; the second mapping result for generating the decryption key and the second key alignment data is obtained by mapping the query object identifier based on the second mapping reference data, and the same object identifier is mapped based on the first mapping reference data and the second mapping reference data to obtain the same result.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data query method, an apparatus, a computer device, a storage medium, and a computer program product.
Background
With the development of computer technology, data stored on a network is increasing, and data query on the network is more common. The data inquiring party can provide the contents to be inquired to the data storing party, and the data storing party carries out retrieval and statistics in the database and then returns the results to the data inquiring party.
However, the data inquiring party directly exposes the data which the data inquiring party wants to inquire to the data storage party, so that information leakage risks exist, and the data storage party may leak the inquiry information of the data inquiring party to other equipment, so that the data of the data inquiring party is leaked, and certain potential safety hazards exist.
Disclosure of Invention
In view of the above, it is necessary to provide a data query method, an apparatus, a computer device, a computer readable storage medium, and a computer program product, which can protect data security of both parties when querying data.
The application provides a data query method, which is applied to a data storage device and comprises the following steps:
acquiring at least two candidate object identifications and plaintext object data corresponding to each candidate object identification;
mapping each candidate object identifier based on first mapping reference data to obtain a first mapping result corresponding to each candidate object identifier;
generating an encryption key and first key alignment data based on a first mapping result corresponding to the same candidate object identifier, and encrypting corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data;
sending the ciphertext object data and the first key alignment data respectively corresponding to each candidate object identifier to data query equipment, so that the data query equipment matches the second key alignment data corresponding to the query object identifier with each first key alignment data, and based on a decryption key corresponding to the query object identifier, decrypting the ciphertext object data corresponding to the successfully matched first key alignment data to obtain target object data corresponding to the query object identifier;
the decryption key and the second key alignment data are obtained based on a second mapping result, the second mapping result is obtained by mapping the query object identifier based on second mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data are the same.
The present application also provides a data query apparatus, the apparatus including:
the data acquisition module is used for acquiring at least two candidate object identifications and plaintext object data corresponding to each candidate object identification;
the first data mapping module is used for respectively mapping each candidate object identifier based on first mapping reference data to obtain a first mapping result corresponding to each candidate object identifier;
the data encryption module is used for generating an encryption key and first key alignment data based on a first mapping result corresponding to the same candidate object identifier, and encrypting corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data;
the data sending module is used for sending the ciphertext object data and the first key alignment data corresponding to each candidate object identifier to data query equipment so that the data query equipment matches the second key alignment data corresponding to the query object identifier with each first key alignment data, and decrypts the ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key corresponding to the query object identifier to obtain the target object data corresponding to the query object identifier;
the decryption key and the second key alignment data are obtained based on a second mapping result, the second mapping result is obtained by mapping the query object identifier based on second mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data are the same.
The application provides a data query method, which is applied to data query equipment and comprises the following steps:
acquiring a query object identifier corresponding to target object data to be queried;
mapping the query object identifier based on second mapping reference data to obtain a second mapping result;
based on the second mapping result, obtaining a decryption key and second key alignment data corresponding to the query object identifier;
acquiring encrypted data sent by data storage equipment; the encrypted data comprises ciphertext object data and first key alignment data which correspond to at least two candidate object identifications respectively, the ciphertext object data are obtained by encrypting plaintext object data corresponding to the candidate object identifications based on encryption keys corresponding to the candidate object identifications, the encryption keys and the first key alignment data corresponding to the candidate object identifications are obtained based on first mapping results corresponding to the candidate object identifications, the first mapping results are obtained by mapping the candidate object identifications based on first mapping reference data, the first mapping reference data and the second mapping reference data are different, and mapping results obtained by mapping the same object identification based on the first mapping reference data and the second mapping reference data respectively are the same;
and matching the second key alignment data with each first key alignment data, and decrypting ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key to obtain the target object data.
The application also provides a data query device. The device comprises:
the identification acquisition module is used for acquiring a query object identification corresponding to target object data to be queried;
the second data mapping module is used for mapping the query object identifier based on second mapping reference data to obtain a second mapping result;
a key data generation module, configured to obtain, based on the second mapping result, a decryption key and second key alignment data corresponding to the query object identifier;
the encrypted data acquisition module is used for acquiring encrypted data sent by the data storage equipment; the encrypted data comprises ciphertext object data and first key alignment data which correspond to at least two candidate object identifications respectively, the ciphertext object data are obtained by encrypting plaintext object data corresponding to the candidate object identifications based on encryption keys corresponding to the candidate object identifications, the encryption keys and the first key alignment data corresponding to the candidate object identifications are obtained based on first mapping results corresponding to the candidate object identifications, the first mapping results are obtained by mapping the candidate object identifications based on first mapping reference data, the first mapping reference data and the second mapping reference data are different, and mapping results obtained by mapping the same object identification based on the first mapping reference data and the second mapping reference data respectively are the same;
and the data decryption module is used for matching the second key alignment data with each first key alignment data, and decrypting ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key to obtain the target object data.
A computer device comprising a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the above-mentioned data query methods when executing the computer program.
A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the various data query methods described above.
A computer program product comprising a computer program which, when executed by a processor, carries out the steps of the various data query methods described above.
The data query method and the data query device, the data storage device obtains at least two candidate object identifications and plaintext object data corresponding to each candidate object identification, mapping processing is respectively carried out on each candidate object identification based on first mapping reference data to obtain a first mapping result corresponding to each candidate object identification, an encryption key and first key alignment data are generated based on the first mapping result corresponding to the same candidate object identification to obtain an encryption key and first key alignment data corresponding to each candidate object identification, the corresponding plaintext object data is encrypted to obtain ciphertext object data based on the encryption key corresponding to the same candidate object identification, and the ciphertext object data and the first key alignment data corresponding to each candidate object identification are sent to the data query device. And the data query equipment performs mapping processing on the query object identifier based on the second mapping reference data to obtain a second mapping result, and obtains the decryption key and second key alignment data based on the second mapping result. And the data query equipment matches the second key alignment data corresponding to the query object identifier with each first key alignment data, and decrypts the ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key corresponding to the query object identifier, so as to obtain the target object data corresponding to the query object identifier. The first mapping reference data and the second mapping reference data are different, but mapping results obtained by mapping the same object identifier are the same based on the first mapping reference data and the second mapping reference data respectively. Thus, if the query object identifier is consistent with a candidate object identifier, the second mapping result corresponding to the query object identifier is consistent with the first mapping result corresponding to the candidate object identifier, and if the query object identifier is inconsistent with a candidate object identifier, the second mapping result corresponding to the query object identifier is inconsistent with the first mapping result corresponding to the candidate object identifier. Further, if the mapping results are the same, the generated key and the key alignment data are also the same. Then, after acquiring ciphertext object data and first key alignment data corresponding to at least two candidate object identifiers on the data storage device, the data query device matches second key alignment data corresponding to the query object identifiers with each first key alignment data, if the data successfully matched exist, it is indicated that an object identifier consistent with the query object identifier exists in each candidate object identifier, each ciphertext object data includes ciphertext data obtained by encrypting plaintext object data corresponding to the query object identifier, and further, the data query device can decrypt the ciphertext object data corresponding to the successfully matched first key alignment data based on a decryption key corresponding to the query object identifier to obtain plaintext object data corresponding to the query object identifier. Further, since the first mapping reference data and the second mapping reference data are different, even if the data query device acquires a plurality of ciphertext object data, the ciphertext object data corresponding to the object identifier other than the query object identifier cannot be successfully decrypted. In summary, in the whole data interaction process, the data storage device cannot acquire the query object of the data query device, and the data query device cannot acquire the plaintext data of other objects besides the plaintext object data of the query object, so that the data security of the data storage device and the data query device is ensured.
Drawings
FIG. 1 is a diagram of an application environment of a data query method in one embodiment;
FIG. 2 is a flow diagram that illustrates a methodology for querying data in one embodiment;
FIG. 3 is a schematic diagram of a process for obtaining first mapping reference data according to an embodiment;
FIG. 4 is a timing diagram illustrating the acquisition of first mapping reference data according to one embodiment;
FIG. 5 is a diagram illustrating generation of first mapping reference data in one embodiment;
FIG. 6 is a flow chart illustrating a data query method according to another embodiment;
FIG. 7 is a flowchart illustrating a data query performed by a data querying party according to an embodiment;
FIG. 8 is a schematic diagram illustrating a flowchart of data interaction between a data querying party and a data storing party in one embodiment;
FIG. 9 is a block diagram showing the structure of a data search device according to an embodiment;
FIG. 10 is a block diagram showing the structure of a data search device according to an embodiment;
FIG. 11 is a diagram of the internal structure of a computer device in one embodiment;
FIG. 12 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The data query method provided by the embodiment of the application can be applied to the application environment shown in fig. 1. Where data querying device 102 communicates with data storage device 104 over a network. The data query device is a device for initiating data query and represents a data query party. The data storage device is a device storing data that a data inquiring party wants to inquire, and represents a data holder. The data inquiry equipment and the data storage equipment can be terminals or servers. The terminal can be but not limited to various personal computers, notebook computers, smart phones, tablet computers, internet of things equipment and portable wearable equipment, and the internet of things equipment can be intelligent sound boxes, intelligent televisions, intelligent air conditioners, intelligent vehicle-mounted equipment and the like. The portable wearable device can be a smart watch, a smart bracelet, a head-mounted device, and the like. The server may be implemented as a stand-alone server or a server cluster consisting of a plurality of servers or a cloud server.
Specifically, the data storage device obtains at least two candidate object identifiers and plaintext object data corresponding to each candidate object identifier, and performs mapping processing on each candidate object identifier based on first mapping reference data to obtain a first mapping result corresponding to each candidate object identifier. The data storage device generates an encryption key and first key alignment data based on a first mapping result corresponding to the same candidate object identifier, and encrypts corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data. And the data storage equipment sends the ciphertext object data and the first key alignment data which respectively correspond to each candidate object identifier to the data query equipment.
And the data query equipment performs mapping processing on the query object identifier based on the second mapping reference data to obtain a second mapping result, and obtains the decryption key and second key alignment data based on the second mapping result. And the data query equipment matches the second key alignment data with each first key alignment data, decrypts the ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key to obtain the target object data corresponding to the query object identifier, and then obtains the plaintext object data corresponding to the query object identifier.
In one embodiment, as shown in fig. 2, a data query method is provided, which is described by taking the method as an example applied to the data storage device in fig. 1, and includes the following steps:
step S202, at least two candidate object identifications and plaintext object data corresponding to each candidate object identification are obtained.
The candidate object identification refers to the object identification stored on the data storage device. The object identifier is an identifier for uniquely identifying an object, and may specifically include a character string of at least one character of letters, numbers and symbols. The object may refer to a living being, for example, a human being, an animal, a plant, or the like, and the object may also refer to an article, for example, an electronic device, a mechanical device, an office supply, or the like. For example, if the object is an animal, the object identifier is an animal identifier, if the object is a person, the object identifier is a user identifier, and if the object is an electronic device, the object identifier is an electronic device identifier.
The plaintext object data refers to object data that is not encrypted. The object data refers to related data of the object, for example, attribute information, behavior information, test information, and the like of the object.
Specifically, the data storage device refers to a device storing data that a data inquiring party wants to inquire, and represents a data holding party. The data storage device stores plaintext object data corresponding to a plurality of candidate object identifications respectively. The data query device is a device for initiating data query and represents a data query party. The data query device may send a data query request to the data storage device, and the data storage device generates encrypted data corresponding to the candidate object identifier based on the candidate object identifier and the plaintext object data corresponding to the candidate object identifier according to the data query request, and sends the encrypted data corresponding to at least two candidate object identifiers to the data query device. And the data query equipment determines an object identifier which is shared by the query information and the data storage equipment based on the encrypted data, decrypts the encrypted data corresponding to the shared object identifier, and takes the plaintext object data obtained by decryption as a query result.
Step S204, mapping each candidate object identifier based on the first mapping reference data to obtain a first mapping result corresponding to each candidate object identifier.
The first mapping reference data is used for mapping the candidate object identifier, and mapping the candidate object identifier into new data, so as to prevent the data from being directly exposed if the original candidate object identifier is directly sent to the data query device. The first mapping result refers to a mapping result corresponding to the candidate object identifier. And each candidate object identifier has a corresponding mapping result.
Specifically, the data storage device may perform mapping processing on local candidate object identifiers based on the first mapping reference data, and map at least two candidate object identifiers as new data to protect data security of the candidate object identifiers. The data storage device may perform mapping processing on the candidate object identifier through a mapping formula based on the first mapping reference data to obtain a first mapping result. The data storage device may also determine a corresponding first mapping result from the first mapping reference data based on the candidate object identifier, using a file in which correspondence between data before and after mapping is recorded as the first mapping reference data.
Step S206, generating an encryption key and first key alignment data based on the first mapping result corresponding to the same candidate object identifier, and encrypting the corresponding plaintext object data to obtain ciphertext object data based on the encryption key corresponding to the same candidate object identifier.
The encryption key is used for encrypting plaintext data to obtain ciphertext data. The encryption key is a symmetric key, which means the same key is used for encryption and decryption. The first key alignment data refers to key alignment data corresponding to the candidate object identifier. The key alignment data is used to determine whether the two object identifiers are the same object identifier, and if the two object identifiers are the same object identifier, the symmetric keys generated based on the mapping result are also the same, and therefore, the key alignment data is also used to determine whether the two symmetric keys are the same key. The ciphertext object data is object data subjected to encryption processing.
Specifically, the data storage device may generate an encryption key and first key alignment data based on a first mapping result corresponding to the same candidate object identifier, so as to obtain the encryption key and the first key alignment data corresponding to each candidate object identifier. The data storage device may perform data segmentation on the first mapping result to obtain an encryption key and first key alignment data. The data storage device may also fuse the first mapping result and the shared data to obtain a fused mapping result, and perform data segmentation on the fused mapping result to obtain the encryption key and the first key alignment data. Shared data refers to data that is shared between the data storage device and the data querying device, i.e., data that is known by both. For example, the first mapping result and the shared data may be spliced to obtain a fusion mapping result, the fusion mapping result is subjected to data segmentation, a part of data is obtained from the fusion mapping result and is used as an encryption key, and a part of data is obtained and is used as first key alignment data. It will be appreciated that there may or may not be a partial data overlap between the encryption key and the first key alignment data.
Further, the data storage device may encrypt plaintext object data corresponding to the candidate object identifier based on an encryption key corresponding to the candidate object identifier to obtain ciphertext object data corresponding to the candidate object identifier. It is to be understood that the data storage device may employ a conventional symmetric Encryption algorithm, such as an AES Encryption algorithm (Advanced Encryption Standard), or the data storage device may employ a custom Encryption algorithm.
Step S208, sending the ciphertext object data and the first key alignment data corresponding to each candidate object identifier to the data query device, so that the data query device matches the second key alignment data corresponding to the query object identifier with each first key alignment data, and based on the decryption key corresponding to the query object identifier, decrypts the ciphertext object data corresponding to the successfully matched first key alignment data, to obtain the target object data corresponding to the query object identifier.
The decryption key and the second key alignment data are obtained based on a second mapping result, and the second mapping result is obtained by mapping the query object identifier based on second mapping reference data.
The query object identifier refers to an object identifier to be queried. The second mapping result refers to a mapping result corresponding to the query object identifier. And the data query equipment performs mapping processing on the query object identifier based on the second mapping reference data to obtain a second mapping result, and obtains the decryption key and second key alignment data based on the second mapping result. The decryption key is used for encrypting the ciphertext data to obtain plaintext data, and the decryption key is a symmetric key. The second key alignment data refers to key alignment data corresponding to the query object identifier. The data querying device may obtain the decryption key and the second key alignment data based on the second mapping result in the same data processing manner as the data storage device.
The first mapping reference data and the second mapping reference data are different mapping reference data, but mapping results obtained by mapping the same object identifier are the same based on the first mapping reference data and the second mapping reference data respectively. In this way, the data storage device and the data query device respectively have their own mapping reference data, and although the mapping reference data of the data storage device and the data query device are not completely consistent, the mapping result obtained by mapping the same object identifier based on the mapping reference data is consistent, so that the data query device can be effectively prevented from acquiring the plaintext data on the data storage device except the plaintext object data corresponding to the object identifier shared by the two devices, and the data security of the data storage device is protected.
The target object data refers to plaintext object data corresponding to the query object identifier.
Specifically, similar to the operation of the data storage device, the data query device may perform mapping processing on the query object identifier based on the second mapping reference data to obtain a second mapping result, for example, perform mapping processing on the query object identifier through a mapping formula based on the second mapping reference data to obtain the second mapping result. The data querying device may obtain the decryption key and the second key alignment data based on the second mapping result, for example, perform data slicing on the second mapping result to obtain the decryption key and the second key alignment data.
After the data query device obtains the ciphertext object data and the first key alignment data sent by the data storage device, the second key alignment data corresponding to the query object identifier may be matched with each first key alignment data, whether data identical to the second key alignment data exists in each first key alignment data is determined, and the first key alignment data identical to the second key alignment data is used as the successfully matched first key alignment data. It is to be understood that, if a certain first key alignment data and a certain second key alignment data are the same, it indicates that a first mapping result used for generating the first key alignment data and a second mapping result used for generating the second key alignment data are consistent, a candidate object identifier used for generating the first mapping result and a query object identifier used for generating the second mapping result are consistent, and an encryption key and a decryption key generated based on the first mapping result and the second mapping result are also consistent. Therefore, the data query device can decrypt the ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key corresponding to the query object identifier to obtain the target object data corresponding to the query object identifier.
It is to be understood that there may be at least two query object identifications. The data query equipment matches each first key alignment data with each second key alignment data respectively, common object identifiers between all query object identifiers and the data storage equipment can be determined according to matching results, and then ciphertext object data corresponding to the common object identifiers are decrypted based on decryption keys corresponding to the common object identifiers, and plaintext object data corresponding to each common object identifier can be obtained.
In one embodiment, the data storage device may perform data interaction with the data query device based on an Oblivious Transfer (OT) protocol, and generate first mapping reference data which has the same effect as the second mapping reference data but does not completely correspond to the second mapping reference data. The data storage device may perform data screening on the second mapping reference data and the third mapping reference data on the data query device based on the oblivious transmission protocol to obtain the first mapping reference data. The third mapping reference data is generated based on the second mapping result. Finally, the mapping results for mapping the same object identifier are the same based on the first mapping reference data, the second mapping reference data and the third mapping reference data.
The first mapping reference data and the second mapping reference data can also be generated by a third-party device, the data storage device acquires the first mapping reference data from the third-party device, and the data query device acquires the second mapping reference data from the third-party device.
In the above data query method, if the query object identifier is consistent with a candidate object identifier, the second mapping result corresponding to the query object identifier is consistent with the first mapping result corresponding to the candidate object identifier, and if the query object identifier is inconsistent with a candidate object identifier, the second mapping result corresponding to the query object identifier is inconsistent with the first mapping result corresponding to the candidate object identifier. Further, if the mapping results are the same, the generated key and the key alignment data are also the same. Then, after acquiring ciphertext object data and first key alignment data corresponding to at least two candidate object identifiers on the data storage device, the data query device matches second key alignment data corresponding to the query object identifiers with each first key alignment data, if the data successfully matched exist, it is indicated that an object identifier consistent with the query object identifier exists in each candidate object identifier, each ciphertext object data includes ciphertext data obtained by encrypting plaintext object data corresponding to the query object identifier, and further, the data query device can decrypt the ciphertext object data corresponding to the successfully matched first key alignment data based on a decryption key corresponding to the query object identifier to obtain plaintext object data corresponding to the query object identifier. Further, since the first mapping reference data and the second mapping reference data are different, even if the data query device acquires a plurality of ciphertext object data, the ciphertext object data corresponding to the object identifier other than the query object identifier cannot be successfully decrypted. In summary, in the whole data interaction process, the data storage device cannot acquire the query object of the data query device, and the data query device cannot acquire the plaintext data of other objects besides the plaintext object data of the query object, so that the data security of the data storage device and the data query device is ensured.
In one embodiment, the mapping each candidate object identifier based on the first mapping reference data to obtain a first mapping result corresponding to each candidate object identifier includes:
acquiring a public key between the data query device and the data storage device; based on the public key, performing data conversion on the current object identifier to obtain first conversion data corresponding to the current object identifier; the first conversion data comprises a plurality of first subdata which are arranged in sequence; acquiring mapping subdata corresponding to each first subdata from the first mapping reference data based on the first subdata and the sequencing information of the first subdata; and obtaining a first mapping result corresponding to the current object identifier based on each mapping subdata.
The public key refers to a key known to both the data query device and the data storage device, that is, a key shared between the data query device and the data storage device. The data query device may generate a public key and send the public key to the data storage device, the data storage device may generate a public key and send the public key to the data query device, or the data query device and the data storage device may obtain the public key from another device.
The current object identifier refers to any one of the candidate object identifiers.
Specifically, the data storage device may obtain a public key shared with the data query device, and perform data conversion on the current object identifier based on the public key to obtain first conversion data corresponding to the current object identifier. The data storage device may perform fusion processing on the public key and the current object identifier to obtain first conversion data, or may perform hash processing on the current object identifier first, and then fuse hash processing results of the public key and the current object identifier to obtain the first conversion data.
The first converted data includes a plurality of sequentially arranged first sub data. That is, the first conversion data is long data composed of a plurality of first sub data. The first mapping reference data is composed of a plurality of first mapping subdata which are orderly arranged, and each first subdata can search the corresponding first mapping subdata. The data storage device may obtain mapping sub-data corresponding to each first sub-data from the first mapping reference data based on the first sub-data and the ordering information of the first sub-data. For example, the data storage device may first obtain a first mapped sub-data set corresponding to the ordering information of the first sub-data from the first mapped reference data, and then obtain, from the first mapped sub-data set, first mapped sub-data corresponding to a specific numerical value of the first sub-data as mapped sub-data corresponding to the first sub-data. The first mapped sub data set corresponding to the ordering information of the first sub data may include a plurality of first mapped sub data matched with the ordering information of the first sub data, and the first mapped sub data matched with the ordering information of the first sub data may be the first mapped sub data whose ordering information is consistent with the ordering information of the first sub data, or may be the first mapped sub data whose difference between the ordering information and the ordering information of the first sub data is smaller than a preset difference. The first map sub-data corresponding to the specific value of the first sub-data may be data in which the ranking information matches the specific value of the first sub-data in the first map sub-data set. In summary, the data storage device may obtain the mapping sub-data corresponding to each first sub-data from the first mapping reference data based on the first sub-data and the ordering information of the first sub-data.
Finally, the data storage device may obtain a first mapping result corresponding to the current object identifier based on each mapping sub-data, for example, each mapping sub-data may be directly spliced to obtain the first mapping result, or each mapping sub-data may be spliced to obtain first spliced data, and then the first spliced data is subjected to hash processing to obtain the first mapping result.
In the above embodiment, when performing mapping processing, data conversion is performed first, and then mapping sub-data is searched from the first mapping reference data to generate a mapping result. The object identifier is subjected to multiple processing to obtain a mapping result, so that the data security of the object identifier is protected.
In one embodiment, the data conversion of the current object identifier based on the public key to obtain first conversion data corresponding to the current object identifier includes:
performing hash processing on the current object identifier to obtain a first hash processing result; and fusing the public key and the first hash processing result to obtain first conversion data.
Specifically, when data conversion is performed, the data storage device may perform hash processing on the current object identifier to obtain a first hash processing result, and then fuse the public key to the first hash processing result to obtain first conversion data.
The hash processing is to convert input data into output data with a fixed length through a hash algorithm, and the hash processing can convert irregular data into regular data and convert the irregular data into a preset value range so as to facilitate subsequent data processing. The hash process converts an object id composed of data of an arbitrary length into data composed of data of a fixed length, and can normalize various object ids. The data storage device can perform hash processing based on a custom formula, and can also perform hash processing based on a traditional hash algorithm.
When data fusion is performed, the data storage device may perform encryption processing on the first hash processing result based on the public key to obtain first conversion data. The data storage device may also fuse the public key and the first hash processing result based on a user-defined formula to obtain the first conversion data.
In one embodiment, the calculation formula of the first conversion data is as follows:
(v1,v2,…vw)=F(k,H1(x))
H1:{0,1}*→{0,1}256
F:{0,1}128×{0,1}256→[m]w
wherein (v)1,v2,…vw) Representing first conversion data, viIndicating the ith first subdata, and the first conversion data is composed of w first subdata. H1Representing a hash function, H1The input data of (A) is binary data of an arbitrary length, H1Is a 256-bit binary data. Denotes an arbitrary length, x denotes a candidate mark, H1(x) Indicating the first hash process result. F represents a fusion function, eitherThe input data of F includes a binary data of 128 bits and a binary data of 256 bits, and the output data of F is a binary data with w values in the range of [0, m-1 ] in the form of a pseudo-random function]The data of (2) are spliced to form the data.
It is understood that 128 bits and 256 bits are only examples, and other number of bit limits may be adopted, and the specific configuration may be set according to actual needs.
In the above embodiment, when data conversion is performed, hash processing is performed first, different types of object identifiers can be normalized, and then a public key is fused, so that the data complexity of the first conversion data can be increased, and the data security can be improved.
In one embodiment, the first mapping reference data is a first mapping reference matrix. Based on the first subdata and the sequencing information of the first subdata, obtaining mapping subdata corresponding to each first subdata from the first mapping reference data, wherein the mapping subdata comprises:
taking the first subdata as first position information corresponding to a first matrix direction, and taking the sequencing information of the first subdata as second position information corresponding to a second matrix direction, wherein the first matrix direction and the second matrix direction are mutually vertical; and acquiring matrix data positioned by the first position information and the second position information corresponding to the same first subdata from the first mapping reference matrix as mapping subdata to obtain the mapping subdata corresponding to each first subdata.
The first mapping reference data may be a first mapping reference matrix, that is, the first mapping reference data is data in a matrix form. The first matrix direction and the second matrix direction represent two directions of the matrix, the first matrix direction and the second matrix direction are perpendicular to each other, for example, the first matrix direction represents a row direction of the matrix, and the second matrix direction represents a column direction of the matrix; it is also possible that the first matrix direction represents a column direction of the matrix and the second matrix direction represents a row direction of the matrix.
Specifically, when matrix data is queried in a matrix, the matrix data can be quickly positioned based on the row and column information of the matrix data in the matrix. If the first mapping reference data is a first mapping reference matrix, the data storage device may generate coordinate information of mapping sub-data to be searched in the matrix based on the first sub-data and the ordering information of the first sub-data, and quickly locate the mapping sub-data corresponding to the first sub-data in the first mapping reference matrix based on the generated coordinate information. The data storage device may use the first sub-data as first location information corresponding to a first matrix direction, use the ordering information of the first sub-data as second location information corresponding to a second matrix direction, perform data positioning in the first mapping reference matrix based on the first location information and the second location information, and use the positioned matrix data as mapping sub-data. Finally, mapping subdata corresponding to each first subdata can be obtained by positioning based on each first subdata and the sequencing information of the first subdata.
For example, the first mapping reference matrix is represented by matrix C, and the first sub-data of each ordered arrangement is represented by v1,v2,…vwIs represented by viRepresents the ith first sub-data, viFor the corresponding first mapped sub-data
It is shown that,
represents the v-th in the matrix CiRow ith column of matrix data.
It will be appreciated that instead of representing the first mapping reference data in a matrix form, the first mapping reference data may be represented in other data forms, for example, a table form, a vector form, etc.
In the above embodiment, if the first mapping reference data is the first mapping reference matrix, the matrix coordinate is generated based on the numerical value of the first sub-data and the ordering information of the first sub-data, and the mapping sub-data corresponding to the first sub-data can be quickly found in the first mapping reference matrix based on the matrix coordinate.
In one embodiment, obtaining a first mapping result corresponding to the current object identifier based on each mapping sub-data includes:
splicing the mapping subdata based on the sequencing information of the first subdata to obtain first spliced data; and carrying out Hash processing on the first spliced data to obtain a first mapping result.
Specifically, in order to improve data complexity and protect data security, when a first mapping result is obtained based on each mapped subdata, the data storage device may first splice each mapped subdata based on the ordering information of the first subdata to obtain first spliced data, and then perform hash processing on the first spliced data to obtain the first mapping result. It can be understood that each first subdata is ordered, and then the mapping subdata corresponding to each first subdata can also be considered as ordered, and the first spliced data can be obtained by splicing the mapping subdata in order.
In one embodiment, the calculation formula of the first mapping result is as follows:
H2:{0,1}w→{0,1}256
where ψ represents the first mapping result, | | represents splicing,
a first one of the map sub-data is represented,
a second one of the mapped sub-data is represented,
represents the w-th mapped sub-data,
and representing first splicing data obtained by sequentially splicing the mapping subdata. H2Representing a hash function, H2The input data of (A) is a binary data of w bits, H2Is output data ofA 256-bit binary data.
It is understood that 256 bits are only an example, and other number of bit limitation may be adopted, and the specific configuration may be set according to the actual requirement.
In the above embodiment, based on the sorting information of the first sub-data, the mapping sub-data are spliced to obtain first spliced data, and the first spliced data is subjected to hash processing to obtain a first mapping result. The mapping subdata can be hidden through hash processing, the finally generated first mapping result is beneficial to protecting the data security of the data storage device, and other devices are difficult to crack original data from the data generated based on the first mapping result.
In one embodiment, as shown in fig. 3, the obtaining process of the first mapping reference data comprises the following steps:
step S302, a first asymmetric key and a second asymmetric key sent by the data query device are obtained.
The asymmetric key is different keys used for encryption and decryption. The asymmetric key is used for encryption, and the private key corresponding to the asymmetric key is used for decryption. The first asymmetric key and the second asymmetric key may be generated by the data query device itself, or may be obtained by the data query device from another device. The data query device sends the first asymmetric key and the second asymmetric key to the data storage device, and the first asymmetric key and the second asymmetric key are used for encrypting plaintext data on the data storage device to protect data security of the data storage device.
Step S304, a target asymmetric key is determined from the first asymmetric key and the second asymmetric key based on the key reference information corresponding to the target mapping position, and the target symmetric key is encrypted based on the target asymmetric key to obtain a first encryption result.
The target mapping position refers to a data position corresponding to at least one mapping sub-data in the mapping reference data. For example, if the mapping reference data is a mapping reference matrix, the target mapping position may be a certain row or a certain column in the matrix. The key reference information is used for carrying out key screening on the first asymmetric key and the second asymmetric key, and one asymmetric key is determined to be used as a target asymmetric key. The key reference information corresponding to different mapping positions may be the same or different, so that the finally determined target asymmetric key may also be the same or different.
The target symmetric key is a symmetric key that is known to the data storage device but not known to the data querying device. The target symmetric key may be generated by the data storage device itself, or may be obtained by the data storage device from another device.
Specifically, the first mapping reference data is composed of a plurality of first mapping sub-data, and the data storage device may sequentially determine the first mapping sub-data corresponding to each mapping position through data interaction with the data query device, so as to finally obtain the first mapping reference data.
The data storage device can obtain key reference information corresponding to each mapping position, a target mapping position is determined from each mapping position, first mapping subdata corresponding to the target mapping position is determined through one round of data interaction with the data query device, the data storage device obtains a next mapping position as a new target mapping position, first mapping subdata corresponding to the new target mapping position is determined through the new round of data interaction with the data query device, and by analogy, the data storage device can finally obtain first mapping subdata corresponding to each mapping position, and the first mapping subdata are combined to obtain first mapping reference data.
Step S306, sending the first encryption result to the data query device, so that the data query device decrypts the first encryption result based on the first private key corresponding to the first asymmetric key and the second private key corresponding to the second asymmetric key, respectively, to obtain a first decryption result and a second decryption result, encrypts the second mapping sub-data corresponding to the target mapping position in the second mapping reference data based on the first decryption result, to obtain a second encryption result, and encrypts the third mapping sub-data corresponding to the target mapping position in the third mapping reference data based on the second decryption result, to obtain a third encryption result.
Wherein the second mapping reference data and the third mapping reference data are data known by the data query device but not known by the data storage device. And the mapping results obtained by mapping the same object identifier are the same based on the second mapping reference data and the third mapping reference data, respectively. It can be understood that the first mapping reference data, the second mapping reference data and the third mapping reference data are not completely the same data, but mapping results obtained by mapping the same object identifier based on the first mapping reference data, the second mapping reference data and the third mapping reference data are the same. The second mapping reference data may be randomly generated or may be preset.
First, the data storage device obtains a first asymmetric key and a second asymmetric key sent by the data query device. In a complete round of data interaction process, the data storage device screens an asymmetric key from the first asymmetric key and the second asymmetric key as a target asymmetric key based on key reference information corresponding to a target mapping position, and encrypts the target symmetric key based on the target asymmetric key to obtain a first encryption result. Then, the data storage device sends the first encryption result to the data query device. And the data query equipment decrypts the first encryption result based on a first private key corresponding to the first asymmetric key to obtain a first decryption result, and decrypts the first encryption result based on a second private key corresponding to the second asymmetric key to obtain a second decryption result. It can be understood that the data querying device does not know which asymmetric key is used by the data storage device for encryption processing, and therefore, the data querying device cannot know which of the first decryption result and the second decryption result obtained by decryption is a useful decryption result. Further, the data query device encrypts, based on the first decryption result, second mapping sub-data corresponding to the target mapping position in the second mapping reference data to obtain a second encryption result, and encrypts, based on the second decryption result, third mapping sub-data corresponding to the target mapping position in the third mapping reference data to obtain a third encryption result. It will be appreciated that there is a correspondence between the first asymmetric key and the second mapping reference data, and a correspondence between the second asymmetric key and the third mapping reference data. The data query device sends the second encryption result and the third encryption result to the data storage device, and the data storage device decrypts useful encryption results in the second encryption result and the third encryption result based on the target symmetric key, so as to obtain first mapping sub-data corresponding to the target mapping position in the first mapping reference data.
Step S308, a second encryption result and a third encryption result sent by the data query device are obtained.
Step S310, determining a target encryption result from the second encryption result and the third encryption result based on the key reference information corresponding to the target mapping position, and decrypting the target encryption result based on the target symmetric key to obtain first mapping sub-data corresponding to the target mapping position in the first mapping reference data.
Specifically, the data storage device obtains the second encryption result and the third encryption result sent by the data query device. And in the second encryption result and the third encryption result, the encryption result obtained by encrypting based on the decryption result which is successful in decryption is a useful encryption result, and the data storage device can screen out the useful encryption result from the second encryption result and the third encryption result as a target encryption result based on the key reference information corresponding to the target mapping position. And the data storage equipment decrypts the target encryption result based on the target symmetric key to finally obtain first mapping subdata corresponding to the target mapping position in the first mapping reference data.
It can be understood that, if the first asymmetric key is used as the target asymmetric key based on the key reference information corresponding to the target mapping position, the first decryption result is valid data obtained by decryption based on the correct private key, the second decryption result is scrambled data obtained by decryption based on the wrong key, the second encryption result is a valid encryption result obtained by encryption based on the valid data, and the third encryption result is an invalid encryption result obtained by encryption based on the scrambled data. Accordingly, based on the key reference information corresponding to the target mapping position, the second encryption result corresponding to the first asymmetric key can be obtained from the second encryption result and the third encryption result as the target encryption result.
In one embodiment, at each data processing, the data query device may send the second encryption result corresponding to the first asymmetric key first, and then send the third encryption result corresponding to the second asymmetric key. Accordingly, the data storage device can accurately determine the target encryption result from the second encryption result and the third encryption result based on the key reference information corresponding to the target mapping position.
Step S312, using the next mapping position as an updated mapping position, using the updated mapping position as a target mapping position, returning to the key reference information corresponding to the target mapping position, and performing the step of determining the target asymmetric key from the first asymmetric key and the second asymmetric key until determining the first mapping sub-data corresponding to each mapping position in the first mapping reference data, so as to obtain the first mapping reference data.
Specifically, through a round of data interaction, the data storage device may obtain first mapping sub-data corresponding to a certain mapping position in the first mapping reference data. And then, the data storage device takes the next mapping position as an updated mapping position, takes the updated mapping position as a new target mapping position, and performs a new round of data interaction again to obtain first mapping subdata corresponding to the next mapping position in the first mapping reference data, and so on until all mapping positions are taken as target mapping positions, and the data storage device determines the first mapping subdata corresponding to each mapping position in the first mapping reference data. Finally, the data storage device combines the first mapping sub-data corresponding to each mapping position to obtain first mapping reference data.
A complete data interaction round is described with reference to fig. 4. Where k0 denotes the first asymmetric key, k1 denotes the second asymmetric key, and k2 denotes the target symmetric key. The second mapping reference data is represented by matrix a, the third mapping reference data by matrix B and the first mapping reference data by matrix C. The key reference information is represented by binary data s, and if s is 0, k0 is defined as the target asymmetric key, and if s is 1, k1 is defined as the target asymmetric key.
Assuming that the target mapping position is the first column of the matrix, a1 represents the first column of the matrix a, B1 represents the first column of the matrix B, C1 represents the first column of the matrix C, and s1 represents the key reference information corresponding to the first column of data. The data querying device sends k0 and k1 to the data storage device. Assuming that s1 is 0, the data storage device obtains a first encryption result m0 by encrypting k2 based on k0, and sends m0 to the data query device. The data query device decrypts m0 based on the private key corresponding to k0 to obtain a first decryption result j0, and decrypts m0 based on the private key corresponding to k1 to obtain a second decryption result j 1. Where j0 is k2, but the data querying device is not aware of it. The data query device obtains a second encryption result m1 by encrypting A1 based on j0, obtains a third encryption result m2 by encrypting B1 based on j1, and sends m1 and m2 to the data storage device. Because s1 is 0, the data storage device decrypts m1 based on k0 to yield C1, where C1 is a1, but the data storage device is not aware of. Similarly, if s1 is equal to 1, then C1 is equal to B1. By analogy, the matrix C is finally composed of several columns of the matrix a and several columns of the matrix B.
In the above embodiment, in the process of acquiring the first mapping reference data, only the encrypted data and the secret key are transmitted between the data storage device and the data query device, and no specific plaintext data is involved, so that data security of both parties is protected. Through data interaction, the data storage device can only acquire the first mapping reference data and does not know the second mapping reference data and the third mapping reference data.
In one embodiment, determining the target asymmetric key from the first asymmetric key and the second asymmetric key based on the key reference information corresponding to the target mapping position includes:
when the key reference information corresponding to the target mapping position is first preset information, taking the first asymmetric key as a target asymmetric key; and when the key reference information corresponding to the target mapping position is second preset information, taking the second asymmetric key as a target asymmetric key.
Specifically, when the key reference information corresponding to the target mapping position is the first preset information, the data storage device may use the first asymmetric key as the target asymmetric key. When the key reference information corresponding to the target mapping position is the second preset information, the data storage device may use the second asymmetric key as the target asymmetric key. The first preset information and the second preset information may be set according to actual needs, for example, the first preset information is set to 0, and the second preset information is set to 1; alternatively, the first preset information is set to 1, and the second preset information is set to 0.
In the above embodiment, according to whether the key reference information is the first preset information or the second preset information, it may be quickly determined whether to use the first asymmetric key or the second asymmetric key as the target asymmetric key.
In one embodiment, determining the target encryption result from the second encryption result and the third encryption result based on the key reference information corresponding to the target mapping position includes:
when the key reference information corresponding to the target mapping position is first preset information, taking a second encryption result as a target encryption result; and when the key reference information corresponding to the target mapping position is second preset information, taking the third encryption result as a target encryption result.
Specifically, when the key reference information corresponding to the target mapping position is the first preset information, the data storage device may use the second encryption result as the target encryption result, so that if the key reference information corresponding to the target mapping position is the first preset information, the data storage device uses the first asymmetric key as the target asymmetric key. When the key reference information corresponding to the target mapping position is the second preset information, the data storage device may use the third encryption result as the target encryption result, because if the key reference information corresponding to the target mapping position is the second preset information, the data storage device uses the second asymmetric key as the target asymmetric key.
In the above-described embodiment, in accordance with the method of determining the target asymmetric key, determining whether to take the second encryption result or the third encryption result as the target encryption result according to whether the key reference information is the first preset information or the second preset information can ensure correct decryption of data based on the symmetric key.
In an embodiment, the third mapping reference data is obtained by fusing, by the data query device, the second mapping reference data and the target mapping reference data, the target mapping reference data is obtained by updating, by the data query device, the initial mapping reference data based on the second conversion data corresponding to the query object identifier, and the second conversion data is obtained by performing data conversion on the query object identifier based on the public key.
Specifically, the data query device may generate third mapping reference data based on the second mapping reference data and the target mapping reference data, and may specifically perform fusion processing on the second mapping reference data and the target mapping reference data to obtain the third mapping reference data. For example, if the mapping reference data is a matrix, the second mapping reference data and corresponding matrix data in the target mapping reference data may be subjected to xor processing, so as to obtain third mapping reference data. For the target mapping reference data, the data query device may perform data conversion on the query object identifier based on the public key to obtain second conversion data, and perform data update on the initial mapping reference data based on the second conversion data to obtain the target mapping reference data.
The initial mapping reference data is initialized mapping reference data, and in the initial mapping reference data, each mapping sub-data may be initialized to first preset sub-data. When data updating is performed, the data query device may convert mapping sub-data corresponding to second conversion data in the initial mapping reference data from first preset sub-data to second preset sub-data. It is to be understood that the second conversion data includes a plurality of second sub data arranged in order, and the mapping sub data corresponding to each second sub data may be determined in the initial mapping reference data based on the second sub data and the ordering information of the second sub data. The first preset sub data and the second preset sub data may be set as needed, for example, the first preset sub data may be set to 1, and the second preset sub data may be set to 0.
In one embodiment, the second mapping reference data may be randomly generated. Even if the second mapping reference data is randomly generated, the mapping results obtained by mapping the same object identifier are the same based on the second mapping reference data, the third mapping reference data obtained by fusing the second mapping reference data and the target mapping reference data, and the first mapping reference data obtained by the second mapping reference data and the third mapping reference data.
In one embodiment, referring to fig. 5, the target mapping reference data is D, the second mapping reference data is a, the third mapping reference data is B, the first mapping reference data is C, and the key reference information is S. The map sub-data having a value of 0 in the target map reference data is determined based on the first conversion data, and the second map reference data is randomly generated. And carrying out XOR processing on the second mapping reference data A and the target mapping reference data D to obtain third mapping reference data B. The first mapping reference data C may be derived based on the key reference information S, the second mapping reference data a and the third mapping reference data B. The first mapping reference data C is composed of the first three columns of data of B and the fourth column of data of a. In the first mapping reference data C, the second mapping reference data a and the third mapping reference data B, the mapping sub-data corresponding to the first conversion data are the same, so that the mapping results obtained by mapping the same object identifier based on the first mapping reference data, the second mapping reference data and the third mapping reference data are the same.
In the above embodiment, the initial mapping reference data is updated based on the second conversion data corresponding to the query object identifier to obtain the target mapping reference data, and then the second mapping reference data and the target mapping reference data are subjected to fusion processing to obtain the third mapping reference data, so that the same mapping result can be obtained by performing mapping processing on the query object identifier based on the second mapping reference data and the third mapping reference data.
In one embodiment, generating an encryption key and first key alignment data based on a corresponding first mapping result of the same candidate object identification includes:
and performing data segmentation on the first mapping result corresponding to the current object identifier to obtain an encryption key corresponding to the current object identifier and first key alignment data.
In particular, the data storage device may data-slice the first mapping result to generate the encryption key and the first key alignment data. The current object identifier refers to any one object identifier of at least two candidate object identifiers. The data storage device may perform data segmentation on the first mapping result corresponding to the current object identifier to obtain an encryption key corresponding to the current object identifier and first key alignment data. For example, the first mapping result may be divided into two parts of data, the first part of data is used as the encryption key, and the second part of data is used as the first key alignment data, which may be an average division or a non-average division. Or acquiring data from the first mapping result to the second preset position as an encryption key, and acquiring data from the third preset position to the fourth preset position as first key alignment data, where the first preset position, the second preset position, the third preset position, and the fourth preset position may be set according to actual needs.
In the above embodiment, the data slicing is performed on the first mapping result, so that the encryption key and the first key alignment data can be quickly generated.
In one embodiment, encrypting the corresponding plaintext object data to obtain ciphertext object data based on the encryption key corresponding to the same candidate object identifier includes:
acquiring encryption reference information, and acquiring initial ciphertext data corresponding to each candidate object identifier based on an encryption key and the encryption reference information corresponding to the same candidate object identifier; and fusing the initial ciphertext data and the plaintext object data corresponding to the same candidate object identifier to obtain ciphertext object data corresponding to each candidate object identifier.
The encryption reference information may be randomly generated data or preset data.
Specifically, when encrypting plaintext object data, the data storage device may first obtain the encryption reference information, generate initial ciphertext data based on the encryption key and the encryption reference information, and then fuse the initial ciphertext data and the plaintext object data to obtain ciphertext object data. The generation of the initial ciphertext data based on the encryption key and the encryption reference information may be inputting the encryption key and the encryption reference information into a pseudorandom function, taking an output result of the pseudorandom function as the initial ciphertext data, or generating the initial ciphertext data based on a custom formula. The fusion of the initial ciphertext data and the plaintext object data may be performed by performing xor processing on the initial ciphertext data and the plaintext object data, or by fusing the initial ciphertext data and the plaintext object data based on a user-defined formula.
In one embodiment, the encrypted reference information may include a plurality of reference sub-information, and the value of each reference sub-information is sequentially incremented, for example, each reference sub-information is a counter whose value is sequentially incremented. The data storage device may perform data processing on the encrypted key and each piece of reference sub-information to generate ciphertext sub-data, obtain initial sub-data corresponding to each piece of reference sub-information, and combine each initial sub-data into initial ciphertext data. That is, the initial ciphertext data may include a plurality of initial sub-data. Correspondingly, when data fusion is performed, the plaintext object data can be segmented into a plurality of plaintext subdata, the initial subdata and the plaintext subdata with consistent sequencing information are subjected to fusion processing to obtain ciphertext subdata corresponding to each plaintext subdata, and each ciphertext subdata is combined into ciphertext object data.
It is understood that other data encryption processes in the present application may refer to data processing processes in which encryption keys encrypt plaintext object data.
In the above embodiment, the initial ciphertext data generated based on the encryption key and the encryption reference information may be considered as a random number approximately, and then the initial ciphertext data and the plaintext object data are fused, so that the plaintext object data may be hidden, and thus the ciphertext object data is obtained.
In one embodiment, the encryption reference information identifies corresponding first key alignment data for the candidate object.
Specifically, the data storage device may use first key alignment data generated based on the first mapping result as encryption reference information employed at the time of encryption processing. That is, when encrypting plaintext object data based on the encryption key, initial ciphertext data may be generated based on the encryption key and the first key alignment data, and then the initial ciphertext data and the plaintext object data may be fused to obtain ciphertext object data.
In one embodiment, the calculation formula of the ciphertext object data is as follows:
c=CTREnciv,(d)
where c denotes ciphertext object data, d denotes plaintext object data, iv denotes first key alignment data, and key denotes an encryption key. CTREnc () represents the CTR mode of a symmetric cryptographic algorithm.
In the above embodiment, the first key alignment data is used as the encryption reference information, so that data generated based on the first mapping result can be fully used, the data utilization rate is improved, and other data does not need to be additionally acquired.
In one embodiment, as shown in fig. 6, a data query method is provided, which is described by taking the data query device in fig. 1 as an example, and includes the following steps:
step S602, a query object identifier corresponding to target object data to be queried is obtained.
The target object data to be queried is plaintext object data corresponding to the query object identifier. The data query device does not know the plaintext object data corresponding to the query object identifier at first, and the plaintext object data corresponding to the query object identifier is finally obtained through data interaction with the data storage device.
Step S604, mapping the query object identifier based on the second mapping reference data to obtain a second mapping result.
Step S606, based on the second mapping result, a decryption key corresponding to the query object identifier and second key alignment data are obtained.
Specifically, when the data query device initiates data query, the data query device may perform mapping processing on the query object identifier based on the second mapping reference data to obtain a second mapping result, and generate a decryption key and second key alignment data corresponding to the query object identifier based on the second mapping result, where the decryption key and the second key alignment data are used to screen and decrypt the target object data from the data sent by the data storage device.
It is to be understood that the data processing procedure for mapping the query object identifier based on the second mapping reference data may refer to the data processing procedure for mapping the candidate object identifier based on the first mapping reference data. The data processing procedure of obtaining the decryption key and the second key alignment data based on the second mapping result may refer to the data processing procedure of obtaining the encryption key and the first key alignment data based on the first mapping result.
Step S608, acquiring encrypted data sent by the data storage device; the encrypted data comprises ciphertext object data and first key alignment data which correspond to at least two candidate object identifications respectively, the ciphertext object data are obtained by encrypting plaintext object data corresponding to the candidate object identifications based on encryption keys corresponding to the candidate object identifications, the encryption keys and the first key alignment data corresponding to the candidate object identifications are obtained by mapping the candidate object identifications based on first mapping results corresponding to the candidate object identifications, the first mapping results are obtained by mapping the candidate object identifications based on first mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identification based on the first mapping reference data and the second mapping reference data are the same.
Specifically, the data querying device may send a data querying request to the data storage device to prompt the data storage device to send the encrypted data to the data querying device. The data storage device may perform mapping processing on at least two local candidate data identifiers based on the first mapping reference data to obtain first mapping results corresponding to the candidate object identifiers, and generate an encryption key and first key alignment data based on the first mapping results to obtain an encryption key and first key alignment data corresponding to the candidate object identifiers. The data storage device may encrypt the corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to generate ciphertext object data, so as to obtain ciphertext object data corresponding to each candidate object identifier. And the data storage equipment takes the calculated first key alignment data and the ciphertext object data as encrypted data to the data query equipment.
It will be appreciated that the specific data processing procedures of the data storage device may refer to the contents of the various related embodiments in the data query method applied to the data storage device.
Step S610, matching the second key alignment data with each first key alignment data, and decrypting ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key to obtain target object data.
Specifically, after the data query device obtains the encrypted data sent by the data storage device, the second key alignment data corresponding to the query device identifier are respectively matched with the first key alignment data corresponding to each candidate object identifier, and the first key alignment data consistent with the second key alignment data are used as the successfully matched first key alignment data. And then, the data query device decrypts the ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key corresponding to the query device identifier, and finally obtains plaintext object data corresponding to the query device identifier, namely the target object data.
In the above data query method, if the query object identifier is consistent with a candidate object identifier, the second mapping result corresponding to the query object identifier is consistent with the first mapping result corresponding to the candidate object identifier, and if the query object identifier is inconsistent with a candidate object identifier, the second mapping result corresponding to the query object identifier is inconsistent with the first mapping result corresponding to the candidate object identifier. Further, if the mapping results are the same, the generated key and the key alignment data are also the same. Then, after acquiring ciphertext object data and first key alignment data corresponding to at least two candidate object identifiers on the data storage device, the data query device matches second key alignment data corresponding to the query object identifiers with each first key alignment data, if the data successfully matched exist, it is indicated that an object identifier consistent with the query object identifier exists in each candidate object identifier, each ciphertext object data includes ciphertext data obtained by encrypting plaintext object data corresponding to the query object identifier, and further, the data query device can decrypt the ciphertext object data corresponding to the successfully matched first key alignment data based on a decryption key corresponding to the query object identifier to obtain plaintext object data corresponding to the query object identifier. Further, since the first mapping reference data and the second mapping reference data are different, even if the data query device acquires a plurality of ciphertext object data, the ciphertext object data corresponding to the object identifier other than the query object identifier cannot be successfully decrypted. In summary, in the whole data interaction process, the data storage device cannot acquire the query object of the data query device, and the data query device cannot acquire the plaintext data of other objects besides the plaintext object data of the query object, so that the data security of the data storage device and the data query device is ensured.
In a specific embodiment, the data query method of the application can be applied to a financial wind control scene. Taking a financial wind-control scenario as an example, in the process of evaluating the credit level of the user, the company a wants to query the credit information (e.g., losing records, long-term loan, etc.) of the user on the platform b, and if the data on the platform b is directly retrieved by the user id, the platform b may obtain the user id and may generate a leakage risk, for example, resell the user id to a competitor of the company a. However, by the data query method, the company A and the platform B can perform collaborative calculation, the platform B can not provide user data of all users, only provides user data of intersection users in a query list of the company A, privacy information of non-intersection users of the platform B is protected, and meanwhile, a platform side cannot sense the query list of the company A, and the privacy information of user id of the company A is protected. The company A is a data inquiring party, and the platform B is a data storing party.
Referring to fig. 7, the Guest party represents a data inquiring party, the Host party represents a data storing party and a data holding party, and the data inquiring method includes the following steps:
1. the list of queries of the Guest party is { id _1, id _3, id _5}, which is used as an input of the collaborative computation. The Host party takes the local data as the input of the collaborative computation. The local data of the Host party comprises id and data corresponding to the id (namely plaintext object data), and specifically comprises id _0, corresponding data _0, id _1, corresponding data _1, id _2, corresponding data _2, id _3 and corresponding data _ 3.
2. Through cooperative computing, the Guest party and the Host party respectively obtain the iv value and the key of the symmetric password corresponding to the id of each party.
Where iv _ i | |, key _ i ═ OPRF (id _ i). OPRF (id _ i) represents a collaborative calculation result corresponding to id _ i, iv _ i represents an iv value corresponding to id _ i, namely key alignment data corresponding to id _ i, and key _ i represents a key corresponding to id _ i.
3. The Host party encrypts the corresponding data by using iv and key, and transmits the iv and encrypted data to the Guest party. The Host party does not send the key to the Guest party.
Wherein, the iv _ i | | key _ i [ data _ i ] represents data obtained by encrypting the data _ i corresponding to the id _ i based on the iv value corresponding to the id _ i and the key, namely the encrypted data _ i.
4. Guest's party compares local iv with Host's party iv, and the intersection part is taken as queryable data. And the Guest party decrypts the encrypted data corresponding to the iv value based on the key corresponding to the iv value of the intersection part to obtain a query result.
Wherein, the data of the non-intersection part can not be decrypted, and is equivalent to random noise for Guest.
5. And the Guest party finally obtains the query result data _1 of id _1 and the query result data _3 of id _3, and the query result corresponding to id _5 is empty.
The specific process of the above-described steps 2 to 4 is explained with reference to fig. 8.
1. The Host side and the Guest side negotiate parameters
The Host side and the Guest side negotiate security parameters lambda and sigmaProtocol parameters m, w, two hash functions H1:{0,1}*→{0,1}256,H2:{0,1}w→{0,1}256A pseudorandom function F: {0,1}128×{0,1}256→[m]w. In one embodiment, m may be set to 220W may be set to 400 to 600, λ may be set to 128, and σ may be set to 40.
2. Precalculation process
Guest squares set the m x w bit matrix D to all 1's first. W columns corresponding to the matrix D are D1,D2,…,Dw,D1=D2=…=Dw=1m. Guest square uniform random selection key k ←R{0,1}λFor each Y ∈ Y, (v) is calculated1,v2,…vw)=F(k,H1(y)), converting the v-th of DjSetting column j to zero, i.e. order
Finally, the matrix D is a matrix consisting of 0 and 1.
Wherein, k ← cR{0,1}λThe expression k is a key with the length of lambda, k is a vector, and the value range of each number in the vector is 0 or 1. That is, k is a binary number of λ bits. Y comprises id corresponding to all plaintext data to be inquired of Guest party, and Y represents any id in Y.
Host side randomly selects bit string s ←R{0,1}w。
Wherein s ← cR{0,1}wThe representation s is a binary number of w bits.
3. The Guest party and the Host party execute w OT protocols.
Guest side randomly selects m × w bit matrix A ← {0,1}m×wThen calculate the matrix
Host partyAnd the Guest party performs w OT (Oblivious Transfer) protocols, where the Guest party as the sender will { A }i,Bi}i∈[w]As an input of the protocol, the Host side as a receiving side sets s to(s)1,s2,…,sw) As the input of the protocol, after the protocol is finished, the Host side obtains w columns { Ci∈{0,1}m}i∈[w]Here, the
Concatenating the w columns to form m × w bit matrix C ═ C (C)1,C2,…,Cw)。
Wherein the content of the first and second substances,
representing a bitwise exclusive-or, and a bitwise and.
4. Inadvertent pseudorandom function computation
The Guest party sends the pseudo-random function key k to the Host party.
(v) is calculated for each (X, d) ∈ X, Host square1,v2,…,vw)=F(k,H1(x) Then calculate
Here, the
V-th of the representation matrix CjThe row and column j values are then split in half 256 bits psi, with the first 128 bits as iv and the last 128 bits as key. The Host side calls the CTR mode encrypted data d of the symmetric encryption algorithm to obtain c ═ CTREnciv,key(d) And finally, sending the set Ψ { (iv, c) } to the Guest party by calculation.
Wherein, X includes the id corresponding to all plaintext data of Host party, X represents any one id in X, d represents the data corresponding to id.
For each Y ∈ Y, Guest square calculation (v)1′,v2′,…,vw′)=F(k,H1(y)), then calculating
Here, the
V-th representing the matrix AjThe row and column j values are then split in half 256 bits psi, with the first 128 bits as iv' and the last 128 bits as key. After the Guest party receives the set psi from the Host party, when iv in psi is compared with the calculated iv ', if iv is equal to iv', a CTR mode of a symmetric encryption algorithm is called, and a plaintext b is obtained by decrypting a corresponding ciphertext civ,key(c) Then b obtained by decryption is the query value corresponding to y.
Further, through actual measurement, the data query method can achieve high-performance calculation of the concealed query scene with hundred million-level data volume. The execution environment is 20 servers, each server is allocated with 2 cores and 15G memory, the driver-memory is allocated with 10G memory, and the test data refers to the table 1. Wherein, the algorithm (N-N) represents inquiring the data of N scale from the data of N scale.
TABLE 1
| Algorithm (N-N) | 10 ten thousand to 1 hundred million | 1 hundred million to 1 hundred million |
| Query time in the scheme | 5min | 21min |
| Query time for conventional schemes | 1h | 1h30min |
The data query method can obtain the following advantages:
1. reduction of traffic and improvement of security. The scheme provided by the invention uses an OPRF (optimal Pseudo Random Function) Function to replace asymmetric encryption, processes hundred million-level data volume, only needs to use a plurality of times of asymmetric encryption and decryption calculation (generally hundreds of times) in a data preprocessing stage, and the rest calculation is symmetric encryption, so that the communication traffic can be greatly reduced in a massive data scene.
2. The calculation speed is improved, the traditional secret query scheme is realized by using asymmetric passwords and 1 out of N inadvertent transmission, and for the problem scales N and N, the required calculation is as follows: n + N asymmetric encryption/decryption calculations, N times 1 out of N inadvertent transmission calculations. Wherein both single asymmetric encryption and 1 out of n OT require a relatively high computational effort. The scheme provided by the invention uses an OPRF function, only hundreds of times of 1 out of 2 OT are needed to realize equivalent hundreds of times of 1 out of N OT calculation, and the calculation speed can be improved by more than 10 times.
It can be understood that the data query method of the application can also be applied to scenes such as marketing, identity verification, anti-fraud, financial wind control, equipment testing and the like. For example, in an anti-fraud scenario, the Guest party queries behavior information corresponding to the user id from the Host party, and identifies the behavior risk of the user based on the behavior information. In a marketing scene, a Guest party inquires behavior information corresponding to a user id from a Host party, and behavior characteristics of the user are identified based on the behavior information. In the device test, the Guest party inquires test information corresponding to the device id from the Host party, and the reliability and the safety of the device are detected based on the test information.
It should be understood that, although the steps in the flowcharts related to the embodiments as described above are sequentially displayed as indicated by arrows, the steps are not necessarily performed sequentially as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a part of the steps in the flowcharts related to the embodiments described above may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the execution order of the steps or stages is not necessarily sequential, but may be rotated or alternated with other steps or at least a part of the steps or stages in other steps.
Based on the same inventive concept, the embodiment of the present application further provides a data query device for implementing the above-mentioned data query method. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme described in the above method, so specific limitations in one or more embodiments of the data query device provided below can be referred to the limitations of the data query method in the foregoing, and details are not described here.
In one embodiment, as shown in fig. 9, there is provided a data query apparatus 900, including: a data acquisition module 902, a first data mapping module 904, a data encryption module 906, and a data transmission module 908, wherein:
a data obtaining module 902, configured to obtain at least two candidate object identifiers and plaintext object data corresponding to each candidate object identifier.
The first data mapping module 904 is configured to perform mapping processing on each candidate object identifier based on the first mapping reference data, so as to obtain a first mapping result corresponding to each candidate object identifier.
The data encryption module 906 is configured to generate an encryption key and first key alignment data based on the first mapping result corresponding to the same candidate object identifier, and encrypt corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data.
The data sending module 908 is configured to send the ciphertext object data and the first key alignment data corresponding to each candidate object identifier to the data query device, so that the data query device matches the second key alignment data corresponding to the query object identifier with each first key alignment data, and decrypts, based on the decryption key corresponding to the query object identifier, the ciphertext object data corresponding to the first key alignment data that is successfully matched, to obtain the target object data corresponding to the query object identifier.
The decryption key and the second key alignment data are obtained based on a second mapping result, the second mapping result is obtained by mapping the query object identifier based on second mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data are the same.
According to the data query device, in the whole data interaction process, the data storage device cannot acquire the query object of the data query device, and the data query device cannot acquire the plaintext data of other objects except the plaintext object data of the query object, so that the data safety of the data storage device and the data query device is guaranteed.
In one embodiment, the first data mapping module includes:
and the public key acquisition unit is used for acquiring a public key between the data inquiry equipment and the data storage equipment.
The data conversion unit is used for performing data conversion on the current object identifier based on the public key to obtain first conversion data corresponding to the current object identifier; the first converted data includes a plurality of sequentially arranged first sub data.
And the mapping sub-data obtaining unit is used for obtaining the mapping sub-data corresponding to each first sub-data from the first mapping reference data based on the first sub-data and the sequencing information of the first sub-data.
And the mapping result determining unit is used for obtaining a first mapping result corresponding to the current object identifier based on each mapping subdata.
In one embodiment, the data conversion unit is further configured to perform hash processing on the current object identifier to obtain a first hash processing result; and fusing the public key and the first hash processing result to obtain first conversion data.
In one embodiment, the first mapping reference data is a first mapping reference matrix, the mapping sub-data obtaining unit is further configured to use the first sub-data as first position information corresponding to a first matrix direction, use sequencing information of the first sub-data as second position information corresponding to a second matrix direction, and the first matrix direction and the second matrix direction are perpendicular to each other; and acquiring matrix data positioned by the first position information and the second position information corresponding to the same first subdata from the first mapping reference matrix as mapping subdata to obtain the mapping subdata corresponding to each first subdata.
In an embodiment, the mapping result determining unit is further configured to splice the mapping sub-data based on the sorting information of the first sub-data to obtain first spliced data; and carrying out Hash processing on the first spliced data to obtain a first mapping result.
In one embodiment, the data querying device 900 further comprises:
the first mapping reference data acquisition module is used for acquiring a first asymmetric key and a second asymmetric key sent by the data query equipment; determining a target asymmetric key from the first asymmetric key and the second asymmetric key based on key reference information corresponding to the target mapping position, and encrypting the target symmetric key based on the target asymmetric key to obtain a first encryption result; sending the first encryption result to data query equipment, so that the data query equipment decrypts the first encryption result based on a first private key corresponding to the first asymmetric key and a second private key corresponding to the second asymmetric key respectively to obtain a first decryption result and a second decryption result, encrypts second mapping subdata corresponding to a target mapping position in second mapping reference data based on the first decryption result to obtain a second encryption result, and encrypts third mapping subdata corresponding to the target mapping position in third mapping reference data based on the second decryption result to obtain a third encryption result; the mapping results obtained by mapping the same object identifier are the same based on the second mapping reference data and the third mapping reference data respectively; acquiring a second encryption result and a third encryption result sent by the data query equipment; determining a target encryption result from the second encryption result and the third encryption result based on the key reference information corresponding to the target mapping position, and decrypting the target encryption result based on the target symmetric key to obtain first mapping subdata corresponding to the target mapping position in the first mapping reference data; and taking the next mapping position as an updated mapping position, taking the updated mapping position as a target mapping position, returning key reference information corresponding to the target mapping position, and executing the step of determining the target asymmetric key from the first asymmetric key and the second asymmetric key until determining first mapping sub-data corresponding to each mapping position in the first mapping reference data to obtain the first mapping reference data.
In one embodiment, the first mapping reference data obtaining module is further configured to, when the key reference information corresponding to the target mapping position is first preset information, take the first asymmetric key as the target asymmetric key; and when the key reference information corresponding to the target mapping position is second preset information, taking the second asymmetric key as a target asymmetric key.
In one embodiment, the first mapping reference data obtaining module is further configured to take the second encryption result as the target encryption result when the key reference information corresponding to the target mapping position is the first preset information; and when the key reference information corresponding to the target mapping position is second preset information, taking the third encryption result as a target encryption result.
In an embodiment, the third mapping reference data is obtained by fusing, by the data query device, the second mapping reference data and the target mapping reference data, the target mapping reference data is obtained by performing data update on the initial mapping reference data based on second conversion data corresponding to the query object identifier, and the second conversion data is obtained by performing data conversion on the query object identifier based on a public key.
In an embodiment, the data encryption module is further configured to perform data segmentation on the first mapping result corresponding to the current object identifier, so as to obtain an encryption key corresponding to the current object identifier and first key alignment data.
In one embodiment, the data encryption module is further configured to obtain encryption reference information, and obtain initial ciphertext data corresponding to each candidate object identifier based on an encryption key and the encryption reference information corresponding to the same candidate object identifier; and fusing the initial ciphertext data and the plaintext object data corresponding to the same candidate object identifier to obtain ciphertext object data corresponding to each candidate object identifier.
In one embodiment, the encryption reference information identifies corresponding first key alignment data for the candidate object.
In one embodiment, as shown in fig. 10, there is provided a data query apparatus 1000, including: an identity obtaining module 1002, a second data mapping module 1004, a key data generating module 1006, an encrypted data obtaining module 1008, and a data decrypting module 1010, wherein:
an identifier obtaining module 1002, configured to obtain a query object identifier corresponding to target object data to be queried;
the second data mapping module 1004 is configured to map the query object identifier based on the second mapping reference data to obtain a second mapping result.
The key data generating module 1006 is configured to obtain, based on the second mapping result, a decryption key corresponding to the query object identifier and second key alignment data.
An encrypted data obtaining module 1008, configured to obtain encrypted data sent by the data storage device; the encrypted data comprises ciphertext object data and first key alignment data which correspond to at least two candidate object identifications respectively, the ciphertext object data are obtained by encrypting plaintext object data corresponding to the candidate object identifications based on encryption keys corresponding to the candidate object identifications, the encryption keys and the first key alignment data corresponding to the candidate object identifications are obtained by mapping the candidate object identifications based on first mapping results corresponding to the candidate object identifications, the first mapping results are obtained by mapping the candidate object identifications based on first mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identification based on the first mapping reference data and the second mapping reference data are the same.
The data decryption module 1010 is configured to match the second key alignment data with each of the first key alignment data, and decrypt, based on the decryption key, ciphertext object data corresponding to the successfully matched first key alignment data to obtain target object data.
According to the data query device, in the whole data interaction process, the data storage device cannot acquire the query object of the data query device, and the data query device cannot acquire the plaintext data of other objects except the plaintext object data of the query object, so that the data safety of the data storage device and the data query device is guaranteed.
The modules in the data query device can be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 11. The computer device includes a processor, a memory, an Input/Output interface (I/O for short), and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing data such as object identification, mapping reference data, plaintext object data and the like. The input/output interface of the computer device is used for exchanging information between the processor and an external device. The communication interface of the computer device is used for connecting and communicating with an external terminal through a network. The computer program is executed by a processor to implement a data query method.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 12. The computer apparatus includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input device. The processor, the memory and the input/output interface are connected by a system bus, and the communication interface, the display unit and the input device are connected by the input/output interface to the system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The input/output interface of the computer device is used for exchanging information between the processor and an external device. The communication interface of the computer device is used for communicating with an external terminal in a wired or wireless manner, and the wireless manner can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a data query method. The display unit of the computer equipment is used for forming a visual and visible picture, and can be a display screen, a projection device or a virtual reality imaging device, the display screen can be a liquid crystal display screen or an electronic ink display screen, the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the configurations shown in fig. 11 and 12 are block diagrams of only some of the configurations relevant to the present disclosure, and do not constitute a limitation on the computing devices to which the present disclosure may be applied, and that a particular computing device may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is further provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, in which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In one embodiment, a computer program product or computer program is provided that includes computer instructions stored in a computer-readable storage medium. The computer instructions are read by a processor of the computer device from a computer-readable storage medium, and the computer instructions are executed by the processor to cause the computer device to perform the steps of the above-described method embodiments.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, displayed data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the relevant laws and regulations and standards of the relevant country and region.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, databases, or other media used in the embodiments provided herein can include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high-density embedded nonvolatile Memory, resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene Memory, and the like. Volatile Memory can include Random Access Memory (RAM), external cache Memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a block chain based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing based data processing logic devices, etc., without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.
Claims (18)
1. A method for querying data, applied to a data storage device, the method comprising:
acquiring at least two candidate object identifications and plaintext object data corresponding to each candidate object identification;
mapping each candidate object identifier based on first mapping reference data to obtain a first mapping result corresponding to each candidate object identifier;
generating an encryption key and first key alignment data based on a first mapping result corresponding to the same candidate object identifier, and encrypting corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data;
sending the ciphertext object data and the first key alignment data respectively corresponding to each candidate object identifier to data query equipment, so that the data query equipment matches the second key alignment data corresponding to the query object identifier with each first key alignment data, and based on a decryption key corresponding to the query object identifier, decrypting the ciphertext object data corresponding to the successfully matched first key alignment data to obtain target object data corresponding to the query object identifier;
the decryption key and the second key alignment data are obtained based on a second mapping result, the second mapping result is obtained by mapping the query object identifier based on second mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data are the same.
2. The method according to claim 1, wherein the mapping each candidate object id based on the first mapping reference data to obtain a first mapping result corresponding to each candidate object id comprises:
acquiring a public key between the data query device and the data storage device;
performing data conversion on the current object identifier based on the public key to obtain first conversion data corresponding to the current object identifier; the first conversion data comprises a plurality of first subdata which are arranged in sequence;
acquiring mapping subdata corresponding to each first subdata from the first mapping reference data based on the first subdata and the sequencing information of the first subdata;
and obtaining a first mapping result corresponding to the current object identifier based on each mapping subdata.
3. The method according to claim 2, wherein performing data conversion on the current object identifier based on the public key to obtain first conversion data corresponding to the current object identifier comprises:
performing hash processing on the current object identifier to obtain a first hash processing result;
and fusing the public key and the first hash processing result to obtain the first conversion data.
4. The method of claim 2, wherein the first mapping reference data is a first mapping reference matrix, and the obtaining the mapping sub-data corresponding to each first sub-data from the first mapping reference data based on the first sub-data and the ordering information of the first sub-data comprises:
taking the first subdata as first position information corresponding to a first matrix direction, and taking sequencing information of the first subdata as second position information corresponding to a second matrix direction, wherein the first matrix direction and the second matrix direction are perpendicular to each other;
and acquiring matrix data positioned by the first position information and the second position information corresponding to the same first subdata from the first mapping reference matrix as mapping subdata to obtain the mapping subdata corresponding to each first subdata.
5. The method of claim 2, wherein obtaining the first mapping result corresponding to the current object identifier based on the mapping sub-data comprises:
splicing the mapping subdata based on the sequencing information of the first subdata to obtain first spliced data;
and carrying out Hash processing on the first splicing data to obtain the first mapping result.
6. The method according to claim 1, wherein the obtaining of the first mapping reference data comprises the steps of:
acquiring a first asymmetric key and a second asymmetric key sent by the data query equipment;
determining a target asymmetric key from the first asymmetric key and the second asymmetric key based on key reference information corresponding to a target mapping position, and encrypting the target symmetric key based on the target asymmetric key to obtain a first encryption result;
sending the first encryption result to the data query device, so that the data query device decrypts the first encryption result based on a first private key corresponding to the first asymmetric key and a second private key corresponding to the second asymmetric key respectively to obtain a first decryption result and a second decryption result, encrypts second mapping sub-data corresponding to a target mapping position in the second mapping reference data based on the first decryption result to obtain a second encryption result, and encrypts third mapping sub-data corresponding to the target mapping position in third mapping reference data based on the second decryption result to obtain a third encryption result; the mapping results obtained by mapping the same object identifier based on the second mapping reference data and the third mapping reference data are the same;
acquiring the second encryption result and the third encryption result sent by the data query equipment;
determining a target encryption result from the second encryption result and the third encryption result based on key reference information corresponding to a target mapping position, and decrypting the target encryption result based on the target symmetric key to obtain first mapping sub-data corresponding to the target mapping position in the first mapping reference data;
and taking the next mapping position as an updated mapping position, taking the updated mapping position as a target mapping position, returning key reference information corresponding to the target mapping position, and executing the step of determining the target asymmetric key from the first asymmetric key and the second asymmetric key until determining first mapping sub-data corresponding to each mapping position in the first mapping reference data to obtain the first mapping reference data.
7. The method of claim 6, wherein determining the target asymmetric key from the first asymmetric key and the second asymmetric key based on the key reference information corresponding to the target mapping position comprises:
when the key reference information corresponding to the target mapping position is first preset information, taking the first asymmetric key as the target asymmetric key;
and when the key reference information corresponding to the target mapping position is second preset information, taking the second asymmetric key as the target asymmetric key.
8. The method according to claim 6, wherein the determining a target encryption result from the second encryption result and the third encryption result based on the key reference information corresponding to the target mapping position comprises:
when the key reference information corresponding to the target mapping position is first preset information, taking the second encryption result as the target encryption result;
and when the key reference information corresponding to the target mapping position is second preset information, taking the third encryption result as the target encryption result.
9. The method according to claim 6, wherein the third mapping reference data is obtained by fusing, by the data query device, the second mapping reference data and target mapping reference data, the target mapping reference data is obtained by performing data update on initial mapping reference data by the data query device based on second conversion data corresponding to the query object identifier, and the second conversion data is obtained by performing data conversion on the query object identifier based on a public key.
10. The method according to any one of claims 1 to 9, wherein generating the encryption key and the first key alignment data based on the first mapping result corresponding to the same candidate object identifier comprises:
and performing data segmentation on the first mapping result corresponding to the current object identifier to obtain an encryption key corresponding to the current object identifier and first key alignment data.
11. The method according to any one of claims 1 to 9, wherein encrypting the corresponding plaintext object data to obtain ciphertext object data based on the encryption key corresponding to the same candidate object identifier comprises:
acquiring encryption reference information, and acquiring initial ciphertext data corresponding to each candidate object identifier based on an encryption key and the encryption reference information corresponding to the same candidate object identifier;
and fusing the initial ciphertext data and the plaintext object data corresponding to the same candidate object identifier to obtain ciphertext object data corresponding to each candidate object identifier.
12. The method of claim 11, wherein the encryption reference information identifies corresponding first key alignment data for the candidate object.
13. A data query method, applied to a data query device, the method comprising:
acquiring a query object identifier corresponding to target object data to be queried;
mapping the query object identifier based on second mapping reference data to obtain a second mapping result;
obtaining a decryption key and second key alignment data corresponding to the query object identifier based on the second mapping result;
acquiring encrypted data sent by data storage equipment; the encrypted data comprises ciphertext object data and first key alignment data which correspond to at least two candidate object identifications respectively, the ciphertext object data are obtained by encrypting plaintext object data corresponding to the candidate object identifications based on encryption keys corresponding to the candidate object identifications, the encryption keys and the first key alignment data corresponding to the candidate object identifications are obtained based on first mapping results corresponding to the candidate object identifications, the first mapping results are obtained by mapping the candidate object identifications based on first mapping reference data, the first mapping reference data and the second mapping reference data are different, and mapping results obtained by mapping the same object identification based on the first mapping reference data and the second mapping reference data respectively are the same;
and matching the second key alignment data with each first key alignment data, and decrypting ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key to obtain the target object data.
14. A data query apparatus, characterized in that the apparatus comprises:
the data acquisition module is used for acquiring at least two candidate object identifications and plaintext object data corresponding to each candidate object identification;
the first data mapping module is used for respectively mapping each candidate object identifier based on first mapping reference data to obtain a first mapping result corresponding to each candidate object identifier;
the data encryption module is used for generating an encryption key and first key alignment data based on a first mapping result corresponding to the same candidate object identifier, and encrypting corresponding plaintext object data to obtain ciphertext object data based on the encryption key corresponding to the same candidate object identifier;
the data sending module is used for sending the ciphertext object data and the first key alignment data corresponding to each candidate object identifier to data query equipment so that the data query equipment matches the second key alignment data corresponding to the query object identifier with each first key alignment data, and decrypts the ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key corresponding to the query object identifier to obtain the target object data corresponding to the query object identifier;
the decryption key and the second key alignment data are obtained based on a second mapping result, the second mapping result is obtained by mapping the query object identifier based on second mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data are the same.
15. A data query apparatus, characterized in that the apparatus comprises:
the identification acquisition module is used for acquiring a query object identification corresponding to target object data to be queried;
the second data mapping module is used for mapping the query object identifier based on second mapping reference data to obtain a second mapping result;
a key data generation module, configured to obtain, based on the second mapping result, a decryption key and second key alignment data corresponding to the query object identifier;
the encrypted data acquisition module is used for acquiring encrypted data sent by the data storage equipment; the encrypted data comprises ciphertext object data and first key alignment data which correspond to at least two candidate object identifications respectively, the ciphertext object data are obtained by encrypting plaintext object data corresponding to the candidate object identifications based on encryption keys corresponding to the candidate object identifications, the encryption keys and the first key alignment data corresponding to the candidate object identifications are obtained based on first mapping results corresponding to the candidate object identifications, the first mapping results are obtained by mapping the candidate object identifications based on first mapping reference data, the first mapping reference data and the second mapping reference data are different, and mapping results obtained by mapping the same object identification based on the first mapping reference data and the second mapping reference data respectively are the same;
and the data decryption module is used for matching the second key alignment data with each first key alignment data, and decrypting ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key to obtain the target object data.
16. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 12 or 13.
17. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 12 or 13.
18. A computer program product comprising a computer program, characterized in that the computer program realizes the steps of the method of any one of claims 1 to 12 or 13 when executed by a processor.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210109193.9A CN114491637A (en) | 2022-01-28 | 2022-01-28 | Data query method and device, computer equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210109193.9A CN114491637A (en) | 2022-01-28 | 2022-01-28 | Data query method and device, computer equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114491637A true CN114491637A (en) | 2022-05-13 |
Family
ID=81477748
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210109193.9A Pending CN114491637A (en) | 2022-01-28 | 2022-01-28 | Data query method and device, computer equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114491637A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115118458A (en) * | 2022-05-31 | 2022-09-27 | 腾讯科技(深圳)有限公司 | Data processing method and device, computer equipment and storage medium |
| CN115935429A (en) * | 2022-12-30 | 2023-04-07 | 上海零数众合信息科技有限公司 | Data processing method, device, medium and electronic equipment |
-
2022
- 2022-01-28 CN CN202210109193.9A patent/CN114491637A/en active Pending
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115118458A (en) * | 2022-05-31 | 2022-09-27 | 腾讯科技(深圳)有限公司 | Data processing method and device, computer equipment and storage medium |
| WO2023231817A1 (en) * | 2022-05-31 | 2023-12-07 | 腾讯科技(深圳)有限公司 | Data processing method and apparatus, and computer device and storage medium |
| CN115118458B (en) * | 2022-05-31 | 2024-04-19 | 腾讯科技(深圳)有限公司 | Data processing method, device, computer equipment and storage medium |
| CN115935429A (en) * | 2022-12-30 | 2023-04-07 | 上海零数众合信息科技有限公司 | Data processing method, device, medium and electronic equipment |
| CN115935429B (en) * | 2022-12-30 | 2023-08-22 | 上海零数众合信息科技有限公司 | Data processing method, device, medium and electronic equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11658814B2 (en) | System and method for encryption and decryption based on quantum key distribution | |
| WO2021114927A1 (en) | Method and apparatus for multiple parties jointly performing feature assessment to protect privacy security | |
| JP6547079B1 (en) | Registration / authorization method, device and system | |
| KR101843340B1 (en) | Privacy-preserving collaborative filtering | |
| JP6180177B2 (en) | Encrypted data inquiry method and system capable of protecting privacy | |
| US10476662B2 (en) | Method for operating a distributed key-value store | |
| CN108811519A (en) | System and method for establishing the link between identifier in the case of underground identification information specific | |
| US20130262863A1 (en) | Searchable encryption processing system | |
| JP2014119486A (en) | Secret retrieval processing system, secret retrieval processing method, and secret retrieval processing program | |
| CN114491637A (en) | Data query method and device, computer equipment and storage medium | |
| TW202042526A (en) | Reliable user service system and method | |
| CN114036565A (en) | Private information retrieval system and private information retrieval method | |
| US10594473B2 (en) | Terminal device, database server, and calculation system | |
| CN111368328A (en) | Data storage method and device, computer readable storage medium and electronic equipment | |
| US20170200020A1 (en) | Data management system, program recording medium, communication terminal, and data management server | |
| CN114398656A (en) | File encryption method, file decryption method, file encryption device, file decryption device, computer equipment and storage medium | |
| CN114240347A (en) | Business service secure docking method and device, computer equipment and storage medium | |
| CN108650268A (en) | It is a kind of realize multistage access can search for encryption method and system | |
| CN117371011A (en) | Data hiding query method, electronic device and readable storage medium | |
| US11133926B2 (en) | Attribute-based key management system | |
| CN116132065A (en) | Key determination method, device, computer equipment and storage medium | |
| CN109409111A (en) | It is a kind of to search for method generally towards encrypted image | |
| CN113193954A (en) | Key management method | |
| CN115296808B (en) | Key replacing method, device, computer equipment and storage medium | |
| CN110830252A (en) | Data encryption method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |