CN115567326A - A blockchain-based data transaction method and device - Google Patents

Info

Publication number: CN115567326A
Authority: CN (China)
Prior art keywords: data, key, ciphertext, private, blockchain
Legal status: Granted
Application number: CN202211544709.9A
Other languages: Chinese (zh)
Other versions: CN115567326B (en)
Inventors: 马兆丰, 王晶宇, 段鹏飞, 胡绍洲
Current Assignee: Beijing University of Posts and Telecommunications
Original Assignee: Beijing University of Posts and Telecommunications
Application filed by: Beijing University of Posts and Telecommunications
Priority to: CN202211544709.9A
Publication of CN115567326A
Application granted
Publication of CN115567326B
Status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108: Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • H04L67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention provides a blockchain-based data transaction method and device. The method makes full use of symmetric and asymmetric encryption to complete subject identity authentication and the transmission of the initial key and the private data, which improves security. In addition, by introducing verification of a limited decryption time, time-limited sharing of specified data can be achieved. The blockchain-based data transaction method constructs a transmission encryption mechanism that can be applied to various blockchain platforms while meeting the privacy requirements of special subjects, thereby enhancing business expansion capability.

Description

A blockchain-based data transaction method and device

Technical field

The present invention relates to the technical field of data communication, and in particular to a blockchain-based data transaction method and device.

Background

Blockchain is essentially a distributed ledger technology that stores and verifies transactions in a decentralized manner, with a large number of peer nodes jointly maintaining its consistency, which makes on-chain transaction data open and transparent. Transaction data in a blockchain is packaged and stored in blocks, and the blocks are linked by hash values, which ensures that on-chain data is tamper-resistant and traceable. Because blockchain removes the dependence on third parties to verify and record transactions, it can serve as the trust foundation of existing application systems and be put to use in fields such as finance, education, and medical care.

Cryptography is the core of blockchain and is used to ensure the integrity, non-repudiation and tamper resistance of transaction information. The cryptographic algorithms underlying blockchain technology mainly include hash algorithms and asymmetric encryption algorithms. A hash algorithm is applied to the previous block, and the resulting fixed-length digest is saved in the current block, which gives the blockchain its integrity and tamper resistance. With asymmetric encryption algorithms, the transaction initiator digitally signs the transaction with its own private key to ensure the integrity of the transmitted transaction and the non-repudiation of its sender.

Existing public blockchain platforms lack encryption algorithms that support enterprise-level applications, cannot address the privacy requirements of specific subjects, and cannot meet those subjects' needs for private data security and time-limited sharing.

Summary of the invention

In view of this, embodiments of the present invention provide a blockchain-based data transaction method and device to eliminate or mitigate one or more defects in the prior art, providing a blockchain-based encrypted transmission method that meets the private transmission needs of specific subjects.

One aspect of the present invention provides a blockchain-based data transaction method, comprising the following steps:

The data provider generates an initial key based on symmetric encryption and uses a preset key expansion algorithm to generate a round key from the initial key;

The data provider encrypts the private data with the round key to obtain a first ciphertext;

The data provider encodes and modulates the initial key according to a preset covert transmission rule to obtain concealed information;

A verification node in the blockchain network obtains a first public key and a corresponding first private key according to system parameters, publishes the first public key, and stores the first private key locally;

The data provider generates a limited decryption time for the private data, encrypts the concealed information and the limited decryption time with the first public key to obtain a second ciphertext, and encrypts the first ciphertext with the first public key to obtain a third ciphertext;

The data provider applies to a designated certificate authority for registration and obtains a first digital certificate and a first signature private key, and the data receiver applies to the designated certificate authority for registration and obtains a second digital certificate and a second signature private key;

The data provider uploads the second ciphertext and the third ciphertext to the blockchain network using the first digital certificate and the first signature private key; an accounting node of the blockchain network authenticates the first digital certificate and the first signature private key and, once authentication passes, stores the second ciphertext and the third ciphertext on-chain;

The data receiver sends a data request to a verification node of the blockchain network using the second digital certificate and the second signature private key;

The verification node of the blockchain network authenticates the second digital certificate and the second signature private key; once authentication passes, it queries the second ciphertext and the third ciphertext stored on-chain and decrypts them with the first private key, recovering the concealed information, the limited decryption time and the first ciphertext;

The verification node of the blockchain network checks against the limited decryption time whether the limit has currently been exceeded and, if it has not, sends the recovered concealed information and the first ciphertext to the data receiver;

The data receiver demodulates and decodes the recovered concealed information according to the preset covert transmission rule to recover the initial key, regenerates the round key from the recovered initial key using the preset key expansion algorithm, and decrypts the recovered first ciphertext with the regenerated round key to obtain the private data.

In some embodiments, before the data provider generates the initial key based on symmetric encryption and uses the preset key expansion algorithm to generate the round key from the initial key, the method further includes:

The data provider and the data receiver jointly determine and initialize the covert transmission rule, and determine the code table and modulation symbol table used for covert transmission.

In some embodiments, in the preset key expansion algorithm, the initial key expression is:

[Figure 537149DEST_PATH_IMAGE001]

The system parameter expression is:

[Figure 140168DEST_PATH_IMAGE002]

The fixed parameter expression is:

[Figure 314798DEST_PATH_IMAGE003]

The formula for calculating the round key is:

[Figure 977860DEST_PATH_IMAGE004]

[Figure 500590DEST_PATH_IMAGE005]

Here, the invertible transformation is [Figure 907300DEST_PATH_IMAGE006], where [Figure 264332DEST_PATH_IMAGE007] is a nonlinear transformation and [Figure 832717DEST_PATH_IMAGE008] is a linear transformation.

In some embodiments, when the verification node in the blockchain network obtains the first public key and the corresponding first private key according to the system parameters, the first public key and the first private key are obtained using the SM2 elliptic curve public-key cryptographic algorithm.

In some embodiments, before the data provider generates the initial key based on symmetric encryption and uses the preset key expansion algorithm to generate the round key from the initial key, the method further includes: the data provider determines whether the data to be transmitted is ordinary data or private data; if it is ordinary data, it is sent directly to the blockchain network for on-chain storage.

In some embodiments, the limited decryption time is preset according to the business type of the private data. The limited decryption time may be marked directly with a timestamp, or it may be constrained by setting a decryption period combined with the timestamp at which the data provider uploaded the private data.

In some embodiments, after the accounting node of the blockchain network authenticates the first digital certificate and the first signature private key and, once authentication passes, stores the second ciphertext and the third ciphertext on-chain, the method further includes: computing hash values of the second ciphertext and the third ciphertext with the SM3 algorithm and storing them on-chain.

In some embodiments, the method uses the BCCSP cryptographic module to provide key generation, message signing and verification, hash algorithms, and encryption and decryption.

In another aspect, the present invention also provides a blockchain-based data transaction device comprising a processor and a memory, where computer instructions are stored in the memory and the processor executes the computer instructions stored in the memory; when the computer instructions are executed by the processor, the device implements the steps of the above method.

In another aspect, the present invention also provides a computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the above method.

The beneficial effects of the present invention are at least the following:

In the blockchain-based data transaction method and device of the present invention, a round key is generated from the initial key by the preset key expansion algorithm and used to encrypt the private data, which is stored on-chain; the initial key is transmitted in encrypted form between the data provider and the data receiver by means of the preset covert transmission rule; and the data receiver regenerates the round key from the initial key with the preset key expansion algorithm and decrypts to obtain the private data. Symmetric and asymmetric encryption are fully used to complete subject identity authentication and the transmission of the initial key and the private data, which improves security. In addition, by introducing verification of the limited decryption time, time-limited sharing of specified data can be achieved.

Further, the blockchain-based data transaction method of the present invention constructs a transmission encryption mechanism that can be adapted to various blockchain platforms while meeting the privacy requirements of special subjects, thereby enhancing business expansion capability.

Additional advantages, objects and features of the present invention will be set forth in part in the description that follows, and in part will become apparent to those of ordinary skill in the art upon study of what follows, or may be learned from practice of the invention. The objects and other advantages of the invention may be realized and attained by the structure particularly pointed out in the description and the accompanying drawings.

Those skilled in the art will understand that the objects and advantages that can be achieved with the present invention are not limited to those specifically described above, and the above and other objects that the present invention can achieve will be more clearly understood from the following detailed description.

Description of the drawings

The drawings described here are provided for further understanding of the present invention and form part of this application; they do not limit the present invention. In the drawings:

Fig. 1 is a diagram of the national cryptographic algorithm (SM) blockchain network architecture in which the blockchain-based data transaction method is implemented according to an embodiment of the present invention.

Fig. 2 is a flow chart of the blockchain-based data transaction method according to an embodiment of the present invention.

Detailed description

To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the embodiments and the accompanying drawings. The exemplary embodiments of the present invention and their descriptions are used to explain the present invention and do not limit it.

It should also be noted that, to avoid obscuring the present invention with unnecessary detail, the drawings show only the structures and/or processing steps closely related to the solution according to the present invention and omit other details that have little to do with it.

It should be emphasized that the term "comprising/including", when used herein, refers to the presence of a feature, element, step or component, but does not exclude the presence or addition of one or more other features, elements, steps or components.

It should also be noted that, unless otherwise specified, the term "connection" herein may refer not only to a direct connection but also to an indirect connection through an intermediary.

Embodiments of the present invention are described below with reference to the accompanying drawings. In the drawings, the same reference numerals denote the same or similar components, or the same or similar steps.

To meet the special privacy requirements of institutions such as medical, taxation, government and bidding agencies, to adapt to different kinds of blockchain platforms, and to facilitate business expansion, a new encrypted transmission mechanism can be constructed so that national cryptographic (SM) algorithms can be introduced and deployed together with existing blockchain platforms.

For example, Hyperledger Fabric is an enterprise-grade, open-source permissioned blockchain platform hosted by the Linux Foundation, and is currently a representative consortium-chain platform in the blockchain field. The architecture of the Fabric platform is highly modular, so modules can be upgraded independently, which improves extensibility. The Fabric platform consists of three parts, the Fabric network, Fabric-CA and Fabric-SDK, which interact to form the complete Fabric transaction flow.

First, the Fabric-SDK application client applies to the certificate authority Fabric-CA for registration and obtains an identity certificate. The client can then submit transaction proposals to endorsing nodes in the Fabric blockchain network. Once the client has collected enough endorsement results, it packages them and submits the transaction to the ordering node. The ordering node uses the PBFT consensus algorithm (Practical Byzantine Fault Tolerance) to package all transactions and generate blocks. Finally, the ordering node broadcasts the block to all peer nodes using the Gossip protocol, and each peer node updates the distributed ledger after verifying that the transactions in the block are correct. The Fabric platform provides calling interfaces such as the client SDK and chaincode API, and offers services such as identity management and account management to Fabric applications. Every step of the Fabric blockchain network transaction flow involves digital signature and signature verification operations, which ensure ownership of the client's private key and the non-repudiation of transactions. Transaction signing and verification are provided by the underlying security and cryptographic service. This service includes the BCCSP component, which provides Fabric with key generation, message signing and verification, hash algorithms, and encryption and decryption.

The Hyperledger Fabric platform lacks an effective encryption algorithm that meets the needs of specific enterprise-level subjects and guarantees the security and time-limited sharing of private on-chain data. To build a national cryptographic (SM) blockchain secure sharing model for enterprise-level applications of the Fabric platform in China, a new encryption algorithm system can be constructed.

Specifically, one aspect of the present invention provides a blockchain-based data transaction method comprising the following steps S101 to S111:

Step S101: The data provider generates an initial key based on symmetric encryption and uses a preset key expansion algorithm to generate a round key from the initial key.

Step S102: The data provider encrypts the private data with the round key to obtain a first ciphertext.

Step S103: The data provider encodes and modulates the initial key according to a preset covert transmission rule to obtain concealed information.

Step S104: A verification node in the blockchain network obtains a first public key and a corresponding first private key according to system parameters, publishes the first public key, and stores the first private key locally.

Step S105: The data provider generates a limited decryption time for the private data, encrypts the concealed information and the limited decryption time with the first public key to obtain a second ciphertext, and encrypts the first ciphertext with the first public key to obtain a third ciphertext.

Step S106: The data provider applies to a designated certificate authority for registration and obtains a first digital certificate and a first signature private key, and the data receiver applies to the designated certificate authority for registration and obtains a second digital certificate and a second signature private key.

Step S107: The data provider uploads the second ciphertext and the third ciphertext to the blockchain network using the first digital certificate and the first signature private key; an accounting node of the blockchain network authenticates the first digital certificate and the first signature private key and, once authentication passes, stores the second ciphertext and the third ciphertext on-chain.

Step S108: The data receiver sends a data request to a verification node of the blockchain network using the second digital certificate and the second signature private key.

Step S109: The verification node of the blockchain network authenticates the second digital certificate and the second signature private key; once authentication passes, it queries the second ciphertext and the third ciphertext stored on-chain and decrypts them with the first private key, recovering the concealed information, the limited decryption time and the first ciphertext.

Step S110: The verification node of the blockchain network checks against the limited decryption time whether the limit has currently been exceeded and, if it has not, sends the recovered concealed information and the first ciphertext to the data receiver.

Step S111: The data receiver demodulates and decodes the recovered concealed information according to the preset covert transmission rule to recover the initial key, regenerates the round key from the recovered initial key using the preset key expansion algorithm, and decrypts the recovered first ciphertext with the regenerated round key to obtain the private data.

In some embodiments, before step S101, that is, before the data provider generates the initial key based on symmetric encryption and uses the preset key expansion algorithm to generate the round key from the initial key, the method further includes: the data provider and the data receiver jointly determine and initialize the covert transmission rule, and determine the code table and modulation symbol table used for covert transmission. The covert transmission rule is agreed and set between the data provider and the data receiver and is used exclusively for transmitting the initial key. The data provider encodes and modulates according to the agreed rule, and the data receiver decodes and demodulates according to the same rule, achieving encrypted transmission of the initial key.

In some embodiments, in step S101, in the preset key expansion algorithm, the initial key can be expressed as:

[Figure 845672DEST_PATH_IMAGE009]

The system parameter expression is:

[Figure 790494DEST_PATH_IMAGE010]

The fixed parameter expression is:

[Figure 205295DEST_PATH_IMAGE011]

The round key calculation formula is:

[Figure 944581DEST_PATH_IMAGE012]

[Figure 116937DEST_PATH_IMAGE013]

Here, the invertible transformation is [Figure 868379DEST_PATH_IMAGE014], where [Figure 137687DEST_PATH_IMAGE015] is a nonlinear transformation and [Figure 047874DEST_PATH_IMAGE016] is a linear transformation.

In step S102, the round keys are used to encrypt the private data to obtain the first ciphertext. The plaintext input is
Figure 35421DEST_PATH_IMAGE017
, the round keys are
Figure 118784DEST_PATH_IMAGE018
, and the reversible transformation is
Figure 242598DEST_PATH_IMAGE019
, where
Figure 589265DEST_PATH_IMAGE015
is a nonlinear transformation and
Figure 470634DEST_PATH_IMAGE020
is a linear transformation. The encryption algorithm then operates as follows:

Figure 295370DEST_PATH_IMAGE021
, and the ciphertext output is
Figure 536340DEST_PATH_IMAGE022
. This encryption operation is denoted:
Figure 850647DEST_PATH_IMAGE023
.
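The structure described above (initial key, system parameter, fixed parameter, round keys, and a reversible transformation built from a nonlinear and a linear part) is that of the SM4 block cipher, which the specific embodiment names as the symmetric algorithm. The following is an added example, not code from the patent: a Python implementation of SM4 key expansion and single-block encryption and decryption, with constants and formulas taken from the public SM4 specification (GB/T 32907-2016) because the patent's formula images are not reproduced on this page.

```python
"""SM4 key expansion and single-block encryption/decryption (added example).

Constants and formulas follow the public SM4 specification, not the patent's
figures, which are not reproduced on this page.
"""

# S-box used by the nonlinear transformation (one byte in, one byte out).
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05"
    "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62"
    "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8"
    "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887"
    "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1"
    "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f"
    "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8"
    "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684"
    "18f07dec3adc4d2079ee5f3ed7cb3948"
)

# System parameter FK, XORed into the 128-bit initial key.
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
# Fixed parameter CK: byte j of word i is (4*i + j) * 7 mod 256.
CK = [int.from_bytes(bytes((4 * i + j) * 7 % 256 for j in range(4)), "big")
      for i in range(32)]


def rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def tau(a: int) -> int:
    """Nonlinear transformation: S-box applied to each of the four bytes."""
    return int.from_bytes(bytes(SBOX[b] for b in a.to_bytes(4, "big")), "big")


def t_round(a: int) -> int:
    """Reversible transformation used in the encryption rounds."""
    b = tau(a)
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)


def t_key(a: int) -> int:
    """Variant used in key expansion (different linear part)."""
    b = tau(a)
    return b ^ rotl(b, 13) ^ rotl(b, 23)


def expand_key(initial_key: bytes) -> list:
    """Derive the 32 round keys from a 16-byte initial key."""
    if len(initial_key) != 16:
        raise ValueError("SM4 initial key must be 16 bytes")
    k = [int.from_bytes(initial_key[4 * i:4 * i + 4], "big") ^ FK[i]
         for i in range(4)]
    for i in range(32):
        k.append(k[i] ^ t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]


def crypt_block(round_keys: list, block: bytes) -> bytes:
    """Run the 32 rounds and the final reverse transformation on one block."""
    if len(block) != 16:
        raise ValueError("SM4 block must be 16 bytes")
    x = [int.from_bytes(block[4 * i:4 * i + 4], "big") for i in range(4)]
    for rk in round_keys:
        x.append(x[-4] ^ t_round(x[-3] ^ x[-2] ^ x[-1] ^ rk))
    return b"".join(w.to_bytes(4, "big") for w in reversed(x[-4:]))


def encrypt_block(initial_key: bytes, plaintext: bytes) -> bytes:
    return crypt_block(expand_key(initial_key), plaintext)


def decrypt_block(initial_key: bytes, ciphertext: bytes) -> bytes:
    # Decryption is the same structure with the round keys in reverse order.
    return crypt_block(expand_key(initial_key)[::-1], ciphertext)
```

The functions process one 16-byte block; encrypting longer private data needs a mode of operation and padding on top, which the page does not specify.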

In step S103, the preset covert transmission rules mainly comprise the agreed code table
Figure 812787DEST_PATH_IMAGE024
and the modulation symbol table
Figure 441214DEST_PATH_IMAGE025
.

In some embodiments, in step S104, where the verification node in the blockchain network obtains the first public key and the corresponding first private key according to the system parameters, the first public key and the first private key are obtained with the SM2 elliptic curve public key cryptographic algorithm.

In some embodiments, before the data provider generates the initial key for symmetric encryption and derives the round keys from it with the preset key expansion algorithm, the method further includes: the data provider determines whether the data to be transmitted is ordinary data or private data; if it is ordinary data, it is sent directly to the blockchain network for on-chain storage.

Ordinary data and private data are distinguished and handled differently. Ordinary data needs no privacy protection and can be stored on chain and transmitted directly, whereas private data is stored on chain and obtained by the data receiver through steps S101 to S111 above.

In step S105, the limited decryption time is a limit on how long the private data can be read. For sensitive data or data with a specific period of validity, the limited decryption time is set manually as a constraint, realizing time-limited sharing.

Specifically, in some embodiments, the limited decryption time is preset according to the business type of the private data. It can be marked directly with a timestamp, or constrained by setting a decryption period combined with the timestamp at which the data provider uploaded the private data.

In step S106, a third-party certification authority provides digital certificates and signatures to the data provider and the data receiver. For example, in Hyperledger Fabric, Fabric-CA is used to apply for enrollment and registration and to obtain identity certificates.

In some embodiments, in step S107, after the accounting node of the blockchain network authenticates the first digital certificate and the first signature private key and, once authentication passes, stores the second ciphertext and the third ciphertext on chain, the method further includes: computing hash values of the second ciphertext and the third ciphertext with the SM3 algorithm and storing them on chain.

In steps S108 to S111, the data receiver queries the blockchain for the private data it needs and decrypts step by step, in the reverse order of the encryption flow, to recover the original private data.

In some embodiments, the method uses the BCCSP cryptographic module to provide key generation, message signing and verification, hash algorithms, and encryption and decryption.

In another aspect, the present invention further provides a blockchain-based data transaction device comprising a processor and a memory. Computer instructions are stored in the memory, the processor is configured to execute the computer instructions stored in the memory, and when the computer instructions are executed by the processor the device implements the steps of the above method.

In another aspect, the present invention further provides a computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the above method.

The present invention is described below with reference to specific embodiments:

To realize secure sharing of transaction data on a national cryptographic (Guomi) blockchain platform, as shown in Figure 1, the present invention provides a blockchain-based data transaction method. The system model of the method comprises three types of entity: the data provider, the national cryptographic blockchain network and the data receiver. The data provider is an institution, such as a medical, tax, government or tendering body, that provides data to the demand side. The national cryptographic blockchain network is a Fabric blockchain platform in which the underlying cryptographic algorithms of the Fabric platform have been replaced with national cryptographic algorithms. The data receiver is the party that needs data to realize various business applications, including using user data for medical research, rating user credit, obtaining users' personal information to complete various services, and project tendering and bidding.

This embodiment provides a blockchain-based data transaction method which, as shown in Figure 2, includes the following steps:

Step 1. Initialize the covert transmission rules, generating the rules for processing messages during covert transmission. The data provider and the data receiver initialize in advance the message processing rules used for covert transmission, including the code table
Figure 274041DEST_PATH_IMAGE024
and the modulation symbol table
Figure 634615DEST_PATH_IMAGE025
.

Step 2. The data provider generates the initial key for the SM4 symmetric encryption algorithm. The data provider generates the initial key required by the SM4 symmetric encryption algorithm
Figure 818472DEST_PATH_IMAGE026
.

Step 3. The data provider generates the round keys from the initial key and encrypts the private data. From the initial key generated in step 2, the data provider generates the round keys
Figure 250590DEST_PATH_IMAGE027
; using the round keys
Figure 203503DEST_PATH_IMAGE028
it encrypts the user's
Figure 65804DEST_PATH_IMAGE029
, obtaining the ciphertext
Figure 533694DEST_PATH_IMAGE030
, that is,
Figure 238345DEST_PATH_IMAGE031
.

Step 4. The data provider encodes and modulates the initial key to generate the covert information. Following the message processing rules agreed with the data receiver, the data provider encodes and modulates the initial key
Figure 311343DEST_PATH_IMAGE032
to obtain the covert information
Figure 13720DEST_PATH_IMAGE033
, that is:
Figure 172169DEST_PATH_IMAGE034
.

Step 5. The verification node in the blockchain network obtains an SM2 public-private key pair according to the system parameters. The verification node in the blockchain network obtains the SM2 public-private key pair
Figure 680511DEST_PATH_IMAGE035
according to the system parameters, broadcasts
Figure 873595DEST_PATH_IMAGE036
publicly, and stores
Figure 871507DEST_PATH_IMAGE037
locally.

Step 6. The data provider encrypts the covert information and the data expiry time with the verification node's public key. The data provider generates the time limit for decrypting the private data
Figure 983163DEST_PATH_IMAGE038
, and then uses the verification node's public key
Figure 560775DEST_PATH_IMAGE039
to encrypt the data
Figure 280470DEST_PATH_IMAGE040
and
Figure 980441DEST_PATH_IMAGE041
separately, obtaining the ciphertexts
Figure 847903DEST_PATH_IMAGE042
and
Figure 635731DEST_PATH_IMAGE043
. That is:

Figure 537827DEST_PATH_IMAGE044

Figure 80804DEST_PATH_IMAGE045

Step 7. The SDK clients of the data provider and the data receiver each apply to the certificate authority for enrollment and registration. User registration: the SDK clients of the data provider and the data receiver each apply to the certificate authority for enrollment and registration, obtaining the digital certificates
Figure 435562DEST_PATH_IMAGE046
,
Figure 92327DEST_PATH_IMAGE047
and the signing private key
Figure 911247DEST_PATH_IMAGE048
.

Step 8. The data provider initiates a transaction to upload the encrypted data. The data provider's client initiates the transaction
Figure 625126DEST_PATH_IMAGE049
, uploading the encrypted ciphertexts
Figure 467180DEST_PATH_IMAGE050
and
Figure 659127DEST_PATH_IMAGE051
to the blockchain. The transaction takes the following form:

Figure 207920DEST_PATH_IMAGE052

Before the upload to the blockchain, each accounting node uses the public key of the data provider's client
Figure 92699DEST_PATH_IMAGE053
to verify the signature of the transaction
Figure 422049DEST_PATH_IMAGE054
. If verification passes, the transaction is hashed with SM3 and added to a block; if verification fails, the node refuses to upload the transaction to the blockchain.

Step 9. The data receiver sends a data request to the verification node. When the data receiver needs the private data
Figure 417687DEST_PATH_IMAGE055
uploaded by the data provider, its client sends a data request to the verification node's client.

Step 10. The verification node's client initiates a transaction to query the data. After receiving the request, the verification node's client initiates the transaction
Figure 169390DEST_PATH_IMAGE056
to query the blockchain for the data
Figure 225071DEST_PATH_IMAGE050
and
Figure 838455DEST_PATH_IMAGE051
, that is:
Figure 903363DEST_PATH_IMAGE057
. The transaction takes the following form:

Figure 223486DEST_PATH_IMAGE058

Step 11. The verification node decrypts the relevant data and checks whether the time has expired. The verification node uses its private key to decrypt
Figure 450068DEST_PATH_IMAGE050
and
Figure 754010DEST_PATH_IMAGE051
separately:

Figure 29134DEST_PATH_IMAGE059

Figure 469342DEST_PATH_IMAGE060

After decryption, the verification node determines whether the current time is exceeded. If the current time is exceeded, the verification node's client returns
Figure 869755DEST_PATH_IMAGE061
to the data requester. The transaction
Figure 192152DEST_PATH_IMAGE062
is initiated, uploading
Figure 598863DEST_PATH_IMAGE063
and
Figure 893578DEST_PATH_IMAGE064
. The transaction takes the following form:

Figure 461963DEST_PATH_IMAGE065

Step 12. The data receiver initiates a transaction to query the relevant data. The verification node's client notifies the data receiver that the data can be queried; the data receiver then initiates a transaction to query the blockchain for the data
Figure 474918DEST_PATH_IMAGE066
and
Figure 419740DEST_PATH_IMAGE067
, that is:
Figure 506645DEST_PATH_IMAGE068
. The transaction takes the following form:

Figure 511510DEST_PATH_IMAGE069

Step 13. The data receiver recovers the covert information using the processing rules. Following the message processing rules agreed with the data provider, the data receiver demodulates and decodes the covert information to obtain the initial symmetric key
Figure 743253DEST_PATH_IMAGE070
, that is:
Figure 491766DEST_PATH_IMAGE071
.

Step 14. The data receiver generates the round keys from the recovered initial symmetric key and decrypts the data. From the recovered initial symmetric key
Figure 761073DEST_PATH_IMAGE070
the data receiver generates the round keys
Figure 733577DEST_PATH_IMAGE072
; using the round keys
Figure 721125DEST_PATH_IMAGE073
it decrypts the user's ciphertext private data
Figure 742170DEST_PATH_IMAGE074
, obtaining the decrypted text
Figure 131563DEST_PATH_IMAGE075
, that is,
Figure 884756DEST_PATH_IMAGE076
. This completes the private data sharing process between the data provider and the data receiver.

To describe the technical solution of the present invention more clearly, specific implementations are now described in detail with reference to the accompanying drawings, in which Figure 1 is the system model for privacy protection on the national cryptographic blockchain and Figure 2 is the flow of the transaction data privacy protection method based on national cryptographic algorithms.

This embodiment first constructs a model for private and secure sharing of transaction data on a national cryptographic blockchain, and then gives a blockchain transaction data privacy protection method that supports the national cryptographic algorithm suite. The data to be put on chain is divided into ordinary data and private data, and the transaction sender must encrypt the private data. A symmetric encryption algorithm is used to encrypt the private data, ensuring that only the transaction receiver can obtain it. The symmetric key shared by the two parties is transmitted through a blockchain covert channel, which effectively protects the symmetric key. In addition, this embodiment uses the SM2 public key encryption algorithm to verify the validity period of the data, which suits scenarios such as bidding and file download.

The parameters used in this embodiment are listed in Table 1:

Table 1. Meanings of the parameters used in this embodiment

Figure 359599DEST_PATH_IMAGE078

This embodiment first gives the model for private and secure sharing of transaction data on a national cryptographic blockchain. The model comprises three types of entity: the data provider, the national cryptographic blockchain network and the data receiver:

The data provider is an institution, such as a medical, tax, government or tendering body, that provides data to the demand side. The data provider divides data into ordinary data and private data, and encrypts private data before uploading it to the blockchain network.

The national cryptographic blockchain network is a Fabric blockchain platform in which the underlying cryptographic algorithms of the Fabric platform have been replaced with the encryption algorithms of the present invention. After enrollment and registration, data providers are added as peer nodes to the different organizations of the network. The blockchain network contains a verification node whose main function is to verify signatures, checking that transactions are correct, and to check whether the ciphertext data uploaded to the blockchain by a data provider is within its validity period. Peer nodes can initiate transactions that invoke smart contracts to upload the relevant ciphertext data and share data in encrypted form, ensuring the security, integrity and timeliness of transaction data. The data receiver is the party that needs data to realize various business applications, including using user data for medical research, rating user credit, obtaining users' personal information to complete various services, and project tendering and bidding. The data receiver obtains the ciphertext data by initiating a data request transaction, and can decrypt it at its client to obtain the data.

In this embodiment, user data is divided into ordinary data and private data, and the data provider decides the type of the data. Ordinary data can be put on chain directly without threatening user privacy. Private data is encrypted by the user with a symmetric encryption algorithm to keep it secure on chain. The symmetric key used by the two parties is transmitted over a blockchain covert channel, which ensures the concealment, tamper resistance and interference resistance of the symmetric key. In addition, this document uses the SM2 encryption algorithm to implement validity verification of private data: the data may be decrypted only within the specified time, and once that time has passed the data can no longer be decrypted, ensuring the timeliness of the data.

The blockchain transaction data privacy protection method supporting the national cryptographic algorithm suite proposed in this embodiment is shown in Figure 2. It is implemented as follows:

Step a. Covert transmission rule initialization: the data provider and the data receiver initialize in advance the message processing rules used for covert transmission, including the code table
Figure 187266DEST_PATH_IMAGE079
and the modulation symbol table
Figure 227903DEST_PATH_IMAGE080
.

Step b. Key generation: the data provider generates the initial key required by the SM4 symmetric encryption algorithm
Figure 745472DEST_PATH_IMAGE081
.

Step c. Encryption: the data provider generates the round keys from the initial key
Figure 442032DEST_PATH_IMAGE082
; using the round keys
Figure 70460DEST_PATH_IMAGE083
it encrypts the user's
Figure 168866DEST_PATH_IMAGE084
, obtaining the ciphertext
Figure 529440DEST_PATH_IMAGE085
, that is,
Figure 713297DEST_PATH_IMAGE086
.

Step d. Covert information generation: following the message processing rules agreed with the data receiver, the data provider encodes and modulates the initial key
Figure 879836DEST_PATH_IMAGE087
to obtain the covert information
Figure 360977DEST_PATH_IMAGE088
, that is:
Figure 954769DEST_PATH_IMAGE089
.

Step e. Public-private key pair generation: the verification node in the blockchain network obtains the SM2 public-private key pair
Figure 422660DEST_PATH_IMAGE090
according to the system parameters, broadcasts
Figure 392890DEST_PATH_IMAGE091
publicly, and stores
Figure 200309DEST_PATH_IMAGE092
locally.

Step f. Data encryption: the data provider generates the time limit for decrypting the private data
Figure 230582DEST_PATH_IMAGE093
, and then uses the verification node's public key
Figure 654610DEST_PATH_IMAGE094
to encrypt the data
Figure 428531DEST_PATH_IMAGE095
and
Figure 93386DEST_PATH_IMAGE096
separately, obtaining the ciphertexts
Figure 294560DEST_PATH_IMAGE097
and
Figure 612409DEST_PATH_IMAGE098
. That is:

Figure 783496DEST_PATH_IMAGE099

Figure 299928DEST_PATH_IMAGE100

Step g. User registration: the SDK clients of the data provider and the data receiver each apply to the certificate authority for enrollment and registration, obtaining the digital certificates
Figure 344108DEST_PATH_IMAGE101
,
Figure 477149DEST_PATH_IMAGE102
and the signing private key
Figure 327293DEST_PATH_IMAGE103
.

Step h. Putting data on chain: the data provider's client initiates the transaction
Figure 26128DEST_PATH_IMAGE104
, uploading the encrypted ciphertexts
Figure 769437DEST_PATH_IMAGE097
and
Figure 186512DEST_PATH_IMAGE098
to the blockchain. The transaction takes the following form:

Figure 574768DEST_PATH_IMAGE105

Before the upload to the blockchain, each accounting node uses the public key of the data provider's client
Figure 3475DEST_PATH_IMAGE106
to verify the signature of the transaction
Figure 982933DEST_PATH_IMAGE107
. If verification passes, the transaction is hashed with SM3 and added to a block; if verification fails, the node refuses to upload the transaction to the blockchain.

Step i. Data request: when the data receiver needs the private data
Figure 559408DEST_PATH_IMAGE108
uploaded by the data provider, its client sends a data request to the verification node's client.

Step j. Verification node data query: after receiving the request, the verification node's client initiates the transaction
Figure 282513DEST_PATH_IMAGE109
to query the blockchain for the data
Figure 893623DEST_PATH_IMAGE097
and
Figure 778402DEST_PATH_IMAGE098
, that is:
Figure 907420DEST_PATH_IMAGE110
. The transaction takes the following form:

Figure 168637DEST_PATH_IMAGE111

Step k. Time verification: the verification node uses its private key to decrypt
Figure 634253DEST_PATH_IMAGE097
and
Figure 955513DEST_PATH_IMAGE098
separately:

Figure 506580DEST_PATH_IMAGE112

Figure 978013DEST_PATH_IMAGE113

After decryption, the verification node determines whether the current time is exceeded. If the current time is exceeded, the verification node's client returns
Figure 563715DEST_PATH_IMAGE114
to the data requester. Otherwise it initiates the transaction
Figure 790297DEST_PATH_IMAGE115
, uploading
Figure 94239DEST_PATH_IMAGE116
and
Figure 717767DEST_PATH_IMAGE117
. The transaction takes the following form:

Figure 157975DEST_PATH_IMAGE118

Step l. Data receiver data query: the verification node's client notifies the data receiver that the data can be queried; the data receiver then initiates a transaction to query the blockchain for the data
Figure 352196DEST_PATH_IMAGE116
and
Figure 143435DEST_PATH_IMAGE117
, that is:
Figure 18987DEST_PATH_IMAGE119
. The transaction takes the following form:

Figure 579281DEST_PATH_IMAGE120

Step m. Key recovery: following the message processing rules agreed with the data provider, the data receiver demodulates and decodes the covert information to obtain the initial symmetric key
Figure 678824DEST_PATH_IMAGE121
, that is:
Figure 691780DEST_PATH_IMAGE122
.

Step n. Decryption: from the recovered initial symmetric key
Figure 373952DEST_PATH_IMAGE121
the data receiver generates the round keys
Figure 460857DEST_PATH_IMAGE123
; using the round keys
Figure 465722DEST_PATH_IMAGE124
it decrypts the user's ciphertext private data
Figure 293870DEST_PATH_IMAGE125
, obtaining the decrypted text
Figure 448908DEST_PATH_IMAGE126
, that is,
Figure 983794DEST_PATH_IMAGE127
. This completes the private data sharing process between the data provider and the data receiver.
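The path the initial key takes through steps d, k and m, as an added example that is not code from the patent: the provider encodes and modulates the key, the verification node releases the covert message only while the limited decryption time holds (in either of the two forms described earlier: a direct timestamp, or an upload timestamp plus a period), and the receiver demodulates and decodes. The code table, symbol table and field names are hypothetical, and the SM2 encryption to the verification node and the on-chain transactions are left out.

```python
"""Covert key encoding and the verification node's expiry gate (added example).

The code table, modulation symbol table and record fields are hypothetical;
the patent's own tables and transaction formats are not reproduced on this page.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical code table: 4-bit value -> 4-bit Gray codeword.
CODE_TABLE = {n: format(n ^ (n >> 1), "04b") for n in range(16)}
# Hypothetical modulation symbol table: two code bits -> one channel symbol.
SYMBOL_TABLE = {"00": "A", "01": "C", "10": "G", "11": "T"}
# Inverse tables held by the receiver.
DECODE = {codeword: n for n, codeword in CODE_TABLE.items()}
DEMOD = {symbol: bits for bits, symbol in SYMBOL_TABLE.items()}


def encode_modulate(key: bytes) -> str:
    """Provider side (step d): initial key -> covert message."""
    bits = "".join(CODE_TABLE[b >> 4] + CODE_TABLE[b & 0x0F] for b in key)
    return "".join(SYMBOL_TABLE[bits[i:i + 2]] for i in range(0, len(bits), 2))


def demodulate_decode(message: str) -> bytes:
    """Receiver side (step m): covert message -> initial key."""
    # Four symbols carry one byte; reject anything the tables cannot explain.
    if len(message) % 4 or any(s not in DEMOD for s in message):
        raise ValueError("message does not fit the agreed tables")
    bits = "".join(DEMOD[s] for s in message)
    nibbles = [DECODE[bits[i:i + 4]] for i in range(0, len(bits), 4)]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def deadline(limit: dict) -> datetime:
    """Resolve either form of the limited decryption time to one instant."""
    if "not_after" in limit:                          # direct timestamp
        return limit["not_after"]
    return limit["uploaded_at"] + limit["valid_for"]  # upload time + period


def validator_release(message: str, limit: dict, now: datetime):
    """Verification node (step k), after decrypting the message and the limit.

    Returns the covert message for re-publication while the limit holds,
    or None once it has passed, in which case the requester is refused.
    """
    if now.tzinfo is None:
        raise ValueError("use timezone-aware timestamps")
    return message if now <= deadline(limit) else None
```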

In summary, in the blockchain-based data transaction method and device of the present invention, round keys are generated from the initial key with the preset key expansion algorithm and used to encrypt the private data, which is stored on chain; the initial key is transmitted in encrypted form between the data provider and the data receiver under the preset covert transmission rules; and the data receiver regenerates the round keys from the initial key with the preset key expansion algorithm and decrypts to obtain the private data. Symmetric and asymmetric encryption are both used to complete the identity authentication of the parties and the transmission of the initial key and the private data, improving security. In addition, by introducing verification of the limited decryption time, time-limited sharing of specified data can be realized.

Further, the blockchain-based data transaction method of the present invention builds a transmission encryption mechanism that, while meeting the privacy requirements of particular parties, can be adapted to various blockchain platforms, enhancing the ability to expand to new business.

Corresponding to the above method, the present invention further provides a blockchain-based data transaction device/system. The device/system includes computer equipment comprising a processor and a memory; computer instructions are stored in the memory, the processor is configured to execute the computer instructions stored in the memory, and when the computer instructions are executed by the processor the device/system implements the steps of the method described above.

An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the aforementioned edge computing server deployment method. The computer-readable storage medium may be a tangible storage medium such as random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a floppy disk, a hard disk, a removable storage disk, a CD-ROM, or any other form of storage medium known in the art.

Those of ordinary skill in the art will understand that the exemplary components, systems and methods described in connection with the embodiments disclosed herein can be implemented in hardware, software, or a combination of the two. Whether they are executed in hardware or software depends on the specific application and the design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each specific application, but such implementations should not be regarded as exceeding the scope of the present invention. When implemented in hardware, the implementation may be, for example, an electronic circuit, an application-specific integrated circuit (ASIC), suitable firmware, a plug-in, a function card, and so on. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The programs or code segments can be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave.

It should be made clear that the present invention is not limited to the specific configurations and processes described above and shown in the drawings. For brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method of the present invention is not limited to the specific steps described and shown; those skilled in the art, having understood the spirit of the present invention, can make various changes, modifications and additions, or change the order of the steps.

In the present invention, features described and/or illustrated for one embodiment can be used in the same or a similar manner in one or more other embodiments, and/or can be combined with or substituted for features of other embodiments.

The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, various modifications and changes may be made to the embodiments of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. A blockchain-based data transaction method, characterized in that the method comprises the following steps:
generating, by a data provider, an initial key based on symmetric encryption, and generating a round key from the initial key using a preset key expansion algorithm;
encrypting, by the data provider, private data with the round key to obtain a first ciphertext;
encoding and modulating, by the data provider, the initial key according to a preset covert transmission rule to obtain covert information;
obtaining, by a verification node in the blockchain network, a first public key and a corresponding first private key according to system parameters, publishing the first public key, and storing the first private key locally;
generating, by the data provider, a limited decryption time for the private data, encrypting the covert information and the limited decryption time with the first public key to obtain a second ciphertext, and encrypting the first ciphertext with the first public key to obtain a third ciphertext;
applying, by the data provider, to a designated certificate authority for registration and obtaining a first digital certificate and a first signature private key, and applying, by the data receiver, to the designated certificate authority for registration and obtaining a second digital certificate and a second signature private key;
uploading, by the data provider using the first digital certificate and the first signature private key, the second ciphertext and the third ciphertext to the blockchain network, wherein an accounting node of the blockchain network authenticates the first digital certificate and the first signature private key and, after the authentication passes, stores the second ciphertext and the third ciphertext on-chain;
sending, by the data receiver using the second digital certificate and the second signature private key, a data request to the verification node of the blockchain network;
authenticating, by the verification node of the blockchain network, the second digital certificate and the second signature private key and, after the authentication passes, querying the second ciphertext and the third ciphertext stored on-chain and decrypting the second ciphertext and the third ciphertext with the first private key to recover the covert information, the limited decryption time and the first ciphertext;
checking, by the verification node of the blockchain network, according to the limited decryption time whether the current time has timed out and, if it has not, sending the recovered covert information and the first ciphertext to the data receiver;
demodulating and decoding, by the data receiver, the recovered covert information according to the preset covert transmission rule to recover the initial key, regenerating the round key from the recovered initial key using the preset key expansion algorithm, and decrypting the recovered first ciphertext with the regenerated round key to obtain the private data.

2. The blockchain-based data transaction method according to claim 1, characterized in that, before the data provider generates the initial key based on symmetric encryption and generates the round key from the initial key using the preset key expansion algorithm, the method further comprises:
jointly determining and initializing the covert transmission rule by the data provider and the data receiver, and determining the coding table and the modulation symbol table used for covert transmission.

3. The blockchain-based data transaction method according to claim 1, characterized in that, in the preset key expansion algorithm, the initial key expression is:
Figure 706555DEST_PATH_IMAGE002
the system parameter expression is:
Figure 420433DEST_PATH_IMAGE004
the fixed parameter expression is:
Figure 747640DEST_PATH_IMAGE006
the round key calculation formula is:
Figure 939587DEST_PATH_IMAGE008
Figure 550697DEST_PATH_IMAGE010
where the reversible transformation
Figure 941137DEST_PATH_IMAGE012
, in which
Figure 4908DEST_PATH_IMAGE014
is a nonlinear transformation and
Figure 016858DEST_PATH_IMAGE016
is a linear transformation.

4. The blockchain-based data transaction method according to claim 1, characterized in that, when the verification node in the blockchain network obtains the first public key and the corresponding first private key according to the system parameters, the first public key and the first private key are obtained using the SM2 elliptic curve public key cryptographic algorithm.

5. The blockchain-based data transaction method according to claim 1, characterized in that, before the data provider generates the initial key based on symmetric encryption and generates the round key from the initial key using the preset key expansion algorithm, the method further comprises:
distinguishing, by the data provider, whether the data to be transmitted is ordinary data or private data and, if the data to be transmitted is ordinary data, sending it directly to the blockchain network for on-chain storage.

6. The blockchain-based data transaction method according to claim 1, characterized in that the limited decryption time is preset according to the business type of the private data; the limited decryption time may be marked directly with a timestamp, or may be constrained by setting a decryption period combined with the timestamp at which the data provider uploaded the private data.

7. The blockchain-based data transaction method according to claim 1, characterized in that, after the accounting node of the blockchain network authenticates the first digital certificate and the first signature private key and, the authentication having passed, stores the second ciphertext and the third ciphertext on-chain, the method further comprises:
computing hash values of the second ciphertext and the third ciphertext using the SM3 algorithm, and storing them on-chain.

8. The blockchain-based data transaction method according to claim 1, characterized in that the method uses the BCCSP cryptographic module to provide key generation, message signing and verification, hash algorithms, and encryption and decryption.

9. A blockchain-based data transaction device, comprising a processor and a memory, characterized in that computer instructions are stored in the memory, the processor is configured to execute the computer instructions stored in the memory, and when the computer instructions are executed by the processor the device implements the steps of the method according to any one of claims 1 to 8.

10. A computer-readable storage medium on which a computer program is stored, characterized in that, when executed by a processor, the program implements the steps of the method according to any one of claims 1 to 8.
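The timeout check that the verification node performs in claim 1, with the two ways of expressing the limited decryption time from claim 6, can be sketched as follows. This is an added example, not code from the patent; the names `DecryptionLimit` and `release`, the rejection of naive timestamps, and the treatment of the exact expiry instant as timed out are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


def _aware_utc(t: datetime) -> datetime:
    """Reject naive timestamps so local-time ambiguity cannot extend the window."""
    if t.tzinfo is None or t.utcoffset() is None:
        raise ValueError("timestamp must carry a timezone")
    return t.astimezone(timezone.utc)


@dataclass(frozen=True)
class DecryptionLimit:
    """Limited decryption time, in one of the two forms claim 6 allows."""
    deadline: Optional[datetime] = None      # form 1: direct timestamp
    uploaded_at: Optional[datetime] = None   # form 2: upload timestamp ...
    period: Optional[timedelta] = None       # ... plus a decryption period

    def expiry(self) -> datetime:
        has_abs = self.deadline is not None
        has_rel = self.uploaded_at is not None or self.period is not None
        if has_abs == has_rel:
            raise ValueError("exactly one form of limit is required")
        if has_abs:
            return _aware_utc(self.deadline)
        if self.uploaded_at is None or self.period is None:
            raise ValueError("relative limit needs upload time and period")
        if self.period <= timedelta(0):
            raise ValueError("decryption period must be positive")
        return _aware_utc(self.uploaded_at) + self.period


def release(limit: DecryptionLimit, covert_info: bytes, first_ciphertext: bytes,
            now: datetime) -> Optional[Tuple[bytes, bytes]]:
    """Verification-node gate: forward the recovered values only before expiry.

    Returns None (nothing is forwarded) on timeout or on a malformed limit.
    Assumption: the instant of expiry itself counts as timed out.
    """
    try:
        if _aware_utc(now) >= limit.expiry():
            return None
    except ValueError:
        return None  # fail closed: an unusable limit never releases data
    return covert_info, first_ciphertext


if __name__ == "__main__":
    utc = timezone.utc
    uploaded = datetime(2023, 1, 3, 12, 0, tzinfo=utc)  # constructed sample values
    limit = DecryptionLimit(uploaded_at=uploaded, period=timedelta(hours=24))
    for delta in (timedelta(hours=1), timedelta(hours=24)):
        out = release(limit, b"covert", b"ct1", uploaded + delta)
        print(delta, "->", "released" if out else "refused")
```

Because the node runs this gate only after decrypting with the first private key, the limit holds only as far as that node's clock and behaviour can be trusted, and it no longer binds once the covert information has been released to the receiver.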
CN202211544709.9A 2022-11-21 2022-11-21 Data transaction method and device based on block chain Active CN115567326B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211544709.9A CN115567326B (en) 2022-11-21 2022-11-21 Data transaction method and device based on block chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211544709.9A CN115567326B (en) 2022-11-21 2022-11-21 Data transaction method and device based on block chain

Publications (2)

Publication Number Publication Date
CN115567326A true CN115567326A (en) 2023-01-03
CN115567326B CN115567326B (en) 2023-03-14

Family

ID=84770265

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211544709.9A Active CN115567326B (en) 2022-11-21 2022-11-21 Data transaction method and device based on block chain

Country Status (1)

Country Link
CN (1) CN115567326B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116112293A (en) * 2023-04-12 2023-05-12 中国信息通信研究院 Block chain-based data trusted transaction method and device, equipment and medium
CN116471053A (en) * 2023-03-24 2023-07-21 河北新冀网络传媒有限公司 Data security encryption transmission method and system based on block chain
CN116846539A (en) * 2023-09-01 2023-10-03 奇点数联(北京)科技有限公司 Data acquisition method, electronic device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112989415A (en) * 2021-03-23 2021-06-18 广东工业大学 Private data storage and access control method and system based on block chain
US20210297272A1 (en) * 2020-03-19 2021-09-23 Jinan University Method and system for maintaining privacy and traceability of blockchain-based system
CN114615095A (en) * 2022-05-12 2022-06-10 北京邮电大学 Block chain cross-chain data processing method, relay chain, application chain and cross-chain network
CN115242555A (en) * 2022-09-21 2022-10-25 北京邮电大学 A supervised cross-chain privacy data sharing method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210297272A1 (en) * 2020-03-19 2021-09-23 Jinan University Method and system for maintaining privacy and traceability of blockchain-based system
CN112989415A (en) * 2021-03-23 2021-06-18 广东工业大学 Private data storage and access control method and system based on block chain
CN114615095A (en) * 2022-05-12 2022-06-10 北京邮电大学 Block chain cross-chain data processing method, relay chain, application chain and cross-chain network
CN115242555A (en) * 2022-09-21 2022-10-25 北京邮电大学 A supervised cross-chain privacy data sharing method and device

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
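Liu Jiawei et al.: "Research on restricted sharing technology for private credit data based on blockchain" *
Liu Jiawei et al.: "Research on restricted sharing technology for private credit data based on blockchain", 《信息网络安全》 *
Peng Junxia et al.: "Analysis of the AES and RSA hybrid encryption algorithm in blockchain applications" *
Peng Junxia et al.: "Analysis of the AES and RSA hybrid encryption algorithm in blockchain applications", 《电子技术与软件工程》 *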

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116471053A (en) * 2023-03-24 2023-07-21 河北新冀网络传媒有限公司 Data security encryption transmission method and system based on block chain
CN116471053B (en) * 2023-03-24 2023-10-20 河北新冀网络传媒有限公司 Data security encryption transmission method and system based on block chain
CN116112293A (en) * 2023-04-12 2023-05-12 中国信息通信研究院 Block chain-based data trusted transaction method and device, equipment and medium
CN116112293B (en) * 2023-04-12 2023-06-23 中国信息通信研究院 Block chain-based data trusted transaction method and device, equipment and medium
CN116846539A (en) * 2023-09-01 2023-10-03 奇点数联(北京)科技有限公司 Data acquisition method, electronic device and storage medium
CN116846539B (en) * 2023-09-01 2023-11-10 奇点数联(北京)科技有限公司 Data acquisition method, electronic device and storage medium

Also Published As

Publication number Publication date
CN115567326B (en) 2023-03-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant