CN116167092B - Secret state data query method and device, storage medium and electronic equipment - Google Patents
Secret state data query method and device, storage medium and electronic equipment Download PDFInfo
- Publication number
- CN116167092B CN116167092B CN202310451320.8A CN202310451320A CN116167092B CN 116167092 B CN116167092 B CN 116167092B CN 202310451320 A CN202310451320 A CN 202310451320A CN 116167092 B CN116167092 B CN 116167092B
- Authority
- CN
- China
- Prior art keywords
- data
- node
- secret
- data set
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The specification discloses a method, a device, a storage medium and an electronic device for inquiring secret data, wherein a data set containing secret data and a secret access address corresponding to the secret data is stored in a terminal in a tree structure, when the secret data is to be inquired, a designated leaf node corresponding to a target node of the data set storing the target secret data is determined from the tree structure based on the target secret access address of the target secret data, then the data set matched with the target secret access address is determined from the data sets stored by all nodes on a path between the designated leaf node and a root node, and the secret data in the determined data set is used as the inquired target secret data. According to the method, the target secret state data can be determined without traversing the secret state access addresses corresponding to the data groups stored in the terminal according to the target secret state access addresses, so that the demand of the query process on the computing resources is reduced, and the query efficiency is ensured.
Description
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method and apparatus for querying encrypted data, a storage medium, and an electronic device.
Background
The multiparty secure computation is to realize the computation and fusion of data between a plurality of non-mutually trusted devices under the premise of mutual confidentiality of the data aiming at the situation of no trusted third party.
Multiparty security calculations typically provide basic addition, multiplication, comparison, etc. calculations to suit various scenarios, e.g., model training, application of models, etc. Compared with the calculation of addition, comparison and the like of multiparty security calculation, in the scene of multiparty security calculation, the realization process of carrying out data query corresponding based on the address in the form of ciphertext data, namely, based on the password access address is generally complex, and more calculation resources are required to be consumed. Therefore, how to reduce the demand for computing resources when data query is performed based on the secret access address in multiparty security computing, and ensure the computing efficiency is a problem to be solved at present.
Based on the above, the present specification provides a method for performing a secret data query based on a secret access address.
Disclosure of Invention
The present disclosure provides a method, an apparatus, a storage medium, and an electronic device for querying encrypted data, so as to partially solve the foregoing problems in the prior art.
The technical scheme adopted in the specification is as follows:
the present disclosure provides a method for querying a secret data, where the method is applied to a terminal, where the terminal stores a plurality of data sets in a tree structure, one data set is composed of secret data and a secret access address corresponding to the secret data, the tree structure includes a plurality of nodes, and each node stores a plurality of data sets, including:
determining a target secret access address of target secret data to be queried;
determining a designated leaf node corresponding to a target node storing a data set containing the target secret data in the tree structure, and determining a path in the tree structure according to the designated leaf node and a root node; wherein the designated leaf node is a leaf node of a subtree corresponding to the target node;
migrating each data group stored by each node in the path to a cache of the terminal for storage;
and respectively matching each data group stored in the cache with the target secret access address, and determining secret data contained in the data group matched with the target secret access address as the inquired target secret data according to a matching result.
The present disclosure provides a secret data query device, the device is applied to a terminal, the terminal stores a plurality of data sets in a tree structure, one data set is composed of secret data and a secret access address corresponding to the secret data, the tree structure includes a plurality of nodes, each node stores a plurality of data sets, and the device includes:
the address determining module is used for determining a target secret access address of target secret data to be queried;
the path determining module is used for determining a specified leaf node corresponding to a target node storing a data set containing the target secret state data in the tree structure, and determining a path in the tree structure according to the specified leaf node and a root node; wherein the designated leaf node is a leaf node of a subtree corresponding to the target node;
the migration module is used for migrating each data group stored by each node in the path to the cache of the terminal for storage;
and the query module is used for respectively matching each data group stored in the cache with the target secret access address, and determining secret state data contained in the data group matched with the target secret access address as the queried target secret state data according to a matching result.
The present specification provides a computer readable storage medium storing a computer program which when executed by a processor implements the above-described method of cryptographic data querying.
The present specification provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the above-described method of cryptographic data querying when executing the program.
The above-mentioned at least one technical scheme that this specification adopted can reach following beneficial effect:
according to the secret data query method provided by the specification, a data group containing secret data and a secret access address corresponding to the secret data is stored in a terminal in a tree structure, when the target secret data is required to be queried, based on the target secret access address of the target secret data, leaf nodes of subtrees corresponding to target nodes of the data group storing the target secret data are determined from the tree structure and serve as designated leaf nodes, the data group stored by each node on a path between the designated leaf nodes and a root node is migrated to a cache of the terminal to be stored, the data group matched with the target secret access address is determined from the data groups stored in the cache, and the secret data in the determined data group are taken as queried target secret data.
According to the method, the target secret state data can be determined without traversing the secret state access addresses corresponding to the data groups stored in the terminal according to the target secret state access addresses, so that the demand of the query process on the computing resources is reduced, and the query efficiency is ensured.
Drawings
The accompanying drawings, which are included to provide a further understanding of the specification, illustrate and explain the exemplary embodiments of the present specification and their description, are not intended to limit the specification unduly. In the drawings:
FIG. 1 is a schematic flow chart of a method for querying the encrypted data provided in the present specification;
FIG. 2 is a schematic diagram of a tree structure provided herein;
FIG. 3 is a schematic flow chart of determining a final tree structure provided in the present specification;
fig. 4 is a schematic structural diagram of the device for querying the encrypted data provided in the present specification;
fig. 5 is a schematic view of the electronic device corresponding to fig. 1 provided in the present specification.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present specification more apparent, the technical solutions of the present specification will be clearly and completely described below with reference to specific embodiments of the present specification and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present specification. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
It should be noted that, all actions of acquiring signals, information or data in the present invention are performed under the condition of conforming to the corresponding data protection rule policy of the country of the location and obtaining the authorization given by the owner of the corresponding device.
With the explosive development of digital economies, the value of data has gained widespread acceptance by society. In the context of large data, since data can be copied and the copying cost is low, if the data is developed and circulated in a plaintext form, the risk of large-scale leakage of the data is increased drastically, and even personal privacy and national security are violated.
Based on the above practical situation, in order to overcome the problem that the data is easy to copy, a data encryption mode can be adopted, so that the data circulate in a ciphertext mode, and the safety and the controllability of the data in all links such as circulation, calculation, fusion and the like are ensured. The non-reference ciphertext may be in a form of encrypted data, and a plurality of holders of the non-reference ciphertext cannot obtain any information of the original data from the encrypted data, and in general, the non-reference ciphertext may be used for performing addition, multiplication, logic operation, comparison and other secret state calculations.
On the premise of calculating or executing the service based on the secret state data (i.e. the data in the ciphertext form), the secret state data is obtained. However, when the terminal accesses the encrypted data, in order to avoid copying the encrypted data, the terminal may generally set the storage address of the data to be the encrypted data, and query the data of the terminal itself through the storage address in the form of ciphertext data. That is, the terminal may query the corresponding data by using a secret data query manner based on the secret access address.
Under the condition that the address is the secret state data, the terminal can determine the target secret state data only by matching the target secret state access address of the target secret state data to be queried with the secret state access addresses of all secret state data stored by the terminal, and taking the secret state data corresponding to the matched secret state access address as the target secret state data. The method ensures the data security, but under the condition that the data volume of the target secret data stored by the terminal is large, the demand on computing resources is high, or the target secret data can be determined only after a long time is required, so that the query efficiency is low.
Based on the above, the present disclosure provides a method for querying the secret data, so that the terminal can query the target secret data without traversing the secret access addresses corresponding to each secret data stored by the terminal, thereby improving the query efficiency and reducing the requirement of querying the target secret data on computing resources.
It should be noted that in the scenario of multiparty security computation, the service is generally executed based on the secret data. However, the secret data query method described in the specification can be applied to a scenario in which secret data query is required based on a secret access address, and the scenario is not limited to a multiparty secure computing scenario. The specific application scenario of the method for querying the encrypted data in the present specification can be set according to the needs, and the present specification does not limit the specific application scenario.
The following describes in detail the technical solutions provided by the embodiments of the present specification with reference to the accompanying drawings.
Fig. 1 is a flow chart of a method for querying the encrypted data provided in the present specification, which specifically includes the following steps:
s100: and determining the target secret access address of the target secret data to be queried.
The method is characterized in that the method is different from matching a target secret access address with secret access addresses respectively corresponding to secret data stored by the terminal, and the secret data corresponding to the target secret access address is determined, so that the method has higher requirement on computing resources and lower query efficiency. The present specification provides a method for querying secret data, in which, when a terminal stores a data set including secret data and a secret access address corresponding to the secret data in a tree structure, a designated leaf node corresponding to a target node storing the data set including the target secret access address is determined from the tree structure according to a target secret access address of target secret data to be queried. And determining the path of the designated leaf node and the root node in the tree structure, and determining the data set containing the target secret access address from the data sets stored by the nodes on the path, thereby determining the target secret data. The target secret state data can be determined without matching the secret state access addresses corresponding to all the data groups stored in the terminal with the target secret state access addresses, so that the query efficiency is improved, and the demand on computing resources when data query is performed based on the secret state access addresses is reduced.
Based on the above brief description of the method for querying the encrypted data provided in the present specification, the method for querying the encrypted data provided in the present specification may be applied in a scenario where a terminal needs to execute a service based on encrypted data stored in the terminal itself. The method for inquiring the secret state data can be executed by the terminal. The terminal may be an electronic device such as an intelligent device, a server, or the like, and specifically, the type of the electronic device corresponding to the terminal may be set according to needs, which is not limited in this specification.
Based on the above, the terminal can determine the target secret data access address of the target secret data to be queried.
In particular, the terminal may receive a service request, where the service request is used to cause the terminal to perform a service based at least on the secret data stored by the terminal itself. The service may be a variety of services such as a query service, an authentication service, and the like.
The terminal can analyze the service request and determine a target secret access address corresponding to target secret data to be acquired for executing the service corresponding to the service request. The terminal may then determine target secret data based on the determined secret access address.
Further, the service request may also be a service identifier corresponding to a service to be executed by the terminal, so that the terminal may analyze the service request to determine a service identifier corresponding to the service to be executed by the terminal. Then, the terminal can determine the target secret access address corresponding to the service identifier from the corresponding relation between each service identifier and the secret access address stored in advance according to the service identifier. In particular, how the target secret access address is determined can be set according to needs, and this specification does not limit the present disclosure.
Of course, the service request may also be a preset service initiation condition in the terminal, and when the service initiation condition is satisfied, the service request is generated by the terminal itself. The service start condition may be that a certain pre-service is executed, or a certain time is reached, and the service start condition and how the service request is generated specifically may be set as required, which is not limited in this specification.
S102: and determining a designated leaf node corresponding to a target node storing the data group containing the target encrypted data in the tree structure, and determining a path in the tree structure according to the designated leaf node and a root node, wherein the designated leaf node is a leaf node of a subtree corresponding to the target node.
In one or more embodiments provided herein, the present disclosure may store a data set including the secret data based on the tree structure, and when the target secret data needs to be acquired, quickly determine the target secret data according to the tree structure. The data group containing the target secret state data is stored in the target node of the tree structure, and when the target secret state data needs to be determined, the data group containing the target secret state data can be determined from the obtained data group only by obtaining the data group stored by each node in the path containing the target node.
For each node in the tree structure, each node in the path between the leaf node of the subtree corresponding to the node and the root node of the tree structure contains the node. Based on the thought, the terminal can determine the designated leaf node from the leaf nodes of the subtrees corresponding to the target nodes after determining the target secret access address, and then determine the path between the designated leaf node and the root node of the tree structure, so as to realize the purpose of determining the data group containing the target secret data in the data groups acquired subsequently based on the determined path.
Specifically, in the terminal, the secret data and the secret access address corresponding to the secret data are stored in the form of a data set, that is, a data set includes one secret data and the secret access address corresponding to the secret data. Taking the secret data as 0 and the secret access address as 1 as an example, the corresponding data set can be (1, 0), and of course, can also be (0, 1)、()、(/>) And the like, and particularly how the data set is determined and stored in the terminal can be set according to needs, and the specification is not limited thereto.
And as previously mentioned, each data set is stored in a tree structure in this specification. Wherein the tree structure comprises a plurality of nodes. Specifically, the root node, the intermediate node, the leaf node and the like can be adopted. For each node, one or more data sets may be stored in the node, or the data sets may not be stored in the node, and specifically, how to store each data set in the node may be set according to needs, which is not limited in this specification.
The terminal may determine a correspondence between the target secret access address and a leaf node corresponding to the target node including the target secret access address after determining the target secret access address. As shown in fig. 2.
Fig. 2 is a schematic diagram of a tree structure provided in the present specification. The ellipse is each node, the number under the ellipse is the identification of the node, and the content in the ellipse is the data group stored in the ellipse. Taking the leaf node 0 as an example, the data set stored in the leaf node 0 is (1, 1), the corresponding secret access address of the data set is 1, and the secret data is 1.
If the target secret access address is 4 and the correspondence between the secret access address 4 and the leaf node 1 is stored in advance, it may be determined that the leaf node 1 is the leaf node corresponding to the target node storing the secret access address 4, that is, the target node is in the path between the leaf node 1 and the root node 6 of the tree structure. Therefore, the terminal can determine the designated leaf node corresponding to the target secret access address based on the corresponding relation between the prestored secret access address and the designated leaf node corresponding to the target node, and then determine the path according to the designated leaf node and the root node of the tree structure.
Of course, for each data set stored by the terminal itself, the terminal may randomly generate a correspondence between the secret access address included in the data set and the designated leaf node corresponding to the target node storing the data set. Or after the data set is filled into the tree structure, the terminal determines a target node for storing the data set, determines a subtree corresponding to the target node, and then randomly determines any leaf node from leaf nodes corresponding to the subtree as a designated leaf node corresponding to the target node. The present specification does not limit how the correspondence between the secret access address and the specified leaf node corresponding to the target node storing the data set is determined and may be set as needed.
Further, taking the designated leaf node corresponding to the node 3 in fig. 2 as the target node as an example, the terminal needs to acquire the data set stored by each node on the path between the node 3 and the node 6. But it is clear that node 5 and node 6 are empty, the terminal may only acquire the data set containing the target secret access address when acquiring the data set of each node on the path. In this case, the attacker can determine the service performed by the terminal and determine that the terminal only acquired the (3, 2) data set while performing the service. The attacker can determine that the (3, 2) data set stores the target secret data required for executing the service, thereby establishing the correspondence between the service and the target secret data. It can be seen that the target secret data is compromised to some extent. Then for each node in each tree structure, an invalid data set may be stored in that node in order to avoid the above.
Specifically, for each data set, the data set may include three parts of content: the method comprises the steps of encrypting the encrypted data, and judging whether the encrypted access address corresponding to the encrypted data and the encrypted data are valid or not.
Taking the secret data as 1, the access address corresponding to the secret data as 1, the secret data valid as 1, the secret data invalid as 0 as an example, and assuming that the secret data is valid, the data set can be (1, 1). If the secret data is invalid, the data set may be (1, 0). Wherein the secret data is valid, the secret data can be used to execute the service. If the secret data is invalid, the secret data can be the secret data randomly generated by the terminal, and the service cannot be executed based on the secret data.
Then, based on the above data sets, the valid data set and the invalid data set may be stored in the tree structure, and if the attacker determines the service executed by the terminal, the data sets acquired by the terminal are also plural. Since the attacker cannot determine whether the data set acquired in the terminal is a valid data set, and cannot determine whether the data sets stored in the tree structure in the terminal are all valid data sets, even if the valid data sets in the data sets acquired by the terminal are only (3, 2, 1). The attacker cannot determine the corresponding relation between the business and the target secret state data, so that the information security is ensured. The valid data set is a data set containing valid secret state data, and the invalid data set is a data set containing invalid secret state data.
Of course, how to characterize the validity of the secret data and how to determine the data set based on the validity of the secret data can be set according to the need, which is not limited in this specification.
S104: and migrating each data group stored by each node in the path to a cache of the terminal for storage.
In one or more embodiments provided herein, as described above, the target node storing the data set including the target secret access address is a certain node in the path determined in step S102. That is, the data group including the target secret access address is stored in a certain node in the path determined in step S102. Thus, the terminal can acquire each data set stored by each node in the path.
Based on the above, the terminal can migrate each data group stored by each node in the path to the buffer memory of the terminal for storage.
Specifically, the terminal may copy each data set stored in each node in the path, store the copy result in the buffer of the terminal, and delete each data set stored in each node in the path in the tree structure.
In order to avoid the data stored in the tree structure from being lost after the terminal is powered down, the terminal generally stores the data corresponding to the tree structure in the nonvolatile memory. The nonvolatile Memory may be a hard disk or a Read-Only Memory (ROM). Taking the example that the data in the tree structure is stored in the hard disk, the terminal can delete the data set stored by each node in the path of the tree structure after copying the data set stored by each node in the path into the cache.
Of course, the terminal may copy and store only each data group stored in each node in the path into the buffer of the terminal. The buffer may be a volatile memory in the terminal, or may be a separate storage space for storing a data set, which is divided by the terminal from its own nonvolatile memory for executing a service. The volatile memory may be a random access memory (Random Access Memory, RAM). The type corresponding to the cache can be set according to the requirement, and the specification does not limit the type.
S106: and respectively matching each data group stored in the cache with the target secret access address, and determining secret data contained in the data group matched with the target secret access address as the inquired target secret data according to a matching result.
In one or more embodiments provided herein, the terminal may determine the target secret data after acquiring each data set stored by each node in the path.
Specifically, the terminal may determine the secret access address included in each data set stored in the cache, traverse each data set, and match the target secret access address with the secret access address included in each data set. The terminal may determine the data set that matches the cryptographic access address based on the result of the match by traversing the data sets. Finally, the terminal can determine the secret data contained in the matched data set as the queried target secret data.
That is, the present disclosure does not need to match the target secret access address with the secret access addresses corresponding to all the secret data stored in the terminal when determining the target secret data, but determines a path in the tree structure based on the specified leaf node and the root node after determining the specified leaf node corresponding to the target node storing the data set including the target secret access address, and then obtains the data set stored by each node in the path from the obtained data set, so as to achieve the purpose of querying the target secret data. The computing resources required during the query are reduced, and the query efficiency of the target secret state data is ensured.
According to the method for inquiring the secret data, a data group containing secret data and a secret access address corresponding to the secret data is stored in a terminal in a tree structure, when the secret data is to be inquired, based on the secret access address of the secret data, leaf nodes of subtrees corresponding to target nodes of the data group storing the secret data are determined from the tree structure and serve as designated leaf nodes, the data group stored by each node on a path between the designated leaf nodes and a root node is migrated to a cache of the terminal to be stored, the data group matched with the secret access address of the secret data is determined from the data groups stored in the cache, and the secret data in the determined data group serve as inquired secret data. According to the method, the target secret state data can be determined without traversing the secret state access addresses corresponding to the data groups stored in the terminal according to the target secret state access addresses, so that the demand of the query process on the computing resources is reduced, and the query efficiency is ensured.
In one or more embodiments provided in the present specification, a terminal to which the method for querying the secret data in the present specification is applied may be applied in various scenarios. Taking the multiparty security computing scenario as an example, in the multiparty security computing scenario, a plurality of terminals exist, each terminal holds different secret state data, and the terminals participate in multiparty security computing together through the secret state data held by the terminals.
The terminal may then determine a target secret access task for the target secret data to be queried in response to the multiparty secure computing task. The multiparty secure computing task may be initiated by the terminal according to the received service request, or may be sent by other terminals participating in the multiparty secure computing task.
The terminal can process the target secret state data according to the processing mode carried in the multiparty security calculation task when the target secret state data is queried, and returns the processing result to other terminals participating in the multiparty security calculation.
Of course, the terminal may also send a service request or a multiparty security processing task to other terminals participating in multiparty security computation, and receive processing results sent by other terminals. The specific how the terminal participates in the multiparty security calculation and the specific flow of the multiparty security calculation can be set according to the needs, and the specification is not limited.
In addition, since the terminal obtains the target secret data, the terminal performs the service based on the target secret data. Therefore, in step S106, after determining the target secret data, the terminal may process the target secret data to execute the service.
Specifically, the processing mode may be carried in the service request received by the terminal, so that the terminal may determine to parse the acquired service request, determine the processing mode corresponding to the service request, and process the service request based on the processing mode corresponding to the processing request.
Of course, the terminal may store the corresponding relation between each service and the processing mode in advance, so the terminal may directly determine the service corresponding to the service identifier and the processing mode corresponding to the service according to the determined service identifier, and then process the target secret state data based on the processing mode. In particular, how to determine the processing manner can be set according to needs, and this specification is not limited thereto.
Further, if the target secret data is only processed after the target secret data is determined, the attacker can determine the corresponding relationship between the data set where the target secret data is located and the service based on the information such as the processing record, so that information leakage is caused. Therefore, the terminal can process the target secret data and pseudo-process the secret data in other data groups stored in the cache. The result of pseudo processing is the secret data itself, which is the secret data for each secret data.
The target secret state data is processed based on the processing mode, and the secret state data of other data groups stored in the cache is subjected to pseudo processing, so that under the condition that an attacker acquires a log corresponding to the terminal, the corresponding relation between the service and the secret state data can not be determined, and the information security is ensured.
Further, after the target secret data is processed, the target secret data may be changed, so as to ensure that the obtained target secret data is the secret data after the last processing when the target secret data is obtained later. The terminal may also backfill each data set into a tree structure storing each data set after processing the target secret data.
Specifically, the terminal may select, for each node in the path between the designated leaf node and the root node, a number of data sets to be backfilled into the node from among the data sets stored in its own cache. The terminal may update the tree structure according to the backfilled path.
Further, if the terminal historically migrates the data set including the target secret access address into the cache, but the data set in the cache is not backfilled into the tree structure in the process of backfilling the data set into the node, even if the data set is acquired from each node corresponding to the path in the tree structure, the acquired data set does not include the data set including the target secret access address. If the terminal is based on each data set stored in the cache, the terminal can determine the data set containing the target secret access address.
Therefore, the terminal's cache may store a historical data set, which is a data set that the terminal historically migrates into the cache, but is not backfilled back into the tree structure during the process of backfilling the data set in the cache into the node.
That is, the cache of the terminal may store two parts of data, one part is a data set that is historically migrated to the cache and is not backfilled to the tree structure, and the other part is a data set stored by each node in the path that the terminal determines based on the target secret access address.
The terminal may then determine each data set stored in each node in the path as a current data set and match the target secret access address with the current data set and the historical data set, respectively. Then based on the matching result, a data set containing the target cryptographic access address and the target cryptographic data may be determined.
Further, if the data set including the target secret data is stored in a node of the path of the tree structure, and if the data set including the target secret data is directly backfilled into the path, an attacker may monitor the service executed by the terminal for multiple times, and determine the corresponding relationship between each service and the designated leaf node corresponding to the target node storing the data set required for executing each service by the terminal, which may result in information leakage. Therefore, in order to avoid the occurrence of the above situation, after determining the data set containing the target secret access address, the terminal may further determine, from the leaf nodes contained in the tree structure, the target node storing the data set, and the designated leaf node corresponding to the target node.
Specifically, the terminal may redetermine the target node storing the data set including the target secret access address from each leaf node included in the tree structure.
Then, the terminal can randomly determine any leaf node from the leaf nodes of the subtrees corresponding to the target node according to the redetermined target node, and the determined leaf node is used as the designated leaf node corresponding to the redetermined target node.
Finally, the terminal may backfill the data set into the path according to the redefined designated leaf node. That is, when the newly determined designated leaf node matches the node, the terminal may regard the data set including the target secret access address as the data set corresponding to the node. If the designated leaf node is the same as the original leaf node, the data set may be backfilled into the leaf node of the path, and if the leaf node is not the same as the original leaf node, the data set may not be backfilled into the leaf node of the path.
Based on the above manner, since the target node corresponding to the data set containing the target secret data and the designated leaf node corresponding to the target node may change in each process of executing the service, even if an attacker monitors the service executed by the terminal for multiple times and obtains the corresponding path when the data set is obtained in the process of executing the service by the terminal, the corresponding relationship between the data set stored in the node in each path in the tree structure and each service cannot be determined, and information security is ensured.
Of course, the terminal may also determine any leaf node directly from the leaf nodes corresponding to the tree structure, use the determined leaf node as the designated leaf node corresponding to the data set, and select any node from the paths between the designated leaf node and the root node as the target node. How to redetermine the designated leaf node corresponding to the data group containing the target access data can be set according to the need, which is not limited in this specification.
In addition, during the backfilling of the data set to each node in the path, the data set may determine, for each node in the path, a data set corresponding to the node from the data sets stored in the cache, and backfill the data set corresponding to the node.
And because the storage space of each tree structure is limited, the storage space corresponding to each node is limited, and in the process of backfilling the data set corresponding to the node, the terminal can determine the number of the backfilled data sets in the node in real time, and judge whether the data set backfilled by the node reaches the upper storage limit of the node according to the determined number.
If so, the terminal can determine that the node backfilling is finished, and continue to backfill the data set for the next node in the path until the backfilling of all the nodes in the path is finished.
If not, the terminal may continue to backfill the node with the data set until the data set backfilled by the node reaches the upper storage limit of the node.
Further, since the leaf nodes corresponding to the data sets stored in the cache of the terminal may not be identical, when the data sets stored in the cache are backfilled into the nodes, if the data sets of each node in the path are backfilled into the root node, the data sets corresponding to other leaf nodes stored in the cache may not be backfilled into the path, and the storage space of the leaf nodes in the path may not reach the upper storage limit. More data is stored in the cache, and the utilization rate of the tree structure is low. Thus, the terminal may backfill the data set corresponding to each node in the path for that node in turn, starting from the leaf node, in a direction from the leaf node toward the root node.
Thus, in the manner described above, the data sets stored in the cache may be filled into the nodes on the path to the maximum extent. The situation that the cache is slow in processing when the data sets are processed due to the fact that more data sets are stored in the cache is avoided. The utilization rate of the tree structure is guaranteed, and meanwhile, the query efficiency is also guaranteed.
Further, for each node, there may be a case where the data set corresponding to the node is filled into the node, but still the storage upper limit corresponding to the node is not reached. In this case, if the tree structure is updated based on the path including the nodes that do not reach the upper limit of storage, and if the attacker acquires the remaining storage spaces corresponding to the nodes in the tree structure, the attacker can estimate the correspondence between the service and the data sets based on the remaining storage spaces corresponding to the nodes and the leaf nodes corresponding to the data sets acquired when the terminal executes the service, and information leakage is caused. Therefore, in order to avoid the above situation, when the data set corresponding to the node in the cache is all backfilled to the node, and the data set backfilled by the node still does not reach the upper storage limit of the node, the terminal may generate an empty data set according to the remaining storage space of the node, and continuously backfill the generated empty data set to the node.
The empty data set may be randomly generated by the terminal, or may be generated by the terminal by copying a valid data set stored in its own cache and changing a flag in a copy result, which is used to indicate whether the encrypted data included in the data set is valid, from valid to invalid. Taking the secret data as 4, the access address corresponding to the secret data as 5, the secret data as 1, the secret data as 0, and assuming that the valid data set stored in the cache is (5,4,1), the terminal can generate an invalid data set (5, 4, 0) as an empty data set according to the valid data set.
Then, the node includes a data set and a null data set corresponding to the node, and since an attacker cannot determine the distinction between the data set and the null data set, naturally cannot determine the data storage condition corresponding to each node, and cannot determine the correspondence between each node and each data set based on the data storage condition.
It should be noted that, for each node, the terminal may define in advance a storage upper limit corresponding to the node, that is, may store several data sets. The terminal may determine the number of data sets that the node may also store based on the remaining storage space of the node when determining the null data set based on the remaining storage space of the node, and then generate the null data set based on the number. Of course, the number of data sets corresponding to the storage upper limits corresponding to the nodes in the tree structure may be the same number or different numbers. How to set the storage upper limits corresponding to the nodes respectively can be set according to the needs, and the specification does not limit the storage upper limits.
In one or more embodiments provided herein, for each node, it may also occur that the node has been backfilled, but the data set corresponding to the node remains in the cache. In this case, the terminal may continue to store the remaining data set corresponding to the node that has not been backfilled into the node in the cache, and delete the data set that has been backfilled into the node. The terminal may then continue to determine data sets corresponding to other nodes for other nodes corresponding to the path and backfill the data sets stored in the terminal to the nodes. Or when the terminal inquires the secret state data next time and backfills each data set stored in the cache into the path, backfilling the rest data sets which correspond to the node and are not backfilled into the node.
Of course, for each data set backfilled to the node, the terminal may also change the valid data set stored in the cache to an invalid data set by changing a flag of whether the data set stored in the cache is valid. In particular, how to process the data set stored in the cache after backfilling the data set to the node may be set according to needs, which is not limited in this specification.
Further, for each data set, the terminal can determine the data set corresponding to each node before backfilling the data set to the node in the path, and then backfill each data set to the corresponding node when backfilling the data set to the node in the path, thereby improving the efficiency of data backfilling.
Specifically, the terminal may determine, for each node, a position of the node in the tree structure, and determine, for each data set, whether a leaf node corresponding to the data set matches a position of the node in the tree structure. I.e. whether the path between the leaf node and the root node to which the data set corresponds contains the node.
If yes, the terminal can use the data set as the data set corresponding to the node.
If not, the terminal can continue to determine the data set corresponding to the node.
Furthermore, since the encrypted access address and the encrypted data in the data set stored in each node in the tree structure stored in the terminal are in the ciphertext form, the node identifier corresponding to each node is also in the ciphertext form. Therefore, for each node, when the node identifier of the node and the node identifiers of the data sets are both in ciphertext form, it is obvious that the data set corresponding to the node cannot be directly determined. Based on this, the present description provides a way to determine a data set corresponding to a node based on the level and rank of the node in the tree structure.
Specifically, for each node, the terminal may determine an order corresponding to the node in a direction from the leaf node to the root node, and use the order as a hierarchy of the node. Meanwhile, the terminal may determine the order of the node in each node in its own hierarchy in the order from left to right, and regard the order as the rank of the node.
Taking node 0 in fig. 2 as an example, the level of node 0 is 0 and the order is 0. Whereas for node 4 in fig. 2, the level of this node 4 is 1 and the order is 0.
The terminal may then determine, for each data set, plaintext information for a leaf node corresponding to the data set, and determine a binary code corresponding to the plaintext information.
Finally, the terminal can judge whether the result of right shifting the binary code by the level bit is the bit number according to the determined level and order of the node.
If yes, the terminal can use the data set as the data set corresponding to the node.
If not, the terminal may not use the data set as the data set corresponding to the node.
Taking a binary code corresponding to plaintext information of a leaf node corresponding to a data set as an example, assuming that the level corresponding to the node is 1 and the bit order is 1, the result of right shifting the binary code 0010 by 1 bit is 0001, and the bit order corresponding to the node exactly corresponds to the bit order, so that the data set can be used as the data set corresponding to the node. It should be noted that, the plaintext information of a leaf node may be the rank of the leaf node in its own hierarchy.
Of course, the above description is made with the tree structure as a binary tree, and therefore, when determining the data group corresponding to the node, a binary code scheme based on the plaintext information corresponding to the leaf node is adopted.
In the practical application process, the corresponding structure of the tree structure can be a plurality of structures such as a three-fork tree, a four-fork tree, a multi-fork tree and the like. Obviously, when the tree structure is a plurality of structures such as a three-tree, a four-tree, a multi-tree, etc., the binary code based on the plaintext information corresponding to the leaf node of the data set is not appropriate. Thus, when backfilling a data set, the data set may first determine the type of tree structure to which the tree structure corresponds. And determining a system corresponding to the type according to the type, and determining data sets respectively corresponding to the nodes according to the system corresponding to the type.
Taking the tree structure type corresponding to the tree structure as a trigeminal tree as an example, the terminal can determine that the system corresponding to the trigeminal tree type is ternary according to the trigeminal tree type. The terminal may then determine, for each data set, the ternary code of the plaintext information for the leaf node to which the data set corresponds. Assuming that the ternary code corresponding to the plaintext information of the leaf node corresponding to the data set is 0012, if the level corresponding to the node is 1 and the rank is 1, the result of right shifting the ternary code 0012 by 1 bit is 0001, and the data set just corresponds to the rank corresponding to the node, and can be used as the data set corresponding to the node.
The type of tree structure corresponding to the tree structure and what kind of binary code is used to backfill the data set into each node in the path can be set according to the need, and the present specification does not limit the present specification.
In addition, as described above, in order to avoid information leakage, valid data sets and invalid data sets may be stored in the tree structure. Whether valid or invalid, may be a data set corresponding to a node. Therefore, if the data set can be backfilled into the node based on whether the data set is the data set corresponding to the node, a large number of invalid data sets may be stored in the tree structure, and more valid data sets are stored in the cache, so that the situation that the computing resources of the cache are occupied may occur. Based on this, in order to avoid the occurrence of the above, the terminal may further backfill the data group based on whether the data group is valid or not in the process of backfilling the data group to the node.
Specifically, for each data set stored in the tree structure, the data set may include three items of content: the method comprises the steps of encrypting the data, accessing addresses corresponding to the encrypted data and a first identification of a data set. Wherein the first identifier is used for representing whether the secret data in the data set is valid or not, and the first identifier can be a valid identifier and an invalid identifier. For each data group, if the first identifier of the data group is a valid identifier, the data group is a valid data group, and the secret data stored in the data group is also valid secret data. If the first identifier of the data set is an invalid identifier, the data set is an invalid data set, and the encrypted data stored in the data set is also invalid encrypted data. The valid identifier and the invalid identifier can be represented by numbers, character strings and Chinese characters. In particular, how the valid identifier and the invalid identifier are characterized can be set according to needs, and this specification does not limit the present invention.
The terminal may then determine, for each of the previously determined data sets corresponding to the node, a second identification of the data set as a valid identifier. Wherein the second identifier is used to characterize whether the data set corresponds to the node. For each data set, if the second identifier of the data set is a valid identifier, the data set is the data set corresponding to the node. If the second identifier of the data set is an invalid identifier, the data set is not the data set corresponding to the node. The valid identifier and the invalid identifier corresponding to the second identifier and the valid identifier and the invalid identifier corresponding to the first identifier can be represented by the same content or different content. Taking the effective identifier of the first identifier as 1 as an example, the effective identifier of the second identifier may be 1, 0, other character strings, etc. The effective identifier and the ineffective identifier of the first identifier and the second identifier can be set according to the needs, and the specification is not limited.
After determining the second identifier corresponding to each data set, the terminal may determine, from each data set stored in the cache, that the first identifier and the second identifier are both data sets of valid identifiers, and use the determined data sets of the first identifier and the second identifier, and , which are the valid identifiers, as each data set to be selected. Wherein, for each data set to be selected, the data set is both a valid data set and corresponds to the node.
And because the storage space corresponding to the node is limited, the situation that the number of the data groups to be selected is not matched with the storage space corresponding to the node may occur in the process of backfilling the node. If the data set stored in the node does not reach the upper storage limit of the node, information may be leaked. Therefore, the terminal can determine the storage upper limit corresponding to the preset data set, and then judge whether the number of each data set to be selected is smaller than the storage upper limit based on the storage upper limit and the number of each data set to be selected.
If not, the terminal can determine that the appointed number of the data sets to be selected are backfilled into the node from the data sets to be selected.
If the data set is smaller than the selected data set, the node also needs to store some invalid data sets. The terminal may generate a null data set according to the upper storage limit of the node and the number of each data set to be selected. The terminal may backfill the generated null data set and each of the candidate data sets into the node.
Wherein the sum of the number of empty data groups and the number of data groups to be selected is the number corresponding to the upper limit of storage. And either the first identifier or the second identifier corresponding to the null data set is an invalid identifier.
Based on the mode, the effective data set corresponding to the node can be backfilled into the node as much as possible, so that the condition of low query efficiency caused by more data stored in the cache is avoided, the information safety is ensured, and the utilization rate of the tree structure is improved.
Further, the terminal may generate the null data set in the following manner.
Specifically, the terminal may sort the data groups according to the first identifier and the second identifier corresponding to each data group stored in the cache. Taking the number as an example, the valid identifier and the invalid identifier are both assumed to be larger than the invalid identifier, if the sorting result is from high to low, the sorting result is sequentially from front to back: the first identifier and the second identifier are both data sets of valid identifiers, the first identifier or the second identifier is a data set of valid identifiers, and the first identifier and the second identifier are both data sets of invalid identifiers.
The terminal may then determine a specified number of data sets from the ranking result based on the upper storage limit of the node. Wherein the upper storage limit of the node is a data group which can store a specified number.
The determined specified number of data sets includes each data set to be selected, and the first identifier or the second identifier is the data set of the valid identifier. These data sets, of which the first or second identity is a valid identifier, are invalid for the node. The terminal may determine other data sets than each of the candidate data sets of the specified number of data sets as null data sets and determine a third identification of the null data sets as an invalid identifier.
Of course, the terminal may determine the null data set by randomly generating a data set including the first identifier as the null identifier, or randomly generating a data set including the second identifier as the null identifier, or both the first identifier and the second identifier as the null data set. The empty data sets may also be determined by sorting the data sets and determining the empty data sets based on the sorting result. How to generate the null data set can be set as required, which is not limited in this specification.
Further, after determining the null data set and the data set to be selected, the terminal may update the first identifier of the null data set stored in the node to an invalid identifier when backfilling the null data set into the node for each null data set. And for each data set to be selected, when the data set to be selected is backfilled to the node, the terminal can update the first identification of the data set to be selected stored in the cache to be an invalid identifier.
Based on the mode, for the data set to be selected which is backfilled into the node, the data set is updated into an invalid data set in the cache, and no deleting action exists, so that the information safety is ensured. And under the condition that the residual computing resources in the cache are low, invalid data groups stored in the cache can be emptied, so that the resource utilization rate in the cache is improved. For the empty data set backfilled into the node, the first identifier corresponding to the empty data set in the node is an invalid identifier, and if the empty data set in the node is subsequently migrated into the cache, the terminal can distinguish the empty data set from other valid data sets according to the first identifier corresponding to the empty data set, so that other services are executed, and the processing efficiency and the information safety are ensured.
In addition, in the present specification, when the number of data sets stored in the tree structure is large, the storage space occupied by the correspondence between the leaf node corresponding to the node storing the data set including the secret access address and the secret access address in the tree structure is also large, and the data set is easily stolen by an attacker. In this case, the terminal may store the correspondence between the leaf node corresponding to the node storing the secret access address in the tree structure and each secret access address in the form of ciphertext, that is, as new secret data, and store the data set including the new secret data in the new tree structure.
Specifically, the terminal can determine leaf nodes corresponding to nodes storing each secret access address as leaf nodes corresponding to each secret access address, and sort the corresponding relation between each secret access address and each leaf node according to the sequence of each secret access address to obtain an initial mapping table. The order of the secret access addresses in the initial mapping table may be from low to high or from high to low. Because the secret access addresses in the initial mapping table are in the form of ciphertext data, the terminal can compare the secret access addresses in pairs and sort the secret access addresses based on the comparison results so as to determine the initial mapping table.
Secondly, the terminal can group the initial mapping table according to the preset grouping size to obtain a grouping result. Wherein, for each grouping result, the number of the correspondence contained in the grouping result and the grouping size are positively correlated. The grouping size is used to indicate that a specified number of correspondences are divided into a group.
Taking the initial mapping table containing 100 corresponding relations and the grouping size being 5 as an example, the number of the corresponding grouping results is 20, and each grouping result contains 5 corresponding relations. If the packet size is 10, the number of corresponding packet results is 10, and each packet result contains 10 corresponding relations.
In order to avoid information leakage of the grouping results, the terminal can also determine the secret state data corresponding to each grouping result as each secret state grouping result. And aiming at each secret state grouping result, the secret state grouping result is in a ciphertext data form of the grouping result corresponding to the secret state grouping result.
Then, after determining the secret grouping result, the terminal can determine the secret access address corresponding to the secret grouping result. The terminal can determine the intermediate tree structure according to the determined number of the dense state grouping results and the storage space corresponding to the preset node. And determining the corresponding relation between the secret access address corresponding to each secret grouping result and each leaf node in the intermediate tree structure as an intermediate mapping table. For each data set, the storage space occupied by the data set when stored in the node is the same, so that the preset storage space corresponding to the node can be the preset number of data sets storable in the node.
After determining the intermediate mapping table, the terminal can fill the data sets corresponding to the secret grouping results into the intermediate tree structure according to the intermediate mapping table.
The secret access address corresponding to the secret grouping result may be determined according to the ordering of the grouping result corresponding to the secret grouping result in the initial mapping table in each grouping result, or may be randomly generated by the terminal. The corresponding relation between the secret access address corresponding to each secret grouping result and each leaf node in the intermediate tree structure can be randomly generated by the terminal, or can be determined based on the filling result after the terminal directly fills each data group into each node contained in the intermediate tree structure. In particular, how to determine the secret access address corresponding to the secret grouping result and determine the correspondence relationship contained in the intermediate mapping table can be set according to the needs, which is not limited in this specification.
Finally, the terminal can determine whether the size of the intermediate mapping table satisfies the end condition after filling the intermediate tree structure.
If yes, the terminal can take the intermediate mapping table as a final mapping table, and determine the intermediate tree structure corresponding to the intermediate mapping table as a final tree structure.
If not, the terminal needs to re-use the intermediate mapping table as an initial mapping table, and continues grouping according to the re-determined initial mapping table until the determined size of the intermediate mapping table meets the preset ending condition. The ending condition may be that the size of the intermediate mapping table is smaller than a preset first threshold. As shown in fig. 3.
Fig. 3 is a schematic flow chart of determining a final tree structure provided in the present specification. The upper tree structure in the figure is a tree structure in which a terminal stores a data group containing the secret data and the secret access address corresponding to the secret data, the middle tree structure is a tree structure in which the corresponding relationship between leaf nodes corresponding to nodes storing the data group containing the secret access address and the secret access addresses is stored, and the lower tree structure in the figure is a tree structure in which the mapping relationship of the middle tree structure is stored.
The terminal may sort the leaf nodes corresponding to the nodes storing the data set including the secret access addresses and the correspondence between the secret access addresses in the order from low to high, and group the sorting results according to a preset group size. The packet size in the figure is 2, and one packet result contains the corresponding relation of two secret access addresses. Taking re0 as an example, re0 is a secret grouping result corresponding to the grouping result including the correspondence of the secret access address 0 and the correspondence of the secret access address 1.
After each secret grouping result is determined, the terminal can determine the structure of the intermediate tree according to the number of the secret grouping results, determine the secret access address corresponding to each secret grouping result, and determine the corresponding relationship between each secret access address and each leaf node in the intermediate tree structure as an intermediate mapping table.
The structure of the intermediate tree may be determined for the terminal, by determining a minimum number of nodes required for storing the above-mentioned each secret grouping result, and then determining according to the minimum number and the tree structure of the intermediate number. The corresponding relation between the secret access address and the leaf nodes in the intermediate tree structure is the corresponding relation between the leaf nodes corresponding to the nodes storing the data group containing the secret access address and the secret grouping result corresponding to the secret access address and the secret access address.
After determining the intermediate mapping table, the terminal may fill the intermediate tree structure according to the intermediate mapping table, and determine whether the ending condition is satisfied according to the size of the intermediate mapping table. The end condition illustrated in the figure is that the size of the intermediate mapping table is smaller than 8 pieces of data, and it is apparent that the size of the intermediate mapping table does not satisfy the end condition.
The terminal can use the intermediate mapping table as the initial mapping table which is determined again, and continue grouping according to the initial mapping table which is determined again, so as to obtain a secret grouping result corresponding to the grouping result, and repeat the above process to determine the intermediate tree structure and the intermediate mapping table shown in the lower part of the diagram. The terminal may determine whether the intermediate mapping table satisfies the end condition after determining the intermediate mapping table. Obviously, the size of the intermediate mapping table satisfies the end condition.
The terminal may then determine the intermediate mapping table as the final mapping table and the intermediate tree structure as the final tree structure. Wherein re is used to characterize the relationship, i.e. the correspondence, fi is used to characterize the final relationship, i.e. the final correspondence.
Further, based on the specific tree structure stored in the tree structure, the terminal may determine the data set corresponding to the target secret access address in the following manner.
Specifically, the terminal may determine, according to the packet size, an address corresponding to the target secret access address in the final mapping table, as a decompressed address. Taking fig. 3 as an example, assuming that the target secret access address is 3, the terminal may divide the value corresponding to the target secret access address by (2×2), to obtain the address of the target secret access address in the final mapping table as 0. Wherein 2 x 2 is used to characterize the packet size of 2 employed by the terminal in determining the intermediate tree structure, and the terminal determines the intermediate tree structure twice in determining the final tree structure. If the packet size adopted by the terminal in determining the intermediate tree structure is 3, and the terminal determines the intermediate tree structure twice in determining the final tree structure, the corresponding value is 3×3. Of course, the packet size adopted by the terminal in determining each intermediate tree structure may also be different, and if the packet size adopted by the terminal in determining the intermediate tree structure for the first time is 2 and the packet size adopted in determining the intermediate tree structure for the second time is 2, the value corresponding to the target secret access address needs to be divided by (2×3) in determining the decompressed address.
Then, the terminal may determine, according to the final mapping table and the decompressed address, a correspondence between the decompressed address and leaf nodes in the final tree structure, and determine a path between a leaf node and a root node in the final tree structure as a first path.
And then, the terminal can determine each node in the first path, migrate the data group stored by each node in the first path into the cache, and determine the data group containing the decompression address as an intermediate data group according to the decompression address and each data group stored in the cache.
The terminal may further determine whether a packet result corresponding to the secret state packet result included in the intermediate data set includes a correspondence between the target secret state access address and a leaf node in the tree structure after determining the intermediate data set.
If so, the terminal can determine the corresponding relation between the secret access address and the leaf nodes in the tree structure from the grouping result corresponding to the secret grouping result.
If the node is not included, the terminal can use the intermediate tree structure for determining the final tree structure as the final tree structure, and redetermine the decompressed address according to the packet size and the target secret access address, and further continuously determine the secret packet result based on the redetermined decompressed address and the final tree structure until the packet result corresponding to the secret packet result determined by the terminal includes the corresponding relation between the designated leaf node corresponding to the target node and the target secret access address.
The terminal may determine a designated leaf node of the target node storing the data set including the target cryptographic access address according to a correspondence of the target cryptographic access address and the leaf node of the tree structure.
It should be noted that, in this specification, all actions of acquiring signals, information or data are performed under the condition of conforming to the corresponding data protection rule policy of the country of the location and obtaining the authorization given by the owner of the corresponding device.
Based on the same thought, the present disclosure further provides a device for querying the encrypted data, as shown in fig. 4.
Fig. 4 is a schematic diagram of a secret data query device provided in the present disclosure, where the device is applied to a terminal, and the terminal stores a plurality of data sets in a tree structure, and one data set is composed of secret data and a secret access address corresponding to the secret data, and the tree structure includes a plurality of nodes, and each node stores a plurality of data sets, where:
the address determining module 200 is configured to determine a target secret access address of target secret data to be queried.
A path determining module 202, configured to determine, in the tree structure, a designated leaf node corresponding to a target node storing a data set including the target secret data, and determine a path in the tree structure according to the designated leaf node and a root node; wherein the designated leaf node is a leaf node of the subtree corresponding to the target node.
And the migration module 204 is configured to migrate each data set stored by each node in the path to a cache of the terminal for storing.
And the query module 206 is configured to match each data set stored in the cache with the target secret access address, and determine, according to a matching result, secret data included in the data set matched with the target secret access address as the queried target secret data.
Optionally, the address determining module 200 is configured to determine, according to a received service request, a target secret access address carried in the service request as a target secret access address of target secret data to be queried.
Optionally, the query module 206 is configured to process the target secret data according to a processing manner carried in the service request, and perform pseudo processing on the secret data in other data sets stored in the cache, where a result of performing pseudo processing on the secret data in the other data sets is secret data in the other data sets, and backfill at least part of the processed data sets to each node in the path of the tree structure.
Optionally, one data set is composed of secret state data, a secret state access address corresponding to the secret state data, and a first identifier of the data set, where the first identifier is used to characterize whether the secret state data is valid, and the query module 206 is used to determine, for each data set corresponding to the node, a second identifier of the data set as a valid identifier, where the second identifier is used to characterize whether the data set corresponds to the node, determine, from the data sets, whether the first identifier and the second identifier are both data sets with valid identifiers, as each data set to be selected, determine whether the number of the data sets to be selected is less than a preset storage upper limit of the data set in the node, if so, generate each empty data set according to the storage upper limit of the node and the number of the data sets to be selected, and determine whether the generated empty data set and the data sets to be selected are backfilled into the node, and if not, determine whether the number of data sets to be selected is designated in the data sets to be backfilled into the node.
Optionally, the query module 206 is configured to sort the data sets according to the first identifier and the second identifier of each data set in the cache, select a specified number of data sets from the sorted result according to the upper storage limit of the node, determine, as each empty data set, other data sets except for each data set to be selected, and determine, as an invalid identifier, a third identifier of each empty data set, update, for each empty data set, the first identifier of the data set to be selected stored in the cache to be an invalid identifier when the data set to be selected is backfilled into the node, and update, for each empty data set, the first identifier of the empty data set stored in the node to be an invalid identifier when the empty data set is backfilled into the node.
Optionally, the number of the terminals is multiple, each terminal holds different secret state data, and the multiple terminals participate in multiparty security calculation together through secret state data held by the terminals, and the address determining module 200 is used for determining a target secret state access address of target secret state data to be queried in response to multiparty security calculation tasks; and the query module 206 is configured to process the target secret data according to the multiparty security calculation task when the target secret data is queried, and return a processing result to other terminals participating in the multiparty security calculation.
Optionally, the migration module 204 is configured to copy and store each data set stored by each node in the path of the tree structure into the cache of the terminal, and delete each data set stored by each node in the path of the tree structure from the hard disk of the terminal.
Optionally, a history data set is stored in the cache, where the history data set is a data set that is historically migrated to the cache but not backfilled to the tree structure, and a query module 206 is configured to determine each data set stored in each node in the path as a current data set, and match the target secret access address with the current data set and the history data set respectively.
Optionally, the query module 206 is configured to determine, for each node in the path in turn, a data set corresponding to the node from the data sets stored in the cache, backfill the data set corresponding to the node, determine, according to the number of data sets backfilled by the node, whether the data set backfilled by the node reaches the upper storage limit of the node, if yes, determine that the node backfills completely, and continue backfilling the data set on the next node in the path until backfilling all the nodes in the path is completed, and if no, continue backfilling the data set on the node.
Optionally, the query module 206 is configured to redetermine, from among the leaf nodes included in the tree structure, a target node storing the data set including the target secret access address, redetermine, according to the redetermined target node, a designated leaf node corresponding to the target node, and when the redetermined designated leaf node matches the node, use the data set including the target secret access address as the data set corresponding to the node.
Optionally, the query module 206 is configured to generate an empty data set according to the remaining storage space of the node when the data sets corresponding to the node in the cache are all backfilled to the node and the data sets backfilled by the node still do not reach the upper storage limit of the node, and continuously backfill the generated empty data set to the node.
Optionally, a correspondence between a secret access address and a node identifier of a leaf node in the tree structure is pre-stored in the terminal, where the identifier of the leaf node is secret data, a query module 206 is configured to determine a level and a rank of the node in the tree structure, where the level is an order of the node in a direction from the leaf node to a root node, the rank is an order of the node in each node in the level in a left-to-right order, for each data set, according to the secret access address included in the data set, determine a leaf node corresponding to the data set, determine plaintext information of the leaf node corresponding to the data set, determine a binary code corresponding to the plaintext information, where the leaf node corresponding to the data set is a leaf node of a subtree corresponding to the node storing the data set, determine whether a result of right shifting the binary code by the level is the rank, and if so, regard the data set as the data set corresponding to the node.
Optionally, the path determining module 202 is configured to determine leaf nodes corresponding to nodes storing each of the secret access addresses, order the corresponding relationships between each of the secret access addresses and each of the leaf nodes according to the order of each of the secret access addresses to obtain an initial mapping table, group the initial mapping table according to a preset group size, determine a grouping result, determine each of the secret grouping results according to each of the grouping results, determine a secret access address corresponding to each of the secret grouping results, determine an intermediate tree structure according to the number of the determined secret grouping results, determine the corresponding relationship between each of the secret access addresses corresponding to each of the secret grouping results and each of the leaf nodes in the intermediate tree structure, fill the intermediate tree structure according to the intermediate mapping table, determine whether the size of the intermediate mapping table meets an end condition, if so, determine the intermediate mapping table as a final mapping table, determine the intermediate tree structure corresponding to each of the secret grouping results, and if not, and resume the mapping table is determined again according to the end condition until the initial mapping table is met.
Optionally, the path determining module 202 is configured to determine, according to the packet size, a decompressed address corresponding to the target secret access address in the final mapping table, determine, according to the final mapping table, the final tree structure, and the decompressed address, a data set storing the decompressed address, determine a secret grouping result included in the data set storing the decompressed address, use an intermediate tree structure used for determining the final tree structure as a final tree structure, determine, according to the packet size and the target secret access address again, the decompressed address, continue to determine the secret grouping result until the determined secret grouping result includes a correspondence between a leaf node corresponding to the target node and the target secret access address, and determine, according to a correspondence between a specified leaf node corresponding to the target node and the target secret access address, a specified leaf node of the target node storing the data set including the target secret access address.
The present specification also provides a computer readable storage medium storing a computer program operable to perform the method of querying cryptographic data provided in fig. 1, as described above.
The present specification also provides a schematic structural diagram of the electronic device shown in fig. 5. At the hardware level, the electronic device includes a processor, an internal bus, a network interface, a memory, and a non-volatile storage, as illustrated in fig. 5, although other hardware required by other services may be included. The processor reads the corresponding computer program from the nonvolatile memory into the memory and then runs the computer program to implement the method for querying the secret data described in fig. 1. Of course, other implementations, such as logic devices or combinations of hardware and software, are not excluded from the present description, that is, the execution subject of the following process flows is not limited to each logic unit application container, but may be hardware or logic devices.
In the 90 s of the 20 th century, improvements to one technology could clearly be distinguished as improvements in hardware (e.g., improvements to circuit structures such as diodes, transistors, switches, etc.) or software (improvements to the process flow). However, with the development of technology, many improvements of the current method flows can be regarded as direct improvements of hardware circuit structures. Designers almost always obtain corresponding hardware circuit structures by programming improved method flows into hardware circuits. Therefore, an improvement of a method flow cannot be said to be realized by a hardware entity module. For example, a programmable logic device (Programmable Logic Device, PLD) (e.g., field programmable gate array (Field Programmable Gate Array, FPGA)) is an integrated circuit whose logic function is determined by the programming of the device by a user. A designer programs to "integrate" a digital system onto a PLD without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Moreover, nowadays, instead of manually manufacturing integrated circuit chips, such programming is mostly implemented by using "logic compiler" software, which is similar to the software compiler used in program development and writing, and the original code before the compiling is also written in a specific programming language, which is called hardware description language (Hardware Description Language, HDL), but not just one of the hdds, but a plurality of kinds, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), lava, lola, myHDL, PALASM, RHDL (Ruby Hardware Description Language), etc., VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently most commonly used. It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained by merely slightly programming the method flow into an integrated circuit using several of the hardware description languages described above.
The controller may be implemented in any suitable manner, for example, the controller may take the form of, for example, a microprocessor or processor and a computer readable medium storing computer readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, application specific integrated circuits (Application Specific Integrated Circuit, ASIC), programmable logic controllers, and embedded microcontrollers, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, atmel AT91SAM, microchip PIC18F26K20, and Silicone Labs C8051F320, the memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller in a pure computer readable program code, it is well possible to implement the same functionality by logically programming the method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller may thus be regarded as a kind of hardware component, and means for performing various functions included therein may also be regarded as structures within the hardware component. Or even means for achieving the various functions may be regarded as either software modules implementing the methods or structures within hardware components.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in one or more software and/or hardware elements when implemented in the present specification.
It will be appreciated by those skilled in the art that embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the present specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present description is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the specification. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
It will be appreciated by those skilled in the art that embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the present specification may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, as relevant to see a section of the description of method embodiments.
The foregoing is merely exemplary of the present disclosure and is not intended to limit the disclosure. Various modifications and alterations to this specification will become apparent to those skilled in the art. Any modifications, equivalent substitutions, improvements, or the like, which are within the spirit and principles of the present description, are intended to be included within the scope of the claims of the present description.
Claims (15)
1. The method is applied to a terminal, the terminal stores a plurality of data sets in a tree structure, one data set consists of the secret data and a secret access address corresponding to the secret data, the tree structure comprises a plurality of nodes, and each node stores a plurality of data sets, and the method comprises the following steps:
determining a target secret access address of target secret data to be queried;
determining a designated leaf node corresponding to a target node storing a data set containing the target secret access address in the tree structure, and determining a path in the tree structure according to the designated leaf node and a root node; wherein the designated leaf node is a leaf node of a subtree corresponding to the target node;
migrating each data group stored by each node in the path to a cache of the terminal for storage;
matching each data group stored in the cache with the target secret access address respectively, and determining secret data contained in the data group matched with the target secret access address according to a matching result to serve as the inquired target secret data;
the correspondence between each secret access address and each leaf node in the tree structure is stored in the following manner:
Determining leaf nodes corresponding to nodes storing each secret access address as the leaf nodes corresponding to each secret access address;
ordering the corresponding relation between each secret access address and each leaf node according to the sequence of each secret access address to obtain an initial mapping table;
grouping the initial mapping table according to a preset grouping size, and determining a grouping result;
determining each secret state grouping result according to each grouping result;
aiming at each secret grouping result, determining a secret access address corresponding to the secret grouping result;
according to the number of the determined secret grouping results, determining an intermediate tree structure, and determining the corresponding relation between the secret access address corresponding to each secret grouping result and each leaf node in the intermediate tree structure as an intermediate mapping table;
filling the intermediate tree structure according to the intermediate mapping table;
judging whether the size of the intermediate mapping table meets an ending condition or not;
if yes, determining the intermediate mapping table as a final mapping table, and determining an intermediate tree structure corresponding to the intermediate mapping table as a final tree structure;
and if not, the intermediate mapping table is used as an initial mapping table again, and grouping is continued according to the newly determined initial mapping table until the ending condition is met.
2. The method of claim 1, determining a target secret access address of target secret data to be queried, specifically comprising:
according to the received service request, determining a target secret access address carried in the service request as a target secret access address of target secret data to be queried;
the method further comprises the steps of:
processing the target secret state data according to the processing mode carried in the service request, and performing pseudo-processing on the secret state data in other data sets stored in the cache, wherein the result of performing pseudo-processing on the secret state data in the other data sets is secret state data in the other data sets;
backfilling the processed at least partial data set to each node in the path of the tree structure.
3. The method of claim 1, wherein each data group stored by each node in the path is migrated to a cache of the terminal for storage, and specifically comprises:
and copying and storing each data group stored by each node in the path of the tree structure into a cache of the terminal, and deleting the data group stored by each node in the path of the tree structure from a hard disk of the terminal.
4. The method of claim 1, wherein the cache has stored therein a historical data set that was historically migrated to the cache but was not backfilled to the tree structure;
matching each data group stored in the cache with the target secret access address respectively, wherein the method specifically comprises the following steps:
determining each data set stored in each node in the path as a current data set;
and matching the target secret access address with the current data set and the historical data set respectively.
5. The method according to claim 2, backfilling the processed at least partial data set to each node in the path, comprising in particular:
for each node in the path in turn, determining a data group corresponding to the node from the data groups stored in the cache;
backfilling the data set corresponding to the node into the node;
judging whether the data set backfilled by the node reaches the upper storage limit of the node according to the number of the data sets backfilled by the node;
if yes, determining that the node is completely backfilled, and continuing to backfill the data set for the next node in the path until all the nodes in the path are completely backfilled;
If not, continuing backfilling the data set for the node.
6. The method of claim 5, determining the data set corresponding to the node, comprising:
re-determining a target node storing a data set containing the target secret access address from each leaf node contained in the tree structure;
according to the redetermined target node, redetermining a designated leaf node corresponding to the target node;
and when the redefined designated leaf node is matched with the node, taking the data group containing the target secret access address as the data group corresponding to the node.
7. The method of claim 5, the method further comprising:
when the data sets corresponding to the node in the cache are all backfilled to the node and the data sets backfilled by the node still do not reach the upper storage limit of the node, generating an empty data set according to the residual storage space of the node;
and backfilling the generated empty data set to the node.
8. The method of claim 5, wherein the terminal pre-stores a correspondence between a secret access address and a node identifier of a leaf node in the tree structure, and the identifier of the leaf node is secret data;
From the data sets stored in the cache, determining the data set corresponding to the node specifically includes:
determining a hierarchy of the node in the tree structure, the hierarchy being an order of the node in a direction from the leaf node to the root node, and a rank of the node in the hierarchy in a left-to-right order;
for each data group, determining a leaf node corresponding to the data group according to a secret access address contained in the data group, determining plaintext information of the leaf node corresponding to the data group, and determining a binary code corresponding to the plaintext information, wherein the leaf node corresponding to the data group is a leaf node of a subtree corresponding to a node storing the data group;
judging whether the result of right shifting the binary code by the level bit is the bit order;
if yes, the data set is used as the data set corresponding to the node.
9. The method of claim 8, wherein a data set is composed of secret data, a secret access address corresponding to the secret data, and a first identifier of the data set, wherein the first identifier is used for representing whether the secret data is valid;
Backfilling the data set corresponding to the node into the node, wherein the backfilling comprises the following steps:
for each data set corresponding to the node, determining a second identifier of the data set as a valid identifier, wherein the second identifier is used for representing whether the data set corresponds to the node or not;
determining the data groups of which the first identifier and the second identifier are valid identifiers from the data groups as data groups to be selected;
judging whether the number of the data groups to be selected is smaller than the preset upper limit of the data groups in the nodes or not;
if yes, generating each empty data group according to the storage upper limit of the node and the number of the data groups to be selected, and backfilling each generated empty data group and each data group to be selected into the node;
if not, determining a specified number of data sets to be selected from the data sets to be selected, and backfilling the data sets to be selected into the node.
10. The method according to claim 9, generating a null data set according to the upper storage limit of the node and the number of the candidate data sets, specifically comprising:
sorting the data sets according to the first identification and the second identification of the data sets in the cache, and selecting a specified number of data sets from the sorting result according to the upper storage limit of the node;
Determining other data groups except the data groups to be selected in the specified number of data groups as empty data groups, and determining a third mark of each empty data group as an invalid identifier;
the method further comprises the steps of:
for each data set to be selected, when the data set to be selected is backfilled into the node, updating the first identification of the data set to be selected stored in the cache to be an invalid identifier;
for each null data set, updating a first identification of the null data set stored in the node to an invalid identifier when the null data set is backfilled into the node.
11. The method of claim 1, wherein determining, in the tree structure, a designated leaf node corresponding to a target node storing a data set including the target cryptographic access address, comprises:
determining a decompression address corresponding to the target secret access address in the final mapping table according to the packet size;
determining a data set storing the decompressed address according to the final mapping table, the final tree structure and the decompressed address, and determining a secret state grouping result contained in the data set storing the decompressed address;
The intermediate tree structure used for determining the final tree structure is used as a final tree structure, so that a decompressed address is determined again according to the packet size and the target secret access address, and a secret packet result is continuously determined until the determined secret packet result contains the corresponding relation between the leaf node corresponding to the target node and the target secret access address;
and determining the designated leaf node of the target node storing the data set containing the target secret access address according to the corresponding relation between the designated leaf node corresponding to the target node and the target secret access address.
12. The method of claim 1, wherein the number of the terminals is a plurality, each terminal holds different secret state data, and the terminals participate in multiparty security calculation together through the secret state data held by the terminals;
the method for determining the target secret access address of the target secret data to be queried specifically comprises the following steps:
responding to the multiparty security calculation task, and determining a target secret access address of target secret data to be queried;
the method further comprises the steps of:
and when the target secret state data is queried, processing the target secret state data according to the multiparty security calculation task, and returning a processing result to other terminals participating in the multiparty security calculation.
13. A secret data querying device, the device being applied to a terminal, the terminal storing a plurality of data sets in a tree structure, one data set being composed of secret data and its corresponding secret access address, the tree structure comprising a plurality of nodes, each node storing a plurality of data sets therein, the device comprising:
the address determining module is used for determining a target secret access address of target secret data to be queried;
the path determining module is used for determining a specified leaf node corresponding to a target node storing a data set containing the target secret state data in the tree structure, and determining a path in the tree structure according to the specified leaf node and a root node; wherein the designated leaf node is a leaf node of a subtree corresponding to the target node;
the migration module is used for migrating each data group stored by each node in the path to the cache of the terminal for storage;
the query module is used for respectively matching each data group stored in the cache with the target secret access address, and determining secret state data contained in the data group matched with the target secret access address according to a matching result to serve as the queried target secret state data;
The correspondence between each secret access address and each leaf node in the tree structure is stored in the following manner:
determining leaf nodes corresponding to nodes storing each secret access address as the leaf nodes corresponding to each secret access address;
ordering the corresponding relation between each secret access address and each leaf node according to the sequence of each secret access address to obtain an initial mapping table;
grouping the initial mapping table according to a preset grouping size, and determining a grouping result;
determining each secret state grouping result according to each grouping result;
aiming at each secret grouping result, determining a secret access address corresponding to the secret grouping result;
according to the number of the determined secret grouping results, determining an intermediate tree structure, and determining the corresponding relation between the secret access address corresponding to each secret grouping result and each leaf node in the intermediate tree structure as an intermediate mapping table;
filling the intermediate tree structure according to the intermediate mapping table;
judging whether the size of the intermediate mapping table meets an ending condition or not;
if yes, determining the intermediate mapping table as a final mapping table, and determining an intermediate tree structure corresponding to the intermediate mapping table as a final tree structure;
And if not, the intermediate mapping table is used as an initial mapping table again, and grouping is continued according to the newly determined initial mapping table until the ending condition is met.
14. A computer readable storage medium storing a computer program which, when executed by a processor, implements the method of any of the preceding claims 1-12.
15. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any of the preceding claims 1-12 when executing the program.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310451320.8A CN116167092B (en) | 2023-04-21 | 2023-04-21 | Secret state data query method and device, storage medium and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310451320.8A CN116167092B (en) | 2023-04-21 | 2023-04-21 | Secret state data query method and device, storage medium and electronic equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116167092A CN116167092A (en) | 2023-05-26 |
| CN116167092B true CN116167092B (en) | 2023-07-18 |
Family
ID=86416698
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310451320.8A Active CN116167092B (en) | 2023-04-21 | 2023-04-21 | Secret state data query method and device, storage medium and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116167092B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116418600B (en) * | 2023-06-09 | 2023-08-15 | 安徽华云安科技有限公司 | Node security operation and maintenance method, device, equipment and storage medium |
| CN117171401B (en) * | 2023-11-03 | 2024-01-26 | 之江实验室 | Query method and device for shortest path in graph data based on hierarchical pre-calculation |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115982246A (en) * | 2023-03-03 | 2023-04-18 | 阿里云计算有限公司 | Data query method, equipment, system and storage medium |
Family Cites Families (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9747456B2 (en) * | 2013-03-15 | 2017-08-29 | Microsoft Technology Licensing, Llc | Secure query processing over encrypted data |
| US11243881B2 (en) * | 2018-08-03 | 2022-02-08 | University of Pittsburgh—of the Commonwealth System of Higher Education | Practical ORAM delegation for untrusted memory on cloud servers |
| CN110837650B (en) * | 2019-10-25 | 2021-08-31 | 华中科技大学 | Cloud storage ORAM access system and method under untrusted network environment |
| CN111898157B (en) * | 2020-07-23 | 2024-03-26 | 东南大学 | Unintentional storage access method for machine learning multisource training set |
| CN114117506B (en) * | 2020-08-27 | 2024-04-05 | 东北大学秦皇岛分校 | ORAM access method suitable for TEE confusion calculation |
| CN112084519B (en) * | 2020-09-18 | 2022-04-12 | 支付宝(杭州)信息技术有限公司 | GBDT model training method and device based on access mode protection |
| CN113157821B (en) * | 2021-04-09 | 2022-03-15 | 电子科技大学 | Inquirable encryption method suitable for relational database |
| CN114039990B (en) * | 2021-11-01 | 2022-07-29 | 上海交通大学 | Inadvertent access to storage systems |
| CN115238281A (en) * | 2022-08-10 | 2022-10-25 | 东北大学秦皇岛分校 | Efficient side channel defense method based on hybrid ORAM |
| CN115577370A (en) * | 2022-09-20 | 2023-01-06 | 西安电子科技大学 | Safe storage method supporting intelligent unmanned cluster data access mode protection |
-
2023
- 2023-04-21 CN CN202310451320.8A patent/CN116167092B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115982246A (en) * | 2023-03-03 | 2023-04-18 | 阿里云计算有限公司 | Data query method, equipment, system and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116167092A (en) | 2023-05-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN116167092B (en) | Secret state data query method and device, storage medium and electronic equipment | |
| KR102226257B1 (en) | Method and device for writing service data to a blockchain system | |
| US10929845B2 (en) | Method and apparatus for consensus verification | |
| KR102098548B1 (en) | Method and device for verifying block data in blockchain | |
| CN107579951B (en) | Service data processing method, service processing method and equipment | |
| CN113079200A (en) | Data processing method, device and system | |
| CN109726563B (en) | Data statistics method, device and equipment | |
| CN106844288B (en) | Random character string generation method and device | |
| TW202008763A (en) | Data processing method and apparatus, and client | |
| CN108616361A (en) | A kind of method and device of identification equipment uniqueness | |
| CN110430255A (en) | The processing method of service request, system and electronic equipment in distributed type assemblies | |
| CN116166693B (en) | Data query method, device and equipment based on secret state range index | |
| CN116010992A (en) | Data processing method and device, readable storage medium and electronic equipment | |
| CN115129728A (en) | File checking method and device | |
| CN117473133A (en) | Secret state data query method and device, storage medium and electronic equipment | |
| TW202008153A (en) | Data processing method and apparatus, and server | |
| CN116166216A (en) | Data sorting method, device, equipment and readable storage medium | |
| CN113282542B (en) | Verifiable searchable encryption method, device and equipment with forward security | |
| CN115134349B (en) | Method, device, medium and equipment for executing transmission task | |
| CN113282543B (en) | Verifiable searchable encryption method, device and equipment with forward security | |
| CN117453969A (en) | Secret state data query method and device, storage medium and electronic equipment | |
| CN116226902A (en) | Data query method and device, storage medium and electronic equipment | |
| CN116366667A (en) | Data transmission method and device of block chain network, electronic equipment and storage medium | |
| CN117421771A (en) | Structured data-oriented searchable encryption method and device and electronic equipment | |
| CN114546271A (en) | Data reading and writing method, device and system based on block chain |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |