CN116340999A - Data processing method based on collaborative calculation - Google Patents


Publication number
CN116340999A
Authority
CN
China
Prior art keywords
data
signature
user
party
verification
Legal status
Pending
Application number
CN202310238511.6A
Other languages
Chinese (zh)
Inventor
李伟光
李昊轩
李辉忠
张开翔
范瑞彬
Current Assignee
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Application filed by WeBank Co Ltd
Priority to CN202310238511.6A
Publication of CN116340999A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services


Abstract

The application provides a data processing method based on collaborative computing. The method comprises: when the user device has authorized the data source device to encrypt and transmit user data, obtaining three-party encrypted data and signature data of the three-party encrypted data, where the three-party encrypted data comprises data obtained after the user data has been encrypted by the data source device, the user device and the demander device; verifying the signature data of the three-party encrypted data based on the stored demander public key; and, when the signature data of the three-party encrypted data passes verification, obtaining user-side updated data and user-side first signature data based on the three-party encrypted data. The user-side updated data and the user-side first signature data are used to obtain the specific data required by the demander device, and the user data includes the specific data.

Description

Data processing method based on collaborative calculation
Technical Field
Embodiments of the application relate to, but are not limited to, the field of data processing in financial technology (Fintech), and in particular to a data processing method based on collaborative computing.
Background
With the development of computer technology, more and more technologies are being applied in the financial field, and the traditional financial industry is gradually shifting to financial technology (Fintech). Because of the security and real-time requirements of the financial industry, however, higher demands are also placed on these technologies.
In the Fintech field, data transmission among multiple parties is currently implemented through collaborative computing. In the related art, a collaborative computing scheme usually introduces a trusted environment that takes part in the multi-party data transmission in order to improve the credibility of the data. The trusted environment holds all the data acquired from the data source after authorization by the user. However, the trusted environment acts as an intermediary and provides the demander with plaintext data, which creates a risk of user data leakage.
Disclosure of Invention
The embodiments of the application provide a data processing method based on collaborative computing, which aims to solve the problem that a trusted environment, acting as an intermediary, provides plaintext data to the demander and so creates a risk of user data leakage.
The technical solution of the embodiments of the application is realized as follows:
In a first aspect, an embodiment of the present application provides a data processing method based on collaborative computing, including:
when the user device has authorized the data source device to encrypt and transmit user data, obtaining three-party encrypted data and signature data of the three-party encrypted data; the three-party encrypted data comprises data obtained after the user data has been encrypted by the data source device, the user device and the demander device;
verifying the signature data of the three-party encrypted data based on the stored demander public key;
when the signature data of the three-party encrypted data passes verification, obtaining user-side updated data and user-side first signature data based on the three-party encrypted data; the user-side updated data and the user-side first signature data are used to obtain the specific data required by the demander device, and the user data includes the specific data.
In a second aspect, an embodiment of the present application provides a data processing method based on collaborative computing, including:
when the user device has authorized the data source device to encrypt and transmit user data, receiving demander signature data and user-side updated data, which the demander device sends after the user-side first signature data has passed its signature verification; the user-side updated data is data obtained based on the three-party encrypted data after the user device's signature verification of the three-party encrypted data has passed;
verifying the demander signature data based on the stored demander public key;
when the demander signature data passes verification, decrypting the user-side updated data based on a data source random verification factor to obtain data source data;
signing the data source data based on the data source private key to obtain data source signature data;
and sending the data source data and the data source signature data to the demander device, so that the demander device decrypts the data source data after the data source signature data passes verification and obtains the specific data required by the demander device.
In a third aspect, an embodiment of the present application provides a data processing method based on collaborative computing, including:
when the user device has authorized the data source device to encrypt and transmit user data, receiving data source data and data source signature data, which the data source device sends after the demander signature data has passed its signature verification; the data source data is obtained by the data source device decrypting the user-side updated data; the user-side updated data is data obtained based on the three-party encrypted data after the user device's signature verification of the three-party encrypted data has passed;
verifying the data source signature data based on the stored data source public key;
and, when the data source signature data passes verification, decrypting the data source data based on a demander random verification factor to obtain the specific data required by the demander device.
In a fourth aspect, an embodiment of the present application provides a user side data processing apparatus, where the user side data processing apparatus includes:
a first obtaining unit, configured to obtain three-party encrypted data and signature data of the three-party encrypted data when the user device has authorized the data source device to encrypt and transmit user data; the three-party encrypted data comprises data obtained after the user data has been encrypted by the data source device, the user device and the demander device;
a first processing unit, configured to verify the signature data of the three-party encrypted data based on the stored demander public key;
the first processing unit being further configured to obtain user-side updated data and user-side first signature data based on the three-party encrypted data when the signature data of the three-party encrypted data passes verification; the user-side updated data and the user-side first signature data are used to obtain the specific data required by the demander device, and the user data includes the specific data.
In a fifth aspect, embodiments of the present application provide a data source data processing apparatus, including:
a second obtaining unit, configured to receive, when the user device has authorized the data source device to encrypt and transmit user data, demander signature data and user-side updated data, which the demander device sends after the user-side first signature data has passed its signature verification; the user-side updated data is data obtained based on the three-party encrypted data after the user device's signature verification of the three-party encrypted data has passed;
a second processing unit, configured to verify the demander signature data based on the stored demander public key;
the second processing unit being further configured to decrypt the user-side updated data based on a data source random verification factor when the demander signature data passes verification, so as to obtain data source data;
the second processing unit being further configured to sign the data source data based on the data source private key to obtain data source signature data;
and a second sending unit, configured to send the data source data and the data source signature data to the demander device, so that the demander device decrypts the data source data after the data source signature data passes verification and obtains the specific data required by the demander device.
In a sixth aspect, an embodiment of the present application provides a data processing apparatus for a demander, including:
a third obtaining unit, configured to receive, when the user device has authorized the data source device to encrypt and transmit user data, data source data and data source signature data, which the data source device sends after the demander signature data has passed its signature verification; the data source data is obtained by the data source device decrypting the user-side updated data; the user-side updated data is data obtained based on the three-party encrypted data after the user device's signature verification of the three-party encrypted data has passed;
a third processing unit, configured to verify the data source signature data based on the stored data source public key;
the third processing unit being further configured to decrypt the data source data based on a demander random verification factor when the data source signature data passes verification, so as to obtain the specific data required by the demander device.
In a sixth aspect, an embodiment of the present application provides a data processing apparatus, including:
a memory for storing executable instructions; and a processor configured to implement the method of the first aspect, the second aspect, or the third aspect when executing the executable instructions stored in the memory.
A computer readable storage medium storing executable instructions for causing a processor to perform the method of the first, second or third aspects described above.
The embodiments of the application have the following beneficial effects:
When the user device has authorized the data source device to encrypt and transmit user data, three-party encrypted data and signature data of the three-party encrypted data are obtained; the three-party encrypted data comprises data obtained after the user data has been encrypted by the data source device, the user device and the demander device. The signature data of the three-party encrypted data is verified based on the stored demander public key. When the signature data of the three-party encrypted data passes verification, user-side updated data and user-side first signature data are obtained based on the three-party encrypted data; these are used to obtain the specific data required by the demander device, and the user data includes the specific data. The data processing method based on collaborative computing provided by the application therefore has the demander device, the data source device and the user device take part in the encrypted data transmission directly, avoids introducing a trusted environment, and improves data transmission efficiency while protecting the secure transmission of user data.
Drawings
FIG. 1 is a schematic diagram of an alternative architecture of a terminal provided in an embodiment of the present application;
FIG. 2 is a flowchart illustrating a data processing method based on collaborative computing according to an embodiment of the present application;
FIG. 3 is a second flowchart of a collaborative computing-based data processing method according to an embodiment of the present disclosure;
FIG. 4 is a flowchart illustrating a data processing method based on collaborative computing according to an embodiment of the present application;
FIG. 5 is a flowchart illustrating a data processing method based on collaborative computing according to an embodiment of the present application;
FIG. 6 is a flowchart of a data processing method based on collaborative computing according to an embodiment of the present application;
FIG. 7 is a flowchart of a data processing method based on collaborative computing according to an embodiment of the present application;
FIG. 8 is a flowchart of a data processing method based on collaborative computing according to an embodiment of the present application;
FIG. 9 is an eighth flowchart of a collaborative computing-based data processing method according to an embodiment of the present disclosure;
FIG. 10 is a schematic diagram of a collaborative computing-based data processing scenario provided by an embodiment of the present application;
FIG. 11 is a schematic structural diagram of a user side data processing device according to an embodiment of the present application;
FIG. 12 is a schematic diagram of a data source data processing apparatus according to an embodiment of the present application;
FIG. 13 is a schematic structural diagram of a demander data processing device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail with reference to the accompanying drawings, and the described embodiments should not be construed as limiting the present application, and all other embodiments obtained by those skilled in the art without making any inventive effort are within the scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict. Unless defined otherwise, all technical and scientific terms used in the embodiments of the present application have the same meaning as commonly understood by one of ordinary skill in the art to which the embodiments of the present application belong. The terminology used in the embodiments of the present application is for the purpose of describing the embodiments of the present application only and is not intended to be limiting of the present application.
An exemplary application of the collaborative computing-based data processing device provided in the embodiments of the present application is described below, and the collaborative computing-based data processing device provided in the embodiments of the present application may be implemented as a notebook computer, a tablet computer, a desktop computer, a mobile device (for example, a mobile phone, a portable music player, a personal digital assistant, a dedicated messaging device, a portable game device), an intelligent robot, or any terminal having a screen display function, or may be implemented as a server. In the following, an exemplary application when the data processing apparatus based on collaborative computing is implemented as a terminal will be described.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a terminal 100 provided in an embodiment of the present application, and the terminal 100 shown in fig. 1 includes: at least one processor 110, at least one network interface 120, a user interface 130, and a memory 150. The various components in terminal 100 are coupled together by bus system 140. It is understood that the bus system 140 is used to enable connected communications between these components. The bus system 140 includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration the various buses are labeled in fig. 1 as bus system 140.
The processor 110 may be an integrated circuit chip with signal processing capabilities, such as a general purpose processor (which may be a microprocessor or any conventional processor), a digital signal processor (Digital Signal Processor, DSP), another programmable logic device, discrete gate or transistor logic, or discrete hardware components.
The user interface 130 includes one or more output devices 131, including one or more speakers and/or one or more visual displays, that enable presentation of media content. The user interface 130 also includes one or more input devices 132, including user interface components that facilitate user input, such as a keyboard, mouse, microphone, touch screen display, camera, other input buttons and controls.
The memory 150 may be removable, non-removable, or a combination thereof. Exemplary hardware devices include solid state memory, hard drives, optical drives, and the like. Memory 150 optionally includes one or more storage devices physically located remote from processor 110. Memory 150 includes volatile memory or nonvolatile memory, and may also include both volatile and nonvolatile memory. The nonvolatile Memory may be a Read Only Memory (ROM), and the volatile Memory may be a random access Memory (Random Access Memory, RAM). The memory 150 described in embodiments of the present application is intended to comprise any suitable type of memory. In some embodiments, memory 150 is capable of storing data to support various operations, examples of which include programs, modules and data structures, or subsets or supersets thereof, as exemplified below.
An operating system 151 including system programs for handling various basic system services and performing hardware-related tasks, such as a framework layer, a core library layer, a driver layer, etc., for implementing various basic services and handling hardware-based tasks;
a network communication module 152 for reaching other computing devices via one or more (wired or wireless) network interfaces 120; exemplary network interfaces 120 include Bluetooth, wireless compatibility authentication (WiFi), and universal serial bus (Universal Serial Bus, USB);
an input processing module 153 for detecting one or more user inputs or interactions from one of the one or more input devices 132 and translating the detected inputs or interactions.
In some embodiments, the apparatus provided in the embodiments of the present application may be implemented in software. FIG. 1 shows a data processing apparatus 154 stored in the memory 150; the data processing apparatus 154 may be a data processing apparatus in the terminal 100 and may be software in the form of a program, a plug-in, or the like. Note that when the terminal 100 is a user device, the data processing apparatus 154 is a user side data processing apparatus; when the terminal 100 is a data source device, the data processing apparatus 154 is a data source data processing apparatus; and when the terminal 100 is a demander device, the data processing apparatus 154 is a demander data processing apparatus.
In other embodiments, the apparatus provided by the embodiments of the present application may be implemented in hardware, and by way of example, the apparatus provided by the embodiments of the present application may be a processor in the form of a hardware decoding processor programmed to perform the collaborative computing-based data processing method provided by the embodiments of the present application, e.g., the processor in the form of a hardware decoding processor may employ one or more application specific integrated circuits (Application Specific Integrated Circuit, ASIC), DSP, programmable logic device (Programmable Logic Device, PLD), complex programmable logic device (Complex Programmable Logic Device, CPLD), field programmable gate array (Field-Programmable Gate Array, FPGA), or other electronic component.
The collaborative computing scenario in the related art is explained further here, taking as an example a process in which a demander obtains important or even sensitive user data, such as social security and driving license data, in order to make a prediction. The parties involved are:
The user device, for example just a mobile phone, which has very limited functions; users worry that a third-party institution will misuse their user data.
The data source device, which holds the user's data, such as driving license and social security data.
The demander device, which needs to use the user's data but does not trust the user device, since data coming from the user device may be forged.
The blockchain, which is used for evidence storage and for displaying data.
In the above scenario model, the following problems exist:
the demander device needs to verify that the user's data is authentic; the demander device cannot take the data directly from the data source; and the user device needs to ensure that its own data is not leaked.
To address this, the related art introduces a trusted environment, referred to as a clean environment. The clean environment holds all the data acquired from the data source after authorization by the user. The process by which the demander obtains and verifies user data is then approximately as follows:
(1) The user logs in and grants authorization on the mobile phone, so that the clean environment obtains the user's personal information, such as social security and driving license data, from the data source device;
(2) the user device downloads the plaintext personal information from the clean environment;
(3) the clean environment stores the plaintext personal information on the cloud platform;
(4) the demander device obtains the user's plaintext source data in one of two ways: from the clean environment, or directly from the user side;
(5) the demander device verifies the authenticity and validity of the user data through the cloud platform.
As the above collaborative computing process shows, the clean environment acts as an intermediary: it stores all of the user's data and transmits all of it to the demander, including data the demander does not need. For example, the demander only needs the user's social security information, but the clean environment also provides user information that is of no use to the demander, such as driving license, identity card and credit card information. Introducing the clean environment as a role thus increases the cost of collaborative computing, including service, maintenance and communication costs. In addition, the data source device transmits plaintext data to the demander. Plaintext data may be intercepted in transit over the network, which creates a risk of user data leakage and gives poor security and privacy.
Introducing a clean environment, i.e. a trusted environment, as an intermediary therefore has at least the following problem: what is provided to the demander is plaintext data, with the risk of user data leakage. Introducing a clean environment may also lead to useless data being transmitted and to increased costs.
The data processing method based on collaborative computing provided by the application therefore has the demander device, the data source device and the user device take part in the encrypted data transmission directly, avoids introducing a trusted environment, and improves data transmission efficiency while protecting the secure transmission of user data.
The data processing method based on collaborative computing provided in the embodiments of the present application is described below in conjunction with exemplary applications and implementations of the terminal 100, where the terminal 100 is implemented as a user device. Referring to FIG. 2, FIG. 2 is a schematic flowchart of an alternative collaborative computing-based data processing method provided in an embodiment of the present application, which is described in connection with the steps shown in FIG. 2.
Step S201: when the user device has authorized the data source device to encrypt and transmit the user data, the three-party encrypted data and the signature data of the three-party encrypted data are obtained.
The three-party encrypted data comprises data obtained after the user data has been encrypted by the data source device, the user device and the demander device. Here, the three-party encrypted data is denoted e_seed, and the signature data of the three-party encrypted data is denoted signature_e_seed.
In the embodiments of the application, the three parties participating in collaborative computing are the data source device, the user device and the demander device. The data source device holds all of the user's data. The demander device needs user data so that it can analyze and process the data it requires and, based on that data, perform event prediction and the like.
In one possible collaborative computing scenario, taking as an example a demander obtaining a user's social security and credit information, the demander is a party that queries user data, e.g. finance company A, and wishes to make an event prediction, e.g. a risk assessment, for user C.
Step S202, signature verification is carried out on signature data of the three-party encrypted data based on the stored public key of the requiring party.
In step S203, when signature data of the three-party encrypted data passes the verification, updated data of the user side and first signature data of the user side are obtained based on the three-party encrypted data.
The updated data of the user side and the first signature data of the user side are used for obtaining specific data required by the equipment of the requiring party, and the user data comprise the specific data.
In the embodiment of the application, signature verification of data refers to a process of encrypting data by using a private key and decrypting the data by using a public key.
Among them, the signature algorithm involved in the signature process includes, but is not limited to, elliptic curve digital signature algorithm (Elliptic Curve Digital Signature Algorithm, ECDSA), which is an encryption algorithm based on elliptic curve cryptography. The digital signature algorithm is transplanted onto elliptic curve, and the elliptic curve digital signature algorithm is generated. Its security is based on discrete logarithm problems over the prime domain. The security of elliptic curve cryptosystems is based on the difficulty of Elliptic Curve Discrete Logarithm Problem (ECDLP). The elliptic curve discrete logarithm problem is far harder than the discrete logarithm problem, and the unit bit strength of the elliptic curve cryptosystem is far higher than that of the traditional discrete logarithm system. The ECDSA is adopted to realize the characteristics of small calculation parameters, short key, high operation speed and short signature.
The signing and signature verification process is described below using ECDSA. The user device, the data source device and the demander device are the three parties of the collaborative computation, and a tool is used to generate the same node.pem file for signing and signature verification, that is, a shared node.pem private key file.
Illustratively, the node.pem file is generated as follows: it is produced, based on tassel, by build_chain.sh, the deployment tool of the underlying blockchain framework from the financial blockchain collaboration alliance (FISCO BCOS), or by the account generation script get_account.sh. The node.pem file is a file containing a random string, and its data format is similar to that of a public/private key file.
The signing process is as follows. The original data (originData) is taken as input and the interface of the fisco-bcos-java-sdk is called: a PEMKeyStore class instance is created from the file path of node.pem, which yields a key pair (keypair) for the ECDSA digital signature algorithm. The key pair contains a public key publicKey and a private key. To sign, the shared keypair and the data to be signed, originData, are passed in to generate the signature data signatureData, which is a string of random-looking characters. originData and signatureData are then sent to the party that needs to verify the signature.
The signature verification process is as follows. The verifying party receives originData and signatureData and passes them to a blockchain underlying encryption and decryption component (such as webank-blockchain-java-crypto) to obtain the public key signaturePublicKey that signed the data. This is then compared with the public key publicKey in the shared keypair: if signaturePublicKey is the same as publicKey, the data was signed with the keypair and verification passes; otherwise, verification fails.
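The recover-and-compare verification described above, as an added Python example (it is not the patent's code and does not use the fisco-bcos-java-sdk or webank-blockchain-java-crypto APIs). The secp256k1 curve, SHA-256, the simplified nonce derivation and the key and message values are assumptions, since the page names only ECDSA.

```python
import hashlib
import hmac

# secp256k1 domain parameters (assumption: the page names ECDSA but no curve)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(a, b):
    """Add two affine curve points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if x1 == x2:   # same point: tangent slope
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:          # distinct points: chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, point):
    """Double-and-add scalar multiplication (not constant time: illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, point)
        point = add(point, point)
        k >>= 1
    return acc


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key: int, origin_data: bytes):
    """Return signatureData as (r, s, v); v is the recovery id (parity of R.y)."""
    z = digest(origin_data)
    # Nonce from HMAC-SHA256(key, message): a simplified stand-in for RFC 6979.
    mac = hmac.new(private_key.to_bytes(32, "big"), origin_data, hashlib.sha256)
    k = int.from_bytes(mac.digest(), "big") % N or 1
    rx, ry = mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (z + r * private_key) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another nonce")
    v = ry & 1
    if s > N // 2:   # low-s form; negating s mirrors R, so the parity bit flips
        s, v = N - s, v ^ 1
    return r, s, v


def recover(origin_data: bytes, r: int, s: int, v: int):
    """Recover signaturePublicKey as Q = r^-1 * (s*R - z*G), or None if malformed."""
    if not (1 <= r < N and 1 <= s < N) or v not in (0, 1):
        return None
    y_sq = (pow(r, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)   # square root, valid because P % 4 == 3
    if y * y % P != y_sq:
        return None                  # r is not the x-coordinate of a curve point
    if y & 1 != v:
        y = P - y
    z = digest(origin_data)
    r_inv = pow(r, -1, N)
    return add(mul(s * r_inv % N, (r, y)), mul(-z * r_inv % N, G))


def verify_by_recovery(stored_public_key, origin_data: bytes, signature_data) -> bool:
    """Pass only if the recovered key equals the stored publicKey."""
    recovered = recover(origin_data, *signature_data)
    return recovered is not None and recovered == stored_public_key


# Constructed demo values, not taken from the page
DATA_SOURCE_KEY = digest(b"constructed data-source key") % N
DATA_SOURCE_PUB = mul(DATA_SOURCE_KEY, G)
ORIGIN_DATA = b"M_source=constructed-sample"
SIGNATURE_DATA = sign(DATA_SOURCE_KEY, ORIGIN_DATA)

if __name__ == "__main__":
    print(verify_by_recovery(DATA_SOURCE_PUB, ORIGIN_DATA, SIGNATURE_DATA))
    print(verify_by_recovery(DATA_SOURCE_PUB, b"tampered", SIGNATURE_DATA))
```

Recovery always yields some key for a well-formed signature, so the comparison against the stored publicKey is the step that carries the check: a changed message or a flipped recovery bit recovers a different key and verification fails.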
Specific data and user data are illustrated here in connection with the collaborative computing scenario described above. The specific data required by the demander includes the user's social security and credit information. The data source device is able to provide user data including, but not limited to, data from the credit bureau and data from the social security bureau. For example, the data source device may also provide the following user data: driving license data from the vehicle administration office, provident fund data from the provident fund management center, and so on.
It should be noted that the user data obtained in the embodiments of the present application all comply with legal requirements; in every case the party concerned is informed and the party's consent is obtained.
Here, the updated data on the user side is denoted as T_user, and the first signature data on the user side is denoted as signature_T_user.
In the above collaborative computing scenario, with the collaborative-computing-based data processing method provided in the present application, the credit bureau in data source B provides the credit status of user C (Zhang San) and the social security agency provides the social security status of user C (Zhang San); finance company A finally decrypts and obtains only the credit information and the social security information that it wants, and obtains no other information, such as the driving license, identity card or real estate information. Meanwhile, data is transmitted in ciphertext form among user C (Zhang San), data source B (credit bureau, social security agency) and the demander (finance company A), which improves the security of data transmission, avoids introducing a trusted environment, removes the need to maintain one, and saves maintenance cost.
According to the collaborative-computing-based data processing method, in the case that the user device authorizes the data source device to encrypt and transmit user data, three-party encrypted data and signature data of the three-party encrypted data are obtained, where the three-party encrypted data comprises data obtained after the user data is encrypted by the data source device, the user device and the demander device; signature verification is performed on the signature data of the three-party encrypted data based on the stored demander public key; in the case that the signature data of the three-party encrypted data passes verification, the updated data of the user side and the first signature data of the user side are obtained based on the three-party encrypted data; the updated data of the user side and the first signature data of the user side are used to obtain the specific data required by the demander device, and the user data includes the specific data. The method therefore lets the demander device, the data source device and the user device participate directly in encrypted data transmission, avoids introducing a trusted environment, and improves data transmission efficiency while protecting the secure transmission of user data.
In some embodiments of the present application, after step S203 obtains the updated data of the user side and the first signature data of the user side based on the three-party encrypted data in the case that the signature data of the three-party encrypted data passes verification, the following step may further be executed:
sending the updated data of the user side and the first signature data of the user side to the demander device, so that the demander device, after verifying the first signature data of the user side, sends the demander signature data and the updated data of the user side to the data source device.
Here, the demander signature data is denoted as signature_T_need, and the updated data of the user side is denoted as T_user.
In some embodiments of the present application, step S201, obtaining the three-party encrypted data and the signature data of the three-party encrypted data in the case that the user device authorizes the data source device to encrypt and transmit the user data, may be implemented by the steps shown in fig. 3:
Step S2011, in the case that the user device authorizes the data source device to encrypt and transmit the user data, receiving the encrypted verification data of the original data item data, the signature data of the original data item data, and the signature data of the verification data sent by the data source device.
Here, the encrypted verification data of the original data item data is denoted as M_source, the signature data of the original data item data is denoted as signature_m, and the signature data of the verification data is denoted as signature_M_source.
Step S2012, performing signature verification on the signature data of the original data item data and the signature data of the verification data based on the stored data source public key.
In the embodiment of the application, after receiving the encrypted data from the data source, the user device verifies the signatures using the stored data source public key publicKey in order to verify the validity of the data. Illustratively, signature verification proceeds as follows: originData and signatureData (including signature_m and signature_M_source) are passed to a blockchain underlying encryption and decryption component (e.g., webank-blockchain-java-crypto) to obtain the public key signaturePublicKey that signed the data. This is compared with the public key publicKey in the shared keypair; if signaturePublicKey is the same as publicKey, the data was signed with the keypair and verification passes.
Step S2013, in the case that the signature data of the original data item data and the signature data of the verification data pass signature verification, performing hash offset processing on the verification data based on the user random verification factor to obtain user-side data.
In this embodiment of the present application, the user-side data is denoted as M_user, and the user random verification factor is denoted as k_2.
Here, the signature data of the original data item data and the signature data of the verification data passing verification indicates that the user device has confirmed that the received data comes from a valid data source. The user device then imports a fixed value (seed) and generates the random verification factor k_2 using a deterministic algorithm such as a linear congruential generator.
Further, the user device performs hash offset processing on M_source based on k_2 to obtain M_user = M_source + k_2.
In some embodiments, the hash offset processing may use a hash function for the offset, giving M_user = H(M_source, k_2). A different random verification factor k_2 produces a different M_user, which is equivalent to the user device encrypting the data with the random verification factor k_2, thereby improving the security of the data.
In an embodiment of the present application, a pseudo-random number generator (PRNG) is an algorithm that generates a sequence of numbers whose properties approximate those of a random number sequence. The sequence generated by a PRNG is not truly random, because it is determined by an initial value called the random seed of the PRNG; the seed may contain truly random numbers. Although sequences closer to true randomness can be generated by a hardware random number generator, a pseudo-random number generator is faster and has the advantage of being reproducible.
In the embodiment of the present application, an encryption algorithm other than the hash offset may be used for encryption, for example the international Advanced Encryption Standard (AES) algorithm or SM4, and encryption may also be performed by a hardware cryptographic device.
Step S2014, signing the user-side data based on the user private key to obtain second signature data of the user side.
In this embodiment of the present application, the second signature data on the user side is denoted as signature_M_user.
Here, the user device signs M_user with its private key privateKey to obtain the signature data signature_M_user.
Step S2015, sending the user-side data and the user-side second signature data to the demander device, so that the demander device, after the user-side second signature data passes signature verification, performs secret-state operation processing on the user-side data and performs hash offset processing on the secret-state operation result based on the demander random verification factor to obtain the three-party encrypted data.
In the embodiment of the application, the demander random verification factor is denoted as k_3, and the secret-state operation result is denoted as E.
Here, the user device sends M_user and signature_M_user to the demander device. The demander device receives M_user and signature_M_user and, based on the stored user public key publicKey, verifies signature_M_user through a blockchain underlying encryption and decryption component (such as webank-blockchain-java-crypto), thereby verifying the identity of the message sender, that is, whether the message comes from the user device. After signature_M_user passes verification, the demander device performs secret-state operation processing on M_user to obtain the secret-state operation result E, and performs hash offset processing on E based on k_3 to obtain the three-party encrypted data E_need, where E_need = E + k_3.
The data source device, the user device and the demander device all participate directly in producing E_need, and the original data cannot be restored without the participation of all three parties.
Step S2016, receiving the three-party encrypted data and the signature data of the three-party encrypted data sent by the demander device.
Here, the user device receives E_need and signature_E_need sent by the demander device.
In some embodiments of the present application, step S203, obtaining the updated data of the user side and the first signature data of the user side based on the three-party encrypted data in the case that the signature data of the three-party encrypted data passes verification, may be implemented by the steps shown in fig. 4:
Step S2031, performing signature verification on the signature data of the three-party encrypted data based on the stored demander public key.
In the embodiment of the application, in order to verify the validity of the data and decrypt it, the user device verifies signature_E_need using the stored demander public key through a blockchain underlying encryption and decryption component (webank-blockchain-java-crypto), so as to verify the validity of the data.
Step S2032, in the case that the signature data of the three-party encrypted data passes verification, decrypting the three-party encrypted data based on the user random verification factor, and removing the data not needed by the demander device from the decrypted data to obtain the updated data of the user side.
In this embodiment of the present application, the updated data of the user side is denoted as T_user.
Here, after signature verification succeeds, the user device decrypts the three-party encrypted data by calculating T_user = E_need - k_2 - M'. By having the user device decrypt and at the same time remove the data M' not needed by the demander, only the data item data needed by the demander is retained.
Step S2033, signing the updated data of the user side based on the user private key to obtain first signature data of the user side.
In this embodiment of the present application, the first signature data on the user side is denoted as signature_T_user.
Here, the user device signs the updated T_user based on the user private key to obtain signature_T_user; the user device then returns T_user and signature_T_user to the demander.
The collaborative-computing-based data processing method provided in the embodiment of the present application will be described below in connection with exemplary applications and implementations of the terminal 100 provided in the embodiment of the present application, where the terminal 100 is implemented as a data source device. Referring to fig. 5, fig. 5 is a schematic flow chart of an alternative collaborative-computing-based data processing method provided in an embodiment of the present application, which will be described in connection with the steps shown in fig. 5.
Step S301, in the case that the user device authorizes the data source device to encrypt and transmit the user data, receiving the demander signature data and the updated data of the user side that the demander device sends after the first signature data of the user side passes its signature verification.
The updated data T_user of the user side is data obtained by the user device based on the three-party encrypted data E_need after the signature data signature_E_need of the three-party encrypted data passes verification.
Step S302, performing signature verification on the demander signature data based on the stored demander public key.
In the embodiment of the application, so that the data source device can decrypt, the data source device verifies signature_T_need through a blockchain underlying encryption and decryption component (for example, webank-blockchain-java-crypto) based on the stored public key publicKey.
Step S303, in the case that the demander signature data passes signature verification, decrypting the updated data of the user side based on the data source random verification factor to obtain data source data.
In the embodiment of the application, the data source random verification factor is denoted as k_1.
Here, after signature verification of the demander signature data succeeds, the data source device calculates T_source = T_user - k_1.
Step S304, signing the data source data based on the data source private key to obtain data source signature data.
Here, the data source device signs T_source with its private key to obtain the signature data signature_T_source, after which the data source device returns T_source and signature_T_source to the demander device.
Step S305, sending the data source data and the data source signature data to the demander device, so that the demander device, after the data source signature data passes signature verification, decrypts the data source data to obtain the specific data required by the demander device.
In some embodiments of the present application, before step S301 receives the demander signature data and the updated data of the user side that the demander device sends after verifying the first signature data of the user side, the steps shown in fig. 6 may be executed:
Step S401, in the case that the user device authorizes the data source device to encrypt and transmit the user data, obtaining the original data item data.
In the embodiment of the application, the original data item data is denoted as m.
Here, the data source device holds the user's personal information, such as credit, social security, provident fund and driving license data. The data source device may represent the user data as m = a_{n-1} ... a_2 a_1, where each a_n denotes a user data item in which user data is recorded, and m is obtained by compressing the different data items and concatenating them by multiplication. For example: m = (social security)(driver license)(provident fund).
In some embodiments of the present application, after obtaining the original data item data, the data source device may further obtain data item field information of the original data item data, sign the data item field information based on the data source private key to obtain signed field information, and send the signed field information to the blockchain. That is, the data source device may put the fields of the user data on the chain, exposing the types of user data but not the specific information. For example, the user information available from the data source is disclosed as: driver license, ID card, social security, provident fund, etc., but the user's specific personal information is not revealed.
Step S402, performing hash offset processing on the original data item data with the data source random verification factor to obtain the encrypted verification data of the original data item data.
In the embodiment of the present application, the encrypted verification data of the original data item data is denoted as M_source, where M_source = a_{n-1} x^{n-1} + ... + a_2 x^2 + a_1 x + k_1. M_source contains P, which the demander needs, and M', which the demander does not need.
It will be appreciated that each power of x is one dimension, so the whole is an n-dimensional vector space. In reality the physical world can be represented in three dimensions; for example, a particular location in physical space can be located using a three-dimensional space vector (x, y, z). Mathematics extends this to n dimensions, so all of the user data can be represented well by a single n-dimensional space vector through the addition operation of the vector space. The operation on M is based on a lattice-based cryptographic scheme: for a lattice Λ ∈ R^m, any real number r > 0 and c ∈ R^m, the distribution is called
Figure BDA0004123265150000121
a discrete Gaussian distribution on Λ centered at c with parameter σ. It is a probability distribution that is exponentially close to uniform (the lattice can be understood as part of the key), so M_source appears very random.
The n-dimensional vector space is described further here. A vector is defined as a quantity that has both magnitude and direction; a vector under this definition has a very clear geometric meaning, and in physics this concept is likewise called a vector. The physical world is a three-dimensional (x, y, z) space, so ordered triples of real numbers are enough to describe it. The development of mathematics, however, is not limited to the physical world: inspired by two- and three-dimensional vectors, mathematics extends vectors to n dimensions, so that any n-dimensional vector can be represented by an ordered n-tuple of real numbers (x1, x2, x3, ..., xn). Ring of a vector space: let R be a non-empty set with two algebraic operations on R, and let F be a set containing at least two elements. Ring of an n-dimensional vector space: abstracting what the operations of the integer ring, polynomial rings and n-th order square matrices have in common gives the ring concept of the n-dimensional vector space. Let R be a non-empty set with two algebraic operations on R, called addition and multiplication respectively. R is said to be a ring if the following conditions are satisfied:
Commutative law of addition
Figure BDA0004123265150000122
Associative law of addition
Figure BDA0004123265150000123
F has a zero element 0, which satisfies
Figure BDA0004123265150000124
For any element a in F, there is an element b of F such that a + b = 0; b is called the negative element of a;
Associative law of multiplication
Figure BDA0004123265150000125
F has an identity element 1, which satisfies
Figure BDA0004123265150000126
a(b+c) = ab + ac
Figure BDA0004123265150000127
The discrete Gaussian distribution is a probability distribution used in lattice-based cryptographic schemes.
In the embodiments of the present application, reference is made to the following definition: for a lattice Λ ∈ R^m, any real number r > 0 and c ∈ R^m, the distribution is called
Figure BDA0004123265150000128
a discrete Gaussian distribution on Λ centered at c with parameter σ.
Based on the above, the embodiment of the application uses cryptographic techniques such as the n-dimensional vector space, the discrete Gaussian distribution and secret-state operation to make the user data appear random, further improving data security.
Step S403, signing the original data item data based on the data source private key to obtain signature data of the original data item data.
Step S404, signing the verification data based on the data source private key to obtain signature data of the verification data.
Step S405, sending the verification data, the signature data of the original data item data, and the signature data of the verification data to the user device.
In this embodiment of the present application, the data source device signs m and M_source with its own private key, for example by passing in a private key file in pem format and the data originData to be signed, to generate the signature data, and then sends M_source, signature_m and signature_M_source to the user device. In this way, the user device can verify the validity of the sender's identity.
The collaborative-computing-based data processing method provided in the embodiment of the present application will be described below in connection with exemplary applications and implementations of the terminal 100 provided in the embodiment of the present application, where the terminal 100 is implemented as a demander device. Referring to fig. 7, fig. 7 is a schematic flow chart of an alternative collaborative-computing-based data processing method provided in an embodiment of the present application, which will be described in connection with the steps shown in fig. 7.
Step S501, in the case that the user device authorizes the data source device to encrypt and transmit the user data, receiving the data source data and the data source signature data that the data source device sends after the demander signature data passes its signature verification.
The data source data T_source is obtained by the data source device decrypting the updated data T_user of the user side; the updated data T_user of the user side is data obtained by the user device based on the three-party encrypted data after the signature data of the three-party encrypted data passes verification.
Step S502, performing signature verification on the data source signature data based on the stored data source public key.
Step S503, in the case that the data source signature data passes signature verification, decrypting the data source data based on the demander random verification factor to obtain the specific data required by the demander device.
In the embodiment of the application, in order to verify the validity of the data from the data source and of the decryption in the previous step, the demander device verifies signature_T_source through a blockchain underlying encryption and decryption component (such as webank-blockchain-java-crypto) based on the stored data source public key publicKey; after verification succeeds, it calculates D = T_source - k_3 to decrypt, and the demander device thereby completes the final decryption. At this point the encryption and decryption process in which all three parties participate is complete, and the demander device finally decodes the specific data of the data items a_2 and a_1 that it wants by calculating the parameters corresponding to each coefficient.
In some embodiments of the present application, before step S501 receives the data source data and the data source signature data that the data source device sends after verifying the demander signature data, the steps shown in fig. 8 may be executed:
Step S601, receiving the updated data of the user side and the first signature data of the user side.
Here, the demander device receives T_user and signature_T_user. The data received by the demander device is the data that the user device returns to the demander after decrypting the three-party encrypted data and removing the data the demander does not need.
Step S602, performing signature verification on the first signature data of the user side based on the stored user public key.
Step S603, in the case that the first signature data of the user side passes signature verification, signing the updated data of the user side based on the demander private key to obtain the demander signature data.
Step S604, sending the updated data of the user side and the demander signature data to the data source device.
In the embodiment of the application, in order to verify the validity of the data and sign it, the demander device verifies signature_T_user through a blockchain underlying encryption and decryption component (such as webank-blockchain-java-crypto) based on the stored public key; after verification succeeds, it signs the T_user updated by the user device with the demander private key to obtain the demander signature data signature_T_need, and sends T_user and signature_T_need to the data source device.
In some embodiments of the present application, before step S501 receives the data source data and the data source signature data that the data source device sends after verifying the demander signature data, the steps shown in fig. 9 may be executed:
Step S701, receiving the user-side data and the user-side second signature data sent by the user device.
Step S702, performing signature verification on the second signature data of the user side based on the stored user public key.
Step S703, in the case that the second signature data of the user side passes signature verification, performing secret-state operation processing on the user-side data, and performing hash offset processing on the secret-state operation result based on the demander random verification factor to obtain the three-party encrypted data.
Step S704, signing the three-party encrypted data based on the demander private key to obtain signature data of the three-party encrypted data.
Step S705, sending the three-party encrypted data and the signature data of the three-party encrypted data to the user device.
In the embodiment of the application, in order to verify the validity of the message, after the demander device receives the user-side data M_user and the user-side second signature data signature_M_user, it verifies signature_M_user through a blockchain underlying encryption and decryption component (for example, webank-blockchain-java-crypto) based on the public key it has stored, thereby verifying the identity of the message sender, that is, whether the message comes from the user device.
After verifying that the message comes from the correct user device, the demander device imports a fixed value (seed) and generates the random verification factor k_3 using a deterministic algorithm such as a linear congruential generator, for the offset encryption in the next step.
To select the data the demander wants, the demander device performs a secret-state operation on M_user. For example, if the data a_2 and a_1 are needed, the demander device computes on the corresponding dimensions of the polynomial separately and uses M_user to compute the model, obtaining the secret-state operation result E.
Further, the demander device encrypts the secret-state operation result E again: it offsets E to obtain E_need = E + k_3, or, for example, uses a hash function for the offset to obtain E_need = H(E, k_3). Thus, after encryption by the data source device, the user device and the demander device, E_need cannot be restored to the original data without the participation of all three parties.
In the embodiment of the application, in order to achieve the encryption effect of the demander device, the demander signs E_need with its private key to obtain signature_E_need, and the demander device sends E_need and signature_E_need to the user device.
In one possible collaborative-computing-based data processing scenario, as shown in fig. 10, the collaborative computation on the data is completed through the following 8 steps, and finally the data required by the demander device is obtained:
Step 1, the user logs in to the user device.
Here, the user login modes include, but are not limited to, account and password authorization, user device verification code authorization, third-party authorization code, face recognition, and the like. Once the user has logged in to the user device, user login authorization is complete.
Step 2, the user device authorizes access to the data source data, which realizes data authorization.
Here, the demander device informs the user device, through an interface call, of the data item data it needs (such as the customer's social security and identity card information). After the data source device obtains the user information and successfully verifies the user's identity information, the authorization process for the user data is complete.
Step 3, the data source device performs offset encryption based on k_1 and then sends M_source, signature_m and signature_M_source.
Here, the data source device performs offset encryption on the user data: the data source imports a fixed value (seed) and generates a random verification factor k_1 using a deterministic algorithm such as a linear congruential generator, as the data source random verification factor. k_1 is much larger than each data item a_n of the specific user data (e.g., social insurance, medical insurance), because the secure random number algorithm can extend the length of the original data item and pad it with random numbers, so the data can be randomly encrypted well. For example, a cryptographically secure pseudo-random number generator (CSPRNG) is a PRNG suitable for use in cryptography. Because its design is based on number theory, it relies on the hardness of the integer factorisation problem (IFP), the discrete logarithm problem (DLP) or the elliptic curve discrete logarithm problem (ECDLP) to ensure security. Most CSPRNGs combine entropy from the OS with a high-quality PRNG, and as soon as the system produces new entropy, e.g., from user input, disk I/O, system interrupts or a hardware RNG, the CSPRNG immediately uses it as a new seed for the PRNG. This constant reseeding of the PRNG makes the random numbers very difficult to predict.
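The two generators mentioned above, side by side, as an added Python example (not code from the patent). The LCG constants, the seed, the value of x and the two records are constructed assumptions, and the example assumes the LCG is restarted from the same imported seed for every record.

```python
import secrets

# LCG constants from Numerical Recipes (assumption: the page names no parameters)
LCG_A, LCG_C, LCG_M = 1664525, 1013904223, 2**32


def lcg_factor(seed: int, draws: int = 1) -> int:
    """k from a linear congruential generator started at an imported fixed seed."""
    state = seed % LCG_M
    for _ in range(draws):
        state = (LCG_A * state + LCG_C) % LCG_M
    return state


def csprng_factor(bits: int = 256) -> int:
    """k drawn from the operating system CSPRNG; independent on every call."""
    return secrets.randbits(bits)


def encode_items(items, x: int) -> int:
    """a_1*x + a_2*x^2 + ... + a_n*x^n, the polynomial part of M_source."""
    return sum(a * x ** (i + 1) for i, a in enumerate(items))


def hash_offset(value: int, k: int) -> int:
    """Additive form of the offset used on the page: M_source = value + k_1."""
    return value + k


def masked_pair(record_a, record_b, x, next_factor):
    """Offset two users' records, asking next_factor() for a k_1 each time."""
    return (hash_offset(encode_items(record_a, x), next_factor()),
            hash_offset(encode_items(record_b, x), next_factor()))


def offset_cancels(record_a, record_b, x, next_factor) -> bool:
    """True if subtracting the two M_source values removes the offset entirely."""
    m_a, m_b = masked_pair(record_a, record_b, x, next_factor)
    return m_a - m_b == encode_items(record_a, x) - encode_items(record_b, x)


# Constructed demo values, not taken from the page
FIXED_SEED = 20230313
X = 1000
RECORD_A = [712, 45, 3]   # a_1, a_2, a_3 of one user
RECORD_B = [655, 45, 9]   # a_1, a_2, a_3 of another user

if __name__ == "__main__":
    print("same k_1 every run:", lcg_factor(FIXED_SEED) == lcg_factor(FIXED_SEED))
    print("fixed-seed LCG, offset cancels:",
          offset_cancels(RECORD_A, RECORD_B, X, lambda: lcg_factor(FIXED_SEED)))
    print("CSPRNG, offset cancels:",
          offset_cancels(RECORD_A, RECORD_B, X, csprng_factor))
```

With the fixed seed every record receives the same k_1, so the offset hides nothing about how two records differ; a fresh CSPRNG draw per record keeps each M_source independently masked, at the cost of having to store the factor for the later subtraction.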
For subsequent encryption and decryption, the other two parties, the user equipment and the demand-side device, likewise generate their own random verification factors for offsetting the data; for example, a hash algorithm performs a hash offset on the original data item data m and a random verification factor k to obtain M = H(m, k).
Here, the relevant symbols are defined as follows: the user data is denoted m, i.e., the original data item data; the generated verification data is denoted M, i.e., the verification data obtained by encrypting the original data item data; the data required by the demander is P; and the data not required by the demander is M'.
Here m is written as m = a_{n-1}...a_2a_1, where each item is a piece of the user's data, for example m = (social security)(driver license)(accumulation fund).
The verification data generated by the data source device is denoted M_source, which is the M described above, and M_source = a_{n-1}x^{n-1} + ... + a_2x^2 + a_1x + k_1. In this way the verification data appears highly random and the user data is better encrypted.
In the embodiment of the application, the data source device generates P, M'.
Therefore, the data source equipment generates verification data P for the data items required by the requiring party according to the requirement of the requiring party, so that the invalidity and screening cost of the user data acquired by the requiring party are reduced.
P = a_2x^2 + a_1x, where P represents the data items required by the demander (these data items are provided by data sources such as social security bureaus); the demander may need only the two items a_2 and a_1, such as social security and credit investigation;
M' = M_source - P = a_{n-1}x^{n-1} + ... + a_3x^3 + k_1; that is, M' represents the data item data not required by the demander. Similarly, P and M' are highly random data.
Further, the data source device signs m and M_source with its own private key (the signature data is generated from the private key file in PEM format and the original data to be signed), and then sends M_source, signature_m and signature_M_source to the user, so that the user equipment can verify the identity and validity of the sender of the message.
Step4, the data source device puts the summary information of the user data on the blockchain.
In some embodiments of the present application, to preserve a summary of the user information, the data source device signs the summary information of the user data, that is, the data item field information of the original data item data, with its private key privateKey, and then sends the signed data item field information to the blockchain. The data item field information of the original data item data includes field information such as social security, driving license, accumulation fund and identity card. It should be noted that after the data item field information of the original data item data is put on chain, no specific personal information of the user is displayed.
Step5, after offset encryption based on k_2, the user equipment sends M_user and signature_M_user to the demand-side device.
After receiving the encrypted data from the data source, the user verifies the signature on the data using the public key publicKey: originData and signatureData are passed to the blockchain's underlying encryption and decryption component (such as webank-blockchain-java-crypto) to obtain signaturePublicKey, the public key that signed the data. This is then compared with the public key publicKey in the shared keypair: if the signing public key is the same as publicKey, the data was signed by that keypair and verification passes.
After confirming that the message comes from a valid data source, the user equipment imports a fixed value (seed) and uses a deterministic algorithm such as a linear congruential generator to generate a random verification factor k_2, which serves as the user random verification factor for the next step of offset encryption.
To add its own layer of encryption, the user equipment takes the verification data M_source received from the data source and performs a hash offset on it with k_2, so that M_user = M_source + k_2; for example, offsetting with a hash function gives M_user = H(M_source, k_2). A different random verification factor k_2 produces a different M_user, which is equivalent to the user equipment encrypting the data with its random verification factor k_2.
The user equipment signs M_user with its own private key to obtain the signature data signature_M_user, and then sends M_user and signature_M_user to the demand-side device.
Step6, the demand-side device obtains E by performing the secret-state operation on M_user, obtains E_need by offset encryption based on k_3, and sends E_need and signature_E_need to the user equipment.
To verify the validity of the message, the demand-side device receives M_user and signature_M_user and, using the user's public key publicKey that it has stored, verifies the signature through the blockchain's underlying encryption and decryption component (such as webank-blockchain-java-crypto), thereby authenticating the sender and confirming whether the message comes from the user equipment.
After confirming that the message comes from the correct user equipment, the demander imports a fixed value (seed) and uses a deterministic algorithm such as a linear congruential generator to generate a random verification factor k_3 for the next step of offset encryption.
To screen out the data the demander wants, the demand-side device performs the secret-state operation on M_user; for example, if a_2 and a_1 are needed, the demand-side device computes the data of each dimension in the polynomial separately and runs its model on M_user to obtain the secret-state operation result E.
Because the secret-state operation result E is to be encrypted further, the demand-side device offsets E to obtain E_need = E + k_3; for example, offsetting with a hash function gives E_need = H(E, k_3). At this point the randomized user data M_user has been encrypted by the data source device, the user equipment and the demand-side device, and E_need cannot be restored to the original data unless all three parties participate.
In the embodiments of the present application, ciphertext data is transmitted over the network, and all three parties take part in encrypting and decrypting the user data: because the data transmitted over the network is encrypted, the security of decryption is ensured; all three parties must take part in decryption at the same time, which cannot be exhaustively enumerated; and the multiple layers of encryption ensure multi-party participation in the decryption process.
To complete the demand side's encryption step, the demand-side device signs E_need with its own private key to obtain the signature data signature_E_need, and sends E_need and signature_E_need to the user equipment.
Step7, the user equipment verifies and decrypts, and returns T_user and signature_T_user to the demand-side device.
To verify the validity of the data and decrypt it, the user equipment verifies signature_E_need using the stored public key publicKey of the demander through the blockchain's underlying encryption and decryption component webank-blockchain-java-crypto. After verification succeeds, it calculates T_user = E_need - k_2 - M', signs the updated T_user, and returns T_user and signature_T_user to the demand-side device. In this step the user equipment performs its decryption and at the same time removes the data M' that the demander does not need, so that only the data item data required by the demander is retained.
Step8, the demand-side device verifies the signature of the data from the user equipment and, if it is correct, sends T_user and signature_T_seed to the data source device.
To verify the validity of the data and sign it, the demand-side device uses the stored public key of the user to verify the signature through the blockchain's underlying encryption and decryption component webank-blockchain-java-crypto; after verification succeeds, it signs the user's updated T_user with its own private key to obtain the signature data signature_T_seed, and the demander sends T_user and signature_T_seed to the data source.
Step9, after the data source device decrypts, it sends T_source and signature_T_source to the demand-side device.
For the data source's decryption, the data source device uses the stored public key publicKey of the demander to verify the signature through the blockchain's underlying encryption and decryption component webank-blockchain-java-crypto; after verification succeeds, it updates T_source = T_user - k_1, signs the result with the data source device's private key to obtain the signature data signature_T_source, and returns T_source and signature_T_source to the demand-side device.
Step10, after encryption and decryption by the three parties, the demand-side device obtains the specific data the demander wants.
To verify the validity of the data from the data source and perform the final decryption step, the demand-side device uses the stored public key publicKey of the data source to verify the signature through the blockchain's underlying encryption and decryption component (e.g., webank-blockchain-java-crypto); after verification succeeds, it calculates D = T_source - k_3, which completes the final decryption. At this point the encryption and decryption process of all three parties is complete, and the demander finally decodes the data items a_2 and a_1 that it wants by calculating the parameters corresponding to each coefficient.
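Carrying the additive formulas of Step3 to Step10 through in code shows which offset each party removes and that, as written, k_1 is subtracted twice (once inside M' at Step7 and again at Step9), leaving D = P - k_1; this is an added example, not code from the patent. Assumptions: x is a public base larger than every data item, the factors are 128-bit values from Python's `secrets` module, the secret-state operation is taken as the identity (E = M_user), and all signing and verification steps are left out.

```python
import secrets

BASE_X = 10**6       # assumption: public base x, larger than any single data item
FACTOR_BITS = 128    # assumption: bit length of each random verification factor


def encode(items, x=BASE_X):
    """a_{n-1}x^{n-1} + ... + a_2x^2 + a_1x, with items[0] = a_1."""
    return sum(a * x ** (i + 1) for i, a in enumerate(items))


def decode(value, indices, x=BASE_X):
    """Read the coefficients a_i (1-based indices) out of a non-negative value."""
    return {i: (value // x ** i) % x for i in indices}


def run_flow(items, needed, k1=None, k2=None, k3=None, x=BASE_X):
    """Carry the offsets of Step3 to Step10 through; returns every intermediate."""
    if not all(0 <= a < x for a in items):
        raise ValueError("each data item must satisfy 0 <= a < x")
    needed = sorted(set(needed))
    if not all(1 <= i <= len(items) for i in needed):
        raise ValueError("needed indices must refer to existing items")

    # Fresh factors from the OS CSPRNG unless fixed by the caller; a generator
    # re-run from the same fixed seed would return the same factor every time.
    k1 = secrets.randbits(FACTOR_BITS) if k1 is None else k1
    k2 = secrets.randbits(FACTOR_BITS) if k2 is None else k2
    k3 = secrets.randbits(FACTOR_BITS) if k3 is None else k3

    # Step3, data source: M_source, P and M' = M_source - P (M' still holds k_1)
    m_source = encode(items, x) + k1
    p = sum(items[i - 1] * x ** i for i in needed)
    m_prime = m_source - p

    # Step5, user: M_user = M_source + k_2
    m_user = m_source + k2

    # Step6, demander: E from the secret-state operation (identity here),
    # then E_need = E + k_3
    e = m_user
    e_need = e + k3

    # Step7, user: T_user = E_need - k_2 - M'
    t_user = e_need - k2 - m_prime

    # Step9, data source: T_source = T_user - k_1
    t_source = t_user - k1

    # Step10, demander: D = T_source - k_3
    d = t_source - k3

    return {
        "P": p, "M_source": m_source, "M_prime": m_prime, "M_user": m_user,
        "E_need": e_need, "T_user": t_user, "T_source": t_source, "D": d,
        "k1": k1, "residual": p - d,   # what still separates D from P
    }


if __name__ == "__main__":
    # Constructed sample: four data items, the demander needs a_1 and a_2.
    result = run_flow([111, 222, 333, 444], needed=(1, 2))
    print("T_user - k_3 equals P:", result["T_user"] - (result["E_need"] - result["M_user"]) == result["P"])
    print("residual equals k_1:  ", result["residual"] == result["k1"])
    print("decoded from D + k_1: ", decode(result["D"] + result["k1"], (1, 2)))
```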
In the related art, collaborative computing introduces a clean environment as a trusted environment, which solves the problem that the demander cannot obtain data directly from the data source and verify the correctness of the user data, but at the same time raises problems of data validity and screening: for example, the demander needs only 2 to 3 data items, but the clean environment hands over all of the user's data items. In addition, in collaborative computing in the related art, plaintext data is at risk of leakage during transmission. In the collaborative-computing-based data processing method of the present application, encryption and decryption operations are carried out among the demander, the data source and the user, which ensures the participation of all three parties and better protects the security of the user's data.
From the above, to address how to effectively verify the validity of the data sent by the user and how to obtain the required user data without revealing the user data, the present application encrypts data during transmission and uses cryptographic techniques such as n-dimensional vector spaces, discrete Gaussian distributions and secret-state operation to make the user data highly random and improve data security. The user equipment, the data source device and the demand-side device all take part in the encryption process, and all three also take part in the decryption process, which ensures multi-party participation in both encryption and decryption.
Continuing with the description below of the exemplary structure in which the data processing apparatus 154 provided in the embodiments of the present application is implemented as a software module, in some embodiments, as shown in fig. 11, when the data processing apparatus 154 stored in the memory 150 is a user-side data processing apparatus 1541, the software module in the user-side data processing apparatus 1541 may be a data processing apparatus in a user device when the terminal 100 is a user device, including:
a first obtaining unit 15411, configured to obtain the three-party encrypted data and the signature data of the three-party encrypted data when the user equipment authorizes the data source equipment to encrypt the user data; the three-party encrypted data comprises data obtained after the user data is encrypted by the data source equipment, the user equipment and the demand party equipment;
a first processing unit 15412, configured to verify the signature data of the three-party encrypted data based on the stored public key of the requiring party;
the first processing unit 15412 is configured to obtain, based on the three-party encrypted data, updated data on the user side and first signature data on the user side when signature data of the three-party encrypted data passes verification; the updated data of the user side and the first signature data of the user side are used for obtaining specific data required by the equipment of the requiring party, and the user data comprise the specific data.
In some embodiments of the present application, the first obtaining unit 15411 is configured to receive, when the user equipment authorizes the data source device to encrypt the user data, the encrypted verification data of the original data item data sent by the data source device, the signature data of the original data item data, and the signature data of the verification data.
a first processing unit 15412, configured to verify the signature data of the original data item data and the signature data of the verification data based on the stored data source public key;
a first processing unit 15412, configured to perform hash offset processing on verification data based on a user random verification factor to obtain user side data when signature data of the original data item data and signature data of the verification data pass verification;
A first processing unit 15412, configured to sign the user-side data based on the user private key, to obtain second signature data of the user side;
the first sending unit 15413 is configured to send the user side data and the user side second signature data to the device of the requiring party, so that after the device of the requiring party passes the signature verification of the user side second signature data, the device of the requiring party performs the cryptographic operation on the user side data, and performs the hash offset processing on the cryptographic operation result based on the random verification factor of the requiring party, so as to obtain the three-party encrypted data;
the first obtaining unit 15411 is configured to receive the three-party encrypted data and the signature data of the three-party encrypted data sent by the device of the requiring party.
In some embodiments of the present application, the first processing unit 15412 is configured to verify the signature data of the three-party encrypted data based on the stored public key of the requiring party; under the condition that the signature data of the three-party encrypted data passes verification, decrypt the three-party encrypted data based on a user random verification factor, and remove the data not needed by the device of the requiring party from the decrypted data to obtain updated data of the user side; and sign the updated data of the user side based on the user private key to obtain first signature data of the user side.
In some embodiments of the present application, the first sending unit 15413 is configured to send the updated data on the user side and the first signature data on the user side to the device on the client side, so that after the device on the client side verifies and signs the first signature data on the user side, the device on the client side sends the signature data on the client side and the updated data on the client side to the data source device.
Continuing with the description below of an exemplary structure in which the data processing apparatus 154 provided in the embodiments of the present application is implemented as a software module, in some embodiments, when the data processing apparatus 154 stored in the memory 150 is a data source data processing apparatus 1542, as shown in fig. 12, the software module in the data source data processing apparatus 1542 may be the data processing apparatus in the data source device when the terminal 100 is a data source device, including:
a second obtaining unit 15421, configured to receive, when the user equipment authorizes the data source device to encrypt and transmit the user data, the transmitted signature data of the user and the updated data of the user after the user side first signature data passes through the signature verification by the user side device; the updated data of the user side is data obtained based on the three-party encrypted data after signature data of the three-party encrypted data passes verification by the user equipment;
a second processing unit 15422, configured to check the signature data of the demander based on the stored public key of the demander;
the second processing unit 15422 is configured to decrypt the data updated on the user side based on the data source random verification factor to obtain data source data when the signature data of the requiring party passes the verification;
the second processing unit 15422 is configured to sign the data source data based on the data source private key to obtain data source signature data;
the second sending unit 15423 is configured to send the data source data and the data source signature data to the device of the requiring party, so that the device of the requiring party decrypts the data source data after the signature verification of the data source signature data passes, and specific data required by the device of the requiring party is obtained.
In some embodiments of the present application, the second obtaining unit 15421 is configured to obtain the original data item data when the user equipment authorizes the data source device to encrypt the transmission user data; the second processing unit 15422 is configured to perform hash offset processing on the original data item data and the data source random verification factor, so as to obtain verification data after the original data item data is encrypted; signing the original data item data based on the data source private key to obtain signature data of the original data item data; signing the verification data based on the data source private key to obtain signature data of the verification data; the second transmitting unit 15423 is configured to transmit verification data, signature data of the original data item data, and signature data of the verification data to the user device.
In some embodiments of the present application, the second obtaining unit 15421 is configured to obtain data item field information of the original data item data; the second processing unit 15422 is used for signing the field information of the data item based on the data source private key to obtain signed field information; the second transmitting unit 15423 is configured to transmit the signed field information to the blockchain.
Continuing with the description below of an exemplary structure in which the data processing apparatus 154 provided in the embodiments of the present application is implemented as a software module, in some embodiments, when the data processing apparatus 154 stored in the memory 150 is the data processing apparatus 1543 on the demand side, the software module in the data processing apparatus 1543 on the demand side may be the data processing apparatus in the demand side device when the terminal 100 is the demand side device, as shown in fig. 13, including:
a third obtaining unit 15431, configured to receive, when the user equipment authorizes the data source equipment to encrypt and transmit the user data, the data source data and the data source signature data sent after the data source equipment verifies the signature data of the requiring party; the data source data are obtained by decrypting the data updated by the user side by the data source equipment; the updated data of the user side is data obtained based on the three-party encrypted data after signature data of the three-party encrypted data passes verification by the user equipment;
a third processing unit 15432, configured to verify the data source signature data based on the stored data source public key;
the third processing unit 15432 is configured to decrypt the data source data based on the random verification factor of the demander to obtain specific data required by the demander device when the signature verification of the data source signature data passes.
In some embodiments of the present application, a third obtaining unit 15431 is configured to receive updated data of a user side and first signature data of the user side; a third processing unit 15432, configured to check the signature of the user-side first signature data based on the stored user public key; under the condition that the first signature data of the user side passes the signature verification, the updated data of the user side is signed based on a private key of the requiring party, so that signature data of the requiring party is obtained; and a third sending unit 15433, configured to send the updated data on the user side and the signature data of the requester to the data source device.
In some embodiments of the present application, the third obtaining unit 15431 is configured to receive user side data and user side second signature data sent by the user equipment; a third processing unit 15432, configured to verify the user side second signature data based on the stored public key of the user; under the condition that the user side second signature data passes the signature verification, perform the secret state operation processing on the user side data, and perform hash offset processing on the secret state operation result based on the random verification factor of the requiring party to obtain the three-party encrypted data; sign the three-party encrypted data based on the private key of the requiring party to obtain signature data of the three-party encrypted data; the third transmitting unit 15433 is configured to transmit the three-party encrypted data and the signature data of the three-party encrypted data to the user device.
The software modules referred to in the present application are logical, and thus may be arbitrarily combined or further split according to the implemented functions.
It should be noted that, the description of the apparatus in the embodiment of the present application is similar to the description of the embodiment of the method described above, and has similar beneficial effects as the embodiment of the method, so that a detailed description is omitted. For technical details not disclosed in the embodiments of the present apparatus, please refer to the description of the embodiments of the method of the present application for understanding.
The present embodiments provide a storage medium having stored therein executable instructions that, when executed by a processor, cause the processor to perform a method provided by the embodiments of the present application, for example, the methods shown in fig. 2, 5, 7.
The computer readable storage medium obtains the three-party encrypted data and the signature data of the three-party encrypted data under the condition that the user equipment authorizes the data source equipment to encrypt and transmit the user data; the three-party encrypted data comprises data obtained after the user data is encrypted by the data source equipment, the user equipment and the demand party equipment; the signature data of the three-party encrypted data is verified based on the stored public key of the demand party; under the condition that the signature data of the three-party encrypted data passes verification, updated data of a user side and first signature data of the user side are obtained based on the three-party encrypted data; the updated data of the user side and the first signature data of the user side are used for obtaining specific data required by the equipment of the requiring party, and the user data comprise the specific data; therefore, the data processing method based on collaborative computing provided by the application directly enables the requiring party device, the data source device and the user device to participate in encrypted data transmission, avoids introducing a trusted environment, and improves data transmission efficiency while protecting the secure transmission of user data.
The computer readable storage medium provided by the application receives the signature data of a user and the updated data of the user after the user side first signature data passes the signature verification by the user side equipment under the condition that the user equipment authorizes the data source equipment to encrypt and transmit the user data; the updated data of the user side is data obtained based on the three-party encrypted data after signature verification of the user equipment on the three-party encrypted data is passed; the signature data of the requiring party is verified based on the stored public key of the requiring party; under the condition that signature verification of the signature data of the requiring party passes, the data updated on the user side is decrypted based on a data source random verification factor to obtain data source data; the data source data is signed based on the data source private key to obtain data source signature data; the data source data and the data source signature data are sent to the demand side equipment, so that the demand side equipment decrypts the data source data after the data source signature data passes signature verification, and specific data required by the demand side equipment are obtained; therefore, the data processing method based on collaborative computing provided by the application directly enables the requiring party device, the data source device and the user device to participate in encrypted data transmission, avoids introducing a trusted environment, and improves data transmission efficiency while protecting the secure transmission of user data.
The computer readable storage medium receives data source data and data source signature data sent after signature verification of the data source equipment on a demand side passes under the condition that user equipment authorizes the data source equipment to encrypt and transmit user data; the data source data are obtained by decrypting the data updated by the user side by the data source equipment; the updated data of the user side is data obtained based on the three-party encrypted data after signature verification of the user equipment on the three-party encrypted data is passed;
verifying the data source signature data based on the stored data source public key;
under the condition that signature verification of the data source signature data is passed, decrypting the data source data based on a random verification factor of a demand party to obtain specific data required by the demand party equipment; therefore, the data processing method based on collaborative computing, provided by the application, directly enables the party requiring device, the data source device and the user device to participate in data encryption transmission, avoids introducing a trusted environment, and improves data transmission efficiency under the condition of protecting user data security transmission.
In some embodiments, the storage medium may be a computer readable storage medium, such as a ferroelectric Memory (FRAM, ferromagnetic Random Access Memory), read Only Memory (ROM), programmable Read Only Memory (PROM, programmable Read Only Memory), erasable programmable Read Only Memory (EPROM, erasable Programmable Read Only Memory), electrically erasable programmable Read Only Memory (EEPROM, electrically Erasable Programmable Read Only Memory), flash Memory, magnetic surface Memory, optical Disk, or Compact Disk-Read Only Memory (CD-ROM), or the like; but may be a variety of devices including one or any combination of the above memories.
In some embodiments, the executable instructions may be in the form of programs, software modules, scripts, or code, written in any form of programming language (including compiled or interpreted languages, or declarative or procedural languages), and they may be deployed in any form, including as stand-alone programs or as modules, components, subroutines, or other units suitable for use in a computing environment.
As an example, the executable instructions may, but need not, correspond to files in a file system; they may be stored as part of a file that holds other programs or data, e.g., in one or more scripts in a Hypertext Markup Language (HTML) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code). As an example, executable instructions may be deployed to be executed on one computing device or on multiple computing devices located at one site or, alternatively, distributed across multiple sites and interconnected by a communication network.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application. Any modifications, equivalent substitutions, improvements, etc. that are within the spirit and scope of the present application are intended to be included within the scope of the present application.

Claims (10)

1. A data processing method based on collaborative computing, the method comprising:
under the condition that the user equipment authorizes the data source equipment to encrypt and transmit the user data, obtaining three-party encrypted data and signature data of the three-party encrypted data; the three-party encrypted data comprises data obtained after the user data is encrypted by the data source equipment, the user equipment and the demand party equipment;
verifying the signature data of the three-party encrypted data based on the stored public key of the demand party;
under the condition that signature data of the three-party encrypted data passes verification, updated data of a user side and first signature data of the user side are obtained based on the three-party encrypted data; the updated data of the user side and the first signature data of the user side are used for obtaining specific data required by the device of the requiring party, and the user data comprise the specific data.
2. The method according to claim 1, wherein obtaining the three-party encrypted data and the signature data of the three-party encrypted data, in a case where the user device authorizes the data source device to transmit the user data in encrypted form, comprises:
in a case where the user device authorizes the data source device to transmit the user data in encrypted form, receiving encrypted verification data of original data item data, signature data of the original data item data and signature data of the verification data sent by the data source device;
performing signature verification on the signature data of the original data item data and the signature data of the verification data based on the stored data source public key;
in a case where the signature data of the original data item data and the signature data of the verification data pass verification, performing hash offset processing on the verification data based on a user random verification factor to obtain user-side data;
signing the user-side data based on a user private key to obtain user-side second signature data;
sending the user-side data and the user-side second signature data to the demand party device, so that the demand party device, after the user-side second signature data passes signature verification, performs secret-state operation processing on the user-side data and performs hash offset processing on the secret-state operation result based on a demand party random verification factor to obtain the three-party encrypted data;
and receiving the three-party encrypted data and the signature data of the three-party encrypted data sent by the demand party device.
3. The method according to claim 1 or 2, wherein obtaining the user-side updated data and the user-side first signature data based on the three-party encrypted data, in a case where the signature data of the three-party encrypted data passes verification, comprises:
performing signature verification on the signature data of the three-party encrypted data based on the stored public key of the demand party;
in a case where the signature data of the three-party encrypted data passes verification, decrypting the three-party encrypted data based on a user random verification factor, and removing, from the decrypted data, data not needed by the demand party device, to obtain the user-side updated data;
and signing the user-side updated data based on a user private key to obtain the user-side first signature data.
4. The method according to claim 3, wherein, after obtaining the user-side updated data and the user-side first signature data based on the three-party encrypted data in a case where the signature data of the three-party encrypted data passes verification, the method comprises:
sending the user-side updated data and the user-side first signature data to the demand party device, so that the demand party device, after performing signature verification on the user-side first signature data, sends demand party signature data and the user-side updated data to the data source device.
5. A data processing method based on collaborative computing, the method comprising:
in a case where a user device authorizes a data source device to transmit user data in encrypted form, receiving signature data of a user side and user-side updated data that are sent after user-side first signature data passes verification by the user side; wherein the user-side updated data is data obtained based on three-party encrypted data after the user device's signature verification of the three-party encrypted data passes;
performing signature verification on the demand party signature data based on the stored public key of the demand party;
in a case where the demand party signature data passes signature verification, decrypting the user-side updated data based on a data source random verification factor to obtain data source data;
signing the data source data based on a data source private key to obtain data source signature data;
and sending the data source data and the data source signature data to the demand party device, so that the demand party device decrypts the data source data after the data source signature data passes verification, to obtain specific data required by the demand party device.
6. The method according to claim 5, wherein, before receiving the demand party signature data and the user-side updated data that are sent after the demand party device's signature verification of the user-side first signature data passes, the method comprises:
in a case where the user device authorizes the data source device to transmit user data in encrypted form, obtaining original data item data;
performing hash offset processing on the original data item data and the data source random verification factor to obtain verification data of the encrypted original data item data;
signing the original data item data based on the data source private key to obtain signature data of the original data item data;
signing the verification data based on the data source private key to obtain signature data of the verification data;
and sending the verification data, the signature data of the original data item data and the signature data of the verification data to the user device.
7. The method according to claim 6, wherein, after obtaining the original data item data, the method comprises:
obtaining data item field information of the original data item data;
and signing the data item field information based on the data source private key to obtain signed field information, and sending the signed field information to a blockchain.
8. A data processing method based on collaborative computing, the method comprising:
in a case where a user device authorizes a data source device to transmit user data in encrypted form, receiving data source data and data source signature data that are sent after the data source device's signature verification of demand party signature data passes; wherein the data source data is obtained by the data source device decrypting user-side updated data, and the user-side updated data is data obtained based on three-party encrypted data after the user device's signature verification of the three-party encrypted data passes;
performing signature verification on the data source signature data based on the stored data source public key;
and in a case where the data source signature data passes signature verification, decrypting the data source data based on a demand party random verification factor to obtain specific data required by the demand party device.
9. The method of claim 8, wherein the receiving the source data and the source signature data after the source device verifies the source signature data, the method comprises:
receiving the user-side updated data and user-side first signature data;
performing signature verification on the user-side first signature data based on the stored user public key;
in a case where the user-side first signature data passes signature verification, signing the user-side updated data based on a demand party private key to obtain the demand party signature data;
and sending the user-side updated data and the demand party signature data to the data source device.
10. A method according to claim 8 or 9, wherein said receiving said source device verifies that the source signature data passes, and said method comprises:
receiving user-side data and user-side second signature data sent by the user device;
performing signature verification on the user-side second signature data based on the stored user public key;
in a case where the user-side second signature data passes signature verification, performing encrypted operation processing on the user-side data, and performing hash offset processing on the encrypted operation result based on the demand party random verification factor to obtain the three-party encrypted data;
signing the three-party encrypted data based on a demand party private key to obtain signature data of the three-party encrypted data;
and sending the three-party encrypted data and the signature data of the three-party encrypted data to the user device.
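The offset layering in claims 2, 3, 5, 6, 8 and 10, as an added example that is not part of the patent text: each party adds its own hash offset, and the layers are removed in a different order than they were applied. The additive SHA-256 offset modulo 2^256, the per-field keying, the identity secret-state operation and all names are assumptions, and the signature checks that gate every step are left out.

```python
import hashlib

M = 2 ** 256  # assumption: masked values are integers modulo 2^256


def offset(factor: bytes, field: str) -> int:
    """Assumed hash offset: SHA-256 over a party's random factor and the field name."""
    return int.from_bytes(hashlib.sha256(factor + b"|" + field.encode()).digest(), "big")


def add_offset(data: dict, factor: bytes) -> dict:
    return {k: (v + offset(factor, k)) % M for k, v in data.items()}


def remove_offset(data: dict, factor: bytes) -> dict:
    return {k: (v - offset(factor, k)) % M for k, v in data.items()}


def run_protocol(raw: dict, needed: set, r_src: bytes, r_user: bytes, r_dem: bytes) -> dict:
    t = {}
    # Claim 6: data source masks the original data items -> verification data
    t["verification"] = add_offset(raw, r_src)
    # Claim 2: user device adds its layer -> user-side data
    t["user_side"] = add_offset(t["verification"], r_user)
    # Claim 10: demand party operates on the masked data (modelled as identity
    # here) and adds its layer -> three-party encrypted data
    t["three_party"] = add_offset(t["user_side"], r_dem)
    # Claim 3: user device removes its layer and drops fields not needed
    peeled = remove_offset(t["three_party"], r_user)
    t["updated"] = {k: v for k, v in peeled.items() if k in needed}
    # Claim 5: data source removes its layer -> data source data
    t["source_data"] = remove_offset(t["updated"], r_src)
    # Claim 8: demand party removes the last layer -> specific data
    t["specific"] = remove_offset(t["source_data"], r_dem)
    return t


# Constructed sample record and fixed factors (real factors would be random).
RAW = {"balance": 1200, "age": 41, "postcode": 518000}
FACTORS = (b"S" * 32, b"U" * 32, b"D" * 32)

if __name__ == "__main__":
    trace = run_protocol(RAW, {"balance"}, *FACTORS)
    for stage, values in trace.items():
        print(stage, {k: hex(v)[:18] for k, v in values.items()})
```

Because the assumed offsets are additive, they commute, which is what lets the user device remove its layer first even though it was applied second.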
CN202310238511.6A 2023-03-03 2023-03-03 Data processing method based on collaborative calculation Pending CN116340999A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310238511.6A CN116340999A (en) 2023-03-03 2023-03-03 Data processing method based on collaborative calculation

Publications (1)

Publication Number Publication Date
CN116340999A true CN116340999A (en) 2023-06-27

Family

ID=86890888

Country Status (1)

Country Link
CN (1) CN116340999A (en)

Similar Documents

Publication Publication Date Title
RU2376651C2 (en) Using isogenies to design cryptosystems
CN110545279A (en) block chain transaction method, device and system with privacy and supervision functions
CN106134128B (en) Use the system and method for the faster public key encryption in associated private key part
US11979492B2 (en) Computer-implemented system and method for distributing shares of digitally signed data
US20150288527A1 (en) Verifiable Implicit Certificates
US20180227278A1 (en) Communication of Messages Over Networks
CN109936456B (en) Anti-quantum computation digital signature method and system based on private key pool
WO2020212796A1 (en) Computer implemented method and system for encrypting data
CN109905229B (en) Anti-quantum computing Elgamal encryption and decryption method and system based on group asymmetric key pool
CN111769938A (en) Key management system and data verification system of block chain sensor
CN111555880A (en) Data collision method and device, storage medium and electronic equipment
CN107104788B (en) Terminal and non-repudiation encryption signature method and device thereof
CN118160275A (en) Threshold signature scheme
CN114257366B (en) Information homomorphic processing method, device, equipment and computer readable storage medium
Klimushyn et al. Hardware support procedures for asymmetric authentication of the internet of things
CN116318696B (en) Proxy re-encryption digital asset authorization method under condition of no initial trust of two parties
CN111245594A (en) Homomorphic operation-based collaborative signature method and system
EP3664361A1 (en) Methods and devices for secured identity-based encryption systems with two trusted centers
CN116318784A (en) Identity authentication method, identity authentication device, computer equipment and storage medium
Barker Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
CN117795901A (en) Generating digital signature shares
CN116340999A (en) Data processing method based on collaborative calculation
WO2023055371A1 (en) Replicated secret share generation for distributed symmetric cryptography
JP2011250335A (en) Efficient mutual authentication method, program, and device
Fugkeaw et al. Proxy-assisted digital signing scheme for mobile cloud computing

Legal Events

Date Code Title Description
PB01 Publication