CN116684091B

CN116684091B - Relay multi-level data blockchain sharing method and system based on quantum key distribution

Info

Publication number: CN116684091B
Application number: CN202310904332.1A
Authority: CN
Inventors: 朱典; 杨阳; 陶峰; 余达; 俞正博
Original assignee: Anhui Big Data Center
Current assignee: Anhui Big Data Center
Priority date: 2023-07-24
Filing date: 2023-07-24
Publication date: 2023-10-31
Anticipated expiration: 2043-07-24
Also published as: CN116684091A

Abstract

The invention provides a system and a method for sharing a relay multi-level data blockchain based on quantum key distribution, wherein the system comprises the following steps: the provincial password service platform generates a traditional symmetric Key Key1, and the quantum password system utilizes a quantum Key distribution technology and a quantum Key relay technology to realize negotiation generation of the provincial password service platform and a platform quantum Key2 of each level node; the password service platform distributes the traditional symmetric key ciphertext C_key1 to each level of witness nodes of the blockchain through API interface service; the password service platform encrypts a traditional symmetric Key Key1 by a quantum Key Key2 through a national encryption algorithm SM4 to generate a Key ciphertext C_key1, and encrypts the Key ciphertext to generate a shared data ciphertext; and the data receiver decrypts the traditional symmetric Key Key1 by using the quantum Key Key2 to obtain a traditional symmetric Key1 plaintext, and decrypts the traditional symmetric Key1 plaintext to obtain a shared data plaintext. The invention solves the technical problem of lower security of symmetric key distribution used for encryption of data on a chain.

Description

Relay multi-level data blockchain sharing method and system based on quantum key distribution

Technical Field

The invention relates to the field of data security interaction, in particular to a relay multi-level data blockchain sharing method and system based on quantum key distribution.

Background

The external network data exchange platform takes data exchange as a main line, builds full-province uniform resource sharing exchange and data management, and realizes cross-department, cross-system and cross-platform information sharing. The current system has the functions of isomorphic data, data extraction among heterogeneous data, format conversion, content filtration, content conversion, synchronous and asynchronous transmission, dynamic deployment, visual exchange management and monitoring, service integrated management, data management and the like, and can realize the unified scheduling and monitoring of collection exchange and analysis warehousing of various data sources and the unified management functions of data exchange tasks such as on-line task configuration, task scheduling, execution log inquiry, error alarm and the like through registration, scheduling and monitoring of the data exchange tasks. The data exchange platform provides comprehensive data service and platform support for big data application, and can better solve the data exchange process of each service domain in the province.

The key management is mainly realized by calling part of functions of the password security service platform. The password security service platform provides a national encryption algorithm to ensure the data security in the process of landing and transmission, provides basic password creation and related services, interacts with the data exchange platform through a security gateway and accesses the password security service platform. The password security service platform registers the relevant address to the security authentication gateway, the security authentication gateway is converted into Https, and the transmission channel is encrypted, so that the security of the platform is ensured.

For example, the prior patent application publication No. CN110581763a, a quantum key service blockchain network system, which includes a network layer, a block layer and a service layer, wherein the network layer is used for establishing a quantum key distribution link between any two adjacent nodes, the block layer is used for generating a quantum key relay state block, and the service layer is used for negotiating a shared key between any two nodes based on the quantum key relay state block. And the prior patent application publication No. CN103763099A discloses a power safety communication network based on a quantum key distribution technology, which comprises a power longitudinal encryption authentication device, a key generation control server, a classical switch and a QKD system, wherein the key generation control server is connected to the QKD system through the classical switch, each power longitudinal encryption authentication device is provided with a QKD system connected with the QKD system, quantum key distribution is completed among the QKD systems through quantum channels, the power longitudinal encryption authentication devices communicate through classical channels, and each power longitudinal encryption authentication device comprises a quantum key transmission unit, a quantum key processing unit and a power communication data encryption and decryption unit which are sequentially connected. In a multi-user application scenario, all QKD systems are interconnected through an all-pass optical quantum switch.

The symmetric key used for encrypting the data on the chain in the prior art mainly uses an asymmetric cryptographic algorithm to ensure the security of the key, but because the design of the asymmetric cryptographic algorithm is based on complex mathematical problems, for example, an RSA encryption algorithm is based on a factorization problem, and an elliptic curve encryption algorithm is based on a discrete logarithm problem, the complexity of the problems makes the traditional computer take tens of years to crack them, but the quantum computer can solve the problem that the traditional computer can only solve in hundreds of years in extremely short time, and the crack is currently regarded as a secure encryption algorithm and password, so that the security of the blockchain technology can be greatly threatened.

In summary, the prior art has the technical problem that the distribution security of symmetric keys used for on-chain data encryption is low.

Disclosure of Invention

The technical problem to be solved by the invention is how to solve: the technical problem of the prior art that the distribution security of symmetric keys used for on-link data encryption is low.

The invention adopts the following technical scheme to solve the technical problems: the relay multi-level data blockchain sharing system based on quantum key distribution comprises:

The provincial level data exchange platform is used for uplink of the superior level shared data, so that the superior level shared data is sent to the provincial level witness node of the blockchain, the plaintext of the inferior level shared data is received from the provincial level witness node of the blockchain, so that the distribution flow of the superior level shared data is completed, and the provincial level data exchange platform is connected with the provincial level witness node of the blockchain;

the block chain provincial witness node is used for initiating a symmetric encryption Key generation request to a traditional password service platform, receiving a traditional symmetric Key ciphertext C_key1 distributed by an upper password service platform, and receiving a platform quantum Key Key2 distributed by a quantum password system to decrypt the traditional symmetric Key ciphertext C_key1 so as to obtain a plaintext of the traditional symmetric Key Key 1; encrypting the upper-level shared data to obtain an upper-level shared data ciphertext; receiving and decrypting a lower-level shared data ciphertext of a block chain earth city participation node to obtain a lower-level shared data plaintext, wherein the block chain provincial level witness node is connected with a traditional password service platform, a quantum password system and the block chain earth city participation node;

the block chain management platform is used for managing the block chain provincial level witness nodes and the block chain local market participation nodes, displaying the shared data process of the up-stream of the chain and the specific content of the shared data, and accordingly carrying out transparent tracing on the whole flow of the shared data process, and is connected with the block chain provincial level witness nodes;

A quantum cryptography system comprising: the superior QKD device, the inferior QKD device, and the quantum Key distribution network system perform quantum Key negotiation among the superior cryptographic service platform, the blockchain provincial witness node, and the blockchain earth city participation node through quantum Key distribution and relay operations to generate a platform quantum Key2, so as to perform encryption and decryption operations on a traditional symmetric Key1, the quantum Key distribution network system includes: the bare optical fiber resource, the quantum cryptography system is connected with the superior cryptography service platform, the provincial witness node of the blockchain and the participation node of the blockchain city;

the upper-level password service platform is used for generating a traditional symmetric Key Key1 according to a symmetric encryption Key generation request, carrying out symmetric encryption on the traditional symmetric Key Key1 by using a platform quantum Key Key2, generating a traditional symmetric Key ciphertext C_key1 by using a national encryption algorithm SM4, and sending the traditional symmetric Key ciphertext C_key1 to a blockchain provincial witness node and a blockchain earth market participation node so as to carry out encryption and decryption operation on upper-level shared data, wherein the upper-level password service platform is connected with the blockchain provincial witness node and the blockchain earth market participation node;

the block chain earth city participating node is used for receiving a traditional symmetric Key ciphertext C_key1 distributed by an upper-level quantum cryptography platform, receiving a platform quantum Key Key2 distributed by a quantum cryptography system, and decrypting the traditional symmetric Key ciphertext C_key1 to obtain a plaintext of the traditional symmetric Key Key 1; encrypting the lower-level shared data to obtain a lower-level shared data ciphertext; receiving an upper-level shared data ciphertext of a block chain provincial level witness node, decrypting the upper-level shared data ciphertext to obtain an upper-level shared data plaintext, and connecting a block chain local market participation node with a traditional password service platform, a quantum password system node and the block chain provincial level witness node;

The lower-level sharing exchange platform is used for uplink of lower-level sharing data, so that the lower-level sharing data are sent to the block chain municipality participating node, the upper-level sharing data plaintext is received from the block chain municipality participating node, the distribution flow of the lower-level sharing data is completed, and the lower-level sharing exchange platform is connected with the block chain municipality participating node.

The invention deploys a precompiled contract for public key checking on the chain to support verification of zero knowledge proof. The method solves the problem of safe distribution of symmetric keys used for encryption of the data on the chain, and the encryption protection is carried out on the encryption keys of the data on the chain by utilizing the quantum keys generated by quantum communication.

In a more specific technical scheme, the provincial level witness node of the blockchain encrypts the upper-level shared data by using an SM2 algorithm to obtain which level of shared data ciphertext.

After the traditional symmetric Key Key1 and the platform quantum Key Key2 are generated, the quantum Key Key2 obtained by the provincial password service platform through the quantum password system carries out symmetric encryption on the traditional symmetric Key Key1 through the national password algorithm SM4, so that the traditional symmetric Key ciphertext C_key1 is generated, and confidentiality of sensitive information is guaranteed.

In a more specific technical scheme, a provincial level witness node of a blockchain initiates a symmetric encryption key generation request to a password service platform through API interface service, and an upper password service platform distributes a traditional symmetric key ciphertext C_key1 to the provincial level witness node of the blockchain according to the API interface service

According to the invention, the traditional symmetric key ciphertext C_key1 is sent to the block chain node corresponding to the data sharing platform in an API interface service mode. The whole process has no key plaintext transmission, and the quantum key in each key request interaction process is generated in real time, so that the method has unpredictability and can prevent replay attack.

In a more specific technical scheme, the superior cryptographic service platform invokes a Key generation interface of the server cryptographic engine according to the symmetric encryption Key generation request to generate a traditional symmetric Key1.

In a more specific technical scheme, a block chain provincial witness node and an upper password service platform generate a first relay key K12 by using preset quantum key distribution equipment;

generating a second relay key K23 by using preset quantum key distribution equipment through the block chain ground participating node and the superior password service platform;

and performing exclusive OR operation on the platform quantum Key Key2 by using the first relay Key K12 and the second relay Key K23 respectively so as to share the platform quantum Key Key2 among the provincial level witness node of the blockchain, the local market participation node of the blockchain and the upper password service platform.

In a more specific technical scheme, the ciphertext of the traditional symmetric Key Key1 is decrypted on the chain by utilizing block chain link points, the lower-level shared data and the upper-level shared data are encrypted on the chain, and the quantum symmetric Key identification, the upper-level shared data ciphertext and the lower-level shared data ciphertext are encrypted in a block package binding manner on the chain by virtue of Playload and Code so as to carry out chain binding sharing.

The invention generates a shared key among multiple persons, calculates the promise of the key, links the public key corresponding to the promise of the key, generates zero knowledge proof about the key for the user holding the private key corresponding to the promise of the key, transmits the proof into an intelligent contract for identity check in the form of contract call, and the contract completes the verification of the public key without revealing the information of the key itself.

In a more specific technical scheme, after receiving a shared data ciphertext C_msg and a traditional symmetric Key ciphertext C_key1 on an upper chain, a blockchain earth city participation node realizes quantum Key negotiation by using QKD equipment based on the traditional symmetric Key ciphertext C_key1 and a quantum cryptography system to obtain a platform quantum Key Key2;

decrypting the traditional symmetric Key ciphertext C_key1 by using the platform quantum Key Key2 to obtain a plaintext of the traditional symmetric Key Key 1;

and then the traditional symmetric Key Key1 is utilized to generate an SM2 Key pair.

In a more specific technical scheme, a blockchain earth city participating node proves an intelligent contract according to zero knowledge, and checks and judges the encrypted data access right of a current key;

and (3) using an SM2 cryptographic algorithm to decrypt the ciphertext C_msg of the shared data on the chain and restoring to obtain the plaintext of the data to be shared.

According to the invention, through the intelligent contract of the blockchain, zero knowledge is used for proving that the access authority verification is performed on the encrypted data again under the condition that the private key is not exposed, so that the security of the access operation of the encrypted data is further improved.

In a more specific technical scheme, a block chain provincial witness node is realized by QKD equipment according to a traditional symmetric Key ciphertext C_key1 and a quantum cryptography system to obtain a platform quantum Key Key2;

decrypting by using the platform quantum Key Key2 to obtain a plaintext of the traditional symmetric Key ciphertext C_key 1;

generating an SM2 Key pair by using a traditional symmetric Key Key1, and encrypting lower-level shared data by using an SM2 cryptographic algorithm to obtain a shared data ciphertext on a lower-level chain;

and storing the shared data ciphertext and the SM2 key pair on the lower link in a preset uplink transaction field so as to broadcast the shared data ciphertext and the SM2 key pair on the lower link by using the block chain management platform.

In a more specific technical scheme, the relay multi-level data blockchain sharing method based on quantum key distribution comprises the following steps:

s1, uplink is carried out on upper-level shared data so as to send the upper-level shared data to a provincial witness node of a block chain, and a lower-level shared data plaintext is received from the provincial witness node of the block chain so as to complete a distribution flow of the upper-level shared data;

S2, a symmetric encryption Key generation request is initiated to a traditional password service platform, so that a traditional symmetric Key ciphertext C_key1 distributed by an upper password service platform is received, a platform quantum Key Key2 distributed by a quantum password system is received, and the traditional symmetric Key ciphertext C_key1 is decrypted, so that a plaintext of the traditional symmetric Key Key1 is obtained; encrypting the upper-level shared data to obtain an upper-level shared data ciphertext; receiving and decrypting a lower-level shared data ciphertext of the block chain earth city participation node to obtain a lower-level shared data plaintext;

s3, managing a provincial level witness node of the blockchain and a local market participation node of the blockchain, displaying a sharing data process of the upward transfer of the chain and specific content of the sharing data, and accordingly carrying out transparent tracing on the whole flow of the sharing data process;

s4, carrying out quantum Key negotiation among an upper-level password service platform, a blockchain provincial witness node and a blockchain earth city participation node through quantum Key distribution and relay operation to generate a platform quantum Key Key2, so as to carry out encryption and decryption operation on a traditional symmetric Key Key1, wherein the quantum Key distribution network system comprises: bare fiber resources;

s5, generating a traditional symmetric Key Key1 according to a symmetric encryption Key generation request, wherein the traditional symmetric Key Key1 is used for carrying out symmetric encryption on the traditional symmetric Key Key1 by using a platform quantum Key Key2 and a national encryption algorithm SM4 to generate a traditional symmetric Key ciphertext C_ke1, and sending the traditional symmetric Key ciphertext C_ke1 to a block chain provincial witness node and a block chain local market participation node to carry out encryption and decryption operation on upper shared data;

S6, receiving a traditional symmetric Key ciphertext C_key1 distributed by an upper-level quantum cryptography platform, receiving a platform quantum Key2 distributed by a quantum cryptography system, and decrypting the traditional symmetric Key ciphertext C_key1 to obtain a plaintext of the traditional symmetric Key Key 1; encrypting the lower-level shared data to obtain a lower-level shared data ciphertext; receiving a superordinate shared data ciphertext of the provincial witness node of the block chain, and decrypting the superordinate shared data ciphertext to obtain a superordinate shared data plaintext;

and S7, uplink is carried out on the lower-level shared data so as to send the lower-level shared data to the block chain ground participating node, and the upper-level shared data plaintext is received from the block chain ground participating node so as to complete the distribution flow of the lower-level shared data.

Compared with the prior art, the invention has the following advantages: the invention deploys a precompiled contract for public key checking on the chain to support verification of zero knowledge proof. The method solves the problem of safe distribution of symmetric keys used for encryption of the data on the chain, and the encryption protection is carried out on the encryption keys of the data on the chain by utilizing the quantum keys generated by quantum communication.

After the traditional symmetric Key Key1 and the platform quantum Key Key2 are generated, the provincial level password service platform 3 uses the platform quantum Key Key2 to carry out symmetric encryption on the traditional symmetric Key Key1 by using the national encryption algorithm SM4, so that the traditional symmetric Key ciphertext C_key1 is generated, and the confidentiality of sensitive information is ensured.

According to the invention, the traditional symmetric key ciphertext C_key1 is sent to the block chain provincial witness node corresponding to the provincial witness platform in an API interface service mode. The whole process has no key plaintext transmission, and the quantum key in each key request interaction process is generated in real time, so that the method has unpredictability and can prevent replay attack.

The invention generates a shared key among multiple persons, calculates promise of the key, uplinks (blockchain) a public key corresponding to the promise of the key, generates zero knowledge proof about the key for a user holding the private key corresponding to the promise of the key, transmits the proof into an intelligent contract for identity check in a contract calling mode, and the contract completes verification of the public key without revealing information of the key. The invention solves the technical problem of lower distribution security of symmetric keys used for on-chain data encryption in the prior art.

Drawings

Fig. 1 is a schematic diagram of data interaction of a quantum key distribution-based relay multi-level data blockchain sharing system according to embodiment 1 of the present invention;

fig. 2 is a key negotiation operation schematic diagram of embodiment 1 of the present invention;

FIG. 3 is a schematic diagram showing the specific steps of generating a key zero knowledge proof in embodiment 1 of the present invention;

FIG. 4 is a schematic diagram showing the steps of the zero knowledge proof verification of example 1 of the present invention;

fig. 5 is a schematic diagram of QKD principle based on BB84 protocol according to embodiment 2 of the present invention;

fig. 6 is a schematic diagram of basic steps of a quantum key distribution-based relay multi-level data blockchain sharing method according to embodiment 2 of the present invention;

FIG. 7 is a key relay schematic diagram of embodiment 2 of the present invention;

fig. 8 is a schematic diagram of QKD operation mechanism according to embodiment 2 of the present invention.

Detailed Description

For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described in the following in conjunction with the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

Example 1

As shown in fig. 1, the quantum key distribution-based relay multi-level data blockchain sharing system provided by the present invention includes: the system comprises a provincial data exchange platform 1, a provincial cryptographic service platform 3, a provincial chain provincial witness node 2, a provincial chain city participation node 4, a blockchain management platform 5, a provincial QKD key negotiation hardware device 6, a city QKD key negotiation hardware device 7 and a city sharing exchange platform 8. In this embodiment, provincial QKD key negotiation hardware 6 and municipal QKD key negotiation hardware 7 constitute a quantum cryptography system.

Compared with the existing security alliance chain platform, the security alliance chain has improvement in key generation security and use security.

In the key generation aspect in the present embodiment, a quantum key agreement technique is employed to generate a symmetric key that is limited to use between two communicating parties and has perfect forward confidentiality. The two communication parties can negotiate and ensure the security of the key through a quantum key distribution protocol. The data is then encrypted using the key and the encrypted data is then uplinked.

In the aspect of key use in this embodiment, the present patent verifies the validity of the zero-knowledge proof generated by the private key sk_sm2 through the zero-knowledge proof technology under the condition that the private key sk_sm2 is not revealed, that is, the user holding the private key can self-verify the identity without presenting the private key, and the identity verification logic is executed in the decentralizing environment of the blockchain through the intelligent contract, so that the security in the aspect of key use is realized.

Key request:

the provincial level data exchange platform 1 distributes the provincial level shared data in an uplink encryption manner to the provincial level witness node 2 of the blockchain and receives the ground and city shared data subjected to downlink decryption operation;

the provincial shared data is encrypted by the provincial chain provincial level witness node 2 through an SM2 algorithm to obtain provincial level shared data ciphertext, and the provincial level shared data ciphertext and the traditional symmetric Key Key1 are subjected to uplink operation and distributed to the provincial chain management platform 5; the provincial level witness node 2 decrypts the underground city shared data downlink shared by the provincial earth city participation node 4 and sends the downlink shared data to the provincial level data exchange platform 1;

In this embodiment, the provincial chain provincial level witness node 2 initiates a symmetric encryption key generation request to the provincial level password service platform 3 through an API interface service mode. The provincial level cipher service platform 3 sends a request for obtaining the quantum key to the vector sub-cipher system.

And (3) key generation:

the provincial level password service platform 3 performs Key generation, key encryption and Key distribution operations, calls the platform quantum Key2 to encrypt the traditional symmetric Key1, and sends the traditional symmetric Key1 to the provincial level witness node 2 and the provincial level earth-moving main participation node 4;

the blockchain provincial witness node 2 designates a traditional encryption mode or a quantum encryption mode in an API (application program interface) according to the security level required to be achieved by different environments or the security requirement of a special environment, and the password service platform generates a secret key according to the received encryption mode. 1. And 2, if the quantum encryption mode is used, the provincial level cipher service platform 3 sends a request for acquiring the platform quantum Key2 to the vector sub-cipher system of the provincial level cipher service platform 3, and after the platform quantum Key2 is acquired by the provincial level cipher service platform, the platform quantum Key2 is shared among all nodes, the traditional symmetric Key1 can be directly encrypted by using the platform quantum Key2 symmetrically, and the encrypted traditional symmetric Key ciphertext C_key1 is sent to the blockchain management platform 5.

In this embodiment, as shown in fig. 2, the provincial password service platform 3 invokes the Key generation interface of the server crypto engine to generate the traditional symmetric Key1, and then the quantum cryptosystem uses the quantum Key distribution technology and the quantum Key relay technology to realize the negotiation generation of the provincial password service platform 3, the blockchain provincial witness node 2 corresponding to the provincial witness platform, and the blockchain local market participation node 4 to participate in the platform quantum Key2.

In this embodiment, the blockchain provincial witness node 2 and the provincial password service platform 3 corresponding to the provincial witness platform generate the key K12 using the quantum key distribution device;

in the embodiment, the blockchain earth-city participation node 4 and the provincial password service platform 3 generate a key K23 by using a quantum key distribution device;

in this embodiment, it is now necessary to share the platform quantum Key2 between the blockchain provincial witness node 2, the blockchain municipality participation node 4, and the provincial cryptographic service platform 3. In the embodiment, K12 and K23 are used for exclusive OR operation on the platform quantum Key Key2, and sharing of the platform quantum Key Key2 among the provincial level witness node 2, the blockchain local market participation node 4 and the provincial level password service platform 3 corresponding to the provincial level witness platform is realized based on a quantum Key relay principle.

Key distribution:

performing downlink decryption on provincial shared data ciphertext and ciphertext of a traditional symmetric Key Key1 by using a blockchain management platform 5, and performing chain binding sharing on provincial shared data ciphertext and traditional symmetric Key Key1 ciphertext;

in this embodiment, https is used in the communication process to ensure confidentiality and integrity of data transmission.

Generating a quantum platform Key Key2 by using not less than 2 provincial QKD Key negotiation hardware devices 6, and sending the quantum platform Key Key2 to the provincial password service platform 3; performing QKD Key negotiation by the QKD Key negotiation hardware to share the quantum platform Key Key2 to the blockchain provincial level witness node 2 and the municipal QKD Key negotiation hardware device 7;

QKD Key negotiation is carried out through a provincial QKD Key negotiation hardware device 6, the quantum platform Key Key2 is shared to a municipal QKD Key negotiation hardware device 7, and the municipal QKD Key negotiation hardware shares the quantum platform Key Key2 to at least 2 blockchain earth-city participating nodes 4;

decrypting data:

the block chain municipality participating node 4 performs downlink decryption on the traditional symmetric key ciphertext C_key1 through downlink decryption operation to send the decrypted encrypted symmetric key ciphertext C_key1 to each municipality sharing exchange platform 8;

After receiving the on-chain shared data ciphertext C_msg and the traditional symmetric Key ciphertext C_key1 which are shared on the provincial chain, the blockchain ground participating node 4 carries out QKD quantum Key negotiation with the provincial password service platform 3 based on the traditional symmetric Key ciphertext C_key1 to obtain a platform quantum Key Key2, decrypts the traditional symmetric Key ciphertext C_key1 by using the platform quantum Key Key2 to obtain a plaintext of the traditional symmetric Key Key1, and then generates an SM2 Key pair by using the traditional symmetric Key Key1, and the method comprises the following steps: SM2 private key sk and SM2 public key pk.

And verifying whether the current key has access right to encrypted data or not through the zero knowledge proof intelligent contract, decrypting the shared data ciphertext C_msg on the chain by using an SM2 national encryption algorithm after verification, and recovering a shared data plaintext. And then the shared data plaintext is sent to the grounded city shared exchange platform 8.

As shown in fig. 3, in the present embodiment, for the result after quantum key agreement: the platform quantum Key Key2 is mapped into a large integer through hash operation, is used as a private Key sk_sm2 of SM2, and calculates a public Key pk_sm2 through a Key function in an SM2 algorithm to be used as a promised uplink certification of the Key.

The user holding the private key generates a zero knowledge proof about the key by:

s1' randomly selecting an integer R, and calculating R=R×G; in this embodiment, r is smaller than the order of the SM2 curve, G is the generator of the SM2 elliptic curve, sign is elliptic curve scalar multiplication, and pk_sm2 is the private key of SM 2.

S2', calculate c=hash (R, pk_sm2);

s3', calculating z=r+c×sk;

s4', taking (z, R, pk_sm2) as a parameter of zero knowledge proof, creating a contract call transaction, and calling a precompiled contract of public key checking.

As shown in fig. 4, in this embodiment, the pre-compiled contract of the public key check is an intelligent contract preset in the block link point program, which is automatically deployed after the block link point program is started for the first time, and generates a fixed block chain address, and receives a zero knowledge proof parameter to complete the verification of the following steps:

s101, for the incoming zero knowledge proof parameter (z, R, pk_sm2), calculating c=hash (R, pk_sm2);

s102, calculating v1=z×G, wherein G is a generator of an SM2 elliptic curve;

s103, calculating v2=r+c×pk_sm2;

s104, judging whether v1 and v2 are equal;

s105, if v1=v2, passing the verification, the contract returns 1, indicating that the zero knowledge proof verification of the public key check passes;

S106, if not, the contract returns to 0.

In the logic, c is a promise value of zero knowledge proof, and is used for constructing cryptographic promise to realize non-repudiation of a prover; r is a random number in the zero knowledge proof for preventing the prover from forging illegal proof; r is a random value promise in the zero knowledge proving process, which is used for preventing a prover from forging illegal proving and meanwhile, the random value is not revealed; z is a secret protection value in the zero knowledge proof, and a random value is adopted to hide a secret v1 to be protected from the zero knowledge proof, and verification parameters calculated by parameters provided by a prover are used for verifying the validity of the zero knowledge proof; v2 is the verification parameter calculated by the verifier according to the public parameter and the parameter provided by the verifier in the zero knowledge proof for verifying the validity of the zero knowledge proof.

In the above process, the holder of the private key sk_sm2 completes the verification of zero knowledge proof in a contract calling mode, and the private key sk_sm2 cannot be calculated from all the public parameters, so that the protection of secret data is realized.

Data encryption:

the public place sharing exchange platform 8 encrypts the plaintext of the traditional symmetric key C_key1 into ciphertext through uplink encryption operation, and sends the ciphertext of the market-level sharing data to the blockchain public place participation node 4.

The provincial level witness node 2 corresponding to the provincial level witness platform acquires the traditional symmetric Key ciphertext C_key1, QKD quantum Key negotiation is carried out with the provincial level cipher service platform 3 to acquire a platform quantum Key Key2, and then the traditional symmetric Key ciphertext C_key1 is decrypted by the platform quantum Key Key2 to acquire the plaintext of the traditional symmetric Key Key 1. The SM2 Key pair is generated using the conventional symmetric Key1, and in this embodiment, the SM2 Key pair includes: the SM2 private key sk and the SM2 public key pk encrypt the uplink data by using an SM2 cryptographic algorithm, and in this embodiment, the operation of encrypting the uplink data by using the SM2 cryptographic algorithm is consistent with the operation label and specification of the provincial level cryptographic service platform 3, so as to form the on-chain shared data ciphertext c_msg. Storing the encrypted on-chain shared data ciphertext C_msg in a code field in a uplink transaction, storing the traditional symmetric key ciphertext C_key1 and SM2 public key pk in a payload field in a corresponding uplink transaction, and broadcasting and sharing in on-chain nodes.

Example 2

As shown in fig. 5, the method for sharing multi-layer data based on quantum key distribution relay provided by the invention comprises the following basic steps:

s1, a block chain provincial witness node 2 initiates a symmetric encryption key generation request to a traditional password service platform;

S2, a provincial password service platform 3 calls a Key generation interface of a server password machine to generate a symmetric Key Key1, and then a quantum password system can realize negotiation generation of the provincial password service platform 3, a blockchain provincial witness node 2 and a blockchain local market participation node 4 quantum Key Key2 by utilizing a quantum Key distribution technology and a quantum Key relay technology;

quantum key relay technology:

as shown in fig. 6, in this embodiment, point-to-point quantum key distribution is formed by quantum key generation, and the point-to-point quantum key is redistributed to form a multi-point-to-multi-point key by using a key relay technology, limited by the distance and the pairing number of quantum key generation.

The relay principle includes: 1. node a: firstly, exclusive OR is carried out on a key Kab between a to-be-relayed key Kr and a node A, B to obtain a first relay key (Kr Kab) and the first relay key is transmitted to a node B; 2. node B: the received first relay key (Kr) and the key between nodes A, B are exclusive-or ' ed with the key between nodes B, C (Kab's Pi Kbc), and a second relay key (Kr's Pi Kbc) is obtained and transmitted to the node C; in the present embodiment, there is no process of producing Kr; 3. the node C, D repeats the operation of the node B and finally transmits the key Kr to be relayed to the node E; 4. node E: the received key to be relayed is exclusive-or (Kr is a key Kde) between the key to be relayed and the node D, E, and is exclusive-or (Kr is a key Kde) between the node D, E, and the key to be relayed Kr is obtained by relay;

Relay security description: 1. the quantum key distribution network adopts a one-time-cipher or key relay mode; 2. the relay node does not store the plaintext key; 3. the relay node stores an exclusive or key of the quantum key between the relay node and the adjacent nodes at two sides; as node B stores the exclusive or key (Kab Kbc) between node A, B and node B, C; i.e. the node B does not know the key Kr to be relayed;

the key relay technology can enable any two points to have shared key pairs, so that the limitation on distance during quantum key generation is eliminated, and a remote quantum key distribution system is possible to be built.

In this embodiment, the nodes mainly involved in provincial and municipal shared data sharing include provincial level password service platforms, blockchain provincial level witness platforms and blockchain local and municipal participation nodes, and it is required to ensure that sharing of the platform quantum Key2 is realized among the nodes, and a quantum Key distribution infrastructure is required to be built or multiplexed to construct a quantum password system. On the basis of realizing the sharing of the platform quantum Key Key2, each related node needs to have the authority of calling the quantum Key2 from the quantum cryptography system, and can call the platform quantum Key Key2 to decrypt the traditional symmetric Key ciphertext C_key 1. S3, distributing the traditional symmetric key ciphertext C_key1 to the provincial level witness node 2 and the regional chain city participation node 4 by the provincial level password service platform 3 through an API interface service mode;

Quantum key distribution technology:

as shown in fig. 7, in this embodiment, QKD is a process in which both communication parties negotiate to generate a shared key. Although there are many different QKD protocols for BB84, GG02, etc., it is necessary to implement both the transmit and receive devices connected by a quantum channel and an authenticated classical channel. Transmitted in the quantum channel is a qubit signal carried by a quantum state, and can be transmitted by using optical fibers, free space (including satellite links) and other physical media. The classical channel is used for information interaction of the post-processing steps of the base vector ratio peer-to-peer data by the sender Alice and the receiver Bob. Both quantum and classical channels can be transmitted over public communication networks without fear of eavesdroppers, since Alice and Bob can discover eavesdropping using the QKD-specific process.

In this embodiment, as shown in fig. 8, when quantum secret communication is performed between Alice and Bob, first, distribution of a symmetric key is performed by QKD. The first step of QKD is quantum communication, i.e., the preparation (or encoding), transfer, and measurement (or decoding) of quantum states over a quantum channel. Both Alice and Bob are here provided with dedicated optical devices required to establish the quantum channel. Alice continually sends individual photons (carriers of quantum states) to Bob through a single/weak photon source, each of which can be seen as carrying 1 qubit (Qbit) of information. Alice, when transmitting these photons, randomly selects one of two different types of "bases" to perform the quantum encoding process. In the BB84 protocol, a "basis" is a polarization angle that encodes or measures photons, each type of basis comprising two mutually orthogonal basis vectors, and the two types of basis are non-orthogonal, such as a vertically orthogonal basis consisting of {0 °,90 ° } polarization and a diagonally orthogonal basis consisting of {45 °, -45 ° } polarization.

Bob, the receiving party, needs to randomly select one of two possible "bases" like Alice to measure the photons in order to obtain the information carried by each photon it receives over the quantum channel. The choice of measurement basis here must be random and independent of the basis used by Alice in preparing the photon. Alice and Bob can then publicly align the bases used by both parties in the preparation and measurement of photons through a classical channel. If and only if Alice and Bob randomly select the same base, both sides will get the same information according to the hessian bias principle, which can be used to generate the key. When Alice and Bob randomly select different bases, the information obtained by both parties is random and should be discarded, and the base vector comparison process based on the BB84 protocol is shown in fig. 8.

S4, the password service platform symmetrically encrypts a traditional symmetric Key Key1 by using a national encryption algorithm SM4 by using a quantum Key Key2 to generate a Key ciphertext C_key1, and encrypts the Key ciphertext C_key1 to generate a shared data ciphertext;

s5, decrypting the traditional symmetric Key Key1 by using the quantum Key Key2 by the data receiver to obtain a traditional symmetric Key1 plaintext, and decrypting to obtain a shared data plaintext.

In summary, the present invention deploys a precompiled contract for public key checking on the chain to support verification of zero knowledge proof. The method solves the problem of safe distribution of symmetric keys used for encryption of the data on the chain, and the encryption protection is carried out on the encryption keys of the data on the chain by utilizing the quantum keys generated by quantum communication.

The traditional replay attack prevention method is mainly based on means of random number and timestamp control, checking by using Token, checking by using buffer memory, encrypting transmission by using HTTPS and the like. Both of these approaches rely on the reliability of current encryption techniques, which are difficult to defend effectively once a large scale quantum computing attack is encountered. In contrast, quantum computing replay prevention has stronger security and feasibility for quantum computing attacks.

The main advantages of quantum computing replay protection are as follows:

1. long-term safety: while the traditional replay prevention method is likely to be attacked because the encryption technology is cracked, the quantum computing replay prevention is researched based on quantum mechanical phenomenon, the safety is far higher than that of the traditional technology, and the long-term safety is better.

2. Disposable: the traditional method often needs to use a certain time sequence mechanism and a cache mechanism to ensure playback prevention, thereby greatly increasing the complexity of the system. The quantum computing anti-replay system generally adopts a one-time password system based on a quantum key distribution technology, and two communication parties can realize data transmission by only obtaining a one-time symmetric key through a quantum key exchange protocol, so that the method has the characteristics of simplicity and high efficiency.

3. True random number: the conventional random number generation method often depends on the generation of pseudo random numbers, and a certain probability is predicted by an attacker so as to generate an attack behavior. The quantum computing replay prevention is based on the uncertainty of quantum entanglement, so that a true random number can be realized, and the quantum computing replay prevention is more difficult to predict by an attacker.

In conclusion, compared with the traditional replay prevention method, the quantum computing replay prevention method has the characteristics of higher safety, simplicity, high efficiency and better long-term safety.

The above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A quantum key distribution based relay multi-level data blockchain sharing system, the system comprising:

the provincial level data exchange platform is used for uplink of the superior level shared data, so that the superior level shared data is sent to the provincial level witness node of the blockchain, the plain text of the inferior level shared data is received from the provincial level witness node of the blockchain, so that the distribution flow of the superior level shared data is completed, and the provincial level data exchange platform is connected with the provincial level witness node of the blockchain;

the provincial chain provincial witness node is used for initiating a symmetric encryption Key generation request to the provincial password service platform, receiving a traditional symmetric Key ciphertext C_key1 distributed by the provincial password service platform, and receiving a platform quantum Key Key2 distributed by the quantum password platform to decrypt the traditional symmetric Key ciphertext C_key1 so as to obtain a plaintext of the traditional symmetric Key Key 1; encrypting the upper-level shared data to obtain an upper-level shared data ciphertext; receiving and decrypting a lower-level shared data ciphertext of a blockchain local market participation node to obtain the lower-level shared data plaintext, wherein the blockchain provincial witness node is connected with the provincial password service platform, the quantum password platform and the blockchain local market participation node;

The system comprises a block chain management platform, a block chain provincial level witness node, a block chain local market participation node and a block chain management system, wherein the block chain management platform is used for managing the block chain provincial level witness node and the block chain local market participation node, displaying a shared data process of chain up-flow and the specific content of shared data, and accordingly carrying out transparent tracing on the whole flow of the shared data process;

a quantum cryptography platform, comprising: the superior QKD device, the inferior QKD device, and the quantum Key distribution network system perform quantum Key negotiation among the provincial cryptography service platform, the provincial chain provincial witness node, and the blockchain local market participation node through quantum Key distribution and relay operations to generate the platform quantum Key2, so as to perform encryption and decryption operations on the traditional symmetric Key1, the quantum Key distribution network system includes: the bare optical fiber resource, the quantum cryptography platform is connected with the provincial cryptography service platform, the provincial witness node of the blockchain and the participation node of the blockchain ground city;

the provincial level cipher service platform is configured to generate the traditional symmetric Key1 according to the symmetric encryption Key generation request, and is configured to perform symmetric encryption on the traditional symmetric Key1 by using the platform quantum Key2 and using a cryptographic algorithm SM4 to generate a traditional symmetric Key ciphertext c_key1, and send the traditional symmetric Key ciphertext c_key1 to the provincial level witness node and the provincial chain earth city participation node, so as to perform encryption and decryption operations on the upper level shared data, where the provincial level cipher service platform is connected with the provincial level witness node and the provincial chain earth city participation node;

The blockchain earth market participation node is used for receiving the traditional symmetric Key ciphertext C_key1 distributed by the quantum cryptography platform, receiving the platform quantum Key Key2 distributed by the quantum cryptography platform, and decrypting the traditional symmetric Key ciphertext C_key1 to obtain a plaintext of the traditional symmetric Key Key 1; encrypting the lower-level shared data to obtain a lower-level shared data ciphertext; receiving the upper-level shared data ciphertext of the provincial level witness node of the blockchain, decrypting the upper-level shared data ciphertext to obtain an upper-level shared data plaintext, wherein the blockchain local market participation node is connected with the provincial level password service platform, the quantum password platform node and the provincial level witness node of the blockchain;

the lower-level sharing exchange platform is used for uplink the lower-level sharing data, so that the lower-level sharing data are sent to the block chain municipality participating node, the upper-level sharing data plaintext is received from the block chain municipality participating node, so that the distribution flow of the lower-level sharing data is completed, and the lower-level sharing exchange platform is connected with the block chain municipality participating node.

2. The quantum key distribution relay multi-level data blockchain sharing system of claim 1, wherein the blockchain provincial witness node encrypts the superior shared data using SM2 algorithm to obtain a level of the shared data ciphertext.

3. The quantum key distribution relay multi-level data blockchain sharing system of claim 1, wherein the blockchain provincial witness node initiates the symmetric encryption key generation request to the cryptographic service platform through an API interface service, and wherein the provincial cryptographic service platform distributes the traditional symmetric key ciphertext c_key1 to the blockchain provincial witness node according to the API interface service.

4. The quantum Key distribution relay multi-level data blockchain sharing system of claim 1, wherein the provincial cryptographic service platform invokes a Key generation interface of a server cryptographic engine to generate the traditional symmetric Key1 according to the symmetric encryption Key generation request.

5. The quantum key distribution relay multi-level data blockchain sharing system of claim 1, wherein the blockchain provincial witness node and the provincial password service platform generate a first relay key K12 using a preset quantum key distribution device;

generating a second relay key K23 by using preset quantum key distribution equipment through the block chain ground participating node and the provincial password service platform;

And performing exclusive OR operation on the platform quantum Key Key2 by using the first relay Key K12 and the second relay Key K23 respectively so as to share the platform quantum Key Key2 among the provincial chain witness node, the provincial chain earth city participation node and the provincial password service platform.

6. The quantum Key distribution relay multi-level data blockchain sharing system of claim 1, wherein the ciphertext of the traditional symmetric Key1 is decrypted on-chain using a blockchain node, the lower-level shared data and the upper-level shared data are encrypted on-chain, and the quantum symmetric Key identification, the upper-level shared data ciphertext and the lower-level shared data ciphertext are encrypted by means of Playload and Code in a block-on-chain package binding manner, so as to perform chain binding sharing.

7. The system for sharing the multi-level data blockchain based on the quantum Key distribution relay according to claim 1, wherein after receiving the shared data ciphertext c_msg and the traditional symmetric Key ciphertext c_key1 on the upper chain, the blockchain local market participation node uses QKD equipment to realize quantum Key negotiation based on the traditional symmetric Key ciphertext c_key1 and the quantum cryptographic platform to obtain the platform quantum Key2;

8. The quantum key distribution relay multi-level data blockchain sharing system of claim 7, wherein the blockchain municipality participating node verifies and determines the encrypted data access rights of the current key according to a zero knowledge proof intelligent contract;

and decrypting the ciphertext C_msg of the shared data on the chain by using an SM2 cryptographic algorithm, and restoring to obtain a plaintext of the data to be shared.

9. The quantum Key distribution relay multi-level data blockchain sharing system of claim 1, wherein a blockchain provincial witness node is implemented with the quantum cryptography platform using QKD devices according to the traditional symmetric Key ciphertext c_ke1 to obtain the platform quantum Key2;

generating an SM2 Key pair by using a traditional symmetric Key Key1, and encrypting the lower-level shared data by using an SM2 cryptographic algorithm to obtain a shared data ciphertext on a lower-level chain;

And storing the shared data ciphertext on the lower link and the SM2 key pair in a preset uplink transaction field so as to share the shared data ciphertext on the lower link and the SM2 key pair by using the block chain management platform.

10. A method for relay multi-level data blockchain sharing based on quantum key distribution, the method comprising:

s1, uplink is carried out on upper-level shared data so as to send the upper-level shared data to a provincial chain witness node, and a lower-level shared data plaintext is received from the provincial chain provincial witness node so as to complete the distribution flow of the upper-level shared data;

s2, initiating a symmetric encryption Key generation request to a provincial password service platform, wherein the symmetric encryption Key generation request is used for receiving a traditional symmetric Key ciphertext C_key1 distributed by the provincial password service platform, and receiving a platform quantum Key Key2 distributed by a quantum password platform so as to decrypt the traditional symmetric Key ciphertext C_key1 to obtain a plaintext of the traditional symmetric Key Key 1; encrypting the upper-level shared data to obtain an upper-level shared data ciphertext; receiving and decrypting a lower-level shared data ciphertext of a block chain earth city participation node to obtain a lower-level shared data plaintext;

S3, managing the provincial level witness nodes of the blockchain and the participating nodes of the local market of the blockchain, displaying the uplink shared data process and the specific content of the shared data, and accordingly carrying out transparent tracing on the whole flow of the shared data process;

s4, performing quantum Key negotiation among the provincial password service platform, the provincial chain provincial witness node and the blockchain earth city participation node through quantum Key distribution and relay operation to generate a platform quantum Key Key2, so as to perform encryption and decryption operation on the traditional symmetric Key Key1, wherein the quantum Key distribution network system comprises: bare fiber resources;

s5, generating the traditional symmetric Key Key1 according to the symmetric encryption Key generation request, wherein the traditional symmetric Key Key1 is used for carrying out symmetric encryption on the traditional symmetric Key Key1 by using the platform quantum Key Key2 by using a cryptographic algorithm SM4 to generate a traditional symmetric Key ciphertext C_key1, and sending the traditional symmetric Key ciphertext C_key1 to the block chain provincial witness node and the block chain local market participation node so as to carry out encryption and decryption operation on the upper-level shared data;

s6, receiving the traditional symmetric Key ciphertext C_key1 distributed by the quantum cryptography platform, receiving the platform quantum Key Key2 distributed by the quantum cryptography platform, and decrypting the traditional symmetric Key ciphertext C_key1 to obtain a plaintext of the traditional symmetric Key Key 1; encrypting the lower-level shared data to obtain a lower-level shared data ciphertext; receiving the upper-level shared data ciphertext of the provincial level witness node of the blockchain, and decrypting the upper-level shared data ciphertext to obtain an upper-level shared data plaintext;

And S7, uplink is carried out on the lower-level shared data so as to send the lower-level shared data to the block chain municipality-oriented nodes, and the upper-level shared data plaintext is received from the block chain municipality-oriented nodes so as to complete the distribution flow of the lower-level shared data.