CN116800435A - Access control method, system and storage medium based on zero knowledge proof and cross-chain - Google Patents
Access control method, system and storage medium based on zero knowledge proof and cross-chain Download PDFInfo
- Publication number
- CN116800435A CN116800435A CN202311047221.XA CN202311047221A CN116800435A CN 116800435 A CN116800435 A CN 116800435A CN 202311047221 A CN202311047221 A CN 202311047221A CN 116800435 A CN116800435 A CN 116800435A
- Authority
- CN
- China
- Prior art keywords
- access
- proof
- key
- physical domain
- gateway
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 47
- 238000012795 verification Methods 0.000 claims abstract description 68
- 238000004806 packaging method and process Methods 0.000 claims description 15
- 238000007781 pre-processing Methods 0.000 claims description 13
- 238000004590 computer program Methods 0.000 claims description 8
- 230000000977 initiatory effect Effects 0.000 claims description 5
- 230000008569 process Effects 0.000 abstract description 12
- 238000004422 calculation algorithm Methods 0.000 abstract description 11
- 230000002452 interceptive effect Effects 0.000 abstract description 11
- 238000005516 engineering process Methods 0.000 description 13
- 230000004048 modification Effects 0.000 description 11
- 238000012986 modification Methods 0.000 description 11
- 238000010586 diagram Methods 0.000 description 6
- 238000004364 calculation method Methods 0.000 description 4
- 230000006872 improvement Effects 0.000 description 4
- 238000006243 chemical reaction Methods 0.000 description 3
- 230000003993 interaction Effects 0.000 description 3
- 230000006978 adaptation Effects 0.000 description 2
- 239000003795 chemical substances by application Substances 0.000 description 2
- 238000010276 construction Methods 0.000 description 2
- 238000002955 isolation Methods 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 241000579895 Chlorostilbon Species 0.000 description 1
- 230000004075 alteration Effects 0.000 description 1
- 230000004888 barrier function Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 239000010976 emerald Substances 0.000 description 1
- 229910052876 emerald Inorganic materials 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 239000003999 initiator Substances 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 239000010977 jade Substances 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- ZLIBICFPKPWGIZ-UHFFFAOYSA-N pyrimethanil Chemical compound CC1=CC(C)=NC(NC=2C=CC=CC=2)=N1 ZLIBICFPKPWGIZ-UHFFFAOYSA-N 0.000 description 1
- 239000010979 ruby Substances 0.000 description 1
- 229910001750 ruby Inorganic materials 0.000 description 1
Abstract
The application provides an access control method, a system and a storage medium based on zero knowledge proof and cross-chain, which belong to the technical field of block chain access control, wherein the access control method based on zero knowledge proof and cross-chain comprises the following steps: s1, registering identities of an access subject and an access object; s2, registering the identity of the member domain; s3, access pretreatment of an access main body; s4, verifying the access rights of the access main body; s5, returning an access right verification result. According to the application, the simple non-interactive zero-knowledge proof is combined with the access control based on the attribute, the data with privacy related to the attribute or the access strategy in the access control process is converted into the statement to be proved in the simple non-interactive zero-knowledge proof, and the characteristic that any private data is not leaked in the zero-knowledge proof algorithm process is utilized to prevent the leakage of the private data. The method can better realize the data security of cross-domain access, and resist various threat attack modes such as man-in-the-middle attack, collusion attack and the like.
Description
Technical Field
The application relates to the technical field of blockchain access control, in particular to an access control method, system and storage medium based on zero knowledge proof and cross-chain.
Background
The access control technology is an important means for guaranteeing data security, and is widely applied to enterprises or institutions for strictly controlling data access rights. The traditional access control technology is a centralized structure, and the inherent problems of single-point failure, data privacy security and the like cause the access control technology to have the limitation that is difficult to break through, but the blockchain technology endows the access control technology with the capability of breaking through the limitation by virtue of the characteristics of decentralization, non-falsifiability of data on a chain and disclosure transparency. Intelligent contracts enable ideas for implementing access control logic on blockchains, such as blockchain and role-based access control, blockchain and attribute-based access control, blockchain and task-based access control, all with corresponding research, which enable viable access control logic by programming and deploying intelligent contracts with corresponding functionality on blockchains. Thus, the security and performance problems brought by the centralized structure in the traditional access control technology are effectively solved.
At present, the research on the block chain combination access control technology is not few, the traditional access control technology is optimized, however, the security of the whole scheme and the actual demands facing the society are not met, and the method is mainly characterized in that the access control technology is used for protecting some data privacy problems and information sharing in the system.
In addition, under the conditions that the current blockchain platform is numerous and value island phenomenon is aggravated, an isolation barrier is also formed between different physical domains based on the blockchain, so that information sharing between the physical domains based on the blockchain is extremely difficult, and under the environment that the current information interaction is deepened, the control of the access authority is not limited to a single physical domain, but is expanded between the physical domains. The cross-chain technology is a key technology for information interaction among different block chains, and is a saber for information isolation among physical domains belonging to different block chain platforms, so that cross-domain access control is realized by means of the cross-chain technology. How to implement a highly secure and reliable blockchain-based cross-domain access control by means of a cross-chain technology would be a problem that needs to be explored further.
Disclosure of Invention
The application provides an access control method, a system and a storage medium based on zero knowledge proof and cross-chain, which are divided into a block chain layer and a gateway layer, wherein each layer has different functions in a domain and between domains; in a single physical domain, the blockchain layer is responsible for storing related data related to a zero knowledge proof algorithm, an access control system and a cross domain, and verifying zero knowledge proof sent by an access subject; the network management layer is responsible for calculating related keys under the access strategy based on zero knowledge proof, which is used for generating proof data required by the object when the object performs authority verification on the access subject, and is also responsible for signature authentication and cross-domain request forwarding. On this architecture, an access control scheme based on zero knowledge proof and attributes is deployed. According to the scheme, the concise non-interactive zero-knowledge proof is combined with the access control based on the attribute, the data with privacy such as the attribute or the access policy in the access control process is converted into the statement to be proved in the concise non-interactive zero-knowledge proof, and the characteristic that any private data is not leaked in the zero-knowledge proof algorithm process is utilized to prevent the leakage of the private data. The method can better realize the data security of cross-domain access, and resist various threat attack modes such as man-in-the-middle attack, collusion attack and the like.
In order to achieve the above purpose, the application adopts the following technical scheme:
the first aspect of the embodiment of the application discloses an access control method based on zero knowledge proof and cross-chain, which comprises the following steps:
s1, registering identities of an access subject and an access object;
s2, registering the identity of the member domain;
s3, access pretreatment of an access main body;
s31, an access subject initiates an access request to an access object, namely the access object, through a physical domain gateway;
s32, accessing a physical domain gateway GW where a main body is located domainA Obtaining a corresponding zero knowledge proof proving Key Key from a physical domain where an access object is located proof The method comprises the steps of carrying out a first treatment on the surface of the Physical domain gateway GW domainA Initiating a key acquisition request to a physical domain where an access object is located, signing the key acquisition request and sending the key acquisition request to a relay gateway GW relayer ;
S33, relay gateway GW relayer After receiving the key acquisition request, verifying the signature, and after verification, constructing a merck Proof for the access subject Merkle The key acquisition request and the Merker Proof are further processed Merkle Packaging and signing the physical domain where the access object is located;
s34, accessing a physical domain gateway GW where the object is located domainB After receiving the key acquisition request, verify the signature and the merck Proof Merkle If the verification is successful, the KRC contract is called from the blockchain to acquire the Key Key proof The key is packed and signed and sent to the relay gateway GW relayer ;
S35, relay gateway GW relayer Receipt of a certification Key Key proof After sending the request, the signature is verified, if by then constructing the merck Proof of the physical domain where the access object is located Merkle And Key Key proof And merck Proof of Proof Merkle Information packaging and signature sending to physical domain gateway GW domainA ;
S36, physical domain gateway GW domainA Receipt of a Key proof And merck Proof of Proof Merkle After the information, verifying the signature and the Merker proof, and if the verification is passed, using zero knowledge to prove the Key Key proof And constructing a zero knowledge Proof of property set of the access subject zk And Proof of zero knowledge Proof of zk Packaging and signing to send to the relay gateway GW relayer ;
S4, verifying the access rights of the access main body;
s5, returning an access right verification result.
In some embodiments, S1 comprises:
s11, an access subject and an access object in a physical domain initiate a registration request;
s12, distributing public key PK for digital signature to access subject s And private key SK s ;
S13, distributing an access strategy to the access object.
In some embodiments, S2 comprises:
s21, after each physical domain initiates a joining application, a pair of keys are generated for each physical domain, wherein each pair of keys comprises a public key and a private key;
s22, using the public key of the added physical domain to generate a merck tree, and sending the MTRoot of the merck tree to each added physical domain.
In some embodiments, S4 comprises:
s41, relay gateway GW relayer After receiving the access request of the access subject, verifying the signature, if the verification is passed, calling MTC contracts from the blockchain to obtain a Merker tree, and constructing a Merker Proof by combining a public key of a physical domain where the access subject is located Merkle The method comprises the steps of carrying out a first treatment on the surface of the The zero knowledge Proof contained in the access request is then provided zk And merck Proof of Proof Merkle Packaging and signing the physical domain gateway GW where the access object is located domainB ;
S42, physical domain gateway GW domainB Received relay gateway GW relayer The transmitted information related to the access request verifies whether the signature is correct, if so, the signature passes verification, and then the zero knowledge Proof contained in the access request zk Sent to block chainBC domainB On, call PDC contract zero knowledge Proof zk Performing verification, and returning the verification result to the physical domain gateway GW domainB 。
In some embodiments, S5 comprises:
S51.GW domainB BC will be added domainB The returned verification result and the public key of the current domain are packaged into returned information, and the returned information is signed and sent to the relay gateway GW relayer ;
S52.GW relayer Receipt of BC domainB After the return message of (2), verifying the signature, and calling BC if the verification passes relayer Acquiring Merker tree according to MTC contract on the MTC contract, and obtaining Merker tree according to domain public key PK B Generating a merck proof; finally, the returned information and the Merker certification are packaged and signed and sent to GW domainA ;
S53.GW domainA Received GW relayer After the message is sent, the signature and the merck tree evidence are verified, and the access request result is obtained after verification is passed.
A second aspect of an embodiment of the present application discloses a zero knowledge proof and cross-chain based access control system comprising:
the first registration module is used for registering the identity of the access subject and the identity of the access object;
the second registration module is used for registering membership domain identities;
the preprocessing module is used for performing access preprocessing of the access main body;
the verification module is used for verifying the access rights of the access main body;
the result returning module is used for returning an access right verification result;
the processor is respectively connected with the first registration module, the second registration module, the preprocessing module, the verification module and the result return module; and
a memory coupled to the processor and storing a computer program executable on the processor;
wherein when the processor executes the computer program, the processor controls the first registration module, the second registration module, the preprocessing module, the verification module and the result return module to work so as to realize the zero knowledge proof and cross-chain based access control method.
A third aspect of an embodiment of the present application discloses a computer-readable storage medium storing computer instructions that, when read by a computer, perform a zero-knowledge proof and cross-chain based access control method as described above.
In summary, the application has at least the following advantages:
the application is based on a blockchain and an attribute-based access control method, combines a simple non-interactive zero knowledge proof, converts the access strategy of the access object into an arithmetic circuit in a zero knowledge proof algorithm, and hides the access strategy and the attribute in a proof key and a verification key, so that the access authority verification of the access object is put in the proof verification process of the zero knowledge proof, and the attribute information of the access object and the access strategy of the access object in the access process can be well protected. Secondly, the application is divided into a gateway layer and a blockchain layer two-layer cross-domain access structure, most of zero knowledge proof calculation is put in the gateway layer, the running efficiency of the system is effectively improved, the identity of member domains in the system is managed through the merck tree, trust between domains is built, the management of the member domains of the system is convenient, and the addition and deletion of the member domains can be directly achieved through updating the merck tree. The whole application not only realizes safe and reliable cross-domain access control and effectively protects the attribute and policy privacy in the system, but also can well resist man-in-the-middle attack and collusion attack.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of steps of a zero knowledge proof and cross-chain based access control method in accordance with the present application.
Fig. 2 is a block diagram of a zero knowledge proof and cross-chain based access control system in accordance with the present application.
Fig. 3 is a schematic diagram of a model system structure according to the present application.
Fig. 4 is a schematic diagram showing the conversion of an access policy tree into an arithmetic circuit according to the present application.
Fig. 5 is a flow chart of a zero knowledge proof and cross-chain based access control method in accordance with the present application.
Detailed Description
Hereinafter, only certain exemplary embodiments are briefly described. As will be recognized by those of skill in the pertinent art, the described embodiments may be modified in numerous different ways without departing from the spirit or scope of the embodiments of the present application. Accordingly, the drawings and description are to be regarded as illustrative in nature and not as restrictive.
The following disclosure provides many different implementations, or examples, for implementing different configurations of embodiments of the application. In order to simplify the disclosure of embodiments of the present application, components and arrangements of specific examples are described below. Of course, they are merely examples and are not intended to limit embodiments of the present application. Furthermore, embodiments of the present application may repeat reference numerals and/or letters in the various examples, which are for the purpose of brevity and clarity, and which do not themselves indicate the relationship between the various embodiments and/or arrangements discussed.
Embodiments of the present application will be described in detail below with reference to the accompanying drawings.
As shown in fig. 1 and 5, a first aspect of the embodiment of the present application discloses a zero knowledge proof and cross-chain based access control method, which includes the following steps:
s1, registering identities of an access subject and an access object;
s2, registering the identity of the member domain;
s3, access pretreatment of an access main body;
s4, verifying the access rights of the access main body;
s5, returning an access right verification result.
In some embodiments, S1 comprises:
s11, an access subject and an access object in a physical domain initiate a registration request;
s12, distributing public key PK for digital signature to access subject s And private key SK s ;
S13, distributing an access strategy to the access object.
In some embodiments, S2 comprises:
s21, after each physical domain initiates a joining application, a pair of keys are generated for each physical domain, wherein each pair of keys comprises a public key and a private key;
s22, using the public key of the added physical domain to generate a merck tree, and sending the MTRoot of the merck tree to each added physical domain.
In some embodiments, S3 comprises:
s31, an access subject initiates an access request to an access object, namely the access object, through a physical domain gateway;
s32, accessing a physical domain gateway GW where a main body is located domainA Obtaining a corresponding zero knowledge proof proving Key Key from a physical domain where an access object is located proof The method comprises the steps of carrying out a first treatment on the surface of the Physical domain gateway GW domainA Initiating a key acquisition request to a physical domain where an access object is located, signing the key acquisition request and sending the key acquisition request to a relay gateway GW relayer ;
S33, relay gateway GW relayer After receiving the key acquisition request, verifying the signature, and after verification, constructing a merck Proof for the access subject Merkle The key acquisition request and the Merker Proof are further processed Merkle Packaging and signing the physical domain where the access object is located;
s34, accessing a physical domain gateway GW where the object is located domainB After receiving the key acquisition request, verify the signature and the merck Proof Merkle If the verification is successful, the KRC contract is called from the blockchain to acquire the Key Key proof The key is packed and signed and sent to the relay gateway GW relayer ;
S35, relay gateway GW relayer Receipt of a certification Key Key proof After sending the request, the signature is verified, if by then constructing the merck Proof of the physical domain where the access object is located Merkle And Key Key proof And merck Proof of Proof Merkle Information packaging and signature sending to physical domain gateway GW domainA ;
S36, physical domain gateway GW domainA Receipt of a Key proof And merck Proof of Proof Merkle After the information, verifying the signature and the Merker proof, and if the verification is passed, using zero knowledge to prove the Key Key proof And constructing a zero knowledge Proof of property set of the access subject zk And Proof of zero knowledge Proof of zk Packaging and signing to send to the relay gateway GW relayer 。
In some embodiments, S4 comprises:
s41, relay gateway GW relayer After receiving the access request of the access subject, verifying the signature, if the verification is passed, calling MTC contracts from the blockchain to obtain a Merker tree, and constructing a Merker Proof by combining a public key of a physical domain where the access subject is located Merkle The method comprises the steps of carrying out a first treatment on the surface of the The zero knowledge Proof contained in the access request is then provided zk And merck Proof of Proof Merkle Packaging and signing the physical domain gateway GW where the access object is located domainB ;
S42, physical domain gateway GW domainB Received relay gateway GW relayer The transmitted information related to the access request verifies whether the signature is correct, if so, the signature passes verification, and then the zero knowledge Proof contained in the access request zk Sent to blockchain BC domainB On, call PDC contract zero knowledge Proof zk Performing verification, and returning the verification result to the physical domain gateway GW domainB 。
In some embodiments, S5 comprises:
S51.GW domainB BC will be added domainB The returned verification result and the public key of the current domain are packaged into returned information, and the returned information is signed and sent to the relay gateway GW relayer ;
S52.GW relayer Receipt of BC domainB After the return message of (2), verifying the signature, and calling BC if the verification passes relayer Acquiring Merker tree according to MTC contract on the MTC contract, and obtaining Merker tree according to domain public key PK B Generating a merck proof; finally, the returned information and the Merker certification are packaged and signed and sent to GW domainA ;
S53.GW domainA Received GW relayer After the message is sent, the signature and the merck tree evidence are verified, and the access request result is obtained after verification is passed.
As shown in fig. 2, a second aspect of an embodiment of the present application discloses a zero knowledge proof and cross-chain based access control system comprising:
the first registration module is used for registering the identity of the access subject and the identity of the access object;
the second registration module is used for registering membership domain identities;
the preprocessing module is used for performing access preprocessing of the access main body;
the verification module is used for verifying the access rights of the access main body;
the result returning module is used for returning an access right verification result;
the processor is respectively connected with the first registration module, the second registration module, the preprocessing module, the verification module and the result return module; and
a memory coupled to the processor and storing a computer program executable on the processor;
wherein when the processor executes the computer program, the processor controls the first registration module, the second registration module, the preprocessing module, the verification module and the result return module to work so as to realize the zero knowledge proof and cross-chain based access control method.
A third aspect of an embodiment of the present application discloses a computer-readable storage medium storing computer instructions that, when read by a computer, perform a zero-knowledge proof and cross-chain based access control method as described above.
The technical conception of the application is as follows:
in the present application, seven parts including a physical domain gateway, a physical domain blockchain, a relay gateway, a relay blockchain, a Policy Decision Contract (PDC), a key management contract (KAC), a Key Retrieval Contract (KRC), a Merck Tree Contract (MTC), an access subject and an access object (target resource) are included, and a specific model system structure is shown in fig. 3.
Physical domain Gateway (GW) domain ): the physical domain refers to two domains for cross-domain access, and the physical domain includes general users, namely an access subject and an access object. An access request is typically initiated by an access subject to an access object. The physical domain gateway is responsible for registration of the access subject and the access object in the physical domain, calculation of a proof key, a verification key and a proof of zero knowledge proof of whether the access subject has access rights to the access object or not, and verification of merck proof in the zero knowledge proof algorithm.
Physical domain blockchain: the physical domain blockchain is responsible for verifying the zero knowledge proof related to the access subject, and storing the zero knowledge proof key corresponding to the access subject and the merck tree root sent by the relay gateway.
Relay Gateway (GW) relayer ): upon system relay initialization, the gateway layer will distribute a pair of keys for each domain for signing and construction of trust between domains. The construction of inter-domain trust is accomplished using public key sets for each domain to construct a merck tree. After the gateway layer generates the merck tree, the merck root is sent to the domains at the first time and stored in the blockchain in each domain. The trunking gateway may give a merck proof of domain members that can verify whether the physical domain in which the accessing agent is located belongs to the network. Also, the merck tree maintained by the relay chain may be updated in real time, which will update domain members of the entire network at the first time.
Relay Block Chain (BC) relayer ): the relay blockchain is responsible for storing the relevant data of the merck tree and the identity information of the domain members. When the gateway layer receives the request of the main domain, the gateway layer can send the request of the cross-domain accessThe merck root is fetched from the blockchain and merck certification is generated in combination with the identity information of the subject.
Policy Decision Contracts (PDC): the policy decision contract is responsible for verifying the zero knowledge proof corresponding to the access subject, and the process obtains the zero knowledge proof verification key from the physical domain blockchain where the access subject is located. This contract is deployed in the blockchain of each physical domain.
Key management contract (KAC): the key management contract is responsible for storing the zero knowledge proof keys corresponding to the access objects in the physical domain in a chain. This contract is deployed in the blockchain of each physical domain.
Key Retrieval Contract (KRC): the key retrieval contract is responsible for retrieving keys from the chain and returning when an external request gets a zero knowledge proof key. This contract is deployed in the blockchain of each physical domain.
Merck Tree Contract (MTC): the merck is the contract responsible for storing the root of the merck tree on the blockchain after the trunking gateway generates the merck tree for the identities of all member domains. This contract is deployed across the blockchain of all physical domains and relays.
Access subject (S): the access subject is the initiator of the access control. When the access subject enters the physical domain registration, the physical domain gateway allocates attributes for the access subject, wherein the attributes represent the identity relationship of the access subject in the system and are used for the calculation of zero knowledge proof so as to verify the access authority of the access subject.
Access object (O): an access object is a resource in the physical domain and is an object to be accessed. The access guests in the physical domain may be assigned attributes and given an access policy defining which access principals can access the access guests. After the access object is registered in the physical domain, a given access policy is converted into an attribute arithmetic circuit for performing calculation of the zero knowledge proof key.
The description of a specific procedure is in the context of a user (access subject) on physical domain a accessing a resource (access object) on physical domain B. In order to describe the specific flow of the access control method of the present application, the definition of the relevant symbols is given:
GW domainA : representing the gateway of the physical domain a where the accessing agent is located.
GW domainB : indicating the gateway accessing the physical domain B where the object is located.
BC domainA : representing the blockchain of the physical domain a in which the access subject resides.
BC domainB : blockchain representing physical domain B where access object resides
PK S 、SK S : representing the public and private keys assigned by the physical domain gateway at registration of the accessing agent S.
PK A 、SK A : representing the public and private keys assigned by the relay gateway when the physical domain a joins the system.
PK B 、SK B : representing public and private keys allocated by a relay gateway when a physical domain B joins a system
PK R 、SK R : representing the public and private keys of the relay gateway.
Key proof : a certification key in a compact non-interactive zero-knowledge certification algorithm is used to calculate a certification for a statement to be certified.
Key verify : a verification key in a compact non-interactive zero-knowledge proof algorithm for verifying a proof on a statement to be proved.
Proof zk : the proving obtained by calculating the statement to be proving in the concise non-interactive zero knowledge proving algorithm reflects the authenticity of the statement to be proving.
Proof Merkle : when the cross-domain access is performed, the merck certification generated by the relay gateway according to the physical domain public key initiating interaction shows that the physical domain belongs to members of the whole system. When the certification is verified, the verification passes to certify that the counterpart is a member domain from the system.
As shown in fig. 1 and 5, the specific flow of the present application is as follows:
stage one: system initialization
Step 1: access subject and access object identity registration
And 11, initiating a registration request after the access subject and the access object in the physical domain enter the system. The access master may be assigned the specified attribute SA= { sattr i |i∈[1,……,n]},sattr i Representing each item attribute of the access subject. In addition, the access entity is assigned a public key PK for digital signing s And private key SK s 。
Step 12. Access objects are also assigned the specified attribute OA= { oattr i |i∈[1,……,n]},oattr i Representing each property of the access object and giving an access policy. The physical domain gateway enters a compact non-interactive zero knowledge proof algorithm to calculate a proof key and a verification key according to the attribute arithmetic circuit obtained by conversion of the access strategy of the access object, the conversion mode is shown in fig. 4, a strategy tree on the left side in the figure is an access rule of the access object, the right side is the converted attribute arithmetic circuit, and the numerical value represented by two attribute values in the left diagram is two solutions of an equation represented by the right diagram circuit. Next, the KAC contract in the physical domain blockchain is invoked to store the key in the physical domain blockchain.
Step 2: membership domain identity registration
Step 21. After each physical domain initiates a join application to the system, the trunking gateway generates a pair of keys for each physical domain, e.g., physical domain A and physical domain B, and the trunking gateway generates a Pair of Keys (PK) for each of the two physical domains domainA 、SK domainA ) Sum (PK) domainB 、SK domainB )。
Step 22. The public key of the physical domain that has been added to the system is used to generate the merck tree, whose merck tree MTRoot will be sent to each physical domain that has been added.
Stage two: system operation
Step 3: access subject access preprocessing
Step 31. The access subject initiates an access request to the access subject, i.e. the access subject, through the physical domain gateway.
Step 32, accessing the physical domain gateway GW where the main body is located domainA The corresponding zero knowledge proof proving Key Key needs to be obtained from the physical domain where the access object is located proof . Article (B)Domain gateway GW domainA Firstly, a key acquisition request initiated to a physical domain where an access object is located is packaged, signed and sent to a relay gateway GW relayer 。
Step 33, relay gateway GW relayer After receiving the request, verifying the signature, and after verification, constructing a merck Proof for the access subject Merkle And packaging the key acquisition request and the merck certificate and signing the package and sending the package to the physical domain where the access object is located.
Step 34. Accessing the physical Domain gateway GW where the object is located domainB After receiving the request, the signature and the merck Proof are first verified Merkle If the verification is successful, the KRC contract is called from the blockchain to acquire the Key Key proof . The key is then packaged and signed and sent to GW relayer 。
Step 35 GW relayer Receipt of a certification Key Key proof After sending the request, the signature is verified, if by then constructing the merck Proof of the physical domain where the access object is located Merkle And will Key proof And Proof of Merkle Packaging the information and signing the information and sending the information to the GW domainA 。
Step 36 GW domainA After receiving information such as a Key, firstly verifying a signature and a merck certificate, and if the verification is passed, using zero knowledge to prove the Key Key proof And constructing a zero knowledge Proof of property set of the access subject zk . Finally, proof zk And packaging and signing the information and sending the information to the relay gateway.
Step 4: access principal access rights verification
Step 41, relay gateway GW relayer After receiving an access request of an access subject, firstly verifying a signature, if the signature passes the verification, calling an MTC contract from a blockchain to acquire a Merker tree, and constructing a Merker Proof by combining a public key of a physical domain where the access subject is located Merkle . The zero knowledge Proof contained in the access request is then provided zk And the merck certificate is packed and signed and sent to the gateway GW of the physical domain where the access object is located domainB 。
Step 42 GW domainB The related information of the access request sent by the relay gateway is received, whether the signature is correct or not is firstly verified, if the signature is correct, the verification is passed, and then zero knowledge Proof contained in the access request is carried out zk Sent to blockchain BC domainB On, call PDC contract pair Proof zk And (5) performing verification. Subsequently returning the verification result to GW domainB 。
Step 5: returning access rights verification results
Step 51 GW domainB BC will be added domainB The returned verification result and the public key of the current domain are packaged into returned information, and the returned information is signed and sent to the relay gateway GW relayer 。
Step 52 GW relayer Receipt of BC domainB After the return message of (2), verifying the signature, and calling BC if the verification passes relayer Acquiring Merker tree according to MTC contract on the MTC contract, and obtaining Merker tree according to domain public key PK B A merck proof is generated. Finally, the returned information and the Merker certification are packaged and signed and sent to GW domainA 。
Step 53 GW domainA Received GW relayer After the message is sent, the signature and the merck tree evidence are verified, and the access request result is obtained after verification is passed.
The application focuses on: according to the application, the attribute of an access subject and an access object in a system and the access strategy of the access object are perfectly hidden in the verification process of a simple non-interactive zero knowledge proof algorithm by utilizing the zero knowledge characteristic of the simple non-interactive zero knowledge proof, the access rule of the access object is expressed through an arithmetic circuit, in the whole access control process, except for the generation of a zero knowledge proof key and the generation of zero knowledge proof, the attribute value of the access subject and the attribute value of the access object are not involved in other processes, so that the attribute privacy and the access strategy privacy are well protected, and collusion attack and man-in-the-middle attack can be effectively resisted.
The application manages the member domain of the system based on the Merker tree and the asymmetric cryptographic algorithm, and is convenient for the system to add and delete the member domain. Meanwhile, the merck tree is distributed to each member domain, and the member domains are managed together by a plurality of domains, so that trust among the member domains is conveniently constructed.
The above embodiments are provided to illustrate the present application and not to limit the present application, so that the modification of the exemplary values or the replacement of equivalent elements should still fall within the scope of the present application.
From the foregoing detailed description, it will be apparent to those skilled in the art that the present application can be practiced without these specific details, and that the present application meets the requirements of the patent statutes.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application. The foregoing description of the preferred embodiment of the application is not intended to be limiting, but rather to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the application.
It should be noted that the above description of the flow is only for the purpose of illustration and description, and does not limit the application scope of the present specification. Various modifications and changes to the flow may be made by those skilled in the art under the guidance of this specification. However, such modifications and variations are still within the scope of the present description.
While the basic concepts have been described above, it will be apparent to those of ordinary skill in the art after reading this application that the above disclosure is by way of example only and is not intended to be limiting. Although not explicitly described herein, various modifications, improvements, and adaptations of the application may occur to one of ordinary skill in the art. Such modifications, improvements, and modifications are intended to be suggested within the present disclosure, and therefore, such modifications, improvements, and adaptations are intended to be within the spirit and scope of the exemplary embodiments of the present disclosure.
Meanwhile, the present application uses specific words to describe embodiments of the present application. For example, "one embodiment," "an embodiment," and/or "some embodiments" means a particular feature, structure, or characteristic in connection with at least one embodiment of the application. Thus, it should be emphasized and should be appreciated that two or more references to "an embodiment" or "one embodiment" or "an alternative embodiment" in various positions in this specification are not necessarily referring to the same embodiment. Furthermore, certain features, structures, or characteristics of one or more embodiments of the application may be combined as suitable.
Furthermore, those of ordinary skill in the art will appreciate that aspects of the application are illustrated and described in the context of a number of patentable categories or conditions, including any novel and useful processes, machines, products, or materials, or any novel and useful improvements thereof. Accordingly, aspects of the present application may be implemented entirely in hardware, entirely in software (including firmware, resident software, micro-code, etc.) or a combination of hardware and software. The above hardware or software may be referred to as a "unit," module, "or" system. Furthermore, aspects of the present application may take the form of a computer program product embodied in one or more computer-readable media, wherein the computer-readable program code is embodied therein.
Computer program code required for operation of portions of the present application may be written in any one or more programming languages, including an object oriented programming language such as Java, scala, smalltalk, eiffel, JADE, emerald, C ++, C#, VB.NET, python, etc., a conventional programming language such as C programming language, visualBasic, fortran2103, perl, COBOL2102, PHP, ABAP, a dynamic programming language such as Python, ruby and Groovy, or other programming languages, etc. The program code may execute entirely on the user's computer, or as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any form of network, such as a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet), or the use of services such as software as a service (SaaS) in a cloud computing environment.
Furthermore, the order in which the elements and sequences are presented, the use of numerical letters, or other designations are used in the application is not intended to limit the sequence of the processes and methods unless specifically recited in the claims. While certain presently useful inventive embodiments have been discussed in the foregoing disclosure, by way of example, it is to be understood that such details are merely illustrative and that the appended claims are not limited to the disclosed embodiments, but, on the contrary, are intended to cover all modifications and equivalent arrangements included within the spirit and scope of the embodiments of the application. For example, while the implementation of the various components described above may be embodied in a hardware device, it may also be implemented as a purely software solution, e.g., an installation on an existing server or mobile device.
Likewise, it should be noted that in order to simplify the presentation of the disclosure and thereby aid in understanding one or more inventive embodiments, various features are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed subject matter requires more features than are expressly recited in each claim. Rather, the inventive subject matter should be provided with fewer features than the single embodiments described above.
Claims (7)
1. The access control method based on zero knowledge proof and cross-chain is characterized by comprising the following steps:
s1, registering identities of an access subject and an access object;
s2, registering the identity of the member domain;
s3, access pretreatment of an access main body;
s31, an access subject initiates an access request to an access object, namely the access object, through a physical domain gateway;
s32, accessing a physical domain gateway GW where a main body is located domainA Obtaining a corresponding zero knowledge proof proving Key Key from a physical domain where an access object is located proof The method comprises the steps of carrying out a first treatment on the surface of the Physical domain gateway GW domainA Initiating a key acquisition request to a physical domain where an access object is located, signing the key acquisition request, and sending the signature to the access objectRelay gateway GW relayer ;
S33, relay gateway GW relayer After receiving the key acquisition request, verifying the signature, and after verification, constructing a merck Proof for the access subject Merkle The key acquisition request and the Merker Proof are further processed Merkle Packaging and signing the physical domain where the access object is located;
s34, accessing a physical domain gateway GW where the object is located domainB After receiving the key acquisition request, verify the signature and the merck Proof Merkle If the verification is successful, the KRC contract is called from the blockchain to acquire the Key Key proof The key is packed and signed and sent to the relay gateway GW relayer ;
S35, relay gateway GW relayer Receipt of a certification Key Key proof After sending the request, the signature is verified, if by then constructing the merck Proof of the physical domain where the access object is located Merkle And Key Key proof And merck Proof of Proof Merkle Information packaging and signature sending to physical domain gateway GW domainA ;
S36, physical domain gateway GW domainA Receipt of a Key proof And merck Proof of Proof Merkle After the information, verifying the signature and the Merker proof, and if the verification is passed, using zero knowledge to prove the Key Key proof And constructing a zero knowledge Proof of property set of the access subject zk And Proof of zero knowledge Proof of zk Packaging and signing to send to the relay gateway GW relayer ;
S4, verifying the access rights of the access main body;
s5, returning an access right verification result.
2. The zero-knowledge proof and cross-chain based access control method of claim 1, wherein S1 comprises:
s11, an access subject and an access object in a physical domain initiate a registration request;
s12, distributing public key PK for digital signature to access subject s And private key SK s ;
S13, distributing an access strategy to the access object.
3. The zero-knowledge proof and cross-chain based access control method of claim 1, wherein S2 comprises:
s21, after the physical domain initiates a joining application, generating a pair of keys for the physical domain, wherein the pair of keys comprises a public key and a private key;
s22, using the public key of the added physical domain to generate a merck tree, and sending the MTRoot of the merck tree to each added physical domain.
4. The zero-knowledge proof and cross-chain based access control method of claim 1, wherein S4 comprises:
s41, relay gateway GW relayer After receiving the access request of the access subject, verifying the signature, if the verification is passed, calling MTC contracts from the blockchain to obtain a Merker tree, and constructing a Merker Proof by combining a public key of a physical domain where the access subject is located Merkle The method comprises the steps of carrying out a first treatment on the surface of the The zero knowledge Proof contained in the access request is then provided zk And merck Proof of Proof Merkle Packaging and signing the physical domain gateway GW where the access object is located domainB ;
S42, physical domain gateway GW domainB Received relay gateway GW relayer The transmitted information related to the access request verifies whether the signature is correct, if so, the signature passes verification, and then the zero knowledge Proof contained in the access request zk Sent to blockchain BC domainB On, call PDC contract zero knowledge Proof zk Performing verification, and returning the verification result to the physical domain gateway GW domainB 。
5. The zero-knowledge proof and cross-chain based access control method of claim 1, wherein S5 comprises:
S51.GW domainB BC will be added domainB The returned authentication result and the public key of the current domain are packaged into returned information,and signature is sent to the relay gateway GW relayer ;
S52.GW relayer Receipt of BC domainB After the return message of (2), verifying the signature, and calling BC if the verification passes relayer Acquiring Merker tree according to MTC contract on the MTC contract, and obtaining Merker tree according to domain public key PK B Generating a merck proof; finally, the returned information and the Merker certification are packaged and signed and sent to GW domainA ;
S53.GW domainA Received GW relayer After the message is sent, the signature and the merck tree evidence are verified, and the access request result is obtained after verification is passed.
6. An access control system based on zero knowledge proof and cross-chain, comprising:
the first registration module is used for registering the identity of the access subject and the identity of the access object;
the second registration module is used for registering membership domain identities;
the preprocessing module is used for performing access preprocessing of the access main body;
the verification module is used for verifying the access rights of the access main body;
the result returning module is used for returning an access right verification result;
the processor is respectively connected with the first registration module, the second registration module, the preprocessing module, the verification module and the result return module; and
a memory coupled to the processor and storing a computer program executable on the processor;
wherein when the processor executes the computer program, the processor controls the first registration module, the second registration module, the preprocessing module, the verification module and the result return module to work so as to realize the zero-knowledge proof and cross-chain based access control method according to any one of claims 1 to 5.
7. A computer-readable storage medium storing computer instructions that, when read by a computer, perform the zero-knowledge proof and cross-chain based access control method of any one of claims 1-5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311047221.XA CN116800435B (en) | 2023-08-21 | 2023-08-21 | Access control method, system and storage medium based on zero knowledge proof and cross-chain |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311047221.XA CN116800435B (en) | 2023-08-21 | 2023-08-21 | Access control method, system and storage medium based on zero knowledge proof and cross-chain |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116800435A true CN116800435A (en) | 2023-09-22 |
| CN116800435B CN116800435B (en) | 2023-12-19 |
Family
ID=88049954
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311047221.XA Active CN116800435B (en) | 2023-08-21 | 2023-08-21 | Access control method, system and storage medium based on zero knowledge proof and cross-chain |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116800435B (en) |
Citations (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109246137A (en) * | 2018-10-23 | 2019-01-18 | 北京航空航天大学 | The safety protecting method and device of naval warfare data based on block chain |
| CN112003889A (en) * | 2020-07-10 | 2020-11-27 | 南京邮电大学 | Distributed cross-chain system and cross-chain information interaction and system access control mechanism |
| CN112989415A (en) * | 2021-03-23 | 2021-06-18 | 广东工业大学 | Private data storage and access control method and system based on block chain |
| CN113364735A (en) * | 2021-05-01 | 2021-09-07 | 西安电子科技大学 | Data cross-link access control method, system, equipment and terminal under multi-link scene |
| CN113507458A (en) * | 2021-06-28 | 2021-10-15 | 电子科技大学 | Cross-domain identity authentication method based on block chain |
| WO2022109851A1 (en) * | 2020-11-25 | 2022-06-02 | Alipay (Hangzhou) Information Technology Co., Ltd. | Blockchain-based trusted platform |
| CN114666067A (en) * | 2022-05-23 | 2022-06-24 | 成都信息工程大学 | Cross-domain fine-grained attribute access control method and system based on block chain |
| US20220210061A1 (en) * | 2018-10-16 | 2022-06-30 | Eluvio, Inc. | Access control and ownership transfer of digital content using a decentralized content fabric and ledger |
| CN115664760A (en) * | 2022-10-19 | 2023-01-31 | 中国人民解放军军事科学院国防科技创新研究院 | Data transmission system based on cross-chain architecture and identity privacy protection |
| CN115694838A (en) * | 2022-10-31 | 2023-02-03 | 重庆大学 | Anonymous trusted access control method based on verifiable certificate and zero-knowledge proof |
| CN115714669A (en) * | 2022-10-20 | 2023-02-24 | 云南师范大学 | Private data cross-domain sharing method based on PURH-CP-ABE under block chain |
| CN115865418A (en) * | 2022-11-03 | 2023-03-28 | 北京航空航天大学 | Cross-domain access control scheme based on block chain and Byzantine fault-tolerant algorithm |
| CN115906149A (en) * | 2022-09-23 | 2023-04-04 | 电子科技大学 | KP-ABE based on directed acyclic graph and user data credible sharing method of block chain |
| CN115913647A (en) * | 2022-10-21 | 2023-04-04 | 北京航空航天大学 | Cross-domain device access control policy enforcement method and device based on block chain |
| CN115941221A (en) * | 2021-09-16 | 2023-04-07 | 郑州轻工业大学 | Access control method based on block chain in mobile edge cloud cooperation |
| CN116015706A (en) * | 2022-10-27 | 2023-04-25 | 东南大学 | Block chain enabled industrial Internet of things authentication and key negotiation method |
-
2023
- 2023-08-21 CN CN202311047221.XA patent/CN116800435B/en active Active
Patent Citations (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20220210061A1 (en) * | 2018-10-16 | 2022-06-30 | Eluvio, Inc. | Access control and ownership transfer of digital content using a decentralized content fabric and ledger |
| CN109246137A (en) * | 2018-10-23 | 2019-01-18 | 北京航空航天大学 | The safety protecting method and device of naval warfare data based on block chain |
| CN112003889A (en) * | 2020-07-10 | 2020-11-27 | 南京邮电大学 | Distributed cross-chain system and cross-chain information interaction and system access control mechanism |
| WO2022109851A1 (en) * | 2020-11-25 | 2022-06-02 | Alipay (Hangzhou) Information Technology Co., Ltd. | Blockchain-based trusted platform |
| CN112989415A (en) * | 2021-03-23 | 2021-06-18 | 广东工业大学 | Private data storage and access control method and system based on block chain |
| CN113364735A (en) * | 2021-05-01 | 2021-09-07 | 西安电子科技大学 | Data cross-link access control method, system, equipment and terminal under multi-link scene |
| CN113507458A (en) * | 2021-06-28 | 2021-10-15 | 电子科技大学 | Cross-domain identity authentication method based on block chain |
| CN115941221A (en) * | 2021-09-16 | 2023-04-07 | 郑州轻工业大学 | Access control method based on block chain in mobile edge cloud cooperation |
| CN114666067A (en) * | 2022-05-23 | 2022-06-24 | 成都信息工程大学 | Cross-domain fine-grained attribute access control method and system based on block chain |
| CN115906149A (en) * | 2022-09-23 | 2023-04-04 | 电子科技大学 | KP-ABE based on directed acyclic graph and user data credible sharing method of block chain |
| CN115664760A (en) * | 2022-10-19 | 2023-01-31 | 中国人民解放军军事科学院国防科技创新研究院 | Data transmission system based on cross-chain architecture and identity privacy protection |
| CN115714669A (en) * | 2022-10-20 | 2023-02-24 | 云南师范大学 | Private data cross-domain sharing method based on PURH-CP-ABE under block chain |
| CN115913647A (en) * | 2022-10-21 | 2023-04-04 | 北京航空航天大学 | Cross-domain device access control policy enforcement method and device based on block chain |
| CN116015706A (en) * | 2022-10-27 | 2023-04-25 | 东南大学 | Block chain enabled industrial Internet of things authentication and key negotiation method |
| CN115694838A (en) * | 2022-10-31 | 2023-02-03 | 重庆大学 | Anonymous trusted access control method based on verifiable certificate and zero-knowledge proof |
| CN115865418A (en) * | 2022-11-03 | 2023-03-28 | 北京航空航天大学 | Cross-domain access control scheme based on block chain and Byzantine fault-tolerant algorithm |
Non-Patent Citations (3)
| Title |
|---|
| SAMIA MASOOD AWAN ET AL.: "A Blockchain-Inspired Attribute-Based Zero-Trust Access Control Model for IoT", INFORMATION, vol. 14, no. 2 * |
| 周波等: "基于属性加密的软件定义网络域间访问控制方法", 高技术通讯, no. 04 * |
| 董贵山等: "区块链应用中的隐私保护策略研究", 计算机科学, no. 05 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116800435B (en) | 2023-12-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2021184973A1 (en) | External data accessing method and device | |
| Yang et al. | A zero-knowledge-proof-based digital identity management scheme in blockchain | |
| Yu et al. | Identity-based remote data integrity checking with perfect data privacy preserving for cloud storage | |
| Li et al. | Privacy-preserving public auditing protocol for low-performance end devices in cloud | |
| Huang et al. | Scalable and redactable blockchain with update and anonymity | |
| CN103856477A (en) | Trusted computing system, corresponding attestation method and corresponding devices | |
| CN109413078B (en) | Anonymous authentication method based on group signature under standard model | |
| CN114186248A (en) | Zero-knowledge proof verifiable certificate digital identity management system and method based on block chain intelligent contracts | |
| Das et al. | AI-envisioned blockchain-enabled signature-based key management scheme for industrial cyber–physical systems | |
| Paladi et al. | Trusted launch of virtual machine instances in public iaas environments | |
| Hong et al. | Service outsourcing in F2C architecture with attribute-based anonymous access control and bounded service number | |
| Thokchom et al. | Privacy preserving integrity checking of shared dynamic cloud data with user revocation | |
| Li et al. | A privacy-protecting authorization system based on blockchain and zk-SNARK | |
| Xie et al. | A novel blockchain-based and proxy-oriented public audit scheme for low performance terminal devices | |
| Hou et al. | Fine-grained and controllably redactable blockchain with harmful data forced removal | |
| Chen et al. | A blockchain-based dynamic and traceable data integrity verification scheme for smart homes | |
| CN110012024A (en) | A kind of data sharing method, system, equipment and computer readable storage medium | |
| de Meer et al. | Scope of security properties of sanitizable signatures revisited | |
| CN116800435B (en) | Access control method, system and storage medium based on zero knowledge proof and cross-chain | |
| Park et al. | Beyond the blockchain address: Zero-knowledge address abstraction | |
| Feng et al. | One-stop efficient PKI authentication service model based on blockchain | |
| Ding et al. | An efficient and secure scheme of verifiable computation for intel SGX | |
| CN116366259A (en) | Public verifiable Boolean search system and method for ciphertext data | |
| Wu et al. | A Reputation-based identity management model for cloud computing | |
| Zhai et al. | Fine-grained and fair identity authentication scheme for mobile networks based on blockchain |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |