WO2022156588A1 - Procédé, dispositif et système de gestion de données - Google Patents

Procédé, dispositif et système de gestion de données Download PDF

Info

Publication number
WO2022156588A1
WO2022156588A1 PCT/CN2022/071757 CN2022071757W WO2022156588A1 WO 2022156588 A1 WO2022156588 A1 WO 2022156588A1 CN 2022071757 W CN2022071757 W CN 2022071757W WO 2022156588 A1 WO2022156588 A1 WO 2022156588A1
Authority
WO
WIPO (PCT)
Prior art keywords
ciphertext
data
plaintext
index value
space
Prior art date
Application number
PCT/CN2022/071757
Other languages
English (en)
Chinese (zh)
Inventor
刘佳阳
郭亮
朱金伟
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2022156588A1 publication Critical patent/WO2022156588A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22Indexing; Data structures therefor; Storage structures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22Indexing; Data structures therefor; Storage structures
    • G06F16/2228Indexing structures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Definitions

  • the present application relates to the technical field of databases, and in particular, to a method, device and system for data management.
  • the solution of fully encrypted database means that user data is encrypted by the user key on the client side, and then the encrypted ciphertext data is stored in the database. Because only the client side has the user key, it can be guaranteed to be stored in the database. Security of ciphertext data in Chinese.
  • the encryption scheme of user data usually adopts symmetric encryption.
  • Symmetric encryption cannot guarantee the sequential operation based on sequentially encrypted data.
  • the database will provide the data with order preservation requirements.
  • a new data column is added to store the data with the order-preserving requirement, which will lead to the expansion of the data column used for storing the data with the order-preserving requirement, which reduces the scalability of the database.
  • Embodiments of the present application provide a data management method, device, and system, which are used to reduce the space occupied by the expansion of a table for storing ciphertext data, and improve the scalability of stored data in a cloud device.
  • Embodiments of the present application also provide corresponding apparatuses, systems, computer-readable storage media, computer program products, and the like.
  • a first aspect of the present application provides a data management method, including: acquiring a first statement, where the first statement includes plaintext data; determining a ciphertext index value according to information of the plaintext data; sending a second statement, the second statement to a cloud device Including the ciphertext index value, the ciphertext index value is used by the cloud device to establish the correspondence between the ciphertext index value and the information of the storage location of the ciphertext data in the index structure, or to query the ciphertext data from the index structure.
  • the information of the storage location, the ciphertext data is the encrypted data of the plaintext data, and the information of the storage location indicates the storage location of the ciphertext data corresponding to the plaintext data.
  • the first statement is a first statement based on sequential operations.
  • the solution provided in the first aspect above can be applied to a database end-to-cloud scenario, and can also be applied to a non-database end-to-cloud scenario.
  • the client side can be a client, and the client can be hardware (such as a terminal device) or software (such as an application (APP)), and the cloud side can be a cloud device, and the cloud device can be a physical machine or a physical machine. It can be a virtual machine (VM) or a container (container).
  • the plaintext data on the terminal side can be encrypted by the user key to obtain the ciphertext data, and then the ciphertext data is sent to the cloud side for storage.
  • Operations such as insert (insert), update (update), query (select/query), and delete (delete) can be performed between devices and clouds for ciphertext data.
  • Many of the plaintext data on the terminal side are based on sequential records, such as employee information lists, student information lists, and other data, which are all recorded based on sequential records. These sequential recorded data also need to be sorted in order after being encrypted by the user key. These data can also be called data with sequential requirements.
  • the encryption method for these order-required data can be order-preserving encryption (OPE), order-revealing encryption (ORE), or other order-based encryption methods.
  • OEPE order-preserving encryption
  • ORE order-revealing encryption
  • statements for operations on these sequence-related data may be referred to as statements based on sequence operations.
  • Input conditions based on sequential operations can include comparison operators, range queries, ordering (ORDER BY), minimum (minimum, MIN), maximum (maximum, MAX), and sorting (SORT), etc.
  • both the first statement and the second statement may be structured query language (structured query language, SQL) statements.
  • the first statement is typically a statement generated based on user input. For example: a statement generated by a query condition input by a user, or a statement generated by an insert instruction, an update instruction, or a delete instruction input by the user.
  • the operation indicated by the second statement is the same as the operation indicated by the first statement.
  • plaintext data may also be described as "plaintext of data”
  • ciphertext data may also be described as "ciphertext of data”.
  • the ciphertext index value refers to an index value that has a pointing relationship with the ciphertext data.
  • the index structure is a structure established by the cloud device to store the correspondence between the ciphertext index value and the information of the storage location of the ciphertext data, and the index structure may be a tree structure or other types of structures.
  • the information on the storage location of the ciphertext data may include an address of the storage location or an identification of the ciphertext data in the stored list.
  • the cloud device will establish a correspondence between the ciphertext index value and the information of the storage location of the ciphertext data in the index structure. For a query operation, an update operation or a deletion operation, the cloud device will query the information of the storage location of the ciphertext data from the index structure, and then can query the ciphertext data according to the information of the storage location.
  • the client can generate a ciphertext index value for plaintext data based on sequential operations, and then the cloud device can store the ciphertext index value in an index structure to establish a storage location for the ciphertext index value and the ciphertext data
  • the cloud device can store the ciphertext index value in an index structure to establish a storage location for the ciphertext index value and the ciphertext data
  • the corresponding ciphertext data can be queried according to the corresponding relationship in the index structure, and then the corresponding operations on the ciphertext data can be performed.
  • the ciphertext index value is used instead of the field in the data column as the key value in the conventional ordered index to realize the search for ciphertext data, and the ciphertext stored in the table can be searched without adding data table fields.
  • the data is queried based on the order, thereby reducing the space occupied by the expansion of the table used to store the ciphertext data, and improving the scalability of the stored data in the cloud device. That is to say, the solution of the present application has the advantages of not changing the interaction mode, not increasing the number of extra interactions, maintaining the efficiency of conventional queries, not adding data table fields, not changing the conventional index function, and not adding additional SQL statements to change the query mode.
  • the function based on sequential operation is implemented.
  • the information of the plaintext data includes the value of the plaintext data, the type of the plaintext data, and the value range of the plaintext data.
  • the types of plaintext data may include integer (int), floating point (float), string (string), and character (char), and the integer type can also be subdivided into int1 , int2, int4 and int8, etc.
  • floating-point types can also be subdivided into floating-point types with different granularities
  • string types can also be subdivided into long strings and short strings
  • character types can also be subdivided into readable characters and full characters, etc.
  • the value range of the plaintext data is related to the type of the plaintext data. For example, if the type of the plaintext data is int4, the value range of the plaintext data can be [-2 31 , 2 31 ].
  • the ciphertext index value determined by the value of the plaintext data, the type of the plaintext data and the value range of the plaintext data not only ensures the security of the ciphertext, but also improves the obtaining efficiency of the ciphertext index value.
  • the above step determining the ciphertext index value according to the information of the plaintext data, including: normalizing the value of the plaintext data, the type of the plaintext data and the value range of the plaintext data process to obtain the plaintext value, plaintext space and ciphertext space; determine the ciphertext index value according to the plaintext value, plaintext space and ciphertext space.
  • the normalization process may be to determine the normalization parameter of the plaintext data according to the type of the plaintext data and the value range of the plaintext data; according to the normalization parameter, the value of the plaintext data is normalized processing to obtain the plaintext value, plaintext space and ciphertext space.
  • the plaintext value is the normalized plaintext value
  • the plaintext space is also the normalized plaintext space.
  • the normalization process can be performed using different processing methods for different types, such as translation or shift for integer types. Normalization processing methods such as truncation and compression are used for string types, and normalization processing methods such as truncation and translation are used for floating point types.
  • the ciphertext space is obtained by enlarging the plaintext space according to the expansion coefficient.
  • normalization parameters are added for different types of plaintext data and different normalization processing methods are adopted, so that the ciphertext index value generation algorithm of this application can be adapted to all data types without input range limitation.
  • the above steps determining the ciphertext index value according to the plaintext value, the plaintext space and the ciphertext space, including: sampling in the sampling interval of the ciphertext space to obtain sampling points, The sampling interval corresponds to the midpoint of the plaintext space; according to the midpoint and the plaintext value, the plaintext space and the ciphertext space are reduced to obtain a reduced plaintext space and a reduced ciphertext space.
  • the reduced plaintext space is bounded by the midpoint and contains The plaintext value
  • the reduced ciphertext space is bounded by the sampling point; the above steps of sampling and reducing the plaintext space and the ciphertext space are repeated until the upper boundary and the lower boundary of the reduced plaintext space coincide, and the upper boundary coincides with the lower boundary.
  • the corresponding sampling point of the reduced ciphertext space is the ciphertext index value.
  • the plaintext space is a numerical range, including upper and lower boundaries.
  • the plaintext space is expressed as [a1, a2]
  • the ciphertext space is obtained by enlarging the plaintext space according to the expansion coefficient.
  • the ratio can be 1.3 times, 1.5 times or other multiples.
  • the ciphertext space can also be as large as the plaintext space.
  • the ciphertext space can be expressed as [b1,b2].
  • the plaintext space corresponds to the ciphertext space.
  • the midpoint of the plaintext space refers to the midpoint (mid) determined by the upper and lower boundaries of the plaintext space, that is, half of the sum of the upper and lower boundaries of the plaintext space is The midpoint of this plaintext space.
  • the midpoint of [a1, a2] is (a1+a2)/2. Because the ciphertext space is larger than the plaintext space, the midpoint of the plaintext space corresponds to an interval of the ciphertext space, and the client can perform deterministic sampling in this sampling interval, or it can be understood as pseudo-random sampling, that is, according to the user The key is sampled, and the sampling point (y) is obtained in the sampling interval.
  • determining the reduced plaintext space and the reduced ciphertext space may include the case where the plaintext value is greater than the midpoint, or may include the case where the plaintext value is smaller than the midpoint, if m >mid, the reduced plaintext space is the next number from the midpoint to the lower boundary of the original plaintext space, which can be expressed as [mid+1, a2], and the reduced ciphertext space is the next number from the sampling point From the beginning to the lower boundary of the ciphertext space, it can be expressed as [y+1,b2].
  • the reduced plaintext space is from the upper boundary of the plaintext space to the midpoint, which can be expressed as [a1,mid]
  • the reduced ciphertext space is from the upper boundary of the ciphertext space to the sampling point, which can be Represented as [b1,y].
  • the reduced plaintext space corresponds to
  • the sampling point of the ciphertext space is the ciphertext index value.
  • obtaining the ciphertext index value in a recursive manner can reduce the probability of leaking the ciphertext index value and improve the security of the ciphertext index value.
  • the above steps sampling in a sampling interval of the ciphertext space to obtain sampling points, including: performing modulo calculation on the size of the sampling interval by using an unpredictable pseudo-random number, to obtain the modulo value; determine the corresponding sampling point from the sampling interval according to the modulo value.
  • sampling is performed by taking a modulo value, which can improve the sampling efficiency, thereby improving the calculation efficiency of the ciphertext index value.
  • the sampling of the reduced ciphertext space is non-deterministic sampling.
  • the last sampling of the ciphertext space adopts non-deterministic sampling to determine the ciphertext index value, which can resist inference attacks.
  • the first statement indicates an insert operation or an update operation
  • the method further includes: performing symmetric encryption processing on the plaintext data to obtain ciphertext data of the plaintext data
  • the second statement further includes: Or indicate the ciphertext data, and the ciphertext data is stored in the corresponding storage location by the cloud device.
  • the client when the first statement instructs to perform an insert operation or an update operation, the client will also send the ciphertext data corresponding to the plaintext data to the cloud device for storage, and the second statement may directly include the ciphertext data.
  • the ciphertext data may also include a link to the storage location of the ciphertext data, and the link indicates the storage location of the ciphertext data.
  • the method when the first statement is used to perform a query operation, the method further includes: scrambling the second statement; receiving the query result returned by the cloud device, and descrambling the query result .
  • scrambling the second statement before sending the second statement can reduce the probability of query leakage. If the client performs scramble, after the cloud device returns the query result, the client decrypts the symmetric ciphertext. The decrypted query result may have some false positive results, but no false negative results. Then, the decrypted result will be filtered and checked, and then the final result will be output.
  • the method further includes: sending an index creation statement to the cloud device, where the index creation statement indicates the specified column of the specified table of the first statement; receiving the cloud device The existing data on the specified column returned by the device; determine the ciphertext index value of the existing data; send the ciphertext index value of the existing data to the cloud device.
  • the ciphertext index value of the existing data can be determined by sampling the above method, and the ciphertext index value is inserted into the index structure, so that the stock data can be adapted The data management process for this application.
  • a second aspect of the present application provides a data management method, comprising: receiving a second statement from a client, where the second statement includes a ciphertext index value determined by the client according to information of plaintext data in response to the first statement, the first The statement includes plaintext data; in response to the second statement, establish a correspondence between the ciphertext index value and the information of the storage location of the ciphertext data in the index structure according to the ciphertext index value, or query the ciphertext data from the index structure
  • the information of the storage location of the ciphertext data is the encrypted data corresponding to the plaintext data, and the information of the storage location indicates the storage location of the ciphertext data.
  • the solution provided in the second aspect is applied to a cloud device corresponding to the client of the first aspect, and the cloud device may be a physical machine or a virtual machine or a container.
  • the cloud device may be a physical machine or a virtual machine or a container.
  • the cloud device can store the ciphertext index value determined by the client in the index structure, establish a correspondence between the ciphertext index value and the information of the storage location of the ciphertext data, and query the ciphertext data when it needs to be queried.
  • the ciphertext data corresponding to the text index value is retrieved, the corresponding ciphertext data can be queried according to the corresponding relationship in the index structure, and then corresponding operations on the ciphertext data can be performed.
  • the ciphertext index value is used instead of the field in the data column as the key value in the conventional ordered index to realize the search for ciphertext data, and the ciphertext stored in the table can be searched without adding data table fields.
  • the data is queried based on the order, thereby reducing the space occupied by the expansion of the table used to store the ciphertext data, and improving the scalability of the stored data in the cloud device. That is to say, the solution of the present application has the advantages of not changing the interaction mode, not increasing the number of extra interactions, maintaining the efficiency of conventional queries, not adding data table fields, not changing the conventional index function, and not adding additional SQL statements to change the query mode.
  • the function based on sequential operation is implemented.
  • the second statement indicates an insert operation
  • the method further includes: determining ciphertext data corresponding to the plaintext data according to the second statement; storing the ciphertext data in a The corresponding storage location, where the storage location is the location indicated by the storage location information in the corresponding relationship.
  • the cloud device when the second statement sent by the client indicates an insert operation, the cloud device will first store the ciphertext data in a corresponding storage location, and the storage location may be a table for storing ciphertext data One or more rows of a certain column, and then the cloud device establishes the corresponding relationship between the ciphertext index value and the information of the storage location of the ciphertext data in the index structure. In this way, when querying the ciphertext data in the future, The ciphertext data can be queried from the table for storing the ciphertext data through the corresponding relationship in the index structure, so that the ciphertext data can be quickly searched in the normal query mode.
  • the second statement indicates a query operation
  • the method further includes: querying the ciphertext data according to the information of the storage location ; Return ciphertext data to the client.
  • the cloud device when the second statement sent by the client indicates a query operation, the cloud device will query the index structure according to the ciphertext index value in the second statement, and use the ciphertext already established in the index structure to query.
  • the corresponding relationship between the index value and the information of the storage location query the information of the storage location of the ciphertext data, and then query the ciphertext data in the table according to the information of the storage location, and then return the ciphertext data to the client. text data.
  • the fast search for ciphertext data can be achieved in the manner of maintaining the conventional query.
  • the second statement instructs to update the index value
  • the second statement further includes the original ciphertext index value of the plaintext data
  • the method further includes: querying the original ciphertext index value according to the original ciphertext index value The correspondence between the ciphertext index and the information of the storage location; the correspondence between the original ciphertext index value in the index structure and the information of the storage location is updated according to the ciphertext index value.
  • the second statement instructs to update the ciphertext index value
  • the second statement will include the old ciphertext index value and the new ciphertext index value of the plaintext data.
  • the text index value finds the correspondence between the established old ciphertext index value and the information of the storage location of the ciphertext data in the index structure, and then replaces the old ciphertext index value in the corresponding relationship with the new ciphertext index value.
  • the ciphertext index value in this way, enhances the flexibility of managing the correspondence between the ciphertext index value and the information of the storage location of the ciphertext data.
  • the second statement indicates to update the ciphertext data
  • the second statement further includes or indicates the ciphertext data of the plaintext data
  • the ciphertext index value of the plaintext data before the update the The method further includes: querying the correspondence between the ciphertext index value of the plaintext data before the update and the information of the storage location according to the ciphertext index value of the plaintext data before the update; updating the plaintext before the update according to the ciphertext index value of the plaintext data
  • the correspondence between the ciphertext index value of the data and the information of the storage location; the ciphertext data of the storage location is updated according to the ciphertext data of the plaintext data.
  • the ciphertext index value and the ciphertext index value before the update are sent to the cloud device, so that the cloud device can find the corresponding relationship in the index structure according to the ciphertext index value before the update, and replace the corresponding relationship with the new ciphertext index value
  • the ciphertext index value before the update is used in the corresponding storage location to update the old ciphertext data with the new ciphertext data according to the information of the storage location in the corresponding relationship.
  • the update solution provided in this possible implementation manner can realize flexible management of the ciphertext data and the ciphertext index value in the cloud device.
  • the second statement indicates to delete the index value
  • the method further includes: deleting the ciphertext index value from the correspondence between the ciphertext index value of the index structure and the information of the storage location .
  • the client terminal will send a second statement indicating deletion of the ciphertext index value to the cloud device.
  • the text index value finds a corresponding relationship in the index structure, and then deletes the ciphertext index value in the corresponding relationship, or deletes the corresponding relationship.
  • the second statement indicates to delete the ciphertext data
  • the method further includes: deleting the ciphertext data in the storage location according to the information of the storage location, and deleting the ciphertext index from the index structure Correspondence between the value and the information of the storage location of the ciphertext data.
  • the client terminal will send a second statement indicating deletion of the ciphertext data to the cloud device, and the cloud device will index the ciphertext data according to the second statement.
  • the corresponding corresponding relationship is found in the index structure, and then the ciphertext data is deleted from the corresponding position according to the information of the storage location in the corresponding relationship, and the corresponding relationship is deleted from the index structure.
  • the method further includes: receiving a statement of creating an index; querying a specified column of a specified table of the second statement according to the statement of creating an index; when there is existing data in the specified column, reporting to the client
  • the terminal sends the existing data; receives the ciphertext index value of the existing data; establishes the correspondence between the ciphertext index value of the existing data and the information of the storage location of the existing data in the index structure.
  • the ciphertext index value of the existing data can be determined by sampling the above method, and the ciphertext index value is inserted into the index structure, so that the stock data can be adapted The data management process for this application.
  • a client for executing the method in the first aspect or any possible implementation manner of the first aspect.
  • the apparatus includes modules or units for executing the method in the first aspect or any possible implementation manner of the first aspect, such as: an acquiring unit, a processing unit, a sending unit, and a receiving unit.
  • a cloud device for executing the method in the second aspect or any possible implementation manner of the second aspect.
  • the apparatus includes modules or units for executing the method in the second aspect or any possible implementation manner of the second aspect, such as a receiving unit, a processing unit, and a sending unit.
  • a fifth aspect of the present application provides a client.
  • the client may include at least one processor, memory and a communication interface.
  • the processor is coupled with the memory and the communication interface.
  • the memory is used to store instructions
  • the processor is used to execute the instructions
  • the communication interface is used to communicate with other network elements under the control of the processor.
  • the instructions when executed by the processor, cause the processor to perform the method of the first aspect or any possible implementation of the first aspect.
  • a cloud device may include at least one processor, memory, and a communication interface.
  • the processor is coupled with the memory and the communication interface.
  • the memory is used to store instructions
  • the processor is used to execute the instructions
  • the communication interface is used to communicate with other network elements under the control of the processor.
  • the instructions when executed by the processor, cause the processor to perform the method of the second aspect or any possible implementation of the second aspect.
  • a seventh aspect of the present application provides a computer-readable storage medium, where a program is stored in the computer-readable storage medium, and the program causes a processor to execute the first aspect and any one of the various implementation manners thereof.
  • a computer-readable storage medium where a program is stored in the computer-readable storage medium, and the program causes a processor to execute the second aspect and any one of the various implementation manners thereof.
  • a computer program product includes computer-executable instructions, and the computer-executable instructions are stored in a computer-readable storage medium; at least one processor of the device can be read from the computer-readable storage medium.
  • the computer executes instructions, and at least one processor executes the computer execute instructions to cause the device to implement the first aspect or a method provided by any possible implementation manner of the first aspect.
  • a tenth aspect provides a computer program product comprising computer-executable instructions stored in a computer-readable storage medium; at least one processor of the device can read the computer from the computer-readable storage medium Executing the instructions, at least one processor executes the computer-executable instructions to cause the device to implement the second aspect or a method provided by any possible implementation manner of the second aspect.
  • An eleventh aspect of the present application provides a chip system, where the chip system includes a processor for supporting a client to implement the functions involved in the first aspect or any possible implementation manner of the first aspect.
  • the chip system may further include a memory for storing necessary program instructions and data of the client.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • a twelfth aspect of the present application provides a chip system, where the chip system includes a processor for supporting a cloud device to implement the functions involved in the second aspect or any possible implementation manner of the second aspect.
  • the chip system may further include a memory for storing necessary program instructions and data of the cloud device.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • a nineteenth aspect of the present application provides a data management system.
  • the data management includes a client and a cloud device, the client is used to execute the functions involved in the first aspect or any possible implementation manner of the first aspect, and the cloud device is used to execute the second aspect or the second aspect The functions involved in any of the possible implementations.
  • the client, cloud device, computer storage medium, computer program product or chip system provided above are all used to execute the corresponding data management method provided above. Therefore, the beneficial effects that can be achieved can be referred to. The beneficial effects in the corresponding methods provided above will not be repeated here.
  • FIG. 1 is a schematic structural diagram of a data management system provided by an embodiment of the present application.
  • 2A is a schematic diagram of a stand-alone database system
  • 2B is a schematic diagram of a cluster database system using a shared disk architecture
  • 2C is a schematic diagram of a cluster database system using a shared-nothing architecture
  • FIG. 3 is a schematic diagram of an embodiment of a data management method provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of another embodiment of the data management method provided by an embodiment of the present application.
  • FIG. 5 is a schematic diagram of another embodiment of the data management method provided by the embodiment of the present application.
  • FIG. 6 is a schematic diagram of another embodiment of the data management method provided by an embodiment of the present application.
  • FIG. 7 is a schematic diagram of another embodiment of the data management method provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of another embodiment of a data management method provided by an embodiment of the present application.
  • FIG. 9 is a schematic diagram of another embodiment of the data management method provided by an embodiment of the present application.
  • FIG. 10 is a schematic diagram of another embodiment of the data management method provided by the embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of a client provided by an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of a cloud device provided by an embodiment of the present application.
  • FIG. 13 is a schematic structural diagram of a client provided by an embodiment of the present application.
  • FIG. 14 is a schematic structural diagram of a cloud device provided by an embodiment of the present application.
  • Embodiments of the present application provide a data management method, device, and system, which are used to reduce the space occupied by the expansion of a table for storing ciphertext data, and improve the scalability of stored data in a cloud device.
  • Embodiments of the present application also provide corresponding apparatuses, systems, computer-readable storage media, computer program products, and the like. Each of them will be described in detail below.
  • the user data of the client is usually stored in the cloud device.
  • these user data are usually stored in cloud devices in the form of ciphertext data.
  • the cloud device can manage the stored ciphertext data.
  • the system formed by the client and the cloud device related to the embodiment of the present application is called a data management system, and the data management system can be understood with reference to FIG. 1 .
  • the data management system can include clients and cloud devices. There can be one or more clients and one or more cloud devices. Different cloud devices can manage data on different clients, such as : Cloud device 1 can manage data on clients in region 1, and cloud device 2 can manage data on clients in region 2. Different cloud devices may also manage different types of user data, for example, cloud device 1 manages data of type A generated by the client, and cloud device 2 manages data of type B generated by the client.
  • the client may be hardware (eg, a terminal device) or software (eg, an application (application, APP)).
  • software eg, an application (application, APP)
  • the terminal device (also referred to as user equipment (UE)) is a device with wireless transceiver functions that can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; Can be deployed on water (such as ships, etc.); can also be deployed in the air (such as aircraft, balloons and satellites, etc.).
  • the terminal may be a mobile phone (mobile phone), a tablet computer (pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, or a terminal in an industrial control (industrial control).
  • VR virtual reality
  • AR augmented reality
  • Wireless terminal wireless terminal in self driving, wireless terminal in remote medical, wireless terminal in smart grid, wireless terminal in transportation safety, smart city Wireless terminals in (smart city), wireless terminals in smart homes (smart home), wireless terminals in the Internet of Things (IoT), etc.
  • Cloud devices can be physical machines or virtual machines (VMs) or containers.
  • the above-mentioned cloud device can be a device carrying a database management system (database management system, DBMS) in a database system (database system), and the method provided in the embodiment of the present application can be implemented as a part of the database management system, or as an independent component .
  • the methods provided by the embodiments of the present application can be applied to a single-machine database system or a cluster database system.
  • a database system generally consists of the following three parts: (1) Database (DB), which refers to a collection of organized and sharable data stored in a computer for a long time.
  • DB Database
  • the data in the database is organized, described and stored according to a certain mathematical model, with less redundancy, high data independence and easy expansion, and can be shared by various users.
  • Hardware including data storage required to store data, such as memory and/or disk.
  • Software including DBMS, DBMS is the core software of the database system, is used to scientifically organize and store data, and efficiently acquire and maintain data.
  • the database engine is the core component of DBMS.
  • FIG. 2A is a schematic diagram of a stand-alone database system, including a database management system and a data storage (data storage), the database management system is used to provide services such as database query and modification, and the database management system stores data in the data storage.
  • the database management system and data storage are usually located on a single server, such as a symmetric multi-processor (SMP) server.
  • the SMP server includes multiple processors, all of which share resources such as bus, memory, and I/O systems.
  • the functions of the database management system may be implemented by one or more processors executing in-memory programs.
  • FIG. 2B is a schematic diagram of a cluster database system using a shared-storage architecture, including multiple nodes (nodes 1-N in FIG. 2B ), each node is deployed with a database management system, which provides database queries for users respectively and modification services, multiple database management systems store shared data in the shared data storage, and perform read and write operations on the data in the data storage through the switch.
  • Shared data storage can be a shared disk array.
  • Nodes in a clustered database system can be physical machines, such as database servers, or virtual machines (virtual machines, VMs) or containers (containers) running on abstract hardware resources.
  • the database management system deployed in the node is a DBMS instance (instance), and the DBMS may be a process or a thread.
  • the switch is a storage area network (storage area network, SAN) switch, an Ethernet switch, a fiber optic switch or other physical switching devices.
  • the switch is a virtual switch.
  • FIG. 2C is a schematic diagram of a cluster database system using a shared-nothing architecture
  • each node has its own exclusive hardware resources (such as data storage), an operating system and a database, and the nodes communicate through a network.
  • data will be allocated to each node according to the database model and application characteristics, and the query task will be divided into several parts, which will be executed in parallel on all nodes, and calculated in cooperation with each other, providing database services as a whole, and all communication functions are in It is implemented on a high-bandwidth network interconnection system.
  • the nodes can be either physical machines or virtual machines.
  • the data storage (data storage) of the database system includes but is not limited to solid state drives (SSD), disk arrays or other types of non-transitory computer-readable media.
  • SSD solid state drives
  • the database is not shown in FIGS. 2A-2C, it should be understood that the database is stored in the data storage.
  • a database system may include fewer or more components than those shown in FIGS. 2A-2C, or components that are different from those shown in FIGS. 2A-2C.
  • FIG. 2C only shows components more related to the implementations disclosed in the embodiments of the present application.
  • a clustered database system may include any number of nodes.
  • the database management system functions of each node may be implemented by an appropriate combination of software, hardware and/or firmware running on each node, respectively.
  • the above database systems in FIGS. 2A to 2C all include nodes, and the structures of the nodes are described below with reference to the accompanying drawings.
  • the node may include at least one processor, a non-transitory computer-readable medium storing executable code, and a database management system.
  • the executable code when executed by the at least one processor, is configured to implement the components and functions of the database management system.
  • a non-transitory computer-readable medium may include one or more non-volatile memories including, by way of example, semiconductor memory devices such as erasable programmable read only memory (EPROM), Electrically erasable programmable read only memory (EEPROM) and flash memory (flash memory); magnetic disks, such as internal hard disks or removable disks, magneto optical disks, As well as CD-ROM and DVD-ROM.
  • a non-transitory computer-readable medium can also include any device configured as main memory.
  • the at least one processor may include any type of general purpose computing circuit or special purpose logic circuit, such as a field-programmable gate array (FPGA) or an application specific integrated circuit (ASIC).
  • At least one processor 104 may also be one or more processors, such as a CPU, coupled to one or more semiconductor substrates.
  • SQL structured query language
  • SQL can refer to various types of data-related languages, including, for example, data definition languages and data manipulation languages, where the scope of SQL can include data insertion, query, update and delete, schema creation and modification, and data access control.
  • SQL may include descriptions related to various language elements, including clauses, expressions, predicates, and query statements, which are also often referred to simply as "query”.
  • clauses can refer to various components of statements and queries, and in some cases, clauses can be considered optional.
  • expressions may be configured to produce scalar values and/or tables that include columns and/or rows of data.
  • predicates can be configured to specify conditions for adjusting the effects of statements and queries.
  • a query statement is a request to view, access and/or manipulate data stored in a database.
  • a database management system can receive queries in SQL format (called SQL queries) from clients.
  • the SQL query may also be referred to as an SQL statement.
  • the database management system generates query results corresponding to the query by accessing relevant data from the database and manipulating the relevant data, and returning the query results to the database client.
  • a database is a collection of data organized, described and stored according to a certain mathematical model.
  • a database can include one or more database structures or formats, such as row storage and column storage.
  • the above cloud device can be applied to a database scenario or a non-database scenario. Regardless of whether the cloud device is applied to a database scenario, the data management method provided by the embodiment of the present application can be applied.
  • the data management method provided by the embodiments of the present application will be introduced below with reference to the accompanying drawings.
  • FIG. 3 A schematic diagram of an embodiment of a data management method is shown in FIG. 3 .
  • An embodiment of the data management method provided by the embodiment of the present application includes:
  • the client obtains a first statement, where the first statement includes plaintext data.
  • the first statement may be a first statement based on sequential operations.
  • Plaintext data can also be described as "the plaintext of the data”. Many plaintext data are based on sequential records, such as employee information lists, student information lists and other data, which are all recorded based on sequential records. These sequential records also need to be arranged in order after being encrypted by the user key. Data can also be referred to as data with sequential requirements.
  • the table is based on sequential records and can be understood by referring to Table 1 below.
  • the plaintext data may be any column in Table 1, or may be information of a certain row or certain rows in a certain column.
  • the encryption method for these order-required data can be order-preserving encryption (OPE), order-revealing encryption (ORE), or other order-based encryption methods.
  • OPE order-preserving encryption
  • ORE order-revealing encryption
  • statements for operations on these sequence-related data may be referred to as statements based on sequence operations.
  • Input conditions based on sequential operations can include comparison operators, range queries, sorting (ORDER BY), minimum (minimum, MIN), maximum (maximum, MAX), and sorting (SORT), etc.
  • the first statement may be a structured query language (SQL) statement.
  • the first statement is typically a statement generated based on user input. For example: a statement generated by a query condition input by a user, or a statement generated by an insert instruction, an update instruction or a delete instruction input by the user.
  • the client determines the ciphertext index value according to the information of the plaintext data.
  • the ciphertext index value refers to an index value that has a pointing relationship with the ciphertext data.
  • the client sends a second sentence to the cloud device, where the second sentence includes a ciphertext index value. Accordingly, the cloud device receives the second sentence.
  • the second statement may also be an SQL statement.
  • the operation indicated by the second statement is the same as the operation indicated by the first statement.
  • the cloud device establishes a correspondence between the ciphertext index value and the information of the storage location of the ciphertext data in the index structure according to the ciphertext index value, or queries the index structure for the information of the ciphertext data.
  • the information of the storage location, the ciphertext data is the encrypted data corresponding to the plaintext data, and the information of the storage location indicates the storage location of the ciphertext data.
  • the ciphertext data is encrypted data corresponding to the plaintext data, and the storage location information indicates the storage location of the ciphertext data.
  • the index structure is a structure established by the cloud device to store the correspondence between the ciphertext index value and the information of the storage location of the ciphertext data.
  • the index structure can be a tree structure, such as a B-tree, or other type of structure.
  • the information on the storage location of the ciphertext data may include an address of the storage location or an identification of the ciphertext data in the stored list. If the operation indicated by the second statement is an insert operation, the cloud device will establish a correspondence between the ciphertext index value and the information of the storage location of the ciphertext data in the index structure. For a query operation, an update operation or a deletion operation, the cloud device will query the information of the storage location of the ciphertext data from the index structure, and then can query the ciphertext data according to the information of the storage location.
  • the client can generate a ciphertext index value for plaintext data based on sequential operations, and then the cloud device can store the ciphertext index value in an index structure to establish a relationship between the ciphertext index value and the ciphertext data.
  • the corresponding relationship between the information of the storage location when the ciphertext data corresponding to the ciphertext index value needs to be queried, the corresponding ciphertext data can be queried according to the corresponding relationship in the index structure, and then the corresponding ciphertext data can be executed. operate.
  • the ciphertext index value is used instead of the field in the data column as the key value in the conventional ordered index to realize the search for ciphertext data without adding data table fields, and the ciphertext data stored in the table can be searched Sequence-based queries are performed, thereby reducing the space occupied by the expansion of tables used to store ciphertext data, and improving the scalability of stored data in cloud devices. That is to say, the solution of the present application has the advantages of not changing the interaction mode, not increasing the number of extra interactions, maintaining the efficiency of conventional queries, not adding data table fields, not changing the conventional index function, and not adding additional SQL statements to change the query mode.
  • the function based on sequential operation is implemented.
  • the information of the plaintext data involved in the foregoing step 102 may include the value of the plaintext data, the type of the plaintext data, and the value range of the plaintext data.
  • the value range of the plaintext data may include the size of the plaintext data or the lower boundary of the plaintext data.
  • the value of the plaintext data, the type of the plaintext data, and the value range of the plaintext data can be normalized to obtain the plaintext value, the plaintext space and the ciphertext space; Text space, determine the ciphertext index value.
  • the plaintext value is the normalized plaintext value
  • the plaintext space is also the normalized plaintext space.
  • the above process of determining the ciphertext index value according to the plaintext value, the plaintext space and the ciphertext space can be performed by a binary recursion method, and the process can include: sampling in a sampling interval of the ciphertext space to obtain sampling points, sampling intervals Corresponds to the midpoint of the plaintext space; according to the midpoint and the plaintext value, the plaintext space and the ciphertext space are reduced to obtain the reduced plaintext space and the reduced ciphertext space, and the reduced plaintext space is bounded by the midpoint and contains the plaintext value , the reduced ciphertext space is bounded by the sampling point; the above steps of sampling and reducing the plaintext space and the ciphertext space are repeated until the upper and lower boundaries of the reduced plaintext space coincide, and the corresponding The sampling point of the reduced ciphertext space is the ciphertext index value.
  • the process of determining the ciphertext index value can be understood by referring to FIG. 4 .
  • the process of determining the ciphertext index value may include:
  • the client parses the first statement, and determines the value of the plaintext data, the data type of the plaintext data, and the value range of the plaintext data.
  • the value range of the plaintext data may be determined according to the data type of the plaintext data, or may be a preconfigured default range, or may be a range dynamically input by the user.
  • the types of plaintext data can include integer (int), floating-point (float), string (string), and character (char). Moreover, integers can also be subdivided into int4 and int8, etc. It can be subdivided into floating-point types with different granularities, string types can also be subdivided into long strings and short strings, and character types can also be subdivided into readable characters and full characters.
  • the value range of the plaintext data is related to the type of the plaintext data. For example, if the type of the plaintext data is int4, the value range of the plaintext data can be [-2 31 , 2 31 ].
  • the client determines the normalization parameter of the plaintext data according to the type of the plaintext data and the value range of the plaintext data.
  • the client performs normalization processing on the value of the plaintext data according to the normalization parameter, so as to obtain the plaintext value, the plaintext space and the ciphertext space.
  • the process of normalization processing can be different processing methods for different types, such as: normalization processing methods such as translation or shift for integer types, and normalization processing methods such as truncation and compression for string types. For floating-point types, normalization methods such as truncation and translation are used.
  • Integer (int1, int2, int4, int8): Negative numbers need to be translated into non-negative numbers according to the normalization parameters.
  • the BN library in the openssl open source library can be uniformly used before encryption (the BIGNUM library is used for those beyond the range of int8 after conversion), which makes the actual application data range of this application unlimited.
  • Character type (text, varchar(n), char, char(n), varchar2(n), bytea): first note n is the size of the valid character space of the current type + 1, and the full valid character space such as bytea is 256.
  • the long string intercepts the high-order fixed-length string according to the normalization parameter, and the low-order complement of the short string is 0, and then converts the string to an n-ary number, and then transfers it to the BN structure.
  • Floating-point number types float4, float8, double precision:
  • the normalized structure is a concatenated significand of the exponent bit, and negative numbers and negative exponents are supported. Note that the current type maximum exponent is emax, and the exponent is exp.
  • the exponent bit is corrected to emax-exp for negative numbers, and 3*emax+exp for positive numbers.
  • the significant digits (decimal) of negative numbers are corrected digit-by-digit to 9-native significant digits. In the case of different precisions, if the number of significant digits is insufficient, the low digits of the significant digits should be filled with 0 according to the normalization parameter and then cascaded. If the significant digits are too long, the low digits should be truncated.
  • the normalized plaintext value can be uniformly multiplied by the same ratio (for example, 8) to limit the existence of two ciphertexts that differ by less than the multiplication ratio.
  • the multiplication ratio refers to the normalization ratio. The scale by which the normalized plaintext value is multiplied.
  • the plaintext space is determined by the type of plaintext data and the upper and lower boundaries of the plaintext data determined by the normalization parameter.
  • the size of the ciphertext space can generally be a fixed multiple of the bit length of the size of the plaintext space (such as 1.3 times, 1.5 times, of course, other multiples, which are not limited in this application), and exceed a certain lower limit (for example, limit).
  • the bit length of the ciphertext space is at least 10 bits longer than the plaintext), and the lower bound of the ciphertext space can be 1.
  • the ciphertext space is obtained by enlarging the plaintext space according to the expansion coefficient.
  • normalization parameters are added for different types of plaintext data and different normalization processing methods are adopted, so that the ciphertext index value generation algorithm of this application can be adapted to all data types without input range limitation.
  • the plaintext space is a range of values, including upper and lower boundaries.
  • the plaintext space is expressed as [a1, a2]
  • the ciphertext space is obtained by enlarging the plaintext space according to the expansion coefficient.
  • the ciphertext space can be expressed as [ b1,b2].
  • the client performs sampling in the sampling interval of the ciphertext space to obtain sampling points, and the sampling interval corresponds to the midpoint of the plaintext space.
  • the plaintext space corresponds to the ciphertext space.
  • the midpoint of the plaintext space refers to the midpoint (mid) determined by the upper and lower boundaries of the plaintext space, that is, half of the sum of the upper and lower boundaries of the plaintext space is The midpoint of this plaintext space. For example: the midpoint of [a1, a2] is (a1+a2)/2. Because the ciphertext space is larger than the plaintext space, the midpoint of the plaintext space corresponds to a sampling interval of the ciphertext space.
  • the client can perform deterministic sampling in this sampling interval, or it can be understood as pseudo-random sampling, that is, according to The user key is sampled, and the sampling point (y) is obtained in the sampling interval.
  • K sam is a parameter added before sampling. For example, the value can be 0.9. Adding this K sam parameter can increase the smoothness of the actual ciphertext distribution.
  • key is a secure random number or user key.
  • the client reduces the plaintext space and the ciphertext space according to the midpoint and the plaintext value, so as to obtain a reduced plaintext space and a reduced ciphertext space.
  • the reduced plaintext space is bounded by the midpoint and contains the plaintext value, and the reduced ciphertext space is bounded by the sampling point.
  • determining the reduced plaintext space and the reduced ciphertext space may include the case where the plaintext value is greater than the midpoint, or may include the case where the plaintext value is smaller than the midpoint.
  • the comparison relationship and the corresponding result can be expressed as: if m>mid, the reduced plaintext space is [mid+1, a2], and the reduced ciphertext space is [y+1, b2]; if m ⁇ mid, then The reduced plaintext space is [a1,mid], and the reduced ciphertext space is [b1,y].
  • the reduced plaintext space starts from the next number from the midpoint to the lower boundary of the original plaintext space, which can be expressed as [mid+1, a2], and the reduced ciphertext space is From the next number of the sampling point to the lower boundary of the ciphertext space, it can be expressed as [y+1,b2].
  • the reduced plaintext space is from the upper boundary of the plaintext space to the midpoint, which can be expressed as [a1,mid]
  • the reduced ciphertext space is from the upper boundary of the ciphertext space to the sampling point, which can be Represented as [b1,y].
  • the client performs multiple recursion, the upper and lower boundaries of the reduced plaintext space are equal, and the output sampling point is the ciphertext index value.
  • obtaining the ciphertext index value in a recursive manner can reduce the probability of leakage of the ciphertext index value and improve the security of the ciphertext index value.
  • sampling in the sampling interval corresponding to the midpoint of the plaintext space to obtain the sampling point may include: performing a modulo calculation on the size of the sampling interval by using an unpredictable pseudo-random number to obtain a modulo value; The corresponding sampling point is determined from the sampling interval according to the modulo value.
  • sampling is performed by taking the modulo value, which can improve the sampling efficiency, thereby improving the calculation efficiency of the ciphertext index value.
  • the sampling of the reduced ciphertext space is non-deterministic sampling.
  • This last sampling of the ciphertext space uses non-deterministic sampling to determine the ciphertext index value, which can resist inference attacks.
  • the client may further scramble the second statement, which can reduce the probability of query leakage. If the client performs scramble, after the cloud device returns the query result, the client decrypts the symmetric ciphertext. The decrypted query result may have some false positive results, but no false negative results. Then, the decrypted result will be filtered and checked, and then the final result will be output.
  • the above-mentioned first statement and second statement may indicate various operations such as insert, query, update, and delete.
  • operations such as insert, query, update, and delete.
  • the data management processes of the client and the cloud device are somewhat different.
  • the statement and the second statement indicating an insert operation, a query operation, an update operation, and a delete operation introduce the data management process provided by the embodiments of the present application.
  • the first statement and the second statement indicate an insert operation.
  • another embodiment of the data management method provided by the embodiment of the present application may include:
  • the client side symmetrically encrypts the plaintext data in the first sentence to obtain ciphertext data.
  • the client determines the ciphertext index value according to the information of the plaintext data.
  • This step can be understood by referring to the previous process of determining the ciphertext index value, and details are not repeated here.
  • the client adds the ciphertext data and the ciphertext index value to the second statement.
  • a link to the storage location of the ciphertext data can be added to the second sentence, so that the cloud device can obtain the ciphertext data through the link of the storage location.
  • the client sends the second sentence to the cloud device.
  • the cloud device receives the second sentence.
  • the cloud device parses the second sentence, and stores the ciphertext data in a corresponding storage location.
  • the second statement may carry the identifier of the table where the ciphertext data is to be stored, and the identifier of the column in the table.
  • the cloud device can find the corresponding table according to the table identifier, then insert the data carried by the second statement into the corresponding column, and store the ciphertext data in the column indicated by the column identifier.
  • the cloud device establishes a correspondence between the ciphertext index value and the information of the storage location where the ciphertext data is located in the index structure.
  • the corresponding relationship is a key-value (key-value, KV) relationship, wherein the ciphertext index value is the key, and the information of the storage location is the value.
  • the cloud device returns an execution message to the client.
  • the ciphertext index value can be inserted into the index structure, so that the ciphertext data can be quickly searched when the ciphertext data query is performed.
  • the first statement and the second statement indicate a query operation.
  • another embodiment of the data management method provided by the embodiment of the present application may include:
  • the client determines the ciphertext index value according to the information of the plaintext data in the first sentence.
  • This step can be understood by referring to the previous process of determining the ciphertext index value, and details are not repeated here.
  • the client adds the ciphertext index value to the second statement.
  • the client sends a second sentence to the cloud device.
  • the cloud device receives the second sentence.
  • the cloud device parses the second sentence, and searches for the KV relationship of the ciphertext index value from the index structure according to the ciphertext index value.
  • the cloud device queries the ciphertext data from the corresponding storage location according to the storage location information in the KV relationship of the ciphertext index value.
  • the cloud device returns a query result to the client, where the query result includes ciphertext data.
  • ciphertext data can be quickly searched through the ciphertext index value and the KV relationship.
  • the first statement and the second statement indicate the operation of updating the index value.
  • another embodiment of the data management method provided by the embodiment of the present application may include:
  • the client determines the ciphertext index value according to the information of the plaintext data in the first sentence.
  • the ciphertext index value is a new ciphertext index value.
  • the client adds the ciphertext index value of the plaintext data and the original ciphertext index value of the plaintext data to the second statement.
  • the client sends a second sentence to the cloud device.
  • the cloud device receives the second sentence.
  • the second sentence includes the original ciphertext index value and the new ciphertext index value of the plaintext data.
  • the cloud device searches the index structure for the KV relationship including the original ciphertext index value according to the original ciphertext index value.
  • the cloud device replaces the original ciphertext index value in the KV relationship according to the new ciphertext index value.
  • the cloud device returns the execution result to the client.
  • the execution result may be a response to an index value update.
  • the solution provided by the embodiment of the present application enhances the flexibility of the management of the correspondence between the ciphertext index value and the information of the storage location of the ciphertext data.
  • the first statement and the second statement indicate the operation of updating the ciphertext data.
  • another embodiment of the data management method provided by this embodiment of the present application may include:
  • the client determines the ciphertext index value according to the information of the plaintext data in the first sentence.
  • the plaintext data is the updated plaintext data
  • the ciphertext index value is a new ciphertext index value
  • the client performs symmetric encryption on the plaintext data to generate ciphertext data.
  • the ciphertext data is the ciphertext data corresponding to the plaintext data updated by the client.
  • the client adds the ciphertext data corresponding to the updated plaintext data, the new ciphertext index value and the ciphertext index value of the plaintext data before the update to the second sentence.
  • the client sends the second sentence to the cloud device.
  • the cloud device receives the second sentence.
  • the second sentence includes the ciphertext data corresponding to the updated plaintext data, as well as the new ciphertext index value and the ciphertext index value of the plaintext data before the update.
  • the cloud device searches the index structure for the KV relationship including the ciphertext index value of the plaintext data before the update according to the ciphertext index value of the plaintext data before the update.
  • the cloud device replaces the ciphertext data at the corresponding location with the ciphertext data corresponding to the updated plaintext data according to the storage location information in the KV relationship.
  • the cloud device replaces the ciphertext index value of the plaintext data before the update in the KV relationship according to the new ciphertext index value.
  • the cloud device returns the execution result to the client.
  • the execution result may be a response of updating the ciphertext data.
  • the solutions provided by the embodiments of the present application can realize flexible management of ciphertext data and ciphertext index values in the cloud device.
  • the first statement and the second statement indicate the operation of deleting the index value or the operation of deleting the ciphertext data.
  • another embodiment of the data management method provided by the embodiment of the present application may include:
  • the client determines the ciphertext index value according to the information of the plaintext data in the first sentence.
  • the client adds the ciphertext index value to the second statement.
  • the client sends a second sentence to the cloud device.
  • the cloud device receives the second sentence.
  • the cloud device searches for the corresponding KV relationship from the index structure according to the ciphertext index value in the second sentence.
  • the cloud device deletes the ciphertext index value from the KV relationship, or deletes the ciphertext data according to the information of the storage location in the KV relationship, and deletes the KV relationship.
  • the cloud device returns the execution result to the client.
  • the execution result may be a successful deletion response.
  • another embodiment of the data management method provided by this embodiment of the present application may include:
  • the client sends an index creation statement to the cloud device.
  • the cloud device receives the create index statement.
  • Create index statement (create index).
  • the CREATE INDEX statement indicates the specified column of the specified table of the first statement.
  • the create statement will contain the identifier of the specified table (table ID) and the identifier of the specified column (column ID).
  • the cloud device queries the specified column of the specified table of the second statement according to the index creation statement.
  • the cloud device sends the existing data to the client.
  • the client receives the existing data on the specified column returned by the cloud device.
  • the client determines the ciphertext index value of the existing data.
  • the client sends the ciphertext index value of the existing data to the cloud device.
  • the cloud device receives the ciphertext index value of the existing data sent by the client.
  • the ciphertext index value of the existing data may be sent through an update statement.
  • the cloud device establishes a correspondence between the ciphertext index value of the existing data and the information of the storage location of the existing data in the index structure.
  • the existing data in the cloud device can be adapted to the above-mentioned data management process. This process can be performed before the above insert, query, update and delete operations.
  • a Gauss order preserving encryption (GSOPE) algorithm is configured in the client, and the GSOPE algorithm is higher in computational efficiency than the existing BCLO algorithm or the Lewi-Wu algorithm. , and a set of experimental data is taken as an example for comparison and description.
  • GOPE Gauss order preserving encryption
  • GSOPE BCLO Lewi-Wu (blocks of 10) INT4 88 3000+ 300 INT8 360 7000+ 527 FLOAT8 343 not support not support 0-1 string[25] 99 not support 223 CHAR[15] (readable characters) 515 not support 900+ CHAR[15] (full character) 728 not support 1200+
  • Lewi-Wu is a trapdoor block evolution algorithm used by the CLWW algorithm to reduce ciphertext leakage.
  • the GSOPE algorithm provided in the embodiment of the present application supports all data types of plaintext data, and there is no limitation on the data range objectively, and the range is controllable subjectively.
  • an embodiment of the client terminal 90 provided by this embodiment of the present application includes:
  • the obtaining unit 901 is configured to obtain a first sentence, where the first sentence includes plaintext data.
  • the processing unit 902 is configured to determine the ciphertext index value according to the information of the plaintext data acquired by the acquiring unit 901 .
  • the sending unit 903 is configured to send a second statement to the cloud device, where the second statement includes the ciphertext index value determined by the processing unit 902, and the ciphertext index value is used by the cloud device to establish the ciphertext index value and the ciphertext data in the index structure
  • the corresponding relationship between the information of the storage location of the ciphertext data, or query the information of the storage location of the ciphertext data from the index structure, the ciphertext data is the encrypted data corresponding to the plaintext data, and the information of the storage location indicates the storage location of the ciphertext data.
  • the client can generate a ciphertext index value for plaintext data based on sequential operations, and then the cloud device can store the ciphertext index value in an index structure to establish a relationship between the ciphertext index value and the ciphertext data.
  • the corresponding relationship between the information of the storage location when the ciphertext data corresponding to the ciphertext index value needs to be queried, the corresponding ciphertext data can be queried according to the corresponding relationship in the index structure, and then the corresponding ciphertext data can be executed. operate.
  • the ciphertext index value is used instead of the field in the data column as the key value in the conventional ordered index to realize the search for ciphertext data, and the ciphertext stored in the table can be searched without adding a data table field.
  • the data is queried based on the order, thereby reducing the space occupied by the expansion of the table used to store the ciphertext data, and improving the scalability of the stored data in the cloud device. That is to say, the solution of the present application has the advantages of not changing the interaction mode, not increasing the number of extra interactions, maintaining the efficiency of conventional queries, not adding data table fields, not changing the conventional index function, and not adding additional SQL statements to change the query mode.
  • the function based on sequential operation is implemented.
  • the information of the plaintext data includes the value of the plaintext data, the type of the plaintext data, and the value range of the plaintext data.
  • the processing unit 902 is configured to perform normalization processing on the value of the plaintext data, the type of the plaintext data and the value range of the plaintext data to obtain the plaintext value, the plaintext space and the ciphertext space; space and ciphertext space, determine the ciphertext index value.
  • the processing unit 902 is configured to perform sampling in the sampling interval of the ciphertext space to obtain a sampling point, and the sampling interval corresponds to the midpoint of the plaintext space; according to the midpoint and the plaintext value, reduce the plaintext space and the ciphertext space, In order to obtain the reduced plaintext space and the reduced ciphertext space, the reduced plaintext space is bounded by the midpoint and contains the plaintext value, and the reduced ciphertext space is bounded by the sampling point; repeat the above sampling and reduced plaintext space and ciphertext Space steps until the upper boundary of the reduced plaintext space and the lower boundary coincide, and the sampling point of the reduced ciphertext space corresponding to the coincidence of the upper boundary and the lower boundary is the ciphertext index value.
  • the processing unit 902 is configured to perform modulo calculation on the size of the sampling interval by using an unpredictable pseudo-random number to obtain a modulo value; and determine a corresponding sampling point from the sampling interval according to the modulo value.
  • the sampling of the reduced ciphertext space is non-deterministic sampling.
  • the processing unit 902 is also used for the first statement to indicate an insert operation or an update operation, and symmetric encryption processing is performed on the plaintext data to obtain the ciphertext data of the plaintext data; the second statement also includes the ciphertext data, the ciphertext data. Stored in the corresponding storage location by the cloud device.
  • processing unit 902 is further configured for the first statement to indicate a query operation, and to scramble the second statement.
  • the receiving unit 904 is configured to receive the query result returned by the cloud device.
  • the processing unit 902 is further configured to descramble the query result.
  • the sending unit 903 is further configured to send a create index statement to the cloud device, where the create index statement indicates the specified column of the specified table of the first statement.
  • the receiving unit 904 is configured to receive the existing data on the specified column returned by the cloud device.
  • the processing unit 902 is further configured to determine the ciphertext index value of the existing data.
  • the sending unit 903 is also used to send the ciphertext index value of the existing data to the cloud device.
  • an embodiment of the cloud device 100 provided by this embodiment of the present application includes:
  • the receiving unit 1001 is configured to receive a second sentence from a client, where the second sentence includes a ciphertext index value determined by the client according to information of plaintext data in response to the first sentence, and the first sentence includes plaintext data.
  • the processing unit 1002 is configured to, in response to the second statement received by the receiving unit 1001, establish a correspondence between the ciphertext index value and the information of the storage location of the ciphertext data in the index structure according to the ciphertext index value, or, from the index In the structure, the information of the storage location of the ciphertext data is queried, the ciphertext data is the encrypted data corresponding to the plaintext data, and the information of the storage location indicates the storage location of the ciphertext data.
  • the cloud device may store the ciphertext index value determined by the client in the index structure, and establish a correspondence between the ciphertext index value and the information of the storage location of the ciphertext data.
  • the ciphertext index value is used instead of the field in the data column as the key value in the conventional ordered index to realize the search for ciphertext data, and the ciphertext stored in the table can be searched without adding data table fields.
  • the data is queried based on the order, thereby reducing the space occupied by the expansion of the table used to store the ciphertext data, and improving the scalability of the stored data in the cloud device. That is to say, the solution of the present application has the advantages of not changing the interaction mode, not increasing the number of extra interactions, maintaining the efficiency of conventional queries, not adding data table fields, not changing the conventional index function, and not adding additional SQL statements to change the query mode.
  • the function based on sequential operation is implemented.
  • the processing unit 1002 is further configured to, if the second statement indicates an insert operation, before establishing the corresponding relationship, determine the ciphertext data corresponding to the plaintext data according to the second statement; store the ciphertext data in a corresponding storage location, and store the The position is the position indicated by the information of the storage position in the corresponding relationship.
  • the processing unit 1002 is further configured to query the ciphertext data according to the information of the storage location after querying the information of the storage location of the ciphertext data from the index structure if the second statement indicates a query operation.
  • the sending unit 1003 is configured to return ciphertext data to the client.
  • the processing unit 1002 is further configured to query the original ciphertext index and store the original ciphertext index according to the original ciphertext index value if the second statement indicates to update the index value, and the second statement also includes the original ciphertext index value of the plaintext data. Correspondence between the information of the location; update the correspondence between the original ciphertext index value in the index structure and the information of the storage location according to the ciphertext index value.
  • the processing unit 1002 is further configured to, if the second statement indicates to update the ciphertext data, the second statement also includes or indicates the ciphertext data of the plaintext data, and the ciphertext index value of the plaintext data before the update, according to The ciphertext index value of the plaintext data before the update is to query the correspondence between the ciphertext index value of the plaintext data before the update and the information of the storage location; update the ciphertext index of the plaintext data before the update according to the ciphertext index value of the plaintext data Correspondence between the value and the information of the storage location; update the ciphertext data of the storage location according to the ciphertext data of the plaintext data.
  • the processing unit 1002 is further configured to delete the ciphertext index value from the correspondence between the ciphertext index value of the index structure and the information of the storage location if the second statement indicates to delete the index value.
  • the processing unit 1002 is further configured to delete the ciphertext data in the storage location according to the information of the storage location if the second statement indicates to delete the ciphertext data, and delete the difference between the ciphertext index value and the ciphertext data from the index structure. The correspondence between the information of the storage location.
  • the receiving unit 1001 is further configured to receive an index creation statement.
  • the processing unit 1002 is further configured to query the specified column of the specified table of the second statement according to the index creation statement.
  • the sending unit 1003 is configured to send the existing data to the client when existing data exists in the specified column.
  • the receiving unit 1001 is further configured to receive the ciphertext index value of the existing data.
  • the processing unit 1002 is further configured to establish a correspondence between the ciphertext index value of the existing data and the information of the storage location of the existing data in the index structure.
  • FIG. 13 is a block diagram showing a partial structure of a mobile phone provided by an embodiment of the present application.
  • the mobile phone includes: a radio frequency (: Radio Frequency,: RF) circuit 810, a memory 820, an input unit 830, a display unit 840, a sensor 850, an audio circuit 860, a wireless fidelity (WiFi) module 870, a processing 880, and the power supply 890 and other components.
  • the RF circuit 810 can be used for receiving and sending signals during sending and receiving of information or during a call. In particular, after receiving the downlink information of the base station, it is processed by the processor 880; in addition, the designed uplink data is sent to the base station.
  • the RF circuit 810 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like.
  • LNA Low Noise Amplifier
  • the memory 820 can be used to store software programs and modules, and the processor 880 executes various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 820 .
  • the memory 820 may mainly include a stored program area and a stored data area, wherein the stored program area may store an operating system, an application program required for at least one function (such as a sound playback function, an image playback function, etc.), etc.; According to the data created by the mobile phone (such as audio data, phone book, etc.) and so on.
  • memory 820 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
  • the input unit 830 can be used to receive information input by the user, such as a user password, and generate key signal input related to user settings and function control of the mobile phone.
  • the input unit 830 may include a touch panel 831 and other input devices 832 .
  • the touch panel 831 also referred to as a touch screen, can collect the user's touch operations on or near it (such as the user's finger, stylus, etc., any suitable object or attachment on or near the touch panel 831). operation), and drive the corresponding connection device according to the preset program.
  • the touch panel 831 may include two parts, a touch detection device and a touch controller.
  • the touch detection device detects the user's touch orientation, detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, and then sends it to the touch controller.
  • the touch panel 831 can be implemented in various types such as resistive, capacitive, infrared, and surface acoustic waves.
  • the input unit 830 may further include other input devices 832 .
  • other input devices 832 may include, but are not limited to, one or more of physical keyboards, function keys (such as volume control keys, switch keys, etc.), trackballs, mice, joysticks, and the like.
  • the display unit 840 may be used to display the interface content of the APP.
  • the display unit 840 may include a display panel 841.
  • a liquid crystal display (English full name: Liquid Crystal Display, English abbreviation: LCD), an organic light-emitting diode (English full name: Organic Light-Emitting Diode, English abbreviation: OLED), etc.
  • the display panel 841 is configured in the form.
  • the touch panel 831 can cover the display panel 841, and when the touch panel 831 detects a touch operation on or near it, it transmits it to the processor 880 to determine the type of the touch event, and then the processor 880 determines the type of the touch event according to the touch event. Type provides corresponding visual output on display panel 841 .
  • the touch panel 831 and the display panel 841 are used as two independent components to realize the input and input functions of the mobile phone, in some embodiments, the touch panel 831 and the display panel 841 can be integrated to form Realize the input and output functions of the mobile phone.
  • the cell phone may also include at least one sensor 850, such as a light sensor, a motion sensor, and other sensors.
  • the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 841 according to the brightness of the ambient light, and the proximity sensor may turn off the display panel 841 and/or when the mobile phone is moved to the ear. or backlight.
  • the accelerometer sensor can detect the magnitude of acceleration in all directions (usually three axes), and can detect the magnitude and direction of gravity when it is stationary. games, magnetometer attitude calibration), vibration recognition related functions (such as pedometer, tapping), etc.; as for other sensors such as gyroscope, barometer, hygrometer, thermometer, infrared sensor, etc. Repeat.
  • the audio circuit 860, the speaker 861, and the microphone 862 can provide an audio interface between the user and the mobile phone.
  • the audio circuit 860 can transmit the received audio data converted electrical signals to the speaker 861, and the speaker 861 converts them into sound signals for output; on the other hand, the microphone 862 converts the collected sound signals into electrical signals, and the audio circuit 860 converts the collected sound signals into electrical signals. After receiving, it is converted into audio data, and then the audio data is output to the processor 880 for processing, and then sent to, for example, another mobile phone through the RF circuit 810, or the audio data is output to the memory 820 for further processing.
  • WiFi is a short-distance wireless transmission technology.
  • the mobile phone can help users to send and receive emails, browse web pages, and access streaming media through the WiFi module 870. It provides users with wireless broadband Internet access.
  • FIG. 13 shows the WiFi module 870, it can be understood that it is not a necessary component of the mobile phone, and can be completely omitted as required within the scope of not changing the essence of the invention.
  • the processor 880 is the control center of the mobile phone, using various interfaces and lines to connect various parts of the entire mobile phone, by running or executing the software programs and/or modules stored in the memory 820, and calling the data stored in the memory 820.
  • the processor 880 may include one or more processing units; preferably, the processor 880 may integrate an application processor and a modem processor, wherein the application processor mainly processes the operating system, user interface, and application programs, etc. , the modem processor mainly deals with wireless communication. It can be understood that, the above-mentioned modulation and demodulation processor may not be integrated into the processor 880.
  • the mobile phone also includes a power supply 890 (such as a battery) for supplying power to various components.
  • a power supply 890 (such as a battery) for supplying power to various components.
  • the power supply can be logically connected to the processor 880 through a power management system, so as to manage charging, discharging, and power consumption management functions through the power management system.
  • the mobile phone may also include a camera, a Bluetooth module, and the like, which will not be repeated here.
  • the processor 880 also has the function of data management of the client described above.
  • FIG. 14 is a schematic diagram of a possible logical structure of the cloud device involved in the above-mentioned embodiment provided by the embodiment of the present application.
  • the cloud device 110 includes: a processor 1101 , a communication interface 1102 , a memory 1103 and a bus 1104 .
  • the processor 1101 , the communication interface 1102 , and the memory 1103 are connected to each other through a bus 1104 .
  • the processor 1101 is configured to control and manage the actions of the cloud device 110.
  • the processor 1101 is configured to perform the verification process of the token by the cloud device in FIG. 3 to FIG. 10, and/or Additional procedures for the techniques described herein.
  • the communication interface 1102 is used to support the cloud device 110 to communicate, for example, the communication interface 1102 can perform the steps of sending and receiving data in the above method embodiments.
  • the memory 1103 is used to store program codes and data of the cloud device 110 .
  • the processor 1101 may be a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array, or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with this disclosure.
  • a processor may also be a combination that performs computing functions, such as a combination comprising one or more microprocessors, a combination of a digital signal processor and a microprocessor, and the like.
  • the bus 1104 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (Extended Industry Standard Architecture, EISA) bus or the like. The bus can be divided into address bus, data bus, control bus and so on. For ease of presentation, only one thick line is shown in FIG. 14, but it does not mean that there is only one bus or one type of bus.
  • PCI Peripheral Component Interconnect
  • EISA Extended Industry Standard Architecture
  • a computer-readable storage medium is also provided, where computer-executable instructions are stored in the computer-readable storage medium, and when at least one processor of a device executes the computer-executable instructions, the device executes the above diagram 3 to FIG. 10 describe the data management method in some embodiments.
  • a computer program product in another embodiment, includes computer-executable instructions, and the computer-executable instructions are stored in a computer-readable storage medium; at least one processor of the device can be obtained from a computer-readable storage medium. Reading the storage medium reads the computer-executable instructions, and at least one processor executes the computer-executable instructions to cause the device to perform the data management methods described in the above-mentioned partial embodiments of FIG. 3 to FIG. 10 .
  • a chip system is further provided, where the chip system includes a processor, and is configured to support a client to implement the data management methods described in the above-mentioned partial embodiments of FIG. 3 to FIG. 10 .
  • the system-on-chip may also include memory for storing necessary program instructions and data.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • a chip system in another embodiment of the present application, includes a processor, and is configured to support a cloud device to implement the data management methods described in the above-mentioned partial embodiments of FIG. 3 to FIG. 10 .
  • the chip system may further include a memory for storing necessary program instructions and data.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • Units described as separate components may or may not be physically separated, and components shown as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each functional unit in each embodiment of the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the functions, if implemented in the form of software functional units and sold as stand-alone products or based, may be stored in a computer-readable storage medium.
  • the technical solutions of the embodiments of the present application can be embodied in the form of software products in essence, or the parts that make contributions to the prior art or the parts of the technical solutions, and the computer software products are stored in a storage medium , including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods in the embodiments of the present application.
  • the aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk and other media that can store program codes .

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention concerne un procédé de gestion de données. Le procédé comprend les étapes suivantes : un client peut déterminer une valeur d'index de texte chiffré en fonction d'informations sur des données de texte en clair, et envoyer la valeur d'index de texte chiffré à un dispositif en nuage ; le dispositif en nuage peut établir, dans une structure d'index (telle qu'un B-arbre), une correspondance entre la valeur d'index de texte chiffré et des informations sur un emplacement de stockage de données de texte chiffré correspondant aux données de texte en clair, ou rechercher, dans une structure d'index, un emplacement de stockage de données de texte chiffré en fonction de la valeur d'index de texte chiffré, de façon à exécuter une opération sur les données de texte chiffré. Dans la présente invention, une valeur d'index de texte chiffré est utilisée pour remplacer un champ dans une colonne de données afin de servir de valeur de clé dans un index ordonné classique, de façon à mettre en œuvre une recherche de données de texte chiffré, et une interrogation basée sur l'ordre peut être effectuée sur des données de texte chiffré stockées dans une table sans ajout d'aucun champ de table de données, ce qui permet de réduire l'espace occupé par une table entière utilisée pour stocker les données de texte chiffré et d'améliorer l'extensibilité des données stockées dans un dispositif en nuage.
PCT/CN2022/071757 2021-01-25 2022-01-13 Procédé, dispositif et système de gestion de données WO2022156588A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110098939.6A CN114792009A (zh) 2021-01-25 2021-01-25 一种数据管理的方法、设备及系统
CN202110098939.6 2021-01-25

Publications (1)

Publication Number Publication Date
WO2022156588A1 true WO2022156588A1 (fr) 2022-07-28

Family

ID=82460552

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/071757 WO2022156588A1 (fr) 2021-01-25 2022-01-13 Procédé, dispositif et système de gestion de données

Country Status (2)

Country Link
CN (1) CN114792009A (fr)
WO (1) WO2022156588A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117729535A (zh) * 2023-05-17 2024-03-19 荣耀终端有限公司 一种查询方法、电子设备及系统

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115880789B (zh) * 2023-02-08 2023-06-30 中昊芯英(杭州)科技有限公司 基于加密的人脸识别方法、相关装置和存储介质
CN115952563B (zh) * 2023-03-10 2023-09-12 深圳市一秋医纺科技有限公司 基于物联网的数据安全通信系统

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104765848A (zh) * 2015-04-17 2015-07-08 中国人民解放军空军航空大学 混合云存储中支持结果高效排序的对称可搜索加密方法
CN107370725A (zh) * 2017-06-21 2017-11-21 西安电子科技大学 一种云环境下通用加密数据库的存取方法及系统
CN108628867A (zh) * 2017-03-16 2018-10-09 北京科瑞云安信息技术有限公司 面向云存储的多关键词密文检索方法和系统
CN112231752A (zh) * 2020-10-20 2021-01-15 南开大学 一种无交互频率隐藏的密文插入查询删除方法

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104765848A (zh) * 2015-04-17 2015-07-08 中国人民解放军空军航空大学 混合云存储中支持结果高效排序的对称可搜索加密方法
CN108628867A (zh) * 2017-03-16 2018-10-09 北京科瑞云安信息技术有限公司 面向云存储的多关键词密文检索方法和系统
CN107370725A (zh) * 2017-06-21 2017-11-21 西安电子科技大学 一种云环境下通用加密数据库的存取方法及系统
CN112231752A (zh) * 2020-10-20 2021-01-15 南开大学 一种无交互频率隐藏的密文插入查询删除方法

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117729535A (zh) * 2023-05-17 2024-03-19 荣耀终端有限公司 一种查询方法、电子设备及系统

Also Published As

Publication number Publication date
CN114792009A (zh) 2022-07-26

Similar Documents

Publication Publication Date Title
WO2022156588A1 (fr) Procédé, dispositif et système de gestion de données
CN108701198B (zh) 安全控制系统和方法
CN111373390B (zh) 在结构化框架中存储非结构化数据
US10685132B1 (en) Methods and apparatus for encrypted indexing and searching encrypted data
US20100161995A1 (en) System, method, and computer-readable medium for cryptographic key rotation in a database system
US9069987B2 (en) Secure data access using SQL query rewrites
US8769302B2 (en) Encrypting data and characterization data that describes valid contents of a column
EP3843356B1 (fr) Procédé de gestion de fichiers de modèle, dispositif terminal et support de stockage lisible par ordinateur
WO2021017305A1 (fr) Procédé et appareil d'interrogation de données, dispositif électronique et support de stockage lisible par ordinateur
CN110175174A (zh) 一种数据查询方法、装置、设备及存储介质
WO2019104140A1 (fr) Interrogation efficiente de bases de données tout en assurant une confidentialité différentielle
CN103365941A (zh) 信息处理方法和系统
US10177795B1 (en) Cache index mapping
CN115438016A (zh) 分布式对象存储中动态分片方法、系统、介质及设备
US20210224242A1 (en) Systems and methods for indexing and searching data
Tinoco et al. {EnigMap}:{External-Memory} Oblivious Map for Secure Enclaves
US11461551B1 (en) Secure word search
AU2019350694B2 (en) Identification of records for post-cloning tenant identifier translation
CN110297842B (zh) 一种数据比对方法、装置、终端和存储介质
CN113297210A (zh) 数据处理方法及装置
CN113127717A (zh) 一种密钥检索方法和系统
US10977249B2 (en) Method, system, and apparatus for performing flow-based processing using stored procedure
US12001487B2 (en) Multi-model enrichment memory and catalog for better search recall with granular provenance and lineage
US20080059396A1 (en) Database Access Server with Reformatting
WO2024087312A1 (fr) Procédé d'accès à une base de données, dispositif informatique et serveur

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22742067

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22742067

Country of ref document: EP

Kind code of ref document: A1