WO2024078108A1 - Blockchain-based data processing method, device, electronic device, computer-readable storage medium, and computer program product - Google Patents

Blockchain-based data processing method, device, electronic device, computer-readable storage medium, and computer program product

Info

Publication number
WO2024078108A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
bit array
business
blockchain node
subscription
Prior art date
Application number
PCT/CN2023/111968
Other languages
English (en)
French (fr)
Inventor
刘区城
郭锐
梁军
舒丽珂
王宗友
蓝虎
卢洋
刘汉卿
李军
张慧
朱耿良
聂凯轩
时一防
廖志勇
黄杨峻
Original Assignee
腾讯科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 腾讯科技(深圳)有限公司
Priority to US18/528,133 (US20240129108A1)
Publication of WO2024078108A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • the present application relates to the field of Internet technology, and in particular to a blockchain-based data processing method, device, electronic device, computer-readable storage medium, and computer program product.
  • With the rapid development of mobile Internet technology and various emerging technologies, platform applications are springing up like mushrooms after rain.
  • With the emergence of a large number of platform applications, users have a wider range of choices.
  • In order to improve active retention, platform applications need to continuously promote their own platforms.
  • platform applications will cooperate with advertisers with strong platform promotion capabilities.
  • the platform application provides its own first business data to the advertiser, and the advertiser determines the common business data between its second business data and the first business data, that is, the business intersection data, and then performs promotion processing associated with the business intersection data.
  • The prior art has the following defects: 1. the platform application transmits its own original data (that is, the first business data) to the advertiser, thereby reducing the security of the data; 2. the direct data flow between the platform application and the advertiser makes it impossible to accurately trace the data acquisition status.
  • the embodiments of the present application provide a blockchain-based data processing method, device, electronic device, computer-readable storage medium, and computer program product, which can improve data security and accurately trace data acquisition status.
  • the present application embodiment provides a data processing method based on blockchain, the method is executed by a first device, and the method includes:
  • the first bit array is encrypted by the data key to obtain a ciphertext bit array; wherein the data key is generated by the second device in the data intersection application, and the data intersection application runs in the trusted execution environment a of the second device;
  • the ciphertext bit array is transmitted to the blockchain node in the blockchain so that the blockchain node stores the ciphertext bit array; wherein the ciphertext bit array stored in the blockchain node is used to be forwarded by the blockchain node to the second device; the second device is used to decrypt the ciphertext bit array obtained from the blockchain node through the data key in the data intersection application to obtain the first bit array; the first bit array is used to instruct the second device to generate a second bit array corresponding to the second business data in the data intersection application; the second bit array and the first bit array are used to instruct the second device to determine the business intersection data between the first business data and the second business data in the data intersection application; the business intersection data is used to instruct the second device to perform business processing associated with the business intersection data.
  • the embodiment of the present application provides a data processing method based on blockchain, the method is executed by a second device, and the method includes:
  • the ciphertext bit array obtained from the blockchain node is decrypted using the data key to obtain the first bit array
  • a second bit array corresponding to the second business data is generated, and business intersection data between the first business data and the second business data is determined according to the second bit array and the first bit array;
  • the embodiment of the present application provides a data processing device based on blockchain, the device running on a first device, the device comprising:
  • a first generating module configured to generate a first bit array corresponding to the first business data when the first business data meets the data uploading condition
  • a first processing module is configured to encrypt the first bit array using a data key to obtain a ciphertext bit array; wherein the data key is generated by the second device in a data intersection application, and the data intersection application runs in a trusted execution environment a of the second device;
  • a ciphertext transmission module is configured to transmit a ciphertext bit array to a blockchain node in a blockchain so that the blockchain node stores the ciphertext bit array; wherein the ciphertext bit array stored in the blockchain node is used to be forwarded by the blockchain node to a second device; the second device is used to decrypt the ciphertext bit array obtained from the blockchain node using a data key in a data intersection application to obtain a first bit array; the first bit array is used to instruct the second device to generate a second bit array corresponding to the second business data in the data intersection application; the second bit array and the first bit array are used to instruct the second device to determine business intersection data between the first business data and the second business data in the data intersection application; the business intersection data is used to instruct the second device to perform business processing associated with the business intersection data.
  • the present application embodiment provides a data processing device based on blockchain, the device runs on a second device, and the device includes:
  • a ciphertext acquisition module is configured to acquire a ciphertext bit array forwarded by a blockchain node in a blockchain; wherein the ciphertext bit array is transmitted by a first device to a blockchain node, and the ciphertext bit array is obtained by the first device encrypting a first bit array by using a data key, and the data key is generated by a second device in a data intersection application; the data intersection application runs in a trusted execution environment a of the second device; the first bit array is generated by the first device for the first business data when the first business data meets a data upload condition;
  • a first processing module is configured to decrypt the ciphertext bit array obtained from the blockchain node using the data key in the data intersection application to obtain a first bit array
  • a first generating module is configured to generate a second bit array corresponding to the second business data in a data intersection application, and determine business intersection data between the first business data and the second business data according to the second bit array and the first bit array;
  • the second processing module is configured to perform business processing on the business intersection data.
  • the present application provides an electronic device, including: a processor, a memory, and a network interface;
  • the above-mentioned processor is connected to the above-mentioned memory and the above-mentioned network interface, wherein the above-mentioned network interface is used to provide a data communication function, the above-mentioned memory is used to store a computer program, and the above-mentioned processor is used to call the above-mentioned computer program so that the electronic device executes the blockchain-based data processing method in the embodiment of the present application.
  • An embodiment of the present application provides a computer-readable storage medium, in which a computer program is stored.
  • the computer program is suitable for being loaded by a processor and executing the blockchain-based data processing method in the embodiment of the present application.
  • An embodiment of the present application provides a computer program product, which includes a computer program stored in a computer-readable storage medium; a processor of an electronic device reads the computer program from the computer-readable storage medium, and the processor executes the computer program, so that the electronic device executes the blockchain-based data processing method in the embodiment of the present application.
  • In the embodiment of the present application, generating the first bit array corresponding to the first business data ensures that the first business data is available but not visible, so the security of the first business data can be improved; further, since the data key is generated through the data intersection application in the trusted execution environment a, its generation environment is safe, the application environment is safe, and the storage environment is safe, so the security of the first bit array can be improved by encrypting the first bit array with the data key; further, by transmitting the ciphertext bit array to the blockchain, the acquisition status of the second device for the ciphertext bit array can be accurately traced; in addition, the embodiment of the present application determines the business intersection data between the first business data and the second business data through the first bit array and the second bit array corresponding to the second business data, so not only can the business processing associated with the business intersection data be performed, but also the security of the first business data is further improved. As can be seen from the above, the embodiment of the present application can improve the security of data (including the first business data
  • FIG1 is a schematic diagram of a system architecture provided by an embodiment of the present application.
  • FIG2a is a schematic diagram of a scenario of data processing based on blockchain provided in an embodiment of the present application.
  • FIG2b is a flowchart of a blockchain-based object registration method provided in an embodiment of the present application.
  • FIG2c is a second schematic diagram of a scenario of data processing based on blockchain provided in an embodiment of the present application.
  • FIG3 is a flowchart of a data processing method based on blockchain provided in an embodiment of the present application.
  • FIG4a is a timing diagram 1 of a data processing method based on blockchain provided in an embodiment of the present application.
  • FIG4b is a second timing diagram of a data processing method based on blockchain provided in an embodiment of the present application.
  • FIG4c is a third timing diagram of a blockchain-based data processing method provided in an embodiment of the present application.
  • FIG4d is a fourth timing diagram of a data processing method based on blockchain provided in an embodiment of the present application.
  • FIG4e is a fifth timing diagram of a blockchain-based data processing method provided in an embodiment of the present application.
  • FIG5 is a second flow chart of a data processing method based on blockchain provided in an embodiment of the present application.
  • FIG6a is a sixth timing diagram of a blockchain-based data processing method provided in an embodiment of the present application.
  • FIG6b is a seventh timing diagram of a data processing method based on blockchain provided in an embodiment of the present application.
  • FIG6c is a timing diagram eight of a data processing method based on blockchain provided in an embodiment of the present application.
  • FIG7 is a flowchart diagram of a data processing method based on blockchain provided in an embodiment of the present application.
  • FIG8 is a ninth timing diagram of a data processing method based on blockchain provided in an embodiment of the present application.
  • FIG9 is a timing diagram 10 of a data processing method based on blockchain provided in an embodiment of the present application.
  • FIG10 is a structural schematic diagram 1 of a blockchain-based data processing device provided in an embodiment of the present application.
  • FIG11 is a second structural diagram of a blockchain-based data processing device provided in an embodiment of the present application.
  • FIG. 12 is a schematic diagram of the structure of an electronic device provided in an embodiment of the present application.
  • Blockchain is a chain data structure with blocks as the basic unit. The digital summary is used in the block to verify the transaction history previously obtained, which is suitable for the needs of tamper-proof and scalability in the distributed accounting scenario; blockchain also refers to the distributed accounting technology implemented by the blockchain structure, including distributed consensus, privacy and security protection, peer-to-peer communication technology, network protocols, smart contracts, etc. The goal of the blockchain is to realize a distributed data record book, which only allows additions but not deletions.
  • the basic structure of the underlying ledger is a linear linked list. The linked list is composed of "blocks" connected in series, and the hash value of the previous block is recorded in the subsequent block. Whether each block (and the transactions in the block) is legal can be quickly verified by calculating the hash value. If a node in the network issues a request to add a new block, it must reach a consensus on the block through the consensus mechanism.
  • Hash value: also known as information characteristic value or characteristic value. A hash value is the fixed-length output produced by passing input data of any length through a hash algorithm. The original input data cannot be recovered from the hash value; hashing is a one-way function. In the blockchain, each block (except the initial block) contains the hash value of the previous block. The hash value is the potential core foundation and the most important aspect of blockchain technology. It retains the authenticity of the recorded and viewed data, as well as the integrity of the blockchain as a whole.
  • Blockchain nodes: the blockchain network divides nodes into consensus nodes (also called core nodes) and synchronization nodes (which can include data nodes and light nodes). Among them, the consensus node is responsible for the consensus business of the entire blockchain network; the synchronization node is responsible for synchronizing the ledger information of the consensus node, that is, synchronizing the latest block data. Whether it is a consensus node or a synchronization node, its internal structure includes network communication components, because the blockchain network is essentially a peer-to-peer (P2P) network, and it needs to communicate with other nodes in the blockchain network through P2P components.
  • the resources and services in the blockchain network are scattered on various nodes, and the transmission of information and the implementation of services are directly carried out between nodes without the intervention of intermediate links or centralized servers (third parties).
  • Public key and private key: a key pair (i.e., a public key and a private key) obtained through an algorithm. The public key is the public part of the key pair, and the private key is the non-public part. The public key is usually used to encrypt data, verify digital signatures, etc. This algorithm can ensure that the key pair obtained is unique.
  • When one key of the pair is used to encrypt data, the other key must be used to decrypt it. For example, if the data is encrypted with the public key, it must be decrypted with the private key. If it is encrypted with the private key, it must also be decrypted with the public key, otherwise the decryption will not be successful.
  • Asymmetric signature: the signature algorithm includes two keys, a public key (public key for short) and a private key (private key for short). The public key and the private key are a pair. If the private key is used to sign data, the signature can only be verified with the corresponding public key. Because the signing process and the verification process use two different keys, this algorithm is called an asymmetric signature.
  • the basic process of asymmetric signature to achieve confidential information exchange can be: Party A generates a pair of keys and makes the public key public. When Party A needs to send a message to another role (Party B), it uses its own private key to sign the confidential message and then sends it to Party B; Party B then uses Party A's public key to verify the signed message.
  • Smart Contract: a computer protocol designed to disseminate, verify or execute contracts in an information-based manner.
  • a smart contract (referred to as a contract) is a code that can be understood and executed by each node of the blockchain, which can execute any logic and obtain results.
  • smart contracts are managed and tried out through transactions on the blockchain. Each transaction is equivalent to a remote procedure call (RPC) request to the blockchain system.
  • A smart contract is equivalent to an executable program, and the blockchain is equivalent to an operating system that provides an operating environment.
  • the blockchain can contain multiple contracts (such as the resource fusion function, resource issuance function, etc. in this application), which are distinguished by contract accounts (Identity, ID), identification numbers or names.
  • both the publishing theme contract and the subscription theme contract are smart contracts.
  • Trusted Execution Environment: a trusted execution environment is a secure area built by software and hardware methods on a computing platform that can ensure that the code and data loaded in the secure area are protected in terms of confidentiality and integrity. The goal of a trusted execution environment is to ensure that a task is executed as expected, and to ensure the confidentiality and integrity of the initial state and of the runtime machine state.
  • Figure 1 is a schematic diagram of a system architecture provided by an embodiment of the present application.
  • the system architecture may include a first device cluster, a second device cluster, a certificate device cluster, and a blockchain network.
  • the first device cluster includes a first device 100a.
  • the first device 100a refers to a device installed with a platform application.
  • the platform application can be a video application, a live broadcast application, a social application, an instant messaging application, a game application, a music application, a shopping application, a novel application, a browser, and other applications that provide platform functions.
  • the application client corresponding to the platform application can be an independent client, or it can be an embedded sub-client integrated in a certain client (for example, a social client, an educational client, and a multimedia client, etc.), which is not limited here.
  • the first device 100a in the embodiment of the present application can provide the first business data of the above-mentioned platform application.
  • Relevant technical means such as Bloom filters can be used to conceal the original data (i.e., the first business data), generate the first bit array, and ensure the availability of the first business data.
  • the second device cluster includes a second device 100b, and the second device 100b can provide a trusted execution environment, such as an instruction set extension (Software Guard Extensions, SGX). Based on its hardware technology, the second device 100b can run a data intersection application in a trusted execution environment, generate a data key in the data intersection application, and store the data key in a secure enclave, so the security of the data key can be ensured.
  • the second device 100b can download the first bit array provided by the first device 100a in the blockchain network, and run the data intersection application in the trusted execution environment to perform data intersection operations, that is, through the first bit array and its own second business data, determine the common business data between the first business data and the second business data, which is referred to as business intersection data in the embodiment of the present application.
  • The second device 100b can perform business processing associated with the business intersection data. For example, if the business intersection data is used to characterize intersection users, advertisements for the above platform applications can be placed to the intersection users to attract them to return to the platform application.
  • the data intersection application may be a short video application, a live broadcast application, a social application, an instant messaging application, a game application, a music application, a shopping application, a novel application, a browser, or other application that has the function of providing business intersection data determination.
  • the application client corresponding to the data intersection application may be an independent client or an embedded sub-client integrated in a certain client (e.g., a social client, an educational client, and a multimedia client, etc.), which is not limited here.
  • the certificate device cluster includes a certificate device 100c.
  • the certificate device 100c in the embodiment of the present application refers to a device with a function of providing object information endorsement, such as a device corresponding to a certificate authority (CA).
  • the certificate device cluster can provide object authentication for the first object corresponding to the first device cluster and the second object corresponding to the second device cluster, respectively, and provide object information endorsement for the first object and the second object, respectively, and bind the object public key to its object information for signature verification, to ensure the integrity and non-forgeability of the object information, and to ensure the non-repudiation of the sender of the information.
  • any device in FIG1 includes but is not limited to a terminal device or a business server.
  • the business server can be an independent physical server, or a server cluster or distributed system composed of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud database, cloud service, cloud computing, cloud function, cloud storage, network service, cloud communication, middleware service, domain name service, security service, CDN, and big data and artificial intelligence platform.
  • Terminal devices include but are not limited to mobile phones, computers, intelligent voice interaction devices, smart home appliances, vehicle terminals, aircraft, etc.
  • the blockchain network may include a blockchain node cluster 10, and the blockchain node cluster 10 may include a blockchain node 10A, a blockchain node 10B, a blockchain node 10C, and a blockchain node 10N.
  • the embodiment of the present application does not limit the number of blockchain nodes in the blockchain node cluster 10.
  • the blockchain nodes in FIG. 1 include but are not limited to mobile terminals or servers.
  • The above-mentioned server may be an independent physical server, or a server cluster or distributed system composed of multiple physical servers, or a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content delivery networks (CDN), and big data and artificial intelligence platforms and other basic cloud computing services.
  • the above-mentioned mobile terminals include but are not limited to mobile phones, computers, intelligent voice interaction devices, smart home appliances, vehicle-mounted terminals, aircraft, etc.
  • the mobile terminal and the server can be directly or indirectly connected by wire or wireless means, and the embodiments of the present application do not limit this.
  • the first device in the first device cluster may be in communication connection with the second device in the second device cluster, for example, there is a communication connection between the first device 100a and the second device 100b.
  • the first device in the first device cluster may be in communication connection with the certificate device in the certificate device cluster, for example, there is a communication connection between the first device 100a and the certificate device 100c.
  • the first device in the first device cluster may be in communication connection with the blockchain node in the blockchain node cluster 10, for example, there may be a communication connection between the first device 100a and the blockchain node 10A.
  • the second device in the second device cluster may be in communication connection with the certificate device in the certificate device cluster, for example, there is a communication connection between the second device 100b and the certificate device 100c.
  • the second device in the second device cluster may be in communication connection with the blockchain node in the blockchain node cluster 10, for example, there may be a communication connection between the second device 100b and the blockchain node 10A.
  • the certificate devices in the certificate device cluster may be in communication connection with the blockchain nodes in the blockchain node cluster 10, for example, the certificate device 100c may be in communication connection with the blockchain node 10A.
  • the above-mentioned communication connection does not limit the connection method. It can be directly or indirectly connected through a wired communication method, directly or indirectly connected through a wireless communication method, or through other methods, which are not limited in this application.
  • related data such as user information (such as topic publishing object information and topic subscription object information) is involved.
  • Step 1 the first device 100a corresponding to the first object (for example, a platform party) generates a first asymmetric key pair for signing a business message; the second device 100b corresponding to the second object (for example, an advertiser, another platform party different from the first object) generates a second asymmetric key pair for signing a business message, and generates a third asymmetric key pair for signing a data intersection application, and the third asymmetric key pair can be used to determine that the application developer is the developer of the second object.
  • Figure 2a is a schematic diagram of a scenario of data processing based on blockchain provided in an embodiment of the present application.
  • the first asymmetric key pair includes the first private key in Figure 2a and the first public key corresponding to the first private key; the second asymmetric key pair includes the second private key in Figure 2a and the second public key corresponding to the second private key; the third asymmetric key pair includes the third private key in Figure 2a and the third public key corresponding to the third private key.
  • Step 2a the first device 100a uses the first public key and the first object information used to represent the first object as parameters to generate a first certificate application request; the first device 100a uses the first private key to sign the first certificate application request to obtain a first signature message, and sends the first certificate application request carrying the first signature message to the certificate device 100c.
  • the second device 100b uses the second public key and the second object information used to represent the second object as parameters to generate a second certificate application request; the second device 100b uses the second private key to sign the second certificate application request to obtain a second signature message, and sends the second certificate application request carrying the second signature message to the certificate device 100c.
  • the second device 100b uses the third public key and the second object information used to represent the second object as parameters to generate a third certificate application request.
  • the second device 100b signs the third certificate application request with the third private key to obtain a third signature message, and sends the third certificate application request carrying the third signature message to the certificate device 100c.
  • the second device 100b applies for a two-party certificate from the certificate device 100c.
  • Step 3 as shown in FIG2a, when the certificate device 100c receives the first certificate application request, it first verifies the first signature message through the first public key. If the verification is successful, the first object information is reviewed. If the certificate device 100c confirms that the first object information is correct, it issues a first business certificate to the first device 100a, and the first business certificate includes the first public key. Similarly, when the second certificate application request is received, the second signature message is first verified through the second public key. If the verification is successful, the second object information is reviewed. If the certificate device 100c confirms that the second object information is correct, it issues a second business certificate to the second device 100b, and the second business certificate includes the second public key.
  • Likewise, when the third certificate application request is received, the third signature message is first verified through the third public key. If the verification is successful, the second object information is reviewed. If the certificate device 100c confirms that the second object information is correct, it issues an application developer certificate to the second device 100b, and the application developer certificate includes the third public key.
  • Step 4 the first device 100a uses the first business certificate as a parameter to initiate a first object registration request to the blockchain network; the first object registration request also carries a signature message, and its generation process can refer to the generation process of the first signature message, which will not be repeated here.
  • The signature message carried by the first object registration request is called the fourth signature message; the second object registration request mentioned below carries the fifth signature message, and the third object registration request carries the sixth signature message.
  • When the blockchain node in the blockchain network receives the first object registration request, it first verifies the fourth signature message through the first public key. If the verification is successful, the first business certificate is reviewed. If the blockchain node verifies and passes the first business certificate, the object contract in the smart contract is called. The object contract generates a first address corresponding to the first object information based on the first public key in the first business certificate, and uses the first address as the first object identifier. The first object identifier, the first business certificate and the first object information are then associated and stored.
  • the structure parameters and contract methods of the object contract can refer to the object contract shown in Figure 2b.
  • When a blockchain node in the blockchain network receives a second object registration request, it first verifies the fifth signature message through the second public key. If the verification is successful, the second business certificate is reviewed. If the blockchain node verifies and approves the second business certificate, the object contract in the smart contract is called. The object contract generates a second address corresponding to the second object information based on the second public key in the second business certificate, and uses the second address as the second object identifier, and then stores the second object identifier, the second business certificate, and the second object information in association. Similarly, when a blockchain node receives a third object registration request, it first verifies the sixth signature message through the third public key. If the verification is successful, the application developer certificate is reviewed.
  • If the blockchain node verifies and approves the application developer certificate, the object contract in the smart contract is called. The object contract generates a third address corresponding to the second object information based on the third public key in the application developer certificate, and uses the third address as the third object identifier, and then stores the third object identifier, the application developer certificate, and the second object information in association.
  • Figure 2b is a flow chart of a method for object registration based on blockchain provided by an embodiment of the present application.
  • In step 1a, the first device generates a first asymmetric key pair; in step 1b, the second device generates a second asymmetric key pair and a third asymmetric key pair; in step 2a, the first device applies for a certificate from a certificate device; in step 2b, the second device applies for a certificate from a certificate device; in step 3a, the certificate device issues a certificate to the first device; in step 3b, the certificate device issues a certificate to the second device; in step 4a, the first device registers an object with a blockchain node; in step 4b, the second device registers an object with a blockchain node.
  • the information of the participants (including the first object and the second object) in the embodiment of the present application is authenticated by the CA, and the key is linked to the object information.
  • The collaboration process is signed with a private key so that every step can be associated with its initiator, which prevents tampering and repudiation, facilitates traceability and supervision, and reduces malicious behavior.
  • Step 5: the first device needs to determine that the first business data meets the data upload condition.
  • The determination process can be seen in FIG. 2c, which is a schematic diagram of a scenario of data processing based on blockchain provided by an embodiment of the present application.
  • the first device 100a performs security detection of object information, execution environment and application on the second device 100b through remote authentication. The specific implementation of this process will not be described here. Please refer to the description of step S101 in the embodiment corresponding to FIG. 3 below, and the description in the embodiment corresponding to FIG. 5 below.
  • the first bit array 20a corresponding to the first business data is obtained.
  • the first bit array 20a can make the original data, that is, the first business data, available but not visible, so the security of the first business data can be improved.
  • For the specific process of generating the first bit array 20a, please refer to the description of step S101 in the embodiment corresponding to FIG. 3 below, which will not be described here.
  • Step 6 the first device 100a uses the data key 20b to encrypt the first bit array 20a to obtain the ciphertext bit array 20c.
  • the data key 20b is generated by the second device 100b in the data intersection application in the trusted execution environment 20e. Since the data key 20b is generated in the TEE, its generation environment is safe, so the data key 20b will not be leaked, and it is highly secure to use it to encrypt the first bit array 20a.
  • the enclave that only generates it i.e., the data intersection application
  • Step 7 the first device 100a signs the ciphertext bit array 20c through the above-mentioned first private key to obtain the seventh signature message, as shown in Figure 2c, and the first device 100a transmits the ciphertext bit array 20c carrying the seventh signature message to the blockchain network.
  • After receiving the ciphertext bit array 20c, the blockchain node in the blockchain network first verifies the seventh signature message through the first public key in the first asymmetric key pair. If the verification passes, the blockchain node determines that the ciphertext bit array 20c is intact and has not been tampered with, so the ciphertext bit array 20c is chained, that is, stored.
  • the second device 100b sends a data download request for obtaining the ciphertext bit array 20c to the blockchain network.
  • the blockchain node decides to return the ciphertext bit array 20c or refuse to process the data download request according to the current subscription status corresponding to the second object information (equivalent to the subject subscription object information of this application), and leaves a trace of this process on the chain for easy tracing. If the current subscription status of the second object information indicates that the second device 100b has the authority to obtain the ciphertext bit array 20c, the ciphertext bit array 20c is returned to the second device 100b.
  • The blockchain network witnesses the process of the second device 100b obtaining the ciphertext bit array 20c, ensuring that the data can be traced and preventing the second device 100b from not providing business services.
  • the second device 100b has a common execution environment 20d and a trusted execution environment 20e.
  • the common execution environment 20d can run a second object platform corresponding to the second object (which is different from the platform corresponding to the first device 100a), such as an advertiser platform; the data intersection application runs in the trusted execution environment 20e.
  • the second device 100b uses the ciphertext bit array 20c and the second business data as parameters to generate an intersection data search request; and sends the intersection data search request to the data intersection application running in the trusted execution environment 20e.
  • Step 10 as shown in FIG2c, in the data intersection application, the second device 100b uses the data key 20b to decrypt the ciphertext bit array 20c to obtain the first bit array 20a. Further, the second device 100b generates a second bit array 20f corresponding to the second business data. Through the first bit array 20a and the second bit array 20f, the second device 100b can determine the common business data between the first business data and the second business data, which is called business intersection data in this embodiment of the application.
  • Step 11 as shown in FIG. 2c, the second device 100b transmits the business intersection data determined in the trusted execution environment 20e to the second object platform. Further, the second device 100b performs business processing associated with the business intersection data.
  • the embodiments of the present application can be applied to various scenarios, including but not limited to cloud technology, artificial intelligence, smart transportation, assisted driving, etc.
  • the embodiments of the present application can be applied to scenarios of determining business intersection data between platforms, platform recommendation scenarios, platform evaluation scenarios, etc., and specific business scenarios will not be listed one by one here.
  • FIG 3 is a flow chart of a data processing method based on blockchain provided in an embodiment of the present application.
  • the data processing method based on blockchain can be executed by a first device, or by a second device, or by a blockchain node, or by at least two entities among the first device, the second device, and the blockchain node, and is not limited here.
  • the embodiment of the present application is described by taking the first device as an example, wherein the first device can be the first device 100a of the embodiment corresponding to Figure 1 above.
  • the data processing method based on blockchain can at least include the following steps S101-S103.
  • Step S101 when the first business data meets the data upload condition, a first bit array corresponding to the first business data is generated.
  • a topic for the first business data is generated, and a topic publishing request including the topic and the topic publishing object information is generated;
  • the topic publishing request is signed by the device private key corresponding to the first device to obtain the signature message z, and the publishing topic contract of the blockchain node is called based on the topic publishing request;
  • the topic publishing request carrying the signature message z is sent to the blockchain node through the publishing topic contract, so that the blockchain node calls the publishing topic contract when the legitimacy of the topic publishing request is verified;
  • the publishing topic contract is used to instruct the blockchain node to store the topic when verifying that the topic publishing object information belongs to the registered object information and determining that the topic has the attribute to be published;
  • the topic stored in the blockchain node is used to instruct the second device to send a topic subscription request to the blockchain node;
  • the signature message z is used to instruct the blockchain node to verify the legitimacy of the topic publishing request;
  • the topic subscription request forwarded by the blockchain node when determining that the topic subscription request has the request validity attribute is obtained; according
  • the specific process of determining the relationship between the first business data and the data upload condition based on the topic subscription request forwarded by the blockchain node may include: generating a remote authentication request based on the topic subscription request forwarded by the blockchain node; sending the remote authentication request to the second device, so that the second device generates an intermediate key pair g including the intermediate public key f according to the remote authentication request; the intermediate public key f is used to instruct the second device to call the trusted execution environment a to generate a remote authentication report for the data intersection application; obtaining the remote authentication report returned by the second device, and determining the relationship between the first business data and the data upload condition based on the remote authentication report.
  • the specific process of generating a remote authentication request based on the topic subscription request forwarded by the blockchain node may include: generating an authentication challenge random number and an intermediate key pair j including an intermediate private key h and an intermediate public key i based on the topic subscription request forwarded by the blockchain node; generating a remote authentication request based on the intermediate public key i and the authentication challenge random number; the intermediate public key i is used to instruct the second device to generate a communication key based on the intermediate public key i, the authentication challenge random number and the intermediate private key k in the intermediate key pair g; the communication key is used to encrypt the data key to obtain an encrypted data key; it may also include: obtaining the intermediate public key f in the remote authentication report, generating a communication key based on the intermediate public key f, the authentication challenge random number and the intermediate private key h; obtaining the encrypted data key returned by the second device, and decrypting the encrypted data key through the communication key to obtain the data key.
  • an initial bit array mapped with a first random number and a random mapping function are obtained, and the first business data is input into the random mapping function; a second random number corresponding to the first business data is generated through the random mapping function; the first random number includes the second random number; a bit array to be updated is determined in the initial bit array; the bit array to be updated is mapped with the second random number; the bit array to be updated in the initial bit array is updated, and the updated initial bit array is determined as the first bit array.
  • Before publishing the ciphertext bit array, the first device first publishes the topic corresponding to the first business data, so that the data recipient (including the second device) can subscribe to the topic. Therefore, the first device can review the topic subscription request corresponding to the second device and return the review result to the blockchain network; if the review result is a pass result, it is determined that the first business data meets the data upload conditions.
  • Figure 4a is a timing diagram of a blockchain-based data processing method provided in an embodiment of the present application. As shown in Figure 4a, step 4a1, the first device generates a topic; the embodiment of the present application does not limit the platform corresponding to the first device, so it does not limit the type of the first business data either.
  • Step 4a2 the first device generates a topic publishing request; wherein, the topic publishing request includes the topic and the topic publishing object information (equivalent to the first object information mentioned above); Step 4a3, the first device generates a signature message z; the first device signs the topic publishing request through the device private key corresponding to the first device (equivalent to the first private key mentioned above), and obtains the signature message z; Step 4a4, the first device sends the topic publishing request carrying the signature message z to the blockchain node; specifically, the first device calls the topic publishing method of the topic contract on the blockchain (i.e., publishes the topic contract) to publish the topic to the blockchain network; the structure parameters and contract methods (including the topic publishing method) of the topic contract can refer to the topic contract shown in Figure 4a.
  • Step 4a5, the blockchain node verifies the topic; specifically, after receiving the topic publishing request, the blockchain node verifies the signature message z through the device public key corresponding to the first device (equivalent to the first public key mentioned above). If the verification is successful, the topic publishing request has not been tampered with, and the publishing topic method is called. Through the publishing topic method, the blockchain node can verify that the publisher (i.e., the topic publishing object information) belongs to the registered object information on the chain, which is equivalent to the valid object indicated in bold in Figure 4a. Secondly, it can ensure that the topic has not been registered, that is, check whether the topic already exists on the chain. After the above verification is passed, step 4a6 is executed. Step 4a6, the blockchain node stores the topic.
  • Step 4a7, the blockchain node returns the result to the first device; the result can be information used to characterize the storage of the topic by the blockchain node.
  • The embodiment of the present application does not expand the description of the process of the second device sending a topic subscription request to the blockchain node. Please refer to the description in the embodiment corresponding to Figure 7 below.
  • The blockchain node forwards the topic subscription request to the first device, or the first device queries the blockchain node for the pending topic subscription request, as shown in FIG. 4b, which is a timing diagram of a blockchain-based data processing method provided in an embodiment of the present application.
  • Step 4b1 the first device queries the blockchain node for the pending topic subscription request;
  • step 4b2 the blockchain node returns the latest valid topic subscription request to the first device;
  • The blockchain node can use the topic (equivalent to the topic name) as a parameter to call the method in the topic contract, such as the bold "Get the latest valid subscription request" in FIG. 4b, to obtain the pending topic subscription request.
  • the first device can determine the relationship between the first business data and the data upload condition according to the topic subscription request forwarded by the blockchain node.
  • Figure 4c is a timing diagram of a data processing method based on blockchain provided by an embodiment of the present application.
  • In step 4c1, the first device generates an authentication challenge random number and an intermediate key pair j (h, i), wherein h represents the intermediate public key in the intermediate key pair j, and i represents the intermediate private key in the intermediate key pair j, which is an asymmetric key pair.
  • Step 4c2, the first device generates a remote authentication request; specifically, the first device uses the intermediate public key h and the authentication challenge random number as parameters to generate a remote authentication request.
  • Step 4c3 the first device sends a remote authentication request.
  • Step 4c4, the second device generates an intermediate key pair g (f, k), wherein f represents the intermediate public key in the intermediate key pair g, and k represents the intermediate private key in the intermediate key pair g, which is also an asymmetric key pair.
  • Step 4c5 the second device generates a remote authentication report; specifically, the second device uses the intermediate public key f as a parameter, calls the trusted execution environment a, and generates a remote authentication report.
  • Step 4c6, the second device generates a communication key; specifically, the second device generates a communication key according to the intermediate public key i, the authentication challenge random number and the intermediate private key k in the remote authentication request, and saves it.
  • One feasible way is to generate the communication key through a key exchange algorithm.
  • the intermediate private key h and the intermediate public key i of the intermediate key pair j can be expressed by the following formula (1).
  • In formula (1), G is the base, p is a prime number, and both G and p are authentication challenge random numbers.
  • the intermediate private key k and the intermediate public key f of the intermediate key pair g can be expressed by the following formula (2).
  • the communication keys generated by the first device and the second device respectively can be expressed by the following formula (3).
  • Step 4c7 the second device returns the remote authentication report to the first device.
  • Step 4c8 the first device verifies the remote authentication report; the first device calls the authentication service (Provisioning Certification Service, PCS) to verify the remote authentication report. If the verification is successful, that is, the first business data meets the data upload conditions, then execute step 4c9.
  • Step 4c9 the first device generates a communication key. Specifically, the first device generates a communication key based on the intermediate public key f, the authentication challenge random number, and the intermediate private key h in the remote authentication report, which can be seen in the above formula (3). The first device then saves the communication key.
  • In order to ensure the security of the first bit array, the first device will encrypt the first bit array, and the data key for encrypting the first bit array is generated by the second device in a trusted execution environment.
  • Figure 4d is a timing diagram of a blockchain-based data processing method provided in an embodiment of the present application.
  • step 4d1 the second device generates a data key; the second device can generate a data key in a trusted execution environment when obtaining a remote authentication request, and run and store it in the trusted execution environment.
  • Step 4d2, the second device generates an encrypted data key; specifically, the second device encrypts the data key through the communication key to obtain the encrypted data key.
  • Step 4d3 the second device sends the encrypted data key to the first device.
  • Step 4d4 the first device decrypts the encrypted data key through the communication key to obtain the data key.
  • other devices except the first device and the second device cannot generate a communication key because they do not have an intermediate private key k or an intermediate private key h.
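The exchange in steps 4c1 to 4d4, as an added example that is not code from the application: it assumes the unnamed key exchange algorithm is classic finite-field Diffie-Hellman with G and p carried as the challenge, and it names the private keys h and k and the public keys i and f as in the description of formulas (1) and (2). The fixed toy parameters, the SHA-256 key derivation and the HMAC-based wrap are assumptions standing in for whatever the embodiment actually uses.

```python
import hashlib
import hmac
import secrets

# Constructed toy challenge parameters. The text treats the base G and the
# prime p as the authentication challenge random numbers; a 255-bit prime
# field is far too small for real finite-field Diffie-Hellman.
P = 2**255 - 19
G = 2


def intermediate_key_pair():
    """Return (private, public), e.g. (h, i) for the first device."""
    private = secrets.randbelow(P - 3) + 2          # 2 <= private <= P - 2
    return private, pow(G, private, P)


def communication_key(peer_public, own_private):
    """Derive the shared key from the peer's public key and our private key."""
    if not 1 < peer_public < P - 1:                 # reject 0, 1 and P - 1
        raise ValueError("degenerate peer public key")
    shared = pow(peer_public, own_private, P)
    # Assumption: the shared secret is hashed into a 32-byte symmetric key.
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def _subkey(comm_key, label):
    # Separate keys for encryption and authentication.
    return hmac.new(comm_key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def wrap_data_key(comm_key, data_key):
    """Encrypt-then-MAC stand-in for an AEAD cipher (standard library only)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(comm_key, b"enc"), nonce, len(data_key))
    ciphertext = bytes(a ^ b for a, b in zip(data_key, stream))
    tag = hmac.new(_subkey(comm_key, b"mac"), nonce + ciphertext,
                   hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_data_key(comm_key, blob):
    """Check the tag first; only an authentic blob is decrypted."""
    if len(blob) < 48:
        raise ValueError("encrypted data key too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(comm_key, b"mac"), nonce + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("encrypted data key failed authentication")
    stream = _keystream(_subkey(comm_key, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def run_exchange():
    """Walk steps 4c1-4d4 and return what each party ends up holding."""
    h, i = intermediate_key_pair()                  # 4c1: first device
    k, f = intermediate_key_pair()                  # 4c4: second device
    second_comm_key = communication_key(i, k)       # 4c6: second device
    first_comm_key = communication_key(f, h)        # 4c9: first device
    data_key = secrets.token_bytes(32)              # 4d1: inside the TEE
    encrypted = wrap_data_key(second_comm_key, data_key)     # 4d2, 4d3
    recovered = unwrap_data_key(first_comm_key, encrypted)   # 4d4
    # A third device sees i, f and the encrypted data key, but holds
    # neither h nor k, so its derived key does not open the blob.
    x, _ = intermediate_key_pair()
    try:
        unwrap_data_key(communication_key(f, x), encrypted)
        outsider_ok = True
    except ValueError:
        outsider_ok = False
    return data_key, recovered, first_comm_key == second_comm_key, outsider_ok
```

In the page's flow the public key f reaches the first device inside the remote authentication report, which is what ties the communication key to the attested data intersection application; this block omits that verification.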
  • When the first business data meets the data upload condition, the first device generates the first bit array corresponding to the first business data.
  • A feasible method for generating the first bit array is to use a Bloom filter, which is composed of a very long binary vector (which can be equivalent to the initial bit array, and each point of the original binary vector is 0) and a series of random mapping functions.
  • The Bloom filter can be used to retrieve whether an element (such as the second business data in the embodiment of the present application) is in a set (such as the first business data in the embodiment of the present application).
  • The principle is that when an element is added to the set, the element is mapped to L points in the initial bit array through L random mapping functions (usually L is greater than 1), and the L points are set to 1.
  • The L points in the first bit array are 1. If any one of the L points in the first bit array is not 1, it can be determined that the element does not belong to the set. If the L points in the first bit array are all 1, the element may be in the set. In the embodiment of the present application, the element is determined as the business intersection data.
  • Figure 4e is a timing diagram of a blockchain-based data processing method provided in an embodiment of the present application.
  • Step 4e1, the first device obtains the first business data.
  • Step 4e2, the first device generates a first bit array; the first device generates a Bloom filter, and stores the first business data into the Bloom filter.
  • the first bit array is a Bloom filter in which the first business data is stored.
  • the first device does not provide plaintext data (first business data), but reads the first business data from the database and stores it into the Bloom filter. Without leaking data, it can ensure that the second device can filter out the business intersection data therefrom, thereby achieving the purpose of data being available but invisible.
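The Bloom filter principle above, as an added example that is not code from the application: the first device fills the bit array and the second device tests its own records against it. The SHA-256-based mapping functions, the sizes m and L, and the sample records are constructed assumptions; the undersized filter shows why a match only means the element may be in the set.

```python
import hashlib
import math

# Constructed sample records; two of them are shared by both parties.
FIRST_BUSINESS_DATA = ["user-1001", "user-1002", "user-1003",
                       "user-1004", "user-1005"]
SECOND_BUSINESS_DATA = ["user-1002", "user-1004", "user-2001",
                        "user-2002", "user-2003"]


class BloomFilter:
    """Bit array of m points plus L mapping functions (L as in the text)."""

    def __init__(self, m, L):
        if m < 1 or L < 1:
            raise ValueError("m and L must be positive")
        self.m, self.L = m, L
        self.bits = bytearray((m + 7) // 8)   # initial bit array: every point is 0

    def _points(self, element):
        # Assumption: the L "random mapping functions" are SHA-256 with a
        # per-function index prefix; the page does not name the functions.
        data = element.encode("utf-8")
        for index in range(self.L):
            digest = hashlib.sha256(index.to_bytes(4, "big") + data).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, element):
        """Set the L points of the element to 1."""
        for point in self._points(element):
            self.bits[point // 8] |= 1 << (point % 8)

    def may_contain(self, element):
        """False: certainly absent. True: possibly present (false positives)."""
        return all(self.bits[p // 8] & (1 << (p % 8))
                   for p in self._points(element))


def build_first_bit_array(first_business_data, m=1 << 16, L=7):
    """First device: store every record in the filter, keep no plaintext in it."""
    bloom = BloomFilter(m, L)
    for record in first_business_data:
        bloom.add(record)
    return bloom


def business_intersection(first_bit_array, second_business_data):
    """Second device: keep the records whose L points are all 1."""
    return [record for record in second_business_data
            if first_bit_array.may_contain(record)]


def expected_false_positive_rate(m, L, n):
    """Standard estimate (1 - e^(-L*n/m))^L for n stored elements."""
    return (1.0 - math.exp(-L * n / m)) ** L


if __name__ == "__main__":
    sized = build_first_bit_array(FIRST_BUSINESS_DATA)
    print("intersection:", business_intersection(sized, SECOND_BUSINESS_DATA))
    print("estimated false positive rate:",
          expected_false_positive_rate(sized.m, sized.L, len(FIRST_BUSINESS_DATA)))
    # Failure mode: with a single point, every stored record sets it, so
    # every queried record looks like business intersection data.
    saturated = build_first_bit_array(FIRST_BUSINESS_DATA, m=1, L=3)
    print("saturated filter:", business_intersection(saturated, SECOND_BUSINESS_DATA))
```

Anyone holding the plaintext bit array can run the same membership test on guessed records, which is why the page encrypts the array under the data key and decrypts it only inside the data intersection application.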
  • Step S102 encrypt the first bit array using the data key to obtain a ciphertext bit array; the data key is generated by the second device in the data intersection application, and the data intersection application runs in the trusted execution environment a of the second device.
  • step 4e3 the first device generates an encrypted bit array; the first device encrypts the first bit array using the data key to obtain an encrypted bit array.
  • Step S103, transmitting the ciphertext bit array to the blockchain node in the blockchain, so that the blockchain node stores the ciphertext bit array; the ciphertext bit array stored in the blockchain node is used to be forwarded by the blockchain node to the second device; the second device is used to decrypt the ciphertext bit array obtained from the blockchain node by using the data key in the data intersection application to obtain the first bit array; the first bit array is used to instruct the second device to generate a second bit array corresponding to the second business data in the data intersection application; the second bit array and the first bit array are used to instruct the second device to determine the business intersection data between the first business data and the second business data in the data intersection application; the business intersection data is used to instruct the second device to perform business processing associated with the business intersection data.
  • step 4e4 the first device sends the encrypted bit array to the blockchain node.
  • step 4e5 the blockchain node stores the encrypted bit array.
  • the embodiment of the present application does not describe the process of the second device obtaining the encrypted bit array and the process of determining the business intersection data.
  • the process of the second device obtaining the encrypted bit array and the process of determining the business intersection data can be found in the description in the embodiment corresponding to Figure 7 below.
  • the embodiment of the present application by generating the first bit array corresponding to the first business data, it can be ensured that the first business data is available but invisible, so the security of the first business data can be improved; further, since the data key is generated by the data intersection application in the trusted execution environment a, its generation environment is safe, the application environment is safe, and the storage environment is safe, so the first bit array is encrypted by the data key, and the security of the first bit array can be improved; further, by transmitting the ciphertext bit array to the blockchain, the acquisition status of the second device for the ciphertext bit array can be accurately traced; in addition, the embodiment of the present application determines the business intersection data between the first business data and the second business data through the first bit array and the second bit array corresponding to the second business data, so not only can the business processing associated with the business intersection data be performed, but also the security of the first business data is further improved. As can be seen from the above, the use of the embodiment of the present application can improve the security of data (including the first business data and the first business
  • Fig. 5 is a flow chart of a data processing method provided in an embodiment of the present application. As shown in Fig. 5, the process of the data processing method includes the following steps S1011 to S1013, and steps S1011 to S1013 are a specific embodiment of step S101 in the embodiment corresponding to Fig. 3.
  • Step S1011 calling the authentication service, and verifying the remote authentication report through the authentication service to obtain a first verification result.
  • remote authentication occurs before the first device sends the ciphertext bit array to the blockchain network. It mainly verifies the data operating environment, application security, and the correctness of the developer information (i.e., subscriber) of the second device, thereby ensuring that the ciphertext bit array is provided to the correct user and that the ciphertext bit array is used safely.
  • the embodiments of the present application do not limit the order of verification of the data operating environment, verification of the application, and verification of the developer information.
  • the verifications can be performed in parallel or in series. If the verifications are performed in series, the verification of the data operating environment can be performed first or last.
  • Step S1012 When the first verification result indicates that the remote authentication report verification fails, it is determined that the first business data does not meet the data upload condition.
  • When the first verification result indicates that the remote authentication report verification fails, a first update subscription state is generated to indicate that the trusted execution environment a does not have the environment security attribute, and the first update subscription state is sent to the blockchain node so that the blockchain node sets the first update subscription state for the topic subscription request.
  • the first device calls the authentication service and verifies the validity of the remote authentication report through the authentication service. When the verification fails, it means that the trusted execution environment of the second device is unreliable and the subscription request needs to be ignored. At this time, the first device updates the subscription status to "unsafe environment", that is, the first updated subscription status, and terminates the subsequent process.
  • Step S1013 when the first verification result indicates that the remote authentication report verification is passed, the source code of the data intersection application is obtained, and the relationship between the first business data and the data upload condition is determined according to the source code.
  • The source code is verified to obtain a second verification result; when the second verification result indicates that the source code verification is passed, the subject subscription object information for the data intersection application in the remote authentication report is obtained, and the subject subscription object information is verified to obtain a third verification result; the remote measurement value for the source code in the remote authentication report is obtained, and the remote measurement value is verified to obtain a fourth verification result; the relationship between the first business data and the data upload condition is determined based on the third verification result and the fourth verification result; when the second verification result indicates that the source code verification failed, it is determined that the first business data does not meet the data upload conditions; the following technical solution can also be executed: when the second verification result indicates that the source code verification failed, it is determined that the source code does not have code security attributes; a second update subscription status is generated to indicate that the source code does not have code security attributes, and the second update subscription status is sent to the blockchain node, so that the blockchain node sets the second update subscription status for the topic subscription request.
  • the specific process of verifying the subject subscription object information and obtaining the third verification result may include: obtaining an application development object certificate for the data intersection application, obtaining application development object information from the application development object certificate, and comparing the subject subscription object information with the application development object information; when the subject subscription object information is different from the application development object information, generating a third verification result indicating that the subject subscription object information verification has failed; when the subject subscription object information is the same as the application development object information, generating a third verification result indicating that the subject subscription object information verification has passed; the following technical solution may also be executed: when the third verification result indicates that the subject subscription object information verification has failed, generating a third updated subscription status indicating that the subject subscription object information is unauthorized object information; and sending the third updated subscription status to the blockchain node so that the blockchain node sets the third updated subscription status for the subject subscription request.
  • the specific process of verifying the remote measurement value and obtaining the fourth verification result may include: compiling the source code in the trusted execution environment b of the first device to obtain a trusted measurement value; comparing the remote measurement value with the trusted measurement value, and when the remote measurement value is different from the trusted measurement value, generating a fourth verification result indicating that the remote measurement value verification failed; when the remote measurement value is the same as the trusted measurement value, generating a fourth verification result indicating that the remote measurement value verification passed; the following technical solution may also be executed: when the fourth verification result indicates that the remote measurement value verification failed, generating a fourth update subscription state indicating that the source code does not match the running code; sending the fourth update subscription state to the blockchain node, so that the blockchain node sets the fourth update subscription state for the topic subscription request.
  • the specific process of determining the relationship between the first business data and the data upload condition may include: when the third verification result indicates that the topic subscription object information verification has passed, and the fourth verification result indicates that the remote measurement value verification has passed, determining that the first business data meets the data upload condition; the following technical solution may also be executed: when the first business data meets the data upload condition, generating a fifth updated subscription status indicating that the topic subscription request has passed the verification; sending the fifth updated subscription status to the blockchain node, so that the blockchain node sets the fifth updated subscription status for the topic subscription request.
  • When there is an unprocessed remote authentication report, the first device will verify the identity of the subscriber corresponding to the remote authentication report to ensure that it is a partner.
  • Figure 6a is a timing diagram of a data processing method based on blockchain provided by an embodiment of the present application.
  • the first device requests the blockchain node to obtain the application developer certificate; when the first device has not cached the application developer certificate of the subscriber, the application developer certificate of the subscriber is downloaded from the chain and the application developer certificate of the subscriber is cached; when the application developer certificate of the subscriber has been cached locally, step 6a1 is skipped and step 6a2 is executed.
  • step 6a2 the blockchain node returns the application developer certificate to the first device; the blockchain node can call the object information acquisition method in the object contract according to the object identifier sent by the first device, and then obtain the application developer certificate requested by the first device.
  • step 6a3 the first device verifies the subject subscription object information and obtains the third verification result; specifically, the first device compares the application development object information in the application developer certificate with the subject subscription object information in the remote authentication report to obtain the third verification result.
  • step 6a4 when the verification fails, the first device returns the third updated subscription status to the blockchain node. When the verification is passed, the first device does not execute this step. At this time, other verification steps can be executed, or the fifth updated subscription status can be returned to the blockchain node.
  • the second device provides the source code (code) of the data intersection application to the first device, which performs manual review.
  • the subscription status is updated to "The program does not meet expectations" (second updated subscription status) and the subsequent process is terminated.
  • FIG. 6b is timing diagram seven of a data processing method based on blockchain provided in an embodiment of the present application.
  • Step 6b1, the source code is compiled in the trusted execution environment of the first device to generate a trusted measurement value; step 6b2, the first device compares the trusted measurement value and the remote measurement value; when the trusted measurement value and the remote measurement value are the same, the first device returns the fifth updated subscription state, or proceeds to the subsequent process.
  • Step 6b3, when they are different, the first device returns the fourth updated subscription state; when the trusted measurement value and the remote measurement value are inconsistent, it means that the audit code provided by the second device is inconsistent with the code running on the second device in the TEE environment, and there is a potential risk, so the subscription status is updated to "the audit code is inconsistent with the running code", and the subsequent process is terminated.
  • the verification of the source code includes two aspects, one is to verify the source code, and the other is to compile the source code. Please refer to Figure 6c.
  • Figure 6c is a timing diagram eight of a data processing method based on blockchain provided in an embodiment of the present application.
  • step 6c1 the second device generates the source code of the data intersection application; step 6c2, the second device compiles the source code in a trusted execution environment to obtain the data intersection application; step 6c3, the second device runs the data intersection application in a trusted execution environment; step 6c4, the second device transmits the source code to the first device; the embodiment of the present application does not limit the source code transmission method, which can be point-to-point transmission between the second device and the first device, or the second device can transmit the source code to the blockchain network, and then the first device obtains it from the blockchain network; in addition, in the scenario where the second device updates the source code, the second device will transmit the updated source code to the first device again.
  • The embodiment of the present application does not limit the execution order of step 6c4 and step 6c2, and they can be executed simultaneously.
  • Step 6c5 the second device reviews the source code; if the review fails, the second update subscription status is sent to the blockchain node; if the review passes, step 6c6 is executed, the first device compiles the source code in the trusted execution environment to obtain the data intersection application.
  • Step 6c7 the first device generates a trust metric value for the data intersection application; the subsequent process is consistent with the above, so it will not be repeated.
  • the first device updates the subscriber in the subject contract and updates the status of the contract subscription request to "completed" (fifth updated subscription status). At the same time, the first device saves the remote authentication result.
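  • The verification sequence described above (report check, source review, subscriber comparison, measurement comparison) and the five updated subscription statuses it can produce, as an added example that is not part of the patent text. The report layout, the HMAC-based authentication service and the SHA-256 "measurement" are stand-in assumptions; a real TEE uses vendor-signed reports and measures the compiled enclave.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class SubscriptionStatus(Enum):
    UNSAFE_ENVIRONMENT = "unsafe environment"                               # first
    PROGRAM_NOT_AS_EXPECTED = "the program does not meet expectations"      # second
    UNAUTHORIZED_OBJECT = "unauthorized object information"                 # third
    CODE_MISMATCH = "the audit code is inconsistent with the running code"  # fourth
    COMPLETED = "completed"                                                 # fifth


@dataclass(frozen=True)
class RemoteReport:
    """Hypothetical report layout; real TEE reports are vendor-specific."""
    subscriber: str      # subject subscription object information
    measurement: bytes   # remote measurement value of the running application
    signature: bytes     # binds both fields (stand-in: HMAC-SHA256)


def _report_body(subscriber: str, measurement: bytes) -> bytes:
    # Length-prefix the name so field boundaries cannot be shifted.
    name = subscriber.encode("utf-8")
    return len(name).to_bytes(4, "big") + name + measurement


def sign_report(root_key: bytes, subscriber: str, measurement: bytes) -> RemoteReport:
    """What the attesting side would produce (assumed symmetric root key)."""
    body = _report_body(subscriber, measurement)
    tag = hmac.new(root_key, body, hashlib.sha256).digest()
    return RemoteReport(subscriber, measurement, tag)


def make_auth_service(root_key: bytes) -> Callable[[RemoteReport], bool]:
    """Stand-in for the authentication service called in step S1011."""
    def verify(report: RemoteReport) -> bool:
        body = _report_body(report.subscriber, report.measurement)
        expected = hmac.new(root_key, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, report.signature)
    return verify


def measure(source: bytes) -> bytes:
    """Stand-in for compiling in trusted execution environment b and measuring."""
    return hashlib.sha256(source).digest()


def evaluate_subscription(report: RemoteReport, source: bytes, review_passed: bool,
                          cert_subject: str,
                          auth_service: Callable[[RemoteReport], bool]) -> SubscriptionStatus:
    """Return the status the first device would send to the blockchain node.

    Every failed check ends the flow, so the ciphertext bit array is only
    released when all four checks pass.
    """
    if not auth_service(report):                       # first verification result
        return SubscriptionStatus.UNSAFE_ENVIRONMENT
    if not review_passed:                              # second: manual source review
        return SubscriptionStatus.PROGRAM_NOT_AS_EXPECTED
    if report.subscriber != cert_subject:              # third: developer certificate
        return SubscriptionStatus.UNAUTHORIZED_OBJECT
    if not hmac.compare_digest(measure(source), report.measurement):  # fourth
        return SubscriptionStatus.CODE_MISMATCH
    return SubscriptionStatus.COMPLETED


# Constructed sample values, not taken from the patent.
ROOT_KEY = b"constructed-attestation-root-key"
AUDITED_SOURCE = b"def intersect(first_bits, second_items): ..."

if __name__ == "__main__":
    service = make_auth_service(ROOT_KEY)
    report = sign_report(ROOT_KEY, "promoter-org", measure(AUDITED_SOURCE))
    print(evaluate_subscription(report, AUDITED_SOURCE, True, "promoter-org", service))
```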
  • the first device will send a remote authentication request to the subscriber (i.e., the second device) based on the topic subscription request.
  • the remote authentication request not only prompts the second device to return a remote authentication report, but also prompts the second device to generate a communication key and return an encrypted data key.
  • the embodiment of the present application integrates blockchain, trusted execution environment and Bloom filter technology to provide a hardware and software solution for finding the intersection of encrypted data.
  • Object information authentication is provided through blockchain to ensure process transparency and process trust; execution environment security and application security are ensured through TEE remote authentication; and the function of making data available but invisible is achieved through Bloom filter.
  • This solution greatly reduces the time complexity and space complexity of the program, ensures the security of data throughout the entire life cycle of storage, transmission and operation, and can quickly find public samples of multiple parties without leaking business data, so joint business processing can be achieved.
  • FIG. 7 is a flowchart diagram of a data processing method based on blockchain provided in an embodiment of the present application.
  • the data processing method based on blockchain can be executed by a first device, or by a second device, or by a blockchain node, or by at least two entities among the first device, the second device, and the blockchain node, and is not limited here.
  • the embodiment of the present application is described by taking execution in the second device as an example, and the second device can be the second device 100b of the embodiment corresponding to Figure 1 above.
  • the method can at least include the following steps S201 to S204.
  • Step S201 obtaining a ciphertext bit array forwarded by a blockchain node in the blockchain; the ciphertext bit array is transmitted by the first device to the blockchain node, and the ciphertext bit array is obtained by the first device encrypting the first bit array through the data key, and the data key is generated by the second device in the data intersection application; the data intersection application runs in the trusted execution environment a of the second device; the first bit array is generated by the first device for the first business data when the first business data meets the data upload condition.
  • A topic subscription request for subscribing to a topic is generated according to the topic subscription object information; the topic is generated by the first device for the first business data; based on the topic subscription request, a subscription topic contract of the blockchain node is called; through the subscription topic contract, the topic subscription request is sent to the blockchain node, so that when the blockchain node verifies through the subscription topic contract that the topic has the attribute to be subscribed and the topic subscription object information belongs to the registered object information, the topic subscription request is stored and a request pending verification status is set for the topic subscription request; the request pending verification status is used to instruct the blockchain node to forward the topic subscription request to the first device.
  • a data download request for obtaining a ciphertext bit array is generated based on the topic subscription object information; the data download request is sent to the blockchain node, so that the blockchain node queries the current subscription status corresponding to the topic subscription object information according to the data download request; the ciphertext bit array returned by the blockchain node when it is determined that the current subscription status is the fifth updated subscription status is obtained; the fifth updated subscription status is used to indicate that the first device has passed the verification of the topic subscription request; the topic subscription request is sent when the blockchain node stores a topic for the first business data.
  • FIG. 8 is a timing diagram of a data processing method based on blockchain provided by an embodiment of the present application.
  • the second device sends a topic subscription request to the blockchain node; wherein the topic subscription request includes topic subscription object information.
  • the blockchain node verifies the topic subscription request; specifically, the blockchain node will call the subscription topic method (equivalent to the subscription topic contract), and through the subscription topic method, ensure that the topic has not been subscribed by other parties (such topics are only subscribed by one party, because the topic message is encrypted, the communication key and the data key cannot be shared between multiple parties to prevent data leakage), and at the same time ensure that the subscriber is a registered object on the chain.
  • Step 83 the blockchain node saves the topic subscription request; the blockchain node generates a subscription request identifier based on the topic name, the subscriber (i.e., the topic subscription object information), the block height and the transaction index (index), saves the topic subscription request, and marks the request processing status of the topic subscription request as "object not registered/has been subscribed by other objects/pending authorization" according to the above verification situation. If the topic subscription request is valid, the request identifier of the latest valid subscription request of the updated topic is the latest subscription request identifier.
  • Step 84 The blockchain node returns a result to the second device; the result can be used to characterize the processing result of the blockchain network for the topic subscription request.
  • Step S202 in the data intersection application, the ciphertext bit array obtained from the blockchain node is decrypted using the data key to obtain the first bit array.
  • Figure 9 is a timing diagram of a blockchain-based data processing method provided in an embodiment of the present application.
  • the second device downloads the ciphertext bit array from the blockchain node.
  • the second device decrypts the ciphertext bit array using the data key to obtain the first bit array.
  • Step S203 in the data intersection application, a second bit array corresponding to the second business data is generated, and business intersection data between the first business data and the second business data is determined according to the second bit array and the first bit array.
  • the second business data includes second business data C_d, d is a positive integer, and d is less than or equal to the total number of second business data; the second bit array includes the second bit array E_d corresponding to the second business data C_d; when the first bit array includes the second bit array E_d, the second business data C_d is determined to be the business intersection data between the first business data and the second business data.
  • step 93 the second device generates a second bit array of the second business data.
  • the process of the first device generating the first bit array is the same as the process of the second device generating the second bit array, so it is not repeated here.
  • Step 94 the second device compares the second bit array and the first bit array to determine the business intersection data.
  • Steps 92-94 in Figure 9 are all performed in a trusted execution environment.
  • the embodiment of the present application does not limit the number of second business data, which can be one or more.
  • the second device traverses each second business data to determine the existence of a second bit array corresponding to a second business data in the first bit array.
  • When a second bit array corresponding to a second business data exists in the first bit array, it is determined that the second business data is business intersection data.
  • Step 95 the second device performs business processing associated with the business intersection data.
  • the first business data is the mobile phone number held by the platform application corresponding to the first device.
  • the mobile phone number can be the contact information of the silent object of the platform application.
  • the platform application wants to promote the silent object to attract the silent object to review the platform.
  • the first device cooperates with a promoter of the capability, but in order to ensure the security of the mobile phone number of the silent object, the first device cannot disclose the mobile phone number to the outside.
  • the first device can adopt the method provided by this application, that is, first generate the first bit array corresponding to the mobile phone number (that is, the first business data), specifically, store the mobile phone number in a Bloom filter; then use the data key generated by the second device in the trusted execution environment to encrypt the Bloom filter with the mobile phone number stored in it to obtain an encrypted Bloom filter; then transmit the encrypted Bloom filter to the blockchain.
  • the blockchain first performs a relevant review on the encrypted Bloom filter, and when the review is passed, the encrypted Bloom filter is stored; when a data download request sent by the second device is obtained, the second device is first reviewed for similarity, and when the review is passed, the encrypted Bloom filter is forwarded to the second device.
  • In the data intersection application running in the trusted execution environment, the second device first decrypts the encrypted Bloom filter with the data key to obtain a Bloom filter with the mobile phone number stored in it (for distinction, called the first Bloom filter). Then the mobile phone number it holds is transmitted to the trusted execution environment, and each mobile phone number is stored separately in a Bloom filter (for distinction, called the second Bloom filter). When the second Bloom filter matches the first Bloom filter, it is determined that the mobile phone number in the second Bloom filter belongs to the mobile phone number jointly held by the promoter and the platform application (business intersection data). Subsequently, the second device pushes the advertisement with promotion effect provided by the first device to the business intersection data.
  • the business intersection data belongs to the contact information of the silent object of the platform application.
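  • The bit-array comparison of steps 93 and 94, as an added example that is not part of the patent text: one Bloom filter holds the first business data, each second business data item C_d gets its own bit array E_d, and C_d counts as intersection data when every bit of E_d is set in the first bit array. The filter sizes, hash construction and phone numbers are constructed assumptions; encryption with the data key and the blockchain hop are omitted, and in the patent's design this comparison runs only inside the trusted execution environment.

```python
import hashlib
from typing import Iterable, List


def positions(item: str, m: int, k: int) -> List[int]:
    """Derive k bit positions for an item by double hashing over SHA-256."""
    digest = hashlib.sha256(item.encode("utf-8")).digest()
    h1 = int.from_bytes(digest[:8], "big")
    # An odd step gives k distinct positions when m is a power of two.
    h2 = int.from_bytes(digest[8:16], "big") | 1
    return [(h1 + i * h2) % m for i in range(k)]


def bit_array(items: Iterable[str], m: int, k: int) -> int:
    """Build a Bloom filter over items, represented as an m-bit integer."""
    bits = 0
    for item in items:
        for pos in positions(item, m, k):
            bits |= 1 << pos
    return bits


def intersect(first_bits: int, second_data: Iterable[str], m: int, k: int) -> List[str]:
    """Return each C_d whose bit array E_d is contained in the first bit array."""
    hits = []
    for c_d in second_data:
        e_d = bit_array([c_d], m, k)
        if first_bits & e_d == e_d:
            hits.append(c_d)
    return hits


def false_positives(first_data: List[str], probes: Iterable[str], m: int, k: int) -> int:
    """Count probes reported as intersection data that the first party never held."""
    members = set(first_data)
    first_bits = bit_array(first_data, m, k)
    return sum(1 for p in intersect(first_bits, probes, m, k) if p not in members)


# Constructed sample data, not taken from the patent.
FIRST_DATA = [f"1380000{i:04d}" for i in range(20)]        # held by the first device
SECOND_DATA = ["13800000003", "13800000017", "13900001111", "13900002222"]
PROBES = [f"1390000{i:04d}" for i in range(1000)]          # disjoint from FIRST_DATA

if __name__ == "__main__":
    big = bit_array(FIRST_DATA, 1 << 16, 7)
    print("intersection:", intersect(big, SECOND_DATA, 1 << 16, 7))
    # A Bloom filter never misses a member but can report non-members;
    # an undersized filter makes that visible.
    print("false positives, m=65536 k=7:", false_positives(FIRST_DATA, PROBES, 1 << 16, 7))
    print("false positives, m=64 k=3:   ", false_positives(FIRST_DATA, PROBES, 64, 3))
```

The undersized filter shows why the filter size and hash count must be chosen for the expected data volume: a false positive here means business processing would be applied to an item the first party never held.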
  • PSI private set intersection
  • Step S204 performing business processing on the business intersection data.
  • media data with an application recommendation function provided by the first device is acquired, and the media data is pushed to the second service data C_d.
  • the embodiment of the present application can not only protect the privacy of the object, but also reduce the amount of data, reduce the number of communications, and reduce the time and space complexity of the system.
  • the embodiments of the present application can ensure the security of data keys during storage, transmission and use, thereby ensuring the security of data.
  • the embodiment of the present application puts the code on the chain, which improves the credibility of the application.
  • the data provider can stop providing the first business data and put this process on the chain to store evidence of the service status change.
  • the participants including data users and data providers
  • putting the object identity information on the chain can verify the integrity of the data; putting the workflow on the chain can ensure the transparency of the process and facilitate supervision.
  • the embodiment of the present application by generating the first bit array corresponding to the first business data, it can be ensured that the first business data is available but invisible, so the security of the first business data can be improved; further, since the data key is generated by the data intersection application in the trusted execution environment a, its generation environment is safe, the application environment is safe, and the storage environment is safe, so the first bit array is encrypted by the data key, and the security of the first bit array can be improved; further, by transmitting the ciphertext bit array to the blockchain, the acquisition status of the second device for the ciphertext bit array can be accurately traced; in addition, the embodiment of the present application determines the business intersection data between the first business data and the second business data through the first bit array and the second bit array corresponding to the second business data, so not only can the business processing associated with the business intersection data be performed, but also the security of the first business data is further improved. As can be seen from the above, the use of the embodiment of the present application can improve the security of data (including the first business data and the first business
  • FIG. 10 is a structural schematic diagram of a blockchain-based data processing device provided in an embodiment of the present application.
  • the blockchain-based data processing device 1 can be run on a first device, and the blockchain-based data processing device 1 can be used to execute the corresponding steps in the method provided in an embodiment of the present application.
  • the blockchain-based data processing device 1 may include: a first generation module 11, a first processing module 12, and a ciphertext transmission module 13.
  • the first generation module 11 is configured to generate a first bit array corresponding to the first business data when the first business data meets the data upload condition; the first processing module 12 is configured to encrypt the first bit array through the data key to obtain a ciphertext bit array; wherein the data key is generated by the second device in the data intersection application, and the data intersection application runs in the trusted execution environment a of the second device; the ciphertext transmission module 13 is configured to transmit the ciphertext bit array to the blockchain node in the blockchain, so that the blockchain node stores the ciphertext bit array; wherein the ciphertext bit array stored in the blockchain node is used to be forwarded by the blockchain node to the second device; the second device is used to decrypt the ciphertext bit array obtained from the blockchain node through the data key in the data intersection application to obtain a first bit array; the first bit array is used to instruct the second device to generate a second bit array corresponding to the second business data in the data intersection application; the second bit array and the first bit array are used to instruct the
  • the specific functional implementation of the first generation module 11, the first processing module 12 and the ciphertext transmission module 13 can refer to steps S101 to S103 in the embodiment corresponding to FIG. 3 above, which will not be repeated here.
  • the blockchain-based data processing device 1 may further include: a second processing module 15, a request sending module 16, a request obtaining module 17 and a relationship determination module 18.
  • the second generating module 14 is configured to generate a subject for the first business data, and generate a subject publishing request including the subject and subject publishing object information;
  • the second processing module 15 is configured to sign the subject publishing request through the device private key corresponding to the first device, obtain the signature message z, and call the publishing subject contract of the blockchain node based on the subject publishing request;
  • the request sending module 16 is configured to send the subject publishing request carrying the signature message z to the blockchain node through the publishing subject contract, so that the blockchain node calls the publishing subject contract when passing the legitimacy verification of the subject publishing request;
  • the publishing subject contract is used to instruct the blockchain node to verify that the subject publishing object information belongs to the registered object information, and when it is determined that the topic has the attribute to be published, the topic is stored; the topic stored in the blockchain node is used to instruct the second device to send a topic subscription request to
  • step S101 in the embodiment corresponding to FIG. 3 above, which will not be described again here.
  • the relationship determination module 18 may include: a first generation unit 181, a request sending unit 182, and a first acquisition unit 183.
  • the first generation unit 181 is configured to generate a remote authentication request according to the topic subscription request forwarded by the blockchain node;
  • the request sending unit 182 is configured to send the remote authentication request to the second device, so that the second device generates an intermediate key pair g including an intermediate public key f according to the remote authentication request; wherein the intermediate public key f is used to instruct the second device to call the trusted execution environment a to generate a remote authentication report for the data intersection application;
  • the first acquisition unit 183 is configured to obtain the remote authentication report returned by the second device, and determine the relationship between the first business data and the data upload condition according to the remote authentication report.
  • For the specific functional implementation of the first generating unit 181, the request sending unit 182 and the first acquiring unit 183, reference may be made to step S101 in the embodiment corresponding to FIG. 3, which will not be described in detail here.
  • the first acquisition unit 183 may include: a report verification subunit 1831, a first determination subunit 1832, and a second determination subunit 1833.
  • the report verification subunit 1831 is configured to call the authentication service, and perform verification processing on the remote authentication report through the authentication service to obtain a first verification result;
  • the first determination subunit 1832 is configured to determine that the first business data does not meet the data upload condition when the first verification result indicates that the remote authentication report verification fails;
  • the second determination subunit 1833 is configured to obtain the source code of the data intersection application when the first verification result indicates that the remote authentication report verification passes, and determine the relationship between the first business data and the data upload condition according to the source code;
  • the first acquisition unit 183 may also include: a third determination subunit 1834 and a status sending subunit 1835.
  • the third determination subunit 1834 is configured to determine that the trusted execution environment a does not have the environmental security attribute when the first verification result indicates that the remote authentication report verification fails; the status sending subunit 1835 is configured to generate a first update subscription state for indicating that the trusted execution environment a does not have the environmental security attribute, and send the first update subscription state to the blockchain node so that the blockchain node sets the first update subscription state for the topic subscription request.
  • the specific functional implementation of the report verification subunit 1831, the first determination subunit 1832, the second determination subunit 1833, the third determination subunit 1834 and the status sending subunit 1835 can be found in step S1013 in the embodiment corresponding to Figure 5 above, and will not be repeated here.
  • the second determining subunit 1833 may include: a first processing subunit 18331, a second processing subunit 18332, a third processing subunit 18333, and a relationship determining subunit 18334.
  • the first processing sub-unit 18331 is configured to verify the source code and obtain a second verification result;
  • the second processing sub-unit 18332 is configured to obtain the topic subscription object information for the data intersection application in the remote authentication report when the second verification result indicates that the source code verification has passed, and verify the topic subscription object information to obtain a third verification result;
  • the third processing sub-unit 18333 is configured to obtain the remote measurement value for the source code in the remote authentication report, and verify the remote measurement value to obtain a fourth verification result;
  • the relationship determination sub-unit 18334 is configured to determine the relationship between the first business data and the data upload condition based on the third verification result and the fourth verification result;
  • the second processing sub-unit 18332 is also configured to determine that the first business data does not meet the data upload condition when the second verification result indicates that
  • the second processing sub-unit 18332 is further configured to determine that the source code does not have code security attributes when the second verification result indicates that the source code verification fails; the state generation sub-unit 18335 is configured to generate a second update subscription state for indicating that the source code does not have code security attributes, and send the second update subscription state to the blockchain node so that the blockchain node sets the second update subscription state for the topic subscription request.
  • the specific functional implementation of the first processing sub-unit 18331, the second processing sub-unit 18332, the third processing sub-unit 18333, the relationship determination sub-unit 18334 and the state generation sub-unit 18335 can be found in step S1013 in the embodiment corresponding to Figure 5 above, and will not be repeated here.
  • the second processing sub-unit 18332 is specifically configured to obtain an application development object certificate for the data intersection application, obtain application development object information from the application development object certificate, and compare the topic subscription object information with the application development object information; the second processing sub-unit 18332 is also configured to generate a third verification result indicating that the topic subscription object information verification has failed when the topic subscription object information is different from the application development object information; the second processing sub-unit 18332 is also configured to generate a third verification result indicating that the topic subscription object information verification has passed when the topic subscription object information is the same as the application development object information; the second processing sub-unit 18332 is also configured to generate a third updated subscription state indicating that the topic subscription object information is unauthorized object information when the third verification result indicates that the topic subscription object information verification has failed; the second processing sub-unit 18332 is also configured to send the third updated subscription state to the blockchain node, so that the blockchain node sets the third updated subscription state for the topic subscription request.
  • step S1013 in the embodiment corresponding to FIG5 above, which will not be described again here.
  • the third processing subunit 18333 is further configured to compile the source code in the trusted execution environment b of the first device.
  • the trusted measurement value is obtained; the third processing sub-unit 18333 is further configured to compare the remote measurement value with the trusted measurement value, and if the remote measurement value is different from the trusted measurement value, a fourth verification result is generated to indicate that the remote measurement value verification has failed; the third processing sub-unit 18333 is further configured to generate a fourth verification result indicating that the remote measurement value verification has passed when the remote measurement value is the same as the trusted measurement value; the third processing sub-unit 18333 is further configured to generate a fourth update subscription state indicating that the source code does not match the running code when the fourth verification result indicates that the remote measurement value verification has failed; the third processing sub-unit 18333 is further configured to send the fourth update subscription state to the blockchain node, so that the blockchain node sets the fourth update subscription state for the topic subscription request.
  • step S1013 in the embodiment corresponding to FIG5 above, which will not be described again here.
  • the relationship determination subunit 18334 is configured to determine that the first business data meets the data upload condition when the third verification result indicates that the topic subscription object information verification is passed and the fourth verification result indicates that the remote measurement value verification is passed; the relationship determination subunit 18334 is also configured to generate a fifth updated subscription state indicating that the topic subscription request has passed the verification when the first business data meets the data upload condition; the relationship determination subunit 18334 is also configured to send the fifth updated subscription state to the blockchain node, so that the blockchain node sets the fifth updated subscription state for the topic subscription request.
  • step S1013 in the embodiment corresponding to FIG5 above, which will not be described in detail here.
  • the first generating unit 181 may include: a first generating subunit 1811 and a second generating subunit 1812.
  • the first generating subunit 1811 is configured to generate an authentication challenge random number and an intermediate key pair j including an intermediate private key h and an intermediate public key i according to a topic subscription request forwarded by a blockchain node;
  • the second generating subunit 1812 is configured to generate a remote authentication request according to the intermediate public key i and the authentication challenge random number;
  • the intermediate public key i is used to instruct the second device to generate a communication key according to the intermediate public key i, the authentication challenge random number and the intermediate private key k in the intermediate key pair g;
  • the communication key is used to encrypt the data key to obtain an encrypted data key.
  • the first generation unit 181 may include: a first acquisition subunit 1813 and a second acquisition subunit 1814.
  • the first acquisition subunit 1813 is configured to acquire the intermediate public key f in the remote authentication report, and generate a communication key according to the intermediate public key f, the authentication challenge random number and the intermediate private key h;
  • the second acquisition subunit 1814 is configured to acquire the encrypted data key returned by the second device, and decrypt the encrypted data key through the communication key to obtain the data key.
  • the specific functional implementation of the first generating subunit 1811, the second generating subunit 1812, the first acquiring subunit 1813 and the second acquiring subunit 1814 can refer to step S101 in the embodiment corresponding to FIG. 3 above, which will not be repeated here.
  • the first generation module 11 may include: a second acquisition unit 111, a second generation unit 112, a first determination unit 113, and a second determination unit 114.
  • the second acquisition unit 111 is configured to acquire an initial bit array mapped with a first random number and a random mapping function, and input the first business data into the random mapping function;
  • the second generation unit 112 is configured to generate a second random number corresponding to the first business data through a random mapping function, wherein the first random number includes the second random number;
  • the first determination unit 113 is configured to determine a bit array to be updated in the initial bit array, wherein the bit array to be updated is mapped with the second random number;
  • the second determination unit 114 is configured to update the bit array to be updated in the initial bit array, and determine the updated initial bit array as the first bit array.
  • step S101 in the embodiment corresponding to FIG. 3 above, which will not be described again.
  • by generating the first bit array corresponding to the first business data, it can be ensured that the first business data is available but not visible, so the security of the first business data can be improved; further, since the data key is generated by the data intersection application in the trusted execution environment a, its generation environment is secure, the application environment is secure, and the storage environment is secure, so encrypting the first bit array with the data key can improve the security of the first bit array; further, by transmitting the ciphertext bit array to the blockchain, the acquisition status of the second device for the ciphertext bit array can be accurately traced; in addition, the embodiment of the present application determines the business intersection data between the first business data and the second business data through the first bit array and the second bit array corresponding to the second business data, so not only can the business processing associated with the business intersection data be performed, but also the security of the first business data is further improved. As can be seen from the above, the embodiment of the present application can improve the security of data (including the first business data and the first bit array) and accurately trace the data acquisition status.
  • the blockchain-based data processing device 2 may include: a ciphertext acquisition module 21, a first processing module 22, a first generation module 23, and a second processing module 24.
  • the ciphertext acquisition module 21 is configured to obtain the ciphertext bit array forwarded by the blockchain node in the blockchain; the ciphertext bit array is transmitted by the first device to the blockchain node, and the ciphertext bit array is obtained by the first device encrypting the first bit array through the data key, and the data key is generated by the second device in the data intersection application; the data intersection application runs in the trusted execution environment a of the second device; the first bit array is generated by the first device for the first business data when the first business data meets the data upload condition; the first processing module 22 is configured to decrypt the ciphertext bit array obtained from the blockchain node through the data key in the data intersection application to obtain the first bit array; the first generation module 23 is configured to generate a second bit array corresponding to the second business data in the data intersection application, and determine the business intersection data between the first business data and the second business data according to the second bit array and the first bit array; the second processing module 24 is configured to perform business processing on the business intersection data.
  • the specific functional implementation of the ciphertext acquisition module 21, the first processing module 22, the first generation module 23 and the second processing module 24 can refer to steps S201 to S204 in the embodiment corresponding to FIG. 7 above, which will not be repeated here.
  • the ciphertext acquisition module 21 may include: a request generation unit 211, a request sending unit 212, and a ciphertext acquisition unit 213.
  • the request generation unit 211 is configured to generate a data download request for obtaining a ciphertext bit array according to the topic subscription object information;
  • the request sending unit 212 is configured to send the data download request to the blockchain node, so that the blockchain node queries the current subscription state corresponding to the topic subscription object information according to the data download request;
  • the ciphertext acquisition unit 213 is configured to obtain the ciphertext bit array returned by the blockchain node when determining that the current subscription state is the fifth updated subscription state; the fifth updated subscription state is used to indicate that the first device has passed the verification of the topic subscription request; the topic subscription request is sent when the blockchain node stores a topic for the first business data.
  • the specific functional implementation of the request generating unit 211, the request sending unit 212 and the ciphertext obtaining unit 213 can refer to step S201 in the embodiment corresponding to FIG. 7 above, which will not be described in detail here.
  • the second business data includes second business data Cd, where d is a positive integer and d is less than or equal to the total number of second business data;
  • the second bit array includes the second bit array Ed corresponding to the second business data Cd;
  • the first generation module 23 is further configured to determine that the second business data Cd is the business intersection data between the first business data and the second business data when the first bit array includes the second bit array Ed;
  • the second processing module 24 is further configured to obtain media data with application recommendation function provided by the first device, and push the media data to the second business data Cd .
  • the specific functional implementation of the first generating module 23 and the second processing module 24 can refer to step S203-step S204 in the embodiment corresponding to FIG. 7 above, which will not be described again here.
  • the data processing device 2 based on blockchain may further include: a second generation module 25, a contract calling module 26, and a request sending module 27.
  • the second generation module 25 is configured to generate a topic subscription request for subscribing to a topic according to the topic subscription object information; the topic is generated by the first device for the first business data; the contract calling module 26 is configured to call the subscription topic contract of the blockchain node based on the topic subscription request; the request sending module 27 is configured to send the topic subscription request to the blockchain node through the subscription topic contract, so that when the blockchain node verifies through the subscription topic contract that the topic has the attribute to be subscribed and that the topic subscription object information belongs to the registered object information, the topic subscription request is stored and a request pending verification status is set for the topic subscription request; the request pending verification status is used to instruct the blockchain node to forward the topic subscription request to the first device.
  • the specific functional implementation of the second generation module 25, the contract calling module 26 and the request sending module 27 can refer to step S201 in the embodiment corresponding to Figure 7 above, which will not be repeated here.
  • in the embodiment of the present application, by generating the first bit array corresponding to the first business data, it can be ensured that the first business data is available but invisible, so the security of the first business data can be improved; further, since the data key is generated by the data intersection application in the trusted execution environment a, its generation environment is safe, the application environment is safe, and the storage environment is safe, so encrypting the first bit array with the data key can improve the security of the first bit array; further, by transmitting the ciphertext bit array to the blockchain, the acquisition status of the second device for the ciphertext bit array can be accurately traced; in addition, the embodiment of the present application determines the business intersection data between the first business data and the second business data through the first bit array and the second bit array corresponding to the second business data, so not only can the business processing associated with the business intersection data be performed, but also the security of the first business data is further improved. As can be seen from the above, the use of the embodiment of the present application can improve the security of data (including the first business data and the first business
  • FIG. 12 is a schematic diagram of the structure of an electronic device provided in an embodiment of the present application.
  • the electronic device 1000 may include: at least one processor 1001, such as a CPU, at least one network interface 1004, a user interface 1003, a memory 1005, and at least one communication bus 1002.
  • the communication bus 1002 is used to realize the connection and communication between these components.
  • the user interface 1003 may include a display screen (Display), a keyboard (Keyboard), and the network interface 1004 may optionally include a standard wired interface, a wireless interface (such as a WI-FI interface).
  • the memory 1005 may be a high-speed RAM memory, or it may be a non-volatile memory (non-volatile memory), such as at least one disk memory.
  • the memory 1005 may also be optionally at least one storage device located away from the aforementioned processor 1001.
  • the memory 1005 as a computer storage medium may include an operating system, a network communication module, a user interface module, and a device control application.
  • the network interface 1004 can provide a network communication function; the user interface 1003 is mainly used to provide an input interface for the user; and the processor 1001 can be used to call the device control application stored in the memory 1005 to implement the following technical solutions: if the first business data meets the data upload condition, a first bit array corresponding to the first business data is generated; the first bit array is encrypted by the data key generated by the second device in the data intersection application to obtain a ciphertext bit array; the data intersection application runs in the trusted execution environment a of the second device; the ciphertext bit array is transmitted to the blockchain node in the blockchain, so that the blockchain node stores the ciphertext bit array; the ciphertext bit array stored in the blockchain node is used to be forwarded by the blockchain node to the second device; the second device is used to decrypt the ciphertext bit array obtained from the blockchain node through the data key in the data intersection application to obtain the first bit array; the first bit array is used to instruct the second device to
  • the processor 1001 can be used to call the device control application stored in the memory 1005 to implement the following technical solutions: obtaining a ciphertext bit array forwarded by a blockchain node in the blockchain; the ciphertext bit array is transmitted by the first device to the blockchain node, and the ciphertext bit array is obtained by encrypting the first bit array by the first device through the data key generated by the second device in the data intersection application; the data intersection application runs in the trusted execution environment a of the second device; the first bit array is generated by the first device for the first business data when the first business data meets the data upload condition; in the data intersection application, the ciphertext bit array obtained from the blockchain node is decrypted by the data key to obtain the first bit array; in the data intersection application, a second bit array corresponding to the second business data is generated, and the business intersection data between the first business data and the second business data is determined according to the second bit array and the first bit array; and business processing is performed on the business intersection data.
  • the electronic device 1000 described in the embodiments of the present application can execute the description of the data processing method or device based on blockchain in the above embodiments, which will not be repeated here.
  • the description of the beneficial effects of adopting the same method will not be repeated.
  • the present application also provides a computer-readable storage medium, which stores a computer program.
  • when the computer program is executed by a processor, the description of the data processing method or device based on blockchain in the above embodiments is implemented, which will not be repeated here.
  • the description of the beneficial effects of the same method will not be repeated.
  • the computer-readable storage medium may be a blockchain-based data processing device provided in any of the aforementioned embodiments or an internal storage unit of the electronic device, such as a hard disk or memory of the electronic device.
  • the computer-readable storage medium may also be an external storage device of the electronic device, such as a plug-in hard disk, a smart memory card (smart media card, SMC), a secure digital (secure digital, SD) card, a flash card (flash card), etc. equipped on the electronic device.
  • the computer-readable storage medium may also include both an internal storage unit of the electronic device and an external storage device.
  • the computer-readable storage medium is used to store the computer program and other programs and data required by the electronic device.
  • the computer-readable storage medium may also be used to temporarily store data that has been output or is to be output.
  • the embodiment of the present application also provides a computer program product, which includes a computer program, which is stored in a computer-readable storage medium.
  • the processor of the electronic device reads the computer program from the computer-readable storage medium, and the processor executes the computer program, so that the electronic device can execute the description of the data processing method or device based on blockchain in the above embodiments, which will not be repeated here.
  • the description of the beneficial effects of using the same method will not be repeated.
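The verification chain described earlier in this section for the first acquisition unit 183 (the first to fourth verification results and the five update subscription states) can be written as one fail-closed decision function. This is an added example, not code from the application: the names `SubscriptionState`, `AttestationReport`, `trusted_measurement` and `evaluate_subscription` are hypothetical, the first and second verification results are taken as booleans supplied by the authentication service and the source code review, SHA-256 over the source stands in for compiling and measuring it in trusted execution environment b, and returning the first failing check when several fail is an assumption.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class SubscriptionState(Enum):
    """The five update subscription states the first device reports."""
    ENV_NOT_SECURE = 1           # first: attestation report failed
    CODE_NOT_SECURE = 2          # second: source code verification failed
    UNAUTHORIZED_SUBSCRIBER = 3  # third: subscriber is not the app developer
    CODE_MISMATCH = 4            # fourth: running code differs from source
    VERIFIED = 5                 # fifth: topic subscription request verified


@dataclass(frozen=True)
class AttestationReport:
    """Fields of the remote authentication report used by the checks."""
    subscriber_info: Optional[str]       # topic subscription object information
    remote_measurement: Optional[bytes]  # measurement of the running code


def trusted_measurement(source_code: bytes) -> bytes:
    # Assumption: a SHA-256 digest stands in for "compile the source code in
    # trusted execution environment b and measure the result".
    return hashlib.sha256(source_code).digest()


def evaluate_subscription(report: AttestationReport,
                          report_verified: bool,
                          source_verified: bool,
                          source_code: bytes,
                          developer_info: str) -> Tuple[SubscriptionState, bool]:
    """Return (state to set on the blockchain node, upload condition met).

    Every failure path returns False for the upload condition, so the first
    bit array is only generated after all four checks pass.
    """
    if not report_verified:                       # first verification result
        return SubscriptionState.ENV_NOT_SECURE, False
    if not source_verified:                       # second verification result
        return SubscriptionState.CODE_NOT_SECURE, False
    # Third verification result: identity in the report must equal the
    # identity in the application development object certificate.
    if not report.subscriber_info or report.subscriber_info != developer_info:
        return SubscriptionState.UNAUTHORIZED_SUBSCRIBER, False
    # Fourth verification result: constant-time comparison of measurements;
    # a missing or truncated measurement is treated as a mismatch.
    expected = trusted_measurement(source_code)
    reported = report.remote_measurement or b""
    if not hmac.compare_digest(reported, expected):
        return SubscriptionState.CODE_MISMATCH, False
    return SubscriptionState.VERIFIED, True


# Constructed sample input (not from the application).
SAMPLE_SOURCE = b"/* data intersection application */ int main(void){return 0;}\n"
SAMPLE_REPORT = AttestationReport("advertiser-B", trusted_measurement(SAMPLE_SOURCE))

if __name__ == "__main__":
    print(evaluate_subscription(SAMPLE_REPORT, True, True,
                                SAMPLE_SOURCE, "advertiser-B"))
```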

Abstract

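The embodiments of the present application disclose a blockchain-based data processing method, apparatus, electronic device, computer-readable storage medium and computer program product. The method includes: a first device generates a first bit array corresponding to first business data; the first bit array is encrypted with a data key to obtain a ciphertext bit array, where the data key is generated by the second device in a data intersection application, and the data intersection application runs in trusted execution environment a; the ciphertext bit array is transmitted to a blockchain node so that the blockchain node forwards the ciphertext bit array to the second device; the second device, in the data intersection application, decrypts the ciphertext bit array with the data key to obtain the first bit array; the second device generates a second bit array corresponding to second business data; the second device determines the business intersection data between the first business data and the second business data, and performs business processing associated with the business intersection data.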

Description

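A blockchain-based data processing method, apparatus, electronic device, computer-readable storage medium and computer program product
Cross-reference to related applications
This application is based on, and claims priority to, Chinese patent application No. 202211259133.1, filed on October 14, 2022, the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of Internet technology, and in particular to a blockchain-based data processing method, apparatus, electronic device, computer-readable storage medium and computer program product.
Background
With the rapid development of mobile Internet technology and various emerging technologies, platform applications have sprung up like mushrooms after rain. With the emergence of a large number of platform applications, users have a wider range of choices. To improve active-user retention, platform applications need to keep promoting their own platforms.
In the prior art, a platform application promotes itself by cooperating with an advertiser that has strong platform promotion capabilities. Specifically, the platform application provides its own first business data to the advertiser; the advertiser determines the business data common to its own second business data and the first business data, namely the business intersection data, and then performs promotion processing associated with the business intersection data. Clearly, the prior art has the following defects: 1. the platform application transmits its raw data (the first business data) to the advertiser, which reduces the security of the data; 2. data flows directly between the platform application and the advertiser, so the data acquisition status cannot be accurately traced.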
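Summary of the invention
The embodiments of the present application provide a blockchain-based data processing method, apparatus, electronic device, computer-readable storage medium and computer program product, which can improve the security of data and accurately trace the data acquisition status.
An embodiment of the present application provides a blockchain-based data processing method, the method being executed by a first device and including:
when the first business data meets the data upload condition, generating a first bit array corresponding to the first business data;
encrypting the first bit array with a data key to obtain a ciphertext bit array, where the data key is generated by a second device in a data intersection application, and the data intersection application runs in trusted execution environment a of the second device;
transmitting the ciphertext bit array to a blockchain node in the blockchain, so that the blockchain node stores the ciphertext bit array; where the ciphertext bit array stored at the blockchain node is to be forwarded by the blockchain node to the second device; the second device is configured to decrypt, in the data intersection application, the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array; the first bit array is used to instruct the second device to generate, in the data intersection application, a second bit array corresponding to second business data; the second bit array and the first bit array are used to instruct the second device to determine, in the data intersection application, the business intersection data between the first business data and the second business data; the business intersection data is used to instruct the second device to perform business processing associated with the business intersection data.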
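An embodiment of the present application provides a blockchain-based data processing method, the method being executed by a second device and including:
obtaining a ciphertext bit array forwarded by a blockchain node in the blockchain; where the ciphertext bit array is transmitted to the blockchain node by the first device, the ciphertext bit array is obtained by the first device encrypting the first bit array with the data key, and the data key is generated by the second device in the data intersection application; the data intersection application runs in trusted execution environment a of the second device; the first bit array is generated by the first device for the first business data when the first business data meets the data upload condition;
in the data intersection application, decrypting the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array;
in the data intersection application, generating a second bit array corresponding to second business data, and determining, according to the second bit array and the first bit array, the business intersection data between the first business data and the second business data;
performing business processing on the business intersection data.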
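An embodiment of the present application provides a blockchain-based data processing apparatus, the apparatus running on a first device and including:
a first generation module, configured to generate a first bit array corresponding to first business data when the first business data meets the data upload condition;
a first processing module, configured to encrypt the first bit array with a data key to obtain a ciphertext bit array, where the data key is generated by a second device in a data intersection application, and the data intersection application runs in trusted execution environment a of the second device;
a ciphertext transmission module, configured to transmit the ciphertext bit array to a blockchain node in the blockchain, so that the blockchain node stores the ciphertext bit array; where the ciphertext bit array stored at the blockchain node is to be forwarded by the blockchain node to the second device; the second device is configured to decrypt, in the data intersection application, the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array; the first bit array is used to instruct the second device to generate, in the data intersection application, a second bit array corresponding to second business data; the second bit array and the first bit array are used to instruct the second device to determine, in the data intersection application, the business intersection data between the first business data and the second business data; the business intersection data is used to instruct the second device to perform business processing associated with the business intersection data.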
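An embodiment of the present application provides a blockchain-based data processing apparatus, the apparatus running on a second device and including:
a ciphertext acquisition module, configured to obtain a ciphertext bit array forwarded by a blockchain node in the blockchain; where the ciphertext bit array is transmitted to the blockchain node by the first device, the ciphertext bit array is obtained by the first device encrypting the first bit array with the data key, and the data key is generated by the second device in the data intersection application; the data intersection application runs in trusted execution environment a of the second device; the first bit array is generated by the first device for the first business data when the first business data meets the data upload condition;
a first processing module, configured to decrypt, in the data intersection application, the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array;
a first generation module, configured to generate, in the data intersection application, a second bit array corresponding to second business data, and determine, according to the second bit array and the first bit array, the business intersection data between the first business data and the second business data;
a second processing module, configured to perform business processing on the business intersection data.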
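The present application provides an electronic device, including: a processor, a memory and a network interface;
the processor is connected to the memory and the network interface, where the network interface is used to provide a data communication function, the memory is used to store a computer program, and the processor is used to call the computer program so that the electronic device executes the blockchain-based data processing method in the embodiments of the present application.
An embodiment of the present application provides a computer-readable storage medium storing a computer program, the computer program being suitable for being loaded by a processor to execute the blockchain-based data processing method in the embodiments of the present application.
An embodiment of the present application provides a computer program product, which includes a computer program stored in a computer-readable storage medium; a processor of an electronic device reads the computer program from the computer-readable storage medium and executes it, so that the electronic device executes the blockchain-based data processing method in the embodiments of the present application.
In the embodiments of the present application, generating the first bit array corresponding to the first business data ensures that the first business data is usable but not visible, which improves the security of the first business data; further, because the data key is generated by the data intersection application in trusted execution environment a, its generation environment, application environment and storage environment are all secure, so encrypting the first bit array with the data key improves the security of the first bit array; further, by transmitting the ciphertext bit array to the blockchain, the second device's acquisition status for the ciphertext bit array can be accurately traced; in addition, the embodiments of the present application determine the business intersection data between the first business data and the second business data from the first bit array and the second bit array corresponding to the second business data, so not only can business processing associated with the business intersection data be performed, but the security of the first business data is also further improved. As can be seen from the above, the embodiments of the present application can improve the security of data (including the first business data and the first bit array) and accurately trace the data acquisition status.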
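Brief description of the drawings
To explain the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a system architecture provided by an embodiment of the present application;
FIG. 2a is scenario diagram 1 of blockchain-based data processing provided by an embodiment of the present application;
FIG. 2b is a schematic flowchart of a blockchain-based object registration method provided by an embodiment of the present application;
FIG. 2c is scenario diagram 2 of blockchain-based data processing provided by an embodiment of the present application;
FIG. 3 is flowchart 1 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 4a is sequence diagram 1 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 4b is sequence diagram 2 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 4c is sequence diagram 3 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 4d is sequence diagram 4 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 4e is sequence diagram 5 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 5 is flowchart 2 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 6a is sequence diagram 6 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 6b is sequence diagram 7 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 6c is sequence diagram 8 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 7 is flowchart 3 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 8 is sequence diagram 9 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 9 is sequence diagram 10 of a blockchain-based data processing method provided by an embodiment of the present application;
FIG. 10 is structural diagram 1 of a blockchain-based data processing apparatus provided by an embodiment of the present application;
FIG. 11 is structural diagram 2 of a blockchain-based data processing apparatus provided by an embodiment of the present application;
FIG. 12 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.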
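Detailed description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in this application without creative effort fall within the scope of protection of this application.
For ease of understanding, some terms are first briefly explained as follows:
1. Blockchain: a blockchain is a chained data structure with the block as its basic unit. A block uses a digital digest to verify the previously obtained transaction history, which suits the tamper-resistance and scalability requirements of distributed ledger scenarios. Blockchain also refers to the distributed ledger technology implemented with the blockchain structure, including distributed consensus, privacy and security protection, peer-to-peer communication technology, network protocols, smart contracts and so on. The goal of a blockchain is to implement a distributed data record ledger that only allows additions and does not allow deletions. The basic underlying structure of the ledger is a linear linked list. The linked list is made of "blocks" connected in series; each successor block records the hash value of its predecessor block, and whether each block (and the transactions in it) is valid can be quickly checked by computing hash values. If a node in the network issues a request to add a new block, consensus on the block must be reached through the consensus mechanism.
2. Hash value (hash): also called an information feature value or feature value. A hash value is generated by a hash algorithm that converts input data of arbitrary length into an encoded value of fixed length. The original input data cannot be retrieved by decrypting the hash value; it is a one-way cryptographic function. In a blockchain, every block (except the initial block) contains the hash value of its predecessor block. The hash value is the core foundation and most important aspect of the potential of blockchain technology: it preserves the authenticity of recorded and viewed data, as well as the integrity of the blockchain as a whole.
3. Blockchain node: a blockchain network divides nodes into consensus nodes (also called core nodes) and synchronization nodes (which may include data nodes and light nodes). Consensus nodes are responsible for the consensus business of the whole blockchain network; synchronization nodes are responsible for synchronizing the ledger information of the consensus nodes, that is, synchronizing the latest block data. Whether a consensus node or a synchronization node, its internal structure includes a network communication component, because a blockchain network is essentially a peer-to-peer (Peer to Peer, P2P) network and needs to communicate with other nodes in the blockchain network through the P2P component. The resources and services in a blockchain network are distributed across the nodes, and information transfer and service delivery take place directly between nodes, without intermediate steps or the involvement of a centralized server (a third party).
4. Public key and private key: a public key and a private key are a key pair (one public key and one private key) obtained through an algorithm; the public key is the public part of the key pair and the private key is the non-public part. The public key is usually used to encrypt data, verify digital signatures and so on. The algorithm ensures that the resulting key pair is unique. When such a key pair is used, if a piece of data is encrypted with one of the keys, it must be decrypted with the other key; for example, data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key, otherwise decryption will not succeed.
5. Asymmetric signature: a signature algorithm involves two keys, a public key and a private key. The public key and the private key are a pair; if data is signed with the private key, the signature can only be verified with the corresponding public key. Because the signing process and the verification process use two different keys, this kind of algorithm is called an asymmetric signature. The basic process by which asymmetric signatures are used to exchange confidential information can be: party A generates a key pair and publishes the public key; when party A needs to send a message to another role (party B), it signs the confidential message with its own private key and then sends it to party B; party B then verifies the signed message with party A's public key.
6. Smart contract: a computer protocol intended to propagate, verify or execute a contract in an information-based way. In a blockchain system, a smart contract (contract for short) is code that every node of the blockchain can understand and execute; it can execute arbitrary logic and produce a result. In practice, smart contracts are managed and used through transactions on the blockchain. Each transaction is equivalent to a remote procedure call (Remote Procedure Call, RPC) request to the blockchain system. If a smart contract is compared to an executable program, the blockchain is the operating system that provides the runtime environment. A blockchain may contain multiple contracts (such as the resource fusion function and the resource issuance function in this application), distinguished by contract account (Identity, ID), identification number or name. In the embodiments of the present application, the publish topic contract and the subscription topic contract are both smart contracts.
7. Trusted execution environment (Trusted Execution Environment, TEE): a trusted execution environment is a secure area built on a computing platform by software and hardware methods, which ensures that the code and data loaded inside the secure area are protected in terms of confidentiality and integrity. The goal of a trusted execution environment is to ensure that a task executes as expected, guaranteeing the confidentiality and integrity of its initial state and the confidentiality and integrity of its runtime state.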
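Refer to FIG. 1, which is a schematic diagram of a system architecture provided by an embodiment of the present application. As shown in FIG. 1, the system architecture may include a first device cluster, a second device cluster, a certificate device cluster and a blockchain network.
The above system may include one or more first devices; the embodiments of the present application do not limit the number of first devices. As shown in FIG. 1, the first device cluster includes the first device 100a. The first device 100a is a device on which a platform application is installed. The platform application may be a video application, live-streaming application, social application, instant messaging application, game application, music application, shopping application, novel application, browser or another application that provides platform functions. The application client corresponding to the platform application may be a standalone client, or an embedded sub-client integrated into some client (for example, a social client, an education client or a multimedia client), which is not limited here. The first device 100a in the embodiments of the present application can provide the first business data of the platform application; based on privacy protection requirements, it can use a relevant technique (for example, a Bloom filter) to conceal the raw data (the first business data) and generate the first bit array, ensuring the usability of the first business data.
The above system may include one or more second devices; the embodiments of the present application do not limit the number of second devices. As shown in FIG. 1, the second device cluster includes the second device 100b, which can provide a trusted execution environment, for example instruction set extensions (Software Guard Extensions, SGX). Based on this hardware technology, the second device 100b can run the data intersection application in the trusted execution environment, generate the data key in the data intersection application, and store the data key in a secure enclave, which ensures the security of the data key. In addition, the second device 100b can download from the blockchain network the first bit array provided by the first device 100a and run the data intersection application in the trusted execution environment to perform the data intersection operation, that is, use the first bit array and its own second business data to determine the business data common to the first business data and the second business data, which the embodiments of the present application call the business intersection data. The second device 100b can then perform business processing associated with the business intersection data; for example, if the business intersection data represents intersection users, advertisements for the platform application can be delivered to the intersection users to attract them back to the platform application. The data intersection application may be a short-video application, live-streaming application, social application, instant messaging application, game application, music application, shopping application, novel application, browser or another application that provides the function of determining business intersection data. The application client corresponding to the data intersection application may be a standalone client, or an embedded sub-client integrated into some client (for example, a social client, an education client or a multimedia client), which is not limited here.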
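The Bloom-filter step on the first device and the containment check the second device runs inside the data intersection application can be followed end to end in the added example below, which is not code from the application. The array length, the number of mapping functions, SHA-256 double hashing as the random mapping function, and all function names and sample identifiers are assumptions; encryption of the bit array with the data key is left out. The last two functions show the caveat that matters operationally: a Bloom filter never misses a real member but can report items that were never uploaded, and the rate climbs as the array fills.

```python
import hashlib
import math

# Assumed parameters (the application does not state them).
M_BITS = 1 << 16   # length of the bit array
K_HASHES = 4       # number of positions set per item


def positions(item, m=M_BITS, k=K_HASHES):
    """Map one business-data item to k bit positions.

    Assumption: SHA-256 with double hashing plays the role of the
    application's random mapping function.
    """
    digest = hashlib.sha256(item.encode("utf-8")).digest()
    h1 = int.from_bytes(digest[:8], "big")
    h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step, never zero
    return [(h1 + i * h2) % m for i in range(k)]


def item_bit_array(item, m=M_BITS, k=K_HASHES):
    """Bit array of a single item (E_d for second business data C_d)."""
    bits = 0
    for p in positions(item, m, k):
        bits |= 1 << p
    return bits


def build_first_bit_array(items, m=M_BITS, k=K_HASHES):
    """First device: start from the all-zero initial bit array and set the
    bits mapped to every item of the first business data."""
    bits = 0
    for item in items:
        bits |= item_bit_array(item, m, k)
    return bits


def intersect(first_bits, second_items, m=M_BITS, k=K_HASHES):
    """Second device: C_d counts as business intersection data when the
    first bit array contains every bit of E_d."""
    result = []
    for c in second_items:
        e = item_bit_array(c, m, k)
        if (first_bits & e) == e:
            result.append(c)
    return result


def fill_ratio(bits, m=M_BITS):
    """Fraction of bits set; a value near 1.0 means almost any item matches."""
    return bin(bits).count("1") / m


def expected_false_positive_rate(n, m=M_BITS, k=K_HASHES):
    """Standard Bloom-filter estimate after inserting n items."""
    return (1.0 - math.exp(-k * n / m)) ** k


# Constructed sample data (not from the application).
FIRST_BUSINESS_DATA = ["user-1001", "user-1002", "user-1003", "user-1004"]
SECOND_BUSINESS_DATA = ["user-1003", "user-2001", "user-1001", "user-2002"]


def demo():
    first_bits = build_first_bit_array(FIRST_BUSINESS_DATA)
    return intersect(first_bits, SECOND_BUSINESS_DATA)


if __name__ == "__main__":
    print("intersection:", demo())
    print("fill ratio:", fill_ratio(build_first_bit_array(FIRST_BUSINESS_DATA)))
    print("estimated false-positive rate:",
          expected_false_positive_rate(len(FIRST_BUSINESS_DATA)))
```

Sizing the array against the expected number of items, and rejecting an array whose fill ratio is too high, keeps the intersection result close to the true common set.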
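The above system may include one or more certificate devices; the embodiments of the present application do not limit the number of certificate devices. As shown in FIG. 1, the certificate device cluster includes the certificate device 100c. The certificate device 100c in the embodiments of the present application is a device that provides an object information endorsement function, for example a device corresponding to a certificate authority (Certificate Authority, CA). The certificate device cluster can provide object authentication for the first object corresponding to the first device cluster and for the second object corresponding to the second device cluster, provide object information endorsement for the first object and the second object respectively, and bind each object's public key to its object information for signature verification, ensuring that the object information is complete and cannot be forged, and ensuring non-repudiation by the sender of the information.
Any device in FIG. 1 (including the first device 100a, the second device 100b and the certificate device 100c) includes but is not limited to a terminal device or a business server. The business server may be an independent physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud databases, cloud services, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN, and big data and artificial intelligence platforms. Terminal devices include but are not limited to mobile phones, computers, intelligent voice interaction devices, smart home appliances, vehicle-mounted terminals, aircraft and the like.
The blockchain network may include a blockchain node cluster 10, which may include blockchain node 10A, blockchain node 10B, blockchain node 10C and blockchain node 10N. Likewise, the embodiments of the present application do not limit the number of blockchain nodes in the blockchain node cluster 10. The blockchain nodes in FIG. 1 include but are not limited to mobile terminals or servers. The server may be an independent physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery network (Content Delivery Network, CDN for short), and big data and artificial intelligence platforms. The mobile terminals include but are not limited to mobile phones, computers, intelligent voice interaction devices, smart home appliances, vehicle-mounted terminals, aircraft and the like. The mobile terminal and the server may be connected directly or indirectly in a wired or wireless manner, which is not limited in the embodiments of the present application.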
第一设备集群之间可以存在通信连接。同时,第一设备集群中的第一设备可以与第二设备集群中的第二设备存在通信连接,例如第一设备100a与第二设备100b之间存在通信连接。同时,第一设备集群中的第一设备可以与证书设备集群中的证书设备存在通信连接,例如第一设备100a与证书设备100c之间存在通信连接。同时,第一设备集群中的第一设备可以与区块链节点集群10中的区块链节点存在通信连接,例如第一设备100a可以与区块链节点10A之间存在通信连接。
第二设备集群之间可以存在通信连接。同时,第二设备集群中的第二设备可以与证书设备集群中的证书设备存在通信连接,例如第二设备100b与证书设备100c之间存在通信连接。同时,第二设备集群中的第二设备可以与区块链节点集群10中的区块链节点存在通信连接,例如第二设备100b可以与区块链节点10A之间存在通信连接。
证书设备集群之间可以存在通信连接。同时,证书设备集群中的证书设备可以与区块链节点集群10中的区块链节点存在通信连接,例如证书设备100c可以与区块链节点10A之间存在通信连接。
区块链节点集群10之间可以存在通信连接,例如区块链节点10A与区块链节点10C之间存在通信连接,区块链节点10A与区块链节点10N之间存在通信连接。
上述的通信连接不限定连接方式,可以通过有线通信方式进行直接或间接地连接,也可以通过无线通信方式进行直接或间接地连接,还可以通过其他方式,本申请在此不做限制。
在本申请的具体实施方式中,涉及到用户信息(例如主题发布对象信息以及主题订阅对象信息)等相关的数据,当本申请中的实施例运用到具体产品或技术中时,需要获得用户许可或者同意,且相关数据的收集、使用和处理需要遵守相关国家和地区的相关法律法规和标准。
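The flow of the blockchain-based data processing method provided by the embodiments of this application can be summarized as follows.
Step 1. The first device 100a corresponding to the first object (for example a platform operator) generates a first asymmetric key pair used for signing business messages. The second device 100b corresponding to the second object (for example an advertiser, that is, another platform operator different from the first object) generates a second asymmetric key pair used for signing business messages and a third asymmetric key pair used for signing the data intersection application; the third asymmetric key pair can be used to establish that the application developer is a developer of the second object. Refer also to FIG. 2a, which is the first scenario diagram of blockchain-based data processing provided by an embodiment of this application. The first asymmetric key pair includes the first private key in FIG. 2a and its corresponding first public key; the second asymmetric key pair includes the second private key in FIG. 2a and its corresponding second public key; the third asymmetric key pair includes the third private key in FIG. 2a and its corresponding third public key.
Step 2. As shown in FIG. 2a, the first device 100a takes the first public key and the first object information representing the first object as parameters and generates a first certificate application request; it signs the first certificate application request with the first private key to obtain a first signature message, and sends the first certificate application request carrying the first signature message to the certificate device 100c. The second device 100b takes the second public key and the second object information representing the second object as parameters and generates a second certificate application request; it signs the request with the second private key to obtain a second signature message, and sends the second certificate application request carrying the second signature message to the certificate device 100c. The second device 100b also takes the third public key and the second object information as parameters and generates a third certificate application request; it signs the request with the third private key to obtain a third signature message, and sends the third certificate application request carrying the third signature message to the certificate device 100c. The second device 100b thus applies to the certificate device 100c for two certificates.
Step 3. As shown in FIG. 2a, on receiving the first certificate application request, the certificate device 100c first verifies the first signature message with the first public key. If the signature verifies, it reviews the first object information, and once it confirms that the first object information is correct, it issues to the first device 100a a first business certificate that includes the first public key. Likewise, on receiving the second certificate application request, it first verifies the second signature message with the second public key; if the signature verifies, it reviews the second object information, and once it confirms that the information is correct, it issues to the second device 100b a second business certificate that includes the second public key. Likewise, on receiving the third certificate application request, it first verifies the third signature message with the third public key; if the signature verifies, it reviews the second object information, and once it confirms that the information is correct, it issues to the second device 100b an application developer certificate that includes the third public key.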
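Step 4. As shown in FIG. 2a, the first device 100a takes the first business certificate as a parameter and sends a first object registration request to the blockchain network. The first object registration request also carries a signature message, generated in the same way as the first signature message, which is not described again here. To distinguish it from the signature messages mentioned above, the signature message carried by the first object registration request is called the fourth signature message; similarly, the second object registration request mentioned below carries a fifth signature message and the third object registration request carries a sixth signature message.
When a blockchain node in the blockchain network receives the first object registration request, it first verifies the fourth signature message with the first public key. If the signature verifies, it reviews the first business certificate. If the review passes, it calls the object contract in the smart contract; the object contract generates, from the first public key in the first business certificate, a first address corresponding to the first object information, uses the first address as the first object identifier, and then stores the first object identifier, the first business certificate and the first object information in association with one another. The structure parameters and contract methods of the object contract are shown in the object contract in FIG. 2b.
Likewise, when a blockchain node receives the second object registration request, it first verifies the fifth signature message with the second public key. If the signature verifies, it reviews the second business certificate. If the review passes, it calls the object contract, which generates, from the second public key in the second business certificate, a second address corresponding to the second object information, uses it as the second object identifier, and stores the second object identifier, the second business certificate and the second object information in association. Likewise, when a blockchain node receives the third object registration request, it first verifies the sixth signature message with the third public key. If the signature verifies, it reviews the application developer certificate. If the review passes, it calls the object contract, which generates, from the third public key in the application developer certificate, a third address corresponding to the second object information, uses it as the third object identifier, and stores the third object identifier, the application developer certificate and the second object information in association.
For steps 1 to 4 above, refer also to FIG. 2b, which is a flow diagram of a blockchain-based object registration method provided by an embodiment of this application. As shown in FIG. 2b: step 1a, the first device generates the first asymmetric key pair; step 1b, the second device generates the second and third asymmetric key pairs; step 2a, the first device applies to the certificate device for a certificate; step 2b, the second device applies to the certificate device for certificates; step 3a, the certificate device issues a certificate to the first device; step 3b, the certificate device issues certificates to the second device; step 4a, the first device registers its object with the blockchain node; step 4b, the second device registers its object with the blockchain node. It follows that the information of the participants (the first object and the second object) is authenticated by the CA and the keys are tied to the object information. Every step of the collaboration is signed with a private key, so each step can be linked to its initiator. This prevents tampering and repudiation, facilitates tracing and supervision, and reduces malicious behaviour.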
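Step 5. The first device needs to determine that the first business data satisfies the data upload condition. The determination can be summarized as follows; refer also to FIG. 2c, which is the second scenario diagram of blockchain-based data processing provided by an embodiment of this application. As shown in FIG. 2c, the first device 100a uses remote attestation to check the security of the second device 100b's object information, execution environment and application. The implementation of this process is not expanded here; see the description of step S101 in the embodiment corresponding to FIG. 3 and the description in the embodiment corresponding to FIG. 5 below. If, through these security checks, the first device 100a determines that the first business data satisfies the data upload condition, it obtains the first bit array 20a corresponding to the first business data. The first bit array 20a makes the original data, that is, the first business data, usable but not visible, which improves the security of the first business data. For how the first bit array 20a is generated, see the description of step S101 in the embodiment corresponding to FIG. 3 below.
Step 6. As shown in FIG. 2c, the first device 100a encrypts the first bit array 20a with the data key 20b to obtain the ciphertext bit array 20c. The data key 20b is generated by the second device 100b in the data intersection application inside the trusted execution environment 20e. Because the data key 20b is generated in the TEE, its generation environment is secure and the data key 20b does not leak, so encrypting the first bit array 20a with it is highly secure. Only the enclave that generated it (that is, the data intersection application) can decrypt the ciphertext bit array 20c with the data key 20b, which ensures the security of the first bit array 20a.
Step 7. The first device 100a signs the ciphertext bit array 20c with the first private key to obtain a seventh signature message. As shown in FIG. 2c, the first device 100a transmits the ciphertext bit array 20c carrying the seventh signature message to the blockchain network. After receiving the ciphertext bit array 20c, a blockchain node in the blockchain network first verifies the seventh signature message with the first public key of the first asymmetric key pair. If the signature verifies, the blockchain node is assured that the ciphertext bit array 20c is complete and has not been tampered with, so it puts the ciphertext bit array 20c on chain, that is, stores it.
Step 8. The second device 100b sends the blockchain network a data download request for the ciphertext bit array 20c. After obtaining the data download request, the blockchain node decides, according to the current subscription status corresponding to the second object information (equivalent to the topic subscription object information in this application), whether to return the ciphertext bit array 20c or refuse the request, and records this process on chain so that it can be traced. If the current subscription status for the second object information indicates that the second device 100b is permitted to obtain the ciphertext bit array 20c, the ciphertext bit array 20c is returned to the second device 100b. The blockchain network thus witnesses the second device 100b obtaining the ciphertext bit array 20c, which makes the data traceable and prevents the second device 100b from failing to provide the business service.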
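Step 9. As shown in FIG. 2c, the second device 100b has an ordinary execution environment 20d and a trusted execution environment 20e. The ordinary execution environment 20d can run the second object platform corresponding to the second object (which is different from the platform corresponding to the first device 100a), for example an advertiser platform; the data intersection application runs in the trusted execution environment 20e. In the second object platform running in the ordinary execution environment 20d, the second device 100b takes the ciphertext bit array 20c and the second business data as parameters, generates an intersection data lookup request, and sends it to the data intersection application running in the trusted execution environment 20e.
Step 10. As shown in FIG. 2c, in the data intersection application, the second device 100b decrypts the ciphertext bit array 20c with the data key 20b to obtain the first bit array 20a. The second device 100b then generates the second bit array 20f corresponding to the second business data. Using the first bit array 20a and the second bit array 20f, the second device 100b can determine the business data common to the first business data and the second business data, referred to in the embodiments of this application as business intersection data.
Step 11. As shown in FIG. 2c, the second device 100b transmits the business intersection data determined in the trusted execution environment 20e to the second object platform, and then performs the business processing associated with the business intersection data.
The embodiments of this application can be applied in a variety of scenarios, including but not limited to cloud technology, artificial intelligence, intelligent transportation and assisted driving. They are suitable for determining business intersection data between platforms, for platform recommendation, for platform evaluation and so on; the specific business scenarios are not listed one by one here.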
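Refer to FIG. 3, which is the first flow diagram of a blockchain-based data processing method provided by an embodiment of this application. The method may be performed by the first device, by the second device, by a blockchain node, or interactively by at least two of the first device, the second device and the blockchain node; this is not limited here. For ease of description and understanding, the embodiment is described as performed in the first device, which may be the first device 100a of the embodiment corresponding to FIG. 1. As shown in FIG. 3, the method may include at least the following steps S101 to S103.
Step S101: when the first business data satisfies the data upload condition, generate the first bit array corresponding to the first business data.
Specifically: generate a topic for the first business data, and generate a topic publish request that includes the topic and the topic publishing object information; sign the topic publish request with the device private key corresponding to the first device to obtain signature message z, and, based on the topic publish request, call the publish-topic contract of the blockchain node; through the publish-topic contract, send the topic publish request carrying signature message z to the blockchain node, so that the blockchain node calls the publish-topic contract when the topic publish request passes the legitimacy check. The publish-topic contract instructs the blockchain node to store the topic when it has verified that the topic publishing object information belongs to the registered object information and has determined that the topic has the to-be-published attribute. The topic stored at the blockchain node instructs the second device to send a topic subscription request to the blockchain node; signature message z instructs the blockchain node to check the legitimacy of the topic publish request. Obtain the topic subscription request forwarded by the blockchain node once it has determined that the topic subscription request has the request-valid attribute; according to the forwarded topic subscription request, determine the relationship between the first business data and the data upload condition. That relationship is either that the first business data satisfies the data upload condition or that it does not.
In some embodiments, determining the relationship between the first business data and the data upload condition according to the topic subscription request forwarded by the blockchain node may include: generating a remote attestation request according to the forwarded topic subscription request; sending the remote attestation request to the second device, so that the second device generates, according to the remote attestation request, an intermediate key pair g that includes an intermediate public key f, where the intermediate public key f instructs the second device to call trusted execution environment a and generate a remote attestation report for the data intersection application; obtaining the remote attestation report returned by the second device, and determining the relationship between the first business data and the data upload condition according to the remote attestation report.
In some embodiments, generating the remote attestation request according to the forwarded topic subscription request may include: generating, according to the forwarded topic subscription request, an attestation challenge random number and an intermediate key pair j that includes an intermediate private key h and an intermediate public key i; and generating the remote attestation request from the intermediate public key i and the attestation challenge random number. The intermediate public key i instructs the second device to generate the communication key from the intermediate public key i, the attestation challenge random number and the intermediate private key k of the intermediate key pair g; the communication key is used to encrypt the data key to obtain the encrypted data key. The method may then further include: obtaining the intermediate public key f from the remote attestation report, and generating the communication key from the intermediate public key f, the attestation challenge random number and the intermediate private key h; obtaining the encrypted data key returned by the second device, and decrypting it with the communication key to obtain the data key.
Specifically: obtain an initial bit array to which first random numbers are mapped and a random mapping function, and input the first business data into the random mapping function; generate, through the random mapping function, the second random number corresponding to the first business data, where the first random numbers include the second random number; determine in the initial bit array the to-be-updated bit array, to which the second random number is mapped; update the to-be-updated bit array in the initial bit array, and take the updated initial bit array as the first bit array.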
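In the embodiments of this application, before publishing the ciphertext bit array, the first device first publishes the topic corresponding to the first business data so that data recipients (including the second device) can subscribe to it. The first device can therefore review the second device's topic subscription request and return the review result to the blockchain network; if the result is a pass, the first business data is determined to satisfy the data upload condition. Refer also to FIG. 4a, which is the first sequence diagram of a blockchain-based data processing method provided by an embodiment of this application. As shown in FIG. 4a: step 4a1, the first device generates the topic. The embodiments of this application do not limit the platform corresponding to the first device, and therefore do not limit the type of the first business data. Step 4a2, the first device generates the topic publish request, which includes the topic and the topic publishing object information (equivalent to the first object information mentioned above). Step 4a3, the first device generates signature message z: it signs the topic publish request with the device private key corresponding to the first device (equivalent to the first private key mentioned above). Step 4a4, the first device sends the topic publish request carrying signature message z to the blockchain node; specifically, the first device calls the publish-topic method of the topic contract on the blockchain (that is, the publish-topic contract) to publish the topic to the blockchain network. The structure parameters and contract methods (including the publish-topic method) of the topic contract are shown in the topic contract in FIG. 4a. Step 4a5, the blockchain node verifies the topic; specifically, after receiving the topic publish request, the blockchain node verifies signature message z with the device public key corresponding to the first device (equivalent to the first public key above). If verification passes, the topic publish request is known not to have been tampered with, and the node calls the publish-topic method. Through that method, the blockchain node can check that the publisher (that is, the topic publishing object information) belongs to the object information registered on chain, equivalent to the valid object shown in bold in FIG. 4a, and can check that the topic has not yet been registered, that is, whether the topic already exists on chain. After these checks pass, step 4a6 is performed. Step 4a6, the blockchain node stores the topic. Step 4a7, the blockchain node returns a result to the first device; the result may be information indicating that the blockchain node has stored the topic. The process by which the second device sends a topic subscription request to the blockchain node is not expanded here; see the description in the embodiment corresponding to FIG. 7 below.
When the topic subscription request is determined to have the request-valid attribute, the blockchain node forwards it to the first device, or the first device queries the blockchain node for pending topic subscription requests, as shown in FIG. 4b, which is the second sequence diagram of a blockchain-based data processing method provided by an embodiment of this application. Step 4b1, the first device queries the blockchain node for pending topic subscription requests. Step 4b2, the blockchain node returns the latest valid topic subscription request to the first device; the blockchain node can take the topic (equivalent to the topic name) as a parameter and call a method of the topic contract, shown in bold in FIG. 4b as "get latest valid subscription request", to obtain the pending topic subscription request.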
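From the topic subscription request forwarded by the blockchain node, the first device can determine the relationship between the first business data and the data upload condition. Refer also to FIG. 4c, which is the third sequence diagram of a blockchain-based data processing method provided by an embodiment of this application. As shown in FIG. 4c: step 4c1, the first device generates the attestation challenge random number and the intermediate key pair j(h, i), where h denotes the intermediate private key of pair j and i denotes the intermediate public key of pair j; they form an asymmetric key pair. Step 4c2, the first device generates the remote attestation request; specifically, it takes the intermediate public key i and the attestation challenge random number as parameters. Step 4c3, the first device sends the remote attestation request. Step 4c4, the second device generates the intermediate key pair g(f, k), where f denotes the intermediate public key of pair g and k denotes the intermediate private key of pair g; this is also an asymmetric key pair. Step 4c5, the second device generates the remote attestation report; specifically, it takes the intermediate public key f as a parameter and calls trusted execution environment a to generate the report. Step 4c6, the second device generates the communication key; specifically, it generates the communication key from the intermediate public key i in the remote attestation request, the attestation challenge random number and the intermediate private key k, and saves it. One feasible way is to generate the communication key with a key exchange algorithm. The intermediate private key h and intermediate public key i of pair j can be expressed by formula (1).
i=(G^h)mod p                          (1)
In formula (1), G is the base and p is a prime; both G and p are part of the attestation challenge random number.
The intermediate private key k and intermediate public key f of pair g can be expressed by formula (2).
f=(G^k)mod p                          (2)
The communication key generated separately by the first device and the second device can be expressed by formula (3).
S=(i^k)mod p=(f^h)mod p      (3)
Step 4c7, the second device returns the remote attestation report to the first device. Step 4c8, the first device verifies the remote attestation report; it calls the attestation service (Provisioning Certification Service, PCS) to verify the report. If verification passes, that is, the first business data satisfies the data upload condition, step 4c9 is performed. Step 4c9, the first device generates the communication key. Specifically, the first device generates the communication key from the intermediate public key f in the remote attestation report, the attestation challenge random number and the intermediate private key h, as in formula (3), and then saves the communication key.
In the embodiments of this application, to protect the first bit array, the first device encrypts it, and the data key used for the encryption is generated by the second device in the trusted execution environment. Refer also to FIG. 4d, which is the fourth sequence diagram of a blockchain-based data processing method provided by an embodiment of this application. As shown in FIG. 4d: step 4d1, the second device generates the data key; it can do so in the trusted execution environment on obtaining the remote attestation request, and the data key is used and stored inside the trusted execution environment. Step 4d2, the second device generates the encrypted data key; specifically, it encrypts the data key with the communication key. Step 4d3, the second device sends the encrypted data key to the first device. Step 4d4, the first device decrypts the encrypted data key with the communication key to obtain the data key. Devices other than the first device and the second device cannot generate the communication key, because they hold neither the intermediate private key k nor the intermediate private key h.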
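The exchange in steps 4c1 to 4c9 and 4d1 to 4d4, as an added example that is not part of the patent text: both sides derive the communication key per formulas (1) to (3), and the second device uses it to wrap the data key. The modulus, the base, the nonce field in the challenge, the dictionary standing in for the attestation report and the HMAC-based wrap (a standard-library stand-in for an authenticated cipher) are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters (assumption): p is the Mersenne prime 2**521 - 1.
# A deployment would use a standardized group or an elliptic-curve exchange.
P = 2**521 - 1
G = 3


def make_challenge():
    """Attestation challenge carrying G and p, plus a fresh nonce (assumed field)."""
    return {"G": G, "p": P, "nonce": secrets.token_bytes(16)}


def gen_keypair(challenge):
    """Return (private, public) with public = G^private mod p, as in (1) and (2)."""
    p = challenge["p"]
    private = secrets.randbelow(p - 3) + 2          # uniform in 2 .. p-2
    return private, pow(challenge["G"], private, p)


def check_public(value, p):
    """Reject degenerate peer values that would force a predictable secret."""
    if not isinstance(value, int) or not 1 < value < p - 1:
        raise ValueError("peer public value out of range")
    return value


def communication_key(peer_public, own_private, challenge):
    """Formula (3): S = peer_public^own_private mod p, hashed with the nonce."""
    p = challenge["p"]
    s = pow(check_public(peer_public, p), own_private, p)
    s_bytes = s.to_bytes((p.bit_length() + 7) // 8, "big")
    return hmac.new(challenge["nonce"], s_bytes, hashlib.sha256).digest()


def _subkey(comm_key, label, data):
    return hmac.new(comm_key, label + data, hashlib.sha256).digest()


def wrap_data_key(comm_key, data_key):
    """Encrypt-then-MAC wrap of a 32-byte data key under the communication key."""
    if len(data_key) != 32:
        raise ValueError("data key must be 32 bytes")
    iv = secrets.token_bytes(16)
    stream = _subkey(comm_key, b"enc", iv)
    ct = bytes(a ^ b for a, b in zip(data_key, stream))
    return iv + ct + _subkey(comm_key, b"mac", iv + ct)


def unwrap_data_key(comm_key, blob):
    """Check the tag in constant time before releasing the data key."""
    if len(blob) != 80:
        raise ValueError("malformed encrypted data key")
    iv, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _subkey(comm_key, b"mac", iv + ct)):
        raise ValueError("encrypted data key failed integrity check")
    stream = _subkey(comm_key, b"enc", iv)
    return bytes(a ^ b for a, b in zip(ct, stream))


def run_exchange():
    """Walk the steps in order; returns (data_key, recovered, key_first, key_second)."""
    challenge = make_challenge()                 # 4c1: first device
    h, i = gen_keypair(challenge)                # 4c1: private h, public i
    k, f = gen_keypair(challenge)                # 4c4: second device, private k, public f
    report = {"intermediate_public_key_f": f}    # 4c5: constructed stand-in for the report
    key_second = communication_key(i, k, challenge)          # 4c6
    data_key = secrets.token_bytes(32)           # 4d1: generated inside the enclave
    blob = wrap_data_key(key_second, data_key)   # 4d2, 4d3
    # 4c8/4c9: f is taken from the report only after the report has been verified.
    key_first = communication_key(report["intermediate_public_key_f"], h, challenge)
    return data_key, unwrap_data_key(key_first, blob), key_first, key_second  # 4d4
```

Taking f from the verified attestation report, rather than from an unauthenticated message, is what ties the communication key to the attested enclave.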
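When the first business data satisfies the data upload condition, the first device generates the first bit array corresponding to the first business data. One feasible way to generate the first bit array is a Bloom filter. A Bloom filter consists of a very long binary vector (equivalent to the initial bit array; every position of the original vector is 0) and a series of random mapping functions. A Bloom filter can be used to check whether an element (for example the second business data in the embodiments of this application) is in a set (for example the first business data). The principle is as follows: when an element is added to the set, L random mapping functions (L is usually greater than 1) map the element to L positions in the initial bit array, and those L positions are set to 1. On lookup, the L positions in the first bit array are checked. If any one of them is not 1, the element is definitely not in the set; if all L positions are 1, the element may be in the set, and in the embodiments of this application the element is then determined to be business intersection data.
Refer also to FIG. 4e, which is the fifth sequence diagram of a blockchain-based data processing method provided by an embodiment of this application. As shown in FIG. 4e: step 4e1, the first device obtains the first business data. Step 4e2, the first device generates the first bit array: it creates a Bloom filter and stores the first business data in it, so the first bit array is the Bloom filter holding the first business data. In the embodiments of this application, the first device does not provide plaintext data (the first business data); instead it reads the first business data from the database and stores it in the Bloom filter. Without leaking the data, this still lets the second device filter out the business intersection data, achieving the goal of data that is usable but not visible.
Step S102: encrypt the first bit array with the data key to obtain the ciphertext bit array; the data key is generated by the second device in the data intersection application, which runs in trusted execution environment a of the second device.
Specifically, referring again to FIG. 4e: step 4e3, the first device generates the encrypted bit array, that is, it encrypts the first bit array with the data key to obtain the encrypted bit array.
Step S103: transmit the ciphertext bit array to a blockchain node in the blockchain, so that the blockchain node stores the ciphertext bit array. The ciphertext bit array stored at the blockchain node is to be forwarded by the blockchain node to the second device. The second device, in the data intersection application, decrypts the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array. The first bit array instructs the second device to generate, in the data intersection application, the second bit array corresponding to the second business data. The second bit array and the first bit array instruct the second device to determine, in the data intersection application, the business intersection data between the first business data and the second business data. The business intersection data instructs the second device to perform the business processing associated with the business intersection data.
Specifically: step 4e4, the first device sends the encrypted bit array to the blockchain node. Step 4e5, the blockchain node stores the encrypted bit array.
How the second device obtains the encrypted bit array and how it determines the business intersection data are not expanded here; see the description in the embodiment corresponding to FIG. 7 below.
In the embodiments of this application, generating the first bit array corresponding to the first business data keeps the first business data usable but not visible, which improves its security. Further, because the data key is generated by the data intersection application in trusted execution environment a, its generation, use and storage environments are all secure, so encrypting the first bit array with the data key improves the security of the first bit array. Further, transmitting the ciphertext bit array to the blockchain makes it possible to trace accurately whether and how the second device obtained the ciphertext bit array. In addition, the business intersection data between the first business data and the second business data is determined from the first bit array and the second bit array corresponding to the second business data, so the business processing associated with the business intersection data can be carried out while the security of the first business data is further improved. It follows that the embodiments of this application improve the security of the data (including the first business data and the first bit array) and allow the data acquisition status to be traced accurately.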
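Refer to FIG. 5, which is the second flow diagram of a data processing method provided by an embodiment of this application. As shown in FIG. 5, the method includes the following steps S1011 to S1013, which are a specific embodiment of step S101 in the embodiment corresponding to FIG. 3.
Step S1011: call the attestation service and verify the remote attestation report through it to obtain a first verification result.
As an example, remote attestation takes place before the first device sends the ciphertext bit array to the blockchain network. It mainly verifies the second device's data runtime environment, the security of the application, and the correctness of the developer information (that is, the subscriber), thereby ensuring that the ciphertext bit array is provided to the correct user and that it is used securely.
As an example, the embodiments of this application do not limit the order in which the data runtime environment, the application and the developer information are verified. They may be verified in parallel or serially; if serially, the data runtime environment may be verified first or last.
Step S1012: when the first verification result indicates that verification of the remote attestation report failed, determine that the first business data does not satisfy the data upload condition.
As an example, when the first verification result indicates that verification of the remote attestation report failed, determine that trusted execution environment a does not have the environment-secure attribute; generate a first updated subscription status indicating that trusted execution environment a does not have the environment-secure attribute, and send it to the blockchain node so that the blockchain node sets the first updated subscription status for the topic subscription request.
The first device calls the attestation service to verify the validity of the remote attestation report. A failure means the second device's trusted execution environment is not reliable and the subscription request must be ignored. The first device then updates the subscription status to "environment not secure", that is, the first updated subscription status, and terminates the subsequent flow.
Step S1013: when the first verification result indicates that the remote attestation report was verified successfully, obtain the source code of the data intersection application and, according to the source code, determine the relationship between the first business data and the data upload condition.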
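As an example: verify the source code to obtain a second verification result; when the second verification result indicates that the source code passed verification, obtain from the remote attestation report the topic subscription object information for the data intersection application and verify it to obtain a third verification result; obtain from the remote attestation report the remote measurement value for the source code and verify it to obtain a fourth verification result; determine the relationship between the first business data and the data upload condition according to the third and fourth verification results; when the second verification result indicates that the source code failed verification, determine that the first business data does not satisfy the data upload condition. The following may also be performed: when the second verification result indicates that the source code failed verification, determine that the source code does not have the code-secure attribute; generate a second updated subscription status indicating that the source code does not have the code-secure attribute, and send it to the blockchain node so that the blockchain node sets the second updated subscription status for the topic subscription request.
In some embodiments, verifying the topic subscription object information to obtain the third verification result may include: obtaining the application development object certificate for the data intersection application, obtaining the application development object information from that certificate, and comparing the topic subscription object information with the application development object information; when the two differ, generating a third verification result indicating that the topic subscription object information failed verification; when the two are the same, generating a third verification result indicating that the topic subscription object information passed verification. The following may also be performed: when the third verification result indicates that the topic subscription object information failed verification, generate a third updated subscription status indicating that the topic subscription object information is unauthorized object information, and send it to the blockchain node so that the blockchain node sets the third updated subscription status for the topic subscription request.
In some embodiments, verifying the remote measurement value to obtain the fourth verification result may include: compiling the source code in trusted execution environment b of the first device to obtain a trusted measurement value; comparing the remote measurement value with the trusted measurement value; when the two differ, generating a fourth verification result indicating that the remote measurement value failed verification; when the two are the same, generating a fourth verification result indicating that the remote measurement value passed verification. The following may also be performed: when the fourth verification result indicates that the remote measurement value failed verification, generate a fourth updated subscription status indicating that the source code does not match the running code, and send it to the blockchain node so that the blockchain node sets the fourth updated subscription status for the topic subscription request.
In some embodiments, determining the relationship between the first business data and the data upload condition according to the third and fourth verification results may include: when the third verification result indicates that the topic subscription object information passed verification and the fourth verification result indicates that the remote measurement value passed verification, determining that the first business data satisfies the data upload condition. The following may also be performed: when the first business data satisfies the data upload condition, generate a fifth updated subscription status indicating that the topic subscription request passed verification, and send it to the blockchain node so that the blockchain node sets the fifth updated subscription status for the topic subscription request.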
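When there is an unprocessed remote attestation report, the first device verifies the identity of the subscriber corresponding to that report to make sure it is a partner. Refer also to FIG. 6a, which is the sixth sequence diagram of a blockchain-based data processing method provided by an embodiment of this application. As shown in FIG. 6a: step 6a1, the first device asks the blockchain node for the application developer certificate. If the first device has not yet cached the subscriber's application developer certificate, it downloads the certificate from the chain and caches it; if the certificate is already cached locally, step 6a1 is skipped and step 6a2 is performed. Step 6a2, the blockchain node returns the application developer certificate to the first device; the blockchain node can call the get-object-information method of the object contract with the object identifier sent by the first device to obtain the requested certificate. Step 6a3, the first device verifies the topic subscription object information to obtain the third verification result; specifically, it compares the application development object information in the application developer certificate with the topic subscription object information in the remote attestation report. Step 6a4, when verification fails, the first device returns the third updated subscription status to the blockchain node. When verification passes, the first device does not perform this step; it may perform other verification steps or return the fifth updated subscription status to the blockchain node.
The second device provides the source code of the data intersection application to the first device, and the first device reviews it manually. When the source code contains unsafe elements, for example a vulnerability or malicious use of data, the subscription status is updated to "program not as expected" (the second updated subscription status) and the subsequent flow is terminated.
Refer also to FIG. 6b, which is the seventh sequence diagram of a blockchain-based data processing method provided by an embodiment of this application. As shown in FIG. 6b: step 6b1, the first device compiles the source code in its trusted execution environment to produce the trusted measurement value; step 6b2, the first device compares the trusted measurement value with the remote measurement value; when they are the same, it returns the fifth updated subscription status or continues with the subsequent process. Step 6b3, when they differ, the first device returns the fourth updated subscription status. A mismatch between the trusted measurement value and the remote measurement value means that the code the second device submitted for review is not the code it is actually running in its TEE, which is a potential risk; the subscription status is therefore updated to "reviewed code does not match running code" and the subsequent flow is terminated.
As described above, verification of the source code has two parts: verifying the source code itself and compiling it. Refer also to FIG. 6c, which is the eighth sequence diagram of a blockchain-based data processing method provided by an embodiment of this application. As shown in FIG. 6c: step 6c1, the second device produces the source code of the data intersection application; step 6c2, the second device compiles the source code in the trusted execution environment to obtain the data intersection application; step 6c3, the second device runs the data intersection application in the trusted execution environment; step 6c4, the second device transmits the source code to the first device. The embodiments of this application do not limit how the source code is transmitted: it may be sent point to point from the second device to the first device, or the second device may transmit it to the blockchain network for the first device to fetch. When the second device updates the source code, it transmits the updated source code to the first device again. The order of steps 6c4 and 6c2 is not limited; they may be performed at the same time. Step 6c5, the second device reviews the source code; if the review fails, the second updated subscription status is sent to the blockchain node; if the review passes, step 6c6 is performed: the first device compiles the source code in its trusted execution environment to obtain the data intersection application. Step 6c7, the first device generates the trusted measurement value of the data intersection application; the subsequent process is the same as above and is not repeated.
When all of the above checks (subscriber authentication, data runtime environment attestation and application security attestation) pass, the first device updates the subscriber in the topic contract and updates the status of the subscription request in the contract to "completed" (the fifth updated subscription status). The first device also saves the remote attestation result.
Combining this embodiment with step S101 of the embodiment corresponding to FIG. 3: after obtaining a pending topic subscription request, the first device sends a remote attestation request to the subscriber (that is, the second device) according to that request. The remote attestation request prompts the second device not only to return the remote attestation report but also to generate the communication key and return the encrypted data key.
The embodiments of this application combine blockchain, trusted execution environment and Bloom filter technology to provide a combined hardware and software solution for computing the intersection of encrypted data. The blockchain provides object information authentication and ensures a transparent, trustworthy process; TEE remote attestation ensures the security of the execution environment and the application; the Bloom filter makes the data usable but not visible. The solution greatly reduces the time and space complexity of the program and protects the data throughout its life cycle of storage, transmission and execution. Common samples across the parties can be found quickly without leaking business data, which makes joint business processing possible.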
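Refer to FIG. 7, which is the third flow diagram of a blockchain-based data processing method provided by an embodiment of this application. The method may be performed by the first device, by the second device, by a blockchain node, or interactively by at least two of them; this is not limited here. For ease of description and understanding, the embodiment is described as performed in the second device, which may be the second device 100b of the embodiment corresponding to FIG. 1. As shown in FIG. 7, the method may include at least the following steps S201 to S204.
Step S201: obtain the ciphertext bit array forwarded by a blockchain node in the blockchain. The ciphertext bit array was transmitted to the blockchain node by the first device and was obtained by the first device encrypting the first bit array with the data key; the data key is generated by the second device in the data intersection application, which runs in trusted execution environment a of the second device; the first bit array was generated by the first device for the first business data when the first business data satisfied the data upload condition.
In some embodiments: generate, according to the topic subscription object information, a topic subscription request for subscribing to the topic, where the topic was generated by the first device for the first business data; based on the topic subscription request, call the subscribe-topic contract of the blockchain node; through the subscribe-topic contract, send the topic subscription request to the blockchain node, so that the blockchain node, when it has verified through the subscribe-topic contract that the topic has the to-be-subscribed attribute and that the topic subscription object information belongs to the registered object information, stores the topic subscription request and sets the request-pending-verification status for it. The request-pending-verification status instructs the blockchain node to forward the topic subscription request to the first device.
In some embodiments: generate, according to the topic subscription object information, a data download request for the ciphertext bit array; send the data download request to the blockchain node, so that the blockchain node queries the current subscription status corresponding to the topic subscription object information; obtain the ciphertext bit array returned by the blockchain node once it has determined that the current subscription status is the fifth updated subscription status. The fifth updated subscription status indicates that the first device has verified the topic subscription request successfully; the topic subscription request was sent when the blockchain node had stored the topic for the first business data.
Refer also to FIG. 8, which is the ninth sequence diagram of a blockchain-based data processing method provided by an embodiment of this application. As shown in FIG. 8: step 81, the second device sends the topic subscription request, which includes the topic subscription object information, to the blockchain node. Step 82, the blockchain node checks the topic subscription request; specifically, it calls the subscribe-topic method (equivalent to the subscribe-topic contract) to make sure the topic has not already been subscribed to by another party (a topic of this kind can have only one subscriber: its messages are encrypted, and the communication key and data key must not be shared among multiple parties, to prevent data leakage) and that the subscriber is an object registered on chain. Step 83, the blockchain node saves the topic subscription request; it generates a subscription request identifier from the topic name, the subscriber (that is, the topic subscription object information), the block height and the transaction index, saves the topic subscription request, and, according to the checks above, marks the request processing status as "object not registered", "already subscribed by another object" or "pending authorization". If the topic subscription request is valid, the identifier of the topic's latest valid subscription request is updated to the newest subscription request identifier. Step 84, the blockchain node returns a result to the second device; the result can represent how the blockchain network handled the topic subscription request.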
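Step S202: in the data intersection application, decrypt the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array.
Refer also to FIG. 9, which is the tenth sequence diagram of a blockchain-based data processing method provided by an embodiment of this application. As shown in FIG. 9: step 91, the second device downloads the ciphertext bit array from the blockchain node. Step 92, the second device decrypts the ciphertext bit array with the data key to obtain the first bit array.
Step S203: in the data intersection application, generate the second bit array corresponding to the second business data and, according to the second bit array and the first bit array, determine the business intersection data between the first business data and the second business data.
Specifically, the second business data includes second business data Cd, where d is a positive integer less than or equal to the total number of items of second business data; the second bit array includes the second bit array Ed corresponding to second business data Cd; when the first bit array includes the second bit array Ed, second business data Cd is determined to be business intersection data between the first business data and the second business data.
Referring again to FIG. 9: step 93, the second device generates the second bit array of the second business data. The process is the same as the one by which the first device generates the first bit array and is not repeated here. Step 94, the second device compares the second bit array with the first bit array to determine the business intersection data. Steps 92 to 94 in FIG. 9 are all performed in the trusted execution environment. The embodiments of this application do not limit the number of items of second business data; there may be one or more. When there are several, the second device iterates over them and checks, for each item, whether its second bit array is present in the first bit array; when it is, that item of second business data is determined to be business intersection data. Step 95, the second device performs the business processing associated with the business intersection data.
As an example, the first business data consists of phone numbers held by the platform application corresponding to the first device. These phone numbers may be the contact details of the platform application's dormant objects, which the platform application wants to reach with promotions in order to attract them back to the platform. It therefore cooperates with a promoter that has strong promotion capability. To protect the dormant objects' phone numbers, however, the first device cannot disclose them. The first device can instead use the method provided by this application: it first generates the first bit array corresponding to the phone numbers (that is, the first business data), specifically by storing the phone numbers in a Bloom filter; it then encrypts the Bloom filter holding the phone numbers with the data key generated by the second device in the trusted execution environment, obtaining an encrypted Bloom filter; and it transmits the encrypted Bloom filter to the blockchain.
The blockchain first performs the relevant review of the encrypted Bloom filter and stores it when the review passes. On receiving the data download request sent by the second device, it first performs the relevant review of the second device and, when the review passes, forwards the encrypted Bloom filter to the second device.
In the data intersection application running in the trusted execution environment, the second device first decrypts the encrypted Bloom filter with the data key to obtain the Bloom filter holding the phone numbers (called the first Bloom filter for distinction). It then passes the phone numbers it holds into the trusted execution environment and stores each phone number on its own in a Bloom filter (called the second Bloom filter for distinction). When a second Bloom filter matches the first Bloom filter, the phone number in that second Bloom filter is determined to be a phone number held by both the promoter and the platform application (business intersection data). Afterwards, the second device pushes the promotional advertisements provided by the first device to the business intersection data, which consists of contact details of the platform application's dormant objects.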
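The Bloom-filter construction of step 4e2 and the per-item comparison of steps 93 and 94, as an added example that is not part of the patent text. It also goes one step beyond the text by measuring the false-positive rate, since a match only means an item may be in the set. The double-hashing scheme, the sizing formula and all phone numbers are assumptions constructed for illustration.

```python
import hashlib
import math


class BitArray:
    """Bloom-filter bit array of m bits with k position functions."""

    def __init__(self, m_bits, k_hashes):
        self.m, self.k = m_bits, k_hashes
        self.bits = 0                      # Python int used as an all-zero m-bit vector

    def positions(self, item):
        # Double hashing over SHA-256 stands in for the L random mapping functions.
        d = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + j * h2) % self.m for j in range(self.k)]

    def add(self, item):
        for pos in self.positions(item):
            self.bits |= 1 << pos

    def includes(self, other):
        """True when every bit set in `other` is also set in this array."""
        same_shape = self.m == other.m and self.k == other.k
        return same_shape and (self.bits & other.bits) == other.bits

    def to_bytes(self):
        """Serialized form, i.e. the value that would be encrypted with the data key."""
        return self.bits.to_bytes((self.m + 7) // 8, "big")


def size_for(n_items, fp_rate):
    """Standard sizing: bits m and hash count k for n items at a target error rate."""
    m = math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


def build_first_bit_array(first_business_data, m_bits, k_hashes):
    """First device: store every item of first business data in one bit array."""
    first = BitArray(m_bits, k_hashes)
    for item in first_business_data:
        first.add(item)
    return first


def find_intersection(first, second_business_data):
    """Second device: build E_d for each C_d and keep C_d when `first` includes E_d."""
    common = []
    for c_d in second_business_data:
        e_d = BitArray(first.m, first.k)
        e_d.add(c_d)
        if first.includes(e_d):
            common.append(c_d)
    return common


def expected_fp_rate(m_bits, k_hashes, n_items):
    """Textbook estimate (1 - e^(-kn/m))^k of the chance a non-member matches."""
    return (1 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes


def measured_fp_rate(first, non_members):
    """Fraction of known non-members that the bit array nevertheless reports."""
    return len(find_intersection(first, non_members)) / len(non_members)


# Constructed sample data (fictional numbers).
FIRST_DEVICE_NUMBERS = ["+1-202-555-0100", "+1-202-555-0101",
                        "+1-202-555-0102", "+1-202-555-0103"]
SECOND_DEVICE_NUMBERS = ["+1-202-555-0101", "+1-202-555-0103",
                         "+1-202-555-0150", "+1-202-555-0151"]
```

An undersized bit array turns false positives into spurious business intersection data, so m and k should be chosen from the expected item count before the first device fills the filter.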
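To protect the plaintext data (the first business data), the embodiments of this application incorporate private set intersection. Private Set Intersection (PSI) means that two parties holding data can compute the intersection of their data sets without exposing any information about the sets beyond the intersection. PSI usually has the following three characteristics:
(1) Semi-trusted setting: neither party is willing to expose all of its data; both want only the intersection of the data sets;
(2) Data minimization: data outside the intersection must not be leaked to either party;
(3) Secure two-party computation: the two parties must jointly implement a secure computation protocol to protect the data.
Step S204: perform business processing on the business intersection data.
Specifically, obtain the media data with an application recommendation function provided by the first device, and push the media data to second business data Cd.
By storing the first business data in a Bloom filter, the embodiments of this application not only protect object privacy but also reduce the data volume, the number of communication rounds, and the time and space complexity of the system.
By generating and managing the data key in the TEE, the embodiments of this application ensure the security of the data key during storage, transfer and use, and thereby the security of the data.
By using the blockchain, the embodiments of this application put the code on chain, which increases the trustworthiness of the application. If the data user (that is, the second device) updates the code without the consent of the data provider (that is, the first device), the data provider can stop providing the first business data and record this on chain as evidence of the change in service status. In addition, the participants (the data user and the data provider) can put each service or data delivery on chain as a basis for later services. Putting object identity information on chain allows data integrity to be verified, and putting the workflow on chain keeps the process transparent and easy to supervise.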
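Refer to FIG. 10, which is the first structural diagram of a blockchain-based data processing apparatus provided by an embodiment of this application. The blockchain-based data processing apparatus 1 can run on the first device and can be used to perform the corresponding steps of the method provided by the embodiments of this application. As shown in FIG. 10, the apparatus 1 may include a first generation module 11, a first processing module 12 and a ciphertext transmission module 13. The first generation module 11 is configured to generate the first bit array corresponding to the first business data when the first business data satisfies the data upload condition. The first processing module 12 is configured to encrypt the first bit array with the data key to obtain the ciphertext bit array, where the data key is generated by the second device in the data intersection application, which runs in trusted execution environment a of the second device. The ciphertext transmission module 13 is configured to transmit the ciphertext bit array to a blockchain node in the blockchain so that the blockchain node stores it. The ciphertext bit array stored at the blockchain node is to be forwarded by the blockchain node to the second device; the second device, in the data intersection application, decrypts the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array; the first bit array instructs the second device to generate, in the data intersection application, the second bit array corresponding to the second business data; the second bit array and the first bit array instruct the second device to determine, in the data intersection application, the business intersection data between the first business data and the second business data; the business intersection data instructs the second device to perform the business processing associated with the business intersection data.
For the specific functions of the first generation module 11, the first processing module 12 and the ciphertext transmission module 13, see steps S101 to S103 in the embodiment corresponding to FIG. 3; they are not repeated here.
Referring to FIG. 10, the apparatus 1 may further include a second processing module 15, a request sending module 16, a request obtaining module 17 and a relationship determination module 18. The second generation module 14 is configured to generate the topic for the first business data and generate the topic publish request that includes the topic and the topic publishing object information. The second processing module 15 is configured to sign the topic publish request with the device private key corresponding to the first device to obtain signature message z and, based on the topic publish request, call the publish-topic contract of the blockchain node. The request sending module 16 is configured to send, through the publish-topic contract, the topic publish request carrying signature message z to the blockchain node, so that the blockchain node calls the publish-topic contract when the topic publish request passes the legitimacy check. The publish-topic contract instructs the blockchain node to store the topic when it has verified that the topic publishing object information belongs to the registered object information and has determined that the topic has the to-be-published attribute; the topic stored at the blockchain node instructs the second device to send a topic subscription request to the blockchain node; signature message z instructs the blockchain node to check the legitimacy of the topic publish request. The request obtaining module 17 is configured to obtain the topic subscription request forwarded by the blockchain node once it has determined that the topic subscription request has the request-valid attribute. The relationship determination module 18 is configured to determine, according to the forwarded topic subscription request, the relationship between the first business data and the data upload condition, which is either that the first business data satisfies the data upload condition or that it does not.
For the specific functions of the second processing module 15, the request sending module 16, the request obtaining module 17 and the relationship determination module 18, see step S101 in the embodiment corresponding to FIG. 3; they are not repeated here.
Referring to FIG. 10, the relationship determination module 18 may include a first generation unit 181, a request sending unit 182 and a first obtaining unit 183. The first generation unit 181 is configured to generate the remote attestation request according to the topic subscription request forwarded by the blockchain node. The request sending unit 182 is configured to send the remote attestation request to the second device, so that the second device generates, according to the remote attestation request, the intermediate key pair g that includes the intermediate public key f, where the intermediate public key f instructs the second device to call trusted execution environment a and generate the remote attestation report for the data intersection application. The first obtaining unit 183 is configured to obtain the remote attestation report returned by the second device and determine, according to the report, the relationship between the first business data and the data upload condition.
For the specific functions of the first generation unit 181, the request sending unit 182 and the first obtaining unit 183, see step S101 in the embodiment corresponding to FIG. 3; they are not repeated here.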
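Referring to FIG. 10, the first obtaining unit 183 may include a report verification subunit 1831, a first determination subunit 1832 and a second determination subunit 1833. The report verification subunit 1831 is configured to call the attestation service and verify the remote attestation report through it to obtain the first verification result. The first determination subunit 1832 is configured to determine, when the first verification result indicates that verification of the remote attestation report failed, that the first business data does not satisfy the data upload condition. The second determination subunit 1833 is configured to obtain, when the first verification result indicates that the remote attestation report was verified successfully, the source code of the data intersection application and determine, according to the source code, the relationship between the first business data and the data upload condition. The first obtaining unit 183 may further include a third determination subunit 1834 and a status sending subunit 1835. The third determination subunit 1834 is configured to determine, when the first verification result indicates that verification of the remote attestation report failed, that trusted execution environment a does not have the environment-secure attribute. The status sending subunit 1835 is configured to generate the first updated subscription status indicating that trusted execution environment a does not have the environment-secure attribute and send it to the blockchain node, so that the blockchain node sets the first updated subscription status for the topic subscription request.
For the specific functions of the report verification subunit 1831, the first determination subunit 1832, the second determination subunit 1833, the third determination subunit 1834 and the status sending subunit 1835, see step S1013 in the embodiment corresponding to FIG. 5; they are not repeated here.
Referring to FIG. 10, the second determination subunit 1833 may include a first processing subunit 18331, a second processing subunit 18332, a third processing subunit 18333 and a relationship determination subunit 18334. The first processing subunit 18331 is configured to verify the source code to obtain the second verification result. The second processing subunit 18332 is configured to obtain, when the second verification result indicates that the source code passed verification, the topic subscription object information for the data intersection application from the remote attestation report and verify it to obtain the third verification result. The third processing subunit 18333 is configured to obtain the remote measurement value for the source code from the remote attestation report and verify it to obtain the fourth verification result. The relationship determination subunit 18334 is configured to determine the relationship between the first business data and the data upload condition according to the third and fourth verification results. The second processing subunit 18332 is further configured to determine, when the second verification result indicates that the source code failed verification, that the first business data does not satisfy the data upload condition. The second determination subunit 1833 may further include a status generation subunit 18335. The second processing subunit 18332 is further configured to determine, when the second verification result indicates that the source code failed verification, that the source code does not have the code-secure attribute. The status generation subunit 18335 is configured to generate the second updated subscription status indicating that the source code does not have the code-secure attribute and send it to the blockchain node, so that the blockchain node sets the second updated subscription status for the topic subscription request.
For the specific functions of the first processing subunit 18331, the second processing subunit 18332, the third processing subunit 18333, the relationship determination subunit 18334 and the status generation subunit 18335, see step S1013 in the embodiment corresponding to FIG. 5; they are not repeated here.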
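Referring to FIG. 10, the second processing subunit 18332 is specifically used to obtain the application development object certificate for the data intersection application, obtain the application development object information from that certificate, and compare the topic subscription object information with the application development object information. It is further configured to generate, when the topic subscription object information differs from the application development object information, a third verification result indicating that the topic subscription object information failed verification; to generate, when the two are the same, a third verification result indicating that the topic subscription object information passed verification; to generate, when the third verification result indicates that the topic subscription object information failed verification, the third updated subscription status indicating that the topic subscription object information is unauthorized object information; and to send the third updated subscription status to the blockchain node, so that the blockchain node sets the third updated subscription status for the topic subscription request.
For the specific functions of the second processing subunit 18332, see step S1013 in the embodiment corresponding to FIG. 5; they are not repeated here.
Referring to FIG. 10, the third processing subunit 18333 is further configured to compile the source code in trusted execution environment b of the first device to obtain the trusted measurement value; to compare the remote measurement value with the trusted measurement value and, if they differ, generate a fourth verification result indicating that the remote measurement value failed verification; to generate, when the remote measurement value is the same as the trusted measurement value, a fourth verification result indicating that the remote measurement value passed verification; to generate, when the fourth verification result indicates that the remote measurement value failed verification, the fourth updated subscription status indicating that the source code does not match the running code; and to send the fourth updated subscription status to the blockchain node, so that the blockchain node sets the fourth updated subscription status for the topic subscription request.
For the specific functions of the third processing subunit 18333, see step S1013 in the embodiment corresponding to FIG. 5; they are not repeated here.
Referring to FIG. 10, the relationship determination subunit 18334 is configured to determine, when the third verification result indicates that the topic subscription object information passed verification and the fourth verification result indicates that the remote measurement value passed verification, that the first business data satisfies the data upload condition; to generate, when the first business data satisfies the data upload condition, the fifth updated subscription status indicating that the topic subscription request passed verification; and to send the fifth updated subscription status to the blockchain node, so that the blockchain node sets the fifth updated subscription status for the topic subscription request.
For the specific functions of the relationship determination subunit 18334, see step S1013 in the embodiment corresponding to FIG. 5; they are not repeated here.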
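Referring to FIG. 10, the first generation unit 181 may include a first generation subunit 1811 and a second generation subunit 1812. The first generation subunit 1811 is configured to generate, according to the topic subscription request forwarded by the blockchain node, the attestation challenge random number and the intermediate key pair j that includes the intermediate private key h and the intermediate public key i. The second generation subunit 1812 is configured to generate the remote attestation request from the intermediate public key i and the attestation challenge random number. The intermediate public key i instructs the second device to generate the communication key from the intermediate public key i, the attestation challenge random number and the intermediate private key k of the intermediate key pair g; the communication key is used to encrypt the data key to obtain the encrypted data key.
In some embodiments, the first generation unit 181 may include a first obtaining subunit 1813 and a second obtaining subunit 1814. The first obtaining subunit 1813 is configured to obtain the intermediate public key f from the remote attestation report and generate the communication key from the intermediate public key f, the attestation challenge random number and the intermediate private key h. The second obtaining subunit 1814 is configured to obtain the encrypted data key returned by the second device and decrypt it with the communication key to obtain the data key.
For the specific functions of the first generation subunit 1811, the second generation subunit 1812, the first obtaining subunit 1813 and the second obtaining subunit 1814, see step S101 in the embodiment corresponding to FIG. 3; they are not repeated here.
Referring to FIG. 10, the first generation module 11 may include a second obtaining unit 111, a second generation unit 112, a first determination unit 113 and a second determination unit 114. The second obtaining unit 111 is configured to obtain the initial bit array to which first random numbers are mapped and the random mapping function, and to input the first business data into the random mapping function. The second generation unit 112 is configured to generate, through the random mapping function, the second random number corresponding to the first business data, where the first random numbers include the second random number. The first determination unit 113 is configured to determine in the initial bit array the to-be-updated bit array, to which the second random number is mapped. The second determination unit 114 is configured to update the to-be-updated bit array in the initial bit array and take the updated initial bit array as the first bit array.
For the specific functions of the second obtaining unit 111, the second generation unit 112, the first determination unit 113 and the second determination unit 114, see step S101 in the embodiment corresponding to FIG. 3; they are not repeated here.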
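Refer to FIG. 11, which is the second structural diagram of a blockchain-based data processing apparatus provided by an embodiment of this application. The blockchain-based data processing apparatus 2 can run on the second device and can be used to perform the corresponding steps of the method provided by the embodiments of this application. As shown in FIG. 11, the apparatus 2 may include a ciphertext obtaining module 21, a first processing module 22, a first generation module 23 and a second processing module 24. The ciphertext obtaining module 21 is configured to obtain the ciphertext bit array forwarded by a blockchain node in the blockchain; the ciphertext bit array was transmitted to the blockchain node by the first device and was obtained by the first device encrypting the first bit array with the data key; the data key is generated by the second device in the data intersection application, which runs in trusted execution environment a of the second device; the first bit array was generated by the first device for the first business data when the first business data satisfied the data upload condition. The first processing module 22 is configured to decrypt, in the data intersection application, the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array. The first generation module 23 is configured to generate, in the data intersection application, the second bit array corresponding to the second business data and determine, according to the second bit array and the first bit array, the business intersection data between the first business data and the second business data. The second processing module 24 is configured to perform business processing on the business intersection data.
For the specific functions of the ciphertext obtaining module 21, the first processing module 22, the first generation module 23 and the second processing module 24, see steps S201 to S204 in the embodiment corresponding to FIG. 7; they are not repeated here.
Referring to FIG. 11, the ciphertext obtaining module 21 may include a request generation unit 211, a request sending unit 212 and a ciphertext obtaining unit 213. The request generation unit 211 is configured to generate, according to the topic subscription object information, the data download request for the ciphertext bit array. The request sending unit 212 is configured to send the data download request to the blockchain node, so that the blockchain node queries the current subscription status corresponding to the topic subscription object information. The ciphertext obtaining unit 213 is configured to obtain the ciphertext bit array returned by the blockchain node once it has determined that the current subscription status is the fifth updated subscription status. The fifth updated subscription status indicates that the first device has verified the topic subscription request successfully; the topic subscription request was sent when the blockchain node had stored the topic for the first business data.
For the specific functions of the request generation unit 211, the request sending unit 212 and the ciphertext obtaining unit 213, see step S201 in the embodiment corresponding to FIG. 7; they are not repeated here.
Referring to FIG. 11, the second business data includes second business data Cd, where d is a positive integer less than or equal to the total number of items of second business data; the second bit array includes the second bit array Ed corresponding to second business data Cd. The first generation module 23 is further configured to determine, when the first bit array includes the second bit array Ed, that second business data Cd is business intersection data between the first business data and the second business data. The second processing module 24 is further configured to obtain the media data with an application recommendation function provided by the first device and push the media data to second business data Cd.
For the specific functions of the first generation module 23 and the second processing module 24, see steps S203 to S204 in the embodiment corresponding to FIG. 7; they are not repeated here.
Referring to FIG. 11, the apparatus 2 may further include a second generation module 25, a contract calling module 26 and a request sending module 27. The second generation module 25 is configured to generate, according to the topic subscription object information, the topic subscription request for subscribing to the topic, where the topic was generated by the first device for the first business data. The contract calling module 26 is configured to call, based on the topic subscription request, the subscribe-topic contract of the blockchain node. The request sending module 27 is configured to send, through the subscribe-topic contract, the topic subscription request to the blockchain node, so that the blockchain node, when it has verified through the subscribe-topic contract that the topic has the to-be-subscribed attribute and that the topic subscription object information belongs to the registered object information, stores the topic subscription request and sets the request-pending-verification status for it. The request-pending-verification status instructs the blockchain node to forward the topic subscription request to the first device.
For the specific functions of the second generation module 25, the contract calling module 26 and the request sending module 27, see step S201 in the embodiment corresponding to FIG. 7; they are not repeated here.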
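Refer to FIG. 12, which is a structural diagram of an electronic device provided by an embodiment of this application. As shown in FIG. 12, the electronic device 1000 may include at least one processor 1001 (for example a CPU), at least one network interface 1004, a user interface 1003, a memory 1005 and at least one communication bus 1002. The communication bus 1002 provides the connections and communication between these components. In some embodiments, the user interface 1003 may include a display and a keyboard, and the network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface). The memory 1005 may be high-speed RAM or non-volatile memory, for example at least one disk memory. The memory 1005 may optionally also be at least one storage device located remotely from the processor 1001. As shown in FIG. 12, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and a device control application.
In the electronic device 1000 shown in FIG. 12, the network interface 1004 provides network communication; the user interface 1003 mainly provides an input interface for the user; and the processor 1001 can be used to call the device control application stored in the memory 1005 to implement the following: if the first business data satisfies the data upload condition, generate the first bit array corresponding to the first business data; encrypt the first bit array with the data key generated by the second device in the data intersection application to obtain the ciphertext bit array, where the data intersection application runs in trusted execution environment a of the second device; transmit the ciphertext bit array to a blockchain node in the blockchain so that the blockchain node stores it. The ciphertext bit array stored at the blockchain node is to be forwarded by the blockchain node to the second device; the second device, in the data intersection application, decrypts the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array; the first bit array instructs the second device to generate, in the data intersection application, the second bit array corresponding to the second business data; the second bit array and the first bit array instruct the second device to determine, in the data intersection application, the business intersection data between the first business data and the second business data; the business intersection data instructs the second device to perform the business processing associated with the business intersection data.
In some embodiments, the processor 1001 can be used to call the device control application stored in the memory 1005 to implement the following: obtain the ciphertext bit array forwarded by a blockchain node in the blockchain, where the ciphertext bit array was transmitted to the blockchain node by the first device and was obtained by the first device encrypting the first bit array with the data key generated by the second device in the data intersection application; the data intersection application runs in trusted execution environment a of the second device; the first bit array was generated by the first device for the first business data when the first business data satisfied the data upload condition; in the data intersection application, decrypt the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array; in the data intersection application, generate the second bit array corresponding to the second business data and determine, according to the second bit array and the first bit array, the business intersection data between the first business data and the second business data; perform business processing on the business intersection data.
It should be understood that the electronic device 1000 described in the embodiments of this application can carry out the blockchain-based data processing method or apparatus described in the preceding embodiments, which is not repeated here. The beneficial effects of using the same method are likewise not repeated.
The embodiments of this application also provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the blockchain-based data processing method or apparatus described in the preceding embodiments, which is not repeated here. The beneficial effects of using the same method are likewise not repeated.
The computer-readable storage medium may be an internal storage unit of the blockchain-based data processing apparatus provided by any of the preceding embodiments or of the electronic device, for example the hard disk or memory of the electronic device. It may also be an external storage device of the electronic device, for example a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card or a flash card fitted to the electronic device. Further, the computer-readable storage medium may include both an internal storage unit and an external storage device of the electronic device. It is used to store the computer program and the other programs and data the electronic device needs, and may also be used to temporarily store data that has been or is about to be output.
The embodiments of this application also provide a computer program product that includes a computer program stored in a computer-readable storage medium. The processor of an electronic device reads the computer program from the computer-readable storage medium and executes it, so that the electronic device can carry out the blockchain-based data processing method or apparatus described in the preceding embodiments, which is not repeated here. The beneficial effects of using the same method are likewise not repeated.
The terms "first", "second" and so on in the description, claims and drawings of the embodiments of this application are used to distinguish different objects, not to describe a particular order. The term "include" and any variants of it are intended to cover non-exclusive inclusion. For example, a process, method, apparatus, product or device that includes a series of steps or units is not limited to the listed steps or modules; it optionally also includes steps or modules that are not listed, or other steps or units inherent to the process, method, apparatus, product or device.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software or a combination of the two. To show clearly that hardware and software are interchangeable, the composition and steps of each example have been described above in general terms of their functions. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the technical solution. A skilled person may implement the described functions in different ways for each specific application, but such implementations should not be regarded as going beyond the scope of this application.
What is disclosed above is only the preferred embodiments of this application and of course cannot be used to limit the scope of its rights; equivalent changes made according to the claims of this application therefore remain within the scope covered by this application.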

Claims (19)

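  1. A blockchain-based data processing method, performed by a first device, the method comprising:
    when first business data satisfies a data upload condition, generating a first bit array corresponding to the first business data;
    encrypting the first bit array with a data key to obtain a ciphertext bit array, wherein the data key is generated by a second device in a data intersection application, and the data intersection application runs in trusted execution environment a of the second device;
    transmitting the ciphertext bit array to a blockchain node in the blockchain, so that the blockchain node stores the ciphertext bit array;
    wherein the ciphertext bit array stored at the blockchain node is to be forwarded by the blockchain node to the second device; the second device is used to decrypt, in the data intersection application, the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array; the first bit array instructs the second device to generate, in the data intersection application, a second bit array corresponding to second business data; the second bit array and the first bit array instruct the second device to determine, in the data intersection application, business intersection data between the first business data and the second business data; the business intersection data instructs the second device to perform business processing associated with the business intersection data.
  2. The method according to claim 1, wherein the method further comprises:
    generating a topic for the first business data;
    generating a topic publish request that includes the topic and topic publishing object information;
    signing the topic publish request with the device private key corresponding to the first device to obtain signature message z;
    based on the topic publish request, calling the publish-topic contract of the blockchain node, and sending, through the publish-topic contract, the topic publish request carrying the signature message z to the blockchain node, so that the blockchain node calls the publish-topic contract when the topic publish request passes the legitimacy check;
    wherein the publish-topic contract instructs the blockchain node to store the topic when it has verified that the topic publishing object information belongs to registered object information and has determined that the topic has the to-be-published attribute; the topic stored at the blockchain node instructs the second device to send a topic subscription request to the blockchain node; the signature message z instructs the blockchain node to check the legitimacy of the topic publish request;
    obtaining the topic subscription request forwarded by the blockchain node once it has determined that the topic subscription request has the request-valid attribute;
    determining, according to the topic subscription request forwarded by the blockchain node, the relationship between the first business data and the data upload condition;
    wherein the relationship between the first business data and the data upload condition is either that the first business data satisfies the data upload condition or that the first business data does not satisfy the data upload condition.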
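  3. The method according to claim 2, wherein determining, according to the topic subscription request forwarded by the blockchain node, the relationship between the first business data and the data upload condition comprises:
    generating a remote attestation request according to the topic subscription request forwarded by the blockchain node;
    sending the remote attestation request to the second device, so that the second device generates an intermediate key pair g according to the remote attestation request; the intermediate public key f of the intermediate key pair g instructs the second device to call the trusted execution environment a and generate a remote attestation report for the data intersection application;
    obtaining the remote attestation report returned by the second device, and determining, according to the remote attestation report, the relationship between the first business data and the data upload condition.
  4. The method according to claim 3, wherein generating a remote attestation request according to the topic subscription request forwarded by the blockchain node comprises:
    generating, according to the topic subscription request forwarded by the blockchain node, an attestation challenge random number and an intermediate key pair j that includes an intermediate private key h and an intermediate public key i;
    generating the remote attestation request from the intermediate public key i and the attestation challenge random number;
    wherein the intermediate public key i instructs the second device to generate a communication key from the intermediate public key i, the attestation challenge random number and the intermediate private key k of the intermediate key pair g; the communication key is used to encrypt the data key to obtain an encrypted data key;
    the method further comprising:
    obtaining the intermediate public key f from the remote attestation report, and generating the communication key from the intermediate public key f, the attestation challenge random number and the intermediate private key h;
    obtaining the encrypted data key returned by the second device, and decrypting the encrypted data key with the communication key to obtain the data key.
  5. The method according to claim 3, wherein determining, according to the remote attestation report, the relationship between the first business data and the data upload condition comprises:
    calling an attestation service and verifying the remote attestation report through the attestation service to obtain a first verification result;
    when the first verification result indicates that verification of the remote attestation report failed, determining that the first business data does not satisfy the data upload condition;
    when the first verification result indicates that the remote attestation report was verified successfully, obtaining the source code of the data intersection application and determining, according to the source code, the relationship between the first business data and the data upload condition;
    the method further comprising:
    when the first verification result indicates that verification of the remote attestation report failed, determining that the trusted execution environment a does not have the environment-secure attribute;
    generating a first updated subscription status indicating that the trusted execution environment a does not have the environment-secure attribute, and sending the first updated subscription status to the blockchain node, so that the blockchain node sets the first updated subscription status for the topic subscription request.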
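  6. The method according to claim 5, wherein determining, according to the source code, the relationship between the first business data and the data upload condition comprises:
    verifying the source code to obtain a second verification result;
    when the second verification result indicates that the source code passed verification, obtaining from the remote attestation report the topic subscription object information for the data intersection application, and verifying the topic subscription object information to obtain a third verification result;
    obtaining from the remote attestation report the remote measurement value for the source code, and verifying the remote measurement value to obtain a fourth verification result;
    determining the relationship between the first business data and the data upload condition according to the third verification result and the fourth verification result;
    when the second verification result indicates that the source code failed verification, determining that the first business data does not satisfy the data upload condition;
    the method further comprising:
    when the second verification result indicates that the source code failed verification, determining that the source code does not have the code-secure attribute;
    generating a second updated subscription status indicating that the source code does not have the code-secure attribute, and sending the second updated subscription status to the blockchain node, so that the blockchain node sets the second updated subscription status for the topic subscription request.
  7. The method according to claim 6, wherein verifying the topic subscription object information to obtain a third verification result comprises:
    obtaining the application development object certificate for the data intersection application, and obtaining application development object information from the application development object certificate;
    when the topic subscription object information differs from the application development object information, generating a third verification result indicating that the topic subscription object information failed verification;
    when the topic subscription object information is the same as the application development object information, generating a third verification result indicating that the topic subscription object information passed verification;
    the method further comprising:
    when the third verification result indicates that the topic subscription object information failed verification, generating a third updated subscription status indicating that the topic subscription object information is unauthorized object information;
    sending the third updated subscription status to the blockchain node, so that the blockchain node sets the third updated subscription status for the topic subscription request.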
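  8. The method according to claim 6, wherein verifying the remote measurement value to obtain a fourth verification result comprises:
    compiling the source code in trusted execution environment b of the first device to obtain a trusted measurement value;
    when the remote measurement value differs from the trusted measurement value, generating a fourth verification result indicating that the remote measurement value failed verification;
    when the remote measurement value is the same as the trusted measurement value, generating a fourth verification result indicating that the remote measurement value passed verification;
    the method further comprising:
    when the fourth verification result indicates that the remote measurement value failed verification, generating a fourth updated subscription status indicating that the source code does not match the running code;
    sending the fourth updated subscription status to the blockchain node, so that the blockchain node sets the fourth updated subscription status for the topic subscription request.
  9. The method according to claim 6, wherein determining the relationship between the first business data and the data upload condition according to the third verification result and the fourth verification result comprises:
    when the third verification result indicates that the topic subscription object information passed verification and the fourth verification result indicates that the remote measurement value passed verification, determining that the first business data satisfies the data upload condition;
    the method further comprising:
    when the first business data satisfies the data upload condition, generating a fifth updated subscription status indicating that the topic subscription request passed verification;
    sending the fifth updated subscription status to the blockchain node, so that the blockchain node sets the fifth updated subscription status for the topic subscription request.
  10. The method according to any one of claims 1 to 9, wherein generating the first bit array corresponding to the first business data comprises:
    obtaining an initial bit array to which first random numbers are mapped and a random mapping function, and inputting the first business data into the random mapping function;
    generating, through the random mapping function, a second random number corresponding to the first business data, wherein the first random numbers include the second random number;
    determining in the initial bit array a to-be-updated bit array, wherein the second random number is mapped to the to-be-updated bit array;
    updating the to-be-updated bit array in the initial bit array, and taking the updated initial bit array as the first bit array.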
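  11. A blockchain-based data processing method, performed by a second device, the method comprising:
    obtaining a ciphertext bit array forwarded by a blockchain node in the blockchain;
    wherein the ciphertext bit array was transmitted to the blockchain node by a first device and was obtained by the first device encrypting a first bit array with a data key; the data key is generated by the second device in a data intersection application; the data intersection application runs in trusted execution environment a of the second device; the first bit array was generated by the first device for first business data when the first business data satisfied a data upload condition;
    in the data intersection application, decrypting the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array;
    in the data intersection application, generating a second bit array corresponding to second business data, and determining, according to the second bit array and the first bit array, business intersection data between the first business data and the second business data;
    performing business processing on the business intersection data.
  12. The method according to claim 11, wherein obtaining the ciphertext bit array forwarded by the blockchain node comprises:
    generating, according to topic subscription object information, a data download request for the ciphertext bit array;
    sending the data download request to the blockchain node, so that the blockchain node queries, according to the data download request, the current subscription status corresponding to the topic subscription object information;
    obtaining the ciphertext bit array returned by the blockchain node once it has determined that the current subscription status is a fifth updated subscription status;
    wherein the fifth updated subscription status indicates that the first device has verified a topic subscription request successfully; the topic subscription request was sent when the blockchain node had stored the topic for the first business data.
  13. The method according to claim 11, wherein the second business data includes second business data Cd, d is a positive integer, and d is less than or equal to the total number of items of the second business data; the second bit array includes the second bit array Ed corresponding to the second business data Cd;
    determining, according to the second bit array and the first bit array, the business intersection data between the first business data and the second business data comprises:
    when the first bit array includes the second bit array Ed, determining that the second business data Cd is business intersection data between the first business data and the second business data;
    performing business processing on the business intersection data comprises:
    obtaining media data with an application recommendation function provided by the first device, and pushing the media data to the object represented by the second business data Cd.
  14. The method according to claim 11, wherein the method further comprises:
    generating, according to topic subscription object information, a topic subscription request for subscribing to a topic, the topic having been generated by the first device for the first business data;
    based on the topic subscription request, calling the subscribe-topic contract of the blockchain node;
    sending, through the subscribe-topic contract, the topic subscription request to the blockchain node, so that the blockchain node, when it has verified through the subscribe-topic contract that the topic has the to-be-subscribed attribute and that the topic subscription object information belongs to registered object information, stores the topic subscription request and sets a request-pending-verification status for the topic subscription request; the request-pending-verification status instructs the blockchain node to forward the topic subscription request to the first device.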
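  15. A blockchain-based data processing apparatus, running on a first device, the apparatus comprising:
    a first generation module, configured to generate, when first business data satisfies a data upload condition, a first bit array corresponding to the first business data;
    a first processing module, configured to encrypt the first bit array with a data key to obtain a ciphertext bit array, wherein the data key is generated by a second device in a data intersection application, and the data intersection application runs in trusted execution environment a of the second device;
    a ciphertext transmission module, configured to transmit the ciphertext bit array to a blockchain node in the blockchain, so that the blockchain node stores the ciphertext bit array; wherein the ciphertext bit array stored at the blockchain node is to be forwarded by the blockchain node to the second device; the second device is used to decrypt, in the data intersection application, the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array; the first bit array instructs the second device to generate, in the data intersection application, a second bit array corresponding to second business data; the second bit array and the first bit array instruct the second device to determine, in the data intersection application, business intersection data between the first business data and the second business data; the business intersection data instructs the second device to perform business processing associated with the business intersection data.
  16. A blockchain-based data processing apparatus, running on a second device, the apparatus comprising:
    a ciphertext obtaining module, configured to obtain a ciphertext bit array forwarded by a blockchain node in the blockchain; wherein the ciphertext bit array was transmitted to the blockchain node by a first device and was obtained by the first device encrypting a first bit array with a data key; the data key is generated by the second device in a data intersection application; the data intersection application runs in trusted execution environment a of the second device; the first bit array was generated by the first device for first business data when the first business data satisfied a data upload condition;
    a first processing module, configured to decrypt, in the data intersection application, the ciphertext bit array obtained from the blockchain node with the data key to obtain the first bit array;
    a first generation module, configured to generate, in the data intersection application, a second bit array corresponding to second business data, and determine, according to the second bit array and the first bit array, business intersection data between the first business data and the second business data;
    a second processing module, configured to perform business processing on the business intersection data.
  17. An electronic device, comprising a processor, a memory and a network interface;
    the processor is connected to the memory and the network interface, wherein the network interface is used to provide data communication, the memory is used to store a computer program, and the processor is used to call the computer program so that the electronic device performs the blockchain-based data processing method according to any one of claims 1 to 10 or claims 11 to 14.
  18. A computer-readable storage medium storing a computer program, the computer program being suitable for being loaded and executed by a processor, so that an electronic device having the processor performs the blockchain-based data processing method according to any one of claims 1 to 10 or claims 11 to 14.
  19. A computer program product comprising a computer program stored in a computer-readable storage medium, the computer program being suitable for being read and executed by a processor, so that an electronic device having the processor performs the blockchain-based data processing method according to any one of claims 1 to 10 or claims 11 to 14.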
PCT/CN2023/111968 2022-10-14 2023-08-09 Blockchain-based data processing method and apparatus, electronic device, computer-readable storage medium, and computer program product WO2024078108A1 (zh)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US18/528,133 US20240129108A1 (en) 2022-10-14 2023-12-04 Data processing methods and apparatuses based on blockchain, electronic device, computer-readable storage medium, and computer program product

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211259133.1A CN117938406A (zh) 2022-10-14 2022-10-14 Blockchain-based data processing method, device, and readable storage medium
CN202211259133.1 2022-10-14

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US18/528,133 Continuation US20240129108A1 (en) 2022-10-14 2023-12-04 Data processing methods and apparatuses based on blockchain, electronic device, computer-readable storage medium, and computer program product

Publications (1)

Publication Number Publication Date
WO2024078108A1 (zh) 2024-04-18

Family

ID=90668702

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/111968 WO2024078108A1 (zh) 2022-10-14 2023-08-09 Blockchain-based data processing method and apparatus, electronic device, computer-readable storage medium, and computer program product

Country Status (2)

Country Link
CN (1) CN117938406A (zh)
WO (1) WO2024078108A1 (zh)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
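CN109104413A (zh) * 2018-07-17 2018-12-28 中国科学院计算技术研究所 Method for private data intersection for secure multi-party computation, and verification method
US10878108B1 (en) * 2020-02-03 2020-12-29 Qed-It Systems Ltd. Delegated private set intersection, and applications thereof
CN112217639A (zh) * 2020-09-30 2021-01-12 招商局金融科技有限公司 Data encryption sharing method and apparatus, electronic device, and computer storage medium
CN113343305A (zh) * 2021-06-29 2021-09-03 招商局金融科技有限公司 Intersection computation method, apparatus, device, and storage medium for private data
CN113395159A (zh) * 2021-01-08 2021-09-14 腾讯科技(深圳)有限公司 Data processing method based on trusted execution environment, and related apparatus
CN114444124A (zh) * 2022-01-28 2022-05-06 杭州复杂美科技有限公司 Bloom-filter-based private set intersection method, device, and storage medium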

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
XIONG LU; YANG YANG; SHA JIN-RUI; FAN LEI: "Private Set Intersection Algorithm based on Blockchain", DIANXIN-JISHU = TELECOMMUNICATION TECHNOLOGY, BEIJING : RENMIN YOUDIAN CHUBANSHE, CN, vol. 53, no. 7, 31 July 2020 (2020-07-31), CN , pages 1768 - 1773, XP009553874, ISSN: 1000-1247 *

Also Published As

Publication number Publication date
CN117938406A (zh) 2024-04-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23876314

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 11202308121X

Country of ref document: SG