CN118133325B - Data management method based on on-chain and off-chain - Google Patents

Publication number
CN118133325B
Authority
CN
China
Prior art keywords
data
chain
hash value
ciphertext
chain node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410552469.XA
Other languages
Chinese (zh)
Other versions
CN118133325A (en
Inventor
刘超
朱达欣
夏侯建兵
侯灿坤
蒋天宇
陈柏熹
王文卓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Quanzhou Normal University
Original Assignee
Quanzhou Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Quanzhou Normal University
Priority to CN202410552469.XA
Publication of CN118133325A
Application granted
Publication of CN118133325B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/182 Distributed file systems
    • G06F16/1834 Distributed file systems implemented based on peer-to-peer networks, e.g. gnutella
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to the field of blockchain storage technology, and in particular to a data management method based on on-chain and off-chain, comprising: the data owner encrypts the original data and the original data hash value based on a key and a preset access control method, obtaining the ciphertext of the original data and the encrypted hash value; the data information, the original data hash value, the encrypted hash value and the ciphertext are then sent to the off-chain node for asynchronous BFT consensus, after which the ciphertext is stored in the off-chain node and the data information and the encrypted hash value are uploaded to the on-chain node to generate an on-chain index; the data user accesses the on-chain node based on the on-chain index, decrypts the encrypted hash value based on the key, sends the decrypted hash value to the off-chain node for asynchronous BFT consensus to obtain the ciphertext, and then decrypts the ciphertext to obtain the original data. By introducing new security and privacy mechanisms, the present invention balances performance and privacy to meet the needs of different fields.

Description

Data management method based on on-chain and off-chain

Technical Field

The present invention relates to the field of blockchain storage technology, and in particular to a data management method based on on-chain and off-chain.

Background Art

The financial, government, and healthcare sectors generate a large amount of data every day, including financial transactions, government records, and medical data. This data is very sensitive and needs to be securely stored, efficiently transmitted, and easily accessible. However, traditional data management methods based on on-chain and off-chain face challenges in meeting these needs. For example, the financial sector involves a large amount of transaction data, and each payment generates a new data record. This data needs highly secure storage to protect the privacy of customers and the integrity of transaction data. At the same time, financial institutions need to manage access rights precisely in order to comply with laws and regulations. Government departments continuously generate a large number of records in their daily operations, including administrative processes, policy decisions, and regulations. These government records need to be stored securely to protect the privacy of citizens and ensure the integrity of the records. Government agencies also need to be able to share data easily with trusted peers (such as other government agencies and officials) while ensuring the security, integrity, and consistency of the data. The medical field generates a large amount of data through procedures such as CT scans, X-rays, and prescriptions. This medical data is crucial for the diagnosis and treatment of patients. Therefore, this data needs a high level of security protection, and only authorized users should be able to access it.

Blockchain technology has been introduced as an ideal solution to these data management problems. In a blockchain network, sensitive data such as government records, financial transactions, and medical data can be easily shared between trusted peers while maintaining the security, integrity, and consistency of the data. The technology is based on the sequential linking of blocks and uses hash encryption to protect the immutability of transactions. This enables complex record details, including historical and current information, to be easily accessed by authorized parties. Therefore, blockchain technology has great potential in the field of data management.

However, there are inherent problems in applying traditional public blockchain designs to data storage and transmission. Blockchain technology is a distributed data management method that has developed in recent years. It links data in the form of blocks to form an immutable ledger for storing transaction information. The distributed nature and encryption protection of a blockchain give it a high level of security, and it can be used to ensure the consistency and integrity of data. Disadvantages of the technical solution: traditional public blockchains may be inefficient in data storage and transmission and encounter bottlenecks when processing large-scale data; public blockchains are usually designed for transparency, which conflicts with the privacy requirements of certain data. Reasons for the disadvantages: the performance problems of blockchain technology are partly due to the consensus mechanism and on-chain storage characteristics of public blockchains, which lead to efficiency problems when processing large-scale data.

Summary of the Invention

The purpose of the present invention is to provide a data management method based on on-chain and off-chain that improves the efficiency, security and user experience of data management by introducing a variety of client access control methods, emphasizing the efficiency of fine-grained access control, ensuring security and accountability, and using fault-tolerant off-chain storage based on asynchronous Byzantine consensus.

To achieve the above object, the present invention provides the following solution:

A data management method based on on-chain and off-chain, comprising:

The data owner encrypts the original data and the original data hash value based on the key and the preset access control method, obtaining the ciphertext of the original data and the encrypted hash value; the data information, the original data hash value, the encrypted hash value and the ciphertext are then sent to the off-chain node for asynchronous BFT consensus, after which the ciphertext is stored in the off-chain node and the data information and the encrypted hash value are uploaded to the on-chain node to generate an on-chain index;

The data user accesses the on-chain node based on the on-chain index, decrypts the encrypted hash value based on the key, sends the decrypted hash value to the off-chain node for the asynchronous BFT consensus to obtain the ciphertext, and then decrypts the ciphertext to obtain the original data.

Optionally, the access control method is broadcast encryption, attribute encryption, or threshold encryption.

Optionally, sending the data information, the original data hash value, the encrypted hash value and the ciphertext to the off-chain node for asynchronous BFT consensus and then storing the ciphertext in the off-chain node includes:

Packing the data information, the original data hash value, the encrypted hash value and the ciphertext to obtain packaged data, wherein the data information includes the preset access control method, the encrypted access control list, the file size and the file type;

Sending the packaged data to the off-chain node, wherein the off-chain node puts the packaged data into a message queue and then performs the asynchronous BFT consensus;

After the asynchronous BFT consensus is performed, the leveldb database of the off-chain node stores the original data hash value and the ciphertext in key-value format.

Optionally, uploading the data information and the encrypted hash value to the on-chain node to generate the on-chain index includes:

The off-chain node sends the marking instruction generated after the asynchronous BFT consensus, the data information and the encrypted hash value to the on-chain node. When the on-chain node has received a preset number of the marking instructions, the data information and the encrypted hash value are uploaded to the on-chain node, the on-chain index is generated, and the on-chain index is sent to the data owner, wherein the data owner shares the on-chain index with the data user.

Optionally, the data user decrypting the hash value based on the key includes:

Sending the access type corresponding to the on-chain index and the encrypted access control list to a trusted execution environment, wherein the trusted execution environment decrypts the encrypted access control list to obtain the decrypted access control list;

The trusted execution environment compares and authenticates the identity information of the data user, the access type and the decrypted access control list, wherein the trusted execution environment is a trusted TEE verifier implemented based on SGX;

After successful authentication, the data information and the encrypted hash value are sent to the data user;

The data user uses the private key in the key to decrypt the encrypted hash value and obtains a read command.

Optionally, sending the decrypted hash value to the off-chain node for the asynchronous BFT consensus and obtaining the ciphertext includes:

After the read command and the decrypted hash value are sent to the off-chain node for the asynchronous BFT consensus, the leveldb database is accessed using the decrypted hash value to obtain the ciphertext.

Optionally, decrypting the ciphertext to obtain the original data includes:

Decrypting the ciphertext based on the private key and the preset access control method to obtain the original data.

The beneficial effects of the present invention are:

Compared with the prior art, the present invention provides more powerful fine-grained access control: users can define data access rights in a highly detailed manner, thereby better protecting privacy and data security.

The present invention uses a trusted TEE verifier implemented based on SGX to verify user access rights. SGX provides hardware-level isolation so that programs and data are securely protected.

The present invention introduces off-chain storage based on asynchronous Byzantine consensus as a solution, improving the efficiency of data transmission. This method reduces redundant data on the blockchain, makes data transmission more efficient, reduces the risk of a single point of failure, and improves the robustness of the entire system. The present invention overcomes network uncertainty and attacks. Asynchronous Byzantine consensus improves the fault tolerance of the system: even if there are malicious nodes or poor network conditions, the system can still reach agreement and ensure the security and consistency of the data. This gives the distributed system greater flexibility, enabling it to adapt to various complex situations, including network attacks, node failures, and network delays. This adaptability makes the system more robust and reliable.

The present invention achieves a balance between performance and privacy. It provides efficient data management while protecting the privacy of the data, a balance that is crucial for various application scenarios.

The present invention enhances the security of data and the robustness of the system, using blockchain technology to protect the integrity of data while reducing the risk of a single point of failure.

Brief Description of the Drawings

In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For a person of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.

FIG. 1 is a schematic flow chart of a data management method based on on-chain and off-chain according to an embodiment of the present invention;

FIG. 2 is a flow framework diagram of a data management method based on on-chain and off-chain according to an embodiment of the present invention;

FIG. 3 is a schematic structural diagram of data selection and encryption according to an embodiment of the present invention;

FIG. 4 is a schematic structural diagram of the RBC stage according to an embodiment of the present invention;

FIG. 5 is a schematic structural diagram of the MVBA stage according to an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

In order to make the above objects, features and advantages of the present invention more obvious and easier to understand, the present invention is described in further detail below with reference to the drawings and specific embodiments.

This embodiment provides a data management method based on on-chain and off-chain, as shown in FIG. 1, comprising:

The data owner encrypts the original data and the original data hash value based on the key and the preset access control method, obtaining the ciphertext of the original data and the encrypted hash value;

Specifically, the data owner generates the key, and the key generation center distributes the key. The data owner uses the key and the selected access control scheme to encrypt the original data and the original data hash value.

The data information, the original data hash value, the encrypted hash value and the ciphertext are then sent to the off-chain node for asynchronous BFT consensus, after which the ciphertext is stored in the off-chain node and the data information and the encrypted hash value are uploaded to the on-chain node to generate an on-chain index;

Specifically, the data information (access control method, encrypted access control list, file size, file type, etc.), the encrypted data (ciphertext), the original data hash value and the encrypted hash value are packaged and sent to one of the off-chain nodes. After receiving the data, the off-chain node puts it into a message queue, and the off-chain BFT storage protocol (asynchronous BFT consensus among the off-chain nodes) is run off-chain to reach consensus on the packaged data information, encrypted data, original data hash value and encrypted hash value. After the off-chain protocol has completed, the databases of all N off-chain nodes hold the same ciphertext. The leveldb database is used for storage: the key is the original data hash value and the value is the encrypted data. Each node sends a completion instruction (a marking instruction generated once the off-chain consensus storage has finished), the data information and the encrypted hash value to the on-chain node. After receiving f+1 instructions, the on-chain node puts the data information and the encrypted hash value on the chain. When this succeeds, a unique on-chain index is generated and returned to the data owner, who can share the on-chain index with data users.
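The f+1 rule in the paragraph above only holds if the on-chain node counts distinct off-chain nodes vouching for the same record, not raw messages. The following added example (not code from the patent) sketches that gate; the class and field names, the SHA-256 record digest, the index derivation, and the assumption that node ids are already authenticated and that N >= 3f + 1 are all illustrative choices.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class CompletionMark:
    node_id: int     # off-chain node reporting that consensus storage finished
    data_info: str   # serialized data information (access control mode, size, type)
    enc_hash: bytes  # encrypted hash value of the original data


class OnChainGate:
    """Puts a record on-chain only after f+1 distinct nodes sent matching marks."""

    def __init__(self, n, f):
        # Assumption: the usual asynchronous BFT bound on faulty nodes.
        if f < 0 or n < 3 * f + 1:
            raise ValueError("expected N >= 3f + 1 off-chain nodes")
        self.n, self.f = n, f
        self.votes = {}   # record digest -> set of node ids that vouched for it
        self.issued = {}  # record digest -> on-chain index already generated
        self.index = {}   # on-chain index -> (data_info, enc_hash)

    @staticmethod
    def _record_key(mark):
        # Length-prefix data_info so distinct records never share a digest input.
        info = mark.data_info.encode("utf-8")
        blob = len(info).to_bytes(4, "big") + info + mark.enc_hash
        return hashlib.sha256(blob).hexdigest()

    def receive(self, mark):
        """Return the on-chain index once the quorum is met, otherwise None."""
        if not 0 <= mark.node_id < self.n:
            return None                      # not one of the N off-chain nodes
        key = self._record_key(mark)
        if key in self.issued:
            return self.issued[key]          # late marks are idempotent
        voters = self.votes.setdefault(key, set())
        voters.add(mark.node_id)             # a replay from the same node adds nothing
        if len(voters) < self.f + 1:
            return None
        # Hypothetical index derivation: position in the index plus record digest.
        index_id = hashlib.sha256(f"{len(self.index)}:{key}".encode()).hexdigest()[:16]
        self.index[index_id] = (mark.data_info, mark.enc_hash)
        self.issued[key] = index_id
        del self.votes[key]
        return index_id


def demo():
    """Constructed sample run with N = 4, f = 1 (so 2 matching marks are needed)."""
    gate = OnChainGate(n=4, f=1)
    info = "mode=threshold;size=2048;type=pdf"   # constructed data information
    good = bytes.fromhex("aa" * 32)              # constructed encrypted hash
    forged = bytes.fromhex("bb" * 32)            # a faulty node's differing value
    results = [
        gate.receive(CompletionMark(0, info, good)),    # first mark: no quorum yet
        gate.receive(CompletionMark(0, info, good)),    # replay by node 0: ignored
        gate.receive(CompletionMark(2, info, forged)),  # different record: own tally
        gate.receive(CompletionMark(7, info, good)),    # unknown node id: rejected
        gate.receive(CompletionMark(1, info, good)),    # second distinct node: quorum
    ]
    return gate, results


if __name__ == "__main__":
    print(demo()[1])
```

With f+1 distinct senders at least one of them is honest, which is why a single faulty node replaying its own mark or reporting a different encrypted hash cannot create an index entry on its own.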

The data user accesses the on-chain node based on the on-chain index, decrypts the encrypted hash value based on the key, sends the decrypted hash value to the off-chain node for the asynchronous BFT consensus to obtain the ciphertext, and then decrypts the ciphertext to obtain the original data.

Specifically, the data user holds a private key, identity information and the on-chain index, where the private key is generated when the data owner generates the key at the key generation center and is distributed by the data owner. The data user uses the on-chain index to access the on-chain node. The on-chain node sends the access type corresponding to that on-chain index and the encrypted access control list to the trusted execution environment (a trusted TEE verifier implemented based on SGX). The TEE decrypts the encrypted access control list; the TEE holds the only private key that can decrypt it. The trusted execution environment compares and authenticates the identity information of the data user, the access type and the access control list. After successful authentication, the chain returns the data information and the encrypted hash value to the data user. The data user decrypts the encrypted hash value with the private key and sends a read command and the decrypted hash value to one of the off-chain nodes; the read command tells the off-chain node that this request reads the database rather than stores to it. The off-chain nodes perform asynchronous BFT consensus on the decrypted hash value, then use the decrypted hash value (key) to access the database and obtain the encrypted data (value), and return the encrypted data to the data user.

The ciphertext is decrypted to obtain the original data.

Specifically, the data user obtains the original data after successfully decrypting the data using the private key and the preset access control method.

As shown in FIG. 2, there are six entities: the blockchain network, the data owner, the off-chain BFT storage, the trusted verifier, the key generation center, and the data user. The method of this embodiment has two steps: the upload phase and the download phase.

Upload phase:

1. The data owner inputs the message m.

2. The data owner selects an access control method (broadcast encryption, attribute encryption, threshold encryption) and encrypts m.

3. The data owner packages the data information (access control method, encrypted access control list, file size, file type, etc.), the encrypted data (ciphertext), the original data hash value and the encrypted hash value, and uploads them to the off-chain BFT storage.

Implementation of the off-chain BFT storage protocol (asynchronous BFT consensus):

Preparation: create N FIFO queues buf[i], where buf[i] is the message queue of the i-th node; create one PK (public key) and N private keys SK_i, where SK_i is the private key of the i-th node.

User deposits data: the data is put into a message queue that is empty, or put at random into the i-th message queue.

Consensus:

A. Data selection and encryption: the N nodes randomly select B/N data items from the message queue and encrypt them as the input tx_i (the data randomly selected by the i-th node), as shown in FIG. 3.

B. RBC (reliable broadcast protocol) stage: v_i is input to RBC_i. An erasure code is used to split tx_i into N data blocks s_j, configured so that N-2f data blocks are enough to restore tx_i. A Merkle tree is used to compute VAL(h, b_j, s_j), which is sent to each of the N nodes. After receiving it, each node sends VAL_i to the N nodes. Each node that receives a message verifies whether it is a valid Merkle tree branch and otherwise discards it. After receiving N-2f messages, each node restores the data as v_i. The node sends its signature share for id to all nodes. A node that has received f+1 valid signature shares for id can combine them into the signature σ for id and then outputs σ. Here v_i is the data output by message queue i, RBC_i is the i-th node of PRBC, s_j is the leaf node of the Merkle tree with sequence number j, h is the hash value of the node, b_j is the path in the Merkle tree from node j to the root node, and VAL_i = (h, b_i, s_i). See FIG. 4.

C. MVBA stage (multi-valued Byzantine consensus): after N-f PRBC instances have completed, the N-f data items are input, the MVBA protocol is called, and the node waits for the output W_i from MVBA. MVBA votes on W_i as a whole; if W_i satisfies N-f being correct, 1 is input for W_i. Finally ABA is performed to obtain 2f+1 data outputs, and the threshold encryption corresponding to these 2f+1 data items is decrypted. The remaining f data items undergo the step 2 operation and are stored in the message queue. See FIG. 5. Here W_i means that the i-th node votes 1|0 for W_i, and ABA is the ABA protocol.

D. Storing data: the data from MVBA is stored in the N databases.

4. The off-chain nodes reach consensus on the data information (access control method, encrypted access control list, file size, file type, etc.), the encrypted data (ciphertext), the original data hash value and the encrypted hash value.

5. The off-chain node stores the original data hash value h and the encrypted data c in key-value format.

6. When the off-chain phase is completed, the off-chain node returns "done" to the data owner.

7. When the data owner has received a sufficient number of "done" replies from the off-chain nodes, the data owner uploads the data information and the encrypted data hash value to the blockchain network.

8. After the on-chain phase is completed, the blockchain returns the id to the data owner. The data owner can share the id with some data users as the owner sees fit.
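The check in step B of the consensus, where a node accepts a VAL(h, b_j, s_j) message only if b_j is a valid Merkle branch for block s_j under h and waits for N-2f such blocks, is shown below as an added example (not code from the patent). SHA-256, the leaf and inner-node prefixes, the padding node, and the use of plain byte slices in place of real erasure-coded blocks are assumptions made to keep the example self-contained; h is taken to be the Merkle root.

```python
import hashlib


def H(data):
    return hashlib.sha256(data).digest()


def leaf_hash(block):
    return H(b"\x00" + block)        # distinct prefixes keep leaves and inner


def node_hash(left, right):
    return H(b"\x01" + left + right)  # nodes from being confused with each other


PAD = H(b"\x02pad")                   # fixed filler for levels of odd length


def build_tree(blocks):
    """Return all tree levels; levels[0] holds leaf hashes, levels[-1] the root."""
    levels = [[leaf_hash(b) for b in blocks]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(PAD)           # pad in place so every node has a sibling
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def branch(levels, j):
    """b_j: the sibling hashes on the path from leaf j up to the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[j ^ 1])
        j //= 2
    return path


def verify_val(h, b_j, s_j, j, n):
    """Accept VAL(h, b_j, s_j) only if the branch recomputes to h for leaf j."""
    if not 0 <= j < n or len(b_j) != (n - 1).bit_length():
        return False
    acc = leaf_hash(s_j)
    for sibling in b_j:
        acc = node_hash(acc, sibling) if j % 2 == 0 else node_hash(sibling, acc)
        j //= 2
    return acc == h


def collect(h, n, f, messages):
    """Discard invalid VAL messages; report whether N-2f valid blocks are in hand."""
    good = {}
    for j, b_j, s_j in messages:
        if j not in good and verify_val(h, b_j, s_j, j, n):
            good[j] = s_j
    return good, len(good) >= n - 2 * f


# Constructed sample: four byte slices stand in for the erasure-coded blocks s_j.
BLOCKS = [b"construct", b"ed sample", b" transact", b"ion batch"]


def demo():
    n, f = 4, 1
    levels = build_tree(BLOCKS)
    h = levels[-1][0]
    messages = [
        (0, branch(levels, 0), BLOCKS[0]),     # valid
        (1, branch(levels, 1), b"tampered!"),  # block altered in transit
        (2, branch(levels, 3), BLOCKS[2]),     # branch belongs to another leaf
        (3, branch(levels, 3), BLOCKS[3]),     # valid
    ]
    return collect(h, n, f, messages)


if __name__ == "__main__":
    good, enough = demo()
    print(sorted(good), enough)
```

Binding the leaf position j into the check matters: the third constructed message carries a genuine block and a genuine branch, but for different leaves, and is discarded.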

Download phase:

1. The data user sends the id shared by the data owner to the blockchain.

2. The blockchain network (on-chain) sends the access type and the encrypted access control list to the trusted verifier (trusted execution environment). The data user also sends their own identity information to the trusted verifier.

3. The trusted verifier compares the data user's identity information with the access type and the access control list; once this authentication succeeds, the data user can obtain the key from the key generation center in step 4.

4. The data user holds a private key, identity information and the on-chain index, where the private key is generated when the data owner generates the key at the key generation center. After the data user decrypts the encrypted hash value with the key received from the key generation center, the decrypted hash value is sent to the off-chain BFT storage.

5. The data user can download the ciphertext c from the off-chain nodes and use the key and the corresponding access control method to finally obtain the ciphertext m.

The solution of the present invention adopts advanced encryption and security control mechanisms, and the trusted execution environment can grant users access to protected data. It provides strong hardware and software isolation that can resist multiple kinds of attack, ensuring strong data security. By using cryptographic hashing based on blockchain technology, data is protected against tampering, which helps reduce the risk of data leakage and unauthorized access and so provides more reliable protection for sensitive data in areas such as finance, government and healthcare. The technical solution of the present invention provides fine-grained privacy protection (implemented through attribute encryption, broadcast encryption and threshold encryption), allowing data owners to control precisely who can access their data and which attributes and tags grant access. This helps to meet personal privacy protection regulations and ensures that only authorized users can obtain the data; data sovereignty is clearer, and users can better control their personal information.

The embodiments described above are only descriptions of the preferred embodiments of the present invention and are not intended to limit its scope. Without departing from the design spirit of the present invention, the various modifications and improvements made to its technical solutions by those of ordinary skill in the art shall fall within the scope of protection determined by the claims of the present invention.

Claims (4)

1. A data management method based on on-chain and off-chain, characterized by comprising:

the data owner encrypts the original data and the original data hash value based on a key and a preset access control method to obtain the ciphertext of the original data and the encrypted hash value, then sends the data information, the original data hash value, the encrypted hash value and the ciphertext to the off-chain nodes for asynchronous BFT consensus, after which the ciphertext is stored in the off-chain nodes and the data information and the encrypted hash value are uploaded to the on-chain nodes to generate an on-chain index;

sending the data information, the original data hash value, the encrypted hash value and the ciphertext to the off-chain nodes for asynchronous BFT consensus and then storing the ciphertext in the off-chain nodes comprises:

packing the data information, the original data hash value, the encrypted hash value and the ciphertext to obtain packaged data, wherein the data information comprises the preset access control method, the encrypted access control list, the file size and the file type;

sending the packaged data to the off-chain nodes, where the off-chain nodes put the packaged data into a message queue and then perform the asynchronous BFT consensus;

after the asynchronous BFT consensus, the leveldb database of the off-chain nodes stores the original data hash value and the ciphertext in key-value format;

the data user accesses the on-chain nodes based on the on-chain index, decrypts the encrypted hash value based on the key, sends the decrypted hash value to the off-chain nodes for the asynchronous BFT consensus to obtain the ciphertext, and then decrypts the ciphertext to obtain the original data;

the data user decrypting the hash value based on the key comprises:

sending the access type corresponding to the on-chain index and the encrypted access control list to a trusted execution environment, where the trusted execution environment decrypts the encrypted access control list to obtain the decrypted access control list;

the trusted execution environment compares and authenticates the identity information of the data user, the access type and the decrypted access control list, wherein the trusted execution environment is a trusted TEE verifier implemented based on SGX;

after successful authentication, sending the data information and the encrypted hash value to the data user;

the data user decrypts the encrypted hash value using the private key in the key and obtains a read command;

sending the decrypted hash value to the off-chain nodes for the asynchronous BFT consensus to obtain the ciphertext comprises:

after sending the read command and the decrypted hash value to the off-chain nodes for the asynchronous BFT consensus, accessing the leveldb database using the decrypted hash value to obtain the ciphertext.

2. The data management method based on on-chain and off-chain according to claim 1, characterized in that the access control method is broadcast encryption, attribute encryption or threshold encryption.

3. The data management method based on on-chain and off-chain according to claim 1, characterized in that uploading the data information and the encrypted hash value to the on-chain nodes to generate the on-chain index comprises:

the off-chain nodes send the marking instruction generated after the asynchronous BFT consensus, the data information and the encrypted hash value to the on-chain nodes; when the on-chain nodes have received a preset number of the marking instructions, the data information and the encrypted hash value are uploaded to the on-chain nodes, the on-chain index is generated, and the on-chain index is sent to the data owner, wherein the data owner shares the on-chain index with the data user.

4. The data management method based on on-chain and off-chain according to claim 1, characterized in that decrypting the ciphertext to obtain the original data comprises:

decrypting the ciphertext based on the private key and the preset access control method to obtain the original data.
CN202410552469.XA 2024-05-07 2024-05-07 Data management method based on on-chain and off-chain Active CN118133325B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410552469.XA CN118133325B (en) 2024-05-07 2024-05-07 Data management method based on on-chain and off-chain

Publications (2)

Publication Number Publication Date
CN118133325A CN118133325A (en) 2024-06-04
CN118133325B true CN118133325B (en) 2024-07-12

Family

ID=91234056

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410552469.XA Active CN118133325B (en) 2024-05-07 2024-05-07 Data management method based on on-chain and off-chain

Country Status (1)

Country Link
CN (1) CN118133325B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112069528A (en) * 2020-11-10 2020-12-11 支付宝(杭州)信息技术有限公司 Financing transaction processing method and system based on block chain
CN113157735A (en) * 2021-04-20 2021-07-23 清华大学 Method and device for inquiring block chain storage data

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SG11201909847SA (en) * 2019-04-03 2019-11-28 Alibaba Group Holding Ltd Processing and storing blockchain data under a trusted execution environment
CN113783836B (en) * 2021-08-02 2023-06-20 南京邮电大学 IoT data access control method and system based on block chain and IBE algorithm
CN115941262A (en) * 2022-10-31 2023-04-07 蚂蚁区块链科技(上海)有限公司 Transaction execution method and node in blockchain system

Also Published As

Publication number Publication date
CN118133325A (en) 2024-06-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant