
WO2024001022A1 - Cross-subnet calling - Google Patents

Publication number
WO2024001022A1
WO2024001022A1 PCT/CN2022/135244 CN2022135244W WO2024001022A1 WO 2024001022 A1 WO2024001022 A1 WO 2024001022A1 CN 2022135244 W CN2022135244 W CN 2022135244W WO 2024001022 A1 WO2024001022 A1 WO 2024001022A1
Authority
WO
WIPO (PCT)
Prior art keywords
subnet
execution environment
trusted execution
node
blockchain
Application number
PCT/CN2022/135244
Other languages
French (fr)
Chinese (zh)
Inventor
黄祖城
Original Assignee
蚂蚁区块链科技(上海)有限公司
Application filed by 蚂蚁区块链科技(上海)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Definitions

  • The embodiments of this specification belong to the field of blockchain technology, and particularly relate to a cross-subnet calling method, device, electronic device and storage medium.
  • Blockchain is a new application model of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms, and encryption algorithms.
  • Data blocks are combined into a chained data structure in chronological order, and cryptography guarantees a distributed ledger that cannot be tampered with or forged. Owing to characteristics such as decentralization, tamper resistance of information, and autonomy, blockchain has received more and more attention and application.
  • Some nodes sometimes need to carry out transactions within a small scope, to prevent other nodes from obtaining these transactions and their related data. This can be achieved by further establishing a blockchain subnet based on the blockchain main network. In a scenario where multiple blockchain subnets are established on the blockchain main network, there are requirements for cross-subnet calls between different blockchain subnets.
  • The purpose of the present invention is to provide a cross-subnet calling method, device, electronic device and storage medium.
  • A cross-subnet calling method is proposed, which is applied to the first subnet node in the first blockchain subnet managed by the blockchain main network. The first subnet node maintains a first trusted execution environment; the blockchain mainnet also manages a second blockchain subnet, and the second subnet node in the second blockchain subnet maintains a second trusted execution environment.
  • The method includes: running the first smart contract in the first trusted execution environment to generate a cross-subnet request, and encrypting the cross-subnet request in the first trusted execution environment based on the first public key corresponding to the second trusted execution environment to obtain an encrypted request; sending the encrypted request to the second subnet node, and receiving an encrypted response returned by the second subnet node.
  • The encrypted response is obtained by the second subnet node in the following manner: reading the encrypted request into the second trusted execution environment, decrypting the encrypted request in the second trusted execution environment based on the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, executing the cross-subnet request to generate a corresponding cross-subnet response, and encrypting the cross-subnet response based on the second public key corresponding to the first trusted execution environment to obtain the encrypted response.
  • The method further includes: reading the encrypted response into the first trusted execution environment, and decrypting the encrypted response in the first trusted execution environment based on the second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
  • A cross-subnet calling method is proposed, which is applied to the second subnet node in the second blockchain subnet managed by the blockchain main network. The second subnet node maintains a second trusted execution environment; the blockchain mainnet also manages a first blockchain subnet, and the first subnet node in the first blockchain subnet maintains a first trusted execution environment.
  • The method includes: receiving an encrypted request obtained by the first subnet node encrypting a cross-subnet request in the first trusted execution environment based on the first public key corresponding to the second trusted execution environment, where the cross-subnet request is generated by the first subnet node running the first smart contract in the first trusted execution environment.
  • The method further includes: reading the encrypted request into the second trusted execution environment; in the second trusted execution environment, decrypting the encrypted request based on the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, executing the cross-subnet request to generate a corresponding cross-subnet response, and encrypting the cross-subnet response based on the second public key corresponding to the first trusted execution environment to obtain an encrypted response.
  • The method further includes: sending the encrypted response to the first subnet node, so that the first subnet node reads the received encrypted response into the first trusted execution environment and, in the first trusted execution environment, decrypts the encrypted response based on the second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
  • A cross-subnet calling device is proposed, which is applied to the first subnet node in the first blockchain subnet managed by the blockchain main network. The first subnet node maintains a first trusted execution environment; the blockchain mainnet also manages a second blockchain subnet, and the second subnet node in the second blockchain subnet maintains a second trusted execution environment.
  • The device includes: an encrypted request acquisition unit, configured to run the first smart contract in the first trusted execution environment to generate a cross-subnet request, and to encrypt the cross-subnet request in the first trusted execution environment based on the first public key corresponding to the second trusted execution environment to obtain an encrypted request.
  • An encrypted request sending unit, configured to send the encrypted request to the second subnet node and receive the encrypted response returned by the second subnet node. The encrypted response is obtained by the second subnet node in the following manner: reading the encrypted request into the second trusted execution environment, decrypting the encrypted request in the second trusted execution environment based on the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, executing the cross-subnet request to generate a corresponding cross-subnet response, and encrypting the cross-subnet response based on the second public key corresponding to the first trusted execution environment to obtain the encrypted response.
  • An encrypted response decryption unit, configured to read the encrypted response into the first trusted execution environment and, in the first trusted execution environment, decrypt the encrypted response based on the second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
  • A cross-subnet calling device is proposed, which is applied to the second subnet node in the second blockchain subnet managed by the blockchain main network. The second subnet node maintains a second trusted execution environment; the blockchain mainnet also manages a first blockchain subnet, and the first subnet node in the first blockchain subnet maintains a first trusted execution environment.
  • The device includes: an encrypted request receiving unit, configured to receive an encrypted request obtained by the first subnet node encrypting a cross-subnet request in the first trusted execution environment based on the first public key corresponding to the second trusted execution environment.
  • An encrypted response acquisition unit, configured to read the encrypted request into the second trusted execution environment and, in the second trusted execution environment, decrypt the encrypted request based on the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, execute the cross-subnet request to generate the corresponding cross-subnet response, and encrypt the cross-subnet response based on the second public key corresponding to the first trusted execution environment to obtain an encrypted response.
  • An encrypted response sending unit, configured to send the encrypted response to the first subnet node, so that the first subnet node reads the received encrypted response into the first trusted execution environment and, in the first trusted execution environment, decrypts the encrypted response based on the second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
  • An electronic device is proposed, including: a processor; and a memory for storing instructions executable by the processor; wherein the processor executes the executable instructions to implement the method described in any one of the first aspect and the second aspect.
  • A computer-readable storage medium is proposed, on which computer instructions are stored; when the instructions are executed by a processor, the steps of the method described in any one of the first and second aspects are implemented.
  • The first subnet node and the second subnet node are in different blockchain subnets, and a cross-subnet call is made between the first subnet node and the second subnet node. The cross-subnet request or cross-subnet response is encrypted with the public key corresponding to the trusted execution environment, which ensures the security of the node operation process and the security of the cross-subnet communication process.
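The exchange summarized above, as an added Go example that is not code from the patent. Each trusted execution environment is modelled as a struct that confines its private key; RSA-OAEP with SHA-256, the direction labels, and every name and payload are assumptions of this example, since the page names no algorithm or message format.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// TEE models one subnet node's trusted execution environment. The private key
// is confined to this struct and plaintext exists only inside its methods.
type TEE struct {
	name string
	priv *rsa.PrivateKey
}

// NewTEE creates an environment with a fresh key pair (RSA-2048 is an
// assumption of this example).
func NewTEE(name string) (*TEE, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &TEE{name: name, priv: key}, nil
}

// PublicKey is the only key material that leaves the environment.
func (t *TEE) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }

// OAEP labels bind a ciphertext to its direction, so an encrypted response
// cannot be fed back as a request (an addition of this example).
var (
	labelRequest  = []byte("cross-subnet-request")
	labelResponse = []byte("cross-subnet-response")
)

func seal(pub *rsa.PublicKey, label, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, label)
}

func (t *TEE) open(label, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, ct, label)
}

// BuildRequest runs the first smart contract inside the first TEE and encrypts
// the resulting cross-subnet request to the second TEE's public key.
func (t *TEE) BuildRequest(contract func() []byte, peer *rsa.PublicKey) ([]byte, error) {
	return seal(peer, labelRequest, contract())
}

// Serve is the second TEE's side: decrypt the request, execute it, and encrypt
// the cross-subnet response to the calling TEE's public key.
func (t *TEE) Serve(encReq []byte, caller *rsa.PublicKey, execute func([]byte) []byte) ([]byte, error) {
	req, err := t.open(labelRequest, encReq)
	if err != nil {
		return nil, fmt.Errorf("%s: rejecting request: %w", t.name, err)
	}
	return seal(caller, labelResponse, execute(req))
}

// ReadResponse decrypts the encrypted response inside the first TEE.
func (t *TEE) ReadResponse(encResp []byte) ([]byte, error) {
	return t.open(labelResponse, encResp)
}

// Constructed sample payload and handlers (hypothetical contract and method names).
var sampleRequest = []byte(`{"contract":"inventory","method":"query","args":["sku-1001"]}`)

func firstContract() []byte { return sampleRequest }

func executeOnSubnet2(req []byte) []byte {
	return []byte(fmt.Sprintf(`{"status":"ok","handled_bytes":%d}`, len(req)))
}

// CrossSubnetCall runs the whole exchange. encReq and encResp are the only
// values that cross the untrusted path between the two subnet nodes.
func CrossSubnetCall(tee1, tee2 *TEE) (resp, encReq, encResp []byte, err error) {
	if encReq, err = tee1.BuildRequest(firstContract, tee2.PublicKey()); err != nil {
		return
	}
	if encResp, err = tee2.Serve(encReq, tee1.PublicKey(), executeOnSubnet2); err != nil {
		return
	}
	resp, err = tee1.ReadResponse(encResp)
	return
}

func main() {
	tee1, err1 := NewTEE("subnet1-node")
	tee2, err2 := NewTEE("subnet2-node")
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	resp, encReq, encResp, err := CrossSubnetCall(tee1, tee2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %d-byte request, %d-byte response\n", len(encReq), len(encResp))
	fmt.Printf("inside first TEE: %s\n", resp)
}
```

RSA-OAEP with a 2048-bit key carries at most 190 bytes of plaintext, so a real request of arbitrary size would need a hybrid scheme; that choice is outside what the page specifies.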
  • Figure 1 is a schematic diagram of establishing a blockchain subnet based on the blockchain main network according to an exemplary embodiment.
  • Figure 2 is a flow chart of a cross-subnet calling method provided by an exemplary embodiment.
  • Figure 3 is an application scenario diagram of a cross-subnet calling method provided by an exemplary embodiment.
  • Figure 4 is an application scenario diagram of another cross-subnet calling method provided by an exemplary embodiment.
  • Figure 5 is a flow chart of another cross-subnet calling method provided by an exemplary embodiment.
  • Figure 6 is a schematic structural diagram of a device provided by an exemplary embodiment.
  • Figure 7 is a block diagram of a cross-subnet calling device provided in an exemplary embodiment.
  • Figure 8 is a block diagram of another cross-subnet calling device provided by an exemplary embodiment.
  • All blockchain nodes in the blockchain network maintain the same block data, which cannot meet the special needs of some nodes.
  • All alliance members (i.e., node members within the alliance) can form a blockchain network. All alliance members have corresponding blockchain nodes in the blockchain network and can, through the corresponding blockchain nodes, obtain all transactions and related data that occur on the blockchain network. However, in some cases there may be some alliance members who want to complete transactions with confidentiality requirements. These alliance members hope that these transactions can be stored on the blockchain or take advantage of other advantages of blockchain technology, while preventing other alliance members from viewing these transactions and related data.
  • Although these alliance members can additionally form a new blockchain network, in a way similar to the above-mentioned blockchain network containing all alliance members, building a new blockchain network from scratch requires a large amount of resources, and both the establishment process of the blockchain network and the configuration process after it is built are very time-consuming.
  • The demands among alliance members are often temporary or time-sensitive, so that the newly built blockchain network will soon lose its reason to exist once the demand disappears, thus further increasing the chain construction cost of the above-mentioned blockchain network.
  • The needs among alliance members often change, and the alliance members corresponding to each demand are often different. Therefore, whenever alliance members change, a new blockchain network may need to be formed, resulting in a great waste of resources and time.
  • The established blockchain network can be used as the blockchain main network, and a blockchain subnet can be established based on the blockchain main network. Then, in a consortium chain scenario such as the above, consortium members that already participate in the blockchain mainnet can establish the required blockchain subnet based on their own needs. Since the blockchain subnet is established on the basis of the blockchain main network, the resources and time consumed by the construction process of the blockchain subnet are greatly reduced compared with establishing a completely independent blockchain network, and the flexibility is extremely high.
  • The process of quickly establishing a blockchain subnet based on the blockchain main network is as follows: each blockchain node in the blockchain main network obtains the transaction for establishing the blockchain subnet, where the transaction includes the configuration information of the blockchain subnet and the configuration information includes the identity information of the node members participating in the establishment of the blockchain subnet; each blockchain node in the blockchain main network executes the transaction to reveal the configuration information.
  • When the configuration information contains the identity information of the node member corresponding to the first blockchain node, the node device deploying the first blockchain node starts, based on the genesis block containing the configuration information, the second blockchain node belonging to the blockchain subnet.
  • The blockchain main network is subnet0, and the blockchain nodes included in subnet0 are nodeA, nodeB, nodeC, nodeD, nodeE, etc.
  • Suppose nodeA, nodeB, nodeC and nodeD want to form a blockchain subnet. If nodeA is the administrator and only the administrator is allowed to initiate transactions to form a blockchain subnet, then nodeA can initiate the above transaction to form a blockchain subnet to subnet0. If nodeE is the administrator and only the administrator is allowed to initiate transactions to establish a blockchain subnet, then nodeA~nodeD need to make a request to nodeE, so that nodeE initiates the above-mentioned transaction to establish a blockchain subnet to subnet0. If nodeE is the administrator but ordinary users are allowed to initiate transactions to establish a blockchain subnet, then nodeA~nodeE can initiate the above-mentioned transaction to establish a blockchain subnet to subnet0.
  • The blockchain node that initiates the transaction to establish the blockchain subnet does not necessarily participate in the formed blockchain subnet. The blockchain subnet is ultimately formed by nodeA, nodeB, nodeC, and nodeD, but nodeE can initiate the above-mentioned transaction of forming a blockchain subnet to subnet0, and it is not necessarily nodeA~nodeD that initiates the transaction of forming a blockchain subnet.
  • The blockchain main network in this specification can be the underlying blockchain network, that is, the blockchain main network is not a blockchain subnet established on the basis of other blockchain networks. For example, subnet0 in Figure 1 can be considered a blockchain mainnet belonging to the underlying blockchain network type.
  • The blockchain mainnet in this specification can also be a subnet of other blockchain networks.
  • subnet1 is the blockchain mainnet corresponding to the blockchain subnet, and this does not affect the fact that subnet1 also belongs to the blockchain subnets created on subnet0. It can be seen that the blockchain main network and the blockchain subnet are actually relative concepts. The same blockchain network can be the blockchain main network in some cases and a blockchain subnet in other cases.
  • The configuration information can be used to configure the formed blockchain subnet so that it meets the networking requirements. For example, by including the identity information of node members in the configuration information, one can specify which blockchain nodes are included in the formed blockchain subnet.
  • The identity information of node members may include the public key of the node, or other information that can characterize the identity of the node, such as a node ID. This specification does not limit this.
  • Each blockchain node has one or more corresponding public-private key pairs. The blockchain node holds the private key, while the public key is made public and uniquely corresponds to the private key. Therefore, the public key can be used to represent the identity of the corresponding blockchain node, and for blockchain nodes that wish to serve as node members of the blockchain subnet, the public keys of these blockchain nodes can be added to the above-mentioned transaction for forming the blockchain subnet as the identity information of the above-mentioned node members.
  • The above public-private key pairs can be used in the signature verification process. For example, the nodeA1 mentioned above in subnet1 signs a message using its own private key and then broadcasts the signed message in subnet1, while nodeB1, nodeC1 and nodeD1 can use the public key of nodeA1 to perform signature verification on the received message, confirming that the message received does come from nodeA1 and has not been tampered with.
  • The first main network node may be a blockchain node on the blockchain main network that belongs to the node members indicated by the configuration information.
  • The first mainnet node does not directly participate in forming the blockchain subnet and become its node member. Instead, the node device used to deploy the first mainnet node needs to generate the first subnet node, and the first subnet node becomes a node member in the blockchain subnet.
  • The first mainnet node and the first subnet node correspond to the same blockchain member (for example, in the alliance chain scenario, the same alliance chain member), but the first mainnet node belongs to the blockchain mainnet and the first subnet node belongs to the blockchain subnet, so that the blockchain member can participate in the transactions of the blockchain main network and of the blockchain subnet respectively.
  • Since the blockchain main network and the blockchain subnet are two independent blockchain networks, the blocks generated by the first main network node and the blocks generated by the first subnet node are stored in different storage on the node device (the storage used can be a database, for example), so that the storage used by the first main network node and by the first subnet node is isolated from each other. Therefore, the data generated by the blockchain subnet is synchronized only among the node members of the blockchain subnet, and blockchain members that participate only in the blockchain main network cannot obtain the data generated on the blockchain subnet. This realizes data isolation between the blockchain main network and the blockchain subnet, and satisfies the transaction needs among some blockchain members (i.e., the blockchain members participating in the blockchain subnet).
  • The first main network node and the first subnet node are logically divided blockchain nodes. From the perspective of physical equipment, this is equivalent to the node device on which the first main network node and the first subnet node are deployed participating in both the blockchain main network and the blockchain subnet. Since the blockchain main network and the blockchain subnet are independent of each other, the identity systems of the two blockchain networks are also independent of each other. Therefore, even if the first main network node and the first subnet node use exactly the same public key, the two should still be considered different blockchain nodes.
  • nodeA in subnet0 is equivalent to the first main network node, and the node device deploying nodeA generates nodeA1 belonging to subnet1, which is equivalent to the first subnet node. It can be seen that since the identity systems are independent of each other, even if the public key used by the first subnet node is different from that of the first mainnet node, it will not affect the implementation of the solution in this specification.
  • The node members of the blockchain subnet are not necessarily only some of the node members of the blockchain mainnet. The node members of the blockchain subnet can be completely consistent with the node members of the blockchain main network; in that case all blockchain members can obtain the data on both the blockchain main network and the blockchain subnet, but the data generated by the blockchain main network and by the blockchain subnet can still be isolated from each other. For example, one type of business can be implemented on the blockchain main network and another type of business on the blockchain subnet, so that the business data generated by the two types of business are isolated from each other.
  • The configuration information may also include at least one of the following: the network identifier of the blockchain subnet, the identity information of the administrator of the blockchain subnet, the attribute configuration for the blockchain platform code, etc. This specification does not limit this.
  • The network identifier is used to uniquely characterize the blockchain subnet, so the network identifier of the blockchain subnet should be distinct from those of the blockchain main network and of other blockchain subnets formed on the blockchain main network.
  • The identity information of the administrator of the blockchain subnet can be, for example, the public key of the node member who is the administrator. The administrators of the blockchain main network and of the blockchain subnet can be the same or different.
  • One of the advantages of building a blockchain subnet through the blockchain mainnet is that, since the first mainnet node has already been deployed on the node device that generates the first subnet node, the blockchain platform code used by the first mainnet node can be reused on the first subnet node. This eliminates the need for repeated deployment of the blockchain platform code and greatly improves the efficiency of building the blockchain subnet.
  • The first subnet node can reuse the attribute configuration adopted on the first main network node. If the configuration information contains an attribute configuration for the blockchain platform code, the first subnet node can adopt that attribute configuration, so that the attribute configuration adopted by the first subnet node is not limited to the attribute configuration of the first main network node and has nothing to do with the first main network node.
  • The attribute configuration of the blockchain platform code can include at least one of the following: code version number, whether consensus is required, consensus algorithm type, block size, etc. This specification does not limit this.
  • Transactions that build a blockchain subnet include transactions that call contracts. The transaction can specify the address of the called smart contract, the method called and the parameters passed in. The contract called can be the aforementioned creation contract or system contract, the method called can be a method of establishing a blockchain subnet, and the parameters passed in can include the above configuration information.
  • the transaction may include the following information:
  • The from field is the information of the initiator of the transaction; for example, Administrator indicates that the initiator is the administrator. The to field is the address of the called smart contract; for example, the smart contract can be a Subnet contract, in which case the to field is specifically the address of the Subnet contract. The method field is the method called.
  • The method used to build a blockchain subnet in the Subnet contract can be AddSubnet(string), where string is the parameter of the AddSubnet() method. genesis is used to represent the value of this parameter, and genesis is specifically the aforementioned configuration information.
  • Take the nodes nodeA~nodeE on subnet0 executing a transaction that calls the AddSubnet() method in the Subnet contract as an example. After the transaction passes consensus, nodeA~nodeE each execute the AddSubnet() method and pass in the configuration information to obtain the corresponding execution results.
  • Contract execution results can be represented as events in receipts.
  • The message mechanism can realize message delivery through events in receipts to trigger blockchain nodes to perform corresponding processing.
  • the structure of the event can be, for example:
  • The number of events may be one or more; each event includes fields such as topic and data.
  • The blockchain node can listen to the topic of the event and perform preset processing when it detects a predefined topic, or it can read the relevant content from the data field of the corresponding event and perform preset processing based on the content read.
  • The listening code can be embedded in the blockchain platform code running on the blockchain node, so that the listening code can monitor one or more types of data, such as the transaction content of blockchain transactions, the contract state of smart contracts, and the receipts generated by contracts, and send the monitored data to a predefined listening party.
  • This implementation method based on listening code is relatively more proactive compared to the event mechanism.
  • The above-mentioned listening code can be added to the blockchain platform code by the developers of the blockchain platform during the development process, or can be embedded by the listening party based on its own needs. This specification does not limit this.
  • The execution result of the above Subnet contract may include the configuration information, and the execution result may be in the receipt mentioned above.
  • The receipt may include events related to the execution of the AddSubnet() method, that is, networking events.
  • The topic of the networking event can contain a predefined networking event identifier to distinguish it from other events. For example, the content of the topic is the keyword subnet, and this keyword is different from the topic in the events generated by other methods.
  • nodeA~nodeE can determine that they have detected the event related to the execution of the AddSubnet() method, that is, the networking event, when they detect a topic containing the keyword subnet.
  • the events in the receipt are as follows:
  • the content of the data field may include:
  • nodeA's public key, nodeA's IP, nodeA's port number...;
  • nodeB's public key, nodeB's IP, nodeB's port number...;
  • nodeD's public key, nodeD's IP, nodeD's port number...;
  • subnet1 is the network identifier of the blockchain subnet to be created.
  • Each blockchain node in the blockchain main network can record the network identifiers of all blockchain subnets that have been created on the blockchain main network, or other information related to these blockchain subnets. This information can, for example, be maintained in In the above-mentioned Subnet contract, it may specifically correspond to the value of one or more contract states contained in the Subnet contract.
  • nodeA ⁇ nodeE can determine whether the above subnet1 already exists based on the recorded network identifiers of all created blockchain subnets; if it does not exist, it means that subnet1 is the new blockchain subnet that needs to be created currently. If it exists, it means that subnet1 already exists.
  • the above data field also contains the identity information of each node member and other contents.
  • The node device deploying the first main network node may monitor the generated receipt, and when the networking event is detected and the content of the networking event indicates that the first main network node belongs to the node members, the node device of the first main network node obtains the configuration information or genesis block contained in the networking event.
  • Alternatively, the first blockchain node can monitor the generated receipt, and when the networking event is detected and the content of the networking event indicates that the first blockchain node belongs to the node members, trigger the node device deploying the first blockchain node to obtain the configuration information or the genesis block included in the networking event.
  • Node devices can listen directly for receipts. Assume that nodeA~nodeE are deployed on node devices 1~5 respectively. Node devices 1~5 can monitor the receipts generated by nodeA~nodeE respectively. When it is detected that subnet1 is a newly established blockchain subnet, node devices 1~5 will further identify the identity information of the node members contained in the data field to determine their own processing method. Taking nodeA and node device 1 as an example: if node device 1 finds that the data field contains nodeA's public key, IP address, port number and other identity information, then node device 1 obtains the configuration information from the data field based on the above message mechanism and generates a genesis block containing the configuration information.
  • Node device 1 will then deploy nodeA1 locally, and nodeA1 will load the generated genesis block, thus becoming a subnet node of subnet1; similarly, node device 2 can generate nodeB1, node device 3 can generate nodeC1, and node device 4 can generate nodeD1. Node device 5, in contrast, will find that the identity information contained in the data field does not match itself, so node device 5 will not generate a genesis block based on the configuration information in the data field, nor will it generate a blockchain node in subnet1.
  • Alternatively, blockchain nodes in the blockchain main network can monitor receipts and trigger node devices to perform relevant processing based on the monitoring results. For example, when nodeA~nodeE determine that subnet1 is a newly established blockchain subnet, they will further identify the identity information of the node members contained in the data field to determine their own processing method. For example, nodeA~nodeD will find that the data field contains their own public key, IP address, port number and other identity information. Assume that nodeA~nodeD are deployed on node devices 1~4 respectively.
  • nodeA will trigger node device 1 so that node device 1 obtains configuration information from the data field based on the above message mechanism and generates a genesis block containing the configuration information, and node device 1 will deploy nodeA1 locally, and nodeA1 loads the generated genesis block, thus becoming a subnet node in subnet1; similarly, nodeB will trigger node device 2 to generate nodeB1, nodeC will trigger node device 3 to generate nodeC1, and nodeD will trigger node device 4 to generate nodeD1. nodeE, in contrast, will find that the identity information contained in the data field does not match itself. Assuming that nodeE is deployed on node device 5, node device 5 will not generate a genesis block based on the configuration information in the data field, nor will it generate a blockchain node in subnet1.
  • The data field may contain identity information generated in advance for nodeA1 to nodeD1, which is different from the identity information of nodeA to nodeD.
  • If node device 1 finds the identity information of nodeA1 in the data field, it can generate a genesis block, deploy nodeA1, and have nodeA1 load the genesis block; or, if nodeA finds the identity information of nodeA1 in the data field, then nodeA will trigger node device 1 to generate a genesis block and deploy nodeA1, and nodeA1 will load the genesis block.
  • Other blockchain nodes or node devices are handled in a similar manner and will not be described here.
  • The execution results of the contract can include the genesis block.
  • The corresponding node devices 1 to 4 can directly obtain the genesis block from the data field through the message mechanism without having to generate it themselves, which can improve the deployment efficiency of nodeA1 to nodeD1.
  • The node device implements the deployment of a blockchain node on the node device by creating an instance running the blockchain platform code in the process.
  • The node device creates a first instance in the above process, and the first instance runs the blockchain platform code.
  • The node device creates a second instance that is different from the first instance in the above process, and the second instance runs the blockchain platform code.
  • The node device can first create a first instance in the process to form the first blockchain node in the blockchain main network; and when the node member corresponding to the node device wants to participate in forming the blockchain subnet, a second instance, different from the above first instance, can be created in the above process, and the second instance forms a second blockchain node in the blockchain subnet.
  • When the first instance and the second instance are in the same process, no cross-process interaction is involved, so the difficulty of deploying the first subnet node can be reduced and the deployment efficiency can be improved; of course, the second instance may also be in separate nodes from the first instance.
  • The node device can create the first instance in the first process to form the first blockchain node in the blockchain main network; and when the node members corresponding to the node device wish to participate in building a blockchain subnet, they can start a second process that is different from the first process, and create a second instance in the second process. The second instance is different from the above-mentioned first instance. The second instance then forms a second blockchain node in the blockchain subnet.
  • Each blockchain node deployed on any node device involved in the embodiments of this specification is a different blockchain instance running on that node device.
  • The blocks generated by each blockchain node deployed on any node device are stored in different storages (such as databases) on that node device, and the storages used by the blockchain nodes deployed on that node device are isolated from each other.
  • A blockchain subnet can be created on the blockchain mainnet.
  • subnet0 originally contains nodeA~nodeE.
  • subnet1 can be formed based on subnet0.
  • This subnet1 contains nodeA1~nodeD1, and nodeA and nodeA1, nodeB and nodeB1, nodeC and nodeC1, nodeD and nodeD1 are respectively deployed on the same node device.
  • subnet2 or more blockchain subnets can be established on subnet0, where subnet2 includes nodeA2, nodeB2, nodeC2 and nodeE2, and nodeA, nodeA1 and nodeA2; nodeB, nodeB1 and nodeB2; nodeC, nodeC1 and nodeC2; nodeD and nodeD1; and nodeE and nodeE2 are respectively deployed on the same node device.
  • subnet1, subnet2, etc. can be used as new blockchain mainnets, and blockchain subnets can be further built on this basis. The process is similar to the establishment of subnet1 or subnet2, and will not be described again here.
  • The above-mentioned method of initiating transactions on the blockchain main network to select node members to create a blockchain subnet enables the subnet nodes of the newly created blockchain subnet to be deployed where the main network nodes of the blockchain main network are located.
  • The node devices where the subnet nodes of the blockchain subnet are located belong to a subset of the node devices where the main network nodes are located.
  • That is, the node devices on which the subnet nodes of the blockchain subnet are deployed belong to a subset of the node devices on which the main network nodes in the blockchain main network are deployed.
  • Blockchain subnets can also be created through other means and made subject to the management of the blockchain main network.
  • A blockchain subnet can be established on the blockchain main network through registration (hereinafter referred to as the registration networking method): an existing blockchain network can be directly registered to the blockchain main network, so that the newly registered blockchain network comes under the management of the blockchain main network and becomes a blockchain subnet of the blockchain main network.
  • The subnet information of the blockchain subnet to be established is directly registered to the blockchain main network, so that the blockchain main network obtains the relevant information of the blockchain subnet to be established (by receiving and executing transactions issued by the blockchain network to be established, in order to associate and store identity information with the subnet identifier assigned to the blockchain network to be established), such as the subnet identifier and operating status of the blockchain subnet to be established, the public key and plug-in configuration information of each node member in it, the IP address and port information of each node device, etc. This information will be written into the contract status of the system contract corresponding to the blockchain main network.
  • The blockchain main network will then obtain the management rights of the blockchain subnet to be formed, and completing the registration means that the formation of the blockchain subnet is complete. Since the registration networking method does not require the designation of node members on the blockchain main network through transactions to form a blockchain subnet, the node devices of the subnet nodes in a blockchain subnet established through the registration networking method can be completely or partially different from the node devices on which the nodes of the blockchain main network are deployed.
  • For example, in Figure 1, subnet0 creates a subnet4 in the registration networking mode (not shown in Figure 1). It is assumed that the main network nodes nodeA~nodeE included in subnet0 itself are deployed on node devices 1 to 5 respectively.
  • Then the subnet nodes corresponding to subnet4 can be deployed on any other node devices except node devices 1 to 5; or one or more subnet nodes in subnet4 are deployed on any node devices within node devices 1 to 5 (but it is still necessary to ensure that only one subnet node in subnet4 is deployed on a node device), and the other subnet nodes in subnet4 are deployed on any other node devices except node devices 1 to 5; of course, the subnet nodes in subnet4 can also be deployed in node devices 1 to 5.
  • FIG. 2 is a flow chart of a cross-subnet calling method provided by an exemplary embodiment.
  • The method is applied to a first subnet node in a first blockchain subnet managed by a blockchain mainnet, the first subnet node maintains a first trusted execution environment, the blockchain mainnet also manages a second blockchain subnet, and the second subnet node in the second blockchain subnet maintains a second trusted execution environment; the method includes:
  • S202: Run the first smart contract in the first trusted execution environment to generate a cross-subnet request, and encrypt the cross-subnet request in the first trusted execution environment based on the first public key corresponding to the second trusted execution environment to obtain an encrypted request.
  • The first blockchain subnet and the second blockchain subnet are both created on the basis of the blockchain main network according to the aforementioned method of creating a blockchain subnet. That any blockchain subnet is managed by the blockchain main network can be expressed as follows: by calling the subnet management contract deployed on the blockchain main network, the blockchain main network can realize management functions such as starting and stopping the nodes of each blockchain subnet and adjusting its network structure.
  • The first subnet node maintains a first trusted execution environment, and can place computing tasks such as transaction execution, the consensus process, and contract operation during node operation into the first trusted execution environment for execution.
  • The first subnet node will read the ciphertext data outside the first trusted execution environment into the first trusted execution environment and decrypt it into plaintext data before performing operations. Therefore, the first subnet node can use the confidentiality of the first trusted execution environment to achieve the security of the first subnet node at the node operation level.
  • The second subnet node also maintains a second trusted execution environment, and can likewise use the second trusted execution environment in the above manner to achieve the security of the second subnet node at the node operation level.
  • Any subnet node in the first blockchain subnet or the second blockchain subnet can be deployed with a corresponding trusted execution environment, and achieve security at the operating level of each node in the above manner.
  • The first blockchain subnet and the second blockchain subnet are called TEE (Trusted Execution Environment) chains.
  • The first smart contract may generate cross-subnet call requirements for other blockchain subnets, such as generating a cross-subnet request pointing to the second subnet node in the second blockchain subnet, which requires that the cross-subnet request be transmitted to the second subnet node and executed in response, and that the cross-subnet response generated by the second subnet node executing the cross-subnet request be received.
  • For cross-subnet communication, the data must be encrypted in the trusted execution environment before it is communicated across subnets.
  • The first subnet node will not directly send the cross-subnet request generated by the first smart contract running in the first trusted execution environment to the second subnet node. Instead, it first encrypts the cross-subnet request in the first trusted execution environment based on the first public key corresponding to the second trusted execution environment to obtain an encrypted request, and then sends the encrypted request to the second subnet node.
  • Specific fields in the original cross-subnet request will be retained during the encryption process, such as the identity information of the second subnet node (IP address, node public key or other identification), identification information of the second blockchain subnet, etc.
  • The first trusted execution environment maintains a corresponding public and private key pair (the second public key and the second private key) to implement the encryption and decryption of data inside and outside the first trusted execution environment, wherein the second private key is held exclusively by the first trusted execution environment, and the second public key is made public.
  • The second trusted execution environment also maintains a corresponding public and private key pair (the first public key and the first private key) to implement the encryption and decryption of data inside and outside the second trusted execution environment, where the first private key is held exclusively by the second trusted execution environment, and the first public key is made public.
  • When the cross-subnet request is encrypted in the first trusted execution environment based on the first public key corresponding to the second trusted execution environment to obtain an encrypted request, the encrypted request can theoretically only be decrypted in the second trusted execution environment, maintained by the second subnet node, which uniquely holds the first private key. Even if the encrypted request is captured by a third party during transmission outside the trusted execution environment, the third party lacks the first private key and cannot decrypt the encrypted request and restore it to the plaintext cross-subnet request, thereby ensuring the security of the cross-subnet communication process.
  • Because this encrypted request has both the nature of a blockchain transaction and confidentiality, it is a privacy transaction.
  • The first smart contract is run in the first trusted execution environment by the first subnet node loading the first smart contract program in the first trusted execution environment, where the first smart contract program is obtained by the first subnet node decrypting, in the first trusted execution environment, the first smart contract program ciphertext read from outside the first trusted execution environment.
  • That the first smart contract runs in the first trusted execution environment is actually the result of the first subnet node loading the first smart contract program in the first trusted execution environment. Since the first trusted execution environment is essentially a physically isolated execution environment, the programs running in it are all loaded in isolated memory. Therefore, persistent storage is required for programs that temporarily do not need to run in the first trusted execution environment.
  • Any program running in the first trusted execution environment follows the principle of "decryption and loading inside the trusted execution environment, and optional encrypted storage outside the execution environment". Therefore, the first smart contract program is essentially the result of decrypting, inside the first trusted execution environment, the first smart contract program ciphertext read from outside the first trusted execution environment.
  • The first smart contract program ciphertext is obtained by encrypting the first smart contract program with the second public key of the first trusted execution environment and is stored outside the first trusted execution environment. At the same time, it can be decrypted into the first smart contract program through the second private key inside the first trusted execution environment. Smart contracts that, like the first smart contract, are executed in plain text within the trusted execution environment but encrypted and stored outside the trusted execution environment are called privacy contracts.
  • S204: Send the encrypted request to the second subnet node, and receive the encrypted response returned by the second subnet node.
  • The encrypted response is obtained by the second subnet node in the following manner: reading the encrypted request into the second trusted execution environment, decrypting the encrypted request in the second trusted execution environment based on the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, executing the cross-subnet request to generate a corresponding cross-subnet response, and encrypting the cross-subnet response based on the second public key corresponding to the first trusted execution environment to obtain the encrypted response.
  • After the first subnet node encrypts the cross-subnet request in the first trusted execution environment to obtain the encrypted request, it can send the encrypted request to the second subnet node through cross-subnet communication.
  • Cross-subnet communication between subnet nodes in different blockchain subnets is mainly achieved through pre-established network connection links between mainnet nodes deployed on their respective node devices.
  • For example, the node device 3 where the first subnet node nodeC1 in the first blockchain subnet subnet1 is located is also deployed with the mainnet node nodeC in the blockchain mainnet subnet0, and the node device 5 where the second subnet node nodeE2 in the second blockchain subnet subnet2 is located is also deployed with the main network node nodeE in subnet0.
  • When nodeC1 wants to send an encrypted request to nodeE2, the network connection link between nodeC and nodeE, implemented when forming subnet0, has been established in advance, and this network connection link allows node device 3 and node device 5 to communicate with each other. Therefore, nodeC1 can send the encrypted request from node device 3 to node device 5 over the network connection link established between nodeC and nodeE, and the request is finally routed by node device 5 to its locally deployed nodeE2.
  • The network connection link implemented when forming subnet0 is the consensus link established between the mainnet nodes in subnet0 for consensus on transactions and/or the synchronization link for synchronizing blocks.
  • The main network node and the subnet node on the same node device share the blockchain communication plug-in running on the node device, such as a P2P (Peer to Peer) plug-in, and the network connection link implemented when the above-mentioned subnet0 was formed is specifically established by nodeC and nodeE using the P2P plug-ins on node device 3 and node device 5 respectively.
  • In that case, nodeC1 in subnet1 can call the P2P plug-in running locally on node device 3, and use the network connection between the P2P plug-ins of node device 3 and node device 5, implemented when forming subnet0, to send the encrypted request to node device 5, thereby realizing network communication with nodeE2 running on node device 5. Therefore, there is no need to establish a new network connection link between the first blockchain subnet and the second blockchain subnet. Instead, cross-subnet communication between the first subnet node in the first blockchain subnet and the second subnet node in the second blockchain subnet is realized through the pre-established network connection link of the underlying blockchain main network.
  • After the second subnet node receives the encrypted request, the second subnet node will read the encrypted request into the second trusted execution environment it maintains, and in the second trusted execution environment decrypt the encrypted request based on the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request.
  • After obtaining the cross-subnet request, the second subnet node further executes the cross-subnet request in the second trusted execution environment to generate a corresponding cross-subnet response, for example, by calling the second smart contract running in the second trusted execution environment to execute the cross-subnet request; that is, the cross-subnet response is generated by the second smart contract running in the second trusted execution environment executing the cross-subnet request.
  • For example, when the cross-subnet request is to query the specific contract status at a specific block height in the second smart contract, the cross-subnet response will contain the corresponding specific contract status.
  • After the second subnet node obtains the cross-subnet response, likewise for the sake of cross-subnet communication security, it will encrypt the cross-subnet response in the second trusted execution environment based on the second public key corresponding to the first trusted execution environment to obtain the encrypted response, and then output the encrypted response from the second trusted execution environment and call it back to the first subnet node.
  • Even if the encrypted response is captured by a third party while it is transmitted outside the trusted execution environment, the third party will likewise be unable to decrypt it and restore it to a plaintext cross-subnet response due to the lack of the second private key, thereby ensuring the security of the cross-subnet communication process.
  • This encrypted response is also a privacy transaction.
  • The second smart contract is run in the second trusted execution environment by the second subnet node loading the second smart contract program in the second trusted execution environment, where the second smart contract program is obtained by the second subnet node decrypting, in the second trusted execution environment, the second smart contract program ciphertext read from outside the second trusted execution environment.
  • That the second smart contract runs in the second trusted execution environment is actually the result of the second subnet node loading the second smart contract program in the second trusted execution environment. Since the second trusted execution environment is essentially a physically isolated execution environment, all programs running in it are loaded in isolated memory. Therefore, persistent storage is required for programs that do not need to run in the second trusted execution environment for the time being.
  • Any program running in the second trusted execution environment follows the principle of "decryption and loading inside the trusted execution environment, and optional encrypted storage outside the execution environment". Therefore, the second smart contract program is essentially the result of decrypting, inside the second trusted execution environment, the second smart contract program ciphertext read from outside the second trusted execution environment. For example, when the second subnet node receives the encrypted message and decrypts it in the second trusted execution environment to obtain a cross-subnet request, it further finds that the cross-subnet request is a cross-subnet request for calling the second smart contract.
  • The second subnet node can then directly call the second smart contract running in the second trusted execution environment to execute the cross-subnet request; or it can read the second smart contract program ciphertext from outside the second trusted execution environment into the second trusted execution environment, decrypt it into the second smart contract program through the first private key, temporarily load the second smart contract program in the second trusted execution environment so that the second smart contract runs in the second trusted execution environment, and finally call the second smart contract in the running state to execute the cross-subnet request. Similar to the first smart contract, the second smart contract is also a privacy contract.
  • The process of the second subnet node sending an encrypted response to the first subnet node is similar to the process of the first subnet node sending an encrypted request to the second subnet node. Both are based on cross-subnet communication. The detailed process is not repeated here.
  • S206: Read the encrypted response into the first trusted execution environment, and decrypt the encrypted response in the first trusted execution environment based on the second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
  • After the first subnet node receives the encrypted response, it can read it into the first trusted execution environment, and in the first trusted execution environment use the second private key uniquely held by the first trusted execution environment to decrypt the encrypted response and obtain the cross-subnet response. At this point, the embodiments of this specification have completely realized the process of the first subnet node initiating a cross-subnet call to the second subnet node.
  • The first subnet node and the second subnet node are in different blockchain subnets. When a cross-subnet call is made between the first subnet node and the second subnet node, the cross-subnet request or cross-subnet response is encrypted with the public key corresponding to the trusted execution environment, ensuring both the security of the node operation process and the security of the cross-subnet communication process.
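The S202 to S206 exchange described above, sketched as an added Go example (not code from the patent or from any blockchain platform). The page names no cipher, so RSA-OAEP wrapping a one-time AES-256-GCM key is an assumption, as are the `Enclave` and `Envelope` types, the route string format, and the choice to authenticate the retained plaintext fields as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Enclave models a trusted execution environment. Assumption: priv is created
// inside it and never exported; a real TEE enforces that in hardware.
type Enclave struct{ priv *rsa.PrivateKey }

func NewEnclave() (*Enclave, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Enclave{priv: k}, err
}
func (e *Enclave) PublicKey() *rsa.PublicKey { return &e.priv.PublicKey }

// Envelope is everything that leaves an enclave and crosses the P2P link.
type Envelope struct {
	Route      string // fields kept in plaintext for routing (constructed format)
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP under the recipient TEE's key
	Nonce      []byte
	Ciphertext []byte // AES-GCM output; Route is authenticated as associated data
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg for the enclave whose public key is `to`; Route stays readable.
func Seal(to *rsa.PublicKey, route string, msg []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key and 96-bit GCM nonce per message
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, []byte(route))
	return &Envelope{Route: route, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs inside the enclave: unwrap the AES key, then decrypt and verify.
func (e *Enclave) Open(env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, e.priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil || len(env.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("malformed envelope")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Route))
}

// CrossSubnetCall walks S202, S204 and S206 and returns what crossed the wire.
func CrossSubnetCall(tee1, tee2 *Enclave, route string, request []byte,
	contract func([]byte) []byte) ([]byte, []*Envelope, error) {
	encReq, err := Seal(tee2.PublicKey(), route, request) // S202, inside TEE 1
	if err != nil {
		return nil, nil, err
	}
	plainReq, err := tee2.Open(encReq) // S204, inside TEE 2: decrypt the request
	if err != nil {
		return nil, nil, err
	}
	encResp, err := Seal(tee1.PublicKey(), route, contract(plainReq)) // execute, encrypt
	if err != nil {
		return nil, nil, err
	}
	resp, err := tee1.Open(encResp) // S206, inside TEE 1
	return resp, []*Envelope{encReq, encResp}, err
}

func main() {
	tee1, err1 := NewEnclave()
	tee2, err2 := NewEnclave()
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	contract := func(req []byte) []byte { return append([]byte("result for: "), req...) } // constructed
	resp, wire, err := CrossSubnetCall(tee1, tee2, "subnet2/nodeE2", []byte("query balance"), contract)
	fmt.Printf("response=%q envelopes on wire=%d err=%v\n", resp, len(wire), err)
}
```

Encrypting to the recipient enclave's public key provides confidentiality only; it does not by itself tell the second trusted execution environment which node produced the request.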
  • The cross-subnet request includes: a consensus transaction that is jointly executed by all subnet nodes in the second blockchain subnet, or a local transaction that is independently executed only by the second subnet node.
  • The cross-subnet request may be a consensus transaction or a local transaction.
  • When the cross-subnet request is a consensus transaction, after the second subnet node receives the cross-subnet request, the cross-subnet request will go through consensus, execution, block formation and uploading to the blockchain ledger in the second blockchain subnet like an ordinary blockchain transaction. This means that all subnet nodes in the second blockchain subnet (including the second subnet node) will execute the cross-subnet request to generate the corresponding cross-subnet response while changing the world state of the second blockchain subnet, and the corresponding cross-subnet response is returned through one elected subnet node (for example, the second subnet node).
  • The local transactions involved in the embodiments of this specification refer to transactions that do not participate in blockchain consensus, block formation, and on-chain storage, and are only used as an internal calling medium. When the cross-subnet request is a local transaction, after the second subnet node receives the cross-subnet request, the second subnet node will independently execute the cross-subnet request to generate the corresponding cross-subnet response. There is no consensus and no change of the world state; after the execution is completed locally, the cross-subnet response is simply returned to the first subnet node in a callback manner.
  • The embodiments of this specification can thereby limit the calculation amount to within the second subnet node, reducing the overall computational burden of the second blockchain network in responding to cross-subnet requests and improving the execution efficiency of cross-subnet requests.
  • The first subnet node and the second subnet node are deployed on the same or different node devices.
  • Figure 3 is an application scenario diagram based on Figure 1, using nodeC1 as the first subnet node and nodeE2 as the second subnet node. They are deployed as a first subnet node and a second subnet node.
  • nodeC belonging to subnet0, nodeC1 belonging to subnet1, and nodeC2 belonging to subnet2 are simultaneously deployed on node device 3, where nodeC, nodeC1, and nodeC2 are specifically virtual machines deployed locally by node device 3.
  • a blockchain node instance formed by running the pre-deployed blockchain platform code (hereinafter referred to as the blockchain node), and the relevant data of nodeC as a blockchain node during the running process is saved in the database corresponding to nodeC, nodeC1 Relevant data related to nodeC2 as other blockchain nodes during operation are stored separately in the databases corresponding to nodeC1 and nodeC2. Similarly, nodeE belonging to subnet0 and nodeE2 belonging to subnet2 are deployed on node device 5 at the same time.
  • any node device can be deployed with blockchain consensus code, and the node device can run the consensus code to form a consensus component instance locally; the node device can also be deployed with P2P (Peer to Peer) component code managed in the form of plug-ins.
  • the node device can run the P2P component code to form a P2P component instance locally, that is, a P2P plug-in.
  • the P2P plug-in can be shared and used by different blockchain nodes on the same node device.
  • nodeC, nodeC1 and nodeC2 in node device 3 can call the same P2P plug-in running on node device 3 to share its functions and data, for example to implement cross-subnet communication.
  • nodeC1 maintains a first trusted execution environment.
  • the first smart contract deployed by nodeC1 can run in the first trusted execution environment in plain text.
  • nodeE2 also maintains a second trusted execution environment.
  • the second smart contract deployed by nodeE2 can also run in the second trusted execution environment in plain text.
  • cross-subnet communication between the first subnet node and the second subnet node is specifically communication across node devices, and the transmission data may pass through the first subnet node and the second subnet node during the routing process.
  • Figure 4 is an application scenario diagram based on Figure 1, using nodeC1 as the first subnet node and nodeC2 as the second subnet node, in an embodiment where the first subnet node and the second subnet node are deployed on the same node device. nodeC belonging to subnet0, nodeC1 belonging to subnet1, and nodeC2 belonging to subnet2 are simultaneously deployed on node device 3. Node device 3 runs a P2P plug-in locally, and nodeC, nodeC1 and nodeC2 on node device 3 can share the data and functions of the P2P plug-in.
  • multiple trusted execution environments are maintained in the same node device (node device 3), and nodeC1 maintains the first trusted execution environment,
  • the first smart contract deployed by nodeC1 can run in the first trusted execution environment in plain text.
  • nodeC2 also maintains a second trusted execution environment.
  • the second smart contract deployed by nodeC2 can also run in the second trusted execution environment in plain text.
  • the cross-subnet communication between the first subnet node and the second subnet node is specifically cross-process communication within the node device; the transmitted data does not pass through node devices other than the node device on which the first subnet node and the second subnet node are both located, and is transferred between the first subnet node and the second subnet node only through the P2P plug-in running locally on the node device.
  • it also includes: reading the cross-subnet transaction ciphertext into the first trusted execution environment, decrypting the cross-subnet transaction ciphertext in the first trusted execution environment to obtain the cross-subnet transaction, and calling a first smart contract to execute the cross-subnet transaction to generate the cross-subnet request.
  • the cross-subnet request is generated by the first smart contract when executing a cross-subnet transaction; the cross-subnet transaction ciphertext is read from outside the first trusted execution environment and decrypted inside the first trusted execution environment.
  • the transaction initiator can initiate a cross-subnet transaction ciphertext to the first blockchain network, and each subnet node in the first blockchain network (including the first subnet node) performs consensus on and executes the cross-subnet transaction ciphertext.
  • When the first subnet node needs to execute the cross-subnet transaction ciphertext, it first reads the cross-subnet transaction ciphertext into the first trusted execution environment for decryption (for example, decryption based on the second private key) to obtain a cross-subnet transaction. It then either directly calls the first smart contract already running in the first trusted execution environment to execute the cross-subnet transaction, or reads the first smart contract program ciphertext from outside the first trusted execution environment into the first trusted execution environment, decrypts it with the first private key to obtain the first smart contract program, and temporarily loads the first smart contract program in the first trusted execution environment so that the first smart contract runs there; finally, it calls the running first smart contract to execute the cross-subnet transaction and generate the cross-subnet request.
  • the cross-subnet transactions involved in the embodiments of this specification are private transactions.
  • Figure 5 is a flow chart of another cross-subnet calling method provided by an exemplary embodiment.
  • the method is applied to a second subnet node in a second blockchain subnet managed by a blockchain mainnet, the second subnet node maintains a second trusted execution environment, the blockchain mainnet also manages a first blockchain subnet, and the first subnet node in the first blockchain subnet maintains a first trusted execution environment; the method includes S502 to S506.
  • S502 Receive an encrypted request obtained by the first subnet node encrypting a cross-subnet request in the first trusted execution environment based on the first public key corresponding to the second trusted execution environment, wherein the cross-subnet request is generated by the first subnet node running the first smart contract in the first trusted execution environment.
  • S504 Read the encrypted request into the second trusted execution environment, and decrypt the encrypted request in the second trusted execution environment based on the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, execute the cross-subnet request to generate a corresponding cross-subnet response, and encrypt the cross-subnet response based on the second public key corresponding to the first trusted execution environment to obtain an encrypted response.
  • S506 Send the encrypted response to the first subnet node, so that the first subnet node reads the received encrypted response into the first trusted execution environment and, in the first trusted execution environment, decrypts the encrypted response based on the second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
  • Figure 6 is a schematic structural diagram of a device provided by an exemplary embodiment. Please refer to Figure 6.
  • the device includes a processor 602, an internal bus 604, a network interface 606, a memory 608 and a non-volatile memory 610.
  • the processor 602 reads the corresponding computer program from the non-volatile memory 610 into the memory 608 and then runs it.
  • the execution subject of the following processing flow is not limited to logic units and can also be hardware or a logic device.
  • Figure 6 is a block diagram of a cross-subnet calling device provided in this specification according to an exemplary embodiment.
  • This device can be applied to the equipment shown in Figure 6 to implement the technical solution of this specification.
  • the device is applied to the first subnet node in the first blockchain subnet managed by the blockchain main network; the first subnet node maintains a first trusted execution environment, the blockchain main network also manages a second blockchain subnet, and the second subnet node in the second blockchain subnet maintains a second trusted execution environment.
  • the device includes: an encrypted request acquisition unit 701, configured to run the first smart contract in the first trusted execution environment to generate a cross-subnet request, and to encrypt the cross-subnet request in the first trusted execution environment based on the first public key corresponding to the second trusted execution environment to obtain an encrypted request.
  • the request sending unit 702 is configured to send the encrypted request to the second subnet node and receive the encrypted response returned by the second subnet node.
  • the encrypted response is obtained by the second subnet node in the following manner: the encrypted request is read into the second trusted execution environment, the encrypted request is decrypted in the second trusted execution environment based on the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, the cross-subnet request is executed to generate a corresponding cross-subnet response, and the cross-subnet response is encrypted based on the second public key corresponding to the first trusted execution environment to obtain the encrypted response;
  • the encrypted response decryption unit 703 is used to read the encrypted response into the first trusted execution environment, and to decrypt the encrypted response in the first trusted execution environment based on the second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
  • the first smart contract is run by the first subnet node in the first trusted execution environment by loading the first smart contract program in the first trusted execution environment, where the first smart contract program is obtained by the first subnet node decrypting, in the first trusted execution environment, the first smart contract program ciphertext read from outside the first trusted execution environment.
  • the cross-subnet response is generated by the second smart contract running in the second trusted execution environment executing the cross-subnet request.
  • the second smart contract is run in the second trusted execution environment by the second subnet node by loading the second smart contract program in the second trusted execution environment, where the second smart contract program is obtained by the second subnet node decrypting, in the second trusted execution environment, the second smart contract program ciphertext read from outside the second trusted execution environment.
  • the cross-subnet request includes: a consensus transaction that is jointly executed by all subnet nodes in the second blockchain subnet, or a local transaction that is independently executed only by the second subnet node.
  • the first subnet node and the second subnet node are deployed on the same or different node devices.
  • a cross-subnet transaction execution unit 704, configured to read the cross-subnet transaction ciphertext into the first trusted execution environment, decrypt the cross-subnet transaction ciphertext in the first trusted execution environment to obtain the cross-subnet transaction, and call the first smart contract to execute the cross-subnet transaction to generate the cross-subnet request.
  • Figure 8 is a block diagram of another cross-subnet calling device provided in this specification according to an exemplary embodiment.
  • This device can be applied to the equipment shown in Figure 6 to implement the technical solution of this specification; the device is applied to a second subnet node in a second blockchain subnet managed by the blockchain main network, and the second subnet node maintains a second trusted execution environment.
  • the blockchain main network also manages a first blockchain subnet, and the first subnet node in the first blockchain subnet maintains a first trusted execution environment; the device includes: an encrypted request receiving unit 801, used to receive the encrypted request obtained by the first subnet node encrypting the cross-subnet request in the first trusted execution environment based on the first public key corresponding to the second trusted execution environment, wherein the cross-subnet request is generated by the first subnet node running the first smart contract in the first trusted execution environment;
  • the encrypted response acquisition unit 802 is used to read the encrypted request into the second trusted execution environment, decrypt the encrypted request in the second trusted execution environment based on the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, execute the cross-subnet request to generate a corresponding cross-subnet response, and encrypt the cross-subnet response based on the second public key corresponding to the first trusted execution environment to obtain an encrypted response;
  • the encrypted response sending unit 803 is used to send the encrypted response to the first subnet node, so that the first subnet node reads the received encrypted response into the first trusted execution environment and decrypts the encrypted response in the first trusted execution environment based on the second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
  • PLD Programmable Logic Device
  • FPGA Field Programmable Gate Array
  • HDL Hardware Description Language
  • the controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), programmable logic controllers and embedded microcontrollers.
  • examples of controllers include but are not limited to the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320; the memory controller can also be implemented as part of the memory's control logic.
  • in addition to implementing the controller purely as computer-readable program code, the method steps can be logically programmed so that the controller achieves the same function in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Therefore, this controller can be considered as a hardware component, and the devices included therein for implementing various functions can also be considered as structures within the hardware component. Or even, the means for implementing various functions can be considered as structures within hardware components as well as software modules implementing the methods.
  • the systems, devices, modules or units described in the above embodiments may be implemented by computer chips or entities, or by products with certain functions.
  • a typical implementation device is a server system.
  • the computer that implements the functions of the above embodiments may be, for example, a personal computer, a laptop computer, a vehicle-mounted human-computer interaction device, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet, a wearable device, or a combination of any of these devices.
  • the functions are divided into various modules and described separately.
  • the functions of each module can be implemented in the same or multiple software and/or hardware, or the modules that implement the same function can be implemented by a combination of multiple sub-modules or sub-units, etc.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another system, or some features can be ignored or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • These computer program instructions may also be stored in a computer-readable memory that causes a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, and the instruction means implements the functions specified in a process or processes of the flowchart and/or a block or blocks of the block diagram.
  • These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operating steps to be performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in a process or processes of a flowchart and/or a block or blocks of a block diagram.
  • a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • Memory may include non-permanent storage in computer-readable media, random access memory (RAM) and/or non-volatile memory in the form of read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
  • Computer-readable media includes both persistent and non-volatile, removable and non-removable media that can be implemented by any method or technology for storage of information.
  • Information may be computer-readable instructions, data structures, modules of programs, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD), magnetic tape storage, graphene storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
  • computer-readable media does not include transitory media, such as modulated data signals and carrier waves.
  • one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment that combines software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • One or more embodiments of this specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer.
  • program modules include routines, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types.
  • One or more embodiments of the present specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices connected through a communications network.
  • program modules may be located in both local and remote computer storage media including storage devices.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Data Mining & Analysis (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

The present description provides a cross-subnet calling method and apparatus, an electronic device, and a storage medium. The method is applied to a first subnet node in a first blockchain subnet managed by a blockchain mainnet; the first subnet node maintains a first trusted execution environment, the blockchain mainnet also manages a second blockchain subnet, and a second subnet node in the second blockchain subnet maintains a second trusted execution environment. The method comprises: running a first smart contract in the first trusted execution environment to generate a cross-subnet request and encrypting same to obtain an encrypted request; sending the encrypted request to the second subnet node, and receiving an encrypted response returned by the second subnet node, the encrypted response being obtained by the second subnet node by means of the following approach: reading the encrypted request into the second trusted execution environment for decryption to obtain the cross-subnet request, executing the cross-subnet request to generate a corresponding cross-subnet response, and encrypting same to obtain the encrypted response; and reading the encrypted response into the first trusted execution environment for decryption to obtain the cross-subnet response.

Description

Cross-subnet calling
Technical field
The embodiments of this specification belong to the field of blockchain technology, and in particular relate to a cross-subnet calling method and apparatus, an electronic device, and a storage medium.
Background
Blockchain is a new application model of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms, and encryption algorithms. In a blockchain system, data blocks are linked sequentially in chronological order into a chained data structure, forming a distributed ledger that is cryptographically guaranteed to be tamper-proof and unforgeable. Because blockchain is decentralized, tamper-resistant, and autonomous, it has received increasing attention and use.
In some blockchain networks, some nodes sometimes need to conduct transactions within a small scope so that other nodes cannot obtain these transactions and their related data; this can be achieved by further establishing blockchain subnets on top of the blockchain mainnet. When multiple blockchain subnets are established on the blockchain mainnet, different blockchain subnets need to make cross-subnet calls to one another.
Summary of the invention
The purpose of the present invention is to provide a cross-subnet calling method and apparatus, an electronic device, and a storage medium.
According to a first aspect of one or more embodiments of this specification, a cross-subnet calling method is proposed, applied to a first subnet node in a first blockchain subnet managed by a blockchain mainnet, where the first subnet node maintains a first trusted execution environment, the blockchain mainnet also manages a second blockchain subnet, and a second subnet node in the second blockchain subnet maintains a second trusted execution environment. The method includes: running a first smart contract in the first trusted execution environment to generate a cross-subnet request, and encrypting the cross-subnet request in the first trusted execution environment based on a first public key corresponding to the second trusted execution environment to obtain an encrypted request; sending the encrypted request to the second subnet node and receiving an encrypted response returned by the second subnet node, the encrypted response being obtained by the second subnet node as follows: reading the encrypted request into the second trusted execution environment, decrypting the encrypted request in the second trusted execution environment based on a first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, executing the cross-subnet request to generate a corresponding cross-subnet response, and encrypting the cross-subnet response based on a second public key corresponding to the first trusted execution environment to obtain the encrypted response; and reading the encrypted response into the first trusted execution environment and decrypting the encrypted response in the first trusted execution environment based on a second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
According to a second aspect of one or more embodiments of this specification, a cross-subnet calling method is proposed, applied to a second subnet node in a second blockchain subnet managed by a blockchain mainnet, where the second subnet node maintains a second trusted execution environment, the blockchain mainnet also manages a first blockchain subnet, and a first subnet node in the first blockchain subnet maintains a first trusted execution environment. The method includes: receiving an encrypted request obtained by the first subnet node encrypting a cross-subnet request in the first trusted execution environment based on a first public key corresponding to the second trusted execution environment, where the cross-subnet request is generated by the first subnet node running a first smart contract in the first trusted execution environment; reading the encrypted request into the second trusted execution environment, decrypting the encrypted request in the second trusted execution environment based on a first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, executing the cross-subnet request to generate a corresponding cross-subnet response, and encrypting the cross-subnet response based on a second public key corresponding to the first trusted execution environment to obtain an encrypted response; and sending the encrypted response to the first subnet node, so that the first subnet node reads the received encrypted response into the first trusted execution environment and decrypts the encrypted response in the first trusted execution environment based on a second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
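The request/response exchange of the first and second aspects above, as an added Go example that is not code from the patent or its applicant. The patent names no algorithms: RSA-OAEP wrapping a one-time AES-256-GCM key, the direction labels, and every type and function name here (`Enclave`, `Envelope`, `BuildRequest`, `HandleRequest`, `ReadResponse`) are assumptions, and `Enclave` only models a TEE boundary in ordinary process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Direction labels (an assumption, not in the patent) bind an envelope to one direction.
var reqLabel, respLabel = []byte("cross-subnet-request"), []byte("cross-subnet-response")

// Enclave is a constructed stand-in for a TEE; the private key never leaves it.
type Enclave struct{ priv *rsa.PrivateKey }

func NewEnclave() *Enclave {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Enclave{priv: k}
}

func (e *Enclave) PublicKey() *rsa.PublicKey { return &e.priv.PublicKey }

// Envelope is all that the untrusted host or P2P plug-in ever handles.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP under the recipient's key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over the request or response
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext so only the enclave whose private key matches `to` can read it.
func seal(to *rsa.PublicKey, label, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES key followed by a GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, werr := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, label)
	gcm, gerr := newGCM(key)
	if werr != nil || gerr != nil {
		return nil, fmt.Errorf("seal: %v %v", werr, gerr)
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, label)}, nil
}

// open runs inside the enclave and fails on a wrong key, label or tampering.
func (e *Enclave) open(env *Envelope, label []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, e.priv, env.WrappedKey, label)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil || len(env.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("malformed envelope")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, label)
}

// BuildRequest: the first TEE encrypts under the second TEE's "first public key".
func (e *Enclave) BuildRequest(secondPub *rsa.PublicKey, call []byte) (*Envelope, error) {
	return seal(secondPub, reqLabel, call)
}

// HandleRequest: the second TEE decrypts with its "first private key", executes the
// request, and encrypts the response under the first TEE's "second public key".
func (e *Enclave) HandleRequest(req *Envelope, firstPub *rsa.PublicKey, exec func([]byte) []byte) (*Envelope, error) {
	call, err := e.open(req, reqLabel)
	if err != nil {
		return nil, err
	}
	return seal(firstPub, respLabel, exec(call))
}

// ReadResponse: the first TEE decrypts with its "second private key".
func (e *Enclave) ReadResponse(resp *Envelope) ([]byte, error) { return e.open(resp, respLabel) }

func main() {
	first, second := NewEnclave(), NewEnclave()
	// Hypothetical stand-in for the second smart contract.
	exec := func(c []byte) []byte { return append([]byte("executed:"), c...) }
	req, err := first.BuildRequest(second.PublicKey(), []byte("query(item-1)")) // constructed call
	if err != nil {
		panic(err)
	}
	resp, err := second.HandleRequest(req, first.PublicKey(), exec)
	if err != nil {
		panic(err)
	}
	out, err := first.ReadResponse(resp)
	fmt.Printf("%s %v\n", out, err)
}
```

The example covers confidentiality and integrity of the envelope in transit only; how each enclave obtains and comes to trust the other's public key (for example through remote attestation) is outside what it shows.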
According to a third aspect of one or more embodiments of this specification, a cross-subnet calling apparatus is proposed, applied to a first subnet node in a first blockchain subnet managed by a blockchain mainnet, where the first subnet node maintains a first trusted execution environment, the blockchain mainnet also manages a second blockchain subnet, and a second subnet node in the second blockchain subnet maintains a second trusted execution environment. The apparatus includes: an encrypted request acquisition unit, configured to run a first smart contract in the first trusted execution environment to generate a cross-subnet request, and to encrypt the cross-subnet request in the first trusted execution environment based on a first public key corresponding to the second trusted execution environment to obtain an encrypted request; an encrypted request sending unit, configured to send the encrypted request to the second subnet node and receive an encrypted response returned by the second subnet node, the encrypted response being obtained by the second subnet node as follows: reading the encrypted request into the second trusted execution environment, decrypting the encrypted request in the second trusted execution environment based on a first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, executing the cross-subnet request to generate a corresponding cross-subnet response, and encrypting the cross-subnet response based on a second public key corresponding to the first trusted execution environment to obtain the encrypted response; and an encrypted response decryption unit, configured to read the encrypted response into the first trusted execution environment and decrypt the encrypted response in the first trusted execution environment based on a second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
According to a fourth aspect of one or more embodiments of this specification, a cross-subnet calling apparatus is proposed, applied to a second subnet node in a second blockchain subnet managed by a blockchain mainnet, where the second subnet node maintains a second trusted execution environment, the blockchain mainnet also manages a first blockchain subnet, and a first subnet node in the first blockchain subnet maintains a first trusted execution environment. The apparatus includes: an encrypted request receiving unit, configured to receive an encrypted request obtained by the first subnet node encrypting a cross-subnet request in the first trusted execution environment based on a first public key corresponding to the second trusted execution environment, where the cross-subnet request is generated by the first subnet node running a first smart contract in the first trusted execution environment; an encrypted response acquisition unit, configured to read the encrypted request into the second trusted execution environment, decrypt the encrypted request in the second trusted execution environment based on a first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, execute the cross-subnet request to generate a corresponding cross-subnet response, and encrypt the cross-subnet response based on a second public key corresponding to the first trusted execution environment to obtain an encrypted response; and an encrypted response sending unit, configured to send the encrypted response to the first subnet node, so that the first subnet node reads the received encrypted response into the first trusted execution environment and decrypts the encrypted response in the first trusted execution environment based on a second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
According to a fifth aspect of one or more embodiments of this specification, an electronic device is provided, including: a processor; and a memory for storing processor-executable instructions; wherein the processor runs the executable instructions to implement the method of any one of the first aspect and the second aspect.
According to a sixth aspect of one or more embodiments of this specification, a computer-readable storage medium is provided, on which computer instructions are stored; when the instructions are executed by a processor, the steps of the method of any one of the first aspect and the second aspect are implemented.
In the embodiments of this specification, the first subnet node and the second subnet node belong to different blockchain subnets. When a cross-subnet call is made between the first subnet node and the second subnet node, maintaining a corresponding trusted execution environment on each of the two nodes ensures the security of each node while it runs, and each node can encrypt the cross-subnet request or cross-subnet response for transmission using the public key corresponding to the other party's trusted execution environment, which ensures the security of the cross-subnet communication. The security of node operation and the security of cross-subnet communication work together to achieve system-level security for the entire cross-subnet calling process.
Description of the Drawings
To explain the technical solutions of the embodiments of this specification more clearly, the drawings used in the description of the embodiments are briefly introduced below. Evidently, the drawings described below are only some of the embodiments recorded in this specification, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is a schematic diagram of building a blockchain subnet based on a blockchain main network, according to an exemplary embodiment.
Figure 2 is a flowchart of a cross-subnet calling method according to an exemplary embodiment.
Figure 3 is an application scenario diagram of a cross-subnet calling method according to an exemplary embodiment.
Figure 4 is an application scenario diagram of another cross-subnet calling method according to an exemplary embodiment.
Figure 5 is a flowchart of another cross-subnet calling method according to an exemplary embodiment.
Figure 6 is a schematic structural diagram of a device according to an exemplary embodiment.
Figure 7 is a block diagram of a cross-subnet calling apparatus according to an exemplary embodiment.
Figure 8 is a block diagram of another cross-subnet calling apparatus according to an exemplary embodiment.
Detailed Description
To help those skilled in the art better understand the technical solutions in this specification, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of this specification. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in this specification without creative effort shall fall within the scope of protection of this specification.
Because a blockchain network is decentralized, all blockchain nodes in the network maintain the same block data, which cannot satisfy the special needs of some nodes. Take a consortium chain as an example: all consortium members (that is, the node members within the consortium) can form a blockchain network, each consortium member has a corresponding blockchain node in that network, and through that node each member can obtain all transactions and related data that occur on the network. In some cases, however, some consortium members may want to carry out transactions that have confidentiality requirements: they want these transactions to be recorded as evidence on a blockchain, or to benefit from other advantages of blockchain technology, while preventing other consortium members from viewing the transactions and related data. These consortium members could form an additional new blockchain network, built in a way similar to the network containing all consortium members, but building a new blockchain network from scratch consumes a large amount of resources, and both building the network and configuring it afterwards are very time-consuming. The needs among consortium members are often temporary or time-limited, so a newly built blockchain network soon loses its reason to exist once the need disappears, which further increases the cost of building such a chain. The needs among consortium members also change frequently, and the members involved in each need are often different, so a new blockchain network may have to be formed whenever the set of members changes, wasting a great deal of resources and time.
For this reason, an already established blockchain network can be used as a blockchain main network, and blockchain subnets can be built on top of it. In a consortium chain scenario such as the one above, consortium members who already participate in the blockchain main network can build the blockchain subnets they need on top of the main network according to their own requirements. Because a blockchain subnet is built on the basis of the blockchain main network, building it consumes far fewer resources and far less time than building a completely independent blockchain network, and is highly flexible.
The process of quickly building a blockchain subnet based on the blockchain main network is as follows: each blockchain node in the blockchain main network obtains a transaction for building a blockchain subnet, where the transaction contains configuration information of the blockchain subnet, and the configuration information includes identity information of the node members participating in building the blockchain subnet; each blockchain node in the blockchain main network executes the transaction to expose the configuration information; and when the configuration information contains the identity information of the node member corresponding to a first blockchain node, the node device on which the first blockchain node is deployed starts, based on a genesis block containing the configuration information, a second blockchain node belonging to the blockchain subnet.
Take Figure 1 as an example. The blockchain main network is subnet0, and the blockchain nodes in subnet0 are nodeA, nodeB, nodeC, nodeD, nodeE, and so on. Suppose nodeA, nodeB, nodeC and nodeD want to build a blockchain subnet. If nodeA is the administrator and only the administrator is allowed to initiate a transaction for building a blockchain subnet, nodeA can initiate that transaction to subnet0. If nodeE is the administrator and only the administrator is allowed to initiate such a transaction, nodeA~nodeD need to make a request to nodeE so that nodeE initiates the transaction to subnet0. If nodeE is the administrator but ordinary users are also allowed to initiate such a transaction, any of nodeA~nodeE can initiate the transaction to subnet0. Of course, whether it is an administrator or an ordinary user, the blockchain node that initiates the transaction does not necessarily participate in the blockchain subnet that is built. For example, although the blockchain subnet is ultimately formed by nodeA, nodeB, nodeC and nodeD, the transaction can be initiated to subnet0 by nodeE and need not be initiated by nodeA~nodeD.
When a blockchain subnet is built on top of a blockchain main network, it is easy to see that a logical hierarchy exists between the two. For example, when the blockchain subnet subnet1 is built on subnet0 shown in Figure 1, subnet0 can be regarded as being on the first layer and subnet1 on the second layer. In one case, the blockchain main network in this specification is an underlying blockchain network, that is, it is not itself a blockchain subnet built on top of another blockchain network; subnet0 in Figure 1 can be regarded as a blockchain main network of this underlying type. In another case, the blockchain main network in this specification can itself be a subnet of another blockchain network. For example, a further blockchain subnet can be built on top of subnet1 in Figure 1; subnet1 is then the blockchain main network for that subnet, which does not change the fact that subnet1 is also a blockchain subnet created on subnet0. The terms blockchain main network and blockchain subnet are therefore relative: the same blockchain network can be a main network in some cases and a subnet in others.
After the transaction for building a blockchain subnet is sent to the blockchain main network, the consensus nodes in the main network perform consensus on it, and once consensus is reached each main network node executes the transaction to complete the building of the blockchain subnet. The consensus process depends on the consensus mechanism used, which this specification does not limit.
The configuration information included in the transaction for building a blockchain subnet can be used to configure the subnet being built so that it meets the networking requirements. For example, including the identity information of node members in the configuration information specifies which blockchain nodes the subnet contains.
The identity information of a node member can include the node's public key, or other information that can represent the node's identity such as a node ID; this specification does not limit this. Taking the public key as an example, each blockchain node has one or more public-private key pairs; the node holds the private key, while the public key is published and corresponds uniquely to that private key, so the public key can represent the identity of the blockchain node. Therefore, for blockchain nodes that are to become node members of the blockchain subnet, their public keys can be added to the transaction for building the blockchain subnet as the identity information of the node members. These key pairs can be used for signature verification. For example, in a consensus algorithm that uses signatures, nodeA1 on subnet1 signs a message with the private key it maintains and broadcasts the signed message in subnet1; nodeB1, nodeC1 and nodeD1 can then verify the signature on the received message with nodeA1's public key to confirm that the message really comes from nodeA1 and has not been tampered with.
The first main network node can be a blockchain node on the blockchain main network that is one of the node members indicated by the configuration information. When the blockchain subnet is built, the first main network node does not itself join the subnet and become a node member of it. Instead, the node device on which the first main network node is deployed generates a first subnet node, and the first subnet node becomes a node member of the blockchain subnet. The first main network node and the first subnet node correspond to the same blockchain member (in a consortium chain scenario, to the same consortium chain member), but the first main network node belongs to the blockchain main network and the first subnet node belongs to the blockchain subnet, so the blockchain member can take part in the transactions of both networks. Moreover, because the blockchain main network and the blockchain subnet are two mutually independent blockchain networks, the blocks generated by the first main network node and the blocks generated by the first subnet node are stored in different storage on the node device (the storage can be, for example, a database), which isolates the storage used by the first main network node from the storage used by the first subnet node. The data generated on the blockchain subnet is therefore synchronized only among the subnet's node members, and blockchain members that participate only in the blockchain main network cannot obtain it. This achieves data isolation between the blockchain main network and the blockchain subnet and meets the transaction needs among a subset of blockchain members (those participating in the blockchain subnet).
The first main network node and the first subnet node are thus logically separate blockchain nodes; from the point of view of physical equipment, the node device on which both are deployed participates in both the blockchain main network and the blockchain subnet. Because the blockchain main network and the blockchain subnet are independent of each other, their identity systems are also independent, so even if the first main network node and the first subnet node use exactly the same public key, they should still be regarded as different blockchain nodes. In Figure 1, for example, nodeA in subnet0 corresponds to the first main network node, and the node device on which nodeA is deployed generates nodeA1, which belongs to subnet1 and corresponds to the first subnet node. Since the identity systems are independent, the solution in this specification also works if the first subnet node uses a public key different from that of the first main network node.
Of course, the node members of a blockchain subnet are not necessarily only a subset of the node members of the blockchain main network. In some cases, the node members of the blockchain subnet can be exactly the same as those of the blockchain main network. All blockchain members can then obtain the data on both networks, but the data generated on the blockchain main network and on the blockchain subnet can still be isolated from each other. For example, one type of business can be implemented on the blockchain main network and another type on the blockchain subnet, so that the business data generated by the two types of business is kept separate.
In addition to the identity information of the node members, the configuration information can also include at least one of the following: the network identifier of the blockchain subnet, the identity information of the administrator of the blockchain subnet, the attribute configuration for the blockchain platform code, and so on; this specification does not limit this. The network identifier uniquely identifies the blockchain subnet, so it must differ from the identifiers of the blockchain main network and of the other blockchain subnets built on that main network. The identity information of the administrator of the blockchain subnet can be, for example, the public key of the node member acting as administrator; the administrators of the blockchain main network and the blockchain subnet can be the same or different.
One advantage of building a blockchain subnet through a blockchain main network is that, because the first main network node is already deployed on the node device that generates the first subnet node, the blockchain platform code used by the first main network node can be reused by the first subnet node. This avoids deploying the blockchain platform code again and greatly improves the efficiency of building the subnet. If the configuration information does not contain an attribute configuration for the blockchain platform code, the first subnet node can reuse the attribute configuration used by the first main network node; if the configuration information does contain one, the first subnet node can use it, so that its attribute configuration is independent of, and not constrained by, that of the first main network node. The attribute configuration for the blockchain platform code can include at least one of the following: code version number, whether consensus is required, consensus algorithm type, block size, and so on; this specification does not limit this.
Transactions for building a blockchain subnet include transactions that call a contract. Such a transaction can specify the address of the smart contract being called, the method being called, and the parameters passed in. For example, the contract called can be the aforementioned genesis contract or system contract, the method called can be the method for building a blockchain subnet, and the parameters passed in can include the configuration information described above. In one embodiment, the transaction can contain the following information:
from: Administrator
to: Subnet
method: AddSubnet(string)
string: genesis
Here, the from field carries information about the initiator of the transaction; for example, Administrator indicates that the initiator is the administrator. The to field is the address of the smart contract being called; for example, if the smart contract is the Subnet contract, the to field is the address of the Subnet contract. The method field is the method being called; for example, the method in the Subnet contract for building a blockchain subnet can be AddSubnet(string), where string is the parameter of the AddSubnet() method. In the example above, genesis represents the value of this parameter, and genesis is the configuration information described earlier.
Take as an example the nodes nodeA~nodeE on Subnet0 executing a transaction that calls the AddSubnet() method in the Subnet contract. After the transaction passes consensus, nodeA~nodeE each execute the AddSubnet() method with the configuration information passed in, and obtain the corresponding execution result.
After executing a transaction that calls a smart contract, a node in the blockchain network generates a corresponding receipt that records information related to the execution of the smart contract. Information about the contract execution result can therefore be obtained by querying the transaction's receipt. The contract execution result can appear as events in the receipt. A message mechanism can pass messages through the events in receipts to trigger blockchain nodes to perform corresponding processing. The structure of the events can be, for example:
Event:
[topic][data]
[topic][data]
......
In the example above, there can be one or more events, and each event includes fields such as a topic and data. A blockchain node can listen for event topics and, when it detects a predefined topic, perform preset processing, or read the relevant content from the data field of the corresponding event and perform preset processing based on what it read.
In the event mechanism above, a client with a listening function exists at the listening party (for example, a user with a listening requirement); the client runs, for example, an SDK that implements the listening function, and listens for the events generated by blockchain nodes, while the blockchain nodes only need to generate receipts as usual. Transaction information can also be exposed in ways other than the event mechanism. For example, listening code can be embedded in the blockchain platform code run by a blockchain node, so that the listening code can monitor one or more kinds of data, such as the content of blockchain transactions, the contract state of smart contracts, and the receipts generated by contracts, and send the monitored data to a predefined listening party. Because the listening code is deployed in the blockchain platform code rather than at the listening party's client, this approach is more proactive than the event mechanism. The listening code can be added to the blockchain platform code by the platform's developers during development, or embedded by the listening party according to its own needs; this specification does not limit this.
The execution result of the Subnet contract can thus include the configuration information. The execution result can be in the receipt described above, and the receipt can contain an event related to the execution of the AddSubnet() method, that is, a networking event. The topic of a networking event can contain a predefined networking event identifier to distinguish it from other events. For example, in the event related to the execution of the AddSubnet() method, the content of the topic is the keyword subnet, which differs from the topics of events generated by other methods. By listening to the topic of each event in the generated receipt, nodeA~nodeE can determine, when they detect a topic containing the keyword subnet, that they have detected the event related to the execution of the AddSubnet() method, that is, the networking event. For example, the events in the receipt are as follows:
Event:
[topic:other][data]
[topic:subnet][data]
......
When nodeA~nodeE detect the first event, its topic is other, so they determine that the event is unrelated to the AddSubnet() method. When nodeA~nodeE detect the second event, its topic is subnet, so they determine that the event is related to the AddSubnet() method and read the event's data field, which contains the configuration information. Taking the case where the configuration information includes the public keys of the node members of the blockchain subnet, the content of the data field can include, for example:
{subnet1;
nodeA's public key, nodeA's IP, nodeA's port number…;
nodeB's public key, nodeB's IP, nodeB's port number…;
nodeC's public key, nodeC's IP, nodeC's port number…;
nodeD's public key, nodeD's IP, nodeD's port number…;
}
Here, subnet1 is the network identifier of the blockchain subnet to be created. Each blockchain node in the blockchain main network may record the network identifiers of all blockchain subnets already created on the blockchain main network, or other information related to these blockchain subnets. This information may, for example, be maintained in the Subnet contract described above, and may specifically correspond to the values of one or more contract states of that Subnet contract. nodeA~nodeE can then determine, from the recorded network identifiers of all created blockchain subnets, whether subnet1 already exists: if it does not, subnet1 is a new blockchain subnet that needs to be created now; if it does, subnet1 already exists.
Instead of the network identifier of the new blockchain subnet to be created, a predefined new-network identifier may be used, which indicates that the corresponding networking event is for forming a new blockchain subnet. For example, subnet1 above can be replaced with newsubnet, a predefined new-network identifier. When nodeA~nodeE recognize that the data field contains newsubnet, they can determine that the event containing newsubnet is a networking event and that a new blockchain subnet needs to be created.
Besides the network identifier subnet1, the data field also contains the identity information of each node member, among other content. The node device on which the first main network node is deployed may listen to the generated receipts and, when it detects the networking event and the content of the networking event indicates that the first main network node is one of the node members, obtain the configuration information or genesis block contained in the networking event. Alternatively, the first blockchain node may listen to the generated receipts and, when it detects the networking event and the content of the networking event indicates that the first blockchain node is one of the node members, trigger the node device on which the first blockchain node is deployed to obtain the configuration information or the genesis block contained in the networking event.
As described above, a node device can listen to receipts directly. Assume that nodeA~nodeE are deployed on node devices 1~5 respectively and that node devices 1~5 can listen to the receipts generated by nodeA~nodeE respectively. When they detect that subnet1 is a blockchain subnet that needs to be newly formed, node devices 1~5 further examine the identity information of the node members in the data field to decide how to proceed. Taking nodeA and node device 1 as an example: if node device 1 finds that the data field contains identity information such as nodeA's public key, IP address and port number, then node device 1, having obtained the configuration information from the data field through the message mechanism described above, generates a genesis block containing that configuration information and deploys nodeA1 locally; nodeA1 then loads the generated genesis block and thereby becomes a subnet node of subnet1. Similarly, node device 2 can generate nodeB1, node device 3 can generate nodeC1, and node device 4 can generate nodeD1. Node device 5, in contrast, finds that none of the identity information in the data field matches its own, so it neither generates a genesis block from the configuration information in the data field nor generates a blockchain node in subnet1.
As described above, the blockchain nodes in the blockchain main network can also listen to receipts and, depending on what they detect, trigger their node devices to perform the relevant processing. For example, once nodeA~nodeE determine that subnet1 is a blockchain subnet that needs to be newly formed, they further examine the identity information of the node members in the data field to decide how to proceed. nodeA~nodeD find that the data field contains their own identity information, such as public key, IP address and port number. Assume nodeA~nodeD are deployed on node devices 1~4 respectively, and take nodeA and node device 1 as an example: nodeA triggers node device 1, so that node device 1 obtains the configuration information from the data field through the message mechanism described above and generates a genesis block containing that configuration information; node device 1 then deploys nodeA1 locally, and nodeA1 loads the generated genesis block and thereby becomes one subnet node of subnet1. Similarly, nodeB triggers node device 2 to generate nodeB1, nodeC triggers node device 3 to generate nodeC1, and nodeD triggers node device 4 to generate nodeD1. nodeE, in contrast, finds that none of the identity information in the data field matches its own. Assuming nodeE is deployed on node device 5, node device 5 neither generates a genesis block from the configuration information in the data field nor generates a node in subnet1.
As described above, the first main network node and the first subnet node do not necessarily use the same identity information. In the above embodiments, the data field may therefore contain identity information generated in advance for nodeA1~nodeD1 that differs from the identity information of nodeA~nodeD. Again taking nodeA and node device 1 as an example: if node device 1 finds the identity information of nodeA1 in the data field, it can generate the genesis block and deploy nodeA1, and nodeA1 loads the genesis block; alternatively, if nodeA finds the identity information of nodeA1 in the data field, nodeA triggers node device 1 to generate the genesis block and deploy nodeA1, and nodeA1 loads the genesis block. The other blockchain nodes and node devices proceed in a similar way, which is not repeated here.
Besides the configuration information, the execution result of the contract may include the genesis block. In other words, instead of only carrying the configuration information in the data field, a genesis block containing the configuration information can be generated directly while the contract call is executed and placed in the data field. For nodeA~nodeD above, the corresponding node devices 1~4 can then obtain the genesis block directly from the data field through the message mechanism without generating it themselves, which can improve the efficiency of deploying nodeA1~nodeD1.
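The listening logic described above (filter on the topic, check whether the subnet identifier is already recorded, then check membership), as an added example that is not part of the patent text or of any product's code. The semicolon and comma encoding of the data field, the Action names, and the sample keys and addresses are assumptions constructed for illustration; treating an unparseable data field as "ignore" is a hardening choice of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Member is one node entry in the data field of a networking event.
type Member struct{ PubKey, IP, Port string }

// Event is one receipt entry: a topic and its data field.
type Event struct{ Topic, Data string }

// Action is what a node device does after inspecting one event.
type Action int

const (
	Ignore        Action = iota // other topic, or data that does not parse
	AlreadyExists               // subnet identifier is already recorded
	NotMember                   // new subnet, this device's node is not listed
	DeployNode                  // new subnet, this device's node is a member
)

// parseData reads the constructed form "{id; pub,ip,port; pub,ip,port;}".
func parseData(data string) (string, []Member, error) {
	body := strings.TrimSpace(data)
	if len(body) < 2 || !strings.HasPrefix(body, "{") || !strings.HasSuffix(body, "}") {
		return "", nil, errors.New("data field is not brace-delimited")
	}
	parts := strings.Split(body[1:len(body)-1], ";")
	id := strings.TrimSpace(parts[0])
	if id == "" {
		return "", nil, errors.New("missing subnet identifier")
	}
	var members []Member
	for _, p := range parts[1:] {
		if p = strings.TrimSpace(p); p == "" {
			continue
		}
		f := strings.Split(p, ",")
		if len(f) != 3 {
			return "", nil, fmt.Errorf("bad member entry %q", p)
		}
		members = append(members, Member{strings.TrimSpace(f[0]), strings.TrimSpace(f[1]), strings.TrimSpace(f[2])})
	}
	if len(members) == 0 {
		return "", nil, errors.New("no node members listed")
	}
	return id, members, nil
}

// Decide applies the page's checks in order: topic keyword, known subnet
// identifiers (skipped for the predefined "newsubnet"), then membership.
func Decide(ev Event, known map[string]bool, self Member) (Action, string) {
	if ev.Topic != "subnet" {
		return Ignore, ""
	}
	id, members, err := parseData(ev.Data)
	if err != nil {
		return Ignore, "" // never deploy from a partially parsed event
	}
	if id != "newsubnet" && known[id] {
		return AlreadyExists, id
	}
	for _, m := range members {
		if m == self { // public key, IP and port must all match
			return DeployNode, id
		}
	}
	return NotMember, id
}

// SampleReceipt returns constructed events in the shape shown above.
func SampleReceipt() []Event {
	return []Event{
		{"other", "{unrelated}"},
		{"subnet", "{subnet1; pkA,10.0.0.1,30001; pkB,10.0.0.2,30001; pkC,10.0.0.3,30001; pkD,10.0.0.4,30001;}"},
		{"subnet", "{subnet0; pkA,10.0.0.1,30001;}"},
		{"subnet", "{subnet9; pkA,10.0.0.1}"},
	}
}

func main() {
	known := map[string]bool{"subnet0": true}
	nodeA := Member{"pkA", "10.0.0.1", "30001"}
	for i, ev := range SampleReceipt() {
		act, id := Decide(ev, known, nodeA)
		fmt.Printf("event %d: action=%d subnet=%q\n", i+1, act, id)
	}
}
```

Because the comparison covers the public key as well as the address, an entry that reuses a member's IP and port under a different key does not cause a deployment.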
A node device deploys a blockchain node on itself by creating, in a process, an instance that runs the blockchain platform code. The first main network node is formed by a first instance that the node device creates in that process and that runs the blockchain platform code. Similarly, the first subnet node is formed by a second instance, distinct from the first instance, that the node device creates in that process and that runs the blockchain platform code. For example, the node device may first create the first instance in the process to form the first blockchain node in the blockchain main network; when the node member corresponding to that node device wishes to take part in forming a blockchain subnet, a second instance, distinct from the first instance, can be created in the same process, and this second instance forms the second blockchain node in the blockchain subnet. When the first instance and the second instance are in the same process, no cross-process interaction is involved, which can make the first subnet node easier to deploy and improve deployment efficiency. The second instance may also be in a different process on the node device from the first instance, and this specification does not limit this. For example, the node device may create the first instance in a first process to form the first blockchain node in the blockchain main network; when the node member corresponding to that node device wishes to take part in forming a blockchain subnet, it may start a second process distinct from the first process and create in it a second instance, distinct from the first instance, which then forms the second blockchain node in the blockchain subnet. In fact, the blockchain nodes deployed on any node device in the embodiments of this specification are different blockchain instances running on that node device. The blocks generated by the blockchain nodes deployed on a node device are stored in different storage (for example, databases) on that node device, and the storage used by each of those blockchain nodes is isolated from the storage used by the others.
In this way, a blockchain subnet can be created on the blockchain main network. Taking Figure 1 as an example, subnet0 originally contains nodeA~nodeE, and subnet1 can be formed on the basis of subnet0. subnet1 contains nodeA1~nodeD1, and nodeA and nodeA1, nodeB and nodeB1, nodeC and nodeC1, and nodeD and nodeD1 are each deployed on the same node device. Similarly, subnet2 or further blockchain subnets can be formed on subnet0, where subnet2 contains nodeA2, nodeB2, nodeC2 and nodeE2, and nodeA, nodeA1 and nodeA2; nodeB, nodeB1 and nodeB2; nodeC, nodeC1 and nodeC2; nodeD and nodeD1; and nodeE and nodeE2 are each deployed on the same node device. Furthermore, subnet1, subnet2 and so on can serve as new blockchain main networks on which further blockchain subnets are formed; the process is similar to the formation of subnet1 or subnet2 and is not repeated here. It follows that creating a blockchain subnet by initiating a transaction on the blockchain main network to select node members results in all subnet nodes of the new blockchain subnet being deployed on node devices that host main network nodes of the blockchain main network. From the point of view of node devices, the node devices hosting the subnet nodes of the blockchain subnet are a subset of the node devices hosting the main network nodes; in other words, every node device on which a subnet node of the blockchain subnet is deployed also has a main network node of the blockchain main network deployed on it.
Besides initiating a transaction on the blockchain main network to select node members, a blockchain subnet can be created by other means and still be placed under the management of the blockchain main network. For example, a blockchain subnet can be formed on the blockchain main network by registration (hereinafter the registration networking method): an existing blockchain network is registered directly with the blockchain main network so that the newly registered blockchain network comes under the management of the blockchain main network and thereby becomes a blockchain subnet of it. With the registration networking method, the subnet information of the blockchain subnet to be formed is registered directly with the blockchain main network, so that the blockchain main network obtains the relevant information of that subnet (by receiving and executing a transaction, issued by the blockchain network to be formed, that associates its identity information with the subnet identifier assigned to it and records the association as evidence). This information includes, for example, the subnet identifier and running state of the blockchain subnet to be formed, the public key and plug-in configuration information of each of its node members, and the IP address and port information of each node device. It is written into the contract state of the corresponding system contract on the blockchain main network, whereby the blockchain main network obtains management authority over the blockchain subnet to be formed; once registration is complete, the formation of the blockchain subnet is complete. Because the registration networking method does not require a transaction that designates node members on the blockchain main network to make up the blockchain subnet, the subnet nodes of a blockchain subnet formed by registration may be deployed on node devices that are entirely or partly different from the node devices hosting the nodes of the blockchain main network. For example, suppose subnet0 in Figure 1 creates a subnet4 (not shown in Figure 1) by the registration networking method, and the main network nodes nodeA~nodeE of subnet0 are deployed on node devices 1~5 respectively. The subnet nodes of subnet4 may then be deployed on any node devices other than node devices 1~5; or one or more subnet nodes of subnet4 may each be deployed on any of node devices 1~5 (while still ensuring that only one subnet node of subnet4 is deployed on any one node device), with the other subnet nodes of subnet4 deployed on any node devices other than node devices 1~5; and, of course, the subnet nodes of subnet4 may also all be deployed on node devices 1~5.
The cross-subnet calling method of this specification is described in detail below with reference to Figure 2. Figure 2 is a flowchart of a cross-subnet calling method provided by an exemplary embodiment. The method is applied to a first subnet node in a first blockchain subnet managed by a blockchain main network. The first subnet node maintains a first trusted execution environment; the blockchain main network also manages a second blockchain subnet, and a second subnet node in the second blockchain subnet maintains a second trusted execution environment. The method includes:
S202: Run the first smart contract in the first trusted execution environment to generate a cross-subnet request, and, in the first trusted execution environment, encrypt the cross-subnet request based on the first public key corresponding to the second trusted execution environment to obtain an encrypted request.
In the embodiments of this specification, the first blockchain subnet and the second blockchain subnet are both created on the basis of the blockchain main network in the manner of creating a blockchain subnet described above. Every blockchain subnet is managed by the blockchain main network; specifically, the blockchain main network can perform management functions such as starting and stopping nodes and adjusting the network structure of each blockchain subnet by calling the subnet management contract deployed on the blockchain main network.
The first subnet node maintains a first trusted execution environment and can place computing tasks that arise while the node runs, such as transaction execution, the consensus process and contract execution, into the first trusted execution environment for execution. In doing so, the first subnet node reads ciphertext data from outside the first trusted execution environment into the first trusted execution environment, decrypts it into plaintext data there, and only then operates on it. The first subnet node can therefore use the confidentiality of the first trusted execution environment to establish its security at the node operation level. Likewise, the second subnet node maintains a second trusted execution environment and can use it in the same way to achieve the security of the second subnet node at the node operation level.
In the embodiments of this specification, any subnet node in the first blockchain subnet or the second blockchain subnet may have a corresponding trusted execution environment deployed and achieve security at its own node operation level in the manner described above. In this scenario, the first blockchain subnet and the second blockchain subnet are referred to as TEE (Trusted Execution Environment) chains.
When the first subnet node runs the first smart contract in the first trusted execution environment, the first smart contract may need to make a cross-subnet call to another blockchain subnet, for example by generating a cross-subnet request directed at the second subnet node in the second blockchain subnet. The cross-subnet request must then be transmitted to the second subnet node and executed there, and the cross-subnet response that the second subnet node generates by executing the request must be received. To keep cross-subnet requests and cross-subnet responses secure while they are transmitted outside the trusted execution environments (cross-subnet communication), they need to be encrypted inside a trusted execution environment before cross-subnet communication takes place. The first subnet node therefore does not send the cross-subnet request generated by the first smart contract running in the first trusted execution environment directly to the second subnet node. Instead, it first encrypts the cross-subnet request in the first trusted execution environment, based on the first public key corresponding to the second trusted execution environment, to obtain an encrypted request, and then sends the encrypted request to the second subnet node. To ensure that the encrypted request can be routed correctly to the second subnet node, certain fields of the original cross-subnet request are left unencrypted during encryption, such as the identity information of the second subnet node (IP address, node public key or other identifier) and the identification information of the second blockchain subnet.
In the embodiments of this specification, the first trusted execution environment maintains a corresponding public/private key pair (the second public key and the second private key) used to encrypt and decrypt data crossing the boundary of the first trusted execution environment. The second private key is held solely by the first trusted execution environment, and the second public key is made public. Likewise, the second trusted execution environment maintains a corresponding public/private key pair (the first public key and the first private key) used to encrypt and decrypt data crossing the boundary of the second trusted execution environment. The first private key is held solely by the second trusted execution environment, and the first public key is made public.
Therefore, once the cross-subnet request has been encrypted in the first trusted execution environment, based on the first public key corresponding to the second trusted execution environment, to obtain the encrypted request, that encrypted request can in theory be decrypted only in the second trusted execution environment maintained by the second subnet node, the sole holder of the first private key. Even if a third party captures the encrypted request while it is transmitted outside the trusted execution environments, the third party lacks the first private key and cannot decrypt it to recover the plaintext cross-subnet request, which ensures the security of the cross-subnet communication process. Because such an encrypted request has both the nature of a blockchain transaction and confidentiality, it is a kind of private transaction.
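The request encryption described above, and the reply direction that S204 describes, as an added example that is not part of the patent text. The patent names no algorithm; RSA-OAEP wrapping a one-time AES-256-GCM key, the Envelope layout, the header strings and the "state-for:" reply are assumptions of this example, and NewTEEKey stands in for a key pair that a real trusted execution environment would generate and keep inside itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what leaves a TEE: Header stays readable for routing.
type Envelope struct {
	Header     string // cleartext routing fields (target subnet and node)
	WrappedKey []byte // one-time AES key, RSA-OAEP encrypted to the target TEE
	Nonce      []byte
	Body       []byte // AES-256-GCM ciphertext and tag
}

// NewTEEKey stands in for the key pair a TEE generates and keeps to itself.
func NewTEEKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs inside the sending TEE and encrypts to the target TEE's public key.
func Seal(target *rsa.PublicKey, header string, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The header is the OAEP label and the GCM associated data: editing it in
	// transit makes Open fail. It does not prove who sent the envelope.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, target, key, []byte(header))
	if err != nil {
		return nil, err
	}
	body := aead.Seal(nil, nonce, plaintext, []byte(header))
	return &Envelope{Header: header, WrappedKey: wrapped, Nonce: nonce, Body: body}, nil
}

// Open runs inside the receiving TEE, the only holder of the private key.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte(env.Header))
	if err != nil {
		return nil, errors.New("key unwrap failed")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, env.Nonce, env.Body, []byte(env.Header))
}

// RoundTrip plays S202 and S204; "state-for:" stands in for contract execution.
func RoundTrip(tee1, tee2 *rsa.PrivateKey, request string) (string, error) {
	req, err := Seal(&tee2.PublicKey, "subnet2/nodeE2", []byte(request))
	if err != nil {
		return "", err
	}
	got, err := Open(tee2, req) // inside the second TEE
	if err != nil {
		return "", err
	}
	resp, err := Seal(&tee1.PublicKey, "subnet1/nodeC1", []byte("state-for:"+string(got)))
	if err != nil {
		return "", err
	}
	out, err := Open(tee1, resp) // back inside the first TEE
	return string(out), err
}

func main() {
	tee1, err1 := NewTEEKey()
	tee2, err2 := NewTEEKey()
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	out, err := RoundTrip(tee1, tee2, "query:height=100")
	fmt.Println(out, err)
}
```

Binding the cleartext routing fields to the ciphertext means a captured envelope cannot be re-addressed without detection; authenticating the sender would need a signature or attestation, which this example does not cover.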
In the embodiments of this specification, the first smart contract runs in the first trusted execution environment because the first subnet node loads the first smart contract program there. The first smart contract program is obtained by the first subnet node decrypting, inside the first trusted execution environment, the first smart contract program ciphertext read in from outside the first trusted execution environment. That the first smart contract runs in the first trusted execution environment is thus the result of the first subnet node loading the first smart contract program in the first trusted execution environment. Because the first trusted execution environment is essentially a physically isolated execution environment in which all running programs are loaded into isolated memory, programs that do not currently need to run in the first trusted execution environment need to be stored persistently. To ensure information security, every program that runs in the first trusted execution environment follows the principle of "decrypt and load inside the trusted execution environment, store encrypted outside the trusted execution environment". The first smart contract program is therefore essentially the result of decrypting, inside the first trusted execution environment, the first smart contract program ciphertext read from outside it. For example, the first smart contract program ciphertext is the first smart contract program encrypted with the second public key and stored outside the first trusted execution environment, and it can be decrypted into the first smart contract program inside the first trusted execution environment with the second private key. Smart contracts such as the first smart contract, which execute in plaintext inside a trusted execution environment but are stored encrypted outside it, are called privacy contracts.
S204: Send the encrypted request to the second subnet node and receive the encrypted response returned by the second subnet node. The second subnet node obtains the encrypted response as follows: it reads the encrypted request into the second trusted execution environment; in the second trusted execution environment it decrypts the encrypted request based on the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request; it executes the cross-subnet request to generate the corresponding cross-subnet response; and it encrypts the cross-subnet response based on the second public key corresponding to the first trusted execution environment to obtain the encrypted response.
After the first subnet node has encrypted the cross-subnet request in the first trusted execution environment to obtain the encrypted request, it can send the encrypted request to the second subnet node through cross-subnet communication.
Cross-subnet communication between subnet nodes in different blockchain subnets is carried mainly over the network connection links established in advance between the main network nodes deployed on their respective node devices. Taking Figure 1 as an example, node device 3, which hosts the first subnet node nodeC1 of the first blockchain subnet subnet1, also hosts the main network node nodeC of the blockchain main network subnet0, and node device 5, which hosts the second subnet node nodeE2 of the second blockchain subnet subnet2, also hosts the main network node nodeE of subnet0. Suppose nodeC1 wishes to send an encrypted request to nodeE2. Although there is no direct network connection link between subnet1 and subnet2 (between nodeC and nodeE), the network connection link set up when subnet0 was formed already exists between nodeC on node device 3 and nodeE on node device 5, and this link allows node device 3 and node device 5 to communicate with each other. nodeC1 can therefore use the network connection link established between nodeC and nodeE to send the encrypted request from node device 3 to node device 5, where node device 5 finally routes it to its locally deployed nodeE2. In one embodiment, the network connection link set up when subnet0 was formed is the consensus link established between the main network nodes of subnet0 for reaching consensus on transactions and/or the synchronization link used for synchronizing blocks.
In the embodiments of this specification, the mainnet node and the subnet nodes on the same node device share the blockchain communication plug-in running on that device, for example a P2P (Peer to Peer) plug-in. The network connection link created when subnet0 was formed is established by nodeC and nodeE using the P2P plug-ins on node device 3 and node device 5 respectively. Because the P2P plug-in on a node device can be shared by all blockchain nodes on that device, nodeC1 in subnet1 can call the P2P plug-in running locally on node device 3 and, by means of the P2P-plug-in-based network connection between node device 3 and node device 5 created when subnet0 was formed, establish a network connection to the P2P plug-in running on node device 5, to which nodeE2 belongs. It thereby sends the encrypted request to node device 5 and so communicates with nodeE2. Consequently, no new network connection link needs to be established between the first blockchain subnet and the second blockchain subnet; cross-subnet communication between the first subnet node in the first blockchain subnet and the second subnet node in the second blockchain subnet is carried over the network connection link pre-established by the underlying blockchain mainnet.
After the second subnet node receives the encrypted request, it reads the encrypted request into the second trusted execution environment that it maintains and, inside the second trusted execution environment, decrypts the encrypted request with the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request. Having obtained the cross-subnet request, the second subnet node then executes it in the second trusted execution environment to generate the corresponding cross-subnet response, for example by calling the second smart contract running in the second trusted execution environment to execute the cross-subnet request; that is, the cross-subnet response is generated by the second smart contract running in the second trusted execution environment executing the cross-subnet request. Where the cross-subnet request queries a specific contract state of the second smart contract at a specific block height, the cross-subnet response contains that contract state. After the second subnet node obtains the cross-subnet response, again for the security of cross-subnet communication, it encrypts the cross-subnet response in the second trusted execution environment with the second public key corresponding to the first trusted execution environment to obtain the encrypted response, and then outputs the encrypted response from the second trusted execution environment and returns it to the first subnet node by callback. Even if the encrypted response is captured by a third party while in transit outside the trusted execution environments, the third party lacks the second private key and cannot decrypt it to recover the plaintext cross-subnet response, which secures the cross-subnet communication process. Such an encrypted response is likewise a kind of private transaction.
In the embodiments of this specification, the second smart contract runs in the second trusted execution environment as a result of the second subnet node loading the second smart contract program in the second trusted execution environment, where the second smart contract program is obtained by the second subnet node decrypting, inside the second trusted execution environment, the second smart contract program ciphertext read in from outside it. That the second smart contract runs in the second trusted execution environment is in fact the result of the second subnet node loading the second smart contract program there. Because the second trusted execution environment is in essence a physically isolated execution environment in which every running program is loaded into isolated memory, programs that do not currently need to run in the second trusted execution environment must be kept in persistent storage. To ensure information security, every program that runs in the second trusted execution environment follows the principle "decrypt and load inside the trusted execution environment, encrypt and store outside the trusted execution environment". The second smart contract program is therefore, in essence, the result of decrypting inside the second trusted execution environment the second smart contract program ciphertext read from outside it. For example, when the second subnet node receives the encrypted message, decrypts it in the second trusted execution environment to obtain the cross-subnet request, and finds that the cross-subnet request calls the second smart contract, the second subnet node can either directly call the second smart contract already running in the second trusted execution environment to execute the request, or read the second smart contract program ciphertext from outside the second trusted execution environment into it, decrypt it with the first private key into the second smart contract program, temporarily load that program in the second trusted execution environment so that the second smart contract runs there, and finally call the running second smart contract to execute the cross-subnet request. Like the first smart contract, the second smart contract is a kind of privacy contract.
The process by which the second subnet node sends the encrypted response to the first subnet node is similar to the process by which the first subnet node sends the encrypted request to the second subnet node. Both are based on cross-subnet communication, and the details are not repeated here.
S206: Read the encrypted response into the first trusted execution environment, and in the first trusted execution environment decrypt the encrypted response with the second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
After the first subnet node receives the encrypted response, it can read it into the first trusted execution environment and, inside the first trusted execution environment, decrypt the encrypted response with the second private key held solely by the first trusted execution environment to obtain the cross-subnet response. At this point, the embodiments of this specification have fully implemented the process of the first subnet node initiating a cross-subnet call to the second subnet node.
In the embodiments of this specification, the first subnet node and the second subnet node are in different blockchain subnets. When a cross-subnet call is made between them, maintaining a corresponding trusted execution environment at each of the two nodes ensures the security of both nodes while they run, and each node can encrypt the cross-subnet request or cross-subnet response for transmission with the public key corresponding to the trusted execution environment of the other party, which ensures the security of the cross-subnet communication process. The security of node operation and the security of cross-subnet communication work together to achieve system-level security for the entire cross-subnet call.
Optionally, the cross-subnet request includes: a consensus transaction executed jointly by the subnet nodes of the second blockchain subnet, or a local transaction executed independently by the second subnet node alone.
In the embodiments of this specification, the cross-subnet request may be a consensus transaction or a local transaction. Where it is a consensus transaction, after the second subnet node receives the cross-subnet request, the request goes through consensus, execution, block formation and commitment to the blockchain ledger in the second blockchain subnet like an ordinary blockchain transaction. This means that all subnet nodes in the second blockchain subnet (including the second subnet node) execute the cross-subnet request to generate the corresponding cross-subnet response and at the same time change the world state of the second blockchain subnet, and one elected subnet node (for example, the second subnet node) returns the corresponding cross-subnet response.
A local transaction, as used in the embodiments of this specification, is a transaction that does not take part in blockchain consensus, block formation or commitment to the chain and serves only as an internal calling medium. Where the cross-subnet request is a local transaction, after the second subnet node receives it, the second subnet node executes the cross-subnet request independently to generate the corresponding cross-subnet response. No consensus takes place and the world state is not changed; once local execution completes, the cross-subnet response is simply returned to the first subnet node by callback. Because a cross-subnet request that is a local transaction needs no consensus, block formation or commitment to the chain, the embodiments of this specification can confine the computation to the second subnet node, reduce the computational burden on the second blockchain network as a whole in responding to cross-subnet requests, and improve the efficiency with which cross-subnet requests are executed.
Optionally, the first subnet node and the second subnet node are deployed on the same node device or on different node devices.
Figure 3 is an application scenario diagram, based on Figure 1, in which nodeC1 is the first subnet node and nodeE2 is the second subnet node. It is an embodiment in which the first subnet node and the second subnet node are deployed on different node devices. Node device 3 hosts nodeC belonging to subnet0, nodeC1 belonging to subnet1 and nodeC2 belonging to subnet2, where nodeC, nodeC1 and nodeC2 are blockchain node instances (hereinafter, blockchain nodes) formed by running pre-deployed blockchain platform code in virtual machines deployed locally on node device 3. The data that nodeC produces while running as a blockchain node is stored in the database corresponding to nodeC, and the data that nodeC1 and nodeC2 produce while running as other blockchain nodes is stored in the databases corresponding to nodeC1 and nodeC2 respectively. Similarly, node device 5 hosts nodeE belonging to subnet0 and nodeE2 belonging to subnet2. In addition, any node device may have blockchain consensus code deployed, which it can run to form a consensus component instance locally. A node device may also have P2P (Peer to Peer) component code deployed and managed as a plug-in, which it can run to form a P2P component instance locally, that is, a P2P plug-in. In Figure 3, for example, node device 3 and node device 5 each run a P2P plug-in locally. The P2P plug-in can be shared by the different blockchain nodes on the same node device; for example, nodeC, nodeC1 and nodeC2 on node device 3 can call the same P2P plug-in running on node device 3 to share its functions and data, for instance to implement cross-subnet communication. nodeC1 maintains the first trusted execution environment, so the first smart contract deployed by nodeC1 can run in plaintext in the first trusted execution environment; similarly, nodeE2 maintains the second trusted execution environment, so the second smart contract deployed by nodeE2 can run in plaintext in the second trusted execution environment. In the embodiments of this specification, cross-subnet communication between the first subnet node and the second subnet node is communication across node devices, and during routing the transmitted data may pass through node devices other than those on which the first subnet node and the second subnet node are located.
Figure 4 is an application scenario diagram, based on Figure 1, in which nodeC1 is the first subnet node and nodeC2 is the second subnet node. It is an embodiment in which the first subnet node and the second subnet node are deployed on the same node device. Node device 3 hosts nodeC belonging to subnet0, nodeC1 belonging to subnet1 and nodeC2 belonging to subnet2, and runs a P2P plug-in locally whose data and functions can be shared by nodeC, nodeC1 and nodeC2. In the embodiments of this specification, multiple trusted execution environments (the first trusted execution environment and the second trusted execution environment) are maintained in the same node device (node device 3): nodeC1 maintains the first trusted execution environment, so the first smart contract deployed by nodeC1 can run in plaintext in it, and nodeC2 maintains the second trusted execution environment, so the second smart contract deployed by nodeC2 can run in plaintext in it. In the embodiments of this specification, cross-subnet communication between the first subnet node and the second subnet node is inter-process communication inside the node device. The transmitted data does not pass through any node device other than the one on which both nodes are located, and flows between the first subnet node and the second subnet node only through the P2P plug-in running locally on that node device.
Optionally, the method further includes: reading cross-subnet transaction ciphertext into the first trusted execution environment, decrypting the cross-subnet transaction ciphertext in the first trusted execution environment to obtain a cross-subnet transaction, and calling the first smart contract to execute the cross-subnet transaction to generate the cross-subnet request.
In the embodiments of this specification, the first smart contract generates the cross-subnet request when it executes a cross-subnet transaction, and the cross-subnet request is obtained by decrypting, inside the first trusted execution environment, cross-subnet transaction ciphertext read in from outside the first trusted execution environment. Specifically, a transaction initiator can submit cross-subnet transaction ciphertext to the first blockchain network, where it goes through consensus and is executed by the subnet nodes of the first blockchain network (including the first subnet node). When the first subnet node needs to execute the cross-subnet transaction ciphertext, it must first read the ciphertext into the first trusted execution environment and decrypt it (for example, with the second private key) to obtain the cross-subnet transaction. It can then either directly call the first smart contract already running in the first trusted execution environment to execute the cross-subnet transaction, or read the first smart contract program ciphertext from outside the first trusted execution environment into it, decrypt it with the first private key into the first smart contract program, temporarily load that program in the first trusted execution environment so that the first smart contract runs there, and finally call the running first smart contract to execute the cross-subnet transaction and generate the cross-subnet request. The cross-subnet transactions involved in the embodiments of this specification are private transactions.
Figure 5 is a flowchart of another cross-subnet calling method provided by an exemplary embodiment. The method is applied to a second subnet node in a second blockchain subnet managed by a blockchain mainnet. The second subnet node maintains a second trusted execution environment, the blockchain mainnet also manages a first blockchain subnet, and a first subnet node in the first blockchain subnet maintains a first trusted execution environment. The method includes S502 to S506.
S502: Receive an encrypted request obtained by the first subnet node encrypting a cross-subnet request, in the first trusted execution environment, with the first public key corresponding to the second trusted execution environment, where the cross-subnet request is generated by the first subnet node running a first smart contract in the first trusted execution environment.
S504: Read the encrypted request into the second trusted execution environment, decrypt the encrypted request in the second trusted execution environment with the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, execute the cross-subnet request to generate a corresponding cross-subnet response, and encrypt the cross-subnet response with the second public key corresponding to the first trusted execution environment to obtain an encrypted response.
S506: Send the encrypted response to the first subnet node, so that the first subnet node reads the received encrypted response into the first trusted execution environment and, in the first trusted execution environment, decrypts the encrypted response with the second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
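The S502 to S506 exchange, together with the first subnet node's side of the call, as an added Go example that is not part of the patent text. The patent names no cipher: encrypting the payload directly with RSA-OAEP (which caps it at 190 bytes for a 2048-bit key with SHA-256), the "request"/"response" labels, the `GET_STATE` request format, the `Link` type standing in for the shared P2P plug-in, and every type and function name here are assumptions, and the trusted execution environment is modelled as a struct that keeps its private key to itself.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TEE stands in for a trusted execution environment: priv never leaves it.
type TEE struct {
	priv  *rsa.PrivateKey
	state map[uint64]string // constructed contract state, keyed by block height
}

// Link is the untrusted path between node devices (the shared P2P plug-in):
// it carries ciphertext only and may drop or alter it.
type Link func(encryptedRequest []byte) (encryptedResponse []byte, err error)

func NewTEE(state map[uint64]string) (*TEE, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &TEE{priv: k, state: state}, nil
}

// Public returns the key other TEEs use to encrypt messages for this one.
func (t *TEE) Public() *rsa.PublicKey { return &t.priv.PublicKey }

// seal encrypts msg for the TEE that owns pub. The OAEP label ("request" or
// "response") makes a ciphertext valid in one direction only. RSA-OAEP with a
// 2048-bit key and SHA-256 accepts at most 190 bytes; longer input is an error.
func seal(pub *rsa.PublicKey, label string, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, []byte(label))
}

// open runs inside the TEE; it fails on a wrong key, wrong label or altered bytes.
func (t *TEE) open(label string, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, t.priv, ct, []byte(label))
}

// HandleRequest is the second subnet node's side (S502 to S506), inside TEE2:
// decrypt with the first private key, execute, encrypt with the second public key.
func (t *TEE) HandleRequest(encReq []byte, tee1Pub *rsa.PublicKey) ([]byte, error) {
	plain, err := t.open("request", encReq)
	if err != nil {
		return nil, fmt.Errorf("request rejected: %w", err)
	}
	var height uint64
	if _, err := fmt.Sscanf(string(plain), "GET_STATE %d", &height); err != nil {
		return nil, errors.New("malformed cross-subnet request")
	}
	val, ok := t.state[height] // stands in for the second smart contract
	if !ok {
		val = "NOT_FOUND"
	}
	return seal(tee1Pub, "response", []byte(val))
}

// Call is the first subnet node's side, inside TEE1: build the request,
// encrypt it with the first public key, send it over the link, and decrypt
// the reply with the second private key.
func (t *TEE) Call(tee2Pub *rsa.PublicKey, height uint64, link Link) (string, error) {
	encReq, err := seal(tee2Pub, "request", []byte(fmt.Sprintf("GET_STATE %d", height)))
	if err != nil {
		return "", err
	}
	encResp, err := link(encReq)
	if err != nil {
		return "", err
	}
	plain, err := t.open("response", encResp)
	if err != nil {
		return "", fmt.Errorf("response rejected: %w", err)
	}
	return string(plain), nil
}

func main() {
	tee1, err1 := NewTEE(nil)
	tee2, err2 := NewTEE(map[uint64]string{42: "balance=100"}) // constructed state
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	link := func(req []byte) ([]byte, error) { return tee2.HandleRequest(req, tee1.Public()) }
	fmt.Println(tee1.Call(tee2.Public(), 42, link))
}
```

A link that flips a byte or echoes the request back as the response makes the call fail with an error instead of returning attacker-chosen data, because decryption checks both the key and the direction label.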
Figure 6 is a schematic structural diagram of a device provided by an exemplary embodiment. Referring to Figure 6, at the hardware level the device includes a processor 602, an internal bus 604, a network interface 606, a memory 608 and a non-volatile memory 610, and may of course also include other hardware required by services. One or more embodiments of this specification may be implemented in software, for example by the processor 602 reading the corresponding computer program from the non-volatile memory 610 into the memory 608 and running it. Besides a software implementation, one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the executing entity of the following processing flow is not limited to logic units and may also be hardware or a logic device.
Figure 7 is a block diagram of a cross-subnet calling apparatus provided by this specification according to an exemplary embodiment. The apparatus can be applied in the device shown in Figure 6 to implement the technical solution of this specification. The apparatus is applied to a first subnet node in a first blockchain subnet managed by a blockchain mainnet; the first subnet node maintains a first trusted execution environment, the blockchain mainnet also manages a second blockchain subnet, and a second subnet node in the second blockchain subnet maintains a second trusted execution environment. The apparatus includes: an encrypted request obtaining unit 701, configured to run a first smart contract in the first trusted execution environment to generate a cross-subnet request, and to encrypt the cross-subnet request in the first trusted execution environment with the first public key corresponding to the second trusted execution environment to obtain an encrypted request; an encrypted request sending unit 702, configured to send the encrypted request to the second subnet node and receive the encrypted response returned by the second subnet node, the encrypted response being obtained by the second subnet node as follows: reading the encrypted request into the second trusted execution environment, decrypting the encrypted request in the second trusted execution environment with the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, executing the cross-subnet request to generate a corresponding cross-subnet response, and encrypting the cross-subnet response with the second public key corresponding to the first trusted execution environment to obtain the encrypted response; and an encrypted response decryption unit 703, configured to read the encrypted response into the first trusted execution environment and decrypt it in the first trusted execution environment with the second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
Optionally, the first smart contract runs in the first trusted execution environment as a result of the first subnet node loading the first smart contract program in the first trusted execution environment, where the first smart contract program is obtained by the first subnet node decrypting, inside the first trusted execution environment, the first smart contract program ciphertext read in from outside the first trusted execution environment.
Optionally, the cross-subnet response is generated by the second smart contract running in the second trusted execution environment executing the cross-subnet request.
Optionally, the second smart contract runs in the second trusted execution environment as a result of the second subnet node loading the second smart contract program in the second trusted execution environment, where the second smart contract program is obtained by the second subnet node decrypting, inside the second trusted execution environment, the second smart contract program ciphertext read in from outside the second trusted execution environment.
Optionally, the cross-subnet request includes: a consensus transaction executed jointly by the subnet nodes of the second blockchain subnet, or a local transaction executed independently by the second subnet node alone.
Optionally, the first subnet node and the second subnet node are deployed on the same node device or on different node devices.
Optionally, the apparatus further includes: a cross-subnet transaction execution unit 704, configured to read cross-subnet transaction ciphertext into the first trusted execution environment, decrypt the cross-subnet transaction ciphertext in the first trusted execution environment to obtain a cross-subnet transaction, and call the first smart contract to execute the cross-subnet transaction to generate the cross-subnet request.
Figure 8 is a block diagram of another cross-subnet calling apparatus provided by this specification according to an exemplary embodiment. The apparatus can be applied in the device shown in Figure 6 to implement the technical solution of this specification. The apparatus is applied to a second subnet node in a second blockchain subnet managed by a blockchain mainnet; the second subnet node maintains a second trusted execution environment, the blockchain mainnet also manages a first blockchain subnet, and a first subnet node in the first blockchain subnet maintains a first trusted execution environment. The apparatus includes: an encrypted request receiving unit 801, configured to receive an encrypted request obtained by the first subnet node encrypting a cross-subnet request, in the first trusted execution environment, with the first public key corresponding to the second trusted execution environment, where the cross-subnet request is generated by the first subnet node running a first smart contract in the first trusted execution environment; an encrypted response obtaining unit 802, configured to read the encrypted request into the second trusted execution environment, decrypt the encrypted request in the second trusted execution environment with the first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, execute the cross-subnet request to generate a corresponding cross-subnet response, and encrypt the cross-subnet response with the second public key corresponding to the first trusted execution environment to obtain an encrypted response; and an encrypted response sending unit 803, configured to send the encrypted response to the first subnet node, so that the first subnet node reads the received encrypted response into the first trusted execution environment and, in the first trusted execution environment, decrypts the encrypted response with the second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
In the 1990s, an improvement to a technology could be clearly classified as either a hardware improvement (for example, an improvement to a circuit structure such as a diode, transistor or switch) or a software improvement (an improvement to a method flow). With the development of technology, however, many of today's improvements to method flows can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. It therefore cannot be said that an improvement to a method flow cannot be implemented with a hardware entity module. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic function is determined by the user programming the device. Designers program the device themselves to "integrate" a digital system onto a single PLD, without asking a chip manufacturer to design and fabricate a dedicated integrated circuit chip. Moreover, instead of making integrated circuit chips by hand, this programming is nowadays mostly done with "logic compiler" software, which is similar to the software compilers used in program development; the source code to be compiled must likewise be written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art will also appreciate that a hardware circuit implementing a logical method flow can easily be obtained merely by describing the method flow in one of the above hardware description languages and programming it into an integrated circuit.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (such as software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of a memory. Those skilled in the art also know that, besides implementing the controller purely as computer-readable program code, the method steps can be logically programmed so that the controller achieves the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller can therefore be regarded as a hardware component, and the means included in it for implementing various functions can be regarded as structures within the hardware component. Or even, the means for implementing various functions can be regarded both as software modules implementing a method and as structures within a hardware component.
The systems, apparatuses, modules or units set forth in the above embodiments may be implemented by a computer chip or an entity, or by a product having a certain function. A typical implementation device is a server system. Of course, the present invention does not exclude that, as computer technology develops in the future, the computer implementing the functions of the above embodiments may be, for example, a personal computer, a laptop computer, an in-vehicle human-computer interaction device, a cellular phone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an e-mail device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Although one or more embodiments of this specification provide method operation steps as described in the embodiments or flowcharts, more or fewer operation steps may be included based on conventional or non-inventive means. The order of steps listed in the embodiments is only one of many possible execution orders and does not represent the only execution order. When an actual apparatus or terminal product executes the method, the steps may be executed sequentially or in parallel according to the methods shown in the embodiments or the drawings (for example, in a parallel-processor or multi-threaded environment, or even a distributed data processing environment). The terms "include", "comprise" and any other variants are intended to cover a non-exclusive inclusion, so that a process, method, product or device that includes a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, product or device. Without further limitation, the presence of additional identical or equivalent elements in the process, method, product or device that includes the stated elements is not excluded. Words such as "first" and "second", where used, denote names and do not indicate any particular order.
For convenience of description, the above apparatus is described with its functions divided into various modules. Of course, when implementing one or more embodiments of this specification, the functions of the modules may be implemented in the same one or more pieces of software and/or hardware, or a module implementing a given function may be implemented by a combination of multiple sub-modules or sub-units. The apparatus embodiments described above are merely illustrative. For example, the division into units is only a division by logical function; in an actual implementation there may be other ways of dividing them, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatuses (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
Memory may include non-permanent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage, graphene storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
Those skilled in the art should understand that one or more embodiments of this specification may be provided as a method, a system or a computer program product. Accordingly, one or more embodiments of this specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code.
One or more embodiments of this specification may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. One or more embodiments of this specification may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
The embodiments in this specification are described in a progressive manner. For identical or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for relevant details, refer to the corresponding description of the method embodiments. In the description of this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of this specification. In this specification, such expressions do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. In addition, provided they do not contradict one another, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those embodiments or examples.
The above are merely examples of one or more embodiments of this specification and are not intended to limit one or more embodiments of this specification. To those skilled in the art, one or more embodiments of this specification may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of this specification shall fall within the scope of the claims.

Claims (12)

  1. A cross-subnet calling method, applied to a first subnet node in a first blockchain subnet managed by a blockchain main network, wherein the first subnet node maintains a first trusted execution environment, the blockchain main network also manages a second blockchain subnet, and a second subnet node in the second blockchain subnet maintains a second trusted execution environment; the method comprising:
    running a first smart contract in the first trusted execution environment to generate a cross-subnet request, and encrypting the cross-subnet request in the first trusted execution environment based on a first public key corresponding to the second trusted execution environment to obtain an encrypted request;
    sending the encrypted request to the second subnet node, and receiving an encrypted response returned by the second subnet node, the encrypted response being obtained by the second subnet node by: reading the encrypted request into the second trusted execution environment, decrypting the encrypted request in the second trusted execution environment based on a first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, executing the cross-subnet request to generate a corresponding cross-subnet response, and encrypting the cross-subnet response based on a second public key corresponding to the first trusted execution environment to obtain the encrypted response;
    reading the encrypted response into the first trusted execution environment, and decrypting the encrypted response in the first trusted execution environment based on a second private key corresponding to the first trusted execution environment to obtain the cross-subnet response.
  2. The method according to claim 1, wherein the first smart contract is run in the first trusted execution environment by the first subnet node loading a first smart contract program in the first trusted execution environment, and the first smart contract program is obtained by the first subnet node decrypting, in the first trusted execution environment, a first smart contract program ciphertext read in from outside the first trusted execution environment.
  3. The method according to claim 1, wherein the cross-subnet response is generated by a second smart contract running in the second trusted execution environment executing the cross-subnet request.
  4. The method according to claim 3, wherein the second smart contract is run in the second trusted execution environment by the second subnet node loading a second smart contract program in the second trusted execution environment, and the second smart contract program is obtained by the second subnet node decrypting, in the second trusted execution environment, a second smart contract program ciphertext read in from outside the second trusted execution environment.
  5. The method according to claim 1, wherein the cross-subnet request comprises: a consensus transaction executed jointly by the subnet nodes in the second blockchain subnet, or a local transaction executed independently by the second subnet node alone.
  6. The method according to claim 1, wherein the first subnet node and the second subnet node are deployed on the same node device or on different node devices.
  7. The method according to claim 1, further comprising:
    reading a cross-subnet transaction ciphertext into the first trusted execution environment, decrypting the cross-subnet transaction ciphertext in the first trusted execution environment to obtain a cross-subnet transaction, and calling the first smart contract to execute the cross-subnet transaction to generate the cross-subnet request.
  8. A cross-subnet calling method, applied to a second subnet node in a second blockchain subnet managed by a blockchain main network, wherein the second subnet node maintains a second trusted execution environment, the blockchain main network also manages a first blockchain subnet, and a first subnet node in the first blockchain subnet maintains a first trusted execution environment; the method comprising:
    receiving an encrypted request obtained by the first subnet node encrypting, in the first trusted execution environment, a cross-subnet request based on a first public key corresponding to the second trusted execution environment, wherein the cross-subnet request is generated by the first subnet node running a first smart contract in the first trusted execution environment;
    reading the encrypted request into the second trusted execution environment, decrypting the encrypted request in the second trusted execution environment based on a first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, executing the cross-subnet request to generate a corresponding cross-subnet response, and encrypting the cross-subnet response based on a second public key corresponding to the first trusted execution environment to obtain an encrypted response;
    sending the encrypted response to the first subnet node, so that the first subnet node reads the received encrypted response into the first trusted execution environment and decrypts the encrypted response in the first trusted execution environment, based on a second private key corresponding to the first trusted execution environment, to obtain the cross-subnet response.
  9. A cross-subnet calling apparatus, applied to a first subnet node in a first blockchain subnet managed by a blockchain main network, wherein the first subnet node maintains a first trusted execution environment, the blockchain main network also manages a second blockchain subnet, and a second subnet node in the second blockchain subnet maintains a second trusted execution environment; the apparatus comprising:
    an encrypted request acquisition unit, configured to run a first smart contract in the first trusted execution environment to generate a cross-subnet request, and to encrypt the cross-subnet request in the first trusted execution environment based on a first public key corresponding to the second trusted execution environment to obtain an encrypted request;
    an encrypted request sending unit, configured to send the encrypted request to the second subnet node and receive an encrypted response returned by the second subnet node, the encrypted response being obtained by the second subnet node by: reading the encrypted request into the second trusted execution environment, decrypting the encrypted request in the second trusted execution environment based on a first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, executing the cross-subnet request to generate a corresponding cross-subnet response, and encrypting the cross-subnet response based on a second public key corresponding to the first trusted execution environment to obtain the encrypted response;
    an encrypted response decryption unit, configured to read the encrypted response into the first trusted execution environment and decrypt the encrypted response in the first trusted execution environment, based on a second private key corresponding to the first trusted execution environment, to obtain the cross-subnet response.
  10. A cross-subnet calling apparatus, applied to a second subnet node in a second blockchain subnet managed by a blockchain main network, wherein the second subnet node maintains a second trusted execution environment, the blockchain main network also manages a first blockchain subnet, and a first subnet node in the first blockchain subnet maintains a first trusted execution environment; the apparatus comprising:
    an encrypted request receiving unit, configured to receive an encrypted request obtained by the first subnet node encrypting, in the first trusted execution environment, a cross-subnet request based on a first public key corresponding to the second trusted execution environment, wherein the cross-subnet request is generated by the first subnet node running a first smart contract in the first trusted execution environment;
    an encrypted response acquisition unit, configured to read the encrypted request into the second trusted execution environment, decrypt the encrypted request in the second trusted execution environment based on a first private key corresponding to the second trusted execution environment to obtain the cross-subnet request, execute the cross-subnet request to generate a corresponding cross-subnet response, and encrypt the cross-subnet response based on a second public key corresponding to the first trusted execution environment to obtain an encrypted response;
    an encrypted response sending unit, configured to send the encrypted response to the first subnet node, so that the first subnet node reads the received encrypted response into the first trusted execution environment and decrypts the encrypted response in the first trusted execution environment, based on a second private key corresponding to the first trusted execution environment, to obtain the cross-subnet response.
  11. An electronic device, comprising:
    a processor;
    a memory for storing instructions executable by the processor;
    wherein the processor implements the method according to any one of claims 1-8 by running the executable instructions.
  12. A computer-readable storage medium having computer instructions stored thereon, wherein the instructions, when executed by a processor, implement the steps of the method according to any one of claims 1-8.
PCT/CN2022/135244 2022-06-29 2022-11-30 Cross-subnet calling WO2024001022A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210759288.5 2022-06-29
CN202210759288.5A CN115134075A (en) 2022-06-29 2022-06-29 Cross-subnet calling method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2024001022A1 true WO2024001022A1 (en) 2024-01-04

Family

ID=83382747

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/135244 WO2024001022A1 (en) 2022-06-29 2022-11-30 Cross-subnet calling

Country Status (2)

Country Link
CN (1) CN115134075A (en)
WO (1) WO2024001022A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115134075A (en) * 2022-06-29 2022-09-30 蚂蚁区块链科技(上海)有限公司 Cross-subnet calling method and device, electronic equipment and storage medium
CN115378942B (en) * 2022-10-10 2022-12-20 北京理工大学 Information cross-chain interaction method and interaction device for block chain

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111095256A (en) * 2019-04-26 2020-05-01 阿里巴巴集团控股有限公司 Securely executing intelligent contract operations in a trusted execution environment
CN112948153A (en) * 2021-05-14 2021-06-11 支付宝(杭州)信息技术有限公司 Method and device for message cross-link transmission
CN114255031A (en) * 2020-09-23 2022-03-29 华为技术有限公司 System for executing cross block chain of transaction, cross chain transaction method and equipment
CN114679274A (en) * 2021-12-31 2022-06-28 支付宝(杭州)信息技术有限公司 Cross-subnet interactive permission control method and device, electronic equipment and storage medium
CN115134075A (en) * 2022-06-29 2022-09-30 蚂蚁区块链科技(上海)有限公司 Cross-subnet calling method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN115134075A (en) 2022-09-30

Similar Documents

Publication Publication Date Title
CN111541727B (en) Block chain all-in-one machine and automatic chain building method and device thereof
CN113259455B (en) Cross-subnet interaction method and device
CN111541724B (en) Block chain all-in-one machine and automatic node adding method and device thereof
US11451404B2 (en) Blockchain integrated stations and automatic node adding methods and apparatuses
CN113259460B (en) Cross-chain interaction method and device
CN113259456B (en) Cross-chain interaction method and device
WO2024001022A1 (en) Cross-subnet calling
CN113329030A (en) Block chain all-in-one machine, password acceleration card thereof, and key management method and device
WO2023124746A1 (en) Cross-subnet interaction permission control
WO2023124744A1 (en) Cross-subnet interaction
CN113067897B (en) Cross-chain interaction method and device
CN114363335B (en) Cross-chain interaction method and device
CN113923232A (en) Information synchronization method and device for block chain sub-network
WO2023050966A1 (en) Blockchain data verification
CN114374699B (en) Cross-chain interaction method and audit method of cross-chain interaction
CN113259461B (en) Cross-chain interaction method and block chain system
CN113259464B (en) Method for building block chain sub-network and block chain system
CN113259118B (en) Method for synchronizing node information lists
CN114095507B (en) Cross-chain interaction method and block chain system
WO2024001037A1 (en) Message transmission method and apparatus, electronic device and storage medium
CN113067903B (en) Method for building block chain sub-network and block chain system
CN114422520B (en) Cross-chain interaction method and device
CN116455900A (en) Cross-subnet interaction method and device and blockchain system
CN118975186A (en) System and method for exchanging private data between nodes in a blockchain network
CN118233075A (en) Multi-party computing method, participant node, blockchain node and system based on blockchain system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22949102

Country of ref document: EP

Kind code of ref document: A1