A method for generating and circulating a process control document

By generating and managing process control documents, the long-term operation and data security issues of electronic workflow systems are resolved, achieving improved data security without the need for real-time server involvement, and reducing process costs and complexity.

CN116245335B · Active · Publication Date: 2026-06-23 · HANGZHOU YIQIANBAO NETWORK TECH CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: HANGZHOU YIQIANBAO NETWORK TECH CO LTD
Filing Date: 2023-03-17
Publication Date: 2026-06-23

AI Technical Summary

Technical Problem

Existing electronic workflow systems require long-term uninterrupted operation and are exposed to the external network, making workflow data prone to leakage. Digital signatures are costly and complex.

Method used

By generating process control documents, roles are divided into initiator, processor, and terminator. Sensitive data is encrypted layer by layer, the process is managed by the document, real-time server involvement is avoided, and symmetric and asymmetric encryption algorithms are used to ensure data security.

Benefits of technology

It achieves the goal of eliminating the need for servers to run for extended periods, improving data security, and reducing process costs and complexity.

✦ Generated by Eureka AI based on patent content.


Abstract

The application relates to the technical field of electronic workflow processing, and discloses a generation and circulation method of a process control document, which comprises the following steps: building a group of electronic workflows; making electronic workflow data, wherein the electronic workflow data comprises non-sensitive data and sensitive data; generating an original version of a process control document; and circulating the process control document in a predetermined order until a person declares that the process is ended, so that the electronic workflow server does not need to participate in the whole process of the electronic workflow after the process control document is generated, the process control document can ensure that each processor processes in sequence by layer-by-layer encryption of sensitive information, the confidentiality of the sensitive information is greatly improved, and the cost and complexity of the process circulation are reduced.

Description

Technical Field

[0001] This application relates to the field of electronic workflow processing technology, and in particular to a method for generating and circulating workflow control documents.

Background Technology

[0002] In existing technologies, there are numerous applications of electronic workflows. For example, various electronic workflows can be set up in office automation (OA) systems, such as contract approval, seal approval, leave approval, fund approval, and so on, which greatly improves the digitalization level of governments, companies, or public institutions.

[0003] However, current eWorkflow applications are generally online applications, meaning that the servers providing eWorkflows must remain online at all times and respond to application requests immediately. This places high demands on servers, requiring them not only to maintain uninterrupted operation for extended periods, but also to withstand various security threats from the external network.

[0004] In addition, the process data in current electronic workflows is visible to all members involved in the process, which can easily lead to unrelated members receiving sensitive information that they do not need to see, resulting in a relatively low level of protection for sensitive information.

[0005] In addition, in some current electronic workflows, each step requires the processor of that step to digitally sign it. Digital signatures rely on a costly and complex system, such as external CA certificate systems and timestamp services, which increases the cost and complexity of completing the process.

Summary of the Invention

[0006] The purpose of this application is to overcome the shortcomings of the existing technology and provide a method for generating and circulating process control documents.

[0007] Firstly, a method for generating and circulating process control documents is provided, including:

[0008] A group is established for an electronic workflow, wherein the roles of the group are divided into initiator R0, processors R1-RN and terminator R(N+1);

[0009] Create electronic workflow data, which includes both non-sensitive and sensitive data;

[0010] Generate an original version of the flow control document, wherein the original version of the flow control document includes flow roles and content fields and hash fields corresponding to the flow roles, and the flow roles include processors R1-RN and terminators R(N+1);

[0011] The process control documents are circulated in a predetermined order until the terminator announces the end of the process.

[0012] Furthermore, the initiator provides all the data involved in this electronic workflow, and each level of processor has different viewing permissions for various sensitive data in the electronic workflow data, while the terminator has no viewing permission for any sensitive data.

[0013] Furthermore, the non-sensitive data is public to everyone in the group, while each piece of sensitive data is public to the processors in the group who have the corresponding viewing permissions, and the sensitive data is encrypted using a symmetric encryption algorithm.

[0014] Furthermore, the original version of the process control document is generated by the process controller (RC) based on the definition of the electronic workflow and the permissions of each role within the organization, and the original version of the process control document consists of a table.

[0015] Furthermore, generate the original version of the process control document, including:

[0016] Determine the content domain of processor R1-RN;

[0017] Determine the content domain of the terminator R(N+1);

[0018] Determine the hash fields of processor R1-RN and terminator R(N+1).

[0019] Furthermore, determining the content field of the processors R1-RN includes: determining the viewing permissions of the processors R1-RN for each piece of sensitive data; if a processor has viewing permission, the key of the sensitive data is encrypted using the public key corresponding to that flow role, and the encrypted value is assigned to the last row of that flow role's element area for the sensitive data; the encryption result is then encrypted successively using the public keys of the flow roles in reverse order, and the encrypted values are assigned to the rows of that element area in reverse order; if a processor has no viewing permission, the corresponding table element is empty.

[0020] Further, determining the content field of the terminator R(N+1) includes: determining that the viewable content of the terminator R(N+1) is a random number RAND; assigning RAND to the last row of the content field element area of that flow role, then encrypting RAND successively using the public keys of the flow roles in reverse order, and assigning the encrypted values to the rows of that element area in reverse order.

[0021] Furthermore, determining the hash fields of processors R1-RN and terminators R(N+1) includes: calculating the hash value of each row in the table and assigning it to the corresponding row in the hash field.

[0022] Furthermore, the workflow control documents are circulated in a predetermined order, including:

[0023] The initiator R0 sends the process control document to the processor R1 for processing;

[0024] Processor Rn sends the flow control document to R(n+1) for processing, where 1≤n≤N, and N refers to the total number of processors;

[0025] The terminator R(N+1) declares the process over, with the evidence of the process over being the disclosure of RAND.

[0026] Furthermore, the processor Rn sends a flow control document to R(n+1) for processing, including:

[0027] After receiving the nth version of the flow control document Fn, the processor Rn verifies the hash value. If the hash value verification fails, the flow terminates.

[0028] If the hash value verification passes, the electronic workflow data is decrypted and verified, and then processed.

[0029] Based on the process control document Fn and the processing results, generate a process control document F(n+1) and send the process control document F(n+1) to R(n+1) for processing.

[0030] This application has the following beneficial effects:

[0031] 1. In this application, the electronic workflow is managed by the workflow control document. After the workflow control document is generated, the electronic workflow server does not need to participate in the entire process of the electronic workflow. Moreover, the workflow control document can ensure that each processor processes in sequence by encrypting sensitive information layer by layer. Therefore, there is no need to provide a server that runs continuously for a long time and is exposed to the external network.

[0032] 2. In this application, the process data in the electronic workflow is protected with differentiated sensitive information based on the role definition of each processor, which greatly improves the confidentiality level of sensitive information;

[0033] 3. In this application, the completion of each step of the electronic workflow does not require the processor of that step to digitally sign it. The processor only needs to issue a new version of the workflow control document to prove the completion of the step, which reduces the cost and complexity of the workflow.

Attached Figure Description

[0034] The accompanying drawings, which form part of this application, are used to provide a further understanding of this application. The illustrative embodiments of this application and their descriptions are used to explain this application and do not constitute an undue limitation of this application.

[0035] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0036] Figure 1 is a flowchart illustrating the generation and circulation method of the process control document in this application;

[0037] Figure 2 is a multi-party relationship diagram of the generation and circulation method of the process control document in this application.

Detailed Implementation

[0038] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0039] Example 1

[0040] Embodiment 1 of this application relates to a method for generating and circulating process control documents. As shown in Figures 1-2, the process includes: establishing a group for an electronic workflow, wherein the roles within the group are divided into initiator R0, processors R1-RN, and terminator R(N+1); creating electronic workflow data, wherein the electronic workflow data includes non-sensitive data and sensitive data; generating an original version of the workflow control document, wherein the original version of the workflow control document includes flow roles and corresponding content fields and hash fields, the flow roles including processors R1-RN and terminator R(N+1); circulating the workflow control document in a predetermined order until the terminator announces the end of the workflow. In this application, the electronic workflow is managed by the workflow control document. Once the document is generated, the electronic workflow server no longer needs to participate in the entire electronic workflow process. Furthermore, the workflow control document ensures that each processor processes information sequentially by encrypting sensitive information layer by layer, thus eliminating the need for a server that runs continuously for extended periods and is exposed to the external network. The workflow data in the electronic workflow is protected with differentiated sensitive information based on the role definition of each processor, greatly improving the confidentiality level of sensitive information. The completion of each step in the electronic workflow does not require the processor of that step to digitally sign it; the processor only needs to issue a new version of the workflow control document to prove the completion of that step, thereby reducing the cost and complexity of workflow processing.

[0041] Specifically, the flowchart of the process control document generation and circulation method in Embodiment 1 includes:

[0042] S101. Establish a group for electronic workflow, wherein the roles of the group are divided into initiator R0, processors R1-RN and terminator R(N+1);

[0043] Specifically, the process controller (RC) is a global role responsible for generating process control documents and does not belong to any particular electronic workflow group.

[0044] The RC is typically a server within an organization responsible for electronic workflows. It includes functions such as electronic workflow management, role management, sensitive information protection, and key distribution. Based on the definition of a specific electronic workflow, it forms a group corresponding to that electronic workflow.

[0045] For example, the company's contract approval process is defined by the company, initiated by the contract applicant, approved by various levels of handlers, and finally announced by the terminator.

[0046] Group roles are divided into initiator, processor and terminator. The initiator is R0, the processors at each level are R1-RN (i.e., there are N processors in total), and the terminator is R(N+1). All the above roles form a group.

[0047] The initiator is responsible for providing all the data involved in this electronic workflow. Processors at each level have different viewing permissions for various sensitive data in the contract, while the terminator has no viewing permission for any sensitive data.

[0048] It should be noted that there are multiple ways to organize groups. For example, one way to organize a group is as an instant messaging group, where group roles can post instant messages within the group to inform other group roles of the progress of the process.

[0049] Another way to organize groups is through cloud storage. Group roles can publish file-based messages on cloud storage to inform other group roles of the process progress.

[0050] Another way to organize groups is through blockchain, where group members can publish messages in the form of blocks on the blockchain to inform other group members of the progress of the process.

[0051] Group role list RL = {Rn, n∈[0,N+1]};

[0052] In addition, the RC does not have to be a server that runs continuously for a long time and is exposed to the external network. The RC assigns a pair of asymmetric keys for encryption and decryption to each of R1-RN, and R0 has a pair of asymmetric keys for signing.

[0053] S102. Create electronic workflow data, which includes non-sensitive data and sensitive data;

[0054] Specifically, the initiator prepares the electronic workflow data, which includes non-sensitive data and sensitive data, among which the sensitive data needs to be kept confidential.

[0055] Suppose that the electronic workflow involves non-sensitive data P0 and sensitive data P1-PM (i.e., a total of M sensitive data). The non-sensitive data is public to everyone in the group, and each sensitive data is public to some processors in the group. In addition, each data can be an independent file, or all data can be merged into one or more files.

[0056] R0 sends the process data to RC. RC is responsible for generating the sensitive data ciphertexts C1-CM (i.e., a total of M sensitive data ciphertexts) by symmetric encryption using keys, according to the definition of the electronic workflow and the permissions of each role in the organization. For example, Cm = SE(Pm, Km), where SE is the symmetric encryption algorithm and Km is the symmetric encryption key. RC then sends C1-CM to R0.

[0057] For example, when M=4,

[0058] Sensitive data ciphertext 1: C1 = SE(P1, K1);

[0059] Sensitive data ciphertext 2: C2 = SE(P2, K2);

[0060] Sensitive data ciphertext 3: C3 = SE(P3, K3);

[0061] Sensitive data ciphertext 4: C4 = SE(P4, K4).

[0062] S103. Generate the original version of the flow control document, wherein the original version of the flow control document includes flow roles and content fields and hash fields corresponding to the flow roles. The flow roles include processors R1-RN and terminators R(N+1).

[0063] Specifically, the original version of the process control document F0 is generated by RC. F0 consists of a table, which is divided into a content domain and a hash domain. The content domain is further divided into M parts according to the number of sensitive data items, which are, in order, the content domains of P1-PM; the table contains N+1 roles, namely R1-R(N+1); the nth role corresponds to n role entries (i.e., n rows); the content domains of R1-RN are each divided into M parts. For Rn (1≤n≤N), the table elements in its i-th row (1≤i≤n) are Cmn-i, indicating that the element belongs to the content visible to the nth role Rn for the mth sensitive data item (1≤m≤M) and is located in the i-th row of all table elements of Rn; the content domain of R(N+1) has 1 part, whose elements are named C(N+1)-i (1≤i≤N+1), indicating that the element belongs to the content visible to the (N+1)th role R(N+1) and is located in the i-th row of all table elements of R(N+1).

[0064] Among them, the generation steps of the original version of the process control document F0 are as follows:

[0065] S301. Determine the content domains of the processors R1 - RN:

[0066] Specifically, determine the viewing permissions of the processors R1-RN for each piece of sensitive data; if a role has viewing permission, encrypt the key of this sensitive data with the public key corresponding to this role and assign the encrypted value to the last row of this role's element area for this sensitive data, then encrypt the encryption result successively with the public keys of the roles in reverse order and assign the encrypted values to the rows of that element area in reverse order. For example, for Cmn-i (1≤i≤n), the area composed of these elements is divided into n rows, and this area is the element area Cmn of the role Rn for the sensitive data Pm. When i=n, calculate Cmn-n=E(Km,PKn) and assign it to the last row of Cmn, that is, the nth row. When i<n, calculate Cmn-i=E(Cmn-(i+1),PKi) and assign it to the i-th row of Cmn; if there is no viewing permission, the corresponding table element is empty (i.e., null).

[0067] It should be noted that E is an asymmetric encryption algorithm, PKi is the public key in the asymmetric key, and its encryption result can be decrypted by the private key SKi corresponding to PKi. PKi / SKi is the unique asymmetric key pair of the role Ri.

[0068] S302. Determine the content domain of the terminator R(N+1):

[0069] Specifically, the visible content of the terminator R(N+1) is determined to be the random number RAND; RAND is assigned to the last row of the content domain element area of this role (i.e., the terminator), and RAND is then encrypted successively with the public keys of the roles in reverse order, the encrypted values being assigned to the rows of that element area in reverse order. For example, for C(N+1)-i (1≤i≤N+1), the area composed of these elements is divided into (N+1) rows, and this area is the content domain element area C(N+1) of the role R(N+1). When i=N+1, C(N+1)-(N+1)=RAND is assigned to the last row of C(N+1), that is, the (N+1)-th row. When i<N+1, C(N+1)-i=E(C(N+1)-(i+1),PKi) is calculated and assigned to the i-th row of C(N+1).

[0070] S303. Determine the hash domain of R1-R(N+1):

[0071] Specifically, the hash value of each row in the table is calculated and assigned to the corresponding row in the hash domain. For the i-th row of Rn (1≤n≤N), the hash objects of the row are RL and Cmn-i (1≤m≤M); the hash objects are concatenated into the data stream Dn-i, and the hash domain value of the row is calculated as Hn-i=H(Dn-i), where H is the hash algorithm. For the i-th row of R(N+1), the hash objects of the row are RL and C(N+1)-i; they are concatenated into the data stream D(N+1)-i, and the hash domain value of the row is calculated as H(N+1)-i=H(D(N+1)-i).

[0072] For example, when M=4 and N=4, the original version of the process control document F0 is shown in Table 1.

[0073] Table 1: Original version of the process control document F0

[0074]

[0075]

[0076] S104. Circulate the process control document in a predetermined order until the terminator announces the end of the process.

[0077] Among them, transferring the process control document in a predetermined order includes the following steps:

[0078] S401. The initiator R0 sends the process control document to the processor R1 for processing;

[0079] Specifically, for each role's content field in F0, where each role refers to role R0-role R(N+1), RC deletes all content except for the first line, forming the first version of the flow control document F1, and sends F1 to R0; since the content fields in F1 are all elements that can only be decrypted by R1, and no other member, including R0, can decrypt them, F1 can only be processed by R1.

[0080] R0 signs the process data and F1 to obtain SIG: the values of all hash fields are concatenated to form the data stream DH; the process data and DH are concatenated to form the data stream D, the process data including P0 and the sensitive data ciphertexts C1-CM; R0 signs the data stream D as the signature object to obtain SIG;

[0081] R0 sends process data, F1, and SIG to R1.

[0082] S402. Processor Rn sends the flow control document to R(n+1) for processing, where 1≤n≤N, and N refers to the total number of processors. It should be noted that the total number of processors N is a constant, while n is a variable.

[0083] The processor Rn sends a flow control document to R(n+1) for processing, including the following steps:

[0084] S4021, Processor Rn verifies the nth version of the flow control document Fn;

[0085] Specifically, calculate the hash value of the concatenated hash objects for each row in the flow control document Fn whose content fields are not empty. The calculation method is the same as in step S303. Rows with empty content fields do not need to have their hash values calculated. Compare the calculated hash value with the corresponding row in the hash field. If they are equal, the hash value verification passes. Otherwise, the hash value verification fails, Rn fails the verification of Fn, and the process terminates.

[0086] The values of all hash fields are concatenated to form the data stream DH; the process data and DH are concatenated to form the data stream D; Rn uses the data stream D as the signature object to verify the signature SIG. If the signature verification is successful, Rn verifies Fn successfully; otherwise, Rn fails to verify Fn, and the process terminates.

[0087] S4022, Processor Rn decrypts and verifies the process data;

[0088] Specifically, for the content field of Rj (n≤j≤N), Rn extracts the element Cmj-n=E(Pmj-n,PKn) from the nth row of the content field, and decrypts the non-empty elements using its own private key SKn to obtain the plaintext Pmj-n of the content field element; when j=n, Pmj-n=Km; when j>n, Pmj-n=Cmj-(n+1); Rn uses the decrypted Km to decrypt Cm=SE(Pm,Km) to obtain the plaintext Pm, which is the sensitive data that Rn can view; Rn processes Pm according to the requirements of the electronic workflow, such as: reviewing it;

[0089] For the content field of R(N+1), Rn takes out the element C(N+1)-n=E(C(N+1)-(n+1),PKn) from the nth row of the content field, and uses its own private key SKn to decrypt the non-empty elements to obtain the plaintext C(N+1)-(n+1) of the content field element.

[0090] S4023, Processor Rn generates the (n+1)th version of the flow control document F(n+1);

[0091] Specifically, the processor Rn generates F(n+1) based on Fn: it assigns the hash field from Fn to F(n+1); for the content field of Rj (n≤j≤N), it assigns Cmj-(n+1), obtained from decryption in step S4022, to its corresponding position, i.e., the next row after Cmj-n. If Cmj-n is empty, then Cmj-(n+1) is also assigned an empty value; for the content field of R(N+1), it assigns C(N+1)-(n+1), obtained from decryption in step S4022, to its corresponding position, which is the next row after C(N+1)-n; when 1≤n≤N-1, since the content fields of F(n+1) are all elements that can only be decrypted by R(n+1), and no other member, including R0, can decrypt them, F(n+1) can only be processed by R(n+1); when n=N, the content field elements of F(n+1), i.e. F(N+1), are C(N+1)-(n+1)=RAND, which any member can read, so any member can take on the role of R(N+1);

[0092] In this process, the processor Rn sends the process data, F(n+1), and SIG to the next role R(n+1).

[0093] S403, The terminator R(N+1) declares the process over, where the evidence of the process over is that RAND is made public;

[0094] Specifically, the terminator R(N+1) verifies F(N+1) in the same way as step S4021, and will not be repeated here.

[0095] Once the verification is successful, R(N+1) declares the process over; the proof that the process is over is that RAND is made public, because if the process is not over, RAND will still be encrypted and no member will be able to provide RAND.

[0096] For example, when M=4 and N=4,

[0097] The version sent from R0 to R1 is F1, as shown in Table 2:

[0098] Table 2: Process Control Document F1

[0099]

[0100]

[0101] The version sent from R1 to R2 is F2, as shown in Table 3:

[0102] Table 3: Process Control Document F2

[0103]

[0104] The version sent by R2 to R3 is F3, as shown in Table 4:

[0105] Table 4: Process Control Document F3

[0106]

[0107]

[0108] The version sent from R3 to R4 is F4, as shown in Table 5:

[0109] Table 5: Process Control Document F4

[0110]

[0111] The version sent from R4 to R5 is F5, as shown in Table 6:

[0112] Table 6: Process Control Document F5

[0113]

[0114]
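The layered construction of S301-S303 and the hand-off of S401-S403, as an added Python example (not code from the patent). Assumptions: a toy ElGamal-style cipher stands in for the unspecified algorithm E and SHA-256 for H; the symmetric step SE and R0's signature SIG are omitted, so the hash domain is taken as authentic; each version F(n+1) keeps the earlier rows; the permission set and all keys are constructed.

```python
import hashlib
import secrets

# Toy ElGamal-style hybrid cipher standing in for the patent's unspecified
# asymmetric algorithm E (assumption). Unauthenticated; illustration only.
P, G = 2**255 - 19, 2

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def _stream(shared, n):
    seed = shared.to_bytes(32, "big")
    blocks = (hashlib.sha256(seed + c.to_bytes(4, "big")).digest()
              for c in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(data, pk):
    e = secrets.randbelow(P - 2) + 1
    pad = _stream(pow(pk, e, P), len(data))
    return pow(G, e, P).to_bytes(32, "big") + bytes(a ^ b for a, b in zip(data, pad))

def D(ct, sk):
    pad = _stream(pow(int.from_bytes(ct[:32], "big"), sk, P), len(ct) - 32)
    return bytes(a ^ b for a, b in zip(ct[32:], pad))

def row_hash(rl, cells):
    # S303: H over the role list RL spliced with the row's non-empty elements.
    return hashlib.sha256(rl + b"".join(c for c in cells if c is not None)).digest()

def build_f0(N, sym_keys, perms, pks, rand):
    """RC side, S301-S303. perms is a set of (m, n): role Rn may view Pm."""
    rl = ",".join(f"R{n}" for n in range(N + 2)).encode()
    content = {}
    for role in range(1, N + 2):
        if role == N + 1:
            last = [rand]                                  # C(N+1)-(N+1) = RAND
        else:
            last = [E(k, pks[role]) if (m, role) in perms else None
                    for m, k in enumerate(sym_keys, 1)]    # Cmn-n = E(Km, PKn)
        rows = {role: last}
        for i in range(role - 1, 0, -1):                   # Cmn-i = E(Cmn-(i+1), PKi)
            rows[i] = [None if c is None else E(c, pks[i]) for c in rows[i + 1]]
        content[role] = rows
    hashes = {(r, i): row_hash(rl, cells)
              for r, rows in content.items() for i, cells in rows.items()}
    return rl, content, hashes

def first_version(content):
    # S401: F1 keeps only the first row of every role's content field.
    return {r: {1: rows[1]} for r, rows in content.items()}

def process(n, sk, doc, rl, hashes):
    """Processor Rn: verify Fn (S4021), peel row n (S4022), emit F(n+1) (S4023)."""
    for r, rows in doc.items():
        for i, cells in rows.items():
            if any(c is not None for c in cells) and row_hash(rl, cells) != hashes[(r, i)]:
                raise ValueError(f"hash mismatch at role R{r}, row {i}")
    nxt = {r: dict(rows) for r, rows in doc.items()}
    my_keys = {}
    for r, rows in doc.items():
        if n not in rows:
            continue                     # nothing addressed to Rn in this field
        plain = [None if c is None else D(c, sk) for c in rows[n]]
        if r == n:                       # own field: the plaintext is Km
            my_keys = {m: k for m, k in enumerate(plain, 1) if k is not None}
        else:                            # later role: the plaintext is row n+1
            nxt[r][n + 1] = plain
    return my_keys, nxt

def run_flow(N=4, M=4):
    pairs = {n: keygen() for n in range(1, N + 1)}
    pks = {n: pk for n, (_, pk) in pairs.items()}
    sym_keys = [secrets.token_bytes(16) for _ in range(M)]
    perms = {(1, 1), (2, 1), (2, 3), (3, 2), (4, 4)}       # constructed permissions
    rand = secrets.token_bytes(16)
    rl, content, hashes = build_f0(N, sym_keys, perms, pks, rand)
    doc, seen = first_version(content), {}
    for n in range(1, N + 1):
        seen[n], doc = process(n, pairs[n][0], doc, rl, hashes)
    disclosed = doc[N + 1][N + 1][0]
    ok = row_hash(rl, [disclosed]) == hashes[(N + 1, N + 1)]  # anyone can check RAND
    return sym_keys, perms, seen, rand, disclosed, ok
```

Because every peeled row is byte-identical to the row RC hashed in F0, a processor that alters a row or skips a step produces a version that the next verifier rejects; the toy cipher itself provides no integrity, so that check rests entirely on the hash domain being authentic.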

[0115] Example 2

[0116] The method for generating and circulating process control documents according to Embodiment 2 of this application includes:

[0117] S101. Establish a group for electronic workflow, wherein the roles of the group are divided into initiator R0, processors R1-RN and terminator R(N+1);

[0118] Specifically, the process controller (RC) is a global role responsible for generating process control documents and does not belong to any particular electronic workflow group.

[0119] The RC is typically a server within an organization responsible for electronic workflows. It includes functions such as electronic workflow management, role management, sensitive information protection, and key distribution. Based on the definition of a specific electronic workflow, it forms a group corresponding to that electronic workflow.

[0120] For example, the company's contract approval process is defined by the company, initiated by the contract applicant, approved by various levels of handlers, and finally announced by the terminator.

[0121] Group roles are divided into initiator, processor and terminator. The initiator is R0, the processors at each level are R1-RN (i.e., there are N processors in total), and the terminator is R(N+1). All the above roles form a group.

[0122] The initiator is responsible for providing all the data involved in this electronic workflow. Processors at each level have different viewing permissions for various sensitive data in the contract, while the terminator has no viewing permission for any sensitive data.

[0123] It should be noted that there are multiple ways to organize groups. For example, one way to organize a group is as an instant messaging group, where group roles can post instant messages within the group to inform other group roles of the progress of the process.

[0124] Another way to organize groups is through cloud storage. Group roles can publish file-based messages on cloud storage to inform other group roles of the process progress.

[0125] Another way to organize groups is through blockchain, where group members can publish messages in the form of blocks on the blockchain to inform other group members of the progress of the process.

[0126] Group role list RL = {Rn, n∈[0,N+1]};

[0127] In addition, the RC does not have to be a server that runs continuously for a long time and is exposed to the external network. The RC assigns a pair of asymmetric keys for encryption and decryption to each of R1-RN, and R0 has a pair of asymmetric keys for signing.

[0128] S102. Create electronic workflow data, which includes non-sensitive data and sensitive data;

[0129] Specifically, the initiator prepares the electronic workflow data, which includes non-sensitive data and sensitive data, among which the sensitive data needs to be kept confidential.

[0130] Suppose that the electronic workflow involves non-sensitive data P0 and sensitive data P1-PM (i.e., a total of M sensitive data). The non-sensitive data is public to everyone in the group, and each sensitive data is public to some processors in the group. In addition, each data can be an independent file, or all data can be merged into one or more files.

[0131] R0 sends the process data to RC. RC is responsible for generating the sensitive data ciphertexts C1-CM (i.e., a total of M sensitive data ciphertexts) by symmetric encryption using keys, according to the definition of the electronic workflow and the permissions of each role in the organization. For example, Cm = SE(Pm, Km), where SE is the symmetric encryption algorithm and Km is the symmetric encryption key. RC then sends C1-CM to R0.

[0132] For example, when M=4,

[0133] Sensitive data ciphertext 1: C1 = SE(P1, K1);

[0134] Sensitive data ciphertext 2: C2 = SE(P2, K2);

[0135] Sensitive data ciphertext 3: C3 = SE(P3, K3);

[0136] Sensitive data ciphertext 4: C4 = SE(P4, K4).

[0137] S103. Generate the original version of the flow control document, wherein the original version of the flow control document includes flow roles and content fields and hash fields corresponding to the flow roles. The flow roles include processors R1-RN and terminators R(N+1).

[0138] Specifically, the original version of the process control document F0 is generated by RC. F0 consists of a table, which is divided into a content domain and a hash domain. The content domain is further divided into M parts according to the number of sensitive data items, which are, in order, the content domains of P1-PM; the table contains N+1 roles, namely R1-R(N+1); the nth role corresponds to n role entries (i.e., n rows); the content domains of R1-RN are each divided into M parts. For Rn (1≤n≤N), the table element in its i-th row (1≤i≤n) is Cmn-i, indicating that the element belongs to the content visible to the nth role Rn for the mth sensitive data item (1≤m≤M) and is located in the i-th row of all table elements of Rn; the content domain of R(N+1) has 1 part, whose elements are named C(N+1)-i (1≤i≤N+1), indicating that the element belongs to the content visible to the (N+1)th role R(N+1) and is located in the i-th row of all table elements of R(N+1).

[0139] Among them, the generation steps of the process control document F0 in the original version are as follows:

[0140] S301. Determine the content domains of handlers R1 - RN:

[0141] Specifically, determine the viewing permissions of handlers R1 - RN for each sensitive data; if there is a viewing permission, encrypt the secret key of this sensitive data using the public key corresponding to this role, assign the encrypted value to the last row of the element area of this role regarding this sensitive data, and then encrypt the encryption result successively using the public keys of each role in reverse order, and assign the encrypted values to the element area of this role regarding this sensitive data in reverse order of the rows assigned. For example, for Cmn - i (1 ≤ i ≤ n), the area composed of these elements is divided into n rows, and this area is the element area Cmn of role Rn regarding sensitive data Pm. When i = n, calculate Cmn - n = E(Km, PKn) and assign it to the last row of Cmn, that is, the nth row. When i < n, calculate Cmn - i = E(Cmn - (i + 1), PKi) and assign them to the i-th row of Cmn respectively; if there is no viewing permission, the corresponding table element is empty (i.e., null).

[0142] It should be noted that E is an asymmetric encryption algorithm, PKi is the public key in the asymmetric key, and its encryption result can be decrypted by the private key SKi corresponding to PKi. PKi / SKi is the unique asymmetric key pair of role Ri.

[0143] S302. Determine the content domain of the ender R(N + 1):

[0144] Specifically, the visible content of the ender R(N + 1) is determined to be the random number RAND; RAND is assigned to the last line of the content domain element area of this role (i.e., the ender), and then RAND is successively encrypted with the public keys of each role in reverse order. The order of the public keys used is in reverse order, and the encrypted values are respectively assigned to the content domain element area of this role, and the order of the lines for assignment is in reverse order. Exemplarily, for C(N + 1)-i (1 ≤ i ≤ N + 1), the area composed of these elements is divided into (N + 1) lines, and this area is the content domain element area C(N + 1) of the role R(N + 1). When i = N + 1, C(N + 1)-(N + 1) = RAND is assigned to the last line of C(N + 1), that is, the (N + 1)-th line. When i < N + 1, calculate C(N + 1)-i = E(C(N + 1)-(i + 1), PKi) and assign it to the i-th line of C(N + 1) respectively.

[0145] S303. Determine the hash domain of R1 - R(N + 1):

[0146] Specifically, calculate the hash value of each line in the table and assign it to the corresponding line in the hash domain; for example, for the i-th line of Rn (1 ≤ n ≤ N), the hash object of this line is RL and Cmn - i (1 ≤ m ≤ M). After splicing the hash objects, it becomes the data stream Dn - i, and calculate the value of the hash domain of this line Hn - i = H(Dn - i), where H is the hash algorithm; for example, for the i-th line of R(N + 1), the hash object of this line is RL and C(N + 1)-i. After splicing the hash objects, it becomes the data stream D(N + 1)-i, and calculate the value of the hash domain of this line H(N + 1)-i = H(D(N + 1)-i);

[0147] Exemplarily, when M = 4, N = 4, the original version of the process control document F0 is shown in Table 7.

[0148] Table 7: The original version of the process control document F0

[0149]

[0150] S104. Transfer the process control document in a predetermined order until the ender announces the end of the process.

[0151] Among them, transferring the process control document in a predetermined order includes the following steps:

[0152] S401. The initiator R0 sends the process control document to the processor R1 for processing;

[0153] Specifically, for each role in F0 (i.e., R0-R(N+1)), RC deletes all content except for the first line, forming the first version of the flow control document F1, and sends F1 to R0; since the content fields in F1 are all elements that can only be decrypted by R1, and no other member, including R0, can decrypt them, F1 can only be processed by R1.

[0154] R0 signs the process data and F1 to obtain SIG: the values of all hash fields are concatenated to form data stream DH; the process data and DH are concatenated to form data stream D, the process data including P0 and the sensitive data ciphertexts C1-CM; R0 signs data stream D as the signature object to obtain SIG;

[0155] R0 sends process data, F1, and SIG to R1.

[0156] S402. Processor Rn sends the flow control document to R(n+1) for processing, where 1≤n≤N, and N refers to the total number of processors. It should be noted that the total number of processors N is a constant, while n is a variable.

[0157] The processor Rn sends a flow control document to R(n+1) for processing, including the following steps:

[0158] S4021, Processor Rn verifies the nth version of the flow control document Fn;

[0159] Specifically, calculate the hash value of the concatenated hash object of the rows in the flow control document Fn whose content fields are not empty. The calculation method is the same as step S303. Rows with empty content fields do not need to have their hash values calculated. Compare the calculated hash value with the corresponding row in the hash field. If they are equal, the hash value verification passes. Otherwise, the hash value verification fails, causing Rn to fail the verification of Fn and the process to terminate.

[0160] The values of all hash fields are concatenated to form the data stream DH; the process data and DH are concatenated to form the data stream D; Rn uses the data stream D as the signature object to verify the signature of SIG. If the signature verification is successful, Rn verifies Fn successfully; otherwise, Rn fails to verify Fn, and the process terminates.

[0161] S4022, Processor Rn decrypts and verifies the process data;

[0162] Specifically, for the content field of Rj (n≤j≤N), Rn extracts the element Cmj-n=E(Pmj-n,PKn) from the nth row of the content field, and decrypts the non-empty elements using its own private key SKn to obtain the plaintext Pmj-n of the content field element; when j=n, Pmj-n=Km; when j>n, Pmj-n=Cmj-(n+1); Rn uses the decrypted Km to decrypt Cm=SE(Pm,Km) to obtain the plaintext Pm, which is the sensitive data that Rn can view; Rn processes Pm according to the requirements of the electronic workflow, such as: reviewing it;

[0163] For the content field of R(N+1), Rn takes out the element C(N+1)-n=E(C(N+1)-(n+1),PKn) from the nth row of the content field, and uses its own private key SKn to decrypt the non-empty elements to obtain the plaintext C(N+1)-(n+1) of the content field element.

[0164] S4023, Processor Rn generates the (n+1)th version of the flow control document F(n+1);

[0165] Rn generates F(n+1) based on Fn: the hash field in Fn is assigned to F(n+1); for the content field of Rj (n≤j≤N), Cmj-(n+1) obtained from decryption in step S4022 is assigned to its corresponding position, that is, the next line after Cmj-n. If Cmj-n is empty, then Cmj-(n+1) is also assigned to be empty; for the content field of R(N+1), C(N+1)-(n+1) obtained from decryption in step S4022 is assigned to its corresponding position, that is, the next line after C(N+1)-n; when 1≤n≤N-1, since the content fields of F(n+1) are all elements that can only be decrypted by R(n+1), and no other member, including R0, can decrypt them, F(n+1) can only be processed by R(n+1); when n=N, the content field element of F(n+1), i.e. F(N+1), is C(N+1)-(n+1)=RAND, which any member can read, so any member can take on the role of R(N+1);

[0166] In this process, Rn sends the process data, F(n+1), and SIG to R(n+1).

[0167] S403, The terminator R(N+1) declares the process over, where the evidence of the process over is that RAND is made public;

[0168] Specifically, the terminator R(N+1) verifies F(N+1) in the same way as step S4021, and will not be repeated here.

[0169] Once the verification is successful, R(N+1) declares the process over; the proof that the process is over is that RAND is made public, because if the process is not over, RAND will still be encrypted and no member will be able to provide RAND.
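The layering of S301-S303 and the verify-and-peel loop of S4021-S4023, as an added example that is not part of the patent text: it builds F0 for N = 3 processors and M = 2 sensitive items with constructed permissions, circulates F1 through R1-R3 and lets the terminator check F4. Toy textbook RSA over Mersenne-prime moduli stands in for E, SE and SIG are left out, and all function names are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Toy textbook RSA over Mersenne primes (constructed, insecure, illustration only).
# Moduli shrink from R1 to R3 so every inner ciphertext fits under the next outer key.
PRIME_EXPS = {1: (107, 127), 2: (89, 107), 3: (61, 89)}

def keypair(role):
    a, b = PRIME_EXPS[role]
    p, q = 2**a - 1, 2**b - 1
    phi, e = (p - 1) * (q - 1), 65537
    while gcd(e, phi) != 1:
        e += 2
    return (p * q, e), (p * q, pow(e, -1, phi))  # (PKi, SKi)

def E(x, pk):
    n, e = pk
    if not 0 <= x < n:
        raise ValueError("layer does not fit under this modulus")
    return pow(x, e, n)

def D(c, sk):
    n, d = sk
    return pow(c, d, n)

def row_hash(rl, elems):
    # S303: hash object is RL followed by the row's elements (empty string for null).
    parts = [",".join(rl)] + ["" if x is None else format(x, "x") for x in elems]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def onion(secret, last, pks):
    # Rows 1..last: row `last` is E(secret, PK_last), row i is E(row i+1, PKi).
    rows = [E(secret, pks[last])]
    for i in range(last - 1, 0, -1):
        rows.insert(0, E(rows[0], pks[i]))
    return rows

def build_f0(N, sym_keys, perms, pks, rand, rl):
    content = {}  # (role j, row i) -> list of elements
    for j in range(1, N + 1):  # S301: one column per sensitive item, null if no permission
        cols = [onion(k, j, pks) if j in perms[m] else [None] * j
                for m, k in enumerate(sym_keys)]
        for i in range(1, j + 1):
            content[(j, i)] = [col[i - 1] for col in cols]
    term = onion(rand, N, pks) + [rand]  # S302: row N+1 is RAND itself
    for i in range(1, N + 2):
        content[(N + 1, i)] = [term[i - 1]]
    hashes = {key: row_hash(rl, row) for key, row in content.items()}
    return content, hashes

def first_version(content, hashes):
    # S401: keep only row 1 of every role, plus the complete hash domain.
    rows = {key: row for key, row in content.items() if key[1] == 1}
    return {"rows": rows, "hashes": dict(hashes)}

def verify(doc, rl):
    # S4021: every non-empty row must match its entry in the hash domain.
    for key, row in doc["rows"].items():
        if any(x is not None for x in row) and row_hash(rl, row) != doc["hashes"][key]:
            raise ValueError(f"hash mismatch in row {key}")

def process(n, doc, sk, N, rl):
    # S4021-S4023 for Rn: returns the Km values Rn recovers and F(n+1).
    verify(doc, rl)
    rows, my_keys = dict(doc["rows"]), {}
    for j in range(n, N + 2):
        peeled = [None if c is None else D(c, sk) for c in doc["rows"][(j, n)]]
        if j == n:
            my_keys = {m: k for m, k in enumerate(peeled) if k is not None}
        else:
            rows[(j, n + 1)] = peeled
    return my_keys, {"rows": rows, "hashes": doc["hashes"]}

def demo():
    N, rl = 3, ["R0", "R1", "R2", "R3", "R4"]
    keys = {r: keypair(r) for r in range(1, N + 1)}
    pks = {r: pair[0] for r, pair in keys.items()}
    sym_keys = [secrets.randbits(128), secrets.randbits(128)]  # K1, K2
    perms = [{1, 3}, {2}]  # constructed: P1 visible to R1 and R3, P2 to R2
    rand = secrets.randbits(128)
    content, hashes = build_f0(N, sym_keys, perms, pks, rand, rl)
    doc, seen = first_version(content, hashes), {}
    for n in range(1, N + 1):
        seen[n], doc = process(n, doc, keys[n][1], N, rl)
    verify(doc, rl)  # S403: the terminator checks F(N+1); its last row is RAND
    return {"sym_keys": sym_keys, "rand": rand, "f0": content, "final": doc,
            "seen": seen, "keys": keys, "rl": rl}

if __name__ == "__main__":
    out = demo()
    print("keys recovered per role:", {n: sorted(k) for n, k in out["seen"].items()})
    print("RAND public at the end:", out["final"]["rows"][(4, 4)] == [out["rand"]])
```

With raw RSA each layer must be numerically smaller than the next modulus, which is why the toy moduli are ordered from R1 down to R3; nested public-key layers in a real deployment need a padded or hybrid scheme and grow with every layer. The hash check at the start of `process` is also what lets R(n+1) detect a row that Rn peeled incorrectly or altered.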

[0170] For example, when M=4 and N=4,

[0171] The version R0 sends to R1 is F1, as shown in Table 8:

[0172] Table 8: Process Control Document F1

[0173]

[0174]

[0175] The version sent from R1 to R2 is F2, as shown in Table 9:

[0176] Table 9: Process Control Document F2

[0177]

[0178] The version sent from R2 to R3 is F3, as shown in Table 10:

[0179] Table 10: Process Control Document F3

[0180]

[0181]

[0182] The version sent from R3 to R4 is F4, as shown in Table 11:

[0183] Table 11: Process Control Document F4

[0184]

[0185] The version sent from R4 to R5 is F5, as shown in Table 12:

[0186] Table 12: Process Control Document F5

[0187]

[0188]

[0189] Example 3

[0190] The method for generating and circulating a workflow control document according to Embodiment 3 of this application includes: establishing a group of electronic workflows, wherein the roles of the group are divided into initiator R0, processors R1-RN, and terminator R(N+1); creating electronic workflow data, wherein the electronic workflow data includes non-sensitive data and sensitive data; generating an original version of the workflow control document, wherein the original version of the workflow control document includes circulation roles and content fields and hash fields corresponding to the circulation roles, the circulation roles including processors R1-RN and terminator R(N+1); circulating the workflow control document in a predetermined order until the terminator announces the end of the workflow. In this application, the electronic workflow consists of a process... The electronic workflow server, managed by the control document, does not need to participate in the entire electronic workflow process after the control document is generated. Furthermore, the control document ensures that each processor processes information sequentially by encrypting sensitive information layer by layer, thus eliminating the need for a server that operates continuously for extended periods and is exposed to the external network. The workflow data in the electronic workflow is protected with differentiated sensitive information based on each processor's role definition, greatly improving the confidentiality level of sensitive information. The completion of each step in the electronic workflow does not require digital signatures from the processor of that step; the processor only needs to issue a new version of the control document to prove the completion of that step, thereby reducing the cost and complexity of workflow processing.

[0191] Specifically, Figure 1 shows a flowchart of the method for generating and circulating process control documents in Embodiment 1 of the application, including:

[0192] S101. Establish a group for electronic workflow, wherein the roles of the group are divided into initiator R0, processors R1-RN and terminator R(N+1);

[0193] Specifically, the process controller (RC) is a global role responsible for generating process control documents and does not belong to any particular electronic workflow group.

[0194] The process controller (RC) is typically a server within an organization responsible for electronic workflows. It includes functions such as electronic workflow management, role management, sensitive information protection, and key distribution. Based on the definition of a specific electronic workflow, it forms a group corresponding to that electronic workflow.

[0195] For example, the company's contract approval process is defined by the company, initiated by the contract applicant, approved by various levels of handlers, and finally announced by the terminator.

[0196] Group roles are divided into initiator, processor and terminator. The initiator is R0, the processors at each level are R1-RN (i.e., there are N processors in total), and the terminator is R(N+1). All the above roles form a group.

[0197] The initiator is responsible for providing all the data involved in this electronic workflow. Processors at each level have different viewing permissions for various sensitive data in the contract, while the terminator has no viewing permission for any sensitive data.

[0198] It should be noted that there are multiple ways to organize groups. For example, one way to organize a group is as an instant messaging group, where group roles can post instant messages within the group to inform other group roles of the progress of the process.

[0199] Another way to organize groups is through cloud storage. Group roles can publish file-based messages on cloud storage to inform other group roles of the process progress.

[0200] Another way to organize groups is through blockchain, where group members can publish messages in the form of blocks on the blockchain to inform other group members of the progress of the process.

[0201] Group role list RL = {Rn, n∈[0,N+1]};

[0202] In addition, the RC does not have to be a server that runs continuously for a long time and is exposed to the external network. The RC assigns a pair of asymmetric keys for encryption and decryption to each of R1-RN, and R0 has a pair of asymmetric keys for signing.

[0203] S102. Create electronic workflow data, which includes non-sensitive data and sensitive data;

[0204] Specifically, the initiator prepares the electronic workflow data, which includes non-sensitive data and sensitive data, among which the sensitive data needs to be kept confidential.

[0205] Suppose that the electronic workflow involves non-sensitive data P0 and sensitive data P1-PM (i.e., a total of M sensitive data). The non-sensitive data is public to everyone in the group, and each sensitive data is public to some processors in the group. In addition, each data can be an independent file, or all data can be merged into one or more files.

[0206] R0 sends the process data to RC. RC is responsible for generating the sensitive data ciphertexts C1-CM (i.e., a total of M sensitive data ciphertexts) by symmetric encryption using keys according to the definition of the electronic workflow and the permissions of each role in the organization. For example, Cm = SE(Pm, Km), where SE is the symmetric encryption algorithm and Km is the symmetric encryption key. RC then sends C1-CM to R0.

[0207] For example, when M = 4,

[0208] Sensitive data ciphertext 1: C1 = SE(P1, K1);

[0209] Sensitive data ciphertext 2: C2 = SE(P2, K2);

[0210] Sensitive data ciphertext 3: C3 = SE(P3, K3);

[0211] Sensitive data ciphertext 4: C4 = SE(P4, K4).

[0212] S103. Generate the original version of the flow control document, wherein the original version of the flow control document includes flow roles and content fields and hash fields corresponding to the flow roles. The flow roles include processors R1-RN and terminators R(N+1).

[0213] Specifically, RC generates the original version of the flow control document F0. The original version of F0 consists of a table, divided into a content field and a hash field. The content field is further divided into m parts based on the number of sensitive data, ordered as P1-PM. The table contains N+1 roles, namely R1-R(N+1). The nth role corresponds to n role entries (i.e., n rows). The content fields of R1-RN are divided into m parts. For Rn (1≤n≤N), its i-th (1≤N≤N) hash field... The table elements in rows i≤n are Cmn-i, indicating that the table element belongs to the viewable content of the m-th (1≤m≤M) sensitive data of the nth role Rn, and the table element is located in the i-th row of all table elements of Rn; R(N+1) has 1 content field, named C(N+1)-i (1≤i≤N+1), indicating that the table element belongs to the viewable content of the (N+1)th role R(N+1), and the table element is located in the i-th row of all table elements of R(N+1);

[0214] The steps for generating the original version of the process control document F0 are as follows:

[0215] S301. Determine the content domain of processor R1-RN:

[0216] Specifically, determine the viewing permissions of processors R1 - RN for each sensitive data; if there is a viewing permission, encrypt the key of the sensitive data using the public key corresponding to the role, assign the encrypted value to the last line of the element area of the role regarding the sensitive data, and then encrypt the encryption result successively using the public keys of each role in reverse order. The order of the public keys used is in reverse order, and the encrypted values are respectively assigned to the element area of the role regarding the sensitive data. The order of the lines for assignment is in reverse order. For example, for Cmn - i (1 ≤ i ≤ n), the area composed of these elements is divided into n lines, and this area is the element area Cmn of role Rn regarding sensitive data Pm. When i = n, calculate Cmn - n = E(Km, PKn) and assign it to the last line of Cmn, that is, the nth line. When i < n, calculate Cmn - i = E(Cmn - (i + 1), PKi) and assign it to the ith line of Cmn respectively; if there is no viewing permission, the corresponding table element is empty (i.e., null).

[0217] It should be noted that E is an asymmetric encryption algorithm, PKi is the public key in the asymmetric key, and its encryption result can be decrypted by the private key SKi corresponding to PKi. PKi / SKi is the unique asymmetric key pair of role Ri.

[0218] S302. Determine the content area of the terminator R(N + 1):

[0219] Specifically, determine that the content viewable by the terminator R(N + 1) is the random number RAND; assign RAND to the last line of the element area of the role (i.e., the terminator), and then encrypt RAND successively using the public keys of each role in reverse order. The order of the public keys used is in reverse order, and the encrypted values are respectively assigned to the element area of the role. The order of the lines for assignment is in reverse order. Exemplarily, for C(N + 1) - i (1 ≤ i ≤ N + 1), the area composed of these elements is divided into (N + 1) lines, and this area is the element area C(N + 1) of role R(N + 1). When i = N + 1, assign C(N + 1) - (N + 1) = RAND to the last line of C(N + 1), that is, the (N + 1)th line. When i < N + 1, calculate C(N + 1) - i = E(C(N + 1) - (i + 1), PKi) and assign it to the ith line of C(N + 1) respectively.

[0220] S303. Determine the hash area of R1 - R(N + 1):

[0221] Specifically, calculate the hash value of each row in the table and assign it to the corresponding row in the hash field. For example, for the i-th row of Rn (1≤n≤N), the hash objects of this row are RL and Cmn-i (1≤m≤M). After concatenating the hash objects, they become the data stream Dn-i. Calculate the hash field value Hn-i = H(Dn-i) for this row, where H is the hash algorithm. For example, for the i-th row of R(N+1), the hash objects of this row are RL and C(N+1)-i. After concatenating the hash objects, they become the data stream D(N+1)-i. Calculate the hash field value H(N+1)-i = H(D(N+1)-i) for this row.

[0222] For example, when M=4 and N=4, the original version of the flow control document F0 is shown in Table 13.

[0223] Table 13: Original version of the process control document F0

[0224]

[0225]

[0226] S104. The process control documents are circulated in a predetermined order until the terminator announces the end of the process.

[0227] The process of circulating workflow control documents in a predetermined order includes the following steps:

[0228] S401, Initiator R0 sends a process control document to processor R1 for processing;

[0229] Specifically, for each role's content field in F0, RC deletes all content except for the first line, forming the first version of the flow control document F1, and sends F1 to R0; since the content fields in F1 are all elements that can only be decrypted by R1, and no other member, including R0, can decrypt them, F1 can only be processed by R1.

[0230] RC sends the hash value of F0 to R0, and R0 performs a digital signature calculation to obtain SIG;

[0231] R0 sends process data, F1, and SIG to R1.

[0232] S402. Processor Rn sends the flow control document to R(n+1) for processing, where 1≤n≤N, and N refers to the total number of processors. It should be noted that the total number of processors N is a constant, while n is a variable.

[0233] The processor Rn sends a flow control document to R(n+1) for processing, including the following steps:

[0234] S4021, Processor Rn verifies the nth version of the flow control document Fn;

[0235] Specifically, calculate the hash value of the concatenated hash object of the rows in the flow control document Fn whose content fields are not empty. The calculation method is the same as step S303. Rows with empty content fields do not need to have their hash values calculated. Compare the calculated hash value with the corresponding row in the hash field. If they are equal, the hash value verification passes. Otherwise, the hash value verification fails, causing Rn to fail to verify Fn and the process to terminate.

[0236] S4022, Processor Rn decrypts and verifies the process data;

[0237] Specifically, for the content field of Rj (n≤j≤N), Rn extracts the element Cmj-n=E(Pmj-n,PKn) from the nth row of the content field, and decrypts the non-empty elements using its own private key SKn to obtain the plaintext Pmj-n of the content field element; when j=n, Pmj-n=Km; when j>n, Pmj-n=Cmj-(n+1); Rn uses the decrypted Km to decrypt Cm=SE(Pm,Km) to obtain the plaintext Pm, which is the sensitive data that Rn can view; Rn processes Pm according to the requirements of the electronic workflow, such as: reviewing it;

[0238] For the content field of R(N+1), Rn takes out the element C(N+1)-n=E(C(N+1)-(n+1),PKn) from the nth row of the content field, and uses its own private key SKn to decrypt the non-empty elements to obtain the plaintext C(N+1)-(n+1) of the content field element.

[0239] S4023, Processor Rn generates the (n+1)th version of the flow control document F(n+1);

[0240] Specifically, the processor Rn generates F(n+1) based on Fn: it assigns the hash field from Fn to F(n+1); for the content field of Rj (n≤j≤N), it assigns Cmj-(n+1) obtained from decryption in step S4022 to its corresponding position, i.e., the next line after Cmj-n. If Cmj-n is empty, then Cmj-(n+1) is also assigned an empty value; for the content field of R(N+1), it assigns C(N+1)-(n+1) obtained from decryption in step S4022 to its corresponding position, i.e., the next row after C(N+1)-n; when 1≤n≤N-1, since the content fields of F(n+1) are all elements that can only be decrypted by R(n+1), and no other member, including R0, can decrypt them, F(n+1) can only be processed by R(n+1); when n=N, the content field element of F(n+1), i.e. F(N+1), is C(N+1)-(n+1)=RAND, which any member can read, so any member can take on the role of R(N+1);

[0241] In this process, the processor Rn sends the process data, F(n+1), and SIG to the terminator R(n+1).

[0242] S403, The terminator R(N+1) declares the process over, where the evidence of the process over is that RAND is made public;

[0243] Specifically, the terminator R(N+1) verifies F(N+1) in the same way as step S4021, which will not be repeated here. In addition, verification of SIG is added (since F(N+1) is consistent with F0 at this time, R(N+1) uses the hash value of F(N+1) as the signature object to verify the signature of SIG. If the verification is successful, it proves that the process control document is legal and valid).

[0244] Once the verification is successful, R(N+1) declares the process over; the proof that the process is over is that RAND is made public, because if the process is not over, RAND will still be encrypted and no member will be able to provide RAND.

[0245] For example, when M=4 and N=4,

[0246] The version sent from R0 to R1 is F1, as shown in Table 14:

[0247] Table 14: Process Control Document F1

[0248]

[0249]

[0250] The version sent from R1 to R2 is F2, as shown in Table 15:

[0251] Table 15: Process Control Document F2

[0252]

[0253] The version sent by R2 to R3 is F3, as shown in Table 16:

[0254] Table 16: Process Control Document F3

[0255]

[0256]

[0257] The version sent from R3 to R4 is F4, as shown in Table 17:

[0258] Table 17: Process Control Document F4

[0259]

[0260] The version sent from R4 to R5 is F5, as shown in Table 18:

[0261] Table 18: Process Control Document F5

[0262]

[0263] The above are merely preferred embodiments of this application; however, the scope of protection of this application is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in this application, based on the technical solution and its improved concept, should be covered within the scope of protection of this application.

Claims

1. A method for generating and circulating workflow control documents, characterized in that it includes: A group is established to build an electronic workflow, wherein the roles of the group are divided into initiator R0, processors R1-RN and terminator R(N+1); Create electronic workflow data, which includes both non-sensitive and sensitive data; Generate an original version of the flow control document, wherein the original version of the flow control document includes flow roles and content fields and hash fields corresponding to the flow roles, and the flow roles include processors R1-RN and terminator R(N+1); The process control documents are circulated in a predetermined order until the terminator announces the end of the process; wherein generating the original version of the process control document includes: Determine the content field of the processors R1-RN, including: determining the viewing permissions of the processors R1-RN for each piece of sensitive data; if a processor has viewing permission, then the key of the sensitive data is encrypted using the public key corresponding to the circulation role, the encrypted value is assigned to the last row of the element area of the circulation role for that sensitive data, and the encryption result is successively encrypted using the public keys of each circulation role in reverse order, and the encrypted values are assigned to the element area of the circulation role for that sensitive data in reverse order; if a processor does not have viewing permission, the corresponding table element is empty; Determine the content field of the terminator R(N+1), including: determining that the viewable content of the terminator R(N+1) is a random number RAND; assigning RAND to the last row of the content field element area of this circulation role, and then encrypting RAND sequentially with the public key of each circulation role in reverse order, and assigning the encrypted values to the content field element area of this circulation role in reverse order; Determine the hash fields of processors R1-RN and terminator R(N+1).

2. The method for generating and circulating process control documents according to claim 1, characterized in that, The initiator provides all the data involved in this electronic workflow. Processors at each level have different viewing permissions for various sensitive data in the electronic workflow data, while the terminator has no viewing permission for any sensitive data.

3. The method for generating and circulating process control documents according to claim 2, characterized in that, The non-sensitive data is public to everyone in the group, while each piece of sensitive data is public to the processors in the group who have the corresponding viewing permissions, and the sensitive data is encrypted using a symmetric encryption algorithm.

4. The method for generating and circulating process control documents according to claim 3, characterized in that, The original version of the process control document is generated by the process controller (RC) based on the definition of the electronic workflow and the permissions of each role within the organization, and the original version of the process control document consists of a table.

5. The method for generating and circulating process control documents according to claim 4, characterized in that, Determine the hash fields of processors R1-RN and terminator R(N+1), including: calculating the hash value of each row in the table and assigning it to the corresponding row in the hash field.

6. The method for generating and circulating process control documents according to claim 4, characterized in that, The workflow control documents are circulated in a predetermined order, including: The initiator R0 sends the process control document to the processor R1 for processing; Processor Rn sends the flow control document to R(n+1) for processing, where 1≤n≤N, and N refers to the total number of processors; The terminator R(N+1) declares the process over, with the evidence of the process over being the disclosure of RAND.

7. The method for generating and circulating process control documents according to claim 6, characterized in that, Processor Rn sends a flow control document to R(n+1) for processing, including: After receiving the nth version of the flow control document Fn, the processor Rn verifies the hash value. If the hash value verification fails, the flow terminates. If the hash value verification passes, the electronic workflow data is decrypted and verified, and then processed. Based on the process control document Fn and the processing results, generate a process control document F(n+1) and send the process control document F(n+1) to R(n+1) for processing.