A blockchain-based data processing method, device and equipment
By setting verification rules in the Trusted Execution Environment (TEE) of the terminal device, and using the first trusted application to verify the data to be uploaded to the blockchain, the problem of data tampering during the data upload process is solved, and the security and accuracy of data during the upload process are achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- ANT BLOCKCHAIN TECHNOLOGY (SHANGHAI) CO LTD
- Filing Date
- 2020-07-31
- Publication Date
- 2026-07-10
Smart Images

Figure CN116340955B_ABST
Abstract
Description
[0001] This application is a divisional application of Chinese patent application filed on July 31, 2020, with application number 202010757355.0 and invention title "A Data Processing Method, Apparatus and Device Based on Blockchain". Technical Field
[0002] This specification relates to the field of computer technology, and in particular to a data processing method, apparatus and device based on blockchain. Background Technology
[0003] Blockchain has been well applied in the areas of preventing tampering, counterfeiting, and traceability of online data. If relevant data from a certain business (such as payment business, logistics business, fundraising and funding business, etc.) is added to the blockchain, the data will be impossible to change or deny.
[0004] Typically, a user uploads data to the blockchain, which then verifies the data before storing it. However, ensuring the authenticity and accuracy of the data during transmission, and preventing its tampering, becomes a critical issue. Therefore, a technical solution is needed to guarantee the security and accuracy of data during the blockchain upload process. Summary of the Invention
[0005] The purpose of the embodiments in this specification is to provide a data processing method, apparatus, and device based on blockchain, so as to provide a technical solution that can ensure the security and accuracy of data during the process of uploading data to the blockchain.
[0006] To achieve the above technical solution, the embodiments in this specification are implemented as follows:
[0007] This specification provides a blockchain-based data processing method applied to a terminal device equipped with a Trusted Execution Environment (TEE). The method includes: obtaining a user's data upload request, the data upload request including data to be uploaded to the blockchain; transmitting the data to be uploaded to the blockchain from the data upload request to the TEE of the terminal device via a first trusted application on the terminal device for performing data upload processing; wherein the TEE is configured with verification rules for verifying the data to be uploaded to the blockchain for the first trusted application; using the TEE's trusted execution environment to determine whether the data to be uploaded to the blockchain conforms to the verification rules; if so, obtaining the verified data to be uploaded to the blockchain from the TEE based on the first trusted application, and performing blockchain upload processing on the verified data to be uploaded to the blockchain.
[0008] This specification provides an embodiment of a blockchain-based data processing device. The device includes a Trusted Execution Environment (TEE) and comprises: a blockchain request module for acquiring user data upload requests, the data upload requests including data to be uploaded to the blockchain; a data transmission module for transmitting the data to be uploaded in the data upload request to the TEE of the device via a first trusted application on the device for performing data upload processing; wherein the TEE is configured with verification rules for verifying the data to be uploaded to the blockchain for the first trusted application; a data verification module for determining whether the data to be uploaded to the blockchain conforms to the verification rules using the TEE's trusted execution environment; and a blockchain upload module for retrieving the verified data from the TEE based on the first trusted application if the TEE determines that the data to be uploaded conforms to the verification rules, and performing blockchain upload processing on the verified data.
[0009] This specification provides an embodiment of a blockchain-based data processing device. The device includes a Trusted Execution Environment (TEE) and comprises a processor and a memory configured to store computer-executable instructions. When executed, the executable instructions cause the processor to: acquire a user's data upload request, the data upload request including data to be uploaded to the blockchain; transmit the data to be uploaded to the blockchain via a first trusted application on the device; wherein the TEE is configured with verification rules for verifying the data to be uploaded to the blockchain for the first trusted application; determine whether the data to be uploaded to the blockchain conforms to the verification rules using the TEE; if so, retrieve the verified data to be uploaded to the blockchain from the TEE based on the first trusted application, and perform blockchain upload processing on the verified data to be uploaded to the blockchain. Attached Figure Description
[0010] To more clearly illustrate the technical solutions in the embodiments or prior art of this specification, the drawings used in the description of the embodiments or prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this specification. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0011] Figure 1 This is an embodiment of a blockchain-based data processing method described in this specification;
[0012] Figure 2 This is a schematic diagram of the structure of a blockchain-based data processing system as described in this specification;
[0013] Figure 3 This is another embodiment of a blockchain-based data processing method described in this specification;
[0014] Figure 4 This is yet another embodiment of a blockchain-based data processing method described in this specification;
[0015] Figure 5 This specification provides an embodiment of a blockchain-based data processing device.
[0016] Figure 6 This specification describes an embodiment of a blockchain-based data processing device. Detailed Implementation
[0017] This specification provides an embodiment of a blockchain-based data processing method, apparatus, and device.
[0018] To enable those skilled in the art to better understand the technical solutions in this specification, the technical solutions in the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this specification, and not all embodiments. Based on the embodiments in this specification, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of this specification.
[0019] Example 1
[0020] like Figure 1 As shown in the embodiments of this specification, a data processing method based on blockchain is provided. The execution subject of this method can be a terminal device, such as a computer device like a laptop or desktop computer. The terminal device can be used to verify the trustworthiness of data to be uploaded to the blockchain. The terminal device can be equipped with a trusted execution environment (TEE), which can be implemented using a program written in a predetermined programming language (i.e., it can be implemented in software). This trusted execution environment can be a secure operating environment for data processing. Alternatively, the execution subject of this method can also be a server, such as a standalone server or a server cluster consisting of multiple servers. The server can also be equipped with the aforementioned trusted execution environment (TEE). This specification describes the execution subject using a terminal device as an example. For cases where the execution subject is a server, the following related content can be referred to, and will not be repeated here. The method specifically includes the following steps:
[0021] In step S102, the user's data upload request is obtained, which includes the data to be uploaded to the blockchain.
[0022] The data to be uploaded to the blockchain can be any data, such as transaction data generated during online transactions, a user's personal credit data, or relevant data from a device in the Internet of Things. The blockchain can be a system for storing one or more different categories of data. The data upload request may include the data to be uploaded to the blockchain, as well as information such as the identifier of the data, information about the holder of the data, information about the user initiating the data upload request, and business attribute information of the data (such as the business category corresponding to the data, the business identifier corresponding to the data, etc.). The specific details can be set according to actual circumstances, and this specification does not limit this aspect in the embodiments.
[0023] In practice, blockchain technology has been well applied in preventing tampering, counterfeiting, and traceability of online data. If relevant data from a business (such as payment, logistics, fundraising, or granting) is added to the blockchain, that data becomes unalterable and irrepudiable. Typically, a user uploads data to the blockchain, which then verifies the data before storing it. However, ensuring the authenticity and accuracy of the data during transmission to blockchain nodes and preventing data tampering becomes a critical issue. Therefore, a technical solution is needed to guarantee the authenticity and accuracy of data uploaded to the blockchain. This specification provides a technical solution to ensure the authenticity and accuracy of data uploaded to the blockchain, as detailed below:
[0024] like Figure 2As shown, in order to verify the data to be uploaded to the blockchain (i.e., the data to be added to the chain), a terminal device for verifying the data to be added to the chain can be pre-defined (to distinguish it from the user's terminal device, it can be called the first terminal device, and the user's terminal device can be called the second terminal device). An application that performs the aforementioned data verification function can be installed on this first terminal device. Correspondingly, an application for uploading data to the blockchain can also be installed on the user's terminal device (i.e., the second terminal device). Through this application, the user can upload data to the blockchain. For this purpose, a data upload entry point (such as a data upload button or hyperlink) can be set in the application. If a user needs to upload data to the blockchain (i.e., data to be uploaded to the blockchain), they can do so through the aforementioned data upload portal. (Specifically, the user can click the data upload button or hyperlink, and the second terminal device can display a data upload page, which may include a data input box and / or a data selection box, where the user can input or select the data to be uploaded.) After the upload is complete, the second terminal device can obtain the data to be uploaded to the blockchain and generate a data upload request. This request is then sent to the first terminal device, which can then receive the data upload request.
[0025] It should be noted that the above method achieves this by having the second terminal device directly send a data upload request to the first terminal device. In practical applications, other methods can also be included. For example, the second terminal device can send the data upload request to a blockchain node, which can then send a redirection message to the second terminal device. This redirection message can include the access address of the first terminal device (such as an IP address). The second terminal device can then send the upload request to the first terminal device based on this access address, allowing the first terminal device to obtain the data upload request. Alternatively, the first and second terminal devices can be combined into a single terminal device. In this case, the user can directly upload data to be uploaded to the blockchain through the aforementioned data upload portal on this terminal device (e.g., the user can click the data upload button or hyperlink, and the terminal device can display a data upload page, which may include a data input box and / or a data selection box, allowing the user to input or select data to upload). After the upload is complete, the terminal device can obtain the data to be uploaded and generate a data upload request, thus obtaining the user's data upload request.
[0026] In step S104, the data to be uploaded to the blockchain in the above data upload request is transmitted to the TEE of the terminal device through the first trusted application on the terminal device for performing data upload processing. The TEE is configured with verification rules for verifying the data to be uploaded to the blockchain for the first trusted application.
[0027] The TEE (Trusted Execution Environment) can be a Trusted Execution Environment. It can be implemented using programs written in a predefined programming language (i.e., in software form). The TEE's Trusted Execution Environment can be a secure data processing environment isolated from other environments. This means that processing performed within the Trusted Execution Environment, and the data generated during processing, cannot be accessed by other execution environments or applications outside the executable environment. The TEE's Trusted Execution Environment can be implemented by creating a small operating system that can run independently in a Trusted Zone (such as TrustZone). Services provided by the TEE can be directly delivered via system calls (e.g., processed directly by the TrustZone kernel). Terminal devices can include REE (Rich Execution Environment) and TEE (Trusted Execution Environment). The REE can run the operating system installed on the terminal device, such as Android, iOS, Windows, and Linux. REEs are characterized by their powerful functionality, openness, and scalability, providing all the functions of the terminal device to upper-layer applications, such as camera and touch functionality. However, REEs have many security vulnerabilities. For example, the operating system can access all data of an application, but it is difficult to verify whether the operating system or the application has been tampered with. If tampered, user information is at significant security risk. To address this, the TEE within the terminal device is needed. The TEE has its own execution space, meaning there is also an operating system within the TEE. The TEE has a higher security level than the REE. The software and hardware resources of the terminal device that the TEE can access are separate from those of the REE, but the TEE can directly obtain information from the REE, while the REE cannot obtain information from the TEE. The TEE can perform verification and other processing through provided interfaces, thereby ensuring that user information (such as payment information and user privacy information) is not tampered with, passwords are not hijacked, and fingerprints or facial information are not stolen.
[0028] The first trusted application can be a pre-designated trusted application that can perform data on-chain processing, such as a financial payment application, an instant messaging application, or a pre-developed application. The first trusted application can be an application that needs to be installed on the terminal device, or it can be code pre-embedded in a hardware device of the terminal device, or it can be a program running in the background of the terminal device's operating system as a plugin, etc., depending on the specific circumstances. Verification rules are rules that can verify the data to be uploaded to the blockchain. Verification rules can be set in various ways. For example, they can be set based on pre-defined data anti-tampering rules, or based on the identity of the user uploading the data to the blockchain. Corresponding verification rules can also be set for different business categories of the data to be uploaded to the blockchain. Different verification rules can be set for different business categories of data to be uploaded to the blockchain. For example, for real-name authentication, verification rules that meet real-name authentication requirements can be set, while for payment, verification rules that meet payment requirements and payment security needs can be set, etc., depending on the specific circumstances. Furthermore, the verification rules are pre-configured in the TEE (Transmission Equipment) of the terminal device. To ensure the security of the verification rules, they can be encrypted. This means that the verification rules can be defined by an authorized rule-maker, and then encrypted or signed using a specified encryption or signing method to form the encrypted verification rules. The encrypted verification rules are then transmitted to the TEE of the terminal device through a designated secure data transmission channel, thus ensuring the security of the verification rules and preventing tampering. Within the feasible execution environment of the TEE, the encrypted verification rules can be decrypted or verified. After confirming that the verification rules have not been tampered with (e.g., verification passes, or decryption is possible and the decrypted rules meet preset conditions), the verification rules can be stored in the TEE.
[0029] In implementation, to ensure the security of data uploaded to the blockchain and prevent any application in the REE from accessing the data in the data upload request, a trusted application (i.e., the first trusted application) can be set up to perform data upload processing. The first trusted application provides temporary protection for the data to be uploaded, for example, by preventing unauthorized applications from accessing the data, or by performing pre-processing on the data to obtain processed data, such as encryption or signing. After receiving a user's data upload request, the terminal device (i.e., the aforementioned first terminal device) can launch the trusted application (i.e., the first trusted application) to perform data upload processing. The first trusted application can have a pre-configured security interface, and correspondingly, the terminal device's TEE can also have a corresponding security interface. Through the security interface between the first trusted application and the TEE, a secure data transmission channel can be established between the first trusted application and the TEE. The first trusted application can extract the data to be uploaded to the blockchain from the data upload request, and can transmit the data to be uploaded to the TEE of the terminal device through the aforementioned security interface and data transmission channel. By setting the first trusted application, security interface and data transmission channel, the security of data during transmission can be guaranteed.
[0030] It should be noted that the first trusted application can include multiple types. The corresponding first trusted application can be set according to the business type or business identifier of the data to be uploaded to the chain, or according to the data content or data type of the data to be uploaded to the chain, or according to the different users corresponding to the data to be uploaded to the chain. Based on the above, the above data upload request can include not only the data to be uploaded to the chain, but also relevant information such as business type, business identifier, data type, or user. In practical applications, how to set the first trusted application can be set according to the actual situation, and the embodiments in this specification do not limit this.
[0031] In step S106, the trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the above verification rules.
[0032] To ensure the data to be uploaded to the blockchain is not leaked during processing, data verification can be performed within the Trusted Execution Environment (TEE). This verification process can take various forms, and the following are some optional methods: Verification rules for the data to be uploaded can be pre-defined. After the data is transmitted to the TEE on the terminal device, it can be placed within the TEE's Trusted Execution Environment. Within this environment, the terminal device can analyze the data. For example, it can determine the business category or the relevant information of the organization or institution corresponding to the data. Then, based on the determined business category or the relevant information of the organization or institution, it can obtain the corresponding verification rules. Within the Trusted Execution Environment (TEE), the acquired verification rules can be used to verify the data to be uploaded to the blockchain. This verification can take various forms. For example, encrypted tags can be pre-set in the data to be uploaded, containing a pre-recorded verification value (such as a hash value). Furthermore, the data to be uploaded can be obtained by encrypting either the entire original data or a portion of it. In the TEE's Trusted Execution Environment, based on the acquired verification rules, the tags in the data to be uploaded can be decrypted to obtain their original content, and the data to be uploaded can then be verified. The corresponding original data is decrypted to obtain the original data corresponding to the data to be uploaded to the blockchain. Then, a checksum (such as a hash value) corresponding to the original data can be calculated, and the calculated checksum can be compared with the checksum of the record in the tag. Since the above processing is performed in the trusted execution environment of the TEE, it is not known to other execution environments of the terminal device or any application in the terminal device. Therefore, the decrypted data to be uploaded to the blockchain and the decrypted tag in the executable environment of the TEE will not be obtained by any software program or hardware device outside the trusted execution environment of the TEE, thus ensuring the accuracy and security of the data to be uploaded to the blockchain and the tag (it will not be tampered with or leaked). Based on this, if the two checksums are the same, it can be determined that the verification result of the data to be uploaded to the blockchain is trustworthy, that is, it can be determined that the data to be uploaded to the blockchain has not been tampered with. If the two checksums are different, it can be determined that the verification result of the data to be uploaded to the blockchain is untrustworthy. In addition, if the data to be uploaded to the blockchain does not contain an encrypted tag, it can also be determined that the verification result of the data to be uploaded to the blockchain is untrustworthy. Additionally, the validity of the tag can be set (in this case, it is necessary to verify whether the tag is within the set validity period before determining the verification result of the data to be uploaded to the blockchain), which can be set according to the actual situation. In practical applications, the verification methods for data to be uploaded to the blockchain are not limited to the above methods, but can include many other possible methods, which will not be elaborated here.
[0033] The above-described data verification process for on-chain data is only one feasible method. In practical applications, other methods can also be used to verify on-chain data. Different methods can be used to verify on-chain data depending on the verification rules. Moreover, the specific processing procedures for verifying on-chain data can differ depending on the verification rules. The specific process can be set according to the actual situation, and this specification does not limit this aspect.
[0034] In step S108, if so, the verified data to be uploaded to the blockchain is obtained from the TEE based on the first trusted application, and the verified data to be uploaded to the blockchain is processed.
[0035] In implementation, by verifying the data to be uploaded to the blockchain within the Trusted Execution Environment (TEE), a verification result can be obtained. This result can include whether the data to be uploaded is trustworthy or not. If the verification result obtained through the above process indicates that the data to be uploaded is not trustworthy, a notification message indicating a failure to upload the data to the blockchain can be sent to the user who initiated the request. To enable the user to understand the reason for the failure and continue uploading data to the blockchain, relevant information or codes related to the failure can be included in the notification message. After viewing this information or code, the user can find and resolve the relevant issues to continue uploading data to the blockchain. If the verification result obtained through the above processing indicates that the data to be uploaded to the blockchain is trustworthy, the first trusted application can be triggered to obtain the verified data to be uploaded to the blockchain from the TEE. The verified data to be uploaded to the blockchain can then be uploaded to the blockchain. In this way, the processes of obtaining the data to be verified, verifying the data to be verified, and uploading the verified data to the blockchain are all completed in a trusted execution environment or trusted application. This not only enables data verification before uploading to the blockchain but also ensures the security of the data to be uploaded to the blockchain during the process.
[0036] This specification provides a blockchain-based data processing method applied to a terminal device equipped with a Trusted Execution Environment (TEE). Before data to be uploaded to the blockchain, it can be transmitted to the TEE via a first trusted application on the terminal device used for data uploading processing. This ensures the security of the data transmission process to the TEE. Furthermore, verification rules set within the TEE's trusted execution environment are used to verify the data to be uploaded. Since the TEE is a secure operating environment for data processing, the security of the data being processed on the terminal device is further guaranteed. To prevent the data to be uploaded to the blockchain from being tampered with, and furthermore, when using the Trusted Execution Environment (TEE) to determine whether the data to be uploaded to the blockchain meets the verification rules, the first trusted application retrieves the verified data to be uploaded to the blockchain from the TEE and performs on-chain processing on the verified data. In this way, the output of the verified data to be uploaded to the blockchain from the TEE and the upload of the verified data to the blockchain are both completed through the first trusted application. This ensures the security of the data to be uploaded to the blockchain during the process of outputting the data from the TEE of the terminal device and the output from the terminal device, preventing the verified data to be uploaded to the blockchain from being tampered with or leaked, and improving the security of the data to be uploaded to the blockchain.
[0037] Example 2
[0038] like Figure 3 As shown in the embodiments of this specification, a data processing method based on blockchain is provided. The execution subject of this method can be a terminal device, such as a computer device like a laptop or desktop computer. The terminal device can be used to verify the trustworthiness of data to be uploaded to the blockchain. The terminal device can be equipped with a trusted execution environment (TEE), which can be implemented using a program written in a predetermined programming language (i.e., it can be implemented in software). The TEE can serve as a secure operating environment for data processing. The method specifically includes the following steps:
[0039] In step S302, the user's data upload request is obtained, which includes the data to be uploaded to the blockchain.
[0040] The data upload request can also include a verifiable statement of the data to be uploaded to the blockchain. A verifiable statement can be a prescriptive form of information describing certain attributes of an entity such as an individual or organization. Verifiable statements enable evidence-based trust, proving to other entities that certain attributes of the current entity are credible. A verifiable statement can include multiple different fields and their corresponding values. For example, a field might be the holder of the data to be uploaded to the blockchain, with the corresponding value being organization A; another field might be the generation time of the data to be uploaded to the blockchain, with the corresponding value being January 1, 2020, etc.
[0041] It should be noted that, in order to ensure the security of the data to be uploaded to the blockchain, the data upload request may also include encrypted data to be uploaded, that is, the data to be uploaded may be ciphertext. In this case, the above step S302 can be completed through the following processing.
[0042] In implementation, the user's terminal device (i.e., the second terminal device) can upload data through an application that uploads data to the blockchain. The application can have a data upload entry point set up. If the user needs to upload data to the blockchain (i.e., data to be uploaded), they can encrypt the data using a preset encryption algorithm to obtain encrypted data to be uploaded. Then, the encrypted data to be uploaded, along with a verifiable declaration, can be uploaded through the aforementioned data upload entry point. After the upload is complete, the user's terminal device (i.e., the second terminal device) can obtain the encrypted data to be uploaded and the verifiable declaration, and can generate a data upload request. This request is then sent to the first terminal device, which can receive the data upload request.
[0043] In step S304, the data to be uploaded to the blockchain in the data upload request is obtained through the trusted program corresponding to the first trusted application on the terminal device for performing data upload processing, and the data to be uploaded to the blockchain is transmitted to the TEE of the terminal device through the trusted program corresponding to the first trusted application. The TEE is configured with verification rules for verifying the data to be uploaded to the blockchain for the first trusted application.
[0044] The verification rules are set based on one or more of the following: anti-tampering rules for on-chain data; business verification rules for data uploaded to the blockchain; timeliness conditions for data uploaded to the blockchain; and identity verification rules for users uploading data to the blockchain. The anti-tampering rules for on-chain data can determine whether the on-chain data has been tampered with, for example, by determining whether the data to be verified contains specific or designated information. For instance, it can determine whether the data to be verified contains designated signature information and / or watermark information, and whether the designated signature information and / or watermark information is complete, etc. Alternatively, a specified algorithm can be used to calculate the data to be verified, and the calculation result can be used to determine whether the on-chain data has been tampered with. For example, the hash value of the data to be verified can be calculated, and the calculated hash value can be used to further determine whether the on-chain data has been tampered with. Specific rules can also be set according to actual circumstances. The business verification rules for data uploaded to the blockchain can be such that the verification rules correspond to the business that the blockchain is designed for. Different verification rules can be set based on the different businesses that the blockchain is designed for. For example, if the blockchain to which the data to be uploaded is designed for electronic transactions, the verification rules can verify whether the business type corresponding to the data belongs to the electronic transaction category. If it is determined that the business type corresponding to the data does not belong to the electronic transaction category (such as insurance or logistics), then the data to be uploaded will not be transmitted to that blockchain. In practical applications, not only the above-mentioned implementation method is included, but multiple implementation methods can also be included. The specific implementation can be set according to the actual situation, and the embodiments in this specification do not limit this. The timeliness conditions for data uploaded to the blockchain can be set as follows: if the data to be uploaded is within the specified time limit, it can be uploaded to the blockchain; otherwise, it cannot. In practical applications, verification rules can be set directly based on the timeliness conditions of the data uploaded to the blockchain. Alternatively, the timeliness conditions can be combined with other rules (such as the aforementioned anti-tampering rules, business verification rules, and identity verification rules) to set verification rules. The identity verification rules for users uploading data to the blockchain can be based on the identities of users with the authority to upload data to the blockchain. For example, only users A and B are authorized to upload data to the blockchain. If the data to be uploaded is provided by users other than these two, it cannot be uploaded to the blockchain.
[0045] It should be noted that verification rules can be set based on the above-mentioned multiple methods. In practical applications, in addition to setting verification rules in the above ways, verification rules can also be set in various other ways. Specifically, verification rules can be flexibly set based on user needs, the needs of the blockchain-related business, and the needs of the blockchain management party or blockchain builder.
[0046] The trusted application corresponding to the first trusted application can be an application built based on a trusted application in the TEE of the terminal device. The TEE also provides a secure execution environment for authorized secure applications (or trusted programs, i.e., TrustApp, TA), while protecting the confidentiality, integrity, and access permissions of trusted program resources and data. Cryptographic techniques ensure isolation between different trusted programs, preventing any trusted program from arbitrarily reading or manipulating the data of other trusted programs. Therefore, in addition to the independence between the TEE and REE, each trusted program in the TEE also needs to be authorized and run independently. Furthermore, trusted programs require integrity verification before execution to ensure they have not been tampered with. Trusted programs can interact directly with peripherals such as touchscreens, cameras, and fingerprint sensors without needing an interface provided by the terminal device's REE, thus ensuring data security. Trusted applications can include client programs and trusted end programs. The client program can be the trusted program corresponding to the first trusted application, and the trusted end program can be the corresponding trusted program in the TEE. The trusted program corresponding to the first trusted application can trigger the execution of the corresponding trusted program in the TEE, enabling secure data transfer between the trusted program corresponding to the first trusted application and the corresponding trusted program in the TEE.
[0047] In implementation, to ensure the security and accuracy of the data to be uploaded to the blockchain, a data upload request can be obtained through a trusted program corresponding to the first trusted application on the terminal device used for data upload processing. This trusted program can then retrieve the data to be uploaded from the request, further ensuring its security. Furthermore, the trusted program corresponding to the first trusted application can trigger the execution of a corresponding trusted program in the TEE. A secure data transmission channel is then established between this trusted program and the corresponding trusted program in the TEE. Through this channel, the trusted program can transfer the data to be uploaded to the corresponding trusted program in the TEE of the terminal device, ensuring the secure delivery of the data to the TEE.
[0048] In addition, to further ensure the security of the data to be uploaded to the blockchain, the data to be uploaded to the blockchain can also be transmitted to the TEE of the terminal device in encrypted form. For details, please refer to the following: The data to be uploaded to the blockchain in the data upload request is transmitted to the TEE of the terminal device in encrypted form through the first trusted application on the terminal device used to perform the data upload processing.
[0049] In implementation, to ensure the security of the data to be uploaded to the blockchain during data transmission, the data can be encrypted. The encryption algorithms used can include various methods, such as symmetric or asymmetric encryption algorithms. The first trusted application can use the aforementioned symmetric or asymmetric encryption algorithms to encrypt the data to be uploaded to the blockchain, obtaining encrypted data (at this point, the data to be uploaded to the blockchain is ciphertext). Then, the first trusted application can transmit the encrypted data to be uploaded to the TEE of the terminal device through the corresponding interface and data transmission channel, thereby ensuring the security of the data to be uploaded to the blockchain during transmission.
[0050] It should be noted that if the data upload request in step S302 above already includes encrypted data to be uploaded to the blockchain, it is not necessary to encrypt the data to be uploaded to the blockchain again, or it is also possible to encrypt the data to be uploaded to the blockchain again. The specific settings can be determined according to the actual situation.
[0051] In step S306, the validity of the verifiable claims is verified in the trusted execution environment of the TEE.
[0052] In implementation, the first trusted application can not only transmit the data to be uploaded to the blockchain in the data upload request to the TEE of the terminal device, but also the verifiable declaration in the data upload request to the TEE of the terminal device. After the TEE of the terminal device contains the data to be uploaded to the blockchain and the verifiable declaration, it can first verify the verifiable declaration to determine its validity. If the verifiable declaration is found to be valid, then appropriate processing is performed based on the verifiable declaration, thereby further ensuring the security of data processing. Specifically, verifying the verifiable declaration can include various methods. For example, the field values contained in the verifiable declaration can be calculated using a predetermined algorithm (e.g., the hash value of the field values contained in the verifiable declaration can be calculated using a hash algorithm) to obtain the corresponding calculation result. The verifiable declaration also includes a base value of the above calculation result. The obtained calculation result can be compared with the base value in the verifiable declaration. If they are the same, the verification passes, and the declaration is verified as valid; if they are different, the verification fails, and the declaration is verified as invalid.
[0053] Besides the methods described above, various other methods can also be included. For example, the verifiable declaration may include a checksum of the verifiable declaration. After the TEE in the terminal device contains the verifiable declaration, the checksum of the verifiable declaration can be determined using a predetermined verification algorithm. Then, the calculated checksum can be compared with the checksum in the verifiable declaration. If they are the same, the verification passes, and the declaration is verified as valid; if they are different, the verification fails, and the declaration is verified as invalid. In practical applications, the methods for verifying the validity of verifiable declarations are not limited to the two methods described above; other possible methods can also be included. The specific methods can be set according to the actual situation, and the embodiments in this specification do not limit this.
[0054] In step S308, if the verification result is valid, the trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the verification rules.
[0055] In implementation, if the verification result, determined by step S306 above, indicates that the verifiable declaration is invalid, the data to be uploaded to the blockchain can be determined to be untrusted data. In this case, a notification message indicating data upload failure can be sent to the user who initiated the data upload request. If the verification result indicates that the verifiable declaration is valid, the data to be uploaded to the blockchain can be determined to be trustworthy data, i.e., the data to be uploaded to the blockchain is trustworthy data.
[0056] If the verification result is valid, the encrypted data to be uploaded to the blockchain can be decrypted in the Trusted Execution Environment of the TEE to obtain the decrypted data to be uploaded to the blockchain. Then, it can be determined in the Trusted Execution Environment of the TEE whether the decrypted data to be uploaded to the blockchain meets the verification rules.
[0057] Based on the above, for example, if the verification rules are set based on the anti-tampering rules of the blockchain's on-chain data, and taking the anti-tampering rules as an example to determine whether the data to be verified contains specified signature information and / or watermark information, the decrypted data to be uploaded to the blockchain can be analyzed to determine whether it contains the specified signature information. If it does, the signature can be verified. If the verification passes, the data to be uploaded to the blockchain is deemed to comply with the verification rules; otherwise, it is deemed not to comply with the verification rules. Alternatively, the decrypted data to be uploaded to the blockchain can be analyzed to determine whether it contains the specified watermark information. If it does, the watermark information can be extracted from the decrypted data to be uploaded to the blockchain, and the extracted watermark information can be judged. If the watermark information is complete, the data to be uploaded to the blockchain is deemed to comply with the verification rules; otherwise, it is deemed not to comply with the verification rules.
[0058] For example, if the verification rules are set based on the business verification rules of the data uploaded to the blockchain, and taking the business verification rule as determining whether the business type corresponding to the data to be uploaded to the blockchain belongs to the electronic transaction category, then for different business types, corresponding identifiers can be set in the data to be uploaded to the blockchain. Then, the above-mentioned decrypted data to be uploaded to the blockchain can be analyzed to determine the business type contained in the decrypted data to be uploaded to the blockchain. If the determined business type is electronic transaction, then it can be determined that the data to be uploaded to the blockchain complies with the verification rules; otherwise, it can be determined that the data to be uploaded to the blockchain does not comply with the verification rules.
[0059] If the verification rules are set based on the timeliness conditions of the data uploaded to the blockchain, the decrypted data to be uploaded to the blockchain can be analyzed to determine the reception time of the decrypted data to be uploaded to the blockchain and the corresponding data timeliness conditions. If the decrypted data to be uploaded to the blockchain is determined to be valid based on the above reception time and data timeliness conditions, then the data to be uploaded to the blockchain can be determined to meet the verification rules; otherwise, the data to be uploaded to the blockchain can be determined to not meet the verification rules.
[0060] If the verification rules are set based on the identity verification rules of the user who uploads data to the blockchain, then the relevant information of the data uploader of the decrypted data to be uploaded to the blockchain can be obtained, and it can be determined whether the user has the permission to upload data to the blockchain based on the user's relevant information. If it is determined that the user has the permission to upload data to the blockchain, then it can be determined that the data to be uploaded to the blockchain complies with the verification rules; otherwise, it can be determined that the data to be uploaded to the blockchain does not comply with the verification rules.
[0061] In addition, there are various ways to determine whether the data to be uploaded to the chain conforms to the verification rules using a trusted execution environment (TEE). Here is another optional method, which may include the following steps A2 to A6.
[0062] In step A2, the data to be uploaded to the blockchain is decrypted in the trusted execution environment of the TEE to obtain the decrypted data to be uploaded to the blockchain.
[0063] In step A4, within the trusted execution environment of the TEE, the decrypted data to be uploaded to the blockchain is calculated based on the verification algorithm corresponding to the verification rules, and the corresponding calculation results are obtained.
[0064] The verification algorithm can vary depending on the verification rules. For example, it can be a hash algorithm or a data extraction algorithm. For instance, data with specified content can be split into multiple different parts, and then the split data can be inserted into the data to be uploaded to the blockchain. After the data to be uploaded to the blockchain arrives in the TEE, the split data can be extracted from the data to be uploaded to the blockchain using the verification algorithm. The extracted split data can be combined to obtain the extracted data to be uploaded to the blockchain. At this point, the combined data and the extracted data to be uploaded to the blockchain can be verified separately.
[0065] In step A6, within the trusted execution environment of the TEE, the obtained calculation results are matched with the baseline results in the verification rules, and the matching results are used to determine whether the data to be uploaded to the chain conforms to the verification rules.
[0066] In implementation, the first trusted application can obtain the benchmark result in advance and transmit it to the TEE of the terminal device. After obtaining the calculation result of the decrypted data to be uploaded to the blockchain, the calculation result can be compared with the benchmark result. If the two are the same, it can be determined that the data to be uploaded to the blockchain meets the verification rules; otherwise, it can be determined that the data to be uploaded to the blockchain does not meet the verification rules.
[0067] There are various ways to determine whether the data to be uploaded to the chain conforms to the verification rules when using a Trusted Execution Environment (TEE). The following is another optional processing method, which may include the following steps B2 and B4.
[0068] In step B2, if the verification result is valid, the verification rules corresponding to the holder of the verifiable claim are obtained in the Trusted Execution Environment of the TEE.
[0069] In implementation, if the verification result indicates that the verifiable claim is valid, it means that the data to be uploaded to the blockchain was published or provided by the holder of the verifiable claim. To further verify the data uploaded to the blockchain by holders of different verifiable claims and ensure data security, verification rules can be set for different holders of verifiable claims. Alternatively, the holder of the verifiable claim can pre-set verification rules for the data they upload to prevent other organizations or users from misappropriating the holder's verifiable claim and uploading false data to the blockchain. After confirming the validity of the verifiable claim, the verification rules corresponding to the holder of the verifiable claim can be obtained in the Trusted Execution Environment (TEE).
[0070] In step B4, the trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the verification rules corresponding to the holder.
[0071] The specific processing procedure for step B4 above can be found in the relevant content above, and will not be repeated here.
[0072] In step S310, if so, the verified data to be uploaded to the blockchain is obtained from the TEE based on the first trusted application, and the verified data to be uploaded to the blockchain is processed.
[0073] To allow for more flexible data verification of on-chain data, the verification rules already set in the TEE can be modified. For details, please refer to steps S312 to S316 below.
[0074] In step S312, an update request for the verification rules in the TEE of the terminal device is received. The update request includes the rule data to be updated, which is encrypted.
[0075] In implementation, verification rules can include various different contents. In practical applications, models for data verification of data to be uploaded to the blockchain can be set in the trusted execution environment of the TEE, such as classification models. These models can be obtained through complex programs written in a predetermined programming language or through simpler algorithms; this specification does not limit the specifics of these models. Furthermore, to prevent unauthorized users from updating the verification rules, information about users with update permissions (such as the user who initially set or created the verification rule or a pre-designated user) can be set for the verification rules. That is, only users with update permissions can update the verification rules. When a verification rule in the TEE needs to be updated, the user can input the identifier of the verification rule to be modified and the rule data to be updated through the first trusted application (or the trusted program corresponding to the first trusted application) on their terminal device. After input, the terminal device can obtain the identifier of the verification rule to be updated and the rule data to be updated, and can generate an update request, thereby allowing the terminal device to obtain the data verification rule update request.
[0076] It should be noted that the rule data to be updated can be the model or algorithm in the verification rule, or the business type to which the verification rule applies. The specific data can be set according to the actual situation, and the embodiments in this specification do not limit this.
[0077] In step S314, the rule data to be updated is transmitted to the TEE of the terminal device through the first trusted application.
[0078] In step S316, in the trusted execution environment of the TEE, the rule data to be updated is decrypted, and the verification rule is updated based on the decrypted rule data to be updated.
[0079] In implementation, after receiving an update request for verification rules, the terminal device can obtain the identifier of the verification rules contained in the update request and locate the corresponding verification rules using this identifier. It can also obtain information about users with the authority to update the verification rules. From this information, it can check if the user who initiated the update request is included. If so, it confirms that the user who initiated the update request has the authority to update the verification rules. In this case, the terminal device can update the verification rules in the Trusted Execution Environment (TEE) based on the update request, obtaining the updated verification rules. If not, it confirms that the user who initiated the update request does not have the authority to update the verification rules. In this case, the terminal device can send an update failure notification message to the user who initiated the update request.
[0080] It should be noted that the process of updating the verification rules in steps S312 to S316 can be performed after steps S302 to S310. In practical applications, the process of steps S312 to S316 can also be performed before steps S302 to S310, or before step B4, etc. This specification does not limit this.
[0081] Based on the above, after obtaining the updated verification rules through the above method, the updated verification rules can be used to verify the data to be uploaded to the chain. That is, the processing of steps S302 to S310 can be performed. Among them, the processing of step B4 may include: in the trusted execution environment of TEE, data verification of the data to be uploaded to the chain is performed based on the updated verification rules corresponding to the holder of the verifiable claim. The specific processing procedure can be found in the relevant content above, and will not be repeated here.
[0082] This specification provides a blockchain-based data processing method applied to a terminal device equipped with a Trusted Execution Environment (TEE). Before data to be uploaded to the blockchain, it can be transmitted to the TEE via a first trusted application on the terminal device used for data uploading processing. This ensures the security of the data transmission process to the TEE. Furthermore, verification rules set within the TEE's trusted execution environment are used to verify the data to be uploaded. Since the TEE is a secure operating environment for data processing, the security of the data being processed on the terminal device is further guaranteed. To prevent the data to be uploaded to the blockchain from being tampered with, and furthermore, when using the Trusted Execution Environment (TEE) to determine whether the data to be uploaded to the blockchain meets the verification rules, the first trusted application retrieves the verified data to be uploaded to the blockchain from the TEE and performs on-chain processing on the verified data. In this way, the output of the verified data to be uploaded to the blockchain from the TEE and the upload of the verified data to the blockchain are both completed through the first trusted application. This ensures the security of the data to be uploaded to the blockchain during the process of outputting the data from the TEE of the terminal device and the output from the terminal device, preventing the verified data to be uploaded to the blockchain from being tampered with or leaked, and improving the security of the data to be uploaded to the blockchain.
[0083] Furthermore, by combining with verifiable claims, data verification of data to be added to the blockchain is performed, further enhancing the security of data verification. Moreover, the verification rules within the TEE can be updated in real time, enabling verification processes of any simple or complex nature for the data to be added to the blockchain, thus improving the scalability and flexibility of data verification.
[0084] Example 3
[0085] like Figure 4 As shown in the embodiments of this specification, a data processing method based on blockchain is provided. The execution subject of this method can be a terminal device, such as a computer device like a laptop or desktop computer. The terminal device can be used to verify the trustworthiness of data to be uploaded to the blockchain. The terminal device can be equipped with a trusted execution environment (TEE), which can be implemented using a program written in a predetermined programming language (i.e., it can be implemented in software). The TEE can serve as a secure operating environment for data processing. The method specifically includes the following steps:
[0086] In step S402, the user's data upload request is obtained, which includes the data to be uploaded to the blockchain.
[0087] The data upload request can include the digital identity information of the user initiating the request. Digital identity information refers to information that identifiableally portrays a user through digitization; that is, condensing real identity information into digital code to facilitate the binding, querying, and verification of a user's real-time behavioral information. Digital identity information can include not only identity coding information such as birth information, individual descriptions, and biometrics, but also various attributes of personal behavioral information (such as transaction information or entertainment information). Digital identity information can be displayed in various ways, such as through DID (Decentralized Identity).
[0088] It should be noted that, in order to ensure the security of the uploaded data to be uploaded to the blockchain, the data upload request may include encrypted data to be uploaded to the blockchain. In this case, the data to be uploaded to the blockchain can also be preprocessed by the following process, which may include the following: in the trusted execution environment of TEE, the encrypted data to be uploaded to the blockchain is decrypted to obtain the decrypted data to be uploaded to the blockchain.
[0089] In step S404, the data to be uploaded to the blockchain in the data upload request is obtained through the trusted program corresponding to the first trusted application on the terminal device for performing data upload processing, and the data to be uploaded to the blockchain is transmitted to the TEE of the terminal device through the trusted program corresponding to the first trusted application. The TEE is configured with verification rules for verifying the data to be uploaded to the blockchain for the first trusted application.
[0090] The verification rules are set based on one or more of the following: anti-tampering rules for data uploaded to the blockchain; business verification rules for data uploaded to the blockchain; timeliness conditions for data uploaded to the blockchain; and identity verification rules for users who upload data to the blockchain.
[0091] In addition, to further ensure the security of the data to be uploaded to the blockchain, the data to be uploaded to the blockchain can also be transmitted to the TEE of the terminal device in encrypted form. For details, please refer to the following: The data to be uploaded to the blockchain in the data upload request is transmitted to the TEE of the terminal device in encrypted form through the first trusted application on the terminal device used to perform the data upload processing.
[0092] In step S406, within the Trusted Execution Environment (TEE), the system searches for the presence of the user's digital identity information in the pre-stored digital identity information within the TEE.
[0093] In implementation, blockchain can construct corresponding digital identity information for different users. To this end, digital identity information (such as a user's DID) for users who upload data to the blockchain can be pre-set. This digital identity information can be stored in a TEE (Trusted Execution Environment) or encrypted and stored in the terminal device. When the terminal device receives a data upload request, it can search the pre-stored digital identity information in the TEE to see if the user's digital identity information exists. Alternatively, the encrypted digital identity information can be transmitted to the TEE, where it can be decrypted within the TEE's trusted execution environment to obtain the original digital identity information. Then, it can search this original digital identity information to see if the user's digital identity information exists.
[0094] In step S408, if it exists, the trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the verification rules.
[0095] Furthermore, there are several specific processing methods for determining whether data to be uploaded to the blockchain conforms to the verification rules using the Trusted Execution Environment (TEE). One optional processing method is provided below, which may include: decrypting the data to be uploaded to the blockchain within the TEE's Trusted Execution Environment; calculating the decrypted data based on the verification algorithm corresponding to the verification rules within the TEE's Trusted Execution Environment; and matching the calculated results with the baseline results in the verification rules within the TEE's Trusted Execution Environment, and determining whether the data to be uploaded to the blockchain conforms to the verification rules based on the matching results.
[0096] The specific processing procedure of step S408 can be found in the relevant content above, and will not be repeated here.
[0097] In step S410, if so, the verified data to be uploaded to the blockchain is obtained from the TEE based on the first trusted application, and the verified data to be uploaded to the blockchain is processed.
[0098] To allow for more flexible data verification of on-chain data, the verification rules already set in the TEE can be modified. For details, please refer to steps S412 to S416 below.
[0099] In step S412, an update request for the verification rules in the TEE of the terminal device is received. The update request includes the rule data to be updated, which is encrypted.
[0100] In step S414, the rule data to be updated is transmitted to the TEE of the terminal device through the first trusted application.
[0101] In step S416, in the trusted execution environment of the TEE, the rule data to be updated is decrypted, and the verification rule is updated based on the decrypted rule data to be updated.
[0102] It should be noted that the process of updating the verification rules in steps S412 to S416 can be performed after steps S402 to S410. In practical applications, the process in steps S412 to S416 can also be performed before steps S402 to S410. This specification does not limit this.
[0103] The specific processing procedures for steps S412 to S416 can be found in the relevant content above, and will not be repeated here.
[0104] This specification provides a blockchain-based data processing method applied to a terminal device equipped with a Trusted Execution Environment (TEE). Before data to be uploaded to the blockchain, it can be transmitted to the TEE via a first trusted application on the terminal device used for data uploading processing. This ensures the security of the data transmission process to the TEE. Furthermore, verification rules set within the TEE's trusted execution environment are used to verify the data to be uploaded. Since the TEE is a secure operating environment for data processing, the security of the data being processed on the terminal device is further guaranteed. To prevent the data to be uploaded to the blockchain from being tampered with, and furthermore, when using the Trusted Execution Environment (TEE) to determine whether the data to be uploaded to the blockchain meets the verification rules, the first trusted application retrieves the verified data to be uploaded to the blockchain from the TEE and performs on-chain processing on the verified data. In this way, the output of the verified data to be uploaded to the blockchain from the TEE and the upload of the verified data to the blockchain are both completed through the first trusted application. This ensures the security of the data to be uploaded to the blockchain during the process of outputting the data from the TEE of the terminal device and the output from the terminal device, preventing the verified data to be uploaded to the blockchain from being tampered with or leaked, and improving the security of the data to be uploaded to the blockchain.
[0105] Furthermore, by combining data with digital identity information (such as DID), the security of data verification is further enhanced. Moreover, the verification rules in the TEE can be updated in real time, enabling verification processes of any simple or complex nature for the data to be uploaded to the blockchain, thus improving the scalability and flexibility of data verification.
[0106] Example 4
[0107] The above describes a blockchain-based data processing method provided in the embodiments of this specification. Based on the same idea, the embodiments of this specification also provide a blockchain-based data processing device. This device is equipped with a Trusted Execution Environment (TEE), which can serve as a secure operating environment for data processing, such as... Figure 5 As shown.
[0108] The blockchain-based data processing device includes: an on-chain request module 501, a data transmission module 502, a data verification module 503, and an on-chain module 504, wherein:
[0109] The on-chain request module 501 obtains the user's data on-chain request, which includes the data to be uploaded to the blockchain.
[0110] The data transmission module 502 transmits the data to be uploaded to the blockchain in the data upload request to the TEE of the device through a first trusted application on the device for performing data upload processing; wherein, the TEE is configured with verification rules for verifying the data to be uploaded to the blockchain for the first trusted application.
[0111] The data verification module 503 uses the trusted execution environment of the TEE to determine whether the data to be uploaded to the chain conforms to the verification rules;
[0112] The on-chain module 504, if the trusted execution environment of the TEE determines that the data to be uploaded to the chain conforms to the verification rules, then obtains the verified data to be uploaded to the chain from the TEE based on the first trusted application, and performs on-chain processing on the verified data to be uploaded to the chain.
[0113] In this embodiment of the specification, the data transmission module 502 transmits the data to be uploaded to the blockchain in the data upload request to the TEE of the device in encrypted form through a first trusted application on the device for performing data upload processing.
[0114] In this embodiment of the specification, the data transmission module 502 obtains the data to be uploaded to the blockchain from the data upload request through a trusted program corresponding to the first trusted application on the device for performing data upload processing, and transmits the data to be uploaded to the TEE of the device through the trusted program corresponding to the first trusted application.
[0115] In the embodiments described in this specification, the device further includes:
[0116] The update request module receives an update request for the verification rules in the TEE of the device. The update request includes rule data to be updated, and the rule data to be updated is encrypted.
[0117] The update data transmission module transmits the rule data to be updated to the TEE of the device through the first trusted application;
[0118] The update module decrypts the rule data to be updated in the trusted execution environment of the TEE, and updates the verification rules based on the decrypted rule data to be updated.
[0119] In the embodiments of this specification, the verification rules are set based on one or more of the following:
[0120] The anti-tampering rules for the on-chain data of the blockchain;
[0121] Business verification rules for data uploaded to the blockchain;
[0122] The timeliness conditions of data uploaded to the blockchain; and,
[0123] The rules for verifying the identity of users who upload data to the blockchain.
[0124] In this embodiment of the specification, the data upload request includes a verifiable declaration of the data to be uploaded to the blockchain, and the data verification module 503 includes:
[0125] The validity verification unit verifies the validity of the verifiable claim within the trusted execution environment of the TEE.
[0126] If the verification result is valid, the first data verification unit uses the trusted execution environment of the TEE to determine whether the data to be uploaded to the chain conforms to the verification rules.
[0127] In this embodiment of the specification, if the verification result is valid, the first data verification unit obtains the verification rules corresponding to the holder of the verifiable claim in the trusted execution environment of the TEE; and uses the trusted execution environment of the TEE to determine whether the data to be uploaded to the chain conforms to the verification rules corresponding to the holder.
[0128] In this embodiment of the specification, the data uplink request includes the user's digital identity information, and the data verification module 503 includes:
[0129] The search unit searches within the trusted execution environment of the TEE to determine whether the user's digital identity information exists in the pre-stored digital identity information within the trusted execution environment.
[0130] The second data verification unit, if present, uses the trusted execution environment of the TEE to determine whether the data to be uploaded to the chain conforms to the verification rules.
[0131] In this embodiment of the specification, the data to be uploaded to the blockchain is encrypted, and the data verification module 503 includes:
[0132] In the trusted execution environment of the TEE, the following processing is performed:
[0133] The decryption unit decrypts the data to be uploaded to the blockchain to obtain the decrypted data to be uploaded to the blockchain.
[0134] The calculation unit performs calculations on the decrypted data to be uploaded to the blockchain based on the verification algorithm corresponding to the verification rules, and obtains the corresponding calculation results.
[0135] The third data verification unit matches the obtained calculation result with the benchmark result in the verification rule, and determines whether the data to be uploaded to the chain conforms to the verification rule based on the matching result.
[0136] This specification provides a blockchain-based data processing device equipped with a Trusted Execution Environment (TEE). Before data to be uploaded to the blockchain, it can be transmitted to the TEE via a first trusted application on the device used for data uploading processing. This ensures the security of the data transmission process to the TEE. Furthermore, verification rules set within the TEE's TEE are used to verify the data to be uploaded. Since the TEE is a secure operating environment for data processing, the security of the data being processed within the device is guaranteed, preventing data from being uploaded to the blockchain. Furthermore, when using the Trusted Execution Environment (TEE) to determine whether the data to be uploaded to the blockchain conforms to the verification rules, the first trusted application retrieves the verified data from the TEE and performs on-chain processing on the verified data. Thus, the output of the verified data from the TEE and the upload of the verified data to the blockchain are both completed through the first trusted application. This ensures the security of the data being output from the TEE of the device and from the device, preventing the verified data from being tampered with or leaked, and improving the security of the data being uploaded to the blockchain.
[0137] Furthermore, by combining verifiable claims and digital identity information (such as DID) to perform data verification on the data to be added to the blockchain, the security of data verification is further enhanced. Moreover, the verification rules in the TEE can be updated in real time, enabling any simple or complex verification process for the data to be added to the blockchain, thus improving the scalability and flexibility of data verification.
[0138] Example 5
[0139] The above are examples of blockchain-based data processing devices provided in the embodiments of this specification. Based on the same concept, embodiments of this specification also provide a blockchain-based data processing device, such as... Figure 6 As shown.
[0140] The blockchain-based data processing device can be the terminal device provided in the above embodiments. The blockchain-based data processing device can be equipped with a Trusted Execution Environment (TEE). The TEE can be implemented by a program written in a predetermined programming language (i.e., it can be implemented in software form). The TEE can be a secure operating environment for data processing.
[0141] Blockchain-based data processing devices can vary significantly in configuration and performance. They may include one or more processors 601 and memory 602, with memory 602 storing one or more applications or data. Memory 602 can be temporary or persistent storage. Applications stored in memory 602 may include one or more modules (not shown), each module including a series of computer-executable instructions for the blockchain-based data processing device. Furthermore, processor 601 may be configured to communicate with memory 602, executing the series of computer-executable instructions stored in memory 602 on the blockchain-based data processing device. The blockchain-based data processing device may also include one or more power supplies 603, one or more wired or wireless network interfaces 604, one or more input / output interfaces 605, and one or more keyboards 606.
[0142] Specifically, in this embodiment, the blockchain-based data processing device includes a memory and one or more programs, wherein one or more programs are stored in the memory, and one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for the blockchain-based data processing device, and is configured to be executed by one or more processors. The one or more programs include computer-executable instructions for performing the following:
[0143] Obtain the user's data upload request, which includes the data to be uploaded to the blockchain;
[0144] The data to be uploaded to the blockchain in the data upload request is transmitted to the TEE of the device through a first trusted application on the device for performing data upload processing; wherein, the TEE is configured with verification rules for verifying the data to be uploaded to the blockchain for the first trusted application.
[0145] The trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the verification rules;
[0146] If so, the verified data to be uploaded to the blockchain is obtained from the TEE based on the first trusted application, and the verified data to be uploaded to the blockchain is processed.
[0147] In this embodiment of the specification, the step of transmitting the data to be uploaded to the blockchain in the data upload request to the TEE of the device through a first trusted application on the device for performing data upload processing includes:
[0148] The data to be uploaded to the blockchain in the data upload request is transmitted in encrypted form to the TEE of the device through a first trusted application on the device for performing data upload processing.
[0149] In this embodiment of the specification, the step of transmitting the data to be uploaded to the blockchain in the data upload request to the TEE of the device through a first trusted application on the device for performing data upload processing includes:
[0150] The data to be uploaded to the blockchain is obtained from the data upload request through a trusted program corresponding to the first trusted application on the device, and the data to be uploaded to the blockchain is transmitted to the TEE of the device through the trusted program corresponding to the first trusted application.
[0151] The embodiments in this specification also include:
[0152] Receive an update request for the verification rules in the TEE of the device, the update request including rule data to be updated, the rule data to be updated being encrypted;
[0153] The rule data to be updated is transmitted to the TEE of the device through the first trusted application;
[0154] In the trusted execution environment of the TEE, the rule data to be updated is decrypted, and the verification rule is updated based on the decrypted rule data to be updated.
[0155] In the embodiments of this specification, the verification rules are set based on one or more of the following:
[0156] The anti-tampering rules for the on-chain data of the blockchain;
[0157] Business verification rules for data uploaded to the blockchain;
[0158] The timeliness conditions of data uploaded to the blockchain; and,
[0159] The rules for verifying the identity of users who upload data to the blockchain.
[0160] In this embodiment of the specification, the data upload request includes a verifiable declaration of the data to be uploaded to the blockchain, and the step of using the trusted execution environment of the TEE to determine whether the data to be uploaded to the blockchain conforms to the verification rules includes:
[0161] The validity of the verifiable claims is verified within the trusted execution environment of the TEE.
[0162] If the verification result is valid, the trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the verification rules.
[0163] In this embodiment of the specification, the step of determining whether the data to be uploaded to the blockchain conforms to the verification rules using the trusted execution environment of the TEE if the verification result is valid includes:
[0164] If the verification result is valid, the verification rules corresponding to the holder of the verifiable claim are obtained in the Trusted Execution Environment of the TEE.
[0165] The trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the verification rules corresponding to the holder.
[0166] In this embodiment of the specification, the data upload request includes the user's digital identity information, and the step of using the trusted execution environment of the TEE to determine whether the data to be uploaded to the blockchain conforms to the verification rules includes:
[0167] In the trusted execution environment of the TEE, check whether the user's digital identity information exists in the digital identity information pre-stored in the trusted execution environment;
[0168] If it exists, the trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the verification rules.
[0169] In this embodiment of the specification, the data to be uploaded to the blockchain is encrypted, and the step of using the trusted execution environment of the TEE to determine whether the data to be uploaded to the blockchain conforms to the verification rules includes:
[0170] In the trusted execution environment of the TEE, the following processing is performed:
[0171] The data to be uploaded to the blockchain is decrypted to obtain the decrypted data to be uploaded to the blockchain.
[0172] The verification algorithm corresponding to the verification rule is used to calculate the decrypted data to be uploaded to the blockchain, and the corresponding calculation results are obtained.
[0173] The obtained calculation result is matched with the benchmark result in the verification rule, and the data to be uploaded to the chain is determined based on the matching result to determine whether the data conforms to the verification rule.
[0174] This specification provides a blockchain-based data processing device equipped with a Trusted Execution Environment (TEE). Before data to be uploaded to the blockchain, it can be transmitted to the TEE via a first trusted application on the device used for data uploading processing. This ensures the security of the data transmission process to the TEE. Furthermore, verification rules set within the TEE's TEE are used to verify the data to be uploaded. Since the TEE is a secure operating environment for data processing, the security of the data being processed within the device is guaranteed, preventing data from being uploaded to the blockchain. Furthermore, when using the Trusted Execution Environment (TEE) to determine whether the data to be uploaded to the blockchain conforms to the verification rules, the first trusted application retrieves the verified data from the TEE and performs on-chain processing on the verified data. Thus, the output of the verified data from the TEE and the upload of the verified data to the blockchain are both completed through the first trusted application. This ensures the security of the data being output from the TEE of the device and from the device, preventing the verified data from being tampered with or leaked, and improving the security of the data being uploaded to the blockchain.
[0175] Furthermore, by combining verifiable claims and digital identity information (such as DID) to perform data verification on the data to be added to the blockchain, the security of data verification is further enhanced. Moreover, the verification rules in the TEE can be updated in real time, enabling any simple or complex verification process for the data to be added to the blockchain, thus improving the scalability and flexibility of data verification.
[0176] The foregoing has described specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in a different order than that shown in the embodiments and may still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require the specific or sequential order shown to achieve the desired result. In some embodiments, multitasking and parallel processing are possible or may be advantageous.
[0177] In the 1990s, improvements to a technology could be clearly distinguished as either hardware improvements (e.g., improvements to the circuit structure of diodes, transistors, switches, etc.) or software improvements (improvements to the methodology). However, with technological advancements, many methodological improvements today can be considered direct improvements to the hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming the improved methodology into the hardware circuit. Therefore, it cannot be said that a methodological improvement cannot be implemented using a hardware physical module. For example, a Programmable Logic Device (PLD) (e.g., a Field Programmable Gate Array (FPGA)) is such an integrated circuit whose logic function is determined by the user programming the device. Designers can program a digital system themselves to "integrate" it onto a PLD, without needing chip manufacturers to design and manufacture dedicated integrated circuit chips. Furthermore, nowadays, instead of manually manufacturing integrated circuit chips, this programming is mostly implemented using "logic compiler" software. Similar to the software compiler used in program development, the original code before compilation must be written in a specific programming language, called a Hardware Description Language (HDL). There are many HDLs, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language). Currently, the most commonly used are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art should understand that by simply performing some logic programming on the method flow using one of these hardware description languages and programming it into an integrated circuit, the hardware circuit implementing the logical method flow can be easily obtained.
[0178] The controller can be implemented in any suitable manner. For example, it can take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, application-specific integrated circuits (ASICs), programmable logic controllers, and embedded microcontrollers. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller can also be implemented as part of the control logic of the memory. Those skilled in the art will also recognize that, in addition to implementing the controller in purely computer-readable program code form, the same functionality can be achieved by logically programming the method steps to make the controller take the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, and embedded microcontrollers. Therefore, such a controller can be considered a hardware component, and the means included therein for implementing various functions can also be considered as structures within the hardware component. Alternatively, the means for implementing various functions can be considered as both software modules implementing the method and structures within the hardware component.
[0179] The systems, devices, modules, or units described in the above embodiments can be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer. Specifically, a computer can be, for example, a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or any combination of these devices.
[0180] For ease of description, the above apparatus is described by dividing it into various functional units. Of course, when implementing one or more embodiments of this specification, the functions of each unit can be implemented in one or more software and / or hardware.
[0181] Those skilled in the art will understand that the embodiments of this specification can be provided as methods, systems, or computer program products. Therefore, one or more embodiments of this specification may take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0182] Embodiments in this specification are described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this specification. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable blockchain-based data processing device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable blockchain-based data processing device, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0183] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable blockchain-based data processing device to function in a specific manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including an instruction means, which is implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0184] These computer program instructions can also be loaded onto a computer or other programmable blockchain-based data processing device, causing a series of operational steps to be executed on the computer or other programmable device to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable device for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0185] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.
[0186] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.
[0187] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic magnetic disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.
[0188] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0189] Those skilled in the art will understand that the embodiments of this specification can be provided as methods, systems, or computer program products. Therefore, one or more embodiments of this specification may take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0190] One or more embodiments of this specification can be described in the general context of computer-executable instructions, such as program modules, that are executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform a particular task or implement a particular abstract data type. One or more embodiments of this specification can also be practiced in distributed computing environments where tasks are performed by remote processing devices connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.
[0191] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on describing the differences from other embodiments. In particular, the system embodiments are basically similar to the method embodiments, so the description is relatively simple; relevant parts can be referred to the descriptions in the method embodiments.
[0192] The above description is merely an embodiment of this specification and is not intended to limit this specification. Various modifications and variations can be made to this specification by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this specification should be included within the scope of the claims of this specification.
Claims
1. A blockchain-based data processing method applied to a user terminal device, wherein the user terminal device is equipped with a Trusted Execution Environment (TEE), and the user terminal device is the initiator of the data upload request, the method comprising: Obtain the user's data upload request, which includes the data to be uploaded to the blockchain and the user's digital identity information; The first trusted application on the user terminal device, which is used to perform data uplink processing, transmits the data to be uplinked in the data uplink request to the TEE of the user terminal device; wherein, the TEE is configured with verification rules for verifying the data to be uplinked by the first trusted application. In the trusted execution environment of the TEE, check whether the user's digital identity information exists in the digital identity information pre-stored in the trusted execution environment; If it exists, the trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the verification rules; If so, the verified data to be uploaded to the blockchain is obtained from the TEE based on the first trusted application, and the verified data to be uploaded to the blockchain is processed.
2. The method according to claim 1, wherein determining whether the data to be uploaded to the blockchain conforms to the verification rules using the trusted execution environment of the TEE includes: The validity of the verifiable claims is verified within the trusted execution environment of the TEE. If the verification result is valid, the trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the verification rules.
3. The method according to claim 1, wherein the step of transmitting the data to be uploaded to the blockchain in the data upload request to the TEE of the user terminal device through a first trusted application on the user terminal device for performing data upload processing includes: The first trusted application on the user terminal device, used for performing data uplink processing, transmits the data to be uplinked in the data uplink request to the TEE of the user terminal device in encrypted form.
4. The method according to claim 1, wherein the step of transmitting the data to be uploaded to the blockchain in the data upload request to the TEE of the user terminal device through a first trusted application on the user terminal device for performing data upload processing includes: The trusted program corresponding to the first trusted application on the user terminal device, which is used to perform data on-chain processing, obtains the data to be uploaded to the blockchain in the data on-chain request, and transmits the data to be uploaded to the TEE of the user terminal device through the trusted program corresponding to the first trusted application.
5. The method according to claim 1, further comprising: Receive an update request for the verification rules in the TEE of the user terminal device, wherein the update request includes rule data to be updated, and the rule data to be updated is encrypted; The rule data to be updated is transmitted to the TEE of the user terminal device through the first trusted application. In the trusted execution environment of the TEE, the rule data to be updated is decrypted, and the verification rule is updated based on the decrypted rule data to be updated.
6. The method according to claim 5, wherein the verification rules are set based on one or more of the following: The anti-tampering rules for the on-chain data of the blockchain; Business verification rules for data uploaded to the blockchain; The timeliness conditions of data uploaded to the blockchain; and, The rules for verifying the identity of users who upload data to the blockchain.
7. The method according to claim 1, wherein if the verification result is valid, the trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the verification rules, including: If the verification result is valid, the verification rules corresponding to the holder of the verifiable claim are obtained in the Trusted Execution Environment of the TEE. The trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the verification rules corresponding to the holder.
8. The method according to any one of claims 1-7, wherein the data to be uploaded to the blockchain is encrypted, and the step of using the trusted execution environment of the TEE to determine whether the data to be uploaded to the blockchain conforms to the verification rules includes: In the trusted execution environment of the TEE, the following processing is performed: The data to be uploaded to the blockchain is decrypted to obtain the decrypted data to be uploaded to the blockchain. The verification algorithm corresponding to the verification rule is used to calculate the decrypted data to be uploaded to the blockchain, and the corresponding calculation results are obtained. The obtained calculation result is matched with the benchmark result in the verification rule, and the data to be uploaded to the chain is determined based on the matching result to determine whether the data conforms to the verification rule.
9. A blockchain-based data processing device, wherein the device is installed in a user terminal device, the device is equipped with a Trusted Execution Environment (TEE), and the device is the initiator of the data upload request, the device comprising: The on-chain request module obtains the user's data on-chain request, which includes the data to be uploaded to the blockchain and the user's digital identity information. The data transmission module transmits the data to be uploaded to the blockchain in the data upload request to the TEE of the device through a first trusted application on the device for performing data upload processing; wherein, the TEE is configured with verification rules for verifying the data to be uploaded to the blockchain for the first trusted application. The data verification module searches the trusted execution environment of the TEE to see if the user's digital identity information exists in the pre-stored digital identity information in the trusted execution environment; if it exists, it uses the trusted execution environment of the TEE to determine whether the data to be uploaded to the chain conforms to the verification rules. If the on-chain module determines that the data to be uploaded to the chain conforms to the verification rules using the trusted execution environment of the TEE, it then obtains the verified data to be uploaded to the chain from the TEE based on the first trusted application and performs on-chain processing on the verified data to be uploaded to the chain.
10. A blockchain-based data processing device, wherein the device is a user terminal device, the device is equipped with a Trusted Execution Environment (TEE), and the device is the initiator of the data upload request, the device comprising: processor; as well as A memory configured to store computer-executable instructions, which, when executed, cause the processor to: Obtain the user's data upload request, which includes the data to be uploaded to the blockchain and the user's digital identity information; The data to be uploaded to the blockchain in the data upload request is transmitted to the TEE of the device through a first trusted application on the device for performing data upload processing; wherein, the TEE is configured with verification rules for verifying the data to be uploaded to the blockchain for the first trusted application. In the trusted execution environment of the TEE, check whether the user's digital identity information exists in the digital identity information pre-stored in the trusted execution environment; If it exists, the trusted execution environment of the TEE is used to determine whether the data to be uploaded to the chain conforms to the verification rules; If so, the verified data to be uploaded to the blockchain is obtained from the TEE based on the first trusted application, and the verified data to be uploaded to the blockchain is processed.