Authentication method and device for data multi-party computation based on data operation

By verifying the signature values ​​of algorithms/data, platforms, and hardware during multi-party computation, the problem of the inability to verify platforms and hardware in existing technologies is solved, achieving higher security in multi-party computation authentication and preventing replay attacks.

CN116800431BActive Publication Date: 2026-07-03HANGZHOU NUOWEI INFORMATION TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
HANGZHOU NUOWEI INFORMATION TECHNOLOGY CO LTD
Filing Date
2023-06-30
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

In existing technologies, data computation authentication based on certificate chains during data operation cannot verify the platform and hardware on which the algorithm/data is deployed, and lacks the ability to prevent replay attacks.

Method used

By verifying the signature value of the identity certificate sent by the client during the multi-party computation process, including the hardware hash signature value, platform hash signature value, and algorithm hash signature value, the legitimacy of the algorithm/data, platform, and hardware is ensured, and a task certificate is generated for computation task authentication.

Benefits of technology

It improves the security of multi-party computation, prevents replay attacks, ensures the authentication of the platform and hardware on which the algorithm/data is deployed, and enhances the comprehensiveness and reliability of authentication.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116800431B_ABST
    Figure CN116800431B_ABST
Patent Text Reader

Abstract

The embodiment of the present application relates to a kind of authentication method and device based on data operation of data multi-party computing, the method comprises: based on predetermined computing task to client sends handshake request;Identity certificate sent by client is received, and first signature value, second signature value and third signature value are obtained from the predetermined field of the identity certificate;From database, pre-stored data record is obtained, and the data record is related to the client;The first signature value, second signature value and third signature value are verified using the data record.The technical scheme provided in the embodiment of the present application verifies the signature value of algorithm / data, platform and hardware in the process of multi-party computing, and algorithm / data, platform and hardware are associated with each other, so that algorithm / data is verified while the platform (software) and hardware on which algorithm / data is deployed are also verified, the security of multi-party computing is improved, and replay attack can be prevented.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of multi-party computation authentication technology, and more particularly to an authentication method and apparatus based on data multi-party computation in data operations. Background Technology

[0002] In existing technologies, the data computation authentication process based on certificate chains during data operations involves generating and configuring SSL certificates for both the server and client in advance during service deployment. During the handshake phase of computation, the identities of the client and server are verified through two-way TLS, and computation is performed only after successful authentication. However, this method only verifies up to the application layer and cannot authenticate the hardware and / or software (platform) on which the application is deployed. Furthermore, the above authentication schemes typically lack protection against replay attacks; if the client / server certificates are inadvertently leaked, the subsequent computation process becomes vulnerable to attacks. Summary of the Invention

[0003] Based on the above-mentioned situation of the prior art, the purpose of this embodiment of the invention is to provide an authentication method and apparatus for multi-party computation of data based on data operation. In the data computation involved in the data operation process, while verifying the algorithm / data, the platform (software) and hardware on which the algorithm / data deployment depends are also verified, thereby improving the security of multi-party computation.

[0004] To achieve the above objectives, according to one aspect of the present invention, a data multi-party computation authentication method is provided, applied to a regulatory server, the method comprising:

[0005] A handshake request is sent to the client based on a predetermined computing task, so that the client sends an identity certificate in response to the handshake request; the client is a virtual client integrated according to the predetermined computing task.

[0006] Receive the identity certificate sent by the client, and obtain the first signature value, the second signature value, and the third signature value from the predetermined fields of the identity certificate;

[0007] Retrieve pre-stored data records from the database, the data records being associated with the client;

[0008] The data records are used to verify the first signature value, the second signature value, and the third signature value;

[0009] The second signature value is generated based on the first signature value, and the third signature value is generated based on the first signature value and the second signature value.

[0010] Furthermore, the identity certificate includes an algorithm certificate; in the algorithm certificate, the first signature value in the predetermined fields is a hardware hash signature value, the second signature value is a platform hash signature value, and the third signature value is an algorithm hash signature value.

[0011] Furthermore, the identity certificate includes a data certificate; in the data certificate, the first signature value in the predetermined fields is a hardware hash signature value, the second signature value is a platform hash signature value, and the third signature value is a data hash signature value, or a hash signature value of data, data IP, and data field.

[0012] Furthermore, the method also includes: after verification using the data record,

[0013] Send computing task information to the computing participants involved in the computing task so that each computing participant can return a task certificate signing request based on the computing task information;

[0014] The system receives task certificate signing requests from computing participants, issues task certificates through a task certification authority, and sends them to each computing participant so that each participant can use the task certificate to perform the computing task.

[0015] Furthermore, the method also includes:

[0016] Receive hardware information, hardware hash value, and hardware certificate signing request sent by the first computing participant;

[0017] Based on the hardware information, the hardware is confirmed to be usable, and the hardware hash value is stored in the database;

[0018] The hardware hash value is signed using the first private key to obtain a first signature value, and the first signature value is written into the first field of the hardware certificate;

[0019] The hardware certificate is signed using the first private key according to the hardware certificate signing request;

[0020] The signed hardware certificate is sent to the first computing participant.

[0021] Furthermore, the method also includes:

[0022] The system receives platform instance information, platform hash value, hardware hash value, and platform certificate signing request from the second computing participant; the platform instance information includes platform information and hardware information of the platform.

[0023] Based on the platform instance information, the platform instance is confirmed to be an available platform instance, and the platform hash value and hardware hash value are stored as a record in the database.

[0024] The platform hash value is signed using a second private key to obtain a second signature value;

[0025] The hardware hash value is signed using the first private key to obtain the first signature value;

[0026] Write the first signature value into the first field of the platform certificate, and write the second signature value into the second field of the platform certificate;

[0027] The platform certificate is signed using a second private key according to the platform certificate signing request;

[0028] Send the signed platform certificate to the receiving second computing participant.

[0029] Furthermore, the method also includes:

[0030] The system receives algorithm instance information, algorithm hash value, platform hash value, hardware hash value, and algorithm certificate signing request from a third computing participant. The algorithm instance information includes algorithm information, platform information on which the algorithm is implemented, and hardware information on which the platform is implemented.

[0031] Based on the algorithm instance information, the algorithm instance is confirmed to be a usable algorithm instance, and the algorithm hash value, platform hash value, and hardware hash value are stored as a record in the database.

[0032] The hash value of the algorithm is signed using a third private key to obtain a third signature value.

[0033] The platform hash value is signed using a second private key to obtain a second signature value;

[0034] The hardware hash value is signed using the first private key to obtain the first signature value;

[0035] Write the first signature value into the first field of the algorithm certificate, write the second signature value into the second field of the algorithm certificate, and write the third signature value into the third field of the algorithm certificate;

[0036] The algorithm certificate is signed using a third private key according to the algorithm certificate signing request;

[0037] Send the signed algorithm certificate to the receiving third-party computation participant;

[0038] The first computing participant, the second computing participant, and the third computing participant may be the same computing participant or different computing participants.

[0039] Furthermore, the method also includes:

[0040] The system receives data instance information, data hash value, platform hash value, hardware hash value, and data certificate signing request from the data provider. The data instance information includes data information, platform information storing the data, and hardware information running on the platform. The data information includes data, data IP address, and data fields.

[0041] Based on the data instance information, the data instance is confirmed to be a usable data instance, and the data hash value, platform hash value, and hardware hash value are stored as a record in the database.

[0042] The data hash value is signed using a third private key to obtain a third signature value.

[0043] The platform hash value is signed using a second private key to obtain a second signature value;

[0044] The hardware hash value is signed using the first private key to obtain the first signature value;

[0045] Write the first signature value into the first field of the data certificate, write the second signature value into the second field of the data certificate, and write the third signature value into the third field of the data certificate;

[0046] The data certificate is signed using a third private key according to the data certificate signing request;

[0047] Send the signed data certificate to the data provider.

[0048] According to a second aspect of the present invention, an authentication method for multi-party computation of data is provided, applied to a client, wherein the client is a virtual client integrated according to a predetermined computation task; the method includes:

[0049] Receive handshake requests sent by the monitoring server based on predetermined computing tasks;

[0050] The handshake request sends an identity certificate to the regulatory server so that the regulatory server can verify the first, second, and third signature values ​​in the identity document.

[0051] The second signature value is generated based on the first signature value, and the third signature value is generated based on the first signature value and the second signature value.

[0052] According to a third aspect of the present invention, an authentication method for multi-party computation of data is provided, applied to computation participants, the method comprising:

[0053] Send the hardware information, hardware hash value, and hardware certificate signing request encrypted with the private key of the computing participant to the regulatory service provider, so that the regulatory service provider can generate a signed hardware certificate after confirming the hardware information.

[0054] Receive the signed hardware certificate sent by the regulatory service provider and encrypt and save it to the local server.

[0055] Furthermore, the method also includes:

[0056] The platform instance information, platform hash value, hardware hash value, and platform certificate signing request, encrypted with the private key of the computing participant, are sent to the regulatory service provider. The platform instance information includes platform information and hardware information of the platform. This allows the regulatory service provider to generate a signed platform certificate after confirming the platform instance information.

[0057] Receive the signed platform certificate sent by the regulatory service provider and encrypt and save it to the local server.

[0058] Furthermore, the method also includes:

[0059] The algorithm instance information, algorithm hash value, platform hash value, hardware hash value, and algorithm certificate signing request, which are encrypted using the private key of the computing participant, are sent to the regulatory service provider. The algorithm instance information includes algorithm information, platform information on which the algorithm is implemented, and hardware information on which the platform is implemented. This allows the regulatory service provider to generate a signed algorithm certificate after confirming the algorithm instance information.

[0060] Receive the signed algorithm certificate sent by the regulatory service provider and encrypt and save it to the local server.

[0061] According to a fourth aspect of the present invention, a data multi-party computation authentication method is provided, applied to a data provider, the method comprising:

[0062] The system sends the data instance information, data hash value, platform hash value, hardware hash value, and data certificate signing request encrypted with the data provider's private key to the regulatory service provider. The data instance information includes data information, platform information storing the data, and hardware information running on the platform. This allows the regulatory service provider to generate a signed data certificate after verifying the data instance information.

[0063] Receive the signed data certificate sent by the regulatory service provider and encrypt and save it to the local server.

[0064] According to a fifth aspect of the present invention, a data multi-party computation authentication device is provided, applied to a regulatory server, the device comprising:

[0065] The request module is used to send a handshake request to the client based on a predetermined computing task, so that the client can send an identity certificate according to the handshake request; the client is a virtual client integrated according to the predetermined computing task.

[0066] The signature value acquisition module is used to receive the identity certificate sent by the client and obtain the first signature value, the second signature value and the third signature value from the predetermined fields of the identity certificate;

[0067] The verification module is used to retrieve pre-stored data records from the database, the data records being associated with the client; and to verify the first signature value, the second signature value, and the third signature value using the data records.

[0068] The second signature value is generated based on the first signature value, and the third signature value is generated based on the first signature value and the second signature value.

[0069] In summary, this invention provides an authentication method and apparatus for multi-party computation based on data operations. The method includes: sending a handshake request to a client based on a predetermined computation task; receiving an identity certificate sent by the client and obtaining a first signature value, a second signature value, and a third signature value from predetermined fields of the identity certificate; retrieving a pre-stored data record from a database, the data record being associated with the client; and verifying the first signature value, the second signature value, and the third signature value using the data record. The technical solution provided by this invention verifies the signature values ​​of the algorithm / data, platform, and hardware during the multi-party computation process. Furthermore, the algorithm / data, platform, and hardware are interconnected, thereby verifying not only the algorithm / data but also the platform (software) and hardware upon which the algorithm / data deployment depends, improving the security of multi-party computation and preventing replay attacks. Attached Figure Description

[0070] Figure 1 This is a flowchart of the authentication method for multi-party computation of data provided in an embodiment of the present invention;

[0071] Figure 2 This is a schematic diagram illustrating the interaction between the participating parties in the data multi-party computation authentication method provided in this embodiment of the invention;

[0072] Figure 3 This is a schematic diagram of the structure of the electronic device provided in an embodiment of the present invention. Detailed Implementation

[0073] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to specific embodiments and the accompanying drawings. It should be understood that these descriptions are merely exemplary and not intended to limit the scope of the invention. Furthermore, descriptions of well-known structures and techniques are omitted in the following description to avoid unnecessarily obscuring the concept of the invention.

[0074] It should be noted that, unless otherwise defined, the technical or scientific terms used in one or more embodiments of the present invention should have the ordinary meaning understood by one of ordinary skill in the art to which this disclosure pertains. The terms "first," "second," and similar terms used in one or more embodiments of the present invention do not indicate any order, quantity, or importance, but are merely used to distinguish different components. Terms such as "comprising" or "including" mean that the element or object preceding the word encompasses the element or object listed following the word and its equivalents, without excluding other elements or objects. Terms such as "connected" or "linked" are not limited to physical or mechanical connections, but can include electrical connections, whether direct or indirect.

[0075] The technical solution of the present invention will be described in detail below with reference to the accompanying drawings. An embodiment of the present invention provides an authentication method for multi-party computation of data. This method can be applied to a monitoring server. When performing a multi-party computation task, the monitoring server obtains the task to be distributed from the task center. First, it establishes bidirectional TLS communication with each task participant using a static identity certificate to ensure connection security. The task participants may include computation participants and data providers. During the certificate verification phase, the security of the multi-party computation is improved by verifying the signature values ​​of the algorithm / data, platform, and hardware. Figure 1 The flowchart of the authentication method for multi-party computation of this data is shown, and the method includes the following steps:

[0076] S12. A handshake request is sent to the client based on a predetermined computing task, so that the client sends its identity certificate according to the handshake request. The predetermined computing task can be a task to be distributed obtained by the monitoring server from the task center. The client is a virtual client integrated according to the predetermined computing task. For example, when performing multi-party computation based on the predetermined computing task, it involves algorithm (application service) A, platform B, and hardware (server) C. Algorithm (application service) A can be pre-installed on a designated, certificate-registered platform B, and platform B can be installed on certificate-registered hardware (server) C, thus forming a virtual client integrated according to the predetermined computing task. Through the interaction between the monitoring server and this client, simultaneous authentication of the algorithm / data, platform, and hardware can be achieved.

[0077] S14. Receive the identity certificate sent by the client and obtain the first signature value, second signature value, and third signature value from the predetermined fields of the identity certificate. During the certificate verification phase, after receiving the client's identity certificate, the supervisory server first verifies the correctness of the identity certificate signature. Then, it obtains the first signature value, second signature value, and third signature value from the predetermined fields of the identity certificate, which are typically the nsComment field of the identity certificate. According to some optional embodiments, the identity certificate can be an algorithm certificate, in which the first signature value in the predetermined fields is a hardware hash signature value, the second signature value is a platform hash signature value, and the third signature value is an algorithm hash signature value. According to some optional embodiments, the identity certificate can also be a data certificate, in which the first signature value in the predetermined fields is a hardware hash signature value, the second signature value is a platform hash signature value, and the third signature value is a data hash signature value, or a hash signature value of data, data IP, and data field.

[0078] S16. Retrieve a pre-stored data record from the database, the data record being related to the client. This data record is a data record related to the client (i.e., related to the current computing task) stored in the database by the monitoring server during the certificate registration phase, including a first signature value, a second signature value, and a third signature value. The second signature value is generated based on the first signature value, and the third signature value is generated based on the first and second signature values.

[0079] S18. The data record is used to verify the first signature value, the second signature value, and the third signature value. The regulatory server can use local CA, software CA, and application (algorithm) CA corresponding to the first signature value, the second signature value, and the third signature value respectively to verify each signature value, thereby completing the verification of the certificate binding relationship.

[0080] According to some optional embodiments, the method may further include the following step: after verification using the data record,

[0081] S20. Send computing task information to the computing participants involved in the computing task so that each computing participant can return a task certificate signing request based on the computing task information.

[0082] S22. Receive the task certificate signing request sent by the computing participants, issue a task certificate through the task certification authority and send it to each computing participant so that each computing participant can use the task certificate to perform the computing task.

[0083] In this embodiment of the invention, the first signature value, the second signature value, and the third signature value can be obtained by the computing participant and / or data provider interacting with the regulatory server according to a predetermined computing task, registering the local algorithm / data, platform, and hardware with the regulatory server. Furthermore, the platform's registration information is based on the information of the mounted hardware, and the algorithm / data's registration information is based on the information of the mounted platform and hardware, thereby verifying the identity of the application and user while also verifying the identity of the hardware / software (platform) on which the application deployment depends.

[0084] The generation of the first signature value (hardware hash signature value) (registration process) can be achieved through the following steps:

[0085] S32. Receive hardware information, hardware hash value, and hardware certificate signing request sent by the first computing participant. This hardware registration process can be completed by the interaction between the APPX set up on the computing participant and the regulatory service provider. APPX is a separately developed tool for hardware registration, adapted to various hardware (including but not limited to Intel Hygon, Huawei ARM, network devices, network gateways, and routers, etc.), and will be customized for each client. The purpose of customization is to generate the client certificate required for the APPX network connection process. Before hardware registration, APPX (taking the SGX server as an example, DMI code) generates a quote, combines it with other information to generate a hardware hash value, and uses it as the unique identification credential for the hardware. In this step, the regulatory service provider receives the hardware information, hardware hash value, and hardware certificate signing request sent by the APPX on the first computing participant. The first computing participant generates a hardware private key to encrypt the certificate signing request. The certificate signing request can also carry some additional identity information, such as department, region, and province. APPX can pre-install the regulatory service provider's certificate, and the regulatory service provider issues certificates to the client, establishing SSL using the regulatory service provider's certificate, thereby ensuring the security of two-way communication.

[0086] S34. Based on the hardware information, confirm that the hardware is usable and store the hardware hash value in the database. The monitoring server checks the machine model of the hardware based on the received hardware information and confirms whether it is an approved hardware machine model, etc. After confirmation, it stores the hardware hash value in the local database, distinguishing between hardware types when recording.

[0087] S36. Sign the hardware hash value using the first private key to obtain a first signature value, and write the first signature value into the first field of the hardware certificate. The supervisory server may have a root CA, under which hardware CA, platform CA, algorithm CA, and data CA are set up to sign hardware, platform, algorithm, and data and generate certificates. In this step, the supervisory server can use the hardware CA's private key to sign the hardware hash value to obtain a hardware hash signature value, and write the hardware hash signature value into the nsComment field of the hardware certificate. This field is, for example, {"sig":"This field is empty because this process does not require hashing","hw_sig":"This is the hardware hash signature value","sw_sig":"This field is empty because this process does not require platform hashing"}. The first private key can be the private key of the supervisory server's hardware CA.

[0088] S38. Sign the hardware certificate using the first private key according to the hardware certificate signing request.

[0089] S40. The signed hardware certificate is sent to the receiving first computing participant. After the hardware certificate is returned to the first computing participant's APPX, the APPX encrypts it and saves it to the first computing participant's server (data sealing can be used to encrypt and write it to the hard drive).

[0090] Through the above registration process, the regulatory server learns the ownership and function of the hardware-related information, while for the computing participants, storing the signed hardware certificate can lay the foundation for initiating the next task.

[0091] The generation of the second signature value (platform hash signature value) (registration process) can be achieved through the following steps:

[0092] S52. Receive platform instance information, platform hash value, hardware hash value, and platform certificate signing request sent by the second computing participant; the platform instance information includes platform information and hardware information running the platform. The platform registration process can be completed by APPY, a tool set up on the computing participant, interacting with the regulatory service provider. APPY is used for platform registration, and the platform is installed on a designated, already registered hardware server. APPY, set up on the second computing participant, hashes the platform and combines it with other information, hardware hash, hardware certificate, and hardware certificate hash to generate a platform instance hash, which serves as the unique identification credential for the platform instance. Upon receiving this credential, APPY generates the platform instance's private key and generates a platform certificate signing request (private key issuance of the platform instance's identity certificate request file CSR). The platform certificate signing request can also carry additional identity information, such as department, region, and province. APPY can pre-install the regulatory service provider's certificate, and the regulatory service provider issues certificates to the client, establishing SSL using the regulatory service provider's certificate, thereby ensuring secure two-way communication.

[0093] S54. Based on the platform instance information, confirm that the platform instance is an available platform instance, and store the platform hash value and hardware hash value as a record in the database. The monitoring server checks the hardware machine model and platform based on the received platform instance information, and confirms whether it is an approved hardware machine model and platform, etc. After confirmation, it stores the platform hash value and hardware hash value as a record in the local database.

[0094] S56. Sign the platform hash value using the second private key to obtain a second signature value; sign the hardware hash value using the first private key to obtain a first signature value; write the first signature value into the first field of the platform certificate, and write the second signature value into the second field of the platform certificate. The regulatory server can use the private key of the hardware CA to sign the hardware hash value to obtain a hardware hash signature value; and use the private key of the software CA to sign the software hash value to obtain a software hash signature value. Combine the hardware hash signature value and the software hash signature value as the nsComment field of the platform certificate, for example: {"sig":"This field is empty because the platform itself has no service","hw_sig":"This is the hardware hash signature value","sw_sig":"This is the software hash signature value"}. The second private key can be the private key of the platform CA of the regulatory server.

[0095] S58. Sign the platform certificate using the second private key according to the platform certificate signing request.

[0096] S60. The signed platform certificate is sent to the receiving second computing participant. After the platform certificate is returned to the second computing participant's APPY, APPY encrypts it and saves it to the second computing participant's server.

[0097] Through the above registration process, the regulatory server learns about the platform's ownership and function, as well as which server / hardware it is installed on. For the computing participants, having the signed platform certificate lays the foundation for initiating the next task.

[0098] The generation of the third signature value (algorithmic hash signature value) (registration process) can be achieved through the following steps:

[0099] S72. Receive algorithm instance information, algorithm hash value, platform hash value, hardware hash value, and algorithm certificate signing request from a third computing participant. The algorithm instance information includes algorithm information, platform information carrying the algorithm, and hardware information carrying the platform. For example, the algorithm is an application service installed on a specified registered platform, which is installed on a registered hardware server. The registered platform hashes the application service, combines it with other information and the platform's certificate, requests the hash of the certificate used by the platform, and generates an application service instance hash, which serves as the unique identification credential for the application service instance. Upon receiving this credential, the registered platform generates a private key for the application service instance and then generates a signing request for the application service instance (private key issuance of the application service instance's Certificate of Identity Request File, CSR). The algorithm certificate signing request may carry additional identity information, such as department, region, and province.

[0100] S74. Based on the algorithm instance information, confirm that the algorithm instance is a usable algorithm instance, and store the algorithm hash value, platform hash value, and hardware hash value as a record in the database. Upon receiving this credential, the monitoring server checks the algorithm instance information, including content, hardware machine model, specific machine, and platform model. The algorithm hash value, platform hash value, and hardware hash value are then stored as a record in the database.

[0101] S76. Sign the algorithm hash value using a third private key to obtain a third signature value; sign the platform hash value using a second private key to obtain a second signature value; sign the hardware hash value using a first private key to obtain a first signature value; write the first signature value into the first field of the algorithm certificate, write the second signature value into the second field of the algorithm certificate, and write the third signature value into the third field of the algorithm certificate. The monitoring server uses the hardware CA's private key to sign the hardware hash value to obtain a hardware hash signature value; uses the software CA's private key to sign the software hash value to obtain a software hash signature value. Uses the application service CA's private key to sign the algorithm (application) hash value to obtain an algorithm (application) hash signature value. Combine the hardware hash signature value, software hash signature value, and algorithm (application) hash signature value as the nsComment word of the algorithm certificate, for example: {"sig":"This is the service hash signature value","hw_sig":"This is the hardware hash signature value","sw_sig":"This is the software hash signature value"}.

[0102] S78. Sign the algorithm certificate using a third private key according to the algorithm certificate signing request.

[0103] S80. The signed algorithm certificate is sent to the receiving third computing participant. After the algorithm certificate is returned to the third computing participant, the third computing participant encrypts it and saves it to the third computing participant's server.

[0104] Through the above registration process, the regulatory server learns the ownership and function of the application service instance, as well as which server / hardware and platform it is installed on. For the computing participants, having the signed algorithm certificate can lay the foundation for participating in the next task initiation.

[0105] In the above embodiments, the first, second, and third computing participants may be the same or different computing participants. This can be determined specifically based on the computing task involved.

[0106] When the multi-party computation process requires the participation of the data provider, it also includes the generation of the data hash signature value (registration process), which can be achieved through the following steps:

[0107] S92. Receive data instance information, data hash value, platform hash value, hardware hash value, and data certificate signing request sent by the data provider; the data instance information includes data information, platform information storing the data, and hardware information of the platform; the data information includes data, data IP, and data fields.

[0108] S94. Confirm that the data instance is a usable data instance based on the data instance information, and store the data hash value, platform hash value, and hardware hash value as a record in the database.

[0109] S96. Sign the data hash value using a third private key to obtain a third signature value; sign the platform hash value using a second private key to obtain a second signature value; sign the hardware hash value using a first private key to obtain a first signature value; write the first signature value into the first field of the data certificate, write the second signature value into the second field of the data certificate, and write the third signature value into the third field of the data certificate.

[0110] S98. Sign the data certificate using a third private key according to the data certificate signing request.

[0111] S100. Send the signed data certificate to the data provider.

[0112] Figure 2 The diagram illustrates the interaction between participating parties in the multi-party computation authentication method provided by an embodiment of the present invention. Figure 2 As shown, the authentication method for multi-party computation involves a task center, which receives tasks to be executed from clients, verifies the legality of the tasks, and forwards task requests to the regulatory server. After receiving the task request from the task center, the regulatory server distributes the task to each computation participant and data provider. Each computation participant or data provider can obtain hardware certificates, platform certificates, algorithm certificates, and data certificates from the regulatory server's hardware CA, platform CA, algorithm CA, and data CA according to the preset task implementation. During the task execution phase, the regulatory server distributes task certificates to each computation participant and data provider through the task CA. After each computation participant and data provider authenticates with the regulatory server through the certificates, they execute the computation task.

[0113] An embodiment of the present invention also provides an authentication device for multi-party computation of data, applied to a regulatory server, the device comprising:

[0114] The request module is used to send a handshake request to the client based on a predetermined computing task, so that the client can send an identity certificate according to the handshake request; the client is a virtual client integrated according to the predetermined computing task.

[0115] The signature value acquisition module is used to receive the identity certificate sent by the client and obtain the first signature value, the second signature value and the third signature value from the predetermined fields of the identity certificate;

[0116] The verification module is used to retrieve pre-stored data records from the database, the data records being associated with the client; and to verify the first signature value, the second signature value, and the third signature value using the data records.

[0117] The second signature value is generated based on the first signature value, and the third signature value is generated based on the first signature value and the second signature value.

[0118] The specific process by which each module in the data multi-party computation authentication device provided in the above embodiments of the present invention implements its function is the same as the steps of the data multi-party computation authentication method provided in the above embodiments of the present invention. Therefore, repeated descriptions will be omitted here.

[0119] An embodiment of the present invention also provides an electronic device. Figure 3 The diagram shown is a structural schematic of an electronic device according to an embodiment of the present invention. Figure 3 As shown, the electronic device 300 includes: one or more processors 301 and a memory 302; and computer program instructions stored in the memory 302, which, when executed by the processor 301, cause the processor 301 to perform a data multi-party computation authentication method as described in any of the above embodiments. The processor 301 may be a central processing unit (CPU) or other form of processing unit with data processing capabilities and / or instruction execution capabilities, and may control other components in the electronic device to perform desired functions.

[0120] The memory 302 may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and / or non-volatile memory. Volatile memory may include, for example, random access memory (RAM) and / or cache memory. Non-volatile memory may include, for example, read-only memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium, and the processor 501 may execute the program instructions to implement the steps in the data multi-party computation authentication method of the various embodiments of the present invention described above, and / or other desired functions.

[0121] In some embodiments, the electronic device 300 may further include an input device 303 and an output device 304, these components being connected via a bus system and / or other forms of connection mechanisms. Figure 3(Not shown) Interconnected. For example, when the electronic device is a standalone device, the input device 303 can be a communication network connector for receiving acquired input signals from external mobile devices. Furthermore, the input device 303 may also include, for example, a keyboard, mouse, microphone, etc. The output device 304 can output various information to the outside, and may include, for example, a monitor, speaker, printer, and communication network and its connected remote output devices.

[0122] In addition to the methods and devices described above, embodiments of the present invention may also be computer program products, including computer program instructions that, when executed by a processor, cause the processor to perform the steps in the data multi-party computation authentication method as described in any of the above embodiments.

[0123] Computer program products can be written in any combination of one or more programming languages ​​to perform the operations of the embodiments of the present invention. The programming languages ​​include object-oriented programming languages ​​such as Java and C++, as well as conventional procedural programming languages ​​such as C or similar languages. The program code can be executed entirely on the user's computing device, partially on the user's computing device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server.

[0124] Furthermore, embodiments of the present invention may also be computer-readable storage media storing computer program instructions thereon, which, when executed by a processor, cause the processor to perform the steps in the data multi-party computation authentication method of various embodiments of the present invention.

[0125] Computer-readable storage media may take the form of any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may, for example, include, but is not limited to, electrical, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatuses, or devices, or any combination thereof. More specific examples of readable storage media (a non-exhaustive list) include: electrical connections having one or more wires, portable disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.

[0126] It should be understood that the processor in the embodiments of the present invention can be a Central Processing Unit (CPU), but it can also be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor or any conventional processor.

[0127] In summary, the embodiments of the present invention relate to an authentication method and apparatus for multi-party computation based on data operations. The method includes: sending a handshake request to a client based on a predetermined computation task; receiving an identity certificate sent by the client and obtaining a first signature value, a second signature value, and a third signature value from predetermined fields of the identity certificate; retrieving a pre-stored data record from a database, the data record being associated with the client; and verifying the first signature value, the second signature value, and the third signature value using the data record. The technical solution provided by the embodiments of the present invention verifies the signature values ​​of the algorithm / data, platform, and hardware during the multi-party computation process. Furthermore, the algorithm / data, platform, and hardware are interconnected, thereby verifying not only the algorithm / data but also the platform (software) and hardware upon which the algorithm / data deployment depends, improving the security of multi-party computation and preventing replay attacks.

[0128] It should be understood that the discussion of any of the above embodiments is merely exemplary and is not intended to imply that the scope of the invention (including the claims) is limited to these examples. Within the framework of this invention, technical features of the above embodiments or different embodiments can also be combined, steps can be implemented in any order, and many other variations exist regarding different aspects of one or more embodiments of the invention as described above, which are not provided in the details for the sake of brevity. The specific embodiments described above are merely illustrative or explanatory of the principles of the invention and do not constitute a limitation thereof. Therefore, any modifications, equivalent substitutions, improvements, etc., made without departing from the spirit and scope of the invention should be included within the protection scope of the invention. Furthermore, the appended claims are intended to cover all variations and modifications falling within the scope and boundaries of the appended claims, or equivalent forms of such scope and boundaries.

Claims

1. A data multi-party computation authentication method, characterized in that, Applied to the regulatory server, the method includes: Receive hardware information, hardware hash value, and hardware certificate signing request sent by the first computing participant; The hardware is confirmed to be usable based on the hardware information, and the hardware hash value is stored in the database; The hardware hash value is signed using the first private key to obtain a first signature value, and the first signature value is written into the first field of the hardware certificate; The hardware certificate is signed using the first private key according to the hardware certificate signing request; Send the signed hardware certificate to the first computing participant; A handshake request is sent to the client based on a predetermined computing task, so that the client sends an identity certificate in response to the handshake request; the client is a virtual client that integrates multiple computing participants according to the predetermined computing task. Receive the identity certificate sent by the client, and obtain the first signature value, the second signature value, and the third signature value from the predetermined fields of the identity certificate; Retrieve pre-stored data records from the database, the data records being associated with the client; The data records are used to verify the first signature value, the second signature value, and the third signature value; Wherein, the second signature value is generated based on the first signature value, and the third signature value is generated based on the first signature value and the second signature value; the identity certificate includes an algorithm certificate; in the algorithm certificate, the first signature value in the predetermined fields is a hardware hash signature value, the second signature value is a platform hash signature value, and the third signature value is an algorithm hash signature value; the identity certificate also includes a data certificate; in the data certificate, the first signature value in the predetermined fields is a hardware hash signature value, the second signature value is a platform hash signature value, and the third signature value is a data hash signature value, or a hash signature value of data, data IP, and data field.

2. The method according to claim 1, characterized in that, The method further includes: verifying the data record after it passes verification. Send computing task information to the computing participants involved in the computing task so that each computing participant can return a task certificate signing request based on the computing task information; The system receives task certificate signing requests from computing participants, issues task certificates through a task certification authority, and sends them to each computing participant so that each participant can use the task certificate to perform the computing task.

3. The method according to claim 2, characterized in that, The method further includes: Receive platform instance information, platform hash value, hardware hash value, and platform certificate signing request sent by the second computing participant; the platform instance information includes platform information and hardware information of the platform. Based on the platform instance information, the platform instance is confirmed to be an available platform instance, and the platform hash value and hardware hash value are stored as a record in the database. The platform hash value is signed using a second private key to obtain a second signature value; The hardware hash value is signed using the first private key to obtain the first signature value; Write the first signature value into the first field of the platform certificate, and write the second signature value into the second field of the platform certificate; The platform certificate is signed using a second private key according to the platform certificate signing request; Send the signed platform certificate to the second computing participant.

4. The method according to claim 3, characterized in that, The method further includes: The system receives algorithm instance information, algorithm hash value, platform hash value, hardware hash value, and algorithm certificate signing request from a third computing participant. The algorithm instance information includes algorithm information, platform information on which the algorithm is implemented, and hardware information on which the platform is implemented. Based on the algorithm instance information, the algorithm instance is confirmed to be a usable algorithm instance, and the algorithm hash value, platform hash value, and hardware hash value are stored as a record in the database. The hash value of the algorithm is signed using a third private key to obtain a third signature value. The platform hash value is signed using a second private key to obtain a second signature value; The hardware hash value is signed using the first private key to obtain the first signature value; Write the first signature value into the first field of the algorithm certificate, write the second signature value into the second field of the algorithm certificate, and write the third signature value into the third field of the algorithm certificate; The algorithm certificate is signed using a third private key according to the algorithm certificate signing request; Send the signed algorithm certificate to the third computing participant; The first computing participant, the second computing participant, and the third computing participant may be the same computing participant or different computing participants.

5. The method according to claim 3, characterized in that, The method further includes: The system receives data instance information, data hash value, platform hash value, hardware hash value, and data certificate signing request from the data provider. The data instance information includes data information, platform information storing the data, and hardware information running on the platform. The data information includes data, data IP address, and data fields. Based on the data instance information, the data instance is confirmed to be a usable data instance, and the data hash value, platform hash value, and hardware hash value are stored as a record in the database. The data hash value is signed using a third private key to obtain a third signature value. The platform hash value is signed using a second private key to obtain a second signature value; The hardware hash value is signed using the first private key to obtain the first signature value; Write the first signature value into the first field of the data certificate, write the second signature value into the second field of the data certificate, and write the third signature value into the third field of the data certificate; The data certificate is signed using a third private key according to the data certificate signing request; Send the signed data certificate to the data provider.

6. An authentication device for multi-party data computation, characterized in that, The device, used in a monitoring server, includes: The request module is used to send a handshake request to the client based on a predetermined computing task, so that the client can send an identity certificate according to the handshake request; the client is a virtual client that integrates multiple computing participants according to the predetermined computing task. The signature value acquisition module is used to receive the identity certificate sent by the client and obtain the first signature value, the second signature value and the third signature value from the predetermined fields of the identity certificate; The verification module is used to retrieve pre-stored data records from the database, the data records being associated with the client; and to verify the first signature value, the second signature value, and the third signature value using the data records. It also includes a module for receiving hardware information, hardware hash value, and hardware certificate signing request sent by the first computing participant. The module is further configured to confirm that the hardware is usable based on the hardware information and store the hardware hash value in a database; sign the hardware hash value using a first private key to obtain a first signature value and write the first signature value into a first field of the hardware certificate; sign the hardware certificate using the first private key according to the hardware certificate signing request; and send the signed hardware certificate to the first computing participant. Wherein, the second signature value is generated based on the first signature value, and the third signature value is generated based on the first signature value and the second signature value; the identity certificate includes an algorithm certificate; in the algorithm certificate, the first signature value in the predetermined fields is a hardware hash signature value, the second signature value is a platform hash signature value, and the third signature value is an algorithm hash signature value; the identity certificate also includes a data certificate; in the data certificate, the first signature value in the predetermined fields is a hardware hash signature value, the second signature value is a platform hash signature value, and the third signature value is a data hash signature value, or a hash signature value of data, data IP, and data field.