A data transmission method, apparatus and device

By using blockchain-based decentralized identity identification and selective disclosure algorithms, and providing only partial identity attribute information for encrypted data transmission, the security and privacy issues in data transmission are resolved, achieving an efficient data transmission solution.

CN119544348BActive Publication Date: 2026-07-07AGRICULTURAL BANK OF CHINA

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
AGRICULTURAL BANK OF CHINA
Filing Date
2024-11-29
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

In existing technologies, there are problems with the security and privacy protection of data transmission. In particular, the risk of key leakage is high when using symmetric encryption algorithms, asymmetric encryption algorithms consume a lot of resources in scenarios with multiple data receivers, and attribute encryption requires providing full identity attribute information, which leads to the risk of privacy leakage.

Method used

It adopts a decentralized identity identifier based on blockchain, verifies user identity through a selective disclosure algorithm, provides only partial identity attribute information related to the generation of attribute private keys, and transmits data using attribute encryption. It leverages the immutability and decentralized identity identifier of blockchain to protect user privacy.

Benefits of technology

It effectively ensures the authenticity and privacy of user identity information, improves the security of data transmission, reduces resource and time overhead, and is suitable for data transmission in one-to-many scenarios.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN119544348B_ABST
    Figure CN119544348B_ABST
Patent Text Reader

Abstract

The application discloses a data transmission method, device and equipment. A first node of a block chain acquires a decentralized identity identifier, which is used to indicate the authenticity of the identity attribute of the first node. The first node verifies the identity of a user based on a selective disclosure algorithm and the decentralized identity identifier. The selective disclosure algorithm indicates that the user only provides part of the identity attribute information related to the attribute private key generation. The data of the user is transmitted through the first node. The first node sends the second data of the user after attribute encryption and the corresponding attribute private key to a second node of the block chain for the user who passes the verification. The attribute private key is used to decrypt the second data. In this way, the user can be provided with a decentralized identity identifier on the basis of the block chain. The user provides part of the identity attribute information related to the attribute private key generation based on this. The authenticity and privacy of the identity attribute information of the user are guaranteed. Therefore, the security of data transmission is improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of data processing technology, and in particular to a data transmission method, apparatus, and device. Background Technology

[0002] With the development of information technology, there are increasingly more scenarios requiring data transmission. For industries such as banking, a great deal of important data needs to be transmitted continuously. Therefore, the security and privacy protection of data transmission have become important areas of concern and research.

[0003] Currently, encrypting data before transmission can improve data transmission security to some extent. However, symmetric encryption algorithms can lead to key leaks and have relatively low security, making them vulnerable to cracking. Traditional asymmetric encryption algorithms, especially in scenarios with multiple data receivers, require significant resources for encryption and decryption, making them difficult to handle. Attribute encryption can address these issues to some extent. However, it typically requires providing the user's full identity attributes, which compromises privacy and poses a risk of leakage. Furthermore, since the user provides their own identity information, its authenticity is questionable. Summary of the Invention

[0004] To address the aforementioned technical issues, this application provides a data transmission method, apparatus, and device that can provide users with decentralized identity identifiers based on blockchain. Based on this, users can provide partial identity attribute information related to the generation of attribute private keys, thereby ensuring the authenticity and privacy of users' identity attribute information and improving the security of data transmission.

[0005] To achieve the above objectives, the technical solution provided in this application is as follows:

[0006] In a first aspect, this application provides a data transmission method, the method comprising:

[0007] The first node of the blockchain obtains a decentralized identity (DID), which is used to indicate the authenticity of the first node's identity attributes;

[0008] The first node verifies the user's identity based on a selective disclosure algorithm and the decentralized identity identifier. The selective disclosure algorithm instructs the user to provide only partial identity attribute information related to the generation of the attribute private key. The user's data is transmitted through the first node.

[0009] For a verified user, the first node sends the user's first data, encrypted with attributes, as second data along with the corresponding attribute private key to the second node of the blockchain. The attribute private key is used to decrypt the second data.

[0010] Optionally, the decentralized identity identifier includes a Verifiable Presentation (VP) and a Verifiable Claim (VC).

[0011] Optionally, the selective disclosure algorithm is a Merkle tree-based selective disclosure algorithm, and the user identity verification includes:

[0012] The first node verifies the validity of Merklegen's digital signature;

[0013] The first node determines whether the summary information of the identity attribute information disclosed by Merklegen and the user is equal, wherein the identity attribute information disclosed by the user includes the VP.

[0014] Optionally, the process by which the first node obtains the second data includes:

[0015] The first node performs attribute encryption on the first data based on the access structure of the public key and the identity attribute information disclosed by the user, and obtains the second data.

[0016] Optionally, the method further includes:

[0017] If the identity attribute information disclosed by the second node matches the access structure, the second node decrypts the second data based on the attribute private key and the public key to obtain the first data.

[0018] Optionally, the process by which the first node obtains the attribute private key includes:

[0019] The first node obtains the attribute private key based on the VC and the master private key corresponding to the public key using a key generation algorithm.

[0020] Secondly, this application also provides a data transmission device applied to a first node of a blockchain, the device comprising:

[0021] An acquisition unit is used to acquire a decentralized identity identifier, which is used to indicate the authenticity of the identity attributes of the first node;

[0022] The verification unit is used to verify the user's identity based on the selective disclosure algorithm and the decentralized identity identifier. The selective disclosure algorithm instructs the user to provide only partial identity attribute information related to the generation of the attribute private key. The user's data is transmitted through the first node.

[0023] The sending unit is used to send the user's first data, encrypted with attributes, and the corresponding attribute private key to the second node of the blockchain for verified users. The attribute private key is used to decrypt the second data.

[0024] Optionally, the decentralized identity includes VP and VC.

[0025] Optionally, the selective disclosure algorithm is a Merkle tree-based selective disclosure algorithm, and the verification unit is specifically used for:

[0026] Verify the validity of Merkelgen's digital signature;

[0027] Determine whether the summary information of the identity attribute information disclosed by Merkelgen and the user is equal, wherein the identity attribute information disclosed by the user includes the VP.

[0028] Optionally, the device further includes: an encryption unit;

[0029] The encryption unit is used to perform attribute encryption on the first data based on the access structure of the public key and the identity attribute information disclosed by the user, so as to obtain the second data.

[0030] Optionally, the apparatus further includes: a key generation unit;

[0031] The key generation unit is used to obtain the attribute private key based on the VC and the master private key corresponding to the public key, using a key generation algorithm.

[0032] Optionally, the device is also applied to a second node of the blockchain, and the device further includes:

[0033] The decryption unit is used to decrypt the second data based on the attribute private key and the public key to obtain the first data if the identity attribute information disclosed by the second node matches the access structure.

[0034] It should be noted that the specific implementation method of the device and the technical effects achieved can be found in the relevant description of the method provided in the first aspect or any implementation method of the first aspect.

[0035] Thirdly, this application also provides an electronic device, which includes: a processor and a memory;

[0036] The memory is used to store instructions or programs;

[0037] The processor is configured to execute the instructions or programs in the memory to cause the electronic device to perform the method provided by the first aspect or any implementation thereof.

[0038] Fourthly, this application also provides a readable medium storing instructions or programs that, when executed on a processor, cause the processor to perform the method provided by the first aspect or any implementation thereof.

[0039] Compared with the prior art, the embodiments of this application have at least the following advantages:

[0040] The technical solution provided in this application offers a data transmission method, which may include, for example, the following steps: First, the first node of the blockchain obtains a decentralized identity identifier, which indicates the authenticity of the first node's identity attributes. Next, the first node verifies the user's identity based on a selective disclosure algorithm and the decentralized identity identifier. The selective disclosure algorithm instructs the user to provide only partial identity attribute information related to the generation of the attribute private key, and the user's data is transmitted through the first node. Then, for verified users, the first node sends the user's first data, encrypted with attributes, as second data along with the corresponding attribute private key to the second node of the blockchain. The attribute private key is used to decrypt the second data. In this way, by utilizing the immutability, traceability, and anti-counterfeiting characteristics of blockchain, the authenticity of the user's identity attribute information can be effectively guaranteed. The selective disclosure algorithm based on the decentralized identity identifier allows the user to provide only partial identity attribute information related to the generation of the attribute private key, without disclosing the full amount of identity attribute information, thus avoiding the leakage of the user's identity attribute information and effectively protecting the privacy of the user's identity attribute information. Furthermore, using attribute encryption to encrypt the data to be transmitted improves the security of data transmission in one-to-many scenarios and reduces resource and time overhead. Attached Figure Description

[0041] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0042] Figure 1 A flowchart illustrating an example of a data transmission method provided in this application embodiment;

[0043] Figure 2A flowchart illustrating a data transmission method provided in an embodiment of this application;

[0044] Figure 3 A schematic diagram illustrating user identity management as provided in an embodiment of this application;

[0045] Figure 4 A schematic diagram illustrating the disclosure of user identity attribute information as provided in an embodiment of this application;

[0046] Figure 5 This is a flowchart illustrating the current attribute encryption algorithm.

[0047] Figure 6 A flowchart illustrating an attribute private key generation method provided in an embodiment of this application;

[0048] Figure 7 This is a schematic diagram of the structure of a data transmission device 700 provided in an embodiment of this application;

[0049] Figure 8 This is a schematic diagram of the structure of an electronic device 800 provided in an embodiment of this application. Detailed Implementation

[0050] Taking the transmission methods of important data in the banking industry as an example, this paper introduces the data transmission methods currently in use.

[0051] Currently, data is mostly encrypted using either symmetric or asymmetric encryption algorithms. Taking the SM4 algorithm as an example of symmetric encryption, SM4 is a block cipher algorithm that uses a 128-bit key and a 128-bit block size. It encrypts and decrypts data through 32 rounds of iteration and a series of permutations, substitutions, and XOR operations. The same key is used for both encryption and decryption, and both parties involved in the data transmission must transmit the key simultaneously with the ciphertext. It is evident that symmetric encryption algorithms suffer from difficulties in key exchange and key leakage, resulting in low security and the risk of being cracked. Taking the SM2 algorithm as an example of asymmetric encryption, SM2 is an asymmetric cryptographic algorithm based on elliptic curves. Both parties involved in the data transmission hold encryption and decryption keys respectively. The encryptor uses the encryption key (also called the public key) to encrypt the data, and the decryptor uses the decryption key (also called the private key) to decrypt the data. When there are multiple data receivers, the encryptor needs to use the corresponding public key to perform the encryption operation on the data for each receiver, and each receiver, as a decryptor, needs to obtain the corresponding private key. Although asymmetric encryption algorithms have good security, in scenarios with multiple data recipients, a lot of resources are required to calculate the ciphertext for each user separately, resulting in a serious waste of computing and time resources.

[0052] For scenarios such as banking, where a lot of important data needs to be transmitted securely, such as the sharing and transmission of data between industry anti-fraud platforms, ensuring the authenticity, integrity, and availability of important data while guaranteeing the authenticity and privacy of users' identity attributes and reducing the resource and time costs of encryption and decryption during data transmission has become an important and urgent problem to be solved.

[0053] Based on this, embodiments of this application provide a data transmission method, which may include, for example, the following: First, a first node of the blockchain obtains a decentralized identity identifier, which is used to indicate the authenticity of the first node's identity attributes; then, the first node verifies the user's identity based on a selective disclosure algorithm and the decentralized identity identifier, wherein the selective disclosure algorithm instructs the user to provide only the partial identity attribute information related to the generation of the attribute private key, and the user's data is transmitted through the first node; then, for users who have passed verification, the first node sends the user's first data, encrypted with attributes, as second data and the corresponding attribute private key to a second node of the blockchain, wherein the attribute private key is used to decrypt the second data.

[0054] In this way, by leveraging the immutability, traceability, and anti-counterfeiting characteristics of blockchain, the authenticity of users' identity attribute information can be effectively guaranteed. Based on decentralized identity identification, a selective disclosure algorithm is implemented, where users provide partial identity attribute information related to the generation of attribute private keys, without disclosing the full amount of identity attribute information, thus avoiding the leakage of users' identity attribute information and effectively protecting the privacy of users' identity attribute information. In addition, using attribute encryption to encrypt the data to be transmitted can improve the security of data transmission in one-to-many scenarios and reduce resource and time overhead.

[0055] It should be noted that the entity implementing this data transmission method can be the data transmission device provided in the embodiments of this application. This data transmission device can be housed in an electronic device or a functional module of an electronic device.

[0056] The following section introduces and explains some technical terms involved in the embodiments of this application.

[0057] Blockchain refers to a chain-like data structure that combines all blocks in a sequential manner according to their creation time. It has the characteristics of decentralization, immutability, anti-counterfeiting, and traceability. Based on different requirements for the permissions of participants, it can be divided into three types: public chain, consortium chain, and private chain.

[0058] Decentralized identity authentication, following centralized and consortium identity authentication, is an identity authentication method developed based on blockchain. Users control their own identity information, and authentication is completed using decentralized identity identifiers. It features security, controllability, and decentralization. A decentralized identity identifier can be understood as a file including VP (Verification Provider) and VC (Value Provider).

[0059] Selective disclosure is a practice where, for security and privacy reasons, users do not provide all the information when submitting information, but instead provide only the necessary information based on the principle of minimization.

[0060] Attribute encryption, a type of public-key encryption, achieves one-to-many encryption and decryption by associating ciphertext and a key with a set of attributes and an access structure. It also enables fine-grained control over data, giving the data owner complete control. Depending on the associated objects, it can be divided into ciphertext-based attribute encryption and key-based attribute encryption. A user can successfully decrypt the ciphertext only if their attribute set satisfies the ciphertext's access structure.

[0061] To make the methods provided in the embodiments of this application clearer, the following is combined with Figure 1 This application describes the units included in the data transmission apparatus provided in the embodiments of the present application, as well as the main steps implemented by each unit.

[0062] like Figure 1 As shown, the data transmission device may include at least: a blockchain infrastructure unit, a user identity management unit, a user attribute disclosure unit, and a privacy data protection unit. This embodiment may include, for example: S1, the blockchain infrastructure unit establishes a consortium blockchain; S2, the user identity management unit distributes decentralized identity identifiers; S3, the user identity management unit grants user identity information; S4, the user attribute disclosure unit constructs a verifiable credential (VP); S5, the initialization module of the privacy data protection unit generates a public key and a master private key; S6, the encryption module of the privacy data protection unit performs attribute encryption as described in this embodiment; S7, the attribute private key generation module of the privacy data protection unit generates an attribute private key; S8, the decryption module of the privacy data protection unit performs attribute decryption as described in this embodiment.

[0063] The blockchain infrastructure unit leverages the immutability, traceability, and anti-counterfeiting characteristics of blockchain to effectively assist administrators in managing user identities. For scenarios involving critical banking data, considering that such data often occurs between fixed institutions or individuals, this embodiment employs a consortium blockchain as the underlying infrastructure platform in S1.

[0064] For S2, decentralized identity authentication is a new type of identity verification method built on blockchain. It can effectively guarantee the authenticity and validity of the holder's identity attributes, and has decentralized characteristics. (See below) Figure 3 As shown in this embodiment, administrators distribute decentralized identity tokens to participating users and assign corresponding roles (i.e., user identity information in S3). Users can generate verifiable claims (i.e., VCs) as needed.

[0065] For S4, in traditional attribute encryption, users need to provide complete identity attribute information to generate a decryption key. However, the authenticity of user identity information is difficult to guarantee during this process, and there is a risk of identity information leakage. Therefore, this application's embodiment adopts a selective disclosure algorithm based on Merkle trees. Users only need to provide the partial identity attribute information necessary for key generation, without providing all identity attribute information, thereby protecting the privacy of identity attribute information. In this way, the strong collision property based on the hash algorithm and the decentralized identity identifier established based on the blockchain can effectively prove the authenticity of the user's identity. For details, please refer to... Figure 4 And related examples.

[0066] For S5 to S8, the privacy data protection unit primarily employs a ciphertext policy attribute-based encryption algorithm to encrypt and decrypt the data to be transmitted. For details, please refer to... Figure 5 as well as Figure 6 And related descriptions.

[0067] visible, Figure 1 The data transmission device shown is designed for critical data transmission in the banking industry, particularly in scenarios where one party sends data and multiple parties receive it. Using blockchain as the infrastructure platform, a consortium blockchain is built within the scope of data knowledge. A decentralized identity identifier is distributed to each participant, and relevant management departments endorse the participants' identity attributes. An attribute encryption algorithm based on a ciphertext policy is used to encrypt the data, generating ciphertext. Participants provide their attribute information to obtain a decryption key (i.e., the attribute private key mentioned in this paper). The decryption key is used to decrypt the ciphertext to obtain the original data, completing the privacy-preserving data transmission. In this way, data security, user privacy, and encryption / decryption efficiency are balanced, providing a superior data transmission solution for scenarios such as the secure transmission of critical banking data.

[0068] Figure 2 This is a schematic flowchart illustrating a data transmission method provided in an embodiment of this application. This method can be applied to a data transmission device, which may include, for example, [example of such a device]. Figure 1 , or below Figure 7 The data transmission device 700 shown is shown.

[0069] like Figure 2As shown, the method may include, for example, the following S201 to S203:

[0070] S201, the first node of the blockchain obtains a decentralized identity identifier, which is used to indicate the authenticity of the first node's identity attributes.

[0071] Decentralized identity identifiers can include, but are not limited to, verifiable credentials (VP) and verifiable claims (VC). As an example, such as... Figure 3 As shown, the first node may be, for example, the data owner, and S201 may include: a VC issued by the administrator and received by the data owner from the administrator; and a VP provided by the data user and received by the data owner from the data user.

[0072] It should be noted that the terms "manager", "data owner", and "data user" in the embodiments of this application are merely simplified terms given for ease of understanding and can all be understood as management or control equipment controlled or operated by a person.

[0073] S202, the first node verifies the user's identity based on the selective disclosure algorithm and decentralized identity identifier. The selective disclosure algorithm instructs the user to provide only the partial identity attribute information related to the generation of the attribute private key, and the user's data is transmitted through the first node.

[0074] As an example, if the selective disclosure algorithm is a Merkle tree-based selective disclosure algorithm, verifying the user's identity in S202 may include: verifying the validity of the digital signature of the Merkle root; and determining whether the digest information of the Merkle root and the identity attribute information disclosed by the user are equal, wherein the identity attribute information disclosed by the user includes VP.

[0075] For example, such as Figure 4 As shown, taking a user's decentralized identity identifier, C3, as an example, C3 could be the user's VP. Based on the selective disclosure algorithm, the user can provide only {C3, Salt3, Hash12, Hash4, MerkleRoot, Sig(T)}, without needing to provide complete identity attribute information. Here, Salt3 can be understood as the user's salt value, used to ensure the security of the information provided by the user; MerkleRoot is the Merkle root; and Sig(T) is the digital signature of Sig(T). Therefore, the verification process in S202 can include: the data owner verifying the validity of Sig(T) and determining whether MerkleRoot is equal to Hash(Hash(Hash(C3||Salt3)||Hash4)||Hash12), thus verifying the authenticity and correctness of the user's identity.

[0076] S203, for verified users, the first node sends the user's first data (encrypted with attributes) and the corresponding attribute private key to the second node of the blockchain. The attribute private key is used to decrypt the second data.

[0077] As an example, prior to S203, the method may further include: the first node obtaining the second data and the corresponding attribute private key. The process of the first node obtaining the second data may, for example, include: the first node performing attribute encryption on the first data based on the public key and the access structure of the user's disclosed identity attribute information to obtain the second data. The process of the first node obtaining the attribute private key may, for example, include: the first node obtaining the attribute private key based on the VC and the master private key corresponding to the public key, using a key generation algorithm.

[0078] Following S203, for the second node that receives the second data and the corresponding attribute private key, the method may further include: if the identity attribute information disclosed by the second node matches the access structure, then the second data is decrypted based on the attribute private key and the public key to obtain the first data.

[0079] like Figure 5 As shown, the execution process of the traditional ciphertext policy attribute encryption algorithm can include: (1) The administrator executes Setup()→(PK,MSK), using implicit security parameters (which can be random numbers) as input, to generate a public key PK and a master private key MSK for the data owner. MSK is managed by the administrator and sent to the data owner; (2) The data owner executes the encryption algorithm Encrypt(PK,M,AS)→CT, where AS is the access structure set by the data owner for the plaintext data M as needed, and uses the public key PK to encrypt M to generate ciphertext CT, and sends the ciphertext CT to the data user; (3) The administrator obtains Attr (e.g., the data user's VC) from the data user, and executes the key generation algorithm KeyGen(MSK,Attr)→SK to obtain the attribute private key SK, and then sends SK to the data user; (4) After obtaining the attribute private key SK and the ciphertext CT, the data receiver uses the decryption algorithm Decrypt(PK,CT,SK)→M to decrypt the ciphertext and obtain the original plaintext M. It is evident that having administrators participate in the calculation and transmission of public and attribute private keys during this process is neither convenient nor secure.

[0080] The execution process of the ciphertext policy attribute encryption algorithm provided in this application embodiment can be found, for example, in [reference needed]. Figure 6As shown, the process may include: 1. The data user provides a VP to the data owner; 2. The data owner verifies the VP; 3. After verification, the data owner executes the key generation algorithm KeyGen(MSK,Attr)→SK to obtain the attribute private key SK; 4. The data owner sends SK to the data user. It can be seen that in traditional attribute encryption, (3) requires the data user to provide the data owner or administrator with their complete identity attribute information in order to generate an attribute private key for themselves. The authenticity and privacy of the user's identity attribute information are difficult to guarantee. In this embodiment, the user generates a verifiable declaration VC based on the selective disclosure algorithm and submits it to the data owner. The data owner uses the blockchain to verify the VC submitted by the user and generates an attribute private key for it. It should be noted that the user in this embodiment can be understood as a data user or a second node, or an account that carries information and interacts with the outside world.

[0081] It should be noted that the data user can only correctly decrypt and obtain the original ciphertext when the identity attribute information provided by the data user meets the access structure set by the data owner. Therefore, it can be understood that the embodiments of this application also have access control functions.

[0082] As can be seen, this method constructs a user identity management platform based on blockchain, distributing decentralized identity identifiers to users and declaring corresponding identity information through this platform. The decentralized identity identifiers are combined with a ciphertext policy attribute-based encryption algorithm, and a selective disclosure algorithm is used to generate a decryption key (i.e., attribute private key) for users while protecting the privacy of their identity attribute information, thus completing secure data transmission. In cases such as the secure transmission of important data in the banking industry, especially in scenarios involving multiple data recipients (or data users), this application's embodiments solve the high resource consumption problem caused by multiple encryptions in traditional encryption algorithms. It not only protects data confidentiality, security, and availability but also ensures the authenticity and privacy of users' identity attribute information.

[0083] Accordingly, embodiments of this application also provide a data transmission device 700, such as... Figure 7 As shown. The device 700 is used as the first node in a blockchain, and the device 700 may include:

[0084] The acquisition unit 701 is used to acquire a decentralized identity identifier, which is used to indicate the authenticity of the identity attribute of the first node;

[0085] Verification unit 702 is used to verify the user's identity based on a selective disclosure algorithm and the decentralized identity identifier. The selective disclosure algorithm instructs the user to provide only partial identity attribute information related to the generation of the attribute private key. The user's data is transmitted through the first node.

[0086] The sending unit 703 is used to send the user's first data encrypted with attributes, the second data, and the corresponding attribute private key to the second node of the blockchain for the verified user. The attribute private key is used to decrypt the second data.

[0087] Optionally, the decentralized identity includes VP and VC.

[0088] Optionally, the selective disclosure algorithm is a Merkle tree-based selective disclosure algorithm, and the verification unit 702 is specifically used for:

[0089] Verify the validity of Merkelgen's digital signature;

[0090] Determine whether the summary information of the identity attribute information disclosed by Merkelgen and the user is equal, wherein the identity attribute information disclosed by the user includes the VP.

[0091] Optionally, the device 700 further includes: an encryption unit;

[0092] The encryption unit is used to perform attribute encryption on the first data based on the access structure of the public key and the identity attribute information disclosed by the user, so as to obtain the second data.

[0093] Optionally, the device 700 further includes: a key generation unit;

[0094] The key generation unit is used to obtain the attribute private key based on the VC and the master private key corresponding to the public key, using a key generation algorithm.

[0095] Optionally, the device 700 is also applied to a second node of the blockchain, and the device 700 further includes:

[0096] The decryption unit is used to decrypt the second data based on the attribute private key and the public key to obtain the first data if the identity attribute information disclosed by the second node matches the access structure.

[0097] It should be noted that the specific implementation of the device 700 and the technical effects it achieves can be found in the relevant descriptions in the methods provided in the embodiments of this application.

[0098] In addition, this application also provides an electronic device, the device including a processor and a memory: the memory is used to store instructions or computer programs; the processor is used to execute the instructions or computer programs in the memory so that the electronic device performs any implementation of the method provided in this application.

[0099] See Figure 5 This diagram illustrates a structural schematic of an electronic device 800 suitable for implementing embodiments of the present disclosure. The terminal devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and fixed terminals such as digital TVs and desktop computers. Figure 8 The electronic device shown is merely an example and should not be construed as limiting the functionality and scope of the embodiments disclosed herein.

[0100] like Figure 8 As shown, the electronic device 800 may include a processing device (e.g., a central processing unit, a graphics processor, etc.) 801, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 802 or a program loaded from a storage device 808 into a random access memory (RAM) 803. The RAM 803 also stores various programs and data required for the operation of the electronic device 800. The processing device 801, ROM 802, and RAM 803 are interconnected via a bus 804. An input / output (I / O) interface 805 is also connected to the bus 804.

[0101] Typically, the following devices can be connected to I / O interface 805: input devices 806 including, for example, touchscreens, touchpads, keyboards, mice, cameras, microphones, accelerometers, gyroscopes, etc.; output devices 807 including, for example, liquid crystal displays (LCDs), speakers, vibrators, etc.; storage devices 808 including, for example, magnetic tapes, hard disks, etc.; and communication devices 809. Communication device 809 allows electronic device 800 to communicate wirelessly or wiredly with other devices to exchange data. Although Figure 8 An electronic device 800 with various devices is shown; however, it should be understood that it is not required to implement or possess all of the devices shown. More or fewer devices may be implemented or possessed alternatively.

[0102] In particular, according to embodiments of this disclosure, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this disclosure include a computer program product comprising a computer program carried on a non-transitory computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device 809, or installed from a storage device 808, or installed from a ROM 802. When the computer program is executed by a processing device 801, it performs the functions defined in the methods of embodiments of this disclosure.

[0103] The electronic device provided in this embodiment belongs to the same inventive concept as the method provided in the above embodiments. Technical details not described in detail in this embodiment can be found in the above embodiments, and this embodiment has the same beneficial effects as the above embodiments.

[0104] This application also provides a computer-readable medium storing instructions or a computer program that, when executed on a device, causes the device to perform any implementation of the method provided in this application.

[0105] It should be noted that the computer-readable medium described in this disclosure can be a computer-readable signal medium or a computer-readable storage medium, or any combination thereof. A computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this disclosure, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in connection with an instruction execution system, apparatus, or device. In this disclosure, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A computer-readable signal medium can be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to: wires, optical fibers, RF (radio frequency), etc., or any suitable combination thereof.

[0106] In some implementations, clients and servers can communicate using any currently known or future-developed network protocol such as HTTP (Hypertext Transfer Protocol) and can interconnect with digital data communication (e.g., communication networks) of any form or medium. Examples of communication networks include local area networks (“LANs”), wide area networks (“WANs”), the Internet (e.g., the Internet of Things), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future-developed networks.

[0107] The aforementioned computer-readable medium may be included in the aforementioned electronic device; or it may exist independently and not assembled into the electronic device.

[0108] The aforementioned computer-readable medium carries one or more programs, which, when executed by the electronic device, enable the electronic device to perform the aforementioned methods.

[0109] Computer program code for performing the operations of this disclosure can be written in one or more programming languages ​​or a combination thereof, including but not limited to object-oriented programming languages ​​such as Java, Smalltalk, and C++, as well as conventional procedural programming languages ​​such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a local area network (LAN) or a wide area network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).

[0110] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this disclosure. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0111] The units described in the embodiments of this disclosure can be implemented in software or hardware. The names of the units / modules do not necessarily limit the specific unit itself.

[0112] The functions described above in this document can be performed, at least in part, by one or more hardware logic components. For example, exemplary types of hardware logic components that can be used, without limitation, include: Field Programmable Gate Arrays (FPGAs), Application-Specific Integrated Circuits (ASICs), Application Standard Products (ASSPs), System-on-Chip (SoCs), Complex Programmable Logic Devices (CPLDs), and so on.

[0113] In the context of this disclosure, a machine-readable medium can be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device. A machine-readable medium can be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium can be, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.

[0114] It should be noted that the various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the systems or apparatus disclosed in the embodiments, since they correspond to the methods disclosed in the embodiments, the descriptions are relatively simple, and relevant parts can be referred to the method section.

[0115] It should be understood that in this application, "at least one (item)" means one or more, and "more than" means two or more. "And / or" is used to describe the relationship between related objects, indicating that three relationships can exist. For example, "A and / or B" can represent three cases: only A exists, only B exists, and both A and B exist simultaneously, where A and B can be singular or plural. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. "At least one (item) of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one (item) of a, b, or c can represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, and c can be single or multiple.

[0116] It should also be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0117] The steps of the methods or algorithms described in conjunction with the embodiments disclosed herein can be implemented directly by hardware, a software module executed by a processor, or a combination of both. The software module can be located in random access memory (RAM), main memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art.

[0118] It should be noted that this application embodiment does not involve sensitive user information; all user-related information is obtained, used, and determined only after user authorization. In one example, before obtaining user-related information, the corresponding interface displays a prompt regarding authorization for data acquisition and use. This prompt informs the user, in accordance with relevant laws and regulations, of the type, scope of use, and usage scenarios of the personal information involved in this disclosure through an appropriate means, so that the user can determine whether to agree to the authorization based on the prompt. It is understood that the above notification and user authorization acquisition process is merely illustrative and does not constitute a limitation on the implementation of this disclosure. Other methods that comply with relevant laws and regulations can also be applied to the implementation of this disclosure.

[0119] The above description of the disclosed embodiments enables those skilled in the art to make or use this application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this application. Therefore, this application is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims

1. A data transmission method, characterized in that, The method includes: The first node of the blockchain obtains a decentralized identity identifier, which is used to indicate the authenticity of the first node's identity attributes. The decentralized identity identifier includes a verifiable credential (VP) and a verifiable statement (VC). The first node verifies the user's identity based on a selective disclosure algorithm and the decentralized identity identifier. The selective disclosure algorithm instructs the user to provide only partial identity attribute information related to the generation of the attribute private key. The user's data is transmitted through the first node. The first node encrypts the first data based on the access structure of the public key and the identity attribute information disclosed by the user to obtain the second data, wherein the identity attribute information disclosed by the user includes the VP; The first node obtains the attribute private key based on the master private key corresponding to the VC and the public key using a key generation algorithm; For a verified user, the first node sends the user's first data, encrypted with attributes, as second data along with the corresponding attribute private key to the second node of the blockchain. The attribute private key is used to decrypt the second data.

2. The method according to claim 1, characterized in that, The selective disclosure algorithm is a Merkle tree-based selective disclosure algorithm, and the user identity verification includes: The first node verifies the validity of Merklegen's digital signature; The first node determines whether the summary information of the identity attribute information disclosed by Merklegen and the user is equal, wherein the identity attribute information disclosed by the user includes the VP.

3. The method according to claim 1, characterized in that, The method further includes: If the identity attribute information disclosed by the second node matches the access structure, the second data is decrypted based on the attribute private key and the public key to obtain the first data.

4. A data transmission device, characterized in that, The device, used as the first node in a blockchain, includes: The acquisition unit is used to acquire a decentralized identity identifier, which is used to indicate the authenticity of the identity attribute of the first node. The decentralized identity identifier includes a verifiable credential (VP) and a verifiable declaration (VC). The verification unit is used to verify the user's identity based on the selective disclosure algorithm and the decentralized identity identifier. The selective disclosure algorithm instructs the user to provide only partial identity attribute information related to the generation of the attribute private key. The user's data is transmitted through the first node. An encryption unit is used by the first node to encrypt the first data based on the access structure of the public key and the identity attribute information disclosed by the user, to obtain the second data, wherein the identity attribute information disclosed by the user includes the VP; A key generation unit is used by the first node to obtain the attribute private key based on the master private key corresponding to the VC and the public key using a key generation algorithm; The sending unit is used to send the user's first data, encrypted with attributes, and the corresponding attribute private key to the second node of the blockchain for verified users. The attribute private key is used to decrypt the second data.

5. An electronic device, characterized in that, The electronic device includes: a processor and a memory; The memory is used to store instructions or programs; The processor is configured to execute the instructions or program in the memory to cause the electronic device to perform the method according to any one of claims 1-3.

6. A readable medium, characterized in that, The readable medium stores instructions or programs that, when executed on a processor, cause the processor to perform the method according to any one of claims 1-3.