Method, system, medium, and electronic device for performing a task based on multiple agents
By introducing verifiable credentials and verifiable expression mechanisms, a multi-agent identity and authorization system is constructed, which solves the problems of identity legitimacy and task integrity in multi-agent collaborative systems, and realizes highly secure and reliable multi-agent collaborative task execution.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- ALIPAY (HANGZHOU) INFORMATION TECH CO LTD
- Filing Date
- 2026-03-26
- Publication Date
- 2026-07-10
AI Technical Summary
In multi-agent collaborative systems, existing technologies struggle to ensure the legitimacy of each agent's identity, the authenticity of its operations, and the integrity of its tasks during execution. The lack of effective verification and traceability mechanisms results in insufficient system security and credibility.
By introducing verifiable credentials (VC) and verifiable representations (VP) mechanisms, a multi-agent identity and authorization system is constructed. Digital signatures and trusted transmission ensure the legitimacy of each agent's identity and the integrity of the task, enabling the verifiability and traceability of each step. A trustworthy task chain is constructed using linear or branching call relationships.
It enhances the security and trustworthiness of multi-agent collaborative systems, ensures the verifiability and traceability of each step, supports user identity inheritance and authorization constraints, enables efficient execution of complex tasks, and avoids dependence on a central platform.
Smart Images

Figure CN122363781A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to computer technology, and more particularly to a method, system, medium, and electronic device for performing tasks based on multiple agents. Background Technology
[0002] In the current field of artificial intelligence, especially in the application of chain-of-agent systems, the development of AI (Artificial Intelligence) has moved towards a more complex stage of task collaboration. With the gradual maturation of large models (such as the GPT series), AI agents are no longer limited to information processing or content generation, but can perform actual tasks across systems with user authorization.
[0003] At the heart of this trend is "multi-agent collaboration"—that is, multiple AI agents working together based on user needs to gradually complete complex task chains across platforms and trust domains. The application scenarios for this collaborative structure are very broad, including but not limited to automated ordering, shopping, payment, and logistics tracking. User expectations have also shifted from simple "suggestions" to "operations" that can be directly executed by AI. For example, in a smart food delivery system, an AI agent can select restaurants, recommend dishes, place orders, make payments, and even track delivery progress based on user preferences, location, and other information. Summary of the Invention
[0004] The purpose of the embodiments in this specification is to provide a method, system, medium, and electronic device for performing tasks based on multiple agents.
[0005] This specification provides a method for multi-agent task execution, proposing a user identity and authorization mechanism for multi-agent collaborative scenarios. By introducing verifiable credentials (VC) and verifiable representations (VP), it supports complex multi-agent task chains, ensuring the legitimacy of each agent's identity, the authenticity of its operations, and the integrity of its tasks during collaboration. This allows each step in multi-agent collaboration to be verified and traceable, significantly enhancing system security and trustworthiness. A multi-agent identity and authorization system is constructed based on verifiable credentials (VC) and verifiable representations (VP), solidifying each authorization and invocation process into a verifiable, signatureable, and derivable data structure. By treating verifiable representations as new credential units that can be further derived, it naturally supports user identity inheritance, authorization constraints, and accountability traceability in linear multi-agent invocations, without relying on a central platform for post-event arbitration. Therefore, it possesses significant technical advantages in scenarios where multi-agents collaboratively execute complex tasks. The method includes: In response to a user-initiated task instruction, the user equipment generates a first verifiable representation corresponding to the task instruction based on at least one verifiable credential of the user and multiple calling objects associated with the task instruction. The first verifiable representation is digitally signed based on the user's first private key, and the signed first verifiable representation is sent to the current calling object corresponding to the calling object identification sequence. The multiple calling objects include intelligent agents, the first verifiable representation includes the at least one verifiable credential and the calling object identification sequence, and the calling relationship between the multiple calling objects includes a linear calling relationship. The first verifiable expression is signed and verified by the current calling object based on the user's public key. If the verification is successful, it is determined whether the current identifier in the calling object identifier sequence corresponds to the current calling object. If so, the corresponding task is executed based on the context information in the first verifiable expression. If the current calling object is not the last calling object corresponding to the calling object identifier sequence, the calling object identifier sequence is updated. A second verifiable expression is generated based on the updated calling object identifier sequence, the task execution result of the current calling object, and the first verifiable expression. The second verifiable expression is digitally signed based on the second private key of the current calling object, and the signed second verifiable expression is sent to the new current calling object corresponding to the updated calling identifier sequence. This process continues until the new current calling object is the last calling object corresponding to the latest calling identifier sequence. The second verifiable expression includes the first verifiable expression and the updated calling object identifier sequence.
[0006] Furthermore, the method also includes: The user equipment obtains one or more verifiable credentials issued by one or more issuers for the user.
[0007] Furthermore, the method also includes: The issuer verifies the user's identity attributes. If the verification is successful, a corresponding verifiable credential is issued to the user. The verifiable credential is digitally signed using the issuer's private key to obtain the signed verifiable credential, which is then sent to the user's device.
[0008] Further, the step of performing signature verification on the first verifiable representation based on the user's public key using the currently calling object includes: The current calling object performs signature verification on the first verifiable representation based on the user's public key, and performs signature verification on at least one verifiable credential located in the first verifiable representation based on the issuer's public key.
[0009] Further, the step of signing and verifying the first verifiable representation based on the user's public key using the current calling object, and signing and verifying the at least one verifiable credential located in the first verifiable representation based on the issuer's public key, includes: The signature verification is performed by the current calling object based on the user's public key for the first verifiable representation, and by the signature verification of the other verifiable representations based on the public keys of other calling objects that generate other verifiable representations located in the first verifiable representation, and by the signature verification of the at least one verifiable credential located in the first verifiable representation based on the issuer's public key.
[0010] Furthermore, the contextual information in the second verifiable expression includes the task execution result of the currently calling object.
[0011] Furthermore, the plurality of calling objects also includes a service provider, the identifier of which is located at the end of the calling object identifier sequence.
[0012] Further, the step of performing the corresponding task based on the context information in the first verifiable representation includes: The service provider verifies whether the order of the identifiers corresponding to the call object identifier sequence in each verifiable expression in the first verifiable expression is correct. If so, the corresponding task is executed based on the context information in the first verifiable representation.
[0013] Furthermore, the method also includes: For each participant among the issuer of verifiable credentials, the user, and the multiple calling objects, the identity provider registers the participant, binds the participant's distributed identity identifier with the participant's public key, generates the participant's distributed identity document, and publicly stores the distributed identity document.
[0014] Furthermore, the first verifiable representation includes the user's distributed identity identifier, the second verifiable representation includes the distributed identity identifier of the currently invoked object, and the invoked object identifier sequence includes the distributed identity identifiers of the plurality of invoked objects.
[0015] Furthermore, the method also includes: For each participant, obtain the distributed identity identifier of the generator in the currently verifiable representation it receives, obtain the distributed identity document of the generator based on the distributed identity identifier, and obtain the target public key of the generator from the distributed identity document.
[0016] Furthermore, the plurality of calling objects also includes a set of intelligent agents, the set of intelligent agents contains multiple intelligent agents, and the calling relationship between the plurality of calling objects also includes a branching calling relationship or a combined calling relationship.
[0017] Further, updating the call object identifier sequence using the current call object includes: If the next calling object corresponding to the current calling object is determined to be a set of agents based on the calling object identifier sequence, the target agent is determined from the multiple agents contained in the set of agents by the current calling object, and the calling object identifier sequence is updated according to the target agent.
[0018] Further, determining the target agent from among the multiple agents included in the agent set through the current calling object includes: The target agent is determined from among the multiple agents contained in the agent set based on the task execution result of the current calling object.
[0019] Furthermore, the calling object identification sequence includes at least one distributed identity identifier of the calling object and a link address, wherein the link address is used to obtain the distributed identity identifiers of the multiple intelligent agents contained in the intelligent agent set.
[0020] Furthermore, the sequence of call object identifiers includes wildcards, which correspond to any intelligent agent.
[0021] This specification also provides an embodiment of a multi-agent system for performing tasks based on multiple agents, including: User equipment is configured to respond to a task instruction initiated by a user, generate a first verifiable representation corresponding to the task instruction based on at least one verifiable credential of the user and a plurality of calling objects associated with the task instruction, digitally sign the first verifiable representation based on the user's first private key, and send the signed first verifiable representation to the current calling object corresponding to the calling object identification sequence, wherein the plurality of calling objects include intelligent agents, the first verifiable representation includes the at least one verifiable credential and the calling object identification sequence, and the calling relationship between the plurality of calling objects includes a linear calling relationship; The current calling object is used to perform signature verification on the first verifiable expression based on the user's public key. If the verification is successful, it determines whether the current identifier in the calling object identifier sequence corresponds to the current calling object. If so, it executes the corresponding task based on the context information in the first verifiable expression. If the current calling object is not the last calling object corresponding to the calling object identifier sequence, it updates the calling object identifier sequence, generates a second verifiable expression based on the updated calling object identifier sequence, the task execution result of the current calling object, and the first verifiable expression, digitally signs the second verifiable expression based on the second private key of the current calling object, and sends the signed second verifiable expression to the new current calling object corresponding to the updated calling identifier sequence. This process continues until the new current calling object is the last calling object corresponding to the latest calling identifier sequence. The second verifiable expression includes the first verifiable expression and the updated calling object identifier sequence.
[0022] This specification also provides a storage medium storing a computer program adapted to be loaded by a processor and to execute the steps of the method described above.
[0023] This specification also provides an electronic device, including a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to execute the steps of the method described above.
[0024] This specification also provides a computer program product that stores at least one instruction, characterized in that the at least one instruction, when executed by a processor, implements the steps of the above-described method.
[0025] According to the embodiments of this specification, a user identity and authorization mechanism for multi-agent collaborative scenarios is proposed. By introducing verifiable credentials (VC) and verifiable representations (VP), it can support complex multi-agent task chains, ensuring the legitimacy of each agent's identity, the authenticity of its operations, and the integrity of its tasks during the collaboration process. This allows each step in multi-agent collaboration to be verified and traceable, thereby greatly enhancing the security and credibility of the system. Based on verifiable credentials (VC) and verifiable representations (VP), a multi-agent identity and authorization system is constructed, solidifying each authorization and invocation process into a verifiable, signatureable, and derivable data structure. By treating verifiable representations as new credential units that can be further derived, it naturally supports user identity inheritance, authorization constraints, and responsibility traceability in linear multi-agent invocations, and does not rely on a central platform for post-event arbitration. Therefore, it has significant technical advantages in scenarios where multi-agents collaborate to execute complex tasks. Attached Figure Description
[0026] Figure 1 A flowchart illustrating a method for performing tasks based on multiple agents, provided as an embodiment of this specification; Figure 2 A schematic diagram illustrating a linear calling relationship among multiple agents provided in an embodiment of this specification; Figure 3 A schematic diagram illustrating a branching call relationship among multiple agents, provided in an embodiment of this specification; Figure 4 This diagram illustrates a method for a multi-agent system to execute tasks under a linear calling relationship, as provided in an embodiment of this specification. Figure 5 This diagram illustrates a method for a multi-agent system to execute tasks under a branching call relationship, as provided in an embodiment of this specification. Figure 6 A system schematic diagram of a multi-agent system for performing tasks based on multiple agents is provided as an embodiment of this specification; Figure 7 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this specification. Detailed Implementation
[0027] To make the objectives, technical solutions, and advantages of this specification clearer, the technical solutions of this specification will be clearly and completely described below in conjunction with specific embodiments and corresponding drawings. Obviously, the described embodiments are only a part of the embodiments of this specification, and not all of them. Based on the embodiments in this specification, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this specification.
[0028] Please see Figure 1 This is a flowchart illustrating a method for performing tasks based on multiple agents, provided in an embodiment of this specification. In this embodiment, the method for performing tasks based on multiple agents is applied to the multi-agent system described in this embodiment. The following will focus on... Figure 1 The process shown will be described in detail. The method for performing tasks based on multiple agents may specifically include the following steps: S102, in response to a task instruction initiated by a user, the user equipment generates a first verifiable representation corresponding to the task instruction based on at least one verifiable credential of the user and multiple calling objects associated with the task instruction, digitally signs the first verifiable representation based on the user's first private key, and sends the signed first verifiable representation to the current calling object corresponding to the calling object identification sequence. The multiple calling objects include intelligent agents, the first verifiable representation includes the at least one verifiable credential and the calling object identification sequence, and the calling relationship between the multiple calling objects includes a linear calling relationship.
[0029] In some embodiments, a multi-agent system (i.e., a multi-agent identity and authorization system) includes user devices used by users and multiple agents for performing their respective tasks. An agent is a software entity with autonomous decision-making and task execution capabilities, capable of interacting with external systems on behalf of the user or other entities when authorized. A user is an entity that holds and manages its own verifiable credentials, capable of generating and presenting verifiable representations when needed. In some embodiments, the multi-agent system also includes a service provider; for example, if a user-initiated task instruction is a food delivery order, the service provider could be a food delivery platform. In some embodiments, the multi-agent system also includes an issuer and / or an identity provider. An issuer is an organization that provides user identities and is responsible for verifying the identity attributes, qualifications, or permissions of entities and issuing verifiable credentials, such as a mobile phone number provided by a telecommunications operator. An identity provider is an organization that supports the operation of a distributed identity infrastructure, which may be a company or industry alliance.
[0030] In some embodiments, a verifiable credential (VC) is a data object generated by an issuer based on a cryptographic signature, used to declare the identity attributes, qualifications, or permissions of a subject, and whose authenticity and integrity can be independently verified by a third party. A verifiable presentation (VP) is a data object that a holder combines one or more verifiable credentials, selectively discloses, and presents to a verifier in a specific interaction scenario to prove the relevant identity or permissions. The holder is the entity that holds and manages its own verifiable credentials and can generate and present verifiable presentations when needed. The verifier is the entity that verifies the verifiable credentials or verifiable presentations during business interactions to confirm their authenticity, integrity, and validity.
[0031] In some embodiments, the multi-agent system is applicable to various AI agent products with automatic decision-making and task execution capabilities. Multiple agents in the multi-agent system can independently or collaboratively complete complex cross-platform and cross-service tasks within the scope authorized by the user. During task execution, they can present their identities, inherit permissions, and ensure accountability. In other words, the multi-agent system is suitable for mutual invocation between multiple agents. These multiple agents include, but are not limited to, platform-type AI agents (which typically serve as the main entry point for user interaction, deployed in content platforms, lifestyle service platforms, or integrated service platforms, used to understand user natural language commands, decompose and orchestrate tasks, and coordinate multiple downstream agents to complete specific tasks. Examples include agents in food delivery platforms, content recommendation platforms, or integrated lifestyle service platforms, capable of making decisions and scheduling based on user preferences and constraints), and payment-type AI. Intelligent agents (these agents are mainly used to perform highly sensitive operations with explicit user authorization, including but not limited to payment confirmation, fund deduction, account verification, and transaction status feedback. Payment-type intelligent agents typically interface with specific payment service systems and are executed at the end of the task chain, requiring high security standards for identity authenticity, authorization scope, and non-repudiation of operations), social AI intelligent agents (these agents can perform social content-related operations on behalf of users based on user authorization, such as generating and publishing content, periodically publishing information, and interacting on social platforms. Typical applications include automatically publishing social content on WeChat Moments, Weibo, Twitter, etc., or executing periodic content publishing tasks according to user instructions), and vertical domain AI intelligent agents (these agents are geared towards specific business domains and possess specialized capabilities. For example, merchant-side intelligent agents are used for marketing data analysis and order management, logistics intelligent agents are used for logistics status tracking and arrival reminders, and financial service intelligent agents are used to perform operations in specific domains such as securities trading and asset management. This solution is also applicable to the above-mentioned vertical intelligent agents participating in multi-agent collaborative tasks within the authorized scope), etc., and this example embodiment does not impose any special limitations on these.
[0032] In some embodiments, multiple agents in a multi-agent system can form a linear call relationship (i.e., chained call, indicating sequential, level-by-level transmission). In some embodiments, a linear call relationship means that the platform-type agent can complete the complete task orchestration at the initial stage of the task, clarify the calling order and responsibility boundaries of each agent, form a defined task execution chain, submit it to the user for authorization, and the task and identity information are transmitted sequentially along this chain. Each agent is only responsible for the task at its own node, and the entire process can be completed in one go. Figure 2As shown, in the food delivery scenario, the user sends a task instruction to the platform agent (platform-type intelligent agent) through the food delivery platform: "Help me order a nearby Chinese food delivery with good value for money and complete the payment with Alipay." After obtaining the user's authorization, the platform-type intelligent agent parses the user's intent, completes operations such as merchant screening, product selection, and delivery information filling, and then calls the payment agent (payment intelligent agent) to complete the payment deduction. After the payment is completed, it returns to the food delivery platform and feeds back the execution result to the user.
[0033] In some embodiments, in response to a user-initiated task instruction, the user device performs semantic recognition on the task instruction to determine multiple calling objects associated with the task instruction, the calling relationships (e.g., linear calling relationships) between these multiple calling objects, and the calling order (e.g., calling Agent1 first, then Agent2, and finally Agent3). Each calling object can be an agent. In some embodiments, in response to a user-initiated task instruction, the user device sends the task instruction to a platform (e.g., a content platform, a lifestyle service platform, or a comprehensive service platform). The platform determines the multiple calling objects associated with the task instruction, the calling relationships between these multiple calling objects, and the calling order, and returns this information to the user device. In some embodiments, the user needs to authorize multiple calling objects associated with the task instruction, the calling relationship between these multiple calling objects, and the calling order. Authorization refers to the user granting other subjects or intelligent agents the right to use their identity attributes or permissions within a specific scope, condition, or time based on their own identity and control. The user authorizes multiple calling objects arranged in an ordered manner to execute the corresponding task based on at least one verifiable credential they possess, and generates a first verifiable expression corresponding to the task instruction. The first verifiable expression includes the at least one verifiable credential and a sequence of calling object identifiers corresponding to the multiple calling objects arranged in an ordered manner. Each of the multiple calling objects can be an intelligent agent. The sequence of calling object identifiers is a sequence composed of multiple calling object identifiers arranged in an ordered manner. The order of the calling object identifier sequence matches the calling relationship and calling order between the multiple calling objects. Each calling object identifier is used to uniquely identify a calling object. For example, the domain field of the Metadata in the first verifiable expression is set to the sequence of calling object identifiers. For example, the sequence of calling object identifiers is A1, A2, and A3, where A1 corresponds to intelligent agent Agent1, A2 corresponds to intelligent agent Agent2, and A3 corresponds to intelligent agent Agent3. For example, if multiple calling objects form a linear calling relationship, the corresponding calling object identifier sequence can be "A1, A2, A3", where A1, A2, and A3 each correspond to an agent.
[0034] In some embodiments, the user equipment (UE) digitally signs the first verifiable expression using the first private key corresponding to the user's first public key, obtaining a signed first verifiable expression. The UE then sends the signed first verifiable expression to the current calling object corresponding to the calling object identifier sequence (i.e., the calling object corresponding to the current identifier in the calling object identifier sequence, for example, the calling object corresponding to the first calling object identifier in the calling object identifier sequence). For example, if the calling object identifier sequence is A1, A2, and A3, the UE sends the signed first verifiable expression to the agent Agent1 corresponding to A1. In some embodiments, the UE first sends the signed first verifiable expression to a platform (e.g., a content platform, a lifestyle service platform, or a comprehensive service platform), and then the platform forwards the first verifiable expression to the current calling object corresponding to the calling object identifier sequence.
[0035] S104, the first verifiable expression is signed and verified by the current calling object based on the user's public key. If the verification is successful, it is determined whether the current identifier in the calling object identifier sequence corresponds to the current calling object. If so, the corresponding task is executed based on the context information in the first verifiable expression. If the current calling object is not the last calling object corresponding to the calling object identifier sequence, the calling object identifier sequence is updated. A second verifiable expression is generated based on the updated calling object identifier sequence, the task execution result of the current calling object, and the first verifiable expression. The second verifiable expression is digitally signed based on the second private key of the current calling object, and the signed second verifiable expression is sent to the new current calling object corresponding to the updated calling identifier sequence. This process is repeated until the new current calling object is the last calling object corresponding to the latest calling identifier sequence. The second verifiable expression includes the first verifiable expression and the updated calling object identifier sequence.
[0036] In some embodiments, the current calling object (e.g., agent1) verifies the signature of the first verifiable representation based on the user's public key. If the verification passes, it determines whether the current identifier in the calling object identifier sequence (e.g., the first calling object identifier) corresponds to the current calling object. For example, it determines whether to accept the first verifiable representation of the previous participant (i.e., the user) based on the current identifier in the calling object identifier sequence in the domain field of the metadata in the first verifiable representation. For example, if the calling object identifier sequence in the domain field of the metadata in the first verifiable representation is A1, A2, and A3, it determines whether the first calling object identifier A1 in the calling object identifier sequence in the domain field corresponds to agent1. If so, it executes the corresponding task based on the context information in the first verifiable representation (i.e., the Context field in the first verifiable representation). The context information (Context) is the data attached to the entity that generated the first verifiable representation. For example, agent1 executes the corresponding task based on the context information in the first verifiable representation. In some embodiments, the current calling object (e.g., the first verifiable representation or the second verifiable representation) determines whether to accept the verifiable representation of the previous participant (e.g., the user or the first verifiable representation) based on the domain field of the Metadata in the currently received verifiable representation. In some embodiments, the first verifiable representation includes, but is not limited to, at least one verifiable credential, claim information, proof information, and metadata. Metadata includes, but is not limited to, data such as the domain field containing the calling object identification sequence and creation time. This example embodiment does not impose any special limitations on this. Claim information includes, but is not limited to, relevant information obtained after the user authorizes multiple calling objects associated with the task instruction, the calling relationship between the multiple calling objects, and the calling order. This example embodiment does not impose any special limitations on this.
[0037] In some embodiments, if the current calling object is not the last calling object in the calling object identifier sequence, i.e., if the current calling object is not the last calling object identifier in the calling object identifier sequence, i.e., if the current calling object is not the calling object corresponding to the last calling object identifier in the calling object identifier sequence, then the calling object identifier sequence is updated. The update operation includes setting the current identifier (e.g., the first calling object identifier) in the calling object identifier sequence to the calling object identifier corresponding to the next calling object corresponding to the current calling object (e.g., deleting the calling object identifier corresponding to the current calling object from the calling object identifier sequence). In some embodiments, a second verifiable expression is generated based on the updated calling object identifier sequence, the task execution result of the current calling object, and the first verifiable expression. The second verifiable expression includes, but is not limited to, the first verifiable expression, the task execution result of the current calling object, signature information (Proofs), Metadata, etc. Metadata includes, but is not limited to, data such as the domain field and creation time of the updated calling object identifier sequence. This example embodiment does not impose any special limitations on this. For example, the sequence of call object identifiers in the domain field of the metadata in the first verifiable representation is A1, A2, A3, and the sequence of call object identifiers in the domain field of the metadata in the second verifiable representation is A2, A3.
[0038] In some embodiments, the second verifiable expression is digitally signed based on the second private key corresponding to the second public key of the current calling object (e.g., agent1), and the signed second verifiable expression is sent to the new current calling object corresponding to the updated calling identifier sequence (i.e., the calling object corresponding to the current identifier in the updated calling object identifier sequence, for example, the calling object corresponding to the first calling object identifier in the updated calling object identifier sequence). For example, if the updated calling identifier sequence is A2 and A3, the current calling object will send the signed second verifiable expression to agent2 corresponding to A2.
[0039] In some embodiments, the new current calling object (e.g., Agent2) performs signature verification on the second verifiable representation based on the current calling object (e.g., Agent1). If the verification passes, it determines whether the current identifier (e.g., the first calling object identifier) in the latest calling object identifier sequence in the second verifiable representation corresponds to the new current calling object. For example, the new current calling object (e.g., Agent2) determines the signature based on the domain of the Metadata in the second verifiable representation. The current identifier in the caller identifier sequence (e.g., the first caller identifier) in the field is used to determine whether to accept the second verifiable representation of the previous participant (i.e., the current caller, such as Agent1). If so, the new current caller executes the corresponding task based on the context information (i.e., the context information) in the second verifiable representation. If the new current caller is not the last caller in the latest caller identifier sequence, i.e., if the new current caller is not the last caller in the latest caller identifier sequence, then the new caller identifier sequence is updated, and a third verifiable representation is generated accordingly. The specific operation is the same as or similar to the operation of updating the caller identifier sequence and generating the second verifiable representation described above, and will not be repeated here. This process continues until the new current caller is the last caller in the latest caller identifier sequence, i.e., until the new current caller corresponds to the last caller in the latest caller identifier sequence, i.e., until the new current caller is the last caller in the latest caller identifier sequence. In some embodiments, during multi-agent collaboration, each agent, inheriting authorization from upstream, generates a new verifiable representation based on its own identity and presents it to downstream agents, thereby forming a verifiable call chain or call network. In some embodiments, by incorporating the verifiable representation of the previous caller (e.g., the current caller) as a verifiable credential into the verifiable representation of the next caller (e.g., the new current caller), the verifiable credential can be extended into a novel, re-presentable, and derivable credential structure. In some embodiments, the multi-agent system, by constructing a linear (chain-like) / tree-like (branch-like) call authorization model based on verifiable credentials / verifiable representations, can achieve data authenticity, integrity, and non-repudiation. In some embodiments, the multi-agent system does not rely on a centralized institution and can achieve verifiability and traceability of the multi-agent collaboration process.
[0040] As an example, such as Figure 4As shown, under a linear call relationship, in the VP1 (first verifiable representation) presented by the user to the platform, the domain field of the Metadata is set to A1, A2, and SP in sequence. VP1 also includes VC1 (verifiable credentials) and Proofs (signature information). VC1 includes Metadata, Proofs, and Claims. The platform forwards VP1 to Agent1 (Agent A1). Agent1 verifies whether the first digit of the domain field is itself. Then, Agent1 presents VP2 (second verifiable representation) to Agent2 (Agent A2). In VP2, the domain field of the Metadata is set to A2 and SP in sequence. VP2 also includes VP1, Proofs, and Context1 (context information attached when Agent1 generates VP2). Agent2 verifies whether the first digit of the domain field is itself. Finally, Agent2 presents VP3 (third verifiable representation) to SP (service provider). In VP3, the domain field of the Metadata... The field is set to SP. VP3 also includes VP2, Proofs (signature information), and Context2 (context information attached when Agent2 generates VP3). SP verifies whether the first digit of the domain field is itself, and also verifies whether the domain field order in VP1 presented by the user to Agent1 and VP2 presented by Agent1 to Agent2 is correct, ensuring the integrity and legality of the entire call chain.
[0041] According to the embodiments of this specification, a user identity and authorization mechanism for multi-agent collaborative scenarios is proposed. By introducing verifiable credentials (VC) and verifiable representations (VP), it can support complex multi-agent task chains, ensuring the legitimacy of each agent's identity, the authenticity of its operations, and the integrity of its tasks during the collaboration process. This allows each step in multi-agent collaboration to be verified and traceable, thereby greatly enhancing the security and credibility of the system. Based on verifiable credentials (VC) and verifiable representations (VP), a multi-agent identity and authorization system is constructed, solidifying each authorization and invocation process into a verifiable, signatureable, and derivable data structure. By treating verifiable representations as new credential units that can be further derived, it naturally supports user identity inheritance, authorization constraints, and responsibility traceability in linear multi-agent invocations, and does not rely on a central platform for post-event arbitration. Therefore, it has significant technical advantages in scenarios where multi-agents collaborate to execute complex tasks.
[0042] In some embodiments, the method further includes: obtaining one or more verifiable credentials issued by one or more issuers to the user through the user equipment. In some embodiments, one or more issuers issue one or more verifiable credentials to the user, securely transmit the one or more verifiable credentials to the user equipment, and store them in a secure environment local to the user equipment.
[0043] In some embodiments, the method further includes: verifying the user's identity attributes through the issuer; if the verification is successful, issuing a corresponding verifiable credential to the user; digitally signing the verifiable credential using the issuer's private key to obtain a signed verifiable credential; and sending the verifiable credential to the user device. In some embodiments, the issuer verifies the user's identity attributes; if the verification is successful, issuing a corresponding verifiable credential to the user, wherein the verifiable credential includes user attributes verified by the issuer, such as mobile phone number, name, ID, etc. For example, a mobile operator, as the issuer, verifies the user's mobile phone number; if the verification is successful, issuing a corresponding verifiable credential to the user. In some embodiments, the issuer uses the private key corresponding to its public key to digitally sign the issued verifiable credential to obtain a signed verifiable credential; securely transmitting the signed verifiable credential to the user device and storing it in a secure environment on the user device's local machine.
[0044] In some embodiments, the step of signing and verifying the first verifiable representation using the current calling object based on the user's public key includes: signing and verifying the first verifiable representation using the current calling object based on the user's public key, and signing and verifying the at least one verifiable credential located in the first verifiable representation using the issuer's public key. In some embodiments, the current calling object signs and verifies the first verifiable representation using the user's public key, and signs and verifies the at least one verifiable credential located in the first verifiable representation using the issuer's public key. Only if both verifications pass will it be determined whether the current identifier in the calling object identifier sequence corresponds to the current calling object.
[0045] In some embodiments, the step of signing and verifying the first verifiable representation using the current calling object based on the user's public key, and signing and verifying the at least one verifiable credential located in the first verifiable representation using the issuer's public key, includes: signing and verifying the first verifiable representation using the current calling object based on the user's public key, signing and verifying the other verifiable representations using the public keys of other calling objects that generate other verifiable representations located in the first verifiable representation, and signing and verifying the at least one verifiable credential located in the first verifiable representation using the issuer's public key. In some embodiments, the current calling object (e.g., Agent1, Agent2, etc.) performs signature verification on the currently verifiable representation (e.g., first verifiable representation, second verifiable representation, etc.) it receives based on the user's public key, and performs signature verification on the at least one verifiable credential based on the public key of the issuer corresponding to at least one verifiable credential in the current verifiable representation, and performs signature verification on other verifiable representations based on the public key of other calling objects that generated other verifiable representations in the current verifiable representation. Only when all verifications pass will it be determined whether the current identifier (e.g., the first calling object identifier) in the calling object identifier sequence in the current verifiable representation corresponds to the current calling object. For example, if the calling object identification sequence is A1 and A2, where A1 corresponds to Agent1 and A2 corresponds to Agent2, and the user generates a first verifiable expression containing at least one verifiable credential and sends it to Agent1, and Agent1 generates a second verifiable expression containing the first verifiable expression and sends it to Agent2, and the current calling object is Agent2, then Agent2 needs to perform signature verification on the second verifiable expression based on Agent1's public key, perform signature verification on the first verifiable expression based on the user's public key, and perform signature verification on the at least one verifiable credential based on the public key of the issuer corresponding to the at least one verifiable credential.
[0046] In some embodiments, the context information in the second verifiable representation includes the task execution result of the currently calling object. In some embodiments, the second verifiable representation further includes context information (i.e., the Context field in the second verifiable representation), which is data attached to the entity that generates the second verifiable representation, i.e., the currently calling object. The context information includes the task execution result of the currently calling object, i.e., the task execution result obtained after the currently calling object executes the corresponding task.
[0047] In some embodiments, the plurality of calling objects further includes a service provider, the identifier of which is located at the end of the calling object identifier sequence. In some embodiments, each calling object can be an agent or a service provider. A service provider refers to a third-party enterprise / organization that provides various services to users through a communication network. For example, if a user-initiated task instruction is a food delivery order, the service provider is a food delivery platform. In some embodiments, the calling object identifier corresponding to the service provider is located at the end of the calling object identifier sequence; that is, there are no other calling object identifiers following the one corresponding to the service provider in the calling object identifier sequence. In other words, the calling object identifier corresponding to the service provider is the last calling object in the calling object identifier sequence.
[0048] In some embodiments, performing the corresponding task based on the context information in the first verifiable expression includes: verifying, through the service provider, whether the identifier order corresponding to the call object identifier sequence in each verifiable expression of the first verifiable expression is correct; if so, performing the corresponding task based on the context information in the first verifiable expression. In some embodiments, the service provider first determines whether the current identifier (e.g., the first call object identifier) in the call object identifier sequence in the received current verifiable expression (e.g., the first verifiable expression, the second verifiable expression, etc.) corresponds to the service provider; if so, it then verifies whether the identifier order corresponding to the call object identifier sequence in each verifiable expression of the current verifiable expression (e.g., the first verifiable expression, the second verifiable expression, etc.) is correct, ensuring the integrity and legality of the entire call chain; if so, performing the corresponding task based on the context information in the current verifiable expression (e.g., the first verifiable expression, the second verifiable expression, etc.). For example, the call object identifier sequence is A1, A2, SP, where A1 corresponds to Agent1, A2 corresponds to Agent2, and SP corresponds to the service provider. The user generates a first verifiable expression containing at least one verifiable credential and sends it to Agent1. Agent1 generates a second verifiable expression containing the first verifiable expression and sends it to Agent2. Agent2 generates a third verifiable expression containing the second verifiable expression and sends it to the service provider. The current call object is the service provider. In addition to verifying whether the current identifier (e.g., the first call object identifier) in the call object identifier sequence in the received third verifiable expression corresponds to the service provider, the service provider also needs to verify whether the identifier order corresponding to the call object identifier sequence in the first verifiable expression is correct, and verify whether the identifier order corresponding to the call object identifier sequence in the second verifiable expression is correct.
[0049] In some embodiments, the method further includes: for each participant among the issuer of the verifiable credential, the user, and the plurality of calling objects, registering the participant through an identity provider, binding the participant's distributed identity identifier with the participant's public key, generating the participant's distributed identity document, and publicly storing the distributed identity document. In some embodiments, the identity provider is an organization supporting the operation of the distributed identity infrastructure, which may be an enterprise or industry alliance. For each participant among the verifiable credential issuer, the user, and the multiple calling objects, the participant first registers with the identity provider. The identity provider generates a distributed identity (DID) identifier for the participant and binds the DID identifier to the participant's public key to generate a distributed identity document for the participant. The distributed identity document is publicly stored through technologies such as blockchain or web domain names to ensure that each participant can obtain the distributed identity document and parse out the public key information of other participants. Here, distributed identity (DID) is a digital identity representation method based on decentralized identifiers. Subjects can autonomously control their identity identifiers and related keys through cryptographic means, without relying on a single centralized identity provider. In the embodiments of this specification, distributed identity is introduced as a unified identity representation for intelligent agents. The distributed identity document (DID document) is a data structure associated with the distributed identity identifier, used to describe the subject's public key information, verification methods, and related service endpoints to support authentication and secure communication. In some embodiments, each participant's distributed identity document includes the participant's public key and distributed identity identifier, and uses a digital signature to ensure integrity and authenticity.In some embodiments, within a distributed identity authentication system of a multi-agent system, participants such as users, issuers, and application parties (i.e., calling objects) first register with the identity provider and generate their respective decentralized identifiers (i.e., distributed identities). Each participant binds its public key to its corresponding distributed identity to form a distributed identity document, which is then publicly published by the identity provider using technologies such as blockchain, enabling other participants in the network to parse the distributed identity document and obtain its public key information. Based on this, after verifying the user's identity attributes, the issuer binds the user's distributed identity to the user's identity attributes. Verifiable credentials are generated and digitally signed using the issuer's private key. After obtaining verifiable credentials, users can store and manage them locally. When accessing application services, users can construct a verifiable representation from their verifiable credentials based on specific authentication or attribute disclosure requirements, sign the verifiable representation using their own private key, and submit it to the application. The application verifies the user's signature and the issuer's signature in the verifiable credential by parsing the verifiable representation, and combines this with the public key information parsed from the distributed identity document to confirm the authenticity, integrity, and trustworthiness of the issuing source of the credential, thereby completing the distributed identity authentication process based on the verifiable credential mechanism.
[0050] In some embodiments, the first verifiable representation includes the user's distributed identity identifier, the second verifiable representation includes the distributed identity identifier of the current calling object, and the sequence of calling object identifiers includes the distributed identity identifiers of the plurality of calling objects. In some embodiments, the first verifiable representation includes the user's distributed identity identifier, and the second verifiable representation includes the distributed identity identifier of the current calling object; that is, the current verifiable representation includes the distributed identity identifiers of the parties that generated the current verifiable representation. For example, the distributed identity identifiers are set in the metadata of the current verifiable representation. In some embodiments, the sequence of calling object identifiers is a sequence of multiple calling object identifiers arranged in an ordered manner, each calling object identifier uniquely identifying a calling object, and each calling object identifier is a distributed identity identifier for a calling object.
[0051] In some embodiments, the method further includes: for each participant, obtaining the distributed identity identifier of the generator in the currently verifiable representation received by the participant, obtaining the distributed identity document of the generator based on the distributed identity identifier, and obtaining the target public key of the generator from the distributed identity document. In some embodiments, for each participant, the distributed identity identifier of the generator located in the currently verifiable representation received (e.g., a first verifiable representation, a second verifiable representation, etc.) is first obtained. The currently verifiable representation is generated by the generator. Then, the distributed identity document of the generator is obtained based on the distributed identity identifier of the generator, and the target public key of the generator is obtained from the distributed identity document. In some embodiments, the participant uses the target public key of the generator of the currently verifiable representation to perform signature verification on the currently verifiable representation.
[0052] In some embodiments, multiple agents in a multi-agent system can also form branch-call (i.e., tree-like call, representing one-to-many branch transmission) or combined call (i.e., network call, including both linear and branch-call relationships, representing complex interactions between multiple nodes) relationships. In some embodiments, a branch-call relationship means that the platform-type agent can only determine part of the task objectives in the initial stage, and the subsequent call path needs to be dynamically determined based on conditional judgments or user authorization scope during execution. At this time, each call node may select a different next execution node based on context information, and the overall structure exhibits branch decision characteristics. Figure 3 As shown, in the food delivery ordering scenario, the user submits a task instruction to the platform agent (platform-type intelligent agent) through the food delivery platform: "Order me a food delivery and choose the payment method with the best discount to complete the payment." After completing the merchant selection and order placement, the platform agent needs to obtain the user's authorization for multiple payment methods. Based on multiple dimensions such as the merchant's discount information, red envelope rules, food prices, order address, and delivery time, it dynamically selects the optimal payment agent from multiple payment agents, including payment agent1, payment agent2, and payment agent3, to complete the payment operation. In this process, the user authorizes multiple payment agents, including payment agent1, payment agent2, and payment agent3, during the initial authorization stage. The specific call path is ultimately determined by the platform agent during execution, forming a branch decision structure. After the payment is completed, it returns to the food delivery platform and feeds back the execution result to the user.
[0053] In some embodiments, the plurality of calling objects further includes a set of intelligent agents, the set of intelligent agents containing multiple intelligent agents, and the calling relationship between the plurality of calling objects further includes a branching calling relationship or a combining calling relationship. In some embodiments, if the plurality of calling objects constitute a linear calling relationship, then each calling object can be an intelligent agent or a service provider.
[0054] For example, if multiple calling objects form a branching call relationship, the corresponding calling object identifier sequence could be "A1, {A21, A22, A23}", where A21, A22, and A23 each correspond to an agent, thus verifying that the domain field of the Metadata in the expression uses tree bracket notation. As another example, if multiple calling objects form a combined call relationship, the corresponding calling object identifier sequence could be "A1, {{A21, {A31, A32}, A41}, {A22, {A33, A34}, A42}, A5", where A1, A31, A32, A41, A22, A33, A34, A42, and A5 each correspond to an agent.
[0055] In some embodiments, if multiple calling objects form a branching or combining calling relationship, each calling object can be an agent, a collection of agents containing multiple agents, or a service provider. In some embodiments, if the next calling object corresponding to the current calling object is determined to be a collection of agents based on the calling object identifier sequence in the currently verifiable representation (e.g., a first verifiable representation, a second verifiable representation, etc.) received by the current calling object, the current calling object will send its newly generated currently verifiable representation to one of the multiple agents contained in the collection of agents. In some embodiments, the calling object identifier corresponding to the collection of agents in the calling object identifier sequence is a set composed of the calling object identifiers corresponding to the multiple agents contained in the collection of agents, for example, the calling object identifier corresponding to the collection of agents in the calling object identifier sequence is a set composed of the distributed identity identifiers corresponding to the multiple agents contained in the collection of agents.
[0056] In some embodiments, updating the call object identifier sequence through the current call object includes: if the next call object corresponding to the current call object is determined to be a set of agents based on the call object identifier sequence, determining a target agent among the multiple agents included in the set of agents through the current call object, and updating the call object identifier sequence according to the target agent. In some embodiments, if the next call object corresponding to the current call object is determined to be a set of agents based on the call object identifier sequence in the currently verifiable expression (e.g., a first verifiable expression, a second verifiable expression, etc.) received by the current call object, the current call object will determine a target agent among the multiple agents included in the set of agents, and update the call object identifier sequence according to the target agent. The update operation includes setting the current identifier (e.g., the first call object identifier) in the call object identifier sequence to the call object identifier corresponding to the target agent (e.g., deleting the call object identifier corresponding to the current call object and the call object identifiers corresponding to other agents among the multiple agents besides the target agent from the call object identifier sequence), and then the current call object will send its newly generated currently verifiable expression to the target agent. For example, in a user ordering takeout scenario, two entities are involved: a platform agent (Agent1) and merchant agents (Agent2, Agent3, Agent4). The call object identification sequence is "A1, {A21, A22, A23}", where A1 corresponds to agent1, A21 corresponds to agent2, A22 corresponds to agent3, and A23 corresponds to agent4. However, before the platform agent is integrated, only the call order "user -> platform agent -> merchant agent" can be determined. The specific merchant agent needs to be decided by the platform agent.
[0057] In some embodiments, determining the target agent from among the multiple agents in the agent set by the current calling object includes: determining the target agent from among the multiple agents in the agent set by the current calling object based on the task execution result of the current calling object. In some embodiments, the current calling object determines the target agent from among the multiple agents in the agent set based on the task execution result obtained after executing the corresponding task. For example, it matches the task execution result with the attribute information of each agent, and selects the agent with the highest matching degree between the corresponding attribute information and the task execution result as the target agent.
[0058] As another example, such as Figure 5As shown, in the branch call relationship, the domain field of the Metadata in VP1 (first verifiable representation) presented by the user to the platform is set to A1, {A2, A3, A4}, SP in sequence. VP1 also includes VC1 (verifiable credentials) and Proofs (signature information). VC1 includes Metadata, Proofs, and Claims. The platform forwards VP1 to Agent1 (agent A1). Agent1 verifies whether the first digit of the domain field is itself, and decides on the agent to be used for the next hop call from the three agents {Agent2 (agent A2), Agent3 (agent A3), Agent4 (agent A4)} (e.g., Agent4 (agent A4)). Agent1 presents VP2 (second verifiable representation) to Agent4 (agent A4). The domain field of the Metadata in VP2 is set to A4, SP in sequence. VP2 also includes VP1 and Proofs. (Signature information), Context1 (context information attached when Agent1 generates VP2), Agent4 verifies whether the first digit of the domain field is itself, and finally, Agent4 presents VP3 (third verifiable representation) to SP (service provider). The domain field of Metadata in VP3 is set to SP. VP3 also includes VP2, Proofs (signature information), and Context2 (context information attached when Agent2 generates VP3). SP verifies whether the first digit of the domain field is itself, and at the same time verifies whether the domain field order in VP1 presented by the user to Agent1 and VP2 presented by Agent1 to Agent4 is correct, ensuring the integrity and legality of the entire call chain.
[0059] In some embodiments, the call object identifier sequence includes a distributed identity identifier of at least one call object and a link address. The link address is used to obtain the distributed identity identifiers of multiple agents contained in the agent set. In some embodiments, the multiple call objects include at least one call object (agent or service provider) and at least one agent set. Each agent set contains multiple agents. The call object identifier of an agent is its distributed identity identifier, and the call object identifier of an agent set is a link address. That is, the call object identifier sequence includes the distributed identity identifier of the at least one call object (agent or service provider) and the link address corresponding to the at least one agent set. The link address corresponding to each agent set is used to obtain the distributed identity identifiers of the multiple agents contained in the agent set. In some embodiments, the link address can reduce the amount of data in the call object identifier sequence, and the data obtained through the link address supports dynamic updates, but the link address itself remains unchanged.
[0060] In some embodiments, the call object identifier sequence includes wildcards, which correspond to any agent. In some embodiments, during the call process, if the agent used in a certain step cannot be determined at the beginning, a wildcard (e.g., "*") can be used to identify it. When the step is called, any agent can be called. That is, the call object identifier sequence can include wildcards. If the call object identifier of the next call object corresponding to the current call object is determined to be a wildcard based on the call object identifier sequence in the currently verifiable expression (e.g., the first verifiable expression, the second verifiable expression, etc.) received by the current call object, it means that any agent can be called. The current call object needs to determine a target agent as the next call object and send its newly generated currently verifiable expression to the target agent.
[0061] Figure 6 This specification provides a schematic diagram of a multi-agent system for performing tasks based on multiple agents, which can be implemented as all or part of an electronic device through software, hardware, or a combination of both. According to some embodiments, the multi-agent system 1 includes a user device 11 and a currently invoked object 12.
[0062] User equipment 11 is configured to respond to a task instruction initiated by a user, generate a first verifiable expression corresponding to the task instruction based on at least one verifiable credential of the user and a plurality of calling objects associated with the task instruction, digitally sign the first verifiable expression based on the user's first private key, and send the signed first verifiable expression to the current calling object corresponding to the calling object identification sequence, wherein the plurality of calling objects include intelligent agents, the first verifiable expression includes the at least one verifiable credential and the calling object identification sequence, and the calling relationship between the plurality of calling objects includes a linear calling relationship; The current calling object 12 is used to perform signature verification on the first verifiable expression based on the user's public key. If the verification is successful, it determines whether the current identifier in the calling object identifier sequence corresponds to the current calling object. If so, it executes the corresponding task based on the context information in the first verifiable expression. If the current calling object is not the last calling object corresponding to the calling object identifier sequence, it updates the calling object identifier sequence, generates a second verifiable expression based on the updated calling object identifier sequence, the task execution result of the current calling object, and the first verifiable expression, digitally signs the second verifiable expression based on the second private key of the current calling object, and sends the signed second verifiable expression to the new current calling object corresponding to the updated calling identifier sequence. This process continues until the new current calling object is the last calling object corresponding to the latest calling identifier sequence. The second verifiable expression includes the first verifiable expression and the updated calling object identifier sequence.
[0063] In some embodiments, the multi-agent system 1 is further configured to: obtain one or more verifiable credentials issued by one or more issuers for the user through the user equipment.
[0064] In some embodiments, the multi-agent system 1 is further configured to: verify the user's identity attributes through the issuer; if the verification is successful, issue a corresponding verifiable credential to the user; digitally sign the verifiable credential according to the issuer's private key to obtain the signed verifiable credential; and send the verifiable credential to the user device.
[0065] In some embodiments, the step of signing and verifying the first verifiable representation using the current calling object based on the user's public key includes: signing and verifying the first verifiable representation using the current calling object based on the user's public key, and signing and verifying the at least one verifiable credential located in the first verifiable representation based on the issuer's public key.
[0066] In some embodiments, the step of signing and verifying the first verifiable representation using the current calling object based on the user's public key, and signing and verifying the at least one verifiable credential located in the first verifiable representation using the issuer's public key, includes: signing and verifying the first verifiable representation using the current calling object based on the user's public key, signing and verifying the other verifiable representations using the public keys of other calling objects that generate other verifiable representations located in the first verifiable representation, and signing and verifying the at least one verifiable credential located in the first verifiable representation using the issuer's public key.
[0067] In some embodiments, the context information in the second verifiable expression includes the task execution result of the currently calling object.
[0068] In some embodiments, the plurality of calling objects further include a service provider, the identifier of which is located at the end of the calling object identifier sequence.
[0069] In some embodiments, performing the corresponding task based on the context information in the first verifiable representation includes: verifying, through the service provider, whether the identifier order corresponding to the call object identifier sequence in each verifiable representation in the first verifiable representation is correct; if so, performing the corresponding task based on the context information in the first verifiable representation.
[0070] In some embodiments, the multi-agent system 1 is further configured to: register each participant among the issuer of the verifiable credential, the user, and the plurality of calling objects through an identity provider, bind the participant's distributed identity identifier with the participant's public key, generate the participant's distributed identity document, and publicly store the distributed identity document.
[0071] In some embodiments, the first verifiable representation includes the user's distributed identity identifier, the second verifiable representation includes the distributed identity identifier of the currently invoked object, and the invoked object identifier sequence includes the distributed identity identifiers of the plurality of invoked objects.
[0072] In some embodiments, the multi-agent system 1 is further configured to: for each participant, obtain the distributed identity identifier of the generator in the currently verifiable representation received by the participant, obtain the distributed identity document of the generator based on the distributed identity identifier, and obtain the target public key of the generator from the distributed identity document.
[0073] In some embodiments, the plurality of calling objects further includes a set of intelligent agents, the set of intelligent agents containing a plurality of intelligent agents, and the calling relationship between the plurality of calling objects further includes a branching calling relationship or a combined calling relationship.
[0074] In some embodiments, updating the call object identifier sequence using the current call object includes: if the next call object corresponding to the current call object is determined to be a set of agents based on the call object identifier sequence, determining a target agent among the multiple agents included in the set of agents using the current call object, and updating the call object identifier sequence according to the target agent.
[0075] In some embodiments, determining the target agent among the multiple agents contained in the agent set by the current calling object includes: determining the target agent among the multiple agents contained in the agent set by the current calling object based on the task execution result of the current calling object.
[0076] In some embodiments, the call object identifier sequence includes at least one distributed identity identifier of the call object and a link address, wherein the link address is used to obtain the distributed identity identifiers of the multiple intelligent agents contained in the intelligent agent set.
[0077] In some embodiments, the call object identifier sequence includes wildcards, which correspond to any intelligent agent.
[0078] The above-described apparatus embodiments correspond to the aforementioned method embodiments. For detailed descriptions, please refer to the description in the method embodiments section; further details will not be repeated here. The apparatus embodiments are derived from the corresponding method embodiments and have the same technical effects. For detailed descriptions, please refer to the corresponding method embodiments.
[0079] This specification also provides a computer storage medium storing a computer program thereon, which, when executed by a processor, implements the method described in this specification.
[0080] This specification also provides a computer program product that stores at least one instruction, which is loaded by the processor and executes the method described in this specification embodiment.
[0081] This specification also provides an electronic device, including a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and execute the method described in the embodiments of this specification.
[0082] The embodiments in this specification also provide Figure 7The diagram shows the structure of the electronic device. Figure 7 At the hardware level, the electronic device includes a processor, internal bus, network interface, memory, and non-volatile memory, and may also include other hardware required for business operations. The processor reads the corresponding computer program from the non-volatile memory into memory and then runs it to implement the above method.
[0083] The systems, devices, modules, or units described in the above embodiments can be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer. Specifically, a computer can be, for example, a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or any combination of these devices.
[0084] Those skilled in the art will understand that embodiments of this specification can be provided as methods, systems, or computer program products. Therefore, this specification may take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this specification may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0085] This specification is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this specification. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0086] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0087] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0088] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0089] This specification can be described in the general context of computer-executable instructions that are executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform a specific task or implement a specific abstract data type. This specification can also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.
[0090] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on describing the differences from other embodiments. In particular, the system embodiments are basically similar to the method embodiments, so the description is relatively simple; relevant parts can be referred to the descriptions in the method embodiments.
[0091] The above description is merely an embodiment of this specification and is not intended to limit this specification. Various modifications and variations can be made to this specification by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this specification should be included within the scope of the claims of this specification.
Claims
1. A method for performing tasks based on multiple agents, applied to a multi-agent system, comprising: In response to a user-initiated task instruction, the user equipment generates a first verifiable representation corresponding to the task instruction based on at least one verifiable credential of the user and multiple calling objects associated with the task instruction. The first verifiable representation is digitally signed based on the user's first private key, and the signed first verifiable representation is sent to the current calling object corresponding to the calling object identification sequence. The multiple calling objects include intelligent agents, the first verifiable representation includes the at least one verifiable credential and the calling object identification sequence, and the calling relationship between the multiple calling objects includes a linear calling relationship. The first verifiable expression is signed and verified by the current calling object based on the user's public key. If the verification is successful, it is determined whether the current identifier in the calling object identifier sequence corresponds to the current calling object. If so, the corresponding task is executed based on the context information in the first verifiable expression. If the current calling object is not the last calling object corresponding to the calling object identifier sequence, the calling object identifier sequence is updated. A second verifiable expression is generated based on the updated calling object identifier sequence, the task execution result of the current calling object, and the first verifiable expression. The second verifiable expression is digitally signed based on the second private key of the current calling object, and the signed second verifiable expression is sent to the new current calling object corresponding to the updated calling identifier sequence. This process continues until the new current calling object is the last calling object corresponding to the latest calling identifier sequence. The second verifiable expression includes the first verifiable expression and the updated calling object identifier sequence.
2. The method according to claim 1, further comprising: The user equipment obtains one or more verifiable credentials issued by one or more issuers for the user.
3. The method according to claim 2, further comprising: The issuer verifies the user's identity attributes. If the verification is successful, a corresponding verifiable credential is issued to the user. The verifiable credential is digitally signed using the issuer's private key to obtain the signed verifiable credential, which is then sent to the user's device.
4. The method according to claim 3, wherein the step of performing signature verification on the first verifiable expression based on the user's public key by the current calling object includes: The current calling object performs signature verification on the first verifiable representation based on the user's public key, and performs signature verification on at least one verifiable credential located in the first verifiable representation based on the issuer's public key.
5. The method according to claim 4, wherein the step of signing and verifying the first verifiable representation based on the user's public key using the current calling object, and signing and verifying the at least one verifiable credential located in the first verifiable representation based on the issuer's public key, comprises: The signature verification is performed by the current calling object based on the user's public key for the first verifiable representation, and by the signature verification of the other verifiable representations based on the public keys of other calling objects that generate other verifiable representations located in the first verifiable representation, and by the signature verification of the at least one verifiable credential located in the first verifiable representation based on the issuer's public key.
6. The method according to claim 1, wherein the context information in the second verifiable expression includes the task execution result of the currently calling object.
7. The method according to claim 1, wherein the plurality of calling objects further includes a service provider, and the identifier corresponding to the service provider is located at the end of the calling object identifier sequence.
8. The method according to claim 7, wherein performing the corresponding task based on the context information in the first verifiable representation includes: The service provider verifies whether the order of the identifiers corresponding to the call object identifier sequence in each verifiable expression in the first verifiable expression is correct. If so, the corresponding task is executed based on the context information in the first verifiable representation.
9. The method according to any one of claims 1 to 8, further comprising: For each participant among the issuer of verifiable credentials, the user, and the multiple calling objects, the identity provider registers the participant, binds the participant's distributed identity identifier with the participant's public key, generates the participant's distributed identity document, and publicly stores the distributed identity document.
10. The method according to claim 9, wherein the first verifiable representation includes the distributed identity identifier of the user, the second verifiable representation includes the distributed identity identifier of the currently invoked object, and the invoking object identifier sequence includes the distributed identity identifiers of the plurality of invoking objects.
11. The method of claim 9, further comprising: For each participant, obtain the distributed identity identifier of the generator in the currently verifiable representation it receives, obtain the distributed identity document of the generator based on the distributed identity identifier, and obtain the target public key of the generator from the distributed identity document.
12. The method according to claim 1, wherein the plurality of calling objects further includes a set of intelligent agents, the set of intelligent agents contains a plurality of intelligent agents, and the calling relationship between the plurality of calling objects further includes a branch calling relationship or a combined calling relationship.
13. The method according to claim 12, wherein updating the call object identifier sequence through the current call object comprises: If the next calling object corresponding to the current calling object is determined to be a set of agents based on the calling object identifier sequence, the target agent is determined from the multiple agents contained in the set of agents by the current calling object, and the calling object identifier sequence is updated according to the target agent.
14. The method according to claim 13, wherein determining the target agent from among the plurality of agents included in the agent set by the current calling object comprises: The target agent is determined from among the multiple agents contained in the agent set based on the task execution result of the current calling object.
15. The method according to claim 12, wherein the calling object identifier sequence includes at least one distributed identity identifier of the calling object and a link address, the link address being used to obtain the distributed identity identifiers of the plurality of intelligent agents contained in the intelligent agent set.
16. The method according to claim 1, wherein the calling object identifier sequence includes wildcards, and the wildcards correspond to any intelligent agent.
17. A multi-agent system for performing tasks based on multiple agents, comprising: User equipment is configured to respond to a task instruction initiated by a user, generate a first verifiable representation corresponding to the task instruction based on at least one verifiable credential of the user and a plurality of calling objects associated with the task instruction, digitally sign the first verifiable representation based on the user's first private key, and send the signed first verifiable representation to the current calling object corresponding to the calling object identification sequence, wherein the plurality of calling objects include intelligent agents, the first verifiable representation includes the at least one verifiable credential and the calling object identification sequence, and the calling relationship between the plurality of calling objects includes a linear calling relationship; The current calling object is used to perform signature verification on the first verifiable expression based on the user's public key. If the verification is successful, it determines whether the current identifier in the calling object identifier sequence corresponds to the current calling object. If so, it executes the corresponding task based on the context information in the first verifiable expression. If the current calling object is not the last calling object corresponding to the calling object identifier sequence, it updates the calling object identifier sequence, generates a second verifiable expression based on the updated calling object identifier sequence, the task execution result of the current calling object, and the first verifiable expression, digitally signs the second verifiable expression based on the second private key of the current calling object, and sends the signed second verifiable expression to the new current calling object corresponding to the updated calling identifier sequence. This process continues until the new current calling object is the last calling object corresponding to the latest calling identifier sequence. The second verifiable expression includes the first verifiable expression and the updated calling object identifier sequence.
18. A storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 16.
19. An electronic device, characterized in that, include: A processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to execute the steps of the method as claimed in any one of claims 1 to 16.
20. A computer program product having at least one instruction stored thereon, characterized in that, When the at least one instruction is executed by the processor, it implements the steps of the method according to any one of claims 1 to 16.