Digital identity collaborative authentication system based on smart contract and attribute encryption
By using a digital identity collaborative authentication system based on smart contracts and attribute encryption, the problems of opaque policy logic and dependency on authentication conclusions in centralized authentication systems are solved. This system achieves transparency of encryption policies, dynamic execution, and reliability of authentication conclusions, thereby enhancing the credibility and robustness of the authentication system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- WOHUI CHAIN (ZHEJIANG) DIGITAL TECHNOLOGY CO LTD
- Filing Date
- 2026-06-16
- Publication Date
- 2026-07-14
AI Technical Summary
Existing digital identity authentication systems rely on a single or a few centralized authoritative authentication sources. Their strategy logic is opaque, difficult to adjust dynamically, and the validity of authentication conclusions depends on the credibility of the central node, lacking credibility and robustness.
A digital identity collaborative authentication system based on smart contracts and attribute encryption is adopted. By receiving attribute data from multiple external authentication sources, standardizing the data, generating standard identity attribute data blocks, and running a strategy parsing smart contract in the blockchain network to execute attribute-based encryption operations, a verifiable authentication token is generated. Multiple verification nodes independently verify the tokens and reach a final conclusion through a consensus mechanism.
It achieves transparent, dynamic, and automated execution of encryption strategies, improves the reliability and non-repudiation of authentication conclusions, eliminates the risk of centralized manipulation, and ensures the credibility and consistency of authentication conclusions.
Smart Images

Figure CN122394762A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of digital identity authentication and blockchain technology, specifically a digital identity collaborative authentication system based on smart contracts and attribute encryption. Background Technology
[0002] Existing digital identity authentication systems largely rely on a single or a few centralized authoritative authentication sources. These systems typically have a centralized server that centrally manages and verifies user identity attributes and statically pre-configures access control policies. This architecture depends entirely on the trusted operation and security of the centralized entity at the policy generation, update, and execution levels. When authentication policies need to be dynamically adjusted based on context, or when integrating identity assertions from multiple sources, existing technologies struggle to provide a transparent, auditable, and tamper-proof policy execution trajectory. The opacity of policy logic and dependence on a single management entity make policies susceptible to single-point tampering or inconsistencies, and also fail to meet the requirements for policy credibility in cross-domain collaborative scenarios.
[0003] In generating authentication conclusions, existing technologies typically rely on the service provider accepting the authentication request to independently complete the verification and directly issue the conclusion. Even with the introduction of multi-factor authentication, the final decision-making power still rests with the requesting party. This model makes the validity of the authentication conclusion entirely dependent on the credibility and security of the accepting party. In scenarios requiring mutual trust among multiple parties or high non-repudiation of authentication results, unilateral statements from a single institution lack sufficient credibility and robustness. Once this central node is compromised or misbehaves, all authentication conclusions it issues will face a crisis of trust. How to construct an authentication conclusion generation mechanism that does not rely on the credit endorsement of any single central node and possesses broad credibility is a challenge currently facing technology. Summary of the Invention
[0004] The purpose of this invention is to provide a digital identity collaborative authentication system based on smart contracts and attribute encryption to solve the problems mentioned in the background art.
[0005] To achieve the above objectives, the present invention provides a digital identity collaborative authentication system based on smart contracts and attribute encryption, the system comprising:
[0006] The identity data processing module receives a set of raw attribute data provided by multiple external authentication sources, and performs a structured transformation on the raw attribute data set under preset standardized processing rules to generate standard identity attribute data blocks.
[0007] The strategy parsing contract module runs a strategy parsing smart contract deployed in the blockchain network for the standard identity attribute data block, and extracts the encrypted strategy descriptor associated with the current authentication task.
[0008] The attribute encryption execution module selects the corresponding encryption function and access structure template from the attribute base encryption library according to the content of the encryption policy descriptor, inputs the standard identity attribute data block into the encryption function and access structure template, performs attribute base encryption operation, and generates ciphertext attribute credentials.
[0009] The token encapsulation and distribution module binds the encrypted attribute certificate with the strategy execution certificate generated by the strategy parsing smart contract and encapsulates it into a verifiable authentication token.
[0010] The collaborative verification and consensus module broadcasts and distributes the verifiable authentication token in the collaborative authentication network, and triggers verification nodes to independently verify the integrity and policy compliance of the verifiable authentication token. It aggregates the independent verification results from multiple verification nodes and forms the final collaborative authentication conclusion through a preset consensus mechanism.
[0011] Preferably, receiving the raw attribute data set provided by multiple external authentication sources includes:
[0012] Establish authorized data connection channels with different external authentication sources, including government databases, financial institution authentication systems, and public service platforms;
[0013] The system asynchronously receives raw attribute data streams pushed by various external authentication sources through the authorized data connection channel.
[0014] The original attribute data stream is marked with source identifiers and timestamps to form original data units with traceability information;
[0015] The original data units with traceability information from different external authentication sources are temporarily buffered and stored to form the original attribute data set.
[0016] Preferably, under preset standardized processing rules, the original attribute data set undergoes a structured transformation, including:
[0017] Load a predefined attribute data schema definition file, which specifies the constraints on the name, type, length, and value range of the attributes;
[0018] Traverse each original data unit with traceability information in the original attribute data set;
[0019] Based on the attribute data pattern definition file, the original data units with traceability information are cleaned in format, type-casted, and their value ranges are verified for compliance.
[0020] The data that passes the verification will be reassembled according to the attribute data pattern definition file, and the data that fails the verification will be discarded.
[0021] Assign a globally unique attribute identifier to each reassembled data unit to generate the standard identity attribute data block.
[0022] Preferably, a policy parsing smart contract deployed in the blockchain network is run to extract the cryptographic policy descriptor associated with the current authentication task, including:
[0023] The attribute identifier in the standard identity attribute data block and the context information of the current authentication task are used as input parameters to call the public interface of the strategy parsing smart contract.
[0024] The strategy parsing smart contract matches strategy entries that match the attribute identifier and the context information in its internally stored strategy rule base;
[0025] Parse the encryption strength level, the list of allowed verification nodes, and the combination of attribute conditions that must be met from the successfully matched policy entries;
[0026] The encryption strength level, the list of allowed verification nodes, and the attribute conditions that must be met are combined and encoded into a machine-readable encryption policy descriptor, which contains a policy hash value.
[0027] Preferably, based on the content of the encryption policy descriptor, the corresponding encryption function and access structure template are selected from the attribute-based encryption library, including:
[0028] Parse the encryption strength level field in the encryption policy descriptor;
[0029] Based on the value of the encryption strength level field, search the index of the attribute-based encryption library for a set of candidate encryption algorithms that meet the strength level requirements;
[0030] By combining the required attribute conditions, compatible encryption function instances are selected from the candidate encryption algorithm set.
[0031] Based on the logical relationship of the required attribute conditions, a corresponding access control tree structure is generated as the access structure template.
[0032] Preferably, the standard identity attribute data block is input into the encryption function and access structure template to perform attribute-based encryption operation, including:
[0033] Map the attribute name and attribute value pairs in the standard identity attribute data block to the leaf nodes of the access structure template;
[0034] Using the public key parameter of the encryption function instance, perform independent encryption operations on the attribute values mapped to each leaf node;
[0035] Based on the tree-like logical structure in the access structure template, the encryption parameters of the intermediate nodes are aggregated from bottom to top;
[0036] Finally, the encryption synthesis of the entire data block is completed at the root node of the access structure template, and the ciphertext attribute certificate is output.
[0037] Preferably, binding the encrypted attribute certificate with the strategy execution certificate generated by the strategy parsing smart contract includes:
[0038] Invoke the certificate generation function of the smart contract parsing strategy, and input the strategy hash value and the storage address of the encrypted attribute certificate;
[0039] The strategy parsing smart contract generates a digital certificate containing the strategy hash value, the storage address, and the smart contract signature, which serves as the strategy execution certificate;
[0040] Associate the credential identifier of the policy execution credential with the encrypted attribute credential using metadata;
[0041] The associated overall data is encapsulated into the verifiable authentication token with a specific data format.
[0042] Preferably, the verifiable authentication token is broadcast and distributed in the collaborative authentication network, and verification nodes are triggered to independently verify the integrity and policy compliance of the verifiable authentication token, including:
[0043] The verifiable authentication token is published to a specific transaction on the blockchain network, and the transaction event is captured by the subscribed verification nodes;
[0044] Each verification node extracts the verifiable authentication token from the blockchain and separates the encrypted attribute credential and the policy execution credential from it.
[0045] Each verification node independently verifies the validity of the smart contract signature on the policy execution credential;
[0046] Each verification node retrieves the corresponding original encrypted policy descriptor from the blockchain based on the policy hash value in the policy execution credential.
[0047] Each verification node uses its own attribute private key to attempt to decrypt and access the structure of the encrypted attribute credential, generating a local verification result.
[0048] Preferably, independent verification results from multiple verification nodes are aggregated, and a final collaborative authentication conclusion is formed through a pre-defined consensus mechanism, including:
[0049] Each verification node submits its local verification result, node identifier, and a random number proof to a result aggregation smart contract as a verification response after jointly signing the local verification result, node identifier, and random number proof.
[0050] The results are aggregated by the smart contract, which collects all valid verification responses that arrive within a predetermined time window.
[0051] The result aggregation smart contract filters out verification responses from authorized verification nodes based on the list of allowed verification nodes;
[0052] Statistical analysis was performed on the local verification results in the screened verification responses to calculate the proportion of nodes that reached a positive conclusion.
[0053] The ratio is compared with a preset consensus threshold. If the ratio is reached or exceeded, the result aggregates the smart contract to generate a final state record indicating successful authentication; otherwise, a state record indicating failed authentication is generated.
[0054] Preferably, the result aggregation smart contract generates a final state record indicating successful authentication, including:
[0055] The final state record shall include at least the unique number of this authentication task, the final conclusion, the list of verification node identifiers that have reached consensus, and the height and timestamp of the final state record on the blockchain;
[0056] The final state record is permanently written into the distributed ledger of the blockchain;
[0057] The result aggregation smart contract sends an event notification containing the hash value of the final state record to all subscribers associated with this authentication task.
[0058] Compared with the prior art, the beneficial effects of the present invention are:
[0059] The process of parsing and generating descriptors for encryption policies is encoded into smart contracts deployed on the blockchain. This technical solution makes the triggering, execution logic, and output results of the policy a transparent, immutable, and traceable event on the blockchain. Any processing of standard identity attribute data blocks must obtain the corresponding encryption policy instructions by calling this contract, eliminating the risks of single-point manipulation and black-box operation that may exist with centralized policy servers. Encryption policies can achieve automated, dynamic, and trusted execution. Changes and upgrades can be completed through updates to the contract code and take effect immediately across the entire network, ensuring the consistency and timeliness of policy management.
[0060] By binding encrypted attribute credentials with policy execution credentials derived from the blockchain and encapsulating them into a verifiable authentication token, which is then broadcast in a collaborative authentication network, multiple verification nodes can independently verify the token's integrity and policy compliance, rather than relying on the judgment of a single institution. The independent verification results of each node are aggregated through a pre-defined consensus mechanism, ultimately forming an authentication conclusion reached by the distributed network. This ensures that the final authentication conclusion no longer originates from a unilateral statement by a specific centralized institution, but rather from a trusted process that has undergone independent verification and network consensus. It defends against attacks and collusive fraud targeting a single validator, enhancing the reliability, non-repudiation, and overall credibility of the authentication conclusion. Attached Figure Description
[0061] Figure 1 This is a sequence diagram of the digital identity collaborative authentication system based on smart contracts and attribute encryption as described in this invention;
[0062] Figure 2 A flowchart for receiving and buffering the raw attribute data set;
[0063] Figure 3 A flowchart for selecting encryption functions and accessing structure templates;
[0064] Figure 4 A comparison chart of signature verification performance of verification nodes in a digital identity collaborative authentication system;
[0065] Figure 5 A stacked bar chart showing the data processing results of external authentication sources in a digital identity collaborative authentication system. Detailed Implementation
[0066] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0067] Please see Figure 1This invention provides a digital identity collaborative authentication system based on smart contracts and attribute encryption. The method includes: an identity data processing module receiving raw attribute data sets from multiple external authentication sources and performing structured transformation on the sets according to preset standardized processing rules to generate standard identity attribute data blocks; a policy parsing contract module calling and running a policy parsing smart contract deployed in a blockchain network for the generated standard identity attribute data blocks to extract an encrypted policy descriptor associated with the current authentication task; an attribute encryption execution module selecting a matching encryption function and access structure template from an attribute-based encryption library based on the specific content of the extracted encryption policy descriptor, then inputting the standard identity attribute data blocks into it, performing attribute-based encryption operations, and generating ciphertext attribute credentials; a token encapsulation and distribution module binding the ciphertext attribute credentials with the policy execution credentials generated by the policy parsing smart contract, encapsulating them into a verifiable authentication token; and a collaborative verification and consensus module broadcasting and distributing the verifiable authentication token in the collaborative authentication network, triggering verification nodes in the network to independently verify the integrity and policy compliance of the token, aggregating the independent verification results from multiple verification nodes, and forming a final collaborative authentication conclusion through a preset consensus mechanism.
[0068] In one embodiment of the present invention, see [reference] Figure 2 Establish authorized data connection channels with different external authentication sources, including government databases, financial institution authentication systems, and public service platforms. Asynchronously receive raw attribute data streams pushed by each external authentication source through the established authorized data connection channels. Mark the source of the received raw attribute data streams with source identification and timestamps to form raw data units with traceability information. Temporarily buffer and store the raw data units with traceability information from different external authentication sources to form the raw attribute data set. Load a predefined attribute data pattern definition file, which specifies the name, type, length, and value range constraints of the attributes. Traverse each raw data unit with traceability information in the raw attribute data set, and perform format cleaning, type casting, and value range compliance verification on each raw data unit according to the attribute data pattern definition file. Reassemble the verified data content according to the attribute data pattern definition file, while discarding the data content that fails verification. Assign a globally unique attribute identifier to each reassembled data unit to generate the standard identity attribute data block.
[0069] In practical implementation, authorized data connection channels are established with three types of external authentication sources: government databases, financial institution authentication systems, and public service platforms. These channels employ a secure communication link based on a two-way authentication mechanism using digital certificates. In some embodiments, the authorized data connection channels asynchronously receive citizen identification codes and name data streams from government databases, account level and real-name status data streams from financial institution authentication systems, and social insurance payment status data streams from public service platforms. Each received raw attribute data stream is appended with a source identifier containing the source system code and sequence number, and the precise timestamp of data arrival is recorded, forming raw data units with traceability information. In practical implementation, the raw data units with traceability information from the government database, the financial institution authentication system, and the public service platform are stored together in a distributed message queue for temporary buffering, constituting a complete set of raw attribute data.
[0070] In the specific implementation, a predefined attribute data pattern definition file is loaded. Each raw data unit with traceability information in the original attribute data set is traversed. Based on the attribute data pattern definition file, the raw data units with traceability information undergo format cleaning operations, including removing leading and trailing whitespace characters and standardizing the date format to YYYY-MM-DD. In the specific implementation, type casting is performed to convert the text-based "Account Level" numerical string into integer data, and the "Citizen Identity Number" undergoes value range compliance verification to check if it conforms to the encoding rules and checksum algorithm. In the specific implementation, the verified "Citizen Identity Number" and "Name" data contents are reassembled according to the field order defined in the attribute data pattern definition file, discarding raw data units that fail verification or have incorrect formats. Each reassembled data unit is assigned a globally unique attribute identifier, generated from a version number, timestamp, and random hash. The final product is a standard identity attribute data block.
[0071] During the value range compliance verification process, optionally, a numeric attribute value v can be normalized, and the calculation formula is as follows:
[0072]
[0073] Where: the symbol N(v) represents the result of the attribute value v after normalization. This represents the minimum allowed value for this attribute as specified in the attribute data schema definition file, symbol... This represents the maximum allowed value for the attribute as specified in the attribute data schema definition file. It is understood that this calculation ensures that the value is constrained within a predefined standardized range. In some embodiments, for non-numerical attributes, such as "occupational category," the value range compliance check is performed by querying a predefined occupational category code table; the check passes only if the code exists in the code table. It is understood that the attribute data schema definition file serves as the benchmark for standardized transformation; missing or inconsistent attribute data units will be excluded by the system, thereby ensuring the structural and semantic consistency of data blocks input into subsequent modules.
[0074] In one embodiment of the present invention, the attribute identifier in the standard identity attribute data block and the context information of the current authentication task are used as input parameters to call the public interface of the policy parsing smart contract. The policy parsing smart contract matches policy entries that match the attribute identifier and the context information in its internally stored policy rule base. From the successfully matched policy entries, the encryption strength level, the list of allowed verification nodes, and the combination of attribute conditions that must be met are parsed. The parsed encryption strength level, the list of allowed verification nodes, and the combination of attribute conditions that must be met are encoded into a machine-readable encryption policy descriptor, which contains a policy hash value.
[0075] In practice, the attribute identifier from the standard identity attribute data block and the context information of the current authentication task are used as input parameters. A public query interface of the strategy resolution smart contract deployed on the blockchain is invoked via a blockchain transaction. The attribute identifier is a unique string consisting of alphanumeric characters, while the context information is a structure containing a request timestamp, the requesting application identifier, and the authentication scenario code. In some embodiments, the input parameters are constructed as a JSON object and submitted to the strategy resolution smart contract via a Web3 library.
[0076] In its implementation, the strategy parsing smart contract executes matching logic within its internally persistent strategy rule base. This rule base is stored in a mapping format, with the key being the strategy index and the value being a strategy entry containing the applicable scenario, attribute conditions, encryption strength level, and a list of verification nodes. The strategy parsing smart contract iterates through the rule base, comparing the list of attribute identifiers in the input parameters with the authentication scenario codes in the context information, and then with the applicable attribute set and applicable scenario scope defined in each strategy entry. Optionally, the matching process incorporates a weighting function to measure the matching degree, expressed as:
[0077]
[0078] Where: M represents the overall matching degree between the current input parameter and a certain policy entry; n represents the total number of required attribute conditions defined for that policy entry; and n represents the total number of required attribute conditions defined for that policy entry. It is an indicator function that has a value of 1 if the set of attribute identifiers in the input parameters contains the i-th required attribute condition, and a value of 0 otherwise. This represents the preset weight factor of the i-th attribute condition in this strategy.
[0079] From the successfully matched policy entries, the policy parsing smart contract extracts the specific encryption strength level, the list of allowed verification nodes, and the required combination of attribute conditions. The encryption strength level may be an enumeration value, the list of allowed verification nodes is an array containing multiple blockchain addresses, and the required combination of attribute conditions is a logical expression. In practice, the policy parsing smart contract concatenates these three types of data—encryption strength level, list of allowed verification nodes, and required combination of attribute conditions—with a random number to calculate a hash value. All this information, along with the hash value, is encoded into a machine-readable encryption policy descriptor. The encryption policy descriptor uses binary or serialized format, and it necessarily contains the policy hash value, which serves as the core verification basis. The policy hash value ensures the integrity and immutability of the encryption policy descriptor, providing a reliable benchmark for the policy execution of subsequent modules.
[0080] In one embodiment of the present invention, see [reference] Figure 3 The encryption strength level field in the encryption policy descriptor is parsed. Based on the value of the encryption strength level field, a set of candidate encryption algorithms that meet the strength level requirement is searched in the index of the attribute-based encryption library. Combined with the required attribute conditions, compatible encryption function instances are selected from the candidate encryption algorithm set. Based on the logical relationship of the required attribute conditions, a corresponding access control tree structure is generated as the access structure template. Attribute name and attribute value pairs in the standard identity attribute data block are mapped to the leaf nodes of the access structure template. Using the public key parameter of the encryption function instance, independent encryption operations are performed on the attribute values mapped to each leaf node. Based on the tree-like logical structure in the access structure template, the encryption parameters of intermediate nodes are aggregated from bottom to top. Finally, the encryption synthesis of the entire data block is completed at the root node of the access structure template, and the ciphertext attribute credential is output.
[0081] In practice, the encryption strength level field in the encryption policy descriptor is parsed. This field is an enumerated numerical value. Based on the specific value of the encryption strength level field, a search is performed in a predefined index table of the attribute-based encryption library. This index table establishes a mapping from the encryption strength level to a set of cryptographic algorithm identifiers that meet its security strength requirements. The found candidate encryption algorithm set may contain two algorithm identifiers: "ABE-CC-256" and "ABE-CP-256". Combining this with the required attribute conditions obtained from the encryption policy descriptor, encryption function instances whose logical structure is compatible with the attribute condition combinations are selected from the candidate encryption algorithm set.
[0082] Optionally, the independent encryption operations of the encryption function instance on the leaf nodes follow a mathematical construction, and their calculation process can be expressed as:
[0083]
[0084] Where: symbol This represents the intermediate ciphertext component calculated for a specific leaf node. The symbol `g` is the generator of the cyclic group, `s` is the randomly selected master secret exponent during encryption, `H` is a hash function that maps attribute strings to group elements, `attr` is the attribute name mapped to the leaf node, `v` is the encoded numerical representation of the attribute value mapped to the leaf node, and `ρ` is the randomized blinding factor related to the leaf node's position in the access control tree. It can be understood that the encryption of each leaf node introduces independent randomness. Based on the tree-like logical structure in the access structure template, the encryption parameters of intermediate nodes are aggregated from bottom to top. For the root node, which acts as an AND gate, the aggregation operation requires combining the ciphertext components of all its child nodes with the relevant randomization parameters, calculated according to the combination algorithm defined by the encryption function instance. Finally, the encryption synthesis of the entire data block is completed at the root node of the access structure template, outputting a structured data object that integrates the ciphertext components of all leaf nodes, the access structure description, and system parameters.
[0085] In one embodiment of the present invention, the credential generation function of the strategy parsing smart contract is invoked, and the strategy hash value and the storage address of the encrypted attribute credential are input. The strategy parsing smart contract generates a digital credential containing the strategy hash value, the storage address, and the smart contract signature, which serves as the strategy execution credential. The credential identifier of the strategy execution credential is associated with the encrypted attribute credential through metadata. The associated overall data is encapsulated into a verifiable authentication token with a specific data format. The verifiable authentication token is published to a specific transaction on the blockchain network, and this transaction event is captured by subscribed verification nodes. Each verification node extracts the verifiable authentication token from the blockchain and separates the encrypted attribute credential and the strategy execution credential from it. Each verification node independently verifies the validity of the smart contract signature on the strategy execution credential. Each verification node retrieves the corresponding original encrypted strategy descriptor from the blockchain based on the strategy hash value in the strategy execution credential. Each verification node uses its own attribute private key to attempt to decrypt the encrypted attribute credential and perform access structure matching, generating a local verification result.
[0086] In practical implementation, the encrypted attribute credential and the policy execution credential are bound and encapsulated into a verifiable authentication token. The process involves distributing this token and triggering independent verification by verification nodes. This process calls the credential generation function of the policy parsing smart contract, inputting the policy hash value contained in the encrypted policy descriptor and the storage address of the encrypted attribute credential. Upon receiving the input, the policy parsing smart contract generates a digital credential containing the policy hash value, storage address, and smart contract signature as the policy execution credential. Referring to Table 1, the data structure of the policy execution credential can include the fields shown in Table 1.
[0087] Table 1: Policy Execution Certificate Field Table
[0088]
[0089] In practical implementation, the smart contract signature on the strategy execution certificate is generated by hashing the concatenated string of the strategy hash value and the storage address, and then performing a digital signature operation using the private key of the strategy parsing smart contract. Optionally, the signature operation process can be expressed as follows:
[0090]
[0091] Where: symbol This represents the final generated smart contract signature data. The symbol "Sign" represents the selected digital signature algorithm function. This represents the private key parameter corresponding to the smart contract account for policy parsing. The symbol H represents the cryptographic hash function, the symbol policy_hash represents the policy hash value, the symbol || represents the string concatenation operation, and the symbol storage_address represents the storage address of the encrypted attribute credential.
[0092] In practice, a verifiable authentication token is published as a data payload in a specific transaction on the blockchain network. This transaction is broadcast throughout the entire blockchain network, and the transaction event is captured by verification nodes that have pre-subscribed to the relevant topics. Each verification node listens for blockchain events, and upon capturing the transaction event, extracts the complete verifiable authentication token from the transaction data stored on the blockchain. Each verification node parses the format of the verifiable authentication token, separating it into two parts: a ciphertext attribute credential and a policy execution credential. In some embodiments, the ciphertext attribute credential is separated as a Base64-encoded string, and the policy execution credential is separated as a JSON object. Each verification node independently verifies the validity of the smart contract signature on the policy execution credential. The verification process uses the public address of the policy parsing smart contract to decrypt the signature and compares it with the recalculated message hash. Based on the policy hash value in the policy execution credential, each verification node retrieves the corresponding original encrypted policy descriptor from the blockchain's storage history. After a successful retrieval, each verification node uses its own attribute private key to attempt to decrypt the encrypted attribute credential and match it with the access structure, generating a local verification result. It can be understood that each verification node's attribute private key corresponds to its authorized attribute set. Only if its attributes meet the access control tree structure set during encryption can the decryption attempt succeed, thus generating a "passed" local verification result; otherwise, a "failed" local verification result is generated.
[0093] See Figure 4 This is a performance comparison chart of signature verification nodes in a digital identity collaborative authentication system, primarily showing the signature verification time and pass rate of different verification nodes. This chart serves as a tool for evaluating the validity of verification nodes in the digital identity collaborative authentication system. Nodes A / B / D are valid verification nodes: their signature verification time is reasonable and their pass rate is 100%, allowing them to participate in subsequent consensus. Nodes C / E are invalid nodes: their pass rate is 0, and they must be excluded from the consensus node list. This type of visualization helps the system quickly filter valid verification nodes, which is a prerequisite for the reliable operation of the "consensus mechanism" in collaborative authentication, directly affecting the accuracy and efficiency of the authentication conclusion.
[0094] In one embodiment of the present invention, each verification node jointly signs its local verification result, node identifier, and a random number proof, and submits it as a verification response to a result aggregation smart contract. The result aggregation smart contract collects all valid verification responses arriving within a predetermined time window. Based on the allowed verification node list, the result aggregation smart contract filters verification responses from authorized verification nodes. It statistically analyzes the local verification results in the filtered verification responses and calculates the proportion of nodes reaching a positive conclusion. This proportion is compared with a preset consensus threshold. If the consensus threshold is reached or exceeded, the result aggregation smart contract generates a final state record indicating successful authentication; otherwise, it generates a state record indicating authentication failure. The final state record includes at least the unique number of this authentication task, the final conclusion, a list of verification node identifiers that reached consensus, and the height and timestamp of the final state record on the blockchain. The final state record is permanently written into the distributed ledger of the blockchain. The result aggregation smart contract sends an event notification containing the hash value of the final state record to all subscribers associated with this authentication task.
[0095] In practice, the process involves aggregating the independent verification results of multiple verification nodes and forming a final collaborative authentication conclusion through a consensus mechanism. Each verification node submits its local verification result, node identifier, and a random number proof, along with a joint signature, as a verification response to a result aggregation smart contract deployed on the blockchain. Specifically, the result aggregation smart contract collects all valid verification responses arriving within a predetermined time window. This predetermined time window is defined by the smart contract's state variables, such as 300 block times from the first received response. The result aggregation smart contract verifies the validity of the digital signature of each verification response and checks whether the random number proof has been reused, considering only responses that pass verification as valid.
[0096] The resulting aggregation smart contract filters verification responses from authorized verification nodes based on the allowed verification node list obtained from the cryptographic policy descriptor. The allowed verification node list is a predefined whitelist of blockchain addresses. The resulting aggregation smart contract iterates through all valid verification responses, retaining only those whose node identifiers are present in the whitelist. The local verification results of the filtered verification responses are statistically analyzed to calculate the proportion of nodes achieving a positive conclusion. In specific implementations, the resulting aggregation smart contract counts the number of responses with a "pass" local verification result. Optionally, the calculation process for the proportion of nodes achieving a positive conclusion can be expressed as follows:
[0097]
[0098] Where: symbol The symbol represents the proportion of nodes that reached a positive conclusion, calculated from the given information. This indicates the number of responses whose local verification result is "passed" after filtering. This represents the total number of valid verification responses remaining after filtering through the authorization list. This proportion quantifies the level of agreement among the authorized verification nodes regarding the authentication result. In some embodiments, the preset consensus threshold is two-thirds (approximately 66.7%). The aggregated smart contract will calculate this proportion. Compared with the preset consensus threshold, if If the consensus threshold is reached or exceeded, the resulting aggregated smart contract generates a final state record indicating successful authentication; otherwise, it generates a final state record indicating authentication failure.
[0099] See Figure 5 This is a stacked bar chart showing the data processing results from external authentication sources in a digital identity collaborative authentication system. It primarily displays the distribution of raw data volume from different external authentication sources after structured transformation and cleaning. This chart serves as an effectiveness evaluation tool for the "Identity Data Processing Module" within the digital identity collaborative authentication system. Government / financial / public service authentication sources have a high data validity rate (91%-94%), making them a core and reliable source of digital identity attribute data. Social platform data has a relatively lower validity rate, requiring strengthened standardization of its data format processing rules. This type of visualization helps the system filter high-quality external authentication sources, ensuring the accuracy and reliability of subsequent digital identity attribute data.
[0100] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.
[0101] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.
Claims
1. A digital identity collaborative authentication system based on smart contracts and attribute encryption, characterized in that, The system includes: The identity data processing module receives a set of raw attribute data provided by multiple external authentication sources, and performs a structured transformation on the raw attribute data set under preset standardized processing rules to generate standard identity attribute data blocks. The strategy parsing contract module runs a strategy parsing smart contract deployed in the blockchain network for the standard identity attribute data block, and extracts the encrypted strategy descriptor associated with the current authentication task. The attribute encryption execution module selects the corresponding encryption function and access structure template from the attribute base encryption library according to the content of the encryption policy descriptor, inputs the standard identity attribute data block into the encryption function and access structure template, performs attribute base encryption operation, and generates ciphertext attribute credentials. The token encapsulation and distribution module binds the encrypted attribute certificate with the strategy execution certificate generated by the strategy parsing smart contract and encapsulates it into a verifiable authentication token. The collaborative verification and consensus module broadcasts and distributes the verifiable authentication token in the collaborative authentication network, and triggers verification nodes to independently verify the integrity and policy compliance of the verifiable authentication token. It aggregates the independent verification results from multiple verification nodes and forms the final collaborative authentication conclusion through a preset consensus mechanism.
2. The digital identity collaborative authentication system based on smart contracts and attribute encryption according to claim 1, characterized in that, The receipt of the raw attribute data set provided by multiple external authentication sources includes: Establish authorized data connection channels with different external authentication sources, including government databases, financial institution authentication systems, and public service platforms; The system asynchronously receives raw attribute data streams pushed by various external authentication sources through the authorized data connection channel. The original attribute data stream is marked with source identifiers and timestamps to form original data units with traceability information; The original data units with traceability information from different external authentication sources are temporarily buffered and stored to form the original attribute data set.
3. The digital identity collaborative authentication system based on smart contracts and attribute encryption according to claim 2, characterized in that, Under preset standardized processing rules, the original attribute data set undergoes a structured transformation, including: Load a predefined attribute data schema definition file, which specifies the constraints on the name, type, length, and value range of the attributes; Traverse each original data unit with traceability information in the original attribute data set; Based on the attribute data pattern definition file, the original data units with traceability information are cleaned in format, type-casted, and their value ranges are verified for compliance. The data that passes the verification will be reassembled according to the attribute data pattern definition file, and the data that fails the verification will be discarded. Assign a globally unique attribute identifier to each reassembled data unit to generate the standard identity attribute data block.
4. The digital identity collaborative authentication system based on smart contracts and attribute encryption according to claim 3, characterized in that, Run the policy parsing smart contract deployed on the blockchain network to extract the cryptographic policy descriptor associated with the current authentication task, including: The attribute identifier in the standard identity attribute data block and the context information of the current authentication task are used as input parameters to call the public interface of the strategy parsing smart contract. The strategy parsing smart contract matches strategy entries that match the attribute identifier and the context information in its internally stored strategy rule base; Parse the encryption strength level, the list of allowed verification nodes, and the combination of attribute conditions that must be met from the successfully matched policy entries; The encryption strength level, the list of allowed verification nodes, and the attribute conditions that must be met are combined and encoded into a machine-readable encryption policy descriptor, which contains a policy hash value.
5. The digital identity collaborative authentication system based on smart contracts and attribute encryption according to claim 4, characterized in that, Based on the content of the encryption policy descriptor, the corresponding encryption function and access structure template are selected from the attribute-based encryption library, including: Parse the encryption strength level field in the encryption policy descriptor; Based on the value of the encryption strength level field, search the index of the attribute-based encryption library for a set of candidate encryption algorithms that meet the strength level requirements; By combining the required attribute conditions, compatible encryption function instances are selected from the candidate encryption algorithm set. Based on the logical relationship of the required attribute conditions, a corresponding access control tree structure is generated as the access structure template.
6. The digital identity collaborative authentication system based on smart contracts and attribute encryption according to claim 5, characterized in that, The standard identity attribute data block is input into the encryption function and access structure template to perform attribute-based encryption operations, including: Map the attribute name and attribute value pairs in the standard identity attribute data block to the leaf nodes of the access structure template; Using the public key parameter of the encryption function instance, perform independent encryption operations on the attribute values mapped to each leaf node; Based on the tree-like logical structure in the access structure template, the encryption parameters of the intermediate nodes are aggregated from bottom to top; Finally, the encryption synthesis of the entire data block is completed at the root node of the access structure template, and the ciphertext attribute certificate is output.
7. The digital identity collaborative authentication system based on smart contracts and attribute encryption according to claim 6, characterized in that, Binding the encrypted attribute certificate to the policy execution certificate generated by the policy parsing smart contract includes: Invoke the certificate generation function of the smart contract parsing strategy, and input the strategy hash value and the storage address of the encrypted attribute certificate; The strategy parsing smart contract generates a digital certificate containing the strategy hash value, the storage address, and the smart contract signature, which serves as the strategy execution certificate; Associate the credential identifier of the policy execution credential with the encrypted attribute credential using metadata; The associated overall data is encapsulated into the verifiable authentication token with a specific data format.
8. The digital identity collaborative authentication system based on smart contracts and attribute encryption according to claim 7, characterized in that, The verifiable authentication token is broadcast and distributed in the collaborative authentication network, and verification nodes are triggered to independently verify the integrity and policy compliance of the verifiable authentication token, including: The verifiable authentication token is published to a specific transaction on the blockchain network, and the transaction event is captured by the subscribed verification nodes; Each verification node extracts the verifiable authentication token from the blockchain and separates the encrypted attribute credential and the policy execution credential from it. Each verification node independently verifies the validity of the smart contract signature on the policy execution credential; Each verification node retrieves the corresponding original encrypted policy descriptor from the blockchain based on the policy hash value in the policy execution credential. Each verification node uses its own attribute private key to attempt to decrypt and access the structure of the encrypted attribute credential, generating a local verification result.
9. The digital identity collaborative authentication system based on smart contracts and attribute encryption according to claim 8, characterized in that, The system aggregates independent verification results from multiple verification nodes and uses a pre-defined consensus mechanism to form a final collaborative authentication conclusion, including: Each verification node submits its local verification result, node identifier, and a random number proof to a result aggregation smart contract as a verification response after jointly signing the local verification result, node identifier, and random number proof. The results are aggregated by the smart contract, which collects all valid verification responses that arrive within a predetermined time window. The result aggregation smart contract filters out verification responses from authorized verification nodes based on the list of allowed verification nodes; Statistical analysis was performed on the local verification results in the screened verification responses to calculate the proportion of nodes that reached a positive conclusion. The ratio is compared with a preset consensus threshold. If the ratio is reached or exceeded, the result aggregates the smart contract to generate a final state record indicating successful authentication; otherwise, a state record indicating failed authentication is generated.
10. The digital identity collaborative authentication system based on smart contracts and attribute encryption according to claim 9, characterized in that, The result aggregates the smart contract to generate a final state record indicating successful authentication, including: The final state record shall include at least the unique number of this authentication task, the final conclusion, the list of verification node identifiers that have reached consensus, and the height and timestamp of the final state record on the blockchain; The final state record is permanently written into the distributed ledger of the blockchain; The result aggregation smart contract sends an event notification containing the hash value of the final state record to all subscribers associated with this authentication task.