[go: up one dir, main page]

CN114491637B - Data query method, device, computer equipment and storage medium - Google Patents

Data query method, device, computer equipment and storage medium Download PDF

Info

Publication number
CN114491637B
CN114491637B CN202210109193.9A CN202210109193A CN114491637B CN 114491637 B CN114491637 B CN 114491637B CN 202210109193 A CN202210109193 A CN 202210109193A CN 114491637 B CN114491637 B CN 114491637B
Authority
CN
China
Prior art keywords
data
mapping
key
query
result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210109193.9A
Other languages
Chinese (zh)
Other versions
CN114491637A (en
Inventor
张凡
蒋杰
侯忱
刘煜宏
陈鹏
陶阳宇
王礼斌
程勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN202210109193.9A priority Critical patent/CN114491637B/en
Publication of CN114491637A publication Critical patent/CN114491637A/en
Application granted granted Critical
Publication of CN114491637B publication Critical patent/CN114491637B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a data query method, a data query device, computer equipment, a storage medium and a computer program product, which can protect data security. The data storage side generates an encryption key and first key alignment data based on a first mapping result obtained by mapping the candidate object identifiers through the first mapping reference data, and sends ciphertext object data respectively corresponding to the candidate object identifiers and first key alignment data obtained by encrypting plaintext object data through the encryption key to the data inquiry side. The data inquiring party decrypts ciphertext object data corresponding to the first key alignment data successfully matched with the second key alignment data based on the decryption key to obtain target object data; the second mapping result used for generating the decryption key and the second key alignment data is obtained by mapping the query object identifier based on the second mapping reference data, and the same result is obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data.

Description

Data query method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technology, and in particular, to a data query method, apparatus, computer device, storage medium, and computer program product.
Background
With the development of computer technology, data stored on a network is growing, and data inquiry on the network is common. The data querying party can provide the content to be queried to the data storage party, the data storage party searches and counts in the database, and then returns the result to the data querying party.
However, the data querying party directly exposes the data to be queried to the data storage party, so that the risk of information leakage exists, and the data storage party can leak the query information of the data querying party to other devices, thereby causing the data leakage of the data querying party and having certain potential safety hazard.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a data query method, apparatus, computer device, computer readable storage medium, and computer program product that are capable of protecting both parties from data security at the time of data query.
The application provides a data query method, which is applied to data storage equipment, and comprises the following steps:
acquiring at least two candidate object identifiers and plaintext object data corresponding to each candidate object identifier;
mapping the candidate object identifiers based on first mapping reference data to obtain first mapping results corresponding to the candidate object identifiers;
Generating an encryption key and first key alignment data based on a first mapping result corresponding to the same candidate object identifier, and encrypting corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data;
Sending ciphertext object data and first key alignment data corresponding to each candidate object identifier to data query equipment so that the data query equipment matches second key alignment data corresponding to the query object identifier with each first key alignment data, and decrypting ciphertext object data corresponding to successfully matched first key alignment data based on a decryption key corresponding to the query object identifier to obtain target object data corresponding to the query object identifier;
The decryption key and the second key alignment data are obtained based on a second mapping result, the second mapping result is obtained by mapping the query object identifier based on second mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data are the same.
The application also provides a data query device, which comprises:
the data acquisition module is used for acquiring at least two candidate object identifiers and plaintext object data corresponding to each candidate object identifier;
the first data mapping module is used for respectively carrying out mapping processing on each candidate object identifier based on first mapping reference data to obtain a first mapping result corresponding to each candidate object identifier;
The data encryption module is used for generating an encryption key and first key alignment data based on a first mapping result corresponding to the same candidate object identifier, and encrypting corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data;
The data sending module is used for sending the ciphertext object data and the first key alignment data which correspond to the candidate object identifiers respectively to the data query equipment so that the data query equipment can match the second key alignment data corresponding to the query object identifiers with the first key alignment data, and decrypt ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption keys corresponding to the query object identifiers to obtain target object data corresponding to the query object identifiers;
The decryption key and the second key alignment data are obtained based on a second mapping result, the second mapping result is obtained by mapping the query object identifier based on second mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data are the same.
The application provides a data query method, which is applied to data query equipment, and comprises the following steps:
acquiring a query object identifier corresponding to target object data to be queried;
Mapping the query object identifier based on second mapping reference data to obtain a second mapping result;
Obtaining a decryption key and second key alignment data corresponding to the query object identifier based on the second mapping result;
Acquiring encrypted data sent by a data storage device; the encryption data comprises ciphertext object data and first key alignment data which are respectively corresponding to at least two candidate object identifiers, the ciphertext object data are obtained by encrypting plaintext object data corresponding to the candidate object identifiers based on encryption keys corresponding to the candidate object identifiers, the encryption keys corresponding to the candidate object identifiers and the first key alignment data are obtained based on first mapping results corresponding to the candidate object identifiers, the first mapping results are obtained by mapping the candidate object identifiers based on first mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier are the same based on the first mapping reference data and the second mapping reference data;
And matching the second key alignment data with each first key alignment data, and decrypting ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key to obtain the target object data.
The application also provides a data query device. The device comprises:
The identification acquisition module is used for acquiring an inquiry object identification corresponding to target object data to be inquired;
The second data mapping module is used for carrying out mapping processing on the query object identifier based on second mapping reference data to obtain a second mapping result;
The key data generation module is used for obtaining a decryption key and second key alignment data corresponding to the query object identifier based on the second mapping result;
the encrypted data acquisition module is used for acquiring encrypted data sent by the data storage device; the encryption data comprises ciphertext object data and first key alignment data which are respectively corresponding to at least two candidate object identifiers, the ciphertext object data are obtained by encrypting plaintext object data corresponding to the candidate object identifiers based on encryption keys corresponding to the candidate object identifiers, the encryption keys corresponding to the candidate object identifiers and the first key alignment data are obtained based on first mapping results corresponding to the candidate object identifiers, the first mapping results are obtained by mapping the candidate object identifiers based on first mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier are the same based on the first mapping reference data and the second mapping reference data;
And the data decryption module is used for matching the second key alignment data with each first key alignment data, and decrypting ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key to obtain the target object data.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the various data querying methods described above when the processor executes the computer program.
A computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the various data querying methods described above.
A computer program product comprising a computer program which when executed by a processor performs the steps of the various data querying methods described above.
The data query method, apparatus, computer device, storage medium and computer program product, the data storage device obtains at least two candidate object identifiers and plaintext object data corresponding to each candidate object identifier, respectively performs mapping processing on each candidate object identifier based on first mapping reference data to obtain first mapping results corresponding to each candidate object identifier, generates encryption keys and first key alignment data based on the first mapping results corresponding to the same candidate object identifier, obtains encryption keys and first key alignment data corresponding to each candidate object identifier, respectively, encrypts corresponding plaintext object data based on the encryption keys corresponding to the same candidate object identifier to obtain ciphertext object data, And sending the ciphertext object data and the first key alignment data which respectively correspond to the candidate object identifiers to the data query equipment. The data query device performs mapping processing on the query object identifier based on the second mapping reference data to obtain a second mapping result, and obtains a decryption key and second key alignment data based on the second mapping result. The data query device matches the second key alignment data corresponding to the query object identifier with each first key alignment data, decrypts ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key corresponding to the query object identifier, and accordingly obtains target object data corresponding to the query object identifier. The first mapping reference data and the second mapping reference data are different, but the mapping results obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data are the same. Thus, if the query object identifier is consistent with a certain candidate object identifier, the second mapping result corresponding to the query object identifier is consistent with the first mapping result corresponding to the candidate object identifier, and if the query object identifier is inconsistent with a certain candidate object identifier, the second mapping result corresponding to the query object identifier is inconsistent with the first mapping result corresponding to the candidate object identifier. Further, if the mapping result is the same, the generated key and the key alignment data are the same. Then, after obtaining ciphertext object data and first key alignment data corresponding to at least two candidate object identifiers on the data storage device, the data query device matches the second key alignment data and each first key alignment data corresponding to the query object identifiers, if there is successful data matching, it indicates that there is an object identifier consistent with the query object identifier in each candidate object identifier, each ciphertext object data includes ciphertext data obtained by encrypting plaintext object data corresponding to the query object identifier, and further, the data query device may decrypt ciphertext object data corresponding to the successfully matched first key alignment data based on a decryption key corresponding to the query object identifier, and obtaining plaintext object data corresponding to the query object identifier. further, since the first mapping reference data and the second mapping reference data are different, even if the data query device acquires a plurality of ciphertext object data, the ciphertext object data corresponding to the object identifier other than the query object identifier cannot be successfully decrypted. In summary, in the whole data interaction process, the data storage device cannot acquire the query object of the data query device, and the data query device cannot acquire the plaintext data of other objects except the plaintext object data of the query object, so that the data security of the data storage device and the data query device is ensured.
Drawings
FIG. 1 is an application environment diagram of a data polling method in one embodiment;
FIG. 2 is a flow diagram of a method of data polling in one embodiment;
FIG. 3 is a flow chart illustrating the acquisition of first mapping reference data in one embodiment;
FIG. 4 is a timing diagram of acquiring first mapping reference data according to one embodiment;
FIG. 5 is a schematic diagram of generating first mapping reference data in one embodiment;
FIG. 6 is a flow chart of a data polling method in another embodiment;
FIG. 7 is a flow diagram of a data query performed by a data querying party in one embodiment;
FIG. 8 is a flow diagram of data interaction by a data inquirer and a data store in one embodiment;
FIG. 9 is a block diagram of the structure of a data polling device in one embodiment;
FIG. 10 is a block diagram of a data polling device in one embodiment;
FIG. 11 is an internal block diagram of a computer device in one embodiment;
Fig. 12 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The data query method provided by the embodiment of the application can be applied to an application environment shown in figure 1. Wherein the data querying device 102 communicates with the data storage device 104 via a network. The data query device refers to a device which initiates data query and represents a data query party. The data storage device refers to a device storing data that the data querying party wants to query, and represents the data holder. The data query device and the data storage device may be terminals or servers. The terminal can be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things equipment and portable wearable equipment, and the internet of things equipment can be smart speakers, smart televisions, smart air conditioners, smart vehicle-mounted equipment and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server may be implemented as a stand-alone server or as a server cluster or cloud server composed of a plurality of servers.
Specifically, the data storage device obtains at least two candidate object identifiers and plaintext object data corresponding to each candidate object identifier, and performs mapping processing on each candidate object identifier based on first mapping reference data to obtain first mapping results corresponding to each candidate object identifier. The data storage device generates an encryption key and first key alignment data based on a first mapping result corresponding to the same candidate object identifier, and encrypts corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data. The data storage device sends ciphertext object data and first key alignment data which respectively correspond to the candidate object identifiers to the data query device.
The data query device performs mapping processing on the query object identifier based on the second mapping reference data to obtain a second mapping result, and obtains a decryption key and second key alignment data based on the second mapping result. The data query device matches the second key alignment data with each first key alignment data, decrypts the ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key, and obtains target object data corresponding to the query object identifier, namely obtains plaintext object data corresponding to the query object identifier.
In one embodiment, as shown in fig. 2, a data query method is provided, and the method is applied to the data storage device in fig. 1 for illustration, and includes the following steps:
Step S202, acquiring at least two candidate object identifiers and plaintext object data corresponding to each candidate object identifier.
Wherein the candidate object identification is an object identification stored on the data storage device. An object identifier is an identifier that is used to uniquely identify an object, and may specifically include a character string of at least one of letters, numbers, and symbols. The object may refer to an organism, e.g., a person, an animal, a plant, etc., and the object may refer to an article, e.g., an electronic device, a mechanical device, an office appliance, etc. For example, if the object is an animal, the object identifier is an animal identifier, if the object is a person, the object identifier is a user identifier, and if the object is an electronic device, the object identifier is an electronic device identifier.
Plaintext object data refers to object data that is not encrypted. The object data refers to related data of an object, for example, attribute information, behavior information, test information, and the like of the object.
Specifically, the data storage device refers to a device storing data that the data querying party wants to query, and represents the data holder. The data storage device stores plaintext object data corresponding to each of the plurality of candidate object identifiers. The data query device refers to a device which initiates data query and represents a data query party. The data query device may send a data query request to the data storage device, and the data storage device generates encrypted data corresponding to the candidate object identifiers based on the candidate object identifiers and plaintext object data corresponding to the candidate object identifiers according to the data query request, and sends the encrypted data corresponding to at least two candidate object identifiers to the data query device. The data query device determines an object identifier shared with the data storage device in the query information based on the encrypted data, decrypts the encrypted data corresponding to the shared object identifier, and takes the plaintext object data obtained by decryption as a query result.
Step S204, mapping processing is carried out on each candidate object identifier based on the first mapping reference data, and a first mapping result corresponding to each candidate object identifier is obtained.
The first mapping reference data is used for mapping the candidate object identifier to new data so as to prevent the data of the candidate object identifier from being directly exposed if the original candidate object identifier is directly sent to the data query equipment. The first mapping result refers to a mapping result corresponding to the candidate object identifier. Each candidate object identification has a corresponding mapping result.
Specifically, the data storage device may perform mapping processing on the local candidate object identifiers based on the first mapping reference data, and map at least two candidate object identifiers to new data, so as to protect the data security of the candidate object identifiers. The data storage device may perform mapping processing on the candidate object identifier through a mapping formula based on the first mapping reference data, to obtain a first mapping result. The data storage device may also use a file in which a correspondence relationship between data before and after mapping is recorded as first mapping reference data, and determine a corresponding first mapping result from the first mapping reference data based on the candidate object identifier.
Step S206, generating an encryption key and first key alignment data based on the first mapping result corresponding to the same candidate object identifier, and encrypting the corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data.
The encryption key is used for encrypting the plaintext data to obtain ciphertext data. The encryption key is a symmetric key, which refers to the same key used in encryption and decryption. The first key alignment data refers to key alignment data corresponding to the candidate object identification. The key alignment data is used to determine whether the two object identifiers are identical object identifiers, and if the two object identifiers are identical object identifiers, the symmetric keys generated based on the mapping result are identical, so the key alignment data is also used to determine whether the two symmetric keys are identical keys. The ciphertext object data refers to object data subjected to encryption processing.
Specifically, the data storage device may generate the encryption key and the first key alignment data based on the first mapping result corresponding to the same candidate object identifier, so as to obtain the encryption key and the first key alignment data respectively corresponding to each candidate object identifier. The data storage device may perform data segmentation on the first mapping result to obtain the encryption key and the first key alignment data. The data storage device may also fuse the first mapping result with the shared data to obtain a fused mapping result, and perform data segmentation on the fused mapping result to obtain the encryption key and the first key alignment data. The shared data is data shared between the data storage device and the data querying device, that is, data known to both parties. For example, the first mapping result and the shared data may be spliced to obtain a fusion mapping result, the fusion mapping result is subjected to data segmentation, a part of data is obtained from the fusion mapping result as an encryption key, and a part of data is obtained as first key alignment data. It will be appreciated that there may or may not be a partial overlap of the encryption key and the first key alignment data.
Further, the data storage device may encrypt plaintext object data corresponding to the candidate object identifier based on an encryption key corresponding to the candidate object identifier, to obtain ciphertext object data corresponding to the candidate object identifier. It will be appreciated that the data storage device may be encrypted using a conventional symmetric encryption algorithm, such as the AES encryption algorithm (Advanced Encryption Standard ), or the data storage device may be encrypted using a custom encryption algorithm.
Step S208, the ciphertext object data and the first key alignment data corresponding to the candidate object identifiers are sent to the data query equipment, so that the data query equipment matches the second key alignment data corresponding to the query object identifiers with the first key alignment data, and decrypts the ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key corresponding to the query object identifiers, thereby obtaining the target object data corresponding to the query object identifiers.
The decryption key and the second key alignment data are obtained based on a second mapping result, and the second mapping result is obtained by mapping the query object identifier based on second mapping reference data.
The query object identification refers to the object identification to be queried. The second mapping result refers to the mapping result corresponding to the query object identifier. The data query device performs mapping processing on the query object identifier based on the second mapping reference data to obtain a second mapping result, and obtains a decryption key and second key alignment data based on the second mapping result. The decryption key is used for encrypting the ciphertext data to obtain plaintext data, and the decryption key is a symmetric key. The second key alignment data refers to key alignment data corresponding to the query object identifier. The data querying device may obtain the decryption key and the second key alignment data based on the second mapping result in the same data processing manner as the data storage device.
The first mapping reference data and the second mapping reference data are different mapping reference data, but the mapping results obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data are the same. In this way, the data storage device and the data query device respectively hold the mapping reference data of the data storage device and the data query device, and although the mapping reference data of the data storage device and the data query device are not completely consistent, the mapping result obtained by mapping the same object identifier based on the mapping reference data is consistent, so that the data query device can be effectively prevented from knowing plaintext data except plaintext object data corresponding to the shared object identifiers of the two data storage devices, and the data security of the data storage device can be protected.
The target object data refers to plaintext object data corresponding to the query object identifier.
Specifically, similar to the operation of the data storage device, the data query device may perform mapping processing on the query object identifier based on the second mapping reference data to obtain a second mapping result, for example, perform mapping processing on the query object identifier through a mapping formula based on the second mapping reference data to obtain the second mapping result. The data querying device may obtain the decryption key and the second key alignment data based on the second mapping result, for example, perform data segmentation on the second mapping result to obtain the decryption key and the second key alignment data.
After the data query device obtains the ciphertext object data and the first key alignment data sent by the data storage device, the second key alignment data corresponding to the query object identifier and each first key alignment data can be matched, whether the data identical to the second key alignment data exist in each first key alignment data or not is determined, and the first key alignment data identical to the second key alignment data in the first key alignment data are used as the successfully matched first key alignment data. It will be appreciated that if a certain first key alignment data and a second key alignment data are identical, it is explained that a first mapping result for generating the first key alignment data and a second mapping result for generating the second key alignment data are identical, a candidate object identification for generating the first mapping result and a query object identification for generating the second mapping result are identical, and an encryption key and a decryption key generated based on the first mapping result and the second mapping result are also identical. Therefore, the data query device can decrypt the ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key corresponding to the query object identifier, and obtain the target object data corresponding to the query object identifier.
It will be appreciated that there may be at least two query object identifiers. The data query device respectively matches each first key alignment data with each second key alignment data, and can determine the common object identification between all query object identifications and the data storage device according to the matching result, and further decrypt ciphertext object data corresponding to the common object identification based on a decryption key corresponding to the common object identification, so as to obtain plaintext object data respectively corresponding to each common object identification.
In one embodiment, the data storage device may interact with the data querying device based on an inadvertent transmission protocol (Oblivious Transfer, OT protocol) to generate first mapping reference data that acts the same as but is not exactly identical to the second mapping reference data. The data storage device may perform data screening on the second mapping reference data and the third mapping reference data on the data query device based on the unintentional transmission protocol to obtain the first mapping reference data. The third mapping reference data is generated based on the second mapping result. Finally, the mapping result of mapping the same object identifier is the same based on the first mapping reference data, the second mapping reference data and the third mapping reference data.
The first mapping reference data and the second mapping reference data may also be generated by a third party device, the data storage device obtains the first mapping reference data from the third party device, and the data querying device obtains the second mapping reference data from the third party device.
In the above data query method, if the query object identifier is consistent with a certain candidate object identifier, the second mapping result corresponding to the query object identifier is consistent with the first mapping result corresponding to the candidate object identifier, and if the query object identifier is inconsistent with a certain candidate object identifier, the second mapping result corresponding to the query object identifier is inconsistent with the first mapping result corresponding to the candidate object identifier. Further, if the mapping result is the same, the generated key and the key alignment data are the same. Then, after obtaining ciphertext object data and first key alignment data corresponding to at least two candidate object identifiers on the data storage device, the data query device matches second key alignment data and each first key alignment data corresponding to the query object identifiers, if there is successful data matching, it indicates that object identifiers consistent with the query object identifiers exist in each candidate object identifier, each ciphertext object data includes ciphertext data obtained by encrypting plaintext object data corresponding to the query object identifiers, and further, the data query device may decrypt ciphertext object data corresponding to the successfully matched first key alignment data based on decryption keys corresponding to the query object identifiers, so as to obtain plaintext object data corresponding to the query object identifiers. Further, since the first mapping reference data and the second mapping reference data are different, even if the data query device acquires a plurality of ciphertext object data, the ciphertext object data corresponding to the object identifier other than the query object identifier cannot be successfully decrypted. In summary, in the whole data interaction process, the data storage device cannot acquire the query object of the data query device, and the data query device cannot acquire the plaintext data of other objects except the plaintext object data of the query object, so that the data security of the data storage device and the data query device is ensured.
In one embodiment, mapping processing is performed on each candidate object identifier based on the first mapping reference data, so as to obtain a first mapping result corresponding to each candidate object identifier, including:
Obtaining a public key between the data query device and the data storage device; based on the public key, performing data conversion on the current object identifier to obtain first conversion data corresponding to the current object identifier; the first conversion data comprises a plurality of first sub-data which are orderly arranged; based on the first sub-data and the ordering information of the first sub-data, mapping sub-data corresponding to each first sub-data is obtained from the first mapping reference data; and obtaining a first mapping result corresponding to the current object identifier based on each mapping sub-data.
Wherein the public key is a key known to both the data querying device and the data storage device, i.e. a key shared between the data querying device and the data storage device. The public key may be generated by the data querying device and sent to the data storage device, or the public key may be generated by the data storage device and sent to the data querying device, or the data querying device and the data storage device may obtain the public key from other devices.
The current object identifier refers to any one of the candidate object identifiers.
Specifically, the data storage device may acquire a public key shared with the data query device, and perform data conversion on the current object identifier based on the public key, so as to obtain first converted data corresponding to the current object identifier. The data storage device may perform fusion processing on the public key and the current object identifier to obtain first conversion data, or may perform hash processing on the current object identifier first, and then fuse the hash processing results of the public key and the current object identifier to obtain first conversion data.
The first conversion data includes a plurality of first sub-data arranged in an order. That is, the first conversion data is long data composed of a plurality of first sub data. The first mapping reference data is composed of a plurality of first mapping sub-data which are orderly arranged, and each first sub-data can find out the corresponding first mapping sub-data. The data storage device may acquire mapping sub-data corresponding to each first sub-data from the first mapping reference data based on the first sub-data and ordering information of the first sub-data. For example, the data storage device may first obtain a first mapping sub-data set corresponding to the ordering information of the first sub-data from the first mapping reference data, and then obtain, from the first mapping sub-data set, the first mapping sub-data corresponding to the specific value of the first sub-data as mapping sub-data corresponding to the first sub-data. The first mapping sub data set corresponding to the ordering information of the first sub data may include a plurality of first mapping sub data matched with the ordering information of the first sub data, and the first mapping sub data matched with the ordering information of the first sub data may be the first mapping sub data whose ordering information is consistent with the ordering information of the first sub data, or may be the first mapping sub data whose difference between the ordering information and the ordering information of the first sub data is smaller than a preset difference. The first mapping sub-data corresponding to the specific value of the first sub-data may be data in which the ordering information matches the specific value of the first sub-data in the first mapping sub-data set. In summary, the data storage device may obtain mapping sub-data corresponding to each first sub-data from the first mapping reference data based on the first sub-data and the ordering information of the first sub-data.
Finally, the data storage device may obtain a first mapping result corresponding to the current object identifier based on each mapping sub-data, for example, each mapping sub-data may be directly spliced to obtain the first mapping result, or each mapping sub-data may be spliced to obtain first spliced data, and then hash processing is performed on the first spliced data to obtain the first mapping result.
In the above embodiment, when mapping processing is performed, data conversion is performed first, and then mapping sub-data is searched from the first mapping reference data to generate a mapping result. The object identifier is subjected to multiple processing to obtain a mapping result, so that the data security of the object identifier is protected.
In one embodiment, based on the public key, performing data conversion on the current object identifier to obtain first converted data corresponding to the current object identifier, where the data conversion includes:
Carrying out hash processing on the current object identifier to obtain a first hash processing result; and fusing the public key and the first hash processing result to obtain first conversion data.
Specifically, when data conversion is performed, the data storage device may perform hash processing on the current object identifier to obtain a first hash processing result, and then fuse the public key with the first hash processing result to obtain first converted data.
The hash processing is to convert input data into output data with a fixed length through a hash algorithm, and the hash processing can convert irregular data into regular data and convert the irregular data into a preset numerical range so as to facilitate subsequent data processing. The hash process converts the object identification composed of arbitrary length data into data composed of fixed length data, and can normalize various object identifications. The data storage device may perform hash processing based on a custom formula, or may perform hash processing based on a conventional hash algorithm.
When data fusion is performed, the data storage device may perform encryption processing on the first hash processing result based on the public key, to obtain first converted data. The data storage device may also fuse the public key with the first hash result based on a custom formula to obtain the first converted data.
In one embodiment, the first conversion data is calculated as follows:
(v1,v2,…vw)=F(k,H1(x))
H1:{0,1}*→{0,1}256
F:{0,1}128×{0,1}256→[m]w
Where (v 1,v2,…vw) denotes first converted data, v i denotes the i-th first sub-data, and the first converted data is composed of w first sub-data. H 1 denotes a hash function, the input data of H 1 is binary data of an arbitrary length, and the output data of H 1 is binary data of 256 bits. * And (3) representing an arbitrary length, x representing a candidate object identifier, and H 1 (x) representing a first hash processing result. F represents a fusion function, which can also be called as a pseudo random function, the input data of F comprises 128-bit binary data and 256-bit binary data, and the output data of F is data formed by splicing w data with the value range of [0, m-1 ].
It will be appreciated that 128 bits and 256 bits are examples only, and that other numbers of bit limits may be used, as may be specifically set as desired.
In the above embodiment, when data conversion is performed, hash processing is performed first, so that different types of object identifiers can be normalized, and then a public key is fused, so that the data complexity of the first converted data can be increased, and the data security can be improved.
In one embodiment, the first mapping reference data is a first mapping reference matrix. Based on the first sub-data and the ordering information of the first sub-data, mapping sub-data corresponding to each first sub-data is obtained from the first mapping reference data, and the method comprises the following steps:
Taking the first sub-data as first position information corresponding to a first matrix direction, taking the ordering information of the first sub-data as second position information corresponding to a second matrix direction, wherein the first matrix direction and the second matrix direction are mutually perpendicular; and acquiring matrix data positioned by the first position information and the second position information corresponding to the same first sub-data from the first mapping reference matrix as mapping sub-data, and obtaining mapping sub-data corresponding to each first sub-data.
The first mapping reference data may be a first mapping reference matrix, that is, the first mapping reference data is data in a matrix form. The first matrix direction and the second matrix direction represent two directions of the matrix, the first matrix direction and the second matrix direction are perpendicular to each other, for example, the first matrix direction may represent a row direction of the matrix, and the second matrix direction may represent a column direction of the matrix; it is also possible that the first matrix direction represents the column direction of the matrix and the second matrix direction represents the row direction of the matrix.
In particular, matrix data can be quickly located based on row and column information of the matrix data in the matrix when the matrix data is queried in the matrix. If the first mapping reference data is a first mapping reference matrix, the data storage device may generate coordinate information of mapping sub-data to be searched in the matrix based on the first sub-data and ordering information of the first sub-data, and quickly locate mapping sub-data corresponding to the first sub-data in the first mapping reference matrix based on the generated coordinate information. The data storage device may use the first sub-data as first position information corresponding to the first matrix direction, use the sorting information of the first sub-data as second position information corresponding to the second matrix direction, perform data positioning in the first mapping reference matrix based on the first position information and the second position information, and use the positioned matrix data as mapping sub-data. Finally, mapping sub-data corresponding to each first sub-data can be obtained through positioning based on each first sub-data and the ordering information of the first sub-data.
For example, the first mapping reference matrix is represented by matrix C, each ordered first sub-data is represented by v 1,v2,…vw, v i represents the ith first sub-data, and the corresponding first mapping sub-data of v i is represented byThe representation is made of a combination of a first and a second color,Matrix data representing the ith column of the v i th row in matrix C.
It will be appreciated that the first mapping reference data may be represented in other data forms, e.g. in a tabular form, in a vector form, etc., in addition to being represented in a matrix form.
In the above embodiment, if the first mapping reference data is a first mapping reference matrix, matrix coordinates are generated based on the numerical value of the first sub-data and the ordering information of the first sub-data, and the mapping sub-data corresponding to the first sub-data can be quickly found in the first mapping reference matrix based on the matrix coordinates.
In one embodiment, obtaining a first mapping result corresponding to the current object identifier based on each mapping sub-data includes:
Splicing the mapping sub-data based on the ordering information of the first sub-data to obtain first spliced data; and carrying out hash processing on the first spliced data to obtain a first mapping result.
Specifically, in order to improve data complexity and protect data security, when obtaining a first mapping result based on each mapping sub-data, the data storage device may splice each mapping sub-data to obtain first spliced data based on the ordering information of the first sub-data, and then hash the first spliced data to obtain the first mapping result. It can be understood that, the first sub-data are orderly arranged, so that the mapping sub-data corresponding to the first sub-data can be considered to be orderly arranged, and the first spliced data can be obtained by orderly splicing the mapping sub-data.
In one embodiment, the first mapping result is calculated as follows:
H2:{0,1}w→{0,1}256
Wherein, psi represents the first mapping result, pi represents stitching, Representing the first sub-data of the map,Representing the second mapping sub-data,Representing the w-th mapping sub-data,And the first spliced data obtained by sequentially splicing the mapping sub-data is represented. H 2 denotes a hash function, the input data of H 2 is a w-bit binary data, and the output data of H 2 is a 256-bit binary data.
It will be appreciated that 256 bits are merely examples, and that other numbers of bit limits may be employed, as may be specifically set as desired.
In the above embodiment, based on the ordering information of the first sub-data, each mapping sub-data is spliced to obtain first spliced data, and the first spliced data is hashed to obtain a first mapping result. The mapping sub-data can be hidden through the hash processing, the finally generated first mapping result is helpful for protecting the data security of the data storage device, and other devices are difficult to crack the original data from the data generated based on the first mapping result.
In one embodiment, as shown in fig. 3, the first mapping reference data acquisition process includes the following steps:
Step S302, a first asymmetric key and a second asymmetric key sent by a data query device are obtained.
Wherein, the asymmetric key refers to different keys used in encryption and decryption. The asymmetric key is used in encryption and the private key corresponding to the asymmetric key is used in decryption. The first asymmetric key and the second asymmetric key may be generated by the data querying device itself or may be obtained by the data querying device from another device. The data query device sends the first asymmetric key and the second asymmetric key to the data storage device, and the first asymmetric key and the second asymmetric key are used for encrypting plaintext data on the data storage device to protect data security of the data storage device.
Step S304, determining a target asymmetric key from the first asymmetric key and the second asymmetric key based on the key reference information corresponding to the target mapping position, and encrypting the target symmetric key based on the target asymmetric key to obtain a first encryption result.
The target mapping position refers to a data position corresponding to at least one mapping sub-data in the mapping reference data. For example, if the mapping reference data is a mapping reference matrix, the target mapping location may be a certain row or a certain column in the matrix. The key reference information is used for performing key screening on the first asymmetric key and the second asymmetric key, and determining one asymmetric key as a target asymmetric key. The key reference information corresponding to different mapping positions may be the same or different, so that the finally determined target asymmetric key may be the same or different.
The target symmetric key is a symmetric key that is known to the data storage device but not known to the data querying device. The target symmetric key may be generated by the data storage device itself or may be obtained by the data storage device from another device.
Specifically, the first mapping reference data is composed of a plurality of first mapping sub-data, and the data storage device can sequentially determine the first mapping sub-data corresponding to each mapping position through data interaction of the data query device, so that the first mapping reference data is finally obtained.
The data storage device can acquire key reference information corresponding to each mapping position respectively, determine a target mapping position from each mapping position, determine first mapping sub-data corresponding to the target mapping position through one round of data interaction of the data query device, acquire the next mapping position as a new target mapping position, determine first mapping sub-data corresponding to the new target mapping position through the new round of data interaction of the data query device, and so on, the data storage device can finally obtain first mapping sub-data corresponding to each mapping position respectively, and the first mapping sub-data are combined to obtain the first mapping reference data.
Step S306, the first encryption result is sent to the data query device, so that the data query device decrypts the first encryption result based on the first private key corresponding to the first asymmetric key and the second private key corresponding to the second asymmetric key respectively to obtain a first decryption result and a second decryption result, encrypts second mapping sub-data corresponding to the target mapping position in the second mapping reference data based on the first decryption result to obtain a second encryption result, and encrypts third mapping sub-data corresponding to the target mapping position in the third mapping reference data based on the second decryption result to obtain a third encryption result.
Wherein the second mapping reference data and the third mapping reference data are data that is known to the data querying device but is not known to the data storage device. And the mapping results obtained by mapping the same object identifier are the same based on the second mapping reference data and the third mapping reference data respectively. It is understood that the first mapping reference data, the second mapping reference data, and the third mapping reference data are not identical data, but the mapping results obtained by mapping the same object identifier based on the first mapping reference data, the second mapping reference data, and the third mapping reference data, respectively, are identical. The second mapping reference data may be randomly generated or may be preset.
First, the data storage device obtains a first asymmetric key and a second asymmetric key sent by the data querying device. In a complete round of data interaction process, the data storage device screens an asymmetric key from the first asymmetric key and the second asymmetric key based on key reference information corresponding to a target mapping position to serve as a target asymmetric key, and encrypts the target symmetric key based on the target asymmetric key to obtain a first encryption result. The data storage device then transmits the first encryption result to the data querying device. The data query device decrypts the first encryption result based on a first private key corresponding to the first asymmetric key to obtain a first decryption result, and decrypts the first encryption result based on a second private key corresponding to the second asymmetric key to obtain a second decryption result. It will be appreciated that the data querying device does not know which asymmetric key the data storage device employs for the encryption process, and therefore the data querying device cannot know which of the first decryption result and the second decryption result is the useful decryption result. Further, the data query device encrypts second mapping sub-data corresponding to the target mapping position in the second mapping reference data based on the first decryption result to obtain a second encryption result, and encrypts third mapping sub-data corresponding to the target mapping position in the third mapping reference data based on the second decryption result to obtain a third encryption result. It will be appreciated that the first asymmetric key and the second mapping reference data have a correspondence, and the second asymmetric key and the third mapping reference data have a correspondence. The data query device sends the second encryption result and the third encryption result to the data storage device, and the data storage device decrypts the useful encryption result in the second encryption result and the third encryption result based on the target symmetric key, so that first mapping sub-data corresponding to the target mapping position in the first mapping reference data can be obtained.
Step S308, obtaining the second encryption result and the third encryption result sent by the data query device.
Step S310, determining a target encryption result from the second encryption result and the third encryption result based on the key reference information corresponding to the target mapping position, and decrypting the target encryption result based on the target symmetric key to obtain first mapping sub-data corresponding to the target mapping position in the first mapping reference data.
Specifically, the data storage device acquires the second encryption result and the third encryption result sent by the data query device. And in the second encryption result and the third encryption result, the encryption result obtained by encrypting based on the decryption result of successful decryption is a useful encryption result, and the data storage device can screen the useful encryption result from the second encryption result and the third encryption result based on the key reference information corresponding to the target mapping position as a target encryption result. And the data storage equipment decrypts the target encryption result based on the target symmetric key to finally obtain first mapping sub-data corresponding to the target mapping position in the first mapping reference data.
It can be understood that if the first asymmetric key is taken as the target asymmetric key based on the key reference information corresponding to the target mapping position, the first decryption result is effective data decrypted based on the correct private key, the second decryption result is scrambled data decrypted based on the wrong private key, the second encryption result is effective encryption result encrypted based on the effective data, and the third encryption result is ineffective encryption result encrypted based on the scrambled data. Correspondingly, based on the key reference information corresponding to the target mapping position, the second encryption result corresponding to the first asymmetric key can be obtained from the second encryption result and the third encryption result as the target encryption result.
In one embodiment, during each data processing, the data query device may first send the second encryption result corresponding to the first asymmetric key, and then send the third encryption result corresponding to the second asymmetric key. Thus, the data storage device can accurately determine the target encryption result from the second encryption result and the third encryption result based on the key reference information corresponding to the target mapping position.
Step S312, the next mapping position is used as an updated mapping position, the updated mapping position is used as a target mapping position, key reference information corresponding to the target mapping position is returned, and the step of determining the target asymmetric key from the first asymmetric key and the second asymmetric key is executed until the first mapping sub-data corresponding to each mapping position in the first mapping reference data is determined, so as to obtain the first mapping reference data.
Specifically, through a round of data interaction, the data storage device may obtain first mapping sub-data corresponding to a mapping position in the first mapping reference data. And then, the data storage equipment takes the next mapping position as an updating mapping position, takes the updating mapping position as a new target mapping position, and carries out new data interaction again to obtain first mapping sub-data corresponding to the next mapping position in the first mapping reference data, and the like until all the mapping positions are taken as target mapping positions, and the data storage equipment determines the first mapping sub-data corresponding to each mapping position in the first mapping reference data. Finally, the data storage device combines the first mapping sub-data corresponding to each mapping position to obtain first mapping reference data.
A complete round of data interaction is described with reference to fig. 4. Where k0 represents a first asymmetric key, k1 represents a second asymmetric key, and k2 represents a target symmetric key. The second mapping reference data is represented by matrix a, the third mapping reference data is represented by matrix B, and the first mapping reference data is represented by matrix C. The key reference information is represented by binary data s, where k0 is the target asymmetric key if s is 0, and k1 is the target asymmetric key if s is 1.
Assuming that the target mapping position is the first column of the matrix, A1 represents the first column of the matrix a, B1 represents the first column of the matrix B, C1 represents the first column of the matrix C, and s1 represents the key reference information corresponding to the first column of the data. The data querying device sends k0 and k1 to the data storage device. Assuming s1=0, the data storage device encrypts k2 based on k0 to obtain a first encryption result m0, and transmits m0 to the data querying device. The data query device decrypts m0 based on the private key corresponding to k0 to obtain a first decryption result j0, and decrypts m0 based on the private key corresponding to k1 to obtain a second decryption result j1. Where k0=k2, but the data querying device is not aware. The data query device obtains a second encryption result m1 based on the j0 encryption A1, obtains a third encryption result m2 based on the j1 encryption B1, and sends m1 and m2 to the data storage device. Because s1=0, the data storage device decrypts m1 based on k0 to get C1, where c1=a1, but the data storage device is not aware. Similarly, if s1=1, c1=b1. And so on, matrix C is ultimately composed of columns of matrix a and columns of matrix B.
In the above embodiment, in the process of acquiring the first mapping reference data, only the encrypted data and the secret key are transmitted between the data storage device and the data query device, and the data security of both parties is protected without involving specific plaintext data. Through data interaction, the data storage device can only acquire the first mapping reference data, and is not aware of the second mapping reference data and the third mapping reference data.
In one embodiment, determining the target asymmetric key from the first asymmetric key and the second asymmetric key based on the key reference information corresponding to the target mapping location includes:
When the key reference information corresponding to the target mapping position is first preset information, the first asymmetric key is used as a target asymmetric key; and when the key reference information corresponding to the target mapping position is second preset information, taking the second asymmetric key as the target asymmetric key.
Specifically, when the key reference information corresponding to the target mapping position is the first preset information, the data storage device may use the first asymmetric key as the target asymmetric key. When the key reference information corresponding to the target mapping position is second preset information, the data storage device may use the second asymmetric key as the target asymmetric key. The first preset information and the second preset information may be set according to actual needs, for example, the first preset information is set to 0, and the second preset information is set to 1; or the first preset information is set to 1 and the second preset information is set to 0.
In the above embodiment, whether to use the first asymmetric key or the second asymmetric key as the target asymmetric key may be determined quickly according to whether the key reference information is the first preset information or the second preset information.
In one embodiment, determining the target encryption result from the second encryption result and the third encryption result based on the key reference information corresponding to the target mapping location includes:
when the key reference information corresponding to the target mapping position is the first preset information, the second encryption result is used as a target encryption result; and when the key reference information corresponding to the target mapping position is the second preset information, taking the third encryption result as a target encryption result.
Specifically, when the key reference information corresponding to the target mapping position is the first preset information, the data storage device may use the second encryption result as the target encryption result, so if the key reference information corresponding to the target mapping position is the first preset information, the data storage device uses the first asymmetric key as the target asymmetric key. When the key reference information corresponding to the target mapping position is the second preset information, the data storage device may use the third encryption result as the target encryption result, because if the key reference information corresponding to the target mapping position is the second preset information, the data storage device uses the second asymmetric key as the target asymmetric key.
In the above embodiment, consistent with the method for determining the target asymmetric key, whether to use the second encryption result or the third encryption result as the target encryption result is determined according to whether the key reference information is the first preset information or the second preset information, so that correct decryption of data based on the symmetric key can be ensured.
In one embodiment, the third mapping reference data is obtained by the data query device fusing the second mapping reference data with the target mapping reference data, the target mapping reference data is obtained by the data query device updating the initial mapping reference data based on second conversion data corresponding to the query object identifier, and the second conversion data is obtained by performing data conversion on the query object identifier based on the public key.
Specifically, the data query device may generate third mapping reference data based on the second mapping reference data and the target mapping reference data, and specifically may perform fusion processing on the second mapping reference data and the target mapping reference data to obtain the third mapping reference data. For example, if the mapping reference data is a matrix, the second mapping reference data and the matrix data corresponding to the target mapping reference data may be subjected to exclusive-or processing, so as to obtain third mapping reference data. For the target mapping reference data, the data query device may perform data conversion on the query object identifier based on the public key to obtain second conversion data, and perform data update on the initial mapping reference data based on the second conversion data to obtain the target mapping reference data.
The initial mapping reference data is initialized mapping reference data, and each mapping sub-data can be initialized to be first preset sub-data in the initial mapping reference data. When the data is updated, the data query device may convert mapping sub-data corresponding to the second conversion data in the initial mapping reference data from the first preset sub-data to the second preset sub-data. It may be appreciated that the second conversion data includes a plurality of second sub-data arranged in an order, and mapping sub-data corresponding to each of the second sub-data may be determined in the initial mapping reference data based on the second sub-data and ordering information of the second sub-data. The first preset sub data and the second preset sub data may be set as needed, for example, the first preset sub data may be set to 1 and the second preset sub data may be set to 0.
In one embodiment, the second mapping reference data may be randomly generated. Even if the second map reference data is randomly generated, the mapping result obtained by performing the mapping process on the same object identifier is the same based on the second map reference data, based on third map reference data obtained by performing the fusion process on the second map reference data and the target map reference data, and based on first map reference data obtained by the second map reference data and the third map reference data.
In one embodiment, referring to fig. 5, the target mapping reference data is D, the second mapping reference data is a, the third mapping reference data is B, the first mapping reference data is C, and the key reference information is S. The mapping sub-data having a value of 0 in the target mapping reference data is determined based on the first converted data, and the second mapping reference data is randomly generated. And performing exclusive OR processing on the second mapping reference data A and the target mapping reference data D to obtain third mapping reference data B. The first mapping reference data C may be obtained based on the key reference information S, the second mapping reference data a, and the third mapping reference data B. The first mapping reference data C is composed of the first three columns of data of B and the fourth column of data of a. In the first mapping reference data C, the second mapping reference data a and the third mapping reference data B, mapping sub-data corresponding to the first conversion data are identical, so that mapping results obtained by mapping the same object identifier based on the first mapping reference data, the second mapping reference data and the third mapping reference data are identical.
In the above embodiment, based on the second conversion data corresponding to the query object identifier, the initial mapping reference data is updated to obtain the target mapping reference data, and then the second mapping reference data and the target mapping reference data are fused to obtain the third mapping reference data, so that the same mapping result can be obtained by performing the mapping process on the query object identifier based on the second mapping reference data and the third mapping reference data.
In one embodiment, generating the encryption key and the first key alignment data based on the first mapping result corresponding to the same candidate object identification includes:
and carrying out data segmentation on the first mapping result corresponding to the current object identifier to obtain an encryption key and first key alignment data corresponding to the current object identifier.
Specifically, the data storage device may perform data slicing on the first mapping result to generate the encryption key and the first key alignment data. The current object identifier refers to any one of the at least two candidate object identifiers. The data storage device may perform data segmentation on the first mapping result corresponding to the current object identifier, to obtain an encryption key corresponding to the current object identifier and first key alignment data. For example, the first mapping result may be split into two parts of data, where the first part of data is used as an encryption key, and the second part of data is used as first key alignment data, which may be an average split or an uneven split. The data from the first preset position to the second preset position may be obtained from the first mapping result as the encryption key, and the data from the third preset position to the fourth preset position may be obtained as the first key alignment data, where the first preset position, the second preset position, the third preset position and the fourth preset position may be set according to actual needs.
In the above embodiment, the data slicing of the first mapping result may quickly generate the encryption key and the first key alignment data.
In one embodiment, encrypting corresponding plaintext object data to obtain ciphertext object data based on an encryption key corresponding to the same candidate object identifier comprises:
Acquiring encryption reference information, and acquiring initial ciphertext data corresponding to each candidate object identifier based on an encryption key and the encryption reference information corresponding to the same candidate object identifier; and fusing the initial ciphertext data and the plaintext object data corresponding to the same candidate object identifier to obtain ciphertext object data corresponding to each candidate object identifier.
The encryption reference information may be randomly generated data or preset data.
Specifically, when encrypting plaintext object data, the data storage device may first obtain encryption reference information, generate initial ciphertext data based on the encryption key and the encryption reference information, and then fuse the initial ciphertext data and the plaintext object data to obtain ciphertext object data. The generating of the initial ciphertext data based on the encryption key and the encryption reference information may be inputting the encryption key and the encryption reference information into a pseudo-random function, and using an output result of the pseudo-random function as the initial ciphertext data, or may be generating the initial ciphertext data based on a custom formula. The fusing of the initial ciphertext data and the plaintext object data may be an exclusive or process of the initial ciphertext data and the plaintext object data, or may be a fusing of the initial ciphertext data and the plaintext object data based on a custom formula.
In one embodiment, the encrypted reference information may include a plurality of reference sub-information, each of which is sequentially incremented in value, e.g., each of which is a counter sequentially incremented in value. The data storage device can perform data processing on the encryption key and each piece of reference sub-information to generate ciphertext sub-data, obtain initial sub-data corresponding to each piece of reference sub-information, and form each piece of initial sub-data into initial ciphertext data. That is, the initial ciphertext data includes a plurality of initial sub-data. Correspondingly, when data fusion is carried out, the plaintext object data can be segmented into a plurality of plaintext sub-data, the initial sub-data with consistent ordering information and the plaintext sub-data are subjected to fusion processing, ciphertext sub-data corresponding to the plaintext sub-data respectively are obtained, and the ciphertext sub-data form ciphertext object data.
It will be appreciated that the encryption process of other data in the present application may refer to the data processing process of encrypting plaintext object data with an encryption key.
In the above embodiment, the initial ciphertext data generated based on the encryption key and the encryption reference information may be approximately considered as a random number, and then the initial ciphertext data and the plaintext object data are fused, and the plaintext object data may be hidden, thereby obtaining ciphertext object data.
In one embodiment, the encrypted reference information identifies corresponding first key alignment data for the candidate.
Specifically, the data storage device may use the first key alignment data generated based on the first mapping result as encryption reference information employed in the encryption processing. That is, when encrypting the plaintext object data based on the encryption key, the initial ciphertext data may be generated based on the encryption key and the first key alignment data, and then the initial ciphertext data and the plaintext object data may be fused to obtain the ciphertext object data.
In one embodiment, the ciphertext object data is calculated as follows:
c=CTREnciv,(d)
where c represents ciphertext object data, d represents plaintext object data, iv represents first key alignment data, and key represents an encryption key. CTREnc () represents the CTR mode of the symmetric encryption algorithm.
In the above embodiment, the first key alignment data is used as encryption reference information, so that data generated based on the first mapping result can be fully utilized, the data utilization rate is improved, and other data is not required to be additionally acquired.
In one embodiment, as shown in fig. 6, a data query method is provided, and the method is applied to the data query device in fig. 1 for illustration, and includes the following steps:
Step S602, obtaining a query object identifier corresponding to target object data to be queried.
The target object data to be queried refers to plaintext object data corresponding to the query object identifier. The data query device does not know the plaintext object data corresponding to the query object identifier at first, and the plaintext object data corresponding to the query object identifier needs to be finally obtained through data interaction of the data storage device.
Step S604, mapping the query object identifier based on the second mapping reference data to obtain a second mapping result.
Step S606, based on the second mapping result, obtaining the decryption key and the second key alignment data corresponding to the query object identifier.
Specifically, when the data query device initiates the data query, the data query device may perform mapping processing on the query object identifier based on the second mapping reference data to obtain a second mapping result, and generate a decryption key and second key alignment data corresponding to the query object identifier based on the second mapping result, where the decryption key and the second key alignment data are used to screen and decrypt target object data from data sent by the data storage device.
It will be appreciated that the data processing procedure for mapping the query object identification based on the second mapping reference data may refer to the data processing procedure for mapping the candidate object identification based on the first mapping reference data. The data processing procedure for obtaining the decryption key and the second key alignment data based on the second mapping result may refer to the data processing procedure for obtaining the encryption key and the first key alignment data based on the first mapping result.
Step S608, obtaining encrypted data sent by the data storage device; the encrypted data comprises ciphertext object data and first key alignment data which correspond to at least two candidate object identifiers respectively, the ciphertext object data is obtained by encrypting plaintext object data corresponding to the candidate object identifiers based on the encryption keys corresponding to the candidate object identifiers, the encryption keys corresponding to the candidate object identifiers and the first key alignment data are obtained based on first mapping results corresponding to the candidate object identifiers, the first mapping results are obtained by mapping the candidate object identifiers based on first mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier are the same based on the first mapping reference data and the second mapping reference data.
Specifically, the data querying device may send a data querying request to the data storage device to prompt the data storage device to send encrypted data to the data querying device. The data storage device may perform mapping processing on at least two local candidate data identifiers based on the first mapping reference data to obtain first mapping results corresponding to each candidate object identifier, and generate an encryption key and first key alignment data based on the first mapping results to obtain the encryption key and the first key alignment data corresponding to each candidate object identifier. The data storage device may encrypt the corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to generate ciphertext object data, so as to obtain ciphertext object data corresponding to each candidate object identifier. The data storage device takes the calculated first key alignment data and the ciphertext object data as encryption data to the data query device.
It will be appreciated that specific data processing of the data storage device may refer to the contents of various related embodiments of the data query method applied to the data storage device.
In step S610, the second key alignment data and each first key alignment data are matched, and the ciphertext object data corresponding to the successfully matched first key alignment data is decrypted based on the decryption key to obtain the target object data.
Specifically, after the data query device obtains the encrypted data sent by the data storage device, the second key alignment data corresponding to the query device identifier is respectively matched with the first key alignment data corresponding to each candidate object identifier, and the first key alignment data consistent with the second key alignment data is used as the successfully matched first key alignment data. And further, the data query device decrypts the ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key corresponding to the query device identifier, and finally obtains plaintext object data corresponding to the query device identifier, namely target object data.
In the above data query method, if the query object identifier is consistent with a certain candidate object identifier, the second mapping result corresponding to the query object identifier is consistent with the first mapping result corresponding to the candidate object identifier, and if the query object identifier is inconsistent with a certain candidate object identifier, the second mapping result corresponding to the query object identifier is inconsistent with the first mapping result corresponding to the candidate object identifier. Further, if the mapping result is the same, the generated key and the key alignment data are the same. Then, after obtaining ciphertext object data and first key alignment data corresponding to at least two candidate object identifiers on the data storage device, the data query device matches second key alignment data and each first key alignment data corresponding to the query object identifiers, if there is successful data matching, it indicates that object identifiers consistent with the query object identifiers exist in each candidate object identifier, each ciphertext object data includes ciphertext data obtained by encrypting plaintext object data corresponding to the query object identifiers, and further, the data query device may decrypt ciphertext object data corresponding to the successfully matched first key alignment data based on decryption keys corresponding to the query object identifiers, so as to obtain plaintext object data corresponding to the query object identifiers. Further, since the first mapping reference data and the second mapping reference data are different, even if the data query device acquires a plurality of ciphertext object data, the ciphertext object data corresponding to the object identifier other than the query object identifier cannot be successfully decrypted. In summary, in the whole data interaction process, the data storage device cannot acquire the query object of the data query device, and the data query device cannot acquire the plaintext data of other objects except the plaintext object data of the query object, so that the data security of the data storage device and the data query device is ensured.
In a specific embodiment, the data query method of the present application may be applied to a financial wind control scenario. Taking a financial wind control scenario as an example, in the process of evaluating the credit rating of a user, an a company wants to query the credit information (such as a belief losing record, a multi-head lending, etc.) of the user on an b platform, if the data on the b platform is directly retrieved through the user id, the b platform may generate a leakage risk when obtaining the user id, for example, reselling the user id to a competitor of the a company. However, by the data query method, the first company can perform collaborative calculation with the second platform, the second platform can not provide user data of all users, only provides user data of intersection users in the query list of the first company, so that privacy information of non-intersection users of the second platform is protected, and meanwhile, the platform side can not sense the query list of the first company, so that privacy information of the user id of the first company is protected. The first company is a data inquiring party, and the second platform is a data storing party.
Referring to fig. 7, a guest side represents a data querying side, a Host side represents a data storing side, a data holding side, and a data querying method includes the steps of:
1. The query list of the Guest side is { id_1, id_3, id_5}, and the query list is used as the input of collaborative calculation. The Host takes the local data as input for the collaborative calculation. The local data of the Host side includes id and data corresponding to id (i.e. plaintext object data), specifically includes id_0 and corresponding data_0, id_1 and corresponding data_1, id_2 and corresponding data_2, id_3 and corresponding data_3.
2. Through cooperative calculation, the Guest side and the Host side respectively obtain the iv value and the key of the symmetric password corresponding to the respective ids.
Where iv_i_key_i=oprf (id_i). The OPRF (id_i) represents a cooperative calculation result corresponding to id_i, iv_i represents an iv value corresponding to id_i, that is, key alignment data corresponding to id_i, and key_i represents a key corresponding to id_i.
3. The Host encrypts the corresponding data by using the iv and key, and sends the iv and the encrypted data to the Guest. The Host does not send the key to the Guest.
The iv_i_key_i [ data_i ] represents data obtained by encrypting the data_i corresponding to the id_i based on the iv value corresponding to the id_i and the key, namely the encrypted data_i.
4. The Guest side compares the local iv with the Host side iv, and takes the intersection part as the queriable data. The Guest party decrypts the encrypted data corresponding to the iv value based on the key corresponding to the iv value of the intersection part, and obtains a query result.
Wherein the data of the non-intersection part is not decryptable, which is equivalent to random noise for Guest.
5. And finally, the Guest side obtains the query results data_1 and data_3 of the query results data_3 and data_5 of the query results data_3.
The specific procedure of the above-described steps 2-4 is described with reference to fig. 8.
1. Host and Guest negotiate parameters
The Host and Guest negotiate security parameters lambda and sigma, protocol parameters m, w, two hash functions H 1:{0,1}*→{0,1}256,H2:{0,1}w→{0,1}256, pseudo-random function F {0,1} 128×{0,1}256→[m]w. In one embodiment, m may be set to 2 20, w may be set to 400 to 600, λ may be set to 128, and σ may be set to 40.
2. Pre-calculation process
The Guest side pre-sets the m×w bit matrix D to all 1's. The w columns corresponding to matrix D are D 1,D2,…,Dw,D1=D2=…=Dw=1m. The Guest party uniformly and randomly selects the key k R{0,1}λ, calculates (v 1,v2,…vw)=F(k,H1 (Y)) for each Y epsilon Y, and sets the j-th row of v j of D to be zero, namely, the order Finally, matrix D is a matrix consisting of 0 and 1.
Wherein k≡ R{0,1}λ represents that k is a key with a lambda length, k is a vector, and the value range of each number in the vector is 0 or 1. That is, k is a λ -bit binary number. Y comprises ids corresponding to plaintext data to be queried of a Guest party, and Y represents any one id in Y.
The Host randomly selects the bit string s≡ R{0,1}w.
Where s≡ R{0,1}w denotes that s is a w-bit binary number.
3. The Guest and Host execute w OT protocols.
The Guest side randomly selects the m×w bit matrix a≡ {0,1} m×w, and then calculates the matrix
The Host and the Guest execute w OT (Oblivious Transfer, inadvertent transmission) protocols, where the Guest uses { a i,Bi}i∈[w] as an input of the protocol as the sender, the Host uses s= (s 1,s2,…,sw) as an input of the protocol as the receiver, and after the protocol ends, the Host obtains w columns { C i∈{0,1}m}i∈[w], whereThese w columns are concatenated to form an m×w bit matrix c= (C 1,C2,…,Cw).
Wherein,Representing bitwise exclusive or, representing bitwise exclusive or.
4. Inadvertent pseudorandom function computation
The Guest side sends the pseudo-random function key k to the Host side.
For each (X, d) ∈X, the Host side calculates (v 1,v2,…,vw)=F(k,H1 (X)), then calculates Here, theThe value representing row v j and column j of matrix C is next split in half with 256 bits ψ, the first 128 bits being iv and the last 128 bits being key. The Host calls CTR mode encryption data d of the symmetric encryption algorithm to obtain c= CTREnc iv,key (d), and finally calculates and sends a set ψ= { (iv, c) } to the Guest.
Wherein, X includes all ids corresponding to plaintext data of the Host, X represents any one id in X, and d represents data corresponding to the id.
For each Y ε Y, the Guest side calculates (v 1′,v2′,…,vw′)=F(k,H1 (Y)), then calculates Here, theThe value representing row v j, column j of matrix a is next split in half with 256 bits ψ, the first 128 bits being iv', and the last 128 bits being key. After the Guest receives the set ψ from the Host, when iv in the set ψ is compared with iv 'calculated by the Guest, if iv=iv' exists, a CTR mode of a symmetric encryption algorithm is called, a corresponding ciphertext c is decrypted to obtain plaintext b= CTRDec iv,key (c), and b obtained through decryption is a query value corresponding to y.
Furthermore, through actual measurement, the data query method can realize high-performance calculation of a hidden query scene with hundred million-level data volume. The execution environment is 20 servers, each server is allocated with 2 cores, 15G memory, driver-memory is allocated with 10G, and test data refers to Table 1. Where the algorithm (N-N) represents querying N-scale data from N-scale data.
TABLE 1
Algorithm (N-N) 10 Ten thousand-1 hundred million 1 Hundred million to 1 hundred million
Query time of the scheme 5min 21min
Query time of traditional scheme 1h 1h30min
The following advantages can be obtained by adopting the data query method of the application:
1. Traffic reduction and security improvement. The scheme provided by the invention uses OPRF (Oblivious Pseudo Random Function, inadvertent pseudo random function) function to replace asymmetric encryption, processes hundred million-level data volume, only uses constant asymmetric encryption and decryption calculation (generally hundreds of times) in the data preprocessing stage, and the rest calculation is symmetric encryption, so that the communication volume can be greatly reduced in a mass data scene.
2. The improvement of the calculation speed is realized by using an asymmetric password and 1 out of N unintentional transmission in the traditional hidden inquiry scheme, and for the problem scales N and N, the required calculation is as follows: n+N asymmetric encryption and decryption calculations, N1 out of N carelessly transmitted calculations. The single asymmetric encryption and decryption and 1 out of n OT all need higher calculation amount. The scheme provided by the invention uses the OPRF function, and can realize equivalent hundreds of times of 1 out of N OT calculation by only needing hundreds of times of 1 out of 2 OT, and can realize more than 10 times of improvement in calculation speed.
It can be appreciated that the data query method of the present application can also be applied to marketing, identity verification, anti-fraud, financial wind control, equipment testing, etc. For example, in an anti-fraud scenario, a Guest party queries behavior information corresponding to a user id from a Host party, and identifies a behavior risk of the user based on the behavior information. In the marketing scene, the Guest side inquires behavior information corresponding to the user id from the Host side, and behavior characteristics of the user are identified based on the behavior information. In the device test, the Guest side queries test information corresponding to the device id from the Host side, and detects the reliability and safety of the device based on the test information.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed alternately or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a data query device for realizing the above related data query method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiments of one or more data query devices provided below may refer to the limitation of the data query method hereinabove, and will not be repeated herein.
In one embodiment, as shown in fig. 9, there is provided a data query apparatus 900, comprising: a data acquisition module 902, a first data mapping module 904, a data encryption module 906, and a data transmission module 908, wherein:
The data obtaining module 902 is configured to obtain at least two candidate object identifiers and plaintext object data corresponding to each candidate object identifier.
The first data mapping module 904 is configured to perform mapping processing on each candidate object identifier based on the first mapping reference data, so as to obtain a first mapping result corresponding to each candidate object identifier.
The data encryption module 906 is configured to generate an encryption key and first key alignment data based on a first mapping result corresponding to the same candidate object identifier, and encrypt corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data.
The data sending module 908 is configured to send the ciphertext object data and the first key alignment data corresponding to each candidate object identifier to the data querying device, so that the data querying device matches the second key alignment data corresponding to the query object identifier with each first key alignment data, and decrypt ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key corresponding to the query object identifier, to obtain target object data corresponding to the query object identifier.
The decryption key and the second key alignment data are obtained based on a second mapping result, the second mapping result is obtained by mapping the query object identifier based on second mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping result obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data is the same.
According to the data query device, in the whole data interaction process, the data storage device cannot acquire the query object of the data query device, the data query device cannot acquire the plaintext data of other objects except the plaintext object data of the query object, and the data security of the data storage device and the data query device is ensured.
In one embodiment, the first data mapping module comprises:
And the public key acquisition unit is used for acquiring the public key between the data query device and the data storage device.
The data conversion unit is used for carrying out data conversion on the current object identifier based on the public key to obtain first conversion data corresponding to the current object identifier; the first conversion data includes a plurality of first sub-data arranged in an order.
The mapping sub-data acquisition unit is used for acquiring mapping sub-data corresponding to each first sub-data from the first mapping reference data based on the first sub-data and the ordering information of the first sub-data.
And the mapping result determining unit is used for obtaining a first mapping result corresponding to the current object identifier based on each mapping sub-data.
In one embodiment, the data conversion unit is further configured to perform hash processing on the current object identifier to obtain a first hash processing result; and fusing the public key and the first hash processing result to obtain first conversion data.
In one embodiment, the first mapping reference data is a first mapping reference matrix, the mapping sub-data obtaining unit is further configured to use the first sub-data as first location information corresponding to a first matrix direction, and use ordering information of the first sub-data as second location information corresponding to a second matrix direction, where the first matrix direction and the second matrix direction are perpendicular to each other; and acquiring matrix data positioned by the first position information and the second position information corresponding to the same first sub-data from the first mapping reference matrix as mapping sub-data, and obtaining mapping sub-data corresponding to each first sub-data.
In one embodiment, the mapping result determining unit is further configured to splice each mapping sub-data based on the ordering information of the first sub-data, to obtain first spliced data; and carrying out hash processing on the first spliced data to obtain a first mapping result.
In one embodiment, the data query device 900 further comprises:
The first mapping reference data acquisition module is used for acquiring a first asymmetric key and a second asymmetric key which are sent by the data query equipment; determining a target asymmetric key from the first asymmetric key and the second asymmetric key based on key reference information corresponding to the target mapping position, and encrypting the target symmetric key based on the target asymmetric key to obtain a first encryption result; the first encryption result is sent to the data query equipment, so that the data query equipment decrypts the first encryption result based on a first private key corresponding to the first asymmetric key and a second private key corresponding to the second asymmetric key respectively to obtain a first decryption result and a second decryption result, encrypts second mapping sub-data corresponding to a target mapping position in second mapping reference data based on the first decryption result to obtain a second encryption result, and encrypts third mapping sub-data corresponding to the target mapping position in third mapping reference data based on the second decryption result to obtain a third encryption result; wherein, the mapping results obtained by mapping the same object identifier are the same based on the second mapping reference data and the third mapping reference data respectively; acquiring a second encryption result and a third encryption result which are sent by data query equipment; determining a target encryption result from the second encryption result and the third encryption result based on key reference information corresponding to the target mapping position, decrypting the target encryption result based on the target symmetric key, and obtaining first mapping sub-data corresponding to the target mapping position in the first mapping reference data; and taking the next mapping position as an updating mapping position, taking the updating mapping position as a target mapping position, returning key reference information corresponding to the target mapping position, and determining the target asymmetric key from the first asymmetric key and the second asymmetric key until determining first mapping sub-data corresponding to each mapping position in the first mapping reference data to obtain first mapping reference data.
In one embodiment, the first mapping reference data obtaining module is further configured to use the first asymmetric key as the target asymmetric key when the key reference information corresponding to the target mapping position is first preset information; and when the key reference information corresponding to the target mapping position is second preset information, taking the second asymmetric key as the target asymmetric key.
In one embodiment, the first mapping reference data obtaining module is further configured to, when the key reference information corresponding to the target mapping position is first preset information, use the second encryption result as the target encryption result; and when the key reference information corresponding to the target mapping position is the second preset information, taking the third encryption result as a target encryption result.
In one embodiment, the third mapping reference data is obtained by the data query device fusing the second mapping reference data with the target mapping reference data, the target mapping reference data is obtained by the data query device performing data update on the initial mapping reference data based on second conversion data corresponding to the query object identifier, and the second conversion data is obtained by performing data conversion on the query object identifier based on the public key.
In one embodiment, the data encryption module is further configured to perform data segmentation on the first mapping result corresponding to the current object identifier, to obtain an encryption key corresponding to the current object identifier and first key alignment data.
In one embodiment, the data encryption module is further configured to obtain encryption reference information, and obtain initial ciphertext data corresponding to each candidate object identifier based on an encryption key and the encryption reference information corresponding to the same candidate object identifier; and fusing the initial ciphertext data and the plaintext object data corresponding to the same candidate object identifier to obtain ciphertext object data corresponding to each candidate object identifier.
In one embodiment, the encrypted reference information identifies corresponding first key alignment data for the candidate.
In one embodiment, as shown in fig. 10, there is provided a data query apparatus 1000, comprising: an identification acquisition module 1002, a second data mapping module 1004, a key data generation module 1006, an encrypted data acquisition module 1008, and a data decryption module 1010, wherein:
The identifier obtaining module 1002 is configured to obtain a query object identifier corresponding to target object data to be queried;
the second data mapping module 1004 is configured to perform mapping processing on the query object identifier based on the second mapping reference data, so as to obtain a second mapping result.
The key data generating module 1006 is configured to obtain, based on the second mapping result, a decryption key and second key alignment data corresponding to the query object identifier.
An encrypted data acquisition module 1008, configured to acquire encrypted data sent by the data storage device; the encrypted data comprises ciphertext object data and first key alignment data which correspond to at least two candidate object identifiers respectively, the ciphertext object data is obtained by encrypting plaintext object data corresponding to the candidate object identifiers based on the encryption keys corresponding to the candidate object identifiers, the encryption keys corresponding to the candidate object identifiers and the first key alignment data are obtained based on first mapping results corresponding to the candidate object identifiers, the first mapping results are obtained by mapping the candidate object identifiers based on first mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier are the same based on the first mapping reference data and the second mapping reference data.
The data decryption module 1010 is configured to match the second key alignment data with each first key alignment data, and decrypt ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key, to obtain target object data.
According to the data query device, in the whole data interaction process, the data storage device cannot acquire the query object of the data query device, the data query device cannot acquire the plaintext data of other objects except the plaintext object data of the query object, and the data security of the data storage device and the data query device is ensured.
The various modules in the data querying device described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 11. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing data such as object identification, mapping reference data, plaintext object data and the like. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a data query method.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure thereof may be as shown in fig. 12. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a data query method. The display unit of the computer equipment is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device, wherein the display screen can be a liquid crystal display screen or an electronic ink display screen, the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on a shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structures shown in fig. 11 and 12 are merely block diagrams of portions of structures associated with aspects of the present application and are not intended to limit the computer device to which aspects of the present application may be applied, and that a particular computer device may include more or less components than those shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
In one embodiment, a computer program product or computer program is provided that includes computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the steps in the above-described method embodiments.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high density embedded nonvolatile Memory, resistive random access Memory (ReRAM), magneto-resistive random access Memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric Memory (Ferroelectric Random Access Memory, FRAM), phase change Memory (PHASE CHANGE Memory, PCM), graphene Memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in various forms such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), etc. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (18)

1. A data query method, for application to a data storage device, the method comprising:
acquiring at least two candidate object identifiers and plaintext object data corresponding to each candidate object identifier;
mapping the candidate object identifiers based on first mapping reference data to obtain first mapping results corresponding to the candidate object identifiers;
Generating an encryption key and first key alignment data based on a first mapping result corresponding to the same candidate object identifier, and encrypting corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data;
Sending ciphertext object data and first key alignment data corresponding to each candidate object identifier to data query equipment so that the data query equipment matches second key alignment data corresponding to the query object identifier with each first key alignment data, and decrypting ciphertext object data corresponding to successfully matched first key alignment data based on a decryption key corresponding to the query object identifier to obtain target object data corresponding to the query object identifier;
The decryption key and the second key alignment data are obtained based on a second mapping result, the second mapping result is obtained by mapping the query object identifier based on second mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data are the same.
2. The method according to claim 1, wherein the mapping the candidate object identifiers based on the first mapping reference data to obtain a first mapping result corresponding to the candidate object identifiers includes:
obtaining a public key between the data query device and the data storage device;
Based on the public key, performing data conversion on the current object identifier to obtain first conversion data corresponding to the current object identifier; the first conversion data comprises a plurality of first sub-data which are orderly arranged;
based on the first sub-data and the ordering information of the first sub-data, mapping sub-data corresponding to each first sub-data is obtained from the first mapping reference data;
and obtaining a first mapping result corresponding to the current object identifier based on each mapping sub-data.
3. The method according to claim 2, wherein the performing data conversion on the current object identifier based on the public key to obtain the first converted data corresponding to the current object identifier includes:
Carrying out hash processing on the current object identifier to obtain a first hash processing result;
And fusing the public key and the first hash processing result to obtain the first conversion data.
4. The method according to claim 2, wherein the first mapping reference data is a first mapping reference matrix, and the obtaining mapping sub-data corresponding to each first sub-data from the first mapping reference data based on the first sub-data and ordering information of the first sub-data includes:
Taking the first sub-data as first position information corresponding to a first matrix direction, and taking the ordering information of the first sub-data as second position information corresponding to a second matrix direction, wherein the first matrix direction and the second matrix direction are mutually perpendicular;
And acquiring matrix data positioned by first position information and second position information corresponding to the same first sub-data from the first mapping reference matrix as mapping sub-data, and obtaining mapping sub-data corresponding to each first sub-data.
5. The method according to claim 2, wherein the obtaining the first mapping result corresponding to the current object identifier based on each mapping sub-data includes:
Splicing the mapping sub-data based on the ordering information of the first sub-data to obtain first spliced data;
and carrying out hash processing on the first spliced data to obtain the first mapping result.
6. The method according to claim 1, wherein the process of obtaining the first mapping reference data comprises the steps of:
Acquiring a first asymmetric key and a second asymmetric key which are sent by the data query equipment;
determining a target asymmetric key from the first asymmetric key and the second asymmetric key based on key reference information corresponding to a target mapping position, and encrypting the target symmetric key based on the target asymmetric key to obtain a first encryption result;
The first encryption result is sent to the data query device, so that the data query device decrypts the first encryption result based on a first private key corresponding to the first asymmetric key and a second private key corresponding to the second asymmetric key respectively to obtain a first decryption result and a second decryption result, encrypts second mapping sub-data corresponding to a target mapping position in the second mapping reference data based on the first decryption result to obtain a second encryption result, and encrypts third mapping sub-data corresponding to the target mapping position in third mapping reference data based on the second decryption result to obtain a third encryption result; wherein, the mapping results obtained by mapping the same object identifier are the same based on the second mapping reference data and the third mapping reference data respectively;
acquiring the second encryption result and the third encryption result sent by the data query equipment;
Determining a target encryption result from the second encryption result and the third encryption result based on key reference information corresponding to a target mapping position, and decrypting the target encryption result based on the target symmetric key to obtain first mapping sub-data corresponding to the target mapping position in the first mapping reference data;
And taking the next mapping position as an updating mapping position, taking the updating mapping position as a target mapping position, returning key reference information corresponding to the target mapping position, and executing the step of determining the target asymmetric key from the first asymmetric key and the second asymmetric key until determining first mapping sub-data corresponding to each mapping position in the first mapping reference data to obtain the first mapping reference data.
7. The method of claim 6, wherein the determining the target asymmetric key from the first asymmetric key and the second asymmetric key based on the key reference information corresponding to the target mapping location comprises:
when the key reference information corresponding to the target mapping position is first preset information, the first asymmetric key is used as the target asymmetric key;
and when the key reference information corresponding to the target mapping position is second preset information, the second asymmetric key is used as the target asymmetric key.
8. The method of claim 6, wherein determining the target encryption result from the second encryption result and the third encryption result based on the key reference information corresponding to the target mapping location comprises:
When the key reference information corresponding to the target mapping position is first preset information, the second encryption result is used as the target encryption result;
And when the key reference information corresponding to the target mapping position is second preset information, the third encryption result is used as the target encryption result.
9. The method according to claim 6, wherein the third mapping reference data is obtained by the data query device by fusing the second mapping reference data with target mapping reference data, the target mapping reference data is obtained by the data query device by updating initial mapping reference data based on second conversion data corresponding to the query object identifier, and the second conversion data is obtained by converting the query object identifier based on a public key.
10. The method according to any one of claims 1 to 9, wherein generating the encryption key and the first key alignment data based on the first mapping result corresponding to the same candidate object identifier comprises:
And carrying out data segmentation on a first mapping result corresponding to the current object identifier to obtain an encryption key and first key alignment data corresponding to the current object identifier.
11. The method according to any one of claims 1 to 9, wherein encrypting the corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data includes:
Acquiring encryption reference information, and acquiring initial ciphertext data corresponding to each candidate object identifier based on an encryption key and the encryption reference information corresponding to the same candidate object identifier;
And fusing initial ciphertext data and plaintext object data corresponding to the same candidate object identifier to obtain ciphertext object data corresponding to each candidate object identifier.
12. The method of claim 11, wherein the encrypted reference information identifies corresponding first key alignment data for a candidate object.
13. A data query method, applied to a data query device, the method comprising:
acquiring a query object identifier corresponding to target object data to be queried;
Mapping the query object identifier based on second mapping reference data to obtain a second mapping result;
Obtaining a decryption key and second key alignment data corresponding to the query object identifier based on the second mapping result;
Acquiring encrypted data sent by a data storage device; the encryption data comprises ciphertext object data and first key alignment data which are respectively corresponding to at least two candidate object identifiers, the ciphertext object data are obtained by encrypting plaintext object data corresponding to the candidate object identifiers based on encryption keys corresponding to the candidate object identifiers, the encryption keys corresponding to the candidate object identifiers and the first key alignment data are obtained based on first mapping results corresponding to the candidate object identifiers, the first mapping results are obtained by mapping the candidate object identifiers based on first mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier are the same based on the first mapping reference data and the second mapping reference data;
And matching the second key alignment data with each first key alignment data, and decrypting ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key to obtain the target object data.
14. A data querying device, the device comprising:
the data acquisition module is used for acquiring at least two candidate object identifiers and plaintext object data corresponding to each candidate object identifier;
the first data mapping module is used for respectively carrying out mapping processing on each candidate object identifier based on first mapping reference data to obtain a first mapping result corresponding to each candidate object identifier;
The data encryption module is used for generating an encryption key and first key alignment data based on a first mapping result corresponding to the same candidate object identifier, and encrypting corresponding plaintext object data based on the encryption key corresponding to the same candidate object identifier to obtain ciphertext object data;
The data sending module is used for sending the ciphertext object data and the first key alignment data which correspond to the candidate object identifiers respectively to the data query equipment so that the data query equipment can match the second key alignment data corresponding to the query object identifiers with the first key alignment data, and decrypt ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption keys corresponding to the query object identifiers to obtain target object data corresponding to the query object identifiers;
The decryption key and the second key alignment data are obtained based on a second mapping result, the second mapping result is obtained by mapping the query object identifier based on second mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier based on the first mapping reference data and the second mapping reference data are the same.
15. A data querying device, the device comprising:
The identification acquisition module is used for acquiring an inquiry object identification corresponding to target object data to be inquired;
The second data mapping module is used for carrying out mapping processing on the query object identifier based on second mapping reference data to obtain a second mapping result;
The key data generation module is used for obtaining a decryption key and second key alignment data corresponding to the query object identifier based on the second mapping result;
the encrypted data acquisition module is used for acquiring encrypted data sent by the data storage device; the encryption data comprises ciphertext object data and first key alignment data which are respectively corresponding to at least two candidate object identifiers, the ciphertext object data are obtained by encrypting plaintext object data corresponding to the candidate object identifiers based on encryption keys corresponding to the candidate object identifiers, the encryption keys corresponding to the candidate object identifiers and the first key alignment data are obtained based on first mapping results corresponding to the candidate object identifiers, the first mapping results are obtained by mapping the candidate object identifiers based on first mapping reference data, the first mapping reference data and the second mapping reference data are different, and the mapping results obtained by mapping the same object identifier are the same based on the first mapping reference data and the second mapping reference data;
And the data decryption module is used for matching the second key alignment data with each first key alignment data, and decrypting ciphertext object data corresponding to the successfully matched first key alignment data based on the decryption key to obtain the target object data.
16. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 12 or 13 when the computer program is executed.
17. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 12 or 13.
18. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 12 or 13.
CN202210109193.9A 2022-01-28 2022-01-28 Data query method, device, computer equipment and storage medium Active CN114491637B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210109193.9A CN114491637B (en) 2022-01-28 2022-01-28 Data query method, device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210109193.9A CN114491637B (en) 2022-01-28 2022-01-28 Data query method, device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114491637A CN114491637A (en) 2022-05-13
CN114491637B true CN114491637B (en) 2024-07-23

Family

ID=81477748

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210109193.9A Active CN114491637B (en) 2022-01-28 2022-01-28 Data query method, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114491637B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118458B (en) * 2022-05-31 2024-04-19 腾讯科技(深圳)有限公司 Data processing method, device, computer equipment and storage medium
CN115473681B (en) * 2022-08-10 2025-05-27 阿里云计算有限公司 Data fusion method and device, storage medium and electronic device
CN115412356B (en) * 2022-09-02 2025-05-06 杭州趣链科技有限公司 Data query equipment, device, computer equipment and storage medium
WO2024138503A1 (en) * 2022-12-29 2024-07-04 深圳Tcl数字技术有限公司 Data encryption method and apparatus, computer device and storage medium
CN115935429B (en) * 2022-12-30 2023-08-22 上海零数众合信息科技有限公司 Data processing method, device, medium and electronic equipment

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113886887A (en) * 2021-10-25 2022-01-04 支付宝(杭州)信息技术有限公司 Data query method and device based on multi-party secure computing

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10097522B2 (en) * 2015-05-21 2018-10-09 Nili Philipp Encrypted query-based access to data
US9846785B2 (en) * 2015-11-25 2017-12-19 International Business Machines Corporation Efficient two party oblivious transfer using a leveled fully homomorphic encryption
US10055602B2 (en) * 2016-04-19 2018-08-21 International Business Machines Corporation Securely processing range predicates on cloud databases
CN113254957B (en) * 2019-11-26 2022-04-08 支付宝(杭州)信息技术有限公司 Data query method, device, equipment and system based on privacy information protection

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113886887A (en) * 2021-10-25 2022-01-04 支付宝(杭州)信息技术有限公司 Data query method and device based on multi-party secure computing

Also Published As

Publication number Publication date
CN114491637A (en) 2022-05-13

Similar Documents

Publication Publication Date Title
CN114491637B (en) Data query method, device, computer equipment and storage medium
US10476662B2 (en) Method for operating a distributed key-value store
JP6180177B2 (en) Encrypted data inquiry method and system capable of protecting privacy
JP5348337B2 (en) Encrypted database management system, client and server, natural join method and program
CN108811519A (en) System and method for establishing the link between identifier in the case of underground identification information specific
US11133926B2 (en) Attribute-based key management system
CN114443718B (en) A data query method and system
CN104967693A (en) Document similarity calculation method facing cloud storage based on fully homomorphic password technology
CN115412356B (en) Data query equipment, device, computer equipment and storage medium
CN116232639B (en) Data transmission method, device, computer equipment and storage medium
CN114006689B (en) Data processing method, device and medium based on federal learning
CN117220865A (en) Longitude and latitude encryption method, longitude and latitude verification device and readable storage medium
CN116132065B (en) Key determination method, device, computer equipment and storage medium
WO2018116826A1 (en) Message transmission system, communication terminal, server device, message transmission method, and program
CN114661992A (en) A sort query system and method based on inadvertent transmission protocol
CN114398656A (en) File encryption method, file decryption method, file encryption device, file decryption device, computer equipment and storage medium
US10594473B2 (en) Terminal device, database server, and calculation system
CN116595562B (en) Data processing method and electronic equipment
CN117077156B (en) Data processing method and electronic device
CN116248289B (en) Industrial Internet identity resolution access control method based on ciphertext attribute encryption
CN118972094B (en) Unstructured personal data protection method for omni-channel self-collection business in the apparel industry
CN116112268B (en) Data processing method, device, computer equipment and storage medium
JP6493402B2 (en) Addition device, deletion device, addition request device, data search system, data search method, and computer program
CN115296808B (en) Secret key replacement method, device, computer equipment and storage medium
CN119513877B (en) Searchable encryption method, computer device, storage medium and computer program product

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant