CN109388923B

Movatterモバイル変換

Info

Publication number: CN109388923B
Application number: CN201710690933.1A
Authority: CN
Inventors: 徐刚; 陈盛东; 胡淳一
Original assignee: Shanghai Ceying Network Technology Co ltd
Current assignee: Shanghai Ceying Network Technology Co ltd
Priority date: 2017-08-14
Filing date: 2017-08-14
Publication date: 2020-12-04
Anticipated expiration: 2037-08-14
Also published as: CN109388923A

Abstract

Translated fromChinese

本申请公开了一种程序执行方法，应用于基于区块链的去中心化系统，其中，已发布至所述区块链中的应用程序被绑定了用户标识；包括：当接收到用户基于持有的私钥在所述区块链上向目标程序发布的目标指令时，获取所述用户的用户标识；查询获取到的所述用户标识是否与所述目标程序绑定；如果获取到的所述用户标识与所述目标程序绑定，则在所述目标程序中触发执行所述目标指令。

The present application discloses a program execution method, which is applied to a blockchain-based decentralized system, wherein an application program published in the blockchain is bound with a user identifier; When the held private key issues the target instruction to the target program on the blockchain, obtain the user ID of the user; query whether the obtained user ID is bound to the target program; if the obtained user ID is bound to the target program; If the user identifier is bound to the target program, the target instruction is triggered to be executed in the target program.

Description

Translated fromChinese

一种程序执行方法及装置A program execution method and device

技术领域technical field

本申请涉及计算机应用技术领域，尤其涉及一种程序执行方法及装置。The present application relates to the technical field of computer applications, and in particular, to a program execution method and device.

背景技术Background technique

区块链技术，是一种由若干台计算设备共同参与“记账”，共同维护一份完整的分布式数据库的新兴技术。由于区块链技术具有去中心化、公开透明、每台计算设备可以参与数据库记录、并且各计算设备之间可以快速的进行数据同步的特性，利用区块链技术来搭建去中心化系统，并在区块链的分布式数据库中收录各种执行程序进行自动执行，已在众多的领域中广泛的进行应用；例如，在金融科技领域，利用区块链技术搭建P2P支付平台，并在区块链上发布诸如智能合约等执行程序，可以在不经过银行等金融机构的前提下，实现不同的用户之间的点对点安全支付。Blockchain technology is an emerging technology in which several computing devices jointly participate in "bookkeeping" and jointly maintain a complete distributed database. Since the blockchain technology has the characteristics of decentralization, openness and transparency, each computing device can participate in database records, and data synchronization between computing devices can be performed quickly, the blockchain technology is used to build a decentralized system, and Various execution programs are included in the distributed database of the blockchain for automatic execution, which has been widely used in many fields; for example, in the field of financial technology, blockchain technology is used to build a P2P payment platform, and in the blockchain Execution programs such as smart contracts are released on the chain, which can realize peer-to-peer secure payment between different users without going through financial institutions such as banks.

发明内容SUMMARY OF THE INVENTION

本申请提出一种程序执行方法，应用于基于区块链的去中心化系统，其中，已发布至所述区块链中的应用程序被绑定了用户标识；所述方法包括：The present application proposes a program execution method, which is applied to a blockchain-based decentralized system, wherein an application program published in the blockchain is bound with a user identifier; the method includes:

当接收到用户基于持有的私钥在所述区块链上向目标程序发布的目标指令时，获取所述用户的用户标识；When receiving the target instruction issued by the user to the target program on the blockchain based on the private key held by the user, obtain the user ID of the user;

查询获取到的所述用户标识是否与所述目标程序绑定；Query whether the obtained user ID is bound to the target program;

如果获取到的所述用户标识与所述目标程序绑定，则在所述目标程序中触发执行所述目标指令。If the acquired user ID is bound to the target program, triggering the execution of the target instruction in the target program.

可选的，所述获取所述用户的用户标识之前，包括：Optionally, before obtaining the user ID of the user, the method includes:

基于与用户持有的私钥对应的公钥对所述目标指令的电子签名进行验证；Verifying the electronic signature of the target instruction based on the public key corresponding to the private key held by the user;

如果验证通过，将所述目标指令传递至所述目标程序，由所述目标程序获取所述用户的用户标识，并查询获取到的所述用户标识是否与所述目标程序绑定；以及，在确定获取到的所述用户标识与所述目标程序绑定时，触发执行所述目标指令。If the verification is passed, the target instruction is passed to the target program, and the target program obtains the user ID of the user, and queries whether the obtained user ID is bound to the target program; and, in When it is determined that the acquired user ID is bound to the target program, the execution of the target instruction is triggered.

可选的，所述目标程序和所述用户标识的绑定关系记录在预设的映射表中；其中，所述预设的映射表被发布至所述区块链。Optionally, the binding relationship between the target program and the user identifier is recorded in a preset mapping table; wherein, the preset mapping table is published to the blockchain.

可选的，还包括:Optionally, also include:

获取与所述用户持有的私钥对应的公钥，与所述用户标识之间的绑定关系；以及，对应于所述绑定关系的电子签名；Obtain the binding relationship between the public key corresponding to the private key held by the user and the user identifier; and, the electronic signature corresponding to the binding relationship;

基于所述去中心化系统存储的可信公钥针对所述电子签名进行验证；Verifying the electronic signature based on the trusted public key stored in the decentralized system;

如果验证通过，将与所述用户持有的私钥对应的公钥记录至所述映射表中，以在所述映射表中创建所述用户的用户标识，与用户持有的私钥对应的公钥之间的绑定关系。If the verification is passed, the public key corresponding to the private key held by the user is recorded in the mapping table, so as to create the user ID of the user in the mapping table, and the private key corresponding to the private key held by the user is created in the mapping table. Binding relationship between public keys.

可选的，所述用户持有的私钥对应的公钥，与所述用户标识之间的绑定关系存储在所述用户的身份证书中。Optionally, the binding relationship between the public key corresponding to the private key held by the user and the user identifier is stored in the user's identity certificate.

可选的，所述获取所述用户的用户标识，包括：Optionally, the obtaining the user identifier of the user includes:

获取用户在基于持有的私钥在所述区块链上向目标程序发布所述目标指令时，同步发布的用户标识；或者，Obtain the user ID that is released synchronously when the user issues the target instruction to the target program on the blockchain based on the private key held; or,

基于用户持有的私钥对应的公钥，在已发布至区块链中的映射表中查询与所述公钥绑定的用户标识；其中，所述映射表记录了所述目标程序、所述用户标识，以及与用户持有的私钥对应的公钥之间的绑定关系。Based on the public key corresponding to the private key held by the user, the user ID bound to the public key is queried in the mapping table that has been published in the blockchain; wherein the mapping table records the target program, all The binding relationship between the user ID and the public key corresponding to the private key held by the user.

可选的，其中，当所述用户持有的私钥及对应的公钥发生更新时，删除所述映射表中记录的更新前的公钥与所述用户标识的绑定关系，并在所述映射表中重新创建更新后的公钥与所述用户标识的绑定关系。Optionally, when the private key and the corresponding public key held by the user are updated, the binding relationship between the public key before the update and the user identity recorded in the mapping table is deleted, and the The binding relationship between the updated public key and the user ID is recreated in the mapping table.

可选的，所述用户标识绑定多个公钥；其中，与所述用户标识绑定的多个公钥，分别对应不同的用户角色。Optionally, the user ID is bound with multiple public keys; wherein, the multiple public keys bound with the user ID respectively correspond to different user roles.

可选的，所述用户标识为基于所述用户提交的身份信息生成的用户身份编码。Optionally, the user identifier is a user identity code generated based on the identity information submitted by the user.

可选的，已发布至所述区块链中的应用程序为智能合约程序。Optionally, the application program published in the blockchain is a smart contract program.

本申请还提出一种程序执行装置，其特征在于，应用于基于区块链的去中心化系统中的任一节点设备，其中，已发布至所述区块链中的应用程序被绑定了用户标识；所述装置包括：The present application also proposes a program execution device, which is characterized in that it is applied to any node device in a blockchain-based decentralized system, wherein the application program published in the blockchain is bound to User identification; the device includes:

获取模块，当接收到用户基于持有的私钥在所述区块链上向目标程序发布的目标指令时，获取所述用户的用户标识；an acquisition module, when receiving the target instruction issued by the user to the target program on the blockchain based on the private key held by the user, acquiring the user ID of the user;

查询模块，查询获取到的所述用户标识是否与所述目标程序绑定；A query module for querying whether the obtained user ID is bound to the target program;

执行模块，如果获取到的所述用户标识与所述目标程序绑定，则在所述目标程序中触发执行所述目标指令。The execution module, if the acquired user identifier is bound to the target program, triggers the execution of the target instruction in the target program.

可选的，所述装置还包括：Optionally, the device further includes:

验证模块，获取所述用户的用户标识之前，基于与用户持有的私钥对应的公钥对所述目标指令的电子签名进行验证；如果验证通过，将所述目标指令传递至所述目标程序，由所述目标程序获取所述用户的用户标识，并查询获取到的所述用户标识是否与所述目标程序绑定；以及，在确定获取到的所述用户标识与所述目标程序绑定时，触发执行所述目标指令。The verification module, before acquiring the user identity of the user, verifies the electronic signature of the target instruction based on the public key corresponding to the private key held by the user; if the verification is passed, transmits the target instruction to the target program , obtain the user ID of the user by the target program, and query whether the obtained user ID is bound to the target program; and, after determining that the obtained user ID is bound to the target program is triggered to execute the target instruction.

可选的，所述获取模块进一步：Optionally, the obtaining module further:

在本申请中，提出了一种在基于区块链的去中心化系统中，通过为已发布至区块链中的应用程序绑定的用户标识，来决策执行相应用户发布的目标指令的机制。去中心化系统可以为发布至区块链中的应用程序分别绑定用户标识，当接收到用户基于持有的私钥在区块链上向目标程序发布的目标指令时，可以获取该用户的用户标识，并查询该用户标识是否与该目标程序绑定，如果该用户标识与该目标程序绑定，则可以在该目标程序中触发执行该目标指令。In this application, a mechanism is proposed in a blockchain-based decentralized system to decide to execute the target instruction issued by the corresponding user through the user identifier bound to the application program published in the blockchain. . The decentralized system can bind user IDs to applications published on the blockchain. When receiving the target instruction issued by the user to the target program on the blockchain based on the private key held by the user, it can obtain the user's ID. User ID, and query whether the user ID is bound with the target program, if the user ID is bound with the target program, the target instruction can be triggered and executed in the target program.

一方面，由于在本申请中，用户标识可以唯一标识用户的身份，因此将已发布至区块链的应用程序与用户标识绑定，可以对发布至区块链的应用程序进行实名化；On the one hand, since the user ID can uniquely identify the user's identity in this application, binding the application published to the blockchain with the user ID can real-name the application published to the blockchain;

另一方面，由于在本申请中，在决策上述目标指令是否能够在目标程序中触发执行时，不再使用与目标程序绑定的公钥信息来，而是使用与目标程序绑定的用户标识，因此在用户持有的私钥以及对应的公钥发生更新时，用户仍然可以使用更新后的私钥正常的向上述目标程序发布可以在该目标程序中触发执行的指令。On the other hand, in this application, when deciding whether the above target instruction can trigger execution in the target program, the public key information bound to the target program is no longer used, but the user ID bound to the target program is used. Therefore, when the private key held by the user and the corresponding public key are updated, the user can still use the updated private key to normally issue an instruction that can trigger execution in the target program to the target program.

附图说明Description of drawings

为了更清楚地说明本申请实施例或现有技术中的技术方案，下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍，显而易见地，下面描述中的附图仅仅是本申请中记载的一些实施例，对于本领域普通技术人员来讲，还可以根据这些附图获得其他的附图。In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the following briefly introduces the accompanying drawings required for the description of the embodiments or the prior art. Obviously, the drawings in the following description are only These are some embodiments described in this application. For those of ordinary skill in the art, other drawings can also be obtained according to these drawings.

图1是本申请一实施例示出的一种程序执行方法的流程示意图；1 is a schematic flowchart of a program execution method according to an embodiment of the present application;

图2是本申请一实施例示出的一种程序执行装置的逻辑框图；2 is a logical block diagram of a program execution apparatus shown in an embodiment of the present application;

图3是本申请一实施例示出的一种承载所述程序执行装置的电子设备的硬件架构图。FIG. 3 is a hardware architecture diagram of an electronic device carrying the program execution apparatus according to an embodiment of the present application.

具体实施方式Detailed ways

在实际应用中，对于发布至区块链中的应用程序，通常都会绑定若干授信的公钥，只有持有与这些绑定的公钥对应的私钥的用户，才具有在区块链中向这些应用程序发布，能够在这些应用程序中触发执行的指令的权限。即通过为已发布至区块链中的应用程序绑定公钥，相当于为各应用程序绑定了一个授信用户的名单，只有该名单中的用户向这些应用程序发布的指令，才能够在这些应用程序中触发执行。In practical applications, for applications published in the blockchain, several trusted public keys are usually bound, and only users who hold the private keys corresponding to these bound public keys have access to the blockchain. Permissions issued to these applications that can trigger execution of instructions in these applications. That is, by binding the public key to the applications that have been published in the blockchain, it is equivalent to binding a list of trusted users to each application. Only the instructions issued by the users in the list to these applications can These applications trigger execution.

通过这种方式，虽然在某种程度可以提升已发布至区块链的这些应用程序的安全性，然而一旦持有这些绑定的公钥以及对应的用户，发生私钥丢失、失密，导致更换了私钥以及对应的公钥时，将会造成已经发布的这些应用程序存在安全隐患，甚至彻底的不可用；In this way, although the security of these applications that have been released to the blockchain can be improved to a certain extent, once the bound public key and the corresponding user are held, the private key will be lost or compromised, resulting in replacement When the private key and the corresponding public key are obtained, it will cause these published applications to have security risks, or even be completely unavailable;

例如，以上述应用程序为发布至区块链中的智能合约程序为例，如果与该智能合约程序绑定的公钥以及对应的私钥出现丢失或者被破解，不仅会造成该智能合约程序的彻底不可用，甚至会由于该唯一私钥被冒用而对用户造成损失。For example, taking the above application as an example of a smart contract program published in the blockchain, if the public key bound to the smart contract program and the corresponding private key are lost or cracked, it will not only cause the smart contract program to fail. Completely unusable, even causing losses to the user due to the fraudulent use of the unique private key.

可见，现有的基于与已发布至区块链的应用程序绑定的公钥，来决策用户向区块链中的应用程序发布的指令，是否能够在该应用程序中触发执行的机制，存在着明显的技术局限，在这些应用程序绑定的公钥对应的私钥出现丢失或者被破解的特殊场景下，会影响目标程序的执行稳定性以及安全性。It can be seen that the existing mechanism for deciding whether the instructions issued by the user to the application in the blockchain can trigger the execution in the application based on the public key bound to the application that has been published to the blockchain, exists. Due to obvious technical limitations, in special scenarios where the private key corresponding to the public key bound to these applications is lost or cracked, the execution stability and security of the target program will be affected.

有鉴于此，本申请则提出了一种在基于区块链的去中心化系统中，通过为已发布至区块链中的应用程序绑定的用户标识，来决策执行相应用户发布的目标指令的机制。In view of this, this application proposes a blockchain-based decentralized system, through which the user IDs bound to the applications published in the blockchain are used to decide to execute the target instructions issued by the corresponding users Mechanisms.

在实现时，去中心化系统可以为发布至区块链中的应用程序分别绑定用户标识，当接收到用户基于持有的私钥在区块链上向目标程序发布的目标指令时，可以获取该用户的用户标识，并查询该用户标识是否与该目标程序绑定，如果该用户标识与该目标程序绑定，则可以在该目标程序中触发执行该目标指令。When implemented, the decentralized system can bind user IDs to applications published on the blockchain. Obtain the user ID of the user, and query whether the user ID is bound to the target program, and if the user ID is bound to the target program, the target instruction can be triggered and executed in the target program.

下面通过具体实施例并结合具体的应用场景对本申请进行描述。The present application will be described below through specific embodiments and in conjunction with specific application scenarios.

请参考图1，图1是本申请一实施例提供的一种程序执行方法，应用于基于区块链的去中心化系统，执行以下步骤：Please refer to FIG. 1. FIG. 1 is a program execution method provided by an embodiment of the present application, which is applied to a blockchain-based decentralized system and performs the following steps:

步骤101，当接收到用户基于持有的私钥在所述区块链上向目标程序发布的目标指令时，获取所述用户的用户标识；Step 101, when receiving the target instruction issued by the user to the target program on the blockchain based on the private key held by the user, obtain the user ID of the user;

步骤102，查询获取到的所述用户标识是否与所述目标程序绑定；Step 102, query whether the obtained user ID is bound to the target program;

步骤103，如果获取到的所述用户标识与所述目标程序绑定，则在所述目标程序中触发执行所述目标指令。Step 103: If the obtained user ID is bound to the target program, trigger the execution of the target instruction in the target program.

上述去中心化系统，具体可以是一个基于区块链技术搭建的，“去中心化”的分布式系统。The above-mentioned decentralized system may specifically be a “decentralized” distributed system based on blockchain technology.

其中，在上述去中心化系统中，可以包括若干台节点设备，这些节点设备可以呈现一种高度自治的“去中心化”特性，并且可以通过搭载区块链的共识机制(比如特定的共识协商算法)，将本地化产生的数据，或者发布的执行程序发布至该区块链上，并被最新生成的新区块的“记账人”(俗称“矿工”)收录至该新区块中，同时接入该区块链的各个节点可以将该区块内的所有内容同步至其本地，从而构成该区块链的分布式数据库。Among them, in the above-mentioned decentralized system, several node devices can be included, and these node devices can present a highly autonomous "decentralization" feature, and can use the consensus mechanism of the blockchain (such as a specific consensus negotiation) Algorithm), publish the data generated by localization or the published execution program to the blockchain, and be included in the new block by the "bookkeeper" (commonly known as "miner") of the newly generated new block, and at the same time Each node accessing the blockchain can synchronize all the content in the block to its local area, thereby forming a distributed database of the blockchain.

通过这种方式，用户无需在后台部署大规模的服务器集群作为“数据中心”，而且用户一侧的任意形式的前端设备(比如移动终端、PC终端)，都可以作为上述去中心化系统中的一台节点设备。In this way, users do not need to deploy a large-scale server cluster as a "data center" in the background, and any form of front-end equipment (such as mobile terminals, PC terminals) on the user side can be used as the data center in the above-mentioned decentralized system. A node device.

上述目标程序，是指被收录至区块链的分布式数据库，并同步至区块链中各台计算设备的程序代码。上述目标程序的具体形态，在本申请中不进行特别限定，可以是已经收录至区块链的分布式数据库中的，对应任意功能的执行程序；The above target program refers to the program code that is included in the distributed database of the blockchain and synchronized to each computing device in the blockchain. The specific form of the above-mentioned target program is not particularly limited in this application, and may be an execution program corresponding to any function that has been recorded in the distributed database of the blockchain;

在示出的一种实施方式中，上述目标程序具体可以是收录至至区块链中的智能合约程序。其中，所谓智能合约程序，通常是指以数字形式约定了参与者的权利和义务的执行程序。In the illustrated embodiment, the above-mentioned target program may specifically be a smart contract program recorded in the blockchain. Among them, the so-called smart contract program usually refers to the execution program that stipulates the rights and obligations of participants in digital form.

例如，在实际应用中，上述智能合约程序具体可以是已经发布至区块链中的智能合约程序，也可以是指用于在线协商智能合约程序的在线协商程序。在初始状态下，成功注册上述去中心化系统的多方用户之间，可以依托于已收录至上述区块链的分布式数据库中的在线协商程序，共同参与协商出一段智能合约程序。For example, in practical applications, the above-mentioned smart contract program may specifically be a smart contract program that has been published in the blockchain, or may refer to an online negotiation program for online negotiation of a smart contract program. In the initial state, the multi-party users who have successfully registered the above-mentioned decentralized system can jointly participate in the negotiation of a smart contract program by relying on the online negotiation program that has been recorded in the distributed database of the above-mentioned blockchain.

其中，在本申请中，对于已经发布并收录至区块链的分布式数据库中的应用程序，可以预先绑定用户标识(绑定的用户标识可以为一个，也可以为多个)。Among them, in this application, for the application program that has been published and recorded in the distributed database of the blockchain, a user ID can be bound in advance (the bound user ID can be one or multiple).

在示出的一种实施方式中，上述去中心化系统在将开发完成的应用程序发布至区块链之前，可以为各应用程序绑定用户标识，并创建用于记录各应用程序和已绑定的用户标识之间的绑定关系的映射表，然后将该映射表发布至区块链，在区块链的分布式数据库中进行收录。In the illustrated embodiment, before publishing the developed applications to the blockchain, the above-mentioned decentralized system can bind user IDs for each application, and create a user ID for recording each application and the bound application. The mapping table of the binding relationship between the specified user IDs is then published to the blockchain for inclusion in the distributed database of the blockchain.

例如，在一种实现方式中，可以将上述映射表与上述应用程序一起发布至区块链。当然，在实际应用中，上述映射表也可以在上述应用程序被发布至区块链之前，或者之后单独发布，在本申请中不进行特别限定。For example, in one implementation, the above mapping table may be published to the blockchain along with the above application. Of course, in practical applications, the above-mentioned mapping table may also be released separately before or after the above-mentioned application program is released to the blockchain, which is not particularly limited in this application.

通过这种方式，使得应用程序的开发者，在为各应用程序绑定用户标识时，可以不再需要将绑定的用户标识，写入应用程序的代码中，而是通过映射表的形式，来维护各个应用程序和绑定的用户标识之间的绑定关系，从而可以灵活的对与各应用程序绑定的用户标识进行修改更新，而不需要修改应用程序的底层代码。In this way, when the application developer binds the user ID for each application, it is no longer necessary to write the bound user ID into the code of the application, but in the form of a mapping table, To maintain the binding relationship between each application and the bound user ID, the user ID bound to each application can be flexibly modified and updated without modifying the underlying code of the application.

当然，在实际应用中，与各应用程序绑定的用户标识，也可以提前写入各应用程序的代码中；Of course, in practical applications, the user ID bound to each application can also be written in the code of each application in advance;

例如，在一种场景中，假设一个已发布的应用程序绑定了多个用户标识，并且每一个用户标识可以向该应用程序发布的指令类型，以及触发的执行动作均不尽相同，在这种情况下，为了使应用程序能够正确区分出不同的用户标识，仍然可以采用将用户标识写入应用程序的代码中的方式。For example, in one scenario, it is assumed that a published application is bound with multiple user IDs, and the types of instructions that each user ID can issue to the application and the triggered execution actions are all different. In this case, in order to enable the application program to correctly distinguish different user IDs, the user ID can still be written into the code of the application program.

上述用户标识，具体可以是被上述去中心化系统存储的可信公钥授权的身份标识；该“授权”可理解为上述用户标识具体可以由上述可信公钥对应的私钥的持有者来配置，当上述可信公钥对应的私钥的持有者为用户配置了用户标识后，可以基于持有的私钥对该用户标识和该用户的公钥的绑定关系进行电子签名。The above-mentioned user identification may specifically be an identity identification authorized by the trusted public key stored in the above-mentioned decentralized system; this "authorization" can be understood as the above-mentioned user identification, which may be specifically the holder of the private key corresponding to the above-mentioned trusted public key To configure, after the holder of the private key corresponding to the above trusted public key configures the user ID for the user, he can electronically sign the binding relationship between the user ID and the user's public key based on the private key held.

而上述去中心化系统可以预先存储一个或者多个公开的可信公钥(比如可以在区块链的程序代码中添加可信公钥列表)，当接收到携带了电子签名的用户标识和公钥的绑定关系后，可以基于存储的可信公钥对该用户标识和公钥的绑定关系的电子签名进行验证；当验证通过后，即可确认该用户标识为经过上述可信公钥授权的身份标识。The above-mentioned decentralized system can pre-store one or more public trusted public keys (for example, a list of trusted public keys can be added to the program code of the blockchain). After the binding relationship of the key, the electronic signature of the binding relationship between the user ID and the public key can be verified based on the stored trusted public key; when the verification is passed, it can be confirmed that the user ID has passed the above trusted public key. Authorized identity.

其中，与上述可信公钥对应的私钥的持有方，在本申请中不进行特别限定，可以是上述去中心化系统的运营方(比如去中心化系统的运营方具有CA资质)，也可以是第三方的CA机构。即在本申请中，上述用户标识，可以是由上述去中心化系统配置，也可以由第三方CA机构来配置。Wherein, the holder of the private key corresponding to the above-mentioned trusted public key is not particularly limited in this application, and may be the operator of the above-mentioned decentralized system (for example, the operator of the decentralized system has CA qualification), It can also be a third-party CA organization. That is, in this application, the above-mentioned user identification may be configured by the above-mentioned decentralized system, or may be configured by a third-party CA organization.

类似的，与上述用户持有的私钥对应的公钥，和上述用户的用户标识之间的绑定关系，具体也可以是由上述去中心化系统建立完成，也可以是由第三方的CA机构建立完成。Similarly, the binding relationship between the public key corresponding to the private key held by the above-mentioned user and the user ID of the above-mentioned user may be established by the above-mentioned decentralized system, or may be established by a third-party CA. The establishment of the institution is completed.

例如，在一种实现方式中，第三方CA机构可以基于用户提交的个人身份信息(比如用户的身份证号或者企业法人的纳税人识别号、组织机构代码或统一社会信用代码等能够唯一标识用户身份的信息)，为用户生成唯一对应的用户标识)，并建立该用户与该用户持有的私钥对应的公钥的绑定关系，然后将该绑定关系存储在该用户的用户身份证书中，由用户持有。For example, in one implementation, the third-party CA agency can uniquely identify the user based on the personally identifiable information submitted by the user (such as the user's ID number or the taxpayer identification number of an enterprise legal person, organization code or unified social credit code, etc.) identity information), generate a unique corresponding user ID) for the user, and establish a binding relationship between the user and the public key corresponding to the private key held by the user, and then store the binding relationship in the user's user identity certificate. , held by the user.

其中，上述用户标识，具体可以是通过诸如哈希算法等摘要算法对用户提交的信息进行计算，得到一串可以唯一标识用户身份的字符串；当然，在实际应用中，上述用户标识具体也可以是用户提交的用户身份信息的明文数据。Wherein, the above-mentioned user ID can be calculated by using a digest algorithm such as a hash algorithm to calculate the information submitted by the user to obtain a string of character strings that can uniquely identify the user's identity; of course, in practical applications, the above-mentioned user ID can also be It is the plaintext data of the user identity information submitted by the user.

以下将以第三方CA机构为用户生成用户标识，并由第三方CA机构以用户身份证书的形式向用户下发上述绑定关系为例进行说明。The following will take as an example that a third-party CA agency generates a user ID for a user, and the third-party CA agency issues the above-mentioned binding relationship to the user in the form of a user ID certificate as an example for description.

其中，需要说明的是，以第三方CA机构为用户生成用户标识仅为示例性的；在实际应用中，当上述去中心化系统的运营方具有CA资质，上述用户标识以及上述用户身份证书，也可以由上述去中心化系统进行生成和下发，在本申请中不进行特别限定。Among them, it should be noted that the user ID generated by the third-party CA organization for the user is only exemplary; It can also be generated and distributed by the above-mentioned decentralized system, which is not particularly limited in this application.

在本例中，在初始状态下，用户可以向上述去中心化系统提交个人身份信息(比如用户的身份证号或者企业法人的统一社会信用代码等能够唯一标识用户身份的信息)，向上述去中心化系统发起注册，当注册完成后可以基于注册完成的用户账号以及相关的输入口令登录上述去中心化系统，并将注册完成的用户账号与用户持有的便携式智能硬件进行绑定。In this example, in the initial state, the user can submit personal identity information (such as the user's ID number or the unified social credit code of the corporate legal person, etc.) to the above-mentioned decentralized system that can uniquely identify the user's identity, and submit it to the above-mentioned decentralization system. The centralized system initiates the registration. After the registration is completed, the user can log in to the above-mentioned decentralized system based on the registered user account and the relevant input password, and bind the registered user account with the portable smart hardware held by the user.

上述便携式智能硬件，具体可以是一个用于进行非对称加密通信、电子签名和对用户身份进行数字认证的便携式智能硬件；比如，该便携式智能硬件具体可以是USB key硬件。The above-mentioned portable intelligent hardware may specifically be a portable intelligent hardware for performing asymmetric encrypted communication, electronic signature and digital authentication of user identity; for example, the portable intelligent hardware may specifically be USB key hardware.

其中，在该便携式智能硬件中可以内置为用户生成私钥公钥对的安全算法。Wherein, a security algorithm for generating a private key and public key pair for the user can be built in the portable intelligent hardware.

在示出的一种实施方式中，当用户首次使用该便携式智能硬件，将该便携式智能硬件通信连接到该去中心化系统维护的授信公钥所代表的授权系统(如CA认证中心)，该便携式智能硬件可以调用内置的安全算法，为该用户生成一个私钥以及对应于该私钥的公钥。In the illustrated embodiment, when the user uses the portable intelligent hardware for the first time, the portable intelligent hardware is communicatively connected to the authorization system (such as the CA certification center) represented by the trusted public key maintained by the decentralized system, the Portable smart hardware can invoke built-in security algorithms to generate a private key for the user and a public key corresponding to that private key.

其中，私钥将作为保密数据保存在硬件内由用户个人持有，公钥将上传至该区块链存储的可信公钥所代表的授权系统(如CA认证中心)，以由该授权系统来建立用户公钥与用户标识之间的的绑定关系；比如，该绑定关系具体可以以用户身份证书的形式存储。用户标识可用代表用户身份的唯一性信息，比如用户的身份证号或者企业法人的纳税人识别号、组织机构代码或统一社会信用代码等信息生成。Among them, the private key will be stored in the hardware as confidential data and held by the user, and the public key will be uploaded to the authorization system (such as CA certification center) represented by the trusted public key stored in the blockchain, so that the authorization system can to establish a binding relationship between the user's public key and the user ID; for example, the binding relationship can be stored in the form of a user ID certificate. The user ID can be generated from the unique information representing the user's identity, such as the user's ID number or the taxpayer identification number of the corporate legal person, the organization code or the unified social credit code.

其中，在本例中，上述用户身份标识具体可以是上述CA机构基于哈希算法对上述个人身份信息进行计算生成的一个唯一的用户身份编码。Wherein, in this example, the above-mentioned user identity identifier may specifically be a unique user identity code generated by the above-mentioned CA organization by calculating the above-mentioned personal identity information based on a hash algorithm.

当为该用户生成了用户身份编码后，可以将该用户身份编码与该用户的公钥进行绑定，然后将该绑定关系存储在为用户生成的用户身份证书中；用户持有的私钥作为保密数据将不包含在用户身份证书中。除此之外，在建立上述绑定关系时，用户还可提供用户的名称、地址等其他信息至上述授权机构，以在建立的绑定关系中加入更多的用户身份信息。After the user identity code is generated for the user, the user identity code can be bound with the user's public key, and then the binding relationship is stored in the user identity certificate generated for the user; the private key held by the user As confidential data will not be included in the user identity certificate. In addition, when establishing the above-mentioned binding relationship, the user can also provide other information such as the user's name, address, etc. to the above-mentioned authorized organization, so as to add more user identity information to the established binding relationship.

当然，在实际应用中，同一个用户可能会同时承担多个用户角色，并基于持有的多个私钥，在不同的用户角色下来完成相应的操作；在这种情况下，该用户的用户身份编码可与多个公钥绑定，每一个公钥可以分别对应不同的用户角色。Of course, in practical applications, the same user may assume multiple user roles at the same time, and complete corresponding operations under different user roles based on the multiple private keys held; in this case, the user of the user The identity code can be bound with multiple public keys, and each public key can correspond to a different user role.

例如，以企业的法人为例，作为企业的法人可能会在签署某一份电子文书的流程中，涉及到多个签字角色，如经办人、复核人、审批人等。在这种情况下，区块链数据库存储的可信公钥所代表的授权机构可以为该多个角色分别绑定一个对应的公钥，以便于该企业的法人可以在不同的用户角色下，使用不同的公钥以及对应的私钥，完成相应的签约确认行为。For example, taking the legal person of an enterprise as an example, the legal person of the enterprise may involve multiple signature roles in the process of signing an electronic document, such as manager, reviewer, and approver. In this case, the authorized agency represented by the trusted public key stored in the blockchain database can bind a corresponding public key to each of the multiple roles, so that the legal person of the enterprise can use different user roles. Use different public keys and corresponding private keys to complete the corresponding contract confirmation behavior.

在本例中，当CA机构为用户生成了用户身份证书后，可以使用代表CA机构的可信公钥对应的私钥，对该用户身份证书进行电子签名，然后将电子签名后的用户身份证书下发至上述智能硬件，在上述智能硬件的安全存储环境中进行存储。In this example, after the CA has generated the user identity certificate for the user, the private key corresponding to the trusted public key representing the CA can be used to electronically sign the user identity certificate, and then the electronically signed user identity certificate can be used to electronically sign the user identity certificate. Delivered to the above-mentioned intelligent hardware, and stored in the secure storage environment of the above-mentioned intelligent hardware.

在上述区块链去中心化系统中，可以预先配置一个可信公钥列表，在该可信公钥列表中可以包含若干个可信的第三方CA机构的公钥，以及与各公钥对应的电子签名算法。当用户首次使用上述智能硬件时，上述去中心化系统中与该智能硬件对接的节点设备，可以基于上述可信公钥列表中的公钥，以及对应的电子签名算法，对上述用户身份证书中的电子签名进行验证，如果验证通过则可以从该用户身份证书中读取与该用户持有的私钥对应的公钥，然后记录至上述映射表中，以在上述映射表中创建该用户的用户标识，和与该用户持有的私钥对应的公钥之间的绑定关系。In the above-mentioned blockchain decentralized system, a trusted public key list can be pre-configured, and the trusted public key list can include the public keys of several trusted third-party CA agencies, and the public keys corresponding to each public key. electronic signature algorithm. When the user uses the above-mentioned intelligent hardware for the first time, the node device connected to the intelligent hardware in the above-mentioned decentralized system may, based on the public key in the above-mentioned trusted public key list and the corresponding electronic signature algorithm, make a statement on the above-mentioned user identity document. If the verification is passed, the public key corresponding to the private key held by the user can be read from the user's identity certificate, and then recorded in the above-mentioned mapping table to create the user's private key in the above-mentioned mapping table. The binding relationship between the user ID and the public key corresponding to the private key held by the user.

即在本申请中，在向区块链发布应用程序的阶段，上述映射表中默认可以仅记录用户标识和应用程序之间的绑定关系，当用户持有含CA机构认证的证书的USB key登陆到该去中心化的区块链系统，经区块链上的可信任公钥验签证书通过，区块链可以从该用户的证书中读取其用户标识和公钥，再将用户的用户标识写入上述映射表，与用户持有的私钥对应的公钥进行绑定，此时可以认为用户已经完成注册。上述映射表中最终将记录了已发布的应用程序、用户标识、以及用户持有的私钥对应的公钥等三者的绑定关系。That is, in this application, at the stage of releasing the application to the blockchain, the above mapping table can only record the binding relationship between the user ID and the application by default. When the user holds a USB key with a certificate certified by the CA organization Log in to the decentralized blockchain system and pass the trusted public key verification certificate on the blockchain. The blockchain can read the user ID and public key from the user's certificate, and then transfer the user's The user ID is written into the above mapping table and bound with the public key corresponding to the private key held by the user. At this time, it can be considered that the user has completed the registration. The above mapping table will finally record the binding relationship between the published application, the user ID, and the public key corresponding to the private key held by the user.

当然，在实际应用中，如果用户持有的私钥发生失密或者丢失；比如，用户持有的便携式智能硬件被破解或者丢失，造成用户更换了持有的私钥，此时用户的公钥通常也会同步的进行更新；在这种情况下，用户可以使用更换后的便携式智能硬件重新接入上述节点设备，与用户注册完成的用户账户重新进行绑定，并重复以上过程，触发CA机构重新为该用户生成并下发用户身份证书，并基于重新下发的用户身份证书中的信息，删除上述映射表中记录的更新前的公钥与上述用户标识的绑定关系，并在上述映射表中重新创建更新后的公钥与上述用户标识之间的绑定关系。Of course, in practical applications, if the private key held by the user is compromised or lost; for example, the portable smart hardware held by the user is cracked or lost, causing the user to replace the private key held by the user. At this time, the public key of the user is usually It will also be updated synchronously; in this case, the user can use the replaced portable intelligent hardware to re-connect to the above node device, re-bind with the user account that the user has registered, and repeat the above process to trigger the CA organization to re-connect. Generate and issue a user identity certificate for the user, and based on the information in the reissued user identity certificate, delete the binding relationship between the public key before the update recorded in the above-mentioned mapping table and the above-mentioned user identity, and record in the above-mentioned mapping table. Recreate the binding relationship between the updated public key and the above-mentioned user ID.

通过这种方式，使得用户持有的私钥失密或者丢失，造成用户持有的私钥以及对应的公钥发生更新时，该用户标识仍然可以保持唯一不变，从而可以保证在区块链数据库进行电子存证和溯源时身份的唯一性。In this way, the private key held by the user is encrypted or lost, so that when the private key held by the user and the corresponding public key are updated, the user ID can still remain unique and unchanged, thus ensuring that the blockchain database Uniqueness of identity for electronic depository and traceability.

在本申请中，当将用户的用户标识，与用户持有的私钥对应的公钥成功绑定后，后续该用户可以基于与该公钥对应的私钥，在区块链上向与该用户标识具有绑定关系的目标程序发布执行指令，来触发该目标程序进行执行。In this application, after the user's user ID and the public key corresponding to the private key held by the user are successfully bound, the user can subsequently use the private key corresponding to the public key on the blockchain to communicate with the public key corresponding to the public key. The target program with the binding relationship of the user identifier issues an execution instruction to trigger the execution of the target program.

其中，用户通过持有的私钥向上述目标程序发布执行指令的具体方式，在本申请中不进行限定；Wherein, the specific manner in which the user issues the execution instruction to the above-mentioned target program through the private key held by the user is not limited in this application;

例如，以上述目标程序为发布在区块链上用于进行在线签约的智能合约程序为例，当在该去中心化系统中任一节点设备上，访问与上述目标程序对应的业务页面，并在该业务页面上发起了一次签约确认时，可以进一步在该节点设备上通过上述智能硬件执行了一次签约确认操作；比如，可以是点击该智能硬件上的确认按钮的操作；然后，触发上述智能硬件基于用户持有的私钥提交一个用于进行签约确认的执行指令，并将该执行指令在区块链上发布至上述目标程序。For example, taking the above target program as an example of a smart contract program published on the blockchain for online signing, when any node device in the decentralized system accesses the business page corresponding to the above target program, and When a contract confirmation is initiated on the service page, a contract confirmation operation may be further performed on the node device through the above intelligent hardware; for example, it may be an operation of clicking the confirmation button on the intelligent hardware; then, the above intelligent hardware is triggered. The hardware submits an execution instruction for contract confirmation based on the private key held by the user, and publishes the execution instruction to the above target program on the blockchain.

其中，用户向上述目标程序发布的执行指令中，通常包括指令代码、基于私钥提交的电子签名、以及与用户持有的私钥对应的公钥。Wherein, the execution instruction issued by the user to the above-mentioned target program usually includes the instruction code, the electronic signature submitted based on the private key, and the public key corresponding to the private key held by the user.

另外，上述执行指令的具体类型，在本申请也不进行特别限定；例如，上述执行指令可以是触发上述目标程序启动的启动指令，也可以是用于触发上述目标程序执行任意类型的业务流程的业务指令。In addition, the specific type of the above-mentioned execution instruction is not particularly limited in this application; for example, the above-mentioned execution instruction may be a start-up instruction that triggers the start of the above-mentioned target program, or may be used to trigger the above-mentioned target program to execute any type of business process. business order.

当上述执行指令被发布至区块链后，首先可以基于与用户持有的私钥对应的公钥，对该执行指令的电子签名进行验证，当验证通过后，可以进一步执行如图1中步骤101-103示出的，基于用户标识来确定发布至目标程序的执行指令，是否能够在上述目标程序中执行的决策流程。After the above execution instruction is released to the blockchain, the electronic signature of the execution instruction can be verified based on the public key corresponding to the private key held by the user. After the verification is passed, the steps shown in Figure 1 can be further performed. 101-103 show the decision flow of determining whether the execution instruction issued to the target program can be executed in the above target program based on the user identifier.

其中，需要说明的是，上述步骤101-103示出的决策流程，具体可以由上述区块链的底层代码来执行，也可以由上述目标程序作为执行主体来执行。It should be noted that the decision-making process shown in the above steps 101-103 can be specifically executed by the underlying code of the above-mentioned blockchain, or can be executed by the above-mentioned target program as an execution subject.

即在实际应用中，上述步骤101-103示出的决策流程对应的执行逻辑，可以以代码的形式写入区块链的底层代码，也可以写入发布至区块链的上述目标程序。That is, in practical applications, the execution logic corresponding to the decision-making process shown in the above steps 101-103 can be written into the underlying code of the blockchain in the form of code, or can be written into the above-mentioned target program published to the blockchain.

在示出的一种实施方式中，当区块链对上述执行指令的电子签名验证通过后，首先可以判断发布的该执行指令，是否为需要基于用户标识来进行决策的指令；比如，可以直接根据指令类型来判断；In the illustrated embodiment, when the electronic signature of the above execution instruction is verified by the blockchain, it can be first determined whether the issued execution instruction is an instruction that needs to be decided based on the user ID; for example, it can be directly Judging by the type of instruction;

一方面，如果经过判断，该执行指令为不需要基于用户标识来进行决策的普通指令时，则可以直接将该执行指令传递至上述目标程序进行执行即可。On the one hand, if it is judged that the execution instruction is an ordinary instruction that does not require decision-making based on the user identification, the execution instruction can be directly transferred to the above target program for execution.

另一方面，如果经过判断，该执行指令为需要基于用户标识来进行决策的指令，那么可以进一步获取发布该执行指令的用户的用户标识，并基于获取到的用户标识来决策该执行指令是否为能够在上述目标程序中触发执行的指令；On the other hand, if it is judged that the execution instruction is an instruction that needs to be decided based on the user ID, then the user ID of the user who issued the execution instruction can be further obtained, and based on the obtained user ID, it is determined whether the execution instruction is a An instruction that can trigger execution in the above target program;

即在本申请中，并不是用户基于持有的私钥提交的所有执行指令，均需要基于用户标识进行决策，在实际应用中，本领域技术人员可以基于实际的业务需求，仅将部分类型的执行指令定义为需要基于用户标识进行决策的指令，从而可以提升业务的灵活性。That is, in this application, not all execution instructions submitted by the user based on the private key held by the user need to be decided based on the user ID. An execution instruction is defined as an instruction that needs to make a decision based on a user ID, so that the flexibility of the business can be improved.

比如，在不同的业务场景中，对指令进行触发执行的安全等级可能并不相同，对于安全等级较高的业务场景，可以基于用户标识对该执行指令进行进一步的决策；而对于安全等级较低的业务场景，可以将所有执行指令均作为普通指令进行执行即可。For example, in different business scenarios, the security levels for triggering execution of instructions may be different. For business scenarios with higher security levels, further decisions can be made on the execution instructions based on user IDs; while for lower security levels In the business scenario, all execution instructions can be executed as ordinary instructions.

其中，在获取用户标识时的具体实现方式，在本申请中不进行特别限定；Wherein, the specific implementation manner when obtaining the user ID is not particularly limited in this application;

例如，在一种实现方式中，用户在向上述目标程序发布执行指令时，可以将自身的用户标识一并发布至区块链，在这种情况下，区块链可以通过获取用户在发布上述执行指令时，同步发布的用户标识，来取得该用户的用户标识。在另一种实现方式中，区块链在接收到用户向上述目标程序发布的执行指令后，也可以从该执行指令中读取公钥信息，然后将该公钥信息作为查询索引，在上述映射表执行一次查询，来查询该用户的用户标识。For example, in an implementation manner, when a user issues an execution instruction to the above target program, he/she may publish his or her own user ID to the blockchain. In this case, the blockchain can obtain the user's When the instruction is executed, the issued user ID is synchronized to obtain the user ID of the user. In another implementation manner, after receiving the execution instruction issued by the user to the above target program, the blockchain can also read the public key information from the execution instruction, and then use the public key information as a query index. The mapping table performs a query to query the user ID of the user.

当获取到的该用户的用户标识后，区块链可以进一步查询获取到的该用户标识，是否与上述目标程序绑定；例如，可以将该用户标识作为查询索引，在上述映射表中执行一次查询，来查询与该用户标识绑定的应用程序，并基于结果来确定该用户标识是否已与上述目标程序绑定。After obtaining the user ID of the user, the blockchain can further query whether the obtained user ID is bound to the above-mentioned target program; for example, the user ID can be used as a query index and executed once in the above mapping table query, to query the application program bound to the user ID, and based on the result, determine whether the user ID has been bound to the above target program.

如果该用户标识已经与上述目标程序绑定，此时表明与该用户标识绑对应的用户，基于当前持有的私钥向上述目标程序发布的执行指令，可以在该目标程序中触发执行，因此区块链可以进一步将该执行指令传递至上述目标程序(比如，基于上述执行指令中携带的上述目标程序的调用接口信息，将上述执行指令传递至上述目标程序)，在该目标程序中进行触发执行。If the user ID has been bound to the target program, it means that the user corresponding to the user ID can trigger execution in the target program based on the execution instruction issued to the target program based on the currently held private key. The blockchain can further transmit the execution instruction to the above-mentioned target program (for example, based on the calling interface information of the above-mentioned target program carried in the above-mentioned execution instruction, transmit the above-mentioned execution instruction to the above-mentioned target program), and trigger in the target program. implement.

通过这种方式，区块链可以在执行完毕如上述步骤101-103示出的决策流程，确定出发布上述执行指令的用户的用户标识，已与该目标程序绑定，该执行指令可以在该目标程序中触发执行时，再将该执行指令传递至上述目标程序，因而对于上述目标程序而言，将仅能够收到那些可以在该目标程序中触发执行的执行指令，可以显著的提升该目标程序的执行效率(即目标程序接收到的每一个指令都是可以触发执行的指令)以及程序的安全性(即只有少部分可以执行的指令能够最终传递至该智能合约)。In this way, the blockchain can determine that the user ID of the user who issued the above execution instruction has been bound to the target program after the execution of the decision process shown in the above steps 101-103, and the execution instruction can be executed in the When the execution is triggered in the target program, the execution instruction is then passed to the above target program. Therefore, for the above target program, only those execution instructions that can be triggered and executed in the target program can be received, which can significantly improve the target program. The execution efficiency of the program (that is, every instruction received by the target program is an instruction that can trigger execution) and the security of the program (that is, only a small number of executable instructions can be finally delivered to the smart contract).

在示出的另一种实施方式中，当区块链对上述执行指令的电子签名验证通过后，也可以进一步将该执行指令传递至上述目标程序，由上述目标程序来继续执行如上述步骤101-103示出的决策流程。In another embodiment shown, when the electronic signature of the execution instruction is verified by the blockchain, the execution instruction may be further transmitted to the target program, and the target program will continue to execute the above step 101 -103 shows the decision-making process.

例如，在一种方式中，区块链可以将用户在发布上述执行指令时，同步发布的用户标识，一并传递给上述目标程序，由上述目标程序进一步查询与该用户标识绑定的应用程序，进而确定该用户标识是否已与自身绑定，并在确定该用户标识已与自身绑定时，触发执行该执行指令。For example, in one way, the blockchain can transmit the user ID synchronously issued by the user when issuing the above execution instruction to the above target program, and the above target program can further query the application bound to the user ID. , and then determine whether the user ID has been bound with itself, and when it is determined that the user ID has been bound with itself, trigger the execution of the execution instruction.

在另一种实现方式中，上述目标程序也可以将该执行指令中携带的公钥作为查询索引，在上述映射表中查询绑定的用户标识，然后进一步确定该用户标识是否已与自身绑定，并在确定该用户标识已与自身绑定时，触发执行该执行指令。In another implementation manner, the above target program can also use the public key carried in the execution instruction as a query index, query the bound user ID in the above mapping table, and then further determine whether the user ID has been bound to itself , and when it is determined that the user ID has been bound to itself, trigger the execution of the execution instruction.

通过这种方式，区块链可以在对接收到发布至上述目标程序的执行指令的电子签名验证通过后，就可以立即将该执行指令传递至上述目标程序，由上述目标程序执行如上述步骤101-103示出的决策流程，来确定发布上述执行指令是否可以在该目标程序中触发执行，因此对于上述目标程序而言，将能够接收到所有发布至该目标程序的执行指令。In this way, the blockchain can immediately transmit the execution instruction to the above-mentioned target program after the electronic signature verification of the execution instruction issued to the above-mentioned target program is passed, and the above-mentioned target program executes the above-mentionedstep 101 The decision flow shown in -103 is to determine whether issuing the above execution instruction can trigger execution in the target program, so for the above target program, all execution instructions issued to the target program will be able to be received.

其中，需要补充说明的是，对于发布在区块链上的应用程序(比如智能合约程序)而言，其底层的运行环境，通常可以是在区块链的软件环境中搭建的虚拟机。Among them, it should be added that for applications published on the blockchain (such as smart contract programs), the underlying operating environment can usually be a virtual machine built in the software environment of the blockchain.

即在实际应用中，对于区块链中的任一节点设备而言，可以将发往目标程序的执行指令，传递给与该目标程序对应的虚拟机；而该虚拟机可以在自身的软件执行环境中，加载该目标程序的执行代码，并基于加载的这些执行代码来响应和执行上述节点设备传递的执行指令，然后将执行结果发布至区块链。在本申请中，如果用户持有的私钥发生失密或者丢失；比如，用户持有的便携式智能硬件被破解或者丢失，造成用户更换了持有的私钥，此时用户的公钥通常也会同步的进行更新；在这种情况下，由于用户可以使用更换后的便携式智能硬件重新接入上述区块链，与用户注册完成的用户账户重新进行绑定，并通过重复以上过程，触发CA机构重新为该用户生成并下发用户身份证书，并基于重新下发的用户身份证书中的信息，删除上述映射表中记录的更新前的公钥与上述用户标识的绑定关系，以及在上述映射表中重新创建更新后的公钥与上述用户标识之间的绑定关系，因此对于上述用户而言，用户标识并没有发生变化，进而该用户仍然可以使用更新后的私钥，基于同一个用户身份向上述目标程序发布能够在上述目标程序中触发执行的执行指令。That is, in practical applications, for any node device in the blockchain, the execution instructions sent to the target program can be passed to the virtual machine corresponding to the target program; and the virtual machine can be executed in its own software. In the environment, the execution code of the target program is loaded, and based on the loaded execution code, the execution instruction transmitted by the above node device is responded and executed, and the execution result is published to the blockchain. In this application, if the private key held by the user is compromised or lost; for example, the portable smart hardware held by the user is cracked or lost, causing the user to replace the private key held, the user's public key will usually also be Updates are performed synchronously; in this case, since the user can use the replaced portable smart hardware to re-connect to the above-mentioned blockchain, re-bind with the user account that has been registered by the user, and repeat the above process to trigger the CA agency Regenerate and issue a user identity certificate for the user, and based on the information in the reissued user identity certificate, delete the binding relationship between the public key before the update recorded in the above-mentioned mapping table and the above-mentioned user identity, and in the above-mentioned mapping The binding relationship between the updated public key and the above user ID is recreated in the table. Therefore, for the above user, the user ID has not changed, and the user can still use the updated private key based on the same user. The identity issues an execution instruction capable of triggering execution in the above target program to the above target program.

在整个过程中，由于与上述目标程序绑定的用户标识始终未发生变化，因此用户持有的私钥以及对应的公钥的变化，并不会对上述目标程序造成任何影响。During the whole process, since the user ID bound to the above target program has not changed, changes in the private key held by the user and the corresponding public key will not have any impact on the above target program.

例如，虽然用户持有的私钥以及对应的公钥发生了变化，但与上述目标程序建立绑定关系的为用户标识，并不是用户的公钥，因此并不会导致该目标程序彻底不可用；For example, although the private key held by the user and the corresponding public key have changed, the user ID that establishes a binding relationship with the above target program is not the user's public key, so the target program will not be completely unavailable. ;

又如，由于用户持有的私钥和对应的公钥发生变化后，会及时的更新上述映射表，解除更新前的公钥与上述目标程序的绑定关系，并重新建立更新后的公钥与上述目标程序的绑定关系，因此对于非法用户而言，使用更换前的私钥并不能向该目标程序发布可以执行的执行指令。For another example, after the private key held by the user and the corresponding public key are changed, the above mapping table will be updated in time, the binding relationship between the public key before the update and the above target program will be released, and the updated public key will be re-established. Because of the binding relationship with the above target program, for illegal users, the use of the private key before replacement cannot issue executable execution instructions to the target program.

可见，通过以上实施例可知，本申请提出的在基于区块链的去中心化系统中，通过为已发布至区块链中的应用程序绑定的用户标识，来决策执行相应用户发布的目标指令的机制，可以有效避免由于用户持有的私钥以及对应的公钥发生更新，而造成的发布至区块链中的应用程序不可用或者存在安全隐患的问题，有助于保证上述目标程序的稳定性以及安全性，It can be seen from the above embodiments that in the blockchain-based decentralized system proposed in this application, the user ID bound to the application program published in the blockchain is used to decide to execute the target published by the corresponding user. The mechanism of instruction can effectively avoid the problem that the application program published to the blockchain is unavailable or has security risks due to the update of the private key held by the user and the corresponding public key, which helps to ensure the above target program. stability and security,

与上述方法实施例相对应，本申请还提供了装置的实施例。Corresponding to the above method embodiments, the present application also provides device embodiments.

请参见图2，本申请提出一种程序执行装置20，应用于基于区块链的去中心化系统中；Referring to FIG. 2, the present application proposes aprogram execution device 20, which is applied in a blockchain-based decentralized system;

其中，请参见图3，作为承载所述程序执行装置20的电子设备所涉及的硬件架构中，通常包括处理器、内存、非易失性存储器、网络接口以及内部总线等；以软件实现为例，所述程序执行装置20通常可以理解为加载在内存中的计算机程序，通过处理器运行之后形成的软硬件相结合的逻辑装置，所述程序执行装置20包括：Wherein, please refer to FIG. 3 , the hardware architecture involved as the electronic device carrying theprogram execution apparatus 20 usually includes a processor, a memory, a non-volatile memory, a network interface, an internal bus, etc.; take software implementation as an example , theprogram execution device 20 can generally be understood as a computer program loaded in the memory, a logic device formed by the combination of software and hardware after the processor runs, and theprogram execution device 20 includes:

获取模块201，当接收到用户基于持有的私钥在所述区块链上向目标程序发布的目标指令时，获取所述用户的用户标识；Obtainingmodule 201, when receiving the target instruction issued by the user to the target program on the blockchain based on the private key held by the user, obtaining the user ID of the user;

查询模块202，查询获取到的所述用户标识是否与所述目标程序绑定；query module 202, query whether the obtained user ID is bound to the target program;

执行模块203，如果获取到的所述用户标识与所述目标程序绑定，则在所述目标程序中触发执行所述目标指令。Theexecution module 203 triggers the execution of the target instruction in the target program if the obtained user ID is bound to the target program.

在本实施例中，所述装置20还包括：In this embodiment, thedevice 20 further includes:

验证模块204(图2中未示出)，获取所述用户的用户标识之前，基于与用户持有的私钥对应的公钥对所述目标指令的电子签名进行验证；如果验证通过，将所述目标指令传递至所述目标程序，由所述目标程序获取所述用户的用户标识，并查询获取到的所述用户标识是否与所述目标程序绑定；以及，在确定获取到的所述用户标识与所述目标程序绑定时，触发执行所述目标指令。The verification module 204 (not shown in FIG. 2 ), before acquiring the user identity of the user, verifies the electronic signature of the target instruction based on the public key corresponding to the private key held by the user; The target instruction is transmitted to the target program, and the target program obtains the user ID of the user, and inquires whether the obtained user ID is bound with the target program; and, after determining the obtained user ID When the user ID is bound to the target program, the execution of the target instruction is triggered.

在本实施例中，所述目标程序和所述用户标识的绑定关系记录在预设的映射表中；其中，所述预设的映射表被发布至所述区块链。In this embodiment, the binding relationship between the target program and the user identifier is recorded in a preset mapping table; wherein, the preset mapping table is published to the blockchain.

在本实施例中，所述获取模块201进一步：In this embodiment, the obtainingmodule 201 further:

在本实施例中，所述用户持有的私钥对应的公钥，与所述用户标识之间的绑定关系存储在所述用户的身份证书中。In this embodiment, the binding relationship between the public key corresponding to the private key held by the user and the user identifier is stored in the user's identity certificate.

在本实施例中，所述获取所述用户的用户标识，包括：In this embodiment, the obtaining the user identifier of the user includes:

在本实施例中，其中，当所述用户持有的私钥及对应的公钥发生更新时，删除所述映射表中记录的更新前的公钥与所述用户标识的绑定关系，并在所述映射表中重新创建更新后的公钥与所述用户标识的绑定关系。In this embodiment, when the private key and the corresponding public key held by the user are updated, the binding relationship between the public key before the update and the user ID recorded in the mapping table is deleted, and The binding relationship between the updated public key and the user ID is recreated in the mapping table.

在本实施例中，所述用户标识绑定多个公钥；其中，与所述用户标识绑定的多个公钥，分别对应不同的用户角色。In this embodiment, the user identification is bound with multiple public keys; wherein, the multiple public keys bound with the user identification correspond to different user roles respectively.

在本实施例中，所述用户标识为基于所述用户提交的身份信息生成的用户身份编码。In this embodiment, the user identification is a user identification code generated based on the identification information submitted by the user.

在本实施例中，已发布至所述区块链中的应用程序为智能合约程序。In this embodiment, the application program that has been published in the blockchain is a smart contract program.

以上各实施例阐明的系统、模块，具体可以由计算机芯片或实体实现，或者由具有某种功能的产品来实现。一种典型的实现设备为计算机或者服务器。其中，计算机的具体形式可以是个人计算机、膝上型计算机、蜂窝电话、相机电话、智能电话、个人数字助理、媒体播放器、导航设备、电子邮件收发设备、游戏控制台、平板计算机、可穿戴设备或者这些设备中的任意几种设备的组合。通过以上的实施方式的描述可知，本领域的技术人员可以清楚地了解到本申请可借助软件加必需的通用硬件平台的方式来实现。基于这样的理解，本申请的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来，该计算机软件产品可以存储在存储介质中，如ROM/RAM、磁碟、光盘等，包括若干指令用以使得一台计算机设备(可以是个人计算机，服务器，或者网络设备等)执行本申请各个实施例或者实施例的某些部分所述的方法。The systems and modules described in the above embodiments may be specifically implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer or a server. Among them, the specific form of the computer can be a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email sending and receiving device, a game console, a tablet computer, a wearable device or a combination of any of these devices. From the description of the above embodiments, those skilled in the art can clearly understand that the present application can be implemented by means of software plus a necessary general hardware platform. Based on this understanding, the technical solutions of the present application can be embodied in the form of software products in essence or the parts that make contributions to the prior art, and the computer software products can be stored in storage media, such as ROM/RAM, magnetic disks , CD-ROM, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in various embodiments or some parts of the embodiments of the present application.

本说明书中的各个实施例均采用递进的方式描述，各个实施例之间相同相似的部分互相参见即可，每个实施例重点说明的都是与其他实施例的不同之处。尤其，对于装置实施例而言，由于其基本相似于方法实施例，所以描述得比较简单，相关之处参见方法实施例的部分说明即可。以上所描述的装置实施例仅仅是示意性的，其中所述作为分离部件说明的模块可以是或者也可以不是物理上分开的，在实施本申请方案时可以把各模块的功能在同一个或多个软件和/或硬件中实现。也可以根据实际的需要选择其中的部分或者全部模块来实现本实施例方案的目的。本领域普通技术人员在不付出创造性劳动的情况下，即可以理解并实施。The various embodiments in this specification are described in a progressive manner, and the same and similar parts between the various embodiments may be referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, for the apparatus embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for related parts. The device embodiments described above are only illustrative, and the modules described as separate components may or may not be physically separated. When implementing the solution of the present application, the functions of each module may be integrated into one or more modules. implemented in software and/or hardware. Some or all of the modules may also be selected according to actual needs to achieve the purpose of the solution in this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

以上所述仅是本申请的具体实施方式，应当指出，对于本技术领域的普通技术人员来说，在不脱离本申请原理的前提下，还可以做出若干改进和润饰，这些改进和润饰也应视为本申请的保护范围。The above are only specific embodiments of the present application. It should be pointed out that for those skilled in the art, without departing from the principles of the present application, several improvements and modifications can also be made. It should be regarded as the protection scope of this application.