CN-122001574-A - Method and device for identity service, management and consensus authorization of an intelligent agent
Abstract
The application relates to the technical field of artificial intelligence and provides an agent identity service, management and consensus authorization method and device. The identity service method comprises: receiving identity registration application information sent by an agent, and verifying the identity registration application information to obtain a verification result; if the verification passes, sending the identity registration application information to a plurality of preset distributed authentication and authorization nodes, which perform consensus signature processing on the identity registration application information and return an aggregate signature; receiving the aggregate signature and performing a hash operation on it to obtain the DID of the agent; recording the DID and the aggregate signature in a pre-deployed trusted blockchain; and sending the DID to the agent, wherein the DID is the identity credential used when the agent undergoes identity verification. An AI agent identity service system that is decentralized, verifiable, traceable, scalable and privacy-preserving is thereby constructed.
Inventors
- ZHONG ZIYUAN
- WEI HAN
- PAN XIAOFENG
- WU JING
- YE KEKE
- GAO HONGMIN
- YU YANG
Assignees
- 中移动信息技术有限公司
- 中国移动通信集团有限公司
Dates
- Publication Date: 20260508
- Application Date: 20260211
Claims (19)
- 1. An agent identity service method, wherein the method is applied to an agent identity service device, and the method comprises: receiving identity registration application information sent by an agent, and performing audit verification on the identity registration application information to obtain an audit verification result; if the audit verification result is a pass, sending the identity registration application information to a plurality of preset distributed authentication and authorization nodes, wherein the plurality of distributed authentication and authorization nodes are used for performing consensus signature processing on the identity registration application information based on a preset multiparty collaborative authorization algorithm and returning an aggregate signature; receiving the aggregate signature returned by the distributed authentication and authorization nodes, performing a hash operation on the aggregate signature to obtain a decentralized identifier (DID) of the agent, and recording the DID and the aggregate signature in a pre-deployed trusted blockchain; and sending the DID to the agent, wherein the DID is the identity credential used when the agent undergoes identity verification.
- 2. The method of claim 1, wherein the performing audit verification on the identity registration application information to obtain an audit verification result comprises: extracting fields to be checked from the identity registration application information, wherein the fields to be checked comprise at least one of an agent name, an applicant name, an agent capability, version information, an input/output mode and a comprehensive description; sequentially performing an integrity check, a format check and a validity check on the fields to be checked to obtain a check conclusion for each of the integrity check, the format check and the validity check; and determining the audit verification result according to the check conclusions, wherein when all check conclusions are a pass, the audit verification result is determined to be a pass; and when any check conclusion is a fail, the audit verification result is determined to be a fail, and the registration flow of the agent corresponding to the identity registration application information is terminated.
- 3. The method of claim 1, wherein the sending the identity registration application information to a plurality of preset distributed authentication and authorization nodes comprises: receiving a registration information hash value and an application signature sent by the agent, wherein the registration information hash value is obtained by the agent performing a hash operation on the identity registration application information, and the application signature is obtained by the agent performing a signature operation on the registration information hash value using a pre-held agent private key; and sending the identity registration application information, the registration information hash value and the application signature to the distributed authentication and authorization nodes.
- 4. The method of claim 3, wherein the recording the DID and the aggregate signature in a pre-deployed trusted blockchain comprises: acquiring the registration information hash value, and acquiring, from the distributed authentication and authorization nodes, the node public key corresponding to each distributed authentication and authorization node, wherein each node public key is calculated by the corresponding distributed authentication and authorization node from its node private key; packaging the DID, the aggregate signature, the registration information hash value and the node public keys corresponding to the distributed authentication and authorization nodes to obtain transaction data; creating a DID document associated with the DID according to the aggregate signature, wherein the DID document comprises a verification method for verifying the aggregate signature based on bilinear pairing properties; and writing the transaction data and the DID document into a block, and broadcasting the block to the blockchain network corresponding to the trusted blockchain for storage.
- 5. The method of any of claims 1-4, wherein after sending the DID to the agent, the method further comprises: receiving a verification challenge sent by an external verifier for the agent, wherein the verification challenge comprises a requirement attribute set defined by the external verifier and a random number used to prevent replay attacks; forwarding the verification challenge to the agent, wherein the agent is configured to generate a verifiable presentation from the verification challenge; receiving the verifiable presentation returned by the agent, wherein the verifiable presentation comprises the DID of the agent, a zero-knowledge proof and a public input, the zero-knowledge proof is generated by the agent based on a verifiable credential held by the agent, the verifiable credential is a digital credential issued to the agent in advance by a credential issuer, and the public input comprises the DID of the agent, the requirement attribute set, the DID of the credential issuer and the random number; querying the trusted blockchain, according to the DID of the agent, for the aggregate signature associated with the DID and the node public key corresponding to each distributed authentication and authorization node, and performing basic identity verification on the agent according to the aggregate signature and the node public keys to obtain a basic identity verification result; and if the basic identity verification result is a pass, performing capability verification according to the zero-knowledge proof and the public input to obtain a capability verification result, and returning the capability verification result to the external verifier.
- 6. The method of claim 5, wherein the performing basic identity verification on the agent according to the aggregate signature and the node public keys to obtain a basic identity verification result comprises: executing a hash check, wherein the hash check comprises performing a hash operation on the aggregate signature queried from the trusted blockchain to obtain a signature hash value, and judging whether the signature hash value is equal to the DID of the agent; if so, the hash check passes, and if not, the hash check fails; if the hash check passes, executing a multiparty collaborative check, wherein the multiparty collaborative check comprises acquiring the registration information hash value associated with the DID from the trusted blockchain, calculating a public key from the node public keys corresponding to the distributed authentication and authorization nodes, and checking a preset bilinear pairing check equation based on the aggregate signature, the registration information hash value and the public key; if the bilinear pairing check equation holds, the multiparty collaborative check passes, and if it does not hold, the multiparty collaborative check fails; and determining the basic identity verification result according to the hash check result and the multiparty collaborative check result, wherein the basic identity verification result is a pass only when both the hash check and the multiparty collaborative check pass, and is a fail otherwise.
- 7. The method of claim 5, wherein the performing capability verification according to the zero-knowledge proof and the public input to obtain a capability verification result comprises: inputting the zero-knowledge proof and the public input into a preset zero-knowledge proof verification algorithm for verification calculation to obtain a verification calculation result; and determining the capability verification result according to the verification calculation result, wherein if the verification calculation result is true, the agent is determined to have the capability corresponding to the requirement attribute set and the capability verification result is a pass, and if the verification calculation result is false, the capability verification result is a fail.
- 8. An agent identity management method, wherein the method is applied to an agent, the method comprising: generating identity registration application information and sending the identity registration application information to an agent identity service device, wherein the agent identity service device is used for performing audit verification on the identity registration application information; after the identity registration application information has been audited and verified by the agent identity service device, performing a hash operation on the identity registration application information to obtain a registration information hash value, performing a signature operation on the registration information hash value using a pre-held agent private key to obtain an application signature, and sending the registration information hash value and the application signature to the agent identity service device, wherein the agent identity service device is used for forwarding the identity registration application information, the registration information hash value and the application signature to a plurality of distributed authentication and authorization nodes, and the plurality of distributed authentication and authorization nodes are used for, based on a preset multiparty collaborative authorization algorithm, verifying the application signature and performing consensus signature processing on the registration information hash value to generate an aggregate signature; and receiving a decentralized identifier (DID) sent by the agent identity service device, and storing the DID as an identity credential, wherein the DID is obtained by the agent identity service device performing a hash operation on the aggregate signature.
- 9. The method of claim 8, wherein the generating identity registration application information comprises: acquiring at least one of an agent name, an applicant name, an agent capability, version information, an input/output mode and a comprehensive description as fields to be organized; calculating an agent public key from the pre-held agent private key; and organizing the fields to be organized and the agent public key according to a preset data format to obtain the identity registration application information.
- 10. The method of claim 8, wherein after receiving the decentralized identifier (DID) sent by the agent identity service device and storing the DID as an identity credential, the method further comprises: receiving a verification challenge forwarded by the agent identity service device, wherein the verification challenge comprises a requirement attribute set defined by an external verifier and a random number used to prevent replay attacks; extracting the requirement attribute set and the random number from the verification challenge, and acquiring, according to the requirement attribute set, a verifiable credential capable of proving that the agent has the requirement attribute set, wherein the verifiable credential is a digital credential issued to the agent in advance by a credential issuer; taking the verifiable credential as private input, extracting the DID of the credential issuer from the verifiable credential, taking the DID stored by the agent, the requirement attribute set, the DID of the credential issuer and the random number as public input, and performing proof calculation on the private input and the public input based on a preset zero-knowledge proof algorithm to obtain a zero-knowledge proof; and packaging the zero-knowledge proof and the public input to obtain a verifiable presentation, and sending the verifiable presentation to the agent identity service device, wherein the agent identity service device is used for performing basic identity verification and capability verification on the agent according to the verifiable presentation, and returning a verification result to the external verifier.
- 11. An agent identity consensus authorization method, applied to a distributed authentication and authorization node, comprising: receiving identity registration application information, a registration information hash value and an application signature sent by an agent identity service device; acquiring an agent public key from the identity registration application information, and verifying the application signature based on the agent public key to obtain a signature verification result; if the signature verification result is a pass, performing consensus signature processing on the registration information hash value based on a preset multiparty collaborative authorization algorithm to obtain an aggregate signature; and returning the aggregate signature to the agent identity service device, wherein the agent identity service device is used for generating a decentralized identifier (DID) of the agent according to the aggregate signature.
- 12. The method of claim 11, wherein the performing consensus signature processing on the registration information hash value based on a preset multiparty collaborative authorization algorithm to obtain an aggregate signature comprises: acquiring a preset common private key and a random number, wherein the common private key is a private key held jointly by a plurality of distributed authentication and authorization nodes; constructing a key generation polynomial based on the common private key and the random number, wherein the constant term of the key generation polynomial is the common private key, and the coefficient of each other term is the random number; acquiring the node number corresponding to the present node, and substituting the node number into the key generation polynomial to obtain the node private key corresponding to the present node; performing a signature operation on the registration information hash value using the node private key to obtain the authorization signature fragment corresponding to the present node; and performing an aggregation operation on the authorization signature fragments generated by the distributed authentication and authorization nodes to obtain the aggregate signature.
- 13. The method according to claim 12, wherein the performing an aggregation operation on the authorization signature fragments generated by the distributed authentication and authorization nodes to obtain the aggregate signature comprises: broadcasting the authorization signature fragment generated by the present node to the other distributed authentication and authorization nodes, and receiving the authorization signature fragments broadcast by the other distributed authentication and authorization nodes; acquiring the total number of distributed authentication and authorization nodes and a preset maximum tolerable number of malicious nodes, and determining a signature threshold according to the total number and the maximum tolerable number of malicious nodes; when the number of received authorization signature fragments reaches the signature threshold, acquiring the node numbers corresponding to the authorization signature fragments, and calculating from the node numbers the Lagrange interpolation parameter corresponding to each authorization signature fragment; and performing a weighted summation of the authorization signature fragments according to the Lagrange interpolation parameters to obtain the aggregate signature.
- 14. An agent identity service device, wherein the device is applied to an agent identity service device, the device comprising: a first receiving module, used for receiving identity registration application information sent by an agent, and performing audit verification on the identity registration application information to obtain an audit verification result; and a first execution module, used for: sending the identity registration application information to a plurality of preset distributed authentication and authorization nodes when the audit verification result is a pass, wherein the plurality of distributed authentication and authorization nodes are used for performing consensus signature processing on the identity registration application information based on a preset multiparty collaborative authorization algorithm and returning an aggregate signature; receiving the aggregate signature returned by the distributed authentication and authorization nodes, performing a hash operation on the aggregate signature to obtain a decentralized identifier (DID) of the agent, and recording the DID and the aggregate signature in a pre-deployed trusted blockchain; and sending the DID to the agent, wherein the DID is the identity credential used when the agent undergoes identity verification.
- 15. An agent identity management device, wherein the device is applied to an agent, the device comprising: a generation module, used for generating identity registration application information and sending the identity registration application information to an agent identity service device, wherein the agent identity service device is used for performing audit verification on the identity registration application information; and a second execution module, used for: after the identity registration application information has been audited and verified by the agent identity service device, performing a hash operation on the identity registration application information to obtain a registration information hash value, performing a signature operation on the registration information hash value using a pre-held agent private key to obtain an application signature, and sending the registration information hash value and the application signature to the agent identity service device, wherein the agent identity service device is used for forwarding the identity registration application information, the registration information hash value and the application signature to a plurality of distributed authentication and authorization nodes, and the plurality of distributed authentication and authorization nodes are used for, based on a preset multiparty collaborative authorization algorithm, verifying the application signature and performing consensus signature processing on the registration information hash value to generate an aggregate signature; and receiving a decentralized identifier (DID) sent by the agent identity service device, and storing the DID as an identity credential, wherein the DID is obtained by the agent identity service device performing a hash operation on the aggregate signature.
- 16. An agent identity consensus authorization device, characterized by being applied to a distributed authentication and authorization node, the device comprising: a second receiving module, used for receiving identity registration application information, a registration information hash value and an application signature sent by an agent identity service device; and a third execution module, used for: acquiring an agent public key from the identity registration application information, and verifying the application signature based on the agent public key to obtain a signature verification result; if the signature verification result is a pass, performing consensus signature processing on the registration information hash value based on a preset multiparty collaborative authorization algorithm to obtain an aggregate signature; and returning the aggregate signature to the agent identity service device, wherein the agent identity service device is used for generating a decentralized identifier (DID) of the agent according to the aggregate signature.
- 17. A network device comprising a processor, a memory and a program stored on the memory and executable on the processor, the program when executed by the processor implementing the steps of an agent identity service method according to any one of claims 1-7, or the program when executed by the processor implementing the steps of an agent identity management method according to any one of claims 8-10, or the program when executed by the processor implementing the steps of an agent identity consensus authorization method according to any one of claims 11-13.
- 18. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of an agent identity service method according to any one of claims 1-7, or which, when executed by a processor, implements the steps of an agent identity management method according to any one of claims 8-10, or which, when executed by a processor, implements the steps of an agent identity consensus authorization method according to any one of claims 11-13.
- 19. A computer program product comprising computer instructions which, when executed by a processor, implement the steps of an agent identity service method according to any one of claims 1 to 7, or which, when executed by a processor, implement the steps of an agent identity management method according to any one of claims 8 to 10, or which, when executed by a processor, implement the steps of an agent identity consensus authorization method according to any one of claims 11 to 13.
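The threshold arithmetic of claims 12 and 13 and the hash check of claim 6, as an added Python example that is not code from the patent. Assumptions: a toy 11-bit multiplicative group stands in for a pairing-friendly curve (so the weighted summation of fragments becomes a product of powers, and the bilinear pairing check itself is not performed), the 3-of-5 threshold is a constructed value, and SHA-256, the `did:example:` prefix and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G generates the order-Q subgroup of squares.
# The patent's pairing check needs a pairing-friendly curve; this group has none.
P, Q, G = 2039, 1019, 4


def hash_to_group(data: bytes) -> int:
    """Map bytes to a non-identity element of the order-Q subgroup."""
    x = int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 3) + 2
    return pow(x, 2, P)


def deal_node_keys(common_key: int, threshold: int, node_ids) -> dict:
    """Claim 12: polynomial whose constant term is the common private key and
    whose other coefficients are random; node i's private key is f(i) mod Q."""
    coeffs = [common_key % Q] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in node_ids}


def sign_fragment(node_key: int, reg_hash: bytes) -> int:
    """Authorization signature fragment: H(reg_hash) raised to the node key."""
    return pow(hash_to_group(reg_hash), node_key, P)


def lagrange_at_zero(i: int, ids) -> int:
    """Lagrange interpolation parameter for node i, evaluated at x = 0, mod Q."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def combine(items: dict, threshold: int) -> int:
    """Claim 13: combine {node_id: group element} once the threshold is met.
    In multiplicative notation the weighted sum is a product of powers."""
    if len(items) < threshold:
        raise ValueError("not enough fragments to reach the signature threshold")
    ids = sorted(items)[:threshold]
    result = 1
    for i in ids:
        result = result * pow(items[i], lagrange_at_zero(i, ids), P) % P
    return result


def derive_did(aggregate_sig: int) -> str:
    """DID = hash of the aggregate signature (prefix and SHA-256 are assumed)."""
    raw = aggregate_sig.to_bytes((P.bit_length() + 7) // 8, "big")
    return "did:example:" + hashlib.sha256(raw).hexdigest()


def hash_check(did: str, sig_from_chain: int) -> bool:
    """Claim 6, first step: the stored aggregate signature must hash to the DID."""
    return secrets.compare_digest(derive_did(sig_from_chain), did)


def run_example() -> dict:
    reg_hash = hashlib.sha256(b'{"agent_name": "demo-agent"}').digest()  # constructed
    common_key = secrets.randbelow(Q - 1) + 1
    keys = deal_node_keys(common_key, threshold=3, node_ids=range(1, 6))
    frags = {i: sign_fragment(k, reg_hash) for i, k in keys.items()}
    node_pks = {i: pow(G, k, P) for i, k in keys.items()}
    agg_a = combine({i: frags[i] for i in (1, 3, 5)}, 3)
    agg_b = combine({i: frags[i] for i in (2, 3, 4)}, 3)
    did = derive_did(agg_a)
    return {
        "same_aggregate_from_any_quorum": agg_a == agg_b,
        "matches_undivided_key": agg_a == pow(hash_to_group(reg_hash), common_key, P),
        "public_key_from_node_keys": combine(node_pks, 3) == pow(G, common_key, P),
        "hash_check_ok": hash_check(did, agg_a),
        "hash_check_rejects_swap": not hash_check(did, agg_a * G % P),
    }


if __name__ == "__main__":
    print(run_example())
```

Because the DID is only a hash of the aggregate signature, the hash check binds the DID to the stored signature but says nothing about who produced it; that is what the pairing check against the node public keys, omitted here, is for.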
Description
Method and device for identity service, management and consensus authorization of an intelligent agent
Technical Field
The embodiments of the application relate to the technical field of artificial intelligence, and in particular to an agent identity service, management and consensus authorization method and device.
Background
With the rapid development of artificial intelligence technology, agents (Artificial Intelligence Agents, AI Agents) have become key units in building an open, collaborative digital ecosystem, and trusted identity and security management form the core infrastructure supporting large-scale multi-agent networks. Against this background, agent name service systems based on public key infrastructure (Public Key Infrastructure, PKI) have been developed. They aim to give each agent a unique and reliable identity through a certificate issuance and verification mechanism, and to implement registration, discovery and management of agents by borrowing the hierarchical resolution architecture of the Domain Name System (DNS), thereby supporting cross-domain collaboration and ecosystem interconnection. However, the existing PKI-centric agent name service architecture in essence still relies on a centralized certificate authority (Certificate Authority, CA) as the trust anchor, forming a trust-center model.
This architecture exposes several systemic defects in practice. On the one hand, a centralized CA acts as the single root of trust: once it suffers internal corruption, external tampering or a targeted attack, all agent identities it has issued face the risk of trust-root collapse; certificate revocation is slow and trust chains are long, which makes it hard to meet agents' need for dynamic, high-frequency identity state changes. On the other hand, the CA and registration authority (Registration Authority, RA) nodes become obvious single points of failure and focal points for attack, and once they are attacked the whole identity service system is paralyzed. In addition, sensitive data such as agents' registration information and certificate chains is stored in a highly centralized manner, which creates a risk of privacy disclosure, makes it difficult to satisfy the principle of minimal disclosure and increasingly strict data compliance requirements, and leaves auditability and controllability clearly insufficient. In summary, the existing agent name service system with PKI at its core suffers from the technical problems of single points of failure, privacy disclosure and lack of scalability, all caused by the centralized trust bottleneck.
Disclosure of Invention
The embodiments of the application provide an agent identity service, management and consensus authorization method and device, which are used to solve the technical problems of single points of failure, privacy disclosure and lack of scalability caused by the centralized trust bottleneck of the existing agent name service system with PKI at its core.
In order to solve the above technical problems, the application is implemented as follows:
In a first aspect, an embodiment of the present application provides an agent identity service method, where the method is applied to an agent identity service device, and the method includes: receiving identity registration application information sent by an agent, and performing audit verification on the identity registration application information to obtain an audit verification result; if the audit verification result is a pass, sending the identity registration application information to a plurality of preset distributed authentication and authorization nodes, wherein the plurality of distributed authentication and authorization nodes are used for performing consensus signature processing on the identity registration application information based on a preset multiparty collaborative authorization algorithm and returning an aggregate signature; receiving the aggregate signature returned by the distributed authentication and authorization nodes, performing a hash operation on the aggregate signature to obtain a decentralized identifier (DID) of the agent, and recording the DID and the aggregate signature in a pre-deployed trusted blockchain; and sending the DID to the agent, wherein the DID is the identity credential used when the agent undergoes identity verification.
Optionally, the performing audit verification on the identity registration application information to obtain an audit verification result includes: extracting fields to be checked from the identity registration application information, wherein the fields to be checked comprise at least one of an agent name, an applicant name, an agent capability, version information, an input/output mode and a comprehensive descriptio