
CN-122027601-A - Distributed digital identity account processing method and device and electronic equipment


Abstract

The application relates to the technical field of information security and cryptography, and provides a distributed digital identity account processing method, a device and electronic equipment. The method comprises: receiving an alias registration request sent by a first QVI (Qualified vLEI Issuer) institution; creating a user account tree based on first account association information corresponding to a first user, the user account tree being a Merkle tree comprising at least one pair of leaf nodes; determining a first alias corresponding to the first user, binding the first alias with the user account tree and generating a first identity credential; combining at least a first root hash signature value of the user account tree and a hash value of the first identity credential to generate a first association record, and storing the first association record on a blockchain; and, in response to a query request, determining the corresponding user account tree according to the alias to be verified carried in the query request, generating a zero-knowledge proof based on the user account tree, and returning at least the zero-knowledge proof to a second user. The technical scheme of the application simplifies the AID account verification process and improves the user experience.

Inventors

  • XUE YUAN
  • JIN FAN
  • MI XIANGYOU

Assignees

  • 中金金融认证中心有限公司 (China Financial Certification Authority Co., Ltd.)

Dates

Publication Date
2026-05-12
Application Date
2026-04-07

Claims (12)

  1. A distributed digital identity account processing method, the method comprising: receiving an alias registration request for a first user sent by a first QVI institution; creating a user account tree based on first account association information corresponding to the first user carried in the alias registration request, wherein the first account association information comprises a first account registered by the first user with the first QVI institution, the user account tree is a Merkle tree comprising at least one pair of leaf nodes, and a first pair of leaf nodes among the at least one pair of leaf nodes records the first account association information; determining a globally unique first alias corresponding to the first user, binding the first alias with the user account tree, and generating a first identity credential, wherein an extension field of the first identity credential comprises the first alias; combining at least a first root hash signature value of the user account tree and a hash value of the first identity credential to generate a first association record, and storing the first association record on a blockchain; and, in response to a query request submitted by a second user, determining the corresponding user account tree according to the alias to be verified carried in the query request, generating a zero-knowledge proof based on the user account tree, returning the first account, the zero-knowledge proof and the first identity credential to the second user, and triggering the second user to verify the first account held by the first user according to the zero-knowledge proof and the first association record queried from the blockchain.
  2. The method of claim 1, wherein generating a zero-knowledge proof based on the user account tree comprises: determining a target account corresponding to the alias to be verified; and generating the zero-knowledge proof according to the target leaf node corresponding to the target account in the user account tree, wherein the zero-knowledge proof comprises the hash values of the sibling nodes on the Merkle path from the target leaf node to the root node of the user account tree and the hash value of the target leaf node.
  3. The method of claim 2, wherein the target account is a default account; or the query request further carries additional information, and the target account is the account specified by the additional information.
  4. The method of claim 1, wherein the alias registration request further carries first identity material information corresponding to the first user, the first identity material information comprising at least one item of identity attribute information; the method further comprises: creating a user identity tree based on the identity material information, wherein the user identity tree is a Merkle tree comprising at least one leaf node, and the at least one leaf node corresponds one-to-one to the at least one item of identity attribute information; and combining at least the first root hash signature value of the user account tree and the hash value of the first identity credential to generate the first association record comprises combining the root hash signature value of the user identity tree, the first root hash signature value of the user account tree and the hash value of the first identity credential to generate the first association record.
  5. The method according to claim 4, further comprising: in response to an alias registration request for the first user sent by a second QVI institution, and where the first user has already registered the first alias according to the first identity material information, creating a second pair of leaf nodes in the user account tree corresponding to the first user; binding the first account, the second account and the first alias; after the second pair of leaf nodes is created, re-determining a second root hash signature value of the user account tree; combining the root hash signature value of the user identity tree, the second root hash signature value of the user account tree and the hash value of the first identity credential to generate a second association record; storing the second association record on the blockchain; and returning the query address of the second association record on the blockchain to the second QVI institution.
  6. The method of claim 5, further comprising: in response to receiving an unbinding request for the first user sent by the second QVI institution, unbinding the second account from the first alias; deleting the second pair of leaf nodes in the user account tree corresponding to the first user, and re-determining a third root hash signature value of the user account tree; combining the root hash signature value of the user identity tree, the third root hash signature value of the user account tree and the hash value of the first identity credential to generate a third association record; storing the third association record on the blockchain; and returning the query address of the third association record on the blockchain to the second QVI institution.
  7. The method according to any one of claims 4-6, further comprising: in response to an identity information update request for the first user sent by the first QVI institution, verifying the authenticity of the first user, and, where verification passes, updating the identity attribute information recorded by the corresponding leaf node in the user identity tree; determining the root hash signature value of the updated user identity tree; combining the updated root hash signature value of the user identity tree, the root hash signature value of the user account tree and the hash value of the first identity credential to generate a fourth association record; storing the fourth association record on the blockchain; and returning the query address of the fourth association record on the blockchain to the first QVI institution.
  8. The method according to any one of claims 4-6, further comprising: in response to an alias update request for the first user sent by the first QVI institution, verifying the first identity material information carried in the alias update request and verifying the authenticity of the first user, and, where verification passes, querying whether a second alias carried in the alias update request is already registered; re-acquiring a third alias for the first user where the second alias is already registered; where the second alias is unregistered, generating a second identity credential, wherein an extension field of the second identity credential comprises the second alias; combining at least the root hash signature value of the user account tree and the hash value of the second identity credential to generate a fifth association record, and storing the fifth association record on the blockchain; and returning the query address of the fifth association record on the blockchain to the first QVI institution.
  9. The method according to any one of claims 4-6, further comprising: in response to an identity verification request, generated by the first QVI institution in response to a vLEI credential issuance request initiated by the first user, verifying the authenticity of the first user, and, where verification passes, querying whether the alias to be verified carried in the identity verification request exists; where the alias to be verified exists, determining the target account corresponding to the alias to be verified; generating a first zero-knowledge proof according to the target leaf node corresponding to the target account in the user account tree; determining, according to the user identity attribute information required for issuing the vLEI credential and carried in the identity verification request, the corresponding target leaf node of that identity attribute information in the user identity tree, and generating a second zero-knowledge proof according to that target leaf node; and returning the true identity attribute information recorded by the target leaf node, the target account, the target association information corresponding to the target account, the first zero-knowledge proof and the second zero-knowledge proof to the first QVI institution.
  10. The method according to any one of claims 2-6, further comprising: receiving an identity query request for the first user sent by a second user, and querying whether the alias to be verified carried in the identity query request exists, wherein the identity query request is used to verify the authenticity of the vLEI credential and the alias held by the first user; where the alias to be verified exists, determining the target account corresponding to the alias to be verified; generating a third zero-knowledge proof according to the target leaf node corresponding to the target account in the user account tree; and returning the target account together with the third zero-knowledge proof to the second user, triggering the second user to verify the authenticity of the vLEI credential and the alias held by the first user according to the third zero-knowledge proof and the first association record queried from the blockchain.
  11. A distributed digital identity account processing device, the device comprising: a receiving unit, configured to receive an alias registration request for a first user sent by a first QVI institution; a Merkle tree creation unit, configured to create a user account tree based on first account association information corresponding to the first user carried in the alias registration request, wherein the first account association information comprises a first account registered by the first user with the first QVI institution, the user account tree is a Merkle tree comprising at least one pair of leaf nodes, and a first pair of leaf nodes among the at least one pair of leaf nodes records the first account association information; a generation unit, configured to determine a globally unique first alias corresponding to the first user and generate a first identity credential, wherein an extension field of the first identity credential comprises the first alias; an association unit, configured to combine at least the first root hash signature value of the user account tree and the hash value of the first identity credential to generate a first association record, and to store the first association record on a blockchain; and a verification unit, configured to, in response to a query request submitted by a second user, determine the corresponding user account tree according to the alias to be verified carried in the query request, generate a zero-knowledge proof based on the user account tree, return the first account, the zero-knowledge proof and the first identity credential to the second user, and trigger the second user to verify the first account held by the first user according to the zero-knowledge proof and the first association record queried from the blockchain.
  12. An electronic device comprising a processor and a memory storing a computer program, wherein the processor implements the distributed digital identity account processing method of any one of claims 1 to 10 when executing the computer program.

Description

Distributed digital identity account processing method and device and electronic equipment

Technical Field

The invention relates to the technical field of information security and cryptography, in particular to a distributed digital identity account processing method, a device and electronic equipment.

Background

The verifiable Legal Entity Identifier (vLEI) is a verifiable legal-entity identification code intended to give entities a verifiable digital identity in the digital world. The Autonomic Identifier (AID) is a self-managed anonymous identifier. In the current vLEI system, when two users holding AID accounts first establish a connection, the standard verification process is that each party runs a challenge/response exchange with the other in order to confirm the other party's true identity and prevent man-in-the-middle attacks; the process therefore takes two rounds, with each party in turn acting as challenger and as the challenged party. Beyond this standard process, some scenarios also require auditing the other party's identity material, which makes AID account verification very cumbersome. In particular, when a user holds several AID accounts, a challenge/response has to be run for every AID account the user holds, and this complicated verification process makes for a poor user experience.

Disclosure of Invention

The embodiments of the application provide a distributed digital identity account processing method, a device and electronic equipment, which manage a plurality of AID accounts through a single alias, simplify the verification process and improve the user experience.
The embodiments of the application provide a distributed digital identity account processing method, which comprises: receiving an alias registration request for a first user sent by a first QVI institution; creating a user account tree based on first account association information corresponding to the first user and carried in the alias registration request, wherein the first account association information comprises a first account registered by the first user with the first QVI institution, the user account tree is a Merkle tree comprising at least one pair of leaf nodes, a first pair of leaf nodes among the at least one pair of leaf nodes records the first account association information, and the first account is an AID account or a DID account; determining a globally unique first alias corresponding to the first user, binding the first alias with the user account tree, and generating a first identity credential; combining at least a first root hash signature value of the user account tree with a hash value of the first identity credential to generate a first association record, and storing the first association record on a blockchain; and, in response to a query request submitted by a second user, determining the corresponding user account tree according to the alias to be verified carried in the query request, generating a zero-knowledge proof based on the user account tree, returning the first account, the zero-knowledge proof and the first identity credential to the second user, and triggering the second user to verify the first account held by the first user according to the zero-knowledge proof and the first association record queried from the blockchain.
According to the distributed digital identity account processing method, generating the zero-knowledge proof based on the user account tree comprises determining the target account corresponding to the alias to be verified, wherein the target account is a default account or an account specified by additional information carried in the query request, and generating the zero-knowledge proof according to the target leaf node corresponding to the target account in the user account tree, wherein the zero-knowledge proof comprises the hash values of the sibling nodes on the Merkle path from the target leaf node to the root node of the user account tree and the hash value of the target leaf node. According to the distributed digital identity account processing method, the target account is a default account, or the query request further carries additional information and the target account is the account specified by the additional information. The distributed digital identity account processing method further comprises creating a user identity tree based on the identity material information, wherein the user identity tree is a Merkle tree comprising at least one leaf node, the at least one leaf node corresponding one-to-one to the at least one item of identity attribute information; combining at least the first root hash signature value of the user account tree with the hash value of the first identity credential to generate the first association record, wherein the first association record is generated by combining the root hash signature value of the user identity tree, the first root hash signature value of the user account
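The user account tree, the proof of claim 2 and the second user's check that claims 1, 2, 5 and 6 and the description lay out, as an added example that is not code from the patent or its assignee. It assumes a leaf-hashing scheme (salted SHA-256 with domain separation, since the page does not specify one), models the registry's root signature with an HMAC so that it runs offline where a deployment would use an asymmetric signature, and uses constructed account ids and a constructed credential. Note that what claim 2 describes is a Merkle inclusion proof: the verifier learns only the hashes of the other leaves, so the salt is what keeps a guessable account id or association record from being recovered from a sibling hash.

```python
# Added example (not the patent's or its assignee's code): the user account tree and the second user's check.
import hashlib
import hmac
import json
import os

REGISTRY_KEY = b"demo-registry-signing-key"  # assumption: stands in for the registry's signing key

def leaf_hash(value: bytes, salt: bytes) -> bytes:
    # Salted, domain-separated leaf: the salt stops a verifier who learns a sibling hash from
    # guessing a low-entropy account id offline (assumption; the patent does not specify hashing).
    return hashlib.sha256(b"\x00" + salt + value).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def sign_root(root: bytes) -> bytes:
    # Models the "root hash signature value" with an HMAC so the block runs offline; a deployment
    # would use an asymmetric signature that any verifier can check with the registry's public key.
    return hmac.new(REGISTRY_KEY, root, hashlib.sha256).digest()

def credential_hash(credential: dict) -> bytes:
    return hashlib.sha256(json.dumps(credential, sort_keys=True).encode()).digest()

class UserAccountTree:
    """Merkle tree whose leaves come in pairs: (account id, association info)."""

    def __init__(self) -> None:
        self.leaves: list[tuple[bytes, bytes]] = []  # (value, salt)

    def add_account(self, account_id: str, assoc_info: dict) -> int:
        """Append one pair of leaves (claims 1 and 5); returns the index of the account leaf."""
        info = json.dumps(assoc_info, sort_keys=True).encode()
        self.leaves += [(account_id.encode(), os.urandom(16)), (info, os.urandom(16))]
        return len(self.leaves) - 2

    def remove_account(self, index: int) -> None:
        """Delete the pair starting at index (claim 6); the root, and so the on-chain record, changes."""
        del self.leaves[index:index + 2]

    def levels(self) -> list[list[bytes]]:
        level = [leaf_hash(v, s) for v, s in self.leaves]
        levels = [level]
        while len(level) > 1:  # an unpaired node is promoted to the next level unchanged
            level = [node_hash(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)]
            levels.append(level)
        return levels

    def prove(self, index: int) -> dict:
        """Claim 2's proof: the leaf hash and the sibling hashes on the path to the root."""
        levels, path, idx = self.levels(), [], index
        for level in levels[:-1]:
            sib = idx ^ 1
            if sib < len(level):
                path.append((level[sib].hex(), "left" if sib < idx else "right"))
            idx //= 2
        value, salt = self.leaves[index]
        return {"leaf": leaf_hash(value, salt).hex(), "salt": salt.hex(), "path": path}

def association_record(tree: UserAccountTree, credential: dict) -> dict:
    """What goes on chain: the signed root and the hash of the identity credential."""
    root = tree.levels()[-1][0]
    return {"root": root.hex(), "root_sig": sign_root(root).hex(),
            "cred_hash": credential_hash(credential).hex()}

def verify_account(account_id: str, proof: dict, credential: dict, alias: str, record: dict) -> bool:
    """The second user's check against the record it queried from the blockchain."""
    root = bytes.fromhex(record["root"])
    if not hmac.compare_digest(sign_root(root), bytes.fromhex(record["root_sig"])):
        return False  # root not endorsed by the registry
    if not hmac.compare_digest(credential_hash(credential), bytes.fromhex(record["cred_hash"])):
        return False  # presented credential is not the one bound on chain
    if credential.get("extension", {}).get("alias") != alias:
        return False  # alias is not the one in the credential's extension field
    h = bytes.fromhex(proof["leaf"])
    if leaf_hash(account_id.encode(), bytes.fromhex(proof["salt"])) != h:
        return False  # leaf hash does not open to the claimed account
    for sib_hex, pos in proof["path"]:
        sib = bytes.fromhex(sib_hex)
        h = node_hash(sib, h) if pos == "left" else node_hash(h, sib)
    return hmac.compare_digest(h, root)

def demo() -> tuple[bool, bool, bool]:
    """Constructed walk-through: register three accounts, verify one, unbind it, replay the old proof."""
    tree = UserAccountTree()
    tree.add_account("AID-first", {"qvi": "QVI-1"})            # first pair (claim 1)
    second = tree.add_account("AID-second", {"qvi": "QVI-2"})  # second pair (claim 5)
    tree.add_account("AID-third", {"qvi": "QVI-3"})            # 6 leaves -> 3 nodes: an odd level
    credential = {"subject": "user-1", "extension": {"alias": "alice"}}
    record = association_record(tree, credential)
    proof = tree.prove(second)
    ok = verify_account("AID-second", proof, credential, "alice", record)
    wrong = verify_account("AID-other", proof, credential, "alice", record)
    tree.remove_account(second)                                # claim 6: unbind the second account
    stale = verify_account("AID-second", proof, credential, "alice", association_record(tree, credential))
    return ok, wrong, stale  # (True, False, False)
```

`demo()` returns `(True, False, False)`: the genuine account verifies against the record on chain, the same proof does not open to a different account id, and once the second QVI's account is unbound the old proof no longer matches the re-signed root. That last case is why claims 5 through 8 re-determine the root hash signature value and write a fresh association record on every change; a verifier that reads an old record, or skips the root signature check, would accept a proof for an account that has since been unbound.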