WO2024022110A1 - Access control system and method, device and computer-readable storage medium - Google Patents

Info

Publication number
WO2024022110A1
Authority
WO
WIPO (PCT)
Prior art keywords
result
provable
service
location
zkp
Application number
PCT/CN2023/106989
Other languages
French (fr)
Chinese (zh)
Inventor
竹勇
Original Assignee
中兴通讯股份有限公司
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/52 Network services specially adapted for the location of the user terminal
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218 H04L9/32 using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/3221 H04L9/3218 using interactive zero-knowledge proofs
    • H04L9/3226 H04L9/32 using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/40 Network security protocols

Definitions

  • Embodiments of the present application relate to but are not limited to the technical fields of location services and network security, and in particular, to an access control system, method, device and computer-readable storage medium.
  • Embodiments of the present application provide an access control system, method, device and computer-readable storage medium.
  • an access control system includes:
  • a service requesting device, used to send a service request and an authorization query identifier;
  • a service providing device, connected to the service requesting device, used to receive the service request and the authorization query identifier, generate zero-knowledge proof constraints based on the service request and the authorization query identifier, and output the constraints;
  • a location providing device connected to the service providing device, for receiving the constraint, obtaining a provable result based on the zero-knowledge proof according to the constraint, and outputting the provable result to the service providing device;
  • the service providing device is also configured to perform verification processing on the provable result to obtain a verification result, and determine whether to provide location-based services to the service requesting device based on the verification result, wherein the provable result does not include the verification result.
  • the location data referred to above is the location data of the service requesting device.
  • the access control method according to the embodiment of the present application is applied to the service requesting device, and the method includes:
  • receiving a location-based service from the service providing device, wherein the location-based service is sent by the service providing device after verifying a provable result provided by the location providing device, and the provable result is obtained by the location providing device based on the zero-knowledge proof according to the constraints, wherein the provable result does not include the location data of the service requesting device.
  • the access control method according to the embodiment of the present application is applied to service providing equipment, and the method includes:
  • receive the provable result sent by the location providing device, perform a verification process on the provable result to obtain a verification result, and determine whether to provide location-based services to the service requesting device based on the verification result;
  • if so, the location-based service is sent.
  • the access control method according to the embodiment of the present application is applied to the location providing device, and the method includes:
  • an access control device includes a memory, a processor, and a computer program stored on the memory and executable on the processor.
  • when the processor executes the computer program, the following is implemented:
  • the access control method described in the second aspect above, or the access control method described in the third aspect above, or the access control method described in the fourth aspect above.
  • a computer-readable storage medium stores computer-executable instructions, which are used to execute the access control method as described in the second aspect above, the third aspect above, or the fourth aspect above.
  • Figure 1 is a schematic structural diagram of an access control system provided by an embodiment of the first aspect of this application;
  • Figure 2 is a specific structural schematic diagram of an access control system provided by an embodiment of the first aspect of this application;
  • Figure 3 is a schematic structural diagram of an access control system based on cellular network user journeys provided by an embodiment of the first aspect of the present application;
  • Figure 4 is a schematic structural diagram of a rights assessment system based on user access location provided by another embodiment of the first aspect of the present application;
  • Figure 5 is a schematic flowchart of an access control method provided by an embodiment of the second aspect of this application;
  • Figure 6 is a schematic flowchart of an access control method provided by an embodiment of the third aspect of this application;
  • Figure 7 is a schematic flowchart of obtaining constraints provided by another embodiment of the third aspect of the present application;
  • Figure 8 is a schematic flowchart of obtaining verification results provided by another embodiment of the third aspect of the present application;
  • Figure 9 is a schematic flowchart of a business module processing verification results provided by another embodiment of the third aspect of this application;
  • Figure 10 is a schematic flowchart of verifying provable results provided by another embodiment of the third aspect of the present application;
  • Figure 11 is a schematic flowchart of providing location-based services to a service requesting device according to another embodiment of the third aspect of the present application;
  • Figure 12 is a schematic flowchart of an access control method provided by an embodiment of the fourth aspect of the present application;
  • Figure 13 is a schematic flowchart of obtaining provable results provided by another embodiment of the fourth aspect of the present application.
  • cell identity positioning, which determines the cell in which the user's mobile phone terminal is located, is the basic positioning function.
  • Each cell of a base station has a relatively fixed coverage area and number.
  • the simplest positioning method is to position based on the cell to which the terminal is connected.
  • the base station measures the positioning signal and receives the measurement results fed back by the terminal, reports this information to the positioning engine, and the positioning engine then calculates the position coordinates of the terminal from the measurement information, sends the position coordinates to the positioning platform, and finally passes them on to the various location-based applications.
  • Various other access network scenarios, such as satellite positioning or indoor positioning, follow similar principles.
  • This traditional location-based access control system under the access network requires the personal data owner to send a request to the data platform of the access network; the data platform returns the personal location trajectory information for a certain time and space, and the personal data owner then exposes this plaintext data in exchange for location-based services.
  • the access control system includes a service requesting device, a service providing device and a location providing device.
  • the data owner sends a service request and an authorization query identifier to the service providing device through the service requesting device;
  • the service providing device is connected with the service requesting device to receive the service request and the authorization query identifier, generates the constraints of the zero-knowledge proof based on the service request and the authorization query identifier, and outputs the constraints to the location providing device;
  • the location providing device is connected to the service providing device to receive the constraints, queries the location data of the service requesting device according to the constraints, performs zero-knowledge proof on the constraints and location data to obtain the provable result, and then outputs the provable result to the service providing device;
  • the service providing device is also used to perform verification processing on the provable result to obtain a verification result, and to provide location-based services to the service requesting device based on the verification result.
  • the access control system of the embodiment of the present application allows the data owner to authorize the service providing device through the service requesting device, and performs zero-knowledge proof on the constraints and location data, which avoids possible counterfeiting or tampering risks on the data owner's side and effectively protects the rights and interests of service providers who provide location-based services; there is no need to introduce new trusted devices, the provable result does not include the location data of the service requesting device, and personal privacy data can be protected and the credibility of computational integrity ensured on the basis of the existing access network, thereby reducing costs.
  • Figure 1 is a schematic structural diagram of an access control system provided by an embodiment of the present application.
  • the access control system includes a service requesting device, a service providing device and a location providing device.
  • the service requesting device is used to send service requests and authorization query identifiers;
  • the service providing device is connected to the service requesting device and is used to receive the service request and authorization query identifier, generate zero-knowledge proof constraints based on the service request and authorization query identifier, and output the constraints;
  • the location providing device is connected to the service providing device to receive the constraints, obtain a provable result based on zero-knowledge proof according to the constraints, and output the provable result to the service providing device;
  • the service providing device is also used to perform verification processing on the provable result to obtain a verification result, and to judge, based on the verification result, whether to provide location-based services to the service requesting device, where the provable result does not include the location data of the service requesting device.
  • zero-knowledge proof is performed on the constraints and location data to verify whether the data owner meets the requirements of the service provider that provides location services, which resolves the trust issue of the computational integrity of an independent data platform; the provable result obtained through zero-knowledge proof replaces the traditional way of disclosing personal location information, protecting personal privacy data; because the data owner sends the service request and authorization to the service providing device through the service requesting device, there is no need to rely on the computing power of the personal terminal device to calculate the provable result, which prevents possible counterfeiting or tampering risks on the data owner's side and effectively protects the rights and interests of service providers who provide location-based services.
  • the authorization query identifier includes the identification information of the data owner and the location information that the data owner needs to query.
  • the identification information of the data owner can be a mobile phone number, an employee ID of an employee, or other identification information that can identify the data owner, which is not limited in the embodiments of this application.
  • the specific process for obtaining provable results is: the location providing device queries to obtain the location data of the service requesting device according to the constraints, and performs zero-knowledge proof on the constraints and location data to obtain provable results.
  • the data owner sends a service request to the service providing device (that is, the service provider) through the service requesting device and authorizes the service providing device to use the data owner's own identity identifier to query the location information that the data owner needs to query; the service providing device obtains the identification information of the data owner and the location information that the data owner needs to query from the service request and authorization sent by the data owner through the service requesting device, forms the constraints of the zero-knowledge proof from the identification information and location information, and sends the constraints to the location providing device; the location providing device queries its own data according to the constraints to obtain the location data corresponding to the data owner, and performs zero-knowledge proof on the constraints and location data.
  • the verification result includes: if the provable result is verified to have been calculated according to the constraints and by the zero-knowledge proof, the provable result is accepted; otherwise the provable result is not recognized, or the provable result is obtained again and the verification process is carried out again until the provable result is accepted. If the provable result is accepted, the service providing device provides location-based services to the data owner; if the provable result is not recognized, the service providing device refuses to provide location-based services to the data owner.
  • provable results do not include the data owner’s personal location data.
  • the location data is stored using homomorphic encryption.
  • the location data can be stored in plaintext or in ciphertext; this is not limited in the embodiments of the present application.
  • the location providing device includes a ZKP prover calling module and a data source module.
  • the ZKP prover calling module is connected to the service providing device and the data source module respectively.
  • the ZKP prover calling module is used to query the location data of the service requesting device from the data source module, perform zero-knowledge proof on the constraints and location data to obtain the provable result, and output the provable result to the service providing device.
  • the location providing equipment includes data processing equipment and data sources.
  • the data processing equipment is provided with a ZKP prover calling module;
  • the data source is provided with a data source module;
  • the service providing equipment sends the constraints to the location providing equipment;
  • the data processing equipment queries the data source module in the data source according to the constraints and obtains the information related to the data owner;
  • the ZKP prover calling module performs zero-knowledge proof on the constraints and location data to obtain the provable result, and outputs the provable result to the service providing equipment.
  • ZKP is the abbreviation of Zero-Knowledge Proof.
  • Zero-knowledge proof means that the prover can convince the verifier that a certain assertion is correct without providing any useful information to the verifier.
  • a zero-knowledge proof is essentially a protocol involving two or more parties, that is, a series of steps that two or more parties need to take to complete a task. The prover proves to the verifier, and makes the verifier believe, that the prover knows or possesses a certain message, but the proof process cannot reveal any information about the proven message to the verifier.
  • the service providing equipment includes a ZKP prover distribution module, a ZKP verifier calling module and a business module.
  • the business module is connected to the service requesting equipment, the ZKP prover distribution module and the ZKP verifier calling module respectively.
  • the ZKP prover distribution module is connected to the input end of the ZKP prover calling module, and the ZKP verifier calling module is connected to the output end of the ZKP prover calling module; the ZKP prover distribution module is used to generate the zero-knowledge proof constraints based on the service request and authorization query identifier and to output the constraints to the location providing device;
  • the ZKP verifier calling module is used to receive the provable result, perform verification processing on the provable result to obtain the verification result, and send the verification result to the business module;
  • the business module is used to determine, based on the verification result, whether to provide location-based services to the service requesting device.
  • the ZKP prover distribution module forms the constraints of the zero-knowledge proof based on the identification information of the data owner and the location information that needs to be queried, and outputs the constraints to the ZKP prover calling module, so that the ZKP prover calling module obtains the location data corresponding to the data owner from the data source module according to the constraints, performs zero-knowledge proof on the constraints and location data to obtain the provable result, and outputs the provable result to the ZKP verifier calling module; the ZKP verifier calling module calls the verification function on the provable result to verify it and obtain the verification result.
  • the verification result includes: if the provable result is verified to have been calculated according to the constraints and by the zero-knowledge proof, the provable result is accepted; otherwise the provable result is not recognized, or the provable result is re-obtained and the verification process is performed again until the provable result is accepted. The ZKP verifier calling module sends the obtained verification result to the business module, and the business module determines from the verification result whether to provide location-based services to the service requesting device. Specifically, if the provable result is accepted, the business module provides location-based services to the data owner; if the provable result is not accepted, the business module denies location-based services to the data owner.
  • the access control method can be applied to access based on the cellular network user's itinerary, and can also be applied to the authority evaluation system based on the user's access location. It can also be applied to other embodiments.
  • the above two embodiments are only preferred embodiments of the technical solution of this application and are not used to limit the scope of protection of the present application. Any modifications, equivalent replacements and improvements made within the spirit and principles of this application shall be included in the protection scope of this application.
  • the specific process is: first, the UE user applies to enter a public service place by scanning a QR code and authorizes the public service place that provides the service to perform a historical location query with the user's own mobile phone number; the public service venue generates zero-knowledge proof constraints based on the obtained mobile phone number and the time period and location space list that the business needs to query, and sends the constraints to the operator's data processing platform; the operator's data processing platform performs zero-knowledge proof based on the received constraints and the user's historical location trajectory information stored on the operator's own cellular network platform, and returns the provable result to the public service venue.
  • the provable result does not include the personal location data of the UE user; it only includes a yes-or-no result of whether the user has been to an epidemic-hit or high-risk city in the last 14 days.
  • the verifiable information does not include the personal location data of the UE user; the public service venue verifies the provable result: if the provable result is verified to have been calculated strictly in accordance with the constraints, the provable result is accepted; otherwise the data processing platform is required to recalculate, or the provable result is considered false; finally, the public service venue decides whether to proceed based on the verification result.
  • the specific process is: first, the user who needs to access the network requests the access service and authorizes the access system to use the user's own user ID.
  • the access system may not be owned by the network provider; for example, it may be a general security service provided by an independent third-party security provider in the form of a cloud platform.
  • the access control system generates zero-knowledge proof constraints based on the user ID (such as an employee ID), the time period (such as the current access time), and the location list (such as the locations of all company office parks), and sends the constraints to the data processing platform of the network provider (such as the company's IT system), that is, the ZKP prover calling module; the data processing platform of the network provider, that is, the ZKP prover calling module, performs zero-knowledge proof based on the received constraints and the user's network access point information (such as IP address, etc.) stored on the network provider's own platform to obtain the provable result, and returns the provable result to the access system.
  • the provable result does not contain the employee's specific access location information and can be used for verification; the access system verifies the provable result: if the provable result is verified to have been calculated strictly in accordance with the constraints, the provable result is accepted; otherwise the data processing platform is required to recalculate, or the provable result is considered false; finally, the access system evaluates the risk level of the accessing user based on the verification result and then decides to grant the corresponding level of permissions to the accessing user.
  • UE is the abbreviation of User Equipment.
  • IT is the abbreviation of Information Technology.
  • ID is the abbreviation of Identity Document, i.e. an identification number.
  • embodiments of the present application also provide an access control method, applied to service requesting devices.
  • the method includes but is not limited to the following steps:
  • Step S100: send a service request and an authorization query identifier to the service providing device, so that the service providing device generates zero-knowledge proof constraints based on the service request and the authorization query identifier and outputs the constraints to the location providing device;
  • Step S200: receive a location-based service from the service providing device.
  • the location-based service is sent by the service providing device after verifying the provable result provided by the location providing device.
  • the provable result is obtained by the location providing device based on zero-knowledge proof according to the constraints.
  • the provable results do not include location data of the service requesting device.
  • the access control method provided by the embodiment of the second aspect is specifically applied to the service requesting device of the access control system.
  • the access control system also includes a service providing device and a location providing device.
  • the service providing device is connected to the service requesting device and the location providing device respectively.
  • the location providing device includes a ZKP prover calling module and a data source module.
  • the ZKP prover calling module is connected to the output end of the service providing device and the data source module respectively;
  • the service providing device includes a ZKP prover distribution module, a ZKP verifier calling module and a business module.
  • the business module is connected to the service requesting device, the input end of the ZKP prover distribution module, and the output end of the ZKP verifier calling module respectively.
  • the output end of the ZKP prover distribution module is connected to the input end of the ZKP prover calling module, and the input end of the ZKP verifier calling module is connected to the output end of the ZKP prover calling module.
  • the data owner sends a service request to the service providing device through the service requesting device and authorizes it, so that the ZKP prover distribution module forms the zero-knowledge proof constraints based on the identification information of the data owner and the location information that needs to be queried.
  • the ZKP prover calling module performs zero-knowledge proof on the constraints and location data to obtain the provable result and outputs the provable result to the ZKP verifier calling module.
  • the ZKP verifier calling module calls the verification function on the provable result to verify it, and obtains the verification result.
  • the ZKP verifier calling module sends the obtained verification result to the business module, and the business module decides, based on the verification result, whether to provide location-based services to the service requesting device. Specifically, if the provable result is accepted, the business module provides location-based services to the data owner; if the provable result is not accepted, the business module refuses to provide location-based services to the data owner.
  • the data owner sends a service request to the service providing device through the service requesting device and authorizes it; there is no need to rely on the computing power of the personal terminal device to calculate the provable result, which prevents possible counterfeiting or tampering risks on the data owner's side and effectively protects the rights and interests of service providers who provide location-based services.
  • the access control method of the embodiment of the present application allows the data owner to authorize the service providing device through the service requesting device, and performs zero-knowledge proof on the constraints and location data, which avoids the risk of possible counterfeiting or tampering by the data owner and effectively protects the rights and interests of service providers who provide location-based services; there is no need to introduce new trusted devices, and personal privacy data can be protected and the credibility of computing integrity guaranteed based on the existing access network, thereby reducing costs.
  • embodiments of the present application also provide an access control method, which is applied to the service providing equipment of the access control system.
  • the access control system also includes a service requesting equipment and a location providing equipment.
  • the service providing equipment is connected to the service requesting device and the location providing device respectively;
  • the access control method includes but is not limited to the following steps:
  • Step S300: receive the service request and authorization query identification of the service requesting device, and obtain the constraints of the zero-knowledge proof based on the service request and authorization query identification;
  • Step S400: send the constraints to the location providing device, so that the location providing device obtains provable results based on zero-knowledge proof according to the constraints; wherein the provable results do not include the location data of the service requesting device;
  • Step S500: receive the provable result sent by the location providing device, perform verification processing on the provable result to obtain the verification result, and determine whether to provide location-based services to the service requesting device based on the verification result;
  • Step S600: if the determination result is yes, send the location-based services.
  • the access control method provided by the embodiment of the third aspect is specifically applied to the service providing equipment of the access control system.
  • the access control system also includes a service requesting equipment and a location providing equipment.
  • the service providing equipment is connected with the service requesting equipment and the location providing equipment respectively.
  • the location providing equipment includes data processing equipment and data sources.
  • the data processing equipment is equipped with a ZKP prover calling module
  • the data source is equipped with a data source module.
  • the ZKP prover calling module is connected with the service providing equipment and the data source module respectively. The service providing device sends the constraints to the data processing device in the location providing device; the data processing device queries the data source module in the data source according to the constraints and obtains the location data corresponding to the data owner; the ZKP prover calling module performs zero-knowledge proof on the constraints and location data to obtain provable results, and outputs the provable results to the service providing equipment.
  • the access control method of the embodiment of the present application allows the data owner to authorize the service providing device through the service requesting device, and performs zero-knowledge proof on the constraints and location data, which avoids the risk of possible counterfeiting or tampering by the data owner and effectively protects the rights and interests of service providers who provide location-based services; there is no need to introduce new trusted devices, and personal privacy data can be protected and the credibility of computing integrity guaranteed based on the existing access network, thereby reducing costs.
  • the data owner sends a service request to the service providing device through the service requesting device and authorizes it, so that the service providing device forms the constraints of the zero-knowledge proof based on the identification information of the data owner and the location information that needs to be queried, and outputs the constraints to the ZKP prover calling module, so that the ZKP prover calling module performs zero-knowledge proof on the constraints and location data to obtain provable results and returns the provable results to the service providing device.
  • the service providing device calls the verification function according to the provable result to verify the provable result and obtains the verification result, and decides whether to provide location-based services to the service requesting device based on the verification result. Specifically, if the provable result is accepted, the business module provides location-based services to the data owner; if the provable result is not accepted, the business module refuses to provide location-based services to the data owner.
  • when the access control method is applied to identify whether a mobile phone user has been to a medium- or high-risk city in the past 14 days, the provable result may be that the user has been to a medium- or high-risk city, or that the user has not been to a medium- or high-risk city.
  • the service providing equipment includes a ZKP prover distribution module, a ZKP verifier calling module and a business module.
  • the business module is connected with the service requesting equipment, the ZKP prover distribution module and the ZKP verifier calling module respectively; the ZKP prover distribution module is connected to the input end of the ZKP prover calling module, and the ZKP verifier calling module is connected to the output end of the ZKP prover calling module.
  • obtaining the constraints of the zero-knowledge proof based on the service request and authorization query identification in step S300, and sending the constraints to the location providing device in step S400, include but are not limited to the following steps:
  • Step S410: send the service request and the authorization query identification to the ZKP prover distribution module, so that the ZKP prover distribution module generates the constraints of the zero-knowledge proof based on the service request and the authorization query identification, and sends the constraints to the location providing device.
  • the ZKP prover distribution module forms the constraints of the zero-knowledge proof based on the identification information of the data owner and the location information that needs to be queried, and outputs the constraints to the ZKP prover calling module, so that the ZKP prover calling module performs zero-knowledge proof on the constraints and location data to obtain provable results and outputs the provable results to the ZKP verifier calling module.
  • performing verification processing on the provable result in step S500 to obtain the verification result includes but is not limited to the following steps:
  • Step S510: send the provable result to the ZKP verifier calling module, so that the ZKP verifier calling module verifies the provable result and obtains the verification result.
  • the provable results are output to the ZKP verifier calling module.
  • the ZKP verifier calling module calls the verification function according to the provable results to verify the provable results and obtain the verification results.
  • the ZKP verifier calling module sends the obtained verification results to the business module.
  • the business module decides whether to provide location-based services to the service requesting device. Specifically, if the provable results are accepted, the business module provides location-based services to the data owner; if the provable results are not accepted, the business module refuses to provide location-based services to the data owner.
  • judging whether to provide location-based services to the service requesting device according to the verification result in step S500 includes but is not limited to the following steps:
  • Step S520: send the verification result to the business module, so that the business module determines whether to provide location-based services to the service requesting device based on the verification result.
  • the verification result includes: if the provable result is verified to have been calculated by zero-knowledge proof according to the constraints, the provable result is accepted; otherwise, the provable result is not recognized, or the provable result is obtained again and the verification process performed again until the provable result is accepted. If the provable result is accepted, the business module provides location-based services to the data owner; if the provable result is not recognized, the business module refuses to provide location-based services to the data owner.
  • the verification process on the provable result in step S500 to obtain the verification result includes but is not limited to the following steps:
  • Step S530: perform verification processing on the provable result; if the provable result was obtained based on zero-knowledge proof under the constraints, determine that the verification result is acceptance of the provable result;
  • Step S540: if the provable result was not obtained based on zero-knowledge proof under the constraints, determine that the verification result is rejection of the provable result.
  • the ZKP verifier calling module calls the verification function according to the provable result to verify the provable result and obtain the verification result. If the provable result was not obtained based on zero-knowledge proof under the constraints, the verification result is determined to be rejection of the provable result, or the provable result is re-obtained and the verification process performed again until the verification result is determined to be acceptance of the provable result.
  • judging whether to provide location-based services to the service requesting device according to the verification result in step S500 includes but is not limited to the following steps:
  • Step S550: if the verification result is acceptance of the provable result, provide location-based services to the service requesting device;
  • Step S560: if the verification result is rejection of the provable result, refuse to provide location-based services to the service requesting device.
  • the business module decides whether to provide location-based services to the data owner based on the verification results obtained by the ZKP verifier calling module.
  • the data owner sends a service request to the service providing device, that is, the service provider, through the service requesting device and authorizes the service providing device to use the data owner's own identity identifier to query the location information that the data owner needs to query; the location information that needs to be queried includes location space information and time information. The service providing device queries the identification information of the data owner and the location information that the data owner needs to query based on the service request and authorization sent by the data owner, forms the constraints of the zero-knowledge proof based on the identification information and location information, and sends the constraints to the ZKP prover calling module in the location providing device through the ZKP prover distribution module; the ZKP prover calling module queries the data source module in the data source according to the constraints to obtain the location data corresponding to the data owner, performs zero-knowledge proof on the constraints and location data to obtain provable results, and then outputs the provable results to the ZKP verifier calling module; the ZKP verifier calling module then verifies the provable result and obtains the verification result. If the verification result is acceptance of the provable result, the business module provides location-based services to the data owner; if the verification result is rejection of the provable result, the business module refuses to provide location-based services to the data owner.
  • embodiments of the present application also provide an access control method, which is applied to the location providing device of the access control system.
  • the access control system also includes a service requesting device and a service providing device.
  • the service providing device is connected to the service requesting device and the location providing device respectively;
  • the access control method includes but is not limited to the following steps:
  • Step S700: obtain the constraints of the zero-knowledge proof from the service providing device, and obtain a provable result based on the zero-knowledge proof according to the constraints; wherein the provable result does not include the location data of the service requesting device;
  • Step S800: output the provable result to the service providing device, so that the service providing device performs verification processing on the provable result to generate a verification result, and determines whether to provide location-based services to the service requesting device based on the verification result.
  • the access control method provided by the embodiment of the fourth aspect is specifically applied to the location providing device of the access control system.
  • the access control system also includes a service requesting device and a service providing device.
  • the service providing device is connected with the service requesting device and the location providing device respectively.
  • the service requesting device sends a service request and an authorization query identification to the service providing device, so that the service providing device queries, according to the service request and authorization, the identification information of the data owner and the location information that the data owner wants to query, generates the zero-knowledge proof constraints based on the identification information and location information, and then sends the constraints to the location providing device.
  • the data owner sends a service request to the service providing device, that is, the service provider, through the service requesting device and authorizes the service providing device to use the data owner's own identity identifier to query the location information that the data owner needs to query; the location information includes location space information and time information. The service providing device queries the identification information of the data owner and the location information that the data owner needs to query based on the service request and authorization sent by the data owner, forms the constraints of the zero-knowledge proof based on the identification information and location information, and sends the constraints to the location providing device; the location providing device performs a query according to the constraints to obtain the location data corresponding to the data owner, performs zero-knowledge proof on the constraints and location data to obtain provable results, and then outputs the provable results to the service providing equipment; the service providing equipment then performs verification processing on the provable results to obtain the verification result.
  • the verification result includes: if the provable results are verified to have been calculated by zero-knowledge proof according to the constraints, the provable results are accepted; otherwise the provable results are not recognized, or the provable results are re-obtained and the verification process performed again until the provable results are accepted. If the provable results are accepted, the service providing equipment provides location-based services to the data owner; if the provable results are not recognized, the service providing equipment refuses to provide location-based services to the data owner.
  • the location providing device includes a ZKP prover calling module and a data source module.
  • the ZKP prover calling module is connected to the service providing device and the data source module respectively; obtaining the location data of the service requesting device by query according to the constraints, and obtaining provable results based on zero-knowledge proof according to the constraints, in step S700 include but are not limited to the following steps:
  • Step S710: send the constraints to the ZKP prover calling module, so that the ZKP prover calling module queries the data source module to obtain the location data of the service requesting device according to the constraints, performs zero-knowledge proof on the constraints and location data, and obtains the provable results.
  • the service providing equipment includes a ZKP prover distribution module, a ZKP verifier calling module and a business module.
  • the business module is connected to the service requesting equipment, the ZKP prover distribution module and the ZKP verifier calling module respectively.
  • the ZKP prover distribution module is connected to the input end of the ZKP prover calling module, and the ZKP verifier calling module is connected to the output end of the ZKP prover calling module.
  • the ZKP prover distribution module forms the constraints of the zero-knowledge proof based on the identification information of the data owner and the location information that needs to be queried, and outputs the constraints to the ZKP prover calling module, so that the ZKP prover calling module obtains the location data corresponding to the data owner from the data source module according to the constraints, performs zero-knowledge proof on the constraints and location data to obtain provable results, and outputs the provable results to the ZKP verifier calling module; the ZKP verifier calling module calls the verification function according to the provable result to verify the provable result and obtain the verification result.
  • the verification result includes: if the provable result is verified to have been obtained by zero-knowledge proof under the constraints, the verification result is determined to be acceptance of the provable result; otherwise the verification result is determined to be rejection of the provable result, or the provable result is re-obtained and the verification process performed again until the provable result is accepted. The ZKP verifier calling module sends the obtained verification result to the business module, and the business module decides whether to provide location-based services to the service requesting device based on the verification result. Specifically, if the verification result is acceptance of the provable result, the business module provides location-based services to the service requesting device; if the verification result is rejection of the provable result, the business module refuses to provide location-based services to the service requesting device.
  • the access control system is applied to access control based on the itinerary of a cellular network user, for example whether the mobile phone user has visited a medium- or high-risk city in the last 14 days.
  • the specific process is: first, the UE user applies to enter a public service venue by scanning a QR code and authorizes the public service venue that provides the service to use the mobile phone number to query historical locations; the public service venue generates the constraints of the zero-knowledge proof based on the obtained mobile phone number and the time period and location space list that the business needs to query, and sends the constraints to the operator's data processing platform; the operator's data processing platform performs zero-knowledge proof based on the received constraints and the user's historical location trajectory information stored on the operator's own cellular network platform to obtain provable results. The provable results do not include the personal location data of the UE user, but only the yes-or-no result of whether the user has been to an epidemic-affected medium- or high-risk city in the last 14 days, together with verifiable information, which likewise does not include the personal location data of the UE user; the public service venue verifies the provable results. If the provable results are verified to have been calculated strictly in accordance with the constraints, they are accepted; otherwise the data processing platform is required to recalculate, or the provable results are considered false. Finally, the public service venue decides whether to provide location-based services to the UE user based on the verification results.
  • the access control system is applied to a permission evaluation system based on user access location. For example, in a security authorization scenario, when an employee logs in to the office system, risk needs to be assessed based on the employee's location (such as home or a company site) and different levels of permissions granted accordingly.
  • the specific process is: first, a user who needs to access the network requests the access service and authorizes the access system to use the user's own user ID. The access system may not be owned by the network provider; for example, it may be a general security service provided by an independent third-party security provider in the form of a cloud platform, so the employee's specific location information cannot be exposed to it. The access system generates the constraints of the zero-knowledge proof based on the user ID (such as the employee ID), time period (such as the current access time) and location list (such as all office park locations of the company), and sends the constraints to the data processing platform of the network provider (such as the company's IT system), that is, the ZKP prover calling module; the data processing platform of the network provider, that is, the ZKP prover calling module, performs zero-knowledge proof based on the received constraints and the user's network access point information (such as IP address) stored on the network provider's own platform to obtain a provable result, and returns the provable result to the access system. The provable result does not include the employee's specific access location information, that is, the verifiable information does not include the employee's specific access location information; the access system verifies the provable result. If the provable result is verified to have been calculated strictly according to the constraints, it is accepted; otherwise the data processing platform is required to recalculate, or the provable result is considered false. Finally, the access system evaluates the risk level of the accessing user based on the verification result and decides which level of permissions to grant.
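The three-party flow described for both scenarios above (the 14-day itinerary check and the office-location permission check), written out as an added example that is not part of the patent text or of any implementation by the applicant. It simulates the service requesting device (a request plus the authorised identifier), the service providing device (constraint generation in S300, verification in S530/S540, business decision in S550/S560) and the location providing device (data source plus prover, S700). The zero-knowledge proof itself is replaced by a stand-in: the location provider returns only the yes/no result and a keyed HMAC tag bound to a canonical digest of the constraints. That stand-in preserves the two properties the text insists on, that no location data leaves the provider and that a result computed under different constraints or altered afterwards is rejected, but it is not a zero-knowledge proof: the verifier must hold the same key, so it trusts the provider's computation instead of checking it cryptographically. All records, identifiers, the key and the request fields are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Constructed sample records held by the location providing device (data source module).
# Keys are the authorised identifiers (a phone number, an employee ID); values are
# (timestamp, location) pairs. Timestamps are ISO strings, so lexical order is time order.
LOCATION_RECORDS = {
    "+86-13800000001": [("2024-01-03", "Hangzhou"), ("2024-01-09", "Shanghai")],
    "emp-1042": [("2024-01-10T09:00", "10.20.30.7")],
}

# Constructed key shared by prover and verifier: a stand-in for the ZKP proving and
# verification parameters, not a zero-knowledge construction.
PROVER_KEY = b"constructed-location-provider-key"

# Constructed service requests for the two scenarios in the text.
EPIDEMIC_REQUEST = {"window": ["2024-01-01", "2024-01-14"],
                    "locations": ["Shanghai", "Beijing"], "grant_if": "absent"}
OFFICE_REQUEST = {"window": ["2024-01-10T00:00", "2024-01-10T23:59"],
                  "locations": ["10.20.30.7"], "grant_if": "present"}


@dataclass(frozen=True)
class Constraint:
    """Constraint of the proof: whose data, which time window, which location list."""
    subject_id: str
    window: tuple
    locations: tuple

    def digest(self) -> str:
        # Canonical serialisation, so prover and verifier bind to exactly the same constraint.
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()


def build_constraint(service_request: dict, auth_query_id: str) -> Constraint:
    """Service providing device, step S300: constraint from the request and the authorised identifier."""
    return Constraint(auth_query_id, tuple(service_request["window"]),
                      tuple(service_request["locations"]))


def _tag(constraint: Constraint, result: bool) -> str:
    # Binds the yes/no answer to the constraint digest under the shared key.
    msg = f"{constraint.digest()}|{int(result)}".encode()
    return hmac.new(PROVER_KEY, msg, hashlib.sha256).hexdigest()


def prove(constraint: Constraint, records: dict = LOCATION_RECORDS) -> dict:
    """Location providing device, step S700: query the data source and emit only the yes/no
    result plus a tag bound to the constraint digest. No (timestamp, location) pair leaves here."""
    start, end = constraint.window
    hits = records.get(constraint.subject_id, [])
    result = any(start <= ts <= end and loc in constraint.locations for ts, loc in hits)
    return {"constraint_digest": constraint.digest(), "result": result,
            "tag": _tag(constraint, result)}


def verify(constraint: Constraint, proof: dict) -> bool:
    """Service providing device, steps S530/S540: accept only a result produced under exactly
    these constraints and not altered afterwards."""
    if proof.get("constraint_digest") != constraint.digest():
        return False  # result for some other subject, window or location list
    return hmac.compare_digest(_tag(constraint, bool(proof.get("result"))), proof.get("tag", ""))


def access_decision(service_request: dict, auth_query_id: str, prover=prove,
                    max_attempts: int = 2) -> str:
    """Business module, steps S400 to S600: obtain, verify, re-obtain at most max_attempts times, decide."""
    constraint = build_constraint(service_request, auth_query_id)
    for _ in range(max_attempts):
        proof = prover(constraint)
        if verify(constraint, proof):
            wanted_present = service_request["grant_if"] == "present"
            return "grant" if proof["result"] == wanted_present else "deny"
    return "reject: unverifiable result"


def tampering_prover(constraint: Constraint) -> dict:
    """Constructed misbehaving prover: flips the answer without recomputing the tag."""
    proof = prove(constraint)
    proof["result"] = not proof["result"]
    return proof


if __name__ == "__main__":
    print(access_decision(EPIDEMIC_REQUEST, "+86-13800000001"))   # visited Shanghai: deny
    print(access_decision(OFFICE_REQUEST, "emp-1042"))            # at an office access point: grant
    print(access_decision(OFFICE_REQUEST, "emp-1042", prover=tampering_prover))
```

The bounded loop in `access_decision` is the "re-obtain and verify again" path the text describes; capping it keeps a faulty or hostile prover from holding the request open indefinitely, and a result that never verifies is reported as unverifiable rather than as a denial, so the business module can distinguish a negative answer from a broken proof. The two request dictionaries show the opposite decision semantics of the two scenarios: the itinerary check grants when the subject was absent from the listed cities, the office check grants when the employee was present at a listed access point.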
  • location data is stored using homomorphic encryption.
  • the location data of the service requesting device obtained from the data source module according to the constraints is stored using homomorphic encryption to better protect the location data.
  • the location data may be stored in plain text or in cipher text, which is not limited in the embodiment of the present application.
  • the fifth embodiment of the present application also provides an access control device, which includes: a memory, a processor, and a computer program stored in the memory and executable on the processor.
  • the processor and memory may be connected via a bus or other means.
  • memory can be used to store non-transitory software programs and non-transitory computer executable programs.
  • the memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device.
  • the memory may optionally include memory located remotely from the processor, and the remote memory may be connected to the processor via a network. Examples of the above-mentioned networks include but are not limited to the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
  • the non-transitory software programs and instructions required to implement the access control method of the above-mentioned embodiment of the second aspect are stored in the memory; when executed by the processor, the access control method of the above-mentioned embodiment is executed, that is, the method steps in the above-described figure are executed.
  • the non-transitory software programs and instructions required to implement the access control method of the above-mentioned embodiment of the third aspect are stored in the memory; when executed by the processor, the access control method of the above-mentioned embodiment is executed, that is, the method steps in the above-described figure are executed.
  • the non-transitory software programs and instructions required to implement the access control method of the above-mentioned embodiment of the fourth aspect are stored in the memory; when executed by the processor, the access control method of the above-mentioned embodiment is executed, that is, the method steps in the above-described figure are executed.
  • the device embodiments described above are only illustrative, and the units described as separate components may or may not be physically separate, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • an embodiment of the present application also provides a computer-readable storage medium that stores computer-executable instructions, and the computer-executable instructions, when executed by a processor or controller, for example by a processor in the above-mentioned device embodiment, can cause that processor to execute the access control method in the above embodiment, for example to execute the above-described method steps S100 to S200 in Figure 5, method steps S300 to S600 in Figure 6, method step S410 in Figure 7, method step S510 in Figure 8, method step S520 in Figure 9, method steps S530 to S540 in Figure 10, method steps S550 to S560 in Figure 11, method steps S700 to S900 in Figure 12, and method step S910 in Figure 13.
  • computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disk (DVD) or other optical disk storage, magnetic cassettes, tapes, disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by a computer.
  • communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.

Abstract

An access control system and method, a device and a computer-readable storage medium. The access control system comprises a service request device, a service providing device, and a position providing device. The service request device is used for sending a service request and an authorization query identifier. The service providing device is connected to the service request device and is used for receiving the service request and the authorization query identifier, generating a constraint condition of zero-knowledge proof according to the service request and the authorization query identifier, and outputting the constraint condition. The position providing device is connected to the service providing device and is used for receiving the constraint condition, obtaining a provable result on the basis of the zero-knowledge proof according to the constraint condition, and outputting the provable result to the service providing device. The service providing device is further used for verifying the provable result to obtain a verification result, and determining, according to the verification result, whether a position-based service is provided for the service request device, wherein the provable result does not comprise position data of the service request device.

Description

Access control system, method, device and computer-readable storage medium
Cross-reference to related applications
This application is filed based on the Chinese patent application with application number 202210875971.5 and filing date of July 25, 2022, and claims the priority of that Chinese patent application, the entire content of which is hereby incorporated by reference into this application.
Technical field
Embodiments of the present application relate to, but are not limited to, the technical fields of location services and network security, and in particular to an access control system, method, device and computer-readable storage medium.
Background
In the field of access control based on location information, personal trajectory information is encrypted and stored on a blockchain through a blockchain device; the verifier then requires the data owner to prove his or her personal trajectory, and the data owner obtains the personal location information from the blockchain and computes a provable result on a personal terminal. However, when the data owner presents that result to the verifier from a personal terminal, it is difficult for the verifier to rule out the risk that the data owner has counterfeited or tampered with it.
发明内容Contents of the invention
以下是对本文详细描述的主题的概述。本概述并非是为了限制权利要求的保护范围。The following is an overview of the topics described in detail in this article. This summary is not intended to limit the scope of the claims.
本申请实施例提供了一种访问控制***、方法、设备及计算机可读存储介质。Embodiments of the present application provide an access control system, method, device and computer-readable storage medium.
In a first aspect, an access control system according to an embodiment of the present application includes:
a service requesting device, configured to send a service request and an authorization query identifier;
a service providing device, connected to the service requesting device, configured to receive the service request and the authorization query identifier, generate a constraint condition for a zero-knowledge proof according to the service request and the authorization query identifier, and output the constraint condition; and
a location providing device, connected to the service providing device, configured to receive the constraint condition, obtain a provable result based on a zero-knowledge proof according to the constraint condition, and output the provable result to the service providing device; the service providing device is further configured to perform verification processing on the provable result to obtain a verification result, and to determine, according to the verification result, whether to provide a location-based service to the service requesting device, wherein the provable result does not include location data of the service requesting device.
In a second aspect, an access control method according to an embodiment of the present application is applied to a service requesting device, and the method includes:
sending a service request and an authorization query identifier to a service providing device, so that the service providing device generates a constraint condition for a zero-knowledge proof according to the service request and the authorization query identifier and outputs the constraint condition to a location providing device; and
receiving a location-based service from the service providing device, wherein the location-based service is sent by the service providing device after performing verification processing on a provable result provided by the location providing device, and the provable result is obtained by the location providing device based on a zero-knowledge proof according to the constraint condition, wherein the provable result does not include location data of the service requesting device.
In a third aspect, an access control method according to an embodiment of the present application is applied to a service providing device, and the method includes:
receiving a service request and an authorization query identifier from a service requesting device, and obtaining a constraint condition for a zero-knowledge proof according to the service request and the authorization query identifier;
sending the constraint condition to a location providing device, so that the location providing device obtains a provable result based on a zero-knowledge proof according to the constraint condition, wherein the provable result does not include location data of the service requesting device;
receiving the provable result sent by the location providing device, performing verification processing on the provable result to obtain a verification result, and determining, according to the verification result, whether to provide a location-based service to the service requesting device; and
if the determination result is yes, sending the location-based service.
In a fourth aspect, an access control method according to an embodiment of the present application is applied to a location providing device, and the method includes:
obtaining a constraint condition for a zero-knowledge proof from a service providing device, and obtaining a provable result based on a zero-knowledge proof according to the constraint condition, wherein the provable result does not include location data of the service requesting device; and
outputting the provable result to the service providing device, so that the service providing device performs verification processing on the provable result to generate a verification result, and determines, according to the verification result, whether to provide a location-based service to the service requesting device.
In a fifth aspect, an access control device according to an embodiment of the present application includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the access control method of the second aspect, the access control method of the third aspect, or the access control method of the fourth aspect.
In a sixth aspect, a computer-readable storage medium according to an embodiment of the present application stores computer-executable instructions, which are used to execute the access control method of the second aspect, the access control method of the third aspect, or the access control method of the fourth aspect.
Additional aspects and advantages of the present application will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the present application.
Description of the Drawings
The drawings are provided to give a further understanding of the technical solution of the present application and form part of the specification; together with the embodiments of the present application they serve to explain the technical solution and do not limit it.
Figure 1 is a schematic structural diagram of an access control system provided by an embodiment of the first aspect of the present application;
Figure 2 is a specific schematic structural diagram of an access control system provided by an embodiment of the first aspect of the present application;
Figure 3 is a schematic structural diagram of an access control system based on cellular network user itineraries provided by an embodiment of the first aspect of the present application;
Figure 4 is a schematic structural diagram of a permission evaluation system based on user access location provided by another embodiment of the first aspect of the present application;
Figure 5 is a schematic flowchart of an access control method provided by an embodiment of the second aspect of the present application;
Figure 6 is a schematic flowchart of an access control method provided by an embodiment of the third aspect of the present application;
Figure 7 is a schematic flowchart of obtaining the constraint condition provided by another embodiment of the third aspect of the present application;
Figure 8 is a schematic flowchart of obtaining the verification result provided by another embodiment of the third aspect of the present application;
Figure 9 is a schematic flowchart of the business module processing the verification result provided by another embodiment of the third aspect of the present application;
Figure 10 is a schematic flowchart of performing verification processing on the provable result provided by another embodiment of the third aspect of the present application;
Figure 11 is a schematic flowchart of providing a location-based service to the service requesting device provided by another embodiment of the third aspect of the present application;
Figure 12 is a schematic flowchart of an access control method provided by an embodiment of the fourth aspect of the present application; and
Figure 13 is a schematic flowchart of obtaining the provable result provided by another embodiment of the fourth aspect of the present application.
Detailed Description
To make the purpose, technical solution and advantages of the present application clearer, the present application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present application and are not intended to limit it.
It should be noted that although functional modules are divided in the device schematic diagrams and a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed with a module division different from that in the device, or in an order different from that in the flowchart. The terms "first", "second" and the like in the description, claims and drawings are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
In a conventional location-based access control system, taking signal positioning by the radio access network of a conventional cellular network as an example, positioning by the identifier of the cell in which the user's mobile terminal is located is the basic positioning function: each cell of a base station has a relatively fixed coverage area and number, and the simplest positioning method is to locate the terminal by the cell it is attached to. The base station measures the positioning signal and receives the measurement results fed back by the terminal, reports this information to the positioning engine, which calculates the terminal's position coordinates from the measurements and sends them to the positioning platform, from which they are finally passed to the various location-based applications. Other access network scenarios, such as satellite-based or indoor positioning, work on a similar principle. Such a conventional location-based access control system over an access network requires the owner of the personal data to send a request to the access network's data platform; the data platform returns the personal location trajectory within a given time and space, and the data owner then presents this plaintext data in exchange for a location-based service.
However, since such a conventional location-based access control system cannot prove computational integrity, the data owner must still trust the access network's data platform unconditionally, while in fact the data platform faces the risks of producing wrong results through unintentional processing errors, of deliberately cheating by tampering with the computation process and results, and of being compromised and controlled by a malicious attacker. Moreover, the data owner must disclose personal location trajectory information to obtain the corresponding location-based service, sacrificing personal data privacy. In addition, the service provider offering the location service can only view the data and cannot verify it, so the data owner may submit an illegitimate proof by forgery or similar means, and the service provider's interests cannot be protected.
In the field of location-based access control, the related technology provides a blockchain-based zero-knowledge proof approach: personal trajectory information is encrypted and stored on a blockchain through a blockchain device; a verifier then requires the data owner to prove its personal trajectory, and the data owner retrieves its personal location information from the blockchain and computes a provable result on its personal terminal. However, when the data owner presents the verification result to the verifier on a personal terminal, the verifier has difficulty checking whether the data owner has impersonated someone or tampered with the result.
In view of the above, embodiments of the present application provide an access control system, method, device and computer-readable storage medium. The access control system includes a service requesting device, a service providing device and a location providing device. The data owner sends a service request and an authorization query identifier to the service providing device through the service requesting device; the service providing device is connected to the service requesting device to receive the service request and the authorization query identifier, generates a constraint condition for a zero-knowledge proof according to the service request and the authorization query identifier, and outputs the constraint condition to the location providing device; the location providing device is connected to the service providing device to receive the constraint condition, queries the location data of the service requesting device according to the constraint condition, performs a zero-knowledge proof over the constraint condition and the location data to obtain a provable result, and outputs the provable result to the service providing device; the service providing device is further configured to perform verification processing on the provable result to obtain a verification result and to provide a location-based service to the service requesting device according to the verification result. Compared with the related technology, in the access control system of the embodiments of the present application the data owner authorizes the service providing device through the service requesting device, and the zero-knowledge proof is performed over the constraint condition and the location data, which avoids the risk of impersonation or tampering by the data owner and effectively protects the interests of the provider of the location-based service; no new trusted device needs to be introduced, the provable result does not include the location data of the service requesting device, and personal privacy data can be protected and the computation made trustworthy in its integrity on the basis of the existing access network, thereby reducing cost.
The embodiments of the present application are further described below with reference to the drawings.
An embodiment of the first aspect of the present application provides an access control system. Referring to Figure 1, which is a schematic structural diagram of an access control system provided by an embodiment of the present application, the access control system includes a service requesting device, a service providing device and a location providing device. The service requesting device is configured to send a service request and an authorization query identifier; the service providing device is connected to the service requesting device and is configured to receive the service request and the authorization query identifier, generate a constraint condition for a zero-knowledge proof according to the service request and the authorization query identifier, and output the constraint condition; the location providing device is connected to the service providing device and is configured to receive the constraint condition, obtain a provable result based on a zero-knowledge proof according to the constraint condition, and output the provable result to the service providing device; the service providing device is further configured to perform verification processing on the provable result to obtain a verification result and to determine, according to the verification result, whether to provide a location-based service to the service requesting device, wherein the provable result does not include location data of the service requesting device.
It should be noted that, in a location-based access control system under existing access network conditions, performing a zero-knowledge proof over the constraint condition and the location data verifies whether the data owner satisfies the requirements of the service provider offering the location service, thereby addressing the trust problem of the computational integrity of an independent data platform; the provable result obtained through the zero-knowledge proof replaces the conventional approach in which personal location information must be disclosed, so personal privacy data is protected; and the data owner sends the service request and the authorization to the service providing device through the service requesting device, so the provable result does not have to be computed with the computing capability of the personal terminal, which prevents the risk of impersonation or tampering by the data owner and effectively protects the interests of the service provider offering the location-based service.
It should be noted that the identifier includes the identification information of the data owner and the location information the data owner needs to have queried. The identification information of the data owner may be a mobile phone number, an employee ID, or any other identification information by which the data owner can be distinguished; the embodiments of the present application do not limit this.
It should be noted that the specific procedure for obtaining the provable result is: the location providing device queries the location data of the service requesting device according to the constraint condition, and performs a zero-knowledge proof over the constraint condition and the location data to obtain the provable result.
In some embodiments, the data owner sends a service request through the service requesting device to the service providing device (that is, the service provider) and grants it authorization, allowing the service providing device to use the data owner's own identity identifier to query the location information the data owner needs queried. According to the service request and authorization sent by the data owner through the service requesting device, the service providing device looks up the data owner's identification information and the location information to be queried, forms a constraint condition for the zero-knowledge proof from that identification information and location information, and sends the constraint condition to the location providing device. The location providing device queries, according to the constraint condition, the location data corresponding to the data owner held in the location providing device, performs a zero-knowledge proof over the constraint condition and the location data to obtain a provable result, and outputs the provable result to the service providing device. The service providing device then performs verification processing on the provable result to obtain a verification result: if the provable result is verified to have been computed by the zero-knowledge proof in accordance with the constraint condition, the provable result is accepted; otherwise the provable result is rejected, or a new provable result is obtained and verified again until a provable result is accepted. If the provable result is accepted, the service providing device provides the location-based service to the data owner; if it is rejected, the service providing device refuses to provide the location-based service to the data owner.
It should be noted that the provable result does not include the data owner's personal location data. The location data is stored using homomorphic encryption; it may be stored in plaintext or in ciphertext, which the embodiments of the present application do not limit.
Referring to Figure 1, it can be understood that the location providing device includes a ZKP prover invocation module and a data source module. The ZKP prover invocation module is connected to the service providing device and to the data source module respectively, and is configured to query the location data of the service requesting device from the data source module according to the constraint condition, perform a zero-knowledge proof over the constraint condition and the location data to obtain a provable result, and output the provable result to the service providing device.
It should be noted that the location providing device includes a data processing device and a data source; the data processing device contains the ZKP prover invocation module, and the data source contains the data source module. The service providing device sends the constraint condition to the data processing device of the location providing device; the data processing device queries the data source module in the data source according to the constraint condition and obtains the location data corresponding to the data owner; the ZKP prover invocation module performs a zero-knowledge proof over the constraint condition and the location data to obtain a provable result, and outputs the provable result to the service providing device.
It should be noted that ZKP is the abbreviation of Zero Knowledge Proof. A zero-knowledge proof means that a prover can convince a verifier that an assertion is correct without providing the verifier with any useful information. A zero-knowledge proof is essentially a protocol among two or more parties, that is, a series of steps the parties must take to complete a task. The prover proves to the verifier, and convinces it, that the prover knows or possesses a certain message, but the proof process must not leak to the verifier any information about the message being proven.
Referring to Figure 1, it can be understood that the service providing device includes a ZKP prover distribution module, a ZKP verifier invocation module and a business module. The business module is connected to the service requesting device, the ZKP prover distribution module and the ZKP verifier invocation module respectively; the ZKP prover distribution module is connected to the input of the ZKP prover invocation module, and the ZKP verifier invocation module is connected to the output of the ZKP prover invocation module. The ZKP prover distribution module is configured to generate the constraint condition for the zero-knowledge proof according to the service request and the authorization query identifier and to output the constraint condition to the location providing device; the ZKP verifier invocation module is configured to receive the provable result, perform verification processing on it to obtain a verification result, and send the verification result to the business module; the business module is configured to determine, according to the verification result, whether to provide a location-based service to the service requesting device.
It should be noted that the ZKP prover distribution module forms the constraint condition for the zero-knowledge proof from the data owner's identification information and the location information to be queried, and outputs the constraint condition to the ZKP prover invocation module, so that the ZKP prover invocation module obtains the location data corresponding to the data owner from the data source module according to the constraint condition, performs a zero-knowledge proof over the constraint condition and the location data to obtain a provable result, and outputs the provable result to the ZKP verifier invocation module. The ZKP verifier invocation module calls the verification function on the provable result to perform verification processing and obtain a verification result: if the provable result is verified to have been computed by the zero-knowledge proof in accordance with the constraint condition, the provable result is accepted; otherwise the provable result is rejected, or a new provable result is obtained and verified again until a provable result is accepted. The ZKP verifier invocation module sends the resulting verification result to the business module, and the business module decides according to the verification result whether to provide a location-based service to the service requesting device: if the provable result is accepted, the business module provides the location-based service to the data owner; if it is rejected, the business module refuses to provide the location-based service to the data owner.
It should be noted that the access control method can be applied to access based on a cellular network user's itinerary, to a permission evaluation system based on the user's access location, and to other embodiments; the two embodiments above are merely preferred embodiments of the technical solution of the present application and do not limit its scope of protection. Any modification, equivalent, substitution or improvement made within the spirit and principles of the present application shall fall within its scope of protection.
As an example, referring to Figure 2, to determine whether a mobile phone user has visited a medium- or high-risk epidemic city in the last 14 days, the specific procedure is as follows. First, the UE user applies to enter a public service venue, for example by scanning a code, and authorizes the public service venue providing the service to query the user's historical locations using the user's own mobile phone number. The public service venue generates a constraint condition for the zero-knowledge proof from the obtained mobile phone number and from the time period and the list of locations the business needs to query, and sends the constraint condition to the operator's data processing platform. The operator's data processing platform performs a zero-knowledge proof based on the received constraint condition and the user's historical location trajectory stored by the operator's own cellular network platform, and returns the provable result to the public service venue; the provable result does not include the UE user's personal location data but only a yes-or-no result on whether the user has visited a medium- or high-risk epidemic city in the last 14 days, that is, the verifiable information does not include the UE user's personal location data. The public service venue performs verification processing on the provable result: if the provable result is verified to have been computed strictly in accordance with the constraint condition, it is accepted; otherwise the data processing platform is required to recompute it, or the provable result is regarded as false. Finally, the public service venue decides according to the verification result whether to provide the location-based service to the UE user.
As an example, referring to Figure 3, in a security authorization scenario an employee logs in to an office system, and the risk must be assessed and a different level of permission granted according to the employee's location (for example at home or on the company premises). The specific procedure is as follows. First, the user who needs network access requests the access service and authorizes the access system to use the user's own user ID; the access system may not be owned by the network provider, for example it may be a general-purpose security service provided by an independent third-party security vendor as a cloud platform, so the employee's specific location information must not be exposed to it. The access control system generates a constraint condition for the zero-knowledge proof from the user ID (for example the employee ID), the time period (for example the current access time) and the location list (for example the locations of all of the company's office campuses), and sends the constraint condition to the data processing platform of the network provider (for example the company's IT system), that is, the ZKP prover invocation module. The network provider's data processing platform, that is, the ZKP prover invocation module, performs a zero-knowledge proof based on the received constraint condition and the user's network access point information (such as the IP address) stored on the network provider's own platform to obtain a provable result, and returns the provable result to the access system; the provable result does not contain the employee's specific access location, that is, the verifiable information does not include the employee's specific access location. The access system performs verification processing on the provable result: if it is verified to have been computed strictly in accordance with the constraint condition, it is accepted; otherwise the data processing platform is required to recompute it, or the provable result is regarded as false. Finally, the access system evaluates the risk level of the accessing user according to the verification result and decides to grant the accessing user the corresponding level of permission.
Note that UE is the abbreviation of User Equipment; IT is the abbreviation of Information Technology; and ID is the abbreviation of Identity Document, meaning an identity number.
In a second aspect, embodiments of the present application further provide an access control method applied to a service requesting device. Referring to Figures 1 and 5, the method includes, but is not limited to, the following steps:
Step S100: send a service request and an authorization query identifier to the service providing device, so that the service providing device generates a zero-knowledge proof constraint from the service request and the authorization query identifier and outputs the constraint to the location providing device;
Step S200: receive a location-based service from the service providing device, where the location-based service is sent by the service providing device after it has verified the provable result provided by the location providing device, and the provable result is obtained by the location providing device through a zero-knowledge proof according to the constraint. The provable result does not include the location data of the service requesting device.
Note that the access control method provided by the embodiment of the second aspect is specifically applied to the service requesting device of an access control system; the access control system further includes a service providing device and a location providing device, and the service providing device is connected to the service requesting device and to the location providing device respectively.
In some embodiments, the location providing device includes a ZKP prover calling module and a data source module, the ZKP prover calling module being connected to the service providing device and to the output of the data source module respectively; the service providing device includes a ZKP prover distribution module, a ZKP verifier calling module and a business module, where the business module is connected to the service requesting device, to the input of the ZKP prover distribution module and to the output of the ZKP verifier calling module respectively, the output of the ZKP prover distribution module is connected to the input of the ZKP prover calling module, and the input of the ZKP verifier calling module is connected to the output of the ZKP prover calling module.
Note that, referring to Figure 2, the data owner sends a service request to the service providing device through the service requesting device and grants authorization, so that the ZKP prover distribution module forms the zero-knowledge proof constraint from the data owner's identification information and the location information to be queried and outputs the constraint to the ZKP prover calling module; the ZKP prover calling module then performs the zero-knowledge proof on the constraint and the location data to obtain the provable result and outputs the provable result to the ZKP verifier calling module; the ZKP verifier calling module invokes the verification function on the provable result to verify it and obtain the verification result, and sends the verification result to the business module; and the business module decides from the verification result whether to provide the location-based service to the service requesting device, specifically: if the provable result is accepted, the business module provides the location-based service to the data owner, and if the provable result is not accepted, the business module refuses to provide the location-based service to the data owner.
Note that, because the data owner sends the service request to the service providing device through the service requesting device and grants authorization, the provable result does not have to be computed with the computing power of the personal terminal device, which prevents the risk that the data owner could forge or tamper with it and effectively protects the rights and interests of the service provider offering the location-based service. Compared with related technologies, in the access control method of the embodiments of the present application the data owner authorizes the service providing device through the service requesting device and the zero-knowledge proof is performed on the constraint and the location data, which avoids the risk of forgery or tampering by the data owner and effectively protects the rights and interests of the service provider offering the location-based service; nor is it necessary to introduce a new trusted device, since personal privacy data can be protected and the credibility of the computation's integrity guaranteed on the basis of the existing access network, thereby reducing costs.
In a third aspect, embodiments of the present application further provide an access control method applied to the service providing device of an access control system. Referring to Figures 1 and 6, the access control system further includes a service requesting device and a location providing device, and the service providing device is connected to the service requesting device and to the location providing device respectively.
The access control method includes, but is not limited to, the following steps:
Step S300: receive the service request and the authorization query identifier from the service requesting device, and obtain the zero-knowledge proof constraint from the service request and the authorization query identifier;
Step S400: send the constraint to the location providing device, so that the location providing device obtains the provable result through a zero-knowledge proof according to the constraint, where the provable result does not include the location data of the service requesting device;
Step S500: receive the provable result sent by the location providing device, verify the provable result to obtain a verification result, and determine from the verification result whether to provide the location-based service to the service requesting device;
Step S600: if the determination is yes, send the location-based service.
Note that the access control method provided by the embodiment of the third aspect is specifically applied to the service providing device of an access control system; the access control system further includes a service requesting device and a location providing device, and the service providing device is connected to the service requesting device and to the location providing device respectively.
Note that the location providing device includes a data processing device and a data source; the data processing device is provided with the ZKP prover calling module, the data source is provided with the data source module, and the ZKP prover calling module is connected to the service providing device and to the data source module respectively. The service providing device sends the constraint to the data processing device in the location providing device; the data processing device queries the data source module in the data source according to the constraint and obtains the location data corresponding to the data owner; and the ZKP prover calling module performs the zero-knowledge proof on the constraint and the location data to obtain the provable result and outputs the provable result to the service providing device.
Note that, compared with related technologies, in the access control method of the embodiments of the present application the data owner authorizes the service providing device through the service requesting device and the zero-knowledge proof is performed on the constraint and the location data, which avoids the risk of forgery or tampering by the data owner and effectively protects the rights and interests of the service provider offering the location-based service; nor is it necessary to introduce a new trusted device, since personal privacy data can be protected and the credibility of the computation's integrity guaranteed on the basis of the existing access network, thereby reducing costs.
Note that, referring to Figure 2, the data owner sends a service request to the service providing device through the service requesting device and grants authorization, so that the service providing device forms the zero-knowledge proof constraint from the data owner's identification information and the location information to be queried and outputs the constraint to the ZKP prover calling module; the ZKP prover calling module performs the zero-knowledge proof on the constraint and the location data to obtain the provable result and returns the provable result to the service providing device; the service providing device invokes the verification function on the provable result to verify it and obtain the verification result, and decides from the verification result whether to provide the location-based service to the service requesting device, specifically: if the provable result is accepted, the business module provides the location-based service to the data owner, and if the provable result is not accepted, the business module refuses to provide the location-based service to the data owner.
For example, if the access control method is applied to identify whether a mobile phone user has been to a medium- or high-risk epidemic city in the last 14 days, the provable result is either that the user has been to a medium- or high-risk epidemic city or that the user has not.
Referring to Figures 2 and 7, it can be understood that the service providing device includes a ZKP prover distribution module, a ZKP verifier calling module and a business module, where the business module is connected to the service requesting device, the ZKP prover distribution module and the ZKP verifier calling module respectively, the ZKP prover distribution module is connected to the input of the ZKP prover calling module, and the ZKP prover calling module is connected to the output of the ZKP verifier calling module; obtaining the zero-knowledge proof constraint from the service request and the authorization query identifier in step S300, and sending the constraint to the location providing device in step S400, include, but are not limited to, the following step:
Step S410: send the service request and the authorization query identifier to the ZKP prover distribution module, so that the ZKP prover distribution module generates the zero-knowledge proof constraint from the service request and the authorization query identifier and sends the constraint to the location providing device.
In some embodiments, the ZKP prover distribution module forms the zero-knowledge proof constraint from the data owner's identification information and the location information to be queried and outputs the constraint to the ZKP prover calling module, so that the ZKP prover calling module performs the zero-knowledge proof on the constraint and the location data to obtain the provable result and outputs the provable result to the ZKP verifier calling module.
Referring to Figures 2 and 8, it can be understood that verifying the provable result to obtain the verification result in step S500 includes, but is not limited to, the following step:
Step S510: send the provable result to the ZKP verifier calling module, so that the ZKP verifier calling module verifies the provable result and obtains the verification result.
Note that the provable result is output to the ZKP verifier calling module. The ZKP verifier calling module invokes the verification function on the provable result to verify it and obtain the verification result, and sends the verification result to the business module; the business module decides from the verification result whether to provide the location-based service to the service requesting device, specifically: if the provable result is accepted, the business module provides the location-based service to the data owner, and if the provable result is not accepted, the business module refuses to provide the location-based service to the data owner.
Referring to Figure 9, it can be understood that determining from the verification result whether to provide the location-based service to the service requesting device in step S500 includes, but is not limited to, the following step:
Step S520: send the verification result to the business module, so that the business module determines from the verification result whether to provide the location-based service to the service requesting device.
Note that the verification result is as follows: if the provable result is verified to have been computed by the zero-knowledge proof according to the constraint, the provable result is accepted; otherwise the provable result is not accepted, or the provable result is obtained again and verified again until a provable result is accepted. If the provable result is accepted, the business module provides the location-based service to the data owner; if the provable result is not accepted, the business module refuses to provide the location-based service to the data owner.
Referring to Figure 10, it can be understood that verifying the provable result to obtain the verification result in step S500 includes, but is not limited to, the following steps:
Step S530: verify the provable result, and if the provable result was obtained by the zero-knowledge proof under the constraint, determine that the verification result is acceptance of the provable result;
Step S540: if the provable result was not obtained by the zero-knowledge proof under the constraint, determine that the verification result is rejection of the provable result.
Note that the ZKP verifier calling module invokes the verification function on the provable result to verify it and thus obtain the verification result; if the provable result was not obtained by the zero-knowledge proof under the constraint, the verification result is determined to be rejection of the provable result, or the provable result is obtained again and verified again until the verification result is determined to be acceptance of the provable result.
Referring to Figure 11, it can be understood that determining from the verification result whether to provide the location-based service to the service requesting device in step S500 includes, but is not limited to, the following steps:
Step S550: if the verification result is acceptance of the provable result, provide the location-based service to the service requesting device;
Step S560: if the verification result is rejection of the provable result, refuse to provide the location-based service to the service requesting device.
Note that the business module decides whether to provide the location-based service to the data owner according to the verification result obtained by the ZKP verifier calling module.
In some embodiments, the data owner sends a service request through the service requesting device to the service providing device, that is, the service provider, and authorizes the service providing device to use the data owner's own identity identifier to query the location information that the data owner needs queried, which includes spatial location information and time information. The service providing device, according to the service request and authorization sent by the data owner, looks up the data owner's identification information and the location information to be queried, forms the zero-knowledge proof constraint from that identification information and location information, and sends the constraint through the ZKP prover distribution module to the ZKP prover calling module in the location providing device. The ZKP prover calling module queries the data source module in the data source according to the constraint to obtain the location data corresponding to the data owner, performs the zero-knowledge proof on the constraint and the location data to obtain the provable result, and outputs the provable result to the ZKP verifier calling module. The ZKP verifier calling module then verifies the provable result and obtains the verification result: if the verification result is acceptance of the provable result, the business module provides the location-based service to the data owner; if the verification result is rejection of the provable result, the business module refuses to provide the location-based service to the data owner.
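The patent names no particular proof system. As an added example (not the patent's or the applicant's own code), here is the flow above instantiated in Python for the Figure 3 office scenario: the location providing device commits to the employee's access-point cell and produces a Fiat-Shamir OR-proof that the committed cell is one of the cells in the constraint's location list, and the service providing device verifies it and grants or refuses. The group size, cell ids, user id and time window are constructed toy values, and only the membership case is covered; a negative result (the "has not been to a high-risk city" case) would need a different proof.

```python
"""Added example (not the patent's own code): Pedersen commitment + Fiat-Shamir
OR-proof instantiating the patent's 'provable result' for the Fig. 3 scenario."""
import hashlib
import random
import secrets
from typing import NamedTuple

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for generating a demo group parameter."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

class Group:
    """Order-q subgroup of Z_p^* with p = 2q + 1.  128 bits is a TOY size so the
    example runs instantly; deploy with >= 2048-bit groups or an elliptic curve."""

    def __init__(self, bits: int = 128):
        while True:  # search for a safe prime p = 2q + 1
            q = random.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
            if is_probable_prime(q) and is_probable_prime(2 * q + 1):
                break
        self.p, self.q, self.g = 2 * q + 1, q, 4  # 4 is a square, so it has order q
        # second base h with unknown log_g(h): hash a constant to a square
        seed = int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big")
        self.h = pow(seed % self.p, 2, self.p)

class Constraint(NamedTuple):
    """Zero-knowledge constraint built by the service provider (step S300)."""
    user_id: str
    time_window: str
    location_list: tuple  # permitted cells; the proof says only "one of these"

def challenge(G: Group, cons: Constraint, C: int, a: list) -> int:
    """Fiat-Shamir challenge bound to the constraint: no replay across users, windows or lists."""
    m = repr((cons, G.p, C, a)).encode()
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % G.q

def branch_base(G: Group, C: int, cell: int) -> int:
    """Y = C * g^-cell, equal to h^r exactly when cell is the committed one."""
    return C * pow(G.g, G.q - cell % G.q, G.p) % G.p

def prove_membership(G: Group, cons: Constraint, cell: int) -> tuple:
    """Location provider (ZKP prover calling module, step S710).  `cell` is its
    own stored record for the user and window; the result carries no field for it."""
    L = cons.location_list
    j = L.index(cell)  # ValueError when no membership proof is possible
    r = secrets.randbelow(G.q)
    C = pow(G.g, cell % G.q, G.p) * pow(G.h, r, G.p) % G.p  # Pedersen commitment
    a, c, z = [0] * len(L), [0] * len(L), [0] * len(L)
    w = secrets.randbelow(G.q)
    for i, l in enumerate(L):
        if i == j:
            a[i] = pow(G.h, w, G.p)  # honest Schnorr commitment for the true cell
        else:  # simulate every other branch with a chosen (c_i, z_i)
            c[i], z[i] = secrets.randbelow(G.q), secrets.randbelow(G.q)
            Yi = branch_base(G, C, l)
            a[i] = pow(G.h, z[i], G.p) * pow(Yi, G.q - c[i], G.p) % G.p
    c[j] = (challenge(G, cons, C, a) - sum(c)) % G.q  # pins the real branch
    z[j] = (w + c[j] * r) % G.q
    return C, a, c, z  # the 'provable result': commitment plus proof only

def verify_membership(G: Group, cons: Constraint, result: tuple) -> bool:
    """Service provider (ZKP verifier calling module, steps S530/S540)."""
    C, a, c, z = result
    L = cons.location_list
    if not (1 < C < G.p and pow(C, G.q, G.p) == 1):
        return False  # commitment outside the prime-order subgroup
    if not len(a) == len(c) == len(z) == len(L):
        return False
    if sum(c) % G.q != challenge(G, cons, C, a):
        return False
    return all(pow(G.h, z[i], G.p) == a[i] * pow(branch_base(G, C, l), c[i], G.p) % G.p
               for i, l in enumerate(L))

def decide_access(G: Group, cons: Constraint, fetch, attempts: int = 2) -> str:
    """Business module (steps S540-S560): grant only on a verified result, asking
    the location provider to recompute once; otherwise refuse the service."""
    for _ in range(attempts):
        try:
            result = fetch(cons)
        except ValueError:
            break  # the provider cannot produce a membership proof at all
        if verify_membership(G, cons, result):
            return "grant"
    return "deny"
```

`fetch` stands for the message to the location providing device; in the test it is a closure over the provider's constructed records.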
In a fourth aspect, embodiments of the present application further provide an access control method applied to the service providing device of an access control system. Referring to Figures 1 and 12, the access control system further includes a service requesting device and a service providing device, and the service providing device is connected to the service requesting device and to the location providing device respectively.
The access control method includes, but is not limited to, the following steps:
Step S700: obtain the zero-knowledge proof constraint from the service providing device, and obtain the provable result through a zero-knowledge proof according to the constraint, where the provable result does not include the location data of the service requesting device;
Step S800: output the provable result to the service providing device, so that the service providing device verifies the provable result to generate a verification result and determines from the verification result whether to provide the location-based service to the service requesting device.
Note that the access control method provided by the embodiment of the fourth aspect is specifically applied to the location providing device of an access control system; the access control system further includes a service requesting device and a service providing device, and the service providing device is connected to the service requesting device and to the location providing device respectively.
Note that, before step S700, the service requesting device sends a service request and an authorization query identifier to the service providing device, so that the service providing device, according to the service request and the authorization, looks up the data owner's identification information and the location information the data owner wants queried, generates the zero-knowledge proof constraint from that identification information and location information, and then sends the constraint to the location providing device.
For example, the data owner sends a service request through the service requesting device to the service providing device, that is, the service provider, and authorizes the service providing device to use the data owner's own identity identifier to query the location information that the data owner needs queried, which includes spatial location information and time information. The service providing device, according to the service request and authorization sent by the data owner through the service requesting device, looks up the data owner's identification information and the location information to be queried, forms the zero-knowledge proof constraint from that identification information and location information, and sends the constraint to the location providing device. The location providing device queries its own data according to the constraint to obtain the location data corresponding to the data owner, performs the zero-knowledge proof on the constraint and the location data to obtain the provable result, and outputs the provable result to the service providing device. The service providing device then verifies the provable result to obtain the verification result, as follows: if the provable result is verified to have been computed by the zero-knowledge proof according to the constraint, the provable result is accepted; otherwise the provable result is not accepted, or the provable result is obtained again and verified again until a provable result is accepted. If the provable result is accepted, the service providing device provides the location-based service to the data owner; if the provable result is not accepted, the service providing device refuses to provide the location-based service to the data owner.
Referring to Figures 2 and 13, it can be understood that the location providing device includes a ZKP prover calling module and a data source module, the ZKP prover calling module being connected to the service providing device and to the data source module respectively; querying the location data of the service requesting device according to the constraint, and obtaining the provable result through the zero-knowledge proof according to the constraint in step S700, include, but are not limited to, the following step:
Step S710: send the constraint to the ZKP prover calling module, so that the ZKP prover calling module queries the data source module according to the constraint to obtain the location data of the service requesting device, performs the zero-knowledge proof on the constraint and the location data, and obtains the provable result.
Note that the service providing device includes a ZKP prover distribution module, a ZKP verifier calling module and a business module; the business module is connected to the service requesting device, the ZKP prover distribution module and the ZKP verifier calling module respectively, the ZKP prover distribution module is connected to the input of the ZKP prover calling module, and the ZKP verifier calling module is connected to the output of the ZKP prover calling module.
Note that the ZKP prover distribution module forms the zero-knowledge proof constraint from the data owner's identification information and the location information to be queried and outputs the constraint to the ZKP prover calling module, so that the ZKP prover calling module obtains the location data corresponding to the data owner from the data source module according to the constraint, performs the zero-knowledge proof on the constraint and the location data to obtain the provable result, and outputs the provable result to the ZKP verifier calling module. The ZKP verifier calling module invokes the verification function on the provable result to verify it and obtain the verification result, where the verification result is as follows: if the provable result is verified to have been obtained by the zero-knowledge proof under the constraint, the verification result is determined to be acceptance of the provable result; otherwise the verification result is determined to be rejection of the provable result, or the provable result is obtained again and verified again until a provable result is accepted. The ZKP verifier calling module sends the verification result to the business module, and the business module decides from the verification result whether to provide the location-based service to the service requesting device, specifically: if the verification result is acceptance of the provable result, the business module provides the location-based service to the data owner's service requesting device; if the verification result is rejection of the provable result, the business module refuses to provide the location-based service to the service requesting device.
In some embodiments, referring to Figure 2, the access control system is applied to access control based on a cellular network user's travel history, for example whether a mobile phone user has been to a medium- or high-risk epidemic city in the last 14 days. The specific flow is as follows. First, the UE user applies to enter a public service venue, for example by scanning a QR code, and authorizes the public service venue providing the service to use the user's own mobile phone number for a historical location query. The public service venue generates the zero-knowledge proof constraint from the obtained mobile phone number together with the time period and the list of location areas that the business needs to query, and sends the constraint to the operator's data processing platform. The operator's data processing platform performs the zero-knowledge proof using the received constraint and the user's historical location trajectory stored on the operator's own cellular network platform, and returns the provable result to the public service venue; the provable result does not include the UE user's personal location data but contains only a yes-or-no result on whether the user has been to a medium- or high-risk epidemic city in the last 14 days, together with verifiable information that does not include the UE user's personal location data. The public service venue verifies the provable result: if the provable result is verified to have been computed strictly according to the constraint, the provable result is accepted; otherwise the data processing platform is required to recalculate, or the provable result is considered false. Finally, the public service venue decides from the verification result whether to provide the location-based service to the UE user.
In some embodiments, referring to Figure 3, the access control system is applied to a permission evaluation system based on the user's access location; an illustrative case is a security authorization scenario in which an employee logs in to an office system, and risk must be assessed and different permission levels granted according to the employee's location (for example at home or on the company site). The specific flow is as follows. First, a user who needs network access requests the access service and authorizes the access system to use the user's own user ID. The access system may not be owned by the network provider; it may, for example, be a general security service offered by an independent third-party security vendor as a cloud platform, so the employee's specific location information must not be exposed to it. The access control system generates the zero-knowledge proof constraints from the user ID (such as an employee ID), the time period (such as the current access time) and the location list (such as the locations of all the company's office parks), and sends the constraints to the network provider's data processing platform (for example the company IT system), that is, the ZKP prover calling module. The network provider's data processing platform, that is, the ZKP prover calling module, performs the zero-knowledge proof from the received constraints and the user's network access point information (such as the IP address) stored on the network provider's own platform to obtain the provable result, and returns the provable result to the access system; the provable result does not contain the employee's specific access location, that is, the verifiable information excludes the employee's specific access location. The access system performs verification processing on the provable result: if the provable result is verified to have been computed strictly according to the constraints, the result is accepted; otherwise the access system requires the data processing platform to recompute it, or treats the provable result as false. Finally, the access system evaluates the risk level of the accessing user according to the verification result and accordingly decides which level of permission to grant the accessing user.
It can be understood that the location data is stored using homomorphic encryption.
It should be noted that the location data of the service requesting device, queried from the data source module according to the constraints, is stored using homomorphic encryption so as to protect the location data better. The location data may be stored in plaintext or in ciphertext; the embodiments of the present application do not limit this.
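The embodiment does not say which homomorphic scheme the data source would use. As an added illustration, not the application's code, the following Python toy uses Paillier, an additively homomorphic scheme, to show what storing the location data encrypted buys: the data source keeps only ciphertexts of per-day "was in a listed location" bits, the aggregation the prover needs (how many such days) is carried out on ciphertexts, and only the key holder learns the total, so a reader of the store sees neither the individual days nor the count. The primes, the 14-day sample and the key handling are constructed for the demonstration and are not secure parameters.

```python
"""Additively homomorphic storage of location indicators (constructed example).

Toy Paillier instance: per-day 0/1 indicators are stored encrypted and summed
without being decrypted. Parameters are deliberately tiny and NOT secure.
"""
import math
import secrets

# Constructed toy primes (both prime, product about 1e8). Real use: 2048-bit+ modulus.
P, Q = 10007, 10009


def keygen(p=P, q=Q):
    """Paillier keys with the common g = n + 1 simplification."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)       # L(g^lam mod n^2)^-1 == lam^-1 mod n when g = n+1
    return {"n": n, "n2": n * n, "g": n + 1}, {"lam": lam, "mu": mu}


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, n2 = pub["n"], pub["n2"]
    if not 0 <= m < n:
        raise ValueError("message out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(pub["g"], m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, with L(x) = (x - 1) / n."""
    n = pub["n"]
    x = pow(c, priv["lam"], pub["n2"])
    return ((x - 1) // n * priv["mu"]) % n


def add(pub, c1, c2):
    """Product of ciphertexts is an encryption of the sum of plaintexts."""
    return (c1 * c2) % pub["n2"]


def store_indicators(pub, daily_in_listed_location):
    """Data source: keep only ciphertexts of the per-day 0/1 indicators."""
    return [encrypt(pub, int(bool(b))) for b in daily_in_listed_location]


def encrypted_day_count(pub, ciphertexts):
    """Prover-side aggregation over ciphertext: no individual bit is decrypted."""
    acc = encrypt(pub, 0)
    for c in ciphertexts:
        acc = add(pub, acc, c)
    return acc


def matched_days(pub, priv, ciphertexts):
    """Key holder learns only the total, e.g. to answer 'count > 0'."""
    return decrypt(pub, priv, encrypted_day_count(pub, ciphertexts))


# Constructed 14-day history: 1 = the user was in a listed location that day.
SAMPLE_DAYS = [0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    pub, priv = keygen()
    cts = store_indicators(pub, SAMPLE_DAYS)
    print(matched_days(pub, priv, cts))        # 2
    print(matched_days(pub, priv, cts) > 0)    # True
```

Because Paillier encryption is randomised, two encryptions of the same bit differ, so the stored ciphertexts do not reveal which days match even to someone who can compare rows; only the private key turns the aggregate back into a count.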
In addition, an embodiment of the fifth aspect of the present application further provides an access control device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor.
The processor and the memory may be connected via a bus or by other means.
As a non-transitory computer-readable storage medium, the memory may be used to store non-transitory software programs and non-transitory computer-executable programs. The memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device or other non-transitory solid-state storage device. In some embodiments, the memory may optionally include memory located remotely from the processor, and such remote memory may be connected to the processor over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The non-transitory software programs and instructions required to implement the access control method of the embodiment of the second aspect above are stored in the memory and, when executed by the processor, carry out the access control system of the above embodiment, for example method steps S100 to S200 in Figure 5 described above.
The non-transitory software programs and instructions required to implement the access control method of the embodiment of the third aspect above are stored in the memory and, when executed by the processor, carry out the access control method of the above embodiment, for example method steps S300 to S600 in Figure 6, step S410 in Figure 7, step S510 in Figure 8, step S520 in Figure 9, steps S530 to S540 in Figure 10 and steps S550 to S560 in Figure 11 described above.
The non-transitory software programs and instructions required to implement the access control method of the embodiment of the fourth aspect above are stored in the memory and, when executed by the processor, carry out the access control method of the above embodiment, for example method steps S700 to S900 in Figure 12 and step S910 in Figure 13 described above.
The device embodiments described above are merely illustrative; units described as separate components may or may not be physically separate, that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, an embodiment of the present application further provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor or controller, for example by a processor in the device embodiment described above, cause that processor to perform the access control method of the above embodiments, for example method steps S100 to S200 in Figure 5, steps S300 to S600 in Figure 6, step S410 in Figure 7, step S510 in Figure 8, step S520 in Figure 9, steps S530 to S540 in Figure 10, steps S550 to S560 in Figure 11, steps S700 to S900 in Figure 12 and step S910 in Figure 13 described above.
A person of ordinary skill in the art will understand that all or some of the steps and systems of the methods disclosed above may be implemented as software, firmware, hardware or suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor such as a central processing unit, digital signal processor or microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery medium.
The above is a detailed description of preferred implementations of the present application, but the present application is not limited to the above embodiments. Those skilled in the art may make various equivalent modifications or substitutions without departing from the spirit of the present application, and such equivalent modifications or substitutions fall within the scope defined by the claims of the present application.

Claims (15)

  1. An access control system, comprising:
    a service requesting device, configured to send a service request and an authorization query identifier;
    a service providing device, connected to the service requesting device and configured to receive the service request and the authorization query identifier, generate zero-knowledge proof constraints according to the service request and the authorization query identifier, and output the constraints; and
    a location providing device, connected to the service providing device and configured to receive the constraints, obtain a provable result based on a zero-knowledge proof according to the constraints, and output the provable result to the service providing device; wherein the service providing device is further configured to perform verification processing on the provable result to obtain a verification result and to determine, according to the verification result, whether to provide a location-based service to the service requesting device, and wherein the provable result does not include location data of the service requesting device.
  2. The system according to claim 1, wherein the location providing device includes a ZKP prover calling module and a data source module, the ZKP prover calling module being connected to the service providing device and to the data source module respectively, and the ZKP prover calling module is configured to query the location data of the service requesting device from the data source module according to the constraints, perform a zero-knowledge proof on the constraints and the location data to obtain the provable result, and output the provable result to the service providing device.
  3. The system according to claim 1, wherein the service providing device includes a ZKP prover distribution module, a ZKP verifier calling module and a business module; the business module is connected to the service requesting device, the ZKP prover distribution module and the ZKP verifier calling module respectively, the ZKP prover distribution module is connected to the input of the ZKP prover calling module, and the ZKP verifier calling module is connected to the output of the ZKP prover calling module; the ZKP prover distribution module is configured to generate zero-knowledge proof constraints according to the service request and the authorization query identifier and to output the constraints to the location providing device; the ZKP verifier calling module is configured to receive the provable result, perform verification processing on the provable result to obtain a verification result, and send the verification result to the business module; and the business module is configured to determine, according to the verification result, whether to provide a location-based service to the service requesting device.
  4. An access control method, applied to a service requesting device and comprising:
    sending a service request and an authorization query identifier to a service providing device, so that the service providing device generates zero-knowledge proof constraints according to the service request and the authorization query identifier and outputs the constraints to a location providing device; and
    receiving a location-based service from the service providing device, wherein the location-based service is sent by the service providing device after performing verification processing on a provable result provided by the location providing device, the provable result being obtained by the location providing device based on a zero-knowledge proof according to the constraints, and wherein the provable result does not include location data of the service requesting device.
  5. An access control method, applied to a service providing device and comprising:
    receiving a service request and an authorization query identifier of a service requesting device, and obtaining zero-knowledge proof constraints according to the service request and the authorization query identifier;
    sending the constraints to a location providing device, so that the location providing device obtains a provable result based on a zero-knowledge proof according to the constraints, wherein the provable result does not include location data of the service requesting device;
    receiving the provable result sent by the location providing device, performing verification processing on the provable result to obtain a verification result, and determining, according to the verification result, whether to provide a location-based service to the service requesting device; and
    in the case that the determination result is yes, sending the location-based service.
  6. The method according to claim 5, wherein the service providing device includes a ZKP prover distribution module, a ZKP verifier calling module and a business module; the business module is connected to the service requesting device, the ZKP prover distribution module and the ZKP verifier calling module respectively, the ZKP prover distribution module is connected to the input of the ZKP prover calling module, and the ZKP prover calling module is connected to the output of the ZKP verifier calling module; and the obtaining zero-knowledge proof constraints according to the service request and the authorization query identifier and sending the constraints to the location providing device comprises:
    sending the service request and the authorization query identifier to the ZKP prover distribution module, so that the ZKP prover distribution module generates zero-knowledge proof constraints according to the service request and the authorization query identifier and sends the constraints to the location providing device.
  7. The method according to claim 6, wherein the performing verification processing on the provable result to obtain a verification result comprises:
    sending the provable result to the ZKP verifier calling module, so that the ZKP verifier calling module performs verification processing on the provable result to obtain the verification result.
  8. The method according to claim 6, wherein the determining, according to the verification result, whether to provide a location-based service to the service requesting device comprises:
    sending the verification result to the business module, so that the business module determines, according to the verification result, whether to provide a location-based service to the service requesting device.
  9. The method according to claim 5, wherein the performing verification processing on the provable result to obtain a verification result comprises:
    performing verification processing on the provable result and, if the provable result was obtained from a zero-knowledge proof under the constraints, determining the verification result to be acceptance of the provable result; and
    if the provable result was not obtained from a zero-knowledge proof under the constraints, determining the verification result to be refusal of the provable result.
  10. The method according to claim 9, wherein the determining, according to the verification result, whether to provide a location-based service to the service requesting device comprises:
    if the verification result is acceptance of the provable result, providing the location-based service to the service requesting device; and
    if the verification result is refusal of the provable result, refusing to provide the location-based service to the service requesting device.
  11. An access control method, applied to a location providing device and comprising:
    obtaining zero-knowledge proof constraints from a service providing device, and obtaining a provable result based on a zero-knowledge proof according to the constraints, wherein the provable result does not include location data of the service requesting device; and
    outputting the provable result to the service providing device, so that the service providing device performs verification processing on the provable result to generate a verification result and determines, according to the verification result, whether to provide a location-based service to the service requesting device.
  12. The method according to claim 11, wherein the location providing device includes a ZKP prover calling module and a data source module, the ZKP prover calling module being connected to the service providing device and to the data source module respectively; and the obtaining a provable result based on a zero-knowledge proof according to the constraints comprises:
    sending the constraints to the ZKP prover calling module, so that the ZKP prover calling module queries the location data of the service requesting device from the data source module according to the constraints and performs a zero-knowledge proof on the constraints and the location data to obtain the provable result.
  13. The method according to claim 11 or 12, wherein the location data is stored using homomorphic encryption.
  14. An access control device, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein, when the processor executes the computer program, it implements:
    the access control method according to claim 4;
    or
    the access control method according to any one of claims 5 to 10;
    or
    the access control method according to any one of claims 11 to 13.
  15. A computer-readable storage medium storing computer-executable instructions, wherein the computer-executable instructions are configured to:
    perform the access control method according to claim 4;
    or
    perform the access control method according to any one of claims 5 to 10;
    or
    perform the access control method according to any one of claims 11 to 13.
PCT/CN2023/106989 2022-07-25 2023-07-12 Access control system and method, device and computer-readable storage medium WO2024022110A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210875971.5 2022-07-25
CN202210875971.5A CN117499059A (en) 2022-07-25 2022-07-25 Access control system, method, apparatus, and computer-readable storage medium

Publications (1)

Publication Number Publication Date
WO2024022110A1 true WO2024022110A1 (en) 2024-02-01

Family

ID=89674958

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/106989 WO2024022110A1 (en) 2022-07-25 2023-07-12 Access control system and method, device and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN117499059A (en)
WO (1) WO2024022110A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090030778A1 (en) * 2007-07-23 2009-01-29 Motivepath, Inc. System, method and apparatus for secure multiparty location based services
CN111211908A (en) * 2019-12-25 2020-05-29 深圳供电局有限公司 Access control method, system, computer device and storage medium
US20210218742A1 (en) * 2020-01-15 2021-07-15 IDENTOS Inc. Computer-implemented systems for distributed authorization and federated privacy exchange
CN113515782A (en) * 2021-06-18 2021-10-19 北京工业大学 Personal track proving method based on block chain and zero-knowledge proving

Also Published As

Publication number Publication date
CN117499059A (en) 2024-02-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23845322

Country of ref document: EP

Kind code of ref document: A1