[0001 ] The present application relates generally to blockchain technology, and in particular to secure transmission of blockchain data.

Background Art

|0002] Common methods for the transmission of blockchain data used by existing blockchain implementations often utilize a peer-to-peer (P2P) protocol. At present, most of the P2P networks are based on the user datagram protocol (U DP) or the transmission control protocol (TCP) which along with the internet protocol (I P), form part of the internet protocol suite.

[0003] In a peer-to-peer network environment of blockchain data transmission, computer nodes do not depend on a dedicated centralized server. Each node is able to both request for and also respond to network service requests from other nodes. However, in such an architecture, there are several challenges that must be dealt with such as poor data security, slow response time, unnecessary data redundancy, and lack of predictability.

[0004] It is therefore an object of the present invention to mitigate at least some of the challenges.

Summary of Invention

[0005| In accordance with an aspect of the present invention, there is provided a method for secure transmission of blockchain data from a first node to a second node in a blockchain comprising the steps of: at the first node: a) obtaining an asymmetric encryption private key and public key for the first node; b) obtaining an asymmetric encryption public key for the second node; c) obtaining a symmetric encryption key; d) signing the blockchain data with a digital signature using the private key for the first node; e) encrypting the blockchain data and signature using the symmetric encryption key to form symmetrically encrypted data; and f) encrypting the symmetric key using the public key for the second node to form an encrypted symmetric key; and g) transmitting the symmetrically encrypted data and the encrypted symmetric key to the second node, in a plurality of data streams, using a secure transport layer protocol.

[0006J In accordance with another aspect of the present invention, there is provided a method for secure transmission of blockchain data from a first node to a second node in a blockchain comprising the steps of: at the first node: a) generating the blockchain data; b) receiving an selection of one of a symmetric and asymmetric encryption: c) obtaining an asymmetric encryption private key and public key for the first node; d) obtaining an asymmetric encryption public key for the second node; e) signing the blockchain data with a digital signature using the private key for the first node; f) upon the selection indicating use of asymmetric encryption: i) encrypting the blockchain data and signature using the public key for the second node; g) upon the selection indicating use of symmetric encryption: i) obtaining a symmetric encryption key; ii) encrypting the blockchain data and signature using the symmetric encryption key to form symmetrically encrypted data; and iii) encrypting the symmetric key using the public key for the second node to form an encrypted symmetric key; and h) transmitting the encrypted data to the second node, in a plurality of data streams using a secure transport layer protocol.

[0007] In yet another embodiment of the present invention, there is provided a blockchain system that includes a first node and a second node. The first node comprises a first processor and memory coupled to the first processor storing instructions that when executed by the first processor execute the steps of: a) obtaining an asymmetric encryption private key and public key for the first node; b) obtaining an asymmetric encryption public key for the second node; c) obtaining a symmetric encryption key; d) signing the blockchain data with a digital signature using the private key for the first node; e) encrypting the blockchain data and signature using the symmetric encryption key to form symmetrically encrypted data; and f) encrypting the symmetric key using the public key for the second node to form an encrypted symmetric key; and g) transmitting the symmetrically encrypted data and the encrypted symmetric key to the second node, in a plurality of data streams, using a secure transport layer protocol. The second node comprises: a second processor and second memory coupled to the second processor storing instructions that when executed by the first processor execute the steps of: a) receiving the symmetrically encrypted data and encrypted symmetric key using the secure transport layer protocol; b) obtaining an asymmetric encryption private key for the second node and the public key for the second node; c) obtaining the asymmetric encryption public key for the first node; d) decrypting the encrypted symmetric key using the private key for the second node; e) decrypting the encrypted blockchain data and signature using the symmetric key; and verifying the digital signature using the public key of the first public key for the first node.

Brief Description of Drawings

[0008] In the figures, which illustrate by way of example only, embodiments of the present invention,

[0009] FIG. 1 is a schematic block diagram of illustrating secure transmission of blockchain data between nodes of a blockchain, according to one exemplary embodiment of the present invention;

[0010] FIG. 2 is a schematic block diagram of illustrating another secure transmission of blockchain data between nodes of a blockchain. according to another exemplary embodiment of the present invention; and

[0011] FIG. 3 is a flowchart depicting steps involved in a process executed in a blockchain network, following the completion of building a block, to transfer blockchain data from one node to another, according to an exemplary embodiment of the present invention.

[0012] Specific implementations of embodiments of the present disclosure wi ll be described in detail, with reference to the drawings. The same reference numerals in the drawings will be used identify the same or similar parts or portions. The drawings are not necessarily drawn to scale.

Description of Embodiments [0013] A description of various embodiments of the present invention is provided below.

[0014] In this disclosure, the use of the word "a" or "an" when used herein in conjunction with the term "comprising ^" may mean "one, ^" but it is also consistent with the meaning of "one or more, ^'* "at least one ^" and "one or more than one. ^" Any element expressed in the singular form also encompasses its plural form. Any element expressed in the plural form also encompasses its singular form. The term "plurality" as used herein means more than one. for example, two or more, three or more, four or more, and the like. Directional terms such as "top. ^" "bottom," "upwards," "downwards, ^" "vertically," and "laterally ^" are used for the purpose of providing relative reference only, and are not intended to suggest any limitations on how any article is to be positioned during use, or to be mounted in an assembly or relative to an environment.

[0015] The terms "comprising ^" , "having ^" , "including ^" , and "containing ^" , and grammatical variations thereof, are inclusive or open-ended and do not exclude additional, un-recited elements and/or method steps. The term "consisting essentially of ^" when used herein in connection with a composition, use or method, denotes that additional elements, method steps or both additional elements and method steps may be present, but that these additions do not materially affect the manner in which the recited composition, method, or use functions. The term "consisting of when used herein in connection with a composition, use. or method, excludes the presence of additional elements and/or method steps.

[0016] A "blockchain" is a tamper-evident, shared digital ledger that records transactions in a public or private peer-to-peer network of computing devices. The ledger is maintained as a growing sequential chain of cryptographic hash-linked blocks.

[0017] A "node ^" is a device on a blockchain network.

[0018] In the drawings illustrating embodiments of the present invention, the same or similar reference labels correspond to the same or similar parts. In the description of the invention, it should be noted that the meaning of "a plurality of ^* means two or more unless otherwise specified; The directions or positions of the terms "up ^" , "down ^" , "left ^" , "right ^" , "inside ^" , "outside ^" , "front end ^" , "back end", "head ^" , "tail ^" , the orientation or positional relationship shown in the drawings is merely for the convenience of describing the invention and simplifying the description rather than indicating or implying that the indicated dev ice or element must have a particular orientation and be constructed and operated in a particular orientation, and therefore cannot be used as a l imitation of the invention.

[0019] In addition, the terms "first, ^" "second, ^" "third. ^" and the like are used for descriptive purposes only and cannot be interpreted as indicating or implying relative importance.

[0020] In the description of the invention, it should also be noted that the terms "mounted, ^" "linked, ^" and "connected ^" should be interpreted in a broad sense unless expl icitly defined and limited otherwise. For example, it could be fixed connection, or assembled connection, or integrally connected; either hard-wired or soft-wired; it may be directly connected or ind irectly connected through an intermediary. For technical professionals, the specific mean ings of the above terms in the invention may be understood in context.

[00211 Standards communication functions of a telecommunication or computer network include several layers which are often abstracted into conceptual models such as the popular Open Systems Interconnection (OSI) model . The OS I model a conceptual model that characterizes and standardizes the communication functions of a telecommunication in a hardware implementation independent manner. The OSI layer is comprised of seven layers, which are the physical layer, data link layer, the network layer, the transport layer, the session layer, the presentation layer and the application layer.

[0022] The transport layer in such a layered model refers to methods and protocols that provide host-to-host communication services for appl ications and services such as connection- oriented communication, reliabi lity, flow control, and multiplexing.

[0023J One of the transport layer protocols used for the transport of data in a network is the Stream Control Transmission Protocol (SCTP). SCTP can be used to transport multiple data streams by aggregating the data streams into a single managed bundle. This single managed bundle shares common characteristics, such as a communication path and start and end points. As a result, connection information that would have been transmitted over multiple data streams can be handled and managed as connection information of a single bundle.

[0024] Properties of SCTP make it a good choice for use as a transport protocol for w ide area network (WAN) optimization. An SCTP tunnel can be created between network devices to provide a proxy tunnel for a multiple of TCP sessions. This proxy with the SCTP tunnel is implemented such that multiple TCP sessions can be multiplexed or aggregated into a single (or multiple) managed SCTP association(s).

Embodiment I

[0025] An exemplary first embodiment of the present invention will be described below with reference to FIG. 1.

[0026] In transmitting blockchain data from a first node such as server 101 to a second end point such as client 108. several steps are involved. Specifically at a first node such as server 101 , a software, application, firmware or other process obtains (102) its own RSA private key and RSA public key of the other side e.g. client 108. The node uses its private key to sign the data, and uses public key of other side to encrypt data and signature ( 103). The encrypted data 104 is then sent via a socket 105. A socket address data structure is bound using port binding step 106 and the socket is put in a listening state (step 107) to facilitate the transfer of data to the transport layer.

[0027] At the first node, the transport layer receives (120) and accepts connection request 130 to establish SCTP connection and receives the data from the port, and transmits the received data in multiple streams from end points 122. 124. 126 to end points 132, 134. 136 respectively to the second node. After data transmission is complete then the connection is closed in steps 128. 138. The received data at the second node or client 108. is routed up though its socket layer 112 to provide encrypted data 11 1 to the application layer of the second node. [0028] The second node or client 108, obtains its own RSA private key and the RSA public key of the other side (110) and then decrypts the encrypted data 111 to verify the signature ( 109).

[0029] As depicted in FIG. 1 , a system and method for secure transmission of blockchain data based on the SCTP protocol provided by a representative asymmetric encryption algorithm know as RSA (Rivest-Shamir-Adleman) includes the following steps:

[0030] 1 . The application layer obtains the RSA public-private key pair and signs and encrypts blockchain data;

[0031] 2. The transport layer uses the SCTP protocol to transfer the data packet;

[0032] 3. The application layer obtains RSA public and private key pairs and decrypts the blockchain data and verifies the signature.

[0033] In a preferred embodiment, in step 1 the asymmetric encryption algorithm RSA is used. However, the invention is not limited to the use of RSA. and other asymmetric encryption algorithms such as ECC. SM2 and the like may alternately be used.

[0034] Details of signing and encrypting blockchain data in step 1 , may specifically include the following steps.

[0035] 1 .1 . Adopting the RSA asymmetric encryption; obtaining the transmitting or first node's own private key; signing the blockchain data; obtaining the receiving or second node ^' s RSA public key from a certification authority (CA) or other key management system: and using the RSA public key to encrypt signature string and blockchain data, denoted as P I 1 :

[0036| The details of transmitting blockchain data in step 2 is as follows:

[0037] 2. 1 . SCTP establishes the connection through four (4) handshakes;

[0038] 2.2. SCTP transfers the encrypted blockchain data based on multi-host, multi-flow, datagram fragmentation and other protocol technologies; [0039] 2.3. SCTP smoothly closes this transmission socket;

[0040] 2.4. Repeat 2.1 -2.3 as needed.

[0041] Step 3 of decrypting and verifying the blockchain data specifically includes the following steps:

[0042| 3.1 . RSA asymmetric encryption is adopted; the second node obtains its own private key to decrypt the encrypted blockchain data transmitted via SCTP; the second node obtains the other side ^" s (first node's) RSA public key from CA or other key management systems; and the public key is used for verifying the signature;

Embodiment II

[0043] A second embodiment of the present invention will be further described below w ith reference to FIG. 2.

[0044] As shown in FIG. 2, in a second embodiment of the present invention, the method selects a representative asymmetric encryption algorithm (e.g.. RSA); a symmetric encryption algorithm (e.g.. Advance Encryption Standard or AES); and an SCTP protocol-based secure transmission method for blockchain data.

[0045] In transmitting blockchain data from a first node such as server 201 to a second node or end point such as client 208, several steps are involved. Specifically at a first node such as server 201 , a software, application, firmware or other process obtains (202) obtain its ow n RSA private key, RSA public key of other side, and AES symmetric key . The node uses its private key to sign the data. The node uses the AES key of other side to encrypt blockchain data and signature (203) and uses the RSA public key to encrypt the AES key. The encrypted data 204 is then sent via a socket 205. A socket address data structure is bound using port binding step 206 and the socket is put in a listening state (step 207) to facilitate the transfer of data to the transport layer. [0046] At the first node, the transport layer receives (220) and accepts connection request 230 to establish SCTP connection and receives the data from the port, and transmits the received data in multiple streams from end points 222, 224, 226 to end points 232. 234, 236 respectively to the second node. After data transmission is complete then the connection is closed in steps 228, 238. The received data at the second node or client 208, is routed up though its socket layer 212 to provide encrypted data 211 to the application layer of the second node.

[0047] The second node or client 208, obtains its own RSA private key and RSA public key of the other side (210); decrypts the AES key using its private RSA key, uses the AES key to decrypt the encrypted data 211 and uses RSA public key of the other side to verify the signature (209).

[0048] The method depicted in FIG. 2 includes the following steps:

[0049] 1 . the application layer (at the first node, e.g. server 201 ) obtains the RSA publ ic- private key pair and the AES key and signs and encrypts the blockchain data;

[0050] 2. the transport layer uses the SCTP protocol to transfer the data packet;

[0051 ] 3. the application layer (at the second node) obtains the RSA public and private key pairs and the AES key and decrypts the blockchain data and verifies the signature.

[0052[ ^{m a} preferred embodiment, the asymmetric encryption algorithm is RSA and the symmetric encryption algorithm is AES. Key sizes of 128-bit, 192-bit. and 256-bit are specified in the AES standard. However, other asymmetric encryption algorithms such as ECC (Elliptic- Curve cryptography). SM2 and other symmetric encryption algorithms such as DES (Data Encryption Standard) may be used.

[0053] The details of signing and encrypting the blockchain data in step 1 may include the following steps:

[0054] 1 .1 . Use AES symmetric encryption combined with RSA digital envelope to transmit symmetric key. Obtain its own RSA private key to sign blockchain data; obtain the other side ^' s RSA public key from CA or other key management systems; encrypt the signature string and biockchain data via AES symmetric encryption, (denoted as P I 2); AES symmetric key is encrypted using the other side's RSA public key (denoted as P I 3 );

[0055] The details of transmitting the biockchain data in step 2 is as follows:

[0056] 2.1 . SCTP establishes the connection through four (4) handshakes;

[0057] 2.2. SCTP transfers the encrypted biockchain data based on multi-host, multi-flow, datagram fragmentation and other protocol technologies.

[0058] 2.3. SCTP smoothly closes this transmission socket;

[0059] 2.4. Repeat steps 2.1 -2.3 as needed

[0060] The details for decrypting and verifying the biockchain data in step 3 specifically includes the following steps, corresponding to step 1 :

[0061] 3.1 . AES symmetric encryption is used in conjunction with RSA digital envelope to transmit the AES symmetric key. Obtain its own RSA private key, use it to decrypt the AES symmetric key encrypted by RSA asymmetric algorithm, then, the AES symmetric key is used to decrypt the encrypted biockchain data; Obtain the other side ^' s RSA public key from the CA or other key management systems and use it to verify the signature.

Embodiment III

[0062] FIG. 3 depicts a process 300. exemplary of another embodiment of the present invention. The steps inside the dotted box may be performed at a first transmitting node in a biockchain network, while the steps outside the box may be performed at the receiving node in the biockchain network.

[0063] As depicted, at the first node, biockchain data is created (302) and the process asks if asymmetric or symmetric encryption should be used (304). [0064] If symmetric data encryption is to be used (304) then, the data is symmetrically encrypted using a digital envelop on symmetric key (314) to transmit the encrypted data to the other node using SCTP transfer (308). The first node ^' s private key and second node's public key may be retrieved to create the digital envelop for the symmetric key by asymmetrically encrypting the symmetric key, in addition to symmetrically encrypting the blockchain data and/or signature.

[0065] If asymmetric data encryption is to be used (304) then the first node ^' s private key and other side's (second nod's) public key are retrieved (305). The first node ^' s private key is used to sign blockchain data and the public key of the second node is used to encrypt the data and signature (306). In either case, SCTP transfer (308) is used to send the data to the second node or other side.

[0066] At the second node, the data is decrypted (e.g.. using the second node ^' s asymmetric private key to open the digital envelop and to obtain the symmetric key. and then using symmetric key to decrypt the blockchain data). After decrypting the blockchain data, the process provides blockchain data service (312) to the blockchain.

Embodiment IV

[0067| In another embodiment of the present invention, there is provided a blockchain system that includes a first node and a second node. The first node comprises a first processor and first memory coupled to the first processor storing instructions that when executed by the first processor execute the steps of: a) obtaining an asymmetric encryption private key and public key for the first node; b) obtaining an asymmetric encryption public key for the second node; c) obtaining a symmetric encryption key; d) signing the blockchain data with a digital signature using the private key for the first node; e) encrypting the blockchain data and signature using the symmetric encryption key to form symmetrically encrypted data: and f) encrypting the symmetric key using the public key for the second node to form an encrypted symmetric key; and g) transmitting the symmetrically encrypted data and the encrypted symmetric key to the second node, in a plurality of data streams, using a secure transport layer protocol. The second

- I I - node comprises: a second processor and second memory coupled to the second processor storing instructions that when executed by the first processor execute the steps of: a) receiving the symmetrically encrypted data and encrypted symmetric key using the secure transport layer protocol; b) obtaining an asymmetric encryption private key for the second node and the public key for the second node; c) obtaining the asymmetric encryption public key for the first node; d) decrypting the encrypted symmetric key using the private key for the second node: e) decrypting the encrypted blockchain data and signature using the symmetric key; and f) verifying the digital signature using the public key of the first public key for the first node.

[0068] It should be noted that the two embodiments or implementations described above are merely preferred implementations of exemplary embodiments and are not intended to limit the invention. That is, the descriptions of the above embodiments of the present invention have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications, replacements and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments.

[0069] Having thus described, by way of example only, embodiments of the present invention, it is to be understood that the invention as defined by the appended claims is not to be limited by particular details set forth in the above description of exemplary embodiments as many variations and permutations are possible without departing from the scope of the claims.