A digital authentication method and system based on industrial production data
By using unique fingerprint binding for devices, dynamic consensus, and encryption strategies, combined with blockchain technology, the problems of long processing times and insufficient data privacy in traditional authentication are solved, enabling efficient and secure industrial product authentication that adapts to rapid enterprise iteration.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CVC CERTIFICATION & TESTING CO LTD
- Filing Date
- 2025-08-18
- Publication Date
- 2026-07-14
AI Technical Summary
Traditional industrial product certification relies on physical sample testing and manual review, which is time-consuming and costly, making it difficult to adapt to the rapid iteration of enterprises. Blockchain certification solutions lack binding to physical characteristics of equipment, have static consensus mechanisms, and have simple encryption strategies, resulting in insufficient data privacy protection and failing to meet the certification needs in the industrial internet environment.
By generating a unique device fingerprint and binding it to industrial production data, using the national cryptographic SM3 algorithm to generate hash values, combining a dynamic consensus protocol and Merkle tree structure, and employing the zk-SNARK protocol for verification, off-chain decryption of encryption quality parameters, and quantum-secure signatures, cross-chain verification and quantum-resistant key rotation are achieved.
Significantly shorten certification cycles, reduce costs, enhance data credibility and security, enable traceability throughout the product lifecycle, and adapt to the needs of enterprise digital transformation.
Smart Images

Figure CN120934770B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of industrial internet and product quality certification technology, specifically to a digital certification method and system based on industrial production data. Background Technology
[0002] With the deepening development of the Industrial Internet and digital transformation, the security, credibility, and certification efficiency of industrial production data have become significant challenges for the manufacturing industry. Traditional industrial product certification mainly relies on physical sample testing and manual review processes, which are not only time-consuming and costly but also difficult to adapt to the rapid product development pace of modern enterprises. In the field of industrial data certification, blockchain technology, due to its decentralized, tamper-proof, and traceable characteristics, has become an important technical means to solve the problem of data credibility.
[0003] However, existing technologies still have the following problems and shortcomings:
[0004] 1. Traditional certification service models rely on physical prototype testing and manual review, resulting in long certification testing cycles and high costs, making it difficult to meet the needs of enterprises for rapid updates and iterations of new products;
[0005] 2. Existing blockchain authentication schemes lack full utilization of the physical characteristics of industrial production equipment, and cannot establish a trusted binding relationship between equipment and data;
[0006] 3. Most blockchain authentication systems use a fixed consensus mechanism, which cannot be dynamically adjusted according to the timeliness requirements of raw industrial production data, thus affecting system efficiency;
[0007] 4. The existing data encryption and storage strategies are relatively simple and lack differentiated encryption processing mechanisms for different types of industrial data;
[0008] 5. Insufficient privacy protection for industrial data during the certification process leads to security concerns among enterprises regarding open data, hindering the widespread application of certification.
[0009] 6. The lack of a digital certification model that enables dynamic supervision of data assets based on enterprise digital transformation makes it difficult to meet the certification needs in the industrial internet environment.
[0010] Therefore, there is an urgent need for a digital authentication method that can combine the physical characteristics of equipment, support dynamic consensus mechanisms, provide differentiated encryption strategies, and protect data privacy, so as to improve the efficiency and credibility of industrial product authentication. Summary of the Invention
[0011] To overcome the technical problems of traditional certification service models being unable to keep up with the speed of enterprise new product updates and lacking a digital certification model that enables dynamic supervision of data assets based on enterprise digital transformation, this invention provides a digital certification method and system based on industrial production data.
[0012] To solve the above problems, the present invention is implemented according to the following technical solution:
[0013] In a first aspect, the present invention provides a digital authentication method based on industrial production data, comprising the following steps: S100: acquiring raw industrial production data, and calling an unclonable function interface to generate a unique device fingerprint, binding the unique device fingerprint with the raw industrial production data, and generating a device-data binding hash value using the national cryptographic SM3 algorithm; encrypting the raw industrial production data to form encryption quality parameters, and submitting the device-data binding hash value and the index information associated with the encryption quality parameters to a consortium blockchain; S200: consortium blockchain nodes dynamically select a consensus protocol based on the timeliness of the raw industrial production data, and construct a consensus mechanism for... The system should use a Merkle tree structure and store the root hash value; S300: Verify whether the device-data binding hash value is contained in the Merkle tree corresponding to the specific root hash value using a zero-knowledge proof protocol; S400: During the authentication phase, call the verified device-data binding hash value and the index information associated with the encryption quality parameter to locate and decrypt the encryption quality parameter stored off-chain to obtain the original quality parameter; S500: Based on the original quality parameter, device-data binding hash value, product identification information, and blockchain transaction information, generate a three-dimensional trusted identifier and dynamic authentication description text, and verify the signature using a quantum-safe electronic signature.
[0014] In conjunction with the first aspect, the present invention provides a first specific implementation of the first aspect, wherein the unique device fingerprint is generated using a non-cloning function response-challenge mechanism and includes device physical characteristic parameters; the encryption quality parameters are implemented using the national cryptographic SM4 symmetric encryption algorithm or the national cryptographic SM4 symmetric encryption algorithm; wherein the encryption algorithm selection strategy is to use the national cryptographic SM4 symmetric encryption algorithm for batch data and to use the national cryptographic SM4 symmetric encryption algorithm for single key data.
[0015] In conjunction with the first aspect, the present invention provides a second specific implementation of the first aspect. Specifically, the dynamic selection of the consensus protocol channel is based on the timeliness threshold of the original industrial production data; the Merkle tree structure includes a sharding processing mechanism, which automatically triggers sharding storage when the data volume exceeds a preset threshold.
[0016] In conjunction with the first aspect, the present invention provides a third specific implementation of the first aspect. Specifically, the zero-knowledge proof protocol uses zk-SNARK technology to achieve anonymous verification; the verification request is verified for the validity of the proof through a light node of the consortium blockchain.
[0017] In conjunction with the first aspect, the present invention provides a fourth specific implementation of the first aspect, specifically, the encryption quality parameters stored off-chain are decrypted through a trusted execution environment; the decryption key corresponds to the national cryptographic algorithm key used during encryption.
[0018] In conjunction with the first aspect, the present invention provides a fifth specific implementation of the first aspect. Specifically, the quantum-secure electronic signature is implemented using the SM9 algorithm through a master private key issued by the root CA of the consortium blockchain; the signature data is encoded in ASN.1 format and contains zero-knowledge proofs of the Merkle tree verification path.
[0019] In conjunction with the first aspect, the present invention provides a sixth specific implementation of the first aspect, wherein the zero-knowledge proof is generated based on the verification path information of a specific root hash value extracted from the consortium blockchain, and is used to prove the legitimate inclusion relationship of the device-data binding hash value.
[0020] In conjunction with the first aspect, the present invention provides a seventh specific implementation of the first aspect, specifically, S600: establishing a cross-chain verification channel to verify the equivalence of authentication identifiers between different consortium chains through a relay chain protocol; S700: deploying a key rotation mechanism resistant to quantum computing attacks to periodically update the SM9 master private key and migrate historical data signatures.
[0021] Secondly, this invention also provides a digital authentication system based on industrial production data, comprising: a data acquisition and encryption module, used to acquire raw industrial production data, and call an unclonable function interface to generate a unique device fingerprint, bind the unique device fingerprint to the raw industrial production data, and generate a device-data binding hash value using the national cryptographic SM3 algorithm; encrypting the raw industrial production data to form encryption quality parameters, and submitting the device-data binding hash value and the index information associated with the encryption quality parameters to the consortium blockchain; a dynamic consensus processing module, used by consortium blockchain nodes to dynamically select a consensus protocol based on the timeliness of the raw industrial production data, construct a corresponding Merkle tree structure and store the root hash value; and an anonymous verification module, using... The system verifies whether the device-data binding hash value is contained in the Merkle tree corresponding to a specific root hash value using a zero-knowledge proof protocol; an off-chain data decryption module is used during the authentication phase to call the verified device-data binding hash value and the index information associated with the encryption quality parameters to locate and decrypt the off-chain encryption quality parameters to obtain the original quality parameters; a signature generation module is used to generate a three-dimensional trusted identifier and dynamic authentication description text based on the original quality parameters, device-data binding hash value, product identification information, and blockchain transaction information, and to perform signature verification through a quantum-safe electronic signature; and a blockchain network interface connects the consortium blockchain main chain and sharded storage system, supporting smart contract calls and cross-chain verification.
[0022] Compared with existing technologies, the beneficial effects of this invention are as follows: By constructing a multi-layered integration of data flow and anti-tampering mechanisms, including a data acquisition layer, a data transmission layer, and a data storage layer, secure data acquisition, transmission, and storage are achieved; through the innovative design of trusted identification and data sharing, the trustworthiness and secure sharing of data are ensured; by using blockchain as the trust center, the immutability and traceability of data are achieved; through a data quality assessment model, the quality of product data is comprehensively evaluated; through multi-source data encapsulation and de-identification technology for product certification, sensitive enterprise data is protected; and through a dual-chain collaborative trusted authentication service interaction mechanism, the credibility of authentication is enhanced. Compared with traditional authentication methods, this invention significantly shortens the authentication cycle, reduces authentication costs, enhances data trustworthiness, ensures data security, and achieves traceability throughout the entire product lifecycle, effectively solving the problems existing in traditional authentication service models and adapting to the needs of enterprise digital transformation. Attached Figure Description
[0023] The specific embodiments of the present invention will be further described in detail below with reference to the accompanying drawings, wherein:
[0024] Figure 1 This is a flowchart of a digital authentication method based on industrial production data according to the present invention. Detailed Implementation
[0025] The preferred embodiments of the present invention will be described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described herein are for illustration and explanation only and are not intended to limit the present invention.
[0026] like Figure 1 As shown, this invention provides a digital authentication method and system based on industrial production data.
[0027] Example 1
[0028] like Figure 1 As shown, a digital authentication method based on industrial production data includes the following steps:
[0029] S100: Obtain the original industrial production data, call the non-cloning function interface to generate a unique device fingerprint, bind the unique device fingerprint to the original industrial production data, and use the national cryptographic SM3 algorithm to generate a device-data binding hash value; the unique device fingerprint is generated using the non-cloning function response-challenge mechanism and includes the device's physical characteristic parameters.
[0030] Specifically, in industrial production scenarios, raw industrial production data is collected through various sensors, automated control systems, production management systems, PLM systems, ERP systems, and QMS systems. This data may include time-series data (such as data on equipment operating parameters changing over time), structured data (such as production task information in a database), and unstructured data (such as text descriptions in equipment fault diagnosis reports). To facilitate subsequent processing, this data is collected and integrated using a data acquisition bus or data integration tool to convert data of different formats into a unified format, such as JSON or XML. An unclonable function interface is called, employing a response-challenge mechanism to generate a unique fingerprint for the device. This interface is based on the device's physical characteristic parameters, including but not limited to: the device chip's delay characteristics, resistance distribution, temperature sensitivity, and voltage response characteristics. These parameters are collected by dedicated sensors and digitized to form the foundational data for the device's unique fingerprint. The device's serial number, MAC address, and physical characteristic parameters are combined and processed using an irreversible hash algorithm to generate a fixed-length string as the device's unique fingerprint. This ensures that even if the device's software is cloned, the generated fingerprint will differ due to the different hardware, thus guaranteeing the uniqueness of the device's identity. The generated unique device fingerprint is bound to the original industrial production data. The unique device fingerprint can be used as the key, and the original industrial production data as the value, stored in an associative array. Then, the national cryptographic algorithm SM3 is used to perform a hash operation on this bound data structure. The SM3 algorithm processes the input bound unique device fingerprint and original industrial production data through a series of complex operations, including message expansion and iterative compression, ultimately outputting a fixed-length hash value, i.e., the device-data binding hash value, representing the "digital fingerprint" of the binding relationship between the device and the data.
[0031] In a preferred embodiment, the original industrial production data is encrypted to form encryption quality parameters, and the device-data binding hash value and the index information associated with the encryption quality parameters are submitted to the consortium blockchain; the encryption quality parameters are implemented using the national cryptographic SM4 symmetric encryption algorithm or the national cryptographic SM4 symmetric encryption algorithm; wherein, the encryption algorithm selection strategy is to use the national cryptographic SM4 symmetric encryption algorithm for batch data and the national cryptographic SM4 symmetric encryption algorithm for single key data.
[0032] Specifically, encrypting raw industrial production data is for the purpose of protecting data privacy and security. This can be achieved using symmetric encryption algorithms (such as AES - Advanced Encryption Standard) or asymmetric encryption algorithms (such as the Chinese national cryptographic standard SM2). If using AES symmetric encryption, a symmetric key needs to be generated first. This key can be generated securely, such as by generating a 128-bit or 256-bit key using a random number generator. This key is then used to encrypt the raw industrial production data. The encryption process converts the raw data into ciphertext, making it impossible for unauthorized users to easily recover the original data even if they obtain the ciphertext. The encrypted data can be called encryption quality parameters; it contains all the information of the raw industrial production data, but exists in encrypted form, and only those with the correct decryption key can view its true content. A consortium blockchain is a blockchain network that allows multiple organizations or entities to jointly maintain and manage it. Before submitting the device-data binding hash value and the associated encryption quality parameter index information to the consortium blockchain, a data structure suitable for blockchain storage needs to be constructed. This typically includes the device-data binding hash value itself, as well as index information for the cryptographic quality parameters. This index information can be used to quickly locate and retrieve the corresponding cryptographic quality parameters. The submission process may involve smart contracts on the blockchain. A smart contract is an automatically executed contract term stored as code on the blockchain. By calling the relevant functions within the smart contract and passing this data as parameters, the smart contract processes the data according to preset rules and records it in a new block on the blockchain. Once recorded, this data becomes immutable and traceable, providing a reliable foundation for subsequent data queries, audits, and verifications.
[0033] S200: The consortium blockchain nodes dynamically select the consensus protocol based on the timeliness of the original industrial production data, construct the corresponding Merkle tree structure, and store the root hash value.
[0034] Specifically, consortium blockchain nodes dynamically select consensus protocols based on the timeliness of the raw industrial production data. The timeliness of raw industrial production data can be measured by the data generation time interval. For raw industrial production data with extremely high real-time requirements (such as real-time equipment operating status data, updated every second), its timeliness is relatively high; while for some periodic quality inspection reports (generated once a day), its timeliness is relatively low. Nodes can set a timeliness threshold to distinguish different types of raw industrial production data. Within this threshold range, for high-timeliness raw industrial production data, protocols that can reach consensus in a short time are prioritized, such as the Practical Byzantine Fault Tolerance (PBFT) algorithm, which can complete consensus within a few seconds to tens of seconds, suitable for this scenario; for medium-timeliness raw industrial production data, the Raft algorithm can be used, which is simple and efficient, and can quickly reach consensus in a relatively stable network environment; for low-timeliness raw industrial production data, variants of Proof-of-Work or Proof-of-Stake can be selected. These protocols have relatively long consensus times, but for data with low timeliness requirements, consensus can be achieved while ensuring data security and immutability. Once the consensus protocol is determined, the consortium blockchain nodes begin constructing the Merkle tree structure. Taking a data block containing multiple cryptographic quality parameters and their associated index information as an example: First, a hash operation is performed on each cryptographic quality parameter and its index information, resulting in a series of hash values that serve as leaf nodes. For example, the hash value of cryptographic quality parameter A is hash(A), and the hash value of index information A is hash(index A). Then, these leaf nodes are paired, and the combined hash value is calculated to serve as the parent node. This process continues upwards until a complete Merkle tree is constructed, yielding the root hash value. The constructed Merkle tree structure includes a sharding mechanism, automatically triggering sharding storage when the data volume exceeds a preset threshold. The root hash value is stored in the consortium blockchain ledger as a unique identifier for the entire data block, used for subsequent data verification.
[0035] In a preferred embodiment, the dynamic selection of the consensus protocol channel is based on the timeliness threshold of the original industrial production data; the Merkle tree structure includes a sharding mechanism that automatically triggers sharding storage when the data volume exceeds a preset threshold.
[0036] Specifically, the dynamic selection of consensus protocol channels is based on the timeliness threshold of the original industrial production data. Specifically, the system dynamically selects a suitable consensus protocol according to the timeliness requirements of the original industrial production data. For original industrial production data with high timeliness requirements, the system automatically selects the PBFT (Practical Byzantine Fault Tolerance) consensus protocol; for original industrial production data with medium timeliness requirements (such as routine production parameters and quality inspection data), the timeliness threshold is set to 1 to 10 seconds, and the system selects the Raft consensus protocol; for original industrial production data with low timeliness requirements (such as historical statistical data and periodic report data), the timeliness threshold is set to more than 10 seconds, and the system selects the PoA (Proof-of-Authority) consensus protocol. The PBFT consensus protocol achieves high throughput and low latency in consortium blockchains, making it suitable for processing transactions requiring rapid confirmation. This protocol completes consensus through three phases: pre-preparation, preparation, and confirmation, and can tolerate Byzantine faults of no more than (n-1) / 3 nodes, where n is the total number of nodes. The Raft consensus protocol is based on a leader election mechanism, offering high performance and a simple implementation. This protocol achieves consensus by having a leader node receive client requests and replicate log entries to other nodes. Raft can tolerate no more than (n-1) / 2 node failures. The PoA consensus protocol uses pre-authorized validator nodes to generate blocks, offering high efficiency and controllability. In a consortium blockchain environment, PoA ensures system security through identity authentication and reputation mechanisms, making it suitable for handling data with low timeliness requirements. The Merkle tree structure includes a sharding mechanism, automatically triggering shard storage when the data volume exceeds a preset threshold. In this embodiment, the preset threshold is set to a maximum of 1000 transaction records per Merkle tree node. When the data volume exceeds this threshold, the system automatically divides the data into multiple shards. Each shard constructs an independent Merkle tree, and the root hash values of each shard are connected through the upper-level Merkle trees to form a hierarchical Merkle tree structure. The Merkle tree uses a binary tree structure, with leaf nodes storing the hash value of the data block and non-leaf nodes storing a combined hash of the hash values of their child nodes. The root hash value serves as a unique identifier for the entire dataset and is stored on the blockchain, ensuring data integrity and verifiability.
[0037] S300: Verify whether the device-data binding hash value is contained in the Merkle tree corresponding to the specific root hash value by means of a zero-knowledge proof protocol.
[0038] Specifically, zk-SNARK is a concise, non-interactive system that can prove the truth of a statement without revealing the original data. zk-SNARK is used to prove that something is indeed contained within a specific correspondence without exposing its full structure or other sensitive information. The zk-SNARK proof process consists of three main steps: a setup phase, a proof generation phase, and a verification phase.
[0039] The setup phase generates public parameters and a verification key. The proof generation phase generates a proof based on the public parameters and private inputs (Merkle path information). The verification phase uses the verification key and public inputs (and) to verify the validity of the proof. Proof validity is verified through light nodes in the consortium blockchain. Light nodes only need to download the blockchain information and related proof data, without storing the complete blockchain data, significantly reducing verification costs. Light nodes verify zk-SNARK proofs to confirm whether the device-data binding hash is contained in the specific corresponding Merkle tree. The proof is generated based on extracted specific verification path information and is used to prove the legitimate inclusion relationship of the device-data binding hash. The verification path information includes the hashes of all sibling nodes on the path from the leaf node to the root node. This information allows for recalculation, thereby verifying the integrity and authenticity of the data.
[0040] In a preferred embodiment, the zero-knowledge proof protocol uses zk-SNARK technology to achieve anonymous verification; the verification request is verified for the validity of the proof through a light node of the consortium blockchain.
[0041] Specifically, when using zk-SNARK technology, the first step is to generate common parameters, which will be used to generate and verify zero-knowledge proofs. The generation of these common parameters needs to be secure, typically employing multi-party computation to prevent any single party from gaining exclusive access to sensitive information. For example, a trusted multi-party computation protocol can be used to combine the inputs from multiple participants to generate a set of common parameters, such as points on an elliptic curve or random numbers. Next, a verification circuit is constructed to verify whether the device-data-binding hash value is contained within the Merkle tree corresponding to a specific root hash value. The verification circuit can be viewed as an abstract representation of a computation process, defining how the input data undergoes a series of logical operations to obtain the output result. In this scenario, the input data includes the device-data-binding hash value, the root hash value of the Merkle tree, and the Merkle path, etc. The output is a boolean value indicating whether the device-data-binding hash value is contained within the Merkle tree. When verifying a device-data-binding hash value, a full node uses the aforementioned common parameters and verification circuitry, along with the actual input data (device-data-binding hash value, Merkle path, etc.), to generate a zero-knowledge proof using the zk-SNARK proof generation algorithm. This proof contains a set of cryptographic information that proves the input to the verification circuitry satisfies specific conditions without revealing the specific values of the inputs. In a consortium blockchain network, light nodes are resource-constrained nodes that typically do not store complete blockchain data but rely on full nodes to obtain the necessary information. When a verification request is generated, such as a client or application needing to verify the validity of a device-data-binding hash value, the request is sent to a light node in the consortium blockchain. Upon receiving the request, the light node records relevant information, such as the requested device identifier and data identifier. Based on the verification request, the light node sends a request to the full node, requesting the full node to provide the corresponding zero-knowledge proof. This request includes necessary parameters, such as the device-data-binding hash value and the root hash value of the corresponding Merkle tree, so that the full node can generate the correct proof. After receiving the request from the light node, the full node generates the proof according to the zero-knowledge proof generation process described above and sends it back to the light node. Upon receiving the proof, the light node uses a zk-SNARK verification algorithm, combining the public parameters, the description of the verification circuit, and the proof itself, to verify the validity of the proof. The verification algorithm primarily verifies whether the encrypted information in the proof satisfies the logic of the verification circuit and ensures that this information is consistent with the public parameters and the description of the verification circuit. Specifically, the verification algorithm checks whether certain encrypted values in the proof match the output of the verification circuit, and also verifies whether these encrypted values meet the mathematical requirements of zero-knowledge proofs, such as linearity and randomness.If the verification passes, the light node can confirm that the device-data-binding hash is indeed contained in the specific Merkle tree, and this verification process does not reveal any specific information about the device-data-binding hash or Merkle path, thus achieving anonymous verification.
[0042] S400: During the authentication phase, the verified device-data binding hash value and the index information associated with the encryption quality parameters are invoked to locate and decrypt the encryption quality parameters stored off-chain to obtain the original quality parameters.
[0043] Specifically, during the authentication phase, the verified device-data binding hash value and the index information of the associated encryption quality parameters are invoked. The index information is used to locate the encryption quality parameters stored off-chain. The off-chain encryption quality parameters are decrypted through a trusted execution environment. The trusted execution environment provides a secure execution environment, ensuring that the decryption process is not subject to external interference. The decryption key corresponds to the national cryptographic algorithm key used during encryption. Using the SM4 decryption algorithm, the encryption quality parameters are restored to their original state, which is then used in subsequent authentication processes.
[0044] In a preferred embodiment, the encryption quality parameters stored off-chain are decrypted through a trusted execution environment; the decryption key corresponds to the national cryptographic algorithm key used during encryption.
[0045] A Trusted Execution Environment (TEE) is a secure execution environment provided at the hardware level, isolated from a regular Rich Execution Environment (REE). A TEE ensures that code executed and data processed within it maintains confidentiality and integrity even if the device is compromised by malware. A TEE is used to securely decrypt encryption quality parameters stored off-chain. It provides a secure environment that prevents interference from external malware during the decryption process, while protecting the decryption key from being leaked.
[0046] Specifically, due to the limited storage space and high cost of blockchain, encryption quality parameters are typically stored off-chain (such as the distributed storage system IPFS or traditional databases). This data is associated with records on the blockchain through its hash value or index information. Encryption quality parameters can be stored in IPFS, with their content-addressed hash value recorded on the blockchain as index information. Before storage, the encryption quality parameters are encrypted using the national standard SM4 symmetric encryption algorithm. The encrypted data is stored in ciphertext form in the off-chain storage system, and each encrypted data unit is accompanied by necessary metadata, such as the encryption algorithm identifier, ciphertext length, and generation timestamp, to facilitate subsequent decryption and management. The decryption key is a symmetric key generated by a national standard algorithm (such as SM4) during data encryption. This key is securely stored in the dedicated key storage area of the TEE after generation. The decryption key must strictly correspond to the national standard algorithm key used during encryption. This means that the same key must be used during encryption and decryption to ensure correct data recovery. Key management and distribution must follow strict security policies, such as using a Key Management System (KMS) to centrally manage the generation, distribution, rotation, and destruction of keys. When encryption quality parameters are needed, an authorized application or service initiates a decryption request. This request typically includes index information of the encryption quality parameters (such as an IPFS hash), device identifier, data identifier, and other relevant information. Upon receiving the decryption request, the system first verifies the legitimacy and authorization status of the request. This can be done by checking the requester's digital certificate, access token, or through authorization verification via smart contracts on the blockchain. For example, smart contracts can define which entities have the right to decrypt specific data under what conditions. After successful verification, the system retrieves the corresponding decryption key from the TEE's key storage area. Before retrieving the key, the TEE verifies the integrity and authenticity of the request, ensuring that the key is only used in authorized decryption operations. The TEE can check whether the decryption request has been tampered with through its internal signature verification mechanism. Within the secure environment of the TEE, the obtained decryption key is used to decrypt the encryption quality parameters. The decryption process strictly follows the decryption procedure of the national cryptographic algorithm SM4. Before returning the decrypted data to the requester, the system verifies the integrity and correctness of the data. This is done by calculating the hash value of the decrypted data and comparing it with the hash value recorded during encryption. If the hash values match, it means the data has not been tampered with during decryption and can be used securely. Throughout the decryption process, encryption quality parameters and decryption keys are always handled within the security boundaries of the TEE. Even if the REE portion of the device is compromised by malware, attackers cannot obtain the keys or decrypted data within the TEE, thus ensuring data confidentiality. By using mechanisms such as hash value comparison during encryption and decryption, the system can detect whether data has been tampered with during storage or transmission. If data integrity is compromised, the system will refuse to decrypt or use the data, thereby protecting data integrity.Because the decryption process takes place within the TEE (Transmission Equipment), and the decrypted data is used only within authorized scope, this mechanism effectively restricts the scope of data access and use, enhancing privacy protection. For example, in industrial production scenarios, only authorized quality control personnel or production management systems can decrypt data within the TEE and use specific encryption quality parameters for analysis and decision-making.
[0047] S500: Based on the original quality parameters, device-data binding hash value, product identification information and blockchain transaction information, generate a three-dimensional trusted identifier and dynamic authentication description text, and verify the signature through a quantum-safe electronic signature.
[0048] In a preferred embodiment, the three-dimensional trusted identifier includes spatial coordinate encoding information; the quantum-safe electronic signature is implemented using the SM9 algorithm through a master private key issued by the consortium blockchain root CA; the signature data is encoded in ASN.1 format and includes zero-knowledge proofs of the Merkle tree verification path.
[0049] Specifically, the 3D trusted identifier contains spatial coordinate encoding information. It employs 3D code technology to encode product information into an identifier with three dimensions: X, Y, and Z. The spatial coordinate encoding information includes: the X-axis encodes basic product information (such as product type, production date, batch number, etc.); the Y-axis encodes the digest information of the device-data binding hash value; and the Z-axis encodes blockchain transaction information and verification path. The generation process of the 3D trusted identifier first extracts features from the original quality parameters, then combines them with the device-data binding hash value, product identifier information, and blockchain transaction information, mapping them to a 3D spatial coordinate system through a specific algorithm to form a unique and anti-counterfeiting 3D code. The quantum-secure electronic signature uses the SM9 algorithm and is implemented through a master private key issued by the consortium blockchain root CA. SM9 is an identity-based cryptographic algorithm that enables identity authentication and digital signatures without certificates. The SM9 algorithm uses bilinear pairing operations and has security features resistant to quantum computing attacks. The consortium blockchain root CA acts as a trust anchor, responsible for generating and distributing the SM9 master private key. The master private key is 256 bits long and is distributed to authorized signing devices through a secure channel. The signing process includes: calculating the hash value of the data to be signed, signing the hash value using the SM9 master private key, and generating signature data. The signed data is encoded in ASN.1 format and includes a zero-knowledge proof of the Merkle tree verification path. ASN.1 is a standard data structure description language used to define abstract syntax for data. The ASN.1 encoding of the signed data includes: signature algorithm identifier, signature value, signature timestamp, signer identity information, and a zero-knowledge proof of the Merkle tree verification path.
[0050] S600: Establish a cross-chain verification channel to verify the equivalence of authentication identifiers between different consortium chains through the relay chain protocol.
[0051] Specifically, the cross-chain verification channel is implemented based on hash time-locked contracts and relay chain technology. The relay chain, acting as a bridge between different consortium blockchains, is responsible for forwarding and verifying cross-chain messages. The relay chain protocol adopts the BTC Relay model, using SPV proofs to verify the authenticity of block header information. The source chain generates a transaction containing authentication identifier information and submits it to the relay chain; the relay chain verifies the validity of the source chain's block header and transaction proof; the target chain obtains the verification result through the relay chain and confirms the equivalence of the authentication identifier.
[0052] S700: Deploys a key rotation mechanism resistant to quantum computing attacks, periodically updating the SM9 master private key and migrating historical data signatures.
[0053] Specifically, the quantum-resistant key rotation mechanism is based on post-quantum cryptography algorithms and a time-triggered strategy. Every 90 days, the system automatically triggers an SM9 master-private key update process. The new key is generated using an enhanced entropy source and key derivation function to improve quantum-resistant capabilities. Historical data is re-signed using the new key, generating a signature mapping table. The relationship between the old and new signatures is stored on the blockchain, ensuring that the verifiability of historical data is unaffected by key updates. During the key rotation process, the system maintains parallel operation of both keys to ensure service continuity.
[0054] Implementation 2
[0055] A digital authentication system based on industrial production data includes a data acquisition and encryption module. This module acquires raw industrial production data, calls an unclonable function interface to generate a unique fingerprint for each device, binds the unique fingerprint to the raw industrial production data, and generates a device-data binding hash value using the national cryptographic SM3 algorithm. The module encrypts the raw industrial production data to form encryption quality parameters and submits the device-data binding hash value and the index information associated with the encryption quality parameters to a consortium blockchain.
[0056] In a preferred embodiment, the data acquisition and encryption module includes a data acquisition unit, a device fingerprint generation unit, a data binding unit, and an encryption processing unit. The data acquisition unit collects raw industrial production data through industrial IoT devices, including equipment operating parameters, environmental parameters, and product quality parameters. The device fingerprint generation unit calls a non-clonable function interface to generate a unique fingerprint based on the device's physical characteristics. The non-clonable function interface adopts a standard API design and supports various physical characteristic acquisition methods, including SRAM PUF (Physically Non-Clonable Function) and delayed PUF. The device fingerprint generation process includes: sending a random challenge value to the device; the device generating a response value based on its physical characteristics; and the response value undergoing stability processing and error correction encoding to form the device's unique fingerprint. The data binding unit binds the device's unique fingerprint to the raw industrial production data by concatenating the unique fingerprint with the raw data, and then using the national cryptographic algorithm SM3 to calculate a hash value, generating a device-data binding hash value. The input to the SM3 algorithm is the combination of the device's unique fingerprint and the raw data, and the output is a 256-bit hash value. The encryption processing unit selects an appropriate encryption algorithm based on the data type. For batch data, the national standard SM4 symmetric encryption algorithm with a key length of 128 bits is used; for single key data, the national standard SM2 asymmetric encryption algorithm with a key length of 256 bits is used. The encrypted data forms encryption quality parameters and generates index information, including data identifier, encryption algorithm identifier, timestamp, etc.
[0057] In a preferred embodiment, the dynamic consensus processing module is used for consortium blockchain nodes to dynamically select a consensus protocol based on the timeliness of the original industrial production data, construct a corresponding Merkle tree structure, and store the root hash value.
[0058] Specifically, the dynamic consensus processing module includes a timeliness analysis unit, a consensus protocol selection unit, and a Merkle tree construction unit. The timeliness analysis unit assesses the timeliness requirements of the raw industrial production data based on its type and importance, categorizing the data into three types: high timeliness, medium timeliness, and low timeliness. The consensus protocol selection unit dynamically selects a suitable consensus protocol based on the timeliness analysis results. For high-timeliness raw industrial production data, the PBFT consensus protocol is selected; for medium-timeliness raw industrial production data, the Raft consensus protocol is selected; and for low-timeliness raw industrial production data, the PoA consensus protocol is selected. The switching of consensus protocols is automatically completed through preset trigger conditions, ensuring a balance between system performance and security. The Merkle tree construction unit is responsible for constructing the corresponding Merkle tree structure and calculating the root hash value. The Merkle tree adopts a binary tree structure, with leaf nodes storing the hash values of transaction data and non-leaf nodes storing combined hashes of their child nodes. When the amount of data exceeds the preset threshold (1000 transaction records / node), the sharding mechanism is automatically triggered to divide the data into multiple shards. Each shard builds an independent Merkle tree, and the root hash values of each shard are connected through the upper-level Merkle tree.
[0059] In a preferred embodiment, the anonymous verification module is used to verify, via a zero-knowledge proof protocol, whether the device-data binding hash value is contained in the Merkle tree corresponding to a specific root hash value.
[0060] Specifically, the anonymous verification module includes a proof generation unit, a verification request processing unit, and a result verification unit. The proof generation unit uses zk-SNARK technology to generate zero-knowledge proofs. The zk-SNARK proof generation process includes: a setup phase generating public parameters and a verification key; and a proof generation phase generating the proof based on the public parameters and private inputs (Merkle path information). The proof generation unit first extracts the Merkle tree structure information corresponding to a specific root hash value from the consortium blockchain, and then constructs a verification path from the device-data-binding hash value to the root hash value. The verification path includes the hash values of all sibling nodes along the path from the leaf node to the root node. Based on the verification path information, the proof generation unit uses the zk-SNARK algorithm to generate a proof demonstrating that the device-data-binding hash value is indeed contained in the Merkle tree corresponding to the specific root hash value. The verification request processing unit receives verification requests and processes them through light nodes in the consortium blockchain. Light nodes only need to download the blockchain information and related proof data, without needing to store the complete blockchain data, significantly reducing verification costs. The verification request includes the device-data-binding hash value, the target root hash value, and the zero-knowledge proof. The result verification unit uses a verification key and common inputs (device-data binding hash and root hash) to verify the validity of the zero-knowledge proof. The verification process does not require knowledge of the complete Merkle tree structure or verification path; it only needs to verify whether the proof is valid, thus enabling anonymous verification.
[0061] In a preferred embodiment, the off-chain data decryption module is used during the authentication phase to call the verified device-data binding hash value and the index information associated with the encryption quality parameter to locate and decrypt the off-chain storage encryption quality parameter to obtain the original quality parameter.
[0062] Specifically, the off-chain data decryption module includes a data location unit, a secure decryption unit, and a parameter recovery unit. The data location unit locates the encryption quality parameters stored off-chain based on the device-data binding hash value and the index information of the associated encryption quality parameters. The off-chain storage uses the distributed file system IPFS, precisely locating the data through Content Identifiers (CIDs). The secure decryption unit performs the decryption operation within a Trusted Execution Environment (TEE). The TEE is implemented based on Intel SGX technology, providing hardware-level memory encryption and isolation. The decryption process takes place within an SGX secure enclave to prevent key leakage and tampering of the decryption process. The decryption key corresponds to the national cryptographic algorithm key used during encryption; for SM4 encrypted data, the same 128-bit symmetric key is used for decryption; for SM2 encrypted data, the corresponding private key is used. The parameter recovery unit converts the decrypted data back to the original quality parameter format, restoring the semantic information and structural relationships of the data. The recovery process includes data format conversion, parameter verification, and integrity checks to ensure that the decrypted data is consistent with the original data.
[0063] In a preferred embodiment, the signature generation module is used to generate a three-dimensional trusted identifier and dynamic authentication description text based on the original quality parameters, device-data binding hash value, product identification information and blockchain transaction information, and to verify the signature through a quantum-safe electronic signature.
[0064] Specifically, the signature generation module includes an identifier generation unit, a descriptive text generation unit, and a signature processing unit. The identifier generation unit generates a three-dimensional trusted identifier based on the original quality parameters, device-data binding hash value, product identification information, and blockchain transaction information. The three-dimensional trusted identifier uses 3D code technology to encode information into the X, Y, and Z dimensions. The generation process of the three-dimensional trusted identifier includes feature extraction, information fusion, and spatial encoding. Feature extraction extracts key features from the original quality parameters; information fusion combines the extracted features with the device-data binding hash value, product identification information, and blockchain transaction information; spatial encoding maps the fused information to a three-dimensional spatial coordinate system to form a 3D code. The descriptive text generation unit generates a dynamic authentication description text based on the original quality parameters and blockchain transaction information. The description text includes basic product information, a summary of quality parameters, authentication time, authentication authority, etc., presented in natural language for easy user understanding. The signature processing unit verifies the three-dimensional trusted identifier and the dynamic authentication description text using a quantum-secure electronic signature. The signature uses the SM9 algorithm and is signed using the master private key issued by the consortium blockchain root CA. The signature data is encoded in ASN.1 format and includes the signature algorithm identifier, signature value, signature timestamp, signer identity information, zero-knowledge proof of the Merkle tree verification path, etc.
[0065] In a preferred embodiment, a blockchain network interface is provided, which connects the consortium blockchain main chain and the sharded storage system, and supports smart contract calls and cross-chain verification.
[0066] Specifically, the blockchain network interface includes a main chain interaction unit, a sharded storage interaction unit, a smart contract invocation unit, and a cross-chain verification unit. The main chain interaction unit is responsible for communicating with the consortium blockchain main chain, including functions such as submitting transactions, querying block information, and obtaining consensus status. Main chain interaction uses a standard blockchain RPC interface, supporting both synchronous and asynchronous call modes. The sharded storage interaction unit is responsible for communicating with the sharded storage system, including functions such as data sharded storage, sharded data querying, and sharded state synchronization. The sharded storage system uses Distributed Hash Table (DHT) technology to distribute data across multiple nodes, improving system scalability and availability. The smart contract invocation unit provides smart contract deployment, invocation, and monitoring functions. Smart contracts are developed using the Solidity language and executed through the WebAssembly virtual machine. Smart contract invocation supports batch transaction processing and parallel execution, improving transaction processing efficiency. The cross-chain verification unit enables interoperability between different consortium blockchains, supporting cross-chain asset transfer and information verification. Cross-chain verification is based on hash time-locked contracts and relay chain technology, using SPV proofs to verify the validity of cross-chain transactions. The cross-chain verification unit also supports interoperability between heterogeneous blockchains, such as interoperability with public chains, consortium chains, and private chains.
[0067] The above description is merely a preferred embodiment of the present invention and is not intended to limit the present invention in any way. Therefore, any modifications, equivalent changes, and alterations made to the above embodiments based on the technical essence of the present invention without departing from the scope of the present invention shall still fall within the scope of the present invention.
Claims
1. A digital authentication method based on industrial production data, characterized in that, Includes the following steps: S100: Obtain the original industrial production data, call the non-clonable function interface to generate a unique fingerprint for the device, bind the unique fingerprint for the device to the original industrial production data, and use the national cryptographic SM3 algorithm to generate a device-data binding hash value; encrypt the original industrial production data to form encryption quality parameters, and submit the device-data binding hash value and the index information associated with the encryption quality parameters to the consortium blockchain; S200: Consortium blockchain nodes dynamically select consensus protocols based on the timeliness of original industrial production data, construct corresponding Merkle tree structures, and store root hash values; S300: Verify whether the device-data binding hash value is contained in the Merkle tree corresponding to the specific root hash value using a zero-knowledge proof protocol; S400: During the authentication phase, the verified device-data binding hash value and the index information associated with the encryption quality parameters are invoked to locate and decrypt the encryption quality parameters stored off-chain to obtain the original quality parameters; S500: Based on the original quality parameters, device-data binding hash value, product identification information and blockchain transaction information, generate a three-dimensional trusted identifier and dynamic authentication description text, and verify the signature through a quantum-safe electronic signature.
2. The digital authentication method based on industrial production data according to claim 1, characterized in that, In step S100: The device's unique fingerprint is generated using a non-clonable function response-challenge mechanism and includes the device's physical characteristic parameters. The encryption quality parameters are implemented using the national standard SM4 symmetric encryption algorithm or the national standard SM2 asymmetric encryption algorithm. The encryption algorithm selection strategy is to use the national standard SM4 symmetric encryption algorithm for batch data and the national standard SM2 asymmetric encryption algorithm for single key data.
3. The digital authentication method based on industrial production data according to claim 1, characterized in that, In step S200: The dynamic selection of the consensus protocol channel is based on the timeliness threshold of the original industrial production data; The Merkle tree structure includes a sharding mechanism that automatically triggers sharding storage when the amount of data exceeds a preset threshold.
4. The digital authentication method based on industrial production data according to claim 1, characterized in that, In step S300: The zero-knowledge proof protocol uses zk-SNARK technology to achieve anonymous verification. The verification request is validated by a light node on the consortium blockchain.
5. The digital authentication method based on industrial production data according to claim 1, characterized in that, In step S400: The encryption quality parameters stored off-chain are decrypted through a trusted execution environment; The decryption key corresponds to the national cryptographic algorithm key used during encryption.
6. The digital authentication method based on industrial production data according to claim 1, characterized in that, In step S500: The three-dimensional trusted identifier contains spatial coordinate encoding information; The quantum-secure electronic signature is implemented using the SM9 algorithm and a master private key issued by the consortium blockchain root CA. The signature data is encoded in ASN.1 format and contains zero-knowledge proofs of the Merkle tree verification path.
7. The digital authentication method based on industrial production data according to claim 6, characterized in that, The zero-knowledge proof is generated based on path verification information extracted from a specific root hash value from the consortium blockchain, and is used to prove the legitimate inclusion relationship of the device-data binding hash value.
8. The digital authentication method based on industrial production data according to claim 1, characterized in that, Also includes: S600: Establish a cross-chain verification channel to verify the equivalence of authentication identifiers between different consortium chains through the relay chain protocol; S700: Deploys a key rotation mechanism resistant to quantum computing attacks, periodically updating the SM9 master private key and migrating historical data signatures.
9. A digital authentication system based on industrial production data, characterized in that, include: The data acquisition and encryption module is used to acquire raw industrial production data, call the non-clonable function interface to generate a unique fingerprint for the device, bind the unique fingerprint for the device to the raw industrial production data, and use the national cryptographic SM3 algorithm to generate a device-data binding hash value; encrypt the raw industrial production data to form encryption quality parameters, and submit the device-data binding hash value and the index information associated with the encryption quality parameters to the consortium blockchain; The dynamic consensus processing module is used by consortium blockchain nodes to dynamically select a consensus protocol based on the timeliness of the original industrial production data, construct the corresponding Merkle tree structure and store the root hash value. An anonymous verification module is used to verify, via a zero-knowledge proof protocol, whether the device-data binding hash value is contained in the Merkle tree corresponding to a specific root hash value; The off-chain data decryption module is used during the authentication phase to call the verified device-data binding hash value and the index information associated with the encryption quality parameters to locate and decrypt the encryption quality parameters stored off-chain to obtain the original quality parameters. The signature generation module is used to generate a three-dimensional trusted identifier and dynamic authentication description text based on the original quality parameters, device-data binding hash value, product identification information and blockchain transaction information, and to verify the signature through a quantum-safe electronic signature. A blockchain network interface connects the consortium blockchain main chain and sharded storage system, supporting smart contract calls and cross-chain verification.