A method and system for controlling railway traffic signaling devices
By generating a dynamic security control domain in the railway traffic signal control system, implementing two-way authentication and secure time synchronization, and using elliptic curve cryptography and dynamic confusion matrix to generate dynamic domain session keys, the problem of insufficient verification of command source in existing technologies is solved, thereby realizing the reliability of control commands and the accuracy of execution time, and improving the accuracy and security of the control system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- LANZHOU JIAOTONG UNIV
- Filing Date
- 2026-03-19
- Publication Date
- 2026-07-07
Smart Images

Figure CN121849208B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of traffic signal control technology, and in particular to a method and system for controlling railway traffic signal devices. Background Technology
[0002] In related technologies, traditional signal control systems rely on centralized or hierarchical control architectures. Information interaction between trains and ground signaling equipment (such as signals, transponders, and train control centers), especially the synchronization of time-related commands, is crucial for ensuring safe train intervals and route resource allocation. However, the joint verification mechanism for the authenticity, completeness, and timeliness of the command source is insufficient in the signal control command issuance process of related technologies. In other words, related technologies struggle to improve the accuracy of railway traffic signal device control.
[0003] The information disclosed in the background section of this application is intended only to enhance the understanding of the general background of this application and should not be construed as an admission or in any way implying that the information constitutes prior art known to those skilled in the art. Summary of the Invention
[0004] This invention provides a method and system for controlling railway traffic signal devices, which can solve the technical problem that related technologies struggle to improve the accuracy of railway traffic signal device control.
[0005] According to a first aspect of the present invention, a railway traffic signal control method is provided, comprising: acquiring, at multiple moments during a control cycle, instantaneous train speed, real-time track section curvature, real-time train track characteristic frequency code, train instantaneous speed change rate, interlocking logic, train position, and planned route; generating a dynamic safety control domain based on the train position and the planned route; performing bidirectional authentication and secure time synchronization on domain members within the dynamic safety control domain; generating a control instruction set based on the interlocking logic and the planned route, wherein the control instruction set includes: control instructions and absolute execution timestamps; securely distributing the control instruction set based on the real-time train track characteristic frequency code and the train instantaneous speed change rate; and domain members within the dynamic safety control domain executing instructions based on the control instruction set, the train instantaneous speed change rate, the train instantaneous speed, and the real-time track section curvature.
[0006] According to the present invention, generating a dynamic safety control domain based on the train position and the planned route includes: generating a dynamic control task identifier based on the train position and the planned route; and generating a dynamic safety control domain based on the dynamic control task identifier, wherein the dynamic safety control domain includes: an area control center, an onboard control unit, and a trackside signal control device related to the planned route.
[0007] According to the present invention, performing two-way authentication and secure time synchronization for members within a dynamic security control domain includes: performing two-way authentication for members within a dynamic security control domain based on an elliptic curve cryptography algorithm; and performing secure time synchronization based on a regional control center as the reference time source.
[0008] According to the present invention, the secure distribution of the control command set based on the real-time train track characteristic frequency code and the instantaneous speed change rate of the train includes: obtaining the authentication phase exchange public key of the domain members within the dynamic security control domain; obtaining the real-time geographic coordinates of the regional control center; obtaining the elliptic curve group order; generating a dynamic obfuscation matrix based on the dynamic control task identifier and the absolute execution timestamp; generating a dynamic domain session key based on the dynamic obfuscation matrix, the real-time train track characteristic frequency code, the instantaneous speed change rate of the train, the absolute execution timestamp, the authentication phase exchange public key, the dynamic control task identifier, the real-time geographic coordinates of the regional control center, and the elliptic curve group order; generating a secure command broadcast packet based on the dynamic domain session key and the control command set; and securely distributing the secure command broadcast packet.
[0009] According to the present invention, generating a dynamic domain session key based on the dynamic confusion matrix, the real-time train track characteristic frequency code, the train instantaneous speed change rate, the absolute execution timestamp, the authentication phase exchange public key, the dynamic control task identifier, the real-time geographic coordinates of the regional control center, and the elliptic curve group order includes: determining a first hash function value based on the authentication phase exchange public key; determining a second hash function value based on the real-time geographic coordinates of the regional control center; and generating a dynamic domain session key based on the dynamic confusion matrix, the real-time train track characteristic frequency code, the train instantaneous speed change rate, the absolute execution timestamp, the dynamic control task identifier, the first hash function value, the second hash function value, and the elliptic curve group order.
[0010] According to the present invention, a dynamic domain session key is generated based on the dynamic confusion matrix, the real-time train track feature frequency code, the train instantaneous speed change rate, the absolute execution timestamp, the dynamic control task identifier, the first hash function value, the second hash function value, and the elliptic curve group order, including: according to the formula: Determine the dynamic domain session key at time i of the control cycle. ,in," " is the XOR operation, " " is a non-linear operator, "For modulo operation, For collision hash functions, Let i be the dynamic confusion matrix at time i of the control period. This is the dynamic control task identifier at the i-th moment of the control cycle. The first hash function value of the public key is exchanged during the authentication phase of the k-th member within the dynamic security control domain. The second hash function value represents the real-time geographic coordinates of the regional control center at the i-th moment of the control cycle. Let i be the absolute execution timestamp at the i-th moment of the control cycle. To control the instantaneous speed change rate of the train at the i-th moment of the control cycle, For the real-time train track characteristic frequency code at the i-th moment of the control cycle, Let K be the order of the elliptic curve group, K be the number of members in the dynamic security control domain, k ≤ K, and both k and K are positive integers.
[0011] According to the present invention, members within a dynamic safety control domain execute commands based on the control command set, the instantaneous speed change rate of the train, the instantaneous speed of the train, and the real-time track segment curvature, including: obtaining the logical topology hop count of each member within the dynamic safety control domain; obtaining the estimated maximum network delay jitter; determining the adaptive execution time window radius based on the logical topology hop count, the estimated maximum network delay jitter, the instantaneous speed change rate of the train, the instantaneous speed of the train, and the real-time track segment curvature; determining the adaptive execution time window based on the adaptive execution time window radius; and members within the dynamic safety control domain executing the control commands within the adaptive execution time window corresponding to the absolute execution timestamp.
[0012] According to the present invention, determining the adaptive execution time window radius based on the logical topology hop count, the estimated maximum network latency jitter, the instantaneous train speed change rate, the instantaneous train speed, and the real-time track segment curvature includes: according to the formula: Determine the adaptive execution time window radius of the k-th member within the dynamic safety control domain at the i-th moment of the control cycle. ,in, , , and Here, is the preset coefficient, and max is the function to find the maximum value. Let be the logical topology hop count of the k-th member within the dynamic security control domain. For the estimated maximum network latency jitter of the k-th member within the dynamic security control domain at time i of the control period. To control the instantaneous speed of the train at the i-th moment of the cycle, To preset the instantaneous speed threshold of the train, To control the real-time curvature of the orbital segment at time i of the control cycle, To preset the curvature threshold, To control the instantaneous speed change rate of the train at the i-th moment of the control cycle, The preset velocity change rate threshold is K, which is the number of members in the dynamic safety control domain, k≤K, and both k and K are positive integers.
[0013] According to a second aspect of the present invention, a railway traffic signal device control system is provided, comprising: a train data module, configured to acquire, at multiple times during a control cycle, instantaneous train speed, real-time track section curvature, real-time train track characteristic frequency code, instantaneous train speed change rate, interlocking logic, train position, and planned route; a dynamic control module, configured to generate a dynamic safety control domain based on the train position and the planned route; an authentication and synchronization module, configured to perform bidirectional authentication and secure time synchronization for members within the dynamic safety control domain; a control instruction module, configured to generate a control instruction set based on the interlocking logic and the planned route, wherein the control instruction set includes: control instructions and absolute execution timestamps; an instruction distribution module, configured to securely distribute the control instruction set based on the real-time train track characteristic frequency code and the instantaneous train speed change rate; and an instruction execution module, configured for members within the dynamic safety control domain to execute instructions based on the control instruction set, the instantaneous train speed change rate, the instantaneous train speed, and the real-time track section curvature.
[0014] Technical Effects: According to the present invention, a dynamic safety control domain can be dynamically constructed for trains and ground signaling equipment that execute the same route or are controlled by the same interlocking logic. Within the dynamic safety control domain, two-way authentication and command synchronization are implemented to ensure that the source of control commands is reliable, the content is complete, and the execution time is precisely synchronized. Furthermore, the regional control center safely distributes the set of control commands based on the real-time train track characteristic frequency code and the instantaneous speed change rate of the train. Members within the dynamic safety control domain execute commands based on the set of control commands, the instantaneous speed change rate of the train, the instantaneous speed of the train, and the real-time track section curvature, thereby improving the accuracy of railway traffic signaling device control. When determining the dynamic domain session key, it can be generated based on the dynamic confusion matrix, real-time train track characteristic frequency code, train instantaneous speed change rate, absolute execution timestamp, dynamic control task identifier, first hash function value, second hash function value, and elliptic curve group order. During the generation of the dynamic domain session key, task binding, identity binding, spatial binding, time binding, and physical environment binding can be performed based on the dynamic control task identifier, hash sum of public keys of domain members, control center coordinate hash, timestamp, and physical characteristics, improving the security of the dynamic domain session key. When determining the adaptive execution time window radius, it can be determined based on the logical topology hop count, estimated maximum network latency jitter, train instantaneous speed, and real-time track segment curvature. During the calculation process, the adaptive execution time window radius can be determined by fully considering the logical topology hop count of domain members, estimated maximum network latency jitter, and train physical operation risks, improving the accuracy of the adaptive execution time window radius.
[0015] It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only, and are not intended to limit the invention. Other features and aspects of the invention will become clearer from the following detailed description of exemplary embodiments with reference to the accompanying drawings. Attached Figure Description
[0016] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other embodiments can be obtained based on these drawings without creative effort.
[0017] Figure 1 A schematic flowchart of a railway traffic signal device control method according to an embodiment of the present invention is shown as an example;
[0018] Figure 2 An exemplary schematic diagram of generating a dynamic security control domain according to an embodiment of the present invention is shown;
[0019] Figure 3 An exemplary schematic diagram illustrating two-way authentication and secure time synchronization according to an embodiment of the present invention is shown;
[0020] Figure 4 An exemplary schematic diagram illustrates the secure distribution of a set of control instructions according to an embodiment of the present invention;
[0021] Figure 5 An exemplary schematic diagram illustrating instruction execution according to an embodiment of the present invention is shown;
[0022] Figure 6 A block diagram of a railway traffic signal control system according to an embodiment of the present invention is shown as an example;
[0023] Figure 7 A schematic diagram illustrating the identity authentication process of a two-way authentication scheme according to an embodiment of the present invention is shown. Detailed Implementation
[0024] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0025] The technical solution of the present invention will be described in detail below with reference to specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments.
[0026] Figure 1 An exemplary flowchart of a railway traffic signal control method according to an embodiment of the present invention is shown, the method comprising:
[0027] Step S1: At multiple moments in the control cycle, acquire the train's instantaneous speed, real-time track section curvature, real-time train track characteristic frequency code, train instantaneous speed change rate, interlocking logic, train position, and planned route.
[0028] Step S2: Generate a dynamic safety control domain based on the train position and the planned route;
[0029] Step S3: Perform two-way authentication and secure time synchronization for members within the dynamic security control domain;
[0030] Step S4: Generate a set of control instructions based on the interlocking logic and the planned route, wherein the set of control instructions includes: control instructions and absolute execution timestamps;
[0031] Step S5: Distribute the control command set safely based on the real-time train track characteristic frequency code and the instantaneous speed change rate of the train;
[0032] Step S6: Within the dynamic safety control domain, domain members execute commands based on the control command set, the instantaneous speed change rate of the train, the instantaneous speed of the train, and the real-time track section curvature.
[0033] According to the railway traffic signal control method of the present invention, a dynamic safety control domain can be dynamically constructed for trains and ground signal equipment that are executing the same route or controlled by the same interlocking logic. Within the dynamic safety control domain, two-way authentication and command synchronization are implemented to ensure that the source of control commands is reliable, the content is complete, and the execution time is precisely synchronized. Furthermore, the regional control center safely distributes the set of control commands based on the real-time train track characteristic frequency code and the instantaneous speed change rate of the train. Members within the dynamic safety control domain execute commands based on the set of control commands, the instantaneous speed change rate of the train, the instantaneous speed of the train, and the real-time track section curvature, thereby improving the accuracy of railway traffic signal control.
[0034] According to one embodiment of the present invention, in step S1, at multiple moments during the control cycle, the instantaneous speed of the train, the real-time track section curvature, the real-time train track characteristic frequency code, the instantaneous speed change rate of the train, the interlocking logic, the train position, and the planned route are acquired.
[0035] For example, the instantaneous speed and rate of change of the train can be obtained in real time through onboard speed sensors. The lateral acceleration (centrifugal force) and longitudinal acceleration of the train can be sensed in real time by using the onboard inertial navigation system (IMU) or accelerometer. The current real-time track section curvature (a normalized value from 0 to 1) can be deduced from this. The train position is obtained according to the positioning system in the train. The train determines the track section code of its current position through the onboard positioning system (such as transponder, track circuit identification, Beidou / GPS + digital map). Subsequently, the onboard computer or regional control center queries the pre-stored track database based on this code and reads the characteristic frequency code corresponding to the section, that is, the real-time train track characteristic frequency code. The interlocking logic is the computer interlocking table or logic rules pre-set in the interlocking equipment of the regional control center or station. The planned route is a task dynamically generated according to the train timetable or dispatcher instructions.
[0036] According to one embodiment of the present invention, in step S2, a dynamic safety control domain is generated based on the train position and the planned route.
[0037] Figure 2An exemplary schematic diagram of generating a dynamic security control domain according to an embodiment of the present invention is shown.
[0038] According to an embodiment of the present invention, step S2 includes:
[0039] Step S21: Generate a dynamic control task identifier based on the train position and the planned route;
[0040] Step S22: Generate a dynamic safety control domain based on the dynamic control task identifier, wherein the dynamic safety control domain includes: a regional control center, an on-board control unit, and a trackside signal control device related to the planned route.
[0041] For example, based on the train's location and planned route, a dynamic control task identifier is generated. For instance, when a train requests to enter a certain section or take a specific route, the area control center dynamically generates a unique control task identifier based on the train's location, planned route, and the involved trackside signaling equipment (including but not limited to signals, turnout controllers, and track circuits). This is the dynamic control task identifier. A temporary dynamic safety control domain is created around this dynamic control task identifier. The initial members of this domain include: the area control center (as the domain manager), the onboard control unit (installed on the train, configured to participate in authentication and synchronization as a member of the dynamic safety control domain, receive, decrypt, and verify control commands, and execute drive or brake commands at the synchronization time), and all trackside signal control devices directly related to the route (including signal controllers and turnout controllers, configured to participate in authentication and synchronization as members of the dynamic safety control domain, receive, decrypt, and verify control commands, and execute signal display switching or turnout conversion operations at the synchronization time). Furthermore, the area control center, onboard control unit, and trackside signal control devices all have built-in communication and security computing modules that support elliptic curve cryptography and secure network time protocols.
[0042] According to one embodiment of the present invention, in step S3, two-way authentication and secure time synchronization are performed on members within the dynamic security control domain.
[0043] Figure 3 An exemplary schematic diagram illustrating two-way authentication and secure time synchronization according to an embodiment of the present invention is shown.
[0044] According to an embodiment of the present invention, step S3 includes:
[0045] Step S31: Perform two-way authentication on members within the dynamic security control domain based on the elliptic curve cryptography algorithm;
[0046] Step S32: Perform secure time synchronization based on the regional control center as the reference time source.
[0047] For example, currently, my country's railway time synchronization network uses the NTPv4 protocol as its core time synchronization protocol to provide high-precision time reference signals for various railway business subsystems and equipment, ensuring coordination and consistency between the railway system and various business platforms, and a high degree of time uniformity. However, the NTP protocol, based on the connectionless UDP protocol, suffers from issues such as the lack of client authentication during the authentication phase. This inherent security flaw makes the NTP protocol a serious vulnerability to various malicious attacks. Therefore, a two-way authentication protocol based on elliptic curve cryptography is used for mutual recognition among all members within the control domain (e.g., regional control centers, trains, and trackside equipment). Elliptic curve cryptography is an asymmetric encryption algorithm based on elliptic curve mathematical theory. Compared to the traditional RSA algorithm, elliptic curve cryptography achieves the same level of security with a shorter key, improving encryption efficiency in application areas. The two-way authentication scheme begins when a client node requests access to the railway time synchronization network and is executed in four steps: initialization, initial association, certificate exchange, and authentication.In the initialization phase of the two-way authentication scheme, each primary and secondary time synchronization node only needs to register once with the trusted host. Trusted host registration is performed offline and does not need to be executed simultaneously with the authentication process. Initially, both the time synchronization server and the time synchronization client need to register with the trusted host and generate their respective public-private key pairs. During the authentication phase, the time synchronization server and the time synchronization client interact multiple times to verify each other's identity. The symbols in the two-way authentication scheme are explained as follows: (SkC, PkC) represent the client's public-private key pair, (SkS, PkS) represent the server's public-private key pair, (SkT, PkT) represent the trusted host's public-private key pair, and AH indicates a trusted host. In this context, the system uses a host, a time synchronization client (TC), a time synchronization server (TS), an elliptic curve group (E), an elliptic curve group (q), a base point of the elliptic curve (P), a hash function (H), a client identity certificate (CRTC), a server identity certificate (CRTS), a client host identifier (C), a server host identifier (S), a client random number (RC), a server random number (RS), and an EX(m) function to encrypt message m using key x. During initialization, AH selects a prime number n, Dn is a finite field of order n, and AH defines an elliptic curve group E on Dn, where q is the order of the group, P is the base point of the elliptic curve, and AH selects a random number k ∈ [1, n-1] as the private key SkT. The system generates a local public key PkT = k·P. Finally, after generating a collision-resistant hash function H, the AH publishes public authentication parameters (E, P, q, PkT, H) to the time synchronization node. Before the authentication scheme is executed, the TC and TS have already obtained the public authentication parameter information transmitted by the AH through a secure channel. In the initial association phase, when the TC applies to access the railway time synchronization network, it enters the initial association phase of the railway time synchronization network protocol. In this phase, the TC randomly selects a prime number r∈[1, n-1] on the finite field Dn as its private key Skc. Simultaneously, it calculates the TC public key Pkc = r·P using the base point P and generates the TC host identifier C. Similarly, the TS generates a server public-private key pair (Sks, Pks) and a TS host identifier S. The TC combines the TC public key Pkc and the TC host identifier C into a message (Pkc, C) and sends it to the AH for registration through a secure channel. After successful verification, the AH calculates the hash value H(Pkc, C) based on the TC message as the parameter of the TC certificate. Simultaneously, the TC certificate CRTc is generated by signing the parameters and hash value of the message using the AH private key SkT. The CRTc certificate is then sent to the TC. Similarly, the TS completes registration with the AH, and the AH issues a certificate CRTs to the TS. The TC sends an initial association request message to request access to the TS. This message contains the TC status field and the TC host identifier C. The status field mainly includes the encryption algorithm and authentication scheme selected by the host, as well as the host's current status information.The TS generates a TS response message and sends it to the TC based on the encryption algorithm information selected in the status field of the TC message. The TS response message contains the TS status field and the TS host identifier S. During the certificate exchange phase, the TC sends a certificate exchange request message to the TS. The TS responds to the TC's request by sending its TS certificate CRTs. Upon receiving the TS certificate exchange request message, the TC verifies the validity of the TS certificate CRTs. If the verification is successful, the TC uses the AH public key PkT to retrieve the TS public key Pks from the TS certificate CRTs. Simultaneously, the TC sends a message containing its TC identity certificate CRTc to the TS. Upon receiving the TC certificate CRTc, the TS verifies its validity. If the verification is successful, the TS uses the AH public key PkT to retrieve the TC public key Pkc from the TC certificate CRTc. Due to the railway time... In the step-by-step authentication mechanism, the TC does not store the TS certificate list. Therefore, after the certificate exchange is completed, the two-way authentication scheme performs further identity authentication to avoid the security risks of forged certificates and replay attacks. In the identity authentication phase, after the certificate exchange is completed, the TC and TS initiate identity authentication of the time synchronization node, and the two-way authentication process between the TC and TS begins. The TC sends an authentication request message to the TS, which contains a random number Rc generated by the TC and the TC identifier C. The TC uses its private key Skc to perform a signature operation to obtain the authentication request message Ec(Rc,C). The TS receives the TC authentication request message and uses the TC public key Pkc to decrypt the request message to obtain the TC random number Rc. Before time synchronization is established, the TS resends the TC's random number Rc to the TC for verification to prevent replay attacks. TS generates a random number Rs and encrypts it with TC's public key Pkc to obtain the message information Pkc(Rs). TS combines Pkc(Rs), the TC random number Rc, and the TS identifier S to form a message (Pkc(Rs), Rc, S), and performs a signature operation using TS's private key Sks to obtain the authentication response message Es(Pkc(Rs), Rc, S). TS sends the authentication response message to TC. After receiving the authentication response message from TS, TC decrypts it using TS's public key Pks. If the decryption verification is successful, the message has not been tampered with by an attacker. TC verifies the random number Rc in the TS response message. If the verification is successful, TC has not been subjected to a replay attack, and TS's authentication is successful. TC uses its local private key Skc to parse the TS random number Rs and encrypts it with its private key Skc to obtain the authentication response message Ec(Rs), which is then sent to TS. When TS receives the TC authentication response message, TS uses the TC public key Pkc to decrypt the TC authentication response message to obtain the TS random number Rs, proving that the random number Rs was sent by TC. TC authentication is successful. The specific authentication process of the two-way authentication scheme is as follows. Figure 7As shown, after completing two-way authentication, the regional control center serves as the reference time source. Using the secure NTP protocol that integrates the above two-way authentication mechanism, a precise time reference is distributed to all members within the dynamic security control domain. This process can prevent man-in-the-middle attacks and replay attacks, ensuring that the time within the entire dynamic security control domain is highly consistent and the source is trustworthy.
[0048] According to one embodiment of the present invention, in step S4, a set of control instructions is generated based on the interlocking logic and the planned route, wherein the set of control instructions includes: control instructions and absolute execution timestamps.
[0049] For example, a regional control center (usually located in a signal tower or control center along the railway line) generates a set of control instructions based on a predetermined train schedule (e.g., train A needs to arrive at station B at 10:00 and depart for station C at 10:05) and interlocking logic (e.g., how switches should turn, how signals should illuminate, and which sections cannot have trains entering simultaneously). The set of control instructions includes control instructions and an absolute execution timestamp. The control instructions are specific instructions sent to specific members (e.g., trains or signaling devices) within the dynamic safety control domain (e.g., acceleration, deceleration, opening signals, locking switches). The absolute execution timestamp is the execution time of the instruction (based on the reference time source established in S32). Specifically, a high-speed train is traveling at 300 km / h. There is a construction section with a speed limit of 120 km / h 5 km ahead. The regional control center calculates, based on the train schedule (the train needs to pass through this section and cannot be late) and interlocking logic (the track ahead is clear, and switches are open), that the train needs to begin decelerating 2 km from the construction section. The train reaches 2 km... The precise time is 10:05:30.000. Based on this, control commands (e.g., start deceleration and target speed 120km / h) and absolute execution timestamps (10:05:30.000) are generated. The set of control commands is determined as a pre-generated set of commands to be transmitted before being distributed at the regional control center.
[0050] According to an embodiment of the present invention, in step S5, the control command set is safely distributed based on the real-time train track characteristic frequency code and the instantaneous speed change rate of the train.
[0051] Figure 4 An exemplary schematic diagram illustrates the secure distribution of a set of control instructions according to an embodiment of the present invention.
[0052] According to an embodiment of the present invention, step S5 includes:
[0053] Step S51: Obtain the authentication phase exchange public key of the domain members within the dynamic security control domain;
[0054] Step S52: Obtain the real-time geographic coordinates of the regional control center;
[0055] Step S53: Obtain the order of the elliptic curve group;
[0056] Step S54: Generate a dynamic obfuscation matrix based on the dynamic control task identifier and the absolute execution timestamp;
[0057] Step S55: Generate a dynamic domain session key based on the dynamic confusion matrix, the real-time train track feature frequency code, the train instantaneous speed change rate, the absolute execution timestamp, the authentication phase exchange public key, the dynamic control task identifier, the real-time geographic coordinates of the regional control center, and the elliptic curve group order.
[0058] Step S56: Generate a security instruction broadcast packet based on the dynamic domain session key and the control instruction set;
[0059] Step S57: Securely distribute the security instruction broadcast packet.
[0060] For example, the public key exchanged during the authentication phase is the public key exchanged by members within the dynamic security control domain during the two-way authentication phase. The methods for obtaining the public key exchanged during the authentication phase include, but are not limited to: 1. Pre-installed storage: Before the member device (train / control center) leaves the factory or goes online, its public key certificate is pre-installed in the trusted repository of other members within the domain; 2. Dynamic certificate exchange: During the authentication phase, the member device sends a digital certificate containing its public key to other members within the domain, and the public key is extracted after verification; 3. Physical feature derivation: Based on the physical unclonable feature (PUF) of the member device or the real-time motion state entropy source, the public key is dynamically generated and exchanged. The methods for obtaining the real-time geographic coordinates of the regional control center include, but are not limited to: 1. Pre-stored: Before the construction or launch of the regional control center, its geographical location is accurately measured using professional surveying instruments, and its coordinate values are pre-stored in the system configuration file; 2. Dynamic positioning: The geographical location of the control center is obtained in real time using communication base station signals or network positioning technology; 3. Logical mapping: Based on the characteristics of the track circuit sections within the control center's jurisdiction, combined with the pre-stored track circuit-geographic coordinate mapping table, the logical location of the control center is determined. The real-time geographic coordinates of the regional control center are latitude and longitude coordinates, such as WGS-84 format. The elliptic curve group order is obtained, for example, by defining the elliptic curve group order. A dynamic obfuscation matrix is generated based on the dynamic control task identifier and the absolute execution timestamp. The dynamic obfuscation matrix is an n×n matrix, and its elements are generated by the dynamic control task identifier and the absolute execution timestamp. For example, the value of the element in the first row and first column of the dynamic obfuscation matrix is... A dynamic domain session key is generated based on the dynamic confusion matrix, real-time train track characteristic frequency code, train instantaneous speed change rate, absolute execution timestamp, authentication phase exchange public key, dynamic control task identifier, real-time geographic coordinates of the regional control center, and elliptic curve group order. Based on the dynamic domain session key and the control command set, a security command broadcast packet is generated. For example, the regional control center uses the dynamic domain session key to encrypt and sign the control command set, generating a security command broadcast packet, which is then distributed to all members within the dynamic security control domain. Before the security command broadcast packet is distributed, the control command set has already been generated and is presented as a pre-generated, transmission-ready command set. During the distribution process, the regional control center uses the dynamic domain session key to encrypt and sign the control command set.
[0061] According to an embodiment of the present invention, step S55 includes:
[0062] Step S551: Determine the first hash function value based on the public key exchanged during the authentication phase;
[0063] Step S552: Determine the value of the second hash function based on the real-time geographic coordinates of the regional control center;
[0064] Step S553: Generate a dynamic domain session key based on the dynamic confusion matrix, the real-time train track feature frequency code, the train instantaneous speed change rate, the absolute execution timestamp, the dynamic control task identifier, the first hash function value, the second hash function value, and the elliptic curve group order.
[0065] For example, the extracted authentication phase exchange public key (usually a binary or hexadecimal string) is used as input, and a hash function defined by the protocol (e.g., SHA-256) is used to determine the first hash function value; the real-time geographic coordinates of the regional control center are converted into a standard string format (e.g., "116.397026,39.90923"), and the hash function defined by the protocol is used to determine the second hash function value; based on the dynamic confusion matrix, real-time train track characteristic frequency code, train instantaneous speed change rate, absolute execution timestamp, dynamic control task identifier, first hash function value, second hash function value, and elliptic curve group order, a dynamic domain session key is generated.
[0066] According to an embodiment of the present invention, step S553 includes: determining the dynamic domain session key at the i-th moment of the control period according to formula (1). ,
[0067] (1)
[0068] in," " is the XOR operation, " " is a non-linear operator, "For modulo operation, For collision hash functions, Let i be the dynamic confusion matrix at time i of the control period. This is the dynamic control task identifier at the i-th moment of the control cycle. The first hash function value of the public key is exchanged during the authentication phase of the k-th member within the dynamic security control domain. The second hash function value represents the real-time geographic coordinates of the regional control center at the i-th moment of the control cycle. Let i be the absolute execution timestamp at the i-th moment of the control cycle. To control the instantaneous speed change rate of the train at the i-th moment of the control cycle, For the real-time train track characteristic frequency code at the i-th moment of the control cycle, Let K be the order of the elliptic curve group, K be the number of members in the dynamic security control domain, k ≤ K, and both k and K are positive integers.
[0069] According to one embodiment of the present invention, The dynamic control task identifier at time i of the control cycle ensures that the dynamic domain session key is generated based on a specific task. If the task changes, the dynamic domain session key must also change, preventing replay attacks. The authentication phase of this communication involves exchanging the sum of the first hash function values of the public keys of all domain members participating in the communication. If any member is replaced (e.g., an attacker impersonating the train), this value changes, causing key generation to fail and thus blocking unauthorized communication. The second hash function value, representing the real-time geographic coordinates of the regional control center at time i of the control cycle, ensures that the dynamic domain session key is valid only within a specific geographic area. If an attacker attempts to forge a signal in a different location, the correct dynamic domain session key cannot be generated due to the mismatched coordinates. To control the absolute execution timestamp at the i-th moment of the control cycle, the current precise time is introduced to ensure the timeliness of the dynamic domain session key. Even if an attacker intercepts the dynamic domain session key from the previous second, it will become invalid in the next second due to the time change. To control the instantaneous speed change rate of the train at the i-th moment of the control cycle, This refers to the real-time train track characteristic frequency code at the i-th moment of the control cycle. To couple physical features, the instantaneous rate of change of train speed (train motion state) and real-time train track feature frequency code (track feature) are coupled using nonlinear operators. This combination allows the dynamic domain session key to be strongly correlated with the train's real-time physical state; if the train is stationary, hijacked, or off track, The value will be abnormal, causing the key to fail to generate, thus failing to protect driving safety. The raw material representing the dynamic domain session key. This is the dynamic confusion matrix at time i of the control period, used for data confusion and transformation. This indicates complex mixed data (i.e., Compress into a fixed-length string. This indicates that a modulo operation is performed on a fixed-length string to ensure that the final generated dynamic domain session key is a valid elliptic curve scalar.
[0070] In this way, a dynamic domain session key can be generated based on the dynamic confusion matrix, real-time train track characteristic frequency code, train instantaneous speed change rate, absolute execution timestamp, dynamic control task identifier, first hash function value, second hash function value, and elliptic curve group order. During the generation of the dynamic domain session key, task binding, identity binding, spatial binding, time binding, and physical environment binding can be performed based on the dynamic control task identifier, hash of public keys of members within the domain, hash of control center coordinates, timestamp, and physical characteristics, respectively, thereby improving the security of the dynamic domain session key.
[0071] According to an embodiment of the present invention, in step S6, the domain members within the dynamic safety control domain execute commands based on the control command set, the instantaneous speed change rate of the train, the instantaneous speed of the train, and the real-time track section curvature.
[0072] Figure 5 A schematic diagram illustrating instruction execution according to an embodiment of the present invention is shown.
[0073] According to an embodiment of the present invention, step S6 includes:
[0074] Step S61: Obtain the logical topology hop count of each member within the dynamic security control domain;
[0075] Step S62: Obtain the estimated maximum network latency jitter;
[0076] Step S63: Determine the adaptive execution time window radius based on the logical topology hop count, the estimated maximum network delay jitter, the instantaneous speed change rate of the train, the instantaneous speed of the train, and the real-time track segment curvature;
[0077] Step S64: Determine the adaptive execution time window based on the radius of the adaptive execution time window;
[0078] Step S65: Within the dynamic security control domain, domain members execute the control instructions within the adaptive execution time window corresponding to the absolute execution timestamp.
[0079] For example, the logical topology hop count of each member within the dynamic security control domain can be obtained through network route probing or a pre-configured topology table. This represents the logical "hops" between the member (e.g., a train or trackside equipment) and the area control center; a higher hop count indicates a more complex network path and greater potential transmission delay and jitter. The estimated maximum network latency jitter is the maximum time deviation that a data packet might experience from transmission to reception under the worst network conditions. This can be estimated based on historical network performance statistics or the QoS parameters of network devices. The estimated maximum network latency jitter can serve as the physical upper limit of a time window, ensuring that the window size does not exceed the network's actual tolerance limit. Based on the logical topology hop count... The maximum network latency jitter, train instantaneous speed, and real-time track section curvature are estimated to determine the radius of the adaptive execution time window, which represents the allowable time deviation range. The adaptive execution time window is determined based on the absolute execution timestamp and the radius. Within the adaptive execution time window corresponding to the absolute execution timestamp, members of the dynamic safety control domain execute control commands. After execution, each member sends an execution confirmation feedback to the regional control center. When the train safely passes through the route or the task is completed, the regional control center disbands the dynamic synchronization group (dynamic safety control domain) and destroys the temporary keys and parameters related to this task.
[0080] According to an embodiment of the present invention, step S63 includes: determining the adaptive execution time window radius of the k-th in-domain member within the dynamic security control domain at the i-th moment of the control cycle according to formula (2). ,
[0081] (2)
[0082] in, , , and Here, is the preset coefficient, and max is the function to find the maximum value. Let be the logical topology hop count of the k-th member within the dynamic security control domain. For the estimated maximum network latency jitter of the k-th member within the dynamic security control domain at time i of the control period. To control the instantaneous speed of the train at the i-th moment of the cycle, To preset the instantaneous speed threshold of the train, To control the real-time curvature of the orbital segment at time i of the control cycle, To preset the curvature threshold, To control the instantaneous speed change rate of the train at the i-th moment of the control cycle, The preset velocity change rate threshold is K, which is the number of members in the dynamic safety control domain, k≤K, and both k and K are positive integers.
[0083] According to one embodiment of the present invention, This is the ratio of the logical topology hop count of the k-th member within the dynamic security control domain to the maximum logical topology hop count of the K members within the domain. Used to normalize the logical topology hop count of members within a domain to a proportional value. and For preset coefficients, and The sum is less than or equal to 1 (the final adaptive execution time window radius cannot be greater than 1). ,if and If the sum is greater than 1, then the window radius of the member in the domain with the most hops will exceed the physical limit. Used to control the degree to which the number of hops affects the size of the adaptive execution time window radius. It can be set to 0.5. This is used to ensure a minimum safety buffer even if the hop count is 0 (direct connection). It must be greater than or equal to the minimum latency of the system hardware and operating system in processing instructions (usually a few milliseconds to tens of milliseconds). It can be set to 0.2. This means mapping the normalized ratio value to a weighting coefficient related to the logical hop count. When the logical topology hop count of the member in the k-th domain is relatively high, The larger the value, the larger the adaptive execution time window radius for members within that domain. This is because network latency for members in remote domains is high and unstable, requiring a larger time tolerance range; otherwise, network jitter can easily lead to misjudgments. This means determining the maximum allowable time deviation for members within the k-th domain based on weighting coefficients related to the logical hop count and the estimated maximum network latency jitter. To control the instantaneous speed of the train at the i-th moment of the cycle, The larger, The larger the value, the better. It can be set to the maximum permissible operating speed of the train in the current section or the track design speed. The closer the value is to 0, the smaller the adaptive execution time window radius. This means that at high speeds, even a communication delay or time asynchrony of only a few milliseconds can cause train control commands to lag, leading to serious accidents. Therefore, the faster the speed, the more stringent the requirements for time synchronization. To control the real-time curvature of the orbital segment at time i of the control cycle. The larger, The larger the value, the better. It can be set to the maximum allowable curvature or safety limit of the current line section. The closer the value is to 0, the smaller the adaptive execution time window radius. This indicates that the train's stability deteriorates and its fault tolerance decreases on curves or steep slopes. If communication delays occur at this time, the consequences could be disastrous. Therefore, the harsher the track environment, the more stringent the requirements for time synchronization. To control the instantaneous speed change rate of the train at the i-th moment of the cycle, when the train speed changes too rapidly, The larger, It can be set to the train's normal maximum safe acceleration or deceleration. This represents a coupled risk term, indicating that braking or accelerating on a straight track is relatively manageable, but braking or accelerating on a curve increases the risk exponentially (prone to rollover or derailment). When the train is stationary or moving at a constant speed, the acceleration is 0. The value is 1, considering only the risk of curvature itself, when the train brakes suddenly on a curve ( When it is very large, The value of will become very large, multiplying the risks associated with curvature. Used to control the degree of contraction of overall physical risk with respect to the time window radius. Used to adjust the coupling relationship between track curvature risk and train dynamics (acceleration) risk. It can be set to 1, indicating that when When the value increases by 1 unit, the adaptive execution time window radius decreases to approximately 37% of its original value. It can be set to 2, which means that the risk of acceleration is magnified by 2 times on sharp bends. This indicates that the radius of the adaptive execution time window is determined based on the logical topology hop count of members within the domain, the estimated maximum network latency jitter, and the physical operation risk of the train.
[0084] In this way, the adaptive execution time window radius can be determined based on the logical topology hop count, the estimated maximum network latency jitter, the instantaneous train speed, and the real-time track section curvature. During the calculation process, the adaptive execution time window radius can be determined by fully considering the logical topology hop count of members within the domain, the estimated maximum network latency jitter, and the physical operation risk of the train, thus improving the accuracy of the adaptive execution time window radius.
[0085] According to the railway traffic signal control method of the present invention, a dynamic safety control domain can be dynamically constructed for trains and ground signal equipment that are executing the same route or controlled by the same interlocking logic. Within the dynamic safety control domain, two-way authentication and command synchronization are implemented to ensure that the source of control commands is reliable, the content is complete, and the execution time is precisely synchronized. Furthermore, the regional control center safely distributes the set of control commands based on the real-time train track characteristic frequency code and the instantaneous speed change rate of the train. Members within the dynamic safety control domain execute commands based on the set of control commands, the instantaneous speed change rate of the train, the instantaneous speed of the train, and the real-time track section curvature, thereby improving the accuracy of railway traffic signal control. When determining the dynamic domain session key, it can be generated based on the dynamic confusion matrix, real-time train track characteristic frequency code, train instantaneous speed change rate, absolute execution timestamp, dynamic control task identifier, first hash function value, second hash function value, and elliptic curve group order. During the generation of the dynamic domain session key, task binding, identity binding, spatial binding, time binding, and physical environment binding can be performed based on the dynamic control task identifier, hash sum of public keys of domain members, control center coordinate hash, timestamp, and physical characteristics, improving the security of the dynamic domain session key. When determining the adaptive execution time window radius, it can be determined based on the logical topology hop count, estimated maximum network latency jitter, train instantaneous speed, and real-time track segment curvature. During the calculation process, the adaptive execution time window radius can be determined by fully considering the logical topology hop count of domain members, estimated maximum network latency jitter, and train physical operation risks, improving the accuracy of the adaptive execution time window radius.
[0086] Figure 6 A block diagram of a railway traffic signal control system according to an embodiment of the present invention is shown as an example, the system comprising:
[0087] The train data module is used to acquire the instantaneous speed of the train, the real-time track section curvature, the real-time train track characteristic frequency code, the instantaneous speed change rate of the train, the interlocking logic, the train position, and the planned route at multiple moments in the control cycle.
[0088] The dynamic control module is used to generate a dynamic safety control domain based on the train position and the planned route;
[0089] The authentication synchronization module is used to perform two-way authentication and secure time synchronization for members within the dynamic security control domain.
[0090] A control instruction module is used to generate a set of control instructions based on the interlocking logic and the planned route, wherein the set of control instructions includes: control instructions and absolute execution timestamps;
[0091] The instruction distribution module is used to safely distribute the set of control instructions based on the real-time train track characteristic frequency code and the instantaneous speed change rate of the train.
[0092] The instruction execution module is used for domain members within the dynamic safety control domain to execute instructions based on the control instruction set, the instantaneous speed change rate of the train, the instantaneous speed of the train, and the real-time track section curvature.
[0093] This invention can be a method, apparatus, system, and / or computer program product. The computer program product may include a computer-readable storage medium having computer-readable program instructions loaded thereon for performing various aspects of the invention.
[0094] Those skilled in the art should understand that the embodiments of the present invention described above and shown in the accompanying drawings are merely examples and do not limit the present invention. The objectives of the present invention have been fully and effectively achieved. The functions and structural principles of the present invention have been demonstrated and explained in the embodiments, and any variations or modifications may be made to the implementation of the present invention without departing from the stated principles.
Claims
1. A railway traffic signal device control method characterized by, include: At multiple moments during the control cycle, the instantaneous train speed, real-time track section curvature, real-time train track characteristic frequency code, instantaneous train speed change rate, interlocking logic, train position, and planned route are acquired; a dynamic safety control domain is generated based on the train position and the planned route. Perform two-way authentication and secure time synchronization for members within the dynamic security control domain; Based on the interlocking logic and the planned route, a control command set is generated, wherein the control command set includes: control commands and absolute execution timestamps; the control command set is safely distributed based on the real-time train track characteristic frequency code and the train instantaneous speed change rate; members within the dynamic safety control domain execute commands based on the control command set, the train instantaneous speed change rate, the train instantaneous speed, and the real-time track section curvature; based on the train position and the planned route, a dynamic safety control domain is generated, including: generating a dynamic control task identifier based on the train position and the planned route; generating a dynamic safety control domain based on the dynamic control task identifier, wherein the dynamic safety control domain includes: a regional control center, an onboard control unit, and trackside signal control devices related to the planned route. The process involves: securely distributing the control command set based on the real-time train track characteristic frequency code and the train instantaneous speed change rate; obtaining the authentication phase exchange public key of the domain members within the dynamic security control domain; obtaining the real-time geographic coordinates of the regional control center; obtaining the elliptic curve group order; generating a dynamic obfuscation matrix based on the dynamic control task identifier and the absolute execution timestamp; generating a dynamic domain session key based on the dynamic obfuscation matrix, the real-time train track characteristic frequency code, the train instantaneous speed change rate, the absolute execution timestamp, the authentication phase exchange public key, the dynamic control task identifier, the real-time geographic coordinates of the regional control center, and the elliptic curve group order; generating a secure command broadcast packet based on the dynamic domain session key and the control command set; and securely distributing the secure command broadcast packet.
2. The railway traffic signal control method according to claim 1, characterized in that, Two-way authentication and secure time synchronization are performed for members within the dynamic security control domain, including: two-way authentication of members within the dynamic security control domain based on elliptic curve cryptography; and secure time synchronization based on the regional control center as the reference time source.
3. The railway traffic signal control method according to claim 1, characterized in that, Generating a dynamic domain session key based on the dynamic confusion matrix, the real-time train track characteristic frequency code, the train instantaneous speed change rate, the absolute execution timestamp, the authentication phase exchange public key, the dynamic control task identifier, the real-time geographic coordinates of the regional control center, and the elliptic curve group order includes: determining a first hash function value based on the authentication phase exchange public key; determining a second hash function value based on the real-time geographic coordinates of the regional control center; and generating the dynamic domain session key based on the dynamic confusion matrix, the real-time train track characteristic frequency code, the train instantaneous speed change rate, the absolute execution timestamp, the dynamic control task identifier, the first hash function value, the second hash function value, and the elliptic curve group order.
4. The railway traffic signal control method according to claim 3, characterized in that, Based on the dynamic confusion matrix, the real-time train track characteristic frequency code, the train instantaneous speed change rate, the absolute execution timestamp, the dynamic control task identifier, the first hash function value, the second hash function value, and the elliptic curve group order, a dynamic domain session key is generated, including: according to the formula: Determine the dynamic domain session key at time i of the control cycle. ,in," "This is the XOR operation." " is a non-linear operator," "For modular arithmetic, For collision hash functions, Let i be the dynamic confusion matrix at time i of the control period. This is the dynamic control task identifier at the i-th moment of the control cycle. The first hash function value of the public key is exchanged during the authentication phase of the k-th member within the dynamic security control domain. The second hash function value represents the real-time geographic coordinates of the regional control center at the i-th moment of the control cycle. Let i be the absolute execution timestamp at the i-th moment of the control cycle. To control the instantaneous speed change rate of the train at the i-th moment of the control cycle, For the real-time train track characteristic frequency code at the i-th moment of the control cycle, Let K be the order of the elliptic curve group, K be the number of members in the dynamic security control domain, k ≤ K, and both k and K are positive integers.
5. The railway traffic signal control method according to claim 1, characterized in that, Within the dynamic safety control domain, domain members execute commands based on the control command set, the instantaneous train speed change rate, the instantaneous train speed, and the real-time track segment curvature. This includes: obtaining the logical topology hop count for each domain member; obtaining the estimated maximum network delay jitter; determining the adaptive execution time window radius based on the logical topology hop count, the estimated maximum network delay jitter, the instantaneous train speed change rate, the instantaneous train speed, and the real-time track segment curvature; determining the adaptive execution time window based on the adaptive execution time window radius; and executing the control commands within the adaptive execution time window corresponding to the absolute execution timestamp.
6. The railway traffic signal control method according to claim 5, characterized in that, Based on the logical topology hop count, the estimated maximum network latency jitter, the train instantaneous speed change rate, the train instantaneous speed, and the real-time track segment curvature, the adaptive execution time window radius is determined, including: according to the formula: Determine the adaptive execution time window radius of the k-th member within the dynamic safety control domain at the i-th moment of the control cycle. ,in, , , and Here, is the preset coefficient, and max is the function to find the maximum value. Let be the logical topology hop count of the k-th member within the dynamic security control domain. For the estimated maximum network latency jitter of the k-th member within the dynamic security control domain at time i of the control period. To control the instantaneous speed of the train at the i-th moment of the cycle, To preset the instantaneous speed threshold of the train, To control the real-time curvature of the orbital segment at time i of the control cycle, To preset the curvature threshold, To control the instantaneous speed change rate of the train at the i-th moment of the control cycle, The preset velocity change rate threshold is K, which is the number of members in the dynamic safety control domain, k≤K, and both k and K are positive integers.
7. A railway traffic signal device control system, characterized in that, The method is used to execute the method of any one of claims 1-6, comprising: a train data module, used to acquire, at multiple moments in a control cycle, instantaneous train speed, real-time track segment curvature, real-time train track characteristic frequency code, instantaneous train speed change rate, interlocking logic, train position, and planned route; a dynamic control module, used to generate a dynamic safety control domain based on the train position and the planned route; an authentication synchronization module, used to perform bidirectional authentication and secure time synchronization for members within the dynamic safety control domain; a control command module, used to generate a control command set based on the interlocking logic and the planned route, wherein the control command set includes: control commands and absolute execution timestamps; a command distribution module, used to securely distribute the control command set based on the real-time train track characteristic frequency code and the instantaneous train speed change rate; and a command execution module, used for members within the dynamic safety control domain to execute commands based on the control command set, the instantaneous train speed change rate, the instantaneous train speed, and the real-time track segment curvature; and to generate a dynamic safety control domain based on the train position and the planned route. The domain includes: generating a dynamic control task identifier based on the train position and the planned route; generating a dynamic safety control domain based on the dynamic control task identifier, wherein the dynamic safety control domain includes: an area control center, an onboard control unit, and a trackside signal control device related to the planned route; and securely distributing the control command set based on the real-time train track characteristic frequency code and the train instantaneous speed change rate, including: obtaining the authentication phase exchange public key of the domain members within the dynamic safety control domain; obtaining the real-time geographic coordinates of the area control center; obtaining the elliptic curve group order; generating a dynamic obfuscation matrix based on the dynamic control task identifier and the absolute execution timestamp; generating a dynamic domain session key based on the dynamic obfuscation matrix, the real-time train track characteristic frequency code, the train instantaneous speed change rate, the absolute execution timestamp, the authentication phase exchange public key, the dynamic control task identifier, the real-time geographic coordinates of the area control center, and the elliptic curve group order; generating a safety command broadcast packet based on the dynamic domain session key and the control command set; and securely distributing the safety command broadcast packet.