A blockchain-based intelligent device identity authentication method
By combining blockchain and BG-TrustGNN, a smart device authentication method is constructed, which solves the problem of joint verification of smart devices in dynamic scenarios, and achieves highly accurate and strongly correlated authentication, adapting to dynamic permission changes and abnormal behavior scenarios.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SHANDONG XIDONG IOT TECH CO LTD
- Filing Date
- 2026-03-25
- Publication Date
- 2026-06-05
AI Technical Summary
In existing technologies, the identity information, group relationships, and permission status of smart devices are stored in a scattered manner, making it difficult to perform joint verification under specific groups, specific permissions, and specific operating scenarios. The authentication results are not adaptable to dynamic scenarios and lack effective utilization of permission changes, group migrations, and abnormal events.
A blockchain-based smart device authentication method is adopted. By generating device public and private keys, main chain and sub-chain records are constructed. Combined with BG-TrustGNN for joint verification, an authentication decision and on-chain verification record for the current request are formed, including signature verification, timestamp verification and random number verification. A hierarchical heterogeneous verification graph is constructed to perform multi-type chain-level propagation calculations.
It improves the accuracy of identity verification and the relevance of permission determination, enhances the adaptability to dynamic scenarios, realizes unified verification of device identity authenticity and operation legality, and improves data consistency and processing relevance.
Smart Images

Figure CN122160068A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of smart device identity authentication and communication security technology, and in particular to a blockchain-based smart device identity authentication method. Background Technology
[0002] With the continuous deployment of the Internet of Things (IoT) and smart terminals, the demand for identity authentication of smart devices in industrial control, security monitoring, and resource access is constantly increasing. In existing technologies, common solutions primarily verify device identity and access requests through a central authentication server, digital certificates, or static permission tables, and combine timestamps, random numbers, and signature mechanisms to achieve basic authentication processing. Other solutions write device identifiers, public keys, or access records to the blockchain to enhance data traceability and tamper-proof capabilities.
[0003] In practical applications, the aforementioned existing technologies typically store device identity information, group relationships, and permission status in a scattered manner. There is a lack of unified correlation between identity verification and operation legitimacy determination, making it difficult to jointly verify requests from devices under specific groups, permissions, and operational scenarios. Furthermore, the utilization of permission changes, group migrations, historical operations, and abnormal events is limited, resulting in insufficient adaptability of authentication results to dynamic scenarios. Moreover, relying solely on signature verification results or static authorization relationships makes it difficult to form a closed-loop on-chain verification system covering the entire request process.
[0004] Therefore, how to provide a blockchain-based smart device authentication method is a problem that urgently needs to be solved by those skilled in the art. Summary of the Invention
[0005] One objective of this invention is to propose a blockchain-based smart device authentication method. This invention comprehensively utilizes blockchain notarization, digital signature verification, and the BG-TrustGNN joint verification method to perform correlation verification on the smart device's device identity, group relationship, permission status, historical operations, and abnormal events, forming an authentication decision and on-chain verification record for the current request. It has the advantages of high authentication accuracy, strong correlation of permission determination, traceability of the verification process, and strong anti-tampering capabilities.
[0006] A blockchain-based smart device authentication method according to an embodiment of the present invention includes the following steps: Generate device public and private keys for smart devices, construct main chain identity records and sub-chain control records, and obtain on-chain registration information; When a smart device initiates a request to access a target resource or a request to perform a target operation, a request message is generated, and the request message is signed using the device's private key to obtain a signed request message. The access gateway or edge authentication node receives the signature request message, performs signature verification, timestamp validity verification, and random number repeatability verification on the signature request message, and obtains the pre-verification result; Based on the pre-verification results, signature gating information is generated, and based on the on-chain registration information, multi-dimensional on-chain information is obtained. A hierarchical heterogeneous verification graph is constructed based on multi-dimensional information on the chain, and multiple types of verification chains are extracted based on the hierarchical heterogeneous verification graph to obtain a set of verification chains; BG-TrustGNN is used to perform chain-level propagation calculations on each verification chain in the verification chain set to obtain chain-level propagation results. The chain-level propagation results are then weighted and aggregated to obtain joint verification results. The authentication decision is output based on the joint verification result, and the authentication decision and the authentication digest corresponding to the signature request message are written to the sub-chain. The state digest is synchronized to the main chain to obtain the on-chain verification record.
[0007] Optionally, the step of generating a device public key and a device private key for the smart device, constructing a main chain identity record and a sub-chain control record, and obtaining on-chain registration information specifically includes: Perform a key generation operation on the smart device to generate the device's public key and private key, and obtain the key generation result; Based on the key generation result, a device identifier is assigned to the smart device, and the device type, device registration status and subchain identifier of the smart device are collected to obtain device identity registration data; Write device identity registration data into the main chain to generate a main chain identity record; Based on the device identifier and the identifier of the sub-chain to which the device belongs, the sub-chain control data is obtained; Write the subchain control data to the subchain corresponding to the subchain identifier to which the device belongs, and generate a subchain control record; The main chain identity record and the sub-chain control record are associated and registered to generate on-chain registration information.
[0008] Optionally, the step of generating a request message and signing the request message using the device's private key to obtain a signed request message when the smart device initiates a target resource access request or target operation request specifically includes: When a smart device initiates a request to access a target resource or to perform a target operation, the device identifier in the on-chain registration information is called to obtain the set of request parameters. The request parameter set is arranged and formatted to generate a request message. A digest is calculated from the request message to obtain the message digest. The device private key from the key generation result is used to perform a signature operation on the message digest to obtain a signature value. The request message is then combined with the signature value to obtain a signature request message.
[0009] Optionally, the step of receiving the signature request message from the access gateway or edge authentication node, performing signature verification, timestamp validity verification, and random number repeatability verification on the signature request message to obtain the pre-verification result specifically includes: The access gateway or edge authentication node receives the signature request message, parses the signature request message, and obtains the request parsing result; Based on the device identifier in the request parsing result, the main chain identity record is read from the on-chain registration information, and the revocation status is read to obtain the main chain reading result; Perform digest calculation on the request message to generate a digest to be verified, and perform signature verification on the signature value based on the device public key to obtain the signature verification result; Based on the timestamp in the request parsing result, perform timestamp validity verification on the signed request message to obtain the timestamp verification result; The random number in the request parsing result is used to perform a random number repeatability check on the signed request message to obtain the random number check result; Based on the device registration status and revocation status in the main chain reading results, perform identity status verification on the signature request message to obtain the identity status verification result; The signature verification result, timestamp verification result, random number verification result, and identity status verification result are combined, and combined with the device's sub-chain identifier in the main chain reading result, to generate a pre-verification result.
[0010] Optionally, the step of generating signature gating information based on the pre-verification results and obtaining on-chain multi-dimensional information based on the on-chain registration information specifically includes: The pre-verification results are judged. When the signature verification result, timestamp verification result, random number verification result and identity status verification result in the pre-verification result all pass, a pre-verification pass identifier is generated. Based on the signature verification result, timestamp verification result, random number verification result, identity status verification result, and pre-verification pass flag, generate signature gating information; Based on the device identifier in the signature request message and the subchain identifier to which the device belongs in the pre-verification result, the on-chain read result is read from the on-chain registration information; Based on the main chain identity record in the on-chain read results, generate device identity information and device public key binding information; Based on the sub-chain control records in the on-chain read results, generate device group relationship information, permission policy information, permission change information, historical operation information, and abnormal event information; Based on the device's subchain identifier and subchain control record in the main chain identity record, generate main chain and subchain mapping information; The device identity information, device public key binding information, device group relationship information, permission policy information, permission change information, historical operation information, abnormal event information, main chain and sub-chain mapping information, and signature gating information are combined to generate multi-dimensional information on the chain.
[0011] Optionally, the step of constructing a hierarchical heterogeneous verification graph based on multi-dimensional information on the chain, and extracting multiple types of verification chains based on the hierarchical heterogeneous verification graph to obtain a set of verification chains specifically includes: Receive on-chain multidimensional information and signature request messages, and extract graph construction input information from the on-chain multidimensional information and signature request messages; Based on the graph, construct a set of nodes and edges from the input information, and then construct a hierarchical heterogeneous verification graph. Based on the hierarchical heterogeneous verification graph, feature loading is performed on each node in the node set to generate a node feature set; Based on the hierarchical heterogeneous verification graph, the relationships of each edge in the edge set are loaded to generate an edge feature set; Starting with a device node and ending with a resource node or operation node, a path is searched in the hierarchical heterogeneous verification graph. The paths are then classified according to the sequence of node types and edge types traversed in each path, generating multi-type verification chains. The verification chains in the multi-type verification chain are classified according to the chain type to obtain the verification chain set.
[0012] Optionally, the step of using BG-TrustGNN to perform chain-level propagation calculations on each verification chain in the verification chain set to obtain chain-level propagation results, and then weighting and aggregating the chain-level propagation results to obtain joint verification results specifically includes: Receive the verification chain set, on-chain multidimensional information, and signature gating information, and extract the propagation input information; The propagation input information is input into BG-TrustGNN, and the basic propagation vector is obtained through the encoding module, the hierarchical heterogeneous message passing module, the signature gating module, and the verification chain encoding module. Generate a signature gating coefficient based on the signature gating information, generate a timing adjustment coefficient based on the permission change information and device group relationship information, and generate a risk penalty coefficient based on the abnormal event information to obtain the propagation adjustment parameters; The basic propagation vector is combined with the propagation adjustment parameters to obtain the chain-level propagation result; Using the dual-role embedding module, request role embedding and authorization role embedding are constructed based on the chain-level propagation results; Using the aggregation output module, a weighted aggregation vector is generated based on the chain-level propagation results, request role embedding, and authorized role embedding corresponding to each verification chain; The request role embedding, the authorized role embedding, and the weighted aggregation vector are combined to generate a joint verification result.
[0013] Optionally, the step of inputting the propagation input information into BG-TrustGNN and obtaining the basic propagation vector through the encoding module, hierarchical heterogeneous message passing module, signature gating module, and verification chain encoding module specifically includes: The propagation input information is input into BG-TrustGNN. Through the encoding module, feature mapping is performed on each node feature in the node feature set and each edge feature in the edge feature set to generate initial node representation and initial edge representation. Input the initial node representation and initial edge representation into the hierarchical heterogeneous message passing module, and perform multi-level heterogeneous message propagation on each node based on the hierarchical heterogeneous verification graph to generate a graph propagation representation; The graph propagation representation and signature gating information are input into the signature gating module. A gating vector is generated based on the signature gating information, and the graph propagation representation is gated and modulated using the gating vector to generate a gated graph propagation representation. The gated graph propagation representation is input into the verification chain encoding module. For each verification chain in the verification chain set, the gated graph propagation representation corresponding to each node is extracted and arranged in the order of the nodes to generate a verification chain representation sequence. The verification chain encoding module is used to perform chain-level encoding on the verification chain representation sequence to generate the basic propagation vector corresponding to the verification chain.
[0014] Optionally, the step of using the dual-role embedding module to construct the request role embedding and the authorization role embedding based on the chain-level propagation result specifically includes: The dual-role embedding module receives the chain-level propagation results and the set of verification chains. Based on the set of verification chains, it determines the direction of each verification chain, identifies the requesting role chain and the authorized role chain, and obtains the role division result. Based on the role classification results, extract the chain-level propagation results corresponding to the request role chain set from the chain-level propagation results, and generate a request role propagation sub-result set. Based on the role classification results, extract the chain-level propagation results corresponding to the authorized role chain set from the chain-level propagation results, and generate the authorized role propagation sub-result set. Using the dual-role embedding module, attention weights are calculated for each chain-level propagation result in the request role's propagation sub-result set to generate a request role attention weight set. Based on the request role attention weight set, the chain-level propagation results in the request role propagation sub-result set are weighted and aggregated to construct the request role embedding; Calculate the attention weights of each chain-level propagation result in the authorized role propagation sub-result set to generate an authorized role attention weight set. Based on the set of attention weights for authorized roles, the propagation results of each chain in the set of propagation sub-results of authorized roles are weighted and aggregated to construct the embedded role of authorized roles. The request role embedding and the authorized role embedding are concatenated to generate a dual role embedding result.
[0015] Optionally, the step of outputting an authentication decision based on the joint verification result, writing the authentication decision and the authentication digest corresponding to the signature request message into the sub-chain, and synchronizing the state digest to the main chain to obtain the on-chain verification record specifically includes: Receive the joint verification result and signature request message, and calculate the verification decision probability vector and verification decision category based on the request role embedding, authorized role embedding and weighted aggregation vector in the joint verification result; Output the authentication decision corresponding to the current request based on the authentication decision category; Generate an authentication digest based on the signature request message, authentication decision, and federated verification result; Write the authentication decision and authentication digest into the subchain corresponding to the subchain identifier to which the device belongs, and generate a subchain verification record; Generate a corresponding state digest based on the authentication digest and subchain verification record, and synchronize the state digest to the main chain to generate a main chain synchronization record; Associate and register the subchain verification record, main chain synchronization record, authentication digest, and status digest to generate on-chain verification record.
[0016] The beneficial effects of this invention are: This invention establishes a unified on-chain organizational structure for device identity information, group relationship information, and access control information by writing device identifier, device public key, device registration status, and the identifier of the subchain to which the device belongs into the main chain, and writing group affiliation, group hierarchy, permission policies, permission change records, historical operation records, and abnormal event records into the corresponding subchains. Based on this, device identity verification and operation legitimacy determination can be completed using the same on-chain data system, thereby improving data consistency and processing correlation between the identity verification process and the permission determination process.
[0017] When a device initiates a request, this invention first performs signature verification, timestamp validity verification, random number repeatability verification, and identity status verification on the signature request message. Then, it combines multi-dimensional information from the blockchain to construct a hierarchical heterogeneous verification graph and extracts multiple types of verification chains for chain-level propagation calculation. Therefore, the verification process no longer relies solely on a single signature result or static authorization relationship for judgment. Instead, it incorporates device identity, public key binding, group relationships, permission status, historical operations, and abnormal events into a unified verification process. This allows the current request to complete joint verification under multi-dimensional constraints, thereby improving the adaptability of identity verification results to dynamic scenarios.
[0018] Compared to existing graph neural networks, the BG-TrustGNN used in this invention improves upon existing ones by using a hierarchical heterogeneous verification graph composed of the main chain and sub-chains as the propagation basis. During propagation, it introduces signature gating information, permission change information, group migration information, historical operation information, and abnormal event information, while simultaneously constructing request role embeddings and authorized role embeddings. Based on this improvement, the network output is no longer limited to a single relation representation but can simultaneously characterize the authenticity of device identity and the legitimacy of operations, thereby enhancing the joint judgment capability for dynamic permission changes, group relationship changes, and abnormal behavior scenarios. Attached Figure Description
[0019] The accompanying drawings are provided to further illustrate the invention and form part of the specification. They are used in conjunction with embodiments of the invention to explain the invention and do not constitute a limitation thereof. In the drawings: Figure 1 This is a flowchart of a blockchain-based smart device authentication method proposed in this invention; Figure 2 This is a schematic diagram illustrating the construction of a hierarchical heterogeneous verification graph in a blockchain-based smart device authentication method proposed in this invention. Figure 3 This is a schematic diagram of the structure of BG-TrustGNN in the blockchain-based smart device authentication method proposed in this invention. Detailed Implementation
[0020] The present invention will now be described in further detail with reference to the accompanying drawings. These drawings are simplified schematic diagrams, illustrating only the basic structure of the invention, and therefore only show the components relevant to the invention.
[0021] refer to Figures 1-3 A blockchain-based smart device authentication method includes the following steps: Generate device public and private keys for smart devices, construct main chain identity records and sub-chain control records, and obtain on-chain registration information; When a smart device initiates a request to access a target resource or a request to perform a target operation, a request message is generated, and the request message is signed using the device's private key to obtain a signed request message. The access gateway or edge authentication node receives the signature request message, performs signature verification, timestamp validity verification, and random number repeatability verification on the signature request message, and obtains the pre-verification result; Based on the pre-verification results, signature gating information is generated, and based on the on-chain registration information, multi-dimensional on-chain information is obtained. A hierarchical heterogeneous verification graph is constructed based on multi-dimensional information on the chain, and multiple types of verification chains are extracted based on the hierarchical heterogeneous verification graph to obtain a set of verification chains; BG-TrustGNN is used to perform chain-level propagation calculations on each verification chain in the verification chain set to obtain chain-level propagation results. The chain-level propagation results are then weighted and aggregated to obtain joint verification results. The authentication decision is output based on the joint verification result, and the authentication decision and the authentication digest corresponding to the signature request message are written to the sub-chain. The state digest is synchronized to the main chain to obtain the on-chain verification record.
[0022] In this embodiment, generating a device public key and a device private key for the smart device, constructing a main chain identity record and a sub-chain control record, and obtaining on-chain registration information specifically includes: Perform a key generation operation on the smart device to generate the device's public key and private key, and obtain the key generation result; The key generation operation includes: calling the key generation algorithm based on preset security parameters to generate a one-to-one corresponding device public key and device private key for the smart device. The device public key is used to write to the main chain and serve as one of the identity identification information of the smart device, while the device private key is used to sign the request message initiated by the smart device. Based on the key generation result, a device identifier is assigned to the smart device, and the device type, device registration status and subchain identifier of the smart device are collected. The device identifier, device public key, device type, device registration status, subchain identifier of the device and registration timestamp are combined to form device identity registration data, thus obtaining device identity registration data. Write device identity registration data into the main chain to generate a main chain identity record corresponding to the smart device; Specifically, this includes: encapsulating device identity registration data to form a main chain registration transaction, broadcasting the main chain registration transaction to the main chain nodes, having the main chain nodes perform consensus processing on the main chain registration transaction and write it into a block, and generating a main chain identity record on the main chain corresponding to the device identifier; The main chain identity record includes at least the device identifier, device public key, device type, device registration status, the sub-chain identifier to which the device belongs, and the registration timestamp; Based on the device identifier and the subchain identifier to which the device belongs, configure the group affiliation relationship, group hierarchy relationship, device permission information, group permission information, permission change records, historical operation records and abnormal event records corresponding to the smart device to obtain subchain control data; Write the subchain control data to the subchain corresponding to the subchain identifier to which the device belongs, and generate a subchain control record corresponding to the smart device; Specifically, this includes: determining the target subchain based on the subchain identifier of the device; encapsulating the subchain control data to form a subchain control transaction; broadcasting the subchain control transaction to the subchain nodes of the target subchain; having the subchain nodes perform consensus processing on the subchain control transaction and write it into a block; and generating a subchain control record corresponding to the device identifier on the target subchain. The sub-chain control record should include at least the device identifier, group affiliation, group hierarchy, device permission information, group permission information, permission change record, historical operation record, and abnormal event record. The main chain identity record and the sub-chain control record are associated and registered to generate on-chain registration information corresponding to smart devices; Specifically, this includes: establishing a correspondence between the main chain identity record and the sub-chain control record using the device identifier as the association field; establishing a mapping relationship between the main chain and the sub-chain using the sub-chain identifier to which the device belongs as the mapping field; and uniformly registering the main chain identity record and the sub-chain control record to form on-chain registration information.
[0023] In this embodiment, when a smart device initiates a target resource access request or a target operation request, a request message is generated, and the request message is signed using the device's private key to obtain a signed request message, specifically including: When a smart device initiates a target resource access request or a target operation request, the device identifier in the on-chain registration information is called to obtain the target operation type, target resource identifier, request initiation time and request context information corresponding to the current request, and a random number is generated to obtain the request parameter set; The request parameter set includes device identifier, target operation type, target resource identifier, timestamp, random number, and request context information; Among them, the device identifier is used to indicate the identity of the smart device that initiated the current request, the target operation type is used to indicate the operation category corresponding to the current request, the target resource identifier is used to indicate the target resource corresponding to the current request, the timestamp is used to indicate the initiation time of the current request, the random number is used to indicate the one-time random identifier corresponding to the current request, and the request context information is used to indicate the environment status, network status, session status or device status corresponding to the current request. The request parameter set is arranged and formatted to generate a request message corresponding to the request parameter set; Field orchestration includes arranging the device identifier, target operation type, target resource identifier, timestamp, random number, and request context information in sequence; arranging the subfields in the request context information in sequence; and configuring the corresponding field name, field length, field type, or field identifier for each field. The format encapsulation includes writing the fields after field arrangement into at least one of the message header, message body, and extended field area according to the message structure; performing encoding conversion on device identifier, target operation type, target resource identifier, timestamp, random number, and request context information; and concatenating, encapsulating, or serializing the encoded field content to form a unified format request data structure. Perform a digest calculation on the request message to obtain the message digest corresponding to the request message; The digest calculation includes reading all fields from the request message, extracting the message fields corresponding to the device identifier, target operation type, target resource identifier, timestamp, random number, and request context information in the same order as the field arrangement; performing hash operations on all extracted message fields; and outputting a fixed-length digest as the message digest. The message digest is used to represent the digest feature value of the request message. The device private key from the key generation result is used to perform a signature operation on the message digest, resulting in a signature value corresponding to the message digest. The signature operation includes reading the device private key and message digest, using the device private key to encrypt and sign the message digest, and outputting the signature result corresponding to the message digest as the signature value. The request message is combined with the signature value to obtain the signature request message corresponding to the current request; Specifically, this includes using the request message as the request data part, the signature value as the signature data part, and splicing, encapsulating, or associating the request data part and the signature data part according to a preset message format; The correspondence between the request message and the signature value is preserved in the signature request message so that the access gateway or edge authentication node can perform verification processing based on the request message and the signature value.
[0024] In this embodiment, the access gateway or edge authentication node receives the signature request message and performs signature verification, timestamp validity verification, and random number repeatability verification on the signature request message to obtain the pre-verification result, specifically including: The access gateway or edge authentication node receives the signature request message, parses the signature request message, extracts the request message and signature value, and extracts the device identifier, timestamp and random number from the request message to obtain the request parsing result; Based on the device identifier in the request parsing result, read the main chain identity record corresponding to the device identifier from the on-chain registration information, and extract the device public key, device registration status and the sub-chain identifier to which the device belongs from the main chain identity record. Read the revocation status corresponding to the device identifier to obtain the main chain reading result. Perform digest calculation on the request message to generate a digest to be verified corresponding to the request message, and perform signature verification on the signature value based on the device public key in the main chain reading result to obtain the signature verification result; Signature verification includes calling the device public key corresponding to the device identifier, verifying the signature value, and determining whether the signature value was generated by the device private key corresponding to the device public key for the digest to be verified. When the signature value can be verified by the device public key for the digest to be verified, the signature verification result is determined to be successful. When the signature value cannot be verified by the device public key for the digest to be verified, the signature verification result is determined to be unsuccessful. Based on the timestamp in the request parsing result, perform timestamp validity verification on the signed request message to obtain the timestamp verification result; The timestamp validity verification includes obtaining the current time when the access gateway or edge authentication node receives the signature request message, calculating the time difference between the current time and the timestamp, and comparing the time difference with a preset time window threshold. When the time difference is less than or equal to the preset time window threshold, the timestamp verification result is determined to be successful; when the time difference is greater than the preset time window threshold, the timestamp verification result is determined to be unsuccessful. The random number in the request parsing result is used to perform a random number repeatability check on the signed request message to obtain the random number check result; Random number repeatability verification involves matching and comparing the random number with a set of used random numbers maintained by the access gateway or edge authentication node for the device identifier; if the random number does not belong to the set of used random numbers, the random number verification result is determined to be random number verification passed; if the random number belongs to the set of used random numbers, the random number verification result is determined to be random number verification failed. Based on the device registration status and revocation status in the main chain reading results, perform identity status verification on the signature request message to obtain the identity status verification result; Identity status verification includes: determining whether the device registration status is valid and whether the revocation status is not revoked; when the device registration status is valid and the revocation status is not revoked, the identity status verification result is determined to be identity status verification passed; when the device registration status is not valid or the revocation status is not revoked, the identity status verification result is determined to be identity status verification failed. The signature verification result, timestamp verification result, random number verification result, and identity status verification result are combined, and combined with the device's sub-chain identifier in the main chain reading result, to generate a pre-verification result; The process of generating a pre-verification result includes determining that the current request has passed pre-verification when the signature verification result is "signature verification passed", the timestamp verification result is "timestamp verification passed", the random number verification result is "random number verification passed" and the identity status verification result is "identity status verification passed". The device's subchain identifier is written into the pre-verification result. If any of the signature verification result, timestamp verification result, random number verification result, or identity status verification result fails, the pre-verification result indicates that the current request has failed the pre-verification, and the subchain identifier to which the device belongs is written into the pre-verification result.
[0025] In this implementation, signature gating information is generated based on the pre-verification results, and multi-dimensional on-chain information is obtained based on the on-chain registration information, specifically including: The pre-verification results are judged. When the signature verification result, timestamp verification result, random number verification result and identity status verification result in the pre-verification results all indicate that they have passed, a pre-verification pass identifier corresponding to the current request is generated. Among them, the pre-verification pass flag is used to indicate that the signature request message has passed signature verification, timestamp validity verification, random number repeatability verification, and identity status verification; Based on the signature verification result, timestamp verification result, random number verification result, identity status verification result, and pre-verification pass flag, generate signature gating information corresponding to the signature request message; Based on the device identifier in the signature request message and the subchain identifier to which the device belongs in the pre-verification result, the main chain identity record and subchain control record corresponding to the device identifier are read from the on-chain registration information to obtain the on-chain read result; The on-chain read results include at least the main chain identity record, the sub-chain control record, the device identifier, and the sub-chain identifier to which the device belongs. Extract the device identifier, device public key, device type, device registration status, device subchain identifier, and registration timestamp from the main chain identity record in the on-chain read results to generate device identity information and device public key binding information; Among them, the device identity information includes at least the device identifier, device type, device registration status and registration timestamp, and the device public key binding information includes at least the device identifier and the device public key; Extract group affiliation, group hierarchy, device permission information, group permission information, permission change records, historical operation records, and abnormal event records from the sub-chain control records read from the chain, and generate device group relationship information, permission policy information, permission change information, historical operation information, and abnormal event information; Among them, the device group relationship information includes at least the device identifier, group affiliation relationship and group hierarchy relationship; the permission policy information includes at least the device identifier, device permission information and group permission information; the permission change information includes at least the device identifier and permission change record; the historical operation information includes at least the device identifier and historical operation record; and the abnormal event information includes at least the device identifier and abnormal event record. Based on the device's subchain identifier and subchain control record in the main chain identity record, main chain and subchain mapping information is generated; wherein, the main chain and subchain mapping information includes at least the device identifier, main chain identity record, subchain control record and device's subchain identifier; The device identity information, device public key binding information, device group relationship information, permission policy information, permission change information, historical operation information, abnormal event information, main chain and sub-chain mapping information, and signature gating information are combined to generate on-chain multi-dimensional information corresponding to the signature request message.
[0026] In this embodiment, a hierarchical heterogeneous verification graph is constructed based on multi-dimensional information on the chain, and multiple types of verification chains are extracted based on the hierarchical heterogeneous verification graph to obtain a set of verification chains, specifically including: Receive on-chain multidimensional information and signature request messages, extract device identity information, device public key binding information, device group relationship information, permission policy information, permission change information, historical operation information, abnormal event information, main chain and sub-chain mapping information and signature gating information from the on-chain multidimensional information, extract request messages from the signature request messages, and generate request association information based on the target operation type, target resource identifier and request context information in the request messages to obtain graph construction input information; Based on the graph construction input information, device nodes, public key nodes, main chain anchor nodes, sub-chain domain nodes, group nodes, permission nodes, resource nodes, operation nodes, time context nodes, and risk event nodes are constructed, and these device nodes, public key nodes, main chain anchor nodes, sub-chain domain nodes, group nodes, permission nodes, resource nodes, operation nodes, time context nodes, and risk event nodes are combined to form a node set; Based on device public key binding information, main chain and sub-chain mapping information, device group relationship information, permission policy information, historical operation information, abnormal event information, and request association information, identity binding edges, main chain mapping edges, sub-chain affiliation edges, group affiliation edges, group hierarchy edges, permission granting edges, permission effect edges, historical behavior edges, abnormal event marking edges, and time sequence association edges are established in the node set. These edges are then combined to form an edge set. A hierarchical heterogeneous verification graph for signature request messages is constructed based on the node set and edge set. The node type mapping relationship is used to represent the node type corresponding to each node in the node set, and the edge type mapping relationship is used to represent the edge type corresponding to each edge in the edge set. Based on the hierarchical heterogeneous verification graph, feature loading is performed on each node in the node set. Device identity information, device public key binding information, device group relationship information, permission policy information, permission change information, historical operation information, abnormal event information, main chain and sub-chain mapping information, signature gating information, and request association information are mapped to the corresponding nodes respectively, forming a node feature set that corresponds one-to-one with device nodes, public key nodes, main chain anchor nodes, sub-chain domain nodes, group nodes, permission nodes, resource nodes, operation nodes, time context nodes, and risk event nodes. Based on the hierarchical heterogeneous verification graph, the edges in the edge set are loaded with relationships. Device public key binding information, main chain and sub-chain mapping information, device group relationship information, permission policy information, permission change information, historical operation information, abnormal event information and request association information are mapped to the corresponding edges respectively, forming edge features that correspond one-to-one with identity binding edges, main chain mapping edges, sub-chain affiliation edges, group affiliation edges, group hierarchy edges, permission granting edges, permission effect edges, historical behavior edges, abnormal marking edges and time sequence association edges, generating an edge feature set; Starting with a device node and ending with a resource node or operation node, a path with a length not exceeding a preset threshold is searched in the hierarchical heterogeneous verification graph. The paths are then classified according to the sequence of node types and edge types traversed in each path to generate multi-type verification chains. The various verification chains in the multi-type verification chain are classified according to the chain type to generate identity verification chain, group inheritance chain, permission authorization chain, historical behavior chain, risk propagation chain and cross-chain consistency chain. The identity verification chain, group inheritance chain, permission authorization chain, historical behavior chain, risk propagation chain and cross-chain consistency chain are combined to obtain the verification chain set.
[0027] In this embodiment, BG-TrustGNN is used to perform chain-level propagation calculations on each verification chain in the verification chain set to obtain chain-level propagation results. The chain-level propagation results are then weighted and aggregated to obtain joint verification results, specifically including: Receive the verification chain set, on-chain multidimensional information and signature gating information, extract the identity verification chain, group inheritance chain, permission authorization chain, historical behavior chain, risk propagation chain and cross-chain consistency chain from the verification chain set, and extract permission change information, group migration information, historical operation information and abnormal event information from the on-chain multidimensional information to obtain propagation input information; The propagation input information is input into BG-TrustGNN, and the basic propagation vector is obtained through the encoding module, the hierarchical heterogeneous message passing module, the signature gating module, and the verification chain encoding module. Based on the signature verification results, timestamp verification results, random number verification results, and identity status verification results in the signature gating information, a weighted sum is performed according to preset weights to generate the signature gating coefficients corresponding to each verification chain. Based on permission change information, group migration information in device group relationship information, and historical operation information, calculate the time difference between permission change time and current request time, the time difference between group migration time and current request time, and the time difference between historical operation time and current request time, respectively. Then, perform exponential decay weighted fusion on the time differences to generate the timing adjustment coefficients corresponding to each verification chain. Based on the severity of each abnormal event in the abnormal event information and the time difference between the occurrence time of the abnormal event and the current request time, each abnormal event is time-decayed weighted and accumulated and normalized to generate the risk penalty coefficient corresponding to each verification chain, thus obtaining the propagation adjustment parameter. The basic propagation vector is combined with the propagation adjustment parameters to obtain the chain-level propagation results for each verification chain; Specifically, this includes gating modulation of the basic propagation vector corresponding to each verification chain using the corresponding signature gating coefficient, performing time-series weighting using the corresponding time-series adjustment coefficient, and performing penalty correction using the corresponding risk penalty coefficient. Using the dual-role embedding module, request role embedding and authorization role embedding are constructed based on the chain-level propagation results; Using the aggregation output module, the request role embedding and the authorized role embedding are concatenated according to the chain-level propagation results, request role embedding and authorized role embedding corresponding to each verification chain, and then mapped through the aggregation mapping matrix to generate an aggregation query vector; Based on the degree of matching between the aggregated query vector and the chain-level propagation results corresponding to each verification chain, the aggregate weight corresponding to each verification chain is calculated. By using the aggregation weights corresponding to each verification chain, the chain-level propagation results corresponding to each verification chain are weighted and summed to generate a weighted aggregation vector; The request role embedding, the authorized role embedding, and the weighted aggregation vector are combined to generate a joint verification result.
[0028] In this embodiment, the propagation input information is input into BG-TrustGNN, and the basic propagation vector is obtained through the encoding module, hierarchical heterogeneous message passing module, signature gating module, and verification chain encoding module, specifically including: The propagation input information is input into BG-TrustGNN. Through the encoding module, feature mapping is performed on each node feature in the node feature set and each edge feature in the edge feature set to generate initial node representation and initial edge representation. Feature mapping includes extracting the original node features corresponding to each node, and using a preset node feature mapping matrix and node feature bias vector to perform a linear transformation on each original node feature to generate an initial node representation that corresponds one-to-one with each node. Extract the original edge features corresponding to each edge, and use the preset edge feature mapping matrix and edge feature bias vector to perform a linear transformation on each original edge feature to generate an initial edge representation that corresponds one-to-one with each edge. Input the initial node representation and initial edge representation into the hierarchical heterogeneous message passing module, and perform multi-level heterogeneous message propagation on each node based on the hierarchical heterogeneous verification graph to generate a graph propagation representation; Multi-layer heterogeneous message propagation includes, for each propagation layer, for the current node, traversing each adjacent node and its corresponding edge connected to the current node, calling the transformation matrix corresponding to the edge type according to the edge type, transforming the node representation of each adjacent node in the previous propagation layer, and determining the corresponding edge-level attention weight according to the connection relationship between the current node and each adjacent node. The weighted summation of the transformed representations of each neighboring node is performed using the attention weights of each edge level to generate the aggregated message corresponding to the current node at this propagation layer. The aggregated message is then merged with the result of the self-connection transformation matrix of the node representation of the current node in the previous propagation layer, and then processed by the activation function to obtain the node representation of the current node in that propagation layer; after each propagation layer is completed, the graph propagation representation of each node is obtained. The graph propagation representation and signature gating information are input into the signature gating module. A gating vector is generated based on the signature gating information, and the graph propagation representation is gated and modulated using the gating vector to generate a gated graph propagation representation. Specifically, this involves mapping the signature gating information using a preset gating mapping matrix and gating bias vector, generating a gating vector corresponding to the current smart device through an activation function, and multiplying the gating vector element-wise with the graph propagation representation corresponding to each node to obtain the gating graph propagation representation corresponding to each node. The gated graph propagation representation is input into the verification chain encoding module. For each verification chain in the verification chain set, the gated graph propagation representation corresponding to each node is extracted according to the node order in the verification chain, and arranged in the node order to generate the verification chain representation sequence corresponding to the verification chain. Each sequence element in the verification chain representation sequence corresponds to the gated graph propagation representation of each node in the verification chain. The length of the verification chain representation sequence is the same as the number of nodes in the verification chain, thus obtaining the verification chain representation sequence. The verification chain encoding module is used to perform chain-level encoding on the verification chain representation sequence to generate the basic propagation vector corresponding to the verification chain. Chain-level encoding involves sequentially inputting the verification chain representation sequence into a forward-gated recurrent unit, performing forward recursive encoding on each sequence element in the verification chain representation sequence according to the node order, and obtaining the forward hidden state corresponding to each sequence position; The verification chain representation sequence is sequentially input into the reverse gated loop unit. Each sequence element in the verification chain representation sequence is recursively encoded in the reverse direction of the node order to obtain the reverse hidden state corresponding to each sequence position. The positive hidden state at the end of the verification chain representation sequence is concatenated with the negative hidden state at the beginning of the verification chain representation sequence to generate the basic propagation vector corresponding to the verification chain.
[0029] In this embodiment, the construction of request role embedding and authorization role embedding based on the chain-level propagation result using the dual-role embedding module specifically includes: The dual-role embedding module receives the chain-level propagation results and the set of verification chains. Based on the start node type, end node type, and propagation direction of each verification chain in the set, it determines the direction of each verification chain. Verification chains whose propagation direction is from device nodes to resource nodes or operation nodes are identified as request role chains, and verification chains whose propagation direction is from permission nodes, group nodes, or main chain anchor nodes to device nodes are identified as authorized role chains. This yields the role classification results for the corresponding smart devices. The role classification results include the set of request role chains and the set of authorized role chains. Based on the role classification results, extract the chain-level propagation results corresponding to the request role chain set from the chain-level propagation results, and generate the request role propagation sub-result set for the corresponding smart device. Based on the role classification results, extract the chain-level propagation results corresponding to the authorized role chain set from the chain-level propagation results, and generate the authorized role propagation sub-result set for the corresponding smart device. Using the dual-role embedding module, attention weights are calculated for each chain-level propagation result in the request role's propagation sub-result set to generate a request role attention weight set. Specifically, for each chain-level propagation result in the request role propagation sub-result set, the request role attention mapping matrix and the request role attention bias vector are first mapped, and then the intermediate representation is obtained through hyperbolic tangent activation operation. The intermediate representation is matched and calculated with the request role attention parameter vector, and the matching calculation results are normalized to obtain the request role attention weights corresponding to each request role chain. Based on the request role attention weight set, the chain-level propagation results in the request role propagation sub-result set are weighted and aggregated to construct the request role embedding of the smart device as the request initiator; In this process, the chain-level propagation result corresponding to each request role chain is multiplied by the corresponding request role attention weight, and the product results are summed to obtain the request role embedding; Calculate the attention weights of each chain-level propagation result in the authorized role propagation sub-result set to generate an authorized role attention weight set. Specifically, for each chain-level propagation result in the authorized role propagation sub-result set, the authorized role attention mapping matrix and the authorized role attention bias vector are first mapped, and then the intermediate representation is obtained through hyperbolic tangent activation operation. The intermediate representation is matched with the authorized role attention parameter vector, and the matching calculation results are normalized to obtain the authorized role attention weights corresponding to each authorized role chain. Based on the set of attention weights for authorized roles, the propagation results of each chain in the set of propagation sub-results of authorized roles are weighted and aggregated to construct the embedded authorized role of the smart device as the subject of permission carrying; In this process, the chain-level propagation result corresponding to each authorized role chain is multiplied by the corresponding authorized role attention weight, and the product results are summed to obtain the authorized role embedding. The request role embedding and the authorized role embedding are concatenated to generate the dual role embedding result for the corresponding smart device.
[0030] In this implementation, an authentication decision is output based on the joint verification result, and the authentication decision and the authentication digest corresponding to the signature request message are written to the sub-chain. The state digest is synchronized to the main chain, and the on-chain verification record is obtained, specifically including: Receive joint verification results and signature request messages, extract request role embedding, authorized role embedding and weighted aggregation vector from the joint verification results, and extract request message and signature value from the signature request message to generate decision input information; Based on the request role embedding, authorized role embedding, and weighted aggregation vector in the joint verification results, calculate the verification decision probability vector and verification decision category corresponding to the current request; Specifically, this includes: concatenating the request role embedding, the authorized role embedding, and the weighted aggregate vector to generate a joint feature vector; inputting the joint feature vector into the first decision layer for mapping processing to obtain the first decision layer output vector; inputting the first decision layer output vector into the second decision layer for mapping processing to obtain the second decision layer output vector; performing probability normalization processing on the second decision layer output vector to generate a verification decision probability vector; and determining the verification decision category based on the category with the highest probability value in the verification decision probability vector. Output the authentication decision corresponding to the current request based on the authentication decision category; Specifically, this includes: when the verification decision category corresponds to "allow execution", output "allow execution"; when the verification decision category corresponds to "restricted execution", output "restricted execution"; when the verification decision category corresponds to "secondary authentication", output "secondary authentication"; when the verification decision category corresponds to "deny execution", output "deny execution"; and when the verification decision category corresponds to "deny and alarm", output "deny and alarm". Generate an authentication digest corresponding to the current request based on the signature request message, authentication decision, and federated authentication result; Specifically, this includes: extracting the device identifier, request message, and signature value from the signature request message; extracting the authentication decision and federated authentication results; concatenating the device identifier, request message, signature value, authentication decision, and federated authentication results; performing digest calculation on the concatenated result to generate an authentication digest; Write the authentication decision and authentication digest into the subchain corresponding to the subchain identifier to which the device belongs, and generate a subchain verification record; Generate a corresponding state digest based on the authentication digest and subchain verification record, and synchronize the state digest to the main chain to generate a main chain synchronization record; Specifically, this includes: concatenating the authentication digest, subchain verification record, and the subchain identifier to which the device belongs; performing digest calculation on the concatenated result to generate a status digest; and writing the device identifier and status digest into the main chain to generate a main chain synchronization record corresponding to the current request. Associate and register the subchain verification record, main chain synchronization record, authentication digest, and status digest to generate an on-chain verification record corresponding to the current request; The associated registration includes extracting subchain verification records, main chain synchronization records, authentication digests, and status digests, and associating and combining these records to generate on-chain verification records.
[0031] Example 1: To verify the feasibility of this invention in practice, it was applied to an industrial IoT control scenario. In this scenario, multiple types of smart devices access control and status resources through an access gateway. Devices need to perform corresponding operations according to their group affiliation and permissions. Existing solutions typically rely on signature verification and static permission tables. When device permissions are adjusted, groups are migrated, or abnormal access occurs, issues can easily arise where identity verification passes but the operation is inconsistent with the current authorized status. Furthermore, there is a lack of unified correlation between the verification result and on-chain records.
[0032] In this embodiment, a public and private key are first generated for the smart device, and the device identity information is written to the main chain. Group relationships, permission policies, historical operation records, and abnormal event records are written to the sub-chain, forming on-chain registration information. When a device initiates a request, a request message is generated and signed. The access gateway performs signature verification, timestamp validity verification, and random number repeatability verification on the signed request message. Subsequently, multi-dimensional information on the chain is extracted, a hierarchical heterogeneous verification graph is constructed, and a set of verification chains is extracted. BG-TrustGNN performs chain-level propagation computation on the set of verification chains, and outputs a joint verification result by combining signature gating information, permission change information, group migration information, historical operation information, and abnormal event information. Then, an identity verification decision is generated and written to the on-chain verification record. In this way, the system can not only determine whether the request was issued by a legitimate device, but also whether the device has the conditions to perform the operation under the current permissions and current group status.
[0033] Test results show that, within a continuous operating cycle, the proposed solution processed 64,200 request messages, including 56,280 normal requests and 7,920 risky requests. Compared to a control scheme that only uses signature verification and a static permission table, the proposed solution achieves a 99.18% success rate for normal request verification, a 97.36% abnormal request identification rate, and a 98.41% interception rate for illegal requests after permission changes. The average verification latency is 44.3 milliseconds, slightly higher than the control scheme's 32.1 milliseconds, but the success rate of main chain and sub-chain association reaches 100%, and the on-chain verification record integrity rate reaches 100%. The data demonstrates that the proposed solution can achieve integrated processing of device identity verification and operation legality determination under conditions of dynamic permission changes and abnormal behavior.
[0034] Table 1. Statistical table of the verification effect of the present invention in industrial IoT control scenarios.
[0035] As can be seen from the table above, the present invention demonstrates superior overall performance compared to the control scheme across several key indicators of smart device authentication. Regarding the success rate of normal request verification, the present invention achieves 99.18%, higher than the control scheme's 97.04%, indicating that the present invention exhibits high stability in ensuring legitimate device access and normal operation, and can complete authentication processing without significantly impacting normal business operations. In terms of abnormal request identification rate, the present invention achieves 97.36%, significantly higher than the control scheme's 84.12%, demonstrating that by introducing multi-dimensional on-chain information, hierarchical heterogeneous verification graphs, and the BG-TrustGNN joint verification mechanism, the present invention can more effectively identify abnormal access requests, abnormal behavior requests, and requests that do not conform to the current authorization status, thereby improving the ability to identify risky requests.
[0036] Regarding the interception rate of unauthorized requests after permission changes, this invention achieves 98.41%, while the control scheme only reaches 75.86%, a significant difference. This indicates that this invention can integrate permission change information, group relationship changes, and current request behavior into a unified verification process, enabling timely verification of requests initiated by devices after permission adjustments, rather than relying solely on static permission tables for judgment. In other words, in scenarios with dynamic permission changes, this invention can more accurately reflect the impact of on-chain state changes on current requests, thereby enhancing the consistency between authentication results and permission status. This effect has strong application value for scenarios such as the Industrial Internet of Things (IIoT), where devices frequently connect and permissions may change dynamically.
[0037] In terms of verification efficiency, the average verification latency of this invention is 44.3 milliseconds, compared to 32.1 milliseconds for the control scheme. Although the processing time of this invention is slightly increased, this increase results in higher anomaly detection capabilities and stronger dynamic permission determination capabilities. Simultaneously, the success rate of the association between the main chain and sub-chains and the completeness rate of on-chain verification records both reach 100%, while the control scheme is 0%. This indicates that this invention not only completes request verification but also achieves the association and storage of verification results between the main chain and sub-chains, forming a complete on-chain verification closed loop. Overall, this invention demonstrates good implementation results in identity authenticity verification, operation legality determination, and verification result traceability.
[0038] The above are merely preferred embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in the present invention, based on the technical solution and inventive concept of the present invention, should be covered within the scope of protection of the present invention.
Claims
1. A blockchain-based smart device authentication method, characterized in that, Includes the following steps: Generate device public and private keys for smart devices, construct main chain identity records and sub-chain control records, and obtain on-chain registration information; When a smart device initiates a request to access a target resource or a request to perform a target operation, a request message is generated, and the request message is signed using the device's private key to obtain a signed request message. The access gateway or edge authentication node receives the signature request message, performs signature verification, timestamp validity verification, and random number repeatability verification on the signature request message, and obtains the pre-verification result; Based on the pre-verification results, signature gating information is generated, and based on the on-chain registration information, multi-dimensional on-chain information is obtained. A hierarchical heterogeneous verification graph is constructed based on multi-dimensional information on the chain, and multiple types of verification chains are extracted based on the hierarchical heterogeneous verification graph to obtain a set of verification chains; BG-TrustGNN is used to perform chain-level propagation calculations on each verification chain in the verification chain set to obtain chain-level propagation results. The chain-level propagation results are then weighted and aggregated to obtain joint verification results. The authentication decision is output based on the joint verification result, and the authentication decision and the authentication digest corresponding to the signature request message are written to the sub-chain. The state digest is synchronized to the main chain to obtain the on-chain verification record.
2. The blockchain-based smart device authentication method according to claim 1, characterized in that, The process of generating a public and private key for the smart device, constructing a main chain identity record and a sub-chain control record, and obtaining on-chain registration information specifically includes: Perform a key generation operation on the smart device to generate the device's public key and private key, and obtain the key generation result; Based on the key generation result, a device identifier is assigned to the smart device, and the device type, device registration status and subchain identifier of the smart device are collected to obtain device identity registration data; Write device identity registration data into the main chain to generate a main chain identity record; Based on the device identifier and the identifier of the sub-chain to which the device belongs, the sub-chain control data is obtained; Write the subchain control data to the subchain corresponding to the subchain identifier to which the device belongs, and generate a subchain control record; The main chain identity record and the sub-chain control record are associated and registered to generate on-chain registration information.
3. The blockchain-based smart device authentication method according to claim 1, characterized in that, When a smart device initiates a target resource access request or a target operation request, generating a request message and signing the request message using the device's private key to obtain a signed request message specifically includes: When a smart device initiates a request to access a target resource or to perform a target operation, the device identifier in the on-chain registration information is called to obtain the set of request parameters. The request parameter set is arranged and formatted to generate a request message. A digest is calculated from the request message to obtain the message digest. The device private key from the key generation result is used to perform a signature operation on the message digest to obtain a signature value. The request message is then combined with the signature value to obtain a signature request message.
4. The blockchain-based smart device authentication method according to claim 1, characterized in that, The process of receiving a signature request message from an access gateway or edge authentication node, performing signature verification, timestamp validity verification, and random number repeatability verification on the signature request message, and obtaining a pre-verification result specifically includes: The access gateway or edge authentication node receives the signature request message, parses the signature request message, and obtains the request parsing result; Based on the device identifier in the request parsing result, the main chain identity record is read from the on-chain registration information, and the revocation status is read to obtain the main chain reading result; Perform digest calculation on the request message to generate a digest to be verified, and perform signature verification on the signature value based on the device public key to obtain the signature verification result; Based on the timestamp in the request parsing result, perform timestamp validity verification on the signed request message to obtain the timestamp verification result; The random number in the request parsing result is used to perform a random number repeatability check on the signed request message to obtain the random number check result; Based on the device registration status and revocation status in the main chain reading results, perform identity status verification on the signature request message to obtain the identity status verification result; The signature verification result, timestamp verification result, random number verification result, and identity status verification result are combined, and combined with the device's sub-chain identifier in the main chain reading result, to generate a pre-verification result.
5. The blockchain-based smart device authentication method according to claim 1, characterized in that, The process of generating signature gating information based on pre-verification results and obtaining multi-dimensional on-chain information based on on-chain registration information specifically includes: The pre-verification results are judged. When the signature verification result, timestamp verification result, random number verification result and identity status verification result in the pre-verification result all pass, a pre-verification pass identifier is generated. Based on the signature verification result, timestamp verification result, random number verification result, identity status verification result, and pre-verification pass flag, generate signature gating information; Based on the device identifier in the signature request message and the subchain identifier to which the device belongs in the pre-verification result, the on-chain read result is read from the on-chain registration information; Based on the main chain identity record in the on-chain read results, generate device identity information and device public key binding information; Based on the sub-chain control records in the on-chain read results, generate device group relationship information, permission policy information, permission change information, historical operation information, and abnormal event information; Based on the device's subchain identifier and subchain control record in the main chain identity record, generate main chain and subchain mapping information; The device identity information, device public key binding information, device group relationship information, permission policy information, permission change information, historical operation information, abnormal event information, main chain and sub-chain mapping information, and signature gating information are combined to generate multi-dimensional information on the chain.
6. The blockchain-based smart device authentication method according to claim 1, characterized in that, The process of constructing a hierarchical heterogeneous verification graph based on multi-dimensional on-chain information, and extracting multiple types of verification chains based on the hierarchical heterogeneous verification graph to obtain a set of verification chains specifically includes: Receive on-chain multidimensional information and signature request messages, and extract graph construction input information from the on-chain multidimensional information and signature request messages; Based on the graph, construct a set of nodes and edges from the input information, and then construct a hierarchical heterogeneous verification graph. Based on the hierarchical heterogeneous verification graph, feature loading is performed on each node in the node set to generate a node feature set; Based on the hierarchical heterogeneous verification graph, the relationships of each edge in the edge set are loaded to generate an edge feature set; Starting with a device node and ending with a resource node or operation node, a path is searched in the hierarchical heterogeneous verification graph. The paths are then classified according to the sequence of node types and edge types traversed in each path, generating multi-type verification chains. The verification chains in the multi-type verification chain are classified according to the chain type to obtain the verification chain set.
7. The blockchain-based smart device authentication method according to claim 1, characterized in that, The process of using BG-TrustGNN to perform chain-level propagation calculations on each verification chain in the verification chain set, obtaining chain-level propagation results, and then weighting and aggregating the chain-level propagation results to obtain joint verification results specifically includes: Receive the verification chain set, on-chain multidimensional information, and signature gating information, and extract the propagation input information; The propagation input information is input into BG-TrustGNN, and the basic propagation vector is obtained through the encoding module, the hierarchical heterogeneous message passing module, the signature gating module, and the verification chain encoding module. Generate a signature gating coefficient based on the signature gating information, generate a timing adjustment coefficient based on the permission change information and device group relationship information, and generate a risk penalty coefficient based on the abnormal event information to obtain the propagation adjustment parameters; The basic propagation vector is combined with the propagation adjustment parameters to obtain the chain-level propagation result; Using the dual-role embedding module, request role embedding and authorization role embedding are constructed based on the chain-level propagation results; Using the aggregation output module, a weighted aggregation vector is generated based on the chain-level propagation results, request role embedding, and authorized role embedding corresponding to each verification chain; The request role embedding, the authorized role embedding, and the weighted aggregation vector are combined to generate a joint verification result.
8. A blockchain-based smart device authentication method according to claim 7, characterized in that, The process of inputting the propagation input information into BG-TrustGNN and obtaining the basic propagation vector through the encoding module, hierarchical heterogeneous message passing module, signature gating module, and verification chain encoding module specifically includes: The propagation input information is input into BG-TrustGNN. Through the encoding module, feature mapping is performed on each node feature in the node feature set and each edge feature in the edge feature set to generate initial node representation and initial edge representation. Input the initial node representation and initial edge representation into the hierarchical heterogeneous message passing module, and perform multi-level heterogeneous message propagation on each node based on the hierarchical heterogeneous verification graph to generate a graph propagation representation; The graph propagation representation and signature gating information are input into the signature gating module. A gating vector is generated based on the signature gating information, and the graph propagation representation is gated and modulated using the gating vector to generate a gated graph propagation representation. The gated graph propagation representation is input into the verification chain encoding module. For each verification chain in the verification chain set, the gated graph propagation representation corresponding to each node is extracted and arranged in the order of the nodes to generate a verification chain representation sequence. The verification chain encoding module is used to perform chain-level encoding on the verification chain representation sequence to generate the basic propagation vector corresponding to the verification chain.
9. A blockchain-based smart device authentication method according to claim 7, characterized in that, The specific steps of utilizing the dual-role embedding module to construct the request role embedding and the authorization role embedding based on the chain-level propagation results include: The dual-role embedding module receives the chain-level propagation results and the set of verification chains. Based on the set of verification chains, it determines the direction of each verification chain, identifies the requesting role chain and the authorized role chain, and obtains the role division result. Based on the role classification results, extract the chain-level propagation results corresponding to the request role chain set from the chain-level propagation results, and generate a request role propagation sub-result set. Based on the role classification results, extract the chain-level propagation results corresponding to the authorized role chain set from the chain-level propagation results, and generate the authorized role propagation sub-result set. Using the dual-role embedding module, attention weights are calculated for each chain-level propagation result in the request role's propagation sub-result set to generate a request role attention weight set. Based on the request role attention weight set, the chain-level propagation results in the request role propagation sub-result set are weighted and aggregated to construct the request role embedding; Calculate the attention weights of each chain-level propagation result in the authorized role propagation sub-result set to generate an authorized role attention weight set. Based on the set of attention weights for authorized roles, the propagation results of each chain in the set of propagation sub-results of authorized roles are weighted and aggregated to construct the embedded role of authorized roles. The request role embedding and the authorized role embedding are concatenated to generate a dual role embedding result.
10. A blockchain-based smart device authentication method according to claim 1, characterized in that, The process of outputting an authentication decision based on the joint verification result, writing the authentication decision and the authentication digest corresponding to the signature request message into the sub-chain, and synchronizing the state digest to the main chain to obtain the on-chain verification record specifically includes: Receive the joint verification result and signature request message, and calculate the verification decision probability vector and verification decision category based on the request role embedding, authorized role embedding and weighted aggregation vector in the joint verification result; Output the authentication decision corresponding to the current request based on the authentication decision category; Generate an authentication digest based on the signature request message, authentication decision, and federated verification result; Write the authentication decision and authentication digest into the subchain corresponding to the subchain identifier to which the device belongs, and generate a subchain verification record; Generate a corresponding state digest based on the authentication digest and subchain verification record, and synchronize the state digest to the main chain to generate a main chain synchronization record; Associate and register the subchain verification record, main chain synchronization record, authentication digest, and status digest to generate on-chain verification record.