An encryption method and system for internet of things communication data

By constructing an initial key matrix based on time intervals and channel states, and combining lightweight computation and dynamic key update step size, the problem of power consumption and communication interruption caused by frequent handshakes and clock drift in IoT devices is solved, achieving efficient data encryption and stable transmission in a low-power environment.

CN122160171APending Publication Date: 2026-06-05JIANGXI INFORMATION APPL VOCATIONAL & TECH COLLEGE

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
JIANGXI INFORMATION APPL VOCATIONAL & TECH COLLEGE
Filing Date
2026-04-16
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

In large-scale low-power IoT deployment scenarios, devices consume a lot of power and occupy a lot of communication bandwidth due to frequent network handshake negotiations and clock drift. Furthermore, packet loss in weak networks can cause the transmit and receive clocks to lose synchronization, leading to data decryption failures and communication interruptions.

Method used

An initial key matrix is ​​constructed by obtaining the historical data packet reception time interval sequence and channel state indicators between the communication node and the receiving node. The key update step size is dynamically adjusted based on the communication error rate. Lightweight operations such as matrix multiplication, cyclic shift and XOR operation are used for encryption, and a key alignment fingerprint verification mechanism is added.

Benefits of technology

It effectively reduces device power consumption, improves anti-replay and anti-hacking capabilities, ensures data security and transmission stability, adapts to the hardware capabilities of low-power IoT terminals, and enhances the fault tolerance of communication.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160171A_ABST
    Figure CN122160171A_ABST
Patent Text Reader

Abstract

The application discloses an encryption method and system for communication data of an Internet of Things, and belongs to the technical field of communication link encryption. In order to solve the problem that a receiving node cannot synchronously generate a corresponding decryption key, and finally causes large-area data decryption failure and communication interruption, the application comprises the following steps: acquiring a receiving time interval sequence of historical data packets between a communication node and a receiving node, and a channel state index of a current communication link; constructing an initial key matrix; acquiring data payload to be sent by the communication node, and acquiring a communication error rate of the current communication link, and updating the communication error rate of the current communication link; performing a cyclic shift operation on the initial key matrix according to a key update step, to obtain a target encryption matrix; performing encryption processing on the data payload based on the target encryption matrix, to obtain encrypted payload, and sending the encrypted payload to the receiving node; and the application improves the encryption security, communication reliability and device endurance of communication data in a low-power weak-network Internet of Things scene.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of communication link encryption technology, specifically to a method and system for encrypting Internet of Things (IoT) communication data. Background Technology

[0002] In the field of IoT technology, a massive number of edge sensors and communication nodes need to periodically aggregate business data to the cloud or central gateway. Because IoT deployment environments are open and the data involves device control or environmental monitoring, the security and confidentiality of communication links are particularly critical. To prevent eavesdropping and replay attacks, related technologies typically establish a data encryption transmission mechanism between communication nodes and receiving nodes. The encryption schemes of these technologies mainly employ a periodic handshake negotiation mechanism based on a key management server, or dynamically rotate symmetric encryption keys using random numbers calculated based on a local clock. During execution, the communication node first sends a key request message to the key server, obtains the symmetric working key for the current period after multiple rounds of asymmetric encryption verification, and then uses this working key to encrypt and send the collected business data. If a local clock scheme is used, both the communication node and the receiving node read their local hardware clock stamp and generate a dynamic key according to the same random algorithm.

[0003] However, in real-world large-scale low-power IoT deployments, devices primarily rely on battery power and operate in weak network environments. Frequent network handshakes and negotiations severely deplete battery power and significantly consume already limited communication bandwidth. Furthermore, if a clock-based dynamic key generation mechanism is employed, the hardware oscillator is prone to clock drift due to IoT nodes remaining in deep sleep mode for extended periods to conserve energy. Simultaneously, severe packet loss caused by weak networks leads to misalignment of state statistics at both ends. This uncontrollability of the underlying physical environment causes the clocks or state counters at both ends to gradually lose synchronization, preventing the receiving node from synchronously generating the corresponding decryption key, ultimately resulting in widespread data decryption failures and communication interruptions.

[0004] To address the above issues, a method and system for encrypting IoT communication data are proposed. Summary of the Invention

[0005] The purpose of this invention is to provide an encryption method and system for IoT communication data, which solves the problem in the background where the uncontrollable physical environment causes the clocks or state counters at both ends of the receiving end to gradually lose synchronization, making it impossible for the receiving node to synchronously generate the corresponding decryption key, ultimately leading to large-scale data decryption failures and communication interruptions.

[0006] To achieve the above objectives, the present invention provides the following technical solution: A method for encrypting IoT communication data, comprising: S101, obtain the sequence of historical data packet reception time intervals between the communication node and the receiving node, as well as the channel state indicators of the current communication link; S102, Construct an initial key matrix based on the received time interval sequence and the channel state index; S103, obtain the data payload to be sent by the communication node, obtain the communication error rate of the current communication link, update the communication error rate of the current communication link, and obtain the updated communication error rate; S104, determine the key update step size based on the updated communication error rate; S105, Perform a cyclic shift operation on the initial key matrix according to the key update step size to obtain the target encryption matrix; S106, the data payload is encrypted based on the target encryption matrix to obtain an encrypted payload, and the encrypted payload is sent to the receiving node.

[0007] Further, obtaining the sequence of historical data packet reception time intervals between the communication node and the receiving node includes: S201, Obtain the arrival timestamps of multiple historical data packets received by the communication node within a preset time window; S202, calculate the difference in arrival timestamps of two adjacent historical data packets in chronological order; S203, the multiple differences are concatenated according to the order of calculation to obtain the receiving time interval sequence.

[0008] Further, the construction of the initial key matrix based on the received time interval sequence and the channel state index includes: S301, Extract the received signal strength indication sequence from the channel state index; S302, the received time interval sequence is used as a row vector and the received signal strength indication sequence is used as a column vector; S303, Perform matrix multiplication on the row vector and the column vector to obtain the initial key matrix.

[0009] Further, obtaining the communication error rate of the current communication link includes: S401, Count the total number of service data packets sent by the communication node to the receiving node within a preset time window; S402, obtain the number of retransmission request messages received by the communication node within the preset time window and fed back by the receiving node; S403, calculate the ratio of the number of retransmission request messages to the total number to obtain the communication error rate; S404, retrieve the historical communication error rate recorded within the preceding time window; S405, assign a first weight parameter to the historical communication error rate, and assign a second weight parameter to the currently acquired communication error rate; S406, Based on the first weight parameter and the second weight parameter, a weighted summation is performed on the historical communication error rate and the currently acquired communication error rate to obtain a smoothed communication error rate; S407, the smoothed communication error rate is used as the updated communication error rate.

[0010] Further, determining the key update step size based on the updated communication error rate includes: S501, Obtain a pre-set error threshold range and step size mapping table, wherein the step size mapping table contains multiple candidate step size values ​​that decrease as the error range increases; S502, determine the error threshold range in which the communication error rate is located; S503, extract the candidate step size value corresponding to the current error threshold interval from the step size mapping table, and use it as the key to update the step size.

[0011] Further, the step of performing a cyclic shift operation on the initial key matrix according to the key update step size to obtain the target encryption matrix includes: S601, Obtain the row dimension values ​​and column dimension values ​​of the initial key matrix; S602, perform a modulo operation based on the key update step size and the column dimension value to obtain the row shift parameter; S603, perform a modulo operation based on the key update step size and the row dimension value to obtain the column shift parameter; S604, perform a cyclic shift in the row direction on the initial key matrix according to the row shift parameters, and perform a cyclic shift in the column direction according to the column shift parameters to obtain the target encryption matrix.

[0012] Further, the step of encrypting the data payload based on the target encryption matrix to obtain an encrypted payload includes: S701, parse the data frame header of the data payload and extract the data service identifier; S702, if the data service identifier is a control instruction type, then extract the main diagonal elements of the target encryption matrix to form a high-dimensional mask vector; S703, perform an XOR operation on the data payload based on the high-dimensional mask vector to obtain the encrypted payload.

[0013] Furthermore, the step of encrypting the data payload based on the target encryption matrix to obtain the encrypted payload further includes: S801, if the data service identifier is a regular collection type, then extract the first row elements of the target encryption matrix to form a low-dimensional mask vector. S802, perform an XOR operation on the data payload based on the low-dimensional mask vector to obtain the encrypted payload.

[0014] Furthermore, before sending the encrypted payload to the receiving node, the method further includes: S901, Perform a hash summation operation on all elements of the target encryption matrix to obtain a key-aligned fingerprint; S902, the key-aligned fingerprint is inserted into the tail field of the encrypted payload.

[0015] This invention also discloses another technical solution: an encryption system for Internet of Things (IoT) communication data, comprising: The data acquisition module obtains the sequence of historical data packet reception time intervals between the communication node and the receiving node, as well as the channel status indicators of the current communication link. The key matrix construction module constructs an initial key matrix based on the received time interval sequence and channel state indicators; The communication error update module obtains the data payload to be sent by the communication node, obtains the communication error rate of the current communication link, and updates the communication error rate to obtain the updated communication error rate. The step size calculation module determines the key update step size based on the updated communication error rate. The matrix shifting module performs a cyclic shift operation on the initial key matrix according to the key update step size to obtain the target encryption matrix; The data encryption sending module encrypts the data payload based on the target encryption matrix to obtain an encrypted payload, and then sends the encrypted payload to the receiving node.

[0016] Compared with the prior art, the beneficial effects of the present invention are as follows: 1. This invention constructs an initial key matrix based on the inherent timing and channel characteristics of the communication link. It does not require the additional deployment of a key management server, multiple rounds of handshake to negotiate keys, or reliance on a local clock to generate keys. This effectively avoids the power consumption and bandwidth occupation caused by frequent handshakes. At the same time, it solves the problems of clock drift caused by IoT node sleep and loss of synchronization caused by packet loss in weak networks. It significantly extends the battery life of battery-powered terminals and is suitable for large-scale low-power IoT deployment scenarios. 2. This invention dynamically adjusts the key update step size based on the communication error rate. When the channel quality is good, the update speed is accelerated, improving the anti-replay and anti-cracking capabilities. In weak network and high packet loss scenarios, the update amplitude is reduced to avoid the encryption matrices of the sender and receiver losing synchronization. Unlike the fixed and blind updates of traditional encryption schemes, this invention achieves accurate matching between the encryption strategy and the channel state, reducing the probability of decryption failure and communication interruption while ensuring data security. 3. It adopts lightweight computing logic and adapts to the computing power limitations of IoT terminal hardware. The core operations of the entire encryption process only include matrix multiplication, circular shift, XOR operation and lightweight hash operation. It does not require complex encryption algorithms and a large amount of computing power support. The operation time is controllable and no additional hardware resources are required. It can be directly adapted to IoT edge nodes with limited computing power and sensitive power consumption, reducing the cost of device deployment and upgrade. 4. Implement differentiated encryption strategies to balance data security and transmission efficiency. High-dimensional mask vector encryption is used for critical data such as control commands to improve the security level; low-dimensional mask vector encryption is used for routine data collection to reduce computational overhead and adapt to the transmission needs of different types of IoT data. This not only prevents equipment failure caused by leakage or tampering of critical data, but also ensures the high-frequency reporting efficiency of routine data. 5. Possesses key synchronization fault tolerance capability, improving adaptability to weak network environments. Through a key alignment fingerprint verification mechanism, it achieves rapid synchronization and verification of the key matrices of both the sender and receiver. If key synchronization fails, it can be quickly recovered through a simple synchronization request without rebuilding the key, effectively improving communication fault tolerance in weak network packet loss scenarios and ensuring the continuity and stability of data transmission. Attached Figure Description

[0017] Figure 1 This is a flowchart illustrating the steps of the present invention.

[0018] Figure 2 This is a system architecture diagram of the present invention. Detailed Implementation

[0019] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0020] Example 1: As Figure 1 As shown, the following preferred technical solutions are provided: This embodiment provides a method for encrypting IoT communication data, the specific steps of which are as follows: S101, obtain the sequence of historical data packet reception time intervals between the communication node and the receiving node, as well as the channel state indicators of the current communication link; This step aims to extract the inherent timing and channel characteristics of the physical layers of both communicating parties as the original basis for generating encryption keys. It eliminates the need for additional key distribution interaction processes and local storage of fixed keys, thereby reducing the radio frequency wake-up frequency and computing power consumption of low-power devices from the source, while avoiding the risk of leakage during the key distribution process.

[0021] In some embodiments, obtaining the received time interval sequence specifically includes: S201, Obtain the arrival timestamps of multiple historical data packets received by the communication node within a preset time window; S202, calculate the difference in arrival timestamps between two adjacent historical data packets in chronological order; S203, multiple differences are concatenated in the order of calculation to obtain the receiving time interval sequence.

[0022] Specifically, the preset time window can be flexibly configured according to the reporting cycle of the IoT terminal, set to a range of 1 to 5 seconds, with a 2-second window preferred. This ensures that enough historical data is collected to guarantee the randomness of the sequence, while avoiding increased power consumption and response delay caused by an excessively long window. The communication node captures the arrival time of the preamble of each historical data packet through a built-in 32-bit hardware timer, converts the timer count value into a UTC timestamp in the format yyyy to MM to ddHH:mm:ss.ssssss, and stores it in the on-chip Flash register with a storage depth of no less than 10 groups to ensure that there is enough historical data for calculation. The absolute difference between two adjacent timestamps is calculated sequentially, and abnormally large differences caused by sudden channel interference are eliminated. The specific threshold is set to three times the average difference within a preset window. Values ​​exceeding this threshold are considered outliers. The remaining valid differences are combined in chronological order into a one-dimensional array sequence of received time intervals. The array length is consistent with the number of valid data packets within the preset window, consisting of 8 to 12 elements. Each element has a value ranging from 10ms to 500ms, adapting to the periodic reporting patterns of IoT terminals. This sequence directly reflects the transmission delay fluctuation characteristics of the physical link. Affected by factors such as wireless propagation environment, distance, and interference, it possesses strong uniqueness and randomness. External eavesdropping devices cannot replicate this sequence using a single eavesdropping data, providing secure raw material for subsequent key construction.

[0023] Simultaneously, the channel status indicators of the current communication link are read in real time through the radio frequency chip of the communication node. The reading frequency is consistent with the data packet receiving frequency, and is read once every 100ms. The channel status indicators include physical layer parameters such as received signal strength indication, signal-to-noise ratio, and channel quality indication. In this embodiment, the received signal strength indication sequence is preferred as the core feature, with a value range of -120dBm to -30dBm. The larger the value, the better the channel quality. This value changes in real time with the wireless propagation environment and is collected once every 100ms. The number of collections is consistent with the number of elements in the receiving time interval sequence, forming the received signal strength indication sequence, which can be used as a dynamic perturbation factor for key construction, providing unpredictable basic features for the subsequent encryption matrix. In addition, in order to avoid feature instability caused by excessive fluctuations in the received signal strength indication value, the collected received signal strength indication sequence is subjected to mean filtering, and the average value of three adjacent collection values ​​is taken as the final received signal strength indication sequence element, further improving the stability of the feature.

[0024] This step extracts the natural timing and channel characteristics of the physical layer, eliminating the need for additional key handshake negotiation, key storage, or external key distribution servers. It solves the problems of cumbersome key distribution, easy cracking of static keys, and hardware resource consumption for key storage in traditional IoT encryption schemes. At the same time, it reduces the radio frequency wake-up frequency and computational overhead of low-power nodes, ensuring that the device can operate stably for a long time.

[0025] S102, Construct the initial key matrix based on the received time interval sequence and channel state indicators;

[0026] This step mathematically fuses two types of physical layer features, time-series features, and channel features to construct an initial key matrix that is unique, time-varying, and resistant to cracking. This initial key matrix serves as the basis for subsequent dynamic encryption. The dimension of the matrix is ​​strongly bound to the length of the feature sequence, ensuring that the initial key matrix generated for each communication is different.

[0027] In some embodiments, constructing the initial key matrix specifically includes: S301, Extract the received signal strength indication sequence from the channel state index; S302, the received time interval sequence is used as a row vector and the received signal strength indication sequence is used as a column vector; S303 performs matrix multiplication on the row vectors and column vectors to obtain the initial key matrix.

[0028] Specifically, the received signal strength indicator values, continuously collected within a preset time window and processed by mean filtering, are arranged in the order of collection to form a column vector matching the length of the received time interval sequence. If the length of the received time interval sequence is N, where N is between 8 and 12, then the length of the received signal strength indicator column vector is also N, ensuring the feasibility of matrix multiplication. Since the received time interval sequence and the received signal strength indicator sequence have different dimensions, direct calculation would lead to excessive differences in the matrix element values, affecting subsequent encryption. Therefore, the received time interval sequence and the received signal strength indicator sequence are first normalized: each element of the received time interval sequence is divided by the maximum value of the sequence to obtain a normalized row vector with values ​​ranging from 0 to 1; each element of the received signal strength indicator sequence is added to 120 to eliminate negative values, then divided by 90 to map the values ​​to the 0-1 interval, resulting in a normalized column vector; subsequently, the matrix multiplier built into the communication node is used to perform matrix multiplication. The outer product operation, multiplying the row vector and column vector, yields an N×N two-dimensional matrix, generating a two-dimensional initial key matrix. Each element in the matrix is ​​generated by coupling time-series and channel features. The calculation method is to multiply the i-th element of the row vector and the j-th element of the column vector to obtain the element in the i-th row and j-th column of the matrix. Each element has a value ranging from 0 to 1. To facilitate subsequent encryption operations, each element is multiplied by 255 and rounded to the nearest integer, ultimately forming an N×N integer initial key matrix. The matrix generated on the same communication link at different times and under different environments is different. Even if a third party obtains a single time interval sequence or received signal strength indication sequence, it cannot replicate the complete initial key matrix, effectively improving the key's anti-cracking capability. In addition, if the generated initial key matrix contains all zero rows or all zero columns, which may occur under extreme channel conditions, it will automatically trigger the re-collection of feature sequences and the reconstruction of the initial key matrix to avoid key invalidation.

[0029] This step deeply integrates the dual-dimensional features of the physical layer through matrix operations to construct an initial key matrix that is strongly bound to the communication link. It abandons the traditional fixed key scheme and solves the problems of easy leakage and insufficient encryption security of static keys. At the same time, the matrix operation logic is simple, involving only normalization and multiplication operations, without the need for complex encryption algorithms. It is compatible with the computing power of low-power IoT processors, and the operation time is controlled within 10ms, which will not affect the normal data reporting of terminal devices.

[0030] S103, obtain the data payload to be sent by the communication node, obtain the communication error rate of the current communication link, update the communication error rate of the current communication link, and obtain the updated communication error rate;

[0031] This step quantitatively assesses the current link transmission quality. It obtains the instantaneous communication error rate by counting the number of retransmission requests, and then eliminates the impact of instantaneous interference through historical smoothing to obtain a stable and reliable communication error rate. This provides an accurate status basis for adjusting the subsequent key update rhythm and ensures that key updates are adapted to channel quality.

[0032] In some embodiments, obtaining and updating the communication error rate specifically includes: S401, Count the total number of service data packets sent by the communication node to the receiving node within the preset time window; S402, obtain the number of retransmission request messages received by the communication node from the receiving node within a preset time window; S403, calculate the ratio of the number of retransmission request messages to the total number to obtain the communication error rate; S404, retrieve the historical communication error rate recorded within the preceding time window; S405, assign a first weight parameter to the historical communication error rate, and assign a second weight parameter to the currently acquired communication error rate; S406, based on the first weight parameter and the second weight parameter, perform a weighted summation of the historical communication error rate and the currently acquired communication error rate to obtain the smoothed communication error rate; S407 uses the smoothed communication error rate as the updated communication error rate.

[0033] Specifically, the preset time window in this step is consistent with the preset time window in S101, with a priority of 2 seconds to ensure the synchronization of data acquisition. The communication node uses a built-in data packet counter to count the total number of service data packets sent within the preset time window. The 16-bit counter has a maximum counting range of 0 to 65535, and each service data packet contains a unique data packet identifier to avoid duplicate counting. At the same time, the communication node starts a dedicated listening callback function to listen for retransmission request messages returned by the receiving node. The PUBACK message of the MQTT protocol is used, and the message header carries a retransmission identifier and the corresponding data packet identifier. The number of retransmission requests received within the preset time window is counted to ensure that the retransmission request corresponds one-to-one with the sent service data packet and to avoid miscounting. The ratio of the number of retransmission requests to the total number of sent data packets is used as the instantaneous communication error rate. The larger the ratio, the more serious the channel packet loss and the worse the transmission quality. The ratio ranges from 0 to 1. When the ratio is 0, it means that there is no packet loss in the channel. When the ratio is 1, it means that all data packets need to be retransmitted.

[0034] To avoid abnormal fluctuations in the error rate caused by transient electromagnetic interference, a historical smoothing mechanism is introduced to ensure the stability of the communication error rate. The first and second weighting parameters can be flexibly configured according to the IoT communication scenario, ensuring that the sum of the first and second weighting parameters equals 1. Typically, the first weighting parameter is set to 0.6 to 0.8, with a preference for 0.7, emphasizing historical stability and reducing the impact of transient fluctuations. The second weighting parameter is set to 0.2 to 0.4, with a preference for 0.3, taking into account transient channel conditions to ensure the error rate responds promptly to channel changes. The historical communication error rate within the preceding time window is read from the on-chip Flash memory. In the first calculation, when the communication node is just started, the historical communication error rate is set to 0.1 by default, assuming good channel quality. The smoothed communication error rate is calculated using the weighted summation formula: the smoothed communication error rate equals the first weight parameter multiplied by the historical communication error rate plus the second weight parameter multiplied by the current instantaneous communication error rate. This smoothed communication error rate is used as the updated communication error rate to ensure a stable key update rhythm and avoid encryption synchronization issues between the sender and receiver due to sudden changes in the error rate. In addition, if the current instantaneous communication error rate is greater than 0.8, indicating extremely poor channel quality, the second weight parameter is automatically increased to 0.5 to speed up the error rate response and adjust the key update strategy in a timely manner.

[0035] This step quantifies communication quality by statistically analyzing retransmission requests and uses weighted smoothing to eliminate transient interference. It solves the problems of large channel state fluctuations and easy loss of synchronization of encryption parameters in weak network environments, providing accurate state basis for dynamically adjusting key update strategies. At the same time, the statistical logic is simple, requires no additional hardware resources, and is compatible with the computing power of low-power terminals.

[0036] S104, Determine the key update step size based on the updated communication error rate;

[0037] This step establishes a mapping relationship between communication quality and key update rhythm, enabling the encryption strategy to adaptively match the channel state. In scenarios with weak network packet loss, it maintains encryption synchronization between the sender and receiver, accelerates key update speed when the channel quality is good, improves encryption security, and balances encryption security and communication reliability.

[0038] In some embodiments, determining the key update step size specifically includes: S501, obtain a pre-set error threshold range and step size mapping table, the step size mapping table contains multiple candidate step size values ​​that decrease as the error range increases; S502, determine the error threshold range in which the communication error rate falls; S503: Extract the candidate step size value corresponding to the current error threshold range from the step size mapping table, and use it as the key to update the step size.

[0039] Specifically, an error threshold range and step size mapping table is pre-configured in the read-only storage area of ​​the device firmware. The mapping table uses a key-value pair structure for easy and fast lookup. The specific configuration is as follows, which can be adjusted according to the actual scenario:

[0040] Error threshold range of 0 to 0.2, excluding 0.2: corresponding to candidate step size value of 8, suitable for scenarios with good channel quality and low packet loss rate, to speed up key update speed and improve encryption security;

[0041] Error threshold range of 0.2 to 0.5, excluding 0.5: corresponding to candidate step size value of 4, suitable for scenarios with general channel quality and slight packet loss, balancing key update speed and synchronization;

[0042] The error threshold range is 0.5 to 1, including both ends: corresponding to a candidate step size value of 2, which is suitable for weak network scenarios with poor channel quality and high packet loss rate, reducing the key update amplitude and reducing the probability of the encryption matrix losing synchronization due to packet loss between the sender and receiver.

[0043] The updated smoothed communication error rate is compared with each of the aforementioned threshold intervals to determine its corresponding interval. Then, a lookup table is used to quickly extract the corresponding candidate step size value, which is used as the key update step size. All step size values ​​are positive integers to ensure the feasibility of subsequent cyclic shift operations. In addition, to avoid a step size value of 0, which may occur in extreme cases, if the candidate step size value obtained from the lookup table is 0, the step size value is automatically adjusted to 1 to ensure that the key matrix can be updated normally. At the same time, the step size mapping table can be dynamically updated by configuration commands issued by the receiving node to adapt to different communication scenario requirements and adjust the key update strategy without modifying the firmware.

[0044] This step uses an adaptive step-size mapping strategy to link the key update rhythm with channel quality, solving the problem of decryption failure caused by excessively fast key updates in weak network and high packet loss scenarios. At the same time, it accelerates the update speed when the channel quality is good, improving encryption security and balancing the security and reliability of IoT communication.

[0045] S105, Perform a cyclic shift operation on the initial key matrix according to the key update step size to obtain the target encryption matrix;

[0046] This step achieves dynamic evolution of the key matrix through lightweight cyclic shift operations. Without increasing computing power overhead, it ensures that a new target encryption matrix is ​​generated each time data is sent, realizing one key per packet, effectively resisting data packet replay attacks. At the same time, the cyclic shift operation logic is simple and adaptable to the hardware capabilities of low-power IoT nodes.

[0047] In some embodiments, obtaining the target encryption matrix by cyclic shifting specifically includes: S601, Obtain the row dimension and column dimension values ​​of the initial key matrix; S602, perform a modulo operation based on the key update step size and column dimension value to obtain the row shift parameter; S603, perform a modulo operation based on the key update step size and row dimension value to obtain the column shift parameter; S604. Perform a cyclic shift in the row direction on the initial key matrix according to the row shift parameter, and perform a cyclic shift in the column direction according to the column shift parameter to obtain the target encryption matrix.

[0048] Specifically, the row and column dimensions of the initial key matrix are obtained through the matrix attribute reading function. Since the initial key matrix is ​​an N×N square matrix, the row dimension value is equal to the column dimension value. Therefore, the row and column dimensions are consistent, both ranging from 8 to 12, which matches the length of the feature sequence. To avoid the key update step size exceeding the matrix dimension and causing invalid shifts, the key update step size is converted into a shift parameter adapted to the matrix size through modulo operation: the row shift parameter is equal to the key update step size modulo the column dimension value, and the column shift parameter is equal to the key update step size modulo the row dimension value. The modulo operation ensures that the value range of the shift parameter is from 0 to the column dimension value minus 1, avoiding the shift bits exceeding the matrix range.

[0049] A bidirectional cyclic shift operation is performed on the initial key matrix: First, the matrix is ​​cyclically shifted to the right according to the row shift parameter, meaning each element in a row is shifted to the right by the row shift parameter number of positions. Any overflowing rightmost elements are automatically filled to the leftmost position of that row. For example, with a row shift parameter of 2, a row containing elements 1, 2, 3, 4 becomes 3, 4, 1, 2. Then, the matrix is ​​cyclically shifted downwards according to the column shift parameter, meaning each column containing elements is shifted downwards by the column shift parameter number of positions. Any overflowing bottommost elements are automatically filled to the top of that column. For example, with a column shift parameter of 1, a column containing elements 1, 2, 3, 4 becomes 4, 1, 2, 3. This cyclic shift operation is implemented through the communication node's built-in logic. The computation unit is implemented without complex algorithms, with computation time controlled within 5ms and extremely low power consumption, making it fully compatible with the hardware capabilities of low-power IoT nodes. After the shift is completed, the reconstructed target encryption matrix is ​​obtained. This matrix has the same structure as the initial key matrix, an N×N square matrix, but the order of the elements changes dynamically. A new target encryption matrix is ​​generated each time data is sent, effectively resisting data packet replay attacks. Attackers cannot crack the encryption by repeatedly sending historical encrypted data packets. In addition, if the shifted target encryption matrix is ​​completely consistent with the initial key matrix, in extreme cases, if the step size is an integer multiple of the matrix dimension, the key is automatically updated with the step size increased by 1, and the cyclic shift operation is re-executed to ensure the uniqueness of the target encryption matrix.

[0050] This step achieves dynamic updates of the key matrix through lightweight cyclic shifting, solving the problem that traditional fixed keys are easily cracked by replay attacks. At the same time, it is simple to operate, has extremely low power consumption, adapts to the hardware limitations of IoT terminals, and balances encryption security with device battery life.

[0051] S106, encrypt the data payload based on the target encryption matrix to obtain the encrypted payload, and send the encrypted payload to the receiving node;

[0052] This step implements differentiated encryption strategies based on the type of data service. High-strength encryption is used for critical control data, while lightweight encryption is used for routine data collection. This balances the security of critical data with the efficiency of routine data transmission. At the same time, key alignment fingerprints are added to ensure the encryption synchronization between the sender and receiver and improve fault tolerance in weak network environments.

[0053] In some embodiments, encryption of control command type data specifically includes: S701, parses the data frame header of the data payload and extracts the data service identifier; S702, if the data service identifier is a control instruction type, then extract the main diagonal elements of the target encryption matrix to form a high-dimensional mask vector; S703 performs an XOR operation on the data payload based on the high-dimensional mask vector to obtain the encrypted payload.

[0054] In some embodiments, encryption of conventionally acquired data specifically includes: S801, if the data service identifier is a regular collection type, then extract the first row elements of the target encryption matrix to form a low-dimensional mask vector. S802 performs an XOR operation on the data payload based on the low-dimensional mask vector to obtain the encrypted payload.

[0055] Specifically, the data payload adopts the standard MQTT protocol data frame format, with a frame header length of 8 bytes. The 3rd and 4th bytes are the data service identification field, used to distinguish data types: when the service identification is 0x0001 to 0x0010, it is determined to be a control command type, including critical data such as equipment start / stop commands, parameter configuration commands, and fault reset commands. This type of data has high security requirements, and once leaked or tampered with, it may lead to risks such as equipment misoperation and failure. When the service identification is 0x0100 to 0x1000, it is determined to be a regular collection type, including periodic reporting information such as ambient temperature and humidity, equipment power, and sensor data. This type of data has relatively low security requirements, and the focus is on transmission efficiency.

[0056] For control command type data, extract the main diagonal elements of the target encryption matrix, from the top left corner to the bottom right corner of the matrix, i.e., row 1, column 1, row 2, column 2, ..., row N, column N, to form a high-dimensional mask vector. The vector length is consistent with the matrix dimension N, ranging from 8 to 12. The high-dimensional mask vector has more elements, resulting in higher encryption strength and effectively resisting brute-force attacks. Perform a bitwise XOR operation between the effective payload of the data payload (excluding the frame header) and the high-dimensional mask vector. The XOR operation rules are: 0⊕0=0, 0⊕1=1, 1⊕0=1, 1⊕1=0. If the data payload length is greater than the mask vector length during the operation, the mask vector is reused cyclically until the entire data payload is encrypted, resulting in the encrypted payload.

[0057] For conventionally collected data, the first row of the target encryption matrix is ​​extracted to form a low-dimensional mask vector with a length of N (8-12). Compared to high-dimensional mask vectors, low-dimensional mask vectors require less computation and have a faster encryption speed, making them suitable for the high-frequency reporting needs of conventional data. Similarly, bitwise XOR operations are used to encrypt the data payload. If the data payload length is greater than the mask vector length, the mask vector is reused cyclically to obtain the encrypted payload. XOR operations do not require complex key management, have high speed, and low power consumption, making them perfectly suited to the computing capabilities of low-power terminals. Furthermore, the encrypted payload cannot be cracked through simple eavesdropping, ensuring data transmission security.

[0058] In some embodiments, the method further includes the following steps before sending the encrypted payload: S901, perform a hash summation operation on all elements of the target encryption matrix to obtain the key-aligned fingerprint; S902, insert the key-aligned fingerprint into the tail field of the encrypted payload.

[0059] Specifically, a hash summation operation is performed on all elements of the target encryption matrix using a lightweight CRC16 hash algorithm. The sum of all elements is calculated, and then a CRC16 check operation is performed on the sum to obtain a 16-bit, 2-byte key-aligned fingerprint. This fingerprint uniquely represents the state of the target encryption matrix, and the computational logic is simple, time-efficient, and does not increase device power consumption. The key-aligned fingerprint is inserted into the tail field of the encryption payload (frame tail), and together with the payload and frame header, forms a complete transmitted data frame. The total length of the data frame equals the frame header length plus the payload length plus the fingerprint length. The receiving node receives the data. After the frame, the key alignment fingerprint at the end is extracted first, and then the fingerprint is calculated based on the target encryption matrix generated synchronously. The two fingerprints are compared to see if they match. If they match, it means that the key matrices of the sender and receiver are synchronized and can be decrypted normally. If they do not match, it means that the key is out of sync. The receiving node sends a synchronization request message to the communication node, and the communication node retransmits the encryption payload and the key alignment fingerprint to achieve fast synchronization without re-establishing the key, thus improving fault tolerance in weak network environments. In addition, to prevent the fingerprint from being tampered with, the fingerprint is bound to the frame header information of the encryption payload. If the frame header is tampered with, the fingerprint verification will also fail, further improving data security.

[0060] After the encrypted payload is constructed, the communication node modulates the data frame into a wireless signal through the radio frequency chip and sends it to the receiving node. The transmission power is automatically adjusted according to the channel status. The higher the communication error rate, the greater the transmission power. The maximum transmission power does not exceed 10dBm to ensure successful data transmission while minimizing power consumption. After receiving the encrypted payload, the receiving node generates the corresponding target encryption matrix according to the same steps as the communication node, extracts the key alignment fingerprint to verify synchronization, and after the verification is passed, extracts the corresponding mask vector according to the data service identifier, performs an XOR operation to decrypt, obtains the original data payload, and completes the entire data encryption transmission process.

[0061] This step achieves a balance between security level and computing power consumption through business-differentiated encryption and key fingerprint verification, resolving the contradiction between excessive power consumption and insufficient security in IoT encryption schemes. At the same time, it ensures the reliability of encryption synchronization between the sender and receiver, and is suitable for IoT communication scenarios with low power consumption, weak network, and multiple service types.

[0062] Example 2: Figure 2 As shown, the following preferred technical solutions are provided:

[0063] This embodiment also provides an encryption system for IoT communication data, used to implement an encryption method for IoT communication data. The system and method correspond one-to-one, employ a modular design, have a clear structure, and are easy to deploy, maintain, and expand. It is compatible with the hardware architecture of low-power IoT terminals and data aggregation nodes, and specifically includes:

[0064] The data acquisition module obtains the historical data packet reception time interval sequence between the communication node and the receiving node, as well as the channel status indicators of the current communication link. Specifically, it captures the arrival timestamps of historical data packets through the 32-bit hardware timer built into the communication node, stores them in the on-chip Flash register, calculates the difference between adjacent timestamps and removes outliers, and splices them together to obtain the reception time interval sequence. At the same time, it acquires channel status parameters such as received signal strength indication and signal-to-noise ratio in real time through the RF chip, performs mean filtering on the received signal strength indication parameter, and generates a received signal strength indication sequence to provide the original physical characteristics for key construction. This module also has an anomaly handling function. When the length of the acquired feature sequence is insufficient or there are outliers, it automatically triggers re-acquisition to ensure the validity of the feature sequence.

[0065] The key matrix construction module constructs an initial key matrix based on the received time interval sequence and channel state indicators. Specifically, it extracts the received time interval sequence and received signal strength indication sequence output by the data acquisition module, normalizes the two sequences to eliminate dimensional differences, uses the received time interval sequence as a row vector and the received signal strength indication sequence as a column vector, performs matrix outer product operations through a hardware multiplier to generate an N×N initial key matrix, and converts the matrix elements into integers from 0 to 255. Simultaneously, it checks whether the initial key matrix contains all-zero rows or columns; if so, it triggers reconstruction to ensure the validity of the key matrix. This module has simple computational logic, with a processing time of less than 10ms, making it suitable for low-power processors.

[0066] The communication error update module acquires the data payload to be sent by the communication node and the current communication error rate of the communication link, and updates the communication error rate to obtain the updated communication error rate. Specifically, it counts the total number of service data packets sent within a preset time window using a data packet counter, captures the number of retransmission request messages fed back by the receiving node through a listening callback function, and calculates the instantaneous communication error rate. It reads the historical communication error rate of the previous time window from the on-chip Flash, assigns corresponding weight parameters to the historical error rate and the current error rate, with the first weight parameter equal to 0.7 and the second weight parameter equal to 0.3, and performs a weighted summation operation to obtain the smoothed communication error rate, which is used as the updated communication error rate. This module also has a dynamic weight adjustment function. When the instantaneous error rate is greater than 0.8, it automatically adjusts the weight parameters to speed up the error rate response.

[0067] The step size calculation module determines the key update step size based on the updated communication error rate. Specifically, it reads a preset error threshold range and step size mapping table from the device firmware read-only storage area, compares the smoothed communication error rate output by the communication error update module with each threshold range, determines the range, and then looks up the corresponding candidate step size value as the key update step size. If the step size value obtained from the lookup table is 0, it is automatically adjusted to 1 to ensure that the key matrix can be updated normally. This module supports dynamically updating the step size mapping table by receiving configuration commands from the receiving node to adapt to different communication scenarios.

[0068] The matrix shifting module performs a cyclic shift operation on the initial key matrix according to the key update step size to obtain the target encryption matrix. Specifically, it reads the initial key matrix output by the key matrix construction module, obtains the row and column dimension values ​​of the matrix, calculates the row shift parameters, modulo the key update step size with respect to the column dimension, and modulo the key update step size with respect to the row dimension. Through the logic operation unit, it performs a cyclic right shift of rows and a cyclic down shift of columns on the initial key matrix, and automatically fills the overflow elements to the corresponding starting positions. If the target encryption matrix after shifting is consistent with the initial key matrix, it automatically adjusts the step size and shifts again to ensure the uniqueness of the target encryption matrix. The operation time of this module is controlled within 5ms, and the power consumption is extremely low.

[0069] The data encryption transmission module encrypts the data payload based on the target encryption matrix to obtain an encrypted payload, which is then sent to the receiving node. Specifically, it parses the frame header of the data payload, extracts the data service identifier, and distinguishes between control commands and regular acquisition data. For control command type data, it extracts the main diagonal elements of the target encryption matrix to form a high-dimensional mask vector and performs bitwise XOR encryption. For regular acquisition type data, it extracts the first row elements of the target encryption matrix to form a low-dimensional mask vector and performs bitwise XOR encryption. It calculates the key alignment fingerprint of the target encryption matrix using the CRC-16 algorithm, inserts the fingerprint into the end of the encrypted payload, and constructs a complete data frame. The data frame is modulated and transmitted to the receiving node via an RF chip, automatically adjusting the transmission power according to the channel status to ensure data transmission reliability. This module also has an encryption verification function, automatically verifying the integrity of the encrypted payload after encryption to avoid encryption failure.

[0070] The aforementioned modules work in tandem to form a complete closed loop, from physical feature acquisition, key construction, dynamic updates to data encryption and transmission. Modules interact via an internal data bus, with data transmission latency controlled within 20ms. This fully adapts to low-power, weak-network, and multi-service communication scenarios in the Internet of Things (IoT), achieving secure and efficient data transmission encryption. Furthermore, the system features a self-diagnostic function. When a module malfunctions, such as data acquisition failure or key construction anomalies, an alarm is automatically triggered, and a fault message is sent to the receiving node. This facilitates timely troubleshooting by maintenance personnel, improving system stability and reliability.

[0071] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.

[0072] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims

1. A method for encrypting Internet of Things (IoT) communication data, characterized in that, include: S101, obtain the sequence of historical data packet reception time intervals between the communication node and the receiving node, as well as the channel state indicators of the current communication link; S102, Construct an initial key matrix based on the received time interval sequence and the channel state index; S103, obtain the data payload to be sent by the communication node, obtain the communication error rate of the current communication link, update the communication error rate of the current communication link, and obtain the updated communication error rate; S104, determine the key update step size based on the updated communication error rate; S105, Perform a cyclic shift operation on the initial key matrix according to the key update step size to obtain the target encryption matrix; S106, the data payload is encrypted based on the target encryption matrix to obtain an encrypted payload, and the encrypted payload is sent to the receiving node.

2. The method for encrypting IoT communication data according to claim 1, characterized in that, The acquisition of the historical data packet reception time interval sequence between the communication node and the receiving node includes: S201, Obtain the arrival timestamps of multiple historical data packets received by the communication node within a preset time window; S202, calculate the difference in arrival timestamps of two adjacent historical data packets in chronological order; S203, the multiple differences are concatenated according to the order of calculation to obtain the receiving time interval sequence.

3. The method for encrypting IoT communication data according to claim 1, characterized in that, The construction of the initial key matrix based on the received time interval sequence and the channel state index includes: S301, Extract the received signal strength indication sequence from the channel state index; S302, the received time interval sequence is used as a row vector and the received signal strength indication sequence is used as a column vector; S303, Perform matrix multiplication on the row vector and the column vector to obtain the initial key matrix.

4. The method for encrypting IoT communication data according to claim 1, characterized in that, The step of obtaining the communication error rate of the current communication link includes: S401, Count the total number of service data packets sent by the communication node to the receiving node within a preset time window; S402, obtain the number of retransmission request messages received by the communication node within the preset time window and fed back by the receiving node; S403, calculate the ratio of the number of retransmission request messages to the total number to obtain the communication error rate; S404, retrieve the historical communication error rate recorded within the preceding time window; S405, assign a first weight parameter to the historical communication error rate, and assign a second weight parameter to the currently acquired communication error rate; S406, Based on the first weight parameter and the second weight parameter, a weighted summation is performed on the historical communication error rate and the currently acquired communication error rate to obtain a smoothed communication error rate; S407, the smoothed communication error rate is used as the updated communication error rate.

5. The method for encrypting IoT communication data according to claim 1, characterized in that, Determining the key update step size based on the updated communication error rate includes: S501, Obtain a pre-set error threshold range and step size mapping table, wherein the step size mapping table contains multiple candidate step size values ​​that decrease as the error range increases; S502, determine the error threshold range in which the communication error rate is located; S503, extract the candidate step size value corresponding to the current error threshold interval from the step size mapping table, and use it as the key to update the step size.

6. The method for encrypting IoT communication data according to claim 1, characterized in that, The step of performing a cyclic shift operation on the initial key matrix according to the key update step size to obtain the target encryption matrix includes: S601, Obtain the row dimension values ​​and column dimension values ​​of the initial key matrix; S602, perform a modulo operation based on the key update step size and the column dimension value to obtain the row shift parameter; S603, perform a modulo operation based on the key update step size and the row dimension value to obtain the column shift parameter; S604, perform a cyclic shift in the row direction on the initial key matrix according to the row shift parameters, and perform a cyclic shift in the column direction according to the column shift parameters to obtain the target encryption matrix.

7. The method for encrypting IoT communication data according to claim 1, characterized in that, The process of encrypting the data payload based on the target encryption matrix to obtain the encrypted payload includes: S701, parse the data frame header of the data payload and extract the data service identifier; S702, if the data service identifier is a control instruction type, then extract the main diagonal elements of the target encryption matrix to form a high-dimensional mask vector; S703, perform an XOR operation on the data payload based on the high-dimensional mask vector to obtain the encrypted payload.

8. The method for encrypting IoT communication data according to claim 1, characterized in that, The step of encrypting the data payload based on the target encryption matrix to obtain the encrypted payload further includes: S801, if the data service identifier is a regular collection type, then extract the first row elements of the target encryption matrix to form a low-dimensional mask vector. S802, perform an XOR operation on the data payload based on the low-dimensional mask vector to obtain the encrypted payload.

9. The method for encrypting IoT communication data according to claim 1, characterized in that, Before sending the encrypted payload to the receiving node, the method further includes: S901, Perform a hash summation operation on all elements of the target encryption matrix to obtain a key-aligned fingerprint; S902, the key-aligned fingerprint is inserted into the tail field of the encrypted payload.

10. An encryption system for Internet of Things (IoT) communication data, characterized in that, A method for encrypting IoT communication data according to any one of claims 1-9 includes: The data acquisition module obtains the sequence of historical data packet reception time intervals between the communication node and the receiving node, as well as the channel status indicators of the current communication link. The key matrix construction module constructs an initial key matrix based on the received time interval sequence and channel state indicators; The communication error update module obtains the data payload to be sent by the communication node, obtains the communication error rate of the current communication link, and updates the communication error rate to obtain the updated communication error rate. The step size calculation module determines the key update step size based on the updated communication error rate. The matrix shifting module performs a cyclic shift operation on the initial key matrix according to the key update step size to obtain the target encryption matrix; The data encryption sending module encrypts the data payload based on the target encryption matrix to obtain an encrypted payload, and then sends the encrypted payload to the receiving node.