Storage encryption system for warehouse business data
By decoupling the logical changes and physical rewriting of data encryption levels in the warehouse management system, and utilizing parameterized topology transformation matrices and evolved key streams, high throughput and dynamic security defense collaboration under high concurrency conditions are achieved. This solves the problem of accumulated encryption operation latency in existing technologies and improves system performance and security.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications(China)
- Current Assignee / Owner: YANTAI FUSHI NETWORK TECHNOLOGY CO LTD
- Filing Date: 2026-03-24
- Publication Date: 2026-06-19
AI Technical Summary
In existing warehouse management systems, the physical coupling between data encryption and storage paths leads to accumulated encryption operation delays, limiting the response speed of the storage system and making it impossible to simultaneously meet the requirements of high throughput and dynamic security defense under high concurrency conditions.
The I/O queue is monitored by the state feature acquisition module, a parameterized topology transformation matrix is generated, an evolution key stream is generated by the key evolution module, and encryption operators are attached during the hardware garbage collection cycle of the underlying storage medium to decouple the logical changes and physical rewriting actions of the data encryption level and achieve synchronous encryption.
Without increasing bus overhead, it ensures the system's response performance and data protection strength under high concurrency conditions, eliminates the instantaneous encroachment of encryption operations on the storage system's I/O bus bandwidth, and improves the flexibility of security defense and the utilization rate of hardware resources.
Figure CN122241739A_ABST
Description
Technical Field
[0001] This invention belongs to the field of warehouse data security technology, and in particular relates to a storage encryption system for warehouse business data.
Background Technology
[0002] Current warehouse management systems handle large-scale order flows, inventory changes, and user privacy data. To meet data security compliance requirements, the industry typically deploys encryption mechanisms at the storage layer, using symmetric encryption algorithms to encrypt data stored on the storage medium. Automated warehouse centers have high data throughput, and their read / write requests exhibit a clear hot / cold distribution. Because encryption operations are physically coupled with the storage path, the system applies constant encryption to all data requests, causing the latency generated by encryption operations to accumulate in the input / output path and limiting the overall response speed of the storage system.
[0003] Existing technologies for enhancing data protection typically require a continuous chain of physical actions: reading, decrypting, reencrypting, and writing. When data states change and encryption algorithms need adjustment, this design, which deeply binds logical security level changes with physical data rewriting, causes storage channels to experience instantaneous high traffic loads and encroaches on normal business data bandwidth. While the industry has attempted to improve processing speed using hardware accelerator cards, this approach fails to address the causal relationship between logical changes and physical rewriting. When handling security level transitions in massive amounts of data, the physical limitations of physical write bandwidth remain, preventing the system from simultaneously meeting high throughput and dynamic security defense requirements. For example, Chinese invention patent application CN120010779A discloses a dynamic intelligent control system for system I / O queues, which suffers from a fundamental mismatch when applied to high-frequency warehouse encryption scenarios: the scheduling logic remains at the overall queue allocation at the system level, ignoring the unique write amplification effect and physical erase cycle of encrypted data in the underlying storage medium. Under this scheduling mode, encryption operator update actions still physically conflict with business read / write operations at the bus level, failing to eliminate the performance crashes caused by the deep binding of logical security level changes and physical data rewriting.
[0004] Therefore, the technical problem to be solved by this invention is how to achieve an adaptive data encryption mechanism that can dynamically evolve with the characteristics of data activity without introducing additional bus overhead, so as to ensure a deep synergy between security protection strength and system processing performance under large-scale high-concurrency conditions.
Summary of the Invention
[0005] This invention provides a storage encryption system for warehousing business data, comprising:
[0006] The status feature acquisition module is used to extract structured feature parameters that characterize the data storage status of warehouse operations by monitoring the I / O read and write queues of the storage system. The structured feature parameters consist of data load throughput, data access concurrency frequency, and logical address offset density.
[0007] The topology mapping module is used to use the data payload throughput as the matrix dimension index and determine the initial weight value based on the logical address offset density to establish a parameterized topology transformation matrix corresponding to the data payload to be encrypted.
[0008] The key evolution module is used to perform vector iterative transformation operations on the parameterized topological transformation matrix. By changing the logical shift of the vector elements in the parameterized topological transformation matrix, it generates an evolution key stream corresponding to the vector evolution state.
[0009] The synchronous encryption module is used to obtain the physical block erase signal generated by the underlying storage medium and attach the encryption operator replacement action of the data payload to be encrypted to the hardware garbage collection cycle of the underlying storage medium. During the physical data transfer process of the underlying storage medium, the evolved key stream is used to perform encryption operator replacement on the data written to the physical transfer destination address.
[0010] Preferably, the synchronous encryption module is equipped with a signal sensing interface; the signal sensing interface is used to obtain the block erase warning signal generated by the underlying storage medium in real time; the synchronous encryption module is also used to suspend non-urgent I / O requests through firmware instructions of the underlying storage medium when the block erase warning signal is triggered, and to retrieve the evolution key stream and perform in-situ re-encryption on the data payload in the physical transfer destination address during the physical data transfer process of the underlying storage medium.
[0011] Preferably, the topology mapping module includes: a parameter extraction unit and a matrix initialization unit; the parameter extraction unit is used to establish a mapping constraint set representing the data security strength based on structured feature parameters; the matrix initialization unit is used to call a preset parameterized topology template and map each parameter in the mapping constraint set to the weight allocation or vector bias of a specific node in the parameterized topology template to generate a parameterized topology transformation matrix.
[0012] Preferably, the key evolution module is used to call the vector parallel computing unit to perform synchronous update operations on the multidimensional coordinate vectors in the parameterized topological transformation matrix, and generate an evolved key stream with non-uniform distribution characteristics through the iterative evolution of the multidimensional coordinate vectors in the logical space.
[0013] Preferably, the system also includes a load adjustment module; the load adjustment module is used to adjust the calculation step size of the key evolution module according to the data load throughput; when the data load throughput exceeds the preset traffic threshold, the load adjustment module generates a step size compression instruction to forcibly reduce the number of iterations of the multidimensional coordinate vector, so as to shorten the calculation cycle of a single key generation.
[0014] Preferably, the system further includes a state control module; the state control module is used to mark the data payload to be encrypted through metadata state bits during the encryption operator replacement phase; the mark is used to indicate the key version number currently corresponding to the data payload to be encrypted, so as to establish the index mapping relationship between the logical address space involved in the logical address offset density and the key version.
[0015] Preferably, the system further includes a key envelope module; the key envelope module is used to perform secondary encapsulation of the data payload to be encrypted using a randomly generated temporary session key during the encryption operator replacement performed by the synchronous encryption module, so as to cover the data status window during the physical data transfer process of the underlying storage medium.
[0016] Preferably, the key evolution module is used to calculate the matrix evolution order k based on the data access concurrency frequency. The formula for calculating the matrix evolution order k is: , where k is the matrix evolution order, α is the preset security weight coefficient, and ρ is the quantized characteristic value representing the data access concurrency frequency.
[0017] Preferably, the system further includes: a situational awareness module; the situational awareness module is used to monitor the frequency of unauthorized access to the logical address space; when the frequency of unauthorized access exceeds a preset historical baseline value, the situational awareness module sends a dimension expansion instruction to the topology mapping module to increase the initial vector dimension of the parameterized topology transformation matrix.
[0018] Preferably, the system is applied to a distributed storage environment; the status feature acquisition module obtains the logical address offset density by listening to the read and write request queue of the distributed storage environment; the synchronization encryption module is integrated into the firmware layer of the storage controller and is used to synchronously inject encryption operators when the underlying storage medium performs physical block erasure operations.
[0019] Compared with existing technologies, the warehousing business data storage encryption system of the present invention has the following advantages:
[0020] 1. In the storage encryption of warehouse business data, by decoupling the logical change of data encryption level from the rewriting of physical payload, the system can instantly switch the security strength when it senses a change in activity characteristics by performing nested encapsulation on the key envelope metadata in the cache. This avoids triggering physical rereading and rewriting of the entire data during the high-frequency flow of business data, eliminates the instantaneous encroachment of encryption operations on the I / O bus bandwidth of the storage system, and ensures that the business system maintains constant response performance and data protection strength under high-speed interaction conditions.
[0021] 2. By attaching the cryptographic operator replacement task of the data payload to the hardware garbage collection cycle of the underlying storage medium, the physical re-encryption action is executed synchronously with the inherent block erasure and physical transfer process of the medium. This collaborative mode transforms the re-encryption operation, which originally required independent computing power and bus bandwidth, into an endogenous link in the hardware maintenance process of the storage medium. It effectively reclaims and utilizes redundant hardware resources, resolves the contradiction between encryption / decryption services and business logic competing for hardware resources in high-concurrency scenarios, and improves the anti-cryptographic analysis capability of large-scale quiescent data without introducing additional system overhead.
[0022] 3. A key evolution mechanism is constructed based on parameterized spatial topology features, replacing the traditional one-dimensional scalar cryptographic generation logic with three-dimensional grid subdivision operations. Since grid topology evolution can be efficiently taken over by vector parallel computing units, the system can complete the high-dimensional key generation within a nanosecond time window, thereby eliminating the risk of computational avalanche during the switching process of complex encryption algorithms. This geometric dimension control method establishes a deterministic correlation between the scalability of cryptographic strength and the parallel processing capability of the underlying hardware, improving the system's security defense flexibility when dealing with sudden traffic data.
Attached Figure Description
[0023] Figure 1 is a logical interaction diagram of the storage encryption system for warehousing business data of the present invention;
[0024] Figure 2 is a diagram showing the hardware and software collaboration and signal flow of the warehousing and storage encryption system of this invention.
Detailed Implementation
[0025] The technical solutions of the embodiments of this application will be clearly described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of this application are within the scope of protection of this application.
[0026] It should be noted that all directional and positional terms used in this invention, such as: up, down, left, right, front, back, vertical, horizontal, inner, outer, top, low, lateral, longitudinal, center, etc., are only used to explain the relative positional relationship and connection between components in a specific state (as shown in the accompanying drawings). They are only for the convenience of describing this invention and do not require that this invention be constructed and operated in a specific orientation. Therefore, they should not be construed as limiting this invention. In addition, the descriptions of "first," "second," etc., in this invention are for descriptive purposes only and should not be construed as indicating or implying their relative importance or implicitly indicating the number of technical features indicated.
[0027] In the description of this invention, unless otherwise explicitly specified and limited, the terms installation, connection, and linking should be interpreted broadly. For example, they can refer to fixed connections, detachable connections, or integral connections; they can refer to mechanical connections; they can refer to direct connections or indirect connections through an intermediate medium; they can refer to the internal connection of two components. For those skilled in the art, the specific meaning of the above terms in this invention can be understood according to the specific circumstances.
[0028] In the description of this specification, references to the terms "an embodiment," "some embodiments," "illustrative embodiments," "examples," "specific examples," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example, and the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.
[0029] A storage encryption system for warehousing business data includes:
[0030] The status feature acquisition module is used to extract structured feature parameters that characterize the data storage status of warehouse operations by monitoring the I / O read and write queues of the storage system. The structured feature parameters consist of data load throughput, data access concurrency frequency, and logical address offset density.
[0031] The topology mapping module is used to use the data payload throughput as the matrix dimension index and determine the initial weight value based on the logical address offset density to establish a parameterized topology transformation matrix corresponding to the data payload to be encrypted.
[0032] The key evolution module is used to perform vector iterative transformation operations on the parameterized topological transformation matrix. By changing the logical shift of the vector elements in the parameterized topological transformation matrix, it generates an evolution key stream corresponding to the vector evolution state.
[0033] The synchronous encryption module is used to obtain the physical block erase signal generated by the underlying storage medium and attach the encryption operator replacement action of the data payload to be encrypted to the hardware garbage collection cycle of the underlying storage medium. During the physical data transfer process of the underlying storage medium, the evolved key stream is used to perform encryption operator replacement on the data written to the physical transfer destination address.
[0034] Preferably, the synchronous encryption module is equipped with a signal sensing interface; the signal sensing interface is used to obtain the block erase warning signal generated by the underlying storage medium in real time; the synchronous encryption module is also used to suspend non-urgent I / O requests through firmware instructions of the underlying storage medium when the block erase warning signal is triggered, and to retrieve the evolution key stream and perform in-situ re-encryption on the data payload in the physical transfer destination address during the physical data transfer process of the underlying storage medium.
[0035] Preferably, the topology mapping module includes: a parameter extraction unit and a matrix initialization unit; the parameter extraction unit is used to establish a mapping constraint set representing the data security strength based on structured feature parameters; the matrix initialization unit is used to call a preset parameterized topology template and map each parameter in the mapping constraint set to the weight allocation or vector bias of a specific node in the parameterized topology template to generate a parameterized topology transformation matrix.
[0036] Preferably, the key evolution module is used to call the vector parallel computing unit to perform synchronous update operations on the multidimensional coordinate vectors in the parameterized topological transformation matrix, and generate an evolved key stream with non-uniform distribution characteristics through the iterative evolution of the multidimensional coordinate vectors in the logical space.
[0037] Preferably, the system also includes a load adjustment module; the load adjustment module is used to adjust the calculation step size of the key evolution module according to the data load throughput; when the data load throughput exceeds the preset traffic threshold, the load adjustment module generates a step size compression instruction to forcibly reduce the number of iterations of the multidimensional coordinate vector, so as to shorten the calculation cycle of a single key generation.
[0038] Preferably, the system further includes a state control module; the state control module is used to mark the data payload to be encrypted through metadata state bits during the encryption operator replacement phase; the mark is used to indicate the key version number currently corresponding to the data payload to be encrypted, so as to establish the index mapping relationship between the logical address space involved in the logical address offset density and the key version.
[0039] Preferably, the system further includes a key envelope module; the key envelope module is used to perform secondary encapsulation of the data payload to be encrypted using a randomly generated temporary session key during the encryption operator replacement performed by the synchronous encryption module, so as to cover the data status window during the physical data transfer process of the underlying storage medium.
[0040] Preferably, the key evolution module is used to calculate the matrix evolution order k based on the data access concurrency frequency. The formula for calculating the matrix evolution order k is: , where k is the matrix evolution order, α is the preset security weight coefficient, and ρ is the quantized characteristic value representing the data access concurrency frequency.
[0041] Preferably, the system further includes: a situational awareness module; the situational awareness module is used to monitor the frequency of unauthorized access to the logical address space; when the frequency of unauthorized access exceeds a preset historical baseline value, the situational awareness module sends a dimension expansion instruction to the topology mapping module to increase the initial vector dimension of the parameterized topology transformation matrix.
[0042] Preferably, the system is applied to a distributed storage environment; the status feature acquisition module obtains the logical address offset density by listening to the read and write request queue of the distributed storage environment; the synchronization encryption module is integrated into the firmware layer of the storage controller and is used to synchronously inject encryption operators when the underlying storage medium performs physical block erasure operations.
[0043] Example 1: This example describes a storage encryption system for warehouse business data applied to a large-scale automated warehouse center handling high-concurrency access. When the warehouse system is in a peak order settlement period, massive amounts of hot data in a high-frequency read / write state are transferred to a long-term dormant archive state in a very short time. Traditional static encryption mechanisms trigger a full physical re-read / write of all data during this state transition phase to enhance cryptographic protection strength. The mechanism of deeply binding logical security level changes with physical load read / write actions causes instantaneous read / write traffic surges in the storage channel, exceeding the I / O bus bandwidth limit of the underlying storage controller and causing system-level blocking of the business queue. To address the physical constraints between the aforementioned high-frequency service flow and encryption computation overhead, the state feature acquisition module monitors the I / O read / write queues of the underlying distributed storage environment, extracting structured feature parameters composed of data payload throughput, data access concurrency frequency, and logical address offset density. The sampling strategy employs a fixed hardware sampling frequency of 2000Hz, and a 1024-layer circular buffer is allocated in the controller memory. Data feature extraction is based on a sliding window of 500 milliseconds, with the window sliding forward every 100 milliseconds, meaning there is an 80% time overlap between adjacent sampling windows. Regarding the data access concurrency frequency… The number of I / O submission interrupt signal pulses within the window is calculated. For logical address offset density, it is calculated by dividing the difference between the largest and smallest logical block addresses within the window by the total number of requests.
The topology mapping module uses data load throughput as the matrix dimension index and determines the initial weight value based on the logical address offset density. Specifically, the average throughput value is calculated with a statistical period of 100 milliseconds, divided by 64 MB / s, rounded down, and then uniformly accumulated with a base offset of 4 as the final matrix row and column dimensions. If the calculated dimension value exceeds 64, it is forcibly locked to 64 to ensure... The vector operation instructions are kept within the access boundaries of the L1 cache. At the same time, the physical sector span corresponding to the logical address offset density is read and normalized to the range of 0.0 to 1.0 as the initial weight coefficients of the diagonal elements in the topology transformation matrix. A parameterized topology transformation matrix is established for the data payload to be encrypted. By transforming the linear cryptographic algebraic substitution process that depends on a single processing unit into an iterative evolution of the logical space based on multidimensional coordinate vectors, the key evolution module calls the vector parallel computing unit to perform synchronous update operations on the parameterized topology transformation matrix, generating an evolution key stream that corresponds to the vector evolution state and has non-uniform distribution characteristics.
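The feature extraction and dimension rule of paragraph [0043], worked through on a constructed I/O trace. This is an added example, not code from the patent; treating MB as 10^6 bytes, taking the 100 ms statistical period as the most recent 100 ms of each window, and expressing the pulse count in Hz are assumptions of the sketch.

```python
# Added illustration, not code from the patent. The trace below is constructed.
from dataclasses import dataclass

WINDOW_US = 500_000      # 500 ms sliding window (Example 1)
STEP_US = 100_000        # window advances every 100 ms (Example 1)
UNIT_BPS = 64 * 10**6    # 64 MB/s divisor; MB = 10^6 bytes is an assumption
BASE_OFFSET = 4          # base offset added to the dimension (Example 1)
MAX_DIM = 64             # dimension is locked to 64 above this (Example 1)


@dataclass(frozen=True)
class IoRequest:
    t_us: int      # submission time in microseconds
    lba: int       # logical block address
    nbytes: int    # payload size in bytes


@dataclass(frozen=True)
class Features:
    start_us: int
    pulses: int        # I/O submissions counted in the window
    rho_hz: int        # pulses expressed per second (assumed conversion)
    density: float     # (max LBA - min LBA) / number of requests
    dimension: int     # row/column dimension of the matrix


def offset_density(reqs):
    """Logical address offset density as defined in Example 1."""
    if not reqs:
        return 0.0                      # empty window: no address spread
    lbas = [r.lba for r in reqs]
    return (max(lbas) - min(lbas)) / len(reqs)


def matrix_dimension(bytes_per_second):
    """floor(throughput / 64 MB/s) + 4, locked to 64."""
    return min(bytes_per_second // UNIT_BPS + BASE_OFFSET, MAX_DIM)


def extract_features(trace, duration_us):
    """One Features record per full 500 ms window, stepping by 100 ms."""
    out = []
    for start in range(0, duration_us - WINDOW_US + 1, STEP_US):
        end = start + WINDOW_US
        win = [r for r in trace if start <= r.t_us < end]
        # Throughput is averaged over a 100 ms statistical period; using the
        # most recent 100 ms of the window is an assumption of this sketch.
        recent = [r for r in win if r.t_us >= end - STEP_US]
        bps = sum(r.nbytes for r in recent) * 1_000_000 // STEP_US
        out.append(Features(start, len(win), len(win) * 1_000_000 // WINDOW_US,
                            offset_density(win), matrix_dimension(bps)))
    return out


def constructed_trace():
    """1 s of submissions at 2000 Hz: small hot writes, then a bulk migration."""
    trace = []
    for i in range(2000):
        t_us = i * 500
        if t_us < 500_000:   # hot phase: 100 kB writes inside a 50-block range
            trace.append(IoRequest(t_us, 1000 + i % 50, 100_000))
        else:                # migration phase: 4 MB writes, widely spaced LBAs
            trace.append(IoRequest(t_us, i * 4096, 4_000_000))
    return trace


if __name__ == "__main__":
    for f in extract_features(constructed_trace(), 1_000_000):
        print(f)
```

On this trace the hot-phase window yields a 7 x 7 matrix, while the migration-phase throughput would give 129 and is locked to 64.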
[0044] In the evolutionary computation of multidimensional topological key generation, the key evolution module calculates the matrix evolution order k based on the data access concurrency frequency. The specific calculation formula is as follows: Where k is the dimensionless matrix evolution order, α is the dimensionless preset security weight coefficient, and ρ is the quantized characteristic value in Hz representing the concurrent frequency of data access. The key evolution module determines the specific calculation step size of the evolution key stream based on this calculation formula. The synchronization encryption module obtains the physical block erase warning signal generated by the underlying storage medium and monitors the free block counter of the flash translation layer (FTL) in real time through the 0xAF vendor-defined instruction set of the storage controller firmware layer. When the number of available physical blocks is less than 5% of the total capacity, the firmware triggers a hard interrupt signal. The synchronization encryption module intercepts the current physical block erase request, and the controller sends a 64-byte preprocessed message containing the logical address start bit and length of the data to be transferred, thereby ensuring that the bus is idle for 2 milliseconds before the physical erase operation officially starts. Within the window, the underlying firmware commands are triggered via the signal sensing interface to suspend non-urgent I / O requests, and the encryption operator replacement action of the data payload to be encrypted is mounted within the hardware garbage collection cycle of the underlying storage medium. During the physical data transfer process of the underlying storage medium, the synchronous encryption module retrieves the evolution key stream and performs in-situ re-encryption operator replacement on the data written to the physical transfer destination address. 
This mechanism decouples the logical change of data encryption level from the real-time rewriting action of physical payload at the physical level, so that the physical re-encryption action is executed synchronously with the storage medium's inherent block erasure and physical transfer process, eliminating the instantaneous encroachment of independent encryption operations on the storage system I / O bus bandwidth, and achieving a coordinated configuration of high concurrency throughput performance and dynamic cryptographic defense strength for large-scale warehousing data under the original bus load level.
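The decoupling described in paragraph [0044], together with the key version marking of paragraph [0038], modelled on a toy flash translation layer. This is an added example, not code from the patent: HMAC-SHA256 in counter mode stands in for the evolved key stream, and the class names, block geometry and records are hypothetical.

```python
# Added illustration, not code from the patent. HMAC-SHA256 in counter mode is a
# standard-library stand-in for the evolved key stream; records are constructed.
import hashlib
import hmac
from dataclasses import dataclass

PAGES_PER_BLOCK = 4  # assumed toy geometry


def keystream(key, seq, n):
    """n keystream bytes bound to a unique per-write sequence number."""
    out, ctr = b"", 0
    while len(out) < n:
        msg = seq.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


@dataclass
class Page:
    lba: int
    key_version: int   # the metadata state bits of paragraph [0038]
    seq: int           # unique write counter, so no keystream is reused
    ciphertext: bytes
    valid: bool = True


class ToyFtl:
    """Append-only flash model with per-page key-version tags."""

    def __init__(self, master):
        self.master = master
        self.version = 1
        self.pages = []            # physical pages in program order
        self.l2p = {}              # logical address -> physical page index
        self.physical_writes = 0

    def _key(self, version):
        label = b"kv" + version.to_bytes(4, "big")
        return hmac.new(self.master, label, hashlib.sha256).digest()

    def _decrypt(self, page):
        key = self._key(page.key_version)
        return xor(page.ciphertext, keystream(key, page.seq, len(page.ciphertext)))

    def write(self, lba, plaintext):
        """Program one page under the current key version."""
        seq = self.physical_writes
        ks = keystream(self._key(self.version), seq, len(plaintext))
        if lba in self.l2p:
            self.pages[self.l2p[lba]].valid = False
        self.pages.append(Page(lba, self.version, seq, xor(plaintext, ks)))
        self.l2p[lba] = len(self.pages) - 1
        self.physical_writes += 1

    def read(self, lba):
        return self._decrypt(self.pages[self.l2p[lba]])

    def rotate(self):
        """Logical security-level change: metadata only, no page is touched."""
        self.version += 1
        return self.version

    def collect(self, block):
        """Garbage-collect one full block; the relocation copy re-encrypts."""
        lo, moved = block * PAGES_PER_BLOCK, 0
        for idx in range(lo, lo + PAGES_PER_BLOCK):
            page = self.pages[idx]
            if page.valid:
                self.write(page.lba, self._decrypt(page))  # GC copy, new key
                moved += 1
            self.pages[idx] = Page(-1, 0, 0, b"", valid=False)  # erased
        return moved

    def versions_in_use(self):
        """Key versions that still protect live data and cannot be retired."""
        return sorted({p.key_version for p in self.pages if p.valid})


def demo():
    ftl = ToyFtl(b"constructed-master-secret")
    records = {lba: f"order-{lba:04d}".encode() for lba in range(8)}
    for lba, rec in records.items():
        ftl.write(lba, rec)
    before = ftl.physical_writes
    ftl.rotate()                        # policy change, zero physical writes
    after_rotate = ftl.physical_writes
    moved = ftl.collect(0)              # GC would copy these pages anyway
    mixed = ftl.versions_in_use()
    ftl.collect(1)
    readable = all(ftl.read(lba) == rec for lba, rec in records.items())
    return {"before": before, "after_rotate": after_rotate, "moved": moved,
            "mixed": mixed, "final": ftl.versions_in_use(), "readable": readable}
```

Between the first and second collection both key versions are live, so the older key has to be retained until garbage collection has visited every block that still carries its version tag.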
[0045] Example 2: In a distributed storage simulation environment used to test high-frequency concurrent read / write conditions, a low-level hardware platform including a block-level I / O read / write benchmark module is constructed. The initial queue depth is set to 128, and the random read / write ratio is maintained at 7:3. To reproduce the background interference generated by head seek and bus arbitration in industrial storage channels, a random read / write latency disturbance with a fluctuation amplitude of 15% is superimposed at the data flow source. This simulation environment is used to calibrate the value range of the security weight coefficient α. This parameter setting balances the cryptographic state diffusion rate and the computational load of the vector parallel computing unit. When the extracted logical address offset density tends to be sparse, the security weight coefficient α is set to tend towards the upper limit of the value to maintain the cryptographic evolution state transition. Based on this logical rule, the basic value of the dimensionless security weight coefficient α is determined to be 1.5 under the current simulation conditions.
[0046] In the simulation environment described above, a first comparison sample group was set up, which adopted a static real-time rewrite encryption method; a second comparison sample group was set up, which established a parameterized topology transformation matrix but stripped the underlying physical block erasure mounting action; an out-of-range control group was set up, which set the security weight coefficient α to a value of 3.5 to observe the out-of-range degradation effect; and the present invention sample group was set up, which adopted the complete system of the present invention, set up a problem intensity gradient system to characterize the data access concurrency frequency ρ, and selected three service request frequencies with nonlinear spans of 1000Hz, 5000Hz and 12000Hz as verification nodes. The data load throughput test was started and the system was input with structured feature parameters containing the aforementioned delay perturbation. The state feature acquisition module extracted the structured feature parameters by listening to the I / O read and write queue. The topology mapping module established a parameterized topology transformation matrix with the data load throughput as the matrix dimension index. When the data access concurrency frequency ρ was at a medium gradient of 5000Hz, the key evolution module substituted the security weight coefficient α into the formula, and the dimensionless matrix evolution order k was calculated to be 18. The vector parallel computing unit updates the multidimensional coordinate vector in the parameterized topological transformation matrix according to this order, and outputs the evolution key stream with non-uniform distribution characteristics in the logical space as intermediate data.
The synchronous encryption module obtains the physical block erasure warning signal generated by the underlying storage medium, triggers the firmware instruction to suspend non-urgent I / O requests through the signal sensing interface, and pushes the encryption operator replacement action of the data payload to be encrypted into the hardware garbage collection waiting queue.
[0047] The final storage I / O latency measurements of each group were extracted under the extreme concurrent frequency gradient of 12000Hz. Due to the superposition of random disturbances, the I / O latency of the first comparative sample group rose to 145.2ms and triggered physical channel blockage. The I / O latency of the second comparative sample group was recorded as 89.4ms, reflecting that single vector calculation is still constrained by the bus occupation caused by physical write amplification. The sample group of this invention completed the in-situ re-encryption operator replacement synchronously within the hardware garbage collection cycle, and its I / O latency remained stable at 12.6ms. The single iteration time of the multi-dimensional coordinate vector was measured as 4.2μs. The quantitative difference between the second comparative sample group and the sample group of this invention reflects that the logical space iteration and physical rewriting action generated a synergistic effect of eliminating the additional bus bandwidth occupation. After the security weight coefficient α was set to 3.5, the single iteration time of the out-of-range control group climbed to 85.3μs and triggered the processor cache overflow anomaly, ensuring the parameter working window of the system's high-frequency throughput performance and dynamic cryptographic defense strength.
[0048] Example 3: Under tens of millions of concurrent throughput conditions, the topology mapping module and the load adjustment module work together to execute dynamic parameter determination logic to construct a parameterized topology transformation matrix. When the state feature acquisition module outputs real-time data load throughput, data access concurrency frequency, and logical address offset density, the parameter extraction unit in the topology mapping module obtains the real-time values of the above feature parameters and integrates the feature parameters into a mapping constraint set characterizing the data security strength. The matrix initialization unit retrieves a preset two-dimensional parameterized topology template and assigns weights to specific nodes according to the mapping constraint set. The matrix initialization unit reads the current scalar value of the logical address offset density and multiplies it by the mapping coefficient determined according to the upper limit of the storage controller bus bandwidth to calculate the initial vector bias. The matrix initialization unit uses the data payload throughput as the row index and the data access concurrency frequency as the column index, injecting the initial vector bias into the corresponding coordinate nodes of the two-dimensional parameterized topology template to generate a parameterized topology transformation matrix for the current data payload to be encrypted. The topology mapping module calls a preset orthogonal basis matrix template, determines the row and column dimensions of the matrix based on the data payload throughput, and injects the normalized logical address offset density as a perturbation operator into the eigenvalue calculation process of the orthogonal basis matrix template to generate a parameterized topology transformation matrix.
The parameter extraction unit converts the logical address offset density into values between 0 and 1 and calculates the matrix elements. The initial weights of each coordinate node are determined. θ is determined by the product of the logical address offset density and the preset mapping coefficient. Seed is a preset random seed vector. By adjusting the initial weights, the one-dimensional scalar cryptographic generation logic is transformed into a multi-dimensional coordinate vector logical space for iterative evolution, thereby controlling the diffusion rate of the evolving key stream.
[0049] After the topology mapping module injects the initial vector bias into the parameterized topology template, the system initiates the pipelined mapping procedure for the vector parallel computing unit. The parameter extraction unit decomposes the multidimensional feature vectors in the mapping constraint set into discrete sub-vectors conforming to the Single Instruction Multiple Data (SIMD) instruction set. Based on the register width of the underlying computing unit, it allocates the weights of each node in the parameterized topology transformation matrix to independent computing channels. The key evolution module obtains the pipelined aligned processing instructions and triggers the hardware-level vector multiplication and addition unit to achieve concurrent iteration of coordinate vectors in the logical space. Specifically, the iteration operator is defined as follows: for each 32-bit vector element in the parameterized topology transformation matrix, an XOR operation is performed with the current logical address, and based on the current... The matrix evolution order is used to perform a circular left shift operation. If the matrix evolution order is less than 16, it is shifted left by 3 bits in a single operation. If the matrix evolution order is greater than or equal to 16, it is shifted left by 7 bits in a single operation. The overflow bits generated in each iteration are fed back to the lower 4 bits of the adjacent coordinate nodes for weight compensation. This pipeline operation based on bit shifting and XOR ensures that the hardware cycle loss of a single coordinate update is constant at 12 clock cycles under the single instruction multiple data (SIMD) architecture. 
This procedure decomposes the complex spatial topology evolution task into computation instructions that can be directly addressed by the underlying transistor logic, compensates for the instruction cycle delay loss induced by high-order matrix operations, and enables the generation rate of the evolution key stream to achieve physical timing matching with the physical read and write bandwidth of the underlying storage medium.
[0050] During the process of the key evolution module calling the vector parallel computing unit to iteratively update the parameterized topology transformation matrix, the load adjustment module monitors the hardware performance status parameters of the underlying processor. The load adjustment module extracts the current hardware cache utilization and core operating temperature as hardware load feedback parameters. The load adjustment module internally loads an 80°C temperature safety threshold based on the processor's full-load thermal design power calibration and an 85% cache safety threshold based on the system memory throughput limit calibration. When the hardware cache utilization is detected to be greater than 85% for 5 consecutive sampling cycles or the core operating temperature is greater than 80°C, the load adjustment module sends a frequency reduction interrupt signal to the key evolution module. After receiving the frequency reduction interrupt signal, the key evolution module halves the evolution step size of the internal multi-dimensional coordinate vector and simultaneously reduces the update frequency of the parameterized topology transformation matrix. The aforementioned status monitoring and step size reduction mechanism keeps the computational overhead of the vector parallel computing unit under control, ensuring that the encryption operator replacement action continues to be executed within the hardware garbage collection cycle of the underlying storage medium.
[0051] Example 4: Before deploying the warehousing business data storage encryption system to heterogeneous distributed storage nodes, the system first triggers an offline baseline calibration procedure based on the physical environment characteristics to determine the specific values of the preset mapping coefficients. Through the underlying control interface, a stress test data stream consisting of alternating continuous large-block read/write operations and discrete random seeks is injected into the target storage bus. During the test stream operation, the status feature acquisition module continuously monitors and acquires the maximum physical transmission bandwidth when the storage medium reaches its limit throughput state. The matrix initialization unit extracts this maximum physical transmission bandwidth and applies it according to the following formula: Where β is a dimensionless preset mapping coefficient. The measured peak value of the maximum physical transmission bandwidth is expressed in GB/s. The test stream base bandwidth is measured in GB/s, and γ is a dimensionless hardware architecture compensation constant. The system retrieves an initial physical block distribution snapshot under no-load conditions and generates a two-dimensional parameterized topology template with uniform grid distribution characteristics based on the inherent physical spacing of each storage medium sector. The aforementioned operation process provides initialization data support corresponding to the underlying hardware physical boundary for the subsequent construction of the parameterized topology transformation matrix.
[0052] Based on the hardware performance parameters obtained from the offline baseline calibration procedure, the load adjustment module synchronously executes an in-situ calibration process targeting the hardware cache utilization rate and the core operating temperature safety threshold. This module extracts the steady-state maximum temperature when the processor core heat dissipation reaches dynamic equilibrium during the continuous operation of the stress test data stream. Simultaneously, it records the critical cache resident level when the memory controller experiences read/write instruction queuing under full-load parallel computing. The system multiplies the steady-state maximum temperature and the critical cache resident level by a dimensionless engineering safety reduction factor to calculate the temperature safety threshold and cache safety threshold used to trigger the frequency reduction interrupt signal in subsequent business operations. The calibration steps for the temperature safety threshold and cache safety threshold, as well as the hardware architecture compensation constant and preset security weight coefficient, are as follows: During the system power-on self-test phase, initiate 10 rounds of stress ramp-up tests, increasing the I/O load by 10% in each round. The initial value of the hardware architecture compensation constant is set to 1.2. If the processor core temperature rise rate exceeds 2 degrees Celsius per second as monitored in real time, the constant is gradually reduced in increments of 0.05. The preset security weight coefficient is calibrated based on the 4KB random write latency. When the latency first exceeds 15 milliseconds, record the utilization node at this point and multiply its value by 0.8 as the threshold. The baseline value of the security weight coefficient under normal operating conditions is calibrated and stored in-situ in a 256-byte non-volatile register inside the controller. This data filling method quantifies the physical energy loss and computing bus queuing delay caused by high-frequency cryptographic substitution operations. This allows the key evolution module to adjust the multi-dimensional coordinate vector evolution progress and parameterized topology transformation matrix update frequency as needed based on the actual dissipation boundary of the current processor. The preset security weight coefficient α is determined using an offline stress ramp-up test method. Continuous large-block read/write data streams are injected into the target storage bus, and the curve of the utilization rate of the vector parallel computing unit against increasing data access concurrency frequency ρ is monitored. The frequency response node at which the utilization rate reaches 75% is selected as the calibration benchmark, from which the basic value of α that balances the cryptographic state diffusion rate and the computing load is calculated. The hardware architecture compensation constant γ is determined based on the steady-state maximum temperature and critical cache resident amount when the processor core reaches thermal equilibrium under full load. The steady-state maximum temperature and critical cache resident amount are multiplied by the engineering security reduction factor to determine the temperature security threshold and cache security threshold for triggering the frequency reduction interrupt signal during business operation, so that the key generation calculation cycle and the physical read and write bandwidth of the underlying storage medium are matched in time.
[0053] Example 5: When the distributed flash memory medium experiences nonlinear fluctuations in the hardware garbage collection cycle due to wear leveling, causing the physical data transfer window to shrink randomly, the parameterized topology transformation matrix may fail to reach the preset evolution order within a single cycle. In this case, the synchronous encryption module triggers a preset hardware time awareness and vector breakpoint protection procedure. The synchronous encryption module reads the remaining available time for the current physical block garbage collection action through the storage controller firmware interface and calls the vector parallel computing unit to extract the baseline time for a single coordinate vector update. The synchronous encryption module uses the following formula: Where η is the dimensionless time margin coefficient, the remaining available time is in μs, and the baseline time for a single coordinate vector update is in μs. The system extracts the scalar value of the time margin coefficient η and uses it as the input parameter for subsequent state freeze logic. The synchronous encryption module monitors the physical block erase warning signal output by the flash translation layer in real time through the storage controller firmware interface. When the warning signal is triggered, the remaining available time of the underlying bus is retrieved and compared with the baseline time required for a single coordinate vector update to calculate the time margin coefficient. If the time margin coefficient is less than or equal to the physical operation truncation threshold of 1.15, the synchronous encryption module sends a vector iteration suspension instruction to the key evolution module and writes the intermediate state data snapshot sequence containing the current evolution order and spatial displacement vector into the controller's non-volatile buffer area. When the next physical block erasure signal is detected, it reloads the snapshot sequence and drives the vector parallel computing unit to deduce the remaining vector update operation starting from the evolution order before truncation, so that the encryption operator replacement action continues to evolve across cycles within the physical transport window.
[0054] When the synchronous encryption module determines that the time margin coefficient η is less than or equal to the physical operation truncation threshold calibrated to 1.15, the synchronous encryption module issues a vector iteration suspension instruction to the key evolution module. After receiving the instruction, the key evolution module truncates the evolution path of the current multidimensional coordinate vector, transforms the intermediate state topology matrix containing the current evolution order and spatial displacement vector into an independent data snapshot sequence, and writes the data snapshot sequence into the non-volatile buffer of the controller. When the state feature acquisition module detects the next physical block erase signal initiated by the storage medium, the synchronous encryption module reloads the data snapshot sequence from the non-volatile buffer, and then drives the vector parallel computing unit to deduce the remaining vector update operation starting from the evolution order before truncation. This cross-cycle state protection and continuation deduction logic compensates for the time jitter residual of the memory hardware handling window, enabling the encryption operator replacement action to achieve cross-cycle continuation evolution under extreme hardware timing constraints.
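The iteration operator of [0049] and the suspend-and-resume procedure of [0053] and [0054] can be exercised together in a short C sketch. This is an added example, not code from the patent or its applicant. Assumptions: ring adjacency and XOR feedback of the overflow bits, the ratio form η = remaining time / single-update time (the formula itself is not reproduced on the page), the 8-node size, the seed and address values, the byte buffer standing in for the non-volatile buffer, and all function names; k = 18, 4.2 μs and the 1.15 threshold are taken from the description.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NODES 8                 /* constructed size; the page fixes none */

typedef struct {
    uint32_t node[NODES];       /* 32-bit vector elements of the matrix */
    uint32_t order_done;        /* evolution order reached so far */
} evo_state;

/* One iteration: XOR each element with the logical address, rotate left by
 * 3 (k < 16) or 7 (k >= 16), then feed the bits that left the top of the
 * word into the low 4 bits of the next node. XOR feedback and ring
 * adjacency are assumptions; the page only says "adjacent" and "fed back". */
static void evolve_step(evo_state *s, uint32_t lba, uint32_t k)
{
    unsigned r = (k < 16) ? 3u : 7u;
    uint32_t out[NODES], carry[NODES];

    for (size_t i = 0; i < NODES; i++) {
        uint32_t x = s->node[i] ^ lba;
        carry[i] = x >> (32 - r);           /* bits leaving the top */
        out[i] = (x << r) | carry[i];       /* circular left shift */
    }
    for (size_t i = 0; i < NODES; i++)
        out[(i + 1) % NODES] ^= carry[i] & 0xFu;
    memcpy(s->node, out, sizeof out);
    s->order_done++;
}

/* eta = remaining / step (assumed ratio form); suspend when eta <= 1.15.
 * Integer nanoseconds avoid floating point: rem * 100 <= 115 * step. */
static int must_suspend(uint64_t remaining_ns, uint64_t step_ns)
{
    return remaining_ns * 100u <= 115u * step_ns;
}

/* Evolve inside one garbage-collection window. Returns 1 when order k is
 * reached, 0 when the window ran out and the state must be snapshotted. */
static int evolve_window(evo_state *s, uint32_t lba, uint32_t k,
                         uint64_t remaining_ns, uint64_t step_ns)
{
    while (s->order_done < k) {
        if (must_suspend(remaining_ns, step_ns))
            return 0;
        evolve_step(s, lba, k);
        remaining_ns -= step_ns;
    }
    return 1;
}

/* Constructed run: k = 18, 4.2 us per update, two 40 us windows. Returns 1
 * when the suspended-and-resumed state equals an uninterrupted run. */
static int split_run_matches(void)
{
    const uint32_t lba = 0x0001F400u, k = 18;        /* constructed address */
    evo_state ref = { {1, 2, 3, 4, 5, 6, 7, 8}, 0 }; /* constructed seed */
    evo_state live = ref, resumed;
    uint8_t nv[sizeof(evo_state)];                   /* stand-in NV buffer */

    evolve_window(&ref, lba, k, 1000000u, 4200u);    /* ample time: one pass */
    if (evolve_window(&live, lba, k, 40000u, 4200u))
        return 0;                                    /* expected to suspend */
    memcpy(nv, &live, sizeof live);                  /* snapshot on suspend */
    memset(&live, 0, sizeof live);                   /* working state lost */
    memcpy(&resumed, nv, sizeof resumed);            /* reload on next erase */
    if (!evolve_window(&resumed, lba, k, 40000u, 4200u))
        return 0;
    return memcmp(&ref, &resumed, sizeof ref) == 0;
}

int main(void) { return split_run_matches() ? 0 : 1; }
```

With two 40 μs windows the first stops at order 9 and the second completes order 18, giving the same state as an uninterrupted run. The snapshot holds the complete evolution state, so the buffer it is written to needs the same protection as the key stream itself.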
[0055] The embodiments of this application have been described above with reference to the accompanying drawings. Unless otherwise specified, the embodiments and features in the embodiments of this application can be combined with each other. This application is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other forms under the guidance of this application without departing from the spirit of this application and the scope of protection of this invention, and all of these forms are within the protection scope of this application.
Claims
1. A storage encryption system for warehousing business data, characterized in that it includes:
a status feature acquisition module, used to extract structured feature parameters that characterize the data storage status of warehouse operations by monitoring the I/O read and write queues of the storage system, the structured feature parameters consisting of data load throughput, data access concurrency frequency, and logical address offset density;
a topology mapping module, used to use the data payload throughput as the matrix dimension index and determine the initial weight value based on the logical address offset density to establish a parameterized topology transformation matrix corresponding to the data payload to be encrypted;
a key evolution module, used to perform vector iterative transformation operations on the parameterized topological transformation matrix and, by changing the logical shift of the vector elements in the parameterized topological transformation matrix, to generate an evolution key stream corresponding to the vector evolution state;
a synchronous encryption module, used to obtain the physical block erase signal generated by the underlying storage medium and attach the encryption operator replacement action of the data payload to be encrypted to the hardware garbage collection cycle of the underlying storage medium, wherein during the physical data transfer process of the underlying storage medium, the evolved key stream is used to perform encryption operator replacement on the data written to the physical transfer destination address.
2. The storage encryption system for warehousing business data according to claim 1, characterized in that the synchronous encryption module is equipped with a signal sensing interface; the signal sensing interface is used to obtain the block erase warning signal generated by the underlying storage medium in real time; the synchronous encryption module is also used to suspend non-urgent I/O requests through firmware instructions of the underlying storage medium when the block erase warning signal is triggered, and to retrieve the evolution key stream and perform in-situ re-encryption on the data payload in the physical transfer destination address during the physical data transfer process of the underlying storage medium.
3. The storage encryption system for warehousing business data according to claim 1, characterized in that the topology mapping module includes a parameter extraction unit and a matrix initialization unit. The parameter extraction unit is used to establish a mapping constraint set representing the data security strength based on structured feature parameters. The matrix initialization unit is used to call a preset parameterized topology template and map each parameter in the mapping constraint set to the weight allocation or vector bias of a specific node in the parameterized topology template to generate a parameterized topology transformation matrix.
4. The storage encryption system for warehousing business data according to claim 1, characterized in that the key evolution module is used to call the vector parallel computing unit to perform synchronous update operations on the multidimensional coordinate vectors in the parameterized topological transformation matrix. Through the iterative evolution of the multidimensional coordinate vectors in the logical space, an evolved key stream with non-uniform distribution characteristics is generated.
5. The storage encryption system for warehousing business data according to claim 1, characterized in that the system also includes a load adjustment module; the load adjustment module is used to adjust the calculation step size of the key evolution module according to the data load throughput; when the data load throughput exceeds the preset traffic threshold, the load adjustment module generates a step size compression instruction to forcibly reduce the number of iterations of the multi-dimensional coordinate vector in order to shorten the calculation cycle of a single key generation.
6. The storage encryption system for warehousing business data according to claim 1, characterized in that the system also includes a state control module; the state control module is used to mark the data payload to be encrypted through metadata state bits during the encryption operator replacement phase; the mark is used to indicate the key version number corresponding to the data payload to be encrypted, so as to establish the index mapping relationship between the logical address space involved in the logical address offset density and the key version.
7. The storage encryption system for warehousing business data according to claim 1, characterized in that the system also includes a key envelope module; the key envelope module is used to perform secondary encapsulation of the data payload to be encrypted using a randomly generated temporary session key during the encryption operator replacement performed by the synchronous encryption module, so as to cover the data status window during the physical data transfer process of the underlying storage medium.
8. The storage encryption system for warehousing business data according to claim 1, characterized in that the key evolution module is used to calculate the matrix evolution order k based on the data access concurrency frequency. The formula for calculating the matrix evolution order k is: , where k is the matrix evolution order, α is the preset security weight coefficient, and ρ is the quantized characteristic value representing the data access concurrency frequency.
9. The storage encryption system for warehousing business data according to claim 6, characterized in that the system also includes a situational awareness module; the situational awareness module is used to monitor the frequency of unauthorized access to the logical address space; when the frequency of unauthorized access exceeds the preset historical baseline value, the situational awareness module sends a dimension expansion instruction to the topology mapping module to increase the initial vector dimension of the parameterized topology transformation matrix.
10. The storage encryption system for warehousing business data according to claim 1, characterized in that the system is applied to a distributed storage environment; the status feature acquisition module obtains the logical address offset density by listening to the read and write request queue of the distributed storage environment; the synchronous encryption module is integrated into the firmware layer of the storage controller and is used to synchronously inject encryption operators when the underlying storage medium performs physical block erasure operations.