Human body communication based rail transit non-inductive passing payment method, system and device
The contactless payment method, which combines human body communication and biometrics, solves the efficiency and security issues of rail transit payment systems, enabling users to make contactless payments and improving peak-hour travel efficiency while ensuring payment security and privacy.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications (China)
- Current Assignee / Owner
- CHINA RAILWAY ERYUAN ENGINEERING GROUP CO LTD
- Filing Date
- 2026-04-03
- Publication Date
- 2026-06-19
AI Technical Summary
Existing rail transit payment systems suffer from inefficiency and inadequate security in user operation, especially during peak hours when they can cause congestion at turnstiles. Furthermore, radio frequency communication is susceptible to interference and eavesdropping, making it difficult to achieve truly seamless passage.
The method adopts contactless payment based on human body communication. Biometric data is collected by the user terminal device to generate a biometric key, which is combined with a lightweight signature algorithm to generate a signed payment token. The token is transmitted to the gate through human skin as the transmission medium. The gate verifies the signature and opens, thus realizing contactless payment.
It enables payment to be completed without user intervention, improves passage efficiency, prevents misuse of lost devices, and eliminates signal interference and eavesdropping at the physical layer, ensuring payment security and reliability.
Figure CN122244965A_ABST (abstract drawing)
Description
Technical Field
[0001] This invention relates to the field of rail transit technology, and more specifically, to a method, system, and device for contactless payment for rail transit based on human body communication.
Background Technology
[0002] Currently, automatic fare collection systems for urban rail transit mainly rely on Near Field Communication (NFC) and optical recognition technologies to enable passenger entry and exit ticket checks and payments. NFC technology is widely used for contactless card payments via physical transit cards, mobile bus cards, and smart wearable devices; QR code technology uses dynamic or static QR codes generated by mobile applications, which are scanned by gate cameras to complete identity authentication and fare deduction. These technological solutions have, to a certain extent, achieved electronic payment, replacing traditional single-journey tickets and improving operational efficiency.
[0003] However, in practical applications, existing technologies still have shortcomings: for example, current NFC payments require passengers to hold their physical card or mobile phone close to the gate's sensing area, while QR code payments require passengers to turn on their mobile phone screen in advance and align it with the scanning window. Both operations require passengers to "take out their card" or "turn on their screen" when passing through the gate, making it difficult to achieve truly "seamless passage." When passengers are carrying heavy objects, holding children, using assistive devices, or during peak hours when there are large crowds, this operation can easily cause congestion at the gate, reduce passage efficiency, and affect the overall travel experience.
[0004] Secondly, the communication between the terminal devices (such as mobile phones and watches) and the turnstiles that NFC and QR code payments rely on is essentially radio frequency (RF) communication. Taking NFC as an example, its operating frequency is 13.56 MHz. Although the communication distance is relatively short, there is still a risk of malicious reading by personal devices in crowded environments. Furthermore, RF signals propagate through the air, making it difficult to completely avoid electromagnetic interference. If other RF technologies (such as Bluetooth or Wi-Fi in the 2.4 GHz band) are used, the signal coverage is larger, making it more susceptible to interference from the dense wireless signals within subway stations, and there is a risk of signal overflow leading to long-distance eavesdropping or man-in-the-middle attacks.
Summary of the Invention
[0005] The problem solved by this invention is one or more of the aforementioned related technical problems.
[0006] To address the aforementioned issues, this invention provides a method, system, and device for contactless payment for rail transit based on human body communication.
[0007] In a first aspect, the present invention provides a contactless payment method for rail transit based on human body communication. The method relies on a user terminal device worn by the user that communicates via a wireless body area network, and includes: collecting the user's biometric data through the user terminal device and processing the biometric data with a fuzzy extractor to generate a biometric key; generating, based on a lightweight signature algorithm, a signed payment token from the biometric key, the pre-stored gate public key, the user's virtual identity identifier, the current timestamp, and the anti-replay random number; when a body part of the user comes into contact with the sensing electrodes of the gate, waking the user terminal device, which modulates the signed payment token according to the human body communication protocol and sends it to the gate using human skin as the transmission medium; after the gate receives the signed payment token, performing an unsigncryption (decrypt-and-verify) operation on it in the gate's edge computing gateway using the preset gate private key; and, once the signed payment token is verified, opening the gate and deducting the fee based on the passage record.
[0008] Optionally, the biometric data includes electrocardiogram (ECG) signals or photoplethysmography (PPG) pulse wave data; when the user terminal device detects that it cannot collect valid biometric data, it automatically destroys or locks the biometric key.
[0009] Optionally, the step of generating a signed payment token based on a lightweight signature algorithm, using the biometric key, pre-stored gate public key, user virtual identity identifier, current timestamp, and anti-replay random number, includes: using the biometric key as the sender's private key and the pre-stored gate public key as the receiver's public key, a lightweight signature algorithm based on hyperelliptic curve cryptography signs the message body containing the user's virtual identity identifier, the current timestamp, and the anti-replay random number, and the resulting signed ciphertext serves as the signed payment token.
[0010] Optionally, the turnstile is also used to: detect whether the user is in the access area and record a proximity timestamp; when the user's body part touches the gate's sensing electrode, detect a change in charge that matches the characteristics of living-body capacitance, record a touch timestamp, and monitor the contact duration; calculate the time difference between the touch timestamp and the proximity timestamp; if the time difference is less than or equal to a first preset threshold and the contact duration is greater than or equal to a second preset threshold, judge the touch to be valid and trigger the wake-up of the user terminal device; otherwise, judge it to be invalid interference and trigger neither wake-up nor data transmission.
[0011] Optionally, the step of performing an unsigncryption (decrypt-and-verify) operation on the signed payment token based on a preset gate private key, and controlling the gate to open after the signed payment token has been verified, includes: decrypting the signed payment token with the preset gate private key and extracting the current timestamp and the anti-replay random number; performing a timeliness check on the current timestamp to determine whether it lies within a preset time window; checking the uniqueness of the anti-replay random number by querying whether the same random number already exists in the local cache and, if it exists, judging the token to be a replay attack; verifying the legitimacy of the decrypted user virtual identity; and, if all checks pass, opening the gate.
[0012] Optionally, the fee deduction process based on passage records includes: the passage records are decrypted and verified, funds are deducted, and accounts are updated.
[0013] Optionally, the contactless payment method for rail transit based on human body communication further includes: when a user binds multiple user terminal devices, any one of the user terminal devices is designated as the master device, which generates and sends the signed payment token; the remaining user terminal devices are marked as auxiliary devices and do not participate in the generation and transmission of the signed payment token while the master device is working normally.
[0014] Optionally, the signed payment token also includes an emergency flag. When the user terminal device detects an abnormality in the user's health, it sets the emergency flag to the active state. When the gate recognizes the emergency flag after decryption, it opens and sends a location alarm message. The gate includes an edge computing gateway, and the unsigncryption operation is performed locally on the edge computing gateway.
[0015] Secondly, the present invention provides a contactless payment system for rail transit based on human body communication, based on a user-worn terminal device, wherein the user terminal device communicates using a wireless body area network; the contactless payment system for rail transit based on human body communication includes: an acquisition unit, used to acquire the user's biometric data through the user terminal device and process the biometric data with a fuzzy extractor to generate a biometric key; and a processing unit, used to generate a signed payment token based on a lightweight signature algorithm from the biometric key, a pre-stored gate public key, the user's virtual identity identifier, the current timestamp, and an anti-replay random number. When the user's body part touches the gate's sensing electrode, the user terminal device is awakened and sends the signed payment token to the gate via human skin as a transmission medium, modulated by a human body communication protocol. After receiving the signed payment token, the gate performs an unsigncryption (decrypt-and-verify) operation on it according to a preset gate private key. After the signed payment token is verified, the gate is opened, and the fee is deducted based on the passage record.
[0016] Thirdly, the present invention provides a rail transit contactless payment device based on human body communication, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the rail transit contactless payment method based on human body communication as described in the first aspect.
[0017] The beneficial effects of the contactless payment method, system, and equipment for rail transit based on human body communication of the present invention are: by integrating biometric binding, lightweight signature encryption, and human body communication technologies, seamless payment for rail transit has been achieved. Firstly, in terms of user experience, users don't need to take out a card or turn on their phone; payment is triggered simply by the natural contact of a part of their body with the gate, completely freeing their hands and significantly improving efficiency during peak hours. Secondly, in terms of security, the biometric key generated by the fuzzy key extractor establishes a strong binding between the device and the legitimate user, effectively preventing unauthorized use and fraudulent transactions after device loss. Simultaneously, using human skin as the signal transmission medium strictly limits the communication range to the human body surface, thus eliminating at the physical layer the long-distance eavesdropping and electromagnetic interference to which radio frequency signals are exposed and greatly improving the security of the payment process. In addition, the lightweight signature technology completes the signing and encryption in one operation, which not only ensures the confidentiality and non-forgeability of the payment token, but also meets the need for millisecond-level fast verification at the gate. Finally, after the gate completes the unsigncryption and verification locally, it opens first, and then deducts the fee asynchronously based on the passage record. This ensures both passage efficiency and reliable accounting settlement. Overall, it provides a seamless passage payment solution for rail transit that combines ultimate convenience, physical security and efficient collaboration.
Attached Figure Description
[0018] Figure 1 is a flowchart of a contactless payment method for rail transit based on human body communication according to an embodiment of the present invention; Figure 2 is a flowchart of a signature encryption (signcryption) algorithm according to an embodiment of the present invention; Figure 3 is a schematic diagram of a contactless payment system for rail transit based on human body communication according to an embodiment of the present invention.
Detailed Implementation
[0019] To make the above-mentioned objects, features, and advantages of the present invention more apparent and understandable, specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings. Although some embodiments of the present invention are shown in the drawings, it should be understood that the present invention can be implemented in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided to provide a more thorough and complete understanding of the present invention. It should be understood that the accompanying drawings and embodiments of the present invention are for illustrative purposes only and are not intended to limit the scope of protection of the present invention.
[0020] It should be understood that the various steps described in the method embodiments of the present invention may be performed in different orders and / or in parallel. Furthermore, the method embodiments may include additional steps and / or omit the steps shown. The scope of the present invention is not limited in this respect.
[0021] The term "comprising" and its variations as used herein are open-ended, meaning "including but not limited to"; the term "based on" means "at least partially based on"; the term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments"; and the term "optionally" means "optional embodiments". Definitions of other terms will be given in the following description. It should be noted that the concepts of "first," "second," etc., mentioned in this invention are used only to distinguish different devices, modules, or units, and are not intended to limit the order of functions performed by these devices, modules, or units or their interdependencies.
[0022] It should be noted that the terms "a" and "a plurality of" used in this invention are illustrative rather than restrictive. Those skilled in the art should understand that, unless otherwise expressly indicated in the context, they should be understood as "one or more".
[0023] The names of the messages or information exchanged between the multiple devices in the embodiments of the present invention are for illustrative purposes only and are not intended to limit the scope of these messages or information.
[0024] Existing payment methods (transportation cards, mobile phones) merely serve as storage media for static credentials or dynamic tokens; they themselves cannot detect whether the current holder is the legitimate account owner. If a device is lost or stolen, the finder can impersonate it to complete payments, resulting in financial loss for the user. While some mobile phones support fingerprint or facial unlocking, this unlocking operation is independent of the payment process and is not cryptographically bound to the generation of the payment token, thus failing to fundamentally solve the problem of "device loss equals fraudulent use."
[0025] Some mobile payment solutions (such as QR codes) rely on real-time online verification between turnstiles and cloud servers. When there is network congestion or poor signal, payment delays or failures may occur, affecting the smoothness of passage. Even with offline code technology, regular online updates are often required, and it is difficult to effectively prevent replay attacks.
[0026] Therefore, existing rail transit payment schemes have significant shortcomings in terms of traffic efficiency, physical layer security, user identity binding, and network dependence, making it difficult to meet the growing demand for efficient, safe, and seamless passage.
[0027] To address the problems existing in the aforementioned related technologies, embodiments of the present invention provide a method, system, and device for contactless payment for rail transit based on human body communication.
[0028] As shown in Figure 1, this invention provides a contactless payment method for rail transit based on human body communication. The method utilizes a user-worn terminal device that communicates via a wireless body area network. The contactless payment method for rail transit based on human body communication includes: Step S100: Collect the user's biometric data through the user terminal device, and process the biometric data based on the fuzzy extractor to generate a biometric key.
[0029] Specifically, when a user first wears or uses the user terminal device (such as a smartwatch, smart bracelet, or other wearable device), the device automatically or in response to the user's registration command enters an initialization binding mode. In this mode, the device's built-in biosensors (such as a photoplethysmography (PPG) sensor or electrocardiogram (ECG) sensor) begin to continuously collect the user's biometric signals, for example, collecting 5 to 10 seconds of pulse wave data or ECG signal data as raw biometric samples. Because biometric signals will vary slightly each time they are collected due to factors such as sensor contact status and physiological fluctuations, directly using them as keys will lead to subsequent verification failures.
[0030] Therefore, a fuzzy extractor technique is introduced to process the raw biometric data. Specifically, the fuzzy extractor first quantizes the acquired analog signal, converting it into biometric data in binary bit string form. Then, the generation algorithm in the fuzzy extractor, based on error-correcting coding principles, extracts a stable and uniformly distributed random bit string from the biometric data as a biometric key, while simultaneously generating auxiliary data. The biometric key possesses the stability and randomness required for cryptography and can serve as the private key material for subsequent signature operations. The auxiliary data is used to assist in reconstructing the same biometric key in subsequent use; it does not reveal any information about the biometric key and can be publicly stored in the insecure storage area of the device. The generated biometric key is written into the secure unit of the user terminal device and marked as "activated" for subsequent payment token generation. Through this process, this step achieves localized binding of user biometrics to the device, providing a reliable identity trust anchor for the entire payment system.
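The Gen/Rep pair described above, as an added Go example that is not part of the patent: it uses the code-offset construction (a 5-fold repetition code for error correction and a salted SHA-256 as the strong extractor), with a constructed bit-string template standing in for quantised PPG or ECG data. The choice of code, the 32-bit key size and the sample template are assumptions; the page does not specify them.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const BlockLen = 5 // each key bit is repeated 5 times; majority decoding corrects up to 2 flips per block
const KeyBits = 32 // key bits per template (toy size; a real PPG/ECG template is longer)

// Helper is the public auxiliary data from Gen: the template XORed with a uniformly random codeword
// (a one-time pad, so it reveals nothing about template or key) plus the extractor salt.
type Helper struct {
	Offset []byte // one 0/1 byte per template bit
	Seed   []byte
}

func xorBits(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encode expands KeyBits message bits into a repetition codeword of KeyBits*BlockLen bits.
func encode(k []byte) []byte {
	c := make([]byte, 0, len(k)*BlockLen)
	for _, bit := range k {
		c = append(c, bytes.Repeat([]byte{bit}, BlockLen)...)
	}
	return c
}

// decode snaps a noisy word onto the nearest codeword by majority vote inside each block.
func decode(noisy []byte) []byte {
	c := make([]byte, len(noisy))
	for i := 0; i < len(noisy); i += BlockLen {
		ones := 0
		for j := 0; j < BlockLen; j++ { ones += int(noisy[i+j]) }
		bit := byte(0)
		if 2*ones > BlockLen { bit = 1 }
		for j := 0; j < BlockLen; j++ { c[i+j] = bit }
	}
	return c
}

// extract is the strong-extractor step: a salted hash of the stabilised template becomes the key.
func extract(w, seed []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, seed...), w...))
	return sum[:]
}

// Gen runs once at enrolment: template w in, biometric key and public helper data out.
func Gen(w []byte) ([]byte, Helper, error) {
	if len(w) != KeyBits*BlockLen { return nil, Helper{}, fmt.Errorf("template must be %d bits", KeyBits*BlockLen) }
	rnd := make([]byte, KeyBits+16)
	if _, err := rand.Read(rnd); err != nil { return nil, Helper{}, err }
	k := make([]byte, KeyBits) // a uniformly random message to encode
	for i := range k { k[i] = rnd[i] & 1 }
	h := Helper{Offset: xorBits(w, encode(k)), Seed: rnd[KeyBits:]}
	return extract(w, h.Seed), h, nil
}

// Rep runs at every payment: it reproduces the enrolment key from a re-measured template wPrime as long
// as no block differs from w in more than 2 bits; beyond that it yields an unrelated key, not an error.
func Rep(wPrime []byte, h Helper) ([]byte, error) {
	if len(wPrime) != len(h.Offset) { return nil, fmt.Errorf("template length mismatch") }
	codeword := decode(xorBits(wPrime, h.Offset)) // wPrime XOR offset = codeword XOR measurement noise
	return extract(xorBits(codeword, h.Offset), h.Seed), nil
}

// SampleTemplate is a constructed, deterministic stand-in for a quantised pulse-wave template.
func SampleTemplate() []byte {
	src := sha256.Sum256([]byte("constructed-ppg-template"))
	w := make([]byte, KeyBits*BlockLen)
	for i := range w { w[i] = src[i/8] >> (i % 8) & 1 }
	return w
}

// Flip inverts the given bit positions of w, modelling measurement noise between sessions.
func Flip(w []byte, positions ...int) []byte {
	out := append([]byte{}, w...)
	for _, p := range positions { out[p] ^= 1 }
	return out
}

func main() {
	w := SampleTemplate()
	key, helper, err := Gen(w)
	if err != nil { panic(err) }
	near, _ := Rep(Flip(w, 0, 1, 9, 42), helper) // at most 2 flips in any 5-bit block
	far, _ := Rep(Flip(w, 0, 1, 2), helper)       // 3 flips in block 0 exceed the code's capacity
	fmt.Println("key reproduced from near sample:", bytes.Equal(key, near))
	fmt.Println("key reproduced from far sample: ", bytes.Equal(key, far))
}
```

Because Rep returns a wrong key silently rather than failing, a device built this way has to detect a failed reproduction downstream (for instance by the gate rejecting the signature), which is why the page's key-locking rule for invalid biometric readings matters.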
[0031] It should be noted that, in order to comply with the principles regarding the processing of sensitive personal information, biometric data is processed locally only and is not uploaded to the cloud.
[0032] By using a fuzzy extractor to transform naturally fluctuating biometric data into stable, random, and irreversible biometric keys, a cryptographically strong binding between the user's liveness identity and the user's terminal device is achieved. This ensures that the generation of payment tokens relies on the user's real-time biometric presence, fundamentally eliminating the risk of unauthorized use and fraudulent transactions after device loss. Furthermore, biometric data collection and processing are completed locally on the user's terminal device, eliminating the need to upload raw biometric data to the cloud or access control systems, effectively protecting user privacy and adhering to the minimum necessary principle for personal information protection. In addition, the biometric-generated keys do not require users to remember or carry them, laying a secure foundation for a seamless "touch-to-pay" experience.
[0033] Step S200: Based on a lightweight signature algorithm, a signature payment token is generated according to the biometric key, the pre-stored gate public key, the user's virtual identity identifier, the current timestamp, and the anti-replay random number.
[0034] Specifically, the user terminal device generates a signed payment token based on a lightweight signature encryption algorithm. It reads the biometric key generated in step S100 from the security unit as the sender's private key, which is uniquely bound to the legitimate user's identity; simultaneously, it reads the pre-stored gate public key as the receiver's public key, which is pre-configured by the rail transit system and ensures that only the target gate can decrypt it. The device constructs a message body to be signed, which includes at least the following four elements: a de-identified user virtual identity (used for anonymizing user identification), a current timestamp (accurate to milliseconds), and a replay-protected random number (a one-time random value to ensure token uniqueness). Subsequently, the device calls the lightweight signature encryption algorithm, taking the biometric key, gate public key, and message body as input, and simultaneously performs digital signing (proving the message originates from a legitimate user) and encryption (ensuring only the gate can decrypt it) in a single cryptographic operation, finally outputting a compact signed ciphertext, i.e., the signed payment token.
[0035] For example, assuming a lightweight signature encryption scheme based on elliptic curves is adopted, the device uses a biometric key to sign the hash value of the message body, and uses the gate public key to encrypt the message body and the signature. The generated ciphertext is the token.
[0036] By integrating signature and encryption into a single cryptographic operation, computational overhead and communication rounds are significantly reduced, making it suitable for scenarios with limited user terminal device resources. Token generation can be completed within milliseconds. The signature token embeds a virtual user identity identifier, which, combined with a biometric key, achieves a cryptographic binding between user identity and payment behavior, preventing unauthorized use after device loss. Simultaneously, the introduction of timestamps and anti-replay random numbers ensures that each generated token is unique and time-sensitive. The gate can effectively prevent replay attacks through verification, ensuring the security and reliability of the payment process. The entire token generation process is completed locally, without requiring a real-time network connection, laying the foundation for offline payment access.
[0037] In step S300, when a user's body part touches the sensing electrode of the gate, the user terminal device is awakened and sends the signature payment token to the gate after modulation via the human body communication protocol through human skin as the transmission medium.
[0038] Specifically, the human body communication protocol can be selected from the human body communication frequency band defined by the IEEE 802.15.6 standard, and the working frequency is set to 21 MHz; the signature payment token is conducted to the sensing electrode of the gate through the human skin via the principle of electric field coupling, and the signal transmission range can be limited to a preset range on the human body surface (such as 10 cm).
[0039] When a passenger (user) enters the turnstile area and touches the metal electrode plate of the turnstile's sensing area with any part of their body (such as fingers, palm, back of hand, or elbow), this contact triggers a dual wake-up mechanism. On one hand, the turnstile's sensing electrodes detect a change in charge that conforms to the characteristics of living capacitance and generate a trigger signal; on the other hand, this change in charge is conducted through the human skin to the user terminal device worn by the passenger (such as a smartwatch). The device's built-in human body communication module detects this physical layer signal change and is awakened, switching from a low-power standby state to an active state.
[0040] Subsequently, the user terminal device's human body communication module modulates the pre-calculated signature payment token onto a carrier signal, such as 21 MHz, according to the human body communication protocol defined by the IEEE 802.15.6 standard. This modulated signal is coupled to the user's skin surface through the device's electrodes and uses human tissue as a signal transmission waveguide, conducting along the skin surface to the contact point between the body and the gate's sensing electrodes. When the signal reaches the contact point, it is coupled from the human body to the gate's sensing electrodes through the principle of electric field coupling, completing the wireless transmission of the payment token. Throughout the transmission process, the signal energy is strictly confined to the human body surface and the vicinity of the contact point; beyond a few centimeters from the skin, the signal strength attenuates sharply to the point of being unreceivable. After transmission, the signature payment token received by the gate is used in the subsequent signature verification steps. The entire wake-up and transmission process is completed automatically the instant the user naturally touches the gate, without requiring any device operation or screen interaction from the user.
[0041] Human body communication technology enables an extremely convenient "touch-to-transfer" experience. Users do not need to take out a card, turn on the screen, or perform any additional operations. Even if their hands are occupied, they can easily pass through the gate, greatly improving the efficiency and user experience during peak hours. At the same time, the signal uses human skin as a dedicated transmission medium, physically limiting the communication range to a centimeter-level area around the contact point. This completely avoids the security risks of traditional radio frequency communication, such as long-distance eavesdropping, electromagnetic interference, or man-in-the-middle attacks, providing physical isolation-level natural protection for payment data. In addition, the use of the 21 MHz low-frequency band for communication effectively avoids the interference bands of dense 2.4 GHz / 5 GHz Wi-Fi and 5G cellular signals in subway stations, ensuring highly reliable transmission of payment instructions in complex electromagnetic environments. By using the touch behavior itself as the sole expression of intent for wake-up and triggering, the user's intent and the device's response are naturally unified, creating the prerequisite for subsequent rapid verification and passage execution.
[0042] Step S400: After the gate receives the signed payment token, it performs an unsigncryption (decrypt-and-verify) operation on the signed payment token based on the preset gate private key using the edge computing gateway in the gate. After the signed payment token is verified, the gate is opened and the fee is deducted based on the passage record.
[0043] Specifically, after receiving the signed payment token transmitted via human skin from the user terminal device through its sensing electrodes, the gate passes the token data to the edge computing gateway built into the gate. The edge computing gateway first calls the gate's private key, pre-stored in the security module, to perform an unsigncryption operation on the received signed payment token. This unsigncryption operation is the inverse of the signcryption operation and completes both decryption and signature verification in one step: on the one hand, the gate's private key is used to decrypt the ciphertext to recover the original message body, which includes the user's virtual identity, the current timestamp, and the anti-replay random number; on the other hand, based on the recovered message body and the public key corresponding to the biometric key used by the user terminal device (which can be derived from system parameters or obtained through the user's virtual identity index), the legitimacy of the signature in the signed payment token is verified, confirming that the token was indeed generated by the user terminal device bound to the legitimate user and has not been tampered with.
[0044] After the decryption operation is completed, the edge computing gateway performs multi-dimensional verification on the recovered message body. For example, it first verifies whether the current timestamp is within a preset valid time window (e.g., no more than 5 minutes different from the current system time of the gate) to prevent the replay use of expired tokens. Secondly, it verifies whether the anti-replay random number already exists in the local cache record. If it does not exist, the random number is added to the cache and the process continues; if it exists, it is judged as a replay attack and passage is denied. Finally, it verifies the validity of the user's virtual identity (e.g., whether it is in the list of allowed users or whether the account status is normal). If all the above verifications pass, the edge computing gateway sends an opening command to the gate's execution mechanism to control the gate to open and allow passengers to pass. At the same time, the gate generates a passage record containing information such as the user's virtual identity, passage time, and passage station, and encrypts the record before asynchronously uploading it to the cloud clearing platform via a secure network channel. After receiving the passage record, the cloud clearing platform decrypts and verifies it, completes the deduction of funds from the user's account and updates the account balance, and returns the deduction result to the gate for subsequent reconciliation or user inquiry. Throughout the process, the gate opening and payment processing are decoupled, allowing passengers to pass through immediately after verification without waiting for payment to be completed.
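The token construction of step S200 (as the worked example in [0035] sketches it) together with the gate-side checks of step S400, as an added Go example that is not part of the patent: the terminal signs SHA-256 of the message body and encrypts body plus signature to the gate's public key; the gate decrypts, verifies the signature against the key indexed by the virtual identity, applies the 5-minute window and the nonce cache, and caches the nonce only after every check has passed. Assumptions: P-256 ECDSA with ephemeral ECDH and AES-GCM stand in for the unspecified lightweight signcryption scheme (sign-then-encrypt, not a true one-pass signcryption), a freshly generated ECDSA key stands in for the biometric-derived scalar, and the VID value, KDF labels and JSON body layout are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Body is the message body inside the token: virtual identity, millisecond timestamp, one-time nonce.
type Body struct {
	VID   string `json:"vid"`
	TS    int64  `json:"ts"`
	Nonce []byte `json:"nonce"`
}

// NewBody fills in the timestamp and a fresh 16-byte nonce for one passage attempt.
func NewBody(vid string, at time.Time) Body {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return Body{VID: vid, TS: at.UnixMilli(), Nonce: nonce}
}

// gcmFor derives a single-use AES-256-GCM key and IV from the ECDH secret and the ephemeral point (labels assumed).
func gcmFor(shared, ephPub []byte) (cipher.AEAD, []byte, error) {
	key := sha256.Sum256(append(append([]byte("hbc-token-key"), shared...), ephPub...))
	iv := sha256.Sum256(append([]byte("hbc-token-iv"), shared...))
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, nil, err }
	aead, err := cipher.NewGCM(block)
	return aead, iv[:12], err
}

// Signcrypt is the terminal side of S200: ECDSA over SHA-256(body) with the user's key, then body and
// signature encrypted to the gate key. Token = 65-byte ephemeral point || AES-GCM(sigLen || sig || body).
func Signcrypt(user *ecdsa.PrivateKey, gatePub *ecdh.PublicKey, b Body) ([]byte, error) {
	body, err := json.Marshal(b)
	if err != nil { return nil, err }
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, user, h[:])
	if err != nil { return nil, err }
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(gatePub)
	if err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	aead, iv, err := gcmFor(shared, ephPub)
	if err != nil { return nil, err }
	plain := append(append([]byte{byte(len(sig))}, sig...), body...)
	return append(ephPub, aead.Seal(nil, iv, plain, ephPub)...), nil
}

// Gate is the edge gateway state of S400: gate private key, user public keys indexed by VID, nonce cache, clock.
type Gate struct {
	priv  *ecdh.PrivateKey
	users map[string]*ecdsa.PublicKey
	seen  map[string]bool
	now   func() time.Time
}

// Verify unsigncrypts the token (decrypt, then check the signature) and runs the identity, timeliness and
// anti-replay checks of [0044]; the nonce enters the cache only when every check has passed.
func (g *Gate) Verify(token []byte) (Body, error) {
	var b Body
	if len(token) < 65+16 { return b, errors.New("token too short") } // point plus GCM tag at minimum
	ephPub, err := ecdh.P256().NewPublicKey(token[:65])
	if err != nil { return b, err }
	shared, err := g.priv.ECDH(ephPub)
	if err != nil { return b, err }
	aead, iv, err := gcmFor(shared, token[:65])
	if err != nil { return b, err }
	plain, err := aead.Open(nil, iv, token[65:], token[:65])
	if err != nil || len(plain) == 0 || len(plain) <= int(plain[0]) { return b, errors.New("decryption failed") }
	sig, body := plain[1:1+int(plain[0])], plain[1+int(plain[0]):]
	if err := json.Unmarshal(body, &b); err != nil { return b, err }
	pub, ok := g.users[b.VID]
	if !ok { return b, errors.New("unknown virtual identity") }
	h := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(pub, h[:], sig) { return b, errors.New("signature verification failed") }
	if d := g.now().Sub(time.UnixMilli(b.TS)); d > 5*time.Minute || d < -5*time.Minute { return b, errors.New("timestamp outside the valid window") }
	if g.seen[string(b.Nonce)] { return b, errors.New("replay detected") }
	g.seen[string(b.Nonce)] = true
	return b, nil
}

func main() {
	gatePriv, _ := ecdh.P256().GenerateKey(rand.Reader)
	user, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the biometric-derived key
	gate := &Gate{priv: gatePriv, users: map[string]*ecdsa.PublicKey{"vid-7f3a": &user.PublicKey}, seen: map[string]bool{}, now: time.Now}
	tok, _ := Signcrypt(user, gatePriv.PublicKey(), NewBody("vid-7f3a", time.Now()))
	_, first := gate.Verify(tok)
	_, replay := gate.Verify(tok) // the same token presented again must be caught by the nonce cache
	fmt.Println("first pass:", first, "| replay:", replay)
}
```

A production gate would bound the nonce cache by expiring entries older than the time window, since the timeliness check already rejects anything older.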
[0045] By completing the signature verification locally at the gate through an edge computing gateway, millisecond-level fast verification of payment tokens is achieved, ensuring that passengers can pass through instantly after touching the gate, avoiding gate congestion caused by network latency or cloud processing bottlenecks. The signature verification operation simultaneously completes identity authentication, data integrity verification, and decryption in a single operation, ensuring payment security while minimizing processing time. The dual anti-replay mechanism of timestamps and random numbers effectively prevents the risk of intercepted and replayed tokens. The asynchronous deduction mechanism decouples access control from fund settlement, achieving reliable accounting while ensuring access efficiency. The entire verification process only requires the private key and system parameters stored locally at the gate, without the need for real-time network access to query the user's original biometrics or complete account information, thus protecting user privacy and improving system availability and resilience.
[0046] In this embodiment, by integrating biometric binding, lightweight signcryption, and human body communication technologies, seamless payment for rail transit is achieved. Firstly, in terms of user experience, users do not need to take out a card or turn on their phone; payment is triggered simply by the natural contact of a part of their body with the gate, completely freeing their hands and significantly improving passage efficiency during peak hours. Secondly, in terms of security, the biometric key generated by the fuzzy key extractor achieves strong binding between the device and the legitimate user, effectively preventing unauthorized use and fraudulent transactions after device loss. Simultaneously, using human skin as the signal transmission medium confines the communication range to the surface of the body, physically ruling out the long-distance eavesdropping and electromagnetic interference that affect radio frequency signals and greatly improving the security of the payment process. In addition, the lightweight signcryption completes signing and encryption in one operation, which both ensures the confidentiality and non-forgeability of the payment token and meets the need for millisecond-level verification at the gate. Finally, the gate opens first, once local unsigncryption and verification are complete, and the fee is deducted asynchronously afterwards on the basis of the passage record, ensuring both passage efficiency and reliable accounting settlement. Overall, it provides a seamless passage payment solution for rail transit that combines convenience, physical-layer security and efficient cooperation between its components.
[0047] Optionally, the biometric data includes electrocardiogram (ECG) signals or photoplethysmography (PPG) pulse wave data; when the user terminal device detects that it cannot collect valid biometric data, it automatically destroys or locks the biometric key.
[0048] Specifically, in this invention, the biometric data preferably uses electrocardiogram (ECG) signals or photoplethysmography (PPG) pulse wave data. Both of these biometric features have unique properties specific to living organisms and are suitable for real-time acquisition scenarios of wearable devices.
[0049] ECG signal acquisition methods: ECG signals are the potential distribution of the heart's electrical activity on the body surface, exhibiting significant individual variability and uniqueness in a living organism. User terminal devices (such as smartwatches) acquire ECG signals through built-in dry or wet electrode sensors on the back of the watch that contacts the user's skin. Specific acquisition methods include: Single-lead acquisition: Two electrodes on the back of the device contact the skin on the inside of the user's wrist, forming a measurement circuit to acquire standard limb lead ECG signals; Three-lead acquisition: Some enhanced devices can be used with additional electrodes on the crown or case to achieve simultaneous acquisition of multiple leads, obtaining richer feature information.
[0050] Photoplethysmography (PPG) acquisition methods: PPG is an optical signal that uses a photoelectric sensor to detect changes in blood volume, reflecting physiological parameters such as heart rate and blood oxygenation. User terminal devices acquire PPG signals in the following ways: Reflective photoelectric measurement: Green or infrared LEDs on the back of the device emit light that penetrates the skin surface. A photodiode receives the light intensity changes after reflection and absorption by blood vessels, extracting the pulse wave waveform. Transmissive photoelectric measurement: Suitable for ear clip or finger clip devices, the light penetrates the tissue and is detected by a receiver on the opposite side, obtaining a purer pulse wave signal.
[0051] When the user terminal device detects that it cannot collect valid biometric data, it determines that the device has been removed from the human body or is being used illegitimately, and triggers the automatic destruction or locking of the biometric key. The following optional solutions may be used for the detection mechanism. Option A, real-time monitoring based on signal quality: the device continuously monitors the signal-quality parameters of the biosensors. Signal-to-noise ratio threshold judgment: when the amplitude of the QRS complex of the ECG signal falls below a preset threshold, or the ratio of the AC component to the DC component of the PPG signal is abnormal, the acquisition is judged invalid. Signal stability analysis: if waveform feature points cannot be stably extracted over multiple consecutive sampling periods, or the heart rate falls outside the normal physiological range (for example, below 30 bpm or above 220 bpm), a signal abnormality is determined. Baseline drift detection: if the signal baseline drifts beyond the set range, the sensor is not making good contact or has detached from the body.
[0052] Option B: Assisted detection based on wearable sensors: The device has a built-in independent wear detection sensor, which, together with biometric data collection, forms a dual verification mechanism: Capacitive contact detection: Determines whether the device is in close contact with the skin by measuring the capacitance change between the device backplate and the skin. Infrared proximity sensor: detects the distance between the device and human skin, and determines that the device has detached when the distance exceeds a preset threshold; Temperature sensor monitoring: Detects whether the temperature of the contact surface of the device is within the normal human body temperature range (e.g., 32℃-37℃).
[0053] Option C: Multi-sensor fusion judgment: By integrating data from biosensors, wearable sensors, and inertial sensors (accelerometers, gyroscopes), a decision-making algorithm is used to determine the device's status. For example, if the accelerometer detects vigorous movement but the biosignal remains absent, combining this with an infrared sensor to determine detachment can improve detection accuracy.
[0054] Key protection measures may include: immediate key destruction: upon determining that the device has been removed from the human body, the security unit immediately performs an erasure operation, permanently deleting the stored biometric key. This solution is suitable for scenarios with extremely high security requirements, ensuring that the device cannot continue to use the original key under any circumstances. After being worn again, the user needs to re-perform the initial binding process.
[0055] Key Locking and Temporary Storage: The device marks the biometric key as "locked," and the key data remains in the secure unit but cannot be used for signing operations. When the device re-detects valid biometric data and passes liveness verification, the system automatically unlocks the key and restores payment functionality. This solution balances security and convenience, avoiding frequent user re-registration.
[0056] Key-derivation locking: when the device detects that it has been removed from the body, it does not destroy the key itself but destroys or locks the key-derivation factors used to derive the key, while the fuzzy extractor's auxiliary data is retained. After the device is put back on, it re-collects biometrics and reconstructs the key from the retained auxiliary data; if reconstruction succeeds, the original key is recovered.
[0057] Taking a user wearing a smartwatch as an example: In a normal usage scenario, the user wears the watch on their wrist. The PPG sensor on the back of the device continuously collects pulse wave signals. The signal quality is stable, and the heart rate fluctuates within a normal range. The device is in an "activated" state, and the biometric key is available in the secure unit.
[0058] Device detachment detection scenario: the user removes the watch and places it on a table while asleep. The device's built-in infrared proximity sensor detects a distance of more than 5 mm from the skin, and the PPG sensor fails to detect a valid pulse wave signal for 10 consecutive seconds (signal-to-noise ratio below the threshold). The multi-sensor fusion algorithm determines that the device has been detached from the human body. According to the preset strategy (here, the key-locking strategy of paragraph [0055]), the device marks the biometric key as "locked": it stays in the secure unit but cannot be used to generate payment tokens.
[0059] Re-wearing and recovery scenario: The user wears the watch again the following morning. The device detects the infrared sensor signal indicating it is close to the skin, and the PPG sensor begins to collect a stable pulse wave signal. The device automatically collects the current biometric data, calls the fuzzy extractor's reconstruction algorithm, and combines it with stored auxiliary data to successfully reconstruct the same biometric key as in the initialization phase. The security unit updates the key's status from "locked" to "available," and the device resumes payment functionality.
[0060] If the immediate-destruction strategy of paragraph [0054] is selected instead, the device erases the biometric key as soon as detachment is detected. When the user wears the device again, the initialization process must be repeated: biometric data is collected, a new biometric key and new auxiliary data are generated by the fuzzy extractor, and the device binding is re-completed.
[0061] By using live biometric features such as electrocardiogram (ECG) signals or photoplethysmography (PPG) waves as the sole entropy source for key generation, a cryptographically enforced binding between the user terminal device and the legitimate user is achieved. This prevents any device detached from the human body from generating a valid payment token, fundamentally eliminating the risk of fund theft after device loss or theft. Employing a multi-layered detachment detection mechanism (signal quality monitoring, wearable sensor assistance, and multi-sensor fusion), the system can accurately identify whether the device is in a normal wearing state in various complex scenarios, avoiding misjudgments caused by brief sensor malfunctions or motion artifacts. Simultaneously, it provides multiple key protection strategies (immediate destruction, temporary locking, and derived locking), allowing the system to be flexibly configured according to security level requirements and user experience needs, minimizing the cumbersome process of repeated user registration while ensuring fund security. Furthermore, all biometric processing and key management are completed within the device's local security unit; raw biometric data does not need to be uploaded to the cloud or access gates, fully protecting the user's sensitive biometric privacy information.
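The detachment detection and key-state handling of paragraphs [0051] to [0060], as an added example that is not the patent's code: one fused sensor sample per second drives a fusion rule (biosignal valid and wear sensors in agreement) and a key state machine with run-length hysteresis, so a single noisy sample does not lock the key ([0061]) while a sustained loss of signal does. The infrared limit of 5 mm, the 10 s run and the 30 to 220 bpm range are the page's figures; the SNR threshold, the three-sample re-wear check and all names are assumptions, and the fuzzy-extractor reconstruction itself is modelled only by its outcome (Locked becomes Available).

```go
package main

import "errors"

// Sample is one fused one-second reading from the wearable (a constructed input; field names, units and
// uncited thresholds are assumptions of this example).
type Sample struct {
	PPGSNR   float64 // dB; below SNRMin counts as invalid acquisition ([0051])
	HeartBPM float64 // outside [30, 220] counts as a signal abnormality ([0051])
	IRmm     float64 // infrared distance to skin; above IRMax means detached ([0052], [0058])
	TempC    float64 // contact temperature; outside [32, 37] means the backplate is not on skin ([0052])
}

const (
	SNRMin      = 10.0 // assumed
	IRMax       = 5.0  // [0058]
	DetachAfter = 10   // consecutive invalid samples before acting ([0058]: 10 s without valid PPG)
	RewearAfter = 3    // consecutive valid samples accepted as liveness before unlocking (assumed)
)

// OnBody is the multi-sensor fusion rule of [0053]: the biosignal must be valid AND the wear sensors agree.
func OnBody(s Sample) bool {
	bio := s.PPGSNR >= SNRMin && s.HeartBPM >= 30 && s.HeartBPM <= 220
	return bio && s.IRmm <= IRMax && s.TempC >= 32 && s.TempC <= 37
}

type KeyState int

const (
	Available KeyState = iota // key usable for signing
	Locked                    // [0055]: key retained in the secure unit but unusable
	Destroyed                 // [0054]: key erased; the initial binding must be repeated
)

var ErrKeyUnusable = errors.New("biometric key locked or destroyed")

// Wearable holds the key state machine; DestroyOnDetach selects the immediate-destruction strategy.
type Wearable struct {
	State           KeyState
	DestroyOnDetach bool
	bad, good       int // run lengths giving hysteresis against brief artifacts ([0061])
}

// Feed consumes one sample and returns the new key state.
func (w *Wearable) Feed(s Sample) KeyState {
	if !OnBody(s) {
		w.good = 0
		w.bad++
		if w.bad >= DetachAfter && w.State == Available {
			if w.DestroyOnDetach {
				w.State = Destroyed
			} else {
				w.State = Locked
			}
		}
		return w.State
	}
	w.bad = 0
	w.good++
	// [0059]: sustained valid biometrics let the fuzzy extractor reconstruct the key from the retained
	// auxiliary data and unlock it. A destroyed key stays destroyed until the user re-enrols ([0060]).
	if w.State == Locked && w.good >= RewearAfter {
		w.State = Available
	}
	return w.State
}

// CanSign is what the token generator consults before using the key ([0061]).
func (w *Wearable) CanSign() error {
	if w.State != Available {
		return ErrKeyUnusable
	}
	return nil
}

// Reenrol models repeating the initial binding after destruction ([0060]).
func (w *Wearable) Reenrol() { w.State, w.bad, w.good = Available, 0, 0 }
```

The run counters are the point: a motion artifact that invalidates one sample resets nothing permanent, whereas a watch left on a table crosses DetachAfter and the key becomes unusable before any token can be signed.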
[0062] Optionally, the step of generating a signature payment token based on a lightweight signature algorithm, using the biometric key, pre-stored gate public key, user virtual identity identifier, current timestamp, and anti-replay random number, includes: using the biometric key as the sender's private key and the pre-stored gate public key as the receiver's public key, a lightweight signcryption algorithm based on hyperelliptic curve cryptography is applied to the message body containing the user's virtual identity identifier, the current timestamp, and the anti-replay random number, generating a signed ciphertext that serves as the signature payment token.
[0063] Specifically, in this invention, the signature payment token is generated by a lightweight signcryption algorithm built on hyperelliptic curve cryptography. It combines five core elements, namely the biometric key, the gate public key, the user virtual identity identifier, the current timestamp and the anti-replay random number, and completes the digital signature and the data encryption in a single cryptographic operation, producing a signed-and-encrypted text that provides both identity authentication and confidentiality as the payment token.
[0064] Here the biometric key is generated by the user terminal device itself and serves as the sender's signing private key; the gate public key is pre-issued by the rail transit system, stored in the user terminal device, and serves as the recipient's encryption public key; the user virtual identity identifier is an anonymized unique user identifier by which the gate identifies the user; the current timestamp is the system time at which the token was generated and is used for timeliness verification; and the anti-replay random number is a random value generated by the user terminal device so that every token is unique.
[0065] The message body m is composed of the last three of these parameters: the user virtual identity identifier, the current timestamp and the anti-replay random number.
[0066] Hyperelliptic curve cryptography (HECC) is a generalization of elliptic curve cryptography to curves of higher genus. HECC is based on the discrete logarithm problem in the Jacobian group of the hyperelliptic curve and offers security comparable to elliptic curve cryptography. A genus-g curve reaches the same group order, and therefore the same security level, over a finite field about g times smaller than an elliptic curve needs, so field elements and field arithmetic are shorter, which is what makes HECC attractive for resource-constrained wearable devices. (The secret scalar has the same length as the group order in either case; the saving is in field-element size and in the representation of group elements, not in the length of the private scalar.)
[0067] Curve parameter definitions include: a finite field of size q (q a large prime or a power of 2); the hyperelliptic curve C over that field, given by its curve equation and defining polynomials; the Jacobian group of C (its divisor class group), which serves as the algebraic structure for the cryptographic operations; a base point D of large prime order n; and the system master public/private key pair (generated and distributed by the rail transit operating system during the initialization phase).
[0068] In some embodiments, as shown in Figure 2, the signcryption algorithm is implemented as follows. Step 1, temporary key pair generation: the user terminal device randomly selects a temporary private key r and computes the temporary public key R = rD by scalar multiplication in the Jacobian group. The temporary key pair provides forward secrecy and makes every token unique.
[0069] Step 2, shared key calculation: from the recipient's (gate's) public key and the temporary private key r, the device computes the shared key point Q as the scalar multiple of the gate public key by r. Only the sender and the gate holding the corresponding private key can compute this point.
[0070] Step 3, key derivation: the coordinates of the shared key point Q (or their compressed representation) are input to a key derivation function KDF to produce a symmetric encryption key and, if needed, a MAC key. The KDF may be hash-based, HMAC-based, or block-cipher-based (for example, AES in counter mode generating key material).
[0071] Step 4, message encryption: the derived symmetric key encrypts the message body m to obtain the ciphertext c. The encryption algorithm may be AES-GCM (providing encryption and integrity protection together), AES-CTR with an independent MAC (such as HMAC), or a lightweight block cipher (such as PRESENT or SPECK) for devices with very limited computing power.
[0072] Step 5, signature generation: using the sender's private key (the biometric key) together with the temporary private key r, the device signs the relevant parameters. A typical implementation first computes a hash value with a cryptographic hash function H and then derives the signature s from it.
[0073] Step 6, assembly of the signcrypted message: the results above (the temporary public key, the ciphertext and the signature) are combined into the final ciphertext, which is output as the signature payment token.
[0074] Taking a certain city's rail transit system as an example: the operating system selects a hyperelliptic curve of genus g = 2 defined over a 256-bit prime field GF(p) (the Jacobian of a genus-2 curve over a 256-bit field has order close to 2^512, so this choice is conservative compared with a 256-bit elliptic curve). The process involves generating a master key pair and assigning a unique public/private key pair to each gate. The gate public keys and security parameters are pre-loaded into the user's smartwatch. Each gate's private key is stored securely by the gate itself and is never disclosed; it is used to decrypt received signature payment tokens and verify their signatures.
[0075] User registration: after the user completes biometric binding via the watch, the biometric key and the gate public key are stored in the watch's secure unit.
[0076] Token generation (before the user approaches the gate): the watch generates the current timestamp and the anti-replay random number and assembles the message body m from the virtual identity identifier, the timestamp and the random number; it randomly selects a temporary private key r and computes the temporary public key R = rD; it computes the shared key point Q from r and the gate public key; it derives an AES-128 key from Q with HKDF; it encrypts m with AES-GCM to obtain the ciphertext c; and it computes the hash value and the signature s.
[0077] The output ciphertext, consisting of the temporary public key, the ciphertext c and the signature s, is the signature payment token.
[0078] Once pre-computed, the token is held temporarily in the watch's buffer and is sent over the human body communication link when the user touches the gate. Because each gate has its own key pair ([0074]), a pre-computed token is bound to the gate public key used to encrypt it, so pre-computation presumes the terminal knows, or holds the key of, the gate it will touch; and the timestamp inside a buffered token must still fall within the gate's validity window at the moment it is finally sent.
[0079] By employing a lightweight signcryption algorithm based on hyperelliptic curve cryptography, the biometric key, the gate public key and the payment-related parameters are combined so that identity signing and data encryption are completed in a single cryptographic operation, significantly reducing the computational overhead and the number of communication round trips of the wearable device. This allows payment token generation and verification to complete within milliseconds, meeting the high-throughput, low-latency requirements of rail transit. Hyperelliptic curve cryptography works over smaller fields for the same security strength, saving limited secure storage on the user terminal and reducing the amount of data carried over the human body communication link, thus improving its transmission efficiency. Furthermore, because the biometric key is used directly as the signing private key, the algorithm cryptographically binds the user's liveness to the payment token: a device that cannot reconstruct a legitimate biometric key cannot generate a valid token, which removes the risk of misuse after device loss. The temporary private key and the shared key ensure that even when the same user passes through the gate repeatedly, each payment token is unique and unlinkable to an eavesdropper on the channel (the gate itself still recovers the virtual identity identifier after decryption), which protects the user's privacy from third parties. Finally, the signcryption algorithm offers several parameter and implementation choices (curve type, hash function, encryption mode, protocol framework, etc.), so the system can be configured according to the required security level, device computing power and compliance needs.
[0080] Optionally, the turnstile is also used for: Detect whether the user is in the access area and record the proximity timestamp; When the user's body part touches the sensing electrode of the gate, the change in charge that conforms to the characteristics of live capacitance is detected, the touch timestamp is recorded, and the contact duration is monitored. Calculate the timing difference between the touch timestamp and the proximity timestamp; If the timing difference is less than or equal to the first preset threshold and the contact duration is greater than or equal to the second preset threshold, it is determined to be a valid touch behavior, triggering the wake-up of the user terminal device. Otherwise, it is judged as invalid interference, and wake-up and data transmission are not triggered.
[0081] Specifically, in this invention, to further improve the accuracy and anti-interference capability of the seamless passage experience, an intent recognition step can be optionally introduced. That is, the gate performs time-series and stability dual verification on the user's approach behavior and touch behavior, accurately distinguishing the user's real passage intent from accidental unintentional touch, and triggering the wake-up of the user terminal device and data transmission only when it is confirmed as a valid touch.
[0082] The turnstile has a built-in proximity sensor (such as an infrared proximity sensor, ultrasonic sensor, or laser rangefinder) that continuously monitors a preset passage area in front of the turnstile (e.g., within 30 cm to 50 cm directly in front of it). When a user enters this area, the proximity sensor is triggered and the turnstile control system records the current system time as the proximity timestamp, marking the user as having entered a waiting state. This step filters for users who genuinely intend to pass and eliminates interference from unrelated people further away.
[0083] The turnstile's sensing electrode plate (usually located on the side or top of the turnstile entrance, made of metal) remains in a low-level detection state to monitor changes in charge. Human skin has unique capacitance characteristics (living capacitance); when a user's body part (finger, palm, back of hand, elbow, etc.) touches the electrode plate, it triggers a detectable change in charge. The charge detection circuit within the turnstile captures this change and records the current system time as a touch timestamp. At the same time, a microsecond-level timer is started to continuously monitor the duration D of the contact, that is, the length of time from the occurrence of contact to the departure (or continuous monitoring after the signal stabilizes).
[0084] The gate computes the difference between the touch timestamp and the proximity timestamp and compares it with the first preset threshold (for example, 2 seconds). If the difference exceeds the threshold, the user lingered for an extended time after entering the area before touching; if the touch was detected before any proximity event (for example, the electrode was touched directly from the side), no valid approach preceded it. In either case the touch is deemed an invalid intent.
[0085] If the difference is within the threshold, the gate proceeds to the contact-duration determination.
[0086] The monitored contact duration D is compared with a second preset threshold (for example, 50 ms). If D is below the threshold, the contact was extremely brief, possibly an unintentional scratch by the user or a collision with a foreign object, and it is determined to be invalid interference.
[0087] If D reaches or exceeds the threshold, the user consciously and steadily touched the sensing electrode, and the touch is deemed a valid touch action.
[0088] Once a valid touch is detected, the gate immediately sends a wake-up signal to the user's terminal device via reverse excitation, such as through a human body communication link, or triggers the device's human body communication module to wake up through a change in the charge of the sensing electrodes (e.g., the device wakes up itself upon detecting a change in the human body communication carrier signal). Subsequently, the device executes the token sending process to complete the contactless access payment.
[0089] If any of the above conditions are not met, it is determined to be invalid interference, and no wake-up or data transmission is triggered. The gate continues to remain in standby detection state, and abnormal events can be recorded for subsequent analysis (such as statistical analysis of false trigger frequency).
[0090] Take a subway station during the morning rush hour as an example: passenger Xiao Li, pulling his suitcase, enters the area 30 cm in front of the turnstile, and the proximity sensor detects him and records the proximity timestamp. Xiao Li then naturally reaches out and touches the gate's sensing electrode with his palm; the moment of contact is recorded as the touch timestamp and the contact duration is measured. The gate compares the difference between the two timestamps with the first threshold and the contact duration with the second threshold; both conditions are satisfied, so the touch is deemed valid, the watch is woken, the payment token is sent, and the gate opens.
[0091] By introducing a dual determination mechanism of proximity-touch timing verification and contact duration, the system achieves accurate identification of user passage intentions, effectively distinguishing between genuine passage behavior and accidental unintentional touches (such as body scraping, luggage collisions, children playing, etc.), significantly reducing the false triggering rate of the turnstiles and avoiding disorder and security risks caused by accidental gate opening. At the same time, by setting a timing difference threshold, abnormal passage behaviors such as entering from the side or touching after prolonged lingering are eliminated, further improving the reliability of the system. Touch detection using liveness capacitance characteristics ensures that only human skin contact can be recognized, eliminating interference from non-living objects (such as umbrellas, backpacks). The optional configuration of multiple sensor types and determination strategies allows the system to flexibly adapt to different station environments, passenger flow densities, and security level requirements, providing passengers with a stable, smooth, and seamless passage experience, while providing operators with adjustable and refined control methods, balancing passage efficiency and system security.
[0092] Optionally, the step of performing an unsigncryption operation on the signature payment token based on a preset gate private key, and controlling the gate to open after the token has been verified, includes: the signature payment token is decrypted with the preset gate private key and the current timestamp and the anti-replay random number are extracted; a timeliness check is performed on the current timestamp to determine whether it lies within a preset time window; the uniqueness of the anti-replay random number is checked by querying whether the same random number already exists in the local cache, and if it does, the token is judged a replay attack; the legitimacy of the decrypted user virtual identity is verified; and if all checks pass, the gate is opened.
[0093] Specifically, after receiving the signature payment token sent by the user terminal device through human body communication, the gate performs a strict unsigncryption operation and multi-dimensional verification to ensure the authenticity, integrity and timeliness of the token. The gate opens to allow the passenger to pass only after all verifications have passed.
[0094] The gate's built-in edge computing gateway receives the signature payment token and first invokes the gate private key, pre-stored in its security module, to perform the unsigncryption operation. Unsigncryption is the inverse of signcryption and completes decryption and signature verification in a single operation. Shared key recovery: using the gate private key, the gate computes the shared key point Q from the temporary public key R carried in the token. Because R = rD (D is the base point) and the gate public key is the gate private key times D, the gate private key times R equals r times the gate public key, which is exactly the shared key point computed on the user's side.
[0095] Key derivation: the coordinates of the shared key point Q are input to the same key derivation function KDF used by the user terminal to recover the symmetric decryption key.
[0096] Ciphertext decryption: the recovered symmetric key is used to decrypt the ciphertext portion c and recover the original message body m.
[0097] Signature verification: based on the recovered message body m, the temporary public key R and the system parameters, the gate verifies the signature s, confirming that the token was issued by the holder of a legitimate biometric key, that it was generated by the user's terminal device, and that it has not been tampered with. If signature verification fails, passage is denied directly.
[0098] After successful decryption, the gate extracts three core elements from the message body: the user's virtual identity identifier. Current timestamp and replay-protected random numbers This is for subsequent verification purposes.
[0099] Timeliness verification (timestamp verification): the turnstile compares the extracted timestamp with its current system time, computes the time difference, and checks whether the difference lies within the preset time window W (for example, W = 5 minutes). If the difference does not exceed W, the token is within its validity period and has not expired, and the check passes.
[0100] If the difference exceeds W, the token has expired and is deemed invalid; passage is denied and an error is recorded.
[0101] This verification prevents attackers from intercepting old tokens and replaying them at a later time.
[0102] Uniqueness check (random number replay prevention): the gate maintains a local cache (such as Redis, an in-memory database, or a hash table) recording the anti-replay random numbers used within a recent period, which must cover at least the time window W. For the currently extracted random number, the gate checks whether the same value already exists in the cache.
[0103] If it does not exist, it means that the token is being used for the first time. The random number is added to the cache and the verification passes.
[0104] If the token already exists, it means that the token has been used, which is considered a replay attack. Passage is denied and an alarm is triggered.
[0105] This verification ensures that each token can only be used once, so even if an attacker intercepts and replays the same token in a very short time, they will not be able to pass through the gate.
[0106] Identity verification: the turnstile performs validity verification on the decrypted user virtual identity. Blacklist verification: query whether this identifier has been reported lost, frozen, or blacklisted; if so, refuse passage.
[0107] Account status verification: Optionally, if the gate has network connectivity or caches account status information, it can verify whether the user's account balance is sufficient and whether it is in a normal state (not in arrears, not cancelled).
[0108] Permission verification: Verify whether the user has permission to access the current site and at the current time (e.g., some sites only allow access to specific user groups).
[0109] If the identity verification is successful, the user is confirmed as a legitimate user.
[0110] Only after all the above verifications (signature verification, timeliness verification, uniqueness verification, and identity legitimacy verification) pass will the gate's edge computing gateway send an opening command to the actuator, controlling the gate to open and allow passengers to pass. The entire verification process is completed within milliseconds, ensuring seamless passage for passengers.
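The token construction of [0068] to [0078] and the gate-side unsigncryption and checks of [0092] to [0110], as an added example that is not the patent's code. X25519 key agreement, Ed25519 signing and AES-GCM stand in for the hyperelliptic-curve signcryption; the gate ties the signature to a per-user verification key recorded at enrolment, since the page does not say how the gate otherwise learns the sender's public key. The 32-byte layout of m, the 300 s window W, the KDF construction and all identifiers are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const W int64 = 300 // gate timestamp window in seconds; [0099] uses 5 minutes as its example

var ErrSig, ErrStale, ErrReplay, ErrIdentity = errors.New("bad ciphertext or signature"),
	errors.New("timestamp outside window W"), errors.New("nonce already used: replay"), errors.New("identity not allowed")

type Message struct { // body m = (VID, T, N); the 32-byte wire layout VID || T || N is an assumption
	VID   [8]byte
	T     int64
	Nonce [16]byte
}

type Token struct{ R, C, S []byte } // R || c || s of [0073]; s covers R || c so R cannot be swapped
func signed(R, c []byte) []byte    { return append(append([]byte{}, R...), c...) }

// kdf is a hash-based KDF over the shared point Q; a fresh ephemeral r per token makes a fixed IV safe.
func kdf(q []byte) (cipher.AEAD, []byte) {
	h := sha256.Sum256(q)
	blk, _ := aes.NewCipher(h[:16])
	gcm, _ := cipher.NewGCM(blk)
	return gcm, h[16:28]
}

// Signcrypt: r random, R = r*G, Q = r*GatePub, c = AES-GCM(KDF(Q), m, AAD=R), s = Sign_bio(R || c).
// bioSeed is the 32-byte biometric key from the fuzzy extractor, used here as the Ed25519 seed.
func Signcrypt(bioSeed []byte, gatePub *ecdh.PublicKey, m Message) (Token, error) {
	r, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Token{}, err
	}
	q, err := r.ECDH(gatePub)
	if err != nil {
		return Token{}, err
	}
	pt := append(binary.BigEndian.AppendUint64(append([]byte{}, m.VID[:]...), uint64(m.T)), m.Nonce[:]...)
	R := r.PublicKey().Bytes()
	gcm, iv := kdf(q)
	c := gcm.Seal(nil, iv, pt, R)
	return Token{R, c, ed25519.Sign(ed25519.NewKeyFromSeed(bioSeed), signed(R, c))}, nil
}

// Gate: private key d, enrolment registry (VID -> verification key: how "holder of a legitimate
// biometric key" is decided), block list, nonce cache (nonce -> token expiry), clock in unix seconds.
type Gate struct {
	Priv     *ecdh.PrivateKey
	Registry map[[8]byte]ed25519.PublicKey
	Blocked  map[[8]byte]bool
	Seen     map[[16]byte]int64
	Now      func() int64
}

// Verify: unsigncryption, then the [0099]-[0109] checks in order (timeliness, uniqueness, identity).
// Returns the VID on success; the caller opens the gate and writes the passage record.
func (g *Gate) Verify(t Token) ([8]byte, error) {
	var m Message
	R, err := ecdh.X25519().NewPublicKey(t.R)
	if err != nil {
		return m.VID, ErrSig
	}
	q, err := g.Priv.ECDH(R) // Q = d*R = d*(r*G) = r*(d*G) = r*GatePub: the sender's shared point
	if err != nil {
		return m.VID, ErrSig
	}
	gcm, iv := kdf(q)
	pt, err := gcm.Open(nil, iv, t.C, t.R) // AAD = R binds the ciphertext to this ephemeral key
	if err != nil || len(pt) != 32 {
		return m.VID, ErrSig
	}
	m.T = int64(binary.BigEndian.Uint64(pt[8:16]))
	copy(m.VID[:], pt[:8])
	copy(m.Nonce[:], pt[16:])
	if pub, ok := g.Registry[m.VID]; !ok || !ed25519.Verify(pub, signed(t.R, t.C), t.S) {
		return m.VID, ErrSig // not issued by the key enrolled for this VID
	}
	now := g.Now()
	if d := now - m.T; d > W || d < -W {
		return m.VID, ErrStale // [0099]: |T_gate - T| <= W
	}
	if exp, dup := g.Seen[m.Nonce]; dup && exp >= now {
		return m.VID, ErrReplay // [0102]-[0104]
	}
	g.Seen[m.Nonce] = m.T + W // once past this, the window rejects the token anyway; entry can be purged
	if g.Blocked[m.VID] {
		return m.VID, ErrIdentity // [0106]: reported lost, frozen or blacklisted
	}
	return m.VID, nil
}
```

Two details matter in practice. The nonce cache stores the token's own expiry (T + W) rather than the time of first use, so a token stamped slightly in the future cannot slip past a cache entry that expired early, and anything older than T + W is already rejected by the timestamp window, which is exactly why [0102] only needs the cache to cover W. The signature is checked against the key enrolled for the decrypted virtual identity, so a token that decrypts correctly under the gate key but was signed by a different device is rejected before any timestamp or nonce state is touched.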
[0111] By constructing a multi-layered and multi-dimensional signature verification system, a comprehensive security review of payment tokens has been achieved, providing a solid security guarantee for seamless passage in rail transit. First, the decryption operation simultaneously completes identity authentication, data integrity verification, and message decryption in a single computation, ensuring both the legitimacy of the token's origin and the confidentiality of its content, while also meeting the gate's millisecond-level processing requirements. Second, timeliness and uniqueness verification form a dual anti-replay mechanism, blocking the unauthorized reuse of tokens from the perspectives of time and usage frequency, effectively resisting common threats such as replay attacks and man-in-the-middle attacks. Third, the verification of the user's virtual identity further links payment behavior with account status, ensuring that only legitimate users can pass through under normal circumstances. In addition, multiple optional implementation methods (such as caching strategies, verification methods, and threshold settings) allow the system to be flexibly configured according to the passenger flow characteristics, security levels, and network conditions of different stations, maximizing passage efficiency while ensuring security. Finally, all verifications are completed locally on the gate's edge computing gateway, without relying on the cloud in real time, reducing the impact of network latency on passage and improving the system's availability in abnormal situations such as network outages, providing passengers with a safe, smooth, and seamless passage experience.
[0112] Optionally, the toll deduction process based on passage records includes: The passage records are decrypted and verified, and funds are deducted and accounts are updated.
[0113] Specifically, after verifying the signed payment token and opening the gate, the turnstile immediately generates a passage record. This record includes at least the user's virtual identity identifier, the passage timestamp, the passage station identifier, and the gate number (GateID), and optionally a unique transaction ID (TransactionID). To ensure data security, the gate encrypts the passage record using a symmetric key shared with the cloud or a cloud public key.
[0114] The turnstile uploads encrypted access records to a cloud-based clearing platform via a secure communication network (such as a private network or VPN). Uploading can be done in real-time or in batches, depending on network conditions and system configuration. To cope with network interruptions, the turnstile has a local cache queue to ensure no records are lost.
[0115] Cloud-based decryption and verification: After receiving the encrypted record, the cloud-based clearing platform uses the corresponding key to decrypt it and recover the original access record. Multiple verification steps are then performed: Integrity verification: Check whether the record has been tampered with (e.g., via MAC or digital signature).
[0116] Association verification: Confirm that the token corresponding to this record has not already been settled (the serial number is used to detect duplicates).
[0117] Account matching: Mapping users' virtual identities to their actual accounts.
[0118] After successful verification, the cloud system deducts the funds, updates the user's account balance, and generates a payment voucher. If the account balance is insufficient, the account is marked as in arrears, and subsequent passage is restricted or the outstanding fare is deducted later. The payment result can be sent asynchronously to the gate or to the user's app.
[0119] Reconciliation and anomaly handling: Regularly reconcile the local records of the turnstiles with the records in the cloud. If discrepancies are found, trigger the anomaly handling process (such as manual verification, supplementary deduction, or refund).
[0120] By decoupling the toll deduction process from the gate opening, asynchronous coordination between access control and fund settlement is achieved, ensuring that passengers can pass instantly after verification without waiting for the toll deduction to be completed. This fundamentally eliminates the impact of network latency or cloud processing bottlenecks on access efficiency. The use of encrypted upload and multi-factor authentication mechanisms ensures the confidentiality, integrity, and non-repudiation of access records during transmission and storage, preventing data tampering or forgery. Diverse upload strategies and anti-duplicate processing methods allow the system to flexibly adjust according to network conditions and operational needs, optimizing resource utilization while ensuring data reliability. Furthermore, the asynchronous toll deduction mechanism provides flexibility for subsequent reconciliation, anomaly handling, and credit management, enhancing the robustness and maintainability of the entire payment system and providing passengers with a fast and secure seamless payment experience.
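As an added illustration of the cloud-side clearing steps just described (not code from the patent), the following Python sketch performs integrity verification, duplicate-settlement checking, account matching, deduction with an arrears mark, and a gate/cloud reconciliation. The HMAC key, record fields, fare and account data are constructed assumptions, and transport decryption is assumed to have already happened at the VPN/private-network layer.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed for this example: the patent does not fix a record encoding or
# MAC algorithm. GATE_MAC_KEY stands in for the symmetric key the gate shares
# with the cloud; the record is integrity-protected with HMAC-SHA256 over its
# canonical JSON form.
GATE_MAC_KEY = b"constructed-gate-cloud-shared-key"
FARE = 300  # fare per passage in the smallest currency unit (constructed)


def canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def gate_upload(record: dict) -> dict:
    """What the turnstile places in its local cache queue and uploads later."""
    tag = hmac.new(GATE_MAC_KEY, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "mac": tag}


@dataclass
class ClearingPlatform:
    accounts: dict                      # real account id -> balance
    identity_map: dict                  # virtual identity (VID) -> account id
    settled: set = field(default_factory=set)    # TransactionIDs already cleared
    arrears: set = field(default_factory=set)    # accounts marked as in arrears
    vouchers: list = field(default_factory=list)

    def settle(self, upload: dict) -> tuple:
        rec, tag = upload["record"], upload["mac"]
        # Integrity verification: reject any record whose MAC does not match.
        expected = hmac.new(GATE_MAC_KEY, canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return ("rejected", "integrity")
        # Association verification: a token is settled at most once, so the
        # TransactionID is checked against the set of already cleared IDs.
        txid = rec["TransactionID"]
        if txid in self.settled:
            return ("duplicate", txid)
        # Account matching: virtual identity -> real account.
        account = self.identity_map.get(rec["VID"])
        if account is None:
            return ("rejected", "unknown identity")
        self.settled.add(txid)
        # Deduction; an insufficient balance marks the account instead.
        if self.accounts[account] < FARE:
            self.arrears.add(account)
            self.vouchers.append({"TransactionID": txid, "account": account, "status": "arrears"})
            return ("arrears", account)
        self.accounts[account] -= FARE
        self.vouchers.append({"TransactionID": txid, "account": account, "status": "paid"})
        return ("paid", self.accounts[account])

    def reconcile(self, gate_local_txids) -> dict:
        """Compare the turnstile's local record list with what the cloud cleared."""
        local = set(gate_local_txids)
        return {"missing_in_cloud": sorted(local - self.settled),
                "missing_at_gate": sorted(self.settled - local)}


def run_demo() -> dict:
    """Constructed batch: a normal passage, the same record uploaded twice
    (cache-queue retry), a record altered after MACing, and an empty account."""
    platform = ClearingPlatform(accounts={"acct-1": 1000, "acct-2": 100},
                                identity_map={"vid-a": "acct-1", "vid-b": "acct-2"})
    base = {"VID": "vid-a", "PassageTimestamp": 1700000000, "StationID": "S01",
            "GateID": "G03", "TransactionID": "tx-0001"}
    normal = gate_upload(base)
    tampered = gate_upload(dict(base, TransactionID="tx-0002"))
    tampered["record"]["VID"] = "vid-b"          # changed after the MAC was computed
    empty = gate_upload(dict(base, VID="vid-b", TransactionID="tx-0003"))
    results = [platform.settle(normal), platform.settle(normal),
               platform.settle(tampered), platform.settle(empty)]
    recon = platform.reconcile(["tx-0001", "tx-0003", "tx-0004"])
    return {"results": results, "balance": platform.accounts["acct-1"],
            "arrears": sorted(platform.arrears), "recon": recon}
```

In the reconciliation output, an ID present at the gate but absent in the cloud is the case that triggers supplementary deduction or manual verification.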
[0121] Optionally, the contactless payment method for rail transit based on human body communication further includes: When a user binds multiple user terminal devices, any one of the user terminal devices is determined as the master device, which is used to generate and send the signature payment token; The remaining user terminal devices are marked as auxiliary devices and do not participate in the generation and transmission of the signature payment token when the main device is working normally.
[0122] Specifically, in practical applications, users may simultaneously own multiple terminal devices that support human body communication (such as smartwatches, bracelets, rings, etc.). To avoid command conflicts, duplicate charges, or gate processing chaos caused by multiple devices responding simultaneously when passing through the gate, a master device designation mechanism is introduced: When users register for the first time or add devices subsequently, they can bind multiple devices to the same account through a mobile app or gate access interface. The cloud clearing platform records a list of all bound devices under that account and their unique identifiers (such as device ID, public key fingerprint, etc.).
[0123] During the binding process, or at any later time, the user is guided to designate one of the already bound devices as the "primary gate device." The designation method can be: 1. Manual selection by the user in the app. 2. Automatic recommendation based on device type and usage frequency (e.g., prioritizing watches over wristbands). 3. Temporary designation by the user at the gate via a specific operation (e.g., double-tapping).
[0124] The cloud will mark the designated primary device as the "primary device" and the remaining devices as "auxiliary devices". This role information can be synchronized to the local storage of all devices, or dynamically distributed by the cloud each time a device passes through the gate.
[0125] When a user touches the gate, all active bound devices may be woken up. To eliminate conflicts, one of the following strategies is employed: Master device priority: all devices are woken up, but an auxiliary device automatically remains silent and does not send a payment token when it detects the presence of the master device; only the master device sends its token.
[0126] Token priority: If multiple devices send tokens at the same time, the gate can use the device priority field in the token to accept the master device's token (the master device has the higher priority) and reject the others.
[0127] Cloud-based decision-making: The gate uploads multiple tokens to the cloud. The cloud selects the valid token based on the master device's markings and notifies the gate of the processing result (this method has a significant delay and is not recommended).
[0128] Degradation handling in case of master device failure: If the master device runs out of power, is disconnected from the user, or malfunctions, the auxiliary device can temporarily take over. Takeover conditions include: the master device failing to respond to wake-up calls multiple times consecutively; the master device actively broadcasting its failure status; or the user manually activating the "temporary master device" mode on the auxiliary device.
[0129] Users can change their primary device at any time in the app, and the cloud will update the tag and synchronize it to all devices after the change.
[0130] By introducing multi-device role management and a master device designation mechanism, the system effectively solves the problems of command conflicts and duplicate charges when users have multiple wearable devices simultaneously. It ensures that only one device generates a payment token for each passage, avoiding gate processing chaos and duplicate deductions of user funds. The master device priority strategy guarantees the determinism and stability of the passage process, while the intelligent takeover mechanism of auxiliary devices when the master device fails improves the system's reliability and user experience, preventing passage failure due to a single device malfunction. Multiple designation methods and conflict avoidance schemes provide flexible choices for different user habits and usage scenarios, meeting personalized needs while ensuring system compatibility and scalability. In addition, cloud synchronization and local collaboration of role information ensure the consistency of status between multiple devices, providing technical support for users to seamlessly switch between multiple devices, further enhancing the continuity and reliability of the seamless passage experience.
[0131] Optionally, the signature payment token also includes an emergency flag. When the user terminal device detects an abnormality in the user's health, it sets the emergency flag to an active state. When the gate recognizes the emergency flag after decryption, it opens the gate and sends a location alarm message. The decryption operation is performed locally on the edge computing gateway.
[0132] Specifically, in this application, in order to further enhance passenger safety in rail transit scenarios, an emergency flag may be introduced into the signature payment token, so that when the user terminal device detects an abnormality in the wearer's health, it can actively trigger an emergency response mechanism. Through the local rapid processing of the gate edge computing gateway, automatic gate opening and alarm linkage can be realized in emergency situations, thus buying valuable rescue time for passengers.
[0133] User terminal devices (such as smartwatches, wristbands, etc.) have built-in biosensors that continuously monitor the wearer's physiological parameters, including but not limited to: Heart rate monitoring: The heart rate value is detected in real time through a PPG sensor. When the heart rate is lower than the set lower threshold (e.g., 40 bpm) or higher than the set upper threshold (e.g., 220 bpm), it is determined to be a heart abnormality.
[0134] Heart rate variability analysis: Detects a sudden drop in heart rate variability or abnormal waveforms, suggesting possible arrhythmia.
[0135] Fall detection: Using accelerometer and gyroscope data, combined with algorithms, it can identify whether a user has experienced a violent fall (such as a sudden acceleration impact followed by prolonged stillness).
[0136] Blood oxygen saturation monitoring: When SpO2 is below the safe threshold (e.g., 90%), it indicates an abnormality in the respiratory or circulatory system.
[0137] Multi-sensor fusion: Combining multiple indicators for comprehensive judgment, such as the disappearance of heart rate + fall detection + rest time exceeding the threshold, is judged as a serious abnormality.
[0138] When any one or a combination of the above conditions triggers a health anomaly determination, the user terminal device, while generating the signature payment token, sets the emergency flag in the message body to an active state (e.g., changes the reserved 1-bit flag from the default "0" to "1"). This flag, as part of the message body, is protected by the signature operation together with the other data (user virtual identity, timestamp, random number), ensuring its authenticity and immutability.
[0139] The device follows the normal signature process: using the biometric key as the sender's private key and the gate's public key as the recipient's public key, it performs the signature encryption on the message body, which now includes the emergency flag bit, to generate the signature payment token. The token is sent to the gate via human body communication.
[0140] After receiving the token, the gate immediately performs the decryption operation via its built-in edge computing gateway. Decryption is completed locally, without interaction with the cloud, ensuring a millisecond-level response. Upon successful decryption, the gate extracts the relevant fields from the recovered message body, including the emergency flag. The edge computing gateway then checks this flag: if it is inactive (the default), the regular timeliness, uniqueness, and identity verification process continues.
[0141] If the flag is active, the emergency handling mode is activated immediately.
[0142] In emergency handling mode, the gate edge computing gateway performs the following operations: Unconditional gate opening: Regardless of the user's account status, balance, or even whether identity verification is fully passed (but the token itself must be successfully decrypted to ensure authenticity), an opening command is immediately sent to the gate actuator to ensure that the user can pass through quickly and that rescue is not delayed by gate obstruction.
[0143] Sending location alarm information: The edge computing gateway sends alarm information to the station's intelligent customer service system, control room, or staff handheld terminals via wired or wireless networks (such as the station's internal LAN, 4G / 5G). The alarm information must include at least: the gate number and specific location of the emergency (e.g., "Gate No. 3, Exit B, Station A"); the event timestamp; a user-anonymized identifier (for subsequent association with rescue records to protect privacy); and an optional anomaly type code (e.g., "abnormal heart rate" or "fall").
[0144] Record emergency event logs: Record emergency event details locally for post-event statistics, reconciliation, and optimization of rescue processes.
[0145] Upon receiving an alarm, station staff can quickly proceed to the location of the affected turnstile to provide assistance. Simultaneously, they can notify on-site medical personnel or contact the 120 emergency medical center. If the user subsequently needs to exit the station, other turnstiles, upon recognizing the same user's emergency token (if the token is still valid), will also activate emergency processing mode to ensure unimpeded passage throughout the process.
[0146] By embedding an emergency flag into the signature payment token and utilizing the local processing capabilities of the gate's edge computing gateway, an emergency response mechanism that reacts within seconds to abnormal health scenarios is implemented, providing intelligent protection for the safety of rail transit passengers. First, the multi-dimensional health monitoring of user terminal devices can detect life-threatening emergencies such as cardiac arrest and falls in real time, and automatically trigger emergency procedures when users are unconscious or unable to actively seek help, reflecting the humanistic care of technology. Second, the emergency flag, as part of the signature token, is cryptographically protected, ensuring its authenticity and unforgeability and preventing malicious triggering. Third, the gate edge computing gateway completes unsigncryption and emergency flag recognition locally, without waiting for a cloud response, achieving unconditional gate opening in milliseconds so that the best rescue window is not lost to gate obstruction. At the same time, the instant location alarm information can accurately guide staff to the scene of the incident quickly, significantly improving rescue efficiency. In addition, multiple optional implementation methods (anomaly detection algorithms, flag setting strategies, alarm linkage methods, etc.) allow the system to be flexibly configured according to the passenger flow characteristics, security level, and privacy requirements of different stations, achieving a balance between ensuring passenger safety and protecting personal privacy. Finally, this solution organically integrates the daily contactless payment function with life safety protection in emergency situations, upgrading the rail transit system from a simple means of transportation to a smart travel platform with proactive care capabilities.
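The gate-side branch on the emergency flag, as an added example that is not part of the patent: a device-side anomaly detector using the thresholds given above, and an edge-gateway handler that opens unconditionally and raises a location alarm when an authenticated token carries the flag, or otherwise runs the timeliness, uniqueness and identity checks. The per-user HMAC tag stands in for the signature encryption, and the keys, gate location, time window and stillness threshold are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in: the patent's signature encryption (biometric key as the
# sender's private key, gate public key as the recipient's key) is replaced by
# an HMAC-SHA256 tag under a per-user key the gate can look up by virtual
# identity. What is demonstrated is the gate-side handling AFTER that check.
USER_KEYS = {"vid-a": b"constructed-key-a", "vid-b": b"constructed-key-b"}
GATE_INFO = {"GateID": "G03", "Location": "Gate No. 3, Exit B, Station A"}
TIME_WINDOW = 30          # accepted timestamp skew in seconds (constructed)
FALL_STILL_SECONDS = 10   # stillness after an impact that counts as a fall


def detect_health_anomaly(s: dict):
    """Device side: return an anomaly code, or None when readings are normal."""
    fallen = s["impact"] and s["still_seconds"] >= FALL_STILL_SECONDS
    if s["heart_rate"] is None and fallen:        # multi-sensor fusion
        return "serious anomaly"
    if s["heart_rate"] is not None and not 40 <= s["heart_rate"] <= 220:
        return "abnormal heart rate"
    if s["spo2"] < 90:
        return "low SpO2"
    if fallen:
        return "fall"
    return None


def _tag(key: bytes, body: dict) -> str:
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


def build_token(vid: str, ts: int, nonce: str, anomaly) -> dict:
    """Device side: the 1-bit emergency flag is part of the protected body."""
    body = {"VID": vid, "ts": ts, "nonce": nonce, "emergency": 1 if anomaly else 0}
    return {"body": body, "tag": _tag(USER_KEYS[vid], body)}


class EdgeGateway:
    def __init__(self, active_accounts):
        self.active = set(active_accounts)   # identities allowed to pass
        self.seen_nonces = set()             # local cache for the uniqueness check
        self.alarms = []
        self.event_log = []

    def handle(self, token: dict, now: int) -> dict:
        body = token["body"]
        key = USER_KEYS.get(body["VID"])
        if key is None or not hmac.compare_digest(token["tag"], _tag(key, body)):
            return {"open": False, "reason": "authenticity"}
        if body["emergency"] == 1:
            # Emergency mode: open regardless of account status (the token did
            # authenticate) and send a location alarm with a pseudonymous id.
            alarm = {**GATE_INFO, "ts": now,
                     "anon_id": hashlib.sha256(body["VID"].encode()).hexdigest()[:16]}
            self.alarms.append(alarm)
            self.event_log.append(("emergency", body["nonce"], now))
            return {"open": True, "reason": "emergency", "alarm": alarm}
        if abs(now - body["ts"]) > TIME_WINDOW:
            return {"open": False, "reason": "timeliness"}
        if body["nonce"] in self.seen_nonces:
            return {"open": False, "reason": "replay"}
        if body["VID"] not in self.active:
            return {"open": False, "reason": "identity"}
        self.seen_nonces.add(body["nonce"])
        self.event_log.append(("passage", body["nonce"], now))
        return {"open": True, "reason": "verified"}


def run_demo() -> list:
    """Constructed tokens: normal, replayed, genuine emergency on a frozen
    account, flag flipped after signing, and a stale timestamp."""
    gate = EdgeGateway(active_accounts={"vid-a"})      # vid-b is frozen
    now = 1700000000
    healthy = {"heart_rate": 72, "spo2": 97, "impact": False, "still_seconds": 0}
    collapsed = {"heart_rate": None, "spo2": 85, "impact": True, "still_seconds": 15}
    normal = build_token("vid-a", now, "n1", None)
    emergency = build_token("vid-b", now, "n2", detect_health_anomaly(collapsed))
    forged = build_token("vid-b", now, "n3", None)
    forged["body"]["emergency"] = 1                     # tag no longer matches
    stale = build_token("vid-a", now - 120, "n4", None)
    return [detect_health_anomaly(healthy), detect_health_anomaly(collapsed),
            gate.handle(normal, now)["reason"], gate.handle(normal, now)["reason"],
            gate.handle(emergency, now)["reason"], gate.handle(forged, now)["reason"],
            gate.handle(stale, now)["reason"], len(gate.alarms)]
```

Note that the alarm carries only a hash of the virtual identity, matching the text's requirement for a user-anonymized identifier, and that a token whose flag was altered after signing fails at the authenticity step before the emergency branch is ever reached.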
[0147] Optionally, the step of processing the biometric data based on a fuzzy extractor to generate a biometric key includes: During the initialization phase, first biometric data is collected through the user terminal device as an instance of the biometric data. The fuzzy extractor is used to generate a stable biometric key and auxiliary data, and the auxiliary data is stored publicly in the user terminal device. In subsequent use, second biometric data is collected through the user terminal device as another instance of the biometric data; combined with the auxiliary data, the fuzzy extractor reconstructs the same key as the biometric key.
[0148] Specifically, the phase differentiation mechanism is as follows: In this application, the user terminal device internally maintains a state machine to distinguish between the initialization phase and the subsequent use phase.
[0149] Initialization Phase Determination: When a user first wears the device and actively triggers the registration process through the application, the device is in an "uninitialized" state. The biometric data collected at this time is identified as "first biometric data" and used to execute the Gen algorithm of the fuzzy extractor to generate a biometric key and auxiliary data. After completion, the device status changes to "activated".
[0150] Determination during subsequent use: When the device is in an "activated" state and the wear sensor detects that the device is continuously worn on the human body, each time the user touches the gate to trigger the gate passage process, the device automatically collects the current biometric data and identifies it as "second biometric data" (or the Nth data). At this time, the device calls the Rep algorithm of the fuzzy extractor, combined with the pre-stored auxiliary data, to reconstruct the same biometric key as in the initialization stage.
[0151] Those skilled in the art will understand that the distinction between "first" and "second" is not determined by the content of the biometric data itself, but by the system state and triggering event at the time of collection. Regardless of the number of times the data is collected, as long as the device is in an activated state and is triggered by touching the gate, the collected data belongs to the biometric data of the "subsequent use stage" and is used for reconstruction rather than regenerating the key.
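An added example (not the patent's own construction) of the Gen/Rep phase distinction described above: a code-offset fuzzy extractor built on a repetition code, together with the device state machine that runs Gen on the first sample and Rep on every later one. The feature vector length, code parameters and noise positions are constructed assumptions.

```python
import hashlib
import random

# Constructed code-offset fuzzy extractor for illustration: the patent names
# Gen/Rep but fixes no construction. Each secret bit is protected by a REP-bit
# repetition code, so up to (REP-1)//2 flipped feature bits per block are
# tolerated; a deployment would use a stronger code matched to ECG/PPG noise.
KEY_BITS = 32
REP = 5
FEATURE_LEN = KEY_BITS * REP   # length of the biometric feature vector


def _derive(secret_bits: list) -> bytes:
    # Strong-extractor step: hash the recovered secret into a fixed-size key.
    return hashlib.sha256(bytes(secret_bits)).digest()


def gen(w: list) -> tuple:
    """Gen(w) -> (R, P): key R and public helper data P from feature bits w."""
    rng = random.SystemRandom()
    secret = [rng.getrandbits(1) for _ in range(KEY_BITS)]
    codeword = [b for b in secret for _ in range(REP)]
    helper = [c ^ x for c, x in zip(codeword, w)]   # public; hides the secret
    return _derive(secret), helper


def rep(w2: list, helper: list) -> bytes:
    """Rep(w', P) -> R: majority-decode (w' XOR P) back to the secret bits."""
    noisy_codeword = [x ^ p for x, p in zip(w2, helper)]
    secret = [int(sum(noisy_codeword[i * REP:(i + 1) * REP]) * 2 > REP)
              for i in range(KEY_BITS)]
    return _derive(secret)


class WearableKeyStore:
    """Device-side state machine: the first sample runs Gen, later samples run
    Rep. Only the helper data is persisted; the key is rebuilt on each touch."""

    def __init__(self):
        self.state = "uninitialized"
        self.helper = None

    def on_sample(self, w: list) -> bytes:
        if self.state == "uninitialized":
            key, self.helper = gen(w)        # "first biometric data"
            self.state = "activated"
            return key
        return rep(w, self.helper)           # "second / Nth biometric data"


def constructed_feature(seed: int) -> list:
    """Stand-in for an ECG/PPG feature vector (deterministic, constructed)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(FEATURE_LEN)]


def with_flips(w: list, positions) -> list:
    w = list(w)
    for p in positions:
        w[p] ^= 1
    return w


def run_demo() -> tuple:
    """Registration, then two gate touches: tolerable noise and excessive noise."""
    device = WearableKeyStore()
    enrolled = constructed_feature(7)
    key0 = device.on_sample(enrolled)                             # Gen
    key1 = device.on_sample(with_flips(enrolled, [0, 1, 7, 12]))  # <= 2 flips per block
    key2 = device.on_sample(with_flips(enrolled, [0, 1, 2]))      # 3 flips in block 0
    return device.state, key0 == key1, key0 == key2
```

The third sample shows the failure mode: once a block carries more flips than the code corrects, Rep silently yields a different key, which is why the gate's signature check, not the device, is what ultimately rejects the passage.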
[0152] It should be noted that the information (including but not limited to user device information, user personal information, etc.), data (including but not limited to data used for analysis, data stored, data displayed, etc.) and signals involved in this application are all authorized by the user or fully authorized by all parties. The collection, use and processing of related data must comply with the relevant laws, regulations and standards of the relevant countries and regions, and corresponding operation portals are provided for users to choose to authorize or refuse.
[0153] As shown in Figure 3, an embodiment of the present invention provides a contactless payment system for rail transit based on human body communication. The system is based on a user-worn terminal device that communicates via a wireless body area network, and includes: an acquisition unit, used to acquire the user's biometric data through the user terminal device and process the biometric data based on the fuzzy extractor to generate a biometric key; and a processing unit, used to generate a signed payment token based on a lightweight signature algorithm, according to the biometric key, a pre-stored gate public key, the user's virtual identity identifier, the current timestamp, and an anti-replay random number. When the user's body part touches the gate's sensing electrode, the user terminal device is awakened and sends the signed payment token to the gate via human skin as the transmission medium, modulated by a human body communication protocol. After receiving the signed payment token, the gate performs an unsigncryption (decryption and signature verification) operation on it according to a preset gate private key. After the signed payment token is verified, the gate is opened and the fee is deducted based on the passage record.
[0154] This invention provides a contactless payment device for rail transit based on human body communication, comprising a memory and a processor; the memory is used to store a computer program; the processor is used to implement the contactless payment method for rail transit based on human body communication as described above when the computer program is executed.
[0155] This invention provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it implements the above-described method for contactless payment for rail transit based on human body communication.
[0156] While the present invention has been disclosed above, its scope of protection is not limited thereto. Those skilled in the art can make various changes and modifications without departing from the spirit and scope of the present invention, and all such changes and modifications will fall within the scope of protection of the present invention.
Claims
1. A contactless payment method for rail transit based on human body communication, characterized in that, based on a user-worn user terminal device, the user terminal device communicates using a wireless body area network; the contactless payment method for rail transit based on human body communication includes: the user's biometric data is collected through the user terminal device, and the biometric data is processed based on a fuzzy extractor to generate a biometric key; based on a lightweight signature algorithm, a signature payment token is generated according to the biometric key, the pre-stored gate public key, the user's virtual identity identifier, the current timestamp, and the anti-replay random number; when the user's body parts come into contact with the sensing electrodes of the gate, the user terminal device is activated and sends the signature payment token to the gate after modulation via the human body communication protocol, using human skin as the transmission medium; after receiving the signature payment token, the gate performs an unsigncryption (decryption and signature verification) operation on the signature payment token based on the edge computing gateway in the gate and the preset gate private key; after the signature payment token is verified, the gate is opened and the fee is deducted based on the passage record.
2. The contactless payment method for rail transit based on human body communication according to claim 1, characterized in that, The biometric data includes electrocardiogram (ECG) signals or photoplethysmography (PPG) pulse wave data; when the user terminal device detects that it cannot collect valid biometric data, it automatically destroys or locks the biometric key.
3. The contactless payment method for rail transit based on human body communication according to claim 1, characterized in that, generating the signature payment token based on the lightweight signature encryption algorithm according to the biometric key, the pre-stored gate public key, the user's virtual identity identifier, the current timestamp, and the anti-replay random number includes: using the biometric key as the sender's private key and the pre-stored gate public key as the receiver's public key, a lightweight signature encryption (signcryption) algorithm based on hyperelliptic curve cryptography is used to perform the signature encryption operation on the message body containing the user's virtual identity identifier, the current timestamp, and the anti-replay random number, generating a signature encryption ciphertext as the signature payment token.
4. The contactless payment method for rail transit based on human body communication according to claim 1, characterized in that, The turnstile is also used for: Detect whether the user is in the access area and record the proximity timestamp; When the user's body part touches the sensing electrode of the gate, the change in charge that conforms to the characteristics of live capacitance is detected, the touch timestamp is recorded, and the contact duration is monitored. Calculate the timing difference between the touch timestamp and the proximity timestamp; If the timing difference is less than or equal to the first preset threshold and the contact duration is greater than or equal to the second preset threshold, it is determined to be a valid touch behavior, triggering the wake-up of the user terminal device. Otherwise, it is judged as invalid interference, and wake-up and data transmission are not triggered.
5. The contactless payment method for rail transit based on human body communication according to claim 1, characterized in that, the step of performing an unsigncryption operation on the signature payment token based on the preset gate private key, and controlling the gate to open after the signature payment token has been successfully verified, includes: decrypting the signature payment token according to the preset gate private key and extracting the current timestamp and the anti-replay random number; performing a timeliness check on the current timestamp to determine whether it is within a preset time window; checking the uniqueness of the anti-replay random number by querying whether the same random number already exists in the local cache, and if it exists, determining it to be a replay attack; verifying the legitimacy of the decrypted user virtual identity; and if all checks pass, opening the gate.
6. The contactless payment method for rail transit based on human body communication according to claim 1, characterized in that, The toll deduction process based on passage records includes: The passage records are decrypted and verified, and funds are deducted and accounts are updated.
7. The contactless payment method for rail transit based on human body communication according to claim 1, characterized in that, The contactless payment method for rail transit based on human body communication also includes: When a user binds multiple user terminal devices, any one of the user terminal devices is determined as the master device, which is used to generate and send the signature payment token; The remaining user terminal devices are marked as auxiliary devices and do not participate in the generation and transmission of the signature payment token when the main device is working normally.
8. The contactless payment method for rail transit based on human body communication according to claim 1, characterized in that, The signature payment token also includes an emergency flag; When the user terminal device detects an abnormality in the user's health, it sets the emergency flag to an active state. When the gate recognizes the emergency flag after decryption, it opens the gate and sends a location alarm message. The decryption operation is performed locally on the edge computing gateway.
9. A contactless payment system for rail transit based on human body communication, characterized in that, based on a user-worn user terminal device, the user terminal device communicates using a wireless body area network; the rail transit contactless payment system based on human body communication includes: an acquisition unit, used to acquire the user's biometric data through the user terminal device and process the biometric data based on the fuzzy extractor to generate a biometric key; and a processing unit, used to generate a signed payment token based on a lightweight signature algorithm, according to the biometric key, a pre-stored gate public key, the user's virtual identity identifier, the current timestamp, and an anti-replay random number; when the user's body part touches the gate's sensing electrode, the user terminal device is awakened and sends the signed payment token to the gate via human skin as the transmission medium, modulated by a human body communication protocol; after receiving the signed payment token, the gate performs an unsigncryption (decryption and signature verification) operation on the signed payment token according to a preset gate private key; after the signed payment token is verified, the gate is opened and the fee is deducted based on the passage record.
10. A contactless payment device for rail transit based on human body communication, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the computer program, it implements the rail transit contactless payment method based on human body communication as described in any one of claims 1 to 8.