A full-factorial identity authentication system and method

By integrating a dynamic trust assessment coprocessor and large lexical aggregation technology into a security chip, the problems of data leakage, cross-scenario reuse, and offline verification in existing identity authentication systems are solved, achieving efficient and accurate trust assessment and cross-scenario adaptability.

CN122339701APending Publication Date: 2026-07-03玺链科技有限公司 +4

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
玺链科技有限公司
Filing Date
2026-04-04
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing identity authentication systems suffer from data leakage risks, inability to be reused across scenarios, insufficient offline verification capabilities, inaccurate trust assessment models, and reliance on cloud computing.

Method used

It employs a secure chip for hardware-level organizational information storage, integrates a dynamic trust assessment coprocessor to realize a non-linear trust assessment model, supports offline verification and intelligent services, and achieves cross-scenario universal code through large word aggregation and standardized API.

Benefits of technology

It achieves hardware-level trusted storage, improves the accuracy and real-time performance of trust assessment, supports offline identity authentication, and enhances business efficiency and cross-scenario adaptability.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339701A_ABST
    Figure CN122339701A_ABST
Patent Text Reader

Abstract

This invention discloses a full-element identity authentication system based on chip-level organizational information storage and dynamic trust assessment. It includes a security chip and a standardized API. The standardized API allows the main system to call the security chip's services. The security chip includes: a secure storage area for storing core credentials and field digests of multi-CA certified organizational information; a multi-CA root certificate library for pre-installing digital certificate authority root certificates; a hardware encryption engine for providing hardware-level encryption / decryption and signature verification; a dynamic trust assessment coprocessor for real-time calculation and updating of the trust level of each entity; a large-term aggregation module for aggregating and encapsulating five-digit packet digests, term keys, dynamic trust levels, and timestamps into a single verifiable large term; an offline verifier for verifying electronic signatures or large-term signatures using pre-installed root certificates, returning the verification result and the required field digest; and a communication module for establishing a secure connection with the main system.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of network security technology, specifically relating to an identity authentication system and method. Background Technology

[0002] Currently, organizational information (such as ID card numbers, unified social credit codes, real estate information, village collective membership certificates, and administrative permits) of five types of entities (individuals, families, enterprises, communities / villages, and governments) has become the basic identity asset of the digital society. However, existing identity authentication systems generally have the following shortcomings: First, the organizational information and digital identifiers of these five types of entities are mostly stored centrally on cloud servers or software databases. Once the servers are attacked or data is leaked, it will trigger a large-scale privacy leak risk. Moreover, they are highly dependent on online verification and cannot work in environments without a network or with a weak network (such as confidential institutions, remote rural areas, underground spaces, etc.). Second, the identity authentication systems of different entities (individuals, enterprises, governments, etc.) are independent of each other, and identity credentials are fragmented, making it impossible to form a unified, reusable, and trustworthy identity carrier across scenarios. Third, existing security chips (including ordinary embedded SIM (eSIM) chips, etc.) only provide simple encrypted storage and signature functions, and do not have built-in business rule engines and dynamic trust computing capabilities, making it impossible to independently complete complex offline identity verification and intelligent service triggering.

[0003] In dynamic trust assessment, existing technologies mostly employ static certificates or simple linear weighted models to evaluate the credibility of entities. These models suffer from significant technical flaws: First, the linear decay of trust over time fails to accurately reflect the psychological and legal reality of trust erosion over time; second, they lack multi-dimensional contextual consistency assessments of the operating environment (device fingerprints, geographical location, operating habits, etc.), making it difficult to identify abnormal behavior patterns; third, the linear subtraction mechanism for punishing risk events severely underestimates the cumulative weakening effect of high-frequency, low-risk events on trust levels; fourth, they cannot integrate authoritative third-party data such as external social credit, resulting in a single assessment dimension; and fifth, the weight parameters are mostly statically set, unable to adaptively optimize based on changes in entity behavior. These flaws lead to insufficient real-time performance and accuracy of existing trust assessment models in high-value business scenarios (such as financial lending and government approvals), and the assessment process relies on cloud computing, making it impossible to complete offline within a secure chip.

[0004] It should be noted that the above description of the technical background is only for the purpose of providing a clear and complete explanation of the technical solutions of the present invention and facilitating understanding by those skilled in the art. It should not be assumed that the above technical solutions are known to those skilled in the art simply because they have been described in the background section of this invention. Summary of the Invention

[0005] The purpose of this invention is to overcome the shortcomings of the prior art and provide a full-element identity authentication system and method based on chip-level organizational information storage and dynamic trust assessment.

[0006] This application discloses a full-element identity authentication system based on chip-level organizational information storage and dynamic trust assessment, including a security chip and a standardized application program interface (API). The standardized API allows the main system to call the security chip's services. The security chip includes: a secure storage area divided into multiple independent partitions, each used to store core credentials and field digests of organizational information certified by multiple Certificate Authorities (CAs); a multi-CA root certificate library for pre-installing root certificates of nationally recognized digital certificate authorities; a hardware encryption engine for providing hardware-level encryption / decryption and signature verification; a dynamic trust assessment coprocessor configured to calculate and update the trust level of each entity in real time; a large token aggregation module configured to aggregate and encapsulate the five-digit packet digest, token primary key, dynamic trust level, and timestamp into a single verifiable large token; an offline verifier configured to verify electronic signatures (including electronic seals and electronic signatures) or large token signatures using pre-installed root certificates, returning the verification result and the required field digest; and a communication module for establishing a secure connection with the main system.

[0007] Furthermore, the aforementioned dynamic trust assessment coprocessor employs a nonlinear dynamic trust assessment model to calculate the trust level. This model includes at least one of the following features: using an exponential function to decay the subject's authentication information over time; using a multidimensional context coupling coefficient to comprehensively assess the consistency of the operating environment; using a superlinear logarithmic function to nonlinearly penalize risk events; fusing external social credit collaboration factors through a Bayesian network; and dynamically adjusting the weights of behavioral factors through an online learning algorithm.

[0008] Furthermore, the above nonlinear dynamic trust assessment model can be expressed as:

[0009] (Equation 1)

[0010] In the formula, The overall trust level at the current moment. As the initial authoritative certification benchmark value, It is an exponential time decay factor. This represents the real-time value of the behavioral factor. For dynamic weights of behavioral factors, For context consistency coefficient, It is a composite risk event index. As a risk penalty coefficient, As a social credit coordination factor, For reputation data activity, This is the reputation fusion rate coefficient.

[0011] Furthermore, the aforementioned large tokens can be configured as any of the following forms: string encoding, QR code, or Near Field Communication (NFC) tag, and are bound to the value of the built-in monotonic counter (rpmc) of the aforementioned security chip during generation for offline replay protection.

[0012] Furthermore, the aforementioned security chip also includes an intelligent service triggering unit, which is configured to store modular rule templates, support incremental updates via security update packages, and automatically extract structured fields from large lexical units in response to external commands, driving the output of decision results from large artificial intelligence (AI) models.

[0013] Furthermore, the aforementioned security chip also includes a cross-device synchronization module, which is configured to establish an end-to-end encrypted channel with another security chip after physical contact pairing and biometric verification, synchronizing five-digit packet digests, trust level history, and large word mapping relationships.

[0014] Furthermore, the aforementioned security chip is integrated into an embedded SIM (eSIM) card.

[0015] This application also discloses a full-element identity authentication method based on chip-level organizational information storage and dynamic trust assessment, including the following steps: S1, writing the core credentials and field summaries of the five-digit packet organizational information certified by multiple CAs into the secure storage area of ​​the security chip, and pre-setting multiple CA root certificates; S2, the dynamic trust assessment coprocessor built into the security chip calculates and updates the trust level of each subject in real time; S3, according to user instructions, the security chip aggregates and encapsulates the five-digit packet summary, lexical primary key, trust level, and timestamp into a large lexical, and outputs it as a string, QR code, or NFC tag; S4, the verifier scans the large lexical, and the security chip offline verifies the signature, trust level, validity period, and anti-replay counter. If the threshold is met, it returns verification passed and the required field summary; S5, in response to intelligent service instructions, the security chip automatically extracts the structured fields in the corresponding large lexical according to the pre-set rule template, drives the AI ​​large model to perform inference, and outputs the decision result.

[0016] Furthermore, in step S2, the trust level is calculated in real time using a nonlinear dynamic trust assessment model. This model includes at least one or more mechanisms such as exponential time decay, multidimensional context coupling, superlinear risk penalty, external credit factor fusion, and dynamic weight adjustment.

[0017] Furthermore, the QR code generated in step S3 includes a monotonic counter value. After scanning, the verifier needs to interact with the security chip to check whether the monotonic counter value has been used to prevent replay attacks.

[0018] Furthermore, in step S5, if detailed business data is required and the device is online, the security chip requests data from the cloud through a secure channel and uses the data after verifying that the hash of the returned data matches the digest stored in the security chip.

[0019] The beneficial effects of this invention are as follows.

[0020] First, by storing the multi-CA certified organizational information and digital identifiers of five types of entities—individuals, families, enterprises, communities and villages, and governments—in an independent secure partition of the security chip, hardware-level trusted storage is achieved, and the keys are never exported, fundamentally eliminating the risk of data leakage caused by centralized cloud storage.

[0021] Second, the nonlinear dynamic trust assessment model built into the security chip adopts innovative mechanisms such as exponential time decay, multidimensional contextual consistency coupling, superlinear logarithmic risk penalty, fusion of external social credit collaborative factors, and online weight self-learning. Compared with the existing linear weighted model, it significantly improves the accuracy, real-time performance, and scenario adaptability of trust assessment.

[0022] Third, the security chip has multiple CA root certificates pre-installed and integrates an offline verifier, which can independently complete large-byte signature verification, trust level determination and anti-replay checks without relying on the network, completely solving the identity authentication problem in environments without or with weak network.

[0023] Fourth, through large-scale metaword aggregation and encapsulation and standardized APIs, the five-digit identity credential can be used universally across various scenarios such as government services, financial credit, and enterprise listing. It also supports intelligent services driven by built-in rule templates in the security chip, which greatly improves business efficiency.

[0024] Fifth, it supports encrypted synchronization of physical contact between security chips, enabling seamless identity migration across devices.

[0025] Sixth, the security chip of this invention can be integrated into the eSIM card, seamlessly integrating with existing mobile communication infrastructure, providing a highly feasible product form for large-scale commercial use.

[0026] In summary, the present invention has achieved significant results in terms of security, dynamic evaluation capabilities, offline availability, cross-scenario integration, and product scalability. Attached Figure Description

[0027] Figure 1 This is a schematic diagram of a full-element identity authentication system based on chip-level organizational information storage and dynamic trust assessment in one embodiment of the present invention.

[0028] Figure 2 This is a flowchart of a full-element identity authentication method based on chip-level organizational information storage and dynamic trust assessment in one embodiment of the present invention.

[0029] The reference numerals in the above figures are as follows:

[0030] The system includes an identity authentication system 10, a security chip 100, a secure storage area 200, a multi-CA root certificate library 300, a hardware encryption engine 400, a dynamic trust evaluation coprocessor 500, a large term aggregation module 600, an offline verifier 700, a communication module 800, a standardized API 900, an intelligent service triggering unit 1100, a cross-device synchronization module 1200, and steps S1 to S5. Detailed Implementation

[0031] To better understand this invention, the following embodiments are provided in conjunction with the accompanying drawings. It should be understood that the embodiments of this invention are for illustrative purposes only and not for limiting the invention; the scope of protection of this invention is defined solely by the claims. The embodiments provided are merely preferred embodiments and are not intended to limit the invention in any way. Those skilled in the art can make changes, equivalent substitutions, or modifications based on the content of this invention, resulting in different implementation methods. However, any changes and modifications, or equivalent substitutions, made to the method of this invention without departing from the inventive concept are within the scope of protection of this invention.

[0032] It should be noted that the following detailed descriptions are exemplary and intended to provide further illustration of the invention. Unless otherwise specified, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains.

[0033] It should be noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of exemplary embodiments according to the invention. As used herein, the singular form is intended to include the plural form as well, unless the context clearly indicates otherwise. Furthermore, it should be understood that when the terms “comprising” and / or “including” are used in this specification, they indicate the presence of features, steps, operations, and / or combinations thereof.

[0034] First, please refer to Figure 1 , Figure 1 This is a schematic diagram of a full-element identity authentication system 10 based on chip-level organizational information storage and dynamic trust assessment in an embodiment of the present invention. Figure 1 As shown, the full-element identity authentication system 10 based on chip-level organizational information storage and dynamic trust assessment of the present invention includes a security chip 100 and a standardized API 900.

[0035] The aforementioned security chip 100 includes a secure storage area 200, a multi-CA root certificate library 300, a hardware encryption engine 400, a dynamic trust evaluation coprocessor 500, a large word aggregation module 600, an offline verifier 700, a communication module 800, an intelligent service triggering unit 1100, and a cross-device synchronization module 1200.

[0036] The aforementioned security chip 100 is the hardware carrier of the entire system, serving as an integrated circuit component resistant to tampering and physical attacks. The security chip 100 can exist independently or be integrated into devices such as embedded SIM (eSIM) cards, Bluetooth keys, and mobile phone motherboards. Its function is to provide a secure operating environment, ensuring that internal storage and computing processes are not threatened by external software attacks or physical probes.

[0037] The aforementioned security chip 100 includes the aforementioned security storage area 200, which is divided into at least five independent partitions, each used to store core credentials and field summaries of multi-CA certified personal, family, enterprise, community / village, and government data package organization information.

[0038] It is worth noting that, in one embodiment of the present invention, the aforementioned secure storage area 200 is a physically isolated storage area within the aforementioned secure chip 100, divided into at least five independent partitions. Each partition stores organizational information for a type of entity. The partitions are as follows: Individual Data Package: core personal identity credentials and field summaries (such as ID card number hashes and biometric templates); Family Data Package: family member relationship hashes and shared asset hashes; Enterprise Data Package: unified social credit code hashes and equity structure summaries; Community Data Package: community / village collective organization information hashes and member rights certificates; Government Data Package: government agency information hashes.

[0039] The aforementioned multi-CA root certificate library 300 pre-installs root certificates from nationally recognized digital certificate authorities (CAs), such as the CA of the Ministry of Public Security of the People's Republic of China and the CA of the State Administration for Market Regulation. These root certificates are used for offline verification of the trustworthiness of external electronic signatures or large-byte signatures. In one embodiment of the present invention, without needing to connect to the network to query the CA status, the aforementioned security chip 100 can complete the certificate chain verification locally, which is the basis for realizing offline identity authentication.

[0040] The aforementioned hardware encryption engine 400 supports various cryptographic algorithms to provide hardware-level encryption, decryption, and signature verification. The hardware encryption engine 400 is a dedicated encryption / decryption circuit built into the aforementioned security chip 100, supporting cryptographic algorithms from the State Commercial Cryptography Administration of the People's Republic of China (GB-T 32907-2016 Information Security Technology SM4 Block Cipher Algorithm) and international standard algorithms (SM3 hash cipher algorithm (ISO / IEC 10118-3:2018 Information Security Technology Hash Functions Part 3: Specialized Hash Functions), SM2 / SM9 digital signature algorithm (ISO / IEC 14888-3:2018 Information Security Technology Digital Signatures with Appendix Part 3: Discrete Logarithm-based Mechanisms), asymmetric encryption algorithm RSA, Advanced Encryption Standard (AES), etc.). Its functions include: hardware-level encryption of data stored in the aforementioned secure storage area 200; digital signature of output large tokens; signature verification of received verification requests; and derivation of session keys for communication encryption.

[0041] The aforementioned dynamic trust assessment coprocessor 500 is configured to calculate and update the trust level of each entity in real time. The dynamic trust assessment coprocessor 500 is a dedicated microprocessor integrated within the security chip 100, operating independently of the main CPU. The dynamic trust assessment coprocessor 500 is configured to calculate and update the trust level of each entity in real time and can run the nonlinear dynamic trust assessment model unique to this invention (such as exponential decay, superlinear risk penalty, etc.).

[0042] In one embodiment of the present invention, the trust assessment process is completed within the aforementioned security chip 100, without relying on external networks or cloud servers, ensuring offline availability and rapid response (<50 milliseconds). The real-time updated trust level is bound to large words for the verifier to use in decision-making.

[0043] The aforementioned large lexical aggregation module 600 is configured to aggregate and encapsulate the five-digit packet digest, lexical primary key, dynamic trust level, and timestamp into a single verifiable large lexical. The large lexical aggregation module 600 is responsible for encapsulating multiple identity elements into a single verifiable data structure. The specific aggregation content includes: five-digit packet digest (hash value of each partition); lexical primary key (ID that uniquely identifies the lexical); dynamic trust level (calculated by the aforementioned dynamic trust evaluation coprocessor 500); and timestamp (to prevent replay).

[0044] In one embodiment of the present invention, the above-mentioned large word aggregation module 600 aggregates the five scattered types of identity information into a "large word". Users only need to show a QR code or NFC tag to prove their multiple identity attributes, realizing one code for all purposes.

[0045] It is worth noting that, in one embodiment of the present invention, the aforementioned large token can be configured as any of the following forms: string encoding, QR code, or NFC tag, and is bound to the built-in monotonic counter value of the security chip during generation for offline replay protection. This allows it to adapt to different scenarios such as web pages, offline windows, or near-field communication. Simultaneously, the large token is bound to the built-in monotonic counter value of the security chip 100 during generation. This counter automatically increments each time it is generated and cannot be rolled back. During offline verification, the verifier needs to interact with the security chip to check whether the monotonic counter value has been used, thereby effectively preventing the large token from being intercepted and reused, thus solving the replay attack problem in offline scenarios.

[0046] The aforementioned offline verifier 700 is configured to verify electronic signatures or large-term signatures using a pre-installed root certificate, returning the verification result and the required field digest. The offline verifier 700 is configured to utilize a pre-installed multi-CA root certificate library 300 to verify the following without an internet connection: whether the electronic seal signature presented by a third party is valid; whether the large-term signature is authentic, valid, and meets the trust level requirements. Upon successful verification, only the "verification result" and the field digest required by the business (such as "company name") are returned; the original sensitive data (such as ID card number) remains within the aforementioned security chip 100. This minimizes data disclosure, protects user privacy, and completely eliminates dependence on the network.

[0047] The aforementioned communication module 800 is used to establish a secure connection with the host system (such as HarmonyOS, Android, Windows and other operating systems). The aforementioned communication module 800 can support a variety of physical interfaces, including but not limited to Bluetooth, Near Field Communication (NFC), chip internal bus (serial peripheral interface (SPI), Inter-Integrated Circuit (I2C) and Universal Serial Bus (USB).

[0048] The aforementioned standardized API 900 is used by the main system to call chip services. API 900 is a set of function interfaces for the main system to call, with a unified parameter format and return value specification. Typical APIs include: AUTHENTICATE(): verifies user identity and returns the trust level; EXPORT_TOKEN(): outputs large words (string / QR code / NFC); ​​SERVICE_INVOKE(): calls intelligent services (such as one-click tax filing); SYNC_PEER(): synchronizes data with another security chip; UPDATE_RULE(): updates intelligent service rule templates.

[0049] In one embodiment of the present invention, the aforementioned standardized API 900 enables the security chip 100 of the present invention to be integrated across platforms (HarmonyOS, UnionTech, Windows, iOS, etc.), reducing the development threshold of upper-layer applications and enhancing the scalability of the technology.

[0050] The aforementioned dynamic trust assessment coprocessor 500 uses a nonlinear dynamic trust assessment model to calculate the trust level. This model includes at least one of the following features: using an exponential function to decay the subject's authentication information over time; using a multidimensional context coupling coefficient to comprehensively assess the consistency of the operating environment; using a superlinear logarithmic function to nonlinearly penalize risk events; fusing external social credit collaboration factors through a Bayesian network; and dynamically adjusting the weights of behavioral factors through an online learning algorithm.

[0051] In other words, the aforementioned dynamic trust assessment coprocessor 500 employs a nonlinear dynamic trust assessment model to calculate trust levels. This model includes at least one of the following innovative mechanisms: using an exponential function to decay the subject's authentication information over time, in accordance with the nonlinear loss of trust over time; using multidimensional contextual coupling coefficients to comprehensively assess the consistency of the operating environment (such as device fingerprints, geographical location, operating habits, etc.) to identify abnormal behavior patterns; using a superlinear logarithmic function to nonlinearly penalize risk events, effectively suppressing the chronic erosion of trust levels by high-frequency, low-risk events; integrating external social credit collaboration factors through a Bayesian network to incorporate authoritative third-party data into the local assessment system; and dynamically adjusting the weights of behavioral factors through online learning algorithms, enabling the model to adapt to changes in subject behavior patterns.

[0052] The combination of these mechanisms enables the trust assessment process to be completed offline within the security chip, significantly improving the accuracy, robustness, and adaptability of trust assessment compared to existing linear weighted models. The aforementioned nonlinear dynamic trust assessment model can be expressed as:

[0053] (Equation 1)

[0054] In the formula, The overall trust level at the current moment. As the initial authoritative certification benchmark value, It is an exponential time decay factor. This represents the real-time value of the behavioral factor. For dynamic weights of behavioral factors, For context consistency coefficient, It is a composite risk event index. As a risk penalty coefficient, As a social credit coordination factor, For reputation data activity, This is the reputation fusion rate coefficient.

[0055] In this embodiment, five innovative mechanisms are integrated into a unified mathematical framework that can be engineered. Part One It is through This causes the initial authentication value to decay non-linearly over time, initially rapidly and then gradually, achieving exponential time decay and pass rate. The overall baseline value is modulated, and when the device fingerprint, geographic location, or operating habits are inconsistent with the historical profile, this coefficient will significantly lower the trust level to achieve multi-dimensional contextual coupling. Part Two Superlinear logarithmic risk penalty is achieved when the composite risk event index When the value increases, the penalty term is multiplied by... This demonstrates accelerated growth, effectively curbing the chronic erosion of trust levels by high-frequency, low-risk events. Part Three Bayesian external credit fusion was achieved, in which This represents a social credit coordination factor derived from authoritative third-party data such as central bank credit reporting and public credit platforms. As a fusion strength coefficient, when reputation data activity As the value increases (i.e., the more frequently external data is updated and the higher its reliability), the coefficient approaches 1, allowing external credit factors to fully participate in the evaluation; simultaneously, the weight of behavioral factors in the model... By dynamically adjusting through online learning algorithms, the model can adapt to changes in the subject's behavioral patterns.

[0056] All calculations in this equation are performed within the aforementioned dynamic trust assessment coprocessor 500, without relying on an external network. This achieves true chip-level offline dynamic trust assessment. Compared to the linear weighted model in existing technologies that lacks a unified mathematical expression, this equation provides a precise, reproducible, and engineering-deployable technical specification for the quantitative calculation of trust levels.

[0057] The aforementioned security chip 100 also includes an intelligent service triggering unit 1100, configured to store modular rule templates, supporting incremental updates via security update packages, and automatically extracting structured fields from large lexical units in response to external commands, driving the AI ​​large model to output decision results. In other words, the intelligent service triggering unit 1100 is configured to store modular rule templates, such as data field images for tax declarations and calculation formulas for credit assessments, and supports incremental updates via security update packages signed by a trusted CA, thereby adapting to changes in business rules without replacing the chip. When the main system initiates an intelligent service command (such as "one-click tax filing") via a standardized API, the intelligent service triggering unit 1100 can respond to external commands, automatically extract the required five-fold structured fields from large lexical units, and drive the local or cloud-based AI large model to perform inference, ultimately outputting structured decision results, realizing automated intelligent services driven by built-in rules of the security chip.

[0058] It is worth noting that the aforementioned security chip 100 also includes a cross-device synchronization module 1200, which is configured to establish an end-to-end encrypted channel with another security chip after physical contact pairing and biometric verification, and synchronize five-digit packet digests, trust level history and large word mapping relationships.

[0059] For example, the aforementioned cross-device synchronization module 1200 is configured to establish an end-to-end encrypted channel between the first chip and the second chip after two devices are physically in contact (such as NFC proximity) and the user completes biometric verification (such as fingerprint or facial recognition). This securely synchronizes the five-digit packet digest, trust level history, and large word mapping relationship. After verifying that the data signature is correct, the receiving security chip writes it to the local secure storage area, thereby achieving seamless migration of the user's digital identity when changing devices without having to reapply for authentication from a CA authority. At the same time, the dual protection mechanism of physical contact and biometric verification effectively prevents remote malicious synchronization attacks.

[0060] For example, when user Li changes to a new mobile phone, a seamless migration of digital identity is achieved through secure synchronization between security chips, allowing him to use the one-click tax filing service on his new phone. Li's original phone A has a built-in first chip 100A, and his new phone B has a built-in second chip 100B. Li brings phones A and B together via NFC, and both devices display a pairing code on their screens. After Li confirms the pairing code and completes fingerprint verification, the cross-device synchronization module 1200 of phone A and phone B establish an end-to-end encrypted channel. The security chip 100A of phone A encrypts and synchronizes the five-digit packet digest (personal, family, enterprise, community / village, government), trust level history (recent 30 days' records), and large term mapping table to phone B. After verifying the data signature, the security chip 100B of phone B writes the data to the corresponding partition of the local secure storage area 200. Li can use all digital identity functions on his new phone without needing to reapply for authentication from a CA authority.

[0061] Mr. Li initiated a "one-click tax filing" command on his new mobile phone. The standardized API 900 on mobile phone B received the command and called the SERVICE_INVOKE interface. The intelligent service triggering unit 1100 automatically extracted revenue, tax record summaries from the enterprise data package, personal income summaries from the individual data package, and real estate information summaries from the household data package, based on a pre-set tax rule template. If Mr. Li was online, the security chip 100B requested detailed financial statements from the cloud through a secure channel. After verifying that the hash of the returned data matched the summary stored in the security chip, it drove the cloud-based AI tax model to calculate the tax refund amount. After Mr. Li confirmed, the tax return was directly connected to the tax bureau system, and the filing was completed in 5 minutes.

[0062] Subsequently, the state adjusted the corporate income tax rate, and the State Taxation Administration released a rule update package. Mr. Li downloaded the update package via the app and authorized its import into the aforementioned security chip 100B on his mobile phone B. After the security chip verified the update package signature, the rule template in the aforementioned intelligent service trigger unit 1100 completed an incremental update. The next time he filed his tax return with one click, the security chip automatically applied the new tax rate.

[0063] Please refer to Figure 2 , Figure 2 This is a flowchart of a full-element identity authentication method based on chip-level organizational information storage and dynamic trust assessment, according to an embodiment of the present invention. Figure 2As shown, the above-mentioned full-element identity authentication method based on chip-level organizational information storage and dynamic trust assessment includes the following steps: S1, writing the core credentials and field digests of the five-digit packet organizational information certified by multiple CAs into the secure storage area of ​​the security chip, and pre-setting multiple CA root certificates; S2, the dynamic trust assessment coprocessor built into the security chip calculates and updates the trust level of each subject in real time; S3, according to user instructions, the security chip aggregates and encapsulates the five-digit packet digest, lexical primary key, trust level, and timestamp into a large lexical, and outputs it as a string, QR code, or NFC tag; S4, the verifier scans the large lexical, and the security chip offline verifies the signature, trust level, validity period, and anti-replay counter. If the threshold is met, it returns verification passed and the required field digest; S5, in response to intelligent service instructions, the security chip automatically extracts the structured fields in the corresponding large lexical according to the pre-set rule template, drives the AI ​​large model to perform inference, and outputs the decision result.

[0064] It is worth noting that the trust level in step S2 is calculated in real time using a nonlinear dynamic trust assessment model. This model includes at least one or more mechanisms such as exponential time decay, multidimensional context coupling, superlinear risk penalty, external credit factor fusion, and dynamic weight adjustment.

[0065] The QR code generated in step S3 includes a monotonic counter value. After scanning, the verifier needs to interact with the security chip to check whether the monotonic counter value has been used to prevent replay attacks.

[0066] If detailed business data is required in step S5 and the device is online, the security chip requests data from the cloud through a secure channel and verifies that the hash of the returned data matches the digest stored in the security chip before using it.

[0067] Example 1: Government Services with One-Code Access

[0068] This embodiment describes the specific process by which Mr. Zhang, a citizen, uses a mobile phone equipped with the identity authentication system 10 of this invention to handle the change of a business license at a government service center.

[0069] First, Zhang's mobile phone is equipped with a device integrating the aforementioned security chip 100. The secure storage area 200 of this security chip 100 has been pre-written with data packets (ID card number hash, mobile phone number, biometric template), family data packets (family member relationship hash), and enterprise data packets (unified social credit code hash, legal person information, equity structure summary) certified by the CA of the Ministry of Public Security of the People's Republic of China and the CA of the State Administration for Market Regulation. The aforementioned multi-CA root certificate library 300 has pre-installed root certificates from the CA of the Ministry of Public Security of the People's Republic of China and the CA of the State Administration for Market Regulation.

[0070] Step S1 (Write the five-digit data package): Zhang completes real-name authentication and activation through the government affairs app. The security chip 100 writes the core credentials and field summary of the five-digit data package into the independent partition of the secure storage area 200.

[0071] Step S2 (Dynamic Trust Assessment): The aforementioned dynamic trust assessment coprocessor 500 calculates Zhang's current trust level in real time based on the nonlinear dynamic trust assessment model. Assume an initial authority certification benchmark value... No risk events in the last 30 days ( ), Context consistency coefficient Social credit synergy factor Calculations yielded This trust level is persistently stored in the aforementioned security chip 100.

[0072] Step S3 (Large Term Generation and Output): Mr. Zhang arrives at the government service center window, opens the government service app, and selects "Generate Government Service Code." The aforementioned large term aggregation module 600 aggregates the five-digit package summary, terminology key, current trust level (0.92), timestamp, and current value of the monotonic counter. This data is then signed using the aforementioned hardware encryption engine 400 to generate a large terminology QR code, which is displayed on the phone screen. This QR code is bound to the monotonic counter value and is valid for 30 seconds.

[0073] Step S4 (Offline Authentication): The window staff scans the QR code on Zhang's mobile phone using a scanning device. The communication module 800 receives the verification request, and the offline verifier 700 uses the root certificate in the multi-CA root certificate library 300 to offline verify the large-term signature, validity period, trust level (0.92 ≥ threshold 0.75), and monotonic counter value status (unused). After successful verification, the offline verifier 700 only returns "verification passed" and the enterprise data package field summary (enterprise name, unified social credit code) required for the business. Sensitive data such as the original ID card number does not leave the security chip 100. The window system automatically retrieves the business registration information and completes the business license change within 3 minutes.

[0074] Step S5 (Intelligent Service): If Zhang subsequently initiates the "One-Click Annual Report" command, the aforementioned intelligent service trigger unit 1100 responds to the external command, automatically extracts the revenue and tax record summaries from the enterprise data package from the large terminology, drives the cloud AI large model to fill in the annual report form and submit it, without the need for manual filling throughout the entire process.

[0075] Example 2: Offline Enterprise Credit Investigation and Intelligent Tax Services Integrated into eSIM Card

[0076] This embodiment describes the complete process of Mr. Wang, a business owner in a remote mountainous area, applying for a loan from a bank in an environment without network coverage using a mobile phone with an eSIM card integrated with the security chip 100 of this invention, and using smart tax services when there is network coverage.

[0077] The aforementioned security chip 100 is integrated into an embedded SIM (eSIM) card. In addition to a traditional communication authentication module, the eSIM card also integrates the aforementioned secure storage area 200, a multi-CA root certificate library 300, a hardware encryption engine 400, a dynamic trust assessment coprocessor 500, a large term aggregation module 600, an offline verifier 700, a communication module 800, a standardized API 900, an intelligent service triggering unit 1100, and a cross-device synchronization module 1200.

[0078] Step S1 (Writing the Five Data Packets): When Mr. Wang applies for a new mobile phone number at the telecommunications operator's business hall, he simultaneously activates the digital identity service. The business hall uses a secure terminal to write Mr. Wang's enterprise data packet (unified social credit code hash, tax record summary, environmental penalty record hash, and revenue summary for the past three years), individual data packet (legal person's ID card hash, personal credit summary), family data packet (family member information hash), and community data packet (village collective member certificate hash) into the independent partition of the aforementioned secure storage area 200 of the eSIM card, and pre-installs the root certificates of the State Administration for Market Regulation CA, the Ministry of Public Security of the People's Republic of China CA, and the State Administration of Taxation CA in the aforementioned multi-CA root certificate library 300.

[0079] Step S2 (Dynamic Trust Assessment): The aforementioned dynamic trust assessment coprocessor 500 calculates the enterprise's trust level in real time based on historical operational data. Assume an initial authoritative certification benchmark value. Exponential time decay factor behavioral factor weighted sum Context consistency coefficient (Device fingerprint matching with operating habits), composite risk event index (No negative records), social credit synergy factor (Good ratings from public credit platforms), reputation data activity Reputation fusion rate coefficient Substituting into the nonlinear dynamic trust assessment model:

[0080] (Equation 2)

[0081] Because the model output limit is 1.00, the actual trust level is... (After normalization), this trust level is persistently stored in the aforementioned security chip 100 and marked as "Excellent Taxpayer".

[0082] Step S3 (Large Term Generation and Output): Mr. Wang went to the bank to apply for a loan. Because his business was located in a remote mountainous area, the bank branch had no network signal. Mr. Wang used his mobile phone system to call the EXPORT_TOKEN interface in the aforementioned standardized API 900. The large term aggregation module 600 aggregated the enterprise data package digest (tax record hash, environmental penalty hash), the number package digest (legal person credit hash), the term primary key, the current trust level of 0.95, the timestamp, and the current value of the monotonic counter built into the aforementioned security chip 100. SM2 signing was performed through the aforementioned hardware encryption engine 400 to generate large terms and output them as NFC tags. This NFC tag is bound to the monotonic counter value, and the counter automatically increments each time it is read.

[0083] Step S4 (Offline Authentication): The bank's account manager arrives at the company's location (without any network signal) with a handheld terminal. The handheld terminal reads the large-byte token from Mr. Wang's mobile phone via NFC. The communication module 800 receives the verification request, and the offline verifier 700 uses the root certificate in the multi-CA root certificate library 300 to perform the following offline verifications within the security chip 100: verifying the authenticity of the large-byte token's SM2 signature; checking the validity period of the large-byte token (not expired); determining that the trust level 0.95 ≥ the loan business threshold 0.85; and interacting with the security chip 100 via NFC to check whether the monotonic counter value has been used (confirming first-time use). After all verifications are successful, the offline verifier 700 only returns "verification passed" and the field summary required for the business: summary of the company's tax records (A-level taxpayer for three consecutive years), environmental penalty records (none), and summary of the legal representative's credit information (no bad records). Sensitive data such as the original ID number and specific tax amount are not left within the security chip 100. Based on this, the bank account manager approves a 500,000 yuan credit loan on-site, and the funds are credited immediately.

[0084] Step S5 (Smart Service): After the loan is disbursed, Mr. Wang needs to complete his quarterly tax return. At this point, Mr. Wang returns to a location with network coverage, opens his mobile tax app, and selects "One-Click Tax Filing." The mobile system uses the standardized API 900 to call the SERVICE_INVOKE interface, initiating a smart service command to the security chip 100.

[0085] The aforementioned intelligent service triggering unit 1100 responds to the instruction and automatically performs the following operations based on the pre-set tax rule template (which has been pre-imported via a security update package, including data field mapping: Enterprise Data Package Revenue Field → Tax Return Income Column, Enterprise Data Package Tax Payment Field → Tax Paid Amount Column, Individual Data Package Personal Income Field → Operator Salary Column). Field Extraction: Extracts the current quarter's revenue summary (verified by hash) and tax record summary from the large terms stored in the aforementioned secure storage area 200, as well as the personal income summary from the individual data package. Cloud Collaboration and Hash Verification: Due to the large volume of detailed financial statement data for this quarter, not all of it is stored in the secure chip. The aforementioned secure chip 100 requests detailed revenue data for this quarter from the cloud tax system through a secure channel. The cloud returns data along with a data hash value. The aforementioned secure chip 100 compares the hash value of the returned data with the pre-stored summary within the secure chip to confirm that the data has not been tampered with before using it. AI-driven inference: The aforementioned intelligent service triggering unit 1100 inputs the extracted structured fields (revenue, tax paid, cost deductions, etc.) into the cloud-based AI tax model. This model calculates the amount of tax payable or tax refundable based on the latest tax laws and regulations (which have been synchronized to the rule template of the security chip via a rule update package). Output: The AI ​​model outputs structured decision results—a pre-filled and complete tax return (including detailed calculations).

[0086] After confirming that everything was correct, Mr. Wang submitted the application with one click. The application form was directly connected to the tax bureau's system, and the quarterly declaration was completed within 5 minutes.

[0087] If the national VAT rate is subsequently adjusted, the State Taxation Administration will release a rule update package through official channels. Mr. Wang downloads the update package via the app and authorizes its import into the aforementioned security chip 100. After the security chip 100 verifies the CA signature of the update package, the tax rule template in the aforementioned intelligent service trigger unit 1100 completes an incremental update (only replacing the tax rate parameters and calculation formulas, without affecting other rules). The next time he files a tax return with one click, the security chip 100 automatically applies the new tax rate without requiring chip replacement or a phone system upgrade.

[0088] The core advantage of this invention lies in the fact that by writing the multi-CA certified organizational information and digital identifiers of five types of entities—individuals, families, enterprises, communities / villages, and governments—into the independent secure storage area 200 of the secure chip 100, and combining this with the non-linear dynamic trust assessment coprocessor 500 and the large-byte aggregation module 600 integrated within the secure chip, it achieves for the first time secure chip-level binding and offline aggregation and encapsulation of five-digit identity credentials and dynamic trust levels at the hardware level. This allows users to complete cross-scenario identity verification, trust assessment, and intelligent service triggering through a single large-byte (QR code / NFC tag) without relying on any network connection. This completely solves the fundamental technical problems in existing technologies, such as the privacy leakage risk caused by centralized cloud storage of identity information, the offline failure problem caused by relying on online verification, and the inability to uniformly reuse fragmented multi-entity identities.

[0089] The embodiments of the present invention described above can be implemented in various hardware, software codes, or combinations thereof. For example, embodiments of the present invention can also be program code executing the above methods in a Digital Signal Processor (DSP). The present invention can also relate to various functions executed by a computer processor, digital signal processor, microprocessor, or Field Programmable Gate Array (FPGA). The processor described above can be configured to perform specific tasks according to the present invention, which are accomplished by executing machine-readable software code or firmware code defining the specific methods disclosed in the present invention. The software code or firmware code can be developed into different programming languages ​​and different formats or forms. The software code can also be compiled for different target platforms. However, the different code styles, types, and languages ​​of the software code performing tasks according to the present invention and other types of configuration code do not depart from the spirit and scope of the present invention.

[0090] Therefore, those skilled in the art will recognize that although embodiments of the present invention have been shown and described in detail herein, many other variations or modifications conforming to the principles of the present invention can be directly determined or derived from the disclosure of the present invention without departing from the spirit and scope of the invention. Therefore, the scope of the present invention should be understood and recognized as covering all such other variations or modifications.

Claims

1. A full-element identity authentication system based on chip-level organizational information storage and dynamic trust assessment, comprising a security chip and a standardized API, wherein the standardized API is used by the main system to call the security chip services, and the security chip comprises: A secure storage area is divided into multiple independent partitions, each used to store core credentials and field summaries of organization information authenticated by multiple CAs; One-to-many CA root certificate store is used to pre-configure root certificates of nationally recognized digital certificate authorities; A hardware encryption engine is used to provide hardware-level encryption, decryption, and signature verification. A dynamic trust assessment coprocessor is configured to calculate and update the trust levels of each entity in real time. A large lexicon aggregation module is configured to aggregate and encapsulate five-digit packet summaries, lexicon primary keys, dynamic trust levels, and timestamps into a single verifiable large lexicon; An offline validator is configured to verify digital signatures or large-byte signatures using a pre-configured root certificate, returning the verification result and a digest of the required fields; and A communication module is used to establish a secure connection with the main system.

2. The full-element identity authentication system according to claim 1, characterized in that, The large token is configured as any of the following forms: string encoding, QR code, or NFC tag, and is bound to the built-in monotonic counter value of the security chip during generation.

3. The full-element identity authentication system according to claim 1, characterized in that, The security chip also includes an intelligent service triggering unit, which is configured to store modular rule templates, support incremental updates via security update packages, and automatically extract structured fields from large words in response to external commands, driving the AI ​​large model to output decision results.

4. The full-element identity authentication system according to claim 1, characterized in that, The security chip also includes a cross-device synchronization module, which is configured to establish an end-to-end encrypted channel with another security chip after physical contact pairing and biometric verification, and synchronize five-digit packet digests, trust level history and big-word mapping relationships.

5. The full-element identity authentication system according to claim 1, characterized in that, The security chip is integrated into the embedded SIM card.

6. The full-element identity authentication system according to any one of claims 1 to 5, characterized in that, The dynamic trust assessment coprocessor uses a nonlinear dynamic trust assessment model to calculate the trust level, and the nonlinear dynamic trust assessment model includes at least one of the following features: An exponential function is used to decay the main authentication information over time. The consistency of the operating environment is comprehensively evaluated using multidimensional context coupling coefficients. A superlinear logarithmic function is used to apply nonlinear penalties to risk events; Integrate external social credit factors through Bayesian networks; The weights of behavioral factors are dynamically adjusted through an online learning algorithm.

7. The full-element identity authentication system according to claim 6, characterized in that, The nonlinear dynamic trust assessment model is expressed as follows: In the formula, The overall trust level at the current moment. As the initial authoritative certification benchmark value, It is an exponential time decay factor. This represents the real-time value of the behavioral factor. For dynamic weights of behavioral factors, For context consistency coefficient, It is a composite risk event index. As a risk penalty coefficient, As a social credit coordination factor, For reputation data activity, This is the reputation fusion rate coefficient.

8. A full-element identity authentication method based on chip-level organizational information storage and dynamic trust assessment, comprising the following steps: S1. Write the core credentials and field digests of the five-digit packet organization information certified by multiple CAs into the secure storage area of ​​the security chip, and pre-install the multi-CA root certificate; S2. The dynamic trust assessment coprocessor built into the security chip calculates and updates the trust level of each subject in real time. S3. According to the user's instructions, the security chip aggregates and encapsulates the five-digit packet digest, term key, trust level and timestamp into a large term, and outputs it as a string, QR code or NFC tag; S4. The verifier scans large words and the security chip offline verifies the signature, trust level, validity period and anti-replay monotonic counter. If the threshold is met, the verification is passed and the required field summary is returned. S5 responds to intelligent service commands. The security chip automatically extracts the structured fields from the corresponding large words according to the preset rule template, drives the AI ​​large model to perform inference, and outputs the decision results.

9. The full-element authentication method according to claim 8, characterized in that: In step S2, the trust level is calculated in real time using a nonlinear dynamic trust assessment model. This model includes at least one or more mechanisms such as exponential time decay, multidimensional context coupling, superlinear risk penalty, external credit factor fusion, and dynamic weight adjustment.

10. The full-element authentication method according to claim 8 or 9, characterized in that: The QR code generated in step S3 includes a monotonic counter value. After scanning, the verifier needs to interact with the security chip to check whether the monotonic counter value has been used to prevent replay attacks. In step S5, if detailed business data is required and the device is online, the security chip requests data from the cloud through a secure channel and verifies that the hash of the returned data matches the digest stored in the security chip before using it.