An end-to-end secret state transmission method for distributed energy power data

By constructing an end-to-end encrypted transmission method in a distributed energy system and utilizing hybrid key exchange and the AEAD encryption algorithm, the security and reliability issues in distributed energy power data transmission are solved, achieving efficient and secure data transmission.

CN122394786APending Publication Date: 2026-07-14ECONOMIC TECH RES INST OF STATE GRID HENAN ELECTRIC POWER +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
ECONOMIC TECH RES INST OF STATE GRID HENAN ELECTRIC POWER
Filing Date
2026-04-27
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing technologies for distributed energy power data transmission suffer from several problems, including reliance on edge trust assumptions leading to plaintext exposure risks, difficulty in resisting the long-term threat of quantum computing, lack of anti-replay capability of the business semantic layer, and excessive communication and computing overhead in weak network environments for post-quantum algorithms.

Method used

An end-to-end encrypted transmission method is constructed by establishing an encrypted channel between the energy system terminal and the cloud. The edge gateway only undertakes the functions of encrypted forwarding and protocol adaptation and does not hold any session keys. A hybrid key exchange mechanism is used to generate classical shared secrets and quantum shared secrets to realize encrypted encapsulation and transmission of data plane payload. A hybrid KEM and AEAD encryption algorithm is adopted, combined with a sliding window mechanism and session multiplexing strategy to ensure the security and reliability of data transmission.

Benefits of technology

It completely eliminates the systemic decryption risk of the gateway acting as a plaintext aggregation point, provides long-term security against quantum computing, reduces transmission overhead, improves the real-time performance and reliability of data transmission, and achieves efficient and secure encrypted transmission.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394786A_ABST
    Figure CN122394786A_ABST
Patent Text Reader

Abstract

The application discloses an end-to-end secret state transmission method for distributed energy power data, and relates to the technical field of distributed energy power data transmission.The application strictly converges the trust boundary to the terminal and the cloud by constructing an end-to-end secret state channel, and the edge gateway only undertakes the functions of ciphertext forwarding and protocol adaptation, does not hold any session key, and does not have decryption capability.The method breaks the traditional hop-by-hop decryption mode, completely eliminates the systematic decryption risk of the gateway as a plaintext gathering point, and simultaneously introduces a hybrid key exchange mechanism in the key system construction between the photovoltaic terminal and the cloud, which provides the ability to resist future quantum computation backtracking decryption through quantum shared secret, and ensures the security compatibility with the existing system through classical shared secret, thereby forming a double insurance security barrier, avoiding the combined attack path of near-end plaintext stealing and far-end quantum backtracking, and realizing efficient and secure secret state transmission.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of distributed energy power data transmission technology, and in particular to an end-to-end dense transmission method, system, device and medium for distributed energy power data. Background Technology

[0002] As an important component of various new energy sources, distributed energy systems exhibit significant characteristics in their operation monitoring data, such as wide-area distribution, high-frequency sampling, multi-hop links, and long-term sensitivity. These data (such as power, voltage, and frequency) are not only used for real-time grid connection monitoring but also serve as key evidence for power generation forecasting, dispatching decisions, and electricity market settlement. Unlike traditional closed power SCADA systems, distributed energy power data exhibits more prominent characteristics of wide-area distribution, high-concurrency access, high-frequency reporting, cross-network carrying, and long-term retention. Furthermore, the data often needs to be transmitted across untrusted links such as public networks and cellular networks, making it extremely difficult to control its security boundaries.

[0003] Currently, the main solutions for distributed energy power data transmission include segmented boundary protection and general transport layer security protocols. While segmented boundary protection offers practical convenience in engineering deployment through gateways for protocol adaptation and encryption conversion, its heavy reliance on the assumption of "trustworthy edge aggregation nodes" means that if the gateway, as the plaintext aggregation point, is compromised or infected with malicious code, the exposure of plaintext due to segmented decryption will amplify the single-point risk into a systemic risk. General transport layer security protocols typically aim to establish secure channels using traditional public-key systems such as RSA / ECC to ensure data transmission security. While these traditional public-key-based solutions can guarantee channel confidentiality and bit-level integrity, they face a structural threat of "stealing before decrypting" when facing future quantum computing capabilities.

[0004] To address the issues present in segmented boundary protection schemes and schemes based on general transport layer security protocols, researchers developed a post-quantum TLS migration scheme. This scheme embeds post-quantum algorithms into protocols such as TLS, aiming to resist quantum threats through algorithmic replacement. However, in principle, it still treats each segmented gateway as a convergence point. The gateway is responsible for decrypting terminal data, performing reduction conversion or aggregation, and then re-encrypting and sending it to the cloud using quantum algorithms. In the real-world environment of distributed energy, with massive terminal access and weak network jitter and narrowband transmission, attackers may exploit the decryption capabilities of the gateways in segmented protection, combined with the long-term threat of quantum computing, to form a combined attack path of "near-end plaintext theft + far-end quantum backtracking." Ultimately, this leads to compound attacks on distributed energy power data during transmission, making it difficult to achieve efficient and secure encrypted transmission. Summary of the Invention

[0005] This invention provides an end-to-end dense state transmission method for distributed energy power data, which can solve the problems existing in the prior art.

[0006] This invention provides an end-to-end dense state transmission method for distributed energy power data, comprising the following steps: Collect distributed energy power data from each distributed energy system and store the distributed energy power data in the energy system terminal. The energy system terminal generates a list of hybrid key exchange groups and corresponding hybrid key sharing materials. The cloud selects a group of hybrid keys as authorized hybrid keys, generates the authorized hybrid key sharing materials corresponding to the authorized hybrid keys, and returns the authorized hybrid key sharing materials to the energy system terminal. The hybrid key exchange group includes a classical elliptic curve group and a post-quantum key encapsulation mechanism group. The cloud and the energy system terminal respectively use authorized hybrid key sharing materials to generate classical shared secrets and quantum shared secrets, and respectively combine classical shared secrets and quantum shared secrets into a hybrid shared secret; the energy system terminal and the cloud perform two-way authentication based on their respective pre-set post-quantum cryptography certificates. After authentication, the cloud and the energy system terminal respectively derive session keys for themselves based on the hybrid shared secret; The energy system terminal uses a session key to encapsulate distributed energy power data to generate ciphertext. The encapsulated ciphertext is then forwarded to the cloud via an edge gateway. During the forwarding process, the edge gateway only parses the routing information in the ciphertext for ciphertext transmission, without decrypting the ciphertext or holding the session key. After receiving the ciphertext, the cloud uses the same session key to decrypt it, thereby obtaining the distributed energy power data to achieve end-to-end encrypted transmission.

[0007] Preferably, the certificate signature algorithm of the post-quantum cryptography certificate is ML-DSA; The post-quantum cryptography certificate includes quantum cryptography subject information, as well as the equipment type and manufacturer model in the distributed energy system, the substation and site to which it belongs, the data domains and measurement point sets that can be reported, the maximum certificate validity period, and the policy version number.

[0008] Preferably, the generation of the session key includes: The cloud and energy system terminals respectively generate a session master key, a data encryption key, a random value derived key, a session identifier, and a key version number based on a hybrid shared secret and using key derivation functions, in order to form a session key.

[0009] Preferably, the energy system terminal uses a session key to encapsulate distributed energy power data to generate ciphertext, including: The energy system terminal uses the session key and adopts the AEAD authentication encryption mode with associated data to encrypt the power load in the distributed energy power data into the ciphertext header field, which consists of the device identifier, timestamp, monotonically increasing sequence number and key version number in the distributed energy power data. The AEAD authentication encryption mode with associated data adopts either the AES-GCM algorithm or the ChaCha20-Poly1305 algorithm.

[0010] Preferably, before transmitting the encapsulated ciphertext, the energy system terminal generates a monotonically increasing sequence number based on the current timestamp and maintains a local transmission window; When receiving encrypted text in the cloud, the maximum received sequence number and the receiving status of the sequence number within the window are recorded through a sliding window mechanism, and non-legal encrypted text that exceeds the window or time range is filtered in combination with timestamp thresholds.

[0011] Preferably, the energy system terminal and the cloud perform full lifecycle management of the pre-installed post-quantum cryptography certificates on the energy system terminal and the cloud when the system is offline. The full lifecycle management includes certificate issuance, certificate rotation, certificate revocation, algorithm parameter set configuration, key rotation strategy, audit logs, and event tracking.

[0012] Preferably, the uplink and downlink data in the cloud and the energy system terminal use different encryption keys, which are derived from the session master key through key derivation functions to prevent one-way key leakage.

[0013] This invention also provides an end-to-end dense transmission system for distributed energy power data, comprising: The control plane collects distributed energy power data from each distributed energy system and stores the distributed energy power data in the energy system terminal. The energy system terminal generates a list of hybrid key exchange groups and corresponding hybrid key sharing materials. The cloud selects a group of hybrid keys as authorized hybrid keys, generates the authorized hybrid key sharing materials corresponding to the authorized hybrid keys, and returns the authorized hybrid key sharing materials to the energy system terminal. The hybrid key exchange group includes a classical elliptic curve group and a post-quantum key encapsulation mechanism group. The cloud and the energy system terminal respectively use authorized hybrid key sharing materials to generate classical shared secrets and quantum shared secrets, and respectively combine classical shared secrets and quantum shared secrets into a hybrid shared secret; the energy system terminal and the cloud perform two-way authentication based on their respective pre-set post-quantum cryptography certificates. After authentication, the cloud and the energy system terminal respectively derive session keys for themselves based on the hybrid shared secret; On the data plane, the energy system terminal uses a session key to encapsulate distributed energy power data to generate ciphertext. The encapsulated ciphertext is then forwarded to the cloud via an edge gateway. During the forwarding process, the edge gateway only parses the routing information in the ciphertext for ciphertext transmission, without decrypting the ciphertext transmission or holding the session key. After receiving the ciphertext, the cloud uses the same session key to decrypt it, thereby obtaining the distributed energy power data to achieve end-to-end encrypted transmission.

[0014] This invention also provides an electronic device, including a memory and a processor; The memory is used to store computer programs; When the processor executes the computer program stored in the memory, it implements the steps of the end-to-end dense transmission method for distributed energy power data as described above.

[0015] This invention also provides a computer-readable storage medium for storing a computer program, which, when executed by a processor, implements the steps of an end-to-end encrypted transmission method for distributed energy power data as described above.

[0016] This invention provides an end-to-end dense-state transmission method for distributed energy power data, which has the following advantages compared with the prior art: This invention constructs an end-to-end encrypted channel between the energy system terminal and the cloud. The edge gateway only undertakes encrypted forwarding and protocol adaptation functions, without holding any session keys or having decryption capabilities. Compared with current solutions where the gateway must decrypt before transmission, this method strictly converges the trust boundary to the terminal and the cloud, breaking the traditional "hop-by-hop decryption" mode. It establishes the encrypted tunnel directly between the energy system terminal and the cloud, fundamentally cutting off the path for attackers to steal data using intermediate nodes and completely eliminating the systemic decryption risk of the gateway as a plaintext aggregation point. At the same time, in the construction of the key system between the energy system terminal and the cloud, a hybrid key exchange mechanism is introduced. Using the classical elliptic curve group and the post-quantum key encapsulation mechanism group in the hybrid key exchange group, a hybrid shared secret containing classical shared secret and quantum shared secret is generated for the energy system terminal and the cloud respectively. On the one hand, the quantum shared secret provides the ability to resist future quantum computing "backtracking decryption". On the other hand, the classical shared secret ensures security compatibility with the existing system, forming a "double insurance" security barrier. This avoids the combined attack path of "near-end plaintext theft + far-end quantum backtracking" and achieves efficient and secure encrypted transmission. Attached Figure Description

[0017] Figure 1 This is a schematic diagram of the overall process of an end-to-end dense state transmission method for distributed energy power data provided in an embodiment of the present invention; Figure 2 This is a schematic diagram comparing the computational costs of different KEM methods for end-to-end dense state transmission of distributed energy power data, provided by an embodiment of the present invention. Figure 3 A schematic diagram of different handshake overheads for an end-to-end dense state transmission method for distributed energy power data provided in an embodiment of the present invention; Figure 4 This is a schematic diagram illustrating the comparison and analysis of effective field size and encryption throughput of an end-to-end encrypted transmission method for distributed energy power data provided in an embodiment of the present invention. Figure 5 This is a schematic diagram illustrating the comparative analysis of different encryption algorithms for distributed energy power data in an end-to-end encrypted transmission method for distributed energy power data provided in an embodiment of the present invention. Figure 6 This is a schematic diagram illustrating the end-to-end latency statistics of different encryption algorithms for an end-to-end encrypted transmission method for distributed energy power data, provided in an embodiment of the present invention. Detailed Implementation

[0018] To make the above-mentioned objects, features, and advantages of the present invention more apparent and understandable, specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings. Many specific details are set forth in the following description to provide a thorough understanding of the present invention. However, the present invention can be practiced in many other ways different from those described herein, and those skilled in the art can make similar modifications without departing from the spirit of the present invention. Therefore, the present invention is not limited to the specific embodiments disclosed below.

[0019] As a crucial component of new energy sources, distributed energy systems exhibit significant characteristics in their operational monitoring data, including wide-area distribution, high-frequency sampling, multi-hop links, and long-term sensitivity. This data (such as power, voltage, and frequency) is not only used for real-time grid-connected monitoring but also serves as a key basis for power generation forecasting, dispatch decisions, and electricity market settlement. Unlike traditional closed power SCADA systems, distributed energy power data exhibits more prominent characteristics such as wide-area distribution, high-concurrency access, high-frequency reporting, cross-network transmission, and long-term retention. Furthermore, data often needs to be transmitted across untrusted links such as public networks and cellular networks, making its security boundaries extremely difficult to control. With the development of quantum computing technology, the National Institute of Standards and Technology (NIST) has released post-quantum cryptography standards, such as ML-KEM and ML-DSA, to replace traditional public-key algorithms vulnerable to Shor's algorithm attacks. The security protection system of the power Internet of Things (IoT) urgently needs to migrate to the post-quantum era. Therefore, PV data security should not be viewed merely as a "transmission encryption" issue but should be modeled as a system engineering project spanning the entire end-to-edge-to-cloud chain. Its security boundaries, identity system, key management, and anti-replay timing constraints all need to be aligned with business semantics.

[0020] Currently, the main technical solutions for transmitting distributed energy power data include the following: 1. Segmented protection and boundary protection scheme: This is the most common engineering paradigm for the power Internet of Things. In the terminal to gateway segment, vendor-specific protocols or lightweight encryption are usually used for access control. In the gateway to cloud segment, a standard VPN or TLS secure channel is established. The gateway, as the aggregation point, is responsible for decrypting the terminal data, converting or aggregating the protocol, and then re-encrypting and sending it to the cloud.

[0021] 2. Power Communication Security Extension Scheme Based on IEC Standards: Based on the IEC 62351 security standard family, security extensions are added to power-specific communication protocols such as IEC61850 and IEC 60870-5-104. This scheme ensures the security of power business data transmission by integrating authentication and encryption mechanisms into the protocol stack, but it usually still relies on the traditional RSA / ECC public key system.

[0022] 3. General Transport Layer Security (TLS) / VPN Solution: Directly utilize the Internet's common TLS protocol (such as TLS 1.2 / 1.3) or IPsec VPN to build an encrypted tunnel; this solution relies on a widely deployed PKI system, uses classic asymmetric algorithms (RSA / ECC) for key negotiation and authentication, and provides bit-level encryption of the transmission channel.

[0023] 4. Basic post-quantum TLS migration schemes (IETF Drafts): TLS 1.3 post-quantum hybrid key exchange drafts proposed by academia and the IETF standards organization (such as using ECDHE combined with ML-KEM); this scheme aims to address quantum threats, with a primary focus on algorithm replacement at the protocol level, that is, introducing post-quantum algorithms to establish a connection during the TLS handshake process.

[0024] Among the transmission schemes described above, while segmented boundary protection offers practical convenience in engineering deployment through gateways for protocol adaptation and encryption conversion, its heavy reliance on the assumption of "trustworthy edge aggregation nodes" means that if the gateway, as the plaintext aggregation point, is compromised or infected with malicious code, the exposure of plaintext due to segmented decryption will amplify the single-point risk into a systemic risk. Schemes based on general transport layer security protocols typically aim to establish secure channels using traditional public-key systems such as RSA / ECC to ensure data transmission security. While these traditional public-key-based schemes can guarantee channel confidentiality and bit-level integrity, they are vulnerable to unforeseen circumstances. While quantum computing capabilities are available, they face the structural threat of "stealing first and then decrypting." At the same time, general channels lack strong binding to the temporal semantics of business (such as sampling timestamps and monotonic sequence numbers), making it unable to effectively resist historical replay and delayed delivery attacks targeting time-series data. Although basic post-quantum TLS migration schemes can provide long-term quantum-resistant security, the issue of handshake message and certificate size expansion must be considered. In real-world environments such as distributed energy systems with massive terminal access and weak network jitter and narrowband transmission, excessive handshake overhead can lead to a sharp increase in first packet latency and frequent fragmentation retransmissions, making it difficult to meet the high availability and low latency requirements of power services.

[0025] To address the current challenges in the transmission of distributed energy power data, such as the risk of plaintext exposure due to reliance on edge trust assumptions, difficulty in resisting the long-term threat of quantum computing, lack of anti-replay capability at the business semantic layer, and excessive communication and computational overhead of post-quantum algorithms in weak network environments, etc. Figure 1 As shown, this invention provides an end-to-end encrypted transmission method for distributed energy power data. Its core principle is that the minimum trusted boundary converges to the terminal E and the cloud C: the gateway G and the transmission network N are only assigned "ciphertext reachability," not "plaintext visibility." Specifically, the system is divided into three mutually decoupled yet collaborative planes:

[0026] (1) Control Plane: responsible for identity, authentication and key establishment: terminal E and cloud C complete two-way authentication based on post-quantum certificate (PQ-PKI) and exchange derived session keys through hybrid key exchange; the session state (connection ID, key version, rotation cycle, anti-replay window parameters, etc.) generated by the control plane will serve as the basis for data plane encapsulation and verification.

[0027] (2) Data Plane: Responsible for the encrypted encapsulation and transmission of PV service load: Terminal E uses the session key to encrypt the PV time-series data using AEAD, and includes the device identifier, timestamp, serial number / window number and other service-related metadata into AAD binding to achieve "content invisible, tamper-proof detectable, replay rejectable, and out-of-order controllable"; Cloud C completes decryption and verification before entering the service processing link.

[0028] (3) Operations Plane: Responsible for lifecycle governance necessary for large-scale deployment, including certificate issuance / rotation / revocation, algorithm parameter set configuration (such as ML-KEM parameters, hybrid group selection), key rotation strategy, audit logs and event tracking, etc., and supports domain-based gray-scale upgrade and rollback strategies to adapt to the objective constraints of long-term operation of power systems and gradual migration of existing terminals.

[0029] After the control plane, data plane, and operations plane are constructed, the actual execution mainly includes: 1. Identity and key system construction.

[0030] This invention constructs a PQ-PKI system for PV terminals and manages key materials separately in three layers: "long-term - session - data". (1) Device identity and certificate profile.

[0031] A certificate CertE is issued for each terminal E, and the cloud C holds a CertC. The certificate signing algorithm adopts the NIST-standardized ML-DSA (such as ML-DSA-65) to improve the authentication security margin under the quantum adversary model. In addition to the regular subject information, it is recommended to add extensions that are more in line with power operation and maintenance (which can be expressed by custom OIDs): equipment type / manufacturer model, affiliated transformer area / station, allowed data domain / measuring point set, maximum certificate validity period, policy version number, etc., so that the certificate can not only "authenticate", but also have engineering semantics of "authorization and auditability".

[0032] (2) Key Hierarchy and Minimum Exposure Surface.

[0033] Long-term identity key: ML-DSA signing private key sksig, used for handshake authentication, certificate verification and signing of critical control messages; this key should be placed in secure storage (secure chip / TEE / trusted firmware area) as much as possible, and accompanied by anti-rollback and secure boot strategies to reduce the risk of leakage caused by physical contact and firmware rollback.

[0034] Session key: The session master key Ksess, derived from the hybrid key exchange, has a short lifespan (it is recommended to use it by connection or by time window) and is used to generate data plane encryption keys and nonce derived keys; the impact of session key leakage is limited to a single connection / single cycle.

[0035] Data keys: Directional keys (uplink / downlink separated) derived from Ksess via KDF and nonce-derived keys Knonce, supporting rolling by "key version number / window number" for easy anti-replay and disconnection recovery.

[0036] (3) Rotation, Revocation with Offline Tolerance.

[0037] Power terminals often operate offline for extended periods or in weak network environments, making it impractical to rely solely on online OCSP queries. This invention employs a primary strategy of "short-term certificates + periodic rotation": certificates with relatively short validity periods (e.g., weekly / monthly) are updated in batches via the online window of the device by the operations and maintenance team; for devices that require long-term offline operation, a compromise of "domain-specific CRL issuance + local caching strategy version number" can be used, enabling the terminal / cloud to still make consistency judgments even without real-time queries; simultaneously, to meet auditing requirements, the cloud needs to record evidentiary fields such as "certificate serial number, revocation reason, last successful handshake time, and abnormal replay count," forming a traceable closed loop.

[0038] 2. Establishment of PQC hybrid key exchange session.

[0039] Balancing the interoperability of the existing power system ecosystem with long-term security margins against quantum adversaries, this invention adopts a session establishment strategy of "hybrid key exchange + post-quantum signature authentication" within the TLS 1.3 framework; the handshake process is described in a journal-style format according to "key messages and verification points": Hybrid negotiation: The terminal declares the supported hybrid groups and cipher suites in ClientHello and carries the corresponding KeyShare information; the cloud selects the hybrid group in ServerHello and returns the corresponding KeyShare, enabling both parties to complete hybrid key negotiation and enter the handshake key derivation.

[0040] Two-way authentication: The two parties then complete two-way authentication through Certificate Verify, where the signing and verification of the certificate / handshake context uses ML-DSA to provide quantum-resistant identity authentication capabilities; NIST FIPS 204 explicitly states that ML-DSA is used to generate and verify digital signatures and is considered resistant to large-scale quantum computing adversaries.

[0041] Key Derivation and State Initialization: Based on the agreed-upon shared secret, both parties derive the data encryption key (K_enc), the random value derived key (K_nonce), the session ID, and the key version number, respectively. The receiving end initializes the replay window state to prevent attackers from intercepting old messages and retransmitting them, thereby misleading the system's judgment. Finally, the final session state (S) is returned, officially starting end-to-end encrypted transmission.

[0042] 3. PV-Sec data encapsulation oriented towards business semantics.

[0043] To address the strong time-series characteristics of distributed energy power data, this invention designs a PV-Sec encapsulation structure to achieve data plane protection, employing an AEAD (Authorized Encryption with Associated Data) mode (such as AES-GCM or ChaCha20-Poly1305). Unlike traditional encryption, this invention uses device identifier (dev_id), timestamp, monotonically increasing sequence number (seq), and key version number (key_version) as the message header fields. The AEAD algorithm (such as AES-GCM or ChaCha20-Poly1305) is used to encrypt the photovoltaic load, and the aforementioned header fields are incorporated into the authentication calculation as Associated Authentication Data (AAD). The cloud maintains a sliding window and a received marker bitmap, combined with a timestamp threshold to filter out outdated or duplicate messages, resisting replay and situational spoofing attacks. Any tampering with the timestamp, cross-device misappropriation of ciphertext, or replay of historical data will cause the integrity verification during cloud decryption to fail, thus being immediately identified and discarded.

[0044] like Figure 2 This paper compares the computational costs of different key encapsulation mechanisms (KEMs) on energy system terminals. Specifically, it selects the classical ECDH (P-256), the standard post-quantum ML-KEM-768, and the hybrid KEM (ECDH+ML-KEM) used in this invention as comparison objects. The test indicators are the average time (milliseconds) for a single key encapsulation / decapsulation and the peak stack memory usage (KB). The experimental results show that the classical ECDH takes about 1.2ms and uses about 2.5KB of memory; the pure ML-KEM-768 takes about 8.7ms and uses about 18KB of memory; the hybrid KEM of this invention takes about 9.9ms and uses about 21KB of memory. Compared with the pure ML-KEM-768, it only increases the computational cost by about 13%, but gains long-term security against quantum backtracking attacks and compatibility with classical algorithms.

[0045] like Figure 3The total number of bytes and fragmentation probability of different KEM mechanisms during the complete TLS handshake process were compared. The test scenario was the initial connection establishment between the terminal and the cloud. The comparison items included TLS 1.2 (ECDHE+RSA), TLS 1.3 (ECDHE), TLS 1.3+ML-KEM pure post-quantum, and the hybrid KEM of this invention (ECDHE+ML-KEM). The experimental results show that the total size of the TLS 1.2 handshake message is approximately 2.1KB, and the TLS... The 1.3 (ECDHE) solution is approximately 1.8KB, while the pure post-quantum TLS (ML-KEM+ML-DSA) solution is approximately 8.5KB, with an IP fragmentation probability as high as 62% in weak network environments. In contrast, the hybrid KEM solution of this invention is approximately 4.3KB, reducing the fragmentation probability to 23%. It is evident that this invention effectively compresses the additional public key and ciphertext length that needs to be transmitted in the post-quantum part by retaining the classic elliptic curve shared secret. At the same time, by utilizing certificate compression and extended field optimization, the handshake overhead is controlled within 4.5KB. In narrowband scenarios such as NB-IoT, the handshake success rate is improved by approximately 40% compared to the pure post-quantum solution, and the first packet latency is reduced by more than 35%.

[0046] like Figure 4 The figure shows the curves of encryption throughput as a function of payload size when different AEAD algorithms are used on the data plane. The test environment is the terminal side (ARM). The experiments compared AES-128-GCM and ChaCha20-Poly1305 on both the Cortex-M4 and cloud (X86) sides. Results showed that on the terminal side, AES-GCM throughput was approximately 4.2 MB / s when the load was less than 256 bytes, while ChaCha20-Poly1305 was approximately 3.8 MB / s, with a difference of less than 10%. When the load increased to 1024 bytes, AES-GCM throughput increased to 9.1 MB / s, and ChaCha20-Poly1305 increased to 7.3 MB / s. On the cloud side, both algorithms achieved throughputs exceeding 200 MB / s, showing no performance bottleneck. Since distributed energy power data packets typically do not exceed 256 bytes, the two algorithms performed similarly on the terminal and both met real-time requirements. Therefore, this invention defaults to using ChaCha20-Poly1305 to reduce reliance on AES hardware acceleration and improve versatility on low-end terminals.

[0047] like Figure 5The comparison shows the comprehensive capabilities of the PV-Sec encapsulation (AEAD+AAD binding device ID, timestamp, and serial number) of this invention with ordinary TLS record layer encryption (encrypting only the payload) in terms of replay resistance, tamper resistance, and out-of-order tolerance. The experimental results show that ordinary TLS record layer cannot resist replay attacks (requires the upper-layer serial number) and cannot detect tampering of business metadata. Attackers can re-inject historically valid ciphertext, misleading the scheduling system. However, the PV-Sec encapsulation of this invention can forcibly include the device identifier, timestamp, and serial number into AAD. Any modification to the header fields will cause decryption and authentication to fail.

[0048] like Figure 6 The figure shows the average end-to-end latency of different secure transmission schemes on 50,000 distributed energy power data records. The first scheme is segmented plaintext gateway, with an average latency of 112ms. The second scheme is segmented TLS (terminal-gateway TLS, gateway-cloud TLS, gateway decryption and re-encryption), with an average latency of 246ms, of which gateway processing accounts for 45% and there is a risk of plaintext exposure. The third scheme is standard post-quantum TLS (pure ML-KEM + ML-DSA), with an average latency of 478ms, mainly because each reconnection requires a complete post-quantum handshake and large packets cause retransmission. The fourth scheme is the scheme of this invention (hybrid KEM + PV-Sec encapsulation + session multiplexing), with an average latency of 189ms. Because this invention uses end-to-end encryption to eliminate the gateway encryption and decryption step, and session multiplexing reduces the handshake frequency by more than 80%, the reconnection recovery time in weak network environments is shortened to 1 / 3 of the original post-quantum scheme.

[0049] This invention addresses the characteristics of distributed energy systems, such as "high-frequency reporting, long-term retention, reconnection after link failure, and transparent forwarding at the edge." It establishes an end-to-end threat model and a set of security objectives (confidentiality / integrity / anti-replay / two-way authentication / forward security / auditability and maintainability), and proposes quantitative evaluation criteria aligned with business indicators such as sampling period, concurrent access, and link jitter, providing unified boundary conditions for solution design and comparative evaluation. Furthermore, this invention proposes an end-to-end encrypted transmission architecture with minimum trust boundaries for edge-cloud PQC, constructing an E→C end-to-end encrypted channel. This allows edge gateways to only handle encrypted caching, forwarding, and protocol adaptation without decryption capabilities. The control plane (identity and keys) and data plane (PV load) are layered and decoupled, significantly reducing the risk of plaintext aggregation and systemic compromise caused by edge-side attacks.

[0050] To address the challenges of traditional public-key cryptosystems' inability to withstand the "steal-then-decrypt" threat of future quantum computing and the difficulty in compatibility with existing systems, this invention designs a portable PQC session and identity system (Hybrid TLS 1.3 + PQ-PKI). It introduces hybrid key exchange involving ML-KEM during session establishment to balance interoperability and quantum security margins, and uses ML-DSA certificate-based two-way authentication to achieve trusted device identities and full lifecycle key management (issuance / rotation / revocation / auditing), forming a post-quantum-secure access mechanism that can be implemented in power engineering.

[0051] To address the challenges of replay attacks, timing inconsistencies, and difficulty in assessing overhead during cross-domain transmission of energy business data, this invention proposes PV-Sec application layer encapsulation. This encapsulates key metadata such as device identifiers, timestamps, and sequence / window numbers into AEAD authentication binding, enabling replay resistance and timing consistency verification. Furthermore, it provides a cross-protocol stack landing path (TLS bearer / payload embedded) and a "handshake-certificate-computation-data plane" overhead quantification and capacity planning model, enabling sensitivity analysis and engineering forecasting even in the absence of real-world testing.

[0052] This invention constructs an end-to-end encrypted channel with minimal trust boundaries, breaking the traditional "hop-by-hop decryption" mode and enabling the encrypted tunnel to be directly established between the terminal (E) and the cloud (C). The edge gateway (G) is downgraded to an untrusted traffic forwarding node, only responsible for routing and caching ciphertext, and does not hold session keys. Even if the gateway is completely compromised, attackers cannot obtain the plaintext of photovoltaic business data, fundamentally eliminating the risk of data leakage from intermediate nodes.

[0053] This invention achieves hybrid post-quantum protection with dual guarantees of "compatibility + long-term effectiveness," employing TLS 1.3 hybrid key exchange (ECDHE + ML-KEM). On the one hand, the ML-KEM algorithm provides the ability to resist future quantum computing "backtracking decryption," ensuring the long-term confidentiality of power data. On the other hand, it retains the mature security of classical algorithms, playing a "double insurance" role and ensuring system interoperability and security during the transition period.

[0054] This invention provides strong temporal integrity protection based on business semantics. It designs a PV-Sec encapsulation protocol that forces key business metadata such as device ID, timestamp, and serial number to be included in the AEAD encryption calculation as Associated Authentication Data (AAD). This enables the encryption layer to be aware of business logic. The cloud can not only verify whether the data has been tampered with, but also accurately identify and discard historical data, delayed data, or cross-device spliced ​​data that has been maliciously replayed by attackers, preventing the scheduling system from being misled by false situations.

[0055] This invention proposes a combined strategy of "session multiplexing priority" and "sliding window fault tolerance." By significantly reducing the costly frequency of asymmetric handshakes (using PSK to multiplex sessions) and designing the replay detection logic to support out-of-order arrival within a certain range, it effectively reduces computational and communication overhead. Under the same weak network conditions, the success rate and real-time performance of data reporting are significantly better than the scheme of directly applying standard post-quantum TLS. At the same time, in addition to having the ability to resist quantum migration, this invention has more controllable transmission overhead and faster reconnection recovery speed. In complex environments such as distributed energy systems with high-frequency reporting and high requirements for long-term confidentiality, the architecture of this invention improves the engineering adaptability and practicality of the system.

[0056] The embodiments described above are merely illustrative of several implementations of the present invention, and while the descriptions are relatively specific and detailed, they should not be construed as limiting the scope of the invention patent. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of the present invention, and these all fall within the protection scope of the present invention. Therefore, the protection scope of this invention patent should be determined by the appended claims.

Claims

1. An end-to-end dense-state transmission method for distributed energy power data, characterized in that, Includes the following steps: Collect distributed energy power data from each distributed energy system and store the distributed energy power data in the energy system terminal. The energy system terminal generates a list of hybrid key exchange groups and corresponding hybrid key sharing materials. The cloud selects a group of hybrid keys as authorized hybrid keys, generates the authorized hybrid key sharing materials corresponding to the authorized hybrid keys, and returns the authorized hybrid key sharing materials to the energy system terminal. The hybrid key exchange group includes a classical elliptic curve group and a post-quantum key encapsulation mechanism group. The cloud and the energy system terminal respectively use authorized hybrid key sharing materials to generate classical shared secrets and quantum shared secrets, and respectively combine classical shared secrets and quantum shared secrets into a hybrid shared secret; the energy system terminal and the cloud perform two-way authentication based on their respective pre-set post-quantum cryptography certificates. After authentication, the cloud and the energy system terminal respectively derive session keys for themselves based on the hybrid shared secret; The energy system terminal uses a session key to encapsulate distributed energy power data to generate ciphertext. The encapsulated ciphertext is then forwarded to the cloud via an edge gateway. During the forwarding process, the edge gateway only parses the routing information in the ciphertext for ciphertext transmission, without decrypting the ciphertext or holding the session key. After receiving the ciphertext, the cloud uses the same session key to decrypt it, thereby obtaining the distributed energy power data to achieve end-to-end encrypted transmission.

2. The end-to-end dense-state transmission method for distributed energy power data according to claim 1, characterized in that, The certificate signature algorithm for the post-quantum cryptography certificate is ML-DSA; The post-quantum cryptography certificate includes quantum cryptography subject information, as well as the equipment type and manufacturer model in the distributed energy system, the substation and site to which it belongs, the data domains and measurement point sets that can be reported, the maximum certificate validity period, and the policy version number.

3. The end-to-end dense-state transmission method for distributed energy power data according to claim 1, characterized in that, The generation of the session key includes: The cloud and energy system terminals respectively generate a session master key, a data encryption key, a random value derived key, a session identifier, and a key version number based on a hybrid shared secret and using key derivation functions, in order to form a session key.

4. The end-to-end dense state transmission method for distributed energy power data according to claim 1, characterized in that, The energy system terminal uses a session key to encapsulate distributed energy power data to generate ciphertext, including: The energy system terminal uses the session key and adopts the AEAD authentication encryption mode with associated data to encrypt the power load in the distributed energy power data into the ciphertext header field, which consists of the device identifier, timestamp, monotonically increasing sequence number and key version number in the distributed energy power data. The AEAD authentication encryption mode with associated data adopts either the AES-GCM algorithm or the ChaCha20-Poly1305 algorithm.

5. The end-to-end dense-state transmission method for distributed energy power data according to claim 1, characterized in that, Before transmitting the encapsulated ciphertext, the energy system terminal generates a monotonically increasing sequence number based on the current timestamp and maintains a local transmission window. When receiving encrypted text in the cloud, the maximum received sequence number and the receiving status of the sequence number within the window are recorded through a sliding window mechanism, and non-legal encrypted text that exceeds the window or time range is filtered in combination with timestamp thresholds.

6. The end-to-end dense-state transmission method for distributed energy power data according to claim 1, characterized in that, The energy system terminal and the cloud perform full lifecycle management of the pre-installed post-quantum cryptography certificates in the energy system terminal and the cloud when the system is offline. The full lifecycle management includes certificate issuance, certificate rotation, certificate revocation, algorithm parameter set configuration, key rotation strategy, audit logs, and event tracking.

7. The end-to-end dense-state transmission method for distributed energy power data according to claim 1, characterized in that, The uplink and downlink data in the cloud and energy system terminal use different encryption keys, which are derived from the session master key through key derivation functions to prevent one-way key leakage.

8. An end-to-end dense-state transmission system for distributed energy power data, characterized in that, include: The control plane collects distributed energy power data from each distributed energy system and stores the distributed energy power data in the energy system terminal. The energy system terminal generates a list of hybrid key exchange groups and corresponding hybrid key sharing materials. The cloud selects a group of hybrid keys as authorized hybrid keys, generates the authorized hybrid key sharing materials corresponding to the authorized hybrid keys, and returns the authorized hybrid key sharing materials to the energy system terminal. The hybrid key exchange group includes a classical elliptic curve group and a post-quantum key encapsulation mechanism group. The cloud and the energy system terminal respectively use authorized hybrid key sharing materials to generate classical shared secrets and quantum shared secrets, and respectively combine classical shared secrets and quantum shared secrets into a hybrid shared secret; the energy system terminal and the cloud perform two-way authentication based on their respective pre-set post-quantum cryptography certificates. After authentication, the cloud and the energy system terminal respectively derive session keys for themselves based on the hybrid shared secret; On the data plane, the energy system terminal uses a session key to encapsulate distributed energy power data to generate ciphertext. The encapsulated ciphertext is then forwarded to the cloud via an edge gateway. During the forwarding process, the edge gateway only parses the routing information in the ciphertext for ciphertext transmission, without decrypting the ciphertext transmission or holding the session key. After receiving the ciphertext, the cloud uses the same session key to decrypt it, thereby obtaining the distributed energy power data to achieve end-to-end encrypted transmission.

9. An electronic device, characterized in that, include: Memory and processor; The memory is used to store computer programs; When the processor executes the computer program stored in the memory, it implements the steps of the end-to-end dense transmission method for distributed energy power data as described in any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that, Used to store a computer program, which, when executed by a processor, implements the steps of an end-to-end dense transmission method for distributed energy power data as described in any one of claims 1 to 7.