CN111416715A

CN111416715A - Quantum secret communication identity authentication system and method based on secret sharing

Info

Publication number: CN111416715A
Application number: CN202010277217.2A
Authority: CN
Inventors: 富尧; 钟一民; 杨羽成
Original assignee: Ruban Quantum Technology Co Ltd; Nanjing Ruban Quantum Technology Co Ltd
Current assignee: Ruban Quantum Technology Co Ltd; Nanjing Ruban Quantum Technology Co Ltd
Priority date: 2020-04-09
Filing date: 2020-04-09
Publication date: 2020-07-14
Anticipated expiration: 2040-04-09
Also published as: CN111416715B

Abstract

The invention discloses a quantum secret communication identity authentication system and method based on secret sharing, which comprises service stations and user sides which are in communication connection, wherein each service station is provided with more than one user side, the user sides are mobile equipment groups formed by more than one mobile equipment, the mobile equipment in the same group secretly shares the same equipment ID, equipment false identity and equipment key, login identity authentication is implemented between the user side and the belonging service station, and a group session key is generated; and generating a session key between the two mobile devices in the identity authentication process between the two mobile devices. In the authentication method, the complete secret key and the ID of the user are not exposed in the network, the secret shared secret key is updated after each identity authentication, the threshold signature process is simplified, the attack of a quantum computer can be resisted without encryption, and the security of the identity authentication is greatly improved.

Description

Quantum secret communication identity authentication system and method based on secret sharing

Technical Field

The invention relates to the technical field of secret sharing, in particular to a quantum secret communication identity authentication system and method based on secret sharing.

Background

Quantum communication technology is an emerging secure communication technology established based on quantum physics. The quantum communication technology of China has already entered the stage of practicability, and its application prospect and strategic significance have also drawn extensive attention to the development of the industry by local governments and important industries. In addition to establishing quantum communication trunks, some large-scale metropolitan quantum communication networks have also been successfully built and operated. Based on the metropolitan area quantum communication network, the quantum communication technology also has primary application, and high-security video voice communication and other applications can be realized. Quantum communication networks such as quantum communication trunk and quantum communication metropolitan area networks constitute a quantum communication network, and the essence of the quantum communication network is Quantum Key Distribution (QKD). Quantum communication networks built on QKD technology can therefore be referred to as QKD networks.

With the rapid development of the mobile internet, the business websites in the enterprise and public institution gradually develop towards the mobile terminal, so that the user hopes to access the website server in the enterprise and public institution through the portable mobile terminal in order to facilitate the staff to know the work content at any time. If the identity authentication has a vulnerability, data leakage can be caused, and irreparable results can be brought to enterprises. Therefore, a secure and reliable identity authentication method is very necessary. The existing authentication methods for the mobile terminal mainly include: the authentication is carried out by logging in authentication through an account number and a password, authentication through a dynamic password, and authentication through comparing equipment identification information with user equipment information prestored in an authentication server, but the possibility that the account password, the dynamic password and the equipment ID are intercepted and leaked exists.

However, the existing mobile device identity authentication methods usually use an encryption method based on mathematical algorithm complexity in the information transmission process, such as currently mainstream asymmetric encryption algorithms, for example, RSA encryption algorithm, which are mostly based on two mathematical problems, namely factorization of large integers or calculation of discrete logarithms over a finite field. Their difficulty in breaking is also dependent on the efficiency with which these problems are solved. On a traditional computer, the two mathematical problems are required to be solved, and the time is taken to be exponential (namely, the cracking time increases in exponential order along with the increase of the length of the public key), which is not acceptable in practical application. The xiuer algorithm tailored for quantum computers can perform integer factorization or discrete logarithm calculation within polynomial time (i.e. the cracking time increases at the speed of k power along with the increase of the length of a public key, wherein k is a constant irrelevant to the length of an ID), so that the possibility is provided for the cracking of RSA and discrete logarithm encryption algorithms.

Patent document CN108650028B discloses a multiple authentication system and method based on a quantum communication network and a true random number, which is based on multiple authentications performed by the quantum communication network and the true random number, and aims to improve system security better, but in the process of performing bidirectional authentication between a user a and a user B, the user a sends a message including the random number to the user B in a plaintext form, a session key is generated by the user B and a quantum network service station synchronously, a session key is known by the service station, and the authentication process is mainly performed among the user a, the user B and a previous quantum communication service station, and the encryption and decryption modes are single.

Patent document CN 110808834A discloses a quantum key distribution method and a quantum key distribution system, and discloses quantum key distribution information including: a public key of the terminal and an encryption algorithm corresponding to the public key; receiving a quantum key sent by a quantum key node, encrypting the quantum key according to the public key and the encryption algorithm, and detecting the timeliness of the quantum key.

In summary, the conventional authentication method based on the mobile device has the following problems:

1. after the key fob is lost or stolen, the key fob may be hacked to obtain the internal key. If the private key of the asymmetric key system is known to the adversary, the ownership of the private key will be lost. If the public key of the asymmetric key system is known by an enemy, if the enemy owns the quantum computer, the private key is cracked through the public key, and the ownership corresponding to the private key is lost.

2. After the key fob is lost or stolen, it may be directly used and may damage the rights and interests corresponding to the user account. For example, the user account is transferred with the right, and the right is stolen.

3. The quantum computing resistance of the existing digital signature is not high, and a signature private key can be obtained by computing. In order to make the digital signature have quantum computing resistance, the digital signature must be encrypted, and the computation amount of the digital signature is increased.

4. The ID of the existing network communication subject is exposed in the network, and the security of the user privacy is not high.

5. The existing multi-party threshold signature method has the disadvantages of more complex flow and higher communication cost.

6. In the existing algorithm based on the ID cryptography, an elliptic curve generating element is used as a fixed parameter and cannot be changed permanently, and the safety of a system based on the ID cryptography is not high enough.

Disclosure of Invention

The technical purpose is as follows: aiming at the technical problems, the invention provides a quantum secret communication identity authentication system and method based on secret sharing.

The technical scheme is as follows: in order to achieve the technical purpose, the invention adopts the following technical scheme:

a quantum secret communication identity authentication system based on secret sharing is characterized in that: the system comprises service stations and user terminals which are in communication connection, wherein the service stations are quantum communication service stations, each service station is provided with more than one user terminal, and the user terminals are mobile equipment groups formed by more than one mobile equipment;

the mobile devices in the same group are issued with key fobs by the service station and share the same device ID, device false identity PID and device key with (n, n) secret, and corresponding secret sharing random numbers, ID components, device false identity PID components and key components are stored in each mobile device key fob in a distributed mode; the device key comprises a main private key, a main public key, a temporary private key and a temporary public key which are authenticated and updated at a time;

the service station is provided with a service station public key and a service station private key which are authenticated and updated once; implementing login identity authentication between a user side and a service station to which the user side belongs, and generating a group session key in the login identity authentication process; and performing communication identity authentication between the two mobile devices, and generating a session key between the mobile devices in the communication identity authentication process.

The invention also discloses a secret sharing-based secret key distribution method of the quantum secret communication identity authentication system, which is characterized by sequentially executing the following steps:

a1, the service station sends a group of secret sharing random numbers, a base point generator and the service station ID to each mobile device under the same user end; different mobile devices correspond to different secret sharing random numbers;

a2, each mobile device generates two true random numbers which are respectively used as a main private key component and a temporary private key component, and calculates the corresponding main public key component and temporary public key component by combining the received base point generator;

calculating a hash value of a combination of the base point generator and the service station ID and taking the hash value as a service station public key, and calculating a service station private key component according to the main private key component and the service station public key;

each mobile device sends the main public key component, the temporary public key component and the service station private key component to the service station;

a3, the service station calculates the complete master public key, temporary public key and service station private key according to the secret shared random number, the master public key component, temporary public key component and service station private key component sent by all mobile devices under the same user side, and calculates the hash value of the temporary public key;

calculating the false identity PID of the equipment according to the equipment ID and the corresponding base point generator, and carrying out secret sharing on the false identity PID of the equipment by using the corresponding secret sharing random number;

sending the obtained hash values of the multiple groups of equipment false identity PID components, the main public key and the temporary public key to a user side, and storing key items corresponding to the user side, wherein the key items comprise an equipment ID, the main public key, a service station private key, a base point generator, all secret sharing random numbers and equipment false identity PID components;

a4, each mobile device of the user end stores the corresponding device false identity PID component, secret sharing random number, main private key component, main public key, temporary private key component, temporary public key component, hash value of the temporary public key, base point generator and service station ID.

The invention also discloses a login identity authentication method of the quantum secret communication identity authentication system based on secret sharing, which is characterized in that login identity authentication is implemented between the user side and the service station to which the user side belongs, and a group session key is generated in the login identity authentication process; the method comprises the following steps:

b1, the mobile devices in the same group are used as the initiator of the authentication request, and send an encrypted first device-side message to the service station, wherein the first device-side message comprises a first message component and a first message authentication code generated by each mobile device;

b2, the service station is used as an authentication request processing party, verifies and processes the first equipment terminal message, and returns the first authentication terminal message to each mobile equipment of the user terminal, wherein the first authentication terminal message comprises notification content and a notification signature, and the notification content comprises a group session key;

b3, after the mobile devices verify and process the first authentication end message, sending an encrypted second device end message to the service station, wherein the second device end message comprises a second message component and a second message authentication code generated by each mobile device;

b4, the service station verifies and processes the second equipment terminal message, and returns a second authentication terminal message to each mobile equipment of the user terminal;

and B5, the mobile equipment verifies and processes the second authentication end message to obtain the notification content and the notification signature, and the identity authentication is finished after the verification is passed.

Preferably, the first message component comprises a device-side signature component, and the generating step comprises:

the mobile equipment generates an authentication request message and acquires a uniform timestamp with all the mobile equipment in the same group;

combining the service station ID, the authentication request information and the timestamp as transaction content, using the hash value of the temporary public key as an R signature parameter, calculating the hash value of the combination of the R signature parameter and the transaction content and using the hash value as an E signature parameter;

and calculating to obtain the device side signature component according to the temporary private key component, the main private key component and the E signature parameter.

Preferably, in step B2, the service station generates a new base point generator, a group session key, and a notification for use in a next round of signature, where the notification content includes the notification, the new base point generator, and the group session key, and the notification signature is calculated by the service station according to all device-side signature components.

Preferably, the first message component includes a first ciphertext, the first ciphertext is obtained by encrypting the temporary public key component stored locally by the mobile device using the service station public key of the service station to which the mobile device belongs, and adding a first offset in the encryption process; the first offset includes a timestamp, a locally stored secret shared random number, and a device false identity PID component.

Preferably, in step B3, the mobile device generates two true random numbers as a new master private key component and a new ephemeral private key component for the next round of use, calculates a corresponding new master public key component and new ephemeral public key component in combination with the received new base station generator, and calculates a hash value of a combination of the new base station generator and the service station ID as a new service station public key;

the second message component comprises a second ciphertext, the second ciphertext is obtained by encrypting the combination of the new master public key component, the new temporary public key sub-management and the new service station private key component by the mobile device by using the service station public key, a second offset is added in the encryption process, and the second offset comprises a timestamp, a group session key and a locally stored false identity PID component.

Preferably, in step B4, the service station calculates a complete new master public key, a new temporary public key, and a new service station private key according to the secret shared random number, the new master public key component, the new temporary public key component, and the new service station private key component sent by all mobile devices under the same user side, and calculates a hash value of the new temporary public key; and calculating the false identity PID of the new device according to the device ID and the corresponding new base point generator, and carrying out secret sharing on the false identity PID of the new device by using the corresponding secret sharing random number.

Preferably, the first message authentication code is obtained by calculating a hash value of the base point generator by the mobile device, and the second message authentication code is obtained by calculating the second message component by the mobile device using the group session key.

Before the communication identity authentication is implemented between two mobile devices, each mobile device and the affiliated service station complete login identity authentication to obtain respective group session keys, under the protection of the group session keys, the mobile devices apply for the session keys between the mobile devices from the service station, and the session keys between the mobile devices are used for encrypting transmission messages between the mobile devices after the communication identity authentication is completed.

Has the advantages that: due to the adoption of the technical scheme, the invention has the following technical effects:

1. in the invention, after the key fob is lost or stolen, the key fob cannot be cracked violently to acquire the internal key. If the adversary obtains the user's key fob, the user's key fob has stored therein a secret shared random number hash value Hx_iSecret shared public key component PK_iSecret shared private key component SK_iTherefore, SK, PK cannot be recovered using secret sharing, i.e. without any valid identity-related key information. If the enemy acquires the quantum communication service station key fob, all secret sharing random numbers are stored in the quantum communication service station key fob, and SK and PK cannot be recovered by using secret sharing, namely, no valid key information related to identity exists. Since the private key of the user cannot be enemyAs known, since a small number of key fobs cannot successfully perform identity authentication, the private key cannot be maliciously acquired, and the private key cannot be lost due to the loss of the small number of key fobs, so that the ownership of the account corresponding to the private key is greatly protected.

2. In the invention, the public key of the user is not disclosed, so that the quantum computer cannot obtain the public key and cannot obtain the private key corresponding to the public key; the public key of the user which is not disclosed is added into the process that the service station signs the user certificate, so that the certificate signature can resist the attack of quantum computation without extra encryption protection, and the computation amount of digital signature and verification signature is reduced; for the threshold signature, a signature component (namely TxsigE) is not disclosed, so that an adversary lacks the necessary parameters for cracking the threshold signature, and the threshold signature can resist attack of a quantum computer without encryption.

3. In the invention, the ID of the device owner is shared by the plurality of devices in a secret mode, and the service station recovers the secret of the ID after receiving the secret components of the IDs of the plurality of devices, so that the ID of the device owner is not exposed in the network, and the safety is improved.

4. In the invention, the secret shared secret key is updated after each identity authentication, thereby improving the safety.

5. In the invention, the threshold signature process is greatly simplified and the communication cost is reduced by pre-sharing the parameters of the threshold signature.

6. When the algorithm based on the ID cryptography is used, the elliptic curve generating element is used as a variable parameter, the identity authentication is changed every time, and the safety of the system based on the ID cryptography is greatly improved.

Drawings

Fig. 1 is a system configuration diagram according to an embodiment of the present invention.

Detailed Description

Description of the System

The system structure diagram of the present invention is shown in fig. 1, where a user side a and a user side B are mobile device clusters and have quantum key fobs, where the user side a is used as an active side and the user side B is used as a passive side. Key card of A is by quantum communication service stationQA, B, is issued by the quantum communication service station QB. The ID of A is ID_AThe ID may be the ID of the device owner of the mobile device cluster corresponding to the a; similarly, the ID of B is ID_B。

The mobile device may be:

(1) the UKEY is connected with the user host through a USB interface;

(2) the IC key card is connected with the user host through an IC card reader;

(3) an NFC key fob connected to a user host through NFC;

(4) the Bluetooth KEY is connected with the user host through Bluetooth;

(5) the infrared KEY is connected with the user host through infrared;

(6) and the WIFI key fob is connected with the user host through WIFI.

The actual embodiment of the mobile device may be: the mobile phone comprises a car key, a mobile communication terminal (such as a mobile phone and the like), wearable equipment (such as a Bluetooth headset, smart glasses, a smart watch and the like), an IC card and the like.

The user host may be a PC, cell phone, or other computing device with networking capabilities.

The user goes to the QKD device in the area where the user is located to register and obtain a quantum key fob (with a unique quantum key fob ID) after approval. The quantum key card stores user registration information and is also internally provided with an identity authentication protocol, at least comprising a key generation algorithm and an authentication function or other algorithms related to identity authentication.

In the invention, the password system for communication of the mobile equipment A uses an ECC system.

The ID of Mobile device A is denoted IDA_i(i∈[0，n-1])。

The number of secret components is n.

When the quantum communication service station QA issues a key fob for the mobile device A, the domain parameters of the elliptic curve including q, a, b, P and n are selected first. q represents the size of the finite field Fq; the variables a and b being elliptic curves y²＝x³A coefficient of + ax + b, satisfies 4a³+27b²Not equal to 0; p is the base point generator. After generating the elliptic curve, selecting a base point generator P full ofIts order is an integer n. The generated private key sk and public key pk satisfy pk sk P. The relevant parameters q, a, b, P, n of the algorithm are written to the key fob designated area.

The secret sharing of (n, n) is performed for the private key SK of each user side. When secret sharing of (t, n) is carried out on information m, n is the number of fragments of m for splitting shared secret, t is the minimum number of fragments required for recovering m, and t is more than or equal to 2 and less than or equal to n.

Randomly selecting n different nonzero elements from finite field GF (q) of prime order q to generate secret sharing random number x₀，x₁，x₂，...，x_n-1Is assigned to participant Pi (i ∈ [0, n-1 ]])。

Selecting t-1 elements a from GF (q) aiming at a private key SK₁，a₂，...，a_t-1Structural polynomial

Then SK exists_i＝f(x_i) (i is more than or equal to 0 and less than or equal to n-1). The calculated secret component is (x)_i，SK_i). In the case of an ECC system: PK_i＝SK_i*P。

SK can be recovered by obtaining any t shadow secrets from n participants, and the specific steps are as follows:

according to the formula

Determining a Lagrangian parameter lambda_iAccording to the formula SK (f (0) ∑ λ_i*SK_iSK is obtained. In the case of an ECC system:

for the user ID, the calculated secret component is (x)_i，ID_i). From n to nSK can be recovered by acquiring any t shadow secrets in a participant, and the specific steps are as follows: according to the formula

Determining a Lagrangian parameter lambda_iThen according to the formula

And obtaining the ID.

The invention performs secret sharing of (n, n).

Let the user's permanent private key SK_MainThe permanent private key component is

The permanent public key of the user end is PK_Main＝SK_MainP, permanent public key component PK_iMain＝SK_iMain*P。

Taking a random number SK_iTempAs a secret shared ephemeral private key component, the ephemeral public key component PK_iTemp＝SK_iTempP, temporary private key

Temporary public key

Temporary public key hash value HPK_Temp＝H(PK_Temp)＝H(PK_Tempx||PK_Tempy) H (#) is a hash operation.

The user side key fob is obtained in a secure manner, e.g., by registering with the QKD device and importing corresponding key security information into the key fob.

Stage 1: key distribution

Step 1:

QA generates n sets of x_i，(i∈[0，n-1]) Form n groups x_i||P_A||ID_QAN to AAnd (4) each member. Wherein, P_AIs a generator specific to a.

Step 2:

a receives x_i||P_A||ID_QAThereafter, a true random number SK is generated by the key fob_AMainiAnd SK_ATempiCalculating PK_AMaini＝SK_AMaini*P_A，PK_ATempi＝SK_ATempi*P_A。

Calculation of PK_QA＝H₁(P_A||ID_QA)，H₁() is a hash operation based on ID cryptography. SK_QAi＝SK_AMaini*PK_QA. N groups of PK_AMaini||PK_ATempi||SK_QAiAnd sent to QA.

And step 3:

QA from n groups (x)_i，PK_AMaini) To restore PK_AMainThe principle is as follows:

according to the same principle, according to n groups (x)_i，PK_ATempi) Recovery of

QA from n groups (x)_i，SK_QAi) And recovering SK based on ID cryptography principle_QAThe principle is as follows:

computing

To PID_ASecret sharing to obtain n groups (x)_i，PID_Ai)。

Calculating HPK_ATemp＝H(PK_ATemp) N sets of PID_Ai||PK_AMain||HPK_ATempSending the data to A, and storing an item related to A, wherein the stored item is as follows: ID_A||PK_AMain||SK_QA||P_A||{(x_i，PID_Ai)，(i∈[0，n-1])}。

And 4, step 4:

after receiving the PID, the user end A stores the PID_Ai/x_i/SK_AMaini/PK_AMaini/PK_AMain/SK_ATempi/PK_ATempi/HPK_ATemp/P_A/ID_QA。

And (2) stage: login identity authentication

Step 1: a → QA.

The n mobile devices obtain the uniform time timeR and the authentication Request message Request.

Each mobile device calculates the PK_QA＝H₁(P_A||ID_QA) Using PK_QAFor PK_ATempiUsing an encryption algorithm based on ID cryptography, the encryption process is as follows:

generating a random number r, EPK_iU＝r*P_A，g＝e(PK_QA，PK_AMaini)，

Wherein H₂() is a hash operation.

Is calculated to obtain

For EPK_iUCalculating the offset to obtain EPK'_i＝{EPK_iU-HG(timeR||x_i||PID_Ai)，EPK_iV}. Where HG is a hash function that maps integers to elliptic curve points.

Each mobile device will ID_QACombining timeR and Request into Tx, making TxsigR equal to HPK_ATempThen, TxsigE | | H (TxsigR | | Tx) is calculated. Where H (×) is a hash operation.

Each mobile device calculates a signature component ReqSig_i＝SK_ATempi+SK_AMaini*TxsigE(modq)。

MsgA1 is made for each mobile device_i＝PID_Ai||Tx||EPK′_i||ReqSig_i。

Computing HP per Mobile device_A＝H(P_A) Using HP_AFor MsgA1_iMaking a message authentication code MAC (MsgA 1)_i，HP_A) All MsgA1_iAnd the MsgA1 is combined and sent to the quantum communication service station QA. MsgA1 may be denoted as MsgA1 ═ { MsgA1_i||MAC(MsgA1_i，HP_A)，(i∈[0，n-1])}。

Step 2: QA → A.

After receiving the MsgA1, the QA judges the rationality of the timeR and the Request in the Tx, and checks whether all PIDs are contained locally_AiThe key entry of (2). QA extraction ID_A||PK_AMain||SK_QA||P_A||{(xi，PID_Ai)，(i∈[0，n-1])}。

According to P_ACalculating HP_A＝H(P_A) For multiple MACs (MsgA 1)_i，HP_A) And (6) carrying out verification.

After the verification is passed, HG (timeR | | x) is calculated_i||PIDA_i) And mixing EPK'_iReverting to EPK_i. Computing

According to n groups (x)_i，PK_ATempi) Recovery of

Calculating HPK_ATemp＝H(PK_ATemp) Let TxsigR be HPK_ATemp，TxsigE＝H(TxsigR||Tx)。

QA makes a complete signature

PK for QA_AMainVerifying the signature Txsig, which comprises the following specific steps:

(1) calculate PK'_ATemp＝Txsig*P_A-PK_AMainTxsigE; the principle is as follows: txsig P_A-PK_AMain*TxsigE＝(SK_ATemp+SK_AMain*TxsigE(mod q))*P_A-PK_AMain*TxsigE＝PK_ATemp+PK_AMain*TxsigE-PK_AMain*TxsigE＝PK_ATemp。

To obtain PK'_ATemp＝(PK′_ATempx，PK′_ATempy)。

(2) Calculating TxsigR ═ H (PK'_ATemp) Further, TxsigE 'H (TxsigR' | Tx) is calculated. And comparing the TxsigE' with the TxsigE obtained by decryption.

And after the verification is passed, the identity authentication is passed.

QA generates P usable by the next round of signature_ANew。

QA generates a group session key KS and a notification Notify.

Using SK_QAFor Ntf1 Notify P_ANewI KS performs ID-based cryptographic signatures. The signature process is as follows:

generating a random number r, calculating PK_QANew＝H₁(P_ANew||ID_QA)，UNtf1＝r*PK_QANew，h＝H₃(Ntf1，UNtf1)，VNtf1＝(r+h)*SK_QA. Wherein H₃() is a hash operation.

The signature Ntfsig1 is obtained as SIGN (Ntf1, SK)_QA)＝(UNtf1，VNtf1)。

Use of PK_AMainiECIES encryption is carried out on the notification contents Ntf1 and Ntfsig1, and ENtf1 is obtained through calculation_i＝ENC(Ntf1||Ntfsig1，PK_AMaini)＝{ENtf1_iR，ENtf1_ic，ENtf1_it}. For ENtf1_iRCalculating offset to obtain ENtf 1'_i＝{ENtf1_iR-PK_ATempi，ENtf1_ic，ENtf1_it}。

N groups of { ENtf 1'_i，(i∈[0，n-1]) It is sent to a.

And step 3: a → QA.

Use of PK_ATempiMixing ENtf 1'_iReverts to ENtf1_iReuse of SK_AMainiDecrypting ENtf1_iResulting in Ntf1| | | Ntfsig 1.

Use of PK_QAVerify Ntfsig1, verify (P)_A，PK_AMain，UNtf1+h*PK_QANewVNtf1) is a Diffie-Hellman tuple. After the verification is passed, P is obtained_ANew||KS。

After the verification is passed, each key fob of A generates a true random number SK_AMainiNewAnd SK_ATempiNewCalculating PK_AMainiNew＝SK_AMainiNew*P_ANew，PK_ATempiNew＝SK_ATempiNew*P_ANew。

Calculation of PK_QANew＝H₁(P_ANew||ID_QA)，SK_QAiNew＝SK_AMainiNew*PK_QANew. N groups of PK_AMainiNew||PK_ATempiNew||SK_QAiNewAnd sent to QA.

Per mobile device usage PK_QAFor PK_AMainiNew||PK_ATempiNew||SK_QAiNewThe calculation process is the same as above using an encryption algorithm based on ID cryptography.

Is calculated to obtain

For ESK_iUCalculating offset to obtain 0 ESK'_i＝{ESK_iU-HG(timeR||KS||PIDA_i)，ESK_iV}。

MsgA2 is made for each mobile device_i＝PIDA_i||ESK′_i。

KS pair MsgA2 for each mobile device_iMaking a message authentication code MAC (MsgA 2)_iKS), all MsgA2_iAnd the MsgA2 is combined and sent to the quantum communication service station QA. MsgA2 may be denoted as MsgA2 ═ { MsgA2_i||MAC(MsgA2_i，KS)，(i∈[0，n-1]))。

And 4, step 4: QA → A.

After receiving MsgA2, QA of quantum communication service station judges PIDA_iIs reasonable (there are n PIDAs in the identity authentication session for which the search has not been completed_iSession(s).

Pairing multiple MACs according to KS (MsgA 2)_iKS) was performed.

According to n groups (x)_i，PK_AMainiNew) Recovery of

According to n groups (x)_i，PK_ATempiNew) Recovery of

According to n groups (x)_i，SK_QAiNew) Recovery of

Calculation of PK_QANew＝H₁(P_ANew||ID_QA)，

To PID_ANewTo carry outSecret sharing yields n groups (x)_i，PID_AiNew)。

Calculating HPK_ATempNew＝H(PK_ATempNew) N sets of Ntf2 are PID_AiNew||PK_AMainNew||HPK_ATempNewThe signature based on the ID cryptography is performed, and the signature process is the same as above, resulting in the signature Ntfsig2 being SIGN (Ntf2, SK)_QA)＝(UNtf2，VNtf2)。

According to n groups (x)_i，PK_ATempi) Recovery of

Use of PK_AMainiNewECIES encryption is carried out on the notification contents Ntf2 and Ntfsig2, and ENtf2 is obtained through calculation_i＝ENC(Ntf2||Ntfsig2，PK_AMainiNew)＝{ENtf2_iR，ENtf2_ic，ENtf2_it}. For ENtf2_iRCalculating offset to obtain ENtf 2'_i＝{ENtf2_iR-H(KS||PK_AMainiNew)，ENtf2_ic，ENtf2_it}。

N groups of { ENtf 2'_i，(i∈[0，n-1]) It is sent to a.

QA updates the entry related to a: ID_A||PK_AMainNew||SK_QANew||P_ANew||{(x_i，PID_AiNew)，(i∈[0，n-1])}。

Client A receives n groups of { ENtf 2'_i，(i∈[0，n-1]) After that, H (KS | | | PK) is calculated_AMainiNew) And mixing ENtf 2'_iReverts to ENtf2_iReuse of SK_AMainiNewDecrypting ENtf2_iResulting in Ntf2| | | Ntfsig 2.

Use of PK_QANewVerify Ntfsig2, verify (P)_ANew，PK_AMainiNew，UNtf2+h*PK_QANewVNtf2) is a Diffie-Hellman tuple.

After the verification is passed, updating

PID_AiNew/x_i/SK_AMainiNew/PK_AMainiNew/PK_AMainNew/SK_ATempiNew/PK_ATempiNew/HPK_ATempNew/P_ANew/ID_QA。

And (3) stage: communication identity authentication

This phase is for a mobile device in client a to authenticate a communication identity with a mobile device in client B. In the following, A and B are used instead.

Let QA, QB be A, B's issuing service station, respectively. IDA and IDB carry information of IDQA and IDQB.

The session key of A logging in QA is KS_AAnd the session key for B logging in QB is KS_BThe flow of logging in and acquiring the session key is as described in stage 2.

QKD channel is built between QA and QB of quantum communication service station, QA and QB use quantum key K_QCommunication, K_QPosition in the symmetric key pool is P_Q。

Step 1:

the user end A knows that the service station of the opposite side is QB according to the IDB.

A utilization of KS_AApplying QA for a key between QA and QB, QA will apply P_QKey K for location_QUsing KS_AThe protection of (2) is sent to a.

A selects a generator P_ABGenerating a public and private key pair SK_A、PK_A＝SK_A*P_AB。

Using K_QEncryption P_ABAnd PK_ATo obtain { P_AB||PK_A}K_Q. Combining to obtain MSG_AB＝IDA||IDB||TimeR||P_Q||{P_AB||PK_A}K_Q。

Using K_QFor MSG_ABComputing message authentication code and incorporating MSG_ABTogether as M_AAnd sending the data to B. M_ACan be expressed as MSG_AB||MAC(MSG_AB，K_Q)。

Step 2:

user B receives M_AThereafter, using KS_BApplying for P between QA and QB to QB_QKey to location, QB to P_QKey K for location_QUsing KS_BThe protection of (2) is sent to B.

B uses K_QFor MSG_ABComputing message authentication code and combining with MAC (MSG)_AB，K_Q) Performing comparison and verification, and using K after the verification is passed_QDecrypting MSG_ABTo obtain P_AB||PK_A。

According to the generation element P_ABGenerating a public and private key pair SK_B、PK_B＝SK_B*P_AB。

Calculating K_AB＝SK_B*PK_A。

Using K_QEncrypted PK_BTo obtain { PK_B}K_Q. Combining to obtain MSG_BA＝IDA||IDB||TimeR||{PK_B}K_Q。

Using K_ABFor MSG_BAComputing message authentication code and incorporating MSG_BATogether as M_BAnd sending the data to A. M_BCan be expressed as MSG_BA||MAC(MSG_BA，K_AB). Subsequent B utilization of K_ABAnd carrying out message encryption and decryption and message authentication with the A. Can be combined with K_ABSplitting into K_ABEAnd K_ABAAs message encryption/decryption and message authentication keys, respectively.

And step 3:

user A receives M_BThen, use K_QDecrypting MSG_BAObtaining PK_B。

Calculating K_AB＝SK_A*PK_B. Using K_ABFor MSG_BAComputing message authentication code and combining with MAC (MSG)_BA，K_AB) Performing comparison and verification, and after the verification is passed, A confirms K_ABIs a session key. Subsequent A with K_ABAnd B, encrypting and decrypting the message and authenticating the message. Can be combined with K_ABSplitting into K_ABEAnd K_ABAAs message encryption/decryption and message authentication keys, respectively.

The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.

The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims

1. A quantum secret communication identity authentication system based on secret sharing is characterized in that: the system comprises service stations and user terminals which are in communication connection, wherein the service stations are quantum communication service stations, each service station is provided with more than one user terminal, and the user terminals are mobile equipment groups formed by more than one mobile equipment;

2. The secret sharing based secret secure quantum communication identity authentication system key distribution method according to claim 1, characterized by sequentially executing the following steps:

3. The login identity authentication method of the secret sharing based quantum secret communication identity authentication system according to claim 1, wherein the login identity authentication is implemented between the user side and the service station to which the user side belongs, and a group session key is generated in the login identity authentication process; the method comprises the following steps:

and B5, the mobile equipment verifies and processes the second authentication end message, and the identity authentication is finished after the verification is passed.

4. The login authentication method of the secret sharing based quantum secure communication authentication system according to claim 3, wherein the first message component comprises a device-side signature component, and the generating step comprises:

5. The login identity authentication method of the secret sharing based quantum secret communication identity authentication system according to claim 4, wherein: in step B2, the service station generates a new base point generator, a group session key, and a notification for use in the next round of signature, where the notification content includes the notification, the new base point generator, and the group session key, and the notification signature is calculated by the service station according to all device-side signature components.

6. The login identity authentication method of the secret sharing based quantum secret communication identity authentication system according to claim 3, wherein: the first message component comprises a first ciphertext, the first ciphertext is obtained by encrypting a temporary public key component which is locally stored by the mobile equipment by using a service station public key of a service station to which the mobile equipment belongs, and a first offset is added in the encryption process; the first offset includes a timestamp, a locally stored secret shared random number, and a device false identity PID component.

7. The login identity authentication method of the secret sharing based quantum secret communication identity authentication system according to claim 4, wherein: in step B3, the mobile device generates two true random numbers as a new master private key component and a new ephemeral private key component for the next round of use, calculates a corresponding new master public key component and new ephemeral public key component in combination with the received new base point generator, and calculates a hash value of a combination of the new base point generator and the service station ID as a new service station public key;

8. The login identity authentication method of the secret sharing based quantum secret communication identity authentication system according to claim 3, wherein: in step B4, the service station calculates a complete new master public key, a new temporary public key, and a new service station private key according to the secret shared random number, the new master public key component, the new temporary public key component, and the new service station private key component sent by all mobile devices under the same user side, and calculates a hash value of the new temporary public key; and calculating the false identity PID of the new device according to the device ID and the corresponding new base point generator, and carrying out secret sharing on the false identity PID of the new device by using the corresponding secret sharing random number.

9. The login authentication method of the secret sharing based quantum secret communication authentication system according to claim 3, wherein the first message authentication code is obtained by computing a hash value of the base point generator by the mobile device to compute the first message component, and the second message authentication code is obtained by computing the second message component by the mobile device using the group session key.

10. The communication identity authentication method of the secret sharing based quantum secret communication identity authentication system according to claim 1, wherein before the communication identity authentication between the two mobile devices, each mobile device and the belonging service station complete login identity authentication to obtain a respective group session key, under the protection of the group session key, the mobile device applies for the session key between the mobile devices from the service station, and the session key between the mobile devices is used for encrypting the transmission message between the mobile devices after the communication identity authentication is completed.