CN108270562B - Anti-quantum key agreement method - Google Patents
- Publication number: CN108270562B (application CN201711379239.4A)
- Authority: CN (China)
- Prior art keywords: matrix, negotiation, vector, rounding, communication party
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (all under H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, network security protocols)
- H04L9/0852 Quantum cryptography (via H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use)
- H04L9/002 Countermeasures against attacks on cryptographic mechanisms
- H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (via H04L9/08 and H04L9/0816)
Abstract
The invention discloses an anti-quantum key agreement method. The communication party Alice selects a matrix S with n rows and l columns, calculates F and sends F to the communication party Bob; after receiving F, Bob selects a matrix S' with l rows and n columns and a matrix Y with n rows and l columns and calculates B'; Bob then selects a matrix D' with l rows and l columns, calculates C and sends B' and C to Alice. From the received B' and C, Alice calculates D and km = rec(D, C). The method has zero negotiation error probability, resists the existing quantum attacks and various other attack strategies, is efficient and easy to implement, is highly practical, and can be integrated into the TLS protocol.
Description
Technical Field
The invention belongs to the technical field of computer technology and information security and relates to a quantum-resistant key negotiation method comprising two basic negotiation methods and proposed parameters. The method is secure in the standard model, resists the existing quantum attacks, and has high operational efficiency and strong practicability.
Background
A key agreement method allows two or more communicating parties to agree on a key in an insecure environment, so as to ensure the confidentiality and integrity of the communication that follows; the best-known key exchange protocol is the Diffie-Hellman key exchange protocol. This protocol has a wide range of uses, the best known being the TLS protocol, the successor of the Secure Sockets Layer (SSL) protocol. TLS is short for Transport Layer Security, and it is currently the most widely used secure network communication protocol in the world. The TLS protocol comprises a handshake protocol and a record layer protocol; the key negotiation method of the invention is used in the handshake protocol to generate the pre-master key, from which the master key is then derived through a key derivation function.
With the progress of research on quantum computers, quantum algorithms (algorithms running on quantum computers) have received increasing attention. Unlike classical algorithms, quantum algorithms have stronger computing capability, and some problems that are very hard in classical computation theory (such as the large integer factorization problem and the discrete logarithm problem) become easy under quantum computation theory; the best-known quantum algorithms are Shor's quantum factoring algorithm and Grover's quantum search algorithm. Traditional cryptosystems based on number-theoretic problems (large integer factorization, discrete logarithm, etc.) can be broken in polynomial time by an adversary with quantum computing capability.
In key agreement, if the adversary stores the ciphertext transmitted in today's communications, it may recover the communication content with a quantum computer at some future date; a quantum-resistant key agreement method is therefore an urgent security requirement for the coming quantum information era.
Lattice-based cryptography is one of the cryptographic techniques currently recognized by the international academic community as resistant to the existing quantum attacks. As a special algebraic structure, lattices have many good cryptographic properties, and no efficient algorithm or polynomial-time quantum attack on the hard lattice problems has been found so far, so lattice-based cryptosystems are considered the best candidate for post-quantum cryptography.
Disclosure of Invention
The invention aims to realize a practical quantum-resistant exact key agreement method, based on the LWR (learning with rounding) problem or the ring-LWR problem in which the secret is a sparse vector or a binary vector.
In particular, the invention comprises the following three important aspects:
1) Anti-quantum key negotiation method based on the LWR problem
The security of this method is based on the hardness of the LWR problem with a sparse secret.
2) Anti-quantum key negotiation method based on the ring-LWR problem
The security of this method is based on the hardness of the ring-LWR problem with a sparse or binary secret.
3) Efficient and fast calculation of the rec function
The rec function is needed to obtain the final negotiated key, and in order to improve negotiation efficiency the invention provides an algorithm for computing the rec function efficiently.
4) Integration of the invention into the TLS protocol
FIG. 3 is the message flow diagram of the TLS protocol (Bos, J. W., Costello, C., Naehrig, M., and Stebila, D., Post-quantum key exchange for the TLS protocol from the ring learning with errors problem, in 2015 IEEE Symposium on Security and Privacy (2015), pp. 553-570), in which ServerKeyExchange, ClientKeyExchange and the two ComputeKeys operations are labeled in order to show at which point of the TLS handshake the present invention (FIGS. 1 and 2) takes place. The ComputeKeys operations in FIG. 3 comprise generating the premaster secret (corresponding to the km negotiated in FIGS. 1 and 2), a master secret derived from the premaster secret, and encryption keys derived from the master secret.
The technical scheme of the invention is as follows:
A quantum-resistant key negotiation method, characterized by comprising the following steps:
1) The communication party Alice selects a matrix S with n rows and l columns, calculates the message F, and sends the message F to the communication party Bob; the matrix A is an LWR public matrix shared by the two communication parties Alice and Bob, A has n rows and n columns, and its elements belong to Zq, where Zq is the set of integers in a given interval;
2) After receiving the message F, the communication party Bob selects a matrix S' with l rows and n columns and a matrix Y with n rows and l columns and calculates B' and W'; Bob then selects a matrix D' with n rows and l columns, calculates C and the secret key km', and sends B' and C to the communication party Alice; here the matrix W' has l rows and l columns, the matrix B' has l rows and n columns, and the elements of W' and B' belong to Zp, where Zp is the set of integers in a given interval;
3) The communication party Alice calculates D from the received B' and C, and the key km = rec(D, C); the matrix D has l rows and l columns and its elements belong to Zq. The output of the function rec(D, C) is a matrix with the same numbers of rows and columns as D and C; the element in its i-th row and j-th column is obtained from the elements at the corresponding positions of D and C, namely it is the negotiation rounding function value of a number that is required to be nearest to the element at the corresponding position of D and whose negotiation cross rounding function value equals the element at the corresponding position of C. The negotiation cross rounding function, the negotiation rounding function and the lower rounding (rounding-down) function are those defined in the detailed description; q > p and B < log2 q - 1.
Further, the communication party Alice selects the matrix S with n rows and l columns uniformly at random from a set of matrices each of whose columns belongs to a set of n-dimensional vectors, where each such vector has n - h zero components and h non-zero components, each non-zero component taken from {±1}; the communication party Bob selects a matrix with n rows and l columns uniformly at random from the same matrix set and transposes it to obtain the matrix S'; the matrix Y is selected uniformly at random from its own set.
Further, the function rec(D, C) is computed as follows. First a correspondence table between the negotiation rounding function and the negotiation cross rounding function is built: the numbers in Zq are divided into 2^B × 2 parts according to the value of the negotiation rounding function (w ∈ Zq), and again into 2^B × 2 parts according to the value of the negotiation cross rounding function (w ∈ Zq); these 2^B × 2 cross rounding values are put in one-to-one correspondence with the 2^B × 2 rounding values, so that each pair of equal rounding values corresponds to two different cross rounding values. After the table is built, for each element w of D the negotiation cross rounding function value of w is computed and its position in the table is determined; if it equals the element at the corresponding position of C, the rounding value listed for it in the table is output. Otherwise the entries near it are checked in turn until one whose cross rounding value equals the element at the corresponding position of C is found, and the negotiation rounding function value at that position of the table is returned, where i is taken from {1, 2, ...} and +i and -i denote the entries i positions after and i positions before the current one in the table.
Further, the communication party Alice generates the matrix A from a seed seed_A through the pseudo-random generator Gen and then sends seed_A to the communication party Bob; Bob generates the matrix A from seed_A through the pseudo-random generator Gen; the pseudo-random generator Gen is pre-negotiated between Alice and Bob.
A quantum-resistant key negotiation method, characterized by comprising the following steps:
1) The communication party Alice selects an n-dimensional vector s and calculates the message b, where a is the public ring element of ring-LWR and is an n-dimensional vector; Alice then sends the message b to the communication party Bob;
2) After receiving the message b, the communication party Bob selects an n-dimensional vector s' and a ring element y and calculates b'; Bob then selects a ring element d' and calculates c = <dbl(d')>_{2,q} and the key km' = [dbl(d')]_{2,q}; Bob sends b' and c to the communication party Alice; here y is an n-dimensional vector, d' is an n-dimensional vector, the components of the vector s' take the values 0 or ±1, and the components of the vector s take the values 0 or ±1;
3) The communication party Alice calculates d from the received b' and c, and the key km = rec(dbl(d), c); the output of the function rec(dbl(d), c) is a vector with the same dimension as dbl(d) and c, its elements being obtained from the elements at corresponding positions of the vectors dbl(d) and c: the i-th element is the negotiation rounding function value of a number that is required to be nearest to the element at the corresponding position of dbl(d) and whose negotiation cross rounding function value equals the element at the corresponding position of c. The negotiation cross rounding function, the negotiation rounding function, the rounding-down (lower rounding) function and the rounding-up function are those defined in the detailed description; q > p, and dbl() is the random doubling function.
Further, the communication party Alice selects the vector s uniformly at random from the set V_t, where V_t is either the set of n-dimensional vectors in which each vector has n - h zero components and h non-zero components, each non-zero component taken from {±1}, or the set {0,1}^n of n-dimensional vectors each of whose components belongs to {0,1}; Bob selects the vector s' uniformly at random from the set V_t, the ring element y uniformly at random from its set, and the ring element d' uniformly at random from its set.
Further, the parameters n, h, q, p and t, all positive integers, are required to satisfy a relation that depends on where s is sampled from: one relation when s is sampled from the sparse set whose vectors have h non-zero components, and another when s is sampled from the set {0,1}^n.
Further, the function rec(dbl(d), c) is computed as follows. First a correspondence table between the negotiation rounding function and the negotiation cross rounding function is built: the numbers in Z2q are divided into 2^B × 2 parts according to the value of the negotiation rounding function (w ∈ Z2q), and again into 2^B × 2 parts according to the value of the negotiation cross rounding function (w ∈ Z2q); these 2^B × 2 cross rounding values are put in one-to-one correspondence with the 2^B × 2 rounding values, so that each pair of equal rounding values corresponds to two different cross rounding values. After the table is built, for each element w of dbl(d) the negotiation cross rounding function value of w is computed and its position in the table is determined; if it equals the element at the corresponding position of c, the rounding value listed for it in the table is output. Otherwise the entries near it are checked in turn until one whose cross rounding value equals the element at the corresponding position of c is found, and the negotiation rounding function value at that position of the table is returned, where i is taken from {1, 2, ...} and +i and -i denote the entries i positions after and i positions before the current one in the table.
Further, the communication party Alice generates the public ring-LWR ring element a from a seed seed_A through the pseudo-random generator Gen and then sends seed_A to the communication party Bob; Bob generates the ring element a from seed_A through the pseudo-random generator Gen; the pseudo-random generator Gen is pre-negotiated between Alice and Bob.
Compared with the prior art, the invention has the following advantages:
1) the discrete Gaussian sampling process is avoided, which markedly improves computational efficiency;
2) the communication complexity is markedly lower than that of existing protocols of the same kind;
3) in the standard model the security of the method reduces to the (ring-)LWR assumption with a sparse or binary secret, with no exponential reduction loss;
4) the method resists the existing quantum attacks;
5) the method needs neither information stored in advance nor a large number of random numbers;
6) the linear computations, rounding functions, uniform sampling and other operations used in the method are easy to implement and efficient;
7) the keys finally negotiated by the two parties are exactly identical, i.e. the method is an exact key negotiation;
8) the session key negotiated by the two parties is proven to be pseudo-random.
Drawings
FIG. 1 shows the quantum-resistant key agreement method based on the LWR problem;
FIG. 2 shows the quantum-resistant key agreement method based on the ring-LWR problem;
FIG. 3 is the message flow diagram after the key agreement protocol is integrated into the TLS protocol.
Detailed Description
The invention is further illustrated by the following specific examples and the accompanying drawings.
One, notation and suggested parameters
2) The matrix A, drawn from the set of matrices with n rows and n columns whose elements belong to Zq, is a public parameter shared by the two communicating parties.
3) A set of n-dimensional vectors is used in which each vector has n - h zero components and h non-zero components, each non-zero component taken from {±1}; its n is the same n as in the matrix A of 2) above. From it a set of n × l matrices is formed, each column of which belongs to that vector set; here n is the same n as in the ring R of 6) below.
4) {0,1}^n denotes the set of n-dimensional vectors each of whose components belongs to {0,1}; {0,1}^n can also be regarded as the set of polynomials of degree less than n with coefficients in {0,1}.
5) If S is a set, U(S) denotes the uniform distribution over S, and writing x as a sample of U(S) means taking x uniformly at random from S. In particular, the samplings that occur in the protocol are from the matrix set of 3) and from the vector sets of 3) and 4) above, whose components are 0, 1 or -1. For convenience of presentation the invention requires the absolute value of the components in the vector (matrix) set to be at most t, where t expresses the range of the components; the vector set is written V_t and the matrix set M_t, and t is adjusted to the situation. Since the components here are 0, 1 or -1, t = 1: the matrix set of 3) is written M_t with t = 1, and the vector sets of 3) and {0,1}^n are written V_t with t = 1.
Note: the symbols concerning the ring below may collide with the symbols in 2) to 5). Since the ring is used only in the quantum-resistant key agreement method based on the ring-LWR problem, while the symbols of 2) to 5) are used only in the method based on the LWR problem, the colliding symbols never appear in the same method; they are therefore not distinguished, and the collision is only briefly noted here.
6) The ring R = Z[x]/(x^n + 1), where Z[x] denotes the set of integer-coefficient polynomials (called the polynomial ring in mathematics), x^n + 1 is a polynomial of degree n, and Z[x]/(x^n + 1) denotes the set of integer polynomials of degree less than n, written R. The invention requires n to be a power of 2; every element of R is an integer-coefficient polynomial of degree less than n, and a ring element can also be regarded as the n-dimensional integer vector of its polynomial coefficients. Note that Z[x]/(x^n + 1) is written as a single symbol by mathematical convention; its n is different from the n of 2) to 5), and its x from the x of 5).
7) The public ring of ring-LWR is R_q = R/qR, where R = Z[x]/(x^n + 1) and R/qR denotes the set of polynomials of degree less than n with coefficients in Zq, written R_q. An element of R_q is a polynomial of degree less than n with coefficients in Zq and can also be regarded as an n-dimensional vector whose entries belong to Zq. R/qR is written as a single symbol, a representation commonly used in mathematics. Similarly, R_p = R/pR, where R = Z[x]/(x^n + 1) and R/pR denotes the set of polynomials of degree less than n with coefficients in Zp, written R_p; an element of R_p is a polynomial of degree less than n with coefficients in Zp and can also be regarded as an n-dimensional vector whose entries belong to Zp. R/pR is likewise written as a single symbol by mathematical convention.
8) The ring element (polynomial, vector) a ∈ R_q is a public parameter shared by both parties of the protocol.
9) Notation for the sampling of D': the set sampled from consists of the elements of the matrix set whose lower rounding function value equals W'; the arrow denotes uniform random sampling, and the expression denotes sampling an element D' uniformly at random from this set. An element U of this set must satisfy two conditions: U belongs to the matrix set, and the lower rounding function value of U equals W'.
10) Notation for the sampling of d': the set sampled from consists of the elements of R_q whose lower rounding function value equals w'; the arrow denotes uniform random sampling, and the expression denotes sampling an element d' uniformly at random from this set. An element u of this set must satisfy two conditions: u belongs to the ring R_q, and the lower rounding function value of u equals w'.
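Arithmetic in the ring R_q = Z_q[x]/(x^n + 1) of items 6) and 7), with ring elements stored as the n-dimensional coefficient vectors described there, as an added Python example (illustrative code written for this page, not the patent's own implementation). The values n = 4 and q = 17 used in the demonstration are assumptions chosen for readability, not the patent's proposed parameters.

```python
# Added example, not the patent's code: ring arithmetic in R_q = Z_q[x]/(x^n + 1).
# A ring element is the list of its n polynomial coefficients, lowest degree first.


def check_ring_params(n, q):
    """The description requires n to be a power of 2; q is just a modulus >= 2."""
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of 2")
    if q < 2:
        raise ValueError("q must be at least 2")


def ring_add(a, b, n, q):
    """Coefficient-wise addition, every coefficient reduced modulo q."""
    check_ring_params(n, q)
    return [(x + y) % q for x, y in zip(a, b)]


def ring_mul(a, b, n, q):
    """Polynomial product reduced modulo x^n + 1 and then modulo q.
    Since x^n = -1 in this ring, a term of degree i + j >= n wraps around to
    degree i + j - n with its sign flipped (a negacyclic convolution)."""
    check_ring_params(n, q)
    out = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] += ai * bj
            else:
                out[k - n] -= ai * bj
    return [c % q for c in out]


def demo_product(n=4, q=17):
    """(1 + x) * x^3 in Z_17[x]/(x^4 + 1): x^3 + x^4 = x^3 - 1 -> [16, 0, 0, 1]."""
    return ring_mul([1, 1, 0, 0], [0, 0, 0, 1], n, q)


if __name__ == "__main__":
    print(demo_product())
```

The wrap-around with a sign flip is the only place this differs from ordinary polynomial multiplication, which is exactly the "polynomial modulo plus integer modulo" remark made for the ring-LWR protocol below; a production implementation would use a number-theoretic transform instead of the quadratic loop, but the reduction rule is the same.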
Two, function definition
Note: the domains of the two functions 4) and 5) differ slightly between the two method systems. In the quantum-resistant key agreement method based on the LWR problem, v in functions 4) and 5) belongs to Zq; in the method based on the ring-LWR problem, v belongs to Z2q, and the negotiation rounding function and negotiation cross rounding function are taken over Z2q accordingly. The value of the parameter B also differs between the two method systems.
6) rec function: on input w ∈ Zq and b ∈ {0,1}, rec(w, b) outputs the negotiation rounding function value of a number v, where v is required to be nearest to w and to have negotiation cross rounding function value b. For computing this function the invention gives a new, simple and efficient method. The preparation is to build a correspondence table, because the negotiation rounding function of the numbers in Zq takes 2^B different values while the negotiation cross rounding function takes only 2. First the numbers in Zq are divided into 2^B × 2 parts according to the value of the negotiation rounding function, w ∈ Zq (the 2^B different rounding values, each repeated once, give 2^B × 2 rounding values of which every two are identical). Then the numbers in Zq are divided into 2^B × 2 parts according to the value of the negotiation cross rounding function, w ∈ Zq (the cross rounding function takes only the two values 0 and 1; repeating each 2^B times gives 2^B × 2 cross rounding values). These 2^B × 2 cross rounding values are put in one-to-one correspondence with the 2^B × 2 rounding values, with the result that each pair of identical rounding values corresponds to two different cross rounding values.
After the correspondence table is built, the function is computed as follows: for w ∈ Zq, first compute the negotiation cross rounding function value of w; this also gives its position in the table. If it equals b, output the negotiation rounding function value that corresponds to this cross rounding value in the table. If it does not equal b, check in turn, from near to far and right before left, whether the cross rounding values near that position (the entries i positions after and i positions before it, for i = 1, 2, ...) equal b, stop at the first one that does, and return the negotiation rounding function value that corresponds to it in the table. Note that w and b in rec(w, b) are single numbers, whereas in the LWR-based method D and C in rec(D, C) are matrices of the same size: the computation is carried out on the pair of elements at each corresponding position of the two matrices, and the result is a matrix of the same size. In short, in the LWR-based key agreement method w and b are regarded as the elements at corresponding positions of D and C, and the matrices are operated on element by element.
Note: item 6) explains the rec function mainly for the quantum-resistant key agreement method based on the LWR problem. In the method based on the ring-LWR problem the definition differs slightly: the input is w ∈ Z2q and b ∈ {0,1}, and the correspondence table is again built first, because the negotiation rounding function of the numbers in Z2q takes 2^B different values while the negotiation cross rounding function takes only 2. First the numbers in Z2q are divided into 2^B × 2 parts according to the value of the negotiation rounding function, w ∈ Z2q (the 2^B different rounding values, each repeated once, give 2^B × 2 rounding values of which every two are identical). Then the numbers in Z2q are divided into 2^B × 2 parts according to the value of the negotiation cross rounding function, w ∈ Z2q (the cross rounding function takes only the two values 0 and 1; repeating each 2^B times gives 2^B × 2 cross rounding values). These 2^B × 2 cross rounding values are put in one-to-one correspondence with the 2^B × 2 rounding values, with the result that each pair of identical rounding values corresponds to two different cross rounding values.
After the correspondence table is built, the function is computed as follows: for w ∈ Z2q, first compute the negotiation cross rounding function value of w; this also gives its position in the table. If it equals b, output the negotiation rounding function value that corresponds to this cross rounding value in the table. If it does not equal b, check in turn, from near to far and right before left, whether the cross rounding values near that position (the entries i positions after and i positions before it, for i = 1, 2, ...) equal b, stop at the first one that does, and return the negotiation rounding function value that corresponds to it in the table. Note that w and b in rec(w, b) are single numbers, whereas in the ring-LWR-based method dbl(d) and c in rec(dbl(d), c) are vectors of the same dimension: the computation is carried out on the pair of elements at each corresponding position of the two vectors, and the result is a vector of the same dimension. In the ring-LWR-based key agreement method the invention regards w and b as the elements at corresponding positions of dbl(d) and c, and the vectors are operated on element by element. It should also be noted that the choice of the parameter B differs between the two method systems.
7) Random doubling function dbl: Zq → Z2q, x ↦ dbl(x) = 2x - e, where e is sampled from {-1, 0, 1} with probabilities p_{-1} = p_1 = 1/4 and p_0 = 1/2.
It should be noted that when the argument of a function is a matrix (vector), applying the function to the matrix (vector) means applying it to each component of the matrix (vector).
Four, protocol process
1. The quantum key negotiation resisting method based on the LWR problem can refer to FIG. 1 in the attached drawings of the specification.
1) On each run, Alice first selects uniformly at random from the set M_t a matrix with n rows and l columns and computes F, where A is a common parameter negotiated by the two communication parties in advance (the negotiation mode is detailed under "Optimizing implementation" below). Alice then sends F to Bob.
2) After receiving F, Bob selects uniformly at random from the set M_t a matrix with l rows and n columns, selects uniformly at random from a second set a matrix with n rows and l columns, and computes B'. Bob then selects uniformly at random from a further set a matrix with l rows and l columns and computes C and km'. Finally, Bob sends B' and C to Alice.
A successful run of the method means that the km computed by Alice and the km' computed by Bob are identical. Note that the multiplications and additions in the method are ordinary matrix multiplication and addition, except that the result is reduced by a modulo operation.
2. The anti-quantum key agreement method based on the ring-LWR problem is illustrated in FIG. 2 of the accompanying drawings.
1) On each run, Alice first selects uniformly at random from the set V_t an n-dimensional 0-1 vector and computes b, where a is a common parameter negotiated by the two communication parties in advance (the negotiation mode is detailed under "Optimizing implementation" below). Alice then sends b to Bob.
2) After receiving b, Bob selects uniformly at random from the set V_t an n-dimensional 0-1 vector, selects uniformly at random from a second set a ring element (an n-dimensional vector), and computes b'. Bob then selects uniformly at random from a further set a ring element d' (an n-dimensional vector) and calculates c = ⟨dbl(d')⟩_{2,q} and km' = ⌊dbl(d')⌉_{2,q}. Finally, b' and c are sent to Alice.
A successful run of the method means that the km computed by Alice and the km' computed by Bob are identical. Note that the multiplications and additions of ring elements above are ordinary polynomial multiplication and addition, except that the result is reduced modulo a polynomial and the polynomial coefficients are reduced modulo an integer.
3. Parameter selection
1) Anti-quantum key agreement method based on the LWR problem
The parameters h, q, p, t, B and the other parameters of the method are positive integers, where q > p and B < log_2 q − 1. To ensure the correctness of the protocol, the invention requires the parameters to satisfy a correctness condition.
2) Anti-quantum key agreement method based on the ring-LWR problem
The parameters n, h, q, p and t are positive integers. To ensure correctness, the method requires the parameters to satisfy one condition when the secret s is sampled from the set of vectors having exactly h non-zero components, and a different condition when the secret is sampled from the set {0,1}^n, in which case the number of non-zero components of the vector is unrestricted.
4. Optimizing implementation
In both negotiation methods above, on each run Alice may generate the LWR or ring-LWR common parameter (the matrix A or the ring element a ∈ R_q) from a short random seed seed_A via a pseudo-random generator Gen, and then send seed_A to Bob; since Gen is an algorithm agreed by the two parties in advance, Bob can regenerate the same common parameter as Alice from Gen and seed_A. Here seed_A is a random bit string, and Gen is a pseudo-random generator, i.e. an algorithm that expands a short random bit string into a long bit string that is hard to distinguish from a uniformly random bit string of the same length; for example, a pseudo-random generator can be constructed from the AES algorithm in ECB mode. The specific generator can be chosen according to the application and is therefore not part of the method of the invention.
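As an added example of the seed-expansion step just described (not the patent's code), the function below derives an n × n matrix over Z_q from seed_A so that Alice and Bob, holding the same seed, obtain the same A. The patent leaves Gen to the application and names AES in ECB mode as one option; this example substitutes SHAKE-128 from Python's standard library, which is an assumption of the example rather than the patent's choice. Entries are drawn by rejection sampling so that reducing the output stream modulo q does not skew the distribution of A, a check worth making whenever q is not a power of two. The function name, the 16-bit word size and the sample seed are constructed for the illustration.

```python
"""Gen(seed_A) -> public matrix A over Z_q, reproducible by both parties.

Added illustration, not the patent's code.  ASSUMPTION: SHAKE-128 stands in
for the AES-ECB generator the patent mentions as one option."""
import hashlib
from typing import List


def gen_matrix(seed: bytes, n: int, q: int) -> List[List[int]]:
    """Expand seed_A into an n x n matrix with entries uniform on Z_q."""
    if not 2 <= q <= 1 << 16:
        raise ValueError("q must fit in 16 bits for this sampler")
    # Accept a 16-bit word w only when w < bound, where bound is the largest
    # multiple of q not exceeding 2^16; then w % q is exactly uniform on Z_q.
    bound = (1 << 16) - ((1 << 16) % q)
    need = n * n
    entries: List[int] = []
    block = 0
    while len(entries) < need:
        # hashlib's SHAKE needs the output length up front, so the stream is
        # produced in blocks keyed by seed || block index (domain separated).
        xof = hashlib.shake_128(seed + block.to_bytes(4, "little"))
        buf = xof.digest(2 * (need - len(entries)) + 64)
        for i in range(0, len(buf), 2):
            w = int.from_bytes(buf[i:i + 2], "little")
            if w < bound:
                entries.append(w % q)
                if len(entries) == need:
                    break
        block += 1
    return [entries[r * n:(r + 1) * n] for r in range(n)]


if __name__ == "__main__":
    seed_a = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample seed
    alice_A = gen_matrix(seed_a, 4, 1024)     # Alice expands her seed ...
    bob_A = gen_matrix(seed_a, 4, 1024)       # ... and Bob expands the seed he received
    print(alice_A)
    print("same A on both sides:", alice_A == bob_A)
```

Because only seed_A crosses the channel, the cost of transmitting A is replaced by the cost of regenerating it; the block index in the SHAKE input lets the stream be extended without re-hashing what was already consumed.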
Five: Integration into the TLS protocol
In the two methods above, step (1) corresponds to the ServerKeyExchange step in the TLS message flow diagram (FIG. 3), with message {b}; step (2) corresponds to the ClientKeyExchange step (message {b', c}) and to part of the client's compute-keys step; and step (3) corresponds to part of the server's compute-keys step. In actual operation, the messages of the ServerKeyExchange and ClientKeyExchange steps are transmitted in plaintext, while the messages transmitted by the client's and server's compute-keys steps are ciphertext. The km obtained in the client's and server's compute-keys steps is used as the pre-master key of the TLS session; the compute-keys step also generates the master key and the encryption key through a key derivation function, and messages are then encrypted with the encryption key for transmission.
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.
Claims (10)
1. A quantum key negotiation resisting method is characterized by comprising the following steps:
1) the communication party Alice selects a matrix S with n rows and l columns, calculates the message F, and sends the message F to the communication party Bob; the matrix A is an LWR public matrix shared by the two communication parties Alice and Bob, A has n rows and n columns, and its elements belong to Z_q, where Z_q is the set of integers in a given interval; F belongs to the set of matrices with n rows and l columns whose elements are taken from Z_p, where Z_p is the set of integers in a given interval; n, l, q, p are positive integers;
2) after receiving the message F, the communication party Bob selects a matrix S' with l rows and n columns and a matrix Y with n rows and l columns, and calculates B' and W'; then Bob selects a matrix D' with n rows and l columns, calculates C and the secret key km', and sends B' and C to the communication party Alice; where W' is a matrix with l rows and l columns, B' is a matrix with l rows and n columns, and the elements of W' and B' both belong to Z_p;
3) the communication party Alice calculates D from the received B' and C, and the key km = rec(D, C); the matrix D has l rows and l columns and its elements belong to Z_q; the output of the function rec(D, C) is a matrix with the same numbers of rows and columns as D and C, each of whose elements is obtained from the elements at the same position in D and C, namely the negotiation rounding function value of the number nearest to the element at that position in D whose negotiation cross-rounding function value equals the element at that position in C; the negotiation cross-rounding function and the negotiation rounding function are defined using the rounding function and the rounding-down (floor) function; q > p, B < log_2 q − 1.
2. The method of claim 1, wherein the communication party Alice selects the matrix S with n rows and l columns uniformly at random from a set of matrices each of whose columns belongs to a set of n-dimensional vectors in which each vector has n − h zero components and h non-zero components, each non-zero component taken from {±1}; the communication party Bob selects uniformly at random from the same set of matrices a matrix with n rows and l columns and transposes it to obtain the matrix S'; Bob selects the matrix Y uniformly at random from a set whose elements belong to a given matrix set and satisfy a given condition; h is a positive integer.
4. A method according to claim 1, 2 or 3, wherein the function rec(D, C) is solved as follows: a correspondence table between the negotiation rounding function and the negotiation cross-rounding function is established, i.e. the numbers in Z_q are divided into 2^B × 2 parts according to their negotiation rounding function values (w ∈ Z_q), and again into 2^B × 2 parts according to their negotiation cross-rounding function values (w ∈ Z_q); these 2^B × 2 negotiation cross-rounding function values are put in one-to-one correspondence with the 2^B × 2 negotiation rounding function values, so that each pair of equal negotiation rounding function values corresponds to two different negotiation cross-rounding function values; after the table is established, for each w in D, the negotiation cross-rounding function value of w is first computed and its position in the table determined; if it equals the element at the corresponding position in C, the corresponding negotiation rounding function value in the table is output; otherwise the neighbouring entries are examined in turn to see whether they equal the element at the corresponding position in C, until one does, and the corresponding negotiation rounding function value in the table is returned; here i is taken from {1, 2, …}, and +i and −i denote the entries i positions after and i positions before the current position in the table, respectively.
5. The method of claim 1, 2 or 3, wherein the communication party Alice generates the matrix A from a seed seed_A by means of the pseudo-random generator Gen and then sends seed_A to the communication party Bob; Bob generates the matrix A from seed_A by means of the pseudo-random generator Gen; the pseudo-random generator Gen is pre-negotiated between the communication party Alice and the communication party Bob.
6. A quantum key negotiation resisting method is characterized by comprising the following steps:
1) the communication party Alice selects an n-dimensional vector s and calculates the message b, where a is a ring-LWR common ring element and an n-dimensional vector, and then sends the message b to the communication party Bob; n, q and p are positive integers;
2) after receiving the message b, the communication party Bob selects an n-dimensional vector s' and a ring element y and calculates b'; then Bob selects a ring element d' and calculates c = ⟨dbl(d')⟩_{2,q} and the key km' = ⌊dbl(d')⌉_{2,q}; Bob sends b' and c to the communication party Alice; where y is an n-dimensional vector, d' is an n-dimensional vector, each component of the vector s' is 0 or 1, and each component of the vector s is 0 or 1;
3) the communication party Alice calculates d from the received b' and c, and the key km = rec(dbl(d), c); the output of the function rec(dbl(d), c) is a vector of the same dimension as dbl(d) and c whose elements are obtained from the elements at the same position in dbl(d) and c, the i-th element being the negotiation rounding function value of the number nearest to the i-th element of dbl(d) whose negotiation cross-rounding function value equals the i-th element of c; the negotiation cross-rounding function and the negotiation rounding function are defined using the rounding function, the rounding-up (ceiling) function and the rounding-down (floor) function; B < log_2 q − 1; dbl() is the random doubling function.
7. The method of claim 6, wherein the communication party Alice selects the vector s uniformly at random from the set V_t; V_t is either a set of n-dimensional vectors in which each vector has n − h zero components and h non-zero components, each non-zero component taken from {±1}, or the set {0,1}^n of n-dimensional vectors each of whose components belongs to {0,1}; Bob selects the vector s' uniformly at random from the set V_t, selects the ring element y uniformly at random from a given set, and selects the ring element d' uniformly at random from a given set; h is a positive integer, and R_q is the set of ring elements each of whose components is taken from Z_q.
8. The method of claim 7, wherein when the vector s is sampled from the set whose vectors have exactly h non-zero components, the parameters are required to satisfy one condition, and when the vector s is sampled from the set {0,1}^n, the parameters are required to satisfy another condition; t is a positive integer.
9. The method of claim 6, wherein the function rec(dbl(d), c) is solved as follows: first, a correspondence table between the negotiation rounding function and the negotiation cross-rounding function is established, i.e. the numbers in Z_{2q} are divided into 2^B × 2 parts according to their negotiation rounding function values (w ∈ Z_{2q}), and again into 2^B × 2 parts according to their negotiation cross-rounding function values (w ∈ Z_{2q}); these 2^B × 2 negotiation cross-rounding function values are put in one-to-one correspondence with the 2^B × 2 negotiation rounding function values, so that each pair of equal negotiation rounding function values corresponds to two different negotiation cross-rounding function values; after the table is established, for each w in dbl(d), the negotiation cross-rounding function value of w is first computed and its position in the table determined; if it equals the element at the corresponding position in c, the corresponding negotiation rounding function value in the table is output; otherwise the neighbouring entries are examined in turn to see whether they equal the element at the corresponding position in c, until one does, and the negotiation rounding function value at that position in the table is returned; here i is taken from {1, 2, …}, +i and −i denote the entries i positions after and i positions before the current position in the table, respectively, and Z_{2q} is the set of integers in the interval [−q, q).
10. The method of any of claims 6 to 9, wherein the communication party Alice generates the ring-LWR common ring element a from a seed seed_A by means of the pseudo-random generator Gen and then sends seed_A to the communication party Bob; the communication party Bob generates the ring-LWR common ring element a from the pseudo-random generator Gen and seed_A; the pseudo-random generator Gen is pre-negotiated between the communication party Alice and the communication party Bob.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2017111630592 | 2017-11-21 | ||
CN201711163059 | 2017-11-21 |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108270562A CN108270562A (en) | 2018-07-10 |
CN108270562B true CN108270562B (en) | 2020-05-01 |
Family
ID=62772306
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711379239.4A Active CN108270562B (en) | 2017-11-21 | 2017-12-20 | Anti-quantum key agreement method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108270562B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106060070A (en) * | 2016-07-01 | 2016-10-26 | 中国人民解放军国防科学技术大学 | TLS handshake protocol for identity-based cryptosystem |
CN106341232A (en) * | 2016-09-18 | 2017-01-18 | 中国科学院软件研究所 | Anonymous entity identification method based on password |
CN106534077A (en) * | 2016-10-18 | 2017-03-22 | 华南理工大学 | Authenticable agent re-encryption system and method based on symmetric cryptography |
CN106992856A (en) * | 2017-03-29 | 2017-07-28 | 山西大学 | The data coordinating method of extensive continuous variable quantum key distribution based on GPU |
CN107359987A (en) * | 2017-07-07 | 2017-11-17 | 上海交通大学 | Continuous variable quantum key distribution multidimensional machinery of consultation under finite dimensional effect |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140098955A1 (en) * | 2009-12-15 | 2014-04-10 | Los Alamos National Security, Llc | Quantum enabled security for optical communications |
JP6165637B2 (en) * | 2014-01-08 | 2017-07-19 | 株式会社東芝 | Quantum communication device, quantum communication method and program |
- 2017-12-20: CN CN201711379239.4A patent/CN108270562B/en (active)
Non-Patent Citations (2)
Title |
---|
Post-quantum key exchange for the TLS protocol from the ring learning with errors problem; Joppe W. Bos; IEEE; 2015-12-31; full text * |
Application of LDPC codes in the multidimensional reconciliation algorithm for quantum key distribution; Lin Yi; 《量子光学学报》 (Journal of Quantum Optics); 2013-03-15 (No. 2); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN108270562A (en) | 2018-07-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||