CN108270562B - Anti-quantum key agreement method - Google Patents

Anti-quantum key agreement method Download PDF

Info

Publication number
CN108270562B
CN108270562B CN201711379239.4A CN201711379239A CN108270562B CN 108270562 B CN108270562 B CN 108270562B CN 201711379239 A CN201711379239 A CN 201711379239A CN 108270562 B CN108270562 B CN 108270562B
Authority
CN
China
Prior art keywords
matrix
negotiation
vector
rounding
communication party
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711379239.4A
Other languages
Chinese (zh)
Other versions
CN108270562A (en
Inventor
张振峰
陈隆
王克
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Software of CAS
Original Assignee
Institute of Software of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Software of CAS filed Critical Institute of Software of CAS
Publication of CN108270562A publication Critical patent/CN108270562A/en
Application granted granted Critical
Publication of CN108270562B publication Critical patent/CN108270562B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an anti-quantum key agreement method. The communication party Alice selects a matrix S with n rows and l columns and calculates
Figure DDA0001515288040000011
And sends F to the correspondent Bob; after receiving F, Bob selects a matrix S' with l rows and n columns and a matrix Y with n rows and l columns, and calculates
Figure DDA0001515288040000012
Then Bob selects a matrix D' of l rows and l columns to calculate C ═ C
Figure DDA0001515288040000013
Bob then sends B' and C to Alice, the correspondent. Alice calculates and obtains the result according to the received B' and C
Figure DDA0001515288040000014
And km ═ rec (D, C). The invention has zero negotiation error probability, can resist the existing quantum attack and other various attack strategies, has high operation efficiency and easy implementation, has strong practicability and can be integrated into the TLS protocol.

Description

Anti-quantum key agreement method
Technical Field
The invention belongs to the technical field of computer technology and information security, and relates to a quantum-resistant key negotiation method, which comprises two basic negotiation methods and proposal parameters. The method is safe under a standard model, can resist the existing quantum attack, and has high operation efficiency and strong practicability.
Background
The key agreement method is to allow two or more communication parties to agree out a key in some way in an insecure environment to ensure confidentiality and data integrity of the following communication contents, and the well-known key exchange protocol is Diffie-Hellman key exchange protocol. This protocol has a wide range of uses, the best known being the TLS protocol as a secure socket. The TLS protocol is a short name for a Transport Layer Security (Transport Layer Security) protocol, and is the most widely used network Security communication protocol in the world at present. The TLS protocol comprises a handshake protocol and a record layer protocol, and the key negotiation method of the invention is used in the handshake protocol to generate a pre-master key, and then generates a master key through a key derivation function.
As quantum computers have been studied, quantum algorithms (algorithms running on quantum computers) have been increasingly recognized. Different from the classical algorithm, the quantum algorithm has stronger computing capability, and some problems (such as a large integer decomposition problem and a discrete logarithm problem) which are very difficult under the classical computing theory become simple before the quantum computing theory, and the more famous quantum algorithms include a Shor quantum decomposition algorithm and a Gorver quantum search algorithm. Traditional cryptographic systems based on number theory problems (large integer decomposition problems, discrete logarithm problems, etc.) can be broken down in polynomial time by adversaries possessing quantum computing capabilities.
In key agreement, if the enemy stores the ciphertext data transmitted by today communication, the enemy can possibly restore the communication content through a quantum computer at a future day, so that the quantum key agreement resisting method is an urgent safety requirement facing the future quantum information era.
The lattice code is one of the cryptographic techniques recognized by the international academia at present and capable of resisting the existing quantum attack. As a special algebraic structure, lattices have many good cryptographic properties, and the lattice difficulty problem has so far been no effective algorithm and polynomial-time quantum attack, so that lattice-based cryptosystems are considered as the best candidate for quantum cryptography.
Disclosure of Invention
The invention aims to realize a practical quantum-resistant accurate key agreement method, and the invention is based on the LWR (round-robin learning) problem or ring-LWR (round-robin learning) problem that the secret message is a sparse vector or a binary vector.
In particular, the invention comprises the following three important aspects:
anti-quantum key negotiation method based on LWR problem
The security of the present invention is based on the LWR difficulty problem of secret messages being sparse vectors.
Anti-quantum key negotiation method based on ring-LWR problem
The security of the present invention is based on the ring-LWR difficulty problem where the secret message is a sparse vector or a binary vector.
Efficient and rapid calculation of three-rec function
In the method, the rec function is required to be used for obtaining the final negotiation key, and in order to improve the negotiation efficiency, the invention provides an algorithm for efficiently calculating the rec function.
Fourthly, the invention is integrated into the TLS protocol
FIG. 3 is a message flow diagram of the TLS protocol (BOS, J.W., COSTELLO, C., NAEHRIG, M., AND STEBILA, D.Post-quaternary key exchange for the TLS protocol from the layers protocol. in 2015IEEE Symposium on Security AND Privacy (2015), pp.553-570.) in which ServerKeyexchange, ClientKeyexchange AND two complekeyesoperation are labeled for the purpose of illustrating which link in the TLS handshake the present invention (FIGS. 1 AND 2) occurs. Computekeys operations in fig. 3 include generating a premaster secret, corresponding to (km negotiated in fig. 1 and 2), a master secret derived from the premaster secret and an encryption secret derived from the master secret.
The technical scheme of the invention is as follows:
a quantum key negotiation resisting method is characterized by comprising the following steps:
1) the communication party Alice selects a matrix S with n rows and l columns and calculates the message
Figure BDA0001515288020000021
Then sending the message F to the communication party Bob; the matrix A is an LWR public matrix shared by Alice and Bob of two communication parties, the matrix A is a matrix with n rows and n columns, and elements in the matrix A belong to Zq,ZqIs a section
Figure BDA0001515288020000022
A set of integers of (d);
2) after receiving the message F, the communication party Bob selects a matrix S' with l rows and n columns and a matrix Y with n rows and l columns, and calculates
Figure BDA0001515288020000027
Then the communication party Bob selects a matrix D' of n rows and l columns for calculation
Figure BDA0001515288020000023
And a secret key
Figure BDA0001515288020000024
Then the communication party Bob sends B' and C to the communication party Alice; wherein, the matrix W 'is a matrix with one row and one column, the matrix B' is a matrix with one row and n columns, and the elements of the matrix W 'and the matrix B' both belong to Zp,ZpIs a section
Figure BDA0001515288020000025
A set of integers of (d);
3) the communication party Alice calculates according to the received B' and C
Figure BDA0001515288020000026
And the key km rec (D, C), the matrix D being a matrix of one row and one column, the elements in the matrix D belonging to Zq(ii) a Wherein, the output of the function rec (D, C) is a matrix with rows and columns the same as those of D and C, the ith row and jth column elements in the matrix are obtained by the elements at the corresponding positions of the matrix D and C, namely, the ith row and jth column element value in the matrix is a numberThe negotiated cross rounding function value of (a) is required to be nearest to the element of the corresponding position in matrix D and equal to the element of the corresponding position in matrix C;
Figure BDA0001515288020000031
for negotiating cross-rounding functions, i.e.
Figure BDA0001515288020000032
Figure BDA0001515288020000033
Figure BDA0001515288020000034
For negotiating rounding functions, i.e.
Figure BDA0001515288020000035
Figure BDA0001515288020000036
Figure BDA0001515288020000037
In order to lower the rounding function,
Figure BDA0001515288020000038
for the rounding-down function, q>p,
Figure BDA0001515288020000039
B<log2q-1。
Further, the correspondent Alice randomly and uniformly assembles from the matrix
Figure BDA00015152880200000310
Selecting a matrix S with n rows and l columns; wherein the content of the first and second substances,
Figure BDA00015152880200000311
each column of each matrix in the set belongs to
Figure BDA00015152880200000312
Figure BDA00015152880200000313
A set of n-dimensional vectors is represented,
Figure BDA00015152880200000314
each vector has n-h 0 components and h non-0 components, each non-0 component is taken from { + -1 }; the correspondent Bob randomly and uniformly assembles from the slave matrix
Figure BDA00015152880200000315
In which a matrix of n rows and l columns is selected
Figure BDA00015152880200000316
For matrix
Figure BDA00015152880200000317
Transposing to obtain the matrix S'; from the collection
Figure BDA00015152880200000318
And randomly and uniformly selecting the matrix Y.
Further, in the above-mentioned case,
Figure BDA00015152880200000319
h,q,p,t,B,
Figure BDA00015152880200000320
are all positive integers.
Further, the method for solving the function rec (D, C) is as follows: establishing a corresponding table of the negotiation rounding function and the negotiation cross rounding function, i.e. converting ZqNumber in (1) rounds the function value according to negotiation
Figure BDA00015152880200000321
Is divided into 2BX 2 parts, where w.epsilon.ZqThen, Z is further introducedqNumber in cross rounding function values by negotiation
Figure BDA00015152880200000322
Is divided into 2BX 2 parts, where w.epsilon.ZqWill 2 thisBX 2 co-quotient cross-rounding function values are respectively associated with the 2 mentioned aboveBThe x 2 negotiation rounding function values are in one-to-one correspondence, wherein each pair of same negotiation rounding function values respectively correspond to two different negotiation cross rounding function values; after the corresponding table is established, for w epsilon D, firstly, the negotiation cross rounding function value of w is solved
Figure BDA00015152880200000323
And determining the position of the value in the correspondence table, if
Figure BDA00015152880200000324
Equal to the element of the corresponding position in C, and outputting the corresponding negotiation rounding function value in the corresponding table; if it is not
Figure BDA00015152880200000325
Elements not equal to the corresponding positions in C are sequentially judged
Figure BDA00015152880200000326
Whether the nearby numbers are equal to the elements of the corresponding position in C until appearance
Figure BDA00015152880200000327
Equal to the element in the corresponding position in C, the corresponding negotiated rounding function value in the corresponding table is returned, where i is taken from {1, 2, … }, + i and-i represent the value in the last i-th and first i-th bits, respectively, of the corresponding table.
Further, the correspondent Alice uses a seed through the pseudo random generator GenAGenerating said matrix A and then seed the seedASending the data to a communication party Bob; bob seed through the pseudo-random generator GenAGenerating the matrix A; the pseudo-random generator Gen is pre-negotiated between the communication party Alice and the communication party Bob.
A quantum key negotiation resisting method is characterized by comprising the following steps:
1) the communication party Alice selects an n-dimensional vector s and calculates the message
Figure BDA00015152880200000328
Wherein a is a ring-LWR common ring element, a is an n-dimensional vector, and then a message b is sent to a communication party Bob;
2) after receiving the message b, the communication party Bob selects an n-dimensional vector s' and a ring element y, and calculates
Figure BDA0001515288020000041
Figure BDA0001515288020000042
Then the communication party Bob selects a ring element d', and calculates c ═<dbl(d′)>2,qAnd key km ' ═ dbl (d ') ']2,q(ii) a The communication party Bob sends b' and c to the communication party Alice; wherein y is an n-dimensional vector, d 'is an n-dimensional vector, the value of the component in the vector s' is 0 or +/-1, and the value of the component in the vector s is 0 or +/-1;
3) the communication party Alice calculates according to the received b' and c
Figure BDA0001515288020000043
And the key km ═ rec (dbl (d), c); wherein the output of the function rec (dbl (d), c) is a vector having the same dimension as dbl (d) and c, the elements in the vector are obtained from the elements at the corresponding positions in the vectors dbl (d) and c, the i-th element in the vector is a number of negotiated rounding function values, the number is required to be nearest to the element at the corresponding position in the vector dbl (d), and the negotiated cross rounding function value of the number is equal to the element at the corresponding position in the vector c;
Figure BDA0001515288020000044
for negotiating cross-rounding functions, i.e.
Figure BDA0001515288020000045
Figure BDA0001515288020000046
Figure BDA0001515288020000047
For negotiating rounding functions, i.e.
Figure BDA0001515288020000048
Figure BDA0001515288020000049
q>p,
Figure BDA00015152880200000410
Figure BDA00015152880200000411
In order to round down the function of the round-down,
Figure BDA00015152880200000412
in order to be a function of the upper rounding,
Figure BDA00015152880200000413
in order to lower the rounding function,
Figure BDA00015152880200000414
dbl () is a random doubling function for the rounding down function.
Further, the correspondent Alice randomly and uniformly gathers V from the matrixtSelecting the vector s; wherein, VtIs composed of
Figure BDA00015152880200000415
Or {0,1}n
Figure BDA00015152880200000416
A set of n-dimensional vectors is represented,
Figure BDA00015152880200000417
each vector has n-h 0 components and h non-0 components, each non-0 component is taken from { + -1 }; {0,1}nRepresents a set of n-dimensional vectors, each element in the set being an n-dimensional vector, each component of the vector belonging to {0,1 }; bob random uniform slave set VtTo select a vector s' from the set
Figure BDA00015152880200000418
Wherein the ring elements y are randomly and uniformly selected, and randomly and uniformly selected from the set
Figure BDA00015152880200000419
One ring element d' is selected.
Further, when the slave sets
Figure BDA00015152880200000420
Intermediate sampling to obtain vector s, sampling set
Figure BDA00015152880200000421
When the number of the non-zero elements of the vector in (1) is h, the required parameter is satisfied
Figure BDA00015152880200000422
When from the set {0,1}nWhen the vector s is obtained by middle sampling, the parameters satisfy
Figure BDA00015152880200000423
n, h, q, p and t are positive integers.
Further, the method for solving the function rec (dbl (d), c) is as follows: firstly, establishing a corresponding table of a negotiation rounding function and a negotiation cross rounding function, and converting Z into a corresponding table2qNumber in (1) rounds the function value according to negotiation
Figure BDA00015152880200000424
Is divided into 2BX 2 parts, where w.epsilon.Z2qThen, Z is further introduced2qNumber in cross rounding function values by negotiation
Figure BDA00015152880200000425
Is divided into 2BX 2 parts, where w.epsilon.Z2qWill 2 thisBX 2 co-quotient cross-rounding function values are respectively associated with the 2 mentioned aboveBThe x 2 negotiation rounding function values are in one-to-one correspondence, wherein each pair of same negotiation rounding function values respectively correspond to two different negotiation cross rounding function values; after the corresponding table is established, for w ∈ dbl (d), the negotiation cross rounding function value of w is firstly obtained
Figure BDA0001515288020000051
And determines the position of the value in the correspondence table, if
Figure BDA0001515288020000052
C, the element which is equal to the corresponding position in the c outputs the corresponding negotiation rounding function value in the corresponding table; if it is not
Figure BDA0001515288020000053
Elements not equal to the corresponding positions in c are sequentially judged
Figure BDA0001515288020000054
Whether the nearby numbers are equal to the elements of the corresponding positions in c until they appear
Figure BDA0001515288020000055
Equal to the element at the corresponding position in c, then the negotiated rounding function value for the corresponding position in the corresponding table is returned, where i is taken from {1, 2, … }, + i and-i represent the value at the last i-th and first i-th bits, respectively, in the corresponding table.
Further, the correspondent Alice uses a seed through the pseudo random generator GenAGenerating the ring-LWR common ring element a, and then seed the seedASending the data to a communication party Bob; the correspondent Bob passes the pseudo-random generator Gen and the seedAGenerating the ring-LWR common ring element a; the pseudo-random generator Gen is pre-negotiated between the communication party Alice and the communication party Bob.
Compared with the prior art, the invention has the advantages that:
1) the discrete Gaussian sampling process is avoided, and the operation efficiency is obviously improved;
2) the communication complexity is obviously reduced compared with the prior similar protocol;
3) the safety of the method can be reduced to the (ring-) LWR assumption that the secret message is a sparse vector or a binary vector under a standard model, and exponential reduction loss does not exist;
4) the method can resist the existing quantum attack;
5) the method does not need to store information in advance and a large number of random numbers;
6) the linear calculation, rounding function, uniform sampling and other operations used in the method are easy to realize and high in efficiency.
7) In the method, the keys finally negotiated by the two parties are completely the same, and the method is accurate key negotiation;
8) the session key that participates in the two-party negotiation is proven to be pseudo-random.
Drawings
FIG. 1 is a quantum key agreement method resistant to LWR problems;
FIG. 2 is a quantum key agreement resistant method based on the ring-LWR problem;
fig. 3 is a message flow diagram after the key agreement protocol is integrated into the TLS protocol.
Detailed Description
The invention is further illustrated by the following specific examples and the accompanying drawings.
One, symbolic description and suggested parameter
1)ZqAnd ZpAre respectively expressed as intervals
Figure BDA0001515288020000061
And
Figure BDA0001515288020000062
is selected.
2) Matrix array
Figure BDA0001515288020000063
Is a common parameter shared by two communicating parties, wherein
Figure BDA0001515288020000064
Representing a matrix set, wherein the matrixes in the matrix set are all matrixes with n rows and n columns, and the elements of the matrixes belong to Zq
3)
Figure BDA0001515288020000065
Represents a set of n-dimensional vectors, where each vector has n-h 0 components and h non-0 components, these non-0 components being taken from { ± 1}, where n is identical to n in the matrix a in 2) above.
Figure BDA0001515288020000066
Represents a set of n x l matrices, wherein each column of the matrix belongs to
Figure BDA0001515288020000067
Here n is identical to n in ring R in 6) below.
4){0,1}nRepresents a set of n-dimensional vectors, each element of the set being an n-dimensional vector, each component of the vector belonging to {0,1}, {0,1}nIt can also be considered as a set of polynomials of degree less than n, the coefficients of each polynomial in the set belonging to {0,1 }.
5) If S is a set, then U (S) represents a uniform distribution over S, taking as x a random uniform sample in set S
Figure BDA0001515288020000068
Or
Figure BDA0001515288020000069
In particular, occurring in the protocol
Figure BDA00015152880200000610
And
Figure BDA00015152880200000611
respectively representing the sets of matrices defined from 3) and 4) above
Figure BDA00015152880200000612
Vector collection
Figure BDA00015152880200000613
And vector set {0,1}nWhere the components of the vectors and matrices in the set are 0,1 or-1. For convenience of presentation, the present inventionRequiring the absolute value of the component in the vector (matrix) set to be less than t, wherein t represents the value range of the component, and the vector set is marked as VtAnd the set of matrices is denoted MtThe parameter t is adjusted according to different situations, because
Figure BDA00015152880200000614
And
Figure BDA00015152880200000615
the medium component is 0,1 or-1, so t takes 1. In this way, the matrix set
Figure BDA00015152880200000616
Can use MtIs represented by the formula, where t is 1, set of vectors
Figure BDA00015152880200000617
And {0,1}nCan use VtWherein t is 1.
Description of the drawings: the symbols described below regarding the ring may collide with the symbols in 2) -5), since the ring is used in the quantum key agreement resistant method based on the ring-LWR problem, and the symbols in 2) -5) are used in the quantum key agreement resistant method based on the LWR problem, the colliding symbols are respectively used in two different methodologies, and the symbols do not collide in the same methodology, so that they are not distinguished, and only the collision is described slightly.
6) Ring R ═ Z [ x ]]/xn+1, wherein Z [ x ]]Representing a set of integer coefficient polynomials, which set is mathematically called a polynomial ring, xn+1 is an nth degree polynomial, Z [ x ]]/xn+1 represents a set of integer polynomial equations of degree less than n, denoted as ring R. The invention requires that n is a power of 2, each element in the ring R is an integer coefficient polynomial with the degree smaller than n, and the ring element can also be regarded as an n-dimensional integer coefficient vector consisting of polynomial coefficients. Note that, ring Z [ x ]]/xn+1 is expressed as a symbol in its entirety in a convention of mathematics, where n is different from 2) -5) and x is also different from 5).
7)ring-Ring R of LWR common RingqR/qR, wherein the ring R ═ Z [ x ]]/xn+1, R/qR denotes a degree less than n, the coefficient belonging to ZqSet of polynomials, denoted Ring Rq. Ring RqThe number of the elements in (1) is less than n, and the coefficient belongs to ZqCan also be regarded as a ring element as an n-dimensional vector, wherein each element in the vector belongs to Zq. The ring R/qR is expressed as a whole as a symbol and is a representation defined in common in mathematics, and similarly, the ring R is expressed as a wholePR/pR, wherein the ring R ═ Z [ x ]]/xn+1, R/pR represents a degree less than n, the coefficient belonging to ZpSet of polynomials, denoted Ring Rp. Ring RpThe number of the elements in (1) is less than n, and the coefficient belongs to ZpCan also be regarded as a ring element as an n-dimensional vector, wherein each element in the vector belongs to Zp. The whole ring R/pR is expressed as a symbol, which is a conventional expression defined in mathematics.
8) Ring element (polynomial, vector) a ∈ RqIs a common parameter shared by both parties of the protocol.
9) Symbol
Figure BDA0001515288020000071
Description of the drawings: wherein
Figure BDA0001515288020000072
Is a collection, the elements of the collection are
Figure BDA0001515288020000073
And satisfies that the lower rounding function value of that element equals W',
Figure BDA0001515288020000074
it is referred to as a uniform random sampling,
Figure BDA0001515288020000075
refer to a collection of slaves
Figure BDA0001515288020000076
Medium random uniformitySampling an element D', assembling
Figure BDA0001515288020000077
Element U in (b) needs to satisfy two conditions: the element U must be a set
Figure BDA0001515288020000078
And the lower rounding function value of element U equals W'.
10) Symbol
Figure BDA0001515288020000079
Description of the drawings: wherein
Figure BDA00015152880200000710
Is a set, the elements of the set being RqAnd satisfies that the lower rounding function value of this element equals w',
Figure BDA00015152880200000711
it is referred to as a uniform random sampling,
Figure BDA00015152880200000712
refer to a collection of slaves
Figure BDA00015152880200000713
Randomly and uniformly sampling an element d' in a set
Figure BDA00015152880200000714
Element u in (2) needs to satisfy two conditions: the element u must be a ring RqAnd the lower rounding function value of element u equals w'.
Two, function definition
1) Rounding down function
Figure BDA00015152880200000715
Zq→ZpWherein p is<q,
Figure BDA00015152880200000716
2) Upper rounding function
Figure BDA00015152880200000717
Figure BDA00015152880200000718
Means taking the smallest integer no less than x.
3) Lower rounding function
Figure BDA00015152880200000719
Figure BDA00015152880200000720
Refers to taking the largest integer no greater than x.
4) Negotiating rounding functions
Figure BDA00015152880200000721
5) Negotiating cross rounding functions
Figure BDA00015152880200000722
Description of the drawings: 4) and 5) the definition domains of the two functions are slightly different in the two sets of methodologies, specifically, in the quantum key agreement resisting method based on the LWR problem, v in the two functions of 4) and 5) belongs to ZqIn the quantum key agreement resisting method based on ring-LWR problem, v in the two functions of 4) and 5) belongs to Z2qAt this point, the rounding function is negotiated
Figure BDA0001515288020000081
Negotiating cross rounding functions
Figure BDA0001515288020000082
Figure BDA0001515288020000083
In the two sets of method systems, the value of the parameter B is also different.
6) rec function: input w ∈ ZqAnd b ∈ {0,1}, rec (w, b) inputGo out
Figure BDA0001515288020000084
V is required to be nearest to w and
Figure BDA0001515288020000085
aiming at the calculation of the function, the invention provides a new method which is simple and efficient. Preparation before function calculation-building a correspondence table, since ZqHas a value of 2 for the negotiated rounding function of the number in (1)BWith a different result, only 2 cross-rounding function values are negotiated. Firstly, the invention is to handle ZqNumber in (1) rounds the function value according to negotiation
Figure BDA0001515288020000086
Is divided into 2BX 2 parts, where w.epsilon.Zq(ZqHas a value of 2 for the negotiated rounding function of the number in (1)BA different result, repeated once for each result, thus obtaining 2BX 2 co-quotient rounding function values, two of which are identical). Then the Z is putqNumber in cross rounding function values by negotiation
Figure BDA0001515288020000087
Is divided into 2BX 2 parts, where w.epsilon.Zq(ZqThe negotiated cross-rounding function values for the numbers in (1) are only two: 0 and 1, repeat 2 for these two resultsBThen, 2 is obtainedBX 2 co-quotient cross-rounding function values), 2 of theseBX 2 co-quotient cross-rounding function values are respectively associated with the 2 mentioned aboveBThe x 2 negotiation rounding function values correspond one to one, and the corresponding result is that two identical negotiation rounding function values correspond to two different negotiation cross rounding functions respectively. After the corresponding table is established, the specific operation method of the function calculation is as follows: for w ∈ ZqFirst, find the negotiation cross round function value of w
Figure BDA0001515288020000088
At the same time, the position of the value in the correspondence table is known, if
Figure BDA0001515288020000089
Outputting a negotiation rounding function value corresponding to the negotiation cross rounding function value in the correspondence table
Figure BDA00015152880200000810
If it is not
Figure BDA00015152880200000811
Sequentially judging from near to far, right first and left second
Figure BDA00015152880200000812
Whether the number in the vicinity is equal to b, or not, and specifically, whether the number in the vicinity is equal to b or not is determined sequentially
Figure BDA00015152880200000813
Figure BDA00015152880200000814
Up to a certain value
Figure BDA00015152880200000815
Stopping and then returning the negotiated rounding function values corresponding to the negotiated cross rounding function values in the correspondence table
Figure BDA00015152880200000816
Where i is taken from {1, 2, …, }, + i and-i represent the values at the i-th and i-th positions in the corresponding table, respectively. It should be noted that w and b in rec (w, b) are both a number, in the LWR-based quantum key agreement resisting method, D and C in rec (D, C) are both matrices with the same size, and during calculation, two elements corresponding to positions in the two matrices need to be operated, and the obtained result is also a matrix with the same size; in summary, in the LWR-based key agreement method, we can regard w and b as two elements of corresponding positions in the matrices D and C, respectively, and when operating on the matrices, operate on the elements of their corresponding positions, respectively.
Description of the drawings: 6) the rec function is mainly explained for the quantum resistance based on the LWR problemIn the key agreement method, in the quantum key agreement method against the ring-LWR problem, the definition of rec function is slightly different: input w ∈ Z2qAnd b belongs to {0,1}, establishing a corresponding table firstly, because Z belongs to {0,1}, and solving the problem that Z belongs to the corresponding table2qHas a value of 2 for the negotiated rounding function of the number in (1)BWith a different result, only 2 cross-rounding function values are negotiated. Firstly, the invention is to handle ZqNumber in (1) rounds the function value according to negotiation
Figure BDA0001515288020000091
Is divided into 2BX 2 parts, where w.epsilon.Z2q(Z2qHas a value of 2 for the negotiated rounding function of the number in (1)BA different result, repeated once for each result, thus obtaining 2BX 2 co-quotient rounding function values, two of which are identical). Then, Z is further introduced2qNumber in cross rounding function values by negotiation
Figure BDA0001515288020000092
Is divided into 2BX 2 parts, where w.epsilon.Z2q(Z2qThe negotiated cross-rounding function values for the numbers in (1) are only two: 0 and 1, repeat 2 for these two resultsBThen, 2 is obtainedBX 2 co-quotient cross-rounding function values), 2 of theseBX 2 co-quotient cross-rounding function values are respectively associated with the 2 mentioned aboveBThe x 2 negotiation rounding function values correspond one to one, and the corresponding result is that two identical negotiation rounding function values correspond to two different negotiation cross rounding functions respectively. After the corresponding table is established, the specific operation method of the function calculation is as follows: for w ∈ Z2qFirst, find the negotiation cross round function value of w
Figure BDA0001515288020000093
At the same time, the position of the value in the correspondence table is known, if
Figure BDA0001515288020000094
Outputting a negotiation rounding function value corresponding to the negotiation cross rounding function value in the correspondence table
Figure BDA0001515288020000095
If it is not
Figure BDA0001515288020000096
Sequentially judging from near to far, right first and left second
Figure BDA0001515288020000097
Whether the number in the vicinity is equal to b, or not, and specifically, whether the number in the vicinity is equal to b or not is determined sequentially
Figure BDA0001515288020000098
Figure BDA0001515288020000099
Up to a certain value
Figure BDA00015152880200000910
Stopping and then returning the negotiated rounding function values corresponding to the negotiated cross rounding function values in the correspondence table
Figure BDA00015152880200000911
Where i is taken from {1, 2, …, }, + i and-i represent the values at the i-th and i-th positions in the corresponding table, respectively. It should be noted that w and b in rec (w, b) are both a number, and in the method for quantum key agreement resistance based on the ring-LWR problem, dbl (d) and c in rec (dbl (d), c) are both vectors with the same dimension, and during operation, two elements corresponding to positions in the two vectors need to be operated, and the obtained result is also a vector with the same dimension. In the key agreement method based on ring-LWR, the invention respectively considers w and b as two elements corresponding to the positions in vectors dbl (d) and c, and when the vectors are operated, the elements corresponding to the positions are respectively operated. It is also noted that the choice of parameter B is different in the two sets of methodologies.
7) Random doubling function dbl: Zq→Z2qX → dbl (x) 2x-e, where e is sampled from { -1, 0,1} with a probability of p for each sample-1=p1=1/4,p0=1/2。
It should be noted that the argument of the function is a matrix (vector), and performing the function operation on the matrix (vector) is actually performing the function operation on each component in the matrix (vector).
Four, protocol process
1. The quantum key negotiation resisting method based on the LWR problem can refer to FIG. 1 in the attached drawings of the specification.
1) At each run time, Alice first randomly and uniformly slave set MtIn which a matrix of n rows and l columns is selected
Figure BDA0001515288020000101
Computing
Figure BDA0001515288020000102
Wherein, A is a common parameter which has been negotiated by both communication parties before, and the detailed negotiation mode is optimized and realized. Alice then sends F to Bob.
2) Bob receives F, and Bob randomly and uniformly gets from the set MtIn which a matrix of l rows and n columns is selected
Figure BDA0001515288020000103
From the collection
Figure BDA0001515288020000104
Uniformly selecting a matrix of n rows and l columns at random
Figure BDA0001515288020000105
Computing
Figure BDA0001515288020000106
Then, Bob randomly and uniformly gathers from the set
Figure BDA0001515288020000107
In which a matrix of l rows and l columns is selected
Figure BDA0001515288020000108
Computing
Figure BDA0001515288020000109
Figure BDA00015152880200001010
Finally, Bob sends B' and C to Alice.
3) After Alice receives B' and C, calculate
Figure BDA00015152880200001011
And km ═ rec (D, C).
Successful operation of the method means that the km calculated by Alice and the km' calculated by Bob are identical. It should be noted that the multiplication and addition in the process of the method are both matrix multiplication and addition in the general sense, and slightly different is that a modulo operation is required as a result.
2. The quantum key negotiation resisting method based on the ring-LWR problem can refer to FIG. 2 in the attached drawings of the specification.
1) At each run time, Alice first randomly and uniformly slave set VtTo select n-dimensional 0-1 vector
Figure BDA00015152880200001012
Computing
Figure BDA00015152880200001013
Figure BDA00015152880200001014
Wherein a is a common parameter which has been negotiated by both communication parties before, and the specific negotiation mode is detailed in the optimization implementation. Alice then sends b to Bob.
2) Bob receives b, and then randomly and uniformly receives the b from the set VtTo select n-dimensional 0-1 vector
Figure BDA00015152880200001015
From the collection
Figure BDA00015152880200001016
Uniformly selecting a ring element (n-dimensional vector) at random
Figure BDA00015152880200001017
Computing
Figure BDA00015152880200001018
Then randomly and uniformly from the set
Figure BDA00015152880200001019
In which a ring element (n-dimensional vector) is selected
Figure BDA00015152880200001020
Calculating c ═<dbl(d′)>2,q,km′=[dbl(d′)′]2,q. And finally b' and c are sent to Alice.
3) After Alice receives b' and c, calculate
Figure BDA00015152880200001021
And km ═ rec (dbl (d), c).
Successful operation of the method means that the km calculated by Alice and the km' calculated by Bob are identical. It should be noted that the multiplication and addition of the above ring elements are polynomial multiplication and addition in the general sense, and slightly different is that the result needs a polynomial modulo one, and the coefficients of the polynomial need an integer modulo one.
3. Parameter selection
1) Anti-quantum key negotiation method based on LWR problem
The parameters h, q, p, t, B,
Figure BDA0001515288020000111
is a positive integer, wherein q>p,
Figure BDA0001515288020000112
B<log2q-1. In order to ensure the correctness of the protocol, the invention requires the parameters to be satisfied
Figure BDA0001515288020000113
2) Anti-quantum key negotiation method based on ring-LWR problem
The parameters n, h, q, p and t are positive integers, and in order to ensure correctness, the method requires that the parameters meet the requirements
Figure BDA0001515288020000114
(when the secret s is from the set
Figure BDA0001515288020000115
Middle sampling, set of samples
Figure BDA0001515288020000116
The number of non-zero elements of the vector in (1) is h); parameter satisfaction
Figure BDA0001515288020000117
(when the secret is from the set 0,1}nMiddle sampling, set of samples {0,1}nThe number of non-zero elements of the vector in (1) is not required).
4. Optimizing implementation
In both of the above negotiation methods, each time Alice runs, Alice may be seeded by a small random seed via the pseudo-random generator GenACommon parameters for generating ring-LWR or LWR, i.e. matrix A or a ∈ RqThen seed this seedASent to Bob, Bob can pass through the pseudo-random generator Gen and the random seed since the pseudo-random generator Gen is an algorithm that has been negotiated by two people beforeAThe same common parameters as Alice are generated. Wherein seedAIs a random bit string; gen stands for pseudo-random generator, a pseudo-random generator is an algorithm that can spread a short random bit string into a long bit string that is difficult to distinguish from a random bit string of the same length, e.g., a pseudo-random generator can be constructed using the AES algorithm in ECB mode. This point-to-point technique can be chosen according to the application and is therefore not included in the method of the invention.
Fifth, integrate into TLS protocol
In the above two methods, step (1) corresponds to the set key exchange process in the TLS protocol message flow diagram (fig. 3), the sent message is { b }, step (2) corresponds to the Client key exchange process (the sent message is { b ', c }) and a partial process of the Client's computer keys, and step (3) corresponds to a partial process of the set's computer keys. In the actual operation process, the messages transmitted by the SeverKeyExchange process and the ClientKeyExchange process are plaintext, and the messages transmitted by the Client terminal and the Sever terminal computer keys process are ciphertext. Km obtained by the Client terminal and the server terminal computer keys process is used as a pre-master key of the TLS process, and the computer keys process also comprises the steps of generating a master key and an encryption key through a key derivation function and then encrypting a message by using the encryption key for transmission.
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.

Claims (10)

1. A quantum key negotiation resisting method is characterized by comprising the following steps:
1) the communication party Alice selects a matrix S with n rows and l columns and calculates the message
Figure FDA0002346240520000011
Then sending the message F to the communication party Bob; the matrix A is an LWR public matrix shared by Alice and Bob of two communication parties, the matrix A is a matrix with n rows and n columns, and elements in the matrix A belong to Zq,ZqIs a section
Figure FDA0002346240520000012
A set of integers of (d);
Figure FDA0002346240520000013
representing a set of matrices of n rows and l columns, the elements of the matrices being taken from Zp;ZpIs a section
Figure FDA0002346240520000014
N, l, q, p are positive integers;
2) after receiving the message F, the communication party Bob selects a line l nA matrix S' of columns and a matrix Y of n rows and l columns, are calculated
Figure FDA00023462405200000127
Then the communication party Bob selects a matrix D' of n rows and l columns for calculation
Figure FDA00023462405200000132
And a secret key
Figure FDA0002346240520000016
Then the communication party Bob sends B' and C to the communication party Alice; wherein, the matrix W 'is a matrix with one row and one column, the matrix B' is a matrix with one row and n columns, and the elements of the matrix W 'and the matrix B' both belong to Zp
3) The communication party Alice calculates according to the received B' and C
Figure FDA0002346240520000017
And the key km rec (D, C), the matrix D being a matrix of one row and one column, the elements in the matrix D belonging to Zq(ii) a The output of the function rec (D, C) is a matrix with rows and columns the same as those of D and C, the jth row and jth column elements in the matrix are obtained from the elements at the corresponding positions of the matrices D and C, that is, the jth row and jth column element values in the matrix are the negotiated rounding function values of a number, which is required to be nearest to the elements at the corresponding positions in the matrix D, and the negotiated cross rounding function values of the number are equal to the elements at the corresponding positions in the matrix C;
Figure FDA0002346240520000018
for negotiating cross-rounding functions, i.e.
Figure FDA0002346240520000019
Figure FDA00023462405200000110
Figure FDA00023462405200000111
For negotiating rounding functions, i.e.
Figure FDA00023462405200000133
Figure FDA00023462405200000114
Figure FDA00023462405200000129
In order to lower the rounding function,
Figure FDA00023462405200000130
for the rounding-down function, q>p,
Figure FDA00023462405200000115
B<log2q-1。
2. The method of claim 1, wherein the correspondent Alice randomly and uniformly gathers from a matrix
Figure FDA00023462405200000116
Selecting a matrix S with n rows and l columns; wherein the content of the first and second substances,
Figure FDA00023462405200000117
each column of each matrix in the set belongs to
Figure FDA00023462405200000118
Figure FDA00023462405200000119
A set of n-dimensional vectors is represented,
Figure FDA00023462405200000120
each vector has n-h 0 components and h non-0 components, each non-0 component is taken from { + -1 }; the correspondent Bob randomly and uniformly assembles from the slave matrix
Figure FDA00023462405200000121
In which a matrix of n rows and l columns is selected
Figure FDA00023462405200000122
For matrix
Figure FDA00023462405200000123
Transposing to obtain the matrix S'; from the collection
Figure FDA00023462405200000124
Uniformly selecting the matrix Y and h as positive integers in a medium-random manner, and collecting
Figure FDA00023462405200000125
The elements in (A) belong to
Figure FDA00023462405200000126
And satisfies one element of
Figure FDA00023462405200000131
3. The method of claim 1,
Figure FDA0002346240520000021
t,B,
Figure FDA0002346240520000022
are all positive integers.
4. A method according to claim 1 or 2 or 3, characterized in that the solution of the function rec (D, C) is as follows: establishing a corresponding table of the negotiation rounding function and the negotiation cross rounding function, i.e. converting ZqNumber in (1) rounds the function value according to negotiation
Figure FDA0002346240520000023
Is divided into 2BX 2 parts, where w.epsilon.ZqThen, Z is further introducedqNumber in cross rounding function values by negotiation
Figure FDA0002346240520000024
Is divided into 2BX 2 parts, where w.epsilon.ZqWill 2 thisBX 2 co-quotient cross-rounding function values are respectively associated with the 2 mentioned aboveBThe x 2 negotiation rounding function values are in one-to-one correspondence, wherein each pair of same negotiation rounding function values respectively correspond to two different negotiation cross rounding function values; after the corresponding table is established, for w epsilon D, firstly, the negotiation cross rounding function value of w is solved
Figure FDA0002346240520000025
And determining the position of the value in the correspondence table, if
Figure FDA0002346240520000026
Equal to the element of the corresponding position in C, and outputting the corresponding negotiation rounding function value in the corresponding table; if it is not
Figure FDA0002346240520000027
Elements not equal to the corresponding positions in C are sequentially judged
Figure FDA0002346240520000028
Whether the nearby numbers are equal to the elements of the corresponding position in C until appearance
Figure FDA0002346240520000029
Equal to the element in the corresponding position in C, the corresponding negotiated rounding function value in the corresponding table is returned, where i is taken from {1, 2, … }, + i and-i represent the value in the last i-th and first i-th bits, respectively, of the corresponding table.
5. The method of claim 1, 2 or 3, wherein the correspondent Alice derives a seed from a seed by means of the pseudo-random generator GenAGenerating said matrix A and then setting the seed seedASending the data to a communication party Bob; bob seed through the pseudo-random generator GenAGenerating the matrix A; the pseudo-random generator Gen is pre-negotiated between the communication party Alice and the communication party Bob.
6. A quantum key negotiation resisting method is characterized by comprising the following steps:
1) the communication party Alice selects an n-dimensional vector s and calculates the message
Figure FDA00023462405200000210
Wherein a is a ring-LWR common ring element, a is an n-dimensional vector, and then a message b is sent to a communication party Bob; n, q and p are positive integers;
2) after receiving the message b, the communication party Bob selects an n-dimensional vector s' and a ring element y, and calculates
Figure FDA00023462405200000213
Figure FDA00023462405200000211
Then the communication party Bob selects a ring element d', and calculates c ═<dbl(d′)>2,qAnd key km ' ═ dbl (d ') ']2,q(ii) a The communication party Bob sends b' and c to the communication party Alice; wherein y is an n-dimensional vector, d 'is an n-dimensional vector, the value of the component in the vector s' is 0 or 1, and the value of the component in the vector s is 0 or 1;
3) the communication party Alice calculates according to the received b' and c
Figure FDA00023462405200000212
And the key km ═ rec (dbl (d), c); wherein the output of the function rec (dbl (d), c) is a vector having dimensions identical to those of dbl (d) and c, the elements in the vector are derived from the elements at the corresponding positions of the vectors dbl (d) and c, the i-th element in the vector is a negotiated rounding function value for a number that is required to be nearest to the element at the corresponding position in the vector dbl (d), and the negotiated cross rounding function value for the number is equal to the negotiated cross rounding function value for the corresponding position in the vector cAn element of a location;
Figure FDA0002346240520000031
for negotiating cross-rounding functions, i.e.
Figure FDA0002346240520000032
Figure FDA0002346240520000033
Figure FDA0002346240520000034
For negotiating rounding functions, i.e.
Figure FDA0002346240520000035
Figure FDA0002346240520000036
B<log2q-1,
Figure FDA00023462405200000317
In order to round down the function of the round-down,
Figure FDA00023462405200000318
in order to be a function of the upper rounding,
Figure FDA00023462405200000319
in order to lower the rounding function,
Figure FDA00023462405200000320
dbl () is a random doubling function for the rounding down function.
7. The method of claim 6, wherein the correspondent Alice randomly and uniformly derives from the set of matrices VtSelecting the vector s; wherein, VtIs composed of
Figure FDA0002346240520000037
Or {0,1}n
Figure FDA0002346240520000038
A set of n-dimensional vectors is represented,
Figure FDA0002346240520000039
each vector has n-h 0 components and h non-0 components, each non-0 component is taken from { + -1 }; {0,1}nRepresents a set of n-dimensional vectors, each element in the set being an n-dimensional vector, each component of the vector belonging to {0,1 }; bob random uniform slave set VtTo select a vector s' from the set
Figure FDA00023462405200000321
Wherein the ring elements y are randomly and uniformly selected, and randomly and uniformly selected from the set
Figure FDA00023462405200000322
Wherein one ring element d', h is a positive integer, RqIs a set of ring elements, where each component is taken from Zq
8. The method of claim 7, wherein when aggregating
Figure FDA00023462405200000323
Intermediate sampling to obtain vector s, sampling set
Figure FDA00023462405200000324
When the number of the non-zero elements of the vector in (1) is h, the required parameter is satisfied
Figure FDA00023462405200000325
When from the set {0,1}nWhen the vector s is obtained by middle sampling, the parameters satisfy
Figure FDA00023462405200000326
t is a positive integer.
9. The method of claim 6, wherein solving the function rec (dbl (d), c) is by: firstly, establishing a corresponding table of a negotiation rounding function and a negotiation cross rounding function, and converting Z into a corresponding table2qNumber in (1) rounds the function value according to negotiation
Figure FDA00023462405200000310
Is divided into 2BX 2 parts, where w.epsilon.Z2qThen, Z is further introduced2qNumber in cross rounding function values by negotiation
Figure FDA00023462405200000311
Is divided into 2BX 2 parts, where w.epsilon.Z2qWill 2 thisBX 2 co-quotient cross-rounding function values are respectively associated with the 2 mentioned aboveBThe x 2 negotiation rounding function values are in one-to-one correspondence, wherein each pair of same negotiation rounding function values respectively correspond to two different negotiation cross rounding function values; after the corresponding table is established, for w ∈ dbl (d), the negotiation cross rounding function value of w is firstly obtained
Figure FDA00023462405200000312
And determines the position of the value in the correspondence table, if
Figure FDA00023462405200000313
C, the element which is equal to the corresponding position in the c outputs the corresponding negotiation rounding function value in the corresponding table; if it is not
Figure FDA00023462405200000314
Elements not equal to the corresponding positions in c are sequentially judged
Figure FDA00023462405200000315
Whether the nearby numbers are equal to the elements of the corresponding positions in c until they appear
Figure FDA00023462405200000316
Is equal to in cThe element of the corresponding position returns the negotiated rounding function value of the corresponding position in the corresponding table, wherein i is taken from {1, 2, …, }, + i and-i represent the value of the i-th bit and the i-th bit in the corresponding table respectively, and Z2qIs a set of integers in the interval [ -q, q).
10. The method of any of claims 6 to 9, wherein the correspondent Alice is fed by a seed through the pseudo-random generator GenAGenerating the ring-LWR common ring element a, and then seed the seedASending the data to a communication party Bob; the correspondent Bob passes the pseudo-random generator Gen and the seedAGenerating the ring-LWR common ring element a; the pseudo-random generator Gen is pre-negotiated between the communication party Alice and the communication party Bob.
CN201711379239.4A 2017-11-21 2017-12-20 Anti-quantum key agreement method Active CN108270562B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2017111630592 2017-11-21
CN201711163059 2017-11-21

Publications (2)

Publication Number Publication Date
CN108270562A CN108270562A (en) 2018-07-10
CN108270562B true CN108270562B (en) 2020-05-01

Family

ID=62772306

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711379239.4A Active CN108270562B (en) 2017-11-21 2017-12-20 Anti-quantum key agreement method

Country Status (1)

Country Link
CN (1) CN108270562B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106060070A (en) * 2016-07-01 2016-10-26 中国人民解放军国防科学技术大学 TLS handshake protocol for identity-based cryptosystem
CN106341232A (en) * 2016-09-18 2017-01-18 中国科学院软件研究所 Anonymous entity identification method based on password
CN106534077A (en) * 2016-10-18 2017-03-22 华南理工大学 Authenticable agent re-encryption system and method based on symmetric cryptography
CN106992856A (en) * 2017-03-29 2017-07-28 山西大学 The data coordinating method of extensive continuous variable quantum key distribution based on GPU
CN107359987A (en) * 2017-07-07 2017-11-17 上海交通大学 Continuous variable quantum key distribution multidimensional machinery of consultation under finite dimensional effect

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140098955A1 (en) * 2009-12-15 2014-04-10 Los Alamos National Security, Llc Quantum enabled security for optical communications
JP6165637B2 (en) * 2014-01-08 2017-07-19 株式会社東芝 Quantum communication device, quantum communication method and program

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106060070A (en) * 2016-07-01 2016-10-26 中国人民解放军国防科学技术大学 TLS handshake protocol for identity-based cryptosystem
CN106341232A (en) * 2016-09-18 2017-01-18 中国科学院软件研究所 Anonymous entity identification method based on password
CN106534077A (en) * 2016-10-18 2017-03-22 华南理工大学 Authenticable agent re-encryption system and method based on symmetric cryptography
CN106992856A (en) * 2017-03-29 2017-07-28 山西大学 The data coordinating method of extensive continuous variable quantum key distribution based on GPU
CN107359987A (en) * 2017-07-07 2017-11-17 上海交通大学 Continuous variable quantum key distribution multidimensional machinery of consultation under finite dimensional effect

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
《Post-quantum key exchange for the TLS protocol from the ring learning with errors problem》;Joppe W.Bos;《IEEE》;20151231;全文 *
LDPC码在量子密钥分配多维协商算法中的应用;林毅;《量子光学学报》;20130315(第2期);全文 *

Also Published As

Publication number Publication date
CN108270562A (en) 2018-07-10

Similar Documents

Publication Publication Date Title
CN110572253A (en) Method and system for enhancing privacy of federated learning training data
CN111049650B (en) SM2 algorithm-based collaborative decryption method, device, system and medium
CN101977112B (en) Public key cipher encrypting and decrypting method based on neural network chaotic attractor
CN112989368A (en) Method and device for processing private data by combining multiple parties
Dehkordi et al. Threshold quantum secret sharing between multiparty and multiparty using Greenberger–Horne–Zeilinger state
CN113141247B (en) Homomorphic encryption method, homomorphic encryption device, homomorphic encryption system and readable storage medium
CN111600661B (en) Three-dimensional encryption OFDM optical system based on real-time updated chaotic key distribution
CN114465708B (en) Privacy data processing method, device, system, electronic equipment and storage medium
CN113132104A (en) Active and safe ECDSA (electronic signature SA) digital signature two-party generation method
Dawson et al. Ensuring Cloud Data Security Using the Soldier Ant Algorithm
Krishna et al. A novel approach with matrix based public key crypto systems
CN116684062A (en) Cloud computing outsourcing and data dynamic sharing method and system based on proxy re-encryption
CN108270562B (en) Anti-quantum key agreement method
Subramaniam et al. A quantum diffie-hellman protocol
CN109981254A (en) A kind of miniature public key encryption method based on limited Lee&#39;s type group&#39;s resolution problem
Nalwaya et al. A cryptographic approach based on integrating running key in feedback mode of elgamal system
US20060104447A1 (en) Discrete logarithm-based cryptography using the Shafarevich-Tate group
Zhou et al. A survey of security aggregation
de Kock A non-interactive key exchange based on ring-learning with errors
Bobrysheva et al. Post-quantum security of communication and messaging protocols: achievements, challenges and new perspectives
CN113259107A (en) Grid-based dual-mode encryption method
Wang et al. A quantum concurrent signature scheme based on the quantum finite automata signature scheme
Jawaid et al. Selection of fittest key using genetic algorithm and autocorrelation in cryptography
WO2003013052A1 (en) Cryptosystems based on non-commutatity
Yin et al. A symmetric key exchange protocol bsaed on virtual S-box

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant