CN111651788B - Terminal access control system and method based on lattice code - Google Patents


Info

Publication number: CN111651788B
Application number: CN202010496061.7A
Authority: CN (China)
Other versions: CN111651788A
Original language: Chinese (zh)
Legal status: Active
Inventors: 王金鹏, 邹丰义, 王连海, 徐淑奖, 张淑慧, 匡瑞雪
Current and original assignee: Shandong Computer Science Center National Super Computing Center in Jinan

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/602 Providing cryptographic facilities or services

Abstract

An access control unit is added at the hardware layer of the interface through which the data acquisition terminal communicates with external devices, so access control is enforced at the physical layer, making the system and method safer and more reliable. The access control method uses a lattice-based encryption scheme, which resists attacks by quantum computers, and addresses the problem that existing terminal devices are easily intruded and have their data stolen.

Description

Terminal access control system and method based on lattice code
Technical Field
The disclosure belongs to the technical field of communication, and relates to a terminal access control system and method based on a lattice code.
Background
The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.
With the development of Internet of Things technology, more and more embedded terminal devices are deployed for data acquisition; audio and video acquisition terminals are common in daily life. These devices enrich our lives, but they are frequently intruded and their data stolen, so the security of external access to the device becomes a problem: the embedded terminal device must keep operating normally while the data inside it is protected from malicious modification or theft.
With the development of quantum computers and of quantum algorithms for integer factorisation and discrete logarithms, the security of many traditional cryptosystems is threatened, and lattice-based cryptography, which resists quantum computer attacks, has become a research hotspot in cryptology. Lattice-based schemes are resistant to quantum attacks and simple to implement in hardware. The Learning With Errors (LWE) problem was proposed by Regev in 2005, together with a quantum reduction from standard worst-case lattice problems to LWE. All cryptographic schemes built on the LWE problem can therefore base their security on the worst-case hardness of lattice problems.
The prior patent document (application number 201811210425.X, "FPGA-based DM365 data transmission interface circuit") provides an FPGA-based DM365 data transmission interface circuit. It solves the problem that, in the prior art, the transmission interface of the DM365 chip and the peripheral circuits it can communicate with are limited, and it uses the flexibility of FPGA circuit design in an embedded terminal to make communication between the terminal and the outside more convenient. However, the FPGA interface module is the outermost part of the embedded terminal device that exchanges data with the outside, and no access control module is designed for it, so an external device can directly control the embedded terminal through the FPGA circuit and the security of the terminal cannot be guaranteed.
Disclosure of Invention
The disclosure provides a terminal access control system and method based on lattice-based cryptography to solve the above problems; it addresses the problem that existing terminal devices are easily intruded and have their data stolen.
According to some embodiments, the following technical scheme is adopted in the disclosure:
A terminal access control system based on lattice-based cryptography comprises a data acquisition terminal and an upper computer (host). The data acquisition terminal comprises a DSP module and an FPGA module, wherein:
the FPGA module is connected to the DSP module and to the upper computer, and comprises:
a first interface adaptation module, which provides the connection interface between the FPGA module and the DSP module;
a second interface adaptation module, which provides the connection and communication interface between the FPGA module and the upper computer;
an uplink data buffer unit and a downlink data buffer unit, which buffer data;
a data input/output control unit, which controls the upper computer's reading of data from the uplink data buffer unit and writing of data into the downlink data buffer unit;
a lattice-cryptography-based access control module, which receives encrypted access request information from the upper computer, decrypts and verifies it, and, if verification passes, generates an enable signal for the data input/output control unit so that the upper computer can read from and write to the terminal device through that unit; if verification fails, the upper computer cannot access the data acquisition terminal.
As an alternative embodiment, the lattice-cryptography-based access control module comprises:
a private key storage unit for storing private key data, into which only the key generation unit can write and from which only the decryption unit can read;
a public key storage unit for storing public key data, into which only the key generation unit can write, and from which external devices can read the public key directly;
a key generation unit, which generates the key pair of the lattice-based public key encryption scheme and stores the generated pair in the private key storage unit and the public key storage unit respectively; only the access control unit can send an enable signal to the key generation unit to make it regenerate the key pair, and no other unit can influence the key generation unit;
an identity information storage unit, which stores the identity information of the external devices trusted by the terminal; the identity information comprises a user name, a password and a random number;
a decryption unit, which decrypts the encrypted ciphertext with the private key to obtain the plaintext; the private key is read from the private key storage unit, and the ciphertext is sent to the decryption unit by the access control unit;
and an access control unit, which receives the encrypted identity information transmitted by the external device, sends it to the decryption unit for decryption to obtain the identity information, and then compares it with the information in the identity information storage unit: if the user name and password match and the random numbers differ, authentication passes; if the user name or password differs, authentication fails.
After verification passes, the access control unit sends an enable signal to the data input/output control unit, allowing the external device to read and write data of the data acquisition terminal, updates the identity information in the identity information storage unit, and sends an enable signal to the key generation unit to regenerate the key pair.
The first interface adaptation module is an EMIF interface adaptation module, and the second interface adaptation module is a PCI interface adaptation module.
The method for controlling access with the system comprises the following steps:
1) set the initial identity information data in the identity information storage unit circuit;
2) after the terminal device is powered on and starts working, the key generation unit generates a public key and a private key, writes the public key into the public key storage unit and the private key into the private key storage unit;
3) when the upper computer wants to access the terminal device, the user name and password are entered in the identity information input module and then sent to the lattice-based encryption program module;
4) after receiving the identity information, the lattice-based encryption program module reads the public key from the public key storage unit of the terminal and encrypts the identity information with it;
5) the lattice-based encryption program module sends the encrypted identity information c to the access control unit of the terminal;
6) the access control unit of the terminal decrypts the received encrypted identity information c to obtain the identity information and verifies it; after verification passes, the access control unit sends an enable signal to the data input/output control unit to allow the external device to read and write data of the data acquisition terminal, updates the corresponding identity information in the identity information storage unit, and sends an enable signal to the key generation unit to regenerate the key pair;
7) the upper computer writes data into the downlink data buffer unit and reads data from the uplink data buffer unit through the data input/output control unit, achieving data communication with the data acquisition terminal.
As an alternative embodiment, step 2) comprises:
2a) set the degree n of the polynomials and a prime modulus q satisfying q ≡ 1 (mod 2n); randomly select a polynomial s ∈ R according to the distribution D_σ and take s as the private key; randomly select a polynomial e ∈ R according to D_σ and take e as the error polynomial; select a ∈ R uniformly at random. Here D_σ is the discrete Gaussian distribution over the integers Z with mean 0 and standard deviation σ, and R is the polynomial ring Z_q[x]/(x^n + 1);
2b) compute b = a·s + e. The error polynomial e is the key to the LWE problem: without the error term, s could be computed directly from b and a;
2c) obtain the private key sk = s and the public key pk = (a, b); write the public key into the public key storage unit and the private key into the private key storage unit.
As an alternative embodiment, step 4) specifically comprises:
4a) generate a random number and append it after the user name and password to form the complete identity authentication information m;
4b) randomly select e1, e2, e3 ∈ R according to the distribution D_σ, where D_σ is the discrete Gaussian distribution over the integers Z with mean 0 and standard deviation σ, and R is the polynomial ring Z_q[x]/(x^n + 1);
4c) let m1 = f(m) ∈ R, where f is the mapping given in formula image BDA0002522860610000051 (not reproduced in the text); it converts between modulus domains, mapping the input information m from the range [0, 1] into the range [0, q−1];
4d) encrypt the identity information with the public key: c1 = a·e1 + e2 and c2 = b·e1 + e3 + m1 give a ciphertext containing the identity information, and c = (c1, c2) is the encrypted identity information.
As an alternative embodiment, step 6) specifically comprises:
6a) the access control unit first decrypts the access verification information to obtain the unencrypted identity information;
6b) the user name, password and random number are separated and compared with the corresponding data in the identity information storage unit for verification;
6c) after verification passes, the access control unit sends an enable signal to the data input/output control unit, allowing the external device to read and write data of the data acquisition terminal; it then updates the identity information in the identity information storage unit and enables the key generation unit to regenerate the key pair.
As an alternative embodiment, step 6a) comprises:
6aa) multiply the first part c1 of the ciphertext by the private key s as polynomials on the ring, then add the second part c2 of the ciphertext to the result to obtain m2, i.e. m2 = c1·s + c2;
6ab) convert m2 from the range [0, q−1] back to the range [0, 1]: each coefficient of m2 is judged with the formula in formula image BDA0002522860610000061 (not reproduced in the text); if the coefficient lies within the range the bit is 1, otherwise the bit is 0. When the conversion is complete, m3 is obtained, and m3 equals the identity information m before encryption.
As an alternative embodiment, step 6b) specifically comprises:
6ba) if the user name or password differs from the stored values, authentication fails;
6bb) if the user name and password match the stored values and the random number is also the same, the upper computer has not regenerated its encrypted identity information for this access; the encrypted identity information may have been stolen and replayed, so verification fails;
6bc) if the user name and password match the stored values and the random number differs, authentication passes.
Compared with the prior art, the beneficial effects of this disclosure are:
the access control unit is added at the hardware layer of the interface through which the data acquisition terminal communicates with external data, so access control is enforced at the physical layer and the system and method are safer and more reliable; moreover, the access control method of this embodiment uses lattice-based encryption and can resist quantum computer attacks.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and are not to be construed as limiting the disclosure.
Fig. 1 is a schematic diagram of the system architecture of the present disclosure.
The specific implementation mode is as follows:
the present disclosure is further described with reference to the following drawings and examples.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present disclosure. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
Referring to Fig. 1, the lattice-cryptography-based terminal access control system of this embodiment comprises an audio and video acquisition terminal and an upper computer. The audio and video acquisition terminal comprises a DSP module and an FPGA module; the DSP module is connected to the FPGA module through an EMIF interface, and the FPGA module is connected to the upper computer through a PCI interface. Wherein:
the DSP module comprises a DSP chip, audio and video acquisition equipment and the related peripheral circuits. The DSP chip reads its working parameters from the downlink data buffer unit in the FPGA module, controls the audio and video acquisition equipment to capture audio and image data, processes the raw data into TS streams that are convenient to transmit, and finally writes the TS streams into the uplink data buffer unit.
The DSP chip of this example is, but is not limited to, a TI TMS320DM365.
The FPGA module comprises an FPGA chip and the related peripheral circuits. The main modules designed inside the FPGA chip are the uplink data buffer unit, the downlink data buffer unit, the data input/output control unit and the lattice-cryptography-based access control module:
the uplink and downlink data buffer units buffer data and absorb the mismatch between the read/write speeds of the DSP module and the upper computer during asynchronous transfers; the uplink data buffer unit uses a dual-port RAM with a 1 Mbyte address space, and the downlink data buffer unit uses a dual-port RAM with a 64 Kbyte address space.
The data input/output control unit controls the upper computer's reading of data from the uplink data buffer unit and writing of data into the downlink data buffer unit.
The lattice-cryptography-based access control module receives encrypted access request information from the upper computer, decrypts and verifies it, and, if verification passes, generates an enable signal for the data input/output control unit so that the upper computer can read from and write to the audio and video acquisition terminal through that unit; if verification fails, the upper computer cannot get through the data input/output control unit and therefore cannot access the terminal. The module mainly comprises a private key storage unit, a public key storage unit, a key pair generation unit, an identity information storage unit, a decryption unit and an access control unit:
the private key storage unit stores private key data; only the key generation unit can write to it and only the decryption unit can read from it. The unit uses a FIFO memory with a 16 Kbyte address space;
the public key storage unit stores public key data; only the key generation unit can write to it, while external devices can read the public key from it directly. The unit uses a FIFO memory with a 16 Kbyte address space;
the key pair generation unit generates the key pair of the lattice-based public key encryption scheme and stores the generated pair in the private key storage unit and the public key storage unit respectively; only the access control unit can send an enable signal to the key generation unit to make it regenerate the key pair. The random numbers used during key generation are produced by an eight-bit linear feedback shift register, and the addition, multiplication and modular operations are all implemented with general-purpose IP cores;
the identity information storage unit stores the identity information of the external devices trusted by the terminal; the identity information comprises a user name, a password and a random number, and the unit uses a RAM with a 1 Kbyte address space;
the decryption unit decrypts the encrypted ciphertext with the private key to obtain the plaintext; the private key is read from the private key storage unit, the ciphertext is sent to the decryption unit by the access control unit, and the addition, multiplication and modular operations are all implemented with general-purpose IP cores;
the access control unit receives the encrypted identity information transmitted by the external device, sends it to the decryption unit for decryption to obtain the identity information, and compares it with the information in the identity information storage unit: if the user name and password match and the random numbers differ, authentication passes; if the user name or password differs, authentication fails. After verification passes, the unit sends an enable signal to the data input/output control unit, allows the external device to read and write data of the data acquisition terminal, updates the identity information in the identity information storage unit, and sends an enable signal to the key generation unit to regenerate the key pair. If authentication fails, the external device cannot access the terminal device.
The FPGA chip of this example is, but is not limited to, an Altera chip with model number EP3C80F484I7.
The upper computer is a PC; the lattice-based encryption program module on it is a software program written in C, and its workflow is as follows:
1) enter the user name and password;
2) call the rand() function to generate a random number and concatenate it with the input to form the complete identity information m;
3) read the public key pk = (a, b) required for the lattice-based encryption;
4) call the SetCoeff function of the NTL library to select the error polynomials e1, e2 and e3;
5) multiply the identity information m by the constant in formula image BDA0002522860610000111 (not reproduced in the text) to obtain m1;
6) call the MulTrunc() function of the NTL library to compute the polynomial multiplications, and encrypt m1 with pk: tmp1 = a·e1 + e2, tmp2 = b·e1 + e3 + m1;
7) c1 = tmp1 mod q, c2 = tmp2 mod q; finally the encrypted identity information c = (c1, c2) is obtained.
In some embodiments, the method for performing access control with the above system comprises the following steps:
1) set the initial identity information data in the identity information storage unit circuit during FPGA circuit design;
2) after the terminal device is powered on and starts working, the key generation unit generates a public key and a private key, writes the public key into the public key storage unit and the private key into the private key storage unit:
2a) set the degree n of the polynomials and a prime modulus q satisfying q ≡ 1 (mod 2n); randomly select a polynomial s ∈ R according to the distribution D_σ and take s as the private key; randomly select a polynomial e ∈ R according to D_σ and take e as the error polynomial; select a ∈ R uniformly at random. Here D_σ is the discrete Gaussian distribution over the integers Z with mean 0 and standard deviation σ, and R is the polynomial ring Z_q[x]/(x^n + 1);
2b) compute b = a·s + e. The error polynomial e is the key to the LWE problem: without the error term, s could be computed directly from b and a;
2c) obtain the private key sk = s and the public key pk = (a, b); write the public key into the public key storage unit and the private key into the private key storage unit;
3) when the upper computer wants to access the terminal device, the user name and password are entered in the identity information input module and then sent to the lattice-based encryption program module;
4) after receiving the identity information, the lattice-based encryption program module reads the public key from the public key storage unit of the terminal and encrypts the identity information with it:
4a) generate a random number and append it after the user name and password to form the complete identity authentication information m;
4b) randomly select e1, e2, e3 ∈ R according to the distribution D_σ, where D_σ is the discrete Gaussian distribution over the integers Z with mean 0 and standard deviation σ, and R is the polynomial ring Z_q[x]/(x^n + 1);
4c) let m1 = f(m) ∈ R, where f is the mapping given in formula image BDA0002522860610000121 (not reproduced in the text); it converts between modulus domains, mapping the input information m from the range [0, 1] into the range [0, q−1];
4d) encrypt the identity information with the public key: c1 = a·e1 + e2 and c2 = b·e1 + e3 + m1 give a ciphertext containing the identity information, and c = (c1, c2) is the encrypted identity information;
5) the lattice-based encryption program module sends the encrypted identity information c to the access control unit of the terminal;
6) the access control unit of the terminal decrypts the received encrypted identity information c and, after obtaining the identity information, verifies it:
6a) the access control unit first decrypts the access verification information to obtain the unencrypted identity information m:
6aa) multiply the first part c1 of the ciphertext by the private key s as polynomials on the ring, then add the second part c2 of the ciphertext to the result to obtain m2, i.e. m2 = c1·s + c2;
6ab) convert m2 from the range [0, q−1] back to the range [0, 1]: each coefficient of m2 is judged with the formula in formula image BDA0002522860610000131 (not reproduced in the text); if the coefficient lies within the range the bit is 1, otherwise the bit is 0. When the conversion is complete, m3 is obtained, and m3 equals the identity information m before encryption;
6b) split m3 into the user name, the password and the random number, and compare each with the corresponding data in the identity information storage unit:
6ba) if the user name or password differs from the stored values, authentication fails;
6bb) if the user name and password match the stored values and the random number is also the same, the upper computer has not regenerated its encrypted identity information for this access; the encrypted identity information may have been stolen and replayed, so verification fails;
6bc) if the user name and password match the stored values and the random number differs, authentication passes;
6c) after verification passes, the access control unit sends an enable signal to the data input/output control unit, allowing the external device to read and write data of the data acquisition terminal; it then updates the identity information in the identity information storage unit and enables the key generation unit to regenerate the key pair.
7) The upper computer writes data into the downlink data buffer unit and reads data from the uplink data buffer unit through the data input/output control unit, achieving data communication with the data acquisition terminal.
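The key generation, encryption, verification and key-rotation steps above (steps 2), 4) and 6), together with the host workflow), carried through end to end as an added Python example; this is not the patent's own C/NTL program or FPGA design. Assumed, because the page does not fix them: n = 32, q = 7681, σ = 2, the constant q//2 for f(m) and the decoding window [q/4, 3q/4) (the page's formula images are not reproduced here), a "|" separator inside m, and decryption as c2 − c1·s, which is the combination that cancels a·s·e1 when b = a·s + e as in step 2b) (the page's m2 = c1·s + c2 would instead require b = −a·s + e).

```python
"""Ring-LWE access-control demo (added example, not the patent's C/NTL or FPGA code).

Assumptions not fixed by the page: n = 32, q = 7681, sigma = 2, the encoding
constant q//2 for f(m), the decoding window [q/4, 3q/4), and the "|" separator
between user name, password and random number.  Decryption uses c2 - c1*s.
"""
import random
import secrets

N = 32        # polynomial degree n; R = Z_q[x] / (x^n + 1)
Q = 7681      # prime modulus with q = 1 (mod 2n): 7681 = 240 * 32 + 1
SIGMA = 2.0   # standard deviation of the discrete Gaussian D_sigma


def make_rng(seed=None):
    """Seeded PRNG so the demo is reproducible; a real device needs a CSPRNG."""
    return random.Random(seed)


def gauss_poly(rng):
    """Polynomial with coefficients from a rounded Gaussian (stand-in for D_sigma)."""
    return [round(rng.gauss(0, SIGMA)) % Q for _ in range(N)]


def poly_add(f, g):
    return [(x + y) % Q for x, y in zip(f, g)]


def poly_sub(f, g):
    return [(x - y) % Q for x, y in zip(f, g)]


def poly_mul(f, g):
    """Schoolbook product modulo x^n + 1 (a wrapped term x^(n+k) becomes -x^k)."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N:
                out[i + j] = (out[i + j] + fi * gj) % Q
            else:
                out[i + j - N] = (out[i + j - N] - fi * gj) % Q
    return out


def keygen(rng):
    """Step 2): s, e from D_sigma, a uniform in R; sk = s, pk = (a, b = a*s + e)."""
    s, e = gauss_poly(rng), gauss_poly(rng)
    a = [rng.randrange(Q) for _ in range(N)]
    return s, (a, poly_add(poly_mul(a, s), e))


def to_blocks(data):
    """Big-endian bit string of `data`, zero-padded and cut into n-bit blocks."""
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    bits += [0] * (-len(bits) % N)
    return [bits[i:i + N] for i in range(0, len(bits), N)]


def encrypt(pk, data, rng):
    """Steps 4b)-4d) per block: m1 = (q//2)*m, c1 = a*e1 + e2, c2 = b*e1 + e3 + m1."""
    a, b = pk
    cts = []
    for block in to_blocks(data):
        e1, e2, e3 = gauss_poly(rng), gauss_poly(rng), gauss_poly(rng)
        m1 = [(Q // 2) * bit for bit in block]
        c1 = poly_add(poly_mul(a, e1), e2)
        c2 = poly_add(poly_add(poly_mul(b, e1), e3), m1)
        cts.append((c1, c2))
    return cts


def decrypt(sk, cts, nbytes):
    """Steps 6aa)-6ab): m2 = c2 - c1*s; a coefficient near q/2 decodes to bit 1."""
    bits = []
    for c1, c2 in cts:
        m2 = poly_sub(c2, poly_mul(c1, sk))
        bits += [1 if Q // 4 <= x < 3 * Q // 4 else 0 for x in m2]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, 8 * nbytes, 8))


class Terminal:
    """Access-control unit of the FPGA side: identity record, key pair, enable flag."""

    def __init__(self, username, password, initial_nonce, rng):
        self.rng = rng
        self.record = (username, password, initial_nonce)  # identity information storage unit
        self.enabled = False                               # enable signal to data I/O control
        self.sk, self.pk = keygen(rng)                     # step 2): key pair at power-up

    def request_access(self, cts, nbytes):
        """Steps 6a)-6c): decrypt, split, compare, then enable and rotate the key pair."""
        parts = decrypt(self.sk, cts, nbytes).decode("utf-8", "replace").split("|")
        if len(parts) != 3:
            return False                                   # garbage plaintext (wrong key)
        user, pw, nonce = parts
        if (user, pw) != self.record[:2]:
            return False                                   # 6ba): wrong credentials
        if nonce == self.record[2]:
            return False                                   # 6bb): replayed request
        self.record = (user, pw, nonce)                    # 6c): store the new random number
        self.enabled = True
        self.sk, self.pk = keygen(self.rng)               # 6c): regenerate key pair
        return True


def host_request(terminal, username, password, rng, nonce=None):
    """Host side, step 4): m = user|password|random, encrypted under the terminal's pk."""
    nonce = nonce or secrets.token_hex(4)
    m = f"{username}|{password}|{nonce}".encode()
    return encrypt(terminal.pk, m, rng), len(m)
```

The seeded PRNG is only for reproducibility: the page's rand() random number and eight-bit LFSR key material are both predictable, and a deployed terminal needs a cryptographic randomness source for s, e, e1, e2, e3 and the random number.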
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present disclosure and is not intended to limit the present disclosure, and various modifications and changes may be made to the present disclosure by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.
Although the embodiments of the present disclosure have been described with reference to the accompanying drawings, it is not intended to limit the scope of the present disclosure, and it should be understood by those skilled in the art that various modifications and variations can be made without inventive changes in the technical solutions of the present disclosure.

Claims (3)

1. A terminal access control method based on lattice codes is characterized in that: the method comprises the following steps:
step 1) setting identity information initial data in an identity information storage unit circuit;
step 2) after the terminal equipment is electrified and starts working, the key generation unit generates a public key and a private key, writes the public key into the public key storage unit, and writes the private key into the private key storage unit;
step 3) when the upper computer wants to access the terminal equipment, inputting a user name and password information in an identity information input module, and then sending the user name and password information to an encryption program module based on a lattice password;
step 4) after the encryption program module based on the lattice code receives the identity information, reading public key information from the public key storage unit of the terminal, and then encrypting the identity information by using the public key;
step 5) the encrypted identity information c is sent to an access control unit of the terminal by an encryption program module based on the lattice code;
step 6) the access control unit of the terminal decrypts the received encrypted identity information c to obtain the identity information and then verifies it; after the verification is passed, the access control unit sends an enable signal to the data input and output control unit to allow the external equipment to read and write data of the data acquisition terminal, updates the corresponding identity information into the identity information storage unit, and sends an enable signal to the key generation unit to regenerate the key pair;
step 7) the upper computer writes data to the downlink data cache unit through the data input and output control unit and reads data from the uplink data cache unit, so that data communication with the data acquisition terminal is realized;
the step 6) specifically comprises the following steps:
step 6a) the access control unit first decrypts the access verification information, and then obtains the unencrypted identity information;
step 6b) the user name, the password and the random number are split apart again, and each is compared with the corresponding data in the identity information storage unit for verification;
step 6c) after the verification is passed, the access control unit sends an enable signal to the data input and output control unit, allows the external equipment to read and write data of the data acquisition terminal, updates the corresponding identity information into the identity information storage unit, and sends an enable signal to the key generation unit to regenerate the key pair;
said step 6a) comprises:
step 6aa) for the unencrypted identity information m, performing cyclic polynomial multiplication of the first part c1 of the ciphertext with the private key s, and performing polynomial addition of the obtained result with the second part c2 of the ciphertext to obtain m2, namely m2 = c1·s + c2;
step 6ab) converting m2 from the range of [0, q-1] to the range of [0, 1], so that m3 is obtained after conversion is completed, and m3 is equal to the identity information m before encryption;
the step 6b) specifically comprises:
step 6ba) if the user name and the password are different from those of the storage area, the authentication fails;
step 6bb) if the user name and the password are the same as those in the storage area and the random number is also the same, the upper computer did not regenerate the encrypted identity information for this access; the encrypted identity information may have been stolen and reused, and the authentication fails;
step 6bc) if the user name and password are the same as those of the storage area and the random number is different, the authentication is passed.
2. The method of claim 1, further comprising: the step 2) comprises the following steps:
step 2a) setting the highest degree n of the polynomial, wherein the modulus q is a prime number satisfying q ≡ 1 mod 2n; randomly selecting a polynomial s ∈ R obeying the distribution D_σ and taking s as the private key, randomly selecting a polynomial e ∈ R obeying the distribution D_σ and taking e as the error polynomial, and uniformly at random selecting a ∈ R, wherein D_σ is a discrete Gaussian distribution over the integer domain Z with expectation 0 and standard deviation σ, and R is the polynomial ring Z_q[x]/(x^n + 1);
step 2b) calculating b = a·s + e, wherein the error polynomial e is the crux of the LWE problem: if there were no error term, s could be computed directly from b and a;
and 2c) obtaining the private key sk = s and the public key pk = (a, b), writing the public key into the public key storage unit, and writing the private key into the private key storage unit.
3. The method of claim 1, further comprising: the step 4) specifically comprises the following steps:
step 4a) generating a random number, and splicing the random number behind the user name and password information to form complete identity authentication information m;
step 4b) randomly selecting e1, e2, e3 ∈ R according to the distribution D_σ, wherein D_σ is a discrete Gaussian distribution over the integer domain Z with expectation 0 and standard deviation σ, and R is the polynomial ring Z_q[x]/(x^n + 1);
step 4c) letting m1 = f(m) ∈ R, where f is given by Figure FDA0003598190880000031 (formula image not reproduced on this page) and realizes the modulus-domain conversion, converting the input information m from the range [0, 1] into the range [0, q-1];
step 4d) encrypting the identity information using the public key information, where c1 = a·e1 + e2 and c2 = b·e1 + e3 + m1, to obtain the ciphertext containing the identity information, c = (c1, c2), that is, the encrypted identity information.
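Claims 1 to 3 above specify the ring-LWE key generation (step 2), encryption (step 4), decryption (step 6a) and the replay check on the random number (step 6b). The following Python is an added worked example, not code from the patent or its applicant; it assumes toy parameters n = 16, q = 257, σ = 1, an assumed bit encoding f(m) = ⌊q/2⌋·m (the page does not reproduce the formula for f), and a constructed "user:password:nonce" framing for m, and it computes the decryption as c2 − c1·s, the combination under which the error terms of the claim 2 key pair b = a·s + e cancel (the claim's c1·s + c2 corresponds to the opposite sign convention for b).

```python
import random
# Toy parameters for this example only (far too small for real security); 257 = 8*32 + 1, so q ≡ 1 mod 2n.
N, Q, SIGMA = 16, 257, 1.0

def poly_mul(a, b):
    """Multiply in R = Z_q[x]/(x^n + 1): a term x^k with k >= n wraps around to -x^(k-n)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sign = (i + j, 1) if i + j < N else (i + j - N, -1)
            res[k] = (res[k] + sign * ai * bj) % Q
    return res
def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]
def gauss_poly(rng):
    """Small polynomial with coefficients from a rounded Gaussian D_sigma, reduced mod q."""
    return [round(rng.gauss(0, SIGMA)) % Q for _ in range(N)]

def keygen(rng):
    """Claim 2: s, e <- D_sigma, a uniform in R, b = a*s + e; sk = s, pk = (a, b)."""
    s, e, a = gauss_poly(rng), gauss_poly(rng), [rng.randrange(Q) for _ in range(N)]
    return s, (a, poly_add(poly_mul(a, s), e))

def encrypt(pk, bits, rng):
    """Claim 3: m1 = f(m) lifts each bit to {0, q//2} (f assumed); c1 = a*e1 + e2, c2 = b*e1 + e3 + m1."""
    a, b = pk
    e1, e2, e3 = gauss_poly(rng), gauss_poly(rng), gauss_poly(rng)
    m1 = [Q // 2 * x for x in bits]
    return poly_add(poly_mul(a, e1), e2), poly_add(poly_add(poly_mul(b, e1), e3), m1)

def decrypt(sk, c):
    """Step 6a: c2 - c1*s = m1 + (e*e1 + e3 - e2*s); small noise, so near q/2 -> 1, near 0 or q -> 0."""
    m2 = [(y - x) % Q for x, y in zip(poly_mul(c[0], sk), c[1])]
    return [1 if Q // 4 < x < 3 * Q // 4 else 0 for x in m2]

def encrypt_identity(pk, user, pw, nonce, rng):
    """Step 4a: m = user||pw||nonce (constructed ASCII framing), encrypted as zero-padded n-bit blocks."""
    bits = [(ch >> k) & 1 for ch in f"{user}:{pw}:{nonce}".encode() for k in range(8)]
    return [encrypt(pk, (bits[i:i + N] + [0] * N)[:N], rng) for i in range(0, len(bits), N)]

def access_control(store, sk, blocks):
    """Step 6b: decrypt, split and compare with the stored record; an unchanged random number
    means a replayed ciphertext and is rejected. On success the new random number is stored."""
    bits = [b for blk in blocks for b in decrypt(sk, blk)]
    text = bytes(sum(bits[i + k] << k for k in range(8)) for i in range(0, len(bits), 8))
    user, pw, nonce = text.decode("latin-1").rstrip("\x00").split(":")
    if (user, pw) != (store["user"], store["pw"]) or nonce == store["nonce"]:
        return False
    store["nonce"] = nonce
    return True
```

As in step 6c, only the most recently accepted random number is kept, so the check rejects a replay of the latest message rather than any earlier one; the key-pair regeneration after a successful access is left to the caller here.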
CN202010496061.7A 2020-06-03 2020-06-03 Terminal access control system and method based on lattice code Active CN111651788B (en)

Publications (2)

Publication Number Publication Date
CN111651788A CN111651788A (en) 2020-09-11
CN111651788B true CN111651788B (en) 2022-06-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant