CN113868715A - Signature method and system based on quantum key - Google Patents

Signature method and system based on quantum key Download PDF

Info

Publication number
CN113868715A
CN113868715A CN202111194119.3A CN202111194119A CN113868715A CN 113868715 A CN113868715 A CN 113868715A CN 202111194119 A CN202111194119 A CN 202111194119A CN 113868715 A CN113868715 A CN 113868715A
Authority
CN
China
Prior art keywords
signature
key
client
value
signing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111194119.3A
Other languages
Chinese (zh)
Inventor
王一曲
方可燕
王玉东
范嘉辰
冯阳
席文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Guoxin Quantum Technology Co ltd
Original Assignee
Shenzhen Guoxin Quantum Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Guoxin Quantum Technology Co ltd filed Critical Shenzhen Guoxin Quantum Technology Co ltd
Priority to CN202111194119.3A priority Critical patent/CN113868715A/en
Publication of CN113868715A publication Critical patent/CN113868715A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N10/00Quantum computing, i.e. information processing based on quantum-mechanical phenomena

Abstract

The invention discloses a signature method and a system based on a quantum key, which comprises a first client for sending data, a second client for receiving the data and a key exchange center, wherein the first client is provided with a signature key, the key exchange center stores the signature key corresponding to the first client, and the signature method comprises the following steps: the signature process of the first client, the forwarding process of the second client and the signature verification process of the key exchange center. The invention stores the signature key of the corresponding client by setting the key exchange center with high safety, so that when the first client sends data, the real identity of the first client can be verified by the signature key stored in the key exchange center, thereby solving the safety problem of the symmetric key in quantum key distribution.

Description

Signature method and system based on quantum key
Technical Field
The invention belongs to the technical field of quantum communication, and relates to a signature for quantum communication, in particular to a signature method and a signature system based on a quantum key.
Background
With the rapid development of quantum computing, the computing power of a computer can be developed in a geometric series, and the time and cost for breaking complex operations are reduced. The existing public key based cryptosystem (PKI), which is an asymmetric cipher based on complex mathematical operations, will face a serious challenge to the security of the existing mainstream public key cryptography represented by ECC/RSA in the foreseeable future. At the present stage, two technical approaches can resist quantum computing threats: one is a quantum secure communication technology based on quantum physics, of which QKD (quantum key distribution) technology is mainly represented; the other is an alternative algorithm scheme based on post-quantum cryptography (PQC), which is represented by a novel public key cryptography algorithm based on lattice, multivariable, Hash and other mathematical difficult problems.
The mainstream signature process adopts an asymmetric encryption algorithm based on a public key, and the main process is as follows: the method comprises the steps that a sender generates a message digest from a message text by using a hash function, then the digest is encrypted by using a private key of the sender, the encrypted digest is used as a digital signature of the message and is sent to a receiver together with the message, the receiver firstly calculates the message digest from the received original message by using the hash function same as that of the sender, then decrypts the digital signature attached to the message by using a public key, and if the two digests are the same, the receiver can confirm that the message is the sender. The digital signature has the following effects: one is to be able to determine that the message was indeed signed and sent by the sender because someone else cannot impersonate the sender's signature. The second is that the digital signature can determine the integrity of the message. Because the digital signature is characterized in that it represents the characteristics of the file, if the file is changed, the value of the digital abstract will also be changed, and different files will obtain different digital abstracts.
It can be seen that asymmetric encryption has a significant advantage over traditional symmetric encryption in that the encryption key for symmetric encryption is public, and anyone can impersonate the sender to encrypt the message, so that the identity of the sender cannot be verified. In the quantum transmission process, the interception of intermediate information by a third party can be detected by the communication system, and although the quantum key distribution system based on the QKD technology realizes the secure transmission of the quantum key, the quantum key belongs to a symmetric key and has defects in a signature algorithm.
Disclosure of Invention
Aiming at the technical scheme that a security system of a symmetric key does not effectively sign transmission data in the existing quantum key distribution system based on the QKD technology, the invention aims to provide a signature method and a signature system based on the quantum key, and a signature process based on the symmetric key is realized by adding a key exchange center for managing the signature key.
In a first aspect, to achieve the above technical object, the present invention provides a quantum-key-based signing method, including a first client for sending data, a second client for receiving data, and a key exchange center, where the first client has at least a signing key distributed by a quantum network, and the key exchange center stores at least a signing key corresponding to the first client and distributed by the quantum network, and the signing method includes:
signature process of the first client:
obtaining a first hash value of data to be signed according to a preset hash algorithm;
signing by using a signing key to generate a first signing value;
sending the signed data, identity information of the first client and the first signature value to the second client;
and the forwarding process of the second client:
receiving the data sent by the first client, the identity information of the first client and a first signature value;
obtaining a second hash value for the data according to a preset hash algorithm;
sending the second hash value, the identity information of the first client and the first signature value to a key exchange center;
the signature verification process of the key exchange center comprises the following steps:
receiving a second hash value sent by a second client, identity information of a first client and a first signature value;
signing again by using the signing key to obtain a second signing value;
and obtaining a verification result through the second signature value and the first signature value.
By adopting the signing method of the technical scheme, the signing key of the corresponding client is stored by setting the key exchange center with high security, so that the true identity of the first client can be verified by the signing key stored in the key exchange center when the first client sends data.
Preferably, the generating a first signature value by signing with a signature key includes:
splicing the first hash value with the identity information of the first client to obtain a first character string;
and performing HMAC operation on the first character string through the signature key to obtain a first signature value.
Preferably, the re-signing with the signing key to obtain the second signing value includes:
splicing the second hash value with the identity information of the first client to obtain a second character string;
and performing HMAC operation on the second character string through a signature key which is stored in the key exchange center and corresponds to the first client to obtain a second signature value.
Preferably, the obtaining of the verification result through the second signature value and the first signature value includes:
comparing the second signature value to the first signature value;
if the verification information is the same as the verification information, returning verification passing information to the second client, otherwise, returning verification failing information to the second client.
In a second aspect, the present application further provides another quantum-key-based signing method applied to data storage, including a client for locally storing data and a key exchange center for verifying a signature, where the client has at least a signing key distributed by a quantum network, and the key exchange center stores a historical signing key distributed by the quantum network and corresponding to the client, and the signing method includes:
and (3) signature process:
the client side obtains a first hash value according to a preset hash algorithm on data to be stored;
signing by using a signature key for storage to generate a first signature value, wherein the signature key for storage is a signature key distributed to a client by a quantum network when the client signs data to be stored;
storing the data to be stored and signature information to a client together, wherein the signature information comprises identity information of the client, a first signature value and a key attribute of a signature key for storage;
and (3) a label checking process:
the client obtains a second hash value for the stored data according to a preset hash algorithm;
sending the second hash value and the signature information to a key exchange center;
the key exchange center searches out a signature key for storage used in the client signature process from the historical signature keys according to the key attribute of the signature key for storage;
verifying and signing by using the signature key for storage searched from the historical signature key to obtain a second signature value;
and obtaining a verification result through the second signature value and the first signature value.
Preferably, the generating a first signature value by signing with a signature key for storage includes:
splicing the first hash value and the identity information of the client to obtain a first character string;
extracting an atomic key from the signing key for storage;
and performing HMAC operation on the first character string through the atomic key to obtain a first signature value.
Preferably, the key exchange center searches the signing key for storage used in the client signing process from the historical signing keys according to the key attribute of the signing key for storage, and includes:
acquiring a key unique identifier from the key attribute of the stored signature key;
and searching a signature key for storage used in the process of signing with the client from the historical signature key according to the unique key identifier.
Preferably, the obtaining a second signature value by performing verification signature using the signature key for storage found from the historical signature key includes:
splicing the second hash value with the identity information of the client to obtain a second character string;
extracting an atomic key from the signature key for storage found from the historical signature keys;
and performing HMAC operation on the second character string through the atomic key to obtain a second signature value.
Preferably, the obtaining of the verification result through the second signature value and the first signature value includes:
comparing the second signature value to the first signature value;
if the data are the same, the data stored in the local client are actually stored in the client, otherwise, the data stored in the local client are not actually stored in the client.
In a third aspect, the present invention further provides a quantum key based signing system, including a first client for sending data, a second client for receiving data, and a key exchange center, where the first client has at least a signing key distributed by a quantum network, and the key exchange center stores at least a signing key corresponding to the first client distributed by the quantum network;
the first client comprises a signature module, the signature module obtains a first hash value according to a preset hash algorithm for data to be signed, then carries out signature by using a signature key to generate a first signature value, and finally sends the signed data, the identity information of the first client and the first signature value to a second client;
the second client comprises a forwarding module, the forwarding module receives the data sent by the first client, the identity information of the first client and the first signature value, obtains a second hash value according to a preset hash algorithm on the data, and sends the second hash value, the identity information of the first client and the first signature value to the key exchange center;
the key exchange center comprises a signature verification module, the signature verification module receives a second hash value sent by a second client, identity information of a first client and a first signature value, then uses a signature key to perform re-signature to obtain a second signature value, and finally obtains a verification result through the second signature value and the first signature value.
In a fourth aspect, the present application also provides a quantum-key-based signing system applied to data storage, including a client for locally storing data and a key exchange center for verifying a signature, where the client has at least a signing key distributed by a quantum network, and the key exchange center stores a historical signing key distributed by the quantum network and corresponding to the client, and the signing system includes:
the hash module is used for obtaining a first hash value of the data to be stored according to a preset hash algorithm during signature and obtaining a second hash value of the stored data according to the preset hash algorithm during signature verification;
the signature module is used for carrying out signature by utilizing a signature key for storage to generate a first signature value, wherein the signature key for storage is a signature key distributed to a client by a quantum network when the client signs data to be stored;
the storage module is used for storing the data to be stored and signature information to the client together, wherein the signature information comprises identity information of the client, a first signature value and a key attribute of a signature key for storage;
a sending module, configured to send the second hash value and the signature information to a key exchange center;
the searching module is used for searching the signing key for storage used in the client signing process from the historical signing key according to the key attribute of the signing key for storage;
the signature verification module is used for verifying and signing by using the signature key for storage searched from the historical signature key to obtain a second signature value;
and the verification module obtains a verification result by comparing the second signature value with the first signature value.
By adding the key exchange center, the signature method and the signature system can not only carry out signature verification on data sent by two interactive parties, but also verify the integrity and the safety of data locally stored by the client.
Drawings
FIG. 1 is a flow chart of a signature process in a data transmission signature method;
FIG. 2 is a flow chart of a forwarding process in a data transmission signature method;
FIG. 3 is a flow chart of a signature verification process in the data transmission signature method;
FIG. 4 is a sequence diagram illustrating interaction between two parties of communication and a key exchange center in a data transmission signature method;
FIG. 5 is a flow diagram of a signing method for local storage of data;
FIG. 6 is a block diagram of a signature system module for local storage of data.
Detailed Description
In order to facilitate understanding of those skilled in the art, the present invention will be further described with reference to the following examples and drawings, which are not intended to limit the present invention.
The following is an example of an interaction process of a data sender a, a data receiver B and a key exchange center:
as shown in fig. 1 to 4, this embodiment provides a quantum key-based signing method applying three-party interaction, where a data sender a at least has a signing key distributed by a quantum network for sending data, a data receiver B receives data, and a key exchange center at least stores the signing key distributed by the quantum network and corresponding to the data sender a, the signing method includes the following steps:
(1) signature process of data sender A
S11: obtaining a first hash value of the data to be signed according to a preset hash algorithm
The above process is equivalent to hashing the message by a public key system to obtain an abstract, in this embodiment, the hash algorithm selects an SM3 hash algorithm, which is a domestic cryptographic hash function standard, the relevant standard is "GM/T0004-2012" SM3 cryptographic hash algorithm ", and SM3 is mainly used for digital signature and verification, message authentication code generation and verification, random number generation, and the like.
The hash algorithm includes, in addition to the SM3 algorithm, SHA-2, MD5, and other hash functions that ensure that information is not tampered with.
S12: generating a first signature value by signing with a signing key
The step is equivalent to a public key system performing digital signature on the abstract by using a private key, and the difference of the step is a symmetric key adopted by the signature, and the specific process is as follows:
firstly, the first hash value obtained in the step S11 and the identity information of the data sender a are sequentially spliced to obtain a character string M1, and then HMAC operation is performed on the character string M1 through a signature key to obtain a first signature value.
HMAC (Hash-based Message Authentication Code) is a method for Message Authentication based on a Hash function and a key. If we use the SM3 algorithm, it corresponds to the SM3-HMAC algorithm.
S13: sending the signed data, the identity information of the data sender A and the first signature value to the data receiver B
In this step, after the data is signed, the data is required to be sent to the data receiver B together with the identity information of the data sender a and the first signature value generated in step S12.
(2) Forwarding process of data receiver B
S21: receiving the data sent by a data sender A, the identity information of the data sender A and a first signature value
S22: obtaining a second hash value according to a preset hash algorithm on the data
In this step, the plaintext of the data is subjected to hash operation to obtain a second hash value, and the plaintext of the data is obtained by decrypting the encrypted data sent by the data sender a.
S23: sending the second hash value, the identity information of the data sender A and the first signature value to a key exchange center
(3) Signature verification process for key exchange center
S31: receiving a second hash value sent by a data receiver B, identity information of a data sender A and a first signature value;
s32: signing again by using the signing key to obtain a second signing value
This step is similar to S12, and the main purpose is to prepare for signature verification, and the specific steps are as follows:
and sequentially splicing the second hash value and the identity information of the data sender A to obtain a character string M2, and performing HMAC operation on the character string M2 through a signature key which is stored in a key exchange center and corresponds to the data sender A to obtain a second signature value.
Since only the key exchange center has the signing key corresponding to the client except for the client itself, in this embodiment, only the key exchange center can verify the identity information of the signing party.
S33: obtaining a verification result through the second signature value and the first signature value, specifically:
and comparing the second signature value with the first signature value, if the second signature value is the same as the first signature value, returning verification passing information to the data receiver B, indicating that the identity information of the signature party is real and the transmitted data is not modified, otherwise, returning verification failing information to the data receiver B, and informing the data sender A by the data receiver B according to the received verification result.
As can be seen from the above steps, as long as the data sent by the data sender a is the same as the data received by the data receiver B, the integrity of data transmission can be determined through the signature verification of the key exchange center, and the authenticity of the identity of the data sender a is described through the signature verification of the key exchange center.
Since the signature method is mainly described in this embodiment, the data transmission process is omitted, and the following description is briefly made:
the data transmitting party a transmits data to the data receiving party B instead of sending the data in plaintext, which needs to be realized by a corresponding algorithm in quantum communication, and a relatively simple data security transmission method is provided for reference.
First, the two communication parties need to distribute a temporary session key (the session key needs to be discarded after transmission) for the two communication parties through a negotiation algorithm, the session key is used for encryption and decryption in the data transmission process, the data sent by the data sending party a to the data receiving party B is a ciphertext encrypted by the session key, the data receiving party B receives the ciphertext and decrypts the ciphertext by using the corresponding session key to obtain plaintext data, and the data hashed in step S22 is the plaintext data.
In quantum communication, each client theoretically needs to distribute an encryption key and a signature key, a key exchange center is provided with the encryption key and the signature key corresponding to each client identity, in order to ensure the security of quantum communication, the key exchange center has quite high security on information stored by the key exchange center, and the stored encryption key and signature key are mainly used for verifying identity and are not disclosed to the outside.
It is possible that both the encryption key and the signing key are used during quantum communication, for example, during session key agreement, both the encryption key and the signing key of the communication sender and the encryption key of the communication receiver are used. In the application, only the signature key of the communication sender is used, and the key exchange center plays a role in signature verification, so that the key exchange center is very important for the security of key management.
In view of the foregoing analysis, the present embodiment provides a quantum-key-based signing system, including a data sender a for sending data, a data receiver B for receiving data, and a key exchange center, where the data sender a has at least a signing key distributed by a quantum network, and the key exchange center stores at least a signing key corresponding to the data sender a distributed by the quantum network.
The data sending party A comprises a signature module, the signature module obtains a first hash value according to a preset hash algorithm for data to be signed, then uses a signature key to carry out signature to generate a first signature value, and finally sends the signed data, the identity information of the data sending party A and the first signature value to the data receiving party B.
The first signature value is obtained by the following process: the obtained first hash value and the identity information of the data sender A are sequentially spliced to obtain a character string M1, and HMAC operation is performed on the character string M1 through a signature key to obtain a first signature value.
HMAC (Hash-based Message Authentication Code) is a method for Message Authentication based on a Hash function and a key. If we use the SM3 algorithm, it corresponds to the SM3-HMAC algorithm.
The data receiving party B comprises a forwarding module, the forwarding module receives the data sent by the data sending party A, the identity information of the data sending party A and the first signature value, obtains a second hash value according to a preset hash algorithm on the data, and finally sends the second hash value, the identity information of the data sending party A and the first signature value to the key exchange center.
The key exchange center comprises a signature verification module, the signature verification module receives the second hash value sent by the data receiver B, the identity information of the data sender A and the first signature value, then uses the signature key to perform re-signature to obtain a second signature value, and finally obtains a verification result by comparing the first signature value with the second signature value.
Wherein the second signature value is obtained by: and sequentially splicing the second hash value and the identity information of the data sender A to obtain a character string M2, and performing HMAC operation on the character string M2 through a signature key which is stored in a key exchange center and corresponds to the data sender A to obtain a second signature value.
The preset hash algorithm is an SM3 hash algorithm.
It can be seen that, both the above two embodiments are applied to data transmission, and the present application may also apply a signature method to data storage for verifying locally stored data, where the signature method is only for locally stored clients, the clients also have at least a signature key distributed by a quantum network, and the key exchange center stores a historical signature key distributed by the quantum network and corresponding to the clients.
Generally, the key exchange center needs to store and record all signing keys distributed by the quantum network for many years, and all the signing keys discarded before form historical signing keys which are stored in the key exchange center, so that the data security of the key exchange center is crucial and will not be discussed in this application.
As shown in fig. 5, the signature method specifically includes a signature process and a signature verification process, where the signature mainly stores the signature information and the data to be stored to a local client, and when verifying the signature, the signature information and the like need to be sent to a key exchange center for verification, and the signature process and the signature verification process are specifically described below.
And (3) signature process:
in the signing process, the client that stores the data is named a storage client, and has a storage signing key distributed by a quantum network, and the storage signing key is only a valid signing key that can be used by the current storage client.
S41: the storage client obtains a first hash value for data to be signed according to a preset hash algorithm, wherein the data to be signed is data to be signed and stored, and the preset hash algorithm is an SM3 hash algorithm.
S42: and signing by using a signature key for storage to generate a first signature value, wherein the signature key for storage is a signature key distributed to a client by a quantum network when the client signs data to be stored.
According to the related content of GM/T0051 and GM/T0050 in the symmetric key management system, the encapsulation format of the standard key includes information such as a key unique identifier (KeyID, including managed system identifier, management node identifier and key number), a key type, a key length, an atomic key, etc., and the signing key adopts the encapsulation format in which the atomic key is a random number really used for signing, and other non-atomic key information including the key unique identifier belongs to the key attribute of the signing key.
Therefore, the specific process of signing by using the signing key in this step is as follows:
sequentially splicing the first hash value obtained in the step S41 with the identity information of the storage client to obtain a character string M3; an atomic key is extracted from the storage signature key, and HMAC operation is performed on the character string M3 using the atomic key to obtain a first signature value.
S43: and storing the data to be stored and the signature information to the storage client together, wherein the signature information comprises identity information of the storage client, a first signature value and a key attribute of a storage signature key.
The first signature value is reserved for verifying the authenticity of the data signature at a later stage, the key attribute comprises a key unique identifier which can find a signature key used for storing the signature from historical key data, the key attribute can also directly use the key unique identifier, the historical key is considered to be only a signature key, and the key attribute also comprises an encryption key, a session key and the like, and in order to improve the finding speed, the key type can be added into the key attribute, so that the key type can be found only in the historical key of which the key type belongs to the signature key.
The data can be stored in plaintext in the storage process, and more safely, the data is encrypted by an encryption key of the client to obtain a ciphertext and then stored.
When the integrity and the safety of the stored data are verified, the storage client needs to interact with the key exchange center to perform a signature verification process, and the specific steps are as follows:
s44: the storage client obtains a second hash value for the stored data according to a preset hash algorithm
The predetermined hash algorithm is SM3 hash algorithm, and the calculation of the second hash value is prepared for later verification whether the stored data is modified, and if the data is modified, the second hash value is also changed.
S45: sending the second hash value and the signature information to the key exchange center
The signature information here includes identity information of the storage client used when the storage data is signed, key attributes of the storage signature key, and the like.
S46: the key exchange center searches out the signature key for storage used in the process of signing by the client terminal from the historical signature keys according to the key attribute of the signature key for storage, and the signature key of the client terminal for storage needs to be updated irregularly or periodically, so that only the signature key can be searched in the historical signature keys of the key exchange center for signature verification, and the specific process is as follows:
and acquiring a key unique identifier from the key attribute of the storage signing key, and searching the storage signing key used in the client signing process from the historical signing key according to the key unique identifier.
S47: and verifying and signing by using the signature key for storage searched from the historical signature key to obtain a second signature value.
The step is a core process of signature verification of a key exchange center, and specifically comprises the following steps:
splicing the second hash value with the identity information of the storage client to obtain a character string M4; extracting an atomic key from the signature key for storage found in step S46, where the atomic key is a random number for signing the data to be stored in step S42 when signing; and performing HMAC operation on the character string M4 through the atomic key to obtain a second signature value.
S48: obtaining a verification result through the first signature value and the second signature value, specifically: and comparing the first signature value with the second signature value, if the first signature value and the second signature value are the same, the data stored in the storage client is the real legal storage of the storage client, otherwise, the data stored in the local client is not the real storage of the client, and the data can be the non-local storage or the data is modified by a person.
And finally, the key exchange center sends the verification result to the storage client, and then prompts users according to the verification result when the users use the stored data, such as: if the data is verified to be safe, the data can be directly used, and if the data is verified to be unsafe, the risk of the safety and the integrity of the data needs to be prompted.
Through the process, the integrity and the safety of the locally stored data can be verified, and the data is confirmed to be locally stored in the client.
Similarly, the present application also provides a signature system for verifying the security of stored data, which includes a hash module, a signature module, a storage module, a sending module, a searching module, a signature verification module and a verification module, as shown in fig. 6.
When signing, the hash module, the signature module and the storage module need to be called, and when signing is verified, the hash module, the sending module, the searching module, the signing verification module and the verification module need to be called
The hash module can be used for signing and signature checking, the hash module obtains a first hash value for data to be stored according to a preset hash algorithm during signing, a second hash value for the stored data according to the preset hash algorithm during signature checking is obtained, and the preset hash algorithms all adopt SM3 hash algorithms.
The signature module performs signature by using a storage signature key to generate a first signature value, wherein the storage signature key is a signature key distributed to a client by a quantum network when the client signs data to be stored.
The signature module obtains a first signature value according to the following method:
sequentially splicing the first hash value and the identity information of the client to obtain a character string M3; an atomic key is extracted from the storage signature key, and HMAC operation is performed on the character string M3 using the atomic key to obtain a first signature value.
The storage module is used for storing the data to be stored and the signature information to the client together, and the signature information comprises identity information of the client, a first signature value and a key attribute of a signature key for storage.
And during signature verification, the hash module calculates the stored data to obtain a second hash value, and then the sending module sends the second hash value and the signature information to the key exchange center.
The key exchange center searches a signature key for storage used in the client signature process from a historical signature key (a historical key library) through a search module, and specifically comprises the following steps: the searching module obtains the unique key identifier from the key attribute of the storage signing key, and searches the storage signing key used in the client signing process from the historical signing key according to the unique key identifier.
The signature verification module verifies the signature by using the signature key for storage searched from the historical signature key by using the search module to obtain a second signature value, and the specific steps are as follows:
splicing the second hash value with the identity information of the storage client to obtain a character string M4; extracting an atomic key from the searched signature key for storage; and performing HMAC operation on the character string M4 through the atomic key to obtain a second signature value.
The verification module obtains a verification result by comparing the second signature value with the first signature value, if the first signature value is the same as the second signature value, the data stored in the storage client is the true legal storage of the storage client, otherwise, the data stored in the local client is not the true storage of the client, and the data may be the non-local storage or the data is modified by a person.
The key exchange center returns the verification result to the client, and the client realizes signature verification through the key exchange center, so that the integrity and the safety of the stored data can be analyzed.
The foregoing describes a quantum key based signature method and system provided in the present application in detail. The description of the specific embodiments is only intended to facilitate an understanding of the methods of the present application and their core concepts. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (10)

1. A quantum-key-based signing method, comprising a first client for sending data, a second client for receiving data, and a key exchange center, wherein the first client has at least a signing key distributed by a quantum network, and the key exchange center stores at least a signing key corresponding to the first client distributed by the quantum network, the signing method comprising:
signature process of the first client:
obtaining a first hash value of data to be signed according to a preset hash algorithm;
signing by using a signing key to generate a first signing value;
sending the signed data, identity information of the first client and the first signature value to the second client;
and the forwarding process of the second client:
receiving the data sent by the first client, the identity information of the first client and a first signature value;
obtaining a second hash value for the data according to a preset hash algorithm;
sending the second hash value, the identity information of the first client and the first signature value to a key exchange center;
the signature verification process of the key exchange center comprises the following steps:
receiving a second hash value sent by a second client, identity information of a first client and a first signature value;
signing again by using the signing key to obtain a second signing value;
and obtaining a verification result through the second signature value and the first signature value.
2. The quantum key signature method of claim 1, wherein the signing with the signature key to generate the first signature value comprises:
splicing the first hash value with the identity information of the first client to obtain a first character string;
and performing HMAC operation on the first character string through the signature key to obtain a first signature value.
3. The quantum key signature method of claim 2, wherein re-signing with the signature key to obtain the second signature value comprises:
splicing the second hash value with the identity information of the first client to obtain a second character string;
and performing HMAC operation on the second character string through a signature key which is stored in the key exchange center and corresponds to the first client to obtain a second signature value.
4. A quantum key-based signing method is applied to data storage and is characterized by comprising a client for locally storing data and a key exchange center for verifying signature, wherein the client at least has a signing key distributed by a quantum network, and the key exchange center stores a historical signing key distributed by the quantum network and corresponding to the client, and the signing method comprises the following steps:
and (3) signature process:
the client side obtains a first hash value according to a preset hash algorithm on data to be stored;
signing by using a signature key for storage to generate a first signature value, wherein the signature key for storage is a signature key distributed to a client by a quantum network when the client signs data to be stored;
storing the data to be stored and signature information to a client together, wherein the signature information comprises identity information of the client, a first signature value and a key attribute of a signature key for storage;
and (3) a label checking process:
the client obtains a second hash value for the stored data according to a preset hash algorithm;
sending the second hash value and the signature information to a key exchange center;
the key exchange center searches out a signature key for storage used in the client signature process from the historical signature keys according to the key attribute of the signature key for storage;
verifying and signing by using the signature key for storage searched from the historical signature key to obtain a second signature value;
and obtaining a verification result through the second signature value and the first signature value.
5. The quantum key signature method of claim 4, wherein the generating a first signature value by signing with a signature key for storage comprises:
splicing the first hash value and the identity information of the client to obtain a first character string;
extracting an atomic key from the signing key for storage;
and performing HMAC operation on the first character string through the atomic key to obtain a first signature value.
6. The quantum key signing method of claim 5, wherein the key exchange center finds out the signing key for storage used in the client signing process from the historical signing keys according to the key attribute of the signing key for storage, and comprises:
acquiring a key unique identifier from the key attribute of the stored signature key;
and searching a signature key for storage used in the process of signing with the client from the historical signature key according to the unique key identifier.
7. The quantum key signature method of claim 6, wherein the verifying the signature with the stored signature key found from the historical signature key to obtain the second signature value comprises:
splicing the second hash value with the identity information of the client to obtain a second character string;
extracting an atomic key from the signature key for storage found from the historical signature keys;
and performing HMAC operation on the second character string through the atomic key to obtain a second signature value.
8. The quantum key signature method of claim 7, wherein obtaining the verification result by the second signature value and the first signature value comprises:
comparing the second signature value to the first signature value;
if the data are the same, the data stored in the local client are actually stored in the client, otherwise, the data stored in the local client are not actually stored in the client.
9. A signature system based on a quantum key is characterized by comprising a first client for sending data, a second client for receiving the data and a key exchange center, wherein the first client at least has a signature key distributed by a quantum network, and the key exchange center at least stores the signature key distributed by the quantum network and corresponding to the first client;
the first client comprises a signature module, the signature module obtains a first hash value according to a preset hash algorithm for data to be signed, then carries out signature by using a signature key to generate a first signature value, and finally sends the signed data, the identity information of the first client and the first signature value to a second client;
the second client comprises a forwarding module, the forwarding module receives the data sent by the first client, the identity information of the first client and the first signature value, obtains a second hash value according to a preset hash algorithm on the data, and sends the second hash value, the identity information of the first client and the first signature value to the key exchange center;
the key exchange center comprises a signature verification module, the signature verification module receives a second hash value sent by a second client, identity information of a first client and a first signature value, then uses a signature key to perform re-signature to obtain a second signature value, and finally obtains a verification result through the second signature value and the first signature value.
10. A quantum-key-based signing system applied to data storage, comprising a client for locally storing data and a key exchange center for verifying a signature, wherein the client has at least a signing key distributed by a quantum network, and the key exchange center stores a historical signing key distributed by the quantum network and corresponding to the client, and the signing system comprises:
the hash module is used for obtaining a first hash value of the data to be stored according to a preset hash algorithm during signature and obtaining a second hash value of the stored data according to the preset hash algorithm during signature verification;
the signature module is used for carrying out signature by utilizing a signature key for storage to generate a first signature value, wherein the signature key for storage is a signature key distributed to a client by a quantum network when the client signs data to be stored;
the storage module is used for storing the data to be stored and signature information to the client together, wherein the signature information comprises identity information of the client, a first signature value and a key attribute of a signature key for storage;
a sending module, configured to send the second hash value and the signature information to a key exchange center;
the searching module is used for searching the signing key for storage used in the client signing process from the historical signing key according to the key attribute of the signing key for storage;
the signature verification module is used for verifying and signing by using the signature key for storage searched from the historical signature key to obtain a second signature value;
and the verification module obtains a verification result by comparing the second signature value with the first signature value.
CN202111194119.3A 2021-10-13 2021-10-13 Signature method and system based on quantum key Pending CN113868715A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111194119.3A CN113868715A (en) 2021-10-13 2021-10-13 Signature method and system based on quantum key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111194119.3A CN113868715A (en) 2021-10-13 2021-10-13 Signature method and system based on quantum key

Publications (1)

Publication Number Publication Date
CN113868715A true CN113868715A (en) 2021-12-31

Family

ID=78999246

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111194119.3A Pending CN113868715A (en) 2021-10-13 2021-10-13 Signature method and system based on quantum key

Country Status (1)

Country Link
CN (1) CN113868715A (en)

Similar Documents

Publication Publication Date Title
CN111639361B (en) Block chain key management method, multi-person common signature method and electronic device
CN110213042B (en) Cloud data deduplication method based on certificate-free proxy re-encryption
US20190377889A1 (en) Verifiable version control on authenticated and/or encrypted electronic documents
US11223486B2 (en) Digital signature method, device, and system
CN110048849B (en) Multi-layer protection session key negotiation method
CN113630248B (en) Session key negotiation method
WO2010005071A1 (en) Password authenticating method
CN113612610B (en) Session key negotiation method
CN105721153A (en) System and method for key exchange based on authentication information
CN113382002B (en) Data request method, request response method, data communication system, and storage medium
CN115632880B (en) Reliable data transmission and storage method and system based on state cryptographic algorithm
Jalil et al. A secure and efficient public auditing system of cloud storage based on BLS signature and automatic blocker protocol
CN111049738B (en) E-mail data security protection method based on hybrid encryption
CN114448641A (en) Privacy encryption method, electronic equipment, storage medium and chip
US20160080336A1 (en) Key Usage Detection
CN115604038A (en) Cloud storage data auditing system and method based on block chain and edge computing
CN109302286B (en) Fido equipment key index generation method
CN113225318B (en) Method and system for government affair big data encryption transmission and safe storage
CN110048852B (en) Quantum communication service station digital signcryption method and system based on asymmetric key pool
CN114760072B (en) Signature and signature verification method, device and storage medium
CN116318654A (en) SM2 algorithm collaborative signature system, method and equipment integrating quantum key distribution
KR100974628B1 (en) Method and System of distributing group key using broadcasting message authentication on wireless sensor network and Recording medium using this
CN116232578A (en) Multi-party collaborative signature system, method and equipment integrating quantum key distribution
CN113656818B (en) Trusted-free third party cloud storage ciphertext deduplication method and system meeting semantic security
US20220020010A1 (en) Decentralized electronic contract attestation platform

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination