WO2017152423A1 - Key negotiation method, device and system - Google Patents

Key negotiation method, device and system

Info

Publication number
WO2017152423A1
Authority
WO
WIPO (PCT)
Prior art keywords
user equipment
key
parameter
public key
signature message
Application number
PCT/CN2016/076170
Other languages
French (fr)
Chinese (zh)
Inventor
仲伟伟
陈璟
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to CN201680046828.8A priority Critical patent/CN107925578B/en
Priority to PCT/CN2016/076170 priority patent/WO2017152423A1/en
Publication of WO2017152423A1 publication Critical patent/WO2017152423A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the second aspect provides a key negotiation method, which specifically includes the following steps:
  • the first user equipment generates a first signature message according to the system parameter and the public key and the private key of the first user equipment;
  • the first user equipment selects a third random number and a fourth random number from a finite field indicated by the intermediate parameter;
  • the processing unit is further configured to generate a public key and a private key of the first user equipment according to the system parameter, the master key, and the identifier of the first user equipment;
  • the fifth aspect provides a user equipment, which is used to perform the key negotiation method described in the second aspect or the possible implementation manner of the second aspect, including:
  • the processing unit is further configured to generate the first signature message according to the system parameter, the public key and the private key of the user equipment, and the third random number and the fourth random number.
  • the processing unit is further configured to obtain a shared key for communicating with the second user equipment according to the third random number, the second signature message, and the system parameter.
  • a processing unit configured to: if the identity of the first user equipment is valid according to the first signature message and the system parameter, generate a second signature message according to the system parameter, the public key and the private key of the user equipment;
  • the sending unit is configured to send the second signature message to the first user equipment under homomorphic encryption; by using homomorphic encryption, the degree of encryption is higher than that of a hash function while the communication and computation overhead is small, reducing the complexity of the calculation;
  • the processing unit is further configured to obtain, according to the first signature message and the system parameter, a shared key that communicates with the first user equipment.
  • the processing unit is further configured to generate a public key and a private key of the first user equipment according to the system parameter, the master key, and the identifier of the first user equipment;
  • the interface circuit is further configured to send the public key and the private key of the first user equipment to the first user equipment under homomorphic encryption, for the first user equipment to perform key agreement with the second user equipment; by adopting homomorphic encryption, the degree of encryption is higher and the communication and calculation overhead is smaller, which reduces the computational complexity;
  • the key generation device in the present invention can be used to perform the method flow of the first aspect; for the technical effects that can be obtained, refer to the method of the first aspect, which is not described herein again.
  • a first interface circuit configured to receive a system parameter sent by the key generation device, where the system parameter includes an elliptic curve parameter, an intermediate parameter, and a system public key, where the intermediate parameter is used to indicate a finite field defined by the elliptic curve parameter, and the system public key is used by the user equipment to perform key agreement with the second user equipment
  • the user equipment in the present invention can be used to perform the method flow of the second aspect; for the technical effects that can be obtained, refer to the method of the second aspect, which is not described herein again.
  • FIG. 2 is a schematic diagram of a key agreement system according to an embodiment of the present invention.
  • the key generation device generates a system parameter and a master key according to a preset elliptic curve parameter, where the system parameter includes an elliptic curve parameter, an intermediate parameter, and a system public key, and the intermediate parameter is used to indicate a finite field defined by the elliptic curve parameter.
  • the system public key is used by the first user equipment to perform key agreement with the second user equipment.
  • the second user equipment receives the public key and the private key of the second user equipment sent by the key generation device, and decrypts the public key and the private key of the second user equipment.
  • the first user equipment receives the second signature message sent by the second user equipment, and decrypts the second signature message.
  • An RRC connection is established between the UE1 and the eNB, and an RRC connection is established between the UE2 and the eNB.
  • the step is an optional step, and is mainly used for establishing a wireless connection between the UE1 and the eNB and establishing a wireless connection between the UE2 and the eNB; the eNB acquires the identifiers of the UE1 and the UE2; and facilitates subsequent parameter transmission between each other.
  • the eNB obtains the intermediate parameters p, q, p', q', a', and r' according to the elliptic curve parameter E(F_p) and an integer.
  • the four intermediate parameters p', q', a', and r' are four parameters defined in the homomorphic encryption process to satisfy the homomorphic encryption condition. It will be appreciated by those skilled in the art that the calculation of the intermediate parameters p', q', a', r' in other manners that satisfy the homomorphic encryption condition is equally applicable to embodiments of the present invention.
  • the eNB finally obtains the system parameters <E(F_p), p, q, a', r', p', q', P>.
  • the eNB broadcasts the system parameters <E(F_p), p, q, a', r', p', q', P>.
  • the UE1 receives the system parameters <E(F_p), p, q, a', r', p', q', P> sent by the eNB.
  • the eNB generates the private key (R_UE1, d_UE1) of UE1 by formula (3) and formula (5), based on the system parameters <E(F_p), p, q, a', r', p', q', P>, the master key s, the public key c_UE1 of the UE1, and the first random number r_UE1.
  • the UE1 receives the public key c_UE1 and the private key (R_UE1, d_UE1) of the UE1 sent by the eNB, and decrypts the public key c_UE1 and the private key (R_UE1, d_UE1).
  • the third random number x_UE1 and the fourth random number y_UE1 may be selected at random or according to a preset formula; the present invention is not limited in this respect, and random selection is adopted in the embodiment of the present invention.
  • in the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1>, c_UE1 and R_UE1 are not computed; they are taken directly from UE1's public key c_UE1 and private key (R_UE1, d_UE1).
  • h_UE1 = ID_UE1 + E_UE1 + R_UE1 + Y_UE1 + a' ⁇ r' + p' * q', formula (11)
  • the UE1 sends the first signature message ⁇ c UE1 , E UE1 , R UE1 , Y UE1 , Z UE1 > to the UE2 through homomorphic encryption.
  • the UE2 receives the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1> sent by the UE1, and decrypts the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1>.
  • step S412 includes steps S4121 to S4123 .
  • the eNB generates the private key (R_UE2, d_UE2) of UE2 by formula (3) and formula (5), based on the system parameters <E(F_p), p, q, a', r', p', q', P>, the master key s, the public key c_UE2 of the UE2, and the second random number r_UE2.
  • the fifth random number x_UE2 and the sixth random number y_UE2 may be selected at random or according to a preset formula; the present invention is not limited in this respect, and random selection is adopted in the embodiment of the present invention.
  • h_UE2 = ID_UE2 + E_UE2 + R_UE2 + Y_UE2 + a' ⁇ r' + p' * q', formula (21)
  • UE2 calculates the intermediate parameter K_UE2UE1 of the shared key by formula (23), according to the fifth random number x_UE2 and the E_UE1 in the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1>.
  • the UE2 obtains the shared key SK_UE1UE2 for communicating with UE1 by formula (25), from the identifier ID_UE2 of the UE2, the identifier ID_UE1 of the UE1, the intermediate parameter K_UE2UE1, and the system parameters <E(F_p), p, q, a', r', p', q', P>.
  • step S420 includes steps S4201 to S4203:
  • UE1 calculates the intermediate parameter K_UE1UE2 of the shared key by formula (29), according to the third random number x_UE1 and the E_UE2 in the second signature message <c_UE2, E_UE2, R_UE2, Y_UE2, Z_UE2>.
  • the processing unit 211 is configured to: select a first random number from the finite field indicated by the intermediate parameter; generate a public key of the first user equipment according to the system parameter, the identifier of the first user equipment, and the first random number; and generate a private key of the first user equipment according to the system parameter, the master key, the public key of the first user equipment, and the first random number.
  • the processing unit 211 is configured to: select a second random number from the finite field indicated by the intermediate parameter; generate a public key of the second user equipment according to the system parameter, the identifier of the second user equipment, and the second random number; and generate a private key of the second user equipment according to the system parameter, the master key, the public key of the second user equipment, and the second random number.
  • the sending unit 212 is further configured to send the public key and the private key of the second user equipment to the second user equipment under homomorphic encryption, for the second user equipment to perform key negotiation with the first user equipment.
  • the sending unit 212 in this embodiment may be an interface circuit with a sending function on the eNB, such as a transmitter or an information sending interface.
  • the processing unit 211 may be a separately provided processor, or may be implemented in one of the processors of the eNB; it may also be stored in the memory of the eNB in the form of program code, which a processor of the eNB calls and executes to perform the functions of the above processing unit 211.
  • the processor described herein may be a central processing unit (CPU), or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • the present invention provides a first user equipment for performing the above-described key negotiation method.
  • the first user equipment includes a receiving unit 221, a processing unit 222, and a sending unit 223, where:
  • the receiving unit 221 is configured to receive system parameters sent by the key generation device, where the system parameters include an elliptic curve parameter, an intermediate parameter, and a system public key, where the intermediate parameter is used to indicate a finite field defined by the elliptic curve parameter, and the system public key is used by the first user equipment to perform key agreement with the second user equipment.
  • the processing unit 222 is configured to generate a first signature message according to the system parameter and the public key and the private key of the first user equipment.
  • the processing unit 222 is configured to: select a third random number and a fourth random number from the finite field indicated by the intermediate parameter; and generate a first signature message according to the system parameter, the public key and the private key of the first user equipment, and the third random number and the fourth random number.
  • the receiving unit 221 is further configured to receive the second signature message sent by the second user equipment, and decrypt the second signature message, where the second signature message is homomorphically encrypted.
  • the processing unit 222 is further configured to: if the identity of the second user equipment is verified according to the second signature message and the system parameter, obtain a shared key that communicates with the second user equipment according to the second signature message and the system parameter.
  • the processing unit 222 is configured to: if the system parameter and the parameters included in the second signature message satisfy a preset equality relationship, determine that the identity of the second user equipment is legal; and obtain a shared key for communicating with the second user equipment according to the third random number, the second signature message, and the system parameter.
  • the sending unit 223 in this embodiment may be an interface circuit with a sending function on the UE, such as a transmitter or an information sending interface; the receiving unit 221 may be an interface circuit with a receiving function on the UE, such as a receiver or an information receiving interface.
  • the processing unit 222 may be a separately provided processor, or may be implemented in one of the processors of the UE; it may also be stored in the memory of the UE in the form of program code, which a processor of the UE calls and executes to perform the functions of the above processing unit 222.
  • the processor described herein may be a central processing unit (CPU), or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • the first user equipment in the embodiment of the present invention may be used to perform the foregoing method, and therefore, the technical effects that can be obtained are also referred to the foregoing method embodiments, and details are not described herein again.
  • the present invention provides a second user equipment for performing the above-described key agreement method.
  • the second user equipment includes a receiving unit 231, a processing unit 232, and a sending unit 233, where:
  • the processing unit 232 is configured to generate a second signature message according to the system parameter, the public key of the second user equipment, and the private key, if the identity of the first user equipment is verified according to the first signature message and the system parameter.
  • the processor described herein may be a central processing unit (CPU), or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • the second user equipment in the embodiment of the present invention may be used to perform the foregoing method, and therefore, the technical effects that can be obtained are also referred to the foregoing method embodiments, and details are not described herein again.
  • the processor 1801 is configured to execute a program in the memory to execute the function of the processing unit of the key generation device in the above embodiment.
  • the processor 1901 herein may be a single processor or a collective term for multiple processing elements.
  • the processor may be a central processing unit (CPU), or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention, such as one or more digital signal processors (DSP) or one or more field programmable gate arrays (FPGA).
  • the processor 1901 is configured to execute program code stored therein to control the first interface circuit 1902 and the second interface circuit 1903 to perform the method provided in the above method embodiment.
  • the second interface circuit 1903 is configured to perform the function of the transmitting unit of the first user equipment in the above embodiment.
  • the second user equipment in the embodiment of the present invention may be used to perform the foregoing method, and therefore, the technical effects that can be obtained are also referred to the foregoing method embodiments, and details are not described herein again.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or otherwise.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present invention, in essence or in the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present invention.

Abstract

Disclosed are a key negotiation method, device and system, relating to the field of wireless communications and used for solving the problem of a low degree of encryption when a BNN-IBS is applied to a D2D wireless communication network for key negotiation. The key negotiation method comprises: when a key generation device sends a public key and a private key of a first user equipment to the first user equipment, when the key generation device sends a public key and a private key of a second user equipment to the second user equipment, when the first user equipment sends a first signature message to the second user equipment, and when the second user equipment sends a second signature message to the first user equipment, performing homomorphic encryption. The embodiments of the present invention are applied to a D2D wireless communication network.

Description

Key negotiation method, device and system
Technical field
The present invention relates to the field of wireless communications, and in particular to a key negotiation method, device, and system.
Background
With the gradual maturing of the 4G standard, 5G technology has come into view. Available material indicates that future 5G wireless communication systems will develop towards network convergence: one direction is heterogeneous networks, the other is allowing nearby mobile devices under a cellular network to communicate directly, i.e. the D2D (Device to Device) communication mode.
On the one hand, key agreement has always been a very important security mechanism in wireless communication systems. For D2D wireless communication, because the transmission path between UEs is uncertain, the routers, firewalls and similar devices used for key agreement in traditional wireless networks cannot be used; at present there is no standard or protocol for key agreement in D2D wireless communication.
On the other hand, BNN-IBS (the elliptic-curve identity-based signature protocol proposed by Bellare M, Namprempre C and Neven G) is used for key agreement in the Internet of Things and sensor networks. Referring to Figure 1, the BNN-IBS process includes the following steps:
S101. The PKG (private key generator) sets the system parameters.
Select an elliptic curve E(F_p) over the finite field F_p, where E/F_p denotes the group of order n formed by the points on E(F_p): p ∈ E/F_p, the order of p is q, q is prime and q^2 does not divide n; G_1 is the cyclic group generated by p. Select the system private key s (Figure PCTCN2016076170-appb-000001); compute Q = sp as the system public key; select two cryptographic hash functions H_1 and H_2 (Figure PCTCN2016076170-appb-000002).
S102. The PKG publishes the system parameters to the UEs (user equipment).
The PKG publishes the system parameters <E(F_p), p, q, Q, H_1, H_2> to UE1 and UE2.
S103. The PKG allocates the user private key <R_1, s_1> to UE1.
Given the user identity information ID_u ∈ {0,1}*, select r (Figure PCTCN2016076170-appb-000003); compute R = rp; using the system private key x, compute s = r + cx mod q, where c = H_1(ID_u || R). The private key of user ID_u is SK_u = (R, s). Specifically, for UE1, the PKG allocates the user private key <R_1, s_1> to UE1.
S104. UE1 signs using a hash function, producing <R_1, Y_1, z_1>.
Select y (Figure PCTCN2016076170-appb-000004); compute Y = yp and z = y + hs mod q, where h = H_2(ID_u, m, R, Y). The signature of user ID_u on message m is <R, Y, z>. Specifically, for UE1, h = H_2(ID_1, m, R_1, Y_1), z_1 = y + hs_1 mod q, and the signature on message m is <R_1, Y_1, z_1>.
S105. UE1 sends the signature information <m, ID_1, R_1, Y_1, z_1> to UE2.
S106. UE2 performs signature verification.
Given the user identity ID_u, the system parameters, the message m and the signature <R, Y, z>, compute h = H_2(ID_u, m, R, Y) and c = H_1(ID_u || R). Check whether zp = Y + h(R + cQ) holds; if so, verification passes and message m is accepted, otherwise message m is discarded. Specifically, for UE2, h = H_2(ID_1, m, R_1, Y_1), c = H_1(ID_1 || R_1), and UE2 checks whether z_1 p = Y_1 + h(R_1 + cQ) holds; if so, verification passes and message m is accepted, otherwise message m is discarded.
S107. The PKG allocates the user private key <R_2, s_2> to UE2.
The calculation steps are the same as in step S103. Specifically, for UE2, the PKG allocates the user private key <R_2, s_2> to UE2.
S108. UE2 signs using a hash function, producing <R_2, Y_2, z_2>.
The calculation steps are the same as in step S104. Specifically, for UE2, h = H_2(ID_2, m, R_2, Y_2), z_2 = y + hs_2 mod q, and the signature on message m is <R_2, Y_2, z_2>.
S109. UE2 sends the signature information <m, ID_2, R_2, Y_2, z_2> to UE1.
S110. UE1 performs signature verification.
The calculation steps are the same as in step S106. Specifically, for UE1, h = H_2(ID_2, m, R_2, Y_2), c = H_1(ID_2 || R_2), and UE1 checks whether z_2 p = Y_2 + h(R_2 + cQ) holds; if so, verification passes and message m is accepted, otherwise message m is discarded.
However, BNN-IBS has the following problem: because the PKG generates the system parameters, and UE1 and UE2 sign, using a hash function for encryption, the degree of encryption is low and data-tampering attacks cannot be resisted.
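The BNN-IBS flow of steps S101 to S110 as an added example (not code from the patent): PKG setup, private-key extraction for each UE identity, signing, and the check zp = Y + h(R + cQ) run by the receiving UE, for both directions of the exchange. It assumes the public secp256k1 parameters as the curve E(F_p) with generator p, and a domain-tagged SHA-256 reduced mod q as H_1 and H_2; the last check shows the verification equation failing when m is altered in transit.

```python
"""BNN-IBS (steps S101-S110) over secp256k1 with SHA-256 standing in for H1/H2.
Added example with assumed curve and hash choices; not the patent's own code."""
import hashlib
import secrets

# secp256k1 domain parameters (public constants): field prime, curve, generator, order
FIELD_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
CURVE_A = 0
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER_Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # q in the text


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_p; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return (x3, (lam * (x1 - x3) - y1) % FIELD_P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def _point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def h1(identity, R):
    """H1(ID_u || R) -> Z_q; domain-tagged SHA-256 is an assumption."""
    digest = hashlib.sha256(b"H1" + identity + _point_bytes(R)).digest()
    return int.from_bytes(digest, "big") % ORDER_Q


def h2(identity, m, R, Y):
    """H2(ID_u, m, R, Y) -> Z_q; domain-tagged SHA-256 is an assumption."""
    digest = hashlib.sha256(b"H2" + identity + m + _point_bytes(R) + _point_bytes(Y)).digest()
    return int.from_bytes(digest, "big") % ORDER_Q


def pkg_setup():
    """S101: master secret s and system public key Q = s*p (p is the generator)."""
    s = secrets.randbelow(ORDER_Q - 1) + 1
    return s, ec_mul(s, GEN)


def pkg_extract(s, identity):
    """S103/S107: user private key SK_u = (R, s_u) with R = r*p, s_u = r + c*s mod q."""
    r = secrets.randbelow(ORDER_Q - 1) + 1
    R = ec_mul(r, GEN)
    c = h1(identity, R)
    return R, (r + c * s) % ORDER_Q


def ue_sign(identity, sk_u, m):
    """S104/S108: signature <R, Y, z> with Y = y*p, z = y + h*s_u mod q."""
    R, s_u = sk_u
    y = secrets.randbelow(ORDER_Q - 1) + 1
    Y = ec_mul(y, GEN)
    h = h2(identity, m, R, Y)
    return R, Y, (y + h * s_u) % ORDER_Q


def ue_verify(Q, identity, m, sig):
    """S106/S110: accept iff z*p == Y + h*(R + c*Q)."""
    R, Y, z = sig
    h = h2(identity, m, R, Y)
    c = h1(identity, R)
    return ec_mul(z, GEN) == ec_add(Y, ec_mul(h, ec_add(R, ec_mul(c, Q))))


def run_exchange(m=b"constructed D2D message"):
    """Runs S101-S110 for UE1 and UE2.
    Returns (UE2 accepts UE1's signature, UE1 accepts UE2's, altered m is rejected)."""
    s, Q = pkg_setup()                       # S101; Q is published in S102
    sk1 = pkg_extract(s, b"UE1")             # S103
    sig1 = ue_sign(b"UE1", sk1, m)           # S104, sent to UE2 in S105
    ok1 = ue_verify(Q, b"UE1", m, sig1)      # S106
    sk2 = pkg_extract(s, b"UE2")             # S107
    sig2 = ue_sign(b"UE2", sk2, m)           # S108, sent to UE1 in S109
    ok2 = ue_verify(Q, b"UE2", m, sig2)      # S110
    tampered = ue_verify(Q, b"UE1", m + b"!", sig1)  # modified m must fail the check
    return ok1, ok2, not tampered
```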
Summary of the invention
Embodiments of the present invention provide a key agreement method, apparatus and system for solving the problem of a low degree of encryption when BNN-IBS is applied to a D2D wireless communication network for key agreement.
To achieve the above object, embodiments of the present invention adopt the following technical solutions:
In a first aspect, a key agreement method is provided, which specifically includes the following steps:
the key generation device generates system parameters and a master key according to preset elliptic curve parameters, where the system parameters include the elliptic curve parameters, intermediate parameters and a system public key; the intermediate parameters are used to indicate the finite field defined by the elliptic curve parameters, and the system public key is used by the first user equipment to perform key agreement with the second user equipment;
the key generation device broadcasts the system parameters;
the key generation device generates a public key and a private key of the first user equipment according to the system parameters, the master key and the identifier of the first user equipment;
the key generation device sends the public key and the private key of the first user equipment to the first user equipment under homomorphic encryption, for the first user equipment to perform key agreement with the second user equipment; compared with encryption using a hash function, homomorphic encryption gives a higher degree of encryption while the communication and computation overhead is smaller, reducing computational complexity;
the key generation device generates a public key and a private key of the second user equipment according to the system parameters, the master key and the identifier of the second user equipment;
the key generation device sends the public key and the private key of the second user equipment to the second user equipment under homomorphic encryption, for the second user equipment to perform key agreement with the first user equipment; compared with encryption using a hash function, homomorphic encryption gives a higher degree of encryption while the communication and computation overhead is smaller, reducing computational complexity.
In this implementation, homomorphic encryption is performed both when the key generation device sends the public key and private key of the first user equipment to the first user equipment and when it sends the public key and private key of the second user equipment to the second user equipment, rather than, as described for BNN-IBS, using a hash function for encryption when the PKG sets the system parameters, when the PKG allocates user private keys to UE1 and UE2, and when UE1 and UE2 sign. Homomorphic encryption can resist attacks that tamper with data; its degree of encryption is higher than that of a hash function, which raises the complexity of the encryption. Therefore, the key agreement method provided by the embodiments of the present invention solves the problem of a low degree of encryption when the BNN-IBS identity signature protocol is applied to a D2D wireless communication network for key agreement. In addition, compared with hashing, homomorphic encryption has smaller communication and computation overhead, reducing computational complexity.
With reference to the first aspect, in a first possible implementation, the key agreement method includes:
the key generation device obtains the intermediate parameter according to the elliptic curve parameters and an integer;
the key generation device selects a random number from the finite field indicated by the intermediate parameter as the master key;
the key generation device obtains the system public key according to the master key and the intermediate parameter.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation, the key agreement method includes:
the key generation device selects a first random number from the finite field indicated by the intermediate parameter;
the key generation device generates the public key of the first user equipment according to the system parameters, the identifier of the first user equipment and the first random number;
the key generation device generates the private key of the first user equipment according to the system parameters, the master key, the public key of the first user equipment and the first random number.
With reference to the first aspect, the first possible implementation of the first aspect or the second possible implementation of the first aspect, in a third possible implementation, the key agreement method includes:
the key generation device selects a second random number from the finite field indicated by the intermediate parameter;
the key generation device generates the public key of the second user equipment according to the system parameters, the identifier of the second user equipment and the second random number;
the key generation device generates the private key of the second user equipment according to the system parameters, the master key, the public key of the second user equipment and the second random number.
In a second aspect, a key agreement method is provided, which specifically includes the following steps:
the first user equipment receives the system parameters sent by the key generation device, where the system parameters include the elliptic curve parameters, an intermediate parameter and a system public key, the intermediate parameter is used to indicate the finite field defined by the elliptic curve parameters, and the system public key is used for key agreement between the first user equipment and the second user equipment;
the first user equipment receives the public key and the private key of the first user equipment sent by the key generation device and decrypts them, where the public key and the private key of the first user equipment have been homomorphically encrypted; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
the first user equipment generates a first signature message according to the system parameters and the public key and the private key of the first user equipment;
the first user equipment sends the first signature message to the second user equipment under homomorphic encryption; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
the first user equipment receives a second signature message sent by the second user equipment and decrypts it, where the second signature message has been homomorphically encrypted; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
if the first user equipment verifies, according to the second signature message and the system parameters, that the identity of the second user equipment is legitimate, the first user equipment obtains a shared key for communicating with the second user equipment according to the second signature message and the system parameters.
In this implementation, homomorphic encryption is performed when the key generation device sends the public key and the private key of the first user equipment to the first user equipment, when the first user equipment sends the first signature message to the second user equipment, and when the second user equipment sends the second signature message to the first user equipment. This differs from BNN-IBS as described, where a hash function is used for encryption when the PKG sets the system parameters, when the PKG allocates user private keys to UE1 and UE2, and when UE1 and UE2 sign. Homomorphic encryption can resist attacks that tamper with data; its degree of encryption is higher than that of a hash function, which increases the complexity of the encryption. Therefore, the key agreement method provided by the embodiments of the present invention solves the problem of a low degree of encryption when the BNN-IBS identity signature protocol is applied to key agreement in a D2D wireless communication network. In addition, compared with hash operations, homomorphic encryption has a smaller communication and computation overhead, which reduces computational complexity.
With reference to the second aspect, in a first possible implementation, the key agreement method includes:
the first user equipment selects a third random number and a fourth random number from the finite field indicated by the intermediate parameter;
the first user equipment generates the first signature message according to the system parameters, the public key and the private key of the first user equipment, and the third random number and the fourth random number.
With reference to the second aspect, in a second possible implementation, the key agreement method includes:
if a preset equation relationship holds between the system parameters and the parameters contained in the second signature message, the identity of the second user equipment is determined to be legitimate.
With reference to the first possible implementation of the second aspect, in a third possible implementation, the key agreement method includes:
the first user equipment obtains the shared key for communicating with the second user equipment according to the third random number, the second signature message and the system parameters.
In a third aspect, a key agreement method is provided, which specifically includes the following steps:
the second user equipment receives the system parameters sent by the key generation device, where the system parameters include the elliptic curve parameters, an intermediate parameter and a system public key, the intermediate parameter is used to indicate the finite field defined by the elliptic curve parameters, and the system public key is used for key agreement between the second user equipment and the first user equipment;
the second user equipment receives the first signature message sent by the first user equipment and decrypts it, where the first signature message has been homomorphically encrypted; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
the second user equipment receives the public key and the private key of the second user equipment sent by the key generation device and decrypts them, where the public key and the private key of the second user equipment have been homomorphically encrypted; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
if the second user equipment verifies, according to the first signature message and the system parameters, that the identity of the first user equipment is legitimate, the second user equipment generates a second signature message according to the system parameters and the public key and the private key of the second user equipment;
the second user equipment sends the second signature message to the first user equipment under homomorphic encryption; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
the second user equipment obtains a shared key for communicating with the first user equipment according to the first signature message and the system parameters.
In this implementation, homomorphic encryption is performed when the key generation device sends the public key and the private key of the second user equipment to the second user equipment, when the first user equipment sends the first signature message to the second user equipment, and when the second user equipment sends the second signature message to the first user equipment. This differs from BNN-IBS as described, where a hash function is used for encryption when the PKG sets the system parameters, when the PKG allocates user private keys to UE1 and UE2, and when UE1 and UE2 sign. Homomorphic encryption can resist attacks that tamper with data; its degree of encryption is higher than that of a hash function, which increases the complexity of the encryption. Therefore, the key agreement method provided by the embodiments of the present invention solves the problem of a low degree of encryption when the BNN-IBS identity signature protocol is applied to key agreement in a D2D wireless communication network. In addition, compared with hash operations, homomorphic encryption has a smaller communication and computation overhead, which reduces computational complexity.
With reference to the third aspect, in a first possible implementation, the key agreement method includes:
the second user equipment selects a fifth random number and a sixth random number from the finite field indicated by the intermediate parameter;
the second user equipment generates the second signature message according to the system parameters, the public key and the private key of the second user equipment, and the fifth random number and the sixth random number.
With reference to the third aspect, in a second possible implementation, the key agreement method includes:
if a preset equation relationship holds between the system parameters and the parameters contained in the first signature message, the identity of the first user equipment is determined to be legitimate.
With reference to the first possible implementation of the third aspect, in a third possible implementation, the key agreement method includes:
the second user equipment obtains the shared key for communicating with the first user equipment according to the fifth random number, the first signature message and the system parameters.
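The first, second and third aspects above describe setup, per-user key extraction, the signature messages, the equation check and the shared-key derivation only abstractly. The following is an added example, not code from the patent, that instantiates those steps with the standard hash-based BNN-IBS construction on a constructed textbook toy curve (y² = x³ + 2x + 2 over F_17, prime order 19, far too small for real use); the function names, the Schnorr-style signature over an ephemeral Diffie-Hellman share, and the SHA-256 key derivation are my assumptions, and the homomorphic encryption the patent applies to the transmitted keys and messages is not specified on the page and is therefore not implemented.

```python
# Added example (not the patent's code): BNN-IBS-style identity-based key agreement
# instantiated with the standard hash-based construction. The homomorphic encryption
# the patent applies to transmitted keys and messages is not specified and not done here.
import hashlib
import secrets

# Constructed toy curve: y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1), prime order 19.
P_MOD, A = 17, 2
G = (5, 1)
Q = 19          # the "intermediate parameter": order of G, i.e. the finite field Z_q
INF = None      # point at infinity


def point_add(p1, p2):
    """Affine point addition; handles the identity, inverses and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def scalar_mul(k, point):
    """Double-and-add scalar multiplication, k taken mod q."""
    result, addend = INF, point
    k %= Q
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def h_zq(*parts):
    """Hash to Z_q; stands in for the H1/H2 hash functions of BNN-IBS."""
    data = b"|".join(repr(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rand_zq():
    """Uniform nonzero element of Z_q (a 'random number from the finite field')."""
    return secrets.randbelow(Q - 1) + 1


def setup():
    """Key generation device: master key x and system public key P_pub = x*G."""
    x = rand_zq()
    return x, {"G": G, "q": Q, "P_pub": scalar_mul(x, G)}


def extract(params, master, ident):
    """User key pair from identity and random r: public R = r*G, private s = r + H(ID,R)*x."""
    r = rand_zq()
    R = scalar_mul(r, params["G"])
    s = (r + h_zq(ident, R) * master) % Q
    return R, s


def make_sig_msg(params, ident, R, s):
    """Signature message: ephemeral DH share T = a*G, signed Schnorr-style with (R, s).
    a and y play the role of the two random numbers the UE draws from Z_q (assumption)."""
    a, y = rand_zq(), rand_zq()
    T, Y = scalar_mul(a, params["G"]), scalar_mul(y, params["G"])
    z = (y + h_zq(ident, R, T, Y) * s) % Q
    return a, {"id": ident, "R": R, "T": T, "Y": Y, "z": z}


def verify_sig_msg(params, msg):
    """The 'preset equation': z*G == Y + h*(R + c*P_pub), with c = H(ID, R)."""
    c = h_zq(msg["id"], msg["R"])
    h = h_zq(msg["id"], msg["R"], msg["T"], msg["Y"])
    lhs = scalar_mul(msg["z"], params["G"])
    rhs = point_add(msg["Y"], scalar_mul(h, point_add(msg["R"], scalar_mul(c, params["P_pub"]))))
    return lhs == rhs


def shared_key(a, peer_msg):
    """Shared key from own random number a and the peer's message: KDF(a * T_peer)."""
    return hashlib.sha256(repr(scalar_mul(a, peer_msg["T"])).encode()).digest()


def run_protocol(ue1="UE1", ue2="UE2"):
    """Full exchange. Returns (ue1_verified, ue2_verified, keys_match, tamper_detected)."""
    master, params = setup()
    R1, s1 = extract(params, master, ue1)
    R2, s2 = extract(params, master, ue2)
    a1, msg1 = make_sig_msg(params, ue1, R1, s1)   # UE1 -> UE2
    ok1 = verify_sig_msg(params, msg1)             # UE2 checks UE1's identity
    a2, msg2 = make_sig_msg(params, ue2, R2, s2)   # UE2 -> UE1
    ok2 = verify_sig_msg(params, msg2)             # UE1 checks UE2's identity
    keys_match = shared_key(a1, msg2) == shared_key(a2, msg1)
    # Any in-transit modification of a signed field breaks the equation check.
    tampered = dict(msg1, z=(msg1["z"] + 1) % Q)
    return ok1, ok2, keys_match, not verify_sig_msg(params, tampered)
```

`run_protocol()` returns `(True, True, True, True)`: both identities verify, both sides derive the same key, and a modified signature message is rejected by the equation check rather than by any encryption of the message.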
In a fourth aspect, a key generation device is provided for performing the key agreement method described in the first aspect or the possible implementations of the first aspect, including:
a processing unit, configured to generate system parameters and a master key according to preset elliptic curve parameters, where the system parameters include the elliptic curve parameters, an intermediate parameter and a system public key, the intermediate parameter is used to indicate the finite field defined by the elliptic curve parameters, and the system public key is used for key agreement between the first user equipment and the second user equipment;
a sending unit, configured to broadcast the system parameters;
the processing unit, further configured to generate a public key and a private key of the first user equipment according to the system parameters, the master key and the identifier of the first user equipment;
the sending unit, further configured to send the public key and the private key of the first user equipment to the first user equipment under homomorphic encryption, for key agreement between the first user equipment and the second user equipment; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
the processing unit, further configured to generate a public key and a private key of the second user equipment according to the system parameters, the master key and the identifier of the second user equipment;
the sending unit, further configured to send the public key and the private key of the second user equipment to the second user equipment under homomorphic encryption, for key agreement between the second user equipment and the first user equipment; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity.
Since the key generation device in the present invention can be used to perform the method flow of the first aspect, the technical effects it can obtain may also be found in the method of the first aspect, and are not described again here.
With reference to the fourth aspect, in a first possible implementation, the processing unit is further configured to:
obtain the intermediate parameter according to the elliptic curve parameters and an integer;
select a random number from the finite field indicated by the intermediate parameter as the master key;
obtain the system public key according to the master key and the intermediate parameter.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation, the processing unit is further configured to:
select a first random number from the finite field indicated by the intermediate parameter;
generate the public key of the first user equipment according to the system parameters, the identifier of the first user equipment and the first random number;
generate the private key of the first user equipment according to the system parameters, the master key, the public key of the first user equipment and the first random number.
With reference to the fourth aspect, the first possible implementation of the fourth aspect or the second possible implementation of the fourth aspect, in a third possible implementation, the processing unit is further configured to:
select a second random number from the finite field indicated by the intermediate parameter;
generate the public key of the second user equipment according to the system parameters, the identifier of the second user equipment and the second random number;
generate the private key of the second user equipment according to the system parameters, the master key, the public key of the second user equipment and the second random number.
In a fifth aspect, a user equipment is provided for performing the key agreement method described in the second aspect or the possible implementations of the second aspect, including:
a receiving unit, configured to receive the system parameters sent by the key generation device, where the system parameters include the elliptic curve parameters, an intermediate parameter and a system public key, the intermediate parameter is used to indicate the finite field defined by the elliptic curve parameters, and the system public key is used for key agreement between the user equipment and the second user equipment;
the receiving unit, further configured to receive the public key and the private key of the user equipment sent by the key generation device and to decrypt them, where the public key and the private key of the user equipment have been homomorphically encrypted; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
a processing unit, configured to generate a first signature message according to the system parameters and the public key and the private key of the user equipment;
a sending unit, configured to send the first signature message to the second user equipment under homomorphic encryption; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
the receiving unit, further configured to receive a second signature message sent by the second user equipment and to decrypt it, where the second signature message has been homomorphically encrypted; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
the processing unit, further configured to obtain, if the identity of the second user equipment is verified as legitimate according to the second signature message and the system parameters, a shared key for communicating with the second user equipment according to the second signature message and the system parameters.
Since the user equipment in the present invention can be used to perform the method flow of the second aspect, the technical effects it can obtain may also be found in the method of the second aspect, and are not described again here.
With reference to the fifth aspect, in a first possible implementation, the processing unit is further configured to:
select a third random number and a fourth random number from the finite field indicated by the intermediate parameter;
generate the first signature message according to the system parameters, the public key and the private key of the user equipment, and the third random number and the fourth random number.
With reference to the fifth aspect, in a second possible implementation, the processing unit is further configured to:
determine that the identity of the second user equipment is legitimate if a preset equation relationship holds between the system parameters and the parameters contained in the second signature message.
With reference to the first possible implementation of the fifth aspect, in a third possible implementation, the processing unit is further configured to:
obtain the shared key for communicating with the second user equipment according to the third random number, the second signature message and the system parameters.
In a sixth aspect, a user equipment is provided for performing the key agreement method described in the third aspect or the possible implementations of the third aspect, including:
a receiving unit, configured to receive the system parameters sent by the key generation device, where the system parameters include the elliptic curve parameters, an intermediate parameter and a system public key, the intermediate parameter is used to indicate the finite field defined by the elliptic curve parameters, and the system public key is used for key agreement between the user equipment and the first user equipment;
the receiving unit, further configured to receive the first signature message sent by the first user equipment and to decrypt it, where the first signature message has been homomorphically encrypted; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
the receiving unit, further configured to receive the public key and the private key of the user equipment sent by the key generation device and to decrypt them, where the public key and the private key of the user equipment have been homomorphically encrypted; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
a processing unit, configured to generate, if the identity of the first user equipment is verified as legitimate according to the first signature message and the system parameters, a second signature message according to the system parameters and the public key and the private key of the user equipment;
a sending unit, configured to send the second signature message to the first user equipment under homomorphic encryption; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
the processing unit, further configured to obtain a shared key for communicating with the first user equipment according to the first signature message and the system parameters.
Since the user equipment in the present invention can be used to perform the method flow of the third aspect, the technical effects it can obtain may also be found in the method of the third aspect, and are not described again here.
With reference to the sixth aspect, in a first possible implementation, the processing unit is further configured to:
select a fifth random number and a sixth random number from the finite field indicated by the intermediate parameter;
generate the second signature message according to the system parameters, the public key and the private key of the user equipment, and the fifth random number and the sixth random number.
With reference to the sixth aspect, in a second possible implementation, the processing unit is further configured to:
determine that the identity of the first user equipment is legitimate if a preset equation relationship holds between the system parameters and the parameters contained in the first signature message.
With reference to the first possible implementation of the sixth aspect, in a third possible implementation, the processing unit is further configured to:
obtain the shared key for communicating with the first user equipment according to the fifth random number, the first signature message and the system parameters.
In a seventh aspect, a key generation device is provided for performing the key agreement method described in the first aspect or the possible implementations of the first aspect, including a processor, an interface circuit, a memory and a bus; the processor, the interface circuit and the memory are connected by the bus and communicate with one another; the processor is configured to execute program code in the memory to control the interface circuit to perform the following operations:
the processor, configured to generate system parameters and a master key according to preset elliptic curve parameters, where the system parameters include the elliptic curve parameters, an intermediate parameter and a system public key, the intermediate parameter is used to indicate the finite field defined by the elliptic curve parameters, and the system public key is used for key agreement between the first user equipment and the second user equipment;
the interface circuit, configured to broadcast the system parameters;
the processor, further configured to generate a public key and a private key of the first user equipment according to the system parameters, the master key and the identifier of the first user equipment;
the interface circuit, further configured to send the public key and the private key of the first user equipment to the first user equipment under homomorphic encryption, for key agreement between the first user equipment and the second user equipment; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity;
the processor, further configured to generate a public key and a private key of the second user equipment according to the system parameters, the master key and the identifier of the second user equipment;
the interface circuit, further configured to send the public key and the private key of the second user equipment to the second user equipment under homomorphic encryption, for key agreement between the second user equipment and the first user equipment; by using homomorphic encryption, the degree of encryption is higher than when a hash function is used for encryption, while the communication and computation overhead is smaller, which reduces computational complexity.
Since the key generation device in the present invention can be used to perform the method flow of the first aspect, the technical effects it can obtain may also be found in the method of the first aspect, and are not described again here.
With reference to the seventh aspect, in a first possible implementation, the processor is further configured to:
obtain the intermediate parameter according to the elliptic curve parameters and an integer;
select a random number from the finite field indicated by the intermediate parameter as the master key;
obtain the system public key according to the master key and the intermediate parameter.
With reference to the seventh aspect or the first possible implementation of the seventh aspect, in a second possible implementation, the processor is further configured to:
select a first random number from the finite field indicated by the intermediate parameter;
generate the public key of the first user equipment according to the system parameters, the identifier of the first user equipment and the first random number;
generate the private key of the first user equipment according to the system parameters, the master key, the public key of the first user equipment and the first random number.
With reference to the seventh aspect, the first possible implementation of the seventh aspect or the second possible implementation of the seventh aspect, in a third possible implementation, the processor is further configured to:
select a second random number from the finite field indicated by the intermediate parameter;
generate the public key of the second user equipment according to the system parameters, the identifier of the second user equipment and the second random number;
generate the private key of the second user equipment according to the system parameters, the master key, the public key of the second user equipment and the second random number.
According to an eighth aspect, a user equipment is provided for performing the key agreement method described in the second aspect or any possible implementation of the second aspect, and includes a processor, a first interface circuit, a second interface circuit, a memory and a bus; the processor, the first interface circuit, the second interface circuit and the memory are connected by the bus and communicate with one another; the processor is configured to execute program code in the memory to control the first interface circuit and the second interface circuit to perform the following operations:
the first interface circuit is configured to receive the system parameters sent by the key generation device, where the system parameters include the elliptic curve parameters, an intermediate parameter and a system public key, the intermediate parameter indicates the finite field defined by the elliptic curve parameters, and the system public key is used for key agreement between the user equipment and a second user equipment;
the first interface circuit is further configured to receive the public key and the private key of the user equipment sent by the key generation device and to decrypt them, the public key and the private key having been homomorphically encrypted; compared with encryption by a hash function, homomorphic encryption provides a higher degree of encryption while incurring lower communication and computation overhead, which reduces computational complexity;
the processor is configured to generate a first signature message according to the system parameters and the public key and the private key of the user equipment;
the second interface circuit is configured to send the first signature message to the second user equipment under homomorphic encryption; compared with encryption by a hash function, homomorphic encryption provides a higher degree of encryption while incurring lower communication and computation overhead, which reduces computational complexity;
the first interface circuit is further configured to receive a second signature message sent by the second user equipment and to decrypt it, the second signature message having been homomorphically encrypted; compared with encryption by a hash function, homomorphic encryption provides a higher degree of encryption while incurring lower communication and computation overhead, which reduces computational complexity;
the processor is further configured to: if the identity of the second user equipment is verified as legitimate according to the second signature message and the system parameters, obtain a shared key for communicating with the second user equipment according to the second signature message and the system parameters.
Since the user equipment of the present invention can perform the method flow of the second aspect, the technical effects it can achieve are those of the method of the second aspect, and are not repeated here.
With reference to the eighth aspect, in a first possible implementation, the processor is further configured to:
select a third random number and a fourth random number from the finite field indicated by the intermediate parameter;
generate the first signature message according to the system parameters, the public key and the private key of the user equipment, the third random number and the fourth random number.
With reference to the eighth aspect, in a second possible implementation, the processor is further configured to:
if a preset equation relationship holds between the system parameters and the parameters contained in the second signature message, determine that the identity of the second user equipment is legitimate.
With reference to the first possible implementation of the eighth aspect, in a third possible implementation, the processor is further configured to:
obtain the shared key for communicating with the second user equipment according to the third random number, the second signature message and the system parameters.
According to a ninth aspect, a user equipment is provided for performing the key agreement method described in the third aspect or any possible implementation of the third aspect, and includes a processor, a first interface circuit, a second interface circuit, a memory and a bus; the processor, the first interface circuit, the second interface circuit and the memory are connected by the bus and communicate with one another; the processor is configured to execute program code in the memory to control the first interface circuit and the second interface circuit to perform the following operations:
the first interface circuit is further configured to receive the public key and the private key of the user equipment sent by the key generation device and to decrypt them, the public key and the private key having been homomorphically encrypted; compared with encryption by a hash function, homomorphic encryption provides a higher degree of encryption while incurring lower communication and computation overhead, which reduces computational complexity;
the first interface circuit is configured to receive the system parameters sent by the key generation device, where the system parameters include the elliptic curve parameters, an intermediate parameter and a system public key, the intermediate parameter indicates the finite field defined by the elliptic curve parameters, and the system public key is used for key agreement between the user equipment and a first user equipment;
the first interface circuit is further configured to receive a first signature message sent by the first user equipment and to decrypt it, the first signature message having been homomorphically encrypted; compared with encryption by a hash function, homomorphic encryption provides a higher degree of encryption while incurring lower communication and computation overhead, which reduces computational complexity;
the processor is configured to: if the identity of the first user equipment is verified as legitimate according to the first signature message and the system parameters, generate a second signature message according to the system parameters and the public key and the private key of the user equipment;
the second interface circuit is configured to send the second signature message to the first user equipment under homomorphic encryption; compared with encryption by a hash function, homomorphic encryption provides a higher degree of encryption while incurring lower communication and computation overhead, which reduces computational complexity;
the processor is further configured to obtain a shared key for communicating with the first user equipment according to the first signature message and the system parameters.
Since the user equipment of the present invention can perform the method flow of the third aspect, the technical effects it can achieve are those of the method of the third aspect, and are not repeated here.
With reference to the ninth aspect, in a first possible implementation, the processor is further configured to:
select a fifth random number and a sixth random number from the finite field indicated by the intermediate parameter;
generate the second signature message according to the system parameters, the public key and the private key of the user equipment, the fifth random number and the sixth random number.
With reference to the ninth aspect, in a second possible implementation, the processor is further configured to:
if a preset equation relationship holds between the system parameters and the parameters contained in the first signature message, determine that the identity of the first user equipment is legitimate.
With reference to the first possible implementation of the ninth aspect, in a third possible implementation, the processor is further configured to:
obtain the shared key for communicating with the first user equipment according to the fifth random number, the first signature message and the system parameters.
According to a tenth aspect, a key agreement system is provided, which includes any key generation device provided in the fourth aspect or a possible implementation of the fourth aspect, any user equipment provided in the fifth aspect or a possible implementation of the fifth aspect, and any user equipment provided in the sixth aspect or a possible implementation of the sixth aspect,
or which includes any key generation device provided in the seventh aspect or a possible implementation of the seventh aspect, any user equipment provided in the eighth aspect or a possible implementation of the eighth aspect, and any user equipment provided in the ninth aspect or a possible implementation of the ninth aspect.
Since the key agreement system provided by the embodiments of the present invention includes any key generation device of the fourth aspect or a possible implementation of the fourth aspect together with any user equipment of the fifth and sixth aspects or their possible implementations, or any key generation device of the seventh aspect or a possible implementation of the seventh aspect together with any user equipment of the eighth and ninth aspects or their possible implementations, the technical effects it can achieve are those of the key generation device and user equipment described above, and are not repeated here.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of the prior-art BNN-IBS key agreement method;
FIG. 2 is a schematic diagram of a key agreement system according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a key agreement method according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of another key agreement method according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of generating system parameters and a master key according to preset elliptic curve parameters according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the relationship between parameters in the process of generating and sending a first signature message according to an embodiment of the present invention;
FIG. 7 is a schematic flowchart of an eNB generating the public key and the private key of UE1 according to an embodiment of the present invention;
FIG. 8 is a schematic flowchart of UE1 generating a first signature message according to an embodiment of the present invention;
FIG. 9 is a schematic flowchart of an eNB generating the public key and the private key of UE2 according to an embodiment of the present invention;
FIG. 10 is a schematic flowchart of UE2 verifying whether the identity of UE1 is legitimate according to an embodiment of the present invention;
FIG. 11 is a schematic flowchart of UE2 generating a second signature message according to an embodiment of the present invention;
FIG. 12 is a schematic flowchart of UE2 obtaining a shared key according to an embodiment of the present invention;
FIG. 13 is a schematic flowchart of UE1 verifying whether the identity of UE2 is legitimate according to an embodiment of the present invention;
FIG. 14 is a schematic flowchart of UE1 obtaining a shared key according to an embodiment of the present invention;
FIG. 15 is a schematic structural diagram of a key generation device according to an embodiment of the present invention;
FIG. 16 is a schematic structural diagram of a first user equipment according to an embodiment of the present invention;
FIG. 17 is a schematic structural diagram of a second user equipment according to an embodiment of the present invention;
FIG. 18 is a schematic structural diagram of another key generation device according to an embodiment of the present invention;
FIG. 19 is a schematic structural diagram of another first user equipment according to an embodiment of the present invention;
FIG. 20 is a schematic structural diagram of another second user equipment according to an embodiment of the present invention.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
This application presents various aspects, embodiments or features in terms of a system that may include multiple devices, components, modules and the like. It should be understood that each system may include additional devices, components, modules and the like, and/or may not include all of the devices, components, modules and the like discussed in connection with the drawings. Combinations of these schemes may also be used.
In the embodiments of the present invention, the word "exemplary" is used to mean serving as an example, instance or illustration. Any embodiment or design described as "exemplary" in this application should not be construed as preferred or advantageous over other embodiments or designs. Rather, the word "exemplary" is intended to present concepts in a concrete manner.
The embodiments of the present invention can be applied to time division duplexing (TDD) scenarios as well as frequency division duplexing (FDD) scenarios.
The embodiments of the present invention are described in the context of a 4G network in a wireless communication network. It should be noted that the solutions in the embodiments may also be applied to other wireless communication networks, with the corresponding names replaced by the names of the corresponding functions in those networks.
Referring to FIG. 2, an embodiment of the present invention provides a key agreement system applied to a D2D communication architecture under existing cellular network coverage (D2D communication under cellular network control), including an eNB 21, a UE1 22 and a UE2 23. UE1 and UE2 are the two devices capable of D2D communication. The eNB first needs to discover the devices UE1 and UE2 capable of D2D communication and establish logical connections with them; it then controls the resource allocation of UE1 and UE2, performing resource scheduling and interference management, so that users obtain high-quality communication.
An embodiment of the present invention provides a key agreement method which, referring to FIG. 3, includes the following steps:
S301. The key generation device generates system parameters and a master key according to preset elliptic curve parameters, where the system parameters include the elliptic curve parameters, an intermediate parameter and a system public key, the intermediate parameter indicates the finite field defined by the elliptic curve parameters, and the system public key is used for key agreement between a first user equipment and a second user equipment.
The preset elliptic curve parameters determine a plane curve given by the Weierstrass equation y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6; it is called an elliptic curve because this equation resembles the one arising in the arc-length integral of an ellipse. The master key may be generated randomly or by a preset formula; the present invention does not limit this, and the embodiments of the present invention use random selection as an example.
The first user equipment and the second user equipment are the two parties performing key agreement with each other.
S302. The key generation device broadcasts the system parameters.
Because of the finite field defined by the elliptic curve parameters, an attacker who wants to obtain the master key would have to solve the elliptic curve discrete logarithm problem, for which no efficient (polynomial-time) algorithm is currently known.
S303. The first user equipment receives the system parameters sent by the key generation device.
S304. The second user equipment receives the system parameters sent by the key generation device.
S305. The key generation device generates the public key and the private key of the first user equipment according to the system parameters, the master key and the identifier of the first user equipment.
The identifier of the first user equipment is obtained when the first user equipment registers with the key generation device.
S306. The key generation device sends the public key and the private key of the first user equipment to the first user equipment under homomorphic encryption, for key agreement between the first user equipment and the second user equipment.
Homomorphic encryption is a cryptographic technique based on the computational complexity theory of hard mathematical problems. Processing homomorphically encrypted data yields an output which, once decrypted, equals the output obtained by applying the same processing to the unencrypted original data.
The homomorphic encryption in the embodiments of the present invention satisfies both additive and multiplicative homomorphism. Additive homomorphism means that there exists an efficient algorithm ⊕ such that E(x+y) = E(x) ⊕ E(y), or equivalently x+y = D(E(x) ⊕ E(y)), without leaking x and y. Multiplicative homomorphism means that there exists an efficient algorithm × such that E(xy) = E(x) × E(y), or equivalently xy = D(E(x) × E(y)), without leaking x and y. These differ from ordinary addition and multiplication only in that ⊕ or × is some efficient algorithm that satisfies certain conditions during encryption or decryption. Using additive homomorphism in place of hashing reduces computational complexity, and using multiplicative homomorphic encryption for identity information improves the privacy of that information and resists data tampering attacks during communication.
Compared with hash-function encryption, homomorphic encryption can effectively resist data tampering attacks.
S307. The first user equipment receives the public key and the private key of the first user equipment sent by the key generation device, and decrypts them.
S308. The first user equipment generates a first signature message of the first user equipment according to the system parameters and the public key and the private key of the first user equipment.
S309. The first user equipment sends the first signature message to the second user equipment under homomorphic encryption.
S310. The second user equipment receives the first signature message sent by the first user equipment, and decrypts it.
S311. The key generation device generates the public key and the private key of the second user equipment according to the system parameters, the master key and the identifier of the second user equipment.
The identifier of the second user equipment is obtained when the second user equipment registers with the key generation device.
S312. The key generation device sends the public key and the private key of the second user equipment to the second user equipment under homomorphic encryption, for key agreement between the second user equipment and the first user equipment.
S313. The second user equipment receives the public key and the private key of the second user equipment sent by the key generation device, and decrypts them.
S314. The second user equipment verifies whether the identity of the first user equipment is legitimate according to the first signature message and the system parameters. If the identity of the first user equipment is verified as legitimate, the second user equipment generates a second signature message according to the system parameters and the public key and the private key of the second user equipment.
S315. The second user equipment sends the second signature message to the first user equipment under homomorphic encryption.
S316. The second user equipment obtains a shared key for communicating with the first user equipment according to the first signature message and the system parameters.
S317. The first user equipment receives the second signature message sent by the second user equipment, and decrypts it.
S318. The first user equipment verifies whether the identity of the second user equipment is legitimate according to the second signature message and the system parameters. If the identity of the second user equipment is legitimate, the first user equipment obtains a shared key for communicating with the second user equipment according to the second signature message and the system parameters.
In the key agreement method provided by the embodiments of the present invention, homomorphic encryption is applied when the key generation device sends the public key and the private key of the first user equipment to the first user equipment, when the key generation device sends the public key and the private key of the second user equipment to the second user equipment, when the first user equipment sends the first signature message to the second user equipment, and when the second user equipment sends the second signature message to the first user equipment. This differs from BNN-IBS, in which a hash function is used for encryption when the PKG sets the system parameters, when the PKG assigns user private keys to UE1 and UE2, and when UE1 and UE2 sign. Homomorphic encryption can resist data tampering attacks, and its degree of encryption is higher than that of a hash function, which raises the complexity of the encryption. The key agreement method provided by the embodiments of the present invention therefore solves the problem of the low degree of encryption when the BNN-IBS identity signature protocol is applied to key agreement in a D2D wireless communication network. In addition, compared with hashing, homomorphic encryption incurs lower communication and computation overhead, which reduces computational complexity.
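As an added example (not from the patent), the block below realises the two homomorphisms the description defines with schemes that actually have them: Paillier for E(x+y) = E(x) ⊕ E(y) and textbook RSA for E(xy) = E(x) × E(y). The patent names no concrete scheme, so both choices and the toy-sized primes are assumptions made here.

```python
import math
import random

# Constructed toy primes: big enough that the arithmetic is not trivial, far too
# small for real use (the property being shown does not depend on key size).
PRIME_P = 10007
PRIME_Q = 10009


def paillier_keygen(p=PRIME_P, q=PRIME_Q):
    """Paillier key pair with generator g = n + 1, for which mu = lambda^-1 mod n."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)
    return (n, n + 1), (lam, mu)


def paillier_encrypt(pub, m, rng):
    """E(m) = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    n2 = n * n
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2


def paillier_decrypt(pub, priv, c):
    """D(c) = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n) * mu % n


def paillier_add(pub, c1, c2):
    """The description's ⊕: multiplying ciphertexts adds the plaintexts.
    Only the public key is needed, so anyone holding two ciphertexts can combine
    them; integrity of what is sent therefore has to come from the signature step."""
    n, _ = pub
    return c1 * c2 % (n * n)


def paillier_scale(pub, c, k):
    """Raising a ciphertext to k multiplies the plaintext by k (k-fold ⊕)."""
    n, _ = pub
    return pow(c, k, n * n)


def rsa_keygen(p=PRIME_P, q=PRIME_Q, e=65537):
    """Textbook (unpadded) RSA; any padding scheme would remove the homomorphism."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def rsa_mul(pub, c1, c2):
    """The description's ×: multiplying ciphertexts multiplies the plaintexts."""
    n, _ = pub
    return c1 * c2 % n


def homomorphic_checks(seed=1):
    """Run both identities on constructed plaintexts and return what decrypts."""
    rng = random.Random(seed)
    ppub, ppriv = paillier_keygen()
    cx = paillier_encrypt(ppub, 123, rng)
    cy = paillier_encrypt(ppub, 456, rng)
    rpub, rpriv = rsa_keygen()
    prod = rsa_mul(rpub, rsa_encrypt(rpub, 12), rsa_encrypt(rpub, 34))
    return {
        "paillier_sum": paillier_decrypt(ppub, ppriv, paillier_add(ppub, cx, cy)),
        "paillier_scaled": paillier_decrypt(ppub, ppriv, paillier_scale(ppub, cx, 5)),
        "rsa_product": rsa_decrypt(rpriv, prod),
        # Paillier is randomised: re-encrypting 123 gives a different ciphertext.
        "fresh_ciphertexts_differ": paillier_encrypt(ppub, 123, rng) != cx,
    }


if __name__ == "__main__":
    print(homomorphic_checks())
```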
The embodiment is described in detail below with the first user equipment as UE1, the second user equipment as UE2, and the key generation device PKG as an eNB (evolved NodeB). Those skilled in the art will understand that in the D2D communication mode under partial cellular coverage, when a UE transitions from the idle state to the active state, the UE should select the eNB as PKG where cellular coverage exists and a trusted third party as PKG where it does not; in the D2D communication mode without cellular coverage, all UEs select a trusted third party as PKG.
An embodiment of the present invention provides a key negotiation method which, referring to FIG. 4, includes the following steps:
S401. An RRC connection is established between UE1 and the eNB, and an RRC connection is established between UE2 and the eNB. This step is optional; it establishes a radio connection between UE1 and the eNB and between UE2 and the eNB, lets the eNB obtain the identifiers of UE1 and UE2, and facilitates the parameter transfers that follow.
S402. The eNB generates the system parameters <E(F_p), p, q, a', r', p', q', P> and the master key s from the preset elliptic curve parameter E(F_p). The system parameters consist of the elliptic curve parameter E(F_p), the intermediate parameters p, q, p', q', a' and r', and the system public key P. The parameter q indicates the finite field of order q whose non-zero elements 1, 2, …, q−1 are used as scalars (the field symbol is an image on the original page and is not reproduced here), and the system public key is used for key negotiation between the first user equipment and the second user equipment.
Specifically, referring to FIG. 5, step S402 includes steps S4021 to S4025:
S4021. The eNB determines the preset elliptic curve parameter E(F_p).
Starting from the plane curve defined by the Weierstrass equation y² + a1·xy + a3·y = x³ + a2·x² + a4·x + a6, the eNB selects an elliptic curve over the finite field F_p; as an example, the curve of formula (1):
E(F_p): y² = x³ + ax + b                    formula (1)
where a and b also belong to F_p, that is, a, b ∈ F_p, and the curve is non-singular: 4a³ + 27b² mod p ≠ 0, mod being the modulo operation. (The original writes this condition mod q; non-singularity is a condition in the curve's own field F_p, whose characteristic is p.)
Those skilled in the art will appreciate that other elliptic curves satisfying the Weierstrass equation y² + a1·xy + a3·y = x³ + a2·x² + a4·x + a6 are equally applicable to the embodiments of the present invention.
S4022. The eNB obtains the intermediate parameters p, q, p', q', a' and r' from the elliptic curve parameter E(F_p) and an integer.
Specifically:
From the elliptic curve parameter E(F_p) the eNB obtains the intermediate parameters p and q of the system parameters <E(F_p), p, q, a', r', p', q', P>.
Let the point at infinity together with the points of the elliptic curve E(F_p) form the group E/F_p. The eNB selects a point p in E/F_p; p generates the cyclic group G1 and has order q (under the group operation, repeatedly applying p to itself eventually yields the identity element, and the smallest number of applications, q, is the order of p). Note that the original uses the same letter p for this base point and for the characteristic of the field F_p; they are different objects. After q is broadcast as part of the system parameters, it indicates the finite field of order q whose non-zero elements 1, …, q−1 are used as scalars (the field symbol is an image on the original page).
The eNB then selects an integer to obtain the remaining intermediate parameters p', q', a' and r' of the system parameters <E(F_p), p, q, a', r', p', q', P>.
For example, choosing the integer λ = 60, set p' = λ⁵, q' = λ³, a' = λ² and r' = λ, where λ may be any integer value. These four intermediate parameters are defined so that the condition required by the homomorphic encryption is satisfied; those skilled in the art will appreciate that other ways of computing p', q', a', r' that satisfy that condition are equally applicable.
S4023. From the non-zero elements 1, 2, …, q−1 of the finite field of order q indicated by the intermediate parameter q (the field symbol is an image on the original page), the eNB selects a random number s as the master key and keeps it secret.
This finite field is the one delimited by the elliptic curve parameter E(F_p).
The random number s may be chosen uniformly at random or by a preset formula; the invention does not limit this, and the embodiment uses random selection.
S4024. From the master key s and the intermediate parameter p, the eNB obtains the system public key P by formula (2).
P = sp                                   formula (2)
S4025. The eNB thus obtains the system parameters <E(F_p), p, q, a', r', p', q', P>.
S403. The eNB broadcasts the system parameters <E(F_p), p, q, a', r', p', q', P>.
Because of the finite field delimited by the elliptic curve parameters, an attacker who intercepts the system parameters <E(F_p), p, q, a', r', p', q', P> and wants to recover the master key s from P = sp must solve the elliptic curve discrete logarithm problem, for which no efficient (polynomial-time) algorithm is currently known.
S404. UE1 receives the system parameters <E(F_p), p, q, a', r', p', q', P> sent by the eNB.
S405. UE2 receives the system parameters <E(F_p), p, q, a', r', p', q', P> sent by the eNB.
Steps S406 to S410 below cover the generation and sending of UE1's first signature message; the relationship between the parameters is shown in FIG. 6.
S406. From the system parameters <E(F_p), p, q, a', r', p', q', P>, the master key s and UE1's identifier ID_UE1, the eNB generates UE1's public key c_UE1 and private key (R_UE1, d_UE1). Specifically, referring to FIG. 7, step S406 includes steps S4061 to S4063.
S4061. From the non-zero elements of the finite field of order q indicated by the intermediate parameter q, the eNB selects a random number as the first random number r_UE1 (the membership symbol is an image on the original page).
The first random number r_UE1 may be chosen uniformly at random or by a preset formula; the invention does not limit this, and the embodiment uses random selection.
Because of the finite field delimited by the elliptic curve parameters, an attacker who wants to obtain the first random number r_UE1 likewise has to solve the elliptic curve discrete logarithm problem.
S4062. From the system parameters <E(F_p), p, q, a', r', p', q', P>, UE1's identifier ID_UE1 and the first random number r_UE1, the eNB generates UE1's public key c_UE1 by formulas (3) and (4).
R_UE = r_UE p                                     formula (3)
Formula (4): [the formula is an image on the original page and is not reproduced here]
A UE identifier is a string of binary digits, ID_UE ∈ {0, 1}*; for example, UE1's identifier ID_UE1 may be 101 (the number 5) and UE2's identifier ID_UE2 may be 110 (the number 6). The eNB may obtain the identity information of UE1 and UE2 in step S401 or from UE1 and UE2 in this step; the embodiment does not limit this.
In formula (4), the dot "·" denotes an operation commonly used in cryptography whose evaluation differs from ordinary arithmetic multiplication, and the star "*" denotes ordinary arithmetic multiplication.
S4063. From the system parameters <E(F_p), p, q, a', r', p', q', P>, the master key s, UE1's public key c_UE1 and the first random number r_UE1, the eNB generates UE1's private key (R_UE1, d_UE1) by formulas (3) and (5).
d_UE = r_UE + c_UE s mod q                           formula (5)
Specifically, UE1's public key c_UE1 and private key (R_UE1, d_UE1) are computed as:
R_UE1 = r_UE1 p                                        formula (6)
d_UE1 = r_UE1 + c_UE1 s mod q                            formula (7)
Formula (8) (c_UE1): [the formula is an image on the original page and is not reproduced here]
S407. The eNB sends UE1's public key c_UE1 and private key (R_UE1, d_UE1) to UE1 under homomorphic encryption, for UE1 to use in key negotiation with UE2.
Because of the finite field delimited by the elliptic curve parameters, an attacker who intercepts UE1's public key c_UE1 and private key (R_UE1, d_UE1) and wants to obtain the first random number r_UE1 from R_UE1 = r_UE1 p likewise has to solve the elliptic curve discrete logarithm problem. Note that d_UE1 is itself part of UE1's private key, so its confidentiality in transit rests on the encryption applied in this step rather than on that problem.
Compared with hash-function encryption, homomorphic encryption can, according to the embodiment, effectively counter data-tampering attacks.
S408. UE1 receives its public key c_UE1 and private key (R_UE1, d_UE1) sent by the eNB and decrypts them.
S409. From the system parameters <E(F_p), p, q, a', r', p', q', P> and its public key c_UE1 and private key (R_UE1, d_UE1), UE1 generates the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1>. Specifically, referring to FIG. 8, step S409 includes steps S4091 and S4092.
S4091. From the non-zero elements of the finite field of order q indicated by the intermediate parameter q, UE1 selects a third random number x_UE1 and a fourth random number y_UE1 (the membership symbols are images on the original page).
The third random number x_UE1 and the fourth random number y_UE1 may be chosen uniformly at random or by a preset formula; the invention does not limit this, and the embodiment uses random selection.
S4092. From the system parameters <E(F_p), p, q, a', r', p', q', P>, the first user equipment's public key c_UE1 and private key (R_UE1, d_UE1), the third random number x_UE1 and the fourth random number y_UE1, UE1 generates the components E_UE1, Y_UE1 and Z_UE1 of the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1> by formulas (9) to (12). The components c_UE1 and R_UE1 of the first signature message are not computed here; they are taken directly from UE1's public key c_UE1 and private key (R_UE1, d_UE1).
E_UE1 = x_UE1 p                       formula (9)
Y_UE1 = y_UE1 p                        formula (10)
h_UE1 = ID_UE1 + E_UE1 + R_UE1 + Y_UE1 + a'·r' + p'*q'            formula (11)
Z_UE1 = y_UE1 + h_UE1 d_UE1 mod q               formula (12)
S410. UE1 sends the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1> to UE2 under homomorphic encryption.
Because of the finite field delimited by the elliptic curve parameters, an attacker who intercepts the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1> and wants to obtain the third random number x_UE1 and the fourth random number y_UE1 from E_UE1 = x_UE1 p and Y_UE1 = y_UE1 p likewise has to solve the elliptic curve discrete logarithm problem.
S411. UE2 receives the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1> sent by UE1 and decrypts it.
S412. From the system parameters <E(F_p), p, q, a', r', p', q', P>, the master key s and UE2's identifier ID_UE2, the eNB generates UE2's public key c_UE2 and private key (R_UE2, d_UE2). Specifically, referring to FIG. 9, step S412 includes steps S4121 to S4123.
S4121. From the non-zero elements of the finite field of order q indicated by the intermediate parameter q, the eNB selects a random number as the second random number r_UE2 (the membership symbol is an image on the original page).
The second random number r_UE2 may be chosen uniformly at random or by a preset formula; the invention does not limit this, and the embodiment uses random selection.
Because of the finite field delimited by the elliptic curve parameters, an attacker who wants to obtain the second random number r_UE2 likewise has to solve the elliptic curve discrete logarithm problem.
S4122. From the system parameters <E(F_p), p, q, a', r', p', q', P>, UE2's identifier ID_UE2 and the second random number r_UE2, the eNB generates UE2's public key c_UE2 by formulas (3) and (4).
The eNB may obtain the identity information of UE1 and UE2 in step S401 or from UE1 and UE2 in this step; the embodiment does not limit this.
S4123. From the system parameters <E(F_p), p, q, a', r', p', q', P>, the master key s, UE2's public key c_UE2 and the second random number r_UE2, the eNB generates UE2's private key (R_UE2, d_UE2) by formulas (3) and (5).
Specifically, UE2's public key c_UE2 and private key (R_UE2, d_UE2) are computed as:
R_UE2 = r_UE2 p                           formula (13)
d_UE2 = r_UE2 + c_UE2 s mod q                  formula (14)
Formula (15) (c_UE2): [the formula is an image on the original page and is not reproduced here]
S413. The eNB sends UE2's public key c_UE2 and private key (R_UE2, d_UE2) to UE2 under homomorphic encryption.
As in step S407, an attacker who intercepts UE2's private key (R_UE2, d_UE2) and wants to obtain the second random number r_UE2 from R_UE2 = r_UE2 p has to solve the elliptic curve discrete logarithm problem, while d_UE2 itself is protected in transit only by the encryption applied in this step.
S414. UE2 receives its public key c_UE2 and private key (R_UE2, d_UE2) sent by the eNB and decrypts them.
S415. From the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1> and the system parameters <E(F_p), p, q, a', r', p', q', P>, UE2 verifies whether UE1's identity is legitimate. If it is, step S416 follows; otherwise the procedure ends.
Specifically, if the parameters contained in the system parameters <E(F_p), p, q, a', r', p', q', P> and in the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1> satisfy the preset equation, UE1's identity is determined to be legitimate. Referring to FIG. 10, step S415 includes steps S4151 to S4153:
S4151. UE2 decrypts c_UE1 according to formula (16), obtaining D(c_UE1):
Formula (16): [the formula is an image on the original page and is not reproduced here]
S4152. UE2 decrypts h_UE1 according to formula (17), obtaining D(h_UE1):
D(h_UE1) = (c_UE1 + E_UE1 + R_UE1 + Y_UE1) mod p' mod a'               formula (17)
S4153. UE2 verifies UE1's identity by checking whether equation (18) holds. If it holds, UE1's identity is legitimate, authentication passes and step S416 follows; otherwise UE1's identity is not legitimate, authentication fails, and UE2 discards UE1's first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1>, refuses the session with UE1 and ends the procedure.
Z_UE1 p = Y_UE1 + D(h_UE1)(R_UE1 + D(c_UE1) P)                 formula (18)
S416. From the system parameters <E(F_p), p, q, a', r', p', q', P> and its public key c_UE2 and private key (R_UE2, d_UE2), UE2 generates the second signature message <c_UE2, E_UE2, R_UE2, Y_UE2, Z_UE2>. Specifically, referring to FIG. 11, this includes steps S4161 and S4162:
S4161. From the non-zero elements of the finite field of order q indicated by the intermediate parameter q, UE2 selects a fifth random number x_UE2 and a sixth random number y_UE2 (the membership symbols are images on the original page).
The fifth random number x_UE2 and the sixth random number y_UE2 may be chosen uniformly at random or by a preset formula; the invention does not limit this, and the embodiment uses random selection.
S4162. From the system parameters <E(F_p), p, q, a', r', p', q', P>, the second user equipment's public key c_UE2 and private key (R_UE2, d_UE2), the fifth random number x_UE2 and the sixth random number y_UE2, UE2 generates the components E_UE2, Y_UE2 and Z_UE2 of the second signature message <c_UE2, E_UE2, R_UE2, Y_UE2, Z_UE2> by formulas (19) to (22). The components c_UE2 and R_UE2 of the second signature message are not computed here; they are taken directly from UE2's public key c_UE2 and private key (R_UE2, d_UE2).
E_UE2 = x_UE2 p                          formula (19)
Y_UE2 = y_UE2 p                         formula (20)
h_UE2 = ID_UE2 + E_UE2 + R_UE2 + Y_UE2 + a'·r' + p'*q'                       formula (21)
Z_UE2 = y_UE2 + h_UE2 d_UE2 mod q                    formula (22)
S417. UE2 sends the second signature message <c_UE2, E_UE2, R_UE2, Y_UE2, Z_UE2> to UE1 under homomorphic encryption.
Because of the finite field delimited by the elliptic curve parameters, an attacker who intercepts the second signature message <c_UE2, E_UE2, R_UE2, Y_UE2, Z_UE2> and wants to obtain the fifth random number x_UE2 and the sixth random number y_UE2 from E_UE2 = x_UE2 p and Y_UE2 = y_UE2 p likewise has to solve the elliptic curve discrete logarithm problem.
S418. From the fifth random number x_UE2, the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1> and the system parameters <E(F_p), p, q, a', r', p', q', P>, UE2 obtains the shared key SK_UE1UE2 for communicating with UE1.
Specifically, referring to FIG. 12, step S418 includes steps S4181 to S4183:
S4181. From the fifth random number x_UE2 and the component E_UE1 of the first signature message <c_UE1, E_UE1, R_UE1, Y_UE1, Z_UE1>, UE2 computes the intermediate parameter K_UE2UE1 of the shared key by formula (23).
K_UE2UE1 = x_UE2 E_UE1                        formula (23)
S4182. From the components R_UE1 and c_UE1 of the first signature message and the system parameters <E(F_p), p, q, a', r', p', q', P>, UE2 derives UE1's identifier ID_UE1 by inverting formula (4); see formula (24).
Formula (24): [the formula is an image on the original page and is not reproduced here]
S4183. From UE2's identifier ID_UE2, UE1's identifier ID_UE1, the intermediate parameter K_UE2UE1 and the system parameters <E(F_p), p, q, a', r', p', q', P>, UE2 obtains the shared key SK_UE1UE2 for communicating with UE1 by formula (25).
SK_UE1UE2 = ID_UE1 + ID_UE2 + K_UE2UE1 + a'·r' + p'*q'                formula (25)
S419. UE1 receives the second signature message <c_UE2, E_UE2, R_UE2, Y_UE2, Z_UE2> sent by UE2 and decrypts it.
S420. From the second signature message <c_UE2, E_UE2, R_UE2, Y_UE2, Z_UE2> and the system parameters <E(F_p), p, q, a', r', p', q', P>, UE1 verifies whether UE2's identity is legitimate.
Specifically, if the parameters contained in the system parameters <E(F_p), p, q, a', r', p', q', P> and in the second signature message <c_UE2, E_UE2, R_UE2, Y_UE2, Z_UE2> satisfy the preset equation, UE2's identity is determined to be legitimate (the original says UE1 here, which is a slip: it is UE2 being verified). Referring to FIG. 13, step S420 includes steps S4201 to S4203:
S4201. UE1 decrypts c_UE2 according to formula (26), obtaining D(c_UE2):
Formula (26): [the formula is an image on the original page and is not reproduced here]
S4202. UE1 decrypts h_UE2 according to formula (27), obtaining D(h_UE2):
D(h_UE2) = (c_UE2 + E_UE2 + R_UE2 + Y_UE2) mod p' mod a'               formula (27)
S4203. UE1 verifies UE2's identity by checking whether equation (28) holds. If it holds, UE2's identity is legitimate, authentication passes and step S421 follows; otherwise UE2's identity is not legitimate, authentication fails, and UE1 discards UE2's second signature message <c_UE2, E_UE2, R_UE2, Y_UE2, Z_UE2>, refuses the session with UE2 and ends the procedure.
Z_UE2 p = Y_UE2 + D(h_UE2)(R_UE2 + D(c_UE2) P)            formula (28)
S421. If UE2's identity is legitimate, UE1 obtains the shared key SK_UE2UE1 for communicating with UE2 from the third random number x_UE1, the second signature message <c_UE2, E_UE2, R_UE2, Y_UE2, Z_UE2> and the system parameters <E(F_p), p, q, a', r', p', q', P>; if UE2's identity is not legitimate, UE1 discards the second signature message.
Specifically, referring to FIG. 14, step S421 includes steps S4211 to S4213:
S4211. From the third random number x_UE1 and the component E_UE2 of the second signature message <c_UE2, E_UE2, R_UE2, Y_UE2, Z_UE2>, UE1 computes the intermediate parameter K_UE1UE2 of the shared key by formula (29).
K_UE1UE2 = x_UE1 E_UE2                       formula (29)
S4212. From the components R_UE2 and c_UE2 of the second signature message and the system parameters <E(F_p), p, q, a', r', p', q', P>, UE1 derives UE2's identifier ID_UE2 by inverting formula (4); see formula (30).
Formula (30): [the formula is an image on the original page and is not reproduced here]
S4213. From UE1's identifier ID_UE1, UE2's identifier ID_UE2, the intermediate parameter K_UE1UE2 and the system parameters <E(F_p), p, q, a', r', p', q', P>, UE1 obtains the shared key SK_UE2UE1 for communicating with UE2 by formula (31).
SK_UE2UE1 = ID_UE1 + ID_UE2 + K_UE1UE2 + a'·r' + p'*q'              formula (31)
In particular, the shared key SK_UE2UE1 computed in step S421 equals the shared key SK_UE1UE2 computed in step S418, i.e. SK_UE2UE1 = SK_UE1UE2, because by formulas (9), (19), (23) and (29) K_UE1UE2 = x_UE1 E_UE2 = x_UE1 x_UE2 p = x_UE2 E_UE1 = K_UE2UE1, and the remaining terms of formulas (25) and (31) are identical.
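As an added example that is not part of the patent, the following Python block runs steps S402 to S421 end to end on a toy curve, so that the verification equation (18) and the equality SK_UE1UE2 = SK_UE2UE1 of step S421 can be executed rather than only read. Everything that is not on the page is an assumption and is marked as such in the code: the curve y² = x³ + 2x + 2 over F_17 with base point (5, 1) of order 19, standing in for the page's point p and order q; λ = 60 as in step S4022; the dot in a'·r' read as ordinary multiplication; a point contributing its x-coordinate when it appears in one of the page's integer sums; and, because formulas (4), (8) and (16) are images on the page, c_UE taken as the identifier plus the mask a'·r' + p'*q'. The decryption D of formulas (16) and (17) is implemented literally as (w mod p') mod a'. Since the mask is a multiple of a', D strips it, and the scalars of formulas (5) and (12) are taken with the mask stripped; under that reading equation (18) is the BNN-IBS verification Z·p = Y + h(R + c·P) and holds by construction, since Z·p = (y + h·d)·p = Y + h·(r + c·s)·p = Y + h·(R + c·P).

```python
# Added example, not the patent's code: toy end-to-end run of steps S402..S421.
# Assumed (not on the page): the curve, base point G (the page's point "p") and its
# order Q (the page's q), lambda, '·' read as multiplication, x-coordinate as a point's value.
import secrets

FIELD_P, A, B = 17, 2, 2   # E(F_p): y^2 = x^3 + 2x + 2 over F_17 (assumed toy curve)
G, Q = (5, 1), 19          # base point and its (prime) order; scalars come from 1..Q-1
LAM = 60                   # lambda as in step S4022
A_, R_, P_, Q_ = LAM**2, LAM, LAM**5, LAM**3   # a', r', p', q'
MASK = A_ * R_ + P_ * Q_   # a'·r' + p'*q'; a multiple of a', so (w mod p') mod a' removes it

def curve_ok():            # step S4021: non-singularity, 4a^3 + 27b^2 != 0 in F_p
    return (4 * A**3 + 27 * B**2) % FIELD_P != 0

def ec_add(P1, P2):        # group law on E(F_p); None is the point at infinity
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None                                    # P + (-P) = O
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return (x3, (lam * (x1 - x3) - y1) % FIELD_P)

def ec_mul(k, P):          # double-and-add; k reduced mod the group order
    acc, addend, k = None, P, k % Q
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend, k = ec_add(addend, addend), k >> 1
    return acc

def point_order(P):        # step S4022: the order of P is the least n with nP = O
    n, acc = 1, P
    while acc is not None:
        acc, n = ec_add(acc, P), n + 1
    return n

def enc(v): return v + MASK                              # the page's additive masking
def dec(w): return (w % P_) % A_                         # formulas (16)/(17); exact for v < a'
def as_int(P): return 0 if P is None else P[0]           # point value in integer sums (assumption)
def rand_scalar(): return secrets.randbelow(Q - 1) + 1   # random element of {1, ..., q-1}

def pkg_setup():           # steps S4023/S4024: master key s, system public key P = sp
    assert curve_ok() and point_order(G) == Q
    s = rand_scalar()
    return s, ec_mul(s, G)

def pkg_extract(s, uid):   # steps S4061..S4063: public key c, private key (R, d)
    assert 0 < uid < A_, "identifier must stay below a' so that dec(c) recovers it"
    r = rand_scalar()
    R = ec_mul(r, G)                # formula (3)
    c = enc(uid)                    # formula (4) is an image on the page; masked identifier assumed
    d = (r + dec(c) * s) % Q        # formula (5), scalar taken with the mask stripped
    return c, (R, d)

def sign(uid, c, R, d):    # steps S4091/S4092: <c, E, R, Y, Z>; x is kept for the shared key
    x, y = rand_scalar(), rand_scalar()
    E, Y = ec_mul(x, G), ec_mul(y, G)                  # formulas (9), (10)
    h = enc(uid + as_int(E) + as_int(R) + as_int(Y))   # formula (11)
    Z = (y + dec(h) * d) % Q                           # formula (12), mask stripped
    return x, (c, E, R, Y, Z)

def verify(Ppub, msg):     # steps S4151..S4153: Z p == Y + D(h)(R + D(c) P), formula (18)
    c, E, R, Y, Z = msg
    Dc = dec(c)                                        # formula (16)
    if not 0 <= Z < Q or Dc == 0:                      # identifier 0 would drop the P term
        return False
    Dh = dec(c + as_int(E) + as_int(R) + as_int(Y))    # formula (17)
    lhs = ec_mul(Z, G)
    rhs = ec_add(Y, ec_mul(Dh, ec_add(R, ec_mul(Dc, Ppub))))
    return lhs == rhs

def shared_key(uid_self, uid_peer, x_self, E_peer):  # steps S418/S421
    K = ec_mul(x_self, E_peer)                         # formulas (23)/(29)
    return uid_self + uid_peer + as_int(K) + MASK      # formulas (25)/(31)

def run_protocol(id1=5, id2=6):  # -> (UE2 accepts UE1, UE1 accepts UE2, both keys equal)
    s, Ppub = pkg_setup()
    c1, (R1, d1) = pkg_extract(s, id1)
    c2, (R2, d2) = pkg_extract(s, id2)
    x1, msg1 = sign(id1, c1, R1, d1)                   # S410: UE1 -> UE2
    ok1 = verify(Ppub, msg1)                           # S415
    x2, msg2 = sign(id2, c2, R2, d2)                   # S417: UE2 -> UE1
    ok2 = verify(Ppub, msg2)                           # S420
    sk_ue2 = shared_key(id2, dec(msg1[0]), x2, msg1[1])  # ID_UE1 read back from c, formula (24)
    sk_ue1 = shared_key(id1, dec(msg2[0]), x1, msg2[1])
    return ok1, ok2, sk_ue1 == sk_ue2

def tampered_rejected(uid=5):  # Z altered in transit must fail formula (18)
    s, Ppub = pkg_setup()
    c, (R, d) = pkg_extract(s, uid)
    _, (c, E, R, Y, Z) = sign(uid, c, R, d)
    return not verify(Ppub, (c, E, R, Y, (Z + 1) % Q))
```

Calling run_protocol() returns (True, True, True); tampered_rejected() alters Z in transit and returns True because equation (18) then fails. Two observations worth checking against the page: D depends only on p' and a', which the eNB broadcasts in step S403, so any receiver of the system parameters can strip the mask from c_UE and h_UE, and the authentication rests on equation (18) and the elliptic curve discrete logarithm problem rather than on the mask; and dec(c) returns the identifier exactly only while the identifier is below a' = λ², which pkg_extract asserts, so the choice of λ bounds the identifier space.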
In the key negotiation method of this embodiment, homomorphic encryption is applied when the eNB sends UE1 its public key and private key, when the eNB sends UE2 its public key and private key, when UE1 sends the first signature message to UE2, and when UE2 sends the second signature message to UE1. This differs from BNN-IBS, where a hash function is used when the PKG sets the system parameters, when the PKG assigns user private keys to UE1 and UE2, and when UE1 and UE2 sign. According to the embodiment, homomorphic encryption resists data-tampering attacks and gives a higher degree of encryption than a hash function, increasing the complexity of the encryption, so the method addresses the low degree of encryption that results when the BNN-IBS identity signature protocol is applied to key negotiation in a D2D wireless communication network; it further states that homomorphic encryption incurs less communication and computation overhead than hashing, reducing computational complexity.
The present invention provides a key generation device for performing the key agreement method described above. Referring to FIG. 15, it includes a processing unit 211 and a sending unit 212.
The processing unit 211 is configured to generate system parameters and a master key from preset elliptic curve parameters, where the system parameters include the elliptic curve parameters, an intermediate parameter and a system public key; the intermediate parameter indicates the finite field defined by the elliptic curve parameters, and the system public key is used for key agreement between the first user equipment and the second user equipment.
Optionally, in one possible implementation,
the processing unit 211 is configured to: obtain the intermediate parameter from the elliptic curve parameters and an integer; select a random number from the finite field indicated by the intermediate parameter as the master key; and obtain the system public key from the master key and the intermediate parameter.
The sending unit 212 is configured to broadcast the system parameters.
In addition, the processing unit 211 is further configured to generate the public key and private key of the first user equipment from the system parameters, the master key and the identifier of the first user equipment.
Optionally, in one possible implementation,
the processing unit 211 is configured to: select a first random number from the finite field indicated by the intermediate parameter; generate the public key of the first user equipment from the system parameters, the identifier of the first user equipment and the first random number; and generate the private key of the first user equipment from the system parameters, the master key, the public key of the first user equipment and the first random number.
The sending unit 212 is further configured to send the public key and private key of the first user equipment to the first user equipment under homomorphic encryption, for key agreement between the first user equipment and the second user equipment.
The processing unit 211 is further configured to generate the public key and private key of the second user equipment from the system parameters, the master key and the identifier of the second user equipment.
Optionally, in one possible implementation,
the processing unit 211 is configured to: select a second random number from the finite field indicated by the intermediate parameter; generate the public key of the second user equipment from the system parameters, the identifier of the second user equipment and the second random number; and generate the private key of the second user equipment from the system parameters, the master key, the public key of the second user equipment and the second random number.
The sending unit 212 is further configured to send the public key and private key of the second user equipment to the second user equipment under homomorphic encryption, for key agreement between the second user equipment and the first user equipment.
It should be noted that the sending unit 212 in this embodiment may be an interface circuit with a sending function on the eNB, such as a transmitter or a transmit interface. The processing unit 211 may be a separately provided processor, or may be implemented in one of the processors of the eNB; alternatively, it may be stored in the memory of the eNB in the form of program code that one of the eNB's processors calls and executes to perform the functions of the processing unit 211 described above. The processor referred to here may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
Since the key generation device in this embodiment of the present invention can be used to perform the method flow described above, the technical effects it can achieve are those of the method embodiments above and are not repeated here.
The present invention provides a first user equipment for performing the key agreement method described above. Referring to FIG. 16, it includes a receiving unit 221, a processing unit 222 and a sending unit 223, where:
the receiving unit 221 is configured to receive the system parameters sent by the key generation device, where the system parameters include the elliptic curve parameters, an intermediate parameter and a system public key; the intermediate parameter indicates the finite field defined by the elliptic curve parameters, and the system public key is used for key agreement between the first user equipment and the second user equipment.
The receiving unit 221 is further configured to receive the public key and private key of the first user equipment sent by the key generation device and to decrypt them, where the public key and private key of the first user equipment have been homomorphically encrypted.
The processing unit 222 is configured to generate a first signature message from the system parameters and the public key and private key of the first user equipment.
Optionally, in one possible implementation,
the processing unit 222 is configured to: select a third random number and a fourth random number from the finite field indicated by the intermediate parameter; and generate the first signature message from the system parameters, the public key and private key of the first user equipment, the third random number and the fourth random number.
The sending unit 223 is configured to send the first signature message to the second user equipment under homomorphic encryption.
The receiving unit 221 is further configured to receive the second signature message sent by the second user equipment and to decrypt it, where the second signature message has been homomorphically encrypted.
The processing unit 222 is further configured to: if the identity of the second user equipment is verified as legitimate from the second signature message and the system parameters, obtain the shared key for communicating with the second user equipment from the second signature message and the system parameters.
Optionally, in one possible implementation,
the processing unit 222 is configured to: determine that the identity of the second user equipment is legitimate if the system parameters and the parameters contained in the second signature message satisfy a preset equation; and obtain the shared key for communicating with the second user equipment from the third random number, the second signature message and the system parameters.
It should be noted that the sending unit 223 in this embodiment may be an interface circuit with a sending function on the UE, such as a transmitter or a transmit interface, and the receiving unit 221 may be an interface circuit with a receiving function on the UE, such as a receiver or a receive interface. The processing unit 222 may be a separately provided processor, or may be implemented in one of the processors of the UE; alternatively, it may be stored in the memory of the UE in the form of program code that one of the UE's processors calls and executes to perform the functions of the processing unit 222 described above. The processor referred to here may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
Since the first user equipment in this embodiment of the present invention can be used to perform the method flow described above, the technical effects it can achieve are those of the method embodiments above and are not repeated here.
The present invention provides a second user equipment for performing the key agreement method described above. Referring to FIG. 17, it includes a receiving unit 231, a processing unit 232 and a sending unit 233, where:
the receiving unit 231 is configured to receive the system parameters sent by the key generation device, where the system parameters include the elliptic curve parameters, an intermediate parameter and a system public key; the intermediate parameter indicates the finite field defined by the elliptic curve parameters, and the system public key is used for key agreement between the second user equipment and the first user equipment.
The receiving unit 231 is further configured to receive the first signature message sent by the first user equipment and to decrypt it, where the first signature message has been homomorphically encrypted.
The receiving unit 231 is further configured to receive the public key and private key of the second user equipment sent by the key generation device and to decrypt them, where the public key and private key of the second user equipment have been homomorphically encrypted.
The processing unit 232 is configured to: if the identity of the first user equipment is verified as legitimate from the first signature message and the system parameters, generate a second signature message from the system parameters and the public key and private key of the second user equipment.
Optionally, in one possible implementation,
the processing unit 232 is configured to determine that the identity of the first user equipment is legitimate if the system parameters and the parameters contained in the first signature message satisfy a preset equation. The processing unit 232 is further configured to: select a fifth random number and a sixth random number from the finite field indicated by the intermediate parameter; and generate the second signature message from the system parameters, the public key and private key of the second user equipment, the fifth random number and the sixth random number.
The sending unit 233 is configured to send the second signature message to the first user equipment under homomorphic encryption.
The processing unit 232 is further configured to obtain the shared key for communicating with the first user equipment from the first signature message and the system parameters.
Optionally, in one possible implementation,
the processing unit 232 is configured to obtain the shared key for communicating with the first user equipment from the fifth random number, the first signature message and the system parameters.
It should be noted that the sending unit 233 in this embodiment may be an interface circuit with a sending function on the UE, such as a transmitter or a transmit interface, and the receiving unit 231 may be an interface circuit with a receiving function on the UE, such as a receiver or a receive interface. The processing unit 232 may be a separately provided processor, or may be implemented in one of the processors of the UE; alternatively, it may be stored in the memory of the UE in the form of program code that one of the UE's processors calls and executes to perform the functions of the processing unit 232 described above. The processor referred to here may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
Since the second user equipment in this embodiment of the present invention can be used to perform the method flow described above, the technical effects it can achieve are those of the method embodiments above and are not repeated here.
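As an added illustration that is not part of the patent text, the following Python program carries the structure described for the key generation device, the first user equipment and the second user equipment (and the shared-key step of formula (31)) through one complete run of a BNN-IBS-based authenticated key agreement: the key generation device derives a master key and system public key, issues each UE an identifier-bound key pair from a random number, each UE builds a signature message from two random numbers (one kept as the ephemeral share for the key, one as the signature nonce), the peer checks the identity by the BNN-IBS verification equation, and both sides derive the same shared key. It uses the hash-based BNN-IBS construction named in the background rather than the homomorphic encryption of the embodiments, whose concrete formulas are not on this page, with secp256k1 standing in for the unspecified elliptic curve parameters and SHA-256 in place of the additive combination of formula (31). The function names, the message layout, the point-validation check before verification and the key derivation are assumptions of this example, not the patent's.

```python
"""Added example, not the patent's code: BNN-IBS identity-based signatures plus an
elliptic-curve authenticated key agreement in this page's role split (key generation
device as PKG, UE1 -> UE2, UE2 -> UE1). Assumptions: secp256k1 as the curve parameters,
SHA-256 as the BNN-IBS hash, a message layout that carries X = x*P. Python 3.8+."""
import hashlib
import secrets

P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 p
A, B = 0, 7
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity; cofactor is 1, so an on-curve point has order q

def on_curve(pt):
    """Validation of received points: finite, in range, and on E(Fp)."""
    return (pt is not INF and 0 <= pt[0] < P_MOD and 0 <= pt[1] < P_MOD
            and (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P_MOD == 0)

def ec_add(p1, p2):
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # double-and-add; illustrative, not constant time
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def hash_to_zq(*parts):
    """BNN-IBS hash H(...) -> Z_q: length-prefixed SHA-256 over points and ID strings."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, tuple):
            data = part[0].to_bytes(32, "big") + part[1].to_bytes(32, "big")
        else:
            data = part.encode("utf-8")
        h.update(len(data).to_bytes(2, "big") + data)
    return int.from_bytes(h.digest(), "big") % Q

def rand_zq():  # a random number from the finite field indicated by q, nonzero
    return secrets.randbelow(Q - 1) + 1

def setup():  # key generation device: master key s, system public key P_pub = s*P
    s = rand_zq()
    return s, ec_mul(s, GEN)

def extract(s, uid):  # UE key pair from its identifier: R = r*P, d = r + H(ID, R)*s
    r = rand_zq()
    R = ec_mul(r, GEN)
    return R, (r + hash_to_zq(uid, R) * s) % Q

def make_signature_message(uid, R, d):
    """x: ephemeral share kept for the key; y: signature nonce (the two random numbers)."""
    x, y = rand_zq(), rand_zq()
    X, Y = ec_mul(x, GEN), ec_mul(y, GEN)
    z = (y + hash_to_zq(uid, R, Y, X) * d) % Q
    return x, {"id": uid, "R": R, "X": X, "Y": Y, "z": z}

def verify_signature_message(p_pub, msg):
    """Identity check z*P == Y + e*(R + H(ID, R)*P_pub) after validating every point."""
    if not all(on_curve(msg[k]) for k in ("R", "X", "Y")) or not 0 < msg["z"] < Q:
        return False
    c = hash_to_zq(msg["id"], msg["R"])
    e = hash_to_zq(msg["id"], msg["R"], msg["Y"], msg["X"])
    rhs = ec_add(msg["Y"], ec_mul(e, ec_add(msg["R"], ec_mul(c, p_pub))))
    return ec_mul(msg["z"], GEN) == rhs

def shared_key(id_init, id_resp, x_own, X_peer):
    """K = x_own*X_peer is the same point on both sides; bind both IDs and hash it."""
    K = ec_mul(x_own, X_peer)
    ikm = id_init.encode() + b"|" + id_resp.encode() + b"|" + K[0].to_bytes(32, "big")
    return hashlib.sha256(ikm).digest()

def run_key_agreement(id1="UE1", id2="UE2"):
    """Whole exchange: eNB issues keys, UE1 signs to UE2, UE2 verifies and signs back."""
    s, p_pub = setup()
    R1, d1 = extract(s, id1)  # delivered to UE1 (the embodiment encrypts this delivery)
    R2, d2 = extract(s, id2)  # delivered to UE2
    x1, msg1 = make_signature_message(id1, R1, d1)  # first signature message
    if not verify_signature_message(p_pub, msg1):  # UE2 checks UE1's identity
        raise ValueError("first signature message rejected")
    x2, msg2 = make_signature_message(id2, R2, d2)  # second signature message
    sk_at_ue2 = shared_key(id1, id2, x2, msg1["X"])  # UE2's key (step S418 counterpart)
    if not verify_signature_message(p_pub, msg2):  # UE1 checks UE2's identity
        raise ValueError("second signature message rejected")
    sk_at_ue1 = shared_key(id1, id2, x1, msg2["X"])  # UE1's key (step S421 counterpart)
    return sk_at_ue1, sk_at_ue2
```

Calling run_key_agreement() returns the two 32-byte keys, which are equal because x1·(x2·P) = x2·(x1·P). The verification function is where the "identity is legitimate" condition of the device descriptions lives: a message whose z, identifier or points have been altered fails the equation, and the point-validation step rejects the point at infinity or off-curve values before any scalar multiplication is done with them.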
The present invention provides a key generation device for performing the key agreement method described above. Referring to FIG. 18, the device may be an eNB and may include a processor 1801, an interface circuit 1802, a memory 1803 and a bus 1804; the processor 1801, the interface circuit 1802 and the memory 1803 are connected through the bus 1804 and communicate with one another.
It should be noted that the processor 1801 here may be a single processor or a collective term for multiple processing elements. For example, the processor may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention, for example one or more digital signal processors (DSP) or one or more field-programmable gate arrays (FPGA).
The memory 1803 may be a single storage device or a collective term for multiple storage elements, and is used to store executable program code, or the parameters, data and so on that the device needs in order to operate. The memory 1803 may include random-access memory (RAM) and may also include non-volatile memory (NVRAM), for example disk storage or flash memory.
The bus 1804 may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus 1804 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in FIG. 18, but this does not mean that there is only one bus or only one type of bus.
The processor 1801 is configured to execute the program code stored in the memory so as to control the interface circuit 1802 to perform the method provided in the method embodiments above.
Specifically, the processor 1801 executes the program in the memory to perform the functions of the processing unit of the key generation device in the embodiments above.
The interface circuit 1802 performs the functions of the sending unit of the key generation device in the embodiments above.
Since the key generation device in this embodiment of the present invention can be used to perform the method flow described above, the technical effects it can achieve are those of the method embodiments above and are not repeated here.
The present invention provides a first user equipment for performing the key agreement method described above. Referring to FIG. 19, the device may be a UE and may include a processor 1901, a first interface circuit 1902, a second interface circuit 1903, a memory 1904 and a bus 1905; the processor 1901, the first interface circuit 1902, the second interface circuit 1903 and the memory 1904 are connected through the bus 1905 and communicate with one another.
It should be noted that the processor 1901 here may be a single processor or a collective term for multiple processing elements. For example, the processor may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention, for example one or more digital signal processors (DSP) or one or more field-programmable gate arrays (FPGA).
The memory 1904 may be a single storage device or a collective term for multiple storage elements, and is used to store executable program code, or the parameters, data and so on that the device needs in order to operate. The memory 1904 may include random-access memory (RAM) and may also include non-volatile memory (NVRAM), for example disk storage or flash memory.
The bus 1905 may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus 1905 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in FIG. 19, but this does not mean that there is only one bus or only one type of bus.
The processor 1901 is configured to execute the program code stored in the memory so as to control the first interface circuit 1902 and the second interface circuit 1903 to perform the method provided in the method embodiments above.
Specifically, the processor 1901 executes the program in the memory to perform the functions of the processing unit of the first user equipment in the embodiments above.
The first interface circuit 1902 performs the functions of the receiving unit of the first user equipment in the embodiments above.
The second interface circuit 1903 performs the functions of the sending unit of the first user equipment in the embodiments above.
Since the first user equipment in this embodiment of the present invention can be used to perform the method flow described above, the technical effects it can achieve are those of the method embodiments above and are not repeated here.
The present invention provides a second user equipment for performing the key agreement method described above. Referring to FIG. 20, the device may be a UE and may include a processor 2001, a first interface circuit 2002, a second interface circuit 2003, a memory 2004 and a bus 2005; the processor 2001, the first interface circuit 2002, the second interface circuit 2003 and the memory 2004 are connected through the bus 2005 and communicate with one another.
It should be noted that the processor 2001 here may be a single processor or a collective term for multiple processing elements. For example, the processor may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention, for example one or more digital signal processors (DSP) or one or more field-programmable gate arrays (FPGA).
The memory 2004 may be a single storage device or a collective term for multiple storage elements, and is used to store executable program code, or the parameters, data and so on that the device needs in order to operate. The memory 2004 may include random-access memory (RAM) and may also include non-volatile memory (NVRAM), for example disk storage or flash memory.
The bus 2005 may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus 2005 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in FIG. 20, but this does not mean that there is only one bus or only one type of bus.
The processor 2001 is configured to execute the program code stored in the memory so as to control the first interface circuit 2002 and the second interface circuit 2003 to perform the method provided in the method embodiments above.
Specifically, the processor 2001 executes the program in the memory to perform the functions of the processing unit of the second user equipment in the embodiments above.
The first interface circuit 2002 performs the functions of the receiving unit of the second user equipment in the embodiments above.
The second interface circuit 2003 performs the functions of the sending unit of the second user equipment in the embodiments above.
Since the second user equipment in this embodiment of the present invention can be used to perform the method flow described above, the technical effects it can achieve are those of the method embodiments above and are not repeated here.
It should be understood that, in the various embodiments of the present invention, the magnitude of the sequence numbers of the processes above does not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
Those of ordinary skill in the art will recognise that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of the present invention.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, devices and units described above can be found in the corresponding processes of the method embodiments above, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, devices and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them; any person skilled in the art can readily think of changes or substitutions within the technical scope disclosed by the present invention, and these should all be covered by the scope of protection of the present invention. The scope of protection of the present invention shall therefore be that defined by the claims.

Claims (37)

  1. A key agreement method, comprising:
    generating, by a key generation device, a system parameter and a master key according to a preset elliptic curve parameter, wherein the system parameter comprises the elliptic curve parameter, an intermediate parameter and a system public key, the intermediate parameter indicates a finite field defined by the elliptic curve parameter, and the system public key is used for key agreement between a first user equipment and a second user equipment;
    broadcasting, by the key generation device, the system parameter;
    generating, by the key generation device, a public key and a private key of the first user equipment according to the system parameter, the master key and an identifier of the first user equipment;
    sending, by the key generation device, the public key and the private key of the first user equipment to the first user equipment under homomorphic encryption, for key agreement between the first user equipment and the second user equipment;
    generating, by the key generation device, a public key and a private key of the second user equipment according to the system parameter, the master key and an identifier of the second user equipment;
    sending, by the key generation device, the public key and the private key of the second user equipment to the second user equipment under homomorphic encryption, for key agreement between the second user equipment and the first user equipment.
  2. The key agreement method according to claim 1, wherein the generating, by the key generation device, a system parameter and a master key according to a preset elliptic curve parameter comprises:
    obtaining, by the key generation device, the intermediate parameter according to the elliptic curve parameter and an integer;
    selecting, by the key generation device, a random number from the finite field indicated by the intermediate parameter as the master key;
    obtaining, by the key generation device, the system public key according to the master key and the intermediate parameter.
  3. The key agreement method according to claim 1 or 2, wherein the generating a public key and a private key of the first user equipment according to the system parameter, the master key and the identifier of the first user equipment comprises:
    selecting, by the key generation device, a first random number from the finite field indicated by the intermediate parameter;
    generating, by the key generation device, the public key of the first user equipment according to the system parameter, the identifier of the first user equipment and the first random number;
    generating, by the key generation device, the private key of the first user equipment according to the system parameter, the master key, the public key of the first user equipment and the first random number.
  4. The key agreement method according to any one of claims 1 to 3, wherein the generating a public key and a private key of the second user equipment according to the system parameter, the master key and the identifier of the second user equipment comprises:
    selecting, by the key generation device, a second random number from the finite field indicated by the intermediate parameter;
    generating, by the key generation device, the public key of the second user equipment according to the system parameter, the identifier of the second user equipment and the second random number;
    generating, by the key generation device, the private key of the second user equipment according to the system parameter, the master key, the public key of the second user equipment and the second random number.
  5. A key agreement method, comprising:
    receiving, by a first user equipment, a system parameter sent by a key generation device, wherein the system parameter comprises an elliptic curve parameter, an intermediate parameter and a system public key, the intermediate parameter indicates a finite field defined by the elliptic curve parameter, and the system public key is used for key agreement between the first user equipment and a second user equipment;
    receiving, by the first user equipment, a public key and a private key of the first user equipment sent by the key generation device, and decrypting the public key and the private key of the first user equipment, wherein the public key and the private key of the first user equipment are homomorphically encrypted;
    generating, by the first user equipment, a first signature message according to the system parameter and the public key and the private key of the first user equipment;
    sending, by the first user equipment, the first signature message to the second user equipment under homomorphic encryption;
    receiving, by the first user equipment, a second signature message sent by the second user equipment, and decrypting the second signature message, wherein the second signature message is homomorphically encrypted;
    if the first user equipment verifies, according to the second signature message and the system parameter, that the identity of the second user equipment is legitimate, obtaining, by the first user equipment, a shared key for communication with the second user equipment according to the second signature message and the system parameter.
  6. The key agreement method according to claim 5, wherein the generating, by the first user equipment, a first signature message according to the system parameter and the public key and the private key of the first user equipment comprises:
    selecting, by the first user equipment, a third random number and a fourth random number from the finite field indicated by the intermediate parameter;
    generating, by the first user equipment, the first signature message according to the system parameter, the public key and the private key of the first user equipment, the third random number and the fourth random number.
  7. The key agreement method according to claim 5, wherein the verifying, by the first user equipment, according to the second signature message and the system parameter, that the identity of the second user equipment is legitimate comprises:
    if a preset equation relationship holds between the system parameter and the parameters contained in the second signature message, determining that the identity of the second user equipment is legitimate.
  8. The key agreement method according to claim 6, wherein the obtaining, by the first user equipment, a shared key for communication with the second user equipment according to the second signature message and the system parameter comprises:
    obtaining, by the first user equipment, the shared key for communication with the second user equipment according to the third random number, the second signature message and the system parameter.
  9. A key agreement method, comprising:
    receiving, by a second user equipment, a system parameter sent by a key generation device, wherein the system parameter comprises an elliptic curve parameter, an intermediate parameter and a system public key, the intermediate parameter indicates a finite field defined by the elliptic curve parameter, and the system public key is used for key agreement between the second user equipment and a first user equipment;
    receiving, by the second user equipment, a first signature message sent by the first user equipment, and decrypting the first signature message, wherein the first signature message is homomorphically encrypted;
    receiving, by the second user equipment, a public key and a private key of the second user equipment sent by the key generation device, and decrypting the public key and the private key of the second user equipment, wherein the public key and the private key of the second user equipment are homomorphically encrypted;
    if the second user equipment verifies, according to the first signature message and the system parameter, that the identity of the first user equipment is legitimate, generating, by the second user equipment, a second signature message according to the system parameter and the public key and the private key of the second user equipment;
    sending, by the second user equipment, the second signature message to the first user equipment under homomorphic encryption;
    obtaining, by the second user equipment, a shared key for communication with the first user equipment according to the first signature message and the system parameter.
  10. The key agreement method according to claim 9, wherein the generating, by the second user equipment, a second signature message according to the system parameter and the public key and the private key of the second user equipment comprises:
    selecting, by the second user equipment, a fifth random number and a sixth random number from the finite field indicated by the intermediate parameter;
    generating, by the second user equipment, the second signature message according to the system parameter, the public key and the private key of the second user equipment, the fifth random number and the sixth random number.
  11. The key agreement method according to claim 9, wherein the verifying, by the second user equipment, according to the first signature message and the system parameter, that the identity of the first user equipment is legitimate comprises:
    if a preset equation relationship holds between the system parameter and the parameters contained in the first signature message, determining that the identity of the first user equipment is legitimate.
  12. The key agreement method according to claim 10, wherein the obtaining, by the second user equipment, a shared key for communication with the first user equipment according to the first signature message and the system parameter comprises:
    obtaining, by the second user equipment, the shared key for communication with the first user equipment according to the fifth random number, the first signature message and the system parameter.
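Claims 1 to 12 fix only the structure of the exchange (a key generation device that derives per-identity keys from a master key and a random number, signature messages built from two fresh random numbers, a "preset equation" check, and a shared key derived from one of those random numbers and the peer's message). The example below is added here and is not code from the patent or from the applicant; it fills in that structure with the standard Schnorr-style BNN-IBS equations that the page's definitions section names, and it is the editor's reading of the claims, not the applicant's specification. Assumptions: the "intermediate parameter" is the group order n (so every random number is drawn from Z_n), secp256k1 stands in for the preset elliptic curve parameter, one SHA-256 hash plays the role of both H1 and H2, the "third random number" is an ephemeral Diffie-Hellman exponent and the "fourth" is the signing nonce, and the homomorphic encryption of the messages in transit is left out, since the claims do not specify the scheme. All function and field names are the editor's.

```python
import hashlib
import secrets

# secp256k1 domain parameters stand in for the claims' preset "elliptic curve parameter".
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Group order n, our reading of the "intermediate parameter": it fixes the field Z_n from
# which every random number in the claims is drawn.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result = None
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result

def hash_to_scalar(*parts):
    """Hash identities (bytes), scalars and points into Z_N; plays the role of H1 and H2."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, tuple):
            h.update(part[0].to_bytes(32, "big") + part[1].to_bytes(32, "big"))
        elif isinstance(part, int):
            h.update(part.to_bytes(32, "big"))
        else:
            h.update(part)
    return int.from_bytes(h.digest(), "big") % N

def rand_scalar():
    return 1 + secrets.randbelow(N - 1)

def setup():
    """Claim 2: master key x from Z_n, system public key Ppub = x*G. Returns (params, x)."""
    x = rand_scalar()
    return {"G": G, "n": N, "Ppub": ec_mul(x, G)}, x

def extract(params, master, identity):
    """Claims 3/4: public key R = r*G from (params, ID, r); private key s from (params, x, R, r)."""
    r = rand_scalar()
    R = ec_mul(r, params["G"])
    s = (r + hash_to_scalar(identity, R) * master) % params["n"]
    return R, s

def make_signed_message(params, identity, R, s):
    """Claims 6/10: a is the ephemeral exponent kept for the shared key, y the Schnorr nonce."""
    a, y = rand_scalar(), rand_scalar()
    A_pt = ec_mul(a, params["G"])
    Y = ec_mul(y, params["G"])
    z = (y + hash_to_scalar(identity, A_pt, R, Y) * s) % params["n"]
    return {"id": identity, "R": R, "A": A_pt, "Y": Y, "z": z}, a

def verify(params, msg):
    """Claims 7/11: the 'preset equation' z*G == Y + h*(R + c*Ppub) over the received fields."""
    c = hash_to_scalar(msg["id"], msg["R"])
    h = hash_to_scalar(msg["id"], msg["A"], msg["R"], msg["Y"])
    lhs = ec_mul(msg["z"], params["G"])
    rhs = ec_add(msg["Y"], ec_mul(h, ec_add(msg["R"], ec_mul(c, params["Ppub"]))))
    return lhs == rhs

def shared_key(a, own_msg, peer_msg):
    """Claims 8/12: K = a*A_peer, bound to both ephemeral points so both sides derive the same key."""
    K = ec_mul(a, peer_msg["A"])
    points = [K] + sorted([own_msg["A"], peer_msg["A"]])
    return hashlib.sha256(b"".join(p[0].to_bytes(32, "big") for p in points)).digest()

def run_protocol(id1=b"device-1", id2=b"device-2"):
    """One run of claims 1-12 without the homomorphic transport (constructed identities).
    Returns (msg1 verified, msg2 verified, keys match, forged message rejected)."""
    params, master = setup()
    R1, s1 = extract(params, master, id1)
    R2, s2 = extract(params, master, id2)
    msg1, a1 = make_signed_message(params, id1, R1, s1)
    msg2, a2 = make_signed_message(params, id2, R2, s2)
    ok1, ok2 = verify(params, msg1), verify(params, msg2)
    same = shared_key(a1, msg1, msg2) == shared_key(a2, msg2, msg1)
    forged = dict(msg2, z=(msg2["z"] + 1) % params["n"])
    return ok1, ok2, same, not verify(params, forged)
```

`run_protocol()` returns `(True, True, True, True)`: both signature messages pass the equation check, both devices derive the same key, and a message whose `z` has been altered by one fails. The check in `verify` works because `z*G = y*G + h*s*G = Y + h*(r + c*x)*G = Y + h*(R + c*Ppub)`, so the verifier needs only the public system parameter and the fields carried in the message, which is exactly the dependency stated in claims 7 and 11. Binding both ephemeral points into the key derivation is the editor's choice, not something the claims require.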
  13. A key generation device, comprising:
    a processing unit, configured to generate a system parameter and a master key according to a preset elliptic curve parameter, wherein the system parameter comprises the elliptic curve parameter, an intermediate parameter and a system public key, the intermediate parameter indicates a finite field defined by the elliptic curve parameter, and the system public key is used for key agreement between a first user equipment and a second user equipment;
    a sending unit, configured to broadcast the system parameter;
    wherein the processing unit is further configured to generate a public key and a private key of the first user equipment according to the system parameter, the master key and an identifier of the first user equipment;
    the sending unit is further configured to send the public key and the private key of the first user equipment to the first user equipment under homomorphic encryption, for key agreement between the first user equipment and the second user equipment;
    the processing unit is further configured to generate a public key and a private key of the second user equipment according to the system parameter, the master key and an identifier of the second user equipment;
    the sending unit is further configured to send the public key and the private key of the second user equipment to the second user equipment under homomorphic encryption, for key agreement between the second user equipment and the first user equipment.
  14. The key generation device according to claim 13, wherein the processing unit is further configured to:
    obtain the intermediate parameter according to the elliptic curve parameter and an integer;
    select a random number from the finite field indicated by the intermediate parameter as the master key;
    obtain the system public key according to the master key and the intermediate parameter.
  15. The key generation device according to claim 13 or 14, wherein the processing unit is further configured to:
    select a first random number from the finite field indicated by the intermediate parameter;
    generate the public key of the first user equipment according to the system parameter, the identifier of the first user equipment and the first random number;
    generate the private key of the first user equipment according to the system parameter, the master key, the public key of the first user equipment and the first random number.
  16. The key generation device according to any one of claims 13 to 15, wherein the processing unit is further configured to:
    select a second random number from the finite field indicated by the intermediate parameter;
    generate the public key of the second user equipment according to the system parameter, the identifier of the second user equipment and the second random number;
    generate the private key of the second user equipment according to the system parameter, the master key, the public key of the second user equipment and the second random number.
  17. A user equipment, comprising:
    a receiving unit, configured to receive a system parameter sent by a key generation device, wherein the system parameter comprises an elliptic curve parameter, an intermediate parameter and a system public key, the intermediate parameter indicates a finite field defined by the elliptic curve parameter, and the system public key is used for key agreement between the user equipment and a second user equipment;
    wherein the receiving unit is further configured to receive a public key and a private key of the user equipment sent by the key generation device, and to decrypt the public key and the private key of the user equipment, wherein the public key and the private key of the user equipment are homomorphically encrypted;
    a processing unit, configured to generate a first signature message according to the system parameter and the public key and the private key of the user equipment;
    a sending unit, configured to send the first signature message to the second user equipment under homomorphic encryption;
    wherein the receiving unit is further configured to receive a second signature message sent by the second user equipment, and to decrypt the second signature message, wherein the second signature message is homomorphically encrypted;
    the processing unit is further configured to, if it verifies according to the second signature message and the system parameter that the identity of the second user equipment is legitimate, obtain a shared key for communication with the second user equipment according to the second signature message and the system parameter.
  18. The user equipment according to claim 17, wherein the processing unit is further configured to:
    select a third random number and a fourth random number from the finite field indicated by the intermediate parameter;
    generate the first signature message according to the system parameter, the public key and the private key of the user equipment, the third random number and the fourth random number.
  19. The user equipment according to claim 17, wherein the processing unit is further configured to:
    if a preset equation relationship holds between the system parameter and the parameters contained in the second signature message, determine that the identity of the second user equipment is legitimate.
  20. The user equipment according to claim 18, wherein the processing unit is further configured to:
    obtain the shared key for communication with the second user equipment according to the third random number, the second signature message and the system parameter.
  21. A user equipment, comprising:
    a receiving unit, configured to receive a system parameter sent by a key generation device, wherein the system parameter comprises an elliptic curve parameter, an intermediate parameter and a system public key, the intermediate parameter indicates a finite field defined by the elliptic curve parameter, and the system public key is used for key agreement between the user equipment and a first user equipment;
    wherein the receiving unit is further configured to receive a first signature message sent by the first user equipment, and to decrypt the first signature message, wherein the first signature message is homomorphically encrypted;
    the receiving unit is further configured to receive a public key and a private key of the user equipment sent by the key generation device, and to decrypt the public key and the private key of the user equipment, wherein the public key and the private key of the user equipment are homomorphically encrypted;
    a processing unit, configured to, if it verifies according to the first signature message and the system parameter that the identity of the first user equipment is legitimate, generate a second signature message according to the system parameter and the public key and the private key of the user equipment;
    a sending unit, configured to send the second signature message to the first user equipment under homomorphic encryption;
    wherein the processing unit is further configured to obtain a shared key for communication with the first user equipment according to the first signature message and the system parameter.
  22. The user equipment according to claim 21, wherein the processing unit is further configured to:
    select a fifth random number and a sixth random number from the finite field indicated by the intermediate parameter;
    generate the second signature message according to the system parameter, the public key and the private key of the user equipment, the fifth random number and the sixth random number.
  23. The user equipment according to claim 21, wherein the processing unit is further configured to:
    if a preset equation relationship holds between the system parameter and the parameters contained in the first signature message, determine that the identity of the first user equipment is legitimate.
  24. The user equipment according to claim 22, wherein the processing unit is further configured to:
    obtain the shared key for communication with the first user equipment according to the fifth random number, the first signature message and the system parameter.
  25. A key generation device, comprising a processor, an interface circuit, a memory and a bus, wherein the processor, the interface circuit and the memory are connected through the bus and communicate with one another, and the processor is configured to execute program code in the memory to control the interface circuit to perform the following operations:
    the processor is configured to generate a system parameter and a master key according to a preset elliptic curve parameter, wherein the system parameter comprises the elliptic curve parameter, an intermediate parameter and a system public key, the intermediate parameter indicates a finite field defined by the elliptic curve parameter, and the system public key is used for key agreement between a first user equipment and a second user equipment;
    the interface circuit is configured to broadcast the system parameter;
    the processing unit is further configured to generate a public key and a private key of the first user equipment according to the system parameter, the master key and an identifier of the first user equipment;
    the interface circuit is further configured to send the public key and the private key of the first user equipment to the first user equipment under homomorphic encryption, for key agreement between the first user equipment and the second user equipment;
    the processor is further configured to generate a public key and a private key of the second user equipment according to the system parameter, the master key and an identifier of the second user equipment;
    the interface circuit is further configured to send the public key and the private key of the second user equipment to the second user equipment under homomorphic encryption, for key agreement between the second user equipment and the first user equipment.
  26. The key generation device according to claim 25, wherein the processor is further configured to:
    obtain the intermediate parameter according to the elliptic curve parameter and an integer;
    select a random number from the finite field indicated by the intermediate parameter as the master key;
    obtain the system public key according to the master key and the intermediate parameter.
  27. The key generation device according to claim 25 or 26, wherein the processor is further configured to:
    select a first random number from the finite field indicated by the intermediate parameter;
    generate the public key of the first user equipment according to the system parameter, the identifier of the first user equipment and the first random number;
    generate the private key of the first user equipment according to the system parameter, the master key, the public key of the first user equipment and the first random number.
  28. The key generation device according to any one of claims 25 to 27, wherein the processor is further configured to:
    select a second random number from the finite field indicated by the intermediate parameter;
    generate the public key of the second user equipment according to the system parameter, the identifier of the second user equipment and the second random number;
    generate the private key of the second user equipment according to the system parameter, the master key, the public key of the second user equipment and the second random number.
  29. A user equipment, comprising a processor, a first interface circuit, a second interface circuit, a memory and a bus, wherein the processor, the first interface circuit, the second interface circuit and the memory are connected through the bus and communicate with one another, and the processor is configured to execute program code in the memory to control the first interface circuit and the second interface circuit to perform the following operations:
    the first interface circuit is configured to receive a system parameter sent by a key generation device, wherein the system parameter comprises an elliptic curve parameter, an intermediate parameter and a system public key, the intermediate parameter indicates a finite field defined by the elliptic curve parameter, and the system public key is used for key agreement between the user equipment and a second user equipment;
    the first interface circuit is further configured to receive a public key and a private key of the user equipment sent by the key generation device, and to decrypt the public key and the private key of the user equipment, wherein the public key and the private key of the user equipment are homomorphically encrypted;
    the processor is configured to generate a first signature message according to the system parameter and the public key and the private key of the user equipment;
    the second interface circuit is configured to send the first signature message to the second user equipment under homomorphic encryption;
    the first interface circuit is further configured to receive a second signature message sent by the second user equipment, and to decrypt the second signature message, wherein the second signature message is homomorphically encrypted;
    the processor is further configured to, if it verifies according to the second signature message and the system parameter that the identity of the second user equipment is legitimate, obtain a shared key for communication with the second user equipment according to the second signature message and the system parameter.
  30. The user equipment according to claim 29, wherein the processor is further configured to:
    select a third random number and a fourth random number from the finite field indicated by the intermediate parameter;
    generate the first signature message according to the system parameter, the public key and the private key of the user equipment, the third random number and the fourth random number.
  31. The user equipment according to claim 29, wherein the processor is further configured to:
    if a preset equation relationship holds between the system parameter and the parameters contained in the second signature message, determine that the identity of the second user equipment is legitimate.
  32. The user equipment according to claim 30, wherein the processor is further configured to:
    obtain the shared key for communication with the second user equipment according to the third random number, the second signature message and the system parameter.
  33. A user equipment, comprising a processor, a first interface circuit, a second interface circuit, a memory and a bus, wherein the processor, the first interface circuit, the second interface circuit and the memory are connected via the bus and communicate with one another, and the processor is configured to execute program code in the memory so as to control the first interface circuit and the second interface circuit to perform the following operations:
    the first interface circuit is further configured to receive the public key and private key of the user equipment sent by the key generation device, and to decrypt the public key and private key of the user equipment, wherein the public key and private key of the user equipment are homomorphically encrypted;
    the first interface circuit is configured to receive system parameters sent by a key generation device, wherein the system parameters include elliptic curve parameters, an intermediate parameter and a system public key, the intermediate parameter being used to indicate the finite field defined by the elliptic curve parameters, and the system public key being used for key agreement between the user equipment and a first user equipment;
    the first interface circuit is further configured to receive a first signature message sent by the first user equipment and to decrypt the first signature message, wherein the first signature message is homomorphically encrypted;
    the processor is configured to, if the identity of the first user equipment is verified as legitimate according to the first signature message and the system parameters, generate a second signature message according to the system parameters and the public key and private key of the user equipment;
    the second interface circuit is configured to send the second signature message, homomorphically encrypted, to the first user equipment; and
    the processor is further configured to obtain, according to the first signature message and the system parameters, a shared key for communicating with the first user equipment.
  34. The user equipment according to claim 33, wherein the processor is further configured to:
    select a fifth random number and a sixth random number from the finite field indicated by the intermediate parameter; and
    generate the second signature message according to the system parameters, the public key and private key of the user equipment, and the fifth random number and the sixth random number.
  35. The user equipment according to claim 33, wherein the processor is further configured to:
    if a preset equation relationship is satisfied between the system parameters and the parameters contained in the first signature message, determine that the identity of the first user equipment is legitimate.
  36. The user equipment according to claim 34, wherein the processor is further configured to:
    obtain, according to the fifth random number, the first signature message and the system parameters, a shared key for communicating with the first user equipment.
  37. A key agreement system, comprising the key generation device according to any one of claims 13-16, the user equipment according to any one of claims 17-20 and the user equipment according to any one of claims 21-24;
    or,
    comprising the key generation device according to any one of claims 25-28, the user equipment according to any one of claims 29-32 and the user equipment according to any one of claims 33-36.
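As an added worked example (not the patent's own code), the following Python models the exchange the claims describe: a key generation device issues BNN-IBS keys, each user equipment draws its random numbers from the field of order N, signs an ephemeral Diffie-Hellman share, and the peer checks the preset equation before deriving the shared key. The secp256k1 curve parameters, the hash construction and the message layout are this example's own assumptions, and the homomorphic-encryption layer that the claims place around the transmitted keys and signature messages is left out.

```python
import hashlib, secrets
# System parameters (secp256k1): field prime P, curve y^2 = x^3 + 7, generator G, prime order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
rand = lambda: secrets.randbelow(N - 1) + 1  # random number from the finite field Z_N indicated by N

def add(p1, p2):  # affine point addition on y^2 = x^3 + 7; None is the point at infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2), dbl = p1, p2, p1 == p2
    if x1 == x2 and not dbl: return None          # p2 == -p1
    lam = (3 * x1 * x1 if dbl else y2 - y1) * pow(2 * y1 if dbl else x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt, acc=None):  # double-and-add scalar multiplication
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(*parts):  # hash to Z_N, standing in for the scheme's hash functions (assumed construction)
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def kgc_setup():  # key generation device: master key x, system public key Ppub = xG
    x = rand(); return x, mul(x, G)
def kgc_extract(x, uid):  # BNN-IBS extraction: public key R = rG, private key s = r + H(ID,R)*x
    r = rand(); R = mul(r, G)
    return R, (r + H(uid, R) * x) % N

def sign_msg(uid, R, s):  # signature message carrying an ephemeral DH share T = aG
    a, y = rand(), rand()  # third random number a (DH secret), fourth random number y (nonce)
    T, Y = mul(a, G), mul(y, G)
    return a, (uid, R, T, Y, (y + H(uid, R, Y, T) * s) % N)

def verify_msg(ppub, msg):  # preset equation: zG == Y + h(R + c*Ppub), c=H(ID,R), h=H(ID,R,Y,T)
    uid, R, T, Y, z = msg
    return mul(z, G) == add(Y, mul(H(uid, R, Y, T), add(R, mul(H(uid, R), ppub))))
def shared_key(a, peer_msg):  # a * T_peer = ab*G on both sides, hashed into a session key
    return hashlib.sha256(repr(mul(a, peer_msg[2])).encode()).hexdigest()

def run_protocol():  # one full exchange; returns (both identities verified, UE1 key, UE2 key)
    x, ppub = kgc_setup()
    keys = {u: kgc_extract(x, u) for u in ("UE1", "UE2")}
    a1, m1 = sign_msg("UE1", *keys["UE1"])  # first signature message, UE1 -> UE2
    a2, m2 = sign_msg("UE2", *keys["UE2"])  # second signature message, UE2 -> UE1
    ok = verify_msg(ppub, m1) and verify_msg(ppub, m2)
    return ok, shared_key(a1, m2), shared_key(a2, m1)
```

A tampered signature value or a substituted identity fails the equation check, which is the point at which the receiving user equipment stops before deriving any key.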

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201680046828.8A CN107925578B (en) 2016-03-11 2016-03-11 Key agreement method, device and system
PCT/CN2016/076170 WO2017152423A1 (en) 2016-03-11 2016-03-11 Key negotiation method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/076170 WO2017152423A1 (en) 2016-03-11 2016-03-11 Key negotiation method, device and system

Publications (1)

Publication Number Publication Date
WO2017152423A1 true WO2017152423A1 (en) 2017-09-14

Family

ID=59790096

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/076170 WO2017152423A1 (en) 2016-03-11 2016-03-11 Key negotiation method, device and system

Country Status (2)

Country Link
CN (1) CN107925578B (en)
WO (1) WO2017152423A1 (en)

Also Published As

Publication number Publication date
CN107925578B (en) 2020-12-01
CN107925578A (en) 2018-04-17

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16893072

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 16893072

Country of ref document: EP

Kind code of ref document: A1