Cryptographic device supporting post-quantum cryptographic algorithms

By designing a cryptographic device that supports post-quantum cryptography algorithms, including modules for cryptographic operations, key management, platform services, and access control, the problem of the lack of interface functions for post-quantum cryptography algorithms in existing technologies is solved, achieving more comprehensive management and security.

CN120150941BActive Publication Date: 2026-06-09ORIGIN QUANTUM COMPUTING TECH (HEFEI) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ORIGIN QUANTUM COMPUTING TECH (HEFEI) CO LTD
Filing Date
2025-03-13
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

The existing national cryptographic standards lack interface functions related to post-quantum cryptography algorithms, which makes it impossible to build a complete management system and meet the needs of users in actual business operations.

Method used

Design a cryptographic device that supports post-quantum cryptography algorithms, including a cryptographic operation module, a key management module, a platform service module, and an access control module, to realize the hybrid operation of national cryptographic algorithms and post-quantum cryptography algorithms, and introduce a hierarchical access control mechanism.

Benefits of technology

It has achieved complete computation and key management of national cryptographic algorithms and post-quantum cryptographic algorithms, improved the management system, and enhanced data security and adaptability.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN120150941B_ABST
    Figure CN120150941B_ABST
Patent Text Reader

Abstract

The embodiment of the application discloses a cryptographic device supporting post-quantum cryptographic algorithm, comprising a cryptographic operation module, a key management module, a platform service module and an authority management module, the cryptographic operation module is used for completing cryptographic operation according to national cryptographic algorithm and / or post-quantum cryptographic algorithm; the key management module is used for managing the key used by the national cryptographic algorithm and / or the post-quantum cryptographic algorithm; the platform service module is used for performing full life cycle management on the file in the cryptographic device, recording the running state and operation record of the cryptographic device, and verifying the function of the cryptographic device; the authority management module is used for assigning different management authorities to the cryptographic device according to the level of the user. By adopting the embodiment of the application, the function of the current cryptographic device can be improved, not only the national cryptographic operation can be provided, but also the post-quantum cryptographic operation or the mixed operation of the two can be provided.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of post-quantum cryptography, and more particularly to a cryptographic device that supports post-quantum cryptography algorithms. Background Technology

[0002] Post-quantum cryptography is a new type of cryptographic system capable of resisting quantum computer attacks, aiming to replace widely used classical public-key cryptography algorithms such as RSA (Rivest-Shamir-Adleman) and Elliptic Curve Cryptography (ECC). With the rapid development of quantum computing technology, traditional cryptography faces the risk of being broken by quantum attacks such as Shor's algorithm, making post-quantum cryptography a core technological direction for ensuring future data security.

[0003] The current national cryptography standard only defines interface functions related to classical cryptographic algorithms, lacking interface functions related to post-quantum cryptographic algorithms. Although the standard defines some interfaces for device management, key management, and access control, these interface functions are limited in functionality and do not constitute a complete management system, which is insufficient to meet the actual business needs of users. Summary of the Invention

[0004] This application provides a cryptographic device that supports post-quantum cryptography algorithms, which helps to improve the functionality of current cryptographic devices. It can not only provide national cryptographic operations, but also post-quantum cryptography operations or a combination of both.

[0005] This application provides a cryptographic device that supports post-quantum cryptography algorithms, the cryptographic device comprising:

[0006] The cryptographic operation module is used to perform cryptographic operations based on national cryptographic algorithms and / or post-quantum cryptographic algorithms;

[0007] A key management module is used to manage the keys used by the national cryptographic algorithm and / or the post-quantum cryptographic algorithm;

[0008] The platform service module is used to perform full lifecycle management of files in the cryptographic device, record the operating status and operation records of the cryptographic device, and verify the functions of the cryptographic device;

[0009] The access control module is used to manage the cryptographic device by assigning different management permissions according to the user's level.

[0010] Optionally, the cryptographic operation module includes:

[0011] The national cryptographic algorithm module is used to perform cryptographic operations using the national cryptographic algorithm.

[0012] The post-quantum cryptography module is used to perform cryptographic operations using the post-quantum cryptography algorithm.

[0013] The hybrid operation module is used to perform cryptographic operations using the national cryptographic algorithm and the post-quantum cryptographic algorithm.

[0014] Optionally, the interface in the national cryptographic operation module adopts the interface in the national standard specification, and the interfaces in the post-quantum cryptographic operation module and the hybrid operation module are designed in accordance with the interface form in the national standard specification.

[0015] Optionally, the key management module includes:

[0016] The national cryptographic key management module is used to manage the keys used by the national cryptographic algorithm.

[0017] The post-quantum cryptography key management module is used to manage the keys used by the post-quantum cryptography algorithm;

[0018] The hybrid key management module is used to manage the hybrid key used by the national cryptographic algorithm and the post-quantum cryptographic algorithm.

[0019] Optionally, the interface in the national cryptographic key management module adopts the interface in the national standard specification, and the interfaces in the post-quantum cryptography key management module and the hybrid key management module are designed in accordance with the interface form in the national standard specification.

[0020] Optionally, the platform service module includes:

[0021] The file management module is used for full lifecycle management of files in the cryptographic device;

[0022] The log module is used to record the operating status and operation records of the cryptographic device, and output logs to assist in troubleshooting. The level of detail in the output content is set according to the output level.

[0023] The self-test module is used to verify the functionality of the cryptographic device using a known answer test method.

[0024] Optionally, the file management module includes interfaces in national standards and specifications and custom interfaces. The interfaces in national standards and specifications are used to ensure compatibility and implement basic functions, while the custom interfaces are used to compensate for the limitations of the interfaces in national standards and specifications and adapt to specific user needs.

[0025] Optionally, the permission management module includes:

[0026] The operator management module is used to manage the cryptographic devices according to the operator's permissions;

[0027] The administrator management module is used to manage the cryptographic devices according to administrator privileges;

[0028] The super administrator management module is used to manage the cryptographic device according to the super administrator's privileges, wherein the operator's privileges are lower than the administrator's privileges, which are lower than the super administrator's privileges.

[0029] Optionally, the interface in the cryptographic device is encapsulated in a secondary manner.

[0030] Optionally, the interface in the cryptographic device will only execute its functions when both the data validity and permissions are verified successfully; if either the data validity or the permissions are verified, an error value will be returned.

[0031] This application provides a cryptographic device supporting post-quantum cryptography algorithms, including a cryptographic operation module, a key management module, a platform service module, and a permission management module. The cryptographic operation module is used to perform cryptographic operations based on national cryptographic algorithms and / or post-quantum cryptography algorithms. The key management module is used to manage the keys used by national cryptographic algorithms and / or post-quantum cryptography algorithms. The platform service module is used to perform full lifecycle management of files in the cryptographic device, record the operating status and operation records of the cryptographic device, and verify the functionality of the cryptographic device. The permission management module is used to manage the cryptographic device by assigning different management permissions according to the user's level. It can be seen that in this embodiment, both the cryptographic operation module and the key management module of the cryptographic device can realize cryptographic operations or key management of national cryptographic algorithms and / or post-quantum cryptography algorithms, which is more complete than existing cryptographic devices that only support national cryptographic operations. In addition, this application adds a platform service module and a permission management module, and adds a hierarchical mechanism, making the management system more complete. Attached Figure Description

[0032] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0033] Figure 1 This paper illustrates a schematic diagram of the structure of a cryptographic device supporting post-quantum cryptography algorithms according to an embodiment of this application;

[0034] Figure 2 This paper shows a schematic diagram of the structure of a cryptographic operation module provided in one embodiment of the present application;

[0035] Figure 3This paper shows a schematic diagram of the structure of a password management module provided in one embodiment of the present application;

[0036] Figure 4 This paper shows a schematic diagram of the structure of a platform service module provided in one embodiment of the present application;

[0037] Figure 5 This illustration shows a schematic diagram of the structure of a permission management module provided in one embodiment of this application;

[0038] Figure 6 A schematic diagram of the structure of a cryptographic device supporting post-quantum cryptography algorithms provided in another embodiment of this application is shown. Detailed Implementation

[0039] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of this application.

[0040] Please refer to Figure 1 This illustration shows a schematic diagram of the structure of a cryptographic device supporting a post-quantum cryptography algorithm according to an embodiment of this application. The cryptographic device 1 includes:

[0041] Cryptographic operation module 10 is used to perform cryptographic operations according to national cryptographic algorithms and / or post-quantum cryptographic algorithms;

[0042] Key management module 20 is used to manage the keys used by the national cryptographic algorithm and / or the post-quantum cryptographic algorithm;

[0043] The platform service module 30 is used to perform full lifecycle management of files in the cryptographic device, record the operating status and operation records of the cryptographic device, and verify the functions of the cryptographic device;

[0044] The access control module 40 is used to manage the cryptographic device by assigning different management permissions according to the user's level.

[0045] The National Cryptographic Algorithm (referred to as "National Cryptographic Algorithm") is a cryptographic standard system independently designed and promoted by the State Cryptography Administration (OSCCA), aiming to safeguard national information security and achieve independent control over cryptographic technologies. This system covers multiple fields including symmetric encryption, asymmetric encryption, hash algorithms, and cryptographic protocols, and is widely used in critical infrastructures such as government affairs, finance, and communications. Its core algorithms and characteristics are shown in Table 1 below.

[0046] Table 1. Core Algorithms and Characteristics of Chinese Cryptographic Algorithms

[0047]

[0048]

[0049] Among them, post-quantum cryptography is a new generation of cryptographic technology designed to address the threat of quantum computing. It aims to replace current classical algorithms based on Large Integer Factorization (RSA) and Elliptic Curve Discrete Logarithm (ECC / SM2). Its core objective is to leverage mathematical problems that quantum computers cannot efficiently solve to build a secure communication system for the future. Its core algorithms and characteristics are shown in Table 2 below.

[0050] Table 2. Core Algorithms and Characteristics of Post-Quantum Cryptography Algorithms

[0051]

[0052] For example, cryptographic operations include encryption, decryption, hashing, digital signatures, and key exchange. Key management includes key import, key generation, and key deletion. File lifecycle management encompasses the entire process from file creation to deletion, such as file creation, file moving, file copying, file pasting, and file deletion. Verifying the functionality of cryptographic devices involves determining whether a given module can perform its predefined functions.

[0053] Please refer to Figure 2 This illustration shows a schematic diagram of the structure of a cryptographic operation module provided in one embodiment of this application. The cryptographic operation module 10 includes:

[0054] National cryptographic operation module 11 is used to perform cryptographic operations using the national cryptographic algorithm.

[0055] Post-quantum cryptography module 12 is used to perform cryptographic operations using the post-quantum cryptography algorithm;

[0056] Hybrid operation module 13 is used to perform cryptographic operations using the national cryptographic algorithm and the post-quantum cryptographic algorithm.

[0057] In one embodiment of this application, the interface in the national cryptographic operation module 11 adopts the interface in the national standard specification, and the interfaces in the post-quantum cryptographic operation module 12 and the hybrid operation module 13 are designed in accordance with the interface form in the national standard specification.

[0058] For example, following the interface design in national standard specifications, the algorithm name prefix or verb-based operation naming can be used; input parameters should come first, output parameters should come second, and length parameters should follow the data pointer to set the parameter order; a unified 32-bit error code should be returned, with predefined standard error types for error handling; the encryption algorithm should use a context to save intermediate states for context management; the caller should be explicitly required to allocate an output buffer, and the interface should not manage the memory lifecycle to ensure memory safety.

[0059] The interfaces in the national cryptographic operation module 11, the post-quantum cryptographic operation module 12, and the hybrid operation module 13 can all include signature interfaces and signature verification interfaces. For example, if the national cryptographic algorithm is SM2 and the post-quantum cryptographic algorithm is Dilithium, then the interfaces in the national cryptographic operation module 11 can include external key ECC signature interfaces, external key ECC signature verification interfaces, internal key ECC signature interfaces, and internal key ECC signature verification interfaces. The interfaces in the post-quantum cryptographic operation module 12 can include external key Dilithium signature interfaces, external key Dilithium signature verification interfaces, internal key Dilithium signature interfaces, and internal key Dilithium signature verification interfaces. The interfaces in the hybrid operation module 13 can include external key Dilithium and SM2 hybrid signature interfaces, external key Dilithium and SM2 hybrid signature verification interfaces, internal key Dilithium and SM2 hybrid signature interfaces, and internal key Dilithium and SM2 hybrid signature verification interfaces.

[0060] Please refer to Figure 3 This illustration shows a structural diagram of a password management module provided in one embodiment of this application. The password management module 20 includes:

[0061] The national cryptographic key management module 21 is used to manage the keys used by the national cryptographic algorithm;

[0062] The post-quantum cryptography key management module 22 is used to manage the keys used by the post-quantum cryptography algorithm;

[0063] The hybrid key management module 23 is used to manage the hybrid key used by the national cryptographic algorithm and the post-quantum cryptographic algorithm.

[0064] In one embodiment of this application, the interface in the national cryptographic key management module 21 adopts the interface in the national standard specification, and the interfaces in the post-quantum cryptography key management module 22 and the hybrid key management module 23 are designed in accordance with the interface form in the national standard specification.

[0065] It should be noted that the interface design is modeled after the interface forms in national standards and specifications. Figure 3 The specific details of the embodiments will not be repeated here.

[0066] In one embodiment of this application, the national cryptographic key management module 21 includes an interface in the national standard specification and a custom interface. The interface in the national standard specification is used to ensure compatibility and implement basic functions, while the custom interface is used to make up for the limitations of the interface in the national standard specification and adapt to the specific needs of users.

[0067] For example, the national cryptographic key management module 21 includes interfaces in the national standard specifications such as an interface for exporting ECC encryption public keys, an interface for exporting ECC signature public keys, an interface for generating session keys and encrypting output using internal ECC keys, and an interface for generating session keys and encrypting output using external ECC keys; it also includes custom interfaces such as an interface for generating ECC key pairs, an interface for importing ECC key pairs, and an interface for deleting ECC key pairs.

[0068] The post-quantum cryptography key management module 22, modeled after the interfaces in the national standard specification, includes interfaces for exporting Kyber public keys, generating session keys and encrypting output using internal Kyber keys, generating session keys and encrypting output using external Kyber keys, generating Kyber key pairs, importing Kyber key pairs, and deleting Kyber key pairs.

[0069] The hybrid key management module 23, modeled after the interfaces in the national standard specification, includes interfaces for exporting Kyber and ECC hybrid public keys, generating session keys and encrypting output using Kyber and ECC hybrid keys, generating session keys and encrypting output using external Kyber and ECC hybrid keys, generating Kyber and ECC hybrid key pairs, importing Kyber and ECC hybrid key pairs, and deleting Kyber and ECC hybrid key pairs.

[0070] Please refer to Figure 4 This illustration shows a structural diagram of a platform service module provided in one embodiment of this application. The platform service module 30 includes:

[0071] File management module 31 is used for full lifecycle management of files in the cryptographic device;

[0072] Log module 32 is used to record the operating status and operation records of the cryptographic device, and output logs to assist in troubleshooting. The level of detail in the output content is set according to the output level.

[0073] Self-test module 33 is used to test the functionality of the cryptographic device using a known answer test method.

[0074] In one embodiment of this application, the file management module 31 includes interfaces in national standards and specifications and custom interfaces. The interfaces in national standards and specifications are used to ensure compatibility and implement basic functions, while the custom interfaces are used to compensate for the limitations of the interfaces in national standards and specifications and adapt to the specific needs of users.

[0075] For example, the file management module 31 includes interfaces in national standards and specifications such as a file generation interface, a file import interface, and a file deletion interface; and includes custom interfaces such as a key information backup file generation interface, a user information backup file generation interface, a key information recovery interface using a backup file, and a user information recovery interface using a backup file.

[0076] In the logging module 32, the log output levels can be divided into 3, 5, 7, etc., without any limitation. The higher the level, the more detailed the log information is printed. Developers can set the log output level in the configuration file.

[0077] The specific method for testing known answers in self-test module 33 can be to input preset parameters into a specified function, and then compare the result generated by the function with the preset result to determine whether the function is working properly.

[0078] Please refer to Figure 5 This diagram illustrates the structure of a permission management module according to an embodiment of this application. The permission management module 40 includes:

[0079] Operator management module 41 is used to manage the cryptographic device according to operator permissions;

[0080] Administrator management module 42 is used to manage the cryptographic device according to administrator privileges;

[0081] The super administrator management module 43 is used to manage the cryptographic device according to the super administrator's permissions, wherein the operator's permissions are lower than the administrator's permissions, which are lower than the super administrator's permissions.

[0082] For example, under operator privileges, users can only view and use symmetric keys and check the status of asymmetric keys; they cannot manage symmetric keys, nor can they use or manage asymmetric keys. Viewing keys here means that the operator can see which locations in the cryptographic device contain keys and which are empty, but cannot view the specific values ​​of the keys. Using keys means being able to perform operations using the keys and derive the public key of the key pair. Managing keys refers to using functions such as generating keys, importing keys, deleting keys, setting private key access control codes, and generating / restoring backup files.

[0083] With administrator privileges, users can add and delete operators, and can also view, use, and manage symmetric keys, as well as view and use asymmetric keys, but cannot manage asymmetric keys.

[0084] With super administrator privileges, users can add and delete operators and administrators, view, use, and manage symmetric and asymmetric keys, and perform device initialization operations.

[0085] In one embodiment of this application, the interface in the aforementioned cryptographic device is encapsulated in a secondary manner.

[0086] The interfaces in national standard specifications are all in C language form, using pointers as input and output parameters. In some scenarios, using pointers may lead to unsafe situations such as memory leaks. For example, to address this issue, a C++ interface can be wrapped around the original national standard interface, using strings as input and output parameters. This is relatively safer, and strings have more library functions in C++, making them more convenient for users.

[0087] For example, the input and output parameters of the function interface that uses an internal key for signing in the standard are in the following form:

[0088] int SDF_InternalSign_ECC(void *hSessionHandle, / / session handle)

[0089] unsigned int uilSKIndex, / / Index of the internal key

[0090] unsigned char*pucData, / / Pointer to the information to be signed

[0091] unsigned int uiDataLength, / / Length of the information to be signed

[0092] ECCSignature*pucSignature); / / Pointer to the signature

[0093] By further encapsulating this interface, a C++ version of the interface can be obtained:

[0094] int InternalSign_ECC(std::string_view hSessionHandle,

[0095] unsigned int uilSKIndex,

[0096] std::string_view pucData,

[0097] std::string&pucSignature);

[0098] As you can see, this interface replaces the pointer-type input parameters (hSessionHandle and pucData) in the standard interface with std::string_view type, which is safer. Furthermore, after the replacement, we can calculate the size of the information to be signed using pucData.size(), thus eliminating the need for the uiDataLength input parameter.

[0099] In one embodiment of this application, the interface in the cryptographic device executes its functions only when both data validity and permissions are verified successfully; if either data validity or permissions fails to be verified, an error value is returned.

[0100] For example, data validity verification may include at least one of the following: pointer validity check (all input pointers are not empty), length range verification (such as key length, ciphertext format), numerical validity (such as whether the SM2 public key is a valid point of an elliptic curve), and data format verification (such as SM4 ciphertext padding format); permission verification may include at least one of the following: operation permission verification (such as whether key generation is allowed), key usage matching (such as whether the SM2 key is allowed to be used for encryption / signing), and access control (such as verifying the caller's identity for private key operations).

[0101] It should be noted that the data validity can be checked first, followed by the permissions, or vice versa; no specific rule is set here.

[0102] This application provides a cryptographic device supporting post-quantum cryptography algorithms, including a cryptographic operation module, a key management module, a platform service module, and a permission management module. The cryptographic operation module is used to perform cryptographic operations based on national cryptographic algorithms and / or post-quantum cryptography algorithms. The key management module is used to manage the keys used by national cryptographic algorithms and / or post-quantum cryptography algorithms. The platform service module is used to perform full lifecycle management of files in the cryptographic device, record the operating status and operation records of the cryptographic device, and verify the functionality of the cryptographic device. The permission management module is used to manage the cryptographic device by assigning different management permissions according to the user's level. It can be seen that in this embodiment, both the cryptographic operation module and the key management module of the cryptographic device can realize cryptographic operations or key management of national cryptographic algorithms and / or post-quantum cryptography algorithms, which is more complete than existing cryptographic devices that only support national cryptographic operations. In addition, this application adds a platform service module and a permission management module, and adds a hierarchical mechanism, making the management system more complete.

[0103] Please refer to Figure 6This illustration shows a schematic diagram of the structure of a cryptographic device supporting a post-quantum cryptography algorithm according to another embodiment of this application. The cryptographic device 1 includes:

[0104] Cryptographic operation module 10 is used to perform cryptographic operations according to national cryptographic algorithms and / or post-quantum cryptographic algorithms;

[0105] Key management module 20 is used to manage the keys used by the national cryptographic algorithm and / or the post-quantum cryptographic algorithm;

[0106] The platform service module 30 is used to perform full lifecycle management of files in the cryptographic device, record the operating status and operation records of the cryptographic device, and verify the functions of the cryptographic device;

[0107] The access control module 40 is used to manage the cryptographic device by assigning different management permissions according to the user's level.

[0108] The cryptographic operation module 10 includes:

[0109] National cryptographic operation module 11 is used to perform cryptographic operations using the national cryptographic algorithm.

[0110] Post-quantum cryptography module 12 is used to perform cryptographic operations using the post-quantum cryptography algorithm;

[0111] Hybrid operation module 13 is used to perform cryptographic operations using the national cryptographic algorithm and the post-quantum cryptographic algorithm.

[0112] The password management module 20 includes:

[0113] The national cryptographic key management module 21 is used to manage the keys used by the national cryptographic algorithm;

[0114] The post-quantum cryptography key management module 22 is used to manage the keys used by the post-quantum cryptography algorithm;

[0115] The hybrid key management module 23 is used to manage the hybrid key used by the national cryptographic algorithm and the post-quantum cryptographic algorithm.

[0116] The platform service module 30 includes:

[0117] File management module 31 is used for full lifecycle management of files in the cryptographic device;

[0118] Log module 32 is used to record the operating status and operation records of the cryptographic device, and output logs to assist in troubleshooting. The level of detail in the output content is set according to the output level.

[0119] Self-test module 33 is used to test the functionality of the cryptographic device using a known answer test method.

[0120] The permission management module 40 includes:

[0121] Operator management module 41 is used to manage the cryptographic device according to operator permissions;

[0122] Administrator management module 42 is used to manage the cryptographic device according to administrator privileges;

[0123] The super administrator management module 43 is used to manage the cryptographic device according to the super administrator's permissions, wherein the operator's permissions are lower than the administrator's permissions, which are lower than the super administrator's permissions.

[0124] For a description of each module in the embodiments of this application, please refer to [link / reference]. Figures 1-5 The descriptions in the embodiments are not illustrated in detail here.

[0125] It is understood that the specific examples in this application are only intended to help those skilled in the art better understand the implementation methods of this application, and are not intended to limit the scope of the invention.

[0126] It is understood that in the various embodiments of this application, the sequence number of each process does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not limit the implementation process of the embodiments of this application in any way.

[0127] It is understood that the various implementation methods described in this application can be implemented individually or in combination, and the implementation methods in this application are not limited in this respect.

[0128] Unless otherwise stated, all technical and scientific terms used in the embodiments of this application have the same meaning as commonly understood by one of ordinary skill in the art. The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit the scope of this application. The term "and / or" as used in this application includes any and all combinations of one or more of the associated listed items. The singular forms "a," "the," and "the" as used in the embodiments of this application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise.

[0129] It is understood that the processor in the embodiments of this application can be an integrated circuit chip with signal processing capabilities. During implementation, each step of the above method embodiments can be completed by the integrated logic circuits in the processor's hardware or by instructions in software form. The processor can be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application can be directly embodied in the execution of a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software modules can be located in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. This storage medium is located in memory; the processor reads information from the memory and, in conjunction with its hardware, completes the steps of the above method.

[0130] It is understood that the memory in the embodiments of this application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. Specifically, non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. Volatile memory may be random access memory (RAM). It should be noted that the memory in the systems and methods described herein is intended to include, but is not limited to, these and any other suitable types of memory.

[0131] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

[0132] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the aforementioned method implementations, and will not be repeated here.

[0133] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.

[0134] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment, depending on actual needs.

[0135] In addition, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.

[0136] If a function is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0137] The above are merely specific embodiments of this application, but the scope of protection of this invention is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this invention should be determined by the scope of the claims.

Claims

1. A cryptographic device supporting post-quantum cryptography algorithms, characterized in that, The cryptographic device includes: The cryptographic operation module is used to perform cryptographic operations based on national cryptographic algorithms and / or post-quantum cryptographic algorithms; A key management module is used to manage the keys used by the national cryptographic algorithm and / or the post-quantum cryptographic algorithm; The platform service module is used to perform full lifecycle management of files in the cryptographic device, record the operating status and operation records of the cryptographic device, and verify the functions of the cryptographic device; The access control module is used to manage the cryptographic device by assigning different management permissions according to the user's level; wherein: The cryptographic operation module includes: The national cryptographic algorithm module is used to perform cryptographic operations using the national cryptographic algorithm. The post-quantum cryptography module is used to perform cryptographic operations using the post-quantum cryptography algorithm. A hybrid operation module is used to perform cryptographic operations using the national cryptographic algorithm and the post-quantum cryptographic algorithm; The key management module includes: The national cryptographic key management module is used to manage the keys used by the national cryptographic algorithm. The post-quantum cryptography key management module is used to manage the keys used by the post-quantum cryptography algorithm; A hybrid key management module is used to manage the hybrid key used by the national cryptographic algorithm and the post-quantum cryptographic algorithm; The interface in the national cryptographic operation module adopts the interface in the national standard specification. The interfaces in the post-quantum cryptography operation module and the hybrid operation module are designed in imitation of the interface form in the national standard specification. The interface design in imitation of the interface form in the national standard specification includes: using algorithm name prefix or verb form for operation naming; setting the parameter order by putting input parameters first and output parameters second, with the length parameter following the data pointer; uniformly returning 32-bit error codes, predefined standard error types, and error handling; using Context to save intermediate states for encryption algorithms for context management; explicitly requiring the caller to allocate an output buffer, and ensuring memory security by not managing the memory lifecycle of the interface.

2. The cryptographic device according to claim 1, characterized in that, The interface in the national cryptographic key management module adopts the interface in the national standard specification, and the interfaces in the post-quantum cryptography key management module and the hybrid key management module are designed in accordance with the interface form in the national standard specification.

3. The cryptographic device according to claim 1, characterized in that, The platform service modules include: The file management module is used for full lifecycle management of files in the cryptographic device; The log module is used to record the operating status and operation records of the cryptographic device, and output logs to assist in troubleshooting. The level of detail in the output content is set according to the output level. The self-test module is used to verify the functionality of the cryptographic device using a known answer test method.

4. The cryptographic device according to claim 3, characterized in that, The file management module includes interfaces in national standards and specifications as well as custom interfaces. The interfaces in national standards and specifications are used to ensure compatibility and implement basic functions, while the custom interfaces are used to compensate for the limitations of the interfaces in national standards and specifications and adapt to specific user needs.

5. The cryptographic device according to claim 1, characterized in that, The access control module includes: The operator management module is used to manage the cryptographic devices according to the operator's permissions; The administrator management module is used to manage the cryptographic devices according to administrator privileges; The super administrator management module is used to manage the cryptographic device according to the super administrator's privileges. The operator's privileges are lower than the administrator's privileges, and the administrator's privileges are lower than the super administrator's privileges.

6. The cryptographic device according to any one of claims 1-5, characterized in that, The interface in the cryptographic device is encapsulated twice.

7. The cryptographic device according to any one of claims 1-5, characterized in that, The interface in the cryptographic device will only execute its functions if both the data validity and permissions are verified successfully; if either the data validity or permissions verification fails, an error value will be returned.