A post-quantum cryptographic implementation device for inter-satellite ultra-high-speed secure transmission

By using a post-quantum cryptography implementation device between on-orbit intelligent agents, employing NIST standardized algorithms and FPGA hardware acceleration, and constructing a hybrid encryption pipeline module and LDPC encoding, the problem of traditional post-quantum cryptography algorithms being unable to adapt to spaceborne platforms is solved, achieving ultra-high-speed secure transmission and autonomous scheduling, and is suitable for scenarios such as low-Earth orbit satellite constellations.

CN122179099APending Publication Date: 2026-06-09SHANGHAI UNI SENTRY INTELLIGENT TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHANGHAI UNI SENTRY INTELLIGENT TECH CO LTD
Filing Date
2026-03-20
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing technologies cannot achieve ultra-high-speed secure transmission between on-orbit intelligent agents. Furthermore, traditional post-quantum cryptography algorithms have high computational complexity and high computing power consumption, making them unsuitable for the resource limitations of spaceborne platforms. Moreover, existing solutions cannot balance transmission security and speed, lack on-orbit autonomous scheduling capabilities, and are difficult to adapt to fluctuations in space links.

Method used

Design a post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents. Employ NIST standardized algorithms and FPGA hardware acceleration to construct a hybrid encryption pipeline module. Combine LDPC strong error correction channel coding and link aggregation technology to achieve encryption latency control at the microsecond level. Furthermore, multi-dimensional adaptive regulation is achieved through an on-orbit autonomous scheduling module to adapt to the space environment.

Benefits of technology

It achieves ultra-high-speed secure transmission between on-orbit intelligent agents, combining quantum attack resistance and space environment adaptability. It is suitable for scenarios such as low-Earth orbit satellite constellations, reducing reliance on ground control and improving transmission reliability and security.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122179099A_ABST
    Figure CN122179099A_ABST
Patent Text Reader

Abstract

The application relates to a post-quantum cryptographic implementation device for super-high-speed safe transmission between on-orbit intelligent agents, belonging to the technical field of space communication and information security, which comprises the following modules: an initialization and identity authentication module, a key data transmission module, a mixed encryption pipeline construction module, a link adaptive transmission module, an on-orbit autonomous scheduling and full-process regulation and data interaction module and a data receiving and decryption verification and result data feedback module. The post-quantum cryptographic implementation device for super-high-speed safe transmission between on-orbit intelligent agents is adopted, encryption delay is controlled at the microsecond level, the device has the security against quantum attacks and the space environment adaptability, and is suitable for low-orbit satellite constellations, on-orbit intelligent terminals and the like.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of space communication and information security technology, and specifically relates to a post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents. Background Technology

[0002] With the deep integration of space technology and artificial intelligence, on-orbit intelligent agents have become the core execution units of space platforms such as satellite constellations and space stations. They possess autonomous data acquisition, real-time processing, high-speed transmission, and intelligent decision-making capabilities, and their satellite-to-ground / inter-satellite data transmission rates are gradually increasing to over 10Gbps. The secure transmission of massive amounts of remote sensing data and intelligent decision-making data has become a core necessity for the industry. At the same time, quantum computing technology is rapidly iterating and developing. Traditional mainstream public-key cryptography algorithms such as RSA and ECC are easily cracked by general-purpose quantum computers, posing a serious threat to the long-term security of space data transmission. Post-quantum cryptography (PQC) has become the only core technological path to ensure the long-term security of space communication.

[0003] However, existing technologies have the following shortcomings: post-quantum cryptography algorithms themselves have high computational complexity and high computing power overhead, while on-orbit intelligent agent spacecraft platforms face the objective problem of strict limitations in computing power, power consumption, and size, making conventional post-quantum algorithms unable to directly adapt to the lightweight operation requirements of spacecraft; ultra-high-speed laser communication has extremely high requirements for end-to-end transmission latency, and existing post-quantum cryptography implementation schemes are mostly pure software implementations or low-speed hardware implementations, with encryption processing latency far exceeding the ultra-high-speed transmission threshold, making it impossible to balance transmission security and transmission rate; they mostly rely on centralized ground control and lack on-orbit intelligent autonomous scheduling capabilities, making them unable to adapt to complex space scenarios with space link fluctuations and dynamic changes in computing power, and most schemes have not carried out specific optimizations for ultra-high-speed transmission links, making it difficult to achieve a balance between transmission reliability and security.

[0004] Therefore, a new device is urgently needed. Summary of the Invention

[0005] The purpose of this invention is to provide a post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents. This device controls the encryption delay to the microsecond level, and has both quantum attack resistance and space environment adaptability. It is suitable for scenarios such as low-Earth orbit satellite constellations and on-orbit intelligent terminals.

[0006] To achieve the above objectives, the present invention provides a post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents, comprising: The initialization and authentication, key data transmission module realizes two-way authentication between the ground control station and the on-orbit intelligent agent, parsing and caching of the initial session key and global initialization of the encryption module, and outputs the corresponding status identifier, key information and system data. A hybrid encryption pipeline module is constructed and connected to the initialization and identity authentication, key data transmission module to realize the fragmentation processing of the business data to be transmitted. A pipeline with parallel quantum key negotiation and symmetric encryption is constructed to complete the encryption of business data and output computing power, progress data and encrypted data frames. The link adaptation transmission module is connected to the hybrid encryption pipeline module to realize channel coding and link aggregation of encrypted data frames, complete spatial channel compensation processing, and output channel, transmission quality data and encapsulated encrypted data stream. The on-orbit autonomous scheduling and full-process control data interaction module is connected to the link adaptation and transmission module, receives computing load and transmission quality data and determines the security risk level, performs full-process dynamic control and issues adjustment instructions. The data receiving, decryption verification, and result data feedback module is connected to the on-orbit autonomous scheduling and full-process control data interaction module to realize the decryption of encrypted data streams and data integrity verification, perform abnormal attack monitoring and hierarchical handling, push valid data or output abnormal identification data, and form a full-process data closed loop. The method for implementing the device includes the following steps: S1: The ground control station and the on-orbit intelligent agent complete two-way identity authentication based on the post-quantum signature algorithm. After successful authentication, the agent receives the post-quantum key-encapsulated ciphertext data; parses and caches the initial session key, loads the pre-optimized post-quantum cryptographic algorithm parameters, starts the FPGA hardware acceleration adaptation and writes the algorithm configuration data, and completes the global initialization of the encryption module; outputs the initialization completion status flag and cached session key information, and outputs the initial key data and system ready status data. S2. Receive the initialization completion signal and session key information, buffer the service data to be transmitted and complete the fragmentation according to the ultra-high-speed frame format; use the post-quantum key encapsulation algorithm to negotiate the session key, and simultaneously use the symmetric encryption algorithm to encrypt the fragmented data, constructing a pipeline in parallel for encryption computing and data transmission; output the computing load data and encryption progress data, and output the encrypted data frame at the same time; S3. Perform dedicated channel coding on the encrypted data frame, integrate multiple physical links through link aggregation and encapsulate them into a transmission data stream; collect channel status data in real time, perform Doppler frequency shift and signal attenuation compensation; output the channel status data and transmission quality data, and output the encrypted data stream at the same time; S4. Determine the security risk level based on computing load data, link transmission quality data, and preset security thresholds; issue encryption algorithm parameters and key update frequency instructions to the key management link and encryption processing unit to achieve closed-loop autonomous control of the entire process. S5. Decompose the encrypted data stream into data frames, and decrypt the session key and business data in sequence; perform integrity verification and abnormal attack monitoring on the decrypted data. If the verification passes, output valid business data; if the verification fails, output an abnormal flag and send it back to the ground control station.

[0007] Preferably, in S1, the post-quantum signature algorithm is the NIST-standardized CRYSTALS-Dilithium algorithm, and the post-quantum key encapsulation algorithm is the NIST-standardized CRYSTALS-Kyber algorithm. The two post-quantum algorithms are optimized by pruning redundant parameters, eliminating redundant computational steps that are not suitable for the space operating environment, and loading the onboard parameter set. While retaining 128-bit quantum security strength, the polynomial dimension is reduced, the coefficient bit width is compressed, and unnecessary onboard extended computational branches are eliminated.

[0008] Preferably, in S1, the FPGA hardware acceleration adaptation process integrates the dedicated NTT polynomial multiplication acceleration logic for the CRYSTALS-Kyber algorithm, and adopts multi-threaded parallel operation to split the post-quantum key negotiation and data encryption tasks into multiple independent parallel processing flows. The constant coefficients, original unit roots of the module, and intermediate value pre-calculation tables corresponding to NTT transformation, polynomial multiplication, and modular reduction operations are hardened into the FPGA on-chip RAM register and then call the hardened CRYSTALS-Kyber dedicated NTT acceleration IP and AES-256-GCM symmetric encryption acceleration IP to perform the operation.

[0009] Preferably, in S2, a two-layer separation encryption mechanism is adopted, specifically as follows: The post-quantum CRYSTALS-Kyber algorithm is used for secure encapsulation and distribution of session keys, while the AES-256-GCM symmetric encryption algorithm is used for encryption and decryption of business data. Key negotiation and data encryption are executed asynchronously and in parallel. The session key negotiation process and the business data encryption process are independent of each other, start synchronously and operate in parallel. Key data synchronous retrieval and matching are only completed when the symmetric encryption unit needs to call the session key. Simultaneously, a five-level, non-blocking pipeline is constructed, consisting of data fragmentation, key negotiation, symmetric encryption, channel coding, and link encapsulation. Each stage is configured with a dual-port ping-pong buffer and a dual-encryption core parallel processing unit, and the pipeline processing cycle is adaptively adjusted according to the service data frame length and channel status.

[0010] Preferably, in S3, the link adaptation processing adopts LDPC strong error correction channel coding. Based on real-time acquired channel state data, the LDPC coding rate, modulation scheme, and encryption strength are jointly and adaptively adjusted. Dynamic load balancing of encrypted data frames is implemented for multiple parallel physical link channels, and joint encryption-transmission fault tolerance processing is performed for harsh spatial environments.

[0011] Preferably, S4 also includes an on-orbit autonomous and safe scheduling dual-dimensional adaptive control mode, specifically: The first dimension dynamically switches between full encryption mode and lightweight encryption mode based on the real-time computing power utilization of the on-orbit intelligent agent's CPU and FPGA. The second dimension adaptively adjusts the key update cycle based on link transmission stability and external attack monitoring results. Under normal circumstances, timed key updates are implemented, and emergency forced key updates are triggered immediately when security risks are detected. The third dimension is the business priority dimension, which divides on-orbit business data into three priorities: telemetry and control command level, core remote sensing data level, and routine status information level. Different encryption strengths and transmission strategies are matched for different priority businesses. Simultaneously, a lightweight neural network prediction model with a parameter size of ≤10KB is deployed in orbit. Based on historical operating data, it predicts link fluctuations, computing power peaks and potential attack risks, performs pre-scheduling, and synchronously issues control instructions to the S1 key management link, S2 encryption processing unit, and S3 link encoding and link aggregation unit to achieve joint control of the entire link.

[0012] Preferably, in S1, when the global initialization of the encryption module is completed, the initialization process of the onboard true random number generator TRNG is started synchronously to complete the entropy source verification and randomness detection of the random number sequence; Simultaneously, the on-orbit dynamic reconfiguration channel of the FPGA acceleration core is enabled to complete the reconfiguration firmware verification and remote command receiving channel configuration, supporting on-orbit remote updates of algorithm parameters, security mode, and acceleration core working status.

[0013] Preferably, in S5, the encrypted data stream decomposition, session key decryption, business data symmetric decryption, and data integrity verification adopt a parallel pipeline architecture that matches the encryption end; When the verification unit performs abnormal attack monitoring, it performs graded handling of abnormal events: minor abnormalities trigger rapid retransmission of single frame data, moderate abnormalities trigger emergency key updates and link policy adjustments, and severe abnormalities immediately interrupt the transmission link, initiate link switching, and reset all keys. After the session key is decrypted, the key destruction operation is performed immediately to clear the key cache data, so that the key is not reused for a single session.

[0014] It also includes: a processor, an FPGA hardware acceleration unit, a memory, a spaceborne laser communication interface, a spaceborne TRNG true random number generator, an on-orbit dynamic reconfiguration unit, and an inter-satellite communication interface; the processor is coupled to the memory and is used to read and execute instructions and / or program code in the memory to execute any of the post-quantum cryptography implementation methods described above; the FPGA hardware acceleration unit integrates hardened CRYSTALS-KyberNTT acceleration IP, AES-256-GCM acceleration IP, and LDPC encoding acceleration IP; the spaceborne TRNG true random number generator is coupled to the processor and the key management unit to provide an entropy source for on-orbit key generation; the on-orbit dynamic reconfiguration unit is coupled to the FPGA hardware acceleration unit and supports on-orbit remote updates of algorithm parameters and acceleration core states; the inter-satellite communication interface is coupled to the processor and supports inter-satellite post-quantum secure handshake and key distribution; the spaceborne laser communication interface is coupled to the processor and the FPGA hardware acceleration unit and is used for the transmission of ultra-high-speed encrypted data streams between space and ground / inter-satellite.

[0015] The present invention also discloses a computer-readable medium storing computer program code, which, when executed on a computer, causes the computer to perform any of the post-quantum cryptography implementation methods described above; the computer-readable medium also stores spaceborne dedicated minimal parameter set configuration data, lightweight AI prediction model parameters, link adaptive coding and modulation configuration table, service priority classification rule data, and preset security threshold configuration data.

[0016] Therefore, the present invention employs the above-mentioned post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents. Compared with the prior art, the technical solution of the present invention has the following beneficial effects: (1) The initialization and identity authentication and key data transmission module adopts the NIST standardized quantum algorithm and two-layer encryption architecture, combined with hash integrity verification, which can resist quantum computing attacks, meet the satellite lifespan security requirements, and prevent traditional network attacks such as data tampering and replay attacks. (2) The hybrid encryption pipeline module adopts FPGA hardware acceleration, NTT polynomial fast multiplication, encryption computing and data transmission parallel pipeline and link aggregation technology, which can break through the computing power bottleneck of post-quantum algorithm, accurately control encryption delay, and realize ultra-high speed data transmission to meet the real-time transmission needs of massive data of on-orbit intelligent agents. (3) Initialization and identity authentication, key data transmission module. In view of the limited spaceborne resources, the core parameters of the post-quantum cryptography algorithm are pre-optimized and firmware is trimmed. Adaptation parameters are set based on the polynomial ring formula, which can take into account the quantum security strength and the computing power overhead of the spaceborne FPGA, and is compatible with existing spaceborne hardware and traditional space communication protocols, thus improving backward compatibility and engineering deployment convenience. (4) The on-orbit autonomous scheduling and full-process control data interaction module adopts an AI-driven multi-dimensional adaptive scheduling strategy. It dynamically adjusts the operation mode according to computing load, link quality and security risks, which can realize on-orbit autonomous safety control, reduce dependence on ground control and improve the overall robustness of the space system. (5) The link adaptation transmission module adopts LDPC strong error correction coding, link aggregation technology and Doppler frequency shift and signal attenuation real-time compensation mechanism, which can realize efficient integration of multiple links, improve the reliability and stability of ultra-high speed transmission links, and adapt to the harsh channel environment of inter-satellite / satellite-to-ground laser communication.

[0017] The technical solution of the present invention will be further described in detail below with reference to the accompanying drawings and embodiments. Attached Figure Description

[0018] Figure 1 This is a flowchart illustrating an embodiment of a post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents according to the present invention. Detailed Implementation

[0019] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention. Unless otherwise defined, the technical or scientific terms used in the present invention should have the ordinary meaning understood by those skilled in the art.

[0020] Example 1 like Figure 1 As shown, this embodiment provides a post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents. It should be understood that the specific parameters, models and protocols mentioned in this embodiment are merely examples to help those skilled in the art understand the present invention, and are not intended to limit the present invention.

[0021] This embodiment provides a post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents, applied to the scenario of on-orbit intelligent agents on a single low-Earth orbit satellite. The on-board hardware is equipped with a dedicated FPGA acceleration chip and an on-board laser communication module, while the ground end is equipped with a control station and a high-speed data receiving device. The post-quantum algorithm uses the NIST standardized CRYSTALS-Kyber algorithm (key encapsulation) and CRYSTALS-Dilithium algorithm (signature), the symmetric encryption algorithm uses AES-256-GCM, and the data integrity verification uses the SM3 hash algorithm.

[0022] This embodiment, based on the core requirements of limited on-orbit intelligent agent resources and ultra-high-speed transmission with low latency, defines a spaceborne scenario-adaptive definition for the core mathematical model of the post-quantum algorithm. The fundamental formula of the core polynomial ring is: ; In the formula, For model a polynomial ring; To fix the prime modulus, It balances quantum security strength with onboard FPGA computing power overhead; For the indeterminate elements of the polynomial; Let be the order of the polynomial. Adapted for fast parallel computing on FPGAs; For model Ring of integers; It is a cycloid polynomial used to define the boundaries of polynomial operations.

[0023] The implementation method of the post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents according to the present invention includes the following steps: S1. The ground control station pre-generates a quantum public-private key pair and transmits the public key data to the on-orbit intelligent agent's onboard communication receiving unit via a ground-based secure telemetry and control link. After the communication receiving unit completes the public key data parsing, it caches the public key data in the onboard dedicated key storage area. After the on-orbit intelligent agent is powered on and initialized, the key management unit retrieves the local public key data from the key storage area and completes two-way authentication with the ground control station using the CRYSTALS-Dilithium algorithm to prevent unauthorized devices from accessing the system.

[0024] After successful authentication, the ground control station transmits the key-encapsulated ciphertext CT to the on-orbit agent. The on-orbit agent then uses the CRYSTALS-Kyber algorithm standard decapsulation process to generate the initial session key. The core key decapsulation formula is as follows: ; In the formula, To parse the generated 128-bit security strength session key; This is a post-quantum key decapsulation function; Post-quantum private keys stored locally for on-orbit intelligent agents; Key-encrypted data transmitted to the ground control station; It is an abbreviation for Key Encapsulation Mechanism; For decapsulation operation; The generated session key SK is synchronously cached in the onboard high-speed key cache area. The on-orbit agent loads the trimmed and optimized algorithm firmware data, writes the algorithm configuration parameters into the FPGA dedicated register, starts the FPGA built-in NTT acceleration core, and completes the full process initialization of the encryption module. The initialization process of the onboard true random number generator TRNG is started simultaneously to complete the entropy source verification and randomness detection of the random number sequence, providing a compliant entropy source for subsequent key updates. The on-orbit dynamic reconfiguration channel of the FPGA acceleration core is enabled to complete the reconfiguration firmware verification and remote command receiving channel configuration. The initialization completion status flag and cached session key information are output to S2, while the initial key data and system ready status data are output to S4. S2. After receiving the initialization completion signal and session key preparation information output by S1, the data acquisition unit of the on-orbit intelligent agent transmits remote sensing monitoring, equipment status and other business data to the on-board high-speed data buffer in real time. The buffer completes the business data fragmentation processing according to the preset ultra-high-speed transmission frame format and transmits the fragmented business data to be encrypted synchronously to the FPGA encryption processing unit. The encryption processing unit synchronously initiates dual-process parallel data processing, namely, session key negotiation and business data encryption start simultaneously and operate independently, without waiting for each other or having any sequential dependency. Key retrieval is only performed synchronously when needed during the encryption phase, thus achieving asynchronous operation without waiting. Specifically: The CRYSTALS-Kyber algorithm utilizes number-theoretic transformations (NTTs) to achieve fast polynomial multiplication. The core NTT forward transformation formula is as follows: ; In the formula, For the frequency domain Polynomial coefficients; These are the coefficients of the primitive polynomial in the time domain; For model Primal root of unit (NIST Kyber standard value); The subscript for the polynomial coefficients represents the range of values. ; Real-time encryption of business data is performed synchronously via AES-256-GCM, directly using the negotiated session key for high-speed encryption, forming a three-stage pipeline of key negotiation, data encryption, and link transmission; the total pipeline delay is calculated as follows: ; In the formula, This represents the total encryption latency of a single-frame data pipeline. Delay for post-quantum key negotiation; Delay for AES-256-GCM encryption; The time consumed by the asynchronous parallel overlap of the two processes; This pipeline architecture completely eliminates the superposition of computational latency, stably controls the single-frame data encryption latency to within 5 microseconds, and completes the data transmission of the entire business data encryption process. Output real-time computing load data and encryption progress data to S4, and output the processed encrypted data frame to S3. S3 receives the encrypted service data frame output by S2, and performs LDPC strong error correction coding and interleaving optimization on the data frame. The LDPC strong error correction channel coding is a low-density parity-check linear block error correction coding system. An efficient check system is built using a sparse check matrix, and spatial channel adaptation parameters are specifically optimized to balance error correction performance and coding overhead, effectively resisting transmission losses caused by spatial noise and signal attenuation. The encoded data is then aggregated from multiple physical links and encapsulated into an ultra-high-speed data stream, achieving concurrent transmission speeds of over 10Gbps. The formula for calculating the total bandwidth of the multi-link aggregation is: ; In the formula, This represents the effective total bandwidth after multi-link aggregation. The total number of physical laser links carried by the spacecraft; For the first The standard bandwidth of a single physical laser link; To improve link aggregation efficiency, in this embodiment... ; During transmission, channel status data is collected in real time, Doppler frequency shift and signal attenuation compensation are completed, and channel status and transmission quality data are output to S4 simultaneously, while the encapsulated encrypted data stream is output to S5. S4 receives the initial key data and system ready status data output by S1, the encryption computing load data output by S2, and the link transmission quality data output by S3, respectively. Combined with the preset security threshold, it determines the external risk level and performs multi-dimensional dynamic control. In this embodiment, the preset security threshold includes three core judgment dimensions: 1. Computing power load threshold: FPGA computing power utilization rate ≥ 85% triggers lightweight encryption mode switching; 2. Link Bit Error Rate Threshold: Link Bit Error Rate Triggering adjustments to the coding rate and modulation scheme; 3. Abnormal attack frequency threshold: If 3 or more unauthorized access or data tampering events are detected within 1 minute, an emergency key update will be triggered.

[0025] Based on the computing power usage, an encryption mode switching instruction is issued to the S2 encryption processing unit; based on the link and security status, a key update cycle and emergency update instruction are issued to the S1 key management link, forming a complete control closed loop of "data feedback - risk assessment - instruction issuance - process adjustment". It can achieve autonomous adaptation without ground intervention and ensure stable operation of the entire process. The first dimension of regulation involves transmitting full encryption or lightweight encryption mode instructions to the FPGA encryption unit based on the onboard FPGA computing power utilization rate and system load data, dynamically switching encryption operation strategies to adapt to the dynamic changes of onboard computing resources, and maximizing the utilization of onboard computing power while ensuring security. The second dimension of control involves transmitting the key update cycle and emergency update instructions to the key management unit based on the link status and security monitoring data. Under normal circumstances, a timed update instruction is issued every 30 minutes. When a security risk is detected, an emergency forced update instruction is issued immediately. At the same time, abnormal status data is uploaded to the ground control station to complete the entire process of control data distribution and status data feedback in the scheduling process. The third dimension of regulation, based on business priorities, adopts a fixed full encryption mode for measurement and control command-level data, an adaptive encryption mode for core remote sensing data, and a lightweight encryption mode for routine status information data, thereby achieving optimal resource allocation.

[0026] S5: The ground control station receives the encrypted data stream output by S3, decomposes it into standard data frames, and sends them to the decryption unit; it uses the decapsulation logic of S1 to complete the session key decryption, and the decryption parameters are completely consistent with the logic and encryption steps without deviation; it decrypts the service data in reverse using AES-256-GCM, and completes the integrity verification through the SM3 hash algorithm to check for tampering and replay attacks. When the verification unit performs abnormal attack monitoring, it performs graded handling of abnormal events: minor anomalies (single frame data verification failure, bit error rate not exceeding the standard) trigger rapid retransmission of single frame data; moderate anomalies (verification failure of 3 or more consecutive frames, link bit error rate exceeding the standard) trigger emergency key update and link policy adjustment; severe anomalies (detection of illegal key access, batch data tampering) immediately interrupt the transmission link, initiate link switching and full key reset.

[0027] Upon successful verification, valid data is pushed to the business unit. If verification fails, an anomaly flag is generated, output to S4, and simultaneously transmitted back to the ground control station, immediately initiating the corresponding tiered handling process and forming a closed-loop data flow. After the session key is decrypted and used, a key destruction operation is performed immediately to clear the key cache data, ensuring that the key is not reused for a single session and guaranteeing forward security.

[0028] Example 2 This embodiment is an optimized and upgraded version of Embodiment 1, applied to the scenario of on-orbit intelligent agents in a large-scale low-Earth orbit satellite constellation. Based on Embodiment 1, the onboard hardware adds an onboard TRNG module, a multi-channel inter-satellite laser communication link, and an FPGA dynamic reconfiguration unit. The post-quantum algorithm adopts a dedicated onboard minimal parameter set, and the symmetric encryption, channel coding, and verification algorithms are fully compatible with Embodiment 1, allowing for seamless integration with Embodiment 1.

[0029] The core optimization parameters and implementation process of this embodiment are as follows: The CRYSTALS-Kyber algorithm employs a dedicated, minimal parameter set for spaceborne applications, is based on the Kyber-512 security level, retains the core polynomial ring parameters (n=256, q=3329) unchanged, and eliminates the extended key derivation function, multi-user key sharing branch, and side-channel protection redundant extended branch, thereby compressing the algorithm firmware size and reducing the computational overhead of a single key encapsulation operation. The constant coefficients, primitive roots of unity, and modulus reduction intermediate value pre-calculation tables for the NTT transform core operations are pre-generated and embedded in the FPGA's on-chip BlockRAM, further reducing the latency of a single NTT transform operation.

[0030] Employing a five-level, end-to-end non-blocking pipeline architecture encompassing data fragmentation, key negotiation, symmetric encryption, channel coding, and link encapsulation, and configured with dual encryption cores and dual-port ping-pong buffers, the total latency for single-frame data encryption processing is optimized to: ; In the formula, To optimize the total encryption latency of a single frame of data; Delay for LDPC encoding; Delay for key encapsulation; The time consumed by the parallel overlap of the five-stage pipeline; This is a function to find the maximum value. In this embodiment, Ultimately, the total encryption latency of a single frame of data is stably controlled within 1.7μs, supporting ultra-high-speed service data transmission at 50Gbps.

[0031] A two-layer fully connected lightweight neural network prediction model is deployed in orbit. The input features have eight dimensions (including real-time computing power utilization, link error rate, signal attenuation, Doppler shift, service data volume, remaining key update time, frequency of abnormal events, and on-orbit ambient temperature). The output features have three dimensions (encryption mode switching instruction, key update cycle adjustment instruction, and link coding and modulation strategy adjustment instruction). The total number of model parameters is 8KB, the inference latency is ≤0.8ms, and the FPGA logic resource usage is ≤0.8%. The model is trained offline based on historical operating data and performs real-time inference during on-orbit operation. It predicts link fluctuations, computing power peaks, and potential attack risks, performs pre-scheduling, and achieves joint control of the entire link.

[0032] Business priority is divided into three levels: measurement and control command level (highest priority, fixed full encryption), core remote sensing data level (medium priority, adaptive encryption), and routine status information level (low priority, lightweight encryption), thereby improving resource utilization and reducing system power consumption.

[0033] The LDPC coding rate supports adaptive switching between four levels: 1 / 2, 2 / 3, 3 / 4, and 5 / 6. The modulation scheme supports adaptive switching between four levels: QPSK, 8PSK, 16QAM, and 64QAM. After aggregation of four 10Gbps laser links, the effective total bandwidth is ≥39.2Gbps, and the link aggregation efficiency is [not specified]. .

[0034] The inter-satellite quantum fast secure handshake adopts a two-interaction process, with a complete handshake latency of ≤8ms. The constellation distributed key pool supports key synchronization and backup for more than 100 satellite nodes, with key anomaly recovery time of ≤100ms and zero service interruption time during encrypted context hot migration.

[0035] A single-session key forward confidentiality mechanism is adopted, and the session key is destroyed immediately after use, with no key reuse or residue; the random number sequence generated by the onboard TRNG module passes the NISTSP800-22 full-item randomness test, meeting the security requirements for on-orbit key generation.

[0036] Therefore, the present invention employs the above-mentioned post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents. This device controls the encryption delay to the microsecond level, combining quantum attack resistance security with space environment adaptability, and is suitable for scenarios such as low-orbit satellite constellations and on-orbit intelligent terminals.

[0037] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0038] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the technical solutions of the present invention, and these modifications or equivalent substitutions cannot cause the modified technical solutions to deviate from the spirit and scope of the technical solutions of the present invention.

Claims

1. A post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents, characterized in that, include: The initialization and authentication, key data transmission module realizes two-way authentication between the ground control station and the on-orbit intelligent agent, parsing and caching of the initial session key and global initialization of the encryption module, and outputs the corresponding status identifier, key information and system data. A hybrid encryption pipeline module is constructed and connected to the initialization and identity authentication, key data transmission module to realize the fragmentation processing of the business data to be transmitted. A pipeline with parallel quantum key negotiation and symmetric encryption is constructed to complete the encryption of business data and output computing power, progress data and encrypted data frames. The link adaptation transmission module is connected to the hybrid encryption pipeline module to realize channel coding and link aggregation of encrypted data frames, complete spatial channel compensation processing, and output channel, transmission quality data and encapsulated encrypted data stream. The on-orbit autonomous scheduling and full-process control data interaction module is connected to the link adaptation and transmission module, receives computing load and transmission quality data and determines the security risk level, performs full-process dynamic control and issues adjustment instructions. The data receiving, decryption verification, and result data feedback module is connected to the on-orbit autonomous scheduling and full-process control data interaction module to realize the decryption of encrypted data streams and data integrity verification, perform abnormal attack monitoring and hierarchical handling, push valid data or output abnormal identification data, and form a full-process data closed loop. The method for implementing the device includes the following steps: S1: The ground control station and the on-orbit intelligent agent complete two-way identity authentication based on the post-quantum signature algorithm. After successful authentication, the agent receives the post-quantum key-encapsulated ciphertext data; parses and caches the initial session key, loads the pre-optimized post-quantum cryptographic algorithm parameters, starts the FPGA hardware acceleration adaptation and writes the algorithm configuration data, and completes the global initialization of the encryption module; outputs the initialization completion status flag and cached session key information, and outputs the initial key data and system ready status data. S2. Receive the initialization completion signal and session key information, buffer the service data to be transmitted and complete the fragmentation according to the ultra-high-speed frame format; use the post-quantum key encapsulation algorithm to negotiate the session key, and simultaneously use the symmetric encryption algorithm to encrypt the fragmented data, constructing a pipeline in parallel for encryption computing and data transmission; output the computing load data and encryption progress data, and output the encrypted data frame at the same time; S3. Perform dedicated channel coding on the encrypted data frame, integrate multiple physical links through link aggregation and encapsulate them into a transmission data stream; collect channel status data in real time, perform Doppler frequency shift and signal attenuation compensation; output the channel status data and transmission quality data, and output the encrypted data stream at the same time; S4. Determine the security risk level based on computing load data, link transmission quality data, and preset security thresholds; issue encryption algorithm parameters and key update frequency instructions to the key management link and encryption processing unit to achieve closed-loop autonomous control of the entire process. S5. Decompose the encrypted data stream into data frames, and decrypt the session key and business data in sequence; perform integrity verification and abnormal attack monitoring on the decrypted data. If the verification passes, output valid business data; if the verification fails, output an abnormal flag and send it back to the ground control station.

2. The post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents according to claim 1, characterized in that, In S1, the post-quantum signature algorithm is the NIST-standardized CRYSTALS-Dilithium algorithm, and the post-quantum key encapsulation algorithm is the NIST-standardized CRYSTALS-Kyber algorithm. The two post-quantum algorithms are optimized by pruning redundant parameters, eliminating redundant computational steps that are not suitable for the space operating environment, and loading the onboard parameter set. While retaining 128-bit quantum security strength, the polynomial dimension is reduced, the coefficient bit width is compressed, and unnecessary onboard extended computational branches are eliminated.

3. The post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents according to claim 2, characterized in that, In S1, the FPGA hardware acceleration adaptation process integrates the dedicated NTT polynomial multiplication acceleration logic of the CRYSTALS-Kyber algorithm, and adopts multi-threaded parallel operation to split the post-quantum key negotiation and data encryption tasks into multiple independent parallel processing processes. The constant coefficients, original unit roots of the module, and intermediate value pre-calculation tables corresponding to NTT transformation, polynomial multiplication, and modular reduction operations are hardened into the FPGA on-chip RAM register and then call the hardened CRYSTALS-Kyber dedicated NTT acceleration IP and AES-256-GCM symmetric encryption acceleration IP to perform the operation.

4. The post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents according to claim 3, characterized in that, S2 employs a two-layer separation encryption mechanism, specifically: The post-quantum CRYSTALS-Kyber algorithm is used for secure encapsulation and distribution of session keys, while the AES-256-GCM symmetric encryption algorithm is used for encryption and decryption of business data. Key negotiation and data encryption are executed asynchronously and in parallel. The session key negotiation process and the business data encryption process are independent of each other, start synchronously and operate in parallel. Key data synchronous retrieval and matching are only completed when the symmetric encryption unit needs to call the session key. Simultaneously, a five-level, non-blocking pipeline is constructed, consisting of data fragmentation, key negotiation, symmetric encryption, channel coding, and link encapsulation. Each stage is configured with a dual-port ping-pong buffer and a dual-encryption core parallel processing unit, and the pipeline processing cycle is adaptively adjusted according to the service data frame length and channel status.

5. The post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents according to claim 4, characterized in that, In S3, the link adaptation process adopts LDPC strong error correction channel coding. Based on real-time acquired channel state data, the LDPC coding rate, modulation scheme, and encryption strength are jointly and adaptively adjusted. Dynamic load balancing of encrypted data frames is implemented for multiple parallel physical link channels, and joint encryption-transmission fault tolerance processing is performed for harsh spatial environments.

6. The post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents according to claim 5, characterized in that, S4 also includes an on-orbit autonomous and safe scheduling mode with a two-dimensional adaptive control mechanism, specifically: The first dimension dynamically switches between full encryption mode and lightweight encryption mode based on the real-time computing power utilization of the on-orbit intelligent agent's CPU and FPGA. The second dimension adaptively adjusts the key update cycle based on link transmission stability and external attack monitoring results. Under normal circumstances, timed key updates are implemented, and emergency forced key updates are triggered immediately when security risks are detected. The third dimension is the business priority dimension, which divides on-orbit business data into three priorities: telemetry and control command level, core remote sensing data level, and routine status information level. Different encryption strengths and transmission strategies are matched for different priority businesses. Simultaneously, a lightweight neural network prediction model with a parameter size of ≤10KB is deployed in orbit. Based on historical operating data, it predicts link fluctuations, computing power peaks and potential attack risks, performs pre-scheduling, and synchronously issues control instructions to the S1 key management link, S2 encryption processing unit, and S3 link encoding and link aggregation unit to achieve joint control of the entire link.

7. The post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents according to claim 2, characterized in that, In S1, when the global initialization of the encryption module is completed, the initialization process of the onboard true random number generator TRNG is started synchronously to complete the entropy source verification and randomness detection of the random number sequence. Simultaneously, the on-orbit dynamic reconfiguration channel of the FPGA acceleration core is enabled to complete the reconfiguration firmware verification and remote command receiving channel configuration, supporting on-orbit remote updates of algorithm parameters, security mode, and acceleration core working status.

8. The post-quantum cryptography implementation device for ultra-high-speed secure transmission between on-orbit intelligent agents according to claim 1, characterized in that, In S5, encrypted data stream decomposition, session key decryption, business data symmetric decryption, and data integrity verification adopt a parallel pipeline architecture that matches the encryption end. When the verification unit performs abnormal attack monitoring, it performs graded handling of abnormal events: minor abnormalities trigger rapid retransmission of single frame data, moderate abnormalities trigger emergency key updates and link policy adjustments, and severe abnormalities immediately interrupt the transmission link, initiate link switching, and reset all keys. After the session key is decrypted, the key destruction operation is performed immediately to clear the key cache data, so that the key is not reused for a single session.