Modular lattice-based key exchange method, device and storage medium
By using a modular lattice-based key exchange method to generate random number seeds and compressed public keys, and by utilizing recovery functions and signal values and introducing verification tags, the problem that existing technologies cannot resist quantum computer attacks is solved. This achieves high-security and low-failure-probability key exchange, which is suitable for scenarios such as TLS/SSL handshakes, VPNs, and IoT.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- XIAN JIAOTONG LIVERPOOL UNIV
- Filing Date
- 2026-04-07
- Publication Date
- 2026-07-10
AI Technical Summary
Existing key exchange protocols and key encapsulation mechanisms cannot withstand quantum computer attacks and are difficult to replace in scenarios such as TLS/SSL handshakes, VPNs, and resource-constrained IoT, lacking forward security and single key control.
A modular lattice-based key exchange method is adopted. By generating a random number seed and a compressed public key, a recovery function is used to calculate a temporary key. Signal values and verification tags are introduced to ensure data randomness and security. A hash function is used for consistency verification to reduce the probability of failure and improve security.
It significantly reduces the probability of key exchange failure, improves security, ensures data randomness and tamper resistance, and is suitable for scenarios such as TLS/SSL handshake, VPN, and IoT in quantum computing environments.
Smart Images

Figure CN122372191A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of cryptography technology and relates to a key exchange method, apparatus and storage medium based on modular lattice, referred to as a Ding's key exchange method, apparatus and storage medium based on modular lattice. Background Technology
[0002] Before two parties needing to communicate encryptedly can begin communicating through public channels (such as radio, the internet, etc.), they need to generate and share a key. This key is shared only between the two parties and kept secret from third parties. Then, this key and a symmetric encryption algorithm such as AES are used to encrypt the communication content before transmission. Currently, there are two implementation methods: Key Exchange Protocol (KEP) and Key Encapsulation Mechanism (KEM).
[0003] The basic operating mode of a key exchange protocol is that each party generates its own secret data, then uses public parameters to convert the secret data into publicly available data, exchanges their public data with each other, and then uses the other party's public data and their own secret data to calculate the same data as the key through some mathematical operation.
[0004] The currently widely used key exchange protocol is the Diffie-Hellman key exchange protocol, which is widely used in TLS / SSL handshakes, VPNs, and resource-constrained IoT scenarios, while key encapsulation mechanisms are widely used in other scenarios. However, neither the currently widely used traditional key exchange protocol nor the traditional key encapsulation mechanism can withstand quantum computers. With the rapid development of quantum computers, both need to be upgraded to quantum-resistant ones. A quantum-resistant key encapsulation mechanism has been standardized by NIST (NIST FIPS 203 ML-KEM) in 2024, while a quantum-resistant key exchange protocol has not yet been standardized. However, the standardized quantum-resistant key encapsulation mechanism cannot directly replace the currently used key exchange protocol for the following reasons:
[0005] Due to different application scenarios, the key encapsulation mechanism is difficult to directly replace the currently widely used Diffie-Hellman key exchange protocol in scenarios such as TLS / SSL handshake, VPN, and resource-constrained IoT.
[0006] Key exchange protocols offer several irreplaceable advantages over key encapsulation mechanisms: each session uses a single key, providing perfect forward security, while key encapsulation mechanisms lack forward security (unless also treated as one-time use); once the private key is leaked, all historical keys will be decrypted. Furthermore, keys in key exchange protocols are generated through mutual negotiation, while keys in key encapsulation mechanisms are generated by one party and then encapsulated before being transmitted to the other, meaning single control over the key is maintained.
[0007] Therefore, even though there are already standards for quantum-resistant key encapsulation mechanisms, there is still a pressing need for a key exchange based on modular lattices. Summary of the Invention
[0008] To address the aforementioned issues, this invention provides a key exchange method based on modular grids, which significantly reduces the failure probability while enhancing security.
[0009] A second objective of the present invention is to provide a key exchange device based on a modular grid.
[0010] A third objective of this invention is to provide a computer-readable storage medium.
[0011] The technical solution adopted in this invention is a key exchange method based on a modular grid, comprising the following steps:
[0012] S1: Party A generates a random number seed, then obtains a compressed public key, and sends the compressed public key and the random number seed to Party B;
[0013] S2: Party B obtains a compressed public key based on the received random number seed. Party B uses a recovery function to recover data from the received compressed public key of Party A and calculates a temporary key. The temporary key is processed by a segmented signal function to obtain a signal value. The signal value is used to coordinate the temporary key to obtain a temporary key shared by both parties. Party B generates a verification tag based on the temporary key shared by both parties, Party B's compressed public key, and the signal value. The temporary key and the verification tag are used as input to derive the final key.
[0014] S3: Party A recovers data from Party B's compressed public key using a parity-preserving recovery function and calculates a temporary key. It then uses a signal value to coordinate the temporary key, obtaining a shared temporary key. Party A recalculates the verification tag based on its locally calculated shared temporary key, the received compressed public key from Party B, and the signal value, comparing it with the received verification tag. Only if the tags match successfully, Party A uses the temporary key and verification tag as input to derive a final key identical to Party B's, employing the same method. This ensures data randomness and detects tampering with the data received by Party A, thus achieving higher security.
[0015] Furthermore, in step S1, the method for obtaining the compressed public key is as follows: a public parameter matrix is generated based on the random number seed, a temporary private key vector and an error vector are generated through random sampling, then a temporary public key is calculated, and finally a compressed public key is obtained using a compression function that maintains parity.
[0016] The common parameter matrix is a polynomial ring. On matrix The elements in the temporary private key vector and the error vector are all Small polynomials in.
[0017] in, , Represents the modulus of an integer The ring, It is an odd prime number. express The elements in the expression, where n is the degree of the polynomial;
[0018] The compressed public key mentioned by Party A Among them, A's temporary public key , The temporary private key vector generated for party A. The error vector generated for A.
[0019] Further, in step S2, the method for obtaining the compressed public key is as follows: Based on the received random number seed, a public parameter matrix identical to that of party A is generated; a temporary private key vector and an error vector are generated through random sampling; then, a temporary public key is calculated; and finally, a compression function that maintains parity is used to obtain the compressed public key; the elements in the temporary private key vector and the error vector are all... The small polynomial in the formula. The compressed public key described by Party B. Among them, the temporary public key of party B , The temporary private key vector generated for Party B. The error vector generated for B.
[0020] Furthermore, in step S2, Party B calculates the temporary key. ,or ,in, Compress the public key for Party A The recovered data; For B's random sampling error, ;
[0021] In step S3, Party A calculates the temporary key. ,or ,in, Compress the public key for Party B The recovered data; Let A be the random sampling error. To further enhance security.
[0022] Furthermore, the steps for acquiring and coordinating the signal values include:
[0023] mold Integer ring Divided into Sub-intervals, Integers greater than zero;
[0024] Construct the segmented signal function :right elements in First from Random sampling was obtained ,if In the In each subinterval, then define The signal value is , ;
[0025] Construct the coordination function after partitioning Based on the received signal value Determine the sub-interval in which the input value is located. If it is located in the reference sub-interval, directly modulo 2 to obtain the coordinated bit value; if it is not located in the reference sub-interval, rotate the value to the reference sub-interval by subtracting the offset, and then perform modulo 2 operation to obtain the coordinated bit value.
[0026] Among them, when As the value increases, the tolerance of the coordination function decreases from... Approaching That is, the coordination function can tolerate a larger error, thus allowing a larger sampling range during random sampling, which can significantly reduce the probability of failure.
[0027] Furthermore, in step S2, the specific method for generating the verification tag is as follows: a hash function is used to perform a hash operation, and the input data for the hash operation includes the temporary key shared by both parties calculated by Party B, and optionally includes Party B's compressed public key, signal value, or other data.
[0028] Furthermore, in steps S2 and S3, the method for deriving the final key is as follows: using a key derivation function or a hash function, a calculation is performed on a combination containing at least the following data: the coordinated parties share a temporary key and a verification tag.
[0029] Furthermore, step S3 also includes the following steps: when the verification tag recalculated by Party A is inconsistent with the received verification tag, Party A still calculates a pseudo-random final key, but verifies its validity when the subsequent upper-layer protocol uses the key.
[0030] A modular lattice-based key exchange device includes an initiator device and a responder device. Both the initiator device and the responder device are equipped with a processor and a memory. The memory stores a computer program, and the processor executes the computer program to implement the aforementioned modular lattice-based key exchange method.
[0031] A computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the aforementioned module-based key exchange method.
[0032] The beneficial effects of this invention are:
[0033] 1. This invention significantly reduces the failure probability by segmenting the signal. The method includes first segmenting the signal into intervals... Divided into Then construct the corresponding signal function for each sub-interval. and coordination function The purpose of this method is to, when As the value increases, the tolerance error value decreases from... Approaching That is, the coordination function can tolerate a larger error, thus allowing a larger sampling range during random sampling, which can significantly reduce the probability of failure.
[0034] 2. This invention achieves higher security by introducing a verification tag composed of a shared key and the hash of the ciphertext, performing consistency checks, and deriving the final key based on the shared key and ciphertext. This ensures data randomness and detects any tampering of data received by Party A. Verification Tag Composed of the shared key between the two parties, B's public key, and the hash of the signal, it ensures that when A receives the encrypted data... , and In case of any tampering, or if both parties share a key and Inconsistencies are always detectable, and the most lightweight cryptographic primitive, hash functions, are used to ensure efficiency. Party B's public key and signal are generated based on random secret data, making them random as well. This results in random check tags, and the final key depends on these random check tags. This prevents attackers from obtaining any information about the shared key from the protocol's output, thus achieving higher security. Attached Figure Description
[0035] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0036] Figure 1 This is a flowchart of the first part of the key exchange method based on a modular grid according to an embodiment of the present invention.
[0037] Figure 2 This is a flowchart of the second part of the key exchange method based on a modular grid according to an embodiment of the present invention. Detailed Implementation
[0038] The technical solutions of the present invention will be clearly and completely described below with reference to the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of the present invention.
[0039] The existing quantum-resistant key exchange protocol is Ding Key Exchange. However, it does not meet the requirements for ciphertext tamper-proof security. This invention is a new quantum-resistant key exchange protocol that is further improved based on the existing Ding Key Exchange, and it solves some of its shortcomings. Before describing the key exchange protocol of this invention in detail, the existing Ding Key Exchange protocol (standard proposal: Ding Key Exchange, NIST submission 2017) is described in detail below.
[0040] The design of Ding's key exchange protocol is primarily based on the following observation: The communicating parties A and B share a public key exchange protocol. Matrix M, A chooses the secret 3D column vector Calculate the product It is then sent to Party B, who chooses to keep it secret. 3D column vector Calculate the product The vector is then sent to A (the T in the upper right corner indicates vector transpose), and then A calculates the product. B calculates Then both sides will get the same value, that is, both will be 0. However, this simple solution is insecure, as the secret vector for each side can be calculated simply by solving the system of equations using linear algebra.
[0041] To ensure the security of the scheme, each party can add a secret, very small error vector. That is, what party A sends to party B is What B sent to A was Then the plan becomes safe, meaning it can no longer rely solely on... and Recover Because this has been proven to be a difficult problem. However, the problem lies in the value obtained by A. The value obtained by B The difference is no longer the same, but a small margin of error. To eliminate this error, both parties can multiply it by 2, meaning that what party A sends to party B is... What B sent to A was Thus, the value obtained by A The value obtained by B Although different, the difference It is a multiple of 2. If the operation is performed on integers, then modulo 2 will eliminate error terms, resulting in the same value—either both 0 or both 1. However, since all numerical values and operations are performed modulo 2, the error term will be eliminated, resulting in the same value: either both 0 or both 1. ring The above number multiplied by 2 is not necessarily an even number, because the modulus... The result might be an odd number after the operation. For example, 2 multiplied by 2 and then modulo 3 equals 1. Therefore, such a simple solution cannot guarantee that both sides get the same value, and thus it is not feasible.
[0042] The Ding's key exchange protocol proposes a method to solve this problem. Its core is that B sends an additional signal to A, indicating... Is it included in the interval? Within this range, both parties can coordinate to obtain the same value based on the signal. If so, then as long as the error is controlled within a sufficiently small range so that the parity remains unchanged after modulo q, that is, the error... There will be Thus, model The value remains unchanged, so it can be treated as an integer, and the error can be eliminated by modulo 2. If not, then... Add all This model back It then rotated to the interval Therefore, the aforementioned methods can be used to eliminate errors. In addition, the Ding's key exchange protocol also introduces data compression to reduce the amount of data transmitted, and checks parity during data compression and recovery; if the parity changes, it is maintained by incrementing by 1. Furthermore, parity introduces a certain statistical bias, so methods are also employed to eliminate this bias.
[0043] Describe some necessary symbol definitions. (Use...) Describe an odd prime number. Represents the modulus of an integer A ring, whose elements are represented as Sometimes it is also expressed as According to the model The periodicity, The elements can be viewed as arranged on a circle, with the first and last elements connected. The basic version of the Ding's key exchange protocol is... It is constructed, but it has the drawback of having a very large public and private key size. The optimized version is constructed on a polynomial ring, which can significantly reduce the size of the public and private keys. This description only covers the version on the polynomial ring. express polynomial module on A polynomial ring whose elements are polynomials of degree no more than n-1, and whose coefficients are... The elements in the set. For a real number , This indicates rounding down, meaning not greater than or equal to the nearest integer. The largest integer, This indicates rounding up, meaning not less than the nearest integer. The smallest integer. Next, some core functions introduced in the Ding's key exchange protocol are described:
[0044] signal function :right elements in First from Random sampling was obtained (Right now There is a 50% probability that it will be 0 or 1), if In the interval In the middle, the definition The signal is ,otherwise A signal of 0 indicates that the interval is... In this context, a signal value of 1 indicates "not," and the purpose of random sampling here is to eliminate statistical bias in the signal function. The signal function can be naturally extended to... Above, that is, applying a signal function to each coefficient of the polynomial.
[0045] Coordination function According to the signal Bundle elements in Mapped to 0 or 1 according to formula (1):
[0046] (1)
[0047] If the signal is 0, it means that it is located in the interval. Inside, then directly Modulo 2 results in 0 or 1 (if) If the number is even, the value is 0; otherwise, it is 1. If the signal is 1, it means the number is not in the interval. Inside, then minus After (its function is to rotate to the interval) Then modulo 2. Formula (1) is expressed as first modulo 2. Then modulo 2. The coordination function can be naturally extended to... Above, that is, applying a coordination function to each coefficient of the polynomial.
[0048] Compression functions that preserve parity : It is less than integers, compression functions elements in Compressed into The elements in the array are kept parity unchanged in order to reduce the amount of data transmitted. Specifically, the definition is to first set the parity of the elements in the array to remain unchanged. After scaling down proportionally, round down to the nearest whole number. Next, check the parity. If the parity is different, add 1 to keep the parity unchanged. .
[0049] Recovery function that preserves parity The recovery function is the inverse operation of the compression function, that is, it restores the original state of the compressed state. elements in Restore to The elements in the array are kept parity unchanged. Specifically, the definition is to first set the parity of the elements in the array to remain unchanged. Enlarged proportionally and then rounded down to the nearest whole number. Next, check the parity. If the parity is different, add 1 to keep the parity unchanged. .
[0050] The coordination function has the following property: if elements in The difference is even, and the difference is less than or equal to According to The signal, the coordination function will... Mapping to the same value allows both communicating parties to coordinate and obtain the same value; that is, based on one party's signal, two numbers with similar parity are mapped to the same value. Compression and restoration functions have the following property: compressing a number and then restoring it results in a number that maintains the same parity as the original number, provided that appropriate values are chosen. This allows the difference to be controlled within a sufficiently small range.
[0051] Comparative Example 1,
[0052] The steps of the Ding's key exchange protocol are as follows:
[0053] (1): Party A generates a 128-bit random number seed, and uses this seed to generate a... polynomials in As a public parameter, a temporary private key is then generated through random sampling. and error Both are The small polynomial in the middle is then used to calculate the temporary public key. Then compress using a compression function. get ,Bundle Send the seed to Party B.
[0054] (2): B uses a seed to generate the same polynomial as A. Then, a temporary private key is generated through random sampling. and error Both are The small polynomial in the middle is then used to calculate the temporary public key. Then compress using a compression function. get .
[0055] (3): Party B uses the recovery function from get Then calculate and signal Then use the signal to calculate This serves as a temporary key shared by both parties. Party B sends the encrypted text, i.e., its own compressed public key, to Party A. and signal .
[0056] (4): Party A uses the recovery function from get Then calculate Then use a signal calculate This serves as a temporary key shared by both parties.
[0057] In the Ding's key exchange protocol, by selecting appropriate parameters, the shared temporary key calculated by parties A and B will have a high probability of being the same and possessing sufficient security strength. Table 1 shows the corresponding security strength and probability of failure (i.e., the probability that the keys of the two parties are different) under specific parameters, as well as the amount of data communicated.
[0058] Table 1 Experimental data of Ding's key exchange protocol
[0059]
[0060] Existing Ding's key exchange protocols have several shortcomings. First, they do not meet the security requirement of preventing ciphertext tampering. Here, ciphertext refers to the temporary public key and signal sent by Party B to Party A. Second, while the failure probability is already very low, it is not low enough to be negligible in practical use. This invention addresses these two shortcomings by designing a new quantum-resistant key exchange protocol (a modular lattice-based key exchange method) that reduces the failure probability to a negligible level (below 2). -100 It also achieves tamper-proof security for encrypted text.
[0061] This invention comprises two parts. The first part is a key exchange protocol with a lower failure probability but lacking ciphertext tamper-proof security. The second part, based on the result of the first part, further constructs a protocol that satisfies ciphertext tamper-proof security, ultimately resulting in a key exchange protocol with a negligible failure probability, smaller communication data volume, and higher security. Furthermore, it can detect discrepancies when the shared keys of both parties are inconsistent. The scheme of this invention is based on a modular lattice key exchange method, called Module-Lattice-Based Ding Key Exchange, or simply Ding-KEX.
[0062] The key technology in the first part is to significantly reduce the probability of failure by segmenting the signal and expanding the dimension.
[0063] Divide the signal into intervals: Let It is an integer greater than zero.
[0064] interval Divided into Sub-intervals: , , …, , …, The width of each sub-interval is approximately .
[0065] Segmented signal function :right elements in First from Random sampling was obtained (Right now There is a 50% probability that it will be 0 or 1), if In the interval In the middle, then define The signal is The purpose of random sampling here is to eliminate statistical bias in the signal function. The signal function can be naturally extended to... Above, that is, applying a signal function to each coefficient of the polynomial.
[0066] The coordination function after splitting According to the signal Bundle elements in The following formula maps the signal to 0 or 1. If the signal is 0, it indicates that the signal is within the interval [0, 1]. Then directly Modulo 2 results in 0 or 1 (if) If it is even, then it is 0; otherwise, it is 1. This indicates the interval. ,but minus After (its function is from the interval) Rotate to interval Modulo 2 again. Expressed as a formula: , first model Then modulo 2. The coordination function can be naturally extended to... Above, that is, applying a coordination function to each coefficient of the polynomial.
[0067] The coordination function after partitioning has the following property: If elements in The difference is even, and the difference is less than or equal to According to The signal, the coordination function will... Mapping to the same value allows both communicating parties to coordinate and obtain the same value; that is, based on one party's signal, two numbers with the same and similar parity are mapped to the same value. When At that time, this was consistent with Ding's key exchange protocol, but when As it increases, the difference from Approaching That is, the signal function and the coordination function can tolerate larger error values. The role of signal segmentation is to allow for a greater tolerance of the signal. , The range of values has been expanded from the original Compress to This makes the coordination function Zhongneng allows The larger the difference, the greater the tolerance for error, and thus the larger the allowed sampling range during random sampling, which significantly reduces the probability of failure.
[0068] Example 1,
[0069] Using the segmented signal function and coordination function described above, and reducing the dimension from... 1-dimensional extension on Wei, such as Figure 1 As shown, the steps are as follows:
[0070] 1: Party A generates a A random number seed is used to generate a 1-bit random number. On matrix As a common parameter, it is then generated through random sampling. dimensional vector As a temporary private key and As for the error, the elements of both are The small polynomial in the middle is then used to calculate the temporary public key. Then compress using a compression function. get ,Right now ,Bundle Send the seed to Party B.
[0071] 2: Player B uses a seed to generate the same matrix as Player A. Then generated through random sampling dimensional vector As a temporary private key and As an error vector, the elements of both are The small polynomial in the middle is then used to calculate the temporary public key. Then compress using a compression function. get ,Right now ;
[0072] 3: Party B uses the recovery function from get ,Right now Then calculate and signal Then use the signal to calculate This serves as a temporary key shared by both parties. Party B sends the encrypted text, i.e., its own compressed public key, to Party A. and signal The signal is generated separately for each component (polynomial) of the vector.
[0073] 4: Party A uses the recovery function from get ,Right now Then calculate Then use a signal calculate This serves as a temporary key shared by both parties.
[0074] Compared to the Ding's key exchange protocol, this new key exchange protocol (Example 1) has a significantly lower failure probability and a smaller amount of data to communicate. However, its security is low and it cannot be used in practice yet.
[0075] Example 2,
[0076] In step 3 of Example 1, a verification tag consisting of a hash of the shared key and the ciphertext is introduced, and a consistency check is performed. Furthermore, a final key is derived based on the shared key and the ciphertext to ensure that if the data received by Party A is tampered with, it can be detected. Figure 2 As shown, the complete key exchange protocol process and steps are as follows:
[0077] 1: Party A generates a A random number seed is used to generate a polynomial ring. On matrix As a common parameter, it is then generated through random sampling. dimensional vector As a temporary private key and As for the error, the elements of both are The small polynomial in the middle is then used to calculate the temporary public key. Then compress using a compression function. Obtain the compressed public key ,Bundle Send the seed to Party B.
[0078] 2: Player B uses a seed to generate the same matrix as Player A. Then generated through random sampling dimensional vector As a temporary private key and As an error vector, the elements of both are The small polynomial in the middle is then used to calculate the temporary public key. Then compress using a compression function. get .
[0079] 3: Party B uses the recovery function from get Then calculate and signal Then use the signal to calculate This serves as a temporary key shared by both parties.
[0080] 4: Party B generates verification tags The final key is generated using a key derivation function (or hash function). Party B sends the tagged ciphertext to Party A, which is the compressed public key. ,Signal Validation tags .
[0081] 5: Party A uses the recovery function from get Then calculate Then use a signal calculate As a shared temporary key.
[0082] 6: Party A performs a consistency check and recalculates the check tags. ,examine Is it equal to If they are equal, it means that Party A received the encrypted data. It has not been tampered with, and and They are consistent, then the final key is calculated. If they are not equal, it indicates failure, meaning that the encrypted data received by Party A has a very high probability of being tampered with, or it was not tampered with but only had a very low probability of being altered. .
[0083] The key exchange protocol can be supplemented with an additional step at the end: if the consistency check fails, party A will still calculate... (Incorrect key). This is a common practice in cryptography, known as the "silent failure" strategy or "implicitly reject," which can defend against validity feedback attacks and side-channel attacks. See the ML-KEM standard for details. The key is then verified again when used in higher-layer protocols. The validity of the verification tag and the derived final key can be determined using various methods, which are not limited here. Furthermore, the data used to calculate the verification tag and the derived final key is not limited to the data specifically listed above and can include more data.
[0084] The encrypted, tamper-proof, and secure key exchange method designed in Embodiment 2 of this invention uses similar parameter settings to the NIST standard ML-KEM, and the same central binomial distribution to generate the private key and noise vector, because it has undergone rigorous efficiency and security verification. Parameters The size of the compressed public key is Bytes, Seed (32 bytes), Signal The total data volume includes 32 bytes for the public key, 32 bytes for the verification tag, and 32 bytes for the shared key. The total communication data includes A's compressed public key and seed, and B's compressed public key, signal, and verification tag. Specific parameters and the corresponding public key data sizes and failure probabilities are shown in Table 2, where the data size is in bytes.
[0085] Table 2 Experimental data of Example 2 of the present invention
[0086]
[0087] Under this configuration, the size of the public key and other data, as well as the failure probability, of Embodiment 2 of the present invention are similar to those of the NIST standard ML-KEM, and the amount of data communicated is better than that. In addition, it is significantly better than the original Ding's key exchange protocol.
[0088] To simplify the security proof, an optional operation can be added: in step S3 of Example 2, a small error can be randomly sampled. Multiply by 2 and add to ,Right now Similarly, in step S5, a small error can be randomly sampled. Multiply by 2 and add to ,Right now .
[0089] In some embodiments, in step 4 of Example 2, Party B generates a verification tag. , or , The input to the operation can also include more data than that.
[0090] If the modular key exchange method described in this invention is implemented as a software functional module and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the modular key exchange method described in this invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, external hard drives, ROM, RAM, magnetic disks, or optical disks.
[0091] The above description is merely a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention are included within the scope of protection of the present invention.
Claims
1. A key exchange method based on a modular lattice, characterized in that, Includes the following steps: S1: Party A generates a random number seed and obtains a compressed public key, which is then sent to Party B; S2: Party B obtains the compressed public key based on the received random number seed, recovers the data from the received compressed public key of Party A and calculates the temporary key, obtains the signal value after processing the segmented signal function, performs coordination processing on the temporary key to obtain the temporary key shared by both parties, and then generates a verification tag. The temporary key and the verification tag are used as input to derive the final key. S3: Party A recovers data from the received compressed public key of Party B and calculates a temporary key. It then coordinates the obtained shared temporary key using the received signal value. Party A then recalculates the verification tag. Only when the tag matches successfully, Party A uses the temporary key and the verification tag as input to derive a final key that is consistent with Party B's.
2. The key exchange method based on a modular lattice according to claim 1, characterized in that, In step S1, the method for obtaining the compressed public key is as follows: a public parameter matrix is generated based on the random number seed, a temporary private key vector and an error vector are generated through random sampling, a temporary public key is then calculated, and a compressed public key is obtained using a compression function that maintains parity. The common parameter matrix is a polynomial ring. The elements of the temporary private key vector and the error vector are all in the multidimensional matrix on the surface. Small polynomials in.
3. The key exchange method based on a modular lattice according to claim 2, characterized in that, In step S2, the method for obtaining the compressed public key is as follows: based on the received random number seed, a public parameter matrix identical to that of party A is generated; a temporary private key vector and an error vector are generated through random sampling; then the temporary public key is calculated; and finally, the compressed public key is obtained using a compression function that maintains parity. The elements in the temporary private key vector and the error vector are all Small polynomials in.
4. The key exchange method based on a modular grid according to claim 3, characterized in that, In step S2, Party B calculates the temporary key. The product of the transpose of the temporary private key vector generated by Party B and the data recovered from the compressed public key by Party A, or the random sampling error of Party B. twice as much, ; In step S3, Party A calculates the temporary key. The product of the temporary private key vector generated by Party A and the data recovered from the compressed public key by Party B, or the random sampling error of Party A. twice as much, .
5. The key exchange method based on a modular lattice according to claim 2, characterized in that, Acquisition of the signal value: mold Integer ring Divided into Sub-intervals, Integers greater than zero; Construct the segmented signal function :right elements in First from Random sampling was obtained ,if In the In each subinterval, then define The signal value is , ; The coordination process: Construct the coordination function after partitioning According to the signal value Determine the sub-interval in which the input value is located. If it is located in the reference sub-interval, directly modulo 2 to obtain the coordinated bit value; if it is not located in the reference sub-interval, rotate the value to the reference sub-interval by subtracting the offset, and then perform modulo 2 operation to obtain the coordinated bit value. Among them, when As the value increases, the tolerance of the coordination function decreases from... Approaching .
6. The key exchange method based on a modular lattice according to claim 1, characterized in that, In step S2, the specific method for generating the verification tag is as follows: a hash function is used to perform a hash operation. The input data for the hash operation includes the temporary key shared by both parties calculated by Party B, and optionally includes Party B's compressed public key, signal value, or other data.
7. The key exchange method based on a modular lattice according to claim 1, characterized in that, In steps S2 and S3, the method for deriving the final key is as follows: using a key derivation function or a hash function, a combination containing at least the following data is calculated: the coordinated parties share a temporary key and a verification tag.
8. The key exchange method based on a modular lattice according to claim 1, characterized in that, Step S3 also includes the following steps: when the verification tag recalculated by Party A is inconsistent with the received verification tag, Party A still calculates a pseudo-random final key, but verifies its validity when the subsequent upper-layer protocol uses the key.
9. A key exchange device based on a modular grid, characterized in that, It includes an initiating device and a responding device, both of which are equipped with a processor and a memory. The memory stores a computer program, and when the processor executes the computer program, it implements a key exchange method based on a modular grid as described in any one of claims 1 to 8.
10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements a module-based key exchange method as described in any one of claims 1 to 8.