Search

CN-120110677-B - Digital certificate issuing method and related device based on post quantum mixing algorithm

CN120110677BCN 120110677 BCN120110677 BCN 120110677BCN-120110677-B

Abstract

The embodiment of the application discloses a digital certificate issuing method and a related device based on a post quantum hybrid algorithm, wherein a user terminal generates three pairs of public keys according to an asymmetric encryption algorithm, a post quantum key signing algorithm and a post quantum key packaging algorithm, generates a certificate signing request according to a hybrid public key comprising a first public key and a second public key and user identification information, sends the certificate signing request and a third public key to a CA terminal, generates a hybrid key signing and packaging certificate, a key packaging ciphertext and an encrypted hybrid key packaging private key according to the hybrid key signing and packaging public key, decrypts the key packaging ciphertext and the encrypted hybrid key packaging private key according to the first private key and the third private key to obtain a hybrid key packaging private key, installs the hybrid key signing and packaging certificate and binds the hybrid key packaging certificate with a corresponding private key, so that the issuing of the hybrid key signing and packaging certificate can be realized, the legal use of the certificate in a quantum algorithm resisting scene is ensured, and the information security is improved.

Inventors

  • LI YE
  • LIU ZHENYA

Assignees

  • 本源量子计算科技(合肥)股份有限公司

Dates

Publication Date
20260512
Application Date
20250228

Claims (11)

  1. 1. A digital certificate issuing method based on a post quantum mixing algorithm, which is characterized by being applied to a user terminal, the method comprising: Generating a first public key and a first private key according to an asymmetric encryption algorithm, generating a second public key and a second private key according to a post quantum key signature algorithm, and generating a third public key and a third private key according to a post quantum key encapsulation algorithm; Taking the first public key and the second public key as mixed public keys, and generating a certificate signature request according to the mixed public keys and user identification information; sending the certificate signing request and the third public key to a certificate authority terminal; Receiving a mixed key signature certificate, a mixed key encapsulation certificate, a key encapsulation ciphertext and an encrypted mixed key encapsulation private key which are sent by the certificate authority terminal; the mixed key signing certificate is generated by signing the certificate signing request by using a self mixed signing private key after the certificate authority terminal successfully verifies the user identification information, the mixed key signing certificate is generated by signing a mixed key signing public key and the user identification information by using a self mixed signing private key by using the certificate authority terminal, the encrypted mixed key signing private key is obtained by encrypting the mixed key signing private key by using a symmetric key by using the certificate authority terminal, and the key signing ciphertext and the symmetric key are obtained by carrying out key signing operation by using the first public key and the third public key by using the certificate authority terminal; Decrypting the key encapsulation ciphertext and the encrypted mixed key encapsulation private key according to the first private key and the third private key to obtain a mixed key encapsulation private key; and installing the mixed key signing certificate and the mixed key packaging certificate, and binding the mixed key signing certificate and the mixed key packaging certificate with the mixed key packaging private key, the first private key and the second private key.
  2. 2. The method according to claim 1, wherein decrypting the key-encapsulated ciphertext and the encrypted hybrid key-encapsulated private key according to the first private key and the third private key to obtain a hybrid key-encapsulated private key comprises: performing key unpacking operation on the key packing ciphertext according to the first private key and the third private key to obtain the symmetric key; And decrypting the encrypted mixed key package private key by using the symmetric key to obtain the mixed key package private key.
  3. 3. The method of claim 1 or 2, wherein the binding the hybrid key signature certificate and the hybrid key encapsulation certificate with the hybrid key encapsulation private key, the first private key, and the second private key comprises: Binding the mixed key signature certificate with the first private key and the second private key, and binding the mixed key encapsulation certificate with the fourth private key and the fifth private key.
  4. 4. The method according to claim 1, wherein the method further comprises: installing an intermediate certificate, if the certificate authority center terminal is a root certificate authority center terminal, the intermediate certificate is issued by the root certificate authority center terminal, and if the certificate authority center terminal is not the root certificate authority center terminal, the intermediate certificate is issued by a last-stage certificate authority center terminal.
  5. 5. A digital certificate issuing method based on a post quantum hybrid algorithm, which is characterized by being applied to a certificate authority terminal, the method comprising: receiving a certificate signing request and a third public key sent by a user terminal, wherein the certificate signing request is generated by the user terminal according to a mixed public key and user identification information, the third public key is generated by the user terminal according to a post quantum key encapsulation algorithm, and the mixed public key comprises a first public key generated by the user terminal according to an asymmetric encryption algorithm and a second public key generated by the user terminal according to the post quantum key signing algorithm; After the user identification information is successfully checked, the certificate signing request is signed by using a self mixed signing private key to generate a mixed key signing certificate; generating a fourth public key and a fourth private key according to the asymmetric encryption algorithm, and generating a fifth public key and a fifth private key according to the post quantum key encapsulation algorithm; taking the fourth public key and the fifth public key as mixed key packaging public keys and taking the fourth private key and the fifth private key as mixed key packaging private keys; Signing the mixed key encapsulation public key and the user identification information by using a mixed signature private key to generate a mixed key encapsulation certificate; Performing key encapsulation operation by using the first public key and the third public key to obtain a key encapsulation ciphertext and a symmetric key; Encrypting the mixed key packaging private key by using the symmetric key to obtain an encrypted mixed key packaging private key; And sending the mixed key signing certificate, the mixed key packaging certificate, the key packaging ciphertext and the encrypted mixed key packaging private key to the user terminal, so that the user terminal decrypts the key packaging ciphertext and the encrypted mixed key packaging private key according to the first private key corresponding to the first public key and the third private key corresponding to the third public key to obtain the mixed key packaging private key, installs the mixed key signing certificate and the mixed key packaging certificate, and binds the mixed key signing certificate and the mixed key packaging certificate with the mixed key packaging private key and the second private key corresponding to the first private key and the second public key.
  6. 6. The method of claim 5, wherein the user terminal performs a key unpacking operation on the key packed ciphertext according to a first private key corresponding to the first public key and a third private key corresponding to the third public key to obtain the symmetric key, and decrypts the encrypted hybrid key packed private key using the symmetric key to obtain the hybrid key packed private key.
  7. 7. The method according to claim 5 or 6, wherein the user terminal binds the hybrid key signature certificate with a second private key corresponding to the first private key and the second public key, and binds the hybrid key encapsulation certificate with the fourth private key and the fifth private key.
  8. 8. A digital certificate issuing device based on a post quantum mixing algorithm, which is applied to a user terminal, the device comprising: The key generation unit is used for generating a first public key and a first private key according to an asymmetric encryption algorithm, generating a second public key and a second private key according to a post quantum key signature algorithm, and generating a third public key and a third private key according to a post quantum key encapsulation algorithm; A key processing unit, configured to use the first public key and the second public key as a hybrid public key, and generate a certificate signing request according to the hybrid public key and user identification information; an information generating unit for transmitting the certificate signing request and the third public key to a certificate authority terminal; The information receiving unit is used for receiving the mixed key signature certificate, the mixed key encapsulation certificate, the key encapsulation ciphertext and the encrypted mixed key encapsulation private key which are sent by the certificate authority terminal; the mixed key signing certificate is generated by signing the certificate signing request by using a self mixed signing private key after the certificate authority terminal successfully verifies the user identification information, the mixed key signing certificate is generated by signing a mixed key signing public key and the user identification information by using a self mixed signing private key by using the certificate authority terminal, the encrypted mixed key signing private key is obtained by encrypting the mixed key signing private key by using a symmetric key by using the certificate authority terminal, and the key signing ciphertext and the symmetric key are obtained by carrying out key signing operation by using the first public key and the third public key by using the certificate authority terminal; the information decryption unit is used for decrypting the key encapsulation ciphertext and the encrypted mixed key encapsulation private key according to the first private key and the third private key to obtain a mixed key encapsulation private key; And the certificate installation unit is used for installing the mixed key signature certificate and the mixed key encapsulation certificate and binding the mixed key signature certificate and the mixed key encapsulation certificate with the mixed key encapsulation private key, the first private key and the second private key.
  9. 9. A digital certificate issuing device based on a post quantum hybrid algorithm, which is applied to a certificate authority terminal, the device comprising: The information receiving unit is used for receiving a certificate signing request and a third public key sent by a user terminal, wherein the certificate signing request is generated by the user terminal according to a mixed public key and user identification information, the third public key is generated by the user terminal according to a post quantum key encapsulation algorithm, and the mixed public key comprises a first public key generated by the user terminal according to an asymmetric encryption algorithm and a second public key generated by the user terminal according to the post quantum key signing algorithm; The information generating unit is used for signing the certificate signing request by using a self mixed signing private key to generate a mixed key signing certificate after the user identification information is successfully verified; generating a fourth public key and a fourth private key according to the asymmetric encryption algorithm, and generating a fifth public key and a fifth private key according to the post quantum key encapsulation algorithm; the method comprises the steps of taking a fourth public key and a fifth public key as a mixed key packaging public key, taking the fourth private key and the fifth private key as mixed key packaging private keys, signing the mixed key packaging public key and the user identification information by using own mixed signature private keys to generate a mixed key packaging certificate, carrying out key packaging operation by using the first public key and the third public key to obtain a key packaging ciphertext and a symmetric key, encrypting the mixed key packaging private keys by using the symmetric key to obtain an encrypted mixed key packaging private key, sending the mixed key signing certificate, the mixed key packaging certificate, the key packaging ciphertext and the encrypted mixed key packaging private key to the user terminal, so that the user terminal decrypts the key packaging private key and the encrypted mixed key packaging private key according to a first private key corresponding to the first public key and a third private key corresponding to obtain a mixed key packaging private key, and installing the mixed key packaging certificate and the mixed key packaging private key, and the mixed key packaging certificate, and sending the mixed key packaging private key to the user terminal, and the mixed key packaging private key certificate.
  10. 10. An electronic device is characterized by comprising a processor and a memory; The processor is connected to a memory, wherein the memory is adapted to store a computer program, the processor being adapted to invoke the computer program to perform the method of any of claims 1-4 or claims 5-7.
  11. 11. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program comprising program instructions which, when executed by a processor, perform the method of any of claims 1-4 or claims 5-7.

Description

Digital certificate issuing method and related device based on post quantum mixing algorithm Technical Field The invention relates to the technical field of post quantum cryptography, in particular to a digital certificate issuing method and a related device based on a post quantum mixing algorithm. Background The development of quantum computing constitutes a great potential threat to traditional encryption algorithms. Traditional public key encryption algorithms such as RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography ) rely on mathematical challenges that can become easily resolved in front of quantum computers. Once a quantum computer reaches sufficient computational power, the encryption systems based on these algorithms, which are currently widely used, are at risk of being hacked. For example, in a quantum computing environment, the RSA algorithm may quickly decompose its encryption key, resulting in the loss of confidentiality of the encrypted data. This means that many of the secure communications, digital signatures and key exchange protocols that exist require re-inspection and improvement to address the challenges of the quantum computing era. Post-quantum cryptography Post-Quantum Cryptography, PQC provides an effective solution to the threat of quantum computing to traditional encryption algorithms. PQC is based on a number of new mathematical challenges that remain highly safe in the face of quantum computers. The main advantage of PQC is that it can provide reliable cryptographic protection in the quantum computing era. Unlike traditional encryption algorithms, the security of the PQC algorithm does not rely on mathematical problems that are easily broken under quantum computers. For example, lattice-based cryptography, code-based cryptography, and multivariate polynomial-based cryptography, etc., are all important research directions in PQC. However, the conventional public key certificate does not include the public key of the PQC algorithm, and in the scenario of using the classical+anti-quantum hybrid algorithm, the public key of the used anti-quantum algorithm cannot be verified, and is easy to be attacked by a man-in-the-middle. Disclosure of Invention The embodiment of the application provides a digital certificate issuing method and a related device based on a post quantum hybrid algorithm, which can realize the issuing of a hybrid key signature certificate and a hybrid key packaging certificate, ensure the legal use of the certificate in a quantum algorithm resistant scene and improve the information security. The first aspect of the embodiment of the application provides a digital certificate issuing method based on a post quantum mixing algorithm, which is applied to a user terminal and comprises the following steps: Generating a first public key and a first private key according to an asymmetric encryption algorithm, generating a second public key and a second private key according to a post quantum key signature algorithm, and generating a third public key and a third private key according to a post quantum key encapsulation algorithm; Taking the first public key and the second public key as mixed public keys, and generating a certificate signature request according to the mixed public keys and user identification information; sending the certificate signing request and the third public key to a certificate authority terminal; receiving a mixed key signature certificate, a mixed key encapsulation certificate, a key encapsulation ciphertext and an encrypted mixed key encapsulation private key which are generated by the certificate authority terminal according to the certificate signature request and the third public key; Decrypting the key encapsulation ciphertext and the encrypted mixed key encapsulation private key according to the first private key and the third private key to obtain a mixed key encapsulation private key; and installing the mixed key signing certificate and the mixed key packaging certificate, and binding the mixed key signing certificate and the mixed key packaging certificate with the mixed key packaging private key, the first private key and the second private key. Optionally, the receiving the mixed key signature certificate, the mixed key encapsulation certificate, the key encapsulation ciphertext and the encrypted mixed key encapsulation private key generated by the certificate authority terminal according to the certificate signature request and the third public key includes: The method comprises the steps of receiving a mixed key signing certificate, a mixed key packaging certificate, a key packaging ciphertext and an encrypted mixed key packaging private key, wherein the mixed key signing certificate, the mixed key packaging certificate, the key packaging ciphertext and the encrypted mixed key packaging private key are sent by a certificate authority terminal, the mixed key signing certificate is generated by using a self mixed signing