Search

CN-122027144-A - Post quantum password secure access method for ultra-high-speed storage in space-based computing environment

CN122027144ACN 122027144 ACN122027144 ACN 122027144ACN-122027144-A

Abstract

The invention discloses a post quantum password security access method for ultra-high-speed storage in a space-based computing environment, which relates to the technical field of data storage security and comprises the steps of initializing post quantum password parameters and generating a key system, constructing a hierarchical access token tree, distributing the computing overhead of single post quantum signature verification to a large number of lightweight token verification operations, constructing a commitment Merkle tree, carrying out cryptographic binding on identity authentication and data integrity verification through a joint anchor value, executing token-based quick access authentication and non-interactive streaming integrity verification, simultaneously completing double verification of the identity authentication and the data integrity in a single verification process, and ensuring the high efficiency and forward security of dynamic update by incrementally updating the commitment tree and the forward evolution of a token. On the premise of ensuring the security intensity of the post quantum cryptography, the invention obviously reduces the cryptography calculation overhead and protocol interaction delay of space-based memory access and improves the throughput and response speed of the memory system.

Inventors

  • MA XIAONAN
  • Qu Jilan

Assignees

  • 上海伊世智能科技有限公司

Dates

Publication Date
20260512
Application Date
20260324

Claims (10)

  1. 1. The post quantum cryptography secure access method for ultra-high-speed storage in the space-based computing environment is characterized by comprising the following steps: Step 100, defining a password parameter set meeting a Module-LWE difficulty assumption, negotiating between a space base node and an access terminal to generate a shared session key and a signature key pair; Step 200, constructing a hierarchical access token tree, namely constructing a binary token tree by taking a shared session key as a root seed and deriving child node keys layer by layer through a lattice trapdoor one-way function based on a forward security key evolution mechanism, generating an access token by leaf nodes, and signing a root node value to generate a token tree root signature value; Step 300, generating a lattice incremental vector commitment and constructing a joint anchoring structure, namely dividing storage data into a data block set, calculating a lattice vector commitment value for each data block, constructing a commitment Merkle tree by layer-by-layer aggregation through a lattice hash function, and cryptographically binding a root commitment value with a token tree root signature value to generate a joint anchoring value; step 400, performing token-based quick access authentication, namely extracting an access token and a target data block address from a storage access request, reconstructing an authentication path from a leaf node to a root node layer by layer, comparing the authentication path with a root node value, and checking a valid time window and access authority of the access token; Step 500, performing non-interactive streaming integrity verification and generating unified access authorization; And 600, incrementally updating the commitment tree and executing the forward evolution of the token, namely, after the writing operation is finished, calculating the lattice vector commitment value of new data and updating the lattice vector commitment value to the root node layer by layer along a path, marking the consumed token invalid and deriving the next period key set, executing the security erasure on the current period key to ensure the forward security, and recalculating the joint anchor value.
  2. 2. The post quantum cryptography secure access method of claim 1 wherein the set of cryptographic parameters includes a lattice dimension parameter, a modulus, an error distribution parameter, and a security parameter, wherein the lattice dimension parameter and the modulus satisfy a target security level requirement under a model-LWE difficulty assumption; The negotiation generation of the shared session key is realized through a CRYSTALS-Kyber key encapsulation mechanism, wherein the space-based node generates a key encapsulation key pair and broadcasts an encapsulation public key to all access terminals; the signature key pair is generated through a CRYSTALS-Dilithium digital signature algorithm, wherein a signature public key is distributed to each access terminal, and a signature private key is safely stored by the space-based node.
  3. 3. The post quantum cryptography secure access method of ultra-high speed storage in a space-based computing environment according to claim 2, wherein the method for computing the check-trap one-way function is as follows: ; Wherein, the For the sub-node key vector, As a parent node key vector, For the sub-node position index, The vector concatenation operation is represented by a vector, For a public matrix generated by a uniform random distribution in the system initialization phase, In the form of a modulus, As a one-way function of the lattice trapdoor, Representing a modulo operation.
  4. 4. A post quantum cryptography secure access method for ultra-high speed storage in a space-based computing environment according to claim 3 wherein each access token contains the following fields: The token identification TID is a unique identifier generated by the position code of the leaf node in the binary token tree, and the data type is a bit string with fixed length; effective time window , And Identifying valid start-stop timestamps of the access tokens, respectively; An access permission bitmap, wherein the 0 th bit represents the read permission, the 1 st bit represents the write permission and the 2 nd bit represents the delete permission, and the data type is a bit string with fixed length; And the hierarchical path index sequence records the ordered sequence of the child node position index values of each layer passing through from the leaf node to the root node and is used for reconstructing the calculation path from the leaf node to the root node during verification.
  5. 5. The post quantum cryptography secure access method of claim 4 wherein computing a lattice vector commitment value for each data block comprises: the method comprises the steps of encoding data blocks into integer vectors of modulus, sampling corresponding random commitment blind factors for each data block, sampling each component of the random commitment blind factors from discrete Gaussian distribution taking error distribution parameters as parameters, and calculating a lattice vector commitment value according to the following calculation formula: ; Wherein, the In order to disclose the commitment matrix, Partitioning data A corresponding random commitment blind factor vector, Partitioning data Is used for the vector encoding of (a), Partitioning data Lattice vector commitment value of (a).
  6. 6. The post quantum cryptography secure access method of claim 5 wherein the lattice-based hash function is a lattice-based collision-resistant hash function The calculation mode is as follows: ; Wherein, the As a public matrix parameter of the hash function, The lattice vector promise value of each non-leaf node of the promise Merkle tree is equal to the lattice vector promise value of the left and right child nodes of the promise Merkle tree, and the lattice vector promise value is calculated through a lattice anti-collision hash function after being spliced; the calculation mode of the joint anchor value is as follows: ; Wherein, the To commit the root commit value of the Merkle tree, For the token tree root signature value, The data is represented by a concatenation of the data, In order to combine the anchor values, Is a lattice anti-collision hash function.
  7. 7. The post quantum cryptography secure access method of claim 6 wherein reconstructing the leaf node to root node authentication path layer by layer and comparing with the root node value comprises: A hierarchical path index sequence in a read access token, the hierarchical path index sequence comprising Starting from leaf node key value of access token, splicing current node value and brother node auxiliary verification value of current layer in every layer according to left-right position relationship indicated by hierarchical path index sequence, calculating to obtain father node value of upper layer by lattice hash function, proceeding from leaf node layer by layer to root node direction, and making them pass through The layer calculation is carried out to obtain a reconstructed root node calculation value, the reconstructed root node calculation value is compared with the original root node value of the stored binary token tree, if the root node calculation value is equal to the original root node value, the root node calculation value passes through, otherwise, the root node calculation value does not pass through; verifying the valid time window and access rights of the access token, comprising: checking a validity time window Whether or not to meet , wherein, Checking whether the authority bit corresponding to the operation type appointed by the storage access request in the access authority bit map is 1.
  8. 8. The post quantum cryptography secure access method of claim 7 wherein non-interactive streaming integrity verification is performed and a unified access authorization is generated, comprising the steps of: step 501, locating the corresponding data block according to the target data block address ; Step 502, extracting data blocks from the commitment Merkle tree Corresponding promise verification paths from leaf nodes to root nodes, the promise verification paths comprising slave data chunks Lattice vector commitment values of brother nodes of each layer on the path from the leaf node to the root node; step 503, recalculate the data chunk Splicing the lattice vector promise value of the node obtained by current calculation with the lattice vector promise value stored by the brother node of the current layer according to the left-right position relation in each layer along the promise verification path, obtaining the lattice vector promise value of the father node of the upper layer by calculation of a lattice hash function, and obtaining a reconstruction root promise value by pushing the leaf node layer by layer towards the root node; step 504, recalculating the joint anchor value based on the reconstructed root commitment value and the token tree root signature value; And 505, recalculating the joint anchoring value and comparing the calculated joint anchoring value with the stored joint anchoring value, generating unified access authorization when the authentication is consistent and passed, and otherwise, not passing.
  9. 9. The method for accessing ultra-high-speed storage of postquantum passwords in a space-based computing environment according to claim 8, wherein the method comprises the steps of updating the lattice vector promise value of a leaf node where modified data blocks are located in a promise Merkle tree to be updated by layers along a path, splicing the lattice vector promise values of left and right child nodes of each non-leaf node along the path from the leaf node where the updating is located to the root node, and then recalculating the lattice vector promise value of the node through a lattice hash function, wherein the lattice vector promise value of unaffected sibling nodes on the path is kept unchanged.
  10. 10. The method for accessing ultra-high-speed storage of postquantum passwords in a space-based computing environment according to claim 9, wherein the method for marking the consumed tokens invalid and deriving the next period key set, and performing secure erasure on the current period key to ensure forward security comprises the steps of adding the consumed access tokens to a token invalidation list, deriving the sub-token key set of the next period from the current period key state corresponding to the access tokens based on a forward security key evolution function, and performing zero clearing operation on a memory area corresponding to the key state of the current period after the derivation is completed.

Description

Post quantum password secure access method for ultra-high-speed storage in space-based computing environment Technical Field The invention relates to the technical field of data storage security, in particular to a post quantum cryptography secure access method for ultra-high-speed storage in a space-based computing environment. Background With the development of quantum computing technology, a quantum computer based on a shell algorithm forms a serious threat to the existing public key cryptosystem, a space-based information system is used as a key infrastructure, and the data storage security of the space-based information system faces the challenge of quantum attack. To address this threat, the prior art began to explore the application of post quantum cryptography algorithms to the space-based environment, and related projects aimed at satellite measurement and control links and payload data transmission links, using the CRYSTALS-Kyber and CRYSTALS-Dilithium algorithms of the base Yu Ge to achieve key encapsulation and digital signature. In the access authentication level, the prior art provides a lightweight post-quantum access authentication scheme and an anonymous post-quantum access authentication scheme, a Regev encryption mechanism is adopted to reduce space-borne storage overhead, and zero knowledge proof is realized based on a refused sampling method so as to complete identity authentication. In the storage security layer, the prior art provides a dynamic storage proving mechanism based on homomorphic authentication tree, and high-efficiency audit and dynamic update of storage data in a space-based information port are realized by encrypting and uploading data blocks and constructing challenge-response type integrity verification. However, the above prior art focuses mainly on the establishment of a communication link or the integrity verification of stored data, and lacks targeted consideration for real-time access control problems in ultra-high-speed storage scenarios in space-based computing environments. When multiple users or multiple tasks need to read, write, encrypt and store data at high frequency, the performance cost of the post quantum cryptography algorithm due to large key size, long signature length and high calculation complexity is obviously amplified, the IP fragmentation is easy to trigger under the condition of limited bandwidth, and the inherent high packet loss rate characteristic of the satellite network further aggravates the access delay of the fragmentation retransmission. Meanwhile, the processing capacity of the spaceborne computer is limited, and the computing resources and memory occupation required by the quantum cryptography algorithm after operation form a bottleneck for the throughput of storage access. The existing dynamic storage proving mechanism can verify the integrity of data, but the interaction cost in the challenge-response process and the update calculation of the homomorphic authentication tree can obviously influence the response speed of a storage system when facing high-frequency access. Disclosure of Invention The invention aims to provide a post-quantum password security access method for ultra-high-speed storage in a space-based computing environment, which solves the problem of optimizing the password calculation and protocol interaction flow in the storage access process on the premise of ensuring the security intensity of the post-quantum password so as to meet the throughput and delay requirements of the ultra-high-speed storage in the space-based environment. In order to achieve the above purpose, the invention provides a post quantum cryptography secure access method for ultra-high speed storage in a space-based computing environment, comprising the following steps: Step 100, defining a password parameter set meeting a Module-LWE difficulty assumption, negotiating between a space base node and an access terminal to generate a shared session key and a signature key pair; Step 200, constructing a hierarchical access token tree, namely constructing a binary token tree by taking a shared session key as a root seed and deriving child node keys layer by layer through a lattice trapdoor one-way function based on a forward security key evolution mechanism, generating an access token by leaf nodes, and signing a root node value to generate a token tree root signature value; Step 300, generating a lattice incremental vector commitment and constructing a joint anchoring structure, namely dividing storage data into a data block set, calculating a lattice vector commitment value for each data block, constructing a commitment Merkle tree by layer-by-layer aggregation through a lattice hash function, and cryptographically binding a root commitment value with a token tree root signature value to generate a joint anchoring value; step 400, performing token-based quick access authentication, namely extracting an access token and a target data block address