Disclosure of Invention
In order to solve the problems of insufficient message transmission safety, low calculation efficiency, difficult privacy protection and the like in the existing vehicle-mounted ad hoc network, the invention provides a vehicle-mounted ad hoc network safety communication system based on an NTRU grid cryptosystem, and aims to improve the safety and efficiency of message transmission in the vehicle-mounted ad hoc network.
In order to achieve the above purpose, the invention adopts the following technical scheme:
The vehicle-mounted self-networking safety communication system based on the NTRU grid cryptosystem comprises a key generation module, a message signing module, a message encryption module, a message decryption module, a message verification module, an identity authentication module, a key exchange module and a certificate management module, wherein the improvement is that the vehicle-mounted self-networking safety communication system further comprises a pseudo-random number generator;
the key generation module adopts an NTRU grid cryptosystem to generate public key and private key pairs for each communication node in the vehicle-mounted ad hoc network, and issues and manages the public keys through the certificate management module;
The message signing module signs by utilizing a private key and a random polynomial dynamically generated by a pseudo-random number generator based on an NTRU grid cryptosystem to generate a signature polynomial,Wherein, the method comprises the steps of,As the private key polynomial of the sender,In order to be a hash value of a message,A temporary random polynomial dynamically generated for the sender,As the current time stamp is to be used,For the modulus in the NTRU encryption process,Is a polynomial convolution operator symbol,Is the sign of the exclusive-or operation,Is the sign of modulo arithmetic;
the message encrypting module obtains the public key of the receiver through the certificate managing module and encodes the message to be sent into a message with the frequency smaller than that of the message to be sentAnd the absolute value of the coefficient is at mostIs a function of the message polynomial m of (c), by randomly selecting a temporary polynomialAnd encrypts the message to be transmitted by combining the public key of the receiver to form a final ciphertext;WhereinFor the temporarily generated random polynomial, for the randomness of the encryption operation,、Are all the moduli in the NTRU encryption process,For the current timestamp, the uniqueness used to bind each encryption, preventing replay attacks,The method comprises the steps that a public key polynomial of a receiver is obtained through a certificate management module, and H represents hash operation;
the message decryption module, the receiver uses private key and inverse element of module p thereofFor received ciphertextDecrypting and recovering the plaintext, and decrypting the message polynomialWherein, the method comprises the steps of,,A and b are intermediate calculated values,For the temporary random polynomial dynamically generated by the receiver, the randomness in the decryption process is enhanced,For the current timestamp, a temporary random polynomial is combinedThe uniqueness of each decryption is increased, and replay attack is prevented;
The message verification module is used for obtaining the public key of the sender through the certificate management module by the receiver and separating the signature polynomial from the received dataSignature polynomial pair using public key polynomial of senderPerforming polynomial convolution and modular operation to recover hash value and random polynomial, and then performing polynomial operation on decrypted messageThe method comprises the steps of carrying out hash operation, comparing the hash operation with a recovered hash value, simultaneously verifying the validity of a random polynomial, judging that the message is complete and the source is legal if the hash value is consistent and the random polynomial is valid, and entering a subsequent processing flow;
the identity authentication module completes identity authentication of the vehicle-mounted network node through a challenge-response protocol based on the NTRU password, and ensures identity legitimacy of both communication parties;
the key exchange module realizes the secure key exchange between the communication nodes in the vehicle-mounted ad hoc network through an improved boom key distribution protocol.
Preferably, in the key generation module, the generation process of the public key and the private key comprises the steps of selecting two random keysPolynomial of degreeAndGenerating a key, utilizing an extended Euclidean algorithm pairInversion is not performedThe polynomial is re-selected based on the inverse of the polynomial,AndRespectively areIn-mold dieSum dieThe lower multiplication inverse, i.eCalculating,Is a temporary random polynomial, and the public key is obtained asThe private key isThe coefficients of the random polynomial of the private key are randomly selected from { -1,0,1} by a pseudo-random number generator;
wherein, theAndIs the modulus in the NTRU encryption process,The value of (2) to (5) ensures the irreversibility of the polynomial operation,The value of (2) is 2048-q-4096, q is more than 6p,Representing the public key polynomial of the formula,The method is a sign of modulo arithmetic, N is polynomial degree, and the value is 509-N1277.
As the preferable mode of the invention, the identity authentication module performs the steps of:
Verifier generates random challenge polynomialsPolynomial degree isThe coefficients are randomly selected from a sparse polynomial set L with all times smaller than N and absolute values of the coefficients not exceeding a set threshold value, and the current time stamp T is recorded to generate challenge dataThe time stamp T is synchronously transmitted through a protocol and is sent to a proving party;
The proving party verifies the validity of the current timestamp T, discards the challenge if the timeout occurs, and uses the private key f and the random polynomial dynamically generated by the pseudo-random number generator if the challenge is validFor challenge polynomialsSigning the signature by using a signature polynomialReturning to the verification party;
the verifier obtains the public key of the prover from the certificate management module and signs the polynomial using the public key pairPerforming inverse operation to recover hash value and random polynomial, performing hash operation on random challenge polynomial, comparing it with recovered hash value, and simultaneously verifying random polynomialIf the hash is consistent and the time stamp is valid, the authentication is passed.
Preferably, the key exchange module performs key exchange mainly by exchanging public column vectors of both partiesAndImplemented when the nodeAnd (3) withWhen communication is needed, nodeComputing a shared key:;
NodeComputing a shared key:;
Wherein, the nodePrivate key vector of (a)S is a D x D symmetric matrix, elements of the symmetric matrix are randomly selected from a finite field GF (q), reversibility is met, and q is a large prime number; Overt matrix for D x DIs the first of (2)Column polynomial vector, open matrixThe element of (2) is a random polynomial with degree < N, coefficient range [ - (p-1)/2, (p-1)/2 ]; Is a nodeIs described herein).
As the optimization of the invention, the certificate management module is responsible for the full life cycle management of the public key certificate in the vehicle-mounted ad hoc network, including certificate generation, distribution, revocation and updating.
Preferably, the pseudo-random number generator is a pseudo-random number generator conforming to the ANSI X9.17 standard, and the pseudo-random number generator adopts a triple DES encryption mode to ensure unpredictability of a random polynomial or a random number.
As a preferred aspect of the present invention, a temporary random polynomialTemporary random polynomial dynamically generated by senderTemporarily generated random polynomialTemporary random polynomial dynamically generated by receiverAll belong to L which is a sparse polynomial set with all times smaller than N and coefficient absolute value not exceeding a set threshold, namely a random polynomial set, wherein the random polynomialThe coefficients of (1) are selected from { -1, 0,1 }.
The invention also provides a vehicle-mounted ad hoc network safety communication method based on the NTRU grid cryptosystem, which comprises the following steps:
Step 1, generating a public key and a private key pair of each communication node in the vehicle-mounted ad hoc network by utilizing an NTRU grid cryptosystem, issuing the public key of each communication node to the safety communication system by the communication node, managing the public key by a certificate management module, and ensuring the validity of the public key by the certificate management module in charge of distributing, withdrawing and updating the public key certificate;
Step 2, when the sender needs to send the message, the private key is used for signing the message to be sent, a random polynomial dynamically generated by a pseudo random number generator is added in the signing process, the signing is completed by using an NTRU signing algorithm, each time of signing is unique, the generated signature data and the original message are sent to a message encryption module, the message encryption module requests a public key certificate of a receiver from a certificate management module, the message to be sent is encoded into a message polynomial conforming to the NTRU grid cryptosystem, and the temporary polynomial is randomly selectedThe public key of the receiver is used for encrypting the message to be sent, and then the message with the signature and the encryption is transmitted to the receiver through the vehicle-mounted ad hoc network;
Step 3, after receiving the message, the receiver first uses the private key and the inverse element of its module pFor received ciphertextDecrypting and recovering plaintext, requesting public key certificate of sender from certificate management module, recovering hash value and random polynomial by signature verification operation, and then obtaining decrypted message polynomialCarrying out hash processing, and comparing the hash processing with a hash value obtained by signature verification operation; if the hash value is consistent and the random polynomial is valid, proving that the message is not tampered in the transmission process and is truly sent by a legal sender, executing the step 4, continuing to process the message, and if the verification fails, rejecting the message;
Step 4, identity authentication;
The receiver and the sender complete identity authentication by a challenge-response mode based on the NTRU password, and the verifier generates a random challenge polynomial, the proving party signs the random challenge polynomial by a private key and returns the random challenge polynomial, and the generated signature verifier verifies by a public key of the proving party to prevent replay attack;
Step 5, performing key negotiation through an improved boom key distribution protocol to determine a session key;
step 6, communication;
The receiver uses the private key to sign NTRU of the response message, encrypts the response message by using the negotiated session key, and then returns the data to the sender;
If the communication between the sender and the receiver is stable, the subsequent data exchange is directly encrypted by using a session key;
if the sender leaves the coverage area of the receiver, the sender needs to carry out identity authentication and key negotiation with the new receiver again.
As a preferred aspect of the present invention, the abnormal behavior management module monitors abnormal behavior during communication, and performs certificate revocation or security response measures when an abnormality is found, and prevents the device from continuing unsafe communication by revoked certificates while dynamically updating the certificate revocation list.
As the optimization of the invention, the man-in-the-middle attack is prevented by the three-party identity authentication during the identity authentication, and the vehicle-mounted unit, the road side unit and the service provider respectively need to mutually verify the certificates of the other party and confirm the identity of the other party during the three-party authentication.
As the preference of the invention, the identity authentication is carried out by attaching a pseudonym certificate issued by a pseudonym certificate authority, after receiving an identity authentication request, a proving party firstly checks whether the pseudonym certificate is issued by a trusted pseudonym certificate authority and verifies whether the signature of the pseudonym certificate is correct so as to ensure the integrity of the pseudonym certificate, then checks the validity period of the pseudonym certificate to ensure that the pseudonym certificate is not expired, simultaneously queries a certificate revocation list or verifies whether the pseudonym certificate is revoked by using an online certificate status protocol, and if the signature of the pseudonym certificate is correct, is not expired and is not revoked, the proving party considers the pseudonym certificate to be valid and continues the next identity authentication process, otherwise, the identity authentication is failed.
The invention has the advantages and beneficial effects that:
(1) The invention adopts signature and encryption scheme based on Elliptic Curve (ECDSA) or RSA, adopts NTRU format signature and encryption, has more advantages in quantum attack resistance compared with the traditional public key system, can effectively resist threat of quantum calculation to the existing encryption technology, thereby guaranteeing data security, and simultaneously, on the basis of optimizing the traditional NTRU algorithm, the invention improves algorithm structure and improves calculation efficiency (optimizing convolution operation, reducing operation times, improving signature generation and verification efficiency, optimizing module operation process, reducing calculation complexity, improving calculation precision, ensuring quick and accurate signature process), reducing calculation complexity of signature generation and verification, improving integral calculation efficiency, meeting the requirements of vehicle-mounted ad hoc network on real-time and high efficiency, and being suitable for vehicle-mounted equipment (OBU) with limited resources. In addition, the traditional VANET mainly adopts two-way authentication (OBU and RSU) or centralized CA authentication, and the invention introduces VSP (service provider) as a third party to form a three-party mutual authentication mechanism of OBU-RSU-VSP, so that the RSU is not only a relay node, but also can participate in identity authentication and key negotiation together with the VSP, thereby improving the reliability of authentication and ensuring safer communication between vehicles.
(2) The invention adopts the boom key distribution protocol to carry out key negotiation, which is different from common DIFFIEHELLMAN (DH) key exchange, the boom protocol allows the direct calculation of the session key between any two legal nodes without additional key exchange, which is very beneficial to the VANET high dynamic environment, and the boom+NTRU combination enables the key negotiation to be more efficient and has quantum resistance.
(3) The invention combines NTRU signature and pseudonym certificate mechanism, not only supports identity authentication, but also optimizes in privacy protection, and periodically replaces the pseudonym certificate, so that OBU can not be maliciously tracked in the long-term communication process, and most of the prior VANET schemes still mainly depend on the traditional pseudo-identity switching strategy in privacy protection.
(4) The pseudonym certificate is mainly used for enhancing privacy protection and preventing an external attacker from presuming the running track or identity information of the external attacker by long-term tracking of the communication record of the vehicle. The pseudonym certificate is still issued by a certificate authority (e.g. PCA) but does not bind the real identity of the vehicle but uses a periodically changing pseudonym, and is replaced at intervals (e.g. minutes or hours) such that the communication records of the same vehicle cannot be correlated for a long period of time, even if an attacker intercepts a message sent by an OBU, it is difficult for the attacker to keep track of the OBU for a long period of time by means of the public key due to the regular updating of the pseudonym certificate.
(5) In the invention, a boom key distribution protocol is adopted in key negotiation, and plays a role of safety key negotiation in the whole process, so that the OBU, the RSU and the VSP can dynamically calculate a shared key (session key) under the condition of not revealing the key, thereby enhancing the confidentiality and the anti-attack capability of the communication of the Internet of vehicles.
(6) The system of the whole Internet of vehicles performs operations such as strict identity verification, signature encryption, certificate revocation and the like through a plurality of certificate authorities, ensures the communication safety among vehicles, road side units and service providers, ensures that information integrity and confidentiality can be maintained under malicious attack through signature and encryption processing of all messages, and further enhances the anti-attack capability of the system through certificate management and abnormal behavior management mechanisms, and ensures that all devices in the system communicate under the trusted condition.
(7) The invention adopts a challenge-response mechanism and a three-way authentication mode, enhances the capability of preventing replay attack, and supports efficient identity authentication and key exchange processes. Compared with the traditional elliptic curve cryptosystem and RSA algorithm, the invention obviously improves the calculation efficiency and reduces the bandwidth and storage requirements on the premise of ensuring the same security level, and is suitable for wide application in vehicle-mounted ad hoc networks.
(8) The invention uses the NTRU grid cryptosystem to generate the public key and the private key pair, thereby greatly reducing the key length and the calculation complexity while ensuring the safety. Also, by using the NTRU-based signature algorithm, messages in vehicle communications can be signed and encrypted, ensuring the integrity and confidentiality of the messages during transmission. In addition, the invention adopts a pseudonymous certificate mechanism, prevents the revealing of the identity of the vehicle by randomly switching the pseudonymous certificate and the serial number, further enhances the privacy protection of the user, prevents the revealing of the true identity of the vehicle, combines the pseudonymous certificate mechanism with an NTRU signature mechanism, and further enhances the privacy protection through dynamic certificate rotation.
(9) The method provided by the invention can stably operate in changeable communication environments, effectively ensures the safety of vehicle-mounted communication, and ensures the authenticity and the non-tamper property (integrity) of information. Meanwhile, the optimized algorithm reduces the calculation resources required by signature and verification while maintaining higher safety, reduces the hardware burden of the vehicle-mounted terminal, and improves the expandability and the long-term running stability of the system. The scheme is compatible with the existing vehicle-mounted ad hoc network architecture, is easy to deploy and integrate, does not need to greatly modify the system architecture, and can quickly adapt to actual application requirements.
Detailed Description
The following detailed description of the application, taken in conjunction with the accompanying drawings, is not intended to limit the scope of the application, so that those skilled in the art may better understand the technical solutions of the application and their advantages.
Example 1:
As shown in fig. 1, the present embodiment provides a vehicle-mounted ad hoc network secure communication system based on NTRU grid cryptosystem, which includes a key generation module, a message signature module, a message encryption module, a message decryption module, a message verification module, an identity authentication module, a key exchange module, a pseudo-random number generator, and a certificate management module CA;
the key generation module is used for generating a public key and a private key pair of a communication node in the vehicle-mounted ad hoc network, generating the public key and the private key pair of each communication node (namely a vehicle) by adopting an NTRU grid cryptosystem, and issuing and managing the public key through the certificate management module CA;
In the invention, in the process of generating the NTRU cryptosystem secret key, firstly, proper NTRU parameters (such as the degree of a polynomial, a modulus and the like) are selected according to the requirement of a vehicle-mounted ad hoc network, and a public key and a private key pair are generated according to the parameters.
In order to ensure the high efficiency and the safety of the vehicle-mounted ad hoc network, reduce the calculation overhead and improve the efficiency, the embodiment adopts an optimized NTRU key generation algorithm, which specifically comprises the following steps:
And selecting proper parameters, namely selecting parameters of the NTRU algorithm, such as polynomial degree and modulus, according to the safety requirement of the vehicle-mounted communication system. These parameters should ensure the security of the key generation while keeping the calculation process in line with the low computational resource requirements of the on-board network node.
In this embodiment, the public key and the private key are generated by selecting two random processesPolynomial of degreeAndGenerating a key, using an extended Euclidean algorithm pairInversion is not performedThe polynomial is re-selected based on the inverse of the polynomial;AndRespectively areIn-mold dieSum dieThe lower multiplication inverse, i.eCalculating,Is a temporary random polynomial generated by a pseudo-random number generator,E L (L is a sparse polynomial set with all times smaller than N and coefficient absolute value not exceeding a set threshold, namely a random polynomial set) is used for generating a public key, and after being combined with a current timestamp T, a value for calculating the public key is generated to obtain the public key asThe private key is;
Wherein, theAndIs the modulus in the NTRU encryption process,The value of (2) to (5) ensures the irreversibility of the polynomial operation,The value of (2) is 2048-q-4096, q >6p is satisfied, decryption errors are prevented,Representing the public key polynomial of the formula,Is the sign of modulo arithmetic; is a polynomial convolution operator symbol,The value range is 509-N-1277, preferably N-677, and meets NIST post quantum security Level 3 standard.
In this embodiment, the private key is a random polynomial generated based on NTRU lattice cryptosystem, its coefficient is randomly selected from { -1,0,1} by a pseudo-random number generator conforming to ANSI X9.17 standard, and its reversibility under mode p and mode q is verified by an extended euclidean algorithm to ensure quantum security, when communicating with other nodes, the generated private key is used to sign a message, and the public key is used to verify the signature, by this way, the nodes can mutually authenticate each other, ensure validity of identity of the other party, and prevent identity forging.
The message signing module is used for ensuring the integrity and non-tamper property of the message in the transmission process, and the sender signs by utilizing a private key of the sender and a random polynomial dynamically generated by a pseudo-random number generator based on an NTRU grid cryptosystem to generate a signature polynomial;
Specifically, the NTRU parameters are initialized firstly, polynomial degree N-1 (the value range is prime number meeting the post quantum security standard, and is recommended to 509 to 1277), modulus p (small prime number is selected, and the range is2 to 5) and q (large prime number is selected, and q >6p is met, and the range is 2048 to 4096), and the private key is a randomly generated polynomial, the coefficient of which is selected from { -1, 0, 1} and passes the reversibility verification of the modulus p and q.
The signature generation stage is to hash the message to be signed to generate a message abstractThen, combining a temporary random polynomial dynamically generated by a pseudo random number generator (adopting triple DES encryption protection seeds) conforming to ANSI X9.17 standard, and generating a unique signature polynomial through NTRU polynomial convolution operation and modular operation,, wherein,For the sender private key polynomial,In order to be a hash value of a message,A temporary random polynomial dynamically generated for the sender,∈L,As the current time stamp is to be used,Modulus in encryption for NTRU, checkingWhether or not the coefficient range of (2) is withinAnd if not, performing die adjustment.
The embodiment can ensure that each time signature is unpredictable due to dynamic change of random polynomials, signature data is bound with an original message and then transmitted to a message encryption module.
The message encrypting module obtains the public key of the receiver through the certificate management module CA, encodes the message to be sent into a message polynomial conforming to the NTRU grid cryptosystem, and randomly selects a temporarily generated random polynomialEncrypting the message to be transmitted containing the signature data by combining the public key of the receiver to form a final ciphertext;
specifically, the original message is converted into a message with a number of times smaller thanPolynomial m (the value range is prime number meeting the post quantum security standard, usually 509 to 1277), the coefficient range is [ - (p-1)/2, (p-1)/2 ], that is, the absolute value of the coefficient is not more than (p-1)/2, p is small modulus, the value range is 2 to 5, and during encryption, a random polynomial is selected from a random polynomial set L(The coefficients are selected from { -1, 0, 1 }), L is a sparse polynomial set with all degree smaller than N and coefficient absolute value not exceeding a set threshold (generally ksparse is 1 or 2), then, the receiver public key polynomial h (polynomial with degree N-1) is combined, and the result is obtained by polynomial convolution operation (sign) Sum-modulo operation to generate ciphertextWherein q is a large modulus (range 2048 to 4096), q >6p,Representing a hash operation and,As the current time stamp is to be used,∈L,Representing the encoded message polynomial, ciphertextIs adjusted to be within the range of [ -q/2, q/2).
In this embodiment, the generated ciphertext is transmitted through the vehicle-mounted network, the receiver can decrypt and verify based on the private key thereof, the whole process relies on lightweight polynomial operation, compared with the traditional scheme relying on elliptic curve scalar multiplication, the calculation cost is obviously reduced, and meanwhile, the balance of safety and efficiency is ensured through dynamic parameter selection and quantum resistance design.
The message decryption module, the receiver uses its own private key and the inverse element of its modulo pFor received ciphertextDecrypting and recovering the plaintext;
specifically, the receiving party receives the ciphertextAfterwards, the private key f (coefficients are randomly generated from { -1, 0, 1} and verified by the reversibility of modulo p and q) and the inverse of modulo p thereof are usedDecrypting and calculating an intermediate resultAnd adjusting the coefficients to (-q/2, q/2) range, and performing modulo p operation on a to obtainBy inverse elementRecovering plaintext, decrypting the message polynomialWherein M is a decrypted message polynomial, a and b are intermediate calculated values,A temporary random polynomial dynamically generated for the receiver,E, L, enhancing randomness in the decryption process,For the current timestamp, a random polynomial is combinedThe uniqueness of each decryption is increased, and replay attack is prevented;
The message verification module, the receiver acquires the public key of the sender through the certificate management module CA, and uses the public key of the sender to carry out integrity verification on the decrypted data, firstly, the hash value and the random polynomial are recovered through signature verification operation, and then the decrypted message polynomial is obtainedThe method comprises the steps of carrying out hash processing, comparing the hash processing with a hash value obtained by signature verification operation, verifying the validity of a random polynomial at the same time, and if the hash value is consistent and the random polynomial is valid, proving that the message is not tampered in the transmission process and is actually sent by a legal sender, and confirming the integrity of the message;
Specifically, the receiver obtains the public key of the sender through the certificate management module, and polynomials are obtained for the decrypted messageAnd (3) carrying out integrity check, verifying the validity of signature data, ensuring that the message is not tampered and the source is legal, and realizing the following steps:
Public key acquisition and parameter initialization, namely acquiring public key polynomial of a sender from a certificate management module(Polynomial degree isWherein, the method comprises the steps of,Prime number range for meeting the post quantum safety standard) Confirm the parameter range of NTRU, small modulusThe value range is as follows: ) Large modulusThe value range is as follows: and meet the following。
Signature data extraction and preprocessing, namely separating signature polynomials from received data;
Signature verification operation using public key polynomial of senderFor signature polynomialsPerforming polynomial convolution and modular operation to recover the hash value and the random polynomial: , representing a polynomial convolution operation (coefficient modulo multiply-accumulate), i.e. splitting the result into recovered hash valuesRandom polynomial。
Integrity comparison and random polynomial verification:
Hash consistency verification of decrypted message polynomialsPerforming a hash operation (algorithm consistent with sender, e.g., SM 3/SHA-256) to generate a local hash valueAnd resume(s)And (5) strict comparison.
And (3) verifying validity of a random polynomial:
Checking random polynomialsWhether the generation of (a) meets ANSI X9.17 standards (based on current timestamp and seed update mechanism);
VerificationWhether the current timestamp of (a) is within a valid window (e.g., ±1 second) to prevent replay attacks.
Verification result processing, ifAnd is also provided withIf the hash value is not matched or the random polynomial is overtime, the message is judged to be tampered or illegally sent, and an exception management module (such as log record and notification of certificate revocation authority PCA) is triggered.
The identity authentication module completes identity authentication of the vehicle-mounted network node through Challenge-response protocol (Challenge-Response Protocol) based on the NTRU (Challenge-response) password, so that identity legitimacy of two communication parties is ensured, namely the two communication parties are authorized devices, and counterfeit identity attack is prevented;
Specifically, the identity authentication module verifies the identity legitimacy of the vehicle-mounted network node (such as a vehicle-end OBU and a road side unit RSU) through a challenge-response protocol based on the NTRU lattice password, ensures that both communication parties are authorized devices, resists disguise attack, and comprises the following implementation steps:
Challenge generation (Verifier → Prover): verifier (Verifier, such as RSU): generation of random challenge polynomialsThe degree of the polynomial is(N is a safety parameter, a value range) The coefficients are randomly selected from a set L (sparse polynomial, coefficient absolute value is less than or equal to k, and ksparse =1 or 2), and a current time stamp T (precision to millisecond) is added to generate challenge dataAnd the time stamp T is synchronously transmitted through a protocol and is sent to the Prover.
Response generation (Prover- & gtverifier) by Prover (proving party, e.g., OBU), verifying the validity of the current timestamp T (e.g., time window + -1 second), discarding the challenge if timeout occurs, and if valid, using the private key f (coefficient selected from { -1, 0, 1}, satisfying the modulusAndReversibility) versus challenge polynomialSigning to generate signature polynomialsWherein, the method comprises the steps of,To challenge polynomialPerforming hash operation; for a dynamic random polynomial generated by a pseudo-random number generator conforming to the ANSI X9.17 PRNG standard,E L, signWith the current timestampCombined into response dataReturns to the Verifier.
Response verification (Verifier) obtaining the Prover public key polynomial from the certificate management ModuleSignature polynomial using public key polynomial h pairPerforming inverse operation to recover the hash value and the random polynomial: computing a local hashAnd resume(s)Strictly comparing and verifying random polynomialTimestamp validity of (in procedure and challenge)And if the hash is consistent and the time stamp is valid, the authentication is passed, otherwise, the authentication is judged to be an illegal node, and the alarm is triggered and the session is terminated.
In this embodiment, the identity authentication module may prevent man-in-the-middle attack through multi-party identity authentication (e.g. OBU, RSU, VSP), and protect the security of the system;
The key exchange module realizes the secure key exchange between the communication nodes in the vehicle-mounted ad hoc network based on the boom protocol, and ensures the security and confidentiality of the key in the communication process. In the key exchange process, both parties ensure the encryption process of the subsequent communication to be protected through exchanging keys. The design of the key exchange protocol improves the efficiency and the safety, and ensures the safety of information transmission no matter what network environment.
Specifically, the key exchange module (based on the boom protocol) realizes the secure key exchange between communication nodes (such as OBU and RSU) in the vehicle-mounted ad hoc network (VANET) through the improved boom key distribution protocol, ensures the generation and distribution of the dynamic session keys among the nodes to meet the requirements of quantum attack resistance and lightweight computation, and comprises the following realization steps:
1. initializing a system:
Parameter definition:
A safety threshold ksecurity (the number of the maximum anti-trapping nodes, the value range is more than or equal to 50 and less than or equal tosecurity and less than or equal to 200);
A finite field GF (q), where q is a large prime number (consistent with NTRU parameters, 2048≤q≤4096);
the matrix dimension D is disclosed (the value is ksecurity +1, i.e. d=ksecurity +1).
Matrix generation:
Generating a D x D symmetric matrix S, wherein elements of the symmetric matrix S are randomly selected from GF (q) to meet reversibility;
A D x D open matrix G is generated, the elements of which are random polynomials (degree < N, coefficient range [ - (p-1)/2, (p-1)/2 ], compatible with NTRU parameters).
2. Private key vector distribution
And (3) node registration:
Each node (such as OBU) is assigned a unique identity(E.g., vehicle MAC address or digital certificate);
Is a nodeCalculating a private key vector:Wherein, the method comprises the steps of,Is a matrixIs the first of (2)Column polynomial vectors.
Private key vector storage:
NodeSecure storage(Polynomial vector of length D), the matrix S is destroyed to prevent leakage.
3. Dynamic key agreement
Session key generation:
When the nodeAnd (3) withWhen communication is needed, the two parties exchange public column vectorsAnd;
NodeComputing a shared key:
NodeComputing a shared key:
Guaranteed by matrix symmetry =As a session key.
In this embodiment, matrix operation of the boom protocol is combined with NTRU polynomial convolution, and the element of the disclosed matrix G is NTRU compatible polynomial (coefficient range [ - (p-1)/2, (p-1)/2 ]), and quantum computing attack is resisted by using the lattice cryptographic characteristics of NTRU. Furthermore, the module may be designed as a dynamic update mechanism, i.e. the disclosure matrix G may be updated periodically (e.g. every 24 hours), preventing long-term key exposure.
The certificate management module (CA) is responsible for the whole life cycle management of public key certificates in a vehicle-mounted ad hoc network (VANET), comprises the steps of certificate generation, distribution, revocation and updating, and combines an NTRU grid cryptosystem to resist quantum computing attack, so as to ensure node identity legitimacy and communication link security, and comprises the following implementation steps:
1. System initialization and parameter configuration
NTRU parameter definition:
Polynomial degree N (prime number meeting post quantum security standard, value range));
Small modulusLarge modulus。
Certificate templates:
The lightweight X.509 certificate format extension is adopted, an NTRU public key polynomial h (the format is a coefficient list, and the range is embedded);
The certificate field contains:
node identification(E.g., vehicle MAC address or VIN code);
Public key polynomial;
Expiration date (dynamic adjustment, default 24 hours);
Issuing authority signature (NTRU-based certificate issuing authority private keyAnd (5) generation).
2. Certificate generation and distribution
And (3) node registration:
generating NTRU key pairs by a new node i (e.g. OBU/RSU);
Submitting a registration request to a Certificate Authority (CA), includingAnd。
Certificate issuance:
after the CA verifies the node identity validity, the private key is usedSigning the certificate content to generate a certificate fileSignature polynomialsWhereinFor a hash operation (hash function),A playback resistant random polynomial generated for a pseudo-random number generator conforming to ANSI X9.17 standard,∈L。
Will beDistributed to nodes and to full network side units (RSUs).
3. Certificate Revocation List (CRL) management
And (3) the trigger condition is cancelled:
node private key disclosure, identity anomalies, or session key negotiation failure exceeds a threshold number.
CRL generation and broadcasting:
The CA periodically generates a revocation list CRL containing the ID of the revoked certificate and the revocation current time stamp, the CRL being in the form of a polynomial code (coefficient range) Broadcasting to the whole network through RSU, updating period is less than or equal to 5 minutes, and adding NTRU signature of CA during broadcasting to ensure list integrity.
4. Certificate updating and collaborative authentication
Periodic updating:
before expiration of the certificate validity period, the CA automatically generates a new certificateThe node verifies the CA signature of the new certificate and then replaces the old certificate without re-registration.
In this embodiment, in the challenge-response protocol, the verifier (e.g., RSU) obtains the public key polynomial of the party through the certificate management moduleAnd checkWhether the certificate is in the latest CRL or not, and if the certificate is valid and the signature verification is passed, judging that the identity is legal.
Further, in this embodiment, the pseudo-random number generator is a pseudo-random number generator conforming to ANSI X9.17 standard, and the ANSI X9.17 pseudo-random number generator adopts triple DES encryption to ensure unpredictability of the random polynomial or the random number, so as to improve security of the random polynomial or the random number.
Example 2:
as shown in fig. 2, the present embodiment provides a vehicle-mounted ad hoc network secure communication method based on NTRU grid cryptosystem, which includes the following steps:
Step 1, generating a public key and a private key pair of a communication node in each vehicle-mounted ad hoc network by utilizing an NTRU grid cryptosystem, issuing the public key of the communication node to the secure communication system of the embodiment 1 by the communication node, managing the public key by a certificate management module CA, and ensuring the validity of the public key by the certificate management module CA in charge of distributing, withdrawing and updating a public key certificate;
In this embodiment, the public key certificate is mainly used for identity authentication to ensure the true identity of the communication entity, and is issued by the certificate management module CA, and binds the true identity (for example, VIN code, that is, unique identification information of the vehicle) of the communication entity with the public key to ensure the credibility of the public key;
Step 2, when the sender needs to send the message, the sender uses the private key to sign the message to be sent, adds a random polynomial generated by a pseudo random number generator (ANSI X9.17 PRNG) in the signing process, completes each signature by using an NTRU signature algorithm, makes each signature unique (even the same message, because some random factors can be added in the signing process, the signature value generated by each signature can be different), sends the generated signature data and the original message to a message encryption module, and the message encryption module sends the public key certificate of the receiver to the CA to code the message to be sent into a message polynomial conforming to the NTRU grid cryptosystem, and randomly selects a temporary polynomialAnd encrypting the message to be sent by using the public key of the receiver, and then transmitting the message with the signature and the encrypted message to the receiver through the vehicle-mounted ad hoc network.
For example, when an on-board unit (OBU) enters a certain area, the on-board unit needs to request traffic signal states and road conditions ahead from a nearby Road Side Unit (RSU), the OBU firstly generates a request message containing information such as position, speed, direction, current time stamp and the like, and uses an NTRU signature algorithm to carry out integrity protection, and simultaneously encrypts the message by using the public key of the RSU to ensure communication safety;
in this embodiment, the OBU and the RSU acquire the public key of the other party by exchanging public key certificates in communication, thereby performing encryption and signature verification.
Step 3, after receiving the message, the receiver first uses its own private key and the inverse element of its modulo pFor received ciphertextDecrypting and recovering plaintext, then requesting the public key certificate of the sender from CA, recovering hash value and random polynomial through signature verification operation, and then carrying out polynomial decoding on the decrypted messageCarrying out hash processing, and comparing the hash processing with a hash value obtained by signature verification operation; if the hash value is consistent and the random polynomial is valid, proving that the message is not tampered in the transmission process and is truly sent by a legal sender, executing the step 4, continuing to process the message, and if the verification fails, rejecting the message;
For example, after the RSU receives the message, it firstly uses its private key to decrypt the message and uses the public key of the OBU to verify the signature, and at the same time checks whether the public key certificate of the OBU is valid or not;
Step 4, identity authentication:
The receiver and the sender complete identity authentication by a challenge-response mode based on NTRU (challenge-response unit) grid passwords, and verify the legitimacy of the identity of the other party to prevent counterfeit identity attack, wherein an authenticatee (such as RSU) can generate a random challenge polynomial, an authenticatee (such as OBU, also called proving party) needs to sign the random challenge polynomial by using a private key of the authenticatee and returns the random challenge polynomial, and the generated signature authenticatee (also called verifying party) can verify by using a public key of the authenticatee to prevent replay attack;
In this embodiment, when the OBU sends an identity authentication request, a pseudonym certificate issued by a Pseudonym Certificate Authority (PCA) is attached, so as to prevent user privacy disclosure, after receiving the identity authentication request, the RSU or VSP first checks whether the pseudonym certificate is issued by the trusted PCA, verifies whether the signature of the pseudonym certificate is correct (verifying that the pseudonym certificate is signed by using the public key of the PCA in the pseudonym certificate), if verification is successful, indicates that the pseudonym certificate is issued by the trusted PCA and is not tampered with), so as to ensure the integrity thereof, then checks the validity period of the pseudonym certificate, and simultaneously checks whether the pseudonym certificate has been revoked, and queries a Certificate Revocation List (CRL) or uses an Online Certificate State Protocol (OCSP), if the pseudonym certificate is signed correctly, unexpired and is not revoked, the RSU or VSP considers the pseudonym certificate to be valid, and continues the next identity authentication process, for example, verifies that the identity authentication is sent otherwise, if verification is successful, indicates that the pseudonym certificate is issued by the PCA and is not tampered by the public key of the PCA, and the VSP further communicates with the OBU and the communication management module if the communication is successful, and the communication is enabled.
It should be noted that identity authentication only occurs during the first communication exchange, and authentication is no longer required during subsequent communication exchanges.
Step 5, carrying out key negotiation through the improved boom key distribution protocol to determine a session key:
in particular, when a nodeAnd (3) withWhen communication is needed, the two parties exchange public column vectorsAndThe preparation method is finished;
NodeComputing a shared key:Node (C)Private key vector of (a)Wherein, the method comprises the steps of,Overt matrix for D x DIs the first of (2)Column polynomial vector, open matrixS is D x D symmetric matrix, its element is randomly selected from GF (q), so as to meet reversibility, q is large prime number, 2048 is less than or equal to q is less than or equal to 4096;
NodeComputing a shared key:;
Guaranteed by matrix symmetry =As a session key;
The matrix operation of the boom protocol is combined with the NTRU polynomial convolution, so that the two parties (OBU and RSU) can safely negotiate a shared session key (the two parties can calculate the same key through encrypted public information) under the condition of not directly sharing the key, and the security risk of directly exchanging the key is avoided;
Step 6, communication:
The receiver (such as RUS) uses its private key to sign NTRU of the response message, encrypts the response message with the session key (shared key) negotiated with the OBU before, and then returns the data to the sender (such as OBU);
If the communication between the OBU and the RSU is stable, the subsequent data exchange can be directly encrypted by using a session key, such as the periodic sending of the position update by the OBU, the feedback of the road congestion condition in front by the RSU, and the like;
If the OBU leaves the coverage area of the RSU, the OBU needs to carry out identity authentication and key negotiation with the new RSU again, so that the communication safety is ensured. In the whole process, the NTRU signature ensures that the message is not repudiated, the certificate management module CA is responsible for identity authentication, and the session key ensures confidentiality of subsequent communication.
Further, in this embodiment, during identity authentication, a multiparty identity authentication (for example OBU, RSU, VSP) is used to prevent man-in-the-middle attacks and protect the security of the system, and in this three-party authentication process, the on-board unit (OBU), the Road Side Unit (RSU) and the service provider (VSP) respectively need to mutually verify the identities of each other;
The OBU firstly sends an identity authentication request to the RSU, and the RSU verifies the certificate of the OBU and confirms the identity of the certificate;
RSU and VSP, RSU makes identity authentication request through VSP, VSP verifies RSU certificate and confirms its identity;
And the OBU and the VSP send an identity authentication request to the VSP through the guidance of the RSU, and the VSP verifies the certificate of the OBU again to ensure the validity of the OBU identity.
The invention introduces the VSP (service provider) as a third party to form a three-party mutual authentication mechanism of the OBU-RSU-VSP, so that the RSU is not just a relay node, but can participate in identity authentication and key negotiation together with the VSP, thereby improving the reliability of authentication and ensuring safer communication between vehicles.
The invention uses an NTRU-boom hybrid architecture to combine a lattice password with a lightweight key distribution protocol to solve the quantum defect of the traditional boom protocol, adopts dynamic security design, generates a random polynomial to strictly follow ANSI X9.17 standard and bind a current time stamp (+ -1 second window) to ensure the uniqueness and playback resistance of each communication, adopts a dynamic session key (each communication update) and a short-term certificate (24-hour forced update) for key management to greatly reduce the key leakage risk, realizes 5-minute update of a Certificate Revocation List (CRL) through fragment broadcasting, realizes the dynamic association of message signature, identity authentication and certificate issuance by binding the current time stamp-random polynomial-hash in a whole network synchronous delay of <1 second, and comprehensively surpasses the prior art in quantum security resistance, real-time performance, dynamic expansibility and resource efficiency.
The invention carries out comprehensive comparison analysis on an RSA signature algorithm (scheme III) based on an elliptic curve cryptosystem (LD 1), an NTRU lattice cryptosystem (LD 2) and a common large prime number decomposition problem, and mainly carries out evaluation on three aspects of security, calculation cost and communication cost. In terms of security, the key lengths of the three signature schemes are compared (in bits), and the result is shown in fig. 3. As can be seen from the four sets of data in fig. 3, the NTRU scheme with a key length of 347 bits is equivalent to the security of the LD1 with 224 bits and the RSA scheme with 2048 bits in terms of security, and shows a difference in key length of different signature algorithms. In terms of calculation cost, the NTRU scheme has the advantages of shorter key and ciphertext length and higher calculation speed, and can more efficiently complete encryption and decryption operations compared with RSA and elliptic curve signature systems. In addition, due to the lower storage space requirement and the smaller transmission bandwidth of the NTRU scheme, the requirement on system hardware resources is reduced, so that the NTRU scheme is more suitable for being applied in an environment with lower requirements on processor speed and network bandwidth.
The operation efficiency of the above three signature schemes is shown in fig. 4. As can be seen from the data of fig. 4, there is a significant difference in the operational efficiency of the three signature schemes. In LD1, 160 rational scalar multiplication operations are required to be performed when encryption and decryption are performed based on an elliptic curve cryptosystem. In contrast, LD2 based on NTRU algorithm involves only addition, multiplication, and modulo operation of small integers, and thus LD2 performs one convolution operation and two convolution operations, respectively, in the encryption and decryption processes. As for scheme three, it relies on the large prime problem, and 17 and 1000 modular multiplication operations are required to perform encryption and decryption, respectively. It can be seen that, under the same security level, the calculation speed of LD2 is significantly faster than the other two public key systems, and the calculation costs of the three schemes are shown in table 1.
Table 1 computational overhead for three schemes
| Scheme for the production of a semiconductor device | Key generation (ms) | Encryption (ms) | Decryption (ms) | Total time (ms) |
| Scheme III | 4.07 | 248.21 | 4.012 | 256.29 |
| LD1 | 0.27 | 9.119 | 10.472 | 9.389 |
| LD2 | 0.014 | 0.829 | 0.952 | 1.795 |
In general, LD2 is superior to LD1 in terms of key generation and encryption and decryption speeds, and its overall operating speed is about 5.23 times faster than LD1, but about 142.84 times faster than scheme three. This shows that LD2 not only meets the same criteria in terms of security, but also has significant advantages in terms of computational efficiency, especially for scenes that require efficient processing.
According to the invention, through optimizing the NTRU signature algorithm, the calculation cost is effectively reduced, the signature generation and verification efficiency is improved, the requirements of the vehicle-mounted ad hoc network on instantaneity and high efficiency are met, and the method can stably operate in a complex network environment.
The foregoing description of the invention has been presented for purposes of illustration and description, and is not intended to be limiting. Several simple deductions, modifications or substitutions may also be made by a person skilled in the art to which the invention pertains, based on the idea of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.