CN101217362B

CN101217362B - An RFID Communication Security Mechanism Based on Dynamic Randomized DRNTRU Public Key Encryption System

Info

Publication number: CN101217362B
Application number: CN2007100330251A
Authority: CN
Inventors: 詹宜巨; 蔡庆玲
Original assignee: Sun Yat Sen University
Current assignee: Sun Yat Sen University
Priority date: 2007-12-29
Filing date: 2007-12-29
Publication date: 2010-04-21
Anticipated expiration: 2027-12-29
Also published as: CN101217362A

Abstract

The invention discloses an RFID communication security mechanism established based on a dynamic randomized DRNTRU (Dynamic, Randomized Number Theory Research Unit) public key encryption system. The RFID system communication security mechanism established by using the dynamic randomization DRNTRU public key encryption system proposed by the present invention can not only effectively solve the security problem of the RFID system, but also the method is novel, simple and easy to implement, and does not need to exhaustively search for keys and labels Code TID (Tag Identifier), does not require key synchronization, only one-way authentication is required, it is very suitable for RFID systems that only have limited resources and require high-speed response.

Description

An RFID Communication Security Mechanism Based on Dynamic Randomized DRNTRU Public Key Encryption System

技术领域 technical field

本发明属于通信技术领域，特别适合射频标签识别技术。The invention belongs to the technical field of communication, and is particularly suitable for the identification technology of radio frequency tags.

背景技术 Background technique

随着RFID(无线射频识别)的广泛应用，RFID系统的安全问题也日益突出，RFID系统存在的主要安全问题有保密性问题、流量分析及可跟踪性、个人隐私泄漏问题，这些问题已经严重地阻碍了RFID的进一步发展，成为RFID系统发展的急待解决的关键问题之一。因而，也已吸引了业界众多网络安全学者的关注和投入，并已提出了各种解决方案和策略，如使用哈希函数、对称密钥等等，系统需要服务器在后端数据库中穷尽搜索标签的标识码TID及密钥，部分系统更需要服务器和标签两端的密钥同步，而维持服务器和标签两端密钥同步的算法极其复杂难以实现，因而均需耗费系统的大量资源如执行时间和存储空间，并不适合要求高速响应又仅具有有限资源的RFID系统使用。至今，业界仍未能提出一个安全、高效、实用、低成本的适合RFID系统通信安全问题的解决方案。本发明在RFID系统安全领域首次提出了动态随机化DRNTRU(Dynamic，RandomizedNumberTheoryResearchUnit)公钥加密系统，提出以NTRU公钥加密系统为基础，将随机化参数引入该算法，使其成为动态的、随机化的DRTRUN公钥密码体制，并将其应用到RFID系统。使用动态随机化DRNTRU公钥加密系统建立的RFID系统通信安全机制不仅有效地解决了RFID系统通信的安全问题，而且具有新颖、简单、易于实现，不需要密钥穷尽搜索，不需要密钥同步，非常适用于拥有有限资源的RFID系统。With the widespread application of RFID (Radio Frequency Identification), the security issues of RFID systems are becoming more and more prominent. The main security issues in RFID systems include confidentiality, traffic analysis and traceability, and personal privacy leakage. These issues have been seriously It hinders the further development of RFID and becomes one of the key problems to be solved urgently in the development of RFID system. Therefore, it has also attracted the attention and investment of many network security scholars in the industry, and various solutions and strategies have been proposed, such as using hash functions, symmetric keys, etc. The system requires the server to exhaustively search for tags in the back-end database. The identification code TID and key of the tag, some systems need the key synchronization between the server and the tag, and the algorithm to maintain the key synchronization between the server and the tag is extremely complicated and difficult to implement, so it will consume a lot of resources of the system, such as execution time and The storage space is not suitable for RFID systems that require high-speed response and only have limited resources. So far, the industry has still failed to propose a safe, efficient, practical, and low-cost solution to the communication security problem of RFID systems. The present invention proposes a dynamic randomized DRNTRU (Dynamic, Randomized Number Theory Research Unit) public key encryption system for the first time in the field of RFID system security, and proposes to introduce randomization parameters into the algorithm based on the NTRU public key encryption system to make it dynamic and randomized. The DRTRUN public key cryptosystem and apply it to RFID system. The RFID system communication security mechanism established by using the dynamic randomized DRNTRU public key encryption system not only effectively solves the security problem of RFID system communication, but also has the characteristics of novelty, simplicity, and easy implementation. It does not require exhaustive key search and key synchronization. Ideal for RFID systems with limited resources.

发明内容 Contents of the invention

本发明的目的是提供一种基于动态随机化DRNTRU公钥加密系统建立的RFID通信安全机制，该方案可满足中等级以及高等级射频识别(RFID)技术中读写器(Reader)与标签(Tag)之间的无线通信的安全机制的要求。The purpose of the present invention is to provide a kind of RFID communication security mechanism based on dynamic randomization DRNTRU public key encryption system establishment, and this scheme can satisfy the reader (Reader) and label (Tag) in the mid-level and high-level radio frequency identification (RFID) technology. ) The requirements for the security mechanism of the wireless communication between.

为达上述目的，本发明通过采取以下技术方案予以实现：In order to achieve the above object, the present invention is achieved by taking the following technical solutions:

一种基于动态随机化DRNTRU公钥加密系统建立的RFID通信安全机制，其特征是RFID系统初始时，由服务器使用动态随机化DRNTRU公钥加密系统生成公钥h_key和私钥(f_key，F_p)，并为每一个标签分配一个唯一的标识码TID，服务器将标识码TID以及贴有该标签的物品的相关信息同时存储于标签和后端数据库，将公钥h_key和私钥(f_key，F_p)分别存储于标签和后端数据库，RFID系统的通信认证协议步骤如下：A kind of RFID communication security mechanism based on the dynamic randomization DRNTRU public key encryption system, it is characterized in that when the RFID system is initial, the server uses the dynamic randomization DRNTRU public key encryption system to generate the public key h _key and the private key (f _key , F _p ), and assign a unique identification code TID to each tag, the server will store the identification code TID and the relevant information of the item with the tag in the tag and the back-end database at the same time, and store the public key h _key and private key (f _key , F _p ) are stored in the label and the back-end database respectively, and the communication authentication protocol steps of the RFID system are as follows:

(1)读写器(Reader)→标签(Tag)：读写器从多项式集合L_m中选取一随机数R_r，并向标签发送认证请求Query，同时将R_r发送给标签；(1) Reader (Reader)→Tag (Tag): The reader selects a random number R _r from the polynomial set L _m , sends an authentication request Query to the tag, and sends R _r to the tag at the same time;

(2)标签(Tag)→读写器(Reader)→服务器(Server)：标签接到读写器发来的认证请求(Query，R_r)后，首先也从多项式集合L_m中选取一随机数R_t计算出

再从多项式集合L_ω中选取一随机数ω，利用公钥h_key对C进行加密运算然后将(PID，R_t)发送给读写器，读写器再将(PID，R_t，R_r)转发给服务器；(2) Tag (Tag) → Reader (Reader) → Server (Server): After the tag receives the authentication request (Query, R _r ) sent by the reader, it first selects a random number from the polynomial set L _m The number R _t is calculated from

Then select a random number ω from the polynomial set L _ω , and use the public key h _key to encrypt C Then send (PID, R _t ) to the reader, and the reader forwards (PID, R _t , R _r ) to the server;

(3)服务器(Server)：服务器收到(PID，R_t，R_r)后，首先利用私钥(f_key，F_p)，对PID进行解码运算：

和

获得C，因为

对C进行R₁＝Z||C，再对读写器转发来的(R_t，R_r)进行

然后将两者进行异或运算：

如果结果为0，则认证通过，再截取g(C，0，63)，即可得到标识码TID；否则，认证失败，拒绝接受标识码TID并停止操作。(3) Server (Server): After receiving (PID, R _t , R _r ), the server first uses the private key (f _key , F _p ) to decode the PID:

and

get a C because

Perform R ₁ =Z||C on C, and then perform the (R _t , R _r ) forwarded by the reader

Then XOR the two together:

If the result is 0, the authentication is passed, and then g(C, 0, 63) is intercepted to obtain the identification code TID; otherwise, the authentication fails, the identification code TID is rejected and the operation is stopped.

本发明所述的动态随机化DRNTRU公钥加密系统以NTRU公钥加密系统为基础，将随机化参数R_r，R_t引入NTRU加密系统，具体方法是对原有加密算法的明文m进行修改处理，将其进行

变换，即可将随机化参数R_r，R_t引入NTRU加密系统，使NTRU加密系统成为动态随机化DRNTRU公钥加密系统。令：ID，R_r，R_t∈L_m，ω∈L_ω，选择NTRU的参数p＝3，则L_m{m∈R：m的系数在[-1，1]区间}，标识码TID为64bits的二进制数，用ID表示，仅占用ID的[ID₀，ID₁，...，ID₆₃]，其余的[ID₆₄，ID₆₅，...，ID_N-1]用于传输随机数R_r，R_t，定义：令v，u，w∈L_m，将v，u，w用向量表示，其长度为N，The dynamic randomized DRNTRU public key encryption system of the present invention is based on the NTRU public key encryption system, and the randomization parameters R _r and R _t are introduced into the NTRU encryption system. The specific method is to modify the original encryption algorithm The plaintext m of is modified, and it is

Transformation, the randomization parameters R _r , R _t can be introduced into the NTRU encryption system, making the NTRU encryption system a dynamic randomized DRNTRU public key encryption system. Order: ID, R _r , R _t ∈ L _m , ω ∈ L _ω , select NTRU parameter p=3, then L _m {m ∈ R: the coefficient of m is in the interval [-1, 1]}, the identification code TID It is a binary number of 64bits, represented by ID, only occupies ID [ID ₀ , ID ₁ , ..., ID ₆₃ ], and the rest [ID ₆₄ , ID ₆₅ , ..., ID _N-1 ] is used for transmission Random number R _r , R _t , definition: Let v, u, w∈L _m , express v, u, w with vector, its length is N,

v＝[v₀，v₁，...，v₆₃，v₆₄，v₆₅，...，v_N-1]，v=[v ₀ , v ₁ , . . . , v ₆₃ , v ₆₄ , v ₆₅ , . . . , v _N-1 ],

u＝[u₀，u₁，...，u₆₃，u₆₄，u₆₅，...，u_N-1]，u=[u ₀ , u ₁ , . . . , u ₆₃ , u ₆₄ , u ₆₅ , . . . , u _N-1 ],

w＝[w₀，w₁，...，w₆₃，w₆₄，w₆₅，...，w_N-1]，w=[w ₀ , w ₁ , . . . , w ₆₃ , w ₆₄ , w ₆₅ , . . . , w _N-1 ],

||联接运算：w＝v||u＝[v₀，v₁，...，v₆₃，u₆₄，u₆₅，...，u_N-1]，||Join operation: w=v||u=[v ₀ , v ₁ ,..., v ₆₃ , u ₆₄ , u ₆₅ ,..., u _N-1 ],

g(w，i，j)截取运算：g(w，i，j)＝[w_i，w_i+1，...，w_j]。g(w, i, j) interception operation: g(w, i, j)=[w _i , w _i+1 , . . . , w _j ].

本发明的特点是：The features of the present invention are:

1.首次提出了动态随机化DRNTRU公钥加密系统。由于RFID系统对安全问题如防跟踪，防流量分析，隐私保护等有着特殊要求，现有的NTRU公钥加密系统无法实现RFID系统的防跟踪，防流量分析，隐私保护等安全防护的特殊需要，必须使NTRU公钥加密系统具有动态、随机变化的功能。本方案以NTRU公钥加密系统为基础，将随机化参数引入该加密算法，使其成为具有动态、随机变化功能的一种新的公钥加密系统——动态随机化DRNTRU公钥加密系统。本加密方法不仅具有NTRU公钥加密系统的密钥产生容易，加密、解密迅速，密钥短及安全性能高，对带宽、处理器、存储器的性能要求低占用系统资源少等特点，而且又具有动态及随机变化的新功能。1. The dynamic randomization DRNTRU public key encryption system is proposed for the first time. Since the RFID system has special requirements for security issues such as anti-tracking, anti-traffic analysis, and privacy protection, the existing NTRU public key encryption system cannot meet the special needs of anti-tracking, anti-traffic analysis, and privacy protection for the RFID system. The NTRU public key encryption system must have the function of dynamic and random changes. This scheme is based on the NTRU public key encryption system, and introduces randomization parameters into the encryption algorithm, making it a new public key encryption system with dynamic and random changing functions - dynamic randomization DRNTRU public key encryption system. This encryption method not only has the characteristics of easy key generation of NTRU public key encryption system, rapid encryption and decryption, short key and high security performance, low performance requirements for bandwidth, processor and memory, and less system resource occupation, but also has the advantages of New features that change dynamically and randomly.

2.首次提出使用动态随机化DRNTRU公钥加密系统建立RFID系统的安全机制，将该动态随机化DRNTRU公钥加密系统应用于RFID系统，由此建立的RFID系统通信安全机制，可以有效地解决RFID系统所具有的特殊的安全问题。此外，本方案实现了RFID系统通信协议的单向认证，与双向认证相比单向认证更加简单、快速，更适合要求高速响应的RFID系统使用。由于本方法仅利用DRNTRU加密算法中的明文m就实现了ID和的同时传输，减少了传输时间，降低了带宽。整个系统只使用一对公钥和私钥，不需要在后端数据库穷尽搜索密钥，不需要密钥同步，减少了复杂的密钥存储和密钥管理系统，节省了系统大量的时间和空间。因为仅有服务器才拥有私钥，才能够解开个标签的密文信息，因而只需对标签进行单向认证。又因为服务器通过认证、解密即可直接获得加密标识码TID，因而不需要在后端数据库中穷尽搜索标识码TID，易于在要求高速、又仅具有有限资源的RFID系统的标签中实施。2. For the first time, it is proposed to use the dynamic randomized DRNTRU public key encryption system to establish the security mechanism of the RFID system, and apply the dynamic randomized DRNTRU public key encryption system to the RFID system. The RFID system communication security mechanism thus established can effectively solve the problem of RFID Special security issues that the system has. In addition, this scheme realizes the one-way authentication of the communication protocol of the RFID system. Compared with the two-way authentication, the one-way authentication is simpler and faster, and is more suitable for the RFID system that requires high-speed response. Since this method only uses the plaintext m in the DRNTRU encryption algorithm to realize the ID and Simultaneous transmission reduces transmission time and reduces bandwidth. The whole system only uses a pair of public key and private key, no need to exhaustively search the key in the back-end database, no need for key synchronization, which reduces the complexity of key storage and key management systems, saving a lot of time and space in the system . Because only the server has the private key, it can unlock the ciphertext information of a tag, so only one-way authentication is required for the tag. And because the server can directly obtain the encrypted identification code TID through authentication and decryption, there is no need to exhaustively search the identification code TID in the back-end database, and it is easy to implement in tags of RFID systems that require high speed and only have limited resources.

本发明的有益效果是：The beneficial effects of the present invention are:

采用本发明提出的动态随机化DRNTRU公钥加密系统建立的RFID系统通信安全机制，整个系统只需要一对公钥和私钥，所有的标签都使用公钥加密，服务器都使用私钥解密，使用DRNTRU公钥加密系统对ID(TID)进行加密每次产生的密文PID都是动态随机变化的，因而能够有效地抵御流量分析和跟踪等攻击，又由于每个标识码TID不同，使用DRNTRU公钥进行加密后通信中的ID都以变化的密文传输PID，所以能确保每一个标签，每次认证读取的PID信息都不相同，故可以实现传输信息的保密，抵抗拒绝服务攻击、重放攻击、主动攻击等，满足了RFID系统通信安全机制的特殊要求。Using the RFID system communication security mechanism established by the dynamic randomized DRNTRU public key encryption system proposed by the present invention, the entire system only needs a pair of public key and private key, all tags are encrypted with the public key, and the server uses the private key to decrypt. The DRNTRU public key encryption system encrypts the ID (TID) and the ciphertext PID generated each time is dynamically and randomly changed, so it can effectively resist traffic analysis and tracking attacks, and because each identification code TID is different, using DRNTRU public key After encrypted with the key, the ID in the communication transmits the PID in a changing ciphertext, so it can ensure that the PID information read by each label and each authentication is different, so the confidentiality of the transmitted information can be realized, and the denial of service attack, re- Unleash attacks, active attacks, etc., to meet the special requirements of the RFID system communication security mechanism.

采用本发明提出的动态随机化DRNTRU公钥加密系统建立的RFID系统通信安全机制，可以有效地解决RFID系统可以实现传输信息的保密，抵抗拒绝服务攻击、重放攻击，主动攻击，抵抗流量分析和跟踪等攻击，并且不需要穷尽搜索密钥及标签TID，不需要密钥更新，密钥存储和管理简单，具有新颖，简单易于实现，因此，本发明在有效解决了RFID系统通信安全问题的同时又具有响应速度快、所需资源少、易于实现等特点，非常适合于用于建立RFID系统通信安全机制。The RFID system communication security mechanism established by the dynamic randomized DRNTRU public key encryption system proposed by the present invention can effectively solve the problem that the RFID system can realize the confidentiality of transmission information, resist denial of service attacks, replay attacks, active attacks, and resist traffic analysis and Attacks such as tracking, and do not need to exhaustively search the key and tag TID, do not need to update the key, the key storage and management are simple, novel, simple and easy to implement, therefore, the present invention effectively solves the communication security problem of the RFID system at the same time It also has the characteristics of fast response speed, less required resources, and easy implementation, and is very suitable for establishing a communication security mechanism for RFID systems.

下表列出现有安全协议与本发明的安全协议的安全性能比较。The table below lists the security performance comparison between the existing security protocol and the security protocol of the present invention.

表1各种方法的安全性能比较Table 1 Comparison of security performance of various methods

附图说明 Description of drawings

图1为本发明所述的RFID系统的通信认证协议示意图。Fig. 1 is a schematic diagram of the communication authentication protocol of the RFID system according to the present invention.

具体实施方式 Detailed ways

一、建立动态随机化DRNTRU公钥加密系统1. Establish a dynamic randomized DRNTRU public key encryption system

1NTRU公钥加密系统1NTRU public key encryption system

NTRU公钥加密系统的加密使用基于多项式代数和对数p和q归约模的混合系统，而解密使用基于概率论的非混合系统。NTRU的安全性基于多项式、不同模混合运算的相互作用及基于数论中从一个非常大的维数格中寻找极短向量的数学难题。由于该算法只使用了简单的模乘和模求逆运算，因而它具有密钥产生容易，加密、解密迅速，密钥短及安全性能高，对带宽、处理器、存储器的性能要求低占用系统资源少等特点，NTRU在密码学领域中引起了极大的关注，并得到了迅速发展与完善，在实际应用中取得了良好的效果。The encryption of the NTRU public key encryption system uses a hybrid system based on polynomial algebra and logarithmic p and q reduction modulus, while decryption uses a non-hybrid system based on probability theory. The security of NTRU is based on the interaction of polynomials, mixed operations of different moduli, and the mathematical problem of finding extremely short vectors from a very large dimensional lattice in number theory. Since the algorithm only uses simple modular multiplication and modular inversion operations, it has the advantages of easy key generation, fast encryption and decryption, short key and high security performance, and low performance requirements for bandwidth, processor, and memory. Occupy the system With few resources and other characteristics, NTRU has attracted great attention in the field of cryptography, and has been developed and improved rapidly, and has achieved good results in practical applications.

一个NTRU公钥加密系统建立在三个整数参数(N，p，q)和四个整系数的最高次系数为N-1的多项式集合L_f，L_g，L_ω，L_m之上。p，q不必为素数，但要求gcd(p，q)＝1，并且q远大于p。NTRU建立于整系数多项式环R＝Y[X]/(X^M-1)上，一个元素A∈R可以表示成一个多项式或一个向量：

An NTRU public-key encryption system is based on three integer parameters (N, p, q) and four polynomial sets L _f , L _g , L _ω , L _m whose highest order coefficient is N-1. p and q are not necessarily prime numbers, but gcd(p, q)=1 is required, and q is far greater than p. NTRU is built on the integer coefficient polynomial ring R=Y[X]/(X ^M -1), an element A∈R can be expressed as a polynomial or a vector:

用

来表示环R上的乘法，这个乘法可以表示为一个循环卷积：

use

To represent the multiplication on the ring R, this multiplication can be expressed as a circular convolution:

${C C}_{k k} = = {Σ Σ}_{i i = = 00}^{k k} {A A}_{i i} {B B}_{k k - - i i} + + {Σ Σ}_{i i = = k k + + 11}^{N N - - 11} {A A}_{i i} {B B}_{N N + + k k - - i i} = = \underset{i i + + j j &equiv; &equiv; k k ((mod mod N N))}{Σ Σ} {A A}_{i i} {B B}_{j j}$

其中多项式集合L_f，L_g，L_ω，L_m满足如下要求：L_m＝{m∈R：m的系数位于区间[-(p-1)/2，(p-1)/2]}Among them, the polynomial set L _f , L _g , L _ω , and L _m meet the following requirements: L _m = {m∈R: the coefficient of m is located in the interval [-(p-1)/2, (p-1)/2]}

定义：L(d₁，d₂)＝{F∈R：F有d₁个系数为1，d₂个系数为-1，其余系数为0}，再选择三个正整数d_f，d_g，d_ω，设多项式集合L_f，L_g，L_ω分别满足：L_f＝L(d_f，d_f-1)，L_g＝L(d_g，d_g)，L_ω＝L(d_ω，d_ω)Definition: L(d ₁ , d ₂ )={F∈R: F has d ₁ coefficient as 1, d ₂ coefficients as -1, and the remaining coefficients as 0}, and then select three positive integers d _f , d _g , d _ω , let the polynomial sets L _f , L _g , L _ω respectively satisfy: L _f ＝L(d _f , d _f -1), L _g ＝L(d _g , d _g ), L _ω ＝L(d _ω ，d _ω )

1.1密钥生成1.1 Key Generation

NTRU公钥加密系统在生成密钥时，首先随机地选择两个多项式f_key∈L_f，g∈L_g。要求f_key关于模p和模q的逆F_p，F_q都存在，也即满足：

其中F_p和F_q可以使用扩展的欧几里德算法来计算。然后计算公钥：

多项式h_key就是NTRU公钥加密系统的公钥，而多项式f_key即为NTRU的私钥，同时将F_p与f_key一起保存，共同用作私钥。When the NTRU public key encryption system generates a key, it first randomly selects two polynomials f _key ∈ L _f , g ∈ L _g . It is required that the inverse F _p and F _q of f _key with respect to modulus p and modulus q both exist, that is to say, satisfy:

where F _p and F _q can be calculated using the extended Euclidean algorithm. Then calculate the public key:

The polynomial h _key is the public key of the NTRU public key encryption system, and the polynomial f _key is the private key of NTRU. At the same time, F _p and f _key are stored together as the private key.

1.2加密1.2 encryption

在通信时，假设发送方S要发给接受方R一个消息m，S首先从明文集L_m中选择要发送的消息m。然后再从L_ω中随机选择一个多项式ω，并用R的公钥h_key计算：

e就是S发给R的密文。During communication, assuming that the sender S wants to send a message m to the receiver R, S first selects the message m to be sent from the plaintext set L _m . Then randomly select a polynomial ω from L _ω , and use R's public key h _key to calculate:

e is the ciphertext sent by S to R.

1.3解密1.3 Decryption

当接收方R收到S发来的密文消息e后，R用自己的私钥(f_key，F_p)对其进行解密。R首先要计算：在[-q/2，q/2]内选择a的系数，再对a进行

计算，即可重新得到S发来的明文m。When the receiver R receives the ciphertext message e sent by S, R uses its own private key (f _key , F _p ) to decrypt it. R first has to calculate: Select the coefficient of a in [-q/2, q/2], and then perform a

By calculating, the plaintext m sent by S can be obtained again.

其中解密原理为：The decryption principle is:

$a a &equiv; &equiv; {f f}_{key key} &CircleTimes; &CircleTimes; e e &equiv; &equiv; {f f}_{key key} &CircleTimes; &CircleTimes; pω pω &CircleTimes; &CircleTimes; {h h}_{key key} + + {f f}_{key key} &CircleTimes; &CircleTimes; m m ((mod mod q q))$

$= f_{key} &CircleTimes; pω &CircleTimes; F_{q} &CircleTimes; g + f_{key} &CircleTimes; m (\mod q)$ (∵ $h_{key} &equiv; F_{q} &CircleTimes; g (\mod q)$ ) $= f_{key} &CircleTimes; pω &CircleTimes; f_{q} &CircleTimes; g + f_{key} &CircleTimes; m (\mod q)$ (∵ $h_{key} &equiv; f_{q} &CircleTimes; g (\mod q)$ )

$= pω &CircleTimes; g + f_{key} &CircleTimes; m (\mod q)$ (∵ $F_{p} &CircleTimes; f_{key} &equiv; 1 (\mod p)$ ) $= pω &CircleTimes; g + f_{key} &CircleTimes; m (\mod q)$ (∵ $f_{p} &CircleTimes; f_{key} &equiv; 1 (\mod p)$ )

考虑最后一个多项式

由于对NTRU参数选择地严格限制，几乎总是可以保证它的所有系数都在[-q/2，q/2]内，所以对它的系数进行模q后，多项式仍然保持不变，因而也就恢复了原多项式：

再把a模p后就得到了多项式

再与F_p相乘，就又重新得到了消息m。Consider the last polynomial

Due to the strict restrictions on the selection of NTRU parameters, it can almost always be guaranteed that all its coefficients are in [-q/2, q/2], so after modulo q on its coefficients, the polynomial remains unchanged, and thus The original polynomial is restored:

Then modulo a to p to get the polynomial

Multiplying it with F _p again gives the message m again.

2动态随机化DRNTRU公钥加密系统2 Dynamic randomization DRNTRU public key encryption system

由于RFID系统的安全机制除了要求能够实现传输信息的保密，抵抗拒绝服务、重放信息等攻击外、还必须能够抵御流量分析、跟踪攻击、解决隐私等RFID系统的特殊安全问题。因而必须确保每个标签在每次认证中所读取的标识码TID信息不仅要以密文进行通信传输，而且还要以动态、随机变化的密文传输。在NTRU公钥加密系统中，由加密公式

可知：当对一个固定的消息m加密后得到的密文都始终相同，因而无法满足RFID系统的安全要求，必须使其具备动态、随机变化功能，因而本发明以NTRU公钥加密系统为基础，将随机化参数引入该算法，使NTRU算法成为具有动态的、随机变化能力的动态随机化DRNTRU公钥加密系统。Since the security mechanism of the RFID system not only requires the confidentiality of the transmitted information, but also resists attacks such as denial of service and replaying information, it must also be able to resist traffic analysis, tracking attacks, and solve special security issues of the RFID system such as privacy. Therefore, it must be ensured that the identification code TID information read by each tag in each authentication must not only be communicated in ciphertext, but also be transmitted in dynamic and randomly changing ciphertext. In the NTRU public key encryption system, by the encryption formula

It can be seen that the ciphertext obtained after encrypting a fixed message m is always the same, so it cannot meet the security requirements of the RFID system, and it must be equipped with dynamic and random changing functions. Therefore, the present invention is based on the NTRU public key encryption system. The randomization parameters are introduced into the algorithm, so that the NTRU algorithm becomes a dynamic randomized DRNTRU public key encryption system with the ability of dynamic and random changes.

在本发明中，令：ID，R_r，R_t，Z∈L_m，ω∈L_ω，为了便于说明，在此使用ID，R_r，R_t，Z的向量表示形式。选择NTRU的参数p＝3，则L_m{m∈R：m的系数在[-1，1]区间}，标识码TID为64bits的二进制数，可用ID表示，由于标识码TID为64bits，因而其仅占用ID的[ID₀，ID₁，...，ID₆₃]，其余的[ID₆₄，ID₆₅，...，ID_N-1]在本系统中用于传输随机数。R_r，R_t表示通信认证时使用的随机数，可利用[ID₆₄，ID₆₅，...，ID_N-1]位进行传输，这样既可成功地将随机数引入NTRU加密算法又没有增加通信时间和带宽，设Z＝[0，...，0]。In the present invention, let: ID, R _r , R _t , Z∈L _m , ω∈L _ω , for the convenience of description, the vector representation of ID, R _r , R _t , Z is used here. Select the parameter p=3 of NTRU, then L _m {m∈R: the coefficient of m is in the [-1, 1] interval}, the identification code TID is a binary number of 64 bits, which can be represented by ID. Since the identification code TID is 64 bits, therefore It only occupies [ID ₀ , ID ₁ , . . . , ID ₆₃ ] of the ID, and the rest [ID ₆₄ , _{ID 65} _, . R _r , R _t represent the random numbers used in communication authentication, which can be transmitted using [ID ₆₄ , ID ₆₅ , ..., ID _N-1 ] bits, so that random numbers can be successfully introduced into the NTRU encryption algorithm without To increase communication time and bandwidth, set Z=[0, . . . , 0].

定义：令v，u，w∈L_m，将v，u，w用向量表示，其长度为N，Definition: let v, u, w∈L _m , express v, u, w with a vector whose length is N,

v＝[v₀，v₁，...，v₆₃，v₆₄，v₆₅，...，v_N-1]及u＝[u₀，u₁，...，u₆₃，u₆₄，u₆₅，...，u_N-1]v=[v ₀ , v ₁ , ..., v ₆₃ , v ₆₄ , v ₆₅ , ..., v _N-1 ] and u=[u ₀ , u ₁ , ..., u ₆₃ , u ₆₄ , _u65 ,..., _uN-1 ]

w＝[w₀，w₁，...，w₆₃，w₆₄，w₆₅，...，w_N-1]w=[w ₀ , w ₁ , . . . , w ₆₃ , w ₆₄ , w ₆₅ , . . . , w _N-1 ]

·||联接运算：w＝v||u＝[v₀，v₁，...，v₆₃，u₆₄，u₆₅，...，u_N-1]·||Join operation: w=v||u=[v ₀ , v ₁ ,..., v ₆₃ , u ₆₄ , u ₆₅ ,..., u _N-1 ]

·g(w，i，j)截取运算：g(w，i，j)＝[w_i，w_i+1，...，w_j]g(w, i, j) interception operation: g(w, i, j)=[w _i , w _i+1 , . . . , w _j ]

·

：为异或运算·

: XOR operation

·认证过程中使用的其它变量、运算与NTRU公钥加密系统一致。·Other variables and operations used in the authentication process are consistent with the NTRU public key encryption system.

将随机化参数引入NTRU加密系统的具体方法是对原有加密算法

的明文m进行了修改处理，将其进行

变换，即可将随机化参数R_r，R_t引入本加密系统，使NTRU算法成为具有动态的、随机变化能力的动态随机化DRNTRU公钥加密系统。The specific method of introducing randomization parameters into the NTRU encryption system is to modify the original encryption algorithm

The plaintext m of has been modified, and it will be

In other words, the randomization parameters R _r and R _t can be introduced into the encryption system, so that the NTRU algorithm can become a dynamic randomization DRNTRU public key encryption system with dynamic and random changing capabilities.

注释：Notes:

1.由于ID，R_r，R_t∈L_m，在NTRU公钥加密系统既可以使用多项式表示又可以使用向量表示，为与NTRU表示一致，本发明仍使用多项式表示，仅在联接运算和截取运算时为便于表达将其作为向量处理，故ID，R_r，R_t，Z未使用黑体小写向量常用的表示方法表示。1. Due to ID, R _r , R _t ∈ L _m , both polynomial representation and vector representation can be used in NTRU public key encryption system. In order to be consistent with NTRU representation, the present invention still uses polynomial representation, only in connection operation and interception For the convenience of expression, it is treated as a vector during operation, so ID, R _r , R _t , Z are not represented by the common expression method of bold lowercase vector.

2.本发明将随机多项式及随机向量均称为随机数。2. The present invention refers to random polynomials and random vectors as random numbers.

二、建立基于动态随机化DRNTRU公钥加密系统的RFID通信安全机制2. Establish an RFID communication security mechanism based on a dynamic randomized DRNTRU public key encryption system

2.1初时条件设置2.1 Initial condition setting

RFID系统初始时，由服务器使用DRNTRU公钥加密系统生成公钥h_key和私钥(f_key，F_p)，并为每一个标签分配一个唯一的标识码TID(可由制造商完成)，服务器将标识码TID以及物品(贴有该标签的物品)的相关信息同时存储于标签和后端数据库，将公钥h_key和私钥(f_key，F_p)分别存储于标签和后端数据库，由于公钥h_key和私钥(f_key，F_p)是系统建立时由服务器产生的，服务器将其中的私钥(f_key，F_p)秘密地保存起来，而将公钥h_key分发给每一个标签，同时又通过安全通道将标识码TID存储到每一个相应的标签，故标识码TID和私钥(f_key，F_p)在本系统中都被认为是安全保密的。At the beginning of the RFID system, the server uses the DRNTRU public key encryption system to generate the public key h _key and private key (f _key , F _p ), and assigns a unique identification code TID to each tag (which can be completed by the manufacturer), and the server will The identification code TID and the relevant information of the item (the item with the tag) are stored in the tag and the back-end database at the same time, and the public key h _key and the private key (f _key , F _p ) are stored in the tag and the back-end database respectively. The public key h _key and private key (f _key , F _p ) are generated by the server when the system is established, and the server keeps the private key (f _key , F _p ) secretly, and distributes the public key h _key to each At the same time, the identification code TID is stored in each corresponding tag through a secure channel, so the identification code TID and the private key (f _key , F _p ) are considered safe and confidential in this system.

2.2认证步骤2.2 Authentication steps

RFID系统的通信认证协议如图1所示，认证步骤如下：The communication authentication protocol of the RFID system is shown in Figure 1, and the authentication steps are as follows:

1.Reader→Tag：读写器从多项式集合L_m中选取一随机数R_r，并向标签发送认证请求Query，同时将R_r发送给标签；1. Reader→Tag: The reader selects a random number R _r from the polynomial set L _m , sends an authentication request Query to the tag, and sends R _r to the tag at the same time;

2.Tag→Reader→Server：标签接到读写器发来的认证请求(Query，R_r)后，首先也从多项式集合L_m中选取一随机数R_t计算出

再从多项式集合L_ω中选取一随机数ω，利用公钥h_key对C进行加密运算

然后将(PID，R_t)发送给读写器，读写器再将(PID，R_t，R_r)转发给服务器；2. Tag→Reader→Server: After the tag receives the authentication request (Query, R _r ) sent by the reader, it first selects a random number R _t from the polynomial set L _m to calculate

Then select a random number ω from the polynomial set L _ω , and use the public key h _key to encrypt C

Then send (PID, R _t ) to the reader, and the reader forwards (PID, R _t , R _r ) to the server;

3.Server：服务器收到(PID，R_t，R_r)后，首先利用私钥(f_key，F_p)，对PID进行解码运算：

和

获得C，因为

对C进行R₁＝Z||C，再对读写器转发来的(R_t，R_r)进行

然后将两者进行异或运算：

如果结果为0，则认证通过，再截取g(C，0，63)，即可得到标识码TID(利用TID就可直接在后端数据库中读取该标识码TID对应的标签信息，如果后端数据库中没有该标识码TID，则也认为其为非法标签拒绝接受而停止操作)；否则，认证失败，拒绝接受标识码TID并停止操作。3.Server: After receiving (PID, R _t , R _r ), the server first uses the private key (f _key , F _p ) to decode the PID:

and

get a C because

Then XOR the two together:

If the result is 0, the authentication is passed, and then intercept g(C, 0, 63) to obtain the identification code TID (by using TID, you can directly read the label information corresponding to the identification code TID in the back-end database, if later If there is no such identification code TID in the terminal database, it is also considered as an illegal label and the operation is stopped); otherwise, the authentication fails, the identification code TID is rejected and the operation is stopped.

下面对上述具体实施方式所述的变量及表达式作出说明：The variables and expressions described in the above-mentioned specific implementation are described below:

变量：variable:

L_f，L_g，L_ω，L_m：为四个整系数的最高次系数为N-1的多项式集合，并满足如下要求：L_m＝{m∈R：m的系数位于区间[-(p-1)/2，(p-1)/2]}，其中N，p，q为三个整数，p，q不必为素数，但要求gcd(p，q)＝1，并且q远大于p。L _f , L _g , L _ω , L _m : It is a polynomial set with four integer coefficients whose highest order coefficient is N-1, and meets the following requirements: L _m = {m∈R: the coefficient of m is located in the interval [-( p-1)/2, (p-1)/2]}, where N, p, q are three integers, p, q do not have to be prime numbers, but require gcd(p, q) = 1, and q is much greater than p.

R：为整系数多项式环R＝Y[X]/(X^N-1)。R: a polynomial ring with integer coefficients R=Y[X]/(X ^N -1).

A：为一个元素A∈R，其向量形式可表示为： A: It is an element A∈R, and its vector form can be expressed as:

R_r：为读写器产生的随机数，R_r∈L_m。R _r : the random number generated by the reader, R _r ∈ L _m .

R_t：为标签产生的随机数，R_t∈L_m。R _t : the random number generated for the label, R _t ∈ L _m .

Z：为N维零向量，Z∈L_m。Z: N-dimensional zero vector, Z∈L _m .

ID：为标签的标识码TID的向量表示形式，ID∈L_m。ID: is the vector representation of the tag's identification code TID, ID∈L _m .

PID：为标签的标识码TID向量的密文表示形式，PID∈L_m。PID: is the ciphertext representation of the tag's identification code TID vector, PID∈L _m .

f_key：由DRTUN公钥加密系统的产生的私钥。f _key : The private key generated by the DRTUN public key encryption system.

h_key：由DRTUN公钥加密系统的产生的公钥h _key : the public key generated by the DRTUN public key encryption system

F_p：关于模p的逆F_p，也即满足： F _p : the inverse F _p modulo p, which satisfies:

F_q：关于模q的逆F_q，也即满足：

F _q : the inverse F _q with respect to modulo q, which satisfies:

定义：definition:

定义1.若a，b为整数，则称a与b是模n同余的，记为a≡b(modn)。Definition 1. If a and b are integers, then a and b are said to be congruent modulo n, which is denoted as a≡b(modn).

定义2.非负数d称为a与b的最大公因子，记为d＝gcd(a，b)。Definition 2. The non-negative number d is called the greatest common factor of a and b, which is denoted as d=gcd(a, b).

定义3：L(d₁，d₂)＝{F∈R：F有d₁个系数为1，d₂个系数为-1，其余系数为0}，再选择三个正整数d_f，d_g，d_ω，设多项式集合L_f，L_g，L_ω分别满足：L_f＝L(d_f，d_f-1)，L_g＝L(d_g，d_g)，L_ω＝L(d_ω，d_ω)Definition 3: L(d ₁ , d ₂ )={F∈R: F has d ₁ coefficient as 1, d ₂ coefficients as -1, and the remaining coefficients as 0}, and then select three positive integers d _f , d _g , d _ω , suppose the polynomial sets L _f , L _g , L _ω respectively satisfy: L _f ＝L(d _f , d _f -1), L _g ＝L(d _g , d _g ), L _ω ＝L( d _ω ，d _ω )

定义4：令v，u，w∈L_m，将v，u，w用向量表示，其长度为N，Definition 4: let v, u, w ∈ L _m , express v, u, w with a vector whose length is N,

运算：Operation:

||：为联接运算w＝v||u＝[v₀，v₁，...，v₆₃，u₆₄，u₆₅，...，u_N-1]||: join operation w=v||u=[v ₀ , v ₁ ,..., v ₆₃ , u ₆₄ , u ₆₅ ,..., u _N-1 ]

g(w，i，j)：为截取运算g(w，i，j)＝[w_i，w_i+1，...，w_j]g(w, i, j): for interception operation g(w, i, j)=[w _i , w _i+1 ,..., w _j ]

：为异或运算

: XOR operation

：表示环R上的乘法，这个乘法可以表示为一个循环卷积：

: Represents the multiplication on the ring R, which can be expressed as a circular convolution:

Claims

1. An RFID secure communication method based on dynamic randomization DRNTRU public key encryption system is characterized in that: when the RFID system was initial, the server uses dynamic randomization DRNTRU public key encryption system to generate public key h _key and private key (f _key , F _p ), where the public key h _key and private key (f _key , F _p ) are generated as follows:

When the NTRU public-key encryption system generates a key, it first randomly selects two polynomials f _key ∈ L _f , g ∈ L _g , and requires that the inverses F _p and F q of f _key with respect to modulus p and modulus _q exist, that is, satisfy:

where F _p and F _q can be calculated using the extended Euclidean algorithm, and then calculate the public key: The polynomial h _key is the public key of the NTRU public key encryption system, and the polynomial f _key is the private key of NTRU. At the same time, F _p and f _key are stored together and used as the private key (f _key , F _p );

After the public key h _key and private key (f _key , F _p ) are generated, a unique identification code TID is assigned to each tag, and the server stores the identification code TID and the relevant information of the item with the tag in both the tag and the tag. The back-end database stores the public key h _key and the private key (f _key , F _p ) in the tag and the back-end database respectively. The communication authentication protocol steps of the RFID system are as follows:

(1) Reader (Reader)→Tag (Tag): The reader selects a random number R _r from the polynomial set L _m , sends an authentication request Query to the tag, and sends R _r to the tag at the same time;

(2) Tag (Tag) → Reader (Reader) → Server (Server): After the tag receives the authentication request (Query, R _r ) sent by the reader, it first selects a random number from the polynomial set L _m The number R _t is calculated from

(3) Server (Server): After receiving (PID, R _t , R _r ), the server first uses the private key (f _key , F _p ) to decode the PID:

and

get a C because

Then XOR the two together:

If the result is 0, the authentication is passed, then intercept g(C, 0, 63) to obtain the identification code TID; otherwise, the authentication fails, refuse to accept the identification code TID and stop the operation;

The variables, definitions and operation symbols involved in the above scheme are described as follows:

L _f , L _g , L _ω , L _m : a collection of four integer coefficient polynomials with the highest coefficient of N-1

p, q: two integers, p, q do not have to be prime numbers, but require gcd(p, q) = 1, and q is much larger than p

R _r : the random number generated by the reader, R _r ∈ L _m

R _t : random number generated for the label, R _t ∈ L _m

Z: N-dimensional zero vector, Z∈L _m

ID: is the vector representation of the tag's identification code TID, ID∈L _m

PID: is the ciphertext representation of the tag's identification code TID vector, PID∈L _m

f _key : the private key generated by the DRTUN public key encryption system

h _key : the public key generated by the DRTUN public key encryption system

F _p : the inverse F _p modulo p, which satisfies:

F _q : the inverse F _q with respect to modulo q, which satisfies:

||: join operation

g(C, 0, 63): Indicates that 0 to 63 bits of the vector C are intercepted using the interception operation g(w, i, j)

mod: modulo operation

XOR operation

Represents the multiplication on the ring R, which can be expressed as a circular convolution:

2. the RFID secure communication method based on dynamic randomization DRNTRU public key encryption system according to claim 1 is characterized in that: described dynamic randomization DRNTRU public key encryption system is based on NTRU public key encryption system, will The randomization parameters R _r , R _t are introduced into the NTRU encryption system, making the NTRU encryption system a dynamic randomized DRNTRU public key encryption system. The specific method of introducing the randomization parameters R _r , R _t into the NTRU encryption system is to modify the original encryption algorithm

The plaintext m of is modified, and it is

Transformation, where ID, R _r , R _t ∈ L _m , ω ∈ L _ω , select NTRU parameter p=3, then L _m = {m ∈ R: the coefficient of m is in the interval [-1, 1]}, identify The code TID is a binary number of 64 bits, represented by ID, which only occupies [ID ₀ , ID ₁ , ..., ID ₆₃ ] of Id, and the rest [ID ₆₄ , ID ₆₅ , ..., ID _N-1 ] Used to transmit random numbers R _r , R _t .