CN100440776C - Elliptic curve signature and signature verification method and apparatus - Google Patents

Elliptic curve signature and signature verification method and apparatus Download PDF

Info

Publication number
CN100440776C
CN100440776C CNB021547165A CN02154716A CN100440776C CN 100440776 C CN100440776 C CN 100440776C CN B021547165 A CNB021547165 A CN B021547165A CN 02154716 A CN02154716 A CN 02154716A CN 100440776 C CN100440776 C CN 100440776C
Authority
CN
China
Prior art keywords
signature
function
certifying
value
curve
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CNB021547165A
Other languages
Chinese (zh)
Other versions
CN1505313A (en
Inventor
陈建华
汪朝晖
李莉
涂航
崔竞松
彭蓉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING HUADA INFOSEC TECHNOLOGY Ltd
Original Assignee
BEIJING HUADA INFOSEC TECHNOLOGY Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING HUADA INFOSEC TECHNOLOGY Ltd filed Critical BEIJING HUADA INFOSEC TECHNOLOGY Ltd
Priority to CNB021547165A priority Critical patent/CN100440776C/en
Publication of CN1505313A publication Critical patent/CN1505313A/en
Application granted granted Critical
Publication of CN100440776C publication Critical patent/CN100440776C/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Abstract

The present invention relates to an elliptic curve signing method, wherein a transmitting end discloses system parameters and a public key YA thereof and then generates a random number k, elliptic curve dot multiplication operation is carried out to k and a basic dot G of a curve, a dot kG on the curve is obtained, a function d calculates the dot kG and a plaintext m, and r=d(m, kG) is obtained. The functions of f0, f1, g0 and g1 are all functions of r, the equation of f0(r)+f<1>(r)s=k-x<A>(g<0>(r)+g<1>(r)s) is solved by the functions of f0, f1, g0 and g1 and the random number and a private key xA, and s=(k-x<A>g0(r)-f0(r))(f1(r))-g1(r))<-1> is obtained through solution. The receiving end obtains P=(f0(r)+f<1>(r)s)G+(g<0>(r)+g<1>(r)s)Y<A> by receiving and using the public key YA of the transmitting end, the basic dot G and the functions of f0, f1, g0 and g1, and a function d' is used for calculating m'=d'(r, P). M' obtained through calculation and the received m are compared, wherein the function d and the function d' must have the properties that the shape of the function d is set as D=d(x, y), and y=d'(x, D) is calculated according to the function d. The present invention can shorten the length of signatures with the same safety intensity, and can accelerate the speed of signature.

Description

Ellipse curve signature and certifying signature method and apparatus
Technical field
The present invention relates to data signature and certifying signature, is signature and the certifying signature method of utilizing the elliptic curve discrete logarithm problem.
Background technology
Cryptographic system is divided into symmetric cryptosystem and asymmetric cryptosystem.
Symmetric cryptography also is the conventional cipher algorithm sometimes, is exactly that encryption key can be calculated from separate dense wanting, otherwise also sets up.In most of algorithms, the enciphering/deciphering key is identical.These algorithms also are secret-key algorithm or single key algorithm, and it requires sender and recipient before secure communication, consult a key.The fail safe of symmetric cryptography depends on key, and the key of divulging a secret just means that anyone can both carry out enciphering/deciphering to message.So though the speed of symmetric cryptography is very fast, how secret key safety being distributed to legal user but is a problem.
At patent " encryption device and method " (" CRYPTOGRAPHIC APPARATUS METHOD ", the patent No.: provided US4200770) one can be in overt channel the method and apparatus of interchange key, this method is called the public-key cryptography exchange or is called the Diffie-Hellman key exchange method.This patent makes communicating pair use a mould power function to consult and transmit their secret information.The assailant will seek out the secret information of transmission, must solve discrete logarithm problem.If the parameter of using is enough big, separating discrete logarithm problem is an intractable problem.
Public key cryptography claims asymmetric cryptography again, then can effectively solve the problem of above-mentioned authentication.Public key cryptography is different with the symmetric cryptography that only uses a key, and public key cryptography is asymmetric, and its uses two independences but the key of certain mathematical connection is arranged: PKI and private key.Secret its private key of recipient in the communication discloses its PKI like this.Most important progress in the public key cryptography is exactly a digital signature, realizes that by public key cryptography digital signature can effectively solve the problem of above-mentioned authentication.User A is before B transmission information, use the private key of oneself that this information is carried out digital signature, user B is after the information that receives the A transmission, use the signature of the disclosed public key verifications A of A, because have only A to have its private key, this has just guaranteed that the information that B received comes from A really, and is not distorted, and has also confirmed the identity of A simultaneously.
Patent " cryptographic communication system and method " (" CRYPTOGRAPHIC COMMUNICATIONSSYSTEM AND METHOD ", the patent No.: US4405829) proposed Rivest, a kind of public key cryptography method--the RSA of Shamir and Adleman invention.The fail safe of RSA public key cryptography method is based on the intractability of big integer factor resolution problem.But to the improving constantly of security requirement, also come also high more to the requirement of RSA key length along with at present.
Taher ElGamal has proposed a kind of public key digital signature mechanism based on euler algorithm.In this mechanism, transmit leg A uses the mould power function to hide private key x, calculates y=g xMod p, and PKI y is open.Recipient B utilizes private key to sign, and B utilizes the PKI of A to come certifying signature, and specific algorithm is as follows:
1, preprocessing process: obtain the needed parameters of signature
1.1: determine finite field gf (p), promptly determine prime number p;
1.2: determine generator g;
1.3: choose random number x A, make 1≤x A≤ p-1 is with x AAs signature key, i.e. private key;
1.4: calculate y A = g x A , y AAs PKI, be used for certifying signature;
1.6: open parameter g, p and PKI y A
2, signature process:
2.1: transmit leg open parameter g, p and PKI y A
2.2: generate random number k, wherein 1≤k≤p-1 utilizes the mould power function to calculate r=g k
2.3: calculate for plaintext m: s=k -1(m-xr) mod p;
2.4: above-mentioned acquisition (r s) is the signature of transmit leg to plaintext m, and transmit leg will (r, s) and expressly m sends to the recipient.
3, proof procedure:
3.1: recipient B receive expressly m with and signature (r, s);
3.2: according to known parameters p, the PKI y of g and A A, judge y A rr sWhether mod p equals g mMod p, if then checking is passed through, otherwise, authentication failed
4, finish.
The method is referred to as Digital Signature Algorithm (DSA) subsequently.
The Fundamentals of Mathematics relevant with the ElGamal data signature mechanism are quite complicated, and signature length is quite long.United States Patent (USP) " generates and verifies electronic signature and discern the method for signing " (" Method for Identifying Subscribers and for Generatingand Verifying Electronic Signatures in a Data Exchange System " patent No. US4 in data exchange system, 995,082) in, proposed the method for a kind of safe generation than the short number word signature, its basis is other mathematical method with lower complexity.
In United States Patent (USP) " Digital Signature Algorithm " (" Digital Signature Algorithm " patent No. US5,231,668), under the situation that keeps the same mathematical complexity, shortened the length of ElGamal digital signature.
Subsequently, the Rueppel of Switzerland and Australian Nyberg have obtained patent " digital signature method and key exchange method " (" Digital Signature Method and KeyAgreement Method " patent No. US5 in the U.S., 600,725), the endorsement method in this patent has signature, verifying speed is fast and the function of message recovery.Its concrete signature-verification process is as follows:
1, preprocessing process: obtain the needed parameters of signature
1.1: determine finite field gf (p);
1.2: determine generator g;
1.3: choose random number x A, make 1≤x A≤ p-1 is with x AAs private key for user;
1.4: calculate y A = g x A mod p , y AAs client public key;
1.6: open g, p and PKI y A
2, signature process:
2.1: obtain signature information m;
2.2: signer generates random number k, and wherein 1≤k≤p-1 utilizes the mould power function to calculate r=mg -kMod p;
2.3: calculate s=k-xr mod p;
2.4: (r s) sends to the recipient to signer with its signature with message m.
3, proof procedure:
3.1: the recipient receive message m and its signature (r, s);
3.2: according to known parameters p, g, y A, judge g sy A rWhether rmod p equals m (modp), if equate, then checking is passed through, otherwise, authentication failed;
4, finish.
Neal Koblitz in 1985 and Victor Miller propose respectively elliptic curve is used for common key cryptosystem, and have realized already present public key algorithm with elliptic curve.Cryptographic algorithm based on elliptic curve discrete logarithm problem intractability is called as elliptic curve cryptography (Elliptic Curve Cryptography is called for short ECC), becomes the public key algorithm of being accepted extensively by international cryptography circle.
Subsequently, DSA signature mechanism mentioned above and NR signature mechanism are transplanted on the elliptic curve successively, become ECDSA signature algorithm and ECNR signature algorithm, make signature mechanism based on a mathematics difficult problem, promote to based on elliptic curve discrete logarithm problem intractability from the discrete logarithm problem intractability.
Summary of the invention
The objective of the invention is to propose a kind of new ellipse curve signature method.This endorsement method is based on the elliptic curve discrete logarithm problem, this problem has higher complexity on mathematics, thereby have higher characteristics of unit security intensity, promptly can shorten the length of digital signature greatly with identical security intensity, accelerate signature speed, thereby more can satisfy the demand of constrained environments such as mobile communication; And this signature algorithm can construct by the selection of parameter than the application ECDSA ECDSA of DSA Digital Signature Algorithm on elliptic curve high-efficient algorithm more, the message that makes the user not transmit to be signed can also make this algorithm have the function of message recovery, even also can be carried out signature verification.
The invention provides a kind of signature and certifying signature method, system at first determines finite field gf (q), chooses elliptic curve equation E; Choose the basic point G of elliptic curve, and calculate elliptic curve point order of a group N on the finite field.Transmit leg A utilizes these system parameterss to generate the private key x of oneself as signer A, 1≤x wherein A≤ N-1 utilizes basic point G to calculate dot product then and obtains some Y on the elliptic curve A=x AG is as PKI.Below the signature process step of sender A for plaintext m:
At first, open system parameters of transmit leg A and PKI Y thereof A, generate random number k then, make k drop on the interval [1, N-1], the basic point G of k and curve is carried out the elliptic curve point multiplication operation, obtain the some kG on the curve; Use some kG that function d will obtain and expressly m carry out computing, wherein guarantee from d, to obtain the value of k, obtain r=d (m, kG).Function f 0, f 1, g 0, g 1Be all the function of r, use function f 0, f 1, g 0, g 1With random number and private key x ASolving equation f 0(r)+f 1(r) s=k-x A(g 0(r)+g 1(r) s) solve s=(k-x Ag 0(r)-f 0(r)) (f 1(r)+x Ag 1(r)) -1, obtain like this (r s) is the signature of A to plaintext m.(r s) sends to B to sender A with its signature with plaintext m.
Recipient B receives plaintext m, and (r, s), Y at first uses public-key with its signature A, elliptic curve basic point G and function f 0, f 1, g 0, g 1Calculate P=(f 0(r)+f 1(r) G+ (g s) 0(r)+g 1(r) Y s) A, use function d ' and calculating m '=d ' (r, P).M ' that calculates and the m that receives are compared, if identical then sign legally, simultaneously m ' recovers the plaintext that obtains from the signature result, if difference then sign illegal.
Wherein above-mentioned function d and function d ' must have following character: establishing function d shape is D=d (x, y), from function d can push away y=d ' (x, D), the function d that obtains like this can effectively be hidden cleartext information and random number information in above-mentioned signature and proof procedure; Function d ' can in above-mentioned proof procedure, recover the cleartext information that obtains hiding.
According to another aspect of the present invention, provide a kind of signature of described ellipse curve signature and certifying signature method and device of certifying signature of adopting;
Description of drawings
Fig. 1 is the flow chart of signature process of the present invention.
Fig. 2 is the flow chart of certifying signature process of the present invention.
Fig. 3 is the block diagram of signature of the present invention and certifying signature device.
Embodiment
Fig. 1 illustrates the flow chart of signature process of the present invention.
In step 101, recipient A discloses its PKI Y AAnd system parameters: the basic point G of curve E, elliptic curve point group, elliptic curve point order of a group N;
In step 102, recipient A generates random number k, 1≤k≤N-1 wherein, and wherein N is the some order of a group of elliptic curve;
In step 103, the point multiplication operation with k and basic point G make elliptic curve obtains the some kG on the curve;
In step 104, obtain expressly m.When the length of real messages was longer than the message-length that can sign, message m can be replaced with the result of Hash function h (m), promptly used private key that the hash value h (m) of message m is signed; When checking, the Hash of message m elder generation that receives is obtained h (m), re-use h (m) certifying signature;
In step 105, use function d that plaintext m and the kG that obtains in the step 104 carried out computing, obtain r=d (m, kG).Wherein function d must have following character: establishing d function shape is D=d (x, y), from function d can push away function d ', y=d ' (x is arranged, D), the d function that obtains like this can effectively be hidden cleartext information and random number information in above-mentioned signature and proof procedure; D ' function can recover the cleartext information that obtains hiding in following validation process steps 204;
In step 106, use function d that plaintext m and the P that obtains in the step 104 carried out computing, obtain r=d (m, P).Use the function f of r 0, f 1, g 0, g 1With random number and private key x ASolving equation f 0(r)+f 1(r) s=k-x A(g 0(r)+g 1(r) s) solve s=(k-x Ag 0(r)-f 0(r))
(f 1(r)+x Ag 1(r)) -1
In step 107, before sending the signature result, must judge whether the signature r and the s that obtain are zero, if be zero, then must skip to step 102, reselect random number k, again plaintext m are signed;
In step 108, the r and the s that obtain in step 107 are non-vanishing, then obtained A to the signature result of plaintext m (r, s).(r s) sends to B to sender A with its signature with plaintext m.
So far, signature process finishes.
Fig. 2 illustrates the flow chart of certifying signature process of the present invention.
In step 201, recipient B receive plaintext m that A sends and signature (r, s);
In step 202, B obtains the PKI Y of system parameters and A A
In step 203, the B Y that uses public-key A, elliptic curve basic point G and function f 0, f 1, g 0, g 1Calculate P=(f 0(r)+f 1(r) G+ (g s) 0(r)+g 1(r) Y s) A
In step 204, B uses function d ' and calculating m '=d ' (r, P);
In step 205, B compares m ' that obtains in the step 204 and the m that receives, if equate, and then to step 206, if unequal, then to step 207;
In step 206, m ' and the m that receives equate that checking is passed through, and it is legal to sign;
In step 206, m ' and the m that receives are unequal, and signature is illegal.
So far, the certifying signature process finishes.
In step 104, when the length of real messages was grown than the message-length that can sign, message m can be replaced with the result of Hash function h (m), and promptly the hash value h (m) to message m signs; In verification step 201, use the Hash function to handle earlier the message m that receives and obtain h (m), again to h (m) certifying signature.
If in the message m of signature, embed (Padding) information of filling, then when sending signature, can not send message m, and only send signature (r, s); When checking, (r s) recovers message m, utilizes the authenticity and integrity of filling (Padding) Information Authentication signature then to utilize signature.
The function d in step 105 and the function d of step 204 ' must have following character: establishing d function shape is D=d (x, y), from function d can push away y=d ' (x, D), the d function that obtains like this can effectively be hidden cleartext information and random number information in above-mentioned signature and proof procedure; D ' function can recover the cleartext information that obtains hiding in above-mentioned proof procedure.D and d ' can comprise following form:
A) d (m kG) can value be: d (m, kG)=m (kG) x=r, then d , ( r , P ) = r P x - 1 = m , Wherein (kG) XAnd P XRefer to the abscissa of getting a kG and P respectively;
B) d (m kG) can value be: d (m, kG)=m (kG) y=r, then d , ( r , P ) = r P y - 1 = m , Wherein (kG) xAnd P xRefer to the ordinate of getting a kG and P respectively;
C) d (m kG) can value be: d ( m , kG ) = m &CirclePlus; ( kG ) x = r , Then d , ( r , P ) = m , Wherein
Figure C0215471600138
Computing also can be used
Figure C0215471600139
Computing replaces;
D) d (m kG) can value be: d ( m , kG ) = m &CirclePlus; ( kG ) y = r , Then d , ( r , P ) = r &CirclePlus; P y = m , Wherein
Figure C02154716001313
Computing also can be used
Figure C02154716001314
Computing replaces;
E) d (m kG) can value be: d (m, kG)=(m+ (kG) x) mod N=r, then d ' (r, P)=(r-P x) mod N=m, wherein N is that some G is at the elliptic curve point order of a group;
F) d (m, kG) can value for being that expressly kG is the symmetric cryptography function of key with m, and d ' (r, P) can value for being ciphertext accordingly with r, P is the symmetrical decryption function of key;
G) or the like.
Function f in step 106 and the step 203 0, f 1, g 0, g 1Be the linear function of r,, can get the simple function of the following r in order to obtain higher computational efficiency:
H) function f 0, f 1, g 0, g 1Value is f respectively 0(r)=c 0* r, f 1(r)=c 1, g 0(r)=c 2, g 1(r)=c 0* r, wherein c 0, c 1, c 2Be constant and function f 0, f 1, g 0, g 1Can exchange;
I) function f 0, f 1, g 0, g 1Value is f respectively 0(r)=c 1, f 1(r)=c 2, g 0(r)=c 0* r, g 1(r)=c 3, c wherein 0, c 1, c 2, c 3Be constant and function f 0, f 1, g 0, g 1Can exchange;
J) or the like.
Fig. 3 illustrates signature of the present invention and certifying signature device.When transmit leg A communicated by letter on a communication channel with recipient B, it is right that transmit leg A uses key generating device 340 to generate key: PKI Y AWith private key x A, announce its PKI and system parameters.A uses signature device 320, in conjunction with the signature process of Fig. 1 explanation plaintext m is signed, and expressly m and signature as a result S send to B.
Recipient B receives the expressly m and the S as a result that signs, and obtains the PKI Y of system parameters and A A, use certifying signature device 350, by in conjunction with the checking of Fig. 2 explanation to the signature of plaintext m S as a result, be verified the result.
Above invention has been described in conjunction with most preferred embodiment of the present invention, and those of ordinary skill in the art can do various modifications and change to it under the situation that does not depart from scope of the present invention.

Claims (32)

1. ellipse curve signature and certifying signature method, it is right that wherein transmit leg has oneself key: private key x AWith PKI Y A, and public address system parameter and PKI Y A, transmit leg uses the private key x of oneself APlaintext m is realized digital signature, and plaintext m and signature are sent to the recipient, the recipient uses the PKI Y of transmit leg AVerify that whether transmit leg is legal to the signature of plaintext m, comprises following steps:
Open system parameters of transmit leg and PKI Y thereof A, generate random number k then, make k drop on the interval [1, N-1], wherein N is the some order of a group of elliptic curve, and the basic point G of k and curve is carried out the elliptic curve point multiplication operation, obtains the some kG on the curve; Use some kG that function d will obtain and expressly m carry out computing, wherein guarantee from d, to obtain the value of k, obtain r=d (m, kG); Function f 0, f 1, g 0, g 1Be all the function of r, use function f 0, f 1, g 0, g 1With random number and private key x ASolving equation f 0(r)+f 1(r) s=k-x A(g 0(r)+g 1(r) s) solve s=(k-x Ag 0(r)-f 0(r)) (f 1(r)+x Ag 1(r)) -1, obtain like this (r s) is the signature of transmit leg to plaintext m; (r s) sends to the recipient to transmit leg with its signature with plaintext m;
The recipient receives expressly m and transmit leg, and (r s), at first uses the PKI Y of transmit leg to the signature of m A, elliptic curve basic point G and function f 0, f 1, g 0, g 1Calculate P=(f 0(r)+f 1(r) G+ (g s) 0(r)+g 1(r) Y s) A, use function d ' and calculating m '=d ' (r, P); M ' that calculates and the m that receives are compared, if identical then sign legally, simultaneously m ' recovers the plaintext that obtains from the signature result, if difference then sign illegal;
Wherein above-mentioned function d and function d ' must have following character: establish function d shape and be D=d (x, y), from function d push away y=d ' (x, D).
2. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein when the length of real messages m was longer than the message-length that can sign, message m was replaced with the result of Hash function h (m), promptly used private key that the hash value h (m) of message m is signed; When checking, the Hash of message m elder generation that receives is obtained h (m), re-use h (m) certifying signature.
3. ellipse curve signature as claimed in claim 1 and certifying signature method wherein, if embed filling information in the message m of signature, then do not send message m when sending signature, and only send signature (r, s); When checking, (r s) recovers message m, utilizes the authenticity and integrity of filling information certifying signature then to utilize signature.
4. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function d and function d ' must have following character: establishing d function shape is D=d (x, y), from function d push away y=d ' (x, D), the d function that obtains is so effectively hidden cleartext information and random number information in above-mentioned signature and proof procedure; D ' function recovers the cleartext information that obtains hiding in above-mentioned proof procedure.
5. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function d and function d ' be taken as: when d (m, kG) value be d (m, kG)=m (kG) xDuring=r, then d , ( r , P ) = r P x - 1 = m , Wherein (kG) xAnd P xRefer to the abscissa of getting a kG and P respectively.
6. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function d and function d ' be taken as: when d (m, kG) value be d (m, kG)=m (kG) yDuring=r, then d , ( r , P ) = r P y - 1 = m , Wherein (kG) xAnd P xRefer to the ordinate of getting a kG and P respectively.
7. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function d and function d ' be taken as: (m, kG) value is as d d ( m , kG ) = m &CirclePlus; ( kG ) x = r The time, then d , ( r , P ) = r &CirclePlus; P x = m .
8. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function d and function d ' be taken as: (m, kG) value is as d d ( m , kG ) = m &CircleTimes; ( kG ) x = r The time, then d , ( r , P ) = r &CircleTimes; P x = m .
9. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function d and function d ' be taken as: (m, kG) value is as d d ( m , kG ) = m &CirclePlus; ( kG ) y = r The time, then d , ( r , P ) = r &CirclePlus; P v = m .
10. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function d and function d ' be taken as: (m, kG) value is as d d ( m , kG ) = m &CircleTimes; ( kG ) y = r The time, then d , ( r , P ) = r &CircleTimes; P y = m .
11. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function d and function d ' be taken as: when d (m, kG) value is for being expressly with m, when kG is the symmetric cryptography function of key, d ' (r, P) value is for being ciphertext accordingly with r, P is the symmetrical decryption function of key.
12. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function f 0, f 1, g 0, g 1Be the linear function of r.
13. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function f 0, f 1, g 0, g 1Be taken as: f 0(r)=c 0* r, f 1(r)=c 1, g 0(r)=c 2, g 1(r)=c 0* r, wherein c 0, c 1, c 2Be constant.
14. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function f 0, f 1, g 0, g 1Be taken as: f 1(r)=c 0* r, f 0(r)=c 1, g 1(r)=c 2, g 0(r)=c 0* r, wherein c 0, c 1, c 2Be constant.
15. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function f 0, f 1, g 0, g 1Value is f respectively 0(r)=c 1, f 1(r)=c 2, g 0(r)=c 0* r, g 1(r)=c 3, c wherein 0, c 1, c 2, c 3Be constant.
16. ellipse curve signature as claimed in claim 1 and certifying signature method, wherein function f 0, f 1, g 0, g 1Value is f respectively 1(r)=c 1, f 0(r)=c 2, g 1(r)=c 0* r, g 0(r)=c 3, c wherein 0, c 1, c 2, c 3Be constant.
17. ellipse curve signature and certifying signature system comprise key generating device (340), signature device (320) and certifying signature device (350), and it is right that wherein the transmit leg of this system uses described key generating device (340) generation key: private key x AWith PKI Y A, and public address system parameter and PKI Y A, and use described signature device (320) to utilize the private key x of oneself APlaintext m is realized digital signature, and wherein said signature device (320) is carried out:
Open system parameters and PKI Y thereof A, generate random number k then, make k drop on the interval [1, N-1], wherein N is the some order of a group of elliptic curve, and the basic point G of k and curve is carried out the elliptic curve point multiplication operation, obtains the some kG on the curve; Use some kG that function d will obtain and expressly m carry out computing, wherein guarantee from d, to obtain the value of k, obtain r=d (m, kG); Function f 0, f 1, g 0, g 1Be all the function of r, use function f 0, f 1, g 0, g 1With random number and private key x ASolving equation f 0(r)+f 1(r) s=k-x A(g 0(r)+g 1(r) s) solve s=(k-x Ag 0(r)-f 0(r)) (f 1(r)+x Ag 1(r)) -1, obtain like this (r s) is the signature of transmit leg to plaintext m; (r s) sends to the recipient to transmit leg with its signature with plaintext m;
Described certifying signature device (350) is carried out:
(r s), at first uses the PKI Y of transmit leg to the signature of m to receive expressly m and transmit leg A, elliptic curve basic point G and function f 0, f 1, g 0, g 1Calculate P=(f 0(r)+f 1(r) G+ (g s) 0(r)+g 1(r) Y s) A, use function d ' and calculating m '=d ' (r, P); M ' that calculates and the m that receives are compared, if identical then sign legally, simultaneously m ' recovers the plaintext that obtains from the signature result, if difference then sign illegal;
Wherein above-mentioned function d and function d ' must have following character: establish function d shape and be D=d (x, y), from function d push away y=d ' (x, D).
18. ellipse curve signature and certifying signature system as claim 17, wherein when the length of real messages m is grown than the message-length that can sign, the signature device replaces with the result of Hash function h (m) with message m, promptly uses private key that the hash value h (m) of message m is signed; When checking, the certifying signature device obtains h (m) with the Hash of message m elder generation that receives, and re-uses h (m) certifying signature.
19. as the ellipse curve signature and the certifying signature system of claim 17, wherein,, then when sending signature, do not send message m if in the message m of signature, embed filling information, and only send signature (r, s); When checking, (r s) recovers message m, utilizes the authenticity and integrity of filling information certifying signature then to utilize signature.
20. ellipse curve signature and certifying signature system as claim 17, wherein function d and function d ' must have following character: establishing d function shape is D=d (x, y), from function d push away y=d ' (x, D), the d function that obtains is so effectively hidden cleartext information and random number information in above-mentioned signature and proof procedure; D ' function recovers the cleartext information that obtains hiding in above-mentioned proof procedure.
21. as the ellipse curve signature and the certifying signature system of claim 17, wherein function d and function d ' be taken as: when d (m, kG) value be d (m, kG)=m (kG) xDuring=r, then d , ( r , P ) = r P x - 1 = m , Wherein (kG) xAnd P xRefer to the abscissa of getting a kG and P respectively.
22. as the ellipse curve signature and the certifying signature system of claim 17, wherein function d and function d ' be taken as: when d (m, kG) value be d (m, kG)=m (kG) yDuring=r, then d , ( r , P ) = r P y - 1 = m , Wherein (kG) xAnd P xRefer to the ordinate of getting a kG and P respectively.
23. as the ellipse curve signature and the certifying signature system of claim 17, wherein function d and function d ' be taken as: (m, kG) value is as d d ( m , kG ) = m &CirclePlus; ( kG ) x = r The time, then d , ( r , P ) = r &CirclePlus; P x = m .
24. as the ellipse curve signature and the certifying signature system of claim 17, wherein function d and function d ' be taken as: (m, kG) value is as d d ( m , kG ) = m &CircleTimes; ( kG ) x = r The time, then d , ( r , P ) = r &CircleTimes; P x = m .
25. as the ellipse curve signature and the certifying signature system of claim 17, wherein function d and function d ' be taken as: (m, kG) value is as d d ( m , kG ) = m &CirclePlus; ( kG ) y = r The time, then d , ( r , P ) = r &CirclePlus; P y = m .
26. as the ellipse curve signature and the certifying signature system of claim 17, wherein function d and function d ' be taken as: (m, kG) value is as d d ( m , kG ) = m &CircleTimes; ( kG ) y = r The time, then d , ( r , P ) = r &CircleTimes; P y = m .
27. as the ellipse curve signature and the certifying signature system of claim 17, wherein function d and function d ' be taken as: when d (m, kG) value is for being expressly with m, when kG is the symmetric cryptography function of key, d ' (r, P) value is for being ciphertext accordingly with r, P is the symmetrical decryption function of key.
28. ellipse curve signature and certifying signature system, wherein function f as claim 17 0, f 1, g 0, g 1Be the linear function of r.
29. ellipse curve signature and certifying signature system, wherein function f as claim 17 0, f 1, g 0, g 1Be taken as: f 0(r)=c 0* r, f 1(r)=c 1, g 0(r)=c 2, g 1(r)=c 0* r, wherein c 0, c 1, c 2Be constant.
30. ellipse curve signature and certifying signature system, wherein function f as claim 17 0, f 1, g 0, g 1Be taken as: f 1(r)=c 0* r, f 0(r)=c 1, g 1(r)=c 2, g 0(r)=c 0* r, wherein c 0, c 1, c 2Be constant.
31. ellipse curve signature and certifying signature system, wherein function f as claim 17 0, f 1, g 0, g 1Value is f respectively 0(r)=c 1, f 1(r)=c 2, g 0(r)=c 0* r, g 1(r)=c 3, c wherein 0, c 1, c 2, c 3Be constant.
32. ellipse curve signature and certifying signature system, wherein function f as claim 17 0, f 1, g 0, g 1Value is f respectively 1(r)=c 1, f 0(r)=c 2, g 1(r)=c 0* r, g 0(r)=c 3, c wherein 0, c 1, c 2, c 3Be constant.
CNB021547165A 2002-11-29 2002-11-29 Elliptic curve signature and signature verification method and apparatus Expired - Lifetime CN100440776C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB021547165A CN100440776C (en) 2002-11-29 2002-11-29 Elliptic curve signature and signature verification method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB021547165A CN100440776C (en) 2002-11-29 2002-11-29 Elliptic curve signature and signature verification method and apparatus

Publications (2)

Publication Number Publication Date
CN1505313A CN1505313A (en) 2004-06-16
CN100440776C true CN100440776C (en) 2008-12-03

Family

ID=34235561

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB021547165A Expired - Lifetime CN100440776C (en) 2002-11-29 2002-11-29 Elliptic curve signature and signature verification method and apparatus

Country Status (1)

Country Link
CN (1) CN100440776C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109889341A (en) * 2019-01-15 2019-06-14 思力科(深圳)电子科技有限公司 Data processing method, electronic tag and radio-frequency card reader

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1262087C (en) * 2005-01-14 2006-06-28 南相浩 Method and apparatus for cipher key generation based on identification
US7602907B2 (en) * 2005-07-01 2009-10-13 Microsoft Corporation Elliptic curve point multiplication
DE102006004237A1 (en) * 2006-01-30 2007-08-16 Siemens Ag Method and device for agreeing a common key between a first communication device and a second communication device
US8311214B2 (en) * 2006-04-24 2012-11-13 Motorola Mobility Llc Method for elliptic curve public key cryptographic validation
CN101079701B (en) * 2006-05-22 2011-02-02 北京华大信安科技有限公司 Highly secure ellipse curve encryption and decryption method and device
CN101296075B (en) * 2007-04-29 2012-03-21 四川虹微技术有限公司 Identity authentication system based on elliptic curve
CN101488958B (en) * 2009-02-20 2011-09-07 东南大学 Large cluster safe real-time communication method executed by using elliptical curve
CN101547099B (en) * 2009-05-07 2011-08-03 张键红 Elliptical curve-based method and elliptical curve-based device for self-authenticating signature
CN102487321B (en) * 2010-12-03 2014-07-02 航天信息股份有限公司 Signcryption method and system
CN104660399B (en) * 2013-11-25 2018-02-23 上海复旦微电子集团股份有限公司 A kind of RSA modular exponentiation operation method and device
CN103701598B (en) * 2013-12-05 2017-07-11 武汉信安珞珈科技有限公司 It is a kind of that endorsement method and digital signature device are checked based on SM2 signature algorithms
CN104866779B (en) * 2015-04-07 2018-05-11 福建师范大学 It is a kind of to control e-file life cycle and the method and system of safety deleting
CN105933338A (en) * 2016-06-24 2016-09-07 收付宝科技有限公司 Method and device for performing virtual card transaction
CN106685651A (en) * 2016-12-22 2017-05-17 北京信安世纪科技有限公司 Method for creating digital signatures by cooperation of client and server
CN107395370B (en) * 2017-09-05 2020-07-14 深圳奥联信息安全技术有限公司 Identification-based digital signature method and device
CN107612934A (en) * 2017-10-24 2018-01-19 济南浪潮高新科技投资发展有限公司 A kind of block chain mobile terminal computing system and method based on Secret splitting
CN109104712B (en) * 2018-07-17 2021-04-30 北京神州安付科技股份有限公司 Wireless recharging encryption system based on NFC function and encryption method thereof
CN110022210B (en) * 2019-03-28 2022-03-15 思力科(深圳)电子科技有限公司 Signature verification method based on elliptic curve password, signature end and signature verification end
CN111125782B (en) * 2019-12-24 2022-12-09 兴唐通信科技有限公司 Method and system for verifying ID of unclonable chip
CN111475856B (en) * 2020-04-03 2023-12-22 数据通信科学技术研究所 Digital signature method and method for verifying digital signature
CN113225190A (en) * 2021-02-08 2021-08-06 数字兵符(福州)科技有限公司 Quantum security digital signature method using new problem
CN113810195B (en) * 2021-06-04 2023-08-15 国网山东省电力公司 Safe transmission method and device for electric power training simulation assessment data
CN114065171B (en) * 2021-11-11 2022-07-08 北京海泰方圆科技股份有限公司 Identity authentication method, device, system, equipment and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0874307A1 (en) * 1997-03-25 1998-10-28 Certicom Corp. Accelerated finite field operations on an elliptic curve
EP0892520A2 (en) * 1997-07-17 1999-01-20 Matsushita Electric Industrial Co., Ltd. Elliptic curve calculation apparatus capable of calculating multiples at high speed
JPH11231779A (en) * 1998-02-19 1999-08-27 Nippon Telegr & Teleph Corp <Ntt> Method and device for blind signture using elliptic curve and program recording medium
US6049610A (en) * 1991-09-17 2000-04-11 Next Software, Inc. Method and apparatus for digital signature authentication
US6088798A (en) * 1996-09-27 2000-07-11 Kabushiki Kaisha Toshiba Digital signature method using an elliptic curve, a digital signature system, and a program storage medium having the digital signature method stored therein
CN1264974A (en) * 1999-12-01 2000-08-30 陈永川 Digital signature method using elliptic curve encryption algorithm
CN1280726A (en) * 1997-12-05 2001-01-17 保密信息技术公司 Transformation methods for optimizing elliptic curve cryptographic computations

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6049610A (en) * 1991-09-17 2000-04-11 Next Software, Inc. Method and apparatus for digital signature authentication
US6088798A (en) * 1996-09-27 2000-07-11 Kabushiki Kaisha Toshiba Digital signature method using an elliptic curve, a digital signature system, and a program storage medium having the digital signature method stored therein
EP0874307A1 (en) * 1997-03-25 1998-10-28 Certicom Corp. Accelerated finite field operations on an elliptic curve
EP0892520A2 (en) * 1997-07-17 1999-01-20 Matsushita Electric Industrial Co., Ltd. Elliptic curve calculation apparatus capable of calculating multiples at high speed
CN1280726A (en) * 1997-12-05 2001-01-17 保密信息技术公司 Transformation methods for optimizing elliptic curve cryptographic computations
JPH11231779A (en) * 1998-02-19 1999-08-27 Nippon Telegr & Teleph Corp <Ntt> Method and device for blind signture using elliptic curve and program recording medium
CN1264974A (en) * 1999-12-01 2000-08-30 陈永川 Digital signature method using elliptic curve encryption algorithm

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109889341A (en) * 2019-01-15 2019-06-14 思力科(深圳)电子科技有限公司 Data processing method, electronic tag and radio-frequency card reader

Also Published As

Publication number Publication date
CN1505313A (en) 2004-06-16

Similar Documents

Publication Publication Date Title
CN100440776C (en) Elliptic curve signature and signature verification method and apparatus
US8116451B2 (en) Key validation scheme
US7308097B2 (en) Digital signature and authentication method and apparatus
US6446207B1 (en) Verification protocol
EP1847062B1 (en) Challenge-response signatures and secure diffie-hellman protocols
EP2276196B1 (en) Method for the Application of Implicit Signature Schemes
JP5205398B2 (en) Key authentication method
US8983064B2 (en) Strengthened public key protocol
US20050135606A1 (en) Method and apparatus for verifiable generation of public keys
CN101079701B (en) Highly secure ellipse curve encryption and decryption method and device
GB2321741A (en) Verification of electronic transactions
US6122742A (en) Auto-recoverable and auto-certifiable cryptosystem with unescrowed signing keys
US20020136401A1 (en) Digital signature and authentication method and apparatus
CN103905189A (en) Method and system for certificateless and pairing-free identity-based proxy signcryption
CN100452695C (en) Elliptic curve encryption and decryption method and apparatus
US20150006900A1 (en) Signature protocol
Zhang et al. A novel efficient group signature scheme with forward security
EP1571778A1 (en) Method for generating fair blind signatures
Huang et al. Partially blind ECDSA scheme and its application to bitcoin
Li et al. Group-oriented (t, n) threshold digital signature schemes with traceable signers
EP1025674A1 (en) Signature verification for elgamal schemes
Chang et al. Threshold untraceable signature for group communications
CA2306282C (en) Accelerated signature verification on an elliptic curve
KR19980045017A (en) Multi-Signature Method and its Modular Value Generation Method
JPH11212455A (en) Method and system for proving identity of original ordinary text from plural cipher texts

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term
CX01 Expiry of patent term

Granted publication date: 20081203