CN106612182B - SM2 white-box digital signature implementation method based on remainder system - Google Patents

Abstract

The invention provides a method for realizing SM2 white-box digital signature based on a remainder system. The method is developed aiming at the problem that the key is unsafe to operate in an untrusted environment and a malicious attacker can obtain the system key through a white box attack means, and the size of a key table is reduced by splitting a large number through a remainder system; ensuring that intermediate results are invisible to an attacker by using scrambling; the unknown property of the terminal key operation relation is ensured by using the random factor of the cloud, the security of a signature private key in the terminal signature operation process is realized, and meanwhile, the standard SM2 signature verification algorithm can be used for verification. The invention has the advantages of small required storage space, high calculation efficiency, good safety and strong practicability.

Description

SM2 white-box digital signature implementation method based on remainder system

Technical Field

The invention relates to the technical field of information security, in particular to an SM2 white-box digital signature implementation method based on a remainder system.

Background

In the existing software encryption algorithm, keys are directly appeared in the memory of a computing platform, and an attacker can steal the keys through malicious software and the like and cannot deal with the existing white-box attack means; the existing hardware encryption algorithm can better ensure the security of key calculation, but has higher relative use cost and poorer universality, and cannot be used in part of application scenes with relatively lower security requirements; meanwhile, part of research organizations propose a software encryption algorithm based on a cloud plus part secret key and a secret key distributed storage strategy, but the cloud plus part strategy cannot resist the leakage of a local private key and also solves the authentication problem of a cloud terminal and a terminal.

Disclosure of Invention

In order to solve the problems, the invention provides a method for realizing SM2 white-box digital signature based on a remainder system, which is suitable for a system comprising a client and a serverThe system modulus is n and the auxiliary modulus is m_rThe method is characterized by comprising the following steps of:

the client selects a public key P and a private key d, selects a remainder system, and has a prime number base of β ═ P₁,p₂,…,p_t) The dynamic range of the radical β satisfies ω ═ p₁p₂p₃…p_t≥2⁷⁶⁸。

Step two: the client generates a first private key lookup table and a second private key lookup table. The specific method comprises the following steps:

step 2.1: two nonlinear key replacement tables are randomly selected and respectively recorded as Sbox1 and Sbox2, and the client ID and the Sbox1 of the client are sent to the server for storage through the public key of the server.

Step 2.2: converting public key P to P using remainder system_i(i ═ 1, …, t, r) and generates a first private key look-up Table_1,i(i-1, …, t, r) by the following method: random traversal generates two random numbers N₁And N₂In which N is₂,N₁∈[1,n-1]Respectively converted into N by a remainder system_1iAnd N_2iCalculating u_i＝sbox2(N_1,i×sbox1^-1(sbox1(N_2,i))modp_i) Will traverse all u's generated_iAs a Table Table_1,i(i ═ 1, …, t, r).

Step 2.3: generating a second private key lookup Table Table Using private key d and remainder System_2,i(i-1, …, t, r) by the following method: random traversal generates two random numbers L₁And L₂Wherein L is₂,L₁∈[1,n-1]Respectively converted into L by a remainder system_1iAnd L_2iWhile converting the private key d to d_iCalculating s_i＝d_i×(sbox2^-1(L_1i)-L_2i×d_i)mod p_iWill traverse all s generated_iAs a Table Table_2,i(i ═ 1, …, t, r);

step three: the client carries out signature, and the specific method comprises the following steps:

step 3.1: client computing M | | Z_A(ii) a Wherein M is a signature message, Z_AIs the identity of the client.

Step 3.2: the client end calculates the message digest e as H by using the hash function_v(M’)。

Step 3.3 client generates first random number k₁∈[1,n-1]；

Step 3.4: client-side calculation of elliptic curve point Q₁＝[k₁]G, and e and Q₁Sending the data to a server; wherein the content of the first and second substances,

step 3.5, the server generates a second random number k₂∈[1,n-1]；

Step 3.6, the server calculates the elliptic curve point (x)₁，y₁)＝[k₂]*Q₁；

Step 3.7: the server calculates a first partial signature r ═ (x)₁+ e) mod n, a second random number k₂Based on the radical { β | p_rDenoted by the remainder system as k₂＝(k_2,1,…,k_2,t|k_2,r) Obfuscating by Sbox1, then adding r to

Sbox1(k₂)＝[sbox1(k_2,1),sbox1(k_2,2),…,sbox1(k_2,t)|sbox1(k_2,r)]And sending the data to the client.

Step 3.8: the client end sends the first random number K₁And r is based on the radicals { β | p_rDenoted by the remainder system as k₁＝(k_1,1,k_1,2,…,k_1,t|k_1,r) And r ═ r (r)₁,r₂,…,r_t|r_r)；

Step 3.9: client uses first private key lookup Table (Table)_1,i(i-1, …, t, r) calculating an intermediate value u_i＝sbox2(k_1,i×sbox1^-1(sbox1(k_2,i))modp_i)。

Fourthly, the client uses the second private key to look up the Table_2,i(i-1, …, t, r) calculating s_i＝d_i×(sbox2^-1(u_i)-r_i×d_i)mod p_iIn the middle ofKey d_ATable hidden in second private key lookup Table_2,iIn (1).

Step 4.1: the client recovers s by using the Chinese remainder theorem.

Step 4.2: the client calculates s '═ s mod n, and s' is the second partial signature value.

Step five: outputting the message M and the signature.

G is a base point selected from the elliptic curve.

Further, each random number is generated using a random number generator.

The invention has the beneficial effects that:

(1) during the signature operation process of the client, the complete plaintext of the private key cannot appear in hardware equipment such as a memory, and the like, so that the white-box attack security of the running of the cryptographic algorithm is ensured.

(2) The method only needs 207.5MB of inner layer size, and the requirement of storage space is small.

(3) The realization method has the advantages of basically consistent signature efficiency with the original SM2 algorithm and higher practicability.

(4) The use cost of the commercial cryptographic algorithm can be reduced by using white-box software, and the use range of the commercial cryptographic algorithm is expanded.

(5) The white-box software algorithm is used, the encryption and decryption safety is guaranteed, meanwhile, the universality is high, and no special requirements are needed for operating platform hardware.

Drawings

Fig. 1 is a schematic flow chart of signature performed by a client.

Detailed Description

The design concept of the invention is as follows: research is carried out aiming at the problem that the key is unsafe to operate in an untrusted environment and a malicious attacker can obtain the system key through a white box attack means, and the size of a key table is reduced by using a remainder system to split a large number; ensuring that intermediate results are invisible to an attacker by using scrambling; the unknown property of the terminal key operation relation is ensured by using the random factor of the cloud, the security of a signature private key in the terminal signature operation process is realized, and meanwhile, the standard SM2 signature verification algorithm can be used for verification.

The invention is constructed based on the digital signature algorithm of the national commercial cipher algorithm SM2, the SM2 digital signature algorithm is requested to participate in the management standard issued by the national commercial cipher administration, and simultaneously, the invention also uses a typical mathematical tool, namely a remainder system, and the detailed description is as follows:

the remainder system can be defined as assuming that there exists a remainder system consisting of a set of mutually prime remainder bases β ═ m₁,m₂,…,m_kIs determined, M ═ M₁m₂…m_kFor any integer x ≦ M, it may be uniquely represented under β as (x) for this set of bases₁,x₂,…,x_k) Wherein x is_iIs x to m_iThe result of the modulo is recorded as

For remainder systems, there is only a unique representation if the integer x is within the dynamic range.

It is assumed that the integers x, y are each represented by x ═ x (x) under the group β₁,x₂,…,x_k) And ═ y₁,y₂,…,y_k) And then:

wherein, "°" is +, -,. times.operation.

Systematic representation of the remainder for x (x)₁,x₂,…,x_k) From the Chinese remainder theorem:

α therein<k,M_i＝M/m_i，

Is M_iIn the mold m_iα is obtained by selecting a suitable auxiliary modulus m_rCome and restoreWherein m is_rK +1 or more and gcd (M, M)_r) 1. Let x_rIs x to m_rThe modulo result of (c), namely:

then:

because α<k<m_rTherefore, it is

For any integer x, can be in the extension base

The lower is represented by (x)₁,x₂,…,x_k|x_r) Referred to as extended RNS representation.

The system applicable to the method comprises the client and the server. The client, i.e. the user executing the digital signature algorithm, whose operating environment is not trusted, and the server, which is a cooperative signing party, belong to a component of the key management center, which mainly provides a random factor for the client.

Assuming that the system modulus of the system is n and the auxiliary modulus is m_rThe base point of the selected elliptic curve is G, and the signature message is M, Z_AIs the identity of the client, H_vIs the digest function used (available commercially from the cryptographic standard SM3 algorithm). The method comprises 4 parts in total: (1) selecting parameters and generating a secret key; (2) generating a private key table; (3) calculating a signature; (4) and (5) checking and calculating. Wherein (1) and (4) are both performed with reference to the national commercial SM2 digital signature algorithm standard.

The specific steps of the invention are described as follows:

the client selects a public key d and a private key P, selects a remainder system, and has a prime number base of β ═ p₁,p₂,…,p_t) The dynamic range of the radical β satisfies ω ═ p₁p₂p₃…p_t≥2⁷⁶⁸。

Step two: the client generates a first private key lookup table and a second private key lookup table. The specific method comprises the following steps:

step 2.1: two nonlinear key replacement tables (which are consistent with an S box used in a symmetric cryptographic algorithm) are randomly selected and recorded as Sbox1 and Sbox2 respectively, and the client ID and the Sbox1 of the server are sent to the server for storage through the public key of the server.

Step 2.2: converting public key P to P using remainder system_i(i ═ 1, …, t, r) and generates a first private key look-up Table_1,i(i-1, …, t, r) by the following method: random traversal generates two random numbers N₁And N₂In which N is₂,N₁∈[1,n-1]Respectively converted into N by a remainder system_1iAnd N_2iCalculating u_i＝sbox2(N_1,i×sbox1^-1(sbox1(N_2,i))modp_i) Will traverse all u's generated_iAs a Table Table_1,i(i ═ 1, …, t, r).

Step 2.3: generating a second private key lookup Table Table Using private key d and remainder System_2,i(i-1, …, t, r) by the following method: random traversal generates two random numbers L₁And L₂Wherein L is₂,L₁∈[1,n-1]Respectively converted into L by a remainder system_1iAnd L_2iWhile converting the private key d to d_iCalculating s_i＝d_i×(sbox2^-1(L_1i)-L_2i×d_i)mod p_iWill traverse all s generated_iAs a Table Table_2,i(i ═ 1, …, t, r);

step three: the client carries out signature, and the specific method comprises the following steps:

step 3.1: client computing M | | Z_A(ii) a Wherein M is a signature message, Z_AIs the identity of the client.

Step 3.2: the client end calculates the message digest e as H by using the hash function_v(M’)。

Step 3.3. the client generates a first random number k with the random number generator₁∈[1,n-1]；

Step 3.4: client-side calculation of elliptic curve point Q₁＝[k₁]G, and e and Q₁Sending the data to a server; wherein the content of the first and second substances,

step 3.5 the server generates a second random number k with a random number generator₂∈[1,n-1]；

Step 3.6, the server calculates the elliptic curve point (x)₁，y₁)＝[k₂]*Q₁；

Step 3.7: the server calculates a first partial signature r ═ (x)₁+ e) mod n, a second random number k₂Based on the radical { β | p_rDenoted by the remainder system as k₂＝(k_2,1,…,k_2,t|k_2,r) Obfuscating by Sbox1, then adding r to

Sbox1(k₂)＝[sbox1(k_2,1),sbox1(k_2，2),…,sbox1(k_2,t)|sbox1(k_2,r)]And sending the data to the client.

Step 3.8: the client end sends the first random number k₁And r is based on the radicals { β | p_rDenoted by the remainder system as k₁＝(k_1,1,k_1,2,…,k_1,t|k_1,r) And r ═ r (r)₁,r₂,…,r_t|r_r)；

Step 3.9: client uses first private key lookup Table (Table)_1,i(i-1, …, t, r) calculating an intermediate value u_i＝sbox2(k_1,i×sbox1^-1(sbox1(k_2,i))modp_i)。

Fourthly, the client uses the second private key to look up the Table_2,i(i-1, …, t, r) calculating s_i＝d_i×(sbox2^-1(u_i)-r_i×d_i)mod p_iWherein the private key d_ATable hidden in second private key lookup Table_2,iIn (1).

Step 4.1: the client recovers s by using the Chinese remainder theorem.

Step 4.2: the client calculates s '═ s mod n, and s' is the second partial signature value.

Step five: outputting the message M and the signature.

Further, each random number is generated using a random number generator.

Claims (2)

1. A method for realizing SM2 white-box digital signature based on a remainder system is suitable for a system comprising a client and a server, wherein the system modulus of the system is n, and the auxiliary modulus is m_rThe method is characterized by comprising the following steps of:

the client selects a public key p and a private key d, selects a remainder system with a prime number base of β ═ p₁,p₂,…,p_t) The dynamic range of the radical β satisfies ω ═ p₁p₂p₃…p_t≥2⁷⁶⁸；

Step two: the client generates a first private key lookup table and a second private key lookup table; the specific method comprises the following steps:

step 2.1: randomly selecting two nonlinear key replacement tables which are respectively recorded as Sbox1 and Sbox2, and sending the client ID and the Sbox1 of the server to the server for storage through a public key of the server;

step 2.2: converting public key p to p using remainder system_i(i ═ 1, …, t, r) and generates a first private key look-up Table_1,i(i-1, …, t, r) by the following method: random traversal generates two random numbers N₁And N₂In which N is₂,N₁∈[1,n-1]Respectively converted into N by a remainder system_1iAnd N_2iCalculating u_i＝sbox2(N_1,i×sbox1^-1(sbox1(N_2,i))modp_i) Will traverse all u's generated_iAs a Table Table_1,i(i ═ 1, …, t, r);

step 2.3: generating a second private key lookup Table Table Using private key d and remainder System_2,i(i-1, …, t, r) by the following method: random traversal generates two random numbers L₁And L₂Wherein L is₂,L₁∈[1,n-1]Through remainder systemRespectively convert them into L_1iAnd L_2iWhile converting the private key d to d_iCalculating s_i＝d_i×(sbox2^-1(L_1i)-L_2i×d_i)mod p_iWill traverse all s generated_iAs a Table Table_2,i(i ═ 1, …, t, r);

step three: the client carries out signature, and the specific method comprises the following steps:

step 3.1: client computing M | | Z_A(ii) a Wherein M is a signature message, Z_AThe identity of the client is identified;

step 3.2: the client end calculates the message digest e as H by using the hash function_v(M’)；

Step 3.3 client generates first random number k₁∈[1,n-1]；

Step 3.4: client-side calculation of elliptic curve point Q₁＝[k₁]G, and e and Q₁Sending the data to a server; wherein the content of the first and second substances,

step 3.5, the server generates a second random number k₂∈[1,n-1]；

Step 3.6, the server calculates the elliptic curve point (x)₁，y₁)＝[k₂]*Q₁；

Step 3.7: the server calculates a first partial signature r ═ (x)₁+ e) mod n, a second random number k₂Based on the radical { β | p_rDenoted by the remainder system as k₂＝(k_2,1,…,k_2,t|k_2,r) Obfuscating by Sbox1, then r and Sbox1 (k)₂)＝[sbox1(k_2,1),sbox1(k_2,2),…,sbox1(k_2,t)|sbox1(k_2,r)]Sending the data to a client;

step 3.8: the client end sends the first random number K₁And r is based on the radicals { β | p_rDenoted by the remainder system as k₁＝(k_1,1,k_1,2,…,k_1,t|k_1,r) And r ═ r (r)₁,r₂,…,r_t|r_r)；

Step 3.9: client uses first private key lookup Table (Table)_1,i(i-1, …, t, r) calculating an intermediate valueu_i＝sbox2(k_1,i×sbox1^-1(sbox1(k_2,i))modp_i)；

Fourthly, the client uses the second private key to look up the Table_2,i(i-1, …, t, r) calculation

s_i＝d_i×(sbox2^-1(u_i)-r_i×d_i)modp_iWherein the private key d_iTable hidden in second private key lookup Table_2,iPerforming the following steps;

step 4.1: the client recovers s by using the Chinese remainder theorem;

step 4.2: the client calculates s 'as s mod n, and s' is the second partial signature value;

step five: outputting the message M and the signature;

wherein t is the number of prime number bases in the step one, and r represents an auxiliary modulus m_r；

p₁Represents the first prime radical, p₂Represents a second elementary radical, p_tRepresents the t-th prime number base;

N_1iand N_2iIs N₁And N₂Via prime radical β ═ p₁,p₂,…,p_t) The result of the conversion, in particular (N)₁₁,…,N_1i…) and (N)₂₁,…,N_2i,…)；

Hv (M ') is the hash value of M';

d_iis represented by a prime radical β ═ p₁,p₂,…,p_t) The result of the conversion, in particular (d)₁,…,d_i,…)；

G is a base point selected from the elliptic curve.

2. The SM2 white-box digital signature implementation method based on a remainder system of claim 1, wherein each random number is generated using a random number generator.

Images