CN106712968A - Secret key acquiring method, digital signature method and devices

Publication number: CN106712968A
Authority: CN (China)
Prior art keywords: byte, key, difference, elliptic curve, value
Legal status: Granted
Application number: CN201710098244.1A
Other languages: Chinese (zh)
Other versions: CN106712968B (en)
Inventor: 李增局
Current Assignee: Beijing Intelligent Cloud Measurement Information Technology Co., Ltd.; Beijing wisdom cloud Measuring Technology Co., Ltd.
Original Assignee: Beijing Wisdom Cloud Measuring Technology Co Ltd
Application filed by Beijing Wisdom Cloud Measuring Technology Co Ltd
Priority to CN201710098244.1A
Publication of CN106712968A
Application granted
Publication of CN106712968B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a key acquisition method, a digital signature method and corresponding devices. The key acquisition method comprises: setting the highest byte position of the key as the target byte position and carrying out the following byte value acquisition operation: performing a digital signature according to a generated pseudo key, and recording the first elliptic curve point generated and the signature result; performing signature verification according to the signature result, and recording the second elliptic curve point generated; according to the difference between the first elliptic curve point and the second elliptic curve point, searching a preset byte value range for the byte difference between the key and the pseudo key at the target byte position, and setting a value range for the byte value; determining the byte value of the target byte position of the key according to the value range; then setting a new target byte position and continuing the byte value acquisition operation until the byte values of all byte positions of the key have been acquired, and determining the byte values of all byte positions as the key.

Description

Key acquisition method, digital signature method and device
Technical field
The present invention relates to the technical field of cryptographic algorithms, and in particular to a key acquisition method, a digital signature method and corresponding devices.
Background
The SM2 elliptic curve public key cryptographic algorithm is a relatively advanced and secure cryptographic algorithm. In point multiplication, given the multiple point and the base point, solving for the multiplier is the elliptic curve discrete logarithm problem. Compared with the large-integer factorization problem and the discrete logarithm problem over finite fields, the elliptic curve discrete logarithm problem is much harder to solve. Therefore, for the same level of security, elliptic curve cryptography needs a much smaller key size than other public key cryptosystems.
When developing a digital signature algorithm based on SM2, the security of the signature algorithm needs to be tested. Existing test methods mainly inject certain erroneous data during the digital signature process, obtain the signature verification result, and then judge whether the key used in the signature algorithm can be obtained, in order to determine whether the signature algorithm meets the security standard. However, this way of obtaining the key usually requires the random number produced during signing to lie within a certain range, and this restriction greatly reduces the effectiveness and practicability of testing the digital signature algorithm.
No effective solution has yet been proposed for the problem that the above way of obtaining the key is heavily restricted.
Summary of the invention
In view of this, the object of the invention is to provide a key acquisition method, a digital signature method and corresponding devices, so as to reduce the restrictions on the way the key is obtained.
In a first aspect, an embodiment of the invention provides a key acquisition method, the key being used in a digital signature algorithm based on the SM2 elliptic curve public key cryptographic algorithm. The method includes: setting the highest byte position of the key as the target byte position and carrying out the following byte value acquisition operation: changing the data at the target byte position by physical means to generate a pseudo key with the same byte length as the key, where the physical means include laser irradiation or electrophoresis stimulation; performing a digital signature according to the pseudo key, and recording the first elliptic curve point generated during signing and the signature result; performing signature verification according to the signature result, and recording the second elliptic curve point generated during verification; according to the difference between the first elliptic curve point and the second elliptic curve point, searching a preset byte value range for the byte difference between the key and the pseudo key at the target byte position; setting, according to the byte difference, the value range of the byte value of the target byte position of the key; determining the byte value of the target byte position of the key according to the value range; and setting the byte position following the target byte position as the new target byte position and continuing the byte value acquisition operation until the byte values of all byte positions of the key have been obtained, the byte values of all byte positions then being determined as the key.
With reference to the first aspect, an embodiment of the invention provides a first possible implementation of the first aspect, in which searching the preset byte value range for the byte difference between the key and the pseudo key at the target byte position, according to the difference between the first elliptic curve point and the second elliptic curve point, includes: setting the initial value of the byte difference to d = 00 and carrying out the following byte difference search operation: judging whether the coordinates of [d*2^248*r mod n]G for the byte difference d are equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point; where (x1, y1) = [k]G is the first elliptic curve point; (x1', y1') is the second elliptic curve point; r = (e + x1) mod n; Z_A is the hash value of the distinguishing identifier of user A, part of the elliptic curve system parameters and user A's public key; M is the message to be signed; H_v() is a cryptographic hash function with a message digest length of v bits; e is the output of the cryptographic hash function acting on message M; mod n is the modulo-n operation; n is the order of the base point G; if not, updating d = d + 1 and continuing the byte difference search operation until d = FF; if so, recording the byte difference.
Alternatively: setting the initial value of the byte difference to d = -01 and carrying out the following byte difference search operation: judging whether the coordinates of [d*2^248*r mod n]G for the byte difference d are equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point; where (x1, y1) = [k]G is the first elliptic curve point; (x1', y1') is the second elliptic curve point; r = (e + x1) mod n; Z_A is the hash value of the distinguishing identifier of user A, part of the elliptic curve system parameters and user A's public key; M is the message to be signed; H_v() is a cryptographic hash function with a message digest length of v bits; e is the output of the cryptographic hash function acting on message M; mod n is the modulo-n operation; n is the order of the elliptic curve base point G; (r, s) is the signature sent; x || y is the concatenation of x and y; if not, updating d = d - 1 and continuing the byte difference search operation until d = -FF; if so, recording the byte difference.
With reference to the first possible implementation of the first aspect, an embodiment of the invention provides a second possible implementation of the first aspect, in which the second elliptic curve point (x1', y1') is obtained as follows:
(x1', y1') = [s']G + [t]P_A = [s' + t*d_A]G = [s' + (s' + r)*d_A]G = [(1 + d_A)s' + r*d_A]G = [k - r*d_A' + r*d_A]G;
where P_A = [d_A]G; (r', s') is the signature received; t = (r' + s') mod n; P_A is the public key of user A; d_A is the private key of user A; d_A' is the pseudo key; k is the random number produced by the random number generator, and k ∈ [1, n-1]; [k]G = (r - e) mod n.
Alternatively:
(x1', y1') = [s' + t*d_A]G = [s' + (s' + r)*d_A]G = [(1 + d_A)s' + r*d_A]G = [(1 + d_A)(1 + d_A')^-1 (k - r*d_A) + r*d_A]G = [k + (d_A - d_A')(k - r*d_A)]G = [k]G + [(d_A - d_A')k]G - [(d_A - d_A')r]P_A;
where (r', s') is the signature received; t = (r' + s') mod n; P_A is the public key of user A; d_A is the private key of user A; d_A' is the pseudo key; k is the random number produced by the random number generator, and k ∈ [1, n-1]; [k]G = (r - e) mod n.
With reference to the first aspect, an embodiment of the invention provides a third possible implementation of the first aspect, in which setting the value range of the byte value of the target byte position of the key according to the byte difference includes: setting the value range of the byte value d1 = d + d2 of the target byte position of the key to M = [d, FF]; where d is the byte difference, and d >= 0; d2 is the byte value of the target byte position of the pseudo key; d2, d1 and d are two-digit hexadecimal numbers, and 0 <= d2 <= FF. Alternatively: setting the value range of the byte value d1 = d + d2 of the target byte position of the key to M = [00, FF + d]; where d is the byte difference, and d <= 0; d2 is the byte value of the target byte position of the pseudo key; d2, d1 and d are two-digit hexadecimal numbers, and 0 <= d2 <= FF.
With reference to the first aspect, an embodiment of the invention provides a fourth possible implementation of the first aspect, in which determining the byte value of the target byte position of the key according to the value range includes: judging whether the maximum and the minimum of the value range are the same; if not, continuing the byte value acquisition operation; if so, determining the maximum and/or minimum as the byte value of the target byte position of the key.
In a second aspect, an embodiment of the invention provides a digital signature method. The method includes: concatenating the received message M to be signed with the pre-stored Z_A to obtain the concatenation result; where Z_A is the hash value of the distinguishing identifier of user A, part of the elliptic curve system parameters and user A's public key; and carrying out the following signature generation operation: processing the concatenation result with the cryptographic hash function to obtain the output of the cryptographic hash function acting on message M; where H_v() is a cryptographic hash function with a message digest length of v bits; obtaining a random number k from the random number generator; where k ∈ [1, n-1] and n is the order of the elliptic curve base point G; obtaining the first elliptic curve point (x1, y1) = [k]G; obtaining r = (e + x1) mod n; judging whether r = 0 or r + k = n holds; if so, repeating the signature generation operation; if not, obtaining s = ((1 + d_A)^-1 * (k - r*d_A)) mod n; where (1 + d_A)^-1 and d_A are pre-stored data and d_A is the private key of user A; judging whether s is equal to 0; if s is equal to 0, repeating the signature generation operation; if s is not equal to 0, determining the digital signature result (r, s).
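The signing steps of the second aspect, as an added Python example (not code from the patent): d_A and (1 + d_A)^-1 are stored together and only read during signing, and the retry conditions r = 0, r + k = n and s = 0 are applied. SHA-256 stands in for H_v (SM2 specifies SM3), and the key, Z_A, message and all function names are constructed for the illustration. `fault_demo` shows that a signature computed from a d_A whose highest byte was altered no longer verifies against the real public key, which is the mismatch between the first and second elliptic curve points that the test method looks for.

```python
import hashlib
import secrets

# SM2 recommended curve y^2 = x^3 + ax + b over F_p, base point G of order N.
P = 2**256 - 2**224 - 2**96 + 2**64 - 1
A = P - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

# Constructed sample values, not taken from the patent.
D_A = 0x59276E27D506861A16680F3AD9C02DCCEF3CC1FA3CDBE4CE6D54B80DEAC1BC21
Z_A = b"constructed Z_A placeholder"
MESSAGE = b"message to be signed"


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add [k]point; fine for a demonstration, not constant time."""
    result, k = None, k % N
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def digest(z_a, message):
    """e = H_v(Z_A || M); SHA-256 is an assumption standing in for SM3."""
    return int.from_bytes(hashlib.sha256(z_a + message).digest(), "big")


def make_key(d_a):
    """Pre-store d_A together with (1 + d_A)^-1 mod n and the public key."""
    if not 1 <= d_a <= N - 2:
        raise ValueError("d_A must lie in [1, n-2]")
    return {"d": d_a, "inv": pow(1 + d_a, -1, N), "pub": scalar_mult(d_a, G)}


def sign(d_a, inv, z_a, message, rand=None):
    """Signature generation with the stored inverse and the three retries."""
    rand = rand or (lambda: secrets.randbelow(N - 1) + 1)  # k in [1, n-1]
    e = digest(z_a, message)
    while True:
        k = rand()
        x1, _ = scalar_mult(k, G)          # first elliptic curve point
        r = (e + x1) % N
        if r == 0 or r + k == N:
            continue
        s = inv * (k - r * d_a) % N
        if s == 0:
            continue
        return r, s


def verify(pub, z_a, message, sig):
    """Recompute the second elliptic curve point and compare R with r."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    t = (r + s) % N
    if t == 0:
        return False
    point = point_add(scalar_mult(s, G), scalar_mult(t, pub))
    return point is not None and (digest(z_a, message) + point[0]) % N == r


def fault_demo(new_top_byte=0x1C):
    """Sign once with the stored d_A and once with its highest byte altered."""
    key = make_key(D_A)
    pseudo = (new_top_byte << 248) | (key["d"] & ((1 << 248) - 1))
    good = sign(key["d"], key["inv"], Z_A, MESSAGE)
    bad = sign(pseudo, key["inv"], Z_A, MESSAGE)
    return (verify(key["pub"], Z_A, MESSAGE, good),
            verify(key["pub"], Z_A, MESSAGE, bad))
```

`fault_demo()` returns `(True, False)`: the signature made from the intact stored values verifies, the one made from the altered byte does not.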
In a third aspect, an embodiment of the invention provides a key acquisition device, the key being used in a digital signature algorithm based on the SM2 elliptic curve public key cryptographic algorithm. The device includes: a target byte position setting module, for setting the highest byte position of the key as the target byte position and carrying out the following byte value acquisition operation; a pseudo key generation module, for changing the data at the target byte position by physical means to generate a pseudo key with the same byte length as the key, where the physical means include laser irradiation or electrophoresis stimulation; a digital signature module, for performing a digital signature according to the pseudo key and recording the first elliptic curve point generated during signing and the signature result; a signature verification module, for performing signature verification according to the signature result and recording the second elliptic curve point generated during verification; a byte difference search module, for searching a preset byte value range for the byte difference between the key and the pseudo key at the target byte position, according to the difference between the first elliptic curve point and the second elliptic curve point; a value range setting module, for setting the value range of the byte value of the target byte position of the key according to the byte difference; a byte value determining module, for determining the byte value of the target byte position of the key according to the value range; and a key determining module, for setting the byte position following the target byte position as the new target byte position and continuing the byte value acquisition operation until the byte values of all byte positions of the key have been obtained, the byte values of all byte positions then being determined as the key.
With reference to the third aspect, an embodiment of the invention provides a first possible implementation of the third aspect, in which the byte difference search module includes: a first initial value setting unit, for setting the initial value of the byte difference to d = 00 and carrying out the following byte difference search operation; a first judging unit, for judging whether the coordinates of [d*2^248*r mod n]G for the byte difference d are equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point; where (x1, y1) = [k]G is the first elliptic curve point; (x1', y1') is the second elliptic curve point; r = (e + x1) mod n; Z_A is the hash value of the distinguishing identifier of user A, part of the elliptic curve system parameters and user A's public key; M is the message to be signed; H_v() is a cryptographic hash function with a message digest length of v bits; e is the output of the cryptographic hash function acting on message M; mod n is the modulo-n operation; n is the order of the base point G; a first updating unit, for updating d = d + 1 and continuing the byte difference search operation until d = FF, if the coordinates of [d*2^248*r mod n]G are not equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point; and a first recording unit, for recording the byte difference if the coordinates of [d*2^248*r mod n]G are equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point.
Alternatively: a second initial value setting unit, for setting the initial value of the byte difference to d = -01 and carrying out the following byte difference search operation; a second judging unit, for judging whether the coordinates of [d*2^248*r mod n]G for the byte difference d are equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point; where (x1, y1) = [k]G is the first elliptic curve point; (x1', y1') is the second elliptic curve point; r = (e + x1) mod n; Z_A is the hash value of the distinguishing identifier of user A, part of the elliptic curve system parameters and user A's public key; M is the message to be signed; H_v() is a cryptographic hash function with a message digest length of v bits; e is the output of the cryptographic hash function acting on message M; mod n is the modulo-n operation; n is the order of the elliptic curve base point G; (r, s) is the signature sent; x || y is the concatenation of x and y; a second updating unit, for updating d = d - 1 and continuing the byte difference search operation until d = -FF, if the coordinates of [d*2^248*r mod n]G are not equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point; and a second recording unit, for recording the byte difference if the coordinates of [d*2^248*r mod n]G are equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point.
With reference to the third aspect, an embodiment of the invention provides a second possible implementation of the third aspect, in which the byte value determining module includes: a third judging unit, for judging whether the maximum and the minimum of the value range are the same; a continuing operation unit, for continuing the byte value acquisition operation if the maximum and the minimum of the value range differ; and a byte value determining unit, for determining the maximum and/or minimum as the byte value of the target byte position of the key if the maximum and the minimum of the value range are the same.
In a fourth aspect, an embodiment of the invention provides a digital signature device. The device includes: a concatenation module, for concatenating the received message M to be signed with the pre-stored Z_A to obtain the concatenation result; where Z_A is the hash value of the distinguishing identifier of user A, part of the elliptic curve system parameters and user A's public key; the following signature generation operation then being carried out: a processing module, for processing the concatenation result with the cryptographic hash function to obtain the output of the cryptographic hash function acting on message M; where H_v() is a cryptographic hash function with a message digest length of v bits; a random number acquisition module, for obtaining a random number k from the random number generator; where k ∈ [1, n-1] and n is the order of the elliptic curve base point G; a first elliptic curve point acquisition module, for obtaining the first elliptic curve point (x1, y1) = [k]G; an r acquisition module, for obtaining r = (e + x1) mod n; a first judging module, for judging whether r = 0 or r + k = n holds; a first continuing operation module, for repeating the signature generation operation if r = 0 or r + k = n holds; an s acquisition module, for obtaining s = ((1 + d_A)^-1 * (k - r*d_A)) mod n if neither r = 0 nor r + k = n holds; where (1 + d_A)^-1 and d_A are pre-stored data and d_A is the private key of user A; a second judging module, for judging whether s is equal to 0; a second continuing operation module, for repeating the signature generation operation if s is equal to 0; and a digital signature result determining module, for determining the digital signature result (r, s) if s is not equal to 0.
The embodiments of the present invention bring the following beneficial effects:
In the key acquisition method provided by an embodiment of the invention, signing and signature verification are carried out according to a generated pseudo key, which yields the first elliptic curve point generated during signing and the second elliptic curve point generated during verification. According to the difference between the first elliptic curve point and the second elliptic curve point, the byte difference between the key and the pseudo key at the target byte position is searched for, and the value range of the byte value of the target byte position of the key is set; the byte value of the target byte position of the key can then be determined from that value range. Once the byte values of all byte positions of the key have been obtained, they are determined as the key. This approach greatly reduces the restrictions on the way the key is obtained, and is broadly applicable and practicable for keys of the SM2 elliptic curve public key cryptographic algorithm. When the key acquisition method is used to test the resistance to differential fault analysis of a digital signature algorithm based on the SM2 elliptic curve public key cryptographic algorithm, it can effectively find vulnerabilities in that digital signature algorithm and thereby improve its security.
In the digital signature method provided by an embodiment of the invention, the private key d_A of user A and (1 + d_A)^-1 are stored in advance, so that the user can directly access the data d_A and (1 + d_A)^-1 during digital signing. Compared with the prior-art approach of computing (1 + d_A)^-1 in real time, this approach can defend against key acquisition operations carried out while d_A is being read, improving the security and reliability of the digital signature method.
Other features and advantages of the present invention will be set out in the following description, and will in part become apparent from the description or be understood by implementing the invention. The objects and other advantages of the invention are realized and obtained by the structures specifically pointed out in the description, the claims and the drawings.
To make the above objects, features and advantages of the present invention clearer, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To illustrate the specific embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for describing the specific embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a key acquisition method provided by an embodiment of the invention;
Fig. 2 is a flow chart of a digital signature method provided by an embodiment of the invention;
Fig. 3 is a structural diagram of a key acquisition device provided by an embodiment of the invention;
Fig. 4 is a structural diagram of a digital signature device provided by an embodiment of the invention.
Detailed description
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions of the invention are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
In view of the problem that the way of obtaining the key in the prior art is heavily restricted, the embodiments of the invention provide a key acquisition method, a digital signature method and corresponding devices. The technique can be used to test the resistance to differential fault analysis of a digital signature algorithm based on the SM2 elliptic curve public key cryptographic algorithm implemented in an embedded system or a smart card chip. It can be implemented with the relevant software and hardware, and is described below by way of embodiments.
Embodiment one:
Fig. 1 shows a flow chart of a key acquisition method, the key being used in a digital signature algorithm based on the SM2 elliptic curve public key cryptographic algorithm. The method comprises the following steps:
Step S102: set the highest byte position of the key as the target byte position, and carry out the following byte value acquisition operation:
Step S104: change the data at the target byte position by physical means to generate a pseudo key with the same byte length as the key. The physical means include laser irradiation or electrophoresis stimulation. When the data at the target byte position is changed by physical means, the change is random and also unknown. Because the key used in the SM2 elliptic curve public key cryptographic algorithm is 32 bytes long, the randomly generated pseudo key is also 32 bytes long.
Step S106: perform a digital signature according to the pseudo key, and record the first elliptic curve point generated during signing and the signature result.
Step S108: perform signature verification according to the signature result, and record the second elliptic curve point generated during verification.
Step S110: according to the difference between the first elliptic curve point and the second elliptic curve point, search a preset byte value range for the byte difference between the key and the pseudo key at the target byte position.
In practice, both the key and the generated pseudo key are unknown. However, in digital signing and signature verification based on the SM2 elliptic curve public key cryptographic algorithm, the specific elliptic curve, the field over which the curve is defined and the modulus parameters of the curve are all fixed. Therefore, from the difference between the first elliptic curve point generated when signing with the pseudo key and the second elliptic curve point generated during verification, the byte difference between the real key and the pseudo key at the target byte position can be found by search.
Further, because the elliptic curve is built on discrete points, it is difficult to solve for the coefficient from the coordinate values; a forward search can therefore be used, for example 00, 01, 02, ..., FF.
Step S112: according to the byte difference, set the value range of the byte value of the target byte position of the key.
Step S114: determine the byte value of the target byte position of the key according to the value range.
The byte values of the target byte position of the key and of the pseudo key both range over 00-FF. For a given key, each generated pseudo key yields one byte difference, and that byte difference narrows the possible value range of the byte value of the key's target byte position. After pseudo keys have been generated repeatedly, the possible value range therefore shrinks step by step and converges on the byte value of the key's target byte position; since the byte value is a positive hexadecimal number, the byte value of the target byte position of the key is thereby obtained.
Step S116: set the byte position following the target byte position as the new target byte position and continue the byte value acquisition operation until the byte values of all byte positions of the key have been obtained; the byte values of all byte positions are then determined as the key.
In the key acquisition method provided by an embodiment of the invention, signing and signature verification are carried out according to a generated pseudo key, which yields the first elliptic curve point generated during signing and the second elliptic curve point generated during verification. According to the difference between the first elliptic curve point and the second elliptic curve point, the byte difference between the key and the pseudo key at the target byte position is searched for, and the value range of the byte value of the target byte position of the key is set; the byte value of the target byte position of the key can then be determined from that value range. Once the byte values of all byte positions of the key have been obtained, they are determined as the key. This approach greatly reduces the restrictions on the way the key is obtained, and is broadly applicable and practicable for keys of the SM2 elliptic curve public key cryptographic algorithm. When the key acquisition method is used to test the resistance to differential fault analysis of a digital signature algorithm based on the SM2 elliptic curve public key cryptographic algorithm, it can effectively find vulnerabilities in that digital signature algorithm and thereby improve its security.
Since the byte difference may be positive or negative, the search, within the preset byte value range, for the byte difference between the key and the pseudo key at the target byte position, based on the difference between the first elliptic curve point and the second elliptic curve point, can be implemented as follows. In this mode the byte difference is searched from 00 up to FF:
(1) set the initial value of the byte difference to d = 00 and carry out the following byte difference search operation:
(2) determine whether the coordinates of [d*2^248*r mod n]G for byte difference d are equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point; where (x1, y1) = [k]G is the first elliptic curve point; (x1', y1') is the second elliptic curve point; r = (e + x1) mod n; ZA is the hash value of user A's distinguishing identifier, part of the elliptic curve system parameters and user A's public key; M is the message to be signed; Hv() is a cryptographic hash function with a message digest length of v bits; e is the output value of the cryptographic hash function acting on message M; mod n is the modulo-n operation; n is the order of base point G;
(3) if not, update d = d + 1 and continue the byte difference search operation above, until d = FF;
(4) if so, record the byte difference.
The search, within the preset byte value range, for the byte difference between the key and the pseudo key at the target byte position, based on the difference between the first elliptic curve point and the second elliptic curve point, can also be implemented as follows. In this mode the byte difference is searched from -01 down to -FF:
(1) set the initial value of the byte difference to d = -01 and carry out the following byte difference search operation:
(2) determine whether the coordinates of [d*2^248*r mod n]G for byte difference d are equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point; where (x1, y1) = [k]G is the first elliptic curve point; (x1', y1') is the second elliptic curve point; r = (e + x1) mod n; ZA is the hash value of user A's distinguishing identifier, part of the elliptic curve system parameters and user A's public key; M is the message to be signed; Hv() is a cryptographic hash function with a message digest length of v bits; e is the output value of the cryptographic hash function acting on message M; mod n is the modulo-n operation; n is the order of elliptic curve base point G; (r, s) is the signature sent; x || y is the concatenation of x and y;
(3) if not, update d = d - 1 and continue the byte difference search operation above, until d = -FF;
(4) if so, record the byte difference.
This search method efficiently obtains the byte difference that matches the difference between the first elliptic curve point and the second elliptic curve point.
During signature verification, the second elliptic curve point (x1', y1') can be obtained in several ways. Mode one: (x1', y1') = [s']G + [t]PA = [s' + t*dA]G = [s' + (s'+r)*dA]G = [(1+dA)s' + r*dA]G = [k - r*dA' + r*dA]G; where PA = [dA]G; (r', s') is the received signature; t = (r' + s') mod n; PA is the public key of user A; dA is the private key of user A; dA' is the pseudo key; k is the random number produced by the random number generator, with k ∈ [1, n-1]; [k]G = (r-e) mod n;
Mode two: (x1', y1') = [s' + t*dA]G = [s' + (s'+r)*dA]G = [(1+dA)s' + r*dA]G = [(1+dA)(1+dA')^-1(k - r*dA) + r*dA]G = [k + (dA-dA')(k - r*dA)]G = [k]G + [(dA-dA')k]G - [(dA-dA')r]PA; where (r', s') is the received signature; t = (r' + s') mod n; PA is the public key of user A; dA is the private key of user A; dA' is the pseudo key; k is the random number produced by the random number generator, with k ∈ [1, n-1]; [k]G = (r-e) mod n.
Specifically, in mode one the pseudo key is introduced during the modular multiplication of the digital signature algorithm; in mode two the pseudo key is introduced during the inversion step of the digital signature algorithm.
Further, setting the value range of the byte value at the target byte position of the key according to the byte difference depends on the sign of the byte difference and can be done as follows. Mode one: set the value range of the byte value d1 = d + d2 at the target byte position of the key to M = [d, FF]; where d is the byte difference and d >= 0; d2 is the byte value at the target byte position of the pseudo key; d2, d1 and d are two-digit hexadecimal numbers, and 0 <= d2 <= FF;
Mode two: set the value range of the byte value d1 = d + d2 at the target byte position of the key to M = [00, FF+d]; where d is the byte difference and d <= 0; d2 is the byte value at the target byte position of the pseudo key; d2, d1 and d are two-digit hexadecimal numbers, and 0 <= d2 <= FF.
Further, determining the byte value at the target byte position of the key from the value range comprises the following steps: (1) determine whether the maximum and the minimum of the value range are the same; (2) if not, continue the byte value acquisition operation; (3) if so, determine the maximum and/or minimum to be the byte value at the target byte position of the key.
For example, when d = -0x33, M1 = [00, CC]; the value range of d1 has thus shrunk. A pseudo key is then generated at random again and another byte difference is obtained; for example, when d = 0x78, M2 = [78, FF]; and when d = -0x87, M3 = [-87, 78]. From the intersection of M2 and M3 the byte value d1 at the target byte position of the key can be determined.
The method above obtains the byte values of the key efficiently and accurately, and from them the complete key, and is highly practicable.
Embodiment two:
Referring to the flowchart of a digital signature method shown in Fig. 2, the method can defend against key acquisition carried out with the key acquisition method provided in Embodiment one above. The method comprises the following steps:
Step S202: concatenate the received message M to be signed with the prestored ZA to obtain the concatenation result; where ZA is the hash value of user A's distinguishing identifier, part of the elliptic curve system parameters and user A's public key;
Carry out the following operations to generate the signature result:
Step S204: process the concatenation result with the cryptographic hash function to obtain the output value of the cryptographic hash function acting on message M; where Hv() is a cryptographic hash function with a message digest length of v bits;
Step S206: obtain a random number k from the random number generator; where k ∈ [1, n-1]; n is the order of elliptic curve base point G;
Step S208: obtain the first elliptic curve point (x1, y1) = [k]G;
Step S210: obtain r = (e + x1) mod n;
Step S212: determine whether r = 0 or r + k = n holds; if so, perform step S204; if not, perform step S214;
Step S214: obtain s = ((1+dA)^-1 (k - r*dA)) mod n; where (1+dA)^-1 and dA are prestored data; dA is the private key of user A;
Step S216: determine whether s is equal to 0; if s is equal to 0, perform step S204; if s is not equal to 0, perform step S218;
Step S218: determine the digital signature result (r, s).
In the digital signature method provided by this embodiment of the invention, the private key dA of user A and (1+dA)^-1 are stored in advance, so that the user can directly obtain dA and (1+dA)^-1 while signing. Compared with computing (1+dA)^-1 in real time as in the prior art, this approach can defend against key acquisition operations carried out while dA is being read, improving the security and reliability of the digital signature method.
Embodiment three:
Corresponding to the key acquisition method provided in Embodiment one and the digital signature method provided in Embodiment two, this embodiment of the invention provides a differential fault injection test method and a defense method for the SM2 signature algorithm process.
Existing embedded cryptographic devices, for example smart cards and USB keys, are implemented on a hardware platform with software programming. With the attack methods proposed in the 1990s, people gradually realized that the security of a cryptographic algorithm depends not only on its mathematical security; the implementation of the devices that support the algorithm can also threaten its security. Many researchers in the field have proposed various side-channel attack methods, which can make it easy for an attacker to obtain the key of a cryptographic algorithm. These common methods include: timing attacks, power analysis, electromagnetic radiation analysis, acoustic analysis, probe analysis, analysis exploiting test circuits, cache attacks, fault injection attacks, and EMI analysis methods. At present the most effective of these side-channel attack methods include power analysis and fault injection attacks.
Fault injection goes back to the classic attack on the CRT-RSA algorithm proposed by Dan Boneh et al. in 1997. In 1997, Eli Biham and Adi Shamir (the latter also one of the inventors of the RSA algorithm) published a fault analysis method for symmetric cryptographic algorithms and for the first time proposed the attack method named Differential Fault Analysis (DFA), a name still in use today. In 2002 came a practical experimental attack on the CRT-RSA algorithm: C. Aumuller et al. of Infineon, building on the fault analysis models proposed by scholars, attacked the CRT-RSA algorithm in practice and succeeded. In the same year, P. Dusart et al. carried out a systematic analysis of fault injection against AES. They held that an attack on AES cannot simply borrow the approach used against DES, because the two differ in their operational structure. At the CHES conference in 2008, David Vigilant proposed a new implementation of the CRT-RSA algorithm. In 2010, Jean-Sébastien Coron et al. found, by analysis, theoretical weaknesses in the protection algorithms proposed in the literature.
The SM2 algorithm is based on elliptic curves. At present, attacks on elliptic curves mainly start from three angles. The first manipulates the operations on the elliptic curve group so that the computation takes place on a new group with weak security. This attack can be defended against by checking whether the result lies on the elliptic curve. In the second, Blömer et al. assume that the sign of an intermediate value can be changed. With this attack the result is still a valid point on the elliptic curve, so the defense just mentioned no longer works and a more complex defense is needed to resist it. The third is the safe-error mode: to defend against simple power analysis, elliptic curve implementations usually use the double-and-add-always method, in which some additions are redundant. An attacker can inject transient faults into these additions and observe whether an erroneous result is produced; if it is, the addition is effective, and if not, the addition is redundant, so the value of each bit can be confirmed step by step.
Most current differential fault injection tests for the SM2 signature algorithm are not practicable. The test method proposed by the present invention for differential fault injection against the SM2 signature algorithm is practicable, and it has a certain universality across current implementations of the SM2 signature algorithm. In addition, a suggested defense method is proposed for this differential fault injection test method, which can effectively defend against various fault injection attacks.
To describe the test method and the defense method for differential fault injection against the SM2 signature algorithm clearly, the SM2 signature algorithm is introduced first. The SM2 algorithm is based on elliptic curves. The algorithm specifies a particular elliptic curve; the field of the curve and the parameters of its additive group are all fixed. The digital signature process is as follows:
A1: set M = ZA || M;
A2: compute e = Hv(M);
A3: use the random number generator to produce a random number k in [1, n-1];
A4: compute the elliptic curve point (x1, y1) = [k]G;
A5: compute r = (e + x1) mod n; if r = 0 or r + k = n, return to A3;
A6: compute s = ((1+dA)^-1 (k - r*dA)) mod n; if s = 0, return to A3.
The (r, s) obtained by this process is the signature result.
The signature verification process is as follows:
B1: check whether r' is in [1, n-1]; if not, verification fails;
B2: check whether s' is in [1, n-1]; if not, verification fails;
B3: set M' = ZA || M';
B4: compute e = Hv(M');
B5: compute t = (r' + s') mod n; if t = 0, verification fails;
B6: compute the elliptic curve point (x1', y1') = [s']G + [t]PA;
B7: compute R = (e + x1') mod n and check r' == R; if it holds, verification passes, otherwise it fails.
None of the prior-art fault injection methods for elliptic curve cryptography mentioned above is practicable against the SM2 signature algorithm. These methods all target step A4 of the signing process and also require that the random number k used in step A4 be fixed and reusable. As step A3 shows, k is a random number generated afresh each time, so none of these fault injection methods is practicable.
In view of the particular nature of elliptic curve based digital signature algorithms, Jorn-Marc Schmidt et al. proposed a fault injection method for ECDSA. This method cannot be applied to the SM2 signature algorithm either: first, the algorithm flow it applies to differs from the flow of the SM2 algorithm; in addition, the assumptions of the attack proposed by its authors are rather strict, requiring the injected fault to change the code flow, which is not practicable.
To sum up, this embodiment of the invention provides a first differential fault injection test method for the SM2 signature algorithm process, which targets step A6 of the SM2 digital signature algorithm. In step A6, (1+dA)^-1 can be stored as a constant or computed from dA; then the value of r*dA is computed ("*" denotes multiplication in this embodiment), then the value of (k - r*dA) mod n, and finally the modular multiplication of the two big numbers, (1+dA)^-1 (k - r*dA). The test scheme injects a fault while r*dA is being computed.
The dA used by SM2 is 32 bytes long, written d31 d30 … d1 d0, where d31 is the most significant byte of dA and d0 is the least significant byte. In a smart card or embedded system, dA is stored byte by byte in Flash or EEPROM; during computation, the system reads dA from Flash or EEPROM. Suppose a fault is injected into byte d31 during the test. Then the result of r*dA is written r*dA', and (dA - dA') = (d31', 0, …, 0, 0), where d31' is the difference between the first bytes of dA and dA'. Note that since the relative magnitude of dA and dA' is not known, d31' can carry a sign. Substituting dA' into the computation of step A6 gives s'.
The signature result (r, s') is then substituted into the verification process, giving (x1', y1') = [s']G + [t]PA, with PA = [dA]G. Substituting gives (x1', y1') = [s' + t*dA]G = [s' + (s'+r)*dA]G = [(1+dA)s' + r*dA]G = [k - r*dA' + r*dA]G. The x-coordinate of [k]G is known to be (r-e) mod n, so the difference between [k]G and (x1', y1') can be computed, namely: [k]G - (x1', y1') = [r*dA' - r*dA]G = [r*(d31', 0, …, 0, 0)]G.
Because elliptic curves rest on the discrete logarithm problem, it is hard to solve for the scalar from the coordinate values. A forward search is therefore used, and two cases must be analysed: d31' positive and d31' negative. When d31' is positive, the value is used directly; when d31' is negative, (d31', 0, …, 0, 0) must be replaced by n - (|d31'|, 0, …, 0, 0), where |d31'| is the absolute value and n is the order of the elliptic curve, a fixed constant.
During the search, the first byte of private key d runs from 0x00 to 0xFF with the other bytes padded with 0, and the point multiple of the product of that value and r is computed (0x denotes hexadecimal); then the difference between n and d is computed, and the point multiple of the product of that value and r is computed. Observing which of all 256*2 values equals the obtained [k]G - (x1', y1') gives the current fault value.
Assume the fault model is completely random, i.e. for a single byte, whatever the value of d31, d31' can be any value in 0x00-0xFF. From the analysis above, for a fixed value d31 the value of (dA' - dA) can only be 00, 01, …, d31, n-1, n-2, …, n+0xFF-d31. Therefore, when faults occur often enough, the value of the first byte can be approached using the differences.
The test process is illustrated by the following example:
The order of the SM2 algorithm is n = 0xFFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123;
Let dA = 0x787968B4 FA32C3FD 2417842E 73BBFEFF 2F3C848B 6831D7E0 EC65228B 3937E498;
A fault is injected into the most significant byte of dA, rewriting d31 as AB, i.e.
dA' = 0xAB7968B4 FA32C3FD 2417842E 73BBFEFF 2F3C848B 6831D7E0 EC65228B 3937E498;
Then d31' = -0x33.
To find the key value of d31, first compute whether the coordinates of [0x00*2^248*r mod n]G are equal to [k]G - (x1', y1'). Then compute whether the coordinates of [0x01*2^248*r mod n]G are equal to [k]G - (x1', y1'), and so on up to whether the coordinates of [0xFF*2^248*r mod n]G are equal to [k]G - (x1', y1'). Since d31' may be negative, search likewise whether the coordinates of [(n - 0x00*2^248)*r mod n]G are equal to [k]G - (x1', y1'); then whether the coordinates of [(n - 0x01*2^248)*r mod n]G are equal to [k]G - (x1', y1'); and finally whether the coordinates of [(n - 0xFF*2^248)*r mod n]G are equal to [k]G - (x1', y1').
Searching in turn through these 256*2 values, it is found that the point coordinates of [(n - 0x33*2^248)*r mod n]G are equal to [k]G - (x1', y1'). It follows that d31' = -0x33. Given this value, the value of d31 should be less than 0xCC, because when d31 is greater than 0xCC no fault value can make d31' = -0x33.
A fault is injected again; if a fault occurs, the value of d31' is determined in the same way and is used to narrow the range of byte d31. If the faults produce d31' = 0x78 and d31' = -0x87, the value of byte d31 can be determined to be 0x78.
The other bytes are analysed in the same way as the first byte; applying this procedure to all bytes in turn yields the key used by the SM2 signature algorithm.
The method is highly practicable. First, the scheme does not inject faults into the elliptic curve scalar multiplication of the signing process but into the operations on the private key; the scalar of the point multiplication is a random number, whereas the private key is a fixed value, so fault injection against the private key is more practical. Second, the fault model used by the scheme is also very workable. Data is copied and processed inside a smart card in units of bytes or words, so a fault is likely to hit one such unit, and the scheme only needs the position of the byte to be confirmed, so the fault injection is not difficult. The practicability of the algorithm is therefore very high. The byte model can also be extended to a word model; the search space grows for the word model, but the method remains very workable.
This embodiment of the invention provides a second differential fault injection test method for the SM2 signature algorithm process. The method targets step A6 of the SM2 digital signature algorithm and assumes that, while the signature value s is being computed, the value of 1+dA is computed first and a fault is injected into dA during that computation. The faulty dA is written dA'; substituting dA' into the verification process gives: (x1', y1') = [s' + t*dA]G = [s' + (s'+r)*dA]G = [(1+dA)s' + r*dA]G = [(1+dA)(1+dA')^-1(k - r*dA) + r*dA]G = [k + (dA-dA')(k - r*dA)]G = [k]G + [(dA-dA')k]G - [(dA-dA')r]PA; where PA is the public key and [k]G equals (r-e) mod n. The analysis is similar to that of the first differential fault injection test method for the SM2 signature algorithm process: using the sign of the byte difference, the key value of each byte can be obtained, and from these the value of the whole key.
This embodiment of the invention also provides a defense method against the differential fault injection test methods for the SM2 signature algorithm process. To defend against side-channel power analysis, some designs mask r*dA mod n, for example as r*dA = x*r*dA*x^-1, where x is a random number. The analysis above shows, however, that this defense cannot stop the attack on dA described here. Only by not operating on dA directly in the computation can fault injection against dA be defended against. Likewise, masking only (1+dA)^-1 cannot resist the detection method described here either, because dA is still operated on directly.
The detection method above mainly injects a fault at the moment dA is used. To defend against this detection attack, dA must not be operated on directly during the signing computation. For example, s = ((1+dA)^-1 (k - r*dA)) mod n = ((1+dA)^-1 k - (1+dA)^-1 * r*dA) mod n = ((1+dA)^-1 (k+r) - r) mod n. Here (1+dA)^-1 has to be precomputed as part of the key and stored in the chip. With this flow there is no longer any point at which dA is used directly, which prevents the detection attack used here.
This defense method achieves a defense against the detection method above; and since this implementation does not significantly increase the time complexity or space complexity of the algorithm, the defense method is workable and easy to implement.
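The rewritten step A6 described above, as an added example (not code from the patent): the hardened form takes only the stored constant (1+dA)^-1, never dA, and is checked against the step-A6 formula. The values of n and dA are the ones from the worked example on this page; the function names are hypothetical, and the [1, n-2] range check on dA is the SM2 key-generation rule, assumed here rather than stated on the page.

```python
import random

# Order n of the SM2 base point G and the sample private key dA, both copied
# from the worked example on this page.
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
D_A = 0x787968B4FA32C3FD2417842E73BBFEFF2F3C848B6831D7E0EC65228B3937E498


def provision_inverse(d_a, n=N):
    """Personalisation-time step (hypothetical helper): derive (1+dA)^-1 mod n.

    Meant to run once, off-card; only the returned constant is stored in the
    chip. dA = n-1 is rejected because 1+dA would be 0 mod n (no inverse).
    """
    if not 1 <= d_a <= n - 2:
        raise ValueError("dA must lie in [1, n-2]")
    inv = pow(1 + d_a, -1, n)          # modular inverse, Python 3.8+
    if (1 + d_a) * inv % n != 1:       # consistency check before storing
        raise ValueError("inverse check failed")
    return inv


def s_reference(d_a, k, r, n=N):
    """Step A6 as written: s = (1+dA)^-1 * (k - r*dA) mod n.

    dA is an operand twice here (in 1+dA and in r*dA), which is exactly where
    the two test methods on this page inject their faults.
    """
    return pow(1 + d_a, -1, n) * (k - r * d_a) % n


def s_hardened(inv_1_plus_d, k, r, n=N):
    """Rewritten step A6: s = ((1+dA)^-1 * (k + r) - r) mod n.

    The only key-dependent operand is the stored constant; dA is never read.
    """
    return (inv_1_plus_d * (k + r) - r) % n


def sign_scalar_part(inv_1_plus_d, r, k, n=N):
    """Apply the A5/A6 retry conditions around the hardened formula.

    Returns s, or None when the signer must draw a new k
    (r = 0, r + k = n, or s = 0).
    """
    if r == 0 or (r + k) % n == 0:
        return None
    s = s_hardened(inv_1_plus_d, k, r, n)
    return s if s != 0 else None


def equivalence_holds(trials=200, seed=1):
    """Compare both formulas on constructed (k, r) pairs; True if all agree."""
    rng = random.Random(seed)          # constructed sample inputs
    inv = provision_inverse(D_A)
    for _ in range(trials):
        k = rng.randrange(1, N)        # k in [1, n-1]
        r = rng.randrange(0, N)        # r = (e + x1) mod n, any residue
        if s_hardened(inv, k, r) != s_reference(D_A, k, r):
            return False
    return True


if __name__ == "__main__":
    print("formulas agree:", equivalence_holds())
```

The identity holds because k - r*dA = (k + r) - r*(1+dA), so multiplying by (1+dA)^-1 leaves (1+dA)^-1*(k+r) - r.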
This embodiment of the invention makes it possible to test the fault injection defenses of an SM2 signature algorithm, and the method can effectively find vulnerabilities in implementations of the SM2 signature algorithm. The present invention also points out the vulnerabilities of a series of implementations and, on that basis, gives effective measures for defending against fault injection, ensuring the security of systems based on the SM2 signature algorithm.
Embodiment four:
Referring to the structural diagram of a key acquisition device shown in Fig. 3, the key is used in a digital signature algorithm based on the SM2 elliptic curve public key cryptographic algorithm, and the device comprises the following parts:
A target byte position setting module 302, for setting the most significant byte position of the key as the target byte position and carrying out the following byte value acquisition operation:
A pseudo key generation module 304, for changing the data at the target byte position by physical means to generate a pseudo key with the same byte length as the key; where the physical means include laser irradiation or electrophoresis stimulation;
A digital signature module 306, for signing with the pseudo key and recording the first elliptic curve point generated during signing and the signature result;
A signature verification module 308, for verifying the digital signature according to the signature result and recording the second elliptic curve point generated during verification;
A byte difference search module 310, for searching, within the preset byte value range, for the byte difference between the key and the pseudo key at the target byte position, based on the difference between the first elliptic curve point and the second elliptic curve point;
A value range setting module 312, for setting the value range of the byte value at the target byte position of the key according to the byte difference;
A byte value determining module 314, for determining the byte value at the target byte position of the key from the value range;
A key determining module 316, for setting the byte position following the target byte position as the new target byte position and continuing the byte value acquisition operation above until the byte values of all byte positions of the key have been obtained, and determining the byte values of all byte positions to be the key.
In the key acquisition device provided by this embodiment of the invention, digital signing and signature verification are performed with the generated pseudo key, which yields the first elliptic curve point generated during signing and the second elliptic curve point generated during verification. From the difference between the first elliptic curve point and the second elliptic curve point, the byte difference between the key and the pseudo key at the target byte position is searched for, and the value range of the byte value at the target byte position of the key is set; the byte value at the target byte position of the key can then be determined from that value range. Once the byte values of all byte positions of the key have been obtained, they are determined to be the key. This approach greatly reduces the restrictions on how the key can be acquired and has good universality and practicability for keys of the SM2 elliptic curve public key cryptographic algorithm. When the key acquisition method is applied to testing how well a digital signature algorithm based on the SM2 elliptic curve public key cryptographic algorithm resists differential fault analysis, it can effectively find vulnerabilities in that digital signature algorithm and thereby improve its security.
Since the byte difference may be positive or negative, the byte difference search module includes: (1) a first initial value setting unit, for setting the initial value of the byte difference to d = 00 and carrying out the following byte difference search operation; (2) a first judging unit, for determining whether the coordinates of [d*2^248*r mod n]G for byte difference d are equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point; where (x1, y1) = [k]G is the first elliptic curve point; (x1', y1') is the second elliptic curve point; r = (e + x1) mod n; ZA is the hash value of user A's distinguishing identifier, part of the elliptic curve system parameters and user A's public key; M is the message to be signed; Hv() is a cryptographic hash function with a message digest length of v bits; e is the output value of the cryptographic hash function acting on message M; mod n is the modulo-n operation; n is the order of base point G; (3) a first updating unit, for updating d = d + 1 and continuing the byte difference search operation above until d = FF, if the coordinates of [d*2^248*r mod n]G for byte difference d are not equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point; (4) a first recording unit, for recording the byte difference if the coordinates of [d*2^248*r mod n]G for byte difference d are equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point;
The byte difference search module also includes: (1) a second initial value setting unit, for setting the initial value of the byte difference to d = -01 and carrying out the following byte difference search operation; (2) a second judging unit, for determining whether the coordinates of [d*2^248*r mod n]G for byte difference d are equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point; where (x1, y1) = [k]G is the first elliptic curve point; (x1', y1') is the second elliptic curve point; r = (e + x1) mod n; ZA is the hash value of user A's distinguishing identifier, part of the elliptic curve system parameters and user A's public key; M is the message to be signed; Hv() is a cryptographic hash function with a message digest length of v bits; e is the output value of the cryptographic hash function acting on message M; mod n is the modulo-n operation; n is the order of elliptic curve base point G; (r, s) is the signature sent; x || y is the concatenation of x and y; (3) a second updating unit, for updating d = d - 1 and continuing the byte difference search operation above until d = -FF, if the coordinates of [d*2^248*r mod n]G for byte difference d are not equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point; (4) a second recording unit, for recording the byte difference if the coordinates of [d*2^248*r mod n]G for byte difference d are equal to the difference [k]G - (x1', y1') between the first elliptic curve point and the second elliptic curve point.
This search method efficiently obtains the byte difference that matches the difference between the first elliptic curve point and the second elliptic curve point.
Further, the byte value determining module includes: (1) a third judging unit, for determining whether the maximum and the minimum of the value range are the same; (2) a continue-operation unit, for continuing the byte value acquisition operation if the maximum and the minimum of the value range differ; (3) a byte value determining unit, for determining the maximum and/or minimum to be the byte value at the target byte position of the key if the maximum and the minimum of the value range are the same. The method above obtains the byte values of the key efficiently and accurately, and from them the complete key, and is highly practicable.
Embodiment five:
Referring to the structural diagram of a digital signature device shown in Fig. 4, the device comprises the following parts:
A concatenation module 402, for concatenating the received message M to be signed with the prestored ZA to obtain the concatenation result; where ZA is the hash value of user A's distinguishing identifier, part of the elliptic curve system parameters and user A's public key;
Carry out the following operations to generate the signature result:
A processing module 404, for processing the concatenation result with the cryptographic hash function to obtain the output value of the cryptographic hash function acting on message M; where Hv() is a cryptographic hash function with a message digest length of v bits;
A random number acquisition module 406, for obtaining a random number k from the random number generator; where k ∈ [1, n-1]; n is the order of elliptic curve base point G;
A first elliptic curve point acquisition module 408, for obtaining the first elliptic curve point (x1, y1) = [k]G;
An r acquisition module 410, for obtaining r = (e + x1) mod n;
A first judging module 412, for determining whether r = 0 or r + k = n holds; if so, the operations to generate the signature result are continued;
An s acquisition module 414, for obtaining s = ((1+dA)^-1 (k - r*dA)) mod n if neither r = 0 nor r + k = n holds; where (1+dA)^-1 and dA are prestored data; dA is the private key of user A;
A second judging module 416, for determining whether s is equal to 0; if s is equal to 0, the operations to generate the signature result are continued;
A digital signature result determining module 418, for determining the digital signature result (r, s) if s is not equal to 0.
In the digital signature device provided by this embodiment of the invention, the private key dA of user A and (1+dA)^-1 are stored in advance, so that the user can directly obtain dA and (1+dA)^-1 while signing. Compared with computing (1+dA)^-1 in real time as in the prior art, this approach can defend against key acquisition operations carried out while dA is being read, improving the security and reliability of the digital signature method.
The present invention proposes two effective detection methods for testing the effectiveness of the fault-injection defenses of the SM2 signature algorithm. Both schemes are convenient to operate and are significantly improved compared with previous detection schemes. The present invention also proposes an effective scheme for defending against the two detection methods; the scheme is very low-cost and easy to implement, and does not affect the implementation efficiency of the SM2 signature algorithm.
The computer program product of the key acquisition method, digital signature method and devices provided by the embodiments of the present invention includes a computer-readable storage medium storing program code. The instructions included in the program code can be used to perform the methods described in the foregoing method embodiments; for the specific implementation, refer to the method embodiments, which are not repeated here.
If the functions are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
Finally, it should be noted that the embodiments described above are only specific embodiments of the present invention, intended to illustrate its technical solutions rather than to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that anyone skilled in the art may, within the technical scope disclosed by the present invention, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes, or make equivalent replacements of some of the technical features; such modifications, changes or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A key acquisition method, characterized in that the key is used in a digital signature algorithm based on the SM2 elliptic curve public key cryptographic algorithm, the method comprising:
Setting the highest byte position of the key as the target byte position, and performing the following byte value acquisition operation:
Changing the data at the target byte position by physical means to generate a pseudo key having the same byte length as the key; wherein the physical means include laser irradiation or electrophoresis stimulation;
Performing a digital signature using the pseudo key, and recording the first elliptic curve point generated during the digital signature process and the signature result;
Performing signature verification of the digital signature according to the signature result, and recording the second elliptic curve point generated during verification;
According to the difference between the first elliptic curve point and the second elliptic curve point, searching a preset byte value range for the byte difference between the key and the pseudo key at the target byte position;
Setting the value range of the byte value of the target byte position of the key according to the byte difference;
Determining the byte value of the target byte position of the key according to the value range;
Setting the next byte position after the target byte position as the new target byte position, and continuing the above byte value acquisition operation until the byte values of all byte positions of the key have been obtained, and determining the byte values of all byte positions as the key.
2. The method according to claim 1, characterized in that searching the preset byte value range for the byte difference between the key and the pseudo key at the target byte position, according to the difference between the first elliptic curve point and the second elliptic curve point, comprises:
Setting the initial value of the byte difference to d = 00, and performing the following byte difference search operation:
Judging whether the coordinates of $[d \cdot 2^{248} \cdot r \bmod n]G$ for the byte difference d are equal to the difference $[k]G - (x_1', y_1')$ between the first elliptic curve point and the second elliptic curve point; wherein $(x_1, y_1) = [k]G$ is the first elliptic curve point; $(x_1', y_1')$ is the second elliptic curve point; $r = (e + x_1) \bmod n$; $Z_A$ is the hash value of user A's distinguishing identifier, part of the elliptic curve system parameters, and user A's public key; M is the message to be signed; $H_v()$ is a cryptographic hash function with a message digest length of v bits; e is the output value of the cryptographic hash function acting on message M; mod n is the modulo-n operation; n is the order of the base point G;
If not, updating d = d + 1 and continuing the above byte difference search operation until d = FF;
If so, recording the byte difference;
Or:
Setting the initial value of the byte difference to d = -01, and performing the following byte difference search operation:
Judging whether the coordinates of $[d \cdot 2^{248} \cdot r \bmod n]G$ for the byte difference d are equal to the difference $[k]G - (x_1', y_1')$ between the first elliptic curve point and the second elliptic curve point; wherein $(x_1, y_1) = [k]G$ is the first elliptic curve point; $(x_1', y_1')$ is the second elliptic curve point; $r = (e + x_1) \bmod n$; $Z_A$ is the hash value of user A's distinguishing identifier, part of the elliptic curve system parameters, and user A's public key; M is the message to be signed; $H_v()$ is a cryptographic hash function with a message digest length of v bits; e is the output value of the cryptographic hash function acting on message M; mod n is the modulo-n operation; n is the order of the elliptic curve base point G; (r, s) is the signature sent; x || y is the concatenation of x and y;
If not, updating d = d - 1 and continuing the above byte difference search operation until d = -FF;
If so, recording the byte difference.
3. The method according to claim 2, characterized in that the second elliptic curve point $(x_1', y_1')$ is obtained in the following manner:
$(x_1', y_1') = [s']G + [t]P_A = [s' + t \cdot d_A]G = [s' + (s' + r) \cdot d_A]G = [(1 + d_A)s' + r \cdot d_A]G = [k - r \cdot d_A' + r \cdot d_A]G$; wherein $P_A = [d_A]G$; $(r', s')$ is the signature received; $t = (r' + s') \bmod n$; $P_A$ is the public key of user A; $d_A$ is the private key of user A; $d_A'$ is the pseudo key; k is the random number produced by the random number generator, and $k \in [1, n-1]$; $[k]G = (r - e) \bmod n$;
Or:
$(x_1', y_1') = [s' + t \cdot d_A]G = [s' + (s' + r) \cdot d_A]G = [(1 + d_A)s' + r \cdot d_A]G = [(1 + d_A)(1 + d_A')^{-1}(k - r \cdot d_A) + r \cdot d_A]G = [k + (d_A - d_A')(k - r \cdot d_A)]G = [k]G + [(d_A - d_A')k]G - [(d_A - d_A')r]P_A$; wherein $(r', s')$ is the signature received; $t = (r' + s') \bmod n$; $P_A$ is the public key of user A; $d_A$ is the private key of user A; $d_A'$ is the pseudo key; k is the random number produced by the random number generator, and $k \in [1, n-1]$; $[k]G = (r - e) \bmod n$.
4. The method according to claim 1, characterized in that setting the value range of the byte value of the target byte position of the key according to the byte difference comprises:
Setting the value range of the byte value $d_1 = d + d_2$ of the target byte position of the key to M = [d, FF]; wherein d is the byte difference, and $d \ge 0$; $d_2$ is the byte value of the target byte position of the pseudo key; $d_2$, $d_1$ and d are two-digit hexadecimal numbers, and $0 \le d_2 \le$ FF;
Or:
Setting the value range of the byte value $d_1 = d + d_2$ of the target byte position of the key to M = [00, FF + d]; wherein d is the byte difference, and $d \le 0$; $d_2$ is the byte value of the target byte position of the pseudo key; $d_2$, $d_1$ and d are two-digit hexadecimal numbers, and $0 \le d_2 \le$ FF.
5. The method according to claim 1, characterized in that determining the byte value of the target byte position of the key according to the value range comprises:
Judging whether the maximum value and the minimum value in the value range are identical;
If not, continuing the byte value acquisition operation;
If so, determining that the maximum value and/or the minimum value is the byte value of the target byte position of the key.
6. A digital signature method, characterized in that the method comprises:
Splicing the received message M to be signed with the prestored $Z_A$ to obtain a splicing result; wherein $Z_A$ is the hash value of user A's distinguishing identifier, part of the elliptic curve system parameters, and user A's public key;
Performing the following operation of generating a signature result:
Processing the splicing result with a cryptographic hash function to obtain the output value of the cryptographic hash function acting on message M; wherein $H_v()$ is a cryptographic hash function with a message digest length of v bits;
Obtaining a random number k from a random number generator; wherein $k \in [1, n-1]$ and n is the order of the elliptic curve base point G;
Obtaining the first elliptic curve point $(x_1, y_1) = [k]G$;
Obtaining $r = (e + x_1) \bmod n$;
Judging whether r = 0 or r + k = n holds;
If so, continuing the above operation of generating a signature result;
If not, obtaining $s = ((1 + d_A)^{-1}(k - r \cdot d_A)) \bmod n$; wherein $(1 + d_A)^{-1}$ and $d_A$ are prestored data, and $d_A$ is the private key of user A;
Judging whether s is equal to 0;
If s is equal to 0, continuing the above operation of generating a signature result;
If s is not equal to 0, determining the digital signature result (r, s).
7. A key acquisition device, characterized in that the key is used in a digital signature algorithm based on the SM2 elliptic curve public key cryptographic algorithm, the device comprising:
A target byte position setting module, for setting the highest byte position of the key as the target byte position and performing the following byte value acquisition operation:
A pseudo key generation module, for changing the data at the target byte position by physical means to generate a pseudo key having the same byte length as the key; wherein the physical means include laser irradiation or electrophoresis stimulation;
A digital signature module, for performing a digital signature using the pseudo key, and recording the first elliptic curve point generated during the digital signature process and the signature result;
A signature verification module, for performing signature verification of the digital signature according to the signature result, and recording the second elliptic curve point generated during verification;
A byte difference search module, for searching a preset byte value range, according to the difference between the first elliptic curve point and the second elliptic curve point, for the byte difference between the key and the pseudo key at the target byte position;
A value range setting module, for setting the value range of the byte value of the target byte position of the key according to the byte difference;
A byte value determining module, for determining the byte value of the target byte position of the key according to the value range;
A key determining module, for setting the next byte position after the target byte position as the new target byte position, and continuing the above byte value acquisition operation until the byte values of all byte positions of the key have been obtained, and determining the byte values of all byte positions as the key.
8. The device according to claim 7, characterized in that the byte difference search module comprises:
A first initial value setting unit, for setting the initial value of the byte difference to d = 00 and performing the following byte difference search operation:
A first judging unit, for judging whether the coordinates of $[d \cdot 2^{248} \cdot r \bmod n]G$ for the byte difference d are equal to the difference $[k]G - (x_1', y_1')$ between the first elliptic curve point and the second elliptic curve point; wherein $(x_1, y_1) = [k]G$ is the first elliptic curve point; $(x_1', y_1')$ is the second elliptic curve point; $r = (e + x_1) \bmod n$; $Z_A$ is the hash value of user A's distinguishing identifier, part of the elliptic curve system parameters, and user A's public key; M is the message to be signed; $H_v()$ is a cryptographic hash function with a message digest length of v bits; e is the output value of the cryptographic hash function acting on message M; mod n is the modulo-n operation; n is the order of the base point G;
A first updating unit, for updating d = d + 1 and continuing the above byte difference search operation until d = FF, if the coordinates of $[d \cdot 2^{248} \cdot r \bmod n]G$ for the byte difference d are not equal to the difference $[k]G - (x_1', y_1')$ between the first elliptic curve point and the second elliptic curve point;
A first recording unit, for recording the byte difference if the coordinates of $[d \cdot 2^{248} \cdot r \bmod n]G$ for the byte difference d are equal to the difference $[k]G - (x_1', y_1')$ between the first elliptic curve point and the second elliptic curve point;
Or:
A second initial value setting unit, for setting the initial value of the byte difference to d = -01 and performing the following byte difference search operation:
A second judging unit, for judging whether the coordinates of $[d \cdot 2^{248} \cdot r \bmod n]G$ for the byte difference d are equal to the difference $[k]G - (x_1', y_1')$ between the first elliptic curve point and the second elliptic curve point; wherein $(x_1, y_1) = [k]G$ is the first elliptic curve point; $(x_1', y_1')$ is the second elliptic curve point; $r = (e + x_1) \bmod n$; $Z_A$ is the hash value of user A's distinguishing identifier, part of the elliptic curve system parameters, and user A's public key; M is the message to be signed; $H_v()$ is a cryptographic hash function with a message digest length of v bits; e is the output value of the cryptographic hash function acting on message M; mod n is the modulo-n operation; n is the order of the elliptic curve base point G; (r, s) is the signature sent; x || y is the concatenation of x and y;
A second updating unit, for updating d = d - 1 and continuing the above byte difference search operation until d = -FF, if the coordinates of $[d \cdot 2^{248} \cdot r \bmod n]G$ for the byte difference d are not equal to the difference $[k]G - (x_1', y_1')$ between the first elliptic curve point and the second elliptic curve point;
A second recording unit, for recording the byte difference if the coordinates of $[d \cdot 2^{248} \cdot r \bmod n]G$ for the byte difference d are equal to the difference $[k]G - (x_1', y_1')$ between the first elliptic curve point and the second elliptic curve point.
9. The device according to claim 7, characterized in that the byte value determining module comprises:
A third judging unit, for judging whether the maximum value and the minimum value in the value range are identical;
A continuing operation unit, for continuing the byte value acquisition operation if the maximum value and the minimum value in the value range are not identical;
A byte value determining unit, for determining that the maximum value and/or the minimum value is the byte value of the target byte position of the key if the maximum value and the minimum value in the value range are identical.
10. A digital signature device, characterized in that the device comprises:
A splicing module, for splicing the received message M to be signed with the prestored $Z_A$ to obtain a splicing result; wherein $Z_A$ is the hash value of user A's distinguishing identifier, part of the elliptic curve system parameters, and user A's public key;
The following operation of generating a signature result is performed:
A processing module, for processing the splicing result with a cryptographic hash function to obtain the output value of the cryptographic hash function acting on message M; wherein $H_v()$ is a cryptographic hash function with a message digest length of v bits;
A random number acquisition module, for obtaining a random number k from a random number generator; wherein $k \in [1, n-1]$ and n is the order of the elliptic curve base point G;
A first elliptic curve point acquisition module, for obtaining the first elliptic curve point $(x_1, y_1) = [k]G$;
An R acquisition module, for obtaining $r = (e + x_1) \bmod n$;
A first judging module, for judging whether r = 0 or r + k = n holds;
A first continuing operation module, for continuing the above operation of generating a signature result if r = 0 or r + k = n holds;
An S acquisition module, for obtaining $s = ((1 + d_A)^{-1}(k - r \cdot d_A)) \bmod n$ if neither r = 0 nor r + k = n holds; wherein $(1 + d_A)^{-1}$ and $d_A$ are prestored data, and $d_A$ is the private key of user A;
A second judging module, for judging whether s is equal to 0;
A second continuing operation module, for continuing the above operation of generating a signature result if s is equal to 0;
A digital signature result determining module, for determining the digital signature result (r, s) if s is not equal to 0.
CN201710098244.1A 2017-02-22 2017-02-22 Key acquisition method, digital signature method and device Active CN106712968B (en)

Publications (2)

Publication Number Publication Date
CN106712968A true CN106712968A (en) 2017-05-24
CN106712968B CN106712968B (en) 2019-08-30

Family

ID=58911944

Country Status (1)

Country Link
CN (1) CN106712968B (en)

Also Published As

Publication number Publication date
CN106712968B (en) 2019-08-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Li Zengju

Inventor after: Su Junheng

Inventor after: Shi Ruhui

Inventor after: Li Wenbao

Inventor after: Chen Baishun

Inventor after: Zhang Ce

Inventor after: Li Haibin

Inventor after: An Dao

Inventor after: Huang Tianning

Inventor after: Jiang Xiao

Inventor before: Li Zengju

TA01 Transfer of patent application right

Effective date of registration: 20180123

Address after: 102308 room 701, room 7, courtyard 98, lotus Stone Lake, gate head District, Peking City

Applicant after: Beijing wisdom cloud Measuring Technology Co., Ltd.

Applicant after: Beijing Intelligent Cloud Measurement Information Technology Co., Ltd.

Address before: Room 701, room 7, courtyard No. 98, lotus Stone Lake West Road, Beijing, Beijing

Applicant before: Beijing wisdom cloud Measuring Technology Co., Ltd.

GR01 Patent grant