Key acquisition method, digital signature method and device
Technical field
The present invention relates to cryptographic algorithm technical field, more particularly, to a kind of key acquisition method, digital signature method and
Device.
Background technology
SM2 ellipse curve public key cipher algorithms are a kind of more advanced safe cryptographic algorithms.In multi point arithmetic,
Know many times of points and basic point, the problem for solving multiple turns into elliptic curves discrete logarithm problem.With big number resolution problem and finite field
Upper offline logarithm problem is compared, and the solution difficulty of elliptic curves discrete logarithm problem is much bigger.Therefore, in identical safe coefficient
It is required that under, elliptic curve cipher is much smaller compared with the key scale needed for other public key cryptographies.
, it is necessary to test the security of signature algorithm in the research and development for carrying out the Digital Signature Algorithm based on SM2.It is existing
Some test modes are mainly injects certain wrong data during digital signature, and obtains sign test result, then sentences
The disconnected key whether being obtained in that in above-mentioned signature algorithm, to determine whether above-mentioned signature algorithm meets safety standards;However,
The mode of above-mentioned acquisition key usually requires that the random number produced in signature process has certain scope, and the limitation is substantially reduced
To the validity and exploitativeness of Digital Signature Algorithm test.
For the restricted larger problem of mode of above-mentioned acquisition key, effective solution is not yet proposed.
The content of the invention
In view of this, it is an object of the invention to provide a kind of key acquisition method, digital signature method and device, to drop
The low mode for obtaining key is restricted.
In a first aspect, the embodiment of the invention provides a kind of key acquisition method, the key is used to be based on SM2 elliptic curves
In the Digital Signature Algorithm of public key algorithm, the method includes:The highest byte position for setting key is target byte position,
Carry out following byte values and obtain operation:Using the data of physics mode change target byte position, generate and key byte length
Identical puppet key;Wherein, the physics mode includes laser irradiation mode or electrophoresis stimulation mode;Numeral is carried out according to pseudo- key
Signature, the first elliptic curve point generated in record digital signature procedure and signature result;Digital label are carried out according to signature result
The sign test of name, the second elliptic curve point generated during record sign test;According to the first elliptic curve point and the second elliptic curve
The difference of point, the byte difference of key and the target byte position of pseudo- key is searched for from the range of default byte value;According to word
Section difference, sets the span of the byte value of the target byte position of key;The target word of key is determined according to span
Save the byte value of position;The next byte location for setting target byte position is new target byte position, proceed on
State byte value and obtain operation, until the byte value of all byte locations of key is got, by the byte value of all byte locations
It is defined as key.
With reference in a first aspect, the embodiment of the invention provides the first possible implementation method of first aspect, wherein, on
The difference according to the first elliptic curve point and the second elliptic curve point is stated, key is searched for from the range of default byte value close with puppet
The byte difference of the target byte position of key includes:The initial value d=00 of byte difference is set, following byte difference search are carried out
Operation:Judge [the d*2 of byte difference d248* r mod n] whether the coordinate of G be equal to the first elliptic curve point and second oval bent
Difference [k] G- (x of line point1’,y1’);Wherein, (x1,y1)=[k] G be the first elliptic curve point;(x1’,y1') it is the second ellipse
Curve point;R=(e+x1)mod n;ZAIt is the distinguished mark on user A, part elliptical song
The Hash Value of line systematic parameter and user's A public keys;M is message to be signed;Hv() is that eap-message digest length is the password of v bits
Hash function;E is the output valve that cryptographic Hash function acts on message M;Modn is mould n computings;N is the rank of basic point G;If
It is no, d=d+1 is updated, proceed above-mentioned byte difference search operation, until d=FF;If it is, record byte difference;Or
Person;The initial value d=-01 of byte difference is set, following byte difference search operations are carried out:Judge [the d*2 of byte difference d248*
R mod n] whether the coordinate of G be equal to difference [k] G- (x of the first elliptic curve point and the second elliptic curve point1’,y1’);Its
In, (x1,y1)=[k] G be the first elliptic curve point;(x1’,y1') it is the second elliptic curve point;R=(e+x1)mod n;ZAIt is the distinguished mark on user A, part elliptical curve systematic parameter and user's A public keys
Hash Value;M is message to be signed;Hv() is that eap-message digest length is the cryptographic Hash function of v bits;E is cryptographic Hash
Function acts on the output valve of message M;Modn is mould n computings;N is the rank of elliptic curve basic point G;(r, s) is the signature for sending;
X | | y is the splicing of x and y;If not, updating d=d-1, proceed above-mentioned byte difference search operation, until d=-FF;Such as
Fruit is to record byte difference.
With reference to the first possible implementation method of first aspect, second of first aspect is the embodiment of the invention provides
Possible implementation method, wherein, above-mentioned second elliptic curve point (x1’,y1') obtained by following manner:(x1’,y1')=
[s’]G+[t]PA=[s '+t*dA] G=[s '+(s '+r) * dA]=[(1+dA)s’+r*dA] G=[k-r*dA’+r*dA]G;Its
In, PA=[dA]G;(r ', s ') it is the signature for receiving;T=(r '+s ') mod n;PAIt is the public key of user A;dAIt is the private of user A
Key;dA' it is pseudo- key;The random number that k is produced for randomizer, and k ∈ [1, n-1];[k] G=(r-e) mod n;Or
Person;(x1’,y1')=[s '+t*dA] G=[s '+(s '+r) * dA]=[(1+dA)s’+r*dA] G=[(1+dA)(1+dA’)-1(k-
r*dA)+r*dA] G=[k+ (dA-dA’)(k-r*dA)] G=[k] G+ [(dA-dA’)k]G–[(dA-dA’)r]PA;Wherein, (r ',
S ') it is the signature for receiving;T=(r '+s ') mod n;PAIt is the public key of user A;dAIt is the private key of user A;dA' it is pseudo- key;k
It is random number that randomizer is produced, and k ∈ [1, n-1];[k] G=(r-e) mod n.
With reference in a first aspect, the embodiment of the invention provides the third possible implementation method of first aspect, wherein, on
The span for stating the byte value of the target byte position that key is set according to byte difference includes:The target word of key is set
Save the byte value d of position1=d+d2Span M=[d, FF];Wherein, d is byte difference, and d >=0;d2It is pseudo- key
The byte value of target byte position;d2、d1It is hexadecimal double figures, and 0≤d with d2≤FF;Or;The mesh of key is set
Mark the byte value d of byte location1=d+d2Span M=[00, FF+d];Wherein, d is byte difference, and d≤0;D2 is
The byte value of the target byte position of pseudo- key;d2、d1It is hexadecimal double figures, and 0≤d with d2≤FF。
With reference in a first aspect, the embodiment of the invention provides the 4th kind of possible implementation method of first aspect, wherein, on
State and determine that the byte value of the target byte position of key includes according to span:Judge maximum and minimum value in span
It is whether identical;If not, proceeding byte value obtains operation;If it is, determining maximum and/or minimum value are the mesh of key
Mark the byte value of byte location.
Second aspect, the embodiment of the invention provides a kind of digital signature method, and the method includes:Waiting of receiving is signed
The message M and Z for prestoring of nameASplicing is carried out, splicing result is obtainedWherein, ZABe on
The Hash Value of the distinguished mark, part elliptical curve systematic parameter and user's A public keys of family A;Carry out following generation signature results
Operation:It is right according to cryptographic Hash functionProcessed, obtained the output valve that cryptographic Hash function acts on message MWherein, Hv() is that eap-message digest length is the cryptographic Hash function of v bits;By randomizer obtain with
Machine number k;Wherein, k ∈ [1, n-1];N is that n is the rank of elliptic curve basic point G;Obtain the first elliptic curve point (x1,y1)=[k] G;
Obtain r=(e+x1)mod n;Judge whether r=0 or r+k=n sets up;If it is, proceeding above-mentioned generation signature result
Operation;If not, obtaining s=((1+dA)-1(k-r*dA))mod n;Wherein, (1+dA)-1And dAIt is the number for prestoring
According to;dAIt is the private key of user A;Judge whether s is equal to 0;If s is equal to 0, proceed the operation of above-mentioned generation signature result;
If s is not equal to 0, digital signature result (r, s) is determined.
The third aspect, the embodiment of the invention provides a kind of key acquisition device, and the key is used to be based on SM2 elliptic curves
In the Digital Signature Algorithm of public key algorithm, the device includes:Target byte position setup module, for setting key most
High byte position is target byte position, carries out following byte values and obtains operation:Pseudo- key production module, for using physics side
The data of formula change target byte position, generation and key byte length identical puppet key;Wherein, the physics mode includes swashing
Light irradiation mode or electrophoresis stimulation mode;Digital Signature module, for being digitally signed according to pseudo- key, records digital signature
During generate the first elliptic curve point and signature result;Sign test module, for what is be digitally signed according to signature result
Sign test, the second elliptic curve point generated during record sign test;Byte difference search module, for according to the first elliptic curve
The difference of point and the second elliptic curve point, key is searched for from the range of default byte value with the target byte position of pseudo- key
Byte difference;Span setup module, the byte value for according to byte difference, setting the target byte position of key takes
Value scope;Byte value determining module, the byte value of the target byte position for determining key according to span;Key determines
Module, the next byte location for setting target byte position is new target byte position, proceeds above-mentioned byte
Value obtains operation, until getting the byte value of all byte locations of key, the byte value of all byte locations is defined as
Key.
With reference to the third aspect, the first possible implementation method of the third aspect is the embodiment of the invention provides, wherein, on
Stating byte difference search module includes:First initial value setup unit, the initial value d=00 for setting byte difference, is carried out
Following byte difference search operations:First the judging unit, [d*2 for judging byte difference d248* r mod n] coordinate of G is
No difference [k] G- (x for being equal to the first elliptic curve point and the second elliptic curve point1’,y1’);Wherein, (x1,y1)=[k] G is
First elliptic curve point;(x1’,y1') it is the second elliptic curve point;R=(e+x1)mod n;ZA
It is the Hash Value of the distinguished mark on user A, part elliptical curve systematic parameter and user's A public keys;M is to be signed disappearing
Breath;Hv() is that eap-message digest length is the cryptographic Hash function of v bits;E is the output that cryptographic Hash function acts on message M
Value;Modn is mould n computings;N is the rank of basic point G;First updating block, if for the [d*2 of byte difference d248*r mod n]
The coordinate of G is not equal to difference [k] G- (x of the first elliptic curve point and the second elliptic curve point1’,y1'), d=d+1 is updated, after
It is continuous to carry out above-mentioned byte difference search operation, until d=FF;First recording unit, if for the [d*2 of byte difference d248*r
Mod n] coordinate of G is equal to difference [k] G- (x of the first elliptic curve point and the second elliptic curve point1’,y1'), record byte is poor
Value;Or;Second initial value setup unit, the initial value d=-01 for setting byte difference carries out following byte differences and searches
Rope is operated:Second the judging unit, [d*2 for judging byte difference d248* r mod n] whether to be equal to first oval for the coordinate of G
Difference [k] G- (x of curve point and the second elliptic curve point1’,y1’);Wherein, (x1,y1)=[k] G be the first elliptic curve point;
(x1’,y1') it is the second elliptic curve point;R=(e+x1)mod n; ZAIt is on the distinguishable of user A
Not Biao Shi, the Hash Value of part elliptical curve systematic parameter and user's A public keys;M is message to be signed;Hv() is eap-message digest
Length is the cryptographic Hash function of v bits;E is the output valve that cryptographic Hash function acts on message M;Modn is mould n computings;n
It is the rank of elliptic curve basic point G;(r, s) is the signature for sending;X | | y is the splicing of x and y;Second updating block, if for
[the d*2 of byte difference d248* r mod n] coordinate of G is not equal to the difference of the first elliptic curve point and the second elliptic curve point
[k]G-(x1’,y1'), d=d-1 is updated, proceed above-mentioned byte difference search operation, until d=-FF;Second record
Unit, if for the [d*2 of byte difference d248* r mod n] coordinate of G is equal to the first elliptic curve point and the second elliptic curve
Difference [k] G- (x of point1’,y1'), record byte difference.
With reference to the third aspect, second possible implementation method of the third aspect is the embodiment of the invention provides, wherein, on
Stating byte value determining module includes:3rd judging unit, for judging whether maximum and minimum value are identical in span;After
Continuous operating unit, if differed for maximum in span and minimum value, proceeds byte value and obtains operation;Byte
Value determining unit, if identical with minimum value for maximum in span, determining maximum and/or minimum value are key
The byte value of target byte position.
Fourth aspect, the embodiment of the invention provides a kind of digital signature device, and the device includes:Splicing module,
For the message M to be signed and Z for prestoring that will be receivedASplicing is carried out, splicing result is obtainedWherein, ZAIt is the hash of the distinguished mark on user A, part elliptical curve systematic parameter and user's A public keys
Value;Carry out the operation of following generation signature results:Processing module is right for according to cryptographic Hash functionProcessed, obtained
Obtain the output valve that cryptographic Hash function acts on message MWherein, Hv() is that eap-message digest length is the close of v bits
Code hash function;Random number acquisition module, for obtaining random number k by randomizer;Wherein, k ∈ [1, n-1];N is
N is the rank of elliptic curve basic point G;First elliptic curve point acquisition module, for obtaining the first elliptic curve point (x1,y1)=[k]
G;R acquisition modules, for obtaining r=(e+x1)mod n;First judge module, for judge r=0 or r+k=n whether into
It is vertical;First continues operation module, if set up for r=0 or r+k=n, proceeds the behaviour of above-mentioned generation signature result
Make;S acquisition modules, if invalid for r=0 or r+k=n, obtain s=((1+dA)-1(k-r*dA))mod n;Wherein,
(1+dA)-1And dAIt is the data for prestoring;dAIt is the private key of user A;Second judge module, for judging whether s is equal to 0;
Second continues operation module, if being equal to 0 for s, proceeds the operation of above-mentioned generation signature result;Digital signature result is true
Cover half block, if being not equal to 0 for s, determines digital signature result (r, s).
The embodiment of the present invention brings following beneficial effect:
A kind of key acquisition method provided in an embodiment of the present invention, the pseudo- key according to generation is digitally signed and tests
Sign, the second elliptic curve generated during the first elliptic curve point and sign test generated in digital signature procedure can be obtained
Point;According to first elliptic curve point and the difference of the second elliptic curve point, the target byte position of search key and pseudo- key
Byte difference, and the span of the byte value of the target byte position of key is set;Can be determined according to the span
The byte value of the target byte position of key;After the byte value of all byte locations of key is got, by all bytes position
The byte value put is defined as key.The mode that aforesaid way greatly reduces acquisition key is restricted, public for SM2 elliptic curves
The key of key cryptographic algorithm has preferable universality and exploitativeness;And be based on when above-mentioned key acquisition method is applied to test
During the ability of the resisting differential error analysis of the Digital Signature Algorithm of SM2 ellipse curve public key cipher algorithms, can effectively find
The leak of above-mentioned Digital Signature Algorithm, and then improve the security of above-mentioned Digital Signature Algorithm.
A kind of digital signature method provided in an embodiment of the present invention, by the private key d of user AAWith (1+dA)-1Deposit in advance
Storage, it is possible to use family direct access d in being digitally signedAWith (1+dA)-1Data, compared in the prior art to (1+dA
)-1The mode of real-time calculating is carried out, which can defend reading dAThe acquisition operation of Shi Jinhang keys, improves digital label
The safety and reliability of name method.
Other features and advantages of the present invention will be illustrated in the following description, also, the partly change from specification
Obtain it is clear that or being understood by implementing the present invention.The purpose of the present invention and other advantages are in specification, claims
And specifically noted structure is realized and obtained in accompanying drawing.
To enable the above objects, features and advantages of the present invention to become apparent, preferred embodiment cited below particularly, and coordinate
Appended accompanying drawing, is described in detail below.
Brief description of the drawings
In order to illustrate more clearly of the specific embodiment of the invention or technical scheme of the prior art, below will be to specific
The accompanying drawing to be used needed for implementation method or description of the prior art is briefly described, it should be apparent that, in describing below
Accompanying drawing is some embodiments of the present invention, for those of ordinary skill in the art, before creative work is not paid
Put, other accompanying drawings can also be obtained according to these accompanying drawings.
Fig. 1 is a kind of flow chart of key acquisition method provided in an embodiment of the present invention;
Fig. 2 is a kind of flow chart of digital signature method provided in an embodiment of the present invention;
Fig. 3 is a kind of structural representation of key acquisition device provided in an embodiment of the present invention;
Fig. 4 is a kind of structural representation of digital signature device provided in an embodiment of the present invention.
Specific embodiment
To make the purpose, technical scheme and advantage of the embodiment of the present invention clearer, below in conjunction with accompanying drawing to the present invention
Technical scheme be clearly and completely described, it is clear that described embodiment is a part of embodiment of the invention, rather than
Whole embodiments.Based on the embodiment in the present invention, those of ordinary skill in the art are not making creative work premise
Lower obtained every other embodiment, belongs to the scope of protection of the invention.
In view of the restricted larger problem of mode for obtaining key in the prior art, one kind is the embodiment of the invention provides
Key acquisition method, digital signature method and device, the technology can be used for test in embedded system or intelligent card chip
The ability of the resisting differential error analysis of the Digital Signature Algorithm based on SM2 ellipse curve public key cipher algorithms realized, the technology
Can be realized using related software and hardware, be described below by embodiment.
Embodiment one:
A kind of flow chart of key acquisition method shown in Figure 1, the key is used for close based on SM2 curve public keys
In the Digital Signature Algorithm of code algorithm, the method comprises the following steps:
Step S102, the highest byte position for setting key is target byte position, carries out following byte values and obtains operation:
Step S104, using the data of physics mode change target byte position, generates and key byte length identical
Pseudo- key;Wherein, the physics mode includes laser irradiation mode or electrophoresis stimulation mode;Target byte is changed using physics mode
During the data of position, the change of the data is random, is also unknown;Due to based on SM2 ellipse curve public key cipher algorithms
The middle key length for using is 32 bytes, therefore, random generation for the byte length of key be also 32 bytes;
Step S106, is digitally signed according to above-mentioned pseudo- key, and first generated in record digital signature procedure is oval
Curve point and signature result;
Step S108, according to the sign test that signature result is digitally signed, second generated during record sign test is oval
Curve point;
Step S110, according to the first elliptic curve point and the difference of the second elliptic curve point, from default byte value scope
The byte difference of the target byte position of interior search key and pseudo- key;
In practical implementations, above-mentioned key and the pseudo- key of generation are unknown;But based on SM2 ellipse curve public key ciphers
During the digital signature and sign test of algorithm, specific elliptic curve, the mathematical field of the curve and the module of curve are specified
What parameter was all to determine, therefore, the first elliptic curve point and sign test mistake generated during being digitally signed according to pseudo- key
The difference of the second elliptic curve point generated in journey, may search for out the byte of the target byte position of true key and pseudo- key
Difference.
Further, because elliptic curve is based on dispersed accumulation, it is difficult to solve coefficient by coordinate value;Therefore can be with
By the way of forward lookup, for example, 00,01,02 ..., FF.
Step S112, according to byte difference, sets the span of the byte value of the target byte position of key;
Step S114, the byte value of the target byte position of key is determined according to span;
The scope of the byte value of the target byte position of above-mentioned key and pseudo- key is 00-FF;For a certain determination
Key, obtains a byte difference by not generating a pseudo- key, the byte difference can reduce the target byte position of key
The possibility span of the byte value put, therefore, after repeatedly generation pseudo-random key, the target byte position of above-mentioned key
The possibility span of byte value can progressively reduce, and infinitely approach the byte value of the target byte position of key, and the byte
It is hexadecimal positive number to be worth, and then obtains the byte value of the target byte position of key.
Step S116, the next byte location for setting target byte position is new target byte position, is proceeded
Above-mentioned byte value obtains operation, until the byte value of all byte locations of key is got, by the byte of all byte locations
Value is defined as key.
A kind of key acquisition method provided in an embodiment of the present invention, the pseudo- key according to generation is digitally signed and tests
Sign, the second elliptic curve generated during the first elliptic curve point and sign test generated in digital signature procedure can be obtained
Point;According to first elliptic curve point and the difference of the second elliptic curve point, the target byte position of search key and pseudo- key
Byte difference, and the span of the byte value of the target byte position of key is set;Can be determined according to the span
The byte value of the target byte position of key;After the byte value of all byte locations of key is got, by all bytes position
The byte value put is defined as key.The mode that aforesaid way greatly reduces acquisition key is restricted, public for SM2 elliptic curves
The key of key cryptographic algorithm has preferable universality and exploitativeness;And be based on when above-mentioned key acquisition method is applied to test
During the ability of the resisting differential error analysis of the Digital Signature Algorithm of SM2 ellipse curve public key cipher algorithms, can effectively find
The leak of above-mentioned Digital Signature Algorithm, and then improve the security of above-mentioned Digital Signature Algorithm.
May be likely to be negative for positive number in view of above-mentioned byte difference, it is above-mentioned according to the first elliptic curve point and second
The difference of elliptic curve point, key is searched for from the range of default byte value poor with the byte of the target byte position of pseudo- key
Value, specifically can in the following manner realize, in which, byte difference is searched for since 00, until FF, including:
(1) the initial value d=00 of byte difference is set, following byte difference search operations are carried out:
(2) [the d*2 of byte difference d is judged248* r mod n] whether the coordinate of G be equal to the first elliptic curve point and second
Difference [k] G- (x of elliptic curve point1’,y1’);Wherein, (x1,y1)=[k] G be the first elliptic curve point;(x1’,y1') it is the
Two elliptic curve points;R=(e+x1)mod n; ZAIt is the distinguished mark on user A, part
The Hash Value of elliptic curve systems parameter and user's A public keys;M is message to be signed;Hv() is that eap-message digest length is v bits
Cryptographic Hash function;E is the output valve that cryptographic Hash function acts on message M;Modn is mould n computings;N is the rank of basic point G;
(3) if not, updating d=d+1, above-mentioned byte difference search operation is proceeded, until d=FF;
(4) if it is, record byte difference.
It is above-mentioned according to the first elliptic curve point and the difference of the second elliptic curve point, searched for from the range of default byte value
Key and the byte difference of the target byte position of pseudo- key, specifically can also in the following manner realize, in which, byte is poor
Value is searched for since -01, until-FF, including:
(1) the initial value d=-01 of byte difference is set, following byte difference search operations are carried out:
(2) [the d*2 of byte difference d is judged248* r mod n] whether the coordinate of G be equal to the first elliptic curve point and second
Difference [k] G- (x of elliptic curve point1’,y1’);Wherein, (x1,y1)=[k] G be the first elliptic curve point;(x1’,y1') it is the
Two elliptic curve points;R=(e+x1)mod n; ZAIt is the distinguished mark on user A, part
The Hash Value of elliptic curve systems parameter and user's A public keys;M is message to be signed;Hv() is that eap-message digest length is v bits
Cryptographic Hash function;E is the output valve that cryptographic Hash function acts on message M;Modn is mould n computings;N is elliptic curve base
The rank of point G;(r, s) is the signature for sending;X | | y is the splicing of x and y;
(3) if not, updating d=d-1, above-mentioned byte difference search operation is proceeded, until d=-FF;
(4) if it is, record byte difference.
Above-mentioned way of search can efficiently obtain the difference phase with the first elliptic curve point and the second elliptic curve point
The byte matched somebody with somebody is poor.
During the sign test of digital signature, above-mentioned second elliptic curve point (x1’,y1') can obtain in several ways
, mode one is:(x1’,y1')=[s '] G+ [t] PA=[s '+t*dA] G=[s '+(s '+r) * dA]=[(1+dA)s’+r*dA]
G=[k-r*dA’+r*dA]G;Wherein, PA=[dA]G;(r ', s ') it is the signature for receiving;T=(r '+s ') mod n;PAIt is user A
Public key;dAIt is the private key of user A;dA' it is pseudo- key;The random number that k is produced for randomizer, and k ∈ [1, n-1];
[k] G=(r-e) mod n;
Mode two is:(x1’,y1')=[s '+t*dA] G=[s '+(s '+r) * dA]=[(1+dA)s’+r*dA] G=[(1+
dA)(1+dA’)-1(k-r*dA)+r*dA] G=[k+ (dA-dA’)(k-r*dA)] G=[k] G+ [(dA-dA’)k]G–[(dA-dA’)r]
PA;Wherein, (r ', s ') it is the signature for receiving;T=(r '+s ') mod n;PAIt is the public key of user A;dAIt is the private key of user A;
dA' it is pseudo- key;The random number that k is produced for randomizer, and k ∈ [1, n-1];[k] G=(r-e) mod n.
Specifically, aforesaid way one is that pseudo- key is implanted into during the modular multiplication into Digital Signature Algorithm;Aforesaid way
Two is that pseudo- key is implanted into the inversion process into Digital Signature Algorithm.
Further, it is above-mentioned according to byte difference according to the positive and negative of byte difference, the target byte position of key is set
The span of byte value, can be accomplished in the following manner, mode one:The byte value d of the target byte position of key is set1
=d+d2Span M=[d, FF];Wherein, d is byte difference, and d >=0;d2It is the word of the target byte position of pseudo- key
Section value;d2、d1It is hexadecimal double figures, and 0≤d with d2≤FF;
Mode two:The byte value d of the target byte position of key is set1=d+d2Span M=[00, FF+d];Its
In, d is byte difference, and d≤0;D2 is the byte value of the target byte position of pseudo- key;d2、d1It is hexadecimal two with d
Digit, and 0≤d2≤FF。
Further, the byte value of the above-mentioned target byte position that key is determined according to span, comprises the following steps:
(1) judge whether maximum and minimum value are identical in span;(2) if not, proceeding byte value obtains operation;(3)
If it is, determining maximum and/or minimum value are the byte value of the target byte position of key.
For example, as d=-0x33, M1=[00, CC], it is seen then that d1Span there occurs diminution;Random generation again
Pseudo- password, and a byte difference is obtained, for example, as d=0x78, M2=[78, FF];For another example, as d=-0x87, M3=
[-87,78];According to M2And M3Common factor, you can determine the byte value d of the target byte position of key1。
The above method can efficiently and accurately obtain the byte value of key, and then obtain complete key, and with stronger
Exploitativeness.
Embodiment two:
A kind of flow chart of digital signature method shown in Figure 2, the method can be defendd by above-described embodiment one
The key acquisition method of middle offer carries out key acquisition, and the method comprises the following steps:
Step S202, the message M to be signed and Z for prestoring that will be receivedASplicing is carried out, stitching portion is obtained
Reason resultWherein, ZAIt is the distinguished mark on user A, part elliptical curve systematic parameter and user's A public keys
Hash Value;
Carry out the operation of following generation signature results:
Step S204 is right according to cryptographic Hash functionProcessed, obtain cryptographic Hash function and act on message M's
Output valveWherein, Hv() is that eap-message digest length is the cryptographic Hash function of v bits;
Step S206, random number k is obtained by randomizer;Wherein, k ∈ [1, n-1];N is that n is elliptic curve base
The rank of point G;
Step S208, obtains the first elliptic curve point (x1,y1)=[k] G;
Step S210, obtains r=(e+x1)mod n;
Step S212, judges whether r=0 or r+k=n sets up;If it is, performing step S204;If not, performing step
Rapid S214;
Step S214, obtains s=((1+dA)-1(k-r*dA))mod n;Wherein, (1+dA)-1And dAIt is what is prestored
Data;dAIt is the private key of user A;
Step S216, judges whether s is equal to 0;If s is equal to 0, step S204 is performed;If s is not equal to 0, step is performed
S218;
Step S218, determines digital signature result (r, s).
In a kind of digital signature method provided in an embodiment of the present invention, by the private key d of user AAWith (1+dA)-1Deposit in advance
Storage, it is possible to use family direct access d in being digitally signedAWith (1+dA)-1Data, compared in the prior art to (1+dA
)-1The mode of real-time calculating is carried out, which can defend reading dAThe acquisition operation of Shi Jinhang keys, improves digital label
The safety and reliability of name method.
Embodiment three:
Corresponding to the digital signature method provided in the key acquisition method and embodiment two provided in above-described embodiment one,
The embodiment of the invention provides the difference error injection method of testing and defence method of a kind of SM2 signature algorithms process.
Existing embedded cryptography equipment, is based on hardware platform and software programming reality by taking smart card and USB key as an example
Existing.With the proposition of some attack methods that the nineties in last century proposes, people are gradually, it is realized that the security of cryptographic algorithm
Mathematics security is depended not only on, while these support that the implementation of the equipment of cryptographic algorithm also can be to the peace of cryptographic algorithm
Full property threatens.The current field has Many researchers that various side-channel attack methods, these sides have been proposed
Method can make attacker be easy to attack the key for obtaining cryptographic algorithm.These conventional methods include:Timing attack, power consumption
Analysis, electromagnetic radiation analysis, phonetic analysis, probe analysis, the huge profit analysis of test circuit, caching are attacked and error injection
Attack, decile emi analysis method.Maximally effective attack method includes power consumption analysis, mistake to above-mentioned side-channel attack method at present
Injection attacks etc..
Above-mentioned error injection mode is the CRT-RSA algorithm attack methods that classics are proposed from Dan Boneh in 1997 etc..
One of in 1997, li Biham and Adi Shamir (while be also the inventor of RSA Algorithm) delivered for symmetric cryptography
The fault analysis method of algorithm, and propose and be named as Differential fault analysis (Differential Fault for the first time
Analysis, abbreviation DFA) attack method, use till today.2002, the actual experiment to CRT-RSA algorithms was attacked.Ying Fei
The fault analysis model that C.Aumuller of Ling companies et al. is proposed based on scholars, it is actual to CRT-RSA algorithms to be attacked
Hit, and achieve successfully.The same year, P.Dusart et al. have carried out network analysis to the error injection of AES.They think for
The attack of AES can not simply use for reference the attack thought to DES, because both have difference on operating structure.2008
In CHES meetings, scholar David Vigilant propose a kind of new CRT-RSA algorithm implementations.2010, for text
Offer the protection algorithm of proposition, Jean-S ' ebastien Coron et al. and theoretic leak have found by analysis.
And SM2 algorithms are realized based on elliptic curve.At present, for the attack of elliptic curve be mainly from
Three aspects are started with.One is the operation on operating elliptic curve group, computing is occurred have the new of weak security at one
On group.This attack method can be on the defensive by way of whether inspection result is on elliptic curve.Another,
Blomer et al. assumes that the symbol of median can be changed.This attack pattern, result is still the available point of elliptic curve.
Therefore, defence method above-mentioned is no longer valid, it is necessary to more complicated defence method can just resist this attack.It is also a kind of
It is safe-error modes, in order to defend simple power consumption analysis, elliptic curve is usually using always addition and the side of times point
Formula is realized, and some additions are redundancies.Attacker can inject provisional mistake by for these additive processes, and observation is
No wrong result is produced, if produced, it was demonstrated that the process is effective, if mistake, it was demonstrated that the addition is redundancy
, so as to progressively confirm the value of each bit.
There is not exploitativeness mostly for the difference error injection test of current SM2 signature algorithms, it is proposed by the present invention
For the method for testing of the difference error injection of SM2 signature algorithms, testing difference error injection has exploitativeness, and the party
Method has certain universality to current SM2 signature algorithm implementation process;Meanwhile, for above-mentioned difference error injection test side
A kind of method, it is proposed that suggestion of defence method, can effectively various error injections attack.
The method of testing and defence method of the right difference error injection for clearly describing SM2 signature algorithms, first
SM2 signature algorithms are introduced.SM2 algorithms are realized based on elliptic curve.The algorithm specifies specific elliptic curve,
What the mathematical field of curve and the addition swarm parameter of curve were all to determine.The process of Digital Signature Algorithm is as follows:
A1, put M=ZA | | M;
A2, calculating e=Hv (M)
A3, using randomizer produce random number k belong to [1, n-1]
A4, calculating elliptic curve point (x1, y1)=[k] G
A5, calculating r=(e+x1) mod n, A3 is returned if r=0 or r+k=n.
A6, calculating s=((1+dA) -1 (k-r*dA)) mod n, return to A3 if s=0.
(r, s) that said process is obtained is signature result.
The sign test process of digital signature is as follows:
Whether B1, inspection r ' belong to [1, n-1], invalid, do not pass through;
Whether B2, inspection s ' belong to [1, n-1], invalid, do not pass through;
B3, value M '=ZA | | M ';
B4, calculating e=Hv (M ');
B5, calculating t=(r '+s ') mod n, if t=0, verify and do not pass through.
B6, calculate elliptic curve point (x1 ', y1 ')=[s '] G+ [t] PA
B7, calculating R=(e+x1 ') mod n, verify r '==R, pass through if setting up, and otherwise verify and do not pass through.
The method of the error injections for elliptic curve cryptography several in the prior art mentioned above, to SM2's
Signature algorithm does not all have exploitativeness.These methods both for digital signature procedure A4 steps, while, it is desirable to A4 steps
The middle random number k for using is fixed and can repeatedly used.And learnt from A3 steps, k is random number, is every time random
Produce, therefore above-mentioned error injection mode does not all have exploitativeness.
In view of the uniqueness of the Digital Signature Algorithm based on elliptic curve, Jorn-Marc Schmidt et al. are proposed
For the error injection mode of ECDSA.But this method cannot be implemented to SM2 signature algorithms, first
The flow of the suitable algorithm flow of this mode and SM2 algorithms is variant, and the hypothesis of the attack method that the author proposes will in addition
Ask comparing harsh, it is desirable to which injecting mistake makes code flow change, and does not have exploitativeness.
To sum up, the difference error injection method of testing of the first SM2 signature algorithm process is the embodiment of the invention provides, should
A6 step of the method for SM2 Digital Signature Algorithms;(1+d in A6 stepsA)-1Can be stored as constant, it is also possible to pass through
dACalculate the value;Then r*d is calculatedAValue (" * " in the embodiment be expressed as be multiplied), calculate (k-r*dA) mod n
Modular multiplication (the 1+d of the big number of value, finally calculating twoA)-1(k-r*dA).The testing scheme is to calculate r*dAShi Jinhang error injections.
The d that SM2 is usedALength is 32 bytes, is designated as d31d30…d1d0, wherein d31It is dAHighest byte, and d0It is dA
Lowest byte;In smart card or embedded system, dAIt is to be stored in FLASH or EEPROM with bytewise;
During calculating, system reads d from Flash or EEPROMA, it is assumed that to d in test process31Byte has carried out error injection;
At this moment, r*dAResult be designated as r*dA', and (dA-dA')=(d31', 0 ..., 0,0), wherein d31' be and dAAnd dA' first byte
Difference;It should be noted that due to dAAnd dA' magnitude relationship do not determine, d31' symbol can be carried;By dA' substitute into A6 steps
Rapid computing, has obtained s '.
Then, above-mentioned signature result (r, s ') is substituted into sign test process, is obtained:(x1 ', y1 ')=[s '] G+ [t] PA, and
PA=[dA]G;Substituting into formula has:(x1 ', y1 ')=[s '+t*dA] G=[s '+(s '+r) * dA]=[(1+dA)s’+r*dA] G=
[k-r*dA’+r*dA]G;The x coordinate of known [k] G is (r-e) mod n;Therefore the difference of [k] G and (x1 ', y1 ') can be calculated,
I.e.:[k] G-(x1 ', y1 ')=[r*dA’–r*dA] G=[r* (d31 ', 0 ..., 0,0)] G.
Because elliptic curve is based on discrete logarithm problem, it is difficult to solve coefficient by coordinate value.Therefore forward lookup is used
Mode, at this moment need in two kinds of situation to analyze:One is that d31 ' is that just two is that d31 ' is negative;Work as d31 ' for timing, directly adopt
, it is necessary to replace (d31 ', 0 ..., 0,0) using n- (| d31 ' |, 0 ..., 0,0) when using the value, and d31 ' to bear, wherein |
D31 ' | it is absolute value, n is the rank of elliptic curve, is fixed constant.
During search, from 0x00-0xFF, other bytes supplement is 0 to private key d first bytes, calculates times point of the value and r products
(wherein 0x represents hexadecimal);Then the difference of n and d is calculated, times point of the value and r products is calculated, all of 256*2 is observed
Which is with to obtain [k] G-(x1 ', y1 ') equal in individual data, you can obtain current erroneous value.
Assuming that the model of mistake is completely random, i.e., for single byte no matter d31Why it is worth, d31' can be 0x00-
The arbitrary value of 0xFF;According to above analysis it is known that to fixed value d31, (dA’-dA) value be only possible to be 00,01 ..., d31,
n-1,n-2…,n+0xFF-d31.Therefore, in the case where wrong frequency is enough, lead-in can be approached out using difference
The value of section.
Above-mentioned test process is exemplified below:
The rank n=0xFFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B of SM2 algorithms
53BBF409 39D54123;
If dA=0x787968B4FA32C3FD 2417842E 73BBFEFF 2F3C848B 6831D7E0 EC65228B
3937E498;
To dAHighest byte carry out error injection, d31AB is rewritten as, i.e.,
dA'=0xAB7968B4 FA32C3FD 2417842E 73BBFEFF 2F3C848B 6831D7E0 EC65228B
3937E498;
Then d31'=- 0x33.
In order to search out d31Key value, first by calculate [0x 00*2248*r mod n] G coordinate whether be equal to
[k]G–(x1’,y1’).Whether the coordinate for then calculating [0x 01*2248*r mod n] G is equal to [k] G-(x1 ', y1 '), successively
Calculate:Whether the coordinate of [0xFF*2248*r mod n] G is equal to [k] G-(x1 ', y1 ').In view of d31' it is probably negative,
Equally, search for:Whether the coordinate of [(n-0x 00*2248) * r mod n] G is equal to [k] G-(x1 ', y1 ');Then [(n- is calculated
0x 01*2248) * r mod n] whether the coordinate of G be equal to [k] G-(x1 ', y1 ');Finally arrive:[(n-0x FF*2248)*r
Mod n] whether the coordinate of G be equal to [k] G-(x1 ', y1 ').
Search for successively, in this 256*2 data, it is found that whether times point coordinates of [(n-0x 33*2248) * r mod n] G
Equal to [k] G-(x1 ', y1 ').Therefore, it is derived by then d31'=- 0x33.In view of the value, d31Value should be less than 0xCC,
Because working as d31Any improper value can not all make d during more than 0xCC31'=- 0x33.
Mistake is re-injected, in the event of mistake, d is equally judged31' value, and have d31' value diminution d31Byte
Scope.If mistake occurs in that d31'=0x78 and d31During '=- 0x87, you can determine d31The value of byte is 0x78.
The analysis method of other bytes is identical with first byte, to all bytes successively in this way, you can obtain base
In the key of SM2 signature algorithms.
The method has very strong exploitativeness.First, the program does not calculate many times of points of elliptic curve to signature process
Process carries out error injection, but error injection is carried out to private key operation process, and many times of dot factors are random number, and private key is solid
Definite value, therefore error injection to private key has more implementation;Secondly, the error model that the program is used also has very strong operation
Property.Due to be all in data copy within a smart card and calculating process in units of byte or word, therefore should in error injection
The possibility of unit error is higher, and the program only needs to confirm the position of byte, and error injection difficulty is little.Cause
The exploitativeness of this algorithm is very strong.Meanwhile, the byte model extends also to word model, increases for word model search space
Plus, but still there is very strong operability.
The embodiment of the invention provides second difference error injection method of testing of SM2 signature algorithm processes, the method
A6 steps for SM2 Digital Signature Algorithms are assumed during signature s is calculated, first to calculate 1+dAValue, in the process
In to dAError injection is carried out;The d of mistakeAUse dA' represent, by dA' sign test process is substituted into, have:(x1 ', y1 ')=[s '+t*
dA] G=[s '+(s '+r) * dA]=[(1+dA)s’+r*dA] G=[(1+dA)(1+dA’)-1(k-r*dA)+r*dA] G=[k+ (dA-
dA’)(k-r*dA)] G=[k] G+ [(dA-dA ') k] G-[(dA-dA’)r]PA;Wherein, PA is public key, and [k] G is equal to (r-e) mod
n.Difference error injection analysis of test methods with the first SM2 signature algorithm process is similar, using the positive and negative spy of data byte
Property, the key value of each byte can be obtained, and then the value of whole key can have been obtained.
The embodiment of the present invention additionally provides a kind of defender of the difference error injection method of testing of SM2 signature algorithms process
Method;In order to defend side channel power consumption analysis technology, some designs are to r*dAMod n carry out mask design.Such as r*dA=x*r*dA*
x-1This mode, and x is random number;But, by analysis above it is known that this defence method cannot defend this paper institutes
State to dAAttack.Therefore, d is not only operated directly in computingA, could defend to dAError injection.Equally, a pin
To (1+dA)-1Having carried out mask cannot also resist the detection mode of this paper, because in the presence of to dADirect operation.
Above-mentioned detection mode is mainly and is using dAWhen be directly injected into mistake.In order to defend this detection attack method,
Need directly operate d in computing of signingA.Such as s=((1+dA)-1(k-r*dA)) mod n=((1+dA)-1k-(1+
dA)-1*r*dA)) mod n=((1+dA)-1(k+r)-r) mod n. are here (1+dA)-1Need to be expected as the part with key
Calculate storage in the chips.If using this flow, there will be no and directly use dAScene.So it is prevented that this paper institutes
The detection attack meanses of use.
By above-mentioned defence method, you can realize the defence to above-mentioned detection means;And do not have in view of this implementation
The time complexity and space complexity of algorithm realization are significantly increased, therefore the defence method has operability and easily implementation
Property.
The embodiment of the present invention can realize the detection to the resistance error injection defence method of SM2 signature algorithms, by this
Method can effectively find the leak of SM2 signature algorithm implementation process.Meanwhile, the present invention points out a series of leakage of implementations
Hole, and the effective measures of defence error injection scheme are given on its basis, it is ensured that the security based on SM2 signature algorithms.
Example IV:
A kind of structural representation of key acquisition device shown in Figure 3, the key is used for public based on SM2 elliptic curves
In the Digital Signature Algorithm of key cryptographic algorithm, the device includes following part:
Target byte position setup module 302, is target byte position for setting the highest byte position of key, is carried out
Following byte values obtain operation:
Pseudo- key production module 304, for the data using physics mode change target byte position, generates and key word
Section length identical puppet key;Wherein, the physics mode includes laser irradiation mode or electrophoresis stimulation mode;
Digital Signature module 306, for being digitally signed according to pseudo- key, the generated in record digital signature procedure
One elliptic curve point and signature result;
Sign test module 308, for according to the signature sign test that is digitally signed of result, generated during record sign test the
Two elliptic curve points;
Byte difference search module 310, for the difference according to the first elliptic curve point and the second elliptic curve point, from pre-
If byte value in the range of search for the byte difference of key and the target byte position of pseudo- key;
Span setup module 312, for according to byte difference, setting the byte value of the target byte position of key
Span;
Byte value determining module 314, the byte value of the target byte position for determining key according to span;
Key determining module 316, the next byte location for setting target byte position is new target byte position
Put, proceed above-mentioned byte value and obtain operation, until the byte value of all byte locations of key is got, by all bytes
The byte value of position is defined as key.
A kind of key acquisition device provided in an embodiment of the present invention, the pseudo- key according to generation is digitally signed and tests
Sign, the second elliptic curve generated during the first elliptic curve point and sign test generated in digital signature procedure can be obtained
Point;According to first elliptic curve point and the difference of the second elliptic curve point, the target byte position of search key and pseudo- key
Byte difference, and the span of the byte value of the target byte position of key is set;Can be determined according to the span
The byte value of the target byte position of key;After the byte value of all byte locations of key is got, by all bytes position
The byte value put is defined as key.The mode that aforesaid way greatly reduces acquisition key is restricted, public for SM2 elliptic curves
The key of key cryptographic algorithm has preferable universality and exploitativeness;And be based on when above-mentioned key acquisition method is applied to test
During the ability of the resisting differential error analysis of the Digital Signature Algorithm of SM2 ellipse curve public key cipher algorithms, can effectively find
The leak of above-mentioned Digital Signature Algorithm, and then improve the security of above-mentioned Digital Signature Algorithm.
May be likely to be negative that above-mentioned byte difference search module includes for positive number in view of above-mentioned byte difference:(1)
First initial value setup unit, the initial value d=00 for setting byte difference, carries out following byte difference search operations:(2)
First the judging unit, [d*2 for judging byte difference d248* r mod n] whether the coordinate of G be equal to the first elliptic curve point
With difference [k] G- (x of the second elliptic curve point1’,y1’);Wherein, (x1,y1)=[k] G be the first elliptic curve point;(x1’,
y1') it is the second elliptic curve point;R=(e+x1)mod n;ZAIt is the distinguished mark on user A
The Hash Value of knowledge, part elliptical curve systematic parameter and user's A public keys;M is message to be signed;Hv() is eap-message digest length
It is the cryptographic Hash function of v bits;E is the output valve that cryptographic Hash function acts on message M;Modn is mould n computings;N is base
The rank of point G;(3) first updating blocks, if for the [d*2 of byte difference d248* r mod n] to be not equal to first ellipse for the coordinate of G
Difference [k] G- (x of circular curve point and the second elliptic curve point1’,y1'), d=d+1 is updated, proceed above-mentioned byte difference and search
Rope is operated, until d=FF;(4) first recording units, if for the [d*2 of byte difference d248* r mod n] G coordinate etc.
In difference [k] G- (x of the first elliptic curve point and the second elliptic curve point1’,y1'), record byte difference;
Above-mentioned byte difference search module also includes:(1) second initial value setup unit, for setting the first of byte difference
Initial value d=-01, carries out following byte difference search operations:(2) second the judging units, [d* for judging byte difference d
2248* r mod n] whether the coordinate of G be equal to difference [k] G- (x of the first elliptic curve point and the second elliptic curve point1’,y1’);
Wherein, (x1,y1)=[k] G be the first elliptic curve point;(x1’,y1') it is the second elliptic curve point;R=(e+x1)mod n;ZAIt is the distinguished mark on user A, part elliptical curve systematic parameter and user's A public keys
Hash Value;M is message to be signed;Hv() is that eap-message digest length is the cryptographic Hash function of v bits;E is cryptographic Hash
Function acts on the output valve of message M;Modn is mould n computings;N is the rank of elliptic curve basic point G;(r, s) is the signature for sending;
X | | y is the splicing of x and y;(3) second updating blocks, if for the [d*2 of byte difference d248* r mod n] G coordinate not
Equal to difference [k] G- (x of the first elliptic curve point and the second elliptic curve point1’,y1'), d=d-1 is updated, proceed above-mentioned
Byte difference search operation, until d=-FF;(4) second recording units, if for the [d*2 of byte difference d248*r mod
N] coordinate of G is equal to difference [k] G- (x of the first elliptic curve point and the second elliptic curve point1’,y1'), record byte difference.
Above-mentioned way of search can efficiently obtain the difference phase with the first elliptic curve point and the second elliptic curve point
The byte matched somebody with somebody is poor.
Further, above-mentioned byte value determining module includes:(1) the 3rd judging unit, for judging in span most
Whether big value and minimum value are identical;(2) operating unit is continued, if differed for maximum in span and minimum value,
Proceed byte value and obtain operation;(3) byte value determining unit, if for maximum in span and minimum value phase
Together, determining maximum and/or minimum value are the byte value of the target byte position of key.The above method can be obtained efficiently and accurately
The byte value of key is taken, and then obtains complete key, and with stronger exploitativeness.
Embodiment five:
A kind of structural representation of digital signature device shown in Figure 4, the device includes following part:
Splicing module 402, for the message M to be signed and Z for prestoring that will be receivedACarry out stitching portion
Reason, obtains splicing resultWherein, ZAIt is the distinguished mark on user A, part elliptical curve system ginseng
The Hash Value of number and user's A public keys;
Carry out the operation of following generation signature results:
Processing module 404 is right for according to cryptographic Hash functionProcessed, obtained the effect of cryptographic Hash function
In the output valve of message MWherein, Hv() is that eap-message digest length is the cryptographic Hash function of v bits;
Random number acquisition module 406, for obtaining random number k by randomizer;Wherein, k ∈ [1, n-1];N is
N is the rank of elliptic curve basic point G;
First elliptic curve point acquisition module 408, for obtaining the first elliptic curve point (x1,y1)=[k] G;
R acquisition modules 410, for obtaining r=(e+x1)mod n;
First judge module 412, for judging whether r=0 or r+k=n sets up;If it is, proceeding above-mentioned life
Into the operation of signature result;
S acquisition modules 414, if invalid for r=0 or r+k=n, obtain s=((1+dA)-1(k-r*dA))mod
n;Wherein, (1+dA)-1And dAIt is the data for prestoring;dAIt is the private key of user A;
Second judge module 416, for judging whether s is equal to 0;If s is equal to 0, proceed above-mentioned generation signature knot
The operation of fruit;
Digital signature result determining module 418, if being not equal to 0 for s, determines digital signature result (r, s).
In a kind of digital signature device provided in an embodiment of the present invention, by the private key d of user AAWith (1+dA)-1Deposit in advance
Storage, it is possible to use family direct access d in being digitally signedAWith (1+dA)-1Data, compared in the prior art to (1+dA
)-1The mode of real-time calculating is carried out, which can defend reading dAThe acquisition operation of Shi Jinhang keys, improves digital label
The safety and reliability of name method.
The present invention proposes having for two kinds of anti-error injection defence methods of effective detection methods detection SM2 signature algorithms
Effect property, both schemes all with operability is facilitated, were all significantly improved compared to former detection scheme.The present invention is proposed
Two kinds of effective schemes of detection method of defence, and the program has the feature of very inexpensive and convenient realization, does not influence SM2
Signature algorithm realizes efficiency.
The computer program product of key acquisition method, digital signature method and device that the embodiment of the present invention is provided,
Computer-readable recording medium including storing program code, the instruction that described program code includes can be used for side before execution
Method described in method embodiment, implements and can be found in embodiment of the method, will not be repeated here.
If the function is to realize in the form of SFU software functional unit and as independent production marketing or when using, can be with
Storage is in a computer read/write memory medium.Based on such understanding, technical scheme is substantially in other words
The part contributed to prior art or the part of the technical scheme can be embodied in the form of software product, the meter
Calculation machine software product is stored in a storage medium, including some instructions are used to so that a computer equipment (can be individual
People's computer, server, or network equipment etc.) perform all or part of step of each embodiment methods described of the invention.
And foregoing storage medium includes:USB flash disk, mobile hard disk, read-only storage (ROM, Read-Only Memory), arbitrary access are deposited
Reservoir (RAM, Random Access Memory), magnetic disc or CD etc. are various can be with the medium of store program codes.
Finally it should be noted that:Embodiment described above, specific embodiment only of the invention, is used to illustrate the present invention
Technical scheme, rather than its limitations, protection scope of the present invention is not limited thereto, although with reference to the foregoing embodiments to this hair
It is bright to be described in detail, it will be understood by those within the art that:Any one skilled in the art
The invention discloses technical scope in, it can still modify to the technical scheme described in previous embodiment or can be light
Change is readily conceivable that, or equivalent is carried out to which part technical characteristic;And these modifications, change or replacement, do not make
The essence of appropriate technical solution departs from the spirit and scope of embodiment of the present invention technical scheme, should all cover in protection of the invention
Within the scope of.Therefore, protection scope of the present invention described should be defined by scope of the claims.