CN106856431A - Improved ECDSA and sign test method - Google Patents
Publication number: CN106856431A (application CN201510901744.5A)
Authority: CN (China)
Prior art keywords: calculates, sign test, trusted, mod, party
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses an improved ECDSA. Before identity is authenticated, the signer and the verifier each obtain a time-varying random number t from a trusted third party. Step (1): randomly select k ∈ [1, n-1]. Step (2): compute kP = (x1, y1) and convert x1 to an integer. Step (3): compute r = x1 mod n; if r = 0, return to step (1) and obtain a fresh random number t from the trusted third party. Step (4): compute e = H(m), where H is a hash function. Step (5): compute s = t·k^(-1)·(e + dr) mod n; if s = 0, return to step (1) and obtain a fresh random number t from the trusted third party. Step (6): output the signature (r, s). The invention also discloses a signature verification method based on this improved ECDSA. The invention can effectively prevent a man-in-the-middle from passing off a relayed signature as its own.
Description
Technical field
The present invention relates to the field of information security, and in particular to an improved Elliptic Curve Digital Signature Algorithm (ECDSA). The invention further relates to a signature verification method based on the improved ECDSA.
Background technology
1. Introduction to ECDSA
A digital signature is the digital counterpart of a handwritten signature; it provides data origin authentication together with data integrity and non-repudiation. ECDSA is the elliptic curve version of the digital signature algorithm. The ECDSA signing procedure is as follows:
Input: domain parameters D = (q, FR, S, a, b, P, n, h), private key d, message m.
Output: signature (r, s).
a. Randomly select k ∈ [1, n-1];
b. Compute kP = (x1, y1) and convert x1 to an integer;
c. Compute r = x1 mod n; if r = 0, return to step a;
d. Compute e = H(m), where H is a hash function;
e. Compute s = k^(-1)·(e + dr) mod n; if s = 0, return to step a;
f. Output the signature (r, s).
Any other user who obtains this signature can then use the signer's public key to determine whether (r, s) is a valid signature of that user. The verification procedure is as follows:
Input: domain parameters D = (q, FR, S, a, b, P, n, h), public key Q, message m, signature (r, s).
a. Check that r ∈ [1, n-1] and s ∈ [1, n-1]; otherwise verification fails;
b. Compute e = H(m), where H is the hash function;
c. Compute w = s^(-1) mod n;
d. Compute u1 = e·w mod n and u2 = r·w mod n;
e. Compute X = u1·P + u2·Q; if X is the point at infinity, verification fails;
f. Let X = (x1, y1) and convert x1 to an integer;
g. If x1 equals r, verification succeeds; otherwise verification fails.
2. Mafia fraud
Alice is eating at Bob's restaurant, a restaurant owned by the Mafia, while Carol is shopping at Dave's store, a high-end jeweller. Bob and Carol are both mafiosi and can communicate over a secret channel; neither Alice nor Dave knows about the fraud.
When Alice finishes her meal and is about to pay and authenticate herself to Bob, Bob tells Carol to start the fraud. Carol also picks out jewellery and prepares to authenticate herself to Dave. Once Alice has digitally signed Bob's bill, Bob forwards Alice's signature to Carol, and Carol can then use Alice's signature to complete her transaction with Dave. The result is that Alice has bought jewellery for the Mafia.
If the digital signature is improved by introducing a time parameter, then by the time Alice has signed Bob's bill and Bob has forwarded the signature to Carol, Alice's signature has already expired, so the Mafia cannot carry out the fraud.
An original ECDSA signature can be reused; once a time factor is introduced, an ECDSA signature can no longer be reused by others.
Summary of the invention
The technical problem solved by the present invention is to provide an improved ECDSA that can effectively prevent a man-in-the-middle from impersonating a signer. The present invention also provides a signature verification method based on the improved elliptic curve digital signature algorithm.
To solve the above technical problem, the improved ECDSA of the invention comprises the following steps:
Before identity is authenticated, the signer and the verifier obtain a time-varying random number t (t < n) from a trusted third party, where n is the order of the elliptic curve. The signing procedure is as follows:
Input: domain parameters D = (q, FR, S, a, b, P, n, h), private key d, public key Q, message m, random number t;
Step (1): randomly select k ∈ [1, n-1];
Step (2): compute kP = (x1, y1) and convert x1 to an integer;
Step (3): compute r = x1 mod n; if r = 0, return to step (1) and obtain a fresh random number t from the trusted third party;
Step (4): compute e = H(m), where H is a hash function;
Step (5): compute s = t·k^(-1)·(e + dr) mod n; if s = 0, return to step (1) and obtain a fresh random number t from the trusted third party;
Step (6): output the signature (r, s).
The signature verification method based on the above improved ECDSA comprises the following steps: before identity is authenticated, the signer and the verifier obtain the random number t from the trusted third party;
Input: domain parameters D = (q, FR, S, a, b, P, n, h), random number t, message m, signature (r, s);
Step (I): check that r ∈ [1, n-1] and s ∈ [1, n-1]; otherwise verification fails;
Step (II): compute e = H(m), where H is the hash function;
Step (III): compute w = s^(-1) mod n;
Step (IV): compute u1 = t·e·w mod n and u2 = t·r·w mod n;
Step (V): compute X = u1·P + u2·Q; if X is the point at infinity, verification fails;
Step (VI): let X = (x1, y1) and convert x1 to an integer;
Step (VII): if x1 equals r, verification succeeds; otherwise verification fails.
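Why verification succeeds exactly when the verifier's t matches the signer's t (a derivation added here, not part of the original page, using the symbols defined above; all congruences are modulo n):

$$
w \equiv s^{-1} \equiv \bigl(t\,k^{-1}(e + dr)\bigr)^{-1} \equiv t^{-1}\,k\,(e + dr)^{-1} \pmod n
$$

$$
X = u_1 P + u_2 Q = t w e\,P + t w r\,(dP) = t w (e + dr)\,P = kP
$$

so the x-coordinate of X reduced modulo n is r and step (VII) succeeds. If the verifier instead uses a value t' with t' ≢ t, the same computation gives

$$
X' = t' w (e + dr)\,P = t'\,t^{-1}\,kP,
$$

a different point whose x-coordinate coincides with r only when X' = −kP, that is, only when t' ≡ −t (mod n), since −kP has the same x-coordinate as kP. For every other t' the check in step (VII) fails.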
In this case, because t differs at different times, suppose that when Alice signs Bob's bill the random number is t = t1. Forwarding Alice's signature from Bob to Carol takes time, so when Carol presents the signature to Dave the random number is t = t2 (t1 ≠ t2), and Dave verifies with t = t2. Alice's signature, made with t = t1, therefore cannot be verified by Dave, and the Mafia cannot pay with Alice's money.
Compared with a conventional elliptic curve signature, the present invention can defeat a man-in-the-middle who impersonates a signer. If a person's signature is valid only during a specific time window, it is impossible for others to impersonate that person's signature. On this basis, a trusted third party first supplies a random number that changes over time, and the signer's ECDSA signature changes according to this random number, so that the ECDSA signature can no longer be fraudulently used by others.
Brief description of the drawings
The present invention is described in further detail below with reference to the accompanying drawings and a specific embodiment:
Fig. 1 is a flowchart of the improved ECDSA;
Fig. 2 is the signature verification flowchart corresponding to the improved ECDSA.
Specific embodiment
Fig. 1 shows the flow of the invention; the specific implementation details are given below.
The US National Institute of Standards and Technology (NIST) recommends five sets of parameters for elliptic curve cryptography over prime fields. This embodiment uses one of them (the 256-bit curve, P-256), as follows:
Over the finite field F_p there is an elliptic curve E defined by
E: y^2 = x^3 + ax + b
where:
p = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF;
a = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC;
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b.
The coordinates of the base point P are
[0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5]
The order n of the base point is
0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551.
Assume the private key d is
d = 0x2CA1411A41B17B24CC8C3B089CFD033F1920202A6C0DE8ABB97DF1498D50D2C8.
The random number t is
0xDE1D6C79DE7DF80410C86E073DB2B80828DB2AB5E3D285BE740CD478478F6CE9.
Step 1: randomly select k ∈ [1, n-1];
k = 0xA0640D4957F27D091AB1AEBC69949D96E5AC2BB283ED5284A5674758B12F08DF.
Step 2: compute kP = (x1, y1);
the coordinates of kP are
[0xD73CD3722BAE6CC0B39065BB4003D8ECE1EF2F7A8A55BFD677234B0B3B902650,
0x7FB6E56C2A703DD7E7E9557EAD184588AB38066718EE4B808CD18DDD825D8866].
Step 3: compute r = x1 mod n; if r = 0, return to step 1;
r = 0xD73CD3722BAE6CC0B39065BB4003D8ECE1EF2F7A8A55BFD677234B0B3B902650.
Step 4: compute e = H(m), where H is a hash function;
assume e is
e = 0x1BD4ED430B0F384B4E8D458EFF1A8A553286D7AC21CB2F6806172EF5F94A06AD.
Step 5: compute s = t·k^(-1)·(e + dr) mod n;
s = 0xFAE726AC808D31657D76DD694DE947685BCCEFCF478D902C4DB2EFB19DA9CF.
Step 6: output the signature (r, s).
With reference to Fig. 2, the verification example is as follows:
Step 1: compute e = H(m), where H is the hash function.
e is the same as at signing time,
e = 0x1BD4ED430B0F384B4E8D458EFF1A8A553286D7AC21CB2F6806172EF5F94A06AD.
Step 2: compute w = s^(-1) mod n;
w = 0x9726409CCE9F14FDD743617455CAD733C52157D5ECED55CD3A1C6F3BA87C0713.
Step 3: compute u1 = t·e·w mod n and u2 = t·r·w mod n;
u1 = 0x4230443019AF06D9B2BEB55EBEAEF17537567CB205F87CFD3C6F79D5978837CC;
u2 = 0xE31FA66A651BD372F13FA47FB48F04D8F2EAC254287E1DAA01E901F50C30703B.
Step 4: compute X = u1·P + u2·Q; if X is the point at infinity, verification fails.
The coordinates of the point X are
[0xD73CD3722BAE6CC0B39065BB4003D8ECE1EF2F7A8A55BFD677234B0B3B902650,
0x7FB6E56C2A703DD7E7E9557EAD184588AB38066718EE4B808CD18DDD825D8866]
Since the x-coordinate of X equals r, verification succeeds.
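The following Python script is an added example written for this page; it is not code from the patent. It implements the plain ECDSA signing and verification of the background section, the t-modified signing (step (5)) and verification (step (IV)) of the invention, and re-runs the embodiment above with the page's own P-256 parameters, private key d, random number t, nonce k and hash value e. The curve arithmetic is a plain affine double-and-add, adequate for a demonstration but not constant-time and not for production keys; SHA-256 as H, the second epoch value t2, the constructed message and the rescale function are assumptions made for the example. The rescale check exercises an algebraic consequence of step (5) that the page does not discuss: dividing s by t yields an ordinary ECDSA signature, and multiplying by another epoch value t' yields a signature that verifies under t', so the binding to t holds only as long as a relaying party does not learn both t values.

```python
# Added example for this page (not the patent's code): plain ECDSA, the
# patent's t-modified ECDSA, and a rescaling check, over NIST P-256.
# Curve constants are the P-256 parameters listed in the embodiment.
# Requires Python 3.8+ for pow(x, -1, m).
import hashlib
import secrets

P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # the point at infinity


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B over F_P (not constant-time)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point):
    """Double-and-add scalar multiplication (demonstration quality only)."""
    result = INF
    while k > 0:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def hash_message(m):
    """e = H(m) as a big-endian integer; SHA-256 is an assumption (page: 'H is a hash function')."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def sign(d, e, k, t=1):
    """Steps (1)-(6): t = 1 is the background section's plain ECDSA, a third-party t is step (5)."""
    r = scalar_mult(k, G)[0] % N
    s = t * pow(k, -1, N) * (e + d * r) % N
    if r == 0 or s == 0:
        raise ValueError("r or s is zero: retry with a fresh k (and fresh t)")
    return (r, s)

def verify(Q, e, sig, t=1):
    """Steps (I)-(VII); u1 and u2 are scaled by t as in step (IV)."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    u1 = t * e * w % N
    u2 = t * r * w % N
    X = point_add(scalar_mult(u1, G), scalar_mult(u2, Q))
    return X is not INF and X[0] % N == r

def rescale(sig, t_old, t_new):
    """Added check, not in the patent: s = t*k^-1*(e+d*r), so (r, s*t_old^-1*t_new) verifies under t_new."""
    r, s = sig
    return (r, s * pow(t_old, -1, N) * t_new % N)

def demo():
    """Re-run the embodiment with the page's d, t, k and e, then run the checks."""
    d = 0x2CA1411A41B17B24CC8C3B089CFD033F1920202A6C0DE8ABB97DF1498D50D2C8
    t1 = 0xDE1D6C79DE7DF80410C86E073DB2B80828DB2AB5E3D285BE740CD478478F6CE9
    k = 0xA0640D4957F27D091AB1AEBC69949D96E5AC2BB283ED5284A5674758B12F08DF
    e = 0x1BD4ED430B0F384B4E8D458EFF1A8A553286D7AC21CB2F6806172EF5F94A06AD
    t2 = 3 * t1 % N  # a second epoch value, constructed for the check
    Q = scalar_mult(d, G)
    sig = sign(d, e, k, t1)
    # Plain ECDSA over a constructed message with a fresh nonce (never reuse k).
    e2 = hash_message(b"constructed bill: 1 dinner at Bob's")
    plain = sign(d, e2, secrets.randbelow(N - 1) + 1)
    return {
        "r": sig[0],
        "s": sig[1],
        "verifies_with_t1": verify(Q, e, sig, t1),
        "verifies_with_t2": verify(Q, e, sig, t2),
        "rescaled_verifies_with_t2": verify(Q, e, rescale(sig, t1, t2), t2),
        "plain_from_t_sig": verify(Q, e, rescale(sig, t1, 1)),
        "plain_ecdsa": verify(Q, e2, plain),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, hex(value) if name in ("r", "s") else value)
```

Running the script reproduces the behaviour the description claims (the t1 signature fails under t2) and also shows that anyone holding the signature together with t1 and t2 can produce the t2 version without the private key, because t only rescales s; the verifier's check therefore binds the signature to t only to the extent that t itself is kept from the relaying party.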
The present invention has been described in detail above by way of an embodiment, but the scope of protection of the present invention is not limited to the described embodiment. Those skilled in the art can make many variations and improvements without departing from the principles of the present invention, and these should also be regarded as within the scope of protection of the present invention.
Claims (4)
1. An improved ECDSA, characterised by comprising the following steps:
Before identity is authenticated, the signer and the verifier obtain a time-varying random number t (t < n) from a trusted third party, where n is the order of the elliptic curve;
Input: domain parameters D = (q, FR, S, a, b, P, n, h), private key d, public key Q, message m, random number t;
Step (1): randomly select k ∈ [1, n-1];
Step (2): compute kP = (x1, y1) and convert x1 to an integer;
Step (3): compute r = x1 mod n; if r = 0, return to step (1) and obtain a fresh random number t from the trusted third party;
Step (4): compute e = H(m), where H is a hash function;
Step (5): compute s = t·k^(-1)·(e + dr) mod n; if s = 0, return to step (1) and obtain a fresh random number t from the trusted third party;
Step (6): output the signature (r, s).
2. The algorithm of claim 1, characterised in that the value of t in step (5) is a random value given by the trusted third party when the signer prepares to prove its identity, and this random value changes over time.
3. A signature verification method based on the algorithm of claim 1 or 2, characterised by comprising the following steps: before identity is authenticated, the signer and the verifier obtain the random number t from the trusted third party;
Input: domain parameters D = (q, FR, S, a, b, P, n, h), random number t, message m, signature (r, s);
Step (I): check that r ∈ [1, n-1] and s ∈ [1, n-1]; otherwise verification fails;
Step (II): compute e = H(m), where H is the hash function;
Step (III): compute w = s^(-1) mod n;
Step (IV): compute u1 = t·e·w mod n and u2 = t·r·w mod n;
Step (V): compute X = u1·P + u2·Q; if X is the point at infinity, verification fails;
Step (VI): let X = (x1, y1) and convert x1 to an integer;
Step (VII): if x1 equals r, verification succeeds; otherwise verification fails.
4. The method of claim 3, characterised in that the value of t in step (IV) is a random value given by the trusted third party when the signer prepares to prove its identity, and this random value changes over time.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510901744.5A CN106856431A (en) | 2015-12-09 | 2015-12-09 | Improved ECDSA and sign test method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106856431A true CN106856431A (en) | 2017-06-16 |
Family
ID=59132185
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510901744.5A Pending CN106856431A (en) | 2015-12-09 | 2015-12-09 | Improved ECDSA and sign test method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106856431A (en) |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103427997A (en) * | 2013-08-16 | 2013-12-04 | 西安西电捷通无线网络通信股份有限公司 | Method and device for generating digital signature |
CN103475473A (en) * | 2013-08-26 | 2013-12-25 | 广东数字证书认证中心有限公司 | Digital signature method, digital signature equipment, password operation method in digital signature, and server |
Non-Patent Citations (1)
Title |
---|
张宇 (Zhang Yu): "基于ECDSA的故障攻击研究" (Research on fault attacks against ECDSA), Master's thesis, 西安电子科技大学 (Xidian University) * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109005039A (en) * | 2018-08-30 | 2018-12-14 | 天津通卡智能网络科技股份有限公司 | A method of accelerating ecdsa sign test in embedded device end |
CN109150544A (en) * | 2018-08-30 | 2019-01-04 | 天津通卡智能网络科技股份有限公司 | A method of accelerating sm2 sign test in embedded device end |
CN113114466A (en) * | 2021-03-23 | 2021-07-13 | 武汉珈港科技有限公司 | Parallel signature checking method |
CN113114466B (en) * | 2021-03-23 | 2023-09-29 | 武汉珈港科技有限公司 | Parallel signature verification method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170616 |