CN110943826A - Split key signature method and system based on SM2 algorithm - Google Patents

Info

Publication number: CN110943826A
Application number: CN201811121111.2A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN110943826B (en)
Inventors: 赵国磊, 廖正赟, 刘熙胖, 何骏, 彭金辉, 刘武忠, 李鑫, 卫志刚
Current assignee: Zhengzhou Xinda Jiean Information Technology Co Ltd
Original assignee: Zhengzhou Xinda Jiean Information Technology Co Ltd

Classifications

    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information involving passwords or one-time passwords
    • H04L9/0869 Generation of secret information involving random numbers or seeds
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/3066 Public key cryptography involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3252 Digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes


Abstract

The invention provides a split key signature method and system based on the SM2 algorithm. On one hand, the key is split to protect the private key: the two communication parties each generate their own sub private key, and the final signature can only be obtained through cooperative computation of both parties. On the other hand, a very simple scheme for split key signing based on the SM2 algorithm is provided. The scheme uses the result of multiplying the base point G of the elliptic curve by the modular inverse of one party's sub private key as a key parameter, which reduces the computation of the algorithm and the amount of data exchanged between the parties, and also reduces the amount of important parameters that need secure storage, thereby reducing the risk of data leakage, reducing the interaction delay of the two parties, and giving the algorithm better applicability. In addition, the security of the system is further improved by securely storing the sub private keys and key parameters of the two parties separately.

Description

Split key signature method and system based on SM2 algorithm
Technical Field
The invention relates to the technical field of information security and cryptography application, in particular to a split key signature method and a split key signature system based on SM2 algorithm.
Background
Cryptographic technology is the core technology of information security. Elliptic curve public key cryptography (ECC) has developed greatly and been widely applied in recent years; China's national cryptography administration released the elliptic curve public key cryptographic algorithm SM2 on 17 December 2010, and it has since played an important security role in applications such as electronic commerce and identity authentication in China.
In a public key cryptosystem, ensuring the security of the private key is a very important issue. The user's private key typically needs to be securely stored and used in specialized cryptographic hardware from which the private key cannot be extracted. However, with the spread of public key cryptographic applications, the SM2 algorithm is widely used in systems such as e-commerce, e-government, mobile policing and mobile office, and plays an increasingly important role in Internet of Things applications such as vehicle networks, intelligent medical systems and smart home systems, and in cloud computing systems. Many systems and terminals using the SM2 algorithm, especially intelligent mobile terminals, have no hardware cryptographic module in the form of a cryptographic chip, TF card, USB key or the like; they can only rely on a software cryptographic module to perform cryptographic operations, and the private key must be stored in the local storage medium of the user terminal. Although the private key can be protected by encryption, a PIN code and the like while stored, it can still be stolen, and when the software cryptographic module performs a cryptographic operation the private key eventually appears in memory in plaintext, where an attacker can obtain it by various methods.
To address this problem, a feasible scheme is to divide the private key into several parts stored in different terminals or servers; when the private key is needed for a cryptographic operation, each terminal or server performs the operation with its own sub private key and the parties exchange partial results, and the final result equals the result of performing the operation (such as a digital signature) directly with the private key.
Some algorithms have been proposed on the basis of this scheme, but most of them have a complex operation process, require more data to be exchanged between the parties participating in the operation, and have a large communication volume; in addition, some key parameters besides the sub private key are usually stored during the operation, and to further ensure the security of the algorithm both the sub private key and the key parameters must be stored securely. In application scenarios such as cloud computing and the Internet of Things, the amount of data exchanged between the participating parties and the amount of data needing secure storage must be reduced, so as to reduce the risk of data leakage, reduce the interaction delay, lower the software or hardware requirements for secure storage, and give the algorithm better applicability.
An ideal technical solution to the above problems is therefore required.
Disclosure of Invention
The invention aims to provide a method and a system for splitting a key signature based on SM2 algorithm, which aim to solve the defects of the prior art, enable two communication parties to independently generate respective sub private keys through key splitting, sign messages through cooperative operation of the two parties, and greatly reduce interactive data volume of the two parties and data volume needing safe storage while fully ensuring the security of the private keys through extremely simplified design of the algorithm.
To achieve this purpose, the invention adopts the following technical scheme: a split key signature system based on the SM2 algorithm comprises a first communication party and a second communication party, wherein the first communication party comprises a first cryptographic operation module, a first secure storage module, a third secure storage module and a first communication module, the second communication party comprises a second cryptographic operation module, a second secure storage module and a second communication module, and the first communication party and the second communication party are communicatively connected through the first communication module and the second communication module; the first communication party and the second communication party share the SM2 algorithm elliptic curve E and a base point G on E of order n;
The first communication party generates a random number d1 ∈ [1, n-1] through the first cryptographic operation module as its sub private key and stores it in the first secure storage module; the second communication party generates a random number d2 ∈ [1, n-1] through the second cryptographic operation module as its sub private key and stores it in the second secure storage module; the second communication party calculates an elliptic curve point P2 = [d2^-1]G from d2 and G through the second cryptographic operation module, where d2^-1 denotes the multiplicative inverse of d2 modulo n (d2 * d2^-1 = 1 mod n), and then sends P2 to the first communication party through the second communication module; the first communication party receives P2 through the first communication module, stores P2 in the third secure storage module, then calculates the public key P = [d1^-1]P2 - G from d1, P2 and G through the first cryptographic operation module and publishes the public key through the first communication module, where d1^-1 denotes the multiplicative inverse of d1 modulo n (d1 * d1^-1 = 1 mod n);
When a signature is needed, the first communication party performs signature preprocessing on the message M to be signed through the first cryptographic operation module to obtain a message digest e; it then generates a random number k1 ∈ [1, n-1], obtains P2 from the third secure storage module, calculates a first partial signature W1 = [k1]P2 from k1 and P2, and sends e and W1 to the second communication party through the first communication module;
the second communication party receives e and W1 through the second communication module; the second cryptographic operation module generates a random number k2 ∈ [1, n-1] and calculates a second partial signature W2 = [k2]G from k2 and G; it then calculates the elliptic curve point W = W1 + W2 with coordinates (x1, y1), and from x1 and e obtains a third partial signature r = (x1 + e) mod n; if r = 0, the second cryptographic operation module regenerates the random number k2 and recalculates the second and third partial signatures;
the second communication party obtains d2 from the second secure storage module, calculates a fourth partial signature s1 = (d2 * k2 + d2 * r) mod n from k2, d2 and r through the second cryptographic operation module, and sends s1 and r to the first communication party through the second communication module;
the first communication party receives s1 and r through the first communication module, obtains d1 from the first secure storage module, and calculates s = (d1 * (k1 + s1) - r) mod n from d1, k1, s1 and r; if s ≠ 0, the first communication party outputs M and its digital signature (r, s); if s = 0, the cooperative signature process of the two communication parties is restarted.
Based on the above, the signature preprocessing performed by the first communication party on the message M to be signed to obtain the message digest e comprises: the first communication party calculates its own hash value Z using a cryptographic hash function, concatenates Z and M into M1, and applies the hash function to M1 to obtain the message digest e.
Based on the above, the first secure storage module, and/or the second secure storage module, and/or the third secure storage module implement secure storage through a software or hardware storage module.
Based on the above, the random numbers d1 and k1 generated by the first communication party are each obtained by operations on one or more random numbers in [1, n-1], and/or the random numbers d2 and k2 generated by the second communication party are each obtained by operations on one or more random numbers in [1, n-1]; the operations comprise linear operations, multiplication and inversion.
A split key signature method based on the SM2 algorithm, wherein the two communication parties comprise a first communication party and a second communication party, and the first communication party and the second communication party share the SM2 algorithm elliptic curve E and a base point G on E of order n; the method comprises the following steps:
First stage: generating the respective sub private keys and computing the public key of both parties
S101, the first communication party generates a random number d1 ∈ [1, n-1] as its sub private key and stores it securely; the second communication party generates a random number d2 ∈ [1, n-1] as its sub private key and stores it securely;
S102, the second communication party calculates an elliptic curve point P2 = [d2^-1]G from d2 and G and sends P2 to the first communication party, where d2^-1 denotes the multiplicative inverse of d2 modulo n (d2 * d2^-1 = 1 mod n);
S103, the first communication party calculates the public key P = [d1^-1]P2 - G from d1, P2 and G, publishes the public key and stores P2 securely, where d1^-1 denotes the multiplicative inverse of d1 modulo n (d1 * d1^-1 = 1 mod n);
Second stage: cooperative signature by the two parties
S201, the first communication party performs signature preprocessing on the message M to be signed to obtain a message digest e;
S202, the first communication party generates a random number k1 ∈ [1, n-1], calculates a first partial signature W1 = [k1]P2 from k1 and P2, and sends the message digest e and the first partial signature W1 to the second communication party;
S203, the second communication party generates a random number k2 ∈ [1, n-1] and calculates a second partial signature W2 = [k2]G from k2 and G;
S204, the second communication party calculates the elliptic curve point W = W1 + W2 from the first partial signature W1 and the second partial signature W2, where the coordinates of W are (x1, y1); it then calculates a third partial signature r = (x1 + e) mod n from x1 and the message digest e, and if r = 0 returns to S203;
S205, the second communication party calculates a fourth partial signature s1 = (d2 * k2 + d2 * r) mod n from k2, d2 and r, and sends s1 and r to the first communication party;
S206, the first communication party calculates s = (d1 * (k1 + s1) - r) mod n from d1, k1, s1 and r, and if s = 0 returns to S202;
S207, the first communication party outputs M and its digital signature (r, s).
Based on the above, in step S101 the first communication party sends a cooperative key generation request to the second communication party, and after receiving the request the second communication party generates a random number d2 ∈ [1, n-1] as its sub private key.
Based on the above, steps S201 and S202 are respectively:
S201, the first communication party generates a random number k1 ∈ [1, n-1], calculates a first partial signature W1 = [k1]P2 from k1 and P2, and sends the first partial signature W1 to the second communication party;
S202, the second communication party performs signature preprocessing on the message M to be signed to obtain the message digest e.
Compared with the prior art, the invention has substantive features and progress, specifically:
1. The technical scheme of the invention provides a simple scheme for split key signatures based on the SM2 algorithm. On one hand, the key is split to protect the private key: the final signature can only be obtained through cooperative computation of the two communication parties, neither party can obtain any sensitive information about the other party's sub private key from the intermediate data exchanged, and neither party can compute the private key from the parameters it generates and obtains when producing the signature. On the other hand, compared with other split key signature algorithms, the technical scheme uses the result of multiplying the base point G by the modular inverse of a party's sub private key as a key parameter, which reduces the number of point multiplications in the algorithm, reduces the computation of the algorithm, reduces the amount of data exchanged between the two communication parties, and reduces the amount of important parameters that must be stored; the risk of data leakage, the interaction delay and the software or hardware requirements for secure storage are therefore all reduced, the algorithm has better applicability, and it better meets the application requirements of various scenarios, particularly in environments such as cloud computing and the Internet of Things.
2. The technical scheme of the invention further increases the security of the system by securely storing the sub private keys and the key parameters of the two parties separately. If the sub private key of either party or the key parameter is missing, the signature cannot be correctly generated, which increases the difficulty of forging a signature. Moreover, through the extremely simple design of the algorithm, only the first communication party needs to store the key parameter securely; the second communication party no longer needs the key parameter after the public and private key generation stage, so the amount of data to be stored securely, or the computation of repeatedly recalculating the key parameter, is reduced.
Drawings
FIG. 1 is a functional block diagram of one embodiment of the system of the present invention.
FIG. 2 is a schematic flow diagram of one embodiment of the method of the present invention.
Detailed Description
The technical solution of the present invention is further described in detail by the following embodiments.
In the present invention, point multiplication on the elliptic curve E is written in the form [k]G, where [k]G denotes the k-fold multiple of the point G, k is a positive integer and G is an elliptic curve point. mod n denotes the modulo n operation. "*" denotes multiplication of numerical values.
In the present invention, the sign used for both elliptic curve point addition and numerical addition is the plus sign "+". When the operands are elliptic curve points, "+" denotes point addition; when the operands are numerical values, "+" denotes numerical addition.
In the present invention, the sign used for both elliptic curve point subtraction and numerical subtraction is the minus sign "-". When the operands are elliptic curve points, "-" denotes point subtraction; when the operands are numerical values, "-" denotes numerical subtraction.
Example 1
As shown in fig. 1, a split key signature system based on the SM2 algorithm includes a first communication party and a second communication party, where the first communication party includes a first cryptographic operation module, a first secure storage module, a third secure storage module and a first communication module, the second communication party includes a second cryptographic operation module, a second secure storage module and a second communication module, and the first communication party and the second communication party are communicatively connected through the first communication module and the second communication module; the first communication party and the second communication party share the SM2 algorithm elliptic curve E and a base point G on E of order n;
The first, second and third secure storage modules can implement secure storage in software, or through a hardware storage module.
The first communication party generates a random number d1 ∈ [1, n-1] through the first cryptographic operation module as its sub private key and stores it in the first secure storage module; the second communication party generates a random number d2 ∈ [1, n-1] through the second cryptographic operation module as its sub private key and stores it in the second secure storage module; the second communication party calculates an elliptic curve point P2 = [d2^-1]G from d2 and G through the second cryptographic operation module and sends P2 to the first communication party through the second communication module; the first communication party receives P2 through the first communication module, stores P2 in the third secure storage module, then calculates the public key P = [d1^-1]P2 - G from d1, P2 and G through the first cryptographic operation module and publishes the public key through the first communication module;
Here d1^-1 and d2^-1 are the multiplicative inverses of d1 and d2 modulo n respectively, i.e. d1 * d1^-1 = 1 mod n and d2 * d2^-1 = 1 mod n.
When a signature is needed, the first communication party performs signature preprocessing on the message M to be signed through the first cryptographic operation module to obtain a message digest e; it then generates a random number k1 ∈ [1, n-1], obtains P2 from the third secure storage module, calculates a first partial signature W1 = [k1]P2 from k1 and P2, and sends e and W1 to the second communication party through the first communication module;
the second communication party receives e and W1 through the second communication module; the second cryptographic operation module generates a random number k2 ∈ [1, n-1] and calculates a second partial signature W2 = [k2]G from k2 and G; it then calculates the elliptic curve point W = W1 + W2 with coordinates (x1, y1), and from x1 and e obtains a third partial signature r = (x1 + e) mod n; if r = 0, the second cryptographic operation module regenerates the random number k2 and recalculates the second and third partial signatures;
the second communication party obtains d2 from the second secure storage module, calculates a fourth partial signature s1 = (d2 * k2 + d2 * r) mod n from k2, d2 and r through the second cryptographic operation module, and sends s1 and r to the first communication party through the second communication module;
the first communication party receives s1 and r through the first communication module, obtains d1 from the first secure storage module, and calculates s = (d1 * (k1 + s1) - r) mod n from d1, k1, s1 and r; if s ≠ 0, the first communication party outputs M and its digital signature (r, s); if s = 0, the cooperative signature process of the two communication parties is restarted.
In this embodiment, the relationship between the private key d and the sub private keys d1 and d2 is (1 + d)^-1 = d1 * d2 mod n. The consistency of the public and private key pair is proved as follows:
From (1 + d)^-1 = d1 * d2 mod n, the private key is d = (d1^-1 * d2^-1 - 1) mod n;
Public key P = [d1^-1]P2 - G
= [d1^-1 * d2^-1]G - G
= [d1^-1 * d2^-1 - 1]G
= [d]G
The correctness of the signature result of this embodiment is proved as follows:
Let k = (k1 * d2^-1 + k2) mod n, k ∈ [1, n-1]. From (1 + d)^-1 = d1 * d2 mod n, we have
s = [d1 * (k1 + s1) - r] mod n
= [d1 * (k1 + d2 * k2 + d2 * r) - r] mod n
= [d1 * d2 * (k1 * d2^-1 + k2 + r) - r] mod n
= [(1 + d)^-1 * (k + r) - r] mod n
= (1 + d)^-1 * (k + r - r * (1 + d)) mod n
= (1 + d)^-1 * (k - r * d) mod n.
Meanwhile W = W1 + W2 = [k1]P2 + [k2]G = [k1 * d2^-1 + k2]G = [k]G, so r = (x1 + e) mod n is computed from the x coordinate of [k]G. The pair (r, s) is therefore exactly the SM2 signature of e under the private key d with random number k, and the algorithm yields a correct signature.
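As an added worked example (not code from the patent), the following Python carries the key generation steps S101-S103 and the cooperative signing steps S202-S207 above through on the SM2 recommended curve and checks the result with ordinary SM2 verification, which does not know the key was split. It assumes the GB/T 32918 curve parameters with affine point arithmetic written out inline, SHA-256 as a stand-in for SM3 in the digest step, and constructed Z and M values.

```python
"""Two-party SM2 cooperative signature following the steps of CN110943826A.
Added example, not the patent's code. Assumptions: the SM2 recommended curve
(GB/T 32918) with affine arithmetic written out here; SHA-256 standing in for
SM3 when computing e = H(Z || M); secrets.randbelow for random numbers."""
import hashlib
import secrets

# SM2 recommended curve: y^2 = x^3 + a*x + b over F_p, base point G of prime order n
P_ = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A_ = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B_ = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N_ = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G_ = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
      0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine point addition; handles doubling and the P + (-P) case."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P_ == 0:
            return INF
        lam = (3 * x1 * x1 + A_) * pow(2 * y1, -1, P_) % P_
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_) % P_
    x3 = (lam * lam - x1 - x2) % P_
    return (x3, (lam * (x1 - x3) - y1) % P_)

def ec_mul(k, p):
    """[k]P by double-and-add."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p = ec_add(p, p)
        k >>= 1
    return acc

def rand_scalar():
    return secrets.randbelow(N_ - 1) + 1  # uniform in [1, n-1]

def digest(z, m):
    """e = H(Z || M); SHA-256 stands in for SM3 here."""
    return int.from_bytes(hashlib.sha256(z + m).digest(), "big")

def keygen():
    """S101-S103: both parties draw sub private keys; party 2 sends P2, party 1 derives P."""
    d1, d2 = rand_scalar(), rand_scalar()
    p2 = ec_mul(pow(d2, -1, N_), G_)                          # P2 = [d2^-1]G, kept by party 1
    pub = ec_add(ec_mul(pow(d1, -1, N_), p2), (G_[0], -G_[1] % P_))  # P = [d1^-1]P2 - G
    return d1, d2, p2, pub

def cosign(e, d1, d2, p2):
    """S202-S207: party 1 holds d1, k1 and P2; party 2 holds d2 and k2."""
    while True:
        k1 = rand_scalar()
        w1 = ec_mul(k1, p2)                        # W1 = [k1]P2, sent with e to party 2
        while True:
            k2 = rand_scalar()
            w = ec_add(w1, ec_mul(k2, G_))         # W = W1 + [k2]G = (x1, y1)
            r = (w[0] + e) % N_
            if r != 0:                             # S204: r = 0 means redraw k2
                break
        s1 = (d2 * k2 + d2 * r) % N_               # S205, returned to party 1 with r
        s = (d1 * (k1 + s1) - r) % N_              # S206
        if s != 0:                                 # s = 0 restarts from S202
            return r, s

def full_private_key(d1, d2):
    """(1+d)^-1 = d1*d2 mod n, so d = (d1^-1 * d2^-1 - 1) mod n; used only to check P = [d]G."""
    return (pow(d1, -1, N_) * pow(d2, -1, N_) - 1) % N_

def sm2_verify(pub, e, r, s):
    """Standard SM2 verification; knows nothing about the split."""
    if not (1 <= r < N_ and 1 <= s < N_):
        return False
    t = (r + s) % N_
    if t == 0:
        return False
    pt = ec_add(ec_mul(s, G_), ec_mul(t, pub))     # [s]G + [t]P should equal [k]G
    return pt is not INF and (e + pt[0]) % N_ == r

def run_protocol():
    """Constructed Z and M; returns (P == [d]G, verifies, altered e fails, altered s fails)."""
    d1, d2, p2, pub = keygen()
    e = digest(b"constructed Z_A value", b"constructed message M")
    r, s = cosign(e, d1, d2, p2)
    return (pub == ec_mul(full_private_key(d1, d2), G_),
            sm2_verify(pub, e, r, s),
            sm2_verify(pub, (e + 1) % N_, r, s),
            sm2_verify(pub, e, r, (s + 1) % N_))   # expected (True, True, False, False)
```

Note that full_private_key exists only so the check can confirm P = [d]G; in the protocol itself neither party ever holds d.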
Neither the first nor the second communication party can compute the private key d from the parameters it generates and obtains, so the security of the private key is guaranteed.
In addition, the roles of the first and second communication parties may be interchanged.
The signature preprocessing performed by the first communication party on the message M to be signed to obtain the message digest e comprises: the first communication party calculates its own hash value Z using a cryptographic hash function, concatenates Z and M into M1, and applies the hash function to M1 to obtain the message digest e. Reference may be made to the standard SM2 algorithm.
The random numbers d1 and k1 generated by the first communication party and the random numbers d2 and k2 generated by the second communication party can be random numbers in [1, n-1] produced directly by a random number generator, or can be obtained by operations on one or more random numbers in [1, n-1], where the operations include linear operations, multiplication, inversion and the like. For example, d1 = (d11 + … + d1i + … + d1m) mod n, or d1 = (d11 * … * d1i * … * d1m) mod n, or d1 = (d11 * … * d1i * … * d1m)^-1 mod n, or d1 = (d11 + … + d1i + … + d1m)^-1 mod n, etc., where d1i ∈ [1, n-1], i ∈ [1, m] and m ≥ 1. Such operations can further enhance the security of the cryptographic algorithm.
During the communication between the two parties, the sensitive information of both sub private keys is protected: neither the first nor the second communication party can obtain the other's sub private key, and the private key d cannot be computed from the parameters either party generates and obtains. The private key, and hence the cryptographic algorithm, is thus kept secure.
In addition to the sub private keys of the two parties, the first communication party also stores the key parameter P2 securely, which further increases the security of the system. The signature cannot be correctly generated without the sub private key of the first party or without the key parameter P2.
In this embodiment, through the extremely simple design of the algorithm, the system only needs to store the key parameter P2 securely at the first communication party to achieve the above purpose. After the public and private key generation stage the second party no longer needs the key parameter P2, and therefore need not store or recalculate it, which reduces the need for secure storage.
Example 2
Based on the same inventive concept as the above method, and as shown in fig. 2, this embodiment is a split key signature method based on the SM2 algorithm, in which the two communication parties are a first communication party and a second communication party that share the elliptic curve E of the SM2 algorithm and a base point G on E of order n; the method comprises the following steps:
I. Key generation stage: the two parties generate their respective sub-private keys and compute the public key
S101, the first communication party generates a random number d1 ∈ [1, n-1] as its sub-private key and stores it securely; the second communication party generates a random number d2 ∈ [1, n-1] as its sub-private key and stores it securely;
S102, the second communication party computes the elliptic curve point P2 = [d2^-1]G from d2 and G and sends P2 to the first communication party, where d2^-1 denotes the multiplicative inverse of d2 modulo n, i.e. d2 × d2^-1 ≡ 1 (mod n);
S103, the first communication party computes the public key P = [d1^-1]P2 - G from d1, P2 and G, publishes the public key and stores P2 securely; here d1^-1 denotes the multiplicative inverse of d1 modulo n, i.e. d1 × d1^-1 ≡ 1 (mod n);
II. Collaborative signing stage of the two communication parties
S201, the first communication party performs signature preprocessing on the message M to be signed to obtain a message digest e;
S202, the first communication party generates a random number k1 ∈ [1, n-1], computes the first partial signature W1 = [k1]P2 from k1 and P2, and sends the message digest e and the first partial signature W1 to the second communication party;
S203, the second communication party generates a random number k2 ∈ [1, n-1] and computes the second partial signature W2 = [k2]G from k2 and G;
S204, the second communication party computes the elliptic curve point W = W1 + W2 from the first partial signature W1 and the second partial signature W2, with coordinates (x1, y1); it then computes the third partial signature r = (x1 + e) mod n from x1 and the message digest e, and returns to S203 if r = 0;
S205, the second communication party computes the fourth partial signature s1 = (d2 × k2 + d2 × r) mod n from k2, d2 and r, and sends s1 and r to the first communication party;
S206, the first communication party computes s = (d1 × (k1 + s1) - r) mod n from d1, k1, s1 and r, and returns to S202 if s = 0;
S207, the first communication party outputs M and its digital signature (r, s).
In step S101 above, the first communication party may send a cooperative key generation request to the second communication party, and the second communication party, on receiving that request, generates the random number d2 ∈ [1, n-1] as its sub-private key.
In addition, in some cases the second communication party may perform the signature preprocessing of the message M to be signed in place of the first communication party and obtain the message digest e itself. The first communication party then neither computes e nor sends it to the second communication party, which further reduces the amount of data exchanged between the two parties.
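The key generation and collaborative signing stages S101 to S207 above (the same exchange is restated in claims 1 and 5), carried through as an added example; this is not code from the patent or its assignee. It runs both parties in one process and then checks the output with an ordinary single-key SM2 verification, which is the property a deployment relies on: a verifier that knows nothing about the split accepts (r, s) under the published P, and rejects it for a different message. Assumed here and not stated on the page: the recommended sm2p256v1 curve parameters; SHA-256 standing in for the unspecified preprocessing hash, with the identity prefix Z of claim 2 left out; the message is a constructed input; the class and function names are this example's own.

```python
import hashlib
import secrets

# Recommended SM2 curve sm2p256v1 (assumed here; the page fixes no concrete curve).
PRIME = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + b over GF(PRIME); b is not needed."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % PRIME == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def ec_mul(k, pt):
    """[k]pt by double-and-add (not constant-time; illustration only)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def digest(msg):
    """S201 preprocessing. Assumption: SHA-256 stands in for the page's
    unspecified hash and the identity prefix Z of claim 2 is omitted."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def rand_scalar():
    return secrets.randbelow(N - 1) + 1  # uniform in [1, n-1]

class Party2:
    """Second party: holds d2 only; after key generation it no longer needs P2."""
    def __init__(self):
        self.d2 = rand_scalar()                                   # S101

    def key_param(self):
        return ec_mul(pow(self.d2, -1, N), G)                    # S102: P2 = [d2^-1]G

    def sign_share(self, e, W1):
        while True:                                               # S203/S204, retry on r == 0
            k2 = rand_scalar()
            W = ec_add(W1, ec_mul(k2, G))                         # W = W1 + [k2]G
            r = (W[0] + e) % N
            if r != 0:
                return (self.d2 * k2 + self.d2 * r) % N, r        # S205: (s1, r)

class Party1:
    """First party: holds d1 and the key parameter P2."""
    def __init__(self, peer):
        self.peer = peer
        self.d1 = rand_scalar()                                   # S101
        self.P2 = peer.key_param()                                # S102, stored securely
        minus_g = (G[0], -G[1] % PRIME)
        self.P = ec_add(ec_mul(pow(self.d1, -1, N), self.P2), minus_g)  # S103: [d1^-1]P2 - G

    def sign(self, msg):
        e = digest(msg)                                           # S201
        while True:                                               # S202, retry on s == 0
            k1 = rand_scalar()
            s1, r = self.peer.sign_share(e, ec_mul(k1, self.P2))  # sends e, W1 = [k1]P2
            s = (self.d1 * (k1 + s1) - r) % N                     # S206
            if s != 0:
                return r, s                                       # S207

def sm2_verify(P, msg, sig):
    """Ordinary single-key SM2 verification: x([s]G + [r+s]P) + e must equal r."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N) or (r + s) % N == 0:
        return False
    X = ec_add(ec_mul(s, G), ec_mul((r + s) % N, P))
    return X is not INF and (digest(msg) + X[0]) % N == r

def demo():
    """Returns (signature verifies, tampered message rejected, [d]G == P)."""
    p2 = Party2()
    p1 = Party1(p2)
    msg = b"constructed sample message"                           # constructed input
    sig = p1.sign(msg)
    # The joint private key is d = (d1*d2)^-1 - 1 mod n. Forming it needs both
    # shares, which neither party has; it is computed here only to check P.
    d = (pow(p1.d1 * p2.d2, -1, N) - 1) % N
    return (sm2_verify(p1.P, msg, sig),
            not sm2_verify(p1.P, b"tampered", sig),
            ec_mul(d, G) == p1.P)
```

The last check in demo() is the algebra behind the scheme: the effective nonce is k = k1 × d2^-1 + k2 and the effective private key is d = (d1 × d2)^-1 - 1, so s = d1 × (k1 + s1) - r equals the standard SM2 value (1 + d)^-1 × (k - r × d) mod n. Forming d from both shares is exactly what the split prevents any single party from doing; it appears here only to confirm that P equals [d]G. The scalar multiplication is a plain double-and-add and is not side-channel resistant; a production implementation would use a constant-time library and fresh k1, k2 for every signature, as the retry loops above assume.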
Finally, it should be noted that the above examples are only used to illustrate the technical solutions of the present invention and not to limit the same; although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art will understand that: modifications to the embodiments of the invention or equivalent substitutions of parts of the technical features can be made without departing from the spirit of the technical solution of the invention, which is to be covered by the technical solution of the invention.

Claims (7)

1. A split key signature system based on the SM2 algorithm, comprising a first communication party and a second communication party, wherein the first communication party comprises a first cryptographic operation module, a first secure storage module, a third secure storage module and a first communication module, the second communication party comprises a second cryptographic operation module, a second secure storage module and a second communication module, and the first communication party and the second communication party are communicatively connected through the first communication module and the second communication module; the first communication party and the second communication party share the elliptic curve E of the SM2 algorithm and a base point G on E of order n;
the first communication party generates a random number d1 ∈ [1, n-1] through the first cryptographic operation module as its sub-private key and stores it in the first secure storage module; the second communication party generates a random number d2 ∈ [1, n-1] through the second cryptographic operation module as its sub-private key and stores it in the second secure storage module; the second communication party computes the elliptic curve point P2 = [d2^-1]G from d2 and G through the second cryptographic operation module, where d2^-1 denotes the multiplicative inverse of d2 modulo n, and then sends P2 to the first communication party through the second communication module; the first communication party receives P2 through the first communication module, stores it in the third secure storage module, and then computes the public key P = [d1^-1]P2 - G from d1, P2 and G through the first cryptographic operation module and publishes the public key through the first communication module, where d1^-1 denotes the multiplicative inverse of d1 modulo n;
when a signature is needed, the first communication party performs signature preprocessing on the message M to be signed through the first cryptographic operation module to obtain a message digest e; it then generates a random number k1 ∈ [1, n-1], retrieves P2 from the third secure storage module, computes the first partial signature W1 = [k1]P2 from k1 and P2, and sends e and W1 to the second communication party through the first communication module;
the second communication party receives e and W1 through the second communication module; the second cryptographic operation module generates a random number k2 ∈ [1, n-1] and computes the second partial signature W2 = [k2]G from k2 and G; it then computes the elliptic curve point W = W1 + W2 from W1 and W2, with coordinates (x1, y1), and computes the third partial signature r = (x1 + e) mod n from x1 and e; if r = 0, the second cryptographic operation module regenerates the random number and recomputes the second and third partial signatures;
the second communication party retrieves d2 from the second secure storage module, computes the fourth partial signature s1 = (d2 × k2 + d2 × r) mod n from k2, d2 and r through the second cryptographic operation module, and sends s1 and r to the first communication party through the second communication module;
the first communication party receives s1 and r through the first communication module, retrieves d1 from the first secure storage module, and computes s = (d1 × (k1 + s1) - r) mod n from d1, k1, s1 and r; if s ≠ 0, the first communication party outputs M and its digital signature (r, s); if s = 0, the cooperative signing process of the two communication parties is restarted.
2. The split key signature system based on the SM2 algorithm of claim 1, wherein the signature preprocessing of the message M to be signed by the first communication party to obtain the message digest e comprises: the first communication party computes its own hash value Z using a cryptographic hash function, concatenates Z and M into M1, and applies the hash function to M1 to obtain the message digest e.
3. The split key signature system based on the SM2 algorithm according to claim 1 or 2, wherein the first secure storage module, and/or the second secure storage module, and/or the third secure storage module implements secure storage through a software or hardware storage module.
4. The split key signature system based on the SM2 algorithm according to claim 1 or 2, wherein the random numbers d1, k1 generated by the first communication party are each derived by an operation on one or more random numbers in [1, n-1], and/or the random numbers d2, k2 generated by the second communication party are each derived by an operation on one or more random numbers in [1, n-1]; the operation comprises linear combination, multiplication and inversion.
5. A split key signature method based on the SM2 algorithm, characterized in that the two communication parties comprise a first communication party and a second communication party that share the elliptic curve E of the SM2 algorithm and a base point G on E of order n; the method comprises the following steps:
I. Key generation stage: the two parties generate their respective sub-private keys and compute the public key
S101, the first communication party generates a random number d1 ∈ [1, n-1] as its sub-private key and stores it securely; the second communication party generates a random number d2 ∈ [1, n-1] as its sub-private key and stores it securely;
S102, the second communication party computes the elliptic curve point P2 = [d2^-1]G from d2 and G and sends P2 to the first communication party, where d2^-1 denotes the multiplicative inverse of d2 modulo n, i.e. d2 × d2^-1 ≡ 1 (mod n);
S103, the first communication party computes the public key P = [d1^-1]P2 - G from d1, P2 and G, publishes the public key and stores P2 securely; here d1^-1 denotes the multiplicative inverse of d1 modulo n;
II. Collaborative signing stage of the two communication parties
S201, the first communication party performs signature preprocessing on the message M to be signed to obtain a message digest e;
S202, the first communication party generates a random number k1 ∈ [1, n-1], computes the first partial signature W1 = [k1]P2 from k1 and P2, and sends the message digest e and the first partial signature W1 to the second communication party;
S203, the second communication party generates a random number k2 ∈ [1, n-1] and computes the second partial signature W2 = [k2]G from k2 and G;
S204, the second communication party computes the elliptic curve point W = W1 + W2 from the first partial signature W1 and the second partial signature W2, with coordinates (x1, y1); it then computes the third partial signature r = (x1 + e) mod n from x1 and the message digest e, and returns to S203 if r = 0;
S205, the second communication party computes the fourth partial signature s1 = (d2 × k2 + d2 × r) mod n from k2, d2 and r, and sends s1 and r to the first communication party;
S206, the first communication party computes s = (d1 × (k1 + s1) - r) mod n from d1, k1, s1 and r, and returns to S202 if s = 0;
S207, the first communication party outputs M and its digital signature (r, s).
6. The split key signature method based on the SM2 algorithm of claim 5, wherein in step S101 the first communication party sends a cooperative key generation request to the second communication party, and the second communication party generates the random number d2 ∈ [1, n-1] as its sub-private key after receiving the cooperative key generation request.
7. The split key signature method based on the SM2 algorithm of claim 5, wherein steps S201 and S202 are respectively:
S201, the first communication party generates a random number k1 ∈ [1, n-1], computes the first partial signature W1 = [k1]P2 from k1 and P2, and sends the first partial signature W1 to the second communication party;
S202, the second communication party performs signature preprocessing on the message M to be signed to obtain the message digest e.
CN201811121111.2A 2018-09-21 2018-09-21 Split key signature method and system based on SM2 algorithm Active CN110943826B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811121111.2A CN110943826B (en) 2018-09-21 2018-09-21 Split key signature method and system based on SM2 algorithm


Publications (2)

Publication Number Publication Date
CN110943826A true CN110943826A (en) 2020-03-31
CN110943826B CN110943826B (en) 2022-03-25

Family

ID=69905538


Country Status (1)

Country Link
CN (1) CN110943826B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113158258A (en) * 2021-03-31 2021-07-23 郑州信大捷安信息技术股份有限公司 Collaborative signature method, device and system based on elliptic curve
CN113158258B (en) * 2021-03-31 2022-02-11 郑州信大捷安信息技术股份有限公司 Collaborative signature method, device and system based on elliptic curve
CN114760052A (en) * 2022-03-30 2022-07-15 中国农业银行股份有限公司 Bank Internet of things platform key generation method and device, electronic equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140211938A1 (en) * 2013-01-29 2014-07-31 Certicom Corp. Modified elliptic curve signature algorithm for message recovery
CN104243456A (en) * 2014-08-29 2014-12-24 中国科学院信息工程研究所 Signing and decrypting method and system applied to cloud computing and based on SM2 algorithm
CN107623570A (en) * 2017-11-03 2018-01-23 北京无字天书科技有限公司 A kind of SM2 endorsement methods based on addition Secret splitting
CN107634836A (en) * 2017-09-05 2018-01-26 何德彪 A kind of SM2 digital signature generation method and system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Kaiyu Zhang et al.: "Practical Partial-Nonce-Exposure Attack on ECC Algorithm", 2017 13th International Conference on Computational Intelligence and Security (CIS) *


Also Published As

Publication number Publication date
CN110943826B (en) 2022-03-25


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A Splitting Key Signature Method and System Based on SM2 Algorithm

Granted publication date: 20220325

Pledgee: Bank of Zhengzhou Co.,Ltd. Zhongyuan Science and Technology City Sub branch

Pledgor: ZHENGZHOU XINDA JIEAN INFORMATION TECHNOLOGY Co.,Ltd.

Registration number: Y2024980007004