CN112202562B - RSA key generation method, computer device and medium - Google Patents


Publication number
CN112202562B
Authority
CN
China
Prior art keywords
party
component
random number
private key
current
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011238405.0A
Other languages
Chinese (zh)
Other versions
CN112202562A (en)
Inventor
张永强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shuan Times Technology Co ltd
Original Assignee
Shuan Times Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shuan Times Technology Co ltd
Priority to CN202011238405.0A
Publication of CN112202562A
Application granted
Publication of CN112202562B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/302 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3249 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to an RSA key generation method, a computer device and a medium. The RSA key generation method of one embodiment comprises the following steps: the current party obtains a prime-one current-party component and a prime-two current-party component; shares the Euler function value with the opposite party to obtain a first Euler function component; executes a secure dot product protocol with the opposite party to obtain a third dot product protocol component; determines a first shared parameter component based on the third dot product protocol component, the first selected random number, the first Euler function component, the second selected random number and the public exponent; exchanges the first shared parameter component and the second shared parameter component determined by the opposite party with the opposite party; determines a first integer and a second integer; and then determines a first RSA private key component according to the first integer and the second integer. The scheme of the embodiment improves overall efficiency while meeting the security requirements.

Description

RSA key generation method, computer device and medium
The present application is a divisional of the application filed with the Chinese Patent Office on December 27, 2017, with application number 2017114477448 and entitled "RSA modulus generation method, RSA key generation method, computer device, and medium", the entire contents of which are incorporated herein by reference.
Technical Field
The present invention relates to the field of cryptography, and in particular, to an RSA modulus generation method, an RSA key generation method, a computer device, and a computer storage medium.
Background
RSA distributed key escrow prevents a key escrow organization from misusing rights by storing components of RSA private keys at the escrow platform and the client, respectively, and requiring the client to perform RSA signature generation operations in conjunction with the escrow platform. To secure a private key for distributed escrow, two or more participants are required to generate a private key component by executing a secure multiparty computing protocol during the generation of the private key, without any of the participants being able to obtain the complete RSA private key.
The generation of the RSA private key requires a modulus N, which must be the product of two primes P and Q. How to obtain an N satisfying this condition through a secure computation protocol is therefore a key technology for the distributed generation of RSA private keys. However, current schemes for calculating the modulus N consume a large amount of computing resources, resulting in low efficiency. According to practical tests, an average of 1 hour is required to calculate a set of RSA private keys for a 1024-bit RSA modulus. For a 2048-bit RSA modulus, about 1-2 days are needed to calculate a set of RSA private keys, which obviously has no practical engineering value.
Disclosure of Invention
Based on this, it is necessary to provide an RSA modulus generation method, an RSA key generation method, a computer device, and a computer storage medium.
An RSA modulus generation method, the method comprising:
the current participant generates a first length random number and a second length random number;
the current party and the opposite party execute multiplication-addition protocol processing, and the current party obtains a first addition parameter and a second addition parameter; the first addition parameter and a third addition parameter held by the opposite-end party share the product of the first length random number and the opposite-end first length random number generated by the opposite-end party, and the second addition parameter and a fourth addition parameter held by the opposite-end party share the product of the second length random number and the opposite-end second length random number generated by the opposite-end party;
the current participant determines a first modulus initial component according to the first length random number, the second length random number, the first addition parameter and the second addition parameter;
the current party determines an RSA modulus based on the first modulus initial component and a second modulus initial component held by the opposite party.
An RSA modulus generation method, the method comprising:
The first party generates a length-one first random number and a length-two first random number; the second party generates a length-one second random number and a length-two second random number;
the first party, based on the length-one first random number and the length-two first random number, and the second party, based on the length-one second random number and the length-two second random number, execute multiplication-addition protocol processing; the first party obtains a first addition parameter and a second addition parameter, and the second party obtains a third addition parameter and a fourth addition parameter; the first addition parameter and the third addition parameter share the product of the length-one first random number and the length-one second random number, and the second addition parameter and the fourth addition parameter share the product of the length-two first random number and the length-two second random number;
the first party determines a first modulus initial component according to the length-one first random number, the length-two first random number, the first addition parameter and the second addition parameter; the second party determines a second modulus initial component according to the length-one second random number, the length-two second random number, the third addition parameter and the fourth addition parameter;
the first party and the second party determine an RSA modulus based on the first modulus initial component and the second modulus initial component.
An RSA private key generation method comprises the following steps:
the current party obtains a prime-one current-party component and a prime-two current-party component; the prime-one current-party component and the prime-one opposite-party component obtained by the opposite party share prime one, and the prime-two current-party component and the prime-two opposite-party component obtained by the opposite party share prime two;
the current party shares the Euler function value with the opposite party according to the prime-one current-party component and the prime-two current-party component, and obtains a first Euler function component;
the current party executes a secure dot product protocol with the opposite party based on the selected first selected random number and second selected random number, and obtains a third dot product protocol component;
the current party determines a first shared parameter component based on the third dot product protocol component, the first selected random number, the first Euler function component, the second selected random number and the public exponent;
after the current party exchanges the first shared parameter component and the second shared parameter component determined by the opposite party with the opposite party, the current party determines a first integer and a second integer, wherein the sum of a first product and a second product is a preset integer, the first product being the product of the first integer and the sum of the first shared parameter component and the second shared parameter component, and the second product being the product of the second integer and the public exponent;
the current party determines a first RSA private key component from the first integer and the second integer.
An RSA private key generation method comprises the following steps:
the first party obtains a prime-one first component and a prime-two first component, and the second party obtains a prime-one second component and a prime-two second component; the prime-one first component and the prime-one second component share prime one, and the prime-two first component and the prime-two second component share prime two;
the first party and the second party share the Euler function value according to the prime-one first component, the prime-two first component, the prime-one second component and the prime-two second component; the first party obtains a first Euler function component, and the second party obtains a second Euler function component;
based on the first selected random number and the second selected random number selected by the first party, and the third selected random number and the fourth selected random number selected by the second party, the first party and the second party execute a secure dot product protocol; the first party obtains a third dot product protocol component, and the second party obtains a fourth dot product protocol component;
the first party determines a first shared parameter component based on the third dot product protocol component, the first selected random number, the first Euler function component, the second selected random number and the public exponent; the second party determines a second shared parameter component based on the third dot product protocol component, the third selected random number, the second Euler function component, the fourth selected random number and the public exponent;
after the first party and the second party exchange the first shared parameter component and the second shared parameter component, they determine a first integer and a second integer, wherein the sum of a first product and a second product is a preset integer, the first product being the product of the first integer and the sum of the first shared parameter component and the second shared parameter component, and the second product being the product of the second integer and the public exponent;
the first party determines a first RSA private key component according to the first integer, the second selected random number and the second integer, and the second party determines a second RSA private key component according to the first integer and the fourth selected random number.
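The two-party private key steps listed above can be traced numerically. The following Python sketch is an added example, not code from the patent: the text names the inputs of each step but not the formulas, so the Euler function shares, the dot product inputs, the combination into shared parameter components and the preset integer 1 are assumptions chosen so that the listed inputs and outputs line up, and the secure dot product is replaced by a local stand-in. The Mersenne primes used as sample input are constructed for the demonstration.

```python
import secrets

E = 65537                      # public exponent (assumed value)
DEMO_P = 2**31 - 1             # constructed sample primes (Mersenne primes),
DEMO_Q = 2**61 - 1             # far too small for real keys


def split(value, bits):
    """Additively split `value` into two integer shares."""
    s = secrets.randbits(bits)
    return s, value - s


def dot_product_standin(vec_a, vec_b, bits):
    """Return shares (u3, u4) of the dot product of vec_a and vec_b.

    Stand-in only: it sees both vectors. A secure dot product protocol
    hands each party its share without revealing the other's vector.
    """
    return split(sum(x * y for x, y in zip(vec_a, vec_b)), bits)


def ext_gcd(x, y):
    """Return (g, a, b) with a*x + b*y == g == gcd(x, y)."""
    a0, b0, a1, b1 = 1, 0, 0, 1
    while y:
        q = x // y
        x, y = y, x - q * y
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return x, a0, b0


def generate_key_shares(p1, q1, p2, q2, e=E, bits=128):
    """p1+p2 = prime one, q1+q2 = prime two; returns (N, d1, d2)."""
    N = (p1 + p2) * (q1 + q2)           # public, from modulus generation
    # Assumed Euler function sharing: phi = N + 1 - P - Q = phi1 + phi2.
    phi1, phi2 = N + 1 - p1 - q1, -p2 - q2
    while True:
        lam1, r1 = secrets.randbits(bits), secrets.randbits(bits)  # 1st, 2nd selected
        lam2, r2 = secrets.randbits(bits), secrets.randbits(bits)  # 3rd, 4th selected
        # Cross terms lam1*phi2 + phi1*lam2, held as two additive shares.
        u3, u4 = dot_product_standin((lam1, phi1), (phi2, lam2), 2 * bits)
        s1 = u3 + lam1 * phi1 + r1 * e  # first shared parameter component
        s2 = u4 + lam2 * phi2 + r2 * e  # second shared parameter component
        # After the exchange both sides know s1 + s2 = lam*phi + r*e.
        g, a, b = ext_gcd(s1 + s2, e)   # a*(s1+s2) + b*e == 1 when g == 1
        if g == 1:
            break                       # otherwise draw fresh random numbers
    # e*(d1+d2) = 1 - a*lam*phi, so d1 + d2 inverts e modulo phi.
    return N, a * r1 + b, a * r2


def pow_signed(base, exp, mod):
    """base**exp mod `mod`, accepting a negative key share as exponent."""
    if exp < 0:
        g, inv, _ = ext_gcd(base % mod, mod)
        if g != 1:
            raise ValueError("base is not invertible modulo N")
        base, exp = inv % mod, -exp
    return pow(base, exp, mod)


def joint_sign(m, d1, d2, N):
    """Each party exponentiates with its own share; the results multiply."""
    return pow_signed(m, d1, N) * pow_signed(m, d2, N) % N


if __name__ == "__main__":
    p1, p2 = split(DEMO_P, 30)
    q1, q2 = split(DEMO_Q, 60)
    N, d1, d2 = generate_key_shares(p1, q1, p2, q2)
    sig = joint_sign(42, d1, d2, N)
    print("signature verifies:", pow(sig, E, N) == 42)
```

Neither key share is reduced modulo the Euler function value, because no party knows it; the shares are plain integers and may be negative.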
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the above method when the program is executed.
A computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the above method.
According to the scheme of the embodiment, generation of the RSA modulus and the RSA key is completed by introducing shorter random numbers and then processing them to obtain several longer random numbers. This takes the limited computing resources of the client into account to a certain extent, and overall efficiency is improved while meeting a certain level of security.
Drawings
FIG. 1 is a schematic illustration of an application environment of the present embodiment;
FIG. 2 is a flow diagram of an RSA modulus generation method in one embodiment;
FIG. 3 is a flow chart of an RSA modulus generation method in another embodiment;
FIG. 4 is a schematic diagram of an interactive flow for generating RSA moduli in one specific example;
FIG. 5 is a flow chart of an RSA key generation method according to one embodiment;
FIG. 6 is a flow chart of an RSA key generation method according to another embodiment;
FIG. 7 is a schematic diagram of an interaction flow for generating RSA private keys in one specific example;
FIG. 8 is a schematic diagram of the internal architecture of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
Fig. 1 is an application environment diagram of an RSA modulus and RSA key generation method in one embodiment. Referring to Fig. 1, the method involves two devices, namely device 101 and device 102. In some embodiments, the device 102 may also be a server, thereby enabling the collaborative generation of RSA moduli or RSA keys between a terminal and a server. The devices 101, 102 may be, in particular, desktop terminals, mobile terminals, and other devices that may or may not cooperate to generate RSA moduli or RSA keys. Where the device 102 is a server, it may be a stand-alone server or a server cluster of multiple servers.
Fig. 2 shows a schematic diagram of an RSA modulus generation method in an embodiment, described by taking the processing of one device (device 101 or device 102) in Fig. 1 as an example.
As shown in fig. 2, the RSA modulus generation method in this embodiment includes steps S201 to S204.
Step S201: the current party generates a first length random number and a second length random number.
The current party may generate the first length random number and the second length random number in any possible way. In one embodiment, the current party may generate the first length random number and the second length random number based on a common parameter agreed with the opposite party. The common parameter can be agreed in different ways based on actual technical requirements. In a specific example, the common parameter can be k, and after determining the common parameter, the product of the smallest prime numbers of the common parameter can be calculated, such as
The first length random number and the second length random number may be generated in any possible manner. In a specific example, the first length is denoted as n bits and the second length is denoted as m bits; a random number p ≡ 0 mod (4M) with a length of n bits (the first length random number) and a random number q ≡ 3 mod 4 with a length of m bits (the second length random number) may then be generated. In other embodiments, other ways of generating the first length random number and the second length random number based on the common parameter may be used.
Step S202: the current party and the opposite party execute multiplication-addition protocol processing, and the current party obtains a first addition parameter and a second addition parameter.
The multiplication-addition protocol processing may be performed in any possible manner. In one particular example, the Mult-To-Sum protocol (which may be implemented based on hybrid multiplicative homomorphic encryption or on an oblivious transfer (OT) protocol) may be performed twice to complete the multiplication-addition protocol processing.
In one example, the multiplication-addition protocol processing may be accomplished based on the following principle: the first addition parameter and the third addition parameter held by the opposite party share the product of the first length random number and the opposite-end first length random number generated by the opposite party, and the second addition parameter and the fourth addition parameter held by the opposite party share the product of the second length random number and the opposite-end second length random number generated by the opposite party. For example, the sum of the first addition parameter and the third addition parameter held by the opposite party is the product of the first length random number and the opposite-end first length random number generated by the opposite party, and the sum of the second addition parameter and the fourth addition parameter held by the opposite party is the product of the second length random number and the opposite-end second length random number generated by the opposite party.
Step S203: the current party determines a first modulus initial component according to the first length random number, the second length random number, the first addition parameter and the second addition parameter.
In one example, the current party may determine the first modulus initial component as follows: the product of the first length random number and the second length random number is summed with the first addition parameter and the second addition parameter to determine the first modulus initial component.
Step S204: the current party determines an RSA modulus based on the first modulus initial component and a second modulus initial component held by the opposite party.
The current party may determine the RSA modulus based on the first modulus initial component and the second modulus initial component held by the opposite party in different ways, based on different considerations.
In one particular example, the manner in which the current party determines the RSA modulus based on the first modulus initial component and the second modulus initial component held by the opposite party may include:
the current party exchanges a first modulus initial component and a second modulus initial component held by the opposite party with the opposite party; the current party determines an RSA modulus from the first modulus initial component and the second modulus initial component. In particular, the RSA modulus may be a sum of the first modulus initial component and the second modulus initial component.
In another specific example, the above manner may be further extended, that is, the current party determines the RSA modulus based on the first modulus initial component and the second modulus initial component held by the opposite party, which may be performed in the following manner:
the current party generates a third length random number such that the sum of the second length random number and the third length random number is an odd number, an odd number congruent to 3 modulo 4, a prime number, or a Blum prime number (a prime number congruent to 3 modulo 4). Because the third length random number makes this sum an odd number, an odd number congruent to 3 modulo 4, a prime number or a Blum prime number, the probability that the sum of the second length random number, the third length random number and the opposite-end first length random number generated by the opposite party is a prime number is greatly increased, which further improves processing efficiency. The third length random number may be generated in any possible manner. In one particular example, with the second length random number denoted as Q_a and the third length denoted as q bits, a random number x ≡ 0 mod (4M) with a length of q bits (the third length random number) can be generated; or a third length random number x with a length of q bits can be generated such that Q_a + x = 3 mod 4. In other embodiments, the third length random number may be generated in other ways, as long as the sum of the second length random number and the third length random number is an odd number, an odd number congruent to 3 modulo 4, a prime number, or a Blum prime number.
The current participant uses the second length random number and the third length random number as input parameters, and executes a secure dot product protocol with the opposite-end participant to obtain a first dot product protocol component; the specific process of executing the secure dot product protocol may be performed in any possible manner;
the current participant determines a first intermediate component according to the first modulus initial component, the first length random number, the third length random number and the first dot product protocol component; in a specific example, the first intermediate component may specifically be a sum of a product of the first length random number and the third length random number and a first modulus initial component and a first dot product protocol component;
the current party exchanges the first intermediate component with the opposite party and the second intermediate component determined by the opposite party, and determines an RSA modulus from the first intermediate component and the second intermediate component. In particular, the RSA modulus may be a sum of the first intermediate component and the second intermediate component.
According to the scheme of the embodiment, the current party generates the third length random number and the RSA modulus is generated incrementally. By reasonably selecting the length of the third length random number of the incremental part, the privacy of the finally obtained prime numbers can be ensured on the one hand, and the limited resources of the client can be accommodated on the other, so that overall efficiency is improved while meeting a certain level of security.
In one embodiment, when the current participant uses the second length random number and the third length random number as input parameters and executes the secure dot product protocol with the opposite-end participant, the following manner may be adopted to obtain the first dot product protocol component:
the current participant randomly generates random parameters; the random parameter can be a specific random number or a random number vector containing the random number, and the number of the random numbers can be 1 or more and is determined based on actual technical requirements;
and the current party constructs a current party dot product input vector according to the second length random number, the third length random number and the random parameter, and executes a secure dot product protocol with the opposite party to obtain a first dot product protocol component.
Therefore, random parameters are introduced in the process of executing the dot product protocol, and the dot product input vector is constructed by combining the introduced random parameters, so that the data transmitted in the interaction process can be obfuscated, which improves the privacy protection of the input parameters and improves security. It will be appreciated that the random parameters introduced during the execution of the secure dot product protocol are eliminated before the final dot product protocol output result (e.g., the first dot product protocol component) is obtained, so as to ensure the accuracy of the output result; the elimination may be performed in any possible way.
In a specific example, after the RSA modulus is determined, it may be further determined whether the RSA modulus meets a modulus trial division condition, and the RSA modulus is discarded when it meets the condition. RSA moduli that do not meet the requirements are thereby filtered out, avoiding wasted time and resources. The modulus trial division condition can be set differently according to actual technical requirements. In one embodiment, the modulus trial division condition may be that the RSA modulus contains a small prime factor, so that small-prime trial division is performed; specifically, the RSA modulus may be discarded when it contains a prime factor less than a preset numerical threshold. The preset numerical threshold may be set according to actual technical needs; for example, it may be set to 2000.
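Steps S201 to S204 in their basic form (the RSA modulus as the sum of the two modulus initial components), followed by the trial division filter with threshold 2000, can be traced with the Python sketch below. It is an added example, not code from the patent. Assumptions: M is taken as the product of the five smallest odd primes because the page's formula for M is missing, the bit lengths are toy values, and the Mult-To-Sum protocol is replaced by a local stand-in that only reproduces its input/output relation.

```python
import secrets
from math import prod

# Assumption: M = product of the k smallest odd primes, k = 5.
M = prod([3, 5, 7, 11, 13])
TRIAL_THRESHOLD = 2000          # example threshold given in the text


def rand_multiple(bits, modulus):
    """Random integer with exactly `bits` bits that is ≡ 0 mod `modulus`."""
    lo = (1 << (bits - 1)) // modulus + 1
    hi = ((1 << bits) - 1) // modulus
    return modulus * (lo + secrets.randbelow(hi - lo + 1))


def rand_3_mod_4(bits):
    """Random integer with exactly `bits` bits that is ≡ 3 mod 4."""
    return (1 << (bits - 1)) | secrets.randbits(bits - 1) | 3


def mult_to_sum_standin(x, y, mask_bits):
    """Return (u, v) with u + v == x * y.

    Stand-in only: both factors are visible here. A real Mult-To-Sum run
    (homomorphic encryption or OT) gives each side its share without
    revealing the other side's factor.
    """
    u = secrets.randbits(mask_bits)
    return u, x * y - u


def primes_below(limit):
    """Sieve of Eratosthenes."""
    sieve = bytearray([1]) * limit
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit, i)))
    return [i for i, flag in enumerate(sieve) if flag]


SMALL_PRIMES = primes_below(TRIAL_THRESHOLD)


def small_factor(n, primes=SMALL_PRIMES):
    """Return a prime factor of n found in `primes`, or None."""
    for p in primes:
        if n % p == 0:
            return p
    return None


def candidate_modulus(n_bits=64, m_bits=16):
    # S201/S301: first party holds P_a, Q_a; second party holds Q_b, P_b.
    P_a, Q_a = rand_multiple(n_bits, 4 * M), rand_3_mod_4(m_bits)
    Q_b, P_b = rand_multiple(n_bits, 4 * M), rand_3_mod_4(m_bits)
    # S202/S302: two Mult-To-Sum runs share the two cross products.
    a1, a3 = mult_to_sum_standin(P_a, Q_b, 2 * n_bits)   # n-bit x n-bit
    a2, a4 = mult_to_sum_standin(Q_a, P_b, 2 * m_bits)   # m-bit x m-bit
    # S203/S303: each party combines only values it holds itself.
    N1 = P_a * Q_a + a1 + a2
    N2 = P_b * Q_b + a3 + a4
    # S204/S304: the exchanged components sum to the modulus.
    # P and Q are returned only so the result can be checked; in the
    # protocol no party ever holds them.
    return {"N": N1 + N2, "N1": N1, "N2": N2,
            "P": P_a + P_b, "Q": Q_a + Q_b}


def generate_until_trial_division_passes(max_tries=10000):
    """Discard candidates that have a prime factor below the threshold."""
    for tries in range(1, max_tries + 1):
        cand = candidate_modulus()
        if small_factor(cand["N"]) is None:
            cand["tries"] = tries
            return cand
    raise RuntimeError("no candidate survived trial division")


if __name__ == "__main__":
    c = generate_until_trial_division_passes()
    print("kept N after", c["tries"], "candidates:", c["N"])
```

A candidate that survives trial division is still only a candidate; the text's subsequent primality test decides whether it is kept.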
In another specific example, after the RSA modulus is determined as described above, or when the RSA modulus does not meet the modulus trial division condition (e.g., does not contain prime factors less than a preset numerical threshold), a primality test may be further performed.
In one implementation, the current party may act as the responding party of the primality test, specifically in the following manner:
the current party receives the opposite party verification parameter sent by the opposite party and determines the current party verification parameter according to the RSA modulus, the first length random number, the second length random number and the third length random number;
when the current party verification parameter and the opposite party verification parameter meet a preset relation, the RSA modulus is taken as the finally determined RSA modulus.
On the other hand, if the current party verification parameter and the opposite party verification parameter do not meet the preset relation, the process may return to the step of generating the third length random number so as to regenerate a new RSA modulus.
In another implementation, the current party may also act as the initiator of the primality test, specifically in the following manner:
the current party determines a current party verification parameter based on the second length random number, the third length random number, the first length random number and the RSA modulus, and sends the current party verification parameter to the opposite party; the current party verification parameter is used to instruct the opposite party, after it determines the opposite party verification parameter, to take the RSA modulus as the finally determined RSA modulus when the current party verification parameter and the opposite party verification parameter meet a preset relation.
Fig. 3 shows a flow diagram of an RSA modulus generation method in another embodiment, which is described by taking as an example the processing procedure of two parties involved in the RSA modulus generation procedure. As shown in fig. 3, the RSA modulus generation method in this embodiment includes steps S301 to S304 as follows.
Step S301: the first party generates a first length random number (to distinguish it from the first length random number generated by the second party, it is referred to in this embodiment and the following embodiments as the length-one first random number) and a second length random number (for ease of distinction, referred to in this embodiment and the following embodiments as the length-two first random number); the second party generates a first length random number (for ease of distinction, referred to in this embodiment and the following embodiments as the length-one second random number) and a second length random number (for ease of distinction, referred to in this embodiment and the following embodiments as the length-two second random number).
The length-one first random number, the length-two first random number, the length-one second random number and the length-two second random number may be generated in any possible manner. The first party may generate the length-one first random number and the length-two first random number based on a common parameter agreed with the second party, and the second party may generate the length-one second random number and the length-two second random number based on the common parameter. The common parameter can be agreed in different ways based on actual technical requirements. In a specific example, the common parameter can be k, and after determining the common parameter, the product of the smallest prime numbers of the common parameter can be calculated, such as
In one specific example, the first length is denoted as n bits and the second length is denoted as m bits. The first party generates a length-one first random number P_a ≡ 0 mod (4M) with a length of n bits and a length-two first random number Q_a ≡ 3 mod 4 with a length of m bits. The second party generates a length-one second random number Q_b ≡ 0 mod (4M) with a length of n bits and a length-two second random number P_b ≡ 3 mod 4 with a length of m bits.
Step S302: the first party and the second party execute multiplication-addition protocol processing, the first party obtains a first addition parameter and a second addition parameter, and the second party obtains a third addition parameter and a fourth addition parameter.
The multiplication-addition protocol processing may be performed in any possible manner. In one particular example, the Mult-To-Sum protocol (which may be implemented based on hybrid multiplicative homomorphic encryption or an oblivious transfer (OT) protocol) may be performed twice to complete the multiplication-addition protocol processing.
In one example, the multiplication-addition protocol processing may be based on the following principle: the first addition parameter and the third addition parameter share the product of the length-one first random number and the length-one second random number, and the second addition parameter and the fourth addition parameter share the product of the length-two first random number and the length-two second random number. For example, the sum of the first addition parameter and the third addition parameter is the product of the length-one first random number and the length-one second random number, and the sum of the second addition parameter and the fourth addition parameter is the product of the length-two first random number and the length-two second random number.
Step S303: the first party determines a first modulus initial component according to the length-one first random number, the length-two first random number, the first addition parameter and the second addition parameter; the second party determines a second modulus initial component according to the length-one second random number, the length-two second random number, the third addition parameter and the fourth addition parameter.
In one example, the first party may determine the first modulus initial component as follows: the product of the length-one first random number and the length-two first random number is summed with the first addition parameter and the second addition parameter to obtain the first modulus initial component.
In one example, the second party may determine the second modulus initial component as follows: the product of the length-one second random number and the length-two second random number is summed with the third addition parameter and the fourth addition parameter to obtain the second modulus initial component.
Step S304: the first party and the second party determine an RSA modulus based on the first modulus initial component and the second modulus initial component.
When determining the RSA modulus based on the first modulus initial component and the second modulus initial component held by the opposite party, it may be performed in different ways based on different considerations.
In one particular example, the manner in which the first and second parties determine the RSA modulus based on the first modulus initial component and the second modulus initial component may include:
the first party exchanges the first modulus initial component and the second modulus initial component with the second party;
the first party or the second party determines an RSA modulus from the first modulus initial component and the second modulus initial component. In particular, the RSA modulus may be a sum of the first modulus initial component and the second modulus initial component.
In another specific example, the above manner may be further extended, that is, the manner in which the first and second parties determine the RSA modulus based on the first modulus initial component and the second modulus initial component may include:
the first party generates a random number of a third length (referred to in this embodiment and the examples below as the length-three first random number) such that the sum of the length-two first random number and the length-three first random number is an odd number, an odd number congruent to 3 modulo 4, a prime number or a Blum prime number. Because the length-three first random number makes this sum odd, congruent to 3 modulo 4, prime or Blum prime, the probability that the sum of the length-two first random number, the length-three first random number and the length-one second random number generated by the second party is prime is greatly increased, which further improves processing efficiency. In a specific example, the third length is denoted as q bits, and a length-three first random number $x \equiv 0 \pmod{4M}$ of q bits can be generated; or a length-three first random number x of q bits can be generated such that $Q_a + x = 3 \bmod 4$. In other embodiments, the length-three first random number may be generated in other manners, as long as the sum of the length-two first random number and the length-three first random number is an odd number, an odd number congruent to 3 modulo 4, a prime number or a Blum prime number.
The second party generates a random number of the third length (referred to in this embodiment and the examples below as the length-three second random number) such that the sum of the length-two second random number and the length-three second random number is an odd number, an odd number congruent to 3 modulo 4, a prime number or a Blum prime number. Because the length-three second random number makes this sum odd, congruent to 3 modulo 4, prime or Blum prime, the probability that the sum of the length-two second random number, the length-three second random number and the length-one first random number generated by the first party is prime is greatly increased, which further improves processing efficiency. In a specific example, the third length is denoted as q bits, and a length-three second random number $y \equiv 0 \pmod{4M}$ of q bits can be generated; or a length-three second random number y of q bits can be generated such that $Q_b + y = 3 \bmod 4$. In other embodiments, the length-three second random number may be generated in other manners, as long as the sum of the length-two second random number and the length-three second random number is an odd number, an odd number congruent to 3 modulo 4, a prime number or a Blum prime number.
The first party uses the length-two first random number and the length-three first random number as input parameters, the second party uses the length-two second random number and the length-three second random number as input parameters, and the first party and the second party execute a secure dot product protocol; the first party obtains a first dot product protocol component, and the second party obtains a second dot product protocol component. The secure dot product protocol may be executed in any possible manner.
The first party determines a first intermediate component according to the first modulus initial component, the length-one first random number, the length-three first random number and the first dot product protocol component; the second party determines a second intermediate component according to the second modulus initial component, the length-one second random number, the length-three second random number and the second dot product protocol component. In a specific example, the first intermediate component may be the sum of the product of the length-one first random number and the length-three first random number, the first modulus initial component and the first dot product protocol component; the second intermediate component may be the sum of the product of the length-one second random number and the length-three second random number, the second modulus initial component and the second dot product protocol component;
The first party exchanges the first intermediate component and the second intermediate component with the second party and determines an RSA modulus from the first intermediate component and the second intermediate component. In particular, the RSA modulus may be a sum of the first intermediate component and the second intermediate component.
In one embodiment, when the first party uses the length-two first random number and the length-three first random number as input parameters, the second party uses the length-two second random number and the length-three second random number as input parameters, and the two parties execute the secure dot product protocol so that the first party obtains the first dot product protocol component and the second party obtains the second dot product protocol component, the following method can be adopted:
the first party randomly generates a first random parameter, and the second party randomly generates a second random parameter; the first random parameter and the second random parameter can be specific random numbers or random number vectors containing random numbers, and the number of the random numbers can be 1 or more and is determined based on actual technical requirements;
the first party constructs a first-party dot product input vector according to the length-two first random number, the length-three first random number and the first random parameter, and the second party constructs a second-party dot product input vector according to the length-two second random number, the length-three second random number and the second random parameter;
The first party, based on the first-party dot product input vector, and the second party, based on the second-party dot product input vector, execute the secure dot product protocol with each other; the first party obtains a first dot product protocol component and the second party obtains a second dot product protocol component.
Therefore, random parameters are introduced while the dot product protocol is executed, and the dot product input vectors are constructed in combination with these random parameters, so that the data transmitted during the interaction is obfuscated, which improves the privacy protection of the input parameters and improves security. It will be appreciated that the random parameters introduced during the execution of the secure dot product protocol are eliminated before the final dot product protocol output (e.g., the first dot product protocol component and the second dot product protocol component) is obtained, so as to ensure the accuracy of the output; the elimination may be done in any possible way.
In a specific example, after the RSA modulus is determined, it may be further determined whether the RSA modulus meets a modulus trial division condition, and the RSA modulus is discarded when it meets that condition. RSA moduli that do not meet the requirements are thereby filtered out, which avoids wasting time and resources. The modulus trial division condition can be set differently according to the actual technical requirements. In one embodiment, the modulus trial division condition may be that the RSA modulus contains a small prime factor, so that a small-prime trial division is performed. Specifically, the first party or the second party discards the RSA modulus when the RSA modulus contains a prime factor smaller than a preset numerical threshold. The preset numerical threshold may be set according to actual technical needs; for example, it may be set to 2000.
In another specific example, after the RSA modulus is determined as described above, or when the RSA modulus does not contain prime factors smaller than the preset numerical threshold, a further primality test may be performed. In one implementation, the second party is the initiator of the primality test and the first party is the initiated party of the primality test; specifically, the following method can be adopted:
the second party determines a second verification parameter based on the length-two second random number, the length-three second random number, the length-one second random number and the RSA modulus, and sends the second verification parameter to the first party;
the first party receives the second verification parameter and determines the first verification parameter according to the RSA modulus, the length-one first random number, the length-two first random number and the length-three first random number;
and the first party takes the RSA modulus as the finally determined RSA modulus when the first verification parameter and the second verification parameter meet the preset relationship. The preset relationship may be set according to specific technical needs.
If the first verification parameter and the second verification parameter do not meet the preset relationship, the process can jump back to the step of generating the length-three first random number and the length-three second random number, and a new RSA modulus is regenerated.
It will be appreciated that, in another implementation, the first party is the initiator of the primality test and the second party is the initiated party of the primality test; specifically, the following method may be adopted:
the first party determines a first verification parameter based on the length-one first random number, the length-two first random number, the length-three first random number and the RSA modulus, and sends the first verification parameter to the second party;
the second party receives the first verification parameter and determines the second verification parameter according to the length-two second random number, the length-three second random number, the length-one second random number and the RSA modulus;
and the second party takes the RSA modulus as the finally determined RSA modulus when the first verification parameter and the second verification parameter meet the preset relation.
Based on the RSA modulus generation method described above, the following illustrates one specific example, and fig. 4 shows a schematic diagram of the interaction flow of RSA modulus generation in this specific example. In this specific example, the first party is Alice, the second party is Bob, the first length is denoted n, the second length is denoted m, the third length is denoted q, and the random numbers are generated based on an agreed common parameter.
Alice and Bob agree on a common parameter k and calculate the product of the k smallest prime numbers:
Alice then generates an n-bit random number (the length-one first random number) $P_a \equiv 0 \pmod{4M}$ and an m-bit random number (the length-two first random number) $Q_a \equiv 3 \pmod 4$.
Bob generates an n-bit random number (the length-one second random number) $Q_b \equiv 0 \pmod{4M}$ and an m-bit random number (the length-two second random number) $P_b \equiv 3 \pmod 4$. In a specific example, the first length may be 1024 bits and the second length may be 128 bits.
Subsequently, Alice and Bob perform the Mult-To-Sum protocol twice (which may be implemented based on hybrid multiplicative homomorphic encryption or an oblivious transfer (OT) protocol). Alice obtains a first addition parameter $a_1$ and a second addition parameter $a_2$, and Bob obtains a third addition parameter $b_1$ and a fourth addition parameter $b_2$, which satisfy the following relationship:
the sum of the first addition parameter and the third addition parameter is the product of the length-one first random number $P_a$ and the length-one second random number, i.e. $a_1 + b_1 = P_a Q_b$; the sum of the second addition parameter and the fourth addition parameter is the product of the length-two first random number $Q_a$ and the length-two second random number, i.e. $a_2 + b_2 = P_b Q_a$.
Subsequently, Alice determines a first modulus initial component $N_a$ according to the length-one first random number $P_a$, the length-two first random number $Q_a$, the first addition parameter $a_1$ and the second addition parameter $a_2$. The first modulus initial component $N_a$ is obtained by summing the product of the length-one first random number $P_a$ and the length-two first random number $Q_a$ with the first addition parameter $a_1$ and the second addition parameter $a_2$: $N_a = P_a Q_a + a_1 + a_2$.
Bob determines a second modulus initial component $N_b$ according to the length-one second random number $Q_b$, the length-two second random number $P_b$, the third addition parameter $b_1$ and the fourth addition parameter $b_2$. The second modulus initial component $N_b$ is obtained by summing the product of the length-one second random number $Q_b$ and the length-two second random number $P_b$ with the third addition parameter $b_1$ and the fourth addition parameter $b_2$: $N_b = P_b Q_b + b_1 + b_2$.
Subsequently, Alice generates a random number of the third length (the length-three first random number) $x \equiv 0 \pmod 4$ such that the sum of the length-two first random number $Q_a$ and the length-three first random number x is prime;
correspondingly, Bob generates a random number of the third length (the length-three second random number) $y \equiv 0 \pmod 4$ such that the sum of the length-two second random number $P_b$ and the length-three second random number y is prime. In one specific example, the third length may be 128 bits.
Thus, both Alice and Bob can agree that:
$$N' = [P_a + (P_b + y)]\,[(Q_a + x) + Q_b] = (N_a + xP_a) + (N_b + yQ_b) + (xP_b + yQ_a + xy)$$
In the above agreed formula, Alice can independently calculate the first term $N_a + xP_a$, Bob can independently calculate the second term $N_b + yQ_b$, and the third term $xP_b + yQ_a + xy$ can be seen as the dot product of two 3-element vectors.
Thus, Alice and Bob may execute a secure dot product protocol in which Alice inputs her vector and Bob inputs his vector. After the secure dot product protocol has been executed, Alice obtains a first dot product protocol component $S_a$ and Bob obtains a second dot product protocol component $S_b$, which satisfy: $S_a + S_b = xP_b + yQ_a + xy$.
The specific process of executing the secure dot product protocol may be performed in any possible manner, and in one embodiment the process of executing the secure dot product protocol may be as follows:
the first party Alice obtains a first input vector and constructs a first N-order matrix and a second N-order matrix according to the first input vector; the second party Bob obtains a second input vector and constructs a third N-order matrix and a fourth N-order matrix according to the second input vector; the first input vector and the second input vector may contain only the input parameters, or may contain the input parameters together with randomly generated random parameters that obfuscate the data sent during the interaction, thereby improving the privacy protection of the input parameters and improving security;
Alice and Bob perform matrix sharing interaction processing, Alice obtains a first-party shared matrix component and Bob obtains a second-party shared matrix component; the first-party shared matrix component and the second-party shared matrix component share a dot product protocol shared matrix, which is the sum of the product of the first N-order matrix and the third N-order matrix and the product of the second N-order matrix and the fourth N-order matrix;
Alice determines the element values of the designated main diagonal elements of the first-party shared matrix component as the dot product protocol component result of the first party; Bob determines the element values of the designated main diagonal elements of the second-party shared matrix component as the dot product protocol component result of the second party.
The following is a detailed illustration in conjunction with one specific example. It will be appreciated that in other examples, the dot product protocol process may be accomplished in other ways.
In this particular example, Alice inputs 3 sets of vectors and Bob inputs 3 sets of vectors. Additive shares of the 3 dot product results are finally output, so that Alice obtains $S_a[i]$ and Bob obtains $S_b[i]$, which satisfy the relationship $S_a[i] + S_b[i] = x_i P_b + y_i Q_a + x_i y_i$.
The specific dot product protocol process may be as follows.
Alice generates a random fourth-order invertible matrix P and calculates its inverse matrix $P^{-1}$; Bob generates a random fourth-order invertible matrix Q and calculates its inverse matrix $Q^{-1}$. Alice selects a random fourth-order matrix $D_1$, and Bob selects a random fourth-order matrix $D_2$.
Alice generates random numbers $Q_a[0]$ to $Q_a[5]$, $x_1[0]$, $x_1[1]$, $x_2[0]$, $x_2[1]$, $x_3[0]$, $x_3[1]$, which satisfy the relationships: $Q_a[0] + Q_a[1] = Q_a$, $Q_a[2] + Q_a[3] = Q_a$, $Q_a[4] + Q_a[5] = Q_a$, $x_1[0] + x_1[1] = x_1$, $x_2[0] + x_2[1] = x_2$, $x_3[0] + x_3[1] = x_3$.
Bob generates random numbers $P_b[0]$ to $P_b[5]$, $y_1[0]$, $y_1[1]$, $y_2[0]$, $y_2[1]$, $y_3[0]$, $y_3[1]$, which satisfy the relationships: $P_b[0] + P_b[1] = P_b$, $P_b[2] + P_b[3] = P_b$, $P_b[4] + P_b[5] = P_b$, $y_1[0] + y_1[1] = y_1$, $y_2[0] + y_2[1] = y_2$, $y_3[0] + y_3[1] = y_3$.
Alice generates random numbers $\mu_1$ to $\mu_8$ and then constructs a first matrix $A_1$ and a second matrix $A_2$.
Bob generates random numbers $\lambda_1$ to $\lambda_8$ and then constructs a third matrix $B_1$ and a fourth matrix $B_2$.
The first round of interaction may then begin to be performed.
Alice uses the invertible matrix P, the random matrix $D_1$ and the first matrix $A_1$ to determine a first matrix intermediate component, which comprises: the first product result $P \times A_1$ of the invertible matrix P and the first matrix $A_1$, and the second product result $P \times D_1$ of the invertible matrix P and the random matrix $D_1$. Alice then sends the first matrix intermediate component, $P \times A_1$ and $P \times D_1$, to Bob.
Bob receives the first matrix intermediate component and then determines the second interaction result component XB from the first matrix intermediate component ($P \times A_1$ and $P \times D_1$) and the third matrix $B_1$, which may be calculated using the following formula:
$$XB = (P \times A_1) \times B_1 + (P \times D_1) = P \times (A_1 \times B_1 + D_1)$$
In the second round of interaction, Bob uses the invertible matrix Q, the random matrix $D_2$ and the fourth matrix $B_2$ to determine a second matrix intermediate component, which comprises: the third product result $Q \times B_2$ of the invertible matrix Q and the fourth matrix $B_2$, and the fourth product result $Q \times D_2$ of the invertible matrix Q and the random matrix $D_2$. Bob then sends the second matrix intermediate component, $Q \times B_2$ and $Q \times D_2$, to Alice.
After Alice receives the second matrix intermediate component, she determines the first interaction result component XA from the second matrix intermediate component ($Q \times B_2$ and $Q \times D_2$) and the second matrix $A_2$, which may be calculated using the following formula:
$$XA = (Q \times B_2) \times A_2 + (Q \times D_2) = Q \times (B_2 \times A_2 + D_2)$$
After the two rounds of interaction are completed, the subsequent dot product calculation can be performed. It can be appreciated that Alice and Bob can exchange the first matrix intermediate component and the second matrix intermediate component simultaneously, so as to reduce the number of interactions and improve processing efficiency.
In the dot product calculation process, the following value setting is performed:
alice getsBob takes->
Alice and Bob agree on a set of parameters $c_{ij}$, which are the coefficients of an independent system of linear equations (e.g. all $c_{ij}$ are small primes); based on these parameters $c_{ij}$, a coefficient matrix C can be constructed.
Subsequently, Alice determines a first initial matrix component U according to the coefficient matrix C, the first interaction result component XA and the invertible matrix P, which may be calculated using the following formula: $U = (P^{-1})^T + C \times XA$.
After Alice obtains the first initial matrix component U, she sends it to Bob. In a specific example, Alice may send U to Bob with the rightmost column of U set entirely to zero. In this embodiment, Alice sets the rightmost column of U entirely to zero and sends it to Bob.
Bob determines a second initial matrix component V according to the coefficient matrix C, the second interaction result component XB and the invertible matrix Q, which may be calculated using the following formula: $V = (Q^{-1})^T - C^T \times XB$.
After Bob obtains the second initial matrix component V, he sends it to Alice. In a specific example, Bob may send V to Alice with the rightmost column of V set entirely to zero. In this embodiment, Bob sets the rightmost column of V entirely to zero and sends it to Alice. It can be appreciated that Alice and Bob may exchange the first initial matrix component U and the second initial matrix component V simultaneously, so as to reduce the number of interactions and improve processing efficiency.
After Alice receives the second initial matrix component V sent by Bob, she determines her shared matrix component $S_a$ according to the first interaction result component XA, the second initial matrix component V and the random matrix $D_1$, which can be calculated using the following formula:
After Bob receives the first initial matrix component U, he determines his shared matrix component $S_b$ according to the second interaction result component XB, the first initial matrix component U and the random matrix $D_2$, which can be calculated in the following manner:
Based on the shared matrix component $S_a$ determined by Alice and the shared matrix component $S_b$ determined by Bob, it can be determined that Alice and Bob share a matrix:
Thus, Alice and Bob only need to select 3 elements of the main diagonal of the shared matrix component each of them holds, which are respectively the additive shares of the dot product results of the 32 groups of input vectors:
$$S_a[i] + S_b[i] = x_i P_b + y_i Q_a + x_i y_i$$
The dot product calculation protocol shown in this example is constructed from matrix multiplication operations and can compute dot product results efficiently. By decomposing the fixed input variables $P_b$ and $Q_a$ into random numbers, the input matrices contain a certain number of independent variables, so that the whole scheme can meet the security condition that the number of independent variables is greater than the number of public processes.
It will be appreciated that, in this example, only the processing procedure of one dot product protocol is described as an example, and in other embodiments, other dot product protocol processing methods may be used to complete the dot product protocol processing, which is not limited by the embodiment scheme.
After the processing procedure based on the dot product protocol, Alice obtains her dot product protocol component $S_a$ (it will be appreciated that this component is in fact the element value $S_a[i]$ in the matrix described above), and Bob obtains his dot product protocol component $S_b$ (it will be appreciated that this component is in fact the element value $S_b[i]$ in the matrix described above).
Alice then determines a first intermediate component $N'_a$ according to the first modulus initial component $N_a$, the length-one first random number $P_a$, the length-three first random number x and the first dot product protocol component $S_a$. The first intermediate component $N'_a$ can be determined using the following formula:
$$N'_a = N_a + xP_a + S_a$$
Bob determines a second intermediate component $N'_b$ according to the second modulus initial component $N_b$, the length-one second random number $Q_b$, the length-three second random number y and the second dot product protocol component $S_b$, which can be calculated using the following formula:
$$N'_b = N_b + yQ_b + S_b$$
Subsequently, Alice and Bob exchange the first intermediate component $N'_a$ and the second intermediate component $N'_b$, and either party may determine the RSA modulus $N'$ based on the first intermediate component $N'_a$ and the second intermediate component $N'_b$:
$$N' = N'_a + N'_b = (P + y)(Q + x)$$
where $P = P_a + P_b$ and $Q = Q_a + Q_b$; Alice and Bob share the prime numbers $P + y$ and $Q + x$.
After the RSA modulus is obtained, small prime trial division can be further performed to filter out RSA moduli which do not meet the requirements. Specifically, alice or Bob discards the RSA modulus when the RSA modulus contains prime factors less than a predetermined numerical threshold. The preset value threshold may be set in accordance with the actual technical needs, for example, may be set to 2000.
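The share arithmetic of this example, from step S301 through the small-prime trial division, as an added Python example that is not part of the patent. The Mult-To-Sum and secure dot product steps are replaced by a hypothetical `ideal_share` stand-in that sees both inputs (so it checks the algebra, not privacy), and the bit lengths 96/24/24 and k = 10 are assumed small values chosen so that it runs quickly.

```python
import secrets
from math import prod


def small_primes(limit):
    """All primes below `limit` (sieve of Eratosthenes)."""
    sieve = bytearray([1]) * limit
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit, i)))
    return [i for i, is_p in enumerate(sieve) if is_p]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; each party runs it locally on a sum only it knows."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        w = pow(secrets.randbelow(n - 3) + 2, d, n)
        if w in (1, n - 1):
            continue
        for _ in range(s - 1):
            w = pow(w, 2, n)
            if w == n - 1:
                break
        else:
            return False
    return True


def rand_congruent(bits, residue, modulus):
    """Random integer of exactly `bits` bits with value = residue (mod modulus)."""
    lo, hi = 1 << (bits - 1), 1 << bits
    while True:
        v = lo + secrets.randbelow(hi - lo)
        v -= (v - residue) % modulus          # round down onto the residue class
        if v >= lo:
            return v


def ideal_share(value):
    """ASSUMED stand-in for Mult-To-Sum / the secure dot product: splits a value
    into additive shares. It sees both parties' inputs, so it is NOT private."""
    a = secrets.randbits(value.bit_length() + 64)
    return a, value - a


def pick_increment(base, q):
    """q-bit increment = 0 (mod 4) such that base + increment is prime."""
    while True:
        inc = rand_congruent(q, 0, 4)
        if is_probable_prime(base + inc):
            return inc


def generate_modulus(n=96, m=24, q=24, k=10, threshold=2000):
    primes = small_primes(threshold)
    M = prod(primes[:k])                      # product of the k smallest primes
    # S301: Alice holds P_a, Q_a; Bob holds Q_b, P_b.
    P_a, Q_a = rand_congruent(n, 0, 4 * M), rand_congruent(m, 3, 4)
    Q_b, P_b = rand_congruent(n, 0, 4 * M), rand_congruent(m, 3, 4)
    # S302: a1 + b1 = P_a*Q_b and a2 + b2 = P_b*Q_a.
    a1, b1 = ideal_share(P_a * Q_b)
    a2, b2 = ideal_share(P_b * Q_a)
    # S303: modulus initial components.
    N_a = P_a * Q_a + a1 + a2
    N_b = P_b * Q_b + b1 + b2
    attempts = 0
    while True:                               # retry only the increments x, y
        attempts += 1
        x = pick_increment(Q_a, q)            # Alice: Q_a + x is prime
        y = pick_increment(P_b, q)            # Bob:   P_b + y is prime
        S_a, S_b = ideal_share(x * P_b + y * Q_a + x * y)
        N1 = (N_a + x * P_a + S_a) + (N_b + y * Q_b + S_b)   # N'_a + N'_b
        if all(N1 % p for p in primes):       # small-prime trial division
            break
    # The factors are returned for checking only; no single party ever holds them.
    return {"N": N1, "p": P_a + P_b + y, "q": Q_a + Q_b + x,
            "N_a": N_a, "N_b": N_b, "P": P_a + P_b, "Q": Q_a + Q_b,
            "attempts": attempts}


if __name__ == "__main__":
    r = generate_modulus()
    print(r["N"].bit_length(), "bit candidate after", r["attempts"], "attempt(s)")
```

Because $P_a$ and $Q_b$ are multiples of 4M and each party's m-bit sum is prime, neither factor can be divisible by any of the k smallest primes, so the trial division only ever rejects on the remaining primes below the threshold.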
After the RSA modulus is determined, or when the RSA modulus does not contain prime factors smaller than the preset numerical threshold, a biprimality test may be further performed.
Alice calculates: $P'_a = P_a$, $Q'_a = Q_a + x$;
Bob calculates: $P'_b = P_b + y$, $Q'_b = Q_b$. The following relationships clearly hold: $P'_a + P'_b = P + y$, $Q'_a + Q'_b = Q + x$; $P'_a + P'_b + Q'_a + Q'_b = P + Q + x + y$.
In the primality test, Bob selects a base g, calculates a second verification parameter $V_1$ based on g, and sends $V_1$ to Alice. In one example, g is selected to satisfy a condition stated in terms of the Jacobi symbol; for example, g = 4 can be chosen.
Alice calculates a first verification parameter based on g:
Subsequently, Alice checks whether the second verification parameter $V_1$ and the first verification parameter $V_2$ satisfy the relationship $V_2 \equiv \pm V_1 \pmod{N'}$. When the relationship is satisfied, $N'$ is output and taken as the finally determined RSA modulus; otherwise, the process jumps to the step of generating the length-three first random number and the length-three second random number, and a new RSA modulus is regenerated.
In this specific example, the RSA modulus is generated in an incremental manner. By reasonably selecting the bit length of the incremental random numbers x and y, the privacy of the prime numbers P and Q can be ensured on the one hand, and on the other hand the shortage of computing resources on the client is compensated for, so that overall efficiency is improved while a certain level of security is met.
An embodiment of an RSA private key generation method is also provided, and a schematic diagram of the RSA private key generation method in an embodiment is shown in fig. 5, where the processing procedure of one device (device 101 or device 102) in fig. 1 is illustrated as an example.
As shown in fig. 5, the RSA private key generation method in this embodiment includes steps S501 to S506.
Step S501: the current party obtains a prime number one current party component and a prime number two current party component. The prime number one current party component and the prime number one opposite party component obtained by the opposite party share the prime number one, and the prime number two current party component and the prime number two opposite party component obtained by the opposite party share the prime number two.
The prime number one current party component refers to the component obtained by the current party when the current party and the opposite party share prime number one, and the prime number two current party component refers to the component obtained by the current party when the current party and the opposite party share prime number two. Prime number one and prime number two may be split in any possible manner, for example by additive splitting.
In a specific example, the prime number one current party component and the prime number two current party component may be randomly generated, for example determined based on the RSA modulus generation method described above. For example, the prime number one current party component may be the length-one random number (the length-one first random number when the current party is the first party; the length-one second random number when the current party is the second party), and the prime number two current party component may be the length-two random number (the length-two first random number when the current party is the first party; the length-two second random number when the current party is the second party), or the sum of the length-two random number and the length-three random number (the length-three first random number when the current party is the first party; the length-three second random number when the current party is the second party). It will of course be appreciated that the prime number one current party component and the prime number two current party component may be obtained in other ways.
Step S502: the current party shares Euler function values with the opposite party according to the prime number first current party component and the prime number second current party component to obtain a first Euler function component.
The sharing of the euler function value by the first party and the second party may be performed in any possible way.
Step S503: the current party executes a secure dot product protocol with the opposite party based on the selected first selected random number and the second selected random number to obtain a third dot product protocol component. The specific process of executing the secure dot product protocol may be performed in any possible manner.
In one embodiment, when the current participant performs the secure dot product protocol with the peer participant based on the selected first selected random number and the second selected random number to obtain the third dot product protocol component, the following manner may be adopted:
the current participant randomly generates random parameters; the random parameter can be a specific random number or a random number vector containing the random number, and the number of the random numbers can be 1 or more and is determined based on actual technical requirements;
the first party constructs a first party dot product input vector according to the length second random number, the length third first random number and the first random parameter, and the second party constructs a second party dot product input vector according to the length second random number, the length third second random number and the second random parameter;
The current party constructs a current party dot product input vector according to the selected first random number, the second random number and the random parameters, and executes a secure dot product protocol with the opposite party to obtain a third dot product protocol component.
Therefore, in the process of executing the dot product protocol, the random parameters are introduced, and the dot product input vector is constructed by combining the introduced random parameters, so that the data transmitted in the interaction process can be confused, the privacy protection of the input parameters is improved, and the safety is improved. It will be appreciated that the random parameters introduced during the execution of the secure dot product protocol are eliminated before the final dot product protocol output result (e.g., the first dot product protocol component, the second dot product protocol component) is obtained, so as to ensure the accuracy of the output result, and any possible way may be adopted for specific elimination.
Step S504: the current participant determines a first shared parameter component based on the third dot product protocol component, the first selected random number, the first euler function component, and the second selected random number. The specific manner of determining the first shared parameter component may be done in any possible manner.
Step S505: after the current party exchanges the first shared parameter component with the opposite party and the second shared parameter component determined by the opposite party, the first integer and the second integer are determined.
In one particular example, the first integer and the second integer may be determined based on the following principles: and the sum of the first product of the sum value of the first shared parameter component and the second shared parameter component and the first integer and the sum value of the second product of the second integer and the public exponent is a preset integer. The preset integer may be set in accordance with the actual technical needs, and in a specific example, may be 1.
Step S506: the current party determines a first RSA private key component from the first integer and the second integer.
In a specific example, after the current party determines the first RSA private key component, the method may further include the steps of:
the current participant takes the fifth random number as a private key component of the current participant;
the current party determines the difference value between the first RSA private key component and the current party private key component, and sends the difference value to the opposite party; the difference value is used for indicating the opposite-end party to determine the private key component of the opposite-end party according to the difference value and the second RSA private key component determined by the opposite-end party.
In this case, the current party only needs to store one private key component to perform collaborative signature for all other parties, and at this time, the current party may be a server party, so that the server only needs to store one private key component to perform collaborative signature for all users.
In another specific example, after the current party determines the first RSA private key component, the method may further include the steps of:
the current party receives a difference value sent by the opposite party, wherein the difference value is a difference value between a second RSA private key component determined by the opposite party and a private key component of the opposite party;
the current party determines a current party private key component from the first RSA private key component and the difference.
Thus, the counterpart party can execute collaborative signature for all users only by storing one private key component.
In another specific example, the current party, after obtaining the first RSA private key component, needs to securely store the first RSA private key component for use in performing the signing.
In another specific example, to obtain higher security, after the current party determines the first RSA private key component, it may further include:
the current participant calculates sensitive parameters related to RSA private key components according to the equipment ID and the user password;
and the current party derives the private key component of the current party according to the sensitive parameter and the first RSA private key component. At this time, the private key component of the opposite party is stored securely.
Thus, at the moment when the signature needs to be executed, the current participant calculates sensitive parameters related to the RSA private key component in a combined mode according to the device ID and the user Password (PIN), and then derives the RSA private key component by utilizing the sensitive parameters. The RSA private key component is destroyed from the memory immediately after being used, and the life cycle of the RSA private key component is shortened.
Fig. 6 shows a flow chart of an RSA private key generation method in another embodiment, which is described by taking as an example the processing procedure of two parties involved in the RSA private key generation procedure. As shown in fig. 6, the RSA private key generation method in this embodiment includes steps S601 to S606 as follows.
Step S601: the first party obtains a prime number one first party component (for convenience of distinction, referred to in this and the following embodiments as the prime number one first component) and a prime number two first party component (referred to as the prime number two first component), and the second party obtains a prime number one second party component (referred to as the prime number one second component) and a prime number two second party component (referred to as the prime number two second component). The prime number one first component and the prime number one second component share prime number one, and the prime number two first component and the prime number two second component share prime number two.
In this step, the first party and the second party each obtain a component that segments the prime number. The prime number one is needed to be shared by the first participant and the second participant, after the prime number one is divided, the first component of the prime number one is obtained by the first participant, and the second component of the prime number one is obtained by the second participant; the first party and the second party need to share prime numbers two, after the prime numbers two are divided, the first party obtains prime numbers two first components, and the second party obtains prime numbers two second components. The prime number one and prime number two division can be performed in any possible manner, for example, division can be performed by adding division.
In a specific example, taking the additive division as an example, the prime number first component, the prime number second component, the prime number first second component, and the prime number second component may be generated by a random generation manner, for example, may be determined based on a manner in an RSA modulus generation method as described above, for example, the prime number first component may be the length first random number, and the prime number second first component may be the length second random number or a sum of the length second random number and the length third random number; the prime number-second component may be the length-second random number, and the prime number-second component may be the length-second random number or a sum of the length-second random number and the length-third second random number. It will of course be appreciated that prime first component, prime second component may be obtained in other ways.
Step S602: the first party and the second party share the Euler function value according to the prime number one first component, the prime number two first component, the prime number one second component and the prime number two second component; the first party obtains a first Euler function component, and the second party obtains a second Euler function component. The sharing of the Euler function value by the first party and the second party may be performed in any possible way.
Step S603: the first party performs a secure dot product protocol with the second party based on a first selected random number and a second selected random number selected by the first party, and a third selected random number and a fourth selected random number selected by the second party. The first party obtains the dot product protocol component of the first party (for the sake of distinction, referred to in this and the following embodiments as the third dot product protocol component), and the second party obtains the dot product protocol component of the second party (referred to as the fourth dot product protocol component). The specific process of executing the secure dot product protocol may be performed in any possible manner.
In one embodiment, the process of the first participant and the second participant performing the secure dot product protocol may be performed in the following manner:
The first party randomly generates a third random parameter, and the second party randomly generates a fourth random parameter; the third random parameter and the fourth random parameter can be specific random numbers or random number vectors containing random numbers, and the number of the random numbers can be 1 or more and is determined based on actual technical requirements;
the first party builds a first party dot product input vector based on the selected first selected random number, the second selected random number and the third random parameter, and the second party builds a second party dot product input vector based on the selected third selected random number, the fourth selected random number and the fourth random parameter;
the first party performs a secure dot product protocol with the second party based on the first party dot product input vector and the second party based on the second party dot product input vector, the first party obtains a third dot product protocol component and the second party obtains a fourth dot product protocol component.
Therefore, in the process of executing the dot product protocol, the random parameters are introduced, and the dot product input vector is constructed by combining the introduced random parameters, so that the data transmitted in the interaction process can be confused, the privacy protection of the input parameters is improved, and the safety is improved. It will be appreciated that the random parameters introduced during the execution of the secure dot product protocol are eliminated before the final dot product protocol output result (e.g., the first dot product protocol component, the second dot product protocol component) is obtained, so as to ensure the accuracy of the output result, and any possible way may be adopted for specific elimination.
Step S604: the first party determines a first shared parameter component based on the third dot product protocol component, the first selected random number, the first Euler function component, the second selected random number, and the public exponent; the second party determines a second shared parameter component based on the third dot product protocol component, the third selected random number, the second Euler function component, the fourth selected random number, and the public exponent. The specific manner of determining the first shared parameter component and the second shared parameter component may be performed in any possible manner.
Step S605: after the first party exchanges the first shared parameter component and the second shared parameter component with the second party, a first integer and a second integer are determined.
In one particular example, the first integer and the second integer may be determined based on the following principles: the sum of the first product of the sum of the first shared parameter component and the second shared parameter component and the first integer and the sum of the second product of the second integer and the disclosure exponent is a preset integer. The disclosure index is a disclosure index agreed by the first participant and the second participant, and the preset integer can be set in combination with actual technical requirements, and in a specific example, the disclosure index can be 1.
Step S606: the first party determines a first RSA private key component according to the first integer, the second selected random number and the second integer, and the second party determines a second RSA private key component according to the first integer and the fourth selected random number.
In a specific example, after the first party determines the first RSA private key component and the second party determines the second RSA private key component, the method further comprises the steps of:
the second party takes the fifth random number as a private key component of the second party;
the second party determines a difference value between the second RSA private key component and the second party private key component and sends the difference value to the first party;
the first party determines a first party private key component from the first RSA private key component and the difference.
In this case, the second party only needs to store one private key component to perform collaborative signing for all the first parties, and in this case, the second party may be a server party in general, so that the server only needs to store one private key component to perform collaborative signing for all the users.
In another specific example, the first party, after obtaining the first RSA private key component, needs to securely store the first RSA private key component for use in performing the signing.
In another embodiment, to obtain higher security, after the first party determines the first RSA private key component and the second party determines the second RSA private key component, the method further includes the steps of:
the second party stores the second RSA private key component;
the first participant calculates sensitive parameters related to RSA private key components according to the equipment ID and the user password; and deriving the first party private key component from the sensitive parameter and the first RSA private key component.
Thus, at the moment when the signature needs to be executed, the first party calculates sensitive parameters related to the RSA private key component in a combined mode according to the equipment ID and the user Password (PIN), and then derives the RSA private key component by utilizing the sensitive parameters. The RSA private key component is destroyed from the memory immediately after being used, and the life cycle of the RSA private key component is shortened.
Based on the RSA private key generation method described above, a detailed illustration follows in conjunction with one specific example; fig. 7 correspondingly shows a schematic diagram of the interaction flow for generating the RSA private key in this specific example. In this specific example, Alice is taken as the first participant and Bob as the second participant.
The scheme of this embodiment generates an RSA private key based on the following basic technical principle.
Alice and Bob agree on an RSA public exponent e and wish to calculate additive shares of the private key D corresponding to e. Assume that both parties jointly calculate a shared parameter: $\gamma = \lambda\varphi(N) + Re$.
Here, $\varphi(N) = (P-1)(Q-1)$ is the Euler function, and $\lambda$ and $R$ are random numbers.
Taking both sides of the above equation modulo $\varphi(N)$ gives: $\gamma \bmod \varphi(N) = Re \bmod \varphi(N)$.
Using the extended Euclidean algorithm, two integers x and y can be selected that satisfy the relationship: $x\gamma + ye = 1$.
Taking both sides of this equation modulo $\varphi(N)$ gives: $(xR + y) \bmod \varphi(N) = e^{-1} \bmod \varphi(N)$.
If $D = (xR + y) \bmod \varphi(N)$, then the relationship $De \equiv 1 \pmod{\varphi(N)}$ is satisfied, so D is the RSA private key corresponding to the public exponent e.
Accordingly, in one particular example, one particular process of generating an RSA private key may be as follows.
Alice obtains the prime number one first component and the prime number two first component, and Bob obtains the prime number one second component and the prime number two second component. These components may be obtained in any possible manner. In a specific example, in the step of generating the RSA modulus, Alice obtains the additive components $P_a$ and $(Q_a + x)$ of the primes P and Q, and Bob obtains the additive components $(P_b + y)$ and $Q_b$. Thus, in this example, the prime number one first component can be set to $P_a$, the prime number two first component to $(Q_a + x)$, the prime number one second component to $(P_b + y)$, and the prime number two second component to $Q_b$.
Subsequently, Alice and Bob share the Euler function value.
The Euler function is calculated from P and Q as:
$\varphi(N) = (P-1)(Q-1) = N - P - Q + 1$.
Thus, in one specific example, the first Euler function component obtained by Alice may be: $\varphi_a(N) = N - P_a - (Q_a + x) + 1$. The second Euler function component obtained by Bob may be: $\varphi_b(N) = -(P_b + y) - Q_b$.
Obviously, $\varphi_a(N) + \varphi_b(N) = \varphi(N)$, so that Alice and Bob additively share $\varphi(N)$.
It will be appreciated that in other embodiments Alice and Bob may share the Euler function $\varphi(N)$ in other ways as well.
Subsequently, Alice selects a first selected random number $\lambda_a$ and a second selected random number $R_a$, and Bob selects a third selected random number $\lambda_b$ and a fourth selected random number $R_b$. Both parties then execute the secure dot product protocol once, so that Alice obtains a third dot product protocol component $S_a$ and Bob obtains a fourth dot product protocol component $S_b$ satisfying the following relationship:
$S_a + S_b = \lambda_a\varphi_b(N) + \lambda_b\varphi_a(N)$.
The specific processing manner of the secure dot product protocol may be any possible manner, for example, the processing manner of the secure dot product protocol used in the process of generating the RSA modulus.
The secure dot product protocol requires the two parties to securely calculate $\lambda_a\varphi_b(N) + \lambda_b\varphi_a(N)$. This is a second-order vector dot product operation, and it has a different form from the expression $x_i P_b + y_i Q_a + x_i y_i$ calculated above in connection with the generation of the RSA modulus.
For this purpose, $\lambda_a\varphi_b(N) + \lambda_b\varphi_a(N)$ is transformed into:
$\lambda_a\varphi_b + \lambda_b\varphi_a = \lambda_a(\varphi_b[0] + \varphi_b[1]) + \lambda_b(\varphi_a[0] + \varphi_a[1])$.
In the preparation phase of executing the protocol, Alice and Bob then construct the input first matrix $A_1$, second matrix $A_2$, third matrix $B_1$ and fourth matrix $B_2$ as follows.
Alice constructs the first matrix $A_1$ and the second matrix $A_2$.
Bob constructs the third matrix $B_1$ and the fourth matrix $B_2$.
Here: $\varphi_a[0] + \varphi_a[1] = \varphi_a(N)$ and $\varphi_b[0] + \varphi_b[1] = \varphi_b(N)$.
After processing in the corresponding manner, the dot product operation result is obtained:
$A_1 \times B_1 + B_2 \times A_2 = \lambda_a\varphi_b + \lambda_b\varphi_a$.
it will be appreciated that in other embodiments, the dot product result may be obtained by using other specific processing methods of the dot product protocol.
Alice then determines the first shared parameter component $\gamma_a$ based on the third dot product protocol component $S_a$, the first selected random number $\lambda_a$, the first Euler function component $\varphi_a(N)$, the second selected random number $R_a$ and the public exponent e:
$\gamma_a = S_a + \lambda_a\varphi_a(N) + R_a e$.
Bob determines the second shared parameter component $\gamma_b$ based on the third dot product protocol component $S_b$, the third selected random number $\lambda_b$, the second Euler function component $\varphi_b(N)$, the fourth selected random number $R_b$ and the public exponent e:
$\gamma_b = S_b + \lambda_b\varphi_b(N) + R_b e$.
These satisfy: $\gamma_a + \gamma_b = (\lambda_a + \lambda_b)(\varphi_a(N) + \varphi_b(N)) + (R_a + R_b)e$.
Alice and Bob exchange $\gamma_a$ and $\gamma_b$, and both parties can calculate: $\gamma = \gamma_a + \gamma_b$.
Subsequently, after Alice and Bob have exchanged the first shared parameter component and the second shared parameter component, they determine the first integer and the second integer. In one specific example, the first integer x and the second integer y may be determined using the extended Euclidean algorithm so as to satisfy the relationship: $x\gamma + ye = 1$.
A simple calculation method may be: first calculate $x = \gamma^{-1} \bmod e$, then calculate $y = (1 - x\gamma)/e$.
After obtaining the first integer x and the second integer y, Alice calculates the first RSA private key component $D_a$ from the first integer x, the second selected random number $R_a$ and the second integer y: $D_a = xR_a + y$. Bob determines the second RSA private key component $D_b$ from the first integer x and the fourth selected random number $R_b$: $D_b = xR_b$.
These obviously satisfy the relationship: $D_a + D_b = x(R_a + R_b) + y = xR + y$. The generation of the RSA private key is thereby realized.
In a specific example, the client may still select 1024 bits or longer of the private key component when generating the RSA private key, and a shorter random number bit (e.g., m=128) is selected during the phase of generating the RSA modulus, without resulting in reduced security of the final calculated private key component.
In another specific example, the private key component of the server may be kept unchanged, so that the server only needs to store one private key component to perform collaborative signature for all users. Taking Bob as a server, the specific implementation method may be as follows:
Bob selects a random number (the fifth random number) $D_0$ as the server private key component, i.e. sets $D_b = D_0$, and then calculates the difference between the second RSA private key component $D_b = xR_b$ and the server private key component $D_0$: $B = xR_b - D_0$. Bob then sends the calculated difference B to Alice.
After Alice receives the difference B, Alice determines the first party private key component (client private key component) $D_a$ from the first RSA private key component $xR_a + y$ and the difference B. Specifically, the sum of the first RSA private key component $xR_a + y$ and the difference B is determined as the client private key component: $D_a = xR_a + y + B = xR + y - D_0$.
Alice and Bob thus share the private key $xR + y$.
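The derivation above, from the additive shares of φ(N) through γ, x and y to the shares D_a and D_b and the fixed server share D_0, can be traced in a short Python sketch. This is an added example, not code from the patent: all function names are hypothetical, the secure dot product protocol is replaced by an insecure stand-in that sees both inputs, the random-number sizes are arbitrary, and combining partial results by multiplication is an assumption that follows from the additive sharing rather than a signing procedure described here.

```python
import secrets
from math import gcd

E = 65537  # public exponent e agreed by Alice and Bob (assumed value)


def additive_split(value, bits=64):
    """Split an integer into two additive shares (a share may be negative)."""
    share = secrets.randbits(bits)
    return share, value - share


def simulated_dot_product(lam_a, phi_a, lam_b, phi_b, bits=64):
    """Insecure stand-in for the secure dot product protocol.

    Returns S_a, S_b with S_a + S_b = lam_a*phi_b + lam_b*phi_a. A real
    protocol produces the same outputs without bringing the inputs together.
    """
    s_a = secrets.randbits(bits)
    return s_a, lam_a * phi_b + lam_b * phi_a - s_a


def generate_key_shares(n, p_a, q_a, p_b, q_b, e=E, bits=64, max_tries=64):
    """Return (D_a, D_b) such that e * (D_a + D_b) = 1 (mod phi(N)).

    p_a and q_a are Alice's additive shares of P and Q (P_a and Q_a + x in
    the text); p_b and q_b are Bob's (P_b + y and Q_b).
    """
    phi_a = n - p_a - q_a + 1   # Alice's share of phi(N) = N - P - Q + 1
    phi_b = -p_b - q_b          # Bob's share
    for _ in range(max_tries):
        lam_a, r_a = secrets.randbits(bits), secrets.randbits(bits)  # Alice
        lam_b, r_b = secrets.randbits(bits), secrets.randbits(bits)  # Bob
        s_a, s_b = simulated_dot_product(lam_a, phi_a, lam_b, phi_b, bits)
        gamma_a = s_a + lam_a * phi_a + r_a * e
        gamma_b = s_b + lam_b * phi_b + r_b * e
        gamma = gamma_a + gamma_b        # = lambda*phi(N) + R*e after exchange
        # x = gamma^-1 mod e exists only when gcd(gamma, e) == 1; redraw if not.
        if gcd(gamma, e) != 1:
            continue
        x = pow(gamma, -1, e)            # requires Python 3.8+
        y = (1 - x * gamma) // e         # exact, since x*gamma = 1 (mod e)
        return x * r_a + y, x * r_b      # D_a for Alice, D_b for Bob
    raise RuntimeError("no invertible gamma; check gcd(phi(N), e) == 1")


def rebase_on_server_share(d_a, d_b, d_0):
    """Fix the server share at D_0: Bob sends B = D_b - D_0, Alice adds B."""
    diff_b = d_b - d_0
    return d_a + diff_b, d_0


def cosign(message, n, share_a, share_b):
    """Multiply the partial results m^share mod N (shares may be negative,
    so the message must be coprime to N)."""
    return pow(message, share_a, n) * pow(message, share_b, n) % n


if __name__ == "__main__":
    # Constructed toy input: two Mersenne primes stand in for P and Q.
    P, Q = 2**31 - 1, 2**61 - 1
    N = P * Q
    p_a, p_b = additive_split(P)
    q_a, q_b = additive_split(Q)
    d_a, d_b = generate_key_shares(N, p_a, q_a, p_b, q_b)
    sig = cosign(0x1234567, N, d_a, d_b)
    print("signature verifies:", pow(sig, E, N) == 0x1234567)
```

Because neither party knows φ(N), the shares are plain integers and D_a is typically a large negative number; the retry loop covers the case where γ is not invertible modulo e.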
In another particular example, after the client obtains the private key component $D_a = xR_a + y$, it needs to store it securely for use when signing. Unless a Trusted Execution Environment (TEE) is introduced at the terminal where the client is located, the terminal is typically a modifiable computing environment (e.g., iOS, Android operating systems, etc.). If sensitive parameters related to the private key component are stored in the terminal, they may face attacks such as hijacking by trojans.
In order to obtain higher security, after the server stores the private key component, the client may calculate a sensitive parameter related to the RSA private key component according to the device ID and the user Password (PIN), and then derive the RSA private key component according to the sensitive parameter. At the moment of executing the signature, the client side firstly calculates sensitive parameters related to the RSA private key component in a combined mode according to the equipment ID and the user Password (PIN), and then derives the RSA private key component by utilizing the sensitive parameters. The RSA private key component is destroyed from the memory immediately after being used, and the life cycle of the RSA private key component is shortened.
Based on the examples described above, in one embodiment there is also provided a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of the embodiments described above when the program is executed.
FIG. 8 illustrates an internal block diagram of a computer device in one embodiment. The computer device may in particular be device 101 (or device 102) of fig. 1. As shown in fig. 8, the computer device includes a processor, a memory, a network interface, and an input device connected by a system bus. The memory includes a nonvolatile storage medium and an internal memory. The non-volatile storage medium of the computer device stores an operating system and may also store a computer program which, when executed by a processor, causes the processor to implement a dot product protocol processing method. The internal memory may also have stored therein a computer program which, when executed by the processor, causes the processor to perform the dot product protocol processing method.
It will be appreciated by those skilled in the art that the structure shown in fig. 8 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored in a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
Accordingly, in one embodiment there is also provided a storage medium having stored thereon a computer program, wherein the program when executed by a processor implements a method as in any of the above embodiments.
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples illustrate only a few embodiments of the invention, which are described in detail and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.

Claims (11)

1. An RSA private key generation method, comprising the steps of:
the current party obtains a prime number one current party component and a prime number two current party component, wherein the prime number one current party component shares a prime number one with a prime number one opposite party component obtained by the opposite party, and the prime number two current party component shares a prime number two with a prime number two opposite party component obtained by the opposite party;
The current party shares Euler function values with the opposite party according to the prime number first current party component and the prime number second current party component to obtain a first Euler function component;
the current participant executes a secure dot product protocol with the opposite-end participant based on the selected first selected random number and the second selected random number to obtain a third dot product protocol component;
the current participant determines a first shared parameter component based on the third dot product protocol component, the first selected random number, the first Euler function component, the second selected random number, and the public exponent;
after the current party and the opposite party exchange the first shared parameter component and the second shared parameter component determined by the opposite party, determining a first integer and a second integer, wherein the sum of a first product and a second product is a preset integer, the first product being the product of the first integer and the sum of the first shared parameter component and the second shared parameter component, and the second product being the product of the second integer and the public exponent;
the current party determines a first RSA private key component from the first integer and the second integer.
2. The method of claim 1, wherein the step of the current participant performing a secure dot product protocol with the peer participant based on the selected first selected random number, the second selected random number, and obtaining a third dot product protocol component comprises:
the current participant randomly generates random parameters;
the current party constructs a current party dot product input vector according to the selected first random number, the second random number and the random parameters, and executes a secure dot product protocol with the opposite party to obtain a third dot product protocol component.
3. The method according to claim 1 or 2, further comprising the step, after the current party determines the first RSA private key component:
the current party receives a difference value sent by the opposite party, wherein the difference value is a difference value between a second RSA private key component determined by the opposite party and a private key component of the opposite party;
the current party determines a current party private key component according to the first RSA private key component and the difference value.
4. A method according to claim 1 or 2, wherein after the current party determines the first RSA private key component, further comprising the step of:
the current participant calculates sensitive parameters related to RSA private key components according to the equipment ID and the user password;
and the current party derives the private key component of the current party according to the sensitive parameter and the first RSA private key component.
5. The method according to claim 1 or 2, further comprising the step, after the current party has determined the first RSA private key component when the current party is a server:
the current participant takes the fifth random number as a private key component of the current participant;
the current party determines the difference value between the first RSA private key component and the current party private key component, and sends the difference value to the opposite party; the difference value is used for indicating the opposite-end party to determine the private key component of the opposite-end party according to the difference value and the second RSA private key component determined by the opposite-end party.
6. An RSA private key generation method, comprising the steps of:
the first party obtains a prime number one first component and a prime number two first component, and the second party obtains a prime number one second component and a prime number two second component; the prime number one first component and the prime number one second component share prime number one, and the prime number two first component and the prime number two second component share prime number two;
the first party and the second party share Euler function values according to the prime number one first component, the prime number two first component, the prime number one second component and the prime number two second component, the first party obtains a first Euler function component, and the second party obtains a second Euler function component;
based on the first selection random number and the second selection random number selected by the first participant, and the third selection random number and the fourth selection random number selected by the second participant, the first participant and the second participant execute a secure dot product protocol, the first participant obtains a third dot product protocol component, and the second participant obtains a fourth dot product protocol component;
the first party determines a first shared parameter component based on the third dot product protocol component, the first selected random number, the first Euler function component, the second selected random number, and the public exponent; the second party determines a second shared parameter component based on the third dot product protocol component, the third selected random number, the second Euler function component, the fourth selected random number, and the public exponent;
after the first party and the second party exchange the first shared parameter component and the second shared parameter component, determining a first integer and a second integer, wherein the sum of a first product, of the first integer and the sum of the first shared parameter component and the second shared parameter component, and a second product, of the second integer and the public exponent, is a preset integer;
the first party determines a first RSA private key component according to the first integer, the second selected random number and the second integer, and the second party determines a second RSA private key component according to the first integer and the fourth selected random number.
7. The method of claim 6, wherein the first party performs a secure dot product protocol with the second party, the first party obtains a third dot product protocol component, and the second party obtains a fourth dot product protocol component, the step comprising:
the first party randomly generates a third random parameter, and the second party randomly generates a fourth random parameter;
the first party builds a first party dot product input vector based on the selected first selected random number, the second selected random number and the third random parameter, and the second party builds a second party dot product input vector based on the selected third selected random number, the fourth selected random number and the fourth random parameter;
the first party, based on the first party dot product input vector, and the second party, based on the second party dot product input vector, execute a secure dot product protocol; the first party obtains a third dot product protocol component and the second party obtains a fourth dot product protocol component.
8. The method of claim 6 or 7, wherein after the first party determines the first RSA private key component and the second party determines the second RSA private key component, further comprising the steps of:
the second party takes the fifth random number as a private key component of the second party;
the second party determines a difference value between the second RSA private key component and the second party private key component and sends the difference value to the first party;
the first party determines a first party private key component from the first RSA private key component and the difference.
9. The method of claim 6 or 7, wherein after the first party determines the first RSA private key component and the second party determines the second RSA private key component, further comprising the steps of:
the second party stores the second RSA private key component;
the first party calculates sensitive parameters related to the RSA private key component according to the equipment ID and the user password, and derives the first party private key component according to the sensitive parameters and the first RSA private key component.
10. A computer device comprising a memory and a processor, the memory having stored thereon a computer program, characterized in that the processor, when executing the program, implements the steps of the method of any of claims 1 to 5 or the steps performed by the first party or the second party of any of claims 6 to 9.
11. A computer readable storage medium having stored thereon a computer program, characterized in that the program when executed by a processor realizes the steps of the method of any of claims 1 to 5 or the steps performed by the first party or the second party of any of claims 6 to 9.
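The claims give no formulas, so the following added Python example (not code from the patent) fills them in with one arithmetic that satisfies the steps of claims 6 and 8. The share formulas, the preset integer of 1, the in-the-clear `dot_product_shares` stand-in for the secure dot product protocol, and the function names are all assumptions.

```python
import secrets

E = 65537  # public exponent

def ext_gcd(x, y):
    """Return (g, a, b) such that a*x + b*y == g == gcd(x, y)."""
    a0, a1, b0, b1 = 1, 0, 0, 1
    while y:
        q, x, y = x // y, y, x % y
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return x, a0, b0

def split(value, bits):
    """Additive sharing over the integers: returns (s1, s2) with s1 + s2 == value."""
    s1 = secrets.randbits(bits)
    return s1, value - s1

def dot_product_shares(vec1, vec2, bits=128):
    """Stand-in for the secure dot product protocol (assumption): additive shares
    of vec1 . vec2, computed here in the clear by one function."""
    return split(sum(x * y for x, y in zip(vec1, vec2)), bits)

def generate_d_shares(p1, q1, p2, q2, bits=32):
    """Return (n, d1, d2) with E * (d1 + d2) == 1 (mod phi(n))."""
    n = (p1 + p2) * (q1 + q2)
    # Euler function components (assumed split): phi = n - p - q + 1 = phi1 + phi2
    phi1, phi2 = n - p1 - q1 + 1, -(p2 + q2)
    for _ in range(64):
        r1, r2 = (1 + secrets.randbits(bits) for _ in range(2))  # first party
        r3, r4 = (1 + secrets.randbits(bits) for _ in range(2))  # second party
        u, v = dot_product_shares((r1, phi1), (phi2, r3))  # u + v = r1*phi2 + r3*phi1
        g1 = u + r1 * phi1 + r2 * E   # first shared parameter component
        g2 = v + r3 * phi2 + r4 * E   # second shared parameter component
        # After the exchange both know g1 + g2 = (r1 + r3)*phi + (r2 + r4)*E
        g, a, b = ext_gcd(g1 + g2, E)  # a*(g1 + g2) + b*E == g
        if g == 1:                     # preset integer assumed to be 1
            return n, a * r2 + b, a * r4
    raise ValueError("E shares a factor with phi(n); choose other primes")

def reshare(d1, d2, bits=256):
    """Claim 8: the second party keeps a fresh random share and sends the difference."""
    d_second = secrets.randbits(bits)   # fifth random number
    diff = d2 - d_second                # the only value sent to the first party
    return d1 + diff, d_second

def joint_private_op(c, n, share_a, share_b):
    """Each party exponentiates with its own share; the partial results are multiplied.
    Shares may be negative; pow() then needs Python 3.8+ and gcd(c, n) == 1."""
    return pow(c, share_a, n) * pow(c, share_b, n) % n
```

Because a·(g1 + g2) + b·E = 1, the sum d1 + d2 = a·(r2 + r4) + b satisfies E·(d1 + d2) ≡ 1 (mod φ), and the re-sharing step leaves that sum unchanged.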

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011238405.0A CN112202562B (en) 2017-12-27 2017-12-27 RSA key generation method, computer device and medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711447744.8A CN107888385B (en) 2017-12-27 2017-12-27 RSA modulus generation method, RSA key generation method, computer device, and medium
CN202011238405.0A CN112202562B (en) 2017-12-27 2017-12-27 RSA key generation method, computer device and medium

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201711447744.8A Division CN107888385B (en) 2017-12-27 2017-12-27 RSA modulus generation method, RSA key generation method, computer device, and medium

Publications (2)

Publication Number Publication Date
CN112202562A CN112202562A (en) 2021-01-08
CN112202562B true CN112202562B (en) 2024-02-27

Also Published As

Publication number Publication date
CN107888385A (en) 2018-04-06
CN112202562A (en) 2021-01-08
CN107888385B (en) 2020-12-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant