CN113055163B - Blind signature generation method based on SM9 digital signature algorithm - Google Patents

Abstract

The invention discloses a blind signature generation method based on SM9 digital signature algorithm, wherein the generation process has two parties participating together, one party is Signer, and the other party is usedThe User, generates a blind signature as follows: 1) signer generates random numbers

Calculating a first temporary variable R ═ r.P ₁ And sending R to a User; 2) after receiving R, the User generates two random numbers

Calculating the second temporary variable w ═ e (α · R + α · β · P ₁ ，P _pub‑s ) Converting the data type of w into a bit string, and then calculating the hash value H of the message M to be signed as H ₂ (M | | w, N) and a third temporary variable h' ═ α ^‑1 H- β mod N, finally sends h' to Signer; 3) after receiving h ', the Signer calculates a fourth temporary variable S ═ r-h' · D _ID And sending S' to the User; 4) upon receiving S ', the User calculates the signature value S ═ α · S', and outputs a signature (h, S). The invention blinds the signed message in the signing process on the basis of not changing the whole framework of the SM9 signing algorithm, and can complete signing under the condition of ensuring that the message is not leaked.

Description

Blind signature generation method based on SM9 digital signature algorithm

Technical Field

The invention relates to an information security technology, in particular to a blind signature generation method based on an SM9 digital signature algorithm.

Background

Digital signature is a security technology that appears with the development of information network technology, and the purpose is to realize the function of traditional handwritten signature through technical means, and is used for identifying the identity of a signer and the legality of data content. The method can also verify whether the original text of the file changes in the transmission process, and ensure the integrity, authenticity and non-repudiation of the transmitted electronic file. Digital signatures are an important part of public key cryptography, and have an important role in many occasions.

Typically, the signer must know what the message he signed to sign. In many cases, when a signer is required to sign a message, the content of the signature is unknown, and the signature of the signer cannot be tracked after signing. With the promotion of this need to protect privacy, blind signatures come into force. Blind signatures have been used in a number of fields such as electronic voting, mobile payment, digital currency, and the like.

Aiming at the situation, the efficient blind signature generation scheme based on the SM9 digital signature algorithm is designed, in the signature process, a user firstly blinds the message, a signer signs the blinded message, and finally the user obtains the digital signature of the real message. The signer does not know the specific content of the signed message and cannot trace the signature after signing. According to the scheme, the Signer (Signer) and the User (User) execute the scheme together, so that the correctness of the signature can be guaranteed, and the privacy of the signature message can be guaranteed.

Disclosure of Invention

The technical problem to be solved by the invention is to provide a blind signature generation method based on an SM9 digital signature algorithm aiming at the defects in the prior art.

The technical scheme adopted by the invention for solving the technical problems is as follows: a blind signature generation method based on SM9 digital signature algorithm is provided, the generation process has two parties participating together, one party is Signer, the other party is User, the steps of generating blind signature are as follows:

1) signer generates random numbers

Calculating a first temporary variable R ═ r.P ₁ And sending R to a User;

wherein the content of the first and second substances,

is a set consisting of the integers 1,2, …, N-1; n is a cyclic group

And

and N > 2 ¹⁹¹ Is a prime number; p ₁ Is a circulating group

A generator of (2);

2) after receiving R, the User generates two random numbers

Calculating the second temporary variable w ═ e (α · R + α · β · P ₁ ，P _pub-s ) Converting the data type of w into a bit string, and then calculating the hash value H of the message M to be signed as H ₂ (M | | w, N) and a third temporary variable h' ═ α ^-1 H- β mod N, finally sends h' to Signer;

wherein e is selected from

To

Of bilinear pairs, P _pub-s Is the master public key of the system, P _pub-s ＝ks·P ₂ Wherein P is ₁ Is a circulating group

Is a system private key, and is a set of key generation centers KGC

Selecting randomly;

3) after receiving h ', the Signer calculates a fourth temporary variable S ═ r-h' · D _ID And sending S' to the User;

wherein D is _ID The private key of the user generated for the key generation center KGC,

D _ID ＝t ₂ ·P ₁ ，

wherein, t ₁ ＝H ₁ (I _DS ||hid，N)+ks，

4) Upon receiving S ', the User calculates the signature value S ═ α · S', and outputs a signature (h, S).

The invention has the following beneficial effects:

according to the invention, on the basis of not changing the whole framework of the SM9 signature algorithm, the signed message is blinded in the signature process, and the signature can be completed under the condition that the message is not leaked, namely, a signer does not know the signature content, and a user can obtain the SM9 signature of the real message. Meanwhile, the invention realizes the function of two-party distributed generation of SM9 signature, and the two parties must participate simultaneously when generating the signature. Under the condition of keeping strong security and high efficiency of the existing SM9 signature, the correctness of the signature can be ensured and the privacy of the signature message can be ensured in the signature process.

Drawings

The invention will be further described with reference to the accompanying drawings and examples, in which:

FIG. 1 is a flow chart of a method of an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

The reference numerals in this example mean:

KGC: key generation center

Signer, User: and (4) communication parties.

The order is the group of addition cycles of prime N.

Multiplication of order by prime number NAnd (4) a method circulation group.

e: from

To

Bilinear pairs of (c).

g ^u : multiplicative group

To the power of u of g.

H ₁ (·)，H ₂ (. o): from {0, 1} ^* To

A cryptographic hash function of (1).

ID _U : the identity of the correspondent U can uniquely determine the public key of the correspondent U.

D _ID : the signing key of the correspondent U.

mod N: and (4) performing modulo N operation.

N: circulation group

And

and N > 2 ¹⁹¹ Are prime numbers.

P ₁ ，P ₂ : are respectively a group

And

the generator of (1).

u · P: additive group

U times of element P in the formula.

ks: a system master private key.

P _pub-s : master public key of system, here P _pub-s ＝ks·P ₂ 。

x | | y: the concatenation of x and y, where x and y are bit strings or byte strings.

Set of integers 1,2, …, N-1

As shown in fig. 1, a blind signature generation method based on SM9 digital signature algorithm, in which two parties participate together in the generation process, one party is Signer, and the other party is User, and the steps of generating the blind signature are as follows:

1) signer generates random numbers

Calculating a first temporary variable R ═ r.P ₁ And sending R to a User;

wherein the content of the first and second substances,

is a set consisting of the integers 1,2, …, N-1; n is a cyclic group

And

and N > 2 ¹⁹¹ Is a prime number; p ₁ Is a circulating group

A generator of (2);

2) after receiving R, the User generates two random numbers

Calculating the second temporary variable w ═ e (α · R + α · β · P ₁ ，P _pub-s ) Converting the data type of w into a bit string, and then calculating the hash value H of the message M to be signed as H ₂ (M | | w, N) and a third temporary variable h' ═ α ^-1 H- β mod N, finally sends h' to Signer;

wherein e is selected from

To

Of bilinear pairs, P _pub-s Is the master public key of the system, P _pub-s ＝ks·P ₂ Wherein P is ₁ Is a circulating group

Is a system private key, and is a set of key generation centers KGC

Selecting randomly;

3) after receiving h ', the Signer calculates a fourth temporary variable S ═ r-h' · D _ID And sending S' to the User;

wherein D is _ID The private key of the user generated for the key generation center KGC,

D _ID ＝t ₂ ·P ₁ ，

wherein t is ₁ ＝H ₁ (ID _S ||hid，N)+ks，

4) Upon receiving S ', the User calculates the signature value S ═ α · S', and outputs a signature (h, S).

The invention has the characteristics of low implementation complexity, high safety, easy verification and the like, is used for generating the correct blind signature under the condition that a Signer does not know the message, needs two parties of a Signer and a User to participate simultaneously in the process of generating the signature, and does not leak the signed message to the Signer in the process of generating the blind signature, thereby ensuring the anonymity and the untraceability of the signature scheme of the invention.

It will be understood that modifications and variations can be made by persons skilled in the art in light of the above teachings and all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.

Claims (1)

1. A blind signature generation method based on SM9 digital signature algorithm, the generation process has two parties participating together, one party is Signer, another party is User, characterized in that, the steps of generating blind signature are as follows:

1) signer generates random numbers

Calculating a first temporary variable R ═ r.P ₁ And sending R to a User;

wherein the content of the first and second substances,

is a set consisting of the integers 1,2, …, N-1; n is a cyclic group

And

order of (1), and N>2 ¹⁹¹ Is a prime number; p ₁ Is a circulating group

A generator of (2);

2) after receiving R, the User generates two random numbers

Calculating the second temporary variable w ═ e (α · R + α · β · P ₁ ,P _pub-s ) Converting the data type of w into a bit string, and then calculating the hash value H of the message M to be signed as H ₂ (M | | w, N) and a third temporary variable h ^′ ＝α ^-1 H- β mod N, finally sends h' to Signer;

wherein e is selected from

To

Of bilinear pairs, P _pub-s Is the master public key of the system, P _pub-s ＝ks·P ₂ Wherein P is ₁ Is a circulating group

Is a system private key, and is a set of key generation centers KGC

Selecting randomly;

3) after receiving h ', the Signer calculates a fourth temporary variable S ═ r-h' · D _ID And sending S' to the User;

wherein D is _ID The private key of the user generated for the key generation center KGC,

D _ID ＝t ₂ ·P ₁ ，

wherein, t ₁ ＝H ₁ (ID _S ||hid,N)+ks，

4) Upon receiving S ', the User calculates the signature value S ═ α · S', and outputs a signature (h, S).

Images