CN103929305A - SM2 signature algorithm implementation method - Google Patents

Abstract

The invention discloses an SM2 signature algorithm implementation method. The method comprises the steps of step one, mapping a base point G from a weierstrass mode to a Montgomery mode; step two, setting (img file = 'DDA00002742588300011.TIF' wi= '341' he= '85'/); step three, (img file = 'DDA00002742588300012.TIF' wi= '279' he= '84'/); step four, selecting the random number k<[1,n-1]; step five, making kG in the Montgomery mode and setting Kg as (x1,y1), and converting x1 into an integer; step six, calculating r<- (e+x1) modn, and returning to step four if r =m or r+k =m; step seven, calculating s<-((1+dA) -1*(k-r*dA)) modn, and returning to step four if s =0; step eight, returning a digital signature (r, s). According to the method, the SM2 signature algorithm scheme can save storage space during calculation.

Description

The implementation method of SM2 signature algorithm

Technical field

The present invention relates to field of cryptography, particularly relate to a kind of implementation method of SM2 signature algorithm.

Background technology

Password Management office of country has announced < < SM2 ellipse curve public key cipher algorithm > > in December, 2010, SM2 algorithm is a kind of elliptic curve (ECC) in essence, in detail, SM2 algorithm dictates the details such as signature, checking, cipher key change.

SM2 signature algorithm is a kind of elliptic curve numeral authentication method, and confirmation that can be to Data Source, guarantees signer non-repudiation.

Elliptic curve Montgomery (Montgomery) form is E _m: By ²=x ³+ Ax+x, under this form, point add operation and point doubling are not need y coordinate; And at elliptic curve weierstrass (Weierstrass) form E:y ²=x ³+ ax+b, point add operation and point doubling need to add y coordinate; When being computing, its shortcoming can take a large amount of memory spaces.

Summary of the invention

The technical problem to be solved in the present invention is to provide a kind of implementation method of SM2 signature algorithm, can reduce the memory space of computing.

For solving the problems of the technologies described above, the implementation method of SM2 signature algorithm of the present invention, comprises the steps:

Step 1, is mapped to Montgomery form by basic point G from weierstrass form;

Step 2, puts wherein, Z _abe user's Hash Value, M is information, ← be assignment;

Step 3, calculates wherein H (x) is hash function;

Step 4, chooses random number k ∈ [1, n-1];

Step 5 is made kG under the form of Montgomery, and making it is (x ₁, y ₁), and by x ₁be converted into integer;

Step 6, calculates r ← (e+x ₁) mod n, if r=0 or r+k=n return to step 4;

Step 7, calculates s ← ((1+d _a) ^-1* (k-r*d _a)) mod n, if s=0 returns to step 4, wherein d _ait is private key for user;

Step 8, returns to digital signature (r, s).

The present invention is mapped to Montgomery form regeneration by SM2 signature algorithm from weierstrass form and generates signature to (r, s), because under the form of Montgomery, the point add operation of elliptic curve and point doubling do not need y coordinate, the memory space in the time of can greatly reducing computing.

Accompanying drawing explanation

Below in conjunction with accompanying drawing and embodiment, the present invention is further detailed explanation:

Fig. 1 is the flow chart of the implementation method of described SM2 signature algorithm;

Fig. 2 calculates kG=(x ₁, y ₁) flow chart.

Embodiment

The present invention, from traditional elliptic curve weierstrass form, is converted into Montgomery form, then signs.Shown in Fig. 1, the implementation method of described SM2 signature algorithm, input parameter is elliptic curve parameter, Z _a, M, P _a, d _a, Z wherein _abe user's Hash Value, M is information, P _aclient public key, d _abe private key for user, comprise the steps:

Step 1, is mapped to Montgomery form by basic point G from weierstrass form;

Step 2, puts $\stackrel{\&OverBar;}{M}\&LeftArrow;Z_A\left|\right|M;$

Step 3, calculates wherein, H (x) is hash function;

Step 4, chooses random number k ∈ [1, n-1];

Step 5 is made kG=(x under the form of Montgomery ₁, y ₁), and by x ₁be converted into integer;

Step 6, calculates r ← (e+x ₁) mod n, if r=0 or r+k=n return to step 4;

Step 7, calculates s ← ((1+d _a) ^-1* (k-r*d _a)) mod n, if s=0 returns to step 4;

Step 8, returns to digital signature (r, s).

Computing in above steps is all carried out under the form of Montgomery (Montgomery).

In step 1, basic point G is mapped to Montgomery form from weierstrass form also needs to meet specified conditions:

Elliptic curve weierstrass form E:y ²=x ³+ ax+b, at finite field F _pmiddle x ³+ ax+b=0 has root, is made as α, simultaneously 3 α ²+ a is the quadratic residue of p.

Order $s=\frac{1}{\sqrt{{3\mathrm{\&alpha;}}^2+a}},$ Carry out again coordinate transform $(x,y)\&RightArrow;(\frac{x}{s}+a,\frac{y}{s}),$ Weierstrass form E:y ²=x ³+ ax+b just can be mapped to Montgomery form E _m: By ²=x ³+ Ax+x is upper, B=s wherein, A=3 α s.

In described step 5, by calling the algorithm of following steps, calculate kG=(x ₁, y ₁):

Step (1), input integer k and G=(x: y: 1);

Step (2), and calculating 2G=(x ': y ': z ');

Step (3), G ' ← 2G;

Step (4), is launched into binary form integer k k wherein _s-1=1;

Step (5) circulates from i=s-2 to i=0:

Step (6), if k _i=0, Q ' ← G '+G, Q ← 2G, if k _i=1, Q ← G '+G, Q ' ← 2G ';

Step (7), G ' ← Q ', G ← Q;

Step (8), i ← i-1;

Step (9), after circulation finishes, output point G;

Finally, the value of some G just equals required kG.

And all the other steps are to generate to have signed to (r, s).

Described step (6) point add operation and point doubling are to complete under the form of Montgomery, and curve form is E _m: By ²=x ³+ Ax+x.Concrete operation formula used is as follows:

Point add operation:

X _2m+1＝Z ₁((X _m+1-Z _m+1)(X _m+Z _m)+(X _m+1+Z _m+1)(X _m-Z _m)) ²

Z _2m+1＝X ₁((X _m+1-Z _m+1)(X _m+Z _m)-(X _m+1+Z _m+1)(X _m-Z _m)) ²

2 point doublings:

X _2m＝(X _m+Z _m) ²(X _m-Z _m) ²

$Z_{2m}={4X}_m{Z}_m({(X_m-Z_m)}^2+\left(\frac{A+2}{4}\right)\left({4X}_m{Z}_m\right)).$

Wherein, X ₁represent the X coordinate of basic point, Z ₁represent the Z coordinate of basic point, X _mrepresent the X coordinate that m is ordered, Z _mrepresent the Z coordinate that m is ordered.

An embodiment below:

Choose and get prime number p=2 ¹⁹²-2 ⁶⁴-1, set up finite field F _p, for weierstrass form elliptic curve E (F _p): y ²=x ³+ ax+b, wherein:

a＝0x6A57BA7CC7CA8D851ACBB58340EB80F0E8372EF409A67DDA

b＝0x6C681624BCF461FAB96DE16AA545D775E66382F2CEC977CA

α＝0xA4413AD3EF0CF90F91DF3FDBB089DC51876087BA609E7664

Meet α ³+ a α+b=0, and 3 α ²+ a is the quadratic residue of p.Choose

G=(37,234,817,531,077,503,299,542,912,797,226,283,109,347,945,036,092,741,173 35,34,212,690,789,145,242,334,546,290,613,444,983,044,748,276,014,286,432,549 21,1), order just changed into Montgomery curve form, its X coordinate

X＝3860313548999787338078427342307244695792884328213221870944，

With Z coordinate Z=1,

If k=179=1*2 ⁰+ 1*2 ¹+ 0*2 ²+ 0*2 ³+ 1*2 ⁴+ 1*2 ⁵+ 0*2 ⁶+ 1*2 ⁷kG is calculated as follows:

k i	k 7	k 6	k 5	k 4	k 3	k 2	k 1	k 0
									179	1	0	1	1	0	0	1	1

Q

G

2G

5G

11G

22G

44G

89G

1?79G

Q′

2G

3G

6G

12G

23G

45G

90G

1?80G

Visible 179P is required.Its X coordinate, it is as follows that Z sits target value:

X＝620772673523943864697586076752183162272170717129942472090

Z＝154061983259894946655828807576947185385080422622278501903。

So x ₁=X/Z.Generating afterwards that the step of signature right (r, s) namely carries out under the form of Montgomery, is also feasible.Sign test process too, so just can not calculated y coordinate, thereby save memory space simultaneously.

Below through the specific embodiment and the embodiment, the present invention is had been described in detail, but protection scope of the present invention is not limited to described execution mode and embodiment.Without departing from the principles of the present invention, those skilled in the art also can make many distortion and improvement, and these also should be considered as protection scope of the present invention.

Claims (4)

1. an implementation method for SM2 signature algorithm, is characterized in that, comprises the steps:

Step 1, is mapped to Montgomery form by basic point G from weierstrass form;

Step 2, puts wherein, Z _abe user's Hash Value, M is information, ← be assignment;

Step 3, calculates h(x wherein) be hash function;

Step 4, chooses random number k ∈ [1, n-1], and wherein n is the rank of a G;

Step 5 is made kG under the form of Montgomery, and making it is (x ₁, y ₁), and by x ₁be converted into integer;

Step 6, calculates r ← (e+x ₁) modn, if r=0 or r+k=n return to step 4; "

Step 7, calculates s ← ((1+d _a) ^-1* (k-r*d _a)) modn, if s=0 returns to step 4, wherein d _abe private key for user, * represents multiplication sign;

Step 8, returns to digital signature (r, s).

2. the method for claim 1, is characterized in that: the computing in each step is all carried out under the form of Montgomery.

3. the method for claim 1, is characterized in that: during implementation step five, calculate by the following method kG=(x ₁, y ₁);

Step (1), input integer k and G=(x: y: 1);

Step (2), calculates 2G=(x ': y ': z ');

Step (3), G ' ← 2G;

Step (4), is launched into binary form integer k k wherein _s-1=1;

Step (5) circulates from i=s-2 to i=0:

Step (6), if k _i=W, Q ' ← G '+G, Q ← 2G, if k _i=1, Q ← G '+G, Q ' ← 2G ';

Step (7), G ' ← Q ', G ← Q;

Step (8), i ← i-1;

Step (9), after circulation finishes, output point G;

Finally, the value of some G just equals required kG.

4. method as claimed in claim 3, is characterized in that: point add operation and point doubling in described step (6) complete under the form of Montgomery, and curve form is E _m: Ey ²=X ³+ Ax+x; B, A is elliptic curve parameter, wherein:

Point add operation is calculated as follows:

X _2m+1＝Z ₁((X _m+1-Z _m+1)(X _m+Z _m)+(X _m+1+Z _m+1)(X _m-Z _m)) ²，

Z _2m+1＝X ₁((X _m+1-Z _m+1)(X _m+Z _m)-(X _m+1+Z _m+1)(X _m-Z _m)) ²

2 point doublings are calculated as follows:

X _2m=(X _mten Z _m) ²(X _m-Z _m) ²

$Z_{2m}={4X}_m{Z}_m({(X_m-Z_m)}^2+\left(\frac{A+2}{4}\right)\left({4X}_m{Z}_m\right));$

Wherein, X ₁represent the X coordinate of basic point G, Z ₁represent the Z coordinate of basic point G, X _mrepresent the X coordinate that m is ordered, Z _mrepresent the Z coordinate that m is ordered.