CN107196763B - SM2 algorithm collaborative signature and decryption method, device and system - Google Patents

Info

Publication number
CN107196763B
Authority
CN
China
Prior art keywords
signature
elliptic curve
group element
communication party
curve group
Legal status (assumed, not a legal conclusion): Active
Application number
CN201710546334.2A
Other languages
Chinese (zh)
Other versions
CN107196763A (en)
Inventor
张永强
刘
Current Assignee (the listed assignees may be inaccurate)
Guangdong Authentication Technology Co Ltd
Age Of Security Polytron Technologies Inc
Original Assignee
Guangdong Authentication Technology Co Ltd
Age Of Security Polytron Technologies Inc
Application filed by Guangdong Authentication Technology Co Ltd and Age Of Security Polytron Technologies Inc
Priority to CN201710546334.2A
Publication of CN107196763A
Application granted
Publication of CN107196763B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Abstract

The invention relates to an SM2 algorithm collaborative signing and decryption method, device and system. The SM2 algorithm collaborative signing method, implemented from the perspective of a first communication party, comprises the following steps: generating a message digest of the message to be signed according to a preset cryptographic hash algorithm; receiving a first elliptic curve group element fed back by a second communication party based on a first public key parameter and a selected random number; generating a first partial signature according to the message digest and the first elliptic curve group element; performing a modulo operation based on the first partial signature to generate an obfuscated intermediate result, and transmitting the obfuscated intermediate result to the second communication party; when an intermediate signature fed back by the second communication party according to the obfuscated intermediate result is received, generating a second partial signature according to the intermediate signature and the first partial signature; and obtaining a complete SM2 digital signature from the first partial signature and the second partial signature.

Description

SM2 algorithm collaborative signature and decryption method, device and system
Technical Field
The invention relates to the technical field of cryptography, in particular to a SM2 algorithm collaborative signature and decryption method, device and system.
Background
Elliptic curve cryptography (ECC for short) is a public key system based on the mathematical problem of elliptic curves defined over finite fields. The SM2 algorithm is an elliptic curve public key cryptographic algorithm specified in the standard GM/T 0003-2012 SM2 elliptic curve public key cryptographic algorithm, formulated by the State Cryptography Administration, and is a specific algorithm of an ECC cryptosystem.
In order to improve the security of a private key in a cloud computing environment, the conventional technology proposes that partial private keys are respectively stored in two communication parties, the two parties can carry out operations such as signature or decryption on a message only by combining, and the two communication parties cannot acquire any information of the private key of the other party, so that an attacker cannot forge a signature or decrypt a ciphertext when invading any one of the two parties.
In the implementation process, the inventor finds that at least the following problems exist in the conventional technology: the conventional technology sends the message digest of the message to be signed to another communication party, which is not beneficial to protecting the privacy of the user. Meanwhile, if a malicious attacker replaces the message digest through the control channel, the two communication parties can generate and output a digital signature according to the tampered message digest, so that the attacker can forge the signature.
Disclosure of Invention
Therefore, it is necessary to provide a method, a device and a system for SM2 algorithm collaborative signature and decryption in order to solve the problem that the conventional technology cannot protect user privacy and resist malicious attacks.
In order to achieve the above object, in one aspect, an embodiment of the present invention provides an SM2 algorithm collaborative signing method implemented from the perspective of a first communication party, including the following steps:
generating a message digest of the message to be signed according to a preset cryptographic hash algorithm;
receiving a first elliptic curve group element fed back by a second communication party based on a first public key parameter and a selected random number; generating a first partial signature according to the message digest and the first elliptic curve group element;
performing modulo operation based on the first partial signature to generate an obfuscated intermediate result, and transmitting the obfuscated intermediate result to the second communication party;
when an intermediate signature fed back by the second communication party according to the obfuscated intermediate result is received, generating a second partial signature according to the intermediate signature and the first partial signature;
from the first partial signature and the second partial signature, a complete SM2 digital signature is obtained.
On the other hand, the embodiment of the invention also provides an SM2 algorithm collaborative signature method implemented from the perspective of a second communication party, which comprises the following steps:
generating a first elliptic curve group element according to the selected random number and a first public key parameter of the first communication party, and transmitting the first elliptic curve group element to the first communication party;
receiving an obfuscated intermediate result fed back by the first communication party based on the first elliptic curve group element, and generating an intermediate signature according to the second private key component and the obfuscated intermediate result;
the intermediate signature is transmitted to the first party.
In one aspect, an embodiment of the present invention provides a method for implementing cooperative decryption of an SM2 algorithm from a second communication party, including the following steps:
receiving a first point multiplication result which is transmitted by a first communication party and is obtained according to a first private key component and an elliptic curve group element corresponding to the first bit string;
performing product operation on the second private key component and the first point multiplication result to obtain a second point multiplication result;
receiving elliptic curve group elements corresponding to a first bit string transmitted by a first communication party according to the first bit string of the SM2 ciphertext;
obtaining a temporary symmetric key according to the second point multiplication result and the elliptic curve group element corresponding to the first bit string, and extracting a second bit string of the SM2 ciphertext;
performing bitwise XOR operation on the temporary symmetric key and the second bit string to obtain a decrypted plaintext;
and verifying the decrypted plaintext, and outputting the decrypted plaintext when the verification is successful.
On the other hand, the embodiment of the present invention further provides a method for implementing the SM2 algorithm cooperation decryption from the perspective of the first communication party, including the following steps:
obtaining a first bit string of an SM2 ciphertext; carrying out data type conversion on the first bit string to obtain elliptic curve group elements corresponding to the first bit string;
obtaining a first point multiplication result according to the first private key component and the elliptic curve group element corresponding to the first bit string;
and transmitting the first point multiplication result and the elliptic curve group element corresponding to the first bit string to the second communication party.
In one aspect, an embodiment of the present invention provides an SM2 algorithm collaborative signing apparatus implemented from a first communication party perspective, including:
the first communication party message digest generation unit is used for generating a message digest of the message to be signed according to a preset cipher hash algorithm;
the first communication party message signature generation unit is used for receiving a first elliptic curve group element fed back by the second communication party based on the first public key parameter and the selected random number; generating a first partial signature according to the message digest and the first elliptic curve group element; performing modulo operation based on the first partial signature to generate an obfuscated intermediate result, and transmitting the obfuscated intermediate result to the second communication party; when an intermediate signature fed back by the second communication party according to the obfuscated intermediate result is received, generating a second partial signature according to the intermediate signature and the first partial signature; from the first partial signature and the second partial signature, a complete SM2 digital signature is obtained.
On the other hand, an embodiment of the present invention further provides an SM2 algorithm collaborative signature apparatus implemented from the perspective of a second communication party, including:
the second communication party parameter generating unit is used for generating a first elliptic curve group element according to the selected random number and the first public key parameter of the first communication party and transmitting the first elliptic curve group element to the first communication party;
the second communication party intermediate signature generation unit is used for receiving an obfuscated intermediate result fed back by the first communication party based on the first elliptic curve group element and generating an intermediate signature according to the second private key component and the obfuscated intermediate result; the intermediate signature is transmitted to the first communication party.
In one aspect, an embodiment of the present invention provides a device for implementing SM2 algorithm cooperation decryption from a second communication party, including:
the second communication party receiving unit is used for receiving a first point multiplication result which is transmitted by the first communication party and is obtained according to the first private key component and the elliptic curve group element corresponding to the first bit string; receiving elliptic curve group elements corresponding to a first bit string transmitted by a first communication party according to the first bit string of the SM2 ciphertext;
the second communication party decryption unit is used for performing product operation on the second private key component and the first point multiplication result to obtain a second point multiplication result; obtaining a temporary symmetric key according to the second point multiplication result and the elliptic curve group element corresponding to the first bit string, and extracting a second bit string of the SM2 ciphertext; performing bitwise XOR operation on the temporary symmetric key and the second bit string to obtain a decrypted plaintext; and verifying the decrypted plaintext, and outputting the decrypted plaintext when the verification is successful.
On the other hand, an embodiment of the present invention further provides a device for implementing the SM2 algorithm collaborative decryption method from the perspective of the first communication party, where the device includes:
a first communication party processing unit for obtaining a first bit string of the SM2 ciphertext; carrying out data type conversion on the first bit string to obtain elliptic curve group elements corresponding to the first bit string; obtaining a first point multiplication result according to the first private key component and the elliptic curve group element corresponding to the first bit string;
and the first communication party transmission unit is used for transmitting the first point multiplication result and the elliptic curve group element corresponding to the first bit string to the second communication party.
In one aspect, an embodiment of the present invention provides an SM2 algorithm collaborative signature system, including a first communication party and a second communication party;
the second communication party generates a first elliptic curve group element according to the selected random number and a first public key parameter of the first communication party, and transmits the first elliptic curve group element to the first communication party;
the first communication party generates a message digest of the message to be signed according to a preset cryptographic hash algorithm and generates a first partial signature according to the message digest and the first elliptic curve group element; performing modulo operation based on the first partial signature to generate an obfuscated intermediate result, and transmitting the obfuscated intermediate result to the second communication party; the second communication party generates an intermediate signature according to the second private key component and the obfuscated intermediate result; and transmitting the intermediate signature to the first party;
the first communication party generates a second partial signature according to the intermediate signature and the first partial signature; and from the first partial signature and the second partial signature, a complete SM2 digital signature is obtained.
On one hand, the embodiment of the invention also provides an SM2 algorithm collaborative decryption system, which comprises a first communication party and a second communication party;
the first communication party acquires a first bit string of SM2 ciphertext; carrying out data type conversion on the first bit string to obtain elliptic curve group elements corresponding to the first bit string; obtaining a first point multiplication result according to the first private key component and the elliptic curve group element corresponding to the first bit string; transmitting the first point multiplication result and the elliptic curve group element corresponding to the first bit string to a second communication party;
the second communication party performs product operation on the second private key component and the first point multiplication result to obtain a second point multiplication result; obtaining a temporary symmetric key according to the second point multiplication result and the elliptic curve group element corresponding to the first bit string, and extracting a second bit string of the SM2 ciphertext; performing bitwise XOR operation on the temporary symmetric key and the second bit string to obtain a decrypted plaintext; and verifying the decrypted plaintext, and outputting the decrypted plaintext when the verification is successful.
Embodiments of the present invention further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the SM2 algorithm collaborative signing method from the perspective of the first communication party.
An embodiment of the present invention provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the steps in the SM2 algorithm collaborative signing method in the first communication party perspective.
An embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the SM2 algorithm collaborative signing method of the embodiment from the perspective of the second communication party.
The embodiment of the present invention provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the processor implements the steps in the SM2 algorithm collaborative signature method in the second communication party perspective.
An embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the SM2 algorithm collaborative decryption method from the perspective of the second communication party.
The embodiment of the present invention provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the steps in the SM2 algorithm cooperation decryption method from the second communication party perspective.
An embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the SM2 algorithm collaborative decryption method from the perspective of the first communication party.
The embodiment of the present invention provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the steps in the SM2 algorithm collaborative decryption method from the first communication party perspective.
The invention has the following advantages and beneficial effects:
according to the SM2 algorithm collaborative signing and decrypting method, device and system, the first communication party calculates the message digest and partial signature result and outputs the signature result, so that the privacy of a user cannot be leaked in the process of generating the digital signature. Intermediate results related to the partial signature result cannot reveal the partial signature result, so that the first communication party completes the digital signature with the help of the second communication party, but the second communication party does not know what message the first communication party signs, and the blind signature effect is achieved. The first communication party and the second communication party cooperatively generate the signature, an attacker cannot obtain a complete private key under the condition that one party is hijacked, and cannot use the private key offline, so that a service provider who provides private key escrow can be prevented from using a user private key to forge a digital signature without authorization in an application occasion of private key escrow. In the signing process and the decryption process, two communication parties can finish signing and decryption through less interaction, so that the application requirements of low delay and less interaction in a cloud computing environment can be met. The invention can protect the privacy of the user and resist malicious attacks.
Drawings
Fig. 1 is a schematic flow chart of an embodiment 1 of the SM2 algorithm collaborative signing method implemented from the perspective of a first communication party according to the present invention;
fig. 2 is a schematic flow chart of an embodiment 1 of the SM2 algorithm collaborative signing method implemented from the perspective of a second communication party according to the present invention;
fig. 3 is a schematic flowchart of embodiment 1 of the SM2 algorithm cooperative decryption method implemented from the perspective of the second communication party;
fig. 4 is a schematic flow chart of embodiment 1 of the SM2 algorithm cooperative decryption method implemented from the perspective of the first communication party;
fig. 5 is a schematic structural diagram of an embodiment 1 of the SM2 algorithm collaborative signing apparatus implemented from the perspective of a first communication party according to the present invention;
fig. 6 is a schematic structural diagram of an SM2 algorithm collaborative signing apparatus embodiment 1 implemented from the perspective of a second communication party according to the present invention;
fig. 7 is a schematic structural diagram of an embodiment 1 of the SM2 algorithm cooperative decryption apparatus implemented from the perspective of a second communication party in the present invention;
fig. 8 is a schematic structural diagram of embodiment 1 of the SM2 algorithm cooperative decryption apparatus implemented from the perspective of the first communication party.
Detailed Description
To facilitate an understanding of the invention, the invention will now be described more fully with reference to the accompanying drawings. Preferred embodiments of the present invention are shown in the drawings. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The invention discloses a specific application scene description of SM2 algorithm collaborative signature and decryption method, device and system:
The selection of the elliptic curve system parameters refers to Part 5 of GM/T 0003.5-2012, SM2 elliptic curve public key cryptographic algorithm: Parameter definition. The relevant parameters include the size $q$ of the finite field $F_q$; the two elements $a, b \in F_q$ defining the elliptic curve $E(F_q)$; the base point $G = (x_G, y_G)$ of $E(F_q)$ ($G \neq O$), where $x_G$ and $y_G$ are two elements of $F_q$; the order $n$ of $G$, which is a prime number; and other options (e.g., the cofactor $h$ of $n$, etc.).
User A, as the signer, has a distinguishable identifier $ID_A$ of length $entlen_A$ bits; let $ENTL_A$ be the two bytes converted from the integer $entlen_A$. Using a cryptographic hash function $H_v$ with a message digest length of $v$ bits, the hash value of user A is obtained as $Z_A = H_{256}(ENTL_A \| ID_A \| a \| b \| x_G \| y_G \| x_A \| y_A)$, where $x_A$, $y_A$ are the coordinates of user A's public key $P_A$;
the SM2 digital signature generation algorithm is as follows:
setting a message to be signed as M, and in order to acquire a digital signature (r, s) of the message M, a user A as a signer realizes the following operation steps:
a) Set $\bar{M} = Z_A \| M$, where $\bar{M}$ contains the message $M$ to be signed and the hash value $Z_A$;
b) Compute $e = H_v(\bar{M})$, and convert the data type of $e$ into an integer according to the methods given in 4.2.3 and 4.2.4 of the GM/T 0003.1-2012 standard;
c) Generate a random number $k \in [1, n-1]$ using a random number generator;
d) Compute the elliptic curve group element $(x_1, y_1) = [k]G$, and convert the data type of $x_1$ into an integer according to the method given in 4.2.8 of the GM/T 0003.1-2012 standard;
e) Compute $r = (e + x_1) \bmod n$; if $r = 0$ or $r + k = n$, return to step c);
f) Compute $s = \left((1 + d_A)^{-1} \cdot (k - r \cdot d_A)\right) \bmod n$; if $s = 0$, return to step c);
g) Convert the data types of $r$ and $s$ into byte strings according to the details given in 4.2.2 of the GM/T 0003.1-2012 standard, and output the digital signature $(r, s)$ of the message $M$.
In order to improve the security of a private key in a cloud computing environment, the conventional technology proposes that partial private keys are respectively stored in two communication parties, the two parties can carry out operations such as signature or decryption on a message only by combining, and the two communication parties cannot acquire any information of the private key of the other party, so that an attacker cannot forge a signature or decrypt a ciphertext when invading any one of the two parties. In the conventional technique, the message digest e is sent to the second party, and the second party generates the partial signature r according to e. The message digest e belongs to the user privacy information, and the partial signature r is a part of the final output digital signature (r, s), so that the traditional technology is not beneficial to protecting the user privacy.
In addition, if a malicious attacker replaces the message digest e through the control channel, both parties generate and output a digital signature according to the tampered message digest e, so that the attacker may achieve the goal of forging the signature. Such malicious attacks can be resisted by adding a step before outputting the digital signature, and executing a signature verification process, however, the characteristics of the SM2 cryptosystem determine that the signature verification process consumes more resources than the generation of the digital signature, and the improvement reduces the efficiency of the system.
The embodiment 1 of the SM2 algorithm collaborative signature method implemented from the perspective of the first communication party of the present invention:
in order to solve the problem that the traditional technology can not protect the privacy of users and resist malicious attacks, the invention provides an embodiment 1 of an SM2 algorithm collaborative signature method implemented from the perspective of a first communication party; fig. 1 is a schematic flow chart of an embodiment 1 of the SM2 algorithm collaborative signing method implemented from the perspective of a first communication party according to the present invention; as shown in fig. 1, the following steps may be included:
step S110: generating a message digest of the message to be signed according to a preset cryptographic hash algorithm;
step S120: receiving a first elliptic curve group element fed back by a second communication party based on a first public key parameter and a selected random number; generating a first partial signature according to the message digest and the first elliptic curve group element;
step S130: performing modulo operation based on the first partial signature to generate an obfuscated intermediate result, and transmitting the obfuscated intermediate result to the second communication party;
step S140: when an intermediate signature fed back by the second communication party according to the obfuscated intermediate result is received, generating a second partial signature according to the intermediate signature and the first partial signature;
step S150: obtaining a complete SM2 digital signature according to the first partial signature and the second partial signature;
Specifically, the SM2 algorithm collaborative signature method of the present invention may involve two parties: a first communication party and a second communication party. The two parties determine, according to the SM2 standard algorithm, the preset cryptographic hash function $H_v$, the elliptic curve $E$, the generator $G$ of the elliptic curve group, and the order $n$ of the additive group. The first communication party is the signer and holds the $Z_A$ parameter defined by SM2. Preferably, the preset cryptographic hash algorithm may be the SM3 digest algorithm;
according to the invention, the first communication party calculates the message digest and the partial signature result and outputs the signature result, so that the privacy of the user is not leaked in the process of generating the digital signature. The intermediate result is obfuscated in relation to the first partial signature such that the first party completes the digital signature with the help of the second party, but the second party does not know what message the first party signed, and the partial signature result cannot be revealed, achieving the effect of a blind signature. The invention can protect the privacy of the user and resist malicious attacks.
In a specific embodiment, before the step of generating the message digest of the message to be signed according to the preset cryptographic hash algorithm, the method further includes the steps of:
generating a first private key component based on the following formula:
d1∈[1,…,n-1]
wherein d1 is the first private key component;
according to the first private key component, obtaining a first public key parameter based on the following formula:
P1=[d1]G
wherein P1 is the first public key parameter;
in particular, the first communication party randomly selects the private key component d1 ∈ [1, …, n-1]; the process of generating the first private key component by the first communication party is simple, and the calculation amount is small. The first communication party generates a signature according to the first private key component it holds, and even if an attacker hijacks the first private key component, the complete private key cannot be obtained and the private key cannot be used offline. In applications involving private key escrow, this prevents a service provider offering private key escrow from using the user's private key without authorization to forge a digital signature.
Further, the first communication party calculates the public key parameter P1 = [d1]G and sends P1 to the second communication party.
Preferably, after the step of transmitting the first public key parameter to the second communication party, the method further comprises the steps of:
and receiving the common public key transmitted by the second communication party and generated according to the first public key parameter.
Specifically, the first communication party receives the common public key of both parties, PA = [d2]P1 - G = [d1·d2 - 1]G, which the second communication party generated from the public key parameter P1 and its private key parameter d2.
It should be noted that calculating the common public key PA requires the respective private key components of both the first and second parties to participate in the calculation. The common public key PA can be calculated by either party, depending on which party initiates the calculation process first.
In addition, if the common private key of the first and second communication parties is denoted dA, then PA = [dA]G = [d1·d2 - 1]G, and therefore dA = d1·d2 - 1,
(formula image not reproduced in the text)
The above formula reveals the mathematical relationships between the private key component and the common private key, as well as between the private key component and the public key, which will be used later in the process of verifying the correctness of the signature.
In a specific embodiment, the first elliptic curve group element comprises an elliptic curve group element R1 and an elliptic curve group element R2.
The step of generating a first partial signature based on the message digest and the first elliptic curve group element comprises:
respectively selecting random numbers k3 and k4, and generating a second elliptic curve group element (x1, y1) based on the following formula:
(x1,y1)=[k3]R1+R2+[k4]G
wherein k3 ∈ [1, …, n-1]; k4 ∈ [1, …, n-1]; G is the base point on the elliptic curve E(Fq); n is the order of the base point G on E(Fq); x1 is the x-coordinate of the second elliptic curve group element (x1, y1), and y1 is its y-coordinate;
according to the second elliptic curve group element (x1, y1) and the message digest, generating a first partial signature based on the following equation:
r = e + x1 (mod n)
wherein e is a message digest; r is a first partial signature; mod n is a modulo n operation.
In a specific embodiment, performing a modulo operation based on the first partial signature, the step of generating the obfuscated intermediate result comprises:
according to the random number k4 and the first partial signature r, generating the obfuscated intermediate result based on the following formula:
r' = r + k4 (mod n)
where r' is the obfuscated intermediate result.
In a particular embodiment, the intermediate signature comprises a first intermediate signature s1 and a second intermediate signature s2.
In the step of generating the second partial signature based on the intermediate signature and the first partial signature, the second partial signature is generated based on the following formula:
wherein s is the second partial signature; d1 is the first private key component.
Specifically, the first communication party receives the elliptic curve group elements R1 and R2 transmitted by the second communication party; the first communication party selects random numbers k3 ∈ [1, …, n-1] and k4 ∈ [1, …, n-1] and calculates the elliptic curve group element (x1, y1) = [k3]R1 + R2 + [k4]G, where x1 is the x-coordinate of the elliptic curve group element (x1, y1);
further, the step of the first communication party generating the message digest of the message to be signed comprises: concatenating ZA and M to form ZA||M, calculating e = Hv(ZA||M), and taking the result as the message digest; wherein M is the message to be signed; ZA is the hash value calculated from the distinguishable identity IDA of user A; Hv is the cryptographic hash function;
That is, the first communication party calculates the message digest e = Hv(ZA||M) and the partial signature result r = e + x1 (mod n), where ZA is the hash value calculated from the distinguishable identity IDA of user A and M is the original text to be signed; it then uses the random number k4 and the partial signature result r to calculate the obfuscated intermediate result r' = r + k4 (mod n), and sends r' to the second communication party.
It should be noted that user A has ownership of the private key; the first communication party and the second communication party are the two parties participating in executing the protocol, and can be a client and a server. The invention divides the user's private key into two parts stored respectively in the client and the server, i.e. the two communication parties each generate a random number as their private key component. In the invention, the two communication parties each hold a private key component and cooperatively generate a signature; an attacker who hijacks one of the two parties cannot obtain the complete private key and cannot use the private key offline. Likewise, because the two parties each hold a private key component and cooperatively generate the signature, in private key escrow applications a service provider offering private key escrow is prevented from using the user's private key without authorization to forge a digital signature.
The first communication party receives the intermediate signatures s1 and s2 fed back by the second communication party; using the private key parameter d1, the random number k3, the partial signature result r and the received intermediate signatures s1 and s2, it computes the partial signature result s:
(formula images not reproduced in the text)
The first party outputs the digital signature (r, s), which conforms to the requirements of the SM2 signature format; the signature result may be verified using the common public key PA.
Preferably, before the step of generating the first partial signature according to the message digest and the first elliptic curve group element, the method further comprises the steps of:
according to the first elliptic curve group element R1, obtaining the point multiplication result S1 based on the following formula:
S1=[h]R1
Wherein h is a cofactor of n;
upon detecting that the point multiplication result S1 is the point at infinity of the elliptic curve E(Fq), receiving a first elliptic curve group element fed back again by the second communication party according to the first public key parameter and a newly selected random number;
or
according to the first elliptic curve group element R2, obtaining the point multiplication result S2 based on the following formula:
S2=[h]R2
Wherein h is a cofactor of n;
upon detecting that the point multiplication result S2 is the point at infinity of the elliptic curve E(Fq), receiving a first elliptic curve group element fed back again by the second communication party according to the first public key parameter and a newly selected random number.
In particular, for security, after the first communication party receives the elliptic curve group elements R1 and R2, it calculates S1 = [h]R1 and S2 = [h]R2, where h is the cofactor of n. If S1 or S2 is the point at infinity, the process returns to step S120, in which the second communication party is notified to re-execute the generation of the elliptic curve group elements according to the first public key parameter. The purpose of returning to that step for recalculation is to regenerate the random numbers and avoid outputting intermediate results that lack randomness.
In a specific embodiment, the step of generating the first partial signature based on the message digest and the first elliptic curve group element further comprises the steps of:
detecting the value of the first part of signature r, and receiving a first elliptic curve group element which is fed back again by the second communication party according to the first public key parameter and the random number selected again when the value of the first part of signature r is 0;
or
according to the second elliptic curve group element (x1, y1), calculating the result S0 based on the following formula:
S0=[r]G+(x1,y1)
upon detecting that the calculation result S0 is the point at infinity of the elliptic curve E(Fq), receiving a first elliptic curve group element fed back again by the second communication party according to the first public key parameter and a newly selected random number.
Specifically, in an ECC cryptosystem the signature values r and s are computed from a linear equation; several such linear equations form a system of equations, and the user private key can then be obtained by solving that system. To avoid this attack, the ECC signature adopts the one-time-pad principle and introduces a random number k into each signature to hide the user private key. Since 0 is a fixed value rather than a random result, any calculation result with the value 0 represents a non-trivial signature, meaning that the signature equation can be simplified so that the user's private key can be calculated. The purpose of returning to step S120 is to regenerate the random number and avoid outputting intermediate results that have no randomness.
Further, in the SM2 signature equation s = (1 + dA)^(-1)·(k - r·dA) (mod n), if r = 0 then k - r·dA = k, i.e. this part is no longer related to the private key dA, and security is impaired.
If r + k = n, then k = n - r; since both n and r are public, k is known and is no longer a random number, and the private key dA can then be calculated directly from the signature equation s = (1 + dA)^(-1)·(k - r·dA) (mod n).
Preferably, the step of generating the second partial signature according to the intermediate signature and the first partial signature further comprises the steps of:
detecting the value of the first intermediate signature s1; upon detecting that the value of s1 is 0, receiving a first elliptic curve group element fed back again by the second communication party according to the first public key parameter and a newly selected random number;
or
detecting the value of the second intermediate signature s2; upon detecting that the value of s2 is 0, receiving a first elliptic curve group element fed back again by the second communication party according to the first public key parameter and a newly selected random number.
In particular, for security, after the first communication party receives the intermediate results s1 and s2, if it finds on inspection that s1 = 0 or s2 = 0, the second communication party is notified to re-execute the generation of the elliptic curve group elements according to the first public key parameter.
In a specific embodiment, the step of generating the second partial signature based on the following formula from the intermediate signature, the first partial signature and the first private key component further comprises the steps of:
detecting the value of the second partial signature s; and when the value of the second partial signature s is detected to be 0 or n-r, receiving a first elliptic curve group element fed back again by the second communication party according to the first public key parameter and a newly selected random number.
Specifically, if s = 0, the second communication party is notified to re-execute the step of generating the elliptic curve group element according to the first public key parameter; at the same time, r + s may be calculated, and if r + s = n, the second communication party is likewise notified to re-execute that step.
The SM2 algorithm collaborative signature method implemented from the perspective of the first communication party enables the first communication party to calculate the message digest and the partial signature result and to output the signature result, and the digital signature can be verified by the common public key PA of the first and second communication parties. The partial signature result r is hidden by the random number: the obfuscated intermediate result r' is related to r but does not leak it, which allows the first communication party to complete the digital signature with the help of the second communication party while the second communication party does not know what message the first communication party signed. On the one hand this avoids leaking the partial signature result r, and on the other hand it has features like a blind signature.
The embodiment 1 of the SM2 algorithm collaborative signature method implemented from the perspective of the second communication party of the present invention:
based on the technical scheme of the SM2 algorithm collaborative signing method implemented from the perspective of the first communication party, meanwhile, in order to solve the problem that the traditional technology cannot protect the privacy of users and resist malicious attacks, the invention provides an SM2 algorithm collaborative signing method implemented from the perspective of the second communication party, embodiment 1; fig. 2 is a schematic flow chart of an embodiment 1 of the SM2 algorithm collaborative signing method implemented from the perspective of a second communication party according to the present invention; as shown in fig. 2, the following steps may be included:
step S210: generating a first elliptic curve group element according to the selected random number and a first public key parameter of the first communication party, and transmitting the first elliptic curve group element to the first communication party;
step S220: receiving an intermediate confusion result fed back by the first communication party based on the first elliptic curve group element, and generating an intermediate signature according to the second private key component and the intermediate confusion result;
step S230: the intermediate signature is transmitted to the first party.
Specifically, the first communication party is made to calculate the message digest and the partial signature result and to output the signature result in cooperation with the second communication party, so that user privacy is not leaked in the process of generating the digital signature. The intermediate result related to the first partial signature is obfuscated, so that the first communication party completes the digital signature with the help of the second communication party, but the second communication party does not know what message the first communication party signed; the partial signature result cannot be leaked, and the effect of a blind signature is achieved.
The process of generating the second private key component by the second communication party is simple, and the calculation amount is small. The signature is generated using the second private key component held by the second communication party, and even if an attacker hijacks the second private key component, the attacker cannot obtain the complete private key and cannot use the private key offline. In applications involving private key escrow, this prevents a service provider offering private key escrow from using the user's private key without authorization to forge a digital signature. The invention can protect the privacy of the user and resist malicious attacks.
In a particular embodiment, the step of generating the second private key component comprises:
generating a second private key component based on the following formula:
d2∈[1,…,n-1]
wherein d2 is the second private key component; n is the order of the base point G on the elliptic curve E(Fq);
the step of generating the first elliptic curve group element according to the selected random number and the first public key parameter of the first communication party further comprises the following steps:
receiving the first public key parameter P1 transmitted by the first communication party;
Generating a common public key from the first public key parameter and the second private key component based on the following formula:
PA=[d2]P1-G
wherein PA is the common public key;
disclosing said common public key PA
In particular, the second party randomly selects the private key component d2 ∈ [1, …, n-1], generates the common public key of both parties PA = [d2]P1 - G = [d1·d2 - 1]G from the received public key parameter P1 and the private key parameter d2, and publishes the common public key PA.
Here, when the common public key PA is published, it may also be sent to a CA authority for issuing a digital certificate to the subscriber.
Preferably, after the public key PA is generated, whether PA is valid is verified according to the method given in section 6.2 of the GM/T0003.1-2012 standard. This verification is included for the completeness of the technical solution of the present invention: if the public key is used directly without verification, there may be security issues that result in the private key being compromised.
In a specific embodiment, the elliptic curve group element comprises an elliptic curve group element R1 and an elliptic curve group element R2.
The step of generating a first elliptic curve group element according to the selected random number and a first public key parameter of the first communication party comprises:
respectively selecting random numbers k1 and k2, and generating the elliptic curve group elements R1 and R2 based on the following formulas:
R1=[k1]P1
R2=[k2]G
wherein k1 ∈ [1, …, n-1]; k2 ∈ [1, …, n-1].
Specifically, the second communication party selects random numbers k1 ∈ [1, …, n-1] and k2 ∈ [1, …, n-1], calculates the elliptic curve group element R1 = [k1]P1 = [k1·d1]G and the elliptic curve group element R2 = [k2]G, and then sends R1 and R2 to the first communication party.
In a particular embodiment, the intermediate signature comprises a first intermediate signature s1 and a second intermediate signature s2.
The step of generating an intermediate signature based on the second private key component and the obfuscated intermediate result comprises:
from the second private key component d2 and the random number k1, generating the first intermediate signature s1 based on the following formula:
(formula image not reproduced in the text)
from the second private key component d2, the random number k2 and the obfuscated intermediate result, generating the second intermediate signature s2 based on the following formula:
where r' is the obfuscated intermediate result.
In particular, the second party uses the private key parameter d2, the random numbers k1 and k2 and the received intermediate result r' to calculate the intermediate results s1 and s2:
(formula images not reproduced in the text)
and then sends s1 and s2 to the first communication party.
In a particular embodiment, the step of generating the intermediate signature based on the second private key component and the obfuscated intermediate result further comprises, before the step of generating the intermediate signature, the step of:
detecting the value of the obfuscated intermediate result r'; and when the value of the obfuscated intermediate result r' is detected to be 0, regenerating the first elliptic curve group element according to the first public key parameter and a newly selected random number.
Specifically, for security, the second communication party checks the received intermediate result r', and if r' = 0, the step of generating the elliptic curve group element from the first public key parameter and the second private key component is executed again.
The SM2 algorithm collaborative signing method implemented from the perspective of the second party of the present invention allows the second party to assist the first party in generating a digital signature, and the digital signature may be verified by the common public key PA of the first and second communication parties. Hiding the partial signature result r with the random number does not leak r, so the second communication party can assist the first communication party to complete the digital signature without knowing what message the first communication party signed; on the one hand this avoids leaking the partial signature result r, and on the other hand it has features like a blind signature.
Embodiment 1 of the SM2 algorithm collaborative decryption method implemented from the perspective of the second party:
in order to solve the problem that the traditional technology can not protect the privacy of the user and resist malicious attacks, the invention also provides an embodiment 1 of the SM2 algorithm collaborative decryption method implemented from the perspective of the second communication party; fig. 3 is a schematic flowchart of embodiment 1 of the SM2 algorithm cooperative decryption method implemented from the perspective of the second communication party; as shown in fig. 3, the following steps may be included:
step S310: receiving elliptic curve group elements corresponding to a first bit string transmitted by a first communication party according to the first bit string of the SM2 ciphertext; receiving a first point multiplication result which is transmitted by a first communication party and is obtained according to the first private key component and elliptic curve group elements corresponding to the first bit string;
step S320: performing product operation on the second private key component and the first point multiplication result to obtain a second point multiplication result;
step S330: obtaining a temporary symmetric key according to the second point multiplication result and the elliptic curve group element corresponding to the first bit string, and extracting a second bit string of the SM2 ciphertext;
step S340: performing bitwise XOR operation on the temporary symmetric key and the second bit string to obtain a decrypted plaintext; and verifying the decrypted plaintext, and outputting the decrypted plaintext when the verification is successful.
Specifically, based on the technical scheme of the collaborative signature method, in the decryption process of the collaborative decryption method, only a few interactions need to be performed by two communication parties, so that the application requirements of low delay and few interactions in a cloud computing environment can be met.
In a specific embodiment, the step of obtaining the temporary symmetric key according to the second dot product and the elliptic curve group element corresponding to the first bit string includes:
obtaining an elliptic curve group element (x) based on the following formula2,y2):
(x2, y2) = T2 - C1*
wherein T2 is the second point multiplication result; C1* is the elliptic curve group element corresponding to the first bit string;
according to elliptic curve group element (x)2,y2) Generating a temporary symmetric key based on the following formula:
t=KDF(x2||y2,klen)
wherein t is the temporary symmetric key; || denotes concatenation; KDF(·) is a predefined key derivation function; klen denotes the length of the output bit string;
the steps of verifying the decrypted plaintext and outputting the decrypted plaintext when the verification is successful comprise:
the check code is obtained based on the following formula:
u=Hash(x2||M′||y2),
wherein u is a check code; m' is a decrypted plaintext; hash represents a preset cryptographic Hash algorithm;
extracting the third bit string C3 from the SM2 ciphertext, and if u equals C3, the verification succeeds and the decrypted plaintext M' is output.
Specifically, the second communication party uses its own private key component d2 to calculate the second point multiplication result T2 = [d2]T1, where T1 denotes the first point multiplication result; it then calculates the elliptic curve group element (x2, y2) = T2 - C1* = [d1·d2 - 1]C1* = [dA]C1*.
It should be noted that the roles of the first and second communication parties in the decryption process can be interchanged, i.e. the second communication party first calculates [d2]C1* and sends it to the first communication party, and the first communication party then completes the subsequent decryption process and outputs the plaintext M'.
Further, the second communication party calculates the temporary symmetric key t = KDF(x2||y2, klen), where || denotes concatenation, KDF(·) is a predefined key derivation function and klen denotes the length of the output bit string. If t is the all-zero bit string, an error is reported and the process exits: encrypting with a fixed key makes no sense, since the encryption result would also be a fixed value.
The second communication party extracts the bit string C2 from the ciphertext C and calculates M' = C2 ⊕ t, where ⊕ denotes the bitwise exclusive-or operation. It then calculates the check code u = Hash(x2||M'||y2) and extracts the bit string C3 from the ciphertext C; if u ≠ C3, the ciphertext C has been tampered with, an error is reported and the process exits. Otherwise the second party outputs the plaintext M'.
The embodiment 1 of the SM2 algorithm collaborative decryption method implemented from the perspective of the first communication party of the present invention:
in order to solve the problem that the traditional technology cannot protect the privacy of the user and resist malicious attacks, and based on the technical scheme of the SM2 algorithm collaborative decryption method implemented from the perspective of the second communication party, the invention provides embodiment 1 of an SM2 algorithm collaborative decryption method implemented from the perspective of the first communication party; fig. 4 is a schematic flow chart of embodiment 1 of the SM2 algorithm cooperative decryption method implemented from the perspective of the first communication party; as shown in fig. 4, the following steps may be included:
step S410: obtaining a first bit string of an SM2 ciphertext; carrying out data type conversion on the first bit string to obtain elliptic curve group elements corresponding to the first bit string;
step S420: obtaining a first dot product result according to the first private key component and the elliptic curve group element corresponding to the first bit string;
step S430: and transmitting the first point multiplication result and the elliptic curve group element corresponding to the first bit string to the second communication party.
Specifically, the first communication party obtains the SM2 ciphertext C = C1||C3||C2 and extracts the bit string C1 from C; it performs data type conversion on the first bit string C1 to obtain the corresponding elliptic curve group element C1*; the first party then uses its private key component d1 to calculate the first point multiplication result T1 = [d1]C1* and sends T1 to the second communication party.
In a specific embodiment, before the step of obtaining the first point multiplication result according to the first private key component and the elliptic curve group element corresponding to the first bit string, the method further includes the steps of:
verifying the elliptic curve group element corresponding to the first bit string, reporting an error and quitting decryption when verifying that the elliptic curve group element corresponding to the first bit string is an infinite point of an elliptic curve;
and
from the first bit string, a dot product result S is calculated based on the following formula:
S = [h]C1*
wherein h is the cofactor of the order n of the base point on the elliptic curve; C1* is the elliptic curve group element corresponding to the first bit string;
and when the point multiplication result S is detected to be an infinite point of the elliptic curve, reporting an error and exiting decryption.
In particular, the first communication party converts the first bit string C1 into the elliptic curve group element C1* in the manner given in sections 4.2.4 and 4.2.10 of the GM/T0003.1-2012 standard, then verifies whether C1* is the point at infinity of the elliptic curve E(Fq); if so, an error is reported and the decryption process exits.
Preferably, the verification method is to substitute the coordinates x and y of the elliptic curve group element C1* into the elliptic curve equation y = f(x) and check whether the equation holds. If it is not verified that the element belongs to the elliptic curve, then on the one hand the subsequent point multiplication will be wrong, and on the other hand there may be an attack using specially crafted input, causing a security problem.
And if [h]C1* is the point at infinity, this indicates that in the data encryption stage the point multiplication was not calculated using the generator G of the elliptic curve, which may enable a malicious attack and leak the user's private key.
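The collaborative decryption of steps S310-S340 and S410-S430 carried end to end, together with the split-key relation PA = [d2]P1 - G = [d1·d2 - 1]G from the signature embodiment, as an added example that is not the patent's own code. It assumes the published SM2 curve parameters (cofactor h = 1), uses hashlib.sha256 as a constructed stand-in for SM3 inside the KDF and the C3 check, and all function names are hypothetical.

```python
# Added example, not the patent's own code: two-party SM2 decryption of steps
# S310-S340 / S410-S430 on a ciphertext laid out C1||C3||C2, plus the split-key
# relation P_A = [d2]P1 - G = [d1*d2 - 1]G. Assumptions: published SM2 curve
# parameters (cofactor h = 1); hashlib.sha256 is a constructed stand-in for SM3;
# function names are hypothetical.
import hashlib
import secrets

P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H, INF = 1, None  # cofactor of n, point at infinity

def on_curve(pt):
    """Membership check y^2 = x^3 + ax + b applied to C1* before it is used."""
    return pt is not INF and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def add(p1, p2):
    """Affine group law on E(F_p)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if x1 == x2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication [k]pt by double-and-add."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def neg(pt):
    return INF if pt is INF else (pt[0], -pt[1] % P)

def i2b(v):
    return v.to_bytes(32, "big")

def kdf(z, klen):
    """Counter-mode KDF of GM/T 0003 over the stand-in hash."""
    out = b"".join(hashlib.sha256(z + c.to_bytes(4, "big")).digest()
                   for c in range(1, klen // 32 + 2))
    return out[:klen]

def keygen():
    """Each party keeps its own component; neither ever holds d_A = d1*d2 - 1."""
    d1, d2 = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    P1 = mul(d1, G)                  # first public key parameter, sent to party 2
    PA = add(mul(d2, P1), neg(G))    # common public key P_A = [d2]P1 - G
    return d1, d2, P1, PA

def sm2_encrypt(PA, msg):
    """Ordinary single-party SM2 encryption producing C1||C3||C2 (msg non-empty)."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        x1, y1 = mul(k, G)           # C1 = [k]G
        x2, y2 = mul(k, PA)          # [k]P_A
        t = kdf(i2b(x2) + i2b(y2), len(msg))
        if any(t):                   # an all-zero key is rejected, as in the text
            break
    C2 = bytes(a ^ b for a, b in zip(msg, t))
    C3 = hashlib.sha256(i2b(x2) + msg + i2b(y2)).digest()
    return b"\x04" + i2b(x1) + i2b(y1) + C3 + C2

def party1_step(d1, C):
    """S410-S430: recover C1*, validate it, return (C1*, T1 = [d1]C1*)."""
    if C[0] != 4:
        raise ValueError("unsupported C1 encoding")
    C1 = (int.from_bytes(C[1:33], "big"), int.from_bytes(C[33:65], "big"))
    if not on_curve(C1):
        raise ValueError("C1* is not on the curve")
    if mul(H, C1) is INF:
        raise ValueError("[h]C1* is the point at infinity")
    return C1, mul(d1, C1)

def party2_finish(d2, C, C1, T1):
    """S310-S340: T2 = [d2]T1, (x2,y2) = T2 - C1* = [d_A]C1*, KDF, XOR, check C3."""
    C3, C2 = C[65:97], C[97:]
    pt = add(mul(d2, T1), neg(C1))
    if pt is INF:
        raise ValueError("T2 - C1* is the point at infinity")
    x2, y2 = pt
    t = kdf(i2b(x2) + i2b(y2), len(C2))
    if not any(t):
        raise ValueError("KDF produced an all-zero key")
    M = bytes(a ^ b for a, b in zip(C2, t))
    if hashlib.sha256(i2b(x2) + M + i2b(y2)).digest() != C3:
        raise ValueError("C3 mismatch: ciphertext was tampered with")
    return M

def collaborative_decrypt(d1, d2, C):
    """Party 1 then party 2: a single round trip, as the text emphasises."""
    C1, T1 = party1_step(d1, C)
    return party2_finish(d2, C, C1, T1)
```

Note that the sender encrypts to PA exactly as in ordinary SM2; only the decryption side is split, and the point the second party derives, T2 - C1*, equals [dA]C1* although neither party ever computes dA.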
The SM2 algorithm collaborative signature apparatus embodiment 1 implemented from the perspective of the first communication party of the present invention:
in order to solve the problem that the traditional technology can not protect the privacy of users and resist malicious attacks, the invention provides an embodiment 1 of a SM2 algorithm collaborative signature device implemented from the perspective of a first communication party; fig. 5 is a schematic structural diagram of an embodiment 1 of the SM2 algorithm collaborative signing apparatus implemented from the perspective of a first communication party according to the present invention; as shown in fig. 5, may include:
a first communication party message digest generating unit 510, configured to generate a message digest of a message to be signed according to a preset cryptographic hash algorithm;
a first communication party message signature generating unit 520, configured to receive a first elliptic curve group element fed back by a second communication party based on a first public key parameter and a selected random number; generating a first partial signature according to the message digest and the first elliptic curve group element; performing modulo operation based on the first partial signature to generate an obfuscated intermediate result, and transmitting the obfuscated intermediate result to the second communication party; when an intermediate signature fed back by the second communication party according to the obfuscated intermediate result is received, generating a second partial signature according to the intermediate signature and the first partial signature; from the first partial signature and the second partial signature, a complete SM2 digital signature is obtained.
It should be noted that, each unit module in the SM2 algorithm collaborative signing apparatus implemented from the perspective of the first communication party in the present invention can correspondingly implement each flow step in the SM2 algorithm collaborative signing method implemented from the perspective of the first communication party, and details are not repeated here.
The SM2 algorithm collaborative signature apparatus embodiment 1 implemented from the perspective of the second party of the present invention:
In order to solve the problem that the traditional technology cannot protect user privacy and resist malicious attacks, the invention provides embodiment 1 of an SM2 algorithm collaborative signature device implemented from the perspective of a second communication party; fig. 6 is a schematic structural diagram of embodiment 1 of the SM2 algorithm collaborative signing apparatus implemented from the perspective of a second communication party according to the present invention; as shown in fig. 6, it may include:
the second communication party parameter generating unit 610 is configured to generate a first elliptic curve group element according to the selected random number and the first public key parameter of the first communication party, and transmit the first elliptic curve group element to the first communication party;
a second communication party intermediate signature generating unit 620, configured to receive an obfuscated intermediate result fed back by the first communication party based on the first elliptic curve group element, and generate an intermediate signature according to the second private key component and the obfuscated intermediate result; the intermediate signature is transmitted to the first party.
It should be noted that, each unit module in the SM2 algorithm collaborative signing apparatus implemented from the perspective of the second communication party in the present invention can correspondingly implement each flow step in the SM2 algorithm collaborative signing method implemented from the perspective of the second communication party, and details are not repeated here.
Embodiment 1 of the SM2 algorithm cooperative decryption apparatus implemented by the second communication party of the present invention:
In order to solve the problem that the traditional technology cannot protect user privacy and resist malicious attacks, the invention provides embodiment 1 of an SM2 algorithm cooperative decryption device implemented from the perspective of a second communication party; fig. 7 is a schematic structural diagram of embodiment 1 of the SM2 algorithm cooperative decryption apparatus implemented from the perspective of a second communication party in the present invention; as shown in fig. 7, it may include:
a second communication party receiving unit 710, configured to receive the first point multiplication result transmitted by the first communication party, obtained according to the first private key component and the elliptic curve group element corresponding to the first bit string; and to receive the elliptic curve group element corresponding to the first bit string, transmitted by the first communication party according to the first bit string of the SM2 ciphertext;
a second communication party decryption unit 720, configured to perform a product operation on the second private key component and the first point multiplication result to obtain a second point multiplication result; obtain a temporary symmetric key according to the second point multiplication result and the elliptic curve group element corresponding to the first bit string, and extract the second bit string of the SM2 ciphertext; perform a bitwise XOR operation on the temporary symmetric key and the second bit string to obtain the decrypted plaintext; and verify the decrypted plaintext, outputting it when the verification succeeds.
It should be noted that, each unit module in the SM2 algorithm collaborative decryption apparatus implemented from the perspective of the second communication party in the present invention can correspondingly implement each flow step in the SM2 algorithm collaborative decryption method implemented from the perspective of the second communication party, and details are not repeated here.
Embodiment 1 of the SM2 algorithm cooperative decryption apparatus of the present invention, which is implemented from the perspective of the first communication party:
In order to solve the problem that the traditional technology cannot protect user privacy and resist malicious attacks, the invention provides embodiment 1 of an SM2 algorithm cooperative decryption device implemented from the perspective of a first communication party; fig. 8 is a schematic structural diagram of embodiment 1 of the SM2 algorithm cooperative decryption apparatus implemented from the perspective of a first communication party in the present invention; as shown in fig. 8, it may include:
a first communication party processing unit 810, configured to obtain the first bit string of the SM2 ciphertext; obtain a first point multiplication result according to the first private key component and the elliptic curve group element corresponding to the first bit string; and carry out data type conversion on the first bit string to obtain the elliptic curve group element corresponding to the first bit string;
and a first communication party transmission unit 820, configured to transmit the first point multiplication result and the elliptic curve group element corresponding to the first bit string to the second communication party.
It should be noted that, each unit module in the SM2 algorithm cooperative decryption apparatus implemented from the perspective of the first communication party in the present invention can correspondingly implement each flow step in the SM2 algorithm cooperative decryption method implemented from the perspective of the first communication party, and details are not repeated here.
Embodiment 1 of the SM2 algorithm collaborative signature system of the present invention:
In order to solve the problem that the traditional technology cannot protect user privacy and resist malicious attacks, the invention provides embodiment 1 of an SM2 algorithm collaborative signing system, which may include a first communication party and a second communication party;
the second communication party generates a first elliptic curve group element according to the selected random number and a first public key parameter of the first communication party, and transmits the first elliptic curve group element to the first communication party;
the first communication party generates a message digest of the message to be signed according to a preset cryptographic hash algorithm and generates a first partial signature according to the message digest and the first elliptic curve group element; performing modulo operation based on the first partial signature to generate an obfuscated intermediate result, and transmitting the obfuscated intermediate result to the second communication party; the second communication party generates an intermediate signature according to the second private key component and the obfuscated intermediate result; and transmitting the intermediate signature to the first party;
the first communication party generates a second partial signature according to the intermediate signature and the first partial signature; and from the first partial signature and the second partial signature, a complete SM2 digital signature is obtained.
Specifically, to describe the technical solution of the SM2 algorithm collaborative signature system in detail, the implementation flow in practical application is taken as an example to describe:
the SM2 algorithm collaborative signature system may include two parties, a first party and a second party. The two parties determine a hash function H according to the SM2 standard algorithmvElliptic curve E, elliptic curve group generator G, and order n of the additive group. The first communication party, as a signer, has Z specified in SM2AAnd (4) parameters. The specific implementation process comprises the following steps:
1. protocol for generating a key pair
1) The first correspondent randomly selects a private key component d1∈[1,…,n-1]Computing the public key parameter P1=[d1]G, and sending a public key parameter P1To the second communication partner.
2) Random selection of privacy by a first partyKey component d2∈[1,…,n-1]According to the received public key parameter P1And a private key parameter d2Generating a common public key P of both partiesA=[d2]P1-G=[d1d2-1]G and disclose a common public key PA
Wherein the common public key PAThe first party and the second party are generated using respective private key components. The common private key of the first communication party and the second communication party is recorded as dAThen P isA=[dA]G=[d1d2-1]G, therefore has dA=(d1d2-1),
Figure BDA0001343210060000221
Note that P is calculated1Need to use d1At P1On the basis of PA. P can also be calculated by the second communication partner1Then the first party is at P1Calculating P on the basisABecause the calculation results are symmetrical.
Preferably: the second communication party is generating the public key PAThereafter, the public key P is verified according to the method given in GM/T0003.1-2012 Standard 6.2AWhether it is valid.
In a specific embodiment, the elliptic curve group element comprises a first elliptic curve group element R1And a first elliptic curve group element R2
The second communication party selects random numbers k respectively1A random number k2Generating a first elliptic curve group element R based on the following formula1And a first elliptic curve group element R2
R1=[k1]P1
R2=[k2]G
Wherein k is1∈[1,…,n-1];k2∈[1,…,n-1](ii) a G is an elliptic curve E (F)q) An upper base point; n is an elliptic curve E (F)q) The order of the upper base point G;
first party of communicationRespectively selecting random number k3A random number k4Generating an elliptic curve group element (x) based on the following formula1,y1):
(x1,y1)=[k3]R1+R2+[k4]G
Wherein k is3∈[1,…,n-1];k4∈[1,…,n-1];x1Is an elliptic curve group element (x)1,y1) X-axis coordinate of (1), y1Is an elliptic curve group element (x)1,y1) Y-axis coordinates of (a);
according to elliptic curve group element (x)1,y1) And a message digest that generates a first partial signature based on the following equation:
r=e+x1(mod n)
wherein e is a message digest; r is a first partial signature; mod n is a modulo n operation.
2. Protocol for collaboratively generating a digital signature
1) The second communication party selects a random number k1 ∈ [1, …, n-1] and a random number k2 ∈ [1, …, n-1], computes the elliptic curve group element R1 = [k1]P1 = [k1·d1]G and the elliptic curve group element R2 = [k2]G, and then sends the elliptic curve group elements R1 and R2 to the first communication party.
2) The first communication party receives the elliptic curve group elements R1 and R2; the first communication party selects a random number k3 ∈ [1, …, n-1] and a random number k4 ∈ [1, …, n-1], and computes the elliptic curve group element (x1, y1) = [k3]R1 + R2 + [k4]G, where x1 is the x-coordinate of the elliptic curve group element (x1, y1); the first communication party computes the message digest e = H(Z_A || M) and the partial signature result r = e + x1 (mod n), where Z_A is a hash value computed from the distinguishing identifier ID_A of user A, and M is the input original text to be signed; if r = 0, return to step 1) and execute again; the first communication party uses the random number k4 and the partial signature result r to compute the obfuscated intermediate result r' = r + k4 (mod n), and then sends r' to the second communication party.
3) The second communication party uses the private key parameter d2, the random number k1, the random number k2 and the received intermediate result r' to compute the intermediate results
[equation image Figure BDA0001343210060000241, not reproduced]
and then sends s1 and s2 to the first communication party.
4) The first communication party receives the intermediate results s1 and s2; the first communication party uses the private key parameter d1, the random number k3, the partial signature result r and the received intermediate results s1 and s2 to compute the partial signature result
[equation images Figure BDA0001343210060000243 and Figure BDA0001343210060000244, not reproduced]
If s = 0, return to step 1) and execute again.
The first communication party outputs the digital signature (r, s), which complies with the requirements of the SM2 signature format; the signature result may be verified using the common public key P_A.
It has to be noted that in step 1) of the protocol the second communication party needs to obtain the public key parameter P1 = [d1]G corresponding to the private key component d1 of the first communication party. This can be sent by the first communication party to the second communication party in an added preliminary step, or the parameter can be pre-stored by the second communication party and used directly in the calculation.
In a specific embodiment, the random number k1, the random number k2, the random number k3 and the random number k4 satisfy the following conditions:
some of the random numbers k1, k2, k3 and k4 are selected by the second communication party, and the remaining random numbers are selected by the first communication party;
the random number equation for generating the SM2 digital signature contains the random numbers k1, k2, k3 and k4.
In a specific embodiment, the random numbers k1, k2, k3 and k4 satisfy the following random number equation:
k = k1·k3·d1 + k2 + k4 (mod n)
where k is a random number with k ∈ [1, …, n-1]; d1 is the first private key.
Specifically, the proof of correctness of the signature result is:
Let k = k1·k3·d1 + k2 + k4 (mod n); then (x1, y1) = [k]G;
(x1, y1) = [k1·k3·d1 + k2 + k4]G
r = H(Z_A || M) + x1 (mod n)
[equation image Figure BDA0001343210060000251, not reproduced]
It can be seen that the partial signature results r and s have the same form as the standard SM2 signature result; only a specific way of generating the random number k is used, and since k1, k2, k3 and k4 are all chosen at random, the one-time-pad requirement is still met. Since the four random numbers are contributed by the first and second communication parties respectively, neither party has control over the random number k in the final output signature result; in other words, neither party can derive the private key d_A from a known random number k.
More specifically, in the present invention the random number k does not have only one configuration; there may be several, the basic requirements being: (1) the random numbers k1, k2, k3 and k4 must be contributed separately by both communication parties and must not be generated by one of them alone; (2) the final calculation must be transformable into the form k - r·d, i.e. all [k_i] terms can be transformed and collected into a unified item.
The protocol for collaboratively generating a digital signature enables the first communication party to generate a digital signature which can be verified with the common public key P_A of the first and second communication parties.
The protocol for collaboratively generating the digital signature has the advantage that the intermediate result r' is related to the partial signature result r but does not leak the partial signature result r. The first communication party therefore completes a digital signature with the help of the second communication party, while the second communication party does not know what message the first communication party signed; on the one hand this avoids leaking the partial signature result r, and on the other hand it provides a property similar to a blind signature.
Preferably, in step 2) of the present protocol, in addition to determining whether r = 0, it is necessary to compute [r]G + (x1, y1) and check whether the result equals O; if so, return to step 1) of the protocol and reselect the random numbers. Here O is the identity element of the elliptic curve additive group, called the point at infinity or zero point.
Preferably, in step 2) of the protocol, after the first communication party receives the elliptic curve group elements R1 and R2, it computes S1 = [h]R1 and S2 = [h]R2, where h is the cofactor of n. If S1 or S2 is the point at infinity, return to step 1) of the protocol and execute again.
Preferably, in step 2) of the present protocol, the second communication party checks the received intermediate result r', and if r' = 0, returns to step 1) and executes again.
Preferably, in step 4) of the protocol, after the first communication party receives the intermediate results s1 and s2, if it finds on inspection that s1 = 0 or s2 = 0, it returns to step 1) and executes again.
Preferably, a step is added after step 4) of the protocol: compute r + s, and if r + s = n, return to step 1) and execute again.
It should be noted that in the present invention the first communication party and the second communication party may each take one of the roles of client and server; if the first communication party is the client, the second communication party is the server. Generally the server is chosen to execute the steps of the second communication party, because the client, executing the steps of the first communication party, computes the plaintext digest and outputs the signature result, which helps protect user privacy.
Embodiment 1 of the SM2 algorithm collaborative decryption system of the present invention:
In order to solve the problem that the traditional technology cannot protect user privacy and resist malicious attacks, the invention further provides embodiment 1 of the SM2 algorithm collaborative decryption system, which may include a first communication party and a second communication party;
the first communication party acquires the first bit string of the SM2 ciphertext; obtains a first point multiplication result according to the first private key component and the elliptic curve group element corresponding to the first bit string; carries out data type conversion on the first bit string to obtain the elliptic curve group element corresponding to the first bit string; and transmits the first point multiplication result and the elliptic curve group element corresponding to the first bit string to the second communication party;
the second communication party performs a product operation on the second private key component and the first point multiplication result to obtain a second point multiplication result; obtains a temporary symmetric key according to the second point multiplication result and the elliptic curve group element corresponding to the first bit string, and extracts the second bit string of the SM2 ciphertext; performs a bitwise XOR operation on the temporary symmetric key and the second bit string to obtain the decrypted plaintext; and verifies the decrypted plaintext, outputting it when the verification succeeds.
Specifically, the implementation process of the SM2 algorithm collaborative decryption system of the present invention may include the following steps:
3. Protocol for cooperative decryption of ciphertext C
1) The first communication party obtains the SM2 ciphertext C = C1 || C3 || C2, extracts the bit string C1 from the ciphertext C, converts its data type into the elliptic curve group element C1 according to the methods given in Sections 4.2.4 and 4.2.10 of the GM/T 0003.1-2012 standard, and then verifies whether C1 is a point on the elliptic curve E(F_q); if the verification fails, an error is reported and the decryption process exits.
2) The first communication party uses the private key component d1 to compute T1 = [d1]C1 and sends T1 to the second communication party.
3) The second communication party uses the private key component d2 to compute T2 = [d2]T1, and then computes (x2, y2) = T2 - C1 = [d1·d2 - 1]C1 = [d_A]C1.
4) The second communication party computes t = KDF(x2 || y2, klen), where || denotes concatenation, KDF(·) is a predefined key derivation function, and klen denotes the length of the output bit string. If t is an all-zero bit string, an error is reported and the process exits.
5) The second communication party extracts the bit string C2 from the ciphertext C and computes
[equation image Figure BDA0001343210060000271, not reproduced]
where ⊕ represents the bitwise exclusive-or operation.
6) The second communication party computes u = Hash(x2 || M' || y2), then extracts the bit string C3 from the ciphertext C; if u ≠ C3, an error is reported and the process exits.
7) The second communication party outputs the plaintext M'.
It should be noted that in the above calculation process the roles of the first and second communication parties can be interchanged, that is, the second communication party first computes [d2]C1 and sends it to the first communication party, which then completes the subsequent decryption process and outputs the plaintext M'.
Preferably, step 2) of the decryption process is preceded by a step in which the first communication party computes S = [h]C1, where h is the cofactor of n. If S is the point at infinity, an error is reported and the process exits.
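The following Python script is an added worked example, not code from the patent, covering both the collaborative signature protocol (sections 1 and 2 above) and the collaborative decryption protocol (section 3): key pair generation with P_A = [d2]P1 - G, the four-random-number signing exchange with the r = 0, [r]G + (x1, y1) = O, r' = 0, s1 = 0 or s2 = 0, s = 0 and r + s = n re-selection checks, ordinary SM2 verification of the result under the joint public key P_A, and the two-party decryption path with the curve-equation check on C1 and the C3 integrity check. Its assumptions: a constructed textbook toy curve (y² = x³ + 2x + 2 over F_17, G = (5, 1), prime order n = 19, cofactor h = 1) in place of the SM2 curve; SHA-256 in place of SM3 (H_v) and of the KDF; and, because the page's s1, s2 and s formulas survive only as equation images, intermediate-result formulas of my own (s1 = d2⁻¹·k1, s2 = d2⁻¹·(k2 + r'), s = k3·s1 + d1⁻¹·s2 - r, all mod n), chosen so that d_A = d1·d2 - 1 and k = k1·k3·d1 + k2 + k4 (mod n) hold and the output verifies as a standard SM2 signature.

```python
# Added example, not the patent's code: toy end-to-end run of protocols 1-3.
# Assumptions: a constructed textbook curve y^2 = x^3 + 2x + 2 over F_17 with
# G = (5, 1), prime order n = 19 and cofactor h = 1; SHA-256 standing in for
# SM3 (H_v) and for the KDF; and s1/s2/s formulas chosen here (the page's are
# images) so that d_A = d1*d2 - 1 and k = k1*k3*d1 + k2 + k4 (mod n) hold.
import hashlib
import secrets

P, A, B, G = 17, 2, 2, (5, 1)   # constructed toy curve parameters
O = None                         # point at infinity
inv = lambda x, m: pow(x, -1, m)

def add(Pt, Qt):                 # affine point addition on y^2 = x^3 + A*x + B over F_P
    if Pt is O: return Qt
    if Qt is O: return Pt
    (x1, y1), (x2, y2) = Pt, Qt
    if x1 == x2 and (y1 + y2) % P == 0: return O
    lam = (3*x1*x1 + A) * inv(2*y1, P) if Pt == Qt else (y2 - y1) * inv(x2 - x1, P)
    x3 = (lam*lam - x1 - x2) % P
    return (x3, (lam*(x1 - x3) - y1) % P)

def mul(k, Pt):                  # scalar multiplication [k]Pt by double-and-add
    R = O
    while k:
        if k & 1: R = add(R, Pt)
        Pt, k = add(Pt, Pt), k >> 1
    return R

neg = lambda Pt: O if Pt is O else (Pt[0], -Pt[1] % P)

def order(Pt):                   # brute-force point order; cheap on a 17-element field
    n, Q = 1, Pt
    while Q is not O:
        Q, n = add(Q, Pt), n + 1
    return n

N = order(G)                                  # 19 on the toy curve
rnd = lambda: secrets.randbelow(N - 1) + 1    # uniform in [1, n-1]
H = lambda *parts: hashlib.sha256(b"|".join(parts)).digest()   # SHA-256 stands in for SM3
digest_e = lambda ZA, M: int.from_bytes(H(ZA, M), "big") % N  # e = H(Z_A || M), reduced mod n

def keygen():                                 # protocol 1
    while True:
        d1, d2 = rnd(), rnd()
        P1 = mul(d1, G)                       # first party: P1 = [d1]G
        PA = add(mul(d2, P1), neg(G))         # second party: P_A = [d2]P1 - G = [d1*d2 - 1]G
        if PA is not O:                       # public-key validation rejects the infinity point
            return d1, d2, P1, PA

def cosign(ZA, M, d1, d2, P1):                # protocol 2; each `continue` is "return to step 1)"
    e = digest_e(ZA, M)
    while True:
        k1, k2 = rnd(), rnd()                 # second party, step 1
        R1, R2 = mul(k1, P1), mul(k2, G)
        k3, k4 = rnd(), rnd()                 # first party, step 2
        X = add(add(mul(k3, R1), R2), mul(k4, G))
        if X is O: continue                   # k == 0 (mod n); only plausible on a toy curve
        r = (e + X[0]) % N
        if r == 0 or add(mul(r, G), X) is O: continue   # r = 0 and [r]G + (x1, y1) = O checks
        rp = (r + k4) % N                     # obfuscated intermediate result r' = r + k4
        if rp == 0: continue
        s1 = inv(d2, N) * k1 % N              # second party, step 3 (assumed formulas)
        s2 = inv(d2, N) * (k2 + rp) % N
        if s1 == 0 or s2 == 0: continue
        s = (k3*s1 + inv(d1, N)*s2 - r) % N   # first party, step 4 (assumed formula)
        if s == 0 or (r + s) % N == 0: continue   # s = 0 and r + s = n checks
        k = (k1*k3*d1 + k2 + k4) % N          # the page's random-number equation, for checking
        return {"r": r, "s": s, "k": k, "x1": X[0]}

def verify(PA, ZA, M, r, s):                  # standard SM2 verification under the joint key P_A
    if not (0 < r < N and 0 < s < N): return False
    t = (r + s) % N
    X = add(mul(s, G), mul(t, PA)) if t else O
    return X is not O and (digest_e(ZA, M) + X[0]) % N == r

def kdf(x2, y2, klen):                        # counter-mode SHA-256 stands in for SM2's KDF
    return b"".join(H(bytes([x2, y2]), i.to_bytes(4, "big")) for i in range(1, klen // 32 + 2))[:klen]

def encrypt(PA, M):                           # plain SM2 encryption under P_A; returns (C1, C3, C2)
    while True:
        k = rnd()
        C1, (x2, y2) = mul(k, G), mul(k, PA)
        t = kdf(x2, y2, len(M))
        if any(t): break                      # an all-zero key stream is rejected, as in step 4
    return C1, H(bytes([x2]), M, bytes([y2])), bytes(a ^ b for a, b in zip(M, t))

def codecrypt(C, d1, d2):                     # protocol 3 (h = 1, so the [h]C1 check is implied)
    C1, C3, C2 = C
    x, y = C1                                 # step 1: C1 must satisfy the curve equation
    if (y*y - x**3 - A*x - B) % P: raise ValueError("C1 is not on the curve")
    T1 = mul(d1, C1)                          # first party, step 2: T1 = [d1]C1
    XY = add(mul(d2, T1), neg(C1))            # second party, step 3: [d2]T1 - C1 = [d_A]C1
    if XY is O: raise ValueError("degenerate shared point")
    t = kdf(XY[0], XY[1], len(C2))            # step 4
    if not any(t): raise ValueError("all-zero key stream")
    Mp = bytes(a ^ b for a, b in zip(C2, t))  # step 5: M' = C2 xor t
    if H(bytes([XY[0]]), Mp, bytes([XY[1]])) != C3: raise ValueError("C3 mismatch")   # step 6
    return Mp                                 # step 7
```

On the 19-point toy curve the re-selection branches fire often, which is harmless and simply exercises the checks the page lists; what the run demonstrates is that [k]G reproduces (x1, y1) for the page's k = k1·k3·d1 + k2 + k4, that the second party only ever sees r' = r + k4 rather than r, and that the resulting (r, s) verifies with the unmodified SM2 verification equation under P_A = [d1·d2 - 1]G, with neither party ever holding d_A. Swapping in the real SM2 curve constants, SM3 and the standard KDF is the only change needed for production-size parameters.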
The SM2 algorithm collaborative signature and decryption method, device and system have the following advantages:
1) the message digest e and the partial signature result r are both calculated by the first communication party, and finally the signature result is also output by the first communication party, so that the privacy of the user cannot be leaked in the process of generating the digital signature.
2) The intermediate result r' is related to the partial signature result r but does not leak the partial signature result r, thus allowing the first party to complete a digital signature with the help of the second party, but the second party does not know what message the first party signed, having features like a blind signature.
3) The two communication parties respectively generate random numbers as private key components, the processes of generating the private keys and calculating the public keys are simple, and the calculation amount is small.
4) Two communication parties respectively hold private key components to cooperatively generate a signature, and an attacker cannot obtain a complete private key under the condition that one party is hijacked, and cannot realize offline use of the private key.
5) The two communication parties respectively hold the private key components to cooperatively generate the signature, and in the application occasion of private key escrow, a service provider providing the private key escrow can be prevented from using the private key of a user to forge the digital signature without authorization.
6) In the signing process and the decryption process, only few interactions need to be carried out by two communication parties, so that the application requirements of low delay and few interactions in a cloud computing environment can be met.
The present invention also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, implements the steps of the SM2 algorithm co-signing method of the above embodiment from the perspective of the first communication party.
The invention provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the computer program to implement the steps of the SM2 algorithm collaborative signing method of the embodiment from the perspective of the first communication party.
The present invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps in the SM2 algorithm co-signing method of the embodiment described above from the perspective of the second party.
The invention provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the computer program to implement the steps of the SM2 algorithm collaborative signing method of the embodiment from the perspective of the second communication party.
The present invention provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, implements the steps of the above-described SM2 algorithm collaborative decryption method of the embodiment from the perspective of the second communication party.
The invention provides a computer device, comprising a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the computer program to realize the steps of the SM2 algorithm collaborative decryption method from the second communication side.
The present invention provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, implements the steps of the above-described SM2 algorithm collaborative decryption method of the embodiment from the perspective of the first communication party.
The invention provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the computer program to implement the steps of the SM2 algorithm collaborative decryption method of the embodiment from the perspective of the first communication party.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features. Those skilled in the art will appreciate that all or part of the steps in the method for implementing the above embodiments may be implemented by hardware instructions related to a program, the program may be stored in a computer-readable storage medium, and when executed, the program includes the steps of the above method, and the storage medium, such as: ROM/RAM, magnetic disk, optical disk, etc.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (25)

1. An SM2 algorithm co-signing method, characterized in that the method is applied to a first communication party; the method comprises the following steps:
generating a message digest of the message to be signed according to a preset cryptographic hash algorithm;
receiving a first elliptic curve group element fed back by a second communication party based on a first public key parameter and a selected random number; generating a first partial signature according to the message digest and the first elliptic curve group element;
performing a modulo operation based on the first partial signature to generate an obfuscated intermediate result, and transmitting the obfuscated intermediate result to the second communication party;
when an intermediate signature fed back by the second communication party according to the obfuscated intermediate result is received, generating a second partial signature according to the intermediate signature and the first partial signature;
and obtaining a complete SM2 digital signature according to the first partial signature and the second partial signature.
2. The SM2 algorithm co-signing method of claim 1, wherein the preset cryptographic hash algorithm is the SM3 algorithm; the first elliptic curve group element comprises an elliptic curve group element R1 and an elliptic curve group element R2;
generating a first partial signature based on the message digest and the first elliptic curve group element comprises:
respectively selecting a random number k3 and a random number k4, and generating a second elliptic curve group element (x1, y1) based on the following formula:
(x1, y1) = [k3]R1 + R2 + [k4]G
where k3 ∈ [1, …, n-1]; k4 ∈ [1, …, n-1]; G is a base point on the elliptic curve E(F_q); n is the order of the base point G on the elliptic curve E(F_q); x1 is the x-coordinate of the second elliptic curve group element (x1, y1), and y1 is the y-coordinate of the second elliptic curve group element (x1, y1);
according to the second elliptic curve group element (x1, y1) and the message digest, the first partial signature is generated based on the following formula:
r = e + x1 (mod n)
where e is the message digest; r is the first partial signature; mod n is the modulo-n operation.
3. The SM2 algorithm co-signing method of claim 2, further comprising, before the step of generating a first partial signature from the message digest and the first elliptic curve group element, the steps of:
according to the elliptic curve group element R1 and the elliptic curve group element R2, obtaining the point multiplication result S1 and the point multiplication result S2 based on the following formulas:
S1 = [h]R1
S2 = [h]R2
where h is the cofactor of n;
when it is detected that the point multiplication result S1 or the point multiplication result S2 is the point at infinity of the elliptic curve E(F_q), receiving the elliptic curve group element R1 and the elliptic curve group element R2 fed back again by the second communication party according to the first public key parameter and the reselected random numbers.
4. The SM2 algorithm co-signing method of claim 2, further comprising, after the step of generating a first partial signature from the message digest and the first elliptic curve group element, the steps of:
detecting the value of the first partial signature r, and when the value of the first partial signature r is 0, receiving the elliptic curve group element R1 and the elliptic curve group element R2 fed back again by the second communication party according to the first public key parameter and the reselected random numbers;
or
according to the second elliptic curve group element (x1, y1), obtaining a calculation result S0 based on the following formula:
S0 = [r]G + (x1, y1)
when it is detected that the calculation result S0 is the point at infinity of the elliptic curve E(F_q), receiving the elliptic curve group element R1 and the elliptic curve group element R2 fed back again by the second communication party according to the first public key parameter and the reselected random numbers.
5. The SM2 algorithm co-signing method of any one of claims 2 to 4, wherein the step of performing a modulo operation based on the first partial signature to generate an obfuscated intermediate result comprises:
according to the random number k4 and the first partial signature r, generating the obfuscated intermediate result based on the following formula:
r' = r + k4 (mod n)
where r' is the obfuscated intermediate result.
6. The SM2 algorithm collaborative signing method of claim 5, wherein the step of generating the message digest of the message to be signed according to a preset cryptographic hash algorithm further comprises the steps of:
generating a first private key component based on the following formula:
d1∈[1,…,n-1]
wherein d1 is the first private key component;
according to the first private key component, obtaining the first public key parameter based on the following formula:
P1=[d1]G
wherein P1 is the first public key parameter;
transmitting the first public key parameter to the second party.
7. The SM2 algorithm co-signing method of claim 6, wherein the intermediate signature comprises a first intermediate signature s1 and a second intermediate signature s2;
in the step of generating a second partial signature from the intermediate signature and the first partial signature, the second partial signature is generated based on the following formula:
(formula for s given as image FDA0002266327650000031, not reproduced here)
wherein s is the second partial signature; d1 is the first private key component.
8. The SM2 algorithm co-signing method of claim 7, wherein the step of generating a second partial signature from the intermediate signature and the first partial signature further comprises the steps of:
detecting the values of the first intermediate signature s1 and the second intermediate signature s2;
when the value of the first intermediate signature s1 is detected to be 0 or the value of the second intermediate signature s2 is detected to be 0, receiving the elliptic curve group element R1 and the elliptic curve group element R2 which are fed back again by the second communication party according to the first public key parameter and a reselected random number.
9. The SM2 algorithm co-signing method of claim 7, wherein the step of generating a second partial signature based on the intermediate signature and the first partial signature further comprises the steps of:
detecting the value of the second partial signature s;
when the value of the second partial signature s is detected to be 0 or n-r, receiving the elliptic curve group element R1 and the elliptic curve group element R2 which are fed back again by the second communication party according to the first public key parameter and a reselected random number.
10. An SM2 algorithm collaborative signature method, characterized in that the method is applied to a second communication party, the method comprising the following steps:
generating a first elliptic curve group element according to the selected random number and a first public key parameter of a first communication party, and transmitting the first elliptic curve group element to the first communication party;
receiving an obfuscated intermediate result fed back by the first communication party based on the first elliptic curve group element, and generating an intermediate signature according to a second private key component and the obfuscated intermediate result;
transmitting the intermediate signature to the first correspondent.
11. The SM2 algorithm co-signing method of claim 10, wherein the step of generating the first elliptic curve group element based on the selected random number and the first public key parameter of the first communication party further comprises the steps of:
generating the second private key component based on the following formula:
d2∈[1,…,n-1]
wherein d2 is the second private key component; n is the order of the base point G on the elliptic curve E(Fq);
the step of generating the first elliptic curve group element according to the selected random number and the first public key parameter of the first communication party further comprises the following steps:
receiving the first public key parameter P1 transmitted by the first communication party;
according to the first public key parameter P1 and the second private key component d2, generating a common public key based on the following formula:
PA=[d2]P1-G
wherein PA is the common public key;
disclosing the common public key PA.
12. The SM2 algorithm co-signing method of claim 11, wherein the first elliptic curve group element comprises an elliptic curve group element R1 and an elliptic curve group element R2;
the step of generating a first elliptic curve group element according to the selected random number and a first public key parameter of the first communication party comprises:
respectively selecting a random number k1 and a random number k2, and generating the elliptic curve group element R1 and the elliptic curve group element R2 based on the following formulas:
R1=[k1]P1
R2=[k2]G
wherein k1∈[1,…,n-1]; k2∈[1,…,n-1]; P1 is the first public key parameter; G is a base point on the elliptic curve E(Fq); n is the order of the base point G on the elliptic curve E(Fq).
13. The SM2 algorithm co-signing method of claim 12, wherein the intermediate signature comprises a first intermediate signature s1 and a second intermediate signature s2;
generating an intermediate signature based on the second private key component and the obfuscated intermediate result comprises:
according to the second private key component d2 and the random number k1, generating the first intermediate signature s1 based on the following formula:
(formula for s1 given as image FDA0002266327650000051, not reproduced here)
according to the second private key component d2, the random number k2 and the obfuscated intermediate result, generating the second intermediate signature s2 based on the following formula:
Wherein r' is the obfuscated intermediate result.
14. The SM2 algorithm co-signing method of claim 13, further comprising, before the step of generating an intermediate signature from the second private key component and the obfuscated intermediate result, the steps of:
detecting the value of the obfuscated intermediate result r'; when the value of the obfuscated intermediate result r' is detected to be 0, regenerating the elliptic curve group element R1 and the elliptic curve group element R2 according to the first public key parameter and a reselected random number.
15. An SM2 algorithm collaborative signature device, comprising:
the first communication party message digest generation unit is used for generating a message digest of the message to be signed according to a preset cryptographic hash algorithm;
the first communication party message signature generation unit is used for receiving a first elliptic curve group element fed back by the second communication party based on the first public key parameter and the selected random number; generating a first partial signature according to the message digest and the first elliptic curve group element; performing a modulo operation based on the first partial signature to generate an obfuscated intermediate result, and transmitting the obfuscated intermediate result to the second communication party; when an intermediate signature fed back by the second communication party according to the obfuscated intermediate result is received, generating a second partial signature according to the intermediate signature and the first partial signature; and obtaining a complete SM2 digital signature according to the first partial signature and the second partial signature.
16. An SM2 algorithm collaborative signature device, comprising:
the second communication party parameter generating unit is used for generating a first elliptic curve group element according to the selected random number and a first public key parameter of the first communication party and transmitting the first elliptic curve group element to the first communication party;
the second communication party intermediate signature generation unit is used for receiving an obfuscated intermediate result fed back by the first communication party based on the first elliptic curve group element and generating an intermediate signature according to a second private key component and the obfuscated intermediate result; transmitting the intermediate signature to the first correspondent.
17. An SM2 algorithm collaborative signature system, which is characterized by comprising a first communication party and a second communication party;
the second communication party generates a first elliptic curve group element according to the selected random number and a first public key parameter of the first communication party and transmits the first elliptic curve group element to the first communication party;
the first communication party generates a message digest of the message to be signed according to a preset cryptographic hash algorithm and generates a first partial signature according to the message digest and the first elliptic curve group element; performing a modulo operation based on the first partial signature to generate an obfuscated intermediate result, and transmitting the obfuscated intermediate result to the second communication party; the second communication party generates an intermediate signature according to the second private key component and the obfuscated intermediate result; and transmitting the intermediate signature to the first correspondent;
the first communicator generates a second partial signature according to the intermediate signature and the first partial signature; and obtaining a complete SM2 digital signature according to the first partial signature and the second partial signature.
18. The SM2 algorithm collaborative signature system of claim 17, wherein the first elliptic curve group element comprises an elliptic curve group element R1 and an elliptic curve group element R2;
the second communication party respectively selects a random number k1 and a random number k2, and generates the elliptic curve group element R1 and the elliptic curve group element R2 based on the following formulas:
R1=[k1]P1
R2=[k2]G
wherein k1∈[1,…,n-1]; k2∈[1,…,n-1]; G is a base point on the elliptic curve E(Fq); n is the order of the base point G on the elliptic curve E(Fq);
the first communication party respectively selects a random number k3 and a random number k4, and generates a second elliptic curve group element (x1,y1) based on the following formula:
(x1,y1)=[k3]R1+R2+[k4]G
wherein k3∈[1,…,n-1]; k4∈[1,…,n-1]; x1 is the x-axis coordinate of the second elliptic curve group element (x1,y1), and y1 is the y-axis coordinate of the second elliptic curve group element (x1,y1);
according to the second elliptic curve group element (x1,y1) and the message digest, the first partial signature is generated based on the following formula:
r=e+x1(mod n)
wherein e is the message digest; r is the first partial signature; mod n is a modulo n operation.
19. The SM2 algorithm co-signing system of claim 18, wherein the random number k1, the random number k2, the random number k3 and the random number k4 satisfy the following condition:
the random number equation for generating the SM2 digital signature contains the random number k1, the random number k2, the random number k3 and the random number k4.
20. The SM2 algorithm co-signing system of claim 19, wherein the random number k1, the random number k2, the random number k3 and the random number k4 satisfy the following random number equation:
k=k1k3d1+k2+k4(mod n)
wherein k is a random number and k∈[1,…,n-1]; d1 is the first private key component.
21. The SM2 algorithm collaborative signing system of any of claims 17 to 20, wherein the first correspondent is a client; the second communication party is a server side.
22. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 9.
23. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 9 are implemented when the program is executed by the processor.
24. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 10 to 14.
25. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any one of claims 10 to 14 are implemented when the program is executed by the processor.
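As an added example (not code from the patent), the following Python models the two-party flow of claims 6, 11, 12, 18 and 20 on the standard sm2p256v1 curve and checks the resulting (r, s) with ordinary SM2 verification against the common public key PA. The formulas for s1, s2 and s are only images on the page, so the split used for them here is an assumption chosen to be consistent with claims 7, 13 and 20, and the digest e passed in is a constructed value rather than an SM3 hash.

```python
# Added example (not the patent's code): a pure-Python model of the two-party
# SM2 co-signing flow of claims 6, 11, 12, 18 and 20 on the standard sm2p256v1
# curve. Key setup, R1/R2, (x1,y1), r, r' and the k relation follow the claims;
# the s1/s2/s formulas are images on the page, so the split below is ASSUMED.

# sm2p256v1 domain parameters (GM/T 0003-2012)
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity

def add(p1, p2):
    """Affine point addition on E(F_p); handles the identity and doubling."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """[k]pt by double-and-add (not constant time; demonstration only)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def keygen(d1, d2):
    """Claims 6 and 11: P1 = [d1]G, PA = [d2]P1 - G, i.e. PA = [d1*d2 - 1]G."""
    P1 = mul(d1, G)
    return P1, add(mul(d2, P1), (G[0], P - G[1]))

def ephemeral_point(P1, k1, k2, k3, k4):
    """Claims 12 and 18: R1 = [k1]P1, R2 = [k2]G, (x1,y1) = [k3]R1 + R2 + [k4]G."""
    R1, R2 = mul(k1, P1), mul(k2, G)
    return add(add(mul(k3, R1), R2), mul(k4, G))

def combined_nonce(d1, k1, k2, k3, k4):
    """Claim 20: the effective SM2 nonce k = k1*k3*d1 + k2 + k4 (mod n)."""
    return (k1 * k3 * d1 + k2 + k4) % N

def cosign(e, d1, d2, k1, k2, k3, k4):
    """One run: (r, s, PA), or None when a claim 4/8/9/14 check demands a restart."""
    P1, PA = keygen(d1, d2)
    pt = ephemeral_point(P1, k1, k2, k3, k4)          # party 1, claim 18
    r = (e + pt[0]) % N if pt is not INF else 0
    r_prime = (r + k4) % N                            # claim 5: k4 masks r from party 2
    if r == 0 or r_prime == 0:                        # claims 4 and 14: restart
        return None
    inv_d2 = pow(d2, -1, N)                           # party 2, claim 13 (ASSUMED split)
    s1, s2 = inv_d2 * k1 % N, inv_d2 * (k2 + r_prime) % N
    if s1 == 0 or s2 == 0:                            # claim 8: restart
        return None
    s = (k3 * s1 + pow(d1, -1, N) * s2 - r) % N       # party 1, claim 7 (ASSUMED combination)
    if s == 0 or s == N - r:                          # claim 9: restart
        return None
    return r, s, PA

def verify(e, r, s, PA):
    """Standard SM2 verification of (r, s) on digest e against the common key PA."""
    if not (0 < r < N and 0 < s < N) or (r + s) % N == 0:
        return False
    pt = add(mul(s, G), mul((r + s) % N, PA))
    return pt is not INF and (e + pt[0]) % N == r
```

Neither party ever holds the full private key d1*d2 - 1, yet the output verifies like any single-signer SM2 signature, which is the property a practitioner deploying the client/server split of claim 21 should confirm.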
CN201710546334.2A 2017-07-06 2017-07-06 SM2 algorithm collaborative signature and decryption method, device and system Active CN107196763B (en)

Publications (2)

Publication Number Publication Date
CN107196763A CN107196763A (en) 2017-09-22
CN107196763B true CN107196763B (en) 2020-02-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant