CN108667626B - Secure two-party collaboration SM2 signature method - Google Patents


Info

Publication number
CN108667626B
Authority
CN
China
Prior art keywords: proof, communication, party, signature, sub
Legal status (assumed by Google Patents, not a legal conclusion): Active
Application number
CN201810800708.3A
Other languages
Chinese (zh)
Other versions
CN108667626A (en)
Inventor
侯红霞
杨波
张明瑞
任伟
王瑞瑆
Current Assignee (as listed by Google Patents; may be inaccurate)
Geer Software Ltd By Share Ltd
Shaanxi Normal University
Original Assignee
Geer Software Ltd By Share Ltd
Shaanxi Normal University
Application filed by Geer Software Ltd By Share Ltd and Shaanxi Normal University
Priority to CN201810800708.3A
Publication of CN108667626A
Application granted
Publication of CN108667626B
Legal status: Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
                    • H04L9/008 involving homomorphic encryption
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                            • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
                        • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                            • H04L9/0869 involving random numbers or seeds
                    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
                        • H04L9/3066 involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
                            • H04L9/3073 involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
                    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3218 using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
                            • H04L9/3221 interactive zero-knowledge proofs
                        • H04L9/3247 involving digital signatures

Abstract

A secure two-party cooperative SM2 signature method comprises the steps of system initialization, negotiated generation of a signature public key, cooperative signing and output of the complete signature. Before the signature public key is negotiated and before the cooperative signature is produced, the two parties authenticate each other with zero-knowledge proofs; a commitment scheme ensures that the output complete signature is correct; additively homomorphic encryption lets the first communication party operate on the plaintext corresponding to a received ciphertext without decrypting it; and a timestamp mechanism ensures that the two parties can output a correct complete signature only when the identity, the current time and the location information of the first communication party are consistent. Together these measures greatly improve the security of the system, reduce the loss caused by leakage of a signature private key and prevent man-in-the-middle attacks. The method has higher security and can be used where the communication channel is insecure.

Description

Secure two-party collaboration SM2 signature method
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a secure two-party cooperative SM2 signature method.
Background
To meet the application requirements of electronic authentication service systems and the like, the SM2 elliptic curve public key cryptographic algorithm was issued by the national cryptographic administration on 17 December 2010, and the national standard GB/T 32918 was formulated for it. Part 2 of the standard describes the elliptic-curve-based signature algorithm, the SM2 signature algorithm, which consists of a digital signature generation algorithm and a verification algorithm: the generation algorithm lets a signer produce a digital signature on data, and the verification algorithm lets a verifier check the validity of that signature. Each signer generates a key pair: a public key that is published and a private key kept secret by the signer. The signer produces a signature with the private key, and the verifier checks it with the signer's public key.
The SM2 digital signature algorithm meets the security requirements of identity authentication, data integrity and authenticity in a variety of cryptographic applications and has been widely used in the domestic cryptographic application field for many years. However, as attack techniques develop, an attacker can steal a user's private key with various attack tools, and once the private key is stolen the attacker can sign with it and impersonate the legitimate user, so the damage caused by such theft can be disastrous.
An effective solution to this problem is to split the private key into two parts, held by the first and second communication parties respectively, and to have the two parties compute cooperatively whenever the private key is used, so that the complete private key never appears at either party, i.e. no party participating in the computation can obtain the complete private key. In 2014, the ringer et al. disclosed a signature method based on the SM2 algorithm that is suitable for cloud computing; it achieves this when both parties are honest, i.e. the two communication parties jointly compute a complete signature on a message using their respective partial private keys. However, the key generation and signature generation stages of that method lack a mechanism for authenticating the identities of the two communication parties, so man-in-the-middle attacks are hard to prevent and an attacker can impersonate the first communication party to generate a complete signature that passes verification.
Disclosure of Invention
The technical problem solved by the invention is to overcome the defects of the above signature method and to provide a secure two-party cooperative SM2 signature method that is easy to use and highly secure.
The technical scheme that solves this problem comprises the following steps:
(1) system initialization
The first and second communication parties share the elliptic curve parameters E(F_p), G and n of the SM2 signature algorithm, where E(F_p) is the set of all rational points of the elliptic curve E over the finite field F_p together with the point at infinity O, G is a base point of order n on E, and n is a finite positive integer; the values of all parameters are preset according to the SM2 standard. The cryptographic hash function hash, the commitment protocol com, the zero-knowledge proof protocol proof and the additively homomorphic encryption scheme Enc used by the two communication parties are also fixed in advance.
(2) Negotiating generation of a public signature key
The first communication party generates a sub private key d1 and a sub public key P1, and the second communication party generates a sub private key d2 and a sub public key P2; the two parties then negotiate the signature public key P, each using the other party's sub public key and its own sub private key.
(3) Collaborative signatures
The first communication party generates a temporary sub private key k1 and a temporary sub public key Q1, and the second communication party generates a temporary sub private key k2 and a temporary sub public key Q2. Each party then uses the other party's temporary sub public key together with its own sub private key and temporary sub private key to produce the partial signature r and the partial signature s, so that the complete signature is generated by the cooperation of both parties.
(4) Outputting a complete signature
The second communication party combines the partial signature r and the partial signature s into the complete signature and outputs it.
In step (2), the procedure by which the two communication parties negotiate the signature public key P, each using the other party's sub public key and its own sub private key, is as follows:
1) The first communication party generates a private-public key pair
The first communication party generates a random number d1 in [1, n-1] and takes d1 as its sub private key, i.e. d1 ∈ [1, n-1]; it computes d1[*]G and takes the result as its sub public key P1, where [*] denotes elliptic curve point multiplication.
2) The second communication party generates a private-public key pair
The second communication party generates a random number d2 in [1, n-1] and takes d2 as its sub private key, i.e. d2 ∈ [1, n-1]; it computes d2[*]G and takes the result as its sub public key P2.
3) Mutual authentication between the two communication parties
The first communication party uses the zero-knowledge proof protocol proof agreed by both parties to produce the zero-knowledge proof proof(d1) for its sub private key d1, uses the commitment protocol com agreed by both parties to compute the commitment value com(P1||proof(d1)) over the sub public key P1 and the proof proof(d1), and sends the commitment value com(P1||proof(d1)) and the commitment information to the second communication party, where || denotes concatenation.
The second communication party uses the agreed zero-knowledge proof protocol proof to produce the zero-knowledge proof proof(d2) for its sub private key d2, generates a key pair pk, sk for the agreed additively homomorphic encryption scheme Enc, where pk is the homomorphic public key and sk the homomorphic private key, and sends the sub public key P2, the homomorphic public key pk and the proof proof(d2) to the first communication party.
The first communication party verifies, with the agreed zero-knowledge proof protocol proof, that P2 = d2[*]G, and then, according to the agreed commitment protocol com, sends the decommitment information, namely the sub public key P1 and the proof proof(d1), to the second communication party.
The second communication party receives the decommitment information, verifies the correctness of the commitment value com(P1||proof(d1)) according to the agreed commitment protocol com, and verifies with the agreed zero-knowledge proof protocol proof that P1 = d1[*]G.
4) The two communication parties negotiate the signature public key
The first communication party computes d1[*]P2 [-] G and takes the result as the signature public key P, where [-] denotes elliptic curve point subtraction.
The second communication party computes d2[*]P1 [-] G and takes the result as the signature public key P'; P' is equal to P.
In the cooperative signature step (3), the method for generating the complete signature by the cooperation of the two communication parties comprises the following steps:
1) processing a message to be signed by a first communication party
The first communication party concatenates the identity Z shared by the two communication parties with the message M to form M', i.e. M' = Z || M, computes hash(M') with the cryptographic hash function hash, and takes the result as e.
2) Processing the message to be signed by the second communication party
The steps of processing the message to be signed by the second communication party are the same as the steps of processing the message to be signed by the first communication party.
3) The first communication party generates a temporary sub private-public key pair
The first communication party generates a random number k1 in [1, n-1], takes k1 as its temporary sub private key, computes k1[*]G and takes the result as its temporary sub public key Q1.
4) The second communication party generates a temporary sub private-public key pair
The second communication party generates a random number k2 in [1, n-1], takes k2 as its temporary sub private key, computes k2[*]G and takes the result as its temporary sub public key Q2.
5) Mutual authentication between two communication parties
The first communication party uses the zero-knowledge proof protocol proof agreed by both parties to produce the zero-knowledge proof proof(k1) for its temporary sub private key k1, uses the agreed commitment protocol com to compute the commitment value com(Q1||proof(k1)) over the temporary sub public key Q1 and the proof proof(k1), and sends the commitment value com(Q1||proof(k1)) and the commitment information to the second communication party.
The second communication party uses the agreed zero-knowledge proof protocol proof to produce the zero-knowledge proof proof(k2) for its temporary sub private key k2, and sends the temporary sub public key Q2 and the proof proof(k2) to the first communication party.
The first communication party verifies, with the agreed zero-knowledge proof protocol proof, that Q2 = k2[*]G, and then, according to the agreed commitment protocol com, sends the decommitment information, namely the temporary sub public key Q1 and the proof proof(k1), to the second communication party.
The second communication party receives the decommitment information, verifies the correctness of the commitment value com(Q1||proof(k1)) according to the agreed commitment protocol com, and verifies with the agreed zero-knowledge proof protocol proof that Q1 = k1[*]G.
6) Generating timestamps
The two communication parties each compute hash(ID1 || T || S) from the identity information ID1 of the first communication party, the current time T and the location information S of the first communication party, using the cryptographic hash function hash, and take the result as the timestamp t, where ID1, T and S are bit strings.
7) Cooperative signature of two communication parties
The second communication party computes k2[*]Q1 and takes the result as the point (x1, y1); it computes x1 + e mod n and takes the result as the partial signature r, where mod denotes the modulo operation; it generates a random number η in [1, n^2] and, with the encryption operation Enc_pk of the homomorphic encryption scheme Enc, computes two expressions (not reproduced in the text) whose results are taken as the homomorphic ciphertexts c1 and c2 respectively; it then sends the homomorphic ciphertexts c1 and c2 to the first communication party. Here d2^(-1) denotes the inverse of d2 in F_p, and Enc_pk denotes the encryption operation of the homomorphic encryption scheme Enc under the homomorphic public key pk.
The first communication party computes k1[*]Q2 and takes the result as the point (x1, y1), and takes x1 + e mod n as the partial signature r; it computes s' (the expression is not reproduced in the text) and sends the result s' to the second communication party. Here d1^(-1) denotes the inverse of d1 in F_p, t^(-1) denotes the inverse of the timestamp t in F_p, ⊙ denotes the scalar-multiplication homomorphic operation, i.e. a ⊙ b multiplies the plaintext corresponding to b by a, and the addition homomorphic operation adds the plaintext corresponding to one ciphertext to the plaintext corresponding to another.
The second communication party computes Dec_sk(s') − r mod n with the decryption operation Dec_sk of the homomorphic encryption scheme Enc and takes the result as the partial signature s, where Dec_sk denotes the decryption operation of Enc under the homomorphic private key sk.
The homomorphic encryption method Enc is any one of a Paillier homomorphic encryption method, a Benaloh homomorphic encryption method and an NS homomorphic encryption method.
The SM2 signature private key is split into two parts held respectively by the first and second communication parties; the signature public key and a complete SM2 signature can be generated only by cooperative computation of both parties in the key generation stage and the signing stage, and neither party can obtain the complete private key or output a complete signature on its own. To guarantee the authenticity of both parties' identities, the two parties authenticate each other with a zero-knowledge proof before negotiating the signature public key and before the cooperative signature; a commitment scheme ensures the correctness of the output complete signature; homomorphic encryption lets the first communication party operate on the plaintext corresponding to a received ciphertext without decrypting it; and the timestamp mechanism ensures that the two parties can output a correct complete signature only when the identity, the current time and the location information of the first communication party are consistent. These techniques greatly improve the security of the system and reduce the loss caused by leakage of the signature private key. Compared with the prior art, the method prevents man-in-the-middle attacks, has higher security and is suitable for use where the communication channel is insecure.
Drawings
FIG. 1 is a flow chart of example 1 of the present invention.
Detailed Description
In order to make the technical solution of the present invention clearer and more obvious, the solution of the present invention is further described in detail below with reference to the accompanying drawings.
For convenience of description, a first communication party and a second communication party are used to represent two communication parties respectively, wherein the first communication party is a mobile terminal, and the second communication party is a server side.
Example 1
As shown in FIG. 1, the secure two-party collaboration SM2 signing method of this embodiment consists of the following steps.
(1) System initialization
The first and second communication parties share the elliptic curve parameters E(F_p), G and n of the SM2 algorithm, where E(F_p) is the set of all rational points of the elliptic curve E over the finite field F_p together with the point at infinity O, G is a base point of order n on E, and n is a finite positive integer; in this embodiment the specific values of E(F_p), G and n are those given in appendix A.2 of GB/T 32918.2-2016. The parties fix in advance the cryptographic hash function hash, which is the hash function of GB/T 32905-2016, i.e. the SM3 algorithm; the commitment protocol com_SM3, defined following Fig. 2.1 of the paper "Fast Secure Two-Party ECDSA Signing", where the commitment value is computed in this embodiment as com_SM3(x) = SM3(x || R) with R a random number in [1, n-1] and || denoting concatenation; the zero-knowledge proof protocol proof_Schnorr, which is the Schnorr zero-knowledge proof protocol proposed by C. P. Schnorr in "Efficient identification and signatures for smart cards" (1989); and the homomorphic encryption scheme Enc, which is the additively homomorphic Paillier scheme proposed by Paillier in "Public-key cryptosystems based on composite degree residuosity classes" (1999), the Paillier scheme being one of the homomorphic encryption schemes Enc allowed above.
(2) Negotiating generation of a public signature key
The first communication party generates a sub private key d1 and a sub public key P1, and the second communication party generates a sub private key d2 and a sub public key P2. The two parties negotiate the signature public key P, each using the other party's sub public key and its own sub private key, as follows:
1) The first communication party generates a private-public key pair
The first communication party generates a random number d1 in [1, n-1] and takes d1 as its sub private key, i.e. d1 ∈ [1, n-1]; it computes d1[*]G and takes the result as its sub public key P1, where [*] denotes elliptic curve point multiplication.
2) The second communication party generates a private-public key pair
The second communication party generates a random number d2 in [1, n-1] and takes d2 as its sub private key, i.e. d2 ∈ [1, n-1]; it computes d2[*]G and takes the result as its sub public key P2.
3) Mutual authentication between two communication parties
In this embodiment the zero-knowledge proof protocol proof is the Schnorr protocol proof_Schnorr and the commitment protocol com is com_SM3. The first communication party uses proof_Schnorr to produce the zero-knowledge proof proof_Schnorr(d1) for its sub private key d1, and uses the agreed commitment protocol com_SM3 to compute the commitment value com_SM3(P1||proof_Schnorr(d1)) over the sub public key P1 and the proof proof_Schnorr(d1); concretely, it computes SM3(P1||proof_Schnorr(d1)||R) with the cryptographic hash function SM3 and takes the result as the commitment value com_SM3(P1||proof_Schnorr(d1)). According to the agreed commitment protocol com_SM3, it sends the commitment value com_SM3(P1||proof_Schnorr(d1)) and the commitment information R to the second communication party, where R is a random number in [1, n-1] generated by the first communication party and || denotes concatenation.
In this embodiment the homomorphic encryption scheme Enc is the Paillier scheme. The second communication party uses proof_Schnorr to produce the zero-knowledge proof proof_Schnorr(d2) for its sub private key d2, generates a key pair pk, sk of the Paillier scheme, where pk is the Paillier public key and sk the Paillier private key, and sends the sub public key P2, the homomorphic public key pk and the proof proof_Schnorr(d2) to the first communication party.
The first communication party verifies with proof_Schnorr that P2 = d2[*]G and, according to the agreed commitment protocol com_SM3, sends the decommitment information, namely the sub public key P1 and the proof proof_Schnorr(d1), to the second communication party;
the second communication party receives the decommitment information and verifies the commitment value com_SM3(P1||proof_Schnorr(d1)) according to the agreed commitment protocol com_SM3; concretely, it checks that com_SM3(P1||proof_Schnorr(d1)) = SM3(P1||proof_Schnorr(d1)||R), and then verifies with proof_Schnorr that P1 = d1[*]G;
4) The two communication parties negotiate the signature public key
The first communication party computes d1[*]P2 [-] G and takes the result as the signature public key P, where [-] denotes elliptic curve point subtraction;
the second communication party computes d2[*]P1 [-] G and takes the result as the signature public key P'; P' is equal to P.
(3) Collaborative signatures
The first communication party generates a temporary sub private key k1 and a temporary sub public key Q1, and the second communication party generates a temporary sub private key k2 and a temporary sub public key Q2; the two parties then cooperate to generate the complete signature, each using the other party's temporary sub public key together with its own sub private key and temporary sub private key.
The method for generating the complete signature by the cooperation of the two communication parties comprises the following steps:
1) processing a message to be signed by a first communication party
In this embodiment the cryptographic hash function hash is the hash function of GB/T 32905-2016, i.e. the SM3 algorithm. The first communication party concatenates the identity Z shared by the two communication parties with the message M to form M', i.e. M' = Z || M, computes SM3(M') with the cryptographic hash function SM3, and takes the result as e;
2) processing the message to be signed by the second communication party
The steps of the second communication party processing the message to be signed are the same as the steps of the first communication party processing the message to be signed;
3) The first communication party generates a temporary sub private-public key pair
The first communication party generates a random number k1 in [1, n-1], takes k1 as its temporary sub private key, computes k1[*]G and takes the result as its temporary sub public key Q1.
4) The second communication party generates a temporary sub private-public key pair
The second communication party generates a random number k2 in [1, n-1], takes k2 as its temporary sub private key, computes k2[*]G and takes the result as its temporary sub public key Q2.
5) Mutual authentication between two communication parties
The first communication party uses the zero-knowledge proof protocol proof_Schnorr to produce the zero-knowledge proof proof_Schnorr(k1) for its temporary sub private key k1; the commitment protocol agreed by both parties in this embodiment is com_SM3. According to com_SM3, it computes the commitment value com_SM3(Q1||proof_Schnorr(k1)) over the temporary sub public key Q1 and the proof proof_Schnorr(k1); concretely, it computes SM3(Q1||proof_Schnorr(k1)||R') with the cryptographic hash function SM3 and takes the result as the commitment value com_SM3(Q1||proof_Schnorr(k1)). According to the agreed commitment protocol com_SM3, it sends the commitment value com_SM3(Q1||proof_Schnorr(k1)) and the commitment information R' to the second communication party, where R' is a random number in [1, n-1] generated by the first communication party.
The second communication party uses proof_Schnorr to produce the zero-knowledge proof proof_Schnorr(k2) for its temporary sub private key k2, and sends the temporary sub public key Q2 and the proof proof_Schnorr(k2) to the first communication party.
The first communication party verifies with the agreed proof_Schnorr that Q2 = k2[*]G and, according to the agreed commitment protocol com_SM3, sends the decommitment information, namely the temporary sub public key Q1 and the proof proof_Schnorr(k1), to the second communication party.
The second communication party receives the decommitment information and verifies the commitment value com_SM3(Q1||proof_Schnorr(k1)) according to the agreed commitment protocol com_SM3; concretely, it checks that com_SM3(Q1||proof_Schnorr(k1)) = SM3(Q1||proof_Schnorr(k1)||R'), and then verifies with the agreed proof_Schnorr that Q1 = k1[*]G.
6) Generating timestamps
The two communication parties each compute SM3(ID1||T||S) from the identity information ID1 of the first communication party, the current time T and the location information S of the first communication party (the cryptographic hash method of this embodiment being SM3), and take the result as the timestamp t, where ID1, T and S are bit strings.
7) Cooperative signature of two communication parties
The homomorphic encryption method Enc of this embodiment is the Paillier homomorphic encryption method. The second communication party computes k2[*]Q1, takes the result as the point (x1, y1), and obtains the partial signature r from x1 + e mod n, where mod denotes the modulo operation; it generates a random number η in [1, n^2], encrypts […] and […] with the encryption operation Paillier_pk of the Paillier homomorphic encryption method (Enc_pk is Paillier_pk in this embodiment), and takes the results as the Paillier homomorphic ciphertexts c1 and c2 respectively; the Paillier homomorphic ciphertexts c1 and c2 are sent to the first communication party, where d2^{-1} denotes the inverse of the sub-private key d2 in F_p and Paillier_pk denotes the encryption operation of the Paillier homomorphic encryption method under the homomorphic public key pk.
The first communication party computes k1[*]Q2, takes the result as the point (x1, y1), and obtains the partial signature r from x1 + e mod n; it computes […] and sends the result to the second communication party as s', where d1^{-1} denotes the inverse of the sub-private key d1 in F_p, t^{-1} denotes the inverse of the timestamp t in F_p, ⊙ denotes the Paillier scalar-multiplication homomorphic operation, i.e. a ⊙ b means multiplying the plaintext corresponding to b by a, and ⊕ denotes the Paillier addition homomorphic operation, i.e. a ⊕ b means adding the plaintext corresponding to a and the plaintext corresponding to b;
the second communication party computes Paillier_sk(s') − r mod n with the decryption operation Paillier_sk of the Paillier homomorphic encryption method and takes the result as the partial signature s, where Paillier_sk denotes the decryption operation of the Paillier addition homomorphic method under the homomorphic private key sk.
(4) Outputting a complete signature
The second communication party combines the partial signature r and the partial signature s into a complete signature output.
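As an added worked example (not the patent's own code), the following Python runs the key negotiation and step 7 of the collaborative signature on the SM2 curve with a Paillier instance: P = d1[*]P2[-]G, r = x1 + e mod n from k2[*]Q1 and k1[*]Q2, ciphertexts c1 and c2 from the second party, s' assembled by the first party with the ⊙ and ⊕ homomorphic operations, and s = Paillier_sk(s') − r mod n, after which standard SM2 verification passes against P. The page's formulas for c1, c2 and s' did not survive extraction, so the plaintexts d2^{-1}·k2 + η·n and d2^{-1} + η·n, the combination s' = (d1^{-1}·k1) ⊙ c1 ⊕ (d1^{-1}·r) ⊙ c2, SHA-256 standing in for SM3, fixed Mersenne primes for the Paillier key, and the omission of the Schnorr proofs, commitments and timestamp are this example's assumptions.

```python
# Two-party SM2 co-signing with a Paillier step: added example, not the patent's own code.
import hashlib, secrets
# SM2 recommended curve (GB/T 32918): y^2 = x^3 + a x + b over F_p, base point G of prime order n.
p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
a = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
b = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def ec_add(P, Q):  # affine point addition on E(F_p); None is the point at infinity O
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = ((3 * x1 * x1 + a) * pow(2 * y1, -1, p) if x1 == x2
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P):  # point multiplication k[*]P, double-and-add
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

# Paillier with g = N + 1, built from two fixed Mersenne primes (2^521-1, 2^607-1) so that no prime
# generation is needed; this key is public, so a deployment generates fresh primes.  N ~ 2^1128
# exceeds the largest plaintext s' carries (< 2 n^4 < 2^1026), which correct decryption requires.
_P, _Q = 2 ** 521 - 1, 2 ** 607 - 1
N, LAM = _P * _Q, (_P - 1) * (_Q - 1)
PK, SK = N, (N, LAM, pow(LAM, -1, N))  # pk = N (g = N + 1 implied), sk = (N, lambda, mu)

def enc(pk, m):  # Enc_pk(m) = (1 + m N) r^N mod N^2
    r = secrets.randbelow(pk - 1) + 1
    return (1 + m * pk) * pow(r, pk, pk * pk) % (pk * pk)

def dec(sk, c):  # Dec_sk(c) = L(c^lambda mod N^2) mu mod N with L(u) = (u - 1) / N
    Nk, lam, mu = sk
    return (pow(c, lam, Nk * Nk) - 1) // Nk * mu % Nk

def child_keypair():  # d in [1, n-1] with d[*]G; used for (d1, P1), (d2, P2), (k1, Q1), (k2, Q2)
    d = secrets.randbelow(n - 1) + 1
    return d, ec_mul(d, G)

def joint_public_key(d_own, P_other):  # P = d1[*]P2 [-] G = d2[*]P1 [-] G, so 1 + d = d1 d2 mod n
    return ec_add(ec_mul(d_own, P_other), (G[0], -G[1] % p))

def digest(Z, M):  # e = hash(Z || M); SHA-256 stands in for SM3 (assumption: sm3 may be absent)
    return int.from_bytes(hashlib.sha256(Z + M).digest(), "big")

def cosign(e, d1, k1, Q1, d2, k2, Q2, pk, sk):
    """Step 7.  The plaintexts behind c1, c2 and the form of s' are this example's assumption
    (the page's formulas did not survive extraction); the timestamp factor t is left out."""
    r = (ec_mul(k2, Q1)[0] + e) % n                     # party 2: r = x1 + e mod n from k2[*]Q1
    assert r == (ec_mul(k1, Q2)[0] + e) % n             # party 1 gets the same r from k1[*]Q2
    eta, d2i = secrets.randbelow(n * n) + 1, pow(d2, -1, n)
    c1 = enc(pk, d2i * k2 % n + eta * n)                # party 2 masks d2^-1 k2 and d2^-1 with eta n
    c2 = enc(pk, d2i + eta * n)
    d1i, N2 = pow(d1, -1, n), pk * pk                   # party 1 touches ciphertexts only:
    s_ = pow(c1, d1i * k1 % n, N2) * pow(c2, d1i * r % n, N2) % N2  # (d1^-1 k1)(.)c1 (+) (d1^-1 r)(.)c2
    return r, (dec(sk, s_) - r) % n                     # party 2: s = Dec_sk(s') - r mod n

def sm2_verify(P, e, r, s):  # standard SM2 verification against the joint key P
    t = (r + s) % n
    if not (0 < r < n and 0 < s < n and t):
        return False
    X = ec_add(ec_mul(s, G), ec_mul(t, P))
    return X is not None and (e + X[0]) % n == r

def run_protocol(Z=b"ALICE123@YAHOO.COM", M=b"message digest"):  # constructed sample inputs
    d1, P1 = child_keypair(); d2, P2 = child_keypair()  # child key pairs (negotiation, steps 1-2)
    P = joint_public_key(d1, P2)
    assert P == joint_public_key(d2, P1)                # P' == P (negotiation, step 4)
    k1, Q1 = child_keypair(); k2, Q2 = child_keypair()  # temporary child key pairs (steps 3-4)
    e = digest(Z, M)                                    # steps 1-2 of the co-signature
    return (P, e) + cosign(e, d1, k1, Q1, d2, k2, Q2, PK, SK)

if __name__ == "__main__":
    P, e, r, s = run_protocol()
    print("co-signature verifies:", sm2_verify(P, e, r, s))
```

Neither party ever holds the full private key d = d1·d2 − 1 or the full nonce k = k1·k2, which is the property the scheme is built for; the Paillier modulus here is a public toy key and must not be reused.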
Example 2
(1) System initialization
The homomorphic encryption method Enc in this step adopts the Benaloh homomorphic encryption method with additive homomorphism proposed by J. Benaloh in "Dense Probabilistic Encryption" in 1994. The other steps in this step are the same as in Example 1.
(2) Negotiating generation of a public signature key
This procedure is the same as in example 1.
(3) Collaborative signatures
Steps 1) to 6) are the same as in example 1.
7) Cooperative signature of two communication parties
The homomorphic encryption method Enc of this embodiment is the Benaloh homomorphic encryption method. The second communication party computes k2[*]Q1, takes the result as the point (x1, y1), and obtains the partial signature r from x1 + e mod n, where mod denotes the modulo operation; it generates a random number η in [1, n^2], encrypts […] and […] with the encryption operation Benaloh_pk of the Benaloh homomorphic encryption method (Enc_pk is Benaloh_pk in this embodiment), and takes the results as the Benaloh homomorphic ciphertexts c1 and c2 respectively; the Benaloh homomorphic ciphertexts c1 and c2 are sent to the first communication party, where d2^{-1} denotes the inverse of the sub-private key d2 in F_p and Benaloh_pk denotes the encryption operation of the Benaloh homomorphic encryption method under the homomorphic public key pk.
The first communication party computes k1[*]Q2, takes the result as the point (x1, y1), and obtains the partial signature r from x1 + e mod n; it computes […] and sends the result to the second communication party as s', where d1^{-1} denotes the inverse of the sub-private key d1 in F_p, t^{-1} denotes the inverse of the timestamp t in F_p, ⊙ denotes the Benaloh scalar-multiplication homomorphic operation, i.e. a ⊙ b means multiplying the plaintext corresponding to b by a, and ⊕ denotes the Benaloh addition homomorphic operation, i.e. a ⊕ b means adding the plaintext corresponding to a and the plaintext corresponding to b;
the second communication party computes Benaloh_sk(s') − r mod n with the decryption operation Benaloh_sk of the Benaloh homomorphic encryption method and takes the result as the partial signature s, where Benaloh_sk denotes the decryption operation of the Benaloh addition homomorphic method under the homomorphic private key sk.
(4) Outputting a complete signature
This procedure is the same as in example 1.
Example 3
(1) System initialization
The homomorphic encryption method Enc in this step adopts the NS homomorphic encryption method with additive homomorphism proposed by D. Naccache and J. Stern in "A New Public Key Cryptosystem Based on Higher Residues" in 1998. The other steps in this step are the same as in Example 1.
(2) Negotiating generation of a public signature key
This procedure is the same as in example 1.
(3) Collaborative signatures
Steps 1) to 6) are the same as in example 1.
7) Cooperative signature of two communication parties
The homomorphic encryption method Enc of this embodiment is the NS homomorphic encryption method. The second communication party computes k2[*]Q1, takes the result as the point (x1, y1), and obtains the partial signature r from x1 + e mod n, where mod denotes the modulo operation; it generates a random number η in [1, n^2], encrypts […] and […] with the encryption operation NS_pk of the NS homomorphic encryption method (Enc_pk is NS_pk in this embodiment), and takes the results as the NS homomorphic ciphertexts c1 and c2 respectively; the NS homomorphic ciphertexts c1 and c2 are sent to the first communication party, where d2^{-1} denotes the inverse of the sub-private key d2 in F_p and NS_pk denotes the encryption operation of the NS homomorphic encryption method under the homomorphic public key pk.
The first communication party computes k1[*]Q2, takes the result as the point (x1, y1), and obtains the partial signature r from x1 + e mod n; it computes […] and sends the result to the second communication party as s', where d1^{-1} denotes the inverse of the sub-private key d1 in F_p, t^{-1} denotes the inverse of the timestamp t in F_p, ⊙ denotes the NS scalar-multiplication homomorphic operation, i.e. a ⊙ b means multiplying the plaintext corresponding to b by a, and ⊕ denotes the NS addition homomorphic operation, i.e. a ⊕ b means adding the plaintext corresponding to a and the plaintext corresponding to b;
the second communication party computes NS_sk(s') − r mod n with the decryption operation NS_sk of the NS homomorphic encryption method and takes the result as the partial signature s, where NS_sk denotes the decryption operation of the NS addition homomorphic method under the homomorphic private key sk.
(4) Outputting a complete signature
This procedure is the same as in example 1.

Claims (1)

1. A secure two-party collaborative SM2 signature method, characterized by comprising the following steps:
(1) system initialization
The first and second communication parties share the elliptic curve parameters E(F_p), G and n of the SM2 signature algorithm, where E(F_p) denotes the set formed by all rational points of the elliptic curve E over the finite field F_p together with the point at infinity O, G denotes a base point of order n on the elliptic curve E, n is a finite positive integer, the values of all parameters are preset according to the SM2 method, and the two communication parties define in advance a cryptographic hash method hash, a commitment protocol com, a zero-knowledge proof protocol proof and a homomorphic encryption method Enc with addition homomorphism;
(2) negotiating generation of a public signature key
The first communication party generates a sub-private key d1 and a sub-public key P1, the second communication party generates a sub-private key d2 and a sub-public key P2, and the two communication parties negotiate the signature public key P from the sub-public key of the other party and their own sub-private key;
the method by which the two communication parties negotiate the signature public key P from the sub-public key of the other party and their own sub-private key is as follows:
1) The first communication party generates a private-public key pair
The first communication party generates a random number d1 in [1, n-1] and takes d1 as the sub-private key, i.e. d1 ∈ [1, n-1]; it computes d1[*]G and takes the result as the sub-public key P1, where [*] denotes the elliptic curve point multiplication operation;
2) the second communication party generates a private-public key pair
The second communication party generates a random number d2 in [1, n-1] and takes d2 as the sub-private key, i.e. d2 ∈ [1, n-1]; it computes d2[*]G and takes the result as the sub-public key P2;
3) Mutual authentication between two communication parties
The first communication party determines the zero-knowledge proof proof(d1) of the sub-private key d1 with the zero-knowledge proof protocol proof predetermined by both parties, determines the commitment value com(P1||proof(d1)) of the sub-public key P1 and the zero-knowledge proof proof(d1) according to the commitment protocol com predetermined by both parties, and, according to the predetermined commitment protocol com, sends the commitment value com(P1||proof(d1)) and the commitment information to the second communication party, where || denotes concatenation;
the second communication party determines the zero-knowledge proof proof(d2) of the sub-private key d2 with the predetermined zero-knowledge proof protocol proof, generates the key pair pk and sk of the predetermined addition homomorphic encryption method Enc, where pk denotes the homomorphic public key and sk denotes the homomorphic private key, and sends the sub-public key P2, the homomorphic public key pk and the zero-knowledge proof proof(d2) to the first communication party;
the first communication party verifies P2 = d2[*]G with the predetermined zero-knowledge proof protocol proof and, according to the commitment protocol com predetermined by both parties, sends the de-commitment information, namely the sub-public key P1 and the zero-knowledge proof proof(d1), to the second communication party;
the second communication party receives the de-commitment information, verifies the correctness of the commitment value com(P1||proof(d1)) according to the commitment protocol com predetermined by both parties, and verifies P1 = d1[*]G with the predetermined zero-knowledge proof protocol proof;
4) Communication parties negotiate to generate signature public key
The first communication party computes d1[*]P2[-]G and takes the result as the signature public key P, where [-] denotes the elliptic curve point subtraction operation;
the second communication party computes d2[*]P1[-]G and takes the result as the signature public key P', where P' is equal to P;
(3) collaborative signatures
The first communication party generates a temporary sub-private key k1 and a temporary sub-public key Q1, the second communication party generates a temporary sub-private key k2 and a temporary sub-public key Q2, each party generates the partial signature r and the partial signature s from the temporary sub-public key of the other party together with its own sub-private key and temporary sub-private key, and the two communication parties cooperate to generate the complete signature; the method by which the two communication parties cooperate to generate the complete signature is as follows:
1) processing a message to be signed by a first communication party
The first communication party concatenates the identity Z common to the first and second communication parties with the message M to form M', namely M' = Z || M, determines hash(M') with the cryptographic hash method hash, and takes the result as e;
2) processing the message to be signed by the second communication party
The steps of the second communication party processing the message to be signed are the same as the steps of the first communication party processing the message to be signed;
3) the first correspondent generates a temporary child public and private key pair
The first communication party generates a random number k1 in [1, n-1], takes k1 as the temporary sub-private key, computes k1[*]G and takes the result as the temporary sub-public key Q1;
4) The second communication party generates a temporary child public and private key pair
The second communication party generates a random number k2 in [1, n-1], takes k2 as the temporary sub-private key, computes k2[*]G and takes the result as the temporary sub-public key Q2;
5) Mutual authentication between two communication parties
The first communication party determines the zero-knowledge proof proof(k1) of the temporary sub-private key k1 with the zero-knowledge proof protocol proof predetermined by both parties, determines the commitment value com(Q1||proof(k1)) of the temporary sub-public key Q1 and the zero-knowledge proof proof(k1) according to the commitment protocol com predetermined by both parties, and, according to the predetermined commitment protocol com, sends the commitment value com(Q1||proof(k1)) and the commitment information to the second communication party;
the second communication party determines the zero-knowledge proof proof(k2) of the temporary sub-private key k2 with the zero-knowledge proof protocol proof predetermined by both parties and sends the temporary sub-public key Q2 and the zero-knowledge proof proof(k2) to the first communication party;
the first communication party verifies Q2 = k2[*]G with the zero-knowledge proof protocol proof predetermined by both parties and sends the de-commitment information, namely the temporary sub-public key Q1 and the zero-knowledge proof proof(k1), to the second communication party;
the second communication party receives the de-commitment information, verifies the commitment value com(Q1||proof(k1)) according to the commitment protocol com predetermined by both parties, and verifies Q1 = k1[*]G with the predetermined zero-knowledge proof protocol proof;
6) Generating timestamps
The two communication parties each determine hash(ID1||T||S) with the cryptographic hash method hash from the identity information ID1 of the first communication party, the current time T and the location information S of the first communication party, and take the result as the timestamp t, where ID1, T and S are bit strings;
7) cooperative signature of two communication parties
The second communication party computes k2[*]Q1, takes the result as the point (x1, y1), and obtains the partial signature r from x1 + e mod n, where mod denotes the modulo operation; it generates a random number η in [1, n^2], determines […] and […] with the encryption operation Enc_pk of the homomorphic encryption method Enc, takes the results as the homomorphic ciphertexts c1 and c2 respectively, and sends the homomorphic ciphertexts c1 and c2 to the first communication party, where d2^{-1} denotes the inverse of d2 in F_p and Enc_pk denotes the encryption operation of the homomorphic encryption method Enc under the homomorphic public key pk;
the first communication party computes k1[*]Q2, takes the result as the point (x1, y1), and obtains the partial signature r from x1 + e mod n; it computes […] and sends the result to the second communication party as s', where d1^{-1} denotes the inverse of d1 in F_p, t^{-1} denotes the inverse of the timestamp t in F_p, ⊙ denotes the scalar-multiplication homomorphic operation, i.e. a ⊙ b means multiplying the plaintext corresponding to b by a, and ⊕ denotes the addition homomorphic operation, i.e. a ⊕ b means adding the plaintext corresponding to a and the plaintext corresponding to b;
the second communication party determines Dec_sk(s') − r mod n with the decryption operation Dec_sk of the homomorphic encryption method Enc and takes the result as the partial signature s, where Dec_sk denotes the decryption operation of the homomorphic encryption method Enc under the homomorphic private key sk;
(4) outputting a complete signature
The second communication party combines the partial signature r and the partial signature s into a complete signature output.
CN201810800708.3A 2018-07-20 2018-07-20 Secure two-party collaboration SM2 signature method Active CN108667626B (en)

Publications (2)

Publication Number Publication Date
CN108667626A CN108667626A (en) 2018-10-16
CN108667626B true CN108667626B (en) 2020-03-03


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 710062 No. 199 South Changan Road, Shaanxi, Xi'an
Applicant after: Shaanxi Normal University; Geer Software Limited by Share Ltd
Address before: 710062 No. 199 South Changan Road, Shaanxi, Xi'an
Applicant before: Shaanxi Normal University; Geer Software Co., Ltd., Shanghai
CB03 Change of inventor or designer information
Inventor after: Hou Hongxia, Yang Bo, Zhang Mingrui, Ren Wei, Wang Ruixing
Inventor before: Hou Hongxia, Yang Bo, Zhang Mingrui, Ren Wei, Wang Ruixing
GR01 Patent grant