CN108964923A - Interactive SM2 signature method, system and terminal with hidden private key - Google Patents
- Publication number: CN108964923A (application CN201810650042.8A)
- Authority: CN (China)
- Prior art keywords: private key, sub, signature, communication party, point
- Legal status: Granted
Classifications
- H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving digital signatures
- H04L9/3252: as above, using DSA or related signature schemes, e.g. elliptic curve based signatures, ElGamal or Schnorr schemes
Abstract
The present invention relates to the field of security technology, and more particularly to an interactive SM2 signature method, system and terminal with a hidden private key, comprising an initialization part and a main part. In the initialization part, the first communication party generates a private key dA, derives four sub-private keys from dA and two sub-base points from the base point G, sends two of the four sub-private keys and one of the two sub-base points to the second communication party, and deletes the locally stored private key dA once the second communication party has received that data. In the main part, the first communication party generates the first partial signature from its locally stored sub-base point and sends it to the second communication party; the second communication party generates the second, third and fourth partial signatures from its locally stored sub-private keys and sub-base point and sends them to the first communication party; the first communication party then generates the full signature from the data received from the second communication party and the data it stores locally. With the present invention, the core data, private key dA, is generated and held only by its owner, the first communication party.
Description
Technical field
The present invention relates to the field of security technology, and in particular to a signature method, system and terminal for an interactive SM2 algorithm with a hidden private key.
Background technique
Digital signature and encryption/decryption technologies based on public key cryptography are now widely used in applications such as e-commerce and identity authentication and have become important tools for information security; the security and the handling of the private key are the basis on which the security of these applications rests.
Normally, the complete key material must be available when a cryptographic algorithm runs, so the key has to be stored directly in memory. On terminals with weak protection capabilities this increases the risk of key loss: a lost mobile phone, or eavesdropping on the algorithm's computation, can each lead to loss of the key. To improve private key security, the prior art proposes an approach called threshold cryptography, in which the private key is split and distributed across different physical devices so that the complete private key information is never stored or used directly. For example, in a (t, n) threshold group signature the private key is distributed among n members; any t or more members can cooperate to complete a signature, while fewer than t members cannot.
CN 104243456B discloses an SM2-based signature and decryption method and system suitable for cloud computing. Its main idea is that the first communication party and the second communication party generate the private key by key agreement, so that in the end each party holds only partial information related to the private key and neither party knows the actual private key value. When a signature or decryption is needed, the two parties complete it interactively.
In that technical solution, however, the first and second communication parties hold equivalent information, and the private key is generated by negotiation between both sides: the party responsible for the private key does not fully own it, which, for electronic signatures, fails to reflect the responsible party's sovereignty over the private key. In practice the two communicating parties do not bear equal responsibility for the private key. The core data therefore needs a non-reciprocal division, in which one party holds more of the core data and the other party holds less. A signature method, system or terminal is thus needed that gives the party responsible for the private key the initiative over it, so that the two parties participating in the signature do not hold the core data on an equal 50-50 basis.
Summary of the invention
In view of this, the present invention provides an interactive SM2 signature method with a hidden private key, where the elliptic curve used by SM2 has base point G and order n. The method comprises:
First communication party:
Generate private key dA;
Based on private key dA, generate sub-private keys d0, d1, d2 and d3;
Based on base point G, generate sub-base points G0 and G1;
Send sub-private keys d2 and d3 and sub-base point G1 to the second communication party;
Second communication party:
Receive and store the sub-private keys d2 and d3 and the sub-base point G1 sent by the first communication party;
First communication party:
Delete private key dA, sub-private keys d2 and d3 and sub-base point G1;
Store sub-private keys d0 and d1 and sub-base point G0;
First communication party:
Obtain the message M to be signed;
Generate the message digest e of the message M to be signed;
Generate the first partial signature Q1 from sub-base point G0;
Send the message digest e and the first partial signature Q1 to the second communication party;
Second communication party:
Receive the message digest e and the first partial signature Q1 sent by the first communication party;
Generate the second partial signature r from Q1, e and sub-base point G1, the third partial signature s1 from sub-private key d2, and the fourth partial signature s2 from sub-private key d3;
Send the second partial signature r, the third partial signature s1 and the fourth partial signature s2 to the first communication party;
First communication party:
Receive the second partial signature r, the third partial signature s1 and the fourth partial signature s2 sent by the second communication party;
Generate the full signature (r, s) from sub-private keys d0 and d1 and the partial signatures r, s1 and s2.
Further, the first communication party generating private key dA comprises: generating a random number and using the generated random number as private key dA.
Further, the first communication party generating sub-private keys d0, d1, d2 and d3 from private key dA comprises:
Generate random numbers a0 and a1, where a0, a1 ∈ [1, n-1];
Calculate d0 = a1/(1+dA);
d1 = -(dA/a1 + a0);
d2 = a0/a1;
d3 = a0×a1/(1+dA).
Further, the first communication party generating sub-base points G0 and G1 from base point G comprises:
Calculate G0 = [a0]G;
G1 = [a1]G0.
Further, the first communication party generating the message digest e of the message M to be signed and the first partial signature Q1 from sub-base point G0 comprises:
The first communication party concatenates Z and M into M' and calculates e = Hash(M'), where Z denotes the common identity of the first and second communication parties and Hash() denotes a predetermined cryptographic hash function;
The first communication party generates a random number k0, where k0 ∈ [1, n-1];
Calculate Q1 = [k0]G0.
Further, the second communication party generating the second partial signature r from Q1, e and sub-base point G1, the third partial signature s1 from sub-private key d2, and the fourth partial signature s2 from sub-private key d3 comprises:
Generate random numbers k1 and k2, where k1, k2 ∈ [1, n-1];
Calculate (x, y) = [k1]Q1 + [k2]G1;
r = (x + e) mod n;
s1 = k1×d2 mod n;
s2 = (r + k2)×d3 mod n.
Further, the first communication party generating and outputting the full signature from sub-private keys d0 and d1 and the partial signatures r, s1 and s2 comprises:
Calculate s = (d0×k0×s1 + d0×d1×r + s2) mod n;
If s is not equal to 0 and not equal to n-r, the first communication party outputs (r, s) as the full signature.
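An added consistency check, not part of the patent text: substituting the definitions of d0 to d3, G0 and G1 above into s shows that the full signature is an ordinary SM2 signature under dA, with effective nonce k = a0×(k0×k1 + k2×a1).
Q1 = [k0]G0 = [k0×a0]G and G1 = [a1]G0 = [a0×a1]G, so (x, y) = [k1]Q1 + [k2]G1 = [a0×(k0×k1 + k2×a1)]G = [k]G;
d0×k0×s1 = (a1/(1+dA))×k0×(k1×a0/a1) = k0×k1×a0/(1+dA);
d0×d1×r = -(a1/(1+dA))×(dA/a1 + a0)×r = -(dA + a0×a1)×r/(1+dA);
s2 = (r + k2)×a0×a1/(1+dA) = (a0×a1×r + k2×a0×a1)/(1+dA);
s = (k0×k1×a0 + k2×a0×a1 - dA×r)/(1+dA) = (k - r×dA)/(1+dA) mod n,
which is the SM2 signing equation s = (1+dA)^(-1)×(k - r×dA) mod n with r = (e + x) mod n, so standard SM2 verification with public key [dA]G accepts (r, s). The nonce k is known to neither party in full: k0 is held only by the first communication party, k1 and k2 only by the second, and a0 is not needed by either after initialization.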
Correspondingly, the present invention also provides an interactive SM2 signature system with a hidden private key, where the elliptic curve used by SM2 has base point G and order n. The system comprises a first communication party and a second communication party, wherein:
The first communication party is configured to: generate private key dA; generate sub-private keys d0, d1, d2 and d3 from dA; generate sub-base points G0 and G1 from base point G; send d2, d3 and G1 to the second communication party; delete dA, d2, d3 and G1; store d0, d1 and G0; obtain the message M to be signed; generate the message digest e of M; generate the first partial signature Q1 from G0; send e and Q1 to the second communication party; receive the second partial signature r, the third partial signature s1 and the fourth partial signature s2 sent by the second communication party; and generate the full signature from d0, d1, r, s1 and s2.
The second communication party is configured to: receive and store d2, d3 and G1 sent by the first communication party; receive e and Q1 sent by the first communication party; generate the second partial signature r from Q1, e and G1, the third partial signature s1 from d2 and the fourth partial signature s2 from d3; and send r, s1 and s2 to the first communication party.
Correspondingly, the present invention also provides a terminal supporting SM2 signatures, where the elliptic curve used by SM2 has base point G and order n, comprising a first generation module, a first sending module, a deletion module, a first storage module, an acquisition module, a second generation module, a second sending module, a first receiving module and a full signature generation module, wherein:
The first generation module is for generating private key dA, generating sub-private keys d0, d1, d2 and d3 from dA, and generating sub-base points G0 and G1 from base point G;
The first sending module is for sending d2, d3 and G1;
The deletion module is for deleting dA, d2, d3 and G1;
The first storage module is for storing d0, d1 and G0;
The acquisition module is for obtaining the message M to be signed;
The second generation module is for generating the message digest e of M and generating the first partial signature Q1 from G0;
The second sending module is for sending e and Q1;
The first receiving module is for receiving the second partial signature r, the third partial signature s1 and the fourth partial signature s2;
The full signature generation module is for generating the full signature from d0, d1, r, s1 and s2.
Correspondingly, the present invention also provides a terminal comprising a second receiving module, a second storage module, a third receiving module, a partial signature generation module and a third sending module, wherein:
The second receiving module is for receiving d2, d3 and G1;
The second storage module is for storing d2, d3 and G1;
The third receiving module is for receiving e and Q1;
The partial signature generation module is for generating the second partial signature r from Q1, e and G1, the third partial signature s1 from d2 and the fourth partial signature s2 from d3;
The third sending module is for sending r, s1 and s2.
Compared with the prior art, the technical solution of the present invention has the beneficial effect that the core data, private key dA, is held only by the first communication party, and the party responsible for the private key actively divides it and hands part of it to the other party, so that the two parties participating in the signature do not hold the core data on an equal 50-50 basis.
Detailed description of the drawings
Fig. 1 is a flow chart of an interactive SM2 signature method with a hidden private key according to the present invention;
Fig. 2 is a flow chart of the initialization part of the interactive SM2 signature method with a hidden private key according to the present invention;
Fig. 3 is a flow chart of the main part of the interactive SM2 signature method with a hidden private key according to the present invention.
Specific embodiments
To help those skilled in the art better understand the technical solution of the present invention, the invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
The present invention provides an interactive SM2 signature method with a hidden private key. In one embodiment, the elliptic curve used by SM2 has base point G and order n. Referring to Fig. 1, the specific steps of the signature method comprise an initialization part and a main part, wherein:
The initialization part of the SM2 signature method is as follows:
First communication party:
Step 101: generate private key dA, preferably stored in ciphertext form;
Step 102: generate sub-private keys d0, d1, d2 and d3 from private key dA;
Step 103: generate sub-base points G0 and G1 from base point G;
Step 104: send sub-private keys d2 and d3 and sub-base point G1 to the second communication party;
Second communication party:
Step 205: receive sub-private keys d2 and d3 and sub-base point G1 sent by the first communication party;
Step 206: store sub-private keys d2 and d3 and sub-base point G1;
First communication party:
Step 107: delete private key dA, sub-private keys d2 and d3 and sub-base point G1;
Step 108: store sub-private keys d0 and d1 and sub-base point G0.
The main part of the SM2 signature method is as follows:
First communication party:
Step 109: obtain the message M to be signed;
Step 110: generate the message digest e of the message M to be signed;
Step 111: generate the first partial signature Q1 from sub-base point G0;
Step 112: send the message digest e and the first partial signature Q1 to the second communication party;
Second communication party:
Step 213: receive the message digest e and the first partial signature Q1 sent by the first communication party;
Step 214: generate the second partial signature r from Q1, e and sub-base point G1, the third partial signature s1 from sub-private key d2, and the fourth partial signature s2 from sub-private key d3;
Step 215: send the second partial signature r, the third partial signature s1 and the fourth partial signature s2 to the first communication party;
First communication party:
Step 116: receive the second partial signature r, the third partial signature s1 and the fourth partial signature s2 sent by the second communication party;
Step 117: generate the full signature (r, s) from sub-private keys d0 and d1 and the partial signatures r, s1 and s2.
Preferably, after step 117 the first communication party further performs:
Step 118: output the message M to be signed together with the generated full signature (r, s).
The signature verification process is the same as the verification process of the standard SM2 algorithm.
In this embodiment, the second communication party uses processed sub-private keys rather than the real private key corresponding to the encryption process. The private key is the core parameter of the SM2 algorithm, and its leakage has serious consequences. With this arrangement, the present invention prevents the second communication party from obtaining the core data directly. On the one hand, an attacker cannot obtain the core data by attacking the second communication party; on the other hand, the second communication party cannot deliberately leak the core data. In summary, the technical solution of the present invention ensures that the core data, private key dA, is held only by the first communication party, achieving the beneficial effect that the two parties participating in the signature do not hold the core data on an equal 50-50 basis.
In addition, in this embodiment the first communication party deletes the private key immediately after sending the sub-private keys to the second communication party, so that protection of the key shrinks from the entire period of use to a very short interval within the initialization procedure. The key information only needs to be protected during initialization; once initialization ends, the plaintext of the private key no longer appears in memory or in any computation.
In addition, in this embodiment the second communication party receives its sub-private keys from the first communication party and does not generate sub-private keys itself. In the prior art disclosed in CN 104243456B, the first and second communication parties each generate their own random number as their own sub-private key; in that case the private key is negotiated, and the responsibility attached to it is borne by both sides. In the present application the sub-private keys used by the second communication party are assigned to it by the first communication party rather than generated by the second communication party itself, so the responsibility attached to the private key is borne by the party responsible for the private key. Compared with the aforementioned prior art, the present invention better meets the requirements of electronic signatures.
In addition, in this embodiment the first and second communication parties each hold two sub-private keys, and an attacker would have to steal both sub-private keys to impersonate the second communication party. Compared with the aforementioned prior art, in which each party holds only one sub-private key, the present invention therefore further improves the security of the second communication party.
In summary, the technical solution of the present invention effectively ensures the security of interactive SM2 signatures.
The implementation of the above interactive SM2 signature method with a hidden private key is described in detail below.
First, referring to Fig. 2, which describes the implementation steps of the initialization part in detail:
Step 101 comprises: generating a random number and using the generated random number as private key dA.
Step 102 comprises: generating random numbers a0 and a1, where a0, a1 ∈ [1, n-1];
Calculate d0 = a1/(1+dA);
d1 = -(dA/a1 + a0);
d2 = a0/a1; d3 = a0×a1/(1+dA).
Step 103 comprises: calculating G0 = [a0]G;
G1 = [a1]G0.
Here the operation '[a]G' denotes scalar multiplication (point multiplication) of the point G by a on the elliptic curve.
Correspondingly, step 107 comprises: deleting private key dA, sub-private keys d2 and d3, sub-base point G1 and the random numbers a0 and a1. Deletion means removing the data from every storage medium of the first communication party, such as memory, cache and hard disk.
Second, referring to Fig. 3, which describes the implementation steps of the main part in detail:
Step 110 comprises: concatenating Z and M into M' and calculating e = Hash(M'), also written e = Hash(Z || M), where Z denotes the common identity of the first and second communication parties and Hash() denotes a predetermined cryptographic hash function.
Step 111 comprises: generating a random number k0, where k0 ∈ [1, n-1]; calculating Q1 = [k0]G0.
Step 214 comprises: generating random numbers k1 and k2, where k1, k2 ∈ [1, n-1];
Calculate (x, y) = [k1]Q1 + [k2]G1;
r = (x + e) mod n;
If r = 0, regenerate the random numbers k1 and k2 and recalculate (x, y) and r until r ≠ 0;
If r ≠ 0, calculate s1 = k1×d2 mod n;
s2 = (r + k2)×d3 mod n.
Step 117 comprises: calculating s = (d0×k0×s1 + d0×d1×r + s2) mod n;
If s = 0 or s = r, re-execute the related steps until s ≠ 0 and s ≠ r.
If s ≠ 0 and s ≠ r, the first communication party uses (r, s) as the full signature.
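The two-party protocol above, worked in code. This is an added example and not the patent's own implementation: it runs the initialization part (steps 101-108) and the main part (steps 109-117) on the real sm2p256v1 curve with a minimal affine point arithmetic, then checks the result with ordinary SM2 verification against the public key [dA]G, the "same as standard SM2" verification the description refers to. Assumptions made here: SHA-256 stands in for SM3 as Hash(); Z is a constructed placeholder identity; the patent's divisions are computed as inverses modulo n; the acceptance condition on s is the one in the summary and claim 7 (s ≠ 0 and s ≠ n-r); and all function and variable names are the example's own.

```python
import hashlib
import secrets

# sm2p256v1 domain parameters (GB/T 32918), the curve SM2 is defined over.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
Z = b"constructed-identity-Z"  # placeholder for the parties' common identity Z

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + Ax + B mod P; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """The patent's '[k]G': scalar multiplication by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def rand_scalar():
    return secrets.randbelow(N - 1) + 1  # uniform in [1, n-1]

def digest(z, msg):
    """e = Hash(Z || M). SHA-256 stands in for SM3 (assumption: SM3 is not in hashlib)."""
    return int.from_bytes(hashlib.sha256(z + msg).digest(), "big")

def party_a_init(dA):
    """Steps 101-108: A derives (d0, d1, G0) for itself and (d2, d3, G1) for B.
    The patent's divisions are computed as inverses modulo n."""
    a0, a1 = rand_scalar(), rand_scalar()
    inv1, inv_a1 = pow(1 + dA, -1, N), pow(a1, -1, N)
    d0 = a1 * inv1 % N                       # d0 = a1/(1+dA)
    d1 = -(dA * inv_a1 + a0) % N             # d1 = -(dA/a1 + a0)
    d2 = a0 * inv_a1 % N                     # d2 = a0/a1
    d3 = a0 * a1 * inv1 % N                  # d3 = a0*a1/(1+dA)
    G0 = ec_mul(a0, G)                       # G0 = [a0]G
    G1 = ec_mul(a1, G0)                      # G1 = [a1]G0
    # Step 107: dA, d2, d3, G1, a0 and a1 are erased at A once B holds its share;
    # the two dicts model what each party keeps afterwards.
    return {"d0": d0, "d1": d1, "G0": G0}, {"d2": d2, "d3": d3, "G1": G1}

def party_b_sign(b, e, Q1):
    """Step 214: B's partial signatures from its shares alone (B never sees dA)."""
    while True:
        k1, k2 = rand_scalar(), rand_scalar()
        pt = ec_add(ec_mul(k1, Q1), ec_mul(k2, b["G1"]))  # (x, y) = [k1]Q1 + [k2]G1
        if pt is not None and (pt[0] + e) % N != 0:
            break                            # description: retry until r != 0
    r = (pt[0] + e) % N
    s1 = k1 * b["d2"] % N                    # s1 = k1*d2 mod n
    s2 = (r + k2) * b["d3"] % N              # s2 = (r+k2)*d3 mod n
    return r, s1, s2

def cosign(a, b, z, msg):
    """Steps 109-117 end to end; returns the full SM2 signature (r, s)."""
    e = digest(z, msg)
    while True:
        k0 = rand_scalar()
        Q1 = ec_mul(k0, a["G0"])             # Q1 = [k0]G0, sent to B together with e
        r, s1, s2 = party_b_sign(b, e, Q1)
        s = (a["d0"] * k0 * s1 + a["d0"] * a["d1"] * r + s2) % N
        if s != 0 and s != N - r:            # acceptance condition from the summary / claim 7
            return r, s

def sm2_verify(PA, z, msg, sig):
    """Standard SM2 verification against PA = [dA]G; unaware of the key split."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N) or (r + s) % N == 0:
        return False
    pt = ec_add(ec_mul(s, G), ec_mul((r + s) % N, PA))
    return pt is not None and (digest(z, msg) + pt[0]) % N == r

def demo(msg=b"constructed message to be signed"):
    """Key split, cooperative signing, then ordinary verification of the result."""
    dA = secrets.randbelow(N - 2) + 1        # dA in [1, n-2] so that 1+dA is invertible mod n
    PA = ec_mul(dA, G)                       # public key, computed before dA is erased
    a, b = party_a_init(dA)
    sig = cosign(a, b, Z, msg)
    return sm2_verify(PA, Z, msg, sig), sm2_verify(PA, Z, msg + b"!", sig)
```

demo() returns (True, False): the cooperatively produced (r, s) passes unmodified SM2 verification, and the same signature over a changed message is rejected. Two practical points the step list leaves implicit: the public key [dA]G has to be computed and published before step 107 erases dA, since nothing later can reproduce it; and the second party's stored values d2, d3 and G1 are only ever combined with k1, k2 and the first party's k0, d0 and d1, so the verifier and the second party both operate without dA, which is the property the description claims.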
Correspondingly, the present invention also provides an interactive SM2 signature system with a hidden private key, where the elliptic curve used by SM2 has base point G and order n. The system comprises a first communication party and a second communication party, wherein:
The first communication party is configured to: generate private key dA; generate sub-private keys d0, d1, d2 and d3 from dA; generate sub-base points G0 and G1 from base point G; send d2, d3 and G1 to the second communication party; delete dA, d2, d3 and G1; store d0, d1 and G0; obtain the message M to be signed; generate the message digest e of M; generate the first partial signature Q1 from G0; send e and Q1 to the second communication party; receive the second partial signature r, the third partial signature s1 and the fourth partial signature s2 sent by the second communication party; and generate the full signature from d0, d1, r, s1 and s2.
The second communication party is configured to: receive and store d2, d3 and G1 sent by the first communication party; receive e and Q1 sent by the first communication party; generate the second partial signature r from Q1, e and G1, the third partial signature s1 from d2 and the fourth partial signature s2 from d3; and send r, s1 and s2 to the first communication party.
Correspondingly, the present invention also provides a terminal supporting SM2 signatures, where the elliptic curve used by SM2 has base point G and order n, comprising a first generation module, a first sending module, a deletion module, a first storage module, an acquisition module, a second generation module, a second sending module, a first receiving module and a full signature generation module, wherein:
The first generation module is for generating private key dA, generating sub-private keys d0, d1, d2 and d3 from dA, and generating sub-base points G0 and G1 from base point G;
The first sending module is for sending d2, d3 and G1;
The deletion module is for deleting dA, d2, d3 and G1;
The first storage module is for storing d0, d1 and G0;
The acquisition module is for obtaining the message M to be signed;
The second generation module is for generating the message digest e of M and generating the first partial signature Q1 from G0;
The second sending module is for sending e and Q1;
The first receiving module is for receiving the second partial signature r, the third partial signature s1 and the fourth partial signature s2;
The full signature generation module is for generating the full signature from d0, d1, r, s1 and s2.
Correspondingly, the present invention also provides a terminal comprising a second receiving module, a second storage module, a third receiving module, a partial signature generation module and a third sending module, wherein:
The second receiving module is for receiving d2, d3 and G1;
The second storage module is for storing d2, d3 and G1;
The third receiving module is for receiving e and Q1;
The partial signature generation module is for generating the second partial signature r from Q1, e and G1, the third partial signature s1 from d2 and the fourth partial signature s2 from d3;
The third sending module is for sending r, s1 and s2.
The above are only preferred embodiments of the present invention. It should be noted that the preferred embodiments above are not to be construed as limiting the invention; the scope of protection of the present invention is defined by the claims. Those of ordinary skill in the art may make several improvements and modifications without departing from the spirit and scope of the present invention, and such improvements and modifications shall also be regarded as falling within the scope of protection of the present invention.
Claims (10)
1. a kind of interactive SM2 endorsement method of hiding private key, the elliptic curve that the SM2 is used has basic point G and order n,
It is characterized in that, which comprises
First communication party:
Generate private key dA;
Based on the private key dAGenerate sub- private key d0, sub- private key d1, sub- private key d2, sub- private key d3;
Subbase point G is generated based on basic point G0With subbase point G1;
By sub- private key d2, sub- private key d3With subbase point G1It is sent to second communication party;
Second communication party:
Receive and store the sub- private key d of first communication party transmission2, sub- private key d3With subbase point G1;
First communication party:
Delete private key dA, sub- private key d2, sub- private key d3With subbase point G1;
Store sub- private key d0, sub- private key d1With subbase point G0;
First communication party:
Obtain message M to be signed;
Generate the eap-message digest e of message M to be signed;
According to subbase point G0Generate first part signature Q1;
By eap-message digest e and first part signature Q1It is sent to second communication party;
Second communication party:
Receive the eap-message digest e and first part signature Q that first communication party is sent1;
According to first part signature Q1, there are also subbase point G by eap-message digest e1Second part signature r is generated, according to sub- private key d2It generates
Part III signature s1, according to sub- private key d3Generate Part IV signature s2;
By second part signature r, Part III signature s1With Part IV signature s2It is sent to first communication party;
First communication party:
Receive second part signature r, the Part III signature s that second communication party sends1With Part IV signature s2;
According to sub- private key d0, sub- private key d1, second part signature r, Part III sign s1With Part IV signature s2It generates complete
It signs (r, s).
2. The method according to claim 1, wherein the first communication party generating the private key dA comprises: generating a random number and using the generated random number as the private key dA.
3. The method according to claim 2, wherein the first communication party generating sub-private key d0, sub-private key d1, sub-private key d2 and sub-private key d3 based on the private key dA comprises:
generating random number a0 and random number a1, where a0, a1 ∈ [1, n-1];
calculating d0 = a1/(1+dA);
d1 = -(dA/a1 + a0);
d2 = a0/a1;
d3 = a0×a1/(1+dA).
4. The method according to claim 3, wherein the first communication party generating sub-base point G0 and sub-base point G1 based on the base point G comprises:
calculating G0 = [a0]G;
G1 = [a1]G0.
5. The method according to claim 1, wherein the first communication party generating the message digest e of the message M to be signed and the first partial signature Q1 from sub-base point G0 comprises:
the first communication party concatenating Z and M to form M' and calculating e = Hash(M'), where Z denotes the identity shared by the first communication party and the second communication party, and Hash() denotes a predetermined cryptographic hash function;
the first communication party generating a random number k0, where k0 ∈ [1, n-1];
calculating Q1 = [k0]G0.
6. The method according to claim 5, wherein the second communication party generating the second partial signature r from the first partial signature Q1, the message digest e and sub-base point G1, generating the third partial signature s1 from sub-private key d2, and generating the fourth partial signature s2 from sub-private key d3 comprises:
generating random number k1 and random number k2, where k1, k2 ∈ [1, n-1];
calculating (x, y) = [k1]Q1 + [k2]G1;
r = (x + e) mod n;
s1 = k1×d2 mod n;
s2 = (r + k2)×d3 mod n.
7. The method according to claim 6, wherein the first communication party generating and outputting the complete signature from sub-private key d0, sub-private key d1, the second partial signature r, the third partial signature s1 and the fourth partial signature s2 comprises:
calculating s = (d0×k0×s1 + d0×d1×r + s2) mod n;
if s is not equal to 0 and not equal to n-r, the first communication party outputs (r, s) as the complete signature.
8. An interactive SM2 signature system hiding the private key, the elliptic curve used by SM2 having a base point G and order n, wherein the system comprises a first communication party and a second communication party, wherein
the first communication party is configured to: generate a private key dA; generate sub-private key d0, sub-private key d1, sub-private key d2 and sub-private key d3 based on the private key dA; generate sub-base point G0 and sub-base point G1 based on the base point G; send sub-private key d2, sub-private key d3 and sub-base point G1 to the second communication party; delete the private key dA, sub-private key d2, sub-private key d3 and sub-base point G1; store sub-private key d0, sub-private key d1 and sub-base point G0; obtain a message M to be signed; generate the message digest e of the message M to be signed; generate a first partial signature Q1 from sub-base point G0; send the message digest e and the first partial signature Q1 to the second communication party; receive the second partial signature r, the third partial signature s1 and the fourth partial signature s2 sent by the second communication party; and generate the complete signature from sub-private key d0, sub-private key d1, the second partial signature r, the third partial signature s1 and the fourth partial signature s2;
the second communication party is configured to: receive and store the sub-private key d2, sub-private key d3 and sub-base point G1 sent by the first communication party; receive the message digest e and the first partial signature Q1 sent by the first communication party; generate the second partial signature r from the first partial signature Q1, the message digest e and sub-base point G1, generate the third partial signature s1 from sub-private key d2, and generate the fourth partial signature s2 from sub-private key d3; and send the second partial signature r, the third partial signature s1 and the fourth partial signature s2 to the first communication party.
9. A terminal supporting SM2 signatures, the elliptic curve used by SM2 having a base point G and order n, comprising: a first generation module, a first sending module, a deletion module, a first storage module, an acquisition module, a second generation module, a second sending module, a first receiving module and a complete-signature generation module, wherein
the first generation module is configured to generate a private key dA, generate sub-private key d0, sub-private key d1, sub-private key d2 and sub-private key d3 based on the private key dA, and generate sub-base point G0 and sub-base point G1 based on the base point G;
the first sending module is configured to send sub-private key d2, sub-private key d3 and sub-base point G1;
the deletion module is configured to delete the private key dA, sub-private key d2, sub-private key d3 and sub-base point G1;
the first storage module is configured to store sub-private key d0, sub-private key d1 and sub-base point G0;
the acquisition module is configured to obtain a message M to be signed;
the second generation module is configured to generate the message digest e of the message M to be signed and to generate a first partial signature Q1 from sub-base point G0;
the second sending module is configured to send the message digest e and the first partial signature Q1;
the first receiving module is configured to receive a second partial signature r, a third partial signature s1 and a fourth partial signature s2;
the complete-signature generation module is configured to generate the complete signature from sub-private key d0, sub-private key d1, the second partial signature r, the third partial signature s1 and the fourth partial signature s2.
10. A terminal, comprising: a second receiving module, a second storage module, a third receiving module, a partial-signature generation module and a third sending module; wherein
the second receiving module is configured to receive sub-private key d2, sub-private key d3 and sub-base point G1;
the second storage module is configured to store sub-private key d2, sub-private key d3 and sub-base point G1;
the third receiving module is configured to receive a message digest e and a first partial signature Q1;
the partial-signature generation module is configured to generate a second partial signature r from the first partial signature Q1, the message digest e and sub-base point G1, generate a third partial signature s1 from sub-private key d2, and generate a fourth partial signature s2 from sub-private key d3;
the third sending module is configured to send the second partial signature r, the third partial signature s1 and the fourth partial signature s2.
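The two-round protocol of claims 3 to 7, as an added worked example that is not code from the patent or its applicant: a Python model over the SM2 recommended curve in which the first party derives the sub-keys and sub-base points, the second party computes r, s1 and s2, and the first party assembles s; a standard SM2 verification against the public key [dA]G then shows that the split computation yields an ordinary SM2 signature. SHA-256 standing in for SM3, the `rand` and `digest` helpers and the affine curve arithmetic are this example's own assumptions.

```python
import hashlib, secrets

# SM2 recommended curve parameters; affine arithmetic, None = point at infinity.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3  # curve coefficient a; b is not needed by the addition formulas
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(p1, p2):  # elliptic-curve point addition / doubling
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P))
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # scalar multiplication [k]pt by double-and-add
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

rand = lambda: secrets.randbelow(N - 1) + 1  # random scalar in [1, n-1] (assumed helper)
digest = lambda z, m: int.from_bytes(hashlib.sha256(z + m).digest(), "big")  # SHA-256 stands in for SM3

def split_key(dA):  # claims 3-4: first party derives sub-keys and sub-base points
    a0, a1, inv = rand(), rand(), pow(1 + dA, -1, N)
    d0, d3 = a1 * inv % N, a0 * a1 * inv % N
    d1 = -(dA * pow(a1, -1, N) + a0) % N
    d2 = a0 * pow(a1, -1, N) % N
    G0 = mul(a0, G)
    return (d0, d1, G0), (d2, d3, mul(a1, G0))  # (kept by first party, sent to second party)

def cosign(first, second, e):  # claims 5-7: both rounds; None means the parties must retry
    (d0, d1, G0), (d2, d3, G1) = first, second
    k0, k1, k2 = rand(), rand(), rand()  # k0 chosen by first party, k1/k2 by second party
    Q1 = mul(k0, G0)  # first party -> second party: e, Q1
    x, _ = add(mul(k1, Q1), mul(k2, G1))
    r = (x + e) % N
    s1, s2 = k1 * d2 % N, (r + k2) * d3 % N  # second party -> first party: r, s1, s2
    s = (d0 * k0 * s1 + d0 * d1 * r + s2) % N
    return None if s in (0, N - r) else (r, s)

def verify(pub, e, sig):  # plain SM2 verification against PA = [dA]G
    r, s = sig
    x, _ = add(mul(s, G), mul((r + s) % N, pub))
    return (e + x) % N == r
```

Because the second party never sees dA, d0 or d1, a verifier cannot tell this signature from one produced by a single holder of dA, which is what lets the scheme hide the private key.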
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810650042.8A CN108964923B (en) | 2018-06-22 | 2018-06-22 | Interactive SM2 signature method, system and terminal for hiding private key |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108964923A true CN108964923A (en) | 2018-12-07 |
CN108964923B CN108964923B (en) | 2021-07-20 |
Family
ID=64491527
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CP01 | Change in the name or title of a patent holder | Address after: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041 Patentee after: China Electronics Technology Network Security Technology Co.,Ltd. Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041 Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc. ||