CN108964923A - Interactive SM2 signature method, system and terminal with a hidden private key - Google Patents

Info

Publication number
CN108964923A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810650042.8A
Other languages
Chinese (zh)
Other versions
CN108964923B (en
Inventor
王现方
张立廷
潘文伦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electronics Technology Network Security Technology Co ltd
Original Assignee
Chengdu Westone Information Industry Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes

Abstract

The present invention relates to the field of security technology, and in particular to an interactive SM2 signature method, system and terminal with a hidden private key, comprising an initialization part and a main part. In the initialization part, the first communication party generates a private key $d_A$, generates four sub-private keys based on $d_A$, and generates two sub-base points based on the base point $G$; it then sends two of the four sub-private keys and one of the two sub-base points to the second communication party, and deletes the locally stored private key $d_A$ after the second communication party has received the data. In the main part, the first communication party generates a first partial signature from the locally stored sub-base point and sends it to the second communication party; the second communication party generates the second, third and fourth partial signatures from its locally stored sub-private keys and sub-base point and sends them to the first communication party; the first communication party generates the complete signature from the data sent by the second communication party and its own locally stored data. With the present invention, the core data, the private key $d_A$, is generated and held only by the private key owner, the first communication party.

Description

Interactive SM2 signature method, system and terminal with a hidden private key
Technical field
The present invention relates to the field of security technology, and in particular to an interactive SM2 signature method, system and terminal with a hidden private key.
Background
Digital signature and encryption/decryption technologies based on public-key cryptography are now widely used in applications such as e-commerce and identity authentication and have become important tools for ensuring information security; the security and use of the private key is the foundation of the security of these applications.
In general, the complete key information is needed when running a cryptographic algorithm, so the key has to be stored directly in memory. On terminals with weak protection this increases the risk of key loss: for example, loss of a mobile phone or eavesdropping on the computation can both lead to loss of the key. To improve private key security, the prior art proposes threshold cryptography, in which the private key is split and distributed across different physical devices so that the complete private key information is never stored or used directly. For example, in a (t, n) threshold group signature the private key is distributed among n members; t or more members can cooperate to complete a signature, while fewer than t members cannot.
CN 104243456B discloses a signature and decryption method and system based on the SM2 algorithm and suitable for cloud computing. Its main approach is that the first communication party and the second communication party generate the private key through key agreement; in the end each side holds only partial information related to the private key, and neither side knows the actual private key value. When a signature or decryption is needed, the two sides carry it out interactively.
In that scheme, however, the first and second communication parties hold equivalent information and the private key is generated by negotiation between them; the party responsible for the private key does not fully possess it, so in an electronic signature the scheme does not reflect the responsible party's sovereignty over the private key. In practice, the two communicating sides do not bear equal responsibility for the private key. The core data therefore needs to be divided unequally, so that one side holds more of the core data and the other holds less. What is needed is a signature method, system or terminal in which the party responsible for the private key keeps the initiative over it, and the two sides taking part in the signature cannot hold the core data on an equal footing.
Summary of the invention
In view of this, the present invention provides an interactive SM2 signature method with a hidden private key, where the elliptic curve used by SM2 has base point $G$ and order $n$. The method comprises:
First communication party:
Generate the private key $d_A$;
Based on the private key $d_A$, generate sub-private keys $d_0$, $d_1$, $d_2$ and $d_3$;
Generate sub-base points $G_0$ and $G_1$ based on the base point $G$;
Send sub-private keys $d_2$, $d_3$ and sub-base point $G_1$ to the second communication party;
Second communication party:
Receive and store the sub-private keys $d_2$, $d_3$ and sub-base point $G_1$ sent by the first communication party;
First communication party:
Delete the private key $d_A$, sub-private keys $d_2$, $d_3$ and sub-base point $G_1$;
Store sub-private keys $d_0$, $d_1$ and sub-base point $G_0$;
First communication party:
Obtain the message $M$ to be signed;
Generate the message digest $e$ of the message $M$ to be signed;
Generate the first partial signature $Q_1$ from the sub-base point $G_0$;
Send the message digest $e$ and the first partial signature $Q_1$ to the second communication party;
Second communication party:
Receive the message digest $e$ and the first partial signature $Q_1$ sent by the first communication party;
Generate the second partial signature $r$ from the first partial signature $Q_1$, the message digest $e$ and the sub-base point $G_1$; generate the third partial signature $s_1$ from sub-private key $d_2$; generate the fourth partial signature $s_2$ from sub-private key $d_3$;
Send the second partial signature $r$, the third partial signature $s_1$ and the fourth partial signature $s_2$ to the first communication party;
First communication party:
Receive the second partial signature $r$, the third partial signature $s_1$ and the fourth partial signature $s_2$ sent by the second communication party;
Generate the complete signature $(r, s)$ from sub-private keys $d_0$, $d_1$, the second partial signature $r$, the third partial signature $s_1$ and the fourth partial signature $s_2$.
Further, the first communication party generating the private key $d_A$ comprises: generating a random number and using the generated random number as the private key $d_A$.
Further, the first communication party generating sub-private keys $d_0$, $d_1$, $d_2$ and $d_3$ based on the private key $d_A$ comprises:
Generate random numbers $a_0$ and $a_1$, where $a_0, a_1 \in [1, n-1]$;
Calculate $d_0 = a_1/(1+d_A)$;
$d_1 = -(d_A/a_1 + a_0)$;
$d_2 = a_0/a_1$;
$d_3 = a_0 \times a_1/(1+d_A)$.
Further, the first communication party generating sub-base points $G_0$ and $G_1$ based on the base point $G$ comprises:
Calculate $G_0 = [a_0]G$;
$G_1 = [a_1]G_0$.
Further, the first communication party generating the message digest $e$ of the message $M$ to be signed and the first partial signature $Q_1$ from the sub-base point $G_0$ comprises:
The first communication party concatenates $Z$ and $M$ to form $M'$ and calculates $e = Hash(M')$, where $Z$ denotes the common identity of the first and second communication parties and $Hash()$ denotes a predetermined cryptographic hash function;
The first communication party generates a random number $k_0$, where $k_0 \in [1, n-1]$;
Calculate $Q_1 = [k_0]G_0$.
Further, the second communication party generating the second partial signature $r$ from the first partial signature $Q_1$, the message digest $e$ and the sub-base point $G_1$, generating the third partial signature $s_1$ from sub-private key $d_2$ and generating the fourth partial signature $s_2$ from sub-private key $d_3$ comprises:
Generate random numbers $k_1$ and $k_2$, where $k_1, k_2 \in [1, n-1]$;
Calculate $(x, y) = [k_1]Q_1 + [k_2]G_1$;
$r = (x + e) \bmod n$;
$s_1 = k_1 \times d_2 \bmod n$;
$s_2 = (r + k_2) \times d_3 \bmod n$.
Further, the first communication party generating and outputting the complete signature from sub-private keys $d_0$, $d_1$, the second partial signature $r$, the third partial signature $s_1$ and the fourth partial signature $s_2$ comprises:
Calculate $s = (d_0 \times k_0 \times s_1 + d_0 \times d_1 \times r + s_2) \bmod n$;
If $s$ is not equal to 0 and not equal to $n - r$, the first communication party outputs $(r, s)$ as the complete signature.
Correspondingly, the present invention also provides an interactive SM2 signature system with a hidden private key, where the elliptic curve used by SM2 has base point $G$ and order $n$. The system comprises a first communication party and a second communication party, wherein:
The first communication party is configured to: generate the private key $d_A$; generate sub-private keys $d_0$, $d_1$, $d_2$ and $d_3$ based on $d_A$; generate sub-base points $G_0$ and $G_1$ based on the base point $G$; send sub-private keys $d_2$, $d_3$ and sub-base point $G_1$ to the second communication party; delete the private key $d_A$, sub-private keys $d_2$, $d_3$ and sub-base point $G_1$; store sub-private keys $d_0$, $d_1$ and sub-base point $G_0$; obtain the message $M$ to be signed; generate the message digest $e$ of the message $M$; generate the first partial signature $Q_1$ from the sub-base point $G_0$; send the message digest $e$ and the first partial signature $Q_1$ to the second communication party; receive the second partial signature $r$, the third partial signature $s_1$ and the fourth partial signature $s_2$ sent by the second communication party; and generate the complete signature from $d_0$, $d_1$, $r$, $s_1$ and $s_2$;
The second communication party is configured to: receive and store the sub-private keys $d_2$, $d_3$ and sub-base point $G_1$ sent by the first communication party; receive the message digest $e$ and the first partial signature $Q_1$ sent by the first communication party; generate the second partial signature $r$ from $Q_1$, $e$ and the sub-base point $G_1$; generate the third partial signature $s_1$ from sub-private key $d_2$; generate the fourth partial signature $s_2$ from sub-private key $d_3$; and send $r$, $s_1$ and $s_2$ to the first communication party.
Correspondingly, the present invention also provides a terminal supporting SM2 signing, where the elliptic curve used by SM2 has base point $G$ and order $n$, comprising: a first generation module, a first sending module, a deletion module, a first storage module, an acquisition module, a second generation module, a second sending module, a first receiving module and a complete-signature generation module, wherein:
The first generation module is configured to generate the private key $d_A$, generate sub-private keys $d_0$, $d_1$, $d_2$ and $d_3$ based on $d_A$, and generate sub-base points $G_0$ and $G_1$ based on the base point $G$;
The first sending module is configured to send sub-private keys $d_2$, $d_3$ and sub-base point $G_1$;
The deletion module is configured to delete the private key $d_A$, sub-private keys $d_2$, $d_3$ and sub-base point $G_1$;
The first storage module is configured to store sub-private keys $d_0$, $d_1$ and sub-base point $G_0$;
The acquisition module is configured to obtain the message $M$ to be signed;
The second generation module is configured to generate the message digest $e$ of the message $M$ to be signed and to generate the first partial signature $Q_1$ from the sub-base point $G_0$;
The second sending module is configured to send the message digest $e$ and the first partial signature $Q_1$;
The first receiving module is configured to receive the second partial signature $r$, the third partial signature $s_1$ and the fourth partial signature $s_2$;
The complete-signature generation module is configured to generate the complete signature from sub-private keys $d_0$, $d_1$, the second partial signature $r$, the third partial signature $s_1$ and the fourth partial signature $s_2$.
Correspondingly, the present invention also provides a terminal comprising: a second receiving module, a second storage module, a third receiving module, a partial-signature generation module and a third sending module, wherein:
The second receiving module is configured to receive sub-private keys $d_2$, $d_3$ and sub-base point $G_1$;
The second storage module is configured to store sub-private keys $d_2$, $d_3$ and sub-base point $G_1$;
The third receiving module is configured to receive the message digest $e$ and the first partial signature $Q_1$;
The partial-signature generation module is configured to generate the second partial signature $r$ from the first partial signature $Q_1$, the message digest $e$ and the sub-base point $G_1$, to generate the third partial signature $s_1$ from sub-private key $d_2$, and to generate the fourth partial signature $s_2$ from sub-private key $d_3$;
The third sending module is configured to send the second partial signature $r$, the third partial signature $s_1$ and the fourth partial signature $s_2$.
Compared with the prior art, the technical solution of the present invention ensures that the core data, the private key $d_A$, is held only by the first communication party, and that the party responsible for the private key actively distributes parts of it to the other party, achieving the beneficial effect that the two sides taking part in the signature cannot hold the core data on an equal footing.
Brief description of the drawings
Fig. 1 is a flow chart of the interactive SM2 signature method with a hidden private key according to the present invention;
Fig. 2 is a flow chart of the initialization part of the interactive SM2 signature method with a hidden private key according to the present invention;
Fig. 3 is a flow chart of the main part of the interactive SM2 signature method with a hidden private key according to the present invention.
Detailed description
To help those skilled in the art better understand the technical solution of the present invention, the invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
The present invention provides an interactive SM2 signature method with a hidden private key. In one embodiment, the elliptic curve used by SM2 has base point $G$ and order $n$. Referring to Fig. 1, the signature method comprises an initialization part and a main part, wherein:
The initialization part of the SM2 signature method is:
First communication party:
Step 101: generate the private key $d_A$, preferably stored in ciphertext form;
Step 102: based on the private key $d_A$, generate sub-private keys $d_0$, $d_1$, $d_2$ and $d_3$;
Step 103: generate sub-base points $G_0$ and $G_1$ based on the base point $G$;
Step 104: send sub-private keys $d_2$, $d_3$ and sub-base point $G_1$ to the second communication party;
Second communication party:
Step 205: receive the sub-private keys $d_2$, $d_3$ and sub-base point $G_1$ sent by the first communication party;
Step 206: store sub-private keys $d_2$, $d_3$ and sub-base point $G_1$;
First communication party:
Step 107: delete the private key $d_A$, sub-private keys $d_2$, $d_3$ and sub-base point $G_1$;
Step 108: store sub-private keys $d_0$, $d_1$ and sub-base point $G_0$.
The main part of the SM2 signature method is:
First communication party:
Step 109: obtain the message $M$ to be signed;
Step 110: generate the message digest $e$ of the message $M$ to be signed;
Step 111: generate the first partial signature $Q_1$ from the sub-base point $G_0$;
Step 112: send the message digest $e$ and the first partial signature $Q_1$ to the second communication party;
Second communication party:
Step 213: receive the message digest $e$ and the first partial signature $Q_1$ sent by the first communication party;
Step 214: generate the second partial signature $r$ from the first partial signature $Q_1$, the message digest $e$ and the sub-base point $G_1$; generate the third partial signature $s_1$ from sub-private key $d_2$; generate the fourth partial signature $s_2$ from sub-private key $d_3$;
Step 215: send the second partial signature $r$, the third partial signature $s_1$ and the fourth partial signature $s_2$ to the first communication party;
First communication party:
Step 116: receive the second partial signature $r$, the third partial signature $s_1$ and the fourth partial signature $s_2$ sent by the second communication party;
Step 117: generate the complete signature $(r, s)$ from sub-private keys $d_0$, $d_1$, the second partial signature $r$, the third partial signature $s_1$ and the fourth partial signature $s_2$.
Preferably, after step 117 the first communication party also performs:
Step 118: output the message $M$ to be signed and the generated complete signature $(r, s)$.
Signature verification is the same as the verification process of the standard SM2 algorithm.
In this embodiment, the second communication party uses processed sub-private keys rather than the real private key corresponding to the encryption process. The private key is the core parameter of the SM2 algorithm, and its leakage has serious consequences. With this arrangement, the second communication party is prevented from directly obtaining the core data. On the one hand, an attacker cannot obtain the core data by attacking the second communication party; on the other hand, the second communication party is prevented from deliberately leaking the core data. In summary, the technical solution of the present invention ensures that the core data, the private key $d_A$, is held only by the first communication party, achieving the beneficial effect that the two sides taking part in the signature cannot hold the core data on an equal footing.
In addition, in this embodiment the first communication party deletes the sub-private keys as soon as they have been sent to the second communication party. The protection of the key is thereby shortened from the entire usage period to a very short time during initialization. The key information only needs to be protected during initialization; once initialization ends, the plaintext private key no longer appears in memory or in computation.
In addition, in this embodiment the second communication party receives its sub-private keys from the first communication party and does not generate them itself. In the prior art disclosed in CN 104243456B, the first and second communication parties each generate a random number as their own sub-private key. In that case the private key is negotiated, and the responsibility attached to the private key is borne by both sides. In the present application, the sub-private keys used by the second communication party are not generated by the second communication party but assigned to it by the first communication party, and the responsibility attached to the private key is borne by the party responsible for the private key. Compared with the aforementioned prior art, the present invention better meets the requirements of electronic signatures.
In addition, in this embodiment the first and second communication parties each hold two sub-private keys, and an attacker needs to steal both sub-private keys to be able to impersonate the second communication party. Compared with the aforementioned prior art, in which each side holds only one sub-private key, the present invention can therefore further improve the security of the second communication party.
In summary, the technical solution of the present invention can effectively ensure the security of interactive SM2 signing.
The implementation of the above interactive SM2 signature method with a hidden private key is described in detail below.
First, the steps of the initialization part are described in detail with reference to Fig. 2.
Step 101 comprises: generating a random number and using the generated random number as the private key $d_A$.
Step 102 comprises: generating random numbers $a_0$ and $a_1$, where $a_0, a_1 \in [1, n-1]$;
Calculate $d_0 = a_1/(1+d_A)$;
$d_1 = -(d_A/a_1 + a_0)$;
$d_2 = a_0/a_1$; $d_3 = a_0 \times a_1/(1+d_A)$.
Step 103 comprises: calculating $G_0 = [a_0]G$;
$G_1 = [a_1]G_0$;
where the operation $[a]G$ denotes point multiplication (scalar multiplication) on the elliptic curve.
Correspondingly, step 107 comprises: deleting the private key $d_A$, sub-private keys $d_2$, $d_3$, sub-base point $G_1$ and the random numbers $a_0$ and $a_1$. The deletion includes deleting the data from every storage medium of the first communication party, such as memory, cache and hard disk.
Next, the steps of the main part are described in detail with reference to Fig. 3.
Step 110 comprises: concatenating $Z$ and $M$ to form $M'$ and calculating $e = Hash(M')$, also written $e = Hash(Z \| M)$, where $Z$ denotes the common identity of the first and second communication parties and $Hash()$ denotes a predetermined cryptographic hash function.
Step 111 comprises: generating a random number $k_0$, where $k_0 \in [1, n-1]$; calculating $Q_1 = [k_0]G_0$.
Step 214 comprises: generating random numbers $k_1$ and $k_2$, where $k_1, k_2 \in [1, n-1]$;
Calculate $(x, y) = [k_1]Q_1 + [k_2]G_1$;
$r = (x + e) \bmod n$;
If $r = 0$,
regenerate the random numbers $k_1$, $k_2$ and recalculate $(x, y)$ and $r$ until $r \neq 0$;
If $r \neq 0$,
calculate $s_1 = k_1 \times d_2 \bmod n$;
$s_2 = (r + k_2) \times d_3 \bmod n$.
Step 117 comprises: calculating $s = (d_0 \times k_0 \times s_1 + d_0 \times d_1 \times r + s_2) \bmod n$;
If $s = 0$ or $s = r$, the related steps are re-executed until $s \neq 0$ and $s \neq r$.
If $s \neq 0$ and $s \neq r$, the first communication party uses $(r, s)$ as the complete signature.
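The following Python model of the initialization steps (101 to 108) and the signing exchange (109 to 117) is an added example, not code from the patent or its applicant; it runs both parties in one process and checks the result with standard SM2 verification. Assumptions: the "/" in the sub-key formulas is multiplication by the inverse mod n, the public key $P_A = [d_A]G$ is computed before $d_A$ is deleted (the page does not describe this step), SHA-256 stands in for the unspecified Hash, `Z_ID` is a constructed identity value, the final check uses the $s \neq n - r$ condition from the summary section, the second party's on-curve check of $Q_1$ is an added hardening step, and all function names are hypothetical.

```python
import hashlib
import secrets

# SM2 recommended curve y^2 = x^3 + A*x + B over GF(P); base point G has prime order N.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
Z_ID = b"constructed-common-identity"  # constructed stand-in for the identity Z

def on_curve(pt):
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Scalar multiplication [k]pt by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def rand_scalar():
    return secrets.randbelow(N - 1) + 1  # uniform in [1, n-1]

def init_split():
    """Steps 101-108, run by the first party. Returns (public key, state1, state2)."""
    d_a = secrets.randbelow(N - 2) + 1  # [1, n-2], so 1 + d_A is invertible mod n
    a0, a1 = rand_scalar(), rand_scalar()
    # Assumption: "/" in the page's formulas means the modular inverse mod n.
    inv_1pd, inv_a1 = pow(1 + d_a, -1, N), pow(a1, -1, N)
    d0 = a1 * inv_1pd % N
    d1 = -(d_a * inv_a1 + a0) % N
    d2 = a0 * inv_a1 % N
    d3 = a0 * a1 * inv_1pd % N
    g0 = mul(a0, G)
    g1 = mul(a1, g0)
    pub = mul(d_a, G)  # assumption: P_A is published before d_A is deleted
    # Step 107: d_a, a0, a1, d2, d3 and g1 are not kept by the first party.
    return pub, {"d0": d0, "d1": d1, "G0": g0}, {"d2": d2, "d3": d3, "G1": g1}

def digest(z, msg):
    # e = Hash(Z || M); SHA-256 is a stand-in, the page leaves Hash unspecified
    return int.from_bytes(hashlib.sha256(z + msg).digest(), "big")

def party1_start(st1):
    """Step 111: Q1 = [k0]G0."""
    k0 = rand_scalar()
    return k0, mul(k0, st1["G0"])

def party2_respond(st2, e, q1):
    """Step 214, plus an added on-curve check of the received point Q1."""
    if not on_curve(q1):
        raise ValueError("Q1 is not a point on the SM2 curve")
    while True:
        k1, k2 = rand_scalar(), rand_scalar()
        pt = add(mul(k1, q1), mul(k2, st2["G1"]))
        r = (pt[0] + e) % N if pt else 0
        if r != 0:
            return r, k1 * st2["d2"] % N, (r + k2) * st2["d3"] % N

def party1_finish(st1, k0, r, s1, s2):
    """Step 117: combine the partial signatures; None means 'run the round again'."""
    s = (st1["d0"] * k0 * s1 + st1["d0"] * st1["d1"] * r + s2) % N
    return None if s in (0, N - r) else (r, s)

def sign(st1, st2, msg):
    e = digest(Z_ID, msg)
    while True:
        k0, q1 = party1_start(st1)
        sig = party1_finish(st1, k0, *party2_respond(st2, e, q1))
        if sig:
            return sig

def sm2_verify(pub, msg, sig):
    """Standard SM2 verification: recompute r from [s]G + [r+s]P_A."""
    r, s = sig
    t = (r + s) % N
    if not (0 < r < N and 0 < s < N) or t == 0:
        return False
    pt = add(mul(s, G), mul(t, pub))
    return pt is not None and (digest(Z_ID, msg) + pt[0]) % N == r
```

Substituting the sub-key definitions into step 117 gives $s = (k - r d_A)/(1+d_A) \bmod n$ with $k = a_0(k_0 k_1 + a_1 k_2)$, which is why an unmodified SM2 verifier accepts the output even though neither party's stored state contains $d_A$.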
The above is only a preferred embodiment of the present invention. It should be noted that the preferred embodiment is not to be regarded as a limitation of the invention; the scope of protection of the invention is defined by the claims. A person of ordinary skill in the art may make several improvements and refinements without departing from the spirit and scope of the invention, and these improvements and refinements also fall within the scope of protection of the invention.

Claims (10)

1. An interactive SM2 signature method that hides the private key, the elliptic curve used by SM2 having a base point G and an order n, characterized in that the method comprises:
First communication party:
Generate a private key dA;
Generate sub-private key d0, sub-private key d1, sub-private key d2 and sub-private key d3 based on the private key dA;
Generate sub-base point G0 and sub-base point G1 based on the base point G;
Send sub-private key d2, sub-private key d3 and sub-base point G1 to the second communication party;
Second communication party:
Receive and store the sub-private key d2, sub-private key d3 and sub-base point G1 sent by the first communication party;
First communication party:
Delete the private key dA, sub-private key d2, sub-private key d3 and sub-base point G1;
Store sub-private key d0, sub-private key d1 and sub-base point G0;
First communication party:
Obtain the message M to be signed;
Generate the message digest e of the message M to be signed;
Generate the first partial signature Q1 according to sub-base point G0;
Send the message digest e and the first partial signature Q1 to the second communication party;
Second communication party:
Receive the message digest e and the first partial signature Q1 sent by the first communication party;
Generate the second partial signature r according to the first partial signature Q1, the message digest e and sub-base point G1; generate the third partial signature s1 according to sub-private key d2; generate the fourth partial signature s2 according to sub-private key d3;
Send the second partial signature r, the third partial signature s1 and the fourth partial signature s2 to the first communication party;
First communication party:
Receive the second partial signature r, the third partial signature s1 and the fourth partial signature s2 sent by the second communication party;
Generate the complete signature (r, s) according to sub-private key d0, sub-private key d1, the second partial signature r, the third partial signature s1 and the fourth partial signature s2.
2. The method according to claim 1, characterized in that the first communication party generating the private key dA comprises: generating a random number and using the generated random number as the private key dA.
3. The method according to claim 2, characterized in that the first communication party generating sub-private key d0, sub-private key d1, sub-private key d2 and sub-private key d3 based on the private key dA comprises:
Generate random number a0 and random number a1, where a0, a1 ∈ [1, n-1];
Calculate d0 = a1/(1+dA);
d1 = -(dA/a1 + a0);
d2 = a0/a1;
d3 = a0×a1/(1+dA).
4. The method according to claim 3, characterized in that the first communication party generating sub-base point G0 and sub-base point G1 based on the base point G comprises:
Calculate G0 = [a0]G;
G1 = [a1]G0.
5. The method according to claim 1, characterized in that the first communication party generating the message digest e of the message M to be signed and the first partial signature Q1 according to sub-base point G0 comprises:
The first communication party concatenates Z and M to form M′ and calculates e = Hash(M′), where Z denotes the common identity of the first communication party and the second communication party, and Hash() denotes a predetermined cryptographic hash function;
The first communication party generates random number k0, where k0 ∈ [1, n-1];
Calculate Q1 = [k0]G0.
6. The method according to claim 5, characterized in that the second communication party generating the second partial signature r according to the first partial signature Q1, the message digest e and sub-base point G1, generating the third partial signature s1 according to sub-private key d2, and generating the fourth partial signature s2 according to sub-private key d3 comprises:
Generate random number k1 and random number k2, where k1, k2 ∈ [1, n-1];
Calculate (x, y) = [k1]Q1 + [k2]G1;
r = (x + e) mod n;
s1 = k1×d2 mod n;
s2 = (r + k2)×d3 mod n.
7. The method according to claim 6, characterized in that the first communication party generating the complete signature according to sub-private key d0, sub-private key d1, the second partial signature r, the third partial signature s1 and the fourth partial signature s2, and outputting it, comprises:
Calculate s = (d0×k0×s1 + d0×d1×r + s2) mod n;
If s is not equal to 0 and is not equal to n-r, the first communication party outputs (r, s) as the complete signature.
8. An interactive SM2 signature system that hides the private key, the elliptic curve used by SM2 having a base point G and an order n, characterized in that the system comprises a first communication party and a second communication party, wherein
The first communication party is configured to: generate a private key dA; generate sub-private key d0, sub-private key d1, sub-private key d2 and sub-private key d3 based on the private key dA; generate sub-base point G0 and sub-base point G1 based on the base point G; send sub-private key d2, sub-private key d3 and sub-base point G1 to the second communication party; delete the private key dA, sub-private key d2, sub-private key d3 and sub-base point G1; store sub-private key d0, sub-private key d1 and sub-base point G0; obtain the message M to be signed; generate the message digest e of the message M to be signed; generate the first partial signature Q1 according to sub-base point G0; send the message digest e and the first partial signature Q1 to the second communication party; receive the second partial signature r, the third partial signature s1 and the fourth partial signature s2 sent by the second communication party; and generate the complete signature according to sub-private key d0, sub-private key d1, the second partial signature r, the third partial signature s1 and the fourth partial signature s2;
The second communication party is configured to: receive and store the sub-private key d2, sub-private key d3 and sub-base point G1 sent by the first communication party; receive the message digest e and the first partial signature Q1 sent by the first communication party; generate the second partial signature r according to the first partial signature Q1, the message digest e and sub-base point G1; generate the third partial signature s1 according to sub-private key d2; generate the fourth partial signature s2 according to sub-private key d3; and send the second partial signature r, the third partial signature s1 and the fourth partial signature s2 to the first communication party.
9. A terminal supporting SM2 signatures, the elliptic curve used by SM2 having a base point G and an order n, characterized in that it comprises: a first generation module, a first sending module, a deletion module, a first storage module, an acquisition module, a second generation module, a second sending module, a first receiving module and a complete signature generation module, wherein
The first generation module is configured to generate a private key dA, to generate sub-private key d0, sub-private key d1, sub-private key d2 and sub-private key d3 based on the private key dA, and to generate sub-base point G0 and sub-base point G1 based on the base point G;
The first sending module is configured to send sub-private key d2, sub-private key d3 and sub-base point G1;
The deletion module is configured to delete the private key dA, sub-private key d2, sub-private key d3 and sub-base point G1;
The first storage module is configured to store sub-private key d0, sub-private key d1 and sub-base point G0;
The acquisition module is configured to obtain the message M to be signed;
The second generation module is configured to generate the message digest e of the message M to be signed and to generate the first partial signature Q1 according to sub-base point G0;
The second sending module is configured to send the message digest e and the first partial signature Q1;
The first receiving module is configured to receive the second partial signature r, the third partial signature s1 and the fourth partial signature s2;
The complete signature generation module is configured to generate the complete signature according to sub-private key d0, sub-private key d1, the second partial signature r, the third partial signature s1 and the fourth partial signature s2.
10. A terminal, characterized in that it comprises: a second receiving module, a second storage module, a third receiving module, a partial signature generation module and a third sending module, wherein
The second receiving module is configured to receive sub-private key d2, sub-private key d3 and sub-base point G1;
The second storage module is configured to store sub-private key d2, sub-private key d3 and sub-base point G1;
The third receiving module is configured to receive the message digest e and the first partial signature Q1;
The partial signature generation module is configured to generate the second partial signature r according to the first partial signature Q1, the message digest e and sub-base point G1, to generate the third partial signature s1 according to sub-private key d2, and to generate the fourth partial signature s2 according to sub-private key d3;
The third sending module is configured to send the second partial signature r, the third partial signature s1 and the fourth partial signature s2.
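
The exchange in claims 1 to 7 can be checked end to end. The sketch below is an added example, not part of the patent text: it runs both parties' steps on the SM2 recommended curve and confirms that the combined (r, s) passes ordinary single-party SM2 verification against the public key [dA]G. Assumptions: SHA-256 stands in for Hash() (SM2 normally uses SM3), Z is a constructed byte string, dA is drawn from [1, n-2] so that 1+dA is invertible, and all function names are hypothetical.

```python
import hashlib, secrets
# SM2 recommended curve y^2 = x^3 + a*x + b over F_p; base point G has prime order n
p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
a, n = p - 3, 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
inv = lambda x: pow(x, -1, n)
rand = lambda: secrets.randbelow(n - 1) + 1           # uniform in [1, n-1]
H = lambda M: int.from_bytes(hashlib.sha256(b"constructed-Z" + M).digest(), "big")  # e = Hash(Z || M)

def add(P, Q):                                        # affine addition; None = point at infinity
    if P is None or Q is None: return P or Q
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None
    lam = ((3 * P[0] * P[0] + a) * pow(2 * P[1], -1, p) if P == Q
           else (Q[1] - P[1]) * pow((Q[0] - P[0]) % p, -1, p)) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return x, (lam * (P[0] - x) - P[1]) % p

def mul(k, P):                                        # double-and-add; not constant time
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def keygen():                                         # claims 2-4, run by the first party
    dA, a0, a1 = secrets.randbelow(n - 2) + 1, rand(), rand()
    d0, d1 = a1 * inv(1 + dA) % n, -(dA * inv(a1) + a0) % n
    d2, d3 = a0 * inv(a1) % n, a0 * a1 * inv(1 + dA) % n
    G0 = mul(a0, G); G1 = mul(a1, G0)
    return (d0, d1, G0), (d2, d3, G1), mul(dA, G)     # party-1 store, party-2 store, public key

def cosign(st1, st2, M):                              # claims 5-7; both roles inlined for the demo
    (d0, d1, G0), (d2, d3, G1) = st1, st2
    while True:
        e, k0 = H(M), rand(); Q1 = mul(k0, G0)        # party 1 sends (e, Q1)
        k1, k2 = rand(), rand()                       # party 2
        R = add(mul(k1, Q1), mul(k2, G1))
        if R is None: continue
        r = (R[0] + e) % n
        s1, s2 = k1 * d2 % n, (r + k2) * d3 % n       # party 2 sends (r, s1, s2)
        s = (d0 * k0 * s1 + d0 * d1 * r + s2) % n     # party 1 combines
        if r and s and s != n - r: return r, s        # r != 0 is the standard SM2 check, not in claim 7

def verify(P, M, sig):                                # ordinary single-party SM2 verification
    r, s = sig; t = (r + s) % n
    if not (0 < r < n and 0 < s < n and t): return False
    R = add(mul(s, G), mul(t, P))
    return R is not None and (H(M) + R[0]) % n == r
```

Verification succeeds because [k1]Q1 + [k2]G1 = [a0(k0k1 + a1k2)]G and the combined s reduces to (k - r·dA)/(1 + dA) mod n with k = a0(k0k1 + a1k2), which is the standard SM2 signing equation; neither stored share set contains dA itself.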
CN201810650042.8A 2018-06-22 2018-06-22 Interactive SM2 signature method, system and terminal for hiding private key Active CN108964923B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810650042.8A CN108964923B (en) 2018-06-22 2018-06-22 Interactive SM2 signature method, system and terminal for hiding private key

Publications (2)

Publication Number Publication Date
CN108964923A true CN108964923A (en) 2018-12-07
CN108964923B CN108964923B (en) 2021-07-20

Family

ID=64491527

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810650042.8A Active CN108964923B (en) 2018-06-22 2018-06-22 Interactive SM2 signature method, system and terminal for hiding private key

Country Status (1)

Country Link
CN (1) CN108964923B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.

Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.
