CN108964923B - Interactive SM2 signature method, system and terminal for hiding private key - Google Patents


Info

Publication number
CN108964923B
CN108964923B CN201810650042.8A CN201810650042A CN108964923B CN 108964923 B CN108964923 B CN 108964923B CN 201810650042 A CN201810650042 A CN 201810650042A CN 108964923 B CN108964923 B CN 108964923B
Authority
CN
China
Prior art keywords
private key
sub
generating
signature
partial signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810650042.8A
Other languages
Chinese (zh)
Other versions
CN108964923A (en
Inventor
王现方
张立廷
潘文伦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electronics Technology Network Security Technology Co ltd
Original Assignee
Chengdu Westone Information Industry Inc
Application filed by Chengdu Westone Information Industry Inc filed Critical Chengdu Westone Information Industry Inc
Priority to CN201810650042.8A priority Critical patent/CN108964923B/en
Publication of CN108964923A publication Critical patent/CN108964923A/en
Application granted granted Critical
Publication of CN108964923B publication Critical patent/CN108964923B/en
Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to the technical field of security, and in particular to an interactive SM2 signature method, system and terminal for hiding a private key, comprising an initialization part and a main part. In the initialization part, the first communication party generates a private key $d_A$, generates four sub-private keys based on the private key $d_A$, and generates two sub-base points based on the base point G; it then sends two of the four sub-private keys and one of the two sub-base points to a second communication party, and deletes the locally stored private key $d_A$ after the second communication party has received the data. In the main part, the first communication party generates a first partial signature according to a locally stored sub-base point and sends the first partial signature to the second communication party; the second communication party generates the second, third and fourth partial signatures according to its locally stored sub-private keys and sub-base point, and sends them to the first communication party; the first communication party generates the complete signature from the data sent by the second communication party and its locally stored data. With the invention, the core data, the private key $d_A$, is generated and held only by the first communication party, which is the party responsible for the private key.

Description

Interactive SM2 signature method, system and terminal for hiding private key
Technical Field
The invention relates to the technical field of security, in particular to a signature method, a system and a terminal of an interactive SM2 algorithm for hiding a private key.
Background
At present, digital signature and encryption and decryption technologies based on public key cryptography are widely applied to applications such as electronic commerce and identity authentication, and become important tools for ensuring information security, and the security and the use of private keys are the basis for ensuring the application security.
Generally, when a cryptographic algorithm is run, complete key information needs to be called, so that the key needs to be directly stored in a memory. This increases the risk of key loss on terminals with less protection. For example, the loss of the mobile phone, the interception of the algorithm operation process, and the like can cause the loss of the key. In order to improve the security of the private key, an algorithm called threshold cryptography is proposed in the prior art, that is, the private key is split and distributed in different physical devices, so as to avoid direct storage and use of all private key information. For example, in a (t, n) threshold signature scheme, the private key may be distributed among n members, and t or more members may cooperate to complete the signature, but less than t members may not complete the signature.
CN 104243456B discloses a signature and decryption method and system based on SM2 algorithm, which are suitable for cloud computing. The main method comprises the following steps: the first communication party and the second communication party generate private keys through key agreement, and finally, the two parties only master partial information related to the private keys and do not master specific private key values. When signature or decryption is needed, the two parties can be realized through interaction.
However, in the above technical solution the first and second communication parties hold the same amount of information and the private key is generated by negotiation between them; the party responsible for the private key does not fully own it, and that party's ownership of the private key is not reflected in the electronic signature. In practice, the responsibilities that the two communication parties bear for the private key are not equal. It is therefore necessary to divide the core data unequally, so that one party holds more of the core data and the other holds less. A signature method, system or terminal is thus needed in which the party responsible for the private key has the initiative over the private key and the two parties participating in the signature hold the core data unequally.
Disclosure of Invention
In view of the above, the present invention provides an interactive SM2 signature method for hiding a private key, where an elliptic curve used by the SM2 has a base point G and an order n, and the method includes:
the first communication party:
generating a private key $d_A$;
generating sub-private keys $d_0$, $d_1$, $d_2$ and $d_3$ based on the private key $d_A$;
generating sub-base points $G_0$ and $G_1$ based on the base point G;
sending the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$ to a second communication party;
the second communication party:
receiving and storing the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$ sent by the first communication party;
the first communication party:
deleting the private key $d_A$, the sub-private keys $d_2$ and $d_3$, and the sub-base point $G_1$;
storing the sub-private keys $d_0$ and $d_1$ and the sub-base point $G_0$;
the first communication party:
acquiring a message M to be signed;
generating a message digest e of the message M to be signed;
generating a first partial signature $Q_1$ according to the sub-base point $G_0$;
sending the message digest e and the first partial signature $Q_1$ to the second communication party;
the second communication party:
receiving the message digest e and the first partial signature $Q_1$ sent by the first communication party;
generating a second partial signature r according to the first partial signature $Q_1$, the message digest e and the sub-base point $G_1$, generating a third partial signature $s_1$ according to the sub-private key $d_2$, and generating a fourth partial signature $s_2$ according to the sub-private key $d_3$;
sending the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ to the first communication party;
the first communication party:
receiving the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ sent by the second communication party;
generating a complete signature (r, s) according to the sub-private keys $d_0$ and $d_1$, the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$.
Further, the first communication party generating the private key $d_A$ comprises: generating a random number, and using the generated random number as the private key $d_A$.
Further, the first communication party generating the sub-private keys $d_0$, $d_1$, $d_2$ and $d_3$ based on the private key $d_A$ comprises:
generating a random number $a_0$ and a random number $a_1$, where $a_0, a_1 \in [1, n-1]$;
calculating $d_0 = a_1/(1+d_A)$;
$d_1 = -(d_A/a_1 + a_0)$;
$d_2 = a_0/a_1$;
$d_3 = a_0 \times a_1/(1+d_A)$.
Further, the first communication party generating the sub-base points $G_0$ and $G_1$ based on the base point G comprises:
calculating $G_0 = [a_0]G$;
$G_1 = [a_1]G_0$.
Further, the first communication party generating the message digest e of the message M to be signed and generating the first partial signature $Q_1$ according to the sub-base point $G_0$ comprises:
the first communication party concatenates Z and M to form M', and calculates $e = \mathrm{Hash}(M')$, where Z represents the common identity of the first communication party and the second communication party, and Hash() represents a predetermined cryptographic hash function;
the first communication party generates a random number $k_0$, where $k_0 \in [1, n-1]$;
calculating $Q_1 = [k_0]G_0$.
Further, the second communication party generating the second partial signature r according to the first partial signature $Q_1$, the message digest e and the sub-base point $G_1$, generating the third partial signature $s_1$ according to the sub-private key $d_2$, and generating the fourth partial signature $s_2$ according to the sub-private key $d_3$ comprises:
generating a random number $k_1$ and a random number $k_2$, where $k_1, k_2 \in [1, n-1]$;
calculating $(x, y) = [k_1]Q_1 + [k_2]G_1$;
$r = (x + e) \bmod n$;
$s_1 = k_1 \times d_2 \bmod n$;
$s_2 = (r + k_2) \times d_3 \bmod n$.
Further, the first communication party generating and outputting the complete signature according to the sub-private keys $d_0$ and $d_1$, the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ comprises:
calculating $s = (d_0 \times k_0 \times s_1 + d_0 \times d_1 \times r + s_2) \bmod n$;
if s is not equal to 0 and not equal to n − r, the first communication party outputs (r, s) as the complete signature.
Accordingly, the present invention also provides an interactive SM2 signature system hiding private keys, the SM2 using elliptic curves having a base point G and an order n, the system comprising: a first party and a second party, wherein,
the first communication party is configured to: generate a private key $d_A$; generate sub-private keys $d_0$, $d_1$, $d_2$ and $d_3$ based on the private key $d_A$; generate sub-base points $G_0$ and $G_1$ based on the base point G; send the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$ to the second communication party; delete the private key $d_A$, the sub-private keys $d_2$ and $d_3$, and the sub-base point $G_1$; store the sub-private keys $d_0$ and $d_1$ and the sub-base point $G_0$; acquire a message M to be signed; generate a message digest e of the message M to be signed; generate a first partial signature $Q_1$ according to the sub-base point $G_0$; send the message digest e and the first partial signature $Q_1$ to the second communication party; receive the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ sent by the second communication party; and generate a complete signature according to the sub-private keys $d_0$ and $d_1$, the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$;
the second communication party is configured to: receive and store the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$ sent by the first communication party; receive the message digest e and the first partial signature $Q_1$ sent by the first communication party; generate a second partial signature r according to the first partial signature $Q_1$, the message digest e and the sub-base point $G_1$, generate a third partial signature $s_1$ according to the sub-private key $d_2$, and generate a fourth partial signature $s_2$ according to the sub-private key $d_3$; and send the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ to the first communication party.
Accordingly, the present invention also provides a terminal supporting SM2 signature, wherein an elliptic curve used by the SM2 has a base point G and an order n, and comprises: a first generating module, a first sending module, a deleting module, a first storing module, an obtaining module, a second generating module, a second sending module, a first receiving module and a complete signature generating module,
the first generation module is used for generating a private key $d_A$, generating sub-private keys $d_0$, $d_1$, $d_2$ and $d_3$ based on the private key $d_A$, and generating sub-base points $G_0$ and $G_1$ based on the base point G;
the first sending module is used for sending the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$;
the deleting module is used for deleting the private key $d_A$, the sub-private keys $d_2$ and $d_3$, and the sub-base point $G_1$;
the first storage module is used for storing the sub-private keys $d_0$ and $d_1$ and the sub-base point $G_0$;
the acquisition module is used for acquiring a message M to be signed;
the second generating module is used for generating the message digest e of the message M to be signed and generating a first partial signature $Q_1$ according to the sub-base point $G_0$;
the second sending module is used for sending the message digest e and the first partial signature $Q_1$;
the first receiving module is used for receiving a second partial signature r, a third partial signature $s_1$ and a fourth partial signature $s_2$;
the complete signature generation module is used for generating a complete signature according to the sub-private keys $d_0$ and $d_1$, the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$.
Correspondingly, the invention also provides a terminal, comprising: a second receiving module, a second storage module, a third receiving module, a partial signature generating module and a third sending module, wherein,
the second receiving module is used for receiving the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$;
the second storage module is used for storing the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$;
the third receiving module is used for receiving the message digest e and the first partial signature $Q_1$;
the partial signature generation module is used for generating a second partial signature r according to the first partial signature $Q_1$, the message digest e and the sub-base point $G_1$, generating a third partial signature $s_1$ according to the sub-private key $d_2$, and generating a fourth partial signature $s_2$ according to the sub-private key $d_3$;
the third sending module is used for sending the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$.
Compared with the prior art, the technical solution of the invention ensures that the core data, the private key $d_A$, is held only by the first communication party, and the party responsible for the private key actively splits the private key and distributes part of it to the other party, so that the two parties participating in the signature hold the core data unequally.
Drawings
Fig. 1 is a flow chart of an interactive SM2 signature method for hiding private keys according to the present invention;
fig. 2 is a flow chart of an initialization portion of an interactive SM2 signing method of the present invention hiding private keys;
fig. 3 is a flow chart of the main part of an interactive SM2 signing method of hiding private keys according to the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood by those skilled in the art, the present invention will be further described in detail with reference to the accompanying drawings and specific embodiments.
The present invention provides an interactive SM2 signature method that hides private keys, in one embodiment, the elliptic curve used by SM2 has a base point G and an order n. Referring to fig. 1, the signature method of the present invention includes specific steps of an initialization part and a body part, wherein,
the initialization part of the SM2 signature method is:
the first communication party:
Step 101: generating a private key $d_A$, preferably in ciphertext form;
Step 102: generating sub-private keys $d_0$, $d_1$, $d_2$ and $d_3$ based on the private key $d_A$;
Step 103: generating sub-base points $G_0$ and $G_1$ based on the base point G;
Step 104: sending the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$ to the second communication party;
the second communication party:
Step 205: receiving the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$ sent by the first communication party;
Step 206: storing the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$;
the first communication party:
Step 107: deleting the private key $d_A$, the sub-private keys $d_2$ and $d_3$, and the sub-base point $G_1$;
Step 108: storing the sub-private keys $d_0$ and $d_1$ and the sub-base point $G_0$.
The main part of the SM2 signature method is:
the first communication party:
Step 109: acquiring a message M to be signed;
Step 110: generating a message digest e of the message M to be signed;
Step 111: generating a first partial signature $Q_1$ according to the sub-base point $G_0$;
Step 112: sending the message digest e and the first partial signature $Q_1$ to the second communication party;
the second communication party:
Step 213: receiving the message digest e and the first partial signature $Q_1$ sent by the first communication party;
Step 214: generating a second partial signature r according to the first partial signature $Q_1$, the message digest e and the sub-base point $G_1$, generating a third partial signature $s_1$ according to the sub-private key $d_2$, and generating a fourth partial signature $s_2$ according to the sub-private key $d_3$;
Step 215: sending the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ to the first communication party;
the first communication party:
Step 116: receiving the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ sent by the second communication party;
Step 117: generating a complete signature (r, s) according to the sub-private keys $d_0$ and $d_1$, the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$.
Preferably, the first communication party further comprises after step 117:
step 118: and outputting the message M to be signed and the generated complete signature (r, s).
The signature verification process is the same as that of the standard SM2 algorithm.
In this embodiment, the second communication party uses processed sub-private keys rather than the true private key corresponding to the encryption process. The private key is the core parameter of the SM2 algorithm, and its leakage would have serious consequences. With this arrangement, the invention prevents the second communication party from directly obtaining the core data. On the one hand, an attacker cannot obtain the core data by attacking the second communication party; on the other hand, the second communication party is prevented from intentionally and actively revealing the core data. In summary, the technical solution of the invention ensures that the core data, the private key $d_A$, is held only by the first communication party, so that the two parties participating in the signature hold the core data unequally.
Furthermore, in this embodiment, the first communication party deletes the sub-private keys after sending them to the second communication party. The period during which the key must be protected is thereby shortened from the key's entire period of use to the short duration of the initialization process. That is, the key information needs to be protected only during initialization; once initialization is finished, the plaintext of the private key no longer appears in memory or in any computation.
Further, in this embodiment, the second communication party receives its sub-private keys from the first communication party and does not generate them itself. In the prior art disclosed in CN 104243456B, the first communication party and the second communication party each generate random numbers as their own sub-private keys. In that prior art, the private key is negotiated, and both parties bear the responsibility attached to the private key. In the present invention, the sub-private keys used by the second communication party are not generated by the second communication party but are assigned to it by the first communication party, and the responsibility for the private key is borne by the party responsible for the private key. Compared with the prior art, the invention better meets the requirements of electronic signatures.
Furthermore, in this embodiment, the first communication party and the second communication party each hold two sub-private keys, and an attacker needs to steal both sub-private keys to be able to masquerade as the second communication party. Thus, the present invention may further improve the security of the second communication party compared to the aforementioned prior art where each party only holds one sub-private key.
In conclusion, the technical solution of the invention can effectively ensure the security of the interactive SM2 signature.
The following describes an implementation method of the above interactive SM2 signature method for hiding a private key specifically:
first, referring to fig. 2, fig. 2 describes the implementation steps of the initialization part in detail.
Step 101 comprises: generating a random number, and using the generated random number as the private key $d_A$.
Step 102 comprises: generating a random number $a_0$ and a random number $a_1$, where $a_0, a_1 \in [1, n-1]$;
calculating $d_0 = a_1/(1+d_A)$;
$d_1 = -(d_A/a_1 + a_0)$;
$d_2 = a_0/a_1$; $d_3 = a_0 \times a_1/(1+d_A)$.
Step 103 comprises: calculating $G_0 = [a_0]G$;
$G_1 = [a_1]G_0$.
Here the operation $[a]G$ denotes the multiple-point (scalar multiplication) operation on the elliptic curve.
Accordingly, step 107 comprises: deleting the private key $d_A$, the sub-private keys $d_2$ and $d_3$, the sub-base point $G_1$, the random number $a_0$ and the random number $a_1$. The deletion includes deleting the data from any storage medium of the first communication party, such as memory, cache and hard disk.
Next, referring to fig. 3, fig. 3 describes the implementation steps of the main body portion in detail.
Step 110 comprises: concatenating Z and M to form M', and calculating $e = \mathrm{Hash}(M')$; or $e = \mathrm{Hash}(Z \| M)$. Here Z represents an identity common to the first and second communication parties, and Hash() represents a predetermined cryptographic hash function.
Step 111 comprises: generating a random number $k_0$, where $k_0 \in [1, n-1]$; calculating $Q_1 = [k_0]G_0$.
Step 214 comprises: generating a random number $k_1$ and a random number $k_2$, where $k_1, k_2 \in [1, n-1]$;
calculating $(x, y) = [k_1]Q_1 + [k_2]G_1$;
$r = (x + e) \bmod n$;
if r = 0, regenerating the random numbers $k_1$ and $k_2$ and recalculating (x, y) and r until r ≠ 0;
if r ≠ 0, calculating $s_1 = k_1 \times d_2 \bmod n$;
$s_2 = (r + k_2) \times d_3 \bmod n$.
Step 117 comprises: calculating $s = (d_0 \times k_0 \times s_1 + d_0 \times d_1 \times r + s_2) \bmod n$;
if s = 0 or s = n − r, the associated steps are re-executed until s ≠ 0 and s ≠ n − r.
If s ≠ 0 and s ≠ n − r, the first communication party takes (r, s) as the complete signature.
Accordingly, the present invention also provides an interactive SM2 signature system hiding private keys, the SM2 using elliptic curves having a base point G and an order n, the system comprising: a first party and a second party, wherein,
the first communication party is configured to: generate a private key $d_A$; generate sub-private keys $d_0$, $d_1$, $d_2$ and $d_3$ based on the private key $d_A$; generate sub-base points $G_0$ and $G_1$ based on the base point G; send the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$ to the second communication party; delete the private key $d_A$, the sub-private keys $d_2$ and $d_3$, and the sub-base point $G_1$; store the sub-private keys $d_0$ and $d_1$ and the sub-base point $G_0$; acquire a message M to be signed; generate a message digest e of the message M to be signed; generate a first partial signature $Q_1$ according to the sub-base point $G_0$; send the message digest e and the first partial signature $Q_1$ to the second communication party; receive the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ sent by the second communication party; and generate a complete signature according to the sub-private keys $d_0$ and $d_1$, the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$;
the second communication party is configured to: receive and store the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$ sent by the first communication party; receive the message digest e and the first partial signature $Q_1$ sent by the first communication party; generate a second partial signature r according to the first partial signature $Q_1$, the message digest e and the sub-base point $G_1$, generate a third partial signature $s_1$ according to the sub-private key $d_2$, and generate a fourth partial signature $s_2$ according to the sub-private key $d_3$; and send the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ to the first communication party.
Accordingly, the present invention also provides a terminal supporting SM2 signature, wherein an elliptic curve used by the SM2 has a base point G and an order n, and comprises: a first generating module, a first sending module, a deleting module, a first storing module, an obtaining module, a second generating module, a second sending module, a first receiving module and a complete signature generating module,
the first generation module is used for generating a private key $d_A$, generating sub-private keys $d_0$, $d_1$, $d_2$ and $d_3$ based on the private key $d_A$, and generating sub-base points $G_0$ and $G_1$ based on the base point G;
the first sending module is used for sending the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$;
the deleting module is used for deleting the private key $d_A$, the sub-private keys $d_2$ and $d_3$, and the sub-base point $G_1$;
the first storage module is used for storing the sub-private keys $d_0$ and $d_1$ and the sub-base point $G_0$;
the acquisition module is used for acquiring a message M to be signed;
the second generating module is used for generating the message digest e of the message M to be signed and generating a first partial signature $Q_1$ according to the sub-base point $G_0$;
the second sending module is used for sending the message digest e and the first partial signature $Q_1$;
the first receiving module is used for receiving a second partial signature r, a third partial signature $s_1$ and a fourth partial signature $s_2$;
the complete signature generation module is used for generating a complete signature according to the sub-private keys $d_0$ and $d_1$, the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$.
Correspondingly, the invention also provides a terminal, comprising: a second receiving module, a second storage module, a third receiving module, a partial signature generating module and a third sending module, wherein,
the second receiving module is used for receiving the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$;
the second storage module is used for storing the sub-private keys $d_2$ and $d_3$ and the sub-base point $G_1$;
the third receiving module is used for receiving the message digest e and the first partial signature $Q_1$;
the partial signature generation module is used for generating a second partial signature r according to the first partial signature $Q_1$, the message digest e and the sub-base point $G_1$, generating a third partial signature $s_1$ according to the sub-private key $d_2$, and generating a fourth partial signature $s_2$ according to the sub-private key $d_3$;
the third sending module is used for sending the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$.
The above is only a preferred embodiment of the present invention, and it should be noted that the above preferred embodiment should not be considered as limiting the present invention, and the protection scope of the present invention should be subject to the scope defined by the claims. It will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the spirit and scope of the invention, and these modifications and adaptations should be considered within the scope of the invention.

Claims (9)

1. An interactive SM2 signing method hiding private keys, the SM2 using elliptic curves having a base point G and an order n, the method comprising:
the first communication party:
generating a private key $d_A$;
generating a sub-private key $d_0$, a sub-private key $d_1$, a sub-private key $d_2$ and a sub-private key $d_3$ based on the private key $d_A$;
generating a sub-base point $G_0$ and a sub-base point $G_1$ based on the base point G;
sending the sub-private key $d_2$, the sub-private key $d_3$ and the sub-base point $G_1$ to a second communication party;
the second communication party:
receiving and storing the sub-private key $d_2$, the sub-private key $d_3$ and the sub-base point $G_1$ sent by the first communication party;
the first communication party:
deleting the private key $d_A$, the sub-private key $d_2$, the sub-private key $d_3$ and the sub-base point $G_1$;
storing the sub-private key $d_0$, the sub-private key $d_1$ and the sub-base point $G_0$;
The first communication party:
acquiring a message M to be signed;
generating a message digest e of a message M to be signed;
generating a first partial signature $Q_1$ according to the sub-base point $G_0$;
sending the message digest e and the first partial signature $Q_1$ to the second communication party;
the second communication party:
receiving the message digest e and the first partial signature $Q_1$ sent by the first communication party;
generating a second partial signature r according to the first partial signature $Q_1$, the message digest e and the sub-base point $G_1$, generating a third partial signature $s_1$ according to the sub-private key $d_2$, and generating a fourth partial signature $s_2$ according to the sub-private key $d_3$;
sending the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ to the first communication party;
the first communication party:
receiving the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ sent by the second communication party;
generating a full signature (r, s) according to the sub-private key $d_0$, the sub-private key $d_1$, the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$;
wherein the first communication party generating the sub-private key $d_0$, the sub-private key $d_1$, the sub-private key $d_2$ and the sub-private key $d_3$ based on the private key $d_A$ comprises:
generating a random number $a_0$ and a random number $a_1$, wherein $a_0, a_1 \in [1, n-1]$;
calculating $d_0 = a_1/(1+d_A)$; $d_1 = -(d_A/a_1 + a_0)$; $d_2 = a_0/a_1$; $d_3 = a_0 \times a_1/(1+d_A)$.
2. The method of claim 1, wherein the first party generating the private key $d_A$ comprises: generating a random number, and using the generated random number as the private key $d_A$.
3. The method of claim 1, wherein the first communication party generating the sub-base point $G_0$ and the sub-base point $G_1$ based on the base point G comprises:
calculating $G_0 = [a_0]G$;
$G_1 = [a_1]G_0$.
4. The method of claim 1, wherein the first party generating the message digest e of the message M to be signed and generating the first partial signature $Q_1$ according to the sub-base point $G_0$ comprises:
the first communication party concatenates Z and M to form M', and calculates e = Hash(M'), wherein Z represents the common identity of the first communication party and the second communication party, and Hash() represents a predetermined cryptographic hash function;
the first communication party generates a random number $k_0$, wherein $k_0 \in [1, n-1]$;
calculating $Q_1 = [k_0]G_0$.
5. The method of claim 4, wherein the second party generating the second partial signature r according to the first partial signature $Q_1$, the message digest e and the sub-base point $G_1$, generating the third partial signature $s_1$ according to the sub-private key $d_2$, and generating the fourth partial signature $s_2$ according to the sub-private key $d_3$ comprises:
generating a random number $k_1$ and a random number $k_2$, wherein $k_1, k_2 \in [1, n-1]$;
calculating $(x, y) = [k_1]Q_1 + [k_2]G_1$;
$r = (x + e) \bmod n$;
$s_1 = k_1 \times d_2 \bmod n$;
$s_2 = (r + k_2) \times d_3 \bmod n$.
6. The method of claim 5, wherein the first party generating and outputting the full signature according to the sub-private key $d_0$, the sub-private key $d_1$, the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ comprises:
calculating $s = (d_0 \times k_0 \times s_1 + d_0 \times d_1 \times r + s_2) \bmod n$;
if s is not equal to 0 and not equal to n-r, the first party outputs (r, s) as a full signature.
7. An interactive SM2 signature system hiding private keys, the SM2 using elliptic curves having a base point G and an order n, the system comprising: a first party and a second party, wherein,
the first communication party is used for generating a private key $d_A$; generating a sub-private key $d_0$, a sub-private key $d_1$, a sub-private key $d_2$ and a sub-private key $d_3$ based on the private key $d_A$; generating a sub-base point $G_0$ and a sub-base point $G_1$ based on the base point G; sending the sub-private key $d_2$, the sub-private key $d_3$ and the sub-base point $G_1$ to the second communication party; deleting the private key $d_A$, the sub-private key $d_2$, the sub-private key $d_3$ and the sub-base point $G_1$; storing the sub-private key $d_0$, the sub-private key $d_1$ and the sub-base point $G_0$; acquiring a message M to be signed; generating a message digest e of the message M to be signed; generating a first partial signature $Q_1$ according to the sub-base point $G_0$; sending the message digest e and the first partial signature $Q_1$ to the second communication party; receiving a second partial signature r, a third partial signature $s_1$ and a fourth partial signature $s_2$ sent by the second communication party; generating a complete signature according to the sub-private key $d_0$, the sub-private key $d_1$, the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$; wherein said generating the sub-private key $d_0$, the sub-private key $d_1$, the sub-private key $d_2$ and the sub-private key $d_3$ based on the private key $d_A$ comprises: generating a random number $a_0$ and a random number $a_1$, wherein $a_0, a_1 \in [1, n-1]$; calculating $d_0 = a_1/(1+d_A)$; $d_1 = -(d_A/a_1 + a_0)$; $d_2 = a_0/a_1$; $d_3 = a_0 \times a_1/(1+d_A)$;
the second communication party is used for receiving and storing the sub-private key $d_2$, the sub-private key $d_3$ and the sub-base point $G_1$ sent by the first communication party; receiving the message digest e and the first partial signature $Q_1$ sent by the first communication party; generating the second partial signature r according to the first partial signature $Q_1$, the message digest e and the sub-base point $G_1$, generating the third partial signature $s_1$ according to the sub-private key $d_2$, and generating the fourth partial signature $s_2$ according to the sub-private key $d_3$; and sending the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$ to the first communication party.
8. A terminal supporting SM2 signature, the SM2 using an elliptic curve having a base point G and an order n, comprising: a first generating module, a first sending module, a deleting module, a first storing module, an obtaining module, a second generating module, a second sending module, a first receiving module and a complete signature generating module,
the first generation module is used for generating a private key $d_A$, generating a sub-private key $d_0$, a sub-private key $d_1$, a sub-private key $d_2$ and a sub-private key $d_3$ based on the private key $d_A$, and generating a sub-base point $G_0$ and a sub-base point $G_1$ based on the base point G; wherein said generating the sub-private key $d_0$, the sub-private key $d_1$, the sub-private key $d_2$ and the sub-private key $d_3$ based on the private key $d_A$ comprises: generating a random number $a_0$ and a random number $a_1$, wherein $a_0, a_1 \in [1, n-1]$; calculating $d_0 = a_1/(1+d_A)$; $d_1 = -(d_A/a_1 + a_0)$; $d_2 = a_0/a_1$; $d_3 = a_0 \times a_1/(1+d_A)$;
The first sending module is used for sending the sub-private key $d_2$, the sub-private key $d_3$ and the sub-base point $G_1$;
The deleting module is used for deleting the private key $d_A$, the sub-private key $d_2$, the sub-private key $d_3$ and the sub-base point $G_1$;
The first storage module is used for storing the sub-private key $d_0$, the sub-private key $d_1$ and the sub-base point $G_0$;
The acquisition module is used for acquiring a message M to be signed;
The second generating module is used for generating the message digest e of the message M to be signed and, according to the sub-base point $G_0$, generating a first partial signature $Q_1$;
The second sending module is used for sending the message digest e and the first partial signature $Q_1$;
The first receiving module is used for receiving a second partial signature r, a third partial signature $s_1$ and a fourth partial signature $s_2$;
The complete signature generation module is used for generating a complete signature according to the sub-private key $d_0$, the sub-private key $d_1$, the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$.
9. A terminal for interactive SM2 signing based on the SM2 signing enabled terminal of claim 8, comprising: a second receiving module, a second storage module, a third receiving module, a partial signature generating module and a third sending module; wherein,
the second receiving module is used for receiving the sub-private key $d_2$, the sub-private key $d_3$ and the sub-base point $G_1$ of claim 8;
The second storage module is used for storing the sub-private key $d_2$, the sub-private key $d_3$ and the sub-base point $G_1$ of claim 8;
The third receiving module is used for receiving the message digest e and the first partial signature $Q_1$ of claim 8;
The partial signature generation module is used for generating a second partial signature r according to the first partial signature $Q_1$, the message digest e and the sub-base point $G_1$, generating a third partial signature $s_1$ according to the sub-private key $d_2$, and generating a fourth partial signature $s_2$ according to the sub-private key $d_3$;
The third sending module is used for sending the second partial signature r, the third partial signature $s_1$ and the fourth partial signature $s_2$.
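The key split and two-party signing flow of claims 1 to 6, as an added Python example that is not part of the patent text: it runs both parties in one process on the SM2 recommended curve and checks the combined (r, s) with standard SM2 verification against the public key $[d_A]G$. Assumptions: SHA-256 stands in for the "predetermined cryptographic hash function", all division is taken modulo n, $d_A$ is drawn from [1, n-2] so that $1+d_A$ is invertible, and the function names and sample inputs are hypothetical.

```python
import hashlib, secrets

# SM2 recommended curve (sm2p256v1): y^2 = x^3 + A*x + B over GF(P); G has prime order N.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A, B = P - 3, 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
rand = lambda: secrets.randbelow(N - 1) + 1      # uniform in [1, n-1]

def add(p1, p2):                                 # affine addition; None = point at infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):                                  # double-and-add; not constant time, demo only
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def digest(Z, M):                                # e = Hash(Z || M); SHA-256 is an assumed stand-in
    return int.from_bytes(hashlib.sha256(Z + M).digest(), "big")

def split_key():                                 # first party, setup (claims 1 and 3)
    dA, a0, a1 = secrets.randbelow(N - 2) + 1, rand(), rand()   # dA in [1, n-2] (assumption)
    t, a1_inv, G0 = pow(1 + dA, -1, N), pow(a1, -1, N), mul(a0, G)
    share1 = (a1 * t % N, -(dA * a1_inv + a0) % N, G0)          # d0, d1, G0 stay with first party
    share2 = (a0 * a1_inv % N, a0 * a1 * t % N, mul(a1, G0))    # d2, d3, G1 go to second party
    return mul(dA, G), share1, share2            # dA, a0, a1 are not retained after return

def first_round(share1):                         # claim 4: Q1 = [k0]G0
    k0 = rand()
    return k0, mul(k0, share1[2])

def second_party(share2, e, Q1):                 # claim 5: r, s1, s2
    (d2, d3, G1), k1, k2 = share2, rand(), rand()
    r = (add(mul(k1, Q1), mul(k2, G1))[0] + e) % N
    return r, k1 * d2 % N, (r + k2) * d3 % N

def finish(share1, k0, r, s1, s2):               # claim 6; None means restart with fresh nonces
    d0, d1, _ = share1
    s = (d0 * k0 * s1 + d0 * d1 * r + s2) % N
    return (r, s) if s not in (0, N - r) else None

def verify(pub, e, r, s):                        # standard SM2 verification with public key [dA]G
    t = (r + s) % N
    if not (0 < r < N and 0 < s < N) or t == 0: return False
    pt = add(mul(s, G), mul(t, pub))
    return pt is not None and (e + pt[0]) % N == r
```

Verification succeeds because $d_0 k_0 s_1 + d_0 d_1 r + s_2$ reduces to $(k - r\,d_A)/(1+d_A)$ with $k = a_0(k_0 k_1 + a_1 k_2)$, which is the ordinary SM2 value of s for the nonce point $[k]G$.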
CN201810650042.8A 2018-06-22 2018-06-22 Interactive SM2 signature method, system and terminal for hiding private key Active CN108964923B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810650042.8A CN108964923B (en) 2018-06-22 2018-06-22 Interactive SM2 signature method, system and terminal for hiding private key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810650042.8A CN108964923B (en) 2018-06-22 2018-06-22 Interactive SM2 signature method, system and terminal for hiding private key

Publications (2)

Publication Number Publication Date
CN108964923A CN108964923A (en) 2018-12-07
CN108964923B true CN108964923B (en) 2021-07-20

Family

ID=64491527

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810650042.8A Active CN108964923B (en) 2018-06-22 2018-06-22 Interactive SM2 signature method, system and terminal for hiding private key

Country Status (1)

Country Link
CN (1) CN108964923B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110289955A (en) * 2019-06-25 2019-09-27 杭州趣链科技有限公司 A kind of key management method for serving certificate agency based on threshold cryptography model
CN113300846B (en) * 2020-02-24 2022-08-09 华为技术有限公司 Signature method, terminal equipment and network equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243456A (en) * 2014-08-29 2014-12-24 中国科学院信息工程研究所 Signing and decrypting method and system applied to cloud computing and based on SM2 algorithm
CN106603246A (en) * 2017-01-22 2017-04-26 武汉理工大学 SM2 digital signature segmentation generation method and system
CN106961336A (en) * 2017-04-18 2017-07-18 北京百旺信安科技有限公司 A kind of key components trustship method and system based on SM2 algorithms
CN107196763A (en) * 2017-07-06 2017-09-22 数安时代科技股份有限公司 SM2 algorithms collaboration signature and decryption method, device and system
CN107623570A (en) * 2017-11-03 2018-01-23 北京无字天书科技有限公司 A kind of SM2 endorsement methods based on addition Secret splitting

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060153364A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Asymmetric key cryptosystem based on shared knowledge
US8971528B2 (en) * 2013-01-29 2015-03-03 Certicom Corp. Modified elliptic curve signature algorithm for message recovery

Also Published As

Publication number Publication date
CN108964923A (en) 2018-12-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.

Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.