Specific embodiment
Hereinafter, preferred embodiments of the present invention are described with reference to the accompanying drawings. It should be understood that the preferred embodiments described herein serve only to illustrate and explain the present invention and are not intended to limit it.
Referring to Fig. 1, the application provides an SM2 collaborative signature method, which comprises:
S1: the client randomly generates a first integer and a second integer as the client private key components, and calculates the client first public key component value and the client second public key component value based on the first integer and the second integer respectively;
S2: the client sends the client public key components to the server;
S3: the server receives the client public key components sent by the client, randomly generates a third integer as the server private key component, and, based on the client public key component value and the preset base point value, generates the public key representing the client identity;
S4: the client generates verification information for a preset message based on the client private key components and the preset message, and sends the verification information to the server;
S5: the server receives the verification information sent by the client, uses the client public key components to verify the identity held by the client, generates a response message based on the verification information and the server private key component, and returns the response message to the client;
S6: the client generates the signature information of the preset message based on the client private key and the response message.
Specifically, in practical applications, the present invention divides the SM2 private key into multiple (>= 3) private key components to realize an SM2 collaborative signature method that can verify the client identity, in which the server can verify the client identity when the client submits a signature request.
The system uses the elliptic curve parameters $E(F_q)$, $G$ and $n$ of the SM2 algorithm, where $E(F_q)$ is the elliptic curve $E$ defined over the finite field $F_q$. The elliptic curve equation defined over $F_p$ ($p$ is a prime greater than 3) is $y^2 = x^3 + ax + b$, where $a, b \in F_p$ and $(4a^3 + 27b^2) \bmod p \neq 0$. $\#E(F_q)$ denotes the number of points on the elliptic curve. $G$ is a base point of the elliptic curve, $(x_G, y_G)$ are the coordinates of the point $G$, and $x_G$, $y_G$ are two elements of $F_q$. $n$ is the order of the base point $G$ ($n$ is a prime factor of $\#E(F_q)$), $h$ is the cofactor of $\#E(F_q)$ ($h = \#E(F_q)/n$), and $[k]G$ denotes the multiplication of the large integer $k$ and the point $G$.
User A has a distinguishing identifier $ID_A$ with a length of $entlen_A$ bits; $ENTL_A$ denotes the two bytes converted from the integer $entlen_A$. The hash value of user A is obtained with the cryptographic hash function $H_{256}$ (SM3): $Z_A = H_{256}(ENTL_A \| ID_A \| a \| b \| x_G \| y_G \| x_A \| y_A)$, where $(x_A, y_A)$ are the coordinates of the point of user A's public key $P_A$.
1. Public and private key generation algorithm
C1: the client generates the first integer and the second integer according to the following formula: randomly generate $d_1 \in [1, n-2]$, $d_2 \in [1, n-2]$; $d_1$ denotes the first integer, $d_2$ denotes the second integer, and $(d_1, d_2)$ is the client private key component;
C2: the client generates the client first public key component value and the client second public key component value according to the following formula: $P_1 = [d_1]G$, $P_2 = [d_2]P_1$, where $P_1$ denotes the client first public key component value and $P_2$ denotes the client second public key component value;
C3: the client sends $(P_1, P_2)$ to the server as the client public key components;
D1: the server generates the third integer according to the following formula: randomly generate $d_3 \in [1, n-2]$; $d_3$ denotes the third integer, used as the server private key component;
D2: the server calculates according to the following formula: $P_A = [d_3]P_2 - G$, where $P_A$ denotes the public key representing the client identity and $P_2$ denotes the client second public key component value sent by the client;
D3: verify whether $[h]P_A$ is the point at infinity. If $[h]P_A$ is the point at infinity, return to D1, regenerate the third integer, and generate the public key representing the client identity again from the regenerated third integer; if $[h]P_A$ is not the point at infinity, take $P_A$ as the public key representing the client identity.
2. Collaborative signature algorithm
A1: the client sets $M' = Z_A \| M$ and calculates $e = H_{256}(M')$, converting the data type of $e$ to an integer by the method in the standard (GB/T 32918.1-2016 "Information security technology: SM2 elliptic curve public key cryptographic algorithm, Part 1: General provisions");
A2: the client randomly generates an integer $k_1 \in [1, n-1]$;
A3: the client calculates $Q_1 = [k_1]P_1 = (x', y')$ and calculates $k' = x' \bmod n$.
A4: client calculates
A5: the client sends $(e, Q_1, k'')$ to the server as the verification information;
B1: the server parses $Q_1 = (x', y')$ and calculates $k' = x' \bmod n$;
B2: the server calculates $[(k'')^{-1}e]G + [(k'')^{-1}k']P_1 = (x'', y'')$ and verifies whether $(x'', y'') = (x', y')$ holds; if it does not hold, the server refuses to proceed; if it holds, the server proceeds.
B3: the server randomly generates integers $k_2 \in [1, n-1]$, $k_3 \in [1, n-1]$;
B4: the server calculates $Q_2 = [k_2]G$, $Q_3 = [k_3]G$, $Q'_4 = [k']P_1 + [k_2]Q_1 + Q_3 = (x'_1, y'_1)$;
B5: the server calculates $r' = (e + x'_1) \bmod n$; if $r' = 0$, return to B3; if $r'$ is not 0, proceed to B6;
B6: server end calculates
B7: the server sends $(Q_2, Q_3, s_1, s_2)$ as the response information to the client of user A;
A6: the client calculates $Q_4 = [k']P_1 + [k_1 d_1]Q_2 + Q_3 = (x_1, y_1)$ and calculates $r = (e + x_1) \bmod n$;
A7: client calculates
If $s = 0$ or $(s + r) \bmod n = 0$, return to B1; if neither condition is satisfied, execute A8;
A8: the client converts $r$, $s$ into byte strings by the method in the standard (GB/T 32918.1-2016 "Information security technology: SM2 elliptic curve public key cryptographic algorithm, Part 1: General provisions"); the signature information of the preset message $M$ is then $(r, s)$.
A9: the client calls the signature verification algorithm (Verify) in the standard (GB/T 32918.2-2016 "Information security technology: SM2 elliptic curve public key cryptographic algorithm, Part 2: Digital signature algorithm") to verify the correctness of the signature.
Any third party can verify the collaborative signature $(r, s)$ produced by user A and the server for the preset message $M$.
When the signature component $r$ is generated, according to the definition in GB/T 32918.2-2016 "Information security technology: SM2 elliptic curve public key cryptographic algorithm, Part 2: Digital signature algorithm", $r = (e + x_1) \bmod n$. In the collaborative signature algorithm of this scheme, $k''$ is embedded in $e$ in the signature request submitted by the client, and the server only needs to calculate $x'_1 \bmod n$, where $x'_1$ is the $x_1$ actually used, and uses $k''$ and $x'_1$ respectively to generate the server-side partial signatures $s_1$, $s_2$. Finally the client calculates the corresponding $x_1 \bmod n$ and $r$, and uses $s_1$, $s_2$ to synthesize the final signature $(r, s)$.
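The following Python code is an added example, not code from the patent text: it runs key generation (C1 to D3) and the server's identity check (B1 to B2) and shows that $P_A$ is the public key of the joint scalar $d_1 d_2 d_3 - 1$. Assumptions: the curve constants are the SM2 recommended parameters (not listed in the text), function names are hypothetical, and because the A4 formula for $k''$ is missing from the text the example uses the value the B2 equation implies, $k'' = (k_1 d_1)^{-1}(e + k' d_1) \bmod n$.

```python
import secrets

# SM2 recommended curve constants (not listed in the text above); cofactor h = 1.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A, B = P - 3, 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(p, q):
    if p is None or q is None: return p or q      # None = point at infinity
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p == q
           else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add [k]pt (not constant time, for illustration only)."""
    acc, k = None, k % N
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def keygen():
    """Steps C1-C3 and D1-D3: returns (d1, d2), (P1, P2), d3, P_A."""
    d1, d2 = (secrets.randbelow(N - 2) + 1 for _ in range(2))  # in [1, n-2]
    P1 = mul(d1, G); P2 = mul(d2, P1)
    while True:
        d3 = secrets.randbelow(N - 2) + 1
        PA = add(mul(d3, P2), (G[0], P - G[1]))   # [d3]P2 - G
        if PA is not None:                        # D3 with h = 1
            return (d1, d2), (P1, P2), d3, PA

def client_request(e, d1, P1):
    """Steps A2-A5. A4 is absent from the text: k2p is the value B2 implies."""
    while True:
        k1 = secrets.randbelow(N - 1) + 1         # in [1, n-1]
        Q1 = mul(k1, P1)
        k2p = (e + (Q1[0] % N) * d1) * pow(k1 * d1, -1, N) % N  # assumed k''
        if k2p: return e, Q1, k2p

def server_check(req, P1):
    """Steps B1-B2: accept only if the request was built with d1 behind P1."""
    e, Q1, k2p = req
    if Q1 is None or not 0 < k2p < N: return False
    inv = pow(k2p, -1, N)
    return add(mul(inv * e, G), mul(inv * (Q1[0] % N), P1)) == Q1
```

Under the assumed $k''$, a request built with any share other than $d_1$, or with $e$ altered after the fact, fails the B2 comparison whenever $e$ is nonzero mod $n$, so the server can refuse to produce partial signatures for it.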
Referring to Fig. 2, the application also provides an SM2 collaborative signature system that can verify the client identity. The system includes a client and a server, in which:
The client randomly generates a first integer and a second integer as the private key components of the client, and calculates the corresponding client first public key component value and client second public key component value based on the first integer and the second integer respectively;
The client sends the client public key components to the server;
The server receives the client public key components sent by the client, randomly generates a third integer as the server private key component, and, based on the client public key component value and the preset base point value, generates the public key that finally represents the client identity;
The client generates verification information for a preset message based on the client private key components and the preset message, and sends the verification information to the server;
The server receives the verification information sent by the client, verifies the client identity using the client public key components, generates a response message based on the verification information and the server private key component, and returns the response message to the client;
The client generates the signature information of the preset message based on the client private key components and the response message.
In one embodiment, the client randomly generates the first integer and the second integer according to the following formula:
$d_1 \in [1, n-2]$, $d_2 \in [1, n-2]$
$(d_1, d_2)$ is the client private key component, where $d_1$ denotes the first integer, $d_2$ denotes the second integer, and $n$ denotes the order of the preset base point value;
And the client generates the client first public key component value and the client second public key component value according to the following formula:
$P_1 = [d_1]G$, $P_2 = [d_2]P_1$,
where $P_1$ denotes the client first public key component value, $P_2$ denotes the client second public key component value, and $G$ denotes the preset base point value;
Correspondingly, the client public key components are expressed as $(P_1, P_2)$.
In one embodiment, the server randomly generates the third integer according to the following formula:
$d_3 \in [1, n-2]$
where $d_3$ denotes the third integer, used as the server private key component;
Correspondingly, the server calculates according to the following formula:
$P_A = [d_3]P_2 - G$,
where $P_A$ denotes the public key representing the client identity and $P_2$ denotes the client second public key component value sent by the client.
The SM2 collaborative signature method provided by the application does not use a threshold scheme. The private key is divided into multiple (n >= 3) private key components, of which the server holds one and the client holds several. When the client submits a signature request, it uses the private key components it holds, or some of them, to authenticate itself to the server.
A signature request submitted by the client therefore includes online verification of the client identity, which prevents unauthorized use of the server private key component. No third party can masquerade as a legitimate client and use another user's identity to ask the server to perform partial signature operations in order to analyze and attack the client private key components or to forge signatures.
After verifying that the signature request comes from a legitimate client, the server calculates a partial signature using its own private key component and sends it back to the client. The client uses the client private key components and the partial signature returned by the server to generate the final SM2 private key signature conforming to the format of GB/T 32918.2-2016 "Information security technology: SM2 elliptic curve public key cryptographic algorithm, Part 2: Digital signature algorithm".
When the signature component $r$ is generated, according to the definition in GB/T 32918.2-2016 "Information security technology: SM2 elliptic curve public key cryptographic algorithm, Part 2: Digital signature algorithm", $r = (e + x_1) \bmod n$. In the collaborative signature algorithm of this scheme, $k''$ is embedded in $e$ in the signature request submitted by the client, and the server only needs to calculate $x'_1 \bmod n$, where $x'_1$ is the $x_1$ actually used, and uses $k''$ and $x'_1$ respectively to generate the server-side partial signatures $s_1$, $s_2$. Finally the client calculates the corresponding $x_1 \bmod n$ and $r$, and uses $s_1$, $s_2$ to synthesize the final signature $(r, s)$.
Therefore, in the technical solution provided by the application, the SM2 private key is divided into multiple private key components, of which the server holds one and the client holds the rest. The client submits a signature request to the server based on the system parameters and some of the private key components it holds. The server verifies that the client is one that holds the specified legitimate private key components, accepts the signature request, generates the relevant partial signature and returns it to the client. Based on the earlier signature request and the server's reply, the client uses the private key components it holds to generate the final SM2 signature. In this way, with the server and the client operating cooperatively, the security of the SM2 private key can be improved.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.