Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
Referring to fig. 1, the present application provides a SM2 collaborative signing method, including:
s1: the client randomly generates a first integer and a second integer as client private key components, and calculates a client first public key component value and a client second public key component value based on the first integer and the second integer respectively;
s2: the client side sends the client side public key component to a server;
s3: the server receives a client public key component sent by the client, randomly generates a third integer serving as a server private key component, and generates a public key representing the identity of the client based on the client public key component value and a preset base value;
s4: the client generates verification information of a preset message based on the client private key component and the preset message, and sends the verification information to the server;
s5: the server receives verification information sent by the client, verifies the identity of the client by using a client public key component, generates response information based on the verification information and the server private key component, and feeds back the response information to the client;
s6: the client generates signature information of the preset message based on the client private key component and the response information.
In practical application, the SM2 collaborative signing method capable of verifying the client identity is realized by dividing the SM2 private key into a plurality (three or more) of private key components, so that when the client submits a signing request, the server can verify the identity of the client.
The system uses the elliptic curve parameters $E(F_q)$, $G$ and $n$ of the SM2 algorithm, where $E(F_q)$ is an elliptic curve $E$ defined over the finite field $F_q$; the curve defined over $F_p$ ($p$ a prime greater than 3) is $y^2 = x^3 + ax + b$, where $a, b \in F_p$ and $(4a^3 + 27b^2) \bmod p \neq 0$. $\#E(F_q)$ denotes the number of points on the elliptic curve. $G$ is a base point of the elliptic curve, $(x_G, y_G)$ are the coordinates of the point $G$, with $x_G, y_G$ elements of $F_q$; $n$ is the order of the base point $G$ ($n$ is a prime factor of $\#E(F_q)$); $h$ is the cofactor of $\#E(F_q)$ ($h = \#E(F_q)/n$); and $[k]G$ denotes the scalar multiplication of the point $G$ by a large integer $k$.
User A has a distinguishable identifier $ID_A$ of length $entlen_A$ bits; $ENTL_A$ denotes the two bytes converted from the integer $entlen_A$. Using the cryptographic hash function $H_{256}$ (SM3), the hash value of user A is obtained as $Z_A = H_{256}(ENTL_A \| ID_A \| a \| b \| x_G \| y_G \| x_A \| y_A)$, where $(x_A, y_A)$ are the coordinates of the point of user A's public key $P_A$.
1. Public and private key generation algorithm
C1: the client generates the first integer and the second integer as follows: randomly generate $d_1 \in [1, n-2]$ and $d_2 \in [1, n-2]$; $d_1$ represents the first integer, $d_2$ represents the second integer, and $(d_1, d_2)$ is the client private key component;
C2: the client generates the client first public key component value and the client second public key component value according to the following formulas: $P_1 = [d_1]G$, $P_2 = [d_2]P_1$, where $P_1$ represents the client first public key component value and $P_2$ represents the client second public key component value;
C3: the client sends $(P_1, P_2)$ as the client public key component to the server;
D1: the server generates the third integer as follows: randomly generate $d_3 \in [1, n-2]$; $d_3$ represents the third integer, which is the server private key component;
D2: the server calculates according to the following formula: $P_A = [d_3]P_2 - G$, where $P_A$ represents the public key representing the identity of the client and $P_2$ represents the client second public key component value sent by the client;
D3: verify whether $[h]P_A$ is the point at infinity. If $[h]P_A$ is the point at infinity, return to D1, regenerate the third integer and regenerate the public key representing the identity of the client from it; if $[h]P_A$ is not the point at infinity, take $P_A$ as the public key representing the client identity.
2. Collaborative signature algorithm
A1: client setting M ═ ZAI | M, calculate e ═ H256(M') converting the data type of e into an integer according to a method in the standard (GB/T32918.1-2016 general rule of section 1 of the SM2 elliptic curve public key cryptography algorithm);
a2: client randomly generating integer k1∈[1,n-1];
A3: client computing Q1=[k1]P1(x ', y'), and k 'x' mod n is calculated.
A4: client-side computing
A5: the client side will (e, Q)1K') as verification information is sent to the server;
b1: server side resolution Q1(x ', y'), calculating k '═ x' mod n;
b2: server side calculation [ (k')-1e]G+[(k″)-1k′]P1And verifying whether the (x ", y") is true, if not, rejecting to execute downwards, and if so, executing downwards.
B3: server side randomly generates integer k2∈[1,n-1],k3∈[1,n-1];
B4: server side computation Q2=[k2]G,Q3=[k3]G,Q′4=[k′]P1+[k2]Q1+Q3=(x′1,y′1);
B5: server-side calculates r '═ e + x'1) mod n, if r 'is 0, return to B3, if r' is not 0, go to B6;
b6: server-side computing
B7: server side will (Q)2,Q3,s1,s2) Sending the response information to the user client A;
a6: client computing Q4=[k′]P1+[k1d1]Q2+Q3=(x1,y1) Calculating r ═ e + x1)mod n;
A7: client-side computing
If s is 0 or s + r mod n is 0, returning to B1, and if the two are not satisfied, executing A8;
a8: the client converts r and s into byte strings according to a method in a standard (GB/T32918.1-2016 (general rule of information security technology SM2 elliptic curve public key cryptography) part 1), and the signature information of the message M is preset to be (r, s).
A9: the client calls a signature verification algorithm (Verify) in a standard (GB/T32918.2-2016 (information security technology SM2 elliptic curve public key cryptographic algorithm part 2: digital signature algorithm)) to Verify the correctness of the signature.
Any third party can verify the co-signature (r, s) of the user a and the server to the preset message M.
When a signature component r is generated, according to the GB/T32918.2-2016 (information security technology SM 2) elliptic curve public key cryptographic algorithm part 2: definition in digital signature Algorithm, r ═ e + x1) mod n. In the collaborative signature algorithm of the scheme, e is embedded in a signature request submitted by a client, and only x 'needs to be calculated at a server'1mod n, where x'1I.e. x actually used1And use k ' and x ' respectively '1Generating a server-side partial signature s1、s2Finally, the client end calculates the corresponding x1mod n and r, and use s1、s2The final signature (r, s) is synthesized.
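As an added illustration (this code is not part of the patent), the following Python checks two relations the steps above imply on the SM2 curve: from C2 and D2, $P_A = [d_3]P_2 - G$ equals $[d_1 d_2 d_3 - 1]G$, so the complete private key is never held by either side; and from B4 and A6, the server's $Q'_4$ and the client's $Q_4$ are the same point, so $x_1 = x'_1$. The curve constants are the recommended SM2 parameters of GB/T 32918.5-2017, which the page does not list, and the function names are this example's own.

```python
# Added example (not from the patent): affine SM2 curve arithmetic used to check
# two relations in the description above. Curve parameters are the recommended
# SM2 curve of GB/T 32918.5-2017 (assumed here; the page does not list them).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A, B = P - 3, 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # the point at infinity

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):  # affine addition; covers doubling and P + (-P)
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # [k]pt by double-and-add (not constant time; illustration only)
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def keygen(d1, d2, d3):
    """Steps C2 and D2: P1 = [d1]G, P2 = [d2]P1, PA = [d3]P2 - G.
    PA equals [d1*d2*d3 - 1]G; D3 rejects the degenerate case PA = INF."""
    P1 = mul(d1, G)
    P2 = mul(d2, P1)
    return P1, P2, add(mul(d3, P2), (G[0], (-G[1]) % P))  # [d3]P2 + (-G)

def nonce_points(d1, k1, k2, k3, P1):
    """Steps A3, B4, A6: server Q'4 and client Q4 must be the same point."""
    Q1 = mul(k1, P1)
    kp = Q1[0] % N  # k' = x' mod n
    Q2, Q3 = mul(k2, G), mul(k3, G)
    server_q4 = add(add(mul(kp, P1), mul(k2, Q1)), Q3)
    client_q4 = add(add(mul(kp, P1), mul(k1 * d1 % N, Q2)), Q3)
    return server_q4, client_q4
```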
Referring to fig. 2, the present application further provides an SM2 collaborative signing system capable of verifying client identity, the system includes a client and a server, wherein:
the client randomly generates a first integer and a second integer as private key components of the client, and calculates a corresponding client first public key component value and a client second public key component value based on the first integer and the second integer respectively;
the client side sends the client side public key component to a server;
the server receives a client public key component sent by the client, randomly generates a third integer serving as a server private key component, and generates a public key which finally represents the identity of the client based on the client public key component value and a preset base point value;
the client generates verification information of a preset message based on the client private key component and the preset message, and sends the verification information to the server;
the server receives verification information sent by the client, verifies the identity of the client by using a client public key component, generates response information based on the verification information and the server private key component, and feeds back the response information to the client;
and the client generates signature information of the preset message based on the client private key component and the response information.
In one embodiment, the client randomly generates the first integer and the second integer according to the following formula:
$d_1 \in [1, n-2]$, $d_2 \in [1, n-2]$
$(d_1, d_2)$ is the client private key component, where $d_1$ represents the first integer, $d_2$ represents the second integer and $n$ represents the order of the preset base point value;
and the client generates the client first public key component value and the client second public key component value according to the following formulas:
$P_1 = [d_1]G$, $P_2 = [d_2]P_1$
where $P_1$ represents the client first public key component value, $P_2$ represents the client second public key component value and $G$ represents the preset base point value;
accordingly, the client public key component is denoted as $(P_1, P_2)$.
In one embodiment, the server randomly generates the third integer according to the following formula:
$d_3 \in [1, n-2]$
where $d_3$ represents the third integer, which is the server private key component;
accordingly, the server calculates according to the following formula:
$P_A = [d_3]P_2 - G$
where $P_A$ represents the public key representing the identity of the client and $P_2$ represents the client second public key component value sent by the client.
The SM2 collaborative signing method does not adopt a threshold scheme: the private key is divided into a plurality (three or more) of private key components, of which the server holds one and the client holds several. When the client submits a signature request, it uses its own private key components, or part of them, to prove its identity to the server.
The online verification of the client identity that takes place when the client submits a signature request prevents the server-side private key component from being used without authorization: no third party can pose as a legitimate client and, impersonating another user, require the server to perform its partial signature operation in order to attack and analyse the client's private key component or to forge a signature.
After the server verifies that the signature request comes from a legitimate client, it computes a partial signature using its own private key component and sends the partial signature back to the client. The client uses its own private key component and the partial signature returned by the server to generate a final SM2 private key signature in the format of GB/T 32918.2-2016 (Information security technology: SM2 elliptic curve public key cryptographic algorithm, Part 2: Digital signature algorithm).
As can be seen from the above, in the technical scheme provided by this application the SM2 private key is divided into a plurality of private key components, of which the server holds one and the client holds the rest. The client submits a signature request to the server based on the system parameters and the private key components it owns. The server verifies that the client is the one holding the agreed legitimate private key component, accepts the signature request, generates the related partial signature and replies to the client; the client then generates the final SM2 signature from its own private key component, the previous signature request and the server's reply. In this way the security of the SM2 private key is improved through the cooperative operation of the server and the client.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.