CN110113165B - SM2 digital signature collaborative generation method and system supporting mixed secret sharing - Google Patents

Info

Publication number: CN110113165B
Authority: CN (China)
Application number: CN201910335602.5A
Other languages: Chinese (zh)
Other versions: CN110113165A (en)
Inventor: 龙毅宏
Current Assignee: Wuhan University of Technology WUT
Original Assignee: Wuhan University of Technology WUT
Legal status: Active
Priority: CN201910335602.5A
Prior art keywords: mod, digital signature, devices, user, private key

Classifications

    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention relates to an SM2 digital signature method. Each of $m$ devices holds a secret, $c_1, \ldots, c_m$ respectively. At initialization, starting from $t_1 = c_1$, the values $t_2, \ldots, t_m$ are computed progressively by modulo-$n$ addition or multiplication with $c_2, \ldots, c_m$, and $G_B = [1+d_A]G$ and $b = (t_m + t_m d_A)^{-1} \pmod n$ are computed, where $d_A$ is the private key. When $d_A$ is needed to sign a message $M$, the $m$ devices each choose a $k_i$ and, by a progressive calculation corresponding to the one used for $t_2, \ldots, t_m$, obtain $Q_2, \ldots, Q_m$ from $Q_1 = [k_1]G_B$. Then $r = (e + x_1) \bmod n$ is computed, where $(x_1, y_1) = Q_m$ and $e$ is the hash value of the message $M$. By a progressive calculation corresponding to the one used for $Q_2, \ldots, Q_m$, the $m$ devices obtain $s_2, \ldots, s_m$ from $s_1 = (k_1 + c_1 b r) \bmod n$, and $s = (s_m - r) \bmod n$; $(r, s)$ is the digital signature.

Description

Method and system for collaborative generation of SM2 digital signatures supporting mixed secret sharing

Technical field

The invention belongs to the technical field of information security, and in particular relates to a method and system for collaboratively generating SM2 digital signatures that support mixed secret sharing.

Background

SM2 is an elliptic curve public key cryptographic algorithm promulgated by the State Cryptography Administration (see the "SM2 Elliptic Curve Public Key Cryptographic Algorithm" specification, State Cryptography Administration, December 2010); digital signatures, key exchange and data encryption can be implemented on the basis of this algorithm. However, because of the distinctive way the SM2 algorithm computes a digital signature, the usual secret sharing (splitting) methods and the corresponding usual secret-sharing-based cryptographic operations are not suitable for digital signing with an SM2 private key. To address this problem, the inventor of this patent application previously proposed corresponding digital signature generation schemes based on secret sharing, but those schemes support only additive secret sharing (the sum of the secret shares constitutes the secret) or multiplicative secret sharing (the product of the secret shares constitutes the secret); they do not support secret sharing that mixes sums and products (mixed secret sharing). That is the problem the invention of this patent application sets out to solve.

Summary of the invention

The purpose of the invention is to propose a method and system for collaborative generation of SM2 digital signatures that supports secret sharing mixing sums and products.

To this end, the technical solution proposed by the invention comprises a method and a system for collaborative generation of SM2 digital signatures supporting mixed secret sharing.

In the following description of the technical solution, if $P$ and $Q$ are elements (points) of the elliptic curve point group, $P + Q$ denotes the point addition of $P$ and $Q$, and $[k]P$ denotes the point addition of $k$ copies of the elliptic curve point $P$, i.e. $P + P + \ldots + P$ ($k$ copies of $P$ in total; this is the scalar multiplication of the point $P$ by the integer $k$, and if $k$ is negative it denotes the inverse of the point obtained by adding $|k|$ copies of $P$). The ellipsis "..." denotes several data items of the same type or several identical operations. ($[k]P$ is the notation for scalar multiplication of a point agreed in the "SM2 Elliptic Curve Public Key Cryptographic Algorithm" specification.)

$c^{-1}$ denotes the modulo-$n$ multiplicative inverse of the integer $c$ (i.e. $c c^{-1} \bmod n = 1$); unless otherwise stated, every integer inverse in this patent application is a modulo-$n$ multiplicative inverse. Where several integers are multiplied (including products of integer symbols, and of constants with integer symbols), the multiplication sign "·" is omitted when no ambiguity arises: $k_1 \cdot k_2$ is written $k_1 k_2$, and $3 \cdot c$ is written $3c$.

$\bmod n$ denotes the modulo-$n$ operation, corresponding to modn in the "SM2 Elliptic Curve Public Key Cryptographic Algorithm" specification. The operator $\bmod n$ has the lowest precedence: $a + b \bmod n$ is equivalent to $(a + b) \bmod n$, $a - b \bmod n$ is equivalent to $(a - b) \bmod n$, and $ab \bmod n$ is equivalent to $(ab) \bmod n$.

The SM2 digital signature collaborative generation method supporting mixed secret sharing of the invention is as follows.

The method involves $m$ devices, where $m \ge 2$.

The $m$ devices are numbered device 1 to device $m$. They hold integer secrets $c_1, c_2, \ldots, c_m$ respectively, each randomly selected in the interval $[1, n-1]$, where $n$ is the order of the SM2 elliptic curve point group and also the order of its base point $G$; $c_i$ is the secret held by device $i$, $i = 1, \ldots, m$.

In the initialization phase the secret $c$ is computed as follows (the initialization is carried out before or after $c_1, c_2, \ldots, c_m$ are assigned to the $m$ devices, by one of the $m$ devices, by a device outside the $m$ devices, or by the $m$ devices):

Step 1: set $t_1 = c_1$ and go to step 2;

Step $i$, $i = 2, \ldots, m$: compute $t_i = (t_{i-1} + c_i) \bmod n$, or $t_i = (c_i t_{i-1}) \bmod n$;

If $i = m$, let $c = t_m$, which completes the computation of $c$; otherwise go to step $i+1$, until step $m$ yields $t_m$.

In the above computation of $c$, each step selects its formula independently: the choice of formula at one step does not depend on the choice at any other step, and is made at random, subjectively and arbitrarily, or according to design requirements.

Then take $G_B = [(1+d_A)]G$, $b = (c^{-1}(1+d_A)^{-1}) \bmod n$, $w = 1$, $h = 1$,

or take $G_B = [(1+d_A)]G$, $b = (-c^{-1} d_A (1+d_A)^{-1}) \bmod n$, $w = 1$, $h = 0$,

or take $G_B = [c^{-1}]G$, $b = 1$, $w = (c^{-1}(1+d_A)^{-1}) \bmod n$, $h = 1$,

or take $G_B = [-c^{-1} d_A]G$, $b = 1$, $w = (-c^{-1} d_A (1+d_A)^{-1}) \bmod n$, $h = 0$,

where $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$, $(1+d_A)^{-1}$ is the modulo-$n$ multiplicative inverse of $(1+d_A)$, and $d_A$ is the user's SM2 private key.

After initialization is complete, $G_B$, $b$, $w$ and $h$ are distributed to the $m$ devices; none of the $m$ devices stores $d_A$ or $c$.

When the user's SM2 private key $d_A$ is needed to digitally sign a message $M$, the $m$ devices collaboratively generate the digital signature as follows (the party that needs to sign $M$ with $d_A$ may be a cryptographic application, system or cryptographic module that calls the $m$ devices, or a cryptographic application or system in one of the $m$ devices):

Device 1 randomly selects an integer $k_1$ in $[1, n-1]$, computes $Q_1 = [k_1]G_B$, and sends $Q_1$ to device 2;

Device $i$, $i = 2, \ldots, m$, randomly selects an integer $k_i$ in $[1, n-1]$ and computes $Q_i$ as follows:

If the formula used to compute $t_i$ was $t_i = (t_{i-1} + c_i) \bmod n$, then $Q_i = Q_{i-1} + [k_i]G_B$;

If the formula used to compute $t_i$ was $t_i = (c_i t_{i-1}) \bmod n$, then $Q_i = [c_i]Q_{i-1} + [k_i]G_B$;

If $i = m$, let $Q = Q_m$ and proceed to the subsequent processing; otherwise device $i$ sends $Q_i$ to device $i+1$, until device $m$ has computed $Q_m$.

One of the $m$ devices computes $r = (e + x_1) \bmod n$, where $x_1$ is taken from $(x_1, y_1) = Q$ and $e$ is the hash value derived from the user identifier and the message $M$ (under the SM2 algorithm, $e$ is the hash of the data obtained by combining the hash value $Z_A$, derived from the user identifier $ID_A$ and other parameters, with the message $M$; see the SM2 specification);

(here $r$ is non-secret data and can be passed between two devices as needed)

Then device 1 computes $s_1 = (k_1 + c_1 b r) \bmod n$, where $k_1$ is the same $k_1$ used when computing $Q_1$;

Device 1 sends $s_1$ to device 2;

Device $i$, $i = 2, \ldots, m$, computes $s_i$ as follows:

If the formula used to compute $Q_i$ was $Q_i = Q_{i-1} + [k_i]G_B$, then $s_i = (s_{i-1} + k_i + c_i b r) \bmod n$;

If the formula used to compute $Q_i$ was $Q_i = [c_i]Q_{i-1} + [k_i]G_B$, then $s_i = (c_i s_{i-1} + k_i) \bmod n$, where $k_i$ is the same $k_i$ used when computing $Q_i$;

If $i = m$, then once $s_m$ has been computed, proceed to the subsequent computation; otherwise device $i$ sends $s_i$ to device $i+1$, until device $m$ has computed $s_m$.

One of the $m$ devices computes $s = (w s_m - h r) \bmod n$; $(r, s)$ is the digital signature on the message $M$.

In the above SM2 digital signature collaborative generation method, if $t_i = 0$ occurs when computing $t_i$, $i = 2, \ldots,$ or $m$, the integer secrets $c_1, \ldots, c_i$ are selected again in $[1, n-1]$, $t_1$ is reset and $t_j$, $j = 2, \ldots, i$, are recomputed, until $t_i \ne 0$, $i = 2, \ldots, m$.

In the above method, if the user's SM2 private key $d_A$ is generated after $c$ has been computed, the ways of generating $d_A$ include randomly selecting an integer in $[1, n-1]$ as $d_A$, or the following:

If $b = (c^{-1}(1+d_A)^{-1}) \bmod n$, an integer in $[1, n-1]$ is chosen as $b$, either fixed or arbitrarily (subjectively or at random), and the $d_A$ that satisfies $b = (c^{-1}(1+d_A)^{-1}) \bmod n$ with $d_A \ne 0$ is used as the user's SM2 private key;

If $b = (-c^{-1} d_A (1+d_A)^{-1}) \bmod n$, an integer in $[1, n-1]$ is chosen as $b$, either fixed or arbitrarily (subjectively or at random), and the $d_A$ that satisfies $b = (-c^{-1} d_A (1+d_A)^{-1}) \bmod n$ with $d_A \ne 0$ is used as the user's SM2 private key;

If $w = (c^{-1}(1+d_A)^{-1}) \bmod n$, an integer in $[1, n-1]$ is chosen as $w$, either fixed or arbitrarily (subjectively or at random), and the $d_A$ that satisfies $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ with $d_A \ne 0$ is used as the user's SM2 private key;

If $w = (-c^{-1} d_A (1+d_A)^{-1}) \bmod n$, an integer in $[1, n-1]$ is chosen as $w$, either fixed or arbitrarily (subjectively or at random), and the $d_A$ that satisfies $w = (-c^{-1} d_A (1+d_A)^{-1}) \bmod n$ with $d_A \ne 0$ is used as the user's SM2 private key.

In the above method, if device $i$, $i = 1, \ldots,$ or $m$, checks after computing $Q_i$ and finds that $Q_i$ is the zero element (point at infinity), devices 1 to $i$ select new $k_j$ and recompute $Q_j$, $j = 1, \ldots, i$, until $Q_i$ is not the zero element, $i = 1, \ldots, m$.

In the above method, if during generation of the digital signature on the message $M$ a check finds that $r$ is the integer 0, the $m$ devices recompute $Q_i$, $i = 1, \ldots, m$, and recompute $Q$ and $r$, until $r \ne 0$.

In the above method, if during generation of the digital signature on the message $M$ a check finds that $[r]G + Q$ is the zero element (point at infinity) of the SM2 elliptic curve point group, the $m$ devices recompute $Q_i$, $i = 1, \ldots, m$, and recompute $Q$ and $r$, until $[r]G + Q$ is not the zero element of the SM2 elliptic curve point group;

or, if after generating the digital signature on the message $M$ a check finds that $(s + r) \bmod n = 0$, the $m$ devices recompute $Q_i$, $i = 1, \ldots, m$, recompute $Q$ and $r$, recompute $s_i$, $i = 1, \ldots, m$, and recompute $s$, until $(s + r) \bmod n \ne 0$.

In the above method, if during generation of the digital signature on the message $M$ device $i$, $i = 1, \ldots,$ or $m$ (not necessarily every device), replaces $k_i$ with $a_i k_i$ in the formulas for both $Q_i$ and $s_i$, the method still holds, where $a_i$ is an integer in $[1, n-1]$ chosen either fixed or arbitrarily (subjectively or at random), and $a_i$ may or may not be kept secret (if $a_i$ is a randomly selected integer, it is either selected at random in $[1, n-1]$ each time $Q_i$ is computed, or selected at random in $[1, n-1]$ at initialization).

In the above method, if $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ or $w = (-c^{-1} d_A (1+d_A)^{-1}) \bmod n$ is taken, and $c_m = 1$ with $t_m$ computed by the formula $t_m = (c_m t_{m-1}) \bmod n$, and $w$ is held as a secret by device $m$ (the other devices do not have $w$), and device $m$ computes $s = (w s_m - h r) \bmod n$, the method still holds.

In the above method, if $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ or $w = (-c^{-1} d_A (1+d_A)^{-1}) \bmod n$ is taken, and $c_m = 1$ with $t_m$ computed by the formula $t_m = (c_m t_{m-1}) \bmod n$, and $w$ is held as a secret by device $m$ (the other devices do not have $w$), and device $m$ computes $s = (w s_m - h r) \bmod n$, and the user's SM2 private key $d_A$ is generated after $c$ has been computed, the ways of generating $d_A$ include randomly selecting an integer in $[1, n-1]$ as $d_A$, or the following:

If $w = (c^{-1}(1+d_A)^{-1}) \bmod n$, an integer in $[1, n-1]$ is selected at random as $w$, and the $d_A$ that satisfies $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ with $d_A \ne 0$ is used as the user's SM2 private key;

If $w = (-c^{-1} d_A (1+d_A)^{-1}) \bmod n$, an integer in $[1, n-1]$ is selected at random as $w$, and the $d_A$ that satisfies $w = (-c^{-1} d_A (1+d_A)^{-1}) \bmod n$ with $d_A \ne 0$ is used as the user's SM2 private key.

Based on the above method, an SM2 digital signature collaborative generation system can be built. The system comprises $m$ devices, where $m$ is greater than or equal to 2, and the $m$ devices collaboratively generate, according to the method, the digital signature on the message $M$ using the user's SM2 private key $d_A$.

As can be seen from the above description, the SM2 digital signature collaborative generation method and system of the invention support mixed secret sharing: the process of computing the shared secret $c$ includes both modulo-$n$ sums with elements of $c_1, \ldots, c_m$ and modulo-$n$ products with elements of $c_1, \ldots, c_m$.
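The initialization and signing procedure described above, carried through on the SM2 recommended curve for all four choices of ($G_B$, $b$, $w$, $h$) with a mixed add/multiply chain, and checked with ordinary SM2 verification against $P_A = [d_A]G$. This is an added example, not code from the patent; the function names, the single-process loops standing in for the $m$ devices, the SHA-256 stand-in for the SM3-derived $e$, and the sample message and key are assumptions.

```python
import hashlib
import secrets

# SM2 recommended curve, y^2 = x^3 + ax + b over F_p (b is not needed for the arithmetic).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123  # order n of G
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
O = None  # zero element (point at infinity)

def add(p1, p2):
    """Affine point addition; not constant time, illustration only."""
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication [k]pt by double-and-add."""
    k, acc = k % N, O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def rand_scalar():
    return secrets.randbelow(N - 1) + 1  # uniform in [1, n-1]

def initialise(d_a, ops, variant):
    """Dealer: draw c_1..c_m, fold them into c = t_m, derive (G_B, b, w, h)."""
    if (1 + d_a) % N == 0:
        raise ValueError("(1 + d_A) has no inverse mod n")
    while True:
        shares = [rand_scalar() for _ in range(len(ops) + 1)]
        t, nonzero = shares[0], True
        for c_i, op in zip(shares[1:], ops):
            t = (t + c_i) % N if op == "add" else (c_i * t) % N
            nonzero = nonzero and t != 0
        if nonzero:  # the page re-draws the shares whenever some t_i is 0
            break
    c_inv, d_inv = pow(t, -1, N), pow(1 + d_a, -1, N)
    if variant == 1:
        params = (mul(1 + d_a, G), c_inv * d_inv % N, 1, 1)
    elif variant == 2:
        params = (mul(1 + d_a, G), -c_inv * d_a * d_inv % N, 1, 0)
    elif variant == 3:
        params = (mul(c_inv, G), 1, c_inv * d_inv % N, 1)
    else:
        params = (mul(-c_inv * d_a, G), 1, -c_inv * d_a * d_inv % N, 0)
    return shares, params  # the dealer then destroys c and d_A

def cosign(e, shares, ops, params):
    """Devices 1..m build Q and then s in turn; the loops stand in for message passing."""
    g_b, b, w, h = params
    while True:
        ks = [rand_scalar() for _ in shares]
        q = mul(ks[0], g_b)  # Q_1 = [k_1]G_B
        for c_i, k_i, op in zip(shares[1:], ks[1:], ops):
            q = add(q if op == "add" else mul(c_i, q), mul(k_i, g_b))  # Q_i
        if q is O:
            continue
        r = (e + q[0]) % N
        s_i = (ks[0] + shares[0] * b * r) % N  # s_1
        for c_i, k_i, op in zip(shares[1:], ks[1:], ops):
            s_i = (s_i + k_i + c_i * b * r) % N if op == "add" else (c_i * s_i + k_i) % N
        s = (w * s_i - h * r) % N
        # Retry on r = 0 or (s + r) mod n = 0 as the page requires; s = 0 is the
        # extra check from standard SM2 signing.
        if r and s and (s + r) % N:
            return r, s

def sm2_verify(e, sig, pub):
    """Standard SM2 verification against the ordinary public key P_A = [d_A]G."""
    r, s = sig
    t = (r + s) % N
    if not (1 <= r < N and 1 <= s < N) or t == 0:
        return False
    pt = add(mul(s, G), mul(t, pub))
    return pt is not O and (e + pt[0]) % N == r

def demo(message=b"constructed sample message", ops=("add", "mul", "add")):
    d_a = secrets.randbelow(N - 2) + 1  # constructed private key in [1, n-2]
    pub = mul(d_a, G)
    # Stand-in for e = SM3(Z_A || M): SHA-256 keeps the example free of an SM3 library.
    e = int.from_bytes(hashlib.sha256(message).digest(), "big")
    results = {}
    for variant in (1, 2, 3, 4):
        shares, params = initialise(d_a, ops, variant)
        results[variant] = sm2_verify(e, cosign(e, shares, ops, params), pub)
    return results
```

`demo()` returns a verification result per variant for a four-device chain. The guard in `initialise` reflects that $(1+d_A)^{-1}$ does not exist when $d_A = n-1$.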

具体实施方式Detailed ways

下面结合实施例对本发明作进一步的描述。以下实施例仅是本发明列举的几个可能的实施例,不代表全部可能的实施例,不作为对本发明的限定。The present invention will be further described below in conjunction with the examples. The following embodiments are only a few possible embodiments exemplified by the present invention, and do not represent all possible embodiments, and are not intended to limit the present invention.

实施例1、Embodiment 1,

此实施例包括m个分别标号为第1号到第m号的装置,m≥2;在初始化阶段,m个装置中的一个装置或m个装置之外的一个装置在[1,n-1] 区间内随机选择m个整数c1,…,cm,然后按前述秘密c的递进计算方法计算得到c;取GB=[(1+dA)]G,b=(c-1(1+dA)-1)mod n,w=1,h=1,其中c-1是c的模n乘法逆,(1+dA)-1是(1+dA)的模n乘法逆,dA是用户的SM2私钥;将c1,…,cm分别分发给第1号到第m号装置,将GB、b分发给需要的装置(w、h不用分发,只需采用w=1、h=1对应的计算公式即可),将c、 dA销毁;当需要使用用户的SM2私钥dA针对消息M生成数字签名时,m个装置按前述支持混合秘密共享的SM2数字签名协同生成方法生成针对消息M的数字签名。此实施例中,用户的SM2私钥dA由在[1,n-1]中随机选择一个整数生成。This embodiment includes m devices numbered No. 1 to No. m respectively, where m≥2; in the initialization phase, one of the m devices or one device other than the m devices is in [1, n-1 ] randomly select m integers c 1 ,...,cm in the interval, and then calculate c according to the aforementioned progressive calculation method of secret c; take GB =[(1+d A )]G, b =(c -1 (1+d A ) −1 ) mod n, w=1, h=1, where c −1 is the modulo n multiplicative inverse of c and (1+d A ) −1 is the modulo n of (1+d A ) Multiplicative inverse, d A is the user's SM2 private key; distribute c 1 ,...,cm to No. 1 to No. m devices respectively, distribute GB and b to the required devices (w, h do not need to be distributed, only The calculation formula corresponding to w=1, h=1 needs to be adopted), and c, d A are destroyed; when the user’s SM2 private key d A needs to be used to generate a digital signature for the message M, m devices support mixed secrets according to the aforementioned The shared SM2 digital signature collaborative generation method generates a digital signature for message M. In this embodiment, the user's SM2 private key d A is generated by randomly selecting an integer in [1,n-1].

实施例2、Embodiment 2,

此实施例与实施例1的差别在于:用户的SM2私钥dA是在计算得到c 后生成的,且以满足b=(c-1(1+dA)-1)mod n且dA≠0的dA作为用户的SM2 私钥,其中,b是在[1,n-1]中固定选择或任意选择(主观任选或随机选择)的整数。The difference between this embodiment and Embodiment 1 is that the user's SM2 private key d A is generated after c is calculated, and satisfies b=(c -1 (1+d A ) -1 )mod n and d A d A of ≠ 0 is used as the user's SM2 private key, where b is an integer selected fixedly or arbitrarily (subjectively or randomly) in [1,n-1].

实施例3、Embodiment 3,

此实施例包括m个分别标号为第1号到第m号的装置,m≥2;在初始化阶段,m个装置中的一个装置或m个装置之外的一个装置在[1,n-1] 区间内随机选择m个整数c1,…,cm,然后按前述秘密c的递进计算方法计算得到c;GB=[(1+dA)]G,b=(-c-1dA(1+dA)-1)mod n,w=1,h=0,其中c-1是c的模n乘法逆,(1+dA)-1是(1+dA)的模n乘法逆,dA是用户的SM2私钥;将c1,…,cm分别分发给第1号到第m号装置,将GB、b分发给需要的装置(w、h不用分发,只需采用w=1、h=0对应的计算公式即可),将c、 dA销毁;当需要使用用户的SM2私钥dA针对消息M生成数字签名时,m个装置按前述支持混合秘密共享的SM2数字签名协同生成方法生成针对消息M的数字签名。此实施例中,用户的SM2私钥dA由在[1,n-1]中随机选择一个整数生成。This embodiment includes m devices numbered No. 1 to No. m respectively, where m≥2; in the initialization phase, one of the m devices or one device other than the m devices is in [1, n-1 ] randomly select m integers c 1 ,...,cm in the interval, and then calculate c according to the above-mentioned progressive calculation method of secret c; GB =[(1+d A )]G, b =(-c -1 d A (1+d A ) −1 ) mod n, w=1, h=0, where c −1 is the modulo n multiplicative inverse of c and ( 1 +d A ) −1 is the Modulo n multiplicative inverse, d A is the user's SM2 private key; distribute c 1 ,...,cm to No. 1 to No. m devices respectively, distribute GB and b to the required devices (w, h do not need to be distributed , only need to adopt the calculation formula corresponding to w=1, h=0), destroy c and d A ; when it is necessary to use the user's SM2 private key d A to generate a digital signature for message M, m devices support the aforementioned The SM2 digital signature collaborative generation method of hybrid secret sharing generates a digital signature for message M. In this embodiment, the user's SM2 private key d A is generated by randomly selecting an integer in [1,n-1].

实施例4、Embodiment 4,

此实施例与实施例1的差别在于:用户的SM2私钥dA是在计算得到c 后生成的,且以满足b=(-c-1dA(1+dA)-1)mod n且dA≠0的dA作为用户的SM2 私钥,其中,b是在[1,n-1]中固定选择或任意选择(主观任选或随机选择)的整数。The difference between this embodiment and Embodiment 1 is that the user's SM2 private key d A is generated after c is calculated, and satisfies b=(-c -1 d A (1+d A ) -1 )mod n And d A with d A ≠ 0 is used as the user's SM2 private key, where b is an integer selected fixedly or arbitrarily (subjectively or randomly) in [1,n-1].

实施例5、Embodiment 5,

此实施例包括m个分别标号为第1号到第m号的装置,m≥2;在初始化阶段,m个装置中的一个装置或m个装置之外的一个装置在[1,n-1] 区间内随机选择m个整数c1,…,cm,然后按前述秘密c的递进计算方法计算得到c;取GB=[c-1]G,b=1,w=(c-1(1+dA)-1)mod n,h=1,其中c-1是c 的模n乘法逆,dA是用户的SM2私钥;将c1,…,cm分别分发给第1号到第 m号装置,将GB、w分发给需要的装置(b、h不用分发,只需采用b=1、 h=1对应的计算公式即可),将c、dA销毁;当需要使用用户的SM2私钥 dA针对消息M生成数字签名时,m个装置按前述支持混合秘密共享的SM2 数字签名协同生成方法生成针对消息M的数字签名。此实施例中,用户的SM2私钥dA由在[1,n-1]中随机选择一个整数生成。This embodiment includes m devices numbered No. 1 to No. m respectively, where m≥2; in the initialization phase, one of the m devices or one device other than the m devices is in [1, n-1 ] randomly select m integers c 1 ,...,cm in the interval, and then calculate c according to the aforementioned progressive calculation method of secret c; take GB = [c -1 ]G, b = 1, w = (c - 1 (1+d A ) -1 ) mod n, h=1, where c -1 is the modulo n multiplicative inverse of c , and d A is the user's SM2 private key; distribute c 1 ,...,cm to the No. 1 to No. m devices, distribute GB and w to the required devices (b, h do not need to be distributed, just use the calculation formula corresponding to b=1, h=1), and destroy c and d A ; When the user's SM2 private key d A needs to generate a digital signature for the message M, m devices generate a digital signature for the message M according to the aforementioned SM2 digital signature collaborative generation method supporting hybrid secret sharing. In this embodiment, the user's SM2 private key d A is generated by randomly selecting an integer in [1,n-1].

实施例6、Embodiment 6,

此实施例与实施例3的差别在于:用户的SM2私钥dA是在计算得到 c后生成的,且以满足w=(c-1(1+dA)-1)mod n且dA≠0的dA作为用户的SM2 私钥,其中w是在[1,n-1]中固定选择或任意选择(主观任选或随机选择) 的整数。The difference between this embodiment and Embodiment 3 is that the user's SM2 private key d A is generated after calculating c, and satisfies w=(c -1 (1+d A ) -1 )mod n and d A d A of ≠ 0 is used as the user's SM2 private key, where w is an integer selected fixedly or arbitrarily (subjectively or randomly) in [1,n-1].

实施例7、Embodiment 7,

此实施例包括m个分别标号为第1号到第m号的装置,m≥2;在初始化阶段,m个装置中的一个装置或m个装置之外的一个装置在[1,n-1] 区间内随机选择m个整数c1,…,cm,然后按前述秘密c的递进计算方法计算得到c;取GB=[-c-1dA]G,b=1,w=(-c-1dA(1+dA)-1)modn,h=0,其中c-1是c的模n乘法逆,dA是用户的SM2私钥;将c1,…,cm分别分发给第1号到第m号装置,将GB、w分发给需要的装置(b、h不用分发,只需采用 b=1、h=0对应的计算公式即可),将c、dA销毁;当需要使用用户的SM2 私钥dA针对消息M生成数字签名时,m个装置按前述支持混合秘密共享的 SM2数字签名协同生成方法生成针对消息M的数字签名。此实施例中,用户的SM2私钥dA由在[1,n-1]中随机选择一个整数生成。This embodiment includes m devices numbered No. 1 to No. m respectively, where m≥2; in the initialization phase, one of the m devices or one device other than the m devices is in [1, n-1 ] randomly select m integers c 1 ,...,cm in the interval, and then calculate c according to the above-mentioned progressive calculation method of secret c; take GB =[-c -1 d A ]G, b =1, w= (-c -1 d A (1+d A ) -1 ) modn, h=0, where c -1 is the modulo n multiplicative inverse of c , and d A is the user's SM2 private key; m is distributed to No. 1 to No. m devices respectively, and GB and w are distributed to the required devices (b, h do not need to be distributed, just use the calculation formula corresponding to b=1, h=0), and c , d A is destroyed; when the user's SM2 private key d A needs to generate a digital signature for message M, m devices generate a digital signature for message M according to the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing. In this embodiment, the user's SM2 private key d A is generated by randomly selecting an integer in [1,n-1].

实施例8、Embodiment 8,

此实施例与实施例3的差别在于:用户的SM2私钥dA是在计算得到 c后生成的,且以w=(-c-1dA(1+dA)-1)mod n且dA≠0的dA作为用户的SM2 私钥,其中w是在[1,n-1]中固定选择或任意选择(主观任选或随机选择) 的整数。The difference between this embodiment and Embodiment 3 is that the user's SM2 private key d A is generated after calculating c, and w=(-c -1 d A (1+d A ) -1 )mod n and d A with d A ≠ 0 is used as the user's SM2 private key, where w is an integer selected fixedly or arbitrarily (subjectively or randomly) in [1,n-1].

Embodiment 9

This embodiment comprises $m$ devices numbered 1 to $m$, with $m \ge 2$. In the initialization phase, one of the $m$ devices, or a device other than the $m$ devices, randomly selects $m-1$ integers $c_1, \dots, c_{m-1}$ in the interval $[1, n-1]$, takes $c_m = 1$, and then calculates $c$ by the progressive calculation method for the secret $c$ described above, where $t_m$ is calculated with the formula $t_m = (c_m t_{m-1}) \bmod n$. It takes $G_B = [c^{-1}]G$, $b = 1$, $w = (c^{-1}(1+d_A)^{-1}) \bmod n$, $h = 1$, where $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, $(1+d_A)^{-1}$ is the multiplicative inverse of $(1+d_A)$ modulo $n$, and $d_A$ is the user's SM2 private key. It distributes $c_1, \dots, c_{m-1}$ to devices 1 to $m-1$ respectively, distributes $w$ to device $m$ to be kept as a secret (the other devices do not have $w$), distributes $G_B$ to the devices that need it ($b$ and $h$ need not be distributed; it suffices to use the calculation formulas corresponding to $b = 1$, $h = 1$), and destroys $c$ and $d_A$. When a digital signature for a message $M$ has to be generated with the user's SM2 private key $d_A$, the $m$ devices generate the digital signature for $M$ by the SM2 digital signature collaborative generation method supporting mixed secret sharing described above, with device $m$ calculating $s = (w s_m - h r) \bmod n$. In this embodiment, the user's SM2 private key $d_A$ is generated by randomly selecting an integer in $[1, n-1]$.

Embodiment 10

This embodiment differs from Embodiment 6 in that the user's SM2 private key $d_A$ is generated after $c$ has been calculated, and the $d_A$ that satisfies $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key, where $w$ is an integer randomly selected in $[1, n-1]$.

Embodiment 11

This embodiment comprises $m$ devices numbered 1 to $m$, with $m \ge 2$. In the initialization phase, one of the $m$ devices, or a device other than the $m$ devices, randomly selects $m-1$ integers $c_1, \dots, c_{m-1}$ in the interval $[1, n-1]$, takes $c_m = 1$, and then calculates $c$ by the progressive calculation method for the secret $c$ described above, where $t_m$ is calculated with the formula $t_m = (c_m t_{m-1}) \bmod n$. It takes $G_B = [-c^{-1}d_A]G$, $b = 1$, $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $h = 0$, where $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, $(1+d_A)^{-1}$ is the multiplicative inverse of $(1+d_A)$ modulo $n$, and $d_A$ is the user's SM2 private key. It distributes $c_1, \dots, c_{m-1}$ to devices 1 to $m-1$ respectively, distributes $w$ to device $m$ to be kept as a secret (the other devices do not have $w$), distributes $G_B$ to the devices that need it ($b$ and $h$ need not be distributed; it suffices to use the calculation formulas corresponding to $b = 1$, $h = 0$), and destroys $c$ and $d_A$. When a digital signature for a message $M$ has to be generated with the user's SM2 private key $d_A$, the $m$ devices generate the digital signature for $M$ by the SM2 digital signature collaborative generation method supporting mixed secret sharing described above, with device $m$ calculating $s = (w s_m - h r) \bmod n$ (that is, $s = (w s_m) \bmod n$). In this embodiment, the user's SM2 private key $d_A$ is generated by randomly selecting an integer in $[1, n-1]$.

Embodiment 12

This embodiment differs from Embodiment 6 in that the user's SM2 private key $d_A$ is generated after $c$ has been calculated, and the $d_A$ that satisfies $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key, where $w$ is an integer randomly selected in $[1, n-1]$.

A corresponding SM2 digital signature collaborative generation system is built on the SM2 digital signature collaborative generation method supporting mixed secret sharing described above. The system comprises $m$ devices, where $m$ is greater than or equal to 2; each of the $m$ devices is a cryptographic server or a user computing device; following the SM2 digital signature generation method, the $m$ devices collaboratively generate the digital signature for a message $M$ using the user's SM2 private key $d_A$.

Other specific technical implementations not described here are well known and self-evident to those skilled in the relevant art.

Claims (10)

1. An SM2 digital signature collaborative generation method supporting mixed secret sharing, characterized in that:

The method involves $m$ devices, where $m \ge 2$;

The $m$ devices are numbered device 1 to device $m$; the $m$ devices respectively hold integer secrets $c_1, c_2, \dots, c_m$ randomly selected in the interval $[1, n-1]$, where $n$ is the order of the SM2 elliptic curve point group and also the order of the base point $G$ of the SM2 elliptic curve point group, and $c_i$ is the secret held by device $i$, $i = 1, \dots, m$;

In the initialization phase the secret $c$ is calculated as follows:

Step 1: set $t_1 = c_1$ and go to step 2;

Step $i$, $i = 2, \dots, m$: calculate $t_i = (t_{i-1} + c_i) \bmod n$, or $t_i = (c_i t_{i-1}) \bmod n$;

If $i = m$, let $c = t_m$, which completes the calculation of the secret $c$; otherwise go to step $i+1$, until $t_m$ has been calculated in step $m$;

In the above calculation of $c$, the calculation formula is chosen independently at each step;

Then take $G_B = [(1+d_A)]G$, $b = (c^{-1}(1+d_A)^{-1}) \bmod n$, $w = 1$, $h = 1$,

or take $G_B = [(1+d_A)]G$, $b = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $w = 1$, $h = 0$,

or take $G_B = [c^{-1}]G$, $b = 1$, $w = (c^{-1}(1+d_A)^{-1}) \bmod n$, $h = 1$,

or take $G_B = [-c^{-1}d_A]G$, $b = 1$, $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $h = 0$,

where $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, $(1+d_A)^{-1}$ is the multiplicative inverse of $(1+d_A)$ modulo $n$, and $d_A$ is the user's SM2 private key;

After initialization is complete, $G_B$, $b$, $w$, $h$ are distributed to the $m$ devices, and none of the $m$ devices holds the user's SM2 private key $d_A$ or the secret $c$;

When a message $M$ has to be digitally signed with the user's SM2 private key $d_A$, the $m$ devices collaboratively generate the digital signature as follows:

Device 1 randomly selects an integer $k_1$ in $[1, n-1]$, calculates $Q_1 = [k_1]G_B$, and then sends $Q_1$ to device 2;

Device $i$, $i = 2, \dots, m$, randomly selects an integer $k_i$ in $[1, n-1]$ and calculates $Q_i$ as follows:

If the formula used to calculate $t_i$ is $t_i = (t_{i-1} + c_i) \bmod n$, then $Q_i = Q_{i-1} + [k_i]G_B$;

If the formula used to calculate $t_i$ is $t_i = (c_i t_{i-1}) \bmod n$, then $Q_i = [c_i]Q_{i-1} + [k_i]G_B$;

If $i = m$, let $Q = Q_m$ and proceed to the subsequent processing; otherwise device $i$ sends $Q_i$ to device $i+1$, until device $m$ has completed the calculation of $Q_m$;

One of the $m$ devices calculates $r = (e + x_1) \bmod n$, where $x_1$ is taken from $(x_1, y_1) = Q$ and $e$ is the hash value derived from the user identifier and the message $M$;

Then device 1 calculates $s_1 = (k_1 + c_1 b r) \bmod n$, where $k_1$ is the same $k_1$ used to calculate $Q_1$;

Device 1 sends $s_1$ to device 2;

Device $i$, $i = 2, \dots, m$, calculates $s_i$ as follows:

If the formula used to calculate $Q_i$ is $Q_i = Q_{i-1} + [k_i]G_B$, then $s_i = (s_{i-1} + k_i + c_i b r) \bmod n$;

If the formula used to calculate $Q_i$ is $Q_i = [c_i]Q_{i-1} + [k_i]G_B$, then $s_i = (c_i s_{i-1} + k_i) \bmod n$, where $k_i$ is the same $k_i$ used to calculate $Q_i$;

If $i = m$, then once $s_m$ has been calculated, proceed to the subsequent calculation; otherwise device $i$ sends $s_i$ to device $i+1$, until device $m$ has calculated $s_m$;

One of the $m$ devices calculates $s = (w s_m - h r) \bmod n$; $(r, s)$ is the digital signature for the message $M$.

2. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:

When $t_i$ is calculated, $i = 2, \dots,$ or $m$, if $t_i = 0$ occurs, the integer secrets $c_1, \dots, c_i$ are reselected in $[1, n-1]$, $t_1$ is reset, and $t_j$, $j = 2, \dots, i$, are recalculated, until $t_i \neq 0$, $i = 2, \dots, m$.

3. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:

If the user's SM2 private key $d_A$ is generated after $c$ has been calculated, the ways of generating the user's SM2 private key $d_A$ include randomly selecting an integer in $[1, n-1]$ as $d_A$, or proceeding as follows:

If $b = (c^{-1}(1+d_A)^{-1}) \bmod n$, an integer in $[1, n-1]$ is fixed or arbitrarily chosen as $b$, and the $d_A$ that satisfies $b = (c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key;

If $b = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, an integer in $[1, n-1]$ is fixed or arbitrarily chosen as $b$, and the $d_A$ that satisfies $b = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key;

If $w = (c^{-1}(1+d_A)^{-1}) \bmod n$, an integer in $[1, n-1]$ is fixed or arbitrarily chosen as $w$, and the $d_A$ that satisfies $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key;

If $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, an integer in $[1, n-1]$ is fixed or arbitrarily chosen as $w$, and the $d_A$ that satisfies $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key.

4. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:

If, after device $i$ has completed the calculation of $Q_i$, $i = 1, \dots,$ or $m$, a check finds that $Q_i$ is the zero element, devices 1 to $i$ reselect $k_j$ and recalculate $Q_j$, $j = 1, \dots, i$, until $Q_i$ is not the zero element, $i = 1, \dots, m$.

5. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:

If, in the process of generating the digital signature for the message $M$, a check finds that $r$ is the integer 0, the $m$ devices recalculate $Q_i$, $i = 1, \dots, m$, and recalculate $Q$ and $r$, until $r \neq 0$.

6. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:

If, in the process of generating the digital signature for the message $M$, a check finds that $[r]G + Q$ is the zero element of the SM2 elliptic curve point group, the $m$ devices recalculate $Q_i$, $i = 1, \dots, m$, and recalculate $Q$ and $r$, until $[r]G + Q$ is not the zero element of the SM2 elliptic curve point group;

Or, if after the digital signature for the message $M$ has been generated a check finds that $(s + r) \bmod n = 0$, the $m$ devices recalculate $Q_i$, $i = 1, \dots, m$, recalculate $Q$ and $r$, recalculate $s_i$, $i = 1, \dots, m$, and recalculate $s$, until $(s + r) \bmod n \neq 0$.

7. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:

In the process of generating the digital signature for the message $M$, if device $i$ substitutes $a_i k_i$ for $k_i$ in the formulas for both $Q_i$ and $s_i$, $i = 1, \dots,$ or $m$, the SM2 digital signature collaborative generation method still holds, where $a_i$ is an integer fixed or arbitrarily chosen in $[1, n-1]$, and $a_i$ is either kept secret or not kept secret.

8. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:

If $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ or $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ is taken, and $c_m = 1$ is taken and $t_m$ is calculated with the formula $t_m = (c_m t_{m-1}) \bmod n$, and $w$ is kept as a secret by device $m$, and device $m$ calculates $s = (w s_m - h r) \bmod n$, then the SM2 digital signature collaborative generation method still holds.

9. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 8, characterized in that:

If $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ or $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ is taken, and $c_m = 1$ is taken and $t_m$ is calculated with the formula $t_m = (c_m t_{m-1}) \bmod n$, and $w$ is kept as a secret by device $m$, and device $m$ calculates $s = (w s_m - h r) \bmod n$, and the user's SM2 private key $d_A$ is generated after $c$ has been calculated, then the ways of generating the user's SM2 private key $d_A$ include randomly selecting an integer in $[1, n-1]$ as $d_A$, or proceeding as follows:

If $w = (c^{-1}(1+d_A)^{-1}) \bmod n$, an integer in $[1, n-1]$ is randomly selected as $w$, and the $d_A$ that satisfies $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key;

If $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, an integer in $[1, n-1]$ is randomly selected as $w$, and the $d_A$ that satisfies $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key.

10. An SM2 digital signature collaborative generation system based on the SM2 digital signature collaborative generation method supporting mixed secret sharing according to any one of claims 1-9, characterized in that:

The SM2 digital signature collaborative generation system comprises $m$ devices, where $m$ is greater than or equal to 2; each of the $m$ devices is a cryptographic server or a user computing device; following the SM2 digital signature collaborative generation method, the $m$ devices collaboratively generate the digital signature for a message $M$ using the user's SM2 private key $d_A$.

CN201910335602.5A 2019-04-24 2019-04-24 SM2 digital signature collaborative generation method and system supporting mixed secret sharing Active CN110113165B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910335602.5A CN110113165B (en) 2019-04-24 2019-04-24 SM2 digital signature collaborative generation method and system supporting mixed secret sharing

Publications (2)

Publication Number Publication Date
CN110113165A CN110113165A (en) 2019-08-09
CN110113165B true CN110113165B (en) 2020-09-04

Family

ID=67486593

Country Status (1)

Country Link
CN (1) CN110113165B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant