CN110113165B - SM2 digital signature collaborative generation method and system supporting mixed secret sharing - Google Patents
- Publication number: CN110113165B
- Authority: CN (China)
- Legal status: Active (the listed status is an assumption and is not a legal conclusion)
Abstract
The invention relates to an SM2 digital signature method: m devices each hold a secret $c_1,\dots,c_m$. At initialization, starting from $t_1=c_1$, the values $t_2,\dots,t_m$ are calculated progressively by modulo-$n$ addition or multiplication with $c_2,\dots,c_m$; then $G_B=[1+d_A]G$ and $b=(t_m+t_m d_A)^{-1} \pmod n$ are calculated, where $d_A$ is the private key. When $d_A$ is required to sign a message $M$, the m devices respectively choose $k_i$ and, by a progressive calculation corresponding to the one used for $t_2,\dots,t_m$, obtain $Q_2,\dots,Q_m$ starting from $Q_1=[k_1]G_B$; $r=(e+x_1) \bmod n$ is calculated, where $(x_1,y_1)=Q_m$ and $e$ is the hash value of message $M$; the m devices, by a progressive calculation corresponding to the one used for $Q_2,\dots,Q_m$, obtain $s_2,\dots,s_m$ starting from $s_1=(k_1+c_1 b r) \bmod n$, and $s=(s_m-r) \bmod n$; $(r,s)$ is the digital signature.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an SM2 digital signature collaborative generation method and system supporting mixed secret sharing.
Background
SM2 is an elliptic curve public key cryptographic algorithm issued by the State Cryptography Administration (see the specification "SM2 elliptic curve public key cryptographic algorithm", State Cryptography Administration, December 2010); digital signature, key exchange and data encryption can be realized on the basis of this algorithm. However, because of the particular digital signature operation of the SM2 algorithm, general secret sharing (splitting) methods and the corresponding cryptographic operation methods based on general secret sharing cannot be applied to digital signing with an SM2 private key. To address this problem, the inventor of the present patent application has previously proposed corresponding digital signature generation schemes based on secret sharing, but those schemes support only sum secret sharing (the sum of the secret shares constitutes the secret) or product secret sharing (the product of the secret shares constitutes the secret), and do not support a secret sharing manner that mixes sums and products (mixed secret sharing). This is the problem to be solved by the invention of the present patent application.
Disclosure of Invention
The invention aims to provide a method and a system for cooperatively generating SM2 digital signatures, which support sum and product mixed secret sharing.
Aiming at the purpose of the invention, the technical scheme provided by the invention comprises an SM2 digital signature cooperative generation method and system supporting mixed secret sharing.
In the following description of the present invention, if $P$ and $Q$ are elements (points) of the elliptic curve point group, $P+Q$ denotes the point addition of $P$ and $Q$, and $[k]P$ denotes the point addition of $k$ copies of the elliptic curve point $P$, i.e. $P+\dots+P$ ($k$ copies of $P$ in total, that is, the multiplication of the point $P$ by the integer $k$; if $k$ is negative, it is the inverse of the point obtained by adding $|k|$ copies of $P$); an ellipsis "…" represents a plurality of data items of the same type or a plurality of identical operations ($[k]P$ is the notation for the scalar multiple of a point agreed in the SM2 elliptic curve public key cryptographic algorithm);
$c^{-1}$ denotes the modulo-$n$ multiplicative inverse of the integer $c$ (i.e. $c c^{-1} \bmod n = 1$); unless otherwise specified, an integer inverse in this patent application refers to the modulo-$n$ multiplicative inverse; when several integers are multiplied (including integer symbols multiplied together, and a constant multiplied by an integer symbol), the multiplication sign "·" is omitted where no ambiguity arises, e.g. $k_1 \cdot k_2$ is simplified to $k_1 k_2$, and $3 \cdot c$ is simplified to $3c$;
mod n denotes the modulo-$n$ operation, corresponding to modn in the SM2 elliptic curve public key cryptographic algorithm specification; also, the operator mod n has the lowest priority, e.g. $a+b \bmod n$ is equivalent to $(a+b) \bmod n$, $a-b \bmod n$ is equivalent to $(a-b) \bmod n$, and $ab \bmod n$ is equivalent to $(ab) \bmod n$.
The invention discloses a SM2 digital signature collaborative generation method supporting mixed secret sharing, which is concretely as follows.
The method involves m devices, where $m \ge 2$;
the m devices are numbered No. 1 to No. m; the m devices respectively hold integer secrets $c_1,c_2,\dots,c_m$ randomly selected in the interval $[1,n-1]$, where $n$ is the order of the SM2 elliptic curve point group and also the order of its base point $G$, and $c_i$ is the secret held by device No. $i$, $i=1,\dots,m$;
the secret $c$ is calculated in the initialization phase as follows (the initialization operation is completed by one of the m devices, or by a device other than the m devices, before or after $c_1,c_2,\dots,c_m$ are allocated to the m devices):
Step 1: set $t_1=c_1$ and go to step 2;
Step $i$, $i=2,\dots,m$: calculate $t_i=(t_{i-1}+c_i) \bmod n$, or $t_i=(c_i t_{i-1}) \bmod n$;
if $i=m$, let $c=t_m$ and the calculation of $c$ is complete; otherwise go to step $i+1$, until step $m$ yields $t_m$;
in the process of calculating $c$, the calculation formula is selected independently in each step; the formula of each step is selected independently of the formulas of the other steps, and is selected arbitrarily (subjectively or randomly) or according to design requirements;
then take $G_B=[(1+d_A)]G$, $b=(c^{-1}(1+d_A)^{-1}) \bmod n$, $w=1$, $h=1$,
or take $G_B=[(1+d_A)]G$, $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $w=1$, $h=0$,
or take $G_B=[c^{-1}]G$, $b=1$, $w=(c^{-1}(1+d_A)^{-1}) \bmod n$, $h=1$,
or take $G_B=[-c^{-1}d_A]G$, $b=1$, $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $h=0$,
where $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$, $(1+d_A)^{-1}$ is the modulo-$n$ multiplicative inverse of $(1+d_A)$, and $d_A$ is the user's SM2 private key;
after the initialization is completed, $G_B$, $b$, $w$, $h$ are distributed to the m devices, none of which holds $d_A$ or $c$;
When the user's SM2 private key $d_A$ needs to be used to digitally sign a message $M$, the m devices cooperatively generate the digital signature as follows (the party that needs to use the user's SM2 private key $d_A$ to digitally sign the message $M$ may be a cryptographic application, system or cryptographic module that invokes the m devices, or a cryptographic application or system in one of the m devices):
device No. 1 randomly selects an integer $k_1$ in $[1,n-1]$, calculates $Q_1=[k_1]G_B$, and then sends $Q_1$ to device No. 2;
device No. $i$, $i=2,\dots,m$, randomly selects an integer $k_i$ in $[1,n-1]$ and calculates $Q_i$ as follows:
if the formula used to calculate $t_i$ is $t_i=(t_{i-1}+c_i) \bmod n$, then $Q_i=Q_{i-1}+[k_i]G_B$;
if the formula used to calculate $t_i$ is $t_i=(c_i t_{i-1}) \bmod n$, then $Q_i=[c_i]Q_{i-1}+[k_i]G_B$;
if $i=m$, let $Q=Q_m$ and go to the subsequent processing; otherwise device No. $i$ sends $Q_i$ to device No. $i+1$, until device No. $m$ completes the calculation of $Q_m$;
one of the m devices calculates $r=(e+x_1) \bmod n$, where $x_1$ is taken from $(x_1,y_1)=Q$, and $e$ is a hash value derived from the user identity and the message $M$ (according to the SM2 algorithm, $e$ is the hash value of the data obtained by merging the hash value $Z_A$, derived from the user identity $ID_A$ and other parameters, with the message $M$; see the SM2 specification);
(here $r$ is non-secret data and can be transferred between devices as required)
thereafter, device No. 1 calculates $s_1=(k_1+c_1 b r) \bmod n$, where $k_1$ is the same $k_1$ used when calculating $Q_1$;
device No. 1 sends $s_1$ to device No. 2;
device No. $i$, $i=2,\dots,m$, calculates $s_i$ as follows:
if the formula used to calculate $Q_i$ is $Q_i=Q_{i-1}+[k_i]G_B$, then $s_i=(s_{i-1}+k_i+c_i b r) \bmod n$;
if the formula used to calculate $Q_i$ is $Q_i=[c_i]Q_{i-1}+[k_i]G_B$, then $s_i=(c_i s_{i-1}+k_i) \bmod n$, where $k_i$ is the same $k_i$ used when calculating $Q_i$;
if $i=m$, the subsequent calculation is carried out once $s_m$ has been calculated; otherwise device No. $i$ sends $s_i$ to device No. $i+1$, until device No. $m$ calculates $s_m$;
one of the m devices calculates $s=(w s_m-h r) \bmod n$; $(r,s)$ is the digital signature for message $M$.
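Why the two passes yield a standard SM2 signature (an added derivation, not part of the patent text; the accumulated nonce $K_i$ is notation introduced here). Define $K_1=k_1$, and $K_i=K_{i-1}+k_i$ for an additive step or $K_i=c_iK_{i-1}+k_i$ for a multiplicative step. By induction on $i$,

$$Q_i=[K_i]G_B,\qquad s_i=(K_i+t_i\,b\,r) \bmod n,$$

because an additive step gives $s_i=s_{i-1}+k_i+c_i b r=K_i+(t_{i-1}+c_i)\,b\,r$ and a multiplicative step gives $s_i=c_i s_{i-1}+k_i=K_i+c_i t_{i-1}\,b\,r$. Writing $K=K_m$ and $c=t_m$, the first parameter choice ($G_B=[(1+d_A)]G$, $b=c^{-1}(1+d_A)^{-1}$, $w=1$, $h=1$) gives $Q=[k]G$ with $k=K(1+d_A)$ and

$$s=s_m-r=K+(1+d_A)^{-1}r-r=(1+d_A)^{-1}\bigl(K(1+d_A)-r\,d_A\bigr)=(1+d_A)^{-1}(k-r\,d_A) \bmod n,$$

which is the ordinary SM2 signing equation for nonce $k$. The other three choices reduce to the same equation with $k=K(1+d_A)$, $k=Kc^{-1}$ and $k=-Kc^{-1}d_A$ respectively.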
For the SM2 digital signature collaborative generation method described above, if $t_i=0$ occurs when calculating $t_i$, $i=2,\dots,$ or $m$, then the integer secrets $c_1,\dots,c_i$ are selected again in $[1,n-1]$, $t_1$ is reset and $t_j$, $j=2,\dots,i$, are recalculated, until $t_i\neq 0$, $i=2,\dots,m$.
For the above-mentioned SM2 digital signature collaborative generation method, if the user's SM2 private key $d_A$ is generated after $c$ is calculated, the ways of generating the user's SM2 private key $d_A$ include randomly selecting an integer in $[1,n-1]$ as $d_A$, or the following:
if $b=(c^{-1}(1+d_A)^{-1}) \bmod n$ is taken, then an integer is fixed or arbitrarily selected (subjectively or randomly) in $[1,n-1]$ as $b$, and the $d_A$ that satisfies $b=(c^{-1}(1+d_A)^{-1}) \bmod n$ with $d_A\neq 0$ is taken as the user's SM2 private key;
if $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ is taken, then an integer is fixed or arbitrarily selected (subjectively or randomly) in $[1,n-1]$ as $b$, and the $d_A$ that satisfies $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ with $d_A\neq 0$ is taken as the user's SM2 private key;
if $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ is taken, then an integer is fixed or arbitrarily selected (subjectively or randomly) in $[1,n-1]$ as $w$, and the $d_A$ that satisfies $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ with $d_A\neq 0$ is taken as the user's SM2 private key;
if $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ is taken, then an integer is fixed or arbitrarily selected (subjectively or randomly) in $[1,n-1]$ as $w$, and the $d_A$ that satisfies $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ with $d_A\neq 0$ is taken as the user's SM2 private key.
For the above-mentioned SM2 digital signature collaborative generation method, if device No. $i$, after completing the calculation of $Q_i$, $i=1,\dots,$ or $m$, finds on checking that $Q_i$ is the zero element (point at infinity), then devices No. 1 to No. $i$ reselect $k_j$ and recalculate $Q_j$, $j=1,\dots,i$, until $Q_i$ is not the zero element, $i=1,\dots,m$.
For the above-mentioned SM2 digital signature collaborative generation method, if it is found on checking that $r$ is the integer 0 in the process of generating a digital signature for a message $M$, the m devices recalculate $Q_i$, $i=1,\dots,m$, and recalculate $Q$ and $r$, until $r\neq 0$.
For the above-mentioned SM2 digital signature collaborative generation method, if it is found on checking, in the process of generating the digital signature for the message $M$, that $[r]G+Q$ is the zero element (point at infinity) of the SM2 elliptic curve point group, then the m devices recalculate $Q_i$, $i=1,\dots,m$, and recalculate $Q$ and $r$, until $[r]G+Q$ is not the zero element of the SM2 elliptic curve point group;
alternatively, if it is found on checking that $(s+r) \bmod n=0$ after the digital signature for the message $M$ is generated, the m devices recalculate $Q_i$, $i=1,\dots,m$, recalculate $Q$ and $r$, recalculate $s_i$, $i=1,\dots,m$, and recalculate $s$, until $(s+r) \bmod n\neq 0$.
For the above-mentioned SM2 digital signature cooperative generation method, in the digital signature generation process for the message $M$, if device No. $i$ (not necessarily every device) uses $a_i k_i$ in place of $k_i$ in the calculation formulas of both $Q_i$ and $s_i$, $i=1,\dots,$ or $m$, the SM2 digital signature collaborative generation method still holds, where $a_i$ is an integer fixed or arbitrarily selected (subjectively or randomly) in $[1,n-1]$, and $a_i$ is kept secret or not kept secret from the outside (if $a_i$ is a randomly selected integer, then $a_i$ is an integer randomly selected in $[1,n-1]$ each time $Q_i$ is calculated, or randomly selected in $[1,n-1]$ at initialization).
In the above-described SM2 digital signature cooperative generation method, if $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ or $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ is taken, $c_m=1$ is taken and $t_m$ is calculated using the formula $t_m=(c_m t_{m-1}) \bmod n$, $w$ is held as a secret by device No. $m$ (the other devices do not have $w$), and $s=(w s_m-h r) \bmod n$ is calculated by device No. $m$, then the SM2 digital signature collaborative generation method still holds.
In the above-described SM2 digital signature cooperative generation method, if $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ or $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ is taken, $c_m=1$ is taken and $t_m$ is calculated using the formula $t_m=(c_m t_{m-1}) \bmod n$, $w$ is held as a secret by device No. $m$ (the other devices do not have $w$), $s=(w s_m-h r) \bmod n$ is calculated by device No. $m$, and the user's SM2 private key $d_A$ is generated after $c$ is calculated, then the ways of generating the user's SM2 private key $d_A$ include randomly selecting an integer in $[1,n-1]$ as $d_A$, or the following:
if $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ is taken, then an integer is randomly selected in $[1,n-1]$ as $w$, and the $d_A$ that satisfies $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ with $d_A\neq 0$ is taken as the user's SM2 private key;
if $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ is taken, then an integer is randomly selected in $[1,n-1]$ as $w$, and the $d_A$ that satisfies $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ with $d_A\neq 0$ is taken as the user's SM2 private key.
Based on the SM2 digital signature collaborative generation method, an SM2 digital signature collaborative generation system can be constructed; the system comprises m devices, where $m \ge 2$, and the m devices cooperatively generate, according to the SM2 digital signature generation method, a digital signature for message $M$ using the user's SM2 private key $d_A$.
From the above description, it can be seen that the SM2 digital signature collaborative generation method and system of the present invention support mixed secret sharing, i.e. the process of computing the shared secret $c$ includes both modulo-$n$ sums of elements of $c_1,\dots,c_m$ and modulo-$n$ products of elements of $c_1,\dots,c_m$.
Detailed Description
The present invention will be further described with reference to the following examples. The following examples are merely illustrative of a few possible embodiments of the present invention and are not intended to represent all possible embodiments and are not intended to limit the present invention.
Example 1
This embodiment includes m devices numbered 1 to m, where m is 2 or more; in the initialization phase, one of the m devices, or a device other than the m devices, randomly selects m integers $c_1,\dots,c_m$ in the interval $[1,n-1]$ and then obtains $c$ by the progressive calculation method for the secret $c$ described above; it takes $G_B=[(1+d_A)]G$, $b=(c^{-1}(1+d_A)^{-1}) \bmod n$, $w=1$, $h=1$, where $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$, $(1+d_A)^{-1}$ is the modulo-$n$ multiplicative inverse of $(1+d_A)$, and $d_A$ is the user's SM2 private key; $c_1,\dots,c_m$ are distributed to devices No. 1 to No. m respectively, $G_B$ and $b$ are distributed to the devices that need them ($w$ and $h$ do not need to be distributed; it suffices to use the calculation formulas corresponding to $w=1$, $h=1$), and $c$ and $d_A$ are destroyed; when the user's SM2 private key $d_A$ needs to be used to generate a digital signature for the message $M$, the m devices generate the digital signature for the message $M$ by the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing. In this embodiment, the user's SM2 private key $d_A$ is generated by randomly selecting an integer in $[1,n-1]$.
Example 2
The difference between this example and example 1 is that the user's SM2 private key $d_A$ is generated after $c$ is calculated: the $d_A$ that satisfies $b=(c^{-1}(1+d_A)^{-1}) \bmod n$ with $d_A\neq 0$ is taken as the user's SM2 private key, where $b$ is an integer fixed or arbitrarily selected (subjectively or randomly) in $[1,n-1]$.
Example 3
This embodiment includes m devices numbered 1 to m, where m is 2 or more; in the initialization phase, one of the m devices, or a device other than the m devices, randomly selects m integers $c_1,\dots,c_m$ in the interval $[1,n-1]$ and then obtains $c$ by the progressive calculation method for the secret $c$ described above; it takes $G_B=[(1+d_A)]G$, $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $w=1$, $h=0$, where $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$, $(1+d_A)^{-1}$ is the modulo-$n$ multiplicative inverse of $(1+d_A)$, and $d_A$ is the user's SM2 private key; $c_1,\dots,c_m$ are distributed to devices No. 1 to No. m respectively, $G_B$ and $b$ are distributed to the devices that need them ($w$ and $h$ do not need to be distributed; it suffices to use the calculation formulas corresponding to $w=1$, $h=0$), and $c$ and $d_A$ are destroyed; when the user's SM2 private key $d_A$ needs to be used to generate a digital signature for the message $M$, the m devices generate the digital signature for the message $M$ by the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing. In this embodiment, the user's SM2 private key $d_A$ is generated by randomly selecting an integer in $[1,n-1]$.
Example 4
The difference between this example and example 1 is that the user's SM2 private key $d_A$ is generated after $c$ is calculated: the $d_A$ that satisfies $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ with $d_A\neq 0$ is taken as the user's SM2 private key, where $b$ is an integer fixed or arbitrarily selected (subjectively or randomly) in $[1,n-1]$.
Example 5
This embodiment includes m devices numbered 1 to m, where m is 2 or more; in the initialization phase, one of the m devices, or a device other than the m devices, randomly selects m integers $c_1,\dots,c_m$ in the interval $[1,n-1]$ and then obtains $c$ by the progressive calculation method for the secret $c$ described above; it takes $G_B=[c^{-1}]G$, $b=1$, $w=(c^{-1}(1+d_A)^{-1}) \bmod n$, $h=1$, where $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$ and $d_A$ is the user's SM2 private key; $c_1,\dots,c_m$ are distributed to devices No. 1 to No. m respectively, $G_B$ and $w$ are distributed to the devices that need them ($b$ and $h$ do not need to be distributed; it suffices to use the calculation formulas corresponding to $b=1$, $h=1$), and $c$ and $d_A$ are destroyed; when the user's SM2 private key $d_A$ needs to be used to generate a digital signature for the message $M$, the m devices generate the digital signature for the message $M$ by the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing. In this embodiment, the user's SM2 private key $d_A$ is generated by randomly selecting an integer in $[1,n-1]$.
Example 6
The difference between this example and example 3 is that the user's SM2 private key $d_A$ is generated after $c$ is calculated: the $d_A$ that satisfies $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ with $d_A\neq 0$ is taken as the user's SM2 private key, where $w$ is an integer fixed or arbitrarily selected (subjectively or randomly) in $[1,n-1]$.
Example 7
This embodiment includes m devices numbered 1 to m, where m is 2 or more; in the initialization phase, one of the m devices, or a device other than the m devices, randomly selects m integers $c_1,\dots,c_m$ in the interval $[1,n-1]$ and then obtains $c$ by the progressive calculation method for the secret $c$ described above; it takes $G_B=[-c^{-1}d_A]G$, $b=1$, $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $h=0$, where $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$ and $d_A$ is the user's SM2 private key; $c_1,\dots,c_m$ are distributed to devices No. 1 to No. m respectively, $G_B$ and $w$ are distributed to the devices that need them ($b$ and $h$ do not need to be distributed; it suffices to use the calculation formulas corresponding to $b=1$, $h=0$), and $c$ and $d_A$ are destroyed; when the user's SM2 private key $d_A$ needs to be used to generate a digital signature for the message $M$, the m devices generate the digital signature for the message $M$ by the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing. In this embodiment, the user's SM2 private key $d_A$ is generated by randomly selecting an integer in $[1,n-1]$.
Example 8
The difference between this example and example 3 is that the user's SM2 private key $d_A$ is generated after $c$ is calculated: the $d_A$ that satisfies $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ with $d_A\neq 0$ is taken as the user's SM2 private key, where $w$ is an integer fixed or arbitrarily selected (subjectively or randomly) in $[1,n-1]$.
Example 9
This embodiment includes m devices numbered 1 to m, where m is 2 or more; in the initialization phase, one of the m devices, or a device other than the m devices, randomly selects m-1 integers $c_1,\dots,c_{m-1}$ in the interval $[1,n-1]$, takes $c_m=1$, and then obtains $c$ by the progressive calculation method for the secret $c$ described above, where $t_m$ is calculated using the formula $t_m=(c_m t_{m-1}) \bmod n$; it takes $G_B=[c^{-1}]G$, $b=1$, $w=(c^{-1}(1+d_A)^{-1}) \bmod n$, $h=1$, where $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$, $(1+d_A)^{-1}$ is the modulo-$n$ multiplicative inverse of $(1+d_A)$, and $d_A$ is the user's SM2 private key; $c_1,\dots,c_{m-1}$ are distributed to devices No. 1 to No. m-1 respectively, $w$ is distributed to device No. m to be held as a secret (the other devices do not have $w$), $G_B$ is distributed to the devices that need it ($b$ and $h$ do not need to be distributed; it suffices to use the calculation formulas corresponding to $b=1$, $h=1$), and $c$ and $d_A$ are destroyed; when the user's SM2 private key $d_A$ needs to be used to generate a digital signature for a message $M$, the m devices generate the digital signature for the message $M$ by the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing, where $s=(w s_m-h r) \bmod n$ is calculated by device No. m. In this embodiment, the user's SM2 private key $d_A$ is generated by randomly selecting an integer in $[1,n-1]$.
Example 10
The difference between this example and example 6 is that the user's SM2 private key $d_A$ is generated after $c$ is calculated: the $d_A$ that satisfies $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ with $d_A\neq 0$ is taken as the user's SM2 private key, where $w$ is an integer randomly selected in $[1,n-1]$.
Example 11
This embodiment includes m devices numbered 1 to m, where m is 2 or more; in the initialization phase, one of the m devices, or a device other than the m devices, randomly selects m-1 integers $c_1,\dots,c_{m-1}$ in the interval $[1,n-1]$, takes $c_m=1$, and then obtains $c$ by the progressive calculation method for the secret $c$ described above, where $t_m$ is calculated using the formula $t_m=(c_m t_{m-1}) \bmod n$; it takes $G_B=[-c^{-1}d_A]G$, $b=1$, $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $h=0$, where $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$, $(1+d_A)^{-1}$ is the modulo-$n$ multiplicative inverse of $(1+d_A)$, and $d_A$ is the user's SM2 private key; $c_1,\dots,c_{m-1}$ are distributed to devices No. 1 to No. m-1 respectively, $w$ is distributed to device No. m to be held as a secret (the other devices do not have $w$), $G_B$ is distributed to the devices that need it ($b$ and $h$ do not need to be distributed; it suffices to use the calculation formulas corresponding to $b=1$, $h=0$), and $c$ and $d_A$ are destroyed; when the user's SM2 private key $d_A$ needs to be used to generate a digital signature for a message $M$, the m devices generate the digital signature for the message $M$ by the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing, where $s=(w s_m-h r) \bmod n$ (i.e. $s=(w s_m) \bmod n$) is calculated by device No. m. In this embodiment, the user's SM2 private key $d_A$ is generated by randomly selecting an integer in $[1,n-1]$.
Example 12
The difference between this example and example 6 is that the user's SM2 private key $d_A$ is generated after $c$ is calculated: the $d_A$ that satisfies $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ with $d_A\neq 0$ is taken as the user's SM2 private key, where $w$ is an integer randomly selected in $[1,n-1]$.
A corresponding SM2 digital signature cooperative generation system is constructed on the basis of the SM2 digital signature cooperative generation method supporting mixed secret sharing; the system comprises m devices, where m is greater than or equal to 2; each of the m devices is a cryptographic server or a user computing device; the m devices cooperatively generate, according to the SM2 digital signature generation method, a digital signature for message $M$ using the user's SM2 private key $d_A$.
Other specific technical implementations not described are well known to those skilled in the relevant art and will be apparent to those skilled in the relevant art.
Claims (10)
1. An SM2 digital signature collaborative generation method supporting mixed secret sharing, characterized in that:
the method involves m devices, where $m \ge 2$;
the m devices are numbered No. 1 to No. m; the m devices respectively hold integer secrets $c_1,c_2,\dots,c_m$ randomly selected in the interval $[1,n-1]$, where $n$ is the order of the SM2 elliptic curve point group and also the order of its base point $G$, and $c_i$ is the secret held by device No. $i$, $i=1,\dots,m$;
the secret $c$ is calculated in the initialization phase as follows:
Step 1: set $t_1=c_1$ and go to step 2;
Step $i$, $i=2,\dots,m$: calculate $t_i=(t_{i-1}+c_i) \bmod n$, or $t_i=(c_i t_{i-1}) \bmod n$;
if $i=m$, let $c=t_m$ and the calculation of the secret $c$ is complete; otherwise go to step $i+1$, until step $m$ yields $t_m$;
in the process of calculating $c$, the calculation formula is selected independently in each step;
then take $G_B=[(1+d_A)]G$, $b=(c^{-1}(1+d_A)^{-1}) \bmod n$, $w=1$, $h=1$,
or take $G_B=[(1+d_A)]G$, $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $w=1$, $h=0$,
or take $G_B=[c^{-1}]G$, $b=1$, $w=(c^{-1}(1+d_A)^{-1}) \bmod n$, $h=1$,
or take $G_B=[-c^{-1}d_A]G$, $b=1$, $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $h=0$,
where $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$, $(1+d_A)^{-1}$ is the modulo-$n$ multiplicative inverse of $(1+d_A)$, and $d_A$ is the user's SM2 private key;
after the initialization is completed, $G_B$, $b$, $w$, $h$ are distributed to the m devices, none of which holds the user's SM2 private key $d_A$ or the secret $c$;
when the user's SM2 private key $d_A$ needs to be used to digitally sign the message $M$, the m devices cooperatively generate the digital signature as follows:
device No. 1 randomly selects an integer $k_1$ in $[1,n-1]$, calculates $Q_1=[k_1]G_B$, and then sends $Q_1$ to device No. 2;
device No. $i$, $i=2,\dots,m$, randomly selects an integer $k_i$ in $[1,n-1]$ and calculates $Q_i$ as follows:
if the formula used to calculate $t_i$ is $t_i=(t_{i-1}+c_i) \bmod n$, then $Q_i=Q_{i-1}+[k_i]G_B$;
if the formula used to calculate $t_i$ is $t_i=(c_i t_{i-1}) \bmod n$, then $Q_i=[c_i]Q_{i-1}+[k_i]G_B$;
if $i=m$, let $Q=Q_m$ and go to the subsequent processing; otherwise device No. $i$ sends $Q_i$ to device No. $i+1$, until device No. $m$ completes the calculation of $Q_m$;
one of the m devices calculates $r=(e+x_1) \bmod n$, where $x_1$ is taken from $(x_1,y_1)=Q$, and $e$ is a hash value derived from the user identity and the message $M$;
thereafter, device No. 1 calculates $s_1=(k_1+c_1 b r) \bmod n$, where $k_1$ is the same $k_1$ used when calculating $Q_1$;
device No. 1 sends $s_1$ to device No. 2;
device No. $i$, $i=2,\dots,m$, calculates $s_i$ as follows:
if the formula used to calculate $Q_i$ is $Q_i=Q_{i-1}+[k_i]G_B$, then $s_i=(s_{i-1}+k_i+c_i b r) \bmod n$;
if the formula used to calculate $Q_i$ is $Q_i=[c_i]Q_{i-1}+[k_i]G_B$, then $s_i=(c_i s_{i-1}+k_i) \bmod n$, where $k_i$ is the same $k_i$ used when calculating $Q_i$;
if $i=m$, the subsequent calculation is carried out once $s_m$ has been calculated; otherwise device No. $i$ sends $s_i$ to device No. $i+1$, until device No. $m$ calculates $s_m$;
one of the m devices calculates $s=(w s_m-h r) \bmod n$; $(r,s)$ is the digital signature for message $M$.
2. The SM2 digital signature cooperative generation method supporting mixed secret sharing according to claim 1, wherein:
when calculating $t_i$, $i=2,\dots,$ or $m$, if $t_i=0$ occurs, the integer secrets $c_1,\dots,c_i$ are selected again in $[1, n-1]$, $t_1$ is reset, and $t_j$, $j=2,\dots,i$, is recalculated, until $t_i \neq 0$, $i=2,\dots,m$.
3. The SM2 digital signature cooperative generation method supporting mixed secret sharing according to claim 1, wherein:
if the user's SM2 private key $d_A$ is generated after $c$ is calculated, the ways of generating the user's SM2 private key $d_A$ include randomly selecting an integer in $[1, n-1]$ as $d_A$, or the following:
if $b=(c^{-1}(1+d_A)^{-1}) \bmod n$, then an integer in $[1, n-1]$ is fixed or arbitrarily selected as $b$, and the $d_A$ that satisfies $b=(c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is taken as the user's SM2 private key;
if $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, then an integer in $[1, n-1]$ is fixed or arbitrarily selected as $b$, and the $d_A$ that satisfies $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is taken as the user's SM2 private key;
if $w=(c^{-1}(1+d_A)^{-1}) \bmod n$, then an integer in $[1, n-1]$ is fixed or arbitrarily selected as $w$, and the $d_A$ that satisfies $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is taken as the user's SM2 private key;
if $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, then an integer in $[1, n-1]$ is fixed or arbitrarily selected as $w$, and the $d_A$ that satisfies $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is taken as the user's SM2 private key.
4. The SM2 digital signature cooperative generation method supporting mixed secret sharing according to claim 1, wherein:
if, after device No. $i$ completes the calculation of $Q_i$, $i=1,\dots,$ or $m$, it checks and finds that $Q_i$ is the zero element, then devices No. 1 to No. $i$ reselect $k_j$ and recalculate $Q_j$, $j=1,\dots,i$, until $Q_i$ is not the zero element, $i=1,\dots,m$.
5. The SM2 digital signature cooperative generation method supporting mixed secret sharing according to claim 1, wherein:
if, during the generation of the digital signature for the message $M$, it is found that $r=0$, then the $m$ devices recalculate $Q_i$, $i=1,\dots,m$, and recalculate $Q$ and $r$, until $r \neq 0$.
6. The SM2 digital signature cooperative generation method supporting mixed secret sharing according to claim 1, wherein:
if, during the generation of the digital signature for the message $M$, it is found that $[r]G+Q$ is the zero element of the SM2 elliptic curve point group, then the $m$ devices recalculate $Q_i$, $i=1,\dots,m$, and recalculate $Q$ and $r$, until $[r]G+Q$ is not the zero element of the SM2 elliptic curve point group;
alternatively, if it is found that $(s+r) \bmod n = 0$ after the digital signature for the message $M$ is generated, the $m$ devices recalculate $Q_i$, $i=1,\dots,m$, recalculate $Q$ and $r$, recalculate $s_i$, $i=1,\dots,m$, and recalculate $s$, until $(s+r) \bmod n \neq 0$.
7. The SM2 digital signature cooperative generation method supporting mixed secret sharing according to claim 1, wherein:
in the process of generating the digital signature for the message $M$, if device No. $i$, $i=1,\dots,$ or $m$, uses $a_i k_i$ in place of $k_i$ in the calculation formulas of both $Q_i$ and $s_i$, the SM2 digital signature collaborative generation method still holds, where $a_i$ is an integer fixed or arbitrarily selected in $[1, n-1]$, and $a_i$ may be kept secret or not kept secret from outside parties.
8. The SM2 digital signature cooperative generation method supporting mixed secret sharing according to claim 1, wherein:
if $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ or $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, and $c_m=1$ is taken and $t_m$ is calculated using the formula $t_m=(c_m t_{m-1}) \bmod n$, and $w$ is held as a secret by device No. $m$, and $s=(w s_m - h r) \bmod n$ is calculated by device No. $m$, the SM2 digital signature collaborative generation method still holds.
9. The SM2 digital signature cooperative generation method supporting mixed secret sharing according to claim 8, wherein:
if $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ or $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, and $c_m=1$ is taken and $t_m$ is calculated using the formula $t_m=(c_m t_{m-1}) \bmod n$, and $w$ is held as a secret by device No. $m$, and $s=(w s_m - h r) \bmod n$ is calculated by device No. $m$, and the user's SM2 private key $d_A$ is generated after $c$ is calculated, the ways of generating the user's SM2 private key $d_A$ include randomly selecting an integer in $[1, n-1]$ as $d_A$, or the following:
if $w=(c^{-1}(1+d_A)^{-1}) \bmod n$, then an integer in $[1, n-1]$ is randomly selected as $w$, and the $d_A$ that satisfies $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is taken as the user's SM2 private key;
if $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, then an integer in $[1, n-1]$ is randomly selected as $w$, and the $d_A$ that satisfies $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is taken as the user's SM2 private key.
10. An SM2 digital signature cooperative generation system based on the SM2 digital signature cooperative generation method supporting the mixed secret sharing according to any one of claims 1 to 9, characterized in that:
the SM2 digital signature collaborative generation system comprises $m$ devices, where $m \geq 2$; each of the $m$ devices is a cryptographic server or a user computing device; the $m$ devices cooperatively generate, according to the SM2 digital signature cooperative generation method, the digital signature for message $M$ using the user's SM2 private key $d_A$.
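The signing flow of claim 1, with the zero checks of claims 2, 4 and 5, as an added Python example (not code from the patent): it runs the three parameter choices listed at the end of claim 1 over the SM2 recommended curve with a mixed additive and multiplicative sharing of $c$, and the result can be checked with standard SM2 verification. Assumptions: $t_1=c_1$ and $c=t_m$ (implied by the formulas shown, not stated in them), a dealer that knows $d_A$ and $c$ computes $G_B$, $b$, $w$, $h$, $e$ is passed in as an integer instead of being computed with SM3, and `cosign`, `verify`, `ops` and `variant` are names chosen here.

```python
import secrets

# SM2 recommended curve y^2 = x^3 - 3x + b over F_P; base point G has prime order N
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(p, q):  # affine point addition; None is the zero element
    if p is None or q is None:
        return q if p is None else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    lam = ((3 * p[0] * p[0] - 3) * pow(2 * p[1], -1, P) if p == q
           else (q[1] - p[1]) * pow((q[0] - p[0]) % P, -1, P)) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def cosign(e, d, cs, ops, variant):  # hypothetical helper; ops[i]: '+' or '*' forming t_(i+1)
    steps, c = list(zip(cs[1:], ops[1:])), cs[0]   # assumed: t_1 = c_1 and c = t_m
    for ci, op in steps:
        c = (c + ci) % N if op == '+' else c * ci % N
        if c == 0: raise ValueError("t_i = 0: reselect the c_i")
    ic, i1d = pow(c, -1, N), pow(1 + d, -1, N)
    g, b, w, h = [(1 + d, -ic * d * i1d, 1, 0),             # G_B = [1+dA]G
                  (ic, 1, ic * i1d, 1),                     # G_B = [c^-1]G
                  (-ic * d, 1, -ic * d * i1d, 0)][variant]  # G_B = [-c^-1 dA]G
    GB = mul(g % N, G)   # initialization ends: devices keep only c_i, G_B, b, w, h
    ks = [secrets.randbelow(N - 1) + 1 for _ in cs]
    Q = mul(ks[0], GB)                                  # device 1: Q_1
    for (ci, op), ki in zip(steps, ks[1:]):             # devices 2..m: Q_i
        Q = add(Q if op == '+' else mul(ci, Q), mul(ki, GB))
    if Q is None or (r := (e + Q[0]) % N) == 0: raise ValueError("zero Q_m or r: reselect k_i")
    s = (ks[0] + cs[0] * b * r) % N                     # device 1: s_1
    for (ci, op), ki in zip(steps, ks[1:]):             # devices 2..m: s_i
        s = (s + ki + ci * b * r) % N if op == '+' else (ci * s + ki) % N
    return r, (w * s - h * r) % N

def verify(e, r, s, PA):  # standard SM2 verification against public key PA = [dA]G
    t = (r + s) % N
    pt = add(mul(s, G), mul(t, PA))
    return t != 0 and 0 < r < N and 0 < s < N and pt is not None and (e + pt[0]) % N == r
```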
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910335602.5A CN110113165B (en) | 2019-04-24 | 2019-04-24 | SM2 digital signature collaborative generation method and system supporting mixed secret sharing |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110113165A (en) | 2019-08-09 |
CN110113165B (en) | 2020-09-04 |
Family
ID=67486593
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910335602.5A Active CN110113165B (en) | 2019-04-24 | 2019-04-24 | SM2 digital signature collaborative generation method and system supporting mixed secret sharing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110113165B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||