CN110299998A - Generation method and system are cooperateed with by the SM9 digital signature of intermediate parameters - Google Patents
Generation method and system are cooperateed with by the SM9 digital signature of intermediate parameters Download PDFInfo
- Publication number
- CN110299998A CN110299998A CN201910764309.0A CN201910764309A CN110299998A CN 110299998 A CN110299998 A CN 110299998A CN 201910764309 A CN201910764309 A CN 201910764309A CN 110299998 A CN110299998 A CN 110299998A
- Authority
- CN
- China
- Prior art keywords
- integer
- mod
- calculate
- devices
- calculation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 104
- 238000004364 calculation method Methods 0.000 claims description 101
- 230000002452 interceptive effect Effects 0.000 claims description 8
- 238000007689 inspection Methods 0.000 claims description 4
- 239000000654 additive Substances 0.000 description 6
- 230000000996 additive effect Effects 0.000 description 6
- 125000004122 cyclic group Chemical group 0.000 description 2
- 238000013507 mapping Methods 0.000 description 2
- 230000002195 synergetic effect Effects 0.000 description 2
- 238000011423 initialization method Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Complex Calculations (AREA)
Abstract
SM9数字签名生成方法:标号为第1号到m号的装置分别有[1,n‑1]中整数秘密ci,n为SM9群的阶,i=1,…,m,m≥2;PA=[(c1c2…cm)‑1]dA,PU=[u]dA,dA为用户的私钥,u为[1,n‑1]内的整数秘密;PB为群G1中非零元;对消息签名时,计算w=gU^(r1r2…rm),h=H2(M||w,n),T=[r1r2…rm]PU+[‑F(z1,...,zm)]PB,V=[F(z1,...,zm)]PB+[‑hc1c2…cm]PA,F(z1,z2,…,zm)与z1a2a3…am+z2a3…am+…+zm模n同余,S=T+V;则(h,S)为dA对消息M的数字签名。SM9 digital signature generation method: devices labeled No. 1 to m respectively have integer secrets c i in [1,n-1], n is the order of SM9 group, i=1,...,m, m≥2; P A =[(c 1 c 2 …c m ) ‑1 ]d A , P U =[u]d A , d A is the user's private key, and u is an integer secret in [1,n‑1]; P B is a non-zero element in group G 1 ; when signing a message, calculate w=g U ^(r 1 r 2 …r m ), h=H 2 (M||w,n), T=[r 1 r 2 …r m ]P U +[‑F(z 1 ,...,z m )]P B ,V=[F(z 1 ,...,z m )]P B +[‑hc 1 c 2 …c m ]P A , F(z 1 ,z 2 ,…,z m ) is congruent with z 1 a 2 a 3 …a m +z 2 a 3 …a m +…+z m modulo n, S=T+V; then (h, S) is the digital signature of d A on message M.
Description
技术领域technical field
本发明属于信息安全技术领域,特别是借助中间参数的SM9数字签名协同生成方法及系统。The invention belongs to the technical field of information security, in particular to a SM9 digital signature collaborative generation method and system by means of intermediate parameters.
背景技术Background technique
SM9是由国家密码管理局颁布的一种基于双线性映射(配对运算)的标识密码算法,其中的双线性映射(配对运算)为:SM9 is an identification cryptographic algorithm based on bilinear mapping (pairing operation) promulgated by the State Cryptography Administration, where the bilinear mapping (pairing operation) is:
e:G1×G2→GT时,其中G1、G2是加法循环群,GT是一个乘法循环群,G1、G2、GT的阶是素数n(注:在SM9规范中,G1、G2、GT的阶用的是大写字母N,本专利申请采用小写n),即若P、Q、R分别为G1、G2中的元,则e(P,Q)为GT中的元,且:e: G 1 ×G 2 →G T , where G 1 and G 2 are additive cyclic groups, G T is a multiplicative cyclic group, and the order of G 1 , G 2 , and G T is a prime number n (note: in the SM9 specification Among them, the order of G 1 , G 2 , G T is capital letter N, and this patent application uses lower case n), that is, if P, Q, R are elements in G 1 , G 2 respectively, then e(P, Q) is an element in G T , and:
e(P+R,Q)=e(P,Q)e(R,Q),e(P+R,Q)=e(P,Q)e(R,Q),
e(P,Q+R)=e(P,Q)e(P,R),e(P,Q+R)=e(P,Q)e(P,R),
e(aP,bQ)=e(P,Q)ab。e(aP,bQ)=e(P,Q) ab .
基于SM9密码算法能实现基于标识的数字签名、密钥交换及数据加密。在SM9密码算法中,使用用户的SM9私钥dA针对消息M生成数字签名的过程如下:Based on the SM9 cryptographic algorithm, digital signature, key exchange and data encryption based on identification can be realized. In the SM9 cryptographic algorithm, the process of using the user's SM9 private key d A to generate a digital signature for a message M is as follows:
计算得到w=g^r,这里符号^表示幂运算(g的r次幂),r是在[1,n-1]区间内随机选择的整数,n是SM9密码算法的群G1、G2、GT的阶,g=e(P1,Ppub),P1为G1中的生成元,Ppub为主公钥(即Ppub=[s]P2,s为主私钥或主密钥,P2为G2中的生成元,参见SM9规范;注意,这里的主私钥或主密钥,主公钥,用户标识私钥使用的符号与SM9规范略有不同);Calculated to get w=g^r, where the symbol ^ means exponentiation (g to the power of r), r is an integer randomly selected in the interval [1,n-1], and n is the group G 1 and G of the SM9 cryptographic algorithm 2. The order of G T , g=e(P 1 , P pub ), P 1 is the generator in G 1 , P pub is the main public key (that is, P pub =[s]P 2 , s is the main private key or the master key, P 2 is the generator in G 2 , see the SM9 specification; note that the symbols used here for the master private key or master key, master public key, and user identification private key are slightly different from the SM9 specification);
然后,计算h=H2(M||w,n),其中H2为SM9中规定的散列函数,M||w表示M和w的字串合并,n为G1、G2、GT的阶(参见SM9规范);Then, calculate h=H 2 (M||w,n), where H 2 is the hash function specified in SM9, M||w represents the combination of M and w, and n is G 1 , G 2 , G order of T (see SM9 specification);
若r≠h,计算S=[r-h]dA,则(h,S)为生成的数字签名;若r=h,则重新选择r,重新计算w、h,直到r≠h。If r≠h, calculate S=[rh]d A , then (h, S) is the generated digital signature; if r=h, reselect r, recalculate w, h until r≠h.
针对一些特殊的需求,比如,为了保证非硬件环境下用户私钥使用的安全性,人们提出了一些基于秘密共享(分享)的SM9数字签名生成方法。在这些方法中,多个装置分别保存有用户SM9私钥的秘密份额,或者分别保存有与私钥有关的秘密的秘密份额;在需要使用用户私钥针对一个消息M生成数字签名时,每个装置利用自己的秘密份额与其他装置交互、协同运算,生成针对消息的数字签名。For some special requirements, for example, in order to ensure the security of the user's private key in a non-hardware environment, some SM9 digital signature generation methods based on secret sharing (sharing) have been proposed. In these methods, multiple devices respectively store the secret share of the private key of the user SM9, or respectively store the secret share of the secret related to the private key; when it is necessary to use the user's private key to generate a digital signature for a message M, each The device uses its own secret share to interact with other devices and perform collaborative operations to generate digital signatures for messages.
现有的基于秘密共享的SM9数字签名协同生成方案,通常在密码运算的过程中计算w=g^(a1r1+…+amrm),其中ri是第i个装置在[1,n-1]中随机选择的整数,而ai是常数,i=1,…,m(假设有m个装置);然后计算h=H2(M||w,n),最后m个装置通过协同计算得到S=[(a1r1+…+amrm)-h]dA。这种方案通常是没有问题的,但也可能出现一种情况,就是恰好出现(a1r1+…+amrm)mod n=0,而出现这样情况恰好被其中一个装置观测到(比如通过检查w是否是单位元),但却不报告,则这个装置就有可能从最终得到的数字签名(h,S)中得到用户的SM9私钥。出现这种情况的概率虽然极小,但是仍然有可能发生,尤其是在ri很难做到是真正随机选择的情况下。The existing SM9 digital signature collaborative generation scheme based on secret sharing usually calculates w=g^(a 1 r 1 +…+a m r m ) in the process of cryptographic operations, where r i is the i-th device in [ 1,n-1] randomly selected integers, and a i is a constant, i=1,...,m (assuming there are m devices); then calculate h=H 2 (M||w,n), and finally m The devices obtain S=[(a 1 r 1 +...+ am r m ) -h]d A through collaborative calculation. This scheme is usually not problematic, but there may also be a situation where (a 1 r 1 +...+a m r m ) mod n=0 happens to happen, and this happens to be observed by one of the devices ( For example, by checking whether w is a unit unit), but not reporting, the device may obtain the user's SM9 private key from the finally obtained digital signature (h, S). Although the probability of this situation is extremely small, it may still happen, especially in the case that r i is difficult to be truly randomly selected.
如果基于秘密共享的数字签名协同生成方案能做到所采用的方案是w=g^(ar1…rm),S=[(ar1…rm)-h]dA,即这里的r1,…,rm以及一个常数a是以乘积的形式出现,则不会出现(ar1…rm)mod n=0的情况,这样的方案具有更高的安全性。我们在这里把r1,…,rm以及常数a是以乘积形式出现的情形称为乘积r参数的情形,而把生成数字签名过程中r1,…,rm以及常数a以乘积形式出现的SM9数字签名协同生成方法,称为具有乘积r参数的SM9数字签名协同生成方法。If the digital signature collaborative generation scheme based on secret sharing can achieve the adopted scheme is w=g^(ar 1 …r m ), S=[(ar 1 …r m )-h]d A , that is, r 1 ,...,r m and a constant a appear in the form of a product, so the situation of (ar 1 ...r m ) mod n=0 will not occur, and such a scheme has higher security. Here we call r 1 ,...,r m and the constant a in the form of a product as the product r parameter, and we call r 1 ,...,r m and the constant a in the form of a product in the process of generating a digital signature SM9 digital signature collaborative generation method, called SM9 digital signature collaborative generation method with product r parameter.
发明内容Contents of the invention
本发明的目的是提出具有乘积r参数增强安全的SM9数字签名生成技术方案,以增强基于秘密共享的SM9数字签名协同生成技术方案的安全性。The purpose of the present invention is to propose a SM9 digital signature generation technical scheme with product r parameter enhanced security, so as to enhance the security of the SM9 digital signature collaborative generation technical scheme based on secret sharing.
针对本发明的目的,本发明提出的技术方案包括借助中间参数的SM9数字签名协同生成方法及相应的系统。Aiming at the purpose of the present invention, the technical solution proposed by the present invention includes a SM9 digital signature collaborative generation method and a corresponding system by means of intermediate parameters.
在以下对本发明技术方案的描述中,若P、Q是加法群G1、G2中的元,则P+Q表示P、Q在加法群上的加,P-Q表示P加上Q的逆元(加法逆元),[k]P表示k个P在加法群上的加,即P+P+...+P(共有k个P)(若k是负数,则是|k|个P相加的结果的加法逆元;这里[]符号的使用与SM9规范一致);In the following description of the technical solution of the present invention, if P and Q are elements in the additive groups G 1 and G 2 , then P+Q means the addition of P and Q on the additive group, and PQ means the inverse of P plus Q (additive inverse element), [k]P means the addition of k Ps on the additive group, that is, P+P+...+P (a total of k Ps) (if k is a negative number, it is |k| P phase The additive inverse of the result of addition; here the use of the [] symbol is consistent with the SM9 specification);
省略号“...”,表示多个同样(类型)的数据项或多个同样的运算;The ellipsis "..." means multiple data items of the same (type) or multiple same operations;
若a、b是乘法群GT中的元,则ab或a·b表示a、b在乘法群GT上的乘(只要不产生无二义性,“·”可以省略),a-1表示a在乘法群中逆元(乘法逆元),at表示t个a在乘法群GT上相乘(t是负数,则是|t|个a相乘的结果的乘法逆元),即幂运算,at的另一种表达方式是a^t;If a and b are elements in the multiplicative group G T , then ab or a b means the multiplication of a and b on the multiplicative group G T (as long as there is no ambiguity, "·" can be omitted), a -1 Indicates the inverse of a in the multiplicative group (multiplicative inverse), a t represents the multiplication of t a's on the multiplicative group G T (t is a negative number, it is the multiplicative inverse of the result of multiplying |t| a's), That is, exponentiation, another expression of a t is a^t;
若c为整数,则c-1表示整数c的模n乘法逆(即cc-1mod n=1);如无特别说明,本专利发明中整数的乘法逆都是针对群G1、G2、GT的阶n的模n乘法逆;If c is an integer, then c -1 represents the modulo n multiplicative inverse of integer c (that is, cc -1 mod n=1); unless otherwise specified, the multiplicative inverse of integers in this patent invention is for groups G 1 and G 2 , the modulo n multiplicative inverse of the order n of GT ;
多个整数相乘(包括整数符号相乘、常数与整数符号相乘),在不产生二义性的情况下,省略掉乘号“·”,如k1·k2简化为k1k2,3·c,简化为3c;Multiplication of multiple integers (including multiplication of integer symbols, multiplication of constants and integer symbols), in the case of no ambiguity, omit the multiplication sign "·", such as k 1 k 2 simplified to k 1 k 2 , 3·c, simplified to 3c;
mod n表示模n运算(modulo operation),对应于SM9规范中的modN;还有,模n运算的算子mod n的优先级是最低的,如a+b mod n等同于(a+b)mod n,a-b mod n等同于(a-b)mod n,ab mod n等同于(ab)mod n。mod n means modulo operation (modulo operation), corresponding to modN in the SM9 specification; also, the operator mod n of modulo n operation has the lowest priority, such as a+b mod n is equivalent to (a+b) mod n, a-b mod n is equivalent to (a-b) mod n, ab mod n is equivalent to (ab) mod n.
本发明提出的借助中间参数的SM9数字签名协同生成方法具体如下。The SM9 digital signature collaborative generation method proposed by the present invention with the help of intermediate parameters is specifically as follows.
所述方法涉及m个分别标号为第1号,第2号,…,到第m号的装置,m≥2;The method involves m devices respectively labeled No. 1, No. 2, ..., to No. m, m≥2;
第i号装置保存有[1,n-1]区间内的整数秘密ci,i=1,…,m,其中n为SM9密码算法中群G1、G2、GT的阶(为素数);The i-th device saves the integer secret c i in the interval [1,n-1], i=1,...,m, where n is the order of the groups G 1 , G 2 , GT in the SM9 encryption algorithm (which is a prime number );
(初始化阶段)预先计算有:(initialization phase) precomputed with:
PA=[c-1]dA,其中dA为用户的SM9标识私钥,c-1为c的模n乘法逆,c=(c1c2…cm)modn为m个装置都没有保存的整数秘密;P A =[c -1 ]d A , where d A is the user's SM9 identification private key, c -1 is the modulo n multiplicative inverse of c, c=(c 1 c 2 ...c m )modn is the number of m devices no integer secrets saved;
PU=[u]dA,其中u是m个装置都没有保存的[1,n-1]区间内的整数秘密;P U =[u]d A , where u is an integer secret in the interval [1,n-1] that is not saved by m devices;
u和c-1不必互异(二者不同或者相同);u and c -1 do not have to be different from each other (they are different or the same);
gU=g^u,其中^是幂运算(对^前面的元进行幂运算,^后面为幂运算的次数),g=e(P1,Ppub),P1为G1中的生成元,Ppub为主公钥(即Ppub=[s]P2,s为主私钥或主密钥,P2为G2中的生成元,参见SM9规范);g U =g ^ u, wherein ^ is exponentiation (exponentiation is carried out to the element in front of ^, and the number of times of exponentiation is behind ^), g=e(P 1 , P pub ), P 1 is the generation in G 1 element, P pub is the main public key (that is, P pub =[s]P 2 , s is the main private key or master key, and P 2 is the generating element in G 2 , see SM9 specification);
在群G1中任选一个用户私钥dA之外的非零元PB(固定选取,比如固定选PB=P1,或者主观任意选择,或者随机选择,比如,在[1,n-1]中随机选择一个整数b,计算PB=[b]P1或PB=[b]dA);Select a non-zero element P B other than the user private key d A in the group G 1 (fixed selection, such as fixed selection P B = P 1 , or subjective arbitrary selection, or random selection, for example, in [1,n -1] randomly select an integer b, calculate P B =[b]P 1 or P B =[b]d A );
m个装置都不保存dA;m devices do not save d A ;
当需要使用用户的SM9标识私钥dA针对消息M进行数字签名时,m个装置按如下方式进行数字签名的生成(需要使用用户的SM9标识私钥dA、针对消息M进行数字签名的主体可以是调用这m个装置的密码应用程序、系统或密码模块,或者m个装置之一中的密码应用程序、系统):When it is necessary to use the user's SM9 identification private key d A to digitally sign a message M, m devices generate digital signatures in the following manner (subjects who need to use the user's SM9 identification private key d A to digitally sign message M It can be a cryptographic application, system or cryptographic module that invokes these m devices, or a cryptographic application, system in one of the m devices):
首先,m个装置通过交互计算得到w=gU^(r1r2…rm),其中ri是计算过程中第i号装置在[1,n-1]区间内随机选择的整数,i=1,…,m;First, m devices obtain w=g U ^(r 1 r 2 …r m ) through interactive calculation, where r i is an integer randomly selected by the i-th device in the interval [1,n-1] during the calculation process, i=1,...,m;
然后,(m个装置中的一个装置或其他装置)计算h=H2(M||w,n),其中H2为SM9中规定的散列函数,M||w表示M和w的字串合并,n为G1、G2、GT的阶;Then, (one of the m devices or other devices) calculates h = H 2 (M||w,n), where H 2 is the hash function specified in SM9 and M||w represents the word M and w String merge, n is the order of G 1 , G 2 , G T ;
(h无需保密,可根据需要自由传送)(h does not need to be kept secret, it can be freely transmitted as needed)
(m个装置中的一个装置或其他装置)检查w与g^h是否相等,若w=g^h,则m个装置重新进行w的计算,直到w≠g^h;(one of the m devices or other devices) check whether w is equal to g^h, if w=g^h, then m devices recalculate w until w≠g^h;
之后,m个装置协同计算得到T=[r1r2…rm]PU+[-F(z1,z2,…,zm)]PB,V=[F(z1,z2,…,zm)]PB+[-c1c2…cmh]PA,其中r1,r2,…,rm分别是计算w的过程中第1号,第2号,…,第m号装置在[1,n-1]中选择的整数,z1,z2,…,zm分别是在计算T、V的过程中第1号,第2号,…,第m号装置在[1,n-1]中随机选择的整数,F(z1,z2,…,zm)是针对z1,z2,…,zm的如下计算式:Afterwards, m devices cooperate to calculate T=[r 1 r 2 ...r m ]P U +[-F(z 1 ,z 2 ,...,z m )]P B , V=[F(z 1 ,z 2 ,…,z m )]P B +[-c 1 c 2 …c m h]PA , where r 1 ,r 2 ,…,r m are No. 1 and No. 2 in the process of calculating w respectively ,..., the integers selected by the m-th device in [1,n-1], z 1 , z 2 ,...,z m are the 1st, 2nd,..., An integer randomly selected by the m-th device in [1,n-1], F(z 1 ,z 2 ,…,z m ) is the following calculation formula for z 1 ,z 2 ,…,z m :
F(z1,z2,…,zm)≡z1a2a3…am+z2a3…am+…+zm-1am+zm(mod n)(模n同余);F(z 1 ,z 2 ,…,z m )≡z 1 a 2 a 3 …a m +z 2 a 3 …a m +…+z m-1 a m +z m (mod n)(mod n congruent);
其中,ai为计算T、V的过程中第i号装置在[1,n-1]中随机选取的整数,i=2,…,m;Wherein, a i is an integer randomly selected by the i-th device in [1,n-1] in the process of calculating T and V, i=2,...,m;
最后,(m个装置中的一个装置或之外的装置)计算S=T+V,则(h,S)是针对消息M的数字签名。Finally, (one of the m devices or others) calculates S=T+V, then (h, S) is the digital signature for the message M.
(此时S=[r1r2…rm]PU+[-c1c2…cmh]PA=[(r1r2…rm)u-h]dA)(At this time S=[r 1 r 2 …r m ]P U +[-c 1 c 2 …c m h]P A =[(r 1 r 2 …r m )uh]d A )
对于以上所述借助中间参数的SM9数字签名协同生成方法,若在以上计算过程中不检查w与g^h是否相等,则计算得到S后,若(计算S=T+V的装置)检查发现S为零元,则m个装置重新进行协同计算,直到S不为零元。For the SM9 digital signature collaborative generation method with the help of intermediate parameters described above, if w is not checked whether w and g^h are equal during the above calculation process, after calculating S, if (the device for calculating S=T+V) inspection finds If S is zero, then m devices perform collaborative calculations again until S is not zero.
对于以上所述借助中间参数的SM9数字签名协同生成方法,m个装置计算得到w=gU^(r1r2…rm)的方法包括(不是全部可能的方式):For the SM9 digital signature collaborative generation method with the help of intermediate parameters described above, the methods for m devices to calculate w=g U ^(r 1 r 2 ...r m ) include (not all possible ways):
第1号装置计算g1=gU^r1,将g1发送第2号装置;The No. 1 device calculates g 1 =g U ^r 1 , and sends g 1 to the No. 2 device;
第i号装置接收到gi-1后,i=2,…,m,计算gi=gi-1^ri;After the i-th device receives g i-1 , i=2,...,m, calculate g i =g i-1 ^r i ;
若i=m,则取w=gm,完成计算,否则,第i号装置将gi传送给第i+1号装置;If i=m, take w=g m to complete the calculation, otherwise, the i-th device transmits g i to the i+1-th device;
或者,or,
第m号装置计算gm=gU^rm,将gm发送第m-1号装置;The mth device calculates g m =g U ^r m , and sends g m to the m-1th device;
第i号装置接收gi+1到后,i=m-1,…,1,计算gi=gi+1^ri;After the i-th device receives g i+1 , i=m-1,...,1, calculate g i =g i+1 ^r i ;
若i=1,则取w=g1,完成计算,否则,第i号装置将gi传送给第i-1号装置。If i=1, take w=g 1 to complete the calculation; otherwise, the i-th device transmits g i to the i-1-th device.
对于以上所述借助中间参数的SM9数字签名协同生成方法,m个装置协同计算得到T=[r1r2…rm]PU+[-F(z1,z2,…,zm)]PB,For the above-mentioned SM9 digital signature collaborative generation method with the help of intermediate parameters, m devices can collaboratively calculate T=[r 1 r 2 …r m ]P U +[-F(z 1 ,z 2 ,…,z m ) ] P B ,
V=[F(z1,z2,…,zm)]PB+[-c1c2…cmh]PA的一种方法如下(T、V协同计算方法一): A method of V=[F(z 1 ,z 2 ,…,z m )]P B +[-c 1 c 2 …c m h]PA is as follows (T, V collaborative calculation method 1):
计算得到Q1=[(r2r3…rm)-1(a2a3…am)]PB,Q2=[(r3…rm)-1(a3…am)]PB,…,Qm-1=[(rm)-1am]PB,取Qm=PB;Calculate Q 1 =[(r 2 r 3 …r m ) -1 (a 2 a 3 …a m )]P B , Q 2 =[(r 3 …r m ) -1 (a 3 …a m ) ] P B ,..., Q m-1 = [(r m ) -1 a m ] P B , get Q m = P B ;
计算得到D1=[(a2a3…am)(c2c3…cm)-1]PB,D2=[(a3…am)(c3…cm)-1]PB,…,Dm-1=[am(cm)-1]PB,取Dm=PB;Calculate D 1 =[(a 2 a 3 ...a m )(c 2 c 3 ...c m ) -1 ]P B , D 2 =[(a 3 ...a m )(c 3 ...c m ) -1 ] P B ,..., D m-1 = [a m (c m ) -1 ] P B , take D m = P B ;
其中,ai为计算过程中第i号装置在[1,n-1]中随机选取的整数,i=2,…,m;Among them, a i is an integer randomly selected by the i-th device in [1,n-1] during the calculation process, i=2,...,m;
取T0=PU,V0=[-h]PA;Take T 0 =P U , V 0 = [-h]PA;
第1号装置在[1,n-1]中随机选择一个整数z1,计算T1=[r1]T0+[-z1]Q1,V1=[z1]D1+[c1]V0,将T1、V1传送给第2号装置;Device No. 1 randomly selects an integer z 1 in [1,n-1], calculates T 1 =[r 1 ]T 0 +[-z 1 ]Q 1 , V 1 =[z 1 ]D 1 +[ c 1 ]V 0 , transmit T 1 and V 1 to device No. 2;
第i号装置接收到Ti-1、Vi-1后,i=2,…,m,若检查发现Ti-1为零元,则报错,否则,在[1,n-1]中随机选择一个整数zi或取zi=ai,计算Ti=[ri]Ti-1+[-zi]Qi,Vi=[zi]Di+[ci]Vi-1;After the i-th device receives T i-1 and V i-1 , i=2,...,m, if it is found that T i-1 is zero, it will report an error, otherwise, in [1,n-1] Randomly select an integer z i or take z i =a i , calculate T i =[r i ]T i-1 +[-z i ]Q i , V i =[z i ]D i +[ ci ]V i-1 ;
若i=m,则取T=Tm,V=Vm,完成T、V计算,否则,第i号装置将Ti、Vi传送给第i+1号装置,直到完成Tm、Vm计算;If i=m, take T=T m , V=V m , and complete the calculation of T and V; otherwise, the i-th device will transmit T i and V i to the i+1-th device until T m and V are completed m calculation;
(此时T=[r1r2…rm]PU+[-z1a2a3…am-z2a3…am-…-zm-1am-zm]PB,(At this time T=[r 1 r 2 ...r m ]P U +[-z 1 a 2 a 3 ...am -z 2 a 3 ...a m -...-z m -1 a m -z m ]P B ,
V=[z1a2a3…am+z2a3…am+…+zm-1am+zm]PB+[-(c1c2…cm)h]PA)V=[z 1 a 2 a 3 ...a m +z 2 a 3 ...a m +...+z m-1 a m +z m ]P B +[-(c 1 c 2 ...c m )h]P A )
若完成T、V计算之后由第m号装置计算S=T+V,则zm的取值允许为0或[1,n-1]中的整数常数(当然是[1,n-1]内的随机整数也没问题);If S=T+V is calculated by the m-th device after the calculation of T and V is completed, then the value of z m is allowed to be an integer constant in 0 or [1, n-1] (certainly [1, n-1] Random integers inside are fine);
若PA不公开由第1号装置作为秘密保存(当然若PU=PA,则PU也不公开,也作为秘密由第1号装置保存),PB≠PA,则将c1作为非秘密时(其取值为1或其他[1,n-1]中的整数),以上所述计算T、V的方法以及所述借助中间参数的SM9数字签名协同生成方法仍然成立。If P A is not disclosed, it is kept as a secret by the No. 1 device (of course, if PU = PA, then PU is not disclosed, and it is also kept as a secret by the No. 1 device), and P B ≠ PA, then c 1 When it is non-secret (its value is 1 or other integers in [1, n-1]), the above-mentioned method for calculating T and V and the method for synergistic generation of SM9 digital signature with the help of intermediate parameters still hold true.
对于以上所述借助中间参数的SM9数字签名协同生成方法,若PB=PA,则m个装置协同计算得到T=[r1r2…rm]PU+[-F(z1,z2,…,zm)]PB,V=[F(z1,z2,…,zm)]PB+[-c1c2…cmh]PA的一种方法如下(T、V协同计算方法二):For the SM9 digital signature collaborative generation method with the help of intermediate parameters mentioned above, if P B = PA, then m devices can collaboratively calculate T=[r 1 r 2 ...r m ]P U +[-F(z 1 , z 2 ,…,z m )]P B , one way of V=[F(z 1 ,z 2 ,…,z m )]P B +[-c 1 c 2 …c m h]P A is as follows (T, V cooperative calculation method 2):
计算得到Q1=[(r2r3…rm)-1(a2a3…am)]PB,Q2=[(r3…rm)-1(a3…am)]PB,…,Qm-1=[(rm)-1am]PB,取Qm=PB;Calculate Q 1 =[(r 2 r 3 …r m ) -1 (a 2 a 3 …a m )]P B , Q 2 =[(r 3 …r m ) -1 (a 3 …a m ) ] P B ,..., Q m-1 = [(r m ) -1 a m ] P B , get Q m = P B ;
计算得到d1=((a2a3…am)(c2c3…cm)-1)mod n,d2=((a3…am)(c3…cm)-1)modn,…,dm-1=(am(cm)-1)mod n,取dm=1;Calculate d 1 =((a 2 a 3 ...a m )(c 2 c 3 ...c m ) -1 )mod n, d 2 =((a 3 ...a m )(c 3 ...c m ) -1 ) mod n, ..., d m-1 = (a m (c m ) -1 ) mod n, get d m = 1;
其中,ai为计算过程中第i号装置在[1,n-1]中随机选取的整数,i=2,…,m;Among them, a i is an integer randomly selected by the i-th device in [1,n-1] during the calculation process, i=2,...,m;
取T0=PU,v0=-h;Take T 0 =P U , v 0 =-h;
第1号装置在[1,n-1]中随机选择一个整数z1,计算T1=[r1]T0+[-z1]Q1,v1=(z1d1+c1v0)mod n,将T1、v1传送给第2号装置;Device No. 1 randomly selects an integer z 1 in [1,n-1], calculates T 1 =[r 1 ]T 0 +[-z 1 ]Q 1 , v 1 =(z 1 d 1 +c 1 v 0 ) mod n, transmit T 1 and v 1 to device No. 2;
第i号装置接收到Ti-1、vi-1后,i=2,…,m,若检查发现Ti-1为零元,则报错,否则,在[1,n-1]中随机选择一个整数zi,计算Ti=[ri]Ti-1+[-zi]Qi,vi=(zidi+civi-1)mod n;After the i-th device receives T i-1 and v i-1 , i=2,...,m, if the inspection finds that T i-1 is zero, it will report an error, otherwise, in [1,n-1] Randomly select an integer z i , calculate T i =[r i ]T i-1 +[-z i ]Q i , v i =(z i d i +c i v i-1 )mod n;
若i=m,则取T=Tm,(m个装置中的一个装置或其他装置)计算V=[vm]PA,完成T、V计算,否则,第i号装置将Ti、vi传送给第i+1号装置,直到完成Tm、vm计算;If i=m, then take T=T m , (one of the m devices or other devices) calculate V=[v m ]PA, and complete the calculation of T and V; otherwise, the i-th device will T i , v i is sent to device i+1 until the calculation of T m and v m is completed;
(此时T=[r1r2…rm]PU+[-z1a2a3…am-z2a3…am-…-zm-1am-zm]PB,(At this time T=[r 1 r 2 ...r m ]P U +[-z 1 a 2 a 3 ...am -z 2 a 3 ...a m -...-z m -1 a m -z m ]P B ,
V=[z1a2a3…am+z2a3…am+…+zm-1am+zm]PB+[-(c1c2…cm)h]PA)V=[z 1 a 2 a 3 ...a m +z 2 a 3 ...a m +...+z m-1 a m +z m ]P B +[-(c 1 c 2 ...c m )h]P A )
若由第m号装置计算V=[vm]PA,且完成T、V计算之后由第m号装置计算S=T+V,则zm的取值允许为0或[1,n-1]中的整数常数(当然是[1,n-1]内的随机整数也没问题);If V=[v m ]PA is calculated by the mth device, and S= T +V is calculated by the mth device after the calculation of T and V is completed, then the value of z m is allowed to be 0 or [1,n- Integer constants in 1] (of course, random integers in [1,n-1] are fine);
若PA不公开由第m号装置作为秘密保存(当然PB也不公开),PU≠PA(即u和c-1互异),且由第m号装置计算V=[vm]PA,则将cm作为非秘密时(其取值为1或其他[1,n-1]中的整数),以上所述计算T、V的方法以及所述借助中间参数的SM9数字签名协同生成方法仍然成立。If P A is not disclosed and kept as a secret by the m-th device (of course, P B is also not disclosed), P U ≠ P A (that is, u and c -1 are mutually different), and the m-th device calculates V=[v m ]P A , then when c m is taken as non-secret (its value is 1 or other integers in [1,n-1]), the method for calculating T and V mentioned above and the SM9 number with the help of intermediate parameters The signature cogeneration approach still holds.
对于以上所述借助中间参数的SM9数字签名协同生成方法,若PB=PU,则m个装置协同计算得到T=[r1r2…rm]PU+[-F(z1,z2,…,zm)]PB,V=[F(z1,z2,…,zm)]PB+[-c1c2…cmh]PA的一种方法如下(T、V协同计算方法三):For the SM9 digital signature collaborative generation method with the help of intermediate parameters mentioned above, if P B =P U , then m devices can cooperatively calculate T=[r 1 r 2 ...r m ]P U +[-F(z 1 , z 2 ,…,z m )]P B , one way of V=[F(z 1 ,z 2 ,…,z m )]P B +[-c 1 c 2 …c m h]P A is as follows (T, V cooperative calculation method 3):
计算得到q1=((r2r3…rm)-1(a2a3…am))mod n,q2=((r3…rm)-1(a3…am))modn,…,qm-1=((rm)-1am)mod n,取qm=1;Calculate q 1 =((r 2 r 3 …r m ) -1 (a 2 a 3 …a m ))mod n, q 2 =((r 3 …r m ) -1 (a 3 …a m ) ) mod n, ..., q m-1 = ((r m ) -1 a m ) mod n, get q m = 1;
计算得到D1=[(a2a3…am)(c2c3…cm)-1]PB,D2=[(a3…am)(c3…cm)-1]PB,…,Dm-1=[am(cm)-1]PB,取Dm=PB;Calculate D 1 =[(a 2 a 3 ...a m )(c 2 c 3 ...c m ) -1 ]P B , D 2 =[(a 3 ...a m )(c 3 ...c m ) -1 ] P B ,..., D m-1 = [a m (c m ) -1 ] P B , take D m = P B ;
其中,ai为计算过程中第i号装置在[1,n-1]中随机选取的整数,i=2,…,m;Among them, a i is an integer randomly selected by the i-th device in [1,n-1] during the calculation process, i=2,...,m;
取t0=1,V0=[-h]PA;Take t 0 =1, V 0 = [-h]PA;
第1号装置在[1,n-1]中随机选择一个整数z1,计算t1=(r1t0-z1q1)mod n,V1=[z1]D1+[c1]V0,将t1、V1传送给第2号装置;Device No. 1 randomly selects an integer z 1 in [1,n-1], calculates t 1 =(r 1 t 0 -z 1 q 1 )mod n, V 1 =[z 1 ]D 1 +[c 1 ] V 0 , transmit t 1 and V 1 to the No. 2 device;
第i号装置接收到ti-1、Vi-1后,i=2,…,m,若检查发现ti-1为0,则报错,否则,在[1,n-1]中随机选择一个整数zi,计算ti=(riti-1-ziqi)mod n,Vi=[zi]Di+[ci]Vi-1;After the i-th device receives t i-1 and V i-1 , i=2,...,m, if it is found that t i-1 is 0, it will report an error; otherwise, randomly Select an integer z i , calculate t i =(r i t i-1 -z i q i )mod n, V i =[z i ]D i +[c i ]V i-1 ;
若i=m,则(m个装置中的一个装置或之外的装置)计算T=[tm]PB,取V=Vm,完成T、V计算,否则,第i号装置将Ti、Vi传送给第i+1号装置,直到完成Tm、Vm计算;If i=m, then (one of the m devices or other devices) calculate T=[t m ]P B , take V=V m to complete the calculation of T and V, otherwise, the i-th device will T i and V i are sent to device i+1 until the calculation of T m and V m is completed;
(此时T=[r1r2…rm]PU+[-z1a2a3…am-z2a3…am-…-zm-1am-zm]PB,(At this time T=[r 1 r 2 ...r m ]P U +[-z 1 a 2 a 3 ...am -z 2 a 3 ...a m -...-z m -1 a m -z m ]P B ,
V=[z1a2a3…am+z2a3…am+…+zm-1am+zm]PB+[-(c1c2…cm)h]PA)V=[z 1 a 2 a 3 ...a m +z 2 a 3 ...a m +...+z m-1 a m +z m ]P B +[-(c 1 c 2 ...c m )h]P A )
若由第m号装置计算T=[tm]PB,且完成T、V计算之后由第m号装置计算S=T+V,则zm的取值允许为0或[1,n-1]中的整数常数(当然是[1,n-1]内的随机整数也没问题);If T=[t m ]P B is calculated by the m-th device, and S=T+V is calculated by the m-th device after the calculation of T and V is completed, then the value of z m is allowed to be 0 or [1,n- Integer constants in 1] (of course, random integers in [1,n-1] are fine);
若PA不公开由第1号装置作为秘密保存,PB≠PA(即PU≠PA,u和c-1互异),则将c1作为非秘密时(其取值为1或其他[1,n-1]中的整数),以上所述计算T、V的方法以及所述借助中间参数的SM9数字签名协同生成方法仍然成立。If P A is not disclosed and kept as a secret by the No. 1 device, P B ≠ PA ( that is, P U ≠ PA, u and c -1 are different from each other), then when c 1 is regarded as non-secret (its value is 1 or other integers in [1, n-1]), the above-mentioned method for calculating T and V and the method for synergistic generation of SM9 digital signature with the help of intermediate parameters still hold true.
对于以上所述借助中间参数的SM9数字签名协同生成方法,计算得到Q1=[(r2r3…rm)-1(a2a3…am)]PB,Q2=[(r3…rm)-1(a3…am)]PB,…,Qm-1=[(rm)-1am]PB,For the SM9 digital signature collaborative generation method described above with the help of intermediate parameters, it is calculated that Q 1 =[(r 2 r 3 ...r m ) -1 (a 2 a 3 ... am )]P B , Q 2 =[( r 3 ... r m ) -1 (a 3 ... a m )] P B , ..., Q m-1 = [(r m ) -1 a m ] P B ,
以及D1=[(a2a3…am)(c2c3…cm)-1]PB,D2=[(a3…am)(c3…cm)-1]PB,…,Dm-1=[am(cm)-1]PB的方法包括如下方案(不是全部可能的方案):and D 1 =[(a 2 a 3 ...a m )(c 2 c 3 ...c m ) -1 ] P B , D 2 =[(a 3 ...a m )(c 3 ...c m ) -1 ] P B ,..., D m-1 = [a m (c m ) -1 ] The method of P B includes the following schemes (not all possible schemes):
方案一:Option One:
第m号装置取Qm=PB,Dm=PB,在[1,n-1]中随机选取一个整数am,计算Qm-1=[(rm)- 1am]Qm,Dm-1=[am(cm)-1]Dm,将Qm-1、Dm-1发送给第m-1号装置;The m-th device takes Q m =P B , D m =P B , randomly selects an integer a m in [1,n-1], and calculates Q m-1 =[(r m ) - 1 a m ]Q m , D m-1 =[a m (c m ) -1 ]D m , send Q m-1 and D m-1 to device m-1;
第i号装置接收到Qi、Di后,i=m-1,…,1,若i=1,则第1号装置将Q1、D1临时保留,完成Q1,Q2,…,Qm-1以及D1,D2,…,Dm-1的计算,否则,第i号装置在[1,n-1]中随机选取一个整数ai,计算Qi-1=[(ri)-1ai]Qi,Di-1=[ai(ci)-1]Di,将Qi、Di临时保留,将Qi-1、Di-1传送给第i-1号装置;After device i receives Q i and D i , i=m-1,...,1, if i=1, device No. 1 temporarily reserves Q 1 and D 1 to complete Q 1 , Q 2 ,... , Q m-1 and the calculation of D 1 , D 2 ,...,D m-1 , otherwise, the i-th device randomly selects an integer a i in [1,n-1], and calculates Q i-1 = [ (r i ) -1 a i ]Q i , D i-1 =[a i ( ci ) -1 ]D i , keep Q i and D i temporarily, and send Q i-1 and D i-1 For device i-1;
在计算Q1,Q2,…,Qm-1以及D1,D2,…,Dm-1的过程中,若第i号装置检查发现接收到的Qi或Di为零元,i=m-1,…,1,则报错;In the process of calculating Q 1 , Q 2 ,…,Q m-1 and D 1 , D 2 ,…,D m-1 , if the i-th device checks and finds that the received Q i or D i is zero, i=m-1,...,1, then report an error;
方案二:Option II:
m个装置按计算Q1,Q2,…,Qm-1以及D1,D2,…,Dm-1的方案一的方式计算、保存Q1,Q2,…,Qm-1;m devices calculate and store Q 1 , Q 2 ,...,Q m-1 according to the method of scheme 1 for calculating Q 1 , Q 2 ,...,Q m-1 and D 1 , D 2 ,...,D m -1 ;
第m号装置取dm=1,在[1,n-1]中随机选取一个整数am,计算dm-1=(am(cm)-1)dm)mod n,将dm-1发送给第m-1号装置;The m-th device takes d m =1, randomly selects an integer a m in [1,n-1], calculates d m-1 =(a m (c m ) -1 )d m )mod n, and takes d m-1 is sent to device m-1;
第i号装置接收到di后,i=m-1,…,1,若i=1,则第1号装置计算D1=[d1]PB,将D1临时保留,完成D1,D2,…,Dm-1的计算,否则,第i号装置计算Di=[di]PB,在[1,n-1]中随机选取一个整数ai,计算di-1=(ai(ci)-1di)mod n,将Di临时保留,将di-1传送给第i-1号装置;After the i-th device receives d i , i=m-1,...,1, if i=1, then the first device calculates D 1 =[d 1 ]P B , temporarily reserves D 1 and completes D 1 , D 2 ,..., the calculation of D m-1 , otherwise, the i-th device calculates D i =[d i ]P B , randomly selects an integer a i in [1,n-1], and calculates d i- 1 = (a i (c i ) -1 d i ) mod n, temporarily retaining D i , and sending d i-1 to the i-1th device;
在计算Q1,Q2,…,Qm-1以及D1,D2,…,Dm-1的过程中,若第i号装置检查发现接收到的Qi为零元或di为0,i=m-1,…,1,则报错;In the process of calculating Q 1 , Q 2 ,…,Q m-1 and D 1 , D 2 ,…,D m-1 , if the i-th device checks and finds that the received Q i is zero or d i is 0, i=m-1,...,1, then report an error;
方案三:third solution:
m个装置按计算Q1,Q2,…,Qm-1以及D1,D2,…,Dm-1的方案一的方式计算、保存D1,D2,…,Dm-1;m devices calculate and save D 1 , D 2 ,..., D m -1 according to the method of scheme 1 for calculating Q 1 , Q 2 ,...,Q m-1 and D 1 , D 2 ,...,D m-1 ;
第m号装置取qm=1,在[1,n-1]中随机选取一个整数am,计算qm-1=((rm)-1amqm)modn,将qm-1发送给第m-1号装置;The m-th device takes q m =1, randomly selects an integer a m in [1,n-1], calculates q m-1 =((r m ) -1 a m q m )modn, and converts q m- 1 sent to device m-1;
第i号装置接收到qi后,i=m-1,…,1,若i=1,则第1号装置计算Q1=[q1]PB,将Q1临时保留,完成Q1,Q2,…,Qm-1的计算,否则,第i号装置计算Qi=[qi]PB,在[1,n-1]中随机选取一个整数ai,计算qi-1=((ri)-1aiqi)mod n,将Qi临时保留,将qi-1传送给第i-1号装置;After the i-th device receives q i , i=m-1,...,1, if i=1, then the No. 1 device calculates Q 1 =[q 1 ]P B , reserves Q 1 temporarily, and completes Q 1 , Q 2 ,..., the calculation of Q m-1 , otherwise, the i-th device calculates Q i =[q i ]P B , randomly selects an integer a i in [1,n-1], and calculates q i- 1 = ((r i ) -1 a i q i )mod n, temporarily reserve Q i , and send q i-1 to the i-1th device;
在计算q1,q2,…,qm-1以及D1,D2,…,Dm-1的过程中,若第i号装置检查发现接收到的qi为0或Di为零元,i=m-1,…,1,则报错。In the process of calculating q 1 , q 2 ,…,q m-1 and D 1 , D 2 ,…,D m-1 , if the i-th device checks and finds that the received q i is 0 or D i is zero element, i=m-1,...,1, an error will be reported.
对于以上所述借助中间参数的SM9数字签名协同生成方法,计算得到Q1=[(r2r3…rm)-1(a2a3…am)]PB,Q2=[(r3…rm)-1(a3…am)]PB,…,Qm-1=[(rm)-1am]PB,For the SM9 digital signature collaborative generation method described above with the help of intermediate parameters, it is calculated that Q 1 =[(r 2 r 3 ...r m ) -1 (a 2 a 3 ... am )]P B , Q 2 =[( r 3 ... r m ) -1 (a 3 ... a m )] P B , ..., Q m-1 = [(r m ) -1 a m ] P B ,
以及d1=((a2a3…am)(c2c3…cm)-1)mod n,d2=((a3…am)(c3…cm)-1)mod n,…,dm-1=(am(cm)-1)mod n的一种方法如下:and d 1 =((a 2 a 3 ...a m )(c 2 c 3 ...c m ) -1 ) mod n, d 2 =((a 3 ...a m )(c 3 ...c m ) -1 ) One way mod n,...,d m-1 = (a m (c m ) -1 ) mod n is as follows:
第m号装置取Qm=PB,dm=1,在[1,n-1]中随机选取一个整数am,计算Qm-1=[(rm)- 1am]Qm,dm-1=(am(cm)-1)dm)mod n,将Qm-1、dm-1发送给第m-1号装置;The mth device takes Q m =P B , d m =1, randomly selects an integer a m in [1,n-1], and calculates Q m-1 =[(r m ) - 1 a m ]Q m , d m-1 =(a m (c m ) -1 )d m )mod n, send Q m-1 and d m-1 to device m-1;
第i号装置接收到Qi、di后,i=m-1,…,1,若i=1,则第1号装置将Q1、d1临时保留,完成Q1,Q2,…,Qm-1以及d1,d2,…,dm-1的计算,否则,第i号装置在[1,n-1]中随机选取一个整数ai,计算Qi-1=[(ri)-1ai]Qi,di-1=(ai(ci)-1di)mod n,将Qi、di临时保留,将Qi-1、di-1传送给第i-1号装置;After the i-th device receives Q i and d i , i=m-1,...,1, if i=1, then the No. 1 device temporarily reserves Q 1 and d 1 to complete Q 1 , Q 2 ,... , the calculation of Q m-1 and d 1 , d 2 ,...,d m-1 , otherwise, the i-th device randomly selects an integer a i in [1,n-1], and calculates Q i-1 = [ (r i ) -1 a i ]Q i , d i-1 = (a i ( ci ) -1 d i )mod n, keep Q i and d i temporarily, set Q i-1 , d i- 1 is transmitted to the i-1th device;
在计算Q1,Q2,…,Qm-1以及d1,d2,…,dm-1的过程中,若第i号装置检查发现接收到的Qi为零元或di为0,i=m-1,…,1,则报错。In the process of calculating Q 1 , Q 2 ,…,Q m-1 and d 1 ,d 2 ,…,d m-1 , if the i-th device checks and finds that the received Q i is zero or d i is 0, i=m-1,...,1, then an error will be reported.
对于以上所述借助中间参数的SM9数字签名协同生成方法,计算得到q1=((r2r3…rm)-1(a2a3…am))mod n,q2=((r3…rm)-1(a3…am))mod n,…,qm-1=((rm)-1am)mod n,For the SM9 digital signature collaborative generation method described above with the help of intermediate parameters, the calculated q 1 =((r 2 r 3 ...r m ) -1 (a 2 a 3 ...a m ))mod n, q 2 =(( r 3 ... r m ) -1 (a 3 ... a m )) mod n, ..., q m - 1 = ((r m ) -1 a m ) mod n,
以及D1=[(a2a3…am)(c2c3…cm)-1]PB,D2=[(a3…am)(c3…cm)-1]PB,…,Dm-1=[am(cm)-1]PB的一种方法如下:and D 1 =[(a 2 a 3 ...a m )(c 2 c 3 ...c m ) -1 ] P B , D 2 =[(a 3 ...a m )(c 3 ...c m ) -1 ] One method of P B ,...,D m-1 =[a m (c m ) -1 ]P B is as follows:
第m号装置取qm=1,Dm=PB,在[1,n-1]中随机选取一个整数am,计算qm-1=((rm)- 1amqm)mod n,Dm-1=[am(cm)-1]Dm,将qm-1、Dm-1发送给第m-1号装置;The m-th device takes q m =1, D m =P B , randomly selects an integer a m in [1,n-1], and calculates q m-1 =((r m ) - 1 a m q m ) mod n, D m-1 =[a m (c m ) -1 ]D m , send q m-1 and D m-1 to device m-1;
第i号装置接收到qi、Di后,i=m-1,…,1,若i=1,则第1号装置将q1、D1临时保留,完成q1,q2,…,qm-1以及D1,D2,…,Dm-1的计算,否则,第i号装置在[1,n-1]中随机选取一个整数ai,计算qi-1=((ri)-1aiqi)mod n,Di-1=[ai(ci)-1]Di,将qi、Di临时保留,将qi-1、Di-1传送给第i-1号装置;After the i-th device receives q i , D i , i=m-1,...,1, if i=1, then the No. 1 device temporarily reserves q 1 and D 1 to complete q 1 , q 2 ,... , q m-1 and the calculation of D 1 , D 2 ,...,D m-1 , otherwise, the i-th device randomly selects an integer a i in [1,n-1], and calculates q i-1 =( (r i ) -1 a i q i )mod n, D i-1 = [a i ( ci ) -1 ]D i , keep q i and D i temporarily, and set q i-1 , D i- 1 is transmitted to the i-1th device;
在计算q1,q2,…,qm-1以及D1,D2,…,Dm-1的过程中,若第i号装置检查发现接收到的qi为0或Di为零元,i=m-1,…,1,则报错。In the process of calculating q 1 , q 2 ,…,q m-1 and D 1 , D 2 ,…,D m-1 , if the i-th device checks and finds that the received q i is 0 or D i is zero element, i=m-1,...,1, an error will be reported.
在以上所述借助中间参数的SM9数字签名协同生成方法的基础上可构建SM9数字签名协同生成系统,系统包括m个分别标号为第1号,第2号,…,到第m号的装置,m≥2;第i号装置保存有[1,n-1]区间内的整数秘密ci,i=1,…,m;当需要使用用户的SM9标识私钥dA针对消息M进行数字签名时,m个装置按所述借助中间参数的SM9数字签名协同生成方法生成针对消息M的数字签名。On the basis of the above-mentioned SM9 digital signature collaborative generation method with the help of intermediate parameters, an SM9 digital signature collaborative generation system can be constructed, and the system includes m devices that are respectively labeled No. 1, No. 2, ..., to No. m, m≥2; the i-th device saves the integer secret c i in the interval [1,n-1], i=1,...,m; when it is necessary to use the user's SM9 identification private key d A to digitally sign the message M When , m devices generate a digital signature for message M according to the SM9 digital signature collaborative generation method using intermediate parameters.
从以上描述可以看到,基于本发明的方法和系统,当需要使用用户标识私钥dA对消息进行数字签名时,多个装置可以通过交互协同生成针对消息的数字签名,在计算过程中通过引入中间参数z1,…,zm以及a2,…,am,使得协同生成的数字签名具有乘积r参数,从而具有较高的安全性。As can be seen from the above description, based on the method and system of the present invention, when it is necessary to use the user identification private key d A to digitally sign a message, multiple devices can generate a digital signature for the message through interaction and collaboration. The intermediate parameters z 1 ,..., z m and a 2 ,..., a m are introduced, so that the collaboratively generated digital signature has a product r parameter, thus having higher security.
具体实施方式Detailed ways
下面结合实施例对本发明作进一步的描述。以下实施例仅是本发明列举的几个可能的实施例,不代表全部可能的实施例,不作为对本发明的限定。The present invention will be further described below in conjunction with embodiment. The following embodiments are only several possible embodiments of the present invention, and do not represent all possible embodiments, and are not intended to limit the present invention.
实施例1、Embodiment 1,
此实施例有两个标号为第1号、第2号的装置,第1号装置保存有[1,n-1]区间内的整数秘密c1,第2号装置保存有[1,n-1]区间内的整数秘密c2,其中n为SM9密码算法中群G1、G2、GT的阶(为素数);In this embodiment, there are two devices labeled No. 1 and No. 2. The No. 1 device saves the integer secret c 1 in the interval [1,n-1], and the No. 2 device saves the integer secret c 1 in the interval [1,n- 1] Integer secret c 2 in the interval, where n is the order of groups G 1 , G 2 , G T in the SM9 cryptographic algorithm (a prime number);
(初始化阶段)预先计算有:(initialization phase) precomputed with:
PA=[c-1]dA,其中dA为用户的SM9标识私钥,c-1为c的模n乘法逆,c=(c1c2)mod n为两个装置都没有保存的整数秘密;P A =[c -1 ]d A , where d A is the user's SM9 identification private key, c -1 is the modulo n multiplicative inverse of c, c=(c 1 c 2 )mod n is that neither device has saved the integer secret of
PU=[u]dA,其中u是两个装置都没有保存的[1,n-1]区间内的整数秘密;PU = [ u ]d A , where u is an integer secret in the interval [1,n-1] that is not kept by either device;
u和c-1不必互异(二者不同或者相同);u and c -1 do not have to be different from each other (they are different or the same);
gU=g^u,其中^是幂运算(对^前面的元进行幂运算,^后面为幂运算的次数),g=e(P1,Ppub),P1为G1中的生成元,Ppub为主公钥(即Ppub=[s]P2,s为主私钥或主密钥,P2为G2中的生成元,参见SM9规范);g U =g ^ u, wherein ^ is exponentiation (exponentiation is carried out to the element in front of ^, and the number of times of exponentiation is behind ^), g=e(P 1 , P pub ), P 1 is the generation in G 1 element, P pub is the main public key (that is, P pub =[s]P 2 , s is the main private key or master key, and P 2 is the generating element in G 2 , see SM9 specification);
在群G1中任选一个用户私钥dA之外的非零元PB(固定选取,比如固定选PB=P1,或者主观任意选择,或者随机选择,比如,在[1,n-1]中随机选择一个整数b,计算PB=[b]P1或PB=[b]dA);Select a non-zero element P B other than the user private key d A in the group G 1 (fixed selection, such as fixed selection P B = P 1 , or subjective arbitrary selection, or random selection, for example, in [1,n -1] randomly select an integer b, calculate P B =[b]P 1 or P B =[b]d A );
两个装置都不保存dA;Neither device saves d A ;
当需要使用用户的SM9标识私钥dA针对消息M进行数字签名时,两个装置通过交互计算得到w=gU^(r1r2),其中r1是计算过程中第1号装置在[1,n-1]区间内随机选择的整数,r2是计算过程中第2号装置在[1,n-1]区间内随机选择的整数;When it is necessary to use the user's SM9 identification private key d A to digitally sign the message M, the two devices obtain w=g U ^(r 1 r 2 ) through interactive calculation, where r 1 is the number 1 device in the calculation process. An integer randomly selected in the interval [1, n-1], r 2 is an integer randomly selected by the No. 2 device in the interval [1, n-1] during the calculation process;
然后,(两个装置中的一个装置或其他装置)计算h=H2(M||w,n),其中H2为SM9中规定的散列函数,M||w表示M和w的字串合并,n为G1、G2、GT的阶;Then, (one of the two devices or the other) computes h=H 2 (M||w,n), where H 2 is the hash function specified in SM9 and M||w represents the word M and w String merge, n is the order of G 1 , G 2 , G T ;
(两个装置中的一个装置或其他装置)检查w与g^h是否相等,若w=g^h,则两个装置重新进行w的计算,直到w≠g^h;(one of the two devices or other devices) check whether w is equal to g^h, if w=g^h, then the two devices recalculate w until w≠g^h;
之后,两个装置按前述T、V协同计算方法一计算得到Afterwards, the two devices are calculated according to the aforementioned T and V cooperative calculation method 1
T=[r1r2]PU+[-F(z1,z2)]PB,V=[F(z1,z2)]PB+[-c1c2h]PA,即:T=[r 1 r 2 ]P U +[-F(z 1 ,z 2 )]P B ,V=[F(z 1 ,z 2 )]P B +[-c 1 c 2 h]P A ,which is:
计算得到Q1=[(r2)-1a2]PB,取Q2=PB;Calculate Q 1 =[(r 2 ) -1 a 2 ]P B , take Q 2 =P B ;
计算得到D1=[a2(c2)-1]PB,取D2=PB;Calculate D 1 =[a 2 (c 2 ) -1 ]P B , take D 2 =P B ;
其中,a2为计算过程中第2号装置在[1,n-1]中随机选取的整数;Among them, a 2 is an integer randomly selected by the No. 2 device in [1,n-1] during the calculation process;
取T0=PU,V0=[-h]PA;Take T 0 =P U , V 0 = [-h]PA;
第1号装置在[1,n-1]中随机选择一个整数z1,计算T1=[r1]T0+[-z1]Q1,V1=[z1]D1+[c1]V0,将T1、V1传送给第2号装置;Device No. 1 randomly selects an integer z 1 in [1,n-1], calculates T 1 =[r 1 ]T 0 +[-z 1 ]Q 1 , V 1 =[z 1 ]D 1 +[ c 1 ]V 0 , transmit T 1 and V 1 to device No. 2;
第2号装置接收到T1、V1后,若检查发现T1为零元,则报错,否则,在[1,n-1]中随机选择一个整数z2或取z2=a2,计算T2=[r2]T1+[-z2]Q2,V2=[z2]D2+[c2]V1;After the No. 2 device receives T 1 and V 1 , if it finds that T 1 is zero, it reports an error; otherwise, randomly selects an integer z 2 in [1,n-1] or takes z 2 =a 2 , Calculate T 2 =[r 2 ]T 1 +[-z 2 ]Q 2 , V 2 =[z 2 ]D 2 +[c 2 ]V 1 ;
取T=T2,V=V2;Take T=T 2 , V=V 2 ;
(此时T=[r1r2]PU+[-z1a2-z2]PB,V=[z1a2+z2]PB+[-(c1c2)h]PA)(At this time T=[r 1 r 2 ]P U +[-z 1 a 2 -z 2 ]P B , V=[z 1 a 2 +z 2 ]P B +[-(c 1 c 2 )h ]P A )
最后,(两个装置中的一个装置或其他装置)计算S=T+V,则(h,S)为针对消息M的数字签名。Finally, (one of the two devices or the other) computes S=T+V, then (h, S) is the digital signature for message M.
(此时S=[r1r2]PU+[-c1c2h]PA=[(r1r2)u-h]dA)(At this time S=[r 1 r 2 ]P U +[-c 1 c 2 h]P A =[(r 1 r 2 )uh]d A )
若完成T、V计算之后由第2号装置计算S=T+V,则T、V计算过程中z2的取值允许为0或[1,n-1]中的整数常数(当然是[1,n-1]内的随机整数也没问题)。If S=T+V is calculated by No. 2 device after completing T and V calculation, then the value of z2 in the T and V calculation process is allowed to be 0 or an integer constant in [1, n-1] (certainly [ 1,n-1] is also fine).
实施例2、Embodiment 2,
实施例2与实施例1的差别在于,c1是非秘密,其取值为1或其他[1,n-1]中的整数(其他在[1,n-1]中主观任意或随机选择的整数),PA不公开由第1号装置作为秘密保存(当然若PU=PA,则PU也不公开,也作为秘密由第1号装置保存),且PB≠PA,其他不变。The difference between embodiment 2 and embodiment 1 is that c 1 is non-secret, and its value is 1 or other integers in [1, n-1] (other subjectively or randomly selected in [1, n-1] Integer), P A is not disclosed and stored as a secret by the No. 1 device (of course, if PU = PA, then PU is not disclosed, and is also kept as a secret by the No. 1 device), and P B ≠ PA, other constant.
实施例3、Embodiment 3,
此实施例有m个分别标号为第1号,第2号,…,到第m号的装置,m≥2,其中第i号装置保存有[1,n-1]区间内的整数秘密ci,i=1,…,m,其中n为SM9密码算法中群G1、G2、GT的阶(为素数);In this embodiment, there are m devices respectively labeled No. 1, No. 2, ..., to No. m devices, m≥2, and the device No. i stores an integer secret c in the interval [1, n-1] i , i=1,...,m, where n is the order of groups G 1 , G 2 , G T in the SM9 cryptographic algorithm (it is a prime number);
(初始化阶段)预先计算有:(initialization phase) precomputed with:
PA=[c-1]dA,其中dA为用户的SM9标识私钥,c-1为c的模n乘法逆,c=(c1c2…cm)modn为m个装置都没有保存的整数秘密;P A =[c -1 ]d A , where d A is the user's SM9 identification private key, c -1 is the modulo n multiplicative inverse of c, c=(c 1 c 2 ...c m )modn is the number of m devices no integer secrets saved;
PU=[u]dA,其中u是m个装置都没有保存的[1,n-1]区间内的整数秘密;P U =[u]d A , where u is an integer secret in the interval [1,n-1] that is not saved by m devices;
u和c-1不必互异(二者不同或者相同);u and c -1 do not have to be different from each other (they are different or the same);
gU=g^u,其中^是幂运算(对^前面的元进行幂运算,^后面为幂运算的次数),g=e(P1,Ppub),P1为G1中的生成元,Ppub为主公钥(即Ppub=[s]P2,s为主私钥或主密钥,P2为G2中的生成元,参见SM9规范);g U =g ^ u, wherein ^ is exponentiation (exponentiation is carried out to the element in front of ^, and the number of times of exponentiation is behind ^), g=e(P 1 , P pub ), P 1 is the generation in G 1 element, P pub is the main public key (that is, P pub =[s]P 2 , s is the main private key or master key, and P 2 is the generating element in G 2 , see SM9 specification);
在群G1中任选一个用户私钥dA之外的非零元PB(固定选取,比如固定选PB=P1,或者主观任意选择,或者随机选择,比如,在[1,n-1]中随机选择一个整数b,计算PB=[b]P1或PB=[b]dA);Select a non-zero element P B other than the user private key d A in the group G 1 (fixed selection, such as fixed selection P B = P 1 , or subjective arbitrary selection, or random selection, for example, in [1,n -1] randomly select an integer b, calculate P B =[b]P 1 or P B =[b]d A );
m个装置都不保存dA;m devices do not save d A ;
当需要使用用户的SM9标识私钥dA针对消息M进行数字签名时,m个装置首先通过交互计算得到w=gU^(r1r2…rm),其中ri是计算过程中第i号装置在[1,n-1]区间内随机选择的整数,i=1,…,m;When it is necessary to use the user's SM9 identification private key d A to digitally sign a message M, m devices first obtain w=g U ^(r 1 r 2 …r m ) through interactive calculations, where r i is the first An integer randomly selected by device i in the interval [1,n-1], i=1,...,m;
然后,(m个装置中的一个装置或其他装置)计算h=H2(M||w,n),其中H2为SM9中规定的散列函数,M||w表示M和w的字串合并,n为G1、G2、GT的阶;Then, (one of the m devices or other devices) calculates h = H 2 (M||w,n), where H 2 is the hash function specified in SM9 and M||w represents the word M and w String merge, n is the order of G 1 , G 2 , G T ;
(m个装置中的一个装置或其他装置)检查w与g^h是否相等,若w=g^h,则m个装置重新进行w的计算,直到w≠g^h;(one of the m devices or other devices) check whether w is equal to g^h, if w=g^h, then m devices recalculate w until w≠g^h;
之后,m个装置按前述T、V协同计算方法一计算得到Afterwards, the m devices are calculated according to the aforementioned T and V cooperative calculation method 1
T=[r1r2…rm]PU+[-F(z1,z2,…,zm)]PB,T=[r 1 r 2 …r m ]P U +[-F(z 1 ,z 2 ,…,z m )]P B ,
V=[F(z1,z2,…,zm)]PB+[-c1c2…cmh]PA,即:V=[F(z 1 ,z 2 ,…,z m )]P B +[-c 1 c 2 …c m h]P A , that is:
计算得到Q1=[(r2r3…rm)-1(a2a3…am)]PB,Q2=[(r3…rm)-1(a3…am)]PB,…,Qm-1=[(rm)-1am]PB,取Qm=PB;Calculate Q 1 =[(r 2 r 3 …r m ) -1 (a 2 a 3 …a m )]P B , Q 2 =[(r 3 …r m ) -1 (a 3 …a m ) ] P B ,..., Q m-1 = [(r m ) -1 a m ] P B , get Q m = P B ;
计算得到D1=[(a2a3…am)(c2c3…cm)-1]PB,D2=[(a3…am)(c3…cm)-1]PB,…,Dm-1=[am(cm)-1]PB,取Dm=PB;Calculate D 1 =[(a 2 a 3 ...a m )(c 2 c 3 ...c m ) -1 ]P B , D 2 =[(a 3 ...a m )(c 3 ...c m ) -1 ] P B ,..., D m-1 = [a m (c m ) -1 ] P B , take D m = P B ;
其中,ai为计算过程中第i号装置在[1,n-1]中随机选取的整数,i=2,…,m;Among them, a i is an integer randomly selected by the i-th device in [1,n-1] during the calculation process, i=2,...,m;
取T0=PU,V0=[-h]PA;Take T 0 =P U , V 0 = [-h]PA;
第1号装置在[1,n-1]中随机选择一个整数z1,计算T1=[r1]T0+[-z1]Q1,V1=[z1]D1+[c1]V0,将T1、V1传送给第2号装置;Device No. 1 randomly selects an integer z 1 in [1,n-1], calculates T 1 =[r 1 ]T 0 +[-z 1 ]Q 1 , V 1 =[z 1 ]D 1 +[ c 1 ]V 0 , transmit T 1 and V 1 to device No. 2;
第i号装置接收到Ti-1、Vi-1后,i=2,…,m,若检查发现Ti-1为零元,则报错,否则,在[1,n-1]中随机选择一个整数zi或取zi=ai,计算Ti=[ri]Ti-1+[-zi]Qi,Vi=[zi]Di+[ci]Vi-1;After the i-th device receives T i-1 and V i-1 , i=2,...,m, if it is found that T i-1 is zero, it will report an error, otherwise, in [1,n-1] Randomly select an integer z i or take z i =a i , calculate T i =[r i ]T i-1 +[-z i ]Q i , V i =[z i ]D i +[ ci ]V i-1 ;
若i=m,则取T=Tm,V=Vm,完成T、V计算,否则,第i号装置将Ti、Vi传送给第i+1号装置,直到完成Tm、Vm计算;If i=m, take T=T m , V=V m , and complete the calculation of T and V; otherwise, the i-th device will transmit T i and V i to the i+1-th device until T m and V are completed m calculation;
(此时T=[r1r2…rm]PU+[-z1a2a3…am-z2a3…am-…-zm-1am-zm]PB,(At this time T=[r 1 r 2 ...r m ]P U +[-z 1 a 2 a 3 ...am -z 2 a 3 ...a m -...-z m -1 a m -z m ]P B ,
V=[z1a2a3…am+z2a3…am+…+zm-1am+zm]PB+[-(c1c2…cm)h]PA)V=[z 1 a 2 a 3 ...a m +z 2 a 3 ...a m +...+z m-1 a m +z m ]P B +[-(c 1 c 2 ...c m )h]P A )
最后,(m个装置中的一个装置或其他装置)计算S=T+V,则(h,S)为针对消息M的数字签名。Finally, (one of the m devices or other devices) calculates S=T+V, then (h, S) is the digital signature for the message M.
(此时S=[r1r2…rm]PU+[-c1c2…cmh]PA=[(r1r2…rm)u-h]dA)(At this time S=[r 1 r 2 …r m ]P U +[-c 1 c 2 …c m h]P A =[(r 1 r 2 …r m )uh]d A )
若完成T、V计算之后由第m号装置计算S=T+V,则T、V计算过程中zm的取值允许为0或[1,n-1]中的整数常数(当然是随机整数也没问题)。If S=T+V is calculated by the mth device after the calculation of T and V is completed, the value of z m during the calculation of T and V is allowed to be 0 or an integer constant in [1, n-1] (of course, it is random Integers are fine too).
实施例4、Embodiment 4,
实施例4与实施例3的差别在于,c1是非秘密,其取值为1或其他[1,n-1]中的整数(其他在[1,n-1]中主观任意或随机选择的整数),PA不公开由第1号装置作为秘密保存(当然若PU=PA,则PU也不公开,也作为秘密由第1号装置保存),且PB≠PA,其他不变。The difference between embodiment 4 and embodiment 3 is that c 1 is non-secret, and its value is 1 or other integers in [1, n-1] (other subjectively or randomly selected in [1, n-1] Integer), P A is not disclosed and stored as a secret by the No. 1 device (of course, if PU = PA, then PU is not disclosed, and is also kept as a secret by the No. 1 device), and P B ≠ PA, other constant.
实施例5、Embodiment 5,
此实施例有两个标号为第1号、第2号的装置,第1号装置保存有[1,n-1]区间内的整数秘密c1,第2号装置保存有[1,n-1]区间内的整数秘密c2,其中n为SM9密码算法中群G1、G2、GT的阶(为素数);In this embodiment, there are two devices labeled No. 1 and No. 2. The No. 1 device saves the integer secret c 1 in the interval [1,n-1], and the No. 2 device saves the integer secret c 1 in the interval [1,n- 1] Integer secret c 2 in the interval, where n is the order of groups G 1 , G 2 , G T in the SM9 cryptographic algorithm (a prime number);
(初始化阶段)预先计算有:(initialization phase) precomputed with:
PA=[c-1]dA,其中dA为用户的SM9标识私钥,c-1为c的模n乘法逆,c=(c1c2)mod n为两个装置都没有保存的整数秘密;P A =[c -1 ]d A , where d A is the user's SM9 identification private key, c -1 is the modulo n multiplicative inverse of c, c=(c 1 c 2 )mod n is that neither device has saved the integer secret of
PU=[u]dA,其中u是两个装置都没有保存的[1,n-1]区间内的整数秘密;PU = [ u ]d A , where u is an integer secret in the interval [1,n-1] that is not kept by either device;
u和c-1不必互异(二者不同或者相同);u and c -1 do not have to be different from each other (they are different or the same);
gU=g^u,其中^是幂运算(对^前面的元进行幂运算,^后面为幂运算的次数),g=e(P1,Ppub),P1为G1中的生成元,Ppub为主公钥(即Ppub=[s]P2,s为主私钥或主密钥,P2为G2中的生成元,参见SM9规范);g U =g ^ u, wherein ^ is exponentiation (exponentiation is carried out to the element in front of ^, and the number of times of exponentiation is behind ^), g=e(P 1 , P pub ), P 1 is the generation in G 1 element, P pub is the main public key (that is, P pub =[s]P 2 , s is the main private key or master key, and P 2 is the generating element in G 2 , see SM9 specification);
取PB=PA;Take P B = P A ;
两个装置都不保存dA;Neither device saves d A ;
当需要使用用户的SM9标识私钥dA针对消息M进行数字签名时,两个装置通过交互计算得到w=gU^(r1r2),其中r1是计算过程中第1号装置在[1,n-1]区间内随机选择的整数,r2是计算过程中第2号装置在[1,n-1]区间内随机选择的整数;When it is necessary to use the user's SM9 identification private key d A to digitally sign the message M, the two devices obtain w=g U ^(r 1 r 2 ) through interactive calculation, where r 1 is the number 1 device in the calculation process. An integer randomly selected in the interval [1, n-1], r 2 is an integer randomly selected by the No. 2 device in the interval [1, n-1] during the calculation process;
然后,(两个装置中的一个装置或其他装置)计算h=H2(M||w,n),其中H2为SM9中规定的散列函数,M||w表示M和w的字串合并,n为G1、G2、GT的阶;Then, (one of the two devices or the other) computes h=H 2 (M||w,n), where H 2 is the hash function specified in SM9 and M||w represents the word M and w String merge, n is the order of G 1 , G 2 , G T ;
(两个装置中的一个装置或其他装置)检查w与g^h是否相等,若w=g^h,则两个装置重新进行w的计算,直到w≠g^h;(one of the two devices or other devices) check whether w is equal to g^h, if w=g^h, then the two devices recalculate w until w≠g^h;
之后,两个装置按前述T、V协同计算方法二计算得到Afterwards, the two devices are calculated according to the aforementioned T and V cooperative calculation method 2
T=[r1r2]PU+[-F(z1,z2)]PB,V=[F(z1,z2)]PB+[-c1c2h]PA,即:T=[r 1 r 2 ]P U +[-F(z 1 ,z 2 )]P B ,V=[F(z 1 ,z 2 )]P B +[-c 1 c 2 h]P A ,which is:
计算得到Q1=[(r2)-1a2]PB,取Q2=PB;Calculate Q 1 =[(r 2 ) -1 a 2 ]P B , take Q 2 =P B ;
计算得到d1=(a2(c2)-1)mod n,取d2=1;Calculate d 1 =(a 2 (c 2 ) -1 )mod n, take d 2 =1;
其中,a2为计算过程中第2号装置在[1,n-1]中随机选取的整数;Among them, a 2 is an integer randomly selected by the No. 2 device in [1,n-1] during the calculation process;
取T0=PU,v0=-h;Take T 0 =P U , v 0 =-h;
第1号装置在[1,n-1]中随机选择一个整数z1,计算T1=[r1]T0+[-z1]Q1,v1=(z1d1+c1v0)mod n,将T1、v1传送给第2号装置;Device No. 1 randomly selects an integer z 1 in [1,n-1], calculates T 1 =[r 1 ]T 0 +[-z 1 ]Q 1 , v 1 =(z 1 d 1 +c 1 v 0 ) mod n, transmit T 1 and v 1 to device No. 2;
第2号装置接收到T1、v1后,若检查发现T1为零元,则报错,否则,在[1,n-1]中随机选择一个整数z2,计算T2=[r2]T1+[-z2]Q2,v2=(z2d2+c2v1)mod n;After the No. 2 device receives T 1 and v 1 , if it finds that T 1 is zero, it reports an error; otherwise, randomly selects an integer z 2 in [1,n-1], and calculates T 2 =[r 2 ]T 1 +[-z 2 ]Q 2 , v 2 =(z 2 d 2 +c 2 v 1 ) mod n;
取T=T2,(两个装置中的一个装置或其他装置)计算V=[v2]PA,完成T、V计算;Take T=T 2 , (one of the two devices or other devices) calculate V=[v 2 ]PA to complete the calculation of T and V;
(此时T=[r1r2]PU+[-z1a2-z2]PB,V=[z1a2+z2]PB+[-(c1c2)h]PA)(At this time T=[r 1 r 2 ]P U +[-z 1 a 2 -z 2 ]P B , V=[z 1 a 2 +z 2 ]P B +[-(c 1 c 2 )h ]P A )
最后,(两个装置中的一个装置或其他装置)计算S=T+V,则(h,S)为针对消息M的数字签名。Finally, (one of the two devices or the other) computes S=T+V, then (h, S) is the digital signature for message M.
(此时S=[r1r2]PU+[-c1c2h]PA=[(r1r2)u-h]dA)(At this time S=[r 1 r 2 ]P U +[-c 1 c 2 h]P A =[(r 1 r 2 )uh]d A )
若由第2号装置计算V=[v2]PA,且完成T、V计算之后由第2号装置计算S=T+V,则T、V计算过程中z2的取值允许为0或[1,n-1]中的整数常数(当然是[1,n-1]内的随机整数也没问题)。If V=[v 2 ]PA is calculated by the No. 2 device, and S= T +V is calculated by the No. 2 device after the calculation of T and V is completed, then the value of z 2 during the calculation of T and V is allowed to be 0 Or an integer constant in [1,n-1] (of course a random integer in [1,n-1] is also fine).
实施例6、Embodiment 6,
实例6与实施例5的差别在于,c2是非秘密,其取值为1或其他[1,n-1]中的整数(其他在[1,n-1]中主观任意或随机选择的整数),PU≠PA(即u和c-1互异),PA不公开由第2号装置作为秘密保存(当然PB也不公开),由第2号装置计算V=[v2]PA,其他不变。The difference between Example 6 and Example 5 is that c 2 is non-secret, and its value is 1 or other integers in [1, n-1] (other subjective arbitrary or randomly selected integers in [1, n-1] ), P U ≠ P A (i.e. u and c -1 are mutually different), P A is not disclosed and kept as a secret by No. 2 device (of course P B is not disclosed), and V=[v 2 ]P A , the others remain unchanged.
实施例7、Embodiment 7,
此实施例有m个分别标号为第1号,第2号,…,到第m号的装置,m≥2,其中第i号装置保存有[1,n-1]区间内的整数秘密ci,i=1,…,m,其中n为SM9密码算法中群G1、G2、GT的阶(为素数);In this embodiment, there are m devices respectively labeled No. 1, No. 2, ..., to No. m devices, m≥2, and the device No. i stores an integer secret c in the interval [1, n-1] i , i=1,...,m, where n is the order of groups G 1 , G 2 , G T in the SM9 cryptographic algorithm (it is a prime number);
(初始化阶段)预先计算有:(initialization phase) precomputed with:
PA=[c-1]dA,其中dA为用户的SM9标识私钥,c-1为c的模n乘法逆,c=(c1c2…cm)modn为m个装置都没有保存的整数秘密;P A =[c -1 ]d A , where d A is the user's SM9 identification private key, c -1 is the modulo n multiplicative inverse of c, c=(c 1 c 2 ...c m )modn is the number of m devices no integer secrets saved;
PU=[u]dA,其中u是m个装置都没有保存的[1,n-1]区间内的整数秘密;P U =[u]d A , where u is an integer secret in the interval [1,n-1] that is not saved by m devices;
u和c-1不必互异(二者不同或者相同);u and c -1 do not have to be different from each other (they are different or the same);
gU=g^u,其中^是幂运算(对^前面的元进行幂运算,^后面为幂运算的次数),g=e(P1,Ppub),P1为G1中的生成元,Ppub为主公钥(即Ppub=[s]P2,s为主私钥或主密钥,P2为G2中的生成元,参见SM9规范);g U =g ^ u, wherein ^ is exponentiation (exponentiation is carried out to the element in front of ^, and the number of times of exponentiation is behind ^), g=e(P 1 , P pub ), P 1 is the generation in G 1 element, P pub is the main public key (that is, P pub =[s]P 2 , s is the main private key or master key, and P 2 is the generating element in G 2 , see SM9 specification);
取PB=PA;Take P B = P A ;
m个装置都不保存dA;m devices do not save d A ;
当需要使用用户的SM9标识私钥dA针对消息M进行数字签名时,m个装置首先通过交互计算得到w=gU^(r1r2…rm),其中ri是计算过程中第i号装置在[1,n-1]区间内随机选择的整数,i=1,…,m;When it is necessary to use the user's SM9 identification private key d A to digitally sign a message M, m devices first obtain w=g U ^(r 1 r 2 …r m ) through interactive calculations, where r i is the first An integer randomly selected by device i in the interval [1,n-1], i=1,...,m;
然后,(m个装置中的一个装置或其他装置)计算h=H2(M||w,n),其中H2为SM9中规定的散列函数,M||w表示M和w的字串合并,n为G1、G2、GT的阶;Then, (one of the m devices or other devices) calculates h = H 2 (M||w,n), where H 2 is the hash function specified in SM9 and M||w represents the word M and w String merge, n is the order of G 1 , G 2 , G T ;
(m个装置中的一个装置或其他装置)检查w与g^h是否相等,若w=g^h,则m个装置重新进行w的计算,直到w≠g^h;(one of the m devices or other devices) check whether w is equal to g^h, if w=g^h, then m devices recalculate w until w≠g^h;
之后,m个装置按前述T、V协同计算方法二计算得到Afterwards, the m devices are calculated according to the aforementioned T and V cooperative calculation method 2
T=[r1r2…rm]PU+[-F(z1,z2,…,zm)]PB,T=[r 1 r 2 …r m ]P U +[-F(z 1 ,z 2 ,…,z m )]P B ,
V=[F(z1,z2,…,zm)]PB+[-c1c2…cmh]PA,即:V=[F(z 1 ,z 2 ,…,z m )]P B +[-c 1 c 2 …c m h]P A , that is:
计算得到Q1=[(r2r3…rm)-1(a2a3…am)]PB,Q2=[(r3…rm)-1(a3…am)]PB,…,Qm-1=[(rm)-1am]PB,取Qm=PB;Calculate Q 1 =[(r 2 r 3 …r m ) -1 (a 2 a 3 …a m )]P B , Q 2 =[(r 3 …r m ) -1 (a 3 …a m ) ] P B ,..., Q m-1 = [(r m ) -1 a m ] P B , get Q m = P B ;
计算得到d1=((a2a3…am)(c2c3…cm)-1)mod n,d2=((a3…am)(c3…cm)-1)modn,…,dm-1=(am(cm)-1)mod n,取dm=1;Calculate d 1 =((a 2 a 3 ...a m )(c 2 c 3 ...c m ) -1 )mod n, d 2 =((a 3 ...a m )(c 3 ...c m ) -1 ) mod n, ..., d m-1 = (a m (c m ) -1 ) mod n, get d m = 1;
其中,ai为计算过程中第i号装置在[1,n-1]中随机选取的整数,i=2,…,m;Among them, a i is an integer randomly selected by the i-th device in [1,n-1] during the calculation process, i=2,...,m;
取T0=PU,v0=-h;Take T 0 =P U , v 0 =-h;
第1号装置在[1,n-1]中随机选择一个整数z1,计算T1=[r1]T0+[-z1]Q1,v1=(z1d1+c1v0)mod n,将T1、v1传送给第2号装置;Device No. 1 randomly selects an integer z 1 in [1,n-1], calculates T 1 =[r 1 ]T 0 +[-z 1 ]Q 1 , v 1 =(z 1 d 1 +c 1 v 0 ) mod n, transmit T 1 and v 1 to device No. 2;
第i号装置接收到Ti-1、vi-1后,i=2,…,m,若检查发现Ti-1为零元,则报错,否则,在[1,n-1]中随机选择一个整数zi,计算Ti=[ri]Ti-1+[-zi]Qi,vi=(zidi+civi-1)mod n;After the i-th device receives T i-1 and v i-1 , i=2,...,m, if the inspection finds that T i-1 is zero, it will report an error, otherwise, in [1,n-1] Randomly select an integer z i , calculate T i =[r i ]T i-1 +[-z i ]Q i , v i =(z i d i +c i v i-1 )mod n;
若i=m,则取T=Tm,(m个装置中的一个装置或其他装置)计算V=[vm]PA,完成T、V计算,否则,第i号装置将Ti、vi传送给第i+1号装置,直到完成Tm、vm计算;If i=m, then take T=T m , (one of the m devices or other devices) calculate V=[v m ]PA, and complete the calculation of T and V; otherwise, the i-th device will T i , v i is sent to device i+1 until the calculation of T m and v m is completed;
(此时T=[r1r2…rm]PU+[-z1a2a3…am-z2a3…am-…-zm-1am-zm]PB,(At this time T=[r 1 r 2 ...r m ]P U +[-z 1 a 2 a 3 ...am -z 2 a 3 ...a m -...-z m -1 a m -z m ]P B ,
V=[z1a2a3…am+z2a3…am+…+zm-1am+zm]PB+[-(c1c2…cm)h]PA)V=[z 1 a 2 a 3 ...a m +z 2 a 3 ...a m +...+z m-1 a m +z m ]P B +[-(c 1 c 2 ...c m )h]P A )
最后,(m个装置中的一个装置或其他装置)计算S=T+V,则(h,S)为针对消息M的数字签名。Finally, (one of the m devices or other devices) calculates S=T+V, then (h, S) is the digital signature for the message M.
(此时S=[r1r2…rm]PU+[-c1c2…cmh]PA=[(r1r2…rm)u-h]dA)(At this time S=[r 1 r 2 …r m ]P U +[-c 1 c 2 …c m h]P A =[(r 1 r 2 …r m )uh]d A )
若由第m号装置计算V=[vm]PA,且完成T、V计算之后由第m号装置计算S=T+V,则T、V计算过程中zm的取值允许为0或[1,n-1]中的整数常数(当然是[1,n-1]内的随机整数也没问题)。If V=[v m ]PA is calculated by the mth device, and S= T +V is calculated by the mth device after the calculation of T and V is completed, then the value of z m during the calculation of T and V is allowed to be 0 Or an integer constant in [1,n-1] (of course a random integer in [1,n-1] is also fine).
实施例8、Embodiment 8,
实例8与实施例7的差别在于,cm是非秘密,其取值为1或其他[1,n-1]中的整数(其他在[1,n-1]中主观任意或随机选择的整数),PU≠PA(即u和c-1互异),PA不公开由第m号装置作为秘密保存(当然PB也不公开),由第m号装置计算V=[vm]PA,其他不变。The difference between Example 8 and Example 7 is that c m is non-secret, and its value is 1 or other integers in [1, n-1] (other subjective arbitrary or randomly selected integers in [1, n-1] ), P U ≠ P A (i.e. u and c -1 are different), P A is not disclosed and kept as a secret by the m-th device (of course P B is not disclosed), and the m-th device calculates V=[v m ]P A , the others remain unchanged.
实施例9、Embodiment 9,
此实施例有两个标号为第1号、第2号的装置,第1号装置保存有[1,n-1]区间内的整数秘密c1,第2号装置保存有[1,n-1]区间内的整数秘密c2,其中n为SM9密码算法中群G1、G2、GT的阶(为素数);In this embodiment, there are two devices labeled No. 1 and No. 2. The No. 1 device saves the integer secret c 1 in the interval [1,n-1], and the No. 2 device saves the integer secret c 1 in the interval [1,n- 1] Integer secret c 2 in the interval, where n is the order of groups G 1 , G 2 , G T in the SM9 cryptographic algorithm (a prime number);
(初始化阶段)预先计算有:(initialization phase) precomputed with:
PA=[c-1]dA,其中dA为用户的SM9标识私钥,c-1为c的模n乘法逆,c=(c1c2)mod n为两个装置都没有保存的整数秘密;P A =[c -1 ]d A , where d A is the user's SM9 identification private key, c -1 is the modulo n multiplicative inverse of c, c=(c 1 c 2 )mod n is that neither device has saved the integer secret of
PU=[u]dA,其中u是两个装置都没有保存的[1,n-1]区间内的整数秘密;PU = [ u ]d A , where u is an integer secret in the interval [1,n-1] that is not kept by either device;
u和c-1不必互异(二者不同或者相同);u and c -1 do not have to be different from each other (they are different or the same);
gU=g^u,其中^是幂运算(对^前面的元进行幂运算,^后面为幂运算的次数),g=e(P1,Ppub),P1为G1中的生成元,Ppub为主公钥(即Ppub=[s]P2,s为主私钥或主密钥,P2为G2中的生成元,参见SM9规范);g U =g ^ u, wherein ^ is exponentiation (exponentiation is carried out to the element in front of ^, and the number of times of exponentiation is behind ^), g=e(P 1 , P pub ), P 1 is the generation in G 1 element, P pub is the main public key (that is, P pub =[s]P 2 , s is the main private key or master key, and P 2 is the generating element in G 2 , see SM9 specification);
取PB=PU;Take P B =P U ;
两个装置都不保存dA;Neither device saves d A ;
当需要使用用户的SM9标识私钥dA针对消息M进行数字签名时,两个装置通过交互计算得到w=gU^(r1r2),其中r1是计算过程中第1号装置在[1,n-1]区间内随机选择的整数,r2是计算过程中第2号装置在[1,n-1]区间内随机选择的整数;When it is necessary to use the user's SM9 identification private key d A to digitally sign the message M, the two devices obtain w=g U ^(r 1 r 2 ) through interactive calculation, where r 1 is the number 1 device in the calculation process. An integer randomly selected in the interval [1, n-1], r 2 is an integer randomly selected by the No. 2 device in the interval [1, n-1] during the calculation process;
然后,(两个装置中的一个装置或其他装置)计算h=H2(M||w,n),其中H2为SM9中规定的散列函数,M||w表示M和w的字串合并,n为G1、G2、GT的阶;Then, (one of the two devices or the other) computes h=H 2 (M||w,n), where H 2 is the hash function specified in SM9 and M||w represents the word M and w String merge, n is the order of G 1 , G 2 , G T ;
(两个装置中的一个装置或其他装置)检查w与g^h是否相等,若w=g^h,则两个装置重新进行w的计算,直到w≠g^h;(one of the two devices or other devices) check whether w is equal to g^h, if w=g^h, then the two devices recalculate w until w≠g^h;
之后,两个装置按前述T、V协同计算方法三计算得到Afterwards, the two devices are calculated according to the aforementioned T and V cooperative calculation method 3
T=[r1r2]PU+[-F(z1,z2)]PB,V=[F(z1,z2)]PB+[-c1c2h]PA,即:T=[r 1 r 2 ]P U +[-F(z 1 ,z 2 )]P B ,V=[F(z 1 ,z 2 )]P B +[-c 1 c 2 h]P A ,which is:
计算得到q1=((r2)-1a2)mod n,取q2=1;Calculate q 1 =((r 2 ) -1 a 2 )mod n, take q 2 =1;
计算得到D1=[a2(c2)-1]PB,取D2=PB;Calculate D 1 =[a 2 (c 2 ) -1 ]P B , take D 2 =P B ;
其中,a2为计算过程中第2号装置在[1,n-1]中随机选取的整数,i=2,…,m;Among them, a 2 is an integer randomly selected by the No. 2 device in [1,n-1] during the calculation process, i=2,...,m;
取t0=1,V0=[-h]PA;Take t 0 =1, V 0 = [-h]PA;
第1号装置在[1,n-1]中随机选择一个整数z1,计算t1=(r1t0-z1q1)mod n,V1=[z1]D1+[c1]V0,将t1、V1传送给第2号装置;Device No. 1 randomly selects an integer z 1 in [1,n-1], calculates t 1 =(r 1 t 0 -z 1 q 1 )mod n, V 1 =[z 1 ]D 1 +[c 1 ] V 0 , transmit t 1 and V 1 to the No. 2 device;
第2号装置接收到t1、V1后,若检查发现t1为0,则报错,否则,在[1,n-1]中随机选择一个整数z2,计算t2=(r2t1-z2q2)mod n,V2=[z2]D2+[c2]V1;After the No. 2 device receives t 1 and V 1 , if it finds that t 1 is 0, it reports an error; otherwise, randomly selects an integer z 2 in [1,n-1], and calculates t 2 =(r 2 t 1 -z 2 q 2 ) mod n, V 2 =[z 2 ]D 2 +[c 2 ]V 1 ;
(两个装置中的一个装置或之外的装置)计算T=[t2]PB,取V=V2;(one of the two devices or other devices) calculate T=[t 2 ]P B , take V=V 2 ;
(此时T=[r1r2]PU+[-z1a2-z2]PB,V=[z1a2+z2]PB+[-(c1c2)h]PA)(At this time T=[r 1 r 2 ]P U +[-z 1 a 2 -z 2 ]P B , V=[z 1 a 2 +z 2 ]P B +[-(c 1 c 2 )h ]P A )
最后,(两个装置中的一个装置或其他装置)计算S=T+V,则(h,S)为针对消息M的数字签名。Finally, (one of the two devices or the other) computes S=T+V, then (h, S) is the digital signature for message M.
(此时S=[r1r2]PU+[-c1c2h]PA=[(r1r2)u-h]dA)(At this time S=[r 1 r 2 ]P U +[-c 1 c 2 h]P A =[(r 1 r 2 )uh]d A )
若由第2号装置计算T=[t2]PB,且完成T、V计算之后由第2号装置计算S=T+V,则T、V计算过程中z2的取值允许为0或[1,n-1]中的整数常数(当然是[1,n-1]内的随机整数也没问题)。If T=[t 2 ]P B is calculated by the No. 2 device, and S=T+V is calculated by the No. 2 device after the calculation of T and V is completed, then the value of z 2 is allowed to be 0 during the calculation of T and V Or an integer constant in [1,n-1] (of course a random integer in [1,n-1] is also fine).
实施例10、Embodiment 10,
实例10与实施例9的差别在于,c1是非秘密,其取值为1或其他[1,n-1]中的整数(其他在[1,n-1]中主观任意或随机选择的整数),PB≠PA(即PU≠PA,u和c-1互异),PA不公开由第1号装置作为秘密保存,其他不变。The difference between Example 10 and Example 9 is that c 1 is non-secret, and its value is 1 or other integers in [1, n-1] (other subjective arbitrary or randomly selected integers in [1, n-1] ), P B ≠ PA ( that is, PU ≠ PA, u and c -1 are different from each other), PA is not disclosed and kept as a secret by No. 1 device, and the others remain unchanged.
实施例11、Embodiment 11,
此实施例有m个分别标号为第1号,第2号,…,到第m号的装置,m≥2,其中第i号装置保存有[1,n-1]区间内的整数秘密ci,i=1,…,m,其中n为SM9密码算法中群G1、G2、GT的阶(为素数);In this embodiment, there are m devices respectively labeled No. 1, No. 2, ..., to No. m devices, m≥2, and the device No. i stores an integer secret c in the interval [1, n-1] i , i=1,...,m, where n is the order of groups G 1 , G 2 , G T in the SM9 cryptographic algorithm (it is a prime number);
(初始化阶段)预先计算有:(initialization phase) precomputed with:
PA=[c-1]dA,其中dA为用户的SM9标识私钥,c-1为c的模n乘法逆,c=(c1c2…cm)modn为m个装置都没有保存的整数秘密;P A =[c -1 ]d A , where d A is the user's SM9 identification private key, c -1 is the modulo n multiplicative inverse of c, c=(c 1 c 2 ...c m )modn is the number of m devices no integer secrets saved;
PU=[u]dA,其中u是m个装置都没有保存的[1,n-1]区间内的整数秘密;P U =[u]d A , where u is an integer secret in the interval [1,n-1] that is not saved by m devices;
u和c-1不必互异(二者不同或者相同);u and c -1 do not have to be different from each other (they are different or the same);
gU=g^u,其中^是幂运算(对^前面的元进行幂运算,^后面为幂运算的次数),g=e(P1,Ppub),P1为G1中的生成元,Ppub为主公钥(即Ppub=[s]P2,s为主私钥或主密钥,P2为G2中的生成元,参见SM9规范);g U =g ^ u, wherein ^ is exponentiation (exponentiation is carried out to the element in front of ^, and the number of times of exponentiation is behind ^), g=e(P 1 , P pub ), P 1 is the generation in G 1 element, P pub is the main public key (that is, P pub =[s]P 2 , s is the main private key or master key, and P 2 is the generating element in G 2 , see SM9 specification);
取PB=PU;Take P B =P U ;
m个装置都不保存dA;m devices do not save d A ;
当需要使用用户的SM9标识私钥dA针对消息M进行数字签名时,m个装置首先通过交互计算得到w=gU^(r1r2…rm),其中ri是计算过程中第i号装置在[1,n-1]区间内随机选择的整数,i=1,…,m;When it is necessary to use the user's SM9 identification private key d A to digitally sign a message M, m devices first obtain w=g U ^(r 1 r 2 …r m ) through interactive calculations, where r i is the first An integer randomly selected by device i in the interval [1,n-1], i=1,...,m;
然后,(m个装置中的一个装置或其他装置)计算h=H2(M||w,n),其中H2为SM9中规定的散列函数,M||w表示M和w的字串合并,n为G1、G2、GT的阶;Then, (one of the m devices or other devices) calculates h = H 2 (M||w,n), where H 2 is the hash function specified in SM9 and M||w represents the word M and w String merge, n is the order of G 1 , G 2 , G T ;
(m个装置中的一个装置或其他装置)检查w与g^h是否相等,若w=g^h,则m个装置重新进行w的计算,直到w≠g^h;(one of the m devices or other devices) check whether w is equal to g^h, if w=g^h, then m devices recalculate w until w≠g^h;
之后,m个装置按前述T、V协同计算方法三计算得到Afterwards, the m devices are calculated according to the aforementioned T and V cooperative calculation method 3
T=[r1r2…rm]PU+[-F(z1,z2,…,zm)]PB,T=[r 1 r 2 …r m ]P U +[-F(z 1 ,z 2 ,…,z m )]P B ,
V=[F(z1,z2,…,zm)]PB+[-c1c2…cmh]PA,即:V=[F(z 1 ,z 2 ,…,z m )]P B +[-c 1 c 2 …c m h]P A , that is:
计算得到q1=((r2r3…rm)-1(a2a3…am))mod n,q2=((r3…rm)-1(a3…am))modn,…,qm-1=((rm)-1am)mod n,取qm=1;Calculate q 1 =((r 2 r 3 …r m ) -1 (a 2 a 3 …a m ))mod n, q 2 =((r 3 …r m ) -1 (a 3 …a m ) ) mod n, ..., q m-1 = ((r m ) -1 a m ) mod n, get q m = 1;
计算得到D1=[(a2a3…am)(c2c3…cm)-1]PB,D2=[(a3…am)(c3…cm)-1]PB,…,Dm-1=[am(cm)-1]PB,取Dm=PB;Calculate D 1 =[(a 2 a 3 ...a m )(c 2 c 3 ...c m ) -1 ]P B , D 2 =[(a 3 ...a m )(c 3 ...c m ) -1 ] P B ,..., D m-1 = [a m (c m ) -1 ] P B , take D m = P B ;
其中,ai为计算过程中第i号装置在[1,n-1]中随机选取的整数,i=2,…,m;Among them, a i is an integer randomly selected by the i-th device in [1,n-1] during the calculation process, i=2,...,m;
取t0=1,V0=[-h]PA;Take t 0 =1, V 0 = [-h]PA;
第1号装置在[1,n-1]中随机选择一个整数z1,计算t1=(r1t0-z1q1)mod n,V1=[z1]D1+[c1]V0,将t1、V1传送给第2号装置;Device No. 1 randomly selects an integer z 1 in [1,n-1], calculates t 1 =(r 1 t 0 -z 1 q 1 )mod n, V 1 =[z 1 ]D 1 +[c 1 ] V 0 , transmit t 1 and V 1 to the No. 2 device;
第i号装置接收到ti-1、Vi-1后,i=2,…,m,若检查发现ti-1为0,则报错,否则,在[1,n-1]中随机选择一个整数zi,计算ti=(riti-1-ziqi)mod n,Vi=[zi]Di+[ci]Vi-1;After the i-th device receives t i-1 and V i-1 , i=2,...,m, if it is found that t i-1 is 0, it will report an error; otherwise, randomly Select an integer z i , calculate t i =(r i t i-1 -z i q i )mod n, V i =[z i ]D i +[c i ]V i-1 ;
若i=m,则(m个装置中的一个装置或之外的装置)计算T=[tm]PB,取V=Vm,完成T、V计算,否则,第i号装置将Ti、Vi传送给第i+1号装置,直到完成Tm、Vm计算;If i=m, then (one of the m devices or other devices) calculate T=[t m ]P B , take V=V m to complete the calculation of T and V, otherwise, the i-th device will T i and V i are sent to device i+1 until the calculation of T m and V m is completed;
(此时T=[r1r2…rm]PU+[-z1a2a3…am-z2a3…am-…-zm-1am-zm]PB,(At this time T=[r 1 r 2 ...r m ]P U +[-z 1 a 2 a 3 ...am -z 2 a 3 ...a m -...-z m -1 a m -z m ]P B ,
V=[z1a2a3…am+z2a3…am+…+zm-1am+zm]PB+[-(c1c2…cm)h]PA)V=[z 1 a 2 a 3 ...a m +z 2 a 3 ...a m +...+z m-1 a m +z m ]P B +[-(c 1 c 2 ...c m )h]P A )
最后,(m个装置中的一个装置或其他装置)计算S=T+V,则(h,S)为针对消息M的数字签名。Finally, (one of the m devices or other devices) calculates S=T+V, then (h, S) is the digital signature for the message M.
(此时S=[r1r2…rm]PU+[-c1c2…cmh]PA=[(r1r2…rm)u-h]dA)(At this time S=[r 1 r 2 …r m ]P U +[-c 1 c 2 …c m h]P A =[(r 1 r 2 …r m )uh]d A )
若由第m号装置计算T=[tm]PB,且完成T、V计算之后由第m号装置计算S=T+V,则T、V计算过程中zm的取值允许为0或[1,n-1]中的整数常数(当然是[1,n-1]内的随机整数也没问题)。If T=[t m ]P B is calculated by the m-th device, and S=T+V is calculated by the m-th device after the calculation of T and V is completed, then the value of z m during the calculation of T and V is allowed to be 0 Or an integer constant in [1,n-1] (of course a random integer in [1,n-1] is also fine).
实施例12、Embodiment 12,
实例12与实施例11的差别在于,c1是非秘密,其取值为1或其他[1,n-1]中的整数(其他在[1,n-1]中主观任意或随机选择的整数),PB≠PA(即PU≠PA,u和c-1互异),PA不公开由第1号装置作为秘密保存,其他不变。The difference between Example 12 and Example 11 is that c 1 is non-secret, and its value is 1 or other integers in [1, n-1] (other subjectively or randomly selected integers in [1, n-1] ), P B ≠ PA ( that is, PU ≠ PA, u and c -1 are different from each other), PA is not disclosed and kept as a secret by No. 1 device, and the others remain unchanged.
在以上各实施例1-12中,若在计算过程中不检查w与g^h是否相等,则计算得到S后,若检查发现S为零元,则m个装置重新进行协同计算,直到S不为零元。In each of the above embodiments 1-12, if it is not checked whether w and g^h are equal during the calculation process, after the calculation of S, if the check finds that S is zero, then the m devices perform collaborative calculations again until S is not zero.
在以上实施例1-12中,m个装置计算得到w=gU^(r1r2…rm)的方法包括(不是全部可能的方式):In the above embodiments 1-12, the methods for m devices to calculate w=g U ^(r 1 r 2 ...r m ) include (not all possible ways):
第1号装置计算g1=gU^r1,将g1发送第2号装置;The No. 1 device calculates g 1 =g U ^r 1 , and sends g 1 to the No. 2 device;
第i号装置接收到gi-1后,i=2,…,m,计算gi=gi-1^ri;After the i-th device receives g i-1 , i=2,...,m, calculate g i =g i-1 ^r i ;
若i=m,则取w=gm,完成计算,否则,第i号装置将gi传送给第i+1号装置;If i=m, take w=g m to complete the calculation, otherwise, the i-th device transmits g i to the i+1-th device;
或者,or,
第m号装置计算gm=gU^rm,将gm发送第m-1号装置;The mth device calculates g m =g U ^r m , and sends g m to the m-1th device;
第i号装置接收gi+1到后,i=m-1,…,1,计算gi=gi+1^ri;After the i-th device receives g i+1 , i=m-1,...,1, calculate g i =g i+1 ^r i ;
若i=1,则取w=g1,完成计算,否则,第i号装置将gi传送给第i-1号装置。If i=1, take w=g 1 to complete the calculation; otherwise, the i-th device transmits g i to the i-1-th device.
对于以上实施例1-4,m个装置可以按前述计算得到For the above embodiments 1-4, the m devices can be calculated according to the foregoing
Q1=[(r2r3…rm)-1(a2a3…am)]PB,Q2=[(r3…rm)-1(a3…am)]PB,…,Qm-1=[(rm)-1am]PB,Q 1 =[(r 2 r 3 ...r m ) -1 (a 2 a 3 ...a m )]P B , Q 2 =[(r 3 ...r m ) -1 (a 3 ...a m )]P B , ..., Q m-1 = [(r m ) -1 a m ] P B ,
以及D1=[(a2a3…am)(c2c3…cm)-1]PB,D2=[(a3…am)(c3…cm)-1]PB,…,Dm-1=[am(cm)-1]PB的三个方案中的一个计算得到Q1,Q2,…,Qm-1,以及D1,D2,…,Dm-1。and D 1 =[(a 2 a 3 ...a m )(c 2 c 3 ...c m ) -1 ] P B , D 2 =[(a 3 ...a m )(c 3 ...c m ) -1 ] P B , ..., D m-1 = [a m (c m ) -1 ] One of the three schemes of P B calculates Q 1 , Q 2 , ..., Q m-1 , and D 1 , D 2 , ..., D m-1 .
对于以上实施例5-8,m个装置可以按前述计算得到For the above embodiments 5-8, the m devices can be calculated according to the foregoing
Q1=[(r2r3…rm)-1(a2a3…am)]PB,Q2=[(r3…rm)-1(a3…am)]PB,…,Qm-1=[(rm)-1am]PB,Q 1 =[(r 2 r 3 ...r m ) -1 (a 2 a 3 ...a m )]P B , Q 2 =[(r 3 ...r m ) -1 (a 3 ...a m )]P B , ..., Q m-1 = [(r m ) -1 a m ] P B ,
以及d1=((a2a3…am)(c2c3…cm)-1)mod n,d2=((a3…am)(c3…cm)-1)mod n,…,dm-1=(am(cm)-1)mod n的方法计算得到Q1,Q2,…,Qm-1,以及d1,d2,…,dm-1。and d 1 =((a 2 a 3 ...a m )(c 2 c 3 ...c m ) -1 ) mod n, d 2 =((a 3 ...a m )(c 3 ...c m ) -1 ) Mod n,...,d m-1 = ( am (c m ) -1 ) mod n method to calculate Q 1 , Q 2 ,..., Q m-1 , and d 1 , d 2 ,..., d m -1 .
对于以上实施例1-12,m个装置可以按前述计算得到For the above embodiments 1-12, the m devices can be calculated according to the foregoing
q1=((r2r3…rm)-1(a2a3…am))mod n,q2=((r3…rm)-1(a3…am))mod n,…,qm-1=((rm)-1am)mod nq 1 =((r 2 r 3 ...r m ) -1 (a 2 a 3 ...a m ))mod n, q 2 =((r 3 ...r m ) -1 (a 3 ...a m ))mod n, ..., q m-1 = ((r m ) -1 a m ) mod n
以及D1=[(a2a3…am)(c2c3…cm)-1]PB,D2=[(a3…am)(c3…cm)-1]PB,…,Dm-1=[am(cm)-1]PB的方法计算得到q1,q2,…,qm-1以及D1,D2,…,Dm-1。and D 1 =[(a 2 a 3 ...a m )(c 2 c 3 ...c m ) -1 ] P B , D 2 =[(a 3 ...a m )(c 3 ...c m ) -1 ] P B ,..., D m-1 = [a m (c m ) -1 ]P B method to calculate q 1 , q 2 ,..., q m-1 and D 1 , D 2 ,..., D m- 1 .
在以上实施例中,若m个装置分别有[1,n-1]区间内的整数秘密c1,c2,…,cm,则在初始化阶段的一种初始化方法如下:In the above embodiment, if m devices respectively have integer secrets c 1 , c 2 ,...,c m in the interval [1,n-1], then an initialization method in the initialization phase is as follows:
知道dA的装置,在[1,n-1]区间内随机选择m个整数作为c1,c2,…,cm,交由m个装置作为秘密保存;The device that knows d A randomly selects m integers in the interval [1,n-1] as c 1 , c 2 ,...,c m , and hand them over to m devices for secret storage;
计算PA=[c-1]dA,其中,c-1为c的模n乘法逆,c=(c1c2…cm)mod n为m个装置都没有保存的整数秘密;Calculate P A =[c -1 ]d A , where c -1 is the modulo n multiplicative inverse of c, and c=(c 1 c 2 ...c m ) mod n is an integer secret that is not kept by m devices;
计算PU=[u]dA,其中u是知道dA的装置在[1,n-1]区间内随机选择的整数;Calculate P U =[u]d A , where u is an integer randomly selected in the interval [1,n-1] by the device that knows d A ;
计算gU=g^u,其中^是幂运算(对^前面的元进行幂运算,^后面为幂运算的次数),g=e(P1,Ppub),P1为G1中的生成元,Ppub为主公钥(即Ppub=[s]P2,s为主私钥或主密钥,P2为G2中的生成元,参见SM9规范);Calculate g U =g ^ u, wherein ^ is an exponentiation (exponentiation is performed on the element in front of the ^, and the number of times of the exponentiation is behind the ^), g=e(P 1 , P pub ), and P 1 is in G 1 Generator, P pub is the main public key (that is, P pub =[s]P 2 , s is the main private key or master key, and P 2 is the generator in G 2 , see SM9 specification);
在群G1中任选一个用户私钥dA之外的非零元PB(固定选取,比如固定选PB=P1,或者主观任意选择,或者随机选择,比如,在[1,n-1]中随机选择一个整数b,计算PB=[b]P1或PB=[b]dA);Select a non-zero element P B other than the user private key d A in the group G 1 (fixed selection, such as fixed selection P B = P 1 , or subjective arbitrary selection, or random selection, for example, in [1,n -1] randomly select an integer b, calculate P B =[b]P 1 or P B =[b]d A );
之后,将PU、PB、PA、gU交给需要使用的装置,将c、u销毁。After that, hand over PU , P B , PA, and g U to the devices that need to be used, and destroy c, u .
在以上实施例中,若PB=PA,则在初始化阶段知道dA的装置选取PB=PA。In the above embodiments, if P B =PA, then the device knowing d A in the initialization stage selects P B = PA .
在以上实施例中,若PU=PB,则在初始化阶段知道dA的装置选取PU=PB。In the above embodiments, if PU =P B , then the device knowing d A in the initialization stage selects PU =P B .
在以上实施例中,若c1是取值为1或其他[1,n-1]中的整数的非秘密,则在初始化阶段c2,…,cm选取为[1,n-1]中随机选择的整数,并交由第2号,…,第m号装置保存。In the above embodiment, if c 1 is a non-secret value of 1 or other integers in [1,n-1], then in the initialization phase c 2 ,...,c m is selected as [1,n-1] An integer randomly selected from , and delivered to the No. 2, ..., m-th devices for storage.
在以上实施例中,若cm是取值为1或其他[1,n-1]中的整数的非秘密,则在初始化阶段c1,…,cm-1选取为[1,n-1]中随机选择的整数,并交由第1号,…,第m-1号装置保存。In the above embodiment, if c m is a non-secret value of 1 or other integers in [1,n-1], then in the initialization phase c 1 ,...,c m-1 is selected as [1,n- 1] randomly selected integers, and be saved by No. 1, ..., m-1 devices.
在以上实施例中,若出现取PB≠PA的情况,则在初始化阶段在[1,n-1]内随机选择一个非1的整数b,然后计算PB=[b]dA。In the above embodiments, if P B ≠ PA, a non-1 integer b is randomly selected within [1,n-1] at the initialization stage, and then P B =[b]d A is calculated .
在以上实施例中,若出现取PU≠PA(即u和c-1互异)的情况,则在初始化阶段在[1,n-1]内随机选择一个非c-1的整数u,然后计算PU=[u]dA。In the above embodiment, if there is a situation where P U ≠ P A (that is, u and c -1 are different), then in the initialization stage, an integer u other than c -1 is randomly selected in [1, n-1] , and then calculate P U =[u]d A .
依据本发明的借助中间参数的SM9数字签名协同生成方法可构建SM9数字签名协同生成系统,系统包括m个分别标号为第1号,第2号,…,到第m号的装置,m≥2;第i号装置保存有[1,n-1]区间内的整数秘密ci,i=1,…,m;当需要使用用户的SM9标识私钥dA针对消息M进行数字签名时,m个装置通过实施所述借助中间参数的SM9数字签名协同生成方法,包括实施前述实施例1-12,生成针对消息M的数字签名。According to the SM9 digital signature collaborative generation method with the help of intermediate parameters of the present invention, an SM9 digital signature collaborative generation system can be constructed. The system includes m devices respectively labeled No. 1, No. 2, ..., to No. m, m≥2 ;The i-th device saves the integer secret c i in the interval [1,n-1], i=1,...,m; when it is necessary to use the user's SM9 identification private key d A to digitally sign the message M, m A device generates a digital signature for a message M by implementing the SM9 digital signature collaborative generation method using intermediate parameters, including implementing the aforementioned embodiments 1-12.
其他未说明的具体技术实施,对于相关领域的技术人员而言是众所周知,不言自明的。Other unspecified specific technical implementations are well known and self-evident to those skilled in the relevant fields.
Claims (10)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2019105970581 | 2019-07-04 | ||
| CN201910597058 | 2019-07-04 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110299998A true CN110299998A (en) | 2019-10-01 |
| CN110299998B CN110299998B (en) | 2020-09-04 |
Family
ID=68032977
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910764309.0A Active CN110299998B (en) | 2019-07-04 | 2019-08-19 | SM9 digital signature collaborative generation method and system by means of intermediate parameters |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110299998B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110880977A (en) * | 2019-11-26 | 2020-03-13 | 武汉大学 | Safe and efficient SM9 ring signature generation and verification method |
| CN111064564A (en) * | 2019-12-31 | 2020-04-24 | 武汉理工大学 | SM9 signature private key generation and digital signature method, system and device |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20130073867A1 (en) * | 1999-01-11 | 2013-03-21 | Certicom Corp. | Method for strengthening the implementation of ecdsa against power analysis |
| CN106549770A (en) * | 2017-01-13 | 2017-03-29 | 武汉理工大学 | SM2 digital signature generation method and system |
| CN107528696A (en) * | 2017-09-27 | 2017-12-29 | 武汉理工大学 | The digital signature generation method and system of a kind of hiding private key secret |
| CN107819585A (en) * | 2017-11-17 | 2018-03-20 | 武汉理工大学 | SM9 digital signature cooperates with generation method and system |
| CN107968710A (en) * | 2017-11-27 | 2018-04-27 | 武汉理工大学 | SM9 digital signature separation interaction generation method and system |
| CN108667619A (en) * | 2018-05-10 | 2018-10-16 | 武汉大学 | A white-box implementation method and device for SM9 digital signature |
| CN109951292A (en) * | 2019-02-20 | 2019-06-28 | 武汉理工大学 | Simplified SM9 digital signature separation and interactive generation method and system |
| CN109962783A (en) * | 2019-03-20 | 2019-07-02 | 武汉理工大学 | Method and system for collaborative generation of SM9 digital signature based on progressive calculation |
-
2019
- 2019-08-19 CN CN201910764309.0A patent/CN110299998B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20130073867A1 (en) * | 1999-01-11 | 2013-03-21 | Certicom Corp. | Method for strengthening the implementation of ecdsa against power analysis |
| CN106549770A (en) * | 2017-01-13 | 2017-03-29 | 武汉理工大学 | SM2 digital signature generation method and system |
| CN107528696A (en) * | 2017-09-27 | 2017-12-29 | 武汉理工大学 | The digital signature generation method and system of a kind of hiding private key secret |
| CN107819585A (en) * | 2017-11-17 | 2018-03-20 | 武汉理工大学 | SM9 digital signature cooperates with generation method and system |
| CN107968710A (en) * | 2017-11-27 | 2018-04-27 | 武汉理工大学 | SM9 digital signature separation interaction generation method and system |
| CN108667619A (en) * | 2018-05-10 | 2018-10-16 | 武汉大学 | A white-box implementation method and device for SM9 digital signature |
| CN109951292A (en) * | 2019-02-20 | 2019-06-28 | 武汉理工大学 | Simplified SM9 digital signature separation and interactive generation method and system |
| CN109962783A (en) * | 2019-03-20 | 2019-07-02 | 武汉理工大学 | Method and system for collaborative generation of SM9 digital signature based on progressive calculation |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110880977A (en) * | 2019-11-26 | 2020-03-13 | 武汉大学 | Safe and efficient SM9 ring signature generation and verification method |
| CN110880977B (en) * | 2019-11-26 | 2021-04-27 | 武汉大学 | A Secure and Efficient Method for SM9 Ring Signature Generation and Verification |
| CN111064564A (en) * | 2019-12-31 | 2020-04-24 | 武汉理工大学 | SM9 signature private key generation and digital signature method, system and device |
| CN111064564B (en) * | 2019-12-31 | 2023-03-28 | 武汉理工大学 | SM9 signature private key generation and digital signature method, system and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110299998B (en) | 2020-09-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107819585B (en) | SM9 digital signature collaborative generation method and system | |
| CN106549770B (en) | SM2 digital signature generation method and system | |
| CN107968710B (en) | SM9 digital signature separation interaction generation method and system | |
| Desmedt | Some recent research aspects of threshold cryptography | |
| CN106850198B (en) | SM2 digital signature generation method and system based on multi-device collaboration | |
| US20110307698A1 (en) | Masking the output of random number generators in key generation protocols | |
| CN106603231B (en) | Based on the distributed SM2 digital signature generation method and system for going secretization | |
| CN106656512B (en) | Support the SM2 digital signature generation method and system of threshold cryptography | |
| CN106712942B (en) | SM2 digital signature generation method and system based on privacy sharing | |
| CA2830285C (en) | Keyed pv signatures | |
| CN110213057B (en) | SM9 digital signature collaborative generation method and system with product r parameter | |
| CN110519051B (en) | SM9 signature cooperative generation method and system of r parameter and secret double product | |
| CN110299998B (en) | SM9 digital signature collaborative generation method and system by means of intermediate parameters | |
| CN110380855B (en) | SM9 digital signature generation method and system supporting multi-party cooperative enhanced security | |
| CN110798313B (en) | Secret dynamic sharing-based collaborative generation method and system for number containing secret | |
| CN109962783B (en) | SM9 digital signature collaborative generation method and system based on progressive calculation | |
| CN110166235B (en) | SM9 digital signature collaborative generation method and system for enhancing security | |
| CN110266486B (en) | Simple method and system for generating SM9 digital signature based on product secret sharing | |
| EP2395698B1 (en) | Implicit certificate generation in the case of weak pseudo-random number generators | |
| CN110943842B (en) | Secure collaborative generation method and system for SM9 digital signature | |
| CN110166256B (en) | Multi-party collaborative generation method and system of SM9 digital signature with product r parameter | |
| CN110113165B (en) | SM2 digital signature collaborative generation method and system supporting mixed secret sharing | |
| CN110266472B (en) | SM9 digital signature collaborative generation method and system supporting mixed secret sharing | |
| Kelsey et al. | Coalition and threshold hash-based signatures | |
| Mittal et al. | McEliece and Blum-Goldwasser group rings based probabilistic cryptosystems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |