CN110299998B - SM9 digital signature collaborative generation method and system by means of intermediate parameters - Google Patents

Info

Publication number
CN110299998B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910764309.0A
Other languages
Chinese (zh)
Other versions
CN110299998A (en)
Inventor
龙毅宏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University of Technology WUT
Original Assignee
Wuhan University of Technology WUT

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Complex Calculations (AREA)

Abstract

An SM9 digital signature generation method: devices No. 1 to No. $m$ each hold an integer secret $c_i$ in $[1, n-1]$, where $n$ is the order of the SM9 groups, $i = 1, \ldots, m$, $m \geq 2$; $P_A = [(c_1 c_2 \cdots c_m)^{-1}]d_A$ and $P_U = [u]d_A$, where $d_A$ is the user's private key and $u$ is an integer secret in $[1, n-1]$; $P_B$ is a non-zero element of group $G_1$. When signing a message $M$, the following are calculated: $w = g_U^{r_1 r_2 \cdots r_m}$, $h = H_2(M \| w, n)$, $T = [r_1 r_2 \cdots r_m]P_U + [-F(z_1, \ldots, z_m)]P_B$ and $V = [F(z_1, \ldots, z_m)]P_B + [-h c_1 c_2 \cdots c_m]P_A$, where $F(z_1, z_2, \ldots, z_m)$ is congruent modulo $n$ to $z_1 a_2 a_3 \cdots a_m + z_2 a_3 \cdots a_m + \cdots + z_m$, and $S = T + V$; then $(h, S)$ is the digital signature of message $M$ under $d_A$.

Description

SM9 digital signature collaborative generation method and system by means of intermediate parameters
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a collaborative generation method and system of SM9 digital signatures by means of intermediate parameters.
Background
SM9 is an identity-based cryptographic algorithm issued by the national cryptography authority and based on bilinear mapping (pairing operation), where the bilinear mapping (pairing operation) is:
$e: G_1 \times G_2 \to G_T$, where $G_1$, $G_2$ are additive cyclic groups, $G_T$ is a multiplicative cyclic group, and the order of $G_1$, $G_2$, $G_T$ is a prime number $n$ (note: in the SM9 specification the order of $G_1$, $G_2$, $G_T$ is denoted by the capital letter $N$, whereas the present application uses the lowercase $n$); i.e., if $P$, $Q$, $R$ are elements of $G_1$, $G_2$ respectively, then $e(P, Q)$ is an element of $G_T$, and:
$e(P+R, Q) = e(P, Q)\,e(R, Q)$,
$e(P, Q+R) = e(P, Q)\,e(P, R)$,
$e(aP, bQ) = e(P, Q)^{ab}$.
The SM9-based cryptographic algorithms can realize identity-based digital signature, key exchange and data encryption. In the SM9 cryptographic algorithm, the process of generating a digital signature for a message $M$ using the user's SM9 private key $d_A$ is as follows:
First, $w = g^r$ is calculated, where the symbol ^ represents the power operation (the $r$-th power of $g$), $r$ is an integer randomly selected within the interval $[1, n-1]$, $n$ is the order of the groups $G_1$, $G_2$, $G_T$ of the SM9 cryptographic algorithm, $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e., $P_{pub} = [s]P_2$, where $s$ is the master private key or master key and $P_2$ is the generator of $G_2$; see the SM9 specification; note that the symbols used here for the master private key or master key, the master public key and the user identity private key differ slightly from those in the SM9 specification);
then, $h = H_2(M \| w, n)$ is calculated, where $H_2$ is the hash function specified in SM9, $M \| w$ represents the concatenation of the strings of $M$ and $w$, and $n$ is the order of $G_1$, $G_2$, $G_T$ (see the SM9 specification);
if $r \neq h$, $S = [r-h]d_A$ is calculated, and $(h, S)$ is the generated digital signature; if $r = h$, $r$ is reselected and $w$ and $h$ are recalculated until $r \neq h$.
For special requirements, for example to ensure the security of the use of the user's private key in a non-hardware environment, some methods for generating the SM9 digital signature based on secret sharing have been proposed. In these methods, a plurality of devices each hold a secret share of the user's SM9 private key, or each hold a secret share of a secret related to the private key; when a digital signature needs to be generated for a message $M$ using the user's private key, each device uses its own secret share to interact and cooperate with the other devices, and the digital signature for the message is generated.
Existing secret-sharing-based SM9 digital signature collaborative generation schemes usually calculate $w = g^{a_1 r_1 + \cdots + a_m r_m}$ during the cryptographic operation, where $r_i$ is an integer randomly selected in $[1, n-1]$ by the $i$-th device and $a_i$ is a constant, $i = 1, \ldots, m$ (assuming $m$ devices); then $h = H_2(M \| w, n)$ is calculated, and finally the $m$ devices obtain $S = [(a_1 r_1 + \cdots + a_m r_m) - h]d_A$ through cooperative calculation. This solution is generally unproblematic. However, a situation may occur in which $(a_1 r_1 + \cdots + a_m r_m) \bmod n = 0$ happens to hold and this is observed by exactly one of the devices (e.g., by checking whether $w$ is the identity element) but not reported; that device may then be able to derive the user's SM9 private key from the resulting digital signature $(h, S)$. The probability of this occurring is extremely small, but it can still occur, particularly given that truly random selection of the $r_i$ is difficult to achieve.
If a secret-sharing-based digital signature collaborative generation scheme can instead use $w = g^{a r_1 \cdots r_m}$, $S = [(a r_1 \cdots r_m) - h]d_A$, i.e., $r_1, \ldots, r_m$ and a constant $a$ appear in the form of a product, then the case $(a r_1 \cdots r_m) \bmod n = 0$ does not arise, and such a scheme has higher security. Here, the case where $r_1, \ldots, r_m$ and the constant $a$ appear in the form of a product is referred to as the case of the product r parameter, and an SM9 digital signature collaborative generation method in which $r_1, \ldots, r_m$ and the constant $a$ appear in the form of a product during the generation of the digital signature is referred to as an SM9 digital signature collaborative generation method with a product r parameter.
Disclosure of Invention
The invention aims to provide an SM9 digital signature generation technical scheme with product r parameter enhanced safety so as to enhance the safety of a secret sharing-based SM9 digital signature cooperative generation technical scheme.
Aiming at the purpose of the invention, the technical scheme provided by the invention comprises a collaborative generation method of SM9 digital signature by means of intermediate parameters and a corresponding system.
In the following description of the present invention, if $P$, $Q$ are elements of the additive groups $G_1$, $G_2$, then $P + Q$ represents the addition of $P$ and $Q$ in the additive group, $P - Q$ represents $P$ plus the inverse (additive inverse) of $Q$, and $[k]P$ represents the addition of $k$ copies of $P$ in the additive group, i.e., $P + P + \cdots + P$ ($k$ copies of $P$ in total) (if $k$ is a negative number, it is the additive inverse of the result of adding $|k|$ copies of $P$; the use of the $[\,]$ symbol here is consistent with the SM9 specification);
an ellipsis "…" represents a plurality of identical (types of) data items or a plurality of identical operations;
if $a$, $b$ are elements of the multiplicative group $G_T$, then $ab$ or $a \cdot b$ represents the multiplication of $a$ and $b$ in the multiplicative group $G_T$ ("$\cdot$" may be omitted as long as no ambiguity results), $a^{-1}$ represents the inverse (multiplicative inverse) of $a$ in the multiplicative group, and $a^t$ represents the multiplication of $t$ copies of $a$ in the multiplicative group $G_T$ (if $t$ is a negative number, it is the inverse of the result of multiplying $|t|$ copies of $a$), i.e., exponentiation; another way of writing $a^t$ is a^t;
if $c$ is an integer, then $c^{-1}$ represents the modulo-$n$ multiplicative inverse of the integer $c$ (i.e., $c c^{-1} \bmod n = 1$); unless otherwise specified, the multiplicative inverse of an integer in this patent is the modulo-$n$ multiplicative inverse with respect to the order $n$ of the groups $G_1$, $G_2$, $G_T$;
in products of several integers (including products of integer symbols, and products of a constant and an integer symbol), the multiplication sign "$\cdot$" is omitted where no ambiguity results, e.g., $k_1 \cdot k_2$ is simplified to $k_1 k_2$ and $3 \cdot c$ is simplified to $3c$;
mod n denotes the modulo n operation (modulo operation), corresponding to modN in the SM9 specification; also, the operator mod n of the modulo n operation is of lowest priority, e.g., a + b mod n equals (a + b) mod n, a-b mod n equals (a-b) mod n, ab mod n equals (ab) mod n.
The method for cooperatively generating the SM9 digital signature by means of the intermediate parameter provided by the invention is concretely as follows.
The method involves $m$ devices, numbered No. 1, No. 2, …, up to No. $m$, where $m \geq 2$;
device No. $i$ holds an integer secret $c_i$ within the interval $[1, n-1]$, $i = 1, \ldots, m$, where $n$ is the order (a prime number) of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm;
(in the initialization phase) the following are pre-calculated:
$P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$, and $c = (c_1 c_2 \cdots c_m) \bmod n$ is an integer secret that is not held by any of the $m$ devices;
$P_U = [u]d_A$, where $u$ is an integer secret within the interval $[1, n-1]$ that is not held by any of the $m$ devices;
$u$ and $c^{-1}$ need not be different (they may be different or the same);
$g_U = g^u$, where ^ is exponentiation (the element before ^ is raised to the power given by the number after it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e., $P_{pub} = [s]P_2$, where $s$ is the master private key or master key and $P_2$ is the generator of $G_2$; see the SM9 specification);
in group $G_1$, a non-zero element $P_B$ other than the user private key $d_A$ is chosen (by fixed selection, e.g., $P_B = P_1$, or chosen arbitrarily, or chosen randomly, e.g., by randomly selecting an integer $b$ in $[1, n-1]$ and calculating $P_B = [b]P_1$ or $P_B = [b]d_A$);
none of the $m$ devices stores $d_A$.
When it is desired to use the user's SM9 identity private key $d_A$ to digitally sign a message $M$, the $m$ devices generate the digital signature as follows (the party that needs to use the user's SM9 identity private key $d_A$ to digitally sign the message $M$ may be a cryptographic application, system or cryptographic module that invokes the $m$ devices, or a cryptographic application or system in one of the $m$ devices):
first, the $m$ devices obtain $w = g_U^{r_1 r_2 \cdots r_m}$ through interactive calculation, where $r_i$ is an integer randomly selected within the interval $[1, n-1]$ by device No. $i$ during the calculation, $i = 1, \ldots, m$;
then, $h = H_2(M \| w, n)$ is calculated (by one of the $m$ devices or by another device), where $H_2$ is the hash function specified in SM9, $M \| w$ represents the concatenation of the strings of $M$ and $w$, and $n$ is the order of $G_1$, $G_2$, $G_T$;
($h$ is not secret and is transferred freely as required)
whether $w$ is equal to $g^h$ is checked (by one of the $m$ devices or by another device); if $w = g^h$, the $m$ devices perform the calculation of $w$ again, until $w \neq g^h$;
then, the $m$ devices cooperatively calculate $T = [r_1 r_2 \cdots r_m]P_U + [-F(z_1, z_2, \ldots, z_m)]P_B$ and $V = [F(z_1, z_2, \ldots, z_m)]P_B + [-c_1 c_2 \cdots c_m h]P_A$, where $r_1, r_2, \ldots, r_m$ are the integers selected in $[1, n-1]$ by devices No. 1, No. 2, …, No. $m$ respectively in the process of calculating $w$, $z_1, z_2, \ldots, z_m$ are integers randomly selected in $[1, n-1]$ by devices No. 1, No. 2, …, No. $m$ respectively in the process of calculating $T$, $V$, and $F(z_1, z_2, \ldots, z_m)$ is the following calculation formula in $z_1, z_2, \ldots, z_m$:
$F(z_1, z_2, \ldots, z_m) \equiv z_1 a_2 a_3 \cdots a_m + z_2 a_3 \cdots a_m + \cdots + z_{m-1} a_m + z_m \pmod{n}$ (congruent modulo $n$);
where $a_i$ is an integer selected in $[1, n-1]$ by device No. $i$ in the process of calculating $T$, $V$, $i = 2, \ldots, m$;
finally, $S = T + V$ is calculated (by one of the $m$ devices or by another device), and $(h, S)$ is the digital signature for message $M$.
(Here $S = [r_1 r_2 \cdots r_m]P_U + [-c_1 c_2 \cdots c_m h]P_A = [(r_1 r_2 \cdots r_m)u - h]d_A$.)
For the above SM9 digital signature collaborative generation method by means of intermediate parameters, if whether $w$ is equal to $g^h$ is not checked in the above calculation process, then after $S$ is obtained by calculation, if (the device calculating $S = T + V$) finds on checking that $S$ is the zero element, the $m$ devices perform the collaborative calculation again, until $S$ is not the zero element.
For the above-described SM9 digital signature collaborative generation method by means of intermediate parameters, the methods by which the $m$ devices calculate $w = g_U^{r_1 r_2 \cdots r_m}$ include the following (these are not all possible ways):
device No. 1 calculates $g_1 = g_U^{r_1}$ and sends $g_1$ to device No. 2;
after device No. $i$ receives $g_{i-1}$, $i = 2, \ldots, m$, it calculates $g_i = g_{i-1}^{r_i}$;
if $i = m$, then $w = g_m$ and the calculation is finished; otherwise, device No. $i$ sends $g_i$ to device No. $i+1$;
alternatively,
device No. $m$ calculates $g_m = g_U^{r_m}$ and sends $g_m$ to device No. $m-1$;
after device No. $i$ receives $g_{i+1}$, $i = m-1, \ldots, 1$, it calculates $g_i = g_{i+1}^{r_i}$;
if $i = 1$, then $w = g_1$ and the calculation is finished; otherwise, device No. $i$ sends $g_i$ to device No. $i-1$.
For the above-described SM9 digital signature collaborative generation method by means of intermediate parameters, one method by which the $m$ devices collaboratively calculate $T = [r_1 r_2 \cdots r_m]P_U + [-F(z_1, z_2, \ldots, z_m)]P_B$ and $V = [F(z_1, z_2, \ldots, z_m)]P_B + [-c_1 c_2 \cdots c_m h]P_A$ (T, V collaborative computing method one) is as follows:
calculate $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)]P_B$, $Q_2 = [(r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)]P_B$, …, $Q_{m-1} = [(r_m)^{-1} a_m]P_B$, and take $Q_m = P_B$;
calculate $D_1 = [(a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}]P_B$, $D_2 = [(a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}]P_B$, …, $D_{m-1} = [a_m (c_m)^{-1}]P_B$, and take $D_m = P_B$;
where $a_i$ is an integer selected in $[1, n-1]$ by device No. $i$ during the calculation, $i = 2, \ldots, m$;
take $T_0 = P_U$, $V_0 = [-h]P_A$;
device No. 1 randomly selects an integer $z_1$ in $[1, n-1]$, calculates $T_1 = [r_1]T_0 + [-z_1]Q_1$, $V_1 = [z_1]D_1 + [c_1]V_0$, and sends $T_1$, $V_1$ to device No. 2;
after device No. $i$ receives $T_{i-1}$, $V_{i-1}$, $i = 2, \ldots, m$, if it finds on checking that $T_{i-1}$ is the zero element, it reports an error; otherwise, it randomly selects an integer $z_i$ in $[1, n-1]$, or takes $z_i = a_i$, and calculates $T_i = [r_i]T_{i-1} + [-z_i]Q_i$, $V_i = [z_i]D_i + [c_i]V_{i-1}$;
if $i = m$, then $T = T_m$, $V = V_m$ and the calculation of $T$, $V$ is complete; otherwise, device No. $i$ sends $T_i$, $V_i$ to device No. $i+1$, until the calculation of $T_m$, $V_m$ is complete;
(at this point $T = [r_1 r_2 \cdots r_m]P_U + [-z_1 a_2 a_3 \cdots a_m - z_2 a_3 \cdots a_m - \cdots - z_{m-1} a_m - z_m]P_B$,
$V = [z_1 a_2 a_3 \cdots a_m + z_2 a_3 \cdots a_m + \cdots + z_{m-1} a_m + z_m]P_B + [-(c_1 c_2 \cdots c_m)h]P_A$)
If $S = T + V$ is calculated by device No. $m$ after the calculation of $T$, $V$ is complete, then $z_m$ is allowed to be 0 or a constant in $[1, n-1]$ (of course, a random integer in $[1, n-1]$ is not a problem either);
if $P_A$ is not public and is held as a secret by device No. 1 (of course, if $P_U = P_A$, then $P_U$ is also not public and is also held as a secret by device No. 1), and $P_B \neq P_A$, then when $c_1$ is not secret (its value being 1 or another integer in $[1, n-1]$), the above method of calculating $T$, $V$ and the SM9 digital signature collaborative generation method by means of intermediate parameters still hold.
For the above-mentioned SM9 digital signature collaborative generation method by means of intermediate parameters, if $P_B = P_A$, then one method by which the $m$ devices collaboratively calculate $T = [r_1 r_2 \cdots r_m]P_U + [-F(z_1, z_2, \ldots, z_m)]P_B$ and $V = [F(z_1, z_2, \ldots, z_m)]P_B + [-c_1 c_2 \cdots c_m h]P_A$ (T, V collaborative computing method two) is as follows:
calculate $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)]P_B$, $Q_2 = [(r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)]P_B$, …, $Q_{m-1} = [(r_m)^{-1} a_m]P_B$, and take $Q_m = P_B$;
calculate $d_1 = ((a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}) \bmod n$, $d_2 = ((a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}) \bmod n$, …, $d_{m-1} = (a_m (c_m)^{-1}) \bmod n$, and take $d_m = 1$;
where $a_i$ is an integer selected in $[1, n-1]$ by device No. $i$ during the calculation, $i = 2, \ldots, m$;
take $T_0 = P_U$, $v_0 = -h$;
device No. 1 randomly selects an integer $z_1$ in $[1, n-1]$, calculates $T_1 = [r_1]T_0 + [-z_1]Q_1$, $v_1 = (z_1 d_1 + c_1 v_0) \bmod n$, and sends $T_1$, $v_1$ to device No. 2;
after device No. $i$ receives $T_{i-1}$, $v_{i-1}$, $i = 2, \ldots, m$, if it finds on checking that $T_{i-1}$ is the zero element, it reports an error; otherwise, it randomly selects an integer $z_i$ in $[1, n-1]$ and calculates $T_i = [r_i]T_{i-1} + [-z_i]Q_i$, $v_i = (z_i d_i + c_i v_{i-1}) \bmod n$;
if $i = m$, then $T = T_m$ is taken and $V = [v_m]P_A$ is calculated (by one of the $m$ devices or by another device), and the calculation of $T$, $V$ is complete; otherwise, device No. $i$ sends $T_i$, $v_i$ to device No. $i+1$, until the calculation of $T_m$, $v_m$ is complete;
(at this point $T = [r_1 r_2 \cdots r_m]P_U + [-z_1 a_2 a_3 \cdots a_m - z_2 a_3 \cdots a_m - \cdots - z_{m-1} a_m - z_m]P_B$,
$V = [z_1 a_2 a_3 \cdots a_m + z_2 a_3 \cdots a_m + \cdots + z_{m-1} a_m + z_m]P_B + [-(c_1 c_2 \cdots c_m)h]P_A$)
If $V = [v_m]P_A$ is calculated by device No. $m$, and after the calculation of $T$, $V$ is complete $S = T + V$ is calculated by device No. $m$, then $z_m$ is allowed to be 0 or a constant in $[1, n-1]$ (of course, a random integer in $[1, n-1]$ is not a problem either);
if $P_A$ is not public and is held as a secret by device No. $m$ (of course $P_B$ is then also not public), $P_U \neq P_A$ (i.e., $u$ and $c^{-1}$ are different from each other), and $V = [v_m]P_A$ is calculated by device No. $m$, then when $c_m$ is not secret (its value being 1 or another integer in $[1, n-1]$), the above method of calculating $T$, $V$ and the SM9 digital signature collaborative generation method by means of intermediate parameters still hold.
For the above-mentioned SM9 digital signature collaborative generation method by means of intermediate parameters, if $P_B = P_U$, then one method by which the $m$ devices collaboratively calculate $T = [r_1 r_2 \cdots r_m]P_U + [-F(z_1, z_2, \ldots, z_m)]P_B$ and $V = [F(z_1, z_2, \ldots, z_m)]P_B + [-c_1 c_2 \cdots c_m h]P_A$ (T, V collaborative computing method three) is as follows:
calculate $q_1 = ((r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)) \bmod n$, $q_2 = ((r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)) \bmod n$, …, $q_{m-1} = ((r_m)^{-1} a_m) \bmod n$, and take $q_m = 1$;
calculate $D_1 = [(a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}]P_B$, $D_2 = [(a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}]P_B$, …, $D_{m-1} = [a_m (c_m)^{-1}]P_B$, and take $D_m = P_B$;
where $a_i$ is an integer selected in $[1, n-1]$ by device No. $i$ during the calculation, $i = 2, \ldots, m$;
take $t_0 = 1$, $V_0 = [-h]P_A$;
device No. 1 randomly selects an integer $z_1$ in $[1, n-1]$, calculates $t_1 = (r_1 t_0 - z_1 q_1) \bmod n$, $V_1 = [z_1]D_1 + [c_1]V_0$, and sends $t_1$, $V_1$ to device No. 2;
after device No. $i$ receives $t_{i-1}$, $V_{i-1}$, $i = 2, \ldots, m$, if it finds on checking that $t_{i-1}$ is 0, it reports an error; otherwise, it randomly selects an integer $z_i$ in $[1, n-1]$ and calculates $t_i = (r_i t_{i-1} - z_i q_i) \bmod n$, $V_i = [z_i]D_i + [c_i]V_{i-1}$;
if $i = m$, then $T = [t_m]P_B$ is calculated (by one of the $m$ devices or by another device), $V = V_m$ is taken, and the calculation of $T$, $V$ is complete; otherwise, device No. $i$ sends $t_i$, $V_i$ to device No. $i+1$, until the calculation of $t_m$, $V_m$ is complete;
(at this point $T = [r_1 r_2 \cdots r_m]P_U + [-z_1 a_2 a_3 \cdots a_m - z_2 a_3 \cdots a_m - \cdots - z_{m-1} a_m - z_m]P_B$,
$V = [z_1 a_2 a_3 \cdots a_m + z_2 a_3 \cdots a_m + \cdots + z_{m-1} a_m + z_m]P_B + [-(c_1 c_2 \cdots c_m)h]P_A$)
If $T = [t_m]P_B$ is calculated by device No. $m$, and $S = T + V$ is calculated by device No. $m$ after the calculation of $T$, $V$ is complete, then $z_m$ is allowed to be 0 or a constant in $[1, n-1]$ (of course, a random integer in $[1, n-1]$ is not a problem either);
if $P_A$ is not public and is held as a secret by device No. 1, and $P_B \neq P_A$ (i.e., $P_U \neq P_A$, $u$ and $c^{-1}$ are different from each other), then when $c_1$ is not secret (its value being 1 or another integer in $[1, n-1]$), the above method of calculating $T$, $V$ and the SM9 digital signature collaborative generation method by means of intermediate parameters still hold.
For the SM9 digital signature collaborative generation method by means of intermediate parameters, the methods of calculating $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)]P_B$, $Q_2 = [(r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)]P_B$, …, $Q_{m-1} = [(r_m)^{-1} a_m]P_B$
and $D_1 = [(a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}]P_B$, $D_2 = [(a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}]P_B$, …, $D_{m-1} = [a_m (c_m)^{-1}]P_B$ include the following (these are not all possible ways):
Scheme one:
device No. $m$ takes $Q_m = P_B$, $D_m = P_B$, randomly selects an integer $a_m$ in $[1, n-1]$, calculates $Q_{m-1} = [(r_m)^{-1} a_m]Q_m$, $D_{m-1} = [a_m (c_m)^{-1}]D_m$, and sends $Q_{m-1}$, $D_{m-1}$ to device No. $m-1$;
after device No. $i$ receives $Q_i$, $D_i$, $i = m-1, \ldots, 1$: if $i = 1$, device No. 1 temporarily retains $Q_1$, $D_1$, and the calculation of $Q_1, Q_2, \ldots, Q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$ is complete; otherwise, device No. $i$ randomly selects an integer $a_i$ in $[1, n-1]$, calculates $Q_{i-1} = [(r_i)^{-1} a_i]Q_i$, $D_{i-1} = [a_i (c_i)^{-1}]D_i$, temporarily retains $Q_i$, $D_i$, and sends $Q_{i-1}$, $D_{i-1}$ to device No. $i-1$;
in the process of calculating $Q_1, Q_2, \ldots, Q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$, if device No. $i$ finds on checking that the received $Q_i$ or $D_i$ is the zero element, $i = m-1, \ldots, 1$, it reports an error;
Scheme two:
the $m$ devices calculate and store $Q_1, Q_2, \ldots, Q_{m-1}$ in the manner in which scheme one calculates $Q_1, Q_2, \ldots, Q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$;
device No. $m$ takes $d_m = 1$, randomly selects an integer $a_m$ in $[1, n-1]$, calculates $d_{m-1} = (a_m (c_m)^{-1} d_m) \bmod n$, and sends $d_{m-1}$ to device No. $m-1$;
after device No. $i$ receives $d_i$, $i = m-1, \ldots, 1$: if $i = 1$, device No. 1 calculates $D_1 = [d_1]P_B$, temporarily retains $D_1$, and the calculation of $D_1, D_2, \ldots, D_{m-1}$ is complete; otherwise, device No. $i$ calculates $D_i = [d_i]P_B$, randomly selects an integer $a_i$ in $[1, n-1]$, calculates $d_{i-1} = (a_i (c_i)^{-1} d_i) \bmod n$, temporarily retains $D_i$, and sends $d_{i-1}$ to device No. $i-1$;
in the process of calculating $Q_1, Q_2, \ldots, Q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$, if device No. $i$ finds on checking that the received $Q_i$ is the zero element or $d_i$ is 0, $i = m-1, \ldots, 1$, it reports an error;
Scheme three:
the $m$ devices calculate and store $D_1, D_2, \ldots, D_{m-1}$ in the manner in which scheme one calculates $Q_1, Q_2, \ldots, Q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$;
device No. $m$ takes $q_m = 1$, randomly selects an integer $a_m$ in $[1, n-1]$, calculates $q_{m-1} = ((r_m)^{-1} a_m q_m) \bmod n$, and sends $q_{m-1}$ to device No. $m-1$;
after device No. $i$ receives $q_i$, $i = m-1, \ldots, 1$: if $i = 1$, device No. 1 calculates $Q_1 = [q_1]P_B$, temporarily retains $Q_1$, and the calculation of $Q_1, Q_2, \ldots, Q_{m-1}$ is complete; otherwise, device No. $i$ calculates $Q_i = [q_i]P_B$, randomly selects an integer $a_i$ in $[1, n-1]$, calculates $q_{i-1} = ((r_i)^{-1} a_i q_i) \bmod n$, temporarily retains $Q_i$, and sends $q_{i-1}$ to device No. $i-1$;
in the process of calculating $q_1, q_2, \ldots, q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$, if device No. $i$ finds on checking that the received $q_i$ is 0 or $D_i$ is the zero element, $i = m-1, \ldots, 1$, it reports an error.
For the SM9 digital signature collaborative generation method by means of intermediate parameters, one method of calculating $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)]P_B$, $Q_2 = [(r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)]P_B$, …, $Q_{m-1} = [(r_m)^{-1} a_m]P_B$
and $d_1 = ((a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}) \bmod n$, $d_2 = ((a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}) \bmod n$, …, $d_{m-1} = (a_m (c_m)^{-1}) \bmod n$ is as follows:
device No. $m$ takes $Q_m = P_B$, $d_m = 1$, randomly selects an integer $a_m$ in $[1, n-1]$, calculates $Q_{m-1} = [(r_m)^{-1} a_m]Q_m$, $d_{m-1} = (a_m (c_m)^{-1} d_m) \bmod n$, and sends $Q_{m-1}$, $d_{m-1}$ to device No. $m-1$;
after device No. $i$ receives $Q_i$, $d_i$, $i = m-1, \ldots, 1$: if $i = 1$, device No. 1 temporarily retains $Q_1$, $d_1$, and the calculation of $Q_1, Q_2, \ldots, Q_{m-1}$ and $d_1, d_2, \ldots, d_{m-1}$ is complete; otherwise, device No. $i$ randomly selects an integer $a_i$ in $[1, n-1]$, calculates $Q_{i-1} = [(r_i)^{-1} a_i]Q_i$, $d_{i-1} = (a_i (c_i)^{-1} d_i) \bmod n$, temporarily retains $Q_i$, $d_i$, and sends $Q_{i-1}$, $d_{i-1}$ to device No. $i-1$;
in the process of calculating $Q_1, Q_2, \ldots, Q_{m-1}$ and $d_1, d_2, \ldots, d_{m-1}$, if device No. $i$ finds on checking that the received $Q_i$ is the zero element or $d_i$ is 0, $i = m-1, \ldots, 1$, it reports an error.
For the SM9 digital signature collaborative generation method by means of intermediate parameters, one method of calculating $q_1 = ((r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)) \bmod n$, $q_2 = ((r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)) \bmod n$, …, $q_{m-1} = ((r_m)^{-1} a_m) \bmod n$
and $D_1 = [(a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}]P_B$, $D_2 = [(a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}]P_B$, …, $D_{m-1} = [a_m (c_m)^{-1}]P_B$ is as follows:
device No. $m$ takes $q_m = 1$, $D_m = P_B$, randomly selects an integer $a_m$ in $[1, n-1]$, calculates $q_{m-1} = ((r_m)^{-1} a_m q_m) \bmod n$, $D_{m-1} = [a_m (c_m)^{-1}]D_m$, and sends $q_{m-1}$, $D_{m-1}$ to device No. $m-1$;
after device No. $i$ receives $q_i$, $D_i$, $i = m-1, \ldots, 1$: if $i = 1$, device No. 1 temporarily retains $q_1$, $D_1$, and the calculation of $q_1, q_2, \ldots, q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$ is complete; otherwise, device No. $i$ randomly selects an integer $a_i$ in $[1, n-1]$, calculates $q_{i-1} = ((r_i)^{-1} a_i q_i) \bmod n$, $D_{i-1} = [a_i (c_i)^{-1}]D_i$, temporarily retains $q_i$, $D_i$, and sends $q_{i-1}$, $D_{i-1}$ to device No. $i-1$;
in the process of calculating $q_1, q_2, \ldots, q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$, if device No. $i$ finds on checking that the received $q_i$ is 0 or $D_i$ is the zero element, $i = m-1, \ldots, 1$, it reports an error.
On the basis of the SM9 digital signature collaborative generation method by means of intermediate parameters, an SM9 digital signature collaborative generation system can be constructed. The system comprises $m$ devices, numbered No. 1, No. 2, …, No. $m$, where $m \geq 2$; device No. $i$ holds an integer secret $c_i$ within the interval $[1, n-1]$, $i = 1, \ldots, m$; when it is desired to use the user's SM9 identity private key $d_A$ to digitally sign a message $M$, the $m$ devices generate the digital signature of the message $M$ according to the SM9 digital signature collaborative generation method by means of intermediate parameters.
From the above description, it can be seen that, based on the method and system of the present invention, when the user identity private key $d_A$ needs to be used to digitally sign a message, multiple devices can generate the digital signature for the message collaboratively through interaction; by introducing the intermediate parameters $z_1, \ldots, z_m$ and $a_2, \ldots, a_m$ in the calculation process, the collaboratively generated digital signature has a product r parameter, so that the security is higher.
Detailed Description
The present invention will be further described with reference to the following examples. The following examples are merely illustrative of a few possible embodiments of the present invention and are not intended to represent all possible embodiments and are not intended to limit the present invention.
Example 1
This embodiment has two devices, numbered No. 1 and No. 2; device No. 1 holds an integer secret $c_1$ within the interval $[1, n-1]$ and device No. 2 holds an integer secret $c_2$ within the interval $[1, n-1]$, where $n$ is the order (a prime number) of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm;
(in the initialization phase) the following are pre-calculated:
$P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$, and $c = (c_1 c_2) \bmod n$ is an integer secret that neither device holds;
$P_U = [u]d_A$, where $u$ is an integer secret within the interval $[1, n-1]$ that neither device holds;
$u$ and $c^{-1}$ need not be different (they may be different or the same);
$g_U = g^u$, where ^ is exponentiation (the element before ^ is raised to the power given by the number after it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e., $P_{pub} = [s]P_2$, where $s$ is the master private key or master key and $P_2$ is the generator of $G_2$; see the SM9 specification);
in group $G_1$, a non-zero element $P_B$ other than the user private key $d_A$ is chosen (by fixed selection, e.g., $P_B = P_1$, or chosen arbitrarily, or chosen randomly, e.g., by randomly selecting an integer $b$ in $[1, n-1]$ and calculating $P_B = [b]P_1$ or $P_B = [b]d_A$);
neither device stores $d_A$.
When it is desired to use the user's SM9 identity private key $d_A$ to digitally sign a message $M$, the two devices obtain $w = g_U^{r_1 r_2}$ through interactive calculation, where $r_1$ is an integer randomly selected within the interval $[1, n-1]$ by device No. 1 during the calculation and $r_2$ is an integer randomly selected within the interval $[1, n-1]$ by device No. 2 during the calculation;
then, $h = H_2(M \| w, n)$ is calculated (by one of the two devices or by another device), where $H_2$ is the hash function specified in SM9, $M \| w$ represents the concatenation of the strings of $M$ and $w$, and $n$ is the order of $G_1$, $G_2$, $G_T$;
whether $w$ is equal to $g^h$ is checked (by one of the two devices or by another device); if $w = g^h$, the two devices perform the calculation of $w$ again, until $w \neq g^h$;
then, the two devices calculate, according to T, V collaborative computing method one,
$T = [r_1 r_2]P_U + [-F(z_1, z_2)]P_B$, $V = [F(z_1, z_2)]P_B + [-c_1 c_2 h]P_A$, namely:
calculate $Q_1 = [(r_2)^{-1} a_2]P_B$ and take $Q_2 = P_B$;
calculate $D_1 = [a_2 (c_2)^{-1}]P_B$ and take $D_2 = P_B$;
where $a_2$ is an integer randomly selected in $[1, n-1]$ by device No. 2 during the calculation;
take $T_0 = P_U$, $V_0 = [-h]P_A$;
device No. 1 randomly selects an integer $z_1$ in $[1, n-1]$, calculates $T_1 = [r_1]T_0 + [-z_1]Q_1$, $V_1 = [z_1]D_1 + [c_1]V_0$, and sends $T_1$, $V_1$ to device No. 2;
after device No. 2 receives $T_1$, $V_1$, if it finds on checking that $T_1$ is the zero element, it reports an error; otherwise, it randomly selects an integer $z_2$ in $[1, n-1]$, or takes $z_2 = a_2$, and calculates $T_2 = [r_2]T_1 + [-z_2]Q_2$, $V_2 = [z_2]D_2 + [c_2]V_1$;
take $T = T_2$, $V = V_2$;
(at this point $T = [r_1 r_2]P_U + [-z_1 a_2 - z_2]P_B$, $V = [z_1 a_2 + z_2]P_B + [-(c_1 c_2)h]P_A$)
Finally, $S = T + V$ is calculated (by one of the two devices or by another device), and $(h, S)$ is the digital signature for message $M$.
(Here $S = [r_1 r_2]P_U + [-c_1 c_2 h]P_A = [(r_1 r_2)u - h]d_A$.)
If $S = T + V$ is calculated by device No. 2 after the calculation of $T$, $V$, then in the calculation of $T$, $V$ the value $z_2$ is allowed to be 0 or a constant in $[1, n-1]$ (of course, a random integer in $[1, n-1]$ is not a problem either).
Example 2
Example 2 differs from Example 1 in that $c_1$ is non-secret and takes the value 1 or another integer in $[1, n-1]$ (another integer in $[1, n-1]$ chosen arbitrarily or randomly), $P_A$ is not public and is held as a secret by device No. 1 (of course, if $P_U = P_A$, then $P_U$ is also not public and is also held as a secret by device No. 1), and $P_B \neq P_A$; everything else is unchanged.
Example 3
This example has m devices, numbered 1, 2, …, m, with $m \ge 2$, where device No. $i$ holds an integer secret $c_i$ in the interval $[1, n-1]$, $i = 1, \ldots, m$, and $n$ is the order (a prime) of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm;
The following are pre-calculated (initialization phase):
$P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, and $c = (c_1 c_2 \cdots c_m) \bmod n$ is an integer secret that none of the m devices holds;
$P_U = [u]d_A$, where $u$ is an integer secret in the interval $[1, n-1]$ that none of the m devices holds;
$u$ and $c^{-1}$ need not be different (they may be different or the same);
$g_U = g^u$, where ^ denotes exponentiation (the element before ^ raised to the power that follows it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where $s$ is the master private key, or master key, and $P_2$ is the generator of $G_2$; see the SM9 specification);
a non-zero element $P_B$ other than the user private key $d_A$ is chosen in the group $G_1$ (a fixed choice, e.g. $P_B = P_1$, or an arbitrary or random choice, e.g. randomly select an integer $b$ in $[1, n-1]$ and calculate $P_B = [b]P_1$ or $P_B = [b]d_A$);
none of the m devices stores $d_A$.
When the user's SM9 identity private key $d_A$ is to be used to digitally sign a message $M$, the m devices first obtain $w = g_U^{(r_1 r_2 \cdots r_m)}$ through interactive calculation, where $r_i$ is an integer randomly selected in the interval $[1, n-1]$ by device No. $i$ during the calculation, $i = 1, \ldots, m$;
then, $h = H_2(M \| w, n)$ is calculated (by one of the m devices or by another device), where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of $M$ and $w$, and $n$ is the order of $G_1$, $G_2$, $G_T$;
it is checked (by one of the m devices or by another device) whether $w$ equals $g^h$; if $w = g^h$, the m devices recompute $w$ until $w \ne g^h$;
then, the m devices calculate, by T, V collaborative calculation method I,
$T = [r_1 r_2 \cdots r_m]P_U + [-F(z_1, z_2, \ldots, z_m)]P_B$,
$V = [F(z_1, z_2, \ldots, z_m)]P_B + [-c_1 c_2 \cdots c_m h]P_A$, namely:
$Q_1 = [(r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)]P_B$, $Q_2 = [(r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)]P_B$, …, $Q_{m-1} = [(r_m)^{-1} a_m]P_B$ are calculated, and $Q_m = P_B$ is taken;
$D_1 = [(a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}]P_B$, $D_2 = [(a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}]P_B$, …, $D_{m-1} = [a_m (c_m)^{-1}]P_B$ are calculated, and $D_m = P_B$ is taken;
where $a_i$ is an integer randomly selected in $[1, n-1]$ by device No. $i$ during the calculation, $i = 2, \ldots, m$;
take $T_0 = P_U$, $V_0 = [-h]P_A$;
device No. 1 randomly selects an integer $z_1$ in $[1, n-1]$, calculates $T_1 = [r_1]T_0 + [-z_1]Q_1$, $V_1 = [z_1]D_1 + [c_1]V_0$, and sends $T_1$, $V_1$ to device No. 2;
after receiving $T_{i-1}$, $V_{i-1}$, device No. $i$ ($i = 2, \ldots, m$) checks $T_{i-1}$ and reports an error if it is the zero element; otherwise it randomly selects an integer $z_i$ in $[1, n-1]$, or takes $z_i = a_i$, and calculates $T_i = [r_i]T_{i-1} + [-z_i]Q_i$, $V_i = [z_i]D_i + [c_i]V_{i-1}$;
if $i = m$, take $T = T_m$, $V = V_m$, and the T, V calculation is complete; otherwise device No. $i$ sends $T_i$, $V_i$ to device No. $i+1$, and so on until $T_m$, $V_m$ have been calculated;
(at this point $T = [r_1 r_2 \cdots r_m]P_U + [-z_1 a_2 a_3 \cdots a_m - z_2 a_3 \cdots a_m - \cdots - z_{m-1} a_m - z_m]P_B$,
$V = [z_1 a_2 a_3 \cdots a_m + z_2 a_3 \cdots a_m + \cdots + z_{m-1} a_m + z_m]P_B + [-(c_1 c_2 \cdots c_m)h]P_A$)
finally, $S = T + V$ is calculated (by one of the m devices or by another device); then $(h, S)$ is the digital signature for message $M$.
(here $S = [r_1 r_2 \cdots r_m]P_U + [-c_1 c_2 \cdots c_m h]P_A = [(r_1 r_2 \cdots r_m)u - h]d_A$)
If, after the T, V calculation is completed, $S = T + V$ is calculated by device No. m, then $z_m$ in the T, V calculation is allowed to be 0 or an integer constant in $[1, n-1]$ (a random integer is of course also fine).
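The m-device flow of Example 3 can be checked end to end with a small simulation; this is an added example, not code from the patent, and every function name in it is hypothetical. It assumes a toy model in which $G_1$ is the additive group of integers modulo a constructed prime (so $[k]P$ is $kP \bmod n$ and discrete logarithms are trivial, which makes it suitable only for checking the algebra), takes $h$ as a constructed stand-in for $H_2(M \| w, n)$, and derives $Q_i$, $D_i$ by the backward chain from device No. m down to device No. 1.

```python
import secrets

N = 2**127 - 1   # constructed toy prime; stands in for the SM9 group order n

def rand_scalar():
    """Random integer in [1, n-1]."""
    return secrets.randbelow(N - 1) + 1

def inv(x):
    return pow(x, -1, N)

def smul(k, P):
    """[k]P in the toy group (Z_n, +): a 'point' is an integer mod n."""
    return (k * P) % N

def prod(xs):
    out = 1
    for x in xs:
        out = out * x % N
    return out

def initialize(m, d_A):
    """Initialization by the party that knows d_A; lists are 1-indexed."""
    c = [None] + [rand_scalar() for _ in range(m)]
    u, b = rand_scalar(), rand_scalar()
    params = {"P_A": smul(inv(prod(c[1:])), d_A),
              "P_U": smul(u, d_A),
              "P_B": smul(b, d_A)}
    # The dealer destroys u; it is returned here only to audit the result.
    return c, params, u

def derive_Q_D(r, c, P_B):
    """Backward chain: device i picks a_i and passes Q_{i-1}, D_{i-1} down."""
    m = len(r) - 1
    a, Q, D = [None] * (m + 1), [None] * (m + 1), [None] * (m + 1)
    Q[m] = D[m] = P_B
    for i in range(m, 0, -1):
        if Q[i] == 0 or D[i] == 0:
            raise ValueError(f"device {i}: received a zero element")
        if i == 1:
            break                      # device 1 just keeps Q_1, D_1
        a[i] = rand_scalar()
        Q[i - 1] = smul(inv(r[i]) * a[i], Q[i])
        D[i - 1] = smul(a[i] * inv(c[i]), D[i])
    return a, Q, D

def device_step(i, T_prev, V_prev, r_i, c_i, z_i, Q_i, D_i):
    """Device i maps (T_{i-1}, V_{i-1}) to (T_i, V_i)."""
    if i >= 2 and T_prev == 0:
        raise ValueError(f"device {i}: received T is the zero element")
    T_i = (smul(r_i, T_prev) + smul(-z_i, Q_i)) % N
    V_i = (smul(z_i, D_i) + smul(c_i, V_prev)) % N
    return T_i, V_i

def F(z, a):
    """F(z_1..z_m) = z_1 a_2...a_m + z_2 a_3...a_m + ... + z_m (mod n)."""
    m = len(z) - 1
    return sum(z[i] * prod(a[i + 1:]) for i in range(1, m + 1)) % N

def cosign(r, c, params, h, z_m=None):
    """Forward pass 1 -> m; returns T, V, S and the a_i, z_i used."""
    m = len(r) - 1
    a, Q, D = derive_Q_D(r, c, params["P_B"])
    z = [None] + [rand_scalar() for _ in range(m)]
    if z_m is not None:
        z[m] = z_m       # 0 or a constant, when device m itself computes S
    T, V = params["P_U"], smul(-h, params["P_A"])      # T_0, V_0
    for i in range(1, m + 1):
        T, V = device_step(i, T, V, r[i], c[i], z[i], Q[i], D[i])
    return {"T": T, "V": V, "S": (T + V) % N, "a": a, "z": z}

def run_check(m=3, z_m=None):
    """Run one signing and compare against the closed forms in the text."""
    d_A = rand_scalar()                # constructed private-key stand-in
    c, params, u = initialize(m, d_A)
    r = [None] + [rand_scalar() for _ in range(m)]     # nonces used for w
    h = rand_scalar()                  # constructed stand-in for H2(M || w, n)
    out = cosign(r, c, params, h, z_m)
    R, C, f = prod(r[1:]), prod(c[1:]), F(out["z"], out["a"])
    out["T_ok"] = out["T"] == (R * params["P_U"] - f * params["P_B"]) % N
    out["V_ok"] = out["V"] == (f * params["P_B"] - C * h * params["P_A"]) % N
    out["S_ok"] = out["S"] == smul((R * u - h) % N, d_A)
    return out

if __name__ == "__main__":
    print(run_check(m=4))
```

The masking terms $[\pm F(z_1, \ldots, z_m)]P_B$ cancel in $S = T + V$, which is why the last device's $z_m$ can be 0 without changing $S$ when that device forms $S$ itself.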
Example 4
Example 4 differs from Example 3 in that $c_1$ is non-secret and takes the value 1 or another integer in $[1, n-1]$ (another integer in $[1, n-1]$ chosen arbitrarily or at random); $P_A$ is not public and is held as a secret by device No. 1 (and if $P_U = P_A$, then $P_U$ is likewise not public and is held as a secret by device No. 1); and $P_B \ne P_A$; everything else is unchanged.
Example 5
This example has two devices, numbered 1 and 2; device No. 1 holds an integer secret $c_1$ in the interval $[1, n-1]$ and device No. 2 holds an integer secret $c_2$ in the interval $[1, n-1]$, where $n$ is the order (a prime) of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm;
The following are pre-calculated (initialization phase):
$P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, and $c = (c_1 c_2) \bmod n$ is an integer secret that neither device holds;
$P_U = [u]d_A$, where $u$ is an integer secret in the interval $[1, n-1]$ that neither device holds;
$u$ and $c^{-1}$ need not be different (they may be different or the same);
$g_U = g^u$, where ^ denotes exponentiation (the element before ^ raised to the power that follows it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where $s$ is the master private key, or master key, and $P_2$ is the generator of $G_2$; see the SM9 specification);
take $P_B = P_A$;
neither device stores $d_A$.
When the user's SM9 identity private key $d_A$ is to be used to digitally sign a message $M$, the two devices obtain $w = g_U^{(r_1 r_2)}$ through interactive calculation, where $r_1$ is an integer randomly selected in the interval $[1, n-1]$ by device No. 1 during the calculation and $r_2$ is an integer randomly selected in the interval $[1, n-1]$ by device No. 2 during the calculation;
then, $h = H_2(M \| w, n)$ is calculated (by one of the two devices or by another device), where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of $M$ and $w$, and $n$ is the order of $G_1$, $G_2$, $G_T$;
it is checked (by one of the two devices or by another device) whether $w$ equals $g^h$; if $w = g^h$, the two devices recompute $w$ until $w \ne g^h$;
then, the two devices calculate, by T, V collaborative calculation method II,
$T = [r_1 r_2]P_U + [-F(z_1, z_2)]P_B$, $V = [F(z_1, z_2)]P_B + [-c_1 c_2 h]P_A$, namely:
$Q_1 = [(r_2)^{-1} a_2]P_B$ is calculated, and $Q_2 = P_B$ is taken;
$d_1 = (a_2 (c_2)^{-1}) \bmod n$ is calculated, and $d_2 = 1$ is taken;
where $a_2$ is an integer randomly selected in $[1, n-1]$ by device No. 2 during the calculation;
take $T_0 = P_U$, $v_0 = -h$;
device No. 1 randomly selects an integer $z_1$ in $[1, n-1]$, calculates $T_1 = [r_1]T_0 + [-z_1]Q_1$, $v_1 = (z_1 d_1 + c_1 v_0) \bmod n$, and sends $T_1$, $v_1$ to device No. 2;
after receiving $T_1$, $v_1$, device No. 2 checks $T_1$ and reports an error if it is the zero element; otherwise it randomly selects an integer $z_2$ in $[1, n-1]$ and calculates $T_2 = [r_2]T_1 + [-z_2]Q_2$, $v_2 = (z_2 d_2 + c_2 v_1) \bmod n$;
take $T = T_2$, and $V = [v_2]P_A$ is calculated (by one of the two devices or by another device), completing the T, V calculation;
(at this point $T = [r_1 r_2]P_U + [-z_1 a_2 - z_2]P_B$, $V = [z_1 a_2 + z_2]P_B + [-(c_1 c_2)h]P_A$)
finally, $S = T + V$ is calculated (by one of the two devices or by another device); then $(h, S)$ is the digital signature for message $M$.
(here $S = [r_1 r_2]P_U + [-c_1 c_2 h]P_A = [(r_1 r_2)u - h]d_A$)
If $V = [v_2]P_A$ is calculated by device No. 2 and, after the T, V calculation is completed, $S = T + V$ is calculated by device No. 2, then $z_2$ in the T, V calculation is allowed to be 0 or an integer constant in $[1, n-1]$ (a random integer in $[1, n-1]$ is of course also fine).
Example 6
Example 6 differs from Example 5 in that $c_2$ is non-secret and takes the value 1 or another integer in $[1, n-1]$ (another integer in $[1, n-1]$ chosen arbitrarily or at random); $P_U \ne P_A$ (i.e. $u$ and $c^{-1}$ are different); $P_A$ is not public and is held as a secret by device No. 2 (and $P_B$ is of course likewise not public); and $V = [v_2]P_A$ is calculated by device No. 2; everything else is unchanged.
Example 7
This example has m devices, numbered 1, 2, …, m, with $m \ge 2$, where device No. $i$ holds an integer secret $c_i$ in the interval $[1, n-1]$, $i = 1, \ldots, m$, and $n$ is the order (a prime) of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm;
The following are pre-calculated (initialization phase):
$P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, and $c = (c_1 c_2 \cdots c_m) \bmod n$ is an integer secret that none of the m devices holds;
$P_U = [u]d_A$, where $u$ is an integer secret in the interval $[1, n-1]$ that none of the m devices holds;
$u$ and $c^{-1}$ need not be different (they may be different or the same);
$g_U = g^u$, where ^ denotes exponentiation (the element before ^ raised to the power that follows it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where $s$ is the master private key, or master key, and $P_2$ is the generator of $G_2$; see the SM9 specification);
take $P_B = P_A$;
none of the m devices stores $d_A$.
When the user's SM9 identity private key $d_A$ is to be used to digitally sign a message $M$, the m devices first obtain $w = g_U^{(r_1 r_2 \cdots r_m)}$ through interactive calculation, where $r_i$ is an integer randomly selected in the interval $[1, n-1]$ by device No. $i$ during the calculation, $i = 1, \ldots, m$;
then, $h = H_2(M \| w, n)$ is calculated (by one of the m devices or by another device), where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of $M$ and $w$, and $n$ is the order of $G_1$, $G_2$, $G_T$;
it is checked (by one of the m devices or by another device) whether $w$ equals $g^h$; if $w = g^h$, the m devices recompute $w$ until $w \ne g^h$;
then, the m devices calculate, by T, V collaborative calculation method II,
$T = [r_1 r_2 \cdots r_m]P_U + [-F(z_1, z_2, \ldots, z_m)]P_B$,
$V = [F(z_1, z_2, \ldots, z_m)]P_B + [-c_1 c_2 \cdots c_m h]P_A$, namely:
$Q_1 = [(r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)]P_B$, $Q_2 = [(r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)]P_B$, …, $Q_{m-1} = [(r_m)^{-1} a_m]P_B$ are calculated, and $Q_m = P_B$ is taken;
$d_1 = ((a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}) \bmod n$, $d_2 = ((a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}) \bmod n$, …, $d_{m-1} = (a_m (c_m)^{-1}) \bmod n$ are calculated, and $d_m = 1$ is taken;
where $a_i$ is an integer randomly selected in $[1, n-1]$ by device No. $i$ during the calculation, $i = 2, \ldots, m$;
take $T_0 = P_U$, $v_0 = -h$;
device No. 1 randomly selects an integer $z_1$ in $[1, n-1]$, calculates $T_1 = [r_1]T_0 + [-z_1]Q_1$, $v_1 = (z_1 d_1 + c_1 v_0) \bmod n$, and sends $T_1$, $v_1$ to device No. 2;
after receiving $T_{i-1}$, $v_{i-1}$, device No. $i$ ($i = 2, \ldots, m$) checks $T_{i-1}$ and reports an error if it is the zero element; otherwise it randomly selects an integer $z_i$ in $[1, n-1]$ and calculates $T_i = [r_i]T_{i-1} + [-z_i]Q_i$, $v_i = (z_i d_i + c_i v_{i-1}) \bmod n$;
if $i = m$, take $T = T_m$, and $V = [v_m]P_A$ is calculated (by one of the m devices or by another device), completing the T, V calculation; otherwise device No. $i$ sends $T_i$, $v_i$ to device No. $i+1$, and so on until $T_m$, $v_m$ have been calculated;
(at this point $T = [r_1 r_2 \cdots r_m]P_U + [-z_1 a_2 a_3 \cdots a_m - z_2 a_3 \cdots a_m - \cdots - z_{m-1} a_m - z_m]P_B$,
$V = [z_1 a_2 a_3 \cdots a_m + z_2 a_3 \cdots a_m + \cdots + z_{m-1} a_m + z_m]P_B + [-(c_1 c_2 \cdots c_m)h]P_A$)
finally, $S = T + V$ is calculated (by one of the m devices or by another device); then $(h, S)$ is the digital signature for message $M$.
(here $S = [r_1 r_2 \cdots r_m]P_U + [-c_1 c_2 \cdots c_m h]P_A = [(r_1 r_2 \cdots r_m)u - h]d_A$)
If $V = [v_m]P_A$ is calculated by device No. m and, after the T, V calculation is completed, $S = T + V$ is calculated by device No. m, then $z_m$ in the T, V calculation is allowed to be 0 or an integer constant in $[1, n-1]$ (a random integer in $[1, n-1]$ is of course also fine).
Example 8
Example 8 differs from Example 7 in that $c_m$ is non-secret and takes the value 1 or another integer in $[1, n-1]$ (another integer in $[1, n-1]$ chosen arbitrarily or at random); $P_U \ne P_A$ (i.e. $u$ and $c^{-1}$ are different); $P_A$ is not public and is held as a secret by device No. m (and $P_B$ is of course likewise not public); and $V = [v_m]P_A$ is calculated by device No. m; everything else is unchanged.
Example 9
This example has two devices, numbered 1 and 2; device No. 1 holds an integer secret $c_1$ in the interval $[1, n-1]$ and device No. 2 holds an integer secret $c_2$ in the interval $[1, n-1]$, where $n$ is the order (a prime) of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm;
The following are pre-calculated (initialization phase):
$P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, and $c = (c_1 c_2) \bmod n$ is an integer secret that neither device holds;
$P_U = [u]d_A$, where $u$ is an integer secret in the interval $[1, n-1]$ that neither device holds;
$u$ and $c^{-1}$ need not be different (they may be different or the same);
$g_U = g^u$, where ^ denotes exponentiation (the element before ^ raised to the power that follows it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where $s$ is the master private key, or master key, and $P_2$ is the generator of $G_2$; see the SM9 specification);
take $P_B = P_U$;
neither device stores $d_A$.
When the user's SM9 identity private key $d_A$ is to be used to digitally sign a message $M$, the two devices obtain $w = g_U^{(r_1 r_2)}$ through interactive calculation, where $r_1$ is an integer randomly selected in the interval $[1, n-1]$ by device No. 1 during the calculation and $r_2$ is an integer randomly selected in the interval $[1, n-1]$ by device No. 2 during the calculation;
then, $h = H_2(M \| w, n)$ is calculated (by one of the two devices or by another device), where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of $M$ and $w$, and $n$ is the order of $G_1$, $G_2$, $G_T$;
it is checked (by one of the two devices or by another device) whether $w$ equals $g^h$; if $w = g^h$, the two devices recompute $w$ until $w \ne g^h$;
then, the two devices calculate, by the T, V collaborative calculation method,
$T = [r_1 r_2]P_U + [-F(z_1, z_2)]P_B$, $V = [F(z_1, z_2)]P_B + [-c_1 c_2 h]P_A$, namely:
$q_1 = ((r_2)^{-1} a_2) \bmod n$ is calculated, and $q_2 = 1$ is taken;
$D_1 = [a_2 (c_2)^{-1}]P_B$ is calculated, and $D_2 = P_B$ is taken;
where $a_2$ is an integer randomly selected in $[1, n-1]$ by device No. 2 during the calculation;
take $t_0 = 1$, $V_0 = [-h]P_A$;
device No. 1 randomly selects an integer $z_1$ in $[1, n-1]$, calculates $t_1 = (r_1 t_0 - z_1 q_1) \bmod n$, $V_1 = [z_1]D_1 + [c_1]V_0$, and sends $t_1$, $V_1$ to device No. 2;
after receiving $t_1$, $V_1$, device No. 2 checks $t_1$ and reports an error if it is 0; otherwise it randomly selects an integer $z_2$ in $[1, n-1]$ and calculates $t_2 = (r_2 t_1 - z_2 q_2) \bmod n$, $V_2 = [z_2]D_2 + [c_2]V_1$;
$T = [t_2]P_B$ is calculated (by one of the two devices or by another device), and $V = V_2$ is taken;
(at this point $T = [r_1 r_2]P_U + [-z_1 a_2 - z_2]P_B$, $V = [z_1 a_2 + z_2]P_B + [-(c_1 c_2)h]P_A$)
finally, $S = T + V$ is calculated (by one of the two devices or by another device); then $(h, S)$ is the digital signature for message $M$.
(here $S = [r_1 r_2]P_U + [-c_1 c_2 h]P_A = [(r_1 r_2)u - h]d_A$)
If $T = [t_2]P_B$ is calculated by device No. 2 and, after the T, V calculation is completed, $S = T + V$ is calculated by device No. 2, then $z_2$ in the T, V calculation is allowed to be 0 or an integer constant in $[1, n-1]$ (a random integer in $[1, n-1]$ is of course also fine).
Example 10
Example 10 differs from Example 9 in that $c_1$ is non-secret and takes the value 1 or another integer in $[1, n-1]$ (another integer in $[1, n-1]$ chosen arbitrarily or at random); $P_B \ne P_A$ (i.e. $P_U \ne P_A$, $u$ and $c^{-1}$ are different); $P_A$ is not public and is held as a secret by device No. 1; everything else is unchanged.
Example 11
This example has m devices, numbered 1, 2, …, m, with $m \ge 2$, where device No. $i$ holds an integer secret $c_i$ in the interval $[1, n-1]$, $i = 1, \ldots, m$, and $n$ is the order (a prime) of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm;
The following are pre-calculated (initialization phase):
$P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, and $c = (c_1 c_2 \cdots c_m) \bmod n$ is an integer secret that none of the m devices holds;
$P_U = [u]d_A$, where $u$ is an integer secret in the interval $[1, n-1]$ that none of the m devices holds;
$u$ and $c^{-1}$ need not be different (they may be different or the same);
$g_U = g^u$, where ^ denotes exponentiation (the element before ^ raised to the power that follows it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where $s$ is the master private key, or master key, and $P_2$ is the generator of $G_2$; see the SM9 specification);
take $P_B = P_U$;
none of the m devices stores $d_A$.
When the user's SM9 identity private key $d_A$ is to be used to digitally sign a message $M$, the m devices first obtain $w = g_U^{(r_1 r_2 \cdots r_m)}$ through interactive calculation, where $r_i$ is an integer randomly selected in the interval $[1, n-1]$ by device No. $i$ during the calculation, $i = 1, \ldots, m$;
then, $h = H_2(M \| w, n)$ is calculated (by one of the m devices or by another device), where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of $M$ and $w$, and $n$ is the order of $G_1$, $G_2$, $G_T$;
it is checked (by one of the m devices or by another device) whether $w$ equals $g^h$; if $w = g^h$, the m devices recompute $w$ until $w \ne g^h$;
then, the m devices calculate, by T, V collaborative calculation method III,
$T = [r_1 r_2 \cdots r_m]P_U + [-F(z_1, z_2, \ldots, z_m)]P_B$,
$V = [F(z_1, z_2, \ldots, z_m)]P_B + [-c_1 c_2 \cdots c_m h]P_A$, namely:
$q_1 = ((r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)) \bmod n$, $q_2 = ((r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)) \bmod n$, …, $q_{m-1} = ((r_m)^{-1} a_m) \bmod n$ are calculated, and $q_m = 1$ is taken;
$D_1 = [(a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}]P_B$, $D_2 = [(a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}]P_B$, …, $D_{m-1} = [a_m (c_m)^{-1}]P_B$ are calculated, and $D_m = P_B$ is taken;
where $a_i$ is an integer randomly selected in $[1, n-1]$ by device No. $i$ during the calculation, $i = 2, \ldots, m$;
take $t_0 = 1$, $V_0 = [-h]P_A$;
device No. 1 randomly selects an integer $z_1$ in $[1, n-1]$, calculates $t_1 = (r_1 t_0 - z_1 q_1) \bmod n$, $V_1 = [z_1]D_1 + [c_1]V_0$, and sends $t_1$, $V_1$ to device No. 2;
after receiving $t_{i-1}$, $V_{i-1}$, device No. $i$ ($i = 2, \ldots, m$) checks $t_{i-1}$ and reports an error if it is 0; otherwise it randomly selects an integer $z_i$ in $[1, n-1]$ and calculates $t_i = (r_i t_{i-1} - z_i q_i) \bmod n$, $V_i = [z_i]D_i + [c_i]V_{i-1}$;
if $i = m$, $T = [t_m]P_B$ is calculated (by one of the m devices or by another device) and $V = V_m$ is taken, completing the T, V calculation; otherwise device No. $i$ sends $t_i$, $V_i$ to device No. $i+1$, and so on until $t_m$, $V_m$ have been calculated;
(at this point $T = [r_1 r_2 \cdots r_m]P_U + [-z_1 a_2 a_3 \cdots a_m - z_2 a_3 \cdots a_m - \cdots - z_{m-1} a_m - z_m]P_B$,
$V = [z_1 a_2 a_3 \cdots a_m + z_2 a_3 \cdots a_m + \cdots + z_{m-1} a_m + z_m]P_B + [-(c_1 c_2 \cdots c_m)h]P_A$)
finally, $S = T + V$ is calculated (by one of the m devices or by another device); then $(h, S)$ is the digital signature for message $M$.
(here $S = [r_1 r_2 \cdots r_m]P_U + [-c_1 c_2 \cdots c_m h]P_A = [(r_1 r_2 \cdots r_m)u - h]d_A$)
If $T = [t_m]P_B$ is calculated by device No. m and, after the T, V calculation is completed, $S = T + V$ is calculated by device No. m, then $z_m$ in the T, V calculation is allowed to be 0 or an integer constant in $[1, n-1]$ (a random integer in $[1, n-1]$ is of course also fine).
Example 12
Example 12 differs from Example 11 in that $c_1$ is non-secret and takes the value 1 or another integer in $[1, n-1]$ (another integer in $[1, n-1]$ chosen arbitrarily or at random); $P_B \ne P_A$ (i.e. $P_U \ne P_A$, $u$ and $c^{-1}$ are different); $P_A$ is not public and is held as a secret by device No. 1; everything else is unchanged.
In each of Examples 1-12 above, if it is not checked during the calculation whether $w$ equals $g^h$, then after $S$ has been calculated, if $S$ is found on checking to be the zero element, the m devices perform the collaborative calculation again until $S$ is not the zero element.
In Examples 1-12 above, the ways in which the m devices calculate $w = g_U^{(r_1 r_2 \cdots r_m)}$ include the following (these are not all the possible ways):
device No. 1 calculates $g_1 = g_U^{r_1}$ and sends $g_1$ to device No. 2;
after receiving $g_{i-1}$, device No. $i$ ($i = 2, \ldots, m$) calculates $g_i = g_{i-1}^{r_i}$;
if $i = m$, take $w = g_m$ and the calculation is complete; otherwise device No. $i$ sends $g_i$ to device No. $i+1$;
or,
device No. m calculates $g_m = g_U^{r_m}$ and sends $g_m$ to device No. m-1;
after receiving $g_{i+1}$, device No. $i$ ($i = m-1, \ldots, 1$) calculates $g_i = g_{i+1}^{r_i}$;
if $i = 1$, take $w = g_1$ and the calculation is complete; otherwise device No. $i$ sends $g_i$ to device No. $i-1$.
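For Examples 1-4 above, the m devices calculate $Q_1, Q_2, \ldots, Q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$ using one of the three schemes described above for calculating
$Q_1 = [(r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)]P_B$, $Q_2 = [(r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)]P_B$, …, $Q_{m-1} = [(r_m)^{-1} a_m]P_B$
and $D_1 = [(a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}]P_B$, $D_2 = [(a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}]P_B$, …, $D_{m-1} = [a_m (c_m)^{-1}]P_B$.
For Examples 5-8 above, the m devices calculate $Q_1, Q_2, \ldots, Q_{m-1}$ and $d_1, d_2, \ldots, d_{m-1}$ using the method described above for calculating
$Q_1 = [(r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)]P_B$, $Q_2 = [(r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)]P_B$, …, $Q_{m-1} = [(r_m)^{-1} a_m]P_B$
and $d_1 = ((a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}) \bmod n$, $d_2 = ((a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}) \bmod n$, …, $d_{m-1} = (a_m (c_m)^{-1}) \bmod n$.
For Examples 1-12 above, the m devices calculate $q_1, q_2, \ldots, q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$ using the method described above for calculating
$q_1 = ((r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)) \bmod n$, $q_2 = ((r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)) \bmod n$, …, $q_{m-1} = ((r_m)^{-1} a_m) \bmod n$
and $D_1 = [(a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}]P_B$, $D_2 = [(a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}]P_B$, …, $D_{m-1} = [a_m (c_m)^{-1}]P_B$.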
In the above embodiments, if the m devices respectively hold integer secrets $c_1, c_2, \ldots, c_m$ in the interval $[1, n-1]$, one initialization method for the initialization phase is as follows:
a device that knows $d_A$ randomly selects m integers in the interval $[1, n-1]$ as $c_1, c_2, \ldots, c_m$ and delivers them to the m devices respectively for secret storage;
it calculates $P_A = [c^{-1}]d_A$, where $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$ and $c = (c_1 c_2 \cdots c_m) \bmod n$ is an integer secret that none of the m devices holds;
it calculates $P_U = [u]d_A$, where $u$ is an integer randomly selected in the interval $[1, n-1]$ by the device that knows $d_A$;
it calculates $g_U = g^u$, where ^ denotes exponentiation (the element before ^ raised to the power that follows it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where $s$ is the master private key, or master key, and $P_2$ is the generator of $G_2$; see the SM9 specification);
it chooses in the group $G_1$ a non-zero element $P_B$ other than the user private key $d_A$ (a fixed choice, e.g. $P_B = P_1$, or an arbitrary or random choice, e.g. randomly select an integer $b$ in $[1, n-1]$ and calculate $P_B = [b]P_1$ or $P_B = [b]d_A$);
then $P_U$, $P_B$, $P_A$, $g_U$ are handed to the devices that need to use them, and $c$ and $u$ are destroyed.
In the above embodiments, if $P_B = P_A$, the device that knows $d_A$ in the initialization phase selects $P_B = P_A$.
In the above embodiments, if $P_U = P_B$, the device that knows $d_A$ in the initialization phase selects $P_U = P_B$.
In the above embodiments, if $c_1$ takes the value 1 or another integer in $[1, n-1]$ and is non-secret, then in the initialization phase $c_2, \ldots, c_m$ are chosen as randomly selected integers in $[1, n-1]$ and delivered to devices No. 2, …, No. m for storage.
In the above embodiments, if $c_m$ takes the value 1 or another integer in $[1, n-1]$ and is non-secret, then in the initialization phase $c_1, \ldots, c_{m-1}$ are chosen as randomly selected integers in $[1, n-1]$ and delivered to devices No. 1, …, No. m-1 for storage.
In the above embodiments, where $P_B \ne P_A$ is taken, in the initialization phase an integer $b$ other than 1 is randomly selected in $[1, n-1]$ and $P_B = [b]d_A$ is calculated.
In the above embodiments, where $P_U \ne P_A$ is taken (i.e. $u$ and $c^{-1}$ are different), in the initialization phase an integer $u$ other than $c^{-1}$ is randomly selected in $[1, n-1]$ and then $P_U = [u]d_A$ is calculated.
According to the above SM9 digital signature collaborative generation method by means of intermediate parameters, an SM9 digital signature collaborative generation system can be constructed. The system comprises m devices, numbered 1, 2, …, m, with $m \ge 2$; device No. $i$ holds an integer secret $c_i$ in the interval $[1, n-1]$, $i = 1, \ldots, m$; when the user's SM9 identity private key $d_A$ is to be used to digitally sign a message $M$, the m devices generate the digital signature for $M$ by carrying out the SM9 digital signature collaborative generation method by means of intermediate parameters, including carrying out Examples 1 to 12 above.
Other specific technical implementations not described here are well known to those skilled in the relevant art and are self-evident.

Claims (10)

1. An SM9 digital signature collaborative generation method by means of intermediate parameters, characterized in that:
the method involves m devices, numbered 1, 2, …, m, where $m \ge 2$;
device No. $i$ holds an integer secret $c_i$ in the interval $[1, n-1]$, $i = 1, \ldots, m$, where $n$ is the order of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm;
the method comprises the following steps:
$P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, and $c = (c_1 c_2 \cdots c_m) \bmod n$ is an integer secret that none of the m devices holds;
$P_U = [u]d_A$, where $u$ is an integer secret in the interval $[1, n-1]$ that none of the m devices holds;
$u$ and $c^{-1}$ need not be different;
$g_U = g^u$, where ^ denotes exponentiation, $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key;
a non-zero element $P_B$ other than the user private key $d_A$ is chosen in the group $G_1$;
none of the m devices stores $d_A$;
when the user's SM9 identity private key $d_A$ is to be used to digitally sign a message $M$, the m devices generate the digital signature as follows:
first, the m devices obtain $w = g_U^{(r_1 r_2 \cdots r_m)}$ through interactive calculation, where $r_i$ is an integer randomly selected in the interval $[1, n-1]$ by device No. $i$ during the calculation, $i = 1, \ldots, m$;
then, $h = H_2(M \| w, n)$ is calculated, where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of $M$ and $w$, and $n$ is the order of $G_1$, $G_2$, $G_T$;
it is checked whether $w$ equals $g^h$; if $w = g^h$, the m devices recompute $w$ until $w \ne g^h$;
then, the m devices cooperatively calculate $T = [r_1 r_2 \cdots r_m]P_U + [-F(z_1, z_2, \ldots, z_m)]P_B$, $V = [F(z_1, z_2, \ldots, z_m)]P_B + [-c_1 c_2 \cdots c_m h]P_A$, where $r_1, r_2, \ldots, r_m$ are the integers in $[1, n-1]$ randomly selected by devices No. 1, No. 2, …, No. m respectively while calculating $w$, $z_1, z_2, \ldots, z_m$ are integers randomly selected in $[1, n-1]$ by devices No. 1, No. 2, …, No. m respectively during the calculation of T, V, and $F(z_1, z_2, \ldots, z_m)$ is the following expression in $z_1, z_2, \ldots, z_m$:
$F(z_1, z_2, \ldots, z_m) \equiv z_1 a_2 a_3 \cdots a_m + z_2 a_3 \cdots a_m + \cdots + z_{m-1} a_m + z_m \pmod{n}$;
where $a_i$ is an integer randomly selected in $[1, n-1]$ by device No. $i$ during the calculation of T, V, $i = 2, \ldots, m$;
finally, $S = T + V$ is calculated, and $(h, S)$ is the digital signature for message $M$.
2. The method of claim 1 for collaborative generation of an SM9 digital signature by means of intermediate parameters, wherein:
if it is not checked during the calculation whether $w$ equals $g^h$, then after $S$ has been calculated, if $S$ is found on checking to be the zero element, the m devices perform the collaborative calculation again until $S$ is not the zero element.
3. The method of claim 1 for collaborative generation of an SM9 digital signature by means of intermediate parameters, wherein:
the methods by which the m devices calculate $w = g_U^{(r_1 r_2 \cdots r_m)}$ include:
device No. 1 calculates $g_1 = g_U^{r_1}$ and sends $g_1$ to device No. 2;
after receiving $g_{i-1}$, device No. $i$ ($i = 2, \ldots, m$) calculates $g_i = g_{i-1}^{r_i}$;
if $i = m$, take $w = g_m$ and the calculation is complete; otherwise device No. $i$ sends $g_i$ to device No. $i+1$;
or,
device No. m calculates $g_m = g_U^{r_m}$ and sends $g_m$ to device No. m-1;
after receiving $g_{i+1}$, device No. $i$ ($i = m-1, \ldots, 1$) calculates $g_i = g_{i+1}^{r_i}$;
if $i = 1$, take $w = g_1$ and the calculation is complete; otherwise device No. $i$ sends $g_i$ to device No. $i-1$.
4. The method of claim 1 for collaborative generation of an SM9 digital signature by means of intermediate parameters, wherein:
one method by which the m devices cooperatively calculate $T = [r_1 r_2 \cdots r_m]P_U + [-F(z_1, z_2, \ldots, z_m)]P_B$, $V = [F(z_1, z_2, \ldots, z_m)]P_B + [-c_1 c_2 \cdots c_m h]P_A$ is as follows:
$Q_1 = [(r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)]P_B$, $Q_2 = [(r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)]P_B$, …, $Q_{m-1} = [(r_m)^{-1} a_m]P_B$ are calculated, and $Q_m = P_B$ is taken;
$D_1 = [(a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}]P_B$, $D_2 = [(a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}]P_B$, …, $D_{m-1} = [a_m (c_m)^{-1}]P_B$ are calculated, and $D_m = P_B$ is taken;
where $a_i$ is an integer randomly selected in $[1, n-1]$ by device No. $i$ during the calculation, $i = 2, \ldots, m$;
take $T_0 = P_U$, $V_0 = [-h]P_A$;
device No. 1 randomly selects an integer $z_1$ in $[1, n-1]$, calculates $T_1 = [r_1]T_0 + [-z_1]Q_1$, $V_1 = [z_1]D_1 + [c_1]V_0$, and sends $T_1$, $V_1$ to device No. 2;
after receiving $T_{i-1}$, $V_{i-1}$, device No. $i$ ($i = 2, \ldots, m$) checks $T_{i-1}$ and reports an error if it is the zero element; otherwise it randomly selects an integer $z_i$ in $[1, n-1]$, or takes $z_i = a_i$, and calculates $T_i = [r_i]T_{i-1} + [-z_i]Q_i$, $V_i = [z_i]D_i + [c_i]V_{i-1}$;
if $i = m$, take $T = T_m$, $V = V_m$, and the T, V calculation is complete; otherwise device No. $i$ sends $T_i$, $V_i$ to device No. $i+1$, and so on until $T_m$, $V_m$ have been calculated;
if $S = T + V$ is calculated by device No. m after the T, V calculation is completed, then $z_m$ is allowed to be 0 or an integer constant in $[1, n-1]$;
if $P_A$ is not public and is held as a secret by device No. 1, and $P_B \ne P_A$, then with $c_1$ treated as non-secret, the above method of calculating T, V and the above SM9 digital signature collaborative generation method by means of intermediate parameters still hold.
5. The method of claim 1 for collaborative generation of an SM9 digital signature by means of intermediate parameters, wherein:
if $P_B = P_A$, one method by which the m devices cooperatively calculate $T = [r_1 r_2 \cdots r_m]P_U + [-F(z_1, z_2, \ldots, z_m)]P_B$, $V = [F(z_1, z_2, \ldots, z_m)]P_B + [-c_1 c_2 \cdots c_m h]P_A$ is as follows:
$Q_1 = [(r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)]P_B$, $Q_2 = [(r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)]P_B$, …, $Q_{m-1} = [(r_m)^{-1} a_m]P_B$ are calculated, and $Q_m = P_B$ is taken;
$d_1 = ((a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}) \bmod n$, $d_2 = ((a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}) \bmod n$, …, $d_{m-1} = (a_m (c_m)^{-1}) \bmod n$ are calculated, and $d_m = 1$ is taken;
where $a_i$ is an integer randomly selected in $[1, n-1]$ by device No. $i$ during the calculation, $i = 2, \ldots, m$;
take $T_0 = P_U$, $v_0 = -h$;
device No. 1 randomly selects an integer $z_1$ in $[1, n-1]$, calculates $T_1 = [r_1]T_0 + [-z_1]Q_1$, $v_1 = (z_1 d_1 + c_1 v_0) \bmod n$, and sends $T_1$, $v_1$ to device No. 2;
after receiving $T_{i-1}$, $v_{i-1}$, device No. $i$ ($i = 2, \ldots, m$) checks $T_{i-1}$ and reports an error if it is the zero element; otherwise it randomly selects an integer $z_i$ in $[1, n-1]$ and calculates $T_i = [r_i]T_{i-1} + [-z_i]Q_i$, $v_i = (z_i d_i + c_i v_{i-1}) \bmod n$;
if $i = m$, take $T = T_m$ and calculate $V = [v_m]P_A$, completing the T, V calculation; otherwise device No. $i$ sends $T_i$, $v_i$ to device No. $i+1$, and so on until $T_m$, $v_m$ have been calculated;
if $V = [v_m]P_A$ is calculated by device No. m and $S = T + V$ is calculated by device No. m after the T, V calculation is completed, then $z_m$ is allowed to be 0 or an integer constant in $[1, n-1]$;
if $P_A$ is not public and is held as a secret by device No. m, $P_U \ne P_A$, and $V = [v_m]P_A$ is calculated by device No. m, then with $c_m$ treated as non-secret, the above method of calculating T, V and the above SM9 digital signature collaborative generation method by means of intermediate parameters still hold.
6. The method of claim 1 for collaborative generation of an SM9 digital signature by means of intermediate parameters, wherein:
if $P_B = P_U$, one method by which the m devices cooperatively calculate $T = [r_1 r_2 \cdots r_m]P_U + [-F(z_1, z_2, \ldots, z_m)]P_B$, $V = [F(z_1, z_2, \ldots, z_m)]P_B + [-c_1 c_2 \cdots c_m h]P_A$ is as follows:
$q_1 = ((r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)) \bmod n$, $q_2 = ((r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)) \bmod n$, …, $q_{m-1} = ((r_m)^{-1} a_m) \bmod n$ are calculated, and $q_m = 1$ is taken;
$D_1 = [(a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}]P_B$, $D_2 = [(a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}]P_B$, …, $D_{m-1} = [a_m (c_m)^{-1}]P_B$ are calculated, and $D_m = P_B$ is taken;
where $a_i$ is an integer randomly selected in $[1, n-1]$ by device No. $i$ during the calculation, $i = 2, \ldots, m$;
take $t_0 = 1$, $V_0 = [-h]P_A$;
device No. 1 randomly selects an integer $z_1$ in $[1, n-1]$, calculates $t_1 = (r_1 t_0 - z_1 q_1) \bmod n$, $V_1 = [z_1]D_1 + [c_1]V_0$, and sends $t_1$, $V_1$ to device No. 2;
after receiving $t_{i-1}$, $V_{i-1}$, device No. $i$ ($i = 2, \ldots, m$) checks $t_{i-1}$ and reports an error if it is 0; otherwise it randomly selects an integer $z_i$ in $[1, n-1]$ and calculates $t_i = (r_i t_{i-1} - z_i q_i) \bmod n$, $V_i = [z_i]D_i + [c_i]V_{i-1}$;
if $i = m$, $T = [t_m]P_B$ is calculated and $V = V_m$ is taken, completing the T, V calculation; otherwise device No. $i$ sends $t_i$, $V_i$ to device No. $i+1$, and so on until $t_m$, $V_m$ have been calculated;
if $T = [t_m]P_B$ is calculated by device No. m and $S = T + V$ is calculated by device No. m after the T, V calculation is completed, then $z_m$ is allowed to be 0 or an integer constant in $[1, n-1]$;
if $P_A$ is not public and is held as a secret by device No. 1, and $P_B \ne P_A$, then with $c_1$ treated as non-secret, the above method of calculating T, V and the above SM9 digital signature collaborative generation method by means of intermediate parameters still hold.
7. The method of claim 4 for collaborative generation of SM9 digital signatures with the aid of intermediate parameters, wherein:
the methods of calculating $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)]P_B$, $Q_2 = [(r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)]P_B$, …, $Q_{m-1} = [(r_m)^{-1} a_m]P_B$
and $D_1 = [(a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}]P_B$, $D_2 = [(a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}]P_B$, …, $D_{m-1} = [a_m (c_m)^{-1}]P_B$ include the following schemes:
scheme one:
device No. m takes $Q_m = P_B$, $D_m = P_B$, randomly selects an integer $a_m$ in $[1, n-1]$, calculates $Q_{m-1} = [(r_m)^{-1} a_m]Q_m$, $D_{m-1} = [a_m (c_m)^{-1}]D_m$, and sends $Q_{m-1}$, $D_{m-1}$ to device No. m-1;
after device No. i receives $Q_i$, $D_i$, i = m-1, …, 1: if i = 1, device No. 1 temporarily retains $Q_1$, $D_1$, which completes the calculation of $Q_1, Q_2, \ldots, Q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$; otherwise device No. i randomly selects an integer $a_i$ in $[1, n-1]$, calculates $Q_{i-1} = [(r_i)^{-1} a_i]Q_i$, $D_{i-1} = [a_i (c_i)^{-1}]D_i$, temporarily retains $Q_i$, $D_i$, and sends $Q_{i-1}$, $D_{i-1}$ to device No. i-1;
in the process of calculating $Q_1, Q_2, \ldots, Q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$, if device No. i finds on checking that the received $Q_i$ or $D_i$ is zero, i = m-1, …, 1, it reports an error;
scheme two:
the m devices calculate and retain $Q_1, Q_2, \ldots, Q_{m-1}$ in the manner in which scheme one calculates $Q_1, Q_2, \ldots, Q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$;
device No. m takes $d_m = 1$, randomly selects an integer $a_m$ in $[1, n-1]$, calculates $d_{m-1} = (a_m (c_m)^{-1} d_m) \bmod n$, and sends $d_{m-1}$ to device No. m-1;
after device No. i receives $d_i$, i = m-1, …, 1: if i = 1, device No. 1 calculates $D_1 = [d_1]P_B$ and temporarily retains $D_1$, which completes the calculation of $D_1, D_2, \ldots, D_{m-1}$; otherwise device No. i calculates $D_i = [d_i]P_B$, randomly selects an integer $a_i$ in $[1, n-1]$, calculates $d_{i-1} = (a_i (c_i)^{-1} d_i) \bmod n$, temporarily retains $D_i$, and sends $d_{i-1}$ to device No. i-1;
in the process of calculating $Q_1, Q_2, \ldots, Q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$, if device No. i finds on checking that the received $Q_i$ is zero or $d_i$ is 0, i = m-1, …, 1, it reports an error;
scheme three:
the m devices calculate and retain $D_1, D_2, \ldots, D_{m-1}$ in the manner in which scheme one calculates $Q_1, Q_2, \ldots, Q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$;
device No. m takes $q_m = 1$, randomly selects an integer $a_m$ in $[1, n-1]$, calculates $q_{m-1} = ((r_m)^{-1} a_m q_m) \bmod n$, and sends $q_{m-1}$ to device No. m-1;
after device No. i receives $q_i$, i = m-1, …, 1: if i = 1, device No. 1 calculates $Q_1 = [q_1]P_B$ and temporarily retains $Q_1$, which completes the calculation of $Q_1, Q_2, \ldots, Q_{m-1}$; otherwise device No. i calculates $Q_i = [q_i]P_B$, randomly selects an integer $a_i$ in $[1, n-1]$, calculates $q_{i-1} = ((r_i)^{-1} a_i q_i) \bmod n$, temporarily retains $Q_i$, and sends $q_{i-1}$ to device No. i-1;
in the process of calculating $q_1, q_2, \ldots, q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$, if device No. i finds on checking that the received $q_i$ is 0 or $D_i$ is zero, i = m-1, …, 1, it reports an error.
8. The method of claim 5 for collaborative generation of SM9 digital signatures with the aid of intermediate parameters, wherein:
one method of calculating $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)]P_B$, $Q_2 = [(r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)]P_B$, …, $Q_{m-1} = [(r_m)^{-1} a_m]P_B$
and $d_1 = ((a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}) \bmod n$, $d_2 = ((a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}) \bmod n$, …, $d_{m-1} = (a_m (c_m)^{-1}) \bmod n$ is as follows:
device No. m takes $Q_m = P_B$, $d_m = 1$, randomly selects an integer $a_m$ in $[1, n-1]$, calculates $Q_{m-1} = [(r_m)^{-1} a_m]Q_m$, $d_{m-1} = (a_m (c_m)^{-1} d_m) \bmod n$, and sends $Q_{m-1}$, $d_{m-1}$ to device No. m-1;
after device No. i receives $Q_i$, $d_i$, i = m-1, …, 1: if i = 1, device No. 1 temporarily retains $Q_1$, $d_1$, which completes the calculation of $Q_1, Q_2, \ldots, Q_{m-1}$ and $d_1, d_2, \ldots, d_{m-1}$; otherwise device No. i randomly selects an integer $a_i$ in $[1, n-1]$, calculates $Q_{i-1} = [(r_i)^{-1} a_i]Q_i$, $d_{i-1} = (a_i (c_i)^{-1} d_i) \bmod n$, temporarily retains $Q_i$, $d_i$, and sends $Q_{i-1}$, $d_{i-1}$ to device No. i-1;
in the process of calculating $Q_1, Q_2, \ldots, Q_{m-1}$ and $d_1, d_2, \ldots, d_{m-1}$, if device No. i finds on checking that the received $Q_i$ is zero or $d_i$ is 0, i = m-1, …, 1, it reports an error.
9. The method of claim 6 wherein the SM9 digital signature collaborative generation with intermediate parameters comprises:
one method of calculating $q_1 = ((r_2 r_3 \cdots r_m)^{-1}(a_2 a_3 \cdots a_m)) \bmod n$, $q_2 = ((r_3 \cdots r_m)^{-1}(a_3 \cdots a_m)) \bmod n$, …, $q_{m-1} = ((r_m)^{-1} a_m) \bmod n$
and $D_1 = [(a_2 a_3 \cdots a_m)(c_2 c_3 \cdots c_m)^{-1}]P_B$, $D_2 = [(a_3 \cdots a_m)(c_3 \cdots c_m)^{-1}]P_B$, …, $D_{m-1} = [a_m (c_m)^{-1}]P_B$ is as follows:
device No. m takes $q_m = 1$, $D_m = P_B$, randomly selects an integer $a_m$ in $[1, n-1]$, calculates $q_{m-1} = ((r_m)^{-1} a_m q_m) \bmod n$, $D_{m-1} = [a_m (c_m)^{-1}]D_m$, and sends $q_{m-1}$, $D_{m-1}$ to device No. m-1;
after device No. i receives $q_i$, $D_i$, i = m-1, …, 1: if i = 1, device No. 1 temporarily retains $q_1$, $D_1$, which completes the calculation of $q_1, q_2, \ldots, q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$; otherwise device No. i randomly selects an integer $a_i$ in $[1, n-1]$, calculates $q_{i-1} = ((r_i)^{-1} a_i q_i) \bmod n$, $D_{i-1} = [a_i (c_i)^{-1}]D_i$, temporarily retains $q_i$, $D_i$, and sends $q_{i-1}$, $D_{i-1}$ to device No. i-1;
in the process of calculating $q_1, q_2, \ldots, q_{m-1}$ and $D_1, D_2, \ldots, D_{m-1}$, if device No. i finds on checking that the received $q_i$ is 0 or $D_i$ is zero, i = m-1, …, 1, it reports an error.
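The following added example (not code from the patent) runs the precomputation of claim 9 and then the chain of claim 6, and confirms that the masking terms in $z_i$ cancel, so that $T + V = [r_1 r_2 \cdots r_m]P_U + [-c_1 c_2 \cdots c_m h]P_A$ when $P_B = P_U$. It assumes a toy stand-in group (the integers modulo a prime under addition) in place of the SM9 curve group; the function names and the random inputs are constructed for illustration.

```python
import secrets
from math import prod

# Assumption: a toy stand-in group, the integers mod a prime N under addition,
# so [k]P is k*P mod N. Real SM9 uses its pairing-curve groups of order n.
N = 2**127 - 1

def rand_scalar():
    return secrets.randbelow(N - 1) + 1            # uniform in [1, n-1]

def inv(x):
    return pow(x, -1, N)

def precompute(r, c, P_B):
    """Claim 9: device m starts from q_m = 1, D_m = P_B; device i derives the
    values for device i-1 using a fresh a_i. Indices run from 1 to m."""
    m = len(r) - 1
    q, D = {m: 1}, {m: P_B}
    for i in range(m, 1, -1):
        a_i = rand_scalar()
        q[i - 1] = inv(r[i]) * a_i * q[i] % N
        D[i - 1] = a_i * inv(c[i]) * D[i] % N      # [a_i (c_i)^-1] D_i
        if q[i - 1] == 0 or D[i - 1] == 0:         # check done by the receiver
            raise ValueError("zero intermediate parameter")
    return q, D

def chain(r, c, q, D, h, P_A, P_B, z_m=None):
    """Claim 6: t_i, V_i passed from device 1 to device m; returns (T, V)."""
    m = len(r) - 1
    t, V = 1, -h * P_A % N                         # t_0 = 1, V_0 = [-h]P_A
    for i in range(1, m + 1):
        if i > 1 and t == 0:
            raise ValueError("received t is 0")
        z_i = z_m if (i == m and z_m is not None) else rand_scalar()
        t = (r[i] * t - z_i * q[i]) % N
        V = (z_i * D[i] + c[i] * V) % N            # [z_i]D_i + [c_i]V_{i-1}
    return t * P_B % N, V                          # T = [t_m]P_B, V = V_m

def demo(m, z_m=None):
    """Run both phases with constructed random inputs; return (S, expected)."""
    r = [None] + [rand_scalar() for _ in range(m)]
    c = [None] + [rand_scalar() for _ in range(m)]
    h, P_A, P_B = rand_scalar(), rand_scalar(), rand_scalar()
    q, D = precompute(r, c, P_B)
    T, V = chain(r, c, q, D, h, P_A, P_B, z_m)
    expected = (prod(r[1:]) * P_B - prod(c[1:]) * h * P_A) % N  # P_U = P_B
    return (T + V) % N, expected
```

Calling `demo(m, z_m=0)` exercises the case in claim 6 where device No. m is allowed to use $z_m = 0$.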
10. An SM9 digital signature cooperative generation system based on the SM9 digital signature cooperative generation method by means of intermediate parameters described in any one of claims 1 to 9, characterized in that:
the system comprises m devices, numbered No. 1, No. 2, …, No. m respectively, wherein m ≥ 2; device No. i holds an integer secret $c_i$ in the interval $[1, n-1]$, i = 1, …, m; when the user's SM9 identity private key $d_A$ needs to be used to digitally sign a message M, the m devices generate the digital signature of the message M according to the SM9 digital signature collaborative generation method by means of intermediate parameters.
CN201910764309.0A 2019-07-04 2019-08-19 SM9 digital signature collaborative generation method and system by means of intermediate parameters Active CN110299998B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910597058 2019-07-04
CN2019105970581 2019-07-04

Publications (2)

Publication Number Publication Date
CN110299998A CN110299998A (en) 2019-10-01
CN110299998B true CN110299998B (en) 2020-09-04

Family

ID=68032977

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910764309.0A Active CN110299998B (en) 2019-07-04 2019-08-19 SM9 digital signature collaborative generation method and system by means of intermediate parameters

Country Status (1)

Country Link
CN (1) CN110299998B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant