CN111355582A - Two-party combined signature and decryption method and system based on SM2 algorithm - Google Patents

Info

Publication number: CN111355582A
Authority: CN (China)
Prior art keywords: calculating, signature, algorithm, private key, joint
Legal status: Pending
Application number: CN202010138468.2A
Other languages: Chinese (zh)
Inventors: 尚望, 兰天
Current assignee: Chengdu Tianrui Xin'an Technology Co ltd
Original assignee: Chengdu Tianrui Xin'an Technology Co ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L 9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes

Abstract

The invention provides a joint signature and decryption method and system based on the SM2 algorithm, applicable to two-party transactions. Each of the two parties to the computation holds a partial private key, and a common public key is computed from the two parties' public keys. Using its own partial private key, each party takes part in a joint computation that signs the transaction message, and in a joint computation that decrypts a ciphertext; in both the joint signature and the joint decryption, neither party learns any information about the other party's private key. The joint signature and joint decryption let both parties confirm a transaction in a single operation. The joint signature is verified with the common public key, and one verification confirms the non-repudiation of both parties to the transaction. Signature verification and encryption use the standard SM2 methods, so the scheme is compatible with existing public key applications. In addition, an attacker who compromises either one party alone can neither forge a signature nor decrypt, which improves the security of the private key in the two-party computation and prevents signature or decryption abuse after one private key is leaked.

Description

Two-party combined signature and decryption method and system based on SM2 algorithm
Technical Field
The invention relates to the technical field of digital signature and decryption, and in particular to a method and a system for two-party joint signature and decryption based on the SM2 algorithm.
Background
The SM2 algorithm is an elliptic curve public key cryptographic algorithm developed independently in China and released as the national standard GB/T 32918. The SM2 algorithm provides signature and signature verification functions.
According to the algorithm specification, SM2 signature generation is as follows: let G be the base point on the elliptic curve, dA the private key and PA = dA * G the public key; the signature produced on the message digest e is the pair (r, s). First choose a random number k and compute (x1, y1) = k * G and r = e + x1; then compute s = (1 + dA)^-1 * (k - r * dA).
According to the algorithm specification, SM2 signature verification is as follows: given the signature (r, s), the public key PA and the elliptic curve parameters specified by SM2, first compute t = r + s; if t = 0 the verification fails. Otherwise compute the point (x1', y1') = s * G + t * PA and r' = x1' + e; if r' equals r the verification passes.
According to the algorithm specification, SM2 encryption is as follows: let the message to be sent be the bit string M, with klen the bit length of M; encrypting the plaintext M with the public key PA takes these steps:
a1: generate a random number k ∈ [1, n-1] with a random number generator, where n is a natural number, and compute the elliptic curve point C1 = k * G = (x1, y1), where G is the base point of the elliptic curve and k * G denotes the k-fold multiple of the base point;
a2: compute the elliptic curve point S = H * PA; if S is the point at infinity, report an error and exit; H is the cofactor specified by the SM2 algorithm, 1 by default;
a3: compute the elliptic curve point k * PA = (x2, y2) and convert the coordinates x2 and y2 to bit strings; compute t = KDF(x2 || y2, klen); if t is the all-zero bit string, return to step a1; KDF is the key derivation function specified by the SM2 algorithm, whose output is a key stream;
a4: compute C2 = M ⊕ t, where ⊕ is the exclusive-or operation, and C3 = Hash(x2 || M || y2), where Hash is the hash function specified by the SM2 algorithm;
a5: output the ciphertext C = C1 || C2 || C3.
According to the algorithm specification, SM2 decryption is as follows: let the ciphertext to be decrypted be the bit string C = C1 || C2 || C3, with klen the bit length of C2; decrypting the ciphertext C with the private key dA takes these steps:
b1: take the bit string C1 from C, convert it to a point on the elliptic curve and verify that it satisfies the curve equation; if not, report an error and exit; compute the elliptic curve point S = H * C1; if S is the point at infinity, report an error and exit;
b2: compute dA * C1 = (x2, y2) and convert the coordinates x2 and y2 to bit strings;
b3: compute t = KDF(x2 || y2, klen); if t is the all-zero bit string, report an error and exit; KDF is the key derivation function specified by the SM2 algorithm, whose output is a key stream;
b4: take the bit string C2 from C and compute M' = C2 ⊕ t, where ⊕ is the exclusive-or operation; compute u = Hash(x2 || M' || y2); take the bit string C3 from C; if u is not equal to C3, report an error and exit; Hash is the hash function specified by the SM2 algorithm;
b5: output the plaintext M'.
SM2 signatures guarantee the integrity of transaction messages and the non-repudiation of the computation, relying on the private key being unique and held only by its owner. Because the public key can be published, the signature can be verified by a participant in the computation or by a third party. Signature confirmation of a two-party transaction usually means that each party signs separately and then confirms the other's signature; at verification time both public keys must be used in turn, so the process is long and the confirmation mechanism is complex.
Because the public key is public, a participant's data can be encrypted under the published public key for confidentiality; because the private key is unique and held by its owner, only the owner of the private key can decrypt the ciphertext. Where decryption must be confirmed by two parties, a complex interaction-control mechanism is usually used, or a mechanism of re-encryption and successive encryption by both parties. Both methods carry the risk of complicated control logic and of control conditions being bypassed by an attack.
In addition, the common way to protect a private key is to store it in dedicated standalone secure hardware, which is expensive to issue, poorly compatible with devices and inconvenient to use; the other way is to issue the private key as a file, which is easy to steal, and once stolen it can be misused, because existing signing and decryption operations can be performed with the private key alone.
Disclosure of Invention
The present invention is directed to solving the above problems by providing a two-party joint signature and decryption method and system based on SM2 algorithm. The technical scheme is as follows:
a two-party joint signing and decrypting system based on the SM2 algorithm, comprising:
a client and a cloud server; the client stores a private key a and a public key Pa, the cloud server stores a private key b and a public key Pb, and the client and the cloud server exchange information;
the client receives the transaction file to be signed and uses the private key a to compute a first partial signature Q1; the cloud server uses the private key b together with Q1 to compute the complete signature Q2 and returns Q2 to the client, and the client publishes the transaction file together with Q2;
the client asks the cloud server to decrypt a file; the cloud server uses the private key b to compute the first partial decryption data, and the client uses the private key a together with the first partial decryption data to compute the complete decrypted data;
the public keys Pa and Pb are combined by a joint operation to obtain the joint public key Pu, which is used to verify the complete signature Q2 and to encrypt the file.
A two-party joint signature and decryption method based on the SM2 algorithm, in which the two parties are denoted A and B, A holds a private key a and a public key Pa, and B holds a private key b and a public key Pb.
The two-party joint signature comprises the following steps:
c1: B sends Pb to A;
c2: A generates the joint public key Pu from Pa and Pb;
c3: given the transaction message E, A computes a first partial signature Q1 using the private key a and sends Q1 to B;
c4: B computes the complete signature Q2 from Q1 and the private key b, where Q2 can be verified with the joint public key Pu.
The two-party joint decryption comprises the following steps:
d1: given a ciphertext C obtained by encrypting the message M under the joint public key Pu, A computes the first partial decryption data from the private key a and the ciphertext C and sends it to B;
d2: B computes the complete decrypted data, i.e. the plaintext M, from the first partial decryption data, the private key b and the ciphertext C.
Optionally, in step c3, A computes the first partial signature Q1 with the private key a as follows:
1) A generates a random number m and computes s31 = m * G, where G is the base point of SM2;
2) A generates a random number k, computes k * G = (x1, y1), and takes the x-coordinate x1 of that point;
3) the hash value of the transaction message E is denoted e, and r = e + x1 is computed;
4) s32 = s31 * (k - r * a) is computed;
5) s33 = s31 * (1 + a) is computed;
6) Q1 = (r, s32, s33).
Optionally, in step c4, B computes the complete signature Q2 from Q1 and the private key b as follows:
1) compute s41 = s33 * (1 + b);
2) invert s41 to obtain s42 = s41^-1;
3) compute s43 = s33 * r * b;
4) compute s44 = s32 - s43;
5) compute s45 = s42 * s44;
6) set s = s45 and output the complete signature Q2 = (r, s) as the signature of the transaction message E.
Optionally, in step d1, the message M is encrypted with the public key Pu to obtain the ciphertext C as follows:
1) let the elliptic curve point C1 = k * G = (x1, y1);
2) compute the elliptic curve point S = H * Pu; if S is the point at infinity, report an error and exit; H is the cofactor specified by the SM2 algorithm, 1 by default;
3) compute the elliptic curve point k * Pu = (x2, y2), that is, k * (Pa + Pb + a * Pb) = (x2, y2), and convert the coordinates x2 and y2 to bit strings;
compute t = KDF(x2 || y2, klen); if t is the all-zero bit string, return to step 1); KDF is the key derivation function specified by the SM2 algorithm, whose output is a key stream;
4) compute C2 = M ⊕ t, where ⊕ is the exclusive-or operation, and C3 = Hash(x2 || M || y2), where Hash is the hash function specified by the SM2 algorithm;
5) output the ciphertext C = C1 || C2 || C3.
Optionally, in step d1, A computes the first partial decryption data with the private key a as follows:
A takes the bit string C1 from C and computes H * C1, where H is the cofactor parameter specified by the SM2 algorithm; if H * C1 is the point at infinity, an error is reported and the operation exits; otherwise A computes s61 = a * C1 and sends s61 to B.
Optionally, in step d2, B obtains the complete decrypted data, i.e. the plaintext M, from the first partial decryption data and the private key b as follows:
1) B extracts C1 from the ciphertext C, computes s71 = b * C1, s72 = b * s61 = b * a * C1 and s73 = s61 + s71 + s72 = (a + b + a * b) * C1, and denotes the coordinates of s73 as (x2, y2);
2) compute t = KDF(x2 || y2, klen); if t is the all-zero bit string, report an error and exit; KDF is the key derivation function specified by the SM2 algorithm, whose output is a key stream;
3) take the bit string C2 from C and compute M' = C2 ⊕ t; compute u = Hash(x2 || M' || y2); take the bit string C3 from C; if u is not equal to C3, report an error and exit;
4) output the plaintext M = M'.
The invention has the beneficial effects that:
The invention provides a method and a system for two-party joint SM2 signature and decryption in a two-party transaction. Each party uses its own partial private key to sign the transaction message by joint computation, and during the joint signature computation neither party learns any information about the other party's private key. The jointly computed signature is verified with the public key shared by both parties, using the standard SM2 verification method. In this method, both parties' confirmation of the transaction is completed by a single signature; the signature is checked with the public key shared by the two parties, one check confirms the non-repudiation of both parties to the transaction, and because the check uses the standard SM2 method it is compatible with existing public key applications. In addition, an attacker who compromises either one party alone cannot forge a signature, which improves the security of the private key in the two-party computation and prevents signature abuse after one private key is leaked.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
Fig. 1 is a flow chart of the two-party joint signing and decrypting method based on the SM2 algorithm according to the present invention;
Fig. 2 shows the steps of the two-party joint signature based on the SM2 algorithm according to the present invention;
Fig. 3 shows the steps of the two-party joint decryption based on the SM2 algorithm according to the present invention;
Fig. 4 is a flow chart of the certificate preparation phase of the two-party joint signing and decrypting system of the present invention;
Fig. 5 is a flow chart of the joint signature phase of the two-party joint signing and decrypting system of the present invention;
Fig. 6 is a flow chart of the signature verification phase of the two-party joint signing and decrypting system of the present invention;
Fig. 7 is a flow chart of the data encryption phase of the two-party joint signing and decrypting system of the present invention;
Fig. 8 is a flow chart of the joint decryption phase of the two-party joint signing and decrypting system of the present invention.
Detailed Description
The following detailed description of specific embodiments of the present disclosure is provided in connection with the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
As shown in Fig. 1, the invention is a two-party joint signing and decrypting method based on the SM2 algorithm; the two parties are denoted A and B, A holds a private key a and a public key Pa, and B holds a private key b and a public key Pb.
The two-party joint signature comprises the following steps:
c1: B sends Pb to A;
c2: A generates the joint public key Pu from Pa and Pb;
c3: given the transaction message E, A computes a first partial signature Q1 using the private key a and sends Q1 to B;
c4: B computes the complete signature Q2 from Q1 and the private key b, where Q2 can be verified with the joint public key Pu.
The two-party joint decryption comprises the following steps:
d1: given a ciphertext C obtained by encrypting the message M under the joint public key Pu, A computes the first partial decryption data from the private key a and the ciphertext C and sends it to B;
d2: B computes the complete decrypted data, i.e. the plaintext M, from the first partial decryption data, the private key b and the ciphertext C.
The two parties to the transaction each hold a partial private key and share one public key. As shown at MA1 in Fig. 2, one party to the transaction is denoted A and holds a private key a and a public key Pa. As shown at MB1 in Fig. 2, the other party is denoted B and holds a private key b and a public key Pb. Either party can compute the public key common to both; in the example of the invention A computes it. As shown at MA2 in Fig. 2, B sends Pb to A, and after receiving Pb, A computes the common public key Pu = Pa + Pb + a * Pb. SM2 is an elliptic curve cryptographic algorithm with fixed parameters, and the points on the elliptic curve form an additive group; by the rules of that group, the private key corresponding to Pu is u = a + b + a * b, so the private keys a and b are partial private keys that together make up the private key u. The common public key Pu may be published.
Each of the two participating parties uses its own partial private key to sign the message by joint computation, as follows. As shown at MA3 in Fig. 2, for the message E, party A computes the first partial signature Q1 with the private key a as follows:
1) A generates a random number m and computes s31 = m * G, where G is the base point of SM2;
2) A generates a random number k, computes k * G = (x1, y1), and takes the x-coordinate x1 of that point;
3) A computes the hash value e of the transaction message E and r = e + x1;
4) s32 = s31 * (k - r * a);
5) s33 = s31 * (1 + a);
6) keeping the partial signature Q1 = (r, s32, s33), party A sends Q1 to party B.
As shown at MB2 in Fig. 2, after receiving the partial signature Q1, party B computes the complete signature Q2 as follows:
1) s41 = s33 * (1 + b) = s31 * (1 + a + b + a * b);
2) inverting s41 gives s42 = s41^-1 = (s31 * (1 + a + b + a * b))^-1, where ( )^-1 denotes the inverse of the expression in parentheses;
3) s43 = s33 * r * b = s31 * (r * b + r * a * b);
4) s44 = s32 - s43 = s31 * (k - r * (a + b + a * b));
5) s45 = s42 * s44
   = (s31 * (1 + a + b + a * b))^-1 * s31 * (k - r * (a + b + a * b))
   = (1 + a + b + a * b)^-1 * (k - r * (a + b + a * b));
6) s = s45, and the complete signature Q2 = (r, s) is output as the signature of the transaction message E.
From the SM2 signature algorithm, the signature is (r, s) with r = e + x1 and s = (1 + dA)^-1 * (k - r * dA). The common public key is Pu = Pa + Pb + a * Pb, and the corresponding private key is u = a + b + a * b. Writing the private key u as dA = a + b + a * b gives s45 = (1 + dA)^-1 * (k - r * dA), so the complete signature Q2 has the standard SM2 signature structure.
The jointly computed signature can be verified with the public key shared by both parties, using the standard SM2 verification method, as follows. With dA = u = a + b + a * b, the jointly computed complete signature is Q2 = (r, s), with r = e + x1 and s = (1 + dA)^-1 * (k - r * dA). Since Q2 fully conforms to the SM2 signature method, it follows that the signature can be verified with the public key Pu, and the verification uses the standard SM2 method.
The joint decryption of the present invention is described in detail below with reference to fig. 3.
In the invention, the message M is encrypted under the public key Pu by the standard SM2 method into a ciphertext C, and the ciphertext C = C1 || C2 || C3 has the standard SM2 ciphertext format. The procedure is as follows:
1) let the elliptic curve point C1 = k * G = (x1, y1);
2) compute the elliptic curve point S = H * Pu; if S is the point at infinity, report an error and exit; H is the cofactor specified by the SM2 algorithm, 1 by default;
3) compute the elliptic curve point k * Pu = (x2, y2), that is, k * (Pa + Pb + a * Pb) = (x2, y2), and convert the coordinates x2 and y2 to bit strings;
compute t = KDF(x2 || y2, klen); if t is the all-zero bit string, return to step 1); KDF is the key derivation function specified by the SM2 algorithm, whose output is a key stream;
4) compute C2 = M ⊕ t, where ⊕ is the exclusive-or operation, and C3 = Hash(x2 || M || y2), where Hash is the hash function specified by the SM2 algorithm;
5) output the ciphertext C = C1 || C2 || C3.
The ciphertext C is generated by encrypting the message M under the public key Pu; the two parties then decrypt C by joint computation, each using its own partial private key, as follows. As shown at MA4 in Fig. 3, for the ciphertext C, party A computes the first partial decryption data with the private key a as follows:
A takes the bit string C1 from C and computes H * C1, where H is the cofactor parameter specified by the SM2 algorithm; if H * C1 is the point at infinity, an error is reported and the operation exits; otherwise A computes s61 = a * C1 and sends s61 to B.
As shown at MB3 in Fig. 3, B obtains the complete decrypted data, i.e. the plaintext M, from the first partial decryption data and the private key b as follows:
1) B extracts C1 from the ciphertext C, computes s71 = b * C1, s72 = b * s61 = b * a * C1 and s73 = s61 + s71 + s72 = (a + b + a * b) * C1, and denotes the coordinates of s73 as (x2, y2);
2) compute t = KDF(x2 || y2, klen); if t is the all-zero bit string, report an error and exit; KDF is the key derivation function specified by the SM2 algorithm, whose output is a key stream;
3) take the bit string C2 from C and compute M' = C2 ⊕ t; compute u = Hash(x2 || M' || y2); take the bit string C3 from C; if u is not equal to C3, report an error and exit;
4) output the plaintext M = M'.
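The joint signature (steps c1 to c4 and the s41 to s45 derivation above), the standard SM2 verification it is checked against, and the joint decryption (steps d1 and d2) worked through end to end, as an added example. This is illustration code written for this page, not the patent's implementation and not any library's API. It assumes the sm2p256v1 curve parameters of GB/T 32918; SHA-256 standing in for SM3 in both Hash and KDF (so the ciphertexts are not interoperable with a real SM2 implementation); s31 handled as a random scalar modulo n, because the page's own derivation cancels s31 as a scalar even though it writes s31 = m * G; cofactor H = 1; and function names, the sample message and the small test keys are all constructed here.

```python
# Added illustration of the joint signing / joint decryption flow described above;
# not the patent's code nor any library's API.  Assumptions: SHA-256 stands in for
# SM3 in Hash and KDF; s31 is a random scalar mod n; cofactor H = 1; names are mine.
import hashlib, secrets

# sm2p256v1 domain parameters from GB/T 32918: y^2 = x^3 + A*x + B over GF(P), order N
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity

def add(p1, p2):
    """Affine point addition (doubling when p1 == p2); coordinates reduced mod P."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return INF
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def i2b(x): return x.to_bytes(32, "big")
def hsh(*parts): return hashlib.sha256(b"".join(parts)).digest()  # SM3 stand-in
def rand(): return secrets.randbelow(N - 1) + 1                    # k, m in [1, n-1]
def kdf(z, klen):
    """SM2-shaped KDF: Hash(z || ct) for a 32-bit counter ct = 1, 2, ... (klen in bytes)."""
    out, ct = b"", 1
    while len(out) < klen:
        out += hsh(z, ct.to_bytes(4, "big")); ct += 1
    return out[:klen]

def joint_pubkey(Pa, Pb, a):
    """Step c2 (party A): Pu = Pa + Pb + a*Pb, i.e. the public key of u = a + b + a*b."""
    return add(add(Pa, Pb), mul(a, Pb))
def sign_partial(a, e):
    """Step c3 (party A): Q1 = (r, s32, s33).  k and s31 must be fresh for every signature."""
    s31, k = rand(), rand()
    x1, _ = mul(k, G)
    r = (e + x1) % N
    return (r, s31 * (k - r * a) % N, s31 * (1 + a) % N)   # (r, s32, s33)
def sign_complete(b, Q1):
    """Step c4 (party B): s41..s45 as on the page, yielding s = (1+u)^-1 * (k - r*u) mod n."""
    r, s32, s33 = Q1
    s41 = s33 * (1 + b) % N
    s42 = pow(s41, -1, N)
    s43 = s33 * r * b % N
    s44 = (s32 - s43) % N
    return (r, s42 * s44 % N)                               # Q2 = (r, s45)
def sm2_verify(pub, e, sig):
    """Standard SM2 verification: t = r + s, (x1', y1') = s*G + t*pub, accept if e + x1' == r."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N) or (r + s) % N == 0: return False
    pt = add(mul(s, G), mul((r + s) % N, pub))
    return pt is not INF and (e + pt[0]) % N == r

def sm2_encrypt(pub, msg):
    """Standard SM2 encryption under pub; returns the tuple (C1, C2, C3) used on the page."""
    while True:
        k = rand()
        C1, (x2, y2) = mul(k, G), mul(k, pub)
        t = kdf(i2b(x2) + i2b(y2), len(msg))
        if any(t): break                                    # all-zero t: pick a new k
    C2 = bytes(m ^ tt for m, tt in zip(msg, t))
    return (C1, C2, hsh(i2b(x2), msg, i2b(y2)))
def decrypt_partial(a, C):
    """Step d1 (party A): reject a C1 that is not a curve point, then s61 = a*C1 for B."""
    C1 = C[0]
    if C1 is INF or (C1[1] ** 2 - C1[0] ** 3 - A * C1[0] - B) % P: raise ValueError("bad C1")
    return mul(a, C1)
def decrypt_complete(b, s61, C):
    """Step d2 (party B): s73 = s61 + b*C1 + b*s61 = (a + b + a*b)*C1, then SM2 unmasking."""
    C1, C2, C3 = C
    x2, y2 = add(add(s61, mul(b, C1)), mul(b, s61))
    t = kdf(i2b(x2) + i2b(y2), len(C2))
    if not any(t): raise ValueError("all-zero KDF output")
    M = bytes(c ^ tt for c, tt in zip(C2, t))
    if hsh(i2b(x2), M, i2b(y2)) != C3: raise ValueError("C3 mismatch")
    return M

def demo(msg=b"transfer 100 to account 42"):               # constructed sample message
    a, b = rand(), rand()
    Pa, Pb = mul(a, G), mul(b, G)
    Pu = joint_pubkey(Pa, Pb, a)
    e = int.from_bytes(hsh(msg), "big") % N                # page: e = Hash(E)
    Q2 = sign_complete(b, sign_partial(a, e))
    C = sm2_encrypt(Pu, msg)
    M = decrypt_complete(b, decrypt_partial(a, C), C)
    # verifies under Pu; round-trips; Pu == u*G; and does NOT verify under Pa alone
    return (sm2_verify(Pu, e, Q2), M == msg, Pu == mul((a + b + a * b) % N, G),
            sm2_verify(Pa, e, Q2))
```

demo() returns four booleans: the joint signature Q2 verifies under Pu with an unmodified SM2 verification routine, the ciphertext round-trips through the two-party decryption, Pu equals u * G for u = a + b + a * b, and the same Q2 does not verify under Pa alone, which is the property the abstract relies on: one key share is not enough to produce a valid signature. Two operational points follow from the arithmetic: k and s31 must be fresh, uniformly random values for every signature, and B should treat the s61 it receives as untrusted input and apply the same curve-membership check to it that A applies to C1.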
The invention also provides a two-party joint signature and decryption system based on the SM2 algorithm, comprising:
a client and a cloud server; the client stores a private key a and a public key Pa, the cloud server stores a private key b and a public key Pb, and the client and the cloud server exchange information;
the client receives the transaction file to be signed and uses the private key a to compute a first partial signature Q1; the cloud server uses the private key b together with Q1 to compute the complete signature Q2 and returns Q2 to the client, and the client publishes the transaction file together with Q2;
the client asks the cloud server to decrypt a file; the cloud server uses the private key b to compute the first partial decryption data, and the client uses the private key a together with the first partial decryption data to compute the complete decrypted data;
a third party, specifically a certificate authority (CA); the third party stores the joint public key Pu, which the client computes from the public keys Pa and Pb and sends to it; the third party exchanges information with the client and with the cloud server, each of which obtains the joint public key Pu from the third party, and the joint public key Pu is used to verify the complete signature Q2 and to encrypt the file.
Certificate preparation, as shown in Fig. 4: the cloud server sends Pb to the client. After receiving Pb, the client computes the common public key Pu = Pa + Pb + a * Pb. The client sends Pu to the CA, and the CA issues a certificate CPu containing Pu.
Joint signature, as shown in Fig. 5: the client receives a transaction file E that needs to be signed. The client first computes the hash value e of the file. The client then computes the first partial signature Q1 with its partial private key a and sends Q1 to the cloud server.
After receiving Q1, the cloud server computes the complete signature Q2 with its partial private key b. The cloud server sends the complete signature Q2 to the client, and the client publishes the signature together with the file E.
Signature verification, as shown in Fig. 6: when the cloud server, the client or any other third party needs to verify the integrity, authenticity and non-repudiation of the transaction file E, it first obtains the certificate CPu and takes the common public key Pu from it; it then computes the hash value e of the file E and verifies the signature Q2 with Pu.
Data encryption, as shown in Fig. 7: when the cloud server, the client or any other third party needs to encrypt a file M, it first obtains the certificate CPu and takes the common public key Pu from it; it then encrypts M with Pu to produce the ciphertext C.
Joint decryption, as shown in Fig. 8: when the client needs to decrypt the ciphertext C, it asks the cloud server for joint decryption; the cloud server takes C1 from the ciphertext C, computes the first partial decryption data with its partial private key, and sends that data to the client. After receiving the first partial decryption data, the client recovers the complete plaintext from the ciphertext C according to the joint decryption steps.
The preferred embodiments of the present disclosure are described in detail with reference to the accompanying drawings, however, the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solution of the present disclosure within the technical idea of the present disclosure, and these simple modifications all belong to the protection scope of the present disclosure.
It should be noted that, in the foregoing embodiments, various features described in the above embodiments may be combined in any suitable manner, and in order to avoid unnecessary repetition, various combinations that are possible in the present disclosure are not described again.
In addition, any combination of various embodiments of the present disclosure may be made, and the same should be considered as the disclosure of the present disclosure, as long as it does not depart from the spirit of the present disclosure.

Claims (7)

1. A two-party joint signing and decrypting system based on the SM2 algorithm, comprising:
a client and a cloud server; the client stores a private key a and a public key Pa, the cloud server stores a private key b and a public key Pb, and the client and the cloud server exchange information;
the client receives the transaction file to be signed and uses the private key a to compute a first partial signature Q1; the cloud server uses the private key b together with Q1 to compute the complete signature Q2 and returns Q2 to the client, and the client publishes the transaction file together with Q2;
the client asks the cloud server to decrypt a file; the cloud server uses the private key b to compute the first partial decryption data, and the client uses the private key a together with the first partial decryption data to compute the complete decrypted data;
the public keys Pa and Pb are combined by a joint operation to obtain the joint public key Pu, which is used to verify the complete signature Q2 and to encrypt the file.
2. A two-party joint signing and decrypting method based on the SM2 algorithm, applied to the system of claim 1, wherein the two parties are denoted A and B, A holds private key a and public key Pa, and B holds private key b and public key Pb;
the two-party joint signature comprises the following steps:
c1, B sends Pb to A;
c2, A generates a joint public key Pu from Pa and Pb;
c3, given the transaction message E, A calculates a first partial signature Q1 using the private key a and sends Q1 to B;
c4, B calculates a complete signature Q2 using Q1 and the private key b, where Q2 can be verified with the joint public key Pu;
the two-party joint decryption comprises the following steps:
d1, given the ciphertext C obtained by encrypting the message M under the joint public key Pu, A calculates the first part of the decrypted data from the private key a and the ciphertext C and sends it to B;
d2, B calculates the complete decrypted data, namely the plaintext M, from the first part of the decrypted data, the private key b and the ciphertext C.
3. The two-party joint signing and decrypting method based on the SM2 algorithm according to claim 2, wherein in step c3 A calculates the first partial signature Q1 using the private key a as follows:
1) A generates a random number m and calculates s31 = m × G, where G is the base point of SM2;
2) A generates a random number k, calculates k × G = (x1, y1) and takes the coordinate x1 of this point;
3) the hash value of the transaction message E is denoted e, and r = e + x1 is calculated;
4) s32 = s31 × (k − r × a) is calculated;
5) s33 = s31 × (1 + a) is calculated;
6) Q1 = (r, s32, s33).
4. The two-party joint signing and decrypting method based on the SM2 algorithm according to claim 3, wherein in step c4 B calculates the complete signature Q2 using Q1 and the private key b as follows:
1) s41 = s33 × (1 + b) is calculated;
2) s41 is inverted to give s42 = s41^-1;
3) s43 = s33 × r × b is calculated;
4) s44 = s32 − s43 is calculated;
5) s45 = s42 × s44 is calculated;
6) s = s45, and the complete signature Q2 = (r, s) is output as the signature of the transaction message E.
5. The two-party joint signing and decrypting method based on the SM2 algorithm according to claim 4, wherein in step d1 the ciphertext C is obtained by encrypting the message M under the joint public key Pu as follows:
1) let the elliptic curve point C1 = k × G = (x1, y1);
2) calculate the elliptic curve point S = H × Pa; if S is the point at infinity, report an error and exit, where H is the cofactor specified by the SM2 algorithm and is 1 by default;
3) calculate the elliptic curve point k × Pu = (x2, y2), that is, k × (Pa + Pb + a × Pb) = (x2, y2), and convert the data types of the coordinates x2 and y2 into bit strings; calculate t = KDF(x2 || y2, klen) and, if t is an all-zero bit string, return to step 1), where KDF is the key derivation function specified by the SM2 algorithm and its output is a key sequence;
4) calculate C2 = M ⊕ t, where ⊕ is the exclusive-or operation, and calculate C3 = Hash(x2 || M || y2), where Hash is the hash function specified by the SM2 algorithm;
5) output the ciphertext C = C1 || C2 || C3.
6. The two-party joint signing and decrypting method based on the SM2 algorithm according to claim 5, wherein in step d1 A calculates the first part of the decrypted data using the private key a as follows:
A takes the bit string C1 out of C and calculates H × C1, where H is the cofactor parameter specified by the SM2 algorithm; if H × C1 is the point at infinity, an error is reported and the operation exits; otherwise s61 = a × C1 is calculated, and A sends s61 to B.
7. The two-party joint signing and decrypting method based on the SM2 algorithm according to claim 6, wherein in step d2 B obtains the complete decrypted data (the plaintext M) from the first part of the decrypted data and the private key b as follows:
1) B extracts C1 from the ciphertext C and calculates s71 = b × C1, s72 = b × s61 = b × a × C1 and s73 = s61 + s71 + s72 = (a + b + a × b) × C1; the coordinates of s73 are denoted (x2, y2);
2) calculate t = KDF(x2 || y2, klen); if t is an all-zero bit string, report an error and exit; KDF is the key derivation function specified by the SM2 algorithm and its output is a key sequence;
3) take the bit string C2 out of C and calculate M' = C2 ⊕ t; calculate u = Hash(x2 || M' || y2); take the bit string C3 out of C and, if u is not equal to C3, report an error and exit;
4) output the plaintext M = M'.
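As an added example, not code from the patent, the joint signature of claims 3 and 4 and the joint public key Pu = Pa + Pb + a × Pb of claim 5 are worked through in Python over the SM2 recommended curve, followed by standard SM2 verification to show that Q2 verifies under Pu but not under Pa alone and that a tampered s is rejected. It assumes the blinding value s31 = m is used as a scalar mod n (the claim writes m × G, but s41 is inverted in claim 4, which only makes sense for a scalar), reduces r mod n as SM2 requires, and substitutes SHA-256 for SM3; the message is constructed.

```python
import hashlib, secrets
# SM2 recommended curve sm2p256v1 (GM/T 0003-2012): y^2 = x^3 + A*x + B over GF(P), base point G of order N
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def ec_add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def joint_public_key(a, pb):  # claim 5: Pu = Pa + Pb + a*Pb = (a + b + a*b)*G, computed by A from a and Pb
    return ec_add(ec_add(ec_mul(a, G), pb), ec_mul(a, pb))

def client_partial_sign(a, e):  # claim 3, party A; e is the integer hash of the message
    # Assumption: the blinding value s31 = m is used as a scalar mod N (the claim writes it as m*G)
    m, k = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    r = (e + ec_mul(k, G)[0]) % N                    # r = e + x1, reduced mod N
    return r, m * (k - r * a) % N, m * (1 + a) % N  # Q1 = (r, s32, s33); k and a never leave A

def server_complete_sign(b, q1):  # claim 4, party B: s = (1+d)^-1 * (k - r*d) mod N with d = a + b + a*b
    r, s32, s33 = q1
    s41 = s33 * (1 + b) % N                          # m(1+a)(1+b) = m(1+d)
    s44 = (s32 - s33 * r * b) % N                    # s32 - s43 = m(k - r*a) - m(1+a)*r*b = m(k - r*d)
    return r, pow(s41, -1, N) * s44 % N              # Q2 = (r, s): an ordinary SM2 signature under Pu

def sm2_verify(pu, e, r, s):  # standard SM2 verification (not part of the claims)
    if not (1 <= r < N and 1 <= s < N) or (r + s) % N == 0:
        return False
    return (e + ec_add(ec_mul(s, G), ec_mul((r + s) % N, pu))[0]) % N == r

def demo(msg=b"constructed transaction file"):  # -> (valid under Pu, tampered s rejected, Pa alone rejected)
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")  # SHA-256 stands in for SM3 in this example
    (r, s), pu = server_complete_sign(b, client_partial_sign(a, e)), joint_public_key(a, ec_mul(b, G))
    return sm2_verify(pu, e, r, s), sm2_verify(pu, e, r, (s + 1) % N), sm2_verify(ec_mul(a, G), e, r, s)
```

Because B inverts s41 = m(1+a)(1+b) and A blinds with m, neither party ever sees the other's key share or the joint private key d = a + b + ab, yet the result is a plain SM2 signature under Pu.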

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010138468.2A CN111355582A (en) 2020-03-03 2020-03-03 Two-party combined signature and decryption method and system based on SM2 algorithm

Publications (1)

Publication Number Publication Date
CN111355582A true CN111355582A (en) 2020-06-30

Family

ID=71197248

Country Status (1)

Country Link
CN (1) CN111355582A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112822155A (en) * 2020-12-21 2021-05-18 陕西土豆数据科技有限公司 Aerial photography data encryption and decryption method based on state password

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243456A (en) * 2014-08-29 2014-12-24 中国科学院信息工程研究所 Signing and decrypting method and system applied to cloud computing and based on SM2 algorithm
CN108199835A (en) * 2018-01-19 2018-06-22 北京江南天安科技有限公司 A kind of multi-party joint private key decryption method and system
CN109088726A (en) * 2018-07-19 2018-12-25 郑州信大捷安信息技术股份有限公司 Communicating pair collaboration signature and decryption method and system based on SM2 algorithm
CN109672539A (en) * 2019-03-01 2019-04-23 深圳市电子商务安全证书管理有限公司 SM2 algorithm collaboration signature and decryption method, apparatus and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination