CN111740837B - SM9-based distributed signature method and system - Google Patents


Publication number
CN111740837B
CN111740837B CN202010419426.6A CN202010419426A CN111740837B CN 111740837 B CN111740837 B CN 111740837B CN 202010419426 A CN202010419426 A CN 202010419426A CN 111740837 B CN111740837 B CN 111740837B
Authority
CN
China
Prior art keywords
signature
private key
assistance data
partial
communication party
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010419426.6A
Other languages
Chinese (zh)
Other versions
CN111740837A (en)
Inventor
杨国强
刘会议
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sanwei Xin'an Technology Co ltd
Original Assignee
Sanwei Xin'an Technology Co ltd
Application filed by Sanwei Xin'an Technology Co ltd
Priority to CN202010419426.6A
Publication of CN111740837A
Application granted
Publication of CN111740837B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3255: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a distributed signature method and system based on SM9. The method comprises the following steps: the key generation center generates a signature bilinear pair and a user signature private key, splits the user signature private key, and sends the parts to the two communication parties, who cooperate to complete the digital signature. The complete signature private key never appears in plaintext during signing, which ensures absolute security; the two communication parties complete the signature jointly and neither party can complete it alone, which further improves security; the Internet of Things terminal does not store a complete signature private key, which ensures absolute security of the private key; and the signature operation requires only two interactions, so the communication cost is low.

Description

SM9-based distributed signature method and system
Technical Field
The invention relates to the technical field of information security, in particular to a distributed signature method and system based on SM9.
Background
The SM9 identity-based cryptographic algorithm was adopted as a national cryptographic industry standard (GM/T0044-2016) in 2016. It is an identity-based cryptographic algorithm that uses the user's identity information (such as a serial number, a mobile phone number or a network address) as the public key, which greatly simplifies the complicated key management of a traditional PKI/CA certificate system. Compared with conventional cryptographic systems, a cryptographic system built on the SM9 algorithm is easy to manage and easy to use. User equipment in the system does not need to apply for a user certificate in advance or verify digital certificates, which greatly reduces the complexity of using the cryptographic system and makes it well suited to secure communication among users in large user groups.
SM9 is being applied more and more widely, but in an Internet of Things environment the key management of terminals carries a very high risk. Most Internet of Things terminals are low-power devices with insufficient security measures, so keys leak easily. If the key is stored on the Internet of Things terminal, the user's complete key can be stolen, which creates a security risk for the whole SM9 system.
Disclosure of Invention
The invention aims to solve the technical problems existing in the prior art and provides a distributed signature method and system based on SM9.
In order to solve the technical problems, an embodiment of the present invention provides a distributed signature method based on SM9, including the following steps:
the key generation center generates a signature bilinear pair $g$ and a user signature private key $d_S$, and splits the user signature private key $d_S$ into a first signature private key $d_1$ and a second signature private key $D_2$; the first signature private key $d_1$ and the signature bilinear pair $g$ are sent to the first communication party; the second signature private key $D_2$ and the signature bilinear pair $g$ are sent to the second communication party;
the first communication party generates first signature assistance data $w_1$ using the signature bilinear pair $g$, and sends the first signature assistance data $w_1$ and the message $M$ to be signed to the second communication party;
the second communication party generates second signature assistance data $w_2$ and third signature assistance data $w_3$ according to the first signature assistance data $w_1$ and the signature bilinear pair $g$, performs a cryptographic operation on the message $M$ to be signed according to $w_2$ and $w_3$ to obtain a first partial signature $h$, generates a second partial signature $S_2$ and a third partial signature $S_3$ according to the first partial signature $h$ and the second signature private key $D_2$, and transmits $w_2$, $w_3$, $S_2$, $S_3$ to the first communication party;
the first communication party performs a cryptographic operation on the message $M$ to be signed according to the second signature assistance data $w_2$ and the third signature assistance data $w_3$ to obtain the first partial signature $h$, obtains the complete signature value $S$ according to the second partial signature $S_2$ and the third partial signature $S_3$, and thereby obtains the standard SM9 signature message $(h, S)$.
In order to solve the above technical problem, an embodiment of the present invention further provides a distributed signature system based on SM9, including: the key generation center, the first communication party and the second communication party;
the key generation center is used for generating a signature bilinear pair $g$ and a user signature private key $d_S$, and for splitting the user signature private key $d_S$ into a first signature private key $d_1$ and a second signature private key $D_2$; the first signature private key $d_1$ and the signature bilinear pair $g$ are sent to the first communication party; the second signature private key $D_2$ and the signature bilinear pair $g$ are sent to the second communication party;
the first communication party is used for generating first signature assistance data $w_1$ using the signature bilinear pair $g$, and for sending the first signature assistance data $w_1$ and the message $M$ to be signed to the second communication party;
the second communication party is used for generating second signature assistance data $w_2$ and third signature assistance data $w_3$ according to the first signature assistance data $w_1$ and the signature bilinear pair $g$, performing a cryptographic operation on the message $M$ to be signed according to $w_2$ and $w_3$ to obtain a first partial signature $h$, generating a second partial signature $S_2$ and a third partial signature $S_3$ according to the first partial signature $h$ and the second signature private key $D_2$, and transmitting $w_2$, $w_3$, $S_2$, $S_3$ to the first communication party;
the first communication party is also used for performing a cryptographic operation on the message $M$ to be signed according to the second signature assistance data $w_2$ and the third signature assistance data $w_3$ to obtain the first partial signature $h$, obtaining the complete signature value $S$ according to the second partial signature $S_2$ and the third partial signature $S_3$, and thereby obtaining the standard SM9 signature message $(h, S)$.
The beneficial effects of the invention are as follows: the key generation center splits the user signature private key and sends the parts to the two communication parties, who cooperate to complete the digital signature. The complete signature private key never appears in plaintext during signing, which ensures absolute security; the two communication parties complete the signature jointly and neither party can complete it alone, which further improves security; the Internet of Things terminal does not store a complete signature private key, which ensures absolute security of the private key; and the signature operation requires only two interactions, so the communication cost is low.
Additional aspects of the invention and advantages thereof will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
Fig. 1 is a signaling interaction diagram of a distributed signature method based on SM9 according to an embodiment of the present invention.
Detailed Description
The principles and features of the present invention are described below with reference to the drawings. The examples serve only to illustrate the invention and are not to be construed as limiting its scope.
The specific embodiments are described in detail below for a signature scheme that conforms to the SM9 standard.
The SM9 national cryptographic standard defines three cyclic groups $G_1$, $G_2$ and $G_T$, each of order $N$. The generator of $G_1$ is $P_1$ and the generator of $G_2$ is $P_2$, and there is a mapping $G_1 \times G_2 \to G_T$; $e(Q_1, Q_2)$ denotes the mapping from $G_1 \times G_2$ to $G_T$, where $Q_1$ and $Q_2$ are elements of $G_1$ and $G_2$ respectively; $H_2()$ is a cryptographic function derived from the cryptographic hash function SM3; $[k]P$ denotes the $k$-fold multiple of the point $P$ on the elliptic curve.
Fig. 1 is a signaling interaction diagram of a distributed signature method based on SM9 according to an embodiment of the present invention. As shown in fig. 1, the method includes:
the key generation center generates a signature bilinear pair $g$ and a user signature private key $d_S$, and splits the user signature private key $d_S$ into a first signature private key $d_1$ and a second signature private key $D_2$; the first signature private key $d_1$ and the signature bilinear pair $g$ are sent to the first communication party; the second signature private key $D_2$ and the signature bilinear pair $g$ are sent to the second communication party;
the first communication party generates first signature assistance data $w_1$ using the signature bilinear pair $g$, and sends the first signature assistance data $w_1$ and the message $M$ to be signed to the second communication party;
the second communication party generates second signature assistance data $w_2$ and third signature assistance data $w_3$ according to the first signature assistance data $w_1$ and the signature bilinear pair $g$, performs a cryptographic operation on the message $M$ to be signed according to $w_2$ and $w_3$ to obtain a first partial signature $h$, generates a second partial signature $S_2$ and a third partial signature $S_3$ according to the first partial signature $h$ and the second signature private key $D_2$, and transmits $w_2$, $w_3$, $S_2$, $S_3$ to the first communication party;
the first communication party performs a cryptographic operation on the message $M$ to be signed according to the second signature assistance data $w_2$ and the third signature assistance data $w_3$ to obtain the first partial signature $h$, obtains the complete signature value $S$ according to the second partial signature $S_2$ and the third partial signature $S_3$, and thereby obtains the standard SM9 signature message $(h, S)$.
To protect the user key, the embodiment of the invention splits the key and provides a distributed signature method that requires the two parties to sign cooperatively, which solves the problem of storing the key securely on an Internet of Things terminal. The key generation center generates a signature bilinear pair and a user signature private key, splits the user signature private key, and sends the parts to the two communication parties, who cooperate to complete the digital signature. The complete signature private key never appears in plaintext during signing, which ensures absolute security; the two communication parties complete the signature jointly and neither party can complete it alone, which further improves security; the Internet of Things terminal does not store a complete signature private key, which ensures absolute security of the private key; and the signature operation requires only two interactions, so the communication cost is low.
Optionally, in one embodiment, splitting the user signature private key $d_S$ into the first signature private key $d_1$ and the second signature private key $D_2$ comprises:
the key generation center generates a first signature private key $d_1 \in [1, N-1]$, a random number smaller than $N$, calculates $d_2 = d_1^{-1} \cdot t_2 \bmod N$ according to the first signature private key $d_1$, and calculates the second signature private key $D_2 = [d_2]P_1$ according to $d_2$;
where the user signature private key is $d_S = [t_2]P_1$, $t_2$ is a 256-bit integer less than $N$ calculated from the user identity and the signature master key parameters, $P_1$ is the generator of the SM9 cyclic group $G_1$, and $N$ is the order of the SM9 cyclic group.
In the above embodiment, the user signature private key is split into two parts, which are respectively stored by both communication parties, so that the complete private key cannot appear in the signing process, and the absolute security of the signature private key is ensured.
Optionally, in one embodiment, the first communication party generating the first signature assistance data $w_1$ using the signature bilinear pair $g$ comprises:
the first communication party generates a first random number $r_1 \in [1, N-1]$, where $N$ is the order of the SM9 cyclic group;
the first signature assistance data $w_1$ is calculated according to the first random number $r_1$ and the signature bilinear pair $g$:
Figure BDA0002496299380000051
In the above embodiment, the first signature assistance data $w_1$ hides the first random number $r_1$, ensuring that $r_1$ cannot be obtained by the second communication party, which improves signature security.
Optionally, in an embodiment, the second communication party generating the second signature assistance data $w_2$ and the third signature assistance data $w_3$ according to the first signature assistance data $w_1$ and the signature bilinear pair $g$ comprises:
the second communication party generates a second random number $r_2$ and a third random number $r_3$, where $r_2, r_3 \in [0, N-1]$ and $N$ is the order of the SM9 cyclic group;
the second signature assistance data $w_2$ is generated according to the first signature assistance data $w_1$ and the second random number $r_2$:
Figure BDA0002496299380000061
the third signature assistance data $w_3$ is generated according to the third random number $r_3$ and the signature bilinear pair $g$:
Figure BDA0002496299380000062
In the above embodiment, the second signature assistance data $w_2$ and the third signature assistance data $w_3$ hide the second random number $r_2$ and the third random number $r_3$, ensuring that $r_2$ and $r_3$ cannot be obtained by the first communication party, which improves signature security.
Optionally, in an embodiment, performing the cryptographic operation on the message $M$ to be signed according to the second signature assistance data $w_2$ and the third signature assistance data $w_3$ to obtain the first partial signature $h$ includes:
generating the complete signature assistance data $w = w_2 \cdot w_3$ according to the second signature assistance data $w_2$ and the third signature assistance data $w_3$;
performing a cryptographic operation on the message $M$ to be signed according to the complete signature assistance data $w$ to obtain the first partial signature $h = H_2(M \| w, N)$, where $H_2()$ is a cryptographic function derived from the cryptographic hash function SM3 and $N$ is the order of the SM9 cyclic group.
In the above embodiment, the second communication party calculates the first partial signature $h$ itself rather than receiving it from the first communication party, which reduces the number of communications by two. Otherwise, the first communication party would need to receive the second and third signature assistance data from the second communication party, calculate $h$, and transmit $h$ to the second communication party before the second communication party could continue with the subsequent operations. The first communication party also calculates the first partial signature $h$, in order to ensure that the message $M$ to be signed has not been tampered with.
Optionally, in an embodiment, generating the second partial signature $S_2$ and the third partial signature $S_3$ according to the first partial signature $h$ and the second signature private key $D_2$ comprises:
generating the second partial signature $S_2 = [r_3 - h]D_2$ according to the first partial signature $h$ and the second signature private key $D_2$;
generating the third partial signature $S_3 = [r_2]D_2$ according to the second signature private key $D_2$;
where $r_2$ denotes the second random number, $r_3$ denotes the third random number, $r_2, r_3 \in [0, N-1]$, $N$ is the order of the SM9 cyclic group, and $[\,]$ denotes point multiplication.
In the above embodiment, the second communication party sends only the second partial signature $S_2$ and the third partial signature $S_3$ to the first communication party, so the first communication party cannot obtain $r_2$, $r_3$ or $D_2$, which guarantees that the first communication party cannot obtain the complete private key.
Optionally, in an embodiment, the complete signature value $S$ is obtained from the second partial signature $S_2$ and the third partial signature $S_3$ as follows:
$S = [r_1 \cdot d_1]S_3 + [d_1]S_2$
where $r_1$ denotes the first random number, $r_1 \in [1, N-1]$, $N$ is the order of the SM9 cyclic group, and $[\,]$ denotes point multiplication.
In the above embodiment, the complete signature value can only be produced by the first communication party, that is, the signature initiator performs the final signature operation, which ensures the validity of the signature; the second communication party cannot obtain the first signature private key $d_1$, which guarantees that the second communication party cannot obtain the complete private key.
The specific distributed signature flow is as follows:
1. Initialization stage: this stage is completed by the key generation center (KGC) alone.
a) Generating the complete user signature private key:
The KGC maintains a signing master private key $ks$ and a signing master public key $P_{pub-s}$. The user identity is $ID$.
The user signature private key is calculated by the standard KGC procedure in the industry standard GM/T0044-2016 (SM9 identity-based cryptographic algorithm) issued by the State Cryptography Administration:
calculate the user signature private key $d_S = [t_2]P_1$, where $t_2$ is a 256-bit integer less than $N$ calculated from a series of parameters such as the user identity and the system master key.
b) Splitting the user signature private key:
The KGC generates a random number $d_1 \in [1, N-1]$, a random number less than $N$, then calculates $d_2 = d_1^{-1} \cdot t_2 \bmod N$; the first signature private key is $d_1$ and the second signature private key is $D_2 = [d_2]P_1$.
c) Calculating the signature bilinear pair:
the system signature master public key is $P_{pub-s}$, and the signature bilinear pair is $g = e(P_1, P_{pub-s})$.
d) Key distribution:
the first signature private key and the signature bilinear pair $(d_1, g)$ are securely transmitted to the first communication party, and the second signature private key and the signature bilinear pair $(D_2, g)$ are securely transmitted to the second communication party.
2. Distributed signature phase: the first communication party initiates signature, and the message to be signed is M. The final signature is synthesized by the first party.
a) The first communication party initiates the signature, generates a random number $r_1 \in [1, N-1]$, and calculates the first signature assistance data
Figure BDA0002496299380000081
and sends the first signature assistance data and the message to be signed $(w_1, M)$ to the second communication party.
b) After receiving $w_1$, the second communication party generates two random numbers $r_2, r_3 \in [0, N-1]$. It first calculates the second signature assistance data
Figure BDA0002496299380000082
then calculates the third signature assistance data
Figure BDA0002496299380000083
It then calculates the complete signature assistance data $w = w_2 \cdot w_3$, calculates the first partial signature $h = H_2(M \| w, N)$ from $w$, and calculates the second partial signature $S_2 = [r_3 - h]D_2$ and the third partial signature $S_3 = [r_2]D_2$. It sends $(w_2, w_3, S_2, S_3)$ to the first communication party.
c) After receiving $(w_2, w_3)$, the first communication party, like the second communication party, first calculates the complete signature assistance data $w = w_2 \cdot w_3$ and calculates the first partial signature $h = H_2(M \| w, N)$ from $w$. It then uses $(S_2, S_3)$ to calculate the complete signature $S = [r_1 \cdot d_1]S_3 + [d_1]S_2$.
$(h, S)$ is the standard SM9 signature message. The user identity may be used for verification.
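The two-message flow above, as an added example that is not part of the patent text: it models group elements by their exponents, so it checks that the split key and partial signatures recombine into an $(h, S)$ accepted by standard SM9 verification, and provides no security. Assumptions: the formulas for $w_1$, $w_2$, $w_3$ survive on this page only as figure placeholders, so the example takes $w_1 = g^{r_1}$, $w_2 = w_1^{r_2}$, $w_3 = g^{r_3}$; SHA-256 stands in for the SM3-based $H_1$/$H_2$, $N$ is a stand-in prime, the $t_1$/$t_2$ derivation and the verification steps follow the standard SM9 algorithm, and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed stand-in for the SM9 group order N: a known prime, NOT the SM9 value.
N = 2**255 - 19

# Toy exponent model (assumption of this example): [k]P1 and [k]P2 are stored
# as k mod N and e(P1, P2)^x as x mod N. It checks the algebra, nothing more;
# stored values are discrete logs, so this model has no security at all.
P1 = P2 = 1
def g_mul(k, q): return k * q % N       # [k]Q in G1 or G2
def g_add(q, r): return (q + r) % N     # Q + R in G1 or G2
def pair(q1, q2): return q1 * q2 % N    # e(Q1, Q2)
def gt_pow(x, k): return x * k % N      # x^k in G_T
def gt_mul(x, y): return (x + y) % N    # x * y in G_T

def _hash_to_range(prefix, data):
    # SHA-256 stand-in for the SM3-based H1/H2; result lies in [1, N-1].
    return int.from_bytes(hashlib.sha256(prefix + data).digest(), "big") % (N - 1) + 1

def H1(ident):
    return _hash_to_range(b"\x01", ident + b"\x01")  # ID || hid (0x01 = signing)

def H2(msg, w):
    return _hash_to_range(b"\x02", msg + w.to_bytes(32, "big"))  # M || w

def rand_scalar():
    return secrets.randbelow(N - 1) + 1  # uniform in [1, N-1]

def kgc_setup(ident):
    """Initialization stage: the KGC derives d_S, splits it and computes g."""
    ks = rand_scalar()                   # signing master private key
    ppub = g_mul(ks, P2)                 # P_pub-s = [ks]P2
    t1 = (H1(ident) + ks) % N            # standard SM9 key derivation
    if t1 == 0:
        raise ValueError("t1 = 0: KGC must pick a new master key")
    t2 = ks * pow(t1, -1, N) % N
    d_s = g_mul(t2, P1)                  # full key d_S = [t2]P1, stays inside the KGC
    d1 = rand_scalar()                   # first signature private key
    D2 = g_mul(pow(d1, -1, N) * t2 % N, P1)   # D2 = [d1^-1 * t2]P1
    g = pair(P1, ppub)                   # g = e(P1, P_pub-s)
    return ppub, d_s, d1, D2, g

def party1_start(g):
    r1 = rand_scalar()
    return r1, gt_pow(g, r1)             # assumed w1 = g^r1

def party2_respond(D2, g, w1, msg):
    r2, r3 = secrets.randbelow(N), secrets.randbelow(N)   # [0, N-1] as on the page
    w2 = gt_pow(w1, r2)                  # assumed w2 = w1^r2
    w3 = gt_pow(g, r3)                   # assumed w3 = g^r3
    h = H2(msg, gt_mul(w2, w3))          # h = H2(M || w2*w3, N)
    S2 = g_mul((r3 - h) % N, D2)         # S2 = [r3 - h]D2
    S3 = g_mul(r2, D2)                   # S3 = [r2]D2
    return w2, w3, S2, S3

def party1_finish(d1, r1, msg, w2, w3, S2, S3):
    h = H2(msg, gt_mul(w2, w3))          # recomputed locally over party 1's own M
    S = g_add(g_mul(r1 * d1 % N, S3), g_mul(d1, S2))   # S = [r1*d1]S3 + [d1]S2
    if S == 0:
        # Standard SM9 signing retries when (r - h) mod N = 0; here that shows
        # up as S being the identity element, so the run must be restarted.
        raise ValueError("S is the identity element: restart signing")
    return h, S

def sm9_verify(ident, ppub, msg, h, S):
    """Standard SM9 verification steps, expressed in the toy model."""
    if not 1 <= h < N:
        return False
    t = gt_pow(pair(P1, ppub), h)                    # t = g^h
    P = g_add(g_mul(H1(ident), P2), ppub)            # P = [h1]P2 + P_pub-s
    w = gt_mul(pair(S, P), t)                        # w' = e(S, P) * t
    return H2(msg, w) == h

def distributed_sign(ident, msg):
    ppub, d_s, d1, D2, g = kgc_setup(ident)
    assert g_mul(d1, D2) == d_s                       # the shares recombine to d_S
    r1, w1 = party1_start(g)                          # message 1: (w1, M)
    w2, w3, S2, S3 = party2_respond(D2, g, w1, msg)   # message 2: (w2, w3, S2, S3)
    h, S = party1_finish(d1, r1, msg, w2, w3, S2, S3)
    return ppub, h, S

if __name__ == "__main__":
    ident, msg = b"device-001", b"constructed sample message"
    ppub, h, S = distributed_sign(ident, msg)
    print("verifies:", sm9_verify(ident, ppub, msg, h, S))
```

Because `party1_finish` hashes the first communication party's own copy of $M$, a second communication party that computed its partial signatures over a different message produces an $(h, S)$ that fails verification.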
The embodiment of the invention also provides a distributed signature system based on SM9, which comprises: the key generation center, the first communication party and the second communication party;
the key generation center is used for generating a signature bilinear pair $g$ and a user signature private key $d_S$, and for splitting the user signature private key $d_S$ into a first signature private key $d_1$ and a second signature private key $D_2$; the first signature private key $d_1$ and the signature bilinear pair $g$ are sent to the first communication party; the second signature private key $D_2$ and the signature bilinear pair $g$ are sent to the second communication party;
the first communication party is used for generating first signature assistance data $w_1$ using the signature bilinear pair $g$, and for sending the first signature assistance data $w_1$ and the message $M$ to be signed to the second communication party;
the second communication party is used for generating second signature assistance data $w_2$ and third signature assistance data $w_3$ according to the first signature assistance data $w_1$ and the signature bilinear pair $g$, performing a cryptographic operation on the message $M$ to be signed according to $w_2$ and $w_3$ to obtain a first partial signature $h$, generating a second partial signature $S_2$ and a third partial signature $S_3$ according to the first partial signature $h$ and the second signature private key $D_2$, and transmitting $w_2$, $w_3$, $S_2$, $S_3$ to the first communication party;
the first communication party is also used for performing a cryptographic operation on the message $M$ to be signed according to the second signature assistance data $w_2$ and the third signature assistance data $w_3$ to obtain the first partial signature $h$, obtaining the complete signature value $S$ according to the second partial signature $S_2$ and the third partial signature $S_3$, and thereby obtaining the standard SM9 signature message $(h, S)$.
In this embodiment, the key generation center splits the user signature private key and sends the parts to the two communication parties, who complete the digital signature together. The complete signature private key never appears in plaintext during signing, which ensures absolute security; the two communication parties complete the signature jointly and neither party can complete it alone, which further improves security; the Internet of Things terminal does not store a complete signature private key, which ensures absolute security of the private key; and the signature operation requires only two interactions, so the communication cost is low.
Optionally, in one embodiment, the key generation center splitting the user signature private key $d_S$ into the first signature private key $d_1$ and the second signature private key $D_2$ comprises:
the key generation center generates a random number $d_1 \in [1, N-1]$, a random number less than $N$, takes $d_1$ as the first signature private key, calculates $d_2 = d_1^{-1} \cdot t_2 \bmod N$ according to the first signature private key, and calculates the second signature private key $D_2 = [d_2]P_1$ according to $d_2$;
where the user signature private key is $d_S = [t_2]P_1$, $t_2$ is a 256-bit integer less than $N$ calculated from the user identity and the signature master key parameters, $P_1$ is the generator of the group $G_1$, and $N$ is the order of the SM9 cyclic group.
Optionally, in one embodiment, the first communication party generating the first signature assistance data $w_1$ using the signature bilinear pair $g$ comprises:
the first communication party generates a first random number $r_1 \in [1, N-1]$, where $N$ is the order of the SM9 cyclic group;
the first signature assistance data $w_1$ is calculated according to the first random number $r_1$ and the signature bilinear pair $g$:
Figure BDA0002496299380000101
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the apparatus and units described above may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of elements is merely a logical functional division, and there may be additional divisions of actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment of the present invention.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or various other media capable of storing program code.
The foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims (7)

1. A distributed signature method based on SM9, comprising the steps of:
the key generation center generates a signature bilinear pair $g$ and a user signature private key $d_S$, and splits the user signature private key $d_S$ into a first signature private key $d_1$ and a second signature private key $D_2$; sends the first signature private key $d_1$ and the signature bilinear pair $g$ to the first communication party; and sends the second signature private key $D_2$ and the signature bilinear pair $g$ to the second communication party;
the first communication party generates first signature assistance data $w_1$ using the signature bilinear pair $g$, and sends the first signature assistance data $w_1$ and the message $M$ to be signed to the second communication party;
the second communication party generates second signature assistance data $w_2$ and third signature assistance data $w_3$ according to the first signature assistance data $w_1$ and the signature bilinear pair $g$, performs a cryptographic operation on the message $M$ to be signed according to the second signature assistance data $w_2$ and the third signature assistance data $w_3$ to obtain a first partial signature $h$, generates a second partial signature $S_2$ and a third partial signature $S_3$ according to the first partial signature $h$ and the second signature private key $D_2$, and transmits $w_2$, $w_3$, $S_2$, $S_3$ to the first communication party;
wherein the second communication party generating the second signature assistance data $w_2$ and the third signature assistance data $w_3$ according to the first signature assistance data $w_1$ and the signature bilinear pair $g$ comprises:
the second communication party generates a second random number $r_2$ and a third random number $r_3$, where $r_2, r_3 \in [0, N-1]$ and $N$ is the order of the SM9 cyclic group;
generating the second signature assistance data $w_2$ according to the first signature assistance data $w_1$ and the second random number $r_2$:
Figure FDA0004176701070000011
generating the third signature assistance data $w_3$ according to the third random number $r_3$ and the signature bilinear pair $g$:
Figure FDA0004176701070000012
wherein generating the second partial signature $S_2$ and the third partial signature $S_3$ according to the first partial signature $h$ and the second signature private key $D_2$ comprises:
generating the second partial signature $S_2$ based on the first partial signature $h$ and the second signature private key $D_2$, $S_2 = [r_3 - h]D_2$;
generating the third partial signature $S_3$ based on the second signature private key $D_2$, $S_3 = [r_2]D_2$;
where $r_2$ represents the second random number, $r_3$ represents the third random number, $r_2, r_3 \in [0, N-1]$, $N$ is the order of the SM9 cyclic group, and $[\,]$ denotes point multiplication;
the first communication party performs a cryptographic operation on the message $M$ to be signed according to the second signature assistance data $w_2$ and the third signature assistance data $w_3$ to obtain the first partial signature $h$, obtains a complete signature value $S$ according to the second partial signature $S_2$ and the third partial signature $S_3$, and obtains $(h, S)$ as the standard SM9 signature of the message;
wherein the complete signature value $S$ is obtained from the second partial signature $S_2$ and the third partial signature $S_3$ as follows:
$S = [r_1 \cdot d_1]S_3 + [d_1]S_2$
where $r_1$ represents the first random number, $r_1 \in [1, N-1]$, $N$ is the order of the SM9 cyclic group, and $[\,]$ denotes point multiplication.
2. The method of claim 1, wherein splitting the user signature private key $d_S$ into the first signature private key $d_1$ and the second signature private key $D_2$ comprises:
the key generation center generates the first signature private key $d_1$, where $d_1$ is a random number smaller than $N$; calculates $d_2$ according to the first signature private key $d_1$, $d_2 = d_1^{-1} \cdot t_2 \bmod N$; and from $d_2$ calculates the second signature private key $D_2$, $D_2 = [d_2]P_1$;
wherein the user signature private key $d_S = [t_2]P_1$, where $t_2$ is a 256-bit integer less than $N$ calculated from the user identity and the signature master key parameters, $P_1$ is the generator of the SM9 cyclic group $G_1$, and $N$ is the order of the SM9 cyclic group.
3. The method according to claim 1, wherein the first communication party generating the first signature assistance data $w_1$ using the signature bilinear pair $g$ comprises:
the first communication party generates a first random number $r_1 \in [1, N-1]$, where $N$ is the order of the SM9 cyclic group;
calculating the first signature assistance data $w_1$ according to the first random number $r_1$ and the signature bilinear pair $g$:
Figure FDA0004176701070000031
4. The method according to any of claims 1 to 3, wherein performing a cryptographic operation on the message $M$ to be signed according to the second signature assistance data $w_2$ and the third signature assistance data $w_3$ to obtain the first partial signature $h$ comprises:
generating complete signature assistance data $w$ according to the second signature assistance data $w_2$ and the third signature assistance data $w_3$, $w = w_2 \cdot w_3$;
performing a cryptographic operation on the message $M$ to be signed according to the complete signature assistance data $w$ to obtain the first partial signature $h$, where $h = H_2(M \| w, N)$, $H_2()$ is a cryptographic function derived from the cryptographic hash function SM3, and $N$ is the order of the SM9 cyclic group.
5. An SM9-based distributed signature system, comprising: the key generation center, the first communication party and the second communication party;
the key generation center is used for generating a signature bilinear pair $g$ and a user signature private key $d_S$, and splitting the user signature private key $d_S$ into a first signature private key $d_1$ and a second signature private key $D_2$; sending the first signature private key $d_1$ and the signature bilinear pair $g$ to the first communication party; and sending the second signature private key $D_2$ and the signature bilinear pair $g$ to the second communication party;
the first communication party is used for generating first signature assistance data $w_1$ using the signature bilinear pair $g$, and sending the first signature assistance data $w_1$ and the message $M$ to be signed to the second communication party;
the second communication party is used for generating second signature assistance data $w_2$ and third signature assistance data $w_3$ according to the first signature assistance data $w_1$ and the signature bilinear pair $g$, performing a cryptographic operation on the message $M$ to be signed according to the second signature assistance data $w_2$ and the third signature assistance data $w_3$ to obtain a first partial signature $h$, generating a second partial signature $S_2$ and a third partial signature $S_3$ according to the first partial signature $h$ and the second signature private key $D_2$, and transmitting $w_2$, $w_3$, $S_2$, $S_3$ to the first communication party;
wherein the second communication party generating the second signature assistance data $w_2$ and the third signature assistance data $w_3$ according to the first signature assistance data $w_1$ and the signature bilinear pair $g$ comprises:
the second communication party generates a second random number $r_2$ and a third random number $r_3$, where $r_2, r_3 \in [0, N-1]$ and $N$ is the order of the SM9 cyclic group;
generating the second signature assistance data $w_2$ according to the first signature assistance data $w_1$ and the second random number $r_2$:
Figure FDA0004176701070000041
generating the third signature assistance data $w_3$ according to the third random number $r_3$ and the signature bilinear pair $g$:
Figure FDA0004176701070000042
wherein generating the second partial signature $S_2$ and the third partial signature $S_3$ according to the first partial signature $h$ and the second signature private key $D_2$ comprises:
generating the second partial signature $S_2$ based on the first partial signature $h$ and the second signature private key $D_2$, $S_2 = [r_3 - h]D_2$;
generating the third partial signature $S_3$ based on the second signature private key $D_2$, $S_3 = [r_2]D_2$;
where $r_2$ represents the second random number, $r_3$ represents the third random number, $r_2, r_3 \in [0, N-1]$, $N$ is the order of the SM9 cyclic group, and $[\,]$ denotes point multiplication;
the first communication party is also used for performing a cryptographic operation on the message $M$ to be signed according to the second signature assistance data $w_2$ and the third signature assistance data $w_3$ to obtain the first partial signature $h$, obtaining a complete signature value $S$ according to the second partial signature $S_2$ and the third partial signature $S_3$, and obtaining $(h, S)$ as the standard SM9 signature of the message;
wherein the complete signature value $S$ is obtained from the second partial signature $S_2$ and the third partial signature $S_3$ as follows:
$S = [r_1 \cdot d_1]S_3 + [d_1]S_2$
where $r_1$ represents the first random number, $r_1 \in [1, N-1]$, $N$ is the order of the SM9 cyclic group, and $[\,]$ denotes point multiplication.
6. The system of claim 5, wherein the key generation center splitting the user signature private key $d_S$ into the first signature private key $d_1$ and the second signature private key $D_2$ comprises:
the key generation center generates a random number $d_1 \in [1, N-1]$, where $d_1$ is a random number less than $N$, and takes $d_1$ as the first signature private key; calculates $d_2$ according to the first signature private key, $d_2 = d_1^{-1} \cdot t_2 \bmod N$; and from $d_2$ calculates the second signature private key $D_2$, $D_2 = [d_2]P_1$;
wherein the user signature private key $d_S = [t_2]P_1$, where $t_2$ is a 256-bit integer less than $N$ calculated from the user identity and the signature master key parameters, $P_1$ is the generator of group $G_1$, and $N$ is the order of the SM9 cyclic group.
7. The system of claim 5, wherein the first communication party generating the first signature assistance data $w_1$ using the signature bilinear pair $g$ comprises:
the first communication party generates a first random number $r_1 \in [1, N-1]$, where $N$ is the order of the SM9 cyclic group;
calculating the first signature assistance data $w_1$ according to the first random number $r_1$ and the signature bilinear pair $g$:
Figure FDA0004176701070000051
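The key split and the recombination $S = [r_1 \cdot d_1]S_3 + [d_1]S_2$ in the claims can be checked algebraically. The following is an added example, not part of the patent: a toy model (tiny constructed parameters, SHA-256 standing in for the SM3-based $H_2$) that runs the exchange and compares the result with single-signer SM9 signing under the nonce $r = r_1 r_2 + r_3$. The formulas for $w_1$, $w_2$, $w_3$ survive above only as figure placeholders, so the code assumes $w_1 = g^{r_1}$, $w_2 = w_1^{r_2}$, $w_3 = g^{r_3}$, the forms under which $(h, S)$ matches a standard SM9 signature.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example and NOT secure: the order-N
# subgroup of Z_P^* stands in for the pairing target group, and a G_1 point
# [k]P_1 is represented by the scalar k mod N, so point addition is + mod N.
P, N = 2039, 1019          # P = 2N + 1, both prime
G = pow(4, 77, P)          # stand-in for the signature bilinear pair g

def h2(msg: bytes, w: int) -> int:
    """Stand-in for H_2(M||w, N); SHA-256 replaces the SM3-based function."""
    digest = hashlib.sha256(msg + w.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1

def kgc_split(t2: int):
    """KGC: d_1 random in [1, N-1], d_2 = d_1^-1 * t_2 mod N, D_2 = [d_2]P_1."""
    d1 = 1 + secrets.randbelow(N - 1)
    return d1, pow(d1, -1, N) * t2 % N

def party1_start():
    """First party: r_1 in [1, N-1]; w_1 = g^r_1 is an assumed form."""
    r1 = 1 + secrets.randbelow(N - 1)
    return r1, pow(G, r1, P)

def party2_respond(D2: int, w1: int, msg: bytes):
    """Second party: returns (w_2, w_3, S_2, S_3) plus its nonces for checking."""
    r2, r3 = secrets.randbelow(N), secrets.randbelow(N)
    w2, w3 = pow(w1, r2, P), pow(G, r3, P)      # assumed forms of w_2, w_3
    h = h2(msg, w2 * w3 % P)                    # w = w_2 * w_3
    S2 = (r3 - h) * D2 % N                      # S_2 = [r_3 - h]D_2
    S3 = r2 * D2 % N                            # S_3 = [r_2]D_2
    return (w2, w3, S2, S3), (r2, r3)

def party1_finish(d1, r1, msg, w2, w3, S2, S3):
    """First party: recompute h, then S = [r_1*d_1]S_3 + [d_1]S_2."""
    h = h2(msg, w2 * w3 % P)
    return h, (r1 * d1 * S3 + d1 * S2) % N

def single_signer(t2: int, msg: bytes, r: int):
    """Standard SM9 signing with the whole key: w = g^r, S = [r - h]d_S."""
    h = h2(msg, pow(G, r, P))
    return h, (r - h) * t2 % N

def run(t2: int, msg: bytes):
    """Run the exchange; also return the effective nonce r = r_1*r_2 + r_3."""
    d1, D2 = kgc_split(t2)
    r1, w1 = party1_start()
    (w2, w3, S2, S3), (r2, r3) = party2_respond(D2, w1, msg)
    return party1_finish(d1, r1, msg, w2, w3, S2, S3), (r1 * r2 + r3) % N
```

Because discrete logarithms are trivial in this model, it confirms only that the partial values combine to $[r - h]d_S$; it says nothing about the security of the split.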
CN202010419426.6A 2020-05-18 2020-05-18 SM 9-based distributed signature method and system Active CN111740837B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010419426.6A CN111740837B (en) 2020-05-18 2020-05-18 SM 9-based distributed signature method and system

Publications (2)

Publication Number Publication Date
CN111740837A CN111740837A (en) 2020-10-02
CN111740837B true CN111740837B (en) 2023-07-07

Family

ID=72647402

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010419426.6A Active CN111740837B (en) 2020-05-18 2020-05-18 SM 9-based distributed signature method and system

Country Status (1)

Country Link
CN (1) CN111740837B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114257374B (en) * 2021-12-20 2023-08-15 山东大学 Verifiable secure outsourcing calculation method and system for identifying cryptosystem

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014120121A1 (en) * 2013-01-29 2014-08-07 Certicom Corp. Modified sm2 elliptic curve signature algorithm supporting message recovery
CN107579819A (en) * 2017-09-13 2018-01-12 何德彪 A kind of SM9 digital signature generation method and system
CN108173639A (en) * 2018-01-22 2018-06-15 中国科学院数据与通信保护研究教育中心 A kind of two side's cooperation endorsement methods based on SM9 signature algorithms
CN110011802A (en) * 2019-02-27 2019-07-12 武汉大学 A kind of two side of efficient SM9 cooperates with the method and system of generation digital signature
CN111010285A (en) * 2019-11-25 2020-04-14 武汉大学 SM2 two-party collaborative signature method and medium suitable for lightweight client

Also Published As

Publication number Publication date
CN111740837A (en) 2020-10-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100102 room 1406, 14th floor, building 2, yard 16, Guangshun North Street, Chaoyang District, Beijing

Applicant after: Sanwei Xin'an Technology Co.,Ltd.

Address before: 100102 room 1406, 14th floor, building 2, yard 16, Guangshun North Street, Chaoyang District, Beijing

Applicant before: BEIJING SANSEC TECHNOLOGY DEVELOPMENT Co.,Ltd.

GR01 Patent grant