CN111953479B - Data processing method and device - Google Patents


Publication number
CN111953479B
Authority
CN
China
Prior art keywords
parameter
key generation
secret share
user
private key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910409556.9A
Other languages
Chinese (zh)
Other versions
CN111953479A (en)
Inventor
戴望辰
章庆隆
汤倩莹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201910409556.9A
Publication of CN111953479A
Application granted
Publication of CN111953479B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a data processing method and device. The data processing method comprises the following steps: the ith key generation center obtains a first parameter $x_i$ and a first secret share, wherein the ith key generation center is any one of m preset key generation centers, the first parameter $x_i$ is a random positive integer, and m is an integer greater than 1; the ith key generation center generates a second secret share according to the first parameter $x_i$ and the first secret share; the ith key generation center sends the first parameter $x_i$ and the second secret share to the user. According to the technical scheme provided by the application, multiple key generation centers participate in the generation of the identification private key, which improves the security and non-repudiation of the identification private key and reduces the load on a single key generation center and the cost of a single point of failure.

Description

Data processing method and device
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and an apparatus for data processing.
Background
A conventional public key system generally employs a digital certificate mechanism to realize secure correspondence between a user identity and a user public key, and a digital certificate is generally implemented by public-key infrastructure (PKI) technology. The technology requires a trusted Certificate Authority (CA) to authenticate the user and then issue a digital certificate for the user. The digital certificate binds the user identity and the user key together in a digital signature manner. In the communication process, the user needs to exchange the certificate first to complete the identity authentication of the user, and then can perform operations such as information transmission.
In certificate-based public key systems, the complexity of the certificate usage process makes the system difficult to use for ordinary users without the relevant knowledge. To reduce the complexity of certificate management and usage in public key systems, identity-based cryptography (IBC) was developed: a user's public key can be calculated from an identity of the user (e.g., a mailbox address, a mobile phone number, an identification number, etc.) by a method specified by the system. In this case the user does not need to apply for and exchange digital certificates, which greatly reduces the complexity of the cryptographic system. At present, in a secure network based on an identity cryptosystem, the identification public key of a user is generally the identity (ID) of the user, and the corresponding identification private key needs to be generated by a key generation center (KGC) and securely sent to the user. Taking the private key generation mode given in the SM9 identification cryptographic algorithm standard as an example, a single KGC generates the identification private keys of all users. However, since the identification private keys of all users are derived from a single master private key, when the KGC master private key is illegally obtained, the information of all users may be leaked; the cost of a single point of failure is high and the security is low.
Therefore, how to improve the security of the user identification private key generation process is a problem to be solved urgently at present.
Disclosure of Invention
The application provides a data processing method and device, which address the problems caused by using a single-KGC architecture when the identification private key is generated based on the SM9 identification cryptographic algorithm standard: the high cost of a single point of failure, the heavy KGC load, and the poor non-repudiation of the identification private key.
In a first aspect, a method for data processing is provided, including: the ith key generation center obtains a first parameter $x_i$ and a first secret share, the ith key generation center being any one of m preset key generation centers, the first secret share including a second parameter $ks_i$, where $(x_i, ks_i)$ is a point on the curve corresponding to a sharing polynomial of the signature master private key $ks$, the first parameter $x_i$ is a random positive integer, and m is an integer greater than 1; the ith key generation center generates a second secret share according to the first parameter $x_i$ and the first secret share, the second secret share including a third parameter $Y_i$, where $(x_i, Y_i)$ is a point on the curve corresponding to a sharing polynomial of the user's identification private key; the ith key generation center sends the first parameter $x_i$ and the second secret share to the user.
According to the data processing method, on the basis of the SM9 identification cryptographic algorithm standard, a plurality of key generation centers jointly participate in generating the user identification private key. This reduces the problem that user identification private keys are leaked because the master private key is leaked after a single KGC is compromised during generation of the identification private key, reduces the risk of a single point of failure, and improves the security of the identification private key generation process. In addition, because the generation of the identification private key is completed jointly by a plurality of KGCs, the weak non-repudiation of the identification private key and the overload of the single KGC in a single-KGC architecture are addressed.
With reference to the first aspect, in certain implementations of the first aspect, the first secret share further includes a fourth parameter $\beta_i$ and a fifth parameter $\theta_i$, where $(x_i, \beta_i)$ is a point on the curve corresponding to the sharing polynomial of the non-zero parameter $\beta$, and $(x_i, \theta_i)$ is a point on the curve corresponding to the sharing polynomial of the zero parameter $\theta$; the generating, by the ith key generation center, of a second secret share according to the first parameter $x_i$ and the first secret share includes: the ith key generation center determines a sixth parameter $\gamma_i$ according to the first secret share and the hash value of the identification public key of the user, and the ith key generation center publishes the sixth parameter $\gamma_i$; the ith key generation center obtains at least 2t sixth parameters $\gamma_j$, each sixth parameter $\gamma_j$ being generated and published by a jth key generation center, where the jth key generation center is any key generation center of the m key generation centers other than the ith key generation center; the ith key generation center determines a seventh parameter $\gamma$ according to at least 2t+1 of the sixth parameters, where 2t is the order of a polynomial of the seventh parameter; and the ith key generation center generates the second secret share according to the first secret share and the seventh parameter.
According to the data processing method, the sixth parameter is obtained from the auxiliary parameters and the parameters in the first secret share, which improves the security of the subsequent transmission of the sixth parameter between the KGCs. In other words, the auxiliary parameters prevent an attacker who has acquired the sixth parameter from using it to recover the master private key of the system and thereby obtain the identification private key of the user.
It should be understood that the embodiment of the present application may use one non-zero secret parameter and one zero parameter, or may use a plurality of non-zero parameters and a plurality of zero parameters.
With reference to the first aspect, in certain implementations of the first aspect, the obtaining, by the ith key generation center, of a first secret share includes: the ith key generation center obtains m-1 master private key intermediate values
Figure BDA0002062366800000021
non-zero parameter intermediate values
Figure BDA0002062366800000022
and zero parameter intermediate values
Figure BDA0002062366800000023
wherein each master private key intermediate value
Figure BDA0002062366800000024
non-zero parameter intermediate value
Figure BDA0002062366800000025
and zero parameter intermediate value
Figure BDA0002062366800000026
is generated by a jth key generation center; the ith key generation center uses the m-1 master private key intermediate values
Figure BDA0002062366800000027
non-zero parameter intermediate values
Figure BDA0002062366800000028
and zero parameter intermediate values
Figure BDA0002062366800000029
to obtain the first secret share.
According to the data processing method, the ith key generation center generates the parameters in the first secret share by acquiring the intermediate parameters sent by the other multiple key generation centers, so that the main private key of the system can be recovered only after the parameters of the multiple key generation centers are acquired, the problem that the main private key of the whole system is acquired because only one or part of KGC is broken is avoided, and the risk of single-point failure is reduced.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: the ith key generation center generates a temporary master private key $ks^{(i)}$, a non-zero parameter $\beta^{(i)}$ and a zero parameter $\theta^{(i)}$; the ith key generation center determines, according to the temporary master private key $ks^{(i)}$, the non-zero parameter $\beta^{(i)}$ and the zero parameter $\theta^{(i)}$, m-1 master private key intermediate values for the jth key generation centers
Figure BDA00020623668000000210
non-zero parameter intermediate values
Figure BDA00020623668000000211
and zero parameter intermediate values
Figure BDA00020623668000000212
the ith key generation center sends, to each of the m-1 jth key generation centers, the master private key intermediate value corresponding to that jth key generation center
Figure BDA00020623668000000213
non-zero parameter intermediate value
Figure BDA00020623668000000214
and zero parameter intermediate value
Figure BDA00020623668000000215
According to the data processing method in the embodiment of the application, when the architecture for generating the user identification private key does not have the main KGC but only consists of a plurality of lower KGCs, each lower KGC can realize the function similar to the main KGC. Specifically, each lower-layer KGC can generate a temporary master private key, generate an intermediate value for calculating the system master private key for each other KGC according to a sharing polynomial constructed by the temporary master private key, simultaneously acquire the intermediate value generated by each other KGC for the lower-layer KGC, and determine the system master private key by using the acquired intermediate value. Through the joint participation of the KGCs in the generation process of the identification private key, the risk of single-point failure and the load of each KGC are reduced, and the non-repudiation of the identification private key is improved.
With reference to the first aspect, in certain implementations of the first aspect, the obtaining, by the ith key generation center, a first secret share includes: and the ith key generation center acquires the first secret sharing share sent by the master key generation center.
With reference to the first aspect, in certain implementations of the first aspect, the sixth parameter $\gamma_i = \beta_i (H_{ID_A} + ks_i) + \theta_i$, and the determining, by the ith key generation center, of a seventh parameter $\gamma$ according to the first secret share and the sixth parameter includes: the ith key generation center determines the seventh parameter $\gamma$ by Lagrange interpolation, wherein
Figure BDA0002062366800000031
Figure BDA0002062366800000032
$x_j$ is the first parameter of a key generation center other than the ith key generation center among the m key generation centers; the generating, by the ith key generation center, of the second secret share according to the first secret share and the seventh parameter includes: the ith key generation center generates the third parameter in the second secret share according to the first secret share and the seventh parameter as $Y_i = [\gamma^{-1} \beta_i ks_i] P_1$, where $P_1$ is a system parameter of the SM9 identification cryptographic algorithm.
With reference to the first aspect, in certain implementations of the first aspect, the obtaining, by the ith key generation center, of a first secret share includes: the ith key generation center uses the master private key intermediate values
Figure BDA0002062366800000033
non-zero parameter intermediate values
Figure BDA0002062366800000034
and zero parameter intermediate values
Figure BDA0002062366800000035
to obtain the first secret share, wherein the second parameter $ks_i$ in the first secret share satisfies
Figure BDA0002062366800000036
Figure BDA0002062366800000037
is a point on the sharing polynomial of $ks^{(j)}$, the fourth parameter $\beta_i$ satisfies
Figure BDA0002062366800000038
Figure BDA0002062366800000039
is a point on the sharing polynomial of $\beta^{(j)}$, the fifth parameter $\theta_i$ satisfies
Figure BDA00020623668000000310
Figure BDA00020623668000000311
Figure BDA00020623668000000312
is a point on the sharing polynomial of $\theta^{(j)}$, where $ks^{(j)}$, $\beta^{(j)}$, $\theta^{(j)}$ are respectively the temporary master private key, non-zero parameter and zero parameter generated by the jth of the m key generation centers; the parameters of the sharing polynomials of $ks^{(i)}$ and $ks^{(j)}$ are all random numbers, the parameters of the sharing polynomials of $\beta^{(i)}$ and $\beta^{(j)}$ are all random numbers, and the parameters of the sharing polynomials of $\theta^{(i)}$ and $\theta^{(j)}$ are all random numbers.
In a second aspect, a method for data processing is provided, including: the user receives second secret shares from n key generation centers, each second secret share including a first parameter $x_i$ and a third parameter $Y_i$, where $(x_i, Y_i)$ is a point on the sharing polynomial of the user identification private key corresponding to the signature master private key, and n is greater than the order of the sharing polynomial of the user identification private key; and the user generates the identification private key of the user according to the second secret shares.
According to the data processing method, the user obtains the first parameter and the second secret share from enough KGCs (more than the order of the identification private key polynomial) and generates the user's own identification private key from them. This avoids the leakage risk that arises when the identification private key of the user is generated directly by a key generation center and then sent to the user, and improves the security of the process of generating the user identification private key.
With reference to the second aspect, in some implementation manners of the second aspect, the generating, by the user, of an identification private key of the user according to the second secret share includes: the user determines a sharing polynomial of the identification private key of the user by Lagrange interpolation according to the third parameter $Y_i$ in the second secret share; and the user determines the identification private key of the user according to the sharing polynomial of the identification private key.
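The KGC-side steps of the first aspect and the user-side reconstruction of the second aspect, carried through end to end as an added example (not code from the patent or from any SM9 implementation). Assumptions: the master-KGC variant deals the first secret shares; $ks$ and $\beta$ use degree-t sharing polynomials and $\theta$ a degree-2t polynomial with constant term 0; a stand-in prime replaces the SM9 group order, SHA-256 replaces the SM9 hash, and a point $[k]P_1$ is represented by its scalar $k$. All function names are hypothetical.

```python
import hashlib
import secrets

# Assumption: a stand-in prime modulus playing the role of the group order N.
# It is NOT the SM9 group order; a point [k]P1 is represented by its scalar k.
N = 2**255 - 19


def poly_eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, mod N."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc


def lagrange_at_zero(points):
    """Lagrange-interpolate f(0) mod N from distinct (x, f(x)) points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * (-xk) % N
                den = den * (xj - xk) % N
        total = (total + yj * num * pow(den, -1, N)) % N
    return total


def hash_id(identity):
    """Stand-in for the SM9 hash of the user's identity (assumption: SHA-256)."""
    return int.from_bytes(hashlib.sha256(identity).digest(), "big") % N


def deal_first_shares(ks, t, m):
    """Master-KGC variant: deal the first secret share (ks_i, beta_i, theta_i)
    to m KGCs, keyed by the first parameter x_i."""
    xs = set()
    while len(xs) < m:  # x_i: distinct random positive integers
        xs.add(secrets.randbelow(2**32) + 1)
    f_ks = [ks] + [secrets.randbelow(N) for _ in range(t)]
    # beta is the non-zero blinding parameter, theta shares the value zero.
    f_beta = [secrets.randbelow(N - 1) + 1] + [secrets.randbelow(N) for _ in range(t)]
    f_theta = [0] + [secrets.randbelow(N) for _ in range(2 * t)]
    return {x: (poly_eval(f_ks, x), poly_eval(f_beta, x), poly_eval(f_theta, x))
            for x in sorted(xs)}


def kgc_gamma_share(share, h):
    """Sixth parameter published by one KGC: gamma_i = beta_i (H + ks_i) + theta_i."""
    ks_i, beta_i, theta_i = share
    return (beta_i * (h + ks_i) + theta_i) % N


def kgc_second_share(share, gamma):
    """Scalar of the third parameter Y_i = [gamma^-1 beta_i ks_i] P1."""
    ks_i, beta_i, _ = share
    return pow(gamma, -1, N) * beta_i * ks_i % N


def user_recover(second_shares):
    """User side: interpolate the identification private key scalar at x = 0."""
    return lagrange_at_zero(second_shares)


def run_protocol(identity, t=2, m=7):
    """Run all KGC steps; return (reference key scalar, list of (x_i, Y_i))."""
    if m < 2 * t + 1:
        raise ValueError("need at least 2t+1 key generation centers")
    ks = secrets.randbelow(N - 1) + 1
    h = hash_id(identity)
    if (h + ks) % N == 0:
        raise ValueError("H + ks is zero: the master private key must be regenerated")
    shares = deal_first_shares(ks, t, m)
    published = [(x, kgc_gamma_share(s, h)) for x, s in shares.items()]
    # gamma = beta (H + ks): blinded by beta, so it does not reveal ks.
    gamma = lagrange_at_zero(published[:2 * t + 1])
    second = [(x, kgc_second_share(s, gamma)) for x, s in shares.items()]
    # Reference value computed from ks directly: the SM9 signature private key
    # is ds_A = [ks (H + ks)^-1] P1. No KGC computes this in the protocol.
    reference = ks * pow(h + ks, -1, N) % N
    return reference, second
```

With t = 2 any five of the seven second secret shares reconstruct the key, while four do not, which is the "n greater than the order of the sharing polynomial" condition stated in the second aspect.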
In a third aspect, an apparatus for data processing is provided, including: a receiving unit, configured to obtain a first parameter $x_i$ and a first secret share, the first secret share including a second parameter $ks_i$, where $(x_i, ks_i)$ is a point on the curve corresponding to a sharing polynomial of the signature master private key $ks$, the first parameter $x_i$ is a random positive integer, and m is an integer greater than 1; a processing unit, configured to generate a second secret share according to the first parameter $x_i$ and the first secret share, the second secret share including a third parameter $Y_i$, where $(x_i, Y_i)$ is a point on the curve corresponding to a sharing polynomial of the user's identification private key; and a sending unit, configured to send the first parameter $x_i$ and the second secret share to the user.
With reference to the third aspect, in certain implementations of the third aspect, the first secret share further includes a fourth parameter $\beta_i$ and a fifth parameter $\theta_i$, where $(x_i, \beta_i)$ is a point on the curve corresponding to the sharing polynomial of the non-zero parameter $\beta$, and $(x_i, \theta_i)$ is a point on the curve corresponding to the sharing polynomial of the zero parameter $\theta$; the processing unit being configured to generate a second secret share according to the first parameter $x_i$ and the first secret share includes: the processing unit is configured to determine a sixth parameter $\gamma_i$ according to the first secret share and the hash value of the identification public key of the user, and the sending unit publishes the sixth parameter $\gamma_i$; the processing unit is further configured to determine a seventh parameter $\gamma$ according to at least 2t+1 of the sixth parameters, where 2t is the order of a polynomial of the seventh parameter; the processing unit is further configured to generate the second secret share according to the first secret share and the seventh parameter.
With reference to the third aspect, in some implementation manners of the third aspect, the receiving unit being configured to obtain the first secret share includes: the receiving unit is configured to obtain m-1 master private key intermediate values
Figure BDA0002062366800000041
non-zero parameter intermediate values
Figure BDA0002062366800000042
and zero parameter intermediate values
Figure BDA0002062366800000043
wherein each master private key intermediate value
Figure BDA0002062366800000044
non-zero parameter intermediate value
Figure BDA0002062366800000045
and zero parameter intermediate value
Figure BDA0002062366800000046
is generated by a jth key generation center; the receiving unit is further configured to obtain, from the m-1 master private key intermediate values
Figure BDA0002062366800000047
non-zero parameter intermediate values
Figure BDA0002062366800000048
and zero parameter intermediate values
Figure BDA0002062366800000049
the first secret share generated by the processing unit.
With reference to the third aspect, in some implementations of the third aspect, the method further includes: the processing unit is configured to generate a temporary master private key $ks^{(i)}$, a non-zero parameter $\beta^{(i)}$ and a zero parameter $\theta^{(i)}$; the processing unit is further configured to determine, according to the temporary master private key $ks^{(i)}$, the non-zero parameter $\beta^{(i)}$ and the zero parameter $\theta^{(i)}$, m-1 master private key intermediate values for the jth key generation centers
Figure BDA00020623668000000410
non-zero parameter intermediate values
Figure BDA00020623668000000411
and zero parameter intermediate values
Figure BDA00020623668000000412
the sending unit is configured to send, to each of the m-1 jth key generation centers, the temporary master private key intermediate value corresponding to that jth key generation center
Figure BDA00020623668000000413
non-zero parameter intermediate value
Figure BDA00020623668000000414
and zero parameter intermediate value
Figure BDA00020623668000000415
With reference to the third aspect, in some implementation manners of the third aspect, the receiving unit, configured to obtain the first secret share, includes: the receiving unit is used for acquiring the first secret share transmitted by the master key generation center.
With reference to the third aspect, in certain implementations of the third aspect, the sixth parameter $\gamma_i = \beta_i (H_{ID_A} + ks_i) + \theta_i$, and the processing unit being configured to determine a seventh parameter $\gamma$ according to the first secret share and the sixth parameter includes: the processing unit is configured to determine the seventh parameter $\gamma$ by Lagrange interpolation, wherein
Figure BDA00020623668000000416
Figure BDA00020623668000000417
$x_j$ is the first parameter of a key generation center other than the ith key generation center among the m key generation centers; the processing unit being configured to generate the second secret share according to the first secret share and the seventh parameter includes: the processing unit is configured to generate the third parameter in the second secret share according to the first secret share and the seventh parameter as $Y_i = [\gamma^{-1} \beta_i ks_i] P_1$, where $P_1$ is a system parameter of the SM9 identification cryptographic algorithm.
With reference to the third aspect, in certain implementation manners of the third aspect, the receiving unit being configured to obtain the first secret share includes: the receiving unit is configured to obtain, according to the master private key intermediate values
Figure BDA00020623668000000418
non-zero parameter intermediate values
Figure BDA00020623668000000419
and zero parameter intermediate values
Figure BDA00020623668000000420
the first secret share determined by the processing unit, wherein the second parameter $ks_i$ in the first secret share satisfies
Figure BDA00020623668000000421
Figure BDA00020623668000000422
is a point on the sharing polynomial of $ks^{(j)}$, the fourth parameter $\beta_i$ satisfies
Figure BDA00020623668000000423
Figure BDA00020623668000000424
is a point on the sharing polynomial of $\beta^{(j)}$, the fifth parameter $\theta_i$ satisfies
Figure BDA00020623668000000425
Figure BDA00020623668000000426
is a point on the sharing polynomial of $\theta^{(j)}$, where $ks^{(j)}$, $\beta^{(j)}$, $\theta^{(j)}$ are respectively the temporary master private key, non-zero parameter and zero parameter generated by the jth of the m key generation centers; the parameters of the sharing polynomials of $ks^{(i)}$ and $ks^{(j)}$ are all random numbers, the parameters of the sharing polynomials of $\beta^{(i)}$ and $\beta^{(j)}$ are all random numbers, and the parameters of the sharing polynomials of $\theta^{(i)}$ and $\theta^{(j)}$ are all random numbers.
In a fourth aspect, an apparatus for data processing is provided, including: a receiving unit, configured to receive second secret shares from n key generation centers, each second secret share including a first parameter $x_i$ and a third parameter $Y_i$, where $(x_i, Y_i)$ is a point on the sharing polynomial of the user identification private key corresponding to the signature master private key, and n is greater than the order of the sharing polynomial of the user identification private key; and a processing unit, configured to generate the identification private key of the user according to the second secret shares.
With reference to the fourth aspect, in some implementation manners of the fourth aspect, the processing unit being configured to generate an identification private key of the user according to the second secret share includes: the processing unit is configured to determine a sharing polynomial of the identification private key of the user by Lagrange interpolation according to the third parameter $Y_i$ in the second secret share; the processing unit is further configured to determine the identification private key of the user according to the sharing polynomial of the identification private key.
In a fifth aspect, an apparatus for data processing is provided, including: at least one receiver, a transmitter and a processor, wherein the apparatus is configured to perform the method of data processing provided by any implementation manner of the first aspect.
In a sixth aspect, an apparatus for data processing is provided, comprising: at least one receiver and a processor, wherein the apparatus is configured to perform the method of data processing provided by any implementation manner of the second aspect.
In a seventh aspect, a system for data processing is provided, including: the system comprises at least two key generation centers and a user, wherein the key generation centers are used for executing the data processing method provided by any one of the first aspect implementation manners, and the user is used for executing the data processing method provided by any one of the second aspect implementation manners.
According to the data processing method and device, the multiple key generation centers participate in the generation process of the identification private key of the user together, so that the safety of the generation process of the identification private key of the user can be improved, the risk of single-point failure is reduced, the load of a single key generation center can be reduced, and the non-repudiation of the identification private key of the user is improved.
Drawings
Fig. 1 is a schematic diagram of an identification private key generation method of the SM9 identification cryptographic algorithm standard.
Fig. 2(a) is a schematic diagram of a single KGC architecture of the SM9 signature algorithm.
Fig. 2(b) is a schematic diagram of a multi-KGC architecture according to an embodiment of the present disclosure.
Fig. 3 is a schematic diagram of a data processing method provided in the present application.
Fig. 4 is a schematic flow chart of a data processing method provided in the present application.
Fig. 5 is a schematic diagram of an architecture applied by a data processing method according to an embodiment of the present application.
Fig. 6 is a schematic diagram of an architecture applied by another data processing method according to an embodiment of the present application.
Fig. 7 is a schematic diagram of a data processing apparatus according to an embodiment of the present application.
Fig. 8 is a schematic diagram illustrating another data processing apparatus according to an embodiment of the present application.
Fig. 9 shows a schematic structural diagram of a data processing apparatus provided in the present application.
Fig. 10 shows a schematic structural diagram of another data processing apparatus provided in the present application.
Detailed Description
The technical solutions in the present application will be described clearly and completely with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
To facilitate understanding of the technical solutions of the present application, first, technical terms and mathematical theories that may be involved in the present application will be described.
1. Identity-based cryptography (IBC): the cipher system based on ID is one asymmetrical public key cipher system. The concept of identifying passwords was proposed by Shamir in 1984, and the main idea is that no certificate is required in the system, and the Identification (ID) of the user, such as name, Internet Protocol (IP) address, email address, mobile phone number, etc., is tried as a public key. The private key of the user is calculated by the key generation center according to the system master private key and the user identification. The public key of the user is uniquely determined by the user identification, so that no third party is required to guarantee the authenticity of the public key.
2. The SM9 algorithm: the SM9 identification code algorithm is an identification code standard adopted by the government of the people's republic of China, is issued by the national code administration in 2016, 3, month and 28, and has a relevant standard of ' GM/T0044 + SM 2016 SM9 identification face algorithm '. SM9 identifies that the cryptographic algorithm is an identity-based cryptographic algorithm based on bilinear pairings. In a commercial cryptosystem, the SM9 is mainly used for user identity authentication, calculates a corresponding private key using a user identity as a user public key, and implements functions such as digital signature, data encryption, key exchange, and key encapsulation. The encryption strength of SM9 is reported by the newseine public to be equivalent to the RSA encryption algorithm for 3072-bit keys.
3. Public-key infrastructure (PKI): the public key infrastructure is a set of hardware, software, personnel, policies, and procedures that are used to implement the functions of generating, managing, storing, distributing, and revoking keys and certificates based on a public key cryptosystem. The PKI system is a combination of computer software and hardware, authorities, and application systems. It provides basic security services for conducting e-commerce, e-government, office automation, etc., so that users who are not aware of each other or are located far away from each other can securely communicate through a chain of trust.
4. Digital Certificate Authority (CA): a digital certificate authority is an authority responsible for issuing certificates, authenticating certificates, and managing issued certificates. It specifies the policies and specific steps used to verify and identify the user's identity, and signs the user's certificate to confirm the certificate holder's identity and ownership of the public key.
5. Message (message): bit strings of arbitrary finite length.
6. Plain text (plaintext): unencrypted information.
7. Ciphertext (ciphertext): information whose content has been hidden by transformation.
8. Encryption (encryption): the (reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e. to hide the information content of the data.
9. Decryption (decryption): the reverse process corresponding to encryption.
10. Master private key (master key): the key at the top layer of the identification cryptography key hierarchy. It is divided into an encryption master private key and a signature master private key, and is stored secretly by the KGC. The KGC generates the encryption identification private key of the user from the encryption master private key and the identification of the user; correspondingly, the signature master private key is used to generate the signature identification private key. In identification cryptography, the master private key is typically generated by the KGC using a random number generator.
11. Identifier: information that uniquely identifies an entity. The identifier should be composed of information that the entity cannot deny, such as the entity's identifiable name, email address, identification number, telephone number, or street address.
12. Hash function (hash function): a function that maps data of arbitrary length to data of fixed length.
13. Key generation center (KGC): a trusted authority responsible for selecting system parameters, generating an encryption master key, and generating a user encryption private key.
14. Non-repudiation (non-repudiation): also known as undeniability. It means that when the parties to an e-commerce transaction transmit data, the data must carry information that is characteristic of the sender and cannot be copied by others, so that no party can deny its actions after the transaction is complete. Non-repudiation of information is typically achieved by digitally signing the transmitted message.
15. Lagrange interpolation polynomial: Lagrange interpolation is a method for interpolating discrete sampling points. For a set of distinct sampling points, it finds a polynomial that takes the corresponding sample value at each sampling point. This polynomial is called the Lagrange polynomial, so Lagrange interpolation is a polynomial interpolation method.
In general, Lagrange interpolation is defined as follows: given k+1 points (x_0, y_0), …, (x_i, y_i), …, (x_k, y_k) whose sampling points x_i are pairwise distinct, the Lagrange polynomial is:
Figure BDA0002062366800000071
where
Figure BDA0002062366800000072
from the definitions, it can be seen that:
Figure BDA0002062366800000073
at the same time have
Figure BDA0002062366800000074
Thus, at x = x_i, l_i(x_i) equals 1 while every other l_j(x_i) with j ≠ i equals 0; that is, y_i·l_i(x_i) = y_i, and hence L(x_i) = y_i. The Lagrange polynomial therefore fits the given sampling points exactly.
The data processing method is a user identification private key generation method based on the SM9 identification cryptographic algorithm. On the basis of the private key generation mode given in the SM9 identification cryptographic algorithm standard, it uses a new user identification private key generation framework and algorithm to generate the user identification private key, so that the problems of heavy key generation center load, poor system non-repudiation, and single point of failure that may occur in a single key generation center architecture are avoided.
The following describes a generation method of an identification private key of the current SM9 identification cryptographic algorithm standard and an architecture applied in the embodiment of the present application with reference to the drawings.
Fig. 1 is a schematic diagram of an identification private key generation method of the SM9 identification cryptographic algorithm standard.
At present, the method for generating the identification private key given by the SM9 identification cryptographic algorithm standard is mainly performed by a single KGC (i.e., a master KGC), and specifically may include the following steps.
(1) The elliptic curve E(F_q)[n] is selected according to the SM9 standard, where q may be any prime number, F_q may be a finite field of characteristic q, and n is the order of the elliptic curve.
(2) The main KGC generates a random number ks as the signature master private key, where ks ∈ [1, n-1].
(3) The master KGC selects and publishes the identifier hid of the signature private key generation function, and in particular, the master KGC may broadcast the identifier hid of the master private key generation function so that anyone can obtain the information.
(4) The main KGC computes, over the finite field F_q, the hash value of the identification public key of user A: HID_A = H_1(ID_A || hid, n), where HID_A is the hash value of the identification public key of user A; H_1() is a cryptographic function defined in the SM9 standard that functions like a hash function; and || is the concatenation operator, which directly joins two character strings, for example hello || world is helloworld.
An intermediate parameter t_1 = HID_A + ks is then calculated from the hash value of the user identification public key and the signature master private key.
(5) Calculating intermediate parameter values
Figure BDA0002062366800000075
where mod n is the modulo operation.
(6) The identification private key of user A is
Figure BDA0002062366800000076
Wherein P is1Is defined in FqIs a point on the elliptic curve and is a disclosed system parameter, [ t [ [ t ]2]P1Representing a point multiplication operation of an elliptic curve.
As can be seen from the manner of generating the user identification private key given in the SM9 identification cryptographic algorithm standard, in the process of generating the user identification private key, a single KGC completes the processes of application, authentication, calculation, transmission, and the like of all the user identification private keys, so that the load of the KGC may be too heavy. In addition, since the identification private keys of all users are generated by the same KGC, the system of the identification private key may not be repudiated poorly. More notably, under the condition that a single KGC completes all user identification private keys, if the KGC master private key is revealed, an attacker can calculate the identification private keys of all users by using the KGC master private key, which causes the leakage of encrypted information of all users and a large cost of single point invalidation.
Aiming at the problems existing in the current SM9 standard algorithm, the embodiment of the application provides a data processing method, which utilizes a plurality of KGCs to participate in the generation process of a user identification private key together and combines with an identification private key algorithm aiming at a multi-KGC architecture to reduce the problems of leakage of the user identification private key, heavy KGC load and poor non-repudiation caused by single-point failure.
Fig. 2(a) is a schematic diagram of a single KGC architecture of the current SM9 signature algorithm, and fig. 2(b) is a schematic diagram of a multi-KGC architecture according to an embodiment of the present disclosure.
The current private key generation process based on the SM9 signature cryptographic algorithm uses a single-KGC architecture, that is, one master KGC completes the generation of the signature private keys of all users (as shown in Fig. 2(a)). Because the identification private keys of all users are generated from a single master private key, in a scenario where a single server or a single KGC generates the user identification private keys, an attack on that server or KGC puts the identification private keys of all users at risk of exposure and exposes the service to denial of service (DoS), so the loss caused by a single point of failure is severe. In the embodiment of the present application, a multi-KGC mode is adopted for generating the user identification private key (as shown in Fig. 2(b)), that is, the generation of the user identification private key is completed jointly by the multiple KGCs or by some of the multiple KGCs. In this case, even if one server or KGC is attacked, the master private key of the system is not revealed, and the remaining servers or KGCs can continue to provide the key management service for the user.
Fig. 3 shows a schematic diagram of a method of data processing provided by the present application.
The architecture for generating a user identification private key shown in fig. 3 may comprise a plurality of KGCs (e.g., KGC0 through KGC6), wherein each KGC may generate a portion of intermediate parameters for calculating the user identification private key and transmit the intermediate parameters to the user, so that the user can calculate its identification private key according to a sufficient number of intermediate parameters.
As an example, Fig. 3 shows that the ith key generation center (denoted KGCi) of the plurality of KGCs may generate a temporary master private key ks^(i), determine from the generated temporary master private key the intermediate values for the other KGCs, where the intermediate values can be used to compute the system master private key, and then send each intermediate value to the corresponding remaining KGC. Meanwhile, any KGCi can also acquire the intermediate values of the master private key sent by each of the other KGCs. For example, if there are 7 KGCs in the system shown in Fig. 3, KGCi may obtain the intermediate values sent by the 6 other KGCs and obtain the master private key of the system from the obtained intermediate values, where the operation may be, for example, a summation: the master private key ks = ks^(0) + ks^(1) + ks^(2) + ks^(3) + ks^(4) + ks^(5) + ks^(6), where ks^(0) to ks^(6) are the intermediate values used by KGCi to compute the master private key. The specific steps and algorithms by which KGCi obtains the system master private key, and the specific process for finally obtaining the user identification private key, are described in detail below. It should be understood that Fig. 3 is only intended to facilitate understanding of the application scenarios and principles of the data processing method provided by the present application and does not limit the present application; for example, the number of KGCs involved in the present application may vary and is not limited to the number shown in Fig. 3.
Fig. 4 shows a schematic flow chart of a method of data processing provided by the present application.
For example, the multi-KGC architecture for generating the user identification private key of the embodiment may include m KGCs, where m is an integer greater than 1, for convenience of description, an ith KGC (i.e., KGCi) of the m KGCs is selected as an execution subject, and any one of the remaining m-1 KGCs except the ith KGC of the m KGCs is represented by KGCj, and j ≠ i.
Step S410, the ith key generation center obtains a first parameter x_i and a first secret share.
Optionally, the KGC holding the first parameter x_i may be a lower-layer KGC relative to the main KGC, and the plurality of lower-layer KGCs, or a part of them, may jointly complete the generation process of the user identification private key.
Optionally, the first parameter x_i may be a random positive integer assigned by the main KGC to each lower-layer KGC, or may be selected and disclosed by KGCi itself. Specifically, KGCi may disclose the selected first parameter by broadcast, and in particular KGCi notifies the main KGC of the selected first parameter. Different KGCs may correspond to different first parameters; for example, the first parameter of KGCi is a random integer x_i and the first parameter of KGCj (j ≠ i) is a random integer x_j, so the first parameter may also serve as an identifier of the different KGCs.
Optionally, the first secret share may be a sub-secret owned by KGCi that is generated by a secret sharing algorithm (secret sharing). A secret sharing algorithm divides a secret S into n sub-secrets such that any k of the sub-secrets can recover the secret S and any k-1 of the sub-secrets cannot; k is called the threshold value.
Optionally, the first secret share comprises a second parameter ks_i, where the second parameter is the function value obtained by substituting the first parameter x_i into the t-order sharing polynomial of the master private key ks; that is, (x_i, ks_i) is a point on the curve corresponding to the sharing polynomial of the signature master private key ks. The first parameter and the second parameter may be used to determine a parameter in the second secret share, for example a third parameter, i.e. the partial identification private key Y_i.
In addition, the first secret share may further include a plurality of auxiliary parameters, such as at least one fourth parameter, i.e. a non-zero secret parameter β_i, and at least one fifth parameter, i.e. a zero secret parameter θ_i. The auxiliary parameters are used to improve the security of data transmission between KGCs or between a KGC and a user, so that even if an attacker intercepts transmitted data, the master private key of the system cannot be recovered from the acquired data.
Optionally, the first secret share obtained by KGCi may be obtained from the main KGC, or KGCi may generate it itself from the obtained intermediate parameters. The process of KGCi acquiring the first secret share from the master KGC, and the process of KGCi generating the first secret share itself, are described in detail below.
S420, the ith key generation center may determine a second secret share according to the first parameter and the first secret share.
The second secret share comprises a third parameter Y_i. The third parameter Y_i is a partial identification private key value used to determine the user identification private key, and (x_i, Y_i) may be a point on the curve corresponding to the sharing polynomial of the user's identification private key.
As an example, the process of the ith key generation center determining the second secret share from the first parameter and the first secret share may be:
The ith key generation center determines a sixth parameter, i.e. the share γ_i of the identification private key intermediate value, according to the parameters in the first secret share and the hash value HID_A of the identification public key of user A, and discloses γ_i, for example by broadcasting its value. The parameters in the first secret share may include the second parameter ks_i, at least one fourth parameter β_i, and at least one fifth parameter θ_i.
Optionally, the hash value of the identification public key of the user may be calculated by the ith key generation center from the identification public key ID_A sent by the user, using the SM9 identification cryptographic algorithm standard. The hash value of the identification public key may be HID_A = H_1(ID_A || hid, n), where H_1() is the cryptographic function defined in the SM9 standard, || is the concatenation operator, hid is the one-byte identifier of the signature private key generation function selected and disclosed by the ith key generation center, and n is the order of the elliptic curve selected according to the SM9 standard.
The ith key generation center obtains enough shares γ_j of the identification private key intermediate value, where γ_j is the sixth parameter generated and disclosed by the jth key generation center. Enough here means that the number of identification private key intermediate values obtained by the ith key generation center is greater than the order of the sharing polynomial of the seventh parameter, and the seventh parameter is a parameter determined according to the sixth parameter and a parameter in the first secret share.
The ith key generation center determines the seventh parameter γ according to the first secret share and the sixth parameters γ_j; the seventh parameter may be determined by Lagrange interpolation.
The ith key generation center determines a second secret share according to the first secret share and the seventh parameter. Specifically, the ith key generation center determines the partial identification private key Y_i in the second secret share according to the first secret share and the seventh parameter.
S430, the ith key generation center sends the first parameter and the second secret share to the user.
Optionally, the ith key generation center may receive request information sent by the user before sending the first parameter and the second secret share, where the request information is used to request the first parameter and the second secret share from at least one KGC of the m KGCs.
Optionally, the ith key generation center may send (x_i, Y_i) to the user as a response, so that the user, after obtaining enough first parameters and second secret shares, can determine the sharing polynomial of the user identification private key by Lagrange interpolation and determine the user identification private key from that polynomial. Enough here means that the number of first parameters and second secret shares obtained by the user is greater than the order of the sharing polynomial of the user's identification private key.
The data processing method provided by the embodiment of the present application is described in detail below with reference to the accompanying drawings.
Fig. 5 shows a schematic diagram of a data processing method provided in the present application. The architecture used by the data processing method comprises a main KGC and a plurality of lower KGCs.
First, the ith key generation center acquires a first parameter x_i and a first secret share.
Optionally, a system for generating a user identification private key is first established, where the system may include a master key generation center and m lower-layer key generation centers, where an ith key generation center of the m key generation centers is denoted as an ith key generation center or KGCi, and m is an integer greater than 1.
Optionally, after the identification private key generation system is established, the master KGC may randomly generate the master private key ks and the system parameters according to the SM9 identification cryptographic algorithm standard. The master KGC constructs a t-order sharing polynomial of the master private key from the generated master private key, where the sharing polynomial may be, for example: KS(x) = a_t x^t + a_{t-1} x^{t-1} + … + a_1 x + ks, where the coefficients a_t, a_{t-1}, …, a_1 of the sharing polynomial KS(x) are random integers and a_t ≠ 0. The master KGC may secretly store the coefficients of the sharing polynomial and disclose t, for example by broadcast.
Optionally, the main KGC may also go on to select auxiliary parameters. The auxiliary parameters may include at least one non-zero secret parameter β and at least one zero parameter θ; for example, the auxiliary parameters include r (r ≥ 1) non-zero secret parameters β_0, β_1, …, β_{r-1} and s (s ≥ 1) zero parameters θ_0 = θ_1 = … = θ_{s-1} = 0. The auxiliary parameters are used to improve the security of data transmission between the KGCs or between a KGC and the user, so that even if an attacker intercepts the transmitted data, the master private key of the system cannot be recovered from the acquired data.
As an example, the master KGC may generate the fourth parameter and the fifth parameter in each secret share from the selected auxiliary parameters. The main KGC can construct sharing polynomials B_0(x), …, C_0(x), … for the non-zero secret parameters and the zero parameters in a way similar to the construction of the master private key sharing polynomial, where the order of every polynomial cannot be higher than t. Specifically, the sharing polynomial of a non-zero secret parameter constructed by the master KGC may be B(x) = b_t x^t + b_{t-1} x^{t-1} + … + b_1 x + β, and the sharing polynomial of a zero parameter may be C(x) = c_t x^t + c_{t-1} x^{t-1} + … + c_1 x + θ, where each coefficient in the non-zero secret parameter sharing polynomial and the zero parameter sharing polynomial is a random integer, and b_t ≠ 0, c_t ≠ 0. The master KGC keeps the sharing polynomials B(x) and C(x) secret.
After constructing the sharing polynomials for the master private key and the auxiliary parameters, the main KGC may evaluate each polynomial at the first parameter x_i, i.e. at x = x_i, thereby obtaining ks_i = KS(x_i), β_{0,i} = B_0(x_i), β_{1,i} = B_1(x_i), …, θ_{0,i} = C_0(x_i), θ_{1,i} = C_1(x_i), …. The first parameter x_i is a public parameter; it may be specified by the main KGC for each KGCi, or selected and broadcast by KGCi itself. Furthermore, the first parameter x_i may be generated randomly by a random number generator, or the hash value of each lower-layer KGCi's number may be selected as the first parameter. The first parameter may be selected in various ways, which is not limited in this application.
Optionally, after the main KGC determines the second parameter, the fourth parameter, and the fifth parameter, it may send them to each lower-layer KGC through a secure channel as the first secret share, and may also send the first parameter to each lower-layer KGC together with them; the lower-layer KGC may store the first parameter and the secret share secretly after acquiring them from the main KGC. For example, the ith key generation center may obtain, through a secure channel, the first secret share (ks_i, β_{0,i}, β_{1,i}, …, θ_{0,i}, θ_{1,i}, …) generated for it by the main KGC together with the first parameter x_i, and store them secretly.
And secondly, the ith key generation center generates a second secret share according to the first parameter and the first secret share.
For example, the process of the ith key generation center generating the second secret share according to the first parameter and the first secret share may be:
The ith key generation center obtains the identification public key of the user, for example the identification public key ID_A of user A, and determines the hash value of the identification public key from it through the SM9 identification cryptographic algorithm. The hash value of the identification public key of user A is specifically: HID_A = H_1(ID_A || hid, n).
The ith key generation center determines a sixth parameter γ_i according to the hash value of the identification public key and the parameters in the first secret share, where the sixth parameter may be a share of the identification private key intermediate value of user A. Specifically, the ith key generation center may generate the sixth parameter as:
Figure BDA0002062366800000111
After the ith key generation center determines the sixth parameter γ_i, it may disclose it, for example by broadcast, so that anyone can obtain the value of the sixth parameter.
Optionally, the ith key generation center may also obtain the sixth parameter (e.g. γ_j) disclosed by another key generation center (e.g. the jth key generation center KGCj). When the number of sixth parameters acquired by the ith key generation center reaches (r+1)t, the seventh parameter γ may be determined by Lagrange interpolation; specifically, the seventh parameter γ
Figure BDA0002062366800000112
Figure BDA0002062366800000113
Optionally, the ith key generation center determines the second secret share from the seventh parameter and a parameter in the first secret share. Specifically, the ith key generation center determines from γ and x_i a third parameter in the second secret share, namely the partial identification private key Y_i; in particular, the third parameter
Figure BDA0002062366800000114
where P_1 is a system parameter.
And thirdly, after the ith key generation center generates a second secret share, sending the first parameter and the second secret share to the user A.
Specifically, the ith key generation center may receive a request message sent by user A, where the request message is used to request from the ith key generation center the intermediate parameters for determining the user identification private key, that is, the first parameter and the second secret share. The ith key generation center may then send the first parameter x_i and the second secret share to user A in response; for example, the ith key generation center sends the first parameter x_i and the partial identification private key Y_i obtained in the above steps to user A. It should be understood that (x_i, Y_i) can be regarded as a point on the curve corresponding to the polynomial of the identification private key of user A. In addition, since the order of the polynomial of the identification private key of user A is (r+1)t, the user needs to obtain at least (r+1)t+1 shares of the third parameter Y_i, determine the polynomial of the identification private key of user A from these at least (r+1)t+1 shares by Lagrange interpolation, and then determine the identification private key of the user from the polynomial.
In order to further understand the method for generating the user identification private key by using the multi-KGC architecture shown in fig. 4, the generation process of the identification private key of the user a is further described below by taking the case where the number of the auxiliary parameters is 1 as an example.
The architecture of the system used for generating the identification private key of the user a in this embodiment is shown in fig. 4, that is, there are one main KGC and m lower KGCs. A specific process may include the following steps.
Step 1: the ith key generation center obtains a first parameter and a first secret share, and specifically comprises the following steps.
Step 1.1: the master KGC randomly generates a master private key ks and system parameters according to the SM9 identified cryptographic algorithm standard.
Step 1.2: the master KGC constructs a sharing polynomial of the master private key ks, KS(x) = a_t x^t + a_{t-1} x^{t-1} + … + a_1 x + ks, where the coefficients a_t, a_{t-1}, …, a_1 of the sharing polynomial KS(x) are random integers and a_t ≠ 0. The master KGC may secretly store the coefficients of the sharing polynomial and disclose t, for example by broadcast.
Step 1.3: the primary KGC continues to choose the secondary parameters, which may be 1 non-zero secret parameter β and 1 zero parameter θ, where β is a random integer.
Step 1.4: the main KGC constructs sharing polynomials of the non-zero parameter β and the zero parameter θ, for example: B(x) = b_t x^t + b_{t-1} x^{t-1} + … + b_1 x + β and C(x) = c_t x^t + c_{t-1} x^{t-1} + … + c_1 x, where b_t, …, b_1 and c_t, …, c_1 are all random integers, and b_t ≠ 0, c_t ≠ 0. The master KGC keeps B(x) and C(x) secret.
Step 1.5: the main KGC calculates the first secret share corresponding to each lower-layer KGC. For example, when the main KGC determines the first secret share of KGCi, it may substitute the first parameter x_i corresponding to KGCi into the sharing polynomials of the master private key and the auxiliary parameters to obtain the second parameter ks_i, the fourth parameter β_i, and the fifth parameter θ_i in the first secret share corresponding to KGCi, i.e. ks_i = KS(x_i), β_i = B(x_i), θ_i = C(x_i).
Step 1.6: the ith key generation center acquires the secret share (x_i, ks_i, β_i, θ_i) transmitted by the main KGC through a secure channel, and stores the first secret share secretly.
Optionally, after sending the first parameter and the first secret share, the main KGC may be in a long-term offline state, so as to physically isolate the possibility that an attacker attacks the main KGC, thereby reducing the risk of disclosure of the main private key.
It should be understood that the generation of the first secret share of each lower-layer KGC by the master KGC is based on the idea of secret sharing. In particular, the main KGC divides the master private key and the associated auxiliary parameters into m (m > t) shares by a polynomial-based key sharing algorithm, where each share is essentially a point on the corresponding polynomial; for example, (x_i, ks_i) is a point on the sharing polynomial of the master private key. Similarly, (x_i, β_i) and (x_i, θ_i) are, respectively, a point on the curve corresponding to the sharing polynomial of the non-zero secret parameter and a point on the curve corresponding to the sharing polynomial of the zero parameter. Therefore, an attacker can restore the sharing polynomial of the master private key, and thereby obtain the master private key, only after obtaining a number of points that reaches the threshold, so the method greatly reduces the impact of a single point of failure.
Step 2: the ith key generation center generates a second secret share according to the first parameter and the first secret share, where the second secret share comprises a third parameter Y_i, and Y_i is a partial identification private key that the user uses to generate the user's own identification private key, that is, an intermediate value of the user identification private key. Specifically, this step may include the following implementation steps.
Step 2.1: the ith key generation center acquires the identification public key ID_A of user A sent by user A, and calculates the hash value of the identification public key according to the SM9 identification cryptographic algorithm standard, where the hash value is: HID_A = H_1(ID_A || hid, n).
Step 2.2: the ith key generation center generates a sixth parameter according to the generated hash value of the identification public key and the parameters in the first secret share (such as the second parameter ks_i, the fourth parameter β_i, and the fifth parameter θ_i), where the sixth parameter may be the share γ_i of the identification private key intermediate value of user A. Specifically, the sixth parameter γ_i = β_i(HID_A + ks_i) + θ_i.
After the ith key generation center generates the sixth parameter, the sixth parameter may be disclosed, for example, in a broadcast form, so that any person may know the value of the sixth parameter.
Step 2.3: the ith key generation center obtains the sixth parameters γ_j disclosed by other key generation centers (such as the jth key generation center KGCj). When the ith key generation center has acquired not less than 2t shares γ_j, a seventh parameter γ is calculated by Lagrange interpolation, where
Figure BDA0002062366800000121
where n is the system parameter defined in the SM9 standard and (mod n) denotes the modulo operation.
Step 2.4: The ith key generation center calculates the partial identification private key Y_i in the second secret share according to the seventh parameter and some of the parameters in the first secret share, where Y_i = [γ^(-1) β_i ks_i]P_1 and P_1 is a system parameter.
Step 3: The ith key generation center sends the first parameter and the second secret share to the user.
Specifically, after a user, such as user A, obtains at least 2t + 1 shares of the third parameter Y_i, the user's identification private key ds_A can be determined by Lagrange interpolation, where
Figure BDA0002062366800000131
The ith key generation center determines the identification private key of user A according to the sharing polynomial of the identification private key. Specifically, since the constant term of the sharing polynomial of the identification private key obtained by Lagrange interpolation is the user's identification private key, the value of the identification private key polynomial at x = 0 can be computed, and this value is the user's identification private key.
It will be appreciated that at least 2 points are required to determine a straight-line equation, at least 3 points are required to determine a 2nd-order curve equation, and so on, so that at least t + 1 points are required to determine a t-th order polynomial. The present embodiment applies this idea: the master KGC divides the master private key and the related auxiliary parameters into m (m > t) shares using a polynomial-based key sharing algorithm, where each share is essentially a point on the curve corresponding to the sharing polynomial. In this embodiment, since the order of the sharing polynomial is 2t, an attacker can restore the sharing polynomial and obtain the master private key only after obtaining no fewer than 2t + 1 points. Here, 2t + 1 is the threshold: the security of the whole system fails only if the number of KGCi compromised by an attacker reaches the threshold; otherwise, the system remains secure. Moreover, because the master KGC can go offline after system initialization is finished, the master KGC can be physically isolated from attack.
On the other hand, since user A can calculate its own identification private key after obtaining only 2t + 1 responses from the m lower-layer KGCs, not all the lower-layer KGCs need to respond to the user's request. Embodiments of the present application reduce the load on each KGCi compared with a single-KGC architecture. For example, if there are 100 user requests for identification private keys, the KGC in the single-KGC architecture needs to process 100 requests; for the solution of the present application, assuming that there are 10 lower-layer KGCs and the threshold is 4, each KGC needs to process only 40 requests on average (100 × 4/10 = 40), which greatly reduces the workload of each KGC.
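The following Python model is an added example, not code from the patent. It runs Steps 1 to 3 with scalars modulo a stand-in prime instead of SM9 curve points: Y_i is represented by its scalar γ^(-1)·β_i·ks_i, H_1 is replaced by SHA-256, and all function names are hypothetical. It checks that any 2t + 1 shares interpolate to ks·(HID_A + ks)^(-1), which is what γ^(-1)·β·ks simplifies to, while 2t shares do not.

```python
import hashlib
import secrets

N = 2**127 - 1  # stand-in prime modulus (assumption); the scheme uses SM9's n


def hid(identity: bytes) -> int:
    """Stand-in for HID_A = H1(ID_A||hid, n): SHA-256 mapped into [1, N-1]."""
    digest = hashlib.sha256(identity + b"\x01").digest()  # constructed hid byte
    return int.from_bytes(digest, "big") % (N - 1) + 1


def share_poly(constant: int, t: int) -> list:
    """Degree-t polynomial over GF(N), constant term first, non-zero leading term."""
    middle = [secrets.randbelow(N) for _ in range(t - 1)]
    return [constant % N] + middle + [secrets.randbelow(N - 1) + 1]


def poly_eval(coeffs: list, x: int) -> int:
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % N
    return acc


def interpolate_at_zero(points: list) -> int:
    """Lagrange interpolation: value at x = 0 of the polynomial through points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * xk % N
                den = den * (xk - xj) % N
        total = (total + yj * num * pow(den, -1, N)) % N
    return total


def master_setup(m: int, t: int):
    """Master KGC: share ks, beta (non-zero) and theta (zero) among m lower KGCs."""
    ks = secrets.randbelow(N - 1) + 1
    beta = secrets.randbelow(N - 1) + 1
    KS, B, C = share_poly(ks, t), share_poly(beta, t), share_poly(0, t)
    xs = set()
    while len(xs) < m:  # distinct random positive x_i
        xs.add(secrets.randbelow(N - 1) + 1)
    shares = [{"x": x, "ks": poly_eval(KS, x), "beta": poly_eval(B, x),
               "theta": poly_eval(C, x)} for x in sorted(xs)]
    return ks, shares  # ks is returned only so the result can be checked


def kgc_issue(shares: list, identity: bytes, t: int) -> list:
    """Steps 2.1-2.4: return the (x_i, Y_i) pairs the lower KGCs send to the user."""
    if len(shares) < 2 * t + 1:
        raise ValueError("need at least 2t+1 key generation centers")
    h = hid(identity)
    # Step 2.2: every KGC_i publishes gamma_i = beta_i*(HID_A + ks_i) + theta_i.
    gammas = [(s["x"], (s["beta"] * (h + s["ks"]) + s["theta"]) % N) for s in shares]
    # Step 2.3: the gamma_i lie on a degree-2t polynomial, so 2t+1 values fix gamma.
    gamma = interpolate_at_zero(gammas[:2 * t + 1])
    if gamma == 0:  # HID_A + ks == 0 (mod N): no inverse exists
        raise ValueError("gamma is zero for this identity")
    gamma_inv = pow(gamma, -1, N)
    # Step 2.4: Y_i = [gamma^-1 * beta_i * ks_i]P_1, kept here as its scalar.
    return [(s["x"], gamma_inv * s["beta"] * s["ks"] % N) for s in shares]


def user_reconstruct(points: list, t: int) -> int:
    """Step 3: the user interpolates ds_A from at least 2t+1 pairs (x_i, Y_i)."""
    if len(points) < 2 * t + 1:
        raise ValueError("need at least 2t+1 shares")
    return interpolate_at_zero(points[:2 * t + 1])


def reference_scalar(ks: int, identity: bytes) -> int:
    """gamma^-1 * beta * ks simplifies to ks * (HID_A + ks)^-1 mod N."""
    return ks * pow((hid(identity) + ks) % N, -1, N) % N


if __name__ == "__main__":
    t, m = 2, 7
    ks, shares = master_setup(m, t)
    ys = kgc_issue(shares, b"alice@example.test", t)
    ds = user_reconstruct(ys[2:], t)
    print("2t+1 shares match:", ds == reference_scalar(ks, b"alice@example.test"))
    print("2t shares match:", interpolate_at_zero(ys[:2 * t]) == ds)
```

Because the product polynomial has degree exactly 2t and every x_i is non-zero, interpolating from only 2t shares always yields a different value, not just a different value with high probability.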
Fig. 6 is a schematic diagram illustrating an architecture to which another data processing method provided in the embodiment of the present application is applied. The architecture applied by the data processing method comprises a plurality of KGCs.
First, the ith key generation center acquires a first parameter x_i and a first secret share.
Optionally, a system for generating a user identification private key is first established, where the system may include m lower-layer key generation centers, where an ith key generation center of the m key generation centers is recorded as an ith key generation center or KGCi, and m is an integer greater than 1.
Optionally, after establishing the identification private key generation system, the ith key generation center may randomly generate a temporary master private key ks^(i) and system parameters according to the SM9 identification cryptographic algorithm standard, where each system parameter may be the same. The ith key generation center constructs a t-order sharing polynomial of the temporary master private key from the generated temporary master private key ks^(i), where the sharing polynomial may be, for example:
Figure BDA0002062366800000132
where each parameter of the sharing polynomial KS^(i)(x)
Figure BDA0002062366800000133
is a random integer, and
Figure BDA0002062366800000134
The ith key generation center may secretly store the parameters of the sharing polynomial and disclose t, for example in a broadcast manner.
Optionally, the ith key generation center may further select auxiliary parameters, which may include at least one non-zero secret parameter β and at least one zero secret parameter θ, for example, r (r ≥ 1) non-zero secret parameters
Figure BDA0002062366800000135
and s (s ≥ 1) zero parameters
Figure BDA0002062366800000136
The auxiliary parameters are used for improving the security of data transmission between KGCs or data transmission between KGCs and a user, so that even if an attacker intercepts transmitted data, the main private key of the system cannot be recovered according to the acquired data.
As an example, the ith key generation center may generate the fourth parameter and the fifth parameter in each secret share according to the selected auxiliary parameter. The ith key generation center can construct a sharing polynomial of non-zero secret parameters in a similar way of constructing a master private key sharing polynomial
Figure BDA0002062366800000141
And zero parameter sharing polynomial
Figure BDA0002062366800000142
Wherein the order of all polynomials is not higher than t. Specifically, the sharing polynomial of the non-zero secret parameter constructed by the master KGC may be:
Figure BDA0002062366800000143
the zero-parameter sharing polynomial constructed may be:
Figure BDA0002062366800000144
where each coefficient in the non-zero secret parameter sharing polynomial and the zero parameter sharing polynomial is a random integer, and
Figure BDA0002062366800000145
The master KGC secretly stores the sharing polynomials B^(i)(x) and C^(i)(x).
In addition, the ith key generation center can also generate, for the jth key generation center, the intermediate value of the temporary master private key ks^(i)
Figure BDA0002062366800000146
and intermediate values of the auxiliary parameters, i.e. intermediate values of the non-zero secret parameters
Figure BDA0002062366800000147
and intermediate values of the zero parameters
Figure BDA0002062366800000148
Correspondingly, the ith key generation center may receive the calculation results of the intermediate values of the temporary master private keys and the intermediate values of the auxiliary parameters, which are transmitted by the other m-1 key generation centers. The intermediate values of the temporary master private key and the auxiliary parameters can be used by the jth key generation center to calculate the system master private key, the non-zero secret parameters and the zero parameters included in the first secret share. It should be understood that the jth key generation center in the present application is any key generation center of the m key generation centers except the ith key generation center, and that the terms ith key generation center and jth key generation center are used only to distinguish any two of the m key generation centers involved in generating the user identification private key, and do not limit the present application.
Optionally, the ith key generation center discloses the first parameter x_i. Specifically, the first parameter may be disclosed by broadcasting so that anyone else can know the value of the first parameter. It is to be understood that the ith key generation center may also know the values of the first parameters disclosed by the other m-1 key generation centers, e.g. the first parameter x_j disclosed by the jth key generation center.
As an example, when the ith key generation center obtains the intermediate value of the temporary master private key sent by the other m-1 key generation centers
Figure BDA0002062366800000149
And non-zero secret parameters
Figure BDA00020623668000001410
And zero parameter
Figure BDA00020623668000001411
Then, the parameters in the first secret share can be generated according to the obtained intermediate values of the parameters. Specifically, the ith key generation center generates a system master private key, a non-zero secret parameter and a zero parameter according to the obtained calculation results sent by the m-1 key generation centers, wherein the system master private key is
Figure BDA00020623668000001412
the non-zero secret parameter is
Figure BDA00020623668000001413
and the zero parameter is
Figure BDA00020623668000001414
At this time, the parameters in the first secret share may include (ks_i, β_i, θ_i).
Second, the ith key generation center generates a second secret share according to the first parameter and the first secret share.
For example, the process of the ith key generation center generating the second secret share according to the first parameter and the first secret share may be:
The ith key generation center obtains the identification public key ID of the user, for example, the identification public key ID_A of user A, and determines the hash value of user A's identification public key through the SM9 identification cryptographic algorithm according to the identification public key. Specifically, the hash value is: HID_A = H_1(ID_A||hid, n).
The ith key generation center determines a sixth parameter γ_i according to the hash value of the identification public key and the parameters in the first secret share, where the sixth parameter may be a share of the identification private key of user A. Specifically, the ith key generation center may generate the sixth parameter as:
Figure BDA00020623668000001415
After the ith key generation center determines the sixth parameter γ_i, the value of the sixth parameter may be made available to anyone, for example by broadcasting.
Optionally, the ith key generation center may also obtain the sixth parameters (e.g. γ_j) disclosed by other key generation centers (e.g. the jth key generation center KGCj). When the number of sixth parameters acquired by the ith key generation center reaches (r+1)t, the seventh parameter γ may be determined by Lagrange interpolation. Specifically, the seventh parameter γ is
Figure BDA0002062366800000151
Figure BDA0002062366800000152
Optionally, the ith key generation center determines the second secret share from the seventh parameter and a parameter in the first secret share. Specifically, the ith key generation center determines, from γ and x_i, the third parameter in the second secret share, namely the partial identification private key Y_i, where the third parameter is
Figure BDA0002062366800000153
where P_1 is a system parameter.
Third, after the ith key generation center generates a second secret share, it sends the first parameter and the second secret share to user A.
Specifically, the ith key generation center may receive a request message sent by user A, where the request message is used to request from the ith key generation center the intermediate parameters used to determine the user identification private key, that is, the first parameter and the second secret share. The ith key generation center sends the first parameter x_i and the second secret share to user A as a response; for example, it sends the first parameter x_i and the partial identification private key Y_i obtained in the above steps. It should be understood that (x_i, Y_i) may be regarded as a point on the curve corresponding to the polynomial of user A's identification private key. Further, since the order of the polynomial of user A's identification private key is (r+1)t, the user needs to obtain at least (r+1)t + 1 shares of the third parameter Y_i, determine the polynomial of user A's identification private key by Lagrange interpolation from those shares, and then determine the user's identification private key from the polynomial.
It should be understood that, compared with the user identification private key generation architecture in which a master KGC exists, in the user identification private key generation architecture in which only a plurality of lower-layer KGCs exist, the master private key of the whole system is
Figure BDA0002062366800000154
Because no key generation center can independently recover the system master private key ks, only the user can independently generate the user's own identification private key in the whole system. If an attacker wants to obtain the user's identification private key by obtaining the system master private key during generation of the identification private key, the attacker must compromise a sufficient number of lower-layer key generation centers to recover the master private key; for example, if m key generation centers share the intermediate value of the temporary master private key generated by the attacker and the intermediate value of each auxiliary parameter, the attacker needs to compromise all m key generation centers to recover the master private key. Therefore, the data processing method provided by this embodiment improves security for the user during generation of the identification private key, avoids the inherent key escrow property of the SM9 algorithm, and improves the non-repudiation of the system.
The data processing method provided by the application improves, on the basis of the SM9 identification cryptographic algorithm standard, the architecture used for generating the user identification private key and the specific calculation process. While conforming to the private key generation mode given by the SM9 identification cryptographic algorithm standard, it uses a plurality of key generation centers to jointly complete the generation of the user identification private key. This solves the problem of the heavy load placed on a single key generation center that completes the application, authentication, calculation, transmission and other processes for all user identification private keys. The method also further improves the security of the identification private key generation process: when a single key generation center is compromised, the user's identification private key can still be generated securely, which alleviates the single point of failure problem. In addition, the joint participation of a plurality of key generation centers further improves the non-repudiation of the system.
Fig. 7 illustrates a data processing apparatus provided in the present application. As shown in fig. 7, the data processing apparatus 700 includes a receiving unit 710, a processing unit 720 and a transmitting unit 730.
A receiving unit 710 for obtaining a first parameter x_i and a first secret share, wherein the receiving unit is a receiving unit in an ith key generation center, the ith key generation center is any one of m preset key generation centers, and the first secret share comprises a second parameter ks_i, wherein (x_i, ks_i) is a point on a curve corresponding to a sharing polynomial of the signature master private key ks, the first parameter x_i is a random positive integer, and m is an integer greater than 1.
A processing unit 720 for generating a second secret share according to the first parameter x_i and the first secret share, the second secret share including a third parameter Y_i, wherein (x_i, Y_i) is a point on the curve corresponding to the sharing polynomial of the identification private key of the user.
A sending unit 730, configured to send the first parameter x_i and the second secret share to the user.
The device 700 corresponds exactly to the ith key generation center in the method embodiment, i.e. the respective units of the device 700 are configured to perform the respective steps performed by the ith key generation center in the method embodiments shown in fig. 4 to 6.
The processing unit 720 in the device 700 performs the steps implemented or processed inside the ith key generation center in the method embodiment, for example, the step in fig. 5 or fig. 6 of determining the sixth parameter γ_i according to the first secret share and the hash value of the identification public key of the user. The sending unit 730 performs the sending steps of the ith key generation center in the method embodiment, for example, disclosing the first parameter or disclosing the sixth parameter in fig. 6.
Optionally, the receiving unit 710 in the apparatus 700 may further be configured to receive the intermediate value of the m-1 master private keys from the processing unit
Figure BDA0002062366800000161
non-zero parameter intermediate values
Figure BDA0002062366800000162
and zero parameter intermediate values
Figure BDA0002062366800000163
The generated first secret share. The receiving unit 710 and the transmitting unit 730 may constitute a transceiving unit, and have both receiving and transmitting functions. The receiving unit 710 may be a receiver, the sending unit 730 may be a transmitter, and the processing unit 720 may be a processor. The receiver and transmitter may be integrated together to form a transceiver.
Fig. 8 shows another data processing apparatus provided in the present application. The apparatus 800 comprises a receiving unit 810 and a processing unit 820.
A receiving unit 810, configured to receive a second secret share from the n key generation centers, where the second secret share includes a first parameter x_i and a third parameter Y_i, wherein (x_i, Y_i) is a point on the sharing polynomial of the identification private key of the user corresponding to the signature master private key, and n is greater than the order of the sharing polynomial of the identification private key of the user.
A processing unit 820, configured to generate an identification private key of the user according to the second secret share.
Fig. 8 is a schematic structural diagram of a user applicable to the embodiment of the present application, which may be used to implement the functions of the user in the above-described data processing method.
Fig. 9 shows a schematic structural diagram of a data processing apparatus provided in the present application. The apparatus 900 may be the ith key generation center in the above method embodiments, and includes a receiver 910, a processor 920, and a transmitter 930.
The receiver 910 is configured to perform the receiving step in the method embodiment, for example, obtaining the first parameter x_i and a first secret share. The processor 920 is configured to implement the calculation or determination within the key generation center in the method embodiment, for example, generating a second secret share according to the first parameter x_i and the first secret share. The transmitter 930 is used to implement the sending step in the method embodiment, e.g. sending the first parameter x_i and the second secret share to the user.
Fig. 10 shows a schematic structural diagram of another data processing apparatus provided in the present application. The apparatus 1000, which may be a user in the above method embodiments, includes a receiver 1010 and a processor 1020.
The receiver 1010 is configured to implement the receiving step in the method embodiment, for example, to receive the second secret shares from the n key generation centers. The processor 1020 is configured to implement the calculation or determination process inside the key generation center in the method embodiment, for example, generate the identification private key of the user according to the second secret share.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (16)

1. A method of data processing, comprising:
the ith key generation center obtains a first parameter x_i and a first secret share, the ith key generation center being any one of m preset key generation centers, the first secret share including a second parameter ks_i, wherein (x_i, ks_i) is a point on a curve corresponding to a sharing polynomial of the signature master private key ks, the first parameter x_i is a random positive integer, and m is an integer greater than 1;
the ith key generation center generates a second secret share according to the first parameter x_i and the first secret share, the second secret share comprising a third parameter Y_i, wherein (x_i, Y_i) is a point on a curve corresponding to a sharing polynomial of the user's identification private key;
the ith key generation center sends the first parameter x_i and the second secret share to the user, the second secret share being used to enable the user to generate an identification private key of the user according to the second secret share.
2. The method of claim 1, wherein the first secret share further comprises a fourth parameter β_i and a fifth parameter θ_i, wherein (x_i, β_i) is a point on the curve corresponding to the sharing polynomial of the non-zero parameter β, and (x_i, θ_i) is a point on the curve corresponding to the sharing polynomial of the zero parameter θ,
the ith key generation center generating a second secret share according to the first parameter x_i and the first secret share comprises:
the ith key generation center determines a sixth parameter γ_i according to the first secret share and the hash value of the identification public key of the user, and the ith key generation center discloses the sixth parameter γ_i;
the ith key generation center obtains at least 2t sixth parameters γ_j, the sixth parameters γ_j being generated and disclosed by a jth key generation center, wherein the jth key generation center is any key generation center of the m key generation centers except the ith key generation center;
the ith key generation center determines a seventh parameter γ according to at least 2t +1 of the sixth parameters, where 2t is the order of a polynomial of the seventh parameter;
and the ith key generation center generates the second secret share according to the first secret share and the seventh parameter.
3. The method according to claim 1 or 2, wherein the ith key generation center obtains a first secret share, including:
the ith key generation center obtains intermediate values of m-1 main private keys
Figure FDA0003488536100000011
non-zero parameter intermediate values
Figure FDA0003488536100000012
and zero parameter intermediate values
Figure FDA0003488536100000013
wherein each of the master private key intermediate values
Figure FDA0003488536100000014
non-zero parameter intermediate values
Figure FDA0003488536100000015
and zero parameter intermediate values
Figure FDA0003488536100000016
is generated by a jth key generation center;
the ith key generation center, according to the m-1 master private key intermediate values
Figure FDA0003488536100000017
non-zero parameter intermediate values
Figure FDA0003488536100000018
and zero parameter intermediate values
Figure FDA0003488536100000019
generates the first secret share.
4. The method of claim 3, further comprising:
the ith key generation center generates a temporary master private key ks^(i), a non-zero parameter β^(i) and a zero parameter θ^(i);
the ith key generation center determines, according to the temporary master private key ks^(i), the non-zero parameter β^(i) and the zero parameter θ^(i), master private key intermediate values for the m-1 jth key generation centers
Figure FDA00034885361000000110
non-zero parameter intermediate values
Figure FDA00034885361000000111
and zero parameter intermediate values
Figure FDA00034885361000000112
the ith key generation center sends, to the m-1 jth key generation centers, the master private key intermediate values in one-to-one correspondence with the jth key generation centers
Figure FDA0003488536100000021
non-zero parameter intermediate values
Figure FDA0003488536100000022
and zero parameter intermediate values
Figure FDA0003488536100000023
5. The method according to claim 1 or 2, wherein the ith key generation center obtains a first secret share, including:
the ith key generation center acquires the first secret share sent by the master key generation center.
6. The method according to claim 2, characterized in that the sixth parameter γ_i = β_i(HID_A + ks_i) + θ_i, and the determining, by the ith key generation center, a seventh parameter γ according to the first secret share and the sixth parameter comprises:
the ith key generation center determines the seventh parameter γ according to a lagrange interpolation method, wherein
Figure FDA0003488536100000024
Figure FDA0003488536100000025
x_j is a first parameter of the key generation centers other than the ith key generation center among the m key generation centers;
the ith key generation center generating the second secret share according to the first secret share and the seventh parameter comprises:
the ith key generation center generates, according to the first secret share and the seventh parameter, a third parameter Y_i = [γ^(-1) β_i ks_i]P_1 in the second secret share, wherein P_1 is a system parameter of the SM9 identification cryptographic algorithm.
7. The method of claim 3, wherein obtaining the first secret share by the ith key generation center comprises:
the ith key generation center, according to the master private key intermediate values
Figure FDA0003488536100000026
non-zero parameter intermediate values
Figure FDA0003488536100000027
and zero parameter intermediate values
Figure FDA0003488536100000028
obtains the first secret share, wherein the second parameter ks_i in the first secret share satisfies
Figure FDA0003488536100000029
Figure FDA00034885361000000210
is a point on the sharing polynomial of ks^(j), the fourth parameter β_i satisfies
Figure FDA00034885361000000211
Figure FDA00034885361000000212
Figure FDA00034885361000000213
is a point on the sharing polynomial of β^(j), the fifth parameter θ_i satisfies
Figure FDA00034885361000000214
Figure FDA00034885361000000215
is a point on the sharing polynomial of θ^(j), wherein ks^(j), β^(j) and θ^(j) are, respectively, the temporary master private key, the non-zero parameter and the zero parameter generated by the jth key generation center of the m key generation centers, the parameters of the sharing polynomials of ks^(i) and ks^(j) are all random numbers, the parameters of the sharing polynomials of β^(i) and β^(j) are all random numbers, and the parameters of the sharing polynomials of θ^(i) and θ^(j) are all random numbers.
8. A data processing method, comprising:
the user receives a second secret share from the m key generation centers, wherein the second secret share comprises a first parameter x_i and a third parameter Y_i, wherein (x_i, Y_i) is a point on a sharing polynomial of the identification private key of the user corresponding to the signature master private key, and m is greater than the order of the sharing polynomial of the identification private key of the user;
the user generates an identification private key of the user according to the second secret share;
the user generates an identification private key of the user according to the second secret share, including:
the user determines a sharing polynomial of the identification private key of the user by Lagrange interpolation according to the third parameter Y_i in the second secret share;
and the user determines the identification private key of the user according to the sharing polynomial of the identification private key.
9. An apparatus for data processing, comprising:
a receiving unit for acquiring a first parameter x_i and a first secret share, the first secret share comprising a second parameter ks_i, wherein (x_i, ks_i) is a point on a curve corresponding to a sharing polynomial of the signature master private key ks, the first parameter x_i is a random positive integer, and m is an integer greater than 1;
a processing unit for generating a second secret share according to the first parameter x_i and the first secret share, the second secret share including a third parameter Y_i, wherein (x_i, Y_i) is a point on a curve corresponding to a sharing polynomial of the user's identification private key;
a sending unit, configured to send the first parameter x_i and the second secret share to the user, the second secret share being used to enable the user to generate an identification private key of the user according to the second secret share.
10. The apparatus of claim 9, wherein the first secret share further comprises a fourth parameter β_i and a fifth parameter θ_i, wherein (x_i, β_i) is a point on the curve corresponding to the sharing polynomial of the non-zero parameter β, and (x_i, θ_i) is a point on the curve corresponding to the sharing polynomial of the zero parameter θ,
the processing unit being used for generating a second secret share according to the first parameter x_i and the first secret share comprises:
the processing unit is used for determining a sixth parameter γ_i according to the first secret share and the hash value of the identification public key of the user, and the sending unit discloses the sixth parameter γ_i;
the processing unit is further configured to obtain at least 2t sixth parameters γ_j, the sixth parameters γ_j being generated and disclosed by a jth key generation center, wherein the jth key generation center is any key generation center of the m key generation centers except the ith key generation center;
the processing unit is further configured to determine a seventh parameter γ according to at least 2t +1 of the sixth parameters, where 2t is the order of a polynomial of the seventh parameter;
the processing unit is further configured to generate the second secret share according to the first secret share and the seventh parameter.
11. The apparatus according to claim 9 or 10, wherein the receiving unit being configured to obtain the first secret share comprises:
the receiving unit is configured to acquire m-1 master private key intermediate values
Figure FDA0003488536100000031
non-zero parameter intermediate values
Figure FDA0003488536100000032
and zero parameter intermediate values
Figure FDA0003488536100000033
wherein each of the master private key intermediate values
Figure FDA0003488536100000034
non-zero parameter intermediate values
Figure FDA0003488536100000035
and zero parameter intermediate values
Figure FDA0003488536100000036
is generated by a j-th key generation center;
the receiving unit is further configured to acquire the first secret share that the processing unit generates according to the m-1 master private key intermediate values
Figure FDA0003488536100000037
non-zero parameter intermediate values
Figure FDA0003488536100000038
and zero parameter intermediate values
Figure FDA0003488536100000039
12. The apparatus of claim 11, further comprising:
the processing unit is configured to generate a temporary master private key $ks^{(i)}$, a non-zero parameter $\beta^{(i)}$ and a zero parameter $\theta^{(i)}$;
the processing unit is further configured to determine, according to the temporary master private key $ks^{(i)}$, the non-zero parameter $\beta^{(i)}$ and the zero parameter $\theta^{(i)}$, m-1 master private key intermediate values for the j-th key generation centers
Figure FDA00034885361000000310
non-zero parameter intermediate values
Figure FDA00034885361000000311
and zero parameter intermediate values
Figure FDA00034885361000000312
the sending unit is configured to send, to the m-1 j-th key generation centers respectively, the temporary master private key intermediate values that correspond one-to-one to the j-th key generation centers
Figure FDA00034885361000000313
the non-zero parameter intermediate values
Figure FDA00034885361000000314
and the zero parameter intermediate values
Figure FDA00034885361000000315
13. The apparatus according to claim 9 or 10, wherein the receiving unit being configured to obtain the first secret share comprises:
the receiving unit is configured to acquire the first secret share transmitted by the master key generation center.
14. The apparatus of claim 10, wherein the sixth parameter $\gamma_i = \beta_i(H_{ID_A} + ks_i) + \theta_i$, and the processing unit being configured to determine the seventh parameter $\gamma$ according to the first secret share and the sixth parameter comprises:
the processing unit is configured to determine the seventh parameter $\gamma$ by Lagrange interpolation, wherein
Figure FDA00034885361000000316
Figure FDA00034885361000000317
$x_j$ is the first parameter of a key generation center other than the i-th key generation center among the m key generation centers;
the processing unit being configured to generate the second secret share according to the first secret share and the seventh parameter comprises:
the processing unit is configured to generate the third parameter $Y_i = [\gamma^{-1}\beta_i ks_i]P_1$ in the second secret share according to the first secret share and the seventh parameter, wherein $P_1$ is a system parameter of the SM9 identity-based cryptographic algorithm.
15. The apparatus according to claim 11, wherein the receiving unit being configured to obtain the first secret share comprises:
the receiving unit is configured to acquire the first secret share that the processing unit determines according to the master private key intermediate value
Figure FDA0003488536100000041
non-zero parameter intermediate value
Figure FDA0003488536100000042
and zero parameter intermediate value
Figure FDA0003488536100000043
wherein the second parameter $ks_i$ in the first secret share satisfies
Figure FDA0003488536100000044
Figure FDA0003488536100000045
is a point on the sharing polynomial of $ks^{(j)}$, the fourth parameter $\beta_i$ satisfies
Figure FDA0003488536100000046
Figure FDA0003488536100000047
is a point on the sharing polynomial of $\beta^{(j)}$, and the fifth parameter $\theta_i$ satisfies
Figure FDA0003488536100000048
Figure FDA0003488536100000049
Figure FDA00034885361000000410
is a point on the sharing polynomial of $\theta^{(j)}$, wherein $ks^{(j)}$, $\beta^{(j)}$ and $\theta^{(j)}$ are respectively the temporary master private key, the non-zero parameter and the zero parameter generated by the j-th key generation center of the m key generation centers; the parameters of the sharing polynomials of $ks^{(i)}$ and $ks^{(j)}$ are all random numbers, the parameters of the sharing polynomials of $\beta^{(i)}$ and $\beta^{(j)}$ are all random numbers, and the parameters of the sharing polynomials of $\theta^{(i)}$ and $\theta^{(j)}$ are all random numbers.
16. An apparatus for data processing, comprising:
a receiving unit configured to receive second secret shares from the m key generation centers, wherein each second secret share includes a first parameter $x_i$ and a third parameter $Y_i$, wherein $(x_i, Y_i)$ is a point on the sharing polynomial of the identification private key of the user corresponding to the signature master private key, and m is greater than the order of the sharing polynomial of the identification private key of the user;
a processing unit configured to generate an identification private key of the user according to the second secret share;
the processing unit is configured to determine the sharing polynomial of the identification private key of the user by Lagrange interpolation according to the third parameter $Y_i$ in the second secret share;
the processing unit is further configured to determine the identification private key of the user according to the sharing polynomial of the identification private key.
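The share arithmetic of claims 10, 14 and 16 can be traced end to end with the following Python sketch, which is an added example and not part of the patent text. Assumptions: the group element [k]P1 is modeled by the scalar k modulo a constructed prime N, the first secret shares are dealt by a single party as in claim 13, and all function names are hypothetical.

```python
import secrets

# Toy model (assumption): [k]P1 is represented by k mod N, so point
# arithmetic on the SM9 group becomes modular arithmetic on scalars.
N = 2**127 - 1  # constructed prime standing in for the SM9 group order

def share(secret, degree, xs):
    """Shamir-share `secret` on a random polynomial of the given degree."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(degree)]
    return {x: sum(c * pow(x, k, N) for k, c in enumerate(coeffs)) % N
            for x in xs}

def interpolate_at_zero(points):
    """Lagrange interpolation of {x: y} evaluated at x = 0 (mod N)."""
    total = 0
    for xi, yi in points.items():
        lam = 1
        for xj in points:
            if xj != xi:
                lam = lam * xj % N * pow(xj - xi, -1, N) % N
        total = (total + yi * lam) % N
    return total

def kgc_second_shares(ks, h_id, t, xs):
    """Return the Y_i each key generation center sends to the user."""
    beta = 1 + secrets.randbelow(N - 1)          # non-zero parameter
    ks_s = share(ks, t, xs)                      # second parameter ks_i
    b_s = share(beta, t, xs)                     # fourth parameter beta_i
    th_s = share(0, 2 * t, xs)                   # fifth parameter theta_i
    # Sixth parameter, disclosed by every center: a degree-2t share.
    gamma_i = {x: (b_s[x] * (h_id + ks_s[x]) + th_s[x]) % N for x in xs}
    # Seventh parameter: needs at least 2t+1 disclosed gamma_i.
    gamma = interpolate_at_zero(gamma_i)         # equals beta * (h_id + ks)
    g_inv = pow(gamma, -1, N)
    # Third parameter Y_i = [gamma^-1 * beta_i * ks_i]P1 (scalar part only).
    return {x: g_inv * b_s[x] % N * ks_s[x] % N for x in xs}

def user_private_key(y_shares):
    """Claim 16: interpolate the Y_i; the key is the value at x = 0."""
    return interpolate_at_zero(y_shares)
```

Because the product of two degree-t shares lies on a degree-2t polynomial, the user needs m of at least 2t+1 shares; with fewer, the interpolated value is unrelated to the key.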
CN201910409556.9A 2019-05-16 2019-05-16 Data processing method and device Active CN111953479B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910409556.9A CN111953479B (en) 2019-05-16 2019-05-16 Data processing method and device


Publications (2)

Publication Number Publication Date
CN111953479A CN111953479A (en) 2020-11-17
CN111953479B true CN111953479B (en) 2022-05-10

Family

ID=73335964


Country Status (1)

Country Link
CN (1) CN111953479B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant