CN112118111A - SM2 digital signature method suitable for threshold calculation - Google Patents


Publication number
CN112118111A
Authority
CN
China
Prior art keywords
digital signature
signer
signature
verifier
algorithm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010919794.7A
Other languages
Chinese (zh)
Other versions
CN112118111B (en)
Inventor
荆继武
张译尹
王平建
刘丽敏
寇春静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Chinese Academy of Sciences
Original Assignee
University of Chinese Academy of Sciences
Application filed by University of Chinese Academy of Sciences
Priority to CN202010919794.7A
Publication of CN112118111A
Application granted
Publication of CN112118111B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of cryptography, in particular to an SM2 digital signature method suitable for threshold calculation. In the method, the signer first generates an SM2 digital signature key and sends the public key to the verifier; the signer then generates an SM2 digital signature (r, s) and sends it to the verifier; finally, the verifier verifies the received SM2 digital signature (r, s). The signature generation stage involves neither multiplication between secret values nor inversion of secret values. Both operations are expensive in threshold calculation, so the method is better suited to threshold calculation than the standard SM2 algorithm. Moreover, the digital signature (r, s) generated by the method can be used alongside digital signatures generated by the standard SM2 algorithm and can be verified with the same signature verification algorithm as the standard SM2 algorithm, so the method has good compatibility with the standard SM2 algorithm.

Description

SM2 digital signature method suitable for threshold calculation
Technical Field
The invention relates to the technical field of cryptography, in particular to an SM2 digital signature method suitable for threshold calculation.
Background
The SM2 algorithm is an elliptic curve public key cryptographic algorithm issued by the State Cryptography Administration. It can be used for encryption, decryption and digital signatures, and is widely applied in the field of cryptography. For the details of the algorithm, refer to GM/T 0003-2012, "SM2 elliptic curve public key cryptographic algorithm". The digital signature method of the standard SM2 algorithm is briefly described as follows:
SM2 algorithm parameters
a) $F_q$ is a finite field containing $q$ elements;
b) $E$ is an elliptic curve defined over the finite field $F_q$;
c) $G$ is a base point on the elliptic curve $E$, and the order of the base point is prime;
d) $n$ is the order of $G$.
SM2 algorithm key generation procedure
a) Randomly select a private key $d \in [1, n-2]$;
b) Calculate $P = d[*]G$ and publish $P$ as the public key.
SM2 algorithm digital signature generation process
a) The signer selects a random number $k \in [1, n-1]$;
b) The signer calculates $k[*]G = (x_1, y_1)$;
c) The signer calculates $r = (\mathrm{Hash}(m) + x_1) \bmod n$, where $m$ is the message to be signed and Hash() is a cryptographic hash function; if $r = 0$ or $r + k = n$, the random number $k$ is reselected;
d) The signer calculates $s = (1+d)^{-1}(k - rd) \bmod n$; if $s = 0$, the random number $k$ is reselected; otherwise $(r, s)$ is taken as the signature result.
SM2 algorithm signature verification process
a) After receiving $m$ and $(r, s)$, the verifier checks that $r, s \in [1, n-1]$ and $r + s \neq n$;
b) The verifier calculates $(x'_1, y'_1) = s[*]G[+](r+s)[*]P$;
c) The verifier calculates $r' = (\mathrm{Hash}(m') + x'_1) \bmod n$;
d) The verifier checks whether $r'$ equals $r$; if so, signature verification passes; otherwise, verification fails.
However, the digital signature method of the standard SM2 algorithm computes $s = (1+d)^{-1}(k - rd) \bmod n$ when generating a digital signature; that is, an inversion operation is required every time a new digital signature is calculated, so the computational overhead is large and the efficiency of signature generation suffers. Furthermore, the calculation includes a multiplication between the secret value $(1+d)^{-1}$ and the secret value $(k - rd)$, which hinders extending the algorithm to more application scenarios. For example, in a threshold signature scheme, multiplication between threshold-shared secret values is expensive and places a high requirement on the proportion of correctly behaving participants among all participants, so the standard SM2 algorithm is not well suited to threshold signature scenarios.
Disclosure of Invention
The invention aims to provide an SM2 digital signature method suitable for threshold calculation in which generating a digital signature involves no inversion operation and avoids multiplication between secret values, so that the efficiency of signature generation and the extensibility of the digital signature scheme are improved while the digital signature is still generated securely.
The SM2 digital signature method suitable for threshold calculation provided by the invention comprises the following steps:
(1) The signer generates a key $(d', P)$ and a signature parameter $Q$, comprising the steps of:
(1-1) the signer generates a random number in $[2, n-1]$, uses it as the private key factor $d'$ and stores it secretly, so that $d' \in [2, n-1]$, where $n$ is the order of the base point $G$ of the elliptic curve $E$;
(1-2) the signer calculates the public key $P = (d'^{-1} - 1)[*]G$ from the private key factor $d'$ of step (1-1) and sends the public key $P$ to the verifier; where $[*]$ denotes point (scalar) multiplication on the elliptic curve $E$, $d'^{-1}$ denotes the multiplicative inverse of the private key factor $d'$ in the finite field $F_n$, $F_n$ is the finite field with $n$ elements, and $G$ is a base point of order $n$ on the elliptic curve $E$;
(1-3) the signer calculates the signature parameter $Q = G[+]P$ from the public key $P$ of step (1-1); where $[+]$ denotes point addition on the elliptic curve $E$.
(2) The signer generates an SM2 digital signature $(r, s)$, comprising the steps of:
(2-1) the signer generates a random number $k' \in [1, n-1]$;
(2-2) the signer calculates the coordinates $(x_1, y_1) = k'[*]Q$ from the random number $k'$ and the signature parameter $Q$;
(2-3) from the coordinates $(x_1, y_1)$ of step (2-2), the signer uses addition in the finite field $F_n$ to obtain the first part $r$ of the SM2 digital signature $(r, s)$, $r = (\mathrm{Hash}(m) + x_1) \bmod n$, and checks $r$ with the first digital signature validity judgment algorithm; if $r$ fails the check, the signer returns to step (2-1) and reselects the random number $k'$; if $r$ passes, step (2-4) is executed; where $m$ is the message to be signed, Hash() is a cryptographic hash function, and mod is the modulo operation;
(2-4) from the first part $r$ of step (2-3), the random number $k'$ of step (2-1) and the signer's private key factor $d'$, the signer uses addition and multiplication in the finite field $F_n$ to obtain the second part $s$ of the SM2 digital signature $(r, s)$, $s = (d'r + k' - r) \bmod n$, and checks $s$ with the second digital signature validity judgment algorithm; if $s$ fails the check, the signer returns to step (2-1) and reselects the random number $k'$; if $s$ passes, step (2-5) is executed;
(2-5) the signer sends the SM2 digital signature $(r, s)$ that passed the checks to the verifier as the digital signature of the message $m$ to be signed.
(3) The verifier verifies the received SM2 digital signature $(r, s)$, comprising the steps of:
(3-1) the verifier checks the SM2 digital signature $(r, s)$ from the signer: if $r \in [1, n-1]$, $s \in [1, n-1]$ and $r + s \neq n$, step (3-2) is performed; if $r \notin [1, n-1]$, or $s \notin [1, n-1]$, or $r + s = n$, verification of the digital signature $(r, s)$ fails;
(3-2) the verifier calculates the coordinates $(x'_1, y'_1) = s[*]G[+](r+s)[*]P$ from the signer's public key $P$ and the SM2 digital signature $(r, s)$;
(3-3) from the coordinates $(x'_1, y'_1)$ of step (3-2) and the message $m'$ to be verified, the verifier calculates $r' = (\mathrm{Hash}(m') + x'_1) \bmod n$;
(3-4) the verifier compares $r$ and $r'$; if they are equal, verification of the SM2 digital signature $(r, s)$ passes; if they are not equal, verification of the SM2 digital signature $(r, s)$ fails.
In the SM2 digital signature method, when generating a digital signature, the first digital signature validity judgment algorithm is: if $r = 0$, the check fails; if $r \neq 0$, the check passes.
In the SM2 digital signature method, when generating a digital signature, the second digital signature validity judgment algorithm is: if $s = 0$ or $s + r = n$, the check fails; if $s \neq 0$ and $s + r \neq n$, the check passes.
The SM2 digital signature method suitable for threshold calculation provided by the invention has the advantages that:
The SM2 digital signature method suitable for threshold calculation can securely generate the digital signature (r, s) of the message m without an inversion operation each time a new digital signature is calculated, which improves the efficiency of signature generation. In addition, the signature generation calculation involves no multiplication between secret values, which enhances the extensibility of the digital signature scheme. Moreover, digital signatures generated by the method of the invention can be used alongside digital signatures generated by the standard SM2 algorithm, and both can be verified with the same signature verification method, so the method has good compatibility with the standard SM2 algorithm.
Drawings
Fig. 1 is a general flow chart of the SM2 digital signature method suitable for threshold calculation according to the present invention.
Fig. 2 is a flowchart of a key generation method in the method of the present invention.
Fig. 3 is a flow chart of a digital signature generation method in the method of the present invention.
FIG. 4 is a flow chart of a method for verifying a signature in the method of the present invention.
Detailed Description
The general flow chart of the SM2 digital signature method suitable for threshold calculation provided by the present invention is shown in fig. 1, and includes the following steps:
(1) The signer generates a key $(d', P)$ and a signature parameter $Q$, comprising the steps of:
(1-1) the signer generates a random number in $[2, n-1]$, uses it as the private key factor $d'$ and stores it secretly, so that $d' \in [2, n-1]$, where $n$ is the order of the base point $G$ of the elliptic curve $E$;
(1-2) the signer calculates the public key $P = (d'^{-1} - 1)[*]G$ from the private key factor $d'$ of step (1-1) and sends the public key $P$ to the verifier; where $[*]$ denotes point (scalar) multiplication on the elliptic curve $E$, $d'^{-1}$ denotes the multiplicative inverse of the private key factor $d'$ in the finite field $F_n$, $F_n$ is the finite field with $n$ elements, and $G$ is a base point of order $n$ on the elliptic curve $E$;
(1-3) the signer calculates the signature parameter $Q = G[+]P$ from the public key $P$ of step (1-1); where $[+]$ denotes point addition on the elliptic curve $E$.
(2) The signer generates an SM2 digital signature $(r, s)$, comprising the steps of:
(2-1) the signer generates a random number $k' \in [1, n-1]$;
(2-2) the signer calculates the coordinates $(x_1, y_1) = k'[*]Q$ from the random number $k'$ and the signature parameter $Q$;
(2-3) from the coordinates $(x_1, y_1)$ of step (2-2), the signer uses addition in the finite field $F_n$ to obtain the first part $r$ of the SM2 digital signature $(r, s)$, $r = (\mathrm{Hash}(m) + x_1) \bmod n$, and checks $r$ with the first digital signature validity judgment algorithm; if $r$ fails the check, the signer returns to step (2-1) and reselects the random number $k'$; if $r$ passes, step (2-4) is executed; where $m$ is the message to be signed, Hash() is a cryptographic hash function, and mod is the modulo operation;
(2-4) from the first part $r$ of step (2-3), the random number $k'$ of step (2-1) and the signer's private key factor $d'$, the signer uses addition and multiplication in the finite field $F_n$ to obtain the second part $s$ of the SM2 digital signature $(r, s)$, $s = (d'r + k' - r) \bmod n$, and checks $s$ with the second digital signature validity judgment algorithm; if $s$ fails the check, the signer returns to step (2-1) and reselects the random number $k'$; if $s$ passes, step (2-5) is executed;
(2-5) the signer sends the SM2 digital signature $(r, s)$ that passed the checks to the verifier as the digital signature of the message $m$ to be signed.
(3) The verifier verifies the received SM2 digital signature $(r, s)$, comprising the steps of:
(3-1) the verifier checks the SM2 digital signature $(r, s)$ from the signer: if $r \in [1, n-1]$, $s \in [1, n-1]$ and $r + s \neq n$, step (3-2) is performed; if $r \notin [1, n-1]$, or $s \notin [1, n-1]$, or $r + s = n$, verification of the digital signature $(r, s)$ fails;
(3-2) the verifier calculates the coordinates $(x'_1, y'_1) = s[*]G[+](r+s)[*]P$ from the signer's public key $P$ and the SM2 digital signature $(r, s)$;
(3-3) from the coordinates $(x'_1, y'_1)$ of step (3-2) and the message $m'$ to be verified, the verifier calculates $r' = (\mathrm{Hash}(m') + x'_1) \bmod n$;
(3-4) the verifier compares $r$ and $r'$; if they are equal, verification of the SM2 digital signature $(r, s)$ passes; if they are not equal, verification of the SM2 digital signature $(r, s)$ fails.
In the above method, when generating the digital signature, the first digital signature validity judgment algorithm is: if $r = 0$, the check fails; if $r \neq 0$, the check passes.
In the above method, when generating the digital signature, the second digital signature validity judgment algorithm is: if $s = 0$ or $s + r = n$, the check fails; if $s \neq 0$ and $s + r \neq n$, the check passes.
Addressing the problems in the prior art, the SM2 digital signature method suitable for threshold calculation provided by the invention can securely and efficiently generate the digital signature (r, s) of the message m and has good extensibility.
The embodiments of the present invention will be described in detail with reference to the accompanying drawings.
The signer shares the elliptic curve parameters $F_q$, $E$, $G$ and $n$ of the SM2 algorithm with the verifier, where $F_q$ is a finite field, $E$ is an elliptic curve defined over the finite field $F_q$, $G$ is a preselected base point on the elliptic curve $E$, and $n$ is the order of the base point $G$.
Fig. 1 is a flowchart of an SM2 signature method suitable for threshold calculation according to the present invention, as shown in fig. 1, including the following steps 11-13.
Step 11: the signer locally generates the SM2 private key factor d 'and public key P, secretly stores the private key factor d' and publishes the public key P.
Step 12: the signer uses the private key factor $d'$ to generate the SM2 digital signature $(r, s)$, where $r = (\mathrm{Hash}(m) + x_1) \bmod n$ and $s = (d'r + k' - r) \bmod n$, and sends the digital signature $(r, s)$ to the verifier.
Step 13: the verifier verifies the digital signature (r, s) using the public key P using the standard SM2 algorithm signature verification method.
Fig. 2 is a flowchart of an embodiment of a key generation method of an SM2 signing method suitable for threshold calculation according to the present invention, as shown in fig. 2, including the following steps 21-23.
Step 21: the signer secretly generates a random number in $[2, n-1]$ and stores it secretly as the private key factor $d'$ of the signature method, i.e. $d' \in [2, n-1]$.
Step 22: the signer calculates $(d'^{-1} - 1)[*]G$ as the public key $P$ of the signature algorithm and discloses it to the verifier, i.e. $P = (d'^{-1} - 1)[*]G$; where $[*]$ denotes point (scalar) multiplication on the elliptic curve $E$.
Step 23: the signer calculates $G[+]P$ as the parameter $Q$, i.e. $Q = G[+]P$; where $[+]$ denotes point addition on the elliptic curve $E$.
Fig. 3 is a flowchart of an embodiment of a digital signature generation method of the SM2 signature method suitable for threshold calculation according to the present invention, and as shown in fig. 3, the method includes the following steps 31-37.
Step 31: the signer secretly generates a random number in $[1, n-1]$ and takes it as $k'$, i.e. $k' \in [1, n-1]$.
Step 32: the signer calculates $k'[*]Q$ and takes the result as $(x_1, y_1)$, i.e. $(x_1, y_1) = k'[*]Q$.
Step 33: the signer calculates $(\mathrm{Hash}(m) + x_1) \bmod n$ and takes the result as the first part $r$ of the digital signature, i.e. $r = (\mathrm{Hash}(m) + x_1) \bmod n$; where $m$ is the message to be signed, Hash() denotes the cryptographic hash function, and mod denotes the modulo operation.
Step 34: the signer checks $r$; if $r = 0$, steps 21 to 23 are executed again.
Step 35: the signer calculates $(d'r + k' - r) \bmod n$ and takes the result as the second part $s$ of the digital signature, i.e. $s = (d'r + k' - r) \bmod n$.
Step 36: the signer checks $s$; if $s = 0$ or $s + r = n$, steps 21 to 25 are executed again.
Step 37: the signer takes $(r, s)$ as the digital signature of the message $m$ under the present signature algorithm and sends it to the verifier.
Fig. 4 is a flowchart of an embodiment of the signature verification method in the signature method of the present invention; as shown in fig. 4, it includes the following steps 41-44.
Step 41: the verifier receives the digital signature $(r, s)$ and checks that $r, s \in [1, n-1]$ and $r + s \neq n$.
Step 42: the verifier calculates $s[*]G[+](r+s)[*]P$ and takes the result as $(x'_1, y'_1)$, i.e. $(x'_1, y'_1) = s[*]G[+](r+s)[*]P$.
Step 43: the verifier calculates $(\mathrm{Hash}(m') + x'_1) \bmod n$ and takes the result as $r'$, i.e. $r' = (\mathrm{Hash}(m') + x'_1) \bmod n$.
Step 44: the verifier compares $r'$ and $r$; if $r'$ and $r$ are equal, signature verification passes; otherwise, verification fails.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
The signature method of the invention is compared with the signature method of the standard SM2 algorithm as follows.
The key generation method of the signature method of the invention compares with the standard SM2 algorithm as follows:
1. The private key $d \in [1, n-2]$ of the standard SM2 algorithm can be calculated from the private key factor $d' \in [2, n-1]$ of the signature method of the invention, i.e. $d = d'^{-1} - 1$;
2. The public key of the standard SM2 algorithm is identical to the public key generated by the signature method of the invention, i.e. $P = d[*]G = (d'^{-1} - 1)[*]G$.
The digital signature generation method of the signature method of the invention compares with the standard SM2 algorithm as follows:
1. The random number $k \in [1, n-1]$ used by the standard SM2 signature method can be calculated from the random number $k' \in [1, n-1]$ used by the signature method of the invention, i.e. $k = d'^{-1}k'$;
2. The parameter $(x_1, y_1)$ calculated by the standard SM2 signature method is the same as that of the signature method of the invention, i.e. $(x_1, y_1) = k[*]G = k'[*](G[+]P)$;
3. The first part $r$ of the signature generated by the standard SM2 signature method is calculated in the same way, and with the same result, as in the signature method of the invention, i.e. $r = (\mathrm{Hash}(m) + x_1) \bmod n$;
4. The second part $s$ of the signature generated by the standard SM2 signature method has the same value as in the signature method of the invention, i.e. $s = (1+d)^{-1}(k - rd) \bmod n = (d'r + k' - r) \bmod n$;
5. The signature validity conditions of the standard SM2 signature method are the same as those of the signature method of the invention. Specifically, during digital signature generation the standard SM2 algorithm requires $r \neq 0$, $r + k \neq n$ and $s \neq 0$, while the signature method of the invention requires that the signature $(r, s)$ satisfy $r \neq 0$, $s \neq 0$ and $s + r \neq n$. If $r + k = n$, then $s + r \equiv (1+d)^{-1}(k - rd) + r \equiv (1+d)^{-1}(n - r - rd) + r \equiv 0 \pmod n$, and since $r \neq 0$ and $s, r \in [0, n-1]$, it follows that $s + r = n$. Conversely, if $s + r = n$, then $s + r \equiv (1+d)^{-1}(k - rd) + r \equiv (1+d)^{-1}(k + r) \equiv 0 \pmod n$, so $k + r \equiv 0 \pmod n$, and since $k, r \in [1, n-1]$, it follows that $r + k = n$. Therefore, given $r \neq 0$ and $s \neq 0$, $r + k \neq n$ if and only if $s + r \neq n$; that is, the signature validity conditions of the standard SM2 signature method are the same as those of the signature method of the invention.
As described above, the result of the invention is the same as that of the standard SM2 algorithm: the digital signature (r, s) generated by the method can be used as a digital signature generated by the standard SM2 algorithm and can be verified with the same signature verification algorithm as the standard SM2 algorithm, so the method has good compatibility with the standard SM2 algorithm.
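Added example, not part of the patent text: a Python sketch of the key generation, signing and verification steps described above, run on the SM2 recommended curve, which checks the comparison in this section by signing once with the described method and once with standard SM2 under d = d'^-1 - 1 and k = d'^-1 k'. The curve constants (taken from the SM2 standard, not from this page), the use of SHA-256 as Hash(), and all function names are assumptions of this example.

```python
import hashlib
import secrets


def _h(words):
    """Parse a space-grouped hex string."""
    return int(words.replace(" ", ""), 16)


# SM2 recommended curve y^2 = x^3 + a*x + b over F_p (constants from the standard,
# not from this page). b is omitted: the affine formulas below do not use it.
p = 2**256 - 2**224 - 2**96 + 2**64 - 1
a = p - 3
n = _h("FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123")
G = (_h("32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7"),
     _h("BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0"))


def ec_add(P1, P2):
    """[+]: affine point addition; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def ec_mul(k, P):
    """[*]: double-and-add scalar multiplication (not constant-time; illustration only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def H(m):
    # Assumption: SHA-256 stands in for Hash(); deployed SM2 hashes Z_A || M with SM3.
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def keygen(d_prime=None):
    """Steps (1-1)..(1-3): d' in [2, n-1], P = (d'^-1 - 1)[*]G, Q = G[+]P."""
    if d_prime is None:
        d_prime = 2 + secrets.randbelow(n - 2)
    P = ec_mul((pow(d_prime, -1, n) - 1) % n, G)
    return d_prime, P, ec_add(G, P)


def sign_variant(m, d_prime, Q, k_prime):
    """Steps (2-2)..(2-4); returns None when k' has to be reselected."""
    x1, _ = ec_mul(k_prime, Q)
    r = (H(m) + x1) % n
    if r == 0:
        return None
    s = (d_prime * r + k_prime - r) % n  # linear in the secrets d' and k'
    if s == 0 or s + r == n:
        return None
    return r, s


def sign_standard(m, d, k):
    """Standard SM2 signing; returns None when k has to be reselected."""
    x1, _ = ec_mul(k, G)
    r = (H(m) + x1) % n
    if r == 0 or r + k == n:
        return None
    s = pow(1 + d, -1, n) * (k - r * d) % n  # product of two secret values
    return (r, s) if s != 0 else None


def verify(m, sig, P):
    """Standard SM2 verification, steps (3-1)..(3-4)."""
    r, s = sig
    if not (1 <= r < n and 1 <= s < n) or r + s == n:
        return False
    pt = ec_add(ec_mul(s, G), ec_mul((r + s) % n, P))
    return pt is not None and (H(m) + pt[0]) % n == r


def compare(m, d_prime, k_prime):
    """Sign with the described method, then with standard SM2 using the mapped d and k."""
    d_prime, P, Q = keygen(d_prime)
    inv = pow(d_prime, -1, n)
    variant = sign_variant(m, d_prime, Q, k_prime)
    standard = sign_standard(m, (inv - 1) % n, inv * k_prime % n)
    return variant, standard, P


if __name__ == "__main__":
    msg = b"constructed sample message"
    v, st, pub = compare(msg, None, 1 + secrets.randbelow(n - 1))
    print("same (r, s):", v == st, "| verifies:", v is not None and verify(msg, v, pub))
```
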

Claims (3)

1. An SM2 digital signature method suitable for threshold computation, the method comprising:
(1) The signer generates a key $(d', P)$ and a signature parameter $Q$, comprising the steps of:
(1-1) the signer generates a random number in $[2, n-1]$, uses it as the private key factor $d'$ and stores it secretly, so that $d' \in [2, n-1]$, where $n$ is the order of the base point $G$ of the elliptic curve $E$;
(1-2) the signer calculates the public key $P = (d'^{-1} - 1)[*]G$ from the private key factor $d'$ of step (1-1) and sends the public key $P$ to the verifier; where $[*]$ denotes point (scalar) multiplication on the elliptic curve $E$, $d'^{-1}$ denotes the multiplicative inverse of the private key factor $d'$ in the finite field $F_n$, $F_n$ is the finite field with $n$ elements, and $G$ is a base point of order $n$ on the elliptic curve $E$;
(1-3) the signer calculates the signature parameter $Q = G[+]P$ from the public key $P$ of step (1-1); where $[+]$ denotes point addition on the elliptic curve $E$.
(2) The signer generates an SM2 digital signature $(r, s)$, comprising the steps of:
(2-1) the signer generates a random number $k' \in [1, n-1]$;
(2-2) the signer calculates the coordinates $(x_1, y_1) = k'[*]Q$ from the random number $k'$ and the signature parameter $Q$;
(2-3) from the coordinates $(x_1, y_1)$ of step (2-2), the signer uses addition in the finite field $F_n$ to obtain the first part $r$ of the SM2 digital signature $(r, s)$, $r = (\mathrm{Hash}(m) + x_1) \bmod n$, and checks $r$ with the first digital signature validity judgment algorithm; if $r$ fails the check, the signer returns to step (2-1) and reselects the random number $k'$; if $r$ passes, step (2-4) is executed; where $m$ is the message to be signed, Hash() is a cryptographic hash function, and mod is the modulo operation;
(2-4) from the first part $r$ of step (2-3), the random number $k'$ of step (2-1) and the signer's private key factor $d'$, the signer uses addition and multiplication in the finite field $F_n$ to obtain the second part $s$ of the SM2 digital signature $(r, s)$, $s = (d'r + k' - r) \bmod n$, and checks $s$ with the second digital signature validity judgment algorithm; if $s$ fails the check, the signer returns to step (2-1) and reselects the random number $k'$; if $s$ passes, step (2-5) is executed;
(2-5) the signer sends the SM2 digital signature $(r, s)$ that passed the checks to the verifier as the digital signature of the message $m$ to be signed.
(3) The verifier verifies the received SM2 digital signature $(r, s)$, comprising the steps of:
(3-1) the verifier checks the SM2 digital signature $(r, s)$ from the signer: if $r \in [1, n-1]$, $s \in [1, n-1]$ and $r + s \neq n$, step (3-2) is performed; if $r \notin [1, n-1]$, or $s \notin [1, n-1]$, or $r + s = n$, verification of the digital signature $(r, s)$ fails;
(3-2) the verifier calculates the coordinates $(x'_1, y'_1) = s[*]G[+](r+s)[*]P$ from the signer's public key $P$ and the SM2 digital signature $(r, s)$;
(3-3) from the coordinates $(x'_1, y'_1)$ of step (3-2) and the message $m'$ to be verified, the verifier calculates $r' = (\mathrm{Hash}(m') + x'_1) \bmod n$;
(3-4) the verifier compares $r$ and $r'$; if they are equal, verification of the SM2 digital signature $(r, s)$ passes; if they are not equal, verification of the SM2 digital signature $(r, s)$ fails.
2. The SM2 digital signature method of claim 1, wherein when generating the digital signature, the first digital signature validity judgment algorithm is: if $r = 0$, the check fails; if $r \neq 0$, the check passes.
3. The SM2 digital signature method of claim 1, wherein when generating the digital signature, the second digital signature validity judgment algorithm is: if $s = 0$ or $s + r = n$, the check fails; if $s \neq 0$ and $s + r \neq n$, the check passes.
Priority Applications (1), Applications Claiming Priority (1), Family Applications (1)

Application Number: CN202010919794.7A
Priority Date: 2020-09-04
Filing Date: 2020-09-04
Title: SM2 digital signature method suitable for threshold calculation
Status: Active
Publication: CN112118111B (en)

Publications (2)

Publication Number, Publication Date
CN112118111A, 2020-12-22
CN112118111B, 2023-10-13

Family ID: 73801742

Country Status (1)

CN: CN112118111B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112632475A (en) * 2020-12-30 2021-04-09 郑州轻工业大学 Picture copyright protection system and method based on state password and picture steganography
CN112926074A (en) * 2021-03-26 2021-06-08 成都卫士通信息产业股份有限公司 SM9 key thresholding generation method, device, equipment and storage medium
CN113904777A (en) * 2021-09-23 2022-01-07 武汉大学 Signcryption method based on SM2 digital signature algorithm
CN114257380A (en) * 2021-12-20 2022-03-29 湖南国科微电子股份有限公司 Digital signature method, system and equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102761415A (en) * 2011-04-27 2012-10-31 航天信息股份有限公司 System for generating, verifying and mixing digital signatures of p-element domain SM2 elliptic curves
US20140211938A1 (en) * 2013-01-29 2014-07-31 Certicom Corp. Modified elliptic curve signature algorithm for message recovery
WO2014120121A1 (en) * 2013-01-29 2014-08-07 Certicom Corp. Modified sm2 elliptic curve signature algorithm supporting message recovery
CN109660351A (en) * 2018-11-08 2019-04-19 北京大学 A kind of digital signature rapid generation of SM2 public key cryptography

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102761415A (en) * 2011-04-27 2012-10-31 航天信息股份有限公司 System for generating, verifying and mixing digital signatures of p-element domain SM2 elliptic curves
US20140211938A1 (en) * 2013-01-29 2014-07-31 Certicom Corp. Modified elliptic curve signature algorithm for message recovery
WO2014120121A1 (en) * 2013-01-29 2014-08-07 Certicom Corp. Modified sm2 elliptic curve signature algorithm supporting message recovery
EP2951949A1 (en) * 2013-01-29 2015-12-09 Certicom Corp. Modified sm2 elliptic curve signature algorithm supporting message recovery
CN109660351A (en) * 2018-11-08 2019-04-19 北京大学 A kind of digital signature rapid generation of SM2 public key cryptography

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
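Peng Qingjun: "A verifiable threshold signature scheme based on elliptic curves", Communications Technology, no. 03 *
Guo Qingxiao; Zhang Dawei; Chang Liang; Liu Xiaodong; Song Jingwen: "Design and implementation of a proxy-protected proxy signature based on SM2", Chinese Journal of Network and Information Security, no. 09 *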

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112632475A (en) * 2020-12-30 2021-04-09 郑州轻工业大学 Picture copyright protection system and method based on state password and picture steganography
CN112632475B (en) * 2020-12-30 2024-03-29 郑州轻工业大学 Picture copyright protection system and method based on national password and picture steganography
CN112926074A (en) * 2021-03-26 2021-06-08 成都卫士通信息产业股份有限公司 SM9 key thresholding generation method, device, equipment and storage medium
CN113904777A (en) * 2021-09-23 2022-01-07 武汉大学 Signcryption method based on SM2 digital signature algorithm
CN113904777B (en) * 2021-09-23 2023-10-03 武汉大学 SM2 digital signature algorithm-based signcryption method
CN114257380A (en) * 2021-12-20 2022-03-29 湖南国科微电子股份有限公司 Digital signature method, system and equipment

Also Published As

Publication number Publication date
CN112118111B (en) 2023-10-13

Similar Documents

Publication Publication Date Title
CN110505058B (en) Identity authentication method for heterogeneous block chain in cross-chain scene
US9967239B2 (en) Method and apparatus for verifiable generation of public keys
CN107707358B (en) EC-KCDSA digital signature generation method and system
CN112118111B (en) SM2 digital signature method suitable for threshold calculation
US20180359097A1 (en) Digital signing by utilizing multiple distinct signing keys, distributed between two parties
CN107248909B (en) Certificateless secure signature method based on SM2 algorithm
CN110138567B (en) ECDSA (electronic signature system) based collaborative signature method
US20140344576A1 (en) Key validation scheme
US9800418B2 (en) Signature protocol
CN107911217B (en) Method and device for cooperatively generating signature based on ECDSA algorithm and data processing system
CN106936584B (en) Method for constructing certificateless public key cryptosystem
US20010014153A1 (en) Key validation scheme
CN115208586B (en) Secret sharing-based digital signature method and system
CN113162773A (en) Heterogeneous blind signcryption method capable of proving safety
CN114726546A (en) Digital identity authentication method, device, equipment and storage medium
WO2014205571A1 (en) Signature protocol
CN109064170B (en) Group signature method without trusted center
CN113132104A (en) Active and safe ECDSA (electronic signature SA) digital signature two-party generation method
CN110798313B (en) Secret dynamic sharing-based collaborative generation method and system for number containing secret
EP3935779B1 (en) A method for providing a digital signature to a message
CN110557260B (en) SM9 digital signature generation method and device
CN112653554A (en) Signature method, system, equipment and readable storage medium
JP4307589B2 (en) Authentication protocol
WO2016187689A1 (en) Signature protocol
JP2004526387A (en) Ring-based signature scheme

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant