CN113014399B - Pairing operation method and system for resource-limited device - Google Patents

Pairing operation method and system for resource-limited device

Info

Publication number: CN113014399B
Application number: CN202110349795.7A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113014399A
Inventor: 龙毅宏
Current Assignee: Wuhan University of Technology WUT
Original Assignee: Wuhan University of Technology WUT

Abstract

The pairing operation method for the resource-limited device comprises the following: the first party is a resource-constrained device and the second party is a non-resource-constrained device; there is a bilinear map $e: G_1 \times G_2 \to G_T$ whose order is a prime number $n$; the first party has secrets $c$, $k$ and $Q = [ck]P_2 + [c]P_{pub,2}$; when the first party needs to compute $u = e(S, P)$, where $P = [h_1]P_2 + P_{pub,2}$, $h_1$ is an integer and $P_{pub,2} = [s_2]P_2$, it gives $Q$ to the second party; the second party computes $g_1 = e(S, P_2)$, $g_2 = e(S, Q)$; the first party uses $g_1$, $g_2$ to obtain the value of $u = e(S, P)$. Alternatively, the first party has a secret $c$ and an element $P_z$ of group $G_1$, with $g_{z1} = e(P_z, P_2)^{-1}$, $g_{z2} = e(P_z, P_{pub,2})^{-1}$; when the first party needs to compute $u = e(S, P)$, it computes $S_1 = [c](S + P_z)$; the second party computes $P = [h_1]P_2 + P_{pub,2}$, $u_1 = e(S_1, P)$; the first party uses $g_{z1}$, $g_{z2}$, $u_1$ to obtain the value of $u = e(S, P)$.

Description

Pairing operation method and system for resource-limited device
Technical Field
The invention belongs to the technical field of cryptography, and particularly relates to a pairing operation method and a pairing operation system for SM9 signature verification on a resource-limited device.
Background
Compared with PKI (Public Key Infrastructure), which relies on digital certificate technology, Identity Based Cryptography (IBC) removes the troublesome step of obtaining the public-key digital certificate of the private-key owner, is simple to implement, is receiving increasing attention, and has wide application prospects.
Identity-based cryptography can be used for data encryption (Identity Based Encryption, IBE) and digital signature (Identity Based Signature, IBS). At present, most identity-based cryptographic algorithms are built on a bilinear map (also called a pairing or pairing operation), where the bilinear map (pairing operation) is as follows:
$e: G_1 \times G_2 \to G_T$, where $G_1$, $G_2$ (the groups of the pairing or bilinear map) are additive cyclic groups, $G_T$ is a multiplicative cyclic group, and the order of $G_1$, $G_2$, $G_T$ is a prime number $n$ (in the SM9 specification the order of $G_1$, $G_2$, $G_T$ is written with the capital letter $N$); that is, if $P$ is an element of $G_1$, $Q$ is an element of $G_2$, and $R$ is an element of $G_1$ or $G_2$ as appropriate, then $e(P, Q)$ is an element of $G_T$ and:
$e(P + R, Q) = e(P, Q)\,e(R, Q)$,
$e(P, Q + R) = e(P, Q)\,e(P, R)$,
$e([a]P, [b]Q) = e(P, Q)^{ab}$,
where $a$ and $b$ are integers in $[0, n-1]$, and $[a]P$, $[b]Q$ denote scalar multiples of the points $P$, $Q$.
SM9 is an identity-based cryptographic algorithm built on a bilinear map (pairing operation) and issued by the national cryptographic authority. The SM9 cryptographic algorithm can realize identity-based digital signature, key exchange and data encryption. In the SM9 cryptographic algorithm, the process by which a user generates a digital signature for a message $M$ with the SM9 identity private key $d_A$ used for signing is as follows:
compute $w = g^{r}$, where $r$ is an integer randomly selected in the interval $[1, n-1]$ during signature computation, $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, $s$ is the master private key or master key, and $P_2$ is the generator of $G_2$; see the SM9 specification; note that the symbols used here for the master private key or master key, the master public key, and the user's SM9 signing private key differ from those in the SM9 specification);
then compute $h = H_2(M \| w, n)$, where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the byte strings of $M$ and $w$, and $n$ is the order of $G_1$, $G_2$, $G_T$ (see the SM9 specification; note that the group order here uses a symbol slightly different from the SM9 specification, the lower-case letter $n$, while the SM9 specification uses the upper-case letter $N$);
if $r \neq h$, compute $S = [r - h]d_A$, and then $(h, S)$ is the generated digital signature; if $r = h$, reselect $r$ and recompute $w$ and $h$ until $r \neq h$.
Given the digital signature $(h, S)$ of a message $M$, the validity of the signature is verified as follows (see the SM9 specification; note that the signature verification procedure in the SM9 specification uses the notation $M'$, $(h', S')$).
B1: check whether $h$ is in $[1, n-1]$; if not, verification fails;
B2: check whether $S$ belongs to $G_1$; if not, verification fails;
B3: compute the element $g = e(P_1, P_{pub})$ of group $G_T$;
B4: compute the element $t = g^{h}$ of group $G_T$;
B5: compute the integer $h_1 = H_1(ID_A \| hid, n)$ (here $ID_A$ is the identity of the user, $hid$ is the signature private key generating function identifier expressed in one byte, and $H_1()$ is a hash function defined in the SM9 specification);
B6: compute the element $P = [h_1]P_2 + P_{pub}$ of group $G_2$;
B7: compute the element $u = e(S, P)$ of group $G_T$;
B8: compute the element $w' = u \cdot t$ of group $G_T$;
B9: compute the integer $h_2 = H_2(M \| w', n)$ and test whether $h_2 = h$; if so, verification passes; otherwise verification fails ($H_2()$ is a hash function defined in the SM9 specification).
The signature verification process requires the pairing operation $u = e(S, P)$. The pairing operation is complex and needs a computing device with sufficient computing power and resources to complete it within an acceptable time; some resource-limited devices, such as wireless sensors and the various small computing devices of the Internet of Things (smart meters, field controllers and the like), can hardly complete the complex pairing operation at all, or cannot complete it within an acceptable time.
Disclosure of Invention
The invention aims to provide a solution to the problem that a resource-limited device lacks the computing power for pairing operations.
In order to achieve the above object, the technical solution of the present invention includes a pairing operation method and system for a resource-limited device.
The technical scheme of the invention relates to a bilinear map (pairing operation) $e: G_1 \times G_2 \to G_T$; groups $G_1$, $G_2$ are additive groups (usually groups of elliptic curve points) and group $G_T$ is a multiplicative group (typically a multiplicative group of integers); the order of $G_1$, $G_2$, $G_T$ is a prime number $n$; the generators of $G_1$, $G_2$ are $P_1$, $P_2$ respectively.
Based on the bilinear map $e$, define:
$e_1(V, T) = e(V, T)$, where $V$ is an element of group $G_1$ and $T$ is an element of group $G_2$;
$e_2(V, T) = e(T, V)$, where $V$ is an element of group $G_2$ and $T$ is an element of group $G_1$.
In the description of the technical solution below, unless otherwise specified, $a^{-1}$ denotes the modulo-$n$ multiplicative inverse of $a$ (i.e. $(a^{-1} a) \bmod n = 1$).
The pairing operation method for the resource-limited device of the invention relates to two parties: a first party, which is a resource-constrained device, and a second party, which is a non-resource-constrained device (a device with sufficient computing power, computing resources).
The pairing operation method for the resource-limited device comprises the following five schemes.
Scheme I,
The first party has integer secrets $c$, $k$ (constants, randomly selected) in $[1, n-1]$ and computes (in advance or in real time) $Q = [ck]P_j + [c]P_{pub,j}$ or $Q = [k]P_j + [c]P_{pub,j}$, where $[\cdot]$ denotes scalar multiplication (repeated point addition) of an element of $G_1$ or $G_2$, $j$ is 2 or 1, $P_{pub,j} = [s_j]P_j$ is the master public key in group $G_j$, and $s_j$ is the master key (master private key) of group $G_j$;
when the first party needs to compute $u = e_i(S, P)$, where $i = 3 - j$, $S$ is an element of group $G_i$, $P = [h_1]P_j + P_{pub,j}$, and $h_1$ is an integer in $[1, n-1]$, the first party and the second party compute the pairing $u = e_i(S, P)$ cooperatively as follows:
the first party sends $S$, $Q$ to the second party;
the second party computes $g_1 = e_i(S, P_j)$, $g_2 = e_i(S, Q)$, then sends $g_1$, $g_2$ to the first party;
the first party uses $g_1$, $g_2$ to compute the value of $u = e_i(S, P)$.
The ways in which the first party uses $g_1$, $g_2$ to compute the value of $u = e_i(S, P)$ include:
if $Q$ was computed as $Q = [ck]P_j + [c]P_{pub,j}$, compute $t = (h_1 - k) \bmod n$, $u = (g_1^{t})(g_2^{c^{-1}})$, or alternatively compute $t = (c(h_1 - k)) \bmod n$, $u = ((g_1^{t})\, g_2)^{c^{-1}}$;
if $Q$ was computed as $Q = [k]P_j + [c]P_{pub,j}$, compute $t = (h_1 - c^{-1}k) \bmod n$, $u = (g_1^{t})(g_2^{c^{-1}})$, or alternatively compute $t = (ch_1 - k) \bmod n$, $u = ((g_1^{t})\, g_2)^{c^{-1}}$.
In the above computation, $x^{y}$ denotes raising the element $x$ of $G_T$ to the power $y$, and $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$ (i.e. $(cc^{-1}) \bmod n = 1$).
Scheme II,
The first party has integer secrets $b$, $c$, $k$ (constants, randomly selected) in $[1, n-1]$ and computes (in advance or in real time) $Q_1 = [b]P_j$ and $Q_2 = [ck]P_j + [c]P_{pub,j}$ or $Q_2 = [k]P_j + [c]P_{pub,j}$, where $[\cdot]$ denotes scalar multiplication (repeated point addition) of an element of $G_1$ or $G_2$, $j$ is 2 or 1, $P_{pub,j} = [s_j]P_j$ is the master public key in group $G_j$, and $s_j$ is the master key (master private key) of group $G_j$; $b$ and $c$ need not be different;
(Note: the scheme still holds if $b$ is not secret; if $b$ is not secret, scheme II is identical to scheme I.)
when the first party needs to compute $u = e_i(S, P)$, where $i = 3 - j$, $S$ is an element of group $G_i$, $P = [h_1]P_j + P_{pub,j}$, and $h_1$ is an integer in $[1, n-1]$, the first party and the second party compute the pairing $u = e_i(S, P)$ cooperatively as follows:
the first party sends $S$, $Q_1$, $Q_2$ to the second party;
the second party computes $g_1 = e_i(S, Q_1)$, $g_2 = e_i(S, Q_2)$, then sends $g_1$, $g_2$ to the first party;
the first party uses $g_1$, $g_2$ to compute the value of $u = e_i(S, P)$.
The ways in which the first party uses $g_1$, $g_2$ to compute the value of $u = e_i(S, P)$ include:
if $Q_2$ was computed as $Q_2 = [ck]P_j + [c]P_{pub,j}$, compute $t = ((h_1 - k)b^{-1}) \bmod n$, $u = (g_1^{t})(g_2^{c^{-1}})$, or alternatively compute $t = (c(h_1 - k)b^{-1}) \bmod n$, $u = ((g_1^{t})\, g_2)^{c^{-1}}$;
if $Q_2$ was computed as $Q_2 = [k]P_j + [c]P_{pub,j}$, compute $t = ((h_1 - c^{-1}k)b^{-1}) \bmod n$, $u = (g_1^{t})(g_2^{c^{-1}})$, or alternatively compute $t = ((ch_1 - k)b^{-1}) \bmod n$, $u = ((g_1^{t})\, g_2)^{c^{-1}}$.
In the above computation, $x^{y}$ denotes exponentiation in $G_T$, $b^{-1}$ is the modulo-$n$ multiplicative inverse of $b$, and $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$.
Scheme III,
The first party has an integer secret $c$ (a constant, randomly selected) in $[1, n-1]$ and computes (in advance or in real time) $Q_1 = [c]P_j$, $Q_2 = [c]P_{pub,j}$, where $[\cdot]$ denotes scalar multiplication (repeated point addition) of an element of $G_1$ or $G_2$, $j$ is 2 or 1, $P_{pub,j} = [s_j]P_j$ is the master public key in group $G_j$, and $s_j$ is the master key (master private key) of group $G_j$;
when the first party needs to compute $u = e_i(S, P)$, where $i = 3 - j$, $S$ is an element of group $G_i$, $P = [h_1]P_j + P_{pub,j}$, and $h_1$ is an integer in $[1, n-1]$, the first party and the second party compute the pairing $u = e_i(S, P)$ cooperatively as follows:
the first party computes $Q = [h_1]Q_1 + Q_2$ and sends $S$, $Q$ to the second party;
the second party computes $u_1 = e_i(S, Q)$ and sends $u_1$ to the first party;
the first party computes $u = u_1^{c^{-1}}$, where $x^{y}$ denotes exponentiation in $G_T$ and $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$.
In scheme III above, the first party has to compute $[h_1]Q_1$ in real time, which may be difficult for some resource-constrained devices. For such devices, a cooperative computation scheme for the pairing $e_i(S, P)$ that spares the first party from computing $[h_1]Q_1$ in real time is as follows.
Scheme IV,
The first party has integer secrets $c$, $k$ (constants, randomly selected) in $[1, n-1]$ and computes (in advance or in real time) $Q_1 = [c]P_j$, $Q_k = [ck]P_j + [c]P_{pub,j}$, where $[\cdot]$ denotes scalar multiplication (repeated point addition) of an element of $G_1$ or $G_2$, $j$ is 2 or 1, $P_{pub,j} = [s_j]P_j$ is the master public key in group $G_j$, and $s_j$ is the master key (master private key) of group $G_j$;
before each pairing operation $e_i(S, P)$, the first party computes $Q_r = [r]Q_1$, where $r$ is a secret integer in $[1, n-1]$ that is different for each pairing operation $e_i(S, P)$ (how $r$ is selected and $Q_r$ is computed is outside the scope of the present invention);
when the first party needs to compute $u = e_i(S, P)$, where $i = 3 - j$, $S$ is an element of group $G_i$, $P = [h_1]P_j + P_{pub,j}$, and $h_1$ is an integer in $[1, n-1]$, the first party and the second party compute the pairing $u = e_i(S, P)$ cooperatively as follows:
the first party computes $b = (r^{-1}(h_1 - k)) \bmod n$, where $r^{-1}$ is the modulo-$n$ multiplicative inverse of $r$;
the first party sends $S$, $b$, $Q_r$, $Q_k$ to the second party;
the second party computes $u_1 = e_i(S, [b]Q_r + Q_k)$ and sends $u_1$ to the first party;
the first party computes $u = u_1^{c^{-1}}$, where $x^{y}$ denotes exponentiation in $G_T$ and $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$.
For the above pairing operation methods, if $h_1 = H_1(ID_A \| hid, n)$, the methods can be used for the computation of $u = e(S, P)$ in the verification of the SM9 digital signature $(h, S)$ of message $M$ (with $j = 2$, $i = 1$; if the SM9 decryption private key is used for signing, then correspondingly $j = 1$, $i = 2$).
When the above pairing schemes are used to verify the SM9 digital signature $(h, S)$ of message $M$, if $S$ in the digital signature $(h, S)$ is modified multiplicatively, i.e. $S$ is multiplied by an integer $p$, and the second party knows this modification and cheats accordingly, the first party cannot detect the modification (i.e. signature verification still passes). However, if the original $(h, S)$ is a digital signature of message $M$ and $M$ is not altered, this cheating by the second party does not change the fact that the modified $(h, S)$ is still a valid signature of message $M$, i.e. it can still be proved that $M$ is unmodified and that the (original) $S$ was generated with the identity private key.
The following is a scheme in which verification of the digital signature $(h, S)$ cannot pass once $S$ is modified.
Scheme V,
The first party has a secret element $P_z$ selected from group $G_i$, $i = 1$ or $2$, and computes (in advance or in real time) $g_{z1} = e_i(P_z, P_j)^{-1}$, $g_{z2} = e_i(P_z, P_{pub,j})^{-1}$, where $j = 3 - i$, $P_{pub,j} = [s_j]P_j$ is the master public key in group $G_j$, and $s_j$ is the master key (master private key) of group $G_j$;
when the first party needs to compute $u = e_i(S, P)$, where $i = 3 - j$, $S$ is an element of group $G_i$, $P = [h_1]P_j + P_{pub,j}$, and $h_1$ is an integer in $[1, n-1]$, the first party and the second party compute the pairing $u = e_i(S, P)$ cooperatively as follows:
the first party computes $S_1 = [c](S + P_z)$ or $S_1 = [c]S + P_z$, and $g_z = (g_{z1}^{h_1})\, g_{z2}$, where $c$ is an integer secret (constant, randomly selected) of the first party in $[1, n-1]$, or an integer randomly selected by the first party in $[1, n-1]$ when computing $S_1$, and $x^{y}$ denotes exponentiation in $G_T$;
the first party sends $h_1$, $S_1$ to the second party;
the second party computes $P = [h_1]P_j + P_{pub,j}$, $u_1 = e_i(S_1, P)$, then sends $u_1$ to the first party;
the first party uses $u_1$ to compute the value of $u = e_i(S, P)$.
The ways in which the first party uses $u_1$ to compute the value of $u = e_i(S, P)$ include:
if $S_1$ was computed as $S_1 = [c](S + P_z)$, compute $u = (u_1^{c^{-1}})\, g_z$;
if $S_1$ was computed as $S_1 = [c]S + P_z$, compute $u = (u_1 g_z)^{c^{-1}}$.
In the above computation, $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$.
The secret element $P_z$ selected from $G_i$ above is an element selected randomly from $G_i$ at initialization. One way to select an element $P_z$ of $G_i$ at random is: randomly select an integer $z$ in $[1, n-1]$ and compute $P_z = [z]P_i$, $g_{z1} = e_i(P_i, P_j)^{-z}$, $g_{z2} = e_i(P_i, P_{pub,j})^{-z}$.
For any of schemes I to V above, if verification fails in a practical signature-verification application and it must be determined whether the failure is caused by the second party being untrusted or unreliable or by the digital signature being invalid, then $u = e_i(S, P)$ may be computed with another scheme: a different one of the other four schemes, or a scheme for computing $e_i(S, P)$ other than these (whether or not it interacts with the second party). If the $u$ computed with the other scheme differs from the $u$ computed before, the second party is determined to be untrusted or unreliable; otherwise the signature verification failed because the digital signature is invalid.
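Toy run of scheme I and scheme V above and of the two-scheme cross-check in the preceding paragraph, as an added example that is not part of the patent: it replaces the SM9 pairing with a deliberately insecure toy bilinear map ($G_1 = G_2 = \mathbb{Z}_n$, $e(S, T) = g^{ST} \bmod p$) so the algebra of each scheme can be checked offline; the group parameters, master key and party secrets are constructed values with no relation to real SM9 parameters.

```python
# Toy bilinear map: G1 = G2 = Z_N (additive, generator 1), G_T = the order-N
# subgroup of Z_P_MOD^*, e(S, T) = G_T_GEN^(S*T) mod P_MOD.  It is bilinear,
# which is all the schemes rely on, and offers no cryptographic security.
N = 1019        # constructed: prime group order n
P_MOD = 2039    # constructed: prime with N | (P_MOD - 1)
G_T_GEN = 4     # constructed: generator of the order-N subgroup of Z_P_MOD^*


def e(s: int, t: int) -> int:
    """Toy pairing e: G1 x G2 -> G_T (both inputs are scalars mod N)."""
    return pow(G_T_GEN, (s * t) % N, P_MOD)


def scalar_mul(a: int, point: int) -> int:
    """[a]point in the additive toy group Z_N."""
    return (a * point) % N


# Shared parameters (constructed); j = 2, i = 1 as in SM9 signature verification.
P1 = 1                                   # generator of G1
P2 = 1                                   # generator of G2
S2 = 577                                 # master private key s_2 (constructed)
PPUB2 = scalar_mul(S2, P2)               # master public key P_pub,2 = [s_2]P_2


def direct_pairing(s_point: int, h1: int) -> int:
    """Reference value u = e(S, P), P = [h1]P_2 + P_pub,2, computed without help."""
    p_point = (scalar_mul(h1, P2) + PPUB2) % N
    return e(s_point, p_point)


# ---- Scheme I with Q = [ck]P_j + [c]P_pub,j and the first finishing formula ----
def scheme1_precompute(c: int, k: int) -> int:
    """First party (constrained device), offline: Q = [ck]P_2 + [c]P_pub,2."""
    return (scalar_mul(c * k, P2) + scalar_mul(c, PPUB2)) % N


def scheme1_helper(s_point: int, q_point: int) -> tuple:
    """Second party (unconstrained device): g1 = e(S, P_2), g2 = e(S, Q)."""
    return e(s_point, P2), e(s_point, q_point)


def scheme1_finish(g1: int, g2: int, c: int, k: int, h1: int) -> int:
    """First party: t = (h1 - k) mod n, u = g1^t * g2^(c^-1); G_T work only."""
    t = (h1 - k) % N
    c_inv = pow(c, -1, N)                 # modulo-n inverse of c
    return (pow(g1, t, P_MOD) * pow(g2, c_inv, P_MOD)) % P_MOD


def scheme1(s_point: int, h1: int, c: int, k: int) -> int:
    q_point = scheme1_precompute(c, k)
    g1, g2 = scheme1_helper(s_point, q_point)   # only S and Q leave the device
    return scheme1_finish(g1, g2, c, k, h1)


# ---- Scheme V with S_1 = [c](S + P_z), P_z = [z]P_1 chosen at initialization ----
def scheme5_precompute(z: int) -> tuple:
    """First party, offline: P_z = [z]P_1, g_z1 = e(P_1,P_2)^-z, g_z2 = e(P_1,P_pub,2)^-z."""
    p_z = scalar_mul(z, P1)
    g_z1 = pow(e(P1, P2), (-z) % N, P_MOD)
    g_z2 = pow(e(P1, PPUB2), (-z) % N, P_MOD)
    return p_z, g_z1, g_z2


def scheme5_helper(h1: int, s1_point: int) -> int:
    """Second party: P = [h1]P_2 + P_pub,2, u1 = e(S_1, P)."""
    p_point = (scalar_mul(h1, P2) + PPUB2) % N
    return e(s1_point, p_point)


def scheme5(s_point: int, h1: int, c: int, z: int) -> int:
    p_z, g_z1, g_z2 = scheme5_precompute(z)
    s1_point = scalar_mul(c, (s_point + p_z) % N)          # S_1 = [c](S + P_z)
    u1 = scheme5_helper(h1, s1_point)                       # only h1, S_1 leave the device
    g_z = (pow(g_z1, h1, P_MOD) * g_z2) % P_MOD             # g_z = g_z1^h1 * g_z2
    return (pow(u1, pow(c, -1, N), P_MOD) * g_z) % P_MOD    # u = (u1^(c^-1)) * g_z


def cross_check(u_first: int, u_second: int) -> bool:
    """The page's test: two schemes disagreeing marks the helper as untrusted."""
    return u_first == u_second


if __name__ == "__main__":
    ref = direct_pairing(314, 777)
    print("scheme I  ok:", scheme1(314, 777, c=29, k=53) == ref)
    print("scheme V  ok:", scheme5(314, 777, c=29, z=101) == ref)
```

Because the helper only ever sees $S$, $Q$ or $h_1$, $S_1$, a wrong $g_2$ or $u_1$ from it shifts the result by a non-trivial $G_T$ element, which is exactly what the cross-check between two schemes surfaces.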
On the basis of the pairing operation method (any one of the schemes) for the resource-limited device, a pairing operation system for the resource-limited device can be constructed. The system comprises a resource-limited device and a non-resource-limited device; the resource-limited device serves as the first party and the non-resource-limited device serves as the second party;
when the resource-constrained device (in verifying the digital signature $(h, S)$ of message $M$) needs to compute $u = e_i(S, P)$, where $i$ is 1 or 2, $S$ is an element of group $G_i$, $P = [h_1]P_j + P_{pub,j}$, $h_1$ is an integer in $[1, n-1]$, and $j = 3 - i$, the resource-restricted device and the non-resource-restricted device obtain the value of $u = e_i(S, P)$ by cooperative computation according to the pairing operation method for the resource-restricted device.
Based on the present invention, the first party (the resource-constrained device) does not need to perform pairing operations in real time; for schemes I and II it does not even need to perform operations on elements of elliptic curve point groups in real time, and for scheme IV, with the aid of the second party (the non-resource-constrained device), it can avoid performing scalar multiplication of elliptic curve point group elements in real time (though point addition operations remain). The present invention arose from the verification of SM9 digital signatures, but it is not limited to the verification of SM9 digital signatures.
Detailed Description
The following describes specific implementations of the present invention.
Example 1,
This embodiment involves a bilinear map (pairing operation) $e: G_1 \times G_2 \to G_T$; groups $G_1$, $G_2$ are additive groups (usually groups of elliptic curve points) and group $G_T$ is a multiplicative group (typically a multiplicative group of integers); the order of $G_1$, $G_2$, $G_T$ is a prime number $n$; the generators of $G_1$, $G_2$ are $P_1$, $P_2$ respectively.
This embodiment involves two parties: a first party and a second party, where the first party is a resource-constrained device and the second party is a non-resource-constrained device (a device with sufficient computing power and computing resources);
when the first party of this embodiment needs to compute the pairing $u = e(S, P)$, where $S$ is an element of group $G_1$, $P = [h_1]P_2 + P_{pub,2}$, $h_1$ is an integer in $[1, n-1]$, $P_{pub,2} = [s_2]P_2$ is the master public key in group $G_2$, and $s_2$ is the master key of group $G_2$, the first party and the second party complete the pairing $u = e(S, P)$ using scheme I of the pairing operation method for the resource-restricted device with $i = 1$ and $j = 2$.
Example 2,
This embodiment differs from embodiment 1 in that, when the first party of this embodiment needs to compute the pairing $u = e(P, S)$, where $S$ is an element of group $G_2$, $P = [h_1]P_1 + P_{pub,1}$, $h_1$ is an integer in $[1, n-1]$, $P_{pub,1} = [s_1]P_1$ is the master public key in group $G_1$, and $s_1$ is the master key of group $G_1$, the first party and the second party complete the pairing $u = e(P, S)$ using scheme I of the pairing operation method for the resource-restricted device with $i = 2$ and $j = 1$.
Example 3,
This embodiment differs from embodiment 1 in that, when the first party needs to compute the pairing $u = e(S, P)$, where $S$ is an element of group $G_1$, $P = [h_1]P_2 + P_{pub,2}$, $h_1$ is an integer in $[1, n-1]$, $P_{pub,2} = [s_2]P_2$ is the master public key in group $G_2$, and $s_2$ is the master key of group $G_2$, the first party and the second party complete the pairing $u = e(S, P)$ using scheme II of the pairing operation method for the resource-restricted device with $i = 1$ and $j = 2$.
Example 4,
This embodiment differs from embodiment 2 in that, when the first party of this embodiment needs to compute the pairing $u = e(P, S)$, where $S$ is an element of group $G_2$, $P = [h_1]P_1 + P_{pub,1}$, $h_1$ is an integer in $[1, n-1]$, $P_{pub,1} = [s_1]P_1$ is the master public key in group $G_1$, and $s_1$ is the master key of group $G_1$, the first party and the second party complete the pairing $u = e(P, S)$ using scheme II of the pairing operation method for the resource-restricted device with $i = 2$ and $j = 1$.
Example 5,
This embodiment differs from embodiment 1 in that, when the first party needs to compute the pairing $u = e(S, P)$, where $S$ is an element of group $G_1$, $P = [h_1]P_2 + P_{pub,2}$, $h_1$ is an integer in $[1, n-1]$, $P_{pub,2} = [s_2]P_2$ is the master public key in group $G_2$, and $s_2$ is the master key of group $G_2$, the first party and the second party complete the pairing $u = e(S, P)$ using scheme III of the pairing operation method for the resource-restricted device with $i = 1$ and $j = 2$.
Example 6,
This embodiment differs from embodiment 2 in that, when the first party of this embodiment needs to compute the pairing $u = e(P, S)$, where $S$ is an element of group $G_2$, $P = [h_1]P_1 + P_{pub,1}$, $h_1$ is an integer in $[1, n-1]$, $P_{pub,1} = [s_1]P_1$ is the master public key in group $G_1$, and $s_1$ is the master key of group $G_1$, the first party and the second party complete the pairing $u = e(P, S)$ using scheme III of the pairing operation method for the resource-restricted device with $i = 2$ and $j = 1$.
Example 7,
This embodiment differs from embodiment 1 in that, when the first party needs to compute the pairing $u = e(S, P)$, where $S$ is an element of group $G_1$, $P = [h_1]P_2 + P_{pub,2}$, $h_1$ is an integer in $[1, n-1]$, $P_{pub,2} = [s_2]P_2$ is the master public key in group $G_2$, and $s_2$ is the master key of group $G_2$, the first party and the second party complete the pairing $u = e(S, P)$ using scheme IV of the pairing operation method for the resource-restricted device with $i = 1$ and $j = 2$.
Example 8,
This embodiment differs from embodiment 2 in that, when the first party of this embodiment needs to compute the pairing $u = e(P, S)$, where $S$ is an element of group $G_2$, $P = [h_1]P_1 + P_{pub,1}$, $h_1$ is an integer in $[1, n-1]$, $P_{pub,1} = [s_1]P_1$ is the master public key in group $G_1$, and $s_1$ is the master key of group $G_1$, the first party and the second party complete the pairing $u = e(P, S)$ using scheme IV of the pairing operation method for the resource-restricted device with $i = 2$ and $j = 1$.
Example 9,
This embodiment differs from embodiment 1 in that, when the first party needs to compute the pairing $u = e(S, P)$, where $S$ is an element of group $G_1$, $P = [h_1]P_2 + P_{pub,2}$, $h_1$ is an integer in $[1, n-1]$, $P_{pub,2} = [s_2]P_2$ is the master public key in group $G_2$, and $s_2$ is the master key of group $G_2$, the first party and the second party complete the pairing $u = e(S, P)$ using scheme V of the pairing operation method for the resource-restricted device with $i = 1$ and $j = 2$.
Example 10,
This embodiment differs from embodiment 2 in that, when the first party of this embodiment needs to compute the pairing $u = e(P, S)$, where $S$ is an element of group $G_2$, $P = [h_1]P_1 + P_{pub,1}$, $h_1$ is an integer in $[1, n-1]$, $P_{pub,1} = [s_1]P_1$ is the master public key in group $G_1$, and $s_1$ is the master key of group $G_1$, the first party and the second party complete the pairing $u = e(P, S)$ using scheme V of the pairing operation method for the resource-restricted device with $i = 2$ and $j = 1$.
Embodiments 1, 3, 5, 7 and 9 above can be used for the computation of $e(S, P)$ in the verification of the SM9 digital signature $(h, S)$, with $h_1 = H_1(ID_A \| hid, n)$; if the SM9 encryption private key is used as the signing private key, embodiments 2, 4, 6, 8 and 10 compute $e(P, S)$ in the verification of the digital signature $(h, S)$, again with $h_1 = H_1(ID_A \| hid, n)$. The invention and its embodiments are not limited to the SM9 cryptographic algorithm.
The resource-restricted device as the first party and the non-resource-restricted device as the second party in the above embodiments constitute a collaborative computing system for performing pairing operations e (S, P) or e (P, S) for the resource-restricted device.
Other specific technical implementations not described are well known to those skilled in the relevant art and will be apparent to those skilled in the relevant art.

Claims (10)

1. A pairing operation method for a resource-limited device, characterized by comprising the following:
the method involves a bilinear map $e: G_1 \times G_2 \to G_T$; groups $G_1$, $G_2$ are additive groups and group $G_T$ is a multiplicative group; the order of $G_1$, $G_2$, $G_T$ is a prime number $n$; the generators of $G_1$, $G_2$ are $P_1$, $P_2$ respectively;
based on the bilinear map $e$, define:
$e_1(V, T) = e(V, T)$, where $V$ is an element of group $G_1$ and $T$ is an element of group $G_2$;
$e_2(V, T) = e(T, V)$, where $V$ is an element of group $G_2$ and $T$ is an element of group $G_1$;
the method involves two parties: a first party and a second party, where the first party is a resource-constrained device and the second party is a non-resource-constrained device;
the first party has integer secrets $c$, $k$ in $[1, n-1]$ and computes $Q = [ck]P_j + [c]P_{pub,j}$ or $Q = [k]P_j + [c]P_{pub,j}$, where $[\cdot]$ denotes scalar multiplication (repeated point addition) of an element of $G_1$ or $G_2$, $j$ is 2 or 1, $P_{pub,j} = [s_j]P_j$ is the master public key in group $G_j$, and $s_j$ is the master key of group $G_j$;
when the first party needs to compute $u = e_i(S, P)$, where $i = 3 - j$, $S$ is an element of group $G_i$, $P = [h_1]P_j + P_{pub,j}$, and $h_1$ is an integer in $[1, n-1]$, the first party and the second party compute the pairing $u = e_i(S, P)$ cooperatively as follows:
the first party sends $S$, $Q$ to the second party;
the second party computes $g_1 = e_i(S, P_j)$, $g_2 = e_i(S, Q)$, then sends $g_1$, $g_2$ to the first party;
the first party uses $g_1$, $g_2$ to compute the value of $u = e_i(S, P)$;
the ways in which the first party uses $g_1$, $g_2$ to compute the value of $u = e_i(S, P)$ include:
if $Q$ was computed as $Q = [ck]P_j + [c]P_{pub,j}$, compute $t = (h_1 - k) \bmod n$, $u = (g_1^{t})(g_2^{c^{-1}})$, or alternatively compute $t = (c(h_1 - k)) \bmod n$, $u = ((g_1^{t})\, g_2)^{c^{-1}}$;
if $Q$ was computed as $Q = [k]P_j + [c]P_{pub,j}$, compute $t = (h_1 - c^{-1}k) \bmod n$, $u = (g_1^{t})(g_2^{c^{-1}})$, or alternatively compute $t = (ch_1 - k) \bmod n$, $u = ((g_1^{t})\, g_2)^{c^{-1}}$;
in the above computation, $x^{y}$ denotes exponentiation in $G_T$ and $c^{-1}$ is the modulo-$n$ multiplicative inverse of $c$.
2. A pairing operation system for a resource-restricted device based on the pairing operation method for a resource-restricted device of claim 1, characterized in that:
the pairing operation system comprises a resource-limited device and a non-resource-limited device; when the resource-limited device needs to perform the pairing operation $u = e_i(S, P)$, the resource-limited device acts as the first party and the non-resource-limited device acts as the second party, and the pairing operation $u = e_i(S, P)$ is computed according to the pairing operation method for the resource-limited device.
3. A pairing operation method for a resource-limited device, characterized by comprising the following:
the method involves a bilinear map $e: G_1 \times G_2 \to G_T$; groups $G_1, G_2$ are additive groups and group $G_T$ is a multiplicative group; the order of groups $G_1, G_2, G_T$ is a prime $n$; the generators of groups $G_1, G_2$ are $P_1, P_2$ respectively;
based on the bilinear map $e$, define:
$e_1(V, T) = e(V, T)$, where $V$ is an element of group $G_1$ and $T$ is an element of group $G_2$;
$e_2(V, T) = e(T, V)$, where $V$ is an element of group $G_2$ and $T$ is an element of group $G_1$;
the method involves two parties: a first party and a second party, wherein the first party is a resource-constrained device and the second party is a non-resource-constrained device;
the first party holds secret integers $b, c, k \in [1, n-1]$ and computes $Q_1 = [b]P_j$ and $Q_2 = [ck]P_j + [c]P_{pubj}$ or $Q_2 = [k]P_j + [c]P_{pubj}$, where $[\cdot]$ denotes scalar multiplication (repeated point addition) of an element of group $G_1$ or $G_2$, $j$ is 2 or 1, $P_{pubj} = [s_j]P_j$ is the master public key in group $G_j$, and $s_j$ is the master key of group $G_j$; $b$ and $c$ need not be different;
when the first party needs to compute $u = e_i(S, P)$, where $i = 3 - j$, $S$ is an element of group $G_i$, $P = [h_1]P_j + P_{pubj}$ and $h_1$ is an integer in $[1, n-1]$, the first party and the second party carry out the collaborative computation of the pairing $u = e_i(S, P)$ as follows:
the first party sends $S$, $Q_1$ and $Q_2$ to the second party;
the second party computes $g_1 = e_i(S, Q_1)$ and $g_2 = e_i(S, Q_2)$, then sends $g_1, g_2$ to the first party;
the first party uses $g_1, g_2$ to compute the value of $u = e_i(S, P)$;
the ways in which the first party uses $g_1, g_2$ to compute the value of $u = e_i(S, P)$ include:
if $Q_2$ was computed as $Q_2 = [ck]P_j + [c]P_{pubj}$, then compute $t = ((h_1 - k)b^{-1}) \bmod n$, $u = (g_1^{\,t})(g_2^{\,c^{-1}})$; or, alternatively, compute $t = (c(h_1 - k)b^{-1}) \bmod n$, $u = ((g_1^{\,t})\,g_2)^{c^{-1}}$;
if $Q_2$ was computed as $Q_2 = [k]P_j + [c]P_{pubj}$, then compute $t = ((h_1 - c^{-1}k)b^{-1}) \bmod n$, $u = (g_1^{\,t})(g_2^{\,c^{-1}})$; or, alternatively, compute $t = ((ch_1 - k)b^{-1}) \bmod n$, $u = ((g_1^{\,t})\,g_2)^{c^{-1}}$;
in the above calculations, $x^{y}$ denotes exponentiation in $G_T$, $b^{-1}$ is the multiplicative inverse of $b$ modulo $n$, and $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$.
4. A pairing operation system for a resource-limited device based on the pairing operation method for a resource-limited device of claim 3, characterized in that:
the pairing operation system comprises a resource-limited device and a non-resource-limited device; when the resource-limited device needs to perform the pairing operation $u = e_i(S, P)$, the resource-limited device acts as the first party and the non-resource-limited device as the second party, and the pairing operation $u = e_i(S, P)$ is computed according to the pairing operation method for a resource-limited device.
5. A pairing operation method for a resource-limited device, characterized in that:
the method involves a bilinear map $e: G_1 \times G_2 \to G_T$; groups $G_1, G_2$ are additive groups and group $G_T$ is a multiplicative group; the order of groups $G_1, G_2, G_T$ is a prime $n$; the generators of groups $G_1, G_2$ are $P_1, P_2$ respectively;
based on the bilinear map $e$, define:
$e_1(V, T) = e(V, T)$, where $V$ is an element of group $G_1$ and $T$ is an element of group $G_2$;
$e_2(V, T) = e(T, V)$, where $V$ is an element of group $G_2$ and $T$ is an element of group $G_1$;
the method involves two parties: a first party and a second party, wherein the first party is a resource-constrained device and the second party is a non-resource-constrained device;
the first party holds a secret integer $c \in [1, n-1]$ and computes $Q_1 = [c]P_j$ and $Q_2 = [c]P_{pubj}$, where $[\cdot]$ denotes scalar multiplication (repeated point addition) of an element of group $G_1$ or $G_2$, $j$ is 2 or 1, $P_{pubj} = [s_j]P_j$ is the master public key in group $G_j$, and $s_j$ is the master key of group $G_j$;
when the first party needs to compute $u = e_i(S, P)$, where $i = 3 - j$, $S$ is an element of group $G_i$, $P = [h_1]P_j + P_{pubj}$ and $h_1$ is an integer in $[1, n-1]$, the first party and the second party carry out the collaborative computation of the pairing $u = e_i(S, P)$ as follows:
the first party computes $Q = [h_1]Q_1 + Q_2$ and sends $S$ and $Q$ to the second party;
the second party computes $u_1 = e_i(S, Q)$ and sends $u_1$ to the first party;
the first party computes $u = u_1^{\,c^{-1}}$, where the superscript denotes exponentiation in $G_T$ and $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$.
6. A pairing operation system for a resource-limited device based on the pairing operation method for a resource-limited device of claim 5, characterized in that:
the pairing operation system comprises a resource-limited device and a non-resource-limited device; when the resource-limited device needs to perform the pairing operation $u = e_i(S, P)$, the resource-limited device acts as the first party and the non-resource-limited device as the second party, and the pairing operation $u = e_i(S, P)$ is computed according to the pairing operation method for a resource-limited device.
7. A pairing operation method for a resource-limited device, characterized by comprising the following:
the method involves a bilinear map $e: G_1 \times G_2 \to G_T$; groups $G_1, G_2$ are additive groups and group $G_T$ is a multiplicative group; the order of groups $G_1, G_2, G_T$ is a prime $n$; the generators of groups $G_1, G_2$ are $P_1, P_2$ respectively;
based on the bilinear map $e$, define:
$e_1(V, T) = e(V, T)$, where $V$ is an element of group $G_1$ and $T$ is an element of group $G_2$;
$e_2(V, T) = e(T, V)$, where $V$ is an element of group $G_2$ and $T$ is an element of group $G_1$;
the method involves two parties: a first party and a second party, wherein the first party is a resource-constrained device and the second party is a non-resource-constrained device;
the first party holds secret integers $c, k \in [1, n-1]$ and computes $Q_1 = [c]P_j$ and $Q_k = [ck]P_j + [c]P_{pubj}$, where $[\cdot]$ denotes scalar multiplication (repeated point addition) of an element of group $G_1$ or $G_2$, $j$ is 2 or 1, $P_{pubj} = [s_j]P_j$ is the master public key in group $G_j$, and $s_j$ is the master key of group $G_j$;
before each pairing operation $e_i(S, P)$, the first party computes $Q_r = [r]Q_1$, where $r$ is a secret integer in $[1, n-1]$ and $r$ is different for each pairing operation $e_i(S, P)$;
when the first party needs to compute $u = e_i(S, P)$, where $i = 3 - j$, $S$ is an element of group $G_i$, $P = [h_1]P_j + P_{pubj}$ and $h_1$ is an integer in $[1, n-1]$, the first party and the second party carry out the collaborative computation of the pairing $u = e_i(S, P)$ as follows:
the first party computes $b = (r^{-1}(h_1 - k)) \bmod n$, where $r^{-1}$ is the multiplicative inverse of $r$ modulo $n$;
the first party sends $S$, $b$, $Q_r$ and $Q_k$ to the second party;
the second party computes $u_1 = e_i(S, [b]Q_r + Q_k)$ and sends $u_1$ to the first party;
the first party computes $u = u_1^{\,c^{-1}}$, where the superscript denotes exponentiation in $G_T$ and $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$.
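The claim-7 exchange, as an added example that is not part of the patent, on the same constructed toy bilinear map $e(V, T) = g^{VT} \bmod p$ over $\mathbb{Z}_n$ ($n = 101$, $p = 607$; bilinear but with no cryptographic security); the class names, the sample values $s_j = 37$, $S = 58$, $h_1 = 91$ and the `check` function are assumptions of this example.

```python
# Added example: claim-7 collaborative pairing on a constructed toy bilinear
# map (NOT secure, elements are bare exponents; Pj = 1 so [x]Pj is x mod n).
import secrets

n, p = 101, 607              # prime order n, prime p with n | p - 1
g = pow(2, 6, p)             # generator of the order-n subgroup of Z_p^*

def e(v, t):                 # toy bilinear map e(V, T) = g^(V*T) mod p
    return pow(g, (v * t) % n, p)

class Helper:
    """Second party: receives S, b, Qr, Qk and never sees h1, k, c or r."""
    def pair(self, s, b, qr, qk):
        return e(s, (b * qr + qk) % n)          # u1 = e(S, [b]Qr + Qk)

class Device:
    """First party with long-term secrets c, k and a fresh r per pairing."""
    def __init__(self, ppub):
        self.c = secrets.randbelow(n - 1) + 1
        self.k = secrets.randbelow(n - 1) + 1
        self.q1 = self.c % n                            # Q1 = [c]Pj
        self.qk = (self.c * self.k + self.c * ppub) % n # Qk = [ck]Pj + [c]Ppubj

    def blind(self, h1):
        """Per-operation values: Qr = [r]Q1 and b = r^-1 (h1 - k) mod n."""
        r = secrets.randbelow(n - 1) + 1                # fresh secret per pairing
        qr = (r * self.q1) % n
        b = (pow(r, -1, n) * (h1 - self.k)) % n
        return b, qr

    def pairing(self, helper, s, h1):
        b, qr = self.blind(h1)
        u1 = helper.pair(s, b, qr, self.qk)
        return pow(u1, pow(self.c, -1, n), p)           # u = u1^(c^-1)

def check():
    """True iff the result equals the direct e(S, [h1]Pj + Ppubj)."""
    ppub, s, h1 = 37 % n, 58, 91       # constructed sj = 37, S, h1
    dev = Device(ppub)
    return dev.pairing(Helper(), s, h1) == e(s, (h1 + ppub) % n)
```

Because $r$ is fresh for every operation, the scalar $b$ the helper receives is re-randomized each time, so repeated requests with the same $h_1$ do not hand the helper a fixed value tied to $h_1$ and $k$.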
8. A pairing operation system for a resource-limited device based on the pairing operation method for a resource-limited device of claim 7, characterized in that:
the pairing operation system comprises a resource-limited device and a non-resource-limited device; when the resource-limited device needs to perform the pairing operation $u = e_i(S, P)$, the resource-limited device acts as the first party and the non-resource-limited device as the second party, and the pairing operation $u = e_i(S, P)$ is computed according to the pairing operation method for a resource-limited device.
9. A pairing operation method for a resource-limited device, characterized by comprising the following:
the method involves a bilinear map $e: G_1 \times G_2 \to G_T$; groups $G_1, G_2$ are additive groups and group $G_T$ is a multiplicative group; the order of groups $G_1, G_2, G_T$ is a prime $n$; the generators of groups $G_1, G_2$ are $P_1, P_2$ respectively;
based on the bilinear map $e$, define:
$e_1(V, T) = e(V, T)$, where $V$ is an element of group $G_1$ and $T$ is an element of group $G_2$;
$e_2(V, T) = e(T, V)$, where $V$ is an element of group $G_2$ and $T$ is an element of group $G_1$;
the method involves two parties: a first party and a second party, wherein the first party is a resource-constrained device and the second party is a non-resource-constrained device;
the first party holds a secret element $P_z$ selected from group $G_i$, where $i$ is 1 or 2, and computes $g_{z1} = e_i(P_z, P_j)^{-1}$ and $g_{z2} = e_i(P_z, P_{pubj})^{-1}$, where $j = 3 - i$, $P_{pubj} = [s_j]P_j$ is the master public key in group $G_j$, and $s_j$ is the master key of group $G_j$;
when the first party needs to compute $u = e_i(S, P)$, where $i = 3 - j$, $S$ is an element of group $G_i$, $P = [h_1]P_j + P_{pubj}$ and $h_1$ is an integer in $[1, n-1]$, the first party and the second party carry out the collaborative computation of the pairing $u = e_i(S, P)$ as follows:
the first party computes $S_1 = [c](S + P_z)$ or $S_1 = [c]S + P_z$, and $g_z = (g_{z1}^{\,h_1})\,g_{z2}$, where $c$ is a secret integer of the first party in $[1, n-1]$, or an integer randomly selected by the first party in $[1, n-1]$ when computing $S_1$, and the superscript denotes exponentiation in $G_T$;
the first party sends $h_1$ and $S_1$ to the second party;
the second party computes $P = [h_1]P_j + P_{pubj}$ and $u_1 = e_i(S_1, P)$, then sends $u_1$ to the first party;
the first party uses $u_1$ to compute the value of $u = e_i(S, P)$;
the ways in which the first party uses $u_1$ to compute the value of $u = e_i(S, P)$ include:
if $S_1$ was computed with the formula $S_1 = [c](S + P_z)$, then compute $u = (u_1^{\,c^{-1}})\,g_z$;
if $S_1$ was computed with the formula $S_1 = [c]S + P_z$, then compute $u = (u_1 g_z)^{c^{-1}}$;
in the above calculations, $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$;
the secret element $P_z$ selected from $G_i$ is an element randomly selected from group $G_i$ at initialization; randomly selecting an element $P_z$ from $G_i$ comprises: randomly selecting an integer $z$ in $[1, n-1]$ and computing $P_z = [z]P_i$, $g_{z1} = e_i(P_i, P_j)^{-z}$, $g_{z2} = e_i(P_i, P_{pubj})^{-z}$.
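The claim-9 variant, which blinds $S$ with the secret element $P_z$ rather than blinding $P$, as an added example that is not part of the patent, on the same constructed toy bilinear map $e(V, T) = g^{VT} \bmod p$ over $\mathbb{Z}_n$ ($n = 101$, $p = 607$, $P_i = P_j = 1$; bilinear but with no cryptographic security); the class names, the sample values $s_j = 37$, $S = 58$, $h_1 = 91$ and the `check` function are assumptions of this example.

```python
# Added example: claim-9 collaborative pairing on a constructed toy bilinear
# map (NOT secure). The device blinds S with a secret element Pz = [z]Pi and
# removes e(Pz, P) with gz; the helper recomputes P from h1. Pi = Pj = 1.
import secrets

n, p = 101, 607
g = pow(2, 6, p)

def e(v, t):                 # toy bilinear map e(V, T) = g^(V*T) mod p
    return pow(g, (v * t) % n, p)
def inv(x):
    return pow(x, -1, n)

class Helper:
    """Second party: receives h1 and S1 only."""
    def pair(self, h1, s1, ppub):
        pp = (h1 + ppub) % n                    # P = [h1]Pj + Ppubj
        return e(s1, pp)                        # u1 = e(S1, P)

class Device:
    """First party; Pz is fixed at initialization, c is fresh per pairing."""
    def __init__(self, ppub, form):
        self.ppub, self.form = ppub, form
        z = secrets.randbelow(n - 1) + 1
        self.pz = z % n                         # Pz = [z]Pi
        self.gz1 = pow(e(1, 1), (-z) % n, p)    # gz1 = e(Pi, Pj)^(-z)
        self.gz2 = pow(e(1, ppub), (-z) % n, p) # gz2 = e(Pi, Ppubj)^(-z)

    def pairing(self, helper, s, h1):
        c = secrets.randbelow(n - 1) + 1        # randomly chosen when computing S1
        if self.form == "A":
            s1 = (c * (s + self.pz)) % n        # S1 = [c](S + Pz)
        else:
            s1 = (c * s + self.pz) % n          # S1 = [c]S + Pz
        gz = pow(self.gz1, h1, p) * self.gz2 % p  # gz = gz1^h1 * gz2 = e(Pz, P)^-1
        u1 = helper.pair(h1, s1, self.ppub)
        if self.form == "A":
            return pow(u1, inv(c), p) * gz % p  # u = (u1^(c^-1)) gz
        return pow(u1 * gz % p, inv(c), p)      # u = (u1 gz)^(c^-1)

def check(form):
    """True iff the result equals the direct e(S, [h1]Pj + Ppubj)."""
    ppub, s, h1 = 37 % n, 58, 91                # constructed sj = 37, S, h1
    return Device(ppub, form).pairing(Helper(), s, h1) == e(s, (h1 + ppub) % n)
```

Unlike claims 1 to 7, the helper here learns $h_1$ and can form $P$ itself; what it never sees is $S$, which is hidden behind the one-time $c$ and the long-term $P_z$.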
10. A pairing operation system for a resource-limited device based on the pairing operation method for a resource-limited device of claim 9, characterized in that:
the pairing operation system comprises a resource-limited device and a non-resource-limited device; when the resource-limited device needs to perform the pairing operation $u = e_i(S, P)$, the resource-limited device acts as the first party and the non-resource-limited device as the second party, and the pairing operation $u = e_i(S, P)$ is computed according to the pairing operation method for a resource-limited device.
CN202110349795.7A 2021-03-31 2021-03-31 Pairing operation method and system for resource-limited device Active CN113014399B (en)

Publications (2)

Publication Number Publication Date
CN113014399A (en) 2021-06-22
CN113014399B (en) 2022-06-03

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018044146A1 (en) * 2016-09-05 2018-03-08 Lg Electronics Inc. Lightweight and escrow-less authenticated key agreement for the internet of things
CN108055134B (en) * 2017-12-12 2020-08-25 武汉理工大学 Collaborative computing method and system for elliptic curve point multiplication and pairing operation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant