CN114978549A - SM2 digital signature generation method and system for signer to control signature making data - Google Patents


Info

Publication number: CN114978549A
Authority: CN (China)
Prior art keywords: signature, public key, key, encrypted, authentication information
Legal status: Granted
Application number: CN202210577362.1A
Other languages: Chinese (zh)
Other versions: CN114978549B (en)
Inventor: 龙毅宏
Current assignee: Itruschina Co ltd
Original assignee: Wuhan University of Technology WUT
Application filed by Wuhan University of Technology WUT
Priority to CN202210577362.1A
Publication of CN114978549A
Application granted
Publication of CN114978549B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 ... involving digital signatures
    • H04L9/3252 ... using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption

Abstract

The invention relates to an SM2 digital signature generation method, which comprises the following steps: the signature device has P_A = [d_A]G and the secret c_A = E((1+d_A)^-1), where d_A is the SM2 signing private key, E(·) is the encryption operation of a homomorphic encryption algorithm, and a signature assistance system has the private key for the decryption operation; when signing a message M, the signing device and the signature assistance system randomly select integers k_1, k_2 in [1, n-1] and calculate Q = [b_1 k_1 + b_2 k_2]G or Q = [b k_1 k_2]G, where each of b_1, b_2, b is 1 or 1+d_A and n is the order of the base point G; r = (e + x_1) mod n is calculated using the message M and Q; s = ((k_1 b_1 + k_2 b_2 + r)(1+d_A)^-1 - r) mod n or s = ((b k_1 k_2 + r)(1+d_A)^-1 - r) mod n is obtained by calculation using the homomorphic encryption operation; then (r, s) is the generated digital signature.

Description

SM2 digital signature generation method and system for signer to control signature making data
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an SM2 digital signature generation method and system for controlling signature making data by a signer.
Background
SM2 is a class of elliptic curve public key cryptographic algorithms established and promulgated by the national cryptography administration, and is now a national standard (see GB/T 32918.2-2016, Information security technology: SM2 elliptic curve public key cryptographic algorithm, Part 2: Digital signature algorithm). Digital signature, key exchange and data encryption can all be realized on the basis of this algorithm; the digital signature is briefly described as follows:
When the user's SM2 private key d_A is used to digitally sign a message M, r and s need to be calculated: r = (e + x_1) mod n, where n is the order of the base point G of the SM2 elliptic curve point group, e is the hash value derived from the user identity and the message M (according to the SM2 algorithm, e is the hash value of the data formed by merging the hash value Z_A, itself derived from the user identity ID_A and other parameters, with the message M; see the SM2 specification), and x_1 is taken from (x_1, y_1) = Q = [k]G, where G is the base point of the SM2 elliptic curve point group; s = ((1+d_A)^-1 k - r(1+d_A)^-1 d_A) mod n, where k is an integer randomly selected in the interval [1, n-1]; then (r, s) is the digital signature for the message M (note that the notation used for mod n in the SM2 specification is modn).
The security of a user's private signing key is of utmost importance in digital signatures, and therefore, for security reasons, the private key should usually be generated, stored and used in specialized cryptographic hardware. However, for various reasons, it is often necessary or common to implement the SM2 digital signature algorithm purely in software, where the user's private key is not generated, stored and used in dedicated cryptographic hardware but is stored in the permanent storage medium of a personal computing device (e.g., a personal computer or mobile phone) and is generated and used in the memory of that device, so there is a risk of the private key being stolen or cracked. Aiming at this risk of theft and cracking of the signing private key in pure-software implementations of the SM2 digital signature algorithm, a series of SM2 digital signature collaborative generation methods based on secret sharing has been proposed, in which the user's SM2 signing private key, or the secret of the signing private key, is divided into two or more shares, namely secret shares, which are respectively stored and used in two or more computing devices: one secret share is stored and used in the user's computing device, and the other secret share or shares are stored and used in computing devices with a high security protection level (such as a cryptographic server); when a message M needs to be digitally signed using the user's SM2 private key, the two or more computing devices obtain the digital signature for M using their respective secret shares through secure collaborative computation, that is, no device's secret share can be leaked or cracked during the computation.
The Electronic Signature Law of the People's Republic of China requires that electronic signature creation data be controlled solely by the signer when an electronic signature is generated. When the private key, or the secret of the private key, is divided into several parts that are stored by several computing devices and used when the digital signature is generated, this requirement is not fully met, because entities other than the user hold part of the secret of the user's private key, namely part of the signature creation data, so the signature creation data is not solely controlled by the signer when the digital signature is generated. Therefore, for SM2 digital signatures implemented in a non-hardware manner (such as pure software), the problem to be solved is how to ensure that the signature creation data is controlled solely by the signer when the digital signature is generated, to ensure the security of the signature generation process, and to prevent the user's signing private key from being leaked or cracked.
Disclosure of Invention
The invention aims to solve the problem of implementing the SM2 digital signature algorithm on the user side in an environment without cryptographic hardware, and provides a secure SM2 digital signature generation scheme in which the signature creation data is effectively controlled by the signer, so as to overcome the defects of the prior art.
To this end, the technical scheme provided by the invention comprises an SM2 digital signature generation method in which the signer controls the signature creation data, and a corresponding system.
In the following description of the present invention, when P, Q are elements (points) of an elliptic curve point group, P + Q represents the point addition of P and Q, and P - Q represents P plus the additive inverse of Q; [k]P represents the sum of k elliptic curve points P, i.e. P + P + ... + P (k copies of P; if k is negative, [k]P is the additive inverse of the result of the point addition of |k| copies of P); the ellipsis "..." represents a plurality of identical (types of) data items or a plurality of identical operations; c^-1 represents the modulo n inverse of the integer c (i.e., (c c^-1) mod n = 1); unless otherwise specified, the multiplicative inverse in this patent application is the modulo n multiplicative inverse for the order n of the SM2 elliptic curve point group (i.e., the order n of the base point G); in the multiplication of integers (including the multiplication of integer symbolic parameters or variables, and of constants with integer symbolic parameters or variables) the multiplication sign "·" is omitted where no ambiguity arises, e.g. k_1·k_2 is simplified to k_1 k_2 and 3·c to 3c; mod n denotes the modulo n operation, corresponding to modn in GB/T 32918.2-2016, Information security technology: SM2 elliptic curve public key cryptographic algorithm, Part 2: Digital signature algorithm; also, the operator mod n of the modulo n operation has the lowest priority, e.g., a + b mod n equals (a + b) mod n, a - b mod n equals (a - b) mod n, and ab mod n equals (ab) mod n.
In an embodiment of the invention, the calculation s = ((1+d_A)^-1 k - r(1+d_A)^-1 d_A) mod n is converted into the calculation s = ((1+d_A)^-1 (k + r) - r) mod n.
The SM2 digital signature generation method of the present invention, in which the signer controls the signature creation data, is specifically as follows.
The signature device has P_A = [d_A]G and the secret c_A = E((1+d_A)^-1), where d_A is the user's SM2 signing private key, G is the base point of the SM2 elliptic curve point group, P_A is the public key corresponding to the user's SM2 signing private key d_A, (1+d_A)^-1 is the modulo n multiplicative inverse of (1+d_A) (i.e., ((1+d_A)(1+d_A)^-1) mod n = 1), n is the order of the base point G (i.e., the order of the SM2 elliptic curve point group) and is a prime number, and E(·) is the encryption operation of a homomorphic encryption algorithm;
The signing device is the computing device of the signer, namely the owner of the SM2 signing private key d_A; the homomorphic encryption algorithm is an additively homomorphic encryption algorithm or a fully homomorphic encryption algorithm; the signature assistance system has the private key of the decryption operation (the private key of the homomorphic encryption algorithm) corresponding to the public key used in the encryption operation E(·) of the homomorphic encryption algorithm, or that private key is encrypted with a key of the signature assistance system, where the key of the signature assistance system is a secret key or a public key (the public key being a public key of a common public key cryptographic algorithm such as RSA or SM2, or a group public key of a group cryptographic algorithm); the signature assistance system is a computing device or system that assists the signature device in completing digital signature generation;
If the private key of the decryption operation corresponding to the public key used in the encryption operation E(·) of the homomorphic encryption algorithm is encrypted with a key of the signature assistance system, the signature device also holds the ciphertext d_E of that private key (symmetric or public key encrypted with the key of the signature assistance system; d_E is not a secret for the signature assistance system, but may be a secret for computing devices or systems other than the signature assistance system);
When a message M needs to be digitally signed using the user's SM2 private key d_A, the signing device and the signature assistance system generate the digital signature for the message M as follows (the subject needing the message M to be digitally signed with the user's SM2 private key d_A may be an application or system, inside or outside the signing device, that invokes the cryptographic functions of the signing device):
The signature device computes, using the message M, the hash value e used in calculating r = (e + x_1) mod n (according to the SM2 algorithm, e is the hash value of the data formed by merging the hash value Z_A, derived from the user identity ID_A and other parameters, with the message M; see the SM2 specification);
The signature device sends e to the signature assistance system;
The signature device randomly selects an integer k_1 in the interval [1, n-1];
The signature assistance system randomly selects an integer k_2 in the interval [1, n-1];
The signature device and the signature assistance system, without exposing their respective secrets k_1, k_2, complete the following calculation:
The signature device, while ensuring that the signature assistance system does not reselect k_2, obtains Q = [b_1 k_1 + b_2 k_2]G by mutual calculation with the signature assistance system, where b_1 is 1 or (1+d_A) and b_2 is 1 or (1+d_A); b_2 = 1 applies only if the homomorphic encryption algorithm corresponding to E(·) is a fully homomorphic encryption algorithm (otherwise, when s_1 is calculated later, the signature device cannot complete the computation of E(k_2 (1+d_A)^-1));
The signature assistance system, while ensuring that the signing device does not reselect k_1, obtains Q_f = [b_1 k_1 + b_2 k_2]G by mutual calculation with the signing device;
The signature device and the signature assistance system respectively check whether Q and Q_f are the zero element (the point at infinity of the elliptic curve point group); if Q and/or Q_f is zero, k_1, k_2 are reselected and Q, Q_f are recalculated until both Q and Q_f are non-zero elements;
Alternatively,
The signature device and the signature assistance system, without exposing their respective secrets k_1, k_2, complete the following calculation:
The signature device, while ensuring that the signature assistance system does not reselect k_2, obtains Q = [b k_1 k_2]G by mutual calculation with the signature assistance system, where b is 1 or (1+d_A);
The signature assistance system, while ensuring that the signing device does not reselect k_1, obtains Q_f = [b k_1 k_2]G by mutual calculation with the signing device;
If b is 1, this way of calculating Q, Q_f as Q = [b k_1 k_2]G, Q_f = [b k_1 k_2]G applies only when the homomorphic encryption algorithm corresponding to E(·) is a fully homomorphic encryption algorithm (otherwise, when s_1 is calculated later, the signature device cannot complete the computation of E(k_1 k_2 b (1+d_A)^-1));
The signature device computes r = (e + x_1) mod n, where x_1 is taken from (x_1, y_1) = Q;
The signature assistance system computes r_f = (e + x_1f) mod n, where x_1f is taken from (x_1f, y_1f) = Q_f;
The signature device and the signature assistance system respectively check whether the case (s + r) mod n = 0 and/or (s + r_f) mod n = 0 will occur (i.e., whether (k + r) mod n = 0 and/or (k + r_f) mod n = 0 occurs), where s is the parameter s of the digital signature (r, s) to be computed; if so, k_1, k_2 are reselected, Q, Q_f are recalculated and r, r_f are recalculated until the case (s + r) mod n = 0 and/or (s + r_f) mod n = 0 no longer occurs; if (s + r) mod n = 0 and/or (s + r_f) mod n = 0 does not occur, the subsequent calculation proceeds;
The signature device computes s_1 in one of the following ways:
s_1 calculation method one:
Q is calculated as Q = [b_1 k_1 + b_2 k_2]G with b_2 = (1+d_A) (calculation method one applies only to this case);
The signature device uses r, c_A, k_1 to compute, by the homomorphic encryption algorithm,
s_1 = E(k_1 b_1 (1+d_A)^-1 + r (1+d_A)^-1 (mod n));
(Note that b_1 (1+d_A)^-1 is either 1 or (1+d_A)^-1, so the calculation can be optimized according to the value of b_1.)
s_1 calculation method two:
Q is calculated as Q = [b_1 k_1 + b_2 k_2]G;
If b_2 = 1, the homomorphic encryption algorithm corresponding to E(·) is a fully homomorphic encryption algorithm;
The signature assistance system computes c_2 = E(k_2) and sends c_2 to the signature device;
The signature device uses r, c_A, k_1, c_2 to compute, by the homomorphic encryption algorithm,
s_1 = E(k_1 b_1 (1+d_A)^-1 + k_2 b_2 (1+d_A)^-1 + r (1+d_A)^-1 (mod n));
(Note that b_1 (1+d_A)^-1 and b_2 (1+d_A)^-1 are each either 1 or (1+d_A)^-1, so the calculation can be optimized according to the values of b_1, b_2.)
s_1 calculation method three:
Q is calculated as Q = [b k_1 k_2]G;
If b = 1, the homomorphic encryption algorithm corresponding to E(·) is a fully homomorphic encryption algorithm;
The signature assistance system computes c_2 = E(k_2) and sends c_2 to the signature device;
The signature device uses r, c_A, k_1, c_2 to compute, by the homomorphic encryption algorithm,
s_1 = E(k_1 k_2 b (1+d_A)^-1 + r (1+d_A)^-1 (mod n));
(Note that b (1+d_A)^-1 is either 1 or (1+d_A)^-1, so the calculation can be optimized according to the value of b.)
After s_1 is calculated, the signature device sends s_1 and P_A to the signature assistance system;
If the private key of the decryption operation corresponding to the public key used in the encryption operation E(·) of the homomorphic encryption algorithm is encrypted with a key of the signature assistance system, the ciphertext of that private key being d_E, then the signature device also sends d_E to the signature assistance system, which decrypts d_E to obtain the private key of the decryption operation (the private key of the homomorphic encryption algorithm, i.e., the private key for performing the decryption operation of the homomorphic encryption algorithm) corresponding to the public key used in the encryption operation E(·);
For s_1 calculation method one, the signature assistance system calculates s as follows:
The signature assistance system decrypts s_1 to obtain the plaintext s_12 of s_1, calculates s_2 = (s_12 + k_2) mod n and s = (s_2 - r_f) mod n, and returns s to the signing device; before returning s to the signing device, the signature assistance system verifies whether s_12 was calculated using k_1, r_f and the private key d_A corresponding to the public key P_A, or verifies whether s_2 was calculated using k_1, k_2, r_f and the private key d_A corresponding to the public key P_A; if the verification fails, error processing is performed;
For s_1 calculation methods two and three, the signature assistance system calculates s as follows:
The signature assistance system decrypts s_1 to obtain the plaintext s_12 of s_1, calculates s_2 = s_12 mod n and s = (s_2 - r_f) mod n, and returns s to the signing device; before returning s to the signing device, the signature assistance system verifies whether s_2 was calculated using k_1, k_2, r_f and the private key d_A corresponding to the public key P_A; if the verification fails, error processing is performed;
The signature device verifies whether s was calculated using k_1, k_2, r and the private key d_A corresponding to the public key P_A in the manner of SM2 digital signature calculation; if the verification passes, (r, s) is the digital signature of the message M; otherwise, error processing is performed;
(s = ((k_1 b_1 + k_2 b_2 + r)(1+d_A)^-1 - r) mod n or s = ((b k_1 k_2 + r)(1+d_A)^-1 - r) mod n)
In the above formulas for the encryption operation E(·) of the homomorphic encryption algorithm, a (mod n), where a is an integer, denotes an integer congruent to a modulo n (two integers a and b are congruent modulo n, i.e., a mod n = b mod n, written a ≡ b (mod n)); the (mod n) operator has the lowest priority;
Before the signature assistance system assists the signing device in generating the digital signature (e.g., before decrypting s_1 or before calculating s_2), it first authenticates and confirms whether the user using the signature device, namely the signer, is the owner of the public key P_A (the authentication here is not to confirm whether the user, i.e. the signer, is the owner of the private key d_A corresponding to the public key P_A);
The signing device, namely the computing device owned by the signer, is a device with computing capability comprising software and hardware (such as a personal computer, a mobile phone or another mobile terminal); the signature device implements the digital signature calculation and generation steps, and thereby the SM2 digital signature function, through a cryptographic module and cryptographic program implemented in the signature device.
In the SM2 digital signature generation method described above in which the signer controls the signature creation data, one method by which the signature device and the signature assistance system, without exposing their own secrets k_1, k_2 and while ensuring that the other party does not reselect k_1, k_2, obtain Q = [b_1 k_1 + b_2 k_2]G and Q_f = [b_1 k_1 + b_2 k_2]G by mutual calculation is as follows:
F(·) is defined as: F(1) = G, F(1+d_A) = (G + P_A);
The signature device computes Q_1 = [k_1]F(b_1), where b_1 is 1 or (1+d_A), computes the hash value h_1 of Q_1 (using any suitable hash algorithm), and sends h_1 to the signature assistance system;
The signature assistance system computes Q_2 = [k_2]F(b_2), where b_2 is 1 or (1+d_A), computes the hash value h_2 of Q_2, and sends h_2 to the signature device;
After receiving h_2 from the signature assistance system, the signature device sends Q_1 to the signature assistance system;
After receiving h_1 from the signature device, the signature assistance system sends Q_2 to the signature device;
After receiving Q_2, the signature device computes and checks whether the hash value of the received Q_2 is h_2; if not, error processing is performed; if so, Q = Q_1 + Q_2 is computed;
After receiving Q_1, the signature assistance system computes and checks whether the hash value of the received Q_1 is h_1; if not, error processing is performed; if so, Q_f = Q_1 + Q_2 is computed.
In the SM2 digital signature generation method described above in which the signer controls the signature creation data, one method by which the signature device and the signature assistance system, without exposing their own secrets k_1, k_2 and while ensuring that the other party does not reselect k_1, k_2, obtain Q = [b k_1 k_2]G and Q_f = [b k_1 k_2]G by mutual calculation is as follows:
F(·) is defined as: F(1) = G, F(1+d_A) = (G + P_A);
b is 1 or (1+d_A);
The signature device computes Q_1 = [k_1]F(b), computes the hash value h_1 of Q_1 (using any suitable hash algorithm), and sends h_1 to the signature assistance system;
The signature assistance system computes Q_2 = [k_2]F(b), computes the hash value h_2 of Q_2, and sends h_2 to the signature device;
After receiving h_2 from the signature assistance system, the signature device sends Q_1 to the signature assistance system;
After receiving h_1 from the signature device, the signature assistance system sends Q_2 to the signature device;
After receiving Q_2, the signature device computes and checks whether the hash value of the received Q_2 is h_2; if not, error processing is performed; if so, Q = [k_1]Q_2 is computed;
After receiving Q_1, the signature assistance system computes and checks whether the hash value of the received Q_1 is h_1; if not, error processing is performed; if so, Q_f = [k_2]Q_1 is computed.
In the SM2 digital signature generation method described above in which the signer controls the signature creation data, one method by which the signature device and the signature assistance system check whether (s + r) mod n = 0 and/or (s + r_f) mod n = 0 will occur (i.e., whether (k + r) mod n = 0 and/or (k + r_f) mod n = 0 will occur) is as follows:
The signature device checks whether Q + [r]G is the zero element (the point at infinity of the SM2 elliptic curve point group); if so, the case (s + r) mod n = 0 will occur, otherwise it will not;
The signature assistance system checks whether Q_f + [r_f]G is the zero element (the point at infinity of the SM2 elliptic curve point group); if so, the case (s + r_f) mod n = 0 will occur, otherwise it will not.
In the SM2 digital signature generation method described above in which the signer controls the signature creation data, one method by which the signature assistance system verifies whether s_12 was calculated using k_1, r_f and the private key d_A corresponding to the public key P_A, or verifies whether s_2 was calculated using k_1, k_2, r_f and the private key d_A corresponding to the public key P_A, is as follows:
The signature assistance system checks whether Q_1 + [r_f]G and [(s_12) mod n](G + P_A) are equal; if equal, the verification passes (i.e., s_12 was calculated using k_1, r_f and the private key d_A corresponding to the public key P_A), otherwise the verification fails;
Alternatively,
The signature assistance system checks whether Q_f + [r_f]G and [s_2](G + P_A) are equal; if equal, the verification passes (i.e., s_2 was calculated using k_1, k_2, r_f and the private key d_A corresponding to the public key P_A), otherwise the verification fails.
In the SM2 digital signature generation method described above in which the signer controls the signature creation data, one method by which the signature device verifies whether s was calculated using k_1, k_2, r and the private key d_A corresponding to the public key P_A in the manner of SM2 digital signature calculation is as follows:
The signature device checks whether Q + [r]G and [(s + r) mod n](G + P_A) are equal; if equal, the verification passes (i.e., s was calculated using k_1, k_2, r and the private key d_A corresponding to the public key P_A in the manner of SM2 digital signature calculation), otherwise the verification fails.
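The signing flow described above, run end to end as an added example (not the patent's own code): s_1 calculation method one with b_1 = 1 and b_2 = 1 + d_A, the hash-committed exchange of Q_1 and Q_2, the zero checks on Q and Q + [r]G, the helper's check of s_12 and the device's check of s, followed by ordinary SM2 verification of (r, s). It assumes textbook Paillier as the additively homomorphic E(·), SHA-256 in place of SM3 for e and for the commitment hashes, and that the signature assistance system already knows P_A from the user's account binding; the curve, Paillier and party code are written here from scratch.

```python
# Added example, not the patent's code: two-party SM2 signing, first calculation method.
import hashlib, secrets
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF  # SM2 curve, GB/T 32918.5
A = P - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123  # prime order n of G
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(p1, p2):                   # affine point addition; None is the zero element
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):                    # [k]pt by double-and-add
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def is_prime(n, rounds=24):        # Miller-Rabin, used only to generate the Paillier primes
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1: continue
        for _ in range(r):
            if x == n - 1: break
            x = x * x % n
        else: return False
    return True

def paillier_keygen(bits=640):     # plaintext space > n^2: E() never reduces s1's plaintext mod n
    p = q = 4
    while not is_prime(p): p = secrets.randbits(bits // 2) | 1 << (bits // 2 - 1) | 1
    while not is_prime(q) or q == p: q = secrets.randbits(bits // 2) | 1 << (bits // 2 - 1) | 1
    lam = (p - 1) * (q - 1)
    return p * q, (lam, pow(lam, -1, p * q))   # public modulus nn (g = nn + 1), private (lambda, mu)
def paillier_enc(nn, m):
    return pow(nn + 1, m, nn * nn) * pow(secrets.randbelow(nn - 1) + 1, nn, nn * nn) % (nn * nn)
def paillier_dec(nn, sk, c):
    return (pow(c, sk[0], nn * nn) - 1) // nn * sk[1] % nn

def hash_e(msg):                   # stands in for SM2's e = SM3(Z_A || M); plain SHA-256(M) here
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")
def commit(pt):                    # hash of a point, for the commit-then-reveal exchange of Q1, Q2
    return hashlib.sha256(b"%064x%064x" % pt).digest()

class Device:                      # signer's device: keeps P_A and c_A = E((1+d_A)^-1), not d_A
    def __init__(self, d_a, nn):
        self.P_A, self.nn, self.c_A = mul(d_a, G), nn, paillier_enc(nn, pow(1 + d_a, -1, N))
    def round1(self, msg):         # -> e and the commitment h1 to Q1 = [k1]G (b1 = 1)
        self.e, self.k1 = hash_e(msg), secrets.randbelow(N - 1) + 1
        self.Q1 = mul(self.k1, G); return self.e, commit(self.Q1)
    def round2(self, h2, Q2):      # -> s1 = E((k1 + r)(1+d_A)^-1), computed from c_A alone
        if commit(Q2) != h2: raise ValueError("Q2 does not match the helper's commitment")
        self.Q = add(self.Q1, Q2)
        if self.Q is None: raise ValueError("Q is zero: reselect k1, k2")
        self.r = (self.e + self.Q[0]) % N
        if add(self.Q, mul(self.r, G)) is None: raise ValueError("(s+r) mod n == 0: reselect")
        return pow(self.c_A, (self.k1 + self.r) % N, self.nn * self.nn)   # additive HE suffices
    def finish(self, s):           # accept s only if Q + [r]G == [(s+r) mod n](G + P_A)
        if add(self.Q, mul(self.r, G)) != mul((s + self.r) % N, add(G, self.P_A)):
            raise ValueError("s returned by the helper is inconsistent")
        return self.r, s
class Helper:                      # signature assistance system: holds the Paillier private key
    def __init__(self, nn, sk): self.nn, self.sk = nn, sk
    def round1(self, e, h1, P_A):  # -> commitment h2 to Q2 = [k2](G + P_A) (b2 = 1 + d_A)
        self.e, self.h1, self.P_A = e, h1, P_A   # P_A assumed known from the user's account binding
        self.k2 = secrets.randbelow(N - 1) + 1; self.Q2 = mul(self.k2, add(G, P_A))
        return commit(self.Q2)
    def round2(self, Q1):          # device committed to Q1 before seeing h2, so k1 is fixed
        if commit(Q1) != self.h1: raise ValueError("Q1 does not match the device's commitment")
        self.Q1 = Q1; return self.Q2
    def round3(self, s1):          # -> s = (s2 - r_f) mod n with s2 = (s12 + k2) mod n
        Qf = add(self.Q1, self.Q2)
        if Qf is None: raise ValueError("Q_f is zero: reselect k1, k2")
        rf = (self.e + Qf[0]) % N
        s12 = paillier_dec(self.nn, self.sk, s1) % N
        if add(self.Q1, mul(rf, G)) != mul(s12, add(G, self.P_A)):   # s12 == (k1 + r_f)(1+d_A)^-1 ?
            raise ValueError("s1 was not formed from k1, r_f and the key behind P_A")
        return (s12 + self.k2 - rf) % N

def sm2_verify(P_A, msg, r, s):    # ordinary GB/T 32918.2 verification of (r, s) under P_A
    if not (1 <= r < N and 1 <= s < N and (r + s) % N): return False
    pt = add(mul(s, G), mul((r + s) % N, P_A))
    return pt is not None and (hash_e(msg) + pt[0]) % N == r

def cosign(msg):                   # drive one signing exchange; returns (P_A, r, s)
    nn, sk = paillier_keygen()
    dev, hlp = Device(secrets.randbelow(N - 2) + 1, nn), Helper(nn, sk)   # d_A used only at setup
    h2 = hlp.round1(*dev.round1(msg), dev.P_A)   # helper commits to Q2 before it sees Q1
    s1 = dev.round2(h2, hlp.round2(dev.Q1))      # reveal Q1, receive Q2, check it against h2
    return (dev.P_A, *dev.finish(hlp.round3(s1)))
```

Calling cosign(b"...") returns a signature that any standard SM2 verifier accepts for P_A, while neither party ever held k_1 + k_2(1+d_A) or d_A in the clear during signing.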
For the SM2 digital signature generation method for controlling signature making data by a signer, a signature auxiliary system maintains a public key blacklist, and a public key P appearing on the blacklist A The signature assistance system does not generate a digital signature for the corresponding private key.
In the SM2 digital signature generation method in which the signer manages the signature creation data, the signature support system authenticates and confirms whether or not the user who uses the signature apparatus, i.e., the signer, is the public key P A There are many ways for the owner of (e.g. the user's public key P) A In connection with the user's account binding on the signature assistance system, the user uses the signature assistance system to first complete the login (identity authentication) on the signature assistance system using the account name. In fact, there are other accounts and public keys P that do not require the user to sign the secondary system A In the binding scheme, a user can log in the signature auxiliary system in an anonymous mode, but related authentication confirmation can still be realized, for example, the following scheme supports the authentication confirmation in the anonymous mode.
In the SM2 digital signature generation method in which the signer controls the signature-making data, one method by which the signature assistance system authenticates and confirms whether the user of the signing device, i.e. the signer, is the owner of the public key $P_A$ is as follows:
after $P_A$ has been generated, the combination of $P_A$ and the identity authentication information of the user (the signer) forms the public key authentication information (the user identity authentication information is private data known or owned only by the owner of the public/private key pair, such as a password, the seed key of a dynamic password, biometric verification information, or a mobile phone number or e-mail address used for verification; strictly speaking this is public key authentication information rather than identity authentication information, because the authentication does not require the user's name or account name and can operate in an anonymous mode). The public key authentication information is either encrypted with a symmetric key of the signature assistance system under a symmetric-key cryptographic algorithm to obtain symmetric-key-encrypted public key authentication information, or signed and encrypted under a public-key cryptographic algorithm to obtain signature-encrypted public key authentication information; signature encryption means either sign-then-encrypt or encrypt-then-sign, where the signature uses a private key of the public key registration system (an ordinary RSA or SM2 private key, or a group private key of a group cryptographic algorithm) and the encryption uses a public key of the signature assistance system (an ordinary RSA or SM2 public key, or a group public key of a group cryptographic algorithm). Symmetric-key-encrypted public key authentication information and signature-encrypted public key authentication information are collectively called encrypted public key authentication information (public-key encryption here may encrypt the data with a random symmetric key and encrypt that random symmetric key with the public key). The encrypted public key authentication information is stored in the signing device. The public key registration system is the system that performs registration management of user public keys;
when the signature assistance system needs to authenticate and confirm whether the user of the signing device, i.e. the signer, is the owner of $P_A$, the signing device submits the encrypted public key authentication information to the signature assistance system;
the signature assistance system decrypts the encrypted public key authentication information to obtain the plaintext public key authentication information; for signature-encrypted public key authentication information, the signature assistance system must also verify the validity of the digital signature and continues only after that verification passes;
the signature assistance system checks whether the public key $P_A$ contained in the decrypted public key authentication information is the public key $P_A$ currently used for digital signature generation and verification (e.g. for verifying $s_{12}$ or $s_2$); if not, error processing is performed, and if so, the operation continues;
the signature assistance system takes the user identity authentication information from the decrypted public key authentication information and uses it to authenticate the user of the signing device, i.e. the signer; if the user identity authentication passes, the user of the signing device is confirmed to be the owner of $P_A$, otherwise the authentication confirmation fails.
For the SM2 digital signature generation method in which the signer controls the signature-making data as described above, one method of generating the symmetric-key-encrypted public key authentication information or the signature-encrypted public key authentication information is as follows:
after $P_A$ and $c_A$ have been generated, the signing device (anonymously) submits $P_A$ to the public key registration system and applies to register $P_A$;
the public key registration system checks whether $P_A$ is already registered (the public key registration system keeps a record of registered $P_A$); if it is already registered this is reported, otherwise registration continues;
the signing device proves to the public key registration system, without exposing its own secret, that it possesses the private signing key $d_A$ corresponding to $P_A$ (i.e. that the user of the signing device is the owner of $d_A$), which is to say that it proves that it holds $c_A$ computed in the agreed manner, i.e. that its $c_A$ is $E((1+d_A)^{-1})$ and $P_A=[d_A]G$ (note that $c_A$ and $d_A$ are both secrets of the signing device); the subsequent operation is carried out after the proof passes, otherwise error processing is performed;
the signing device submits the user identity authentication information (e.g. private data used for user authentication such as a password, a dynamic-password seed key or biometric verification information, or an electronic communication address used for sending verification confirmation messages, such as an e-mail address or mobile phone number) to the public key registration system; the public key registration system then either encrypts the public key authentication information consisting of $P_A$ and the user identity authentication information with the symmetric key of the signature assistance system under a symmetric-key cryptographic algorithm to form the encrypted public key authentication information, or signs the public key authentication information containing $P_A$ and the user identity authentication information with the private key of the public key registration system and then encrypts the signed public key authentication information with the public key of the signature assistance system (an ordinary public key such as RSA or SM2, or a group public key) to obtain sign-then-encrypt public key authentication information, or encrypts the public key authentication information containing $P_A$ and the user identity authentication information with the public key of the signature assistance system and then signs the encrypted public key authentication information with the private key of the public key registration system to obtain encrypt-then-sign public key authentication information.
For the above method of generating symmetric-key-encrypted or signature-encrypted public key authentication information, the signing device periodically updates the encrypted public key authentication information.
For the above method of generating symmetric-key-encrypted or signature-encrypted public key authentication information, one method by which the signing device updates the encrypted public key authentication information is as follows:
the signing device submits the encrypted public key authentication information to the public key registration system (e.g. anonymously), and the public key registration system decrypts it; if it is signature-encrypted public key authentication information, the public key registration system also verifies the validity of the digital signature it contains and continues only after that verification passes;
the public key registration system authenticates the user of the signing device using the user identity authentication information in the decrypted public key authentication information; if the authentication fails, error processing is performed, and if it passes, the operation continues;
the signing device proves to the public key registration system, without exposing its own secret, that it possesses the private signing key $d_A$ corresponding to $P_A$ (e.g. in the same way as at the registration of $P_A$, or in a different way);
after the signing device has proved to the public key registration system that it possesses the private signing key $d_A$ corresponding to $P_A$, the signing device and the public key registration system generate new encrypted public key authentication information in the same way as when $P_A$ was registered (usually the user identity authentication information is updated and $P_A$ is unchanged, but the update method also allows $P_A$ to be updated, i.e. it actually allows one public key authentication information to be used to generate another new one); this covers both symmetric-key-encrypted public key authentication information and signature-encrypted public key authentication information.
If the user identity authentication information in the public key authentication information is a password, the public key registration system encrypts the public key authentication information or signs and encrypts the public key authentication information after confirming that the password meets the security requirement.
If the user identity authentication information in the public key authentication information is a password and the public key authentication information also includes a user electronic communication address (e.g. an e-mail address or mobile phone number), the public key registration system offers the user a function for resetting or recovering the password in the public key authentication information through that electronic communication address (apart from sending verification information to the electronic communication address, the password reset or recovery process is similar to the update process for the public key authentication information).
For the above-described SM2 digital signature generation method in which the signer controls the signature-making data, $P_A=[d_A]G$ and $c_A=E((1+d_A)^{-1})$ are generated in one of the following ways:
Generation mode one for $P_A$, $c_A$:
the signing device (used e.g. by the signer or by an initialization operator) generates $d_A$, computes $P_A=[d_A]G$ and $c_A=E((1+d_A)^{-1})$, and then destroys $d_A$ (this method is suitable when the signing device has a trusted computing or execution environment, or when the security requirement is low);
Generation mode two for $P_A$, $c_A$:
a computing device other than the signing device (used e.g. by the signer or by an initialization operator) generates $d_A$, computes $P_A=[d_A]G$ and $c_A=E((1+d_A)^{-1})$, destroys $d_A$, exports $P_A$ and $c_A$, and then (by some secure means) imports $P_A$ and $c_A$ into the signing device;
Generation mode three for $P_A$, $c_A$:
a computing device other than the signing device (used e.g. by the signer or by an initialization operator; the private key helper generator) randomly selects an integer $d_2$ in $[1,n-1]$, computes $G_2=[(d_2)^{-1}]G$ and $t_2=E(d_2)$, where $(d_2)^{-1}$ is the modular multiplicative inverse of $d_2$ modulo $n$ (i.e. $((d_2)^{-1}d_2) \bmod n = 1$), then destroys $d_2$, exports $G_2$ and $t_2$, and imports $G_2$ and $t_2$ into the signing device;
the signing device (used e.g. by the signer or by an initialization operator) randomly selects an integer $d_1$ in $[1,n-1]$, computes $P_A=[(d_1)^{-1}]G_2-G$ and, using $t_2$, computes $c_A=E(d_1d_2)$, where $(d_1)^{-1}$ is the modular multiplicative inverse of $d_1$ modulo $n$ (i.e. $((d_1)^{-1}d_1) \bmod n = 1$); it then destroys $d_1$, $G_2$ and $t_2$. Then $d_1d_2 \equiv (1+d_A)^{-1} \pmod n$ (i.e. $d_1d_2$ is congruent modulo $n$ to $(1+d_A)^{-1}$ for some $d_A$) and $P_A=[d_A]G$ (indeed $P_A=[(d_1d_2)^{-1}-1]G$, so $d_A = ((d_1d_2)^{-1}-1) \bmod n$);
For generation modes one, two and three of $P_A$, $c_A$ above, the encryption operation $E(\cdot)$ either uses a public key of the homomorphic encryption algorithm belonging to the signature assistance system, in which case the signature assistance system holds the private key of the decryption operation corresponding to the public key used by $E(\cdot)$ (the public key of the homomorphic encryption operation is publicly known), or it uses the public key of a public/private key pair of the homomorphic encryption algorithm generated temporarily (by the entity that first performs $E(\cdot)$), in which case the private key of the temporarily generated key pair is encrypted with the public key of the signature assistance system to form the ciphertext $d_E$ of the encrypted private key (the public key of the signature assistance system may be an ordinary RSA or SM2 public key, or a group public key of a group cryptographic algorithm);
Generation mode four for $P_A$, $c_A$:
the user (the signer) of the SM2 signing private key uses the signing device to interact with the key collaborative generation system (e.g. anonymously) and, without either party exposing its own secret, obtains $P_A=[d_A]G$ and $c_A=E((1+d_A)^{-1})$ by collaborative computation using a homomorphic encryption algorithm, after which the secrets used during the computation are destroyed;
the key collaborative generation system is a system providing SM2 public/private key pair collaborative generation services;
for generation mode four of $P_A$, $c_A$ above, the encryption operation $E(\cdot)$ either uses a public key of the homomorphic encryption algorithm belonging to the signature assistance system, in which case the signature assistance system holds the private key of the decryption operation corresponding to the public key used by $E(\cdot)$ (the public key of the homomorphic encryption operation is publicly known), or it uses the public key of a public/private key pair of the homomorphic encryption algorithm generated temporarily by the key collaborative generation system, in which case the private key of the temporarily generated key pair is encrypted with the key of the signature assistance system to form the ciphertext $d_E$ of the encrypted private key, where the key of the signature assistance system is a symmetric key or a public key (an ordinary RSA or SM2 public key, or a group public key of a group cryptographic algorithm).
For generation mode four of $P_A$, $c_A$ above, one way (not the only possible way) in which the user (the signer) of the SM2 signing private key uses the signing device to interact with the key collaborative generation system (e.g. anonymously) and obtains $P_A=[d_A]G$ and $c_A=E((1+d_A)^{-1})$ by collaborative computation under a homomorphic encryption algorithm, without either party exposing its own secret, is as follows:
the user (the signer) of the SM2 signing private key uses the signing device to send an SM2 key pair collaborative generation request to the key collaborative generation system (e.g. anonymously);
the key collaborative generation system randomly selects an integer $d_2$ in $[1,n-1]$, computes $G_2=[(d_2)^{-1}]G$ and $t_2=E(d_2)$, where $(d_2)^{-1}$ is the modular multiplicative inverse of $d_2$ modulo $n$ (i.e. $((d_2)^{-1}d_2) \bmod n = 1$), then destroys $d_2$ and sends $G_2$, $t_2$ to the signing device; here the public key used for the encryption $t_2=E(d_2)$ is either the homomorphic-encryption public key of the signature assistance system (in which case the signature assistance system holds the private key of the decryption operation corresponding to the public key used by $E$) or the public key of a homomorphic-encryption key pair generated temporarily by the key collaborative generation system; in the latter case the key collaborative generation system encrypts the private key of the temporarily generated key pair with the key of the signature assistance system to form the ciphertext $d_E$ of the encrypted private key and sends $d_E$ together with $G_2$, $t_2$ to the signing device, where the key of the signature assistance system is a symmetric key or a public key (if a symmetric key of the signature assistance system is used, the key collaborative generation system can use that key);
the signing device randomly selects an integer $d_1$ in $[1,n-1]$, computes $P_A=[(d_1)^{-1}]G_2-G$ and, using $t_2$, computes $c_A=E(d_1d_2)$, where $(d_1)^{-1}$ is the modular multiplicative inverse of $d_1$ modulo $n$ (i.e. $((d_1)^{-1}d_1) \bmod n = 1$); it then destroys $d_1$, $G_2$ and $t_2$;
without exposing $c_A$ or $d_A$, the signing device verifies by interacting with the key collaborative generation system that the plaintext $c_{Am}$ of $c_A$ satisfies $d_1d_2 \equiv (1+d_A)^{-1} \pmod n$ (i.e. that $c_{Am}$, which is $d_1d_2$, is congruent modulo $n$ to $(1+d_A)^{-1}$ for some $d_A$) and that $P_A$ is $[d_A]G$; if the verification passes then $d_1d_2 \equiv (1+d_A)^{-1} \pmod n$ and $P_A=[d_A]G$, otherwise error processing is performed.
Generation modes three and four of $P_A$, $c_A$ above generate the user's SM2 signing private key $d_A$ indirectly.
Based on the SM2 digital signature generation method in which the signer controls the signature-making data, an SM2 digital signature generation system in which the signer controls the signature-making data can be constructed. The system comprises the signing device and the signature assistance system; when a message M needs to be digitally signed with the user's SM2 signing private key $d_A$, the signing device and the signature assistance system generate the digital signature for M according to the SM2 digital signature generation method in which the signer controls the signature-making data.
With the method of the present invention, the signature-making data $(1+d_A)^{-1}$ used by the signer (user) to generate SM2 digital signatures is completely controlled by the signer, is stored in the computing device in ciphertext form, and is used in ciphertext form during digital signature generation, so leakage of the signature-making data $(1+d_A)^{-1}$ is effectively prevented. At the same time, from the perspective of entities other than the signing device and the signature assistance system, the security of the SM2 digital signatures generated in this way is the same as that of SM2 digital signatures generated by directly using $(1+d_A)^{-1}$ or $d_A$; and from that same perspective, whether or not the signature assistance system uses $k_2$ to participate in the calculation of the digital signature does not affect the security of the generated SM2 digital signature. However, from the perspective of the owner of the SM2 signing private key, using $k_2$ prevents an attacker who has stolen $c_A$, the ciphertext of $(1+d_A)^{-1}$, from using $c_A$ to recover the SM2 signing private key $d_A$; therefore, from the perspective of the owner of the SM2 signing private key, the method of the present invention improves the security of using the user's SM2 signing private key. Moreover, before $s$ is computed, the signature assistance system can strengthen the identity authentication of the signing device or of its user through the public key authentication information, for example by sending verification information to a user computing device other than the signing device or by authenticating the user of the signing device through face recognition, thereby ensuring that the user's signature-making data is not stolen.
Drawings
FIG. 1 is a schematic diagram of the system of the present invention.
FIG. 2 is a schematic diagram of a distributed deployment of the present invention.
Detailed Description
The present invention will be further described with reference to the following examples. The following embodiments and examples are only a few possible embodiments and examples of the present invention, and do not represent all the possible embodiments and examples, and are not intended to limit the present invention.
The implementation of the invention requires homomorphic encryption algorithms, including additive homomorphic encryption algorithms and fully homomorphic encryption algorithms (i.e. homomorphic encryption algorithms supporting both additive and multiplicative homomorphism). The invention places no restriction on the specific additive or fully homomorphic encryption algorithm used; any algorithm that supports homomorphic encryption operations on integers can be used, for example the Paillier algorithm for additive homomorphic encryption and the Gentry algorithm for fully homomorphic encryption.
In the following description, the first operator (shown as a formula image in the original, not reproduced here) denotes the multiplication of two homomorphically encrypted ciphertext numbers, the result being the ciphertext of the product of the two corresponding plaintext numbers; the second operator (likewise shown as a formula image in the original) denotes the addition of two homomorphically encrypted ciphertext numbers, the result being the ciphertext of the sum of the two corresponding plaintext numbers; similarly, the product of a plaintext number and a ciphertext number under homomorphic encryption corresponds to the ciphertext of the product of the two corresponding plaintext numbers.
In the homomorphic encryption operations of the present invention, $E(a \pmod n)$ appears frequently, where $a$ is an integer and $a \pmod n$ denotes a number congruent to $a$ modulo $n$. The invention encrypts a number congruent to $a$ modulo $n$ rather than $a$ itself, so that when $a$ is the result of an operation (such as a product) on two or more secret numbers, the secrets cannot be recovered by directly factoring $a$: for example, if $a=pq$ and the bit lengths of $p$ and $q$ are small (relatively speaking, not large numbers), then $p$ and $q$ are easily recovered by factoring $a$; but if a remainder congruent to $a$ modulo $n$ is used instead, recovering $p$ and $q$ directly becomes harder or computationally infeasible.
One approach to implementing $E(a \pmod n)$ is as follows (not the only possibility):
replace the computation of $E(a \pmod n)$ with the computation of
$E(a+zn)$,
where $z$ is an integer randomly selected during the computation (e.g. by the signing device; not limited to $[1,n-1]$) or an integer calculated from a randomly selected integer (e.g. by the signing device); $z$ may be positive, negative or zero, and is chosen so that the plaintext number actually encrypted, i.e. $a+zn$, does not exceed the range of integers representable by the encryption operation $E(\cdot)$ of the homomorphic encryption algorithm, or exceeds it only with negligible probability (the probability of exceeding it lies within a specified bound). (The encryption operation $E(\cdot)$ of the homomorphic encryption algorithm represents positive, negative and zero integers in complement form: if the modulus of $E(\cdot)$ for encrypted integers is $m$, then $m$ is divided into two halves, the lower half representing positive integers and zero and the upper half representing negative integers, similarly to the two's complement representation of binary numbers.)
In a specific implementation, either the signature assistance system holds the private key of the decryption operation corresponding to the public key used in the encryption operation $E(\cdot)$ of the homomorphic encryption algorithm (in this case the private key of the decryption operation is usually stored in a dedicated cryptographic device, as shown in FIG. 1), or the private key of the decryption operation corresponding to the (temporarily generated) public key used in $E(\cdot)$ is encrypted with the key of the signature assistance system to form the ciphertext $d_E$ of the encrypted private key, where the key of the signature assistance system is a symmetric key or a public key (an ordinary public key such as RSA or SM2, or a group public key of a group cryptographic algorithm) and the symmetric key or private key used to decrypt $d_E$ is usually stored in a dedicated cryptographic device (as shown in FIG. 1); when the decryption operation $D(\cdot)$ corresponding to $E(\cdot)$ is required, the signature assistance system first decrypts $d_E$ with the cryptographic device to obtain the private key for $D(\cdot)$ and then performs the decryption operation of the homomorphic encryption algorithm (the decryption operation is also usually performed inside the cryptographic device).
Which private key of the decryption operation corresponding to the public key used in $E(\cdot)$ is used, and how the SM2 private key $d_A$ is generated, depends on the deployment mode of the system of the invention (e.g. centralized or distributed deployment); see the following description.
When generating a digital signature for a message M, $Q$ and $Q_f$ can be computed in different ways; the choice not only affects the calculation mode (embodiment) used later for the digital signature but is also related to the chosen homomorphic encryption algorithm. Specific implementations are described below.
Example 1 of $Q$, $Q_f$:
$Q$, $Q_f$ are computed as $Q=[b_1k_1+b_2k_2]G$, $Q_f=[b_1k_1+b_2k_2]G$ with $b_1=1$, $b_2=1$; this applies only when the homomorphic encryption algorithm corresponding to $E(\cdot)$ is a fully homomorphic encryption algorithm; in this case $s_1$ can only be obtained by calculation mode two for $s_1$, and the signing device computes $s_1$ as follows:
[homomorphic ciphertext expression for $s_1$; given as a formula image in the original]
where $c_A=E((1+d_A)^{-1})$, $c_2=E(k_2)$;
this corresponds to $s_1=E((k_1+r)(1+d_A)^{-1}+k_2(1+d_A)^{-1} \pmod n)$ and $s=((k_1+k_2+r)(1+d_A)^{-1}-r) \bmod n$.
Example 2 of $Q$, $Q_f$:
$Q$, $Q_f$ are computed as $Q=[b_1k_1+b_2k_2]G$, $Q_f=[b_1k_1+b_2k_2]G$ with $b_1=(1+d_A)$, $b_2=1$; this applies only when the homomorphic encryption algorithm corresponding to $E(\cdot)$ is a fully homomorphic encryption algorithm; in this case $s_1$ can only be obtained by calculation mode two for $s_1$, with $b_1(1+d_A)^{-1}$ taking the value 1, and the signing device computes $s_1$ as follows:
[homomorphic ciphertext expression for $s_1$; given as a formula image in the original]
where $c_A=E((1+d_A)^{-1})$, $c_2=E(k_2)$;
this corresponds to $s_1=E(k_1+k_2(1+d_A)^{-1}+r(1+d_A)^{-1} \pmod n)$ and
$s=((k_1(1+d_A)+k_2+r)(1+d_A)^{-1}-r) \bmod n$.
Example 3 of $Q$, $Q_f$:
$Q$, $Q_f$ are computed as $Q=[b_1k_1+b_2k_2]G$, $Q_f=[b_1k_1+b_2k_2]G$ with $b_1=1$, $b_2=(1+d_A)$; in this case the homomorphic encryption algorithm corresponding to $E(\cdot)$ can be either an additive homomorphic encryption algorithm or a fully homomorphic encryption algorithm, and $s_1$ can be obtained by calculation mode one or calculation mode two for $s_1$, with $b_2(1+d_A)^{-1}$ taking the value 1;
if $s_1$ is obtained by calculation mode one, the signing device computes $s_1$ as follows:
[homomorphic ciphertext expression for $s_1$; given as a formula image in the original]
where $c_A=E((1+d_A)^{-1})$;
this corresponds to $s_1=E((k_1+r)(1+d_A)^{-1} \pmod n)$ and $s=((k_1+k_2(1+d_A)+r)(1+d_A)^{-1}-r) \bmod n$.
If $s_1$ is obtained by calculation mode two, the signing device computes $s_1$ as follows:
[homomorphic ciphertext expression for $s_1$; given as a formula image in the original]
where $c_A=E((1+d_A)^{-1})$, $c_2=E(k_2)$;
this corresponds to $s_1=E((k_1+r)(1+d_A)^{-1}+k_2 \pmod n)$ and
$s=((k_1+k_2(1+d_A)+r)(1+d_A)^{-1}-r) \bmod n$.
Example 4 of $Q$, $Q_f$:
$Q$, $Q_f$ are computed as $Q=[b_1k_1+b_2k_2]G$, $Q_f=[b_1k_1+b_2k_2]G$ with $b_1=(1+d_A)$, $b_2=(1+d_A)$; in this case the homomorphic encryption algorithm corresponding to $E(\cdot)$ can be either an additive homomorphic encryption algorithm or a fully homomorphic encryption algorithm, and $s_1$ can be obtained by calculation mode one or calculation mode two for $s_1$, with $b_1(1+d_A)^{-1}$ and $b_2(1+d_A)^{-1}$ both taking the value 1;
if $s_1$ is obtained by calculation mode one, the signing device computes $s_1$ as follows:
[homomorphic ciphertext expression for $s_1$; given as a formula image in the original]
where $c_A=E((1+d_A)^{-1})$;
this corresponds to $s_1=E(k_1+r(1+d_A)^{-1} \pmod n)$ and
$s=((k_1(1+d_A)+k_2(1+d_A)+r)(1+d_A)^{-1}-r) \bmod n$.
If $s_1$ is obtained by calculation mode two, the signing device computes $s_1$ as follows:
[homomorphic ciphertext expression for $s_1$; given as a formula image in the original]
where $c_A=E((1+d_A)^{-1})$, $c_2=E(k_2)$;
this corresponds to $s_1=E(k_1+k_2+r(1+d_A)^{-1} \pmod n)$ and
$s=((k_1(1+d_A)+k_2(1+d_A)+r)(1+d_A)^{-1}-r) \bmod n$.
Example 5 of $Q$, $Q_f$:
$Q$, $Q_f$ are computed as $Q=[bk_1k_2]G$, $Q_f=[bk_1k_2]G$ with $b=1$; this applies only when the homomorphic encryption algorithm corresponding to $E(\cdot)$ is a fully homomorphic encryption algorithm; in this case $s_1$ can only be obtained by calculation mode three for $s_1$, and the signing device computes $s_1$ in one of the following ways:
[first homomorphic ciphertext expression for $s_1$; given as a formula image in the original]
or
[second homomorphic ciphertext expression for $s_1$; given as a formula image in the original]
or
[third homomorphic ciphertext expression for $s_1$; given as a formula image in the original]
where $c_A=E((1+d_A)^{-1})$, $c_2=E(k_2)$;
this corresponds to $s_1=E(k_1k_2(1+d_A)^{-1}+r(1+d_A)^{-1} \pmod n)$ and $s=((k_1k_2+r)(1+d_A)^{-1}-r) \bmod n$.
Example 6 of $Q$, $Q_f$:
$Q$, $Q_f$ are computed as $Q=[bk_1k_2]G$, $Q_f=[bk_1k_2]G$ with $b=(1+d_A)$; in this case the homomorphic encryption algorithm corresponding to $E(\cdot)$ can be an additive homomorphic encryption algorithm or a fully homomorphic encryption algorithm; $b(1+d_A)^{-1}$ takes the value 1, and $s_1$ can only be obtained by calculation mode three for $s_1$;
if the homomorphic encryption algorithm corresponding to $E(\cdot)$ is an additive homomorphic encryption algorithm, the signing device computes $s_1$ as follows:
[homomorphic ciphertext expression for $s_1$; given as a formula image in the original]
where $c_A=E((1+d_A)^{-1})$, $c_2=E(k_2)$;
if the homomorphic encryption algorithm corresponding to $E(\cdot)$ is a fully homomorphic encryption algorithm, the signing device can also compute $s_1$ as follows:
[homomorphic ciphertext expression for $s_1$; given as a formula image in the original]
where $c_A=E((1+d_A)^{-1})$, $c_2=E(k_2)$;
this corresponds to $s_1=E(k_1k_2+r(1+d_A)^{-1} \pmod n)$ and $s=(((1+d_A)k_1k_2+r)(1+d_A)^{-1}-r) \bmod n$.
In a specific implementation, one of the calculation modes for $Q$, $Q_f$ may be selected, together with the corresponding calculation mode for $s_1$ and the corresponding calculation mode for $s$ (the subsequent calculation of $s$ differs between $s_1$ calculation mode one on the one hand and $s_1$ calculation modes two and three on the other).
In the present invention, when a digital signature is generated for a message M, it is necessary for the signature assistance system to authenticate and confirm whether the user of the signing device, i.e. the signer, is the owner of the public key $P_A$ (note that what is authenticated here is not whether the user, i.e. the signer, is the owner of the private key $d_A$ corresponding to $P_A$), in order to prevent the signature-making data, i.e. the secret $c_A$, from being stolen. In implementation there are many ways to authenticate and confirm whether the user of the signing device, i.e. the signer, is the owner of $P_A$. For example, the user's public key $P_A$ is bound to the user's account in the signature assistance system (e.g. the user account database of the signature assistance system stores the user's public key $P_A$ in the account information, or the subject name of the public key digital certificate provided by the user corresponds to the user account); when using the signature assistance system, the user first completes login (identity authentication) in the signature assistance system under the account name, e.g. a secure login through face recognition or a security token, and after completing the user's identity authentication the signature assistance system obtains the user's public key $P_A$ from the user account database. However, this method is not suitable where anonymity is required for privacy protection (anonymity meaning that the real identity of the user of the signing device is not exposed during digital signature generation), nor for a distributed deployment environment in which the invention is implemented (because user account information would have to be maintained centrally); distributed deployment here means that multiple signature assistance systems are deployed at different locations.
The public key authentication information introduced by the invention, and the way it is registered and used, do not require the user to provide real identity information, so user privacy can be protected in an anonymous mode (to protect user privacy, the biometric verification information may be transformed information); note that supporting an anonymous mode does not mean that the generation and use of the public key authentication information must be anonymous.
For the invention, in the registration and generation process of the public key authentication information, the signature device needs to prove to the public key registration system, without exposing its own secret, that it possesses the signature private key d_A corresponding to P_A. There are many possible methods and embodiments for this. For example, the signature device may sign a random string submitted by the public key registration system using the SM2 digital signature generation method in which the signer controls the signature creation data (when signing, the public key registration system or the signature assistance system does not verify whether P_A is owned by the user of the signature device, since the registration of P_A and the generation of its public key authentication information are being performed at this moment and no public key authentication information exists yet); in this case the public key registration system acts as the signature assistance system, or assists the signature device in completing the digital signature generation with the aid of a signature assistance system. Or the signature device proves possession of the signature private key d_A corresponding to P_A to the public key registration system in another way; the following is one possible method and embodiment:
The signature device randomly selects an integer b in [1, n-1], uses c_A to compute s_{b1} = E(b(1+d_A)^{-1} (mod n)) by the homomorphic encryption operation, and sends s_{b1} to the public key registration system; the public key registration system randomly selects an integer t in [1, n-1], decrypts s_{b1} (itself acting as the signature assistance system, or with the aid of the signature assistance system) and computes T_2 = [(D(s_{b1}) t) mod n](G + P_A), where D(·) is the decryption operation of the additively homomorphic encryption algorithm corresponding to E(·), and sends T_2 to the signature device; the signature device computes T_1 = [b^{-1}]T_2, where b^{-1} is the modular-n multiplicative inverse of b, and sends T_1 to the public key registration system; the public key registration system checks whether T_1 is identical to [t]G; if identical, the proof passes, otherwise the proof fails.
For the SM2 digital signature generation method in which the signer controls the signature creation data, the invention gives four generation modes for P_A = [d_A]G and c_A = E((1+d_A)^{-1}); which of these four modes is chosen in a particular implementation depends on the particular implementation conditions and security requirements (the four are not implied to be all possible generation modes).
P_A, c_A generation mode one of the invention is suitable for the case where the signature device has a trusted computing or execution environment, for example a signature device (such as a mobile terminal) with a TEE (Trusted Execution Environment), or for occasions with low security requirements. In this case, the signature device implements a program component for generating the keys (public key and private key).
P_A, c_A generation mode two of the invention is suitable for the case where the signature device has no trusted computing or execution environment, a computing device other than the signature device is not in an environment of higher security risk (for example the user's own computer with security protection software installed), and the security requirements are not very high. In this case, a program component for generating the keys (public key and private key) is executed in a computing device other than the signature device.
P_A, c_A generation mode three of the invention is also suitable for the case where the signature device has no trusted computing or execution environment and a computing device other than the signature device is not in an environment of higher security risk (for example the user's own computer with security protection software installed), but the security requirements are relatively high. In this case, both the signature device and a computing device other than the signature device implement program components with the function of generating the corresponding keys (public key and private key).
For P_A, c_A generation modes one, two and three of the invention, either the encryption operation E(·) uses a public key of the homomorphic encryption algorithm of the signature assistance system, and the signature assistance system has the private key of the decryption operation corresponding to the public key used by the encryption operation E(·) of the homomorphic encryption algorithm (in this case the public key used for the homomorphic encryption operation is publicly known); or the encryption operation E(·) uses the public key of a public-private key pair (key pair) of the homomorphic encryption algorithm temporarily generated (by the entity performing the encryption operation E(·)), and the private key of the temporarily generated key pair of the homomorphic encryption algorithm is encrypted with the public key of the signature assistance system to form the ciphertext d_E of the encrypted private key (the public keys of the signature assistance system include common public keys such as RSA and SM2 public keys, and group public keys of group cryptographic algorithms).
P_A, c_A generation mode four of the invention is suitable for occasions with high security requirements where the signature device has no trusted computing or execution environment. In this case, a key cooperative generation system for cooperatively generating the SM2 signature private key and a program component for key generation in the signature device are required.
In P_A, c_A generation modes three and four of the invention, the signature device uses t_2 to compute c_A = E(d_1 d_2) as follows:
c_A = d_1 ⊙ t_2, or
(second formula given as an image in the original, not recoverable from the text)
The latter applies only when E(·) is the encryption operation of a fully homomorphic encryption algorithm.
For P_A, c_A generation mode four of the invention, either the encryption operation E(·) uses the public key of the homomorphic encryption algorithm of the signature assistance system, and the signature assistance system has the private key of the decryption operation corresponding to the public key used by the encryption operation E(·) (in this case the public key of the homomorphic encryption operation is publicly known); or the encryption operation E(·) uses the public key of a public-private key pair of the homomorphic encryption algorithm temporarily generated by the key cooperative generation system, and the private key of the temporarily generated key pair of the homomorphic encryption algorithm is encrypted with a key of the signature assistance system to form the ciphertext d_E of the encrypted private key, where the key of the signature assistance system comprises a symmetric key or a public key (public keys include common public keys such as RSA and SM2 public keys, and group public keys of group cryptographic algorithms).
For P_A, c_A generation mode four of the invention, the signature device, without exposing c_A and d_A, confirms by interacting with the key cooperative generation system that the plaintext c_{Am} corresponding to c_A satisfies d_1 d_2 ≡ (1+d_A)^{-1} (mod n) (i.e. c_{Am} is congruent modulo n to (1+d_A)^{-1} for some d_A) and that P_A is [d_A]G. For this, the signature device itself generates a random string and then signs and verifies it according to the SM2 digital signature generation method described above in which the signer controls the signature creation data (except for the cases b_1 = 1 and b_2 = 1, or b = 1, in which the key cooperative generation system may cheat), with the key cooperative generation system acting as the signature assistance system or with the aid of a signature assistance system; or another way is used, such as:
The signature device randomly selects integers b, q and t in [1, n-1], and uses b, q, c_A and t to compute s_{b1} = E(q c_{Am} + b (mod n)) and T_1 = [t](G + P_A), where c_{Am} is the plaintext corresponding to c_A, i.e. d_1 d_2; the signature device sends s_{b1} and T_1 to the key cooperative generation system; the key cooperative generation system, itself acting as a signature assistance system or with the aid of a signature assistance system, decrypts s_{b1} to obtain the plaintext s_{b2} = D(s_{b1}) mod n, computes T_2 = [s_{b2}]T_1 and returns T_2 to the signature device; the signature device computes T_3 = [t^{-1}]T_2, where t^{-1} is the modular-n multiplicative inverse of t, and checks whether T_3 and [q]G + [b](G + P_A) are identical; if identical, it is confirmed that d_1 d_2 ≡ (1+d_A)^{-1} (mod n) and that P_A is [d_A]G;
Alternatively,
The signature device randomly selects integers b and q in [1, n-1], and uses b, q and c_A to compute s_{b1} = E(q c_{Am} + b (mod n)), where c_{Am} is the plaintext corresponding to c_A, i.e. d_1 d_2; the signature device sends s_{b1} to the key cooperative generation system; the key cooperative generation system, itself acting as a signature assistance system or with the aid of a signature assistance system, decrypts s_{b1} to obtain the plaintext s_{b2} = D(s_{b1}) mod n, computes T_2 = [s_{b2}](G + P_A) and returns T_2 to the signature device; the signature device checks whether T_2 and [q]G + [b](G + P_A) are identical; if identical, it is confirmed that d_1 d_2 ≡ (1+d_A)^{-1} (mod n) and that P_A is [d_A]G.
In any of the four P_A, c_A generation modes given by the invention, the public-private key pair (key pair) of the encryption and decryption operations of the homomorphic encryption algorithm is either fixed or temporarily generated; for a temporarily generated key pair, the private key is encrypted either with a public key of the signature assistance device (applicable to P_A, c_A generation modes one, two, three and four) or with the symmetric key of the signature assistance device (applicable only to P_A, c_A generation mode four), which yields the ciphertext d_E of the private key of the decryption operation corresponding to the encryption operation E(·) of the homomorphic encryption algorithm. Such public keys of the signature assistance device include public keys of common public key cryptographic algorithms such as RSA, SM2 and SM9, and may also be public keys of group cryptographic algorithms.
Whether the key pair of the encryption and decryption operations of the homomorphic encryption algorithm is fixed or temporarily generated, and whether the temporarily generated private key is encrypted with the symmetric key or the public key of the signature assistance device, these options are equivalent from the perspective of obtaining the digital signature result and its security, with no great difference, but they suit different deployment and implementation requirements. For example, a fixed key pair, or a temporarily generated key pair whose private key is encrypted with the symmetric key of the signature assistance device, suits the case where the signature assistance system, the key cooperative generation system and the public key registration system are centrally deployed; a temporarily generated key pair whose private key is encrypted with the public key of the signature assistance device suits the case where the signature assistance system is deployed in a distributed manner, that is, signature assistance systems are deployed at different locations (as shown in fig. 2), and in that case it is better for the public key of the signature assistance device that encrypts the private key of the temporarily generated key pair to be a group public key, so that the signature assistance devices deployed at different locations can all assist in generating the digital signature.
Encryption with a group public key involves a group (set) encryption algorithm; so-called group (set) encryption means that data encrypted with a group (set) public key can be decrypted by any group (set) member using its own private key.
In the case of distributed deployment of the signature assistance systems, the public key authentication information is preferably sign-encrypted; in this case the public key used to encrypt the public key authentication information may be a common public key such as an RSA, SM2 or SM9 public key, or a group public key, and preferably (but not necessarily) a group public key is used, in which case each signature assistance system that is a member of the group can assist in generating the digital signature (note that being suitable for distributed deployment does not mean that distributed deployment is necessary).
Based on the SM2 digital signature generation method in which the signer controls the signature creation data, an SM2 digital signature generation system in which the signer controls the signature creation data can be constructed. The system comprises the signature device and the signature assistance system, where the signature device can be a device with computing power comprising software and hardware, such as a personal computer or a mobile terminal such as a mobile phone, and the signature assistance system is a dedicated system with high security and strong computing power. If the generation and use scheme of the public key authentication information of the invention is also implemented, the constructed system also comprises a public key registration system; if P_A, c_A generation mode four of the invention is implemented, the constructed system also comprises a key cooperative generation system. The signature device acts as the client in its interaction with the signature assistance system, the key cooperative generation system and the public key registration system; the signature assistance system, the key cooperative generation system and the public key registration system are systems providing the corresponding service functions and act as the server side in their interaction with the signature device. When a message M needs to be digitally signed using the user's SM2 signature private key d_A, the signature device and the signature assistance system generate a digital signature for the message M according to the SM2 digital signature generation method in which the signer controls the signature creation data.
Other specific technical implementations not described are well known to those skilled in the relevant art and will be apparent to those skilled in the relevant art.

Claims (15)

1. An SM2 digital signature generation method in which the signer controls the signature creation data, characterized in that:
the signature device has P_A = [d_A]G and the secret c_A = E((1+d_A)^{-1}), where d_A is the user's SM2 signature private key, G is the base point of the SM2 elliptic curve point group, P_A is the public key corresponding to the user's SM2 signature private key d_A, (1+d_A)^{-1} is the modular-n inverse of (1+d_A), n is the order of the base point G and is a prime number, and E(·) is the encryption operation of a homomorphic encryption algorithm;
the signature device is the computing device of the signer, namely the owner of the SM2 signature private key d_A; the homomorphic encryption algorithm is an additively homomorphic encryption algorithm or a fully homomorphic encryption algorithm; the signature assistance system has the private key of the decryption operation corresponding to the public key used by the encryption operation E(·) of the homomorphic encryption algorithm, or that private key is encrypted with a key of the signature assistance system, where the key of the signature assistance system comprises a symmetric key or a public key; the signature assistance system is a computing device or system that assists the signature device in completing the generation of the digital signature;
if the private key of the decryption operation corresponding to the public key used by the encryption operation E(·) of the homomorphic encryption algorithm is encrypted with the key of the signature assistance system, the signature device also has the ciphertext d_E of the private key of the decryption operation;
when the message M needs to be digitally signed using the user's SM2 signature private key d_A, the signature device and the signature assistance system generate the digital signature for the message M as follows:
the signature device calculates e from the message M, where e is the value used to calculate r = (e + x_1) mod n, r being a component of the digital signature and x_1 the abscissa of the elliptic curve point Q obtained by subsequent calculation;
the signature device sends e to the signature assistance system;
the signature device randomly selects an integer k_1 in the interval [1, n-1];
the signature assistance system randomly selects an integer k_2 in the interval [1, n-1];
without exposing their respective secrets k_1, k_2, the signature device and the signature assistance system complete the following calculation:
the signature device, while ensuring that the signature assistance system does not reselect k_2, obtains Q = [b_1 k_1 + b_2 k_2]G by interactive calculation with the signature assistance system, where b_1 is 1 or (1+d_A) and b_2 is 1 or (1+d_A), b_2 = 1 applies only when the homomorphic encryption algorithm corresponding to E(·) is a fully homomorphic encryption algorithm, and the values of b_1, b_2 select the calculation formula of Q;
the signature assistance system, while ensuring that the signature device does not reselect k_1, obtains Q_f = [b_1 k_1 + b_2 k_2]G by interactive calculation with the signature device;
the signature device and the signature assistance system respectively check whether Q and Q_f are the zero element; if Q and/or Q_f is the zero element, k_1, k_2 are reselected and Q, Q_f are recalculated until Q and Q_f are non-zero elements;
alternatively,
without exposing their respective secrets k_1, k_2, the signature device and the signature assistance system complete the following calculation:
the signature device, while ensuring that the signature assistance system does not reselect k_2, obtains Q = [b k_1 k_2]G by interactive calculation with the signature assistance system, where b is 1 or (1+d_A);
the signature assistance system, while ensuring that the signature device does not reselect k_1, obtains Q_f = [b k_1 k_2]G by interactive calculation with the signature device;
if b is 1, the way of calculating Q, Q_f according to Q = [b k_1 k_2]G, Q_f = [b k_1 k_2]G applies only when the homomorphic encryption algorithm corresponding to E(·) is a fully homomorphic encryption algorithm;
the signature device calculates r = (e + x_1) mod n, where x_1 is taken from (x_1, y_1) = Q;
the signature assistance system calculates r_f = (e + x_{1f}) mod n, where x_{1f} is taken from (x_{1f}, y_{1f}) = Q_f;
the signature device and the signature assistance system respectively check whether the case (s + r) mod n = 0 and/or (s + r_f) mod n = 0 occurs, where s is the parameter s in the digital signature (r, s) to be calculated; if so, k_1, k_2 are reselected, Q, Q_f are recalculated and r, r_f are recalculated until the case (s + r) mod n = 0 and/or (s + r_f) mod n = 0 no longer occurs; if (s + r) mod n and/or (s + r_f) mod n is not 0, the subsequent calculation is carried out;
the signature device calculates s_1 in one of the following ways:
s_1 calculation way one:
Q is calculated as Q = [b_1 k_1 + b_2 k_2]G with b_2 = (1+d_A);
the signature device uses r, c_A and k_1 to calculate, by the homomorphic encryption algorithm, s_1 = E(k_1 b_1 (1+d_A)^{-1} + r(1+d_A)^{-1} (mod n));
s_1 calculation way two:
Q is calculated as Q = [b_1 k_1 + b_2 k_2]G;
if b_2 is 1, the homomorphic encryption algorithm corresponding to E(·) is a fully homomorphic encryption algorithm;
the signature assistance system calculates c_2 = E(k_2) and sends c_2 to the signature device;
the signature device uses r, c_A, k_1 and c_2 to calculate, by the homomorphic encryption algorithm, s_1 = E(k_1 b_1 (1+d_A)^{-1} + k_2 b_2 (1+d_A)^{-1} + r(1+d_A)^{-1} (mod n));
s_1 calculation way three:
Q is calculated as Q = [b k_1 k_2]G;
if b is 1, the homomorphic encryption algorithm corresponding to E(·) is a fully homomorphic encryption algorithm;
the signature assistance system calculates c_2 = E(k_2) and sends c_2 to the signature device;
the signature device uses r, c_A, k_1 and c_2 to calculate, by the homomorphic encryption algorithm, s_1 = E(k_1 k_2 b (1+d_A)^{-1} + r(1+d_A)^{-1} (mod n));
after s_1 is obtained, the signature device sends s_1 and P_A to the signature assistance system;
if the private key of the decryption operation corresponding to the public key used by the encryption operation E(·) of the homomorphic encryption algorithm is encrypted with the key of the signature assistance system, the ciphertext of the private key being d_E, the signature device also sends d_E to the signature assistance system, and the signature assistance system decrypts d_E to obtain the private key of the decryption operation corresponding to the public key used by the encryption operation E(·) of the homomorphic encryption algorithm;
for s_1 calculation way one, the signature assistance system calculates s as follows:
the signature assistance system decrypts s_1 to obtain its plaintext s_{12}, calculates s_2 = (s_{12} + k_2) mod n and s = (s_2 - r_f) mod n, and returns s to the signature device; before returning s to the signature device, the signature assistance system verifies whether s_{12} is calculated using k_1, r_f and the private key d_A corresponding to the public key P_A, or verifies whether s_2 is calculated using k_1, k_2, r_f and the private key d_A corresponding to the public key P_A; if the verification fails, error processing is carried out;
for s_1 calculation ways two and three, the signature assistance system calculates s as follows:
the signature assistance system decrypts s_1 to obtain its plaintext s_{12}, calculates s_2 = s_{12} mod n and s = (s_2 - r_f) mod n, and returns s to the signature device; before returning s to the signature device, the signature assistance system verifies whether s_2 is calculated using k_1, k_2, r_f and the private key d_A corresponding to the public key P_A; if the verification fails, error processing is carried out;
the signature device verifies whether s is calculated, in the SM2 digital signature calculation manner, using k_1, k_2, r and the private key d_A corresponding to the public key P_A; if the verification passes, (r, s) is the digital signature of the message M, otherwise error processing is carried out;
in the above formulas of the encryption operation E(·) using the homomorphic encryption algorithm, a (mod n), where a is an integer, denotes an integer congruent with a modulo n;
before assisting the signature device in completing the generation of the digital signature, the signature assistance system first discriminates and confirms whether the user using the signature device, i.e. the signer, is the owner of the public key P_A;
the signature device, namely the computing device owned by the signer, is a device with computing capability comprising software and hardware; the signature device implements the digital signature calculation and generation steps, and thereby the SM2 digital signature function, through a cryptographic module and a cryptographic program implemented in the signature device.
2. The SM2 digital signature generation method for signer-controlled signature creation data according to claim 1, wherein:
the signature device and the signature assistance system, without exposing their own secrets k_1, k_2 and ensuring that the other party does not reselect k_1, k_2, obtain Q = [b_1 k_1 + b_2 k_2]G and Q_f = [b_1 k_1 + b_2 k_2]G by interactive calculation in the following way:
F(·) is defined as: F(1) = G, F(1+d_A) = (G + P_A);
the signature device calculates Q_1 = [k_1]F(b_1), where b_1 is 1 or (1+d_A), calculates the hash value h_1 of Q_1, and sends h_1 to the signature assistance system;
the signature assistance system calculates Q_2 = [k_2]F(b_2), where b_2 is 1 or (1+d_A), calculates the hash value h_2 of Q_2, and sends h_2 to the signature device;
after receiving h_2 from the signature assistance system, the signature device sends Q_1 to the signature assistance system;
after receiving h_1 from the signature device, the signature assistance system sends Q_2 to the signature device;
after receiving Q_2, the signature device calculates and checks whether the hash value of the received Q_2 is h_2; if not, error processing is carried out; if so, Q = Q_1 + Q_2 is calculated;
after receiving Q_1, the signature assistance system calculates and checks whether the hash value of the received Q_1 is h_1; if not, error processing is carried out; if so, Q_f = Q_1 + Q_2 is calculated.
3. The SM2 digital signature generation method for signer-controlled signature creation data according to claim 1, wherein:
the signature device and the signature assistance system, without exposing their own secrets k_1, k_2 and ensuring that the other party does not reselect k_1, k_2, obtain Q = [b k_1 k_2]G and Q_f = [b k_1 k_2]G by interactive calculation in the following way:
F(·) is defined as: F(1) = G, F(1+d_A) = (G + P_A);
b is 1 or (1+d_A);
the signature device calculates Q_1 = [k_1]F(b), calculates the hash value h_1 of Q_1, and sends h_1 to the signature assistance system;
the signature assistance system calculates Q_2 = [k_2]F(b), calculates the hash value h_2 of Q_2, and sends h_2 to the signature device;
after receiving h_2 from the signature assistance system, the signature device sends Q_1 to the signature assistance system;
after receiving h_1 from the signature device, the signature assistance system sends Q_2 to the signature device;
after receiving Q_2, the signature device calculates and checks whether the hash value of the received Q_2 is h_2; if not, error processing is carried out; if so, Q = [k_1]Q_2 is calculated;
after receiving Q_1, the signature assistance system calculates and checks whether the hash value of the received Q_1 is h_1; if not, error processing is carried out; if so, Q_f = [k_2]Q_1 is calculated.
4. The SM2 digital signature generation method for controlling signature creation data by a signer as set forth in claim 1, wherein:
one method by which the signature device and the signature assistance system check whether the case (s + r) mod n = 0 and/or (s + r_f) mod n = 0 occurs is as follows:
the signature device checks whether Q + [r]G is the zero element; if so, the case (s + r) mod n = 0 occurs, otherwise it does not;
the signature assistance system checks whether Q_f + [r_f]G is the zero element; if so, the case (s + r_f) mod n = 0 occurs, otherwise it does not.
5. The SM2 digital signature generation method for signer-controlled signature creation data according to claim 1, wherein:
one method by which the signature assistance system verifies whether s_{12} is calculated using k_1, r_f and the private key d_A corresponding to the public key P_A, or verifies whether s_2 is calculated using k_1, k_2, r_f and the private key d_A corresponding to the public key P_A, is as follows:
the signature assistance system checks whether Q_1 + [r_f]G and [(s_{12}) mod n](G + P_A) are equal; if equal, the verification passes, otherwise the verification fails;
alternatively,
the signature assistance system checks whether Q_f + [r_f]G and [s_2](G + P_A) are equal; if equal, the verification passes, otherwise the verification fails.
6. The SM2 digital signature generation method for signer-controlled signature creation data according to claim 1, wherein:
one method by which the signature device verifies whether s is calculated, in the SM2 digital signature calculation manner, using k_1, k_2, r and the private key d_A corresponding to the public key P_A, is as follows:
the signature device checks whether Q + [r]G and [(s + r) mod n](G + P_A) are equal; if equal, the verification passes, otherwise the verification fails.
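An added worked example, not code from the patent, covering both the registration-time proof of possession described above (the signature device sends s_{b1} = E(b(1+d_A)^{-1}), the registration system returns T_2, the device strips b and the result is checked against [t]G) and the signing protocol of claim 1 with Q = [b_1 k_1 + b_2 k_2]G, b_1 = 1, b_2 = (1+d_A), s_1 calculation way one, the hash commitment of claim 2 and the checks of claims 4 to 6. Assumptions: Paillier is the additively homomorphic E(·) (640-bit modulus, so a product of two values below n is never reduced before decryption), SHA-256 stands in for SM3 and Z_A is omitted, the signature assistance system holds the Paillier private key directly (no d_E), and both parties are played inside one function, so the commitment check is simulated.

```python
# Added demo (not the patent's code): Paillier stands in for E(.), SHA-256 for SM3, Z_A omitted.
import hashlib, random  # demo only; a real signer draws d_A, k1 from a CSPRNG (secrets)

# SM2 recommended curve parameters (GB/T 32918.5-2017)
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
O = None  # zero element (point at infinity)

def ec_add(p1, p2):
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return O
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # [k]pt by double-and-add
    acc, k = O, k % N
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def _is_prime(x, rounds=16):  # Miller-Rabin
    d, s = x - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for _ in range(rounds):
        y = pow(random.randrange(2, x - 1), d, x)
        if y in (1, x - 1): continue
        for _ in range(s - 1):
            y = y * y % x
            if y == x - 1: break
        else: return False
    return True

def _rand_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(c): return c

class Paillier:
    """E(a)*E(b) = E(a+b), E(a)^k = E(k*a) mod N^2; N (640 bits) > n^2, so sums are never reduced."""
    def __init__(self, bits=320):
        p, q = _rand_prime(bits), _rand_prime(bits)
        self.nn, self.n2, self.lam = p * q, (p * q) ** 2, (p - 1) * (q - 1)
        self.mu = pow(self.lam, -1, self.nn)
    def enc(self, m):
        r = random.randrange(1, self.nn)
        return pow(1 + self.nn, m, self.n2) * pow(r, self.nn, self.n2) % self.n2
    def dec(self, c):
        return (pow(c, self.lam, self.n2) - 1) // self.nn * self.mu % self.nn

def keygen(he):
    """P_A, c_A generation mode one: computed inside the signing device's trusted environment."""
    d_A = random.randrange(1, N - 1)
    return d_A, ec_mul(d_A, G), he.enc(pow(1 + d_A, -1, N))

def prove_possession(he, P_A, c_A):
    """Registration-time proof that c_A matches P_A: [b^-1][(D(s_b1) t) mod n](G+P_A) == [t]G."""
    b = random.randrange(1, N)                         # signing device
    s_b1 = pow(c_A, b, he.n2)                          # E(b(1+d_A)^-1); c_A's plaintext stays hidden
    t = random.randrange(1, N)                         # public key registration system
    T2 = ec_mul(he.dec(s_b1) * t % N, ec_add(G, P_A))  # = [b t]G if c_A and P_A match
    T1 = ec_mul(pow(b, -1, N), T2)                     # signing device strips b
    return T1 == ec_mul(t, G)                          # registration system's check

commit = lambda pt: hashlib.sha256(repr(pt).encode()).digest()

def cosign(he, P_A, c_A, e):
    """Claim 1 with Q = [k1]G + [k2](G+P_A) (b1 = 1, b2 = 1+d_A) and s_1 way one; e = H(M)."""
    GP = ec_add(G, P_A)                      # F(1+d_A) = G + P_A needs only the public key
    while True:
        k1, k2 = random.randrange(1, N), random.randrange(1, N)   # device share, system share
        Q1, Q2 = ec_mul(k1, G), ec_mul(k2, GP)
        h1, h2 = commit(Q1), commit(Q2)      # claim 2: hash commitments cross before the points,
        assert commit(Q1) == h1 and commit(Q2) == h2  # so neither side can reselect its k
        Q = ec_add(Q1, Q2)                   # device's Q and system's Q_f coincide
        if Q is O: continue
        r = (e + Q[0]) % N
        if r == 0 or ec_add(Q, ec_mul(r, G)) is O: continue   # claim 4: (s+r) mod n == 0
        # signing device: s_1 = E((k1 + r)(1+d_A)^-1) = c_A^(k1+r); d_A itself is never touched
        s1 = pow(c_A, (k1 + r) % N, he.n2)
        # assistance system: decrypt, check s_12 against Q1, r_f, P_A (claim 5), then derive s
        s12 = he.dec(s1) % N
        if ec_add(Q1, ec_mul(r, G)) != ec_mul(s12, GP): raise ValueError("bad s_12")
        s = (s12 + k2 - r) % N
        # signing device: accept only if Q + [r]G == [(s+r) mod n](G+P_A) (claim 6)
        if ec_add(Q, ec_mul(r, G)) != ec_mul((s + r) % N, GP): raise ValueError("bad s")
        return r, s

def sm2_verify(P_A, e, r, s):  # plain SM2 verification; a co-signed (r, s) must pass unchanged
    if not (0 < r < N and 0 < s < N) or (r + s) % N == 0: return False
    X = ec_add(ec_mul(s, G), ec_mul((r + s) % N, P_A))
    return X is not O and (e + X[0]) % N == r
```

The returned (r, s) is verified by ordinary SM2 verification with P_A alone, which is the point of the scheme: the assistance system never learns d_A or the plaintext of c_A, and the device never handles d_A during signing.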
7. The SM2 digital signature generation method for signer-controlled signature creation data according to claim 1, wherein:
the signature assistance system maintains a blacklist of public keys, and for a public key P_A appearing on the blacklist the signature assistance system does not assist in generating a digital signature with the corresponding private key.
8. The SM2 digital signature generation method for signer-controlled signature creation data according to claim 1, wherein:
one method by which the signature assistance system discriminates and confirms whether the user using the signature device, i.e. the signer, is the owner of the public key P_A is as follows:
after the public key P_A is generated, public key authentication information is formed by combining data containing the public key P_A and the identity authentication information of the user; the public key authentication information is encrypted with a symmetric key of the signature assistance system using a symmetric key cryptographic algorithm to obtain encrypted public key authentication information, or the public key authentication information is sign-encrypted using a public key cryptographic algorithm to obtain sign-encrypted public key authentication information, where sign-encryption comprises signing first and then encrypting, or encrypting first and then signing, the signing uses the private key of the public key registration system, and the encryption uses the public key of the signature assistance system; the public key authentication information encrypted with the symmetric key and the public key authentication information sign-encrypted with the public key cryptographic algorithm are collectively referred to as encrypted public key authentication information; the encrypted public key authentication information is stored in the signature device; the public key registration system is a system that performs registration management of user public keys;
when the signature assistance system needs to discriminate and confirm whether the user using the signature device, i.e. the signer, is the owner of the public key P_A, the signature device submits the encrypted public key authentication information to the signature assistance system;
the signature assistance system decrypts the encrypted public key authentication information to obtain the plaintext of the public key authentication information, where for sign-encrypted public key authentication information the signature assistance system must verify the validity of the digital signature and continues only after the verification passes;
the signature assistance system checks whether the public key P_A contained in the decrypted public key authentication information is the public key P_A currently used for digital signature generation; if not, error processing is carried out; if so, the operation continues;
the signature assistance system obtains the user identity authentication information from the decrypted public key authentication information and then uses it to authenticate the user of the signature device, i.e. the signer; if the user identity authentication passes, the user using the signature device, i.e. the signer, is confirmed to be the owner of the public key P_A, otherwise the discrimination and confirmation fails.
9. The SM2 digital signature generation method for signer-controlled signature creation data according to claim 8, wherein:
one method of generating the symmetrically encrypted public key authentication information or the signed-and-encrypted public key authentication information is as follows:
after P_A and c_A have been generated, the signature device submits P_A to the public key registration system and applies to register P_A;
the public key registration system checks whether P_A has already been registered; if it has, it reports that P_A is already registered; if not, it continues the registration;
the signature device proves to the public key registration system, without exposing its own secret, that it possesses the signature private key d_A corresponding to P_A; if the proof succeeds, the subsequent operations are carried out, otherwise error handling is performed;
the signature device submits the identity authentication information used for user identity authentication to the public key registration system; the public key registration system then either uses the symmetric key of the signature auxiliary system and a symmetric-key cryptographic algorithm to encrypt the public key authentication information containing P_A and the user identity authentication information, forming the encrypted public key authentication information; or signs the public key authentication information containing P_A and the user identity authentication information with the private key of the public key registration system and then encrypts the signed public key authentication information with the public key of the signature auxiliary system, obtaining sign-then-encrypt public key authentication information; or encrypts the public key authentication information containing P_A and the user identity authentication information with the public key of the signature auxiliary system and then signs the encrypted public key authentication information with the private key of the public key registration system, obtaining encrypt-then-sign public key authentication information.
10. The SM2 digital signature generation method for signer-controlled signature creation data according to claim 9, wherein:
one method by which the signature device updates the encrypted public key authentication information is as follows:
the signature device submits the encrypted public key authentication information to the public key registration system, which decrypts it; if the encrypted public key authentication information is signed-and-encrypted public key authentication information, the public key registration system also verifies the validity of the digital signature it contains, and continues only after the verification passes;
the public key registration system authenticates the user of the signature device using the user identity authentication information in the decrypted public key authentication information; if the authentication fails, error handling is performed; if it passes, the operation continues;
the signature device proves to the public key registration system, without exposing its own secret, that it possesses the signature private key d_A corresponding to P_A;
after the signature device has proved to the public key registration system that it possesses the signature private key d_A corresponding to P_A, the signature device and the public key registration system generate new encrypted public key authentication information in the same way as the encrypted public key authentication information was generated when P_A was registered, the new encrypted public key authentication information being either symmetrically encrypted public key authentication information or signed-and-encrypted public key authentication information.
11. The SM2 digital signature generation method for signer-controlled signature creation data according to claim 9, wherein:
if the user identity authentication information in the public key authentication information is a password, the public key registration system encrypts, or signs and encrypts, the public key authentication information only after confirming that the password meets the security requirements.
12. The SM2 digital signature generation method for signer-controlled signature creation data according to claim 9, wherein:
if the user identity authentication information in the public key authentication information is a password and the public key authentication information also contains the user's electronic communication address, the public key registration system provides the user with a function for resetting or recovering the password in the public key authentication information via the electronic communication address contained in the public key authentication information.
13. The SM2 digital signature generation method for signer-controlled signature generation data according to any one of claims 1 to 12, wherein:
the ways of generating P_A = [d_A]G and c_A = E((1+d_A)^{-1}) include:
generation mode one of P_A and c_A:
the signature device generates d_A, computes P_A = [d_A]G and c_A = E((1+d_A)^{-1}), and then destroys d_A;
generation mode two of P_A and c_A:
a computing device other than the signature device generates d_A, computes P_A = [d_A]G and c_A = E((1+d_A)^{-1}), destroys d_A, exports P_A and c_A, and then imports P_A and c_A into the signature device;
generation mode three of P_A and c_A:
a computing device other than the signature device randomly selects an integer d_2 in [1, n-1], computes G_2 = [(d_2)^{-1}]G and t_2 = E(d_2), where (d_2)^{-1} is the inverse of d_2 modulo n, then destroys d_2, exports G_2 and t_2, and imports G_2 and t_2 into the signature device;
the signature device randomly selects an integer d_1 in [1, n-1], computes P_A = [(d_1)^{-1}]G_2 - G, and uses t_2 to compute c_A = E(d_1 d_2), where (d_1)^{-1} is the inverse of d_1 modulo n; it then destroys d_1, G_2 and t_2; it then holds that d_1 d_2 ≡ (1+d_A)^{-1} (mod n) and P_A = [d_A]G;
for generation modes one, two and three of P_A and c_A above, the encryption operation E(·) uses either the public key of the homomorphic encryption algorithm of the signature auxiliary system, in which case the signature auxiliary system holds the private key for the decryption operation corresponding to the public key used by E(·), or the public key of a temporarily generated homomorphic-encryption public/private key pair, in which case the private key of the temporarily generated key pair is encrypted with the public key of the signature auxiliary system to form the encrypted private key ciphertext d_E;
generation mode four of P_A and c_A:
the user of the SM2 signature private key uses the signature device to interact with the key cooperative generation system and, using a homomorphic encryption algorithm, cooperatively computes P_A = [d_A]G and c_A = E((1+d_A)^{-1}) without either party exposing its own secret, after which the secrets used in the computation are destroyed;
the key cooperative generation system is a system that provides a cooperative generation service for SM2 public/private key pairs;
for generation mode four of P_A and c_A above, the encryption operation E(·) uses either the public key of the homomorphic encryption algorithm of the signature auxiliary system, in which case the signature auxiliary system holds the private key for the decryption operation corresponding to the public key used by E(·), or the public key of a homomorphic-encryption public/private key pair temporarily generated by the key cooperative generation system, in which case the private key of the temporarily generated key pair is encrypted with a key of the signature auxiliary system to form the encrypted private key ciphertext d_E, where the key of the signature auxiliary system is a symmetric key or a public key.
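Why generation mode three (and mode four, which performs the same arithmetic) yields d_1 d_2 ≡ (1+d_A)^{-1} (mod n): the derivation below is added here in the claim's own symbols and is not part of the patent text.

\[
[(d_1)^{-1}]G_2 = [(d_1)^{-1}]\,[(d_2)^{-1}]G = [(d_1 d_2)^{-1}]G,
\qquad
P_A = [(d_1 d_2)^{-1}]G - G = [(d_1 d_2)^{-1} - 1]G .
\]

Setting \(d_A \equiv (d_1 d_2)^{-1} - 1 \pmod n\) gives \(P_A = [d_A]G\) and \(1 + d_A \equiv (d_1 d_2)^{-1} \pmod n\), that is

\[
d_1 d_2 \equiv (1 + d_A)^{-1} \pmod n .
\]

For \(c_A\) the signature device holds only \(t_2 = E(d_2)\); scaling the plaintext by \(d_1\) under the homomorphism gives \(c_A = E(d_1 d_2)\), so the device never learns \(d_2\), the other party never learns \(d_1\), and \(d_A\) itself is computed by neither party. The holder of the decryption key recovers \(d_1 d_2\) (reduced modulo \(n\) if the scheme's plaintext space is larger than \(n\)) and so obtains \((1 + d_A)^{-1}\).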
14. The SM2 digital signature generation method for signer-controlled signature creation data according to claim 13, wherein:
for generation mode four of P_A and c_A above, one way in which the user of the SM2 signature private key uses the signature device to interact with the key cooperative generation system and cooperatively computes P_A = [d_A]G and c_A = E((1+d_A)^{-1}) using a homomorphic encryption algorithm, without either party exposing its own secret, is as follows:
the user of the SM2 signature private key uses the signature device to send an SM2 key pair cooperative generation request to the key cooperative generation system;
the key cooperative generation system randomly selects an integer d_2 in [1, n-1], computes G_2 = [(d_2)^{-1}]G and t_2 = E(d_2), where (d_2)^{-1} is the inverse of d_2 modulo n, then destroys d_2 and sends G_2 and t_2 to the signature device; the public key used for the encryption operation t_2 = E(d_2) is either the public key of the homomorphic encryption algorithm of the signature auxiliary system or the public key of a homomorphic-encryption public/private key pair temporarily generated by the key cooperative generation system; in the latter case the key cooperative generation system encrypts the private key of the temporarily generated key pair with a key of the signature auxiliary system to form the encrypted private key ciphertext d_E and sends d_E to the signature device together with G_2 and t_2, where the key of the signature auxiliary system is a symmetric key or a public key;
the signature device randomly selects an integer d_1 in [1, n-1], computes P_A = [(d_1)^{-1}]G_2 - G, and uses t_2 to compute c_A = E(d_1 d_2), where (d_1)^{-1} is the inverse of d_1 modulo n; it then destroys d_1, G_2 and t_2;
without exposing c_A or d_A, the signature device verifies, by interacting with the key cooperative generation system, that the plaintext c_Am corresponding to c_A satisfies d_1 d_2 ≡ (1+d_A)^{-1} (mod n) and that P_A is [d_A]G; if the verification passes, then d_1 d_2 ≡ (1+d_A)^{-1} (mod n) and P_A = [d_A]G hold; otherwise error handling is performed.
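Generation modes three and four of claim 13 and the cooperative procedure of claim 14 share one set of steps. The following Python example is added here and is not code from the patent: it runs both sides on the SM2 curve and realises E(·) with Paillier, which is an assumption (the claims say only "homomorphic encryption algorithm"; Paillier provides the ciphertext-by-scalar multiplication the signature device needs to turn t_2 = E(d_2) into c_A = E(d_1 d_2)). The closing check decrypts c_A with the Paillier private key, which in the claims would sit with the signature auxiliary system; the interactive check of claim 14 that avoids exposing c_A is not described on the page and is not reproduced. The curve constants are the GB/T 32918 recommended parameters, and all function names are the example's own.

```python
import secrets

# Assumed parameters: SM2 recommended curve (GB/T 32918); E(.) realised as Paillier.
P = int("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF", 16)
A = P - 3
N = int("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123", 16)
G = (int("32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7", 16),
     int("BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0", 16))
NEG_G = (G[0], (-G[1]) % P)

def ec_add(p1, p2):
    """Affine point addition on the SM2 curve; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """[k]pt by double-and-add (illustration only: not constant time)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def is_probable_prime(x, rounds=20):
    d, s = x - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                      # Miller-Rabin with random witnesses
        y = pow(secrets.randbelow(x - 3) + 2, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(s - 1):
            y = y * y % x
            if y == x - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def paillier_keygen(bits=320):   # modulus > 2^512, so the integer d1*d2 (< n^2) never wraps
    p, q = gen_prime(bits), gen_prime(bits)
    while q == p:
        q = gen_prime(bits)
    modulus, lam = p * q, (p - 1) * (q - 1)
    return modulus, (modulus, lam, pow(lam, -1, modulus))   # (public key, private key)

def paillier_encrypt(modulus, m):
    m2 = modulus * modulus
    r = secrets.randbelow(modulus - 1) + 1
    return pow(modulus + 1, m, m2) * pow(r, modulus, m2) % m2

def paillier_decrypt(sk, c):
    modulus, lam, mu = sk
    m2 = modulus * modulus
    return (pow(c, lam, m2) - 1) // modulus * mu % modulus

def paillier_scalar_mul(modulus, c, k):
    return pow(c, k, modulus * modulus)           # E(m)^k = E(k*m)

def other_party_step(he_pk):
    """Mode three 'other computing device' or mode four key cooperative generation system."""
    d2 = secrets.randbelow(N - 1) + 1
    G2 = ec_mul(pow(d2, -1, N), G)                # G2 = [(d2)^-1]G
    t2 = paillier_encrypt(he_pk, d2)              # t2 = E(d2)
    del d2                                        # d2 is destroyed; only G2, t2 leave
    return G2, t2

def signature_device_step(he_pk, G2, t2):
    d1 = secrets.randbelow(N - 1) + 1
    PA = ec_add(ec_mul(pow(d1, -1, N), G2), NEG_G)   # PA = [(d1)^-1]G2 - G
    cA = paillier_scalar_mul(he_pk, t2, d1)          # cA = E(d1*d2) without learning d2
    del d1                                           # d1, G2, t2 are destroyed
    return PA, cA

def generate_key_material():
    he_pk, he_sk = paillier_keygen()
    G2, t2 = other_party_step(he_pk)
    PA, cA = signature_device_step(he_pk, G2, t2)
    return he_sk, PA, cA                          # he_sk: signature auxiliary system's key

def check_key_material(he_sk, PA, cA):
    """Decryptor-side check: plaintext of cA is (1+dA)^-1 mod n and PA = [dA]G."""
    s = paillier_decrypt(he_sk, cA) % N           # d1*d2 mod n
    dA = (pow(s, -1, N) - 1) % N                  # 1 + dA = s^-1
    return ec_mul(dA, G) == PA and s * (1 + dA) % N == 1
```

Run `generate_key_material()` and pass its result to `check_key_material()`; the check recomputes d_A only on the decryptor's side, which is the one party the claims allow to hold the homomorphic private key. A Paillier modulus of at least 2·256 + 1 bits is deliberate: the device multiplies ciphertext plaintexts as integers, so the product d_1 d_2 must fit before the decryptor reduces it modulo n.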
15. An SM2 digital signature generation system for signer-controlled signature creation data, based on the SM2 digital signature generation method for signer-controlled signature creation data of any one of claims 1 to 12, wherein:
the system comprises the signature device and the signature auxiliary system; when a message M needs to be digitally signed with the user's SM2 signature private key d_A, the signature device and the signature auxiliary system generate the digital signature of the message M according to the SM2 digital signature generation method in which the signer controls the signature creation data.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210577362.1A CN114978549B (en) 2022-05-25 2022-05-25 SM2 digital signature generation method and system for signer to control signature making data

Publications (2)

Publication Number Publication Date
CN114978549A true CN114978549A (en) 2022-08-30
CN114978549B CN114978549B (en) 2024-03-22

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160344557A1 (en) * 2015-05-06 2016-11-24 Morpho Method for generating a message signature from a signature token encrypted by means of a homomorphic encryption function
CN106712942A (en) * 2017-01-10 2017-05-24 武汉理工大学 SM2 digital signature generation method and system based on secret sharing
CN106850198A (en) * 2017-01-16 2017-06-13 武汉理工大学 SM2 digital signature generation method and system based on the collaboration of many devices
CN107872322A (en) * 2017-11-02 2018-04-03 武汉理工大学 Digital signature collaboration generation method and system based on homomorphic cryptography
CN110971411A (en) * 2019-12-02 2020-04-07 南京壹证通信息科技有限公司 SM2 homomorphic signature method for encrypting private key by multiplying based on SOTP technology

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Deng Gaoyu; Long Yihong: "SM2 mobile cryptographic system based on an iOS terminal" (基于iOS终端的SM2移动密码系统), 软件 (Software), no. 02, 15 February 2018 (2018-02-15), pages 28-31 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230628

Address after: Room 401a, building 4, yard 7, Shangdi 8th Street, Haidian District, Beijing 100085

Applicant after: ITRUSCHINA CO.,LTD.

Address before: 430070 Hubei Province, Wuhan city Hongshan District Luoshi Road No. 122

Applicant before: WUHAN University OF TECHNOLOGY

GR01 Patent grant