CN115549904A - Key generation method, related method, computer device and storage medium - Google Patents


Publication number
CN115549904A
Authority
CN
China
Prior art keywords
key
user
private key
communication party
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211241724.6A
Other languages
Chinese (zh)
Inventor
封维端
袁峰
张立圆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Wuzitianshu Technology Co ltd
Original Assignee
Beijing Wuzitianshu Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Wuzitianshu Technology Co ltd
Priority to CN202211241724.6A
Publication of CN115549904A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Abstract

The invention provides a key generation method, together with a related method, a computer device and a storage medium. The key generation method comprises the following steps: 1. generating system parameters; 2. based on the system parameters, the first communication party and the second communication party work cooperatively to generate a user signature private key $ds_A$ and a user signature master public key $P_{pubsA}$, and the user encryption private key $de_A$ is encrypted and issued. The invention enables the two communication parties to cooperatively generate the signature key and calculate the digital signature, so that a mobile terminal user can securely store and use the user signature key without hardware devices such as a USBKey. The invention solves the problem of secure storage and use management of the SM9 user signature private key by a mobile terminal in environments such as cloud computing and the mobile internet under the dual-KGC condition.

Description

Key generation method, related method, computer device and storage medium
Technical Field
The invention belongs to the technical field of data security, and particularly relates to a key generation method of a signature key of an SM9 user, a related method, computer equipment and a storage medium.
Background
The SM9 identity cipher algorithm is an identity-based cipher algorithm released by the national cipher authority in 2016. The SM9 identification cryptographic algorithm uses a user identification as a public key of a user signature, and a user private key is generated by a Key Generation Center (KGC) according to the user identification and a master private key generated by the KGC. Because the user identifier is used as the user signature Public Key, compared with the traditional Public Key Infrastructure (PKI) system based on the certificate, the SM9 identifier cryptographic algorithm is simplified to a certain extent in the certificate management link.
The SM9 identification cryptographic algorithm includes digital signature, key exchange, key encapsulation, and encryption and decryption algorithms. The user signature key is generated by the KGC according to the user identifier and the signature master private key of the KGC, so the KGC is responsible for generating the user signature keys of the whole system. The problem with this technique is that the user cannot control the generation of the user signature key, which in turn affects the security of the user signature key.
Using dual KGCs lets the user control the generation of the user signature key and solves the problem that, under a single KGC, the KGC holds the signature keys of all users. However, in a cloud environment or a mobile internet environment, a user still needs hardware devices such as a USBKey to securely store and use the user signature key on a mobile device, which is inconvenient for the user.
Disclosure of Invention
In order to solve the above problem, the present invention provides a key generation method.
The key generation method provided by the invention comprises the following steps:
1. generating system parameters;
2. based on the system parameters, a first communication party and a second communication party work cooperatively to generate a user signature private key $ds_A$ and a user signature master public key, and the user encryption private key $de_A$ is encrypted and issued.
Further, in the present invention, it is preferable that,
the first step comprises the following steps:
S1, a first key generation center $KGC_1$ generates a first system parameter, and a second key generation center $KGC_2$ generates a second system parameter,
wherein,
the first system parameter comprises a first signature master private key $ks_1$, a first signature master public key $P_{pubs1}$, a first encryption master private key $ke_1$ and a first encryption master public key $P_{pube1}$.
The first signature master private key $ks_1$ is a random integer with $ks_1 \in [1, N-1]$, where N is a prime number; letting the order of group $G_2$ be N, the first signature master public key $P_{pubs1}$ is an element of group $G_2$ and satisfies
$P_{pubs1} = [ks_1] \times P_2$ (1),
The first encryption master private key $ke_1$ is a random integer with $ke_1 \in [1, N-1]$; letting the order of group $G_1$ be N, the first encryption master public key $P_{pube1}$ is an element of group $G_1$ and satisfies
$P_{pube1} = [ke_1] \times P_1$ (2),
In formulae (1) and (2), $P_1$ is a generator of group $G_1$ and $P_2$ is a generator of group $G_2$; the square brackets [ ] denote the point-multiplication operation on the elliptic curve, and in the following formulae the square brackets [ ] have the same meaning as in formula (1),
the second system parameter comprises a second signature master private key $ks_2$ and a second signature master public key $P_{pubs2}$; the second signature master private key $ks_2$ is a random integer with $ks_2 \in [1, N-1]$ and satisfies
$P_{pubs2} = [ks_2] \times P_2$ (3);
S2, the first key generation center $KGC_1$ and the second key generation center $KGC_2$ each calculate a public master key $P_{pubs}$,
wherein
the first key generation center $KGC_1$ calculates $P_{pubs} = [ks_1] \times P_{pubs2}$,
the second key generation center $KGC_2$ calculates $P_{pubs} = [ks_2] \times P_{pubs1}$;
S3, a public parameter $\alpha$ is selected, the public parameter $\alpha$ being a quadratic non-residue modulo N;
S4, the first signature master public key $P_{pubs1}$, the first encryption master public key $P_{pube1}$, the second signature master public key $P_{pubs2}$, the public master key $P_{pubs}$ and the public parameter $\alpha$ are published,
the second step comprises the following steps: calculating
$h_1 = H_1(ID_A \| hid, N)$
where $H_1(ID_A \| hid, N)$ is a first cryptographic function, $ID_A$ is the user identification, $\|$ denotes concatenation of byte strings, and hid is a function identifier,
if $h_1$ is a square element modulo N, method AA is used to generate a first partial user signature private key $ds_{A1}$, a second partial user signature private key $ds_{A2}$ and a first user signature master public key $P_{pubsA}$, and to encrypt and issue the user encryption private key $de_A$, the user encryption private key $de_A$ being split into a first partial user encryption private key $de_{A1}$ and a second partial user encryption private key $de_{A2}$; the first user signature master public key $P_{pubsA}$ is the user signature master public key;
if $h_1$ is not a square element modulo N, method BB is used to generate a third partial user signature private key $ds_{AA1}$, a fourth partial user signature private key $ds_{AA2}$ and a second user signature master public key $P_{pubsAA}$, and to encrypt and issue the user encryption private key $de_A$, the user encryption private key $de_A$ being split into a third partial user encryption private key $de_{AA1}$ and a fourth partial user encryption private key $de_{AA2}$; the second user signature master public key $P_{pubsAA}$ is the user signature master public key.
Further, in the present invention,
in said method AA, $h_1$ is a square element modulo N, i.e. $h_1 \equiv h^2 \pmod N$, where $\equiv$ denotes congruence, x mod y denotes the remainder of x modulo y, and h is the larger of the two square roots of $h^2$; method AA comprises the following steps:
A1, the first communication party sends a cooperative key generation application to the second communication party;
A2, the second communication party generates a 256-bit first random number $ds_{A2}$, $ds_{A2} \in [1, N-1]$, calculates first data $P'_1$ by $P'_1 = [(ds_{A2})^{-1} \bmod N] \times P_1$, and sends the first data $P'_1$ to the first communication party; the second communication party stores the first random number $ds_{A2}$ as the second partial user signature private key of the second communication party;
A3, the first communication party generates a 256-bit second random number $r_A$, $r_A \in [1, N-1]$, calculates second data Q by $Q = [r_A] \times P'_1$, and sends the first data $P'_1$, the second data Q and the user identification $ID_A$ to the first key generation center $KGC_1$;
A4, after receiving the first data $P'_1$, the second data Q and the user identification $ID_A$, the first key generation center $KGC_1$ calculates first user signature key generation data and the user encryption private key $de_A$, the first user signature key generation data comprising s and T;
A5, the first communication party sends T of the first user signature key generation data to the second key generation center $KGC_2$, and the second key generation center $KGC_2$ calculates R by
$R = [(h + ks_2)^{-1} \bmod N] \times T$
and sends R to the first communication party;
A6, the first communication party calculates, by
$ds_{A1} = P'_1 - [(r_A^{-1} \times h_1 \times s) \bmod N] \times R$
the first partial user signature private key $ds_{A1}$ of the first communication party;
A7, the first communication party and the second communication party each calculate, by
$P_{pubsA} = [h] \times (P_{pubs1} + P_{pubs2}) + P_{pubs}$
the first user signature master public key $P_{pubsA}$, the first user signature master public key $P_{pubsA}$ being the user signature master public key;
A8, the first communication party randomly generates a second random integer $d_1 \in [1, N-1]$, calculates $D_1 = [d_1] \times P_2$ and $de_{A1} = D_1 + N_{deA}$, then sends the first private key coordinate encrypted data E and $D_1$ to the second communication party, and stores $de_{A1}$ as the first partial user encryption private key of the first communication party;
A9, the second communication party calculates S' by
$S' = [(ds_{A2})^{-1} \bmod N] \times P_{pube1}$
and, letting the coordinates of S' be $(x_{S'}, y_{S'})$, converts $x_{S'}$ and $y_{S'}$ to byte strings and computes $k' = KDF(x_{S'} \| y_{S'}, 128)$, where KDF is a key derivation function and k' is a 128-bit byte string;
A10, the second communication party decrypts the first private key coordinate encrypted data E to obtain a byte string: $x_{de'A} \| y_{de'A} = SM4\_DEC(k', E)$, and converts the byte string $x_{de'A} \| y_{de'A}$ to field elements to obtain the noised first user encryption private key $de'_A$, where $SM4\_DEC(k', E)$ denotes decrypting the ciphertext E with the SM4 decryption algorithm and the 128-bit key k' and outputting the plaintext;
A11, the second communication party calculates, by
$de_{A2} = de'_A - D_1$
the second partial user encryption private key $de_{A2}$ of the second communication party, and stores it.
Further, in the present invention,
in the step A4, the calculating includes the steps of:
A41, the first key generation center $KGC_1$ generates a 256-bit first random integer r, $r \in [1, N-1]$, and calculates the first user signature key generation data s and T by
$s = (r \times (h + ks_1)^{-1}) \bmod N$
and $T = [r^{-1} \bmod N] \times Q$;
A42, the first key generation center $KGC_1$ uses the first encryption master private key $ke_1$ and the user identification $ID_A$ to calculate the user encryption private key $de_A$ by
$t_1 = H_1(ID_A \| hid, N) + ke_1$,
$t_2 = (ke_1 \times t_1^{-1}) \bmod N$,
$de_A = [t_2] \times P_2$;
A43, the first key generation center $KGC_1$ generates a first random point $N_{deA}$ on $G_2$, where $N_{deA}$ is not equal to the user encryption private key $de_A$, and calculates the noised first user encryption private key $de'_A$:
$de'_A = de_A - N_{deA}$;
A44, the first key generation center $KGC_1$ calculates $S = [ke_1] \times P'_1$ and, letting the coordinates of S be $(x_S, y_S)$, converts $x_S$ and $y_S$ to byte strings and computes $k = KDF(x_S \| y_S, 128)$, where KDF is the key derivation function and k is a 128-bit byte string;
A45, letting the coordinates of the noised first user encryption private key $de'_A$ be $(x_{de'A}, y_{de'A})$, the first key generation center $KGC_1$ converts $x_{de'A}$ and $y_{de'A}$ into a first coordinate byte string and encrypts the first coordinate byte string to obtain the first private key coordinate encrypted data E:
$E = SM4\_ENC(k, x_{de'A} \| y_{de'A})$,
where $SM4\_ENC(k, x_{de'A} \| y_{de'A})$ denotes encrypting the plaintext $x_{de'A} \| y_{de'A}$ with the SM4 encryption algorithm and the 128-bit key k and outputting the ciphertext;
A46, the first key generation center $KGC_1$ sends the first user signature key generation data s and T, the first private key coordinate encrypted data E and the first random point $N_{deA}$ to the first communication party,
the first partial user signature private key $ds_{A1}$ and the second partial user signature private key $ds_{A2}$ satisfy the relation:
$[ds_{A2}] \times ds_{A1} = ds_A$
the first partial user encryption private key $de_{A1}$ and the second partial user encryption private key $de_{A2}$ satisfy the relation:
$de_A = de_{A1} + de_{A2}$
further, in the present invention,
in said method BB, $h_1$ is a non-square element modulo N, so $\alpha h_1$ is a square element modulo N, i.e. $\alpha h_1 \equiv (hh)^2 \pmod N$, and hh is the larger of the two square roots of $(hh)^2$; method BB comprises the following steps:
B1, the first communication party sends a cooperative key generation application to the second communication party;
B2, the second communication party generates a 256-bit third random number $ds_{AA2}$, $ds_{AA2} \in [1, N-1]$, calculates third data $PP'_1$ by $PP'_1 = [(ds_{AA2})^{-1} \bmod N] \times P_1$, and sends the third data $PP'_1$ to the first communication party; the second communication party stores the third random number $ds_{AA2}$ as the fourth partial user signature private key of the second communication party;
B3, the first communication party generates a 256-bit fourth random number $rr_A$, $rr_A \in [1, N-1]$, calculates fourth data QQ by $QQ = [rr_A] \times PP'_1$, and sends the third data $PP'_1$, the fourth data QQ and the user identification $ID_A$ to the first key generation center $KGC_1$;
B4, after receiving the third data $PP'_1$, the fourth data QQ and the user identification $ID_A$, the first key generation center $KGC_1$ calculates second user signature key generation data and the user encryption private key $de_A$, the second user signature key generation data comprising ss and TT;
B5, the first communication party sends TT of the second user signature key generation data to the second key generation center $KGC_2$, and the second key generation center $KGC_2$ calculates RR by
$RR = [(hh + ks_2)^{-1} \bmod N] \times TT$
and sends RR to the first communication party;
B6, the first communication party calculates, by
$ds_{AA1} = PP'_1 - [(rr_A^{-1} \times h_1 \times \alpha \times ss) \bmod N] \times RR$
the third partial user signature private key $ds_{AA1}$ of the first communication party;
B7, the first communication party and the second communication party each calculate, by
$P_{pubsAA} = [\alpha^{-1} \bmod N] \times ([hh] \times (P_{pubs1} + P_{pubs2}) + P_{pubs})$
the second user signature master public key $P_{pubsAA}$, the second user signature master public key $P_{pubsAA}$ being the user signature master public key;
B8, the first communication party generates a fourth random integer $dd_1 \in [1, N-1]$, calculates $DD_1 = [dd_1] \times P_2$ and $de_{AA1} = DD_1 + NN_{deA}$, then sends the second private key coordinate encrypted data EE and $DD_1$ to the second communication party, and stores $de_{AA1}$ as the third partial user encryption private key of the first communication party;
B9, the second communication party calculates SS' by
$SS' = [(ds_{AA2})^{-1} \bmod N] \times P_{pube1}$
and, letting the coordinates of SS' be $(x_{SS'}, y_{SS'})$, converts $x_{SS'}$ and $y_{SS'}$ to byte strings and computes $kk' = KDF(x_{SS'} \| y_{SS'}, 128)$, where KDF is a key derivation function and kk' is a 128-bit byte string;
B10, the second communication party decrypts the second private key coordinate encrypted data EE to obtain a byte string: $x_{de'AA} \| y_{de'AA} = SM4\_DEC(kk', EE)$, and converts the byte string $x_{de'AA} \| y_{de'AA}$ to field elements to obtain the noised second user encryption private key $de'_{AA}$, where $SM4\_DEC(kk', EE)$ denotes decrypting the ciphertext EE with the SM4 decryption algorithm and the 128-bit key kk' and outputting the plaintext;
B11, the second communication party calculates, by
$de_{AA2} = de'_{AA} - DD_1$
the fourth partial user encryption private key $de_{AA2}$ of the second communication party, and stores it.
Further, in the present invention, it is preferable that,
in the step B4, the calculating includes the steps of:
B41, the first key generation center $KGC_1$ generates a 256-bit third random integer rr, $rr \in [1, N-1]$, and calculates the second user signature key generation data ss and TT by
$ss = (rr \times (hh + ks_1)^{-1}) \bmod N$
and $TT = [rr^{-1} \bmod N] \times QQ$;
B42, the first key generation center $KGC_1$ uses the first encryption master private key $ke_1$ and the user identification $ID_A$ to calculate the user encryption private key $de_A$ by
$t_1 = H_1(ID_A \| hid, N) + ke_1$,
$t_2 = (ke_1 \times t_1^{-1}) \bmod N$,
$de_A = [t_2] \times P_2$;
B43, the first key generation center $KGC_1$ generates a second random point $NN_{deA}$ on $G_2$, where $NN_{deA}$ is not equal to the user encryption private key $de_A$, and calculates the noised second user encryption private key $de'_{AA}$: $de'_{AA} = de_A - NN_{deA}$;
B44, the first key generation center $KGC_1$ calculates $SS = [ke_1] \times PP'_1$ and, letting the coordinates of SS be $(x_{SS}, y_{SS})$, converts $x_{SS}$ and $y_{SS}$ to byte strings and computes $kk = KDF(x_{SS} \| y_{SS}, 128)$, where KDF is the key derivation function and kk is a 128-bit byte string;
B45, letting the coordinates of the noised second user encryption private key $de'_{AA}$ be $(x_{de'AA}, y_{de'AA})$, the first key generation center $KGC_1$ converts $x_{de'AA}$ and $y_{de'AA}$ into a second coordinate byte string and encrypts the second coordinate byte string to obtain the second private key coordinate encrypted data EE:
$EE = SM4\_ENC(kk, x_{de'AA} \| y_{de'AA})$,
where $SM4\_ENC(kk, x_{de'AA} \| y_{de'AA})$ denotes encrypting the plaintext $x_{de'AA} \| y_{de'AA}$ with the SM4 encryption algorithm and the 128-bit key kk and outputting the ciphertext;
B46, the first key generation center $KGC_1$ sends the second user signature key generation data ss and TT, the second private key coordinate encrypted data EE and the second random point $NN_{deA}$ to the first communication party,
the third partial user signature private key $ds_{AA1}$ and the fourth partial user signature private key $ds_{AA2}$ satisfy the relation:
$[ds_{AA2}] \times ds_{AA1} = ds_A$
the third partial user encryption private key $de_{AA1}$ and the fourth partial user encryption private key $de_{AA2}$ satisfy the relation:
$de_A = de_{AA1} + de_{AA2}$
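The following added example (not code from the patent) replays the signature-key message flow of methods AA and BB with every group element replaced by its discrete logarithm, so that scalar multiplication becomes multiplication modulo N and point addition becomes addition modulo N. It checks that the product of the two shares equals the standard SM9 key form, ks·(h_1 + ks)^-1 times P_1, under the master key whose public part is the published user signature master public key. The toy prime N, the constants KS1 and KS2 and all function names are assumptions; the model exposes every secret and only verifies the algebra.

```python
import secrets

N = 10009              # constructed toy prime standing in for the SM9 group order N
KS1, KS2 = 7001, 9002  # constructed signature master private keys of KGC_1 and KGC_2
# Both keys exceed N/2: with h the larger square root, h + ks is then never 0 mod N,
# so every inverse below exists (pow(x, -1, N) raises ValueError otherwise).


def inv(x: int) -> int:
    return pow(x, -1, N)


def rand() -> int:
    return secrets.randbelow(N - 1) + 1    # uniform in [1, N-1]


def is_square(a: int) -> bool:
    """Euler's criterion for a nonzero a modulo the prime N."""
    return pow(a, (N - 1) // 2, N) == 1


# Step S3: public parameter alpha, a quadratic non-residue modulo N.
ALPHA = next(a for a in range(2, N) if not is_square(a))


def larger_sqrt(a: int) -> int:
    """Tonelli-Shanks; returns the larger of the two square roots of a modulo N."""
    if not is_square(a):
        raise ValueError("not a square modulo N")
    q, s = N - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    c = pow(ALPHA, q, N)                   # element of order 2^s
    x, t, m = pow(a, (q + 1) // 2, N), pow(a, q, N), s
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                     # least i with t^(2^i) == 1
            t2, i = t2 * t2 % N, i + 1
        b = pow(c, 1 << (m - i - 1), N)
        x, t, c, m = x * b % N, t * b * b % N, b * b % N, i
    return max(x, N - x)


def collaborative_keygen(h1: int) -> dict:
    """Run steps A1-A7 (or B1-B7) on discrete logs and check the share relation."""
    method = "AA" if is_square(h1) else "BB"
    a = 1 if method == "AA" else ALPHA     # BB works with alpha*h1, which is a square
    h = larger_sqrt(a * h1 % N)            # h in method AA, hh in method BB

    ds2 = rand()                           # A2: second party's share ds_A2
    p1p = inv(ds2)                         # A2: P'_1 = [ds_A2^-1] P_1
    r_a = rand()
    q = r_a * p1p % N                      # A3: Q = [r_A] P'_1
    r = rand()
    s = r * inv(h + KS1) % N               # A41: s = r (h + ks_1)^-1 mod N
    t = inv(r) * q % N                     # A41: T = [r^-1] Q
    big_r = inv(h + KS2) * t % N           # A5: R = [(h + ks_2)^-1] T
    coeff = inv(r_a) * h1 * a * s % N      # A6/B6 scalar (a = 1 in method AA)
    ds1 = (p1p - coeff * big_r) % N        # A6: first party's share ds_A1

    # A7/B7: discrete log of P_pubsA (or P_pubsAA) with respect to P_2.
    ks = inv(a) * (h * (KS1 + KS2) + KS1 * KS2) % N
    # Standard SM9 private key under master key ks, the shape step A42 uses for de_A.
    ds_a = ks * inv(h1 + ks) % N
    return {"method": method, "ds1": ds1, "ds2": ds2, "ok": ds2 * ds1 % N == ds_a}
```

The identity holds because h^2 = h_1 (or hh^2 = alpha·h_1), which turns (h + ks_1)(h + ks_2) into h_1 plus the discrete log of the published master public key; this is why the scheme needs the square-root branch and the non-residue alpha.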
the invention also provides a digital signature computing method, wherein,
let the user identification be $ID_A$ and let m be the original text of the message to be signed; $h_1$ is obtained by calculating $h_1 = H_1(ID_A \| hid, N)$, where $H_1$ is a first cryptographic function, $\|$ denotes concatenation of byte strings, hid is a function identifier, and N is a prime number,
if $h_1$ is a square element modulo N and the first partial user signature private key $ds_{A1}$ and the second partial user signature private key $ds_{A2}$ have been obtained using the key generation method, method CC is carried out,
or
if $h_1$ is not a square element modulo N and the third partial user signature private key $ds_{AA1}$ and the fourth partial user signature private key $ds_{AA2}$ have been obtained using the key generation method, method DD is carried out,
the method CC comprises the following steps:
CC1, the first communication party generates a 256-bit fifth random integer k1, $k1 \in [1, N-1]$, calculates $u = e(P_1, P_{pubsA})^{k1}$, and sends u, the original message text m to be signed and the user identification $ID_A$ to the second communication party, where $G_1$ is an additive cyclic group of order N, $G_2$ is an additive cyclic group of order N, $G_T$ is a multiplicative cyclic group of order N, e is a bilinear pairing from $G_1 \times G_2$ to $G_T$, $P_1$ is a generator of group $G_1$, and $P_{pubsA}$ is the first user signature master public key;
CC2, the second communication party generates a 256-bit sixth random integer k2 and a 256-bit seventh random integer k3, where $k2 \in [1, N-1]$ and $k3 \in [1, N-1]$, then calculates $w = u^{k2} \times e(P_1, P_{pubsA})^{k3}$;
CC3, the second communication party calculates $hhh = H_2(m \| w, N)$, $s_1 = (k2 \times ds_{A2}) \bmod N$ and $s_2 = ((k3 - hhh) \times ds_{A2}) \bmod N$, then sends hhh, $s_1$ and $s_2$ to the first communication party, where $H_2$ is a second cryptographic function and x mod y denotes the remainder of x modulo y;
CC4, the first communication party calculates S by
$S = [k1 \times s_1 + s_2] \times ds_{A1}$
and outputs the digital signature (hhh, S);
the method DD comprises the following steps:
DD1, the first communication party generates a 256-bit eighth random integer kk1, $kk1 \in [1, N-1]$, calculates $uu = e(P_1, P_{pubsAA})^{kk1}$, and sends uu, the original message text m to be signed and the user identification $ID_A$ to the second communication party, where $G_1$ is an additive cyclic group of order N, $G_2$ is an additive cyclic group of order N, $G_T$ is a multiplicative cyclic group of order N, e is a bilinear pairing from $G_1 \times G_2$ to $G_T$, $P_1$ is a generator of group $G_1$, and $P_{pubsAA}$ is the second user signature master public key;
DD2, the second communication party generates a 256-bit ninth random integer kk2 and a 256-bit tenth random integer kk3, where $kk2 \in [1, N-1]$ and $kk3 \in [1, N-1]$, then calculates $ww = uu^{kk2} \times e(P_1, P_{pubsAA})^{kk3}$;
DD3, the second communication party calculates $hhhh = H_2(m \| ww, N)$, $ss_1 = (kk2 \times ds_{AA2}) \bmod N$ and $ss_2 = ((kk3 - hhhh) \times ds_{AA2}) \bmod N$, then sends hhhh, $ss_1$ and $ss_2$ to the first communication party, where $H_2$ is a second cryptographic function and x mod y denotes the remainder of x modulo y;
DD4, the first communication party calculates SS by
$SS = [kk1 \times ss_1 + ss_2] \times ds_{AA1}$
and outputs the digital signature (hhhh, SS).
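The share arithmetic of method CC can be checked in a discrete-log model. In this added example (not code from the patent) each group element is replaced by its discrete logarithm, so a pairing of a·P_1 with b·P_2 becomes a·b mod N, multiplication in G_T becomes addition and exponentiation becomes multiplication; the signature (hhh, S) produced by steps CC1 to CC4 is then fed to the standard SM9 verification equations. The toy prime N, the constants KS and H1_ID, the SHA-256 stand-in for H_2 and all function names are assumptions; method DD follows the same arithmetic with P_pubsAA and the AA-suffixed shares.

```python
import hashlib
import secrets

N = 10009      # constructed toy prime standing in for the SM9 group order N
KS = 4242      # constructed discrete log of P_pubsA with respect to P_2
H1_ID = 1717   # constructed value of h_1 = H_1(ID_A || hid, N)


def rand() -> int:
    return secrets.randbelow(N - 1) + 1    # uniform in [1, N-1]


def h2(m: bytes, w: int) -> int:
    """Stand-in for H_2(m || w, N); SHA-256 replaces the real hash (assumption)."""
    d = hashlib.sha256(m + w.to_bytes(2, "big")).digest()
    return int.from_bytes(d, "big") % (N - 1) + 1


def split_key() -> tuple:
    """Shares with [ds_A2] x ds_A1 = ds_A, where ds_A = [ks (h_1 + ks)^-1] P_1."""
    ds_a = KS * pow(H1_ID + KS, -1, N) % N
    ds2 = rand()
    return ds_a * pow(ds2, -1, N) % N, ds2


def cosign(m: bytes, ds1: int, ds2: int) -> tuple:
    """Steps CC1-CC4; ds1 stays with the first party, ds2 with the second."""
    g = KS                                 # e(P_1, P_pubsA) in the exponent model
    k1 = rand()
    u = k1 * g % N                         # CC1 (first party): u = g^k1
    k2, k3 = rand(), rand()
    w = (k2 * u + k3 * g) % N              # CC2 (second party): w = u^k2 * g^k3
    hhh = h2(m, w)                         # CC3 (second party)
    s1 = k2 * ds2 % N
    s2 = (k3 - hhh) * ds2 % N
    big_s = (k1 * s1 + s2) * ds1 % N       # CC4 (first party): S = [k1*s1 + s2] ds_A1
    return hhh, big_s


def verify(m: bytes, sig: tuple) -> bool:
    """Standard SM9 check: w' = e(S, [h_1]P_2 + P_pubsA) * g^hhh; accept if H_2(m||w') == hhh."""
    hhh, big_s = sig
    u = big_s * (H1_ID + KS) % N           # e(S, [h_1]P_2 + P_pubsA)
    w = (u + hhh * KS) % N                 # multiply by g^hhh
    return h2(m, w) == hhh
```

Neither party ever forms ds_A: the second party only multiplies its nonces by ds_A2, and the first party only scales ds_A1, yet the output verifies as an ordinary SM9 signature with nonce k1·k2 + k3.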
The invention also provides a digital signature verification method, wherein,
$h_1$ is obtained by calculating $h_1 = H_1(ID_A \| hid, N)$, where $H_1$ is a first cryptographic function, $\|$ denotes concatenation of byte strings, hid is a function identifier, and N is a prime number,
if $h_1$ is a square element modulo N and the first user signature master public key $P_{pubsA}$ has been obtained using the key generation method, the first communication party performs digital signature verification with the first user signature master public key $P_{pubsA}$, the function identifier hid, the user identification $ID_A$, the message m and the digital signature sig as input parameters,
or
if $h_1$ is not a square element modulo N and the second user signature master public key $P_{pubsAA}$ has been obtained using the key generation method, the first communication party performs digital signature verification with the second user signature master public key $P_{pubsAA}$, the function identifier hid, the user identification $ID_A$, the message m and the digital signature sig as input parameters.
The invention also provides a key encapsulation method, wherein the key encapsulation method is adopted for key encapsulation, and comprises the following steps: the encapsulator uses the user identification $ID_B$ and the first encryption master public key $P_{pube1}$ of the first key generation center $KGC_1$ to perform the key encapsulation calculation.
The invention also provides a key decapsulation method, wherein the key decapsulation method is adopted for key decapsulation: after a receiver AAA receives an encapsulation ciphertext CCC of a key K, the receiver AAA acts as the first communication party using the first partial user encryption private key $de_{A1}$, and the second communication party uses the second partial user encryption private key $de_{A2}$, to perform a collaborative computation comprising:
GG1, the first communication party sends the encapsulation ciphertext CCC to the second communication party;
GG2, the second communication party verifies that CCC is a point on $G_1$, where $G_1$ is an additive cyclic group of order N and N is a prime number;
GG3, the second communication party calculates $w'_2 = e(CCC, de_{A2})$, where $G_2$ is an additive cyclic group of order N, $G_T$ is a multiplicative cyclic group of order N, and e is a bilinear pairing from $G_1 \times G_2$ to $G_T$;
GG4, the second communication party sends $w'_2$ to the first communication party;
GG5, the first communication party calculates $w' = e(CCC, de_{A1}) \times w'_2$;
GG6, the first communication party calculates the encapsulated key $K' = KDF(CCC \| w' \| ID_{AAA}, klen)$, where $ID_{AAA}$ is the user identification of the receiver AAA, KDF is a key derivation function, $\|$ denotes concatenation of byte strings, and klen is the encapsulation bit length of the key K.
The invention also provides a data encryption method, wherein the key generation method is adopted for key encapsulation, and the method comprises the following steps: the encryptor uses the user identification $ID_B$ of the data decryptor BBB and the first encryption master public key $P_{pube1}$ of the first key generation center $KGC_1$ to perform encryption calculation on the plaintext M.
The invention also provides a data decryption method, which adopts the key generation method to decrypt data, wherein, after the data decryptor, namely the receiver $A_{132}$, receives the ciphertext $C_{132}$, the receiver $A_{132}$ acts as the first communication party using the first partial user encryption private key $de_{A1}$, and the second communication party uses the second partial user encryption private key $de_{A2}$, to perform a collaborative computation comprising:
HH1, the first communication party sends the ciphertext $C_{132}$ to the second communication party;
HH2, the second communication party verifies that $C_{132}$ is a point on $G_1$, where $G_1$ is an additive cyclic group of order N and N is a prime number;
HH3, the second communication party calculates $ww'_2 = e(C_{132}, de_{A2})$, where $G_2$ is an additive cyclic group of order N, $G_T$ is a multiplicative cyclic group of order N, and e is a bilinear pairing from $G_1 \times G_2$ to $G_T$;
HH4, the second communication party sends $ww'_2$ to the first communication party;
HH5, the first communication party calculates $ww' = e(C_{132}, de_{A1}) \times ww'_2$;
HH6, the first communication party calculates and obtains a plaintext M'.
The present invention also provides a computer device comprising a memory, a first processor and a first computer program stored on said memory and executable on said first processor, said first computer program when executed by said first processor implementing one or more of the following methods:
the above-described key generation method;
the above digital signature calculation method;
the above digital signature verification method;
the above-mentioned key encapsulation method;
the key decapsulation method;
the above-mentioned data encryption method;
the above-mentioned data decryption method.
The invention also provides a computer-readable storage medium for storing a second computer program executable by at least one second processor for causing the at least one second processor to perform one or more of the following methods:
the above-described key generation method;
the above digital signature calculation method;
the above digital signature verification method;
the above-mentioned key encapsulation method;
the key decapsulation method;
the above-mentioned data encryption method;
the above-mentioned data decryption method.
The key generation method provided by the invention is a method for cooperatively generating a signature key, realized by cooperative calculation between a first communication party and a second communication party. After the first communication party and the second communication party apply to the first key generation center and the second key generation center for generation of the user signature key, the first communication party and the second communication party each generate and store a partial user signature key. The invention enables the two communication parties to cooperatively generate the signature key and calculate the digital signature, so that a mobile terminal user can securely store and use the user signature key without hardware devices such as a USBKey. In the present invention, when a signature key is generated, none of the first key generation center, the second key generation center, the first communication party and the second communication party knows the user's signature private key, and neither the first communication party nor the second communication party knows the user's encryption private key. Therefore, the key delegation problem of the user signature key is addressed, and the secure protection and use of the user signature key and the encryption private key on the mobile device are also guaranteed. The invention thus solves the problem of secure storage and use management of the SM9 user signature private key by a mobile terminal in environments such as cloud computing and the mobile internet under the dual-KGC condition.
By adopting the key generation method provided by the invention, the first communication party and the second communication party respectively generate corresponding partial user encryption private keys in the issuing process of the user encryption private key. On the basis, the first communication party and the second communication party can complete the key decapsulation and data decryption calculation through cooperative calculation. Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings in the following description show some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a diagram illustrating a data transfer relationship of a key generation method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions.
The key generation method of the SM9 user provided by the present invention is explained in detail below with reference to the accompanying drawings. Fig. 1 is a schematic diagram of a data transfer relationship of a key generation method provided by the present invention. Referring to fig. 1, the key generation method includes the steps of:
1. Generating system parameters
S1. The dual key generation centers $KGC_1$ and $KGC_2$ each generate system parameters.
The first key generation center $KGC_1$ generates first system parameters comprising a first signature master private key $ks_1$, a first signature master public key $P_{pubs1}$, a first encryption master private key $ke_1$ and a first encryption master public key $P_{pube1}$. The first signature master private key $ks_1$ is a random integer with $ks_1 \in [1, N-1]$, where $N$ is a prime number. The group $G_2$ is an additive cyclic group of order $N$, and $P_{pubs1}$ is an element of $G_2$ satisfying
$P_{pubs1} = [ks_1] \times P_2$ (1),
The first encryption master private key $ke_1$ is a random integer with $ke_1 \in [1, N-1]$, where $N$ is a prime number. The group $G_1$ is an additive cyclic group of order $N$, and $P_{pube1}$ is an element of $G_1$ satisfying
$P_{pube1} = [ke_1] \times P_1$ (2),
In formulas (1) and (2), $P_1$ is a generator of the group $G_1$ and $P_2$ is a generator of the group $G_2$. The square brackets $[\ ]$ denote the multiple-point operation on an elliptic curve (scalar multiplication of a point); see section 4 of GB/T 38635.1-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 1: General rules". In every equation below, the square brackets $[\ ]$ have the same meaning as in formula (1).
Similarly, the second key generation center $KGC_2$ generates second system parameters comprising a second signature master private key $ks_2$ and a second signature master public key $P_{pubs2}$. The second signature master private key $ks_2$ is a random integer with $ks_2 \in [1, N-1]$, satisfying
$P_{pubs2} = [ks_2] \times P_2$ (3).
S2. The dual key generation centers $KGC_1$ and $KGC_2$ each compute the common master key $P_{pubs}$.
The first key generation center $KGC_1$ computes $P_{pubs} = [ks_1] \times P_{pubs2}$.
The second key generation center $KGC_2$ computes $P_{pubs} = [ks_2] \times P_{pubs1}$.
The common master keys generated by the first key generation center $KGC_1$ and the second key generation center $KGC_2$ are identical; both are $P_{pubs}$.
S3. Selecting a public parameter $\alpha$.
The public parameter $\alpha$ is a quadratic non-residue modulo $N$, selected at random by the first key generation center $KGC_1$ and the second key generation center $KGC_2$ through offline negotiation. According to GB/T 38635.1-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 1: General rules", $N$ is the order of the SM9 groups $G_1$ (an additive cyclic group of prime order $N$), $G_2$ (an additive cyclic group of prime order $N$) and $G_T$ (a multiplicative cyclic group of prime order $N$).
S4. The computed parameters $P_{pubs1}$, $P_{pube1}$, $P_{pubs2}$, $P_{pubs}$ and $\alpha$ are published.
The first key generation center $KGC_1$ can publish the first signature master public key $P_{pubs1}$ and the first encryption master public key $P_{pube1}$; the second key generation center $KGC_2$ can publish the second signature master public key $P_{pubs2}$; and the first key generation center $KGC_1$ and/or the second key generation center $KGC_2$ can publish the common master key $P_{pubs}$ and the public parameter $\alpha$. The parameters $P_{pubs1}$, $P_{pube1}$, $P_{pubs2}$, $P_{pubs}$ and $\alpha$ may also be published by other means or modules.
2. Generating the user signature private key $ds_A$ and the user signature master public key, and encrypting and issuing the user encryption private key $de_A$
Let the user identifier already specified by the upper-layer application system be $ID_A$. The user identifier $ID_A$ may be numeric information such as an identity card number or a mobile phone number. The user identifier $ID_A$ uniquely determines the user signature private key and the user encryption private key of user A. The user signature private key of user A is related to the signature master private keys ($ks_1$ and $ks_2$) of the first key generation center $KGC_1$ and the second key generation center $KGC_2$, and is uniquely determined once the system master parameters are fixed; the user encryption private key of user A is related to the encryption master private key ($ke_1$) of the first key generation center $KGC_1$, and is uniquely determined once the system master parameters are fixed.
The first key generation center $KGC_1$ or the second key generation center $KGC_2$ uses
$h_1 = H_1(ID_A \| hid, N)$
to compute $h_1$. Here $H_1(ID_A \| hid, N)$ is the cryptographic function (i.e. the first cryptographic function) defined in section 5.3.2.2 of GB/T 38635.2-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 2: Algorithm"; it maps an arbitrary user identifier $ID_A$ to a 256-bit integer through the function $H_1$. The symbol $\|$ denotes concatenation of byte strings, and $hid$ is the function identifier defined in section 4 of GB/T 38635.1-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 1: General rules"; it is a fixed value negotiated, selected and published by the first key generation center $KGC_1$ and the second key generation center $KGC_2$.
The invention introduces a first communication party and a second communication party that cooperate with each other. One of them (for example the first communication party) is user A, and the other (for example the second communication party) is the user's cooperative computing party, such as a cooperative computing server; the two parties can share data by cooperating with each other. In the present invention, $h_1$ can be computed by the first communication party and the second communication party. Then, according to whether $h_1$ is a square modulo $N$, either method AA is used to generate the first partial user signature private key $ds_{A1}$, the second partial user signature private key $ds_{A2}$ and the first user signature master public key $P_{pubsA}$, and to encrypt and issue the user encryption private key $de_A$, which is split into the first partial user encryption private key $de_{A1}$ and the second partial user encryption private key $de_{A2}$; or method BB is used to generate the third partial user signature private key $ds_{AA1}$, the fourth partial user signature private key $ds_{AA2}$ and the second user signature master public key $P_{pubsAA}$, and to encrypt and issue the user encryption private key $de_A$, which is split into the third partial user encryption private key $de_{AA1}$ and the fourth partial user encryption private key $de_{AA2}$.
Method AA: if $h_1$ is a square modulo $N$, i.e. $h_1 \equiv h^2 \pmod N$, where $\equiv$ denotes congruence, $x \bmod y$ denotes the reduction of $x$ modulo $y$, and $h$ is the larger of the two square roots of $h^2$, then method AA comprises the following steps:
A1. The first communication party sends a cooperative key generation request to the second communication party;
A2. The second communication party generates a 256-bit first random number $ds_{A2}$, $ds_{A2} \in [1, N-1]$, computes the first data $P'_1$ from $P'_1 = [(ds_{A2})^{-1} \bmod N] \times P_1$, and sends the first data $P'_1$ to the first communication party, where $P_1$ is a generator of the group $G_1$; the second communication party stores the first random number $ds_{A2}$ as the second partial user signature private key of the second communication party;
A3. The first communication party generates a 256-bit second random number $r_A$, $r_A \in [1, N-1]$, computes the second data $Q$ from $Q = [r_A] \times P'_1$, and sends the first data $P'_1$, the second data $Q$ and the user identifier $ID_A$ to the first key generation center $KGC_1$;
A4. After receiving the first data $P'_1$, the second data $Q$ and the user identifier $ID_A$, the first key generation center $KGC_1$ computes the first user signature key generation data ($s$ and $T$) and the user encryption private key $de_A$. The computation comprises the following steps:
A41. The first key generation center $KGC_1$ generates a 256-bit first random integer $r$, $r \in [1, N-1]$, and from
$s = (r \times (h + ks_1)^{-1}) \bmod N$
and $T = [r^{-1} \bmod N] \times Q$
computes $s$ and $T$,
A42. The first key generation center $KGC_1$, following section 7.1 of GB/T 38635.2-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 2: Algorithm", and using the first encryption master private key $ke_1$ and the user identifier $ID_A$, uses
$t_1 = H_1(ID_A \| hid, N) + ke_1$,
$t_2 = (ke_1 \times t_1^{-1}) \bmod N$,
$de_A = [t_2] \times P_2$
to compute the user encryption private key $de_A$,
A43. The first key generation center $KGC_1$ generates a first random point $N_{deA}$ on $G_2$, with $N_{deA}$ not equal to the user encryption private key $de_A$, and computes the noised first user encryption private key $de'_A$:
$de'_A = de_A - N_{deA}$
The purpose of introducing the noised first user encryption private key $de'_A$ is to use the first random point $N_{deA}$ to mask the user encryption private key $de_A$ with noise,
A44. The first key generation center $KGC_1$ computes $S = [ke_1] \times P'_1$. Let the coordinates of $S$ be $(x_S, y_S)$; using the method of section 7.2.6 of GB/T 38635.1-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 1: General rules", it converts $x_S$, $y_S$ to byte strings and computes $k = KDF(x_S \| y_S, 128)$, where $KDF$ is the key derivation function of section 5.3.6 of GB/T 38635.2-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 2: Algorithm", and $k$ is a 128-bit byte string,
A45. Let the coordinates of the noised first user encryption private key $de'_A$ be $(x_{de'A}, y_{de'A})$. Using the method of section 7.2.6 of GB/T 38635.1-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 1: General rules", the first key generation center $KGC_1$ converts $x_{de'A}$, $y_{de'A}$ into a first coordinate byte string and encrypts it with $k$ and the SM4 cryptographic algorithm to obtain the first private key coordinate encryption data $E$:
$E = SM4\_ENC(k, x_{de'A} \| y_{de'A})$,
where $SM4\_ENC(k, x_{de'A} \| y_{de'A})$ denotes encrypting the plaintext $x_{de'A} \| y_{de'A}$ with the SM4 encryption algorithm defined in GB/T 32907-2016, "Information security technology: SM4 block cipher algorithm", under the 128-bit key $k$, and outputting the ciphertext,
A46. The first key generation center $KGC_1$ sends the first user signature key generation data $s$ and $T$, the first private key coordinate encryption data $E$ and the first random point $N_{deA}$ to the first communication party;
A5. The first communication party sends $T$ from the first user signature key generation data to the second key generation center $KGC_2$, and the second key generation center $KGC_2$ computes $R$ from
$R = [(h + ks_2)^{-1} \bmod N] \times T$
and sends $R$ to the first communication party;
A6. The first communication party computes, from
$ds_{A1} = P'_1 - [(r_A^{-1} \times h_1 \times s) \bmod N] \times R$ (3)
the first partial user signature private key $ds_{A1}$ of the first communication party.
Here $ds_{A1}$ satisfies the following equation:
$ds_{A1} = P'_1 - [(h_1 \times (h + ks_1)^{-1} \times (h + ks_2)^{-1}) \bmod N] \times P'_1$
$= P'_1 - [(h_1 \times (h_1 + h \times (ks_1 + ks_2) + ks_1 \times ks_2)^{-1}) \bmod N] \times P'_1$
A7. The first communication party and the second communication party each compute, from
$P_{pubsA} = [h] \times (P_{pubs1} + P_{pubs2}) + P_{pubs}$ (4)
the first user signature master public key $P_{pubsA}$; in this case the first user signature master public key $P_{pubsA}$ is the user signature master public key,
where $P_{pubsA}$ satisfies the following equation:
$P_{pubsA} = [(h \times (ks_1 + ks_2) + ks_1 \times ks_2) \bmod N] \times P_2$
A8. The first communication party randomly generates a second random integer $d_1 \in [1, N-1]$, computes $D_1 = [d_1] \times P_2$ and $de_{A1} = D_1 + N_{deA}$, sends the first private key coordinate encryption data $E$ and $D_1$ to the second communication party, and stores $de_{A1}$ as the first partial user encryption private key of the first communication party;
A9. The second communication party uses
$S' = [(ds_{A2})^{-1} \bmod N] \times P_{pube1}$
to compute $S'$. Let the coordinates of $S'$ be $(x_{S'}, y_{S'})$; using the method of section 7.2.6 of GB/T 38635.1-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 1: General rules", it converts $x_{S'}$, $y_{S'}$ to byte strings and computes $k' = KDF(x_{S'} \| y_{S'}, 128)$, where $k'$ is a 128-bit byte string;
A10. The second communication party decrypts the first private key coordinate encryption data $E$ with $k'$ and the SM4 cryptographic algorithm to obtain a byte string:
$x_{de'A} \| y_{de'A} = SM4\_DEC(k', E)$,
and then, using the method of section 7.2.7 of GB/T 38635.1-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 1: General rules", converts the decrypted byte string $x_{de'A} \| y_{de'A}$ into field elements to obtain the noised first user encryption private key $de'_A$. Here $SM4\_DEC(k', E)$ denotes decrypting the ciphertext $E$ with the SM4 decryption algorithm of GB/T 32907-2016 under the 128-bit key $k'$, and outputting the plaintext;
A11. The second communication party uses
$de_{A2} = de'_A - D_1$
to compute the second partial user encryption private key $de_{A2}$ of the second communication party, and stores it.
From the above computation, the first partial user signature private key $ds_{A1}$ of the first communication party and the second partial user signature private key $ds_{A2}$ of the second communication party satisfy the following relation:
$[ds_{A2}] \times ds_{A1} = P_1 - [(h_1 \times (h_1 + h \times (ks_1 + ks_2) + ks_1 \times ks_2)^{-1}) \bmod N] \times P_1 = ds_A$
Through steps A8-A11, the first communication party and the second communication party each generate a partial user encryption private key, which can be used to perform key decapsulation and data decryption cooperatively.
It should be noted that, when method AA is used, the user signature private key $ds_A$ is the actual signature private key of user A and is split into two parts, the first partial user signature private key $ds_{A1}$ and the second partial user signature private key $ds_{A2}$. However, the user signature private key $ds_A$ never appears during the whole process of executing the present invention: neither of the two communication parties, and neither of the key generation centers $KGC_1$ and $KGC_2$, can independently compute or obtain the user signature private key $ds_A$.
The first partial user encryption private key $de_{A1}$ of the first communication party and the second partial user encryption private key $de_{A2}$ of the second communication party satisfy the following relation:
$de_A = de_{A1} + de_{A2}$
The user encryption private key $de_A$ never appears during the whole process of executing the present invention.
Method BB: if $h_1$ is a non-square modulo $N$, then $\alpha h_1$ (i.e. $\alpha \times h_1$) is a square modulo $N$, i.e. $\alpha h_1 \equiv hh^2 \pmod N$, and $hh$ is the larger of the two square roots of $hh^2$. Method BB comprises the following steps:
B1. The first communication party sends a cooperative key generation request to the second communication party;
B2. The second communication party generates a 256-bit third random number $ds_{AA2}$, $ds_{AA2} \in [1, N-1]$, computes the third data $PP'_1$ from $PP'_1 = [(ds_{AA2})^{-1} \bmod N] \times P_1$, and sends the third data $PP'_1$ to the first communication party, where $P_1$ is a generator of the group $G_1$; the second communication party stores the third random number $ds_{AA2}$ as the fourth partial user signature private key of the second communication party;
B3. The first communication party generates a 256-bit fourth random number $rr_A$, $rr_A \in [1, N-1]$, computes the fourth data $QQ$ from $QQ = [rr_A] \times PP'_1$, and sends the third data $PP'_1$, the fourth data $QQ$ and the user identifier $ID_A$ to the first key generation center $KGC_1$;
B4. After receiving the third data $PP'_1$, the fourth data $QQ$ and the user identifier $ID_A$, the first key generation center $KGC_1$ computes the second user signature key generation data ($ss$ and $TT$) and the user encryption private key $de_A$. The computation comprises the following steps:
B41. The first key generation center $KGC_1$ generates a 256-bit third random integer $rr$, $rr \in [1, N-1]$, and from
$ss = (rr \times (hh + ks_1)^{-1}) \bmod N$
and $TT = [rr^{-1} \bmod N] \times QQ$
computes the second user signature key generation data $ss$ and $TT$,
B42. The first key generation center $KGC_1$, following section 7.1 of GB/T 38635.2-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 2: Algorithm", and using the first encryption master private key $ke_1$ and the user identifier $ID_A$, uses
$t_1 = H_1(ID_A \| hid, N) + ke_1$,
$t_2 = (ke_1 \times t_1^{-1}) \bmod N$,
$de_A = [t_2] \times P_2$
to compute the user encryption private key $de_A$,
B43. The first key generation center $KGC_1$ generates a second random point $NN_{deA}$ on $G_2$, with $NN_{deA}$ not equal to the user encryption private key $de_A$, and computes the noised second user encryption private key $de'_{AA}$:
$de'_{AA} = de_A - NN_{deA}$
The purpose of introducing the noised second user encryption private key $de'_{AA}$ is to use the second random point $NN_{deA}$ to mask the user encryption private key $de_A$ with noise,
B44. The first key generation center $KGC_1$ computes $SS = [ke_1] \times PP'_1$. Let the coordinates of $SS$ be $(x_{SS}, y_{SS})$; using the method of section 7.2.6 of GB/T 38635.1-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 1: General rules", it converts $x_{SS}$, $y_{SS}$ to byte strings and computes $kk = KDF(x_{SS} \| y_{SS}, 128)$, where $KDF$ is the key derivation function of section 5.3.6 of GB/T 38635.2-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 2: Algorithm", and $kk$ is a 128-bit byte string,
B45. Let the coordinates of $de'_{AA}$ be $(x_{de'AA}, y_{de'AA})$. Using the method of section 7.2.6 of GB/T 38635.1-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 1: General rules", the first key generation center $KGC_1$ converts $x_{de'AA}$, $y_{de'AA}$ into a second coordinate byte string and encrypts it with $kk$ and the SM4 cryptographic algorithm to obtain the second private key coordinate encryption data $EE$:
$EE = SM4\_ENC(kk, x_{de'AA} \| y_{de'AA})$,
where $SM4\_ENC(kk, x_{de'AA} \| y_{de'AA})$ denotes encrypting the plaintext $x_{de'AA} \| y_{de'AA}$ with the SM4 encryption algorithm defined in GB/T 32907-2016, "Information security technology: SM4 block cipher algorithm", under the 128-bit key $kk$, and outputting the ciphertext.
B46. The first key generation center $KGC_1$ sends the second user signature key generation data $ss$ and $TT$, the second private key coordinate encryption data $EE$ and the second random point $NN_{deA}$ to the first communication party;
B5. The first communication party sends $TT$ from the second user signature key generation data to the second key generation center $KGC_2$, and the second key generation center $KGC_2$ computes $RR$ from
$RR = [(hh + ks_2)^{-1} \bmod N] \times TT$
and sends $RR$ to the first communication party;
B6. The first communication party computes, from
$ds_{AA1} = PP'_1 - [(rr_A^{-1} \times h_1 \times \alpha \times ss) \bmod N] \times RR$ (5)
the third partial user signature private key $ds_{AA1}$ of the first communication party.
Here $ds_{AA1}$ satisfies the following equation:
$ds_{AA1} = PP'_1 - [(h_1 \times \alpha \times (hh + ks_1)^{-1} \times (hh + ks_2)^{-1}) \bmod N] \times PP'_1$
$= PP'_1 - [(h_1 \times (h_1 + \alpha^{-1} \times hh \times (ks_1 + ks_2) + \alpha^{-1} \times ks_1 \times ks_2)^{-1}) \bmod N] \times PP'_1$
B7. The first communication party and the second communication party each compute, from
$P_{pubsAA} = [\alpha^{-1} \bmod N] \times ([hh] \times (P_{pubs1} + P_{pubs2}) + P_{pubs})$ (6)
the second user signature master public key $P_{pubsAA}$; in this case the second user signature master public key $P_{pubsAA}$ is the user signature master public key,
where $P_{pubsAA}$ satisfies the following equation:
$P_{pubsAA} = [(\alpha^{-1} \times hh \times (ks_1 + ks_2) + \alpha^{-1} \times ks_1 \times ks_2) \bmod N] \times P_2$
B8. The first communication party generates a fourth random integer $dd_1 \in [1, N-1]$, computes $DD_1 = [dd_1] \times P_2$ and $de_{AA1} = DD_1 + NN_{deA}$, sends the second private key coordinate encryption data $EE$ and $DD_1$ to the second communication party, and stores $de_{AA1}$ as the third partial user encryption private key of the first communication party;
B9. The second communication party uses
$SS' = [(ds_{AA2})^{-1} \bmod N] \times P_{pube1}$
to compute $SS'$. Let the coordinates of $SS'$ be $(x_{SS'}, y_{SS'})$; using the method of section 7.2.6 of GB/T 38635.1-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 1: General rules", it converts $x_{SS'}$, $y_{SS'}$ to byte strings and computes $kk' = KDF(x_{SS'} \| y_{SS'}, 128)$, where $KDF$ is the key derivation function of section 5.3.6 of GB/T 38635.2-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 2: Algorithm", and $kk'$ is a 128-bit byte string;
B10. The second communication party decrypts the second private key coordinate encryption data $EE$ with $kk'$ and the SM4 cryptographic algorithm to obtain a byte string:
$x_{de'AA} \| y_{de'AA} = SM4\_DEC(kk', EE)$,
and then, using the method of section 7.2.7 of GB/T 38635.1-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 1: General rules", converts the decrypted byte string $x_{de'AA} \| y_{de'AA}$ into field elements to obtain the noised second user encryption private key $de'_{AA}$. Here $SM4\_DEC(kk', EE)$ denotes decrypting the ciphertext $EE$ with the SM4 decryption algorithm of GB/T 32907-2016 under the 128-bit key $kk'$, and outputting the plaintext;
B11. The second communication party uses
$de_{AA2} = de'_{AA} - DD_1$
to compute the fourth partial user encryption private key $de_{AA2}$ of the second communication party, and stores it.
From the above computation, the third partial user signature private key $ds_{AA1}$ of the first communication party and the fourth partial user signature private key $ds_{AA2}$ of the second communication party satisfy the relation:
$[ds_{AA2}] \times ds_{AA1} = P_1 - [(h_1 \times (h_1 + h \times (ks_1 + ks_2) + ks_1 \times ks_2)^{-1}) \bmod N] \times P_1 = ds_A$
Through steps B8-B11, the first communication party and the second communication party each generate a partial user encryption private key, which can be used to perform key decapsulation and data decryption cooperatively.
It should be noted that, when method BB is used, the user signature private key $ds_A$ is the actual signature private key of user A and is split into two parts, the third partial user signature private key $ds_{AA1}$ and the fourth partial user signature private key $ds_{AA2}$. However, the user signature private key $ds_A$ never appears during the whole process of executing the present invention: neither of the two communication parties, and neither of the key generation centers $KGC_1$ and $KGC_2$, can independently compute or obtain $ds_A$.
The third partial user encryption private key $de_{AA1}$ of the first communication party and the fourth partial user encryption private key $de_{AA2}$ of the second communication party satisfy the relation:
$de_A = de_{AA1} + de_{AA2}$
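The message flow of methods AA and BB can be checked end to end in a toy model. The following Python code is an added example, not code from the patent: it assumes a constructed prime $N = 2^{127} - 1$ in place of the SM9 order, stores each point as its discrete logarithm, and uses SHA-256 stand-ins (`toy_h1`, `wrap`) for $H_1$, the KDF and SM4, so it has no security value and only confirms the share relations derived in steps A6/B6, A7/B7 and A8-A11/B8-B11.

```python
import hashlib
import secrets

# Toy model (an assumption of this example): a point [k]P1 or [k]P2 is stored as
# the scalar k mod N, so point addition is "+" and [k]X is k*X mod N. It offers
# no security and exists only to check the algebra of the protocol messages.
N = 2**127 - 1     # constructed stand-in for the SM9 order N (prime, N % 4 == 3)
P1 = P2 = 1        # generators in the scalar model

def inv(x):
    return pow(x, -1, N)

def rand():
    return secrets.randbelow(N - 1) + 1            # uniform in [1, N-1]

def is_square(a):
    return pow(a, (N - 1) // 2, N) == 1            # Euler's criterion

def larger_sqrt(a):
    r = pow(a, (N + 1) // 4, N)                    # valid because N % 4 == 3
    return max(r, N - r)

def toy_h1(user_id):
    # Stand-in for H1(ID_A || hid, N); not the GB/T 38635.2-2020 function.
    digest = hashlib.sha256(user_id + b"\x01").digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1

def wrap(shared_point, value):
    # Stand-in for KDF + SM4: XOR with a pad derived from the shared point.
    # XOR is its own inverse, so the same call also unwraps.
    pad = hashlib.sha256(shared_point.to_bytes(16, "big")).digest()[:16]
    return value ^ int.from_bytes(pad, "big")

def cooperative_keygen(user_id):
    # S1-S3: both KGCs create master keys and agree on P_pubs and alpha.
    ks1, ks2, ke1 = rand(), rand(), rand()
    Ppubs1, Ppubs2, Ppube1 = ks1 * P2 % N, ks2 * P2 % N, ke1 * P1 % N
    Ppubs = ks1 * Ppubs2 % N                       # equals ks2 * Ppubs1
    alpha = rand()
    while is_square(alpha):                        # alpha must be a non-residue
        alpha = rand()

    h1 = toy_h1(user_id)
    # Method AA (h1 is a square): factor 1, root h.
    # Method BB (h1 is a non-square): factor alpha, root hh.
    method, factor = ("AA", 1) if is_square(h1) else ("BB", alpha)
    root = larger_sqrt(factor * h1 % N)

    ds2 = rand()                                   # A2/B2: second party's share
    Pp = inv(ds2) * P1 % N                         #        P'_1 sent to first party
    rA = rand()                                    # A3/B3: first party blinds P'_1
    Q = rA * Pp % N
    r = rand()                                     # A41/B41: KGC1
    s = r * inv(root + ks1) % N
    T = inv(r) * Q % N
    de = ke1 * inv(h1 + ke1) % N * P2 % N          # A42/B42: de_A = [t2]P2
    noise = rand()                                 # A43/B43: random point N_deA
    E = wrap(ke1 * Pp % N, (de - noise) % N)       # A44-A45: wrap de'_A under S
    R = inv(root + ks2) * T % N                    # A5/B5: KGC2
    ds1 = (Pp - inv(rA) * h1 * factor * s % N * R) % N                # A6/B6
    Ppub_user = inv(factor) * (root * (Ppubs1 + Ppubs2) + Ppubs) % N  # A7/B7
    D1 = rand() * P2 % N                           # A8/B8: first party
    de1 = (D1 + noise) % N
    de_noised = wrap(inv(ds2) * Ppube1 % N, E)     # A9-A10/B9-B10: S' equals S
    de2 = (de_noised - D1) % N                     # A11/B11

    # Closed form from steps A6/B6, computed from the master secrets only so
    # that the shares can be checked; no party in the protocol can do this.
    x = inv(factor) * (root * (ks1 + ks2) + ks1 * ks2) % N
    ds_closed = (P1 - h1 * inv(h1 + x)) % N
    return {"method": method, "h1": h1, "ds1": ds1, "ds2": ds2, "de": de,
            "de1": de1, "de2": de2, "Ppub_user": Ppub_user,
            "ds_closed": ds_closed}

def shares_consistent(k):
    ds = k["ds2"] * k["ds1"] % N                   # [ds2]ds1, never formed in practice
    return (ds == k["ds_closed"]
            and (k["de1"] + k["de2"]) % N == k["de"]
            # Pairing relation in exponents: e(ds, [h1]P2 + Ppub) == e(P1, Ppub)
            and ds * (k["h1"] * P2 + k["Ppub_user"]) % N == k["Ppub_user"])
```

The last condition in `shares_consistent` is the relation an SM9 verifier relies on, which is why the user signature master public key from step A7/B7 can take the place of the ordinary signature master public key.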
The invention also provides a digital signature calculation method that uses the above key generation method: the first communication party, using the first partial user signature private key $ds_{A1}$ (or the third partial user signature private key $ds_{AA1}$), and the second communication party, using the second partial user signature private key $ds_{A2}$ (or the fourth partial user signature private key $ds_{AA2}$), cooperatively compute the digital signature. In the digital signature calculation method, let the user identifier be $ID_A$ and the message to be signed be $m$; then
$h_1 = H_1(ID_A \| hid, N)$
is used to compute $h_1$, and method CC or method DD is used according to whether $h_1$ is a square modulo $N$.
Method CC: if $h_1$ is a square modulo $N$, the first communication party uses the first partial user signature private key $ds_{A1}$ and the second communication party uses the second partial user signature private key $ds_{A2}$. The method comprises the following steps:
CC1. The first communication party generates a 256-bit fifth random integer $k1$, $k1 \in [1, N-1]$, computes $u = e(P_1, P_{pubsA})^{k1}$, and sends the data $u$, $m$ and $ID_A$ to the second communication party, where $e$ is the bilinear pairing from $G_1 \times G_2$ to $G_T$; for details see section 6.1 of GB/T 38635.1-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 1: General rules";
CC2. The second communication party generates a 256-bit sixth random integer $k2$ and a 256-bit seventh random integer $k3$, where $k2 \in [1, N-1]$ and $k3 \in [1, N-1]$, and then computes $w = u^{k2} \times e(P_1, P_{pubsA})^{k3}$;
CC3. The second communication party computes $hhh = H_2(m \| w, N)$, $s_1 = (k2 \times ds_{A2}) \bmod N$ and $s_2 = ((k3 - hhh) \times ds_{A2}) \bmod N$, where $H_2$ is the cryptographic function (i.e. the second cryptographic function) defined in section 5.3.2.3 of GB/T 38635.2-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 2: Algorithm"; the second communication party sends $hhh$, $s_1$ and $s_2$ to the first communication party;
CC4. The first communication party uses
$S = [k1 \times s_1 + s_2] \times ds_{A1}$
to compute $S$, and outputs the digital signature $(hhh, S)$.
Method DD: if $h_1$ is not a square modulo $N$, the first communication party uses the third partial user signature private key $ds_{AA1}$ and the second communication party uses the fourth partial user signature private key $ds_{AA2}$. The method comprises the following steps:
DD1. The first communication party generates a 256-bit eighth random integer $kk1$, $kk1 \in [1, N-1]$, computes $uu = e(P_1, P_{pubsAA})^{kk1}$, and sends the data $uu$, $m$ and $ID_A$ to the second communication party;
DD2. The second communication party generates a 256-bit ninth random integer $kk2$ and a 256-bit tenth random integer $kk3$, where $kk2 \in [1, N-1]$ and $kk3 \in [1, N-1]$, and then computes $ww = uu^{kk2} \times e(P_1, P_{pubsAA})^{kk3}$;
DD3. The second communication party computes $hhhh = H_2(m \| ww, N)$, $ss_1 = (kk2 \times ds_{AA2}) \bmod N$ and $ss_2 = ((kk3 - hhhh) \times ds_{AA2}) \bmod N$; the second communication party sends $hhhh$, $ss_1$ and $ss_2$ to the first communication party;
DD4. The first communication party uses
$SS = [kk1 \times ss_1 + ss_2] \times ds_{AA1}$
to compute $SS$, and outputs the digital signature $(hhhh, SS)$.
The invention also provides a digital signature verification method that uses the above key generation method. It takes the first user signature master public key $P_{pubsA}$ or the second user signature master public key $P_{pubsAA}$, the identifier $hid$, the user identifier $ID_A$, the message $m$ and the digital signature $(hhhh, SS)$ as input parameters and verifies the digital signature on the message $m$. In the digital signature verification method,
$h_1 = H_1(ID_A \| hid, N)$
is used to compute $h_1$, and method EE or method FF is used according to whether $h_1$ is a square modulo $N$.
Method EE: if $h_1$ is a square modulo $N$, the first communication party takes the first user signature master public key $P_{pubsA}$, the function identifier $hid$, the user identifier $ID_A$, the message $m$ and the digital signature $sig$ as input parameters and verifies according to section 6.4 of GB/T 38635.2-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 2: Algorithm". Given the way in which the first user signature master public key $P_{pubsA}$, the first partial user signature private key $ds_{A1}$ used by the first communication party and the second partial user signature private key $ds_{A2}$ used by the second communication party are generated, the digital signature passes verification provided the message has not been tampered with.
Method FF: if $h_1$ is not a square modulo $N$, the first communication party takes the second user signature master public key $P_{pubsAA}$, the function identifier $hid$, the user identifier $ID_A$, the message $m$ and the digital signature $sig$ as input parameters and verifies according to section 6.4 of GB/T 38635.2-2020, "Information security technology: SM9 identification cryptographic algorithm, Part 2: Algorithm". Given the way in which the second user signature master public key $P_{pubsAA}$, the third partial user signature private key $ds_{AA1}$ used by the first communication party and the fourth partial user signature private key $ds_{AA2}$ used by the second communication party are generated, the digital signature passes verification provided the message has not been tampered with.
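The exchange of method CC and the check of method EE, with both parties' messages, as an added Python example that is not code from the patent. It assumes a constructed prime in place of the SM9 order, stores points and $G_T$ elements as exponents, uses a SHA-256 stand-in (`toy_h2`) for $H_2$, and builds the key shares directly with a hypothetical helper `make_split_key`; methods DD and FF have the same message flow with the method BB key material.

```python
import hashlib
import secrets

# Toy model (an assumption of this example): G1/G2 points are stored as their
# discrete logs mod N, and a G_T element g0^x (g0 = e(P1, P2)) is stored as x.
# So e(X, Y) is X*Y, multiplying in G_T is "+", and exponentiation is "*".
N = 2**127 - 1      # constructed prime standing in for the SM9 order N

def rand():
    return secrets.randbelow(N - 1) + 1            # uniform in [1, N-1]

def toy_h2(message, w):
    # Stand-in for H2(m || w, N); not the GB/T 38635.2-2020 function.
    digest = hashlib.sha256(message + w.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1

def make_split_key():
    # Constructed key material with the shape the key generation method yields:
    # Ppub is the user signature master public key and ds = [Ppub/(h1+Ppub)]P1,
    # held only as ds1 (first party, a point) and ds2 (second party, a scalar).
    h1, y = rand(), rand()
    ds = y * pow(h1 + y, -1, N) % N
    ds2 = rand()
    ds1 = ds * pow(ds2, -1, N) % N
    return {"h1": h1, "Ppub": y, "ds1": ds1, "ds2": ds2}

def cosign(key, message):
    g = key["Ppub"]                        # g = e(P1, Ppub)
    k1 = rand()                            # CC1: first party
    u = k1 * g % N                         #      u = g^k1, sent with m and ID_A
    k2, k3 = rand(), rand()                # CC2: second party
    w = (u * k2 + g * k3) % N              #      w = u^k2 * g^k3
    h = toy_h2(message, w)                 # CC3: second party
    s1 = k2 * key["ds2"] % N
    s2 = (k3 - h) * key["ds2"] % N         #      h, s1, s2 go to the first party
    S = (k1 * s1 + s2) * key["ds1"] % N    # CC4: first party, S = [k1*s1+s2]ds1
    return h, S

def verify(h1, Ppub, message, signature):
    # Same structure as SM9 verification, with the user signature master
    # public key: w' = e(S, [h1]P2 + Ppub) * e(P1, Ppub)^h, accept iff
    # H2(m || w') == h.
    h, S = signature
    if not (1 <= h <= N - 1):
        return False
    w_check = (S * (h1 + Ppub) + h * Ppub) % N
    return toy_h2(message, w_check) == h
```

Neither party's transcript contains the other's share: the second party only ever sees $u$, and the first party only sees $s_1$ and $s_2$, both already scaled by the second party's share.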
The invention also provides a key encapsulation method that uses the key generation method described above. In the key encapsulation method, to send a key K of bit length klen (klen is an integer) to the receiver AAA whose user identification is ID_B, the encapsulator uses the user identification ID_B and the first encryption master public key P_pube1 of the first key generation center KGC_1 to perform the key encapsulation calculation of section 8.2 of GB/T 38635.2-2020 (Information security technology - SM9 identity-based cryptographic algorithm - Part 2: Algorithm), and outputs (KKK, CCC), where KKK is the encapsulated key and CCC is the encapsulation ciphertext.
The invention also provides a key decapsulation method that uses the key generation method described above. In the key decapsulation method, after the receiver AAA receives the encapsulation ciphertext CCC of the key K, the receiver AAA acts as the first communication party and, using its first partial user encryption private key de_A1, performs a collaborative computation with the second communication party (which uses the second partial user encryption private key de_A2) to recover the key K'. The calculation process is as follows:
GG1, the first communication party (receiver AAA) sends CCC to the second communication party;
GG2, the second communication party verifies that CCC is a point on G_1;
GG3, the second communication party calculates w'_2 = e(CCC, de_A2);
GG4, the second communication party sends w'_2 to the first communication party;
GG5, the first communication party calculates w' = e(CCC, de_A1) × w'_2;
GG6, the first communication party calculates the encapsulated key K' = KDF(CCC || w' || ID_AAA, klen) according to section 8.4 of GB/T 38635.1-2020 (Information security technology - SM9 identity-based cryptographic algorithm - Part 1: General), where ID_AAA is the user identification of the receiver AAA.
The invention also provides a data encryption method that uses the key generation method described above. In the data encryption method, the encryptor uses the user identification ID_B of the data decryptor BBB and the first encryption master public key P_pube1 of the first key generation center KGC_1 to perform the encryption calculation of section 9.2 of GB/T 38635.2-2020 (Information security technology - SM9 identity-based cryptographic algorithm - Part 2: Algorithm) on the plaintext M, and outputs the ciphertext C_132 = C_1 || C_3 || C_2.
The invention also provides a data decryption method that uses the key generation method described above. In the data decryption method, after the data decryptor, namely the receiver A_132, receives the ciphertext C_132 = C_1 || C_3 || C_2, the receiver A_132 acts as the first communication party and, using the first partial user encryption private key de_A1, performs a collaborative computation with the second communication party (which uses the second partial user encryption private key de_A2) to decrypt the plaintext M. The calculation process is as follows:
HH1, the first communication party (receiver A_132) sends C_132 to the second communication party;
HH2, the second communication party verifies that C_132 is a point on G_1;
HH3, the second communication party calculates ww'_2 = e(C_132, de_A2);
HH4, the second communication party sends ww'_2 to the first communication party;
HH5, the first communication party calculates ww' = e(C_132, de_A1) × ww'_2;
HH6, the first communication party calculates and outputs the plaintext M' according to steps B3-B5 of section 9.4 of GB/T 38635.2-2020 (Information security technology - SM9 identity-based cryptographic algorithm - Part 2: Algorithm), where ω' in steps B3-B5 of section 9.4 is ww'.
The present invention also provides a computer device, including a storage, a first processor, and a first computer program stored on the storage and operable on the first processor, wherein the first computer program, when executed by the first processor, implements one or more of the above-mentioned key generation method, digital signature calculation method, digital signature verification method, key encapsulation method, key decapsulation method, data encryption method, and data decryption method.
The present invention also provides a computer readable storage medium for storing a second computer program executable by at least one second processor to cause the at least one second processor to perform one or more of the above-mentioned key generation method, digital signature calculation method, digital signature verification method, key encapsulation method, key decapsulation method, data encryption method, and data decryption method.
In the signature key generation method provided by the invention, the first communication party and the second communication party each generate a partial user signature key, and the user signature key is generated through communication with the first key generation center and the second key generation center. The parts of the user signature key are stored separately at the first communication party and the second communication party. During generation of the user signature key, none of the first communication party, the second communication party, the first key generation center and the second key generation center can calculate the complete user signature key, so the user keeps effective control of the signature key. This solves the problem that, with a single KGC, the KGC has complete possession of the user signature key, that is, the user signature key escrow problem, and allows a user's mobile terminal to generate, store and use the user signature key securely in environments such as cloud computing and the mobile internet.
Although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (14)

1. The key generation method is characterized by comprising the following steps:
Step 1: generating system parameters;
Step 2: based on the system parameters, a first communication party and a second communication party cooperate to generate the user signature private key ds_A and the user signature master public key, and the user encryption private key de_A is encrypted and issued.
2. The key generation method of claim 1,
the first step comprises the following steps:
S1, generating a first system parameter by a first key generation center KGC_1 and generating a second system parameter by a second key generation center KGC_2,
wherein
the first system parameter comprises a first signature master private key ks_1, a first signature master public key P_pubs1, a first encryption master private key ke_1 and a first encryption master public key P_pube1;
the first signature master private key ks_1 is a random integer and ks_1 ∈ [1, N-1], where N is a prime number; let group G_2 be an additive cyclic group of order N; the first signature master public key P_pubs1 is an element of group G_2 and satisfies
P_pubs1 = [ks_1] × P_2 (1),
the first encryption master private key ke_1 is a random integer and ke_1 ∈ [1, N-1]; let group G_1 be an additive cyclic group of order N; the first encryption master public key P_pube1 is an element of group G_1 and satisfies
P_pube1 = [ke_1] × P_1 (2),
in formulae (1) and (2), P_1 is the generator of group G_1, P_2 is the generator of group G_2, and the square brackets [ ] denote point multiplication on the elliptic curve; in the following equations, the square brackets [ ] have the same meaning as in formula (1),
the second system parameter comprises a second signature master private key ks_2 and a second signature master public key P_pubs2; the second signature master private key ks_2 is a random integer, ks_2 ∈ [1, N-1], and satisfies
P_pubs2 = [ks_2] × P_2 (3);
S2, the first key generation center KGC_1 and the second key generation center KGC_2 each calculate the public master key P_pubs,
wherein
the first key generation center KGC_1 calculates P_pubs = [ks_1] × P_pubs2,
the second key generation center KGC_2 calculates P_pubs = [ks_2] × P_pubs1;
S3, selecting a public parameter α, wherein the public parameter α is a quadratic non-residue modulo N;
S4, publishing the first signature master public key P_pubs1, the first encryption master public key P_pube1, the second signature master public key P_pubs2, the public master key P_pubs and the public parameter α,
the second step comprises the following steps: calculating
h_1 = H_1(ID_A || hid, N)
wherein H_1(ID_A || hid, N) is a first cryptographic function, ID_A is the user identification, || denotes concatenation of byte strings, and hid is a function identifier,
if h_1 is a square element modulo N, method AA is used to generate the first partial user signature private key ds_A1, the second partial user signature private key ds_A2 and the first user signature master public key P_pubsA, and to encrypt and issue the user encryption private key de_A, the user encryption private key de_A being split into the first partial user encryption private key de_A1 and the second partial user encryption private key de_A2, and the first user signature master public key P_pubsA being the user signature master public key;
if h_1 is not a square element modulo N, method BB is used to generate the third partial user signature private key ds_AA1, the fourth partial user signature private key ds_AA2 and the second user signature master public key P_pubsAA, and to encrypt and issue the user encryption private key de_A, the user encryption private key de_A being split into the third partial user encryption private key de_AA1 and the fourth partial user encryption private key de_AA2, and the second user signature master public key P_pubsAA being the user signature master public key.
3. The key generation method of claim 2,
in said method AA, h_1 is a square element modulo N, i.e. h_1 ≡ h^2 (mod N), where ≡ denotes congruence and x mod y denotes the remainder of x modulo y, and h is the larger of the two square roots of h^2; the method AA comprises the steps of:
A1, the first communication party sends an application for cooperative key generation to the second communication party;
A2, the second communication party generates a 256-bit first random number ds_A2, ds_A2 ∈ [1, N-1], calculates first data P'_1 from P'_1 = [(ds_A2)^(-1) mod N] × P_1, and sends the first data P'_1 to the first communication party; the second communication party stores the first random number ds_A2 as the second partial user signature private key of the second communication party;
A3, the first communication party generates a 256-bit second random number r_A, r_A ∈ [1, N-1], calculates second data Q from Q = [r_A] × P'_1, and sends the first data P'_1, the second data Q and the user identification ID_A to the first key generation center KGC_1;
A4, after receiving the first data P'_1, the second data Q and the user identification ID_A, the first key generation center KGC_1 calculates first user signature key generation data and the user encryption private key de_A, the first user signature key generation data comprising s and T;
A5, the first communication party sends T of the first user signature key generation data to the second key generation center KGC_2, and the second key generation center KGC_2 calculates R from
R = [(h + ks_2)^(-1) mod N] × T
and sends R to the first communication party;
A6, the first communication party calculates the first partial user signature private key ds_A1 of the first communication party from
ds_A1 = P'_1 - [(r_A^(-1) × h_1 × s) mod N] × R;
A7, the first communication party and the second communication party each calculate the first user signature master public key P_pubsA from
P_pubsA = [h] × (P_pubs1 + P_pubs2) + P_pubs,
the first user signature master public key P_pubsA being the user signature master public key;
A8, the first communication party randomly generates a second random integer d_1 ∈ [1, N-1], calculates D_1 = [d_1] × P_2 and de_A1 = D_1 + N_deA, then sends the first private key coordinate encryption data E and D_1 to the second communication party, and stores de_A1 as the first partial user encryption private key of the first communication party;
A9, the second communication party calculates S' from
S' = [(ds_A2)^(-1) mod N] × P_pube1,
lets the coordinates of S' be (x_S', y_S'), converts x_S', y_S' to a byte string and computes k' = KDF(x_S' || y_S', 128), where KDF is a key derivation function and k' is a 128-bit byte string;
A10, the second communication party decrypts the first private key coordinate encryption data E to obtain a byte string:
x_de'A || y_de'A = SM4_DEC(k', E), and converts the byte string x_de'A || y_de'A to field elements to obtain the noised first user encryption private key de'_A, where SM4_DEC(k', E) denotes decrypting the ciphertext E with the SM4 decryption algorithm and the 128-bit key k' and outputting the plaintext;
A11, the second communication party calculates the second partial user encryption private key de_A2 of the second communication party from
de_A2 = de'_A - D_1
and stores it.
4. The key generation method of claim 3,
in the step A4, the calculating includes the steps of:
A41, the first key generation center KGC_1 generates a 256-bit first random integer r, r ∈ [1, N-1], and calculates the first user signature key generation data s and T from
s = (r × (h + ks_1)^(-1)) mod N
and T = [r^(-1) mod N] × Q;
A42, the first key generation center KGC_1 uses the first encryption master private key ke_1 and the user identification ID_A to calculate the user encryption private key de_A from
t_1 = H_1(ID_A || hid, N) + ke_1,
t_2 = (ke_1 × t_1^(-1)) mod N,
de_A = [t_2] × P_2;
A43, the first key generation center KGC_1 generates a first random point N_deA on G_2, N_deA not being equal to the user encryption private key de_A, and calculates the noised first user encryption private key de'_A:
de'_A = de_A - N_deA;
A44, the first key generation center KGC_1 calculates S = [ke_1] × P'_1, lets the coordinates of S be (x_S, y_S), converts x_S, y_S to a byte string and computes k = KDF(x_S || y_S, 128), where KDF is the key derivation function and k is a 128-bit byte string;
A45, letting the coordinates of the noised first user encryption private key de'_A be (x_de'A, y_de'A), the first key generation center KGC_1 converts x_de'A, y_de'A to a first coordinate byte string and encrypts the first coordinate byte string to obtain the first private key coordinate encryption data E:
E = SM4_ENC(k, x_de'A || y_de'A),
where SM4_ENC(k, x_de'A || y_de'A) denotes encrypting the plaintext x_de'A || y_de'A with the SM4 encryption algorithm and the 128-bit key k and outputting the ciphertext;
A46, the first key generation center KGC_1 sends the first user signature key generation data s and T, the first private key coordinate encryption data E and the first random point N_deA to the first communication party,
the first partial user signature private key ds_A1 and the second partial user signature private key ds_A2 satisfy the relation:
[ds_A2] × ds_A1 = ds_A,
the first partial user encryption private key de_A1 and the second partial user encryption private key de_A2 satisfy the relation:
de_A = de_A1 + de_A2.
5. The key generation method of claim 2,
in said method BB, h_1 is a non-square element modulo N, so α × h_1 is a square element modulo N, i.e. α × h_1 ≡ hh^2 (mod N), and hh is the larger of the two square roots of hh^2; the method BB comprises the steps of:
B1, the first communication party sends an application for cooperative key generation to the second communication party;
B2, the second communication party generates a 256-bit third random number ds_AA2, ds_AA2 ∈ [1, N-1], calculates third data PP'_1 from PP'_1 = [(ds_AA2)^(-1) mod N] × P_1, and sends the third data PP'_1 to the first communication party; the second communication party stores the third random number ds_AA2 as the fourth partial user signature private key of the second communication party;
B3, the first communication party generates a 256-bit fourth random number rr_A, rr_A ∈ [1, N-1], calculates fourth data QQ from QQ = [rr_A] × PP'_1, and sends the third data PP'_1, the fourth data QQ and the user identification ID_A to the first key generation center KGC_1;
B4, after receiving the third data PP'_1, the fourth data QQ and the user identification ID_A, the first key generation center KGC_1 calculates second user signature key generation data and the user encryption private key de_A, the second user signature key generation data comprising ss and TT;
B5, the first communication party sends TT of the second user signature key generation data to the second key generation center KGC_2, and the second key generation center KGC_2 calculates RR from
RR = [(hh + ks_2)^(-1) mod N] × TT
and sends RR to the first communication party;
B6, the first communication party calculates the third partial user signature private key ds_AA1 of the first communication party from
ds_AA1 = PP'_1 - [(rr_A^(-1) × h_1 × α × ss) mod N] × RR;
B7, the first communication party and the second communication party each calculate the second user signature master public key P_pubsAA from
P_pubsAA = [(α^(-1)) mod N] × ([hh] × (P_pubs1 + P_pubs2) + P_pubs),
the second user signature master public key P_pubsAA being the user signature master public key;
B8, the first communication party generates a fourth random integer dd_1 ∈ [1, N-1], calculates DD_1 = [dd_1] × P_2 and de_AA1 = DD_1 + NN_deA, sends the second private key coordinate encryption data EE and DD_1 to the second communication party, and stores de_AA1 as the third partial user encryption private key of the first communication party;
B9, the second communication party calculates SS' from
SS' = [(ds_AA2)^(-1) mod N] × P_pube1,
lets the coordinates of SS' be (x_SS', y_SS'), converts x_SS', y_SS' to a byte string and computes kk' = KDF(x_SS' || y_SS', 128), where KDF is a key derivation function and kk' is a 128-bit byte string;
B10, the second communication party decrypts the second private key coordinate encryption data EE to obtain a byte string:
x_de'AA || y_de'AA = SM4_DEC(kk', EE), and converts the byte string x_de'AA || y_de'AA to field elements to obtain the noised second user encryption private key de'_AA, where SM4_DEC(kk', EE) denotes decrypting the ciphertext EE with the SM4 decryption algorithm and the 128-bit key kk' and outputting the plaintext;
B11, the second communication party calculates the fourth partial user encryption private key de_AA2 of the second communication party from
de_AA2 = de'_AA - DD_1
and stores it.
6. The key generation method of claim 5,
in the step B4, the calculating includes the steps of:
B41, the first key generation center KGC_1 generates a 256-bit third random integer rr, rr ∈ [1, N-1], and calculates the second user signature key generation data ss and TT from
ss = (rr × (hh + ks_1)^(-1)) mod N
and TT = [rr^(-1) mod N] × QQ;
B42, the first key generation center KGC_1 uses the first encryption master private key ke_1 and the user identification ID_A to calculate the user encryption private key de_A from
t_1 = H_1(ID_A || hid, N) + ke_1,
t_2 = (ke_1 × t_1^(-1)) mod N,
de_A = [t_2] × P_2;
B43, the first key generation center KGC_1 generates a second random point NN_deA on G_2, NN_deA not being equal to the user encryption private key de_A, and calculates the noised second user encryption private key de'_AA: de'_AA = de_A - NN_deA;
B44, the first key generation center KGC_1 calculates SS = [ke_1] × PP'_1, lets the coordinates of SS be (x_SS, y_SS), converts x_SS, y_SS to a byte string and computes kk = KDF(x_SS || y_SS, 128), where KDF is the key derivation function and kk is a 128-bit byte string;
B45, letting the coordinates of the noised second user encryption private key de'_AA be (x_de'AA, y_de'AA), the first key generation center KGC_1 converts x_de'AA, y_de'AA to a second coordinate byte string and encrypts the second coordinate byte string to obtain the second private key coordinate encryption data EE:
EE = SM4_ENC(kk, x_de'AA || y_de'AA),
where SM4_ENC(kk, x_de'AA || y_de'AA) denotes encrypting the plaintext x_de'AA || y_de'AA with the SM4 encryption algorithm and the 128-bit key kk and outputting the ciphertext;
B46, the first key generation center KGC_1 sends the second user signature key generation data ss and TT, the second private key coordinate encryption data EE and the second random point NN_deA to the first communication party,
the third partial user signature private key ds_AA1 and the fourth partial user signature private key ds_AA2 satisfy the relation:
[ds_AA2] × ds_AA1 = ds_A,
the third partial user encryption private key de_AA1 and the fourth partial user encryption private key de_AA2 satisfy the relation:
de_A = de_AA1 + de_AA2.
7. A digital signature calculation method, characterized in that,
letting the user identification be ID_A and m be the original message to be signed, h_1 is calculated using h_1 = H_1(ID_A || hid, N), wherein H_1 is a first cryptographic function, || denotes concatenation of byte strings, hid is a function identifier, and N is a prime number,
if h_1 is a square element modulo N, the first partial user signature private key ds_A1 and the second partial user signature private key ds_A2 are obtained by the key generation method of any of claims 3 to 4, and method CC is then performed,
or
if h_1 is not a square element modulo N, the third partial user signature private key ds_AA1 and the fourth partial user signature private key ds_AA2 are obtained by the key generation method of any of claims 5-6, and method DD is then performed,
the method CC comprises the following steps:
CC1, the first communication party generates a 256-bit fifth random integer k1, k1 ∈ [1, N-1], calculates u = e(P_1, P_pubsA)^k1, and sends u, the original message m to be signed and the user identification ID_A to the second communication party, where G_1 is an additive cyclic group of order N, G_2 is an additive cyclic group of order N, G_T is a multiplicative cyclic group of order N, e is a bilinear pairing from G_1 × G_2 to G_T, P_1 is the generator of group G_1, and P_pubsA is the first user signature master public key;
CC2, the second communication party generates a 256-bit sixth random integer k2 and a 256-bit seventh random integer k3, where k2 ∈ [1, N-1], k3 ∈ [1, N-1], then calculates w = u^k2 × e(P_1, P_pubsA)^k3;
CC3, the second communication party calculates hhh = H_2(m || w, N), s_1 = (k2 × ds_A2) mod N, s_2 = ((k3 - hhh) × ds_A2) mod N, then sends hhh, s_1 and s_2 to the first communication party, where H_2 is a second cryptographic function and x mod y denotes the remainder of x modulo y;
CC4, the first communication party calculates S from
S = [k1 × s_1 + s_2] × ds_A1
and outputs the digital signature (hhh, S);
the method DD comprises the steps of:
DD1, the first communication party generates a 256-bit eighth random integer kk1, kk1 ∈ [1, N-1], calculates uu = e(P_1, P_pubsAA)^kk1, and sends uu, the original message m to be signed and the user identification ID_A to the second communication party, where G_1 is an additive cyclic group of order N, G_2 is an additive cyclic group of order N, G_T is a multiplicative cyclic group of order N, e is a bilinear pairing from G_1 × G_2 to G_T, P_1 is the generator of group G_1, and P_pubsAA is the second user signature master public key;
DD2, the second communication party generates a 256-bit ninth random integer kk2 and a 256-bit tenth random integer kk3, where kk2 ∈ [1, N-1], kk3 ∈ [1, N-1], then calculates ww = uu^kk2 × e(P_1, P_pubsAA)^kk3;
DD3, the second communication party calculates hhhh = H_2(m || ww, N), ss_1 = (kk2 × ds_AA2) mod N, ss_2 = ((kk3 - hhhh) × ds_AA2) mod N, then sends hhhh, ss_1 and ss_2 to the first communication party, where H_2 is a second cryptographic function and x mod y denotes the remainder of x modulo y;
DD4, the first communication party calculates SS from
SS = [kk1 × ss_1 + ss_2] × ds_AA1
and outputs the digital signature (hhhh, SS).
8. A digital signature verification method, characterized in that,
h_1 is calculated using h_1 = H_1(ID_A || hid, N), where H_1 is a first cryptographic function, || denotes concatenation of byte strings, hid is a function identifier, and N is a prime number,
if h_1 is a square element modulo N, the first user signature master public key P_pubsA is obtained by the key generation method of any of claims 3 to 4, and the first communication party then performs digital signature verification with the first user signature master public key P_pubsA, the function identifier hid, the user identification ID_A, the message m and the digital signature sig as input parameters,
or
if h_1 is not a square element modulo N, the second user signature master public key P_pubsAA is obtained by the key generation method of any one of claims 5 to 6, and the first communication party then performs digital signature verification with the second user signature master public key P_pubsAA, the function identifier hid, the user identification ID_A, the message m and the digital signature sig as input parameters.
9. The key encapsulation method, which is characterized in that the key generation method of any one of claims 2 to 6 is adopted for key encapsulation, and comprises the following steps: the encapsulator uses the user identification ID_B and the first encryption master public key P_pube1 of the first key generation center KGC_1 to perform the key encapsulation calculation.
10. Key decapsulation method, comprising the key generation method according to any of claims 2-6, wherein, after receiving the encapsulation ciphertext CCC of the key K, the receiver AAA acts as a first communication party using the first partial user encryption private key de_A1, and the second communication party uses the second partial user encryption private key de_A2, to perform a collaborative computation comprising:
GG1, the first communication party sends the encapsulation ciphertext CCC to the second communication party;
GG2, the second communication party verifies that CCC is a point on G_1, G_1 being an additive cyclic group of order N, N being a prime number;
GG3, the second communication party calculates w'_2 = e(CCC, de_A2), where G_2 is an additive cyclic group of order N, G_T is a multiplicative cyclic group of order N, and e is a bilinear pairing from G_1 × G_2 to G_T;
GG4, the second communication party sends w'_2 to the first communication party;
GG5, the first communication party calculates w' = e(CCC, de_A1) × w'_2;
GG6, the first communication party calculates the encapsulated key K' = KDF(CCC || w' || ID_AAA, klen), where ID_AAA is the user identification of the receiver AAA, KDF is a key derivation function, || denotes concatenation of byte strings, and klen is the encapsulation bit length of the key K.
11. A data encryption method for performing key encapsulation by using the key generation method according to any one of claims 2 to 6, comprising: the encryptor uses the user identification ID_B of the data decryptor BBB and the first encryption master public key P_pube1 of the first key generation center KGC_1 to perform encryption calculation on the plaintext M.
12. Method for decrypting data, characterized in that the method for generating a key according to any of claims 2-6 is used for decrypting data, wherein, after the data decryptor, namely the receiver A_132, receives the ciphertext C_132, the receiver A_132 acts as a first communication party using the first partial user encryption private key de_A1, and the second communication party uses the second partial user encryption private key de_A2, to perform a collaborative computation comprising:
HH1, the first communication party sends the ciphertext C_132 to the second communication party;
HH2, the second communication party verifies that C_132 is a point on G_1, G_1 being an additive cyclic group of order N, N being a prime number;
HH3, the second communication party calculates ww'_2 = e(C_132, de_A2), where G_2 is an additive cyclic group of order N, G_T is a multiplicative cyclic group of order N, and e is a bilinear pairing from G_1 × G_2 to G_T;
HH4, the second communication party sends ww'_2 to the first communication party;
HH5, the first communication party calculates ww' = e(C_132, de_A1) × ww'_2;
HH6, the first communication party calculates the plaintext M'.
13. Computer arrangement comprising a memory, a first processor and a first computer program stored on said memory and executable on said first processor, characterized in that said first computer program when executed by said first processor implements one or several of the following methods:
the key generation method of any one of claims 1-6;
the digital signature calculation method of claim 7;
the digital signature verification method of claim 8;
the key encapsulation method of claim 9;
the key decapsulation method according to claim 10;
the data encryption method of claim 11;
a method of decrypting data as claimed in claim 12.
14. Computer-readable storage medium for storing a second computer program, the second computer program being executable by at least one second processor for causing the at least one second processor to perform one or more of the following methods:
the key generation method of any one of claims 1-6;
the digital signature calculation method of claim 7;
the digital signature verification method of claim 8;
the key encapsulation method of claim 9;
the key decapsulation method according to claim 10;
the data encryption method of claim 11;
a method of decrypting data as claimed in claim 12.
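Added example (not part of the patent text): a Python check that the share relation [ds_A2] × ds_A1 = ds_A, the co-signing method CC/DD and ordinary single-party verification fit together for both the square (AA) and non-square (BB) branches. It assumes a toy model in which every group element is represented by its discrete logarithm, a constructed order N = 2^127 - 1 with α = N - 1, SHA-256 stand-ins for H_1 and H_2 and a constructed hid value; all function names are this example's own.

```python
"""Algebra check for the split SM9 signing key (methods AA/BB) and co-signing (CC/DD).

TOY MODEL (assumption): every group element is tracked by its discrete log, so a
point [x]P_1 or [x]P_2 is the integer x mod N and e(P_1,P_2)^x in G_T is x mod N.
This exposes every secret and only checks that the equations fit together.
"""
import hashlib
import secrets

N = 2**127 - 1      # constructed toy group order: a Mersenne prime with N % 4 == 3
ALPHA = N - 1       # public non-residue alpha: -1 is a non-square when N % 4 == 3
HID = b"\x01"       # function identifier hid (value assumed for this example)


def inv(x):
    return pow(x, -1, N)


def rand():
    return secrets.randbelow(N - 1) + 1          # uniform in [1, N-1]


def pair(a, b):
    return a * b % N                             # e([a]P_1, [b]P_2) as an exponent


def _hash(tag, data):
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % (N - 1) + 1


def H1(user_id):
    return _hash(b"H1", user_id + HID)           # stand-in for H_1(ID_A || hid, N)


def H2(m, w):
    return _hash(b"H2", m + w.to_bytes(16, "big"))   # stand-in for H_2(m || w, N)


def setup():
    """S1-S2: each KGC keeps its own ks_i; P_pubs = [ks_1][ks_2]P_2."""
    ks1, ks2 = rand(), rand()
    return {"ks1": ks1, "ks2": ks2, "Ppubs1": ks1, "Ppubs2": ks2, "Ppubs": ks1 * ks2 % N}


def keygen(sp, user_id):
    """Signing-key steps of method AA (a = 1) or BB (a = alpha); returns (ds_1, ds_2, P_pubsA)."""
    h1 = H1(user_id)
    a = 1 if pow(h1, (N - 1) // 2, N) == 1 else ALPHA   # Euler criterion: is h_1 a square?
    x = pow(a * h1 % N, (N + 1) // 4, N)                # a root of h_1 (AA) or alpha*h_1 (BB)
    h = max(x, N - x)                                   # the larger of the two square roots
    ds2 = rand()                                        # A2: second party's share ds_A2
    p1 = inv(ds2)                                       # A2: P'_1 = [ds_A2^-1]P_1
    r_a = rand()
    q = r_a * p1 % N                                    # A3: Q = [r_A]P'_1
    r = rand()                                          # A41, at KGC_1
    s = r * inv(h + sp["ks1"]) % N
    t = inv(r) * q % N
    big_r = inv(h + sp["ks2"]) * t % N                  # A5, at KGC_2
    ds1 = (p1 - inv(r_a) * h1 * a * s % N * big_r) % N  # A6: first party's share ds_A1
    ppub = inv(a) * (h * (sp["Ppubs1"] + sp["Ppubs2"]) + sp["Ppubs"]) % N   # A7 / B7
    return ds1, ds2, ppub


def cosign(ds1, ds2, ppub, m):
    """Method CC/DD: the shares are combined only inside the signature S."""
    g = pair(1, ppub)                                   # e(P_1, P_pubsA)
    k1 = rand()
    u = g * k1 % N                                      # CC1: u = g^k1
    k2, k3 = rand(), rand()
    w = (u * k2 + g * k3) % N                           # CC2: w = u^k2 * g^k3
    hhh = H2(m, w)                                      # CC3, second party
    s1 = k2 * ds2 % N
    s2 = (k3 - hhh) * ds2 % N
    return hhh, (k1 * s1 + s2) * ds1 % N                # CC4: S = [k1*s_1 + s_2]ds_A1


def verify(ppub, user_id, m, sig):
    """Single-party SM9-style check (methods EE/FF): no key share is needed."""
    hhh, s = sig
    t = pair(1, ppub) * hhh % N                         # t = g^h
    p = (H1(user_id) + ppub) % N                        # P = [h_1]P_2 + P_pubsA
    w = (pair(s, p) + t) % N                            # w' = e(S, P) * t
    return H2(m, w) == hhh


def shares_form_sm9_key(ds1, ds2, ppub, user_id):
    """[ds_2]ds_1 equals the SM9 key [ks/(h_1+ks)]P_1 for the joint master key ks."""
    ks = ppub                                           # readable only in this toy model
    return ds2 * ds1 % N == ks * inv(H1(user_id) + ks) % N


if __name__ == "__main__":
    sp = setup()
    ds1, ds2, ppub = keygen(sp, b"alice@example.com")
    sig = cosign(ds1, ds2, ppub, b"pay 10")
    print(shares_form_sm9_key(ds1, ds2, ppub, b"alice@example.com"),
          verify(ppub, b"alice@example.com", b"pay 10", sig),
          verify(ppub, b"alice@example.com", b"pay 99", sig))
```

The joint master key behind P_pubsA works out to h × (ks_1 + ks_2) + ks_1 × ks_2 (multiplied by α^(-1) in method BB); the toy model can read it directly, whereas on a real pairing curve it stays hidden behind the discrete logarithm of P_pubsA.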
Application number: CN202211241724.6A
Priority date: 2022-10-11
Filing date: 2022-10-11
Title: Key generation method, related method, computer device and storage medium
Status: Pending
Publication: CN115549904A (en), published 2022-12-30
Family ID: 84733643
Country: CN
Similar Documents

Publication Publication Date Title
CN111314089B (en) SM 2-based two-party collaborative signature method and decryption method
CN108173639B (en) Two-party cooperative signature method based on SM9 signature algorithm
CN104539423B (en) A kind of implementation method without CertPubKey cipher system of no Bilinear map computing
US8670563B2 (en) System and method for designing secure client-server communication protocols based on certificateless public key infrastructure
CN110830236B (en) Identity-based encryption method based on global hash
CN111106936A (en) SM 9-based attribute encryption method and system
CN110113150B (en) Encryption method and system based on non-certificate environment and capable of repudiation authentication
CN112564907B (en) Key generation method and device, encryption method and device, and decryption method and device
WO2020103631A1 (en) Hidden-identity-based signcryption method employing asymmetric bilinear pairing
CN109873699B (en) Revocable identity public key encryption method
CN107395368A (en) Without the digital signature method in media environment and solution encapsulating method and decryption method
CN110535626B (en) Secret communication method and system for identity-based quantum communication service station
CN109194474A (en) A kind of data transmission method and device
CN107086912B (en) Ciphertext conversion method, decryption method and system in heterogeneous storage system
CN113285959A (en) Mail encryption method, decryption method and encryption and decryption system
CN112104453A (en) Anti-quantum computation digital signature system and signature method based on digital certificate
CN110784314A (en) Certificateless encrypted information processing method
CN111030801A (en) Multi-party distributed SM9 key generation and ciphertext decryption method and medium
CN110519226B (en) Quantum communication server secret communication method and system based on asymmetric key pool and implicit certificate
CN111262709B (en) Trapdoor hash function-based unlicensed bookmark encryption system and method
JP4715748B2 (en) How to apply padding to ensure the security of cryptography
Gobi et al. A comparative study on the performance and the security of RSA and ECC algorithm
CN113852466B (en) User revocation method based on SM9 of China
CN115549904A (en) Key generation method, related method, computer device and storage medium
CN112907247A (en) Block chain authorization calculation control method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination