WO2019101134A1

WO2019101134A1 - Multi-distributed sm9 decryption method, medium and key generating method

Info

Publication number: WO2019101134A1
Application number: PCT/CN2018/116941
Authority: WO
Inventors: 何德彪; 马米米; 谢翔; 孙立林; 李升林
Original assignee: 云图有限公司
Priority date: 2017-11-23
Filing date: 2018-11-22
Publication date: 2019-05-31
Also published as: CN108418686A; CN108418686B

Abstract

Disclosed in the present invention are a multi-distributed SM9 decryption method, a medium and a key generating method. Multiple communication parties jointly complete a message decryption process under the conditions of not leaking the respective partial encryption key thereof and being unable to acquire the complete encryption key. The technical solution is: a key generation center (KGC) generates a corresponding partial encryption key for communication parties participating in an SM9 decryption system; after the keys are received, the n-th communication party An computes a first temporary variable (I) and returns the first temporary variable (I) to An-1; and An-1, after receiving w1, computes a second temporary variable (II), and returns the second temporary variable (II) to An-2, and so on, until A1, after receiving wn-1, computes the n-th temporary variable (III), performs decryption computing by classifying according to a plaintext encryption method, and finally outputs a plain text M'.

Description

Multi-distributed SM9 decryption method and medium and key generation method

Technical field

The present invention relates to the field of cryptography, and in particular, to a SM9 decryption method and medium based on multiple parties.

Background technique

With the rapid development of science and technology, network platforms such as the Internet of Things provide a powerful computing platform for the storage and transmission of big data, and also provide convenience for people's daily life. However, data security and privacy issues have become a matter of great concern. In a big data environment, it is a huge challenge to achieve secure storage, transmission and use of messages while preventing message leakage and ensuring message integrity and confidentiality.

Digital signature cryptography-based digital signature and encryption and decryption technology is a key technology to achieve message confidentiality, integrity and non-repudiation. It has been widely used in network communication, e-commerce and e-government. However, its security depends mainly on the protection of the key. Once the key is compromised, security cannot be discussed. Secret sharing provides a new idea for solving key management problems and plays a key role in the secure storage and transmission of secret data. Secret sharing uses an algorithm to divide the secret into several shares. Only when a certain number of shares are put together, the secret can be reconstructed by a certain algorithm, and less than this number of shares cannot reconstruct the secret. This number is called As a threshold. In the (t,n) threshold signature scheme, the secret is divided into n shares, and even if the attacker steals t-1 shares, a valid signature cannot be generated.

However, the implementation of the above algorithms usually requires a large number of bilinear pairings and exponential operations, and these operations will be a huge computational burden for resource-constrained users.

Therefore, the existing key segmentation is mostly poor in security protection, and the existing decryption scheme tends to have more interactions, and the user's computational complexity is relatively high, which cannot meet the low latency and less interaction required in the big data environment. Application requirements.

Summary of the invention

A brief overview of one or more aspects is provided below to provide a basic understanding of these aspects. This summary is not an extensive overview of all aspects that are conceived, and is not intended to identify key or critical elements in all aspects. Its sole purpose is to present some concepts of one or more aspects

The object of the present invention is to solve the above problems, and provide a multi-distributed SM9 decryption method, a medium and a key generation method, in which multiple communication parties do not leak their own partial encryption keys, and cannot obtain a complete encryption key. In the case, the decryption process of the message is completed together.

The technical solution of the present invention is as follows: The present invention discloses a key generation method, including:

Step 1: The key generation center calculates a temporary variable t ₁ =H ₁ (ID||hid,q)+ke, if t ₁ =0, regenerates the master key, calculates and publicizes the encrypted master public key, and updates the Have the user's encryption key, otherwise calculate the second temporary variable

among them

Representing the inverse of t ₁ modulo q, ie

Where ke denotes the master private key, hid is the key generation center selects the encryption key generation function identifier expressed by one byte, q is the order of the cyclic group and q>2 ¹⁹¹ is the prime number, and the ID is the identity identifier of the user , H ₁ () represents a cryptographic function derived from a cryptographic hash function;

Step 2: The key generation center randomly selects d ₁ , d ₂ ,..., d _n-1 ∈[1,q-1], and calculates

among them

Representing the inverse of d _i modulo q, ie

Where [1, q-1] represents a set of integers not less than 1 and not greater than q-1;

Step 3: The Key Generation Center sets the first part of the encryption key.

Second part encryption key

And so on, the n-1 part encryption key

Part n encryption key

Wherein P ₂ represents a generator of the addition cycle group G ₂ whose order is prime q, and [d _n ]P ₂ is d _n times the generator P ₂ ;

Step 4: User put

Stored in device A _i .

According to an embodiment of the key generation method of the present invention, before the step 1, the system initialization phase is further included:

The key generation center selects the random number ke∈[1,q-1] as the primary private key, calculates P _pub-e =[ke]P ₁ as the encrypted primary public key, and the key generation center secretly saves the primary private key ke. P _{pub-e is} published, and the key generation center selects to disclose an encryption key generation function identifier hid represented by one byte, where P ₁ is a generator of the addition cycle group G ₁ whose order is prime q, [ke]P ₁ is the ke times of the generated element P ₁ .

The invention also discloses a computer storage medium, characterized in that a computer program is stored, and the computer program is executed to perform the following steps:

among them

Representing the inverse of t ₁ modulo q, ie

among them

Representing the inverse of d _i modulo q, ie

Step 3: The Key Generation Center sets the first part of the encryption key.

Second part encryption key

And so on, the n-1 part encryption key

Part n encryption key

Step 4: User put

Stored in device A _i .

In accordance with an embodiment of the computer storage medium of the present invention, the step of executing the computer program execution further includes the system initialization phase prior to step 1:

The invention also discloses a multi-distributed SM9 decryption method, comprising:

Step 1: The nth communication party A _n extracts the bit string C ₁ from the ciphertext C, converts the data type of C ₁ into a point on the elliptic curve, verifies whether C ₁ ∈ G ₁ is established, and if not, reports an error and exits ; otherwise, A _n calculates the first temporary variable

And send w ₁ to A _n-1 , where ciphertext C=C ₁ ||C ₃ || C ₂ , C ₁ , C ₂ , C ₃ are bit strings, and G ₁ is an additive cyclic group whose order q is a prime number ,

The n-th part encryption key set for the key generation center, e(·,·) represents a bilinear map of G ₁ ×G ₂ →G _T , and G ₁ , G ₂ are addition cycle groups whose order is a prime number q, G _T is a multiplicative cyclic group whose order is a prime number q;

Step 2: After the n-1th communicating party A _n-1 receives w ₁ , calculate the second temporary variable

And send w ₂ to the n-2th communicating party A _n-2 , wherein

The n-1th part encryption key set for the key generation center,

Representing w ₁

Power, ie

Step 3: After the n-2th communicating party A _n-2 receives w ₂ , calculate the third temporary variable

And send w ₃ to the n-3th party A _n-3 , wherein

The n-2th encryption key set for the key generation center;

Step 4: By analogy, after receiving the w _n-2 , the second communicating party A ₂ calculates the n-1th temporary variable.

And send w _n-1 to the first communication party A ₁ , wherein

The second part encryption key set for the key generation center;

Step 5: After receiving the w _n-1 , the first communication party A ₁ calculates the nth temporary variable.

The data type of w _n is converted into a bit string, and the first communication party A ₁ classifies and decrypts according to the method of encrypting plaintext.

According to an embodiment of the multi-distributed SM9 decryption method of the present invention, the decryption calculation according to the method of encrypting plaintext in step 5 further comprises:

If the method of encrypting plaintext is based on the sequence cipher algorithm of the key derivation function KDF(·), calculate klen=mlen+K _{2_} len, and then calculate K'=KDF(C ₁ ||w _n ||ID,klen), Let K ₁ ' be the pre-Mlen bit of K', and K ₂ ' be the K _{2_} len bit of K'. If K ₁ ' is a full 0-bit string, report an error and exit, otherwise calculate

Where mlen is the bit length of ciphertext C, K _{2_} len is the bit length of the key K ₂ in the message authentication code function MAC (K ₂ , Z), and ID represents the identity of the user as the decrypter, and can uniquely determine the user's public Key, Z represents a message data bit string of the message authentication code to be obtained;

If the method of encrypting plaintext is a block cipher algorithm based on the key derivation function KDF(·), calculate klen=K _{1_} len+K _{2_} len, then calculate K'=KDF(C ₁ ||w _n ||ID,klen Let K ₁ ' be the K _{1_} len bit before K' and K ₂ ' be the K _{2_} len bit of K'. If K ₁ ' is a full 0 bit string, report an error and exit, otherwise calculate M'=Dec ( K ₁ ', C ₂ ), where K _{1_} len is the bit length of the key K ₁ in the block cipher algorithm Dec(·), and klen represents the length of the output bit string, and the value is preset;

Then calculate u=MAC(K ₂ ', C ₂ ), take the bit string C ₃ from C, and if u ≠ C ₃ , report an error and exit, otherwise output the plaintext M′.

The invention also discloses a computer storage medium, which stores a computer program, and executes the following steps after running the computer program:

And send w ₂ to the n-2th communicating party A _n-2 , wherein

The n-1th part encryption key set for the key generation center,

Representing w ₁

Power, ie

And send w ₃ to the n-3th party A _n-3 , wherein

The n-2th encryption key set for the key generation center;

And send w _n-1 to the first communication party A ₁ , wherein

The second part encryption key set for the key generation center;

According to an embodiment of the computer storage medium of the present invention, the step of performing the decryption calculation according to the method of encrypting plaintext in step 5 of the execution of the computer program further comprises:

Calculate u = MAC(K ₂ ', C ₂ ), take the bit string C ₃ from C, and if u ≠ C ₃ , report an error and exit, otherwise output plaintext M'.

Compared with the prior art, the present invention has the following beneficial effects: the SM9 identification cryptographic algorithm is an identification cryptographic algorithm based on a bilinear pairing, which can use the user's identity to generate a public and private key pair of the user. The application and management of SM9 does not require digital certificates, certificate bases or key stores. It is mainly used for digital signatures, data encryption, key exchange and identity authentication. The algorithm was released in 2015 as the national password industry standard (GM/T 0044). -2016). Based on the SM9 identification cryptographic algorithm, the Key Generation Center (KGC) in the present invention generates a corresponding partial key for the communicating party participating in the SM9 decryption system. After receiving the key, the nth communicating party A _n calculates the first temporary variable

And return to A _n-1 . After A _n-1 receives w ₁ , it calculates the second temporary variable.

And return to A _n-2 , and so on, until A ₁ receives w _n-1 , calculate the nth temporary variable

The decryption calculation is performed according to the method of encrypting plaintext, and finally the plaintext M' is output.

Therefore, the present invention devises a multi-party distributed SM9 decryption method and system, assuming that there are n communicating parties, this scheme must cooperate with each other to share and decrypt the partial private keys in the n communicating parties, and the final calculation result can be obtained. At the same time, the security of the private key is guaranteed. Compared with the prior art, the invention not only reduces the computational complexity of the user, but also improves the security of the key.

DRAWINGS

The above features and advantages of the present invention will be better understood from the following description of the appended claims. In the figures, components are not necessarily drawn to scale, and components having similar related features or features may have the same or similar reference numerals.

1 is a flow chart showing an embodiment of a key generation method of the present invention.

2 is a flow chart showing an embodiment of a multi-distributed SM9 decryption method of the present invention.

FIG. 3 shows a schematic diagram of an embodiment of a multi-distributed SM9 decryption method of the present invention.

Detailed ways

The invention is described in detail below with reference to the drawings and specific embodiments. It is to be noted that the aspects described below in conjunction with the drawings and the specific embodiments are merely exemplary and are not to be construed as limiting the scope of the invention.

Before starting to describe the technical solutions of the embodiments of the present invention, the symbols that appear in the following description and their definitions are listed first.

KGC: Key Generation Center. It is a trusted authority responsible for generating system parameters, master and private keys, and encryption keys.

KDF(·): Key derivation function.

MAC (·): Message authentication code function.

G ₁ , G ₂ : The addition cycle group whose order is prime q.

G _T : The multiplicative cyclic group whose order is prime q.

e: bilinear pair from G ₁ ×G ₂ to G _T .

g ^u : the power of u in the multiplicative group G _T , ie

Where u is a positive integer.

H ₁ (·), H ₂ (·): from {0,1} ^* to

Password hash function.

ID _C : The identity of the communicating party C, which can uniquely determine the public key of the communicating party C.

The encryption key of the communicating party C.

Mod q: modulo q operation. For example, 27 (mod 5) ≡ 2.

q: the order of the cyclic groups G ₁ , G ₂ and G _T , and q>2 ¹⁹¹ is a prime number.

P ₁ , P ₂ : are the generators of the groups G ₁ and G ₂ , respectively.

[u]P: U times the element P in the addition group G ₁ and G ₂ .

x||y: splicing of x and y, where x and y are bit strings or byte strings.

[x, y]: A set of integers not less than x and not greater than y.

The implementation of the key generation method of the present invention is as shown in Fig. 1. The following is a detailed description of the steps of the key generation method.

Step S11: KGC calculates a temporary variable t ₁ =H ₁ (ID||hid,q)+ke. If t ₁ =0, regenerate the master key, calculate and publicize the encrypted master public key, and update the existing user. Encryption key; otherwise, calculate the second temporary variable

among them

Representing the inverse of t ₁ modulo q, ie

In the system initialization phase before step S11, the KGC selects the random number ke ∈ [1, q-1] as the primary private key, and calculates P _pub-e = [ke] P ₁ as the encrypted primary public key. KGC secretly saves ke, public P _pub-e . The KGC selects and discloses the encryption key generation function identifier hid represented by one byte.

Step S12: KGC randomly selects d ₁ , d ₂ , ..., d _n-1 ∈ [1, q-1], and calculates

among them

Representing the inverse of d _i modulo q, ie

Step S13: KGC sets the first partial encryption key

Second part encryption key

And so on, the n-1 part encryption key

Part n encryption key

Step S14: the user puts

Stored in device A _i .

Furthermore, the present invention also discloses a computer storage medium having a computer program thereon running the computer program to perform the steps of the key generation method as described in the foregoing embodiments. Since the steps performed are the same as those of the foregoing embodiment, they are not described herein again.

The flow of an embodiment of the multi-distributed SM9 decryption method of the present invention is shown in Figures 2 and 3. The following is a detailed description of the steps of the SM9 decryption method. Let the ciphertext C=C ₁ ||C ₃ || C _{2 have} a bit length of mlen, and the bit length of the key K ₁ in the block cipher algorithm is K _{1_} len, and the key K _{2 in the} function MAC (K ₂ , Z) The bit length is K _{2_} len. In order to decrypt the ciphertext C, the n communicating parties perform the following interactions.

Step S21: The nth communication party A _n extracts the bit string C ₁ from the ciphertext C, converts the data type of C ₁ into a point on the elliptic curve, verifies whether C ₁ ∈ G ₁ is established, and if not, reports an error and exits. ; otherwise, A _n calculates the first temporary variable

And send w ₁ to A _n-1 .

Step S22: After receiving the w ₁ , the A _n-1 calculates the second temporary variable.

And send w ₂ to A _n-2 .

Step S23: After receiving the w ₂ by A _n-2 , calculating the third temporary variable

And send w ₃ to A _n-3 .

Step S24: and so on, after A ₂ receives w _n-2 , the n-1th temporary variable is calculated.

And send w _n-1 to A ₁ .

Step S25: After A ₁ receives w _n-1 , the nth temporary variable is calculated.

And convert the data type of w _n into a bit string. A ₁ is classified according to the method of encrypting plaintext for decryption calculation.

The specific manner in which A ₁ is classified according to the method of encrypting plaintext is as follows.

a) If the method of encrypting plaintext is a sequence cipher algorithm based on a key derivation function, then

i. Calculate klen=mlen+K _{2_} len, then calculate K'=KDF(C ₁ ||w _n ||ID, klen). Let K ₁ ' be the pre-Mlen bit of K', K ₂ ' be the K _{2_} len bit of K', and if K ₁ ' is a full 0-bit string, report an error and exit;

Ii. Otherwise, calculate

b) if the method of encrypting plaintext is a block cipher algorithm based on a key derivation function, then

i. Calculate klen=K _{1_} len+K _{2_} len, then calculate K'=KDF(C ₁ ||w _n ||ID, klen). Let K ₁ ' be the K _{1_} len bit before K', K ₂ ' be the K _{2_} len bit of K', and if K ₁ ' is a full 0 bit string, report an error and exit;

Ii. Otherwise, calculate M'=Dec(K ₁ ', C ₂ ), where Dec(·) is a packet decryption algorithm.

c) calculate u = MAC (K ₂ ', C ₂ ), take the bit string C ₃ from C, and if u ≠ C ₃ , report an error and exit;

d) Otherwise, the plaintext M' is output.

Moreover, the present invention also discloses a computer storage medium having a computer program thereon running the computer program to perform the steps of the multi-distributed SM9 decryption method as described in the foregoing embodiments. Since the steps performed are the same as those of the foregoing embodiment, they are not described herein again.

The invention has the advantages of high security, low communication cost, and the like, and the communication party must participate in the complete decryption of the message without leaking the respective keys. In the basic operation operation, the bilinear map calculation is relatively expensive, so in the solution of the present invention, the bilinear operation is performed by one communication party, thereby reducing the computational cost of other communication parties and reducing the number of interactions.

Although the above method is illustrated and described as a series of acts for simplicity of the explanation, it should be understood and appreciated that these methods are not limited by the order of the acts, as some acts may occur in different orders in accordance with one or more embodiments. And/or concurrently with other acts from what is illustrated and described herein or that are not illustrated and described herein, but are understood by those skilled in the art.

Those skilled in the art will further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps are described above generally in the form of their functionality. Whether such functionality is implemented as hardware or software depends on the particular application and design constraints imposed on the overall system. The skilled person will be able to implement the described functionality in a different manner for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the invention.

Various illustrative logic blocks, modules, and circuits described in connection with the embodiments disclosed herein may be general purpose processors, digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or others. Programmable logic devices, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein are implemented or executed. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. The processor may also be implemented as a combination of computing devices, such as a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.

The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor to enable the processor to read and write information to/from the storage medium. In the alternative, the storage medium can be integrated into the processor. The processor and the storage medium can reside in an ASIC. The ASIC can reside in the user terminal. In the alternative, the processor and the storage medium may reside as a discrete component in the user terminal.

In one or more exemplary embodiments, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented as a computer program product in software, the functions may be stored on or transmitted as one or more instructions or code on a computer readable medium. Computer readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available media that can be accessed by a computer. By way of example and not limitation, such computer readable media may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, disk storage or other magnetic storage device, or can be used to carry or store instructions or data structures. Any other medium that is desirable for program code and that can be accessed by a computer. Any connection is also properly referred to as a computer readable medium. For example, if the software is transmitted from a web site, server, or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave. The coaxial cable, fiber optic cable, twisted pair cable, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of the medium. Disks and discs as used herein include compact discs (CDs), laser discs, optical discs, digital versatile discs (DVDs), floppy discs, and Blu-ray discs, in which disks are often reproduced magnetically. Data, and discs optically reproduce data with a laser. Combinations of the above should also be included within the scope of computer readable media.

The previous description of the disclosure is provided to enable any person skilled in the art to make or use the disclosure. Various modifications to the present disclosure will be obvious to those skilled in the art, and the general principles defined herein may be applied to other variations without departing from the spirit or scope of the disclosure. The present disclosure is not intended to be limited to the examples and designs described herein, but rather the broadest scope of the principles and novel features disclosed herein.

Claims

A key generation method, comprising:

Step 1: The key generation center calculates a temporary variable t 1 =H 1 (ID||hid,q)+ke, if t 1 =0, regenerates the master key, calculates and publicizes the encrypted master public key, and updates the Have the user's encryption key, otherwise calculate the second temporary variable
among them
Representing the inverse of t 1 modulo q, ie
Where ke denotes the master private key, hid is the key generation center selects the encryption key generation function identifier expressed by one byte, q is the order of the cyclic group and q>2 191 is the prime number, and the ID is the identity identifier of the user , H 1 () represents a cryptographic function derived from a cryptographic hash function;

Step 2: The key generation center randomly selects d 1 , d 2 ,..., d n-1 ∈[1,q-1], and calculates
among them
Representing the inverse of d i modulo q, ie
Where [1, q-1] represents a set of integers not less than 1 and not greater than q-1;

Step 3: The Key Generation Center sets the first part of the encryption key.
Second part encryption key
And so on, the n-1 part encryption key
Part n encryption key
Wherein P 2 represents a generator of the addition cycle group G 2 whose order is prime q, and [d n ]P 2 is d n times the generator P 2 ;

Step 4: User put
Stored in device A i .
The key generation method according to claim 1, further comprising a system initialization phase before the step 1:

The key generation center selects the random number ke∈[1,q-1] as the primary private key, calculates P pub-e =[ke]P 1 as the encrypted primary public key, and the key generation center secretly saves the primary private key ke. P pub-e is published, and the key generation center selects to disclose an encryption key generation function identifier hid represented by one byte, where P 1 is a generator of the addition cycle group G 1 whose order is prime q, [ke]P 1 is the ke times of the generated element P 1 .
A computer storage medium characterized in that a computer program is stored, and the computer program is executed to perform the following steps:

Step 1: The key generation center calculates a temporary variable t 1 =H 1 (ID||hid,q)+ke, if t 1 =0, regenerates the master key, calculates and publicizes the encrypted master public key, and updates the Have the user's encryption key, otherwise calculate the second temporary variable
among them
Representing the inverse of t 1 modulo q, ie
Where ke denotes the master private key, hid is the key generation center selects the encryption key generation function identifier expressed by one byte, q is the order of the cyclic group and q>2 191 is the prime number, and the ID is the identity identifier of the user , H 1 () represents a cryptographic function derived from a cryptographic hash function;

Step 2: The key generation center randomly selects d 1 , d 2 ,..., d n-1 ∈[1,q-1], and calculates
among them
Representing the inverse of d i modulo q, ie
Where [1, q-1] represents a set of integers not less than 1 and not greater than q-1;

Step 3: The Key Generation Center sets the first part of the encryption key.
Second part encryption key
And so on, the n-1 part encryption key
Part n encryption key
Wherein P 2 represents a generator of the addition cycle group G 2 whose order is prime q, and [d n ]P 2 is d n times the generator P 2 ;

Step 4: User put
Stored in device A i .
The computer storage medium of claim 3 wherein the step of executing the computer program execution further comprises the system initialization phase prior to step 1:

The key generation center selects the random number ke∈[1,q-1] as the primary private key, calculates P pub-e =[ke]P 1 as the encrypted primary public key, and the key generation center secretly saves the primary private key ke. P pub-e is published, and the key generation center selects to disclose an encryption key generation function identifier hid represented by one byte, where P 1 is a generator of the addition cycle group G 1 whose order is prime q, [ke]P 1 is the ke times of the generated element P 1 .
A multi-distributed SM9 decryption method, comprising:

Step 1: The nth communication party A n extracts the bit string C 1 from the ciphertext C, converts the data type of C 1 into a point on the elliptic curve, verifies whether C 1 ∈ G 1 is established, and if not, reports an error and exits ; otherwise, A n calculates the first temporary variable
And send w 1 to A n-1 , where ciphertext C=C 1 ||C 3 || C 2 , C 1 , C 2 , C 3 are bit strings, and G 1 is an additive cyclic group whose order q is a prime number ,
The n-th part encryption key set for the key generation center, e(·,·) represents a bilinear map of G 1 ×G 2 →G T , and G 1 , G 2 are addition cycle groups whose order is a prime number q, G T is a multiplicative cyclic group whose order is a prime number q;

Step 2: After the n-1th communicating party A n-1 receives w 1 , calculate the second temporary variable
And send w 2 to the n-2th communicating party A n-2 , wherein
The n-1th part encryption key set for the key generation center,
Representing w 1
Power, ie

Step 3: After the n-2th communicating party A n-2 receives w 2 , calculate the third temporary variable
And send w 3 to the n-3th party A n-3 , wherein
The n-2th encryption key set for the key generation center;

Step 4: By analogy, after receiving the w n-2 , the second communicating party A 2 calculates the n-1th temporary variable.
And send w n-1 to the first communication party A 1 , wherein
The second part encryption key set for the key generation center;

Step 5: After receiving the w n-1 , the first communication party A 1 calculates the nth temporary variable.
The data type of w n is converted into a bit string, and the first communication party A 1 classifies and decrypts according to the method of encrypting plaintext.
The multi-distributed SM9 decryption method according to claim 5, wherein the decrypting calculation according to the method of encrypting plaintext in step 5 further comprises:

If the method of encrypting plaintext is based on the sequence cipher algorithm of the key derivation function KDF(·), calculate klen=mlen+K 2_ len, and then calculate K'=KDF(C 1 ||w n ||ID,klen), Let K 1 ' be the pre-Mlen bit of K', and K 2 ' be the K 2_ len bit of K'. If K 1 ' is a full 0-bit string, report an error and exit, otherwise calculate
Where mlen is the bit length of ciphertext C, K 2_ len is the bit length of the key K 2 in the message authentication code function MAC (K 2 , Z), and ID represents the identity of the user as the decrypter, and can uniquely determine the user's public Key, Z represents a message data bit string of the message authentication code to be obtained;

If the method of encrypting plaintext is a block cipher algorithm based on the key derivation function KDF(·), calculate klen=K 1_ len+K 2_ len, then calculate K'=KDF(C 1 ||w n ||ID,klen Let K 1 ' be the K 1_ len bit before K' and K 2 ' be the K 2_ len bit of K'. If K 1 ' is a full 0 bit string, report an error and exit, otherwise calculate M'=Dec ( K 1 ', C 2 ), where K 1_ len is the bit length of the key K 1 in the block cipher algorithm Dec(·), and klen represents the length of the output bit string, and the value is preset;

Then calculate u=MAC(K 2 ', C 2 ), take the bit string C 3 from C, and if u ≠ C 3 , report an error and exit, otherwise output the plaintext M′.
A computer storage medium, characterized in that a computer program is stored, and after running the computer program, the following steps are performed:

Step 1: The nth communication party A n extracts the bit string C 1 from the ciphertext C, converts the data type of C 1 into a point on the elliptic curve, verifies whether C 1 ∈ G 1 is established, and if not, reports an error and exits ; otherwise, A n calculates the first temporary variable
And send w 1 to A n-1 , where ciphertext C=C 1 ||C 3 || C 2 , C 1 , C 2 , C 3 are bit strings, and G 1 is an additive cyclic group whose order q is a prime number ,
The n-th part encryption key set for the key generation center, e(·,·) represents a bilinear map of G 1 ×G 2 →G T , and G 1 , G 2 are addition cycle groups whose order is a prime number q, G T is a multiplicative cyclic group whose order is a prime number q;

Step 2: After the n-1th communicating party A n-1 receives w 1 , calculate the second temporary variable
And send w 2 to the n-2th communicating party A n-2 , wherein
The n-1th part encryption key set for the key generation center,
Representing w 1
Power, ie

Step 3: After the n-2th communicating party A n-2 receives w 2 , calculate the third temporary variable
And send w 3 to the n-3th party A n-3 , wherein
The n-2th encryption key set for the key generation center;

Step 4: By analogy, after receiving the w n-2 , the second communicating party A 2 calculates the n-1th temporary variable.
And send w n-1 to the first communication party A 1 , wherein
The second part encryption key set for the key generation center;

Step 5: After receiving the w n-1 , the first communication party A 1 calculates the nth temporary variable.
The data type of w n is converted into a bit string, and the first communication party A 1 classifies and decrypts according to the method of encrypting plaintext.
The computer storage medium according to claim 7, wherein the performing the decryption calculation by the method of encrypting plaintext in step 5 of the execution of the computer program further comprises:

If the method of encrypting plaintext is based on the sequence cipher algorithm of the key derivation function KDF(·), calculate klen=mlen+K 2_ len, and then calculate K'=KDF(C 1 ||w n ||ID,klen), Let K 1 ' be the pre-Mlen bit of K', and K 2 ' be the K 2_ len bit of K'. If K 1 ' is a full 0-bit string, report an error and exit, otherwise calculate
Where mlen is the bit length of ciphertext C, K 2_ len is the bit length of the key K 2 in the message authentication code function MAC (K 2 , Z), and ID represents the identity of the user as the decrypter, and can uniquely determine the user's public Key, Z represents a message data bit string of the message authentication code to be obtained;

If the method of encrypting plaintext is a block cipher algorithm based on the key derivation function KDF(·), calculate klen=K 1_ len+K 2_ len, then calculate K'=KDF(C 1 ||w n ||ID,klen Let K 1 ' be the K 1_ len bit before K' and K 2 ' be the K 2_ len bit of K'. If K 1 ' is a full 0 bit string, report an error and exit, otherwise calculate M'=Dec ( K 1 ', C 2 ), where K 1_ len is the bit length of the key K 1 in the block cipher algorithm Dec(·), and klen represents the length of the output bit string, and the value is preset;

Calculate u = MAC(K 2 ', C 2 ), take the bit string C 3 from C, and if u ≠ C 3 , report an error and exit, otherwise output plaintext M'.