CN107483205A - Digital signature generation method and system based on an encrypted private key secret - Google Patents

Publication number: CN107483205A
Authority: CN (China)
Legal status: Granted (Active)
Application number: CN201710900625.7A
Other languages: Chinese (zh)
Other versions: CN107483205B (en)
Inventor: 龙毅宏
Current Assignee: Wuhan University of Technology WUT
Original Assignee: Wuhan University of Technology WUT
Application filed by Wuhan University of Technology WUT
Priority to CN201710900625.7A

Abstract

The present invention relates to a digital signature generation method based on an encrypted private key secret. $c_1, \ldots, c_m$ are integer secrets, each chosen arbitrarily in $[1, n-1]$ and held by one of $m$ devices; one of the devices also holds $c_{m+1}$ satisfying $c_{m+1} = (c_1 c_2 \cdots c_m)^{-1}(1+d_A)^{-1} \bmod n$, where $n$ is the order of the base point of the SM2 elliptic curve. Using $c_1, \ldots, c_m, c_{m+1}$ and $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$, the $m$ devices cooperatively generate a digital signature on a message under the user's SM2 private key $d_A$. Unlike the prior art, the invention does not store or use secret shares of the private key; it uses the encrypted private key secret instead, which improves the security of the scheme. Each device can furthermore update its own secret $c_i$, which improves the security of the scheme further. A digital signature generation system built on the method comprises the $m$ devices that use the method.

Description

Digital signature generation method and system based on an encrypted private key secret
Technical field
The invention belongs to the field of information security technology, and in particular concerns a digital signature generation method and system based on an encrypted private key secret.
Background
SM2 is an elliptic curve public key cryptographic algorithm promulgated by the State Cryptography Administration (see the specification "SM2 Elliptic Curve Public Key Cryptographic Algorithm", State Cryptography Administration, December 2010); digital signature, key exchange and data encryption can all be realized with it. However, because of the particular way SM2 computes a digital signature, ordinary secret sharing (splitting) and the cryptographic operations built on it are not suited to signing with an SM2 private key. Several technical schemes have been proposed for this problem. They generally split the secret $(1+d_A)^{-1}$ of the user's SM2 private key $d_A$ into several parts $d_1, \ldots, d_m$, each called a secret share, which satisfy $(d_1 d_2 \cdots d_m) \bmod n = (1+d_A)^{-1}$ or $(d_1 d_2 \cdots d_m) \bmod n = (1+d_A)$ (the two are equivalent), or $(d_1 + d_2 + \cdots + d_m) \bmod n = (1+d_A)^{-1}$; the shares are then given to $m$ devices to hold, one each. When the user's private key $d_A$ is needed to sign a message, the $m$ devices compute the digital signature on the message cooperatively, each using its own share among $d_1, \ldots, d_m$. Methods of this kind have the following problems:
First, each device holds and uses a secret share directly related to the secret $(1+d_A)^{-1}$. Once a share leaks, it gives an attacker useful information for cracking $(1+d_A)^{-1}$ (that is, $d_A$) and raises the risk that the private key $d_A$ is cracked (the leak of a single device's share does not mean the private key is cracked, but it does increase the risk);
Second, once the private key secret $(1+d_A)^{-1}$ has been split and shared, the secret shares cannot change (a change would mean a change of private key), and secrets that stay fixed for a long time increase the risk of being cracked.
Summary of the invention
The purpose of the invention is to propose a digital signature generation method, and a corresponding system, that is based on an encrypted private key secret and allows the secrets to be updated, so as to further improve the security of SM2 digital signature generation based on cooperative computation and reduce the risk of the private key being cracked.
To this end, the technical scheme proposed by the invention is a digital signature generation method and system based on an encrypted private key secret.
In the description of the technical scheme below, if $P$ and $Q$ are elements (points) of the elliptic curve point group, $P+Q$ denotes the point addition of $P$ and $Q$, $P-Q$ denotes $P$ plus the inverse element of $Q$, and $[k]P$ denotes the sum of $k$ copies of the elliptic curve point $P$, i.e. $P+P+\cdots+P$ ($k$ copies of $P$ in total). An ellipsis "…" stands for several data items of the same type or several identical operations. $c^{-1}$ denotes the multiplicative inverse of the integer $c$ modulo $n$ (i.e. $c\,c^{-1} \bmod n = 1$). When several integers are multiplied (integer symbols with each other, or a constant with an integer symbol), the multiplication sign "·" is omitted where no ambiguity arises: $k_1 \cdot k_2$ is written $k_1 k_2$, and $3 \cdot c$ is written $3c$. $\bmod\ n$ denotes the modulo-$n$ operation, corresponding to modn in the "SM2 Elliptic Curve Public Key Cryptographic Algorithm" specification (State Cryptography Administration, December 2010). The operator $\bmod\ n$ has the lowest precedence: $a+b \bmod n$ equals $(a+b) \bmod n$, $a-b \bmod n$ equals $(a-b) \bmod n$, and $ab \bmod n$ equals $(ab) \bmod n$.
The digital signature generation method based on an encrypted private key secret comprises a basic method and a method derived from it. The basic method is as follows.
The basic method involves $m$ devices, where $m \geq 2$;
The $m$ devices are labelled device 1 to device $m$;
The $m$ devices hold integer secrets $c_1, c_2, \ldots, c_m$ in the interval $[1, n-1]$, where $c_i$ is the secret held by device $i$, $i = 1, \ldots, m$; device $m$ additionally holds an integer $c_{m+1}$ in $[1, n-1]$; the secrets held by the $m$ devices satisfy the relation:
$c_{m+1} = (c_1 c_2 \cdots c_m)^{-1}(1+d_A)^{-1} \bmod n$,
where $d_A$ is the user's SM2 private key and $n$ is the order of the elliptic curve point group used in SM2 cryptographic operations, i.e. the order of its base point $G$ (the elliptic curve point group used in SM2 cryptographic operations is the cyclic group generated by the base point $G$);
(here $c_{m+1}$ is in effect the private key secret $(1+d_A)^{-1}$ encrypted under $c_1, c_2, \ldots, c_m$, i.e. the encrypted private key secret)
The following are precomputed in the initialization phase:
$G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$,
$P = [d_A]G$,
where $d_A$ is the user's SM2 private key, $G$ is the base point of the elliptic curve point group used in SM2 cryptographic operations, and $P$ is the public key corresponding to $d_A$;
$G_c$ is distributed to the $m$ devices and $P$ is published;
When the user's SM2 private key $d_A$ is needed to sign a message $M$, the $m$ devices generate the digital signature as follows (the party that needs to sign $M$ with the user's SM2 private key $d_A$ may be a cryptographic application, system or cryptographic module that calls the $m$ devices, or a cryptographic application or system in one of the $m$ devices):
Device 1 randomly chooses an integer $k_1$ in $[1, n-1]$ and computes $G_1 = [k_1]G_c$ or $G_1 = [c_1 k_1]G_c$;
Device 1 sends $G_1$ to the next device, device 2;
Device $i$, $i = 2, \ldots, m$, on receiving $G_{i-1}$, randomly chooses an integer $k_i$ in $[1, n-1]$ and computes $G_i = [c_i]G_{i-1} + [k_i]G_c$ or $G_i = [c_i](G_{i-1} + [k_i]G_c)$;
Different devices may compute $G_i$ with the same formula or with different ones (each chooses independently);
If $i \neq m$, then after computing $G_i$ device $i$ sends it to the next device, device $i+1$, and so on until device $m$ has computed $G_m$;
If $i = m$, then after computing $G_m$ device $m$ takes an integer $k_{m+1}$ in $[0, n-1]$, either fixed or chosen at random ($k_{m+1}$ may be 0), and computes $G_{m+1} = G_m + [k_{m+1}](G+P)$ or $G_{m+1} = (G_m + [k_{m+1}]G_c)$ (if $k_{m+1} = 0$, then $G_{m+1} = G_m$); the computation of $r$ follows;
Once $G_{m+1}$ has been computed, one of the $m$ devices, or a device outside the $m$ devices, computes $r = (e + x_1) \bmod n$, where $x_1$ is taken from $(x_1, y_1) = G_{m+1}$ and $e$ is the hash value derived from the user identity and the message $M$ (under the SM2 algorithm, $e$ is the hash value of the data formed by joining $Z_A$, the hash value derived from the user identity $ID_A$ and other parameters, with the message $M$; see the SM2 specification);
If the resulting $r$ and $G_{m+1}$ satisfy $r \neq 0$ and $[r]G + G_{m+1}$ is not the zero element (point at infinity) of the SM2 elliptic curve point group, the computation of the digital signature continues; otherwise $G_1, \ldots, G_m, G_{m+1}$ and $r$ are recomputed until $r \neq 0$ and $[r]G + G_{m+1}$ is not the zero element (point at infinity) of the SM2 elliptic curve point group;
Once $r$ has been computed, the computation of $s$ begins;
Device 1 sets $s_0 = r$;
Device 1 computes $s_1$ as follows:
If $G_1$ was computed with the formula $G_1 = [k_1]G_c$, then $s_1 = (c_1 s_0 + k_1) \bmod n$;
If $G_1$ was computed with the formula $G_1 = [c_1 k_1]G_c$, then $s_1 = (c_1 s_0 + c_1 k_1) \bmod n$;
(the $k_1$ used to compute $s_1$ is the same $k_1$ used to compute $G_1$)
Device 1 sends $s_1$ to the next device, device 2;
Device $i$, $i = 2, \ldots, m$, on receiving $s_{i-1}$, computes $s_i$ as follows:
If $G_i$ was computed with the formula $G_i = [c_i]G_{i-1} + [k_i]G_c$, then $s_i = (c_i s_{i-1} + k_i) \bmod n$;
If $G_i$ was computed with the formula $G_i = [c_i](G_{i-1} + [k_i]G_c)$, then $s_i = c_i(s_{i-1} + k_i) \bmod n$;
(the $k_i$ used to compute $s_i$ is the same $k_i$ used to compute $G_i$)
If $i \neq m$, then after computing $s_i$ device $i$ sends it to the next device, device $i+1$, and so on until device $m$ has computed $s_m$;
If $i = m$, then after computing $s_m$ device $m$ computes $s_{m+1}$ as follows:
If $G_{m+1}$ was computed with the formula $G_{m+1} = G_m + [k_{m+1}](G+P)$, then $s_{m+1} = (c_{m+1} s_m + k_{m+1}) \bmod n$;
If $G_{m+1}$ was computed with the formula $G_{m+1} = (G_m + [k_{m+1}]G_c)$, then $s_{m+1} = c_{m+1}(s_m + k_{m+1}) \bmod n$
(the $k_{m+1}$ used to compute $s_{m+1}$ is the same $k_{m+1}$ used to compute $G_{m+1}$)
Device $m$ computes $s = (s_{m+1} - r) \bmod n$;
$(r, s)$ is the generated digital signature on message $M$.
The device that finally computes $(r, s)$ verifies the validity of the digital signature $(r, s)$ using the message $M$ and the public key corresponding to the user's private key $d_A$; if the signature is invalid, the $m$ devices generate the digital signature again.
In the above method, unless the $m$ devices collude, the method is secure even if $c_{m+1}$ is made public; keeping it undisclosed is more secure.
If $d_A$ is known (generated) in advance, then in the initialization phase the device that knows $d_A$ in advance chooses or computes $c_i$, $i = 1, \ldots, m, m+1$, and computes $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ and the public key $P$ corresponding to the user's private key $d_A$, as follows:
It randomly chooses $m$ integers $c_i$ in $[1, n-1]$, to be held securely by the $m$ devices respectively, where $c_i$ is the integer secret held by device $i$, $i = 1, \ldots, m$;
It computes $c_{m+1} = (c_1 c_2 \cdots c_m)^{-1}(1+d_A)^{-1} \bmod n$ and $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$,
It computes $P = [d_A]G$, the SM2 public key corresponding to the user's private key $d_A$;
After computing $c_{m+1}$, $G_c$ and $P$, it hands $c_{m+1}$ to device $m$ to hold, distributes the computed $G_c$ to the $m$ devices, publishes the public key $P$, destroys $d_A$, and destroys every $c_i$, $i = 1, \ldots, m, m+1$, that it does not itself hold and use;
The device that knows $d_A$ in advance is one of the $m$ devices or a device outside the $m$ devices.
If $d_A$ is not known in advance (not yet generated), then in the initialization phase the $m$ devices choose $c_i$, $i = 1, \ldots, m, m+1$, and compute $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ and the public key $P$ corresponding to the user's private key $d_A$, as follows:
Each of the $m$ devices randomly chooses an integer $c_i$ in $[1, n-1]$, $i = 1, \ldots, m$, where $c_i$ is the integer chosen at random by device $i$;
Device $m$ also randomly chooses an integer $c_{m+1}$ in $[1, n-1]$;
The $m$ devices compute $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ as follows:
Device 1 computes $P_1 = [(c_1)^{-1}]G$;
Device 1 sends $P_1$ to the next device, device 2;
Device $i$, $i = 2, \ldots, m$, on receiving $P_{i-1}$, computes $P_i = [(c_i)^{-1}]P_{i-1}$;
If $i = m$, then $G_c = P_m$ is $[(c_1 c_2 \cdots c_m)^{-1}]G$; otherwise device $i$ sends $P_i$ to the next device, device $i+1$, until device $m$ has computed $P_m$;
After computing $P_m$, device $m$ computes $P_{m+1} = [(c_{m+1})^{-1}]P_m$;
Device $m$ computes $P = P_{m+1} - G$;
If $P$ is not the zero element (point at infinity) of the SM2 elliptic curve point group, $P$ is the SM2 public key corresponding to the user's private key $d_A$; otherwise the selection of $c_i$, $i = 1, \ldots, m, m+1$, starts over and $G_c$ and $P$ are recomputed, until $P$ is not the zero element (point at infinity) of the SM2 elliptic curve point group;
After $G_c$ and $P$ have been computed, the computed $G_c$ is distributed to the $m$ devices and the public key $P$ is published.
While computing $G_i$, $i = 1, \ldots, m, m+1$, if some $G_i$ turns out to be the zero element (point at infinity) of the SM2 elliptic curve point group, the computation of $G_i$ is redone (usually starting again from $G_1$ and recomputing $G_1, \ldots, G_i$) until $G_i$ is not the zero element (point at infinity) of the SM2 elliptic curve point group.
If, in the computation above, after $G_{m+1}$ and $r$ are computed only whether $r$ is zero is checked, whether $[r]G + G_{m+1}$ is the zero element (point at infinity) of the SM2 elliptic curve point group is not checked, and $G_{m+1}$ and $r$ are recomputed only when $r = 0$ (as long as $r \neq 0$ they are not recomputed), then:
After $s$ is computed, if the check finds $(s + r) \bmod n = 0$, the computed $s$ is discarded, $G_{m+1}$ and $r$ are recomputed (for example starting over from $G_1$, or recomputing only $G_{m+1}$), and $s$ is recomputed; this is repeated until $(s + r) \bmod n \neq 0$.
Device $i$, $i = 1$ or ..., or $m$, updates $c_i$ as follows (the $m$ devices need not update their $c_i$ at the same time):
It randomly chooses an integer $t_i$ in $[1, n-1]$ and updates $c_i$ to $(t_i c_i) \bmod n$ (the new value of $c_i$);
It gives $t_i$ to the device that holds $c_{m+1}$ (in the basic method, if $i = m$ this means giving it to itself; in the derived method described below, it is given to device $m+1$);
The device that holds $c_{m+1}$ updates $c_{m+1}$ to $((t_i)^{-1} c_{m+1}) \bmod n$ (the new value of $c_{m+1}$) (this does not leak $c_i$);
Afterwards, device $i$ or the device that holds $c_{m+1}$ updates $G_c$ to $[(t_i)^{-1}]G_c$ (the new value of $G_c$);
If device $i$ takes $t_i = b_i (c_i)^{-1} \bmod n$, where $b_i$ is an integer chosen at random in $[1, n-1]$, then device $i$ has replaced its secret $c_i$ with $b_i$.
The device that holds $c_{m+1}$ actively updates $c_{m+1}$ as follows:
It randomly chooses an integer $t_{m+1}$ in $[1, n-1]$ and updates $c_{m+1}$ to $(t_{m+1} c_{m+1}) \bmod n$ (the new value of $c_{m+1}$);
It gives $t_{m+1}$ to device $i$, $i = 1$ or ..., or $m$ (a device chosen at random from devices 1 to $m$; in the basic method, if $i = m$ this means giving it to itself; in the derived method described below, it is given to device $m+1$);
Device $i$ updates $c_i$ to $((t_{m+1})^{-1} c_i) \bmod n$ (the new value of $c_i$);
Afterwards, device $i$ or the device that holds $c_{m+1}$ updates $G_c$ to $[t_{m+1}]G_c$ (the new value of $G_c$).
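The basic method end to end (initialization when $d_A$ is not generated in advance, the two-pass cooperative signing, and a device-side update of $c_i$), as an added Python example that is not part of the patent text. Assumptions: the first formula of each pair is used at every step, SHA-256 stands in for the SM3-based $e$, the devices are in-process objects, the names `Device`, `keygen`, `sign`, `verify` and `refresh` are hypothetical, and the curve arithmetic has no side-channel hardening.

```python
import hashlib
import secrets
# SM2 recommended curve sm2p256v1 (y^2 = x^3 + a*x + b over GF(p)); G has prime order N.
FP = 2**256 - 2**224 - 2**96 + 2**64 - 1
A = FP - 3
N = int("FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123".replace(" ", ""), 16)
G = (int("32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7".replace(" ", ""), 16),
     int("BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0".replace(" ", ""), 16))

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, pt):
    """[k]pt by double-and-add (illustration only, not constant time)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def rnd():
    return secrets.randbelow(N - 1) + 1      # uniform in [1, n-1]

def digest(msg):
    # Assumption: SHA-256 stands in for e; SM2 specifies SM3 over Z_A || M.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

class Device:
    """Device i: holds c_i and, between the two signing passes, its k_i."""
    def __init__(self):
        self.c, self.k = rnd(), None
    def keygen_step(self, p_prev):           # P_i = [c_i^-1] P_{i-1}
        return mul(pow(self.c, -1, N), p_prev)
    def g_step(self, g_prev, gc):            # G_i = [c_i]G_{i-1} + [k_i]G_c; G_0 = infinity gives G_1 = [k_1]G_c
        self.k = rnd()
        return add(mul(self.c, g_prev), mul(self.k, gc))
    def s_step(self, s_prev):                # s_i = (c_i s_{i-1} + k_i) mod n
        return (self.c * s_prev + self.k) % N

def keygen(m):
    """Initialization without a pre-existing d_A: no party ever computes d_A."""
    while True:
        devs, c_last = [Device() for _ in range(m)], rnd()   # c_{m+1}, held by device m
        gc = G
        for d in devs:
            gc = d.keygen_step(gc)                           # ends as G_c = P_m
        pub = add(mul(pow(c_last, -1, N), gc), (G[0], -G[1] % FP))   # P = P_{m+1} - G
        if pub is not None:
            return devs, c_last, gc, pub

def verify(pub, e, r, s):
    """Standard SM2 verification equation."""
    t = (r + s) % N
    if not (0 < r < N and 0 < s < N) or t == 0:
        return False
    pt = add(mul(s, G), mul(t, pub))
    return pt is not None and (e + pt[0]) % N == r

def sign(devs, c_last, gc, pub, e):
    while True:
        gi = None
        for d in devs:                                       # first pass: G_1 ... G_m
            gi = d.g_step(gi, gc)
        k_last = rnd()
        g_last = add(gi, mul(k_last, add(G, pub)))           # G_{m+1} = G_m + [k_{m+1}](G + P)
        if g_last is None:
            continue
        r = (e + g_last[0]) % N
        if r == 0 or add(mul(r, G), g_last) is None:
            continue
        s = r                                                # s_0 = r
        for d in devs:                                       # second pass: s_1 ... s_m
            s = d.s_step(s)
        s = (c_last * s + k_last - r) % N                    # s = s_{m+1} - r
        if verify(pub, e, r, s):                             # final check; retry if invalid
            return r, s

def refresh(devs, i, c_last, gc):
    """Device i re-randomizes c_i with t_i; returns the updated c_{m+1} and G_c."""
    t = rnd()
    devs[i].c = devs[i].c * t % N
    return pow(t, -1, N) * c_last % N, mul(pow(t, -1, N), gc)

if __name__ == "__main__":
    devs, c_last, gc, pub = keygen(3)
    e = digest(b"constructed sample message")
    print(verify(pub, e, *sign(devs, c_last, gc, pub, e)))
```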
On the basis of the basic method above, a corresponding digital signature generation system can be built. The system comprises $m$ devices, numbered device 1 to device $m$; following the digital signature generation method, the $m$ devices use $c_1, c_2, \ldots, c_{m+1}$ to generate SM2 digital signatures on messages.
On the basis of the basic method above, a further digital signature generation method based on an encrypted private key secret can be derived, as follows.
The derived digital signature generation method involves $m+1$ devices, where $m \geq 2$;
The $m+1$ devices are labelled device 1, ..., device $m$, device $m+1$;
The derived digital signature generation method differs from the original method it is derived from as follows:
The $c_{m+1}$ satisfying the relation $c_{m+1} = (c_1 c_2 \cdots c_m)^{-1}(1+d_A)^{-1} \bmod n$ is held and used as a secret by device $m+1$, while $c_1, \ldots, c_m$ are the secrets held by devices 1 to $m$ respectively;
When the user's SM2 private key $d_A$ is needed to sign a message $M$, devices 1 to $m$ compute $G_m$ by the cooperative computation of the original method;
Device $m$ sends $G_m$ to device $m+1$;
Device $m+1$ randomly chooses an integer $k_{m+1}$ in $[1, n-1]$ and computes $G_{m+1}$ in the way device $m$ computes $G_{m+1}$ in the original method;
Once $G_{m+1}$ has been computed, one of the $m+1$ devices, or a device outside the $m+1$ devices, computes $r = (e + x_1) \bmod n$, where $x_1$ is taken from $(x_1, y_1) = G_{m+1}$ and $e$ is the hash value derived from the user identity and the message $M$;
After an $r$ that satisfies the conditions has been computed, devices 1 to $m$ compute $s_m$ by the cooperative computation of the original method;
Device $m$ sends $s_m$ to device $m+1$;
Device $m+1$ computes $s_{m+1}$ in the way device $m$ computes $s_{m+1}$ in the original method, using the $k_{m+1}$ it used when computing $G_{m+1}$;
Device $m+1$ computes $s = (s_{m+1} - r) \bmod n$;
$(r, s)$ is the generated digital signature on message $M$.
(In this scheme $c_{m+1}$ is used as a protected secret; the $m$ devices likewise cannot crack $c_{m+1}$ or the private key $d_A$.)
The initialization of the derived method is as follows:
If $d_A$ is known in advance, then in the initialization phase the device that knows $d_A$ in advance hands the computed $c_{m+1}$ to device $m+1$ to hold and use;
If $d_A$ is not known in advance, then in the initialization phase each of the $m+1$ devices randomly chooses an integer $c_i$ in $[1, n-1]$, $i = 1, \ldots, m, m+1$, where $c_i$ is the integer chosen at random by device $i$; devices 1 to $m$ use $c_1, \ldots, c_m$ to compute $P_m$ in the manner described above, with $G_c = P_m$; device $m+1$ then computes $P_{m+1} = [(c_{m+1})^{-1}]P_m$ and $P = P_{m+1} - G$;
When $c_{m+1}$ is updated, the update operation is performed by device $m+1$.
On the basis of the derived digital signature generation method, a corresponding digital signature generation system can be built. The system comprises $m+1$ devices, where $m \geq 2$, labelled device 1, ..., device $m$, device $m+1$; following the derived method, the $m+1$ devices use $c_1, \ldots, c_m, c_{m+1}$ to generate SM2 digital signatures on messages.
Unlike the common approach of splitting the private key secret $(1+d_A)^{-1}$ directly and obtaining the digital signature by cooperative computation over the split secret, the invention in effect encrypts the private key secret $(1+d_A)^{-1}$ with multiple keys $c_1, \ldots, c_m$, and then obtains the digital signature by cooperative computation using the encrypted private key secret $c_{m+1}$ and the encryption keys $c_1, \ldots, c_m$.
In the method of the invention, since $c_{m+1} = (c_1 c_2 \cdots c_m)^{-1}(1+d_A)^{-1} \bmod n$, $c_{m+1}$ in effect conceals the secret of the private key $d_A$ (it conceals $(1+d_A)^{-1}$); and where $d_A$ has not been generated in advance, choosing $c_{m+1}$ amounts to generating $d_A$ in a very indirect, confidential way.
As the description above shows, with the method of the invention $m$ or $m+1$ devices use randomly generated secrets $c_1, \ldots, c_m$ that are unrelated to the user's SM2 private key $d_A$, together with the secret $c_{m+1}$ that conceals $d_A$, to compute cooperatively a digital signature on a message under the user's SM2 private key $d_A$; the cooperative computation with $c_1, \ldots, c_m$ and $c_{m+1}$ is in effect a decryption of $c_{m+1}$ that exposes neither $c_1, \ldots, c_m$ nor the private key secret $(1+d_A)^{-1}$.
In the method of the invention, the $c_{m+1}$ that contains the private key secret does not in itself need to be kept secret: as long as $c_1, \ldots, c_m$ are protected, the method is inherently secure. Nevertheless, in the invention $c_{m+1}$ is also treated as a secret, which further raises the security of the method; moreover, the secrets $c_1, \ldots, c_m, c_{m+1}$ can be updated continually, which improves the security of the method further.
The Electronic Signature Law of the People's Republic of China requires that electronic signature creation data be controlled by the signer, and the method of the invention meets this requirement well. With the method of the invention, whether the user's private key $d_A$ is generated in advance or not, as long as the device that uses $c_{m+1}$ is a device of the user who owns the private key, such as the user's mobile terminal, the user's private key is entirely under the user's control, because the other devices are never exposed to any secret of the user's private key.
One outstanding advantage of the present patent application is that the secrets $c_1, \ldots, c_m$ of the $m$ devices can be stored in a security center while the private key owner protects the encrypted $c_0$; when the secret $c_i$ of some device is lost, $c_i$ can be recovered from the security center, yet the security center cannot obtain the user's private key; other SM2 cooperative signature schemes cannot do this.
Embodiments
The invention is further described below with reference to embodiments. The following embodiments are only several possible embodiments of the invention; they do not represent all possible embodiments and do not limit the invention.
Embodiment 1
This embodiment comprises $m$ devices labelled 1 to $m$, $m \geq 2$, where device $m$ has the user's previously generated $d_A$; in the initialization phase device $m$ chooses or computes $c_i$, $i = 1, \ldots, m, m+1$, and computes $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ and the public key $P$ corresponding to the user's private key $d_A$, as follows:
It randomly chooses $m$ integers $c_i$ in $[1, n-1]$, $i = 1, \ldots, m$, to be held securely by the $m$ devices respectively, where $c_i$ is the integer secret held by device $i$ ($c_m$ is held by device $m$ itself);
It computes $c_{m+1} = (c_1 c_2 \cdots c_m)^{-1}(1+d_A)^{-1} \bmod n$;
It computes $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$;
It computes $P = [d_A]G$;
After computing $c_{m+1}$, $G_c$ and $P$, device $m$ keeps $c_{m+1}$ itself, distributes the computed $G_c$ to the $m$ devices, publishes the public key $P$, destroys $d_A$, and destroys the $c_i$ that it does not itself hold and use ($i = 1, \ldots, m-1$);
Afterwards, when the user's private key $d_A$ is needed to produce an SM2 digital signature on a message $M$, the $m$ devices generate the SM2 digital signature on $M$ by the basic method of the digital signature generation method based on an encrypted private key secret.
Embodiment 2
This embodiment comprises $m$ devices labelled 1 to $m$, $m \geq 2$, and a device outside the $m$ devices has the user's previously generated $d_A$; in the initialization phase the device that knows $d_A$ in advance chooses or computes $c_i$, $i = 1, \ldots, m, m+1$, and computes $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ and the public key $P$ corresponding to the user's private key $d_A$, as follows:
It randomly chooses $m$ integers $c_i$ in $[1, n-1]$, $i = 1, \ldots, m$, to be held securely by the $m$ devices respectively, where $c_i$ is the integer secret held by device $i$;
It computes $c_{m+1} = (c_1 c_2 \cdots c_m)^{-1}(1+d_A)^{-1} \bmod n$;
It computes $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$;
It computes $P = [d_A]G$;
After computing $c_{m+1}$, $G_c$ and $P$, it hands $c_{m+1}$ to device $m$ to hold, distributes the computed $G_c$ to the $m$ devices, publishes the public key $P$, destroys $d_A$, and destroys $c_i$ ($i = 1, \ldots, m, m+1$);
Afterwards, when the user's private key $d_A$ is needed to produce an SM2 digital signature on a message $M$, the $m$ devices generate the SM2 digital signature on $M$ by the basic method of the digital signature generation method based on an encrypted private key secret.
Embodiment 3
This embodiment comprises $m$ devices labelled 1 to $m$, $m \geq 2$, and no device has a previously generated SM2 private key $d_A$ of the user; in the initialization phase the $m$ devices choose $c_i$, $i = 1, \ldots, m, m+1$, and compute $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ and the public key $P$ corresponding to the user's private key $d_A$, as follows:
Each of the $m$ devices randomly chooses an integer $c_i$ in $[1, n-1]$, $i = 1, \ldots, m$, where $c_i$ is the integer chosen at random by device $i$;
Device $m$ also randomly chooses an integer $c_{m+1}$ in $[1, n-1]$;
The $m$ devices compute $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ as follows:
Device 1 computes $P_1 = [(c_1)^{-1}]G$;
Device 1 sends $P_1$ to the next device, device 2;
Device $i$, $i = 2, \ldots, m$, on receiving $P_{i-1}$, computes $P_i = [(c_i)^{-1}]P_{i-1}$;
If $i = m$, then $G_c = P_m$ is $[(c_1 c_2 \cdots c_m)^{-1}]G$; otherwise device $i$ sends $P_i$ to the next device, device $i+1$, until device $m$ has computed $P_m$;
After computing $P_m$, device $m$ computes $P_{m+1} = [(c_{m+1})^{-1}]P_m$;
Device $m$ computes $P = P_{m+1} - G$;
If $P$ is not the zero element (point at infinity) of the SM2 elliptic curve point group, $P$ is the SM2 public key corresponding to the user's private key $d_A$; otherwise the selection of $c_i$, $i = 1, \ldots, m+1$, starts over and $G_c$ and $P$ are recomputed, until $P$ is not the zero element (point at infinity) of the SM2 elliptic curve point group;
After $G_c$ and $P$ have been computed, the computed $G_c$ is distributed to the $m$ devices and the public key $P$ is published;
Afterwards, when the user's private key $d_A$ is needed to produce an SM2 digital signature on a message $M$, the $m$ devices generate the SM2 digital signature on $M$ by the basic method of the digital signature generation method based on an encrypted private key secret.
Embodiment 4
This embodiment comprises $m+1$ devices labelled 1 to $m+1$, $m \geq 2$, where device $m+1$ has the user's previously generated SM2 private key $d_A$; in the initialization phase device $m+1$ chooses or computes $c_i$, $i = 1, \ldots, m, m+1$, and computes $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ and the public key $P$ corresponding to the user's private key $d_A$, as follows:
It randomly chooses $m$ integers $c_i$ in $[1, n-1]$, $i = 1, \ldots, m$, to be held securely by $m$ devices respectively, where $c_i$ is the integer secret held by device $i$;
It computes $c_{m+1} = (c_1 c_2 \cdots c_m)^{-1}(1+d_A)^{-1} \bmod n$;
It computes $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$;
It computes $P = [d_A]G$;
After computing $c_{m+1}$, $G_c$ and $P$, device $m+1$ keeps $c_{m+1}$ itself, distributes the computed $G_c$ to the $m$ devices, publishes the public key $P$, destroys $d_A$, and destroys the $c_i$ that it does not itself hold and use ($i = 1, \ldots, m$);
Afterwards, when the user's private key $d_A$ is needed to produce an SM2 digital signature on a message $M$, the $m+1$ devices generate the SM2 digital signature on $M$ by the derived method of the digital signature generation method based on an encrypted private key secret.
Embodiment 5
This embodiment comprises $m+1$ devices labelled 1 to $m+1$, $m \geq 2$, and no device has a previously generated $d_A$ of the user; in the initialization phase the devices choose $c_i$, $i = 1, \ldots, m, m+1$, and compute $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ and the public key $P$ corresponding to the user's private key $d_A$, as follows:
Each of the $m+1$ devices randomly chooses an integer $c_i$ in $[1, n-1]$, $i = 1, \ldots, m+1$, where $c_i$ is the integer chosen at random by device $i$;
The $m$ devices compute $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ as follows:
Device 1 computes $P_1 = [(c_1)^{-1}]G$;
Device 1 sends $P_1$ to the next device, device 2;
Device $i$, $i = 2, \ldots, m$, on receiving $P_{i-1}$, computes $P_i = [(c_i)^{-1}]P_{i-1}$;
If $i = m$, then $G_c = P_m$ is $[(c_1 c_2 \cdots c_m)^{-1}]G$; otherwise device $i$ sends $P_i$ to the next device, device $i+1$, until device $m$ has computed $P_m$;
After computing $P_m$, device $m$ sends $P_m$ to device $m+1$;
Device $m+1$ computes $P_{m+1} = [(c_{m+1})^{-1}]P_m$;
Device $m+1$ computes $P = P_{m+1} - G$;
If $P$ is not the zero element (point at infinity) of the SM2 elliptic curve point group, $P$ is the SM2 public key corresponding to the user's private key $d_A$; otherwise the selection of $c_i$, $i = 1, \ldots, m, m+1$, starts over and $G_c$ and $P$ are recomputed, until $P$ is not the zero element (point at infinity) of the SM2 elliptic curve point group;
After $G_c$ and $P$ have been computed, the computed $G_c$ is distributed to the $m$ devices and the public key $P$ is published;
Afterwards, when the user's private key $d_A$ is needed to produce an SM2 digital signature on a message $M$, the $m+1$ devices generate the SM2 digital signature on $M$ by the derived method of the digital signature generation method based on an encrypted private key secret.
The digital signature that method based on the present invention can build the private key secret based on encryption accordingly generates system, and this is System includes m or m+1 device, m >=2, and one of device can be the mobile terminal of user (such as in basic skills M devices, or the m+1 devices in derived method), remaining device is the cipher server on the network, or All devices are all the cipher servers on network;This m or m+1 device are by implementing basic skills of the invention or group Raw method, generation use the SM2 private keys d of userAFor the digital signature of message;Constructed digital signature generation system can For previous examples 1 to implementation 5.
Other unaccounted particular techniques are implemented, and are it is well known that not saying certainly for those skilled in the relevant art Bright.

Claims (10)

1. A digital signature generation method based on an encrypted private key secret, characterized in that:
The method involves m devices, where $m \geq 2$;
The m devices are labelled device No. 1 to device No. m;
The m devices respectively hold integer secrets $c_1, c_2, \dots, c_m$ in the interval $[1, n-1]$, where $c_i$ is the secret held by device No. i, $i = 1, \dots, m$; device No. m additionally holds an integer $c_{m+1}$ in the interval $[1, n-1]$; the secrets held by the m devices satisfy the following relation:
$c_{m+1} = (c_1 c_2 \cdots c_m)^{-1}(1 + d_A)^{-1} \bmod n$,
where $d_A$ is the user's SM2 private key and $n$ is the order of the elliptic curve point group used in the SM2 cryptographic operations, i.e. the order of the base point $G$ of that group;
The following are precomputed in the initialization phase:
$G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$,
$P = [d_A]G$,
where $d_A$ is the user's SM2 private key, $G$ is the base point of the elliptic curve point group used in the SM2 cryptographic operations, and $P$ is the public key corresponding to $d_A$;
$G_c$ is distributed to the m devices and $P$ is published;
When the user's SM2 private key $d_A$ is needed to digitally sign a message $M$, the m devices generate the digital signature as follows:
Device No. 1 randomly selects an integer $k_1$ in the interval $[1, n-1]$ and computes $G_1 = [k_1]G_c$ or $G_1 = [c_1 k_1]G_c$;
Device No. 1 sends $G_1$ to the next device, i.e. device No. 2;
After receiving $G_{i-1}$, device No. i, $i = 2, \dots, m$, randomly selects an integer $k_i$ in the interval $[1, n-1]$ and computes $G_i = [c_i]G_{i-1} + [k_i]G_c$ or $G_i = [c_i](G_{i-1} + [k_i]G_c)$;
Different devices may use the same or different formulas to compute $G_i$;
If $i \neq m$, then after computing $G_i$, device No. i sends $G_i$ to the next device, i.e. device No. i+1, until device No. m completes the computation of $G_m$;
If $i = m$, then after computing $G_m$, device No. m takes a fixed or randomly selected integer $k_{m+1}$ in the interval $[0, n-1]$, computes $G_{m+1} = G_m + [k_{m+1}](G + P)$ or $G_{m+1} = (G_m + [k_{m+1}]G_c)$, and then proceeds to the computation of $r$;
After $G_{m+1}$ has been computed, one of the m devices, or a device other than the m devices, computes $r = (e + x_1) \bmod n$, where $x_1$ is taken from $(x_1, y_1) = G_{m+1}$ and $e$ is the hash value derived from the user identifier and the message $M$;
If the resulting $r$ and $G_{m+1}$ satisfy $r \neq 0$ and $[r]G + G_{m+1}$ is not the zero element of the SM2 elliptic curve point group, the computation of the digital signature continues; otherwise, $G_1, \dots, G_m, G_{m+1}$ and $r$ are recomputed until $r \neq 0$ and $[r]G + G_{m+1}$ is not the zero element of the SM2 elliptic curve point group;
After $r$ has been computed, the computation of $s$ begins;
Device No. 1 sets $s_0 = r$;
Device No. 1 computes $s_1$ as follows:
If $G_1$ was computed with the formula $G_1 = [k_1]G_c$, then $s_1 = (c_1 s_0 + k_1) \bmod n$;
If $G_1$ was computed with the formula $G_1 = [c_1 k_1]G_c$, then $s_1 = (c_1 s_0 + c_1 k_1) \bmod n$;
Device No. 1 sends $s_1$ to the next device, i.e. device No. 2;
After receiving $s_{i-1}$, device No. i, $i = 2, \dots, m$, computes $s_i$ as follows:
If $G_i$ was computed with the formula $G_i = [c_i]G_{i-1} + [k_i]G_c$, then $s_i = (c_i s_{i-1} + k_i) \bmod n$;
If $G_i$ was computed with the formula $G_i = [c_i](G_{i-1} + [k_i]G_c)$, then $s_i = c_i(s_{i-1} + k_i) \bmod n$;
If $i \neq m$, then after computing $s_i$, device No. i sends $s_i$ to the next device, i.e. device No. i+1, until device No. m completes the computation of $s_m$;
If $i = m$, then after computing $s_m$, device No. m computes $s_{m+1}$ as follows:
If $G_{m+1}$ was computed with the formula $G_{m+1} = G_m + [k_{m+1}](G + P)$, then
$s_{m+1} = (c_{m+1} s_m + k_{m+1}) \bmod n$;
If $G_{m+1}$ was computed with the formula $G_{m+1} = (G_m + [k_{m+1}]G_c)$, then $s_{m+1} = c_{m+1}(s_m + k_{m+1}) \bmod n$;
Device No. m computes $s = (s_{m+1} - r) \bmod n$;
$(r, s)$ is the generated digital signature for the message $M$.
2. The digital signature generation method based on an encrypted private key secret according to claim 1, characterized in that:
If $d_A$ is known in advance, then in the initialization phase the device that knows $d_A$ in advance selects or computes $c_i$, $i = 1, \dots, m, m+1$, and computes $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ and the public key $P$ corresponding to the user's private key $d_A$ as follows:
m integers $c_i$ are randomly selected in the interval $[1, n-1]$ and are securely held by the m devices respectively, where $c_i$ is the integer secret held by device No. i, $i = 1, \dots, m$;
$c_{m+1} = (c_1 c_2 \cdots c_m)^{-1}(1 + d_A)^{-1} \bmod n$ and $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ are computed,
$P = [d_A]G$ is computed, i.e. the SM2 public key corresponding to the user's private key $d_A$;
After $c_{m+1}$, $G_c$ and $P$ have been computed, $c_{m+1}$ is handed to device No. m for safekeeping, the computed $G_c$ is distributed to the m devices, the public key $P$ is published, $d_A$ is destroyed, and the $c_i$, $i = 1, \dots, m, m+1$, that are not the device's own to keep and use are destroyed;
The device that knows $d_A$ in advance is one of the m devices or a device other than the m devices.
3. The digital signature generation method based on an encrypted private key secret according to claim 1, characterized in that:
If $d_A$ is not known in advance, then in the initialization phase the m devices choose $c_i$, $i = 1, \dots, m, m+1$, and compute $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ and the public key $P$ corresponding to the user's private key $d_A$ as follows:
Each of the m devices randomly selects an integer $c_i$ in the interval $[1, n-1]$, $i = 1, \dots, m$, where $c_i$ is the integer randomly selected by device No. i;
Device No. m also randomly selects an integer $c_{m+1}$ in the interval $[1, n-1]$;
The m devices compute $G_c = [(c_1 c_2 \cdots c_m)^{-1}]G$ as follows:
Device No. 1 computes $P_1 = [(c_1)^{-1}]G$;
Device No. 1 sends $P_1$ to the next device, i.e. device No. 2;
After receiving $P_{i-1}$, device No. i, $i = 2, \dots, m$, computes $P_i = [(c_i)^{-1}]P_{i-1}$;
If $i = m$, then $G_c = P_m$ is $[(c_1 c_2 \cdots c_m)^{-1}]G$; otherwise, device No. i sends $P_i$ to the next device, i.e. device No. i+1, until device No. m completes the computation of $P_m$;
After computing $P_m$, device No. m computes $P_{m+1} = [(c_{m+1})^{-1}]P_m$;
Device No. m computes $P = P_{m+1} - G$;
If $P$ is not the zero element of the SM2 elliptic curve point group, then $P$ is the SM2 public key corresponding to the user's private key $d_A$; otherwise, the selection of $c_i$, $i = 1, \dots, m, m+1$, is restarted and $G_c$ and $P$ are recomputed, until $P$ is not the zero element of the SM2 elliptic curve point group;
After $G_c$ and $P$ have been computed, the computed $G_c$ is distributed to the m devices and the public key $P$ is published.
4. The digital signature generation method based on an encrypted private key secret according to claim 1, characterized in that:
While computing $G_i$, $i = 1, \dots, m, m+1$, if any $G_i$ is the zero element of the SM2 elliptic curve point group, the computation of $G_i$ is carried out again until $G_i$ is not the zero element of the SM2 elliptic curve point group.
5. The digital signature generation method based on an encrypted private key secret according to claim 1, characterized in that:
If, in the above computation, after $G_{m+1}$ and $r$ have been computed only $r = 0$ is checked, without checking whether $[r]G + G_{m+1}$ is the zero element of the SM2 elliptic curve point group, and $G_{m+1}$ and $r$ are recomputed only when $r = 0$, then:
After $s$ has been computed, if the check finds $(s + r) \bmod n = 0$, the computed $s$ is discarded, $G_{m+1}$ and $r$ are recomputed, and $s$ is recomputed; this process is repeated until $(s + r) \bmod n \neq 0$.
6. The digital signature generation method based on an encrypted private key secret according to claim 1, characterized in that:
Device No. i, $i = 1$ or $\dots$ or $m$, updates $c_i$ as follows:
It randomly selects an integer $t_i$ in the interval $[1, n-1]$ and updates $c_i$ with $(t_i c_i) \bmod n$;
It gives $t_i$ to the device holding $c_{m+1}$;
The device holding $c_{m+1}$ updates $c_{m+1}$ with $((t_i)^{-1} c_{m+1}) \bmod n$;
Afterwards, device No. i or the device holding $c_{m+1}$ updates $G_c$ with $[(t_i)^{-1}]G_c$;
If device No. i takes $t_i = b_i (c_i)^{-1} \bmod n$, where $b_i$ is an integer randomly selected in the interval $[1, n-1]$, then device No. i has replaced its secret $c_i$ with $b_i$;
The device holding $c_{m+1}$ actively updates $c_{m+1}$ as follows:
It randomly selects an integer $t_{m+1}$ in the interval $[1, n-1]$ and updates $c_{m+1}$ with $(t_{m+1} c_{m+1}) \bmod n$;
It gives $t_{m+1}$ to device No. i, $i = 1$ or $\dots$ or $m$;
Device No. i updates $c_i$ with $((t_{m+1})^{-1} c_i) \bmod n$;
Afterwards, device No. i or the device holding $c_{m+1}$ updates $G_c$ with $[t_{m+1}]G_c$.
7. A digital signature generation system based on an encrypted private key secret, based on the method of any one of claims 1-6, characterized in that:
The system includes m devices, numbered No. 1 to No. m; following the said digital signature generation method, the m devices use $c_1, c_2, \dots, c_{m+1}$ to generate an SM2 digital signature for a message.
8. A digital signature generation method derived from the digital signature generation method of any one of claims 1-6, characterized in that:
The derived digital signature generation method involves m+1 devices, where $m \geq 2$;
The m+1 devices are labelled device No. 1, ..., device No. m, device No. m+1;
The derived digital signature generation method differs from the original method before derivation as follows:
The $c_{m+1}$ satisfying the relation $c_{m+1} = (c_1 c_2 \cdots c_m)^{-1}(1 + d_A)^{-1} \bmod n$ is held and used as a secret by device No. m+1, where $c_1, \dots, c_m$ are the secrets held by devices No. 1 to No. m respectively;
When the user's SM2 private key $d_A$ is needed to digitally sign a message $M$, devices No. 1 to No. m compute $G_m$ in the cooperative manner of the digital signature generation method before derivation;
Device No. m sends $G_m$ to device No. m+1;
Device No. m+1 randomly selects an integer $k_{m+1}$ in the interval $[1, n-1]$ and computes $G_{m+1}$ in the way device No. m computes $G_{m+1}$ in the digital signature generation method before derivation;
After $G_{m+1}$ has been computed, one of the m+1 devices, or a device other than the m+1 devices, computes $r = (e + x_1) \bmod n$, where $x_1$ is taken from $(x_1, y_1) = G_{m+1}$ and $e$ is the hash value derived from the user identifier and the message $M$;
After an $r$ satisfying the conditions has been computed, devices No. 1 to No. m compute $s_m$ in the cooperative manner of the digital signature generation method before derivation;
Device No. m sends $s_m$ to device No. m+1;
Device No. m+1 computes $s_{m+1}$ in the way device No. m computes $s_{m+1}$ in the digital signature generation method before derivation, using the $k_{m+1}$ that was used when computing $G_{m+1}$;
Device No. m+1 computes $s = (s_{m+1} - r) \bmod n$;
$(r, s)$ is the generated digital signature for the message $M$.
9. The derived digital signature generation method according to claim 8, characterized in that:
If $d_A$ is known in advance, then in the initialization phase the device that knows $d_A$ in advance hands the computed $c_{m+1}$ to device No. m+1 to keep and use;
If $d_A$ is not known in advance, then in the initialization phase each of the m+1 devices randomly selects an integer $c_i$ in the interval $[1, n-1]$, $i = 1, \dots, m, m+1$, where $c_i$ is the integer randomly selected by device No. i; devices No. 1 to No. m use $c_1, \dots, c_m$ to compute $P_m$, and $G_c = P_m$; device No. m+1 then computes $P_{m+1} = [(c_{m+1})^{-1}]P_m$, and device No. m+1 computes $P = P_{m+1} - G$;
When $c_{m+1}$ is updated, the update operation on $c_{m+1}$ is performed by device No. m+1.
10. A digital signature generation system based on claim 8, characterized in that:
The digital signature generation system includes m+1 devices, where $m \geq 2$; the m+1 devices are labelled device No. 1, ..., device No. m, device No. m+1; following the derived digital signature generation method, the m+1 devices use $c_1, \dots, c_m, c_{m+1}$ to generate an SM2 digital signature for a message.
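The initialization of claim 3 and the signing chain of claim 1, simulated in one process and checked with ordinary SM2 verification; this is an added example, not code from the patent. Each list index stands for one device, the first formula of each pair is used, and the function names, the affine curve arithmetic and the SHA-256 stand-in for the SM3-based hash $e$ are assumptions of this example.

```python
import hashlib, secrets

# SM2 recommended curve y^2 = x^3 + a*x + b over F_p; base point G has prime order n
p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
a, b = p - 3, 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(P, Q):  # affine point addition; None is the point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return None
    if P == Q:
        lam = (3 * P[0] * P[0] + a) * pow(2 * P[1], -1, p) % p
    else:
        lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def mul(k, P):  # double-and-add, not constant time: for illustration only
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def inv(x): return pow(x, -1, n)
def rnd(): return secrets.randbelow(n - 1) + 1   # uniform in [1, n-1]

def keygen(m):  # claim 3: d_A is never computed by any device
    while True:
        c = [rnd() for _ in range(m + 1)]        # c[i-1] belongs to device No. i; c[m] is c_{m+1}
        Gc = G
        for ci in c[:m]:
            Gc = mul(inv(ci), Gc)                # P_i = [c_i^-1]P_{i-1}, and G_c = P_m
        P = add(mul(inv(c[m]), Gc), (G[0], -G[1] % p))   # P = [c_{m+1}^-1]P_m - G
        if P is not None:
            return c, Gc, P

def sign(c, Gc, P, e):  # claim 1, first formula of each pair
    m = len(c) - 1
    while True:
        k = [rnd() for _ in range(m + 1)]
        Gi = mul(k[0], Gc)                               # G_1 = [k_1]G_c
        for i in range(1, m):
            Gi = add(mul(c[i], Gi), mul(k[i], Gc))       # G_i = [c_i]G_{i-1} + [k_i]G_c
        Gm1 = add(Gi, mul(k[m], add(G, P)))              # G_{m+1} = G_m + [k_{m+1}](G + P)
        r = (e + Gm1[0]) % n if Gm1 else 0
        if r == 0 or add(mul(r, G), Gm1) is None:
            continue                                     # retry condition of claim 1
        s = r                                            # s_0 = r
        for i in range(m):
            s = (c[i] * s + k[i]) % n                    # s_i = c_i*s_{i-1} + k_i
        return r, (c[m] * s + k[m] - r) % n              # s = s_{m+1} - r

def verify(P, e, r, s):  # standard single-signer SM2 verification
    t = (r + s) % n
    X = add(mul(s, G), mul(t, P)) if 0 < r < n and 0 < s < n and t else None
    return X is not None and (e + X[0]) % n == r

E = int.from_bytes(hashlib.sha256(b"constructed sample message").digest(), "big")  # stand-in for e
```

Verification uses only the published $P$, so a verifier cannot tell that the signature was produced jointly.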
CN201710900625.7A 2017-09-28 2017-09-28 A kind of the digital signature generation method and system of the private key secret based on encryption Active CN107483205B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710900625.7A CN107483205B (en) 2017-09-28 2017-09-28 A kind of the digital signature generation method and system of the private key secret based on encryption


Publications (2)

Publication Number Publication Date
CN107483205A true CN107483205A (en) 2017-12-15
CN107483205B CN107483205B (en) 2019-08-20

Family

ID=60605415

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710900625.7A Active CN107483205B (en) 2017-09-28 2017-09-28 A kind of the digital signature generation method and system of the private key secret based on encryption

Country Status (1)

Country Link
CN (1) CN107483205B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109743166A (en) * 2018-12-10 2019-05-10 普华诚信信息技术有限公司 Multiple party signatures generation method and security information verification system
CN110048839A (en) * 2019-04-26 2019-07-23 山东渔翁信息技术股份有限公司 A kind of digital signature method, device and storage medium
CN110798313A (en) * 2019-10-31 2020-02-14 武汉理工大学 Secret dynamic sharing-based collaborative generation method and system for number containing secret
CN111480315A (en) * 2017-12-15 2020-07-31 区块链控股有限公司 Computer-implemented system and method for authorizing blockchain transactions using low-entropy ciphers
CN112311549A (en) * 2020-03-26 2021-02-02 神州融安科技(北京)有限公司 Signature generation or assistance method, device, system, electronic equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603231A (en) * 2017-01-20 2017-04-26 武汉理工大学 Distributed SM2 digital signature generation method and system based on de-secrecy
CN106656512A (en) * 2017-01-17 2017-05-10 武汉理工大学 SM2 digital signature generation method and system supporting threshold password




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant