Secure two-party collaboration SM2 signature method
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a secure two-party cooperative SM2 signature method.
Background
To meet the application requirements of electronic authentication service systems and the like, the State Cryptography Administration issued the SM2 elliptic curve public key cryptographic algorithm on December 17, 2010, and the national standard GB/T 32918 was formulated. The second part of the standard describes an elliptic-curve-based signature algorithm, the SM2 signature algorithm. The signature algorithm comprises a digital signature generation algorithm and a verification algorithm: the generation algorithm lets a signer produce a digital signature on data, and the verification algorithm lets a verifier check the reliability of the signature. Each signer generates a pair of keys: a public key that is published and a private key that the signer keeps secret. The signer generates a signature with the private key; the verifier verifies the signature with the signer's public key.
The SM2 digital signature algorithm can meet the security requirements of identity authentication, data integrity and authenticity in a variety of cryptographic applications, and has been widely used in the domestic cryptographic application field for many years. However, with the development of attack techniques, an attacker can steal a user's private key using various attack tools. Once the private key is stolen, the attacker can sign with it and impersonate the legitimate user, so the harm caused by the theft can be disastrous.
An effective solution to this problem is to split the private key into two parts, stored by the first communication party and the second communication party respectively. When the private key is used, the two parties compute cooperatively, so that the complete private key never appears at either party, i.e. neither party participating in the operation can obtain the complete private key. In 2014, the ringer and the like disclosed a signature method based on the SM2 algorithm that is suitable for cloud computing. That method achieves this function when both parties are honest: the two communication parties obtain a complete signature of a message by joint computation, each using its own partial private key. However, the key generation and signature generation stages of that method lack a mechanism for authenticating the identities of the two communication parties, so man-in-the-middle attacks are difficult to prevent, and an attacker can impersonate the first communication party to generate a complete signature that passes verification.
Disclosure of Invention
The technical problem to be solved by the invention is to overcome the defects of the signature method and provide a safe two-party cooperation SM2 signature method which is easy to operate and high in safety.
The technical scheme for solving the technical problems comprises the following steps:
(1) System initialization
The first and second communication parties share the elliptic curve parameters E(F_p), G and n of the SM2 signature algorithm, where E(F_p) denotes the set of all rational points of the elliptic curve E over the finite field F_p, including the point at infinity O; G denotes a base point of order n on the elliptic curve E; and n is a finite positive integer. The values of all parameters are preset according to the SM2 method. The cryptographic hash method hash, the commitment protocol com, the zero-knowledge proof protocol proof and the additively homomorphic encryption method Enc used by the two communication parties are agreed in advance.
(2) Negotiating generation of a public signature key
The first communication party generates a sub-private key d_1 and a sub-public key P_1, the second communication party generates a sub-private key d_2 and a sub-public key P_2, and the two communication parties negotiate, each using the other party's sub-public key and its own sub-private key, to generate the signature public key P.
(3) Collaborative signatures
The first communication party generates a temporary sub-private key k_1 and a temporary sub-public key Q_1, and the second communication party generates a temporary sub-private key k_2 and a temporary sub-public key Q_2. Each party uses the other party's temporary sub-public key, its own sub-private key and its own temporary sub-private key to generate the partial signature r and the partial signature s respectively, and the two communication parties cooperate to generate the complete signature.
(4) Outputting a complete signature
The second communication party combines the partial signature r and the partial signature s into a complete signature output.
In step (2), negotiating generation of a signature public key, the method by which the two communication parties negotiate the signature public key P, each using the other party's sub-public key and its own sub-private key, comprises the following steps:
1) The first communication party generates a private-public key pair
The first communication party generates a random number d_1 in [1, n-1] and takes d_1 as its sub-private key, i.e. d_1 ∈ [1, n-1]; it computes d_1 [*] G and takes the result as its sub-public key P_1, where [*] denotes the elliptic curve point multiplication operation.
2) The second communication party generates a private-public key pair
The second communication party generates a random number d_2 in [1, n-1] and takes d_2 as its sub-private key, i.e. d_2 ∈ [1, n-1]; it computes d_2 [*] G and takes the result as its sub-public key P_2.
3) Mutual authentication between two communication parties
The first communication party determines the zero-knowledge proof proof(d_1) of the sub-private key d_1 using the zero-knowledge proof protocol proof predetermined by both parties, determines the commitment value com(P_1 || proof(d_1)) of the sub-public key P_1 and the zero-knowledge proof proof(d_1) according to the commitment protocol com predetermined by both parties, and, according to the commitment protocol com, sends the commitment value com(P_1 || proof(d_1)) and the commitment information to the second communication party, where || denotes concatenation.
The second communication party determines the zero-knowledge proof proof(d_2) of the sub-private key d_2 using the predetermined zero-knowledge proof protocol proof, generates a key pair pk and sk for the predetermined additively homomorphic encryption method Enc, where pk denotes the homomorphic public key and sk denotes the homomorphic private key, and sends the sub-public key P_2, the homomorphic public key pk and the zero-knowledge proof proof(d_2) of the sub-private key d_2 to the first communication party.
The first communication party verifies P_2 = d_2 [*] G according to the predetermined zero-knowledge proof protocol proof and, according to the commitment protocol com predetermined by both parties, sends the decommitment information, namely the sub-public key P_1 and the zero-knowledge proof proof(d_1) of the sub-private key d_1, to the second communication party.
The second communication party receives the decommitment information, verifies the correctness of the commitment value com(P_1 || proof(d_1)) according to the commitment protocol com predetermined by both parties, and verifies P_1 = d_1 [*] G with the predetermined zero-knowledge proof protocol proof.
4) Communication parties negotiate to generate signature public key
The first communication party computes d_1 [*] P_2 [-] G and takes the result as the signature public key P, where [-] denotes the elliptic curve point subtraction operation.
The second communication party computes d_2 [*] P_1 [-] G and takes the result as the signature public key P'; P' is equal to P.
In the cooperative signature step (3), the method for generating the complete signature by the cooperation of the two communication parties comprises the following steps:
1) The first communication party processes the message to be signed
The first communication party concatenates the identity Z common to the first and second communication parties with the message M to form M', i.e. M' = Z || M, determines hash(M') by the cryptographic hash method hash, and takes the result as e.
2) Processing the message to be signed by the second communication party
The steps of processing the message to be signed by the second communication party are the same as the steps of processing the message to be signed by the first communication party.
3) The first correspondent generates a temporary child public and private key pair
The first communication party generates a random number k_1 in [1, n-1], takes k_1 as its temporary sub-private key, computes k_1 [*] G and takes the result as its temporary sub-public key Q_1.
4) The second communication party generates a temporary child public and private key pair
The second communication party generates a random number k_2 in [1, n-1], takes k_2 as its temporary sub-private key, computes k_2 [*] G and takes the result as its temporary sub-public key Q_2.
5) Mutual authentication between two communication parties
The first communication party determines the zero-knowledge proof proof(k_1) of the temporary sub-private key k_1 using the zero-knowledge proof protocol proof predetermined by both parties, determines the commitment value com(Q_1 || proof(k_1)) of the temporary sub-public key Q_1 and the zero-knowledge proof proof(k_1) according to the commitment protocol com predetermined by both parties, and, according to the commitment protocol com, sends the commitment value com(Q_1 || proof(k_1)) and the commitment information to the second communication party.
The second communication party determines the zero-knowledge proof proof(k_2) of the temporary sub-private key k_2 using the zero-knowledge proof protocol proof predetermined by both parties, and sends the temporary sub-public key Q_2 and the zero-knowledge proof proof(k_2) of the temporary sub-private key k_2 to the first communication party.
The first communication party verifies Q_2 = k_2 [*] G with the zero-knowledge proof protocol proof predetermined by both parties and, according to the commitment protocol com predetermined by both parties, sends the decommitment information, namely the temporary sub-public key Q_1 and the zero-knowledge proof proof(k_1) of the temporary sub-private key k_1, to the second communication party.
The second communication party receives the decommitment information, verifies the correctness of the commitment value com(Q_1 || proof(k_1)) according to the commitment protocol com predetermined by both parties, and verifies Q_1 = k_1 [*] G with the predetermined zero-knowledge proof protocol proof.
6) Generating timestamps
Each of the two communication parties, from the identity information ID_1 of the first communication party, the current time T and the location information S of the first communication party, determines hash(ID_1 || T || S) by the cryptographic hash method hash and takes the result as the timestamp t, where ID_1, T and S are bit strings.
7) Cooperative signature of two communication parties
The second communication party computes k_2 [*] Q_1 and takes the result as the point (x_1, y_1), and computes x_1 + e mod n to obtain the partial signature r, where mod denotes the modulo operation. It generates a random number η in [1, n^2] and, according to the encryption operation Enc_pk of the homomorphic encryption method Enc, determines and , the results being taken respectively as the homomorphic ciphertext c_1 and the homomorphic ciphertext c_2. It sends the homomorphic ciphertexts c_1 and c_2 to the first communication party, wherein, denotes the inverse element of d_2 over F_p, and Enc_pk denotes the encryption operation of the homomorphic encryption method Enc under the homomorphic public key pk.
The first communication party computes k_1 [*] Q_2 and takes the result as the point (x_1, y_1), and takes x_1 + e mod n as the partial signature r. It computes , takes the result as s', and sends s' to the second communication party, wherein, denotes the inverse element of d_1 over F_p; t^-1 denotes the inverse element of the timestamp t over F_p; ⊙ denotes the scalar-multiplication homomorphic operation, that is, a ⊙ b multiplies the plaintext corresponding to b by a; and denotes the addition homomorphic operation, i.e. the plaintext corresponding to a and the plaintext corresponding to b are added.
The second communication party, according to the decryption operation Dec_sk of the homomorphic encryption method Enc, determines Dec_sk(s') - r mod n and takes the result as the partial signature s, where Dec_sk denotes the decryption operation of the homomorphic encryption method Enc under the homomorphic private key sk.
The homomorphic encryption method Enc is any one of a Paillier homomorphic encryption method, a Benaloh homomorphic encryption method and an NS homomorphic encryption method.
The SM2 signature private key is divided into two parts which are respectively kept by a first communication party and a second communication party, a signature public key and a complete SM2 signature can be generated only by the cooperative calculation of the two communication parties in a key generation stage and a signature stage, and any party cannot obtain the complete private key and independently output a complete signature. In the invention, in order to ensure the authenticity of the identities of the two communication parties, before negotiating a signature public key and a cooperative signature, the two communication parties utilize a zero-knowledge proof technology to authenticate the identity of the other party; ensuring the correctness of the output complete signature by using a commitment technology; the homomorphic encryption technology is utilized to ensure that the first communication party can realize the operation of the corresponding plaintext without decrypting the received ciphertext; the addition of the time stamp mechanism ensures that the two communication parties can output correct complete signatures only under the condition that the identity and the current time of the first communication party are consistent with the position information of the first communication party; the technologies greatly improve the security of the system and reduce the loss caused by the leakage of the private signature key. Compared with the prior art, the method can prevent man-in-the-middle attack, has higher safety, and is suitable for being used in an unsafe environment of a communication channel.
Drawings
FIG. 1 is a flow chart of example 1 of the present invention.
Detailed Description
In order to make the technical solution of the present invention clearer and more obvious, the solution of the present invention is further described in detail below with reference to the accompanying drawings.
For convenience of description, a first communication party and a second communication party are used to represent two communication parties respectively, wherein the first communication party is a mobile terminal, and the second communication party is a server side.
Example 1
In fig. 1, the secure two-party collaboration SM2 signing method of the present embodiment consists of the following steps.
(1) System initialization
The first and second communication parties share the elliptic curve parameters E(F_p), G and n of the SM2 algorithm, where E(F_p) denotes the set of all rational points of the elliptic curve E over the finite field F_p, including the point at infinity O; G denotes a base point of order n on the elliptic curve E; and n is a finite positive integer. In this embodiment the specific values of E(F_p), G and n are the same as the values of the parameters in Appendix A.2 of GB/T 32918.2-2016. The two communication parties agree in advance that the cryptographic hash method hash is the one given in GB/T 32905-2016, i.e. the SM3 algorithm; the commitment protocol com is com_SM3, defined in Fig. 2.1 of the document "Fast secure two-party ECDSA signing", and in this embodiment the commitment value is determined as com_SM3(x) = SM3(x || R), where R is a random number in [1, n-1] and || denotes concatenation; the zero-knowledge proof protocol proof is the Schnorr zero-knowledge proof protocol proof_Schnorr proposed by C. P. Schnorr in "Efficient identification and signatures for smart cards" in 1989; and the homomorphic encryption method Enc is the additively homomorphic Paillier encryption method proposed by Paillier in "Public-key cryptosystems based on composite degree residuosity classes" in 1999. The Paillier homomorphic encryption method of this embodiment is one of the homomorphic encryption methods Enc.
(2) Negotiating generation of a public signature key
The first communication party generates a sub-private key d_1 and a sub-public key P_1, and the second communication party generates a sub-private key d_2 and a sub-public key P_2. The method by which the two communication parties negotiate the signature public key P, each using the other party's sub-public key and its own sub-private key, is as follows:
1) The first communication party generates a private-public key pair
The first communication party generates a random number d_1 in [1, n-1] and takes d_1 as its sub-private key, i.e. d_1 ∈ [1, n-1]; it computes d_1 [*] G and takes the result as its sub-public key P_1, where [*] denotes the elliptic curve point multiplication operation.
2) The second communication party generates a private-public key pair
The second communication party generates a random number d_2 in [1, n-1] and takes d_2 as its sub-private key, i.e. d_2 ∈ [1, n-1]; it computes d_2 [*] G and takes the result as its sub-public key P_2.
3) Mutual authentication between two communication parties
In this embodiment the zero-knowledge proof protocol proof is the Schnorr zero-knowledge proof protocol proof_Schnorr, and the commitment protocol com is com_SM3. The first communication party determines the zero-knowledge proof proof_Schnorr(d_1) of the sub-private key d_1 using proof_Schnorr and, according to the commitment protocol com_SM3 predetermined by both parties, determines the commitment value com_SM3(P_1 || proof_Schnorr(d_1)) of the sub-public key P_1 and the zero-knowledge proof proof_Schnorr(d_1). Specifically, it determines SM3(P_1 || proof_Schnorr(d_1) || R) by the cryptographic hash method SM3 and takes the result as the commitment value com_SM3(P_1 || proof_Schnorr(d_1)). According to com_SM3, it sends the commitment value com_SM3(P_1 || proof_Schnorr(d_1)) and the commitment information R to the second communication party, where R is a random number in [1, n-1] generated by the first communication party and || denotes concatenation.
The homomorphic encryption method Enc in this embodiment is the Paillier homomorphic encryption method. The second communication party determines the zero-knowledge proof proof_Schnorr(d_2) of the sub-private key d_2 using proof_Schnorr, generates a key pair pk and sk of the Paillier homomorphic encryption method, where pk denotes the Paillier homomorphic public key and sk denotes the Paillier homomorphic private key, and sends the sub-public key P_2, the homomorphic public key pk and the zero-knowledge proof proof_Schnorr(d_2) of the sub-private key d_2 to the first communication party.
The first communication party verifies P_2 = d_2 [*] G with the zero-knowledge proof protocol proof_Schnorr and, according to the commitment protocol com_SM3 predetermined by both parties, sends the decommitment information, namely the sub-public key P_1 and the zero-knowledge proof proof_Schnorr(d_1) of the sub-private key d_1, to the second communication party;
the second communication party receives the decommitment information and verifies the commitment value com_SM3(P_1 || proof_Schnorr(d_1)) according to the commitment protocol com_SM3 predetermined by both parties, specifically by verifying com_SM3(P_1 || proof_Schnorr(d_1)) = SM3(P_1 || proof_Schnorr(d_1) || R), and verifies P_1 = d_1 [*] G with the predetermined zero-knowledge proof protocol proof_Schnorr;
4) Communication parties negotiate to generate signature public key
The first communication party computes d_1 [*] P_2 [-] G and takes the result as the signature public key P, where [-] denotes the elliptic curve point subtraction operation;
the second communication party computes d_2 [*] P_1 [-] G and takes the result as the signature public key P'; P' is equal to P.
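The negotiation of step (2), run end to end in one process as an added example (not code from the patent). Assumptions: SHA-256 stands in for SM3, the Schnorr proof is made non-interactive with a Fiat-Shamir challenge, the SM2 recommended 256-bit curve is used, and all function names and byte encodings are illustrative.

```python
import hashlib
import hmac
import secrets

def _hex(s):
    return int(s.replace(" ", ""), 16)

# SM2 recommended 256-bit curve y^2 = x^3 + a*x + b over F_p (assumed parameter set).
p = _hex("FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF")
a = p - 3
b = _hex("28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93")
n = _hex("FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123")
G = (_hex("32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7"),
     _hex("BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0"))

def on_curve(P):
    """Reject the point at infinity (None) and anything not on E(F_p)."""
    if P is None:
        return False
    x, y = P
    return 0 <= x < p and 0 <= y < p and (y * y - (x * x * x + a * x + b)) % p == 0

def add(P, Q):
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def sub(P, Q):                       # the page's [-] operation
    return add(P, None if Q is None else (Q[0], -Q[1] % p))

def mul(k, P):                       # the page's [*] operation
    R, k = None, k % n
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def rand_scalar():                   # uniform in [1, n-1]
    return secrets.randbelow(n - 1) + 1

def enc(P):
    return P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")

def dec(data):
    return (int.from_bytes(data[:32], "big"), int.from_bytes(data[32:64], "big"))

def H(*parts):                       # SHA-256 here; the embodiment uses SM3
    return hashlib.sha256(b"".join(parts)).digest()

def prove(d, P):
    """Schnorr proof of knowledge of d with P = d[*]G (Fiat-Shamir variant)."""
    k = rand_scalar()
    R = mul(k, G)
    c = int.from_bytes(H(enc(G), enc(P), enc(R)), "big") % n
    return enc(R) + ((k + c * d) % n).to_bytes(32, "big")

def verify(P, proof):
    if len(proof) != 96 or not on_curve(P):
        return False
    R, s = dec(proof[:64]), int.from_bytes(proof[64:], "big")
    if not on_curve(R) or not 0 <= s < n:
        return False
    c = int.from_bytes(H(enc(G), enc(P), enc(R)), "big") % n
    return mul(s, G) == add(R, mul(c, P))

def commit(msg):
    """com(x) = hash(x || R) with R random in [1, n-1], as in the embodiment."""
    R = rand_scalar().to_bytes(32, "big")
    return H(msg, R), R

def negotiate(tamper=False):
    # Party 1: sub key pair, proof, and commitment to P_1 || proof(d_1).
    d1 = rand_scalar()
    P1 = mul(d1, G)
    opening = enc(P1) + prove(d1, P1)
    c, R = commit(opening)           # first message: c and R, as the page describes
    # Party 2: sub key pair and proof, sent in the clear.
    d2 = rand_scalar()
    P2 = mul(d2, G)
    proof2 = prove(d2, P2)
    # Party 1 checks P_2 before revealing P_1 and its proof.
    if not verify(P2, proof2):
        raise ValueError("proof for P_2 rejected")
    if tamper:                       # constructed case: opening replaced in transit
        dm = rand_scalar()
        opening = enc(mul(dm, G)) + prove(dm, mul(dm, G))
    # Party 2 checks the opening against the earlier commitment, then the proof.
    if not hmac.compare_digest(c, H(opening, R)):
        raise ValueError("opening does not match commitment")
    P1_recv = dec(opening[:64])
    if not verify(P1_recv, opening[64:]):
        raise ValueError("proof for P_1 rejected")
    P = sub(mul(d1, P2), G)          # party 1: d_1[*]P_2[-]G
    P_prime = sub(mul(d2, P1_recv), G)   # party 2: d_2[*]P_1[-]G
    if P is None or P != P_prime:
        raise ValueError("degenerate or mismatched public key")
    # d1 and d2 are returned only so the result can be checked in one process.
    return d1, d2, P, P_prime
```

Both sides arrive at the point (d_1·d_2 − 1)[*]G, so the signing key corresponding to P is d_1·d_2 − 1 mod n, a value neither party can compute from its own share.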
(3) Collaborative signatures
The first communication party generates a temporary sub-private key k_1 and a temporary sub-public key Q_1, the second communication party generates a temporary sub-private key k_2 and a temporary sub-public key Q_2, and the two communication parties cooperate to generate the complete signature, each using the other party's temporary sub-public key, its own sub-private key and its own temporary sub-private key.
The method for generating the complete signature by the cooperation of the two communication parties comprises the following steps:
1) The first communication party processes the message to be signed
The cryptographic hash method hash of this embodiment is the one given in GB/T 32905-2016, i.e. the SM3 algorithm. The first communication party concatenates the identity Z common to the first and second communication parties with the message M to form M', i.e. M' = Z || M, determines SM3(M') by the cryptographic hash method SM3, and takes the result as e;
2) The second communication party processes the message to be signed
The steps by which the second communication party processes the message to be signed are the same as those of the first communication party;
3) The first communication party generates a temporary sub public-private key pair
The first communication party generates a random number k_1 in [1, n-1], takes k_1 as its temporary sub-private key, computes k_1 [*] G and takes the result as its temporary sub-public key Q_1;
4) The second communication party generates a temporary sub public-private key pair
The second communication party generates a random number k_2 in [1, n-1], takes k_2 as its temporary sub-private key, computes k_2 [*] G and takes the result as its temporary sub-public key Q_2;
5) Mutual authentication between two communication parties
The first communication party determines the zero-knowledge proof proof_Schnorr(k_1) of the temporary sub-private key k_1 using the zero-knowledge proof protocol proof_Schnorr. The commitment protocol com predetermined by both parties in this embodiment is com_SM3. According to com_SM3, the first communication party determines the commitment value com_SM3(Q_1 || proof_Schnorr(k_1)) of the temporary sub-public key Q_1 and the zero-knowledge proof proof_Schnorr(k_1). Specifically, it determines SM3(Q_1 || proof_Schnorr(k_1) || R') by the cryptographic hash method SM3 and takes the result as the commitment value com_SM3(Q_1 || proof_Schnorr(k_1)). According to com_SM3, it sends the commitment value com_SM3(Q_1 || proof_Schnorr(k_1)) and the commitment information R' to the second communication party, where R' is a random number in [1, n-1] generated by the first communication party.
The second communication party determines the zero-knowledge proof proof_Schnorr(k_2) of the temporary sub-private key k_2 using the zero-knowledge proof protocol proof_Schnorr, and sends the temporary sub-public key Q_2 and the zero-knowledge proof proof_Schnorr(k_2) of the temporary sub-private key k_2 to the first communication party.
The first communication party verifies Q_2 = k_2 [*] G with the zero-knowledge proof protocol proof_Schnorr predetermined by both parties and, according to the commitment protocol com_SM3 predetermined by both parties, sends the decommitment information, namely the temporary sub-public key Q_1 and the zero-knowledge proof proof_Schnorr(k_1) of the temporary sub-private key k_1, to the second communication party.
The second communication party receives the decommitment information and verifies the commitment value com_SM3(Q_1 || proof_Schnorr(k_1)) according to the commitment protocol com_SM3 predetermined by both parties, specifically by verifying com_SM3(Q_1 || proof_Schnorr(k_1)) = SM3(Q_1 || proof_Schnorr(k_1) || R'), and verifies Q_1 = k_1 [*] G with the predetermined zero-knowledge proof protocol proof_Schnorr.
6) Generating timestamps
Each of the two communication parties, from the identity information ID_1 of the first communication party, the current time T and the location information S of the first communication party, determines SM3(ID_1 || T || S), the cryptographic hash method hash of this embodiment being the SM3 cryptographic hash method, and takes the result as the timestamp t, where ID_1, T and S are bit strings.
7) Cooperative signature of two communication parties
The homomorphic encryption method Enc in this embodiment is the Paillier homomorphic encryption method. The second communication party computes k_2 [*] Q_1 and takes the result as the point (x_1, y_1), and computes x_1 + e mod n to obtain the partial signature r, where mod denotes the modulo operation. It generates a random number η in [1, n^2] and, according to the encryption operation Paillier_pk of the Paillier homomorphic encryption method (Enc_pk in this embodiment is Paillier_pk), determines and , the results being taken respectively as the Paillier homomorphic ciphertext c_1 and the Paillier homomorphic ciphertext c_2. It sends the Paillier homomorphic ciphertexts c_1 and c_2 to the first communication party, wherein, denotes the inverse element of the sub-private key d_2 over F_p, and Paillier_pk denotes the encryption operation of the Paillier homomorphic encryption method under the homomorphic public key pk.
The first communication party computes k_1 [*] Q_2 and takes the result as the point (x_1, y_1), and takes x_1 + e mod n as the partial signature r. It computes , takes the result as s', and sends s' to the second communication party, wherein, denotes the inverse element of the sub-private key d_1 over F_p; t^-1 denotes the inverse element of the timestamp t over F_p; ⊙ denotes the Paillier scalar-multiplication homomorphic operation, that is, a ⊙ b multiplies the plaintext corresponding to b by a; and denotes the Paillier addition homomorphic operation, i.e. the plaintext corresponding to a and the plaintext corresponding to b are added;
the second communication party, according to the decryption operation Paillier_sk of the Paillier homomorphic encryption method, determines Paillier_sk(s') - r mod n and takes the result as the partial signature s, where Paillier_sk denotes the decryption operation of the Paillier additively homomorphic method under the homomorphic private key sk.
(4) Outputting a complete signature
The second communication party combines the partial signature r and the partial signature s into a complete signature output.
Example 2
(1) System initialization
The homomorphic encryption method Enc in this step is the additively homomorphic Benaloh encryption method proposed by J. Benaloh in "Dense probabilistic encryption" in 1994. The rest of this step is the same as in Example 1.
(2) Negotiating generation of a public signature key
This procedure is the same as in example 1.
(3) Collaborative signatures
Steps 1) to 6) are the same as in example 1.
7) Cooperative signature of two communication parties
The homomorphic encryption method Enc in this embodiment is the Benaloh homomorphic encryption method. The second communication party computes k_2 [*] Q_1 and takes the result as the point (x_1, y_1), and computes x_1 + e mod n to obtain the partial signature r, where mod denotes the modulo operation. It generates a random number η in [1, n^2] and, according to the encryption operation Benaloh_pk of the Benaloh homomorphic encryption method (Enc_pk in this embodiment is Benaloh_pk), determines and , the results being taken respectively as the Benaloh homomorphic ciphertext c_1 and the Benaloh homomorphic ciphertext c_2. It sends the Benaloh homomorphic ciphertexts c_1 and c_2 to the first communication party, wherein, denotes the inverse element of the sub-private key d_2 over F_p, and Benaloh_pk denotes the encryption operation of the Benaloh homomorphic encryption method under the homomorphic public key pk.
The first communication party computes k_1 [*] Q_2 and takes the result as the point (x_1, y_1), and takes x_1 + e mod n as the partial signature r. It computes , takes the result as s', and sends s' to the second communication party, wherein, denotes the inverse element of the sub-private key d_1 over F_p; t^-1 denotes the inverse element of the timestamp t over F_p; ⊙ denotes the Benaloh scalar-multiplication homomorphic operation, that is, a ⊙ b multiplies the plaintext corresponding to b by a; and denotes the Benaloh addition homomorphic operation, i.e. the plaintext corresponding to a and the plaintext corresponding to b are added;
the second communication party, according to the decryption operation Benaloh_sk of the Benaloh homomorphic encryption method, determines Benaloh_sk(s') - r mod n and takes the result as the partial signature s, where Benaloh_sk denotes the decryption operation of the Benaloh additively homomorphic method under the homomorphic private key sk.
(4) Outputting a complete signature
This procedure is the same as in example 1.
Example 3
(1) System initialization
The homomorphic encryption method Enc in this step is the additively homomorphic NS encryption method proposed by D. Naccache and J. Stern in "A new public key cryptosystem based on higher residues" in 1998. The rest of this step is the same as in Example 1.
(2) Negotiating generation of a public signature key
This procedure is the same as in example 1.
(3) Collaborative signatures
Steps 1) to 6) are the same as in example 1.
7) Cooperative signature of two communication parties
The homomorphic encryption method Enc in this embodiment is the NS homomorphic encryption method. The second communication party computes k_2 [*] Q_1 and takes the result as the point (x_1, y_1), and computes x_1 + e mod n to obtain the partial signature r, where mod denotes the modulo operation. It generates a random number η in [1, n^2] and, according to the encryption operation NS_pk of the NS homomorphic encryption method (Enc_pk in this embodiment is NS_pk), determines and , the results being taken respectively as the NS homomorphic ciphertext c_1 and the NS homomorphic ciphertext c_2. It sends the NS homomorphic ciphertexts c_1 and c_2 to the first communication party, wherein, denotes the inverse element of the sub-private key d_2 over F_p, and NS_pk denotes the encryption operation of the NS homomorphic encryption method under the homomorphic public key pk.
The first communication party computes k_1 [*] Q_2 and takes the result as the point (x_1, y_1), and takes x_1 + e mod n as the partial signature r. It computes , takes the result as s', and sends s' to the second communication party, wherein, denotes the inverse element of the sub-private key d_1 over F_p; t^-1 denotes the inverse element of the timestamp t over F_p; ⊙ denotes the NS scalar-multiplication homomorphic operation, that is, a ⊙ b multiplies the plaintext corresponding to b by a; and denotes the NS addition homomorphic operation, i.e. the plaintext corresponding to a and the plaintext corresponding to b are added;
the second communication party, according to the decryption operation NS_sk of the NS homomorphic encryption method, determines NS_sk(s') - r mod n and takes the result as the partial signature s, where NS_sk denotes the decryption operation of the NS additively homomorphic method under the homomorphic private key sk.
(4) Outputting a complete signature
This procedure is the same as in example 1.