CN110113165A - Support the SM2 digital signature collaboration generation method and system of mixing privacy sharing - Google Patents
Support the SM2 digital signature collaboration generation method and system of mixing privacy sharing Download PDFInfo
- Publication number
- CN110113165A CN110113165A CN201910335602.5A CN201910335602A CN110113165A CN 110113165 A CN110113165 A CN 110113165A CN 201910335602 A CN201910335602 A CN 201910335602A CN 110113165 A CN110113165 A CN 110113165A
- Authority
- CN
- China
- Prior art keywords
- mod
- digital signature
- user
- private key
- integer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Theoretical Computer Science (AREA)
- Mathematical Physics (AREA)
- Physics & Mathematics (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Optimization (AREA)
- Computing Systems (AREA)
- Mathematical Analysis (AREA)
- General Physics & Mathematics (AREA)
- Algebra (AREA)
- Storage Device Security (AREA)
Abstract
Invention is SM2 digital signature method: m device has secret c respectively1,…,cm;From t when initialization1=c1By with c2,...,cmMould n add or multiply and progressive t is calculated2,...,tm, calculate GB=[1+dA] G, b=(tm+tmdA)‑1(mod n), dAIt is private key;When d need to be usedAWhen to message M signature, m device distinguishes optional ki, using with calculate t2,...,tmCorresponding progressive calculating formula is from Q1=[k1]GBObtain Q2,…,Qm;Calculate r=(e+x1) mod n, wherein (x1,y1)=Qm, e is the Hash Value of message M;M device uses and calculates Q2,…,QmCorresponding progressive calculating formula is from s1=(k1+c1Br) mod n obtains s2,…,sm, s=(sm-r)mod n;(r, s) is digital signature.
Description
Technical field
The invention belongs to field of information security technology, especially a kind of SM2 digital signature association for supporting mixing privacy sharing
With generation method and system.
Background technique
SM2 is a kind of ellipse curve public key cipher algorithm by the promulgation of national Password Management office (referring to " SM2 elliptic curve
Public key algorithm " specification, national Password Management office, in December, 2010), digital signature is able to achieve based on this algorithm, key is handed over
It changes and data encryption.But due to the unique digital signature operation mode of SM2 algorithm, common privacy sharing (segmentation) mode
And the corresponding common crypto-operation mode based on privacy sharing can not be adapted for use with the feelings that SM2 private key is digitally signed
Shape.In response to this problem, the inventor of present patent application is it is proposed that the digital signature based on privacy sharing generates scheme accordingly,
But in relation to scheme only support summation privacy sharing (sum of secret shadow constitutes secret) or product privacy sharing (secret shadow
Product constitutes secret), the privacy sharing mode (mixing privacy sharing) for not supporting summation to mix with product, here it is this patents
The problems to be solved by the invention of application.
Summary of the invention
The purpose of the present invention is to propose to a kind of SM2 digital signature of privacy sharing for supporting summation to mix with product to cooperate with life
At method and system.
For the purpose of the present invention, technical solution proposed by the present invention includes supporting the SM2 number label of mixing privacy sharing
Name collaboration generation method and system.
In the description below to technical solution of the present invention, if P, Q are the element (point) in elliptic curve point group, P+Q
Indicate that the point of P, Q add, [k] P indicates that the point of k elliptic curve point P adds, i.e. P+P+...+P (shares k P, i.e. point P and integer k
Number multiply, if k be negative if indicate | k | the inverse element of a P point point after being added);Ellipsis " ... " indicates multiple same (classes
Type) data item or multiple same operations ([k] P is that the number of the point arranged in " SM2 ellipse curve public key cipher algorithm " multiplies
It indicates);
c-1Indicate inverse (the i.e. cc of the mould n multiplication of integer c-1Mod n=1), unless otherwise instructed, the integer of present patent application
It is inverse, all refer to that mould n multiplication is inverse;Multiple integers are multiplied (including integer symbol is multiplied, constant is multiplied with integer symbol), are not generating
In ambiguous situation, multiplication sign " " is dispensed, such as k1·k2It is reduced to k1k2, 3c, simplified position 3c;
Mod n indicates mould n operation (modulo operation), corresponds to " SM2 ellipse curve public key cipher algorithm " and advises
Modn in model;In addition, the priority of the operators m od n of mould n operation be it is minimum, as a+b mod n is equal to (a+b) mod
N, a-b mod n are equal to (a-b) mod n, ab mod n and are equal to (ab) mod n.
The SM2 digital signature of support mixing privacy sharing of the invention cooperates with generation method, specific as follows.
The method is related to m device, wherein m >=2;
M device is respectively marked as No. 1 to m device;M device preserve respectively in [1, n-1] section with
The integer secret c of machine selection1,c2,…,cm, wherein n is the base of SM2 elliptic curve point order of a group and SM2 elliptic curve point group
The rank of point G, ciIt is the secret that No. i-th device saves, i=1 ..., m;
It is calculated as follows to obtain secret c (by c in initial phase1,c2,…,cmBefore distributing to m device
Or later, initialization operation is completed by a device in m device or the device except m device or m device):
Step 1: setting t1=c1, into step 2;
I-th step: i=2 ... m calculates ti=(ti-1+ci) mod n or ti=(citi-1)mod n;
If i=m enables c=tm, the calculating of c is completed, otherwise enters i+1 and walks, until t is calculated in m stepm;
Above every step independent choice calculation formula during calculating c;The selection of the calculation formula of each step does not depend on it
The selection for the formula that he walks, random selection or subjective any selection are selected according to design requirement;
Later, G is takenB=[(1+dA)] G, b=(c-1(1+dA)-1) mod n, w=1, h=1,
Alternatively, taking GB=[(1+dA)] G, b=(- c-1dA(1+dA)-1) mod n, w=1, h=0,
Alternatively, taking GB=[c-1] G, b=1, w=(c-1(1+dA)-1) mod n, h=1,
Alternatively, taking GB=[- c-1dA] G, b=1, w=(- c-1dA(1+dA)-1) mod n, h=0,
Wherein c-1Be c mould n multiplication it is inverse, (1+dA)-1It is (1+dA) mould n multiplication it is inverse, dAIt is the SM2 private key of user;
After completing initialization, by GB, b, w, h be distributed to m device, m device does not save dA,c;
When needing the SM2 private key d using userAWhen being digitally signed for message M, m device as follows into
The collaboration generation of row digital signature (needs the SM2 private key d using userA, the main body that is digitally signed for message M can be with
Be call the cryptographic application of this m device, system or cryptographic application in one of crypto module or m device,
System):
No. 1 device randomly chooses an integer k in [1, n-1]1, calculate Q1=[k1]GB, then by Q1Send the 2nd to
Number device;
No. i-th device, i=2 ..., m randomly choose an integer k in [1, n-1]i, and it is calculated as follows Qi:
If calculating tiThe formula of Shi Caiyong is ti=(ti-1+ci) mod n, then Qi=Qi-1+[ki]GB;
If calculating tiThe formula of Shi Caiyong is ti=(citi-1) mod n, then Qi=[ci]Qi-1+[ki]GB;
If i=m enables Q=Qm, it is transferred to subsequent processing, otherwise, No. i-th device is by QiSend i+1 device to, directly
Q is completed to m devicemIt calculates;
A device in m device calculates r=(e+x1) mod n, wherein x1It is derived from (x1,y1)=Q, e are from user
Mark (presses SM2 algorithm, e is from user identifier ID with Hash Value (i.e. hashed value) derived from message MAEtc. hash derived from parameters
Value ZAThe Hash Value of data after merging with message M, standardizes referring to SM2);
(r is non-private data here, can be transmitted between two as needed)
Later, No. 1 device calculates s1=(k1+c1Br) mod n, here k1With calculating Q1When k1It is identical;
No. 1 device is by s1Send No. 2 device to;
No. i-th device, i=2 ..., m are calculated as follows si:
If calculating QiThe formula of use is Qi=Qi-1+[ki]GB, then si=(si-1+ki+cibr)mod n;
If calculating QiThe formula of use is Qi=[ci]Qi-1+[ki]GB, then si=(cisi-1+ki) mod n, here kiWith meter
Calculate QiWhen kiIt is identical;
If s is calculated in i=mmAfterwards, it is transferred to subsequent calculating, otherwise, No. i-th device is by siSend i+1 number dress to
It sets, until s is calculated in m devicem;
A device in m device calculates s=(wsm- hr) mod n, (r, s) is the number label for message M
Name.
Generation method is cooperateed with for SM2 digital signature described above, in tiWhen calculating, i=2 ... or m, if there is ti=
0, then integer secret c is selected in [1, n-1] again1,…,ci, reset t1, recalculate tj, j=2 ..., i, until ti
≠ 0, i=2 ..., m.
Generation method is cooperateed with for SM2 digital signature described above, if the SM2 private key d of userAIt is after c is calculated
It generates, then generates the SM2 private key d of userAMode be included in [1, n-1] one integer of random selection as dA, or by such as
Under type:
If b=(c-1(1+dA)-1) mod n, then fixed in [1, n-1] or arbitrarily selection (subjective any or random selection)
One integer is as b, to meet b=(c-1(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user;
If b=(- c-1dA(1+dA)-1) mod n, then fixed or any selection (subjective any or random choosing in [1, n-1]
Select) integer is as b, to meet b=(- c-1dA(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user;
If w=(c-1(1+dA)-1) mod n, then fixed in [1, n-1] or arbitrarily selection (subjective any or random selection)
One integer is as w, to meet w=(c-1(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user;
If w=(- c-1dA(1+dA)-1) mod n, then fixed or any selection (subjective any or random choosing in [1, n-1]
Select) integer is as w, to meet w=(- c-1dA(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user.
Generation method is cooperateed with for SM2 digital signature described above, if No. i-th device completes QiAfter calculating, i=1 ...,
Or m, check discovery QiIt is null element (infinite point), then No. 1 to No. i-th device chooses k againj, recalculate Qj, j=
1 ..., i, until QiIt is not null element, i=1 ..., m.
Generation method is cooperateed with for SM2 digital signature described above, if generating the digital signature procedure for being directed to message M
In, check that discovery r is integer 0, then m device recalculates Qi, i=1 ..., m recalculate Q, r, until r ≠ 0.
Generation method is cooperateed with for SM2 digital signature described above, if generating the digital signature procedure for being directed to message M
In, check that discovery [r] G+Q is the null element (infinite point) of SM2 elliptic curve point group, then m device recalculates Qi, i=
1 ..., m recalculate Q, r, until [r] G+Q is not the null element of SM2 elliptic curve point group;
Alternatively, if checking discovery (s+r) mod n=0, then m device weight after generating the digital signature for message M
It is new to calculate Qi, i=1 ..., m recalculate Q, r, recalculate si, i=1 ..., m recalculate s, until mod ≠ 0 (s+r).
Generation method is cooperateed with for SM2 digital signature described above, in the digital signature generating process for message M,
If No. i-th device (need not all devices) is in QiAnd siCalculating formula in use a simultaneouslyikiSubstitute ki, i=1 ... or m are then described
SM2 digital signature collaboration generation method is still set up, wherein aiIt is that (subjectivity is appointed for fixed selection or any selection in [1, n-1]
Meaning or random selection) an integer, aiExternally maintains secrecy or do not maintain secrecy (if aiIt is randomly selected integer, then aiIt is to count every time
Calculate QiWhen in [1, n-1] randomly selected integer, or initialization when in [1, n-1] randomly selected integer).
Generation method is cooperateed with for SM2 digital signature described above, if taking w=(c-1(1+dA)-1) mod n or w=(- c-1dA(1+dA)-1) mod n, and take cm=1 and calculating tmUsing formula tm=(cmtm-1) mod n, and using w as secret by m
Number device saves (other devices do not have w), and calculates s=(ws by m devicem- hr) mod n, then the SM2 digital signature
Collaboration generation method is still set up.
Generation method is cooperateed with for SM2 digital signature described above, if taking w=(c-1(1+dA)-1) mod n or w=(- c-1dA(1+dA)-1) mod n, and take cm=1 and calculating tmUsing formula tm=(cmtm-1) mod n, and using w as secret by m
Number device saves (other devices do not have w), and calculates s=(ws by m devicem- hr) mod n, and the SM2 private key d of userA
It is to be generated after c is calculated, then generates the SM2 private key d of userAMode to be included in random selection one in [1, n-1] whole
Number is used as dA, or as follows:
If w=(c-1(1+dA)-1) mod n, then one integer of random selection is as w in [1, n-1], to meet w=(c-1(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user;
If w=(- c-1dA(1+dA)-1) mod n, then one integer of random selection is as w in [1, n-1], to meet w=
(-c-1dA(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user.
Based on generation method is cooperateed with for SM2 digital signature described above, the collaboration of SM2 digital signature can be constructed and generate system
System, system includes m device, and wherein m is greater than or equal to 2, and the m device presses the SM2 digital signature generation method, collaboration
Generate the SM2 private key d for using userAFor the digital signature of message M.
It can be seen that, SM2 digital signature collaboration generation method of the invention and system support that mixing is secret from the above description
Shared, i.e., the process of calculating shared secret c had both included and c1,…,cmThe mould n of middle element and, and include and c1,…,cmMiddle element
Mould n product.
Specific embodiment
The present invention will be further described with reference to the examples below.Following embodiment be only the present invention enumerate it is several can
The embodiment of energy does not represent all possible embodiments, not as a limitation of the invention.
Embodiment 1,
This embodiment includes the m devices marked as No. 1 to No. m respectively, m >=2;In initial phase, m device
In a device or m device except a device m integer c is randomly choosed in [1, n-1] section1,…,cm, so
C is calculated by the progressive calculation method of aforementioned secret c afterwards;Take GB=[(1+dA)] G, b=(c-1(1+dA)-1) mod n, w=
1, h=1, wherein c-1Be c mould n multiplication it is inverse, (1+dA)-1It is (1+dA) mould n multiplication it is inverse, dAIt is the SM2 private key of user;It will
c1,…,cmIt is distributed to No. 1 respectively to m device, by GB, b be distributed to needs device (w, h do not have to distribution, only need to use
The corresponding calculation formula of w=1, h=1), by c, dAIt destroys;When needing the SM2 private key d using userAIt is raw for message M
When at digital signature, m device is generated to be directed to by the aforementioned SM2 digital signature collaboration generation method for supporting mixing privacy sharing to disappear
Cease the digital signature of M.In this embodiment, the SM2 private key d of userABy one integer generation of random selection in [1, n-1].
Embodiment 2,
This embodiment and embodiment 1 the difference is that: the SM2 private key d of userABe generated after c is calculated, and
To meet b=(c-1(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user, wherein b is solid in [1, n-1]
The integer of selection or any selection (subjective optional or random selection) calmly.
Embodiment 3,
This embodiment includes the m devices marked as No. 1 to No. m respectively, m >=2;In initial phase, m device
In a device or m device except a device m integer c is randomly choosed in [1, n-1] section1,…,cm, so
C is calculated by the progressive calculation method of aforementioned secret c afterwards;GB=[(1+dA)] G, b=(- c-1dA(1+dA)-1) mod n, w=
1, h=0, wherein c-1Be c mould n multiplication it is inverse, (1+dA)-1It is (1+dA) mould n multiplication it is inverse, dAIt is the SM2 private key of user;It will
c1,…,cmIt is distributed to No. 1 respectively to m device, by GB, b be distributed to needs device (w, h do not have to distribution, only need to use
The corresponding calculation formula of w=1, h=0), by c, dAIt destroys;When needing the SM2 private key d using userAIt is raw for message M
When at digital signature, m device is generated to be directed to by the aforementioned SM2 digital signature collaboration generation method for supporting mixing privacy sharing to disappear
Cease the digital signature of M.In this embodiment, the SM2 private key d of userABy one integer generation of random selection in [1, n-1].
Embodiment 4,
This embodiment and embodiment 1 the difference is that: the SM2 private key d of userABe generated after c is calculated, and
To meet b=(- c-1dA(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user, wherein b is in [1, n-1]
Fix the integer of selection or any selection (subjective optional or random selection).
Embodiment 5,
This embodiment includes the m devices marked as No. 1 to No. m respectively, m >=2;In initial phase, m device
In a device or m device except a device m integer c is randomly choosed in [1, n-1] section1,…,cm, so
C is calculated by the progressive calculation method of aforementioned secret c afterwards;Take GB=[c-1] G, b=1, w=(c-1(1+dA)-1) mod n, h=
1, wherein c-1Be c mould n multiplication it is inverse, dAIt is the SM2 private key of user;By c1,…,cmIt is distributed to No. 1 to No. m dress respectively
It sets, by GB, w be distributed to the devices (b, h do not have to distribution, only need to use the corresponding calculation formula of b=1, h=1) of needs,
By c, dAIt destroys;When needing the SM2 private key d using userAWhen generating digital signature for message M, m device presses aforementioned support
The SM2 digital signature collaboration generation method for mixing privacy sharing generates the digital signature for being directed to message M.In this embodiment, user
SM2 private key dABy one integer generation of random selection in [1, n-1].
Embodiment 6,
This embodiment and embodiment 3 the difference is that: the SM2 private key d of userABe generated after c is calculated, and
To meet w=(c-1(1+dA)-1) mod n and dA≠ 0 dAAs the SM2 private key of user, wherein w is fixed in [1, n-1]
The integer of selection or any selection (subjective optional or random selection).
Embodiment 7,
This embodiment includes the m devices marked as No. 1 to No. m respectively, m >=2;In initial phase, m device
In a device or m device except a device m integer c is randomly choosed in [1, n-1] section1,…,cm, so
C is calculated by the progressive calculation method of aforementioned secret c afterwards;Take GB=[- c-1dA] G, b=1, w=(- c-1dA(1+dA)-1)mod
N, h=0, wherein c-1Be c mould n multiplication it is inverse, dAIt is the SM2 private key of user;By c1,…,cmIt is distributed to No. 1 to No. m respectively
Device, by GB, w is distributed to the devices of needs (b, h do not have to distribution, only need to be using the corresponding calculation formula of b=1, h=0
Can), by c, dAIt destroys;When needing the SM2 private key d using userAWhen generating digital signature for message M, m device is by aforementioned
The SM2 digital signature collaboration generation method of mixing privacy sharing is supported to generate the digital signature for being directed to message M.In this embodiment,
The SM2 private key d of userABy one integer generation of random selection in [1, n-1].
Embodiment 8,
This embodiment and embodiment 3 the difference is that: the SM2 private key d of userABe generated after c is calculated, and
With w=(- c-1dA(1+dA)-1) mod n and dA≠ 0 dAAs the SM2 private key of user, wherein w is the fixed choosing in [1, n-1]
Select or arbitrarily select the integer of (subjective optional or random selection).
Embodiment 9,
This embodiment includes the m devices marked as No. 1 to No. m respectively, m >=2;In initial phase, m device
In a device or m device except a device m-1 integer c is randomly choosed in [1, n-1] section1,…,
cm-1, take cm=1, c then is calculated by the progressive calculation method of aforementioned secret c, wherein calculating tmUsing calculating formula tm=
(cmtm-1)mod n;Take GB=[c-1] G, b=1, w=(c-1(1+dA)-1) mod n, h=1, wherein c-1Be c mould n multiplication it is inverse,
(1+dA)-1It is (1+dA) mould n multiplication it is inverse, dAIt is the SM2 private key of user;By c1,…,cm-1It is distributed to No. 1 respectively to m-1
W is distributed to m device as secret and saves (other devices do not have w), by G by number deviceBIt is distributed to device (b, h of needs
Without distribution, the corresponding calculation formula of b=1, h=1 need to be only used), by c, dAIt destroys;When needing the SM2 using user
Private key dAWhen generating digital signature for message M, m device is by the aforementioned SM2 digital signature association for supporting mixing privacy sharing
With the digital signature for being directed to message M is generated in generation method, wherein calculating s=(ws by m devicem-hr)mod n.This reality
It applies in example, the SM2 private key d of userABy one integer generation of random selection in [1, n-1].
Embodiment 10,
This embodiment and embodiment 6 the difference is that: the SM2 private key d of userABe generated after c is calculated, and
To meet w=(c-1(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user, wherein w be in [1, n-1] with
The integer of machine selection.
Embodiment 11,
This embodiment includes the m devices marked as No. 1 to No. m respectively, m >=2;In initial phase, m device
In a device or m device except a device m-1 integer c is randomly choosed in [1, n-1] section1,…,
cm-1, take cm=1, c then is calculated by the progressive calculation method of aforementioned secret c, wherein calculating tmUsing calculating formula tm=
(cmtm-1)mod n;Take GB=[- c-1dA] G, b=1, w=(- c-1dA(1+dA)-1) mod n, h=0, wherein c-1It is the mould n of c
Multiplication is inverse, (1+dA)-1It is (1+dA) mould n multiplication it is inverse, dAIt is the SM2 private key of user;By c1,…,cm-1It is distributed to No. 1 respectively
To m-1 device, w is distributed to m device as secret and saves (other devices do not have w), by GBIt is distributed to needs
Device (b, h do not have to distribution, need to only use the corresponding calculation formula of b=1, h=0), by c, dAIt destroys;It is used when needing to use
The SM2 private key d at familyAWhen generating digital signature for message M, m device is by the aforementioned SM2 number for supporting mixing privacy sharing
The digital signature for being directed to message M is generated in signature collaboration generation method, wherein calculating s=(ws by m devicem-hr)mod n
(i.e. s=(wsm)mod n).In this embodiment, the SM2 private key d of userABy one integer life of random selection in [1, n-1]
At.
Embodiment 12,
This embodiment and embodiment 6 the difference is that: the SM2 private key d of userABe generated after c is calculated, and
To meet w=(- c-1dA(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user, wherein w is in [1, n-1]
Randomly selected integer.
Corresponding SM2 number label are constructed based on the aforementioned SM2 digital signature collaboration generation method for supporting mixing privacy sharing
Name collaboration generation system, system includes m device, and wherein m is greater than or equal to 2;Each device in the m device is one
Cipher server or user's computing device;The m device presses the SM2 digital signature generation method, and collaboration, which generates, to be made
With the SM2 private key d of userAFor the digital signature of message M.
Other unaccounted particular techniques are implemented, and are it is well known that not saying certainly for those skilled in the relevant art
Bright.
Claims (10)
1. a kind of SM2 digital signature collaboration generation method for supporting mixing privacy sharing, it is characterized in that:
The method is related to m device, wherein m >=2;
M device is respectively marked as No. 1 to m device;M device is preserved respectively to be selected at random in [1, n-1] section
The integer secret c selected1,c2,…,cm, wherein n is the basic point G of SM2 elliptic curve point order of a group and SM2 elliptic curve point group
Rank, ciIt is the secret that No. i-th device saves, i=1 ..., m;
It is calculated as follows to obtain secret c in initial phase:
Step 1: setting t1=c1, into step 2;
I-th step: i=2 ... m calculates ti=(ti-1+ci) mod n or ti=(citi-1)mod n;
If i=m enables c=tm, the calculating of secret c is completed, otherwise enters i+1 and walks, until t is calculated in m stepm;
Above every step independent choice calculation formula during calculating c;
Later, G is takenB=[(1+dA)] G, b=(c-1(1+dA)-1) mod n, w=1, h=1,
Alternatively, taking GB=[(1+dA)] G, b=(- c-1dA(1+dA)-1) mod n, w=1, h=0,
Alternatively, taking GB=[c-1] G, b=1, w=(c-1(1+dA)-1) mod n, h=1,
Alternatively, taking GB=[- c-1dA] G, b=1, w=(- c-1dA(1+dA)-1) mod n, h=0,
Wherein c-1Be c mould n multiplication it is inverse, (1+dA)-1It is (1+dA) mould n multiplication it is inverse, dAIt is the SM2 private key of user;
After completing initialization, by GB, b, w, h be distributed to m device, m device does not save the SM2 private key d of userA, secret c;
When needing the SM2 private key d using userAWhen being digitally signed for message M, m device carries out number as follows
The collaboration of signature generates:
No. 1 device randomly chooses an integer k in [1, n-1]1, calculate Q1=[k1]GB, then by Q1Send No. 2 dress to
It sets;
No. i-th device, i=2 ..., m randomly choose an integer k in [1, n-1]i, and it is calculated as follows Qi:
If calculating tiThe formula of Shi Caiyong is ti=(ti-1+ci) mod n, then Qi=Qi-1+[ki]GB;
If calculating tiThe formula of Shi Caiyong is ti=(citi-1) mod n, then Qi=[ci]Qi-1+[ki]GB;
If i=m enables Q=Qm, it is transferred to subsequent processing, otherwise, No. i-th device is by QiI+1 device is sent to, until m
Number device completes QmIt calculates;
A device in m device calculates r=(e+x1) mod n, wherein x1It is derived from (x1,y1)=Q, e be from user identifier and
Hash Value derived from message M;
Later, No. 1 device calculates s1=(k1+c1Br) mod n, here k1With calculating Q1When k1It is identical;
No. 1 device is by s1Send No. 2 device to;
No. i-th device, i=2 ..., m are calculated as follows si:
If calculating QiThe formula of use is Qi=Qi-1+[ki]GB, then si=(si-1+ki+cibr)mod n;
If calculating QiThe formula of use is Qi=[ci]Qi-1+[ki]GB, then si=(cisi-1+ki) mod n, here kiWith calculating QiWhen
KiIt is identical;
If s is calculated in i=mmAfterwards, it is transferred to subsequent calculating, otherwise, No. i-th device is by siSend i+1 device to, directly
S is calculated to m devicem;
A device in m device calculates s=(wsm- hr) mod n, (r, s) is the digital signature for message M.
2. the SM2 digital signature according to claim 1 for supporting mixing privacy sharing cooperates with generation method, it is characterized in that:
In tiWhen calculating, i=2 ... or m, if there is ti=0, then integer secret c is selected in [1, n-1] again1,…,ci, weight
New setting t1, recalculate tj, j=2 ..., i, until ti≠ 0, i=2 ..., m.
3. the SM2 digital signature according to claim 1 for supporting mixing privacy sharing cooperates with generation method, it is characterized in that:
If the SM2 private key d of userAIt is to be generated after c is calculated, then generates the SM2 private key d of userAMode be included in [1,
N-1] in random selection one integer as dA, or as follows:
If b=(c-1(1+dA)-1) mod n, then it is fixed in [1, n-1] or arbitrarily selects an integer as b, to meet b=
(c-1(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user;
If b=(- c-1dA(1+dA)-1) mod n, then it is fixed in [1, n-1] or arbitrarily selects an integer as b, to meet b
=(- c-1dA(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user;
If w=(c-1(1+dA)-1) mod n, then it is fixed in [1, n-1] or arbitrarily selects an integer as w, to meet w=
(c-1(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user;
If w=(- c-1dA(1+dA)-1) mod n, then it is fixed in [1, n-1] or arbitrarily selects an integer as w, to meet w
=(- c-1dA(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user.
4. the SM2 digital signature according to claim 1 for supporting mixing privacy sharing cooperates with generation method, it is characterized in that:
If No. i-th device completes QiAfter calculating, i=1 ... or m check discovery QiIt is null element, then No. 1 to No. i-th device weight
It is new to choose kj, recalculate Qj, j=1 ..., i, until QiIt is not null element, i=1 ..., m.
5. the SM2 digital signature according to claim 1 for supporting mixing privacy sharing cooperates with generation method, it is characterized in that:
If checking that discovery r is integer 0, then m device recalculates Q in generating the digital signature procedure for message Mi, i=
1 ..., m recalculate Q, r, until r ≠ 0.
6. the SM2 digital signature according to claim 1 for supporting mixing privacy sharing cooperates with generation method, it is characterized in that:
If checking that discovery [r] G+Q is the null element of SM2 elliptic curve point group in generating the digital signature procedure for message M,
Then m device recalculates Qi, i=1 ..., m recalculate Q, r, until [r] G+Q is not the zero of SM2 elliptic curve point group
Member;
Alternatively, if checking discovery (s+r) mod n=0, then m device is counted again after generating the digital signature for message M
Calculate Qi, i=1 ..., m recalculate Q, r, recalculate si, i=1 ..., m recalculate s, until mod ≠ 0 (s+r).
7. the SM2 digital signature according to claim 1 for supporting mixing privacy sharing cooperates with generation method, it is characterized in that:
In the digital signature generating process for message M, if No. i-th device is in QiAnd siCalculating formula in use a simultaneouslyikiSubstitution
ki, i=1 ... or m, then the SM2 digital signature collaboration generation method is still set up, wherein aiIt is the fixed choosing in [1, n-1]
It selects or an optional integer, aiIt externally maintains secrecy or does not maintain secrecy.
8. the SM2 digital signature according to claim 1 for supporting mixing privacy sharing cooperates with generation method, it is characterized in that:
If taking w=(c-1(1+dA)-1) mod n or w=(- c-1dA(1+dA)-1) mod n, and take cm=1 and calculating tmUsing formula
tm=(cmtm-1) mod n, and saved using w as secret by m device, and s=(ws is calculated by m devicem-hr)mod
N, then the SM2 digital signature collaboration generation method is still set up.
9. the SM2 digital signature according to claim 8 for supporting mixing privacy sharing cooperates with generation method, it is characterized in that:
If taking w=(c-1(1+dA)-1) mod n or w=(- c-1dA(1+dA)-1) mod n, and take cm=1 and calculating tmUsing formula
tm=(cmtm-1) mod n, and saved using w as secret by m device, and s=(ws is calculated by m devicem-hr)mod
N, and the SM2 private key d of userAIt is to be generated after c is calculated, then generates the SM2 private key d of userAMode be included in [1, n-
1] one integer of random selection is as d inA, or as follows:
If w=(c-1(1+dA)-1) mod n, then one integer of random selection is as w in [1, n-1], to meet w=(c-1(1+
dA)-1) mod n and dA≠ 0 dASM2 private key as user;
If w=(- c-1dA(1+dA)-1) mod n, then one integer of random selection is as w in [1, n-1], to meet w=(- c- 1dA(1+dA)-1) mod n and dA≠ 0 dASM2 private key as user.
10. a kind of cooperateed with based on the SM2 digital signature of any of claims 1-9 for supporting mixing privacy sharing is generated
The SM2 digital signature of method cooperates with generation system, it is characterized in that:
It includes m device that the SM2 digital signature, which generates system, and wherein m is greater than or equal to 2;Each dress in the m device
Set is a cipher server or user's computing device;The m device presses the SM2 digital signature generation method, association
With the SM2 private key d generated using userAFor the digital signature of message M.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910335602.5A CN110113165B (en) | 2019-04-24 | 2019-04-24 | SM2 digital signature collaborative generation method and system supporting mixed secret sharing |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910335602.5A CN110113165B (en) | 2019-04-24 | 2019-04-24 | SM2 digital signature collaborative generation method and system supporting mixed secret sharing |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110113165A true CN110113165A (en) | 2019-08-09 |
CN110113165B CN110113165B (en) | 2020-09-04 |
Family
ID=67486593
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910335602.5A Active CN110113165B (en) | 2019-04-24 | 2019-04-24 | SM2 digital signature collaborative generation method and system supporting mixed secret sharing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110113165B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140211938A1 (en) * | 2013-01-29 | 2014-07-31 | Certicom Corp. | Modified elliptic curve signature algorithm for message recovery |
CN106534183A (en) * | 2016-12-12 | 2017-03-22 | 中国航天***工程有限公司 | SM2/SM3/SM4 hybrid encryption method aiming at remote measurement and control terminal system |
CN106656512A (en) * | 2017-01-17 | 2017-05-10 | 武汉理工大学 | SM2 digital signature generation method and system supporting threshold password |
CN106712965A (en) * | 2017-01-17 | 2017-05-24 | 数安时代科技股份有限公司 | Digital signature method, device and cipher device |
CN107819585A (en) * | 2017-11-17 | 2018-03-20 | 武汉理工大学 | SM9 digital signature cooperates with generation method and system |
CN107872322A (en) * | 2017-11-02 | 2018-04-03 | 武汉理工大学 | Digital signature collaboration generation method and system based on homomorphic cryptography |
CN108055134A (en) * | 2017-12-12 | 2018-05-18 | 武汉理工大学 | Elliptic curve, which is counted, multiplies and matches the cooperated computing method and system of computing |
CN108989054A (en) * | 2018-08-30 | 2018-12-11 | 武汉理工大学 | A kind of cryptographic system and digital signature method |
CN109547209A (en) * | 2018-11-19 | 2019-03-29 | 北京大学 | A kind of two side's SM2 digital signature generation methods |
-
2019
- 2019-04-24 CN CN201910335602.5A patent/CN110113165B/en active Active
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140211938A1 (en) * | 2013-01-29 | 2014-07-31 | Certicom Corp. | Modified elliptic curve signature algorithm for message recovery |
CN106534183A (en) * | 2016-12-12 | 2017-03-22 | 中国航天***工程有限公司 | SM2/SM3/SM4 hybrid encryption method aiming at remote measurement and control terminal system |
CN106656512A (en) * | 2017-01-17 | 2017-05-10 | 武汉理工大学 | SM2 digital signature generation method and system supporting threshold password |
CN106712965A (en) * | 2017-01-17 | 2017-05-24 | 数安时代科技股份有限公司 | Digital signature method, device and cipher device |
CN107872322A (en) * | 2017-11-02 | 2018-04-03 | 武汉理工大学 | Digital signature collaboration generation method and system based on homomorphic cryptography |
CN107819585A (en) * | 2017-11-17 | 2018-03-20 | 武汉理工大学 | SM9 digital signature cooperates with generation method and system |
CN108055134A (en) * | 2017-12-12 | 2018-05-18 | 武汉理工大学 | Elliptic curve, which is counted, multiplies and matches the cooperated computing method and system of computing |
CN108989054A (en) * | 2018-08-30 | 2018-12-11 | 武汉理工大学 | A kind of cryptographic system and digital signature method |
CN109547209A (en) * | 2018-11-19 | 2019-03-29 | 北京大学 | A kind of two side's SM2 digital signature generation methods |
Non-Patent Citations (1)
Title |
---|
汪朝晖,张振峰: ""SM2椭圆曲线公钥密码算法综述"", 《信息安全研究》 * |
Also Published As
Publication number | Publication date |
---|---|
CN110113165B (en) | 2020-09-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106549770B (en) | SM2 digital signature generation method and system | |
CN106603231B (en) | Based on the distributed SM2 digital signature generation method and system for going secretization | |
CN107819585B (en) | SM9 digital signature collaborative generation method and system | |
CN106603246B (en) | A kind of SM2 digital signature segmentation generation method and system | |
CN106850198B (en) | SM2 digital signature generation method and system based on the collaboration of more devices | |
CN106656512B (en) | Support the SM2 digital signature generation method and system of threshold cryptography | |
CN107872322B (en) | Homomorphic encryption-based digital signature collaborative generation method and system | |
CN106850229B (en) | SM2 digital signature generation method and system based on product secret division | |
CN106712942B (en) | SM2 digital signature generation method and system based on privacy sharing | |
CN107483205B (en) | A kind of the digital signature generation method and system of the private key secret based on encryption | |
CN107104793B (en) | A kind of digital signature generation method and system | |
CN108306732A (en) | A kind of random digit generation method, relevant device and system | |
CN107968710A (en) | SM9 digital signature separation interaction generation method and system | |
Jiang et al. | SDSS-MAC: Secure data sharing scheme in multi-authority cloud storage systems | |
CN109565440B (en) | Key exchange method and key exchange system | |
CN1905438B (en) | Combined key managing method and system based on ID | |
CN110213057A (en) | SM9 digital signature collaboration generation method and system with product r parameter | |
CN109951292A (en) | The SM9 digital signature simplified separates interaction generation method and system | |
CN107819581B (en) | Generation method and system comprising secret number and elliptic curve point | |
CN109962783A (en) | SM9 digital signature collaboration generation method and system based on progressive calculating | |
CN112995215B (en) | Decryption system, method, device, electronic equipment and storage medium | |
CN110166235A (en) | The SM9 digital signature collaboration generation method and system of enhancing safety | |
CN111656728B (en) | Device, system and method for secure data communication | |
CN107528696A (en) | The digital signature generation method and system of a kind of hiding private key secret | |
CN110401524B (en) | Method and system for collaborative generation of secret-containing numbers by means of homomorphic encryption |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |