CN110113165A - SM2 digital signature collaborative generation method and system supporting mixed secret sharing - Google Patents


Publication number
CN110113165A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910335602.5A
Other languages
Chinese (zh)
Other versions
CN110113165B (en)
Inventor
龙毅宏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University of Technology WUT
Original Assignee
Wuhan University of Technology WUT
Application filed by Wuhan University of Technology WUT
Priority to CN201910335602.5A
Publication of CN110113165A
Application granted
Publication of CN110113165B
Legal status: Active

Classifications

    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention is an SM2 digital signature method. $m$ devices hold secrets $c_1,\dots,c_m$ respectively. At initialization, starting from $t_1=c_1$, the values $t_2,\dots,t_m$ are computed progressively by adding or multiplying with $c_2,\dots,c_m$ modulo $n$; then $G_B=[1+d_A]G$ and $b=(t_m+t_m d_A)^{-1} \pmod n$ are computed, where $d_A$ is the private key. When $d_A$ is needed to sign a message $M$, the $m$ devices each choose a $k_i$ and, using the progressive formulas corresponding to those used to compute $t_2,\dots,t_m$, obtain $Q_2,\dots,Q_m$ from $Q_1=[k_1]G_B$; $r=(e+x_1) \bmod n$ is computed, where $(x_1,y_1)=Q_m$ and $e$ is the hash value of the message $M$; the $m$ devices, using the progressive formulas corresponding to those used to compute $Q_2,\dots,Q_m$, obtain $s_2,\dots,s_m$ from $s_1=(k_1+c_1 b r) \bmod n$, and $s=(s_m-r) \bmod n$; $(r,s)$ is the digital signature.

Description

SM2 digital signature collaborative generation method and system supporting mixed secret sharing
Technical field
The invention belongs to the field of information security technology, and in particular concerns an SM2 digital signature collaborative generation method and system supporting mixed secret sharing.
Background
SM2 is an elliptic curve public key cryptographic algorithm promulgated by the State Cryptography Administration (see the "SM2 Elliptic Curve Public Key Cryptographic Algorithm" specification, State Cryptography Administration, December 2010). Digital signature, key exchange and data encryption can be implemented on the basis of this algorithm. However, because of the particular way the SM2 digital signature is computed, ordinary secret sharing (splitting) schemes, and the corresponding ordinary cryptographic operations based on secret sharing, cannot be applied to digital signing with an SM2 private key. To address this problem, the inventor of the present patent application has previously proposed corresponding digital signature generation schemes based on secret sharing, but those schemes support only additive secret sharing (the sum of the secret shares constitutes the secret) or multiplicative secret sharing (the product of the secret shares constitutes the secret); they do not support a secret sharing mode in which sums and products are mixed (mixed secret sharing). That is the problem to be solved by the invention of the present patent application.
Summary of the invention
The purpose of the invention is to propose an SM2 digital signature collaborative generation method and system supporting secret sharing in which sums and products are mixed.
For this purpose, the technical solution proposed by the invention comprises an SM2 digital signature collaborative generation method and system supporting mixed secret sharing.
In the following description of the technical solution of the invention, if $P$, $Q$ are elements (points) of the elliptic curve point group, $P+Q$ denotes the point addition of $P$ and $Q$, and $[k]P$ denotes the point addition of $k$ copies of the elliptic curve point $P$, i.e. $P+P+\dots+P$ ($k$ copies of $P$ in total, that is, the scalar multiplication of the point $P$ by the integer $k$; if $k$ is negative, it denotes the inverse of the point obtained by adding $|k|$ copies of $P$); the ellipsis "..." denotes multiple data items of the same type or multiple identical operations ($[k]P$ is the notation for scalar multiplication of a point agreed in "SM2 Elliptic Curve Public Key Cryptographic Algorithm");
$c^{-1}$ denotes the multiplicative inverse of the integer $c$ modulo $n$ (i.e. $c c^{-1} \bmod n = 1$); unless otherwise stated, integer inverses in this patent application all refer to multiplicative inverses modulo $n$; when several integers are multiplied (including multiplication of integer symbols, or of a constant with an integer symbol), the multiplication sign "·" is omitted where no ambiguity arises, e.g. $k_1 \cdot k_2$ is simplified to $k_1 k_2$ and $3 \cdot c$ is simplified to $3c$;
mod $n$ denotes the modulo-$n$ operation, corresponding to "modn" in the "SM2 Elliptic Curve Public Key Cryptographic Algorithm" specification; in addition, the operator mod $n$ has the lowest precedence, e.g. $a+b \bmod n$ equals $(a+b) \bmod n$, $a-b \bmod n$ equals $(a-b) \bmod n$, and $ab \bmod n$ equals $(ab) \bmod n$.
The SM2 digital signature collaborative generation method supporting mixed secret sharing of the invention is as follows.
The method involves $m$ devices, where $m \ge 2$;
The $m$ devices are labelled device No. 1 to device No. $m$; the $m$ devices respectively hold integer secrets $c_1, c_2, \dots, c_m$ selected at random in the interval $[1, n-1]$, where $n$ is the order of the SM2 elliptic curve point group, that is, the order of the base point $G$ of the SM2 elliptic curve point group, and $c_i$ is the secret held by device No. $i$, $i=1,\dots,m$;
In the initialization phase the secret $c$ is computed as follows (before or after $c_1, c_2, \dots, c_m$ are distributed to the $m$ devices; the initialization is performed by one of the $m$ devices or by a device outside the $m$ devices):
Step 1: set $t_1=c_1$ and go to step 2;
Step $i$, $i=2,\dots,m$: compute $t_i=(t_{i-1}+c_i) \bmod n$ or $t_i=(c_i t_{i-1}) \bmod n$;
If $i=m$, let $c=t_m$ and the computation of $c$ is complete; otherwise go to step $i+1$, until step $m$ has computed $t_m$;
In the above computation of $c$, each step chooses its formula independently; the choice of formula at one step does not depend on the choice at other steps, and may be made at random, arbitrarily at will, or according to design requirements;
After that, take $G_B=[(1+d_A)]G$, $b=(c^{-1}(1+d_A)^{-1}) \bmod n$, $w=1$, $h=1$,
or take $G_B=[(1+d_A)]G$, $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $w=1$, $h=0$,
or take $G_B=[c^{-1}]G$, $b=1$, $w=(c^{-1}(1+d_A)^{-1}) \bmod n$, $h=1$,
or take $G_B=[-c^{-1}d_A]G$, $b=1$, $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $h=0$,
where $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, $(1+d_A)^{-1}$ is the multiplicative inverse of $(1+d_A)$ modulo $n$, and $d_A$ is the user's SM2 private key;
After initialization is complete, $G_B$, $b$, $w$, $h$ are distributed to the $m$ devices; the $m$ devices do not store $d_A$ or $c$;
When the user's SM2 private key $d_A$ needs to be used to digitally sign a message $M$, the $m$ devices generate the digital signature collaboratively as follows (the entity that needs to use the user's SM2 private key $d_A$ to sign the message $M$ may be a cryptographic application, system or cryptographic module that calls the $m$ devices, or a cryptographic application or system in one of the $m$ devices):
Device No. 1 selects an integer $k_1$ at random in $[1, n-1]$, computes $Q_1=[k_1]G_B$, and then sends $Q_1$ to device No. 2;
Device No. $i$, $i=2,\dots,m$, selects an integer $k_i$ at random in $[1, n-1]$ and computes $Q_i$ as follows:
If the formula used to compute $t_i$ was $t_i=(t_{i-1}+c_i) \bmod n$, then $Q_i=Q_{i-1}+[k_i]G_B$;
If the formula used to compute $t_i$ was $t_i=(c_i t_{i-1}) \bmod n$, then $Q_i=[c_i]Q_{i-1}+[k_i]G_B$;
If $i=m$, let $Q=Q_m$ and proceed to the subsequent processing; otherwise device No. $i$ sends $Q_i$ to device No. $i+1$, until device No. $m$ completes the computation of $Q_m$;
One of the $m$ devices computes $r=(e+x_1) \bmod n$, where $x_1$ is taken from $(x_1,y_1)=Q$ and $e$ is the hash value derived from the user identifier and the message $M$ (per the SM2 algorithm, $e$ is the hash value of the data obtained by concatenating $Z_A$, the hash value derived from the user identifier $ID_A$ and other parameters, with the message $M$; see the SM2 specification);
(here $r$ is non-secret data and can be transmitted between devices as needed)
After that, device No. 1 computes $s_1=(k_1+c_1 b r) \bmod n$, where $k_1$ is the same $k_1$ used when computing $Q_1$;
Device No. 1 sends $s_1$ to device No. 2;
Device No. $i$, $i=2,\dots,m$, computes $s_i$ as follows:
If the formula used to compute $Q_i$ was $Q_i=Q_{i-1}+[k_i]G_B$, then $s_i=(s_{i-1}+k_i+c_i b r) \bmod n$;
If the formula used to compute $Q_i$ was $Q_i=[c_i]Q_{i-1}+[k_i]G_B$, then $s_i=(c_i s_{i-1}+k_i) \bmod n$, where $k_i$ is the same $k_i$ used when computing $Q_i$;
If $i=m$, then after $s_m$ is computed proceed to the subsequent computation; otherwise device No. $i$ sends $s_i$ to device No. $i+1$, until device No. $m$ has computed $s_m$;
One of the $m$ devices computes $s=(w s_m - h r) \bmod n$; $(r, s)$ is the digital signature for the message $M$.
For the SM2 digital signature collaborative generation method described above, if $t_i=0$ occurs when computing $t_i$, $i=2,\dots,$ or $m$, then the integer secrets $c_1,\dots,c_i$ are selected again in $[1, n-1]$, $t_1$ is reset, and $t_j$, $j=2,\dots,i$, is recomputed, until $t_i \ne 0$, $i=2,\dots,m$.
For the SM2 digital signature collaborative generation method described above, if the user's SM2 private key $d_A$ is generated after $c$ has been computed, then the ways of generating the user's SM2 private key $d_A$ include selecting an integer at random in $[1, n-1]$ as $d_A$, or the following:
If $b=(c^{-1}(1+d_A)^{-1}) \bmod n$, then an integer is fixed or arbitrarily chosen (at will or at random) in $[1, n-1]$ as $b$, and the $d_A$ satisfying $b=(c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \ne 0$ is taken as the user's SM2 private key;
If $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, then an integer is fixed or arbitrarily chosen (at will or at random) in $[1, n-1]$ as $b$, and the $d_A$ satisfying $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \ne 0$ is taken as the user's SM2 private key;
If $w=(c^{-1}(1+d_A)^{-1}) \bmod n$, then an integer is fixed or arbitrarily chosen (at will or at random) in $[1, n-1]$ as $w$, and the $d_A$ satisfying $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \ne 0$ is taken as the user's SM2 private key;
If $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, then an integer is fixed or arbitrarily chosen (at will or at random) in $[1, n-1]$ as $w$, and the $d_A$ satisfying $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \ne 0$ is taken as the user's SM2 private key.
For the SM2 digital signature collaborative generation method described above, if device No. $i$, $i=1,\dots,$ or $m$, after completing the computation of $Q_i$, checks and finds that $Q_i$ is the identity element (point at infinity), then devices No. 1 to No. $i$ select $k_j$ again and recompute $Q_j$, $j=1,\dots,i$, until $Q_i$ is not the identity element, $i=1,\dots,m$.
For the SM2 digital signature collaborative generation method described above, if, during generation of the digital signature for the message $M$, a check finds that $r$ is the integer 0, then the $m$ devices recompute $Q_i$, $i=1,\dots,m$, and recompute $Q$ and $r$, until $r \ne 0$.
For the SM2 digital signature collaborative generation method described above, if, during generation of the digital signature for the message $M$, a check finds that $[r]G+Q$ is the identity element (point at infinity) of the SM2 elliptic curve point group, then the $m$ devices recompute $Q_i$, $i=1,\dots,m$, and recompute $Q$ and $r$, until $[r]G+Q$ is not the identity element of the SM2 elliptic curve point group;
Alternatively, if, after the digital signature for the message $M$ has been generated, a check finds that $(s+r) \bmod n=0$, then the $m$ devices recompute $Q_i$, $i=1,\dots,m$, recompute $Q$ and $r$, recompute $s_i$, $i=1,\dots,m$, and recompute $s$, until $(s+r) \bmod n \ne 0$.
For the SM2 digital signature collaborative generation method described above, if, during generation of the digital signature for the message $M$, device No. $i$ (not necessarily all devices), $i=1,\dots,$ or $m$, uses $a_i k_i$ in place of $k_i$ in the formulas for both $Q_i$ and $s_i$, then the SM2 digital signature collaborative generation method still holds, where $a_i$ is an integer fixed or arbitrarily chosen (at will or at random) in $[1, n-1]$, and $a_i$ is or is not kept secret from outside (if $a_i$ is a randomly selected integer, then $a_i$ is an integer selected at random in $[1, n-1]$ each time $Q_i$ is computed, or an integer selected at random in $[1, n-1]$ at initialization).
For the SM2 digital signature collaborative generation method described above, if $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ or $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ is taken, and $c_m=1$ is taken with $t_m$ computed by the formula $t_m=(c_m t_{m-1}) \bmod n$, and $w$ is kept as a secret by device No. $m$ (the other devices do not have $w$), and $s=(w s_m - h r) \bmod n$ is computed by device No. $m$, then the SM2 digital signature collaborative generation method still holds.
For the SM2 digital signature collaborative generation method described above, if $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ or $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ is taken, and $c_m=1$ is taken with $t_m$ computed by the formula $t_m=(c_m t_{m-1}) \bmod n$, and $w$ is kept as a secret by device No. $m$ (the other devices do not have $w$), and $s=(w s_m - h r) \bmod n$ is computed by device No. $m$, and the user's SM2 private key $d_A$ is generated after $c$ has been computed, then the ways of generating the user's SM2 private key $d_A$ include selecting an integer at random in $[1, n-1]$ as $d_A$, or the following:
If $w=(c^{-1}(1+d_A)^{-1}) \bmod n$, then an integer is selected at random in $[1, n-1]$ as $w$, and the $d_A$ satisfying $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \ne 0$ is taken as the user's SM2 private key;
If $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, then an integer is selected at random in $[1, n-1]$ as $w$, and the $d_A$ satisfying $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \ne 0$ is taken as the user's SM2 private key.
Based on the SM2 digital signature collaborative generation method described above, an SM2 digital signature collaborative generation system can be constructed. The system comprises $m$ devices, where $m$ is greater than or equal to 2, and the $m$ devices, following the SM2 digital signature generation method, collaboratively generate the digital signature for the message $M$ using the user's SM2 private key $d_A$.
As can be seen from the above description, the SM2 digital signature collaborative generation method and system of the invention support mixed secret sharing, i.e. the process of computing the shared secret $c$ includes both sums modulo $n$ with elements of $c_1,\dots,c_m$ and products modulo $n$ with elements of $c_1,\dots,c_m$.
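The initialization, the two passes (the $Q_i$ chain, then the $s_i$ chain) and the retry checks described above, as an added Python example that is not part of the patent text. It runs all $m$ devices in one process, uses textbook non-constant-time affine arithmetic on the SM2 recommended curve, and substitutes SHA-256 for the SM3 digest $e$; all function names are illustrative, and the $s=0$ retry comes from standard SM2 signing rather than from this page.

```python
import hashlib
import secrets

# SM2 recommended curve y^2 = x^3 + A*x + b over F_P; G has prime order N.
# (The constant b is not needed by the addition formulas below.)
P = 2**256 - 2**224 - 2**96 + 2**64 - 1
A = P - 3
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def rand_scalar():  # uniform integer in [1, n-1]
    return secrets.randbelow(N - 1) + 1

def add(p1, p2):  # affine addition; None = point at infinity; NOT constant-time
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication [k]pt
    k, acc = k % N, None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def dealer_init(ops, d_a, variant=1):
    """ops[i-2] is '+' or '*' for step i = 2..m. Returns (c_1..c_m, G_B, b, w, h)."""
    while True:
        c = [rand_scalar() for _ in range(len(ops) + 1)]
        t = c[0]                                  # t_1 = c_1
        for c_i, op in zip(c[1:], ops):
            t = (t + c_i) % N if op == "+" else (c_i * t) % N
            if t == 0:                            # some t_i = 0: reselect (here, all shares)
                break
        if t != 0:
            break
    c_inv, u = pow(t, -1, N), pow(1 + d_a, -1, N)  # c^-1 and (1+d_A)^-1 mod n
    table = {1: (1 + d_a, c_inv * u, 1, 1),        # scalar of G_B, b, w, h
             2: (1 + d_a, -c_inv * d_a * u, 1, 0),
             3: (c_inv, 1, c_inv * u, 1),
             4: (-c_inv * d_a, 1, -c_inv * d_a * u, 0)}
    g_scalar, b, w, h = table[variant]
    return c, mul(g_scalar, G), b % N, w % N, h    # c (= t) and d_A are not returned

def cosign(shares, ops, g_b, b, w, h, e):
    """shares[i] is c_(i+1); each loop iteration below is one device's local step."""
    m = len(shares)
    while True:
        k = [rand_scalar() for _ in range(m)]
        q = mul(k[0], g_b)                         # device 1: Q_1 = [k_1]G_B
        for i in range(1, m):                      # pass 1: Q travels device 2 -> m
            prev = q if ops[i - 1] == "+" else mul(shares[i], q)
            q = add(prev, mul(k[i], g_b))
            if q is None:                          # Q_i is the point at infinity
                break
        if q is None:
            continue
        r = (e + q[0]) % N
        if r == 0 or add(mul(r, G), q) is None:    # r = 0, or [r]G + Q = infinity
            continue
        s = (k[0] + shares[0] * b * r) % N         # device 1: s_1
        for i in range(1, m):                      # pass 2: s travels device 2 -> m
            if ops[i - 1] == "+":
                s = (s + k[i] + shares[i] * b * r) % N
            else:
                s = (shares[i] * s + k[i]) % N
        s = (w * s - h * r) % N
        if s != 0:                                 # standard SM2 also rejects s = 0
            return r, s

def digest(z_a, msg):  # SHA-256 stands in for SM3 (assumption of this example)
    return int.from_bytes(hashlib.sha256(z_a + msg).digest(), "big")

def sm2_verify(pub, e, r, s):  # ordinary single-key SM2 verification equation
    t = (r + s) % N
    if not (0 < r < N and 0 < s < N) or t == 0:
        return False
    pt = add(mul(s, G), mul(t, pub))
    return pt is not None and (e + pt[0]) % N == r

def demo(variant, ops=("+", "*", "+")):
    d_a = secrets.randbelow(N - 2) + 1             # private key in [1, n-2]
    pub = mul(d_a, G)                              # P_A = [d_A]G
    shares, g_b, b, w, h = dealer_init(ops, d_a, variant)
    e = digest(b"constructed-Z_A", b"constructed message")
    r, s = cosign(shares, ops, g_b, b, w, h, e)
    return sm2_verify(pub, e, r, s), sm2_verify(pub, e + 1, r, s)
```

`demo(v)` returns `(True, False)` for each of the four parameter choices: the cooperative signature verifies under the ordinary SM2 verification equation with $P_A=[d_A]G$, and fails for a different digest.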
Detailed description of embodiments
The invention is further described below with reference to embodiments. The following embodiments are only several possible embodiments enumerated for the invention; they do not represent all possible embodiments and are not a limitation of the invention.
Embodiment 1
This embodiment comprises $m$ devices labelled No. 1 to No. $m$, $m \ge 2$. In the initialization phase, one of the $m$ devices or a device outside the $m$ devices selects $m$ integers $c_1,\dots,c_m$ at random in the interval $[1, n-1]$ and then computes $c$ by the progressive computation method for the secret $c$ described above; it takes $G_B=[(1+d_A)]G$, $b=(c^{-1}(1+d_A)^{-1}) \bmod n$, $w=1$, $h=1$, where $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, $(1+d_A)^{-1}$ is the multiplicative inverse of $(1+d_A)$ modulo $n$, and $d_A$ is the user's SM2 private key; $c_1,\dots,c_m$ are distributed to devices No. 1 to No. $m$ respectively, $G_B$ and $b$ are distributed to the devices that need them ($w$ and $h$ need not be distributed; it suffices to use the computation formulas corresponding to $w=1$, $h=1$), and $c$ and $d_A$ are destroyed. When the user's SM2 private key $d_A$ needs to be used to generate a digital signature for a message $M$, the $m$ devices generate the digital signature for the message $M$ by the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing. In this embodiment, the user's SM2 private key $d_A$ is generated by selecting an integer at random in $[1, n-1]$.
Embodiment 2
This embodiment differs from Embodiment 1 in that the user's SM2 private key $d_A$ is generated after $c$ has been computed, and the $d_A$ satisfying $b=(c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \ne 0$ is taken as the user's SM2 private key, where $b$ is an integer fixed or arbitrarily chosen (at will or at random) in $[1, n-1]$.
Embodiment 3
This embodiment comprises $m$ devices labelled No. 1 to No. $m$, $m \ge 2$. In the initialization phase, one of the $m$ devices or a device outside the $m$ devices selects $m$ integers $c_1,\dots,c_m$ at random in the interval $[1, n-1]$ and then computes $c$ by the progressive computation method for the secret $c$ described above; it takes $G_B=[(1+d_A)]G$, $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $w=1$, $h=0$, where $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, $(1+d_A)^{-1}$ is the multiplicative inverse of $(1+d_A)$ modulo $n$, and $d_A$ is the user's SM2 private key; $c_1,\dots,c_m$ are distributed to devices No. 1 to No. $m$ respectively, $G_B$ and $b$ are distributed to the devices that need them ($w$ and $h$ need not be distributed; it suffices to use the computation formulas corresponding to $w=1$, $h=0$), and $c$ and $d_A$ are destroyed. When the user's SM2 private key $d_A$ needs to be used to generate a digital signature for a message $M$, the $m$ devices generate the digital signature for the message $M$ by the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing. In this embodiment, the user's SM2 private key $d_A$ is generated by selecting an integer at random in $[1, n-1]$.
Embodiment 4
This embodiment differs from Embodiment 1 in that the user's SM2 private key $d_A$ is generated after $c$ has been computed, and the $d_A$ satisfying $b=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \ne 0$ is taken as the user's SM2 private key, where $b$ is an integer fixed or arbitrarily chosen (at will or at random) in $[1, n-1]$.
Embodiment 5
This embodiment comprises $m$ devices labelled No. 1 to No. $m$, $m \ge 2$. In the initialization phase, one of the $m$ devices or a device outside the $m$ devices selects $m$ integers $c_1,\dots,c_m$ at random in the interval $[1, n-1]$ and then computes $c$ by the progressive computation method for the secret $c$ described above; it takes $G_B=[c^{-1}]G$, $b=1$, $w=(c^{-1}(1+d_A)^{-1}) \bmod n$, $h=1$, where $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$ and $d_A$ is the user's SM2 private key; $c_1,\dots,c_m$ are distributed to devices No. 1 to No. $m$ respectively, $G_B$ and $w$ are distributed to the devices that need them ($b$ and $h$ need not be distributed; it suffices to use the computation formulas corresponding to $b=1$, $h=1$), and $c$ and $d_A$ are destroyed. When the user's SM2 private key $d_A$ needs to be used to generate a digital signature for a message $M$, the $m$ devices generate the digital signature for the message $M$ by the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing. In this embodiment, the user's SM2 private key $d_A$ is generated by selecting an integer at random in $[1, n-1]$.
Embodiment 6
This embodiment differs from Embodiment 3 in that the user's SM2 private key $d_A$ is generated after $c$ has been computed, and the $d_A$ satisfying $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \ne 0$ is taken as the user's SM2 private key, where $w$ is an integer fixed or arbitrarily chosen (at will or at random) in $[1, n-1]$.
Embodiment 7
This embodiment comprises $m$ devices labelled No. 1 to No. $m$, $m \ge 2$. In the initialization phase, one of the $m$ devices or a device outside the $m$ devices selects $m$ integers $c_1,\dots,c_m$ at random in the interval $[1, n-1]$ and then computes $c$ by the progressive computation method for the secret $c$ described above; it takes $G_B=[-c^{-1}d_A]G$, $b=1$, $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $h=0$, where $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$ and $d_A$ is the user's SM2 private key; $c_1,\dots,c_m$ are distributed to devices No. 1 to No. $m$ respectively, $G_B$ and $w$ are distributed to the devices that need them ($b$ and $h$ need not be distributed; it suffices to use the computation formulas corresponding to $b=1$, $h=0$), and $c$ and $d_A$ are destroyed. When the user's SM2 private key $d_A$ needs to be used to generate a digital signature for a message $M$, the $m$ devices generate the digital signature for the message $M$ by the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing. In this embodiment, the user's SM2 private key $d_A$ is generated by selecting an integer at random in $[1, n-1]$.
Embodiment 8
This embodiment differs from Embodiment 3 in that the user's SM2 private key $d_A$ is generated after $c$ has been computed, and the $d_A$ satisfying $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \ne 0$ is taken as the user's SM2 private key, where $w$ is an integer fixed or arbitrarily chosen (at will or at random) in $[1, n-1]$.
Embodiment 9
This embodiment comprises $m$ devices labelled No. 1 to No. $m$, $m \ge 2$. In the initialization phase, one of the $m$ devices or a device outside the $m$ devices selects $m-1$ integers $c_1,\dots,c_{m-1}$ at random in the interval $[1, n-1]$, takes $c_m=1$, and then computes $c$ by the progressive computation method for the secret $c$ described above, where $t_m$ is computed by the formula $t_m=(c_m t_{m-1}) \bmod n$; it takes $G_B=[c^{-1}]G$, $b=1$, $w=(c^{-1}(1+d_A)^{-1}) \bmod n$, $h=1$, where $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, $(1+d_A)^{-1}$ is the multiplicative inverse of $(1+d_A)$ modulo $n$, and $d_A$ is the user's SM2 private key; $c_1,\dots,c_{m-1}$ are distributed to devices No. 1 to No. $m-1$ respectively, $w$ is distributed to device No. $m$ and kept by it as a secret (the other devices do not have $w$), $G_B$ is distributed to the devices that need it ($b$ and $h$ need not be distributed; it suffices to use the computation formulas corresponding to $b=1$, $h=1$), and $c$ and $d_A$ are destroyed. When the user's SM2 private key $d_A$ needs to be used to generate a digital signature for a message $M$, the $m$ devices generate the digital signature for the message $M$ by the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing, where $s=(w s_m - h r) \bmod n$ is computed by device No. $m$. In this embodiment, the user's SM2 private key $d_A$ is generated by selecting an integer at random in $[1, n-1]$.
Embodiment 10
This embodiment differs from Embodiment 6 in that the user's SM2 private key $d_A$ is generated after $c$ has been computed, and the $d_A$ satisfying $w=(c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \ne 0$ is taken as the user's SM2 private key, where $w$ is an integer selected at random in $[1, n-1]$.
Embodiment 11
This embodiment comprises $m$ devices labelled No. 1 to No. $m$, $m \ge 2$. In the initialization phase, one of the $m$ devices or a device outside the $m$ devices selects $m-1$ integers $c_1,\dots,c_{m-1}$ at random in the interval $[1, n-1]$, takes $c_m=1$, and then computes $c$ by the progressive computation method for the secret $c$ described above, where $t_m$ is computed by the formula $t_m=(c_m t_{m-1}) \bmod n$; it takes $G_B=[-c^{-1}d_A]G$, $b=1$, $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, $h=0$, where $c^{-1}$ is the multiplicative inverse of $c$ modulo $n$, $(1+d_A)^{-1}$ is the multiplicative inverse of $(1+d_A)$ modulo $n$, and $d_A$ is the user's SM2 private key; $c_1,\dots,c_{m-1}$ are distributed to devices No. 1 to No. $m-1$ respectively, $w$ is distributed to device No. $m$ and kept by it as a secret (the other devices do not have $w$), $G_B$ is distributed to the devices that need it ($b$ and $h$ need not be distributed; it suffices to use the computation formulas corresponding to $b=1$, $h=0$), and $c$ and $d_A$ are destroyed. When the user's SM2 private key $d_A$ needs to be used to generate a digital signature for a message $M$, the $m$ devices generate the digital signature for the message $M$ by the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing, where $s=(w s_m - h r) \bmod n$ (i.e. $s=(w s_m) \bmod n$) is computed by device No. $m$. In this embodiment, the user's SM2 private key $d_A$ is generated by selecting an integer at random in $[1, n-1]$.
Embodiment 12
This embodiment differs from Embodiment 6 in that the user's SM2 private key $d_A$ is generated after $c$ has been computed, and the $d_A$ satisfying $w=(-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \ne 0$ is taken as the user's SM2 private key, where $w$ is an integer selected at random in $[1, n-1]$.
A corresponding SM2 digital signature collaborative generation system is constructed on the basis of the aforementioned SM2 digital signature collaborative generation method supporting mixed secret sharing. The system comprises $m$ devices, where $m$ is greater than or equal to 2; each of the $m$ devices is a cryptographic server or a user computing device; the $m$ devices, following the SM2 digital signature generation method, collaboratively generate the digital signature for the message $M$ using the user's SM2 private key $d_A$.
Other specific technical implementations not described here are well known to those skilled in the relevant art and are self-evident.

Claims (10)

1. a kind of SM2 digital signature collaboration generation method for supporting mixing privacy sharing, it is characterized in that:
The method is related to m device, wherein m >=2;
M device is respectively marked as No. 1 to m device;M device is preserved respectively to be selected at random in [1, n-1] section The integer secret c selected1,c2,…,cm, wherein n is the basic point G of SM2 elliptic curve point order of a group and SM2 elliptic curve point group Rank, ciIt is the secret that No. i-th device saves, i=1 ..., m;
It is calculated as follows to obtain secret c in initial phase:
Step 1: setting t1=c1, into step 2;
I-th step: i=2 ... m calculates ti=(ti-1+ci) mod n or ti=(citi-1)mod n;
If i=m enables c=tm, the calculating of secret c is completed, otherwise enters i+1 and walks, until t is calculated in m stepm
Above every step independent choice calculation formula during calculating c;
Later, G is takenB=[(1+dA)] G, b=(c-1(1+dA)-1) mod n, w=1, h=1,
Alternatively, taking GB=[(1+dA)] G, b=(- c-1dA(1+dA)-1) mod n, w=1, h=0,
Alternatively, taking GB=[c-1] G, b=1, w=(c-1(1+dA)-1) mod n, h=1,
Alternatively, taking GB=[- c-1dA] G, b=1, w=(- c-1dA(1+dA)-1) mod n, h=0,
Wherein c-1Be c mould n multiplication it is inverse, (1+dA)-1It is (1+dA) mould n multiplication it is inverse, dAIt is the SM2 private key of user;
After completing initialization, by GB, b, w, h be distributed to m device, m device does not save the SM2 private key d of userA, secret c;
When the user's SM2 private key $d_A$ is needed to digitally sign a message $M$, the m devices collaboratively generate the digital signature as follows:
Device 1 randomly selects an integer $k_1$ in $[1, n-1]$, computes $Q_1 = [k_1]G_B$, and sends $Q_1$ to device 2;
Device $i$, $i = 2, \ldots, m$, randomly selects an integer $k_i$ in $[1, n-1]$ and computes $Q_i$ as follows:
If the formula used to compute $t_i$ was $t_i = (t_{i-1} + c_i) \bmod n$, then $Q_i = Q_{i-1} + [k_i]G_B$;
If the formula used to compute $t_i$ was $t_i = (c_i t_{i-1}) \bmod n$, then $Q_i = [c_i]Q_{i-1} + [k_i]G_B$;
If $i = m$, let $Q = Q_m$ and proceed to the subsequent processing; otherwise device $i$ sends $Q_i$ to device $i+1$, until device $m$ completes the computation of $Q_m$;
One of the m devices computes $r = (e + x_1) \bmod n$, where $x_1$ is taken from $(x_1, y_1) = Q$ and $e$ is the hash value derived from the user identifier and the message $M$;
Then device 1 computes $s_1 = (k_1 + c_1 b r) \bmod n$, where $k_1$ is the same $k_1$ used when computing $Q_1$;
Device 1 sends $s_1$ to device 2;
Device $i$, $i = 2, \ldots, m$, computes $s_i$ as follows:
If the formula used to compute $Q_i$ was $Q_i = Q_{i-1} + [k_i]G_B$, then $s_i = (s_{i-1} + k_i + c_i b r) \bmod n$;
If the formula used to compute $Q_i$ was $Q_i = [c_i]Q_{i-1} + [k_i]G_B$, then $s_i = (c_i s_{i-1} + k_i) \bmod n$, where $k_i$ is the same $k_i$ used when computing $Q_i$;
If $i = m$, then after $s_m$ is computed proceed to the subsequent computation; otherwise device $i$ sends $s_i$ to device $i+1$, until device $m$ computes $s_m$;
One of the m devices computes $s = (w s_m - h r) \bmod n$; $(r, s)$ is the digital signature for the message $M$.
2. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:
When computing $t_i$, $i = 2, \ldots,$ or $m$, if $t_i = 0$ occurs, then the integer secrets $c_1, \ldots, c_i$ are reselected in $[1, n-1]$, $t_1$ is set again, and $t_j$, $j = 2, \ldots, i$, are recomputed, until $t_i \neq 0$, $i = 2, \ldots, m$.
3. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:
If the user's SM2 private key $d_A$ is generated after $c$ has been computed, then the ways of generating the user's SM2 private key $d_A$ include randomly selecting an integer in $[1, n-1]$ as $d_A$, or the following:
If $b = (c^{-1}(1+d_A)^{-1}) \bmod n$, then a fixed or arbitrarily chosen integer in $[1, n-1]$ is taken as $b$, and the $d_A$ satisfying $b = (c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key;
If $b = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, then a fixed or arbitrarily chosen integer in $[1, n-1]$ is taken as $b$, and the $d_A$ satisfying $b = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key;
If $w = (c^{-1}(1+d_A)^{-1}) \bmod n$, then a fixed or arbitrarily chosen integer in $[1, n-1]$ is taken as $w$, and the $d_A$ satisfying $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key;
If $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, then a fixed or arbitrarily chosen integer in $[1, n-1]$ is taken as $w$, and the $d_A$ satisfying $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key.
4. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:
If device $i$, $i = 1, \ldots,$ or $m$, after completing the computation of $Q_i$, checks and finds that $Q_i$ is the zero element, then devices 1 to $i$ reselect $k_j$ and recompute $Q_j$, $j = 1, \ldots, i$, until $Q_i$ is not the zero element, $i = 1, \ldots, m$.
5. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:
If, during generation of the digital signature for the message $M$, a check finds that $r$ is the integer 0, then the m devices recompute $Q_i$, $i = 1, \ldots, m$, and recompute $Q$ and $r$, until $r \neq 0$.
6. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:
If, during generation of the digital signature for the message $M$, a check finds that $[r]G + Q$ is the zero element of the SM2 elliptic curve point group, then the m devices recompute $Q_i$, $i = 1, \ldots, m$, and recompute $Q$ and $r$, until $[r]G + Q$ is not the zero element of the SM2 elliptic curve point group;
Alternatively, if, after the digital signature for the message $M$ has been generated, a check finds that $(s + r) \bmod n = 0$, then the m devices recompute $Q_i$, $i = 1, \ldots, m$, recompute $Q$ and $r$, recompute $s_i$, $i = 1, \ldots, m$, and recompute $s$, until $(s + r) \bmod n \neq 0$.
7. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:
During generation of the digital signature for the message $M$, if device $i$, $i = 1, \ldots,$ or $m$, uses $a_i k_i$ in place of $k_i$ in the formulas for both $Q_i$ and $s_i$, the SM2 digital signature collaborative generation method still holds, where $a_i$ is a fixed or arbitrarily chosen integer in $[1, n-1]$, and $a_i$ is either kept secret from outside parties or not kept secret.
8. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 1, characterized in that:
If $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ or $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ is taken, $c_m = 1$ is taken and $t_m$ is computed with the formula $t_m = (c_m t_{m-1}) \bmod n$, $w$ is stored as a secret by device $m$, and $s = (w s_m - h r) \bmod n$ is computed by device $m$, then the SM2 digital signature collaborative generation method still holds.
9. The SM2 digital signature collaborative generation method supporting mixed secret sharing according to claim 8, characterized in that:
If $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ or $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ is taken, $c_m = 1$ is taken and $t_m$ is computed with the formula $t_m = (c_m t_{m-1}) \bmod n$, $w$ is stored as a secret by device $m$, $s = (w s_m - h r) \bmod n$ is computed by device $m$, and the user's SM2 private key $d_A$ is generated after $c$ has been computed, then the ways of generating the user's SM2 private key $d_A$ include randomly selecting an integer in $[1, n-1]$ as $d_A$, or the following:
If $w = (c^{-1}(1+d_A)^{-1}) \bmod n$, then an integer is randomly selected in $[1, n-1]$ as $w$, and the $d_A$ satisfying $w = (c^{-1}(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key;
If $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$, then an integer is randomly selected in $[1, n-1]$ as $w$, and the $d_A$ satisfying $w = (-c^{-1}d_A(1+d_A)^{-1}) \bmod n$ and $d_A \neq 0$ is used as the user's SM2 private key.
10. An SM2 digital signature collaborative generation system based on the SM2 digital signature collaborative generation method supporting mixed secret sharing according to any one of claims 1-9, characterized in that:
The SM2 digital signature generation system comprises m devices, where m is greater than or equal to 2; each of the m devices is a cryptographic server or a user computing device; the m devices, following the SM2 digital signature generation method, collaboratively generate the digital signature for the message M using the user's SM2 private key $d_A$.
CN201910335602.5A 2019-04-24 2019-04-24 SM2 digital signature collaborative generation method and system supporting mixed secret sharing Active CN110113165B (en)

Publications (2)

Publication Number Publication Date
CN110113165A (en) 2019-08-09
CN110113165B (en) 2020-09-04

Family

ID=67486593

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant