CN112491560A

CN112491560A - SM2 digital signature method and medium supporting batch verification

Info

Publication number: CN112491560A
Application number: CN202011458227.2A
Authority: CN
Inventors: 何德彪; 杨伊; 张韵茹; 李莉; 罗敏
Original assignee: Wuhan University WHU
Current assignee: Wuhan University WHU
Priority date: 2020-12-11
Filing date: 2020-12-11
Publication date: 2021-03-12

Abstract

The invention belongs to the technical field of information security, and particularly relates to an SM2 digital signature method and medium supporting batch verification. Batch verification is a special digital signature algorithm verification method, allows a verifier to verify a plurality of signatures at one time, can effectively improve the verification efficiency of digital signatures, and has wide application in a plurality of fields such as Internet of vehicles, intelligent medical systems and the like. The SM2 digital signature algorithm is high in safety, small in storage space and high in signature speed, but at present, a SM2 digital signature scheme supporting batch verification does not exist. The verification process of the original SM2 digital signature algorithm requires the recovery of R_iIn the invention, R is_iAs a part of the signature, the method effectively reduces the calculation amount of batch verification, and has the characteristics of high safety, simple realization and high verification efficiency.

Description

SM2 digital signature method and medium supporting batch verification

Technical Field

The invention belongs to the technical field of information security, and particularly relates to an SM2 digital signature method and medium supporting batch verification.

Background

The digital signature is one of cryptographic techniques for guaranteeing network security, and can guarantee the integrity, authenticity and non-repudiation of data. To achieve efficient verification of digital signatures, Naccache et al propose the concept of batch verification. Batch verification can verify a plurality of signatures at one time on the premise of ensuring high accuracy, and the verification efficiency is greatly improved. The principle is to find the same item by utilizing the isomorphism of the group, and simplify the operation, thereby reducing the time required by verification. Batch verification has wide application in the fields of car networking, intelligent medical systems and the like due to the safety and high efficiency of batch verification, and becomes a hotspot of current research.

With the continuous development of digital signatures, the national crypto-authority has issued an SM2 elliptic curve digital signature algorithm in 12 th and 17 th 2010, has the advantages of high security, small storage space and high signature speed, is widely used in various fields, and does not have an SM2 digital signature scheme supporting batch verification at present. The SM2 digital signature scheme supporting batch verification is designed, and the completeness, authenticity, non-forgeability and high efficiency of the signature are guaranteed.

Disclosure of Invention

The technical problem of the invention is mainly solved by the following technical scheme:

an SM2 digital signature method supporting batch verification, characterized in that based on the following definition

n: n is a prime number and n>2²⁵⁶；

mod n: performing modulo n operation;

a set of integers consisting of the integers 1,2, …, n-1;

A_i: the signer is the ith user;

v: a verifier;

x_i: private key of user i, and

e, an elliptic curve defined by elements a and b on the finite field;

an additive cyclic group with an order of a prime number q, the elements being points on an elliptic curve;

g: circulation group

A generator of (2);

Q_i: the public key of the user i is calculated in a mode of Q_i＝x_i·G；

ID_iUser i's distinguishable identification;

h (): the input is a bit string {0,1} of any length^*Outputting a fixed-length cipher hash function;

Z_ithe signature identification of the user i is calculated in a mode of Z_i＝h(ID_i,a,b,x_G,y_G,x_Q,y_Q)；

The method comprises

Step 1, generating a signature, in particular a given message M_iPrivate key x_iPublic key Q_i＝x_iG, signer A_iPerforming the following steps to generate a digital signature:

step 1.1, A_iCalculating e_i＝h(Z_i||M_i)；

Step 1.2, A_iRandom selection

Computing

Step 1.3, A_iComputing

Step 1.4, A_iCalculating s_i＝(1+x_i)^-1(k_i-r_i·x_i)mod n；

Step 1.5, output signature σ_i＝(R_i,s_i)

Step 2, verifying the signature, in particular the given message M_iThe signature σ_iPublic key Q_iThe verifier V verifies whether the signature is valid by performing the following steps:

step 2.1, V calculates e_i＝h(Z_i||M_i),

t_i＝r_i+s_imod n, here

Step 2.2, V verification equation R_i＝s_i·G+t_i·Q_iIf so, the signature is received, otherwise the signature is rejected.

In the above-mentioned SM2 digital signature method supporting batch verification, a step of batch verification signature is further included, specifically, a given set of messages { M }₁，M₂，…,M_m}, corresponding digital signature { σ₁＝(R₁,s₁)，σ₂＝(R₂,s₂)，…,σ_m＝(R_m,s_m) }, the corresponding public key Q₁，Q₂，…,Q_mThe verifier V verifies whether the set of signatures is valid by performing the following steps:

step 1, V randomly generating a group of random numbers { a }₁，a₂…,a_m}；

Step 2, calculating e by V_i＝h(Z_i||M_i),

t_i＝r_i+s_imod n, here

Step 3, V verification equation

If so, the set of signatures is received, otherwise the set of signatures is rejected.

A computer storage medium having a computer program stored thereon, the executing of the computer program comprising the steps of:

step 1.1, A_iCalculating e_i＝h(Z_i||M_i)；

Step 1.2, A_iRandom selection

Computing

Step 1.3, A_iComputing

Step 1.4, A_iCalculating s_i＝(1+x_i)^-1(k_i-r_i·x_i)mod n；

Step 1.5, output signature σ_i＝(R_i,s_i)

step 2.1, V calculates e_i＝h(Z_i||M_i),

t_i＝r_i+s_imod n, here

Step 2.2, V verification equation R_i＝s_i·G+t_i·Q_iIf so, receiving the signature, otherwise rejecting the signature;

wherein, n: n is a prime number and n>2²⁵⁶；

mod n: performing modulo n operation;

a set of integers consisting of the integers 1,2, …, n-1;

A_i: the signer is the ith user;

v: a verifier;

x_i: private key of user i, and

e, an elliptic curve defined by elements a and b on the finite field;

g: circulation group

A generator of (2);

Q_i: the public key of the user i is calculated in a mode of Q_i＝x_i·G；

ID_iUser i's distinguishable identification;

Z_ithe signature identification of the user i is calculated in a mode of Z_i＝h(ID_i,a,b,x_G,y_G,x_Q,y_Q)。

In a computer storage medium as described above, further comprising a step of batch verification of a signature, in particular given a set of messages { M }₁，M₂，…,M_m}, corresponding digital signature { σ₁＝(R₁,s₁)，σ₂＝(R₂,s₂)，…,σ_m＝(R_m,s_m) }, the corresponding public key Q₁，Q₂，…,Q_mThe verifier V verifies whether the set of signatures is valid by performing the following steps:

Step 2, calculating e by V_i＝h(Z_i||M_i),

t_i＝r_i+s_imod n, here

Step 3, V verification equation

Therefore, the invention has the following advantages: first, the current SM2 digital signature scheme has the advantages of high security, small storage space and fast signature speed, but does not support the SM2 digital signature scheme of batch verification. Second, the verification process of the original SM2 digital signature algorithm requires R recovery_iIn the invention, R is_iAs part of the signature, the computation amount of batch verification is effectively reduced. Finally, the security of batch verification in the invention can be realized under a random prediction model.

Drawings

FIG. 1 is a method schematic of the present invention.

Detailed Description

The technical scheme of the invention is further specifically described by the following embodiments and the accompanying drawings.

Example (b):

first, the symbols and definitions related to the present invention are introduced.

n: n is a prime number and n>2²⁵⁶。

mod n: modulo n arithmetic.

A set of integers consisting of the integers 1,2, …, n-1.

A_i: and the signer is the ith user.

V: and (4) a verifier.

x_i: private key of user i, and

e, an elliptic curve defined by the elements a and b on the finite field.

The order is the group of addition cycles of prime q, the elements being points on the elliptic curve.

G: circulation group

A generator of (2).

Q_i: the public key of the user i is calculated in a mode of Q_i＝x_i·G。

ID_iA discernible identification of user i.

h (): the input is a bit string {0,1} of any length^*And the output is a cipher hash function with fixed length.

The specific description given below comprises three algorithm steps: a signature generation algorithm step, a signature verification algorithm step and a signature batch verification algorithm step.

1. And (4) signature generation algorithm.

Given message M_iPrivate key x_iPublic key Q_i＝x_iG, signer A_iPerforming the following steps to generate a digital signature:

(1)A_icalculating e_i＝h(Z_i||M_i)；

(2)A_iRandom selection

Computing

(3)A_iComputing

(4)A_iCalculating s_i＝(1+x_i)^-1(k_i-r_i·x_i)mod n；

(5) Output signature σ_i＝(R_i,s_i)

2. And (5) signature verification algorithm step.

Given message M_iThe signature σ_iPublic key Q_iThe verifier V verifies whether the signature is valid by performing the following steps:

(1) v calculation e_i＝h(Z_i||M_i),

t_i＝r_i+s_imod n, here

(2) V verification equation R_i＝s_i·G+t_i·Q_iIf so, the signature is received, otherwise the signature is rejected.

3. And (4) signature batch verification algorithm step.

Given a set of messages M₁，M₂，…,M_m}, corresponding digital signature { σ₁＝(R₁,s₁)，σ₂＝(R₂,s₂)，…,σ_m＝(R_m,s_m) }, the corresponding public key Q₁，Q₂，…,Q_mThe verifier V verifies whether the set of signatures is valid by performing the following steps:

(1) v random Generation of a set of random numbers { a }₁，a₂…,a_m}；

(2) V calculation e_i＝h(Z_i||M_i),

t_i＝r_i+s_imod n, here

(3) V verification equation

The specific embodiments described herein are merely illustrative of the spirit of the invention. Various modifications or additions may be made to the described embodiments or alternatives may be employed by those skilled in the art without departing from the spirit or ambit of the invention as defined in the appended claims.

Claims

1. An SM2 digital signature method supporting batch verification, characterized in that based on the following definition

n: n is a prime number and n>2²⁵⁶；

mod n: performing modulo n operation;

a set of integers consisting of the integers 1,2, …, n-1;

A_i: the signer is the ith user;

v: a verifier;

x_i: private key of user i, and

e, an elliptic curve defined by elements a and b on the finite field;

g: circulation group

A generator of (2);

Q_i: the public key of the user i is calculated in a mode of Q_i＝x_i·G；

ID_iUser i's distinguishable identification;

The method comprises

step 1.1, A_iCalculating e_i＝h(Z_i||M_i)；

Step 1.2, A_iRandom selection

Computing

Step 1.3, A_iComputing

Step 1.4, A_iCalculating s_i＝(1+x_i)^-1(k_i-r_i·x_i)mod n；

Step 1.5, output signature σ_i＝(R_i,s_i)

step 2.1, V calculation

t_i＝r_i+s_imod n, here

2. The SM2 digital signer supporting batch verification according to claim 1Method, characterized in that it further comprises a step of batch verification of the signature, in particular given a set of messages { M }₁，M₂，…,M_m}, corresponding digital signature { σ₁＝(R₁,s₁)，σ₂＝(R₂,s₂)，…,σ_m＝(R_m,s_m) }, the corresponding public key Q₁，Q₂，…,Q_mThe verifier V verifies whether the set of signatures is valid by performing the following steps:

Step 2, calculating e by V_i＝h(Z_i||M_i),

t_i＝r_i+s_imod n, here

Step 3, V verification equation

3. A computer storage medium having a computer program stored thereon, the executing of the computer program comprising the steps of:

step 1.1, A_iCalculating e_i＝h(Z_i||M_i)；

Step 1.2, A_iRandom selection

Computing

Step 1.3, A_iComputing

Step 1.4, A_iCalculating s_i＝(1+x_i)^-1(k_i-r_i·x_i)mod n；

Step 1.5, output signature σ_i＝(R_i,s_i)

step 2.1, V calculates e_i＝h(Z_i||M_i),

t_i＝r_i+s_imod n, here

wherein, n: n is a prime number and n>2²⁵⁶；

mod n: performing modulo n operation;

a set of integers consisting of the integers 1,2, …, n-1;

A_i: the signer is the ith user;

v: a verifier;

x_i: by usingPrivate key of user i, and

e, an elliptic curve defined by elements a and b on the finite field;

g: circulation group

A generator of (2);

Q_i: the public key of the user i is calculated in a mode of Q_i＝x_i·G；

ID_iUser i's distinguishable identification;

4. A computer storage medium as claimed in claim 3, further comprising a step of batch verification of signatures, in particular given a set of messages { M }₁，M₂，…,M_m}, corresponding digital signature { σ₁＝(R₁,s₁)，σ₂＝(R₂,s₂)，…,σ_m＝(R_m,s_m) }, the corresponding public key Q₁，Q₂，…,Q_mThe verifier V verifies whether the set of signatures is valid by performing the following steps:

Step 2, calculating e by V_i＝h(Z_i||M_i),

t_i＝r_i+s_imod n, here

Step 3, V verification equation