CN113765669A - SM2 key derivation and use method - Google Patents


Info

Publication number: CN113765669A
Application number: CN202010494587.1A
Authority: CN (China)
Prior art keywords: user, transaction, public key, signature, key
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 尚望, 兰天
Current and original assignee: Chengdu Tianrui Xin'an Technology Co ltd
Priority date: 2020-06-03
Filing date: 2020-06-03
Publication date: 2021-12-07

Classifications

All under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols):

    • H04L9/0869 (under H04L9/08, key distribution or management, and H04L9/0861, generation of secret information including derivation or calculation of cryptographic keys or passwords): involving random numbers or seeds
    • H04L9/3066 (under H04L9/30, public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy): involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3234 (under H04L9/32, mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials): involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3247 and H04L9/3252 (under H04L9/32): involving digital signatures, using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • H04L9/3263 (under H04L9/32): involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements


Abstract

The invention provides an SM2 key derivation and use method for an SM2 public key application system. The user holds a private key dA and a public key Pa, where Pa is certified by a certificate issuing authority. When a transaction requires a cryptographic computation, a temporary private key dA' is derived from dA; the user completes the transaction signature with dA', and the signature can be verified with Pa; the transaction can be encrypted with Pa to produce a ciphertext that can be decrypted with dA'; after the transaction completes, the derived private key is destroyed without being recorded. The method realises one private key per transaction, avoids the security problems caused by long-term use of the private key dA, and greatly improves the security of the public key application system; it does not need to record derived keys; and, because it uses the standard SM2 signature verification and decryption methods, it remains compatible with existing cryptographic applications.

Description

SM2 key derivation and use method
Technical Field
The invention relates to the field of SM2 public key applications, and in particular to a method for deriving a key and a method for using the derived key; it is not limited to that field.
Background
The SM2 algorithm is an elliptic curve (ECC) asymmetric cryptographic algorithm developed independently in China and published as national standard GB/T 32918. The SM2 algorithm provides encryption and decryption, signing and signature verification, and similar functions.
According to the SM2 algorithm specification, signature generation is as follows: let G be the base point of the elliptic curve, dA the private key and PA the public key, with PA = dA·G, and let e be the message hash value; the digital signature computed on e is (r, s). First a random number k is chosen and r = e + x1 is computed, where (x1, y1) = k·G; then s = (1 + dA)^(-1)·(k - r·dA) is computed.
According to the algorithm specification, signature verification is as follows: given the signature (r, s), the public key PA, the elliptic curve parameters specified by the SM2 algorithm and the message hash value e, first compute t = r + s; if t = 0 the verification fails. Otherwise compute r' = x1 + e, where x1 is taken from (x1, y1) = s·G + t·PA, and check whether r' equals r; if so, the verification passes.
According to the algorithm specification, the SM2 encryption method is as follows. Let the message to be sent be the bit string M, with klen its bit length; encrypting the plaintext M with the public key PA comprises the following steps:
a1: generate a random number k ∈ [1, n-1] with a random number generator, where n is a natural number; compute the elliptic curve point C1 = k·G = (x1, y1), where G is the base point of the elliptic curve and k·G denotes the k-fold multiple of the base point;
a2: compute the elliptic curve point S = h·PA; if S is the point at infinity, report an error and exit; h is the cofactor specified by the SM2 algorithm, 1 by default;
a3: compute the elliptic curve point k·PA = (x2, y2) and convert the coordinates x2, y2 into bit strings; compute t = KDF(x2 || y2, klen), and if t is the all-zero bit string, return to step a1; KDF is the key derivation function specified by the SM2 algorithm, whose output is a key sequence;
a4: compute C2 = M ⊕ t, where ⊕ is the XOR operation; compute C3 = Hash(x2 || M || y2), where Hash is the hash function specified by the SM2 algorithm;
a5: output the ciphertext C = C1 || C2 || C3.
According to the algorithm specification, the SM2 decryption method is as follows. Let the ciphertext to be decrypted be the bit string C = C1 || C2 || C3, with klen the bit length of C2; decrypting C with the private key dA comprises the following steps:
b1: take the bit string C1 from C, convert C1 into a point on the elliptic curve and check that C1 satisfies the curve equation; if not, report an error and exit; compute the elliptic curve point S = h·C1, and if S is the point at infinity, report an error and exit;
b2: compute dA·C1 = (x2, y2) and convert the coordinates x2, y2 into bit strings;
b3: compute t = KDF(x2 || y2, klen); if t is the all-zero bit string, report an error and exit; KDF is the key derivation function specified by the SM2 algorithm, whose output is a key sequence;
b4: take the bit string C2 from C and compute M' = C2 ⊕ t, where ⊕ is the XOR operation; compute u = Hash(x2 || M' || y2), take the bit string C3 from C, and if u ≠ C3 report an error and exit; Hash is the hash function specified by the SM2 algorithm;
b5: output the plaintext M'.
Using the SM2 algorithm, a public key application system based on SM2 can be established. It includes a certificate issuing authority and users, and has two stages, issuance and use: (1) in the issuance stage, a user generates a public/private key pair and sends the public key to the certificate issuing authority, which signs and issues a user public key certificate that can be published; the user private key is, and can only be, held and used by the user, to ensure security. (2) In the application stage, a transaction can be encrypted with a user's public key, and the resulting ciphertext can only be decrypted with that user's private key; the user can sign a transaction with the private key, and the signature can only be verified with the user's public key.
Assume the user private key is dA and the public key is Pa. To avoid the management cost of re-issuance, an issued key is generally used for a long time and is replaced only when its validity period expires; within the validity period, the same private key dA is used frequently to sign or decrypt transactions. These two factors create the risk that the private key dA is stolen or leaked through an attack. Once stolen, the private key can be used by an attacker to issue transactions the user did not authorise, so misuse of the private key becomes a security problem. One solution is to derive a temporary private key dA' from the user private key dA and to sign with dA' at transaction time, with the signature verifiable by the user public key Pa; the user public key Pa is used for encryption at transaction time, and the resulting ciphertext can be decrypted with dA'.
Disclosure of Invention
The invention provides a key derivation and use method for SM2 public key applications, in which a user holds a private key dA and a public key Pa, the public key being certified by a certificate issuing authority. When a transaction requires a cryptographic computation, the user derives a temporary private key dA' from dA; the user performs the signature computation with dA', and the signature made with dA' can be verified with Pa; the ciphertext obtained by encrypting with Pa can be decrypted with dA'; after the transaction completes, the user destroys dA' without recording it.
The invention is described in detail with reference to Fig. 2.
According to the invention, as shown at M1 in the figure, a user generates a private key dA and a public key Pa = dA·G (G being the base point of the elliptic curve), and a certificate issuing authority issues a public key certificate Ca for Pa.
When the user needs to perform a cryptographic computation for a transaction, as shown at M2 in the figure, the user generates a random number n, computes the temporary private key dA' = dA + n, and computes Pn' = n·G.
When the user signs the transaction, as shown at M3 in the figure, with e the hash value of the transaction E, the signature (r, s) is computed with dA' using the standard method, and the signature Q = (r, s, Pn') is output.
When the user or a third party encrypts the transaction, as shown at M4 in the figure, the public key Pa is obtained from Ca, the transaction E is encrypted with Pa using the standard method to obtain (C1 || C2 || C3), and the ciphertext M = (C1 || C2 || C3) is output.
When the user verifies the signature of the transaction, as shown at M5 in the figure, the user obtains the signature Q = (r, s, Pn'), computes Pu' = Pa + Pn', and verifies (r, s) with Pu' using the standard method, in detail as follows:
M5-1: the signature (r, s) was generated with dA', where dA' = dA + n. As described in the Background, SM2 is an elliptic curve cryptographic algorithm with specified parameters, and the set of points on the elliptic curve forms an additive group; by the group's addition rule, the public key corresponding to the sum of two private keys is the point addition of the two corresponding public keys. Pa is the public key corresponding to dA and Pn' the public key corresponding to n; since dA' = dA + n (+ being point addition), the public key corresponding to dA' is Pa + Pn', that is, Pu', and the signature can therefore be verified with Pu'.
When the user decrypts the transaction ciphertext, as shown at M6 in the figure, the user obtains the ciphertext M = (C1 || C2 || C3), takes C1 from M and computes s1 = dA'·C1 - n·C1; then C2 and C3 are decrypted with the standard method to obtain the plaintext, in detail as follows:
M6-1: referring to step b1 in the Background, C1 is taken from the ciphertext M, and the requirements on C1 are the same as in b1;
M6-2: with C1 taken from the ciphertext M, compute s1 = dA'·C1 - n·C1 = (dA + n)·C1 - n·C1 = dA·C1; referring to step b2 in the Background, this is dA·C1 = (x2, y2), and the coordinates x2, y2 are converted into bit strings; the computation above thus obtains dA·C1 by means of dA';
M6-3: referring to steps b3, b4 and b5 in the Background, the computation proceeds exactly as in b3, b4 and b5, and the plaintext is obtained by decryption.
The method realises one private key per transaction, avoids the security problems caused by long-term use of the private key dA, and greatly improves the security of the public key application system; it does not need to record derived keys; and, because it uses the standard SM2 signature verification and decryption methods, it remains compatible with existing cryptographic applications.
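The Background steps (signing, verification, encryption a1-a5 and decryption b1-b5) and the derived-key steps M2-M6 above, carried through in working Python as an added example; this is not code from the patent or its applicant, and the function names are the editor's own. It assumes the sm2p256v1 domain parameters from GB/T 32918.5, reduces all scalar arithmetic modulo the order N of G (the patent writes dA' = dA + n without stating a reduction), uses SHA-256 as a stand-in for SM3 in Hash and KDF, counts klen in bytes, and uses a constructed sample message. `demo()` shows that Q = (r, s, Pn') verifies under Pu' = Pa + Pn' but not under Pa alone, and that s1 = dA'·C1 - n·C1 decrypts a ciphertext produced with Pa exactly as dA·C1 does.

```python
# Added example, not code from the patent.  Assumptions: scalars are reduced
# modulo the order N of G; SHA-256 stands in for SM3; klen counted in bytes.
import hashlib
import secrets
# sm2p256v1 domain parameters (GB/T 32918.5); cofactor h = 1
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
O = None  # point at infinity

def on_curve(pt):
    return pt is not O and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def add(p1, p2):
    """Affine point addition covering infinity, doubling and inverse points."""
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return O
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def neg(pt): return O if pt is O else (pt[0], -pt[1] % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    r, k = O, k % N
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def rand_scalar(): return secrets.randbelow(N - 1) + 1   # uniform in [1, N-1]
def i2b(x): return x.to_bytes(32, "big")

def kdf(z, klen):
    """SM2 KDF shape: Hash(Z || ct) with a 32-bit counter starting at 1."""
    out, ct = b"", 1
    while len(out) < klen:
        out, ct = out + hashlib.sha256(z + ct.to_bytes(4, "big")).digest(), ct + 1
    return out[:klen]

def sign(d, e):
    """Background signing: r = e + x1, s = (1+d)^-1 (k - r d), all mod N."""
    while True:
        k = rand_scalar()
        r = (e + mul(k, G)[0]) % N
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if r and s and r + k != N: return r, s

def verify(pub, e, sig):
    """Background verification: t = r + s, (x1, y1) = s G + t P, r' = x1 + e."""
    r, s = sig
    t = (r + s) % N
    if not (0 < r < N and 0 < s < N) or t == 0: return False
    pt = add(mul(s, G), mul(t, pub))
    return pt is not O and (pt[0] + e) % N == r

def encrypt(pub, m):
    """Background steps a1-a5 with public key pub (h = 1, so S = pub)."""
    if pub is O: raise ValueError("S is the point at infinity")   # a2
    while True:
        k = rand_scalar()
        x2, y2 = mul(k, pub)                                       # a3
        t = kdf(i2b(x2) + i2b(y2), len(m))
        if any(t): break                                           # else retry
    c2 = bytes(a ^ b for a, b in zip(m, t))                        # a4
    c3 = hashlib.sha256(i2b(x2) + m + i2b(y2)).digest()
    return mul(k, G), c2, c3                                       # a1, a5

def finish_decrypt(shared, c):
    """Background steps b3-b5, given (x2, y2) = dA*C1 however it was obtained."""
    x2, y2 = shared
    t = kdf(i2b(x2) + i2b(y2), len(c[1]))
    if not any(t): raise ValueError("KDF output is all zero")      # b3
    m = bytes(a ^ b for a, b in zip(c[1], t))                      # b4
    if hashlib.sha256(i2b(x2) + m + i2b(y2)).digest() != c[2]:
        raise ValueError("C3 check failed")
    return m                                                       # b5

def decrypt(dA, c):
    """Background steps b1-b5 with the long-term private key dA."""
    if not on_curve(c[0]): raise ValueError("C1 is not on the curve")   # b1
    return finish_decrypt(mul(dA, c[0]), c)                             # b2
def derive(dA):
    """M2: random n, dA' = dA + n (mod N), Pn' = n*G."""
    n = rand_scalar()
    return (dA + n) % N, n, mul(n, G)
def sign_derived(dA, e):
    """M3: sign with dA', output Q = (r, s, Pn'); dA' and n are then discarded."""
    d_prime, n, pn = derive(dA)
    return sign(d_prime, e) + (pn,)
def verify_derived(pa, e, q):
    """M5: Pu' = Pa + Pn' (point addition), then standard verification."""
    return verify(add(pa, q[2]), e, q[:2])
def decrypt_derived(dA, c):
    """M6: s1 = dA'*C1 - n*C1 = dA*C1, then standard b3-b5."""
    if not on_curve(c[0]): raise ValueError("C1 is not on the curve")   # m6-1
    d_prime, n, _ = derive(dA)
    s1 = add(mul(d_prime, c[0]), neg(mul(n, c[0])))                     # m6-2
    return finish_decrypt(s1, c)                                        # m6-3

def demo(message=b"constructed sample transaction"):
    """Returns (Pu' verifies Q, Pa alone verifies Q, derived decryption works)."""
    dA = secrets.randbelow(N - 2) + 1            # [1, N-2], so 1 + dA is invertible
    pa, e = mul(dA, G), int.from_bytes(hashlib.sha256(message).digest(), "big")
    q, c = sign_derived(dA, e), encrypt(pa, message)
    return (verify_derived(pa, e, q), verify(pa, e, q[:2]),
            decrypt_derived(dA, c) == message == decrypt(dA, c))
```

Running `demo()` returns `(True, False, True)`. The `False` in the middle is the practical point for a relying party: the M5 rule checks (r, s) against Pa + Pn', where Pn' is taken from Q itself, so the verifier must treat (r, s, Pn') as the signature unit and cannot verify (r, s) from the certificate alone; the embodiment below relies on the U shield holding dA so that n and dA' are only ever combined inside the token.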
Drawings
Fig. 1 is a block diagram of the SM2 key derivation and use method.
Fig. 2 is a detailed step diagram of the SM2 key derivation and use method.
Fig. 3, Fig. 4 and Fig. 5 are schematic diagrams of the application of the invention in an SM2 public key system.
Detailed Description
The key derivation and use method of the invention is described with reference to the accompanying drawings. Referring to Figs. 3, 4 and 5, in this embodiment the SM2 public key system includes a CA, a user A (with a U shield, i.e. a USB security token, held by user A) and a file management APP. The CA is the certificate issuing authority; user A holds a U shield that integrates the SM2 cryptographic algorithm; user A stores the private key and certificate in the U shield, and signing, verification, encryption and decryption are performed by the U shield; the file management APP is a terminal service application.
Initialising the U shield: user A inserts the U shield into a terminal; the U shield generates a public/private key pair (dA, Pa) and sends the public key Pa to the CA; the CA issues the public key certificate Ca.
File signing: the user needs to sign file F1, whose hash value is e1. The user inserts the U shield; a random number n1 is generated inside the U shield, and Pn1' = n1·G (G being the base point of the SM2 algorithm) and dA1' = dA + n1 (+ being the point addition of SM2) are computed;
the user sends e1 to the U shield to start the signature operation;
the U shield computes the signature on e1 with dA1', following the SM2 signature method in the Background, and outputs the signature result Q = (r, s, Pn1'); the U shield then destroys dA1' and Pn1';
the user packages file F1 and the signature result Q into a file F1' = (F1, Q) and sends it to the file management APP.
File signature verification: the file management APP obtains the user certificate Ca from the CA and takes the user public key Pa from Ca;
the file management APP takes file F1 from F1' and computes its hash value e1; it takes Pn1' from the signature result Q, computes Pu1' = Pa + Pn1', and verifies (r, s) in Q with Pu1'. The verification process follows the SM2 verification method in the Background.
File encryption: the file management APP needs to send an encrypted file to the user; it obtains the user certificate Ca from the CA, takes the public key Pa from it, encrypts file F2 and sends the ciphertext F2' = (C1 || C2 || C3) to the user.
File decryption: after receiving the ciphertext F2', the user decrypts it with the U shield. The user inserts the U shield; a random number n2 is generated inside the U shield and dA2' = dA + n2 (+ being the point addition of SM2) is computed;
the user sends F2' to the U shield and starts the decryption operation;
the U shield takes C1 from F2' and computes s2 = dA2'·C1 - n2·C1 = dA·C1; the decryption computation on C2 || C3 is completed using s2, following the SM2 decryption method in the Background; the U shield outputs the decrypted plaintext F2 and destroys dA2';
the user receives the decrypted F2 and can open and view it.

Claims (6)

1. A key derivation and use method in SM2 public key applications, wherein a user has a private key dA and a public key Pa certified by a certificate issuing authority, characterised in that: at transaction time, the user derives a temporary private key dA' from dA; the user performs the signature computation with dA', and the signature made with dA' can be verified with Pa; the ciphertext generated by encrypting with Pa can be decrypted with dA'; after the transaction completes, the user destroys dA' without recording it.
2. The key derivation and use method in SM2 public key applications as claimed in claim 1, wherein the method comprises: the user generates a random number n and computes the derived temporary private key dA' = dA + n (+ being point addition on the elliptic curve, and the same below); the user computes the temporary public key Pn' = n·G (G being the base point of the elliptic curve, and the same below); dA' is used to compute the transaction signature and Pa is used for transaction encryption.
3. The key derivation and use method in SM2 public key applications as claimed in claim 1, wherein the user signs the transaction with dA', characterised in that: for a transaction E with hash value e, the user signs e with dA' using the SM2 standard method to obtain (r, s), and outputs the signature Q = (r, s, Pn').
4. The key derivation and use method in SM2 public key applications as claimed in claim 1, wherein the transaction is encrypted with Pa, characterised in that: for a transaction E, E is encrypted with Pa using the SM2 standard method to obtain (C1 || C2 || C3), and the ciphertext M = (C1 || C2 || C3) is output.
5. The key derivation and use method in SM2 public key applications as claimed in claim 1, wherein the user verifies the signature Q with Pa, characterised in that: the user takes Pn' from the signature Q, computes Pu = Pa + Pn', and then verifies (r, s) in Q with Pu using the SM2 standard method.
6. The key derivation and use method in SM2 public key applications as claimed in claim 1, wherein the user decrypts the ciphertext M with dA', characterised in that: the user takes C1 from the ciphertext M and computes s1 = dA'·C1 - n·C1; the plaintext is then computed from C2, C3 with the standard method using s1.
Priority, publication and family

Application CN202010494587.1A (priority date and filing date 2020-06-03), "SM2 key derivation and use method", status pending.
Publication CN113765669A (en), published 2021-12-07.
Family ID: 78783166
Country status: CN (1) CN113765669A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7707420B1 (en) * 1999-06-23 2010-04-27 Research In Motion Limited Public key encryption with digital signature scheme
CN102201920A (en) * 2011-07-12 2011-09-28 北京中兴通数码科技有限公司 Method for constructing certificateless public key cryptography
US20140211938A1 (en) * 2013-01-29 2014-07-31 Certicom Corp. Modified elliptic curve signature algorithm for message recovery
CN106941406A (en) * 2017-05-02 2017-07-11 深圳奥联信息安全技术有限公司 Identify-based encryption endorsement method, decryption sign test method and its device
CN107634836A (en) * 2017-09-05 2018-01-26 何德彪 A kind of SM2 digital signature generation method and system


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
安葳鹏 et al.: "Network and Information Security" (网络与信息安全), 30 November 2017 *
李玉生: "Research and Implementation of the SM2 Elliptic Curve Public Key Encryption Algorithm" (SM2椭圆曲线公钥加密算法的研究与实现), Wireless Internet Technology (无线互联科技), no. 20, 25 October 2016 *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination