CN115412260B - SM2 threshold signature method, system, device and computer readable storage medium - Google Patents

Publication number
CN115412260B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211048343.6A
Other languages
Chinese (zh)
Other versions
CN115412260A (en)
Inventor
程一帆
于昇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yunhai Chain Holdings Co ltd
Original Assignee
Yunhai Chain Holdings Co ltd

Abstract

The application discloses an SM2 threshold signature method, system, device and computer readable storage medium. Each participant P_i selects a random number d_i, 1 ≤ i ≤ n; each participant P_i generates a corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm; a signature public key Q of the SM2 algorithm is generated based on the Q_i of each participant P_i; each participant P_i generates its own private key fragment y_i based on the random number d_i; each participant P_u performs a hash operation on the message value to be signed to obtain a hash value e; each participant P_u calculates w_u based on the private key fragment y_i; each participant P_u selects a random number k_u and generates a corresponding R_u based on the random number k_u, the signature public key Q and the generator G; each participant P_u calculates R based on R_u, and calculates r based on R, the order q of the SM2 algorithm and the hash value e; each participant P_u calculates s_u based on the random number k_u, r and w_u; each participant P_u publishes s_u and generates s based on s_u, r and q; the signature verification algorithm of the SM2 algorithm verifies whether (r, s) is a correct signature value, and if so, (r, s) is taken as the SM2 signature result of the message value. The security is high.

Description

SM2 threshold signature method, system, device and computer readable storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to an SM2 threshold signature method, system, device, and computer readable storage medium.
Background
SM2 is an elliptic curve public key cryptographic algorithm issued by the State Cryptography Administration on December 17, 2010. SM2 offers better performance and security: high cryptographic complexity, fast processing and lower machine resource consumption. However, because of the unique digital signature operation of the SM2 algorithm, general secret sharing (splitting) methods and the cryptographic operations built on them cannot be applied directly to digital signatures made with an SM2 private key.
In summary, how to implement the threshold signature in SM2 is a problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide an SM2 threshold signature method which can solve the technical problem of realizing threshold signature in SM2 to a certain extent. The application also provides an SM2 threshold signature system, an SM2 threshold signature device and a computer readable storage medium.
In order to achieve the above object, the present application provides the following technical solutions:
An SM2 threshold signature method, comprising:
each participant P_i selects a random number d_i, where 1 ≤ i ≤ n and n represents the total number of participants in the SM2 algorithm;
each participant P_i generates a corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm;
a signature public key Q of the SM2 algorithm is generated based on the Q_i of each participant P_i;
each participant P_i generates its own private key fragment y_i based on the random number d_i;
each participant P_u performs a hash operation on the message value to be signed to obtain a hash value e, where 1 ≤ u ≤ T, t ≤ T, T represents the total number of participants in the SM2 threshold signature method, and t represents the minimum number of participants in the SM2 threshold signature method;
each participant P_u calculates w_u based on the private key fragment y_i;
each participant P_u selects a random number k_u and generates a corresponding R_u based on the random number k_u, the signature public key Q and the generator G;
each participant P_u calculates R based on R_u, and calculates r based on R, the order q of the SM2 algorithm and the hash value e;
each participant P_u calculates s_u based on the random number k_u, r and w_u;
each participant P_u publishes s_u and generates s based on s_u, r and q;
whether (r, s) is a correct signature value is verified with the signature verification algorithm of the SM2 algorithm, and if so, (r, s) is taken as the SM2 signature result of the message value.
Preferably, each participant P_i generating a corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm comprises:
each participant P_i generating the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm according to a first operation formula;
the first operation formula includes:
Q_1 = d_1·G; Q_i = d_i·Q_{i-1}, 2 ≤ i ≤ n;
the generating a signature public key Q of the SM2 algorithm based on the Q_i of each participant P_i comprises:
taking Q = Q_n - G as the signature public key Q of the SM2 algorithm.
Preferably, each participant P_i generating its own private key fragment y_i based on the random number d_i comprises:
each participant P_i invoking the MTAwc protocol to generate, based on d_i, wherein satisfies the relation
each participant P_i, taking as the secret, calculating the function value y_ij for participant P_j, j = [1, ..., n];
each participant P_i sending y_ij to participant P_j based on the t-n Shamir sharing protocol;
each participant P_j calculating, based on y_ij,
Preferably, each participant P_u performing a hash operation on the message value to be signed to obtain a hash value e comprises:
each participant P_u performing the hash operation on the message value to be signed according to a second operation formula to obtain the hash value e;
the second operation formula includes:
e = hash(Z || M);
wherein Z represents the hash value of the user's identity identifier, the elliptic curve parameters and the public key coordinates; M represents the message value;
each participant P_u calculating w_u based on the private key fragment y_i comprises:
each participant P_u calculating w_u = λ_u·y_u based on the private key fragment y_i, wherein λ_u represents the Lagrangian coefficient;
each participant P_u selecting a random number k_u and generating a corresponding R_u based on the random number k_u, the signature public key Q and the generator G comprises:
each participant P_u selecting the random number k_u and generating the corresponding R_u = k_u·(Q + G) based on the random number k_u, the signature public key Q and the generator G;
each participant P_u calculating R based on R_u, and calculating r based on R, the order q of the SM2 algorithm and the hash value e comprises:
each participant P_u calculating, based on R_u, and calculating r = r_x + e mod q based on R, the order q of the SM2 algorithm and the hash value e;
each participant P_u calculating s_u based on the random number k_u, r and w_u comprises:
each participant P_u calculating s_u = k_u + r·w_u based on the random number k_u, r and w_u;
each participant P_u publishing s_u and generating s based on s_u, r and q comprises:
each participant P_u publishing s_u and generating, based on s_u, r and q,
Preferably, after each participant P_i selects a random number d_i and before each participant P_i generates a corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm, the method further comprises:
each participant P_i selecting a random number σ_i;
each participant P_i calculating a hash value c_i = H(d_i·G; σ_i) based on the random number d_i, the generator G and the random number σ_i, and broadcasting it;
each participant P_i publishing D_i = d_i·G and the corresponding random number σ_i, and generating a first Schnorr proof proving knowledge of the corresponding random number d_i;
each participant P_i verifying whether the received D_i and random number σ_i satisfy c_i = H(d_i·G; σ_i), and verifying the correctness of the first Schnorr proof; if the received D_i and random number σ_i satisfy c_i = H(d_i·G; σ_i) and the first Schnorr proof is correct, performing the step in which each participant P_i generates a corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm.
Preferably, after the generating a signature public key Q of the SM2 algorithm based on the Q_i of each participant P_i, the method further comprises:
each participant P_i generating a Paillier public key N_i = p_i·q_i and publishing it;
proving, based on a zero-knowledge proof, that the Paillier public key N_i was generated correctly.
Preferably, after each participant P_u selects a random number k_u and generates a corresponding R_u based on the random number k_u, the signature public key Q and the generator G, and before each participant P_u calculates R based on R_u, the method further comprises:
each participant P_u selecting a random number, calculating a hash value and broadcasting it;
each participant P_u publishing R_u and the corresponding random number, and generating a second Schnorr proof proving knowledge of the corresponding random number k_u;
each participant P_u verifying whether the received R_u and random number satisfy, and verifying the correctness of the second Schnorr proof; if the received R_u and random number satisfy and the second Schnorr proof is correct, performing the step in which each participant P_u calculates R based on R_u;
after each participant P_u calculates s_u based on the random number k_u, r and w_u, and before each participant P_u publishes s_u, the method further comprises:
each participant P_u selecting random numbers α_u and β_u, and calculating V_u = s_u·Q + α_u·G, W_u = β_u·G;
each participant P_u selecting a random number θ_u, calculating hash values υ_u = H(V_u; θ_u), ω_u = H(W_u; θ_u), and broadcasting them;
each participant P_u publishing V_u, W_u and the random number θ_u, and verifying whether the received V_u, W_u and random number θ_u satisfy υ_u = H(V_u; θ_u), ω_u = H(W_u; θ_u);
if the received V_u, W_u and random number θ_u satisfy υ_u = H(V_u; θ_u), ω_u = H(W_u; θ_u), generating a second zero-knowledge proof proving knowledge of s_u and the random numbers α_u and β_u such that V_u = s_u·Q + α_u·G and W_u = β_u·G;
if all the second zero-knowledge proofs are correct, each participant P_u calculating, then calculating Φ_u = β_u·V, Ψ_u = α_u·W; selecting a random number η_u, calculating hash values φ_u = H(Φ_u; η_u), ψ_u = H(Ψ_u; η_u), and broadcasting them;
each participant P_u publishing Φ_u, Ψ_u and η_u, and verifying whether the received Φ_u, Ψ_u and η_u satisfy φ_u = H(Φ_u; η_u), ψ_u = H(Ψ_u; η_u); if so, verifying whether holds, and if so, performing the step in which each participant P_u calculates R based on R_u.
An SM2 threshold signature system, comprising:
a first selection module, used for each participant P_i to select a random number d_i, where 1 ≤ i ≤ n and n represents the total number of participants in the SM2 algorithm;
a first generation module, used for each participant P_i to generate a corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm;
a second generation module, used for generating a signature public key Q of the SM2 algorithm based on the Q_i of each participant P_i;
a third generation module, used for each participant P_i to generate its own private key fragment y_i based on the random number d_i;
a first operation module, used for each participant P_u to perform a hash operation on the message value to be signed to obtain a hash value e, where 1 ≤ u ≤ T, t ≤ T, T represents the total number of participants in the SM2 threshold signature method, and t represents the minimum number of participants in the SM2 threshold signature method;
a first calculation module, used for each participant P_u to calculate w_u based on the private key fragment y_i;
a fourth generation module, used for each participant P_u to select a random number k_u and generate a corresponding R_u based on the random number k_u, the signature public key Q and the generator G;
a second calculation module, used for each participant P_u to calculate R based on R_u, and to calculate r based on R, the order q of the SM2 algorithm and the hash value e;
a third calculation module, used for each participant P_u to calculate s_u based on the random number k_u, r and w_u;
a fifth generation module, used for each participant P_u to publish s_u and generate s based on s_u, r and q;
a first verification module, used for verifying whether (r, s) is a correct signature value with the signature verification algorithm of the SM2 algorithm, and if so, taking (r, s) as the SM2 signature result of the message value.
An SM2 threshold signing device comprising:
a memory for storing a computer program;
a processor for implementing the steps of the SM2 threshold signature method as described in any one of the above when executing the computer program.
A computer readable storage medium having stored therein a computer program which when executed by a processor implements the steps of the SM2 threshold signature method as described in any one of the above.
The application provides an SM2 threshold signature method in which each participant P_i selects a random number d_i, where 1 ≤ i ≤ n and n represents the total number of participants in the SM2 algorithm; each participant P_i generates a corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm; a signature public key Q of the SM2 algorithm is generated based on the Q_i of each participant P_i; each participant P_i generates its own private key fragment y_i based on the random number d_i; each participant P_u performs a hash operation on the message value to be signed to obtain a hash value e, where 1 ≤ u ≤ T, t ≤ T, T represents the total number of participants in the SM2 threshold signature method, and t represents the minimum number of participants in the SM2 threshold signature method; each participant P_u calculates w_u based on the private key fragment y_i; each participant P_u selects a random number k_u and generates a corresponding R_u based on the random number k_u, the signature public key Q and the generator G; each participant P_u calculates R based on R_u, and calculates r based on R, the order q of the SM2 algorithm and the hash value e; each participant P_u calculates s_u based on the random number k_u, r and w_u; each participant P_u publishes s_u and generates s based on s_u, r and q; the signature verification algorithm of the SM2 algorithm verifies whether (r, s) is a correct signature value, and if so, (r, s) is taken as the SM2 signature result of the message value. In the application, n participants cooperate with one another to generate their own private key fragments and the signature public key of the SM2 algorithm, which ensures the security of the private key fragments and the signature public key; T participants then perform a t-n threshold signature based on the private key fragments and the signature public key, so that an SM2 threshold signature is realized without the complete SM2 private key ever appearing, and the security is high. The SM2 threshold signature system, the electronic device and the computer readable storage medium provided by the application also solve the corresponding technical problems.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of an SM2 threshold signature method provided in an embodiment of the present application;
Fig. 2 is a schematic structural diagram of an SM2 threshold signature system according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an SM2 threshold signature device according to an embodiment of the present application;
Fig. 4 is another schematic structural diagram of an SM2 threshold signature device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to fig. 1, fig. 1 is a flowchart of an SM2 threshold signature method according to an embodiment of the present application.
The SM2 threshold signature method provided by the embodiment of the application can comprise the following steps:
Step S101: each participant P_i selects a random number d_i.
In practice, each participant P_i may first select a random number d_i, for example by selecting a random number, etc.; where 1 ≤ i ≤ n and n represents the total number of participants in the SM2 algorithm.
Step S102: each participant P_i generates a corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm.
Step S103: a signature public key Q of the SM2 algorithm is generated based on the Q_i of each participant P_i.
In practice, after each participant P_i selects the random number d_i, each participant P_i may generate a corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm. Then, the signature public key Q of the SM2 algorithm is generated based on the Q_i of each participant P_i.
In a specific application scenario, in generating a corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm, each participant P_i may generate the corresponding Q_i according to a first operation formula.
The first operation formula includes:
Q_1 = d_1·G; Q_i = d_i·Q_{i-1}, 2 ≤ i ≤ n;
Accordingly, in generating the signature public key Q of the SM2 algorithm based on the Q_i of each participant P_i, Q = Q_n - G may be taken as the signature public key Q of the SM2 algorithm, etc.
In a specific application scenario, in order to ensure that the private key fragments and the signature public key are generated securely, each participant P_i may also be subjected to a security verification, and the subsequent flow continues only after the verification is satisfied. That is, after each participant P_i selects a random number d_i and before each participant P_i generates a corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm, each participant P_i may select a random number σ_i, for example σ_i ← {0,1}^n; each participant P_i calculates a hash value c_i = H(d_i·G; σ_i) based on the random number d_i, the generator G and the random number σ_i, and broadcasts it; each participant P_i publishes D_i = d_i·G and the corresponding random number σ_i, and generates a first Schnorr proof proving knowledge of the corresponding random number d_i; each participant P_i verifies whether the received D_i and random number σ_i satisfy c_i = H(d_i·G; σ_i), and verifies the correctness of the first Schnorr proof; if the received D_i and random number σ_i satisfy c_i = H(d_i·G; σ_i) and the first Schnorr proof is correct, the step in which each participant P_i generates a corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm is performed; if any item is not satisfied, the protocol may be aborted, or the like.
In a specific application scenario, after the signature public key Q of the SM2 algorithm is generated based on the Q_i of each participant P_i, each participant P_i may also generate a Paillier public key N_i = p_i·q_i and publish it, and prove based on a zero-knowledge proof that the Paillier public key N_i was generated correctly, so that the Paillier public key is available in scenarios that need it.
Step S104: each participant P_i generates its own private key fragment y_i based on the random number d_i.
In practice, after the signature public key Q of the SM2 algorithm is generated based on the Q_i of each participant P_i, each participant P_i may generate its own private key fragment y_i based on the random number d_i.
In a specific application scenario, in generating its own private key fragment y_i based on the random number d_i, the participants may cooperate to generate the corresponding private key fragments; for example, each participant P_i invokes the MTAwc protocol to generate, based on d_i, wherein satisfies the relation; each participant P_i, taking as the secret, calculates the function value y_ij for participant P_j, j = [1, ..., n]; each participant P_i sends y_ij to participant P_j based on the t-n Shamir sharing protocol; each participant P_j calculates, based on y_ij,
Step S105: each participant P_u performs a hash operation on the message value to be signed to obtain a hash value e.
In practice, after each participant P_i generates its own private key fragment y_i based on the random number d_i, each participant P_u taking part in the threshold signature may perform a hash operation on the message value to be signed to obtain a hash value e, where 1 ≤ u ≤ T, T ≥ t, T represents the total number of participants in the SM2 threshold signature method, and t represents the minimum number of participants in the SM2 threshold signature method.
In a specific application scenario, in performing the hash operation on the message value to be signed to obtain the hash value e, each participant P_u may perform the hash operation according to a second operation formula;
the second operation formula includes:
e = hash(Z || M);
wherein Z represents the hash value of the user's identity identifier, the elliptic curve parameters and the public key coordinates; M represents the message value.
Step S106: each participant P_u calculates w_u based on the private key fragment y_i.
In practice, after each participant P_u performs the hash operation on the message value to be signed to obtain the hash value e, each participant P_u calculates w_u based on the private key fragment y_i.
In a specific application scenario, in calculating w_u based on the private key fragment y_i, each participant P_u may calculate w_u = λ_u·y_u, wherein λ_u represents the Lagrangian coefficient,
Step S107: each participant P_u selects a random number k_u and generates a corresponding R_u based on the random number k_u, the signature public key Q and the generator G.
In practice, after each participant P_u calculates w_u based on the private key fragment y_i, each participant P_u may select a random number k_u, for example at random, etc., and generate a corresponding R_u based on the random number k_u, the signature public key Q and the generator G.
In a specific application scenario, in selecting a random number k_u and generating a corresponding R_u based on the random number k_u, the signature public key Q and the generator G, each participant P_u may select the random number k_u and generate the corresponding R_u = k_u·(Q + G).
Step S108: each participant P_u calculates R based on R_u, and calculates r based on R, the order q of the SM2 algorithm and the hash value e.
Step S109: each participant P_u calculates s_u based on the random number k_u, r and w_u.
Step S110: each participant P_u publishes s_u and generates s based on s_u, r and q.
In practice, after each participant P_u selects a random number k_u and generates a corresponding R_u based on the random number k_u, the signature public key Q and the generator G, each participant P_u may calculate R based on R_u and calculate r based on R, the order q of the SM2 algorithm and the hash value e; each participant P_u then calculates s_u based on the random number k_u, r and w_u, after which each participant P_u publishes s_u and generates s based on s_u, r and q.
In a specific application scenario, in calculating R based on R_u and calculating r based on R, the order q of the SM2 algorithm and the hash value e, each participant P_u may calculate, based on R_u, and calculate r = r_x + e mod q based on R, the order q of the SM2 algorithm and the hash value e; accordingly, in calculating s_u based on the random number k_u, r and w_u, each participant P_u may calculate s_u = k_u + r·w_u; accordingly, in publishing s_u and generating s based on s_u, r and q, each participant P_u may publish s_u and generate, based on s_u, r and q,
In a specific application scenario, in order to ensure the security of generating the private key fragments and the signature public key, each participant P_u may also undergo security verification, and the subsequent flow continues only after the security verification is satisfied. That is, after each participant P_u selects the random number k_u and generates the corresponding R_u based on the random number k_u, the signature public key Q and the generator G, and before each participant P_u calculates R based on R_u, each participant P_u can select a random number, calculate a hash value and broadcast it; each participant P_u publishes R_u and the corresponding random number, and generates a second Schnorr proof proving knowledge of the corresponding random number k_u; each participant P_u verifies whether the received R_u and random number satisfy the hash value relation and verifies the correctness of the second Schnorr proof; if the received R_u and random number satisfy the relation and the second Schnorr proof is correct, the step of each participant P_u calculating R based on R_u is executed; if any item is not satisfied, the protocol may be aborted.
In a specific application scenario, after each participant P_u calculates s_u based on the random number k_u, r and w_u, and before each participant P_u publishes s_u, each participant P_u can also select random numbers α_u and β_u and calculate V_u = s_u·Q + α_u·G, W_u = β_u·G; each participant P_u selects a random number θ_u, calculates the hash values υ_u = H(V_u; θ_u), ω_u = H(W_u; θ_u) and broadcasts them; each participant P_u publishes V_u, W_u and the random number θ_u, and verifies whether the received V_u, W_u and random number θ_u satisfy υ_u = H(V_u; θ_u), ω_u = H(W_u; θ_u); if they do, a second zero-knowledge proof is generated proving knowledge of s_u and the random numbers α_u and β_u such that V_u = s_u·Q + α_u·G and W_u = β_u·G; if they do not, the protocol is aborted; if all the second zero-knowledge proofs are correct, each participant P_u calculates Φ_u = β_u·V, Ψ_u = α_u·W, selects a random number η_u, calculates the hash values φ_u = H(Φ_u; η_u), ψ_u = H(Ψ_u; η_u) and broadcasts them; each participant P_u publishes Φ_u, Ψ_u and η_u, and verifies whether the received Φ_u, Ψ_u and η_u satisfy φ_u = H(Φ_u; η_u), ψ_u = H(Ψ_u; η_u); if not, the protocol is aborted; if so, it is verified whether the required relation holds; if it holds, the step of each participant P_u calculating R based on R_u is executed, and if it does not hold, the protocol is aborted.
Step S111: the signature verification algorithm of the SM2 algorithm is used to verify whether (r, s) is a correct signature value; if so, (r, s) is taken as the SM2 signature result of the message value.
In practice, after each participant P_u publishes s_u and generates s based on s_u, r and q, the signature verification algorithm of the SM2 algorithm can be used to verify whether (r, s) is a correct signature value; if so, (r, s) is taken as the SM2 signature result of the message value.
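The signing arithmetic of steps S106 to S111, as an added example that is not code from the patent. The page's formulas for combining R_u into R, combining s_u into s and for the shared secret did not survive extraction, so the example assumes R = sum of R_u, s = (sum of s_u) - r mod q and Shamir shares of (d_1·…·d_n)^(-1) mod q, the choices under which (r, s) passes standard SM2 verification. A trusted dealer stands in for the MTAwc exchange, SHA-256 stands in for SM3 (Z omitted), and all function names are hypothetical.

```python
import hashlib
import secrets

# SM2 recommended curve (sm2p256v1): y^2 = x^3 + A*x + B over F_P; N is the order (the page's q)
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def keygen(n, t):
    """Return (Q, shares); a trusted dealer replaces the MTAwc/Shamir exchange."""
    d = [rand_scalar() for _ in range(n)]
    q_i, prod = mul(d[0], G), d[0]            # Q_1 = d_1*G
    for d_i in d[1:]:
        q_i = mul(d_i, q_i)                   # Q_i = d_i*Q_{i-1}
        prod = prod * d_i % N
    Q = add(q_i, (G[0], -G[1] % P))           # Q = Q_n - G
    secret = pow(prod, -1, N)                 # assumed shared secret: (d_1*...*d_n)^-1 mod q
    coeffs = [secret] + [rand_scalar() for _ in range(t - 1)]
    shares = {i: sum(c * pow(i, j, N) for j, c in enumerate(coeffs)) % N
              for i in range(1, n + 1)}       # y_i = f(i), polynomial of degree t-1
    return Q, shares

def lagrange(u, signers):
    """Lagrange coefficient lambda_u at x = 0 for the chosen signer set."""
    num = den = 1
    for j in signers:
        if j != u:
            num = num * j % N
            den = den * (j - u) % N
    return num * pow(den, -1, N) % N

def digest(msg):
    # Stand-in for e = hash(Z||M): SHA-256 replaces SM3 and Z is omitted
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def threshold_sign(msg, Q, shares, signers):
    e = digest(msg)
    base = add(Q, G)
    k = {u: rand_scalar() for u in signers}
    R = None
    for u in signers:
        R = add(R, mul(k[u], base))           # R_u = k_u*(Q+G); assumed R = sum of R_u
    r = (R[0] + e) % N                        # r = r_x + e mod q
    s_parts = [(k[u] + r * lagrange(u, signers) * shares[u]) % N for u in signers]
    s = (sum(s_parts) - r) % N                # assumed combination of the published s_u
    return r, s

def sm2_verify(msg, Q, sig):
    """Standard SM2 verification equation for (r, s)."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    t = (r + s) % N
    if t == 0:
        return False
    pt = add(mul(s, G), mul(t, Q))
    return pt is not None and (digest(msg) + pt[0]) % N == r

if __name__ == "__main__":
    Q, shares = keygen(n=5, t=3)
    sig = threshold_sign(b"constructed message", Q, shares, signers=[1, 3, 5])
    print("valid SM2 signature:", sm2_verify(b"constructed message", Q, sig))
```

A signer set smaller than t interpolates the wrong secret, so the combined (r, s) fails verification, which is why step S111 is checked before the result is accepted.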
Referring to fig. 2, fig. 2 is a schematic structural diagram of an SM2 threshold signature system according to an embodiment of the present application.
The SM2 threshold signature system provided by the embodiment of the application can comprise:
a first selection module 101, configured for each participant P_i to select a random number d_i, 1 ≤ i ≤ n, where n represents the total number of participants in the SM2 algorithm;
a first generation module 102, configured for each participant P_i to generate the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm;
a second generation module 103, configured to generate the signature public key Q of the SM2 algorithm based on the Q_i of each participant P_i;
a third generation module 104, configured for each participant P_i to generate its own private key fragment y_i based on the random number d_i;
a first operation module 105, configured for each participant P_u to hash the message value to be signed to obtain a hash value e, 1 ≤ u ≤ T, t ≤ T, where T represents the total number of participants in the SM2 threshold signature method and t represents the minimum number of participants in the SM2 threshold signature method;
a first calculation module 106, configured for each participant P_u to calculate w_u based on the private key fragment y_i;
a fourth generation module 107, configured for each participant P_u to select a random number k_u and generate the corresponding R_u based on the random number k_u, the signature public key Q and the generator G;
a second calculation module 108, configured for each participant P_u to calculate R based on R_u, and to calculate r based on R, the order q of the SM2 algorithm and the hash value e;
a third calculation module 109, configured for each participant P_u to calculate s_u based on the random number k_u, r and w_u;
a fifth generation module 110, configured for each participant P_u to publish s_u and generate s based on s_u, r and q;
a first verification module 111, configured to verify, using the signature verification algorithm of the SM2 algorithm, whether (r, s) is a correct signature value and, if so, to take (r, s) as the SM2 signature result of the message value.
The description of each module in the SM2 threshold signature system provided in the embodiment of the present application may refer to the above embodiment, and will not be repeated herein.
The application also provides SM2 threshold signature equipment and a computer readable storage medium, which have the corresponding effects of the SM2 threshold signature method provided by the embodiment of the application. Referring to fig. 3, fig. 3 is a schematic structural diagram of an SM2 threshold signature device according to an embodiment of the present application.
The SM2 threshold signature device provided by the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program:
each participant P_i selects a random number d_i, 1 ≤ i ≤ n, where n represents the total number of participants in the SM2 algorithm;
each participant P_i generates the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm;
the signature public key Q of the SM2 algorithm is generated based on the Q_i of each participant P_i;
each participant P_i generates its own private key fragment y_i based on the random number d_i;
each participant P_u hashes the message value to be signed to obtain a hash value e, 1 ≤ u ≤ T, t ≤ T, where T represents the total number of participants in the SM2 threshold signature method and t represents the minimum number of participants in the SM2 threshold signature method;
each participant P_u calculates w_u based on the private key fragment y_i;
each participant P_u selects a random number k_u and generates the corresponding R_u based on the random number k_u, the signature public key Q and the generator G;
each participant P_u calculates R based on R_u, and calculates r based on R, the order q of the SM2 algorithm and the hash value e;
each participant P_u calculates s_u based on the random number k_u, r and w_u;
each participant P_u publishes s_u and generates s based on s_u, r and q;
the signature verification algorithm of the SM2 algorithm is used to verify whether (r, s) is a correct signature value; if so, (r, s) is taken as the SM2 signature result of the message value.
The SM2 threshold signature device provided by the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: based on the first operation formula, each participant P_i generates the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm.
The first operation formula includes:
Q_1 = d_1·G; Q_i = d_i·Q_{i-1}, 2 ≤ i ≤ n;
let Q = Q_n − G be the signature public key Q of the SM2 algorithm.
The SM2 threshold signature device provided by the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: each participant P_i invokes the MTAwc protocol to generate, based on d_i, a value that satisfies a relation; each participant P_i, taking that value as the secret, calculates the function value y_ij for participant P_j, j = [1, …, n]; each participant P_i sends y_ij to participant P_j based on the t-n Shamir sharing protocol; each participant P_j performs its calculation based on y_ij.
The SM2 threshold signature device provided by the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: based on the second operation formula, each participant P_u hashes the message value to be signed to obtain the hash value e;
the second operation formula includes:
e = hash(Z||M);
where Z represents the hash value of the user's identity identifier, the elliptic curve parameters and the public key coordinates, and M represents the message value;
each participant P_u calculates w_u = λ_u·y_u based on the private key fragment y_i, where λ_u represents the Lagrangian coefficient; each participant P_u selects a random number k_u and generates the corresponding R_u = k_u·(Q+G) based on the random number k_u, the signature public key Q and the generator G; each participant P_u calculates R based on R_u, and calculates r = r_x + e mod q based on R, the order q of the SM2 algorithm and the hash value e; each participant P_u calculates s_u = k_u + r·w_u based on the random number k_u, r and w_u; each participant P_u publishes s_u and generates s based on s_u, r and q.
The SM2 threshold signature device provided by the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: after each participant P_i selects the random number d_i, and before each participant P_i generates the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm, each participant P_i selects a random number σ_i; each participant P_i calculates the hash value c_i = H(d_i·G; σ_i) based on the random number d_i, the generator G and the random number σ_i, and broadcasts it; each participant P_i publishes D_i = d_i·G and the corresponding random number σ_i, and generates a first Schnorr proof proving knowledge of the corresponding random number d_i; each participant P_i verifies whether the received D_i and random number σ_i satisfy c_i = H(d_i·G; σ_i) and verifies the correctness of the first Schnorr proof; if the received D_i and random number σ_i satisfy c_i = H(d_i·G; σ_i) and the first Schnorr proof is correct, the step of each participant P_i generating the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm is executed.
The SM2 threshold signature device provided by the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: after the signature public key Q of the SM2 algorithm is generated based on the Q_i of each participant P_i, each participant P_i generates a Paillier public key N_i = p_i·q_i and publishes it, and proves, based on a zero-knowledge proof, that the Paillier public key N_i is correctly generated.
The SM2 threshold signature device provided by the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the following steps when executing the computer program: after each participant P_u selects the random number k_u and generates the corresponding R_u based on the random number k_u, the signature public key Q and the generator G, and before each participant P_u calculates R based on R_u, each participant P_u selects a random number, calculates a hash value and broadcasts it; each participant P_u publishes R_u and the corresponding random number, and generates a second Schnorr proof proving knowledge of the corresponding random number k_u; each participant P_u verifies whether the received R_u and random number satisfy the hash value relation and verifies the correctness of the second Schnorr proof; if the received R_u and random number satisfy the relation and the second Schnorr proof is correct, the step of each participant P_u calculating R based on R_u is executed; after each participant P_u calculates s_u based on the random number k_u, r and w_u, and before each participant P_u publishes s_u, each participant P_u selects random numbers α_u and β_u and calculates V_u = s_u·Q + α_u·G, W_u = β_u·G; each participant P_u selects a random number θ_u, calculates the hash values υ_u = H(V_u; θ_u), ω_u = H(W_u; θ_u) and broadcasts them; each participant P_u publishes V_u, W_u and the random number θ_u, and verifies whether the received V_u, W_u and random number θ_u satisfy υ_u = H(V_u; θ_u), ω_u = H(W_u; θ_u); if they do, a second zero-knowledge proof is generated proving knowledge of s_u and the random numbers α_u and β_u such that V_u = s_u·Q + α_u·G and W_u = β_u·G; if all the second zero-knowledge proofs are correct, each participant P_u calculates Φ_u = β_u·V, Ψ_u = α_u·W, selects a random number η_u, calculates the hash values φ_u = H(Φ_u; η_u), ψ_u = H(Ψ_u; η_u) and broadcasts them; each participant P_u publishes Φ_u, Ψ_u and η_u, and verifies whether the received Φ_u, Ψ_u and η_u satisfy φ_u = H(Φ_u; η_u), ψ_u = H(Ψ_u; η_u); if so, it is verified whether the required relation holds, and if it holds, the step of each participant P_u calculating R based on R_u is executed.
Referring to fig. 4, another SM2 threshold signature device provided in an embodiment of the present application may further include: an input port 203 connected to the processor 202, for transmitting externally input commands to the processor 202; a display unit 204 connected to the processor 202, for displaying the processing result of the processor 202 to the outside; and a communication module 205 connected to the processor 202, for realizing communication between the SM2 threshold signature device and the outside. The display unit 204 may be a display panel, a laser scanning display, or the like; the communication means employed by the communication module 205 include, but are not limited to, mobile high definition link technology (HML), Universal Serial Bus (USB), High Definition Multimedia Interface (HDMI), and wireless connections: wireless fidelity (WiFi), Bluetooth communication, Bluetooth low energy communication, and IEEE 802.11s based communication.
The embodiment of the application provides a computer readable storage medium, wherein a computer program is stored in the computer readable storage medium, and when the computer program is executed by a processor, the following steps are realized:
each participant P_i selects a random number d_i, 1 ≤ i ≤ n, where n represents the total number of participants in the SM2 algorithm;
each participant P_i generates the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm;
the signature public key Q of the SM2 algorithm is generated based on the Q_i of each participant P_i;
each participant P_i generates its own private key fragment y_i based on the random number d_i;
each participant P_u hashes the message value to be signed to obtain a hash value e, 1 ≤ u ≤ T, t ≤ T, where T represents the total number of participants in the SM2 threshold signature method and t represents the minimum number of participants in the SM2 threshold signature method;
each participant P_u calculates w_u based on the private key fragment y_i;
each participant P_u selects a random number k_u and generates the corresponding R_u based on the random number k_u, the signature public key Q and the generator G;
each participant P_u calculates R based on R_u, and calculates r based on R, the order q of the SM2 algorithm and the hash value e;
each participant P_u calculates s_u based on the random number k_u, r and w_u;
each participant P_u publishes s_u and generates s based on s_u, r and q;
the signature verification algorithm of the SM2 algorithm is used to verify whether (r, s) is a correct signature value; if so, (r, s) is taken as the SM2 signature result of the message value.
The embodiment of the application provides a computer readable storage medium, wherein a computer program is stored in the computer readable storage medium, and when the computer program is executed by a processor, the following steps are realized: based on the first operation formula, each participant P_i generates the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm.
The first operation formula includes:
Q_1 = d_1·G; Q_i = d_i·Q_{i-1}, 2 ≤ i ≤ n;
let Q = Q_n − G be the signature public key Q of the SM2 algorithm.
The embodiment of the application provides a computer readable storage medium, wherein a computer program is stored in the computer readable storage medium, and when the computer program is executed by a processor, the following steps are realized: each participant P_i invokes the MTAwc protocol to generate, based on d_i, a value that satisfies a relation; each participant P_i, taking that value as the secret, calculates the function value y_ij for participant P_j, j = [1, …, n]; each participant P_i sends y_ij to participant P_j based on the t-n Shamir sharing protocol; each participant P_j performs its calculation based on y_ij.
The embodiment of the application provides a computer readable storage medium, wherein a computer program is stored in the computer readable storage medium, and when the computer program is executed by a processor, the following steps are realized: based on the second operation formula, each participant P_u hashes the message value to be signed to obtain the hash value e;
the second operation formula includes:
e = hash(Z||M);
where Z represents the hash value of the user's identity identifier, the elliptic curve parameters and the public key coordinates, and M represents the message value;
each participant P_u calculates w_u = λ_u·y_u based on the private key fragment y_i, where λ_u represents the Lagrangian coefficient; each participant P_u selects a random number k_u and generates the corresponding R_u = k_u·(Q+G) based on the random number k_u, the signature public key Q and the generator G; each participant P_u calculates R based on R_u, and calculates r = r_x + e mod q based on R, the order q of the SM2 algorithm and the hash value e; each participant P_u calculates s_u = k_u + r·w_u based on the random number k_u, r and w_u; each participant P_u publishes s_u and generates s based on s_u, r and q.
The embodiment of the application provides a computer readable storage medium, wherein a computer program is stored in the computer readable storage medium, and when the computer program is executed by a processor, the following steps are realized: after each participant P_i selects the random number d_i, and before each participant P_i generates the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm, each participant P_i selects a random number σ_i; each participant P_i calculates the hash value c_i = H(d_i·G; σ_i) based on the random number d_i, the generator G and the random number σ_i, and broadcasts it; each participant P_i publishes D_i = d_i·G and the corresponding random number σ_i, and generates a first Schnorr proof proving knowledge of the corresponding random number d_i; each participant P_i verifies whether the received D_i and random number σ_i satisfy c_i = H(d_i·G; σ_i) and verifies the correctness of the first Schnorr proof; if the received D_i and random number σ_i satisfy c_i = H(d_i·G; σ_i) and the first Schnorr proof is correct, the step of each participant P_i generating the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm is executed.
The embodiment of the application provides a computer readable storage medium, wherein a computer program is stored in the computer readable storage medium, and when the computer program is executed by a processor, the following steps are realized: after the signature public key Q of the SM2 algorithm is generated based on the Q_i of each participant P_i, each participant P_i generates a Paillier public key N_i = p_i·q_i and publishes it, and proves, based on a zero-knowledge proof, that the Paillier public key N_i is correctly generated.
The embodiment of the application provides a computer readable storage medium, wherein a computer program is stored in the computer readable storage medium, and when the computer program is executed by a processor, the following steps are realized: after each participant P_u selects the random number k_u and generates the corresponding R_u based on the random number k_u, the signature public key Q and the generator G, and before each participant P_u calculates R based on R_u, each participant P_u selects a random number, calculates a hash value and broadcasts it; each participant P_u publishes R_u and the corresponding random number, and generates a second Schnorr proof proving knowledge of the corresponding random number k_u; each participant P_u verifies whether the received R_u and random number satisfy the hash value relation and verifies the correctness of the second Schnorr proof; if the received R_u and random number satisfy the relation and the second Schnorr proof is correct, the step of each participant P_u calculating R based on R_u is executed; after each participant P_u calculates s_u based on the random number k_u, r and w_u, and before each participant P_u publishes s_u, each participant P_u selects random numbers α_u and β_u and calculates V_u = s_u·Q + α_u·G, W_u = β_u·G; each participant P_u selects a random number θ_u, calculates the hash values υ_u = H(V_u; θ_u), ω_u = H(W_u; θ_u) and broadcasts them; each participant P_u publishes V_u, W_u and the random number θ_u, and verifies whether the received V_u, W_u and random number θ_u satisfy υ_u = H(V_u; θ_u), ω_u = H(W_u; θ_u); if they do, a second zero-knowledge proof is generated proving knowledge of s_u and the random numbers α_u and β_u such that V_u = s_u·Q + α_u·G and W_u = β_u·G; if all the second zero-knowledge proofs are correct, each participant P_u calculates Φ_u = β_u·V, Ψ_u = α_u·W, selects a random number η_u, calculates the hash values φ_u = H(Φ_u; η_u), ψ_u = H(Ψ_u; η_u) and broadcasts them; each participant P_u publishes Φ_u, Ψ_u and η_u, and verifies whether the received Φ_u, Ψ_u and η_u satisfy φ_u = H(Φ_u; η_u), ψ_u = H(Ψ_u; η_u); if so, it is verified whether the required relation holds, and if it holds, the step of each participant P_u calculating R based on R_u is executed.
The computer readable storage medium to which the present application relates includes Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The description of the related parts in the SM2 threshold signature system, the device and the computer readable storage medium provided in the embodiments of the present application is referred to the detailed description of the corresponding parts in the SM2 threshold signature method provided in the embodiments of the present application, and will not be repeated here. In addition, the parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of the corresponding technical solutions in the prior art, are not described in detail, so that redundant descriptions are avoided.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An SM2 threshold signature method, comprising:
each participant P_i selects a random number d_i, 1 ≤ i ≤ n, where n represents the total number of participants in the SM2 algorithm;
each participant P_i generates the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm;
the signature public key Q of the SM2 algorithm is generated based on the Q_i of each participant P_i;
each participant P_i generates its own private key fragment y_i based on the random number d_i;
each participant P_u hashes the message value to be signed to obtain a hash value e, 1 ≤ u ≤ T, T ≥ t, where T represents the total number of participants in the SM2 threshold signature method and t represents the minimum number of participants in the SM2 threshold signature method;
each participant P_u calculates w_u based on the private key fragment y_u, w_u = λ_u·y_u, where λ_u represents the Lagrangian coefficient;
each participant P_u selects a random number k_u and generates the corresponding R_u based on the random number k_u, the signature public key Q and the generator G, R_u = k_u·(Q+G);
each participant P_u calculates R based on R_u, and calculates r based on R, the order q of the SM2 algorithm and the hash value e, where r = r_x + e mod q;
each participant P_u calculates s_u based on the random number k_u, r and w_u, s_u = k_u + r·w_u;
each participant P_u publishes s_u and generates s based on s_u, r and q;
and the signature verification algorithm of the SM2 algorithm is used to verify whether (r, s) is a correct signature value; if so, (r, s) is taken as the SM2 signature result of the message value.
2. The method according to claim 1, wherein each participant P_i generating the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm comprises:
based on a first operation formula, each participant P_i generates the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm;
the first operation formula includes:
Q_1 = d_1·G; Q_i = d_i·Q_{i-1}, 2 ≤ i ≤ n;
generating the signature public key Q of the SM2 algorithm based on the Q_i of each participant P_i comprises:
let Q = Q_n − G be the signature public key Q of the SM2 algorithm.
3. The method according to claim 2, wherein each participant P_i generating its own private key fragment y_i based on the random number d_i comprises:
each participant P_i invokes the MTAwc protocol to generate, based on d_i, a value that satisfies a relation;
each participant P_i, taking that value as the secret, calculates the function value y_ij for participant P_j, j = [1, ..., n];
each participant P_i sends y_ij to participant P_j based on the t-n Shamir sharing protocol;
each participant P_j performs its calculation based on y_ij.
4. The method according to claim 3, wherein each participant P_u hashing the message value to be signed to obtain the hash value e comprises:
based on a second operation formula, each participant P_u hashes the message value to be signed to obtain the hash value e;
the second operation formula includes:
e = hash(Z||M);
where Z represents the hash value of the user's identity identifier, the elliptic curve parameters and the public key coordinates, and M represents the message value.
5. The method of claim 4, wherein after each participant P_i selects the random number d_i, and before each participant P_i generates the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm, the method further comprises:
each participant P_i selects a random number σ_i;
each participant P_i calculates the hash value c_i = H(d_i·G; σ_i) based on the random number d_i, the generator G and the random number σ_i, and broadcasts it;
each participant P_i publishes D_i = d_i·G and the corresponding random number σ_i, and generates a first Schnorr proof proving knowledge of the corresponding random number d_i;
each participant P_i verifies whether the received D_i and random number σ_i satisfy c_i = H(d_i·G; σ_i) and verifies the correctness of the first Schnorr proof; if the received D_i and random number σ_i satisfy c_i = H(d_i·G; σ_i) and the first Schnorr proof is correct, the step of each participant P_i generating the corresponding Q_i based on the random number d_i and the generator G of the SM2 algorithm is executed.
6. The method according to claim 5, characterized in that after generating the signature public key Q of the SM2 algorithm based on the $Q_i$ of each participant $P_i$, the method further comprises:
each participant $P_i$ generates a Paillier public key $N_i = p_i q_i$ and publishes it;
proving, based on a zero-knowledge proof, that the Paillier public key $N_i$ is correctly generated.
7. The method according to claim 5, wherein after each participant $P_u$ selects a random number $k_u$ and generates the corresponding $R_u$ based on the random number $k_u$, the signature public key Q and the generator G, and before each participant $P_u$ calculates R based on $R_u$, the method further comprises:
each participant $P_u$ selects a random number, calculates a hash value, and broadcasts it;
each participant $P_u$ publishes $R_u$ and the corresponding random number, and generates a second Schnorr proof proving knowledge of the corresponding random number $k_u$;
each participant $P_u$ verifies whether the received $R_u$ and corresponding random number satisfy the hash relation, and verifies the correctness of the second Schnorr proof; if they satisfy it and the second Schnorr proof is correct, the step of each participant $P_u$ calculating R based on $R_u$ is executed;
after each participant $P_u$ calculates $s_u$ based on the random number $k_u$, r and $w_u$, and before each participant $P_u$ publishes $s_u$, the method further comprises:
each participant $P_u$ selects random numbers $\alpha_u$ and $\beta_u$, and calculates $V_u = s_u \cdot Q + \alpha_u \cdot G$, $W_u = \beta_u \cdot G$;
each participant $P_u$ selects a random number $\theta_u$, calculates hash values $\upsilon_u = H(V_u; \theta_u)$, $\omega_u = H(W_u; \theta_u)$, and broadcasts them;
each participant $P_u$ publishes $V_u$, $W_u$ and the random number $\theta_u$, and verifies whether the received $V_u$, $W_u$ and random number $\theta_u$ satisfy $\upsilon_u = H(V_u; \theta_u)$, $\omega_u = H(W_u; \theta_u)$;
if the received $V_u$, $W_u$ and random number $\theta_u$ satisfy $\upsilon_u = H(V_u; \theta_u)$, $\omega_u = H(W_u; \theta_u)$, a second zero-knowledge proof is generated proving knowledge of $s_u$ and the random numbers $\alpha_u$ and $\beta_u$ such that $V_u = s_u \cdot Q + \alpha_u \cdot G$ and $W_u = \beta_u \cdot G$;
if all the second zero-knowledge proofs are correct, each participant $P_u$ calculates; calculates $\Phi_u = \beta_u \cdot V$, $\Psi_u = \alpha_u \cdot W$; selects a random number $\eta_u$, calculates hash values $\phi_u = H(\Phi_u; \eta_u)$, $\psi_u = H(\Psi_u; \eta_u)$, and broadcasts them;
each participant $P_u$ publishes $\Phi_u$, $\Psi_u$ and $\eta_u$, and verifies whether the received $\Phi_u$, $\Psi_u$ and $\eta_u$ satisfy $\phi_u = H(\Phi_u; \eta_u)$, $\psi_u = H(\Psi_u; \eta_u)$; if so, verifies whether holds, and if so, the step of each participant $P_u$ calculating R based on $R_u$ is executed.
8. An SM2 threshold signature system, comprising:
a first selection module, configured for each participant $P_i$ to select a random number $d_i$, $1 \le i \le n$, wherein n represents the total number of participants in the SM2 algorithm;
a first generation module, configured for each participant $P_i$ to generate the corresponding $Q_i$ based on the random number $d_i$ and the generator G of the SM2 algorithm;
a second generation module, configured to generate the signature public key Q of the SM2 algorithm based on the $Q_i$ of each participant $P_i$;
a third generation module, configured for each participant $P_i$ to generate its own private key fragment $y_i$ based on the random number $d_i$;
a first operation module, configured for each participant $P_u$ to perform a hash operation on the message value to be signed to obtain a hash value e, wherein $1 \le u \le T$, $t \le T$, T represents the total number of participants in the SM2 threshold signature method, and t represents the minimum number of participants in the SM2 threshold signature method;
a first calculation module, configured for each participant $P_u$ to calculate $w_u$ based on the private key fragment $y_u$, $w_u = \lambda_u \cdot y_u$, wherein $\lambda_u$ represents the Lagrange coefficient;
a fourth generation module, configured for each participant $P_u$ to select a random number $k_u$ and generate the corresponding $R_u$ based on the random number $k_u$, the signature public key Q and the generator G, $R_u = k_u \cdot (Q + G)$;
a second calculation module, configured for each participant $P_u$ to calculate R based on $R_u$, and to calculate r based on R, the order q of the SM2 algorithm and the hash value e, wherein $r = r_x + e \bmod q$;
a third calculation module, configured for each participant $P_u$ to calculate $s_u$ based on the random number $k_u$, r and $w_u$, $s_u = k_u + r w_u$;
a fifth generation module, configured for each participant $P_u$ to publish $s_u$ and to generate s based on the values of $s_u$, r and q;
and a first verification module, configured to verify whether (r, s) is a correct signature value based on the signature verification algorithm of the SM2 algorithm, and if so, to take (r, s) as the SM2 signature result of the message value.
9. An SM2 threshold signing device comprising:
a memory for storing a computer program;
a processor for implementing the steps of the SM2 threshold signature method according to any one of claims 1 to 7 when executing said computer program.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program which, when executed by a processor, implements the steps of the SM2 threshold signature method according to any one of claims 1 to 7.
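The algebra behind the formulas of claim 8, as an added example (not code from the patent): it checks on the SM2 curve that the partial values $R_u = k_u \cdot (Q + G)$, $w_u = \lambda_u \cdot y_u$ and $s_u = k_u + r w_u$ from at least t participants combine into a pair (r, s) that the standard SM2 verification accepts. Assumptions not reproduced in this text: R is the sum of the $R_u$, s is the sum of the $s_u$ minus r mod q, and the $y_i$ are t-n Shamir shares of $(1+d)^{-1}$ for the joint private key d; a single dealer stands in for the distributed key generation, SHA-256 stands in for the hash, the commitments and zero-knowledge proofs are omitted, and all function names are hypothetical.

```python
import hashlib, secrets
from math import prod

P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF  # SM2 field prime; a = P - 3
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123  # group order (the page's q)
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)  # SM2 base point

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    m = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add scalar multiplication (not constant time)
    acc = None
    for bit in bin(k)[2:]:
        acc = add(add(acc, acc), pt if bit == "1" else None)
    return acc

def shamir(secret, t, n):  # t-n Shamir shares y_1..y_n of `secret`
    f = [secret] + [secrets.randbelow(N) for _ in range(t - 1)]
    return {i: sum(c * pow(i, j, N) for j, c in enumerate(f)) % N for i in range(1, n + 1)}
def lagrange(u, signers):  # Lagrange coefficient lambda_u for interpolation at x = 0
    return prod(v * pow(v - u, -1, N) for v in signers if v != u) % N

def threshold_sign(e, Q, y, signers):
    k = {u: secrets.randbelow(N - 1) + 1 for u in signers}  # each P_u picks k_u
    R = None
    for u in signers:
        R = add(R, mul(k[u], add(Q, G)))  # R_u = k_u*(Q+G); R assumed to be the sum of R_u
    r = (R[0] + e) % N  # r = r_x + e mod q
    s_u = [(k[u] + r * lagrange(u, signers) * y[u]) % N for u in signers]  # s_u = k_u + r*w_u
    return r, (sum(s_u) - r) % N  # assumed combining rule: s = sum(s_u) - r mod q

def sm2_verify(e, Q, r, s):  # standard SM2 check: x(s*G + (r+s)*Q) + e == r mod q
    pt = add(mul(s, G), mul((r + s) % N, Q)) if 0 < r < N and 0 < s < N and (r + s) % N else None
    return pt is not None and (e + pt[0]) % N == r

def demo(t=2, n=3, signers=(1, 3)):
    d = secrets.randbelow(N - 2) + 1  # constructed joint key, known only to the stand-in dealer
    Q, y = mul(d, G), shamir(pow(1 + d, -1, N), t, n)  # assumption: y_i share (1+d)^-1
    e = int.from_bytes(hashlib.sha256(b"constructed Z || M").digest(), "big")  # stand-in hash
    r, s = threshold_sign(e, Q, y, signers)
    return sm2_verify(e, Q, r, s), sm2_verify(e + 1, Q, r, s)
```

`demo()` returns `(True, False)`: the combined pair verifies for the signed digest and is rejected for a different one, while fewer than t signers do not produce a pair that verifies.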
CN202211048343.6A 2022-08-30 2022-08-30 SM2 threshold signature method, system, device and computer readable storage medium Active CN115412260B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211048343.6A CN115412260B (en) 2022-08-30 2022-08-30 SM2 threshold signature method, system, device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN115412260A CN115412260A (en) 2022-11-29
CN115412260B true CN115412260B (en) 2023-10-20

Family

ID=84164166

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211048343.6A Active CN115412260B (en) 2022-08-30 2022-08-30 SM2 threshold signature method, system, device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN115412260B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant