CN115580401A - Certificateless SM2 secret key generation method based on verifiable secret sharing - Google Patents


Info

Publication number: CN115580401A (granted version: CN115580401B)
Application number: CN202211306716.5A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 王凯, 张云兵, 姚景升
Assignee (original and current): Shangmi Guangzhou Information Technology Co., Ltd.
Legal status: granted, currently active (status as listed by Google Patents; not a legal conclusion)
Prior art keywords: key, user, secret, key generation, private key

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs
    • H04L9/3221Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs interactive zero-knowledge proofs


Abstract

The invention discloses a certificateless SM2 key generation method based on verifiable secret sharing, comprising the following steps: each key generation center in the system computes and publishes a verifiable zero-knowledge commitment and generates the corresponding first-part secret shares for the other key generation centers; each center verifies whether the first-part secret shares it receives are valid; if they are valid, each key generation center computes its second-part secret share from the first-part secret shares; the current key generation center recovers the complete system master private key S and the corresponding master public key P_pub; it computes the user private key fragment t and the claimed public key W; and the user side derives the user's complete private key and the user's actual public key P_U from the user private key fragment t and the claimed public key W. The invention ensures that the secret shares received by each party are valid and that no private information about the master key component held in secret by each key generation center is revealed.

Description

Certificateless SM2 secret key generation method based on verifiable secret sharing
Technical Field
The invention relates to the technical field of information security, and in particular to a certificateless SM2 key generation method based on verifiable secret sharing.
Background
In public key cryptography a user's public key usually has to be bound to the user's identity information or some other distinguishing identifier, and this binding is managed either by a certificate-based system or by a certificateless system. For the SM2 signature algorithm, a certificate-based system needs an additional certificate authentication mechanism and certificate management is relatively cumbersome. If the user's SM2 key is instead managed by a certificateless system, the user identifier can serve directly as the user's public key, the exchange of digital certificates and public keys is omitted, and the cryptosystem becomes easy to deploy and manage.
In existing SM2 certificateless systems a Key Generation Center (KGC) generates a private key fragment for the user, and the user alone derives the complete private key from it; the key generation center learns nothing about the user's complete private key. Having a single key generation center generate the user's private key fragment concentrates authority in one party and creates a single point of failure, with problems such as service interruption and leakage of the master private key. In general a threshold mechanism based on a secret sharing scheme can be adopted, in which several key generation centers each hold a secret share of the system master private key and cooperate to generate the user's private key fragment. However, when some of the key generation centers are dishonest, nothing prevents a dishonest center from distributing wrong secret shares, so that an invalid key is eventually constructed, which necessarily undermines the security and stability of the certificateless system.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a certificateless SM2 key generation method based on verifiable secret sharing, which solves the problems of service interruption, master key leakage and the like caused by concentrated authority or a single point of failure when a single KGC generates the user's key fragment in existing SM2 certificateless systems.
The purpose of the invention is realized by the following technical scheme:
A certificateless SM2 key generation method based on verifiable secret sharing comprises the following steps:
S1. Each key generation center in the system computes and publishes a verifiable zero-knowledge commitment from its pre-stored master key component, the preset threshold, the system public parameters and two polynomials of degree t-1, generates the corresponding first-part secret shares (f_i(j), g_i(j)) for the other key generation centers, and sends each share to the corresponding key generation center;
S2. Each key generation center verifies, against the published zero-knowledge commitments, whether the first-part secret shares (f_i(j), g_i(j)) it received are valid; if so, step S3 is executed;
S3. Each key generation center computes its second-part secret share (s2_i, g_i) from the first-part secret shares and stores (s2_i, g_i) locally;
S4. The user side generates a partial private key X_A and sends the public key corresponding to X_A, together with the user identifier, to a key generation center;
S5. The current key generation center requests the second-part secret shares (s2_i, g_i) from the other key generation centers in the system in order to recover the system master key pair, and thereby recovers the complete system master private key S and the corresponding master public key P_pub;
S6. From the user's partial private key X_A, the user identifier ID_A, the random parameter components ω_i generated by the other key generation centers and the system public parameters, the user private key fragment t and the claimed public key W are computed;
S7. From the partial private key X_A, the user private key fragment t and the claimed public key W, the user side derives the user's complete private key and the user's actual public key P_U, which completes certificateless SM2 key generation.
Preferably, step S1 comprises:
S11. Each KGC in the system generates a random number s1_i and uses it as its component of the system master private key, where s1_i ∈ [1, N-1], i ∈ [1, k], and k is the number of KGCs;
S12. Each KGC takes s1_i as its secret value and, according to the preset threshold (t, k), selects t-1 random numbers [a_{i1}, a_{i2}, ..., a_{i(t-1)}] and a further t random numbers [r_i, b_{i1}, b_{i2}, ..., b_{i(t-1)}], all in [1, N-1], and forms the two polynomials of degree t-1
f_i(x) = s1_i + a_{i1} x + a_{i2} x^2 + ... + a_{i(t-1)} x^{t-1},
g_i(x) = r_i + b_{i1} x + b_{i2} x^2 + ... + b_{i(t-1)} x^{t-1}, i ∈ [1, k];
S13. Each KGC computes and publishes the verifiable zero-knowledge commitments E_{i0}, ..., E_{i(t-1)}, where, writing a_{i0} = s1_i and b_{i0} = r_i and with G and H the two base points of the system parameters,
E_{il} = [a_{il}]G + [b_{il}]H, l ∈ [0, t-1]
(Pedersen commitment form; the page's own formula image did not survive extraction, and this is the form that the two base points and the additive homomorphism relied on below imply);
S14. Each KGC evaluates f_i(x) and g_i(x) to generate a first-part secret share (f_i(j), g_i(j)) for every other KGC and sends it to that KGC in turn; here i, j ∈ [1, k], i ≠ j, and f_i(j), g_i(j) denote the share generated by the i-th KGC for the j-th KGC.
Preferably, step S2 comprises:
S21. Each KGC i receives the secret share (f_j(i), g_j(i)) distributed by every other KGC j and checks whether
[f_j(i)]G + [g_j(i)]H = Σ_{l=0}^{t-1} [i^l] E_{jl}
holds (this is the check the Pedersen commitments of S13 support); if so, step S31 is executed. Here E_{jl}, j ∈ [1, k], l ∈ [0, t-1], are the verifiable zero-knowledge commitments published by each KGC.
Step S3 comprises:
S31. Each KGC computes and stores its second-part secret share (s2_i, g_i), where
s2_i = Σ_{j=1}^{k} f_j(i) mod N,
g_i = Σ_{j=1}^{k} g_j(i) mod N.
preferably, step S4 comprises:
s41, the user side generates part of the private key X in a random secret mode A To be associated with said user part private key X A Corresponding first time point U A With a user identification ID A And sending the key to a key generation center.
5. The certificateless SM2 key generation method of claim 4, wherein step S5 comprises:
s51, the current key generation center receives the key generation request of the user and requests other key generation centers in the system to acquire a second part of secret components S2 for recovering the system master key pair i 、g i And a randomly generated random parameter component ω i (ii) a The key generation request of the user comprises a first time point U A With user identification ID A
S52, verifying the secret component S2 i Whether it is valid; if yes, go to step S52;
s53, when at least t effective secret shares S2 are obtained i Then, recovering a t-1 order polynomial F (x) by a Lagrange interpolation method, and recovering a complete system main private key S and a main public key P corresponding to the main private key pub
Preferably, step S6 comprises:
S61. From the random parameter components ω_i generated by the t key generation centers and the first multiple point U_A, the claimed public key W is computed;
S62. From the user identifier ID_A, the user private key fragment t is computed;
S63. The user private key fragment t and the claimed public key W are sent back to the user side.
Preferably, in step S52 the validity of the secret share s2_i is decided by checking whether
[s2_i]G + [g_i]H = Σ_{l=0}^{t-1} [i^l] E_l, with E_l = Σ_{j=1}^{k} E_{jl},
holds, where E_{jl} is the zero-knowledge commitment published by the j-th KGC; the aggregated E_l commit to the coefficients of F(x) = Σ_j f_j(x) and are obtained from the published E_{jl} by the additive homomorphism of the commitment (the page's formula image did not survive extraction).
In step S53 the system master private key S is recovered as
S = F(0) mod N;
and the master public key P_pub corresponding to the master private key is recovered as
P_pub = [S]G = (x_pub, y_pub),
where x_pub and y_pub are the x- and y-coordinates on the elliptic curve of the multiple point [S]G.
Preferably, in step S61 the computation from the random parameter components ω_i of the t key generation centers and the first multiple point U_A is:
ω = Σ_{i=1}^{t} ω_i mod N;
P_A = [ω]G;
W = P_A + U_A = [ω]G + [x]G = [ω + x]G = (x_W, y_W);
where the ω_i are the random parameter components generated by the t key generation centers, ω is the sum of the t values ω_i reduced modulo N, P_A is the second multiple point generated from ω and the base point G, and x_W and y_W are the x- and y-coordinates of the claimed public key W on the elliptic curve.
In step S62 the computation from the user identifier ID_A is:
Z_A = Hash(ID_A || a || b || x_G || y_G);
t_1 = Hash(x_W || y_W || Z_A) mod N;
t = (ω + t_1 * S) mod N;
where a and b are the elliptic curve parameters, ID_A is the user identifier, x_G and y_G are the coordinates of the base point G on the elliptic curve, Z_A is the hash value over these inputs (the inputs are those the description names; the formula image itself did not survive extraction), t_1 is the integer obtained by reducing the hash result modulo N, S is the recovered complete system master private key, and t is the user private key fragment.
Preferably, step S7 comprises: computing the user's complete private key from the user private key fragment t and the claimed public key W, and generating the unforgeable user actual public key P_U from the claimed public key W. The user's complete private key is computed from the fragment t as
S_A = (X_A + t) mod N;
and the unforgeable user actual public key P_U is generated from the claimed public key W as
Z_A = Hash(ID_A || a || b || x_G || y_G);
t_1 = Hash(x_W || y_W || Z_A) mod N;
P_U = W + [t_1]P_pub.
Preferably, step S7 is followed by verifying that the claimed public key contained in the user's actual public key P_U was distributed by the KGC and has not been tampered with: compute P_U* = [S_A]G and compare it with the user's actual public key P_U; if they are equal, the claimed public key is valid and untampered. The check works because S_A = X_A + ω + t_1 * S, so [S_A]G = U_A + P_A + [t_1][S]G = W + [t_1]P_pub = P_U; if W is altered after the KGC computed t, the user's t_1 and W no longer match the t it received and the equality fails.
Compared with the prior art, the invention has the following advantages:
the invention generates corresponding secret share according to the main key component locally stored by each key generation center through the safe multiparty calculation operation based on the secret sharing scheme and distributes the secret share to other key generation centers in the system. The invention can also verify the validity and correctness of secret shares sent by distrusted entities by the verifiable computing operation supporting the addition homomorphism based on verifiable zero knowledge commitment. The process can not only ensure that the secret shares received by each entity are correct and effective, but also ensure that any privacy information of the master key component stored in secret in each key generation center is not leaked, thereby effectively improving the safety and stability of the whole system. In addition, the invention generates the user key fragment by the cooperation of the multi-party key generation center, and calculates the complete private key by the user, thereby avoiding the power concentration of a single key generation center and improving the security of the user key.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, are included to provide a further understanding of the invention, and are incorporated in and constitute a part of this specification, illustrate embodiment(s) of the invention and together with the description serve to explain the invention and not to limit the invention. In the drawings:
fig. 1 is a schematic flowchart of a certificateless SM2 key generation method based on verifiable secret sharing according to the present invention.
FIG. 2 is a flow chart illustrating system initialization according to the present invention.
Fig. 3 is a schematic flow chart of user key generation according to the present invention.
Detailed Description
The invention is further illustrated by the following figures and examples.
Fig. 1 is a schematic flowchart of the certificateless SM2 key generation method based on verifiable secret sharing according to the present invention. As shown in Fig. 1, the method comprises:
S1. Each key generation center in the system computes and publishes a verifiable zero-knowledge commitment from its pre-stored master key component, the preset threshold, the system public parameters and two polynomials of degree t-1, generates the corresponding first-part secret shares (f_i(j), g_i(j)) for the other key generation centers, and sends each share to the corresponding key generation center;
S2. Each key generation center verifies, against the zero-knowledge commitments published by the key generation centers, whether the first-part secret shares (f_i(j), g_i(j)) it received are valid; if so, step S3 is executed;
S3. Each key generation center computes its second-part secret share (s2_i, g_i) from the first-part secret shares and stores (s2_i, g_i) locally;
S4. The user side generates a partial private key X_A and sends the public key corresponding to X_A, together with the user identifier, to a key generation center;
S5. The current key generation center requests the second-part secret shares (s2_i, g_i) from the other key generation centers in the system in order to recover the system master key pair, and thereby recovers the complete system master private key S and the corresponding master public key P_pub;
S6. From the user's partial private key X_A, the user identifier ID_A, the random parameter components ω_i generated by the other key generation centers and the system public parameters, the user private key fragment t and the claimed public key W are computed;
S7. From the partial private key X_A, the user private key fragment t and the claimed public key W, the user side derives the user's complete private key and the user's actual public key P_U, which completes certificateless SM2 key generation.
In this scheme a secure and valid key is generated for the user by t (t ≥ 2) key generation centers cooperatively. The key generation method satisfies the following requirements:
1. The t key generation centers have full autonomy over their locally stored system master private key components; no other user and no malicious key generation center can obtain information about a component;
2. The complete private key generated for the user by the cooperating key generation centers satisfies the national SM2 key specification; the user can generate digital signatures with it, and the signature values satisfy the national SM2 signature standard;
3. Fewer than t key generation centers cannot cooperatively construct the complete system master private key, and hence cannot cooperatively generate a valid complete key for a user;
4. While constructing the complete master private key under the secret sharing scheme, the t key generation centers perform a valid zero-knowledge verification of each received secret share, so that a dishonest key generation center is prevented from distributing wrong secret shares and causing an invalid system master private key to be constructed.
It should be noted that this embodiment involves 5 Key Generation Centers (KGCs) and a user side. All elliptic curve parameters in this embodiment satisfy the SM2 cryptographic algorithm, and the published system parameters comprise the finite field F_q, the elliptic curve E(F_q), its coefficients a and b, the base point G of E(F_q) with coordinates (x_G, y_G), the second base point H, and the order N of the base points G and H. The threshold t of the secret sharing scheme is 3, that is, at least 3 valid secret shares held by KGCs are required to cooperatively construct the complete system master key.
Specifically, the certificateless SM2 key generation method based on verifiable secret sharing provided by this embodiment includes steps of system initialization and user complete key generation, which are specifically as follows:
1. System initialization (see Fig. 2)
1) Each of the 5 KGCs generates a random number s1_i ∈ [1, N-1] as its component of the system master private key, i ∈ [1, 5] (in general i ∈ [1, k], where k is the number of KGCs). The system here consists of the 5 KGCs and the user side; each key generation center holds its own master key component, from which the system master private key and master public key are built.
2) Each KGC takes its own s1_i as the secret value and, according to the threshold (t, k), selects t-1 random numbers [a_{i1}, a_{i2}, ..., a_{i(t-1)}] ∈ [1, N-1] and a further t random numbers [r_i, b_{i1}, b_{i2}, ..., b_{i(t-1)}] ∈ [1, N-1], and forms the two polynomials of degree t-1
f_i(x) = s1_i + a_{i1} x + a_{i2} x^2 + ... + a_{i(t-1)} x^{t-1},
g_i(x) = r_i + b_{i1} x + b_{i2} x^2 + ... + b_{i(t-1)} x^{t-1}, i ∈ [1, k];
3) Each KGC computes the verifiable zero-knowledge commitments
E_{il} = [a_{il}]G + [b_{il}]H, l ∈ [0, t-1], with a_{i0} = s1_i and b_{i0} = r_i
(Pedersen commitment form; the page's formula image did not survive extraction), and then publishes E_{i0}, ..., E_{i(t-1)}.
4) Each KGC evaluates f_i(x) and g_i(x) to produce the first-part secret shares (f_i(j), g_i(j)) for the other KGCs, where i, j ∈ [1, 5] and f_i(j), g_i(j) denote the share generated by the i-th KGC for the j-th KGC. Each KGC distributes (f_i(j), g_i(j)), i ≠ j, to the other KGCs in turn.
Thus the k KGCs each compute and publish verifiable zero-knowledge commitments from their stored master key component, the threshold t, the system public parameters and the degree t-1 polynomials, generate the corresponding first-part secret shares for the other k-1 KGCs, and send them to the corresponding KGCs.
5) Each KGC i receives the secret share (f_j(i), g_j(i)) distributed by every other KGC j and checks whether
[f_j(i)]G + [g_j(i)]H = Σ_{l=0}^{t-1} [i^l] E_{jl}
holds, where E_{jl}, j ∈ [1, 5], l ∈ [0, 2], are the verifiable zero-knowledge commitments published by each KGC. If the equation does not hold, the secret share is invalid and the first-part secret share must be generated again.
Steps 3), 4) and 5) verify, by a verifiable computation against the zero-knowledge commitments generated by each KGC, whether a received secret share is valid, while ensuring that nothing about the system master private key component s1_i is leaked.
6) Each KGC computes its second-part secret share
s2_i = Σ_{j=1}^{k} f_j(i) mod N and g_i = Σ_{j=1}^{k} g_j(i) mod N,
and then stores (s2_i, g_i) locally.
The second-part secret shares (s2_i, g_i) stored locally by each KGC in step 6) are used later to check the validity of secret shares and to construct the polynomial F(x) = Σ_{j=1}^{k} f_j(x) of degree t-1, from which the complete system master private key S = F(0) mod N = (s1_1 + s1_2 + ... + s1_5) mod N and the master public key P_pub = [S]G = [s1_1]G + [s1_2]G + ... + [s1_5]G are constructed. Note that S is the sum of all five components, because every KGC's polynomial contributes to F; the threshold t = 3 only governs how many second-part shares are needed to recover it.
Each KGC verifies, from the zero-knowledge commitments published by every KGC and the first-part secret shares received from the other KGCs, whether each secret share is correct and valid; if so, it computes and stores its second-part secret share from its locally held first-part share and the first-part shares received from the others; if not, it asks the key generation center in question to send the first-part secret share again.
2. User key generation (see Fig. 3)
User side:
1) Generate a random secret x ∈ [1, N-1] as the user's partial private key X_A = x;
2) Compute U_A = [x]G;
3) Send U_A together with the user identifier ID_A to a key generation center. U_A is the first multiple point corresponding to the user's partial private key X_A (generated from the base point G of the elliptic curve).
Key generation center:
1) Receive the user's key generation request and request from the other key generation centers the second-part secret shares (s2_i, g_i) needed to recover the system master key pair, together with a randomly generated random parameter component ω_i ∈ [1, N-1]; with its own component this gives the t components ω_i, i ∈ [1, t], used below;
2) Compute the aggregate commitments
E_l = Σ_{j=1}^{k} E_{jl}, l ∈ [0, t-1],
where E_{jl} denotes the zero-knowledge commitment published by the j-th KGC, and then check, for each received second-part share (s2_i, g_i), whether
[s2_i]G + [g_i]H = Σ_{l=0}^{t-1} [i^l] E_l
holds (the check the aggregated Pedersen commitments support; the page's formula image did not survive extraction). If it holds, the secret share s2_i sent by that KGC is valid; if not, return an error and request s2_i again;
3) Once at least t valid secret shares s2_i have been collected, recover the polynomial F(x) of degree t-1 by Lagrange interpolation and so recover the complete system master private key S = F(0) mod N; then compute and publish the system master public key
P_pub = [S]G = (x_pub, y_pub).
Here P_pub is the master public key corresponding to the recovered complete system master private key S, generated from the base point G of the elliptic curve, and x_pub, y_pub are the x- and y-coordinates of the multiple point [S]G on the elliptic curve.
4) Compute ω = Σ_{i=1}^{t} ω_i mod N and P_A = [ω]G, where the ω_i are the random parameter components generated by the t key generation centers, ω is their sum reduced modulo N so that ω does not exceed N, and P_A is the second multiple point generated from ω and the base point G;
5) Compute W = P_A + U_A = [ω]G + [x]G = [ω + x]G = (x_W, y_W), where W is the sum of the multiple points P_A and U_A and x_W, y_W are its coordinates on the elliptic curve; W is then designated the claimed public key;
6) Compute Z_A = Hash(ID_A || a || b || x_G || y_G), where a and b are the elliptic curve parameters, ID_A is the user identifier, x_G and y_G are the coordinates of the base point G on the elliptic curve, and Z_A is the resulting hash value (inputs as named in the description; the formula image did not survive extraction);
7) Compute t_1 = Hash(x_W || y_W || Z_A) mod N, the integer obtained by reducing the hash result modulo N;
8) Compute t = (ω + t_1 * S) mod N, where S is the recovered complete system master private key, t is the user private key fragment and W is the claimed public key;
9) Send the user private key fragment t and the claimed public key W back to the user side.
The user side computes a partial private key and sends the corresponding public key to the KGC. The KGC obtains the valid second-part secret shares held by the other KGCs to recover the system master private key, then computes the user's private key fragment and the claimed public key from the partial public key sent by the user, the user's distinguishing identifier, the random parameter components sent by the other KGCs, the system public parameters and the system master public key, and sends the generated fragment and claimed public key to the user side.
User side:
1) Calculating S_A = (X_A + t) mod N as the user's complete private key;
2) The user stores W = (x_W, y_W) as the user's claimed public key;
The user's claimed public key is subsequently used, together with published data (e.g. the system public parameters, the user identification ID_A, the system master public key P_pub and the user's claimed public key W), to generate an unforgeable user actual public key P_U. SM2 signature verification and decryption can then be performed with the user's actual public key P_U. The generation of the actual public key P_U is divided into the following three steps:
1) Computing Z_A [equation image BDA0003906143480000111];
2) Calculating t_1 = Hash(x_W || y_W || Z_A) mod N;
3) Calculating P_U = W + [t_1]P_pub.
The user side of the scheme computes the complete user private key from the partial private key received from the KGC, and computes the corresponding user actual public key from the claimed public key, the system master public key and the system public parameters.
Verifying whether the claimed public key contained in the user's actual public key P_U was distributed by the KGC and has not been tampered with is done in two steps:
1) Calculating P_U* = [S_A]G;
2) Verifying whether P_U* = P_U holds, i.e. whether P_U* equals the user's actual public key P_U generated by the calculation above. If they are equal, the claimed public key is valid and untampered; otherwise it is invalid.
Compared with existing secret-sharing-based key generation schemes, this embodiment introduces verifiable zero-knowledge commitments. In the previous schemes, the parties share a set secret value through a secret sharing scheme and each obtain a corresponding secret share; the parties can then reconstruct the shared secret value from the shares they hold through secure multi-party computation. However, if a dishonest entity distributes wrong or invalid secret shares, or an entity receives a wrong secret share, an invalid secret value is ultimately reconstructed, which compromises the security of the system and wastes system resources.
The method proposed in this embodiment not only generates and distributes the corresponding secret shares to the other key generation centers from the master key component stored locally by each key generation center, through secure multi-party computation based on a secret sharing scheme, but also verifies the validity and correctness of the secret shares sent by each untrusted entity, using verifiable zero-knowledge commitments and a verification computation that supports additive homomorphism. This process ensures both that the secret shares received by each entity are correct and valid, and that no private information about the master key component secretly stored in each key generation center is leaked, thereby effectively improving the security and stability of the whole system.
The above embodiments are preferred embodiments of the present invention, but the present invention is not limited thereto; any other modification or equivalent substitution that does not depart from the technical spirit of the present invention falls within the scope of the present invention.

Claims (10)

1. A certificateless SM2 key generation method based on verifiable secret sharing, comprising:
S1, each key generation center in the system calculates and publishes a verifiable zero-knowledge commitment according to a pre-stored master key component, a preset threshold value, the system public parameters and a polynomial of degree t-1, generates a corresponding first partial secret share (f_i(j), g_i(j)) for each other key generation center, and sends it to the corresponding key generation center;
S2, each key generation center verifies, according to the published zero-knowledge commitments, whether the first partial secret share (f_i(j), g_i(j)) is valid; if so, step S3 is executed;
S3, each key generation center calculates a second partial secret share s2_i, g_i from the first partial secret shares and stores the second partial secret share s2_i, g_i locally;
S4, the user side generates a user partial private key X_A and sends the public key corresponding to the user partial private key X_A together with the user identification to a key generation center;
S5, the current key generation center requests the other key generation centers in the system for the second partial secret shares s2_i, g_i used to recover the system master key pair, thereby recovering the complete system master private key S and the master public key P_pub corresponding to the master private key;
S6, the user private key fragment t and the claimed public key W are calculated from the user partial private key X_A, the user identification ID_A, the random parameter components ω_i randomly generated by the other key generation centers and the system public parameters;
S7, the user side obtains the user's complete private key and the user's actual public key P_U from the user partial private key X_A, the user private key fragment t and the claimed public key W, completing the certificateless SM2 key generation.
2. The certificateless SM2 key generation method of claim 1, wherein step S1 comprises:
S11, each KGC in the system generates a random number s1_i and takes the random number s1_i as a component of the system master private key, where s1_i ∈ [1, N-1], i ∈ [1, k], and k denotes the number of all KGCs;
S12, each KGC takes the random number s1_i as a secret value and, according to a preset threshold (t, k), selects t-1 random numbers [a_i1, a_i2, ..., a_i(t-1)] and a further set of random numbers [r_i, b_i1, b_i2, ..., b_i(t-1)], and computes two polynomials f_i(x) and g_i(x) of degree t-1, where [a_i1, a_i2, ..., a_i(t-1)] ∈ [1, N-1], [r_i, b_i1, b_i2, ..., b_i(t-1)] ∈ [1, N-1], f_i(x) = s1_i + a_i1 x + a_i2 x^2 + ... + a_i(t-1) x^(t-1), g_i(x) = r_i + b_i1 x + b_i2 x^2 + ... + b_i(t-1) x^(t-1), i ∈ [1, k];
S13, each KGC calculates and publicly discloses the verifiable zero-knowledge commitments E_i0, ..., E_i(t-1); wherein
[equation image FDA0003906143470000021]
[equation image FDA0003906143470000022]
S14, each KGC generates, from the polynomials f_i(x) and g_i(x), a first partial secret share (f_i(j), g_i(j)) for each other KGC, and sends the secret share (f_i(j), g_i(j)) in turn to the other KGCs; wherein i, j ∈ [1, k], i ≠ j, and f_i(j) and g_i(j) denote the secret share generated by the i-th KGC and sent to the j-th KGC.
3. The certificateless SM2 key generation method of claim 2, wherein step S2 comprises:
S21, each KGC receives the secret shares (f_i(j), g_i(j)) distributed by the other KGCs and verifies whether
[equation image FDA0003906143470000023]
holds; if so, step S31 is executed; wherein E_jl, j ∈ [1, k], l ∈ [1, t-1], are the verifiable zero-knowledge commitments published by each KGC;
step S3 comprises:
S31, each KGC calculates and stores the second partial secret share s2_i, g_i; wherein
[equation image FDA0003906143470000024]
[equation image FDA0003906143470000025]
4. The certificateless SM2 key generation method of claim 3, wherein step S4 comprises:
S41, the user side generates a user partial private key X_A in a random and secret manner, and sends the first multiple point U_A corresponding to the user partial private key X_A together with the user identification ID_A to a key generation center.
5. The certificateless SM2 key generation method of claim 4, wherein step S5 comprises:
S51, the current key generation center receives the user's key generation request and requests the other key generation centers in the system for the second partial secret shares s2_i, g_i used to recover the system master key pair, together with the randomly generated parameter components ω_i; the user's key generation request comprises the first multiple point U_A and the user identification ID_A;
S52, verifying whether the secret share s2_i is valid; if so, step S53 is executed;
S53, when at least t valid secret shares s2_i have been obtained, recovering the polynomial F(x) of degree t-1 by Lagrange interpolation, and recovering the complete system master private key S and the master public key P_pub corresponding to the master private key.
6. The certificateless SM2 key generation method of claim 5, wherein step S6 comprises:
S61, computing the claimed public key W from the random parameter components ω_i randomly generated by the t key generation centers and the first multiple point U_A;
S62, computing the user private key fragment t from the user identification ID_A;
S63, sending the user private key fragment t and the claimed public key W back to the user side.
7. The certificateless SM2 key generation method of claim 5, wherein in step S52, whether the secret share s2_i is valid is determined by verifying whether
[equation image FDA0003906143470000031]
holds; wherein
[equation image FDA0003906143470000032]
[equation image FDA0003906143470000033]
are the zero-knowledge commitments published by the j-th KGC;
in step S53, the formula for recovering the system master private key S is:
S = F(0) mod N;
and the formula for recovering the master public key P_pub corresponding to the master private key is:
[equation image FDA0003906143470000034]
wherein
[equation image FDA0003906143470000035]
is the value of the multiple point [S]G on the x-axis of the elliptic curve, and
[equation image FDA0003906143470000036]
is the value of the multiple point [S]G on the y-axis of the elliptic curve.
8. The certificateless SM2 key generation method of claim 6, wherein in step S61 the formula for the calculation from the random parameter components ω_i randomly generated by the t key generation centers and the first multiple point U_A is:
[equation image FDA0003906143470000041]
P_A = [ω]G;
W = P_A + U_A = [ω]G + [x]G = [ω + x]G = (x_W, y_W);
wherein ω_i refers to the random parameter components randomly generated by the t key generation centers, ω is the sum of the ω_i reduced modulo N; P_A is a second multiple point generated from ω and the base point G; x_W and y_W are the values of the claimed public key W on the x-axis and y-axis of the elliptic curve respectively.
In step S62, the formula for the calculation from the user identification ID_A is:
[equation image FDA0003906143470000042]
t_1 = Hash(x_W || y_W || Z_A) mod N;
t = (ω + t_1 * S) mod N;
wherein a and b are parameters of the elliptic curve, ID_A refers to the user identity, x_G and y_G are the values of the base point G on the x-axis and y-axis of the elliptic curve respectively; Z_A is the hash value generated from these inputs, t_1 is the integer obtained by reducing the hash result modulo N; S is the recovered complete system master private key, and t is the user private key fragment.
9. The certificateless SM2 key generation method of claim 8, wherein step S7 comprises:
calculating the user's complete private key from the user private key fragment t and the claimed public key W, and generating the unforgeable user actual public key P_U from the claimed public key W; the formula for the calculation from the user private key fragment t and the claimed public key W is:
S_A = (X_A + t) mod N;
the formula for generating the unforgeable user actual public key P_U from the claimed public key W is:
[equation image FDA0003906143470000051]
t_1 = Hash(x_W || y_W || Z_A) mod N
P_U = W + [t_1]P_pub
10. The certificateless SM2 key generation method of claim 1, further comprising, after step S7: verifying whether the claimed public key contained in the user's actual public key P_U was distributed by the KGC and has not been tampered with, which comprises: verifying whether P_U* equals the user's actual public key P_U; if they are equal, the claimed public key is valid and untampered; wherein P_U* = [S_A]G.
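As an added example (not code from the patent or its applicant), the following Python walks the three computations the claims describe on one constructed toy curve: the share check of steps S2/S52 against published commitments, the Lagrange recovery of S = F(0) mod N in step S53, and the user-side derivation of S_A and P_U with the claim-10 check [S_A]G = P_U. Because the page's equation images are not legible, the Pedersen form of the commitments E_il = [a_il]G + [b_il]H, the second generator H and the byte encoding of Z_A are assumptions; the 19-point curve stands in for the 256-bit SM2 curve and the algebra is unchanged.

```python
import hashlib
import secrets

# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17; its group has prime order 19, so
# scalars live in Z_19. The patent's SM2 curve has a 256-bit N, but the algebra is identical.
P, A, B, N = 17, 2, 2, 19
G = (5, 1)    # base point
H = (10, 6)   # assumed second generator for the Pedersen commitments (a real H needs an unknown log)

def ec_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication [k]pt
    r, k = None, k % N
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def poly_eval(coeffs, x):
    return sum(c * pow(x, l, N) for l, c in enumerate(coeffs)) % N

def kgc_deal(s1_i, t, k):
    """S1: KGC i builds f_i (constant term s1_i) and g_i (constant term r_i), publishes
    E_il = [a_il]G + [b_il]H (assumed Pedersen form) and derives shares (f_i(j), g_i(j))."""
    f = [s1_i] + [secrets.randbelow(N - 1) + 1 for _ in range(t - 1)]
    g = [secrets.randbelow(N - 1) + 1 for _ in range(t)]
    E = [ec_add(ec_mul(a, G), ec_mul(b, H)) for a, b in zip(f, g)]
    return E, {j: (poly_eval(f, j), poly_eval(g, j)) for j in range(1, k + 1)}

def verify_share(j, f_j, g_j, E):
    """S2 / S52: accept (f(j), g(j)) iff [f(j)]G + [g(j)]H == sum_l [j^l] E_l. Since the
    commitments add homomorphically, the same check validates the summed share s2_j."""
    lhs = ec_add(ec_mul(f_j, G), ec_mul(g_j, H))
    rhs = None
    for l, E_l in enumerate(E):
        rhs = ec_add(rhs, ec_mul(pow(j, l, N), E_l))
    return lhs == rhs

def lagrange_zero(points):
    """S53: recover S = F(0) mod N from t points (i, F(i))."""
    total = 0
    for i, y_i in points:
        num = den = 1
        for j, _ in points:
            if j != i:
                num, den = num * (-j) % N, den * (i - j) % N
        total = (total + y_i * num * pow(den, -1, N)) % N
    return total

def user_keygen(S, omega, X_A, ID_A):
    """S6 + S7: KGC derives (t, W) from the recovered S and omega; the user derives S_A and
    P_U and runs the claim-10 check [S_A]G == P_U. The byte encoding of Z_A is assumed."""
    U_A, P_pub = ec_mul(X_A, G), ec_mul(S, G)
    W = ec_add(ec_mul(omega, G), U_A)                        # claimed public key
    if W is None:
        raise ValueError("degenerate W; the KGC must pick a fresh omega")
    Z_A = hashlib.sha256(f"{ID_A}|{A}|{B}|{G[0]}|{G[1]}".encode()).hexdigest()
    t1 = int(hashlib.sha256(f"{W[0]}|{W[1]}|{Z_A}".encode()).hexdigest(), 16) % N
    t = (omega + t1 * S) % N                                 # user private key fragment
    S_A = (X_A + t) % N                                      # user's complete private key
    P_U = ec_add(W, ec_mul(t1, P_pub))                       # user's actual public key
    return S_A, P_U, ec_mul(S_A, G) == P_U
```

With (t, k) = (2, 3) and master components s1 = 3, 5, 8, every honest share verifies, any one-unit tampering of a share fails the check, any two summed shares recover S = 16, and the user's check passes.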
CN202211306716.5A 2022-10-25 2022-10-25 Certificateless SM2 key generation method based on verifiable secret sharing Active CN115580401B (en)

Publications (2)

Publication Number Publication Date
CN115580401A true CN115580401A (en) 2023-01-06
CN115580401B CN115580401B (en) 2023-12-22
