CN115580401A - Certificateless SM2 secret key generation method based on verifiable secret sharing - Google Patents
- Publication number: CN115580401A (application CN202211306716.5A)
- Authority: CN (China)
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes
- H04L9/0869: Generation of secret information involving random numbers or seeds
- H04L9/3066: Public key cryptography involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- H04L9/3221: Verification of user identity or message authentication using interactive zero-knowledge proofs
Abstract
The invention discloses a certificateless SM2 key generation method based on verifiable secret sharing, comprising the following steps: each key generation center in the system calculates and discloses a verifiable zero-knowledge commitment and generates corresponding first-part secret shares for the other key generation centers; each center verifies whether the first-part secret shares it receives are valid; if they are valid, each key generation center calculates second-part secret shares from the first-part secret shares; the current key generation center recovers the complete system master private key S and the master public key P_pub corresponding to it; a user private key fragment t and a public key W are calculated; the user side obtains the user's complete private key and the user's actual public key P_U from the user private key fragment t and the public key W. The invention ensures that the secret shares received by each party are valid and that no private information about the master key shares held in secret by the key generation centers of the parties is revealed.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a certificateless SM2 secret key generation method based on verifiable secret sharing.
Background
In public key cryptography, a user's public key often needs to be bound to the user's identity information or another distinguishing identifier, which is managed either by a certificate-based system or by a certificateless system. For the SM2 signature algorithm, a certificate-based system needs an additional certificate authentication mechanism and its certificate management is relatively tedious, whereas managing a user's SM2 key through a certificateless system allows the user identifier to be used directly as the user's public key, omits the exchange of digital certificates and public keys, and makes the cryptosystem easy to deploy and manage.
In the existing SM2 certificateless system, a key fragment is generated for the user by a Key Generation Center (KGC), and the complete key is finally generated independently by the user; the key generation center cannot learn any information about the user's complete private key. Generating the user's private key shard with a single key generation center suffers from service interruption, master private key leakage and similar problems caused by centralized authority or single-point failure. In the general case, a threshold mechanism based on a secret sharing scheme can be adopted, in which multiple key generation centers share secret shares of the system master private key and cooperate to generate the user's private key shard. However, when some of the key generation centers are dishonest, it cannot be ruled out that a dishonest center distributes wrong secret shares, so that an invalid key is eventually constructed, which necessarily undermines the security and stability of the certificateless system.
Disclosure of Invention
The invention aims to overcome the shortcomings of the prior art by providing a certificateless SM2 key generation method based on verifiable secret sharing, which solves the problems of service interruption, master key leakage and the like caused by centralized authority or single-point failure when a single KGC generates a user's key fragment in the existing SM2 certificateless system.
The purpose of the invention is realized by the following technical scheme:
a certificateless SM2 key generation method based on verifiable secret sharing comprises the following steps:
S1, each key generation center in the system calculates and discloses verifiable zero-knowledge commitments according to a pre-stored master key component, a preset threshold, the system public parameters and a polynomial of degree t-1, generates corresponding first-part secret shares (f_i(j), g_i(j)) for the other key generation centers, and sends them to the corresponding key generation centers;
S2, each key generation center verifies, according to the published zero-knowledge commitments, whether the first-part secret shares (f_i(j), g_i(j)) are valid; if so, step S3 is executed;
S3, each key generation center calculates second-part secret shares s2_i, g_i from the first-part secret shares and stores the second-part secret shares s2_i, g_i locally;
S4, the user side generates a partial private key X_A and sends the public key corresponding to the partial private key X_A together with the user identification to a key generation center;
S5, the current key generation center requests the other key generation centers in the system for the second-part secret components s2_i, g_i used to recover the system master key pair, thereby recovering the complete system master private key S and the corresponding master public key P_pub;
S6, a user private key fragment t and a public key W are calculated from the user's partial private key X_A, the user identification ID_A, the random parameter components ω_i randomly generated by the other key generation centers, and the system public parameters;
S7, the user side obtains the user's complete private key and the user's actual public key P_U from the partial private key X_A, the user private key fragment t and the claimed public key W, completing the generation of the certificateless SM2 key.
Preferably, step S1 comprises:
S11, each KGC in the system generates a random number s1_i and takes the random number s1_i as its component of the system master private key, where s1_i ∈ [1, N-1], i ∈ [1, k], and k is the number of all KGCs;
S12, each KGC takes the random number s1_i as a secret value and, according to a preset threshold (t, k), selects t-1 random numbers [a_i1, a_i2, ..., a_i(t-1)] and another group of random numbers [r_i, b_i1, b_i2, ..., b_i(t-1)], and calculates two polynomials f_i(x) and g_i(x) of degree t-1, where [a_i1, a_i2, ..., a_i(t-1)] ∈ [1, N-1], [r_i, b_i1, b_i2, ..., b_i(t-1)] ∈ [1, N-1], f_i(x) = s1_i + a_i1 x + a_i2 x^2 + ... + a_i(t-1) x^(t-1), g_i(x) = r_i + b_i1 x + b_i2 x^2 + ... + b_i(t-1) x^(t-1), i ∈ [1, k];
S13, each KGC calculates and discloses verifiable zero-knowledge commitments E_i0, ..., E_i(t-1), where:
S14, each KGC generates first-part secret shares (f_i(j), g_i(j)) for the other KGCs from the polynomials f_i(x) and g_i(x) and sends the secret shares (f_i(j), g_i(j)) to the other KGCs in turn; where i, j ∈ [1, k], i ≠ j, and f_i(j), g_i(j) denote the secret shares generated by the i-th KGC and sent to the j-th KGC.
Preferably, step S2 comprises:
S21, each KGC receives the secret shares (f_i(j), g_i(j)) distributed by the other KGCs and verifies whether the commitment relation holds; if so, step S31 is executed; where E_jl, j ∈ [1, k], l ∈ [1, t-1], are the verifiable zero-knowledge commitments published by each KGC;
Step S3 comprises:
S31, each KGC calculates and stores the second-part secret shares s2_i, g_i, where:
Preferably, step S4 comprises:
S41, the user side randomly and secretly generates a partial private key X_A and sends the first multiple point U_A corresponding to the partial private key X_A, together with the user identification ID_A, to a key generation center.
Preferably, step S5 comprises:
S51, the current key generation center receives the user's key generation request and requests the other key generation centers in the system for the second-part secret components s2_i, g_i used to recover the system master key pair, together with randomly generated random parameter components ω_i; the user's key generation request comprises the first multiple point U_A and the user identification ID_A;
S52, verifying whether the secret components s2_i are valid; if so, step S52 is executed;
S53, when at least t valid secret shares s2_i have been obtained, recovering a polynomial F(x) of degree t-1 by Lagrange interpolation, and recovering the complete system master private key S and the corresponding master public key P_pub.
Preferably, step S6 comprises:
S61, calculating the claimed public key W from the random parameter components ω_i randomly generated by the t key generation centers and the first multiple point U_A;
S62, calculating the user private key fragment t according to the user identification ID_A;
S63, sending the user private key fragment t and the public key W back to the user side.
Preferably, in step S52, whether the secret component s2_i is valid is determined by verifying whether the commitment relation holds; where the commitment term is the zero-knowledge commitment published by the j-th KGC;
in step S53, the formula for recovering the system master private key S is:
S = F(0) mod N;
and the formula for recovering the master public key P_pub corresponding to the master private key is:
where the two coordinates of P_pub are the values of the multiple point [S]G on the x-axis and on the y-axis of the elliptic curve, respectively.
Preferably, in step S61, the formula for the calculation from the random parameter components ω_i randomly generated by the t key generation centers and the first multiple point U_A is:
P_A = [ω]G;
W = P_A + U_A = [ω]G + [x]G = [ω + x]G = (x_W, y_W);
where ω_i denotes the random parameter components randomly generated by the t key generation centers, ω is the sum of the t ω_i reduced modulo N; P_A is the second multiple point generated from ω and the base point G; x_W and y_W are the values of the claimed public key W on the x-axis and y-axis of the elliptic curve, respectively.
In step S62, the formula for the calculation according to the user identification ID_A is:
t_1 = Hash(x_W || y_W || Z_A) mod N;
t = (ω + t_1 * S) mod N;
where a and b are parameters of the elliptic curve, ID_A is the user identity, x_G and y_G are the values of the base point G on the x-axis and y-axis of the elliptic curve, respectively; Z_A is the hash value thus generated; t_1 is the integer obtained by reducing the hash result modulo N; S is the recovered complete system master private key; and t is the user private key fragment.
Preferably, step S7 comprises: calculating the user's complete private key from the user private key fragment t and the claimed public key W; and generating an unforgeable user actual public key P_U from the claimed public key W. The formula for the calculation from the user private key fragment t and the claimed public key W is:
S_A = (X_A + t) mod N;
and the formula for generating the unforgeable user actual public key P_U from the claimed public key W is:
t_1 = Hash(x_W || y_W || Z_A) mod N
P_U = W + [t_1]P_pub.
Preferably, step S7 is followed by verifying whether the claimed public key contained in the user's actual public key P_U was distributed by the KGC and has not been tampered with, which comprises: verifying whether P_U* is the same as the user's actual public key P_U; if so, the claimed public key is valid and has not been tampered with; where P_U* = [S_A]G.
Compared with the prior art, the invention has the following advantages:
the invention generates corresponding secret share according to the main key component locally stored by each key generation center through the safe multiparty calculation operation based on the secret sharing scheme and distributes the secret share to other key generation centers in the system. The invention can also verify the validity and correctness of secret shares sent by distrusted entities by the verifiable computing operation supporting the addition homomorphism based on verifiable zero knowledge commitment. The process can not only ensure that the secret shares received by each entity are correct and effective, but also ensure that any privacy information of the master key component stored in secret in each key generation center is not leaked, thereby effectively improving the safety and stability of the whole system. In addition, the invention generates the user key fragment by the cooperation of the multi-party key generation center, and calculates the complete private key by the user, thereby avoiding the power concentration of a single key generation center and improving the security of the user key.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, are included to provide a further understanding of the invention, and are incorporated in and constitute a part of this specification, illustrate embodiment(s) of the invention and together with the description serve to explain the invention and not to limit the invention. In the drawings:
Fig. 1 is a schematic flowchart of a certificateless SM2 key generation method based on verifiable secret sharing according to the present invention.
Fig. 2 is a flowchart illustrating system initialization according to the present invention.
Fig. 3 is a schematic flowchart of user key generation according to the present invention.
Detailed Description
The invention is further illustrated by the following figures and examples.
Fig. 1 is a schematic flowchart of a certificateless SM2 key generation method based on verifiable secret sharing according to the present invention. As shown in fig. 1, a certificateless SM2 key generation method based on verifiable secret sharing includes:
S1, each key generation center in the system calculates and discloses a verifiable zero-knowledge commitment according to a pre-stored master key component, a preset threshold, the system public parameters and a polynomial of degree t-1, generates corresponding first-part secret shares (f_i(j), g_i(j)) for the other key generation centers, and sends them to the corresponding key generation centers;
S2, each key generation center verifies, according to the verifiable zero-knowledge commitments of the key generation centers, whether the first-part secret shares (f_i(j), g_i(j)) are valid; if so, step S3 is executed;
S3, each key generation center calculates second-part secret shares s2_i, g_i from the first-part secret shares and stores the second-part secret shares s2_i, g_i locally;
S4, the user side generates a partial private key X_A and sends the public key corresponding to the partial private key X_A together with the user identification to a key generation center;
S5, the current key generation center requests the other key generation centers in the system for the second-part secret components s2_i, g_i used to recover the system master key pair, thereby recovering the complete system master private key S and the corresponding master public key P_pub;
S6, a user private key fragment t and a public key W are calculated from the user's partial private key X_A, the user identification ID_A, the random parameter components ω_i randomly generated by the other key generation centers, and the system public parameters;
S7, the user side obtains the user's complete private key and the user's actual public key P_U from the partial private key X_A, the user private key fragment t and the claimed public key W, completing the generation of the certificateless SM2 key.
According to this scheme, a secure and valid key is generated by t (t ≥ 2) key generation centers cooperating with the user. The key generation method satisfies the following requirements:
1. The t key generation centers have complete autonomy over their locally stored system master private key components, and no other user or malicious key generation center can obtain information about a master private key component;
2. The complete private key generated by the multi-party key generation centers in cooperation with the user meets the requirements of the national SM2 key specification; the user can use this private key to generate digital signatures, and the signature values meet the requirements of the national SM2 signature standard;
3. Fewer than t key generation centers cannot jointly construct the complete system master private key, so they cannot cooperate with a user to generate a valid complete key.
4. While constructing the complete master private key under the secret sharing scheme, the t key generation centers perform zero-knowledge verification of the different secret shares they receive, which prevents a dishonest key generation center from distributing wrong secret shares and an invalid system master private key from being constructed.
It should be noted that this embodiment involves 5 key generation centers (KGCs) and a user side. The elliptic curve parameters used in this embodiment all meet the requirements of the SM2 cryptographic algorithm, and the published system parameters comprise a finite field F_q, an elliptic curve E(F_q) over F_q, the parameters a and b of E(F_q), the x and y coordinates (x_G, y_G) of the base point G, and the order N of the base points G and H. The threshold t selected for the secret sharing scheme is 3, i.e. at least 3 valid secret shares held by KGCs are required to jointly construct the complete system master key.
Specifically, the certificateless SM2 key generation method based on verifiable secret sharing provided by this embodiment comprises the steps of system initialization and user complete key generation, as follows:
1. System initialization (refer to Fig. 2)
1) Each of the 5 KGCs generates a random number s1_i ∈ [1, N-1] as its component of the system master private key, i ∈ [1, 5], where k denotes the number of all KGCs; the system here refers to the 5 key generation centers (KGCs) and the user side. Each key generation center holds its own master key, comprising a master private key and a master public key.
2) Each KGC takes its own s1_i as the secret value and, according to the threshold (t, k), selects t-1 random numbers [a_i1, a_i2, ..., a_i(t-1)] ∈ [1, N-1] and another group of random numbers [r_i, b_i1, b_i2, ..., b_i(t-1)] ∈ [1, N-1], and calculates two polynomials of degree t-1, f_i(x) = s1_i + a_i1 x + a_i2 x^2 + ... + a_i(t-1) x^(t-1) and g_i(x) = r_i + b_i1 x + b_i2 x^2 + ... + b_i(t-1) x^(t-1), i ∈ [1, k];
3) Each KGC calculates the verifiable zero-knowledge commitments, and then discloses the verifiable zero-knowledge commitments E_i0, ..., E_i(t-1);
4) Each KGC generates first-part secret shares (f_i(j), g_i(j)) for the other KGCs from the polynomials f_i(x) and g_i(x), where i, j ∈ [1, 5], and f_i(j), g_i(j) denote the secret shares generated by the i-th KGC and sent to the j-th KGC. Each KGC distributes the secret shares (f_i(j), g_i(j)), i ≠ j, to the other KGCs in turn;
The k KGCs calculate and disclose verifiable zero-knowledge commitments according to the master key components they hold, the threshold t, the system public parameters and the polynomials of degree t-1, generate corresponding first-part secret shares for the other k-1 KGCs and send them to the corresponding KGCs.
5) Each KGC receives the secret shares (f_i(j), g_i(j)) distributed by the other KGCs and verifies whether the commitment relation holds, where E_jl, j ∈ [1, 5], l ∈ [1, 2], are the verifiable zero-knowledge commitments published by each KGC; if the relation does not hold, the secret share is invalid and the first-part secret share must be generated again;
Steps 3), 4) and 5) verify whether the received secret shares are valid through a verifiable computing operation based on the verifiable zero-knowledge commitments generated by each KGC, while ensuring that nothing about the system master private key component s1_i is leaked.
6) Each KGC calculates the second-part secret shares s2_i and g_i, and then stores s2_i, g_i locally.
The second-part secret shares s2_i and g_i stored locally by each KGC in step 6) are used subsequently to check the validity of secret shares and to construct the polynomial F(x) of degree t-1, and thereby the complete system master private key secret value S = F(0) mod N = (s1_1 + s1_2 + s1_3) mod N and the master public key P_KGC = [S]G = ([s1_1]G + [s1_2]G + [s1_3]G);
Each KGC verifies whether the secret shares are correct and valid according to the zero-knowledge commitments disclosed by each KGC and the first-part secret shares received from the other KGCs; if so, it calculates and stores the second-part secret shares from the locally stored first-part secret share and the first-part secret shares received from the other KGCs; if not, it requests the corresponding key generation center to obtain the first-part secret share again.
2. User key generation (refer to Fig. 3)
User side:
1) Randomly and secretly generate x, x ∈ [1, N-1], as the user's partial private key X_A = x;
2) Calculate U_A = [x]G;
3) Send U_A together with the user identification ID_A to a key generation center; U_A is the first multiple point corresponding to the user's partial private key X_A (generated from the base point G of the elliptic curve).
Key generation center:
1) Receive the user's key generation request and request from the other key generation centers the second-part secret components s2_i, g_i used to recover the system master key pair, together with randomly generated random parameter components ω_i ∈ [1, N-1], i ∈ [1, t-1];
2) Perform the commitment calculation, where the commitment term denotes the zero-knowledge commitment published by the j-th KGC. Then, on the basis of the received second-part secret components s2_i, g_i, determine whether the secret components s2_i sent by the other KGCs are valid by verifying whether the commitment relation holds; if a secret component is invalid, return an error and request the secret component s2_i again.
3) When no fewer than t valid secret shares s2_i have been collected, recover the polynomial F(x) of degree t-1 by Lagrange interpolation, thereby recovering the complete system master private key S = F(0) mod N, and then calculate and disclose the system master public key P_pub. Here P_pub is the master public key corresponding to the recovered complete system master private key S, generated from the base point G of the elliptic curve; its two coordinates are the values of the multiple point [S]G on the x-axis and on the y-axis of the elliptic curve, respectively.
4) Calculate ω and P_A = [ω]G; where ω_i denotes the random parameter components randomly generated by the t key generation centers, ω is the sum of the t ω_i reduced modulo N, which ensures that ω does not exceed N; and P_A is the second multiple point generated from ω and the base point G;
5) Calculate W = P_A + U_A = [ω]G + [x]G = [ω + x]G = (x_W, y_W); where W is the sum of the multiple points P_A and U_A, and x_W and y_W are the values of W on the x-axis and y-axis of the elliptic curve, respectively; W is then designated the claimed public key;
6) Calculate Z_A, where a and b are parameters of the elliptic curve, ID_A is the user identity, x_G and y_G are the values of the base point G on the x-axis and y-axis of the elliptic curve, respectively, and Z_A is the hash value generated from the result.
7) Calculate t_1 = Hash(x_W || y_W || Z_A) mod N; where t_1 is the integer obtained by reducing the hash result modulo N;
8) Calculate t = (ω + t_1 * S) mod N; where S is the recovered complete system master private key, t is the user private key fragment, and W is the claimed public key;
9) Send the user private key fragment t and the claimed public key W back to the user side;
the user side calculates part of private keys and sends the corresponding public keys to the KGC. The KGC requests to obtain a second part of effective secret shares stored by other KGCs so as to recover the main private key of the system, then calculates and generates a part of private key of the user and a claimed public key according to a part of public keys sent by the user, the user distinguishable identification, random parameter components sent by other KGCs, system public parameters and the main public key of the system, and then sends the generated part of private key and the claimed public key to the user side.
User side:
1) Calculate S_A = (X_A + t) mod N as the user's complete private key;
2) The user saves W = (x_W, y_W) as the user's claimed public key;
The user's claimed public key is subsequently used, together with the published raw data (e.g. the system public parameters, the user identification ID_A, the system master public key P_pub and the user's claimed public key W), to generate the unforgeable user actual public key P_U. Signature verification and decryption operations of the SM2 algorithm can then be performed on the basis of the user's actual public key P_U. The generation of the actual public key P_U is divided into the following three steps:
2) Calculate t_1 = Hash(x_W || y_W || Z_A) mod N;
3) Calculate P_U = W + [t_1]P_pub;
In this scheme the user side calculates the complete user private key from the partial private key received from the KGC, and calculates the corresponding user actual public key from the claimed public key, the system master public key and the system public parameters.
The steps for verifying whether the claimed public key contained in the user's actual public key P_U was distributed by the KGC and has not been tampered with are mainly:
1) Calculate P_U* = [S_A]G;
2) Verify whether P_U* = P_U holds, i.e. verify whether P_U* is the same as the user's actual public key P_U generated by the above calculation; if so, the claimed public key is valid and has not been tampered with; if not, the public key is invalid.
Compared with existing secret-sharing-based key generation schemes, the present embodiment introduces verifiable zero-knowledge commitments. In the previous schemes, the parties share a set secret value through a secret sharing scheme and obtain corresponding secret shares, and can then construct the shared secret value from the held secret shares by secure multi-party computation; but if a dishonest entity distributes wrong or invalid secret shares, or an entity receives wrong secret shares, an invalid secret value is finally constructed, which compromises the security of the system and wastes system resources.
The method proposed by this embodiment not only generates and distributes the corresponding secret shares to the other key generation centers, from the master key component stored locally by each key generation center, through a secure multi-party computation based on the secret sharing scheme, but also verifies the validity and correctness of the secret shares sent by each untrusted entity, based on verifiable zero-knowledge commitments and through a verifiable computation supporting additive homomorphism. This process both ensures that the secret shares received by each entity are correct and valid and ensures that no private information about the master key component secretly stored in each key generation center is leaked, thereby effectively improving the security and stability of the whole system.
The above-mentioned embodiments are preferred embodiments of the present invention, and the present invention is not limited thereto, and any other modifications or equivalent substitutions that do not depart from the technical spirit of the present invention are included in the scope of the present invention.
Claims (10)
1. A certificateless SM2 key generation method based on verifiable secret sharing, comprising:
S1, each key generation center in the system calculates and discloses a verifiable zero-knowledge commitment according to a pre-stored master key component, a preset threshold value, the system public parameters and a (t-1)-order polynomial, generates corresponding first-part secret shares (f_i(j), g_i(j)) for the other key generation centers, and sends them to the corresponding key generation center;
S2, each key generation center verifies, according to the disclosed zero-knowledge commitment, whether the first-part secret share (f_i(j), g_i(j)) is valid; if yes, executing step S3;
S3, each key generation center calculates a second-part secret share s2_i, g_i according to the first-part secret shares, and stores the second-part secret share s2_i, g_i locally;
S4, the user side generates a user partial private key X_A and sends the public key corresponding to the user partial private key X_A together with the user identification to a key generation center;
S5, the current key generation center requests from the other key generation centers in the system the second-part secret components s2_i, g_i used to recover the system master key pair, thereby recovering the complete system master private key S and the master public key P_pub corresponding to the master private key;
S6, calculating, according to the user partial private key X_A, the user identification ID_A, the random parameter components ω_i randomly generated by the other key generation centers and the system public parameters, to generate a user private key fragment t and a purported public key W;
S7, the user side uses the user partial private key X_A, the user private key fragment t and the purported public key W to obtain the user's complete private key and the user's actual public key P_U, completing the generation of the certificateless SM2 key.
2. The certificateless SM2 key generation method of claim 1, wherein step S1 comprises:
S11, each KGC in the system generates a random number s1_i and uses the random number s1_i as a component of the system master private key, where s1_i ∈ [1, N-1], i ∈ [1, k], and k represents the number of all KGCs;
S12, each KGC takes the random number s1_i as a secret value and, according to the preset threshold (t, k), selects t-1 random numbers [a_i1, a_i2, ..., a_i(t-1)] and another set of random numbers [r_i, b_i1, b_i2, ..., b_i(t-1)], and calculates two (t-1)-order polynomials f_i(x) and g_i(x), wherein [a_i1, a_i2, ..., a_i(t-1)] ∈ [1, N-1], [r_i, b_i1, b_i2, ..., b_i(t-1)] ∈ [1, N-1], and the polynomials are f_i(x) = s1_i + a_i1 x + a_i2 x^2 + ... + a_i(t-1) x^(t-1) and g_i(x) = r_i + b_i1 x + b_i2 x^2 + ... + b_i(t-1) x^(t-1), i ∈ [1, k];
S13, each KGC calculates and discloses the verifiable zero-knowledge commitments E_i0, ..., E_i(t-1); wherein,
S14, each KGC generates first-part secret shares (f_i(j), g_i(j)) for the other KGCs according to the polynomials f_i(x) and g_i(x), and sends the secret shares (f_i(j), g_i(j)) in turn to the other KGCs; wherein i, j ∈ [1, k], i ≠ j, and f_i(j) and g_i(j) represent the secret shares generated by the i-th KGC and sent to the j-th KGC.
3. The certificateless SM2 key generation method of claim 2, wherein step S2 comprises:
S21, each KGC receives the secret shares (f_i(j), g_i(j)) distributed by the other KGCs and verifies them; if valid, executing step S31; wherein E_jl, j ∈ [1, k], l ∈ [1, t-1], are the verifiable zero-knowledge commitments disclosed by each KGC;
step S3 comprises the following steps:
4. The certificateless SM2 key generation method of claim 3, wherein step S4 comprises:
S41, the user side randomly and secretly generates a user partial private key X_A, and sends the first multiple point U_A corresponding to the user partial private key X_A together with the user identification ID_A to a key generation center.
5. The certificateless SM2 key generation method of claim 4, wherein step S5 comprises:
S51, the current key generation center receives the user's key generation request and requests from the other key generation centers in the system the second-part secret components s2_i, g_i used to recover the system master key pair, together with a randomly generated parameter component ω_i; the user's key generation request comprises the first multiple point U_A and the user identification ID_A;
S52, verifying whether the secret component s2_i is valid; if yes, go to step S53;
S53, when at least t valid secret shares s2_i have been obtained, recovering the (t-1)-order polynomial F(x) by Lagrange interpolation, and recovering the complete system master private key S and the master public key P_pub corresponding to the master private key.
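As an added example (not code from the patent), the threshold arithmetic of steps S12, S14, S3 and S53 in Python: each KGC's polynomial f_i(x), the summed shares s2_j kept by each KGC, and the recovery S = F(0) mod N by Lagrange interpolation once t shares are available. The commitment check of steps S2 and S52 is left out because the page does not give the commitment formula; the master components in the demo are constructed toy values.

```python
import secrets

# Order N of the SM2 base point; the page does all share arithmetic mod N
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123

def make_poly(s1_i, t):
    """f_i(x) = s1_i + a_i1 x + ... + a_i(t-1) x^(t-1), with a_il in [1, N-1] (step S12)."""
    return [s1_i] + [secrets.randbelow(N - 1) + 1 for _ in range(t - 1)]

def eval_poly(coeffs, x):
    return sum(c * pow(x, l, N) for l, c in enumerate(coeffs)) % N

def distribute(master_components, t):
    """Steps S14 and S3: KGC i sends f_i(j) to KGC j; KGC j keeps s2_j = sum_i f_i(j) mod N,
    which is a share of F(x) = sum_i f_i(x), the polynomial whose constant term is the master key."""
    k = len(master_components)
    polys = [make_poly(s1, t) for s1 in master_components]
    return {j: sum(eval_poly(f, j) for f in polys) % N for j in range(1, k + 1)}

def lagrange_at_zero(shares):
    """F(0) mod N by Lagrange interpolation over the points (j, s2_j)."""
    total = 0
    for j, s2 in shares.items():
        num = den = 1
        for m in shares:
            if m != j:
                num = num * (-m) % N
                den = den * (j - m) % N
        total = (total + s2 * num * pow(den, -1, N)) % N
    return total

def recover_master(shares, t):
    """Step S53: S = F(0) mod N once at least t valid shares s2_j are available."""
    if len(shares) < t:
        raise ValueError("need at least t shares to recover the master private key")
    return lagrange_at_zero(shares)

def demo():
    """Three KGCs, threshold (t, k) = (2, 3); constructed master components s1_1, s1_2, s1_3."""
    components = [5, 7, 11]                       # toy values so the result is readable
    shares = distribute(components, 2)
    # any two of the three KGCs recover S = s1_1 + s1_2 + s1_3 mod N; no single KGC ever held it
    return recover_master({1: shares[1], 3: shares[3]}, 2) == sum(components) % N
```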
6. The certificateless SM2 key generation method of claim 5, wherein step S6 comprises:
S61, calculating the purported public key W according to the random parameter components ω_i randomly generated by the t key generation centers and the first multiple point U_A;
S62, calculating the user private key fragment t according to the user identification ID_A;
S63, sending the user private key fragment t and the purported public key W back to the user side.
7. The certificateless SM2 key generation method according to claim 5, wherein in step S52, whether the secret component s2_i is valid is determined by verifying whether the verification equation holds; wherein the zero-knowledge commitment used in the verification is the one disclosed by the j-th KGC;
in step S53, the formula for recovering the system master private key S is:
S = F(0) mod N;
the formula for recovering the master public key P_pub corresponding to the master private key is:
8. The certificateless SM2 key generation method according to claim 6, wherein in step S61 the formula for the calculation from the random parameter components ω_i randomly generated by the t key generation centers and the first multiple point U_A is:
P_A = [ω]G;
W = P_A + U_A = [ω]G + [x]G = [ω + x]G = (x_W, y_W);
wherein ω_i refers to the random parameter components randomly generated by the t key generation centers, and ω is the sum of the ω_i reduced modulo N; P_A is the second multiple point generated from ω and the base point G; x_W and y_W are the x-coordinate and the y-coordinate, respectively, of the purported public key W on the elliptic curve.
In step S62, the formula for the calculation according to the user identification ID_A is:
t_1 = Hash(x_W || y_W || Z_A) mod N;
t = (ω + t_1 * S) mod N;
wherein a and b are the parameters of the elliptic curve, ID_A refers to the user identity, and x_G and y_G are the x-coordinate and the y-coordinate, respectively, of the base point G on the elliptic curve; Z_A is the hash value generated from them; t_1 is the integer obtained by reducing the hash value modulo N; S is the completely recovered system master private key, and t is the user private key fragment.
9. The certificateless SM2 key generation method of claim 8, wherein step S7 comprises:
calculating the user's complete private key according to the user private key fragment t and the purported public key W; and generating an unforgeable user actual public key P_U from the purported public key W; the formula for the calculation according to the user private key fragment t and the purported public key W is:
S_A = (X_A + t) mod N;
the formula for generating the unforgeable user actual public key P_U from the purported public key W is:
t_1 = Hash(x_W || y_W || Z_A) mod N
P_U = W + [t_1]P_pub.
10. The certificateless SM2 key generation method of claim 1, further comprising, after step S7: verifying whether the purported public key contained in the user's actual public key P_U was distributed by the KGC and has not been tampered with, comprising: verifying whether P_U* is the same as the user's actual public key P_U; if they are the same, the purported public key is valid and has not been tampered with; wherein P_U* = [S_A]G.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211306716.5A CN115580401B (en) | 2022-10-25 | 2022-10-25 | Certificateless SM2 key generation method based on verifiable secret sharing |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115580401A true CN115580401A (en) | 2023-01-06 |
CN115580401B CN115580401B (en) | 2023-12-22 |
Family
ID=84587645
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211306716.5A Active CN115580401B (en) | 2022-10-25 | 2022-10-25 | Certificateless SM2 key generation method based on verifiable secret sharing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115580401B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6446207B1 (en) * | 1997-01-31 | 2002-09-03 | Certicom Corporation | Verification protocol |
CN106961336A (en) * | 2017-04-18 | 2017-07-18 | 北京百旺信安科技有限公司 | A kind of key components trustship method and system based on SM2 algorithms |
CN108809658A (en) * | 2018-07-20 | 2018-11-13 | 武汉大学 | A kind of digital signature method and system of the identity base based on SM2 |
CN108989053A (en) * | 2018-08-29 | 2018-12-11 | 武汉珈港科技有限公司 | It is a kind of based on elliptic curve without CertPubKey cipher system implementation method |
CN109377360A (en) * | 2018-08-31 | 2019-02-22 | 西安电子科技大学 | Block chain transaction in assets transfer account method based on Weighted Threshold signature algorithm |
CN112804062A (en) * | 2020-12-31 | 2021-05-14 | 北京海泰方圆科技股份有限公司 | Certificateless signature method, device, equipment and medium based on SM2 algorithm |
US20210152371A1 (en) * | 2018-04-05 | 2021-05-20 | nChain Holdings Limited | Computer implemented method and system for transferring access to a digital asset |
CN113111373A (en) * | 2021-05-13 | 2021-07-13 | 北京邮电大学 | Random number generation method of VBFT (visual basic FT) consensus mechanism and consensus mechanism system |
CN113507374A (en) * | 2021-07-02 | 2021-10-15 | 恒生电子股份有限公司 | Threshold signature method, device, equipment and storage medium |
Non-Patent Citations (1)
Title |
---|
辛利 (Xin Li): "Intrusion-tolerant CA private key protection scheme based on threshold ECC", 计算机仿真 (Computer Simulation), no. 12, pages 116 * |
Also Published As
Publication number | Publication date |
---|---|
CN115580401B (en) | 2023-12-22 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||