CN115580401B - Certificateless SM2 key generation method based on verifiable secret sharing - Google Patents


Info

Publication number: CN115580401B (application CN202211306716.5A)
Authority: CN (China)
Prior art keywords: key, user, secret, private key, public key
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115580401A
Inventors: 王凯, 张云兵, 姚景升
Current assignee: Shangmi Guangzhou Information Technology Co ltd
Original assignee: Shangmi Guangzhou Information Technology Co ltd

Classifications

    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information involving random numbers or seeds
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/3066 Public key cryptography involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3221 Entity authentication or data verification using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or interactive zero-knowledge proofs


Abstract

The invention discloses a certificateless SM2 key generation method based on verifiable secret sharing, comprising the following steps: each key generation center in the system calculates and discloses a verifiable zero-knowledge commitment and generates corresponding first partial secret shares for the other key generation centers; each center verifies whether the first partial secret shares it receives are valid; if so, each key generation center calculates a second partial secret share from the first partial secret shares; the current key generation center recovers the complete system master private key S and the corresponding master public key P_pub, then calculates and generates a user private key fragment t and a purported public key W; the user obtains the complete user private key and the actual user public key P_U from the private key fragment t and the purported public key W. The invention ensures that the secret share received by each entity is correct and valid, and also ensures that no private information about the master key component stored by each key generation center is leaked.

Description

Certificateless SM2 key generation method based on verifiable secret sharing
Technical Field
The invention relates to the technical field of information security, in particular to a certificateless SM2 key generation method based on verifiable secret sharing.
Background
In public key cryptography, a user's public key usually needs to be bound to the user's identity information or some other recognizable identifier, and this binding is managed either by a certificate-based system or by a certificateless system. For the Chinese national SM2 signature algorithm, a certificate-based system requires an additional certificate authentication mechanism and relatively complicated certificate management. A certificateless system can instead manage the user's SM2 key so that the user's identifier is used directly as the user's public key, which omits the exchange of digital certificates and public keys and makes the cryptosystem easy to deploy and manage.
The existing SM2 certificateless system generates a private key fragment for the user through a Key Generation Center (KGC), and the user then independently generates the complete private key; the key generation center cannot learn any information about the user's complete private key. In the general case, the private key fragment can be produced cooperatively by multiple key generation centers that share the system's master private key under a threshold mechanism based on a secret sharing scheme. However, when some of the key generation centers are dishonest, a dishonest center may distribute erroneous secret shares, so that an invalid key is finally constructed, which necessarily breaks the security and stability of the certificateless system.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a certificateless SM2 key generation method based on verifiable secret sharing. It solves the problems of service interruption and master private key leakage caused by concentrated authority or a single point of failure when a single KGC generates the user's private key fragment in the existing SM2 certificateless system, and it also solves the problem that, when multiple KGCs share the system master private key under a threshold secret sharing scheme and cooperate to generate the user's private key fragment, some dishonest KGCs may distribute wrong secret shares so that an invalid key is constructed.
The aim of the invention is achieved by the following technical scheme:
a method of certificateless SM2 key generation based on verifiable secret sharing comprising:
S1, each key generation center in the system calculates and discloses a verifiable zero-knowledge commitment according to its pre-stored master key component, a preset threshold value, the system public parameters and a polynomial of order t-1, generates corresponding first partial secret shares (f_i(j), g_i(j)) and sends them to the corresponding key generation centers;
S2, each key generation center verifies whether the first partial secret shares (f_i(j), g_i(j)) are valid; if they are valid, step S3 is executed;
S3, each key generation center calculates a second partial secret share s2_i, g_i from the first partial secret shares and stores s2_i, g_i locally;
S4, the user generates a partial private key X_A and sends the public key corresponding to X_A together with the user identifier to a key generation center;
S5, the current key generation center requests the other key generation centers in the system for the second partial secret components s2_i, g_i used to recover the system master key pair, and thereby recovers the complete system master private key S and the corresponding master public key P_pub;
S6, the user private key fragment t and the purported public key W are calculated from the user's partial private key X_A, the user identifier ID_A, the random parameter components ω_i randomly generated by the other key generation centers and the system public parameters;
S7, the user obtains the complete user private key and the actual user public key P_U from the partial private key X_A, the user private key fragment t and the purported public key W, which completes the generation of the certificateless SM2 key.
Preferably, step S1 comprises:
S11, each KGC in the system generates a random number s1_i and uses it as its component of the system master private key, where s1_i ∈ [1, N-1], i ∈ [1, k], and k is the number of KGCs;
S12, each KGC takes the random number s1_i as the secret value and, according to the preset threshold (t, k), selects t-1 random numbers [a_{i1}, a_{i2}, ..., a_{i(t-1)}] and another set of random numbers [r_i, b_{i1}, b_{i2}, ..., b_{i(t-1)}], all in [1, N-1], and computes two polynomials of order t-1, f_i(x) and g_i(x):
f_i(x) = s1_i + a_{i1} x + a_{i2} x^2 + ... + a_{i(t-1)} x^{t-1},
g_i(x) = r_i + b_{i1} x + b_{i2} x^2 + ... + b_{i(t-1)} x^{t-1}, i ∈ [1, k];
S13, each KGC calculates and discloses the verifiable zero-knowledge commitments E_{i0}, ..., E_{i(t-1)};
S14, each KGC generates the first partial secret shares (f_i(j), g_i(j)) for the other KGCs from the polynomials f_i(x) and g_i(x) and distributes the shares (f_i(j), g_i(j)) to the other KGCs in turn; here i, j ∈ [1, k], i ≠ j, and f_i(j), g_i(j) denote the secret share generated by the i-th KGC and issued to the j-th KGC.
Preferably, step S2 includes:
S21, each KGC receives the secret shares (f_i(j), g_i(j)) and verifies them against the commitments; if the verification holds, step S31 is executed; here E_{jl}, j ∈ [1, k], l ∈ [1, t-1], are the verifiable zero-knowledge commitments issued by each KGC;
Step S3 comprises the following step:
S31, each KGC calculates and saves the second partial secret share s2_i, g_i.
preferably, step S4 includes:
S41, the user generates a partial private key X_A from a random secret and sends the first multiple point U_A corresponding to X_A together with the user identifier ID_A to a key generation center.
Preferably, step S5 includes:
S51, the current key generation center receives the user's key generation request and requests the other key generation centers in the system for the second partial secret components s2_i, g_i used to recover the system master key pair, together with a randomly generated random parameter component ω_i; the user's key generation request comprises the first multiple point U_A and the user identifier ID_A;
S52, verifying whether the secret component s2_i is valid; if so, step S53 is executed;
S53, once at least t valid secret shares s2_i have been obtained, the polynomial F(x) of order t-1 is recovered by Lagrange interpolation, and the complete system master private key S and the corresponding master public key P_pub are recovered.
Preferably, step S6 includes:
S61, the purported public key W is calculated from the random parameter components ω_i randomly generated by t key generation centers and the first multiple point U_A;
S62, the user private key fragment t is calculated from the user identifier ID_A;
S63, the user private key fragment t and the purported public key W are sent back to the user side.
Preferably, in step S52, whether the secret component s2_i is valid is judged by checking whether the verification equation holds, the equation being evaluated against the zero-knowledge commitments published by the j-th KGC;
in step S53, the formula for recovering the system master private key S is:
S = F(0) mod N;
the master public key P_pub corresponding to the master private key is the multiple point [S]G, whose x-coordinate and y-coordinate are the values of the point [S]G on the x-axis and the y-axis of the elliptic curve.
Preferably, in step S61, the formulas for calculating from the random parameter components ω_i randomly generated by t key generation centers and the first multiple point U_A are:
P_A = [ω]G;
W = P_A + U_A = [ω]G + [x]G = [ω + x]G = (x_W, y_W);
where ω_i denotes the random parameter component randomly generated by each of the t key generation centers, ω is the sum of the t values ω_i reduced modulo N, P_A is a second multiple point generated from ω and the base point G, and x_W and y_W are the values of the purported public key W on the x-axis and y-axis of the elliptic curve.
In step S62, the formulas for calculating from the user identifier ID_A are:
t_1 = Hash(x_W || y_W || Z_A) mod N;
t = (ω + t_1 · S) mod N;
where a and b are the parameters of the elliptic curve, ID_A is the user identifier, x_G and y_G are the values of the base point G on the x-axis and y-axis of the elliptic curve, Z_A is the hash value obtained from them, t_1 is the integer obtained by reducing the hash result modulo N, S is the recovered complete system master private key, and t is the user private key fragment.
Preferably, step S7 includes: calculating the complete user private key from the user private key fragment t and the purported public key W, and generating the unforgeable actual user public key P_U from the purported public key W. The formula for the calculation from the user private key fragment t and the purported public key W is:
S_A = (X_A + t) mod N;
the formulas for generating the unforgeable actual user public key P_U from the purported public key W are:
t_1 = Hash(x_W || y_W || Z_A) mod N
P_U = W + [t_1]P_pub
Preferably, step S7 further comprises verifying whether the purported public key underlying the actual user public key P_U was distributed by the KGC and has not been tampered with, specifically: verify whether P_U* is identical to the actual user public key P_U; if so, the purported public key is valid and untampered; here P_U* = [S_A]G.
Compared with the prior art, the invention has the following advantages:
the invention generates corresponding secret share according to the main key component stored locally by each party key generation center through the safe multiparty calculation operation based on the secret sharing scheme and distributes the secret share to other key generation centers in the system. The invention also enables verification of the validity of secret shares sent by non-trusted entities of parties based on verifiable zero-knowledge commitments and through verifiable computing operations supporting addition homonymies. The process not only can ensure that the secret shares received by the entities of each party are correct and effective, but also can ensure that any private information of the master key component secret stored by the secret key generation center of each party is not leaked, thereby effectively improving the safety and stability of the whole system. In addition, the invention cooperatively generates the user key fragments through the multiparty key generation center and calculates the complete private key by the user, thereby avoiding the authority concentration of a single key generation center and improving the security of the user key.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention. In the drawings:
fig. 1 is a flow chart of a method for generating a certificateless SM2 key based on verifiable secret sharing according to the present invention.
FIG. 2 is a flow chart of system initialization according to the present invention.
Fig. 3 is a flow chart of user key generation according to the present invention.
Detailed Description
The invention is further described below with reference to the drawings and examples.
Fig. 1 is a flow chart of a method for generating a certificateless SM2 key based on verifiable secret sharing according to the present invention. As shown in fig. 1, a method for generating a certificateless SM2 key based on verifiable secret sharing includes:
S1, each key generation center in the system calculates and discloses a verifiable zero-knowledge commitment according to its pre-stored master key component, a preset threshold value, the system public parameters and a polynomial of order t-1, generates corresponding first partial secret shares (f_i(j), g_i(j)) for the other key generation centers and sends them to the corresponding key generation centers;
S2, each key generation center verifies whether the first partial secret shares (f_i(j), g_i(j)) are valid; if so, step S3 is executed;
S3, each key generation center calculates a second partial secret share s2_i, g_i from the first partial secret shares and stores s2_i, g_i locally;
S4, the user generates a partial private key X_A and sends the public key corresponding to X_A together with the user identifier to a key generation center;
S5, the current key generation center requests the other key generation centers in the system for the second partial secret components s2_i, g_i used to recover the system master key pair, and thereby recovers the complete system master private key S and the corresponding master public key P_pub;
S6, the user private key fragment t and the purported public key W are calculated from the user's partial private key X_A, the user identifier ID_A, the random parameter components ω_i randomly generated by the other key generation centers and the system public parameters;
S7, the user obtains the complete user private key and the actual user public key P_U from the partial private key X_A, the user private key fragment t and the purported public key W, which completes the generation of the certificateless SM2 key.
The scheme generates secure and valid keys through t (t ≥ 2) key generation centers cooperating with the user. This key generation method satisfies the following requirements:
1. The t key generation centers have complete autonomy over their locally stored components of the system master private key, and neither other users nor any malicious key generation center can obtain information about a master private key component;
2. The complete private key generated by the multiple key generation centers cooperating with the user conforms to the national SM2 key specification; the user can use it to generate digital signatures, and the signature values conform to the national SM2 signature standard;
3. Fewer than t key generation centers cannot cooperatively construct the complete system master private key, and therefore cannot generate a valid complete key in cooperation with the user;
4. In the process of constructing the complete master private key based on the secret sharing scheme, the t key generation centers perform effective zero-knowledge verification of the different secret shares they receive, which prevents a dishonest key generation center from distributing wrong secret shares and thereby constructing an invalid system master private key.
This embodiment involves 5 Key Generation Centers (KGCs) and a client. All elliptic curve parameters in this embodiment meet the requirements of the national SM2 algorithm; the disclosed system parameters comprise the finite field F_q, the elliptic curve E(F_q), the curve elements a, b of E(F_q), the coordinates (x_G, y_G) of the base point G, the order N corresponding to the base point G, and H. The threshold t chosen for the secret sharing scheme is 3, i.e. the complete system master key can only be constructed in cooperation with the valid secret shares held by at least 3 KGCs.
Specifically, the certificateless SM2 key generation method based on verifiable secret sharing provided in this embodiment consists of system initialization and complete user key generation, with the following steps:
1. system initialization (refer to FIG. 2)
1) Each of the 5 KGCs generates a random number s1_i ∈ [1, N-1] as its component of the system master private key, i ∈ [1, 5], where k denotes the number of all KGCs. The system here refers to the 5 Key Generation Centers (KGCs) and the client. Each key generation center holds its own master key, including a master private key and a master public key.
2) Each KGC takes s1_i as the secret value and, according to the threshold (t, k), selects t-1 random numbers [a_{i1}, a_{i2}, ..., a_{i(t-1)}] ∈ [1, N-1] and another set of random numbers [r_i, b_{i1}, b_{i2}, ..., b_{i(t-1)}] ∈ [1, N-1], and computes two polynomials of order t-1, f_i(x) = s1_i + a_{i1} x + a_{i2} x^2 + ... + a_{i(t-1)} x^{t-1} and g_i(x) = r_i + b_{i1} x + b_{i2} x^2 + ... + b_{i(t-1)} x^{t-1}, i ∈ [1, k];
3) Each KGC calculates its verifiable zero-knowledge commitments and then discloses them as E_{i0}, ..., E_{i(t-1)};
4) Each KGC generates the first partial secret shares (f_i(j), g_i(j)) from the polynomials f_i(x) and g_i(x), with i, j ∈ [1, 5]; f_i(j) and g_i(j) denote the secret share generated by the i-th KGC and issued to the j-th KGC. Each KGC sends the secret share (f_i(j), g_i(j)), i ≠ j, to the other KGCs in turn;
In this way each of the k KGCs calculates and discloses verifiable zero-knowledge commitments according to its stored master key component, the threshold t, the system public parameters and the polynomial of order t-1, generates the corresponding first partial secret shares for the other k-1 KGCs and sends them to the corresponding KGCs.
5) Each KGC receives the secret shares (f_i(j), g_i(j)) distributed by the other KGCs and verifies them against the commitments E_{jl}, j ∈ [1, 5], l ∈ [1, 2], which are the verifiable zero-knowledge commitments issued by each KGC; if the verification fails, the secret share is invalid and the first partial secret share must be requested again;
Steps 3), 4) and 5) verify whether the received secret shares are valid by means of verifiable computing operations and the verifiable zero-knowledge commitments generated by the KGCs, while ensuring that no information about the system master private key component s1_i is disclosed.
6) Each KGC calculates the second partial secret share s2_i and g_i, and then stores s2_i, g_i locally.
The second partial secret share s2_i and g_i stored locally by each KGC in step 6) is used for the subsequent verification of the validity of the secret shares and for constructing the polynomial F(x) of order t-1, which yields the complete system master private secret value S = F(0) mod N = (s1_1 + s1_2 + s1_3) mod N and the master public key P_KGC = [S]G = [s1_1]G + [s1_2]G + [s1_3]G;
In this scheme each KGC verifies whether a secret share is valid according to the zero-knowledge commitments disclosed by each KGC and the first partial secret shares received from the other KGCs; if valid, it calculates and stores the second partial secret share from its locally stored first partial secret share and the first partial secret shares received from the other KGCs; if not, it requests the first partial secret share again from the target key generation center.
2. User key generation (see FIG. 3)
The user terminal:
1) Generate a random secret x, x ∈ [1, N-1], as the user's partial private key X_A = x;
2) Calculate U_A = [x]G;
3) Send U_A together with the user identifier ID_A to a key generation center; U_A is the first multiple point corresponding to the user's partial private key X_A (generated from the base point G of the elliptic curve).
Key generation center:
1) Receive the user's key generation request, and request from the other key generation centers the second partial secret components s2_i, g_i used to recover the system master key pair together with a randomly generated random parameter component ω_i ∈ [1, N-1], i ∈ [1, t-1];
2) Calculate the verification term from the zero-knowledge commitments published by the j-th KGC. Then check, by the verification equation over the received second partial secret components s2_i, g_i, whether the secret components s2_i sent by the other KGCs are valid; if not, return an error and request the secret component s2_i again;
3) Once no fewer than t valid secret shares s2_i have been collected, recover the polynomial F(x) of order t-1 by Lagrange interpolation to recover the complete system master private key S = F(0) mod N, then calculate and disclose the system master public key. Here P_pub is the master public key corresponding to the recovered complete system master private key S; it is likewise generated from the base point G of the elliptic curve, and its coordinates are the values of the multiple point [S]G on the x-axis and the y-axis of the elliptic curve.
4) Calculate ω and P_A = [ω]G; here ω_i is the random parameter component randomly generated by each of the t key generation centers, ω is the sum of the t values ω_i reduced modulo N so that ω does not exceed N, and P_A is the second multiple point generated from ω and the base point G;
5) Calculate W = P_A + U_A = [ω]G + [x]G = [ω + x]G = (x_W, y_W); W is the sum of the multiple points P_A and U_A, and x_W, y_W are the values of W on the x-axis and y-axis of the elliptic curve; W is marked as the purported public key;
6) Calculate Z_A; here a and b are the parameters of the elliptic curve, ID_A is the user identifier, x_G and y_G are the values of the base point G on the x-axis and y-axis of the elliptic curve, and Z_A is the resulting hash value.
7) Calculate t_1 = Hash(x_W || y_W || Z_A) mod N; t_1 is the integer obtained by reducing the hash result modulo N;
8) Calculate t = (ω + t_1 · S) mod N; S is the recovered complete system master private key, t is the user private key fragment and W is the purported public key;
9) Send the user private key fragment t and the purported public key W back to the user side;
In this scheme the user side calculates a partial private key and sends the corresponding public key to the KGC. The KGC requests the valid second partial secret shares saved by the other KGCs in order to recover the system master private key, then calculates the user's partial private key and the purported public key from the partial public key sent by the user, the user's recognizable identifier, the random parameter components sent by the other KGCs, the system public parameters and the system master public key, and sends the user's partial private key and the purported public key to the user side.
The user terminal:
1) Calculate S_A = (X_A + t) mod N and use it as the user's complete private key;
2) The user saves W = (x_W, y_W) as the user's purported public key;
The user's purported public key is then used, together with other public data (the system public parameters, the user identifier ID_A, the system master public key P_pub and the user's purported public key W), to generate the unforgeable actual user public key P_U. The SM2 signature and decryption operations can then be carried out on the basis of the user's actual public key P_U. The generation of the user's actual public key P_U is divided into the following three steps:
1) Calculate Z_A;
2) Calculate t_1 = Hash(x_W || y_W || Z_A) mod N;
3) Calculate P_U = W + [t_1]P_pub.
In this scheme the user side calculates the complete user private key from the partial private key received from the KGC, and calculates the corresponding user actual public key from the purported public key, the system master public key and the system public parameters.
Verifying whether the purported public key in the user actual public key $P_U$ was distributed by the KGC and has not been tampered with consists mainly of:
1) Calculate $P_U^* = [S_A]G$;
2) Verify whether $P_U^* = P_U$ holds, i.e. whether $P_U^*$ is identical to the calculated user actual public key $P_U$; if they are the same, the purported public key is valid and has not been tampered with; if they differ, the public key is invalid.
Compared with existing secret-sharing-based key generation schemes, the present embodiment introduces a verifiable zero-knowledge commitment. In previous schemes each party shares a set secret value through a secret sharing scheme and obtains a corresponding secret share, after which the parties can reconstruct the shared secret value from the shares they hold through secure multiparty computation; but if a dishonest entity distributes a false, invalid secret share, or an entity accepts such a false share, a false and invalid secret is inevitably reconstructed in the end, so that the security of the system is damaged and system resources are wasted.
The method provided by this embodiment can not only generate the corresponding secret shares from the locally stored master key component through the secret sharing scheme and distribute them to the other key generation centers by secure multiparty computation based on secret sharing, but can also verify the validity and correctness of the secret shares sent by each untrusted party on the basis of verifiable zero-knowledge commitments, through verifiable computation that supports additive homomorphism. This not only ensures that the secret shares received by each party are correct and valid, but also ensures that no private information about the master key component secret stored by each party's key generation center is leaked, thereby effectively improving the security and stability of the whole system.
The above embodiments are preferred examples of the present invention, and the present invention is not limited thereto, and any other modifications or equivalent substitutions made without departing from the technical aspects of the present invention are included in the scope of the present invention.

Claims (10)

1. A method for generating a certificateless SM2 key based on verifiable secret sharing, comprising:
S1, each key generation center in the system calculates and discloses a verifiable zero-knowledge commitment according to a pre-stored master key component, a preset threshold, the system public parameters and a (t-1)-degree polynomial, generates corresponding first partial secret shares $(f_i(j), g_i(j))$ and sends them to the corresponding key generation center; wherein $i, j \in [1, k]$, $i \ne j$, and $f_i(j)$ and $g_i(j)$ denote the secret share generated by the i-th center and sent to the j-th;
S2, each key generation center verifies whether the first partial secret share $(f_i(j), g_i(j))$ is valid; if valid, step S3 is executed;
S3, each key generation center calculates a second partial secret share $s2_i$, $g_i$ from the first partial secret shares and stores the second partial secret share $s2_i$, $g_i$ locally;
S4, the user generates a partial private key $X_A$ and sends the public key corresponding to the user partial private key $X_A$ together with the user identification to a key generation center;
S5, the current key generation center requests from the other key generation centers in the system the second partial secret shares $s2_i$, $g_i$ used to recover the system master key pair, thereby recovering the complete system master private key S and the master public key $P_{pub}$ corresponding to the master private key;
S6, the user private key fragment t and the purported public key W are calculated from the user partial private key $X_A$, the user identification $ID_A$, the random parameter components $\omega_i$ randomly generated by the other key generation centers and the system public parameters;
S7, the user obtains the user complete private key and the user actual public key $P_U$ from the user partial private key $X_A$, the user private key fragment t and the purported public key W, completing the generation of the certificateless SM2 key.
2. The certificateless SM2 key generating method according to claim 1, wherein step S1 includes:
S11, each KGC in the system generates a random number $s1_i$ and uses the random number $s1_i$ as a component of the system master private key, where $s1_i \in [1, N-1]$, $i \in [1, k]$, and k represents the number of KGCs;
S12, each KGC uses the random number $s1_i$ as the secret value and, according to the preset threshold (t, k), selects t-1 random numbers $[a_{i1}, a_{i2}, \dots, a_{i(t-1)}]$ and another set of random numbers $[r_i, b_{i1}, b_{i2}, \dots, b_{i(t-1)}]$, and calculates two (t-1)-degree polynomials $f_i(x)$ and $g_i(x)$; wherein $[a_{i1}, a_{i2}, \dots, a_{i(t-1)}] \in [1, N-1]$, $[r_i, b_{i1}, b_{i2}, \dots, b_{i(t-1)}] \in [1, N-1]$, and the polynomials are $f_i(x) = s1_i + a_{i1}x + a_{i2}x^2 + \dots + a_{i(t-1)}x^{t-1}$, $g_i(x) = r_i + b_{i1}x + b_{i2}x^2 + \dots + b_{i(t-1)}x^{t-1}$, $i \in [1, k]$;
S13, each KGC calculates and discloses the verifiable zero-knowledge commitments $E_{i0}, \dots, E_{i(t-1)}$; wherein,
S14, each KGC generates first partial secret shares $(f_i(j), g_i(j))$ for the other KGCs from the polynomials $f_i(x)$ and $g_i(x)$ and distributes the secret shares $(f_i(j), g_i(j))$ to the other KGCs in turn; wherein $f_i(j)$ and $g_i(j)$ denote the secret share generated by the i-th KGC and issued to the j-th KGC;
wherein $(X_G, Y_G)$ represents the X, Y coordinates of the base point G on $E(F_q)$; N represents the order of the base points G and H; t represents the threshold selected by the secret sharing scheme, and t is 3, i.e. at least 3 valid secret shares held by KGCs are required to cooperatively construct the complete system master key.
3. The certificateless SM2 key generating method according to claim 2, wherein step S2 includes:
S21, each KGC receives the secret shares $(f_i(j), g_i(j))$ and verifies whether the check against the published commitments holds; if so, step S31 is executed; wherein $E_{jl}$, $j \in [1, k]$, $l \in [1, t-1]$ are the verifiable zero-knowledge commitments issued by each KGC;
step S3 comprises:
S31, each KGC calculates and saves the second partial secret share $s2_i$, $g_i$; wherein,
4. The certificateless SM2 key generating method according to claim 3, wherein step S4 includes:
S41, the user randomly and secretly generates the partial private key $X_A$, and sends the first multiple point $U_A$ corresponding to the user partial private key $X_A$ together with the user identification $ID_A$ to a key generation center.
5. The certificateless SM2 key generating method according to claim 4, wherein step S5 includes:
S51, the current key generation center receives the user's key generation request and requests from the other key generation centers in the system the second partial secret shares $s2_i$, $g_i$ used to recover the system master key pair and the randomly generated parameter components $\omega_i$; the user's key generation request comprises the first multiple point $U_A$ and the user identification $ID_A$;
S52, verify whether the secret share $s2_i$ is valid; if so, execute step S53;
S53, when at least t valid secret shares $s2_i$ have been obtained, recover the (t-1)-degree polynomial F(x) by Lagrange interpolation, and recover the complete system master private key S and the master public key $P_{pub}$ corresponding to the master private key.
6. The method for generating a certificateless SM2 key according to claim 5, wherein step S6 comprises:
S61, calculate the purported public key W from the random parameter components $\omega_i$ randomly generated by the t key generation centers and the first multiple point $U_A$;
S62, calculate the user private key fragment t from the user identification $ID_A$;
S63, send the user private key fragment t and the purported public key W back to the user side.
7. The certificateless SM2 key generating method according to claim 5, wherein in step S52, whether the secret share $s2_i$ is valid is judged by verifying whether the check against the zero-knowledge commitments published by the j-th KGC holds;
in step S53, the formula for recovering the system master private key S is:
$S = F(0) \bmod N$;
the formula for recovering the master public key $P_{pub}$ corresponding to the master private key is:
$P_{pub} = [S]G$; wherein the coordinates of $P_{pub}$ are the values of the multiple point [S]G on the x-axis and the y-axis of the elliptic curve, respectively.
8. The method of generating a certificateless SM2 key according to claim 6, wherein in step S61, the formulas for calculating from the random parameter components $\omega_i$ randomly generated by the t key generation centers and the first multiple point $U_A$ are:
$P_A = [\omega]G$;
$W = P_A + U_A = [\omega]G + [x]G = [\omega + x]G = (x_W, y_W)$;
wherein $\omega_i$ refers to the random parameter components randomly generated by the t key generation centers, and ω is the sum of the t $\omega_i$ reduced modulo N; $P_A$ is a second multiple point generated from ω and the base point G; $x_W$ and $y_W$ are the values of the purported public key W on the x-axis and y-axis of the elliptic curve, respectively;
in step S62, the formulas for calculating from the user identification $ID_A$ are:
$t_1 = \mathrm{Hash}(x_W \| y_W \| Z_A) \bmod N$;
$t = (\omega + t_1 \cdot S) \bmod N$;
wherein a and b are the parameters of the elliptic curve, $ID_A$ is the user identification, and $x_G$ and $y_G$ are the values of the base point G on the x-axis and y-axis of the elliptic curve, respectively; $Z_A$ is the resulting hash value, and $t_1$ is the integer obtained by reducing the hash value modulo N; S is the recovered complete system master private key, and t is the user private key fragment.
9. The certificateless SM2 key generating method according to claim 8, wherein step S7 includes:
calculating the user complete private key from the user private key fragment t and the purported public key W, and generating the non-forgeable user actual public key $P_U$ from the purported public key W; the formula for calculating from the user private key fragment t and the purported public key W is:
$S_A = (X_A + t) \bmod N$;
the formulas for generating the non-forgeable user actual public key $P_U$ from the purported public key W are:
$t_1 = \mathrm{Hash}(x_W \| y_W \| Z_A) \bmod N$
$P_U = W + [t_1]P_{pub}$
10. The method for generating a certificateless SM2 key according to claim 1, wherein step S7 further comprises verifying whether the purported public key in the user actual public key $P_U$ was distributed by the KGC and has not been tampered with, specifically: verify whether $P_U^*$ is identical to the user actual public key $P_U$; if so, the purported public key is valid and has not been tampered with; wherein $P_U^* = [S_A]G$.
CN202211306716.5A 2022-10-25 2022-10-25 Certificateless SM2 key generation method based on verifiable secret sharing Active CN115580401B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211306716.5A CN115580401B (en) 2022-10-25 2022-10-25 Certificateless SM2 key generation method based on verifiable secret sharing


Publications (2)

Publication Number Publication Date
CN115580401A CN115580401A (en) 2023-01-06
CN115580401B true CN115580401B (en) 2023-12-22





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant