CN106961336A - A kind of key components trustship method and system based on SM2 algorithms - Google Patents

Abstract

A key component escrow method and system based on the SM2 public key cryptographic algorithm belongs to the field of information security. A key escrow network is composed of N (N≥1) different key component escrow systems, and the user's SM2 private key is divided into N+1 components by means of key split storage and multi-party joint calculation. It is stored in a decentralized manner with N different key component escrow systems, and when the private key needs to be used, the user and N key component escrow systems jointly complete relevant calculations. In the stage of user key generation and use, the key component escrow system generates the user's private key component through the identification mapping algorithm, but does not actually save it, which can greatly reduce the system construction scale, save system investment costs, and improve system operation efficiency and service level.

Description

A key component escrow method and system based on SM2 algorithm

technical field

The invention relates to a key component trusteeship method and system based on an SM2 public key cryptographic algorithm and a key split storage mechanism, and belongs to the field of information security.

Background technique

In the Internet and cloud computing environment, a large number of network-related applications have emerged, such as online banking, online payment, online shopping and Internet medical care, etc., which require online user identity authentication, online operation confirmation and user privacy protection to ensure that network applications security. The best way to solve this security requirement is to use public key cryptography to realize digital signature and public key encryption. When using public key cryptography, it is critical to keep the private key used secure. Under normal circumstances, in order to ensure the safe storage and use of the private key, the private key used for signing and decryption is required to be stored in the cryptographic device, and the corresponding cryptographic operations are also executed in the cryptographic device. The cryptographic device used is usually a cryptographic machine on the server side, and a USBKEY with a CPU and an IC card on the client side. However, in the network environment and mobile terminal environment, it is inconvenient to use these cryptographic devices to store keys and perform cryptographic operations, so there is an application demand for storing keys in mobile phone files and performing cryptographic operations on mobile phones . This soft environment brings great hidden dangers to the storage security and use security of the key. In order to improve the security of key storage and cryptographic operations, the user's private key can be divided into several components by means of key split storage and multi-party joint calculation, and each private key component is stored in different key escrow systems , when a private key needs to be used to digitally sign a message, multiple key escrow systems jointly complete the signature calculation, and the final signature can be verified using the public key of the client. Similarly, when it is necessary to decrypt the ciphertext encrypted by the public key of the client, multiple key escrow systems jointly complete the decryption calculation of the ciphertext, and realize the complete decryption of the encrypted message. For the national secret SM2 public key encryption algorithm, there are already corresponding key splitting methods and joint signature algorithms (see patent application number 201710157604.0), and the current demand is to establish a safe and efficient key escrow system to provide users with Escrow service for private key components. When the number of users who need key component escrow is large (for example, reaching the level of 100 million or billion), the key escrow system must consume a large amount of storage resources and cryptographic devices to save the user's key and user-related information. It will greatly reduce the operating efficiency and service level of the system.

Contents of the invention

Aiming at the application requirement of entrusting a large number of private key components for key splitting and joint computing, the present invention proposes an identification-based private key component escrow method, and thus constructs a corresponding key component escrow system (Partialkey escrow, PKE for short), which solves the problem of user private key component custody in the scenario of a large number of users. The technical solution adopted is to establish N (N ≥ 1) key component escrow systems, generate a master key in each key component escrow system, and use an identity mapping algorithm to generate the user key. The key component escrow system uses the system master key to perform a decentralized mapping on the identification information provided by the user to generate the corresponding private key component, but does not actually save the private key component; when the user needs to use his own private key component, the same After the algorithm restores the user's private key components, the relevant cryptographic operations are performed. The user identification information referred to here may be a combination or superposition of a user identification, a PIN code set by the user, and user terminal equipment information. The beneficial effect of adopting this scheme is that the key component escrow system does not require a database software system and a large number of key storage devices, and there is no limit to the number of managed users, which can greatly improve the operating efficiency and service level of the system, and there is no need for security. reduce.

The cryptographic algorithm based on the SM2 algorithm-based key component custody method and system of the present invention is the national secret SM2 public key cryptographic algorithm and the SM3 hash algorithm, and the elliptic curve parameters related to SM2 are set according to the national secret SM2 algorithm standard. The elliptic curve on the finite field is denoted as E(Fq), its base point is denoted as G, the order of G is denoted as n, and the SM3 hash function is denoted as h(x).

The entities involved in the SM2 algorithm-based key component escrow method and system of the present invention include users and N (N≥1) key component escrow systems, and the N key component escrow systems are respectively denoted as PKE[1], PKE[2],...,PKE[N]. In the early stage of system operation, the key component escrow system PKE[i] randomly generates a system master key MK[i] and a pair of SM2 asymmetric keys, and the system master key MK[i] can also use asymmetric keys The private key of . Each user faces N key component escrow systems. For each key component escrow system, the user needs to provide different user identification information. The N identification information of a user are respectively recorded as UID[1], UID[2] ,...,UID[N].

The key component escrow system PKE[i] uses a key component mapping generation function g(x,y), for each user, through the system master key MK[i] and user identification information UID[i] The mapping can generate a private key component di=g(MK[i], UID[i]), and di∈[1,n-1].

The specific implementation process of user key component escrow is divided into two stages: key generation and key use, and key generation includes signature key generation and encryption key generation, and key use includes joint signature and joint decryption.

1. Signature key generation

Signature key generation is completed by the user and the N key component escrow systems in cooperation, and the generation steps are as follows:

Step 1: The user constructs N pieces of user identification information UID[1], UID[2],..., UID[N] with his own identification, input PIN code and hardware device information, and then sets the initial value QN+ 1=G.

Step 2: For i=N, N-1,...,1, the user executes interactively with PKE[i] in turn:

(2a) The user encrypts UID[i] with the public key of PKE[i] to generate a ciphertext C[i], and sends C[i] and Qi+1 to PKE[i].

(2b) The PKE[i] uses the private key to decrypt C[i] to obtain the user UID[i], calculate di=g(MK[i], UID[i]), Qi=(di)-1Qi +1, send Qi back to the client, and use di as the i-th signature private key component of the user, but it does not need to be saved.

(2c) The user saves Qi.

Step 3: The user randomly selects d0∈[1,n-1], calculates Q0=(d0)-1Q1, Q=Q0-G, saves d0 as the signature private key component of the client, and uses Q as the user’s The actual signature public key is saved, and Q0 is saved at the same time.

The user's actual signature private key generated through the above steps d=(d0d1d2...dN)-1-1, and the actual signature public key Q=dG. The actual signature private key does not appear during the generation process, and is unknown to the user and the N key component escrow systems. The user and the N key component escrow systems have complete autonomy over the signature private key components generated by them, and no other user or any third party can obtain information about their signature private key components.

2. Encryption key generation

The encryption key is mainly used for public key encryption and private key decryption of the message, which is completed by the user and the N key component escrow systems in cooperation, and the generation steps are as follows:

Step 1: The user constructs N pieces of user identification information UID'[1], UID'[2],..., UID'[N] with his own identification, input PIN code and hardware device information, and then sets the initial Value Q'N+1=G.

Step 2: The user sets the initial value Q'N+1=G, and for i=N, N-1,...,1, executes interactively with PKE[i] in turn:

(2a) The user encrypts UID'[i] with the public key of PKE[i] to generate a ciphertext C[i], and sends C[i] and Q'i+1 to PKE[i].

(2b) The PKE[i] uses the private key to decrypt C[i] to obtain the user UID'[i], calculate d'i=g(MK[i], UID'[i]), Q'i =d'iQ'i+1, return Q'i to the client, and use d'i as the i-th encrypted private key component of the user, but it does not need to be saved.

Step 3: The user randomly selects d'0∈[1,n-1], calculates Q'0=d'0Q1, Q'=Q'0, and saves d'0 as the encrypted private key component of the client, Save Q' as the user's actual encrypted public key.

The user's actual encrypted private key d'=d'0d'1d'2...d'N generated through the above steps, and the actual encrypted public key Q'=d'G. The actual encrypted private key does not appear during the generation process, and is agnostic to both the user and the N key component escrow systems. The user and the N key component escrow systems have complete autonomy over the private key components generated by them, and other users cannot obtain information about their private key components.

3. Joint signature

The joint signature in the present invention refers to that when a user needs to digitally sign a message, the user and N key component escrow systems jointly complete the signature of the message in sequence, and the signature result is an ordinary signature conforming to the SM2 standard, and the signature recipient This can be verified using the user's actual signing public key.

The signature method involves users and N key component escrow systems. The user has a signature private key component d0, the key component escrow system PKE[i] has a signature private key component di, and the actual signature public key of the user is Q=((d0d1...dN)-1–1) g.

Assuming that the message to be signed is M, e=h(Z||M) is the digest value of the message M, where Z is information related to the user public key and user ID. First, the user and N key component escrow systems jointly generate a pair of random key pairs in sequence, and then jointly complete the SM2 signature on the digest value e in the reverse order. The multi-party joint signature steps are as follows.

Step 1: The user reconstructs the identification information UID[1], UID[2],..., UID[N] of N users with their own identification, input PIN code and hardware device information, and then selects a random number k0, calculate R0 = k0Q0.

Step 2: For i=1,2,...,N, the user executes interactively with PKE[i] in turn:

(2a) The user sends Ri-1 and Qi to PKE[i];

(2b) PKE[i] randomly selects ki∈[1,n-1], calculates Ri=Ri-1+kiQi, and sends Ri back to the user;

Step 3: Set RN=(x1, y1), the user calculates r=(e+x1)(mod n), and write sN+1=r.

Step 4: For i=N, N-1,...,1, the user executes interactively with PKE[i] in turn:

(4a) The user encrypts UID[i]|Ri with the public key of PKE[i] to generate a ciphertext C[i], and sends C[i] and si+1 to PKE[i];

(4b) The PKE[i] performs private key decryption on C[i] to obtain UID[i] and Ri', verifies whether Ri'=Ri is established, and if established, then calculates the signature private key component di=g(MK[ i], UID[i]) and partial signature si=ki+si+1di(mod n), return the partial signature si to the client;

(4c) After receiving the partial signature si of the PKE[i], the user calculates R'=Ri-1+siQi-rG, checks whether R'=RN is established, and if established, accepts PKE[i] The partial signature of si.

Step 5: The user calculates s=k0+s1d0−r(mod n) to generate the final signature (r, s).

The signature (r, s) generated by this step can be verified using the public key Q according to the SM2 signature verification algorithm. For the specific verification process, please refer to the patent application number 201710157604.0.

4. Joint Decryption

When the user needs to decrypt the ciphertext encrypted with the user's encryption public key, the decryption of the ciphertext can be completed jointly by the user and the N key component escrow systems.

The decryption method involves the user and N key component escrow systems. The user has an encrypted private key component d'0, the key component escrow system PKE[i] has an encrypted private key component d'i, and the user's actual encrypted private key is d'=d'0d'1...d'N(mod n ), the actual encrypted public key is Q'=(d'0d'1...d'N)G.

Suppose the ciphertext to be decrypted is C1||C2||C3, where C1 is an elliptic curve point. According to the SM2 decryption algorithm, the user needs to calculate D=d'C1 first, and then perform other decryption steps. The key point for the joint completion of decryption by the user and the N key component escrow systems is the joint calculation of D=d'C1. The steps of the multi-party joint decryption scheme are as follows.

Step 1: The user reconstructs the user's identification information UID'[1], UID'[2],..., UID'[N] with his own identification, input PIN code and hardware device information, and then randomly selects k0∈[1,n-1], and k0≠(d'0)-1, calculate DN+1=k0C1.

Step 2: For i=N, N-1,...,1, the user executes interactively with the PKE[i] in turn:

(2a) The user obtains a random number r[i] from the PKE[i].

(2b) The user encrypts UID'[i]||r[i] with the public key of PKE[i] to generate a ciphertext C[i], and sends Di+1 and C[i] to PKE[ i].

(2c) The PKE[i] decrypts the private key of C[i] to obtain UID'[i] and r'[i], and verifies whether r'[i]=r[i] is true, and if it is true, calculate d 'i=g(MK[i], UID'[i])(mod n) and Di=d'iDi+1, return Di to the client.

Step 3: The user calculates D=(k0)-1d'0D1.

Step 4: Since (k0)-1d'0D1=(k0)-1(d'0d'1...d'N)k0C1=d'C1, the D obtained through the joint calculation is exactly what is needed for private key decryption According to the calculation result of the SM2 decryption algorithm, the plaintext can be solved.

Description of drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only These are some embodiments of the present invention. Those skilled in the art can also obtain other drawings based on these drawings without creative work.

Fig. 1 is a structural diagram of the relationship between the key component escrow system and the client according to the present invention.

Fig. 2 is a diagram of the internal structure of the key component escrow system of the present invention.

Fig. 3 is a flowchart of signature key generation according to the present invention.

Fig. 4 is a flow chart of encryption key generation according to the present invention.

Fig. 5 is a flow chart of joint signature according to the present invention.

Fig. 6 is a flowchart of joint decryption according to the present invention.

detailed description

The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

The present invention proposes a key component escrow method and system based on the SM2 algorithm. The specific implementation of the present invention will be described in detail below with reference to the accompanying drawings.

The key component escrow method and system based on the SM2 algorithm of the present invention rely on the national secret SM2 public key cryptographic algorithm and the SM3 hash algorithm, and the elliptic curve parameters related to SM2 are set according to the national secret SM2 algorithm standard. The elliptic curve on the finite field is denoted as E(Fq), its base point is denoted as G, the order of G is denoted as n, and the SM3 hash function is denoted as h(x).

Figure 1 shows the overall structure of the key component escrow system based on the SM2 algorithm. The whole system is composed of N (N≥1) key component escrow systems and many client terminals, and the number of client terminals is not limited. Each client faces N key escrow systems, and the client private key is divided into N+1 components when it is generated, which are managed by the client and N key component escrow systems respectively. The client’s private key component managed by the key component escrow system is not actually saved, but is calculated from the system master key of the key component escrow system and the identification information of the client through a mapping algorithm. The stage is determined, it will be restored after recalculation in the key usage stage, and it will be automatically destroyed after the use is completed. The beneficial effect of this key component escrow method is that it does not need to actually store the private key component of the client, saves a lot of storage resources and cryptographic devices, has no limit on the number of client terminals, and greatly improves the operating efficiency and service level of the system.

Figure 2 shows the internal structure of the key component escrow system. The key component escrow system is composed of a service unit, a key generation unit, a signature calculation unit, and a decryption calculation unit. The service unit accepts the request from the client, conducts secure communication with the client, confirms the identity of the client, and provides key generation, joint signature and joint decryption services for the client. The key generation unit uses the system master key to perform a distributed mapping on the identification information provided by the client, and generates or restores the private key component for the client during the client key generation stage and the client key use stage. The signature operation unit executes a joint signature operation, and uses the private key component of the client to perform a partial signature operation on the message digest value. The decryption operation unit executes a joint decryption operation, and performs a partial decryption operation on the data with the private key component of the client.

In order to help understand the essence of the present invention, Fig. 3 to Fig. 6 have provided the implementation steps of specific key generation and key use, and provide a specific mapping function g(MK, UID)=h(MK|| UID)(mod n), where h(x) is the SM3 hash function.

Figure 3 shows the signature key generation process of the present invention, including the following steps:

Step (1): The user terminal sets the user terminal identification information UID[i], and then sets the initial public key parameter QN+1=G.

Step (2): The client encrypts UID[N] with the public key of PKE[N], and sends the encrypted UID[N] and QN+1 to PKE[N]. PKE[N] uses the private key to decrypt and obtain the client UID[N], calculate dN=h(MK[N]||UID[N])(modn), QN=(dN)-1QN+1, and return QN To the client, dN is used as the Nth signature private key component of the client, but it does not need to be saved.

Step (3): For i=N-1,...,2, the client encrypts UID[i] with the public key of PKE[i], and sends encrypted UID[i] and Qi+1 to PKE[i] ]. PKE[i] uses the private key to decrypt and obtain the client UID[i], calculate di=h(MK[i]||UID[i])(mod n), Qi=(di)-1Qi+1, send back Qi arrives at the user end, and di is used as the i-th signature private key component of the user end, but it does not need to be saved.

Step (4): The client encrypts UID[1] with the public key of PKE[1], and sends the encrypted UID[1] and Q2 to PKE[1]. PKE[1] uses the private key to decrypt and obtain the client UID[1], calculate d1=h(MK[1]||UID[1])(modn), Q1=(d1)-1Q2, and send Q1 back to the user On the client side, use d1 as the first signature private key component on the client side, but it does not need to be saved.

Step (5): The client randomly selects d0∈[1,n-1], calculates Q0=(d0)-1Q1, Q=Q0-G, saves d0 as the signature private key component of the client, and uses Q as The actual signature public key of the client is saved, and {Q0, Q1,...,QN} are saved at the same time.

Figure 4 shows the encryption key generation process of the present invention, including the following steps:

Step (6): The user terminal constructs a set of user terminal identification information with its own identification, input PIN code and hardware device information, and records the user terminal identification information as UID'[i], and then sets the initial Value Q'N+1=G.

Step (7): The client encrypts the UID'[N] with the public key of PKE[N], and sends the encrypted UID'[N] and Q'N+1 to PKE[N]. PKE[N] uses the private key to decrypt and obtain the client UID'[N], calculate d'N=h(MK[N]||UID'[N])(mod n), Q'N=d'NQN +1, send Q'N back to the client, and use d'N as the Nth encrypted private key component of the client, but it does not need to be saved.

Step (8): For i=N-1,...,2, the client encrypts the UID'[i] with the public key of PKE[i], and sends the encrypted UID'[i] and Q'i+1 to PKE[i]. PKE[i] uses the private key to decrypt and obtain the client UID'[i], calculate d'i=h(MK[i]||UID'[i])(mod n), Q'i=d'iQi +1, send Q' i back to the client, and use d'i as the i-th encrypted private key component of the client, but it does not need to be saved.

Step (9): The client encrypts UID'[1] with the public key of PKE[1], and sends encrypted UID'[1] and Q'2 to PKE[1]. PKE[1] uses the private key to decrypt and obtain the client UID'[1], calculate d' 1=h(MK[1]||UID'[1])(mod n), Q'1=d'1Q2 , send Q'1 back to the client, and use d'1 as the first encrypted private key component of the user, but it does not need to be saved.

Step (10): The client randomly selects d'0∈[1,n-1], calculates Q'0=d'0Q1, Q'=Q'0, and uses d'0 as the encrypted private key component of the client Save, save Q' as the actual encrypted public key of the client.

Figure 5 shows the joint signature process of the present invention, including the following steps:

Step (11): The user terminal reconstructs the identification information UID[i] of the user terminal with its own identification, input PIN code and hardware device information, etc., then randomly selects k0∈[1,n-1], and calculates R0= k0Q0. Assuming that the message to be signed is M, the client calculates a digest value e=h(Z||M), where Z is the identification information and public key information of the client.

Step (12): The client sends R0 and Q1 to PKE[1], and PKE[1] randomly selects k1∈[1,n-1], calculates R1=R0+k1Q1, and sends R1 back to the client.

Step (13): For i=2,...,N-1, the client sends Ri-1 and Qi to PKE[i], PKE[i] randomly selects ki∈[1,n-1], and calculates Ri =Ri-1+kiQi, send Ri back to the user end.

Step (14): The client sends RN-1 and QN to PKE[N], PKE[N] randomly selects kN ∈ [1,n-1], calculates RN=RN-1+kNQN, and sends RN back to the user end.

Step (15): Assuming RN=(x1, y1), the UE calculates r=(e+x1)(mod n).

Step (16): The client encrypts UID[N]||RN with the public key of PKE[N], and sends it to PKE[N] together with r. The PKE[N] decrypts with the private key to obtain UID[N] and Ri', verifies whether R'N=RN is established, and if it is established, then calculates the signature private key component dN=h(MK[N]||UID[N ])(mod n) and a partial signature sN=kN+rdi(mod n), and send the partial signature sN back to the client.

Step (17): After receiving the partial signature sN of the PKE[N], the client calculates R'=RN-1+sNQN-rG, checks whether R'=RN is established, and if established, accepts the Partial signature sN of the above PKE[N].

Step (18): For i=N-1,...,2, the client encrypts UID[i]||Ri with the public key of PKE[i], and sends it to PKE[i] together with si+1 . The PKE[i] decrypts with the private key to obtain UID[i] and Ri', verifies whether Ri'=Ri is established, if established, then calculates the signature private key component di=h(MK[i]||UID[i] )(mod n) and partial signature si=ki+si+1di(mod n), and send the partial signature si back to the client. After receiving the partial signature si of the PKE[i], the client calculates R'=Ri-1+siQi-rG, checks whether R'=RN is established, and if it is established, accepts the part of PKE[i] signature si.

Step (19): The client encrypts UID[1]||R1 with the public key of PKE[1], and sends it to PKE[1] together with s2. The PKE[1] decrypts with the private key to obtain UID[1] and R1', verifies whether R1'=R1 is established, and if established, calculates the signature private key component d1=h(MK[1]||UID[1] )(mod n) and partial signature s1=k1+s2d1(mod n), and send the partial signature s1 back to the client.

Step (20): After receiving the partial signature s1 of the PKE[1], the client calculates R'=R0+s1Qi-rG, checks whether R'=RN is established, and if established, accepts the PKE[1] ] of the partial signature s1. The client calculates s=k0+s1d0−r(mod n) again to generate the final signature (r, s).

Figure 6 shows the joint decryption process of the present invention, including the following steps:

Step (21): The user terminal reconstructs the identification information UID'[i] of the user terminal with its own identification, input PIN code and hardware device information, and then randomly selects k0∈[1,n-1], and k0 ≠(d'0)-1, calculate DN+1=k0C1.

Step (22): The client encrypts UID'[N] with the public key of PKE[N], and sends it to PKE[N] together with DN+1. The PKE[N] decrypts with the private key to obtain UID'[N], calculates d'N=h(MK[N]||UID'[N])(mod n) and DN=d'N DN+1, Return the DN to the client.

Step (23): For i=N-1,...,2, the client encrypts UID'[i] with the public key of PKE[i], and sends it to PKE[i] together with Di+1. The PKE[i] decrypts with the private key to obtain UID'[i], calculates d'i=h(MK[i]||UID'[i])(mod n) and Di=d'iDi+1, and sends back Die to the client.

Step (24): The client encrypts UID'[1] with the public key of PKE[1], and sends it to PKE[1] together with D2. The PKE[1] decrypts with the private key to obtain UID'[1], calculates d'1=h(MK[1]||UID'[1])(mod n) and D1=d'1D2, and returns D1 to user terminal.

Step (25): The UE calculates D=(k0)-1d'0D1.

Step (26): The client decrypts the plaintext according to the subsequent steps of the SM2 decryption algorithm.

The above embodiments only describe the content of the present invention in principle, and it should be understood that the embodiments and mapping functions given here are only used to illustrate the basic idea of the present invention, and cannot limit the generality of the present invention. Any mathematical deformation and modification made to the essential content of the present invention are included in the protection scope of the patent of the present invention.

Claims (8)

1. A key component escrow method based on the SM2 public key cryptographic algorithm, characterized in that: it is applied to a key escrow network formed by N (N≥1) different key component escrow systems; the method include: Using the method of key split storage and multi-party joint calculation, the SM2 private key of the client is divided into N+1 components; Decentralized storage by the client and N different key component escrow systems; When a private key needs to be used to digitally sign a message, the client and N key component escrow systems jointly complete the signature calculation, and the signature formed by the calculation can be verified using the public key of the client; When it is necessary to decrypt the ciphertext encrypted by the public key of the user terminal, the user terminal and the N key component escrow systems jointly complete the decryption calculation of the ciphertext, and realize the complete decryption of the ciphertext. 2. The key component escrow method according to claim 1, wherein the method further comprises: Generate a master key in each key component escrow system; Through an identification mapping algorithm, in the user key generation stage, the key component escrow system uses the generated master key to perform decentralized mapping on the identification information provided by the user to generate the corresponding private key component; wherein, the identification information is : A combination or superposition of user identification, PIN code set by the user, and user terminal equipment information; When the user terminal needs to use its own private key component, the relevant cryptographic operation is performed after the private key component of the user terminal is recovered according to the identification mapping algorithm. 3. The key component trusteeship method according to claim 1, characterized in that: the cryptographic algorithm relied on by the present invention is the national secret SM2 public key cryptographic algorithm, and the elliptic curve parameters related to SM2 are set according to the national secret SM2 algorithm standard, The elliptic curve on the finite field is marked as E(Fq), its base point is marked as G, and the order of G is marked as n; the entities involved in the present invention include the client and N (N≥1) key component escrow systems, N The key component escrow systems are respectively denoted as PKE[1], PKE[2], ..., PKE[N]; each client sets up N identification information UID[1] for the N key component escrow systems, UID[2],..., UID[N], and the number of clients is not limited; at the initial stage of system operation, the key component escrow system PKE[i] randomly generates a system master key MK[i] and a pair of SM2 Symmetric key, the system master key MK[i] can also be used as the private key of an asymmetric key; the key component escrow system PKE[i] selects a key component mapping generation function g(x, y), for any On the client side, a private key component d _i =g(MK[i],UID[i]) can be generated by mapping the system master key MK[i] and user identification information UID[i], and d _i ∈ [ 1,n-1]. 4. The key component escrow method according to claim 1, characterized in that: the generation and split storage of the user signature key can be completed through the following steps: Step 1: The client constructs N user identification information UID[1], UID[2],..., UID[N] with its own identity, input PIN code and hardware device information, and then sets initial public key parameters Q _N+1 = G; Step 2: For i=N, N-1, ..., 1, the client executes interactively with PKE[i] in turn: (2a) The client encrypts UID[i] with the public key of PKE[i] to generate a ciphertext C[i], and sends C[i] and Q _i+1 to PKE[i]; (2b) The PKE[i] uses the private key to decrypt C[i] to obtain the user identification information UID[i], calculate d _i =g(MK[i], UID[i]), Q _i =( d _i ) ^-1 Q _i+1 , send Q _i back to the client, and use d _i as the i-th signature private key component of the user, but it does not need to be saved; (2c) The user saves Q _i ; Step 3: The client randomly selects d ₀ ∈ [1,n-1], calculates Q ₀ =(d ₀ ) ^-1 Q ₁ , Q=Q ₀ -G, and uses d ₀ as the signature private key of the client Save the component, save Q as the actual signature public key of the client, and save Q ₀ at the same time; The user’s actual signature private key generated through the above steps d=(d ₀ d ₁ d ₂ …d _N ) ^-1 -1, the actual signature public key Q=dG, the actual signature private key did not appear during the generation process, and the Both the user and the N key component escrow system are agnostic. 5. The key component escrow method according to claim 1, characterized in that: the generation and split storage of user encryption keys can be completed through the following steps: Step 1: The user constructs a user identification information with his own identification, input PIN code and hardware device information, and records the user identification information as UID'[1], UID'[2],..., UID '[N], then set the initial value Q' _N+1 = G; Step 2: For i=N, N-1,...,1, the user executes interactively with PKE[i] in turn: (2a) The user encrypts UID'[i] with the public key of PKE[i] to generate a ciphertext C[i], and sends C[i] and Q' _i+1 to PKE[i]; (2b) The PKE[i] uses the private key to decrypt C[i] to obtain the user UID'[i], and calculate d _i '=g(MK[i], UID'[i]), Q' _i ＝d _i 'Q' _i+1 , return Q' _i to the client, and use d' _i as the i-th encrypted private key component of the user, but it does not need to be saved; Step 3: The user randomly selects d' ₀ ∈ [1,n-1], calculates Q' ₀ =d' ₀ Q ₁ , Q'=Q' ₀ , and uses d' ₀ as the encrypted private key component of the client Save, save Q' as the user's actual encrypted public key; The user's actual encrypted private key d'=d' ₀ d' ₁ d' ₂ ...d' _N generated through the above steps, the actual encrypted public key Q'=d'G, the actual encrypted private key did not appear during the generation process, And it is agnostic to users and N key component escrow systems. 6. The key component escrow method according to claim 1, characterized in that: the client and N key component escrow systems can jointly complete the SM2 signature of a message, assuming that the message to be signed is M, e=h (Z||M) is the digest value of the message M, where Z is the information related to the user public key and the user ID, and the multi-party joint signature steps are as follows: Step 1: The client reconstructs the user's identification information UID[1], UID[2],..., UID[N] with its own identification, input PIN code and hardware device information, and then randomly selects k ₀ ∈[1,n-1], calculate R ₀ =k ₀ Q ₀ ; Step 2: For i=1,2,...,N, the user executes interactively with PKE[i] in turn: (2a) The client sends R _i-1 and Q _i to PKE[i]; (2b) PKE[i] randomly selects k _i ∈ [1,n-1], calculates R _i =R _i-1 +k _i Q _i , and returns R _i to the user; Step 3: Set R _N =(x ₁ ,y ₁ ), the user calculates r=(e+x ₁ )(mod n), and writes s _N+1 =r; Step 4: For i=N, N-1,...,1, the user executes interactively with PKE[i] in turn: (4a) The client encrypts UID[i]||R _i with the public key of PKE[i] to generate a ciphertext C[i], and sends C[i] and s _i+1 to PKE[i ]; (4b) The PKE[i] decrypts the private key of C[i] to obtain UID[i] and R _i ', verify whether R _i '=R _i is established, and if it is established, calculate the signature private key component d _i = g(MK[i], UID[i]) and partial signature s _i =k _i +s _i+1 d _i (mod n), return the partial signature s _i to the client; (4c) After receiving the partial signature s _i of the PKE[i], the client calculates R'=R _i-1 +s _i Q _i -rG, and checks whether R'=R _N is established, and if it is established , then accept the partial signature s _i of PKE[i]; Step 5: The client calculates s=k ₀ +s ₁ d ₀ -r(mod n) to generate the final signature (r, s); The signature (r, s) generated by this step can be verified using the signature public key Q according to the SM2 signature verification algorithm. 7. The key component escrow method according to claim 1, characterized in that: the client and N key component escrow systems can jointly complete the decryption of a public key encrypted ciphertext, assuming that the ciphertext to be decrypted is C ₁ ||C ₂ ||C ₃ , where C ₁ is an elliptic curve point, and the multi-party joint decryption steps are as follows: Step 1: The client reconstructs the user's identification information UID'[1], UID'[2],..., UID'[N] with its own identification, input PIN code and hardware device information, and then randomly selects k ₀ ∈[1,n-1], and k ₀ ≠(d' ₀ ) ^-1 , calculate D _N+1 = k ₀ C ₁ ; Step 2: For i=N, N-1,...,1, the user executes interactively with the PKE[i] in turn: (2a) The client obtains a random number r[i] from the PKE[i]; (2b) The client encrypts UID'[i]||r[i] with the public key of PKE[i] to generate a ciphertext C[i], and sends D _i+1 and C[i] to PKE[i]; (2c) The PKE[i] decrypts the private key of C[i] to obtain UID'[i] and r'[i], and verifies whether r'[i]=r[i] is established, and if it is established, calculate d ' _i ＝g(MK[i], UID'[i]) and D _i ＝d' _i D _i+1 , return D _i to the client; Step 3: the client calculates D=(k ₀ ) ^-1 d' ₀ D ₁ ; Step 4: The client sets D=(x ₂ , y ₂ ), and then decrypts the plaintext according to the subsequent steps of the SM2 decryption algorithm. 8. A key component escrow system, characterized in that: the key component escrow system is composed of a service unit, a key generation unit, a signature calculation unit, and a decryption calculation unit; the service unit accepts user requests and communicates with users. Secure communication, confirming the user's identity, providing users with key generation, joint signature and joint decryption services; the key generation unit uses the system master key to perform a decentralized mapping on the identification information provided by the user end, and the user end key In the generation stage and the client key use stage, the private key component is generated or restored for the client; the signature operation unit performs a joint signature operation, and uses the user’s private key component to perform a partial signature operation on the message digest value; the decryption operation unit performs a joint signature operation. Decryption operation, using the user's private key component to perform a partial decryption operation on the data.