CN1108041C - Digital signature method using elliptic curve encryption algorithm - Google Patents

Abstract

The present invention belongs to a digital signature method of confidentiality or secure communication. In the present invention, an elliptic curve public key encryption algorithm is adopted as a main part which is aided with a hash function and symmetric encryption algorithm. The present invention has the characteristics of shortened time for signature and authentication, high security, forward confidentiality, non-repudiation, etc. The present invention can be used for preventing counterfeiting in the various field of information transmission, such as network communication, electronic commerce, the identity (ID) authentication of notes, documents and information issuers, etc.

Description

The digital signature method of utilization elliptic curve encryption algorithm

The present invention relates to a kind of maintaining secrecy or the digital signature method of secure communication, specifically, is a kind of digital signature method that uses elliptic curve encryption algorithm.

Particularly national governments, enterprises and institutions and even individual pay close attention to secret and safety problem in the information exchanging process now.In a system (in a tame bank or the whole banking system), many users (each branch bank) are arranged, transmission information or leave check between the user, draft etc., problem is how to guarantee that the information that the user sends or the check of leaving, draft do not decoded, revise, forge by the people, can only be by specific recipient's deciphering or identification, this is a mathematical technique that the revolution meaning is arranged, and is the key problem of guaranteeing information security.For this reason, the research of public key cryptography is in the ascendant in the world, and has produced many digital signature methods thus.NBS has announced " DSS "-DSS in 1994.It is the big prime number of 512-1024 position that this standard has adopted mould, and arithmetic speed is slow.In addition, DSS does not encrypt the plaintext that sends, and is a simple endorsement method.And the plaintext that sends in the network service now also needs to encrypt sometimes.The endorsement method that is similar to DSS just can't use.CN1177872A discloses a kind of digital signature method that is used to realize having information appendix, adopts a hash function to reduce signature length, and privacy degrees is not ideal enough.CN1197248A discloses a kind of digital signature method.Need to adopt signature black box hardware in this method, implement the comparison difficulty.EP0807908A2 has disclosed and a kind of elliptic curve has been applied to method on the signature system, but the modulus of selecting for use in this method is minimum, thereby only limits the use of in smart card.

The purpose of this invention is to provide a kind of elliptic curve encryption algorithm that uses and realize digital signature and the method that signature is authenticated, be called for short ECSC.It not only can shorten signature and authenticate the used time, has very high fail safe, also has confidentiality forward simultaneously, has wide range of applications.

The object of the present invention is achieved like this:

The present invention is that the utilization elliptic curve encryption algorithm realize to be maintained secrecy or the digital signature method of secure communication, and it is based on the elliptic curve public key cryptographic algorithm, is aided with hash function and symmetric encipherment algorithm and a kind of digital signature method of constituting, and specific practice is:

(I) set up encryption system: find a big prime number n earlier, delivery is counted n for being equal to or greater than 160, and promptly 2 ¹⁵⁹≤ n＜2 ¹⁶⁰, modulus p is the big prime number of another one, and with the n isotopic number, m is a positive integer, constructs an elliptic curve E, and it is in finite field

On the Weierstrass equation be

E:y ²+ a ₁Xy+a ₃Y=x ³+ a ₂x ²+ a ₄X+a ₆E is in finite field for note On disaggregation be

Our requirement Element number be #

Be the multiple of n, suppose that P is that the order of E is the basic point of n; If the private cipher key of user A is a, the scope of a is 1＜a＜n, and publicly-owned key is $Q_a=\mathrm{aP}=(x_{Q_a},y_{Q_a}),$ The private cipher key of user B is b, and the scope of b is 1＜b＜n, and publicly-owned key is $Q_b=\mathrm{bP}=(x_{Q_b},y_{Q_b}),$ Need to select hash function h and a symmetric encipherment algorithm ENC of at least 160 of outputs in addition;

(II) carry out digital signature: user A at first checks the PKI of B, confirms the identity of B, if confirm errorlessly, A selects a positive integer x then at random, and the scope of x is 0＜x＜n, takes advantage of calculating by the elliptic curve number $k_1={\mathrm{xQ}}_b=\mathrm{xbP}=(x_{k_1},y_{k_1}),$ Utilize given hash function to calculate $k=h\left(x_{k_1}\right),$ Then A calculates $e=h\left(x_{Q_a}\right|\left|x_{Q_b}\right|\left|M\right)$ And s=ae+x-k (mod n) and R=xP, the symmetry block cipher that utilizes both sides all to know again carries out cryptographic calculation C=ENC _k(s ‖ M), last A will (R C) sends B to, and at this moment (s R) is exactly the signature of A on plaintext M.

Hash function used in the said method preferably adopts the md5 hash function.

The present invention also is that the utilization elliptic curve encryption algorithm is realized the method for the authentication of this digital signature, and specific practice is: user B receive the information that user A sends (R, C) after, he at first checks the PKI of A, confirm the identity of A, if confirm errorlessly, B utilizes and disclose known elliptic curve E calculating $k_1=\mathrm{bR}=\mathrm{bxP}=(x_{k_1},y_{k_1}),$ Calculate with given hash function $k=h\left(x_{k_1}\right),$ Again C is decrypted computing and obtains (s ‖ M)=ENC _k(C), calculate then $e=h\left(x_{Q_a}\right|\left|x_{Q_b}\right|\left|M\right),$ U=(s+k) P and V=-eQ _a, whether last B check U+V=R (mod P) sets up, and just approves signature and accepts the information that A sends if set up, otherwise accept the information that A sends with regard to denial of signature and refusal.

The present invention compared with prior art, the advantage that has is: this method is the very high digital signature method of a kind of fail safe.Its main part is an elliptic curve encryption algorithm, and this is the new recently public key cryptography that rises, and its attack difficulty is compared with other public key cryptography, and difficulty is bigger, because it provides a kind of structure " element " and " combination rule " to produce group's method.These groups have enough good character to set up cryptographic algorithm, carry out cryptanalytic some character but lack convenient cryptanalysts.Showing in EP0807908A2, is the fail safe that mould p that fail safe that 155 elliptic curve encryption algorithm produces is equivalent to DSS produces when being 512 for mould n.The digital signature method of elliptic curve encryption algorithm is multiplying, adopting the digital signature method of discrete logarithm is the index computing, and general digital signature method all adopts the discrete logarithm algorithm, as " DSS " DSS of NBS's announcement.As everyone knows, in the computing of computer, exponent arithmetic is slower than multiplying, and the algorithm of elliptic curve is converted into the exponent arithmetic of big prime number several multiplications of basic point just, and mould n is again than little many of the figure place of the mould p of DSS, and this has just accelerated encryption and decryption speed greatly, has saved the time.Require the big prime number that needs than required little of other public key cryptography owing to reach same confidentiality, thereby can find suitable key more easily, bring convenience to the generation and the management of key.

What is called is confidentiality fully forward, and when signer had been revealed his private cipher key accidentally, the assailant can not obtain the information that signer transmits in the past in other words.Why fully forward the ECSC that we propose confidentiality, be because originator A produces a random number x when signing earlier at every turn, and utilize x and the private cipher key a of oneself to encrypt together, even A has revealed the private cipher key a of oneself accidentally, nobody can know the plaintext that A is sent in the past except addressee B so, because others can not solve x in the signature equation.

Because the modulus scope that the inventive method is selected for use is big, as long as greater than 160, thereby can be used for many information transmission fields such as authentication false proof of network service, ecommerce (online transaction), bill, certificate and information transmitter, have very wide future.

In addition,, make this endorsement method have very big flexibility, enlarged its scope of application, can be applied to the different every field of security requirements because hash function and symmetric encipherment algorithm can be selected.

Embodiment 1

Suppose that originator A sends information will for addressee B, A had both wished to protect the safety of own transmission information, wished if there are other people to pretend to be ownly to B transmission information simultaneously again, and B can deny; On the other hand, B wishes to confirm that the information of oneself receiving is to come from A, and if be the information that A sends really, then can not deny after the A; Better for fail safe in addition, even if A wishes the private cipher key of oneself just in case lose, the own information that sends to B in the past can not be decrypted yet.

The process that the present invention produces digital signature is: at first, A checks the PKI of B, determines the identity of B.The method of checking is to inquire about to the network authentication center.For public-key cryptosystem, the existence of authentication center to be arranged all during application.Authentication center is an authoritative institution that communicating pair is all trusted, and carries out the task of generation and distributing key before signature scheme is carried out, and has arbitrator's effect when dispute occurring in the signature scheme implementation.A will check PKI and the identity of B, need ask for the data of B to authentication center, confirms when no problem the identity of just admitting B.Then, A produces a random number x by randomizer, and the scope of x is 0＜x＜n, calculates then $k_1={\mathrm{xQ}}_b=\mathrm{xbP}=(x_{k_1},y_{k_1}),$ Utilize the good hash function h of security performance again, we advise using the md5 hash function, calculate $k=h\left(x_{k_1}\right);$ Next A calculates $e=h\left(x_{Q_a}\right|\left|x_{q_b}\right|\left|M\right)$ And s=ae+x-k (mod n) and R=xP, ‖ wherein represents that two character strings link to each other.A utilizes the symmetry block cipher ENC that both sides know in advance then, and as IDEA, DES etc. carry out cryptographic calculation C=ENC _k(s ‖ M); Last A lumps together R and C, (R C) sends B to, and at this moment s and R are exactly the signature of A on plaintext M.

Embodiment 2

Suppose that originator A sends information will for addressee B, A had both wished to protect the safety of own transmission information, wished if there are other people to pretend to be ownly to B transmission information simultaneously again, and B can deny; On the other hand, B wishes to confirm that the information of oneself receiving is to come from A, and if be the information that A sends really, then can not deny after the A; Better for fail safe in addition, even if A wishes the private cipher key of oneself just in case lose, the own information that sends to B in the past can not be decrypted yet.

The verification process that the present invention carries out digital signature is: at first B checks the PKI of A, determines the identity of A.Method of checking and A check that the method for B is similar.After B determined that the identity of A is errorless, (R C), utilized disclose known elliptic curve E and the private cipher key b of oneself calculating the information that sends by A earlier $k_1=\mathrm{bR}=\mathrm{bxP}=(x_{k_1},x_{k_1}),$ Hash function h with given good confidentiality calculates again $k=h\left(x_{k_1}\right);$ Identical symmetric encipherment algorithm ENC was decrypted computing to ciphertext C and obtains (s ‖ M)=ENC when then the B utilization was encrypted with A _k(C), calculate again $e=h\left(x_{Q_a}\right|\left|x_{Q_b}\right|\left|M\right),$ U=(s+k) P and V=-eQ _aWhether last B check U+V=R (mod P) sets up, and just approves signature and accepts the information that A sends if set up, otherwise accept the information that A sends with regard to denial of signature and refusal.

Claims (3)

1. digital signature method, it is characterized in that: it is based on the elliptic curve public key cryptographic algorithm, is aided with hash function and symmetric encipherment algorithm and a kind of digital signature method of constituting, specific practice is:

(I) set up encryption system: find a big prime number n earlier, delivery is counted n for being equal to or greater than 160, and promptly 2 ¹⁵⁹≤ n＜2 ¹⁶⁰, modulus p is the big prime number of another one, and with the n isotopic number, m is a positive integer, constructs an elliptic curve E, and it is in finite field On the Weierstrass equation be

E:y ²+ a ₁Xy+a ₃Y=x ³+ a ₂x ²+ a ₄X+a ₆E is in finite field for note On disaggregation be

, Element number be # Be the multiple of n, suppose that P is that the order of E is the basic point of n; If the private cipher key of user A is a, the scope of a is 1＜a＜n, and publicly-owned key is $Q_a=\mathrm{ap}=(x_{Q_a}\·y_{Q_a}),$ The private cipher key of user B is b, and the scope of b is 1＜b＜n, and publicly-owned key is $Q_b=\mathrm{bp}=(x_{Q_b},y_{Q_b}),$ Need to select hash function h and a symmetric encipherment algorithm ENC of at least 160 of outputs in addition;

(II) carry out digital signature: user A at first checks the PKI of B, confirms the identity of B, if confirm errorlessly, A selects a positive integer x then at random, and the scope of x is 0＜x＜n, takes advantage of calculating by the elliptic curve number $K_1={\mathrm{xQ}}_b=\mathrm{xbp}=(x_{k_1},y_{k_1}),$ Utilize given hash function to calculate $k=h\left(x_{k_1}\right),$ Then A calculates $e=h\left(x_{Q_a}\right|\left|x_{Q_b}\right|\left|M\right)$ And s=ae+x-k (mod n) and R=xP, the symmetry block cipher that utilizes both sides all to know again carries out cryptographic calculation C=ENC _k(s ‖ M), last A will (R C) sends B to, and at this moment (s R) is exactly the signature of A on plaintext M.

2. according to the described digital signature method of claim 1, it is characterized in that the hash function that this method is used is the md5 hash function.

3. method of using the described digital signature method of claim 1 to authenticate, it is characterized in that, the process that this digital signature is authenticated is as follows: user B receives the information (R that user A sends, C) after, he at first checks the PKI of A, confirm the identity of A, if confirm errorlessly, B utilizes and disclose known elliptic curve E calculating $k_1=\mathrm{bR}=\mathrm{bxP}=(x_{k_1},y_{k_1}),$ Calculate with given hash function $k=h\left(x_{k_1}\right),$ Again C is decrypted computing and obtains (s ‖ M)=ENC _k(C), calculate then $e=h\left(x_{Q_a}\right|\left|x_{Q_B}\right|\left|M\right)$ , U=(s+k) P and V=-eQ _a, whether last B check U+V=R (modP) sets up, and just approves signature and accepts the information that A sends if set up, otherwise accept the information that A sends with regard to denial of signature and refusal.