
CN111010272B - Identification private key generation and digital signature method, system and device - Google Patents


Info

Publication number: CN111010272B
Authority: CN (China)
Prior art keywords: identification, private key, user, signature, digital signature
Legal status: Active
Application number: CN201911328551.XA
Other languages: Chinese (zh)
Other versions: CN111010272A
Inventor: 龙毅宏
Current assignee: Wuhan University of Technology WUT
Original assignee: Wuhan University of Technology WUT
Application filed by Wuhan University of Technology WUT; priority to CN201911328551.XA; publication of CN111010272A; application granted; publication of CN111010272B.

Classifications

    • H04L9/0847 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these, involving identity based encryption [IBE] schemes (under H04L9/08 Key distribution or management)
    • H04L9/3073 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving algebraic varieties, e.g. elliptic or hyper-elliptic curves, involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing (under H04L9/30)
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving digital signatures (under H04L9/32)
    • H04L2209/72 Signcrypting, i.e. digital signing and encrypting simultaneously (under H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00)


Abstract

The invention relates to an identification private key generation and digital signature method, system and device. P_1 and P_2 are the generators of the groups G1 and G2 of the SM9 algorithm respectively. The identification authentication server has a system master key s_m and a system master public key P_pub = [s_m]P_2. The identification private key generation client on the user side has a user master key s_U and P_U2 = [(s_U)^-1]P_pub. After verifying and confirming that the user is the owner of the identification and that P_U2 = [(s_U)^-1]P_pub, the identification authentication server generates authentication data C_A for the user identification and P_U2 and returns it to the identification private key generation client. The user-side cryptographic device, taking P_1 as the generator of G1, P_pub as the master public key and d_A as the private key, generates the digital signature (h, S) of a message with the SM9 signature algorithm. After verifying the validity of C_A, the verifier, taking P_1 as the generator of G1, P_U2 as the generator of G2 and P_pub as the master public key, verifies the validity of (h, S) with the SM9 signature algorithm.

Description

Identification private key generation and digital signature method, system and device
Technical Field
The invention belongs to the technical field of cryptography, and particularly relates to a method, system and device for generating an identification private key with non-repudiation capability and for digital signature based on bilinear mapping.
Background
Compared with PKI (Public Key Infrastructure), which relies on digital certificate technology, Identity-Based Cryptography (IBC) has the advantage that the troublesome step of obtaining the public key digital certificate of the private key owner is omitted and the technology is simple to realize; IBC is therefore attracting increasing attention and has a wide application prospect.
Identity-based cryptography can be used for data encryption (Identity Based Encryption, IBE) and digital signature (Identity Based Signature, IBS). At present most identity-based cryptographic algorithms are based on bilinear mapping (also called a pairing operation), where the bilinear map (pairing) is:
e: G1 × G2 → GT, in which G1 and G2 (the groups of the pairing or bilinear map) are additive cyclic groups, GT is a multiplicative cyclic group, and the order of G1, G2 and GT is a prime number n (in the SM9 specification the order of G1, G2, GT is written with the capital letter N); that is, if P is an element of G1, Q is an element of G2, and R is an element of the group it is added to below, then e(P, Q) is an element of GT and:
e(P+R, Q) = e(P, Q)·e(R, Q),
e(P, Q+R) = e(P, Q)·e(P, R),
e([a]P, [b]Q) = e(P, Q)^(ab),
where a and b are integers in [0, n-1], and [a]P and [b]Q denote the multiple addition (scalar multiplication) of the points P and Q.
SM9 is an identification cryptographic algorithm based on bilinear mapping (pairing operation) issued by the Chinese State Cryptography Administration (national cryptographic authority). The SM9 cryptographic algorithm can realize identification-based digital signature, key exchange and data encryption. In the SM9 cryptographic algorithm, the process of generating a digital signature for a message M with the user's SM9 signing private key d_A is as follows:
compute w = g^r, where r is an integer randomly selected in the interval [1, n-1] during signature computation, g = e(P_1, P_pub), P_1 is the generator of G1, and P_pub is the master public key (i.e. P_pub = [s]P_2, where s is the master private key or master key and P_2 is the generator of G2; see the SM9 specification; note that the symbols used here for the master private key or master key, the master public key and the user's SM9 identification private key differ from those used in the SM9 specification);
then compute h = H2(M||w, n), where H2 is the hash function specified in SM9, M||w denotes the concatenation of the byte strings of M and w, and n is the order of G1, G2, GT (see the SM9 specification; note that the group order here uses a symbol slightly different from the SM9 specification, the lowercase letter n, whereas the SM9 specification uses the uppercase letter N);
if r ≠ h, compute S = [r-h]d_A; then (h, S) is the generated digital signature; if r = h, reselect r and recompute w and h until r ≠ h.
Given the digital signature (h, S) of a message M, the validity of the signature is verified as follows (see the SM9 specification; note that the signature verification procedure in the SM9 specification uses the notation M', (h', S')).
B1: check whether h is an integer in [1, n-1]; if not, verification fails;
B2: check whether S is an element of G1; if not, verification fails;
B3: compute the element g = e(P_1, P_pub) of group GT;
B4: compute the element t = g^h of group GT;
B5: compute the integer h1 = H1(ID_A||hid, n) (here ID_A is the identification of the user, hid is the signature private key generating function identifier expressed in one byte, and H1() is the hash function defined in the SM9 specification);
B6: compute the element P = [h1]P_2 + P_pub of group G2;
B7: compute the element u = e(S, P) of group GT;
B8: compute the element w' = u·t of group GT;
B9: compute the integer h2 = H2(M||w', n) and check whether h2 = h; if so, verification passes, otherwise verification fails (H2() is the hash function defined in the SM9 specification).
In the SM9 cryptographic algorithm, the signing private key corresponding to a user identification (such as ID_A) is computed by the Key Generation Center (KGC) or Private Key Generator (PKG) of the private key generation system as follows:
compute t1 = (H1(ID_A||hid, n) + s) mod n, where H1 is the hash algorithm specified in the SM9 specification, s is the master private key or master key, n is the order of G1, G2, GT, hid is the private key generating function identifier expressed in one byte, || denotes byte string concatenation, and mod n denotes the remainder modulo n (note: in the SM9 specification the master private key or master key is denoted ks and the order of the groups G1, G2, GT is denoted N, which differs slightly from the present application);
if t1 = 0, the master private key must be regenerated, the master public key recomputed and published, and the existing private keys of users updated; otherwise compute t2 = s·(t1)^-1 mod n and d_A = [t2]P_1, where (t1)^-1 is the modulo-n multiplicative inverse of t1, P_1 is the generator of group G1, and [ ] denotes the multiple addition (scalar multiplication) of an element (point); then d_A is the signing private key corresponding to the user identification ID_A.
In identification cryptography based on bilinear mapping (pairing operation), the private key a user uses for digital signature is generated by the private key generation system (or private key generation center). A digital signature made with a user private key generated in this way cannot resist repudiation, because the owner of the identification private key can claim that the private key used for the digital signature was generated by the private key generation system and used by the operator of that system, and that the digital signature on the message was not generated with his own private key.
Disclosure of Invention
The invention aims to provide a corresponding solution to the problem that existing identification-based digital signatures cannot achieve non-repudiation.
To achieve this object, the technical solution of the invention includes a method for generating an identification private key, a digital signature method based on the identification private key generation method, and a system and a device based on the identification private key generation method and the digital signature method.
In the description of the invention, unless otherwise specified, the inverse of an integer (e.g. a^-1, where a is a non-zero integer) refers to the modulo-n multiplicative inverse of the integer, or of the modulo-n residue of the integer (the two are equivalent).
The identification private key generation method provided by the invention is specifically as follows.
The identification private key generation method involves a bilinear mapping (pairing operation) e: G1 × G2 → GT; the generator of group G1 is P_1 and the generator of group G2 is P_2; the order of the groups G1, G2, GT is a prime number n;
the identification private key generation method involves an identification authentication server (Identification Authentication Server) on the server side and an identification private key generation client (Private Key Generation Client) on the user side;
the identification authentication server has a system master key s_m (or system master private key s_m) in [1, n-1]; s_m has a corresponding system master public key P_pub = [s_m]P_2;
the identification private key generation client has a user master key s_U (or user master private key s_U) in [1, n-1] and the element P_U2 = [(s_U)^-1]P_pub of group G2, where (s_U)^-1 is the modulo-n multiplicative inverse of s_U;
after the identification authentication server has verified and confirmed that the user of the identification private key generation client is the owner of the identification and that P_U2 is the scalar multiple of P_pub by (s_U)^-1 (P_U2 = [(s_U)^-1]P_pub) (how these two points are verified and confirmed is outside the invention, but not difficult), it generates and issues the authentication data C_A for the user identification (such as ID_A) and P_U2, and returns the authentication data C_A to the identification private key generation client;
the authentication data C_A binds or associates the user identification with P_U2 and confirms that P_U2 is the scalar multiple of P_pub by (s_U)^-1 (P_U2 = [(s_U)^-1]P_pub), where s_U is the user master key (master private key); the authentication data C_A has the capability or characteristic of verifiability, unforgeability and tamper resistance: verifiability means that it can be verified that the authentication data C_A was indeed generated and issued by the identification authentication server; unforgeability means that other entities cannot forge authentication data that was not generated and issued by the identification authentication server and yet passes verification; tamper resistance means that any modification of the user identification, P_U2 or the authentication data C_A causes the verification of the authentication data C_A to fail;
the identification private key generation client on the user side, taking P_1 as the generator of group G1 and s_U as the master key (or master private key), generates the user's SM9 signing identification private key d_A corresponding to the user identification (such as ID_A)
(i.e. d_A = [s_U·(h_ID + s_U)^-1]P_1, where h_ID = H1(ID_A||hid, n)).
For the above identification private key generation method, P_U2 and the authentication data C_A are published by the identification authentication system (e.g. the identification authentication server or another system component), for example through a public platform using blockchain technology, so that they are available in the event of a dispute.
The server-side system is called an identification authentication server here because its function is similar to the public key certification (authentication) performed by the CA in a PKI/CA system, and the authentication data is similar to a digital certificate in PKI/CA. Authentication here is not identity authentication in the colloquial sense.
For the above identification private key generation method, the user identification includes: an original user identifier that contains no restriction information (e.g. an email address or mobile phone number without restriction information), or a restricted user identifier that contains restriction information (e.g. an email address or mobile phone number restricted by an expiration date or other information).
The ways in which the identification authentication server generates and issues the authentication data C_A for the user identification and P_U2 include using a digital signature, or using an approach based on bilinear mapping (pairing) operations.
The identification authentication server generates and issues the authentication data C_A for the user identification and P_U2 using the bilinear mapping (pairing) based approach as follows:
using a hash function, the system master key s_m and group operations, map the user identification and P_U2 to an element C_A of group G1, where the mapping has the following capabilities or characteristics:
with P_1, P_2 and P_pub, it can be verified and determined by bilinear mapping (pairing) operations that the authentication data C_A is the element of group G1 mapped from the user identification and P_U2 in the prescribed manner (i.e. verifiable);
without knowing the system master key s_m, one cannot generate authentication data C_A for a user identification and P_U2 that passes verification (i.e. satisfies the above verifiability requirement for C_A) (i.e. unforgeable);
any modification of the user identification, P_U2 or C_A causes the verification of C_A to fail (tamper resistant);
then the C_A obtained by this mapping is the authentication data for the user identification and P_U2.
The C_A generated in this manner is in effect a digital signature based on bilinear (pairing) operations using the system master key (master private key) s_m.
If G2 is an elliptic curve point group, one way for the identification authentication server to generate and issue the authentication data C_A for the user identification and P_U2 by means of a digital signature is:
with s_m as the private key and P_2 as the base point (P_pub being the public key corresponding to s_m), digitally sign data including the user identification and P_U2 with an elliptic curve digital signature algorithm to obtain the authentication data C_A.
The verification of the authentication data C_A then takes P_2 as the base point and P_pub as the public key corresponding to s_m, and verifies the validity of the authentication data C_A with the elliptic curve digital signature algorithm.
The digital signature method based on the identification private key generation method provided by the invention is as follows.
When the user's SM9 signing identification private key d_A generated by the identification private key generation method is to be used to digitally sign a message M, the signer takes P_1 as the generator of group G1 (corresponding to the generator P_1 in the SM9 digital signature algorithm), P_U2 as the generator of group G2 (corresponding to the generator P_2 in the SM9 digital signature algorithm), P_pub as the master public key (corresponding to the user master key or user master private key s_U; at this point P_pub = [s_U]P_U2, corresponding to the master public key P_pub in the SM9 digital signature algorithm) and d_A as the user's SM9 signing identification private key, generates the digital signature (h, S) for the message M with the SM9 digital signature algorithm, and includes (h, S), P_U2 and the authentication data C_A in the final signed data (how the final signed data contains P_U2 and C_A is outside the invention).
The signature verification method for the above digital signature method is as follows.
When the digital signature of the message M is verified, the signature verifier separates the digital signature (h, S), P_U2 and the authentication data C_A from the signed data.
The signature verifier verifies the validity of the authentication data C_A; if C_A fails the validity verification, the digital signature (h, S) fails verification; if C_A passes the validity verification, the signature verifier takes P_1 as the generator of group G1 (corresponding to the generator P_1 in the SM9 digital signature algorithm), P_U2 as the generator of group G2 (corresponding to the generator P_2 in the SM9 digital signature algorithm) and P_pub as the master public key (corresponding to the user master key or master private key s_U; at this point P_pub = [s_U]P_U2, corresponding to the master public key P_pub in the SM9 digital signature algorithm), and verifies the validity of (h, S) as the digital signature of the message M with the SM9 digital signature algorithm.
A corresponding identification private key generation system can be constructed based on the identification private key generation method of the invention. The system comprises an identification authentication server (Identification Authentication Server) on the server side and an identification private key generation client (Private Key Generation Client) on the user side; the identification private key generation client is a software component or a combined software and hardware component; the identification authentication server and the identification private key generation client generate, according to the identification private key generation method, the authentication data C_A for the user identification and P_U2 = [(s_U)^-1]P_pub, where s_U is the user master key (master private key), and generate the SM9 signing identification private key d_A corresponding to the user identification.
Based on the identification private key generation method and the digital signature method, a corresponding cryptographic device can be constructed. The cryptographic device comprises a signature operation unit and a key storage unit: the signature operation unit completes the signature operation, and the key storage unit stores the user's SM9 signing identification private key d_A generated according to the identification private key generation method; the signature operation unit is a hardware component or a combined software and hardware component. When the user's SM9 signing identification private key d_A is to be used to generate a digital signature for a message M, the signature operation unit in the cryptographic device acts as the signer in the digital signature method and, using the user's SM9 signing identification private key d_A stored in the key storage unit, generates the digital signature (h, S) for the message M as in the digital signature method (the cryptographic device is not necessarily responsible for putting P_U2 and C_A into the signed data).
The cryptographic system comprises the identification private key generation system and the cryptographic device. The identification private key generation system generates, according to the identification private key generation method, the authentication data C_A for the user identification and P_U2 = [(s_U)^-1]P_pub, where s_U is the user master key (master private key), and generates the SM9 signing identification private key d_A corresponding to the user identification; the identification private key generation client stores the generated identification private key d_A in the key storage unit of the cryptographic device. When the user's SM9 signing identification private key d_A is to be used to generate a digital signature for a message M, the signature operation unit in the cryptographic device, using the user's SM9 signing identification private key d_A stored in the key storage unit, generates the digital signature (h, S) for the message M as described in the digital signature method.
Based on the identification private key generation method of the invention, the user's SM9 signing identification private key d_A is generated from the user master key (master private key) s_U; the identification authentication system (server) is only responsible for generating and issuing the authentication data C_A for the user identification and P_U2, and d_A is not available to the identification authentication system (server). A digital signature generated with this identification private key therefore has non-repudiation: no other person or organization can generate or forge the user's SM9 signing identification private key d_A, and since P_U2 and C_A are publicly released, the user cannot deny that d_A was generated by the user himself.
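As an added illustration (not code from the patent), the following Python models the key derivation, signing and verification described above in the exponent domain: a real pairing is replaced by integer arithmetic modulo a prime, so that [a]P_1, [b]P_2 and e(P_1,P_2)^c are represented by the scalars a, b, c and bilinearity holds by construction; the hash H is a SHA-256 stand-in for SM9's H1/H2, and the identity and message are constructed. It checks only the algebra, namely that a signature made with d_A = [s_U·(h_ID + s_U)^-1]P_1 verifies with P_U2 in place of P_2 and fails with the standard P_2 or a modified message; it provides no cryptographic security.

```python
import hashlib
import secrets

# Exponent-domain model of the patent's SM9 variant (algebra check only).
#   [a]P_1 -> a,  [b]P_2 -> b,  e(P_1,P_2)^c -> c   (all modulo N)
#   e([a]P_1,[b]P_2) = e(P_1,P_2)^(a*b)  ->  a*b mod N
#   products in GT -> sums of exponents, powers in GT -> products
N = 2**61 - 1  # a prime standing in for the group order n (constructed)

def inv(x):
    """Modulo-n multiplicative inverse, as used for (s_U)^-1 and (h_ID + s_U)^-1."""
    return pow(x % N, -1, N)

def H(data):
    """Stand-in for SM9's H1/H2: hash bytes into [1, n-1] (assumption, not SM9's own hash)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (N - 1) + 1

def h_id(ident, hid=b"\x01"):
    """h_ID = H1(ID_A || hid, n); hid is the one-byte signature key function identifier."""
    return H(ident + hid)

class Server:
    """Identification authentication server: holds s_m, publishes P_pub = [s_m]P_2."""
    def __init__(self):
        self.s_m = secrets.randbelow(N - 1) + 1
        self.p_pub = self.s_m          # scalar of P_pub relative to P_2

class Client:
    """Identification private key generation client: holds s_U and derives d_A itself."""
    def __init__(self, ident, p_pub):
        self.ident = ident
        self.s_U = secrets.randbelow(N - 1) + 1
        # P_U2 = [(s_U)^-1] P_pub, an element of G2 (scalar relative to P_2)
        self.p_u2 = inv(self.s_U) * p_pub % N
        # d_A = [s_U (h_ID + s_U)^-1] P_1, an element of G1 (scalar relative to P_1)
        self.d_A = self.s_U * inv(h_id(ident) + self.s_U) % N

def sign(msg, d_A, p_pub):
    """SM9 signing with g = e(P_1, P_pub); returns (h, S), S modelled as a G1 scalar."""
    g = 1 * p_pub % N                     # g = e(P_1, P_pub) -> exponent s_m
    while True:
        r = secrets.randbelow(N - 1) + 1  # r random in [1, n-1]
        w = g * r % N                     # w = g^r
        h = H(msg + w.to_bytes(8, "big")) # h = H2(M || w, n)
        if r != h:                        # SM9: reselect r when r == h
            return h, (r - h) * d_A % N   # S = [r - h] d_A

def verify(msg, sig, ident, gen2, p_pub):
    """SM9 verification steps B1-B9 with gen2 used as the generator of G2.
    The patent passes P_U2 here; standard SM9 would pass P_2 (scalar 1).
    B2 (S in G1) has no meaning in the scalar model and is skipped."""
    h, S = sig
    if not 1 <= h <= N - 1:               # B1
        return False
    g = 1 * p_pub % N                     # B3: g = e(P_1, P_pub)
    t = g * h % N                         # B4: t = g^h
    h1 = h_id(ident)                      # B5
    P = (h1 * gen2 + p_pub) % N           # B6: P = [h1]gen2 + P_pub
    u = S * P % N                         # B7: u = e(S, P)
    w2 = (u + t) % N                      # B8: w' = u * t (exponents add)
    return H(msg + w2.to_bytes(8, "big")) == h   # B9: H2(M || w', n) == h

def demo():
    """Returns (valid, verified_with_P_2_instead_of_P_U2, verified_on_tampered_message)."""
    srv = Server()
    alice = Client(b"alice@example.com", srv.p_pub)      # constructed identity
    assert srv.p_pub == alice.s_U * alice.p_u2 % N        # P_pub = [s_U] P_U2
    sig = sign(b"pay 10", alice.d_A, srv.p_pub)
    ok = verify(b"pay 10", sig, alice.ident, alice.p_u2, srv.p_pub)
    wrong_gen = verify(b"pay 10", sig, alice.ident, 1, srv.p_pub)
    tampered = verify(b"pay 11", sig, alice.ident, alice.p_u2, srv.p_pub)
    return ok, wrong_gen, tampered

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```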
Compared with the prior art, the technical scheme of the invention has great implementation advantages.
Drawings
FIG. 1: the identification private key generation system of the invention
FIG. 2: the cryptographic device of the invention
FIG. 3: the cryptographic system of the invention
Detailed Description
The following describes specific embodiments of the present invention.
The implementation of the invention relates to the implementation of the identification private key generation method, the digital signature method and the signature verification method.
The implementation of the identification private key generation method of the invention involves a bilinear mapping (pairing operation) e: G1 × G2 → GT; the generator of group G1 is P_1 and the generator of group G2 is P_2; the order of the groups G1, G2, GT is a prime number n;
the identification private key generation method involves an identification authentication server (Identification Authentication Server) on the server side and an identification private key generation client (Private Key Generation Client) on the user side;
the identification authentication server has a system master key s_m (or system master private key s_m) in [1, n-1]; s_m has a corresponding system master public key P_pub = [s_m]P_2;
the identification private key generation client has a user master key s_U (or user master private key s_U) in [1, n-1] and the element P_U2 = [(s_U)^-1]P_pub of group G2, where (s_U)^-1 is the modulo-n multiplicative inverse of s_U;
after the identification authentication server has verified and confirmed that the user of the identification private key generation client is the owner of the identification and that P_U2 is the scalar multiple of P_pub by (s_U)^-1 (P_U2 = [(s_U)^-1]P_pub) (how these two points are verified and confirmed is outside the invention, but not difficult), it generates and issues the authentication data C_A for the user identification (such as ID_A) and P_U2, and returns the authentication data C_A to the identification private key generation client;
the authentication data C_A binds or associates the user identification with P_U2 and confirms that P_U2 is the scalar multiple of P_pub by (s_U)^-1 (P_U2 = [(s_U)^-1]P_pub), where s_U is the user master key (master private key); the authentication data C_A has the capability or characteristic of verifiability, unforgeability and tamper resistance: verifiability means that it can be verified that the authentication data C_A was indeed generated and issued by the identification authentication server; unforgeability means that other entities cannot forge authentication data that was not generated and issued by the identification authentication server and yet passes verification; tamper resistance means that any modification of the user identification, P_U2 or the authentication data C_A causes the verification of the authentication data C_A to fail;
the identification private key generation client on the user side, taking P_1 as the generator of group G1 and s_U as the master key (or master private key), generates the user's SM9 signing identification private key d_A corresponding to the user identification (such as ID_A)
(i.e. d_A = [s_U·(h_ID + s_U)^-1]P_1, where h_ID = H1(ID_A||hid, n)).
For the above identification private key generation method, P_U2 and the authentication data C_A are published by the identification authentication system (e.g. the identification authentication server or another system component), for example through a public platform using blockchain technology, so that they are available in the event of a dispute.
For the above identification private key generation method, the user identification includes: an original user identifier that contains no restriction information (e.g. an email address or mobile phone number without restriction information), or a restricted user identifier that contains restriction information (e.g. an email address or mobile phone number restricted by an expiration date or other information).
In specific implementation, the ways in which the identification authentication server generates and issues the authentication data C_A for the user identification and P_U2 include using a digital signature, or using an approach based on bilinear mapping (pairing) operations.
The identification authentication server generates and issues the authentication data C_A for the user identification and P_U2 based on bilinear mapping (pairing) operations as follows:
using a hash function, the system master key s_m and group operations, map the user identification and P_U2 to an element C_A of group G1, where the mapping has the following capabilities or characteristics:
with P_1, P_2 and P_pub, it can be verified and determined by bilinear mapping (pairing) operations that the authentication data C_A is the element of group G1 mapped from the user identification and P_U2 in the prescribed manner (i.e. verifiable);
without knowing the system master key s_m, one cannot generate authentication data C_A for a user identification and P_U2 that passes verification (i.e. satisfies the above verifiability requirement for C_A) (i.e. unforgeable);
any modification of the user identification, P_U2 or C_A causes the verification of C_A to fail (tamper resistant);
then the C_A obtained by this mapping is the authentication data for the user identification and P_U2.
Generating $C_A$ in this way based on the bilinear map (pairing) operation is in fact a digital signature based on the bilinear (pairing) operation that uses the system master key (master private key) $s_m$. In embodiment "(five)" of CN108989054A, "implementation of a digital signature on data containing the identity information $U$, $P_{pub}$ and the key definition information", the digital signature schemes other than the "elliptic curve cryptography-based digital signature" (i.e., schemes (1) to (4)) are all digital signature schemes based on the bilinear (pairing) operation. In addition, the following way of mapping the user identification and $P_{U2}$ to an element $C_A$ of group $G_1$ using a hash function, the system master key $s_m$ and group operations, and using the result as the authentication data $C_A$ (again a digital signature based on the bilinear map using the system master key $s_m$), is also one of the usable ways:
compute $h_c$ from the user identification (e.g., $ID_A$) and $P_{U2}$ using a hash function;
compute $C_A = [(a + b s_m)(n_c h_c + s_m)^{-1}] P_1$, where $n_c$ is an integer randomly chosen in $[1, n-1]$ when generating $C_A$, and $a$, $b$ are known integers in $[0, n-1]$ that are not both 0 (they may be constants or not, but usually fixed constants are taken, such as $a = 0, b = 1$, or $a = 1, b = 0$, or $a = 1, b = 1$);
the validity of the authentication data $C_A$ generated in this way is verified as follows:
compute $h_c$ from the user identification and $P_{U2}$ using the hash function in the same way as when generating $C_A$;
compute $P_c = [n_c h_c] P_2 + P_{pub}$;
check whether $e(C_A, P_c) = e(P_1, P_2)^a \cdot e(P_1, P_{pub})^b$; if they are equal, the authentication data $C_A$ is valid, otherwise the verification fails.
$a$ and $b$ may be chosen and set in any way, as long as they are not both 0.
If $a = 0$ and $b = 1$, then $C_A$ is essentially the SM9 identification private key (used as a digital signature) corresponding to the combination of the user identification and $P_{U2}$ taken as an identification.
The purpose of $n_c$ is to avoid $(n_c h_c + s_m) \bmod n = 0$. When generating $C_A$, if $(n_c h_c + s_m) \bmod n = 0$, an $n_c$ is reselected in $[1, n-1]$ until $(n_c h_c + s_m) \bmod n \neq 0$. When the identification authentication server returns $C_A$ to the identification private key generation client, $n_c$ is returned as well.
Generally $n_c$ is kept together with $C_A$, and when verifying the validity of $C_A$, $n_c$ is taken out at the same time.
The ways of computing $h_c$ from the user identification and $P_{U2}$ using a hash function include:
compute $h_{1c}$ from the user identification (e.g., $ID_A$) using a hash function, compute $h_{2c}$ from $P_{U2}$ using a hash function, and then compute $h_c = (h_{1c} + h_{2c}) \bmod n$ or $h_c = (h_{1c} h_{2c}) \bmod n$;
or, concatenate the user identification and $P_{U2}$ (e.g., $ID_A \| P_{U2}$), compute the hash value of the concatenated data using a hash function, and use the computed hash value as $h_c$.
If $G_2$ is an elliptic curve point group, one way for the identification authentication server to generate and issue the authentication data $C_A$ for the user identification and $P_{U2}$ by means of a digital signature is:
using $s_m$ as the private key and $P_2$ as the base point ($P_{pub}$ is the public key corresponding to $s_m$), digitally sign data containing the user identification and $P_{U2}$ with an elliptic curve digital signature algorithm, obtaining the authentication data $C_A$;
the validity of the authentication data $C_A$ is verified with the elliptic curve digital signature algorithm, taking $P_2$ as the base point and $P_{pub}$ as the public key corresponding to $s_m$.
The digital signature method implemented based on the identification private key generation method of the present invention is as follows.
When the user's SM9 identification private key for signature $d_A$ generated by the identification private key generation method is to be used to digitally sign a message $M$, the signer takes $P_1$ as the generator of group $G_1$ (corresponding to the generator $P_1$ in the SM9 digital signature algorithm), $P_{U2}$ as the generator of group $G_2$ (corresponding to the generator $P_2$ in the SM9 digital signature algorithm), $P_{pub}$ as the master public key (corresponding to the user master key, or user master private key, $s_U$; here $P_{pub} = [s_U] P_{U2}$, corresponding to the master public key $P_{pub}$ in the SM9 digital signature algorithm) and $d_A$ as the user's SM9 identification private key for signature, and generates a digital signature $(h, S)$ for the message $M$ with the SM9 digital signature algorithm; the final signature data (Signed Data) contains $(h, S)$, $P_{U2}$ and the authentication data $C_A$ (how the final signature data contains $P_{U2}$ and $C_A$ is outside the scope of the present invention). The digital signature $(h, S)$ is generated as follows:
compute $w = g^r$, where $r$ is an integer randomly chosen in $[1, n-1]$ during the signature computation and $g = e(P_1, P_{pub})$, with $P_1$ and $P_{pub}$ as described above;
then compute $h = H_2(M \| w, n)$, where $H_2()$ and its parameters are as described in the background;
if $r \neq h$, compute $S = [r - h] d_A$, and $(h, S)$ is the generated digital signature; if $r = h$, reselect $r$ and recompute $w$ and $h$ until $r \neq h$.
The final signature data (Signed Data) contains $(h, S)$, $P_{U2}$ and $C_A$ (how the final signature data contains $P_{U2}$ and $C_A$ is outside the scope of the present invention).
The signature verification method implemented based on the digital signature method of the present invention is as follows.
When the digital signature of the message $M$ is to be verified, the signature verifier separates the digital signature $(h, S)$, $P_{U2}$ and the authentication data $C_A$ from the signature data.
The signature verifier verifies the validity of the authentication data $C_A$; if $C_A$ fails the validity verification, the digital signature $(h, S)$ fails verification. If $C_A$ passes the validity verification, the signature verifier takes $P_1$ as the generator of group $G_1$ (corresponding to the generator $P_1$ in the SM9 digital signature algorithm), $P_{U2}$ as the generator of group $G_2$ (corresponding to the generator $P_2$ in the SM9 digital signature algorithm) and $P_{pub}$ as the master public key (corresponding to the user master key, or user master private key, $s_U$; here $P_{pub} = [s_U] P_{U2}$, corresponding to the master public key $P_{pub}$ in the SM9 digital signature algorithm), and verifies the validity of $(h, S)$ as the digital signature of the message $M$ with the SM9 digital signature algorithm, as follows:
B1: check whether $h \in [1, n-1]$; if not, verification fails;
B2: check whether $S \in G_1$; if not, verification fails;
B3: compute the element $g = e(P_1, P_{pub})$ of group $G_T$;
B4: compute the element $t = g^h$ of group $G_T$;
B5: compute the integer $h_1 = H_1(ID_A \| hid, n)$, where $H_1()$ and its parameters are as in the SM9 specification;
B6: compute the element $P = [h_1] P_{U2} + P_{pub}$ of group $G_2$;
B7: compute the element $u = e(S, P)$ of group $G_T$;
B8: compute the element $w' = u \cdot t$ of group $G_T$;
B9: compute the integer $h_2 = H_2(M \| w', n)$ and check whether $h_2 = h$; if so, verification passes, otherwise verification fails.
An identification private key generation system can be built on the identification private key generation method of the present invention, as shown in Fig. 1. The system comprises an identification authentication server (Identity Verification Server) on the server side and an identification private key generation client (Private Key Generation Client) on the user side; the identification private key generation client is a software component or a component combining software and hardware. Following the identification private key generation method, the identification authentication server and the identification private key generation client generate the authentication data $C_A$ for the user identification and $P_{U2} = [(s_U)^{-1}] P_{pub}$, where $s_U$ is the user master key (master private key), and generate the user's SM9 identification private key for signature $d_A$ corresponding to the user identification.
A cryptographic device can be built on the identification private key generation method and the digital signature method of the present invention, as shown in Fig. 2. The cryptographic device comprises a signature operation unit and a key storage unit: the signature operation unit performs the signature operation, and the key storage unit stores the user's SM9 identification private key for signature $d_A$ generated according to the identification private key generation method; the signature operation unit is a hardware component or a component combining software and hardware. When the user's SM9 identification private key for signature $d_A$ is to be used to generate a digital signature for a message $M$, the signature operation unit in the cryptographic device acts as the signer of the digital signature method and generates the digital signature $(h, S)$ for the message $M$ according to the digital signature method, using the $d_A$ stored in the key storage unit (the cryptographic device is not necessarily responsible for placing $P_{U2}$ and $C_A$ into the signature data).
A cryptographic system can be built on the identification private key generation system and the cryptographic device of the present invention, as shown in Fig. 3. The system comprises the identification private key generation system and the cryptographic device: the identification private key generation system generates, according to the identification private key generation method, the authentication data $C_A$ for the user identification and $P_{U2} = [(s_U)^{-1}] P_{pub}$, where $s_U$ is the user master key (master private key), and generates the user's SM9 identification private key for signature $d_A$ corresponding to the user identification, and the identification private key generation client stores the generated $d_A$ in the key storage unit of the cryptographic device. When $d_A$ is to be used to generate a digital signature for a message $M$, the signature operation unit in the cryptographic device generates the digital signature $(h, S)$ for the message $M$ according to the digital signature method described above, using the $d_A$ stored in the key storage unit.
Other specific technical implementations not described here are well known to, and readily apparent to, those skilled in the relevant art.

Claims (10)

1. A method for generating an identification private key is characterized in that:
the identification private key generation method involves a bilinear map $e: G_1 \times G_2 \to G_T$; the generator of group $G_1$ is $P_1$ and the generator of group $G_2$ is $P_2$; the order of groups $G_1$, $G_2$ and $G_T$ is a prime $n$;
the identification private key generation method involves an identification authentication server on the server side and an identification private key generation client on the user side;
the identification authentication server has a system master key $s_m$ in $[1, n-1]$; $s_m$ has a corresponding system master public key $P_{pub} = [s_m] P_2$;
the identification private key generation client has a user master key $s_U$ in $[1, n-1]$ and an element $P_{U2} = [(s_U)^{-1}] P_{pub}$ of group $G_2$, where $(s_U)^{-1}$ is the multiplicative inverse of $s_U$ modulo $n$;
after the identification authentication server verifies and confirms that the user of the identification private key generation client is the owner of the identification and that $P_{U2}$ is the scalar multiple of $P_{pub}$ by $(s_U)^{-1}$, i.e., $P_{U2} = [(s_U)^{-1}] P_{pub}$, it generates and issues the authentication data $C_A$ for the user identification and $P_{U2}$ and returns the authentication data $C_A$ to the identification private key generation client;
the authentication data $C_A$ binds or associates the user identification with $P_{U2}$ and confirms that $P_{U2}$ is the scalar multiple of $P_{pub}$ by $(s_U)^{-1}$, i.e., $P_{U2} = [(s_U)^{-1}] P_{pub}$, where $s_U$ is the user master key; the authentication data $C_A$ has the capabilities or characteristics of verifiability, unforgeability and tamper resistance; verifiability means that it can be verified that the authentication data $C_A$ was indeed generated and issued by the identification authentication server; unforgeability means that no other entity can forge authentication data that was not generated and issued by the identification authentication server yet passes verification; tamper resistance means that any modification of the user identification, $P_{U2}$ or the authentication data $C_A$ causes the verification of the authentication data $C_A$ to fail;
the identification private key generation client on the user side, taking $P_1$ as the generator of group $G_1$ and $s_U$ as the master key, generates the SM9 identification private key for signature $d_A$ corresponding to the user identification.
2. The method for generating an identification private key according to claim 1, wherein:
the user identification comprises: an original identification of the user that does not contain any defining information or a defined identification of the user that contains defining information.
3. The method for generating an identification private key according to claim 1, wherein:
the way in which the identification authentication server generates and issues the authentication data $C_A$ for the user identification and $P_{U2}$ includes using a digital signature, or a way based on the bilinear mapping operation.
4. The method of claim 3, wherein:
the way in which the identification authentication server generates and issues the authentication data $C_A$ for the user identification and $P_{U2}$ based on the bilinear mapping operation is as follows:
the user identification and $P_{U2}$ are mapped, using a hash function, the system master key $s_m$ and group operations, to an element $C_A$ of group $G_1$, where the mapping has the following capabilities or characteristics:
using $P_1$, $P_2$, $P_{pub}$ and the bilinear mapping operation, it can be verified and determined that the authentication data $C_A$ is the element of group $G_1$ obtained by mapping the user identification and $P_{U2}$ in the prescribed way;
without knowledge of the system master key $s_m$, authentication data $C_A$ for the user identification and $P_{U2}$ that passes verification cannot be generated;
any modification of the user identification, $P_{U2}$ or $C_A$ causes the verification of $C_A$ to fail;
the $C_A$ obtained by such a mapping is then the authentication data for the user identification and $P_{U2}$.
5. The method of claim 3, wherein:
if $G_2$ is an elliptic curve point group, one way for the identification authentication server to generate and issue the authentication data $C_A$ for the user identification and $P_{U2}$ by means of a digital signature is:
using $s_m$ as the private key and $P_2$ as the base point, with $P_{pub}$ as the public key corresponding to $s_m$, digitally sign data containing the user identification and $P_{U2}$ with an elliptic curve digital signature algorithm, obtaining the authentication data $C_A$;
the validity of the authentication data $C_A$ is verified with the elliptic curve digital signature algorithm, taking $P_2$ as the base point and $P_{pub}$ as the public key corresponding to $s_m$.
6. A digital signature method based on the identification private key generation method of any one of claims 1 to 5, characterized in that:
when the user's SM9 identification private key for signature $d_A$ generated by the identification private key generation method is to be used to digitally sign a message $M$, the signer takes $P_1$ as the generator of group $G_1$, $P_{U2}$ as the generator of group $G_2$, $P_{pub}$ as the master public key and $d_A$ as the user's SM9 identification private key for signature, generates a digital signature $(h, S)$ for the message $M$ with the SM9 digital signature algorithm, and the final signature data contains $(h, S)$, $P_{U2}$ and the authentication data $C_A$.
7. A signature verification method based on the digital signature method of claim 6, characterized in that:
when the digital signature of the message $M$ is to be verified, the signature verifier separates the digital signature $(h, S)$, $P_{U2}$ and the authentication data $C_A$ from the signature data;
the signature verifier verifies the validity of the authentication data $C_A$; if $C_A$ fails the validity verification, the digital signature $(h, S)$ fails verification; if $C_A$ passes the validity verification, the signature verifier takes $P_1$ as the generator of group $G_1$, $P_{U2}$ as the generator of group $G_2$ and $P_{pub}$ as the master public key, and verifies the validity of $(h, S)$ as the digital signature of the message $M$ with the SM9 digital signature algorithm.
8. An identification private key generation system based on the identification private key generation method according to any one of claims 1 to 5, characterized in that:
the system comprises an identification authentication server on the server side and an identification private key generation client on the user side; the identification private key generation client is a software component or a component combining software and hardware; following the identification private key generation method, the identification authentication server and the identification private key generation client generate the authentication data $C_A$ for the user identification and $P_{U2} = [(s_U)^{-1}] P_{pub}$, where $s_U$ is the user master key, and generate the user's SM9 identification private key for signature $d_A$ corresponding to the user identification.
9. A cryptographic apparatus based on the digital signature method of claim 6, characterized in that:
the cryptographic apparatus comprises a signature operation unit and a key storage unit, wherein the signature operation unit performs the signature operation and the key storage unit stores the user's SM9 identification private key for signature $d_A$ generated according to the identification private key generation method; the signature operation unit is a hardware component or a component combining software and hardware; when the user's SM9 identification private key for signature $d_A$ is to be used to generate a digital signature for a message $M$, the signature operation unit in the cryptographic apparatus acts as the signer of the digital signature method and generates the digital signature $(h, S)$ for the message $M$ according to the digital signature method, using the $d_A$ stored in the key storage unit.
10. A cryptographic system based on the cryptographic device of claim 9, wherein:
the cryptographic system comprises an identification private key generation system and the cryptographic apparatus, wherein the identification private key generation system comprises an identification authentication server on the server side and an identification private key generation client on the user side; the identification private key generation client is a software component or a component combining software and hardware; following the identification private key generation method, the identification authentication server and the identification private key generation client generate the authentication data $C_A$ for the user identification and $P_{U2} = [(s_U)^{-1}] P_{pub}$, where $s_U$ is the user master key, and generate the user's SM9 identification private key for signature $d_A$ corresponding to the user identification, and the identification private key generation client stores the generated $d_A$ in the key storage unit of the cryptographic apparatus; when the user's SM9 identification private key for signature $d_A$ is to be used to generate a digital signature for a message $M$, the signature operation unit in the cryptographic apparatus generates the digital signature $(h, S)$ for the message $M$ according to the digital signature method, using the $d_A$ stored in the key storage unit.
CN201911328551.XA 2019-12-20 2019-12-20 Identification private key generation and digital signature method, system and device Active CN111010272B (en)

Publications (2)

Publication Number Publication Date
CN111010272A CN111010272A (en) 2020-04-14
CN111010272B true CN111010272B (en) 2021-01-12

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112069547B (en) * 2020-07-29 2023-12-08 北京农业信息技术研究中心 Identity authentication method and system for supply chain responsibility main body
CN112003698B (en) * 2020-09-07 2024-04-19 三未信安科技股份有限公司 SM9 collaborative digital signature method and system
CN112580765A (en) * 2020-12-17 2021-03-30 航天信息股份有限公司 Method and device for generating personalized anti-counterfeiting characteristics of certificate by applying SM9 algorithm
CN113158202B (en) * 2021-03-22 2023-12-15 北京信息科技大学 Distributed key management and verification method and system based on identification password
CN114301585B (en) * 2021-11-17 2024-01-05 北京智芯微电子科技有限公司 Identification private key using method, generation method and management system
CN114499883A (en) * 2022-02-09 2022-05-13 浪潮云信息技术股份公司 Cross-organization identity authentication method and system based on blockchain and SM9 algorithm
CN114547681A (en) * 2022-02-15 2022-05-27 北京无字天书科技有限公司 Private key generation method and related method, system, computer device and storage medium
CN114499887B (en) * 2022-02-15 2024-04-26 北京无字天书科技有限公司 Signing key generation and related methods, systems, computer devices and storage media
CN115174104B (en) * 2022-06-28 2024-12-06 福建师范大学 Attribute-based online/offline signature method and system based on commercial secret SM9
CN119051876B (en) * 2024-10-17 2025-02-14 四川省数字证书认证管理中心有限公司 Sign combined key signature and encryption method

Citations (3)

Publication number Priority date Publication date Assignee Title
CN105530099A (en) * 2015-12-11 2016-04-27 捷德(中国)信息科技有限公司 Anti-fake verification method, device and system and anti-fake certificate based on IBC (Identity-Base Cryptography)
CN107135080A (en) * 2017-07-06 2017-09-05 深圳奥联信息安全技术有限公司 SM9 decryption methods and device
CN107819585A (en) * 2017-11-17 2018-03-20 武汉理工大学 SM9 digital signature cooperates with generation method and system

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
US20070043947A1 (en) * 2005-08-19 2007-02-22 Mizikovsky Semyon B Providing multimedia system security to removable user identity modules
US10348724B2 (en) * 2014-04-07 2019-07-09 Barco N.V. Ad hoc one-time pairing of remote devices using online audio fingerprinting
US10074374B2 (en) * 2014-04-07 2018-09-11 Barco N.V. Ad hoc one-time pairing of remote devices using online audio fingerprinting
CN106452721A (en) * 2016-10-14 2017-02-22 牛毅 Method and system for instruction identification of intelligent device based on identification public key
CN110519041B (en) * 2019-07-29 2021-09-03 同济大学 Attribute-based encryption method based on SM9 identification encryption

Non-Patent Citations (3)

Title
D. Boneh, "Identity based encryption from the Weil pairing", Advances in Cryptology, 2001, full text *
Zhaohui Cheng, "The SM9 Cryptographic Schemes", IACR Cryptol., 2017, full text *
Yuan Feng, "SM9标识密码算法综述" (A survey of the SM9 identity-based cryptographic algorithm), 信息安全研究 (Journal of Information Security Research), 2016-11-05, full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant