
CN113849832A - Three-party collaborative signing and decryption method and system based on SM2 algorithm

Publication number: CN113849832A
Authority: CN (China)
Prior art keywords: communication party, party, signature, communication, private key
Legal status: Pending
Application number: CN202110994075.6A
Other languages: Chinese (zh)
Inventors: 王慧, 高翔, 张渊, 郑江东, 王幼君
Current Assignee: Beijing Watchdata Co ltd
Original Assignee: Beijing Watchdata Co ltd

Classifications

    • G Physics
    • G06 Computing; calculating or counting
    • G06F Electric digital data processing
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a three-party collaborative signing and decryption method and system based on the SM2 algorithm, belonging to the technical field of cryptography applications. The collaborative signing method comprises the following steps: each communication party generates its own sub-private key; the third communication party calculates a third partial public key and sends it to the second communication party; the second communication party calculates a second partial public key and sends it to the first communication party; the first communication party calculates the complete public key; the first communication party calculates the digest of the message to be signed, generates a first partial signature and sends it to the second communication party; the second communication party calculates a second partial signature and sends it to the third communication party; the third communication party calculates a third partial signature and sends it to the second communication party; the second communication party calculates a fourth partial signature and sends it to the first communication party; the first communication party generates the complete signature. The invention also relates to a three-party collaborative decryption method. The invention improves the security of the SM2 private key, has low communication and computation cost, reuses the basic operation modules of the SM2 algorithm, and can be used in scenarios where three parties collaboratively generate transaction signatures.

Description

Three-party collaborative signing and decryption method and system based on SM2 algorithm
Technical Field
The invention belongs to the technical field of cryptography application, and particularly relates to a three-party collaborative signature and decryption method and system based on SM2 algorithm.
Background
The SM2 algorithm is an elliptic-curve public key cryptographic algorithm issued by the State Cryptography Administration. It is an important component of the national commercial cryptographic algorithm standards and plays an important role in securing applications such as e-commerce, e-government and identity authentication. In a public key cryptosystem it is essential to protect the private key, and a user's private key normally needs to be generated, stored and used inside dedicated hardware. With the development of the internet, however, the SM2 algorithm is applied ever more widely, and many systems that use it have no hardware cryptographic module such as a cryptographic chip or secure element; the private key is instead stored on the user terminal by a software cryptographic module. Although the private key can be protected by encryption, a PIN code and similar means, it is still easily stolen by an attacker.
Generally, the SM2 signing private key is held solely by the user, which cannot meet the security requirements of the current distributed environment. To avoid concentrating the signing authority and to reduce the risk caused by loss of the private key, the private key can be split into several sub-private keys stored on different terminals or servers; when a signature with the private key is needed, the parties generate it through cooperative interaction.
Some two-party signing or decryption schemes based on the SM2 algorithm exist at present, but three-party signing or decryption schemes are very few and suffer from problems such as high computation and communication overhead and low signing or decryption efficiency.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to provide a three-party collaborative signing and decryption method and system based on the SM2 algorithm that reduces the risk of private key loss, can be used in application scenarios that need to avoid centralized signing authority, and solves or at least partially solves prior-art problems such as heavy computation, large volumes of communication data and low signature generation efficiency.
In order to achieve the above object, in a first aspect, the present invention provides a three-party collaborative signature method based on SM2 algorithm, including a public key generation phase and a collaborative signature phase, where the public key generation phase includes the following steps:
the third communication party generates a sub private key of the third communication party, calculates a third part of public keys according to the sub private key of the third communication party and sends the third part of public keys to the second communication party;
the second communication party generates a sub private key of the second communication party, calculates a second part public key according to the sub private key of the second communication party and the received third part public key, and sends the second part public key to the first communication party;
the first communication party generates a sub private key of the first communication party, and calculates and discloses a complete public key according to the sub private key of the first communication party and the received second part public key;
the co-signing stage comprises the following steps:
the first communication party calculates the message digest of the message to be signed, generates a first part signature and sends the message digest and the first part signature to the second communication party;
the second communication party calculates a second part signature according to the sub private key of the second communication party and the first part signature and sends the message digest and the second part signature to a third communication party;
the third communication party calculates a third part signature according to the own sub private key, the received second part signature and the received message digest, and sends the third part signature to the second communication party;
the second communication party calculates a fourth part signature according to the own sub private key and the received third part signature and sends the fourth part signature to the first communication party;
and the first communication party generates a complete signature according to the own sub private key and the fourth partial signature and outputs the complete signature.
Further, as described above, in the three-party collaborative signature method based on the SM2 algorithm, the specific calculation method of the complete public key in the public key generation phase is as follows:
the third communication party generates a random number $d_3 \in [1, n-1]$ as its own sub-private key, calculates the third partial public key $P_3 = d_3^{-1}[*]G$ from the sub-private key $d_3$, and sends $P_3$ to the second communication party, where G is the base point of the SM2 elliptic curve E shared by the three communicating parties, n is the order of the base point, and $[*]$ denotes the point multiplication operation on the elliptic curve E;
the second communication party generates a random number $d_2 \in [1, n-1]$ as its own sub-private key, calculates the second partial public key $P_2 = d_2^{-1}[*]P_3$ from the sub-private key $d_2$ and the received third partial public key $P_3$, and sends $P_2$ to the first communication party;
the first communication party generates a random number $d_1 \in [1, n-1]$ as its own sub-private key, and calculates the complete public key $P = d_1^{-1}[*]P_2 - G$ from the sub-private key $d_1$ and the received second partial public key $P_2$;
if $P = O$, the first communication party regenerates the random number; otherwise P is published as the complete public key, where O is the point at infinity of the elliptic curve E.
Further, in the three-party cooperative signature method based on the SM2 algorithm, the specific process of generating a complete signature in the cooperative signature stage is as follows:
for a message M to be signed, the first communication party concatenates the corresponding Z value of the SM2 algorithm with the message M to form $M'$, that is, $M' = Z \| M$, and then calculates the message digest $e = H(M')$, where Z represents an identity common to the first, second and third communication parties and H() represents a predetermined cryptographic hash function;
the first communication party generates a random number $k_1 \in [1, n-1]$, calculates the first partial signature $Q_1 = k_1[*]G$ from $k_1$, and sends the message digest e and the first partial signature $Q_1$ to the second communication party;
the second communication party generates a random number $k_2 \in [1, n-1]$, calculates the second partial signature $Q_2 = d_2^{-1}[*]Q_1 + k_2[*]G$ from $k_2$ and the received first partial signature $Q_1$, and sends the message digest e and the second partial signature $Q_2$ to the third communication party;
the third communication party generates a random number $k_3 \in [1, n-1]$, calculates the intermediate partial signature $Q_3 = d_3^{-1}[*]Q_2 + k_3[*]G = (x_1, y_1)$ from $k_3$ and the received second partial signature $Q_2$, and calculates the signature component $r = (x_1 + e) \bmod n$; if $r = 0$, the third communication party regenerates the random number, where mod is the modulo operation;
if $r \neq 0$, the third communication party calculates the third partial signature $s_3 = d_3(k_3 + r) \bmod n$, and sends the signature component r and the third partial signature $s_3$ to the second communication party;
the second communication party calculates the fourth partial signature $s_2 = d_2(k_2 + s_3) \bmod n$ from the received third partial signature $s_3$, and sends the signature component r and the fourth partial signature $s_2$ to the first communication party;
the first communication party calculates the signature component $s = (d_1(k_1 + s_2) - r) \bmod n$ from the sub-private key $d_1$, the received signature component r and the fourth partial signature $s_2$; if $s = 0$ or $s = n - r$, the signing flow is restarted, otherwise $(r, s)$ is output as the complete signature.
Further, the identities of the first, second and third communication parties may be interchanged as described above for the three-party co-signing method based on the SM2 algorithm.
In a second aspect, the invention provides a three-party collaborative decryption method based on the SM2 algorithm, which includes a public key generation phase and a collaborative decryption phase, wherein the public key generation phase includes the following steps:
the third communication party generates a sub private key of the third communication party, calculates a third part of public keys according to the sub private key of the third communication party and sends the third part of public keys to the second communication party;
the second communication party generates a sub private key of the second communication party, calculates a second part public key according to the sub private key of the second communication party and the received third part public key, and sends the second part public key to the first communication party;
the first communication party generates a sub private key of the first communication party, and calculates and discloses a complete public key according to the sub private key of the first communication party and the received second part public key;
the collaborative decryption phase comprises the following steps:
the first communication party extracts a first part of ciphertext from the obtained ciphertext, partially decrypts the first part of ciphertext according to a sub private key of the first communication party to obtain a first cooperative ciphertext, and sends the first cooperative ciphertext to the second communication party;
the second communication party decrypts the part of the first cooperative ciphertext according to the own sub-private key to obtain a second cooperative ciphertext and sends the second cooperative ciphertext to a third communication party;
the third communication party decrypts the second cooperative ciphertext partially according to the own sub-private key to obtain a third cooperative ciphertext and sends the third cooperative ciphertext to the first communication party;
and the first communication party decrypts the ciphertext completely according to the own sub private key and the received third cooperative ciphertext to obtain a complete plaintext and outputs the complete plaintext.
Further, as described above, in the three-party cooperative decryption method based on the SM2 algorithm, the specific calculation method of the complete public key in the public key generation phase is as follows:
the third communication party generates a random number $d_3 \in [1, n-1]$ as its own sub-private key, calculates the third partial public key $P_3 = d_3^{-1}[*]G$ from the sub-private key $d_3$, and sends $P_3$ to the second communication party, where G is the base point of the SM2 elliptic curve E shared by the three communicating parties, n is the order of the base point, and $[*]$ denotes the point multiplication operation on the elliptic curve E;
the second communication party generates a random number $d_2 \in [1, n-1]$ as its own sub-private key, calculates the second partial public key $P_2 = d_2^{-1}[*]P_3$ from the sub-private key $d_2$ and the received third partial public key $P_3$, and sends $P_2$ to the first communication party;
the first communication party generates a random number $d_1 \in [1, n-1]$ as its own sub-private key, and calculates the complete public key $P = d_1^{-1}[*]P_2 - G$ from the sub-private key $d_1$ and the received second partial public key $P_2$;
if $P = O$, the first communication party regenerates the random number; otherwise P is published as the complete public key, where O is the point at infinity of the elliptic curve E.
Further, in the three-party cooperative decryption method based on the SM2 algorithm, the specific process of generating a complete plaintext in the cooperative decryption stage is as follows:
the first communication party extracts the first ciphertext part $C_1$ from the ciphertext $C = C_1 \| C_3 \| C_2$, converts $C_1$ into a point on the elliptic curve E, and checks whether $C_1$ is a point other than the point at infinity; if so, it calculates the first cooperative ciphertext $T_1 = d_1^{-1}[*]C_1$ and sends $T_1$ to the second communication party, where $C_1$, $C_3$ and $C_2$ are bit strings;
the second communication party decrypts the first cooperative ciphertext $T_1$ with its own sub-private key $d_2$ to obtain the second cooperative ciphertext $T_2$, using the decryption formula $T_2 = d_2^{-1}[*]T_1$, and sends $T_2$ to the third communication party;
the third communication party decrypts the second cooperative ciphertext $T_2$ with its own sub-private key $d_3$ to obtain the third cooperative ciphertext $T_3$, using the decryption formula $T_3 = d_3^{-1}[*]T_2$, and sends $T_3$ to the first communication party;
the first communication party calculates $T = T_3 - C_1 = (x_2, y_2)$ and converts the coordinates $x_2$, $y_2$ into bit strings;
the first communication party calculates $t = KDF(x_2 \| y_2, klen)$; if t is an all-zero bit string, it reports an error and exits, where KDF() represents a predetermined key derivation function and klen represents the length of the key data to be obtained;
if $t \neq 0$, the first communication party extracts the second ciphertext part $C_2$ from the ciphertext $C = C_1 \| C_3 \| C_2$ and calculates $M'' = C_2 \oplus t$;
the first communication party calculates $u = H(x_2 \| M'' \| y_2)$ and extracts the third ciphertext part $C_3$ from the ciphertext $C = C_1 \| C_3 \| C_2$; if $u \neq C_3$, decryption fails; otherwise the complete plaintext $M''$ is output.
Further, according to the three-party cooperative decryption method based on the SM2 algorithm, the identities of the first communication party, the second communication party and the third communication party can be interchanged.
In a third aspect, the present invention provides a three-party collaborative signing system based on SM2 algorithm, including a first communication party, a second communication party and a third communication party, where the first communication party, the second communication party and the third communication party are communicatively connected to each other, and the three-party collaborative signing system is configured to execute the three-party collaborative signing method based on SM2 algorithm of the first aspect.
In a fourth aspect, the present invention provides a three-party cooperative decryption system based on SM2 algorithm, including a first communication party, a second communication party, and a third communication party, where the first communication party, the second communication party, and the third communication party are communicatively connected to each other, and the three-party cooperative decryption system is configured to execute the three-party cooperative decryption method based on SM2 algorithm described in the second aspect.
With the three-party collaborative signing and decryption method and system based on the SM2 algorithm, each communication party independently generates and stores its own partial private key, and the three parties then sign and decrypt collaboratively. Compared with the prior art, the invention has the following beneficial effects:
1. the whole private key of the SM2 algorithm never appears in the whole process, so that the safety of the private key of the SM2 algorithm is improved;
2. the private key is split into three parts, can be stored in different terminals respectively, can meet the safety requirement of a distributed environment, and is suitable for application scenes in which a plurality of mobile intelligent terminals participate at present;
3. the two parties need less computation in the signing or decryption operation process, and the transmitted data in the communication process are less, so that the method is more suitable for the cloud computing environment requiring low delay and high interaction;
4. the basic operation module of the SM2 algorithm can be multiplexed, a new operation module is not required to be added, the realization is simple, and the arrangement cost is low;
5. the method can be used for a scene of three-party collaborative generation of transaction signatures, and potential risks in signature right concentration are reduced.
Drawings
Fig. 1 is a flowchart of a three-party collaborative signing method based on SM2 algorithm according to an embodiment of the present invention;
Fig. 2 is an implementation mechanism of a public key generation phase provided in the embodiment of the present invention;
Fig. 3 is a mechanism for implementing the collaborative signing phase according to an embodiment of the present invention;
Fig. 4 is a flowchart of a three-party cooperative decryption method based on the SM2 algorithm according to an embodiment of the present invention;
Fig. 5 is a mechanism for implementing the cooperative decryption phase according to an embodiment of the present invention.
Detailed Description
In order to make the technical problems solved, the technical solutions adopted, and the technical effects achieved by the present invention clearer, the technical solutions of the embodiments of the present invention will be further described in detail with reference to the accompanying drawings. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
For convenience of understanding, the basic concepts and terms involved in the embodiments of the present invention will be briefly described.
The three communicating parties share the SM2 elliptic curve parameters $E(F_q)$, where E is an elliptic curve defined over the finite field $F_q$, G is a base point of the elliptic curve, the order of the base point is n, and O is the point at infinity of the elliptic curve. The invention uses $[*]$ to denote the point multiplication (scalar multiplication) operation on E, so $k[*]G$ represents the k-fold point of G; mod n represents the modulo-n operation; the plus sign + is used for both elliptic curve point addition and numeric addition: if the operands are elliptic curve points, + represents point addition; if the operands are numbers, + represents numeric addition; H() denotes a predetermined cryptographic hash function, KDF() denotes a predetermined key derivation function, klen denotes the length of the key data to be obtained, and $\|$ denotes concatenation.
For ease of description, the communication participants are represented by a first communication party, a second communication party and a third communication party, respectively, wherein the communication participants are typically some terminals or servers and the identities of the communication participants are interchangeable.
Fig. 1 shows a flowchart of a three-party collaborative signing method based on SM2 algorithm, which mainly includes a public key generation phase and a collaborative signing phase;
referring to fig. 2, the public key generation stage mainly includes the following steps:
Step S11: the third communication party generates its own sub-private key, calculates the third partial public key from it, and sends the third partial public key to the second communication party.
In an optional implementation manner, step S11 is specifically:
the third communication party generates a random number $d_3$ as its own sub-private key, where $d_3$ is any integer in the range $[1, n-1]$, then calculates the third partial public key $P_3$ from the sub-private key $d_3$ and sends it to the second communication party. The third partial public key $P_3$ is calculated as:
$$P_3 = d_3^{-1}[*]G$$
where G is the base point of the SM2 elliptic curve E shared by the three communicating parties, n is the order of the base point, and $[*]$ denotes the point multiplication operation on the elliptic curve E.
Step S12: the second communication party generates its own sub-private key, calculates the second partial public key from its own sub-private key and the received third partial public key, and sends the second partial public key to the first communication party.
In an optional implementation manner, step S12 is specifically:
the second communication party generates a random number $d_2$ as its own sub-private key, where $d_2$ is any integer in the range $[1, n-1]$, then calculates the second partial public key $P_2$ from the sub-private key $d_2$ and the received third partial public key $P_3$ and sends it to the first communication party. The second partial public key $P_2$ is calculated as:
$$P_2 = d_2^{-1}[*]P_3$$
Step S13: the first communication party generates its own sub-private key, and calculates and publishes the complete public key from its own sub-private key and the received second partial public key.
In an optional implementation manner, step S13 is specifically:
the first communication party generates a random number $d_1$ as its own sub-private key, where $d_1$ is any integer in the range $[1, n-1]$, and calculates the complete public key P from the sub-private key $d_1$ and the received second partial public key $P_2$. P is calculated as:
$$P = d_1^{-1}[*]P_2 - G$$
If $P = O$, the first communication party needs to regenerate the random number; otherwise P is published as the complete public key, where O is the point at infinity of the elliptic curve E.
Referring to fig. 3, the collaborative signing phase mainly includes the following steps:
Step S14: the first communication party calculates the message digest of the message to be signed, generates the first partial signature, and sends the message digest and the first partial signature to the second communication party.
In an optional implementation manner, step S14 specifically includes:
for a message M to be signed, the first communication party concatenates the corresponding Z value of the SM2 algorithm with the message M to form $M'$, that is, $M' = Z \| M$, and then calculates the message digest $e = H(M')$, where Z represents an identity common to the first, second and third communication parties and H() represents a predetermined cryptographic hash function;
the first communication party generates a random number $k_1 \in [1, n-1]$, calculates the first partial signature $Q_1 = k_1[*]G$ from $k_1$, and sends the message digest e and the first partial signature $Q_1$ to the second communication party.
Step S15: the second communication party calculates the second partial signature from its own sub-private key and the first partial signature, and sends the message digest and the second partial signature to the third communication party.
In an optional implementation manner, step S15 specifically includes:
the second communication party generates a random number $k_2 \in [1, n-1]$, calculates the second partial signature $Q_2 = d_2^{-1}[*]Q_1 + k_2[*]G$ from $k_2$ and the received first partial signature $Q_1$, and sends the message digest e and the second partial signature $Q_2$ to the third communication party.
Step S16: the third communication party calculates the third partial signature from its own sub-private key, the received second partial signature and the message digest, and sends the third partial signature to the second communication party.
In an optional implementation manner, step S16 specifically includes:
the third communication party generates a random number $k_3 \in [1, n-1]$, calculates the intermediate partial signature $Q_3 = d_3^{-1}[*]Q_2 + k_3[*]G = (x_1, y_1)$ from $k_3$ and the received second partial signature $Q_2$, and calculates the signature component $r = (x_1 + e) \bmod n$; if $r = 0$, the third communication party regenerates the random number, where mod is the modulo operation;
if $r \neq 0$, the third communication party calculates the third partial signature $s_3 = d_3(k_3 + r) \bmod n$, and sends the signature component r and the third partial signature $s_3$ to the second communication party.
Step S17: the second communication party calculates the fourth partial signature from its own sub-private key and the received third partial signature, and sends the fourth partial signature to the first communication party.
In an optional implementation manner, step S17 specifically includes:
the second communication party calculates the fourth partial signature $s_2 = d_2(k_2 + s_3) \bmod n$ from the received third partial signature $s_3$, and sends the signature component r and the fourth partial signature $s_2$ to the first communication party.
Step S18: the first communication party generates the complete signature from its own sub-private key and the fourth partial signature, and outputs the complete signature.
In an optional implementation manner, step S18 specifically includes:
the first communication party calculates the signature component $s = (d_1(k_1 + s_2) - r) \bmod n$ from the sub-private key $d_1$, the received signature component r and the fourth partial signature $s_2$; if $s = 0$ or $s = n - r$, the signing flow is restarted, otherwise $(r, s)$ is output as the complete signature.
The subsequent signature verification process is consistent with the signature verification process in the SM2 algorithm.
In this embodiment, in the public key generation stage, the three communicating parties each independently generate their own sub-private key, and one party can calculate and publish the public key after two rounds of information transmission. The complete SM2 private key never appears during the whole process, which improves the security of the SM2 private key. In the collaborative signing stage, the three parties use their respective sub-private keys to generate a complete signature at one party through four rounds of information transmission, and any third party that obtains the signature can verify it with the public key information and the SM2 algorithm.
Only one data item needs to be transmitted in each round of the public key generation stage and only two data items in each round of the collaborative signing stage, so the amount of communication data is small, the calculation method is simple, and the computation cost is greatly reduced.
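The key generation and four-round signing exchange above, together with the point computation $T = T_3 - C_1$ of the collaborative decryption method, as an added Python example that is not part of the patent. Assumptions: all three parties run in one process, SHA-256 stands in for the unspecified hash H (SM2 normally uses SM3), the Z value and message are constructed, and the function names (`keygen`, `cosign`, `codecrypt_point`, and so on) are hypothetical. The result is checked with the standard SM2 verification equation.

```python
import hashlib
import secrets

# SM2 recommended curve y^2 = x^3 + ax + b over F_p (GB/T 32918.5), base point G of order n.
p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
a = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
b = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def on_curve(P):
    return P is None or (P[1] ** 2 - (P[0] ** 3 + a * P[0] + b)) % p == 0

def add(P, Q):
    """Affine point addition; None is the point at infinity O."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def neg(P):
    return None if P is None else (P[0], -P[1] % p)

def mul(k, P):
    """k[*]P by double-and-add. Not constant-time: illustration only."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def inv(d):
    return pow(d, -1, n)

def rand_scalar():
    return secrets.randbelow(n - 1) + 1          # uniform in [1, n-1]

def keygen():
    """Steps S11-S13: returns ((d1, d2, d3), P). The full key d is never formed."""
    while True:
        d1, d2, d3 = rand_scalar(), rand_scalar(), rand_scalar()
        P3 = mul(inv(d3), G)                     # party 3 -> party 2
        P2 = mul(inv(d2), P3)                    # party 2 -> party 1
        P = add(mul(inv(d1), P2), neg(G))        # party 1: P = d1^-1[*]P2 - G
        if P is not None:
            return (d1, d2, d3), P

def digest(z, msg):
    """e = H(Z || M); SHA-256 is a stand-in for the hash, which the text leaves open."""
    return int.from_bytes(hashlib.sha256(z + msg).digest(), "big")

def cosign(shares, e):
    """Steps S14-S18. Any rejected value restarts the whole flow (a simplification)."""
    d1, d2, d3 = shares
    while True:
        k1 = rand_scalar(); Q1 = mul(k1, G)                           # party 1
        k2 = rand_scalar(); Q2 = add(mul(inv(d2), Q1), mul(k2, G))    # party 2
        k3 = rand_scalar(); Q3 = add(mul(inv(d3), Q2), mul(k3, G))    # party 3
        if Q3 is None:                           # added guard, not in the text
            continue
        r = (Q3[0] + e) % n
        if r == 0:
            continue
        s3 = d3 * (k3 + r) % n                   # party 3 -> party 2
        s2 = d2 * (k2 + s3) % n                  # party 2 -> party 1
        s = (d1 * (k1 + s2) - r) % n             # party 1
        if s == 0 or s == n - r:
            continue
        return r, s

def sm2_verify(P, e, sig):
    """Standard SM2 verification: accept if (e + x) mod n == r for (x, y) = s[*]G + (r+s)[*]P."""
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):
        return False
    t = (r + s) % n
    if t == 0:
        return False
    X = add(mul(s, G), mul(t, P))
    return X is not None and (e + X[0]) % n == r

def codecrypt_point(shares, C1):
    """Decryption rounds: T1 -> T2 -> T3, then T = T3 - C1, which equals d[*]C1."""
    d1, d2, d3 = shares
    T1 = mul(inv(d1), C1)                        # party 1 -> party 2
    T2 = mul(inv(d2), T1)                        # party 2 -> party 3
    T3 = mul(inv(d3), T2)                        # party 3 -> party 1
    return add(T3, neg(C1))

if __name__ == "__main__":
    shares, pub = keygen()
    e = digest(b"constructed-Z", b"constructed message")   # constructed sample input
    sig = cosign(shares, e)
    print("verifies under standard SM2:", sm2_verify(pub, e, sig))
```

The signature verifies because the shares satisfy $d_1 d_2 d_3 = (1 + d)^{-1}$ for the implicit private key d, and $Q_3$ is the nonce point $k[*]G$ with $k = (d_2 d_3)^{-1}k_1 + d_3^{-1}k_2 + k_3$, so s matches the ordinary SM2 value $(1 + d)^{-1}(k + r) - r$.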
Fig. 4 shows a flowchart of a three-party cooperative decryption method based on the SM2 algorithm, which mainly includes a public key generation phase and a cooperative decryption phase;
the public key generation phase is the same as the steps S11-S13 of the public key generation phase in the three-party collaborative signing method based on the SM2 algorithm, and will not be described in detail here.
Referring to fig. 5, the collaborative decryption phase mainly includes the following steps:
and step S24, the first communication party extracts a first part of ciphertext from the obtained ciphertext, partially decrypts the first part of ciphertext according to the own sub private key to obtain a first cooperative ciphertext, and sends the first cooperative ciphertext to the second communication party.
In an optional implementation manner, step S24 is specifically:
the first communication party extracts the first part of ciphertext $C_1$ from the ciphertext $C = C_1 \| C_3 \| C_2$, converts $C_1$ into a point on the elliptic curve $E$, and judges whether $C_1$ is a non-infinite point; if so, it calculates the first cooperative ciphertext $T_1 = d_1^{-1}[*]C_1$ and sends $T_1$ to the second communication party, where $C_1$, $C_3$ and $C_2$ are bit strings.
Step S25: the second communication party partially decrypts the first cooperative ciphertext according to its own sub-private key to obtain a second cooperative ciphertext, and sends the second cooperative ciphertext to the third communication party.
In an optional implementation manner, step S25 is specifically:
the second communication party decrypts the first cooperative ciphertext $T_1$ according to its own sub-private key $d_2$ to obtain the second cooperative ciphertext $T_2$, using the decryption formula $T_2 = d_2^{-1}[*]T_1$, and sends $T_2$ to the third communication party.
Step S26: the third communication party partially decrypts the second cooperative ciphertext according to its own sub-private key to obtain a third cooperative ciphertext, and sends the third cooperative ciphertext to the first communication party.
In an optional implementation manner, step S26 is specifically:
the third communication party decrypts the second cooperative ciphertext $T_2$ according to its own sub-private key $d_3$ to obtain the third cooperative ciphertext $T_3$, using the decryption formula $T_3 = d_3^{-1}[*]T_2$, and sends $T_3$ to the first communication party.
Step S27: the first communication party completes the decryption of the ciphertext according to its own sub-private key and the received third cooperative ciphertext, and outputs the complete plaintext.
In an optional implementation manner, step S27 is specifically:
the first communication party calculates $T = T_3 - C_1 = (x_2, y_2)$ and converts the coordinates $x_2$, $y_2$ into bit strings;
the first communication party calculates $t = KDF(x_2 \| y_2, klen)$; if $t$ is an all-zero bit string, it reports an error and exits, where $KDF()$ represents a predetermined key derivation function and $klen$ represents the length of the key data to be obtained;
if $t \neq 0$, the first communication party extracts the second part of ciphertext $C_2$ from the ciphertext $C = C_1 \| C_3 \| C_2$ and calculates $M'' = C_2 \oplus t$;
the first communication party calculates $u = H(x_2 \| M'' \| y_2)$ and extracts the third part of ciphertext $C_3$ from the ciphertext $C = C_1 \| C_3 \| C_2$; if $u \neq C_3$, it reports an error and exits; otherwise the complete plaintext $M''$ is output.
In this embodiment, through three rounds of information transmission, the three communicating parties use their respective sub-private keys to decrypt, at one party, any legitimate ciphertext that a third party has encrypted with the public key information and the SM2 algorithm. Each round transmits only one data item and little computation is required, so the method is suitable for cloud computing environments that require low latency and high interaction.
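The public key generation, four-round collaborative signing and three-round collaborative decryption flows described above can be checked end to end with the following added example, which is not code from the patent. It runs all three parties in one process; SHA-256 stands in for the predetermined hash $H$, the $Z$ value is a constructed constant, $klen$ is counted in bytes, and all function names are hypothetical.

```python
import hashlib, secrets
# SM2 recommended curve y^2 = x^3 + A*x + B over F_P; base point G has prime order N.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(p, q):                        # point addition; None is the point at infinity O
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p == q
           else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):                       # [*]: double-and-add (not constant-time, demo only)
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def neg(pt): return pt[0], -pt[1] % P
def inv(d): return pow(d, -1, N)
def rnd(): return secrets.randbelow(N - 1) + 1           # uniform in [1, n-1]
def H(b): return hashlib.sha256(b).digest()              # assumption: stand-in for SM3
def xy(pt): return pt[0].to_bytes(32, "big"), pt[1].to_bytes(32, "big")
def on_curve(pt): return pt is not None and (pt[1]**2 - pt[0]**3 - A*pt[0] - B) % P == 0
def kdf(z, klen):                     # counter-mode KDF; klen in bytes in this sketch
    return b"".join(H(z + i.to_bytes(4, "big")) for i in range(1, -(-klen // 32) + 1))[:klen]

def keygen():                         # each d_i is generated and kept by its own party
    d3 = rnd(); P3 = mul(inv(d3), G)                     # 3 -> 2: P3
    d2 = rnd(); P2 = mul(inv(d2), P3)                    # 2 -> 1: P2
    while True:
        d1 = rnd(); pub = add(mul(inv(d1), P2), neg(G))  # P = d1^-1 [*] P2 - G
        if pub is not None: return (d1, d2, d3), pub     # regenerate d1 if P = O

def cosign(shares, msg, Z=b"constructed-Z"):
    d1, d2, d3 = shares
    e = int.from_bytes(H(Z + msg), "big")                # e = H(Z || M)
    while True:                       # this sketch restarts the whole flow on any retry
        k1 = rnd(); Q1 = mul(k1, G)                          # 1 -> 2: e, Q1
        k2 = rnd(); Q2 = add(mul(inv(d2), Q1), mul(k2, G))   # 2 -> 3: e, Q2
        k3 = rnd(); Q3 = add(mul(inv(d3), Q2), mul(k3, G))   # Q3 = (x1, y1)
        r = (Q3[0] + e) % N if Q3 else 0
        if r == 0: continue
        s3 = d3 * (k3 + r) % N                               # 3 -> 2: r, s3
        s2 = d2 * (k2 + s3) % N                              # 2 -> 1: r, s2
        s = (d1 * (k1 + s2) - r) % N
        if s not in (0, N - r): return r, s

def sm2_verify(pub, msg, sig, Z=b"constructed-Z"):       # ordinary SM2 verification
    (r, s), e = sig, int.from_bytes(H(Z + msg), "big")
    if not (0 < r < N and 0 < s < N) or (r + s) % N == 0: return False
    R = add(mul(s, G), mul((r + s) % N, pub))
    return R is not None and (e + R[0]) % N == r

def sm2_encrypt(pub, m):              # ordinary single-party SM2 encryption
    k = rnd(); xb, yb = xy(mul(k, pub))
    C2 = bytes(a ^ b for a, b in zip(m, kdf(xb + yb, len(m))))
    return mul(k, G), H(xb + m + yb), C2                 # (C1, C3, C2)

def codecrypt(shares, ct):
    (d1, d2, d3), (C1, C3, C2) = shares, ct
    if not on_curve(C1): raise ValueError("C1 is not a valid point on E")
    T1 = mul(inv(d1), C1)                                # 1 -> 2: T1
    T2 = mul(inv(d2), T1)                                # 2 -> 3: T2
    T3 = mul(inv(d3), T2)                                # 3 -> 1: T3
    xb, yb = xy(add(T3, neg(C1)))                        # T = T3 - C1 = (x2, y2)
    t = kdf(xb + yb, len(C2))
    if not any(t): raise ValueError("KDF output is all zero")
    m = bytes(a ^ b for a, b in zip(C2, t))              # M'' = C2 xor t
    if H(xb + m + yb) != C3: raise ValueError("u != C3")
    return m
```

Each commented arrow marks the only values that cross between parties in that round; the sub-private keys and the random numbers $k_i$ stay with the party that generated them.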
According to the three-party collaborative signing method based on the SM2 algorithm, the invention provides a three-party collaborative signing system based on the SM2 algorithm, which comprises a first communication party, a second communication party and a third communication party, wherein the first communication party, the second communication party and the third communication party are in communication connection with each other, and the three-party collaborative signing system is configured to execute the three-party collaborative signing method based on the SM2 algorithm.
According to the three-party cooperative decryption method based on the SM2 algorithm, the invention provides a three-party cooperative decryption system based on the SM2 algorithm, which comprises a first communication party, a second communication party and a third communication party, wherein the first communication party, the second communication party and the third communication party are in communication connection with each other, and the three-party cooperative decryption system is configured to execute the three-party cooperative decryption method based on the SM2 algorithm.
The invention provides a three-party cooperative signing and decryption method and system based on the SM2 algorithm, offering technical schemes for both cooperative signing and cooperative decryption. In the public key generation phase, the three communicating parties each independently generate their own sub-private keys, and one party can calculate and publish the public key after two rounds of information transmission. In the cooperative signing phase, the three communicating parties use their respective sub-private keys to generate a complete signature at one party through four rounds of information transmission; any third party that obtains the signature can verify it using the public key information and the SM2 algorithm, and the verification process is the same as in the SM2 algorithm. In the cooperative decryption phase, through three rounds of information transmission, the three communicating parties use their respective sub-private keys to decrypt, at one party, any legitimate ciphertext that a third party has encrypted with the public key information and the SM2 algorithm. The beneficial effects obtained by these means are as follows:
the complete private key of the SM2 algorithm never appears at any point in the process, which improves the security of the SM2 private key; the private key is split into three parts that can be stored in different terminals, which meets the security requirements of a distributed environment and suits current application scenarios in which multiple mobile intelligent terminals participate; the three parties perform little computation during signing or decryption and transmit little data during communication, so the method is suitable for cloud computing environments that require low latency and high interaction; the basic operation modules of the SM2 algorithm can be reused and no new operation module needs to be added, so implementation is simple and deployment cost is low.
It will be understood by those skilled in the art that the present invention is not limited to the embodiments described in the detailed description, and the detailed description is for the purpose of explanation and not limitation. Other embodiments will be apparent to those skilled in the art from the following detailed description, which is intended to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A three-party collaborative signature method based on SM2 algorithm comprises a public key generation phase and a collaborative signature phase, wherein the public key generation phase comprises the following steps:
the third communication party generates a sub private key of the third communication party, calculates a third part of public keys according to the sub private key of the third communication party and sends the third part of public keys to the second communication party;
the second communication party generates a sub private key of the second communication party, calculates a second part public key according to the sub private key of the second communication party and the received third part public key, and sends the second part public key to the first communication party;
the first communication party generates a sub private key of the first communication party, and calculates and discloses a complete public key according to the sub private key of the first communication party and the received second part public key;
the co-signing stage comprises the following steps:
the first communication party calculates the message digest of the message to be signed, generates a first part signature and sends the message digest and the first part signature to the second communication party;
the second communication party calculates a second part signature according to the sub private key of the second communication party and the first part signature and sends the message digest and the second part signature to a third communication party;
the third communication party calculates a third part signature according to the own sub private key, the received second part signature and the received message digest, and sends the third part signature to the second communication party;
the second communication party calculates a fourth part signature according to the own sub private key and the received third part signature and sends the fourth part signature to the first communication party;
and the first communication party generates a complete signature according to the own sub private key and the fourth partial signature and outputs the complete signature.
2. The three-party collaborative signature method based on the SM2 algorithm of claim 1, wherein the specific calculation method of the complete public key in the public key generation phase is as follows:
the third communication party generates a random number $d_3 \in [1, n-1]$ as its own sub-private key, calculates the third partial public key $P_3 = d_3^{-1}[*]G$ from the sub-private key $d_3$, and sends $P_3$ to the second communication party, where $G$ is the base point of the SM2 elliptic curve $E$ shared by the three communicating parties, $n$ is the order of the base point, and $[*]$ denotes the point multiplication operation on the elliptic curve $E$;
the second communication party generates a random number $d_2 \in [1, n-1]$ as its own sub-private key, calculates the second partial public key $P_2 = d_2^{-1}[*]P_3$ from the sub-private key $d_2$ and the received third partial public key $P_3$, and sends $P_2$ to the first communication party;
the first communication party generates a random number $d_1 \in [1, n-1]$ as its own sub-private key, and calculates the complete public key $P = d_1^{-1}[*]P_2 - G$ from the sub-private key $d_1$ and the received second partial public key $P_2$;
if $P = O$, the first communication party regenerates the random number; otherwise $P$ is published as the complete public key, where $O$ is the point at infinity of the elliptic curve $E$.
3. The three-party cooperative signature method based on the SM2 algorithm of claim 2, wherein the specific process of generating the complete signature in the cooperative signature stage is as follows:
for a message $M$ to be signed, the first communication party concatenates the corresponding $Z$ value of the SM2 algorithm with the message $M$ to form $M'$, that is, $M' = Z \| M$, and then calculates the message digest $e = H(M')$, where $Z$ represents an identity common to the first, second and third communication parties, and $H()$ represents a predetermined cryptographic hash function;
the first communication party generates a random number $k_1 \in [1, n-1]$, calculates the first partial signature $Q_1 = k_1[*]G$ from $k_1$, and sends the message digest $e$ and the first partial signature $Q_1$ to the second communication party;
the second communication party generates a random number $k_2 \in [1, n-1]$, calculates the second partial signature $Q_2 = d_2^{-1}[*]Q_1 + k_2[*]G$ from $k_2$ and the received first partial signature $Q_1$, and sends the message digest $e$ and the second partial signature $Q_2$ to the third communication party;
the third communication party generates a random number $k_3 \in [1, n-1]$, calculates the intermediate partial signature $Q_3 = d_3^{-1}[*]Q_2 + k_3[*]G = (x_1, y_1)$ from $k_3$ and the received second partial signature $Q_2$, and calculates the signature component $r = (x_1 + e) \bmod n$; if $r = 0$, the third communication party regenerates the random number, where mod is the modulo operation;
if $r \neq 0$, the third communication party calculates the third partial signature $s_3 = d_3(k_3 + r) \bmod n$ and sends the signature component $r$ and the third partial signature $s_3$ to the second communication party;
the second communication party calculates the fourth partial signature $s_2 = d_2(k_2 + s_3) \bmod n$ from the received third partial signature $s_3$, and sends the signature component $r$ and the fourth partial signature $s_2$ to the first communication party;
the first communication party, using its sub-private key $d_1$, the received signature component $r$ and the fourth partial signature $s_2$, calculates the signature component $s = (d_1(k_1 + s_2) - r) \bmod n$; if $s = 0$ or $s = n - r$, the signature flow is restarted; otherwise $(r, s)$ is output as the complete signature.
4. The SM2 algorithm-based three-party co-signing method of any one of claims 1-3, wherein the identities of the first, second and third communicants are interchangeable.
5. A three-party cooperative decryption method based on SM2 algorithm comprises a public key generation phase and a cooperative decryption phase, wherein the public key generation phase comprises the following steps:
the third communication party generates a sub private key of the third communication party, calculates a third part of public keys according to the sub private key of the third communication party and sends the third part of public keys to the second communication party;
the second communication party generates a sub private key of the second communication party, calculates a second part public key according to the sub private key of the second communication party and the received third part public key, and sends the second part public key to the first communication party;
the first communication party generates a sub private key of the first communication party, and calculates and discloses a complete public key according to the sub private key of the first communication party and the received second part public key;
the collaborative decryption phase comprises the following steps:
the first communication party extracts a first part of ciphertext from the obtained ciphertext, partially decrypts the first part of ciphertext according to a sub private key of the first communication party to obtain a first cooperative ciphertext, and sends the first cooperative ciphertext to the second communication party;
the second communication party decrypts the part of the first cooperative ciphertext according to the own sub-private key to obtain a second cooperative ciphertext and sends the second cooperative ciphertext to a third communication party;
the third communication party decrypts the second cooperative ciphertext partially according to the own sub-private key to obtain a third cooperative ciphertext and sends the third cooperative ciphertext to the first communication party;
and the first communication party decrypts the ciphertext completely according to the own sub private key and the received third cooperative ciphertext to obtain a complete plaintext and outputs the complete plaintext.
6. The three-party cooperative decryption method based on the SM2 algorithm of claim 5, wherein the specific calculation method of the complete public key at the public key generation stage is as follows:
the third communication party generates a random number $d_3 \in [1, n-1]$ as its own sub-private key, calculates the third partial public key $P_3 = d_3^{-1}[*]G$ from the sub-private key $d_3$, and sends $P_3$ to the second communication party, where $G$ is the base point of the SM2 elliptic curve $E$ shared by the three communicating parties, $n$ is the order of the base point, and $[*]$ denotes the point multiplication operation on the elliptic curve $E$;
the second communication party generates a random number $d_2 \in [1, n-1]$ as its own sub-private key, calculates the second partial public key $P_2 = d_2^{-1}[*]P_3$ from the sub-private key $d_2$ and the received third partial public key $P_3$, and sends $P_2$ to the first communication party;
the first communication party generates a random number $d_1 \in [1, n-1]$ as its own sub-private key, and calculates the complete public key $P = d_1^{-1}[*]P_2 - G$ from the sub-private key $d_1$ and the received second partial public key $P_2$;
if $P = O$, the first communication party regenerates the random number; otherwise $P$ is published as the complete public key, where $O$ is the point at infinity of the elliptic curve $E$.
7. The three-party cooperative decryption method based on the SM2 algorithm of claim 6, wherein the specific process of generating a complete plaintext in the cooperative decryption stage is as follows:
the first communication party extracts the first part of ciphertext $C_1$ from the ciphertext $C = C_1 \| C_3 \| C_2$, converts $C_1$ into a point on the elliptic curve $E$, and judges whether $C_1$ is a non-infinite point; if so, it calculates the first cooperative ciphertext $T_1 = d_1^{-1}[*]C_1$ and sends $T_1$ to the second communication party, where $C_1$, $C_3$ and $C_2$ are bit strings;
the second communication party decrypts the first cooperative ciphertext $T_1$ according to its own sub-private key $d_2$ to obtain the second cooperative ciphertext $T_2$, using the decryption formula $T_2 = d_2^{-1}[*]T_1$, and sends $T_2$ to the third communication party;
the third communication party decrypts the second cooperative ciphertext $T_2$ according to its own sub-private key $d_3$ to obtain the third cooperative ciphertext $T_3$, using the decryption formula $T_3 = d_3^{-1}[*]T_2$, and sends $T_3$ to the first communication party;
the first communication party calculates $T = T_3 - C_1 = (x_2, y_2)$ and converts the coordinates $x_2$, $y_2$ into bit strings;
the first communication party calculates $t = KDF(x_2 \| y_2, klen)$; if $t$ is an all-zero bit string, it reports an error and exits, where $KDF()$ represents a predetermined key derivation function and $klen$ represents the length of the key data to be obtained;
if $t \neq 0$, the first communication party extracts the second part of ciphertext $C_2$ from the ciphertext $C = C_1 \| C_3 \| C_2$ and calculates $M'' = C_2 \oplus t$;
the first communication party calculates $u = H(x_2 \| M'' \| y_2)$ and extracts the third part of ciphertext $C_3$ from the ciphertext $C = C_1 \| C_3 \| C_2$; if $u \neq C_3$, it reports an error and exits; otherwise the complete plaintext $M''$ is output.
8. The three-party cooperative decryption method based on the SM2 algorithm of any one of claims 5-7, wherein the identities of the first, second and third communication parties are interchangeable.
9. A three-party collaborative signing system based on SM2 algorithm, comprising a first communication party, a second communication party and a third communication party, wherein the first communication party, the second communication party and the third communication party are connected with each other in a communication way, and the three-party collaborative signing system is configured to execute the three-party collaborative signing method based on SM2 algorithm according to any one of claims 1-4.
10. A three-party cooperative decryption system based on SM2 algorithm, comprising a first communication party, a second communication party and a third communication party, the first communication party, the second communication party and the third communication party are communicatively connected with each other, the three-party cooperative decryption system is configured to execute the three-party cooperative decryption method based on SM2 algorithm according to any one of claims 5 to 8.
CN202110994075.6A 2021-08-27 2021-08-27 Three-party collaborative signing and decryption method and system based on SM2 algorithm Pending CN113849832A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110994075.6A CN113849832A (en) 2021-08-27 2021-08-27 Three-party collaborative signing and decryption method and system based on SM2 algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110994075.6A CN113849832A (en) 2021-08-27 2021-08-27 Three-party collaborative signing and decryption method and system based on SM2 algorithm

Publications (1)

Publication Number Publication Date
CN113849832A true CN113849832A (en) 2021-12-28

Family

ID=78976286

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110994075.6A Pending CN113849832A (en) 2021-08-27 2021-08-27 Three-party collaborative signing and decryption method and system based on SM2 algorithm

Country Status (1)

Country Link
CN (1) CN113849832A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115499126A (en) * 2022-04-27 2022-12-20 河南省核芯微电子科技有限公司 Key pair generation method, cooperative signature method, decryption method, device and medium based on decentralized storage of SM2 keys

Similar Documents

Publication Publication Date Title
CN109088726B (en) SM2 algorithm-based collaborative signing and decrypting method and system for two communication parties
CN111314089B (en) SM 2-based two-party collaborative signature method and decryption method
CN109309569B (en) SM2 algorithm-based collaborative signature method and device and storage medium
CN108418686B (en) A multi-distributed SM9 decryption method and medium and key generation method and medium
JP5349619B2 (en) Identity-based authentication key agreement protocol
US11223486B2 (en) Digital signature method, device, and system
CN104270249B (en) It is a kind of from the label decryption method without certificate environment to identity-based environment
CN108667627B (en) SM2 Digital Signature Method Based on Two-Party Collaboration
CN108667626A (en) A Secure Two-Party Collaborative SM2 Signature Method
CN110830236B (en) Identity-based encryption method based on global hash
Khader et al. Preventing man-in-the-middle attack in Diffie-Hellman key exchange protocol
CN107947913A (en) The anonymous authentication method and system of a kind of identity-based
CN104301108B (en) It is a kind of from identity-based environment to the label decryption method without certificate environment
CN109450640B (en) SM 2-based two-party signature method and system
CN104243456A (en) Signing and decrypting method and system applied to cloud computing and based on SM2 algorithm
CN107707358A (en) A kind of EC KCDSA digital signature generation method and system
CN107425968A (en) A kind of SM2 elliptic curve public key cryptographic algorithms under binary field F2m realize system
CN107682151A (en) A kind of GOST digital signature generation method and system
CN111355582A (en) Two-party combined signature and decryption method and system based on SM2 algorithm
JP2025000864A (en) Computer-implemented system and method for sharing a common secret
CN113132104A (en) Active and safe ECDSA (electronic signature SA) digital signature two-party generation method
CN114726546A (en) Digital identity authentication method, device, equipment and storage medium
CN113849831B (en) A two-party collaborative signature and decryption method and system based on SM2 algorithm
CN117879833A (en) Digital signature generation method based on improved elliptic curve
CN115174116A (en) Data packet signature and signature verification system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination