[0030] In view of the problems in the prior art, the present invention proposes a signature scheme and a decryption scheme based on the SM2 algorithm that are suitable for cloud computing environments. The SM2 algorithm is a standard commercial cryptographic algorithm that is widely supported and used in cryptographic products.
[0031] In order to make the technical scheme of the present invention clearer and more comprehensible, the scheme of the present invention will be further described in detail below with reference to the drawings and embodiments.
[0032] Figure 1 is a flowchart of an embodiment of the signature method based on the SM2 algorithm suitable for cloud computing according to the present invention. As shown in Figure 1, the method includes the following steps 11-14.
[0033] Step 11: The first communicating party generates its own sub-private key D1, and the second communicating party generates its own sub-private key D2.
[0034] For ease of presentation, the first communicating party and the second communicating party are used to represent the communicating parties. The first communicating party can be a client or a server. Accordingly, when the first communicating party is a client, the second communicating party is the server, and when the first communicating party is the server, the second communicating party is the client.
[0035] The first communicating party and the second communicating party share the elliptic curve parameters E(Fq), G, and n of the SM2 algorithm. The elliptic curve E is an elliptic curve defined on the finite field Fq, and G represents the base point of order n on the elliptic curve E. The specific values of each parameter are preset according to the SM2 algorithm.
[0036] The first communicating party and the second communicating party need to generate their own sub-private keys D1 and D2, respectively, and can further cooperate to generate a public key P.
[0037] Correspondingly, Figure 2 is a schematic diagram of the process by which the first communicating party and the second communicating party of the present invention generate their respective sub-private keys and the public key. As shown in Figure 2, the process includes the following steps 21 to 26.
[0038] Step 21: The first communicating party generates a random number between [1, n-1], and uses the generated random number as D1.
[0039] That is: D1∈[1, n-1].
[0040] Step 22: The second communicating party generates a random number between [1, n-1], and uses the generated random number as D2.
[0041] That is: D2∈[1, n-1].
[0042] Step 23: The first communicating party calculates D1^-1 mod n, the inverse element of D1 on Fq.
[0043] mod denotes the modulo operation.
[0044] Step 24: The second communicating party calculates D2^-1 mod n, the inverse element of D2 on Fq.
[0045] Step 25: The first communicating party calculates D1^-1[*]G and sends the calculation result P1 to the second communicating party.
[0046] That is: P1=D1^-1[*]G, where [*] represents the point multiplication of the elliptic curve.
[0047] Step 26: The second communicating party calculates D2^-1[*]P1[-]G and publishes the calculation result P as the public key.
[0048] That is: P=D2^-1[*]P1[-]G, where [-] represents the point subtraction of the elliptic curve.
[0049] It should be noted that the above representation of steps 21 to 26 is only an example and is not used to limit the execution order of the steps. In practical applications, the execution order of the steps can be set according to actual needs, as long as the required final results can be obtained. The same is true of the subsequent diagrams, and this will not be repeated.
[0050] Step 12: The first communicating party generates a message digest e of the message M to be signed and the first partial signature Q1, and sends e and Q1 to the second communicating party.
[0051] Step 13: The second communication party generates the second partial signature r according to Q1 and e, and generates the third partial signature s2 and the fourth partial signature s3 according to D2, and sends r, s2 and s3 to the first communication party.
[0052] Step 14: The first communicating party generates and outputs a complete signature according to D1, r, s2, and s3.
[0053] Through the process shown in steps 12-14, a complete signature of the message M to be signed can be generated.
[0054] Figure 3 is a schematic diagram of the process by which the first communicating party and the second communicating party of the present invention generate the complete signature of the message M to be signed. As shown in Figure 3, the process includes the following steps 31-39.
[0055] Step 31: The first communicating party splices Z and M to form M', and calculates Hash(M'), taking the calculation result as e, where Z represents the common identity of the first communicating party and the second communicating party, and Hash() represents a predetermined cryptographic hash function.
[0056] That is: M'=Z||M, || means splicing;
[0057] e=Hash(M').
[0058] Step 32: The first communication party generates a random number k1 between [1, n-1], calculates k1[*]G, and uses the calculation result as Q1.
[0059] That is: k1∈[1, n-1];
[0060] Q1=k1[*]G.
[0061] Step 33: The first communicating party sends e and Q1 to the second communicating party.
[0062] Step 34: The second communicating party generates a random number k2 between [1, n-1], and calculates k2[*]G to obtain the calculation result Q2.
[0063] That is: k2∈[1, n-1];
[0064] Q2=k2[*]G.
[0065] Step 35: The second communicating party generates a random number k3 between [1, n-1], calculates k3[*]Q1[+]Q2 to obtain the calculation result (x1, y1), calculates x1+e mod n, and takes the calculation result as r, where [+] represents the point addition operation on the elliptic curve.
[0066] That is: k3∈[1, n-1];
[0067] (x1, y1)=k3[*]Q1[+]Q2;
[0068] r=x1+e mod n.
[0069] If r is not equal to 0, step 36 is executed. If r is equal to 0, the second communicating party can regenerate k3 and recalculate (x1, y1) and r until r is not equal to 0.
[0070] Step 36: If r is not equal to 0, the second communicating party calculates D2*k3 mod n and uses the calculation result as s2, and calculates D2*(r+k2) mod n and uses the calculation result as s3.
[0071] That is: s2=D2*k3 mod n;
[0072] s3=D2*(r+k2) mod n.
[0073] Step 37: The second communicating party sends r, s2 and s3 to the first communicating party.
[0074] Step 38: The first communication party calculates (D1*k1)*s2+D1*s3-r mod n to obtain the calculation result s.
[0075] That is: s=(D1*k1)*s2+D1*s3-r mod n.
[0076] If s is equal to 0 or equal to n-r, k1 can be regenerated and the steps that depend on it re-executed. If s is not equal to 0 and not equal to n-r, step 39 is executed.
[0077] Step 39: If s is not equal to 0 and not equal to n-r, the first communicating party outputs (r, s) as a complete signature.
[0078] At the same time, the message M to be signed can also be output.
[0079] The random numbers k1, k2, k3, etc. involved in the above steps are all integers.
[0080] Figure 4 is a flowchart of an embodiment of the decryption method based on the SM2 algorithm suitable for cloud computing according to the present invention. As shown in Figure 4, the method includes the following steps 41 to 44.
[0081] Step 41: The first communicating party generates its own sub-private key D1, and the second communicating party generates its own sub-private key D2.
[0082] For ease of presentation, the first communicating party and the second communicating party are used to represent the communicating parties. The first communicating party can be a client or a server. Accordingly, when the first communicating party is a client, the second communicating party is the server, and when the first communicating party is the server, the second communicating party is the client.
[0083] The first communicating party and the second communicating party share the elliptic curve parameters E(Fq), G, and n of the SM2 algorithm. The elliptic curve E is an elliptic curve defined on the finite field Fq, and G represents the base point of order n on the elliptic curve E. The specific values of each parameter are preset according to the SM2 algorithm.
[0084] For the specific implementation of this step, refer to the relevant description in step 11, which will not be repeated here.
[0085] Step 42: The first communication party partially decrypts the obtained ciphertext C according to D1 to obtain the first part of the plaintext T1, and sends it to the second communication party.
[0086] Step 43: The second communicating party generates a second part of plaintext T2 according to D2 and T1, and sends it to the first communicating party.
[0087] Step 44: The first communication party completely decrypts the ciphertext C according to T2 to obtain a complete plaintext output.
[0088] Through the process shown in steps 42-44, the complete plaintext of ciphertext C can be obtained.
[0089] Figure 5 is a schematic diagram of the process by which the first communicating party and the second communicating party of the present invention decrypt the ciphertext C to obtain its complete plaintext. As shown in Figure 5, the process includes the following steps 51-510.
[0090] Step 51: The first communicating party extracts the bit string C1 from the ciphertext C, which is formed by splicing the bit strings C1, C2, and C3, and, after converting the data type of C1, verifies whether C1 is a non-infinity point on the elliptic curve E.
[0091] That is: C=C1||C2||C3.
[0092] The data type conversion of C1 usually refers to converting it from a bit string to an integer. How to perform the conversion is prior art, and how to verify whether C1 is a non-infinity point on the elliptic curve E is also prior art.
[0093] If C1 is a non-infinity point on the elliptic curve E, perform step 52, otherwise, exit with an error.
[0094] Step 52: The first communicating party calculates D1^-1[*]C1 and uses the calculation result as T1, where D1^-1 is the inverse of D1 on Fq.
[0095] That is: T1=D1^-1[*]C1.
[0096] Step 53: The first communicating party sends T1 to the second communicating party.
[0097] Step 54: The second communicating party calculates D2^-1[*]T1 and uses the calculation result as T2, where D2^-1 is the inverse of D2 on Fq.
[0098] That is: T2=D2^-1[*]T1.
[0099] Step 55: The second communicating party sends T2 to the first communicating party.
[0100] Step 56: The first communication party calculates T2[-]C1 to obtain the calculation result (x2, y2).
[0101] That is: (x2, y2)=T2[-]C1.
[0102] Step 57: The first communicating party calculates KDF(x2||y2, klen) to obtain the calculation result t, where || represents splicing, KDF() is a predetermined key derivation function, and klen represents the length of the output bit string, the value of which is preset.
[0103] That is: t=KDF(x2||y2, klen).
[0104] If t is not equal to 0, proceed to step 58, otherwise, exit with an error.
[0105] Step 58: If t is not equal to 0, the first communicating party extracts the bit string C2 from the ciphertext C and calculates Obtain the calculation result M″, where, Represents bitwise XOR operation.
[0106] That is:
[0107] Step 59: The first communication party calculates Hash(x2||M″||y2) to obtain the calculation result u.
[0108] That is: u=Hash(x2||M″||y2).
[0109] Step 510: The first communication party extracts the bit string C3 from the ciphertext C, and if u is equal to C3, output M″ as a complete plaintext.
[0110] If u is not equal to C3, you can exit with an error.
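The following Python sketch is an added example, not part of the original disclosure. It runs key generation (steps 21-26), cooperative signing (steps 31-39) and the point exchange of decryption (steps 52-56) with both parties in one process, and goes one step further than the text by checking the result with ordinary single-key SM2 verification. Assumptions: the function names are illustrative, the curve is the SM2 recommended curve, and SHA-256 stands in for the predetermined Hash().

```python
import hashlib, secrets

# Added example; function names are illustrative. SM2 recommended curve, G of order n.
p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
a, b = p - 3, 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(P, Q):  # [+]; None is the point at infinity
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = ((3 * x1 * x1 + a) * pow(2 * y1, -1, p) if P == Q
           else (y2 - y1) * pow((x2 - x1) % p, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, P):  # [*]; plain double-and-add, not constant time
    R = None
    while k:
        R, P, k = (add(R, P) if k & 1 else R), add(P, P), k >> 1
    return R

# [-], a random integer in [1, n-1], and e = Hash(Z || M) (SHA-256 stand-in, assumption)
def sub(P, Q): return add(P, (Q[0], -Q[1] % p))
def rand(): return secrets.randbelow(n - 1) + 1
def digest(Z, M): return int.from_bytes(hashlib.sha256(Z + M).digest(), "big")

def keygen():  # steps 21-26
    D1, D2 = rand(), rand()
    P1 = mul(pow(D1, -1, n), G)                     # first party sends P1
    return D1, D2, sub(mul(pow(D2, -1, n), P1), G)  # second party publishes P

def cosign(D1, D2, Z, M):  # steps 31-39, both parties run in one process
    while True:  # simplification: any rejected r or s restarts the round
        k1, k2, k3 = rand(), rand(), rand()
        Q1 = mul(k1, G)                                   # first party
        r = (add(mul(k3, Q1), mul(k2, G))[0] + digest(Z, M)) % n
        s2, s3 = D2 * k3 % n, D2 * (r + k2) % n           # second party
        s = (D1 * k1 * s2 + D1 * s3 - r) % n              # first party
        if r != 0 and s not in (0, n - r):
            return r, s

def verify(P, Z, M, r, s):  # ordinary single-key SM2 verification
    t = (r + s) % n
    R = add(mul(s, G), mul(t, P)) if 0 < r < n and 0 < s < n and t else None
    return R is not None and (digest(Z, M) + R[0]) % n == r

def codecrypt_point(D1, D2, C1):  # steps 52-56, returns (x2, y2)
    T1 = mul(pow(D1, -1, n), C1)   # first party sends T1
    T2 = mul(pow(D2, -1, n), T1)   # second party returns T2
    return sub(T2, C1)
```

Neither party ever holds the combined private key d = (D1*D2)^-1 - 1 mod n, yet (r, s) verifies under P = d[*]G, and (x2, y2) equals k[*]P for a ciphertext whose C1 = k[*]G.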
[0111] Based on the above introduction, the present invention also discloses a signature system based on SM2 algorithm suitable for cloud computing and a decryption system based on SM2 algorithm suitable for cloud computing, which are respectively introduced as follows.
[0112] The SM2 algorithm-based signature system suitable for cloud computing includes:
[0113] The first communicating party is used to generate its own sub-private key D1; to generate the message digest e of the message M to be signed and the first partial signature Q1, and send e and Q1 to the second communicating party; and to generate and output a complete signature according to D1, r, s2 and s3;
[0114] The second communicating party is used to generate its own sub-private key D2; to generate the second partial signature r according to Q1 and e, and generate the third partial signature s2 and the fourth partial signature s3 according to D2; and to send r, s2 and s3 to the first communicating party.
[0115] Wherein,
[0116] The first communicating party and the second communicating party share the elliptic curve parameters E(Fq), G, and n of the SM2 algorithm, the elliptic curve E is an elliptic curve defined on the finite field Fq, and G is the base point of order n on the elliptic curve E;
[0117] D1 and D2 are each a random number between [1, n-1].
[0118] In addition,
[0119] The first communicating party can be further used to calculate D1^-1 mod n, the inverse element of D1 on Fq, calculate D1^-1[*]G, and send the calculation result P1 to the second communicating party;
[0120] The second communicating party can be further used to calculate D2^-1 mod n, the inverse element of D2 on Fq, calculate D2^-1[*]P1[-]G, and publish the calculation result P as a public key, where mod represents a modulo operation, [*] represents an elliptic curve point multiplication operation, and [-] represents an elliptic curve point subtraction operation.
[0121] Specifically,
[0122] The first communicating party calculates e=Hash(M'), M'=Z||M, where || indicates splicing, Z indicates the common identity of the first communicating party and the second communicating party, and Hash() indicates a predetermined cryptographic hash function; and calculates Q1=k1[*]G, where k1 is a random number between [1, n-1], and [*] represents the elliptic curve point multiplication operation.
[0123] The second communicating party calculates r=x1+e mod n, (x1, y1)=k3[*]Q1[+]Q2, Q2=k2[*]G, where mod means the modulo operation, [*] means the elliptic curve point multiplication operation, and [+] means the elliptic curve point addition operation; k2 and k3 are each a random number between [1, n-1]; when r is not equal to 0, it calculates s2=D2*k3 mod n, s3=D2*(r+k2) mod n.
[0124] The first communicating party calculates (D1*k1)*s2+D1*s3-r mod n to obtain the calculation result s, where mod means the modulo operation. If s is not equal to 0 and not equal to n-r, then (r, s) is output as a complete signature.
[0125] The SM2 algorithm-based decryption system suitable for cloud computing includes:
[0126] The first communicating party is used to generate its own sub-private key D1; to partially decrypt the obtained ciphertext C according to D1 to obtain the first part of the plaintext T1, which is sent to the second communicating party; and to completely decrypt the ciphertext C according to T2 to obtain and output the complete plaintext;
[0127] The second communicating party is used to generate its own sub-private key D2; and to generate a second part of the plaintext T2 according to D2 and T1 and send it to the first communicating party.
[0128] Wherein,
[0129] The first communicating party and the second communicating party share the elliptic curve parameters E(Fq), G, and n of the SM2 algorithm, the elliptic curve E is an elliptic curve defined on the finite field Fq, and G is the base point of order n on the elliptic curve E;
[0130] D1 and D2 are each a random number between [1, n-1].
[0131] In addition,
[0132] The first communicating party can be further used to extract the bit string C1 from the ciphertext C, which is formed by splicing the bit strings C1, C2 and C3, and, after converting the data type of C1, verify whether C1 is a non-infinity point on the elliptic curve E; if so, calculate D1^-1[*]C1 and use the calculation result as T1, where D1^-1 is the inverse element of D1 on Fq, and [*] represents the point multiplication of the elliptic curve.
[0133] Specifically,
[0134] The second communicating party calculates T2=D2^-1[*]T1, where D2^-1 is the inverse element of D2 on Fq, and [*] represents the point multiplication of the elliptic curve.
[0135] The first communicating party can be further used to calculate T2[-]C1 to obtain the calculation result (x2, y2), where [-] represents the point subtraction operation of the elliptic curve; calculate KDF(x2||y2, klen) to obtain the calculation result t, where || represents splicing, KDF() represents the predetermined key derivation function, and klen represents the predetermined output bit string length; if t is not equal to 0, the bit string C2 is extracted from the ciphertext C, And calculate Obtain the calculation result M″, where, Represents the bitwise XOR operation; calculate Hash(x2||M″||y2) to obtain the calculation result u, where Hash() represents the predetermined cryptographic hash function; extract the bit string C3 from the ciphertext C, and if u is equal to C3, output M″ as a complete plaintext.
[0136] For the specific work flow of the foregoing system embodiment, please refer to the corresponding description in the foregoing method embodiment, which will not be repeated here.
[0137] In summary, the above are only preferred embodiments of the present invention, and are not used to limit the protection scope of the present invention. Any modification, equivalent replacement, improvement, etc., made within the spirit and principle of the present invention shall be included in the protection scope of the present invention.