CN-122001576-A - Cooperative password method and system based on certificate-free SM2
Abstract
The invention discloses a cooperative cryptographic method and a cooperative cryptographic system based on certificateless SM2, belonging to the technical field of information security. Addressing the security risks of terminal key management and use in existing certificateless SM2 systems and the management complexity of the SM2 certificate system, the invention generates the key among three parties: a certificateless SM2 key generation center, a client and a cooperative server. The key generation center only provides a partial private key, the client and the cooperative server each generate their own private key share, and the complete private key never exists in any single entity. Signing and decryption are completed cooperatively using the private key shares held by the two parties, so compromise of either party alone does not reveal the private key. Decryption uses a blinding technique to protect privacy. In addition, the user can freely choose whether to enable the cooperative mode; the public key is identical in both modes, so the verifier does not need to distinguish between them. The method is suitable for cloud computing, mobile payment, the Internet of Things and other scenarios.
Inventors
- ZHAO TONGYI
Assignees
- 赵统一
Dates
- Publication Date
- 20260508
- Application Date
- 20260212
Claims (9)
- 1. A cooperative cryptographic method based on certificateless SM2, characterized by comprising a cooperative key generation process, a cooperative signature process and a cooperative decryption process; wherein G is the elliptic curve base point, n is the order of the base point G, d is the complete private key, P is the user public key, P = [d]G, d'A is the private key share held by the client and combined with the KGC partial private key, and dB is the private key share held by the cooperative server; the cooperative cryptographic method adopts a certificateless public key cryptosystem in which the calculation of the user discernable identifier HA and the binding parameter λ follows the GM/T 0130-2023 standard, and the invention does not claim the HA and λ calculation method itself; on the basis of the certificateless public key cryptosystem, the cooperative cryptographic method adopts a multiplicative structure to decompose the modular inverse of the complete private key d into the product of two shares, satisfying the relation (1+d)^(-1) = d'A·dB, wherein d'A is formed by combining, through operation, a secret value generated by the user with a partial private key generated by the key generation center KGC, so that KGC alone cannot recover the complete private key of the user, and no digital certificate is required to bind the user identity information to the public key P; the cooperative mode is optional, the user public key P generated by the method is the same whether or not the cooperative mode is enabled, and the verifier or encryptor does not need to distinguish between the modes employed by the signer or decryptor.
- 2. The method according to claim 1, wherein the cooperative key generation process involves the key generation center KGC, the client and the cooperative server, the complete private key d never appears in any single entity and no certificate authority CA issues digital certificates; wherein sKGC is the KGC master private key, Ppub = [sKGC]G is the KGC master public key, IDA is the user identity, HA is the user discernable identifier calculated according to the GM/T 0130-2023 standard, and λ is the binding parameter calculated according to the GM/T 0130-2023 standard; the overall key generation process, which combines certificateless key generation with private key share generation by the cooperative server, is claimed and comprises in particular the following steps: step S1.1, the client generates a random number dA as the secret value, the value range of dA being [1, n-1]; step S1.2, the client calculates the multiplicative inverse dA^(-1) mod n of dA, satisfying dA·dA^(-1) ≡ 1 (mod n); step S1.3, the client calculates the public key component PA = [dA^(-1)]G, which is subsequently used to receive the KGC partial private key in encrypted form; step S2.1, if the cooperative mode is enabled, the cooperative server generates a random number dB as the private key share held by the cooperative server, the value range of dB being [1, n-1]; step S2.2, the cooperative server calculates the multiplicative inverse dB^(-1) mod n of dB; step S2.3, the cooperative server calculates the intermediate public key component P1 = [dB^(-1)]PA = [dB^(-1)·dA^(-1)]G and returns P1 to the client; step S2.4, the cooperative server securely stores dB for subsequent cooperative signature and decryption; step S2.5, if the cooperative mode is not enabled, dB = 1 is set, in which case P1 = PA = [dA^(-1)]G and the cooperative server does not participate in subsequent cryptographic operations; step S3.1, the client sends the user identity IDA, the intermediate public key component P1 and the public key component PA to KGC; step S3.2, KGC calculates the user discernable identifier HA = H256(ENTLA || IDA || a || b || xG || yG || xPpub || yPpub) according to the GM/T 0130-2023 standard, wherein ENTLA is the bit length of the user identity, a and b are the elliptic curve parameters, (xG, yG) are the coordinates of the base point G and (xPpub, yPpub) are the coordinates of the KGC master public key Ppub; step S3.3, KGC randomly selects w ∈ [1, n-1]; step S3.4, KGC calculates the combination point WA = [w]G + P1; step S3.5, KGC calculates the binding parameter λ = H256(xWA || yWA || HA) mod n according to the GM/T 0130-2023 standard, wherein (xWA, yWA) are the coordinates of the combination point WA; step S3.6, KGC calculates the partial private key DA = (w + λ·sKGC)^(-1) mod n, in inverse form; step S3.7, KGC calculates the public key P = [DA^(-1)]P1 − G = [(w + λ·sKGC)]P1 − G; step S3.8, KGC uses PA as the encryption public key and encrypts the partial private key DA with the SM2 public key encryption algorithm according to the GM/T 0003.4 standard to obtain the ciphertext Enc(DA); step S3.9, KGC returns the triplet (Enc(DA), WA, P) to the client; step S4.1, the client receives the triplet (Enc(DA), WA, P) returned by KGC; step S4.2, the client decrypts the ciphertext Enc(DA) using dA^(-1) as the SM2 decryption private key to obtain the partial private key DA, PA = [dA^(-1)]G being the corresponding encryption public key; step S4.3, the client verifies the correctness of the partial private key DA by recalculating the identifier HA and the binding parameter λ and checking whether [DA^(-1)]P1 − G equals the received public key P; step S4.4, after the verification passes, the client calculates the combined private key share d'A = dA·DA mod n; step S4.5, the client stores the combined private key share d'A and the user public key P; and step S4.6, the client securely destroys the temporary variables dA and DA to prevent leakage of the private key.
- 3. The cooperative key generation method based on certificateless SM2 according to claim 2, wherein in step S3 the calculation of the user discernable identifier HA and the binding parameter λ follows the GM/T 0130-2023 standard, wherein HA = H256(ENTLA || IDA || a || b || xG || yG || xPpub || yPpub), ENTLA is the bit length of the user identity, a and b are the elliptic curve parameters, (xG, yG) are the coordinates of the base point G, (xPpub, yPpub) are the coordinates of the master public key Ppub, H256 is a 256-bit hash function, and the binding parameter λ = H256(xWA || yWA || HA) mod n, (xWA, yWA) being the coordinates of the combination point WA; the present claim does not claim the calculation of HA and λ themselves, but protects, within the certificateless key generation framework, the way the KGC partial private key DA is combined with the user secret value dA and the encrypted delivery of DA under the public key component PA derived from the user secret value.
- 4. The cooperative method based on certificateless SM2 according to claim 2, wherein in step S2, when the cooperative mode is not enabled, dB = 1 and P1 = PA = [dA^(-1)]G, so that the user public key P obtained by the KGC calculation is kept consistent in the two modes, and the verifier and the encryptor do not need to distinguish whether the user has enabled the cooperative mode.
- 5. The cooperative signature method based on certificateless SM2 according to claim 1, wherein the cooperative signature process converts the SM2 signature formula s = (1+d)^(-1)·(k − r·d) mod n into s = d'A·dB·(k + r) − r mod n, based on the private key share relation (1+d)^(-1) = d'A·dB generated by the certificateless key generation process, where d'A is the share formed in the certificateless key generation process by combining the user secret value and the KGC partial private key, M is the message to be signed, e is the message hash value, k1 and k2 are random numbers generated by the client and the cooperative server respectively, and k = (k1·k2)^(-1) is the joint random number; the cooperative signature process comprises in particular the following steps: step T1.1, the client generates a first random number k1, the value range of k1 being [1, n-1]; step T1.2, the client calculates the user discernable identification information ZA; step T1.3, the client calculates the message hash value e = SM3(ZA || M); step T1.4, the client calculates the modulo-n multiplicative inverse k1^(-1) mod n of k1; step T1.5, the client calculates Q1 = [k1^(-1)]G; step T1.6, the client sends (Q1, e) to the cooperative server; step T2.1, the cooperative server receives (Q1, e) sent by the client; step T2.2, the cooperative server generates a second random number k2, the value range of k2 being [1, n-1]; step T2.3, the cooperative server calculates the modulo-n multiplicative inverse k2^(-1) mod n of k2; step T2.4, the cooperative server calculates the joint random point Q = [k2^(-1)]Q1 = (xQ, yQ), corresponding to the joint random number k = (k1·k2)^(-1); step T2.5, the cooperative server calculates the signature component r = (e + xQ) mod n; step T2.6, the cooperative server calculates the first intermediate signature component s2 = dB·k2^(-1) mod n; step T2.7, the cooperative server calculates the second intermediate signature component s3 = dB·r mod n; step T2.8, the cooperative server returns (r, s2, s3) to the client; step T3.1, the client receives (r, s2, s3) returned by the cooperative server; step T3.2, the client calculates the final signature component s = d'A·k1^(-1)·s2 + d'A·s3 − r mod n; and step T3.3, the client outputs the signature result (r, s).
- 6. The cooperative signature method based on certificateless SM2 according to claim 5, wherein the signature result (r, s) is verified with the standard SM2 signature verification algorithm using the user public key P, so that cooperative and non-cooperative signatures are transparently compatible for the verifier, who does not need to know whether the signature was generated in cooperative mode.
- 7. The cooperative decryption method based on certificateless SM2 according to claim 1, wherein the cooperative decryption process employs a blinding technique to protect the privacy of the client, based on the private key share relation (1+d)^(-1) = d'A·dB generated in the certificateless key generation process, where d'A is the share formed in the certificateless key generation process by combining the user secret value and the KGC partial private key, (C1, C2, C3) is the SM2 ciphertext, C1 is an elliptic curve point, and r is the blinding factor; the cooperative decryption process comprises in particular the following steps: step U1.1, the client receives the ciphertext (C1, C2, C3); step U1.2, the client generates a blinding factor r, the value range of r being [1, n-1]; step U1.3, the client calculates the modulo-n multiplicative inverse d'A^(-1) mod n of d'A; step U1.4, the client calculates the blinded intermediate value T1 = [d'A^(-1)]C1 + [r]G; the client then sends T1 to the cooperative server, which cannot deduce any information about the ciphertext from T1 because of the blinding factor r; step U2.1, the cooperative server receives T1 sent by the client; step U2.2, the cooperative server calculates the modulo-n multiplicative inverse dB^(-1) mod n of dB; step U2.3, the cooperative server calculates T2 = [dB^(-1)]T1; step U2.4, the cooperative server calculates the blinding auxiliary value R' = [dB^(-1)]G; step U2.5, the cooperative server returns (T2, R') to the client; step U3.1, the client receives (T2, R') returned by the cooperative server; step U3.2, the client performs the unblinding calculation T = T2 − [r]R' to obtain T = [(d'A·dB)^(-1)]C1; step U3.3, the client calculates the shared secret point (x2, y2) = T − C1 = [d]C1; step U3.4, the client calculates the decryption key t = KDF(x2 || y2, klen) with the key derivation function KDF; step U3.5, the client decrypts the message M = C2 ⊕ t; step U3.6, the client verifies the integrity C3 = SM3(x2 || M || y2); and step U3.7, if the verification passes, the plaintext M is output.
- 8. The cooperative decryption method based on certificateless SM2 according to claim 7, wherein the blinding technique ensures that the cooperative server cannot learn the value of [d'A^(-1)]C1 from T1, and therefore cannot learn the shared secret point (x2, y2) or the plaintext M; its security is based on the hardness of the elliptic curve discrete logarithm problem.
- 9. A cooperative cryptographic system based on certificateless SM2, implementing the method of any one of claims 1 to 8, wherein the system employs a certificateless public key cryptosystem and does not need a certificate authority CA to issue and manage digital certificates, comprising: a key generation center module, used to initialize the system, generate the master key pair (sKGC, Ppub) and generate the partial private key DA for the user, wherein the partial private key DA is only one component of the user's complete private key and the key generation center cannot obtain the user's complete private key d; a client module, used to generate the secret value dA, calculate the combined private key share d'A, initiate cooperative signature and cooperative decryption requests, and complete the final signature component s and the decryption calculation; a cooperative server module, used to generate and store the private key share dB, participate in calculating the intermediate signature components s2 and s3 in cooperative signature, and participate in calculating T2 and R' in cooperative decryption; and a communication module, used to establish a secure communication channel among the key generation center module, the client module and the cooperative server module; the client module can selectively enable or disable the cooperative mode with the cooperative server module, dB = 1 when it is not enabled, and in both modes the user public key P = [d]G remains consistent.
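The key generation of claim 2, the signature of claim 5 and the blinded decryption of claim 7 all reduce to identities in Z_n, because every point in the claims is a scalar multiple of G or of C1. The following Python model, added here and not part of the patent, tracks each point by its scalar and checks that key generation yields (1+d)^(-1) = d'A·dB, that the cooperative signature equals a plain SM2 signature under d, and that unblinding recovers [d]C1; curve arithmetic, SM3, the KDF and the derivation of λ from WA and HA are not modelled, so λ and sKGC are supplied as assumed inputs.

```python
import secrets

# Order n of the SM2 base point G (GB/T 32918 recommended curve); all shares live in Z_n.
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123

def inv(x):
    """Modular inverse x^(-1) mod n (Python 3.8+)."""
    return pow(x, -1, N)

def rnd():
    """Random scalar in [1, n-1]."""
    return secrets.randbelow(N - 1) + 1

def keygen(lam, s_kgc, coop=True):
    """Three-party key generation (claim 2). Each point is tracked by its scalar,
    e.g. PA = [dA^-1]G is represented by dA^-1. lam (binding parameter lambda) and
    s_kgc (KGC master key) are assumed inputs; the hash deriving lam is not modelled."""
    dA = rnd()                                   # S1.1 client secret value
    pA = inv(dA)                                 # S1.3 PA = [dA^-1]G
    dB = rnd() if coop else 1                    # S2.1 / S2.5 server share (1 = mode off)
    p1 = inv(dB) * pA % N                        # S2.3 P1 = [dB^-1]PA
    w = rnd()                                    # S3.3 KGC nonce
    DA = inv((w + lam * s_kgc) % N)              # S3.6 partial private key, inverse form
    d = (inv(DA) * p1 - 1) % N                   # S3.7 P = [DA^-1]P1 - G, i.e. d = log_G(P)
    assert (inv(DA) * p1 - 1) % N == d           # S4.3 client recomputes P and compares
    dA_comb = dA * DA % N                        # S4.4 d'A = dA * DA
    # d is returned only so the caller can check the claimed identities;
    # in the real protocol no single party ever holds it.
    return dA_comb, dB, d

def coop_sign(e, dA_comb, dB):
    """Collaborative signature (claim 5). Returns (r, s) plus the joint nonce k,
    which a real client never learns; it is returned here only for checking."""
    k1 = rnd()                                   # T1.1
    q1 = inv(k1)                                 # T1.5 Q1 = [k1^-1]G
    k2 = rnd()                                   # T2.2
    xQ = inv(k2) * q1 % N                        # T2.4 Q = [k2^-1]Q1 = [k]G; scalar stands in for xQ
    r = (e + xQ) % N                             # T2.5
    s2 = dB * inv(k2) % N                        # T2.6
    s3 = dB * r % N                              # T2.7
    s = (dA_comb * inv(k1) * s2 + dA_comb * s3 - r) % N   # T3.2
    return r, s, xQ                              # xQ == k = (k1*k2)^-1 in this model

def sm2_sign_s(e, d, k, r):
    """Plain single-key SM2: s = (1+d)^-1 * (k - r*d) mod n, for comparison."""
    return inv((1 + d) % N) * (k - r * d) % N

def coop_decrypt(c1, dA_comb, dB):
    """Blinded collaborative decryption (claim 7) on the scalar c1 of C1 = [c1]G.
    Returns the scalar of the shared secret point [d]C1 and the value the server saw."""
    r = rnd()                                    # U1.2 blinding factor
    t1 = (inv(dA_comb) * c1 + r) % N             # U1.4 T1 = [d'A^-1]C1 + [r]G
    t2 = inv(dB) * t1 % N                        # U2.3 T2 = [dB^-1]T1
    r_aux = inv(dB)                              # U2.4 R' = [dB^-1]G
    t = (t2 - r * r_aux) % N                     # U3.2 T = T2 - [r]R' = [(d'A*dB)^-1]C1
    return (t - c1) % N, t1                      # U3.3 (x2, y2) = T - C1 = [d]C1
```

Calling keygen with coop=False exercises the dB = 1 case of claim 4, and the same checks pass because the public key scalar d is unchanged in form.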
Description
Cooperative password method and system based on certificate-free SM2
Technical Field
The invention relates to the technical field of cryptography and information security, in particular to a cooperative signature and decryption method and system based on a certificateless public key cryptosystem, and especially to a technical scheme for realizing multi-party cooperative key generation, signature and decryption by combining the certificateless SM2 cryptosystem with cooperative computation.
Background
SM2 is an elliptic curve public key cryptographic algorithm issued by the State Cryptography Administration of China and is widely applied to digital signature, key exchange, data encryption and other scenarios. In a public key cryptosystem, a user holds a pair of keys: the private key is kept secret by the user, and the public key is published for others to use. The core security issue is how to ensure the authenticity of the public key, i.e. how to let a communicating party confirm that a given public key really belongs to the purported user rather than having been forged or replaced by an attacker. Around this problem, the cryptographic community has developed three main public key management systems: certificate-based public key infrastructure, identity-based cryptosystems and certificateless public key cryptosystems. Certificate-based public key infrastructure (Public Key Infrastructure, PKI) is the most widely used public key management regime today. In the PKI architecture, a trusted certificate authority (Certificate Authority, CA) issues a digital certificate for each user, which binds the user identity to its public key. The correspondent verifies the authenticity of the public key by verifying the signature of the CA. The traditional SM2 algorithm employs this certificate-based PKI model.
The PKI system has the advantages of a mature security model and a high degree of standardization, and because the CA does not hold user private keys there is no key escrow problem. However, the PKI system carries significant certificate management overhead: the CA is responsible for issuing, distributing, storing, updating and revoking certificates, must maintain a Certificate Revocation List (CRL) or provide an Online Certificate Status Protocol (OCSP) service, and a user must obtain and verify the counterpart's certificate chain before performing a cryptographic operation, which increases communication bandwidth and computational overhead. In resource-constrained application scenarios such as large-scale Internet of Things and mobile terminals, the burden of certificate management is particularly prominent. To solve the certificate management problem of PKI, Shamir proposed the identity-based cryptosystem (Identity-Based Cryptography, IBC) in 1984. In IBC, the public key of a user is derived directly from its identity information (e.g. an e-mail address or mobile phone number), so the authenticity of the public key can be determined without a certificate. The key generation center (Key Generation Center, KGC) generates the complete private key for the user based on that identity information. The IBC system completely eliminates the expense of certificate management and simplifies the key distribution flow. However, IBC has an inherent key escrow problem: since the complete private key of a user is generated by the KGC, the KGC holds the private keys of all users, and once the KGC is compromised or a KGC administrator acts maliciously, the private key security of all users is lost entirely. This fundamental drawback limits the use of IBC in scenarios with high security requirements.
Certificateless public key cryptography (Certificateless Public Key Cryptography, CL-PKC) was proposed by Al-Riyami and Paterson in 2003, aiming to solve both the certificate management overhead of PKI and the key escrow problem of IBC. In a certificateless cryptosystem, the complete private key of a user is determined by two parts: one part is a partial private key generated by the KGC according to the identity of the user, and the other part is a secret value selected by the user. The KGC can only generate the partial private key and cannot learn the secret value of the user, so it cannot recover the complete private key of the user, which avoids the key escrow problem. Meanwhile, the public key of the user is implicitly bound to the user identity information, and the communicating party can verify the authenticity of the public key through the published system parameters and the user identity without an additional certificate management mechanism. The certificateless cryptosystem combines the advantages of PKI and IBC and is an ideal public key management scheme. GM/T 0130-2023 (certificateless and implicit-certificate public key mechanism based on the SM2 algorithm) combines the certificateless cryptosystem with the SM2 algorithm in China, defines a certificate-free cryptosy