CN104243456B

Movatterモバイル変換

Info

Publication number: CN104243456B
Application number: CN201410437599.5A
Authority: CN
Inventors: 林璟锵; 马原; 荆继武; 王琼霄; 雷灵光; 蔡权伟; 王雷
Original assignee: Institute of Information Engineering of CAS
Current assignee: Institute of Information Engineering of CAS
Priority date: 2014-08-29
Filing date: 2014-08-29
Publication date: 2017-11-03
Anticipated expiration: 2034-08-29
Also published as: CN104243456A

Abstract

The invention discloses suitable for signature of the cloud computing based on SM2 algorithms and decryption method and system.Specifically, part private key can be stored respectively in communicating pair, two sides joint, which could be signed or decrypted to message etc., to be operated, communicating pair can not get any information of other side's private key, therefore attacker is in the case where invading the side of any of which one, ciphertext all can not be forged a signature or decrypt, so as to improve the security of the private key in cloud computing environment；Moreover, during signature process and decryption, communicating pair only needs to carry out seldom interaction, so as to the application demand for meeting low latency in cloud computing environment, interacting less.

Description

Translated fromChinese

适用于云计算的基于SM2算法的签名及解密方法和系统SM2 algorithm-based signature and decryption method and system suitable for cloud computing

技术领域technical field

本发明涉及密码领域，特别涉及适用于云计算的基于SM2算法的签名及解密方法和系统。The invention relates to the field of encryption, in particular to a SM2 algorithm-based signature and decryption method and system suitable for cloud computing.

背景技术Background technique

目前，基于公钥密码学的数字签名和加解密技术已经广泛应用在电子商务、身份认证等应用中，成为保证信息安全的重要工具，而私钥的安全性及使用是保证这些应用安全的基础。At present, digital signature and encryption and decryption technologies based on public key cryptography have been widely used in e-commerce, identity authentication and other applications, and have become an important tool to ensure information security, and the security and use of private keys are the basis for ensuring the security of these applications .

在云计算环境中，主要的资源向服务器端聚集，客户端通常以弱终端的形式存在，如智能手机等，这类弱终端通常以软件的形式存储和使用私钥，因此安全防护能力较差。比如，如果私钥完整的存储在智能手机的单个文件中，那么攻击者通过权限提升则可获得私钥，另外，如果私钥完整的出现在每次的签名计算过程中，那么攻击者则可以有很多方式将其从智能手机内存中导出。In the cloud computing environment, the main resources are gathered on the server side, and the client side usually exists in the form of weak terminals, such as smart phones, etc. Such weak terminals usually store and use private keys in the form of software, so the security protection capability is poor . For example, if the private key is completely stored in a single file on the smartphone, the attacker can obtain the private key through privilege escalation. In addition, if the private key completely appears in each signature calculation process, the attacker can There are many ways to export it from the smartphone memory.

为了提高私钥的安全性，现有技术中提出了一种称为门限密码学的算法，即将私钥进行拆分并分布在不同的物理设备中，以避免全部私钥信息的直接存储和使用。比如，一个(t，n)的门限签名方案中，私钥可分布在n个成员中，t个或t个以上成员可以合作完全签名，而小于t个成员时则无法完成签名。In order to improve the security of the private key, an algorithm called threshold cryptography is proposed in the prior art, which splits the private key and distributes it in different physical devices to avoid direct storage and use of all private key information . For example, in a (t, n) threshold signature scheme, the private key can be distributed among n members, and t or more members can cooperate to complete the signature, but less than t members cannot complete the signature.

但是，上述算法的实现往往交互复杂，通信次数繁多，不能满足云计算环境中低延迟、少交互的应用需求，也就是说，上述方式对云计算环境并不适用。However, the implementation of the above algorithm often has complex interactions and numerous communication times, which cannot meet the application requirements of low latency and less interaction in the cloud computing environment. That is to say, the above method is not applicable to the cloud computing environment.

发明内容Contents of the invention

有鉴于此，本发明提供了适用于云计算的基于SM2算法的签名及解密方法和系统，能够提高云计算环境中的私钥的安全性。In view of this, the present invention provides an SM2 algorithm-based signature and decryption method and system suitable for cloud computing, which can improve the security of private keys in the cloud computing environment.

为了达到上述目的，本发明的技术方案是这样实现的：In order to achieve the above object, the technical solution of the present invention is achieved in that:

一种适用于云计算的基于SM2算法的签名方法，包括：A signature method based on the SM2 algorithm suitable for cloud computing, comprising:

第一通信方生成自身的子私钥D1，第二通信方生成自身的子私钥D2；The first communication party generates its own sub-private key D1, and the second communication party generates its own sub-private key D2;

第一通信方生成待签名消息M的消息摘要e和第一部分签名Q1，并将e和Q1发送给第二通信方；The first communication party generates the message digest e of the message M to be signed and the first part of the signature Q1, and sends e and Q1 to the second communication party;

第二通信方根据Q1和e生成第二部分签名r，并根据D2生成第三部分签名s2和第四部分签名s3，将r、s2和s3发送给第一通信方；The second communication party generates the second part signature r according to Q1 and e, and generates the third part signature s2 and the fourth part signature s3 according to D2, and sends r, s2 and s3 to the first communication party;

第一通信方根据D1、r、s2和s3生成完整签名并输出。The first communication party generates a complete signature according to D1, r, s2 and s3 and outputs it.

一种适用于云计算的基于SM2算法的解密方法，包括：A decryption method based on the SM2 algorithm suitable for cloud computing, comprising:

第一通信方根据D1对获取到的密文C进行部分解密，得到第一部分明文T1，并发送给第二通信方；The first communication party partially decrypts the obtained ciphertext C according to D1, obtains the first part of plaintext T1, and sends it to the second communication party;

第二通信方根据D2和T1生成第二部分明文T2，并发送给第一通信方；The second communication party generates the second part of plaintext T2 according to D2 and T1, and sends it to the first communication party;

第一通信方根据T2对密文C进行完整解密，得到完整明文输出。The first communication party completely decrypts the ciphertext C according to T2 to obtain a complete plaintext output.

一种适用于云计算的基于SM2算法的签名系统，包括：A signature system based on the SM2 algorithm suitable for cloud computing, including:

第一通信方，用于生成自身的子私钥D1；并生成待签名消息M的消息摘要e和第一部分签名Q1，将e和Q1发送给第二通信方；根据D1、r、s2和s3生成完整签名并输出；The first communication party is used to generate its own sub-private key D1; and generate the message digest e of the message M to be signed and the first part of the signature Q1, and send e and Q1 to the second communication party; according to D1, r, s2 and s3 Generate a full signature and output it;

第二通信方，用于生成自身的子私钥D2；并根据Q1和e生成第二部分签名r，并根据D2生成第三部分签名s2和第四部分签名s3，将r、s2和s3发送给第一通信方。The second communication party is used to generate its own sub-private key D2; and generate the second part signature r according to Q1 and e, and generate the third part signature s2 and the fourth part signature s3 according to D2, and send r, s2 and s3 to the first corresponding party.

一种适用于云计算的基于SM2算法的解密系统，包括：A decryption system based on the SM2 algorithm suitable for cloud computing, comprising:

第一通信方，用于生成自身的子私钥D1；并根据D1对获取到的密文C进行部分解密，得到第一部分明文T1，发送给第二通信方；根据T2对密文C进行完整解密，得到完整明文输出；The first communication party is used to generate its own sub-private key D1; and partially decrypt the obtained ciphertext C according to D1 to obtain the first part of plaintext T1 and send it to the second communication party; complete the ciphertext C according to T2 Decrypt to get the complete plaintext output;

第二通信方，用于生成自身的子私钥D2；并根据D2和T1生成第二部分明文T2，并发送给第一通信方。The second communication party is used to generate its own sub-private key D2; and generate a second part of plaintext T2 according to D2 and T1, and send it to the first communication party.

可见，采用本发明所述方案，可在通信双方分别存储部分私钥，两方联合才能对消息进行签名或解密等操作，通信双方均无法获取到对方私钥的任何信息，因此攻击者在入侵其中任何一方的情况下，都不能伪造签名或解密密文，相应地，当将该方案应用于云计算环境中时，即可提高云计算环境中的私钥的安全性；而且，签名过程和解密过程中，通信双方仅需要进行很少的交互，从而能够满足云计算环境中低延迟、少交互的应用需求。It can be seen that, by adopting the scheme described in the present invention, part of the private key can be stored separately in the two parties of communication, and the two parties can jointly sign or decrypt the message. In the case of any one of them, the signature cannot be forged or the ciphertext can be decrypted. Correspondingly, when the scheme is applied to the cloud computing environment, the security of the private key in the cloud computing environment can be improved; moreover, the signature process and During the decryption process, the communication parties only need to carry out little interaction, so as to meet the application requirements of low latency and less interaction in the cloud computing environment.

附图说明Description of drawings

图1为本发明适用于云计算的基于SM2算法的签名方法实施例的流程图。FIG. 1 is a flowchart of an embodiment of the SM2 algorithm-based signature method applicable to cloud computing in the present invention.

图2为本发明第一通信方和第二通信方生成各自的子私钥和公钥的过程示意图。FIG. 2 is a schematic diagram of the process of generating respective sub-private keys and public keys by the first communicating party and the second communicating party according to the present invention.

图3为本发明第一通信方和第二通信方生成待签名消息M的完整签名的过程示意图。Fig. 3 is a schematic diagram of the process of generating a complete signature of the message M to be signed by the first communicating party and the second communicating party according to the present invention.

图4为本发明适用于云计算的基于SM2算法的解密方法实施例的流程图。FIG. 4 is a flow chart of an embodiment of the SM2 algorithm-based decryption method applicable to cloud computing in the present invention.

图5为本发明第一通信方和第二通信方解密得到密文C的完整明文的过程示意图。FIG. 5 is a schematic diagram of a process in which the first communicating party and the second communicating party decrypt to obtain the complete plaintext of the ciphertext C according to the present invention.

具体实施方式detailed description

针对现有技术中存在的问题，本发明中提出一种适用于云计算环境中的、基于SM2算法的签名方案和解密方案。SM2算法是一种标准的商用密码算法，在密码产品中被广泛的支持和使用。Aiming at the problems existing in the prior art, the present invention proposes a SM2 algorithm-based signature scheme and decryption scheme suitable for cloud computing environments. The SM2 algorithm is a standard commercial cryptographic algorithm, which is widely supported and used in cryptographic products.

为了使本发明的技术方案更加清楚、明白，以下参照附图并举实施例，对本发明所述方案作进一步的详细说明。In order to make the technical solution of the present invention more clear and understandable, the solution of the present invention will be further described in detail below with reference to the accompanying drawings and examples.

图1为本发明适用于云计算的基于SM2算法的签名方法实施例的流程图，如图1所示，包括以下步骤11～14。Fig. 1 is a flow chart of an embodiment of the SM2 algorithm-based signature method applicable to cloud computing in the present invention, as shown in Fig. 1 , including the following steps 11-14.

步骤11：第一通信方生成自身的子私钥D1，第二通信方生成自身的子私钥D2。Step 11: The first communication party generates its own sub-private key D1, and the second communication party generates its own sub-private key D2.

为便于表述，分别用第一通信方和第二通信方来表示通信双方，其中，第一通信方可以为客户端或服务器端，相应地，当第一通信方为客户端时，第二通信方则为服务器端，当第一通信方为服务器端时，第二通信方则为客户端。For the convenience of expression, the first communication party and the second communication party are respectively used to represent the communication parties, wherein the first communication party can be a client or a server. Correspondingly, when the first communication party is a client, the second communication The party is the server, and when the first communication party is the server, the second communication party is the client.

第一通信方和第二通信方共享SM2算法的椭圆曲线参数E(Fq)、G和n，椭圆曲线E为定义在有限域Fq上的椭圆曲线，G表示椭圆曲线E上n阶的基点，各参数的具体取值等均根据SM2算法预先设定。The first communication party and the second communication party share the elliptic curve parameters E(Fq), G and n of the SM2 algorithm, the elliptic curve E is an elliptic curve defined on the finite field Fq, and G represents the base point of the nth order on the elliptic curve E, The specific values of each parameter are preset according to the SM2 algorithm.

第一通信方和第二通信方需要分别生成自身的子私钥D1和D2，另外，还可进一步合作生成公钥P。The first communication party and the second communication party need to generate their own sub-private keys D1 and D2 respectively. In addition, they can further cooperate to generate the public key P.

相应地，图2为本发明第一通信方和第二通信方生成各自的子私钥和公钥的过程示意图，如图2所示，包括以下步骤21～26。Correspondingly, FIG. 2 is a schematic diagram of the process of generating respective sub-private keys and public keys by the first communication party and the second communication party in the present invention, as shown in FIG. 2 , including the following steps 21-26.

步骤21：第一通信方产生一个位于[1，n-1]之间的随机数，将产生的随机数作为D1。Step 21: The first communication party generates a random number between [1, n-1], and takes the generated random number as D1.

即有：D1∈[1，n-1]。That is: D1 ∈ [1, n-1].

步骤22：第二通信方产生一个位于[1，n-1]之间的随机数，将产生的随机数作为D2。Step 22: The second communicating party generates a random number between [1, n-1], and takes the generated random number as D2.

即有：D2∈[1，n-1]。That is: D2 ∈ [1, n-1].

步骤23：第一通信方计算D1在Fq上的逆元D1^-1mod n。Step 23: The first communicating party calculates the inverse element D1^-1 mod n of D1 on Fq.

mod表示求模运算。mod means modulo operation.

步骤24：第二通信方计算D2在Fq上的逆元D2^-1mod n。Step 24: The second communication party calculates the inverse element D2⁻¹ mod n of D2 on Fq.

步骤25：第一通信方计算D1^-1[*]G，将计算结果P1发送给第二通信方。Step 25: The first communication party calculates D1^-1 [*]G, and sends the calculation result P1 to the second communication party.

即有：P1＝D1^-1[*]G，其中，[*]表示椭圆曲线点乘运算。That is: P1=^D1-1 [*]G, wherein, [*] represents the elliptic curve point multiplication operation.

步骤26：第二通信方计算D2^-1[*]P1[-]G，将计算结果P作为公钥进行公开。Step 26: The second communication party calculates D2^-1 [*]P1[-]G, and discloses the calculation result P as a public key.

即有：P＝D2^-1[*]P1[-]G，其中，[-]表示椭圆曲线点减运算。That is: P=^D2-1 [*]P1[-]G, wherein, [-] represents elliptic curve point subtraction.

需要说明的是，上述步骤21～26的表示方式仅为举例说明，并不用于限制各步骤的执行顺序，在实际应用中，可根据实际需要设定各步骤的执行顺序，只要最终能够得到所需的结果即可，后续涉及到的各示意图中同样如此，不再赘述。It should be noted that the above representations of steps 21-26 are for illustration only, and are not intended to limit the execution order of each step. In practical applications, the execution order of each step can be set according to actual needs, as long as the desired The desired result is sufficient, and the same is true for the schematic diagrams involved in the following, and will not be described again.

步骤12：第一通信方生成待签名消息M的消息摘要e和第一部分签名Q1，并将e和Q1发送给第二通信方。Step 12: The first communication party generates the message digest e and the first partial signature Q1 of the message M to be signed, and sends e and Q1 to the second communication party.

步骤13：第二通信方根据Q1和e生成第二部分签名r，并根据D2生成第三部分签名s2和第四部分签名s3，将r、s2和s3发送给第一通信方。Step 13: The second communication party generates a second partial signature r according to Q1 and e, generates a third partial signature s2 and a fourth partial signature s3 according to D2, and sends r, s2 and s3 to the first communication party.

步骤14：第一通信方根据D1、r、s2和s3生成完整签名并输出。Step 14: The first communication party generates a complete signature according to D1, r, s2 and s3 and outputs it.

通过步骤12～14所示过程，即可生成待签名消息M的完整签名。Through the process shown in steps 12-14, the complete signature of the message M to be signed can be generated.

图3为本发明第一通信方和第二通信方生成待签名消息M的完整签名的过程示意图，如图3所示，包括以下步骤31～39。Fig. 3 is a schematic diagram of the process of generating a complete signature of the message M to be signed by the first communication party and the second communication party according to the present invention, as shown in Fig. 3 , including the following steps 31-39.

步骤31：第一通信方将Z和M拼接形成M'，并计算Hash(M')，将计算结果作为e，其中，Z表示第一通信方和第二通信方共同的身份标识，Hash()表示预定的密码杂凑函数。Step 31: The first communication party concatenates Z and M to form M', and calculates Hash(M'), and takes the calculation result as e, wherein Z represents the common identity of the first communication party and the second communication party, and Hash( ) represents a predetermined cryptographic hash function.

即有：M'＝Z||M，||表示拼接；That is: M'=Z||M, || means splicing;

e＝Hash(M')。e=Hash(M').

步骤32：第一通信方产生一个位于[1，n-1]之间的随机数k1，并计算k1[*]G，将计算结果作为Q1。Step 32: The first communication party generates a random number k1 between [1, n-1], calculates k1[*]G, and uses the calculation result as Q1.

即有：k1∈[1，n-1]；That is: k1∈[1,n-1];

Q1＝k1[*]G。Q1=k1[*]G.

步骤33：第一通信方将e和Q1发送给第二通信方。Step 33: The first communication party sends e and Q1 to the second communication party.

步骤34：第二通信方产生一个位于[1，n-1]之间的随机数k2，并计算k2[*]G，得到计算结果Q2。Step 34: The second communication party generates a random number k2 between [1, n-1], calculates k2[*]G, and obtains the calculation result Q2.

即有：k2∈[1，n-1]；That is: k2∈[1,n-1];

Q2＝k2[*]G。Q2=k2[*]G.

步骤35：第二通信方产生一个位于[1，n-1]之间的随机数k3，计算k3[*]Q1[+]Q2，得到计算结果(x1，y1)，并计算x1+e mod n，将计算结果作为r，其中，[+]表示椭圆曲线点加运算。Step 35: The second communication party generates a random number k3 between [1, n-1], calculates k3[*]Q1[+]Q2, obtains the calculation result (x1, y1), and calculates x1+e mod n, the calculation result is taken as r, where [+] represents the elliptic curve point addition operation.

即有：k3∈[1，n-1]；That is: k3∈[1,n-1];

(x1，y1)＝k3[*]Q1[+]Q2；(x1, y1) = k3[*]Q1[+]Q2;

r＝x1+e mod n。r=x1+e mod n.

其中，若r不等于0，则执行步骤36，若r等于0，则第二通信方可重新产生k3，并重新计算得到(x1，y1)和r，直到r不等于0为止。Wherein, if r is not equal to 0, then execute step 36, if r is equal to 0, then the second communicating party can regenerate k3, and recalculate (x1, y1) and r until r is not equal to 0.

步骤36：若r不等于0，则第二通信方计算D2*k3mod n，将计算结果作为s2，并计算D2*(r+k2)mod n，将计算结果作为s3。Step 36: If r is not equal to 0, the second communication party calculates D2*k3 mod n, takes the calculation result as s2, and calculates D2*(r+k2) mod n, and takes the calculation result as s3.

即有：s2＝D2*k3mod n；That is: s2=D2*k3mod n;

S3＝D2*(r+k2)mod n。S3=D2*(r+k2) mod n.

步骤37：第二通信方将r、s2和s3发送给第一通信方。Step 37: The second communication party sends r, s2 and s3 to the first communication party.

步骤38：第一通信方计算(D1*k1)*s2+D1*s3-r mod n，得到计算结果s。Step 38: The first communicating party calculates (D1*k1)*s2+D1*s3-r mod n to obtain the calculation result s.

即有：s＝(D1*k1)s2+D1*s3-r mod n。That is: s=(D1*k1)s2+D1*s3-r mod n.

其中，若s等于0或等于n-r，则可从重新产生k1，并将与此相关的步骤重新执行，若s不等于0且不等于n-r，则执行步骤39。Wherein, if s is equal to 0 or equal to n-r, k1 can be regenerated from k1, and the steps related to this can be re-executed; if s is not equal to 0 and not equal to n-r, step 39 can be performed.

步骤39：若s不等于0且不等于n-r，则第一通信方将(r，s)作为完整签名输出。Step 39: If s is not equal to 0 and not equal to n-r, the first communication party outputs (r, s) as a complete signature.

同时，还可输出待签名消息M。At the same time, the message M to be signed can also be output.

上述各步骤中涉及到的各随机数k1、k2、k3等均为整数。The random numbers k1, k2, k3, etc. involved in the above steps are all integers.

图4为本发明适用于云计算的基于SM2算法的解密方法实施例的流程图，如图4所示，包括以下步骤41～44。Fig. 4 is a flow chart of an embodiment of the decryption method based on the SM2 algorithm applicable to cloud computing in the present invention, as shown in Fig. 4 , including the following steps 41-44.

步骤41：第一通信方生成自身的子私钥D1，第二通信方生成自身的子私钥D2。Step 41: The first communication party generates its own sub-private key D1, and the second communication party generates its own sub-private key D2.

本步骤的具体实现可参照步骤11中的相关说明，此处不再赘述。For the specific implementation of this step, refer to the relevant description in step 11, and details will not be repeated here.

步骤42：第一通信方根据D1对获取到的密文C进行部分解密，得到第一部分明文T1，并发送给第二通信方。Step 42: The first communication party partially decrypts the obtained ciphertext C according to D1 to obtain the first part of plaintext T1, and sends it to the second communication party.

步骤43：第二通信方根据D2和T1生成第二部分明文T2，并发送给第一通信方。Step 43: The second communication party generates a second part of plaintext T2 according to D2 and T1, and sends it to the first communication party.

步骤44：第一通信方根据T2对密文C进行完整解密，得到完整明文输出。Step 44: The first communicating party completely decrypts the ciphertext C according to T2 to obtain a complete plaintext output.

通过步骤42～44所示过程，即可得到密文C的完整明文。Through the process shown in steps 42-44, the complete plaintext of the ciphertext C can be obtained.

图5为本发明第一通信方和第二通信方解密得到密文C的完整明文的过程示意图，如图5所示，包括以下步骤51～510。Fig. 5 is a schematic diagram of the process of obtaining the complete plaintext of the ciphertext C by decrypting the first communication party and the second communication party according to the present invention, as shown in Fig. 5 , including the following steps 51-510.

步骤51：第一通信方从密文C中提取出比特串C1，密文C由比特串C1、C2和C3拼接而成，并对C1进行数据类型转换后，验证C1是否为椭圆曲线E上的非无穷远点。Step 51: The first communication party extracts the bit string C1 from the ciphertext C. The ciphertext C is concatenated from the bit strings C1, C2 and C3, and after converting the data type of C1, verify whether C1 is on the elliptic curve E non-infinite point of .

即有：C＝C1||C2||C3。That is: C=C1||C2||C3.

对C1进行数据类型转换，通常是指将其从比特串转换为整数，如何进行转换为现有技术，如何验证C1是否为椭圆曲线E上的非无穷远点同样为现有技术。Performing data type conversion on C1 usually refers to converting it from a bit string to an integer. How to perform the conversion is a prior art, and how to verify whether C1 is a non-infinity point on the elliptic curve E is also a prior art.

若C1为椭圆曲线E上的非无穷远点，则执行步骤52，否则，可报错退出。If C1 is a non-infinity point on the elliptic curve E, execute step 52; otherwise, report an error and exit.

步骤52：第一通信方计算D1^-1[*]C1，将计算结果作为T1，其中，D1^-1为D1在Fq上的逆元。Step 52: The first communicating party calculates D1^-1 [*]C1, and takes the calculation result as T1, where D1^-1 is the inverse element of D1 on Fq.

即有：T1＝D1^-1[*]C1。That is: T1 = D1^-1 [*] C1.

步骤53：第一通信方将T1发送给第二通信方。Step 53: The first communication party sends T1 to the second communication party.

步骤54：第二通信方计算D2^-1[*]T1，将计算结果作为T2，其中，D2^-1为D2在Fq上的逆元。Step 54: The second communicating party calculates D2^-1 [*]T1 and takes the calculation result as T2, wherein D2^-1 is the inverse element of D2 on Fq.

即有：T2＝D2^-1[*]T1。That is: T2=^D2-1 [*]T1.

步骤55：第二通信方将T2发送给第一通信方。Step 55: The second communication party sends T2 to the first communication party.

步骤56：第一通信方计算T2[-]C1，得到计算结果(x2，y2)。Step 56: The first communicating party calculates T2[-]C1 and obtains the calculation result (x2, y2).

即有：(x2，y2)＝T2[-]C1。That is: (x2, y2)=T2[-]C1.

步骤57：第一通信方计算KDF(x2||y2，klen)，得到计算结果t，其中，||表示拼接，KDF()为预定的密钥派生函数，klen表示输出的比特串长度，取值为预先设定。Step 57: The first communication party calculates KDF(x2||y2, klen), and obtains the calculation result t, where || indicates concatenation, KDF() is a predetermined key derivation function, and klen indicates the length of the output bit string, which is taken as The value is preset.

即有：t＝KDF(x2||y2，klen)。That is: t=KDF(x2||y2, klen).

若t不等于0，则执行步骤58，否则，可报错退出。If t is not equal to 0, execute step 58; otherwise, report an error and exit.

步骤58：若t不等于0，第一通信方从密文C中提取出比特串C2，并计算得到计算结果M″，其中，表示按位异或运算。Step 58: If t is not equal to 0, the first communication party extracts the bit string C2 from the ciphertext C, and calculates Obtain calculation result M ", among them, Represents a bitwise XOR operation.

即有：That is:

步骤59：第一通信方计算Hash(x2||M″||y2)，得到计算结果u。Step 59: The first communicating party calculates Hash(x2||M″||y2) and obtains the calculation result u.

即有：u＝Hash(x2||M″||y2)。That is: u=Hash(x2||M″||y2).

步骤510：第一通信方从密文C中提取出比特串C3，若u等于C3，则将M″作为完整明文输出。Step 510: The first communicating party extracts the bit string C3 from the ciphertext C, and if u is equal to C3, outputs M″ as a complete plaintext.

若u不等于C3，可报错退出。If u is not equal to C3, it can report an error and exit.

基于上述介绍，本发明同时公开了一种适用于云计算的基于SM2算法的签名系统以及一种适用于云计算的基于SM2算法的解密系统，分别介绍如下。Based on the above introduction, the present invention also discloses a signature system based on the SM2 algorithm suitable for cloud computing and a decryption system based on the SM2 algorithm suitable for cloud computing, which are respectively introduced as follows.

所述适用于云计算的基于SM2算法的签名系统中包括：The SM2 algorithm-based signature system suitable for cloud computing includes:

其中，in,

第一通信方和第二通信方共享SM2算法的椭圆曲线参数E(Fq)、G和n，椭圆曲线E为定义在有限域Fq上的椭圆曲线，G为椭圆曲线E上n阶的基点；The first communication party and the second communication party share the elliptic curve parameters E(Fq), G and n of the SM2 algorithm, the elliptic curve E is an elliptic curve defined on the finite field Fq, and G is the base point of n order on the elliptic curve E;

D1和D2均为位于[1，n-1]之间的一个随机数。Both D1 and D2 are a random number between [1, n-1].

另外，in addition,

第一通信方可进一步用于，计算D1在Fq上的逆元D1^-1mod n，并计算D1^-1[*]G，将计算结果P1发送给第二通信方；The first communication party can be further used to calculate the inverse element D1^-1 mod n of D1 on Fq, and calculate D1^-1 [*]G, and send the calculation result P1 to the second communication party;

第二通信方可进一步用于，计算D2在Fq上的逆元D2^-1mod n，并计算D2^-1[*]P1[-]G，将计算结果P作为公钥进行公开，其中，mod表示求模运算，[*]表示椭圆曲线点乘运算，[-]表示椭圆曲线点减运算。The second communication party can be further used to calculate the inverse element D2^-1 mod n of D2 on Fq, calculate D2^-1 [*]P1[-]G, and publish the calculation result P as a public key, where mod Indicates modulo operation, [*] indicates elliptic curve point multiplication operation, [-] indicates elliptic curve point subtraction operation.

具体地，specifically,

第一通信方计算e＝Hash(M')，M'＝Z||M，其中，||表示拼接，Z表示第一通信方和第二通信方共同的身份标识，Hash()表示预定的密码杂凑函数；并计算Q1＝k1[*]G，其中，k1为位于[1，n-1]之间的一个随机数，[*]表示椭圆曲线点乘运算。The first communication party calculates e=Hash(M'), M'=Z||M, wherein, || represents splicing, Z represents the common identity mark of the first communication party and the second communication party, Hash () represents predetermined Cryptographic hash function; and calculate Q1=k1[*]G, wherein, k1 is a random number between [1, n-1], and [*] represents an elliptic curve point multiplication operation.

第二通信方计算r＝x1+e mod n，(x1，y1)＝k3[*]Q1[+]Q2，Q2＝k2[*]G；其中，mod表示求模运算，[*]表示椭圆曲线点乘运算，[+]表示椭圆曲线点加运算；k2和k3均为位于[1，n-1]之间的一个随机数；当r不等于0时，计算s2＝D2*k3mod n，s3＝D2*(r+k2)mod n。The second communication party calculates r=x1+e mod n, (x1, y1)=k3[*]Q1[+]Q2, Q2=k2[*]G; wherein, mod represents a modulo operation, and [*] represents an ellipse Curve point multiplication operation, [+] means elliptic curve point addition operation; both k2 and k3 are a random number between [1, n-1]; when r is not equal to 0, calculate s2=D2*k3mod n, s3=D2*(r+k2) mod n.

第一通信方计算(D1*k1)*s2+D1*s3-r mod n，得到计算结果s，其中，mod表示求模运算，若s不等于0且不等于n-r，则将(r，s)作为完整签名输出。The first communication party calculates (D1*k1)*s2+D1*s3-r mod n, and obtains the calculation result s, wherein mod represents a modulo operation, if s is not equal to 0 and not equal to n-r, then (r, s ) as the full signature output.

所述适用于云计算的基于SM2算法的解密系统中包括：The described SM2 algorithm-based decryption system suitable for cloud computing includes:

其中，in,

另外，in addition,

第一通信方可进一步用于，从密文C中提取出比特串C1，密文C由比特串C1、C2和C3拼接而成，并对C1进行数据类型转换后，验证C1是否为椭圆曲线E上的非无穷远点；若是，则计算D1^-1[*]C1，将计算结果作为T1，其中，D1^-1为D1在Fq上的逆元，[*]表示椭圆曲线点乘运算。The first communication party can be further used to extract the bit string C1 from the ciphertext C, the ciphertext C is spliced by the bit strings C1, C2 and C3, and after performing data type conversion on C1, verify whether C1 is an elliptic curve A non-infinity point on E; if so, calculate D1^-1 [*]C1, and use the calculation result as T1, where D1^-1 is the inverse element of D1 on Fq, and [*] represents the elliptic curve point multiplication operation.

具体地，specifically,

第二通信方计算T2＝D2^-1[*]T1，其中，D2^-1为D2在Fq上的逆元，[*]表示椭圆曲线点乘运算。The second communication party calculates T2=D2^-1 [*]T1, wherein, D2^-1 is the inverse element of D2 on Fq, and [*] represents an elliptic curve point multiplication operation.

第一通信方还可进一步用于，计算T2[-]C1，得到计算结果(x2，y2)，其中，[-]表示椭圆曲线点减运算；计算KDF(x2||y2，klen)，得到计算结果t，其中，||表示拼接，KDF()表示预定的密钥派生函数，klen表示预定的输出的比特串长度；若t不等于0，则从密文C中提取出比特串C2，并计算得到计算结果M″，其中，表示按位异或运算；计算Hash(x2||M″||y2)，得到计算结果u，其中，Hash()表示预定的密码杂凑函数；从密文C中提取出比特串C3，若u等于C3，则将M″作为完整明文输出。The first communication party can further be used to calculate T2[-]C1 to obtain the calculation result (x2, y2), where [-] represents the elliptic curve point subtraction operation; calculate KDF (x2||y2, klen), and obtain Calculation result t, where || represents concatenation, KDF() represents a predetermined key derivation function, and klen represents the length of a predetermined output bit string; if t is not equal to 0, extract the bit string C2 from the ciphertext C, and calculate Obtain calculation result M ", among them, Indicates a bitwise XOR operation; calculate Hash(x2||M″||y2) to obtain the calculation result u, where Hash() indicates a predetermined cryptographic hash function; extract the bit string C3 from the ciphertext C, if u equal to C3, output M" as a complete plaintext.

上述系统实施例的具体工作流程请参照前述方法实施例中的相应说明，此处不再赘述。For the specific work flow of the above system embodiment, please refer to the corresponding description in the foregoing method embodiment, and details are not repeated here.

综上所述，以上仅为本发明的较佳实施例而已，并非用于限定本发明的保护范围。凡在本发明的精神和原则之内，所作的任何修改、等同替换、改进等，均应包含在本发明的保护范围之内。To sum up, the above are only preferred embodiments of the present invention, and are not intended to limit the protection scope of the present invention. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.