Disclosure of Invention
The invention aims to solve the problems of the existing technical schemes for collaborative generation of ECDSA digital signatures based on secret sharing, and provides a corresponding technical scheme that overcomes the defects of the prior art; the proposed scheme can be used both in application scenarios where the signature private key is not secret-shared and in scenarios where it is secret-shared.
To this end, the technical scheme provided by the invention comprises a secure and controllable method of using an ECDSA signature private key, and a corresponding system.
In the following description of the technical solution, if P, Q are elements (points) of the elliptic curve point group, P+Q denotes the point addition of P and Q, P-Q denotes P plus the inverse of Q, and kP denotes the point addition of k copies of P, i.e. P+P+...+P (if k is negative, kP is the additive inverse of the point addition of |k| copies of P); c-1 denotes the modular-n multiplicative inverse of an integer c (i.e. cc-1 mod n=1); unless otherwise stated, all multiplicative inverses in this application are modular-n inverses, where n is the order of the ECDSA elliptic curve point group (i.e. the order of the base point G). Multiplication of integers (of symbolic parameters and variables with each other, or of constants with symbolic parameters and variables) is written without the dot where no ambiguity arises, so k1·k2 is written k1k2 and 3·c is written 3c; a mod n denotes the residue of the integer a modulo n, so that, for example, ab mod n and (a+b) mod n denote the product and the sum reduced modulo n.
The safe and controllable use method of the ECDSA signature private key provided by the invention is specifically as follows.
The user terminal holds QU=dU G, the secret dB=(bdU) mod n, and can obtain SB=E(b), where dU is the user's ECDSA signature private key, G is the base point of the ECDSA elliptic curve point group (subgroup), QU is the public key corresponding to dU, b is an integer secret in [1, n-1], n is the order of the base point G (also the order of the ECDSA elliptic curve point group (subgroup); n is prime), and E(·) is the encryption operation of a homomorphic encryption algorithm;
The signature assistance device or system holds the private key SK1 for the decryption operation corresponding to the public key used by the encryption operation E(·) of the homomorphic encryption algorithm (the private key of the homomorphic encryption algorithm); or SK1 is encrypted into a ciphertext Tsk1 using a key of the signature assistance device or system, where that key is a symmetric key or a public key (the public key being either a public key of an ordinary public key cryptographic algorithm such as RSA or SM2, or the group public key of a group-oriented encryption algorithm), and the ciphertext Tsk1 of SK1 need not be secret to the signature assistance device or system but may be kept secret from computing devices or systems outside it;
The signature assistance device or system either does not have b and cannot obtain b, or has or can obtain b;
The cases in which the user terminal can obtain SB=E(b) include the signature assistance device or system submitting SB to the user terminal at the time of digital signing (the signature assistance device or system either holds SB in advance, or encrypts b on the spot to obtain SB and then submits it to the user terminal) ("can obtain SB" here refers to cases other than already holding SB);
The cases in which the signature assistance device or system can obtain b include the user terminal submitting SB to the signature assistance device or system, which decrypts SB (using the private key SK1) to obtain b ("can obtain b" here refers to cases other than already holding b);
Devices and systems other than the user terminal and the signature assistance device or system do not have b;
If the signature assistance device or system does not have b and cannot obtain b, SB is stored in the user terminal as a secret and protected (in other cases, if the user terminal stores SB, it is also preferable to store and protect it as a secret);
If the signature assistance device or system does not have b and cannot obtain b, Gb=b-1 G is computed during initialization (by whichever program, device or system performs that computation), where b-1 is the modular-n multiplicative inverse of b; at least one of the user terminal and the signature assistance device or system holds Gb, and Gb is not secret between the two (it may or may not be secret from others);
The user terminal is a computing device of the user (such as a personal computer, mobile phone or tablet computer); the signature assistance device or system is a computing device or system that assists the user terminal in completing the generation and computation of digital signatures;
When the message M is to be digitally signed with the user's ECDSA signature private key dU, the user terminal and the signature assistance device or system generate the digital signature for M as follows (the party requiring the signature may be an application or system inside or outside the user terminal that invokes the digital signature function in the user terminal):
The user terminal computes the hash value e of the message M used for the digital signature calculation from M and a hash function, and sends e to the signature assistance device or system; or the signature assistance device or system computes e from M and the hash function and sends e to the user terminal;
The user terminal randomly selects an integer k1 in the interval [1, n-1], where n is the order of the base point G;
The signature assistance device or system randomly selects an integer k2 in the interval [1, n-1];
The user terminal and the signature assistance device or system do the following without exposing their respective secrets k1, k2:
Under the condition that the user terminal ensures that the signature assistance device or system does not reselect k2, the user terminal obtains R=k1k2Gb by interactive calculation with the signature assistance device or system;
The signature assistance device or system obtains Rf=k1k2Gb by interactive calculation with the user terminal, under the condition that it ensures that the user terminal does not reselect k1;
Or alternatively:
Under the condition that the user terminal ensures that the signature assistance device or system does not reselect k2, the user terminal obtains R=(k1+k2)Gb by interactive calculation with the signature assistance device or system;
The signature assistance device or system obtains Rf=(k1+k2)Gb by interactive calculation with the user terminal, under the condition that it ensures that the user terminal does not reselect k1;
If R and/or Rf is the zero element (point at infinity), the user terminal and the signature assistance device or system reselect k1, k2 and recalculate R, Rf until neither R nor Rf is zero;
The user terminal calculates r=xR mod n, where xR is taken from (xR,yR)=R;
The signature assistance device or system calculates rf=xRf mod n, where xRf is taken from (xRf,yRf)=Rf;
The user terminal and the signature assistance device or system check whether r and/or rf is 0 (the integer 0); if so, they reselect k1, k2, recalculate R, Rf and then r, rf until neither r nor rf is 0;
The user terminal and the signature assistance device or system check, respectively, whether (e+rdU) mod n=0 and/or (e+rfdU) mod n=0 would occur, i.e. whether s=0 would occur, where s is the parameter s of the digital signature (r, s) to be generated;
If so, the user terminal and the signature assistance device or system reselect k1, k2, recalculate R, Rf and then r, rf until neither (e+rdU) mod n=0 nor (e+rfdU) mod n=0 occurs, or go to error processing;
If neither (e+rdU) mod n=0 nor (e+rfdU) mod n=0 occurs, the subsequent calculation proceeds;
The user terminal calculates s1 in one of the following ways:
s1 calculation mode one:
R, Rf are computed as R=k1k2Gb, Rf=k1k2Gb;
The user terminal randomly selects an integer q in [1, n-1] and computes, from q, e, r, SB, dB, k1 by means of the homomorphic encryption algorithm:
s10=E(((k1)-1eb+q)(mod n)), s11=((k1)-1rdB-q) mod n,
or alternatively s10=E(((k1)-1(eb+q))(mod n)), s11=((k1)-1(rdB-q)) mod n,
or s10=E(((k1)-1e(b+q))(mod n)), s11=((k1)-1(rdB-eq)) mod n, where (k1)-1 is the modular-n multiplicative inverse of k1 (eq is e·q);
The value pair (s10,s11) forms s1;
s1 calculation mode two:
R, Rf are computed as R=k1k2Gb, Rf=k1k2Gb;
The user terminal computes, from e, r, SB, dB, k1 by means of the homomorphic encryption algorithm:
s1=E(((k1)-1(eb+rdB))(mod n));
s1 calculation mode three:
R, Rf are computed as R=k1k2Gb, Rf=k1k2Gb;
The homomorphic encryption algorithm corresponding to E(·) is the homomorphic encryption algorithm;
The signature assistance device or system computes c2=E((k2)-1), where (k2)-1 is the modular-n multiplicative inverse of k2, and sends c2 to the user terminal;
The user terminal computes, from e, r, SB, dB, k1, c2 by means of the homomorphic encryption algorithm:
s1=E(((k1k2)-1(eb+rdB))(mod n)), where (k1k2)-1 is the modular-n multiplicative inverse of k1k2 (or of (k1k2) mod n);
s1 calculation mode four:
R, Rf are computed as R=(k1+k2)Gb, Rf=(k1+k2)Gb;
The signature assistance device or system computes c2=E(k2) and sends c2 to the user terminal;
The user terminal randomly selects an integer q in [1, n-1] and computes, from q, e, r, SB, dB, k1, c2 by means of the homomorphic encryption algorithm:
s10=E((q(k1+k2))(mod n)), s11=E((q(eb+rdB))(mod n));
The value pair (s10,s11) forms s1;
After computing s1, the user terminal sends s1 to the signature assistance device or system;
If the private key SK1 for the decryption operation corresponding to the public key used by the encryption operation E(·) of the homomorphic encryption algorithm is encrypted into the ciphertext Tsk1 using the key of the signature assistance device or system, the user terminal additionally sends Tsk1 to the signature assistance device or system, which decrypts Tsk1 to obtain SK1 (the private key of the homomorphic encryption algorithm, i.e. the private key for its decryption operation);
If the signature assistance device or system does not have b and cannot obtain b, i.e. Gb=b-1 G:
For s1 calculation mode one, the signature assistance device or system decrypts s10 in the value pair s1 with the private key SK1 to obtain the plaintext s12 of s10, and computes s=((k2)-1(s11+s12)) mod n;
For s1 calculation mode two, the signature assistance device or system decrypts s1 with the private key SK1 to obtain the plaintext s12 of s1, and computes s=((k2)-1s12) mod n;
For s1 calculation mode three, the signature assistance device or system decrypts s1 with the private key SK1 to obtain the plaintext s12 of s1, and computes s=s12 mod n;
For s1 calculation mode four, the signature assistance device or system decrypts s10 and s11 in the value pair s1 with the private key SK1, obtaining the plaintext s12 of s10 and the plaintext s13 of s11, and computes s=((s12)-1s13) mod n, where (s12)-1 is the modular-n multiplicative inverse of s12;
(In this case s=((k1k2)-1b(e+rdU)) mod n for modes one, two and three, and s=((k1+k2)-1b(e+rdU)) mod n for mode four.)
If the signature assistance device or system has or can obtain b, i.e. Gb=G, then:
For s1 calculation mode one, the signature assistance device or system decrypts s10 in the value pair s1 with the private key SK1 to obtain the plaintext s12 of s10, and computes s=((bk2)-1(s11+s12)) mod n, where (bk2)-1 is the modular-n multiplicative inverse of bk2 (or of (bk2) mod n);
For s1 calculation mode two, the signature assistance device or system decrypts s1 with the private key SK1 to obtain the plaintext s12 of s1, and computes s=((bk2)-1s12) mod n;
For s1 calculation mode three, the signature assistance device or system decrypts s1 with the private key SK1 to obtain the plaintext s12 of s1, and computes s=b-1s12 mod n;
For s1 calculation mode four, the signature assistance device or system decrypts s10 and s11 in the value pair s1 with the private key SK1, obtaining the plaintext s12 of s10 and the plaintext s13 of s11, and computes s=((bs12)-1s13) mod n, where (bs12)-1 is the modular-n multiplicative inverse of bs12 (or of (bs12) mod n);
(In this case s=((k1k2)-1(e+rdU)) mod n for modes one, two and three, and s=((k1+k2)-1(e+rdU)) mod n for mode four.)
Before returning s to the user terminal, the signature assistance device or system verifies whether s is the value that the ECDSA calculation would produce from e, k1, k2, rf and the private key dU corresponding to the public key QU; if so, the process continues, otherwise it goes to error processing;
The user terminal verifies whether s is the value that the ECDSA calculation would produce from e, k1, k2, r and the private key dU corresponding to the public key QU; if the verification passes, (r, s) is the digital signature of the message M, otherwise error processing is carried out;
In the above formulas for the encryption operation E(·) of the homomorphic encryption algorithm, a (mod n), where a is an integer, denotes an integer congruent to a modulo n (two integers a, b are congruent modulo n, written a≡b (mod n), if a mod n=b mod n); the (mod n) operator has the lowest precedence;
Before assisting the user terminal in completing the generation of the digital signature (for example before decrypting s1 or before computing s), the signature assistance device or system authenticates and confirms that the user of the user terminal, i.e. the signer, is the owner of the public key QU, or relies on a system that invokes the signature assistance device or system (such as an application service system) to authenticate and confirm this (note: what is confirmed is that the signer is the owner of the public key QU, not that the signer possesses the private key dU corresponding to QU);
The user terminal performs the digital signature calculation and generation steps described above through a cryptographic program, cryptographic module or cryptographic component in which the cryptographic functions are implemented, thereby implementing the ECDSA digital signature function.
For the secure and controllable method of using the ECDSA signature private key described above, dB is in effect the ciphertext of the private key dU (a ciphertext private key) obtained by encrypting dU with a multiplicand, a symmetric-key encryption scheme in which b is the symmetric key.
For the secure and controllable method of using the ECDSA signature private key described above, one method by which the user terminal and the signature assistance device or system obtain R=k1k2Gb, Rf=k1k2Gb by interactive calculation without exposing their own secrets k1, k2, while ensuring that the counterpart does not reselect k1 or k2, is as follows:
The user terminal computes R1=k1Gb, computes a hash value h1 of R1 (using any suitable hash algorithm), and sends h1 to the signature assistance device or system;
The signature assistance device or system computes R2=k2Gb, computes a hash value h2 of R2, and sends h2 to the user terminal;
After receiving h2 from the signature assistance device or system, the user terminal sends R1 to the signature assistance device or system;
After receiving h1 from the user terminal, the signature assistance device or system sends R2 to the user terminal;
After receiving R2, the user terminal computes the hash value of the received R2 and checks whether it equals h2; if not, it goes to error processing, and if so, it computes R=k1R2;
After receiving R1, the signature assistance device or system computes the hash value of R1 and checks whether it equals h1; if not, it goes to error processing, and if so, it computes Rf=k2R1.
For the secure and controllable method of using the ECDSA signature private key described above, one method by which the user terminal and the signature assistance device or system obtain R=(k1+k2)Gb, Rf=(k1+k2)Gb is as follows:
The user terminal computes R1=k1Gb, computes a hash value h1 of R1 (using any suitable hash algorithm), and sends h1 to the signature assistance device or system;
The signature assistance device or system computes R2=k2Gb, computes a hash value h2 of R2, and sends h2 to the user terminal;
After receiving h2 from the signature assistance device or system, the user terminal sends R1 to the signature assistance device or system;
After receiving h1 from the user terminal, the signature assistance device or system sends R2 to the user terminal;
After receiving R2, the user terminal computes the hash value of the received R2 and checks whether it equals h2; if not, it goes to error processing, and if so, it computes R=R1+R2;
After receiving R1, the signature assistance device or system computes the hash value of R1 and checks whether it equals h1; if not, it goes to error processing, and if so, it computes Rf=R1+R2.
Among the four s1 calculation modes, modes one, two and four impose a smaller overall computational load on the user terminal (including the computation of R and s1), while mode three imposes the largest. Mode one introduces a randomly selected integer q on top of the homomorphic operations, which makes it harder to recover b or dU directly from the results of the homomorphic encryption operations.
For the secure and controllable method of using the ECDSA signature private key described above, one method by which the user terminal and the signature assistance device or system check whether (e+rdU) mod n=0 and/or (e+rfdU) mod n=0 would occur (i.e. whether s=0 would occur, where s is the parameter s of the digital signature (r, s) to be calculated) is as follows:
The user terminal checks whether eG+rQU is the zero element (point at infinity of the elliptic curve point group); if so, (e+rdU) mod n=0 would occur, otherwise it would not;
The signature assistance device or system checks whether eG+rfQU is the zero element (point at infinity of the elliptic curve point group); if so, (e+rfdU) mod n=0 would occur, otherwise it would not.
For the secure and controllable method of using the ECDSA signature private key described above, the method by which the signature assistance device or system verifies whether s is the value that the ECDSA calculation would produce from e, k1, k2, rf and the private key dU corresponding to the public key QU includes:
The signature assistance device or system checks whether (rf, s) is a valid digital signature of the message M; if so, the verification passes, otherwise it fails;
Or the signature assistance device or system checks whether sRf equals eG+rfQU; if so, the verification passes, otherwise it fails.
For the secure and controllable method of using the ECDSA signature private key described above, the method by which the user terminal verifies whether s is the value that the ECDSA calculation would produce from e, k1, k2, r and the private key dU corresponding to the public key QU includes:
The user terminal checks whether (r, s) is a valid digital signature of the message M; if so, the verification passes, otherwise it fails;
Or the user terminal checks whether sR equals eG+rQU; if so, the verification passes, otherwise it fails.
The key pair of the homomorphic encryption algorithm used to encrypt b may be pre-existing (held by the signature assistance device or system) or permanent, or may be generated on the spot when b is encrypted. If the key pair is generated on the spot, the corresponding private key SK1 for decrypting SB is typically encrypted as ciphertext data Tsk1 and stored in the user terminal (SK1 may of course also be stored encrypted in the user's account at the signature assistance device or system).
The encryption algorithm used to encrypt the private key SK1 may be a symmetric-key encryption algorithm or a public-key (asymmetric-key) encryption algorithm; if it is a public-key encryption algorithm, it may be an ordinary (non-group-oriented) public-key encryption algorithm or a group-oriented encryption algorithm (group encryption algorithm for short). A group-oriented encryption algorithm is a public-key encryption algorithm in which a group has one public key, each member of the group has a private key (the private keys of different members usually differ), and data encrypted with the group's public key can be decrypted with the private key of any member of the group.
From the viewpoint of protecting the user's signature private key, a homomorphic encryption key pair generated on the spot is safer (because leakage of the decryption private key SK1 can then expose the ECDSA signature private key of at most one user), so an on-the-spot key pair should preferably be used; with a permanent homomorphic encryption key pair, on the other hand, the ciphertext data Tsk1 can be omitted.
For the secure and controllable method of using the ECDSA signature private key described above, a variant that prevents dB and/or SB from being stolen is as follows.
When a user (using a program in the user terminal or in another terminal) accesses an application service system and needs to digitally sign a message M with the user's ECDSA signature private key, the application service system issues a security token for the user; the security token is an authorization credential for requesting the signature assistance device or system to assist in, cooperatively generate and/or calculate the digital signature (the security token indicates to the signature assistance device or system that the request to cooperatively generate the digital signature is authorized and vouched for by the application service system; the security token need not contain the user's identity information, but from a security standpoint it contains at least one of the user's identity information and public key information);
The application service system passes the security token, or the acquisition information of the security token, to the cryptographic program, cryptographic module or cryptographic component in the user terminal that implements the ECDSA digital signature function (for example through a client program or in another way), where the acquisition information of the security token is information with which the security token issued by the application service system can be retrieved (the security token itself being stored on the Internet in that case);
The user terminal (the cryptographic program, module or component implementing the ECDSA digital signature function) submits the security token or its acquisition information to the signature assistance device or system by Tsk2;
If the acquisition information of the security token is submitted to the signature assistance device or system, the signature assistance device or system uses it to retrieve the security token issued by the application service system;
The signature assistance device or system verifies the validity of the security token (for example, verifies the token's asymmetric-key digital signature or symmetric-key digital signature such as an HMAC), after which the user terminal (the cryptographic program, module or component implementing the ECDSA digital signature function) and the signature assistance device or system generate the digital signature for the message M using dB, SB in accordance with the secure and controllable method of using the ECDSA private key described earlier.
The ways in which the application service system passes the security token or its acquisition information to the cryptographic program, module or component in the user terminal that implements the ECDSA digital signature function include:
If the client program with which the user accesses the application service system and the cryptographic program, module or component implementing the ECDSA digital signature function are on the same user terminal, the application service system passes the security token or its acquisition information to that cryptographic program, module or component through the client program;
Or, if the client program with which the user accesses the application service system and the cryptographic program, module or component implementing the ECDSA digital signature function are on different user terminals, the application service system displays a barcode (two-dimensional or multi-dimensional code) through the client program used by the user, and the security token or its acquisition information is passed to the cryptographic program, module or component in the user terminal by the user scanning the barcode with that user terminal;
Or, if the user terminal is a mobile communication terminal (such as a mobile phone), the application service system sends a short message to the user's mobile communication terminal, the information contained in the short message (such as a URL Scheme) launches the cryptographic program implementing the ECDSA digital signature function on the mobile communication terminal, and the security token or its acquisition information is passed to that cryptographic program automatically through the launch information (such as the URL Scheme) or by the user entering the information from the short message.
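As an added illustration (not the patent's code) of the security token described above, issued by the application service system and checked by the signature assistance device or system before it assists with a signature: the token is protected by an HMAC-SHA256 symmetric-key tag, one of the options the page names; it carries a fingerprint of the user's public key as the required key information, with the user identity optional, plus an issue time, expiry and single-use nonce. The field names, the shared-key arrangement between the application service system and the signature assistance device, the replay register and the constant-time comparison are assumptions of the example.

```python
# Added example, not the patent's code: issue and verify an HMAC-protected
# security token of the kind the application service system hands to the user
# terminal and the signature assistance device then validates.
import base64, binascii, hashlib, hmac, json, os, time

SHARED_KEY = b"constructed-shared-secret-between-app-service-and-assistant"  # assumption

def issue_token(key, pubkey_fingerprint, ttl=120, user_id=None, now=None):
    """Application service system side: bind the token to key info (required by
    the page), optionally to a user id, and to a validity window and nonce."""
    now = int(time.time() if now is None else now)
    body = {"sub_pk": pubkey_fingerprint, "iat": now, "exp": now + ttl,
            "nonce": base64.urlsafe_b64encode(os.urandom(16)).decode()}
    if user_id is not None:
        body["user"] = user_id
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(raw).decode() + "." + base64.urlsafe_b64encode(tag).decode()

class TokenVerifier:
    """Signature assistance device side: check MAC, window, key binding and single use."""
    def __init__(self, key):
        self.key, self.seen = key, set()        # seen nonces: the replay register

    def verify(self, token, expected_pk, now=None):
        try:
            raw_b64, tag_b64 = token.split(".")
            raw, tag = base64.urlsafe_b64decode(raw_b64), base64.urlsafe_b64decode(tag_b64)
        except (ValueError, binascii.Error):
            return False, "malformed"
        expected = hmac.new(self.key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # MAC first, before parsing the body
            return False, "bad mac"
        body = json.loads(raw)
        now = int(time.time() if now is None else now)
        if not body["iat"] <= now < body["exp"]:
            return False, "expired"
        if body["sub_pk"] != expected_pk:            # token must name the key being used
            return False, "wrong key"
        if body["nonce"] in self.seen:
            return False, "replayed"
        self.seen.add(body["nonce"])
        return True, body

if __name__ == "__main__":
    verifier = TokenVerifier(SHARED_KEY)
    tok = issue_token(SHARED_KEY, "sha256:constructed-fingerprint", user_id="alice")
    print(verifier.verify(tok, "sha256:constructed-fingerprint"))
    print(verifier.verify(tok, "sha256:constructed-fingerprint"))   # second use is refused
```

The MAC is checked before the JSON body is parsed so that an unauthenticated token cannot reach the parser, and the key fingerprint in the token is compared against the key the user terminal is actually asking to sign with, which is the binding between the application's authorization and the particular QU that the page requires the assistance device to confirm.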
On the basis of the above scheme for preventing dB and/or SB from being stolen, a further security enhancement of the secure and controllable method of using the ECDSA signature private key is as follows:
Homomorphic encryption algorithm corresponding to homomorphic encryption operation E ();
When issuing the security token to the user (terminal), the application service system randomly selects an integer k0 in [1, n-1], computes R0=k0Gb, uses homomorphic encryption to obtain c0=E((k0)-1) or c0=E(k0), where (k0)-1 is the modular-n multiplicative inverse of k0, then passes R0 together with the security token to the signature assistance device or system via the user terminal, with R0 protected by the security token (for example, the hash value of R0, or R0 itself, is part of the security token), and passes c0 or the acquisition information of c0 to the user terminal;
After verifying the validity of the received security token, the signature assistance device or system determines the validity of R0 from the security token;
If the user terminal receives the acquisition information of c0, it uses that information to acquire c0;
After computing the hash value e of the message M from M, the user terminal randomly selects an integer k1 in the interval [1, n-1], and the signature assistance device or system randomly selects an integer k2 in the interval [1, n-1];
The user terminal and the signature assistance device or system do the following without exposing their respective secrets k1, k2:
Under the condition that the user terminal ensures that the signature assistance device or system does not reselect k2, the user terminal obtains R=k1k2R0 by interactive calculation with the signature assistance device or system;
The signature assistance device or system obtains Rf=k1k2R0 by interactive calculation with the user terminal, under the condition that it ensures that the user terminal does not reselect k1;
Or alternatively:
Under the condition that the user terminal ensures that the signature assistance device or system does not reselect k2, the user terminal obtains R=(k1+k2)R0 by interactive calculation with the signature assistance device or system;
The signature assistance device or system obtains Rf=(k1+k2)R0 by interactive calculation with the user terminal, under the condition that it ensures that the user terminal does not reselect k1;
If R and/or Rf is the zero element (point at infinity), the user terminal and the signature assistance device or system reselect k1, k2 and recalculate R, Rf until neither R nor Rf is zero;
The user terminal calculates r=xR mod n, where xR is taken from (xR,yR)=R;
The signature assistance device or system calculates rf=xRf mod n, where xRf is taken from (xRf,yRf)=Rf;
The user terminal and the signature assistance device or system check whether r and/or rf is 0 (the integer 0); if so, they reselect k1, k2, recalculate R, Rf and then r, rf until neither r nor rf is 0;
The user terminal and the signature assistance device or system check, respectively, whether (e+rdU) mod n=0 and/or (e+rfdU) mod n=0 would occur, i.e. whether s=0 would occur, where s is the parameter s of the digital signature (r, s) to be generated;
If so, the user terminal and the signature assistance device or system reselect k1, k2, recalculate R, Rf and then r, rf until neither (e+rdU) mod n=0 nor (e+rfdU) mod n=0 occurs, or go to error processing;
If neither (e+rdU) mod n=0 nor (e+rfdU) mod n=0 occurs, the subsequent calculation proceeds;
The user terminal calculates s1 as one of the following:
s1 calculation mode five:
R, Rf adopts the calculation formula of R=k1k2R0、Rf=k1k2R0,c0=E((k0)-1);
The user terminal is calculated by using e, r and SB、dB、c0、k1 through homomorphic encryption algorithm:
s1=E(((k0k1)-1(eb+rdB)) (mod n)), where (k0k1)-1) is the modulo-n multiplicative inverse of k0k1 (or (k0k1) mod n);
s1 calculation mode six:
R, Rf adopts the calculation formula of R=k1k2R0、Rf=k1k2R0,c0=E((k0)-1);
Signature assistance device or system calculates c2=E((k2)-1), sends c2 to the user terminal;
The user terminal is calculated by using e, r and SB、dB、c0、k1、c2 through homomorphic encryption algorithm:
s1=E(((k0k1k2)-1(eb+rdB)) (mod n)), where (k0k1k2)-1) is the modulo-n multiplicative inverse of k0k1k2 (or (k0k1k2) mod n);
s1 calculation mode seven:
R, Rf adopts the calculation formula of R=(k1+k2)R0、Rf=(k1+k2)R0,c0=E(k0);
Signature assistance device or system calculates c2=E(k2), sends c2 to the user terminal;
The user terminal randomly selects an integer q in [1, n-1] and calculates, from q, e, r, SB、dB、c0、k1、c2, by the homomorphic encryption algorithm:
s10=E((qk0(k1+k2))(mod n)),s11=E(q(eb+rdB)(mod n));
The s10、s11 value pair (s10,s11) forms s1;
After s1 is calculated, the user terminal sends s1 to a signature auxiliary device or system;
If the private key SK1 for the decryption operation corresponding to the public key used in the encryption operation E(·) of the homomorphic encryption algorithm (i.e. the private key SK1 of the homomorphic encryption algorithm) has been encrypted into the ciphertext Tsk1 with a key of the signature assistance device or system, the user terminal additionally sends Tsk1 to the signature assistance device or system, which decrypts Tsk1 to obtain the private key SK1;
if the signature assistance device or system does not have b and b is not available, i.e., Gb=b-1 G:
For calculation mode five of s1, the signature assistance device or system decrypts s1 using private key SK1 to obtain plaintext s12 of s1, and calculates s= ((k2)-1s12) mod n;
For the sixth calculation mode of s1, the signature assistance device or system decrypts s1 using the private key SK1 to obtain the plaintext s12 of s1, and calculates s=s12 mod n;
For the seventh calculation mode of s1, the signature assistance device or system decrypts s10、s11 in the value pair s1 using the private key SK1 to obtain the plaintext s12 of s10 and the plaintext s13 of s11, respectively, and calculates s= ((s12)-1s13) mod n;
(in this case, for s1, calculation modes five and six, s= ((k0k1k2)-1b(e+rdU)) mod n, and for s1, calculation mode seven, s= ((k0(k1+k2))-1b(e+rdU)) mod n)
If the signature assistance device or system has or can obtain b, i.e. Gb=G, then:
For calculation mode five of s1, the signature assistance device or system decrypts s1 using private key SK1 to obtain plaintext s12 of s1, and calculates s= ((bk2)-1s12) mod n;
For the sixth calculation mode of s1, the signature assistance device or system decrypts s1 using the private key SK1 to obtain the plaintext s12 of s1, and calculates s= (b-1s12) mod n;
For the seventh calculation mode of s1, the signature assistance device or system decrypts s10、s11 in the value pair s1 using the private key SK1 to obtain the plaintext s12 of s10 and the plaintext s13 of s11, respectively, and calculates s= ((bs12)-1s13) mod n;
If the signature assistance device or system obtains b by decrypting SB, the user terminal sends SB to the signature assistance device or system, and the signature assistance device or system decrypts SB (using the private key SK1) to obtain b;
(in this case, for s1, calculation modes five and six, s= ((k0k1k2)-1(e+rdU)) mod n, and for s1, calculation mode seven, s= ((k0(k1+k2))-1(e+rdU)) mod n)
Before returning s to the user terminal, the signature auxiliary device or system verifies whether s is the value that the ECDSA signature formula gives for e, k0、k1、k2、rf and the private key dU corresponding to the public key QU; if yes, the signature auxiliary device or system continues, and if the verification fails it shifts to error processing;
The user terminal verifies whether s is the value that the ECDSA digital signature formula gives for e, k0、k1、k2, r and the private key dU corresponding to the public key QU; if the verification passes, (r, s) is the digital signature of the message M, otherwise error processing is carried out;
The signature assistance device or system authenticates that the user using the user terminal, i.e. the signer, is the owner of the public key QU before assisting the user terminal in completing the generation of the digital signature, or relies on the system (e.g. an application service system) that invokes the signature assistance device or system to first authenticate that the user using the user terminal, i.e. the signer, is the owner of the public key QU (the security token may carry this effect at the same time, but this is not required).
The user terminal and the signature assistance device or system obtain R=k1k2R0、Rf=k1k2R0 (or R=(k1+k2)R0、Rf=(k1+k2)R0) by interactive calculation while ensuring that the counterpart does not reselect k2、k1; this may be done in the same way as obtaining R=k1k2Gb、Rf=k1k2Gb (or R=(k1+k2)Gb、Rf=(k1+k2)Gb) while ensuring that the counterpart does not reselect k2、k1, except that R0 now takes the place of Gb (R0 is non-secret);
The signature assistance device or system verifies whether s is the value that the ECDSA signature formula gives for e, k0、k1、k2、rf and the private key dU corresponding to the public key QU, and the user terminal verifies whether s is the value that the ECDSA digital signature formula gives for e, k0、k1、k2, r and the private key dU corresponding to the public key QU; the same verification method as when k0 is not used can therefore be adopted, because the verification method does not use the specific values of k0、k1、k2.
Based on the aforementioned security enhancement scheme, one scheme for preventing theft of security tokens is as follows:
When the application service system issues a security token to a user (terminal), it randomly selects an integer w in [1, n-1] as a disturbance parameter and encrypts w into ciphertext data that can be decrypted only by the signature auxiliary device or system (e.g. by encryption with the public key of the signature auxiliary device or system, or with an encryption key derived from a secret shared between the application service system and the signature auxiliary device or system); the ciphertext data of w is then transmitted to the signature auxiliary device or system together with the security token through the user terminal, the plaintext or ciphertext data of w being protected by the security token (e.g. a hash value of w or of the ciphertext data of w is part of the security token, or the ciphertext data of w is itself part of the security token);
After verifying the validity of the received security token, the signature auxiliary device or system decrypts the ciphertext of the disturbance parameter w to obtain a plaintext of w, and determines the validity of the plaintext or ciphertext of w through the security token;
After s is calculated, the signature auxiliary device or system calculates sw=(s+w) mod n or sw=(s·w) mod n to obtain a perturbed digital signature (r, sw);
(r, sw) is submitted or returned to the application service system via the user terminal;
The application service system calculates s=(sw-w) mod n or s=(w-1sw) mod n, where w-1 is the modulo-n multiplicative inverse of w, thereby recovering the digital signature (r, s) of the message M.
The above solution prevents a stolen security token from being exploited, since only the application service system that signed the security token (and therefore knows w) can obtain the correct digital signature.
The ciphertext dB and/or SB may be re-encrypted (double encrypted) into a ciphertext TU for the various schemes described above (TU may contain the encryption results of both dB and SB). If dB and/or SB are re-encrypted into the ciphertext TU and stored in the user terminal, then when generating a digital signature for the message M, the user terminal decrypts the re-encrypted ciphertext data TU to obtain dB and/or SB (note that dB is itself a ciphertext under multiplier encryption, and SB a ciphertext under homomorphic encryption). The re-encryption of dB and/or SB addresses the storage security of dB and/or SB and prevents them from being stolen.
Combining the security token with dB and/or SB re-encryption, there is a further security enhancement scheme for the secure controllable use of ECDSA signature private keys as follows:
dB and/or SB are encrypted (by a symmetric key or a public key) to form ciphertext data TU, a key SK2 (by a symmetric key or a private key) for decrypting ciphertext data TU is encrypted (by a symmetric key or a public key) to form ciphertext data Tsk2, a signature auxiliary device or system is provided with a key SK3 (by a symmetric key or a private key) for decrypting ciphertext data Tsk2, and ciphertext data TU and ciphertext data Tsk2 are stored in a user terminal;
When a user (using a program in a user terminal or other terminal) accesses the application service system and needs to digitally sign a message M by using the ECDSA signature private key of the user, the application service system issues a security token to the user;
The user terminal (a cipher program, cipher module or cipher component implementing the ECDSA digital signature function) submits the security token, or the information for acquiring the security token, together with Tsk2 to the signature auxiliary device or system;
If the information for acquiring the security token is submitted to the signature auxiliary device or system, the signature auxiliary device or system uses that information to acquire the security token issued by the application service system;
After the signature assistance device or system verifies the validity of the security token (e.g. verifies the asymmetric-key digital signature or the symmetric-key signature of the security token, the latter being called an HMAC), it decrypts the ciphertext data Tsk2 using the key SK3 to obtain the key SK2, and returns the key SK2 to the user terminal;
The user terminal (a cipher program, cipher module or cipher component implementing the ECDSA digital signature function) decrypts the ciphertext data TU using the key SK2 to obtain dB and/or SB (dB being the ciphertext under multiplier encryption, SB the homomorphic encryption ciphertext), and then the user terminal and the signature auxiliary device or system perform the generation calculation of the digital signature using dB、SB according to the secure and controllable use method of the ECDSA signature private key.
How the signing assistance device or system, or the system (such as an application service system) that invokes it, confirms that the user is the owner of the public key QU is not part of the present invention; it may be implemented by the signing assistance device or system, or by the system that invokes it, managing and maintaining a user account in which the public key QU of the user is stored, or by binding the user account to a digital certificate of the user in which the public key QU of the user is stored.
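The following is an added example, not code from the patent, of the token-gated key release just described, using only the Python standard library: TU=Enc(SK2, dB||SB) and Tsk2=Enc(SK3, SK2) stay in the user terminal, the application service system issues an HMAC-protected security token bound to the user's QU, and the signature assistance device releases SK2 only after the token's tag, expiry and subject all check out. Assumed here and not stated in the text: SK3 is a symmetric key of the device; the token is a JSON claim set with an appended HMAC-SHA256 tag under a key shared with the application service system; QU is represented by a fingerprint string; and the symmetric encryption is a constructed HMAC-counter stream cipher with encrypt-then-MAC, standing in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import secrets
import time


def _subkey(key, label):
    """Derive a distinct per-purpose subkey (enc / mac) from a wrapping key."""
    return hashlib.sha256(label + b"|" + key).digest()


def _keystream_xor(key, nonce, data):
    """CONSTRUCTED toy stream cipher: XOR with an HMAC-SHA256 counter keystream.
    Stand-in for a real AEAD (AES-GCM); integrity comes from the tag in encrypt()."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || 32-byte HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Constant-time tag check, then decrypt; raises if the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


def store_wrapped(dB, SB, SK3):
    """Enrollment: TU = Enc_SK2(dB || SB), Tsk2 = Enc_SK3(SK2). The terminal keeps
    (TU, Tsk2) and forgets SK2; SK3 exists only in the assistance device."""
    SK2 = secrets.token_bytes(32)
    TU = encrypt(SK2, json.dumps({"dB": dB, "SB": SB}).encode())
    return TU, encrypt(SK3, SK2)


def issue_token(app_key, qu_fingerprint, ttl=300):
    """Application service system: claims || HMAC-SHA256(app_key, claims), bound
    to the user's public key QU (by fingerprint) and limited in time."""
    claims = json.dumps({"sub": qu_fingerprint, "exp": int(time.time()) + ttl}).encode()
    return claims + hmac.new(app_key, claims, hashlib.sha256).digest()


def device_release_sk2(app_key, SK3, token, Tsk2, expected_fingerprint):
    """Assistance device: release SK2 only if the token's tag, expiry and subject
    all check out; any failure yields None and nothing is decrypted."""
    claims, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(app_key, claims, hashlib.sha256).digest()):
        return None
    try:
        c = json.loads(claims)
    except ValueError:
        return None
    if not isinstance(c, dict):
        return None
    if c.get("exp", 0) < time.time() or c.get("sub") != expected_fingerprint:
        return None
    return decrypt(SK3, Tsk2)


def terminal_unwrap(TU, SK2):
    """User terminal: recover dB and SB from TU with the released SK2."""
    return json.loads(decrypt(SK2, TU))
```

The tag is checked before any claim is parsed, and the subject binding to QU is what stops a token issued for one user from releasing another user's SK2; a token whose tag, subject or expiry fails leaves Tsk2 untouched.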
For the secure and controllable usage method of ECDSA signing private keys described above, the generation and distribution manner of the ECDSA signing key pair of the user includes (not all possible manners):
Mode one:
Generating the ECDSA signature key pair QU、dU by a trusted program in the user terminal, the trusted program being a program (subjected to security testing and evaluation) provided by a cipher program or cipher module developer or by a cipher service provider; after generating QU、dU, the trusted program randomly selects an integer b in [1, n-1], calculates dB=(bdU) mod n, SB=E(b), discards dU and b, and then safely stores dB、SB (and QU);
If the Gb=b-1 G needs to be calculated, the trusted program uses b to calculate Gb=b-1 G, and stores or submits Gb (safely) in the user terminal to a signature auxiliary device or system;
mode two:
Generating the ECDSA signature key pair QU、dU by a trusted program (such as a script program in a browser) in another terminal, which randomly selects an integer b in [1, n-1], calculates dB=(bdU) mod n, SB=E(b), discards dU and b, and transmits dB、SB (and QU) to the user terminal for storage by scanning bar codes (such as two-dimensional or multi-dimensional codes) or by other transmission modes (such as mail or file copying);
If the Gb=b-1 G needs to be calculated, the trusted program uses the b to calculate Gb=b-1 G, and transmits Gb to a user terminal for (safe) storage through bar codes or other transmission modes (such as mail and file copying), or submits Gb to a signature auxiliary device or system for storage;
Mode three:
Generating an ECDSA signature key pair QU、dU by a key generating device or system, randomly selecting an integer b in [1, n-1], calculating dB=(bdU)mod n,SB =E (b), discarding dU and b, and transmitting dB、SB (and QU) to a user terminal in a safe mode for storage;
If Gb=b-1 G needs to be calculated, the key generation device or system uses b to calculate Gb=b-1 G, then transmits Gb (safely) to the user terminal for storage, or submits Gb to the signature auxiliary device or system for storage;
Mode four:
Randomly selecting an integer d1、b1 from [1, n-1] by a key generating device or system, encrypting b1 by adopting a homomorphic encryption algorithm to obtain SB1=E(b1), calculating dB1=(b1d1)mod n,QU1=d1 G, discarding d1、b1, and transmitting SB1、dB1、QU1 to a user terminal;
The user terminal randomly selects integers d2、b2 in [1, n-1], or randomly selects an integer d2 in [1, n-1] and fixes the value of b2 in [1, n-1] (such as b2=1), calculates SB=E(b1b2), dB=(b2d2dB1) mod n by the homomorphic encryption algorithm and ciphertext operations on SB1、dB1, and calculates QU=d2QU1;
It then holds that SB=E(b1b2), dB=(b1b2d1d2) mod n, where d1d2 is congruent modulo n to an ECDSA signature private key dU in [1, n-1], i.e. d1d2=dU (mod n) and QU=dU G (i.e. dU=(d1d2) mod n and QU=dU G), without d1d2 being exposed, and b1b2 is congruent modulo n to an integer b in [1, n-1], i.e. b1b2=b (mod n);
The user terminal discards d2、b2 and saves SB、dB、QU;
If the Gb=b-1 G needs to be calculated, the key generating device or system uses b1 to calculate Gb1=(b1)-1 G, then transmits Gb1 to the user terminal, and the user terminal calculates Gb=(b2)-1Gb1, or uses b2 to calculate Gb2=(b2)-1 G, submits Gb2 to the signature auxiliary device or system, and the key generating device or system calculates Gb=(b1)-1Gb2;
The user terminal and/or the signature auxiliary device or system stores Gb;
For the above-mentioned ECDSA signature private key generation and distribution methods, if the public key of the homomorphic encryption algorithm used for encrypting b is temporarily generated, the device, system or program that generates dU or d1 encrypts the corresponding private key SK1 used for the decryption operation of the homomorphic encryption algorithm with a symmetric key or a public key to obtain the ciphertext Tsk1 of SK1; encryption of SK1 with a public key is applicable to all four ECDSA signature key pair generation and distribution methods, whereas encryption of SK1 with a symmetric key is applicable only to methods three and four.
As for the first, second and third modes of generation and distribution of the ECDSA signing key pair of the user, if (as limited in the implementation) the signature assistance device or system does not have b and cannot obtain b, it is allowable to select b=(dU)-1, the modulo-n multiplicative inverse of dU, so that dB=1.
For the fourth mode of the generation and distribution modes of the ECDSA signing key pair of the user, b1、b2 is allowed as follows:
b1=(d1)-1,b2 =1, where (d1)-1 is the modulo n multiplication inverse of d1, where b= (d1)-1,dB=d2;
b1=(d1)-1, b2=(d2)-1, where (d2)-1 is the modulo-n multiplicative inverse of d2, so that b=(d1d2)-1 and dB=1; in this case (as limited in the implementation) the signature assistance device or system has no b and cannot obtain b.
In the fourth aspect of the generation and distribution method of the ECDSA signature key pair of the user, if b1=(d1)-1,b2 =1, that is, b= (d1)-1,dB=d2, and the signature assistance device or system has or can obtain b, the corresponding implementation is an embodiment based on secret sharing of the signature private key of the secure and controllable usage method of the ECDSA signature private key.
Typically, a program, device or system that generates an ECDSA signature private key will use the generated signature private key to sign information, such as a Certificate Signing Request (CSR), that verifies that the user possesses the corresponding public key, establishing the initial link between the user and the public key.
The secure and controllable use system of the corresponding ECDSA private key can be constructed on the basis of the secure and controllable use method of the ECDSA private key, and comprises a signature auxiliary device or system and a cipher program, cipher module or cipher component in a user terminal, wherein the user terminal stores a ciphertext dB of the user ECDSA private key dU and stores or can obtain a ciphertext SB of the key b for decrypting dB; when the user ECDSA private key is required for digitally signing a message M, the cipher program, cipher module or cipher component in the user terminal and the signature auxiliary device or system cooperatively generate a digital signature for the message M according to the secure and controllable use method of the ECDSA private key, the cipher program, cipher module or cipher component in the user terminal implementing the operations and/or functions of the user terminal in the digital signature generation method. Further, the system may also include a key generation device or system, or a trusted program, for ECDSA signing key pair generation.
As can be seen from the above description, under the scheme of the present invention the signature private key dU used by the user to generate ECDSA digital signatures is stored and used by the user entirely in the form of the encrypted ciphertext dB, and no other entity holds a secret share of the signature private key dU; that is, the digital signature (electronic signature) creation data dU of the user belongs exclusively to the user and is completely controlled by the user (terminal) when generating the digital signature (b, whether or not it is available during the digital signature, is not signature creation data). At the same time, various schemes are provided to further ensure the secure use and storage of the ciphertext private key, so that the storage and use of signature creation data under the present invention better accords with the Electronic Signature Law of the People's Republic of China and its strict requirements on the security of the storage and use of such data. Moreover, in the implementation of the present invention, if b1=(d1)-1, b2=1, i.e. b=(d1)-1, and the signature auxiliary device or system has or can obtain b, the corresponding implementation is an embodiment based on secret sharing of the signature private key, i.e. the present invention can also be used in the application scenario of signature private key secret sharing.
Detailed Description
The following describes specific embodiments of the present invention. The following is merely illustrative of possible embodiments of the present invention and is not intended to limit the scope of the invention.
The implementation of the invention adopts a homomorphic encryption algorithm, which can be an additively homomorphic encryption algorithm (such as the Paillier algorithm) or a fully homomorphic encryption algorithm (such as BGV, BFV, CKKS), and an exact homomorphic encryption algorithm (such as Paillier, BGV, BFV) or an approximate homomorphic encryption algorithm (such as CKKS). For an approximate homomorphic encryption algorithm, the absolute value of the data obtained after decryption is rounded, with the sign bit unchanged.
In the following description of the present invention, the multiplication of two ciphertexts of the homomorphic encryption yields the ciphertext of the product of the two corresponding plaintexts; the addition of two ciphertexts yields the ciphertext of the sum of the two corresponding plaintexts; and the multiplication of a plaintext by a ciphertext in the homomorphic encryption yields the ciphertext of the product of the plaintext and the corresponding plaintext of the ciphertext.
E(a (mod n)) often occurs in the homomorphic encryption operations of the present invention, where a is an integer and a (mod n) represents a number congruent to a modulo n. The invention uses a number congruent to a modulo n instead of a itself in order to avoid the following: when a is the result of an operation (e.g. a product) of two or more secret numbers, e.g. a=pq, the secret could be broken by directly factoring a, since p, q are relatively small (not very large numbers) and are therefore easy to recover from a; if a number congruent to a modulo n is used instead, directly recovering p, q becomes harder or computationally infeasible.
One solution to implement E (a (mod n)) is as follows (of course not all possible):
The calculation of E(a (mod n)) is changed into the calculation of E(a+zn), where z is an integer randomly selected by the calculating party (such as the signing device) during the calculation (not limited to an integer within [1, n-1]), or an integer derived from such a randomly selected integer (z may be positive, negative or zero). The selection principle of z is that the plaintext number encrypted during the calculation, i.e. a+zn, does not exceed the representation range of the encryption operation E(·) of the homomorphic encryption algorithm for the integer to be encrypted, or exceeds it only with an extremely small probability (a probability within a prescribed range). (The encryption operation E(·) of the homomorphic encryption algorithm represents positive, negative and zero in complement form: if the plaintext range of E(·) is m, the m values are divided into two halves, the lower half representing positive integers and zero and the upper half representing negative integers, similar to two's complement in binary numbers.)
When generating a digital signature for a message M, the invention has seven s1 computing modes: the first four are basic computing modes and the last three are enhanced computing modes, i.e. the s1 computing modes used when an application service system participates in the generation of the digital signature. How these computing modes are implemented is described below according to whether the homomorphic encryption algorithm adopted for E(·) is an additively homomorphic encryption algorithm or a fully homomorphic encryption algorithm.
For s1 calculation mode one, the user terminal may calculate s10=E(((k1)-1eb+q) (mod n)) or s10=E(((k1)-1(eb+q)) (mod n)) or s10=E(((k1)-1e(b+q)) (mod n)) by homomorphic encryption using q, e, r, SB、dB、k1; if the homomorphic encryption algorithm corresponding to E(·) is an additively homomorphic encryption algorithm:
For the first s10 calculation, s01=((k1)-1 e) mod n,
For the second s10 equation, s01=((k1)-1e)mod n,s02=((k1)-1 q) mod n is calculated,
For the third s10 equation, s01=((k1)-1e)mod n,s02=((k1)-1 qe) mod n is calculated,
Or if E(·) is the encryption operation of a fully homomorphic encryption algorithm:
For the first s10 calculation, s01=((k1)-1 e) mod n,
For the second s10 equation, s01=((k1)-1e)mod n,s02=((k1)-1 q) mod n is calculated,
For the third s10 equation, s01=((k1)-1e)mod n,s02=((k1)-1 qe) mod n is calculated,
s11 is calculated directly, and the s10、s11 value pair (s10,s11) forms s1.
For calculation mode two of s1, the user terminal may calculate s1=E(((k1)-1(eb+rdB)) (mod n)) by homomorphic encryption using e, r, SB、dB、k1; if the homomorphic encryption algorithm corresponding to E(·) is an additively homomorphic encryption algorithm:
s10=((k1)-1e)mod n,s11=((k1)-1rdB)mod n,
or if E(·) is the encryption operation of a fully homomorphic encryption algorithm:
For calculation mode three of s1, the user terminal may calculate s1=E(((k1k2)-1(eb+rdB)) (mod n)) by homomorphic encryption using e, r, SB、dB、k1、c2, where c2=E((k2)-1); if the homomorphic encryption algorithm corresponding to E(·) is an additively homomorphic encryption algorithm:
s10=((k1)-1e)mod n,s11=((k1)-1rdB)mod n,
Or alternatively
For calculation mode four of s1, the user terminal randomly selects an integer q in [1, n-1] and, using q, e, r, SB、dB、k1、c2, where c2=E(k2), calculates s10=E((q(k1+k2)) (mod n)), s11=E(q(eb+rdB) (mod n)) by the homomorphic encryption algorithm; if the homomorphic encryption algorithm corresponding to E(·) is an additively homomorphic encryption algorithm:
s01=(qk1)mod n,s02=(qe)mod n,s03=(qrdB)mod n;
or if the homomorphic encryption algorithm corresponding to E(·) is a fully homomorphic encryption algorithm:
The s10、s11 value pair (s10,s11) forms s1.
For calculation mode five of s1, the user terminal may calculate s1=E(((k0k1)-1(eb+rdB)) (mod n)) by homomorphic encryption using e, r, SB、dB、c0、k1, where c0=E((k0)-1); if the homomorphic encryption algorithm corresponding to E(·) is an additively homomorphic encryption algorithm:
s10=((k1)-1e)mod n,s11=((k1)-1rdB)mod n,
Or alternatively
Or alternatively
For calculation mode six of s1, the user terminal may calculate s1=E(((k0k1k2)-1(eb+rdB)) (mod n)) by homomorphic encryption using e, r, SB、dB、c0、k1、c2, where c0=E((k0)-1), c2=E((k2)-1); if the homomorphic encryption algorithm corresponding to E(·) is an additively homomorphic encryption algorithm:
s10=((k1)-1e)mod n,s11=((k1)-1rdB)mod n,
Or alternatively
For calculation mode seven of s1, the user terminal can calculate s10=E((qk0(k1+k2)) (mod n)), s11=E(q(eb+rdB) (mod n)) by homomorphic encryption using q, e, r, SB、dB、c0、k1、c2 in the following manner, where c0=E(k0), c2=E(k2); if the homomorphic encryption algorithm corresponding to E(·) is an additively homomorphic encryption algorithm:
s01=(qk1)mod n,s02=(qe)mod n,s03=(qrdB)mod n;
or if the homomorphic encryption algorithm corresponding to E(·) is a fully homomorphic encryption algorithm:
The s10、s11 value pair (s10,s11) forms s1.
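The following is an added worked example and not code from the patent. It runs calculation mode two end to end with an additively homomorphic E(·) (Paillier, as named above): the user terminal builds s1 from SB=E(b) using the plaintext multipliers s10=((k1)-1e) mod n and s11=((k1)-1rdB) mod n, the signature assistance device completes the signature in the form given earlier for the case where it has b (s=((bk2)-1s12) mod n, here without k0), the terminal encrypts a+zn rather than a (mod n) as described for E(a (mod n)), and the w-perturbation of s from the security-token scheme is applied and undone. Assumptions not in the text: the curve is secp256k1; R=k1k2G is computed directly, with the interactive anti-reselection exchange left out; the Paillier key is constructed from two Mersenne primes purely so that the example runs offline, which is not a secure key choice; and the message hash e is passed in as an integer. Requires Python 3.9+ (pow(x, -1, m) and math.lcm).

```python
import secrets
from math import lcm

# secp256k1 domain parameters (real values)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

# Additively homomorphic E(.) = Paillier with g = N + 1. CONSTRUCTED key from
# two Mersenne primes: fine for a worked example, never for a real deployment.
PAI_P, PAI_Q = (1 << 521) - 1, (1 << 607) - 1
PAI_N = PAI_P * PAI_Q              # plaintext range must exceed n^2 (see user_s1)
PAI_N2 = PAI_N * PAI_N
PAI_LAM = lcm(PAI_P - 1, PAI_Q - 1)
PAI_MU = pow(PAI_LAM, -1, PAI_N)   # L((N+1)^lambda mod N^2) = lambda

def E(m):
    """Encrypt an integer 0 <= m < PAI_N; E(a)*E(b) = E(a+b), E(a)^k = E(k*a)."""
    r = secrets.randbelow(PAI_N - 1) + 1
    return pow(PAI_N + 1, m, PAI_N2) * pow(r, PAI_N, PAI_N2) % PAI_N2

def D(c):
    """Decrypt: L(c^lambda mod N^2) * mu mod N, where L(u) = (u - 1) / N."""
    return (pow(c, PAI_LAM, PAI_N2) - 1) // PAI_N * PAI_MU % PAI_N

def enroll():
    """Key generation: dU and b are discarded; the terminal keeps dB = b*dU mod n,
    SB = E(b) and QU. b is returned only for the 'device has b' completion step."""
    dU, b = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    return ec_mul(dU, G), b * dU % N, E(b), b

def user_s1(e, r, SB, dB, k1):
    """User terminal, mode two: s1 = E(k1^-1 (e*b + r*dB) + z*n) from SB = E(b).
    The random multiple z*n is the E(a (mod n)) trick: the decrypted integer is
    congruent to the wanted value but is not the bare product e*b + r*dB."""
    k1_inv = pow(k1, -1, N)
    s10 = k1_inv * e % N            # scales the ciphertext of b
    s11 = k1_inv * r * dB % N       # added as a fresh ciphertext
    z = secrets.randbelow(1 << 64)  # s10*b + s11 + z*n < 2^513, far below PAI_N
    return pow(SB, s10, PAI_N2) * E(s11 + z * N) % PAI_N2

def assist_finish(s1, k2, b):
    """Assistance device (has b, k2): s12 = D(s1) = k1^-1 b (e + r*dU) mod n and
    s = ((b*k2)^-1 * s12) mod n = (k1*k2)^-1 (e + r*dU) mod n."""
    return pow(b * k2 % N, -1, N) * (D(s1) % N) % N

def collaborative_sign(e, dB, SB, b):
    """One run with R = k1*k2*G, k1 chosen by the terminal, k2 by the device;
    both shares are re-selected whenever r or s comes out as 0."""
    while True:
        k1, k2 = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
        r = ec_mul(k2, ec_mul(k1, G))[0] % N
        s = assist_finish(user_s1(e, r, SB, dB, k1), k2, b) if r else 0
        if r and s:
            return r, s

def perturb(s, w, mult=False):
    """Device side of the token-theft countermeasure: sw = s*w or s + w (mod n).
    (r, sw) travels through the user terminal and is not a valid signature."""
    return s * w % N if mult else (s + w) % N

def recover(sw, w, mult=False):
    """Application service system, which chose w: s = w^-1 sw or sw - w (mod n)."""
    return sw * pow(w, -1, N) % N if mult else (sw - w) % N

def ecdsa_verify(QU, e, r, s):
    """Standard ECDSA verification of (r, s) over hash e under public key QU."""
    if not (0 < r < N and 0 < s < N):
        return False
    u = pow(s, -1, N)
    X = ec_add(ec_mul(e * u % N, G), ec_mul(r * u % N, QU))
    return X is not None and X[0] % N == r
```

With QU, dB, SB, b from enroll(), collaborative_sign(e, dB, SB, b) returns an (r, s) that ecdsa_verify(QU, e, r, s) accepts even though neither party ever holds dU, and (r, perturb(s, w)) fails verification until the application service system that chose w applies recover(). The checks on r=0 and s=0 in collaborative_sign correspond to the re-selection of k1、k2 in the method above; the congruence check on e+rdU is equivalent to the s=0 check since b and k1k2 are invertible modulo n.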
In the implementation of the present invention, the manner of b encryption and decryption with respect to ciphertext SB is related to the deployment manner of the signature assistance device or system, and to the manner of generation and distribution of the ECDSA signing key pair of the user.
The signature assistance device or system may include several deployment approaches as follows:
(1) Central deployment: the signature assistance device or system is deployed centrally by a professional cryptographic service organization, for example in a cloud service mode, and provides digital signature services for different clients, users and applications;
(2) Distributed deployment: the signature assistance device or system is deployed in a distributed manner by a professional cryptographic service organization and provides digital signature services for clients, users and applications in different places and regions;
(3) Independent deployment: each enterprise, organization or application system deploys its own signature auxiliary device or system, which provides digital signature services for its clients, users and applications.
The four ECDSA signing key pair generation and distribution modes described above may be implemented no matter which deployment mode the signature assistance device or system adopts; of course, other generation and distribution methods for ECDSA signing key pairs may also be implemented, which the present invention does not limit, as long as the relevant security requirements of the present invention are met.
In the specific implementation, if the ECDSA signature private key dU (or the ECDSA signature key pair) of the user is generated, or its generation is participated in, by a key generating device or system, that key generating device or system is typically implemented as a server-side device or system, but a user-side device such as a USB Key may also be used. A server-side key generating device or system may be embodied as plug-in cryptographic hardware (such as a cryptographic card) or as a device or system combining software and hardware (such as a cryptographic machine or a cryptographic server).
If, in the implementation, the ECDSA signature key pair is generated and distributed (whether generated independently or collaboratively) by a server-side key generating device or system, the key generating device or system may likewise adopt central, distributed or independent deployment, where independent deployment is mainly used for dedicated key services provided by an organization or enterprise, the users of the ECDSA signature key pairs usually being only the clients and users of that organization or enterprise.
If the ECDSA signing key pair is generated by a trusted program in the user terminal, the corresponding program may be provided by a cryptographic program or a cryptographic module developer, or a cryptographic service provider, and executed in a secure user terminal environment, such as ensuring that there is no Trojan in the user terminal, or in a Trusted Execution Environment (TEE).
In an implementation, the ECDSA signing key pair may also be generated by a program in another terminal; the corresponding program may be provided by a cryptographic program or module developer or by a cryptographic service provider for generating the ECDSA signing key pair, and the ciphertext dB of the signing private key dU, the ciphertext SB of b and other parameters and data (e.g. the public key QU) may be transmitted to the user terminal by scanning a barcode (e.g. a two-dimensional or multi-dimensional code) or by other means such as mail or file copying. Alternatively, the user may access a dedicated trusted website using a browser in another terminal, the script program returned by the trusted website generates the ECDSA signing key pair in the browser, and the ciphertext dB of the signing private key dU, the ciphertext SB of b and the other parameters and data are then transmitted to the user terminal by barcode scanning or by other means such as mail or file copying.
The following describes embodiments related to encryption of b and decryption of ciphertext SB in connection with embodiments of a signature assistance device or system and embodiments of generation and distribution of ECDSA signing key pairs.
Regardless of the deployment and implementation of the signature assistance device or system, the key pair of the homomorphic encryption algorithm that encrypts b and decrypts ciphertext SB may be either pre-existing or temporarily generated (by the key pair generation program or device or system) during b encryption, regardless of the implementation and deployment of the ECDSA signing key pair.
If the key pair of the homomorphic encryption algorithm that encrypts b and decrypts SB is pre-existing to the signature assistance device or system, then the following are some possible implementations:
If the key pair of the homomorphic encryption algorithm for encrypting b and decrypting SB is pre-existing in the signature auxiliary device or system and the signature auxiliary device or system adopts central deployment, then b is usually encrypted with the public key of a shared homomorphic encryption key pair of the signature auxiliary device or system (shared meaning that a plurality of signature auxiliary devices or systems use one key pair), and the private key SK1 of the homomorphic encryption algorithm for decrypting the b ciphertext SB is the private key of that shared key pair; in this case the generation and distribution of the ECDSA signature key pair can be performed in any implementation manner and any deployment manner;
If the key pair of the homomorphic encryption algorithm for encrypting b and decrypting SB is pre-existing in the signature auxiliary device or system and the signature auxiliary device or system adopts distributed deployment, b can be encrypted with the public key of a shared homomorphic encryption key pair of the signature auxiliary devices or systems (i.e. the plurality of distributed signature auxiliary devices or systems share one key pair), and the private key SK1 of the homomorphic encryption algorithm for decrypting the b ciphertext SB is the private key of that shared key pair; in this case the ECDSA signature key pair can likewise be generated and distributed in any implementation manner and deployment manner;
If the key pair of the homomorphic encryption algorithm for encrypting b and decrypting SB is pre-existing in the signature auxiliary device or system and the signature auxiliary device or system adopts independent deployment, b is generally encrypted (to SB) with the public key of a homomorphic encryption key pair of the independently deployed signature auxiliary device or system; in this case the generation and distribution of the ECDSA signature key pair can be performed in any implementation manner or deployment manner, but the programs and systems that generate and distribute the ECDSA signature key pair need to be configured or customized to use the public key of the corresponding homomorphic encryption algorithm of that independently deployed signature auxiliary device or system.
The key pair of the homomorphic encryption algorithm for b encryption and SB decryption is pre-existing for the signature assistance device or system, and is specifically described for the following implementation case:
The signature assistance devices or systems are deployed independently at different institutions and enterprises, they belong to different institutions and enterprises, but the ECDSA signature private key (and corresponding digital certificate) of the user may need to be used at the application systems of different institutions and enterprises, for example, the ECDSA signature private key corresponds to a digital certificate trusted at each institution and enterprise, the certificate and the private key are used at the application systems of different institutions, that is, the signature assistance devices or systems independently deployed by different institutions and enterprises may need to decrypt s1 generated by the user terminal of the same user in the process of generating the digital signature, for this, the following manner is a possible (but not the only possible manner):
The dB、SB of the user is only bound with one organization, the signature assistance device of the enterprise or the system, and when the user needs to use dB、SB to generate a digital signature, no matter which organization, the system of the enterprise the user (terminal) is interacting with, the user terminal only interacts with the bound signature assistance device or system to generate a digital signature.
If the key pair for the homomorphic encryption algorithm that encrypts b and decrypts SB is generated temporarily, then the following are some possible implementations:
The key pair of the homomorphic encryption algorithm for encrypting b and decrypting SB is temporarily generated, the private key SK1 is encrypted with a public key encryption algorithm, and the signature auxiliary device or system adopts a centrally deployed implementation; the public key of one key pair of the signature auxiliary device or system is then generally used to encrypt SK1 (a plurality of signature auxiliary devices or systems share this one key pair), and in this case the ECDSA signature key pair can be generated and distributed in any implementation manner and deployment manner;
The key pair of the homomorphic encryption algorithm for encrypting b and decrypting SB is temporarily generated, the private key SK1 is encrypted with a public key encryption algorithm, and the signature assistance device or system adopts a distributed deployment implementation; the public key of one key pair of the signature assistance device or system can then be used to encrypt SK1 (i.e. the plurality of signature assistance devices or systems deployed in a distributed manner share one key pair), or a group public key is used to encrypt SK1 (i.e. the plurality of signature assistance devices or systems deployed in a distributed manner belong to one group, and each group member can have its own private key); in this case the ECDSA signature key pair can be generated and distributed in any implementation manner and deployment manner.
The key pair of the homomorphic encryption algorithm for encrypting b and decrypting SB is temporarily generated, the private key SK1 is encrypted with a public key encryption algorithm, and the signature assistance device or system adopts an independently deployed implementation; the public key of one key pair of the independently deployed signature assistance device or system is then generally used to encrypt SK1; in this case the ECDSA signature key pair can be generated and distributed in any implementation manner and deployment manner, but the program and system that generate and distribute the ECDSA signature key pair need to be configured or customized to use the public key of the corresponding independently deployed signature assistance device or system;
The key pair of the homomorphic encryption algorithm for encrypting b and decrypting SB is temporarily generated, and the private key SK1 is encrypted with a symmetric key encryption algorithm; in this case the ECDSA signature key pair needs to be generated and distributed by a server-side key generation device or system (including embodiments of separate or cooperative generation and distribution), and the key generation device or system needs to share a symmetric key with each corresponding signature auxiliary device or system that needs to decrypt Tsk1 (the ciphertext of SK1).
When the key pair of the homomorphic encryption algorithm for encrypting b and decrypting SB is generated temporarily, the following implementation case is described specifically:
The signature assistance devices or systems are deployed independently at different institutions and enterprises and belong to those different institutions and enterprises, but the user's ECDSA signature private key (and the corresponding digital certificate) may need to be used at the application systems of different institutions and enterprises; for example, the ECDSA signature private key corresponds to a digital certificate trusted at each institution and enterprise, and the certificate and private key are used at the application systems of different institutions. That is, the signature assistance devices or systems independently deployed by different institutions and enterprises may face the problem of decrypting the s1 and Tsk1 generated by the user terminal of the same user during digital signature generation. For this, the following two modes are possible (but not the only possible modes):
(1) The user's dB, SB and Tsk1 are bound to the signature auxiliary device or system of only one institution or enterprise, and when the user needs to use dB, SB and Tsk1 to generate a digital signature, no matter which institution's or enterprise's system the user (terminal) is interacting with, the user terminal interacts only with the bound signature auxiliary device or system to generate the digital signature;
(2) The public key of the homomorphic encryption algorithm for encrypting b is temporarily generated, the temporarily generated private key SK1 of the homomorphic encryption algorithm is encrypted in a group-oriented encryption mode, the signature auxiliary devices or systems independently deployed by different institutions and enterprises are members of one group, and the private key of the group member is used for decryption.
If the implementation employs a group-oriented encryption scheme, the lifecycle management (generation, updating, revocation) of the group keys (public, private) is provided by the key service system of the specialized cryptographic service organization.
Description of the implementation cases according to whether the user terminal and the signature assistance device or system hold E(b) or b:
In the first case, the user terminal stores E(b), the signature auxiliary device or system has neither E(b) nor b, and the user terminal does not send E(b) to the signature auxiliary device or system during signing;
In the second case, the user terminal stores E(b), the signature auxiliary device or system has neither E(b) nor b, and the user terminal sends E(b) to the signature auxiliary device or system during signing;
In the third case, the user terminal does not store E(b), the signature auxiliary device or system stores b and/or E(b), and the signature auxiliary device or system sends E(b) to the user terminal during signing;
In the fourth case, the user terminal stores E(b), the signature assistance device or system stores b and/or E(b), and the signature assistance device or system does not send E(b) to the user terminal during signing;
In the fifth case, the user terminal stores E(b), the signature assistance device or system stores b and/or E(b), and the signature assistance device or system sends E(b) to the user terminal (this is unnecessary, but a possible implementation).
As long as b is available or obtainable to the signature assistance device or system, the digital signature is generated accordingly (b itself is not included in the generated signature data).
In the implementation of the present invention, although dB and/or SB are stored in the user terminal in the form of ciphertext of dU and b, in order to prevent theft, security protection measures, such as fingerprint protection, PIN code protection, and even re-encryption, may be further taken on dB and/or SB stored in the user terminal.
In the implementation of the present invention, in order to prevent dB and/or SB from being stolen, before assisting the user terminal with digital signature generation the signature assistance device or system needs to authenticate the user strictly and securely, for example by SMS-based or biometric-based authentication, or by authentication performed by a system that invokes the signature assistance device or system, such as an application service system, so as to ensure that the user is the owner of the public key QU.
In the fourth mode of generating and distributing the ECDSA signature key pair, the user terminal verifies, without d1d2 being exposed, that SB=E(b1b2) and dB=(b1b2d1d2) mod n are consistent with QU=dU G, where dU=(d1d2) mod n is an ECDSA signature private key in [1, n-1]; the following are various modes that can be adopted.
The user terminal randomly selects integers t and w in [1, n-1], computes Sw=E((wb1b2(dB)-1+t) mod n) from dB, SB and homomorphic encryption operations, wherein (dB)-1 is the modulo n multiplicative inverse of dB, and sends Sw and QU to the key generation device or system;
The key generation device or system calculates Qw=(D(Sw) mod n)QU, where D(·) is the decryption operation with the private key of the homomorphic encryption algorithm (assuming the key generation device or system is able to do this, e.g. it shares a cryptographic device with, or decrypts by means of, a signature assistance device or system);
The user terminal checks whether w-1(Qw-tQU) is equal to G, where w-1 is the modulo n multiplicative inverse of w; if so, the verification passes, otherwise it fails;
Or, the user terminal randomly selects integers t and w in [1, n-1], computes Sw=E((wb1b2+t) mod n) from b1, SB and homomorphic encryption operations, and sends Sw and QU to the key generation device or system;
The key generation device or system calculates Qw=(D(Sw) mod n)QU, where D(·) is the decryption operation with the private key of the homomorphic encryption algorithm (assuming the key generation device or system is able to do this, e.g. it shares a cryptographic device with, or decrypts by means of, a signature assistance device or system);
The user terminal checks whether w-1(Qw-tQU) is equal to dB G, where w-1 is the modulo n multiplicative inverse of w; if so, the verification passes, otherwise it fails.
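The two verification variants just described, carried through end to end as an added worked example that is not part of the patent. The toy curve (y^2 = x^3 + 2x + 2 over F_17, n = 19), the small Paillier instance standing in for E(·)/D(·), and the values dU, b, t and w are all constructed parameters chosen so the arithmetic can be checked by hand; the function names are assumptions. The example treats b1b2 as the single secret b with dB = (b dU) mod n as in the head of the description, and goes slightly beyond the text by also running the check against an inconsistent dB to show it failing. It also makes one constraint explicit that the text leaves implicit: the terminal cannot reduce mod n inside the ciphertext, so the homomorphic plaintext space must exceed n^2 + n (on a 256-bit curve the blinded product is roughly 512 bits before the reduction).

```python
import random
from math import gcd

# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17; G = (5, 1) generates a
# group of prime order n = 19.  Far too small for real use, but hand-checkable.
P_FIELD, A_COEF, G, N_ORDER = 17, 2, (5, 1), 19

def ec_add(P1, P2):
    """Affine point addition; None stands for the point at infinity."""
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None  # P + (-P)
    if P1 == P2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def ec_mul(k, P1):
    """Double-and-add scalar multiplication k*P1, with k reduced mod n."""
    R, k = None, k % N_ORDER
    while k:
        if k & 1:
            R = ec_add(R, P1)
        P1, k = ec_add(P1, P1), k >> 1
    return R

def ec_neg(P1):
    return None if P1 is None else (P1[0], (-P1[1]) % P_FIELD)

# Constructed toy Paillier instance for E(.) / D(.) (additively homomorphic).
# The plaintext modulus must exceed n^2 + n: the terminal cannot reduce mod n
# inside the ciphertext, so b*scale + t must not wrap before D(Sw) mod n.
PAIL_P, PAIL_Q = 101, 103
PAIL_N = PAIL_P * PAIL_Q
PAIL_N2 = PAIL_N * PAIL_N
PAIL_LAMBDA = (PAIL_P - 1) * (PAIL_Q - 1) // gcd(PAIL_P - 1, PAIL_Q - 1)
PAIL_MU = pow((pow(PAIL_N + 1, PAIL_LAMBDA, PAIL_N2) - 1) // PAIL_N, -1, PAIL_N)

def he_encrypt(m, rng):
    r = rng.randrange(1, PAIL_N)
    while gcd(r, PAIL_N) != 1:
        r = rng.randrange(1, PAIL_N)
    return pow(PAIL_N + 1, m, PAIL_N2) * pow(r, PAIL_N, PAIL_N2) % PAIL_N2

def he_decrypt(c):
    return (pow(c, PAIL_LAMBDA, PAIL_N2) - 1) // PAIL_N * PAIL_MU % PAIL_N

def he_add(c1, c2):  # E(m1) * E(m2) = E(m1 + m2)
    return c1 * c2 % PAIL_N2

def he_scale(c, k):  # E(m)^k = E(k * m)
    return pow(c, k, PAIL_N2)

def terminal_challenge(dB, SB, rng, variant=1):
    """User terminal: pick t, w in [1, n-1] and derive Sw from SB homomorphically.
    Variant 1 scales E(b) by w*(dB)^-1, so D(Sw) = w*dU^-1 + t (mod n);
    variant 2 scales E(b) by w, so D(Sw) = w*b + t (mod n)."""
    t, w = rng.randrange(1, N_ORDER), rng.randrange(1, N_ORDER)
    scale = w * pow(dB, -1, N_ORDER) % N_ORDER if variant == 1 else w
    return t, w, he_add(he_scale(SB, scale), he_encrypt(t, rng))

def keygen_respond(Sw, QU):
    """Key generation device: Qw = (D(Sw) mod n) QU.  It sees only a value
    blinded by the random w and t, so neither dU, b nor dB is exposed to it."""
    return ec_mul(he_decrypt(Sw) % N_ORDER, QU)

def terminal_verify(t, w, Qw, QU, dB, variant=1):
    """User terminal: w^-1 (Qw - t QU) must equal G (variant 1) or dB G (variant 2)."""
    diff = ec_add(Qw, ec_neg(ec_mul(t, QU)))
    expected = G if variant == 1 else ec_mul(dB, G)
    return ec_mul(pow(w, -1, N_ORDER), diff) == expected

def run_check(dU, b, dB, variant=1, seed=7):
    """Whole exchange; True iff dB and SB = E(b) are consistent with QU = dU G."""
    rng = random.Random(seed)  # seeded only so the run is reproducible
    QU, SB = ec_mul(dU, G), he_encrypt(b, rng)
    t, w, Sw = terminal_challenge(dB, SB, rng, variant)
    return terminal_verify(t, w, keygen_respond(Sw, QU), QU, dB, variant)

if __name__ == "__main__":
    dU, b = 7, 5                                     # constructed sample values
    print(run_check(dU, b, b * dU % N_ORDER))        # consistent dB -> True
    print(run_check(dU, b, (b * dU + 1) % N_ORDER))  # tampered dB   -> False
```

The point to notice is what each party learns: the key generation device decrypts only w·dU^-1 + t (or w·b + t), which is uniformly random because w and t are fresh, while the terminal never needs d1d2 and only compares curve points. Swapping dB for any other value makes the final comparison fail in both variants.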
The Security Token issued by the application service system is a temporary authorization credential and can be a standard Security Token (such as a WS-Security Security Token, a SAML assertion, a security ticket, a JSON Web Token, i.e. JWT, etc.), a Security Token in a custom format, an asymmetric key signature (such as SM2, SM9, RSA or ECDSA), or a symmetric key signature (such as an HMAC).
In the practice of the present invention, if dB and/or SB are re-encrypted into a ciphertext TU that is stored in the user terminal, this encryption is (typically) not performed in the signature assistance device or system but (typically) in the user terminal; otherwise the signature assistance device or system could obtain the user terminal's secret dB and/or SB, which obviously does not meet the security requirements and security target of the scheme. The remaining questions are who generates the key SK2 that decrypts TU and how SK2 is encrypted. It is simply noted that SK2 is not a secret between the user terminal and the signature assistance device or system, so SK2 and the corresponding encryption key for encrypting dB and/or SB (the corresponding public key if SK2 is a private key, or likewise a symmetric key if SK2 is a symmetric key) can be generated either by the user terminal (upon user signature key initialization) or by the signature assistance device or system (upon user signature key initialization) and then passed to the user terminal. If the key SK3 that decrypts the ciphertext Tsk2 of SK2 is a private key, SK2 can be encrypted with the corresponding public key either at the user terminal or at the signature assistance device or system; if SK3 is a symmetric key, the signature assistance device or system encrypts SK2 with SK3 and returns the resulting ciphertext Tsk2 to the user terminal.
The remaining issue concerns the different deployment modes of the signature assistance device or system. A simple principle is that SK2 is encrypted with the encryption key corresponding to the SK3 of whichever signature assistance device or system the user terminal interacts with when performing the digital signature; the encryption key corresponding to SK3 may be a symmetric key or a public key, and the public key may be an ordinary public key or a group public key. This is analogous to the encryption of the temporarily generated SK1 of the homomorphic encryption algorithm when the key pair of the homomorphic encryption algorithm for SB is temporarily generated.
The invention involves several keys that must not be confused in a specific implementation: SK1 is the private key that decrypts SB, the homomorphically encrypted ciphertext of b (b being the key that decrypts dB); SK2 is the key that decrypts TU, the ciphertext obtained by re-encrypting dB and/or SB, and is not the key that decrypts the ciphertext Tsk1 of SK1; the key (not specially named) that decrypts Tsk1 belongs to the signature auxiliary device or system, whereas SK2 is not a key of the signature auxiliary device or system; SK3 is the key that decrypts the ciphertext Tsk2 of SK2 and belongs to the signature auxiliary device or system; and there is no direct or indirect association between SK1 and SK2 or SK3.
The secure and controllable use system of the ECDSA private key is implemented on the basis of the secure and controllable use method of the ECDSA private key and comprises a signature auxiliary device or system and a cryptographic program, cryptographic module or cryptographic component in a user terminal. The user terminal stores the ciphertext dB of the user's ECDSA private key dU and stores, or can obtain, the ciphertext SB of the key b that decrypts dB. When the user's ECDSA private key is required for digitally signing a message M, the cryptographic program, module or component in the user terminal and the signature auxiliary device or system cooperate to generate a digital signature for M according to the secure and controllable use method of the ECDSA private key, and the cryptographic program, module or component in the user terminal implements the operations and/or functions executed by the user terminal in that method. Further, the implemented system may also include a key generation device or system, such as a trusted program for ECDSA signing key pair generation.
In the implementation of the present invention, the signature assistance device or system may be a software device or system, or may be a device or system combining software and hardware, where the software device may be a program or a cryptographic module that runs independently, and the device combining software and hardware may be plug and play cryptographic hardware, such as a cryptographic card, or may be a cryptographic machine/cryptographic server.
In the implementation of the present invention, the user terminal is any of the various computing devices used by the user, such as a computer, a mobile phone or a tablet computer, and it implements the digital signature generation function of the user terminal in the present invention through a cryptographic program, cryptographic module or cryptographic component running in it. That is, the program implementing cryptographic functions such as the digital signature in the user terminal may be a separately running cryptographic program, such as an app or a WeChat applet, or a cryptographic module or cryptographic component implementing cryptographic functions, such as a cryptographic API, an SDK, a WeChat applet plug-in, a browser plug-in or a control. If the program implementing the digital signature and other cryptographic functions is a separately running cryptographic program, other programs in the same user terminal transmit data to the cryptographic program using the mechanisms for transferring data between programs in the same computing device that the user terminal and its program development technology provide; if it is a cryptographic module or cryptographic component, the program calling the module or component transmits data to it directly. If a terminal other than the user terminal implementing the digital signature function needs to use that function, a program in the other terminal, such as the client program of the application service system, can transmit the call information and data to the cryptographic program, module or component implementing the digital signature function in the user terminal by displaying a bar code that the user scans; and if the user terminal is a mobile communication terminal (such as a mobile phone), the application service system can send a short message to the user's mobile communication terminal and, through information contained in the short message such as a URL (uniform resource locator), start the cryptographic program implementing the ECDSA digital signature function in the user's mobile communication terminal and automatically obtain the user's Security Token so that the secure digital signature function can be used.
Fig. 1 is a schematic diagram of the basic structure and application of the system of the present invention; fig. 2 is a schematic diagram of the central deployment scenario of the signature assistance device or system of the present invention; fig. 3 is a schematic diagram of the distributed deployment scenario of the signature assistance device or system of the present invention; and fig. 4 is a schematic diagram of the independent deployment scenario of the signature assistance device or system of the present invention.
Other specific technical implementations not described are well known to those skilled in the relevant arts and are self-evident.