

The Impact of the Randomness of the Random Number k on the Security of the SM2 Signature Algorithm

I. Construct SM2 signing process 1 as follows

Sig1 r1 = F2BFC778C66127C74E3613FAA1AB6E207059740B317597A78BBFCDF58AED0A51
Sig1 s1 = 4FC719D00334CCC23098036DEEAA71DB464A076EFA79283389D3414D70659E88
Private key d = B3124DC843BB8BA61F035A7D0938251F5DD4CBFC96F5453B130D890A1CDBAE32
Public key P = DC9A1F6E4334DDAC74E5104AC1797B3372A765E94B0C1DAC6032CDB0934758D21AB40618825661CAD4C8542D0736101B9975C7FE23A67B00BEC38587B202C5FA
User identity ID = 1234567812345678
Message to be signed M = 12345678901234567890
Random number k = 0000000000000000000000000000000000000000000000000000000000000123

II. Construct SM2 signing process 2 as follows

Sig2 r2 = 000E4A9838E4FCF75507F3EA012B7D2C9D7C6D76B9F1B1EE18D8A6F238991653
Sig2 s2 = 21B3190B669F6ABA735726BF140ABF6F52E6C3273DA3B461178E7D9A980D21AE
Private key d = B3124DC843BB8BA61F035A7D0938251F5DD4CBFC96F5453B130D890A1CDBAE32
Public key P = DC9A1F6E4334DDAC74E5104AC1797B3372A765E94B0C1DAC6032CDB0934758D21AB40618825661CAD4C8542D0736101B9975C7FE23A67B00BEC38587B202C5FA
User identity ID = 1234567812345678
Message to be signed M = 1234567890AB1234567890AB
Random number k = 0000000000000000000000000000000000000000000000000000000000000123

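The two SM2 signing processes above use the same random number k. If an adversary obtains both signature results, Sig1 and Sig2, can the private key d be computed?

From the SM2 signature algorithm:

(1) s1 = (k - r1*d)/(1+d) mod n
(2) s2 = (k - r2*d)/(1+d) mod n
(3) s1 - s2 = (r2 - r1)*d/(1+d) mod n
(4) d = (s1 - s2)/[(r2 - r1) - (s1 - s2)] mod n
(5) n = FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123 (see GM/T 0003.5-2012, SM2 Elliptic Curve Public-Key Cryptographic Algorithm, Part 5: Parameter Definition)

So when k is a fixed value, the private key d can be derived once Sig1, Sig2 and n are known. The concrete calculation follows.
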
(1) s1 - s2 mod n = 2E1400C49C956207BD40DCAEDA9FB26BF3634447BCD573D27244C3B2D8587CDA
(2) r2 - r1 mod n = 0D4E831E7283D53006D1DFEF5F800F0B9F26D8D6AA421F71E0D4CD05E7814D25
(3) [(r2 - r1) - (s1 - s2)] mod n = DF3A8258D5EE73284991034084E05C9F1DC773FA0F32B0CAC24BFD5C48FE116E
(4) 1/[(r2 - r1) - (s1 - s2)] mod n, that is, the modular inverse of DF3A8258D5EE73284991034084E05C9F1DC773FA0F32B0CAC24BFD5C48FE116E = E5E3D3B7FF47A46B11EC572C81242A0915AC5A01EEEF04DB30E1FA62421CD2D
(5) d = 2E1400C49C956207BD40DCAEDA9FB26BF3634447BCD573D27244C3B2D8587CDA * E5E3D3B7FF47A46B11EC572C81242A0915AC5A01EEEF04DB30E1FA62421CD2D mod n = B3124DC843BB8BA61F035A7D0938251F5DD4CBFC96F5453B130D890A1CDBAE32

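The user's private key d has been derived in full, which shows that the randomness of the random number k is critical to the security of the SM2 algorithm.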
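The derivation as a runnable check, added here as an example and not part of the original post: it applies formula (4) to the r1, s1, r2, s2 and n listed on the page and also solves for k, so the output can be compared with the listed d and k. The names `recover_key`, `sign_scalar` and the constants are illustrative and not taken from any SM2 library.

```python
# Added example: private-key recovery from two SM2 signatures sharing nonce k.
# Function and constant names are illustrative assumptions.

# Order n of the SM2 curve, as given on the page (GM/T 0003.5-2012).
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123

# Signature values and private key exactly as listed on the page.
R1 = 0xF2BFC778C66127C74E3613FAA1AB6E207059740B317597A78BBFCDF58AED0A51
S1 = 0x4FC719D00334CCC23098036DEEAA71DB464A076EFA79283389D3414D70659E88
R2 = 0x000E4A9838E4FCF75507F3EA012B7D2C9D7C6D76B9F1B1EE18D8A6F238991653
S2 = 0x21B3190B669F6ABA735726BF140ABF6F52E6C3273DA3B461178E7D9A980D21AE
PAGE_D = 0xB3124DC843BB8BA61F035A7D0938251F5DD4CBFC96F5453B130D890A1CDBAE32


def sign_scalar(d, k, r):
    """Scalar step of SM2 signing: s = (1 + d)^-1 * (k - r*d) mod n."""
    return pow(1 + d, -1, N) * (k - r * d) % N


def recover_key(r1, s1, r2, s2):
    """Return (d, k) from two signatures that were made with the same k."""
    ds = (s1 - s2) % N
    denom = ((r2 - r1) - ds) % N
    if denom == 0:
        # e.g. the same signature supplied twice: no second equation to solve
        raise ValueError("signatures do not determine d")
    d = ds * pow(denom, -1, N) % N      # d = (s1-s2)/[(r2-r1)-(s1-s2)] mod n
    k = (s1 * (1 + d) + r1 * d) % N     # rearranged s1 = (k - r1*d)/(1+d)
    return d, k


if __name__ == "__main__":
    d, k = recover_key(R1, S1, R2, S2)
    print("recovered d:", format(d, "064X"))
    print("recovered k:", format(k, "064X"))
    print("matches d listed on the page:", d == PAGE_D)
```

The recovery needs only the two (r, s) pairs and the public curve order n, so every signature must use a fresh, unpredictable k.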

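This article is reposted from: https://blog.csdn.net/ryanzzzzz/article/details/133435219
Copyright belongs to the original author, 搞搞搞高傲. If there is any infringement, please contact us for removal.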
