0


SM2签名算法中随机数K的随机性对算法安全的影响

    一、构造如下SM2签名算法过程1
     Sig1 r1 =         F2BFC778C66127C74E3613FAA1AB6E207059740B317597A78BBFCDF58AED0A51
     Sig1 s1 = 4FC719D00334CCC23098036DEEAA71DB464A076EFA79283389D3414D70659E88
     私钥d = B3124DC843BB8BA61F035A7D0938251F5DD4CBFC96F5453B130D890A1CDBAE32
     公钥P = DC9A1F6E4334DDAC74E5104AC1797B3372A765E94B0C1DAC6032CDB0934758D21AB40618825661CAD4C8542D0736101B9975C7FE23A67B00BEC38587B202C5FA
     用户身份ID = 1234567812345678
     待签名消息M = 12345678901234567890
     随机数k = 0000000000000000000000000000000000000000000000000000000000000123

    二、构造如下SM2签名算法过程2
     Sig1 r2 = 000E4A9838E4FCF75507F3EA012B7D2C9D7C6D76B9F1B1EE18D8A6F238991653
     Sig1 s2 = 21B3190B669F6ABA735726BF140ABF6F52E6C3273DA3B461178E7D9A980D21AE
     私钥d = B3124DC843BB8BA61F035A7D0938251F5DD4CBFC96F5453B130D890A1CDBAE32
     公钥P = DC9A1F6E4334DDAC74E5104AC1797B3372A765E94B0C1DAC6032CDB0934758D21AB40618825661CAD4C8542D0736101B9975C7FE23A67B00BEC38587B202C5FA
     用户身份ID = 1234567812345678
     待签名消息M = 1234567890AB1234567890AB
     随机数k = 0000000000000000000000000000000000000000000000000000000000000123

    以上两次SM2签名过程中随机数k相同,在对手获得两次签名结果Sig1和Sig2的情况下,能否计算出私钥d?

    由SM2签名算法可知
     (1)s1 = (k-r1d)/(1+d) mod n
     (2)s2 = (k-r2d)/(1+d) mod n
     (3)s1-s2 = (r2-r1)d/(1+d) mod n
     (4)d = (s1-s2)/[(r2-r1)-(s1-s2)] mod n
     (5)n = FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123,(具体见GMT 0003.5-2012 SM2 椭圆曲线公钥密码算法第5部分:参数定义)

    到此,若k为固定值时私钥d可以在Sig1、Sig2和n已知的情况下能够被推导出来。下面具体计算
     (1)s1-s2 mod n = 2E1400C49C956207BD40DCAEDA9FB26BF3634447BCD573D27244C3B2D8587CDA
     (2)r2-r1 mod n = 0D4E831E7283D53006D1DFEF5F800F0B9F26D8D6AA421F71E0D4CD05E7814D25
     (3)[(r2-r1)-(s1-s2)] mod n = DF3A8258D5EE73284991034084E05C9F1DC773FA0F32B0CAC24BFD5C48FE116E
     (4)1/[(r2-r1)-(s1-s2)] mod n,也就是DF3A8258D5EE73284991034084E05C9F1DC773FA0F32B0CAC24BFD5C48FE116E的逆元=

E5E3D3B7FF47A46B11EC572C81242A0915AC5A01EEEF04DB30E1FA62421CD2D
(5)d = 2E1400C49C956207BD40DCAEDA9FB26BF3634447BCD573D27244C3B2D8587CDA * E5E3D3B7FF47A46B11EC572C81242A0915AC5A01EEEF04DB30E1FA62421CD2D mod n =
B3124DC843BB8BA61F035A7D0938251F5DD4CBFC96F5453B130D890A1CDBAE32

    用户私钥d被完整推导出来,由此可见随机数k的随机性对于SM2密码算法安全非常重要。

本文转载自: https://blog.csdn.net/ryanzzzzz/article/details/133435219
版权归原作者 搞搞搞高傲 所有, 如有侵权,请联系我们删除。

“SM2签名算法中随机数K的随机性对算法安全的影响”的评论:

还没有评论