热门标签
热门文章
- 1【知识---图像特征提取算法--方向梯度直方图(Histogram of Oriented Gradients, HOG)原理、特点、应用场合及代码】
- 2插头dp。_插头dp csdn
- 3遗传算法-交叉算子讲解_遗传算法交叉操作
- 4【服务器数据恢复】某品牌StorageWorks服务器raid数据恢复案例_服务器数据恢复图片
- 5Nexus数据的备份与恢复_nexus3 备份和还原
- 6共同随机数(Common random number)算法及衍生的社群(association)随机选举算法_共享随机数
- 7通过js下载文件到本地的方法a标签_js 文件 下载到本地
- 8Vue权限管理的实现流程_vue权限管理怎么实现
- 9C语言函数参数传递详解_c语言参数传递
- 10CSS 实用工具: Google Fonts API 引入免费字体库
当前位置: article > 正文
国密算法 SM2 公钥加密 非对称加密 数字签名 密钥协商 python实现完整代码_python sm2加密
作者:ex123 | 2024-01-31 08:50:01
赞
踩
python sm2加密
SM2算法是国家密码管理局于2010年12月颁布的中国商用公钥密码标准算法。SM2基于椭圆曲线离散对数问题,计算复杂度是指数级(暂未发现亚指数级或多项式级的计算方法),相较于广泛应用的RSA公钥密码算法,在同等安全程度要求下,SM2所需密钥长度小、处理速度快。由于SM2在安全性、运算性能等方面都优于RSA算法,且具有自主知识产权,我国计划在商用密码体系中用SM2替换RSA算法。
椭圆曲线密码(ECC)的安全性明显强于RSA,参考下图:
采用Python语言编写的国密工具包主要是gmssl-python库和snowland-smx-python(pysmx)库,二者较为完整地实现了SM2、SM3、SM4等国密算法。本工具包涉及的散列运算使用了pysmx库的SM3算法,pysmx库对SM3算法的实现高效而优雅,在此向pysmx库的作者致以诚挚的敬意和感谢!
相较于现有Python国密算法工具包的SM2模块,本工具包的优势主要体现在以下3个方面:
1. 首次开源SM2密钥协商算法。gmssl库和pysmx库仅实现了SM2签名和验证、加密和解密算法,没有实现SM2密钥协商算法,互联网上也未找到实现SM2密钥协商算法的Python代码,故本工具包是首次在互联网上开源SM2密钥协商算法的Python代码。
2. 算法实现更为健壮和完整。gmssl库和pysmx库中的椭圆曲线点乘算法仅能输入有限域内的乘数(否则报错),所实现的SM2签名/验证算法不包含标准要求的Z值计算和Hash变换,除核心算法(密钥生成、签名、验证、加密、解密等)之外还缺少标准描述的一些辅助算法,gmssl库仅能输入bytes类型消息;本工具包的点乘算法能够输入任意自然数作为乘数并保证正确性,SM2签名/验证算法完整实现了Z值计算和Hash变换,除核心算法之外还实现了标准描述的一些重要辅助函数(如公钥验证、椭圆曲线系统参数验证等)。
3. 性能更佳。本工具包通过采用更高效的点乘算法、减少数据类型转换、充分运用算术运算加速技巧等途径,明显提高了计算效率。以SM2算法耗时的主要来源——椭圆曲线点乘运算为例进行测试,同等条件下本工具包的平均耗时约为gmssl库的35.5%、pysmx库的61.8%,实际运行签名与验证、加解密等算法同样具备上述幅度的性能优势。
上图中的前三个算法是本工具包实现的(具体描述参考国密局2010年SM2文档,下有链接),实测算法2性能最好,默认用的算法2。
对于需应用国密SM2算法的Python项目,可直接调用本工具包实现SM2数字签名与验证、加解密以及密钥协商等功能,也可基于本工具包提供的椭圆曲线运算相关函数自行设计算法和协议。
参考文献:
- 国家密码管理局关于发布《SM2椭圆曲线公钥密码算法》公告[EB/OL].(2010-12-17) [2022-02-20].https://sca.gov.cn/sca/xwdt/2010-12/17/content_1002386.shtml.
- GMSSL[EB/OL].(2020-12-09) [2022-02-20].https://github.com/duanhongyi/gmssl.
- snowland-smx[EB/OL].(2021-01-27) [2022-02-20].https://gitee.com/snowlandltd/ snowland-smx-python.
“没有网络安全,就没有国家安全。”让我们共同努力,推动国密算法更深层次、更广泛的研究和应用,为国家网络信息安全和自主化尽绵薄之力。
是否觉得看到上面一句就结束了?O(∩_∩)O
代码分三个部分,第一部分是椭圆曲线基础运算封装的类,第二部分是SM2封装的类,第三部分是测试代码。最简单而安全的密钥协商,可以用里面的ECDH,运行很快,当然SM2更安全!同时致敬DH算法,为信息网络安全耕耘已近半个世纪!几种密钥协商算法的运行时间如下图所示:
上图结果均不包括通信开销,其中ECDH和SM2用的是SM2 GB(GB/T 32918.5-2017,信息安全技术 SM2椭圆曲线公钥密码算法 第5部分:参数定义)规定的椭圆曲线参数(与参考文献1《SM2椭圆曲线公钥密码算法》中推荐的参数是一样的),这也是本工具包默认使用的参数。
测试代码按照参考文献1(国密局2010年《SM2椭圆曲线公钥密码算法》)的参数,复现了其结果,说明代码实现是标准且正确的。由于要复现结果,测试代码调用函数的时候输入了固定参数,其实好多参数是不用输入的,不输入就会使用SM2默认参数,或者随机数。
废话不多说了,代码中有详尽注释。SM2怎么用?照着测试代码用就行!
下面是完整代码(是否完整?能不能跑?一试便知!)。
- import random
- import time
- import math
- import numpy as np
- from pysmx.SM3 import digest as sm3
-
- # 小素数列表,加快判断素数速度
- small_primes = np.array([2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41,
- 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109,
- 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191,
- 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269,
- 271, 277, 281, 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353,
- 359, 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439,
- 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509, 521, 523,
- 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601, 607, 613, 617,
- 619, 631, 641, 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709,
- 719, 727, 733, 739, 743, 751, 757, 761, 769, 773, 787, 797, 809, 811,
- 821, 823, 827, 829, 839, 853, 857, 859, 863, 877, 881, 883, 887, 907,
- 911, 919, 929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997])
-
-
- def is_prime(num):
- # 排除0,1和负数
- if num < 2:
- return False
- # 排除小素数的倍数
- for prime in small_primes:
- if num % prime == 0:
- return False
- # 未分辨出来的大整数用rabin算法判断
- return rabin_miller(num)
-
-
- def rabin_miller(num):
- s = num - 1
- t = 0
- while s & 1 == 0:
- s >>= 1
- t += 1
- for trials in range(5):
- a = random.randrange(2, num - 1)
- v = pow(a, s, num)
- if v != 1:
- i = 0
- while v != (num - 1):
- if i == t - 1:
- return False
- else:
- i = i + 1
- v = v * v % num
- return True
-
-
- # 将字节转换为int
- def to_int(byte):
- return int.from_bytes(byte, byteorder='big')
-
-
- # 转换为bytes,第二参数为字节数(可不填)
- def to_byte(x, size=None):
- if isinstance(x, int):
- if size is None: # 计算合适的字节数
- size = 0
- tmp = x >> 64
- while tmp:
- size += 8
- tmp >>= 64
- tmp = x >> (size << 3)
- while tmp:
- size += 1
- tmp >>= 8
- elif x >> (size << 3): # 指定的字节数不够则截取低位
- x &= (1 << (size << 3)) - 1
- return x.to_bytes(size, byteorder='big')
- elif isinstance(x, str):
- x = x.encode()
- if size != None and len(x) > size: # 超过指定长度
- x = x[:size] # 截取左侧字符
- return x
- elif isinstance(x, bytes):
- if size != None and len(x) > size: # 超过指定长度
- x = x[:size] # 截取左侧字节
- return x
- elif isinstance(x, tuple) and len(x) == 2 and type(x[0]) == type(x[1]) == int:
- # 针对坐标形式(x, y)
- return to_byte(x[0], size) + to_byte(x[1], size)
- return bytes(x)
-
-
- # 将列表元素转换为bytes并连接
- def join_bytes(data_list):
- return b''.join([to_byte(i) for i in data_list])
-
-
- # 求最大公约数
- def gcd(a, b):
- return a if b == 0 else gcd(b, a % b)
-
-
- # 求乘法逆元过程中的辅助递归函数
- def get_(a, b):
- if b == 0:
- return 1, 0
- x1, y1 = get_(b, a % b)
- x, y = y1, x1 - a // b * y1
- return x, y
-
-
- # 求乘法逆元
- def get_inverse(a, p):
- # return pow(a, p-2, p) # 效率较低、n倍点的时候两种计算方法结果会有不同
- if gcd(a, p) == 1:
- x, y = get_(a, p)
- return x % p
- return 1
-
-
- def get_cpu_time():
- return time.perf_counter()
-
-
- # 密钥派生函数(从一个共享的秘密比特串中派生出密钥数据)
- # SM2第3部分 5.4.3
- # Z为bytes类型
- # klen表示要获得的密钥数据的比特长度(8的倍数),int类型
- # 输出为bytes类型
- def KDF(Z, klen):
- ksize = klen >> 3
- K = bytearray()
- for ct in range(1, math.ceil(ksize / HASH_SIZE) + 1):
- K.extend(sm3(Z + to_byte(ct, 4)))
- return K[:ksize]
-
-
- # 计算比特位数
- def get_bit_num(x):
- if isinstance(x, int):
- num = 0
- tmp = x >> 64
- while tmp:
- num += 64
- tmp >>= 64
- tmp = x >> num >> 8
- while tmp:
- num += 8
- tmp >>= 8
- x >>= num
- while x:
- num += 1
- x >>= 1
- return num
- elif isinstance(x, str):
- return len(x.encode()) << 3
- elif isinstance(x, bytes):
- return len(x) << 3
- return 0
-
-
- # 椭圆曲线密码类(实现一般的EC运算,不局限于SM2)
- class ECC:
- def __init__(self, p, a, b, n, G, h=None):
- self.p = p
- self.a = a
- self.b = b
- self.n = n
- self.G = G
- if h:
- self.h = h
- self.O = (-1, -1) # 定义仿射坐标下无穷远点(零点)
-
- # 预先计算Jacobian坐标两点相加时用到的常数
- self._2 = get_inverse(2, p)
- self.a_3 = (a + 3) % p
-
- # 椭圆曲线上两点相加(仿射坐标)
- # SM2第1部分 3.2.3.1
- # 仅提供一个参数时为相同坐标点相加
- def add(self, P1, P2=None):
- x1, y1 = P1
- if P2 is None or P1 == P2: # 相同坐标点相加
- # 处理无穷远点
- if P1 == self.O:
- return self.O
- # 计算斜率k(k已不具备明确的几何意义)
- k = (3 * x1 * x1 + self.a) * get_inverse(2 * y1, self.p) % self.p
- # 计算目标点坐标
- x3 = (k * k - x1 - x1) % self.p
- y3 = (k * (x1 - x3) - y1) % self.p
- else:
- x2, y2 = P2
- # 处理无穷远点
- if P1 == self.O:
- return P2
- if P2 == self.O:
- return P1
- if x1 == x2:
- return self.O
- # 计算斜率k
- k = (y2 - y1) * get_inverse(x2 - x1, self.p) % self.p
- # 计算目标点坐标
- x3 = (k * k - x1 - x2) % self.p
- y3 = (k * (x1 - x3) - y1) % self.p
- return x3, y3
-
- # 椭圆曲线上的点乘运算(仿射坐标)
- def multiply(self, k, P):
- # 判断常数k的合理性
- assert type(k) is int and k >= 0, 'factor value error'
- # 处理无穷远点
- if k == 0 or P == self.O:
- return self.O
- if k == 1:
- return P
- elif k == 2:
- return self.add(P)
- elif k == 3:
- return self.add(P, self.add(P))
- elif k & 1 == 0: # k/2 * P + k/2 * P
- return self.add(self.multiply(k >> 1, P))
- elif k & 1 == 1: # P + k/2 * P + k/2 * P
- return self.add(P, self.add(self.multiply(k >> 1, P)))
-
- # 输入P,返回-P
- def minus(self, P):
- Q = list(P)
- Q[1] = -Q[1]
- return tuple(Q)
-
- # Jacobian加重射影坐标下两点相加
- # SM2第1部分 A.1.2.3.2
- # 输入点包含两项时为仿射坐标,三项为Jacobian加重射影坐标,两点坐标系可不同
- # 两点相同时省略第二个参数
- def Jacb_add(self, P1, P2=None):
- if P2 is None or P1 == P2: # 相同点相加
- # 处理无穷远点
- if P1 == self.O:
- return self.O
-
- # 根据参数包含的项数判断坐标系(是仿射坐标则转Jacobian坐标)
- x1, y1, z1 = P1 if len(P1) == 3 else (*P1, 1)
-
- # t1 = 3 * x1**2 + self.a * pow(z1, 4, self.p)
- # t2 = 4 * x1 * y1**2
- # t3 = 8 * pow(y1, 4, self.p)
- # x3 = (t1**2 - 2 * t2) % self.p
- # y3 = (t1 * (t2 - x3) - t3) % self.p
- # z3 = 2 * y1 * z1 % self.p
- z3 = (y1 * z1 << 1) % self.p
- if z3 == 0: # 处理无穷远点
- return self.O
- T2 = y1 * y1 % self.p
- T4 = (T2 << 3) % self.p
- T5 = x1 * T4 % self.p
- T6 = z1 * z1 % self.p
- T1 = (x1 + T6) * (x1 - T6) * 3 % self.p
- T1 = (T1 + self.a_3 * T6 * T6) % self.p
- T3 = T1 * T1 % self.p
- T2 = T2 * T4 % self.p
- x3 = (T3 - T5) % self.p
- T4 = T5 + (T5 + self.p >> 1) - T3 if T5 & 1 else T5 + (T5 >> 1) - T3
- T1 = T1 * T4 % self.p
- y3 = (T1 - T2) % self.p
- else: # 不同点相加
- # 处理无穷远点
- if P1 == self.O:
- return P2
- if P2 == self.O:
- return P1
-
- # 根据参数包含的项数判断坐标系(是仿射坐标则转Jacobian坐标)
- x1, y1, z1 = P1 if len(P1) == 3 else (*P1, 1)
- x2, y2, z2 = P2 if len(P2) == 3 else (*P2, 1)
-
- if z2 != 1 and z1 != 1:
- z1_2 = z1 * z1 % self.p
- z2_2 = z2 * z2 % self.p
- t1 = x1 * z2_2 % self.p
- t2 = x2 * z1_2 % self.p
- t3 = t1 - t2
- z3 = z1 * z2 * t3 % self.p
- if z3 == 0: # 处理无穷远点
- return self.O
- t4 = y1 * z2 * z2_2 % self.p
- t5 = y2 * z1 * z1_2 % self.p
- t6 = t4 - t5
- t7 = t1 + t2
- t8 = t4 + t5
- t3_2 = t3 * t3 % self.p
- x3 = (t6 * t6 - t7 * t3_2) % self.p
- t9 = (t7 * t3_2 - (x3 << 1)) % self.p
- y3 = (t9 * t6 - t8 * t3 * t3_2) * self._2 % self.p
- else: # 可简化计算
- if z1 == 1: # 确保第二个点的z1=1
- x1, y1, z1, x2, y2 = x2, y2, z2, x1, y1
- T1 = z1 * z1 % self.p
- T2 = y2 * z1 % self.p
- T3 = x2 * T1 % self.p
- T1 = T1 * T2 % self.p
- T2 = T3 - x1
- z3 = z1 * T2 % self.p
- if z3 == 0: # 处理无穷远点
- return self.O
- T3 = T3 + x1
- T1 = T1 - y1
- T4 = T2 * T2 % self.p
- T5 = T1 * T1 % self.p
- T2 = T2 * T4 % self.p
- T3 = T3 * T4 % self.p
- T4 = x1 * T4 % self.p
- x3 = T5 - T3 % self.p
- T2 = y1 * T2 % self.p
- T3 = T4 - x3
- T1 = T1 * T3 % self.p
- y3 = T1 - T2 % self.p
- # T1 = z1 * z1 % self.p
- # T3 = x2 * T1 % self.p
- # T2 = T3 - x1
- # z3 = z1 * T2 % self.p
- # if z3 == 0: # 处理无穷远点
- # return self.O
- # T1 = (T1 * y2 * z1 - y1) % self.p
- # T4 = T2 * T2 % self.p
- # x3 = T1 * T1 - (T3 + x1) * T4 % self.p
- # T1 = T1 * (x1 * T4 - x3) % self.p
- # y3 = T1 - y1 * T2 * T4 % self.p
-
- return x3, y3, z3
-
- # Jacobian加重射影坐标下的点乘运算
- # SM2第1部分 A.3
- # 输入点包含两项时为仿射坐标,三项为Jacobian坐标
- # conv=True时结果转换为仿射坐标,否则不转换
- # algo表示选择的算法, r表示算法三(滑动窗法)的窗口值
- def Jacb_multiply(self, k, P, conv=True, algo=2, r=5):
- # 处理无穷远点
- if k == 0 or P == self.O:
- return self.O
-
- # 仿射坐标转Jacobian坐标
- # if len(P) == 2:
- # P = (*P, 1)
-
- # 算法一:二进制展开法
- if algo == 1:
- Q = P
- for i in bin(k)[3:]:
- Q = self.Jacb_add(Q)
- if i == '1':
- Q = self.Jacb_add(Q, P)
-
- # 算法二:加减法
- elif algo == 2:
- h = bin(3 * k)[2:]
- k = bin(k)[2:]
- k = '0' * (len(h) - len(k)) + k
- Q = P
- minusP = self.minus(P)
- for i in range(1, len(h) - 1):
- Q = self.Jacb_add(Q)
- if h[i] == '1' and k[i] == '0':
- Q = self.Jacb_add(Q, P)
- elif h[i] == '0' and k[i] == '1':
- Q = self.Jacb_add(Q, minusP)
-
- # 算法三:滑动窗法
- # 当k为255/256位时,通过test_r函数测试,r=5复杂度最低
- elif algo == 3:
- k = bin(k)[2:]
- l = len(k)
- if r >= l: # 如果窗口大于k的二进制位数,则本算法无意义
- return self.Jacb_multiply(int(k, 2), P, conv, 2)
-
- # 保存P[j]值的字典
- P_ = {1: P, 2: self.Jacb_add(P)}
- for i in range(1, 1 << (r - 1)):
- P_[(i << 1) + 1] = self.Jacb_add(P_[(i << 1) - 1], P_[2])
-
- t = r
- while k[t - 1] != '1':
- t -= 1
- hj = int(k[:t], 2)
- Q = P_[hj]
- j = t
- while j < l:
- if k[j] == '0':
- Q = self.Jacb_add(Q)
- j += 1
- else:
- t = min(r, l - j)
- while k[j + t - 1] != '1':
- t -= 1
- hj = int(k[j:j + t], 2)
- Q = self.Jacb_add(self.Jacb_multiply(1 << t, Q, False, 2), P_[hj])
- j += t
-
- return self.Jacb_to_affine(Q) if conv else Q
-
- # Jacobian加重射影坐标转仿射坐标
- # SM2第1部分 A.1.2.3.2
- def Jacb_to_affine(self, P):
- if len(P) == 2: # 已经是仿射坐标
- return P
- x, y, z = P
- # 处理无穷远点
- if z == 0:
- return self.O
- z_ = get_inverse(z, self.p) # z的乘法逆元
- x2 = x * z_ * z_ % self.p
- y2 = y * z_ * z_ * z_ % self.p
- return x2, y2
-
- # 判断是否为无穷远点(零点)
- def is_zero(self, P):
- if len(P) == 2: # 仿射坐标
- return P == self.O
- else: # Jacobian加重射影坐标
- return P[2] == 0
-
- # 判断是否为域Fp中的元素
- # 可输入多个元素,全符合才返回True
- def on_Fp(self, *x):
- for i in x:
- if 0 <= i < self.p:
- pass
- else:
- return False
- return True
-
- # 判断是否在椭圆曲线上
- def on_curve(self, P):
- if self.is_zero(P):
- return False
- if len(P) == 2: # 仿射坐标
- x, y = P
- return y * y % self.p == (x * x * x + self.a * x + self.b) % self.p
- else: # Jacobian加重射影坐标
- x, y, z = P
- return y * y % self.p == (x * x * x + self.a * x * pow(z, 4, self.p) + self.b * pow(z, 6, self.p)) % self.p
-
- # 生成密钥对
- # 返回值:d为私钥,P为公钥
- # SM2第1部分 6.1
- def gen_keypair(self):
- d = random.randint(1, self.n - 2)
- P = self.Jacb_multiply(d, self.G)
- return d, P
-
- # 公钥验证
- # SM2第1部分 6.2.1
- def pk_valid(self, P):
- # 判断点P的格式
- if P and len(P) == 2 and type(P[0]) == type(P[1]) == int:
- pass
- else:
- self.error = '格式有误' # 记录错误信息
- return False
- # a) 验证P不是无穷远点O
- if self.is_zero(P):
- self.error = '无穷远点'
- return False
- # b) 验证公钥P的坐标xP和yP是域Fp中的元素
- if not self.on_Fp(*P):
- self.error = '坐标值不是域Fp中的元素'
- return False
- # c) 验证y^2 = x^3 + ax + b (mod p)
- if not self.on_curve(P):
- self.error = '不在椭圆曲线上'
- return False
- # d) 验证[n]P = O
- if not self.is_zero(self.Jacb_multiply(self.n, P, False)):
- self.error = '[n]P不是无穷远点'
- return False
- return True
-
- # 确认目前已有公私钥对
- def confirm_keypair(self):
- if not hasattr(self, 'pk') or not self.pk_valid(self.pk) or self.pk != self.Jacb_multiply(self.sk, self.G):
- # 目前没有合格的公私钥对则生成
- while True:
- d, P = self.gen_keypair()
- if self.pk_valid(P): # 确保公钥通过验证
- self.sk, self.pk = d, P
- return
-
-
- # 国家密码管理局:SM2椭圆曲线公钥密码算法推荐曲线参数
- SM2_p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
- SM2_a = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
- SM2_b = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
- SM2_n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
- SM2_Gx = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
- SM2_Gy = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
-
- PARA_SIZE = 32 # 参数长度(字节)
- HASH_SIZE = 32 # sm3输出256位(32字节)
- KEY_LEN = 128 # 默认密钥位数
-
-
- # SM2类继承ECC
- class SM2(ECC):
- # 默认使用SM2推荐曲线参数
- def __init__(self, p=SM2_p, a=SM2_a, b=SM2_b, n=SM2_n, G=(SM2_Gx, SM2_Gy), h=None,
- ID=None, sk=None, pk=None, genkeypair=True): # genkeypair表示是否自动生成公私钥对
- if not h: # 余因子h默认为1
- h = 1
- ECC.__init__(self, p, a, b, n, G, h)
-
- self.keysize = len(to_byte(n)) # 密钥长度(字节)
- if type(ID) in (int, str): # 身份ID(数字或字符串)
- self.ID = ID
- else:
- self.ID = ''
- if sk and pk: # 如果提供的公私钥对通过验证,即使genkeypair=True也不会重新生成
- self.sk = sk # 私钥(int [1,n-2])
- self.pk = pk # 公钥(x, y)
- self.confirm_keypair() # 验证该公私钥对,不合格则生成
- elif genkeypair: # 自动生成合格的公私钥对
- self.confirm_keypair()
-
- # 预先计算用到的常数
- if hasattr(self, 'sk'): # 签名时
- self.d_1 = get_inverse(1 + self.sk, self.n)
-
- # 椭圆曲线系统参数验证
- # SM2第1部分 5.2.2
- def para_valid(self):
- # a) 验证q = p是奇素数
- if not is_prime(self.p):
- self.error = 'p不是素数' # 记录错误信息
- return False
- # b) 验证a、b、Gx和Gy是区间[0, p−1]中的整数
- if not self.on_Fp(self.a, self.b, *self.G):
- self.error = 'a、b或G坐标值不是域Fp中的元素'
- return False
- # d) 验证(4a^3 + 27b^2) mod p != 0
- if (4 * self.a * self.a * self.a + 27 * self.b * self.b) % self.p == 0:
- self.error = '(4a^3 + 27b^2) mod p = 0'
- return False
- # e) 验证Gy^2 = Gx^3 + aGx + b (mod p)
- if not self.on_curve(self.G):
- self.error = 'G不在椭圆曲线上'
- return False
- # f) 验证n是素数,n > 2^191 且 n > 4p^1/2
- if not is_prime(self.n) or self.n <= 1 << 191 or self.n <= 4 * self.p ** 0.5:
- self.error = 'n不是素数或n不够大'
- return False
- # g) 验证[n]G = O
- if not self.is_zero(self.Jacb_multiply(self.n, self.G, False)):
- self.error = '[n]G不是无穷远点'
- return False
- # i) 验证抗MOV攻击条件和抗异常曲线攻击条件成立(A.4.2.1)
- B = 27 # MOV阈B
- t = 1
- for i in range(B):
- t = t * self.p % self.n
- if t == 1:
- self.error = '不满足抗MOV攻击条件'
- return False
- # 椭圆曲线的阶N=#E(Fp)计算太复杂,未实现A.4.2.2验证
- # Fp上的绝大多数椭圆曲线确实满足抗异常曲线攻击条件
- return True
-
- # 计算Z
- # SM2第2部分 5.5
- # ID为数字或字符串,P为公钥(不提供参数时返回自身Z值)
- def get_Z(self, ID=None, P=None):
- save = False
- if not P: # 不提供参数
- if hasattr(self, 'Z'): # 再次计算,返回曾计算好的自身Z值
- return self.Z
- else: # 首次计算自身Z值
- ID = self.ID
- P = self.pk
- save = True
- entlen = get_bit_num(ID)
- ENTL = to_byte(entlen, 2)
- Z = sm3(join_bytes([ENTL, ID, self.a, self.b, *self.G, *P]))
- if save: # 保存自身Z值
- self.Z = Z
- return Z
-
- # 数字签名
- # SM2第2部分 6.1
- # 输入:待签名的消息M、随机数k(不填则自动生成)、输出类型(默认bytes)、对M是否hash(默认是)
- # 输出:r, s(int类型)或拼接后的bytes
- def sign(self, M, k=None, outbytes=True, dohash=True):
- if dohash:
- M_ = join_bytes([self.get_Z(), M])
- e = to_int(sm3(M_))
- else:
- e = to_int(to_byte(M))
- while True:
- if not k:
- k = random.randint(1, self.n - 1)
- # x1, y1 = self.multiply(k, self.G)
- x1, y1 = self.Jacb_multiply(k, self.G)
- r = (e + x1) % self.n
- if r == 0 or r + k == self.n:
- k = 0
- continue
- # s = get_inverse(1 + self.sk, self.n) * (k - r * self.sk) % self.n
- s = self.d_1 * (k - r * self.sk) % self.n
- if s == 0:
- k = 0
- else:
- break
- if outbytes:
- return to_byte((r, s), self.keysize)
- else:
- return r, s
-
- # 数字签名验证
- # SM2第2部分 7.1
- # 输入:收到的消息M′及其数字签名(r′, s′)、签名者的身份标识IDA及公钥PA、对M是否hash(默认是)
- # 输出:True or False
- def verify(self, M, sig, IDA, PA, dohash=True):
- if isinstance(sig, bytes):
- r = to_int(sig[:self.keysize])
- s = to_int(sig[self.keysize:])
- else:
- r, s = sig
- if not 1 <= r <= self.n - 1:
- return False
- if not 1 <= s <= self.n - 1:
- return False
- if dohash:
- M_ = join_bytes([self.get_Z(IDA, PA), M])
- e = to_int(sm3(M_))
- else:
- e = to_int(to_byte(M))
- t = (r + s) % self.n
- if t == 0:
- return False
- sG = self.Jacb_multiply(s, self.G, False)
- tPA = self.Jacb_multiply(t, PA, False)
- x1, y1 = self.Jacb_to_affine(self.Jacb_add(sG, tPA))
- R = (e + x1) % self.n
- if R == r:
- return True
- else: # 避免Jacobian坐标下的等价点导致判断失败
- x1, y1 = self.add(self.Jacb_to_affine(sG), self.Jacb_to_affine(tPA))
- R = (e + x1) % self.n
- return R == r
-
- # A 发起协商
- # SM2第3部分 6.1 A1-A3
- # 返回rA、RA
- def agreement_initiate(self):
- return self.gen_keypair()
-
- # B 响应协商(option=True时计算选项部分)
- # SM2第3部分 6.1 B1-B9
- def agreement_response(self, RA, PA, IDA, option=False, rB=None, RB=None, klen=None):
- # 参数准备
- if not self.on_curve(RA):
- return False, 'RA不在椭圆曲线上'
- x1, y1 = RA
- w = math.ceil(math.ceil(math.log(self.n, 2)) / 2) - 1
- if not hasattr(self, 'sk'):
- self.confirm_keypair()
- h = 1 # SM2推荐曲线的余因子h=1
- ZA = self.get_Z(IDA, PA)
- ZB = self.get_Z()
- # B1-B7
- if not rB:
- rB, RB = self.gen_keypair()
- x2, y2 = RB
- x_2 = (1 << w) + (x2 & (1 << w) - 1)
- tB = (self.sk + x_2 * rB) % self.n
- x_1 = (1 << w) + (x1 & (1 << w) - 1)
- # V = self.multiply(h * tB, self.add(PA, self.multiply(x_1, RA)))
- V = self.Jacb_multiply(h * tB, self.Jacb_add(self.Jacb_multiply(x_1, RA, False), PA))
- if self.is_zero(V):
- return False, 'V是无穷远点'
- xV, yV = V
- if not klen:
- klen = KEY_LEN
- KB = KDF(join_bytes([xV, yV, ZA, ZB]), klen)
- if not option:
- return True, (RB, KB)
- # B8、B10(可选部分)
- tmp = join_bytes([yV, sm3(join_bytes([xV, ZA, ZB, x1, y1, x2, y2]))])
- SB = sm3(join_bytes([2, tmp]))
- S2 = sm3(join_bytes([3, tmp]))
- return True, (RB, KB, SB, S2)
-
- # A 协商确认
- # SM2第3部分 6.1 A4-A10
- def agreement_confirm(self, rA, RA, RB, PB, IDB, SB=None, option=False, klen=None):
- # 参数准备
- if not self.on_curve(RB):
- return False, 'RB不在椭圆曲线上'
- x1, y1, x2, y2 = *RA, *RB
- w = math.ceil(math.ceil(math.log(self.n, 2)) / 2) - 1
- if not hasattr(self, 'sk'):
- self.confirm_keypair()
- h = 1 # SM2推荐曲线的余因子h=1
- ZA = self.get_Z()
- ZB = self.get_Z(IDB, PB)
- # A4-A8
- x_1 = (1 << w) + (x1 & (1 << w) - 1)
- tA = (self.sk + x_1 * rA) % self.n
- x_2 = (1 << w) + (x2 & (1 << w) - 1)
- # U = self.multiply(h * tA, self.add(PB, self.multiply(x_2, RB)))
- U = self.Jacb_multiply(h * tA, self.Jacb_add(self.Jacb_multiply(x_2, RB, False), PB))
- if self.is_zero(U):
- return False, 'U是无穷远点'
- xU, yU = U
- if not klen:
- klen = KEY_LEN
- KA = KDF(join_bytes([xU, yU, ZA, ZB]), klen)
- if not option or not SB:
- return True, KA
- # A9-A10(可选部分)
- tmp = join_bytes([yU, sm3(join_bytes([xU, ZA, ZB, x1, y1, x2, y2]))])
- S1 = sm3(join_bytes([2, tmp]))
- if S1 != SB:
- return False, 'S1 != SB'
- SA = sm3(join_bytes([3, tmp]))
- return True, (KA, SA)
-
- # B 协商确认(可选部分)
- # SM2第3部分 6.1 B10
- def agreement_confirm2(self, S2, SA):
- if S2 != SA:
- return False, 'S2 != SA'
- return True, ''
-
- # 加密
- # SM2第4部分 6.1
- # 输入:待加密的消息M(bytes或str类型)、对方的公钥PB、随机数k(不填则自动生成)
- # 输出(True, bytes类型密文)或(False, 错误信息)
- def encrypt(self, M, PB, k=None):
- if self.is_zero(self.multiply(self.h, PB)): # S
- return False, 'S是无穷远点'
- M = to_byte(M)
- klen = get_bit_num(M)
- while True:
- if not k:
- k = random.randint(1, self.n - 1)
- # x2, y2 = self.multiply(k, PB)
- x2, y2 = self.Jacb_multiply(k, PB)
- t = to_int(KDF(join_bytes([x2, y2]), klen))
- if t == 0: # 若t为全0比特串则继续循环
- k = 0
- else:
- break
- # C1 = to_byte(self.multiply(k, self.G), self.keysize) # (x1, y1)
- C1 = to_byte(self.Jacb_multiply(k, self.G), self.keysize) # (x1, y1)
- C2 = to_byte(to_int(M) ^ t, klen >> 3)
- C3 = sm3(join_bytes([x2, M, y2]))
- return True, join_bytes([C1, C2, C3])
-
- # 解密
- # SM2第4部分 7.1
- # 输入:密文C(bytes类型)
- # 输出(True, bytes类型明文)或(False, 错误信息)
- def decrypt(self, C):
- x1 = to_int(C[:self.keysize])
- y1 = to_int(C[self.keysize:self.keysize << 1])
- C1 = (x1, y1)
- if not self.on_curve(C1):
- return False, 'C1不满足椭圆曲线方程'
- if self.is_zero(self.multiply(self.h, C1)): # S
- return False, 'S是无穷远点'
- # x2, y2 = self.multiply(self.sk, C1)
- x2, y2 = self.Jacb_multiply(self.sk, C1)
- klen = len(C) - (self.keysize << 1) - HASH_SIZE << 3
- t = to_int(KDF(join_bytes([x2, y2]), klen))
- if t == 0:
- return False, 't为全0比特串'
- C2 = C[self.keysize << 1:-HASH_SIZE]
- M = to_byte(to_int(C2) ^ t, klen >> 3)
- u = sm3(join_bytes([x2, M, y2]))
- C3 = C[-HASH_SIZE:]
- if u != C3:
- return False, 'u != C3'
- return True, M
-
-
- # 最简单的ECDH正确性测试
- def test_ECDH(verify=False):
- time_1 = get_cpu_time()
- sm2 = SM2(genkeypair=False)
- # A、B双方生成公、私钥
- dA, PA = sm2.gen_keypair()
- dB, PB = sm2.gen_keypair()
- # 验证ECC系统参数和公钥
- if verify:
- if not sm2.para_valid():
- print('椭圆曲线系统参数未通过验证:%s' % sm2.error)
- return
- if not sm2.pk_valid(PA):
- print('PA未通过验证:%s' % sm2.error)
- return
- if not sm2.pk_valid(PB):
- print('PB未通过验证:%s' % sm2.error)
- return
-
- # A将PA传给B,B将PB传给A
-
- # A、B双方计算密钥
- QA = sm2.Jacb_multiply(dA, PB)
- KA = KDF(to_byte(QA), KEY_LEN)
- QB = sm2.Jacb_multiply(dB, PA)
- KB = KDF(to_byte(QB), KEY_LEN)
- time_2 = get_cpu_time()
- print('ECDH密钥协商完毕,耗时%.2f ms' % ((time_2 - time_1) * 1000))
- print('KA == KB?: %s, value: 0x%s, len: %d' % (KA == KB, KA.hex(), len(KA) << 3))
-
-
- # SM2密钥协商测试
- def test_SM2_agreement(option=False):
- time_1 = get_cpu_time()
- # A、B双方初始化
- sm2_A = SM2(ID='Alice')
- sm2_B = SM2(ID='Bob')
- # A、B均掌握对方的公钥和ID
- PA, IDA = sm2_A.pk, sm2_A.ID
- PB, IDB = sm2_B.pk, sm2_B.ID
-
- # A 发起协商
- rA, RA = sm2_A.agreement_initiate()
- # A将RA发送给B
-
- # B 响应协商
- res, content = sm2_B.agreement_response(RA, PA, IDA, option)
- if not res:
- print('B报告协商错误:', content)
- return
- if option:
- RB, KB, SB, S2 = content
- else:
- RB, KB = content
- SB = None
- # B将RB、(选项SB)发送给A
-
- # A 协商确认
- res, content = sm2_A.agreement_confirm(rA, RA, RB, PB, IDB, SB, option)
- if not res:
- print('A报告协商错误:', content)
- return
- if option:
- KA, SA = content
- else:
- KA = content
-
- if option:
- # A将(选项SA)发送给B
- # B 协商确认
- res, content = sm2_B.agreement_confirm2(S2, SA)
- if not res:
- print('B报告协商错误:', content)
- return
- time_2 = get_cpu_time()
- print('SM2密钥协商完毕,耗时%.2f ms' % ((time_2 - time_1) * 1000))
- print('KA == KB?: %s, value: 0x%s, len: %d' % (KA == KB, KA.hex(), len(KA) << 3))
-
-
- # SM2示例中的椭圆曲线系统参数
- def demo_para():
- p = 0x8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3
- a = 0x787968B4FA32C3FD2417842E73BBFEFF2F3C848B6831D7E0EC65228B3937E498
- b = 0x63E4C6D3B23B0C849CF84241484BFE48F61D59A5B16BA06E6E12D1DA27C5249A
- xG = 0x421DEBD61B62EAB6746434EBC3CC315E32220B3BADD50BDC4C4E6C147FEDD43D
- yG = 0x0680512BCBB42C07D47349D2153B70C4E5D7FDFCBFA36EA1A85841B9E46E09A2
- n = 0x8542D69E4C044F18E8B92435BF6FF7DD297720630485628D5AE74EE7C32E79B7
- G = (xG, yG)
- h = 1
- return p, a, b, n, G, h
-
-
- # SM2数字签名与验证测试
- # SM2第2部分 A.1 A.2
- def test_signature():
- IDA = 'ALICE123@YAHOO.COM'
- M = 'message digest'
- dA = 0x128B2FA8BD433C6C068C8D803DFF79792A519A55171B1B650C23661D15897263
- xA = 0x0AE4C7798AA0F119471BEE11825BE46202BB79E2A5844495E97C04FF4DF2548A
- yA = 0x7C0240F88F1CD4E16352A73C17B7F16F07353E53A176D684A9FE0C6BB798E857
- PA = (xA, yA)
- k = 0x6CB28D99385C175C94F94E934817663FC176D925DD72B727260DBAAE1FB2F96F
-
- # A、B双方初始化
- sm2_A = SM2(*demo_para(), IDA, dA, PA)
- sm2_B = SM2(*demo_para())
-
- time_1 = get_cpu_time()
- # A对消息M进行签名
- sig = sm2_A.sign(M, k)
-
- # A将消息M签名(r, s)发送给B
-
- # B对消息M签名进行验证
- res = sm2_B.verify(M, sig, IDA, PA)
- time_2 = get_cpu_time()
- print('SM2签名、验证完毕,耗时%.2f ms' % ((time_2 - time_1) * 1000))
- print('结果:%s,R值:%s' % (res, sig[:sm2_A.keysize].hex()))
- # 验证通过,输出的r值(40f1ec59f793d9f49e09dcef49130d4194f79fb1eed2caa55bacdb49c4e755d1)与SM2第2部分 A.2中的结果一致
-
-
- # SM2密钥协商测试2
- # SM2第3部分 A.1 A.2
- def test_SM2_agreement2(option=False):
- IDA = 'ALICE123@YAHOO.COM'
- IDB = 'BILL456@YAHOO.COM'
- dA = 0x6FCBA2EF9AE0AB902BC3BDE3FF915D44BA4CC78F88E2F8E7F8996D3B8CCEEDEE
- xA = 0x3099093BF3C137D8FCBBCDF4A2AE50F3B0F216C3122D79425FE03A45DBFE1655
- yA = 0x3DF79E8DAC1CF0ECBAA2F2B49D51A4B387F2EFAF482339086A27A8E05BAED98B
- PA = (xA, yA)
- dB = 0x5E35D7D3F3C54DBAC72E61819E730B019A84208CA3A35E4C2E353DFCCB2A3B53
- xB = 0x245493D446C38D8CC0F118374690E7DF633A8A4BFB3329B5ECE604B2B4F37F43
- yB = 0x53C0869F4B9E17773DE68FEC45E14904E0DEA45BF6CECF9918C85EA047C60A4C
- PB = (xB, yB)
- rA = 0x83A2C9C8B96E5AF70BD480B472409A9A327257F1EBB73F5B073354B248668563
- x1 = 0x6CB5633816F4DD560B1DEC458310CBCC6856C09505324A6D23150C408F162BF0
- y1 = 0x0D6FCF62F1036C0A1B6DACCF57399223A65F7D7BF2D9637E5BBBEB857961BF1A
- RA = (x1, y1)
- rB = 0x33FE21940342161C55619C4A0C060293D543C80AF19748CE176D83477DE71C80
- x2 = 0x1799B2A2C778295300D9A2325C686129B8F2B5337B3DCF4514E8BBC19D900EE5
- y2 = 0x54C9288C82733EFDF7808AE7F27D0E732F7C73A7D9AC98B7D8740A91D0DB3CF4
- RB = (x2, y2)
-
- time_1 = get_cpu_time()
- # A、B双方初始化
- sm2_A = SM2(*demo_para(), IDA, dA, PA)
- sm2_B = SM2(*demo_para(), IDB, dB, PB)
-
- # A 发起协商
- # A生成rA, RA,将RA发送给B
-
- # B 响应协商
- res, content = sm2_B.agreement_response(RA, PA, IDA, option, rB, RB)
- if not res:
- print('B报告协商错误:', content)
- return
- if option:
- RB, KB, SB, S2 = content
- else:
- RB, KB = content
- SB = None
- # B将RB、(选项SB)发送给A
-
- # A 协商确认
- res, content = sm2_A.agreement_confirm(rA, RA, RB, PB, IDB, SB, option)
- if not res:
- print('A报告协商错误:', content)
- return
- if option:
- KA, SA = content
- else:
- KA = content
-
- if option:
- # A将(选项SA)发送给B
- # B 协商确认
- res, content = sm2_B.agreement_confirm2(S2, SA)
- if not res:
- print('B报告协商错误:', content)
- return
- time_2 = get_cpu_time()
- print('SM2密钥协商完毕,耗时%.2f ms' % ((time_2 - time_1) * 1000))
- print('KA == KB?: %s, value: 0x%s, len: %d' % (KA == KB, KA.hex(), len(KA) << 3))
- # 协商成功,输出的密钥(55b0ac62a6b927ba23703832c853ded4)与SM2第3部分 A.2中的结果一致
-
-
- # SM2加解密测试
- # SM2第4部分 A.1 A.2
- def test_encryption():
- M = 'encryption standard'
- dB = 0x1649AB77A00637BD5E2EFE283FBF353534AA7F7CB89463F208DDBC2920BB0DA0
- xB = 0x435B39CCA8F3B508C1488AFC67BE491A0F7BA07E581A0E4849A5CF70628A7E0A
- yB = 0x75DDBA78F15FEECB4C7895E2C1CDF5FE01DEBB2CDBADF45399CCF77BBA076A42
- PB = (xB, yB)
- k = 0x4C62EEFD6ECFC2B95B92FD6C3D9575148AFA17425546D49018E5388D49DD7B4F
-
- # A、B双方初始化
- sm2_A = SM2(*demo_para())
- sm2_B = SM2(*demo_para(), '', dB, PB)
-
- time_1 = get_cpu_time()
- # A用B的公钥对消息M进行加密
- res, C = sm2_A.encrypt(M, PB, k)
- if not res:
- print('A报告加密错误:', C)
- return
-
- # A将密文C发送给B
-
- # B用自己的私钥对密文C进行解密
- res, M2 = sm2_B.decrypt(C)
- if not res:
- print('B报告解密错误:', M2)
- return
- time_2 = get_cpu_time()
- print('SM2加解密完毕,耗时%.2f ms' % ((time_2 - time_1) * 1000))
- print('结果:%s,解密得:%s(%s)' % (res, M2.hex(), M2.decode()))
- # 加解密成功,解密后的16进制值(656e6372797074696f6e207374616e64617264)与SM2第4部分 A.2中的结果一致
-
-
- if __name__ == "__main__":
- test_ECDH()
- test_SM2_agreement(True)
- # 可复现SM2文档中的示例结果
- test_signature()
- test_SM2_agreement2(True)
- test_encryption()
“他们要打多久,就打多久,一直打到完全胜利!”
多用SM2,少用RSA,不用DH;多用SM3,少用SHA,不用MD5;多用SM4,少用AES,不用DES。支持国密,支持自主,不光是情怀,而是国密算法确实设计得好,易用,安全性高!
目前,对于国密算法的python实现,在代码开源、算法优化、稳定性方面还不及国外的成熟库,幸而我们的国家一直不乏有识之士踔厉奋发、笃行不怠、负重前行。
望大家共同努力,把网络信息安全牢牢掌握在自己手中,共勉!
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/article/detail/50057
推荐阅读
相关标签
