SM2算法是國家密碼管理局于2010年12月頒布的中國商用公鑰密碼標準算法。SM2基于橢圓曲線離散對數問題，計算復雜度是指數級（暫未發現亞指數級或多項式級的計算方法），相較于廣泛應用的RSA公鑰密碼算法，在同等安全程度要求下，SM2所需密鑰長度小、處理速度快。由于SM2在安全性、運算性能等方面都優于RSA算法，且具有自主知識產權，我國計劃在商用密碼體系中用SM2替換RSA算法。

橢圓曲線密碼（ECC）的安全性明顯強于RSA，參考下圖：

采用Python語言編寫的國密工具包主要是gmssl-python庫和snowland-smx-python（pysmx）庫，二者較為完整地實現了SM2、SM3、SM4等國密算法。本工具包涉及的散列運算使用了pysmx庫的SM3算法，pysmx庫對SM3算法的實現高效而優雅，在此向pysmx庫的作者致以誠摯的敬意和感謝！

相較于現有Python國密算法工具包的SM2模塊，本工具包的優勢主要體現在以下3個方面：

1. 首次開源SM2密鑰協商算法。gmssl庫和pysmx庫僅實現了SM2簽名和驗證、加密和解密算法，沒有實現SM2密鑰協商算法，互聯網上也未找到實現SM2密鑰協商算法的Python代碼，故本工具包是首次在互聯網上開源SM2密鑰協商算法的Python代碼。

2. 算法實現更為健壯和完整。gmssl庫和pysmx庫中的橢圓曲線點乘算法僅能輸入有限域內的乘數（否則報錯），所實現的SM2簽名/驗證算法不包含標準要求的Z值計算和Hash變換，除核心算法（密鑰生成、簽名、驗證、加密、解密等）之外還缺少標準描述的一些輔助算法，gmssl庫僅能輸入bytes類型消息；本工具包的點乘算法能夠輸入任意自然數作為乘數并保證正確性，SM2簽名/驗證算法完整實現了Z值計算和Hash變換，除核心算法之外還實現了標準描述的一些重要輔助函數（如公鑰驗證、橢圓曲線系統參數驗證等）。

3. 性能更佳。本工具包通過采用更高效的點乘算法、減少數據類型轉換、充分運用算術運算加速技巧等途徑，明顯提高了計算效率。以SM2算法耗時的主要來源——橢圓曲線點乘運算為例進行測試，同等條件下本工具包的平均耗時約為gmssl庫的35.5%、pysmx庫的61.8%，實際運行簽名與驗證、加解密等算法同樣具備上述幅度的性能優勢。

上圖中的前三個算法是本工具包實現的（具體描述參考國密局2010年SM2文檔，下有鏈接），實測算法2性能最好，默認用的算法2。

對于需應用國密SM2算法的Python項目，可直接調用本工具包實現SM2數字簽名與驗證、加解密以及密鑰協商等功能，也可基于本工具包提供的橢圓曲線運算相關函數自行設計算法和協議。

參考文獻：

國家密碼管理局關于發布《SM2橢圓曲線公鑰密碼算法》公告[EB/OL]．(2010-12-17)?[2022-02-20]．https://sca.gov.cn/sca/xwdt/2010-12/17/content_1002386.shtml．

GMSSL[EB/OL]．(2020-12-09)?[2022-02-20]．https://github.com/duanhongyi/gmssl．

snowland-smx[EB/OL]．(2021-01-27)?[2022-02-20]．https://gitee.com/snowlandltd/ snowland-smx-python．

“沒有網絡安全，就沒有國家安全。”讓我們共同努力，推動國密算法更深層次、更廣泛的研究和應用，為國家網絡信息安全和自主化盡綿薄之力。

是否覺得看到上面一句就結束了？O(∩_∩)O

代碼分三個部分，第一部分是橢圓曲線基礎運算封裝的類，第二部分是SM2封裝的類，第三部分是測試代碼。最簡單而安全的密鑰協商，可以用里面的ECDH，運行很快，當然SM2更安全！同時致敬DH算法，為信息網絡安全耕耘已近半個世紀！幾種密鑰協商算法的運行時間如下圖所示：

上圖結果均不包括通信開銷，其中ECDH和SM2用的是SM2 GB（GB/T 32918.5-2017，信息安全技術 SM2橢圓曲線公鑰密碼算法 第5部分：參數定義）規定的橢圓曲線參數（與參考文獻1《SM2橢圓曲線公鑰密碼算法》中推薦的參數是一樣的），這也是本工具包默認使用的參數。

測試代碼按照參考文獻1（國密局2010年《SM2橢圓曲線公鑰密碼算法》）的參數，復現了其結果，說明代碼實現是標準且正確的。由于要復現結果，測試代碼調用函數的時候輸入了固定參數，其實好多參數是不用輸入的，不輸入就會使用SM2默認參數，或者隨機數。

廢話不多說了，代碼中有詳盡注釋。SM2怎么用？照著測試代碼用就行！

?下面是完整代碼（是否完整？能不能跑？一試便知！）。

import random import time import math import numpy as np from pysmx.SM3 import digest as sm3# 小素數列表，加快判斷素數速度 small_primes = np.array([2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41,43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109,113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191,193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269,271, 277, 281, 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353,359, 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439,443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509, 521, 523,541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601, 607, 613, 617,619, 631, 641, 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709,719, 727, 733, 739, 743, 751, 757, 761, 769, 773, 787, 797, 809, 811,821, 823, 827, 829, 839, 853, 857, 859, 863, 877, 881, 883, 887, 907,911, 919, 929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997])def is_prime(num):# 排除0,1和負數if num < 2:return False# 排除小素數的倍數for prime in small_primes:if num % prime == 0:return False# 未分辨出來的大整數用rabin算法判斷return rabin_miller(num)def rabin_miller(num):s = num - 1t = 0while s & 1 == 0:s >>= 1t += 1for trials in range(5):a = random.randrange(2, num - 1)v = pow(a, s, num)if v != 1:i = 0while v != (num - 1):if i == t - 1:return Falseelse:i = i + 1v = v * v % numreturn True# 將字節轉換為int def to_int(byte):return int.from_bytes(byte, byteorder='big')# 轉換為bytes，第二參數為字節數（可不填） def to_byte(x, size=None):if isinstance(x, int):if size is None: # 計算合適的字節數size = 0tmp = x >> 64while tmp:size += 8tmp >>= 64tmp = x >> (size << 3)while tmp:size += 1tmp >>= 8elif x >> (size << 3): # 指定的字節數不夠則截取低位x &= (1 << (size << 3)) - 1return x.to_bytes(size, byteorder='big')elif isinstance(x, str):x = x.encode()if size != None and len(x) > size: # 超過指定長度x = x[:size] # 截取左側字符return xelif isinstance(x, bytes):if size != None and len(x) > size: # 超過指定長度x = x[:size] # 截取左側字節return xelif isinstance(x, tuple) and len(x) == 2 and type(x[0]) == type(x[1]) == int:# 針對坐標形式(x, y)return to_byte(x[0], size) + to_byte(x[1], size)return bytes(x)# 將列表元素轉換為bytes并連接 def join_bytes(data_list):return b''.join([to_byte(i) for i in data_list])# 求最大公約數 def gcd(a, b):return a if b == 0 else gcd(b, a % b)# 求乘法逆元過程中的輔助遞歸函數 def get_(a, b):if b == 0:return 1, 0x1, y1 = get_(b, a % b)x, y = y1, x1 - a // b * y1return x, y# 求乘法逆元 def get_inverse(a, p):# return pow(a, p-2, p) # 效率較低、n倍點的時候兩種計算方法結果會有不同if gcd(a, p) == 1:x, y = get_(a, p)return x % preturn 1def get_cpu_time():return time.perf_counter()# 密鑰派生函數（從一個共享的秘密比特串中派生出密鑰數據） # SM2第3部分 5.4.3 # Z為bytes類型 # klen表示要獲得的密鑰數據的比特長度（8的倍數），int類型 # 輸出為bytes類型 def KDF(Z, klen):ksize = klen >> 3K = bytearray()for ct in range(1, math.ceil(ksize / HASH_SIZE) + 1):K.extend(sm3(Z + to_byte(ct, 4)))return K[:ksize]# 計算比特位數 def get_bit_num(x):if isinstance(x, int):num = 0tmp = x >> 64while tmp:num += 64tmp >>= 64tmp = x >> num >> 8while tmp:num += 8tmp >>= 8x >>= numwhile x:num += 1x >>= 1return numelif isinstance(x, str):return len(x.encode()) << 3elif isinstance(x, bytes):return len(x) << 3return 0# 橢圓曲線密碼類（實現一般的EC運算，不局限于SM2） class ECC:def __init__(self, p, a, b, n, G, h=None):self.p = pself.a = aself.b = bself.n = nself.G = Gif h:self.h = hself.O = (-1, -1) # 定義仿射坐標下無窮遠點（零點）# 預先計算Jacobian坐標兩點相加時用到的常數self._2 = get_inverse(2, p)self.a_3 = (a + 3) % p# 橢圓曲線上兩點相加（仿射坐標）# SM2第1部分 3.2.3.1# 僅提供一個參數時為相同坐標點相加def add(self, P1, P2=None):x1, y1 = P1if P2 is None or P1 == P2: # 相同坐標點相加# 處理無窮遠點if P1 == self.O:return self.O# 計算斜率k（k已不具備明確的幾何意義）k = (3 * x1 * x1 + self.a) * get_inverse(2 * y1, self.p) % self.p# 計算目標點坐標x3 = (k * k - x1 - x1) % self.py3 = (k * (x1 - x3) - y1) % self.pelse:x2, y2 = P2# 處理無窮遠點if P1 == self.O:return P2if P2 == self.O:return P1if x1 == x2:return self.O# 計算斜率kk = (y2 - y1) * get_inverse(x2 - x1, self.p) % self.p# 計算目標點坐標x3 = (k * k - x1 - x2) % self.py3 = (k * (x1 - x3) - y1) % self.preturn x3, y3# 橢圓曲線上的點乘運算（仿射坐標）def multiply(self, k, P):# 判斷常數k的合理性assert type(k) is int and k >= 0, 'factor value error'# 處理無窮遠點if k == 0 or P == self.O:return self.Oif k == 1:return Pelif k == 2:return self.add(P)elif k == 3:return self.add(P, self.add(P))elif k & 1 == 0: # k/2 * P + k/2 * Preturn self.add(self.multiply(k >> 1, P))elif k & 1 == 1: # P + k/2 * P + k/2 * Preturn self.add(P, self.add(self.multiply(k >> 1, P)))# 輸入P，返回-Pdef minus(self, P):Q = list(P)Q[1] = -Q[1]return tuple(Q)# Jacobian加重射影坐標下兩點相加# SM2第1部分 A.1.2.3.2# 輸入點包含兩項時為仿射坐標，三項為Jacobian加重射影坐標，兩點坐標系可不同# 兩點相同時省略第二個參數def Jacb_add(self, P1, P2=None):if P2 is None or P1 == P2: # 相同點相加# 處理無窮遠點if P1 == self.O:return self.O# 根據參數包含的項數判斷坐標系（是仿射坐標則轉Jacobian坐標）x1, y1, z1 = P1 if len(P1) == 3 else (*P1, 1)# t1 = 3 * x1**2 + self.a * pow(z1, 4, self.p)# t2 = 4 * x1 * y1**2# t3 = 8 * pow(y1, 4, self.p)# x3 = (t1**2 - 2 * t2) % self.p# y3 = (t1 * (t2 - x3) - t3) % self.p# z3 = 2 * y1 * z1 % self.p z3 = (y1 * z1 << 1) % self.pif z3 == 0: # 處理無窮遠點return self.OT2 = y1 * y1 % self.pT4 = (T2 << 3) % self.pT5 = x1 * T4 % self.pT6 = z1 * z1 % self.pT1 = (x1 + T6) * (x1 - T6) * 3 % self.pT1 = (T1 + self.a_3 * T6 * T6) % self.pT3 = T1 * T1 % self.pT2 = T2 * T4 % self.px3 = (T3 - T5) % self.pT4 = T5 + (T5 + self.p >> 1) - T3 if T5 & 1 else T5 + (T5 >> 1) - T3T1 = T1 * T4 % self.py3 = (T1 - T2) % self.pelse: # 不同點相加# 處理無窮遠點if P1 == self.O:return P2if P2 == self.O:return P1# 根據參數包含的項數判斷坐標系（是仿射坐標則轉Jacobian坐標）x1, y1, z1 = P1 if len(P1) == 3 else (*P1, 1)x2, y2, z2 = P2 if len(P2) == 3 else (*P2, 1)if z2 != 1 and z1 != 1:z1_2 = z1 * z1 % self.pz2_2 = z2 * z2 % self.pt1 = x1 * z2_2 % self.pt2 = x2 * z1_2 % self.pt3 = t1 - t2z3 = z1 * z2 * t3 % self.pif z3 == 0: # 處理無窮遠點return self.Ot4 = y1 * z2 * z2_2 % self.pt5 = y2 * z1 * z1_2 % self.pt6 = t4 - t5t7 = t1 + t2t8 = t4 + t5t3_2 = t3 * t3 % self.px3 = (t6 * t6 - t7 * t3_2) % self.pt9 = (t7 * t3_2 - (x3 << 1)) % self.py3 = (t9 * t6 - t8 * t3 * t3_2) * self._2 % self.pelse: # 可簡化計算if z1 == 1: # 確保第二個點的z1=1x1, y1, z1, x2, y2 = x2, y2, z2, x1, y1T1 = z1 * z1 % self.pT2 = y2 * z1 % self.pT3 = x2 * T1 % self.pT1 = T1 * T2 % self.pT2 = T3 - x1z3 = z1 * T2 % self.pif z3 == 0: # 處理無窮遠點return self.OT3 = T3 + x1T1 = T1 - y1T4 = T2 * T2 % self.pT5 = T1 * T1 % self.pT2 = T2 * T4 % self.pT3 = T3 * T4 % self.pT4 = x1 * T4 % self.px3 = T5 - T3 % self.pT2 = y1 * T2 % self.pT3 = T4 - x3T1 = T1 * T3 % self.py3 = T1 - T2 % self.p# T1 = z1 * z1 % self.p# T3 = x2 * T1 % self.p# T2 = T3 - x1# z3 = z1 * T2 % self.p# if z3 == 0: # 處理無窮遠點# return self.O# T1 = (T1 * y2 * z1 - y1) % self.p# T4 = T2 * T2 % self.p# x3 = T1 * T1 - (T3 + x1) * T4 % self.p# T1 = T1 * (x1 * T4 - x3) % self.p# y3 = T1 - y1 * T2 * T4 % self.preturn x3, y3, z3# Jacobian加重射影坐標下的點乘運算# SM2第1部分 A.3# 輸入點包含兩項時為仿射坐標，三項為Jacobian坐標# conv=True時結果轉換為仿射坐標，否則不轉換# algo表示選擇的算法， r表示算法三（滑動窗法）的窗口值def Jacb_multiply(self, k, P, conv=True, algo=2, r=5):# 處理無窮遠點if k == 0 or P == self.O:return self.O# 仿射坐標轉Jacobian坐標# if len(P) == 2: # P = (*P, 1)# 算法一：二進制展開法if algo == 1:Q = Pfor i in bin(k)[3:]:Q = self.Jacb_add(Q)if i == '1':Q = self.Jacb_add(Q, P)# 算法二：加減法elif algo == 2:h = bin(3 * k)[2:]k = bin(k)[2:]k = '0' * (len(h) - len(k)) + kQ = PminusP = self.minus(P)for i in range(1, len(h) - 1):Q = self.Jacb_add(Q)if h[i] == '1' and k[i] == '0':Q = self.Jacb_add(Q, P)elif h[i] == '0' and k[i] == '1':Q = self.Jacb_add(Q, minusP)# 算法三：滑動窗法# 當k為255/256位時，通過test_r函數測試，r=5復雜度最低elif algo == 3:k = bin(k)[2:]l = len(k)if r >= l: # 如果窗口大于k的二進制位數，則本算法無意義return self.Jacb_multiply(int(k, 2), P, conv, 2)# 保存P[j]值的字典P_ = {1: P, 2: self.Jacb_add(P)}for i in range(1, 1 << (r - 1)):P_[(i << 1) + 1] = self.Jacb_add(P_[(i << 1) - 1], P_[2])t = rwhile k[t - 1] != '1':t -= 1hj = int(k[:t], 2)Q = P_[hj]j = twhile j < l:if k[j] == '0':Q = self.Jacb_add(Q)j += 1else:t = min(r, l - j)while k[j + t - 1] != '1':t -= 1hj = int(k[j:j + t], 2)Q = self.Jacb_add(self.Jacb_multiply(1 << t, Q, False, 2), P_[hj])j += treturn self.Jacb_to_affine(Q) if conv else Q# Jacobian加重射影坐標轉仿射坐標# SM2第1部分 A.1.2.3.2def Jacb_to_affine(self, P):if len(P) == 2: # 已經是仿射坐標return Px, y, z = P# 處理無窮遠點if z == 0:return self.Oz_ = get_inverse(z, self.p) # z的乘法逆元x2 = x * z_ * z_ % self.py2 = y * z_ * z_ * z_ % self.preturn x2, y2# 判斷是否為無窮遠點（零點）def is_zero(self, P):if len(P) == 2: # 仿射坐標return P == self.Oelse: # Jacobian加重射影坐標return P[2] == 0# 判斷是否為域Fp中的元素# 可輸入多個元素，全符合才返回Truedef on_Fp(self, *x):for i in x:if 0 <= i < self.p:passelse:return Falsereturn True# 判斷是否在橢圓曲線上def on_curve(self, P):if self.is_zero(P):return Falseif len(P) == 2: # 仿射坐標x, y = Preturn y * y % self.p == (x * x * x + self.a * x + self.b) % self.pelse: # Jacobian加重射影坐標x, y, z = Preturn y * y % self.p == (x * x * x + self.a * x * pow(z, 4, self.p) + self.b * pow(z, 6, self.p)) % self.p# 生成密鑰對# 返回值：d為私鑰，P為公鑰# SM2第1部分 6.1def gen_keypair(self):d = random.randint(1, self.n - 2)P = self.Jacb_multiply(d, self.G)return d, P# 公鑰驗證# SM2第1部分 6.2.1def pk_valid(self, P):# 判斷點P的格式if P and len(P) == 2 and type(P[0]) == type(P[1]) == int:passelse:self.error = '格式有誤' # 記錄錯誤信息return False# a) 驗證P不是無窮遠點Oif self.is_zero(P):self.error = '無窮遠點'return False# b) 驗證公鑰P的坐標xP和yP是域Fp中的元素if not self.on_Fp(*P):self.error = '坐標值不是域Fp中的元素'return False# c) 驗證y^2 = x^3 + ax + b (mod p)if not self.on_curve(P):self.error = '不在橢圓曲線上'return False# d) 驗證[n]P = Oif not self.is_zero(self.Jacb_multiply(self.n, P, False)):self.error = '[n]P不是無窮遠點'return Falsereturn True# 確認目前已有公私鑰對def confirm_keypair(self):if not hasattr(self, 'pk') or not self.pk_valid(self.pk) or self.pk != self.Jacb_multiply(self.sk, self.G):# 目前沒有合格的公私鑰對則生成while True:d, P = self.gen_keypair()if self.pk_valid(P): # 確保公鑰通過驗證self.sk, self.pk = d, Preturn# 國家密碼管理局：SM2橢圓曲線公鑰密碼算法推薦曲線參數 SM2_p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF SM2_a = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC SM2_b = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93 SM2_n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123 SM2_Gx = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7 SM2_Gy = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0PARA_SIZE = 32 # 參數長度（字節） HASH_SIZE = 32 # sm3輸出256位（32字節） KEY_LEN = 128 # 默認密鑰位數# SM2類繼承ECC class SM2(ECC):# 默認使用SM2推薦曲線參數def __init__(self, p=SM2_p, a=SM2_a, b=SM2_b, n=SM2_n, G=(SM2_Gx, SM2_Gy), h=None,ID=None, sk=None, pk=None, genkeypair=True): # genkeypair表示是否自動生成公私鑰對if not h: # 余因子h默認為1h = 1ECC.__init__(self, p, a, b, n, G, h)self.keysize = len(to_byte(n)) # 密鑰長度（字節）if type(ID) in (int, str): # 身份ID（數字或字符串）self.ID = IDelse:self.ID = ''if sk and pk: # 如果提供的公私鑰對通過驗證，即使genkeypair=True也不會重新生成self.sk = sk # 私鑰（int [1,n-2]）self.pk = pk # 公鑰（x, y）self.confirm_keypair() # 驗證該公私鑰對，不合格則生成elif genkeypair: # 自動生成合格的公私鑰對self.confirm_keypair()# 預先計算用到的常數if hasattr(self, 'sk'): # 簽名時self.d_1 = get_inverse(1 + self.sk, self.n)# 橢圓曲線系統參數驗證# SM2第1部分 5.2.2def para_valid(self):# a) 驗證q = p是奇素數if not is_prime(self.p):self.error = 'p不是素數' # 記錄錯誤信息return False# b) 驗證a、b、Gx和Gy是區間[0, p?1]中的整數if not self.on_Fp(self.a, self.b, *self.G):self.error = 'a、b或G坐標值不是域Fp中的元素'return False# d) 驗證(4a^3 + 27b^2) mod p != 0if (4 * self.a * self.a * self.a + 27 * self.b * self.b) % self.p == 0:self.error = '(4a^3 + 27b^2) mod p = 0'return False# e) 驗證Gy^2 = Gx^3 + aGx + b (mod p)if not self.on_curve(self.G):self.error = 'G不在橢圓曲線上'return False# f) 驗證n是素數，n > 2^191 且 n > 4p^1/2if not is_prime(self.n) or self.n <= 1 << 191 or self.n <= 4 * self.p ** 0.5:self.error = 'n不是素數或n不夠大'return False# g) 驗證[n]G = Oif not self.is_zero(self.Jacb_multiply(self.n, self.G, False)):self.error = '[n]G不是無窮遠點'return False# i) 驗證抗MOV攻擊條件和抗異常曲線攻擊條件成立（A.4.2.1）B = 27 # MOV閾Bt = 1for i in range(B):t = t * self.p % self.nif t == 1:self.error = '不滿足抗MOV攻擊條件'return False# 橢圓曲線的階N=#E(Fp)計算太復雜，未實現A.4.2.2驗證# Fp上的絕大多數橢圓曲線確實滿足抗異常曲線攻擊條件return True# 計算Z# SM2第2部分 5.5# ID為數字或字符串，P為公鑰（不提供參數時返回自身Z值）def get_Z(self, ID=None, P=None):save = Falseif not P: # 不提供參數if hasattr(self, 'Z'): # 再次計算，返回曾計算好的自身Z值return self.Zelse: # 首次計算自身Z值ID = self.IDP = self.pksave = Trueentlen = get_bit_num(ID)ENTL = to_byte(entlen, 2)Z = sm3(join_bytes([ENTL, ID, self.a, self.b, *self.G, *P]))if save: # 保存自身Z值self.Z = Zreturn Z# 數字簽名# SM2第2部分 6.1# 輸入：待簽名的消息M、隨機數k（不填則自動生成）、輸出類型（默認bytes）、對M是否hash（默認是）# 輸出：r, s（int類型）或拼接后的bytesdef sign(self, M, k=None, outbytes=True, dohash=True):if dohash:M_ = join_bytes([self.get_Z(), M])e = to_int(sm3(M_))else:e = to_int(to_byte(M))while True:if not k:k = random.randint(1, self.n - 1)# x1, y1 = self.multiply(k, self.G)x1, y1 = self.Jacb_multiply(k, self.G)r = (e + x1) % self.nif r == 0 or r + k == self.n:k = 0continue# s = get_inverse(1 + self.sk, self.n) * (k - r * self.sk) % self.ns = self.d_1 * (k - r * self.sk) % self.nif s == 0:k = 0else:breakif outbytes:return to_byte((r, s), self.keysize)else:return r, s# 數字簽名驗證# SM2第2部分 7.1# 輸入：收到的消息M′及其數字簽名(r′, s′)、簽名者的身份標識IDA及公鑰PA、對M是否hash（默認是）# 輸出：True or Falsedef verify(self, M, sig, IDA, PA, dohash=True):if isinstance(sig, bytes):r = to_int(sig[:self.keysize])s = to_int(sig[self.keysize:])else:r, s = sigif not 1 <= r <= self.n - 1:return Falseif not 1 <= s <= self.n - 1:return Falseif dohash:M_ = join_bytes([self.get_Z(IDA, PA), M])e = to_int(sm3(M_))else:e = to_int(to_byte(M))t = (r + s) % self.nif t == 0:return FalsesG = self.Jacb_multiply(s, self.G, False)tPA = self.Jacb_multiply(t, PA, False)x1, y1 = self.Jacb_to_affine(self.Jacb_add(sG, tPA))R = (e + x1) % self.nif R == r:return Trueelse: # 避免Jacobian坐標下的等價點導致判斷失敗x1, y1 = self.add(self.Jacb_to_affine(sG), self.Jacb_to_affine(tPA))R = (e + x1) % self.nreturn R == r# A 發起協商# SM2第3部分 6.1 A1-A3# 返回rA、RAdef agreement_initiate(self):return self.gen_keypair()# B 響應協商（option=True時計算選項部分）# SM2第3部分 6.1 B1-B9def agreement_response(self, RA, PA, IDA, option=False, rB=None, RB=None, klen=None):# 參數準備if not self.on_curve(RA):return False, 'RA不在橢圓曲線上'x1, y1 = RAw = math.ceil(math.ceil(math.log(self.n, 2)) / 2) - 1if not hasattr(self, 'sk'):self.confirm_keypair()h = 1 # SM2推薦曲線的余因子h=1ZA = self.get_Z(IDA, PA)ZB = self.get_Z()# B1-B7if not rB:rB, RB = self.gen_keypair()x2, y2 = RBx_2 = (1 << w) + (x2 & (1 << w) - 1)tB = (self.sk + x_2 * rB) % self.nx_1 = (1 << w) + (x1 & (1 << w) - 1)# V = self.multiply(h * tB, self.add(PA, self.multiply(x_1, RA)))V = self.Jacb_multiply(h * tB, self.Jacb_add(self.Jacb_multiply(x_1, RA, False), PA))if self.is_zero(V):return False, 'V是無窮遠點'xV, yV = Vif not klen:klen = KEY_LENKB = KDF(join_bytes([xV, yV, ZA, ZB]), klen)if not option:return True, (RB, KB)# B8、B10（可選部分）tmp = join_bytes([yV, sm3(join_bytes([xV, ZA, ZB, x1, y1, x2, y2]))])SB = sm3(join_bytes([2, tmp]))S2 = sm3(join_bytes([3, tmp]))return True, (RB, KB, SB, S2)# A 協商確認# SM2第3部分 6.1 A4-A10def agreement_confirm(self, rA, RA, RB, PB, IDB, SB=None, option=False, klen=None):# 參數準備if not self.on_curve(RB):return False, 'RB不在橢圓曲線上'x1, y1, x2, y2 = *RA, *RBw = math.ceil(math.ceil(math.log(self.n, 2)) / 2) - 1if not hasattr(self, 'sk'):self.confirm_keypair()h = 1 # SM2推薦曲線的余因子h=1ZA = self.get_Z()ZB = self.get_Z(IDB, PB)# A4-A8x_1 = (1 << w) + (x1 & (1 << w) - 1)tA = (self.sk + x_1 * rA) % self.nx_2 = (1 << w) + (x2 & (1 << w) - 1)# U = self.multiply(h * tA, self.add(PB, self.multiply(x_2, RB)))U = self.Jacb_multiply(h * tA, self.Jacb_add(self.Jacb_multiply(x_2, RB, False), PB))if self.is_zero(U):return False, 'U是無窮遠點'xU, yU = Uif not klen:klen = KEY_LENKA = KDF(join_bytes([xU, yU, ZA, ZB]), klen)if not option or not SB:return True, KA# A9-A10（可選部分）tmp = join_bytes([yU, sm3(join_bytes([xU, ZA, ZB, x1, y1, x2, y2]))])S1 = sm3(join_bytes([2, tmp]))if S1 != SB:return False, 'S1 != SB'SA = sm3(join_bytes([3, tmp]))return True, (KA, SA)# B 協商確認（可選部分）# SM2第3部分 6.1 B10def agreement_confirm2(self, S2, SA):if S2 != SA:return False, 'S2 != SA'return True, ''# 加密# SM2第4部分 6.1# 輸入：待加密的消息M（bytes或str類型）、對方的公鑰PB、隨機數k（不填則自動生成）# 輸出(True, bytes類型密文)或(False, 錯誤信息)def encrypt(self, M, PB, k=None):if self.is_zero(self.multiply(self.h, PB)): # Sreturn False, 'S是無窮遠點'M = to_byte(M)klen = get_bit_num(M)while True:if not k:k = random.randint(1, self.n - 1)# x2, y2 = self.multiply(k, PB)x2, y2 = self.Jacb_multiply(k, PB)t = to_int(KDF(join_bytes([x2, y2]), klen))if t == 0: # 若t為全0比特串則繼續循環k = 0else:break# C1 = to_byte(self.multiply(k, self.G), self.keysize) # (x1, y1)C1 = to_byte(self.Jacb_multiply(k, self.G), self.keysize) # (x1, y1)C2 = to_byte(to_int(M) ^ t, klen >> 3)C3 = sm3(join_bytes([x2, M, y2]))return True, join_bytes([C1, C2, C3])# 解密# SM2第4部分 7.1# 輸入：密文C（bytes類型）# 輸出(True, bytes類型明文)或(False, 錯誤信息)def decrypt(self, C):x1 = to_int(C[:self.keysize])y1 = to_int(C[self.keysize:self.keysize << 1])C1 = (x1, y1)if not self.on_curve(C1):return False, 'C1不滿足橢圓曲線方程'if self.is_zero(self.multiply(self.h, C1)): # Sreturn False, 'S是無窮遠點'# x2, y2 = self.multiply(self.sk, C1)x2, y2 = self.Jacb_multiply(self.sk, C1)klen = len(C) - (self.keysize << 1) - HASH_SIZE << 3t = to_int(KDF(join_bytes([x2, y2]), klen))if t == 0:return False, 't為全0比特串'C2 = C[self.keysize << 1:-HASH_SIZE]M = to_byte(to_int(C2) ^ t, klen >> 3)u = sm3(join_bytes([x2, M, y2]))C3 = C[-HASH_SIZE:]if u != C3:return False, 'u != C3'return True, M# 最簡單的ECDH正確性測試 def test_ECDH(verify=False):time_1 = get_cpu_time()sm2 = SM2(genkeypair=False)# A、B雙方生成公、私鑰dA, PA = sm2.gen_keypair()dB, PB = sm2.gen_keypair()# 驗證ECC系統參數和公鑰if verify:if not sm2.para_valid():print('橢圓曲線系統參數未通過驗證：%s' % sm2.error)returnif not sm2.pk_valid(PA):print('PA未通過驗證：%s' % sm2.error)returnif not sm2.pk_valid(PB):print('PB未通過驗證：%s' % sm2.error)return# A將PA傳給B，B將PB傳給A# A、B雙方計算密鑰QA = sm2.Jacb_multiply(dA, PB)KA = KDF(to_byte(QA), KEY_LEN)QB = sm2.Jacb_multiply(dB, PA)KB = KDF(to_byte(QB), KEY_LEN)time_2 = get_cpu_time()print('ECDH密鑰協商完畢，耗時%.2f ms' % ((time_2 - time_1) * 1000))print('KA == KB?: %s, value: 0x%s, len: %d' % (KA == KB, KA.hex(), len(KA) << 3))# SM2密鑰協商測試 def test_SM2_agreement(option=False):time_1 = get_cpu_time()# A、B雙方初始化sm2_A = SM2(ID='Alice')sm2_B = SM2(ID='Bob')# A、B均掌握對方的公鑰和IDPA, IDA = sm2_A.pk, sm2_A.IDPB, IDB = sm2_B.pk, sm2_B.ID# A 發起協商rA, RA = sm2_A.agreement_initiate()# A將RA發送給B# B 響應協商res, content = sm2_B.agreement_response(RA, PA, IDA, option)if not res:print('B報告協商錯誤：', content)returnif option:RB, KB, SB, S2 = contentelse:RB, KB = contentSB = None# B將RB、(選項SB)發送給A# A 協商確認res, content = sm2_A.agreement_confirm(rA, RA, RB, PB, IDB, SB, option)if not res:print('A報告協商錯誤：', content)returnif option:KA, SA = contentelse:KA = contentif option:# A將(選項SA)發送給B# B 協商確認res, content = sm2_B.agreement_confirm2(S2, SA)if not res:print('B報告協商錯誤：', content)returntime_2 = get_cpu_time()print('SM2密鑰協商完畢，耗時%.2f ms' % ((time_2 - time_1) * 1000))print('KA == KB?: %s, value: 0x%s, len: %d' % (KA == KB, KA.hex(), len(KA) << 3))# SM2示例中的橢圓曲線系統參數 def demo_para():p = 0x8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3a = 0x787968B4FA32C3FD2417842E73BBFEFF2F3C848B6831D7E0EC65228B3937E498b = 0x63E4C6D3B23B0C849CF84241484BFE48F61D59A5B16BA06E6E12D1DA27C5249AxG = 0x421DEBD61B62EAB6746434EBC3CC315E32220B3BADD50BDC4C4E6C147FEDD43DyG = 0x0680512BCBB42C07D47349D2153B70C4E5D7FDFCBFA36EA1A85841B9E46E09A2n = 0x8542D69E4C044F18E8B92435BF6FF7DD297720630485628D5AE74EE7C32E79B7G = (xG, yG)h = 1return p, a, b, n, G, h# SM2數字簽名與驗證測試 # SM2第2部分 A.1 A.2 def test_signature():IDA = 'ALICE123@YAHOO.COM'M = 'message digest'dA = 0x128B2FA8BD433C6C068C8D803DFF79792A519A55171B1B650C23661D15897263xA = 0x0AE4C7798AA0F119471BEE11825BE46202BB79E2A5844495E97C04FF4DF2548AyA = 0x7C0240F88F1CD4E16352A73C17B7F16F07353E53A176D684A9FE0C6BB798E857PA = (xA, yA)k = 0x6CB28D99385C175C94F94E934817663FC176D925DD72B727260DBAAE1FB2F96F# A、B雙方初始化sm2_A = SM2(*demo_para(), IDA, dA, PA)sm2_B = SM2(*demo_para())time_1 = get_cpu_time()# A對消息M進行簽名sig = sm2_A.sign(M, k)# A將消息M簽名(r, s)發送給B# B對消息M簽名進行驗證res = sm2_B.verify(M, sig, IDA, PA)time_2 = get_cpu_time()print('SM2簽名、驗證完畢，耗時%.2f ms' % ((time_2 - time_1) * 1000))print('結果：%s，R值：%s' % (res, sig[:sm2_A.keysize].hex()))# 驗證通過，輸出的r值(40f1ec59f793d9f49e09dcef49130d4194f79fb1eed2caa55bacdb49c4e755d1)與SM2第2部分 A.2中的結果一致# SM2密鑰協商測試2 # SM2第3部分 A.1 A.2 def test_SM2_agreement2(option=False):IDA = 'ALICE123@YAHOO.COM'IDB = 'BILL456@YAHOO.COM'dA = 0x6FCBA2EF9AE0AB902BC3BDE3FF915D44BA4CC78F88E2F8E7F8996D3B8CCEEDEExA = 0x3099093BF3C137D8FCBBCDF4A2AE50F3B0F216C3122D79425FE03A45DBFE1655yA = 0x3DF79E8DAC1CF0ECBAA2F2B49D51A4B387F2EFAF482339086A27A8E05BAED98BPA = (xA, yA)dB = 0x5E35D7D3F3C54DBAC72E61819E730B019A84208CA3A35E4C2E353DFCCB2A3B53xB = 0x245493D446C38D8CC0F118374690E7DF633A8A4BFB3329B5ECE604B2B4F37F43yB = 0x53C0869F4B9E17773DE68FEC45E14904E0DEA45BF6CECF9918C85EA047C60A4CPB = (xB, yB)rA = 0x83A2C9C8B96E5AF70BD480B472409A9A327257F1EBB73F5B073354B248668563x1 = 0x6CB5633816F4DD560B1DEC458310CBCC6856C09505324A6D23150C408F162BF0y1 = 0x0D6FCF62F1036C0A1B6DACCF57399223A65F7D7BF2D9637E5BBBEB857961BF1ARA = (x1, y1)rB = 0x33FE21940342161C55619C4A0C060293D543C80AF19748CE176D83477DE71C80x2 = 0x1799B2A2C778295300D9A2325C686129B8F2B5337B3DCF4514E8BBC19D900EE5y2 = 0x54C9288C82733EFDF7808AE7F27D0E732F7C73A7D9AC98B7D8740A91D0DB3CF4RB = (x2, y2)time_1 = get_cpu_time()# A、B雙方初始化sm2_A = SM2(*demo_para(), IDA, dA, PA)sm2_B = SM2(*demo_para(), IDB, dB, PB)# A 發起協商# A生成rA, RA，將RA發送給B# B 響應協商res, content = sm2_B.agreement_response(RA, PA, IDA, option, rB, RB)if not res:print('B報告協商錯誤：', content)returnif option:RB, KB, SB, S2 = contentelse:RB, KB = contentSB = None# B將RB、(選項SB)發送給A# A 協商確認res, content = sm2_A.agreement_confirm(rA, RA, RB, PB, IDB, SB, option)if not res:print('A報告協商錯誤：', content)returnif option:KA, SA = contentelse:KA = contentif option:# A將(選項SA)發送給B# B 協商確認res, content = sm2_B.agreement_confirm2(S2, SA)if not res:print('B報告協商錯誤：', content)returntime_2 = get_cpu_time()print('SM2密鑰協商完畢，耗時%.2f ms' % ((time_2 - time_1) * 1000))print('KA == KB?: %s, value: 0x%s, len: %d' % (KA == KB, KA.hex(), len(KA) << 3))# 協商成功，輸出的密鑰(55b0ac62a6b927ba23703832c853ded4)與SM2第3部分 A.2中的結果一致# SM2加解密測試 # SM2第4部分 A.1 A.2 def test_encryption():M = 'encryption standard'dB = 0x1649AB77A00637BD5E2EFE283FBF353534AA7F7CB89463F208DDBC2920BB0DA0xB = 0x435B39CCA8F3B508C1488AFC67BE491A0F7BA07E581A0E4849A5CF70628A7E0AyB = 0x75DDBA78F15FEECB4C7895E2C1CDF5FE01DEBB2CDBADF45399CCF77BBA076A42PB = (xB, yB)k = 0x4C62EEFD6ECFC2B95B92FD6C3D9575148AFA17425546D49018E5388D49DD7B4F# A、B雙方初始化sm2_A = SM2(*demo_para())sm2_B = SM2(*demo_para(), '', dB, PB)time_1 = get_cpu_time()# A用B的公鑰對消息M進行加密res, C = sm2_A.encrypt(M, PB, k)if not res:print('A報告加密錯誤：', C)return# A將密文C發送給B# B用自己的私鑰對密文C進行解密res, M2 = sm2_B.decrypt(C)if not res:print('B報告解密錯誤：', M2)returntime_2 = get_cpu_time()print('SM2加解密完畢，耗時%.2f ms' % ((time_2 - time_1) * 1000))print('結果：%s，解密得：%s(%s)' % (res, M2.hex(), M2.decode()))# 加解密成功，解密后的16進制值(656e6372797074696f6e207374616e64617264)與SM2第4部分 A.2中的結果一致if __name__ == "__main__":test_ECDH()test_SM2_agreement(True)# 可復現SM2文檔中的示例結果test_signature()test_SM2_agreement2(True)test_encryption()

“他們要打多久，就打多久，一直打到完全勝利！”

多用SM2，少用RSA，不用DH；多用SM3，少用SHA，不用MD5；多用SM4，少用AES，不用DES。支持國密，支持自主，不光是情懷，而是國密算法確實設計得好，易用，安全性高！

目前，對于國密算法的python實現，在代碼開源、算法優化、穩定性方面還不及國外的成熟庫，幸而我們的國家一直不乏有識之士踔厲奮發、篤行不怠、負重前行。

望大家共同努力，把網絡信息安全牢牢掌握在自己手中，共勉！

總結

以上是生活随笔為你收集整理的国密算法 SM2 公钥加密 非对称加密 数字签名 密钥协商 python实现完整代码的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。