CN110061847B - Digital signature method for key distributed generation - Google Patents

Abstract

The invention discloses a digital signature method for distributed generation of a secret key, which is used for solving the technical problem of low efficiency of the traditional digital signature method. In the key generation stage, t signature participants select own sub-private keys and complete the generation of the private keys through the interaction with the first signature participant. In the signature stage, the t signature participants sequentially use the sub private keys held by the participants to carry out distributed signature, then the tth signature participant completes the synthesis of the second part of the signature under the homomorphic encryption condition, and then the first signature participant completes the final signature synthesis and verification. According to the invention, a paillier homomorphic encryption algorithm is utilized, each signature participant does not need to utilize zero knowledge proof to ensure the correctness of the signature, and the final signature verification only needs point addition operation on one elliptic curve and point multiplication operation on two elliptic curves, so that compared with t times of zero knowledge proof in the background technology, the calculation efficiency is improved.

Description

Digital signature method for key distributed generation

Technical Field

The invention relates to a digital signature method, in particular to a digital signature method for key distributed generation.

Background

A distributed threshold signature method is proposed in the document Goldfeder S, Gennaro R, Kalodner H, et al, securing Bitcoin wallets via a new DSA/ECDSA threshold signature scheme.2015. In the method, the private key of the signature is mastered by t persons, and the signature process needs to be completed by the t persons, so that the safety of the private key of the signature is improved. However, this method uses a large number of zero-knowledge proof operations, the zero-knowledge proof requires the verifying party to interact with the verified party for a plurality of times, and the higher the magnitude of the interaction times, the higher the credibility of the verified party, which is a time-consuming operation, so the efficiency of this method is relatively low. In the method, t times of zero knowledge proofings are needed to finish one signature, and t times of zero knowledge proofings are supposed to be needed for one time of zero knowledge proofings_zSecondary interactions, then t.t is required to complete all zero knowledge proofs_zAnd the number of times of interaction is too large, so that the method is not suitable for being applied in a real scene.

Disclosure of Invention

In order to overcome the defect of low efficiency of the conventional digital signature method, the invention provides a digital signature method for key distributed generation. In the key generation stage, t signature participants select own sub-private keys, and the generation of the private keys is completed through interaction with the first signature participant. In the signature stage, the t signature participants sequentially use the sub private keys held by the participants to carry out distributed signature, then the tth signature participant completes the synthesis of the second part of the signature under the homomorphic encryption condition, and then the first signature participant completes the final signature synthesis and verification. According to the invention, a paillier homomorphic encryption algorithm is utilized, each signature participant does not need to utilize zero knowledge proof to ensure the correctness of the signature, only the first signature participant needs to verify the signature to ensure the correctness of the final signature, and the final signature verification only needs point addition operation on one elliptic curve and point multiplication operation on two elliptic curves, so that compared with t times of zero knowledge proof in the background technology, the calculation efficiency is improved.

The technical scheme adopted by the invention for solving the technical problems is as follows: a digital signature method for key distributed generation is characterized by comprising the following steps:

step one, signing participant ID first₁Selects own sub-private key d₁E {1,2, …, n-1}, and then calculates its own child private key d₁Whether or not there is a multiplicative inverse modulo n

If the private key exists, the next step is executed, and if the private key does not exist, the sub private key d of the user is reselected₁E {1,2, …, n-1} and recalculate its child private key d₁Whether or not there is a multiplicative inverse modulo n

Until a multiplicative inverse is found

Sub private key d of₁Then executing the next step;

wherein, ID₁Representing the first signature participant, d₁Indicating the first signed participant ID₁The sub-private key of (a) is,

indicating the first signed participant ID₁Sub private key d of₁The multiplication inverse element under the modulus n, wherein n is a positive integer and represents the order of the base point of the elliptic curve;

step two, according to the following formula, the participant ID is signed first₁Calculating its own sub public key Q₁And a pseudo sub public key Q₁', then the child public key Q₁And a pseudo sub public key Q₁' all broadcast to all signature participants:

Q₁＝d₁G

wherein Q is₁Indicating the first signed participant ID₁Is a sub public key of₁' means first signed participant ID₁G represents a base point with an order of n on the elliptic curve;

step three, receiving the ID of the first signature participant₁Sub public key Q of₁And a pseudo sub public key Q₁' after, the ith signed participant ID_iSelects own sub-private key d_iE {1,2, …, n-1}, and then calculates its pseudo-child public key Q according to the following formula_i', and the pseudo-sub public key Q_i' sending to the first signed participant ID₁，i＝2,3,...,t：

Q_i′＝d_iQ₁′

Wherein, ID_iRepresenting the ith signature participant, d_iIndicating the ith signed participant ID_iSub private key of, Q_i' denotes the ith signed participant ID_iT is a positive integer, representing the signed participant ID_iThe number of (2);

step four, signing the participant ID first₁Upon receipt of the pseudo-child public key Q of all signed participants_i' thereafter, each signed participant ID is computed in turn as follows_iSub public key Q of_iThen all the calculated sub public keys Q are added_iDisclosed is a method for producing a synthetic resin:

Q_i＝d₁Q_i′

wherein Q is_iIndicating the ith signed participant ID_iThe child public key of (1);

step five, each signature participant ID_iReceiving a first signed participant ID₁Public sub-public key Q_iThen, the equation is verified

Q_i＝d_iG

If the verification result of each signature participant is true, executing the next step, and if the verification result of any signature participant is false, returning to the step one;

step six, according to the following formula, each signature participant ID_iCalculating a signature public key Q and disclosing the signature public key Q:

wherein Q represents a public signature key, and sigma represents a summation operation;

seventh, signing participant ID first₁Choose its own secret value k₁E {1,2, …, n-1}, and then calculates its secret value k₁Whether or not there is a multiplicative inverse modulo n

If the secret value k exists, the next step is executed, and if the secret value k does not exist, the secret value k of the user is reselected₁E {1,2, …, n-1} and recalculate its secret value k₁Whether or not there is a multiplicative inverse modulo n

Until a multiplicative inverse is found

Secret value k of₁Then executing the next step;

wherein k is₁Indicating the first signed participant ID₁Is determined by the secret value of (a),

indicating the first signed participant ID₁Secret value k of₁Inverse multiplication under modulo n;

step eight, signing the participant ID according to the following formula₁Calculating the first intermediate signature parameter value R₁And the first signature parameter intermediate value R₁Send to a second signed participant ID₂：

R₁＝k₁G

Wherein R is₁Indicating the median value, ID, of the first signature parameter₂Representing a second signature participant;

step nine, the ith signature participant ID_iReceiving the i-1 th signature parameter intermediate value R_i-1Then, choose its secret value k_iE {1,2, …, n-1}, and then calculates its secret value k_iWhether or not there is a multiplicative inverse k modulo n_i ^-1If the secret value k exists, the next step is executed, and if the secret value k does not exist, the secret value k of the user is reselected_iE {1,2, …, n-1} and recalculate its secret value k_iWhether or not there is a multiplicative inverse modulo n

Until a multiplicative inverse is found

Secret value k of_iThen the next step is performed, i ═ 2,3, …, t-1;

wherein k is_iIndicating the ith signed participant ID_iSecret ofThe value of the secret is set to be,

indicating the ith signed participant ID_iSecret value k of_iInverse multiplication under modulo n;

step ten, signing the participant ID according to the following formula_iCalculating the ith signature parameter intermediate value R_iAnd the ith signature parameter intermediate value R_iSend to the (i + 1) th signed participant ID_i+1，i＝2,3,…,t-1：

R_i＝k_iR_i-1

Wherein R is_iRepresenting the i-th signature parameter mean value, R_i-1Denotes the i-1 th signature parameter median, ID_i+1Represents the i +1 signature participant;

eleven, tth signature participant ID_tReceiving the t-1 signature parameter intermediate value R_t-1Then, choose its secret value k_tE {1,2, …, n-1}, and then calculates its secret value k_tWhether or not there is a multiplicative inverse modulo n

If the secret value k exists, the next step is executed, and if the secret value k does not exist, the secret value k of the user is reselected_tE {1,2, …, n-1} and recalculate its secret value k_tWhether or not there is a multiplicative inverse modulo n

Until a multiplicative inverse is found

Secret value k of_tThen executing the next step;

wherein, ID_tDenotes the tth signature participant, k_tIndicating the tth signed participant ID_tIs determined by the secret value of (a),

indicates the t-th labelFirst name participant ID_tSecret value k of_tInverse multiplication under modulo n;

twelfth, signature participant ID for the tth according to the following equation_tCalculating a signature parameter R, then judging whether the signature parameter R is a zero point on an elliptic curve, if so, returning to the step six, and if not, broadcasting the signature parameter R to all signature participants:

R＝k_tR_t-1＝(x_R,y_R)

wherein R is_t-1Represents the t-1 th signature parameter intermediate value, R represents the signature parameter, x_RAbscissa, y, representing signature parameter R_RRepresents the ordinate of the signature parameter R;

step thirteen, ith signature participant ID_iAfter receiving the signature parameter R, calculating a first partial signature R according to the following formula:

r＝x_Rmod n

then judging whether r is equal to 0, if so, returning to the step three, and if not, continuing to execute the next step;

wherein r represents the first partial signature and mod represents the modulo operation;

fourteen, signing the participant ID first according to the following formula₁Calculating a hash value H of the message M, and then converting the H into an integer e according to a data type conversion rule:

H＝hash(M)

wherein M represents a message, H represents a hash value of the message M, the hash represents a password hash algorithm, and e represents an integer value obtained by converting the hash value H;

fifteen step first signing participant ID₁Selecting a private key sk and a public key pk of a paillier homomorphic encryption algorithm, secretly storing the private key sk, and disclosing the public key pk;

wherein paillier represents the homomorphic encryption algorithm, sk represents the private key of the paillier homomorphic encryption algorithm and is used for decryption operation, and pk represents the public key of the paillier homomorphic encryption algorithm and is used for encryption operation;

sixthly, according to the following formula, the first stepIndividual signature participant ID₁Calculating a first signature generation parameter first part alpha₁And a second part beta of the first signature generation parameter₁Then the first signature is generated as a first part alpha of the parameter₁And a second part beta of the first signature generation parameter₁Send to a second signed participant ID₂：

β₁＝E_pk(rd₁mod n)

Wherein alpha is₁Representing a first part, beta, of a first signature generation parameter₁Representing a second part of the first signature generation parameter, E_pk(.) represents the encryption operation of the paillier homomorphic encryption algorithm;

seventeenth, the ith signing participant ID_iReceiving the i-1 st signature generation parameter first part alpha_i-1And the i-1 st signature generation parameter second part beta_i-1Then, the first part alpha of the ith signature generation parameter is calculated according to the following formula_iAnd the ith signature generation parameter second part beta_iThen the ith signature generation parameter is generated as a first part alpha_iAnd the ith signature generation parameter second part beta_iSend to the (i + 1) th signed participant ID_i+1，i＝2,3,…,t-1：

β_i＝E_pk(rd_imodn)+_Eβ_i-1

Wherein alpha is_iRepresenting the first part, beta, of the ith signature generation parameter_iRepresenting the second part, a, of the ith signature generation parameter_i-1Denotes the first part, β, of the i-1 th signature generation parameter_i-1Representing the second part of the i-1 th signature generation parameter_ERepresents the multiplication homomorphic operation under the paillier homomorphic encryption algorithm, +_ETo representperforming addition homomorphic operation under a paillier homomorphic encryption algorithm;

eighteenth, tth signature participant ID_tReceiving the t-1 st signature generation parameter first part alpha_t-1And t-1 signature generation parameter second part beta_t-1Then, the first part alpha of the t signature generation parameter is calculated according to the following formula_tAnd a tth signature generation parameter second part beta_t：

β_t＝E_pk(rd_tmod n)+_Eβ_t-1

Wherein alpha is_tRepresenting the first part, beta, of the tth signature generation parameter_tRepresenting the second part, a, of the tth signature generation parameter_t-1Denotes the first part, beta, of the t-1 th signature generation parameter_t-1Representing the second part of the t-1 th signature generation parameter, d_tIndicating the tth signed participant ID_tThe child private key of (a);

nineteenth, tth signature participant ID_tSelecting a secret confusion value rho epsilon {1,2, …, n-1}, and then calculating whether a multiplication inverse rho exists in the secret confusion value rho under a modulus n^-1And if so, executing the next step, and if not, reselecting the secret confusion value rho epsilon {1,2, …, n-1} and recalculating whether the secret confusion value rho has multiplication inverse elements rho under the modulus n^-1Until a multiplicative inverse p is found^-1Then the next step is performed;

where ρ represents a secret obfuscated value, ρ^-1Representing the multiplicative inverse of the secret obfuscated value ρ modulo n;

twenty, the tth signed participant ID according to the following equation_tCalculating the second part beta of the t +1 th signature generation parameter_t+1Then the t +1 th signature generation parameter is generated into a second part beta_t+1Sent to the t-1 signed participant ID_t-1：

Wherein, beta_t+1Second part, ID, representing the t +1 th signature Generation parameter_t-1Representing the t-1 signature participant;

twenty-one, signing the participant ID for the ith according to the following equation_iCalculating the second part beta of the 2t-i +1 th signature generation parameter_2t-i+1Then the 2t-i +1 th signature generation parameter is generated into a second part beta_2t-i+1Sent to the i-1 th signed participant ID_i-1，i＝t-1,t-2,…,2：

Wherein, beta_2t-i+1Representing the second part, beta, of the 2t-i +1 th signature generation parameter_2t-iA second part representing a 2t-i < th > signature generation parameter;

twenty-two, the first signature participant ID, according to the following equation₁Calculating a second part beta of the 2 t-th signature generation parameter_2tThen the 2t signature is generated into a second part of the parameters beta_2tSent to the tth signed participant ID_t：

Wherein, beta_2tSecond part, beta, representing the 2 t-th signature generation parameter_2t-1A second part representing a 2t-1 th signature generation parameter;

twenty-three, signature participant ID for the tth according to the following equation_tCalculating the second part beta of the 2t +1 th signature generation parameter_2t+1：

β_2t+1＝β_2t×_Eρ^-1

Wherein, beta_2t+1A second part representing a 2t +1 th signature generation parameter;

twenty four steps,Signature participant ID as follows_tCalculating the ciphertext C of the second part of the signature s under the paillier homomorphic encryption, and then sending the ciphertext C of the second part of the signature s under the paillier homomorphic encryption to the ID of the first signature participant₁：

C＝α_t+_Eβ_2t+1

Wherein s represents a second part signature, and C represents a ciphertext of the second part signature s under the paillier homomorphic encryption;

twenty five, first signing participant ID according to the following formula₁Calculating a second partial signature s:

s＝D_sk(C)mod n

wherein D is_sk(.) represents the decryption operation of the paillier homomorphic encryption algorithm;

twenty-six, the first signing participant ID, according to the following equation₁Calculating a signature verification parameter R', R ═ x_R′,y_R′)：

R′＝s^-1(eG+rQ)

Wherein R' represents a signature verification parameter, x_R' denotes the abscissa, y, of the signature verification parameter R_R' denotes the ordinate, s, of the signature verification parameter R^-1Representing a multiplicative inverse of the second partial signature s modulo n;

twenty-seventh, signing the participant ID first, according to the following equation₁Calculating a verification parameter r 'of the first partial signature, then judging whether an equation r' is satisfied, if so, executing the next step, if not, the signature fails, and returning to the step six:

r′≡x_R′mod n

wherein r' represents the verification parameter of the first partial signature and ≡ represents a congruence symbol;

twenty-eight, first signing participant ID₁Extracting the signature (r, s) and then broadcasting the signature (r, s) to all signature participants;

where (r, s) represents the final generated signature.

The invention has the beneficial effects that: in the key generation stage, t signature participants select own sub-private keys, and the generation of the private keys is completed through interaction with the first signature participant. In the signature stage, the t signature participants sequentially use the sub private keys held by the participants to carry out distributed signature, then the tth signature participant completes the synthesis of the second part of the signature under the homomorphic encryption condition, and then the first signature participant completes the final signature synthesis and verification. According to the invention, a paillier homomorphic encryption algorithm is utilized, each signature participant does not need to utilize zero knowledge proof to ensure the correctness of the signature, only the first signature participant needs to verify the signature to ensure the correctness of the final signature, and the final signature verification only needs point addition operation on one elliptic curve and point multiplication operation on two elliptic curves, so that compared with t times of zero knowledge proof in the background technology, the calculation efficiency is improved.

In addition, the invention realizes the distributed generation and storage of the private key, the generation of the private key does not need a trusted center, and the security of the private key is higher.

The invention realizes the function of generating the signature by the distributed type of the t individuals, does not need to explicitly synthesize the private key during the signature, and avoids the risk brought by the leakage of the private key.

The present invention will be described in detail below with reference to the accompanying drawings and specific embodiments.

Drawings

Fig. 1 is a flow chart of a digital signature method of distributed key generation of the present invention.

Detailed Description

The noun explains:

t: parameters of the elliptic curve secp256k 1;

p: generating a finite field F_pThe large prime number of (2) is FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F ═ 2²⁵⁶-2³²-2⁹-2⁸-2⁷-2⁶-2⁴-1；

a, b: parameters of the elliptic equation, a is 0, b is 7;

g: a base point with an order of n on the elliptic curve, and the base point has a value of 0479BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B 8;

n: the order of the base point G of the elliptic curve, the value of which is FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF;

h: a residue factor controlling the density of the selected points, the value of which is 01;

ID₁: a first signing participant;

ID₂: a second signing participant;

ID_i: the ith signature participant;

ID_i+1: the i +1 th signature participant;

ID_t: the tth signature participant;

ID_t-1: the t-1 signature participant;

t: positive integer representing signed participant ID_iThe number of (2);

d₁: first signing participant ID₁The child private key of (a);

first signing participant ID₁Sub private key d of₁Inverse multiplication under modulo n;

d_i: ith signed participant ID_iThe child private key of (a);

d_t: tth signed participant ID_tThe child private key of (a);

Q₁: first signing participant ID₁The child public key of (1);

Q₁': indicating the first signed participant ID₁The pseudo child public key of (1);

Q_i: ith signed participant ID_iThe child public key of (1);

Q_i': ith signed participant ID_iThe pseudo child public key of (1);

q: signing a public key;

sigma: summation operations, e.g.

k₁: first signing participant ID₁The secret value of (a);

first signing participant ID₁Secret value k of₁Inverse multiplication under modulo n;

k_i: ith signed participant ID_iThe secret value of (a);

ith signed participant ID_iSecret value k of_iInverse multiplication under modulo n;

k_t: tth signed participant ID_tThe secret value of (a);

tth signed participant ID_tSecret value k of_tInverse multiplication under modulo n;

R₁: a first signature parameter median;

R_i: the ith signature parameter median;

R_i-1: the i-1 st signature parameter median;

R_t-1: the t-1 th signature parameter intermediate value;

r: a signature parameter;

x_R: the abscissa of the signature parameter R;

y_R: the ordinate of the signature parameter R;

r: a first partial signature;

mod: modulo arithmetic, e.g., 7mod4 — 3;

m: a message;

h: hash value of message M;

hash: a cryptographic hash algorithm;

e: the integral value after the Hash value H is converted;

paillier: a homomorphic encryption algorithm;

sk: a private key of a paillier homomorphic encryption algorithm;

pk: a public key of a paillier homomorphic encryption algorithm;

E_pk(.): carrying out encryption operation on the paillier homomorphic encryption algorithm;

D_sk(.): carrying out decryption operation on the paillier homomorphic encryption algorithm;

×_E: multiplication homomorphic operation under the paillier homomorphic encryption algorithm;

+_E: performing addition homomorphic operation under a paillier homomorphic encryption algorithm;

α₁: a first signature generation parameter first portion;

α_i: a first part of the ith signature generation parameter;

α_i-1: the i-1 st signature generation parameter first part;

α_t-1: the t-1 signature generation parameter first part;

α_t: a tth signature generation parameter first part;

β₁: a second part of the first signature generation parameter;

β_i: a second part of the ith signature generation parameter;

β_i-1: the (i-1) th signature generation parameter second part;

β_t-1: a t-1 signature generation parameter second part;

β_t: a second part of the t-th signature generation parameter;

β_t+1: a t +1 th signature generation parameter second part;

β_2t-i+1: a second part of the 2t-i +1 th signature generation parameter;

β_2t-i: a second part of the 2t-i signature generation parameters;

β_2t: a second part of the 2 t-th signature generation parameter;

β_2t-1: a 2t-1 signature generation parameter second part;

β_2t+1: a 2t +1 signature generation parameter second part;

ρ: a secret obfuscation value;

ρ^-1: the multiplication inverse of the secret obfuscated value rho under the modulus n;

s: a second partial signature;

s^-1: the multiplication inverse element of the second partial signature s under the modulus n;

c: the second part of signature s is a ciphertext under the paillier homomorphic encryption;

r': a signature verification parameter;

x_R': the abscissa of the signature verification parameter R';

y_R': the ordinate of the signature verification parameter R';

r': a verification parameter for the first partial signature;

tbd: a congruence symbol;

(r, s): the final generated signature.

Refer to fig. 1. The digital signature method for distributed generation of the key comprises the following specific steps:

determining system parameters: this is a preparatory operation before implementation.

Selecting an elliptic curve secp256k1, and determining a parameter T ═ p, a, b, G, n, h, wherein T represents the parameter of the elliptic curve secp256k1, and p represents the generation finite field F_pP is FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F is 2²⁵⁶-2³²-2⁹-2⁸-2⁷-2⁶-2⁴-1, a, B represent the parameters of the elliptic equation, a is 0, B is 7, G represents a base point with an order of n on the elliptic curve, G is 0479BE667EF9DCBBAC55a06295CE870B07029BFCDB2DCE28D959F2815B16F81798483ADA7726A3C4655DA4FBFC0E1108A8FD17B448a68554199C47D08FFB10D4B8, n represents the order of the base point G of the elliptic curve, n is ffffffffffffffffffffffffffffffffffffffeaeaedce 6AF48a03BBFD25E8CD0364141, h denotes a residue factor, controlling the density of the selected points, h is 01.

Step one, signing participant ID first₁Selects own sub-private key d₁E {1,2, …, n-1}, and then calculates its own child private key d₁Whether or not there is a multiplicative inverse d under modulo n₁ ^-1If the private key d exists, the next step is executed, and if the private key d does not exist, the own sub-private key d is reselected₁E {1,2, …, n-1} and recalculate its child private key d₁Whether or not there is a multiplicative inverse modulo n

Until a multiplicative inverse is found

Sub private key d of₁Then executing the next step;

wherein, ID₁Representing the first signature participant, d₁Indicating the first signed participant ID₁The sub-private key of (a) is,

indicating the first signed participant ID₁Sub private key d of₁The multiplication inverse element under the modulus n, wherein n is a positive integer and represents the order of the base point of the elliptic curve;

step two, according to the following formula, the participant ID is signed first₁Calculating its own sub public key Q₁And a pseudo sub public key Q₁', then the child public key Q₁And a pseudo sub public key Q₁' all broadcast to all signature participants:

Q₁＝d₁G

wherein Q is₁Indicating the first signed participant ID₁Is a sub public key of₁' means first signed participant ID₁G represents on an elliptic curveA base point with an order n;

step three, receiving the ID of the first signature participant₁Sub public key Q of₁And a pseudo sub public key Q₁' after, the ith signed participant ID_iSelects own sub-private key d_iE {1,2, …, n-1}, and then calculates its pseudo-child public key Q according to the following formula_i', and the pseudo-sub public key Q_i' sending to the first signed participant ID₁，i＝2,3,...,t：

Q_i′＝d_iQ₁′

Wherein, ID_iRepresenting the ith signature participant, d_iIndicating the ith signed participant ID_iSub private key of, Q_i' denotes the ith signed participant ID_iT is a positive integer, representing the signed participant ID_iThe number of (2);

step four, signing the participant ID first₁Upon receipt of the pseudo-child public key Q of all signed participants_i' thereafter, each signed participant ID is computed in turn as follows_iSub public key Q of_iThen all the calculated sub public keys Q are added_iDisclosed is a method for producing a synthetic resin:

Q_i＝d₁Q_i′

wherein Q is_iIndicating the ith signed participant ID_iThe child public key of (1);

step five, each signature participant ID_iReceiving a first signed participant ID₁Public sub-public key Q_iThen, the equation is verified

Q_i＝d_iG

If the verification result of each signature participant is true, executing the next step, and if the verification result of any signature participant is false, returning to the step one;

step six, according to the following formula, each signature participant ID_iCalculating a signature public key Q and disclosing the signature public key Q:

wherein Q represents a public signature key, and sigma represents a summation operation;

seventh, signing participant ID first₁Choose its own secret value k₁E {1,2, …, n-1}, and then calculates its secret value k₁Whether or not there is a multiplicative inverse modulo n

If the secret value k exists, the next step is executed, and if the secret value k does not exist, the secret value k of the user is reselected₁E {1,2, …, n-1} and recalculate its secret value k₁Whether or not there is a multiplicative inverse modulo n

Until a multiplicative inverse is found

Secret value k of₁Then executing the next step;

wherein k is₁Indicating the first signed participant ID₁Is determined by the secret value of (a),

indicating the first signed participant ID₁Secret value k of₁Inverse multiplication under modulo n;

step eight, signing the participant ID according to the following formula₁Calculating the first intermediate signature parameter value R₁And the first signature parameter intermediate value R₁Send to a second signed participant ID₂：

R₁＝k₁G

Wherein R is₁Indicating the median value, ID, of the first signature parameter₂Representing a second signature participant;

step nine, the ith signature participant ID_iReceiving the i-1 th signature parameter intermediate value R_i-1Then choose oneselfSecret value k of_iE {1,2, …, n-1}, and then calculates its secret value k_iWhether or not there is a multiplicative inverse k modulo n_i ^-1, if existing, executing the next step, if not existing, reselecting the secret value k of the user_iE {1,2, …, n-1} and recalculate its secret value k_iWhether or not there is a multiplicative inverse modulo n

Until a multiplicative inverse is found

Secret value k of_iThen the next step is performed, i ═ 2,3, …, t-1;

wherein k is_iIndicating the ith signed participant ID_iIs determined by the secret value of (a),

indicating the ith signed participant ID_iSecret value k of_iInverse multiplication under modulo n;

step ten, signing the participant ID according to the following formula_iCalculating the ith signature parameter intermediate value R_iAnd the ith signature parameter intermediate value R_iSend to the (i + 1) th signed participant ID_i+1，i＝2,3,…,t-1：

R_i＝k_iR_i-1

Wherein R is_iRepresenting the i-th signature parameter mean value, R_i-1Denotes the i-1 th signature parameter median, ID_i+1Represents the i +1 signature participant;

eleven, tth signature participant ID_tReceiving the t-1 signature parameter intermediate value R_t-1Then, choose its secret value k_tE {1,2, …, n-1}, and then calculates its secret value k_tWhether or not there is a multiplicative inverse modulo n

If so, the next step is performedStep, if not, reselecting its secret value k_tE {1,2, …, n-1} and recalculate its secret value k_tWhether or not there is a multiplicative inverse modulo n

Until a multiplicative inverse is found

Secret value k of_tThen executing the next step;

wherein, ID_tDenotes the tth signature participant, k_tIndicating the tth signed participant ID_tIs determined by the secret value of (a),

indicating the tth signed participant ID_tSecret value k of_tInverse multiplication under modulo n;

twelfth, signature participant ID for the tth according to the following equation_tCalculating a signature parameter R, then judging whether the signature parameter R is a zero point on an elliptic curve, if so, returning to the step six, and if not, broadcasting the signature parameter R to all signature participants:

R＝k_tR_t-1＝(x_R,y_R)

wherein R is_t-1Represents the t-1 th signature parameter intermediate value, R represents the signature parameter, x_RAbscissa, y, representing signature parameter R_RRepresents the ordinate of the signature parameter R;

step thirteen, ith signature participant ID_iAfter receiving the signature parameter R, calculating a first partial signature R according to the following formula:

r＝x_Rmod n

then judging whether r is equal to 0, if so, returning to the step three, and if not, continuing to execute the next step;

wherein r represents the first partial signature and mod represents the modulo operation;

step fourteen, according to the following formula, the firstSigning participant ID₁Calculating a hash value H of the message M, and then converting the H into an integer e according to a data type conversion rule:

H＝hash(M)

wherein M represents a message, H represents a hash value of the message M, the hash represents a password hash algorithm, and e represents an integer value obtained by converting the hash value H;

fifteen step first signing participant ID₁Selecting a private key sk and a public key pk of a paillier homomorphic encryption algorithm, secretly storing the private key sk, and disclosing the public key pk;

wherein paillier represents the homomorphic encryption algorithm, sk represents the private key of the paillier homomorphic encryption algorithm and is used for decryption operation, and pk represents the public key of the paillier homomorphic encryption algorithm and is used for encryption operation;

sixteenth, signing the participant ID first according to₁Calculating a first signature generation parameter first part alpha₁And a second part beta of the first signature generation parameter₁Then the first signature is generated as a first part alpha of the parameter₁And a second part beta of the first signature generation parameter₁Send to a second signed participant ID₂：

β₁＝E_pk(rd₁mod n)

Wherein alpha is₁Representing a first part, beta, of a first signature generation parameter₁Representing a second part of the first signature generation parameter, E_pk(.) represents the encryption operation of the paillier homomorphic encryption algorithm;

seventeenth, the ith signing participant ID_iReceiving the i-1 st signature generation parameter first part alpha_i-1And the i-1 st signature generation parameter second part beta_i-1Then, the first part alpha of the ith signature generation parameter is calculated according to the following formula_iAnd the ith signature generation parameter second part beta_iThen the ith signature is generated into the first part of the parameterα_iAnd the ith signature generation parameter second part beta_iSend to the (i + 1) th signed participant ID_i+1，i＝2,3,…,t-1：

β_i＝E_pk(rd_imod n)+_Eβ_i-1

Wherein alpha is_iRepresenting the first part, beta, of the ith signature generation parameter_iRepresenting the second part, a, of the ith signature generation parameter_i-1Denotes the first part, β, of the i-1 th signature generation parameter_i-1Representing the second part of the i-1 th signature generation parameter_ERepresents the multiplication homomorphic operation under the paillier homomorphic encryption algorithm, +_ERepresenting addition homomorphic operation under the paillier homomorphic encryption algorithm;

eighteenth, tth signature participant ID_tReceiving the t-1 st signature generation parameter first part alpha_t-1And t-1 signature generation parameter second part beta_t-1Then, the first part alpha of the t signature generation parameter is calculated according to the following formula_tAnd a tth signature generation parameter second part beta_t：

β_t＝E_pk(rd_tmod n)+_Eβ_t-1

Wherein alpha is_tRepresenting the first part, beta, of the tth signature generation parameter_tRepresenting the second part, a, of the tth signature generation parameter_t-1Denotes the first part, beta, of the t-1 th signature generation parameter_t-1Representing the second part of the t-1 th signature generation parameter, d_tIndicating the tth signed participant ID_tThe child private key of (a);

nineteenth, tth signature participant ID_tSelecting a secret confusion value rho epsilon {1,2, …, n-1}, and then calculating the secret confusion valueWhether the value rho has a multiplicative inverse rho modulo n^-1And if so, executing the next step, and if not, reselecting the secret confusion value rho epsilon {1,2, …, n-1} and recalculating whether the secret confusion value rho has multiplication inverse elements rho under the modulus n^-1Until a multiplicative inverse p is found^-1Then the next step is performed;

where ρ represents a secret obfuscated value, ρ^-1Representing the multiplicative inverse of the secret obfuscated value ρ modulo n;

twenty, the tth signed participant ID according to the following equation_tCalculating the second part beta of the t +1 th signature generation parameter_t+1Then the t +1 th signature generation parameter is generated into a second part beta_t+1Sent to the t-1 signed participant ID_t-1：

Wherein, beta_t+1Second part, ID, representing the t +1 th signature Generation parameter_t-1Representing the t-1 signature participant;

twenty-one, signing the participant ID for the ith according to the following equation_iCalculating the second part beta of the 2t-i +1 th signature generation parameter_2t-i+1Then the 2t-i +1 th signature generation parameter is generated into a second part beta_2t-i+1Sent to the i-1 th signed participant ID_i-1，i＝t-1,t-2,…,2：

Wherein, beta_2t-i+1Representing the second part, beta, of the 2t-i +1 th signature generation parameter_2t-iA second part representing a 2t-i < th > signature generation parameter;

twenty-two, the first signature participant ID, according to the following equation₁Calculating a second part beta of the 2 t-th signature generation parameter_2tThen the 2t signature is generated into a second part of the parameters beta_2tSend to the t-th tagFirst name participant ID_t：

Wherein, beta_2tSecond part, beta, representing the 2 t-th signature generation parameter_2t-1A second part representing a 2t-1 th signature generation parameter;

twenty-three, signature participant ID for the tth according to the following equation_tCalculating the second part beta of the 2t +1 th signature generation parameter_2t+1：

β_2t+1＝β_2t×_Eρ^-1

Wherein, beta_2t+1A second part representing a 2t +1 th signature generation parameter;

twenty-four steps, signature participant ID for the tth according to the following formula_tCalculating the ciphertext C of the second part of the signature s under the paillier homomorphic encryption, and then sending the ciphertext C of the second part of the signature s under the paillier homomorphic encryption to the ID of the first signature participant₁：

C＝α_t+_Eβ_2t+1

Wherein s represents a second part signature, and C represents a ciphertext of the second part signature s under the paillier homomorphic encryption;

twenty five, first signing participant ID according to the following formula₁Calculating a second partial signature s:

s＝D_sk(C)mod n

wherein D is_sk(.) represents the decryption operation of the paillier homomorphic encryption algorithm;

twenty-six, the first signing participant ID, according to the following equation₁Calculating a signature verification parameter R', R ═ x_R′,y_R′)：

R′＝s^-1(eG+rQ)

Wherein R' represents a signature verification parameter, x_R' denotes the abscissa, y, of the signature verification parameter R_R' denotes the ordinate, s, of the signature verification parameter R^-1Is shown asThe multiplication inverse element of the two-part signature s under the modulus n;

twenty-seventh, signing the participant ID first, according to the following equation₁Calculating a verification parameter r 'of the first partial signature, then judging whether an equation r' is satisfied, if so, executing the next step, if not, the signature fails, and returning to the step six:

r′≡x_R′mod n

wherein r' represents the verification parameter of the first partial signature and ≡ represents a congruence symbol;

twenty-eight, first signing participant ID₁Extracting the signature (r, s) and then broadcasting the signature (r, s) to all signature participants;

where (r, s) represents the final generated signature.

Claims (1)

1. A digital signature method for distributed generation of keys, comprising the steps of:

step one, signing participant ID first₁Selects own sub-private key d_1∈{1,2, …, n-1}, and then computes its child private key d₁Whether or not there is a multiplicative inverse modulo n

If the private key exists, the next step is executed, and if the private key does not exist, the sub private key d of the user is reselected_1∈{1,2, …, n-1} and recalculate its child private key d₁Whether or not there is a multiplicative inverse modulo n

Until a multiplicative inverse is found

Sub private key d of₁Then executing the next step;

wherein, ID₁Representing the first signature participant, d₁Indicating the first signed participant ID₁The sub-private key of (a) is,

indicating the first signed participant ID₁Sub private key d of₁The multiplication inverse element under the modulus n, wherein n is a positive integer and represents the order of the base point of the elliptic curve;

step two, according to the following formula, the participant ID is signed first₁Calculating its own sub public key Q₁And a pseudo sub public key Q₁', then the child public key Q₁And a pseudo sub public key Q₁' all broadcast to all signature participants:

Q₁＝d₁G

wherein Q is₁Indicating the first signed participant ID₁Is a sub public key of₁' means first signed participant ID₁G represents a base point with an order of n on the elliptic curve;

step three, receiving the ID of the first signature participant₁Sub public key Q of₁And a pseudo sub public key Q₁' after, the ith signed participant ID_iSelects own sub-private key d_iE {1,2, …, n-1}, and then calculates its pseudo-child public key Q according to the following formula_i', and the pseudo-sub public key Q_i' sending to the first signed participant ID₁，i＝2,3,...,t：

Q_i′＝d_iQ₁′

Wherein, ID_iRepresenting the ith signature participant, d_iIndicating the ith signed participant ID_iSub private key of, Q_i' denotes the ith signed participant ID_iT is a positive integer, representing the signed participant ID_iThe number of (2);

step four, signing the participant ID first₁Upon receipt of the pseudo-child public key Q of all signed participants_i' thereafter, each signature is calculated in turn according to the following formulaParticipant ID_iSub public key Q of_iThen all the calculated sub public keys Q are added_iDisclosed is a method for producing a synthetic resin:

Q_i＝d₁Q_i′

wherein Q is_iIndicating the ith signed participant ID_iThe child public key of (1);

step five, each signature participant ID_iReceiving a first signed participant ID₁Public sub-public key Q_iThen, the equation is verified

Q_i＝d_iG

If the verification result of each signature participant is true, executing the next step, and if the verification result of any signature participant is false, returning to the step one;

step six, according to the following formula, each signature participant ID_iCalculating a signature public key Q and disclosing the signature public key Q:

wherein Q represents a public signature key, and sigma represents a summation operation;

seventh, signing participant ID first₁Choose its own secret value k₁E {1,2, …, n-1}, and then calculates its secret value k₁Whether or not there is a multiplicative inverse modulo n

If the secret value k exists, the next step is executed, and if the secret value k does not exist, the secret value k of the user is reselected₁E {1,2, …, n-1} and recalculate its secret value k₁Whether or not there is a multiplicative inverse modulo n

Until a multiplicative inverse is found

Secret value k of₁Then executing the next step;

wherein k is₁Indicating the first signed participant ID₁Is determined by the secret value of (a),

indicating the first signed participant ID₁Secret value k of₁Inverse multiplication under modulo n;

step eight, signing the participant ID according to the following formula₁Calculating the first intermediate signature parameter value R₁And the first signature parameter intermediate value R₁Send to a second signed participant ID₂：

R₁＝k₁G

Wherein R is₁Indicating the median value, ID, of the first signature parameter₂Representing a second signature participant;

step nine, the ith signature participant ID_iReceiving the i-1 th signature parameter intermediate value R_i-1Then, choose its secret value k_iE {1,2, …, n-1}, and then calculates its secret value k_iWhether or not there is a multiplicative inverse modulo n

If the secret value k exists, the next step is executed, and if the secret value k does not exist, the secret value k of the user is reselected_iE {1,2, …, n-1} and recalculate its secret value k_iWhether or not there is a multiplicative inverse modulo n

Until a multiplicative inverse is found

Secret value k of_iThen the next step is performed, i ═ 2,3, …, t-1;

wherein k is_iIndicating the ith signed participant ID_iIs determined by the secret value of (a),

indicating the ith signed participant ID_iSecret value k of_iInverse multiplication under modulo n;

step ten, signing the participant ID according to the following formula_iCalculating the ith signature parameter intermediate value R_iAnd the ith signature parameter intermediate value R_iSend to the (i + 1) th signed participant ID_i+1，i＝2,3,…,t-1：

R_i＝k_iR_i-1

Wherein R is_iRepresenting the i-th signature parameter mean value, R_i-1Denotes the i-1 th signature parameter median, ID_i+1Represents the i +1 signature participant;

eleven, tth signature participant ID_tReceiving the t-1 signature parameter intermediate value R_t-1Then, choose its secret value k_tE {1,2, …, n-1}, and then calculates its secret value k_tWhether or not there is a multiplicative inverse modulo n

If the secret value k exists, the next step is executed, and if the secret value k does not exist, the secret value k of the user is reselected_tE {1,2, …, n-1} and recalculate its secret value k_tWhether or not there is a multiplicative inverse modulo n

Until a multiplicative inverse is found

Secret value k of_tThen executing the next step;

wherein, ID_tDenotes the tth signature participant, k_tIndicating the tth signed participant ID_tIs determined by the secret value of (a),

indicating the tth signed participant ID_tSecret value k of_tInverse multiplication under modulo n;

twelfth, signature participant ID for the tth according to the following equation_tCalculating a signature parameter R, then judging whether the signature parameter R is a zero point on an elliptic curve, if so, returning to the step six, and if not, broadcasting the signature parameter R to all signature participants:

R＝k_tR_t-1＝(x_R,y_R)

wherein R is_t-1Represents the t-1 th signature parameter intermediate value, R represents the signature parameter, x_RAbscissa, y, representing signature parameter R_RRepresents the ordinate of the signature parameter R;

step thirteen, ith signature participant ID_iAfter receiving the signature parameter R, calculating a first partial signature R according to the following formula:

r＝x_Rmodn

then judging whether r is equal to 0, if so, returning to the step three, and if not, continuing to execute the next step;

wherein r represents the first partial signature and mod represents the modulo operation;

fourteen, signing the participant ID first according to the following formula₁Calculating a hash value H of the message M, and then converting the H into an integer e according to a data type conversion rule:

H＝hash(M)

wherein M represents a message, H represents a hash value of the message M, the hash represents a password hash algorithm, and e represents an integer value obtained by converting the hash value H;

fifteen step first signing participant ID₁Selecting a private key sk and a public key pk of a paillier homomorphic encryption algorithm, secretly storing the private key sk, and disclosing the public key pk;

wherein paillier represents the homomorphic encryption algorithm, sk represents the private key of the paillier homomorphic encryption algorithm and is used for decryption operation, and pk represents the public key of the paillier homomorphic encryption algorithm and is used for encryption operation;

step tenSixth, the participant ID is signed first according to the following equation₁Calculating a first signature generation parameter first part alpha₁And a second part beta of the first signature generation parameter₁Then the first signature is generated as a first part alpha of the parameter₁And a second part beta of the first signature generation parameter₁Send to a second signed participant ID₂：

β₁＝E_pk(rd₁modn)

Wherein alpha is₁Representing a first part, beta, of a first signature generation parameter₁Representing a second part of the first signature generation parameter, E_pk(.) represents the encryption operation of the paillier homomorphic encryption algorithm;

seventeenth, the ith signing participant ID_iReceiving the i-1 st signature generation parameter first part alpha_i-1And the i-1 st signature generation parameter second part beta_i-1Then, the first part alpha of the ith signature generation parameter is calculated according to the following formula_iAnd the ith signature generation parameter second part beta_iThen the ith signature generation parameter is generated as a first part alpha_iAnd the ith signature generation parameter second part beta_iSend to the (i + 1) th signed participant ID_i+1，i＝2,3,…,t-1：

β_i＝E_pk(rd_imodn)+_Eβ_i-1

Wherein alpha is_iRepresenting the first part, beta, of the ith signature generation parameter_iRepresenting the second part, a, of the ith signature generation parameter_i-1Denotes the first part, β, of the i-1 th signature generation parameter_i-1Representing the second part of the i-1 th signature generation parameter_ERepresenting paillier homomorphic cryptographic computationsHomomorphic operation of multiplication under the method +_ERepresenting addition homomorphic operation under the paillier homomorphic encryption algorithm;

eighteenth, tth signature participant ID_tReceiving the t-1 st signature generation parameter first part alpha_t-1And t-1 signature generation parameter second part beta_t-1Then, the first part alpha of the t signature generation parameter is calculated according to the following formula_tAnd a tth signature generation parameter second part beta_t：

β_t＝E_pk(rd_tmodn)+_Eβ_t-1

Wherein alpha is_tRepresenting the first part, beta, of the tth signature generation parameter_tRepresenting the second part, a, of the tth signature generation parameter_t-1Denotes the first part, beta, of the t-1 th signature generation parameter_t-1Representing the second part of the t-1 th signature generation parameter, d_tIndicating the tth signed participant ID_tThe child private key of (a);

nineteenth, tth signature participant ID_tSelecting a secret confusion value rho epsilon {1,2, …, n-1}, and then calculating whether a multiplication inverse rho exists in the secret confusion value rho under a modulus n^-1And if so, executing the next step, and if not, reselecting the secret confusion value rho epsilon {1,2, …, n-1} and recalculating whether the secret confusion value rho has multiplication inverse elements rho under the modulus n^-1Until a multiplicative inverse p is found^-1Then the next step is performed;

where ρ represents a secret obfuscated value, ρ^-1Representing the multiplicative inverse of the secret obfuscated value ρ modulo n;

twenty, the tth signed participant ID according to the following equation_tCalculating the second part beta of the t +1 th signature generation parameter_t+1Then the t +1 th signature generation parameter is generated into a second part beta_t+1Sent to the t-1 signed participant ID_t-1：

Wherein, beta_t+1Second part, ID, representing the t +1 th signature Generation parameter_t-1Representing the t-1 signature participant;

twenty-one, signing the participant ID for the ith according to the following equation_iCalculating the second part beta of the 2t-i +1 th signature generation parameter_2t-i+1Then the 2t-i +1 th signature generation parameter is generated into a second part beta_2t-i+1Sent to the i-1 th signed participant ID_i-1，i＝t-1,t-2,…,2：

Wherein, beta_2t-i+1Representing the second part, beta, of the 2t-i +1 th signature generation parameter_2t-iA second part representing a 2t-i < th > signature generation parameter;

twenty-two, the first signature participant ID, according to the following equation₁Calculating a second part beta of the 2 t-th signature generation parameter_2tThen the 2t signature is generated into a second part of the parameters beta_2tSent to the tth signed participant ID_t：

Wherein, beta_2tSecond part, beta, representing the 2 t-th signature generation parameter_2t-1A second part representing a 2t-1 th signature generation parameter;

twenty-three, signature participant ID for the tth according to the following equation_tCalculating the second part beta of the 2t +1 th signature generation parameter_2t+1：

β_2t+1＝β_2t×_Eρ^-1

Wherein, beta_2t+1Is shown asA second part of 2t +1 signature generation parameters;

twenty-four steps, signature participant ID for the tth according to the following formula_tCalculating the ciphertext C of the second part of the signature s under the paillier homomorphic encryption, and then sending the ciphertext C of the second part of the signature s under the paillier homomorphic encryption to the ID of the first signature participant₁：

C＝α_t+_Eβ_2t+1

Wherein s represents a second part signature, and C represents a ciphertext of the second part signature s under the paillier homomorphic encryption;

twenty five, first signing participant ID according to the following formula₁Calculating a second partial signature s:

s＝D_sk(C)modn

wherein D is_sk(.) represents the decryption operation of the paillier homomorphic encryption algorithm;

twenty-six, the first signing participant ID, according to the following equation₁Calculating a signature verification parameter R', R ═ x_R′,y_R′)：

R′＝s^-1(eG+rQ)

Wherein R' represents a signature verification parameter, x_R' denotes the abscissa, y, of the signature verification parameter R_R' denotes the ordinate, s, of the signature verification parameter R^-1Representing a multiplicative inverse of the second partial signature s modulo n;

twenty-seventh, signing the participant ID first, according to the following equation₁Calculating a verification parameter r 'of the first partial signature, then judging whether an equation r' is satisfied, if so, executing the next step, if not, the signature fails, and returning to the step six:

r′＝x_R′modn

wherein r' represents a verification parameter of the first partial signature;

twenty-eight, first signing participant ID₁Extracting the signature (r, s) and then broadcasting the signature (r, s) to all signature participants;

where (r, s) represents the final generated signature.

Images