CN117394992A - Method for using multiple passwords in distributed mode and related device - Google Patents


Info

Publication number: CN117394992A
Application number: CN202210822947.5A
Authority: CN (China)
Prior art keywords: private key, key, mod, distributed, decryption
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 高泉
Current assignee: Individual
Original assignee: Individual
Events: application filed by Individual; priority to CN202210822947.5A; publication of CN117394992A; legal status pending.


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
        • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
        • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
        • H04L 9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
        • H04L 9/3247 The above, involving digital signatures
        • H04L 9/3249 The above, involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/04 The above, for providing a confidential data exchange among entities communicating through data packet networks
        • H04L 63/0428 The above, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        • H04L 63/0442 The above, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
        • H04L 2209/72 Signcrypting, i.e. digital signing and encrypting simultaneously


Abstract

The invention relates to a method for using multiple ciphers in a distributed mode and a related device. In the general setting, distributed operation of the cipher is based on a t-out-of-n threshold: an initiator selects parameters to set up a key-distribution polynomial and the matching modular operation, and each cooperator's identification value is substituted into the polynomial to compute its fragment. The most critical core feature is that the coefficients and the modulus of the polynomial are set by a new method, which ensures that the secret information leaked by each fragment is negligible. A method that prevents leakage of the cipher's secret information from private-key fragments even more thoroughly is shown in FIG. 1B: each cooperator freely chooses its own private-key fragment, so that the problem of a cooperator extracting secret information from its fragment is avoided entirely, and the complete public key corresponding to the fragments is then synthesized by a split-first-then-combine strategy. The new distributed cipher also has its own method for recovering the function of the complete private key from the private-key fragments during distributed decryption and signing, and supports several embodiments when matched with different key-generation modes.

Description

Method for using multiple passwords in distributed mode and related device
Technical Field
The application relates to the technical field of information security, in particular to a method and a related device for using various ciphers in a distributed setting and for completing distributed encryption, decryption and digital signing.
Background
In recent years, with the popularity of the decentralization concept, the importance of distributed security has again attracted attention across industries, and distributed cryptography, in particular key sharing and the distributed use of keys, is attracting attention as a trusted technology capable of ensuring the security of distributed systems. By sharing the private key, it distributes the right to decrypt or sign with the cipher to the holders of a plurality of private-key fragments, and decryption or signing can be completed only if more than a certain number of them cooperate. In recent years this distributed use of ciphers has gradually been applied in many active fields such as secure multi-party computation, secure private communication, trusted execution environments, authorization and authentication, and artificial intelligence. RSA is the most commonly used standard public-key algorithm, and its distributed use is the most basic technique in distributed cryptography. The Paillier cipher has the property of additive homomorphism and is the most common cryptographic algorithm in secret-state secure computation (after encryption, data is processed and computed in encrypted form, and only the final result is decrypted), so its distributed use is a key basic technology of secure multi-party computation. Other ciphers, including ElGamal, DSA and lattice-based ciphers, also have real requirements for distributed use.
At present, the method for using RSA, Paillier and other ciphers in a distributed manner is to divide the private key into components and distribute them to a plurality of cooperators, who jointly hold the right to use the private key. However, information about the cipher's trapdoor, the private key or other secret parameters is revealed when the private key is distributed, and the amount of secret information revealed is large enough to be non-negligible. Here the trapdoor is secret information of some public-key ciphers that is as important as the private key; its disclosure immediately results in disclosure of the private key. The major information security standards do not allow such serious leakage of secret information caused by improper management and use of cryptographic keys. Nor does the prior art have a scheme which, when each cooperating party already has its own private key (fragment), synthesizes a corresponding unified external cipher and supports its distributed use.
It can be seen that the current methods of using these ciphers in a distributed manner meet neither stringent security requirements nor the full range of application scenarios.
Disclosure of Invention
The application comprises a method and a related device for using ciphers (such as RSA and Paillier) in a distributed mode; it not only prevents leakage of secret information during private-key distribution without damaging the functions and efficiency of distributed decryption and signing, but also makes innovative optimizations, improvements and extensions to the scenarios in which distributed ciphers are generated and used. The distributed use of a cipher is generally realized by a secret-key (private-key) sharing technology. Its purpose is to avoid trusting a single individual and instead to disperse trust and activate it smartly, so as to reduce the risk of key abuse and leakage and to strengthen the fault tolerance of key use. Key-sharing techniques typically employ a t-out-of-n threshold regime, as shown in fig. 2, where t is called the threshold (value) and $t \le n$. In a t-out-of-n threshold system a private key K is divided into n private-key fragments $s_1, s_2, \ldots, s_n$, held by n cooperators respectively; any group of at least t cooperators can restore the private key K, or its function, by combining the fragments they hold; but with fewer than t fragments the private key K can neither be recovered nor can information about it be obtained, and its function cannot be used. Therefore, in the distributed scenario, decryption or signing with the private key K can be carried out when at least t of the n cooperators participate jointly, and abuse of the private key is prevented by the distributed usage method.
To reduce the risk of disclosing the private key K, the private key itself is generally not recovered during distributed decryption or signing; instead the participating parties run a distributed multi-party decryption or signing protocol and jointly compute the result using their respective private-key fragments. The invention aims to solve an important security problem of distributed ciphers: the existing RSA and Paillier ciphers, when used in a distributed way, leak information about the private key from each private-key fragment, the amount of leaked information is not negligible, and similar situations exist for other ciphers. The present invention aims to avoid revealing secret information relevant to cryptographic security from a private-key fragment of a distributed cipher, or at least to keep the amount of revealed secret information to a minimal, negligible extent. In special scenarios the invention can even let each cooperating party generate its own private-key fragment and then combine the fragments into a unified key, thoroughly eliminating the possibility that the fragments reveal secret information. In practice, the invention also addresses the generation of the shared secret itself: for example, whether a centralized initiator is required, whether the complete key or the key fragments are generated first, how to simplify the distributed decryption and signing operations as much as possible, and whether the correctness of the related operations can be publicly demonstrated and verified; these problems are properly solved by the innovative method. Whether in a distributed decryption or a distributed signature scenario, whether relying on threshold RSA or threshold Paillier ciphers, and whether employing the key-splitting mechanism of fig. 2 or the key-combining mechanism of fig. 3, the present invention uses threshold ciphers as shown in fig. 4.
The key to the distributed cipher use method is to share the private key of an asymmetric cipher, or the secret key of a symmetric cipher (also called the private key, for a unified name), among a plurality of cooperators for their distributed use. The basic setting is: the n cooperators have public and distinct identification values $P_1, P_2, \ldots, P_n$; the identification value of the first cooperator is the first identification value, that of the second cooperator is the second identification value, and so on, and n is a natural number greater than or equal to 2. The general method at the t-out-of-n threshold is: the private key is distributed with a first polynomial (whose coefficients are the first parameters and must be kept secret); the identification value of each cooperator is substituted into the first polynomial, and the result is reduced with a specially chosen set of moduli (the second parameters, which must be kept secret) to obtain each cooperator's fragment. The specially designed first polynomial contains several secret first parameters $a_0, a_1, a_2, \ldots, a_{t-1}$, where the natural number t is the threshold and $1 < t \le n$; $a_0$, the constant term of the first polynomial, is set to the shared private key K; the remaining first parameters $a_1, a_2, \ldots, a_{t-1}$, the remaining coefficients of the first polynomial, are chosen as random secret integers within a specific security range. The second parameters are secret integers $M_1, M_2, \ldots, M_n$ used as moduli in the arithmetic. The first polynomial is written $F(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{t-1} x^{t-1}$, and the i-th fragment is computed as $s_i = F(P_i) \bmod M_i$. The most critical core feature is that the first parameters $a_1, a_2, \ldots, a_{t-1}$ and the second parameters are selected and set by a specific method that differs from any existing technology.
It is this novel setting method that ensures the private-key information revealed by a fragment is so little as to be negligible, or even eliminated entirely, whereas fragments produced with other parameter-setting methods reveal a non-negligible amount of information about the private key.
In the method of [0006], the selection and setting of the second parameters must satisfy a principle (called the first principle): there is no linear algorithm (polynomial algorithm) that can compute the private key or trapdoor of the threshold cipher from any $M_i$ and the public information (the trapdoor is explained in the description below). More precisely, for i = 1, 2, ..., n, $M_i$ is set with a function $G_i()$ as $M_i = G_i(T, m)$, where m is the trapdoor of the cipher and T is the private key or another uncompromised secret parameter; $G_i()$ must be a one-way function, with no linear-time algorithm for $G_i^{-1}()$. If possible, $M_i$ can even be set to a public parameter completely independent of any secret information of the cipher. The selection range of the first parameters is based on the chosen second parameters, so that the modular operation can maximally dilute and hide the secret information; that is, when no secret about the private key can be extracted from the $M_i$ themselves (which has been guaranteed computationally and statistically), the statistical distribution of the individual fragments is independent of the secret information of the cipher.
In the method of [0006] and [0007], the simplest $G_i()$ is $M_i = k_i m$, where $k_i$ must be a secret integer for i = 1, 2, ..., n. For l = 1, 2, ..., t-1, each $a_l$ is chosen randomly from a corresponding security range set according to $M_1, M_2, \ldots, M_n$, so that the statistical distribution of each fragment is as wide and uniform as possible.
In the method of [0006], when $M_i$ cannot be set to a public parameter completely unrelated to any secret information of the cipher, the second parameters $M_i$ can at the same time satisfy another principle (called the second principle), to better ensure that the information about the private key revealed in the private-key fragments is so little as to be negligible. Second principle: for i = 1, 2, ..., n, $M_i$ should be infinitely close to a published constant, denoted $N_i$ and also called the fourth parameter. That is, extracting secret information from a private-key fragment is not only computationally very hard (there is no linear-time algorithm, which forms a computationally hard problem), but the private-key-related secret information extractable statistically through the relation $\bmod M_i$ (or simply a unified $\bmod M$) is also so little as to be negligible.
After setting $M_i = G_i(K, m) = k_i m$ according to the first principle of [0008], the second principle of [0009] is satisfied by choosing, among all admissible integers, the $k_i$ that minimizes $|k_i m - N_i|$, where $|\cdot|$ denotes the absolute value and $N_i$ is set much larger than the multiplication modulus used in the encryption computation.
In the method of [0006] to [0010], for distributed use, the private-key sharing method of RSA is $s_i = F(P_i) \bmod M_i$ with $F(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{t-1} x^{t-1}$, and the first and second parameters are set as follows:
1) If only the first principle is to be satisfied, method one is employed: $M_i = k_i m$, where $k_i$ and $a_1, a_2, \ldots, a_{t-1}$ are secret integers; for example, $k_i$ is a secret integer randomly selected over a sufficiently large range (so as to contain a large prime factor), and $a_1, a_2, \ldots, a_{t-1}$ are randomly selected from a sufficiently large set of integers (in principle no smaller than $M_1, M_2, \ldots, M_n$);
2) If the first and second principles are to be satisfied at the same time, method two is employed: $M_i = k_i m$, where $k_i$ and $a_1, a_2, \ldots, a_{t-1}$ are secret integers, and $M_i$ is infinitely close to a published constant $N_i$, which should be large enough to give $k_i$ a sufficiently wide selection range that $k_i$ is not easily guessed; for example, each $N_i$ is set much larger than the multiplication modulus (denoted N') used by the RSA encryption operation, $k_i$ is the integer minimizing $|k_i m - N_i|$, and the secret integers $a_1, a_2, \ldots, a_{t-1}$ are randomly selected from a sufficiently large set of integers (in principle no smaller than $M_1, M_2, \ldots, M_n$).
In the method of [0006] to [0010], for distributed use, the private-key sharing method of Paillier is $s_i = F(P_i) \bmod M_i$ with $F(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{t-1} x^{t-1}$, and the first and second parameters are set as follows.
1) If only the first principle is to be satisfied, method one is employed: $M_i = k_i m$, where $k_i$ and $a_1, a_2, \ldots, a_{t-1}$ are secret integers. For example, $k_i = k'_i N'$, where $k'_i$ is a secret integer randomly selected over a sufficiently large range (so as to contain a large prime factor) and $N'^2$ is the multiplication modulus used by the Paillier encryption operation; the secret integers $a_1, a_2, \ldots, a_{t-1}$ are randomly selected from a sufficiently large set of integers (in principle no smaller than $M_1, M_2, \ldots, M_n$).
2) If the first and second principles are to be satisfied at the same time, method two is employed: $M_i = k_i m$ with $k_i = k'_i N'$, where $k'_i$ and $a_1, a_2, \ldots, a_{t-1}$ are secret integers, and $M_i$ is infinitely close to a published constant $N_i$, which should be large enough to give $k'_i$ a sufficiently wide selection range that $k'_i$ is not easily guessed. For example, when $N'^2$ is the multiplication modulus of the encryption and decryption operations, each $N_i$ is set far greater than $N'^2$, $k_i = k'_i N'$ with $k'_i$ the integer minimizing $|k_i m - N_i|$, and the secret integers $a_1, a_2, \ldots, a_{t-1}$ are randomly selected from a sufficiently large set of integers (in principle no smaller than $M_1, M_2, \ldots, M_n$).
The principles of [0006] to [0010] and the method of [0011] can also be somewhat simplified while retaining the advantages of the innovative idea: the second parameters all take the same integer, $M_1 = M_2 = \cdots = M_n$, denoted M. For distributed use, the private-key sharing method of RSA is then $s_i = F(P_i) \bmod M$ with $F(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{t-1} x^{t-1}$, and the first and second parameters are set as follows:
1) If only the first principle is to be satisfied, method one is employed: M = km, where k and $a_1, a_2, \ldots, a_{t-1}$ are secret integers; for example, k is a randomly selected secret integer and $a_1, a_2, \ldots, a_{t-1}$ are randomly selected from a sufficiently large set of integers (e.g. $\mathbb{Z}_M$);
2) If the first and second principles are to be satisfied at the same time, method two is employed: M = km, where k and $a_1, a_2, \ldots, a_{t-1}$ are secret integers, and M is infinitely close to a public constant N, which should be large enough to give k a sufficiently wide choice that k is not easily guessed; for example, N is set much larger than the multiplication modulus N' used by the RSA encryption operation, k is the integer minimizing |km - N|, and $a_1, a_2, \ldots, a_{t-1}$ are randomly selected from a sufficiently large set of integers (e.g. $\mathbb{Z}_M$).
The principles of [0006] to [0010] and the method of [0012] can likewise be somewhat simplified while retaining the innovative concept and its advantages: the second parameters all take the same integer, $M_1 = M_2 = \cdots = M_n$, denoted M. For distributed use, the private-key sharing method of Paillier is then $s_i = F(P_i) \bmod M$ with $F(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{t-1} x^{t-1}$, and the first and second parameters are set as follows.
1) If only the first principle is to be satisfied, method one is employed: M = km, where k and $a_1, a_2, \ldots, a_{t-1}$ are secret integers. For example, k = k'N', where k' is a secret integer randomly selected over a sufficiently large range (so as to contain a large prime factor) and $N'^2$ is the multiplication modulus used by the Paillier encryption operation; $a_1, a_2, \ldots, a_{t-1}$ are randomly selected from a sufficiently large set of integers (e.g. $\mathbb{Z}_M$).
2) If the first and second principles are to be satisfied at the same time, method two is employed: M = km with k = k'N', where k' and $a_1, a_2, \ldots, a_{t-1}$ are secret integers, and M is infinitely close to a published constant N, which should be large enough to give k' a sufficiently wide choice that k' is not easily guessed. For example, when $N'^2$ is the multiplication modulus of the encryption and decryption operations, N is set far greater than $N'^2$, k = k'N' with k' the integer minimizing |km - N|, and $a_1, a_2, \ldots, a_{t-1}$ are randomly selected from a sufficiently large set of integers (e.g. $\mathbb{Z}_M$).
When the RSA cipher is used in a distributed mode according to [0006] to [0011] and [0013], the encryption and signature-verification methods are unchanged; the distributed mode is mainly reflected in decryption and signature generation, and a special method is adopted when the key (the shared key) is generated. Unlike some prior systems, the public key e is randomly selected or computed in $\mathbb{Z}_m$, but e should differ substantially from a value chosen uniformly at random over the whole space $\mathbb{Z}_m$; the private key is then computed as $K = e^{-1} \bmod m$. For example, e is selected in $\mathbb{Z}_{N'}$, where N' is the multiplication modulus used by the RSA encryption, decryption and signature operations; or e is selected uniformly at random from a particular small subset of $\mathbb{Z}_m$ (e.g. integers of a particular length, excluding weak keys, a subset far smaller than $\mathbb{Z}_m$ and not uniformly distributed within $\mathbb{Z}_m$).
The method of [0006] to [0011] and [0013] can also add some operations to achieve verifiability, namely that the initiator can be verified to have distributed the RSA private key correctly and that the private key corresponding to e (the public key) can be restored from any t fragments. The initiator publishes a large cyclic group in $\mathbb{Z}_{N'}$, selects a generator V of that group, computes $v = V^K \bmod N'$ and the values $v_i$ for i = 1, 2, ..., n, and publishes V, v and the $v_i$. The verification operations are as follows.
1) Each cooperator with identification value $P_i$, having obtained $s_i$, can then verify its own fragment against the published values.
2) Anyone, including all cooperators, can verify $v^e \equiv V \pmod{N'}$; and, optionally, take a set S of any t cooperator identification values to verify the corresponding relation, where z is a public integer compatible with e: for any i in {1, 2, ..., n}, z must contain as factors all possible $P_j - P_i$ with $P_j \in S$, $j \ne i$, so that computing $u_i$ yields an integer $u_i$ without any modular operation. Here V is called the fifth parameter, v the sixth parameter, $v_i$ the seventh parameter and z the eighth parameter.
To match the choice of parameter z in [0016], the method of [0006] to [0011] and [0013] may sometimes employ an optimization: small integers $P_1, P_2, \ldots, P_n$ are selected as the cooperators' identification values, e.g. $P_i = i$, so that z can be chosen as small as possible to improve computational efficiency.
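As an added worked example (not part of the patent text), the following Python walks through method one of [0013] for RSA: a single secret modulus M = km, fragments $s_i = F(P_i) \bmod M$ with $P_i = i$, and a distributed decryption in which each cooperator uses only its own fragment and the integer z of [0016] replaces modular inverses in the combination, so that the wrap-around by multiples of M = km disappears in the exponent. It uses a constructed toy RSA key, takes the trapdoor m as φ(N'), chooses z = n!, and reads "z compatible with e" as gcd(z, e) = 1; these choices are mine, not the patent's.

```python
"""Toy threshold RSA with fragments s_i = F(P_i) mod M, M = k*m ([0013], method one).
Added example for this page, not the applicant's code.  Constructed toy parameters.
Assumptions (mine): trapdoor m = phi(N'); P_i = i; z = n! (divisible by every
product of differences P_j - P_i when P_i = i); "z compatible with e" = gcd(z, e) = 1.
Needs Python 3.8+ for pow(x, -1, mod)."""
import math
import secrets
from itertools import combinations


def keygen_toy():
    """Constructed toy RSA key; returns (N', e, K, m) with K = e^-1 mod m."""
    p, q = 1000003, 1000033            # constructed small primes (toy size only)
    N = p * q                          # multiplication modulus N'
    m = (p - 1) * (q - 1)              # trapdoor phi(N'): must stay secret
    e = 65537
    K = pow(e, -1, m)                  # private key K as in [0015]
    return N, e, K, m


def share_private_key(K, m, t, n, k_bits=256):
    """M = k*m with secret k; F(0) = K, other coefficients random in Z_M;
    fragment i is F(P_i) mod M with P_i = i.  Returns (shares, M)."""
    k = secrets.randbits(k_bits) | (1 << (k_bits - 1))   # secret k, top bit set
    M = k * m
    coeffs = [K] + [secrets.randbelow(M) for _ in range(t - 1)]

    def F(x):
        return sum(a * x ** j for j, a in enumerate(coeffs))

    return {i: F(i) % M for i in range(1, n + 1)}, M


def lagrange_int(S, i, z):
    """z * prod_{j in S, j != i} P_j / (P_j - P_i) as an exact integer (P_i = i),
    so the combination needs no modular inverse: the role of z in [0016]."""
    num, den = z, 1
    for j in S:
        if j != i:
            num *= j
            den *= j - i
    assert num % den == 0, "z must absorb every difference P_j - P_i"
    return num // den


def partial_decrypt(c, s_i, N):
    """A cooperator raises the ciphertext to its own fragment only; K is never rebuilt."""
    return pow(c, s_i, N)


def combine(c, partials, S, z, e, N):
    """sum_i s_i*lambda_i = z*K + T*M for an integer T; since M = k*m and
    m = phi(N'), c^(T*M) = 1 mod N', so the product is c^(z*K).  With
    a*z + b*e = 1: c^K = (c^(z*K))^a * (c^(e*K))^b = (c^(z*K))^a * c^b."""
    w = 1
    for i in S:
        w = w * pow(partials[i], lagrange_int(S, i, z), N) % N   # lambda may be < 0
    a = pow(z, -1, e)                  # a*z = 1 mod e  (needs gcd(z, e) = 1)
    b = (1 - a * z) // e               # exact division: b*e = 1 - a*z
    return pow(w, a, N) * pow(c, b, N) % N


def run_threshold_check(t=3, n=5, msg=123456789):
    """Returns (every t-subset decrypts correctly, some (t-1)-subset does)."""
    N, e, K, m = keygen_toy()
    shares, M = share_private_key(K, m, t, n)
    z = math.factorial(n)
    c = pow(msg, e, N)                 # encryption is unchanged ([0015])

    def decrypt_with(S):
        partials = {i: partial_decrypt(c, shares[i], N) for i in S}
        return combine(c, partials, S, z, e, N)

    parties = range(1, n + 1)
    enough = all(decrypt_with(S) == msg for S in combinations(parties, t))
    too_few = any(decrypt_with(S) == msg for S in combinations(parties, t - 1))
    return enough, too_few


if __name__ == "__main__":
    print(run_threshold_check())       # (True, False)
```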
For the parameters v and $v_i$ of [0016], a mechanism may sometimes be employed to show publicly that they are indeed in the selected cyclic group. For example, the cyclic group is chosen as the group of all squares modulo N' (squares modulo N' are also called quadratic residues in $\mathbb{Z}_{N'}^*$). The initiator first selects an integer v' and computes the corresponding $v'_i$, publishes v' and $v'_i$ for i = 1, 2, ..., n, with $v = v'^2 \bmod N'$ and each $v_i$ obtained from $v'_i$ in the same way; anyone can then publicly verify $v = v'^2 \bmod N'$ and the corresponding relations for the $v_i$, confirming that v and all $v_i$ are indeed in the selected cyclic group.
When the Paillier cipher is used in a distributed mode according to [0006] to [0010], [0012] and [0014], the encryption method is unchanged, but when the initiator generates the key (the shared key) it is slightly adjusted compared with the key used in a centralized mode. p' and q' are large primes such that p = 2p' + 1 and q = 2q' + 1 are also large primes; m = p'q' is the trapdoor, N' = pq, and $N'^2$ is the multiplication modulus of the encryption operation; K = km is the private key, where k is a randomly selected integer; the public key consists of N' and g, where g generates, modulo $N'^2$, a cyclic multiplicative group whose order is a multiple of N'. Note that order(g)/N' must not be too small and should contain a large prime factor, so that it cannot be recovered by factoring when it appears as a multiplicative factor.
The method of [0006] to [0010], [0012] and [0014] can further add some operations to achieve verifiability, namely that the initiator can be verified to have distributed the Paillier private key correctly and that the Paillier private key can be restored from any t fragments. The initiator publishes a large cyclic group in $\mathbb{Z}_{N'^2}^*$, selects a generator V of that group, computes $v = V^K \bmod N'^2$ and the values $v_i$ for i = 1, 2, ..., n, and publishes V (fifth parameter), v (sixth parameter) and the $v_i$ (seventh parameter). The verification operations are as follows.
1) Each cooperator with identification value $P_i$, having obtained $s_i$, can then verify its own fragment against the published values.
2) Anyone, including all cooperators, can verify one or both of the two equations $v \equiv 1 \pmod{N'}$ and $v^{N'} \equiv 1 \pmod{N'^2}$; and, optionally, take a set S of any t cooperator identification values to verify the corresponding relation, where z (eighth parameter) is a public integer compatible with e: for any i in {1, 2, ..., n}, z must contain as factors all possible $P_j - P_i$ with $P_j \in S$, $j \ne i$, so that computing $u_i$ yields an integer $u_i$ without any modular operation.
To match the choice of parameter z in [0020], the method of [0006] to [0010], [0012] and [0014] may sometimes employ an optimization: small integers $P_1, P_2, \ldots, P_n$ are selected as the cooperators' identification values, e.g. $P_i = i$, so that z can be chosen as small as possible to improve computational efficiency.
For the parameters v and $v_i$ of [0020], a mechanism may sometimes be employed to show publicly that they are indeed in the selected cyclic group. For example, the cyclic group is chosen as the group of all squares modulo $N'^2$ (squares modulo $N'^2$ are also called quadratic residues in $\mathbb{Z}_{N'^2}^*$). The initiator first selects an integer v' and computes the corresponding $v'_i$, publishes v' and $v'_i$ for i = 1, 2, ..., n, with $v = v'^2 \bmod N'^2$ and each $v_i$ obtained from $v'_i$ in the same way; anyone can then publicly verify $v = v'^2 \bmod N'^2$ and the corresponding relations for the $v_i$, confirming that v and all $v_i$ are indeed in the selected cyclic group.
Embodiments of [0006] to [0022] require the secure distribution of RSA and Paillier ciphers for distributed use. The device is used for distributing the private keys of RSA and Paillier ciphers in a distributed cipher application system. The distributed cipher application embodiment comprises an initiator and n cooperators; the initiator distributes the private key to the n cooperators, and n is a natural number greater than or equal to 2. Each cooperator has a public and distinct identification value: the identification value of the first cooperator is the first identification value, that of the second cooperator is the second identification value, and so on. The device comprises:
● a random number generation module, used to generate random integers in a specified range;
● an acquisition module, used to acquire the private key (broadly including the trapdoor) provided by the initiator (or its key generation module), to communicate with the random number generation module, and to request and obtain random numbers;
● a distribution module, which from the input of the acquisition module generates the first polynomial (first parameters) and the moduli M (second parameters) that together form the private-key distribution function;
● a sending module, used to send the corresponding private-key fragments to the cooperators;
● a verification module, optionally employed, used to verify that the initiator operates honestly as required.
Each identification value is substituted into the private-key distribution function to obtain the corresponding private-key fragment: the identification value of the first cooperator gives the first fragment, that of the second cooperator gives the second fragment, and so on. When the correctness of the initiator's operation needs to be verified, the verification module can be added so that all cooperators, and even bystanders, can verify the initiator's operation.
Summary of the invention [0023]: the device is characterized in that the private key distribution function specially designed in the distribution module is s_i = F(P_i) mod M_i, where F(x) = a_0 + a_1 x + a_2 x^2 + ... + a_{t-1} x^{t-1}, t is a natural number and 1 < t ≤ n. Here a_0, a_1, a_2, ..., a_{t-1} are referred to as the first parameter and M_i as the second parameter. The most critical core feature is that a_1, a_2, ..., a_{t-1} in the first parameter and the second parameter M_i are selected and set according to the rules and methods specified in Summary of the invention [0006]~[0012], which ensures that the private key information revealed by the fragments is so little as to be negligible.

According to Summary of the invention [0023] and [0024], a specific implementation of the device follows Summary [0011] and [0012]: in the distribution module, set M_i = G_i(T, m), where m is the trapdoor of the cipher and T is the private key or another uncompromised secret parameter; G_i() must be a one-way function, with no linear-time algorithm G_i^{-1}(). For example, G_i() is set as M_i = k_i m, where the third parameter k_i is a secret integer and k_i can be set so that |k_i m - N_i| is minimal, N_i being the fourth parameter, typically set and disclosed at system start-up. The specific settings of the third parameter k_i and the fourth parameter N_i in the RSA and PAILLIER environments are implemented according to Summary [0011] and [0012], respectively. Correspondingly, a_1, a_2, ..., a_{t-1} in the first parameter are randomly selected from a range set according to M_i, for example by the random number generation module from a sufficiently large set of integers (in principle the size of this set should be no smaller than M_1, M_2, ..., M_n).

The device of Summary of the invention [0023], [0024] and [0025] may also, according to Summary [0013] and [0014], simplify the distribution module somewhat while retaining its innovative ideas and advantages. That is, the second parameter in the distribution module takes only one integer M_1 = M_2 = ... = M_n, denoted M. Specifically, M = km, where k and a_1, a_2, ..., a_{t-1} are secret integers; e.g. k is a secret integer randomly selected over a sufficiently large range (so as to contain a large prime factor) and a_1, a_2, ..., a_{t-1} are randomly selected from a sufficiently large set of integers (e.g. Z_M). And k can be set to minimize |km - N|, where the different N_i are reduced to a single published constant N. This means that M is made as close as possible to the published constant N; N should be large enough to give k a sufficiently broad choice to ensure that k is not easily guessed. For example, for RSA cryptography, N is set much larger than the multiplication modulus used for the encryption operation, k is the integer that minimizes |km - N|, and a_1, a_2, ..., a_{t-1} are randomly selected from a sufficiently large set of integers (e.g. Z_M). For another example, for the PAILLIER cipher, when N'^2 is used as the multiplication modulus for the encryption and decryption operations, N is set much larger than N'^2, k = k'N' where k' is the integer such that |km - N| is minimal, and a_1, a_2, ..., a_{t-1} are randomly selected from a sufficiently large set of integers (e.g. Z_M).
The device of Summary of the invention [0023]~[0026] may also be augmented with a verification module to enable all cooperators and even bystanders to verify the correctness of the initiator's operation when the RSA cipher is used in distributed mode. Through the acquisition module, the verification module requests the initiator to disclose a large cyclic group in Z_{N'}, select a generator v from that group, and calculate V = v^K mod N' and [formula not extracted]. The verification module publishes V, v and v_i, and sends s_i through the sending module to the cooperator with identification value P_i. Each cooperator with identification value P_i, having obtained s_i, can verify [formula not extracted]. Once all of V, v and v_i (fifth, sixth and seventh parameters) are published, anyone, including all cooperators, can verify V^e = v mod N', and can optionally choose a set S containing any t cooperator identification values to verify [formula not extracted], where u_i is given by [formula not extracted]. Here z (the eighth parameter) is a public integer coprime to e; for any i ∈ {1, 2, ..., n} it must contain every possible P_j - P_i (j ∈ S, j ≠ i) as a factor, so that computing u_i yields an integer u_i without any modulo operation. Only if all verifications pass does the verification module accept the integrity of the initiator.

Summary of the invention [0027]: a parameter presentation sub-module may be employed as necessary to publicly show that the parameters v and v_i are indeed in the selected cyclic group. For example, when that cyclic group is selected to be the group of all squares modulo N' (squares with modulus N' are also called quadratic residues in [formula not extracted]), the initiator first optionally selects an integer v' and calculates [formula not extracted], then publishes v' and v'_i for i = 1, 2, ..., n together with v = v'^2 mod N' and v_i = v'_i^2 mod N' for i = 1, 2, ..., n. Anyone can publicly verify v = v'^2 mod N' and v_i = v'_i^2 mod N' for i = 1, 2, ..., n to confirm that v and all v_i are indeed in the selected cyclic group.

The device of Summary of the invention [0023]~[0026] may also be augmented with a verification module to enable all cooperators and even bystanders to verify the correctness of the initiator's operation when the PAILLIER cipher is used in distributed mode. Through the acquisition module, the verification module requests the initiator to disclose a large cyclic group in [formula not extracted], select a generator v from that group, and calculate V = v^K mod N'^2 and [formula not extracted]. The verification module publishes V, v and v_i, and sends s_i through the sending module to the cooperator with identification value P_i. Each cooperator with identification value P_i, having obtained s_i, can verify [formula not extracted]. Once all of V, v and v_i (fifth, sixth and seventh parameters) are published, anyone, including all cooperators, can verify one or both of the two equations V = 1 mod N' and V^{N'} = 1 mod N'^2, and can optionally choose a set S containing any t cooperator identification values to verify [formula not extracted], where u_i is given by [formula not extracted]. Here z (the eighth parameter) is a public integer coprime to e; for any i ∈ {1, 2, ..., n} it must contain every possible P_j - P_i (j ∈ S, j ≠ i) as a factor, so that computing u_i yields an integer u_i without any modulo operation. Only if all verifications pass does the verification module accept the integrity of the initiator.

Summary of the invention [0029]: a parameter presentation sub-module may be employed as necessary to publicly show that the parameters v and v_i are indeed in the selected cyclic group. For example, when that cyclic group is selected to be the group of all squares modulo N'^2 (squares with modulus N'^2 are also called quadratic residues in [formula not extracted]), the initiator first optionally selects an integer v' and calculates [formula not extracted], then publishes v' and v'_i for i = 1, 2, ..., n together with v = v'^2 mod N'^2 and v_i = v'_i^2 mod N'^2 for i = 1, 2, ..., n. Anyone can publicly verify v = v'^2 mod N'^2 and v_i = v'_i^2 mod N'^2 for i = 1, 2, ..., n to confirm that v and all v_i are indeed in the selected cyclic group.
The methods and apparatus described in paragraphs [0006] to [0030] are, in particular embodiments, used to support subsequent distributed decryption or signing operations. A matching encryption/decryption and signature generation/verification device is specially designed. The selection of the public key must not easily reveal the private key or trapdoor information; encryption and signature verification are consistent with the original RSA and PAILLIER algorithms; distributed operations (decryption or signature generation) rely on three modules: a distributed computing module (responsible for each cooperator's partial decryption or signature operation), a synthesizing module (responsible for synthesizing the results of all partial operations), and a detection adjustment module (adjusting the synthesized result to ensure the correctness of the final result), which is sometimes required.

Corresponding to the methods of Summary [0006] to [0011] and [0013], and the apparatus of Summary [0015] to [0018], when the embodiments of Summary [0023] to [0031] are applied to distributed decryption with the RSA cipher, the distributed decryption method also differs from, and is not limited to, the prior art. The decryption operation relies on three modules: a partial decryption module, a decryption synthesis module, and a detection adjustment module that is needed in some cases. The partial decryption module may comprise a verification sub-module for verifying the correctness of each cooperator's partial decryption operation when required.

Summary of the invention [0032]: the partial decryption module works as follows. The ciphertext to be decrypted is denoted d; the cooperator assigned s_i uses the partial decryption module to calculate [formula not extracted], where x is a public integer coprime to e, referred to as the ninth parameter. If necessary, the partial decryption module may comprise a verification sub-module requiring the cooperator to give the zero-knowledge proof [formula not extracted], where y is a public integer coprime to e, called the tenth parameter; v (the fifth parameter, already defined) and v_i (the seventh parameter, already defined) were already calculated by the initiator at the time of private key sharing, and serve not only for the correctness check of the initiator's operation in Summary [0027] and [0028] but can also support the correctness check of the cooperator here. That is, v is a disclosed generator of a large cyclic group in Z_{N'}, and the initiator calculates [formula not extracted] with its own verification module; their values are published by the sending module of Summary [0023], by the initiator or by the cooperator, at the time of distribution or acceptance. When a specific application scenario needs to check whether the cooperator operates honestly, this zero-knowledge proof is selected so that the cooperator can show that the s_i fixed in v_i was used unchanged to calculate d_i, without leaking any information about s_i in the proof. This cyclic group may be specially chosen according to Summary [0028], and the parameter presentation sub-module of Summary [0028] can ensure that v and v_i are indeed in this cyclic group.

Summary of the invention [0032]: the decryption synthesis module, matched with the partial decryption module detailed in Summary [0033], works as follows. Regardless of whether the proof [formula not extracted] or a parameter presentation sub-module is adopted, all partial decryption results are delivered to the decryption synthesis module for processing; t cooperators participate, their identification values form a set S, and the partial decryption results are [formula not extracted], computed from s_i for i ∈ S.
1. [formula not extracted], where u_i is given by [formula not extracted]. Here z is a public integer coprime to e (already defined as the eighth parameter); for any i ∈ {1, 2, ..., n} it must contain every possible P_j - P_i as a factor, so that computing u_i yields an integer u_i without any modulo operation.
2. Integers a and b satisfying a·x·y·z + b·e = 1 are calculated using the extended Euclidean algorithm.
3. The decryption result is synthesized as h = w^a d^b mod N'.
4. Finally, a detection adjustment module can optionally be arranged to check [formula not extracted]; if it holds, h is output, otherwise -h mod N'. The detection adjustment module is not always necessary, but is sometimes unavoidable (e.g. when the cooperator gives no zero-knowledge proof when using the partial decryption module, or even [formula not extracted] but y is odd).
Corresponding to the methods of Summary [0006] to [0011] and [0013], and the apparatus of Summary [0015] to [0018], when the embodiments of Summary [0023] to [0031] are applied to the distributed use of RSA signatures, the distributed signature method also differs from, and is not limited to, the prior art. The signature operation relies on three modules: a partial signature module, a signature synthesis module, and a detection adjustment module that is sometimes required. The partial signature module may comprise a verification sub-module to verify the correctness of each cooperator's partial signature operation when required.

Summary of the invention [0035]: the partial signature module works as follows. The content to be signed, or its hash (original content of different lengths is usually processed by a hash function before signing), is denoted d; the cooperator assigned s_i uses the partial signature module to calculate [formula not extracted], where x is a disclosed integer coprime to e, the ninth parameter. If necessary, the partial signature module may include a verification sub-module requiring the cooperator to give the zero-knowledge proof [formula not extracted], where y is a public integer coprime to e, namely the tenth parameter; v (the fifth parameter) and v_i (the seventh parameter) were already calculated by the initiator at the time of private key sharing, and serve not only for the correctness check of the initiator's operation in Summary [0027] and [0028] but can also support the correctness check of the cooperator here. That is, v is a disclosed generator of a large cyclic group in Z_{N'}, and the initiator calculates [formula not extracted]; their values are published by the sending module of Summary [0023], by the initiator or by the cooperator, at the time of distribution or acceptance. When a specific application scenario needs to verify whether the cooperator operates honestly, this zero-knowledge proof is selected so that the cooperator can show that the s_i fixed in v_i was used unchanged to calculate d_i, without leaking any information about s_i in the proof. This cyclic group may be specially chosen according to Summary [0028], and the parameter presentation sub-module of Summary [0028] can ensure that v and v_i are indeed in this cyclic group.

Summary of the invention [0035]: the signature synthesis module, matched with the partial signature module detailed in Summary [0036], works as follows. Regardless of whether the proof [formula not extracted] or a parameter presentation sub-module is adopted, all partial signature results are processed by the signature synthesis module; t cooperators participate, their identification values form a set S, and the partial signature results are [formula not extracted], computed from s_i for i ∈ S.
1. [formula not extracted], where u_i is given by [formula not extracted]. Here z is a disclosed integer coprime to e, the eighth parameter; for any i ∈ {1, 2, ..., n} it must contain every possible P_j - P_i as a factor, so that computing u_i yields an integer u_i without any modulo operation.
2. Integers a and b satisfying a·x·y·z + b·e = 1 are calculated using the extended Euclidean algorithm.
3. The signature result is synthesized as h = w^a d^b mod N'.
4. Finally, a detection adjustment module can optionally be arranged to check [formula not extracted]; if it holds, h is output, otherwise -h mod N'. The detection adjustment module is not always necessary, but is sometimes unavoidable (e.g. when the cooperator gives no zero-knowledge proof when using the partial signature module, or even [formula not extracted] but y is odd).
Corresponding to the methods of Summary [0006] to [0010], [0012] and [0014], and the apparatus of Summary [0019] to [0022], when the embodiments of Summary [0023] to [0031] are applied to distributed decryption with the PAILLIER cipher (the PAILLIER cipher is not generally used for digital signatures), the distributed decryption method also differs from, and is not limited to, the prior art. The decryption operation relies on three modules: a partial decryption module, a decryption synthesis module, and a detection adjustment module that is needed in some cases. The partial decryption module may comprise a verification sub-module for verifying the correctness of each cooperator's partial decryption operation when required.

Summary of the invention [0038]: the partial decryption module works as follows. The ciphertext to be decrypted is denoted d; the cooperator assigned s_i uses the partial decryption module to calculate [formula not extracted] and [formula not extracted], where x is a disclosed integer corresponding to the ninth parameter defined in Summary [0033]. If necessary, the partial decryption module may comprise a verification sub-module requiring the cooperator to give the zero-knowledge proof [formula not extracted], where y is a public integer corresponding to the tenth parameter defined in Summary [0033]; v (the fifth parameter, already defined) and v_i (the seventh parameter, already defined) were already calculated by the initiator at the time of private key sharing, and serve not only for the correctness check of the initiator's operation in Summary [0029] and [0030] but can also support the correctness check of the cooperator here. That is, v is a disclosed generator of a large cyclic group in [formula not extracted], and the initiator calculates [formula not extracted]; their values are published by the sending module of Summary [0023], by the initiator or by the cooperator, at the time of distribution or acceptance. When a specific application scenario needs to verify whether the cooperator operates honestly, this zero-knowledge proof is selected so that the cooperator can show that the s_i fixed in v_i was used unchanged to calculate d_i and g_i, without leaking any information about s_i in the proof. This cyclic group may be specially chosen according to Summary [0030], and the parameter presentation sub-module of Summary [0030] can ensure that v and v_i are indeed in this cyclic group.

Summary of the invention [0038]: the decryption synthesis module, matched with the partial decryption module detailed in Summary [0039], works as follows. Regardless of whether the proof [formula not extracted] or a parameter presentation sub-module is adopted, all partial decryption results are delivered to the decryption synthesis module for processing; t cooperators participate, their identification values form a set S, and the partial decryption results are [formula not extracted], computed from s_i for i ∈ S.
1. [formula not extracted], where u_i is given by [formula not extracted]. Here z is a disclosed integer (corresponding to the eighth parameter already defined); for any i ∈ {1, 2, ..., n} it must contain every possible P_j - P_i as a factor, so that computing u_i yields an integer u_i without any modulo operation.
2. [formula not extracted], where [formula not extracted].
3. The decryption result h = L(w)/L(w') mod N' is synthesized, where L(u) = (u - 1)/N'.
4. During synthesis, the detection adjustment module monitors the computation of L(w) and L(w'). If (w - 1)/N' is not an integer, w is changed to -w and L(w) is recalculated; if (w' - 1)/N' is not an integer, w' is changed to -w' and L(w') is recalculated.
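As an added worked example (not code from the patent or its applicant), the following Python script carries the share function s_i = F(P_i) mod M with M = km of Summary [0023]~[0026], the z-scaled integer coefficients u_i and the a·x·y·z + b·e = 1 synthesis of the RSA steps following Summary [0033], and the PAILLIER synthesis h = L(w)/L(w') with its detection adjustment of Summary [0040], through on a toy key. The formulas the extracted text dropped are assumed here as d_i = d^{x s_i} (and g_i = g^{x s_i} for PAILLIER), w = Π_{i∈S} d_i^{y u_i}, and u_i = z Π_{j≠i} P_j/(P_j - P_i) with P_i = i and z = n!; the trapdoor m is taken as λ(N'), and for PAILLIER the share modulus is k'N'λ(N') as Summary [0026] prescribes. The primes, the constant N, the seeds, r and the plaintexts are constructed values far too small to be secure.

```python
# Added example (not the patent's code): toy t-of-n RSA and Paillier decryption
# with the patent's share function s_i = F(P_i) mod M, M = k*m.  Assumed
# (dropped from the extracted text): d_i = d^(x*s_i), w = prod d_i^(y*u_i),
# u_i = z * prod P_j/(P_j - P_i) with P_i = i and z = n!, trapdoor m = lambda(N').
# Primes, N, seeds, r and plaintexts are constructed toy values (not secure sizes).
from math import lcm, factorial, prod
import random

P, Q = 10007, 10009                   # constructed toy primes
NP = P * Q                            # N', the multiplication modulus
LAM = lcm(P - 1, Q - 1)               # lambda(N'), used as the trapdoor m

def share_private_key(K, m, n, t, N_pub, rng):
    """Initiator: M = k*m with k minimising |k*m - N_pub|; F(x) = K + a_1 x +
    ... + a_{t-1} x^{t-1} with a_j random in Z_M; P_i = i; s_i = F(P_i) mod M."""
    M = max(1, (N_pub + m // 2) // m) * m
    coeffs = [K] + [rng.randrange(M) for _ in range(t - 1)]
    return {i: sum(a * i**j for j, a in enumerate(coeffs)) % M
            for i in range(1, n + 1)}

def lagrange_u(z, i, S):
    """u_i = z * prod_{j in S, j != i} P_j / (P_j - P_i); exact because every
    P_j - P_i divides z = n! when P_i = i, so no modulo operation is needed."""
    num = z * prod(j for j in S if j != i)
    den = prod(j - i for j in S if j != i)
    assert num % den == 0
    return num // den

def bezout(xyz, e):
    """Integers a, b with a*xyz + b*e = 1 (the extended-Euclid step)."""
    a = pow(xyz, -1, e)               # requires gcd(xyz, e) == 1
    return a, (1 - a * xyz) // e

def combine_w(partials, S, y, z, mod):
    """w = prod_{i in S} d_i^(y*u_i) mod `mod`; negative u_i use inverses.
    The exponent is x*y*(z*K - c*M); since d^M == 1, the unknown c*M vanishes."""
    w = 1
    for i in S:
        w = w * pow(partials[i], y * lagrange_u(z, i, S), mod) % mod
    return w

def rsa_threshold_decrypt(n=5, t=3, x=1, y=1, seed=1):
    """Returns (h, plaintext); h must equal plaintext."""
    e = 65537
    K = pow(e, -1, LAM)               # private key, e*K == 1 (mod m)
    rng = random.Random(seed)
    shares = share_private_key(K, LAM, n, t, 10**40, rng)   # N >> N'
    z = factorial(n)
    plain = 123456789 % NP
    d = pow(plain, e, NP)             # ordinary RSA encryption
    S = [1, 3, 5]                     # any t of the n cooperators
    partials = {i: pow(d, x * shares[i], NP) for i in S}    # d_i
    w = combine_w(partials, S, y, z, NP)                    # d^(x*y*z*K)
    a, b = bezout(x * y * z, e)
    return pow(w, a, NP) * pow(d, b, NP) % NP, plain

def L(u):
    """Paillier L(u) = (u - 1)/N'; only defined when u == 1 (mod N')."""
    assert (u - 1) % NP == 0
    return (u - 1) // NP

def adjust(w):
    """Detection adjustment: if (w - 1)/N' is not an integer, use -w instead."""
    return w if (w - 1) % NP == 0 else (-w) % (NP * NP)

def paillier_threshold_decrypt(n=5, t=3, x=1, y=1, seed=1):
    """Returns (h, plaintext); h must equal plaintext."""
    N2 = NP * NP
    g = 1 + NP                        # standard Paillier generator
    K = LAM                           # Paillier private key
    rng = random.Random(seed)
    # share modulus M = k' * N' * lambda(N'), i.e. k = k'N' as the page requires
    shares = share_private_key(K, NP * LAM, n, t, 10**60, rng)
    z = factorial(n)
    plain = 987654321 % NP
    r = 12345                         # constructed; really drawn from Z*_{N'}
    d = pow(g, plain, N2) * pow(r, NP, N2) % N2   # Paillier encryption
    S = [2, 4, 5]
    d_parts = {i: pow(d, x * shares[i], N2) for i in S}   # d_i
    g_parts = {i: pow(g, x * shares[i], N2) for i in S}   # g_i
    w = adjust(combine_w(d_parts, S, y, z, N2))           # d^(x*y*z*K)
    w2 = adjust(combine_w(g_parts, S, y, z, N2))          # g^(x*y*z*K)
    return L(w) * pow(L(w2), -1, NP) % NP, plain

if __name__ == "__main__":
    print(rsa_threshold_decrypt(), paillier_threshold_decrypt())
```

With m = λ(N') the combined w is always 1 mod N', so the detection adjustment never fires on this toy key; it is kept because it is the check the page prescribes for the cases where the synthesized value can land on -w. Both decryptions also run with x = 3 and y = 2, since x, y and z only have to be coprime to e (RSA) or to N' (PAILLIER).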
The methods of Summary [0039] and [0040] may be slightly varied to form different variants. For example, to avoid the trouble that may be encountered in the calculation of the function L() during the synthesis of Summary [0040], the parameter y may be set to an even number in Summary [0039]. For another example, the partial decryption module and the decryption synthesis module described in Summary [0039] and [0040] can be simplified as follows.
● Simplified partial decryption module: calculate only [formula not extracted], without calculating [formula not extracted]; the correctness proof of the corresponding partial decryption is likewise reduced to the zero-knowledge proof [formula not extracted], without involving [formula not extracted].
● To compensate for the simplified partial decryption operation, when generating the PAILLIER public key (as described in Summary [0019]), K' = k × order(g) is added to the public key.
● Simplified decryption synthesis module: calculate [formula not extracted], where u_i is given by [formula not extracted] and z is as defined in Summary [0040]; no calculation of w' is required; the synthesized result is h = L(w)/(xyzK') mod N'. During synthesis, the detection adjustment module monitors the calculation of L(w); if (w - 1)/N' is not an integer, w is changed to -w and L(w) is recalculated.
In the embodiments of Summary of the invention [0031]~[0041], the selection of parameters may be optimized according to some additional principles. For example, a third principle: when computational efficiency needs to be improved, select small parameters x and y, such as x = y = 1 or y = 2. A fourth principle: select an even y to avoid the work of the detection adjustment module and simplify the flow. A fifth principle: select small integers P_1, P_2, ..., P_n, such as P_i = i, so that z can be chosen as small as possible to improve computational efficiency.
The method of Summary [0006] to [0022] and the device of Summary [0023] to [0030] can further be decentralized, i.e. the initiator is removed and all cooperators generate the key shares themselves through a distributed cooperation mechanism, so that dependence on and trust in any single individual is avoided entirely. The distributed generation and sharing of the key by all cooperators is a multiparty computation protocol. For example, in this protocol each cooperator generates its own private key seed in the way the initiator generates the private key in Summary [0006] to [0022], and distributes its own private key seed to all cooperators using the same sharing mechanism (a polynomial unique to itself and the accompanying modulo operation) of Summary [0006] to [0030]. Each cooperator combines the fragments allocated to it to obtain its final private key fragment, and the corresponding private key is the combination of the private key seeds of all cooperators. The initiator-less distributed cipher essentially has every cooperator also play the role of initiator, repeating the process of generating and sharing a private key n times; the n corresponding results are combined into the private key fragments finally shared by each party, the functions of the finally shared private keys can be combined under a threshold mechanism, and the distributed operations are realized as described in Summary [0031] to [0042]. The corresponding public key (including the public parameters of the cipher) can also be generated cooperatively by all cooperators; the specific secure multiparty computation protocol for distributively synthesizing the complete key is not the crux of the invention, and any secure multiparty computation protocol suited to the specific application scenario can be adopted.
Thus, the key is not generated by any single entity in the application system and is not known to anyone, yet it is still shared and used in a distributed manner by multiple parties.
The method of paragraphs [0006] to [0022], the apparatus of paragraphs [0023] to [0030], and the distributed decryption and distributed signature embodiments of paragraphs [0031] to [0042] address the general t-out-of-n scenario, i.e. t may be any threshold value not greater than n. There is a special scenario in which, when t = n, the generic distributed threshold mechanism becomes the special n-out-of-n case. As shown in fig. 3, this special case avoids the complex computation of private key distribution: the policy of the initiator distributing private key fragments to the cooperators is abandoned and instead each cooperator generates its own key fragment. All cooperators then give their key fragments to the initiator, which calculates the corresponding complete private key and the paired public key. After the initiator publishes the public key, the distributed cipher works normally, and the private key function is still completed by the cooperation of all cooperators. Although this particular regime only works at the n-out-of-n threshold, its benefits are apparent: there is no concern at all about secret information being leaked by the private key fragments, the key-sharing operation is avoided entirely, and the distributed decryption and signature operations are simpler.
According to Summary [0044], the key generation component of n-out-of-n distributed RSA consists of two main operations, fragment generation and key synthesis.
● Fragment generation: the i-th cooperator randomly selects a secret private key fragment s_i; all fragments are sent to the initiator.
● Key synthesis: the initiator itself randomly selects parameters to generate the multiplication modulus N' and the trapdoor m, then calculates the private key [formula not extracted] and the public key e = K^{-1} mod m.
The parameters u_1, u_2, ..., u_n are randomly selected integers, which may be public; depending on the application scenario they are selected by the cooperators, by the initiator, or by both. Note that e = K^{-1} mod m does not necessarily give a correct result every time: e.g. K^{-1} mod m may not exist, or the public key e is required to lie in a subset of Z_m and the actually calculated e falls outside that subset; in that case u_1, u_2, ..., u_n can be reselected and e recalculated. If necessary, the public key can even be calculated as e = (K^{-1} mod m) + εm, where ε is a secret integer randomly generated by the initiator; this variant avoids e revealing information about m through its distribution in Z_m. This variant of calculating e is more general in the form e = (K^{-1} mod M), where M adopts the definition in Summary [0013] and satisfies the first and second principles of Summary [0013].
The method of Summary [0045] requires a multi-module device to implement, comprising: a fragment generation module used by the cooperators to generate the private key fragments s_i; a key synthesis module used by the initiator to synthesize the complete key; a random number generation module that generates random numbers for both parties; a transmission module that transfers the private key fragments between the two parties and connects both of them to the random number generation module; and an acquisition module for obtaining the key from the initiator.
The methods and apparatus of Summary [0045] and [0046] can also be developed into a completely decentralized variant, i.e. without an initiator collecting the cooperators' key fragments to calculate the final private and public keys; instead, all cooperators themselves calculate a public key through multiparty computation, and the private key corresponding to it can be synthesized from everyone's private key fragments. That is, instead of the initiator's key synthesis module there is a multiparty computation module that helps all parties compute the complete public key for their private key fragments, and the transmission module takes over the communications of the multiparty computation between the parties and the channels through which they invoke the random number generation module. The acquisition module instead obtains the final calculation result, namely the public key, from the multiparty key synthesis. The most important module, the multiparty computation module, accomplishes the following tasks:
● the parties use a distributed composite generation protocol to jointly generate the RSA multiplication modulus N' with two large prime factors;
● the parties use a distributed inversion protocol to jointly compute the composite RSA public key from the distributed RSA private key.
A distributed factor test protocol may also be used to check that the published composite is indeed the product of two secret primes.
In the encryption and decryption embodiments, the key generation method and device of Summary [0045] to [0047] use the standard RSA encryption algorithm to encrypt plaintext, while the distributed decryption operation completed by all cooperators is a brand-new method; the decryption device comprises a partial decryption module, a decryption synthesis module, a detection adjustment module and an optional verification module. The partial decryption module helps each cooperator complete its own partial decryption work, the decryption synthesis module synthesizes the partial decryption results of all cooperators into the final decryption result, the detection adjustment module tests the correctness of the final decryption result and makes the necessary adjustment when an error occurs, and the verification module can prove the correctness of the related operations.
Summary of the invention [0048]: the partial decryption module organizes all cooperators to work as follows. For the ciphertext to be decrypted, denoted d, the cooperator possessing s_i uses the partial decryption module to calculate [formula not extracted], where x is a public integer coprime to e (similar to the ninth parameter in Summary [0033]).
The decryption synthesis module described in Summary [0048] works as follows. All n partial decryption results are delivered to the decryption synthesis module for processing.
1. [formula not extracted], where u_i follows the definition in Summary [0045] and y is a public integer coprime to e (similar to the tenth parameter in Summary [0033]).
2. Integers a and b satisfying a·x·y + b·e = 1 are calculated using the extended Euclidean algorithm.
3. The decryption result is synthesized as h = w^a d^b mod N'.
The decryption method and device of Summary [0049] and [0050] can be simplified by adjusting parameters, i.e. x = 1 or y = 1, or even x = y = 1. For example, when x = y = 1, the distributed partial decryption operation becomes [formula not extracted], while the decryption synthesis operation simplifies to [formula not extracted], where u_i follows the definition in Summary [0050] unchanged and the extended Euclidean algorithm can be omitted.
According to the decryption method and device of Summary [0049], [0050] and [0051], a detection adjustment module is sometimes required to detect and adjust the final decryption result. For example, when y is an odd number this detection adjustment is necessary. The detection adjustment module receives the result h output by the decryption synthesis module and checks [formula not extracted]; if it holds, h is output, otherwise -h mod N'.
The decryption method and device of summary [0049] to [0052] can also be complemented by a verification module that proves and verifies the correctness of each participant's operations. When the trust mechanism cannot guarantee the honesty and credibility of the participants and these need to be verified, the verification module requires the parties to cooperate to complete the following operations.
● In the initial public parameter selection stage, the cooperators jointly (depending on the particular scenario, also with the participation of the initiator) select a large cyclic group in Z_N' and choose a generator v of it (similar to the fifth parameter in summary [0016]).
● Each cooperator, when generating s_i for i = 1, 2, ..., n, calculates and publishes v_i for i = 1, 2, ..., n (similar to the seventh parameter in summary [0016]).
● The initiator, when generating the private key K, calculates and publicly issues V = v^K mod N' (similar to the sixth parameter in summary [0016]).
● Anyone can verify V^e = v mod N' together with the relation that ties V to the published v_i through the weights u_i, where u_i follows the definition in summary [0045].
● When completing the partial decryption operation of summary [0049], the cooperator gives a zero-knowledge proof of its correctness. When x = y = 1 as in summary [0051], this zero-knowledge proof reduces to log_d d_i = log_v v_i. When a specific application scenario needs to verify whether the cooperator operated honestly, this zero-knowledge proof is chosen to ensure that the cooperator used the same s_i that is fixed in v_i to calculate d_i, while leaking no information about s_i in the proof.
In the digital signature embodiments, the key generation method and device described in summary [0045] to [0047] employ the standard RSA signature verification algorithm to verify the digital signature, while the electronic signature is generated by a novel distributed signature protocol in which all parties participate. The signature generation device consists of a partial signature module, a signature synthesis module, a detection and adjustment module and an optional verification module. The partial signature module helps each cooperator complete its own partial signature work; the signature synthesis module synthesizes the parties' partial signature results into the final signature; the detection and adjustment module tests the correctness of the final signature and makes the necessary adjustment when it is wrong; and the verification module can prove the correctness of the related operations.
The partial signature module of summary [0054] organizes all cooperators to work as follows. The content to be signed, or its hash (original content of varying length is usually processed by a hash function before signing), is denoted d; the cooperator assigned s_i uses the partial signature module to compute its partial signature d_i, where x is a public integer coprime to e (similar to the ninth parameter in summary [0033]).
The signature synthesis module of summary [0054] works as follows. All n partial signature results are handed to the signature synthesis module for processing.
1. Compute w from the n partial signature results using the weights u_i and the public exponent y, where u_i follows the definition in summary [0045] and y is a public integer coprime to e (similar to the tenth parameter in summary [0033]).
2. Compute integers a and b satisfying a·x·y + b·e = 1 using the extended Euclidean algorithm.
3. The signature is then synthesized as h = w^a · d^b mod N'.
The signature method and device of summary [0055] and [0056] can be simplified by adjusting the parameters, i.e. x = 1 or y = 1, or even x = y = 1. For example, when x = y = 1 both the distributed partial signature operation and the signature synthesis operation take a simpler form, with u_i keeping the definition of summary [0056] unchanged, and the extended Euclidean algorithm can be omitted.
For the signature method and device of summary [0055], [0056] and [0057], a detection and adjustment module is sometimes required to detect and adjust the final signature; for example, when y is odd this detection and adjustment is necessary. The detection and adjustment module receives the result h output by the signature synthesis module and checks it: if the check passes it outputs h, otherwise it outputs -h mod N'.
The signature method and device of summary [0055] to [0058] can also be complemented by a verification module that proves and verifies the correctness of each participant's operations. When the trust mechanism cannot guarantee the honesty and credibility of the participants and these need to be verified, the verification module requires the parties to cooperate to complete the following operations.
● In the initial public parameter selection stage, the cooperators jointly (depending on the specific scenario, also with the participation of the initiator) select a large cyclic group in Z_N' and choose a generator v of it (similar to the fifth parameter in summary [0016]).
● Each cooperator, when generating s_i for i = 1, 2, ..., n, calculates and publishes v_i for i = 1, 2, ..., n (similar to the seventh parameter in summary [0016]).
● The initiator, when generating the private key K, calculates and publicly issues V = v^K mod N' (similar to the sixth parameter in summary [0016]).
● Anyone can verify V^e = v mod N' together with the relation that ties V to the published v_i through the weights u_i, where u_i follows the definition in summary [0045].
● When completing the partial signature operation of summary [0055], the cooperator gives a zero-knowledge proof of its correctness. When x = y = 1 as in summary [0057], this zero-knowledge proof reduces to log_d d_i = log_v v_i. When a specific application scenario needs to verify whether the cooperator operated honestly, this zero-knowledge proof is chosen to ensure that the cooperator used the same s_i that is fixed in v_i to calculate d_i, while leaking no information about s_i in the proof.
The work of the initiator described in summary [0053] and [0059] can be done by all cooperators through multiparty computation when complete decentralization makes the initiator unnecessary. For example, V can be calculated and output by the multiparty computation protocol of summary [0047] at the same time as the RSA public/private key pair is computed from the private key fragments.
The verification work of summary [0053] and [0059] can also ensure that v and the v_i are indeed in the cyclic group used. For example, that cyclic group is chosen as the set of all squares modulo N' (squares modulo N' are also called quadratic residues modulo N'); in this case an integer v' is first chosen and the v'_i for i = 1, 2, ..., n are calculated from it, v' and the v'_i are published, and v = v'^2 mod N' and v_i = v'_i^2 mod N' for i = 1, 2, ..., n. Anyone can then publicly verify v = v'^2 mod N' and v_i = v'_i^2 mod N' for i = 1, 2, ..., n to confirm that v and all v_i are indeed in the selected cyclic group.
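The following is an added, runnable illustration of the n-out-of-n RSA protocol of summary [0048] to [0059], written for this page and not taken from the patent. Decryption and signing share the same partial/synthesis/detection steps, so one block serves both the decryption section and the signature section, and it also covers the verification values v, v_i, V and the equal-discrete-log proof of the last paragraphs. Where this extract does not show a formula, the code makes labelled assumptions: the private key K satisfies e·K ≡ 1 (mod λ(N')) and is shared as Σ u_i·s_i ≡ K (mod M) with M = k·m; the partial result is d_i = d^{x·s_i} mod N'; the synthesis product is w = Π d_i^{u_i·y} mod N'; the detection check is h^e ≡ d (mod N'); the relation between V and the v_i is V = Π v_i^{u_i} mod N'; and the zero-knowledge proof is a Fiat-Shamir equal-discrete-log proof with an integer response. The safe primes are constructed toy values, and k is taken even so that λ(N') = 2m divides M.

```python
"""n-out-of-n distributed RSA decryption/signature, verification values and an
equal-discrete-log proof.  Added example for this page, not the patent's own code;
the formulas the extract does not show are assumptions (see the lead-in)."""
import hashlib
import math
import random
import secrets

# Constructed toy safe primes p = 2p'+1, q = 2q'+1 (far too small for real use).
P_, Q_ = 1019, 1013
N = (2 * P_ + 1) * (2 * Q_ + 1)      # N' in the text: 2039 * 2027
M_TRAP = P_ * Q_                      # m = p'q'; lambda(N') = 2m
E = 65537                             # public exponent e

def _unit(rng):
    """Random element of Z_N'^*."""
    while True:
        a = rng.randrange(2, N)
        if math.gcd(a, N) == 1:
            return a

def keygen(n, seed=None):
    """Initiator: private key K, weights u_i, shares s_i and verification values v, v_i, V."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    K = pow(E, -1, 2 * M_TRAP)                         # e*K = 1 (mod lambda(N'))
    # Assumption: shares satisfy sum(u_i*s_i) = K (mod M) with M = k*m, k secret; k is
    # taken even so that lambda(N') divides M and the exponent reduction is exact.
    M = 2 * rng.randrange(1 << 20, 1 << 21) * M_TRAP
    u = [rng.randrange(1, 1 << 32) for _ in range(n)]
    while math.gcd(u[-1], M) != 1:                     # u_n must be invertible mod M
        u[-1] = rng.randrange(1, 1 << 32)
    s = [rng.randrange(M) for _ in range(n - 1)]
    s.append((K - sum(a * b for a, b in zip(u, s))) * pow(u[-1], -1, M) % M)
    v = pow(_unit(rng), 2, N)                          # v = v'^2: a quadratic residue mod N'
    return {"K": K, "M": M, "u": u, "s": s, "v": v,
            "vs": [pow(v, s_i, N) for s_i in s],       # v_i = v^{s_i}, published by cooperator i
            "V": pow(v, K, N)}                         # V = v^K, published by the initiator

def partial_decrypt(d, s_i, x=1):
    """Cooperator i: d_i = d^{x s_i} mod N' (also the partial signature when d is the hash)."""
    return pow(d, x * s_i, N)

def synthesize(d, parts, u, x=1, y=1):
    """w = prod d_i^{u_i y}; a*x*y + b*e = 1 by extended Euclid; h = w^a * d^b mod N'."""
    w = 1
    for d_i, u_i in zip(parts, u):
        w = w * pow(d_i, u_i * y, N) % N
    a = pow(x * y, -1, E)                  # a*x*y = 1 (mod e), so b below is an exact integer
    b = (1 - a * x * y) // E               # b <= 0: pow() with a negative exponent inverts mod N'
    return pow(w, a, N) * pow(d, b, N) % N

def detect_adjust(h, d):
    """Assumed check: h is right iff h^e = d mod N'; otherwise output -h mod N'."""
    return h if pow(h, E, N) == d else (-h) % N

def distributed_decrypt(d, key, x=1, y=1):
    """Full run: partial results from every cooperator, synthesis, detection/adjustment."""
    parts = [partial_decrypt(d, s_i, x) for s_i in key["s"]]
    return detect_adjust(synthesize(d, parts, key["u"], x, y), d)

def verify_key_shares(key):
    """Anyone: V^e = v mod N' and V = prod v_i^{u_i} mod N' (assumed form of that relation)."""
    prod = 1
    for v_i, u_i in zip(key["vs"], key["u"]):
        prod = prod * pow(v_i, u_i, N) % N
    return pow(key["V"], E, N) == key["v"] and prod == key["V"]

def _challenge(*vals):
    digest = hashlib.sha256("|".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest[:16], "big")

def zk_prove(d, d_i, v, v_i, s_i, M):
    """Cooperator i proves log_d d_i = log_v v_i (the x = y = 1 case) without revealing s_i:
    Fiat-Shamir equal-discrete-log proof whose response stays an integer, since the group
    order is secret; r is drawn far wider than c*s_i so that z statistically hides s_i."""
    r = secrets.randbelow(M << 256)
    A, B = pow(v, r, N), pow(d, r, N)
    c = _challenge(v, v_i, d, d_i, A, B)
    return A, B, r + c * s_i

def zk_verify(d, d_i, v, v_i, proof):
    A, B, z = proof
    c = _challenge(v, v_i, d, d_i, A, B)
    return (pow(v, z, N) == A * pow(v_i, c, N) % N
            and pow(d, z, N) == B * pow(d_i, c, N) % N)

if __name__ == "__main__":
    key = keygen(3, seed=2022)
    d = pow(123457, E, N)                          # standard RSA encryption of a toy plaintext
    print("decrypt:", distributed_decrypt(d, key, x=1, y=2) == 123457)
    sig = distributed_decrypt(987654, key)         # same synthesis with d = value to sign
    print("signature:", pow(sig, E, N) == 987654, "shares:", verify_key_shares(key))
    d_0 = partial_decrypt(d, key["s"][0])
    proof = zk_prove(d, d_0, key["v"], key["vs"][0], key["s"][0], key["M"])
    print("proof:", zk_verify(d, d_0, key["v"], key["vs"][0], proof))
```

Because M is a multiple of λ(N') here, the exponent Σ u_i·s_i = K + t·M behaves exactly like K and the sign correction in detect_adjust is only a safety net; the patent's remark that the correction becomes necessary for odd y refers to choices of M where that multiple-of-λ property does not hold. The proof response z = r + c·s_i is deliberately not reduced, because nobody other than the initiator knows the order of the group, and the 256 extra bits in r are what keep z from revealing s_i.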
According to summary [0044], the key generation component of the n-out-of-n distributed PAILLIER consists of two main operations: fragment generation and key synthesis.
1. Fragment generation: the i-th cooperator randomly selects a secret private key fragment s_i, and all fragments are sent to the initiator.
2. Key synthesis: the initiator randomly selects parameters to generate a hard-to-factor composite number N' and the trapdoor m, with N'^2 as the multiplication modulus. The initiator selects random integers α, β and κ from the appropriate range, then calculates the public key parameter g = (1+N')^α · β^{N'} mod N'^2 and the private key K = mκ. Key release: the public key comprises the public parameters together with σ = αmκ or σ = αmκ mod N'.
The parameters u_1, u_2, ..., u_n are randomly selected integers, which may be chosen by the cooperators, by the initiator or by a combination of them depending on the application scenario. Similar to the first principle in summary [0013], M = km is set, where k is a secret integer (containing a large prime) randomly selected from a sufficiently large range, subject only to the requirement that no private key information is revealed. If the first and second principles of summary [0013] are both to be satisfied, the arrangement is further strengthened: M = km, and k and M are chosen so that M is as close as possible to a published constant N, while N is large enough to give k a sufficiently wide choice so that k is not easily guessed; for example, N is set much larger than the multiplication modulus used by the PAILLIER encryption operation (i.e. N'^2), and k is the integer that minimizes |km - N|.
The method of summary [0062] requires a multi-module device to implement it, comprising: a fragment generation module used by the cooperators to generate the private key fragments s_i; a key synthesis module used by the initiator to synthesize the complete key; a random number generation module that supplies random numbers to both sides; a transmission module that carries the private key fragments between the parties and their communication with the random number generation module; and an acquisition module for obtaining the key from the initiator.
The method and device of summary [0062] and [0063] can also be developed into a completely decentralized variant, i.e. without needing an initiator to collect the cooperators' key fragments and calculate the final private and public keys: all cooperators themselves compute the public key by multiparty computation, and the corresponding private key can be synthesized from everyone's private key fragments. That is, instead of the initiator's key synthesis module there is a multiparty computation module that helps all parties compute the complete public key corresponding to their private key fragments; the transmission module takes over the communication of the multiparty computation between the parties and the channels by which they call the random number generation module; and the acquisition module obtains the final result of the key synthesis multiparty computation, namely the public key. The most important module, the multiparty computation module, accomplishes the following tasks:
● Multiple parties jointly generate a large composite number N' with two large prime factors using a distributed composite number generation protocol, thereby obtaining the multiplication modulus N'^2 of the encryption computation.
● The parties use a distributed computing protocol to jointly compute the other parts of the PAILLIER public key, yielding the synthesized public key.
A distributed factor test protocol can also be used to check that the published composite number is indeed the product of two secret primes.
In cooperation with summary [0062], for plaintext η the PAILLIER encryption algorithm is adjusted to:
1. The first part of the ciphertext is c_1 = g^η · r^{N'} mod N'^2, with r randomly selected from Z_N'^*;
2. The second part of the ciphertext is c_2 = c_1^μ mod N'^2.
In conjunction with summary [0064] to [0065], for the ciphertext (c_1, c_2) the PAILLIER distributed decryption protocol comprises a partial decryption module, a decryption synthesis module and a detection and adjustment module:
1. The cooperator assigned s_i uses the partial decryption module to compute its partial decryption result d_i, where x is a public integer coprime to e (similar to the ninth parameter in summary [0039]).
2. First step of the decryption synthesis module: compute w from the partial decryption results using the weights u_i and the public exponent y, where u_i follows the definition in summary [0062] and y is a public integer coprime to e (similar to the tenth parameter in summary [0039]).
3. Second step of the decryption synthesis module: h = L(w · c_2^{xy}) / (xyσ) mod N', where the function L() keeps the definition given in summary [0041] and earlier.
4. Detection and adjustment module: monitors the computation of L(w · c_2^{xy}). If (w · c_2^{xy} - 1)/N' is not an integer, w · c_2^{xy} is replaced by -w · c_2^{xy} and L() is recalculated.
The decryption method and device of summary [0066] can be simplified by adjusting the parameters, i.e. x = 1 or y = 1, or even x = y = 1. For example, when x = y = 1 the distributed partial decryption operation and the first synthesis step take a simpler form and h = L(w · c_2) / σ mod N', where u_i keeps the definition of summary [0062] unchanged.
The encryption and decryption method and device of summary [0065] to [0067] can also be complemented by a verification module that proves and verifies the correctness of each participant's operations. When the trust mechanism cannot guarantee the honesty and credibility of the participants and these need to be verified, the verification module requires the parties to cooperate to complete the following operations.
● In the initial public parameter selection stage, the cooperators (depending on the specific scenario, with the participation of the initiator) select a large cyclic group and choose a generator v of it (similar to the fifth parameter in summary [0020]).
● Each cooperator, when generating s_i for i = 1, 2, ..., n, calculates and publishes v_i for i = 1, 2, ..., n (similar to the seventh parameter in summary [0020]).
● The initiator, when generating the private key K, calculates and publicly issues V = v^K mod N'^2 (similar to the sixth parameter in summary [0020]).
● Anyone, including all cooperators, can verify one or both of the two equations V = 1 mod N' and V^n = 1 mod N'^2.
● Anyone can verify the relation that ties V to the published v_i through the weights u_i, where u_i follows the definition in summary [0062].
● When completing the partial decryption operation of summary [0066], the cooperator gives a zero-knowledge proof of its correctness. When x = y = 1 as in summary [0067], this zero-knowledge proof reduces to a simpler form. When a specific application scenario needs to verify whether the cooperator operated honestly, this zero-knowledge proof is chosen to ensure that the cooperator used the same s_i that is fixed in v_i to calculate d_i, while leaking no information about s_i in the proof.
The work of the initiator described in summary [0068] can be done by all cooperators through multiparty computation when complete decentralization makes the initiator unnecessary. For example, V can be calculated and output by the multiparty computation protocol of summary [0064] at the same time as the PAILLIER public/private key pair is calculated from the private key fragments.
The verification work of summary [0068] can also ensure that v and the v_i are indeed in the cyclic group used. For example, that cyclic group is chosen as the set of all squares modulo N'^2 (squares modulo N'^2 are also called quadratic residues modulo N'^2); in this case an integer v' is first chosen and the v'_i for i = 1, 2, ..., n are calculated from it, v' and the v'_i are published, and v = v'^2 mod N'^2 and v_i = v'_i^2 mod N'^2 for i = 1, 2, ..., n. Anyone can then publicly verify v = v'^2 mod N'^2 and v_i = v'_i^2 mod N'^2 for i = 1, 2, ..., n to confirm that v and all v_i are indeed in the selected cyclic group.
In various embodiments, the above summary can first be embodied in secure multiparty computation for a wide range of application scenarios. As shown in fig. 5, secure multiparty computation, like any multiparty computation task, computes an output from multiple input data (possibly from multiple providers), but requires that neither the input data nor intermediate information be leaked during the computation. One typical secure multiparty computation solution is to encrypt all input data, process it in the ciphertext state, and decrypt only after the ciphertext computation result has been obtained. To ensure that the privacy of the data does not depend on any single individual, the processing of the computation task is handed to multiple computing parties (some of whom may also be data providers) who share the private key of the encryption algorithm and can complete the decryption operation only by cooperating. For example, the PAILLIER cipher can be used for secure multiparty computation in a distributed mode: on the one hand, multiple computing participants control the decryption authority in a distributed manner, and on the other hand, the additive homomorphism of the PAILLIER cipher supports the construction of a ciphertext computation module that carries out the information processing and computation in the ciphertext state. The computing participants shown in fig. 5 may deviate from the secure multiparty computation protocol and become malicious adversaries of the kind shown in fig. 6, which requires the verification modules and functions described above to verify the integrity of the distributed computing participants (the cooperators in the threshold key sharing).
The application system for secure multiparty computation based on distributed cryptography claimed in summary [0071] uses the acquisition module, distribution module and sending module of summary [0023], organized around the ciphertext computation module under a general t-out-of-n threshold; its organization and workflow are as follows.
1. The n computing participants each have a public and mutually different identification value P_1, P_2, ..., P_n; they act as the cooperators sharing the private key K of the PAILLIER cipher. The i-th computing participant uses the acquisition module to call the distribution module and finally obtains, through the transmission module, s_i = F(P_i) mod M with F(x) = a_0 + a_1·x + a_2·x^2 + ... + a_{t-1}·x^{t-1}. The basic requirements for computing PAILLIER private key fragments with these modules are: a_0 = K and M = km, where m is the trapdoor of the PAILLIER cipher, k = k'N' and k' is a secret integer randomly selected from a sufficiently large range (containing large primes), while the multiplication modulus used for the PAILLIER encryption operation is N'^2; a_1, a_2, ..., a_{t-1} are randomly selected from a sufficiently large set of integers (e.g. Z_M). It may further be required that M be as close as possible to a published constant N, with N large enough to give k' a sufficiently wide choice so that k' is not easily guessed; for example, when N'^2 is the multiplication modulus of the encryption operation, N is set much larger than N'^2, k = k'N' and k' is the integer that minimizes |km - N|; meanwhile a_1, a_2, ..., a_{t-1} are randomly selected from a sufficiently large set of integers (e.g. Z_M). If necessary, the initiator can distribute the public verification values V, v_1, v_2, ..., v_n of the private key fragments and prove their correctness, following the method of summary [0029] and [0030], for verification by the cooperators and others.
2. The task of key generation can be done by an initiator (according to summary [0019]) or by the cooperators (according to summary [0043]), depending on the security requirements and the degree of decentralization of the particular application scenario. In either case p' and q' are large primes such that p = 2p'+1 and q = 2q'+1 are also large primes; m = p'q' is the trapdoor, N' = pq and N'^2 is the multiplication modulus of the encryption operation; β, a and b are randomly selected in Z_N'^*. Then K = βm is the private key, and the public key consists of N', g = (1+N')^a · b^{N'} mod N'^2 and θ = amβ (or θ = amβ mod N'). Apart from the public key, all remaining values are kept secret from the outside.
3. Each data provider encrypts its input data using the PAILLIER cipher. For example, the J input data w_1, w_2, ..., w_J are encrypted as d_j for j = 1, 2, ..., J, with each x_j randomly selected from Z_N'^*.
4. The ciphertext computation module is invoked to process and compute d_1, d_2, ..., d_J in the ciphertext state. Any ciphertext processing method that exploits the homomorphism of the PAILLIER cipher can be adopted, and the ciphertext computation module is called and executed jointly by the n computing participants (cooperators). The ciphertext-state result output by the ciphertext computation module is d.
5. Distributed decryption by the partial decryption modules: for the ciphertext d, the cooperator (computing participant) assigned s_i computes its partial decryption result d_i, where x is a public integer (the ninth parameter already defined). If necessary, the partial decryption module may include a verification sub-module requiring the cooperator to give a zero-knowledge proof, where y is a public integer (the tenth parameter already defined); v (the fifth parameter already defined) and v_i (the seventh parameter already defined) were already calculated when the private key was shared, and can be used both to check the correctness of the key distribution operation and to support checking the correctness of the decryption of the computation result.
6. Obtaining the plaintext computation result: if t cooperators cooperate to decrypt d and their identification values form the set S, the decryption result can be synthesized from their partial results, where z is defined above.
The secure multiparty computation embodiment of summary [0072] is based on the distributed PAILLIER implementation device of summary [0041], but summary [0041] is in fact built on summary [0019], [0039] and [0040] (which cover key generation, partial decryption and decryption synthesis). Therefore, depending on the specific application scenario, the secure multiparty computation embodiment of summary [0072] can also be based on the distributed PAILLIER implementation device of summary [0019], [0039] and [0040]; i.e. the public key comprises only g and N', the partial decryption raises the ciphertext and g respectively to the power xs_i (with the corresponding zero-knowledge proof to ensure correctness if necessary), and the L() function is calculated twice in the decryption synthesis. In addition, whichever PAILLIER distributed decryption is used in the secure multiparty computation embodiment, the parameters can be simplified according to summary [0042] or the complete decentralization of summary [0043] can be applied.
The general secure multiparty computation embodiment of summary [0071] can, when t = n, also be implemented as follows on the special n-out-of-n distributed PAILLIER device of summary [0062] to [0067].
1. The n computing participants first act as key-sharing cooperators to generate their key fragments: the i-th cooperator randomly selects a secret private key fragment s_i. When an initiator is responsible for the PAILLIER key generation, these fragments are all sent to the initiator. The following works in the way that relies on the initiator to generate the PAILLIER key, whereas the decentralized way that does not require the initiator is described in summary [0077].
2. PAILLIER key generation: the initiator randomly selects parameters to generate a hard-to-factor composite number N' and the trapdoor m, with N'^2 as the multiplication modulus. The initiator selects random integers α, β and κ from the appropriate range, then calculates the public key parameter g = (1+N')^α · β^{N'} mod N'^2 and the private key K = mκ. The public key comprises the public parameters together with σ = αmκ or σ = αmκ mod N', where M is selected according to the first and second principles of summary [0062] (M = km, k is a secret integer, and k is set so that M reveals as little private key and threshold information as possible), and the parameters u_1, u_2, ..., u_n are randomly selected integers which may be chosen by the cooperators, by the initiator or by a combination of them depending on the application scenario. Each data provider encrypts its input data using the PAILLIER cipher: for example, the J input data w_1, w_2, ..., w_J are encrypted as d_{j,1} and d_{j,2} = d_{j,1}^μ mod N'^2 for j = 1, 2, ..., J, with each x_j randomly selected from Z_N'^*.
3. The ciphertext computation module is called to process and compute the ciphertext data in the same way as in summary [0072].
4. Distributed partial decryption: for the ciphertext computation result d = (c_1, c_2), the cooperator (computing participant) assigned s_i computes its partial decryption result d_i, where x is a public integer coprime to e (the ninth parameter already defined). If necessary, the computing participants may be required to prove the correctness of the distributed decryption by a zero-knowledge proof, i.e. as in the last item of summary [0068], proving that s_i was used to calculate d_i without leaking information about s_i in the proof; this is detailed in summary [0076].
5. Obtaining the plaintext computation result: if all n cooperators decrypt d cooperatively, the decryption result is synthesized as follows.
a) First step of the decryption synthesis module: compute w from the partial decryption results using the weights u_i and the public exponent y, where u_i follows the definition in summary [0062] and y is a public integer coprime to e (the tenth parameter already defined).
b) Second step of the decryption synthesis module: h = L(w · c_2^{xy}) / (xyσ) mod N'.
c) Detection and adjustment module: monitors the computation of L(w · c_2^{xy}). If (w · c_2^{xy} - 1)/N' is not an integer, w · c_2^{xy} is replaced by -w · c_2^{xy} and L() is recalculated.
In the secure multiparty computation embodiment of summary [0074], the method and device for distributed PAILLIER decryption can be simplified by adjusting the parameters as in summary [0067], i.e. x = 1 or y = 1, or even x = y = 1. For example, when x = y = 1 the distributed partial decryption operation and the first synthesis step take a simpler form and h = L(w · c_2) / σ mod N', where u_i keeps the definition of summary [0062] unchanged.
In the secure multiparty computation embodiment of summary [0074], the PAILLIER encryption and decryption method and device can also be complemented by a verification module that proves and verifies the correctness of each participant's operations. When the trust mechanism cannot guarantee the honesty and credibility of the participants and these need to be verified, the verification module requires the parties to cooperate to complete the following operations.
● In the initial public parameter selection stage, the cooperators (usually the computing participants; depending on the specific scenario, also with the participation of the initiator) publish a large cyclic group and select a generator v of it (i.e. the fifth parameter in summary [0068]).
● Each cooperator (later a participant in the multiparty computation), when generating s_i for i = 1, 2, ..., n, calculates and publishes v_i for i = 1, 2, ..., n (i.e. the seventh parameter in summary [0068]).
● When a key is generated with the help of an initiator, the initiator calculates and publicly releases V = v^K mod N'^2 when generating the private key K (i.e. the sixth parameter in summary [0068]).
● Anyone, including all computing participants and data providers of the multiparty computation, can verify one or both of the two equations V = 1 mod N' and V^n = 1 mod N'^2.
● Anyone can verify the relation that ties V to the published v_i through the weights u_i, where u_i follows the definition in summary [0062].
● When completing the partial decryption operation of summary [0074], the computing participant gives a zero-knowledge proof of its correctness. When x = y = 1 as in summary [0067], this zero-knowledge proof reduces to a simpler form. When a specific application scenario needs to verify whether the cooperator operated honestly, this zero-knowledge proof is chosen to ensure that the cooperator used the same s_i that is fixed in v_i to calculate d_i, while leaking no information about s_i in the proof.
The secure multiparty computing embodiments described in the inventions [0074] and [0075] use n-out-of-n distributed PAILLIER ciphers in the key generation stage to use the method of full decentralization described in the inventions [0064] without affecting the secure multiparty computing and distributed decryption functions; under the same secret key, the secure multiparty calculation can be performed by the same method, and the obtained result can be separated out by the same distributed decryption method. In particular, secure multiparty computation that does not require initiator centric control may work with a special n-out-of-n distributed PAILLIER password as follows.
N computing participants first act as key sharing cooperators to generate key fragments: the ith cooperating party randomly selects a secret private key fragment s i . Each private key fragment corresponds to a coefficient u i Is selected by each cooperator.
2. Distributed key generation: all cooperators generate the following parameters together through a secure multiparty calculation method.
a) The public key parameter N', is the product of two large primes p and q; where p=2p '+1, q=2q' +1, p 'and q' are also large prime numbers. p ', q', p, q and also trapdoor m=p 'q' are kept secret, and only all cooperators can obtain their values in linear time. Private key k=mκ, where K is the value that K and κ are kept secret and only if all the parties cooperate to obtain them in linear timeIs a random integer in the same range.
b) Public key parameter g, and a corresponding secret parameter α=l (g) are kept secret, only all parties in coordination can obtain its value in linear time.
c) Public key parameter mu, satisfyWherein M is selected according to a first principle and a second principle as in the summary of the invention [0062 ]]As in (m=kn, k is a secret integer, and k is set to ensure that the private key and threshold information revealed from M is as little as possible).
d) Public key parameter σ=αmκ, where α, m, κ are kept secret as described above, and only all parties in collaboration can obtain their values in linear time.
The public key, including N', g, μ and σ, is finally obtained and issued, corresponding to the private key K without leakage.
3. The multiparty computation data providers encrypt their input data with the PAILLIER cipher. For example, the J inputs w_1, w_2, ..., w_J are encrypted as the ciphertext pairs d_{j,1} and d_{j,2} = d_{j,1}^μ mod N'^2 for j = 1, 2, ..., J, where each x_j is randomly selected from Z*_{N'}.
4. The ciphertext calculation module is invoked to process and compute the ciphertext data, in the same way as in summary of the invention [0072] and [0074].
5. Distributed partial decryption: for the ciphertext computation result D = (c_1, c_2), the cooperator (computation participant) holding s_i computes its partial decryption d_i, where x is a published integer coprime to e (i.e. the ninth parameter already defined). If necessary, the party computing d_i may be required to prove the correctness of its distributed decryption with a zero-knowledge proof, i.e. that the s_i of the last item of summary of the invention [0064] was used to compute d_i, without the proof leaking the secret information used to compute d_i.
6. Obtaining the plaintext computation result: if all n cooperators decrypt D cooperatively, the decryption result is synthesized as follows.
a) First step of the decryption synthesis module: the partial decryptions d_i are combined into w, where u_i follows summary of the invention [0062] and y is a public integer coprime to e (i.e. the tenth parameter already defined).
b) Second step of the decryption synthesis module: H = L(w·c_2^{xy}) / (xyσ) mod N'.
c) Detection and adjustment module: monitor the computation of L(w·c_2^{xy}). If (w·c_2^{xy} − 1)/N' is not an integer, replace w·c_2^{xy} by −w·c_2^{xy} and recompute L().
The secure multiparty computation embodiments of summary of the invention [0072] and [0073] can realize a wide range of multiparty computation tasks, as long as the parties cooperate to process the encrypted data, for example electronic voting and electronic auctions. In such embodiments, J users (voters or bidders) submit their inputs (votes or bids) in encrypted form to the voting or auction system. The system has n computing cooperators (participants), namely talliers or auctioneers, who share the decryption key of the ciphertext data with a t-out-of-n threshold. By the additive homomorphism of the PAILLIER cipher, the product Π_{j=1}^{J} d_j of all vote ciphertexts d_1, d_2, ..., d_J for a candidate (or of all bid ciphertexts for a price) is an encryption of the total of all votes (or bids) for that candidate or price. At least t talliers or auctioneers cooperating in distributed decryption can obtain the number of votes for the candidate or the number of bids at the price. The key technique here is key sharing: the n computing participants have identification values P_1, P_2, ..., P_n respectively and act as the cooperating parties sharing the private key K of the PAILLIER cipher. The i-th computing participant uses the acquisition module to call the distribution module and finally obtains, through the transmission module, s_i = F(P_i) mod M with F(x) = a_0 + a_1 x + a_2 x^2 + ... + a_{t-1} x^{t-1}. The basic requirements for computing the PAILLIER private key shares with these modules are: a_0 = K and M = km, where m is the trapdoor of the PAILLIER cipher, k = k'N' and k' is a secret integer randomly selected from a sufficiently large range (containing large primes); the multiplication modulus of the PAILLIER encryption operation is N'^2; and a_1, a_2, ..., a_{t-1} are randomly selected from a sufficiently large set of integers (e.g. Z_M).
It may further be required that M be arbitrarily close to a published constant N, where N should be large enough to give k' a sufficiently wide choice so that k' cannot easily be guessed. For example, when N'^2 is the multiplication modulus of the encryption operation, N is set much larger than N'^2, k = k'N', and k' is the integer that minimizes |km − N|; at the same time a_1, a_2, ..., a_{t-1} are randomly selected from a sufficiently large set of integers (e.g. Z_M). The PAILLIER key generation itself may, as required, be performed by an initiator (summary of the invention [0019]) or by the cooperators (summary of the invention [0043]), depending on the security requirements and the degree of decentralization of the particular application. This distributed cipher usage ensures that the private key shares reveal no information about the private key or the trapdoor, and so protects the privacy of the voting or auction system. After the t-out-of-n PAILLIER key sharing is completed, the computing participants can use the secure multiparty computation technique of summary of the invention [0072] or [0073], based on distributed PAILLIER ciphertext computation, to run the voting or auction without leaking vote (bid) information.
The embodiments described in summary of the invention [0078], including electronic voting and electronic auctions, may also be implemented on the n-out-of-n secure multiparty computation of summary of the invention [0074]~[0077] (distributed PAILLIER relying on an n-out-of-n threshold). For example, in an electronic auction all bidders (data providers) can be given the role of cooperating parties (computing participants), and PAILLIER encryption under an n-out-of-n threshold ensures that no data can be decrypted and compromised without the agreement of its provider. In an electronic voting scenario, all voters or all candidates can share the PAILLIER private key that encrypts the votes through an n-out-of-n threshold, so that any party can protect the data it wants to keep secret by refusing to take part in decryption. The difference from summary of the invention [0078] is therefore that the n computing cooperators, i.e. the talliers or auctioneers, share the decryption key of the ciphertext data with an n-out-of-n threshold. The key operation of tallying or bid opening is still the decryption of the product Π_{j=1}^{J} d_j of all vote ciphertexts for a candidate or all bid ciphertexts d_1, d_2, ..., d_J for a price, except that key generation and distribution, data encryption and distributed decryption follow summary of the invention [007 ] (based on summary of the invention [0062]~[0066], optionally with summary of the invention [0067]~[0069], including parameter simplification, correctness verification and decentralization).
The secure multiparty computation embodiments described in summary of the invention [0071] to [0077] may also be applied in the field of anonymous communication, for example a mix network (mix net). A mix network transmits encrypted data on behalf of some users; its purpose is not to protect the content of the data itself but to prevent any item of data from being traced back to the user who provided it, thereby protecting the user's personal privacy. In other words, users can communicate anonymously through the mix network. As shown in fig. 7, a mix network is implemented by having the encrypted data of all users reordered (permuted) and re-encrypted in turn by several nodes of the network. This can be regarded as a special secure multiparty computation: each node, as a participant, performs a permutation and a re-encryption (including supplying the secret inputs used by these operations, such as the secret permutation and re-encryption parameters used by the node) and does not reveal the new order after all the data has been shuffled. Finally, when the anonymized data is needed, several decrypting parties sharing the decryption key (either independent participants acting as key sharers, or the mix nodes themselves) decrypt all the ciphertexts output by the last mix node and obtain the content of all the data after the repeated shuffling. Unless all the mix nodes, or a number of decryptors exceeding the decryption threshold, collude, the data cannot be traced and is therefore anonymous.
When a PAILLIER cipher is used to encrypt the data and its private key is shared among multiple cooperating decryptors, the mix network of summary of the invention [0080] is yet another instance of the secure multiparty computation of summary of the invention [0071] to [0077]: the function of the ciphertext calculation module of summary of the invention [0071], processing and computing data in ciphertext state, is embodied here as shuffling (reordering multiple ciphertexts with one secret permutation) and re-encryption (re-encrypting the reordered ciphertexts with secret re-encryption random numbers). The most typical PAILLIER mix network can be implemented with the secure multiparty computation technique of summary of the invention [0072].
1. The n cooperating decryptors use the first and second steps of the method of summary of the invention [0072] to complete the generation and sharing of the PAILLIER key with a t-out-of-n threshold; the key is split into the private key shares s_1, s_2, ..., s_n, and a decryption operation requires at least t cooperating decryptors.
2. Suppose J users provide the data w_1, w_2, ..., w_J respectively, encrypted under the PAILLIER cipher set up above as d_1, d_2, ..., d_J for j = 1, 2, ..., J, where each x_j is randomly selected from Z*_{N'}. All the encrypted data is input to the mix network.
3. Several network nodes form the mix network and process all the input ciphertexts in sequence. Starting from the first node, each node reorders all the ciphertexts it receives with a randomly chosen permutation, re-encrypts them and passes them to the next node, keeping secret all the information it introduced in the reordering and re-encryption (e.g. the permutation and the random numbers used for re-encryption).
4. The last network node outputs the ciphertexts d'_1, d'_2, ..., d'_J after the repeated permutation and re-encryption. Unless all the network nodes reveal their private inputs (the permutations, the random numbers used for re-encryption, etc.), or enough cooperating decryptors decrypt the ciphertexts originally entered by the users or generated at intermediate stages of the mix network, d'_1, d'_2, ..., d'_J cannot be matched to d_1, d_2, ..., d_J and therefore cannot be traced back to the users who originally provided them.
5. At least t cooperating decryptors invoke the partial decryption module of summary of the invention [0072] to perform the distributed decryption: each of d'_1, d'_2, ..., d'_J to be decrypted is denoted D, and the cooperator (computation participant) holding s_i computes its partial decryption, where x is a published integer (i.e. the ninth parameter). If necessary, the partial decryption module may include a verification sub-module requiring the cooperator to give a zero-knowledge proof of correctness, where y is a published integer (i.e. the tenth parameter), and v (the fifth parameter) and v_i (the seventh parameter) are as in summary of the invention [0072], already computed at the time of private key sharing.
6. Obtaining the anonymized plaintext data: if t cooperators decrypt any one D, their identification values form a set S and the decryption result is synthesized from their partial decryptions, with z as defined above. After each of d'_1, d'_2, ..., d'_J has been decrypted in this way, the results are the plaintexts W_1, W_2, ..., W_J output by the mix network.
The mix network described in summary of the invention [0081] may also be implemented according to the method of summary of the invention [0073]. The main difference is that the public key setup and the distributed decryption of the t-out-of-n distributed PAILLIER cipher used by the mix network follow the secure multiparty computation embodiment of summary of the invention [0073], i.e. key generation, partial decryption and decryption synthesis of the distributed PAILLIER cipher use the methods of summary of the invention [0019], [0039] and [0040].
The mix network of summary of the invention [0081], based on the general t-out-of-n distributed PAILLIER cipher, can also be changed, when t = n, to adopt the special n-out-of-n threshold embodiments of summary of the invention [0062] to [0070]. The main difference is that the secure multiparty computation steps of key generation and distribution, data encryption and distributed decryption are implemented according to the methods of summary of the invention [0074] to [0077]. This arrangement is particularly suitable for scenarios in which the mix nodes double as the cooperating decryptors. For example, in an electronic voting application, several talliers themselves act as the network nodes that build the mix network and also share the decryption key of the PAILLIER public-key cipher in order to jointly decrypt the shuffled encrypted votes. Thus, without requiring trust between the parties under the distributed threshold, as long as even one tallier withholds agreement, the input (vote content) of any voter (user of the mix network) cannot be found.
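An added, runnable illustration of the t-out-of-n PAILLIER voting workflow above (key sharing with s_i = F(P_i) mod M, a_0 = K, M = km, k = k'N', the homomorphic tally, distributed partial decryption) and of the mix-network steps 2 to 6. This is example code written for this page, not code from the patent. Because the page does not reproduce its own formulas for d_{j,1}, μ, the partial decryption or the synthesis step, the example uses standard Paillier encryption and Lagrange interpolation in the exponent for the combination; the private key K = mκ, the sharing modulus M and the shares follow the page, while θ = L(g^{2K}) mod N' as a stand-in for σ, the doubled exponent 2s_i, the choice of k' coprime to n!, the identification values P_i = i, the tiny safe primes, the seeded randomness and all function names are assumptions of the example.

```python
import math
import random
from functools import reduce

# Constructed toy parameters (far too small for real use): safe primes p = 2p'+1, q = 2q'+1.
P1, Q1 = 29, 41                  # p', q'
P, Q = 2 * P1 + 1, 2 * Q1 + 1    # p = 59, q = 83, both prime
N = P * Q                        # the page's N'
N2 = N * N                       # multiplication modulus N'^2
M_TRAP = P1 * Q1                 # trapdoor m = p'q'


def L(u):
    """Paillier L-function L(u) = (u - 1)/N'; only defined when u = 1 (mod N')."""
    assert (u - 1) % N == 0, "argument of L is not 1 mod N'"
    return (u - 1) // N


def keygen(n, rng):
    """Private key K = m*kappa and sharing modulus M = k*m with k = k'N', as on the page.
    theta = L(g^(2K)) mod N' is this example's stand-in for the page's sigma (assumption)."""
    kappa = rng.randrange(2, N)
    while math.gcd(kappa, N) != 1:
        kappa = rng.randrange(2, N)
    K = M_TRAP * kappa
    # Assumption of this example: k' is chosen so that M has no prime factor <= n, which makes
    # every difference P_i - P_j invertible mod M and lets Lagrange interpolation run over Z_M.
    while True:
        M = rng.randrange(3, 1 << 16) * N * M_TRAP
        if math.gcd(M, math.factorial(n)) == 1:
            break
    assert K < M  # reconstruction mod M must give back K itself
    while True:
        g = rng.randrange(2, N2)
        if math.gcd(g, N2) == 1:
            theta = L(pow(g, 2 * K, N2)) % N
            if math.gcd(theta, N) == 1:
                break
    return {"N": N, "g": g, "theta": theta}, K, M


def share_key(K, M, t, n, rng):
    """s_i = F(P_i) mod M with F(x) = K + a_1 x + ... + a_(t-1) x^(t-1), a_j random in Z_M, P_i = i."""
    a = [K] + [rng.randrange(M) for _ in range(t - 1)]
    return {i: sum(a_j * pow(i, j, M) for j, a_j in enumerate(a)) % M for i in range(1, n + 1)}


def encrypt(pk, w, rng):
    """Standard Paillier encryption c = g^w * x^N' mod N'^2 with x random in Z*_N'."""
    x = rng.randrange(1, pk["N"])
    while math.gcd(x, pk["N"]) != 1:
        x = rng.randrange(1, pk["N"])
    return pow(pk["g"], w, N2) * pow(x, pk["N"], N2) % N2


def mix(pk, cts, rng):
    """One mix-net node: secret random permutation, then re-encryption by multiplying with Enc(0)."""
    order = list(range(len(cts)))
    rng.shuffle(order)
    return [cts[i] * encrypt(pk, 0, rng) % N2 for i in order]


def tally(cts):
    """Additive homomorphism: the product of the vote ciphertexts encrypts the sum of the votes."""
    return reduce(lambda a, b: a * b % N2, cts, 1)


def partial_decrypt(c, s_i):
    """d_i = c^(2 s_i) mod N'^2. The doubled exponent makes the combined value 1 mod N', so L()
    is always defined and the page's sign-adjustment step is not needed here."""
    return pow(c, 2 * s_i, N2)


def combine(pk, partials, M):
    """Lagrange interpolation in the exponent over Z_M: prod_i d_i^lambda_i = c^(2K)."""
    ids = list(partials)
    acc = 1
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num, den = num * j % M, den * (j - i) % M
        acc = acc * pow(partials[i], num * pow(den, -1, M) % M, N2) % N2
    return L(acc) * pow(pk["theta"], -1, pk["N"]) % pk["N"]


def threshold_decrypt(pk, c, shares, M):
    return combine(pk, {i: partial_decrypt(c, s) for i, s in shares.items()}, M)


def run_election(votes, t, n, seed, decryptors=None):
    """Returns (tally of the product ciphertext, sorted votes opened after three mix nodes)."""
    rng = random.Random(seed)
    pk, K, M = keygen(n, rng)
    shares = share_key(K, M, t, n, rng)
    quorum = {i: shares[i] for i in (decryptors or range(1, t + 1))}
    cts = [encrypt(pk, v, rng) for v in votes]
    total = threshold_decrypt(pk, tally(cts), quorum, M)
    for _ in range(3):
        cts = mix(pk, cts, rng)
    return total, sorted(threshold_decrypt(pk, c, quorum, M) for c in cts)


if __name__ == "__main__":
    print(run_election([1, 0, 1, 1, 0], t=3, n=5, seed=7))   # (3, [0, 0, 1, 1, 1])
```

Any t of the n shares open the tally, a different quorum gives the same result, and with fewer than t shares the combination is not an encryption of anything meaningful (L() fails or returns garbage). The mix step shows why the talliers see the multiset of votes but not which ciphertext came from which voter.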
The secure multiparty computation embodiments of summary of the invention [0071]~[0077] also have many uses in trusted AI (artificial intelligence), covering both AI training and AI inference. In AI training, the private data of the data providers is used to train AI models; protecting the privacy of the raw data, intermediate states, partial results and complete models usually requires the private information to be encrypted, with security strengthened by distributed management of the decryption key, while the secure multiparty computation device of summary of the invention [0071]~[0077] completes the training task in ciphertext state to obtain the AI model. One exemplary embodiment is federated learning, shown in fig. 8, where input data from multiple participants is used to train AI models jointly although the participants are unwilling to share their data with each other directly. For example, citizen information held by several financial institutions and government agencies is used to train AI tools that handle services for a wide range of users; or medical records from several medical institutions are used to train an AI diagnostic model jointly, while legal requirements on patient privacy prevent each institution from disclosing patient information to the others. In such scenarios the input data, the intermediate data and even the AI model must be encrypted and decrypted only under strict security conditions, with the corresponding decryption key shared by the n participants. The t-out-of-n distributed cipher usage of summary of the invention [0072] and [0073] ensures that the private information to be protected is neither decrypted nor disclosed unless t participants take part in the decryption.
The jointly built AI model can be trained by learning from the data in ciphertext state, using the additive homomorphism of the PAILLIER cipher and extending it flexibly. The key technique here is key sharing: the n participants have identification values P_1, P_2, ..., P_n respectively and act as the cooperating parties sharing the private key K of the PAILLIER cipher. As in summary of the invention [0072], the secure multiparty computation relies on the acquisition module, distribution module and sending module of summary of the invention [0023], arranged around the ciphertext calculation module. The i-th participant uses the acquisition module to call the distribution module and finally obtains, through the transmission module, s_i = F(P_i) mod M with F(x) = a_0 + a_1 x + a_2 x^2 + ... + a_{t-1} x^{t-1}. The basic requirements for computing the PAILLIER private key shares with these modules are: a_0 = K and M = km, where m is the trapdoor of the PAILLIER cipher, k = k'N' and k' is a secret integer randomly selected from a sufficiently large range (containing large primes); the multiplication modulus of the PAILLIER encryption operation is N'^2; and a_1, a_2, ..., a_{t-1} are randomly selected from a sufficiently large set of integers (e.g. Z_M). It may further be required that M be arbitrarily close to a published constant N, where N should be large enough to give k' a sufficiently wide choice so that k' cannot easily be guessed. For example, when N'^2 is the multiplication modulus of the encryption operation, N is set much larger than N'^2, k = k'N', and k' is the integer that minimizes |km − N|; at the same time a_1, a_2, ..., a_{t-1} are randomly selected from a sufficiently large set of integers (e.g. Z_M).
The PAILLIER key generation itself may, as required, be performed by an initiator (summary of the invention [0019]) or by the cooperating parties themselves (summary of the invention [0043]). After key generation and setup are completed, the multiparty data can be encrypted and used for AI training; intermediate results can be encrypted, or the partial AI models trained separately by the participants can be exchanged among several computing participants for further ciphertext computation, and the complete AI model finally obtained can also be stored in ciphertext; any private information is decrypted and used only when necessary, with the distributed decryption device of summary of the invention [0072]. This distributed cipher usage ensures that the private key shares reveal no information about the private key or the trapdoor, protecting the privacy of the AI training data and of the model. A concrete secure multiparty computation implementation for AI training may use the embodiment of summary of the invention [0072], which encrypts the training data and decrypts the AI model with its distributed PAILLIER cipher, or the embodiment of summary of the invention [0073], in which the PAILLIER cipher encrypts data without change but the key generation, partial decryption and decryption synthesis modules of summary of the invention [0019], [0039] and [0040] are used.
Embodiments of multiparty AI training such as federated learning, besides the example of summary of the invention [0084] using the general t-out-of-n threshold key sharing and secure multiparty computation of summary of the invention [0072] or [0073], may also, when t = n, use the special n-out-of-n threshold key sharing and secure multiparty computation of summary of the invention [0074]~[0077], again exploiting and extending the homomorphism of the PAILLIER cipher to learn from data in ciphertext state and train the AI model. The key technique here is the special n-out-of-n threshold key sharing. Whether the mechanism relying on a central initiator of summary of the invention [0074] or the mechanism independent of a central initiator of summary of the invention [0077] is used, the key generation result is: the n key sharing parties each hold one private key share s_1, s_2, ..., s_n; the private key is K and the public key contains N', g, μ and σ, satisfying the following requirements.
1. N' is the product of two large primes p and q, where p = 2p'+1, q = 2q'+1 and p', q' are also large primes. p', q', p, q and the trapdoor m = p'q' are kept secret; only all cooperators together can obtain their values in linear time. The private key K satisfies K = mκ, where K and κ are secret and can only be obtained by all parties cooperating in linear time; κ is a random integer in the same range.
2. The public key parameter g has a corresponding secret parameter α = L(g); only all cooperators together can obtain its value in linear time.
3. The public key parameter μ satisfies a relation involving M, where M is selected according to the first and second principles of summary of the invention [0062] as follows: M = km, k is a secret integer, and k is set so that M reveals as little information as possible about the private key and the threshold.
4. The public key parameter σ = αmκ, where α, m and κ are kept secret as described above; only all parties cooperating can obtain their values in linear time.
After key generation and setup are completed, the multiparty data can be encrypted and used for AI training. When the ciphertext learning is done, a trained AI model is obtained, which can be stored in ciphertext; when the plaintext model is needed, the distributed decryption device of summary of the invention [0074] to [0077] decrypts the ciphertext model. This distributed cipher usage ensures that the private key shares reveal no information about the private key or the trapdoor, protecting the privacy of the AI training data and, where necessary, the security of the AI model as well.
Like the AI training embodiments of summary of the invention [0084] and [0085], AI inference is also an embodiment of distributed cipher usage: a trained model processes input data to compute inference results, and sometimes has to process data from multiple parties that needs privacy protection. One way to protect data privacy during inference is to encrypt the input data, but no data provider wants to encrypt its own data with a key controlled by someone else, which would force it to trust that party; the best way is therefore to encrypt all the data under one encryption mechanism, so that ciphertext computation is convenient, while the decryption key is shared by everyone to strengthen the security guarantee. For example, face recognition and fingerprint recognition, widely used in security and mobile payment, are instances of AI inference; to strengthen the privacy protection of the data (especially reusable, highly confidential authentication data), the face or fingerprint data must be encrypted and the decryption key for the inference data must be held in a distributed manner. In this embodiment the AI model compares the biometric data (face, fingerprint, etc.) captured or scanned in the foreground with the user data retrieved from the database in the background; embodiments that gather data from multiple parties for inference also exist in finance, government affairs and similar fields. When multiparty data is encrypted for ciphertext comparison or other operations, no party wants to use a key controlled by another, so the two (or more) parties need to share the decryption key. Using the additive homomorphism of the PAILLIER cipher, the data of two or more parties can be processed in ciphertext state.
The key technique here is key sharing: for example, the foreground and the background both act as cooperating parties sharing the private key K of the PAILLIER cipher, so that data privacy is ensured during ciphertext inference and no data can be disclosed unless both parties agree to decrypt. This 2-out-of-2 secure multiparty computation mechanism based on PAILLIER key sharing can use either the general t-out-of-n threshold key sharing and secure multiparty computation of summary of the invention [0072] to [0073] or the special n-out-of-n threshold key sharing and secure multiparty computation of summary of the invention [0074] to [0077].
● If the former is used, then as described in summary of the invention [0072], the secure multiparty computation relies on the acquisition module, distribution module and sending module of summary of the invention [0023], arranged around the ciphertext calculation module. The secure multiparty inference uses the acquisition module to call the distribution module and finally obtains, through the transmission module, s_1 = F(P_1) mod M and s_2 = F(P_2) mod M with F(x) = a_0 + a_1 x. The basic requirements for computing the PAILLIER private key shares with these modules are: a_0 = K and M = km, where m is the trapdoor of the PAILLIER cipher, k = k'N' and k' is a secret integer randomly selected from a sufficiently large range (containing large primes); the multiplication modulus of the PAILLIER encryption operation is N'^2; and a_1 is randomly selected from a sufficiently large set of integers (e.g. Z_M). It may further be required that M be arbitrarily close to a published constant N, where N should be large enough to give k' a sufficiently wide choice so that k' cannot easily be guessed. For example, when N'^2 is the multiplication modulus of the encryption operation, N is set much larger than N'^2, k = k'N', and k' is the integer that minimizes |km − N|; at the same time a_1 is randomly selected from a sufficiently large set of integers (e.g. Z_M). The PAILLIER key generation itself may, as the case requires, be performed by one initiator (summary of the invention [0019]) or by the cooperating parties themselves (summary of the invention [0043]), while the specific key setup and distributed usage policy may follow either summary of the invention [0072] or summary of the invention [0073]. Of course, AI inference embodiments are not limited to face or fingerprint recognition, the computing participants of ciphertext inference are not limited to 2, and the method supports inference scenarios with n > 2.
In summary, this distributed cipher usage ensures that the private key shares reveal no information about the private key or the trapdoor, protecting the data privacy of AI inference. After key generation and setup are completed, the multiparty data can be encrypted and used for AI inference. When the ciphertext inference is complete, the distributed decryption device of summary of the invention [0072] or [0073] decrypts the ciphertext output to obtain the inference result.
● If the latter is used, then as in summary of the invention [0074]~[0077] the secure multiparty computation still relies on the acquisition module, distribution module and sending module of summary of the invention [0023], arranged around the ciphertext calculation module, but the way the PAILLIER cipher is set up and used in a distributed manner differs from the former. Whether the mechanism relying on a central initiator of summary of the invention [0074] or the mechanism independent of a central initiator of summary of the invention [0077] is used, the key generation result is: the n key sharing parties each hold one private key share s_1, s_2, ..., s_n; the private key is K and the public key contains N', g, μ and σ, satisfying the following requirements.
a) N' is the product of two large primes p and q, where p = 2p'+1, q = 2q'+1 and p', q' are also large primes. p', q', p, q and the trapdoor m = p'q' are kept secret; only all cooperators together can obtain their values in linear time. The private key K satisfies K = mκ, where K and κ are secret and can only be obtained by all parties cooperating in linear time; κ is a random integer in the same range.
b) The public key parameter g has a corresponding secret parameter α = L(g); only all cooperators together can obtain its value in linear time.
c) The public key parameter μ satisfies a relation involving M, where M is selected according to the first and second principles of summary of the invention [0062] as follows: M = km, k is a secret integer, and k is set so that M reveals as little information as possible about the private key and the threshold.
d) The public key parameter σ = αmκ, where α, m and κ are kept secret as described above; only all parties cooperating can obtain their values in linear time.
After key generation and setup are completed, the multiparty data can be encrypted and used for AI inference. When the ciphertext inference is complete, the distributed decryption device of summary of the invention [0074] to [0077] decrypts the ciphertext to obtain the inference result.
Distributed RSA and distributed PAILLIER have a special application in secure multiparty computation: publicly verifiable data sharing. Besides ciphertext computation based on a distributed PAILLIER cipher, secure multiparty computation also has a solution based on secret sharing of the data: each data provider splits the data it provides with a secret sharing technique and distributes the fragments to several computation participants, who then use their respective fragments to compute intermediate results over several rounds of interaction until the final result is obtained. In applications that require end-to-end verifiability, this secret sharing process must be verifiable or even publicly verifiable, to guard against the dishonest participants shown in fig. 6. Publicly verifiable data sharing means that a data provider can publicly prove that the fragments it shared with the computation participants come from the same secret data and were therefore shared correctly; anyone can check this proof, and naturally neither the shared data nor any of its fragments may be revealed in the process. This involves so-called publicly verifiable secret sharing, for which a common solution is: when the data provider communicates with each data sharing party (computation participant), the fragments are encrypted in transit, the decryption key is held by the corresponding data sharing party, and the provider then proves that all the ciphertexts it sent encrypt fragments of the same secret data. Generally, when verifiability is required, the fragments are encrypted with an asymmetric public-key cipher so that the correctness of each fragment can be verified conveniently, and this raises a problem.
When the asymmetric public-key cipher used to distribute the fragments is PAILLIER or RSA, the plaintext spaces of the ciphers held by the different data sharing parties differ; that is, the decryption computations of the ciphers held by the different sharing parties use different moduli. Different moduli not only make public verification of the sharing inexact, but also make it hard to guarantee strictly, in ciphertext state, that the fragments shared with the computation participants come from the same secret data; the fragments obtained by the participants may become mismatched or incorrect after reduction modulo the different moduli, so the multiparty computation result is wrong, and a dishonest data provider is given a chance to cheat the participants and sabotage the computation. For this reason, data providers need specially adapted PAILLIER and RSA ciphers to build the encrypted channels to all the data sharing parties, realizing multiple different instances of the same cipher with the same plaintext space and decryption modulus. With this special cryptographic mechanism, secure multiparty computation can achieve publicly verifiable sharing of secret data with the following steps.
1. The distributed RSA cipher of summary of the invention [0045]~[0053] or the distributed PAILLIER cipher of summary of the invention [0062]~[0070] is modified, for the special scenario of pairwise communication, to support multiple different instances of the same cipher with the same plaintext space and decryption modulus. An encrypted channel is established between the data provider and each data sharing party: with RSA, the ciphers of the different channels have the same multiplication modulus N' and trapdoor m, but the decryption keys held by the respective data sharing parties are all different and not directly related to m; with PAILLIER, the ciphers of the different channels have the same multiplication modulus N'^2 and trapdoor m, but again the decryption keys held by the respective data sharing parties are all different and not directly related to m. Hence each data sharing party can decrypt only the fragments belonging to it and cannot obtain the fragments belonging to others.
2. Whatever data splitting algorithm is adopted, the data provider encrypts the split fragments over the encrypted channels and sends them to the respective data sharing parties.
3. If necessary (for example, when the data provider and the data sharing parties dispute the correctness of the sharing), the data provider publicly proves that all the encrypted fragments are correct fragments of the same secret data, without revealing the data or any of its fragments. Whatever proof method is used (e.g. a common zero-knowledge proof), the fact that the ciphers of all the encrypted channels have the same plaintext space and decryption modulus ensures that the correctness of the sharing can be proved conveniently, exactly and reliably.
4. After the data of all the data providers has been shared in this way, each data sharing party acts as a computation party to complete the secure multiparty computation and obtain the result without revealing the input data. Whatever technique they use to process the fragments and exchange intermediate results, once the correctness of the sharing has been publicly guaranteed, it helps to make the whole secure multiparty computation verifiable.
When an RSA cipher is used to construct the encrypted channel to transmit the data fragments, the verifiable secure multi-party computing embodiment described in summary [0087] is implemented as follows.
1. A data provider establishes a standard RSA password with a multiplication modulus N', a private key K and a trapdoor m, and publishes N' and the RSA public key e.
2. Each data sharing party selects its own RSA private key fragment, which it alone holds, for communicating with the data provider, i.e. the i-th data sharing party selects its private key fragment s_i.
3. Each data sharing party encrypts the RSA private key fragment s_i it selected with the data provider's standard RSA password and sends it to the data provider.
4. After the data provider decrypts the private key fragment of each data sharing party, it computes s_i' = K - s_i mod m for i = 1, 2, ..., n, where n is the number of data sharing parties. This corresponds to the provider using a special distributed RSA password with an n-out-of-n threshold (the n = 2 special case of the distributed RSA password of summary [0045]~[0053]) to share the private key K pairwise with each data sharing party, so that the private key fragment s_i obtained by each data sharing party is different.
5. The data provider selects a data sharing algorithm and splits the data π into n pieces π_1, π_2, ..., π_n. For i = 1, 2, ..., n, each π_i is encrypted as [formula omitted] and sent to the i-th data sharing party.
6. After receiving the ciphertext (c_{i,1}, c_{i,2}), the i-th data sharing party decrypts it with the key fragment it holds, [formula omitted], to obtain π_i.
7. The secure multiparty computing application provides each data sharing party with a data fragment self-checking module that automatically checks the correctness of the fragments it obtained, as required. If necessary, for example when a data sharing party challenges the correctness of the fragments after self-checking, the data provider publicly proves that all encrypted data fragments are correct fragments of the same secret data, without revealing the data or any fragment of it. This can exploit the fact that the passwords used by all encrypted channels have the same plaintext space and decryption modulus; for example, the modulus the data splitting algorithm uses to compute the fragments is also set to N', so the correctness of the data splitting is conveniently proved and the data fragments are guaranteed to stay fully matched at all times.
8. After all possible challenges by the data sharing parties to the correctness of the data splitting have been settled by public proof and verification, each data sharing party acts as a computing participant to complete the secure multiparty computation, and a result is obtained without leaking the input data. Whether or not their processing of the fragments to complete the multiparty computation is itself publicly verifiable, the public proof of correctness of at least the data splitting excludes any data provider from supplying erroneous fragments that would disrupt the multiparty computation, and the unified decryption modulus of all encrypted channels also prevents the fragments from becoming mismatched after decryption.
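The RSA encrypted-channel flow of steps 1 to 6 above, as an added Python example that is not code from the patent: every channel uses the same N' and m, each sharer holds a different fragment, and the fragments of the split data are taken modulo the same N'. The two-part ciphertext form and the choice to take fragments modulo 2m rather than m are this example's own assumptions, marked in the code; toy safe primes are constructed here.

```python
"""Added example (not the patent's own code): RSA encrypted channels for data
fragments, one channel per sharing party, all with the same modulus N' and
trapdoor m. Toy safe primes are constructed here; sizes are for illustration."""
import secrets
from math import gcd

# Constructed toy parameters: p' = 1019, q' = 1481; p = 2p'+1 and q = 2q'+1 are prime.
P1, Q1 = 1019, 1481
P, Q = 2 * P1 + 1, 2 * Q1 + 1
N = P * Q                      # multiplication modulus N' shared by every channel
M = P1 * Q1                    # trapdoor m = p'q'
LAM = 2 * M                    # lcm(p-1, q-1); exponent of the whole group Z*_{N'}


def is_prime(n):
    """Trial division, only used to sanity-check the toy parameters."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def provider_keygen():
    """Step 1: the provider's standard RSA key (N', e public; K, m private).
    e is drawn from Z_{N'}, a range far larger than Z_m, as the patent advises."""
    assert all(is_prime(v) for v in (P1, Q1, P, Q))
    while True:
        e = secrets.randbelow(N - 3) + 3
        if gcd(e, LAM) == 1:
            break
    # Assumption of this example: K and the fragments below are taken modulo
    # lcm(p-1, q-1) = 2m instead of modulo m, so that decryption is exact for
    # every plaintext and not only for quadratic residues modulo N'.
    return e, pow(e, -1, LAM)


def provider_fragment(k, s_i):
    """Step 4: the sharer chose s_i; the provider keeps s_i' = K - s_i."""
    return (k - s_i) % LAM


def channel_encrypt(e, s_prime, frag):
    """Step 5 (assumed form of the pair (c_{i,1}, c_{i,2}), which the page does
    not reproduce): c1 = frag^e, c2 = c1^{s_i'} mod N'."""
    c1 = pow(frag, e, N)
    return c1, pow(c1, s_prime, N)


def channel_decrypt(s_i, ct):
    """Step 6: c2 * c1^{s_i} = frag^{e(s_i' + s_i)} = frag^{eK} = frag mod N'."""
    c1, c2 = ct
    return c2 * pow(c1, s_i, N) % N


def split_data(pi, n):
    """Additive split of pi into n fragments modulo N', the same modulus the
    channels decrypt under, so the fragments stay matched after decryption."""
    frags = [secrets.randbelow(N) for _ in range(n - 1)]
    return frags + [(pi - sum(frags)) % N]


def share_round(pi, n):
    """One provider, n sharers: returns (fragments sent, fragments recovered,
    and what sharer 0 gets when it applies its key to sharer 1's ciphertext)."""
    e, k = provider_keygen()
    s = [secrets.randbelow(LAM) for _ in range(n)]        # each sharer's own s_i
    s_prime = [provider_fragment(k, si) for si in s]      # provider's s_i'
    frags = split_data(pi, n)
    cts = [channel_encrypt(e, sp, f) for sp, f in zip(s_prime, frags)]
    recovered = [channel_decrypt(si, ct) for si, ct in zip(s, cts)]
    wrong_key = channel_decrypt(s[0], cts[1])             # another party's channel
    return frags, recovered, wrong_key
```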
When PAILLIER passwords are used to construct the encrypted channels that transmit the data fragments, the verifiable secure multi-party computing embodiment described in summary [0087] is implemented as follows.
1. The data provider first establishes a standard PAILLIER password with multiplication modulus N'^2, trapdoor m and private key K = mκ, where κ is selected at random in Z*_{N'}. He publishes the PAILLIER public key, including N' and [formula omitted] in Z*_{N'}, where α = L(g) is a secret parameter.
2. Each data sharing party selects its own PAILLIER private key fragment, which it alone holds, for communicating with the data provider, i.e. the i-th data sharing party selects its private key fragment s_i.
3. Each data sharing party encrypts the PAILLIER private key fragment s_i it selected with the data provider's standard PAILLIER password and sends it to the data provider.
4. After the data provider decrypts the private key fragment of each data sharing party, it computes s_i' = K - s_i for i = 1, 2, ..., n, where n is the number of data sharing parties. This corresponds to the provider using a special distributed PAILLIER password with an n-out-of-n threshold (the n = 2 special case of the distributed PAILLIER password of summary [0062]~[0070]) to share the private key K pairwise with each data sharing party, so that the private key fragments obtained by the data sharing parties are all different. The data provider publishes an additional public key parameter σ = αmκ or σ = αmκ mod N'.
5. The data provider selects a data sharing algorithm and splits the data π into n pieces π_1, π_2, ..., π_n. For i = 1, 2, ..., n, each π_i is encrypted as [formula omitted] and sent to the i-th data sharing party, where r_i is a random integer in Z*_{N'}.
6. After receiving the ciphertext (c_{i,1}, c_{i,2}), the i-th data sharing party decrypts it with the key fragment it holds, [formula omitted], to obtain π_i.
7. The secure multiparty computing application provides each data sharing party with a data fragment self-checking module that automatically checks the correctness of the fragments it obtained, as required. If necessary, for example when a data sharing party challenges the correctness of the fragments after self-checking, the data provider publicly proves that all encrypted data fragments are correct fragments of the same secret data, without leaking the data or any fragment of it. This can exploit the fact that the passwords used by all encrypted channels have the same plaintext space and decryption modulus; for example, the modulus the data splitting algorithm uses to compute the fragments is also set to N', so the correctness of the data splitting is conveniently proved and the data fragments are guaranteed to stay fully matched at all times.
8. After all possible challenges by the data sharing parties to the correctness of the data splitting have been settled by public proof and verification, each data sharing party acts as a computing participant to complete the secure multiparty computation, and a result is obtained without leaking the input data. Whether or not their processing of the fragments to complete the multiparty computation is itself publicly verifiable, the public proof of correctness of at least the data splitting precludes any data provider from supplying erroneous fragments to destroy the multiparty computation.
In the data sharing embodiment described in summary [0087] to [0089], when a scenario such as secure multiparty computation is implemented, the shared data may sometimes be a secret key; that is, a key generator or key master can play the role of the data provider of summary [0087] to [0089], share the private key among several computing participants (the private key fragments being used later to complete multiparty decryption or signing), and construct the encrypted channels that distribute the private key fragments with the special public key encryption algorithm whose instances use the same decryption modulus, thereby proving the coordination and consistency of the encrypted contents so that the key sharing is publicly provably correct.
The techniques of summary [0087] to [0089], in which multiple instances of the RSA password or the PAILLIER password share the same large composite public key parameters, multiplication modulus and plaintext space, can be used in any application embodiment that requires multiple instances of a password to share the same parameters, especially when the data encrypted by the multiple instances are decrypted in a related way and must remain matched after that related decryption, and in particular when the correctness of that matching requires public verification.
The apparatus and embodiments described in summary [0035] to [0037] may also be embodied in distributed authorization applications. That is, a particular right (access, issuance, approval) is, because of its high sensitivity, not held by any single entity; in real applications it must be distributed among several holding parties and exercised by them jointly. In an electronic information system, a right of this kind is exercised through digital signatures: whoever holds the private key of the signature password can exercise the right by generating the digital signature. Distributed exercise of the right is therefore achieved by sharing the signature private key among several holders of the right. For example, an RSA password is set as the signature password and its private key is distributed to n holders under a t-out-of-n threshold; authorization can be completed only when no fewer than t holders take part in the distributed signature.
The rights granted in a distributed manner may be public key certificate issuance (a distributed signature of several issuing authorities on a certificate containing the user identity, user public key, validity period and so on, thereby ensuring the authenticity and correctness of the user public key), blockchain admission (when a new node joins the blockchain, the signature approving its joining is provided not by a single centralized controller but jointly by several existing nodes), blockchain consensus (a number of blockchain nodes determining the consensus, such as elected user representatives or a larger set of users, reach consensus by signing with a distributed shared private key), or lower-level key assignment (a key for a lower-level user, such as a communication key, is signed off with the private key of a superior password held by a superior controller, and the superior controller may decentralize that private key so that several holders perform the signing operation in a distributed manner). The distributed authorization and admission embodiment mainly uses the innovative distributed signature device of the threshold RSA password of this invention to complete authorization authentication, grant admission and the like by multi-party signature. A typical example is public key certificate issuance in a PKI architecture. As shown in fig. 9, the private key used by the root CA to issue public key certificates is no longer held and used by a single CA but is shared by several root CA agents under a threshold mechanism and used through distributed signatures. Security is thereby significantly improved: even if some root CA agents refuse to cooperate on a correct public key certificate it can still be issued, and even if some root CA agents want to issue a wrong public key certificate they are prevented from doing so.
The security of the root CA ensures the trust in the subordinate CAs and even in the lowest-level public key certificates.
The distributed authorization application system based on distributed passwords claimed in summary [0092] uses the acquisition module, distribution module and sending module described in summary [0023], is developed around the distributed private key using module described in summary [0031], and finally needs a signature verification module. Based on the RSA password with a general t-out-of-n threshold described in summary [0006] to [0011], [0013], [0015] to [0018] and the distributed signature device described in summary [0035] to [0037], the overall organization and workflow are as follows.
1. The n holders of the signature private key have public, mutually different identification values P_1, P_2, ..., P_n; they act as cooperators sharing the RSA private key K. The i-th cooperator uses the acquisition module to call the distribution module and finally obtains, through the sending module, s_i = F(P_i) mod M with F(x) = a_0 + a_1 x + a_2 x^2 + ... + a_{t-1} x^{t-1}. The basic requirements for computing the RSA private key fragments with these modules are: a_0 = K and M = km, where m is the trapdoor of the RSA password and k is a secret integer selected at random from a sufficiently large range (containing large primes); a_1, a_2, ..., a_{t-1} are selected at random from a sufficiently large set of integers (e.g. Z_M). It may further be required that k be an integer that minimizes km - N, where N is a publicly set constant much larger than the multiplication modulus N' used for RSA encryption; at the same time a_1, a_2, ..., a_{t-1} are selected at random from a sufficiently large set of integers (e.g. Z_M).
2. Whether key generation is done by a single initiator (according to summary [0015]) or by the private key holders (the cooperators) themselves (according to summary [0043]) may depend on the security requirements and the degree of decentralization of the particular application scenario. In either case, p' and q' are large primes such that p = 2p' + 1 and q = 2q' + 1 are also large primes, the four primes being different from each other; m = p'q' is the trapdoor and N' = pq is the multiplication modulus of the encryption operation; the public key e and private key K satisfy eK = 1 mod m, and K has a sufficiently large selection space. It should be noted that, unlike some existing systems, e cannot be selected at random in Z_m or computed so that e is uniformly distributed in Z_m, since e would then reveal some information about the trapdoor m. e should be selected at random from an interval or range substantially different from Z_m, for example much larger or much smaller than Z_m, and then K = e^{-1} mod m is computed. For example, e is selected at random in Z_{N'}; or e is selected at random from a particular small subset of Z_m (e.g. integers of a particular length excluding weak keys, a subset far smaller than Z_m and not uniformly distributed in Z_m).
3. The distributed private key using module comprises a distributed signature module. Its structure and workflow: the information requiring signature (a public key certificate, blockchain admission proof, blockchain consensus content, a lower-level key to be assigned, or any other content to be authorized) or its hash value (normally the hash is taken for signing because of application requirements such as adjusting the information length), i.e. the signature object, denoted d, is handed to the private key holder of s_i, who computes [formula omitted], where x is a disclosed integer coprime with e, the ninth parameter. If necessary, the distributed signing module may comprise a verification sub-module requiring the signer to give the zero-knowledge proof [formula omitted], where y is a disclosed integer coprime with e, i.e. the tenth parameter. Here v (the fifth parameter) and v_i (the seventh parameter) were already calculated at the time of private key sharing; that is, v is a generator of a large cyclic group in Z_{N'}, and [formula omitted]; their values are published by the sending module of summary [0023]. When a particular application scenario needs to verify whether a cooperating signer behaved correctly, this zero-knowledge proof is chosen to ensure that the cooperating signer used the same s_i that is fixed in v_i to compute d_i, without leaking any information about s_i in the proof. This cyclic group may be specially chosen according to summary [0028], so that the parameter presentation sub-module of summary [0028] can ensure that v and v_i are indeed in this cyclic group.
4. The distributed private key using module comprises a composite signature module, which works as follows: if there are t cooperators and their corresponding identification values form a set S, the signature result is synthesized as follows.
a) [formula omitted], with [formula omitted], where z is a disclosed integer coprime with e, the eighth parameter; it must contain as factors all possible differences P_j - P_i for any i in {1, 2, ..., n}, so that computing u_i yields an integer u_i without a modulo operation.
b) Integers a and b satisfying a·x·y·z + b·e = 1 are calculated with the extended Euclidean algorithm.
c) The signature result is synthesized as h = w^a · d^b mod N'.
d) Finally, the composite signature module may optionally include a detection adjustment sub-module that verifies [formula omitted]; if it holds, h is output, otherwise -h mod N' is output.
5. The signature verification module works as follows: anyone can check d = h^e mod N'. Only when this equation holds is the signature h of the content d correct. Distributed authorization (whether a public key certificate, blockchain admission, blockchain consensus, a subordinate key or another authorization credential) is valid only if the signature verification passes.
The signature module and device described above may be optimized according to some additional principles. For example, the third principle: choose the parameters x and y as small as possible to improve computational efficiency, such as x = 1, y = 1 or y = 2. The fourth principle: choose an even y to avoid the work of the detection adjustment sub-module and simplify the flow. For example, when x = 1, y = 1 the distributed partial signature operation becomes [formula omitted], the accompanying proof of correctness becomes log_d d_i = log_v v_i, and the signature synthesis can be reduced to the x = y = 1 version: integers a and b satisfying a·z + b·e = 1 are used to compute w and h, and the detection adjustment sub-module must be attended to in this case. There is also a fifth principle: choose small integers P_1, P_2, ..., P_n, such as P_i = i, so that z can be chosen as small as possible to improve computational efficiency.
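The t-out-of-n flow of steps 1 to 5 above, together with the fourth and fifth principles, as an added Python example that is not the patent's code. It uses toy safe primes constructed here; the forms d_i = d^{x s_i}, w = prod d_i^{y u_i} and u_i = z · prod P_j / (P_j - P_i) (the Lagrange coefficient at 0 scaled by z) are my reading of the description, since the page does not reproduce those formulas.

```python
"""Added example (not the patent's own code): t-out-of-n threshold RSA signing
with polynomial shares modulo M = k*m, integer Lagrange coefficients u_i scaled
by z, synthesis h = w^a d^b and the sign adjustment. Exponent forms are assumed
readings of the description (see lead-in); toy parameters are constructed."""
import secrets
from math import gcd, prod

P1, Q1 = 1019, 1481              # constructed toy p', q'; p = 2p'+1, q = 2q'+1 prime
P, Q = 2 * P1 + 1, 2 * Q1 + 1
N = P * Q                        # multiplication modulus N' = pq
M_TRAP = P1 * Q1                 # trapdoor m = p'q'


def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def keygen(xyz):
    """Step 2: e drawn from Z_{N'} (not uniformly from Z_m), odd and coprime to
    m and to x*y*z so that a*x*y*z + b*e = 1 is solvable; K = e^{-1} mod m."""
    while True:
        e = secrets.randbelow(N - 3) + 3
        if gcd(e, 2 * M_TRAP * xyz) == 1:
            return e, pow(e, -1, M_TRAP)


def share_key(K, n, t, ids):
    """Step 1: s_i = F(P_i) mod M with F(0) = K and M = k*m for a secret k."""
    k = secrets.randbelow(1 << 64) | (1 << 63)
    big_m = k * M_TRAP
    coeffs = [K] + [secrets.randbelow(big_m) for _ in range(t - 1)]
    return [sum(c * p ** j for j, c in enumerate(coeffs)) % big_m for p in ids]


def scale_z(ids):
    """Step 4a: z = product of all P_j - P_i (i < j); it contains every
    difference that can appear in a denominator, so each u_i is an integer."""
    n = len(ids)
    return prod(ids[j] - ids[i] for i in range(n) for j in range(i + 1, n))


def lagrange_u(z, ids, subset):
    """u_i = z * prod_{j in S, j != i} P_j / (P_j - P_i), exact in the integers."""
    u = {}
    for i in subset:
        num = z * prod(ids[j] for j in subset if j != i)
        den = prod(ids[j] - ids[i] for j in subset if j != i)
        assert num % den == 0          # guaranteed by the choice of z
        u[i] = num // den
    return u


def partial_sign(d, s_i, x):
    """Step 3: the holder of s_i computes d_i = d^{x s_i} mod N'."""
    return pow(d, x * s_i, N)


def combine(d, parts, u, e, x, y, z):
    """Steps 4a-4d: w = prod d_i^{y u_i}, h = w^a d^b with a*x*y*z + b*e = 1,
    then the detection adjustment: if h^e != d, the signature is -h mod N'."""
    w = 1
    for i, d_i in parts.items():
        w = w * pow(d_i, y * u[i], N) % N     # u_i may be negative; d_i is a unit
    g, a, b = egcd(x * y * z, e)
    assert g == 1
    h = pow(w, a, N) * pow(d, b, N) % N
    return h if pow(h, e, N) == d else (-h) % N


def verify(d, h, e):
    """Step 5: anyone checks d = h^e mod N'."""
    return pow(h, e, N) == d


def demo(d, x=1, y=2, n=5, t=3):
    """n holders with P_i = i (fifth principle); the last t of them sign d.
    With y even (fourth principle) the adjustment never triggers; with y = 1
    it is what repairs the sign for a d with d^m = -1 mod N'."""
    ids = list(range(1, n + 1))
    z = scale_z(ids)
    e, K = keygen(x * y * z)
    shares = share_key(K, n, t, ids)
    subset = list(range(n))[-t:]               # indexes of the t cooperators
    u = lagrange_u(z, ids, subset)
    parts = {i: partial_sign(d, shares[i], x) for i in subset}
    h = combine(d, parts, u, e, x, y, z)
    return h, verify(d, h, e)
```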
The distributed authorization application system based on distributed passwords claimed in summary [0092] is likewise developed with the modules described in summary [0023] and [0031], and can also be based on the special n-out-of-n threshold RSA password generated by summary [0045] to [0047] when t = n and the signature device described in summary [0054] to [0059]; the overall organization and workflow are as follows.
1. The i-th holder of the signature private key randomly selects a secret private key fragment s_i. By a central initiator computing alone (as described in the key synthesis step of summary [0045]) or, in a decentralized scenario, by all holders of the signature private key together (as described in summary [0047]), the multiplication modulus N' and trapdoor m are generated without revealing the private key [formula omitted], and the public keys N' and e = K^{-1} mod m are published. The parameters u_1, u_2, ..., u_n are randomly selected integers that may be disclosed; depending on the application scenario they are chosen by the private key holders themselves or, in a centralized scenario, together with the central initiator. As stated in summary [0045], when e = K^{-1} mod m does not exist, u_1, u_2, ..., u_n can be reselected and e recomputed, while e is chosen so that its distribution leaks no information about m.
2. The distributed private key using device comprises a distributed signature module. Its structure and workflow: the information requiring signature (a public key certificate, blockchain admission certificate, blockchain consensus content, a subordinate key to be assigned or any other content requiring authorization) or its hash value (usually the hash is taken for signing because of application needs such as adjusting the information length), i.e. the signature object, denoted d, is handed to the signature private key holder of s_i, who computes the partial signature [formula omitted], where x is a disclosed integer coprime with e (i.e. the ninth parameter).
3. All n partial signature results are handed to the signature synthesis module for processing.
a) [formula omitted], where u_i follows summary [0045] and y is a public integer coprime with e (i.e. the tenth parameter).
b) Integers a and b satisfying a·x·y + b·e = 1 are calculated with the extended Euclidean algorithm.
c) The signature result is synthesized as h = w^a · d^b mod N'.
4. The signature verification module works as follows: anyone can check d = h^e mod N'. Only when this equation holds is the signature h of the content d correct. Once signature verification passes, the distributed authorization (whether a public key certificate, blockchain admission, blockchain consensus, a subordinate key or another authorization credential) is valid.
The signature module and signature device can be simplified by adjusting the parameters, i.e. x = 1 or y = 1, or even x = 1 and y = 1. For example, when x = 1, y = 1 the distributed partial signature operation becomes [formula omitted], the signature synthesis operation simplifies to [formula omitted], and the extended Euclidean algorithm can be omitted. The signature module and device can also be paired with a verification module that proves and verifies the correctness of each participant's operation. When the trust mechanism does not guarantee the integrity of the participants and their integrity must be verified, the verification module requires the parties to cooperate in the following operations.
1. In the initial parameter selection stage, all signature private key holders (or a central initiator, or both together) publicly select a large cyclic group in Z_{N'} and a generator v of that group (i.e. the fifth parameter).
2. The i-th signature private key holder, having generated s_i, calculates and publishes [formula omitted] for i = 1, 2, ..., n (i.e. the seventh parameter).
3. When the private key K is generated through the multiparty computation (or the single-party computation of a central initiator), all signature private key holders calculate and publish V = v^K mod N' at the same time (i.e. the sixth parameter).
4. Anyone can verify V^e = v mod N'.
5. When completing the partial signature operation in the previous step 3, each private key holder gives the zero-knowledge proof [formula omitted]. When the simplified scheme with x = 1, y = 1 is used, this zero-knowledge proof reduces to log_d d_i = log_v v_i. When a particular application scenario needs to verify whether the private key holder behaved correctly, this zero-knowledge proof is chosen to ensure that the holder used the same s_i that is fixed in v_i to compute d_i, without leaking any information about s_i in the proof.
The embodiments covered by summary [0092] to [0094] not only relate to various authorization scenarios and are implemented in various software systems; they sometimes extend to a broader authentication service of an authorizing party and involve the hardware infrastructure, for example remote attestation of the software and hardware computing environment (the hardware computing device and the software environment deployed on it) of a trusted execution environment (TEE). Remote attestation essentially measures the configuration and state of the software and hardware computing environment (in particular the hardware configuration and software integrity) and signs the measurement for authentication, while the key used for the signature in turn obtains endorsement through a public key certificate issued by an authority. Simple remote attestation needs only centralized key signing and only a single authority to certify the signing key, but it has to trust that single certifying authority, so its security level is not high. To avoid an overly strong trust assumption and to increase security, the authority of the certifying body can be decentralized and distributed by sharing the private key. That is, a number of related entities, such as the hardware chip vendor (e.g. the manufacturer of the TEE-enabled CPU), the system operator (e.g. the cloud platform) and the software provider (e.g. the operating system vendor), jointly hold the certification authority and the corresponding RSA private key, and the digital signature function that issues the certificate uses the RSA algorithm. The remote attestation of the TEE can thus be completed jointly by several authoritative authenticators, while the distributed RSA signature method reveals neither the private key nor the threshold information.
● When the general t-out-of-n threshold RSA password of summary [0006]~[0011], [0013], [0015]~[0018] is adopted, implementing such authoritative certification requires the acquisition module, distribution module and sending module of summary [0023], developed around the distributed private key using module of summary [0031] and using the distributed signature device of summary [0035]~[0037], and finally a signature verification module. The n authoritative authenticators have public, mutually different identification values P_1, P_2, ..., P_n; they act as cooperators sharing the RSA private key K. The i-th authoritative authenticator uses the acquisition module to call the distribution module and finally obtains, through the sending module, s_i = F(P_i) mod M with F(x) = a_0 + a_1 x + a_2 x^2 + ... + a_{t-1} x^{t-1}. The basic requirements for computing the RSA private key fragments with these modules are: a_0 = K and M = km, where m is the trapdoor of the RSA password and k is a secret integer selected at random from a sufficiently large range (containing large primes); a_1, a_2, ..., a_{t-1} are selected at random from a sufficiently large set of integers (e.g. Z_M). It may further be required that k be an integer that minimizes km - N, where N is a publicly set constant much larger than the multiplication modulus N' used for RSA encryption; at the same time a_1, a_2, ..., a_{t-1} are selected at random from a sufficiently large set of integers (e.g. Z_M). Key generation itself may, according to actual need, be completed by one initiator (according to summary [0015]) or by the authoritative authenticators themselves (according to summary [0043]).
The content to be authenticated after TEE measurement, or its hash, is denoted d; it is handed to the authoritative authenticator holding s_i, who computes [formula omitted], where x is a disclosed integer coprime with e, the ninth parameter. If necessary, the distributed signing module may include a verification sub-module that requires the signer to give the zero-knowledge proof [formula omitted], where y is a disclosed integer coprime with e, i.e. the tenth parameter. Here v (the fifth parameter) and v_i (the seventh parameter) were already calculated at the time of private key sharing; that is, v is a publicly selected generator of a large cyclic group in Z_{N'}, and [formula omitted]; their values are published by the sending module of summary [0023]. This cyclic group may be specially chosen according to summary [0028], so that the parameter presentation sub-module of summary [0028] can ensure that v and v_i are indeed in this cyclic group. If t authoritative authenticators cooperate to complete their respective partial signatures and their corresponding identification values form a set S, the signature result is synthesized as h = w^a · d^b mod N', where a and b are integers satisfying a·x·y·z + b·e = 1 calculated with the extended Euclidean algorithm, [formula omitted] with [formula omitted], and z is a disclosed integer coprime with e, the eighth parameter, which must contain as factors all possible differences P_j - P_i for any i in {1, 2, ..., n}, so that computing u_i yields an integer u_i without a modulo operation. Finally, the composite signature module may optionally include a detection adjustment sub-module that verifies [formula omitted]; if it holds, h is output, otherwise -h mod N' is output. The signature verification module then verifies d = h^e mod N'; only when this equation holds is the signature h of the content d correct.
● Authoritative certification for trusted execution environments may also be based on the RSA password with a special n-out-of-n threshold generated by summary [0045]~[0047] when t = n and the signing device described in summary [0054]~[0059]; this implementation likewise requires the acquisition module, distribution module and sending module of summary [0023], developed around the distributed private key using module of summary [0031], and finally a signature verification module. The i-th authoritative authenticator randomly selects a secret private key fragment s_i. By a central initiator computing alone (as described in the key synthesis step of summary [0045]) or, in a decentralized scenario, by all authoritative authenticators together (as described in summary [0047]), the multiplication modulus N' and trapdoor m are generated without revealing the private key [formula omitted], and the public keys N' and e = K^{-1} mod m are published. The computation of the parameters u_1, u_2, ..., u_n and the selection of e are the same as in the application of summary [0094]; as stated in summary [0045], when e = K^{-1} mod m does not exist, u_1, u_2, ..., u_n can be reselected and e recomputed, while e is chosen so that its distribution leaks no information about m. The content to be authenticated after TEE measurement, or its hash, denoted d, is handed to the authoritative authenticator holding s_i, who computes the partial signature [formula omitted], where x is a disclosed integer coprime with e (i.e. the ninth parameter). If necessary, the distributed signing module may comprise a verification sub-module requiring the signer to give the zero-knowledge proof [formula omitted], where y is a disclosed integer coprime with e, i.e. the tenth parameter. Here v (the fifth parameter) and v_i (the seventh parameter)
were, as in summary [0059], already computed at the time of private key sharing, just as in the general t-out-of-n scenario. All n partial signature results are synthesized as h = w^a · d^b mod N', where a and b are integers satisfying a·x·y + b·e = 1 calculated with the extended Euclidean algorithm, [formula omitted], and u_i follows the definition in summary [0045]. Finally, the composite signature module may optionally comprise a detection adjustment sub-module that verifies [formula omitted]; if it holds, h is output, otherwise -h mod N' is output. The signature verification module then verifies d = h^e mod N'; only when this equation holds is the signature h of the content d correct.
The two authoritative authentication embodiments described above may be suitably optimized in accordance with some additional principles. For example, the third principle: small parameters x and y are selected as much as possible to improve the calculation efficiency, such as x=1, y=1 or y=2; as a fourth principle: and the even y is selected to avoid the work of detecting and adjusting the module, so that the flow is simplified. For example, when x=1, y=1, the distributed partial signature operation becomesWhile the concomitant proof of correctness becomes log d d i =log v v i At the same time, the signature synthesis operation can also be simplified to a version of x=y=1, and attention should be paid to the detection adjustment sub-module. There is also a fifth reason: selecting a small integer P 1 ,P 2 ,...,P n Such as P i =i, so that z can be chosen as small as possible to improve computational efficiency.
Summary [0095] provides further, more complex application scenarios for the embodiments. A complex TEE sometimes relies not on a single computing chip but is supported by several, for example multiple processing chips such as a CPU, GPU, NPU and DPU. Each chip then carries a manufacturer-provisioned private key that supports authentication services such as remote attestation. In this scenario, as shown in fig. 10, the special authoritative authentication technique based on distributed RSA signatures under the n-out-of-n threshold in the second item of summary [0095] can be used: the private keys of the several chips are treated as fragments of the authoritative authentication private key; a unified public/private key pair is then generated, and services such as the TEE are signed and authenticated in a distributed way by the n authoritative authenticators; users of those services verify the authenticators' mutual authentication with a single unified RSA public key. The essence of TEE multi-party governance is to disperse the management rights over the trusted computing environment among several key stakeholders (such as chip manufacturers, software providers and cloud platforms), which not only strengthens security but also helps balance and coordinate the relationships between the parties in an actual deployment. For example, during remote attestation the signing private key may be shared by several parties, or synthesised from the private keys of all parties as shown in fig. 10, and the measurement result is signed with it.
The security of a trusted execution environment with multiple governing parties (including the application platform, the system software providers and the multi-chip heterogeneous computing power providers) described in summary [0095] and [0096] ultimately rests on a root key that is contributed and controlled by all of those parties. The distributed generation of this root key proceeds as follows: each governing party publishes its public key certificate, including the certificate of the built-in private key of each chip and the certificates of the other parties; each governing party verifies the correctness of the other parties' certificates (for example by querying the chip manufacturer's public key authentication system); each governing party then runs a secure multi-party computation protocol with its own private key as secret input and uses the invention's "split first, then combine" n-out-of-n threshold cryptographic mechanism to compute, without revealing the inputs, a public key that serves as the external public key of the whole trusted execution environment. This guarantees that the private key K corresponding to that public key can only be obtained with the private keys of all the governing parties together. The specific remote attestation procedure, in which all governing parties participate, is as follows.
1. Each governing party measures the trusted execution environment, including but not limited to all or part of the following:
a) each computing chip measures the software and hardware environment within its own range, including the chip state and the user task code running on it
b) the platform side measures its own system configuration, covering tool software, virtual machines, bare-metal servers and the like
c) the system software reports its own product parameters
d) the application platform provides the parameters of the deployed software and hardware (including the computing chips and the system software) together with the user task code (or a hash digest of the code) injected into them, so that the user can compare them against the measurement results of the computing chips and the system software
e) each computing chip initiates a measurement task and interacts with the other governing parties, including the application platform and the system software, to obtain real-time information on their system configuration, so that the user can check the chip's measurement result
2. Each governing party checks all measurement results and, if it approves them, partially signs them with its own private key; this requires the partial signature function of the distributed cipher being used.
3. The user verifies the signature on the measurement results
a) preparation: the complete signature is synthesised from all partial signatures on the measurement results, which requires the signature synthesis function of the distributed cipher being used
b) the complete signature on the measurement results is verified with the external public key of the whole trusted execution environment
c) it is verified that the public keys of all governing parties synthesise the external public key of the whole trusted execution environment, which means that their private keys can synthesise the remote attestation signing private key K
d) the correctness of the public key certificates of all governing parties is verified (for example by querying the chip manufacturer's public key authentication hierarchy)
Besides remote attestation, the trusted execution environment may also require other joint governance functions. For example, when a user submits the input data required by a computing task to the trusted execution environment and needs to encrypt the data with a communication key, all governing parties of the trusted execution environment can issue that communication key to the user jointly, as follows.
1. All or some of the governing parties select the communication key (generated, for instance, by the computing chip that will actually process the data, or chosen jointly by several governing parties)
2. Each governing party partially signs the communication key with its own private key
3. The complete signature is synthesised from all partial signatures on the communication key
4. The user verifies the complete signature on the communication key with the external public key of the whole trusted execution environment and, if necessary, also verifies that the public keys of all governing parties synthesise that external public key and that the public key certificates of all governing parties are correct
The method and apparatus of the present invention may also be used in further embodiments, and their scope of application is not limited to the RSA and Paillier ciphers. Other ciphers, especially those whose private key sharing cannot compute the fragments under a natural public modulus, can also use the first and second principles of the invention to distribute the private key, or adopt the "split first, then combine" strategy of synthesising the key from arbitrarily selected fragments, so as to strengthen the protection of the cipher in a distributed environment. For example, when the ElGamal cipher is set up in a cyclic group whose order is secret, the private key distribution polynomial (the first polynomial) cannot yield correct private key fragments under the existing public modulus, so it too can benefit from the private key sharing method of the invention. In some ciphers the private key even consists of several integers; each of them can be distributed as fragments by the first and second principles of the invention, or synthesised from arbitrary fragments by the split-first-then-combine strategy. Embodiments of the invention are not limited to a particular form or deployment of the distributed cipher. The key generation and distribution device, the distributed decryption device and the distributed signature device can be implemented in software or built from hardware modules. When implemented in software, they may be programs or code blocks running on a computing device. The computing device may be one or more of a physical machine, a virtual machine, a container, a cloud device, an edge device and the like.
These computing facilities may in turn be deployed on one or more computing nodes, meaning that the program of each device may be deployed and run centrally on one computing device or distributed across several. When the key distribution device is built from hardware modules, each device may be installed on one or more computing apparatuses, such as a server or a mobile terminal. Their physical form may be part of an application-specific integrated circuit (ASIC), a system on a chip (SoC), a general-purpose or special-purpose computing chip, a memory-integrated chip or a programmable logic device (PLD). The PLD may be one or more of a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) and the like. The roles of initiator, coordinator, data provider, computing participant and so on described in the invention are not limited to "people" in a physical or social environment; they may also be read as equipment or organisational facilities capable of building or using the distributed cipher. In some scenarios they are the computing devices used by users, or clusters of several computing device nodes. When several of these roles perform a multi-party computation, they may either complete it themselves on their respective computing devices or delegate several computing agents to complete it on one or more third-party computing devices. The executor that obtains the complete signature from the several partial signatures may be any one of the holders, or a device other than the holders, for example a party jointly trusted or jointly authorised by the holders.
Explanation of terms
The present invention relates to the following important concepts and terms, which are explained here in detail.
● Modular arithmetic and trapdoors. Modular arithmetic is ubiquitous in cryptographic operations. For example, in the RSA cipher the encryption operation uses a public multiplication modulus N'; in the Paillier cipher the encryption operation is performed modulo N'^2, where N' is a published large integer. Note that if the modulus of a modular operation is meant to stay secret, the result of the operation reveals information about that modulus, and statistical analysis shows that the amount revealed is far from negligible: every value reduced modulo a secret m is smaller than m, so the largest value observed already bounds m, and the bound tightens as more values accumulate. Therefore, if information to be distributed (such as private key fragments) is computed modulo information that must be kept secret (such as the private key or the trapdoor), a non-negligible amount of that secret information is revealed. The trapdoor of a cipher is the secret information used in the process of generating the cipher, including its public key and private key, from which the private key can easily be computed; the trapdoor must therefore be kept secret at the same security level as the private key.
● Secure multi-party computation refers to the setting shown in fig. 5: several data providers contribute private inputs, one or more computing participants jointly evaluate a specified function without being able to obtain the secret inputs, and a designated sharing party obtains the plaintext output. Secure multi-party computation must satisfy three security properties. 1) Privacy: no participant learns anything beyond the output value and what the output itself leaks; 2) Correctness: executing the protocol correctly yields the correct result; 3) Fairness: if the honest participants do not receive the output, neither does the adversary. The first two properties target the semi-honest adversary model, in which each participant may try to obtain the private data of others but does not deviate from the protocol. Under a stronger security model (fig. 6), a malicious adversary may deviate from the protocol, tamper with the computation and break fairness; there the verifiability of the distributed decryption described in [0018] ensures that the parties behave honestly during decryption (which is part of the secure multi-party computation).
● Additive homomorphism appears when the invention describes secure multi-party computation based on distributed Paillier; it is an important property in applied cryptography. For an encryption algorithm E(), additive homomorphism means that E(m1 + m2) = E(m1)·E(m2) holds for any two plaintexts m1 and m2: the ciphertext of the sum of two plaintexts equals the product of their ciphertexts. The most typical and most widely used additively homomorphic encryption algorithm, Paillier, has been adopted by ISO as a standard additively homomorphic algorithm and is widely used in ciphertext computation solutions for secure multi-party computation.
● A mix network (Mix Net) is an anonymous communication network used to transfer a batch of data that needs to be anonymised. The data are encrypted, put into the mix network, and output from it in a shuffled order; even if the batch is then decrypted to plaintext, it can no longer be linked to its state before entering the mix network, because the order has been scrambled and cannot be traced back. Users of a mix network are often data providers who do not want to expose their identity: they submit their ciphertext data to the mix network, and after shuffling the data can no longer be traced to its provider even once decrypted. In short, data processed through a mix network is anonymised and untraceable: nobody knows who provided it. Under personal information protection laws such as the GDPR, anonymous data is considered not to harm personal privacy and is not regulated by the related provisions, so it can be decrypted and processed in plaintext for convenient and efficient handling. To strengthen security, as shown in fig. 7, the mix network usually consists of several nodes (mix nodes), each of which in turn permutes all incoming ciphertexts while re-encrypting them, partially decrypting them, or both. The effect of re-encryption or partial decryption is that the external form of the ciphertexts changes after the permutation (although the content does not), so that they cannot be traced, provided the encryption algorithm used is semantically secure.
The largest application area of the mix network is electronic voting: the voters' encrypted ballots are decrypted and counted after mixing, which plays the role of shaking the ballot box in a traditional election to scramble the order of the ballots, avoiding the trouble of counting in the ciphertext domain while preserving every voter's privacy. Mix networks can also be used in embodiments such as network statistics and electronic auctions, all by anonymising the application data (for example the bids of all bidders in an electronic auction) and then processing it in the clear. This generalises to any secure multi-party computation scenario: if the data privacy requirement is only untraceability rather than protection of the data content, a complex, application-specific secure multi-party computation in the ciphertext domain can be converted into a relatively simple and standardised mix network that is independent of the specific application. A mix network is itself a simple secure multi-party computation in which several participants (mix nodes) perform permutation and re-encryption (or partial decryption) in the ciphertext domain. Its security rests on one important premise: the private key of the encryption algorithm used must be well protected. If a single role holds the private key, the security is low: compromising that one key is enough to break the mix network, however many mix nodes have been deployed to strengthen it. Therefore, in practice the private key of the cipher used by a mix network is generally shared among several parties and used under a certain threshold, which is the important role of threshold ciphers in mix networks.
In this sense, the mix network and its major applications, including electronic voting and electronic auctions, are themselves secure multi-party computations in which several parties share the decryption key (in many scenarios the mix nodes are directly also the private key sharers) and the decryption rights, and carry out the mixing in the ciphertext domain. Threshold Paillier is often used in mix networks: besides supporting the threshold function and re-encryption, its additive homomorphism also makes it easier for a mix node to prove, in a verifiable-security scenario, that its mixing operation was correct.
● Re-encryption is an operation in a mix network in which a ciphertext is treated as plaintext and encrypted again with the same encryption algorithm. In a public key cryptosystem, the semantic security of the cipher ensures that the correspondence between the re-encrypted ciphertext and the original cannot be determined. The Paillier cipher is a typical cipher supporting re-encryption: decrypting a re-encrypted ciphertext once with the private key yields a value that is indistinguishable from any other ciphertext (however many times it was encrypted). In the usual mix-net construction, Paillier re-encryption is carried out as re-randomisation, multiplying the ciphertext by a fresh encryption of zero (c · r^N' mod N'^2), which changes its appearance without changing the plaintext and needs no private key. The RSA cipher is deterministic and does not support re-encryption, so it is not normally used in a mix network.
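The additive homomorphism entry and the mix-network and re-encryption entries above, as one added Python example that is not part of the patent: a toy Paillier instance whose ciphertexts are added homomorphically, re-randomised by two mix nodes (the re-encryption-as-multiplication-by-E(0) form described above), shuffled, and finally opened and tallied. Assumptions: g = 1 + N', toy Mersenne primes for N', 0/1 ballots as the batch, and the seeded randomness exists only to make the run reproducible.

```python
import random
from math import gcd

# Toy Paillier key from two Mersenne primes (constructed; far too small for real use).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q                                       # public modulus N'
N2 = N * N                                      # encryption modulus N'^2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)    # private key lambda(N')
MU = pow(LAM, -1, N)


def random_unit(rng):
    """Fresh randomiser r in Z_N'^*."""
    while True:
        r = rng.randrange(1, N)
        if gcd(r, N) == 1:
            return r


def encrypt(m, r):
    """Paillier with g = 1 + N': c = (1 + m*N') * r^N' mod N'^2."""
    assert 0 <= m < N and gcd(r, N) == 1
    return (1 + m * N) * pow(r, N, N2) % N2


def decrypt(c):
    """m = L(c^lambda mod N'^2) * mu mod N', with L(u) = (u - 1) / N'."""
    u = pow(c, LAM, N2)
    return (u - 1) // N * MU % N


def add(c1, c2):
    """Additive homomorphism: E(m1) * E(m2) = E(m1 + m2)."""
    return c1 * c2 % N2


def rerandomize(c, r):
    """Re-encryption as used by a mix node: multiply by a fresh encryption of 0.
    The plaintext is unchanged, the ciphertext is fresh, and no private key is needed."""
    return c * pow(r, N, N2) % N2


def mix_node(batch, rng):
    """One mix node: re-randomise every ciphertext, then permute the batch."""
    out = [rerandomize(c, random_unit(rng)) for c in batch]
    rng.shuffle(out)
    return out


def tally(batch):
    """Homomorphic tally: the product of all ballots decrypts to the sum of the votes."""
    acc = 1                                     # E(0) with r = 1
    for c in batch:
        acc = add(acc, c)
    return decrypt(acc)


def run_election(votes, seed, hops=2):
    """Encrypt 0/1 ballots, pass them through `hops` mix nodes, then open them.
    Returns (sorted decrypted ballots, homomorphic tally, unlinkable)."""
    rng = random.Random(seed)
    ballots = [encrypt(v, random_unit(rng)) for v in votes]
    mixed = ballots
    for _ in range(hops):
        mixed = mix_node(mixed, rng)
    unlinkable = not set(ballots) & set(mixed)  # no output ciphertext equals an input one
    return sorted(decrypt(c) for c in mixed), tally(mixed), unlinkable


if __name__ == "__main__":
    print(run_election([1, 0, 1, 1, 0], seed=3))
```

Two points the run makes concrete: the tally never needs the individual ballots decrypted, and `rerandomize` only needs the public key, so a mix node can change every ciphertext's appearance without holding (or being able to derive) `LAM`. In a deployment `LAM` itself would be shared under a threshold among the mix nodes, as the entry above describes.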
● Trusted AI. As a typical embodiment of secure multi-party computation, AI applications are mainly concerned with data privacy in encrypted computation (training and inference), including the privacy of training data and of inference data. They therefore encrypt the data, use the decryption private key in a distributed way to strengthen data privacy protection, and exploit the homomorphic property of the cipher to carry out training on ciphertext data, solving data circulation and data application problems on the premise of protecting privacy. For example, in federated learning the data and/or local training results of several data providers are encrypted with the Paillier cipher; the decryption key is shared by several parties, realising a distributed joint decryption mechanism so that no private information can be decrypted without the consent of its owner; finally a complete AI model is aggregated once the specified security conditions are met. As shown in fig. 8, federated learning leaks neither data nor model parameters, so large-scale distributed deep learning model training can be carried out without exposing private data. The benefits are clear: 1) data isolation and safe AI: customer data is not revealed, meeting privacy protection and data security requirements; 2) no data silos: information and model parameters are exchanged in encrypted form while the participating parties remain independent; 3) fewer engineering obstacles: the problems of large user data volumes, high network cost, slow transmission and low transmission security are avoided.
● Publicly verifiable secret sharing. This embodiment is also directed at the problem shown in fig. 6: in secure multi-party computation some parties may deviate from the protocol to tamper with the result or steal secret information. Dishonest adversaries must therefore be considered under a stronger security model, and it must be possible to verify whether any participant's operation deviates from the protocol; the correctness of the operations concerned must be publicly verifiable, i.e. anyone can verify or arbitrate it if necessary. In the initial step of secure multi-party computation, where a data provider splits its data to the computing participants by secret sharing, the correctness of the split must usually also be publicly verifiable, giving publicly verifiable secret sharing, which guarantees that every data item is fragmented under the correct threshold mechanism and shared with all computing participants. The new technique of sharing one complete (RSA or Paillier) key among several different user pairs allows the same public key (and encryption/decryption module) to be used on different encrypted communication channels while guaranteeing that the recipients on different channels decrypt with different private keys that only they hold. Hence, in the secret sharing scenario, no sharing party's data fragment is revealed to others, and the correctness of the secret sharing can be fully verified under the same modulus parameter.
● PKI (Public Key Infrastructure), also written public key infrastructure, is a set of infrastructure consisting of hardware, software, participants, management policies and procedures that provides cryptographic services such as encryption and digital signatures, together with the necessary key and certificate management systems, to all network applications. Its purpose is to create, manage, distribute, use, store and revoke digital certificates. The certificate authority (CA) is the core of the PKI, namely the body that accepts applications for and issues digital certificates; its most important role is to provide root certificates that strengthen the security of information exchange between servers and clients. A CA performs the following important functions in a PKI: 1. accepts and verifies end users' applications for digital certificates; 2. decides whether to accept an end user's certificate application (certificate approval); 3. issues the digital certificate to the applicant, or refuses to issue it (certificate issuance); 4. accepts and processes end users' certificate renewal requests (certificate renewal); 5. accepts end users' digital certificate revocation requests; 6. generates and publishes the certificate revocation list (CRL); 7. archives digital certificates; 8. archives keys; 9. archives historical data. The most central and essential operation of a CA is to issue new, changed or revoked certificates with the private key of its own root certificate.
● Zero-knowledge proof: a security protocol that proves that certain secret information satisfies a particular property (in abstract terms, belongs to a certain formal language) without revealing that information. The specific proofs used here derive from Schnorr [1] and Chaum and Pedersen [2]. For example, the zero-knowledge proof primitive used in the invention to prove that two discrete logarithms are equal comes from [2]; the innovation of the invention is not this primitive itself but its use to solve new problems in a zero-knowledge proof scenario different from that of the earlier and prior art. The invention also mentions that in the publicly verifiable data sharing embodiment the data provider must publicly prove that all encrypted data fragments are correct fragments of the same secret data without revealing the data or any of its fragments; this is usually realised by a zero-knowledge proof, and the specific protocol depends on the particular secure communication channel and secure multi-party computation scenario.
Drawings
FIG. 1 - Secure distributed cryptography in its two main modes of use (cipher splitting and cipher synthesis)
FIG. 2 - Cipher splitting: the fragments of a generated complete key are allocated to the cooperators
FIG. 3 - Cipher synthesis: key fragments generated by the cooperators are combined into a complete key
FIG. 4 - Infrastructure for the secure use of threshold ciphers (distributed use of threshold ciphers)
FIG. 5 - Basic mode of secure multi-party computation (computing participants do not deviate from the secure multi-party computation protocol)
FIG. 6 - Verifiable secure multi-party computation against dishonest adversaries (computing participants may deviate from the secure multi-party computation protocol)
FIG. 7 - Distributed multi-party implementation of a mix network (a common anti-tracing network)
FIG. 8 - Federated learning, distributed cryptography used with the present invention to support secure multi-party computation
FIG. 9 - Threshold PKI, a security-enhanced PKI system with reduced trust requirements, using distributed cryptography
FIG. 10 - TEE multi-party governance, which also requires the support of the present invention
[1] C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4, 1991, pages 161–174.
[2] D. Chaum and T. Pedersen. Wallet databases with observers. In CRYPTO '92, pages 89–10.

Claims (23)

1. A method for distributing private key of cipher is carried out by an initiator (private key generator) and features that the private key is passed through a polynomial sumThe accompanying modulo operation is broken down into n slices, each allocated to 1 cooperator, so there are n cooperators (private key sharers). The n-th slices are referred to herein as 1 st to n-th slices. n is a natural number equal to or greater than 2, and the threshold t (the number of cooperators required to perform the private key function) is not greater than n. The polynomial used for the private key decomposition is a first polynomial, the coefficient of the polynomial is a first parameter, and the modulus of a specially designed modular operation used when the polynomial is used is a second parameter. Using a first polynomial corresponding to the initiator, and carrying the identification value of each cooperator into the first polynomial to calculate (the ith cooperator has identification value P i The identification value of the first cooperator is the first identification value, the identification value of the second cooperator is the second identification value. The specially designed first and second parameters ensure that all private key fragments are each independent of the secret information of the password so that they are not compromised.
2. First polynomial F (x) =a 0 +a 1 x+a 2 x 2 +...+a t-1 x t-1 Is not itself the inventive concept; the key features of the realization claim 1 are that: using s i =F(P i )mod M i Calculating a value P with an identification i For its coefficients (first parameter) and accompanying modulus M when the private key of the partner of (a) is fragmented i Or the simplified setting of the modulus M (second parameter). Except for a 0 Other coefficients and modulus settings than the private key K are required to ensure F (x) mod M i With as little or no disclosure as possible of secret information (private keys, trapdoors, etc.) relating to cryptographic security.
3. For s i Mod M of (2) i (which can be simplified to a unified mod M) is a vital modulo (modulo) operation in the present invention, expressed mathematically by the symbol mod, i.e., taking the remainder of the division, the divisor being called the modulus, and the dividend being the modulus The remainder obtained by the input of the operation is the output of the modulo operation. The method is characterized in that: in the computation of private key fragmentation, the first principle of the present invention requires: by a function G i () Setting M i =G i (T, m), where m is the trapdoor of the password and T is the private key or other non-compromised secret parameter, all of which may, although need not necessarily, be a function G i () Is input to the computer; g i () Must be a one way function, algorithm G without any linear time i -1 () From M i Inverted push-out G i () Possibly secret input. That is, the modulus M is inferred from a private key fragment i It is not feasible to extract the secret information about the password in turn. If possible, even calculate M i G of (2) i () Set to have no secret input, that is M i Is set to a public parameter that is completely independent of any secret information of the password.
4. Specific mod M of the invention i The modulo operation (which can be reduced to a unified mod M) is also characterized by: when unable to make M i When the public parameter is set to be completely independent of any secret information of the password, the second principle can be selected on the basis of the first principle to further strengthen the security performance, namely M is required i The optimal choice of (can be simplified to unified M) is infinitely close to a published constant N i (which may be simplified to a unified N), i.e. a fourth parameter set in advance. That is to ensure that via mod M i The calculated private key fragments are statistically difficult to distinguish from a known distribution over a constant interval, so that each fragment's distribution can be statistically considered to be approximately a known secret-free distribution.
5. The first parameter selection method is characterized by a, in combination with claim 3 and claim 4 1 ,a 2 ,...,a t-1 From a sufficiently large set of integers (the size of this set of integers should in principle be no smaller than M 1 ,M 2 ,......M n ) Random inSelected to ensure F (x) mod M i At the position ofThe same distribution is formed, so that the statistical distribution of each private key fragment is completely independent of the private key K. When claim 3 and claim 4 are reduced to using a unified mod M instead of a different M i This characteristic changes, when: a, a 1 ,a 2 ,...,a t-1 From a sufficiently large set of integers (e.g. Z M ) To ensure F (x) mod M at Z M The same distribution is formed, so that the statistical distribution of each private key fragment is completely independent of the private key K.
6. Specifically for the RSA cipher, the second parameter and the first parameter are selected as follows: $M_i = k_i m$, with $k_i$ a randomly selected secret large prime, so as to meet the requirement of the first principle; after the second principle is added, $k_i$ is set to the integer that minimizes $|k_i m - N_i|$, and the constant $N_i$ is set much larger than the multiplication modulus used for RSA encryption operations. The first parameters $a_1, a_2, \ldots, a_{t-1}$ are randomly selected from a sufficiently large set of integers (the size of this set should in principle be no smaller than $M_1, M_2, \ldots, M_n$). Here $|\cdot|$ denotes the absolute value and m is the trapdoor of the RSA cipher, whose specific setting is given in claim 9.
7. Specifically for the Paillier cipher, the second parameter and the first parameter are selected as follows: $M_i = k_i m$ with $k_i = k_i' N'$, where $k_i'$ is a randomly selected secret large prime, which meets the requirement of the first principle; after the second principle is added, $k_i$ is set to the integer that minimizes $|k_i m - N_i|$, and $N_i$ is set much larger than $N'^2$. Here $N'^2$ is the multiplication modulus used by the Paillier encryption operation and m is the trapdoor of the Paillier cipher; their specific settings are given in claim 10.
8. The first principle and the second principle can also be correspondingly simplified in claim 6 and claim 7, characterized in that: the $M_i$ originally different for each cooperating party $P_i$ are simplified to a unified M, the different $G_i()$ to a unified $G()$, and the different $N_i$ to a unified N; i.e. all cooperating parties and their fragments use the unified second and fourth parameters. Specifically, for the RSA cipher, $M = km$ with k a randomly selected secret large prime, so as to meet the requirement of the first principle; after the second principle is added, k is set to the integer that minimizes $|km - N|$, and the constant N is set much larger than the multiplication modulus used by RSA encryption operations; the simplified first parameters $a_1, a_2, \ldots, a_{t-1}$ are randomly selected from a sufficiently large set of integers (e.g. $Z_M$). For the Paillier cipher, $M = km$ with $k = k' N'$ and $k'$ a randomly selected secret large prime, which meets the requirement of the first principle; after the second principle is added, k is set to the integer that minimizes $|km - N|$, and N is set much larger than the multiplication modulus used by the Paillier encryption operation; the simplified first parameters $a_1, a_2, \ldots, a_{t-1}$ are randomly selected from a sufficiently large set of integers (e.g. $Z_M$).
9. The shared complete RSA key: the generation of the RSA key and the computation of RSA private key fragments from it can be completed by a centralized initiator, or, in a decentralized setting, in a distributed way by all cooperating parties sharing the key through secure multiparty computation. In either case, $p'$ and $q'$ are large primes such that $p = 2p' + 1$ and $q = 2q' + 1$ are also large primes; $m = p'q'$ is the trapdoor and $N' = pq$ is the multiplication modulus used by RSA encryption operations. The unique feature emphasized by the present invention is that a special method is adopted when the key (the shared key) is generated: unlike some prior systems, which randomly select or compute the public key e in $Z_m$, e should be randomly selected from a large space different from $Z_m$, after which the private key $K = e^{-1} \bmod m$ is computed. For example, e is randomly selected in $Z_{N'}$, where $N'$ is the multiplication modulus used by the RSA encryption, decryption and signature operations; or e is randomly selected from a particular small subset of $Z_m$ (e.g. one containing integers of a particular length and excluding weak keys, far smaller than $Z_m$ and not uniformly distributed in $Z_m$).
10. The shared complete Paillier key can likewise be generated, and the private key fragment computation can be completed by a centralized initiator or, in a decentralized setting, by the cooperating parties sharing the key through secure multiparty computation. In either case, $p'$ and $q'$ are large primes such that $p = 2p' + 1$ and $q = 2q' + 1$ are also large primes; $m = p'q'$ is the trapdoor, $N' = pq$, and $N'^2$ is the multiplication modulus of the encryption operation; $K = \kappa m$ is the private key, where κ is a randomly selected integer; the public key consists of $N'$ and g. The invention emphasizes that the order of g in the multiplicative group mod $N'^2$, order(g), is an integer multiple of $N'$, but order(g)/N' must not be too small and must contain a large prime factor, so that recovering it as a multiplicative factor amounts to a factorization problem; in addition, in combination with the simplified decryption operation in claim 19, a $K' = K \times \mathrm{order}(g)$ may be added to the public key of Paillier to form a variant of the Paillier cipher.
11. When t = n, an n-out-of-n threshold cipher is formed, and a special implementation method different from the general threshold cipher described above may be adopted. It is characterized in that: a complete RSA or Paillier key is generated from the private key fragments (which may be original private keys or specially selected fragments) already owned by each cooperating party, forming a distributed cipher of the first-split-then-combine type, which thoroughly overcomes the problem that key fragments leak key information. Specifically, the i-th cooperating party randomly selects a secret private key fragment $s_i$; the corresponding public parameter $u_i$ is selected by each cooperating party itself or jointly by the relevant participants. Then $s_1, s_2, \ldots, s_n$ and $u_1, u_2, \ldots, u_n$ are fed into the key generation protocol of the RSA or Paillier cipher, computed by a central controller or by several cooperating parties, to generate the complete RSA or Paillier key.
12. When the n-out-of-n threshold RSA cipher adopts the special first-split-then-combine distributed structure, it is characterized as follows. Private key [equation image missing] and public key $e = K^{-1} \bmod m$, where m is the RSA trapdoor already defined and $s_1, s_2, \ldots, s_n$ and $u_1, u_2, \ldots, u_n$ are as defined in claim 11. The two-step key generation computation is completed by a key synthesis device: either a central controlling party (initiator) collects $s_1, s_2, \ldots, s_n$ and $u_1, u_2, \ldots, u_n$ and completes it alone, or it is completed through secure multiparty computation on the secret inputs $s_1, s_2, \ldots, s_n$ of the cooperating parties. Note that $e = K^{-1} \bmod m$ or $e = K^{-1} \bmod M$ does not necessarily give a correct result each time; for example $K^{-1} \bmod m$ may not exist, or the public key e is required to lie in a particular subset of $Z_m$ but the actually computed e falls outside that subset. In that case $u_1, u_2, \ldots, u_n$ can be reselected and e recomputed. To avoid leaking non-negligible secret information from e, the computation method of the public key may also be changed, in addition to recomputing an unsatisfactory public key, if necessary. For example, the public key may even be computed as $e = (K^{-1} \bmod m) + \varepsilon m$, where ε is a randomly generated secret integer; this variant avoids the situation in which the distribution of e over $Z_m$ reveals information about m. This variant of computing e is also more general in the form $e = K^{-1} \bmod M$, where M adopts the definition in claim 8, namely the second parameter selected by the first and second principles for the RSA cipher.
13. When the n-out-of-n threshold Paillier cipher adopts the special first-split-then-combine distributed structure, the key synthesis module is characterized in that: the computation of the complete key first selects random integers α, β and κ to obtain the public key parameter $g = (1 + N')^{\alpha} \beta^{N'} \bmod N'^2$ and the private key $K = m\kappa$, then computes the other public key parameters from the private key fragments: [equation image missing] and $\sigma = \alpha m \kappa$ or $\sigma = \alpha m \kappa \bmod N'$; where $s_1, s_2, \ldots, s_n$ and $u_1, u_2, \ldots, u_n$ are as defined in claim 11, and M adopts the definition in claim 8, namely the second parameter selected by the first and second principles for the Paillier cipher. Note that in addition to $N'$ and g, the public key also includes μ and σ.
14. A distributed RSA decryption device using private key fragments under a t-out-of-n threshold is characterized as follows. Private key sharing: using the polynomial $F'(x) = F(x) \bmod M = a_0 + a_1 x + a_2 x^2 + \ldots + a_{t-1} x^{t-1} \bmod M$, private key fragments $s_i = F'(P_i)$ for $i = 1, 2, \ldots, n$ are generated from the private key $a_0 = K$ and assigned to the individual sharers, where the parameters M and the first polynomial $F(x)$ are chosen using the first principle (the second principle can be added) simplified in claim 8, together with other secret parameters that require special choice, so as to ensure that the secrets of the RSA cipher are not exposed by the private key fragments. Distributed partial decryption of any ciphertext d: [equation image missing], where x is a public integer coprime to e (which can also be simplified to 1). Decryption synthesis: first compute [equation image missing] and [equation image missing], where the identification values of the t cooperating parties form a set S, and z is a public integer coprime to e that is specially set (for any $i \in \{1, 2, \ldots, n\}$, z must contain every possible $P_j - P_i$ with $P_j \in S$, $j \neq i$, as a factor; $u_i$ or z may also contain other factors, which can be written as yz as in the description, the extra factors being explicitly represented by y, e.g. the tenth parameter mentioned in the description as used in the proof of correctness of the partial decryption) to ensure that an integer $u_i$ is obtained without modular arithmetic. Result of decryption synthesis: $h = w^a d^b \bmod N'$, where a and b satisfy $a \cdot xz + b \cdot e = 1$; if necessary, check [equation image missing] and output h if it is satisfied, otherwise output $-h \bmod N'$.
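As an added worked example (not from the patent), the RSA sharing and decryption of claims 8, 9 and 14 in toy Python: fragments are taken mod $M = km$ with k the secret prime for which km is closest to the public constant N, the synthesis uses integer Lagrange coefficients $u_i$ and the relation $a \cdot xz + b \cdot e = 1$, and the ±h check closes the computation. The primes, e and N are constructed toy values; $x = 1$, $P_i = i$, and the plaintexts are assumed to be quadratic residues mod $N'$ (the ±h check alone does not cover every ciphertext, so the code raises when neither sign verifies).

```python
"""Toy t-out-of-n threshold RSA decryption in the style of claims 8, 9 and 14.

Sharing is done modulo M = k*m, where m = p'q' is the RSA trapdoor and k is a
secret prime chosen so that |k*m - N| is minimal for a PUBLIC constant N (first
and second principles of claim 8); decryption synthesis uses integer Lagrange
coefficients u_i = z*lambda_i together with a*x*z + b*e = 1 (claim 14).
Every numeric parameter here is a tiny constructed value, not a secure size.
"""
import math
import secrets
from typing import Dict, Sequence, Tuple


def is_prime(n: int) -> bool:
    """Trial division, adequate for the toy sizes used here."""
    return n >= 2 and all(n % p for p in range(2, math.isqrt(n) + 1))


def choose_k(m: int, big_n: int) -> int:
    """Second principle (claim 8): the prime k that minimises |k*m - big_n|."""
    lo = hi = round(big_n / m)
    while not is_prime(lo):
        lo -= 1
    while not is_prime(hi):
        hi += 1
    return lo if abs(lo * m - big_n) <= abs(hi * m - big_n) else hi


def toy_setup() -> Tuple[int, int, int, int, int]:
    """Constructed RSA parameters: safe primes p = 2p'+1, q = 2q'+1, trapdoor m = p'q'.
    Returns (N', m, e, K, M)."""
    p_, q_ = 11, 29                                   # p = 23 and q = 59 are prime
    n_prime, m = (2 * p_ + 1) * (2 * q_ + 1), p_ * q_  # 1357 and 319
    e = 17                    # coprime to m; real keys draw e from a far larger space (claim 9)
    K = pow(e, -1, m)         # private exponent, e*K = 1 mod m
    k = choose_k(m, 10**6)    # secret prime k with k*m close to the public constant N = 10^6
    return n_prime, m, e, K, k * m


def share_private_key(K: int, M: int, t: int, n: int) -> Dict[int, int]:
    """s_i = F(P_i) mod M with F(0) = K and a_1..a_{t-1} uniform in Z_M; P_i = i (claim 14).
    Because M is close to the public N, the fragments' range says nothing about m."""
    coeffs = [K] + [secrets.randbelow(M) for _ in range(t - 1)]
    return {P: sum(a * P**j for j, a in enumerate(coeffs)) % M for P in range(1, n + 1)}


def partial_decrypt(d: int, s_i: int, n_prime: int, x: int = 1) -> int:
    """w_i = d^(x*s_i) mod N', computed locally by the holder of s_i."""
    return pow(d, x * s_i, n_prime)


def integer_lagrange(S: Sequence[int]) -> Tuple[int, Dict[int, int]]:
    """z = product over ordered pairs i != j in S of |P_j - P_i|, and u_i = z*lambda_i(0).
    z absorbs every denominator, so each u_i is an exact integer (no arithmetic mod m)."""
    z = math.prod(abs(j - i) for i in S for j in S if i != j)
    u = {}
    for i in S:
        num = z * math.prod(j for j in S if j != i)
        den = math.prod(j - i for j in S if j != i)
        q, r = divmod(num, den)
        if r:
            raise ArithmeticError("z does not absorb every P_j - P_i")
        u[i] = q
    return z, u


def combine(d: int, partials: Dict[int, int], e: int, n_prime: int, x: int = 1) -> int:
    """Decryption synthesis (claim 14): w = prod w_i^(u_i), h = w^a * d^b with a*x*z + b*e = 1.
    For a ciphertext in the quadratic-residue subgroup h equals d^K exactly; otherwise the
    claim's sign check is applied, and an error is raised if neither sign verifies."""
    z, u = integer_lagrange(sorted(partials))
    w = 1
    for i, w_i in partials.items():
        w = w * pow(w_i, u[i], n_prime) % n_prime   # negative u_i -> modular inverse
    a = pow(x * z, -1, e)                            # requires gcd(x*z, e) = 1
    b = (1 - a * x * z) // e                         # exact because a*x*z = 1 mod e
    h = pow(w, a, n_prime) * pow(d, b, n_prime) % n_prime
    for candidate in (h, -h % n_prime):
        if pow(candidate, e, n_prime) == d:
            return candidate
    raise ValueError("neither h nor -h verifies: d is not a quadratic residue mod N'")


def demo(plaintext: int, t: int = 3, n: int = 5, S: Sequence[int] = (1, 3, 5)) -> int:
    """Encrypt, hand out fragments, let the parties in S decrypt, return the result."""
    n_prime, _m, e, K, M = toy_setup()
    shares = share_private_key(K, M, t, n)
    d = pow(plaintext, e, n_prime)
    partials = {i: partial_decrypt(d, shares[i], n_prime) for i in S}
    return combine(d, partials, e, n_prime)


if __name__ == "__main__":
    print(demo(36))   # 36 is a quadratic residue mod N', so the result is exact
```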
15. A special first-split-then-combine distributed RSA decryption device under the n-out-of-n threshold uses private key fragments for distributed decryption as follows. The private key fragments $s_1, s_2, \ldots, s_n$ selected by each cooperating party are combined with $u_1, u_2, \ldots, u_n$ as described in claim 11 by key synthesis (operated by an initiator or, in a completely decentralized setting, realized by a distributed combination of several cooperating parties) to generate a complete public key and private key. The resulting private key of the key synthesis is [equation image missing], while the public key e satisfies $eK = 1 \bmod m$ and the privacy protection set in claim 12. Distributed partial decryption of ciphertext d: [equation image missing], where x is a public integer coprime to e (x can be simplified to 1). Decryption synthesis: first compute [equation image missing], where $u_i$ was selected at the time of key generation ($u_i$ may sometimes be $u_i y$, with y representing an additional exponential factor, such as the tenth parameter mentioned in the description that is used in the proof of correctness of the partial decryption); then output the result $h = w^a d^b \bmod N'$, where a and b satisfy $a \cdot x + b \cdot e = 1$, or $a \cdot x \cdot y + b \cdot e = 1$ when $u_i$ is replaced by $u_i y$; if necessary, check [equation image missing] and output h if it is satisfied, otherwise output $-h \bmod N'$.
16. A distributed RSA signature device using private key fragments under a t-out-of-n threshold is characterized as follows. Key generation is as described in claim 14. Partial signature: for the information requiring signature or its hash value (the hash value is usually what is signed, for application needs such as adjusting the length of the information), i.e. the signature object, denoted d, the cooperating party holding $s_i$ computes [equation image missing], where x is a public integer coprime to e (which can also be simplified to 1). Signature synthesis: first compute [equation image missing] and [equation image missing], where the identification values of the t cooperating parties form a set S, and z is a public integer coprime to e that is specially set (for any $i \in \{1, 2, \ldots, n\}$, z must contain every possible $P_j - P_i$ with $P_j \in S$, $j \neq i$, as a factor; $u_i$ or z may also contain other factors, which can be written as yz as in the description, the extra factors being explicitly represented by y, e.g. the tenth parameter mentioned in the description as used in the proof of correctness of the partial signature) to ensure that an integer $u_i$ is obtained without modular arithmetic. Final result of signature synthesis: $h = w^a d^b \bmod N'$, where a and b satisfy $a \cdot xz + b \cdot e = 1$; if necessary, check [equation image missing] and output h if it is satisfied, otherwise output $-h \bmod N'$.
17. A special first-split-then-combine distributed RSA signature device under the n-out-of-n threshold uses private key fragments for distributed signing as follows. Key generation is as described in claim 15. Partial signature: for the information requiring signature or its hash value (the hash value is usually what is signed, for application needs such as adjusting the length of the information), i.e. the signature object, denoted d, the cooperating party holding $s_i$ computes [equation image missing], where x is a public integer coprime to e (which can also be simplified to 1). Signature synthesis: first compute [equation image missing], where $u_i$ was selected at the time of key generation ($u_i$ may sometimes be $u_i y$, with y representing an additional exponential factor, such as the tenth parameter mentioned in the description that is used in the proof of correctness of the partial signature); then output the result $h = w^a d^b \bmod N'$, where a and b satisfy $a \cdot x + b \cdot e = 1$, or $a \cdot x \cdot y + b \cdot e = 1$ when $u_i$ is replaced by $u_i y$; if necessary, check [equation image missing] and output h if it is satisfied, otherwise output $-h \bmod N'$. Signature verification: [equation image missing].
18. A distributed Paillier decryption apparatus using private key fragments under a t-out-of-n threshold is characterized as follows. Private key sharing: using the polynomial $F'(x) = F(x) \bmod M = a_0 + a_1 x + a_2 x^2 + \ldots + a_{t-1} x^{t-1} \bmod M$, private key fragments $s_i = F'(P_i)$ for $i = 1, 2, \ldots, n$ are generated from the private key K and assigned to the individual sharers, where the parameters M and the first polynomial $F(x)$ are chosen using the first principle (the second principle can be added) simplified in claim 8, together with other secret parameters that require special choice, so as to ensure that the secrets of the Paillier cipher are not leaked by the private key fragments. Distributed partial decryption of ciphertext d: [equation image missing] and [equation image missing], where x is a public integer (which can also be simplified to 1). Decryption synthesis: first compute [equation image missing] and [equation image missing] and [equation image missing]; where the identification values of the t cooperating parties form a set S, and z is a public integer that is specially set (for any $i \in \{1, 2, \ldots, n\}$, z must contain every possible $P_j - P_i$ with $P_j \in S$, $j \neq i$, as a factor; $u_i$ or z may also contain other factors, which can be written as yz as in the description, the extra factors being explicitly represented by y, e.g. the tenth parameter mentioned in the description as used in the proof of correctness of the partial decryption) to ensure that an integer $u_i$ is obtained without modular arithmetic. Result of decryption synthesis: $h = L(w)/L(w') \bmod N'$, where $L(u) = (u - 1)/N'$. If necessary, monitor the computation of $L(w)$ and $L(w')$: if $(w - 1)/N'$ is not an integer, change w to $-w$ and recompute $L(w)$; if $(w' - 1)/N'$ is not an integer, change $w'$ to $-w'$ and recompute $L(w')$.
19. The t-out-of-n threshold Paillier decryption of claim 18 can be simplified when the private key setting and sharing of the Paillier cipher are unchanged but a $K' = K \times \mathrm{order}(g)$ is added to the public key as in claim 10. The simplified distributed decryption method is characterized as follows. Simplified partial decryption: compute only [equation image missing], without computing [equation image missing]. Simplified decryption synthesis: compute [equation image missing] and [equation image missing], where z is as defined in claim 18; no computation of $w'$ is required; the result of the synthesis is $h = L(w)/(xzK') \bmod N'$. During the synthesis the computation of $L(w)$ may be monitored: if $(w - 1)/N'$ is not an integer, recompute $L(w)$ after changing w to $-w$.
20. A special first-split-then-combine distributed Paillier decryption mechanism under the n-out-of-n threshold uses private key fragments for distributed decryption as follows. From the private key fragments $s_1, s_2, \ldots, s_n$ randomly selected by the cooperating parties and the complete private key $K = m\kappa$ generated by the initiator (or by all cooperating parties via multiparty computation), the public key $g = (1 + N')^{\alpha} \beta^{N'} \bmod N'^2$, [equation image missing] and $\sigma = \alpha m \kappa$ or $\sigma = \alpha m \kappa \bmod N'$ are computed, where α, β and κ are in $Z_{N'}^{*}$, and $N'$, M, $u_i$ and m are as defined in the foregoing (mainly in claim 13). For any plaintext η, the Paillier encryption algorithm is changed to: the first part of the ciphertext is [equation image missing], with r randomly selected from $Z_{N'}^{*}$; the second part of the ciphertext is $c_2 = c_1^{\mu} \bmod N'^2$. Distributed partial decryption: [equation image missing], where x is a public integer (which can also be simplified to 1). Decryption synthesis: compute [equation image missing], then $h = L(w c_2^{x}) \times \sigma \bmod N'$, monitoring the computation of $L(w c_2^{x})$; if $(w c_2^{x} - 1)/N'$ is not an integer, change $w c_2^{x}$ to $-w c_2^{x}$ and recompute $L()$. The decryption synthesis can also compute [equation image missing], with the additional exponential factor denoted by y, such as the tenth parameter mentioned in the description that is used in the verification of the correctness of the partial decryption; in that case $h = L(w c_2^{xy})/(xy\sigma) \bmod N'$.
21. The general features of the invention are: extracting secret information about the cipher from the private key fragments is not only computationally very difficult (no linear-time algorithm exists; it constitutes a computationally hard problem), but the statistically extractable secret information is also so small that it can be ignored; in the best case it is infeasible to extract secret information about the cipher from the private key fragments at all, and the amount of extractable secret information is zero. According to the private key sharing methods, whether the private key is divided into fragments by modular computation with a specially arranged $M_i$ (or simply a unified mod M) according to the first and second principles (the first principle relies mainly on the large-integer factorization problem to prevent secret information from being extracted from the private key fragments, so that statistical analysis is computationally infeasible; the second principle further strengthens security by ensuring that, statistically, no non-negligible secret information can be extracted from the private key fragments), or the private key fragments are completely independent of any secret information under the first-split-then-combine strategy, the method not only meets the requirement of computational privacy but also satisfies statistical privacy even without regard to computational hardness (e.g. when the hard problem is solvable under special conditions).
Furthermore, the two private key sharing methods not only ensure that statistical privacy leaks at most negligible secret information; even extracting that statistically negligible leakage is subject to the restriction of computational hardness. The key setup, distributed decryption and signature built on them ensure that, in the various application scenarios, extracting the distributed cipher's secret information from the private key fragments and the public information not only faces the computational barrier of hard mathematical problems but, more importantly, yields an amount of extractable secret information that is zero or statistically negligible. Not only the typical RSA and Paillier ciphers but any cipher can adopt the two threshold private key sharing methods in distributed use, so that secret information is protected from leakage. Some ciphers (including but not limited to lattice ciphers and multivariate polynomial ciphers) may even have a private key consisting of several integers, each of which may be assigned as fragments according to the first and second principles of the present invention, or each of which may be synthesized from arbitrary fragments of the cooperating parties using the first-split-then-combine strategy.
22. Aiming at the problem that secret information such as the trapdoors of the RSA and Paillier ciphers can leak through other channels and become the weakest link (the invention prevents part of the secret information from leaking from the private key fragments; if that secret information can instead leak from the public key, the public key becomes the weakest link in protecting the privacy of the whole cipher), besides controlling the amount of information that can leak from the private key fragments, similar measures can be taken to prevent secret information of the cipher (such as the approximate range of m) from leaking from the public key. It is characterized in that: the original public key information $N'$ is no longer disclosed in the key setup; instead $N = N'\rho$ is disclosed as the multiplication modulus used in encryption computation and signature verification, where ρ is also a large prime and is kept secret like the two large prime factors of $N'$. The improved result is that the measures strengthening the protection of the private key fragments and preventing secret information from being revealed have better practical effect. In addition, even in a non-distributed use environment, this improvement can be selected to strengthen the security of the cipher.
23. The two distributed methods of use of the present invention may also be employed for the threshold encryption/decryption and threshold signatures of ciphers based on the discrete logarithm problem (including but not limited to ElGamal encryption/decryption, ElGamal signatures, Schnorr signatures, DSA encryption/decryption, and the DSA signature versions on finite simple groups and elliptic curve point groups). It is characterized in that: the key is selected from a large cyclic group of secret order (e.g. the cipher is built in $Z_{N'}^{*}$, where the prime factorization of the large composite $N'$ is computationally hard, so that the order of the cyclic group serving as the key space, denoted m, is secret); when the private key fragments are then computed modulo the secret order, part of the information about the order is revealed by the fragments, destroying the security features of the cipher. In this case, key sharing is completed according to the first distributed cipher use method of the present invention, specifically characterized in that: under a general t-out-of-n threshold, the first polynomial $F(x) = a_0 + a_1 x + a_2 x^2 + \ldots + a_{t-1} x^{t-1}$ splits the private key K into $s_i = F(P_i) \bmod M_i$ for $i = 1, 2, \ldots, n$, where $a_0 = K$, $M_i$ is selected according to the first and second principles in this setting, and $a_1, a_2, \ldots, a_{t-1}$ are randomly selected from a sufficiently large set of integers (the size of this set should in principle be no smaller than $M_1, M_2, \ldots, M_n$). The specific feature of the first principle in this setting is: $M_i = k_i m$ with $k_i$ a randomly selected secret large prime. The specific feature of the second principle in this setting is: $k_i$ is set to the integer that minimizes $|k_i m - N_i|$, and the constant $N_i$ is set much larger than the multiplication modulus used for encryption or signature operations.
This method can be simplified, and the features become: the first polynomial $F(x) = a_0 + a_1 x + a_2 x^2 + \ldots + a_{t-1} x^{t-1}$ splits the private key K into $s_i = F(P_i) \bmod M$ for $i = 1, 2, \ldots, n$, where $a_0 = K$, $M = km$ with k a randomly selected secret large prime such that $|km - N|$ is minimal, and the constant N is set much larger than the multiplication modulus used for encryption or signature operations. The second distributed cipher use method of the invention adopts the special first-split-then-combine n-out-of-n threshold strategy to complete key sharing, characterized in that: the i-th cooperating party randomly selects a secret private key fragment $s_i$; the corresponding public parameters $u_1, u_2, \ldots, u_n$ are selected by each cooperating party or jointly by the relevant participants; the private key [equation image missing] and the corresponding public key (e.g. the public key is derived by raising a public base to the private key) are synthesized by a central controller (initiator) alone or by the cooperating parties via secure multiparty computation.
CN202210822947.5A 2022-07-03 2022-07-03 Method for using multiple passwords in distributed mode and related device Pending CN117394992A (en)
Publication: CN117394992A, published 2024-01-12
Legal Events
PB01 Publication
SE01 Entry into force of request for substantive examination