CN106453285B - A kind of verification method and device that secret data is shared - Google Patents

Abstract

The invention discloses verification methods and device that a kind of secret data is shared, which comprises secret data is expressed as to the secret vector of the first preset quantity block number；The random string vector of the second preset quantity is selected, and determines the shared multinomial of secret vector according to the random string vector；Identity is calculated, the sub- share vector of the third preset quantity of secret vector is calculated according to the shared multinomial and identity；Calculate shared promise to undertakeThe sub- share vector is verified according to the shared promise, determines the correctness of the sub- share vector.The present invention determines the shared multinomial of secret data by random string vector, and the sub- share vector of secret vector is obtained according to shared polynomial computation, and sub- share vector is verified by verifying formula, calculation amount and the traffic are all smaller, and computational efficiency is higher.

Description

Secret data sharing verification method and device

Technical Field

The invention relates to the technical field of information security, in particular to a secret data sharing verification method and device.

Background

Secret sharing is an important means of information security and data confidentiality, and plays a key role in the secure storage, transmission and legal utilization of important information and secret data. The basic idea of the scheme of Shamir, which is the classic of the secret sharing scheme, is to divide the shared secret S into n shares of secrets and distribute the n shares of secrets to different participants, so that only a union of t or more servers can reconstruct the shared secret, and any less than t servers cannot obtain any information of the secret. However, the Shamir scheme requires two assumptions to be assumed: one is that the secret distributor is always honest; the second is that the savers of n shares have completely equal status and rights and have completely the same security and reliability. These two assumptions are often difficult to satisfy in reality, which may cause security problems in the actual application scenario of secret sharing, and it can be verified that the concept of secret sharing is generated in such a context. Since verifiable secret sharing is the basis of an active secure secret sharing scheme and an important tool for fault tolerance in practical applications, much work is being done on the verifiable secret sharing scheme.

One of the classical verifiable secret sharing schemes is the scheme of Feldman. The Feldman scheme is based on the Shamir scheme and discrete logarithm problem, is conditionally secure for both confidentiality and verifiability of secrets, and is simpler and clearer. However, Shamir-based secret sharing schemes require computation over a finite field of order prime p, whereas in VSS schemes, a cyclic group of order prime q is found, with q being a prime factor of p-1, which increases the commitment size and does not perform well enough. The problem is researched in the prior art, but the problems are all as follows: each shared secret needs to be pre-calculated, and the authentication of the sub-secrets needs the on-line cooperation of all parties, so that the calculation amount and the communication amount are large; or the security is based on the difficulty of discrete logarithm, in order to prevent the fraud between the participants, an interactive authentication protocol needs to be executed, and the calculation amount is very large; or a multiple secret sharing scheme is adopted, but the scheme has the defects of large calculation amount of a distributor, low efficiency and the like.

Disclosure of Invention

The invention provides a secret data sharing verification method and device, which solve the problems of large calculation amount and communication amount, low efficiency and the like in the verification protocol of the existing secret data sharing method.

In a first aspect, the present invention provides a secret data sharing verification method, including:

dividing the secret data into equal-length secret vectors expressed as a first preset number of blocks;

selecting a second preset number of random character string vectors, and determining a shared polynomial of secret data according to the random character string vectors;

calculating identity identifiers, and calculating to obtain a third preset number of sub-share vectors of secret vectors according to the identity identifiers and the sharing polynomial;

computing shared commitments

Verifying the sub-share vectors according to the sharing commitments, and determining the correctness of the sub-share vectors; wherein i and j are non-negative integers, i is more than or equal to 0 and less than or equal to p-1, and j is more than or equal to 0 and less than or equal to t-1; p is a positive integer, and p-1 is the first preset number; t is a positive integer, and t-1 is the second preset number; r is_i,jIs a component of the random string vector,a generator for the cyclic group; q is the order of the cyclic group and is a sufficiently large, publicable prime number.

Preferably, the method further comprises the following steps:

and carrying out secret reconstruction on at least fourth preset number of sub-share vectors according to the reconstruction expression to obtain the secret data.

Preferably, the sharing polynomial f (x) is:

wherein x represents an argument of the sharing polynomial,respectively are t-1 random character string vectors, t is a positive integer, and t-1 represents the second preset number;representing the secret data.

Preferably, the third preset number of sub-share vectorsComprises the following steps:

wherein m is a positive integer; p is a positive integer, and p-1 represents the first preset number; y is_0，m,…,y_p-2，mRespectively, the subelements of the sub-share vector, n representing a third preset number.

Preferably, the reconstructed expressionComprises the following steps:

wherein,BottomBlockRowfof () represents fetching a block matrixThe last row of block row vectors;representing the at least a fourth preset number of sub-share vectors; lambda [ alpha ]₀，λ₁，……λ_t-1Is a positive integer and represents a subscript of t sub-shares, optionally from the sub-shares; t is a positive integer, and t represents the fourth preset number.

In a second aspect, the present invention further provides a secret data sharing verification apparatus, including:

the data dividing module is used for dividing the secret data into equal-length secret vectors which are expressed as a first preset number of blocks;

the polynomial determining module is used for selecting random character string vectors of a second preset number and determining a shared polynomial of secret data according to the random character string vectors;

the vector calculation module is used for calculating the identity and calculating a third preset number of sub-share vectors of the secret vector according to the identity and the sharing polynomial;

a commitment calculation module for calculating shared commitments

A vector verification module, configured to verify the sub-share vectors according to the sharing commitments, and determine correctness of the sub-share vectors;

wherein i and j are non-negative integers, i is more than or equal to 0 and less than or equal to p-1, and j is more than or equal to 0 and less than or equal to t-1; p is a positive integer, and p-1 is the first preset number; t is a positive integer, t-1 is the second preset number; r is_i,jIs a component of the random string vector,a generator for the cyclic group; q is the order of the cyclic group and is a sufficiently large, publicable prime number.

Preferably, the method further comprises the following steps:

and the secret reconstruction module is used for carrying out secret reconstruction on the sub-share vectors of at least a fourth preset number according to the reconstruction expression to obtain the secret data.

Preferably, the shared polynomial f (x) in the polynomial determining module is:

wherein x represents an argument of the sharing polynomial,respectively are t-1 random character string vectors, t is a positive integer, and t-1 represents the second preset number;representing the secret data.

Preferably, the third preset number of sub-share vectors in the vector calculation moduleComprises the following steps:

wherein m is a positive integer; p is a positive integer, and p-1 represents the first preset number; y is_0,m,…,y_p-2,mRespectively, the subelements of the sub-share vector, n representing a third preset number.

Preferably, said reconstruction expression in said secret reconstruction moduleComprises the following steps:

wherein,BottomBlockRowfof () represents fetching a block matrixThe last row of block row vectors;a third preset number of sub-share vectors representing the at least fourth preset number; lambda [ alpha ]₀，λ₁，……λ_t-1Is a positive integer and represents a subscript of t sub-shares, optionally from the sub-shares; t is a positive integer, and t represents the fourth preset number.

According to the technical scheme, the shared polynomial of the secret data is determined through the random character string vector, the sub-share vector of the secret vector is obtained through calculation according to the shared polynomial, the sub-share vector is verified through the verification formula, the calculated amount and the communication amount are small, and the calculation efficiency is high.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.

Fig. 1 is a schematic flowchart of a secret data sharing verification method according to an embodiment of the present invention;

FIG. 2 is a flow diagram of an updatable (t, n) threshold secret sharing scheme for computational security provided by an embodiment of the present invention;

FIG. 3 is a diagram of a model of a (t, n) threshold secret sharing scheme according to an embodiment of the present invention;

FIG. 4 is a geometric description of a (t, n) threshold secret sharing process on a group according to an embodiment of the present invention;

fig. 5 is a schematic structural diagram of a secret data sharing verification apparatus according to an embodiment of the present invention.

Detailed Description

The following further describes embodiments of the invention with reference to the drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.

Fig. 1 is a flowchart illustrating a secret data sharing verification method according to an embodiment of the present invention, including:

s1, dividing the secret data into equal-length secret vectors which are expressed as a first preset number of blocks;

s2, selecting a second preset number of random character string vectors, and determining a shared polynomial of secret data according to the random character string vectors;

s3, calculating identity identifiers, and calculating to obtain a third preset number of sub-share vectors of the secret vectors according to the identity identifiers and the shared polynomial;

s4, calculating sharing commitments

S5, verifying the sub-share vectors according to the sharing commitments, and determining the correctness of the sub-share vectors;

wherein i and j are non-negative integers, i is more than or equal to 0 and less than or equal to p-1, and j is more than or equal to 0 and less than or equal to t-1; p is a positive integer, and p-1 is the first preset number; t is a positive integer, and t-1 is the second preset number; r is_i,jIs a component of the random string vector,a generator for the cyclic group; q is the order of the cyclic group and is a sufficiently large, publicable prime number. .

In the embodiment, the shared polynomial of the secret data is determined through the random character string vector, the sub-share vector of the secret vector is obtained through calculation according to the shared polynomial, and the sub-share vector is verified through the verification formula, so that the calculation amount and the communication amount are small, and the calculation efficiency is high.

Further, the method further comprises:

and S6, performing secret reconstruction on at least fourth preset number of sub-share vectors according to the reconstruction expression to obtain the secret data.

Secret data can be quickly and correctly recovered by reconstructing the secret through the reconstruction expression.

Specifically, the sharing polynomial f (x) is:

wherein x represents the self of the sharing polynomialThe variables are the variables of the process,respectively are t-1 random character string vectors, t is a positive integer, and t-1 represents the second preset number;representing the secret data.

By adopting the sharing polynomial shown in the formula I, the calculation amount can be reduced, and the calculation efficiency can be improved.

Further, the third preset number of sub-share vectorsComprises the following steps:

wherein m is a positive integer; p is a positive integer, and p-1 represents the first preset number; y is_0,m,…,y_p-2,mRespectively, the subelements of the sub-share vector, n representing a third preset number.

By using the sub-share vector shown in equation two, the amount of communication between the dealer and the member can be reduced.

Further, the reconstructed expressionComprises the following steps:

wherein,BottomBlockRowof() Representing a partitioning matrixThe last row of block row vectors;representing the at least a fourth preset number of sub-share vectors; lambda [ alpha ]₀，λ₁，……λ_t-1Is a positive integer and represents a subscript of t sub-shares, optionally from the sub-shares; t is a positive integer, and t represents the fourth preset number.

By adopting the reconstruction expression shown in formula three, the amount of calculation can be reduced.

The verification method for secret data sharing provided by the embodiment is similar to the scheme of Feldman, combines threshold secret sharing on a group with a discrete logarithm problem, can achieve computational security for confidentiality and verifiability of secret information, improves computational efficiency, reduces commitment size, and is more suitable for data storage with large data volume.

For example, fig. 2 and fig. 3 show a flowchart and a model diagram of an updatable (t, n) threshold secret sharing scheme for computational security provided by the present embodiment, respectively; suppose there is a dealer D who needs to be at n participants U ═ U₁,…U_nThe shared secret S between the participants can only be recovered when t or more than t participants join together, and any combination of less than t participants cannot obtain any information about the secret. The specific scheme consists of 4 subprotocols: system initialization, secret distribution protocol, verification protocol of child share vectors, and secret reconstruction protocol.

A1, system initialization

A11, the dealer defines and publishes a large enough prime number q, a cyclic group G with the order of q is defined, and G is a generator of G;

a12, defining a limited exchange group The order being an integer0 is its generator;

a13, finding a prime number p (not less than n), andredefining a vector space[0,…0]^TTo generate an element, the results of scalar operations thereon all fall onThe above.

A2 secret distribution protocol

A21, dividing the secret S into p-1 blocks with equal length, and recording asSelecting t-2 random string vectorsWherein

A22, the dealer selects a secret sharing polynomial:

order toThe sub-share vector can be calculated by formula two

Wherein,as participant P_mAnd is defined as:0≤m≤p-1

for example, when p is 5,

the secret sharing process described above is represented in matrix form as follows:

wherein,

for example, k is 3, n is 4, and p is 5, as exemplified aboveAnd H_n×tCan be defined as H_4×3The following were used:

from the secret shared matrix representation, equation four, to calculate the sub-share vectorFor example, there are:

thus, from the matrix representation of the secret sharing, a geometrical description of the scheme can be obtained, as shown in fig. 4. As can be seen from the geometric description, the sub-share vectors are calculatedThe mathematical expression of (a) is:

wherein i is more than or equal to 0 and less than or equal to p-2, j is more than or equal to 0 and less than or equal to t-1, r_i,t-1＝s_i，r_p-1,j＝0。

A23 secret sharing vector of dealerFor U_m(0≤m≤n-1)；

A24, dealer's use awayThe scatter logarithm makes the promise of calculating(i is more than or equal to 0 and less than or equal to p-1, j is more than or equal to 0 and less than or equal to t-1), wherein r_i,t-1＝s_i，r_p-1,j0 and broadcast to U_m(0≤m≤n-1)。

A3 verification protocol of sub-share vectors

U_mReceived sub-share vectorAnd A_i,jThe correctness of the sub-share vectors can then be verified by equation six:

wherein i is more than or equal to 0 and less than or equal to p-2.

The correctness of equation six is explained below:

formula five according to the geometric description of secret sharing and A in step A24_i,jThe calculation of (a) can be:

a4 secret reconstruction protocol

When at least t members U_λ(λ ∈ B, and | B ≧ t) providing their child share vectorsThereafter, secret reconstruction can be performed using equation (4) (here, t sub-share vectors are taken as an example):

wherein,

V_k×kis based on t shadow secret vectorsFrom H_n×tTaking out a square matrix composed of t corresponding row vectors, wherein

Thus, the secret can be reconstructed

This embodiment modulo adds the integer number to the groupThe efficient secret sharing scheme is combined with the discrete logarithm problem, and has the following beneficial effects:

based on a group high-efficiency threshold secret sharing scheme, the sharing and reduction efficiency can reach the highest theoretical efficiency;

the secret vector generation process can be obtained through visual and intuitive geometric expression, so that a calculation basis is provided for a verifiable threshold secret sharing scheme;

computable security (conditional security) can be achieved for the confidentiality and verifiability of secret information;

committed size of eachRequiring only commitments of | q | bitsSmaller than the committed size of the Feldman program;

each element requires 1 exponential operation andthe calculation efficiency of the scheme is 1 exponential operation and t-1 multiplication operation, so that the scheme is higher in calculation efficiency when applied to secret sharing of large data volume.

Fig. 5 shows a schematic structural diagram of a secret data sharing verification apparatus provided in this embodiment, the apparatus includes a data dividing module 11, a polynomial determining module 12, a vector calculating module 13, and a vector verifying module 14; wherein,

the data dividing module 11 is configured to divide the secret data into equal-length secret vectors represented as a first preset number of blocks;

the polynomial determining module 12 is configured to select a second preset number of random string vectors, and determine a shared polynomial of secret data according to the random string vectors;

the vector calculation module 13 is configured to calculate an identity, and calculate a third preset number of sub-share vectors of the secret vector according to the identity and the shared polynomial;

a commitment calculation module 14 for calculating shared commitments

The vector verification module 15 is configured to verify the sub-share vectors according to the sharing commitments, and determine correctness of the sub-share vectors;

wherein i, j is a non-negative integer (0)I is more than or equal to p-1, j is more than or equal to 0 and less than or equal to t-1); p is a positive integer, and p-1 is the first preset number; t is a positive integer, and t-1 is the second preset number; r is_i,jIs a component of the random string vector,a generator for the cyclic group; q is the order of the cyclic group and is a sufficiently large, publicable prime number.

Specifically, the data dividing module 11 divides the secret data into equal-length secret vectors expressed as a first preset number of blocks; the polynomial determining module 12 selects a second preset number of random string vectors, and determines a shared polynomial of secret data according to the random string vectors; the vector calculation module 13 calculates a sub-share vector of the secret vector according to the sharing polynomial; the commitment calculation module 14 calculates shared commitmentsThe vector verification module 15 verifies the sub-share vectors according to the sharing commitments, and determines the correctness of the sub-share vectors.

In the embodiment, the shared polynomial of the secret data is determined through the random character string vector, the sub-share vector of the secret vector is obtained through calculation according to the shared polynomial, and the sub-share vector is verified through the verification formula, so that the calculation amount and the communication amount are small, and the calculation efficiency is high.

Further, the apparatus further comprises:

and the secret reconstruction module 16 is configured to perform secret reconstruction on at least fourth preset number of sub-share vectors according to the reconstruction expression to obtain the secret data.

Specifically, the shared polynomial f (x) in the polynomial determining module is:

wherein x represents an argument of the sharing polynomial,respectively are t-1 random character string vectors, t is a positive integer, and t-1 represents the second preset number;representing the secret data.

Further, the third preset number of sub-share vectors in the vector calculation moduleComprises the following steps:

wherein m is a positive integer; p is a positive integer, and p-1 represents the first preset number; y is_0,m,…,y_p-2,mRespectively, the vector quantities of the sub-share vectors.

Further, the reconstruction expression in the secret reconstruction moduleComprises the following steps:

wherein,BottomBlockRowfof () represents fetching a block matrixThe last row of block row vectors;representing the at least a fourth preset number of sub-share vectors; lambda [ alpha ]₀，λ₁，……λ_t-1Is a positive integer and represents a subscript of t sub-shares, optionally from the sub-shares; t is a positive integer, and t represents the fourth preset number.

The verification apparatus for secret data sharing described in this embodiment may be used to implement the above method embodiments, and the principle and technical effect are similar, and are not described herein again.

In the description of the present invention, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.

Claims (6)

1. A method of verifying secret data sharing, comprising:

dividing the secret data into equal-length secret vectors expressed as a first preset number of blocks;

selecting a second preset number of random character string vectors, and determining a shared polynomial of secret data according to the random character string vectors;

calculating identity identifiers, and calculating to obtain a third preset number of sub-share vectors of secret vectors according to the identity identifiers and the sharing polynomial;

computing shared commitments

Verifying the sub-share vectors according to the sharing commitments, and determining the correctness of the sub-share vectors;

wherein i and j are non-negative integers, i is more than or equal to 0 and less than or equal to p-1, and j is more than or equal to 0 and less than or equal to t-1; p is a positive integer, and p-1 is the first preset number; t is a positive integer, and t-1 is the second preset number; r is_i,jIs a component of the random string vector,a generator for the cyclic group; q is the order of the cyclic group and is a public prime number;

the sharing polynomial f (x) is:

wherein x represents an argument of the sharing polynomial,respectively are t-1 random character string vectors, t is a positive integer, and t-1 represents the second preset number;representing the secret data;

the third preset number of sub-share vectorsComprises the following steps:

wherein m is a positive integer, and m is more than or equal to 0 and less than or equal to n-1; y is_0,m,…,y_p-2,mRespectively, the subelements of the sub-share vector, n representing a third preset number.

2. The method of claim 1, further comprising:

and carrying out secret reconstruction on at least fourth preset number of sub-share vectors according to the reconstruction expression to obtain the secret data.

3. The method of claim 2, wherein the reconstructed expression isComprises the following steps:

wherein,BottomBlockRowfof () represents fetching a block matrixThe last row of block row vectors;representing the at least a fourth preset number of sub-share vectors; lambda [ alpha ]₀，λ₁，……λ_t-1Is a positive integer and represents a subscript of t sub-shares, optionally from the sub-shares; t represents the fourth preset number;to representp-1 is the first predetermined number,0≤m≤p-1，

4. an apparatus for verifying secret data sharing, comprising:

the data dividing module is used for dividing the secret data into equal-length secret vectors which are expressed as a first preset number of blocks;

the polynomial determining module is used for selecting random character string vectors of a second preset number and determining a shared polynomial of secret data according to the random character string vectors;

the vector calculation module is used for calculating the identity and calculating a third preset number of sub-share vectors of the secret vector according to the identity and the shared polynomial;

a commitment calculation module for calculating shared commitments

A vector verification module, configured to verify the sub-share vectors according to the sharing commitments, and determine correctness of the sub-share vectors;

wherein i and j are non-negative integers, i is more than or equal to 0 and less than or equal to p-1, and j is more than or equal to 0 and less than or equal to t-1; p is a positive integer, and p-1 is the first preset number; t is a positive integer, and t-1 is the second preset number; r is_i,jIs a component of the random string vector,a generator for the cyclic group; q is the order of the cyclic group and is a public prime number;

the sharing polynomial f (x) is:

wherein x represents an argument of the sharing polynomial,respectively are t-1 random character string vectors, t is a positive integer, and t-1 represents the second preset number;representing the secret data;

the third preset number of sub-share vectorsComprises the following steps:

wherein m is a positive integer, and m is more than or equal to 0 and less than or equal to n-1; y is_0,m,…,y_p-2,mRespectively, the subelements of the sub-share vector, n representing a third preset number.

5. The apparatus of claim 4, further comprising:

and the secret reconstruction module is used for carrying out secret reconstruction on the sub-share vectors of at least a fourth preset number according to the reconstruction expression to obtain the secret data.

6. The apparatus of claim 5, wherein the reconstruction expression in the secret reconstruction moduleComprises the following steps:

wherein,BottomBlockRowfof () represents fetching a block matrixThe last row of block row vectors;representing the at least a fourth preset number of sub-share vectors; lambda [ alpha ]₀，λ₁，……λ_t-1Is a positive integer and represents a subscript of t sub-shares, optionally from the sub-shares; t represents the fourth preset number;to representp-1 is the first predetermined number,0≤m≤p-1，