CN108964906A - Digital signature method for co-ECC - Google Patents


Info

Publication number
CN108964906A
Authority
CN
China
Prior art keywords
participant
signature
share
ciphertext
factor
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810796674.5A
Other languages
Chinese (zh)
Other versions
CN108964906B (en
Inventor
卢伟龙
张永强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Authentication Technology Co Ltd
Age Of Security Polytron Technologies Inc
Original Assignee
Guangdong Authentication Technology Co Ltd
Age Of Security Polytron Technologies Inc
Application filed by Guangdong Authentication Technology Co Ltd, Age Of Security Polytron Technologies Inc
Priority to CN201810796674.5A
Publication of CN108964906A
Application granted
Publication of CN108964906B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

This application discloses a digital signature method for co-ECC. In one embodiment, the method includes: the first participant computes the digest of the data to be signed, obtains the data digest, and sends a first message carrying the data digest to the second participant; the second participant receives the first message and performs a synthesis based on the second participant signature share of the second participant and the data digest, obtaining the first participant signature share ciphertext; the second participant sends a second message carrying the first participant signature share ciphertext to the first participant; the first participant decrypts the first participant signature share ciphertext and obtains the first participant signature share. This embodiment avoids multiple rounds of data exchange and computation, reducing the complexity of communication and computation.

Description

Digital signature method for co-ECC
Technical field
This application relates to the technical field of cryptography, and in particular to a digital signature method for co-ECC.
Background
Collaborative computing is a common computation model in contemporary distributed networks: mutually untrusting participants in a network need to jointly compute a task agreed by all parties without revealing their own secrets, which provides the core functions of secure multi-party computation such as privacy and correctness. Collaborative signing, based on the idea of collaborative computing, has become the core way of providing unforgeability in collaborative computing. ECDSA, an internationally recognized elliptic curve digital signature algorithm, is widely used worldwide and provides the core properties of digital signatures: integrity, verifiability and non-repudiation. However, in certain application scenarios, to ensure the fairness and collaborative nature of the signing process, ECDSA signature data must be generated jointly by multiple cooperating parties, and the process must be private, correct and efficient. Traditional solutions generally suffer from high communication and computation complexity among the participants.
Summary of the invention
Based on this, it is necessary to provide a digital signature method for co-ECC.
A digital signature method for co-ECC, comprising:
The first participant computes the digest of the data to be signed, obtains the data digest, and sends a first message to the second participant; the first message carries the data digest;
The second participant receives the first message and performs a synthesis based on the second participant signature share of the second participant and the data digest, obtaining the first participant signature share ciphertext;
The second participant sends a second message to the first participant; the second message carries the first participant signature share ciphertext;
The first participant decrypts the first participant signature share ciphertext and obtains the first participant signature share.
In the scheme of the embodiment described above, after the first participant obtains the data digest of the data to be signed, the second participant obtains the first participant signature share ciphertext by synthesis, based on the data digest and the second participant signature share, and sends it to the first participant. The computation is carried out through a cryptosystem with a homomorphic property, which avoids multiple rounds of data exchange and computation and reduces the complexity of communication and computation.
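The four steps above, run end to end as an added example (not code from the patent): the page gives no formulas at this point, so the sketch assumes multiplicative sharing (one of the options the description names), Paillier as the homomorphic cryptosystem, and the widely published Paillier-based two-party ECDSA construction, with secp256k1 and SHA-256 as stand-ins. All function names are hypothetical, the Paillier primes are public Mersenne primes, and the proofs of knowledge are omitted.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve choice is an assumption of this example).
FP = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(P, Q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def ec_mul(k, P):
    """Double-and-add scalar multiplication (not constant time)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

# Toy Paillier key held by the first participant. Both primes are public
# Mersenne primes, so this key is for demonstration only.
PP, PQ = 2**521 - 1, 2**607 - 1
N, PHI = PP * PQ, (PP - 1) * (PQ - 1)
N2 = N * N

def enc(m):
    """Paillier encryption with g = N + 1."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + m * N) * pow(r, N, N2) % N2

def dec(c):
    """Paillier decryption; needs PHI, known only to the first participant."""
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N

def rand_scalar():
    return secrets.randbelow(ORDER - 1) + 1

def p1_first_message(data, d1, k1):
    """First message: digest, first public key share, first temporary public key share."""
    e = int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER
    return e, ec_mul(d1, G), ec_mul(k1, G)

def p2_synthesize(e, Q1, R1, c_d1, d2, k2):
    """Build Enc(k2^-1 * (e + r*d1*d2)) homomorphically, without ever seeing d1."""
    Q = ec_mul(d2, Q1)                    # complete public key = d2 * Q1
    R = ec_mul(k2, R1)                    # complete temporary public key = k2 * R1
    r = R[0] % ORDER                      # derived from the complete temporary key
    k2_inv = pow(k2, -1, ORDER)
    rho = secrets.randbelow(ORDER ** 2)   # rho * ORDER masks the integer plaintext
    c_const = enc(k2_inv * e % ORDER + rho * ORDER)
    c_key = pow(c_d1, k2_inv * r * d2 % ORDER, N2)   # Enc(d1 * k2^-1 * r * d2)
    return Q, r, c_const * c_key % N2     # ciphertext product = plaintext sum

def p1_finish(c_share, k1):
    """Decrypt the share ciphertext and remove the first participant's k1 factor."""
    return pow(k1, -1, ORDER) * dec(c_share) % ORDER

def ecdsa_verify(Q, e, r, s):
    """Ordinary ECDSA verification against the complete public key."""
    if not (0 < r < ORDER and 0 < s < ORDER):
        return False
    w = pow(s, -1, ORDER)
    X = ec_add(ec_mul(e * w % ORDER, G), ec_mul(r * w % ORDER, Q))
    return X is not None and X[0] % ORDER == r

def cosign(data):
    """Run both roles in one process; returns (Q, e, r, s)."""
    d1, k1 = rand_scalar(), rand_scalar()     # first participant's secrets
    d2, k2 = rand_scalar(), rand_scalar()     # second participant's secrets
    c_d1 = enc(d1)                            # first private key share ciphertext
    e, Q1, R1 = p1_first_message(data, d1, k1)
    Q, r, c_share = p2_synthesize(e, Q1, R1, c_d1, d2, k2)   # second message
    return Q, e, r, p1_finish(c_share, k1)

if __name__ == "__main__":
    Q, e, r, s = cosign(b"constructed sample document")
    print("signature verifies:", ecdsa_verify(Q, e, r, s))
```

The resulting (r, s) verifies as a normal single-key ECDSA signature, which is why the verifier needs no knowledge of the split; without the proofs of knowledge described later, a participant could submit a malformed ciphertext unnoticed.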
Description of the drawings
Fig. 1 is a flow diagram of the co-ECC digital signature method in one embodiment;
Fig. 2 is a flow diagram of obtaining the first participant signature share ciphertext in one embodiment;
Fig. 3 is a flow diagram of obtaining the first participant signature share ciphertext in another embodiment;
Fig. 4 is an interaction flow diagram of the co-ECC digital signature method in one embodiment;
Fig. 5 is an interaction flow diagram of the co-ECC digital signature method in another embodiment.
Detailed description
To make the objects, technical solutions and advantages of the application clearer, the application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the application and do not limit it.
As shown in Fig. 1, the co-ECC digital signature method in one embodiment includes the following steps S11 to S14.
Step S11: The first participant computes the digest of the data to be signed, obtains the data digest, and sends a first message to the second participant; the first message carries the data digest.
The data to be signed is the data that the participants need to sign; the data digest of the data to be signed may be computed in any feasible way.
In one embodiment, the first message may also carry the first public key share held by the first participant and the first temporary public key share held by the first participant. The first public key share held by the first participant and the second public key share held by the second participant together make up the complete public key of the key pair. The first participant and the second participant may share the complete public key additively, i.e. the complete public key is the sum of the first public key share and the second public key share. They may also share the complete public key multiplicatively, i.e. the complete public key is the product of the first public key share and the second private key share. They may also share the complete public key in other ways; this embodiment places no specific limit on this. The first participant and the second participant share the complete temporary public key in a similar way: they may share it additively, or they may share it multiplicatively.
Correspondingly, the first participant holds the first private key share and the second participant holds the second private key share; the first private key share and the second private key share together make up the complete private key of the key pair. The first participant and the second participant may share the complete private key additively, multiplicatively, or in other ways.
Step S12: The second participant receives the first message and performs a synthesis based on the second participant signature share of the second participant and the data digest, obtaining the first participant signature share ciphertext.
In one embodiment, where the first message also carries the first public key share and the first temporary public key share held by the first participant, the second participant also obtains the complete public key based on the first public key share and the second private key share held by the second participant, and obtains the complete temporary public key based on the first temporary public key share and the second temporary private key share held by the second participant.
In one embodiment, the second participant obtaining the complete public key based on the first public key share and the second private key share held by the second participant may include: the second participant determines the second public key share held by the second participant based on the second private key share it holds; the second participant obtains the complete public key based on the first public key share and the second public key share. The second participant obtaining the complete temporary public key based on the first temporary public key share and the second temporary private key share held by the second participant may include: the second participant determines the second temporary public key share held by the second participant based on the second temporary private key share it holds; the second participant obtains the complete temporary public key based on the first temporary public key share and the second temporary public key share.
Where the first participant and the second participant share the complete public key additively, the complete public key is the sum of the first public key share and the second public key share; where they share it multiplicatively, the complete public key is the product of the first public key share and the second private key share. The first participant and the second participant may also share the complete public key in other ways; this embodiment places no specific limit on this. Similarly, depending on whether the first participant and the second participant share the complete temporary public key multiplicatively or additively, the complete temporary public key may be the product of the first temporary public key share and the second temporary private key share, or the sum of the first temporary public key share and the second temporary public key share.
In one embodiment, after synthesizing the complete public key, the second participant also generates an ECC digital certificate corresponding to the complete public key. The second participant may compute the second participant signature share based on the complete temporary public key.
In one embodiment, after the second participant receives the first message, and before the second participant performs the synthesis based on the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest, the method may further include the step:
The second participant and the first participant jointly execute the proof and verification of a proof-of-knowledge protocol for the first participant signature parameter ciphertext.
In one embodiment, the first participant may determine the first participant signature parameter ciphertext before the proof and verification of the above proof-of-knowledge protocol is executed, and may transfer the determined first participant signature parameter ciphertext to the second participant. The first participant may transfer the first participant signature parameter ciphertext to the second participant in any feasible way.
In a specific embodiment of the application, the first participant may determine the first participant signature parameter ciphertext during the execution of the proof of the above proof-of-knowledge protocol.
The first participant signature parameter ciphertext may be determined in various feasible ways.
In one embodiment, the first participant signature parameter ciphertext may include: the first private key share ciphertext obtained by encrypting the first private key share, and the first temporary private key share ciphertext obtained by encrypting the first temporary private key share.
In this case, the second participant and the first participant jointly executing the proof and verification of the proof-of-knowledge protocol for the first participant signature parameter ciphertext may include:
The second participant and the first participant jointly execute the proof and verification of the proof-of-knowledge protocol for the first private key share ciphertext;
The second participant and the first participant jointly execute the proof and verification of the proof-of-knowledge protocol for the first temporary private key share ciphertext.
The proof and verification of the proof-of-knowledge protocols for the first private key share ciphertext and for the first temporary private key share ciphertext may be executed in either order, serially or in parallel.
In one embodiment, the proof and verification of the proof-of-knowledge protocol for the first private key share ciphertext may be completed based on a proof-of-plaintext-knowledge protocol. Specifically, it may be completed through interaction between the first participant and the second participant. In this case, the second participant and the first participant jointly executing the proof and verification of the proof-of-knowledge protocol for the first private key share ciphertext includes:
The first participant computes the first private key share ciphertext based on the first private key share, computes the first participant commitment, and sends a first proof message to the second participant; the first proof message includes the first private key share ciphertext and the first participant commitment;
The second participant receives the first proof message, selects the second participant challenge, and sends the second participant challenge to the first participant;
The first participant receives the second participant challenge, computes the first response and the second response based on the second participant challenge, and sends a second proof message to the second participant; the second proof message includes the first response and the second response;
The second participant receives the second proof message, and when the second proof message and the first proof message satisfy a predetermined mathematical relation, the process of proof and verification is complete.
In one embodiment, the number of interactions may also be reduced, on the basis of the above proof-of-plaintext-knowledge protocol, to complete the proof and verification of the proof-of-knowledge protocol for the first private key share ciphertext. In this case, the second participant and the first participant jointly executing the proof and verification of the proof-of-knowledge protocol for the first private key share ciphertext includes:
The first participant computes the first private key share ciphertext based on the first private key share, and computes the first participant commitment;
The first participant computes the first participant challenge, computes the third response and the fourth response based on the first participant challenge, and sends a proof message to the second participant; the proof message includes the first private key share ciphertext, the first participant commitment, the third response and the fourth response;
The second participant computes the second participant challenge and, based on the second participant challenge, verifies the first private key share ciphertext, the first participant commitment, the third response and the fourth response; when they satisfy a predetermined mathematical relation, the process of proof and verification is complete.
The process by which the second participant and the first participant jointly execute the proof and verification of the proof-of-knowledge protocol for the first temporary private key share ciphertext is similar to the process for the first private key share ciphertext, and is not repeated here.
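An added sketch (not the patent's own protocol) of the commit, challenge, response exchange above and of its reduced-interaction variant. It assumes Paillier ciphertexts and uses a textbook sigma protocol for plaintext knowledge as the "predetermined mathematical relation"; deriving the challenge by hashing in the second variant is likewise an assumption. Function names are hypothetical and the modulus is built from public Mersenne primes.

```python
import hashlib
import secrets

# Toy Paillier modulus built from two public Mersenne primes (demonstration only).
N = (2**521 - 1) * (2**607 - 1)
N2 = N * N
CHALLENGE_BITS = 128   # must stay below the bit length of N's smallest prime factor

def encrypt(m, r):
    """Paillier encryption with g = N + 1 and explicit randomness r."""
    return (1 + m * N) * pow(r, N, N2) % N2

def rand_unit():
    return secrets.randbelow(N - 1) + 1

def commit():
    """Prover: commitment a = Enc(x; u) for fresh secret x and u."""
    x, u = secrets.randbelow(N), rand_unit()
    return (x, u), encrypt(x, u)

def respond(m, r, state, e):
    """Prover: two responses that open a * c^e without revealing m or r."""
    x, u = state
    return (x + e * m) % N, u * pow(r, e, N) % N

def check(c, a, e, w, z):
    """Verifier: accept iff Enc(w; z) == a * c^e (mod N^2)."""
    if not (0 <= w < N and 0 < z < N):
        return False
    return encrypt(w, z) == a * pow(c, e, N2) % N2

def hash_challenge(c, a):
    """Challenge bound to the modulus, ciphertext and commitment."""
    data = b"|".join(str(v).encode() for v in (N, c, a))
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:CHALLENGE_BITS // 8], "big")

def interactive_proof(m):
    """Three-move exchange; returns the verifier's decision."""
    r = rand_unit()
    c = encrypt(m, r)
    state, a = commit()                          # first proof message: (c, a)
    e = secrets.randbelow(2 ** CHALLENGE_BITS)   # second participant's challenge
    w, z = respond(m, r, state, e)               # second proof message: (w, z)
    return check(c, a, e, w, z)

def prove_once(m):
    """Single proof message (c, a, w, z); the prover derives the challenge itself."""
    r = rand_unit()
    c = encrypt(m, r)
    state, a = commit()
    w, z = respond(m, r, state, hash_challenge(c, a))
    return c, a, w, z

def verify_once(c, a, w, z):
    """Verifier recomputes the challenge from the message, then checks the relation."""
    return check(c, a, hash_challenge(c, a), w, z)

if __name__ == "__main__":
    print("interactive:", interactive_proof(123456789))
    print("single message:", verify_once(*prove_once(42)))
```

Because the hash covers the ciphertext and the commitment, a proof message cannot be replayed for a different ciphertext: changing `c` changes the recomputed challenge and the relation no longer holds.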
In one embodiment, the first participant signature parameter ciphertext includes: the first participant signature factor ciphertext obtained by encrypting the first participant signature factor generated by the first participant. The number of first participant signature factors may be set according to actual needs; in one embodiment, the first participant signature factors include the first signature factor and the third signature factor generated by the first participant. In this case, the first participant signature factor ciphertext includes: the first signature factor ciphertext obtained by encrypting the first signature factor, and the third signature factor ciphertext obtained by encrypting the third signature factor.
The first signature factor and the third signature factor may be generated in various feasible ways. In one embodiment, the first participant may compute the first signature factor based on the first temporary private key share, and compute the third signature factor based on the first temporary private key share and the first private key share. In another embodiment, after the first participant selects a blinding factor (called the second blinding factor in this embodiment), the first participant computes the first signature factor based on the first temporary private key share and the second blinding factor, and computes the third signature factor based on the first temporary private key share, the first private key share and the second blinding factor.
In this case, the second participant and the first participant jointly executing the proof and verification of the proof-of-knowledge protocol for the first participant signature parameter ciphertext may include:
The second participant and the first participant jointly execute the proof and verification of the proof-of-knowledge protocol for the first signature factor ciphertext;
The second participant and the first participant jointly execute the proof and verification of the proof-of-knowledge protocol for the third signature factor ciphertext.
The proof and verification of the proof-of-knowledge protocols for the first signature factor ciphertext and for the third signature factor ciphertext may be executed in either order, serially or in parallel.
Taking the first signature factor ciphertext as an example, the second participant and the first participant jointly executing the proof and verification of the proof-of-knowledge protocol for the first signature factor ciphertext may include:
The second participant and the first participant jointly execute the proof and verification of the zero-element proof-of-knowledge protocol for the first signature factor ciphertext;
The second participant and the first participant jointly execute the proof and verification of the proof-of-plaintext-knowledge protocol for the first signature factor ciphertext.
In one embodiment, when the second participant and the first participant jointly execute the proof and verification of the zero-element proof-of-knowledge protocol for the first signature factor ciphertext, the proof and verification may specifically be completed through interaction between the first participant and the second participant. In this case, the second participant and the first participant jointly executing the proof and verification of the zero-element proof-of-knowledge protocol for the first signature factor ciphertext includes:
The first participant computes the first signature factor ciphertext, computes the first participant commitment, and sends a first proof message to the second participant; the first proof message includes the first signature factor ciphertext and the first participant commitment;
The second participant receives the first proof message, selects the second participant challenge, and sends the second participant challenge to the first participant;
The first participant receives the second participant challenge, computes the fifth response based on the second participant challenge, and sends a second proof message to the second participant; the second proof message includes the fifth response;
The second participant receives the second proof message, and when the second proof message and the first proof message satisfy a predetermined mathematical relation, the process of proof and verification is complete.
In one embodiment, the number of interactions may also be reduced, on the basis of the above zero-element proof-of-knowledge protocol, to complete the proof and verification of the proof-of-knowledge protocol for the first signature factor ciphertext. In this case, the second participant and the first participant jointly executing the proof and verification of the zero-element proof-of-knowledge protocol for the first signature factor ciphertext includes:
The first participant computes the first signature factor ciphertext, and computes the first participant commitment;
The first participant computes the first participant challenge, computes the sixth response based on the first participant challenge, and sends a proof message to the second participant; the proof message includes the first signature factor ciphertext, the first participant commitment and the sixth response;
The second participant computes the second participant challenge and, based on the second participant challenge, verifies the first signature factor ciphertext, the first participant commitment and the sixth response; when they satisfy a predetermined mathematical relation, the process of proof and verification is complete.
The process by which the second participant and the first participant jointly execute the proof and verification of the proof-of-plaintext-knowledge protocol for the first signature factor ciphertext follows the same principle as the proof and verification of the proof-of-plaintext-knowledge protocol described above, and is not repeated here.
In one embodiment, the first participant also generates the relevant parameters of the homomorphic cryptosystem, and may perform the relevant encryption based on these parameters to obtain the above first participant signature parameter ciphertext.
In one embodiment, where the first participant has determined the first participant signature parameter ciphertext, the second participant performing the synthesis based on the second participant signature share of the second participant and the data digest to obtain the first participant signature share ciphertext may be carried out as follows:
The second participant performs the synthesis based on the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest, obtaining the first participant signature share ciphertext.
In one embodiment, if the first participant signature parameter ciphertext includes the first private key share ciphertext and the first temporary private key share ciphertext, the second participant performing the synthesis based on the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest to obtain the first participant signature share ciphertext may specifically include steps S1211 to S1214.
Step S1211: The second participant determines the first blinding factor.
Step S1212: The second participant and the first participant jointly execute the proof and verification of the proof-of-plaintext-knowledge protocol for the blinded temporary signature share ciphertext; the blinded temporary signature share ciphertext is obtained based on the first temporary private key share ciphertext, the second temporary private key share and the first blinding factor.
Step S1213: The first participant and the second participant jointly execute the proof and verification of the proof-of-plaintext-knowledge protocol for the first blinded signature share ciphertext; the blinded temporary signature share is obtained by decrypting the blinded temporary signature share ciphertext; the first blinded signature share is obtained based on the blinded temporary signature share, and the first blinded signature share is encrypted to obtain the first blinded signature share ciphertext. In one embodiment, the first blinded signature share may be obtained by inverting the blinded temporary signature share.
Step S1214: The second participant computes the second participant signature share, and performs a synthesis based on the first blinding factor, the first blinded signature share ciphertext, the first private key share ciphertext, the second private key share, the second participant signature share and the data digest, obtaining the first participant signature share ciphertext.
In one embodiment, in the above step S1214, the second participant performing the synthesis based on the first blinding factor, the first blinded signature share ciphertext, the first private key share ciphertext, the second private key share, the second participant signature share and the data digest to obtain the first participant signature share ciphertext may include steps S12141 to S12143.
Step S12141: The second participant performs a synthesis based on the first blinding factor and the first blinded signature share ciphertext, obtaining the first sub-signature share ciphertext.
Step S12142: The second participant performs a synthesis on the first private key share ciphertext, the second private key share, the second participant signature share and the data digest, obtaining the second sub-signature share ciphertext.
Step S12143: The second participant performs a synthesis based on the first sub-signature share ciphertext and the second sub-signature share ciphertext, obtaining the first participant signature share ciphertext.
In another embodiment, if the first participant signature parameter ciphertext includes the first signature factor ciphertext and the third signature factor ciphertext, the combination in which the second participant uses its second participant signature share, the first participant signature parameter ciphertext and the data digest to obtain the first participant signature share ciphertext may specifically include steps S1221 to S1222.
Step S1221: the second participant generates the second participant signature factor based on its second participant signature share and the data digest.
In one embodiment, the second participant signature factor may include two signature factors, denoted in this embodiment as the second signature factor and the fourth signature factor. The second participant can calculate the second signature factor from the second temporary private key share and the data digest, and calculate the fourth signature factor from the second temporary private key share, the second private key share and the second participant signature share. Alternatively, the second participant can first select a third blinding factor, then calculate the second signature factor from the second temporary private key share, the data digest and the third blinding factor, and calculate the fourth signature factor from the second temporary private key share, the second private key share, the second participant signature share and the third blinding factor.
In another embodiment, the second participant signature factor may include three signature factors, denoted in this embodiment as the second signature factor, the fourth signature factor and the fifth signature factor. The second participant can calculate the second signature factor from the second temporary private key share and the data digest, calculate the fourth signature factor from the second temporary private key share and the second participant signature share, and calculate the fifth signature factor from the second temporary private key share, the second private key share and the second participant signature share. Alternatively, the second participant can first select a fourth blinding factor, then calculate the second signature factor from the second temporary private key share, the data digest and the fourth blinding factor, calculate the fourth signature factor from the second temporary private key share, the second participant signature share and the fourth blinding factor, and calculate the fifth signature factor from the second temporary private key share, the second private key share, the second participant signature share and the fourth blinding factor.
Step S1222: the second participant combines the first participant signature factor ciphertext and the second participant signature factor to obtain the first participant signature share ciphertext.
The second participant may combine the first participant signature factor ciphertext and the second participant signature factor in any feasible manner; this embodiment imposes no specific limitation.
Step S13: the second participant sends a second message to the first participant; the second message carries the first participant signature share ciphertext.
Step S14: the first participant decrypts the first participant signature share ciphertext to obtain the first participant signature share.
Several embodiments are described in detail below. In these embodiments there are two participants (the first participant and the second participant, denoted participant 1 and participant 2 respectively). The two parties agree on the elliptic curve cryptosystem parameters and choose a generator $G$ whose order is a prime $n$. The generator $G$ is a point on the elliptic curve, and other points on the curve are generated by operations on $G$. Choosing a generator $G$ of prime order $n$ ensures that operations on the curve rest on the elliptic curve discrete logarithm problem, which ensures security.
The first participant holds the first private key share $d_1$ and the second participant holds the second private key share $d_2$; together, $d_1$ and $d_2$ constitute the complete private key $d$. The first participant holds the first temporary private key share $k_1$ and the second participant holds the second temporary private key share $k_2$; together, $k_1$ and $k_2$ constitute the complete temporary private key $k$.
Different schemes are possible depending on how the private key and the temporary private key are constructed. For example, the private key can be constructed by additive sharing or by multiplicative sharing. Correspondingly, the temporary private key can be constructed by additive sharing or by multiplicative sharing.
The cases where the temporary private key is additively shared and multiplicatively shared are described separately below.
Embodiment one: the temporary private key is additively shared.
In one embodiment, the temporary private key is constructed by additive sharing, which is referred to here as being additively shared. When the temporary private key is constructed by additive sharing, it can be written $k = k_1 + k_2$.
When the temporary private key is constructed by additive sharing, the private key can be constructed by additive sharing, written $d = d_1 + d_2$, or by multiplicative sharing, written $d = d_1 d_2$. Here $d$ is the shared private key, that is, the complete private key; $d_1$ is the private key share held by participant 1 (called the first private key share in the embodiments of this application); and $d_2$ is the private key share held by participant 2 (called the second private key share in the embodiments of this application). $k$ is the shared temporary private key, that is, the complete temporary private key; $k_1$ is the temporary private key share held by participant 1 (called the first temporary private key share in the embodiments of this application); and $k_2$ is the temporary private key share held by participant 2 (called the second temporary private key share in the embodiments of this application).
This embodiment therefore covers two schemes: an additively shared temporary private key $k = k_1 + k_2$ with an additively shared private key $d = d_1 + d_2$, and an additively shared temporary private key $k = k_1 + k_2$ with a multiplicatively shared private key $d = d_1 d_2$.
Referring to Fig. 4, in a specific implementation of this embodiment, participant 1 performs a digest operation on the data to be signed $M$ and obtains the data digest $e = H(M)$. Participant 1 then generates the first private key share $d_1 \in [1, n-1]$ that it holds; $d_1$ can be generated randomly. Based on $d_1$, participant 1 calculates its first public key share $D_1 = d_1 G$. Participant 1 also generates the first temporary private key share $k_1 \in [1, n-1]$ that it holds and, based on $k_1$, calculates its first temporary public key share $K_1 = k_1 G$. Here $G$ is the generator of prime order $n$ in the elliptic curve cryptosystem parameters; $G$ can be agreed jointly by participant 1 and participant 2. Participant 1 also calls the key generation algorithm KeyGen of the homomorphic cryptosystem to generate a key pair $(pk, sk)$.
Participant 1 then sends a first message to participant 2; the first message carries the data digest $e$, the first public key share $D_1$ and the first temporary public key share $K_1$.
After participant 2 receives the first message sent by participant 1, it cooperates with participant 1 to execute the proof and verification phases of the proof-of-knowledge protocol for the first participant signature parameter ciphertext. In this embodiment, the first participant signature parameter ciphertext includes the first private key share ciphertext and the first temporary private key share ciphertext. In one embodiment, these two ciphertexts can be generated during the proof phase of the proof-of-knowledge protocol: participant 1 encrypts the first private key share $d_1$ to obtain the first private key share ciphertext, and encrypts the first temporary private key share $k_1$ to obtain the first temporary private key share ciphertext. Encryption can be performed in any feasible manner. Writing the encryption algorithm as Enc, the first private key share ciphertext can be written $d_e = Enc(d_1)$ and the first temporary private key share ciphertext can be written $k_e = Enc(k_1)$.
Different proof-of-knowledge protocols can be used when executing the proof and verification, for example the proof-of-plaintext-knowledge protocol. In a proof of plaintext knowledge, the prover proves to the verifier, without leaking information, that it knows the plaintext $m$ corresponding to the ciphertext $c$, satisfying a certain relation such as $R_{Enc} = \{((c, pk), (m, r)) \mid c = Enc_{pk}(m, r)\}$. In this process, after participant 2 receives the first message sent by participant 1, participant 1 acts as the prover and participant 2 acts as the verifier, and together they complete the proof and verification of the proof-of-plaintext-knowledge protocol.
The proof-of-plaintext-knowledge protocol comes in two types: an interactive type, denoted PPK(c, m), and a non-interactive type, denoted NIPPK(c, m).
The interactive proof-of-plaintext-knowledge protocol PPK(c, m) works as follows. In the proof phase, the prover calculates the ciphertext $c$ from the plaintext $m$ and calculates the commitment $B$. In one embodiment, the ciphertext can be $c = g^m r^n \bmod n^2$ and the commitment can be $B = g^x u^n \bmod n^2$, where $g$, $r$ and $n$ are parameters of the homomorphic cryptosystem and $x \in Z_n$. The prover then sends the ciphertext $c$ and the commitment $B$ to the verifier. The verifier selects a random challenge $q \in Z_n$ and sends it to the prover. After receiving $q$, the prover calculates the responses $w$ and $Z$ from the plaintext $m$ and the challenge $q$; in one embodiment these can be $w = (x + qm) \bmod n$ and $Z = u r^q g^t \bmod n^2$, where $t$ satisfies $x + qm = w + tn$. The prover then sends the responses $w$ and $Z$ to the verifier. In the verification phase, the verifier checks whether the received ciphertext $c$ and commitment $B$, together with the received responses $w$ and $Z$, satisfy a certain mathematical relation; in one application example, it can check whether $g^w Z^n \bmod n^2$ equals $B c^q \bmod n^2$. If the relation holds (in the example above, $g^w Z^n \bmod n^2$ equals $B c^q \bmod n^2$), the ciphertext $c$ is an encryption of the plaintext $m$.
Here, $g$ is a generator selected from ; $m$ is a plaintext selected from $Z_n$; $r$ is a random number selected from ; $n$ is the RSA modulus; $x$ is a random number selected from $Z_n$; $u$ is a random number selected from ; $Z_n$ is the set of all positive integers less than $n$; and $q$ is a hash value.
Specifically, in this embodiment, when the interactive proof-of-plaintext-knowledge protocol PPK(c, m) is used to prove and verify the first participant signature parameter ciphertext (in this embodiment, the first private key share ciphertext and the first temporary private key share ciphertext), the proof and verification of the first private key share ciphertext and of the first temporary private key share ciphertext can be executed in either order or in parallel.
Taking the proof and verification of the first private key share ciphertext as an example, the detailed process of proof and verification with the interactive proof-of-plaintext-knowledge protocol may include the following steps A1 to A4.
Step A1: participant 1, acting as the prover, calculates the first private key share ciphertext from the first private key share and calculates a commitment (called the first participant commitment in this embodiment), then sends a first proof message to participant 2. The first proof message includes the first private key share ciphertext and the first participant commitment.
Step A2: participant 2, acting as the verifier, receives the first proof message, selects a random challenge (called the second participant challenge in this embodiment) and sends the second participant challenge to participant 1.
Step A3: participant 1 receives the second participant challenge and calculates the responses $w$ and $Z$ based on it; in this embodiment, the $w$ and $Z$ generated from the challenge returned by participant 2 are called the first response and the second response respectively. Participant 1 then sends a second proof message to participant 2; the second proof message includes the first response and the second response.
In one application example, the first response can be calculated from the plaintext $m$ and the second participant challenge, and the second response can be calculated from the second participant challenge and the parameters of the homomorphic cryptosystem.
Step A4: participant 2 receives the second proof message. When the second proof message and the first proof message satisfy a certain mathematical relation, this proves that participant 1 knows the plaintext corresponding to the first private key share ciphertext, and the proof and verification process is complete. The relation satisfied by the second proof message and the first proof message can be a relation among the first private key share ciphertext, the first participant commitment, the first response and the second response; in the example above, it can be that $g^w Z^n \bmod n^2$ equals $B c^q \bmod n^2$.
The proof and verification of the first temporary private key share ciphertext with the interactive proof-of-plaintext-knowledge protocol can be similar to the proof and verification of the first private key share ciphertext described above and is not repeated here.
The non-interactive proof-of-plaintext-knowledge protocol NIPPK(c, m) works as follows. In the proof phase, the prover calculates the ciphertext $c$ from the plaintext $m$ and calculates the commitment $B$. In one embodiment, the ciphertext can be $c = g^m r^n \bmod n^2$ and the commitment can be $B = g^x u^n \bmod n^2$, where $g$, $r$ and $n$ are parameters of the homomorphic cryptosystem and $x \in Z_n$. The prover then calculates the challenge $q$. As long as the randomness and unpredictability of $q$ can be guaranteed, the prover can calculate it in any feasible manner; in one embodiment it can be calculated with a hash function, for example $q = H(c \| B) \bmod n$, where $H(\cdot)$ is a secure hash function. The prover also calculates the responses $w$ and $Z$; in one embodiment these can be $w = (x + qm) \bmod n$ and $Z = u r^q g^t \bmod n^2$, where $t$ satisfies $x + qm = w + tn$. The prover then sends $c$, $B$, $w$ and $Z$ to the verifier. In the verification phase, the verifier calculates the challenge $q = H(c \| B) \bmod n$ and checks whether the received ciphertext $c$ and commitment $B$, together with the received responses $w$ and $Z$, satisfy a certain mathematical relation; in one application example, it can check whether $g^w Z^n \bmod n^2$ equals $B c^q \bmod n^2$. If the relation holds (in the example above, $g^w Z^n \bmod n^2$ equals $B c^q \bmod n^2$), the ciphertext $c$ is an encryption of the plaintext $m$.
Here, $g$ is a generator selected from ; $m$ is a plaintext selected from $Z_n$; $r$ is a random number selected from ; $n$ is the RSA modulus; $x$ is a random number selected from $Z_n$; $u$ is a random number selected from ; $Z_n$ is the set of all positive integers less than $n$; and $q$ is a hash value.
Specifically, in this embodiment, when the non-interactive proof-of-plaintext-knowledge protocol NIPPK(c, m) is used to prove and verify the first participant signature parameter ciphertext (in this embodiment, the first private key share ciphertext and the first temporary private key share ciphertext), the proof and verification of the first private key share ciphertext and of the first temporary private key share ciphertext can be executed in either order or in parallel.
Taking the proof and verification of the first private key share ciphertext as an example, the detailed process of proof and verification with the non-interactive proof-of-plaintext-knowledge protocol may include the following steps B1 to B3.
Step B1: participant 1, acting as the prover, calculates the first private key share ciphertext from the first private key share and calculates a commitment (called the first participant commitment in this embodiment).
Step B2: participant 1, acting as the prover, calculates a challenge (called the first participant challenge in this embodiment) and calculates the responses $w$ and $Z$ based on it; in this embodiment, the $w$ and $Z$ generated from the challenge that participant 1 itself generates are called the third response and the fourth response respectively. Participant 1 then sends a proof message to participant 2; the proof message includes the first private key share ciphertext, the first participant commitment, the third response and the fourth response.
In one application example, the third response can be calculated from the plaintext $m$ and the first participant challenge, and the fourth response can be calculated from the first participant challenge and the parameters of the homomorphic cryptosystem.
Step B3: participant 2 calculates a challenge (called the second participant challenge in this embodiment), where the second participant challenge is equal to the first participant challenge. Based on the second participant challenge, participant 2 verifies whether the first private key share ciphertext and the first participant commitment, together with the third response and the fourth response, satisfy a certain mathematical relation; in the example above, the relation can be that $g^w Z^n \bmod n^2$ equals $B c^q \bmod n^2$. When the relation is satisfied, this proves that participant 1 knows the plaintext corresponding to the first private key share ciphertext, and the proof and verification process is complete.
The proof and verification of the first temporary private key share ciphertext with the non-interactive proof-of-plaintext-knowledge protocol can be similar to the proof and verification of the first private key share ciphertext described above and is not repeated here.
Accordingly, in this embodiment, executing the proof and verification phases of the proof-of-knowledge protocol for the first participant signature parameter ciphertext (in this embodiment, the first private key share ciphertext and the first temporary private key share ciphertext) in the manner described above proves and verifies that the first private key share ciphertext is an encryption of the first participant's first private key share and that the first temporary private key share ciphertext is an encryption of the first temporary private key share.
If verification of the proof-of-plaintext-knowledge protocol fails, the process terminates and exits. If verification passes, the process continues to the subsequent steps.
Participant 2 generates the second private key share $d_2 \in [1, n-1]$, which can be generated randomly, and obtains the complete public key $D$ based on the second private key share $d_2$ and the first public key share $D_1$. In one embodiment, the complete public key $D$ can be multiplicatively shared by participant 1 and participant 2, in which case $D = d_2 D_1 = d_1 d_2 G = dG$. In another embodiment, the complete public key $D$ can be additively shared by participant 1 and participant 2, in which case participant 2 can calculate the second public key share $D_2 = d_2 G$ from the second private key share $d_2$ and then obtain the complete public key $D = D_1 + D_2 = (d_1 + d_2)G = dG$ from the first public key share $D_1$ and the second public key share $D_2$. After the complete public key $D$ is obtained, the ECC digital certificate corresponding to $D$ is generated.
Participant 2 generates the second temporary private key share $k_2 \in [1, n-1]$, which can be generated randomly, calculates the second temporary public key share $K_2 = k_2 G$ from it, and then obtains the complete temporary public key $K = K_1 + K_2 = (k_1 + k_2)G = kG = (x_1, y_1)$ from the first temporary public key share $K_1$ and the second temporary public key share $K_2$.
Participant 2 then selects a temporary random number as the blinding factor $x' \in [1, n-1]$ (called the first blinding factor in this embodiment) and combines the first temporary private key share ciphertext $k_e = Enc(k_1)$, the second temporary private key share $k_2 \in [1, n-1]$ and the first blinding factor $x'$ to obtain the blinded temporary signature share ciphertext: $reverse_e = (k_e \cdot Enc(k_2))^{x'} = (Enc(k_1) \cdot Enc(k_2))^{x'} = Enc((k_1 + k_2) x' \bmod n)$.
Then participant 2 acts as the prover and participant 1 acts as the verifier, and the two carry out the proof and verification of the proof-of-knowledge protocol for the blinded temporary signature share ciphertext.
The proof and verification carried out here can be those of the proof-of-plaintext-knowledge protocol. As described above, either the interactive protocol PPK(c, m) or the non-interactive protocol NIPPK(c, m) can be used. The principle of the proof and verification for the blinded temporary signature share ciphertext $reverse_e$ is the same as the principle of the proof-of-plaintext-knowledge protocol described above and is not repeated here.
If verification of the proof-of-knowledge protocol fails, the process terminates and exits. If verification passes, the process continues to the subsequent steps.
Participant 1 decrypts the blinded temporary signature share ciphertext $reverse_e$ and obtains the blinded temporary signature share $reverse = Dec(Enc(reverse_e)) = (k_1 + k_2) x' \bmod n$. Participant 1 then obtains the first blinded signature share $reverse'$ from the blinded temporary signature share $reverse$. This can be done in any feasible manner; in one embodiment, the blinded temporary signature share $reverse$ is inverted to obtain the first blinded signature share, that is, $reverse' = ((k_1 + k_2) x')^{-1} \bmod n = (k_1 + k_2)^{-1} x'^{-1} \bmod n$. After obtaining the first blinded signature share $reverse'$, participant 1 encrypts it to obtain the first blinded signature share ciphertext $reverse'_e = Enc(reverse')$.
Then participant 1 acts as the prover and participant 2 acts as the verifier, and the two carry out the proof and verification of the proof-of-knowledge protocol for the first blinded signature share ciphertext $reverse'_e$.
The proof and verification carried out here can be those of the proof-of-plaintext-knowledge protocol. As described above, either the interactive protocol PPK(c, m) or the non-interactive protocol NIPPK(c, m) can be used. The principle of the proof and verification for the first blinded signature share ciphertext $reverse'_e$ is the same as the principle of the proof-of-plaintext-knowledge protocol described above and is not repeated here.
As noted above, the proof-of-knowledge protocol has an interactive form PPK(c, m) and a non-interactive form NIPPK(c, m). Therefore, when the interactive protocol is used, the proof and verification of PPK($reverse'_e$, $reverse'$) are executed; when the non-interactive protocol is used, the proof and verification of NIPPK($reverse'_e$, $reverse'$) are executed.
If verification of the proof-of-knowledge protocol fails, the process terminates and exits. If verification passes, the process continues to the subsequent steps.
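The following Python sketch is an added example, not code from the patent: it implements the non-interactive proof NIPPK(c, m) described above and uses it in the blinded inversion of $k_1 + k_2$ from embodiment one, up to the first blinded signature share $reverse'$. Assumptions: the homomorphic cryptosystem is Paillier with $g = N + 1$, the Paillier modulus is written `N` to keep it apart from the curve order (`ORDER`), $H$ is SHA-256, all parameters are constructed toy values, and the verifier's range checks and the zero check before inversion are additions.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (Mersenne primes); real keys use far larger primes.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                  # Paillier modulus, the "RSA modulus n" of the proof
N2 = N * N
G = N + 1                  # assumed generator choice
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
MU = pow(LAM, -1, N)
ORDER = 2**19 - 1          # stand-in for the prime curve order n; 2*ORDER**2 < N


def rand_unit():
    """Random element of Z*_N, used as encryption randomness r and as u."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r


def enc(m, r):
    """c = g^m * r^N mod N^2."""
    return pow(G, m, N2) * pow(r, N, N2) % N2


def dec(c):
    """Paillier decryption for g = N + 1."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def challenge(c, B):
    """q = H(c || B) mod N, with fixed-width encoding of both values."""
    width = (N2.bit_length() + 7) // 8
    data = c.to_bytes(width, "big") + B.to_bytes(width, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def nippk_prove(m, r, c):
    """Prover: commitment B, then responses w and Z for plaintext m of c."""
    x, u = secrets.randbelow(N), rand_unit()
    B = pow(G, x, N2) * pow(u, N, N2) % N2
    q = challenge(c, B)
    t, w = divmod(x + q * m, N)          # x + q*m = w + t*N
    Z = u * pow(r, q, N2) * pow(G, t, N2) % N2
    return B, w, Z


def nippk_verify(c, proof):
    """Verifier: recompute q and check g^w * Z^N == B * c^q (mod N^2)."""
    B, w, Z = proof
    # Added hardening: reject out-of-range or non-invertible values first,
    # otherwise degenerate inputs could satisfy the equation trivially.
    if not (0 <= w < N and all(0 < v < N2 and gcd(v, N) == 1 for v in (c, B, Z))):
        return False
    q = challenge(c, B)
    return pow(G, w, N2) * pow(Z, N, N2) % N2 == B * pow(c, q, N2) % N2


def blinded_inverse(k1, k2, x_blind):
    """Embodiment one up to reverse' and reverse'_e (no curve arithmetic)."""
    # Participant 1: encrypt k1 and prove knowledge of the plaintext.
    r1 = rand_unit()
    k_e = enc(k1, r1)
    proof_k = nippk_prove(k1, r1, k_e)
    # Participant 2: verify, then blind: (Enc(k1) * Enc(k2))^x'.
    if not nippk_verify(k_e, proof_k):
        raise ValueError("proof for k_e failed; terminate")
    reverse_e = pow(k_e * enc(k2, rand_unit()) % N2, x_blind, N2)
    # Participant 1: decrypt, reduce mod the curve order, invert, re-encrypt.
    reverse = dec(reverse_e) % ORDER
    if reverse == 0:                     # added check: no inverse exists
        raise ValueError("(k1 + k2) * x' is 0 mod n; pick new shares")
    reverse_inv = pow(reverse, -1, ORDER)
    r3 = rand_unit()
    reverse_inv_e = enc(reverse_inv, r3)
    proof_inv = nippk_prove(reverse_inv, r3, reverse_inv_e)
    # Participant 2: verify the proof for reverse'_e before continuing.
    if not nippk_verify(reverse_inv_e, proof_inv):
        raise ValueError("proof for reverse'_e failed; terminate")
    return reverse_inv, reverse_inv_e
```

Participant 1 only ever sees $(k_1 + k_2) x' \bmod n$, so the blinding factor hides $k_2$ from it, while participant 2 only ever sees ciphertexts and proofs.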
Participant 2 calculates the second participant signature share, which can be an ECC signature share. It can be determined from the parameter $x_1$ of the complete temporary public key $K = (x_1, y_1)$; for example, the second participant signature share is $r = x_1 \bmod n$. If the result is $r = 0$, participant 2 returns to the step of generating the second temporary private key share above, generates a new second temporary private key share and repeats the above process. Otherwise, the process continues to the subsequent steps.
Participant 2 then combines the first blinding factor $x'$ and the first blinded signature share ciphertext $reverse'_e$ to obtain the first sub-signature share ciphertext $s'_1$; one way of computing it can be written as:
Participant 2 combines the first private key share ciphertext $d_e$, the second private key share $d_2$, the second participant signature share $r$ and the data digest $e$ to obtain the second sub-signature share ciphertext $s'_2$.
In one embodiment, where the complete public key $D$ is additively shared by participant 1 and participant 2, this can be written as:
In another embodiment, where the complete public key $D$ is multiplicatively shared by participant 1 and participant 2, this can be written as:
Participant 2 combines the first sub-signature share ciphertext $s'_1$ and the second sub-signature share ciphertext $s'_2$ to obtain the first participant signature share ciphertext $s_e$, which can be written $s_e = s'_1 \cdot s'_2 = Enc(k^{-1}(e + dr) \bmod n)$.
Participant 2 then sends a second message to participant 1; the second message includes the second participant signature share $r$ and the first participant signature share ciphertext $s_e$.
Participant 1 receives the second message and decrypts the first participant signature share ciphertext $s_e$ to obtain the first participant signature share $s = Dec(Enc(s_e)) = k^{-1}(e + dr) \bmod n$. If the obtained first participant signature share is $s = 0$, the process returns to the step above in which participant 2 generates the second temporary private key share; participant 2 generates a new second temporary private key share and the above process is repeated. Otherwise, the pair $(r, s)$ formed by the second participant signature share $r$ and the first participant signature share $s$ is a valid ECC signature.
Embodiment two: the temporary private key is multiplicatively shared.
In one embodiment, the temporary private key is constructed by multiplicative sharing, which is referred to here as being multiplicatively shared. When the temporary private key is constructed by multiplicative sharing, it can be written $k = k_1 * k_2$.
When the temporary private key is constructed by multiplicative sharing, the private key can be constructed by multiplicative sharing, written $d = d_1 d_2$, or by additive sharing, written $d = d_1 + d_2$. Here $d$ is the shared private key, that is, the complete private key; $d_1$ is the private key share held by participant 1 (called the first private key share in the embodiments of this application); and $d_2$ is the private key share held by participant 2 (called the second private key share in the embodiments of this application). $k$ is the shared temporary private key, that is, the complete temporary private key; $k_1$ is the temporary private key share held by participant 1 (called the first temporary private key share in the embodiments of this application); and $k_2$ is the temporary private key share held by participant 2 (called the second temporary private key share in the embodiments of this application).
This embodiment therefore covers two schemes: a multiplicatively shared temporary private key $k = k_1 * k_2$ with a multiplicatively shared private key $d = d_1 d_2$, and a multiplicatively shared temporary private key $k = k_1 * k_2$ with an additively shared private key $d = d_1 + d_2$.
Referring to Fig. 5, in a specific implementation of this embodiment, participant 1 performs a digest operation on the data to be signed $M$ and obtains the data digest $e = H(M)$. Participant 1 then generates the first private key share $d_1 \in [1, n-1]$ that it holds; $d_1$ can be generated randomly. Based on the first private key share it holds, participant 1 calculates its first public key share $D_1 = d_1 G$. Participant 1 also generates the first temporary private key share $k_1 \in [1, n-1]$ that it holds and, based on $k_1$, calculates its first temporary public key share $K_1 = k_1 G$. Participant 1 also calls the key generation algorithm KeyGen of the homomorphic cryptosystem to generate a key pair $(pk, sk)$.
Participant 1 then sends a first message to participant 2; the first message carries the data digest $e$, the first public key share $D_1$ and the first temporary public key share $K_1$.
After participant 2 receives the first message sent by participant 1, it cooperates with participant 1 to execute the proof and verification phases of the proof-of-knowledge protocol for the first signature factor ciphertext and the third signature factor ciphertext. In this embodiment, the first participant signature parameter ciphertext includes the first signature factor ciphertext and the third signature factor ciphertext.
In one embodiment, the first signature factor ciphertext and the third signature factor ciphertext can be generated during the proof phase of the proof-of-knowledge protocol. During the proof and verification of the proof-of-knowledge protocol, participant 1 calculates the first signature factor ciphertext and the third signature factor ciphertext.
In one embodiment, the first signature factor $u$ can be calculated from the first temporary private key share $k_1$, such as , and the third signature factor $v$ can be calculated from the first temporary private key share $k_1$ and the first private key share $d_1$, such as
In another embodiment, participant 1 can first select a blinding factor $x$ (called the second blinding factor in this embodiment), then calculate the first signature factor $u$ from the first temporary private key share $k_1$ and the second blinding factor $x$, such as , and calculate the third signature factor $v$ from the first temporary private key share $k_1$, the first private key share $d_1$ and the second blinding factor $x$, such as . It will be appreciated that, in practical applications, the first signature factor $u$ and the third signature factor $v$ can also be calculated in other ways.
Participant 1 then encrypts the first signature factor $u$ to obtain the first signature factor ciphertext, and encrypts the third signature factor $v$ to obtain the third signature factor ciphertext. Encryption can be performed in any feasible manner. Writing the encryption algorithm as Enc, the first signature factor ciphertext can be written $u_e = Enc(u)$ and the third signature factor ciphertext can be written $v_e = Enc(v)$.
When executing the proof and verifying that prove Knowledge Protocols, different proof Knowledge Protocols can be used.For example, this reality After applying the proof and verifying that can complete to prove null element Knowledge Protocols in example, then completes to prove the proof of plaintext Knowledge Protocols and test Card.Prove the protocol theory of plaintext Knowledge Protocols in the above-described embodiments it is stated that details are not described herein.
It proves in null element Knowledge Protocols, under the premise of not betraying the pot to the roses information, it was demonstrated that person proves that ciphertext c is to verifier The encryption of null element 0 meets certain relationship, such as: LZero=((c, pk), (0, r)) | c=EncpK (0, r) }.At this point, at this In the process, after participant 2 receives the first message that participant 1 is sent, participant 1 is used as certifier, and participant 2 is as verifying Person completes the proof and verifying that prove null element Knowledge Protocols.
Due to proving that null element Knowledge Protocols are related to two types, one kind is interactive, is indicated with PZK (c, m);One kind is Non-interactive is indicated with NIPZK (c, m).
The principle of the interactive proof-of-zero knowledge protocol PZK(c, m) is as follows. In the proof phase, the prover calculates the ciphertext c from the plaintext m and calculates a commitment B. In one embodiment the ciphertext may be $c = g^m r^n \bmod n^2$ (if m = 0, then $c = r^n \bmod n^2$) and the commitment may be $B = u^n \bmod n^2$, where g, r and n are the relevant parameters of the homomorphic cryptosystem. The prover then sends the ciphertext c and the commitment B to the verifier. The verifier selects a random challenge $q \in Z_n$ and sends it to the prover. After receiving the random challenge $q \in Z_n$, the prover calculates a response Z from it; in one embodiment the response may be $Z = u r^q \bmod n^2$. The prover then sends the calculated response Z to the verifier. In the verification phase, the verifier checks whether the received ciphertext c, the commitment B and the received response Z satisfy a certain mathematical relation; in one application example it may check whether $Z^n \bmod n^2$ equals $B c^q \bmod n^2$. If they are equal, the ciphertext c is an encryption of the zero element 0.
Here, g is a generator selected from ; m is a plaintext selected from $Z_n$; r is a random number selected from ; n is the RSA modulus; u is a random number selected from ; $Z_n$ is the set of all positive integers less than n; q is a hash value.
Specifically, in this embodiment, when the interactive proof-of-zero knowledge protocol PZK(c, m) is used to carry out the proof and verification for the first participant signature parameter ciphertext (in this embodiment, the first signature factor ciphertext and the third signature factor ciphertext), the proof and verification of the first signature factor ciphertext and of the third signature factor ciphertext may be carried out in any order or in parallel.
Taking the proof and verification of the first signature factor ciphertext as an example, the detailed process of the proof and verification based on the interactive proof-of-zero knowledge protocol PZK(c, m) may include the following steps C1 to C4.
Step C1: participant 1, as the prover, calculates the first signature factor ciphertext and calculates a commitment (called the first participant commitment in this embodiment), and sends a first proof message to participant 2. The first proof message includes the first signature factor ciphertext and the first participant commitment.
Step C2: participant 2, as the verifier, receives the first proof message, selects a random challenge (called the second participant challenge in this embodiment), and sends the second participant challenge to participant 1.
Step C3: participant 1 receives the second participant challenge and calculates the response Z based on it. In this embodiment, the Z generated from the challenge returned by participant 2 is called the fifth response. Participant 1 sends a second proof message to participant 2; the second proof message includes the fifth response.
In one embodiment, the fifth response may be calculated from the second participant challenge and the relevant parameters of the homomorphic cryptosystem.
Step C4: participant 2 receives the second proof message. When the second proof message and the first proof message satisfy a certain mathematical relation, it is proved that participant 1 knows the plaintext corresponding to the first signature factor ciphertext, and the proof and verification process is complete. The relation to be satisfied by the second proof message and the first proof message may be a mathematical relation among the first signature factor ciphertext, the first participant commitment and the fifth response; in the example above, it may be whether $Z^n \bmod n^2$ equals $B c^q \bmod n^2$.
The proof and verification of the third signature factor ciphertext based on the interactive proof-of-zero knowledge protocol may be similar to the proof and verification of the first signature factor ciphertext described above, and is not repeated here.
The principle of the non-interactive proof-of-zero knowledge protocol NIPZK(c, m) is as follows. In the proof phase, the prover calculates the ciphertext c from the plaintext m and calculates a commitment B. In one embodiment the ciphertext may be $c = g^m r^n \bmod n^2$ (if m = 0, then $c = r^n \bmod n^2$) and the commitment may be $B = u^n \bmod n^2$, where g, r and n are the relevant parameters of the homomorphic cryptosystem. The prover then calculates the challenge q. As long as the randomness and unpredictability of the challenge q are guaranteed, the prover may calculate it in any feasible way; in one embodiment the challenge may be calculated with a hash function, for example $q = H(c \| B) \bmod n$, where H() is a secure hash function. The prover then calculates the response Z; in one embodiment the response may be $Z = u r^q \bmod n^2$. The prover then sends c, B and Z to the verifier. In the verification phase, the verifier calculates the challenge $q = H(c \| B) \bmod n$ and checks whether the received ciphertext c, the commitment B and the received response Z satisfy a certain mathematical relation; in one application example it may check whether $Z^n \bmod n^2$ equals $B c^q \bmod n^2$. If they are equal, the ciphertext c is an encryption of the zero element 0.
Here, g is a generator selected from ; m is a plaintext selected from $Z_n$; r is a random number selected from ; n is the RSA modulus; u is a random number selected from ; $Z_n$ is the set of all positive integers less than n; q is a hash value.
Specifically, in this embodiment, when the non-interactive proof-of-zero knowledge protocol NIPZK(c, m) is used to carry out the proof and verification for the first participant signature parameter ciphertext (in this embodiment, the first signature factor ciphertext and the third signature factor ciphertext), the proof and verification of the first signature factor ciphertext and of the third signature factor ciphertext may be carried out in any order or in parallel.
Taking the proof and verification of the first signature factor ciphertext as an example, the detailed process of the proof and verification based on the non-interactive proof-of-zero knowledge protocol NIPZK(c, m) may include the following steps D1 to D4.
Step D1: participant 1, as the prover, calculates the first signature factor ciphertext and calculates a commitment (called the first participant commitment in this embodiment).
Step D2: participant 1, as the prover, calculates a challenge (called the first participant challenge in this embodiment) and calculates the response Z based on the first participant challenge. In this embodiment, the Z generated from the challenge produced by participant 1 itself is called the sixth response. Participant 1 sends a proof message to participant 2; the proof message includes the first signature factor ciphertext, the first participant commitment and the sixth response.
In one application example, the sixth response may be calculated from the first participant challenge and the relevant parameters of the homomorphic cryptosystem.
Step D3: participant 2 calculates a challenge (called the second participant challenge in this embodiment), where the second participant challenge is equal to the first participant challenge. Based on the second participant challenge, participant 2 verifies whether the first signature factor ciphertext, the first participant commitment and the sixth response satisfy a certain mathematical relation; in the example above, it may be whether $Z^n \bmod n^2$ equals $B c^q \bmod n^2$. When the relation is satisfied, it is proved that participant 1 knows the plaintext corresponding to the first signature factor ciphertext, and the proof and verification process is complete.
The proof and verification of the third signature factor ciphertext based on the non-interactive proof-of-zero knowledge protocol may be similar to the proof and verification of the first signature factor ciphertext described above, and is not repeated here.
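The commit, challenge, response and check steps of PZK(c, m) and NIPZK(c, m) described above, as an added Python example that is not code from the patent. It assumes a Paillier-style cryptosystem with g = n + 1, r and u drawn from the units modulo n, SHA-256 as H, and a constructed toy modulus built from two Mersenne primes that is not a secure key.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy modulus n = p*q from two known Mersenne primes.
# It only makes the example run offline; it is not a secure key.
N = (2**127 - 1) * (2**521 - 1)
N2 = N * N
G = N + 1  # assumed generator g; the page only names it "g"


def rand_unit():
    """Random unit modulo n (assumed domain of r and u)."""
    while True:
        x = secrets.randbelow(N - 1) + 1
        if gcd(x, N) == 1:
            return x


def encrypt(m, r):
    """c = g^m * r^n mod n^2; for m = 0 this reduces to r^n mod n^2."""
    return pow(G, m, N2) * pow(r, N, N2) % N2


def commit():
    """Prover picks u and publishes the commitment B = u^n mod n^2."""
    u = rand_unit()
    return u, pow(u, N, N2)


def respond(u, r, q):
    """Response Z = u * r^q mod n^2."""
    return u * pow(r, q, N2) % N2


def check(c, B, Z, q):
    """Verifier's relation: Z^n mod n^2 == B * c^q mod n^2."""
    return pow(Z, N, N2) == B * pow(c, q, N2) % N2


def interactive_round(c, r):
    """One PZK run with both roles played locally; returns the verdict."""
    u, B = commit()                     # prover -> verifier: c, B
    q = secrets.randbelow(N - 1) + 1    # verifier -> prover: random q in Z_n
    Z = respond(u, r, q)                # prover -> verifier: Z
    return check(c, B, Z, q)


def fs_challenge(c, B):
    """Non-interactive challenge q = H(c || B) mod n, fixed-width encoding."""
    width = (N2.bit_length() + 7) // 8
    data = c.to_bytes(width, "big") + B.to_bytes(width, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def nipzk_prove(c, r):
    """Prover computes the challenge itself and sends (c, B, Z)."""
    u, B = commit()
    return B, respond(u, r, fs_challenge(c, B))


def nipzk_verify(c, B, Z):
    """Verifier recomputes the same challenge from (c, B) and checks Z."""
    return check(c, B, Z, fs_challenge(c, B))


if __name__ == "__main__":
    r = rand_unit()
    zero_ct, other_ct = encrypt(0, r), encrypt(5, r)
    print("Enc(0) accepted:", nipzk_verify(zero_ct, *nipzk_prove(zero_ct, r)))
    print("Enc(5) accepted:", nipzk_verify(other_ct, *nipzk_prove(other_ct, r)))
```

The check fails for Enc(5) because $Z^n$ and $B c^q$ then differ by the factor $g^{mq}$, which is 1 modulo $n^2$ only when n divides mq.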
Accordingly, in this embodiment, when executing the proof and verification phases of the proof-of-knowledge protocol for the first signature factor ciphertext and the third signature factor ciphertext, the approaches above may be combined. The proof and verification of the proof-of-zero knowledge protocol is first executed for the first signature factor ciphertext and the third signature factor ciphertext. If the verification of the proof-of-zero knowledge protocol succeeds, the process terminates and exits. If the verification of the proof-of-zero knowledge protocol fails, the proof and verification of the proof-of-plaintext knowledge protocol is then executed for the first signature factor ciphertext and the third signature factor ciphertext. If the verification of the proof-of-plaintext knowledge protocol fails, the process terminates and exits. If the verification of the proof-of-plaintext knowledge protocol passes, the process continues with the subsequent steps.
Participant 2 generates the second private key share $d_2 \in [1, n-1]$, which may be generated randomly, and obtains the complete public key D based on the second private key share $d_2$ and the first public key share $D_1$. In one embodiment, the complete public key D may be shared multiplicatively by participant 1 and participant 2, in which case $D = d_2 D_1 = d_1 d_2 G = dG$. In another embodiment, the complete public key D may be shared additively by participant 1 and participant 2; in this case, the second public key share $D_2 = d_2 G$ may be calculated from the second private key share $d_2$, and the complete public key $D = D_1 + D_2 = (d_1 + d_2) G = dG$ is then obtained from the first public key share $D_1$ and the second public key share $D_2$. After the complete public key D is obtained, an ECC digital certificate corresponding to the complete public key D is generated.
Participant 2 generates the second temporary private key share $k_2 \in [1, n-1]$, which may be generated randomly, and obtains the complete temporary public key $K = k_2 K_1 = k_1 k_2 G = kG = (x_1, y_1)$ based on the second temporary private key share $k_2$ and the first temporary public key share $K_1$.
Participant 2 then calculates the second participant signature share, which may be an ECC signature share. The second participant signature share may be determined from the parameter $x_1$ of the complete temporary public key $K = (x_1, y_1)$; for example, the second participant signature share is $r = x_1 \bmod n$. If the result is r = 0, participant 2 returns to the step of generating the second temporary private key share above, generates a new second temporary private key share, and repeats the process. Otherwise, the process continues with the subsequent steps.
Participant 2 then calculates the first participant signature share ciphertext $s_e$.
In one embodiment, where the complete public key D is shared multiplicatively by participant 1 and participant 2, participant 2 may calculate the first participant signature share ciphertext $s_e$ as follows.
Participant 2 calculates the second signature factor a and the fourth signature factor b. In one embodiment, the second signature factor a may be calculated based on the second temporary private key share $k_2$ and the data digest e, such as ; and the fourth signature factor b may be calculated based on the second temporary private key share $k_2$, the second private key share $d_2$ and the second participant signature share r, such as . In another embodiment, after selecting a blinding factor y (called the third blinding factor in this embodiment), participant 2 may calculate the second signature factor a based on the second temporary private key share $k_2$, the data digest e and the third blinding factor y, such as ; and calculate the fourth signature factor b based on the second temporary private key share $k_2$, the second private key share $d_2$, the second participant signature share r and the third blinding factor y, such as . It will be appreciated that, in practical applications, the second signature factor a and the fourth signature factor b may also be calculated in other ways.
Participant 2 then performs synthesis based on the first signature factor ciphertext $u_e$, the second signature factor a, the third signature factor ciphertext $v_e$ and the fourth signature factor b to obtain the first participant signature share ciphertext $s_e$. It may be written as:
In another embodiment, where the complete public key D is shared additively by participant 1 and participant 2, participant 2 may calculate the first participant signature share ciphertext $s_e$ as follows.
Participant 2 calculates the second signature factor a, the fourth signature factor b and the fifth signature factor c.
In one application embodiment, the second signature factor a may be calculated based on the second temporary private key share $k_2$ and the data digest e, such as ; the fourth signature factor b may be calculated based on the second temporary private key share $k_2$ and the second participant signature share r, such as ; and the fifth signature factor c may be calculated based on the second temporary private key share $k_2$, the second private key share $d_2$ and the second participant signature share r, such as
In another application embodiment, after selecting a blinding factor z (called the fourth blinding factor in this embodiment), participant 2 may calculate the second signature factor a based on the second temporary private key share $k_2$, the data digest e and the fourth blinding factor z, such as ; calculate the fourth signature factor b based on the second temporary private key share $k_2$, the second participant signature share r and the fourth blinding factor z, such as ; and calculate the fifth signature factor c based on the second temporary private key share $k_2$, the second private key share $d_2$, the second participant signature share r and the fourth blinding factor z, such as . It will be appreciated that, in practical applications, the second signature factor a, the fourth signature factor b and the fifth signature factor c may also be calculated in other ways.
At this point, having calculated the second signature factor a, the fourth signature factor b and the fifth signature factor c, participant 2 may perform synthesis based on the first signature factor ciphertext $u_e$, the second signature factor a, the third signature factor ciphertext $v_e$, the fourth signature factor b and the fifth signature factor c to obtain the first participant signature share ciphertext $s_e$. It may be written as:
After obtaining the first participant signature share ciphertext $s_e$, participant 2 sends a second message to participant 1. The second message includes the second participant signature share r and the first participant signature share ciphertext $s_e$.
Participant 1 receives the second message and decrypts the first participant signature share ciphertext $s_e$ to obtain the first participant signature share $s = Dec(Enc(s_e)) = k^{-1}(e + dr) \bmod n$. If the obtained first participant signature share is s = 0, the process returns to the step above in which participant 2 generates the second temporary private key share; participant 2 generates a new second temporary private key share and the process is repeated. Otherwise, the signature pair (r, s) formed by the second participant signature share r and the first participant signature share s is a valid ECC signature.
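The multiplicative-sharing flow above, run end to end and checked with a standard ECDSA verification, as an added Python example that is not code from the patent. The factor formulas are missing from this text, so u = k1^-1, v = k1^-1 d1, a = k2^-1 e and b = k2^-1 d2 r are assumptions chosen to yield the page's s = k^-1(e + dr) mod n. Also assumed are secp256k1, SHA-256, Paillier with g = N + 1 and a constructed, insecure toy modulus; the proof-of-knowledge phase is left out.

```python
import hashlib
import secrets

# secp256k1 (curve choice is an assumption; the page only says ECC).
P = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, A):
    """Double-and-add scalar multiplication (not constant time)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

# Constructed toy Paillier key of participant 1 from two Mersenne primes
# (not secure). N is the Paillier modulus, distinct from the curve order n.
PP, QQ = 2**127 - 1, 2**521 - 1
N, PHI = PP * QQ, (PP - 1) * (QQ - 1)
N2, MU = N * N, pow(PHI, -1, N)

def enc(m):
    r = secrets.randbelow(N - 1) + 1       # a unit mod N except with negligible probability
    return (1 + m * N) % N2 * pow(r, N, N2) % N2   # (N+1)^m * r^N mod N^2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * MU % N

def rand_scalar():
    return secrets.randbelow(n - 1) + 1    # uniform in [1, n-1]

def cosign(message):
    """Returns (D, e, (r, s)) for the multiplicatively shared key d = d1*d2."""
    e = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    # Participant 1: shares, public shares, encrypted signature factors.
    d1, k1 = rand_scalar(), rand_scalar()
    D1, K1 = ec_mul(d1, G), ec_mul(k1, G)
    u = pow(k1, -1, n)                     # assumed first signature factor
    v = u * d1 % n                         # assumed third signature factor
    ue, ve = enc(u), enc(v)
    # Participant 2: complete public key D = d2 * D1.
    d2 = rand_scalar()
    D = ec_mul(d2, D1)
    while True:
        k2 = rand_scalar()
        r = ec_mul(k2, K1)[0] % n          # K = k2*K1 = (x1, y1), r = x1 mod n
        if r == 0:
            continue                       # regenerate k2
        k2_inv = pow(k2, -1, n)
        a = k2_inv * e % n                 # assumed second signature factor
        b = k2_inv * d2 * r % n            # assumed fourth signature factor
        se = pow(ue, a, N2) * pow(ve, b, N2) % N2   # Enc(u*a + v*b)
        # Participant 1: u*a + v*b < 2n^2 < N, so no wrap-around mod N.
        s = dec(se) % n
        if s != 0:
            return D, e, (r, s)

def ecdsa_verify(D, e, r, s):
    """Standard ECDSA check against the complete public key D."""
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    X = ec_add(ec_mul(e * w % n, G), ec_mul(r * w % n, D))
    return X is not None and X[0] % n == r

if __name__ == "__main__":
    D, e, (r, s) = cosign(b"constructed sample message")
    print("signature verifies:", ecdsa_verify(D, e, r, s))
```

Neither party ever holds d = d1 d2 or k = k1 k2; participant 2 works only on ciphertexts of u and v, and participant 1 sees only the decrypted sum.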
The technical features of the above embodiments may be combined arbitrarily. For brevity, not every possible combination of the technical features of the above embodiments has been described; however, as long as a combination of these technical features involves no contradiction, it should be considered to fall within the scope of this specification.
The above embodiments express only several implementations of the present application, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent. It should be noted that a person of ordinary skill in the art may make various modifications and improvements without departing from the concept of the present application, and these all fall within the protection scope of the present application. Therefore, the protection scope of this patent application shall be subject to the appended claims.

Claims (23)

1. A digital signature method of co-ECC, characterized by comprising:
a first participant calculates the digest of the data to be signed to obtain a data digest, and sends a first message to a second participant, the first message carrying the data digest;
the second participant receives the first message, and performs synthesis based on the second participant signature share of the second participant and the data digest to obtain a first participant signature share ciphertext;
the second participant sends a second message to the first participant, the second message carrying the first participant signature share ciphertext;
the first participant decrypts the first participant signature share ciphertext to obtain a first participant signature share.
2. The method according to claim 1, characterized in that, after the second participant receives the first message and before the synthesis based on the second participant signature share of the second participant and the data digest is performed to obtain the first participant signature share ciphertext, the method further comprises:
the second participant and the first participant jointly execute the proof and verification of the proof-of-knowledge protocol for the first participant signature parameter ciphertext.
3. The method according to claim 2, characterized in that the first participant signature parameter ciphertext comprises: a first private key share ciphertext obtained by encrypting the first private key share, and a first temporary private key share ciphertext obtained by encrypting the first temporary private key share.
4. The method according to claim 3, characterized in that the second participant and the first participant jointly executing the proof and verification of the proof-of-knowledge protocol for the first participant signature parameter ciphertext comprises:
the second participant and the first participant jointly execute the proof and verification of the proof-of-knowledge protocol for the first private key share ciphertext;
the second participant and the first participant jointly execute the proof and verification of the proof-of-knowledge protocol for the first temporary private key share ciphertext.
5. The method according to claim 4, characterized in that the second participant and the first participant jointly executing the proof and verification of the proof-of-plaintext knowledge protocol for the first private key share ciphertext comprises:
the first participant calculates the first private key share ciphertext based on the first private key share, calculates a first participant commitment, and sends a first proof message to the second participant, the first proof message comprising the first private key share ciphertext and the first participant commitment;
the second participant receives the first proof message, selects a second participant challenge, and sends the second participant challenge to the first participant;
the first participant receives the second participant challenge, calculates a first response and a second response based on the second participant challenge, and sends a second proof message to the second participant, the second proof message comprising the first response and the second response;
the second participant receives the second proof message, and completes the proof and verification process when the second proof message and the first proof message satisfy a predetermined operation relation.
6. The method according to claim 4, characterized in that the second participant and the first participant jointly executing the proof and verification of the proof-of-plaintext knowledge protocol for the first private key share ciphertext comprises:
the first participant calculates the first private key share ciphertext based on the first private key share, and calculates a first participant commitment;
the first participant calculates a first participant challenge, calculates a third response and a fourth response based on the first participant challenge, and sends a proof message to the second participant, the proof message comprising the first private key share ciphertext, the first participant commitment, the third response and the fourth response;
the second participant calculates a second participant challenge and, based on the second participant challenge, completes the proof and verification process when it verifies that the first private key share ciphertext, the first participant commitment, the third response and the fourth response satisfy a predetermined operation relation.
7. The method according to any one of claims 3 to 6, characterized in that the second participant performing synthesis based on the second participant signature share of the second participant and the data digest to obtain the first participant signature share ciphertext comprises:
the second participant performs synthesis based on the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest to obtain the first participant signature share ciphertext.
8. The method according to claim 7, characterized in that the second participant performing synthesis based on the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest to obtain the first participant signature share ciphertext comprises:
the second participant determines a first blinding factor;
the second participant and the first participant jointly execute the proof and verification of the proof-of-plaintext knowledge protocol for a blinded temporary signature share ciphertext, the blinded temporary signature share ciphertext being obtained by synthesis based on the first temporary private key share ciphertext, the second temporary private key share and the first blinding factor;
the first participant and the second participant jointly execute the proof and verification of the proof-of-plaintext knowledge protocol for a first blinded signature share ciphertext; a blinded temporary signature share is obtained by decrypting the blinded temporary signature share ciphertext; a first blinded signature share is obtained based on the blinded temporary signature share, and the first blinded signature share is encrypted to obtain the first blinded signature share ciphertext;
the second participant calculates the second participant signature share, and performs synthesis based on the first blinding factor, the first blinded signature share ciphertext, the first private key share ciphertext, the second private key share, the second participant signature share and the data digest to obtain the first participant signature share ciphertext.
9. The method according to claim 8, characterized by comprising at least one of the following items:
Item 1:
the first participant inverts the blinded temporary signature share to obtain the first blinded signature share;
Item 2:
the second participant performing synthesis based on the first blinding factor, the first blinded signature share ciphertext, the first private key share ciphertext, the second private key share, the second participant signature share and the data digest to obtain the first participant signature share ciphertext comprises:
the second participant performs synthesis based on the first blinding factor and the first blinded signature share ciphertext to obtain a first sub-signature share ciphertext;
the second participant performs synthesis on the first private key share ciphertext, the second private key share, the second participant signature share and the data digest to obtain a second sub-signature share ciphertext;
the second participant performs synthesis based on the first sub-signature share ciphertext and the second sub-signature share ciphertext to obtain the first participant signature share ciphertext.
10. The method according to claim 2, characterized in that the first participant signature parameter ciphertext comprises: a first participant signature factor ciphertext obtained by the first participant encrypting the first participant signature factor generated by the first participant.
11. The method according to claim 10, characterized in that the first participant signature factor comprises the first signature factor and the third signature factor generated by the first participant, and the first participant signature factor ciphertext comprises the first signature factor ciphertext and the third signature factor ciphertext.
12. The method according to claim 11, characterized in that the second participant and the first participant jointly executing the proof and verification of the proof-of-knowledge protocol for the first participant signature parameter ciphertext comprises:
the second participant and the first participant jointly execute the proof and verification of the proof-of-knowledge protocol for the first signature factor ciphertext;
the second participant and the first participant jointly execute the proof and verification of the proof-of-knowledge protocol for the third signature factor ciphertext.
13. The method according to claim 12, characterized in that the second participant and the first participant jointly executing the proof and verification of the proof-of-knowledge protocol for the first signature factor ciphertext comprises:
the second participant and the first participant jointly execute the proof and verification of the proof-of-zero knowledge protocol for the first signature factor ciphertext;
the second participant and the first participant jointly execute the proof and verification of the proof-of-plaintext knowledge protocol for the first signature factor ciphertext.
14. The method according to claim 13, characterized in that the second participant and the first participant jointly executing the proof and verification of the proof-of-zero knowledge protocol for the first signature factor ciphertext comprises:
the first participant calculates the first signature factor ciphertext, calculates a first participant commitment, and sends a first proof message to the second participant, the first proof message comprising the first signature factor ciphertext and the first participant commitment;
the second participant receives the first proof message, selects a second participant challenge, and sends the second participant challenge to the first participant;
the first participant receives the second participant challenge, calculates a fifth response based on the second participant challenge, and sends a second proof message to the second participant, the second proof message comprising the fifth response;
the second participant receives the second proof message, and completes the proof and verification process when the second proof message and the first proof message satisfy a predetermined operation relation.
15. The method according to claim 13, characterized in that the second participant and the first participant jointly executing the proof and verification of the proof-of-zero knowledge protocol for the first signature factor ciphertext comprises:
the first participant calculates the first signature factor ciphertext, and calculates a first participant commitment;
the first participant calculates a first participant challenge, calculates a sixth response based on the first participant challenge, and sends a proof message to the second participant, the proof message comprising the first signature factor ciphertext, the first participant commitment and the sixth response;
the second participant calculates a second participant challenge and, based on the second participant challenge, completes the proof and verification process when it verifies that the first signature factor ciphertext, the first participant commitment and the sixth response satisfy a predetermined operation relation.
16. The method according to claim 11, characterized by comprising either one of the following two items:
First item:
The first participant calculates the first signature factor based on the first temporary private key share;
The first participant calculates the third signature factor based on the first temporary private key share and the first private key share;
Second item:
The first participant selects a second blinding factor;
The first participant calculates the first signature factor based on the first temporary private key share and the second blinding factor;
The first participant calculates the third signature factor based on the first temporary private key share, the first private key share and the second blinding factor.
17. The method according to any one of claims 10 to 16, characterized in that the second participant performing synthesis based on the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest to obtain the first participant signature share ciphertext comprises:
The second participant generates a second participant signature factor based on the second participant signature share of the second participant and the data digest;
The second participant performs synthesis based on the first participant signature factor ciphertext and the second participant signature factor to obtain the first participant signature share ciphertext.
18. The method according to claim 17, characterized in that the second participant signature factor includes a second signature factor and a fourth signature factor.
19. The method according to claim 18, characterized by comprising either one of the following two items:
First item:
The second participant generating the second participant signature factor comprises:
The second participant calculates the second signature factor based on the second temporary private key share and the data digest;
The second participant calculates the fourth signature factor based on the second temporary private key share, the second private key share and the second participant signature share;
Second item:
The second participant generating the second participant signature factor comprises:
The second participant selects a third blinding factor;
The second participant calculates the second signature factor based on the second temporary private key share, the data digest and the third blinding factor;
The second participant calculates the fourth signature factor based on the second temporary private key share, the second private key share, the second participant signature share and the third blinding factor.
20. The method according to claim 17, characterized in that the second participant signature factor includes a second signature factor, a fourth signature factor and a fifth signature factor.
21. The method according to claim 20, characterized by comprising either one of the following two items:
First item:
The second participant generating the second participant signature factor comprises:
The second participant calculates the second signature factor based on the second temporary private key share and the data digest;
The second participant calculates the fourth signature factor based on the second temporary private key share and the second participant signature share;
The second participant calculates the fifth signature factor based on the second temporary private key share, the second private key share and the second participant signature share;
Second item:
The second participant generating the second participant signature factor comprises:
The second participant selects a fourth blinding factor;
The second participant calculates the second signature factor based on the second temporary private key share, the data digest and the fourth blinding factor;
The second participant calculates the fourth signature factor based on the second temporary private key share, the second participant signature share and the fourth blinding factor;
The second participant calculates the fifth signature factor based on the second temporary private key share, the second private key share, the second participant signature share and the fourth blinding factor.
22. The method according to claim 1, characterized in that the second participant calculates the second participant signature share based on the complete temporary public key.
23. The method according to claim 11, characterized in that the first message also carries the first public key share held by the first participant and the first temporary public key share held by the first participant;
The second participant obtains the complete public key based on the first public key share and the second private key share held by the second participant, and obtains the complete temporary public key based on the first temporary public key share and the second temporary private key share held by the second participant.
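Claims 16 to 19 (first item of each) and claims 22 to 23 name the inputs of each signature factor but give no formulas. The following added example is not from the patent: it assumes multiplicative sharing (d = d1·d2, k = k1·k2), Paillier as the homomorphic encryption, secp256k1 and SHA-256, and shows that the ciphertext synthesized by the second participant decrypts to a signature that passes standard ECDSA verification. The zero-knowledge proofs of claims 13 to 15 are omitted.

```python
import hashlib, secrets
# secp256k1 domain parameters (public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Constructed toy Paillier key from two Mersenne primes: demo only, never production
M = (2**521 - 1) * (2**607 - 1); M2 = M * M; PHI = (2**521 - 2) * (2**607 - 2)

def add(A, B):                       # affine point addition, None = point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    m = (3 * A[0] ** 2 * pow(2 * A[1], -1, P) if A == B
         else (B[1] - A[1]) * pow((B[0] - A[0]) % P, -1, P))
    x = (m * m - A[0] - B[0]) % P
    return x, (m * (A[0] - x) - A[1]) % P

def mul(k, A):                       # double-and-add (not constant time)
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def enc(m):                          # Paillier encryption with g = M + 1
    return (1 + m * M) * pow(secrets.randbelow(M - 1) + 1, M, M2) % M2
def dec(c):                          # held by the first participant only
    return (pow(c, PHI, M2) - 1) // M * pow(PHI, -1, M) % M
def digest(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def cosign(msg, d1, k1, d2, k2):
    R = mul(k2, mul(k1, G)); r = R[0] % N        # claims 22-23 (assumed k = k1*k2)
    u1 = pow(k1, -1, N); u3 = u1 * d1 % N        # claim 16, first item (assumed formulas)
    c1, c3 = enc(u1), enc(u3)                    # ciphertexts sent to the second participant
    u2 = pow(k2, -1, N) * digest(msg) % N        # claim 19, first item (assumed formulas)
    u4 = pow(k2, -1, N) * d2 * r % N
    cs = pow(c1, u2, M2) * pow(c3, u4, M2) % M2  # claim 17 synthesis: Enc(u1*u2 + u3*u4)
    return r, dec(cs) % N                        # first participant decrypts to get s

def verify(msg, Q, r, s):            # standard single-key ECDSA verification
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    X = add(mul(digest(msg) * w % N, G), mul(r * w % N, Q))
    return X is not None and X[0] % N == r

def demo(msg=b"constructed sample message"):
    d1, k1, d2, k2 = (secrets.randbelow(N - 1) + 1 for _ in range(4))
    r, s = cosign(msg, d1, k1, d2, k2)
    Q = mul(d2, mul(d1, G))          # complete public key (assumed d = d1*d2)
    return verify(msg, Q, r, s), verify(b"tampered message", Q, r, s)
```

The second participant only ever handles ciphertexts of u1 and u3, and the Paillier modulus is chosen larger than 2·N² so the homomorphic sum never wraps before the final reduction mod N.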
CN201810796674.5A 2018-07-19 2018-07-19 Digital signature method for cooperation with ECC Active CN108964906B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810796674.5A CN108964906B (en) 2018-07-19 2018-07-19 Digital signature method for cooperation with ECC

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810796674.5A CN108964906B (en) 2018-07-19 2018-07-19 Digital signature method for cooperation with ECC

Publications (2)

Publication Number Publication Date
CN108964906A true CN108964906A (en) 2018-12-07
CN108964906B CN108964906B (en) 2021-05-28

Family

ID=64482015

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810796674.5A Active CN108964906B (en) 2018-07-19 2018-07-19 Digital signature method for cooperation with ECC

Country Status (1)

Country Link
CN (1) CN108964906B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160358165A1 (en) * 2015-06-08 2016-12-08 Blockstream Corporation Cryptographically concealing amounts transacted on a ledger while preserving a network's ability to verify the transaction
CN106685651A (en) * 2016-12-22 2017-05-17 北京信安世纪科技有限公司 Method for creating digital signatures by cooperation of client and server
CN106789087A (en) * 2017-01-26 2017-05-31 数安时代科技股份有限公司 Determine the data summarization of message, the method and system based on multi-party digital signature
CN107682151A (en) * 2017-10-30 2018-02-09 武汉大学 A kind of GOST digital signature generation method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ROSARIO GENNARO: "Fast Multiparty Threshold ECDSA with Fast Trustless Setup", 《CCS'18 - SESSION 6C: CRYPTO 3》 *
YEHUDA LINDELL: "Fast secure two-party ecdsa signing", 《ADVANCES IN CRYPTOLOGY – CRYPTO 2017. LECTURE NOTES IN COMPUTER SCIENCE》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111565108A (en) * 2020-07-15 2020-08-21 北京信安世纪科技股份有限公司 Signature processing method, device and system
CN113158258A (en) * 2021-03-31 2021-07-23 郑州信大捷安信息技术股份有限公司 Collaborative signature method, device and system based on elliptic curve
CN113158258B (en) * 2021-03-31 2022-02-11 郑州信大捷安信息技术股份有限公司 Collaborative signature method, device and system based on elliptic curve

Also Published As

Publication number Publication date
CN108964906B (en) 2021-05-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant