CN110061847A - The digital signature method that key distribution generates - Google Patents

The digital signature method that key distribution generates Download PDF

Info

Publication number
CN110061847A
CN110061847A CN201910271243.1A CN201910271243A CN110061847A CN 110061847 A CN110061847 A CN 110061847A CN 201910271243 A CN201910271243 A CN 201910271243A CN 110061847 A CN110061847 A CN 110061847A
Authority
CN
China
Prior art keywords
signature
participant
parameter
indicate
sub
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910271243.1A
Other languages
Chinese (zh)
Other versions
CN110061847B (en
Inventor
庞辽军
叩曼
魏萌萌
李慧贤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University filed Critical Xidian University
Priority to CN201910271243.1A priority Critical patent/CN110061847B/en
Publication of CN110061847A publication Critical patent/CN110061847A/en
Application granted granted Critical
Publication of CN110061847B publication Critical patent/CN110061847B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses the digital signature methods that a kind of key distribution generates, the technical issues of for solving existing digital signature method low efficiency.Technical solution is in key generation phase, and t signature participant chooses the sub- private key of oneself, by with the generation for interact completion private key of first participant that signs.In the signature stage, the sub- private key that t signature participant is successively held using oneself carries out distributed signature, then synthesizing for signature second part is completed under the conditions of homomorphic cryptography by t-th of participant that signs, then final signature is completed by first signature participant and is synthesized and verifying.The present invention utilizes paillier homomorphic encryption algorithm, each signature participant does not need the correctness for guaranteeing signature using zero-knowledge proof, last signature verification only needs the point multiplication operation on point add operation and two elliptic curves on an elliptic curve, compared with t zero-knowledge proof of background technique, computational efficiency is improved.

Description

The digital signature method that key distribution generates
Technical field
The present invention relates to a kind of digital signature method, in particular to a kind of digital signature method of key distribution generation.
Background technique
Document " Goldfeder S, Gennaro R, Kalodner H, et al.Securing Bitcoin wallets A kind of distributed thresholding label are proposed in via a new DSA/ECDSA threshold signature scheme.2015. " Name method, the major technique that this method utilizes is paillier homomorphic encryption algorithm and zero-knowledge proof.In this method, signature Private key is grasped by t people, and signature process needs t people to participate in completing, therefore improves the safety of signature private key.However, this A large amount of zero-knowledge proof has been used to operate in a method, zero-knowledge proof needs authentication repeatedly to be handed over the side of being verified Mutually, the magnitude of interaction times is higher, and the confidence level for the side of being verified is higher, this is a time-consuming operation, therefore the efficiency of this method It is relatively low.In the method, it completes once signed to need to carry out t zero-knowledge proof, it is assumed that carry out a zero-knowledge proof Need tzSecondary interaction, then completing all zero-knowledge proofs just needs ttzSecondary interaction, interactive number lead to the party too much Method is not appropriate for applying in real scene.
Summary of the invention
In order to overcome the shortcomings of that existing digital signature method low efficiency, the present invention provide a kind of number that key distribution generates Word endorsement method.This method chooses the sub- private key of oneself in key generation phase, t signature participant, by signing with first The generation of private key is completed in the interaction of name participant.In the sub- private key that signature stage, t signature participant are successively held using oneself Distributed signature is carried out, then completes synthesizing for signature second part under the conditions of homomorphic cryptography by t-th of participant that signs, then Final signature is completed by first signature participant to synthesize and verifying.The present invention utilizes paillier homomorphic encryption algorithm, often A signature participant does not need the correctness for guaranteeing signature using zero-knowledge proof, it is only necessary to by first signature participant couple Signature carries out verifying and ensures that the correctness finally signed, and last signature verification only needs the point on an elliptic curve Add the point multiplication operation in operation and two elliptic curves, compared with t zero-knowledge proof of background technique, improves computational efficiency.
A kind of the technical solution adopted by the present invention to solve the technical problems: digital signature side that key distribution generates Method, its main feature is that the following steps are included:
Step 1: first signature participant ID1Choose the sub- private key d of oneself1∈ { 1,2 ..., n-1 } is then calculated certainly Oneself sub- private key d1It whether there is multiplicative inverse at mould nIf it is present performing the next step suddenly, if it does not exist, then weight Newly choose the sub- private key d of oneself1∈ { 1,2 ..., n-1 } and the sub- private key d for recalculating oneself1It whether there is multiplication at mould n Inverse elementUntil finding one, there are multiplicative inversesSub- private key d1, then perform the next step rapid;
Wherein, ID1Indicate first signature participant, d1Indicate first signature participant ID1Sub- private key,It indicates First signature participant ID1Sub- private key d1Multiplicative inverse at mould n, n are positive integer, indicate the rank of elliptic curve basic point;
Step 2: according to the following formula, first signature participant ID1Calculate the sub- public key Q of oneself1With pseudo- sub- public key Q1', so Afterwards by sub- public key Q1With pseudo- sub- public key Q1' all it is broadcast to all signature participants:
Q1=d1G
Wherein, Q1Indicate first signature participant ID1Sub- public key, Q1' indicate first signature participant ID1Puppet Sub- public key, G indicate the basic point that a rank is n on elliptic curve;
Step 3: receiving first signature participant ID1Sub- public key Q1With pseudo- sub- public key Q1' after, i-th of signature ginseng With person IDiChoose the sub- private key d of oneselfi∈ { 1,2 ..., n-1 } then according to the following formula calculates the sub- public key Q of puppet of oneselfi', and By pseudo- sub- public key Qi' it is sent to first signature participant ID1, i=2,3 ..., t:
Qi'=diQ1
Wherein, IDiIndicate i-th of signature participant, diIndicate i-th of signature participant IDiSub- private key, Qi' indicate the I signature participant IDiThe sub- public key of puppet, t is positive integer, indicates signature participant IDiNumber;
Step 4: first signature participant ID1In the sub- public key Q of puppet for receiving all signature participantsi' after, under Formula successively calculates each signature participant IDiSub- public key Qi, then by all calculated sub- public key QiIt is open:
Qi=d1Qi
Wherein, QiIndicate i-th of signature participant IDiSub- public key;
Step 5: each signature participant IDiReceive first signature participant ID1Disclosed sub- public key QiAfterwards, it tests Demonstrate,prove equation
Qi=diG
It is whether true, if the verification result of each signature participant is to set up, perform the next step it is rapid, if there is The verification result of any one signature participant is invalid, then return step one;
Step 6: according to the following formula, each signature participant IDiCalculate the signature public key Q simultaneously carries out public signature key Q public It opens:
Wherein, Q indicates public signature key, and ∑ indicates sum operation;
Step 7: first signature participant ID1Choose the secret value k of oneself1∈ { 1,2 ..., n-1 } is then calculated certainly Oneself secret value k1It whether there is multiplicative inverse at mould nIf it is present performing the next step suddenly, if it does not exist, then weight Newly choose the secret value k of oneself1∈ { 1,2 ..., n-1 } and the secret value k for recalculating oneself1It whether there is multiplication at mould n Inverse elementUntil finding one, there are multiplicative inversesSecret value k1, then perform the next step rapid;
Wherein, k1Indicate first signature participant ID1Secret value,Indicate first signature participant ID1Secret Value k1Multiplicative inverse at mould n;
Step 8: according to the following formula, first signature participant ID1Calculate first signature parameter median R1, and by first A signature parameter median R1It is sent to second signature participant ID2:
R1=k1G
Wherein, R1Indicate first signature parameter median, ID2Indicate second signature participant;
Step 9: i-th of signature participant IDiReceive (i-1)-th signature parameter median Ri-1Afterwards, oneself is chosen Secret value ki∈ { 1,2 ..., n-1 } then calculates the secret value k of oneselfiIt whether there is multiplicative inverse k at mould ni -1If deposited It is then performing the next step suddenly, if it does not exist, then choosing the secret value k of oneself againi∈ 1,2 ..., n-1 } and recalculate The secret value k of oneselfiIt whether there is multiplicative inverse at mould nUntil finding one, there are multiplicative inversesSecret value ki, Then rapid, i=2,3 ..., t-1 are performed the next step;
Wherein, kiIndicate i-th of signature participant IDiSecret value,Indicate i-th of signature participant IDiSecret value kiMultiplicative inverse at mould n;
Step 10: according to the following formula, i-th of signature participant IDiCalculate i-th of signature parameter median Ri, and by i-th Signature parameter median RiIt is sent to i+1 signature participant IDi+1, i=2,3 ..., t-1:
Ri=kiRi-1
Wherein, RiIndicate i-th of signature parameter median, Ri-1Indicate (i-1)-th signature parameter median, IDi+1It indicates I+1 signature participant;
Step 11: t-th of signature participant IDtReceive the t-1 signature parameter median Rt-1Afterwards, oneself is chosen Secret value kt∈ { 1,2 ..., n-1 } then calculates the secret value k of oneselftIt whether there is multiplicative inverse at mould nIf In the presence of, then perform the next step it is rapid, if it does not exist, then choosing the secret value k of oneself againt∈ 1,2 ..., n-1 } and count again Calculate the secret value k of oneselftIt whether there is multiplicative inverse at mould nUntil finding one, there are multiplicative inversesSecret value kt, then perform the next step rapid;
Wherein, IDtIndicate t-th of signature participant, ktIndicate t-th of signature participant IDtSecret value,Indicate t A signature participant IDtSecret value ktMultiplicative inverse at mould n;
Step 12: according to the following formula, t-th of signature participant IDtThen calculate the signature parameter R judges that signature parameter R is The no zero point on elliptic curve, if it is, return step six, if it is not, then signature parameter R to be broadcast to all label Name participant:
R=ktRt-1=(xR,yR)
Wherein, Rt-1Indicate the t-1 signature parameter median, R indicates signature parameter, xRIndicate the horizontal seat of signature parameter R Mark, yRIndicate the ordinate of signature parameter R;
Step 13: i-th of signature participant IDiAfter receiving signature parameter R, according to the following formula, first part's label are calculated Name r:
R=xRmod n
Then judge whether r=0 is true, if set up, return step three continues to execute next if invalid Step;
Wherein, r indicates that first part's signature, mod indicate modulus operation;
Step 14: according to the following formula, first signature participant ID1The cryptographic Hash H for calculating message M, then according to data H is converted to an integer e by type transformation rule:
H=hash (M)
Wherein, M indicates message, and H indicates the cryptographic Hash of message M, and hash indicates that a cryptographic hash algorithm, e indicate Hash Integer value after value H conversion;
Step 15: first signature participant ID1The private key sk and public key pk of paillier homomorphic encryption algorithm are selected, Private key sk secret is saved, and public key pk is disclosed;
Wherein, paillier indicates homomorphic encryption algorithm, and sk indicates the private key of paillier homomorphic encryption algorithm, for doing Operation is decrypted, pk indicates the public key of paillier homomorphic encryption algorithm, for doing cryptographic calculation;
Step 16: according to the following formula, first signature participant ID1It calculates first signature and generates parameter first part α1 Parameter second part β is generated with first signature1, first signature is then generated into parameter first part α1It signs with first Generate parameter second part β1It is sent to second signature participant ID2:
β1=Epk(rd1mod n)
Wherein, α1Indicate that first signature generates parameter first part, β1Indicate that first signature generates parameter second Point, EpkThe cryptographic calculation of () expression paillier homomorphic encryption algorithm;
Step 17: i-th of signature participant IDiIt receives (i-1)-th signature and generates parameter first part αi-1With i-th- 1 signature generates parameter second part βi-1Afterwards, according to the following formula, it calculates i-th of signature and generates parameter first part αiWith i-th Signature generates parameter second part βi, i-th of signature is then generated into parameter first part αiParameter the is generated with i-th signature Two part βiIt is sent to i+1 signature participant IDi+1, i=2,3 ..., t-1:
βi=Epk(rdimodn)+Eβi-1
Wherein, αiIndicate that i-th of signature generates parameter first part, βiIndicate that i-th of signature generates parameter second part, αi-1Indicate that (i-1)-th signature generates parameter first part, βi-1Indicate that (i-1)-th signature generates parameter second part, ×EIt indicates Multiplicative homomorphic operation under paillier homomorphic encryption algorithm ,+EIndicate the additive homomorphism fortune under paillier homomorphic encryption algorithm It calculates;
Step 18: t-th of signature participant IDtIt receives the t-1 signature and generates parameter first part αt-1With t- 1 signature generates parameter second part βt-1Afterwards, according to the following formula, it calculates t-th of signature and generates parameter first part αtWith t-th Signature generates parameter second part βt:
βt=Epk(rdtmod n)+Eβt-1
Wherein, αtIndicate that t-th of signature generates parameter first part, βtIndicate that t-th of signature generates parameter second part, αt-1Indicate that the t-1 signature generates parameter first part, βt-1Indicate that the t-1 signature generates parameter second part, dtIt indicates T-th of signature participant IDtSub- private key;
Step 19: t-th of signature participant IDtIt chooses secret and obscures value ρ ∈ { 1,2 ..., n-1 }, then calculate secret Value ρ is obscured at mould n with the presence or absence of multiplicative inverse ρ-1, if it is present performing the next step suddenly, if it does not exist, then selecting again It takes secret to obscure value ρ ∈ { 1,2 ..., n-1 } and recalculates secret and obscure value ρ at mould n with the presence or absence of multiplicative inverse ρ-1, directly To finding one, there are multiplicative inverse ρ-1Secret obscure value ρ, then perform the next step rapid;
Wherein, ρ indicates that secret obscures value, ρ-1Indicate that secret obscures multiplicative inverse of the value ρ at mould n;
Step 20: according to the following formula, t-th of signature participant IDtIt calculates the t+1 signature and generates parameter second part βt+1, the t+1 signature is then generated into parameter second part βt+1It is sent to the t-1 signature participant IDt-1:
Wherein, βt+1Indicate that the t+1 signature generates parameter second part, IDt-1Indicate the t-1 signature participant;
Step 2 11, according to the following formula, i-th of signature participant IDiIt calculates the 2t-i+1 signature and generates parameter second Part β2t-i+1, the 2t-i+1 signature is then generated into parameter second part β2t-i+1It is sent to (i-1)-th signature participant IDi-1, i=t-1, t-2 ..., 2:
Wherein, β2t-i+1Indicate that the 2t-i+1 signature generates parameter second part, β2t-iIndicate that the 2t-i signature generates Parameter second part;
Step 2 12, according to the following formula, first signature participant ID1It calculates the 2t signature and generates parameter second part β2t, the 2t signature is then generated into parameter second part β2tIt is sent to t-th of signature participant IDt:
Wherein, β2tIndicate that the 2t signature generates parameter second part, β2t-1Indicate that the 2t-1 signature generates parameter the Two parts;
Step 2 13, according to the following formula, t-th of signature participant IDtIt calculates the 2t+1 signature and generates parameter second Divide β2t+1:
β2t+12t×Eρ-1
Wherein, β2t+1Indicate that the 2t+1 signature generates parameter second part;
Step 2 14, according to the following formula, t-th of signature participant IDtSecond part signature s is calculated in paillier homomorphism Then ciphertext C of the second part signature s under paillier homomorphic cryptography is sent to first signature by the ciphertext C under encryption Participant ID1:
C=αt+Eβ2t+1
Wherein, s indicates that second part signature, C indicate ciphertext of the second part signature s under paillier homomorphic cryptography;
Step 2 15, according to the following formula, first signature participant ID1Calculate second part signature s:
S=Dsk(C)mod n
Wherein, DskThe decryption operation of () expression paillier homomorphic encryption algorithm;
Step 2 16, according to the following formula, first signature participant ID1Calculate the signature certificate parameter R ', R '=(xR′, yR'):
R '=s-1(eG+rQ)
Wherein, R ' expression signature verification parameter, xRThe abscissa of ' expression signature verification parameter R ', yR' indicate signature verification The ordinate of parameter R ', s-1Indicate multiplicative inverse of the second part signature s at mould n;
Step 2 17, according to the following formula, first signature participant ID1The certificate parameter r ' of first part's signature is calculated, Then judge whether equation r '=r is true, if set up, perform the next step suddenly, if invalid, sign and fail, return Step 6:
r′≡xR′mod n
Wherein, the certificate parameter of r ' expression first part signature, ≡ indicate congruence symbol;
18, first signature participant ID of step 21Signature (r, s) is extracted, is then broadcast to signature (r, s) all Sign participant;
Wherein, (r, s) indicates the signature ultimately generated.
The beneficial effects of the present invention are: this method, in key generation phase, the son that t signature participant chooses oneself is private Key, by with first sign participant interact completion private key generation.In the signature stage, t signature participant is successively sharp The sub- private key held with oneself carries out distributed signature, then completes label under the conditions of homomorphic cryptography by t-th of signature participant The synthesis of name second part, then final signature is completed by first signature participant and is synthesized and verifying.The present invention utilizes Paillier homomorphic encryption algorithm, each signature participant do not need the correctness for guaranteeing signature using zero-knowledge proof, only It needs to carry out verifying to signature by first signature participant to ensure that the correctness finally signed, last signature verification The point multiplication operation on the point add operation and two elliptic curves on an elliptic curve is only needed, with t Zero Knowledge of background technique Proof is compared, and computational efficiency is improved.
It generates and stores in addition, the present invention realizes the distributed of private key, the generation of private key does not need trusted party, private key Safety it is higher.
The present invention realizes the function that signature is generated by t people's distribution, does not need explicitly to synthesize private key in signature, It avoids private key and reveals brought risk.
It elaborates with reference to the accompanying drawings and detailed description to the present invention.
Detailed description of the invention
Fig. 1 is the flow chart for the digital signature method that key distribution of the present invention generates.
Specific embodiment
Explanation of nouns:
T: the parameter of elliptic curve secp256k1;
P: finite field F is generatedpBig prime, value FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFEFFFFFC2F=2256-232-29-28-27-26-24-1;
A, b: the parameter of elliptic equation, a=0, b=7;
G: the basic point that a rank is n on elliptic curve, value 0479BE667EF9DCBBAC55A06295CE870B07 029BFCDB2DCE28D959F2815B16F81798483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A685 54199C47D08FFB10D4B8;
N: the rank of elliptic curve basic point G, value FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF 48A03BBFD25E8CD0364141;
H: cofactor controls the density of selected point, value 01;
ID1: first signature participant;
ID2: second signature participant;
IDi: i-th of signature participant;
IDi+1: i+1 signature participant;
IDt: t-th of signature participant;
IDt-1: the t-1 signature participant;
T: positive integer indicates signature participant IDiNumber;
d1: first signature participant ID1Sub- private key;
First signature participant ID1Sub- private key d1Multiplicative inverse at mould n;
di: i-th of signature participant IDiSub- private key;
dt: t-th of signature participant IDtSub- private key;
Q1: first signature participant ID1Sub- public key;
Q1': indicate first signature participant ID1The sub- public key of puppet;
Qi: i-th of signature participant IDiSub- public key;
Qi': i-th of signature participant IDiThe sub- public key of puppet;
Q: public signature key;
∑: sum operation, such as
k1: first signature participant ID1Secret value;
First signature participant ID1Secret value k1Multiplicative inverse at mould n;
ki: i-th of signature participant IDiSecret value;
I-th of signature participant IDiSecret value kiMultiplicative inverse at mould n;
kt: t-th of signature participant IDtSecret value;
T-th of signature participant IDtSecret value ktMultiplicative inverse at mould n;
R1: first signature parameter median;
Ri: i-th of signature parameter median;
Ri-1: (i-1)-th signature parameter median;
Rt-1: the t-1 signature parameter median;
R: signature parameter;
xR: the abscissa of signature parameter R;
yR: the ordinate of signature parameter R;
R: first part's signature;
Mod: modulus operation, such as 7mod4=3;
M: message;
H: the cryptographic Hash of message M;
Hash: cryptographic hash algorithm;
Integer value after e: cryptographic Hash H conversion;
Paillier: homomorphic encryption algorithm;
The private key of sk:paillier homomorphic encryption algorithm;
The public key of pk:paillier homomorphic encryption algorithm;
Epk(): the cryptographic calculation of paillier homomorphic encryption algorithm;
Dsk(): the decryption operation of paillier homomorphic encryption algorithm;
×E: the multiplicative homomorphic operation under paillier homomorphic encryption algorithm;
+E: the additive homomorphism operation under paillier homomorphic encryption algorithm;
α1: first signature generates parameter first part;
αi: i-th of signature generates parameter first part;
αi-1: (i-1)-th signature generates parameter first part;
αt-1: the t-1 signature generates parameter first part;
αt: t-th of signature generates parameter first part;
β1: first signature generates parameter second part;
βi: i-th of signature generates parameter second part;
βi-1: (i-1)-th signature generates parameter second part;
βt-1: the t-1 signature generates parameter second part;
βt: t-th of signature generates parameter second part;
βt+1: the t+1 signature generates parameter second part;
β2t-i+1: the 2t-i+1 signature generates parameter second part;
β2t-i: the 2t-i signature generates parameter second part;
β2t: the 2t signature generates parameter second part;
β2t-1: the 2t-1 signature generates parameter second part;
β2t+1: the 2t+1 signature generates parameter second part;
ρ: secret obscures value;
ρ-1: secret obscures multiplicative inverse of the value ρ at mould n;
S: second part signature;
s-1: multiplicative inverse of the second part signature s at mould n;
C: the second part signature s ciphertext under paillier homomorphic cryptography;
R ': signature verification parameter;
xR': the abscissa of signature verification parameter R ';
yR': the ordinate of signature verification parameter R ';
R ': the certificate parameter of first part's signature;
≡: congruence symbol;
(r, s): the signature ultimately generated.
Referring to Fig.1.Specific step is as follows for the digital signature method that key distribution of the present invention generates:
Determine system parameter: this is the preparation before being embodied.
Elliptic curve secp256k1 is chosen, determines parameter T=(p, a, b, G, n, h), wherein T indicates elliptic curve The parameter of secp256k1, p indicate to generate finite field FpBig prime, p=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F=2256-232-29-28-27-26-24The ginseng of -1, a, b expression elliptic equation Number, a=0, b=7, G indicate the basic point that a rank is n on elliptic curve, G=0479BE667EF9DCBBAC55A06295CE8 70B07029BFCDB2DCE28D959F2815B16F81798483ADA7726A3C4655DA4FBFC0E1108A8FD17B44 8A68554199C47D08FFB10D4B8, n indicate the rank of elliptic curve basic point G, n=FFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141, h indicate cofactor, control the density of selected point, h=01.
Step 1: first signature participant ID1Choose the sub- private key d of oneself1∈ { 1,2 ..., n-1 } is then calculated certainly Oneself sub- private key d1It whether there is multiplicative inverse d at mould n1 -1, if it is present perform the next step suddenly, if it does not exist, then Again the sub- private key d of oneself is chosen1∈ { 1,2 ..., n-1 } and the sub- private key d for recalculating oneself1It whether there is at mould n and multiply Method inverse elementUntil finding one, there are multiplicative inversesSub- private key d1, then perform the next step rapid;
Wherein, ID1Indicate first signature participant, d1Indicate first signature participant ID1Sub- private key,It indicates First signature participant ID1Sub- private key d1Multiplicative inverse at mould n, n are positive integer, indicate the rank of elliptic curve basic point;
Step 2: according to the following formula, first signature participant ID1Calculate the sub- public key Q of oneself1With pseudo- sub- public key Q1', so Afterwards by sub- public key Q1With pseudo- sub- public key Q1' all it is broadcast to all signature participants:
Q1=d1G
Wherein, Q1Indicate first signature participant ID1Sub- public key, Q1' indicate first signature participant ID1Puppet Sub- public key, G indicate the basic point that a rank is n on elliptic curve;
Step 3: receiving first signature participant ID1Sub- public key Q1With pseudo- sub- public key Q1' after, i-th of signature ginseng With person IDiChoose the sub- private key d of oneselfi∈ { 1,2 ..., n-1 } then according to the following formula calculates the sub- public key Q of puppet of oneselfi', and By pseudo- sub- public key Qi' it is sent to first signature participant ID1, i=2,3 ..., t:
Qi'=diQ1
Wherein, IDiIndicate i-th of signature participant, diIndicate i-th of signature participant IDiSub- private key, Qi' indicate the I signature participant IDiThe sub- public key of puppet, t is positive integer, indicates signature participant IDiNumber;
Step 4: first signature participant ID1In the sub- public key Q of puppet for receiving all signature participantsi' after, under Formula successively calculates each signature participant IDiSub- public key Qi, then by all calculated sub- public key QiIt is open:
Qi=d1Qi
Wherein, QiIndicate i-th of signature participant IDiSub- public key;
Step 5: each signature participant IDiReceive first signature participant ID1Disclosed sub- public key QiAfterwards, it tests Demonstrate,prove equation
Qi=diG
It is whether true, if the verification result of each signature participant is to set up, perform the next step it is rapid, if there is The verification result of any one signature participant is invalid, then return step one;
Step 6: according to the following formula, each signature participant IDiCalculate the signature public key Q simultaneously carries out public signature key Q public It opens:
Wherein, Q indicates public signature key, and ∑ indicates sum operation;
Step 7: first signature participant ID1Choose the secret value k of oneself1∈ { 1,2 ..., n-1 } is then calculated certainly Oneself secret value k1It whether there is multiplicative inverse at mould nIf it is present performing the next step suddenly, if it does not exist, then weight Newly choose the secret value k of oneself1∈ { 1,2 ..., n-1 } and the secret value k for recalculating oneself1It whether there is multiplication at mould n Inverse elementUntil finding one, there are multiplicative inversesSecret value k1, then perform the next step rapid;
Wherein, k1Indicate first signature participant ID1Secret value,Indicate first signature participant ID1Secret Value k1Multiplicative inverse at mould n;
Step 8: according to the following formula, first signature participant ID1Calculate first signature parameter median R1, and by first A signature parameter median R1It is sent to second signature participant ID2:
R1=k1G
Wherein, R1Indicate first signature parameter median, ID2Indicate second signature participant;
Step 9: i-th of signature participant IDiReceive (i-1)-th signature parameter median Ri-1Afterwards, oneself is chosen Secret value ki∈ { 1,2 ..., n-1 } then calculates the secret value k of oneselfiIt whether there is multiplicative inverse k at mould ni -1, if In the presence of, then perform the next step it is rapid, if it does not exist, then choosing the secret value k of oneself againi∈ 1,2 ..., n-1 } and count again Calculate the secret value k of oneselfiIt whether there is multiplicative inverse at mould nUntil finding one, there are multiplicative inversesSecret value ki, then perform the next step rapid, i=2,3 ..., t-1;
Wherein, kiIndicate i-th of signature participant IDiSecret value,Indicate i-th of signature participant IDiSecret value kiMultiplicative inverse at mould n;
Step 10: according to the following formula, i-th of signature participant IDiCalculate i-th of signature parameter median Ri, and by i-th Signature parameter median RiIt is sent to i+1 signature participant IDi+1, i=2,3 ..., t-1:
Ri=kiRi-1
Wherein, RiIndicate i-th of signature parameter median, Ri-1Indicate (i-1)-th signature parameter median, IDi+1It indicates I+1 signature participant;
Step 11: t-th of signature participant IDtReceive the t-1 signature parameter median Rt-1Afterwards, oneself is chosen Secret value kt∈ { 1,2 ..., n-1 } then calculates the secret value k of oneselftIt whether there is multiplicative inverse at mould nIf In the presence of, then perform the next step it is rapid, if it does not exist, then choosing the secret value k of oneself againt∈ 1,2 ..., n-1 } and count again Calculate the secret value k of oneselftIt whether there is multiplicative inverse at mould nUntil finding one, there are multiplicative inversesSecret value kt, then perform the next step rapid;
Wherein, IDtIndicate t-th of signature participant, ktIndicate t-th of signature participant IDtSecret value,Indicate t A signature participant IDtSecret value ktMultiplicative inverse at mould n;
Step 12: according to the following formula, t-th of signature participant IDtThen calculate the signature parameter R judges that signature parameter R is The no zero point on elliptic curve, if it is, return step six, if it is not, then signature parameter R to be broadcast to all label Name participant:
R=ktRt-1=(xR,yR)
Wherein, Rt-1Indicate the t-1 signature parameter median, R indicates signature parameter, xRIndicate the horizontal seat of signature parameter R Mark, yRIndicate the ordinate of signature parameter R;
Step 13: i-th of signature participant IDiAfter receiving signature parameter R, according to the following formula, first part's label are calculated Name r:
R=xRmod n
Then judge whether r=0 is true, if set up, return step three continues to execute next if invalid Step;
Wherein, r indicates that first part's signature, mod indicate modulus operation;
Step 14: according to the following formula, first signature participant ID1The cryptographic Hash H for calculating message M, then according to data H is converted to an integer e by type transformation rule:
H=hash (M)
Wherein, M indicates message, and H indicates the cryptographic Hash of message M, and hash indicates that a cryptographic hash algorithm, e indicate Hash Integer value after value H conversion;
Step 15: first signature participant ID1The private key sk and public key pk of paillier homomorphic encryption algorithm are selected, Private key sk secret is saved, and public key pk is disclosed;
Wherein, paillier indicates homomorphic encryption algorithm, and sk indicates the private key of paillier homomorphic encryption algorithm, for doing Operation is decrypted, pk indicates the public key of paillier homomorphic encryption algorithm, for doing cryptographic calculation;
Step 16: according to the following formula, first signature participant ID1It calculates first signature and generates parameter first part α1 Parameter second part β is generated with first signature1, first signature is then generated into parameter first part α1It signs with first Generate parameter second part β1It is sent to second signature participant ID2:
β1=Epk(rd1mod n)
Wherein, α1Indicate that first signature generates parameter first part, β1Indicate that first signature generates parameter second Point, EpkThe cryptographic calculation of () expression paillier homomorphic encryption algorithm;
Step 17: i-th of signature participant IDiIt receives (i-1)-th signature and generates parameter first part αi-1With i-th- 1 signature generates parameter second part βi-1Afterwards, according to the following formula, it calculates i-th of signature and generates parameter first part αiWith i-th Signature generates parameter second part βi, i-th of signature is then generated into parameter first part αiParameter the is generated with i-th signature Two part βiIt is sent to i+1 signature participant IDi+1, i=2,3 ..., t-1:
βi=Epk(rdimod n)+Eβi-1
Wherein, αiIndicate that i-th of signature generates parameter first part, βiIndicate that i-th of signature generates parameter second part, αi-1Indicate that (i-1)-th signature generates parameter first part, βi-1Indicate that (i-1)-th signature generates parameter second part, ×EIt indicates Multiplicative homomorphic operation under paillier homomorphic encryption algorithm ,+EIndicate the additive homomorphism fortune under paillier homomorphic encryption algorithm It calculates;
Step 18: t-th of signature participant IDtIt receives the t-1 signature and generates parameter first part αt-1With t- 1 signature generates parameter second part βt-1Afterwards, according to the following formula, it calculates t-th of signature and generates parameter first part αtWith t-th Signature generates parameter second part βt:
βt=Epk(rdtmod n)+Eβt-1
Wherein, αtIndicate that t-th of signature generates parameter first part, βtIndicate that t-th of signature generates parameter second part, αt-1Indicate that the t-1 signature generates parameter first part, βt-1Indicate that the t-1 signature generates parameter second part, dtIt indicates T-th of signature participant IDtSub- private key;
Step 19: t-th of signature participant IDtIt chooses secret and obscures value ρ ∈ { 1,2 ..., n-1 }, then calculate secret Value ρ is obscured at mould n with the presence or absence of multiplicative inverse ρ-1, if it is present performing the next step suddenly, if it does not exist, then selecting again It takes secret to obscure value ρ ∈ { 1,2 ..., n-1 } and recalculates secret and obscure value ρ at mould n with the presence or absence of multiplicative inverse ρ-1, directly To finding one, there are multiplicative inverse ρ-1Secret obscure value ρ, then perform the next step rapid;
Wherein, ρ indicates that secret obscures value, ρ-1Indicate that secret obscures multiplicative inverse of the value ρ at mould n;
Step 20: according to the following formula, t-th of signature participant IDtIt calculates the t+1 signature and generates parameter second part βt+1, the t+1 signature is then generated into parameter second part βt+1It is sent to the t-1 signature participant IDt-1:
Wherein, βt+1Indicate that the t+1 signature generates parameter second part, IDt-1Indicate the t-1 signature participant;
Step 2 11, according to the following formula, i-th of signature participant IDiIt calculates the 2t-i+1 signature and generates parameter second Part β2t-i+1, the 2t-i+1 signature is then generated into parameter second part β2t-i+1It is sent to (i-1)-th signature participant IDi-1, i=t-1, t-2 ..., 2:
Wherein, β2t-i+1Indicate that the 2t-i+1 signature generates parameter second part, β2t-iIndicate that the 2t-i signature generates Parameter second part;
Step 2 12, according to the following formula, first signature participant ID1It calculates the 2t signature and generates parameter second part β2t, the 2t signature is then generated into parameter second part β2tIt is sent to t-th of signature participant IDt:
Wherein, β2tIndicate that the 2t signature generates parameter second part, β2t-1Indicate that the 2t-1 signature generates parameter the Two parts;
Step 2 13, according to the following formula, t-th of signature participant IDtIt calculates the 2t+1 signature and generates parameter second Divide β2t+1:
β2t+12t×Eρ-1
Wherein, β2t+1Indicate that the 2t+1 signature generates parameter second part;
Step 2 14, according to the following formula, t-th of signature participant IDtSecond part signature s is calculated in paillier homomorphism Then ciphertext C of the second part signature s under paillier homomorphic cryptography is sent to first signature by the ciphertext C under encryption Participant ID1:
C=αt+Eβ2t+1
Wherein, s indicates that second part signature, C indicate ciphertext of the second part signature s under paillier homomorphic cryptography;
Step 2 15, according to the following formula, first signature participant ID1Calculate second part signature s:
S=Dsk(C)mod n
Wherein, DskThe decryption operation of () expression paillier homomorphic encryption algorithm;
Step 2 16, according to the following formula, first signature participant ID1Calculate the signature certificate parameter R ', R '=(xR′, yR'):
R '=s-1(eG+rQ)
Wherein, R ' expression signature verification parameter, xRThe abscissa of ' expression signature verification parameter R ', yR' indicate signature verification The ordinate of parameter R ', s-1Indicate multiplicative inverse of the second part signature s at mould n;
Step 2 17, according to the following formula, first signature participant ID1The certificate parameter r ' of first part's signature is calculated, Then judge whether equation r '=r is true, if set up, perform the next step suddenly, if invalid, sign and fail, return Step 6:
r′≡xR′mod n
Wherein, the certificate parameter of r ' expression first part signature, ≡ indicate congruence symbol;
18, first signature participant ID of step 21Signature (r, s) is extracted, is then broadcast to signature (r, s) all Sign participant;
Wherein, (r, s) indicates the signature ultimately generated.

Claims (1)

1. the digital signature method that a kind of key distribution generates, it is characterised in that the following steps are included:
Step 1: first signature participant ID1Choose the sub- private key d of oneself1∈ { 1,2 ..., n-1 }, then calculates oneself Sub- private key d1It whether there is multiplicative inverse at mould nIf it is present performing the next step suddenly, if it does not exist, then selecting again It is derived from oneself sub- private key d1∈ { 1,2 ..., n-1 } and the sub- private key d for recalculating oneself1It whether there is multiplicative inverse at mould nUntil finding one, there are multiplicative inversesSub- private key d1, then perform the next step rapid;
Wherein, ID1Indicate first signature participant, d1Indicate first signature participant ID1Sub- private key,Indicate first A signature participant ID1Sub- private key d1Multiplicative inverse at mould n, n are positive integer, indicate the rank of elliptic curve basic point;
Step 2: according to the following formula, first signature participant ID1Calculate the sub- public key Q of oneself1With pseudo- sub- public key Q1', then will Sub- public key Q1With pseudo- sub- public key Q1' all it is broadcast to all signature participants:
Q1=d1G
Wherein, Q1Indicate first signature participant ID1Sub- public key, Q1' indicate first signature participant ID1Puppet it is public Key, G indicate the basic point that a rank is n on elliptic curve;
Step 3: receiving first signature participant ID1Sub- public key Q1With pseudo- sub- public key Q1' after, i-th of signature participant IDiChoose the sub- private key d of oneselfi∈ { 1,2 ..., n-1 } then according to the following formula calculates the sub- public key Q of puppet of oneselfi', and will be pseudo- Sub- public key Qi' it is sent to first signature participant ID1, i=2,3 ..., t:
Qi'=diQ1
Wherein, IDiIndicate i-th of signature participant, diIndicate i-th of signature participant IDiSub- private key, Qi' indicate i-th of label Name participant IDiThe sub- public key of puppet, t is positive integer, indicates signature participant IDiNumber;
Step 4: first signature participant ID1In the sub- public key Q of puppet for receiving all signature participantsi' after, according to the following formula, Successively calculate each signature participant IDiSub- public key Qi, then by all calculated sub- public key QiIt is open:
Qi=d1Qi
Wherein, QiIndicate i-th of signature participant IDiSub- public key;
Step 5: each signature participant IDiReceive first signature participant ID1Disclosed sub- public key QiAfterwards, verifying etc. Formula
Qi=diG
It is whether true, if the verification result of each signature participant is to set up, perform the next step suddenly, if there is any The verification result of one signature participant is invalid, then return step one;
Step 6: according to the following formula, each signature participant IDiCalculate the signature public key Q simultaneously carries out disclosure to public signature key Q:
Wherein, Q indicates public signature key, and ∑ indicates sum operation;
Step 7: first signature participant ID1Choose the secret value k of oneself1∈ { 1,2 ..., n-1 }, then calculates oneself Secret value k1It whether there is multiplicative inverse at mould nIf it is present performing the next step suddenly, if it does not exist, then selecting again It is derived from oneself secret value k1∈ { 1,2 ..., n-1 } and the secret value k for recalculating oneself1It whether there is multiplicative inverse at mould nUntil finding one, there are multiplicative inversesSecret value k1, then perform the next step rapid;
Wherein, k1Indicate first signature participant ID1Secret value,Indicate first signature participant ID1Secret value k1 Multiplicative inverse at mould n;
Step 8: according to the following formula, first signature participant ID1Calculate first signature parameter median R1, and first is signed Name parameter median R1It is sent to second signature participant ID2:
R1=k1G
Wherein, R1Indicate first signature parameter median, ID2Indicate second signature participant;
Step 9: i-th of signature participant IDiReceive (i-1)-th signature parameter median Ri-1Afterwards, the secret value of oneself is chosen ki∈ { 1,2 ..., n-1 } then calculates the secret value k of oneselfiIt whether there is multiplicative inverse at mould nIf it is present It performs the next step suddenly, if it does not exist, then choosing the secret value k of oneself againi∈ 1,2 ..., n-1 } and recalculate oneself Secret value kiIt whether there is multiplicative inverse at mould nUntil finding one, there are multiplicative inversesSecret value ki, then Perform the next step rapid, i=2,3 ..., t-1;
Wherein, kiIndicate i-th of signature participant IDiSecret value,Indicate i-th of signature participant IDiSecret value ki? Multiplicative inverse under mould n;
Step 10: according to the following formula, i-th of signature participant IDiCalculate i-th of signature parameter median Ri, and i-th is signed Parameter median RiIt is sent to i+1 signature participant IDi+1, i=2,3 ..., t-1:
Ri=kiRi-1
Wherein, RiIndicate i-th of signature parameter median, Ri-1Indicate (i-1)-th signature parameter median, IDi+1Indicate i+1 A signature participant;
Step 11: t-th of signature participant IDtReceive the t-1 signature parameter median Rt-1Afterwards, the secret of oneself is chosen Value kt∈ { 1,2 ..., n-1 } then calculates the secret value k of oneselftIt whether there is multiplicative inverse at mould nIf it does, It then performs the next step suddenly, if it does not exist, then choosing the secret value k of oneself againt∈ 1,2 ..., n-1 } and recalculate certainly Oneself secret value ktIt whether there is multiplicative inverse at mould nUntil finding one, there are multiplicative inversesSecret value kt, so After perform the next step it is rapid;
Wherein, IDtIndicate t-th of signature participant, ktIndicate t-th of signature participant IDtSecret value,Indicate t-th of label Name participant IDtSecret value ktMultiplicative inverse at mould n;
Step 12: according to the following formula, t-th of signature participant IDtCalculate the signature parameter R, then judge signature parameter R whether be Zero point on elliptic curve, if it is, return step six, joins if it is not, then signature parameter R is broadcast to all signatures With person:
R=ktRt-1=(xR,yR)
Wherein, Rt-1Indicate the t-1 signature parameter median, R indicates signature parameter, xRIndicate the abscissa of signature parameter R, yR Indicate the ordinate of signature parameter R;
Step 13: i-th of signature participant IDiAfter receiving signature parameter R, according to the following formula, first part signature r is calculated:
R=xR modn
Then judge whether r=0 is true, if set up, return step three continues to execute next step if invalid;
Wherein, r indicates that first part's signature, mod indicate modulus operation;
Step 14: according to the following formula, first signature participant ID1The cryptographic Hash H of message M is calculated, is then turned according to data type Rule is changed, H is converted into an integer e:
H=hash (M)
Wherein, M indicates message, and H indicates the cryptographic Hash of message M, and hash indicates that a cryptographic hash algorithm, e indicate that cryptographic Hash H turns Integer value after changing;
Step 15: first signature participant ID1The private key sk and public key pk for selecting paillier homomorphic encryption algorithm, will be private Key sk secret saves, and public key pk is disclosed;
Wherein, paillier indicates homomorphic encryption algorithm, and sk indicates the private key of paillier homomorphic encryption algorithm, for decrypting Operation, pk indicates the public key of paillier homomorphic encryption algorithm, for doing cryptographic calculation;
Step 16: according to the following formula, first signature participant ID1It calculates first signature and generates parameter first part α1With One signature generates parameter second part β1, first signature is then generated into parameter first part α1It is generated with first signature Parameter second part β1It is sent to second signature participant ID2:
β1=Epk(rd1 modn)
Wherein, α1Indicate that first signature generates parameter first part, β1Indicate that first signature generates parameter second part, Epk The cryptographic calculation of () expression paillier homomorphic encryption algorithm;
Step 17: i-th of signature participant IDiIt receives (i-1)-th signature and generates parameter first part αi-1It is signed with (i-1)-th Name generates parameter second part βi-1Afterwards, according to the following formula, it calculates i-th of signature and generates parameter first part αiIt is given birth to i-th of signature At parameter second part βi, i-th of signature is then generated into parameter first part αiParameter second part is generated with i-th of signature βiIt is sent to i+1 signature participant IDi+1, i=2,3 ..., t-1:
βi=Epk(rdi mod n)+Eβi-1
Wherein, αiIndicate that i-th of signature generates parameter first part, βiIndicate that i-th of signature generates parameter second part, αi-1Table Show that (i-1)-th signature generates parameter first part, βi-1Indicate that (i-1)-th signature generates parameter second part, ×EIt indicates Multiplicative homomorphic operation under paillier homomorphic encryption algorithm ,+EIndicate the additive homomorphism fortune under paillier homomorphic encryption algorithm It calculates;
Step 18: t-th of signature participant IDtIt receives the t-1 signature and generates parameter first part αt-1It is signed with the t-1 Name generates parameter second part βt-1Afterwards, according to the following formula, it calculates t-th of signature and generates parameter first part αtIt is given birth to t-th of signature At parameter second part βt:
βt=Epk(rdt mod n)+Eβt-1
Wherein, αtIndicate that t-th of signature generates parameter first part, βtIndicate that t-th of signature generates parameter second part, αt-1Table Show that the t-1 signature generates parameter first part, βt-1Indicate that the t-1 signature generates parameter second part, dtIt indicates t-th Sign participant IDtSub- private key;
Step 19: t-th of signature participant IDtIt chooses secret and obscures value ρ ∈ { 1,2 ..., n-1 }, then calculate secret and obscure Value ρ whether there is multiplicative inverse ρ at mould n-1, if it is present performing the next step suddenly, if it does not exist, then choosing again secret It is close obscure value ρ ∈ { 1,2 ..., n-1 } and recalculate secret obscure value ρ at mould n with the presence or absence of multiplicative inverse ρ-1, until looking for To one, there are multiplicative inverse ρ-1Secret obscure value ρ, then perform the next step rapid;
Wherein, ρ indicates that secret obscures value, ρ-1Indicate that secret obscures multiplicative inverse of the value ρ at mould n;
Step 20: according to the following formula, t-th of signature participant IDtIt calculates the t+1 signature and generates parameter second part βt+1, so The t+1 signature is generated into parameter second part β afterwardst+1It is sent to the t-1 signature participant IDt-1:
Wherein, βt+1Indicate that the t+1 signature generates parameter second part, IDt-1Indicate the t-1 signature participant;
Step 2 11, according to the following formula, i-th of signature participant IDiIt calculates the 2t-i+1 signature and generates parameter second part β2t-i+1, the 2t-i+1 signature is then generated into parameter second part β2t-i+1It is sent to (i-1)-th signature participant IDi-1, i =t-1, t-2 ..., 2:
Wherein, β2t-i+1Indicate that the 2t-i+1 signature generates parameter second part, β2t-iIndicate that the 2t-i signature generates parameter Second part;
Step 2 12, according to the following formula, first signature participant ID1It calculates the 2t signature and generates parameter second part β2t, Then the 2t signature is generated into parameter second part β2tIt is sent to t-th of signature participant IDt:
Wherein, β2tIndicate that the 2t signature generates parameter second part, β2t-1Indicate that the 2t-1 signature generates parameter second Point;
Step 2 13, according to the following formula, t-th of signature participant IDtIt calculates the 2t+1 signature and generates parameter second part β2t+1:
β2t+12t×Eρ-1
Wherein, β2t+1Indicate that the 2t+1 signature generates parameter second part;
Step 2 14, according to the following formula, t-th of signature participant IDtSecond part signature s is calculated in paillier homomorphic cryptography Under ciphertext C, ciphertext C of the second part signature s under paillier homomorphic cryptography is then sent to first signature participation Person ID1:
C=αt+E β2t+1
Wherein, s indicates that second part signature, C indicate ciphertext of the second part signature s under paillier homomorphic cryptography;
Step 2 15, according to the following formula, first signature participant ID1Calculate second part signature s:
S=Dsk(C)mod n
Wherein, DskThe decryption operation of () expression paillier homomorphic encryption algorithm;
Step 2 16, according to the following formula, first signature participant ID1Calculate the signature certificate parameter R ', R '=(xR′,yR'):
R '=s-1(eG+rQ)
Wherein, R ' expression signature verification parameter, xRThe abscissa of ' expression signature verification parameter R ', yR' indicate signature verification parameter The ordinate of R ', s-1Indicate multiplicative inverse of the second part signature s at mould n;
Step 2 17, according to the following formula, first signature participant ID1The certificate parameter r ' for calculating first part's signature, then sentences Whether disconnected equation r '=r is true, if set up, performs the next step suddenly, if invalid, sign and fail, return step six:
r′≡xR′mod n
Wherein, the certificate parameter of r ' expression first part signature, ≡ indicate congruence symbol;
18, first signature participant ID of step 21Signature (r, s) is extracted, signature (r, s) is then broadcast to all signatures Participant;
Wherein, (r, s) indicates the signature ultimately generated.
CN201910271243.1A 2019-04-04 2019-04-04 Digital signature method for key distributed generation Active CN110061847B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910271243.1A CN110061847B (en) 2019-04-04 2019-04-04 Digital signature method for key distributed generation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910271243.1A CN110061847B (en) 2019-04-04 2019-04-04 Digital signature method for key distributed generation

Publications (2)

Publication Number Publication Date
CN110061847A true CN110061847A (en) 2019-07-26
CN110061847B CN110061847B (en) 2021-05-04

Family

ID=67318328

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910271243.1A Active CN110061847B (en) 2019-04-04 2019-04-04 Digital signature method for key distributed generation

Country Status (1)

Country Link
CN (1) CN110061847B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112100644A (en) * 2020-11-19 2020-12-18 飞天诚信科技股份有限公司 Method and device for generating data signature
CN114338028A (en) * 2020-09-28 2022-04-12 华为技术有限公司 Threshold signature method and device, electronic equipment and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2676452A1 (en) * 2011-02-15 2013-12-25 P2S Media Group OY Quarantine method for sellable virtual goods
CN107707358A (en) * 2017-10-30 2018-02-16 武汉大学 A kind of EC KCDSA digital signature generation method and system
CN108173639A (en) * 2018-01-22 2018-06-15 中国科学院数据与通信保护研究教育中心 A kind of two side's cooperation endorsement methods based on SM9 signature algorithms
CN109064170A (en) * 2018-07-23 2018-12-21 西安电子科技大学 Group signature method without trusted party

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2676452A1 (en) * 2011-02-15 2013-12-25 P2S Media Group OY Quarantine method for sellable virtual goods
CN107707358A (en) * 2017-10-30 2018-02-16 武汉大学 A kind of EC KCDSA digital signature generation method and system
CN108173639A (en) * 2018-01-22 2018-06-15 中国科学院数据与通信保护研究教育中心 A kind of two side's cooperation endorsement methods based on SM9 signature algorithms
CN109064170A (en) * 2018-07-23 2018-12-21 西安电子科技大学 Group signature method without trusted party

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈思: "《比特币的匿名性和密钥管理研究》", 《中国优秀硕士学位论文全文数据库》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114338028A (en) * 2020-09-28 2022-04-12 华为技术有限公司 Threshold signature method and device, electronic equipment and readable storage medium
CN112100644A (en) * 2020-11-19 2020-12-18 飞天诚信科技股份有限公司 Method and device for generating data signature
CN112100644B (en) * 2020-11-19 2021-03-16 飞天诚信科技股份有限公司 Method and device for generating data signature

Also Published As

Publication number Publication date
CN110061847B (en) 2021-05-04

Similar Documents

Publication Publication Date Title
CN108667626B (en) Secure two-party collaboration SM2 signature method
CN107707358B (en) EC-KCDSA digital signature generation method and system
CN107634836B (en) SM2 digital signature generation method and system
CN107733648B (en) Identity-based RSA digital signature generation method and system
CN107438006B (en) Full multi-receiver label decryption method of the anonymity without certificate
Garay et al. Timed release of standard digital signatures
CN110061828A (en) Distributed digital endorsement method without trusted party
CN110011803B (en) Method for cooperatively generating digital signature by two parties of light SM2
CN106936584B (en) Method for constructing certificateless public key cryptosystem
US20050278536A1 (en) Fair blind signature process
WO2016049406A1 (en) Method and apparatus for secure non-interactive threshold signatures
CN108833345B (en) Certificateless multi-receiver signcryption method capable of tracking identity of anonymous sender
CN109639439A (en) A kind of ECDSA digital signature method based on two sides collaboration
CN115834056A (en) Certificateless ordered aggregation signature method, certificateless ordered aggregation signature system and related devices
CN110061847A (en) The digital signature method that key distribution generates
US20110064216A1 (en) Cryptographic message signature method having strengthened security, signature verification method, and corresponding devices and computer program products
Battagliola et al. Threshold ecdsa with an offline recovery party
CN112398637A (en) Equality test method based on certificate-free bookmark password
CN109064170B (en) Group signature method without trusted center
CN108768634B (en) Verifiable cryptographic signature generation method and system
Pan et al. Multi-signatures for ECDSA and Its Applications in Blockchain
Chia et al. Digital signature schemes with strong existential unforgeability
CN112383403A (en) Heterogeneous ring signature method
CN116318736A (en) Two-level threshold signature method and device for hierarchical management
Park et al. A tightly-secure multisignature scheme with improved verification

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant