CN110061847A - The digital signature method that key distribution generates - Google Patents
- Publication number: CN110061847A
- Authority: CN (China)
- Legal status: Granted
Classifications
- H04L9/008: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
- H04L9/3252: Digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
- H04L9/3255: Digital signatures using group based signatures, e.g. ring or threshold signatures
- H04L9/3236: Verifying the identity or authority of a user of the system or message authentication using cryptographic hash functions
Abstract
The invention discloses a digital signature method with distributed key generation, which addresses the low efficiency of existing digital signature methods. In the key generation phase, each of the t signing participants chooses its own sub-private key, and the private key is generated through interaction with the first signing participant. In the signing phase, the t signing participants use the sub-private keys they hold, in turn, to sign in a distributed manner; the t-th signing participant then assembles the second part of the signature under homomorphic encryption, and the first signing participant assembles and verifies the final signature. Because the invention uses the Paillier homomorphic encryption algorithm, the signing participants do not need zero-knowledge proofs to guarantee the correctness of the signature, and the final signature verification requires only one elliptic-curve point addition and two elliptic-curve point multiplications. Compared with the t zero-knowledge proofs of the background art, this improves computational efficiency.
Description
Technical field
The present invention relates to a digital signature method, and in particular to a digital signature method with distributed key generation.
Background art
The document "Goldfeder S, Gennaro R, Kalodner H, et al. Securing Bitcoin wallets via a new DSA/ECDSA threshold signature scheme. 2015." proposes a distributed threshold signature method whose main techniques are the Paillier homomorphic encryption algorithm and zero-knowledge proofs. In that method the signing private key is held by t people and the signing process requires all t of them to take part, which improves the security of the signing private key. However, the method uses a large number of zero-knowledge proof operations. A zero-knowledge proof requires repeated interaction between the verifier and the prover, and the more interactions there are, the higher the confidence in the prover. This is a time-consuming operation, so the efficiency of the method is relatively low. Completing one signature requires t zero-knowledge proofs; assuming that one zero-knowledge proof needs $t_z$ interactions, completing all of the zero-knowledge proofs needs $t \cdot t_z$ interactions, and this large number of interactions makes the method unsuitable for use in real scenarios.
Summary of the invention
To overcome the low efficiency of existing digital signature methods, the present invention provides a digital signature method with distributed key generation. In the key generation phase, each of the t signing participants chooses its own sub-private key, and the private key is generated through interaction with the first signing participant. In the signing phase, the t signing participants use the sub-private keys they hold, in turn, to sign in a distributed manner; the t-th signing participant then assembles the second part of the signature under homomorphic encryption, and the first signing participant assembles and verifies the final signature. Because the invention uses the Paillier homomorphic encryption algorithm, the signing participants do not need zero-knowledge proofs to guarantee the correctness of the signature: verification of the signature by the first signing participant is enough to ensure that the final signature is correct, and that final verification requires only one elliptic-curve point addition and two elliptic-curve point multiplications. Compared with the t zero-knowledge proofs of the background art, this improves computational efficiency.
The technical solution adopted by the present invention to solve its technical problem is a digital signature method with distributed key generation, characterized by the following steps:
Step 1: The first signing participant $ID_1$ chooses its own sub-private key $d_1 \in \{1, 2, \ldots, n-1\}$ and then checks whether $d_1$ has a multiplicative inverse $d_1^{-1}$ modulo n. If it does, proceed to the next step. If it does not, $ID_1$ chooses a new sub-private key $d_1 \in \{1, 2, \ldots, n-1\}$ and repeats the check until it finds a sub-private key $d_1$ that has a multiplicative inverse $d_1^{-1}$, then proceeds to the next step;
where $ID_1$ denotes the first signing participant, $d_1$ denotes the sub-private key of $ID_1$, $d_1^{-1}$ denotes the multiplicative inverse of $d_1$ modulo n, and n is a positive integer denoting the order of the elliptic-curve base point;
Step 2: The first signing participant $ID_1$ computes its own sub-public key $Q_1$ and pseudo sub-public key $Q_1'$ according to the following formula, and then broadcasts both $Q_1$ and $Q_1'$ to all signing participants:
$Q_1 = d_1 G$
where $Q_1$ denotes the sub-public key of $ID_1$, $Q_1'$ denotes the pseudo sub-public key of $ID_1$, and G denotes a base point of order n on the elliptic curve;
Step 3: After receiving the sub-public key $Q_1$ and pseudo sub-public key $Q_1'$ of the first signing participant $ID_1$, the i-th signing participant $ID_i$ chooses its own sub-private key $d_i \in \{1, 2, \ldots, n-1\}$, computes its own pseudo sub-public key $Q_i'$ according to the following formula, and sends $Q_i'$ to $ID_1$, for i = 2, 3, ..., t:
$Q_i' = d_i Q_1'$
where $ID_i$ denotes the i-th signing participant, $d_i$ denotes the sub-private key of $ID_i$, $Q_i'$ denotes the pseudo sub-public key of $ID_i$, and t is a positive integer denoting the number of signing participants $ID_i$;
Step 4: After receiving the pseudo sub-public keys $Q_i'$ of all signing participants, the first signing participant $ID_1$ computes the sub-public key $Q_i$ of each signing participant $ID_i$ in turn according to the following formula, and then publishes all of the computed sub-public keys $Q_i$:
$Q_i = d_1 Q_i'$
where $Q_i$ denotes the sub-public key of the i-th signing participant $ID_i$;
Step 5: After receiving the sub-public key $Q_i$ published by the first signing participant $ID_1$, each signing participant $ID_i$ verifies whether the equation
$Q_i = d_i G$
holds. If it holds for every signing participant, proceed to the next step; if it fails for any signing participant, return to Step 1;
Step 6: Each signing participant $ID_i$ computes the signature public key Q according to the following formula and publishes Q:
where Q denotes the signature public key and ∑ denotes summation;
Step 7: The first signing participant $ID_1$ chooses its own secret value $k_1 \in \{1, 2, \ldots, n-1\}$ and then checks whether $k_1$ has a multiplicative inverse $k_1^{-1}$ modulo n. If it does, proceed to the next step. If it does not, $ID_1$ chooses a new secret value $k_1 \in \{1, 2, \ldots, n-1\}$ and repeats the check until it finds a secret value $k_1$ that has a multiplicative inverse $k_1^{-1}$, then proceeds to the next step;
where $k_1$ denotes the secret value of the first signing participant $ID_1$ and $k_1^{-1}$ denotes the multiplicative inverse of $k_1$ modulo n;
Step 8: The first signing participant $ID_1$ computes the first intermediate signature parameter $R_1$ according to the following formula and sends $R_1$ to the second signing participant $ID_2$:
$R_1 = k_1 G$
where $R_1$ denotes the first intermediate signature parameter and $ID_2$ denotes the second signing participant;
Step 9: After receiving the (i-1)-th intermediate signature parameter $R_{i-1}$, the i-th signing participant $ID_i$ chooses its own secret value $k_i \in \{1, 2, \ldots, n-1\}$ and then checks whether $k_i$ has a multiplicative inverse $k_i^{-1}$ modulo n. If it does, proceed to the next step. If it does not, $ID_i$ chooses a new secret value $k_i \in \{1, 2, \ldots, n-1\}$ and repeats the check until it finds a secret value $k_i$ that has a multiplicative inverse $k_i^{-1}$, then proceeds to the next step, for i = 2, 3, ..., t-1;
where $k_i$ denotes the secret value of the i-th signing participant $ID_i$ and $k_i^{-1}$ denotes the multiplicative inverse of $k_i$ modulo n;
Step 10: The i-th signing participant $ID_i$ computes the i-th intermediate signature parameter $R_i$ according to the following formula and sends $R_i$ to the (i+1)-th signing participant $ID_{i+1}$, for i = 2, 3, ..., t-1:
$R_i = k_i R_{i-1}$
where $R_i$ denotes the i-th intermediate signature parameter, $R_{i-1}$ denotes the (i-1)-th intermediate signature parameter, and $ID_{i+1}$ denotes the (i+1)-th signing participant;
Step 11: After receiving the (t-1)-th intermediate signature parameter $R_{t-1}$, the t-th signing participant $ID_t$ chooses its own secret value $k_t \in \{1, 2, \ldots, n-1\}$ and then checks whether $k_t$ has a multiplicative inverse $k_t^{-1}$ modulo n. If it does, proceed to the next step. If it does not, $ID_t$ chooses a new secret value $k_t \in \{1, 2, \ldots, n-1\}$ and repeats the check until it finds a secret value $k_t$ that has a multiplicative inverse $k_t^{-1}$, then proceeds to the next step;
where $ID_t$ denotes the t-th signing participant, $k_t$ denotes the secret value of $ID_t$, and $k_t^{-1}$ denotes the multiplicative inverse of $k_t$ modulo n;
Step 12: The t-th signing participant $ID_t$ computes the signature parameter R according to the following formula and then checks whether R is the zero point of the elliptic curve. If it is, return to Step 6; if it is not, broadcast the signature parameter R to all signing participants:
$R = k_t R_{t-1} = (x_R, y_R)$
where $R_{t-1}$ denotes the (t-1)-th intermediate signature parameter, R denotes the signature parameter, $x_R$ denotes the abscissa of R, and $y_R$ denotes the ordinate of R;
Step 13: After receiving the signature parameter R, the i-th signing participant $ID_i$ computes the first part of the signature r according to the following formula:
$r = x_R \bmod n$
It then checks whether r = 0 holds. If it does, return to Step 3; if it does not, continue with the next step;
where r denotes the first part of the signature and mod denotes the modulo operation;
Step 14: The first signing participant $ID_1$ computes the hash value H of the message M according to the following formula, and then converts H to an integer e according to the data type conversion rules:
$H = \mathrm{hash}(M)$
where M denotes the message, H denotes the hash value of M, hash denotes a cryptographic hash algorithm, and e denotes the integer value obtained by converting H;
Step 15: The first signing participant $ID_1$ selects the private key sk and public key pk of the Paillier homomorphic encryption algorithm, keeps the private key sk secret, and publishes the public key pk;
where Paillier denotes the homomorphic encryption algorithm, sk denotes the private key of the Paillier homomorphic encryption algorithm, used for decryption, and pk denotes the public key of the Paillier homomorphic encryption algorithm, used for encryption;
Step 16: The first signing participant $ID_1$ computes the first part $\alpha_1$ and the second part $\beta_1$ of the first signature generation parameter according to the following formula, and then sends $\alpha_1$ and $\beta_1$ to the second signing participant $ID_2$:
$\beta_1 = E_{pk}(r d_1 \bmod n)$
where $\alpha_1$ denotes the first part of the first signature generation parameter, $\beta_1$ denotes the second part of the first signature generation parameter, and $E_{pk}(\cdot)$ denotes the encryption operation of the Paillier homomorphic encryption algorithm;
Step 17: After receiving the first part $\alpha_{i-1}$ and the second part $\beta_{i-1}$ of the (i-1)-th signature generation parameter, the i-th signing participant $ID_i$ computes the first part $\alpha_i$ and the second part $\beta_i$ of the i-th signature generation parameter according to the following formula, and then sends $\alpha_i$ and $\beta_i$ to the (i+1)-th signing participant $ID_{i+1}$, for i = 2, 3, ..., t-1:
$\beta_i = E_{pk}(r d_i \bmod n) +_E \beta_{i-1}$
where $\alpha_i$ denotes the first part of the i-th signature generation parameter, $\beta_i$ denotes the second part of the i-th signature generation parameter, $\alpha_{i-1}$ denotes the first part of the (i-1)-th signature generation parameter, $\beta_{i-1}$ denotes the second part of the (i-1)-th signature generation parameter, $\times_E$ denotes the multiplicative homomorphic operation under the Paillier homomorphic encryption algorithm, and $+_E$ denotes the additive homomorphic operation under the Paillier homomorphic encryption algorithm;
Step 18: After receiving the first part $\alpha_{t-1}$ and the second part $\beta_{t-1}$ of the (t-1)-th signature generation parameter, the t-th signing participant $ID_t$ computes the first part $\alpha_t$ and the second part $\beta_t$ of the t-th signature generation parameter according to the following formula:
$\beta_t = E_{pk}(r d_t \bmod n) +_E \beta_{t-1}$
where $\alpha_t$ denotes the first part of the t-th signature generation parameter, $\beta_t$ denotes the second part of the t-th signature generation parameter, $\alpha_{t-1}$ denotes the first part of the (t-1)-th signature generation parameter, $\beta_{t-1}$ denotes the second part of the (t-1)-th signature generation parameter, and $d_t$ denotes the sub-private key of the t-th signing participant $ID_t$;
Step 19: The t-th signing participant $ID_t$ chooses a secret obfuscation value $\rho \in \{1, 2, \ldots, n-1\}$ and then checks whether $\rho$ has a multiplicative inverse $\rho^{-1}$ modulo n. If it does, proceed to the next step. If it does not, $ID_t$ chooses a new secret obfuscation value $\rho \in \{1, 2, \ldots, n-1\}$ and repeats the check until it finds a secret obfuscation value $\rho$ that has a multiplicative inverse $\rho^{-1}$, then proceeds to the next step;
where $\rho$ denotes the secret obfuscation value and $\rho^{-1}$ denotes the multiplicative inverse of $\rho$ modulo n;
Step 20: The t-th signing participant $ID_t$ computes the second part $\beta_{t+1}$ of the (t+1)-th signature generation parameter according to the following formula, and then sends $\beta_{t+1}$ to the (t-1)-th signing participant $ID_{t-1}$:
where $\beta_{t+1}$ denotes the second part of the (t+1)-th signature generation parameter and $ID_{t-1}$ denotes the (t-1)-th signing participant;
Step 21: The i-th signing participant $ID_i$ computes the second part $\beta_{2t-i+1}$ of the (2t-i+1)-th signature generation parameter according to the following formula, and then sends $\beta_{2t-i+1}$ to the (i-1)-th signing participant $ID_{i-1}$, for i = t-1, t-2, ..., 2:
where $\beta_{2t-i+1}$ denotes the second part of the (2t-i+1)-th signature generation parameter and $\beta_{2t-i}$ denotes the second part of the (2t-i)-th signature generation parameter;
Step 22: The first signing participant $ID_1$ computes the second part $\beta_{2t}$ of the 2t-th signature generation parameter according to the following formula, and then sends $\beta_{2t}$ to the t-th signing participant $ID_t$:
where $\beta_{2t}$ denotes the second part of the 2t-th signature generation parameter and $\beta_{2t-1}$ denotes the second part of the (2t-1)-th signature generation parameter;
Step 23: The t-th signing participant $ID_t$ computes the second part $\beta_{2t+1}$ of the (2t+1)-th signature generation parameter according to the following formula:
$\beta_{2t+1} = \beta_{2t} \times_E \rho^{-1}$
where $\beta_{2t+1}$ denotes the second part of the (2t+1)-th signature generation parameter;
Step 24: The t-th signing participant $ID_t$ computes the ciphertext C of the second part of the signature s under Paillier homomorphic encryption according to the following formula, and then sends C to the first signing participant $ID_1$:
$C = \alpha_t +_E \beta_{2t+1}$
where s denotes the second part of the signature and C denotes the ciphertext of s under Paillier homomorphic encryption;
Step 25: The first signing participant $ID_1$ computes the second part of the signature s according to the following formula:
$s = D_{sk}(C) \bmod n$
where $D_{sk}(\cdot)$ denotes the decryption operation of the Paillier homomorphic encryption algorithm;
Step 26: The first signing participant $ID_1$ computes the signature verification parameter $R' = (x_R', y_R')$ according to the following formula:
$R' = s^{-1}(eG + rQ)$
where $R'$ denotes the signature verification parameter, $x_R'$ denotes the abscissa of $R'$, $y_R'$ denotes the ordinate of $R'$, and $s^{-1}$ denotes the multiplicative inverse of the second part of the signature s modulo n;
Step 27: The first signing participant $ID_1$ computes the verification parameter $r'$ of the first part of the signature according to the following formula, and then checks whether the equation $r' = r$ holds. If it holds, proceed to the next step; if it does not, signing has failed and the method returns to Step 6:
$r' \equiv x_R' \bmod n$
where $r'$ denotes the verification parameter of the first part of the signature and ≡ denotes the congruence symbol;
Step 28: The first signing participant $ID_1$ extracts the signature (r, s) and then broadcasts the signature (r, s) to all signing participants;
where (r, s) denotes the final generated signature.
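The key generation phase (Steps 1 to 6) can be run end to end on secp256k1. The following Python code is an added example, not code from the patent. The page's formulas for $Q_1'$ and Q are missing, so it assumes $Q_1' = d_1^{-1} G$ (the value consistent with the equations of Steps 3 to 5) and $Q = \sum Q_i$; the function names and the `tamper_index` fault switch are hypothetical.

```python
import secrets

# secp256k1 parameters as listed on this page (curve y^2 = x^3 + 7, a = 0).
P = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the "zero point" (point at infinity)


def add(p1, p2):
    """Affine point addition on secp256k1."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc, k = INF, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def rand_scalar():
    """Uniform value in {1, ..., n-1}, as chosen in Steps 1 and 3."""
    return secrets.randbelow(N - 1) + 1


def keygen(t, tamper_index=None):
    """Run Steps 1-6 for t participants; returns (Q, sub_private_keys, checks)."""
    d = [rand_scalar() for _ in range(t)]        # d[0] is d_1, d[i-1] is d_i
    q1 = mul(d[0], G)                            # Step 2: Q_1 = d_1 G
    q1_pseudo = mul(pow(d[0], -1, N), G)         # Step 2, ASSUMED: Q_1' = d_1^{-1} G
    pseudo = [mul(d[i], q1_pseudo) for i in range(1, t)]   # Step 3: Q_i' = d_i Q_1'
    subs = [q1] + [mul(d[0], q) for q in pseudo]           # Step 4: Q_i = d_1 Q_i'
    if tamper_index is not None:
        # Constructed fault: ID_1 publishes a wrong sub-public key.
        subs[tamper_index] = add(subs[tamper_index], G)
    checks = [subs[i] == mul(d[i], G) for i in range(t)]   # Step 5: Q_i == d_i G
    if not all(checks):
        return None, d, checks                   # the method returns to Step 1
    q = INF
    for sub in subs:                             # Step 6, ASSUMED: Q = sum of Q_i
        q = add(q, sub)
    return q, d, checks
```

Because the order n of the secp256k1 base point is prime, every value in {1, ..., n-1} has an inverse modulo n, so the retry branches in Steps 1, 7, 9, 11 and 19 never trigger on this curve.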
The beneficial effects of the present invention are as follows. In the key generation phase, each of the t signing participants chooses its own sub-private key, and the private key is generated through interaction with the first signing participant. In the signing phase, the t signing participants use the sub-private keys they hold, in turn, to sign in a distributed manner; the t-th signing participant then assembles the second part of the signature under homomorphic encryption, and the first signing participant assembles and verifies the final signature. Because the invention uses the Paillier homomorphic encryption algorithm, the signing participants do not need zero-knowledge proofs to guarantee the correctness of the signature: verification of the signature by the first signing participant is enough to ensure that the final signature is correct, and that final verification requires only one elliptic-curve point addition and two elliptic-curve point multiplications. Compared with the t zero-knowledge proofs of the background art, this improves computational efficiency.
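The Paillier operations used in Steps 16 to 18 and Step 23 can be exercised directly. The following Python code is an added example, not code from the patent: it accumulates $\beta_t$ with $+_E$, applies $\rho$ and then $\rho^{-1}$ with $\times_E$, and checks that the Paillier modulus is large enough for the unreduced plaintexts. The demo primes, the function names, and the way $\rho$ is applied (the Step 20 formula is missing from the page) are assumptions.

```python
import math
import secrets

# Order n of the secp256k1 base point, as listed on this page.
N_EC = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed demo primes (publicly known Mersenne primes); never a real key.
DEMO_P, DEMO_Q = 2**521 - 1, 2**607 - 1


def paillier_keygen(p=DEMO_P, q=DEMO_Q):
    """Return (pk, sk) for Paillier with generator g = N + 1."""
    n_p = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n_p, (n_p, lam, pow(lam, -1, n_p))


def enc(pk, m):
    """E_pk(m) = (1 + m*N) * r^N mod N^2 with fresh randomness r."""
    n2 = pk * pk
    while True:
        r = secrets.randbelow(pk - 1) + 1
        if math.gcd(r, pk) == 1:
            break
    return (1 + m * pk) % n2 * pow(r, pk, n2) % n2


def dec(sk, c):
    """D_sk(c) = L(c^lambda mod N^2) * mu mod N, with L(u) = (u - 1) // N."""
    n_p, lam, mu = sk
    return (pow(c, lam, n_p * n_p) - 1) // n_p * mu % n_p


def add_E(pk, c1, c2):
    """+_E: adds the plaintexts by multiplying the ciphertexts."""
    return c1 * c2 % (pk * pk)


def mul_E(pk, c, k):
    """x_E: multiplies the plaintext by a known scalar k."""
    return pow(c, k, pk * pk)


def beta_chain(pk, r, sub_keys):
    """Steps 16-18: beta_1 = E(r d_1 mod n), beta_i = E(r d_i mod n) +_E beta_{i-1}."""
    beta = enc(pk, r * sub_keys[0] % N_EC)
    for d_i in sub_keys[1:]:
        beta = add_E(pk, enc(pk, r * d_i % N_EC), beta)
    return beta


def blind_roundtrip(pk, beta, rho):
    """Apply rho (ASSUMED form of Step 20), then rho^{-1} mod n as in Step 23."""
    blinded = mul_E(pk, beta, rho)
    return mul_E(pk, blinded, pow(rho, -1, N_EC))


def headroom_ok(pk, t, scalar_mults):
    """True if a sum of t values below n, scaled by `scalar_mults` scalars below n,
    stays below the Paillier modulus, so that reducing mod n after decryption is valid."""
    return t * (N_EC - 1) ** (scalar_mults + 1) < pk
```

Plaintexts are reduced modulo n only after decryption, so a Paillier modulus that is too small silently wraps them modulo N first; `headroom_ok` is the check to run before choosing key sizes.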
In addition, the present invention achieves distributed generation and storage of the private key. Generating the private key does not require a trusted party, so the security of the private key is higher.
The present invention allows a signature to be generated by t people in a distributed manner. The private key does not need to be explicitly assembled during signing, which avoids the risk that comes with leaking the private key.
The present invention is described in detail below with reference to the accompanying drawing and specific embodiments.
Brief description of the drawings
Fig. 1 is a flow chart of the digital signature method with distributed key generation of the present invention.
Specific embodiments
Explanation of terms:
T: the parameters of the elliptic curve secp256k1;
p: the large prime that generates the finite field $F_p$, with value FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F $= 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$;
a, b: the parameters of the elliptic curve equation, a = 0, b = 7;
G: a base point of order n on the elliptic curve, with value 0479BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8;
n: the order of the elliptic-curve base point G, with value FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141;
h: the cofactor, which controls the density of the selected points, with value 01;
$ID_1$: the first signing participant;
$ID_2$: the second signing participant;
$ID_i$: the i-th signing participant;
$ID_{i+1}$: the (i+1)-th signing participant;
$ID_t$: the t-th signing participant;
$ID_{t-1}$: the (t-1)-th signing participant;
t: a positive integer denoting the number of signing participants $ID_i$;
$d_1$: the sub-private key of the first signing participant $ID_1$;
$d_1^{-1}$: the multiplicative inverse modulo n of the sub-private key $d_1$ of the first signing participant $ID_1$;
$d_i$: the sub-private key of the i-th signing participant $ID_i$;
$d_t$: the sub-private key of the t-th signing participant $ID_t$;
$Q_1$: the sub-public key of the first signing participant $ID_1$;
$Q_1'$: the pseudo sub-public key of the first signing participant $ID_1$;
$Q_i$: the sub-public key of the i-th signing participant $ID_i$;
$Q_i'$: the pseudo sub-public key of the i-th signing participant $ID_i$;
Q: the signature public key;
∑: sum operation, such as
$k_1$: the secret value of the first signing participant $ID_1$;
$k_1^{-1}$: the multiplicative inverse modulo n of the secret value $k_1$ of the first signing participant $ID_1$;
$k_i$: the secret value of the i-th signing participant $ID_i$;
$k_i^{-1}$: the multiplicative inverse modulo n of the secret value $k_i$ of the i-th signing participant $ID_i$;
$k_t$: the secret value of the t-th signing participant $ID_t$;
$k_t^{-1}$: the multiplicative inverse modulo n of the secret value $k_t$ of the t-th signing participant $ID_t$;
$R_1$: the first intermediate signature parameter;
$R_i$: the i-th intermediate signature parameter;
$R_{i-1}$: the (i-1)-th intermediate signature parameter;
$R_{t-1}$: the (t-1)-th intermediate signature parameter;
R: the signature parameter;
$x_R$: the abscissa of the signature parameter R;
$y_R$: the ordinate of the signature parameter R;
r: the first part of the signature;
mod: the modulo operation, e.g. 7 mod 4 = 3;
M: the message;
H: the hash value of the message M;
hash: a cryptographic hash algorithm;
e: the integer value obtained by converting the hash value H;
Paillier: the homomorphic encryption algorithm;
sk: the private key of the Paillier homomorphic encryption algorithm;
pk: the public key of the Paillier homomorphic encryption algorithm;
$E_{pk}(\cdot)$: the encryption operation of the Paillier homomorphic encryption algorithm;
$D_{sk}(\cdot)$: the decryption operation of the Paillier homomorphic encryption algorithm;
$\times_E$: the multiplicative homomorphic operation under the Paillier homomorphic encryption algorithm;
$+_E$: the additive homomorphic operation under the Paillier homomorphic encryption algorithm;
$\alpha_1$: the first part of the first signature generation parameter;
$\alpha_i$: the first part of the i-th signature generation parameter;
$\alpha_{i-1}$: the first part of the (i-1)-th signature generation parameter;
$\alpha_{t-1}$: the first part of the (t-1)-th signature generation parameter;
$\alpha_t$: the first part of the t-th signature generation parameter;
$\beta_1$: the second part of the first signature generation parameter;
$\beta_i$: the second part of the i-th signature generation parameter;
$\beta_{i-1}$: the second part of the (i-1)-th signature generation parameter;
$\beta_{t-1}$: the second part of the (t-1)-th signature generation parameter;
$\beta_t$: the second part of the t-th signature generation parameter;
$\beta_{t+1}$: the second part of the (t+1)-th signature generation parameter;
$\beta_{2t-i+1}$: the second part of the (2t-i+1)-th signature generation parameter;
$\beta_{2t-i}$: the second part of the (2t-i)-th signature generation parameter;
$\beta_{2t}$: the second part of the 2t-th signature generation parameter;
$\beta_{2t-1}$: the second part of the (2t-1)-th signature generation parameter;
$\beta_{2t+1}$: the second part of the (2t+1)-th signature generation parameter;
$\rho$: the secret obfuscation value;
$\rho^{-1}$: the multiplicative inverse of the secret obfuscation value $\rho$ modulo n;
s: the second part of the signature;
$s^{-1}$: the multiplicative inverse of the second part of the signature s modulo n;
C: the ciphertext of the second part of the signature s under Paillier homomorphic encryption;
$R'$: the signature verification parameter;
$x_R'$: the abscissa of the signature verification parameter $R'$;
$y_R'$: the ordinate of the signature verification parameter $R'$;
$r'$: the verification parameter of the first part of the signature;
≡: the congruence symbol;
(r, s): the final generated signature.
Referring to Fig. 1, the specific steps of the digital signature method with distributed key generation of the present invention are as follows.
Determine the system parameters: this is the preparation carried out before implementation.
Choose the elliptic curve secp256k1 and determine the parameters T = (p, a, b, G, n, h), where T denotes the parameters of the elliptic curve secp256k1; p denotes the large prime that generates the finite field $F_p$, p = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F $= 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$; a and b denote the parameters of the elliptic curve equation, a = 0, b = 7; G denotes a base point of order n on the elliptic curve, G = 0479BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8; n denotes the order of the elliptic-curve base point G, n = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141; and h denotes the cofactor, which controls the density of the selected points, h = 01.
Step 1: The first signing participant $ID_1$ chooses its own sub-private key $d_1 \in \{1, 2, \ldots, n-1\}$ and then checks whether $d_1$ has a multiplicative inverse $d_1^{-1}$ modulo n. If it does, proceed to the next step. If it does not, $ID_1$ chooses a new sub-private key $d_1 \in \{1, 2, \ldots, n-1\}$ and repeats the check until it finds a sub-private key $d_1$ that has a multiplicative inverse $d_1^{-1}$, then proceeds to the next step;
where $ID_1$ denotes the first signing participant, $d_1$ denotes the sub-private key of $ID_1$, $d_1^{-1}$ denotes the multiplicative inverse of $d_1$ modulo n, and n is a positive integer denoting the order of the elliptic-curve base point;
Step 2: The first signing participant $ID_1$ computes its own sub-public key $Q_1$ and pseudo sub-public key $Q_1'$ according to the following formula, and then broadcasts both $Q_1$ and $Q_1'$ to all signing participants:
$Q_1 = d_1 G$
where $Q_1$ denotes the sub-public key of $ID_1$, $Q_1'$ denotes the pseudo sub-public key of $ID_1$, and G denotes a base point of order n on the elliptic curve;
Step 3: After receiving the sub-public key $Q_1$ and pseudo sub-public key $Q_1'$ of the first signing participant $ID_1$, the i-th signing participant $ID_i$ chooses its own sub-private key $d_i \in \{1, 2, \ldots, n-1\}$, computes its own pseudo sub-public key $Q_i'$ according to the following formula, and sends $Q_i'$ to $ID_1$, for i = 2, 3, ..., t:
$Q_i' = d_i Q_1'$
where $ID_i$ denotes the i-th signing participant, $d_i$ denotes the sub-private key of $ID_i$, $Q_i'$ denotes the pseudo sub-public key of $ID_i$, and t is a positive integer denoting the number of signing participants $ID_i$;
Step 4: After receiving the pseudo sub-public keys $Q_i'$ of all signing participants, the first signing participant $ID_1$ computes the sub-public key $Q_i$ of each signing participant $ID_i$ in turn according to the following formula, and then publishes all of the computed sub-public keys $Q_i$:
$Q_i = d_1 Q_i'$
where $Q_i$ denotes the sub-public key of the i-th signing participant $ID_i$;
Step 5: After receiving the sub-public key $Q_i$ published by the first signing participant $ID_1$, each signing participant $ID_i$ verifies whether the equation
$Q_i = d_i G$
holds. If it holds for every signing participant, proceed to the next step; if it fails for any signing participant, return to Step 1;
Step 6: according to the following formula, each signature participant IDiCalculate the signature public key Q simultaneously carries out public signature key Q public
It opens:
Wherein, Q indicates public signature key, and ∑ indicates sum operation;
Step 7: The first signature participant $ID_1$ chooses its own secret value $k_1 \in \{1, 2, \ldots, n-1\}$ and then determines whether $k_1$ has a multiplicative inverse $k_1^{-1}$ modulo $n$. If it does, proceed to the next step; if it does not, $ID_1$ chooses a new secret value $k_1 \in \{1, 2, \ldots, n-1\}$ and repeats the check until a secret value $k_1$ with a multiplicative inverse $k_1^{-1}$ is found, then proceeds to the next step;
where $k_1$ denotes the secret value of $ID_1$ and $k_1^{-1}$ denotes the multiplicative inverse of $k_1$ modulo $n$;
Step 8: According to the following formula, the first signature participant $ID_1$ computes the first signature parameter intermediate value $R_1$ and sends $R_1$ to the second signature participant $ID_2$:
$R_1 = k_1 G$
where $R_1$ denotes the first signature parameter intermediate value and $ID_2$ denotes the second signature participant;
Step 9: After receiving the (i-1)-th signature parameter intermediate value $R_{i-1}$, the i-th signature participant $ID_i$ chooses its own secret value $k_i \in \{1, 2, \ldots, n-1\}$ and then determines whether $k_i$ has a multiplicative inverse $k_i^{-1}$ modulo $n$. If it does, proceed to the next step; if it does not, $ID_i$ chooses a new secret value $k_i \in \{1, 2, \ldots, n-1\}$ and repeats the check until a secret value $k_i$ with a multiplicative inverse $k_i^{-1}$ is found, then proceeds to the next step, for $i = 2, 3, \ldots, t-1$;
where $k_i$ denotes the secret value of $ID_i$ and $k_i^{-1}$ denotes the multiplicative inverse of $k_i$ modulo $n$;
Step 10: According to the following formula, the i-th signature participant $ID_i$ computes the i-th signature parameter intermediate value $R_i$ and sends $R_i$ to the (i+1)-th signature participant $ID_{i+1}$, for $i = 2, 3, \ldots, t-1$:
$R_i = k_i R_{i-1}$
where $R_i$ denotes the i-th signature parameter intermediate value, $R_{i-1}$ denotes the (i-1)-th signature parameter intermediate value, and $ID_{i+1}$ denotes the (i+1)-th signature participant;
Step 11: After receiving the (t-1)-th signature parameter intermediate value $R_{t-1}$, the t-th signature participant $ID_t$ chooses its own secret value $k_t \in \{1, 2, \ldots, n-1\}$ and then determines whether $k_t$ has a multiplicative inverse $k_t^{-1}$ modulo $n$. If it does, proceed to the next step; if it does not, $ID_t$ chooses a new secret value $k_t \in \{1, 2, \ldots, n-1\}$ and repeats the check until a secret value $k_t$ with a multiplicative inverse $k_t^{-1}$ is found, then proceeds to the next step;
where $ID_t$ denotes the t-th signature participant, $k_t$ denotes the secret value of $ID_t$, and $k_t^{-1}$ denotes the multiplicative inverse of $k_t$ modulo $n$;
Step 12: According to the following formula, the t-th signature participant $ID_t$ computes the signature parameter $R$ and then judges whether $R$ is the zero point of the elliptic curve. If it is, return to Step 6; if it is not, $ID_t$ broadcasts the signature parameter $R$ to all signature participants:
$R = k_t R_{t-1} = (x_R, y_R)$
where $R_{t-1}$ denotes the (t-1)-th signature parameter intermediate value, $R$ denotes the signature parameter, $x_R$ denotes the abscissa of $R$, and $y_R$ denotes the ordinate of $R$;
Step 13: After receiving the signature parameter $R$, the i-th signature participant $ID_i$ computes the first-part signature $r$ according to the following formula:
$r = x_R \bmod n$
and then judges whether $r = 0$ holds. If it holds, return to Step 3; if it does not, continue with the next step;
where $r$ denotes the first-part signature and mod denotes the modulo operation;
Step 14: According to the following formula, the first signature participant $ID_1$ computes the hash value $H$ of the message $M$, then converts $H$ into an integer $e$ according to the data type conversion rules:
$H = \mathrm{hash}(M)$
where $M$ denotes the message, $H$ denotes the hash value of $M$, hash denotes a cryptographic hash algorithm, and $e$ denotes the integer value obtained by converting $H$;
Step 15: The first signature participant $ID_1$ selects the private key $sk$ and public key $pk$ of the Paillier homomorphic encryption algorithm, keeps the private key $sk$ secret, and publishes the public key $pk$;
where Paillier denotes the homomorphic encryption algorithm, $sk$ denotes the private key of the Paillier homomorphic encryption algorithm, used for decryption, and $pk$ denotes the public key of the Paillier homomorphic encryption algorithm, used for encryption;
Step 16: According to the following formula, the first signature participant $ID_1$ computes the first part $\alpha_1$ and the second part $\beta_1$ of the first signature generation parameter, then sends $\alpha_1$ and $\beta_1$ to the second signature participant $ID_2$:
$\beta_1 = E_{pk}(r d_1 \bmod n)$
where $\alpha_1$ denotes the first part of the first signature generation parameter, $\beta_1$ denotes the second part of the first signature generation parameter, and $E_{pk}(\cdot)$ denotes the encryption operation of the Paillier homomorphic encryption algorithm;
Step 17: After receiving the first part $\alpha_{i-1}$ and the second part $\beta_{i-1}$ of the (i-1)-th signature generation parameter, the i-th signature participant $ID_i$ computes the first part $\alpha_i$ and the second part $\beta_i$ of the i-th signature generation parameter according to the following formula, then sends $\alpha_i$ and $\beta_i$ to the (i+1)-th signature participant $ID_{i+1}$, for $i = 2, 3, \ldots, t-1$:
$\beta_i = E_{pk}(r d_i \bmod n) +_E \beta_{i-1}$
where $\alpha_i$ denotes the first part of the i-th signature generation parameter, $\beta_i$ denotes the second part of the i-th signature generation parameter, $\alpha_{i-1}$ denotes the first part of the (i-1)-th signature generation parameter, $\beta_{i-1}$ denotes the second part of the (i-1)-th signature generation parameter, $\times_E$ denotes the multiplicative homomorphic operation under the Paillier homomorphic encryption algorithm, and $+_E$ denotes the additive homomorphic operation under the Paillier homomorphic encryption algorithm;
Step 18: After receiving the first part $\alpha_{t-1}$ and the second part $\beta_{t-1}$ of the (t-1)-th signature generation parameter, the t-th signature participant $ID_t$ computes the first part $\alpha_t$ and the second part $\beta_t$ of the t-th signature generation parameter according to the following formula:
$\beta_t = E_{pk}(r d_t \bmod n) +_E \beta_{t-1}$
where $\alpha_t$ denotes the first part of the t-th signature generation parameter, $\beta_t$ denotes the second part of the t-th signature generation parameter, $\alpha_{t-1}$ denotes the first part of the (t-1)-th signature generation parameter, $\beta_{t-1}$ denotes the second part of the (t-1)-th signature generation parameter, and $d_t$ denotes the sub-private key of the t-th signature participant $ID_t$;
Step 19: The t-th signature participant $ID_t$ chooses a secret obfuscation value $\rho \in \{1, 2, \ldots, n-1\}$ and then determines whether $\rho$ has a multiplicative inverse $\rho^{-1}$ modulo $n$. If it does, proceed to the next step; if it does not, $ID_t$ chooses a new secret obfuscation value $\rho \in \{1, 2, \ldots, n-1\}$ and repeats the check until a secret obfuscation value $\rho$ with a multiplicative inverse $\rho^{-1}$ is found, then proceeds to the next step;
where $\rho$ denotes the secret obfuscation value and $\rho^{-1}$ denotes the multiplicative inverse of $\rho$ modulo $n$;
Step 20: According to the following formula, the t-th signature participant $ID_t$ computes the second part $\beta_{t+1}$ of the (t+1)-th signature generation parameter, then sends $\beta_{t+1}$ to the (t-1)-th signature participant $ID_{t-1}$:
where $\beta_{t+1}$ denotes the second part of the (t+1)-th signature generation parameter and $ID_{t-1}$ denotes the (t-1)-th signature participant;
Step 21: According to the following formula, the i-th signature participant $ID_i$ computes the second part $\beta_{2t-i+1}$ of the (2t-i+1)-th signature generation parameter, then sends $\beta_{2t-i+1}$ to the (i-1)-th signature participant $ID_{i-1}$, for $i = t-1, t-2, \ldots, 2$:
where $\beta_{2t-i+1}$ denotes the second part of the (2t-i+1)-th signature generation parameter and $\beta_{2t-i}$ denotes the second part of the (2t-i)-th signature generation parameter;
Step 22: According to the following formula, the first signature participant $ID_1$ computes the second part $\beta_{2t}$ of the 2t-th signature generation parameter, then sends $\beta_{2t}$ to the t-th signature participant $ID_t$:
where $\beta_{2t}$ denotes the second part of the 2t-th signature generation parameter and $\beta_{2t-1}$ denotes the second part of the (2t-1)-th signature generation parameter;
Step 23: According to the following formula, the t-th signature participant $ID_t$ computes the second part $\beta_{2t+1}$ of the (2t+1)-th signature generation parameter:
$\beta_{2t+1} = \beta_{2t} \times_E \rho^{-1}$
where $\beta_{2t+1}$ denotes the second part of the (2t+1)-th signature generation parameter;
Step 24: According to the following formula, the t-th signature participant $ID_t$ computes the ciphertext $C$ of the second-part signature $s$ under Paillier homomorphic encryption, then sends $C$ to the first signature participant $ID_1$:
$C = \alpha_t +_E \beta_{2t+1}$
where $s$ denotes the second-part signature and $C$ denotes the ciphertext of $s$ under Paillier homomorphic encryption;
Step 25: According to the following formula, the first signature participant $ID_1$ computes the second-part signature $s$:
$s = D_{sk}(C) \bmod n$
where $D_{sk}(\cdot)$ denotes the decryption operation of the Paillier homomorphic encryption algorithm;
Step 26: According to the following formula, the first signature participant $ID_1$ computes the signature verification parameter $R'$, $R' = (x_{R'}, y_{R'})$:
$R' = s^{-1}(eG + rQ)$
where $R'$ denotes the signature verification parameter, $x_{R'}$ denotes the abscissa of $R'$, $y_{R'}$ denotes the ordinate of $R'$, and $s^{-1}$ denotes the multiplicative inverse of the second-part signature $s$ modulo $n$;
Step 27: According to the following formula, the first signature participant $ID_1$ computes the verification parameter $r'$ of the first-part signature, then judges whether the equation $r' = r$ holds. If it holds, proceed to the next step; if it does not, the signature fails and the method returns to Step 6:
$r' \equiv x_{R'} \bmod n$
where $r'$ denotes the verification parameter of the first-part signature and ≡ denotes the congruence symbol;
Step 28: The first signature participant $ID_1$ extracts the signature (r, s), then broadcasts the signature (r, s) to all signature participants;
where (r, s) denotes the finally generated signature.
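The following Python simulation is an added example, not code from the patent: it runs Steps 1 to 27 for t participants in one process and checks that the resulting (r, s) verifies as an ordinary ECDSA signature under Q. The formulas for $Q_1'$, $Q$, $\alpha_i$ and $\beta_{t+1}, \ldots, \beta_{2t}$ did not survive on this page, so the ones used here (marked ASSUMPTION) are choices that make the Step 26-27 check hold; SHA-256 and the Mersenne-prime Paillier key are likewise constructed for the demonstration.

```python
import hashlib
import secrets

# secp256k1 parameters from the system-parameter step (a = 0, b = 7)
P = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)

def add(A, B):
    """Affine point addition; None stands for the zero point of the curve."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, A):
    """Scalar multiplication k*A by double-and-add (not constant time)."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def inv(x):
    return pow(x, -1, N)  # n is prime, so every x in {1..n-1} has an inverse
def rand():
    return secrets.randbelow(N - 1) + 1  # uniform in {1, ..., n-1}
def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")  # ASSUMPTION: SHA-256

class Paillier:
    """Textbook Paillier, g = N+1. Mersenne primes: constructed demo key, not secure."""
    def __init__(self):
        p, q = 2**607 - 1, 2**1279 - 1
        self.n, self.lam = p * q, (p - 1) * (q - 1)
        self.n2, self.mu = self.n * self.n, pow(self.lam, -1, self.n)
    def enc(self, m):        # E_pk
        r = secrets.randbelow(self.n - 1) + 1
        return (1 + m * self.n) * pow(r, self.n, self.n2) % self.n2
    def dec(self, c):        # D_sk
        return (pow(c, self.lam, self.n2) - 1) // self.n * self.mu % self.n
    def add(self, c1, c2):   # +_E: adds plaintexts
        return c1 * c2 % self.n2
    def smul(self, c, k):    # x_E: multiplies the plaintext by the scalar k
        return pow(c, k, self.n2)

def keygen(t):
    """Steps 1-6: returns the sub-private keys d_1..d_t and the public key Q."""
    d = [rand() for _ in range(t)]
    q1_pseudo = mul(inv(d[0]), G)            # ASSUMPTION: Q1' = d1^-1 * G
    subs = [mul(d[0], G)]                    # Step 2: Q1 = d1*G
    for di in d[1:]:
        Qi = mul(d[0], mul(di, q1_pseudo))   # Steps 3-4: Qi' = di*Q1', Qi = d1*Qi'
        if Qi != mul(di, G):                 # Step 5: check performed by ID_i
            raise ValueError("sub-public key check failed")
        subs.append(Qi)
    Q = None
    for Qi in subs:
        Q = add(Q, Qi)                       # ASSUMPTION: Q = Q1 + ... + Qt
    return d, Q

def sign(msg, d, pai):
    """Steps 7-25; the negligible retry cases (R zero point, r = 0) are omitted."""
    t = len(d)
    if (t + 1) * N ** (t + 2) >= pai.n:      # plaintexts must never wrap mod pai.n
        raise ValueError("Paillier modulus too small for this many participants")
    k = [rand() for _ in range(t)]
    R = G
    for ki in k:
        R = mul(ki, R)                       # Steps 8-12: R = kt*...*k1*G
    r, e = R[0] % N, digest(msg)             # Steps 13-14
    alpha = pai.enc(e * inv(k[0]) % N)       # ASSUMPTION: alpha_1 = E(e*k1^-1 mod n)
    beta = pai.enc(r * d[0] % N)             # Step 16: beta_1 = E(r*d1 mod n)
    for i in range(1, t):
        alpha = pai.smul(alpha, inv(k[i]))   # ASSUMPTION: alpha_i = alpha_(i-1) x_E ki^-1
        beta = pai.add(pai.enc(r * d[i] % N), beta)   # Steps 17-18
    rho = rand()                             # Step 19: blinds beta from ID_1, who holds sk
    beta = pai.smul(beta, rho * inv(k[-1]) % N)       # ASSUMPTION for Step 20
    for i in range(t - 2, -1, -1):
        beta = pai.smul(beta, inv(k[i]))     # ASSUMPTION for Steps 21-22
    beta = pai.smul(beta, inv(rho))          # Step 23
    return r, pai.dec(pai.add(alpha, beta)) % N       # Steps 24-25

def verify(msg, sig, Q):
    """Steps 26-27: R' = s^-1 (eG + rQ), accept iff x_R' mod n == r."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    Rv = mul(inv(s), add(mul(digest(msg), G), mul(r, Q)))
    return Rv is not None and Rv[0] % N == r
```

Under the formulas assumed here the decrypted plaintext stays below $(t+1)\,n^{t+2}$, so the demo Paillier key supports at most five participants; a larger t needs a larger Paillier modulus.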
Claims (1)
1. A digital signature method with distributed key generation, characterized by comprising the following steps:
Step 1: The first signature participant $ID_1$ chooses its own sub-private key $d_1 \in \{1, 2, \ldots, n-1\}$ and then determines whether $d_1$ has a multiplicative inverse $d_1^{-1}$ modulo $n$. If it does, proceed to the next step; if it does not, $ID_1$ chooses a new sub-private key $d_1 \in \{1, 2, \ldots, n-1\}$ and repeats the check until a sub-private key $d_1$ with a multiplicative inverse $d_1^{-1}$ is found, then proceeds to the next step;
where $ID_1$ denotes the first signature participant, $d_1$ denotes the sub-private key of $ID_1$, $d_1^{-1}$ denotes the multiplicative inverse of $d_1$ modulo $n$, and $n$ is a positive integer denoting the order of the elliptic curve base point;
Step 2: According to the following formula, the first signature participant $ID_1$ computes its own sub-public key $Q_1$ and pseudo sub-public key $Q_1'$, then broadcasts both $Q_1$ and $Q_1'$ to all signature participants:
$Q_1 = d_1 G$
where $Q_1$ denotes the sub-public key of $ID_1$, $Q_1'$ denotes the pseudo sub-public key of $ID_1$, and $G$ denotes a base point of order $n$ on the elliptic curve;
Step 3: After receiving the sub-public key $Q_1$ and pseudo sub-public key $Q_1'$ of the first signature participant $ID_1$, the i-th signature participant $ID_i$ chooses its own sub-private key $d_i \in \{1, 2, \ldots, n-1\}$, computes its own pseudo sub-public key $Q_i'$ according to the following formula, and sends $Q_i'$ to $ID_1$, for $i = 2, 3, \ldots, t$:
$Q_i' = d_i Q_1'$
where $ID_i$ denotes the i-th signature participant, $d_i$ denotes the sub-private key of $ID_i$, $Q_i'$ denotes the pseudo sub-public key of $ID_i$, and $t$ is a positive integer denoting the number of signature participants $ID_i$;
Step 4: After receiving the pseudo sub-public keys $Q_i'$ of all signature participants, the first signature participant $ID_1$ computes the sub-public key $Q_i$ of each signature participant $ID_i$ in turn according to the following formula, then publishes all computed sub-public keys $Q_i$:
$Q_i = d_1 Q_i'$
where $Q_i$ denotes the sub-public key of the i-th signature participant $ID_i$;
Step 5: After receiving the sub-public key $Q_i$ published by the first signature participant $ID_1$, each signature participant $ID_i$ verifies whether the equation
$Q_i = d_i G$
holds. If the verification of every signature participant succeeds, proceed to the next step; if the verification of any signature participant fails, return to Step 1;
Step 6: According to the following formula, each signature participant $ID_i$ computes the signature public key $Q$ and publishes it:
where $Q$ denotes the signature public key and $\sum$ denotes the summation operation;
Step 7: The first signature participant $ID_1$ chooses its own secret value $k_1 \in \{1, 2, \ldots, n-1\}$ and then determines whether $k_1$ has a multiplicative inverse $k_1^{-1}$ modulo $n$. If it does, proceed to the next step; if it does not, $ID_1$ chooses a new secret value $k_1 \in \{1, 2, \ldots, n-1\}$ and repeats the check until a secret value $k_1$ with a multiplicative inverse $k_1^{-1}$ is found, then proceeds to the next step;
where $k_1$ denotes the secret value of $ID_1$ and $k_1^{-1}$ denotes the multiplicative inverse of $k_1$ modulo $n$;
Step 8: According to the following formula, the first signature participant $ID_1$ computes the first signature parameter intermediate value $R_1$ and sends $R_1$ to the second signature participant $ID_2$:
$R_1 = k_1 G$
where $R_1$ denotes the first signature parameter intermediate value and $ID_2$ denotes the second signature participant;
Step 9: After receiving the (i-1)-th signature parameter intermediate value $R_{i-1}$, the i-th signature participant $ID_i$ chooses its own secret value $k_i \in \{1, 2, \ldots, n-1\}$ and then determines whether $k_i$ has a multiplicative inverse $k_i^{-1}$ modulo $n$. If it does, proceed to the next step; if it does not, $ID_i$ chooses a new secret value $k_i \in \{1, 2, \ldots, n-1\}$ and repeats the check until a secret value $k_i$ with a multiplicative inverse $k_i^{-1}$ is found, then proceeds to the next step, for $i = 2, 3, \ldots, t-1$;
where $k_i$ denotes the secret value of $ID_i$ and $k_i^{-1}$ denotes the multiplicative inverse of $k_i$ modulo $n$;
Step 10: According to the following formula, the i-th signature participant $ID_i$ computes the i-th signature parameter intermediate value $R_i$ and sends $R_i$ to the (i+1)-th signature participant $ID_{i+1}$, for $i = 2, 3, \ldots, t-1$:
$R_i = k_i R_{i-1}$
where $R_i$ denotes the i-th signature parameter intermediate value, $R_{i-1}$ denotes the (i-1)-th signature parameter intermediate value, and $ID_{i+1}$ denotes the (i+1)-th signature participant;
Step 11: After receiving the (t-1)-th signature parameter intermediate value $R_{t-1}$, the t-th signature participant $ID_t$ chooses its own secret value $k_t \in \{1, 2, \ldots, n-1\}$ and then determines whether $k_t$ has a multiplicative inverse $k_t^{-1}$ modulo $n$. If it does, proceed to the next step; if it does not, $ID_t$ chooses a new secret value $k_t \in \{1, 2, \ldots, n-1\}$ and repeats the check until a secret value $k_t$ with a multiplicative inverse $k_t^{-1}$ is found, then proceeds to the next step;
where $ID_t$ denotes the t-th signature participant, $k_t$ denotes the secret value of $ID_t$, and $k_t^{-1}$ denotes the multiplicative inverse of $k_t$ modulo $n$;
Step 12: According to the following formula, the t-th signature participant $ID_t$ computes the signature parameter $R$ and then judges whether $R$ is the zero point of the elliptic curve. If it is, return to Step 6; if it is not, $ID_t$ broadcasts the signature parameter $R$ to all signature participants:
$R = k_t R_{t-1} = (x_R, y_R)$
where $R_{t-1}$ denotes the (t-1)-th signature parameter intermediate value, $R$ denotes the signature parameter, $x_R$ denotes the abscissa of $R$, and $y_R$ denotes the ordinate of $R$;
Step 13: After receiving the signature parameter $R$, the i-th signature participant $ID_i$ computes the first-part signature $r$ according to the following formula:
$r = x_R \bmod n$
and then judges whether $r = 0$ holds. If it holds, return to Step 3; if it does not, continue with the next step;
where $r$ denotes the first-part signature and mod denotes the modulo operation;
Step 14: According to the following formula, the first signature participant $ID_1$ computes the hash value $H$ of the message $M$, then converts $H$ into an integer $e$ according to the data type conversion rules:
$H = \mathrm{hash}(M)$
where $M$ denotes the message, $H$ denotes the hash value of $M$, hash denotes a cryptographic hash algorithm, and $e$ denotes the integer value obtained by converting $H$;
Step 15: The first signature participant $ID_1$ selects the private key $sk$ and public key $pk$ of the Paillier homomorphic encryption algorithm, keeps the private key $sk$ secret, and publishes the public key $pk$;
where Paillier denotes the homomorphic encryption algorithm, $sk$ denotes the private key of the Paillier homomorphic encryption algorithm, used for decryption, and $pk$ denotes the public key of the Paillier homomorphic encryption algorithm, used for encryption;
Step 16: According to the following formula, the first signature participant $ID_1$ computes the first part $\alpha_1$ and the second part $\beta_1$ of the first signature generation parameter, then sends $\alpha_1$ and $\beta_1$ to the second signature participant $ID_2$:
$\beta_1 = E_{pk}(r d_1 \bmod n)$
where $\alpha_1$ denotes the first part of the first signature generation parameter, $\beta_1$ denotes the second part of the first signature generation parameter, and $E_{pk}(\cdot)$ denotes the encryption operation of the Paillier homomorphic encryption algorithm;
Step 17: After receiving the first part $\alpha_{i-1}$ and the second part $\beta_{i-1}$ of the (i-1)-th signature generation parameter, the i-th signature participant $ID_i$ computes the first part $\alpha_i$ and the second part $\beta_i$ of the i-th signature generation parameter according to the following formula, then sends $\alpha_i$ and $\beta_i$ to the (i+1)-th signature participant $ID_{i+1}$, for $i = 2, 3, \ldots, t-1$:
$\beta_i = E_{pk}(r d_i \bmod n) +_E \beta_{i-1}$
where $\alpha_i$ denotes the first part of the i-th signature generation parameter, $\beta_i$ denotes the second part of the i-th signature generation parameter, $\alpha_{i-1}$ denotes the first part of the (i-1)-th signature generation parameter, $\beta_{i-1}$ denotes the second part of the (i-1)-th signature generation parameter, $\times_E$ denotes the multiplicative homomorphic operation under the Paillier homomorphic encryption algorithm, and $+_E$ denotes the additive homomorphic operation under the Paillier homomorphic encryption algorithm;
Step 18: After receiving the first part $\alpha_{t-1}$ and the second part $\beta_{t-1}$ of the (t-1)-th signature generation parameter, the t-th signature participant $ID_t$ computes the first part $\alpha_t$ and the second part $\beta_t$ of the t-th signature generation parameter according to the following formula:
$\beta_t = E_{pk}(r d_t \bmod n) +_E \beta_{t-1}$
where $\alpha_t$ denotes the first part of the t-th signature generation parameter, $\beta_t$ denotes the second part of the t-th signature generation parameter, $\alpha_{t-1}$ denotes the first part of the (t-1)-th signature generation parameter, $\beta_{t-1}$ denotes the second part of the (t-1)-th signature generation parameter, and $d_t$ denotes the sub-private key of the t-th signature participant $ID_t$;
Step 19: The t-th signature participant $ID_t$ chooses a secret obfuscation value $\rho \in \{1, 2, \ldots, n-1\}$ and then determines whether $\rho$ has a multiplicative inverse $\rho^{-1}$ modulo $n$. If it does, proceed to the next step; if it does not, $ID_t$ chooses a new secret obfuscation value $\rho \in \{1, 2, \ldots, n-1\}$ and repeats the check until a secret obfuscation value $\rho$ with a multiplicative inverse $\rho^{-1}$ is found, then proceeds to the next step;
where $\rho$ denotes the secret obfuscation value and $\rho^{-1}$ denotes the multiplicative inverse of $\rho$ modulo $n$;
Step 20: According to the following formula, the t-th signature participant $ID_t$ computes the second part $\beta_{t+1}$ of the (t+1)-th signature generation parameter, then sends $\beta_{t+1}$ to the (t-1)-th signature participant $ID_{t-1}$:
where $\beta_{t+1}$ denotes the second part of the (t+1)-th signature generation parameter and $ID_{t-1}$ denotes the (t-1)-th signature participant;
Step 21: According to the following formula, the i-th signature participant $ID_i$ computes the second part $\beta_{2t-i+1}$ of the (2t-i+1)-th signature generation parameter, then sends $\beta_{2t-i+1}$ to the (i-1)-th signature participant $ID_{i-1}$, for $i = t-1, t-2, \ldots, 2$:
where $\beta_{2t-i+1}$ denotes the second part of the (2t-i+1)-th signature generation parameter and $\beta_{2t-i}$ denotes the second part of the (2t-i)-th signature generation parameter;
Step 22: According to the following formula, the first signature participant $ID_1$ computes the second part $\beta_{2t}$ of the 2t-th signature generation parameter, then sends $\beta_{2t}$ to the t-th signature participant $ID_t$:
where $\beta_{2t}$ denotes the second part of the 2t-th signature generation parameter and $\beta_{2t-1}$ denotes the second part of the (2t-1)-th signature generation parameter;
Step 23: According to the following formula, the t-th signature participant $ID_t$ computes the second part $\beta_{2t+1}$ of the (2t+1)-th signature generation parameter:
$\beta_{2t+1} = \beta_{2t} \times_E \rho^{-1}$
where $\beta_{2t+1}$ denotes the second part of the (2t+1)-th signature generation parameter;
Step 24: According to the following formula, the t-th signature participant $ID_t$ computes the ciphertext $C$ of the second-part signature $s$ under Paillier homomorphic encryption, then sends $C$ to the first signature participant $ID_1$:
$C = \alpha_t +_E \beta_{2t+1}$
where $s$ denotes the second-part signature and $C$ denotes the ciphertext of $s$ under Paillier homomorphic encryption;
Step 25: According to the following formula, the first signature participant $ID_1$ computes the second-part signature $s$:
$s = D_{sk}(C) \bmod n$
where $D_{sk}(\cdot)$ denotes the decryption operation of the Paillier homomorphic encryption algorithm;
Step 26: According to the following formula, the first signature participant $ID_1$ computes the signature verification parameter $R'$, $R' = (x_{R'}, y_{R'})$:
$R' = s^{-1}(eG + rQ)$
where $R'$ denotes the signature verification parameter, $x_{R'}$ denotes the abscissa of $R'$, $y_{R'}$ denotes the ordinate of $R'$, and $s^{-1}$ denotes the multiplicative inverse of the second-part signature $s$ modulo $n$;
Step 27: According to the following formula, the first signature participant $ID_1$ computes the verification parameter $r'$ of the first-part signature, then judges whether the equation $r' = r$ holds. If it holds, proceed to the next step; if it does not, the signature fails and the method returns to Step 6:
$r' \equiv x_{R'} \bmod n$
where $r'$ denotes the verification parameter of the first-part signature and ≡ denotes the congruence symbol;
Step 28: The first signature participant $ID_1$ extracts the signature (r, s), then broadcasts the signature (r, s) to all signature participants;
where (r, s) denotes the finally generated signature.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910271243.1A CN110061847B (en) | 2019-04-04 | 2019-04-04 | Digital signature method for key distributed generation |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910271243.1A CN110061847B (en) | 2019-04-04 | 2019-04-04 | Digital signature method for key distributed generation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110061847A true CN110061847A (en) | 2019-07-26 |
CN110061847B CN110061847B (en) | 2021-05-04 |
Family
ID=67318328
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910271243.1A Active CN110061847B (en) | 2019-04-04 | 2019-04-04 | Digital signature method for key distributed generation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110061847B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2676452A1 (en) * | 2011-02-15 | 2013-12-25 | P2S Media Group OY | Quarantine method for sellable virtual goods |
CN107707358A (en) * | 2017-10-30 | 2018-02-16 | Wuhan University | EC-KCDSA digital signature generation method and system |
CN108173639A (en) * | 2018-01-22 | 2018-06-15 | Data Assurance and Communication Security Research Center, Chinese Academy of Sciences | Two-party cooperative signing method based on the SM9 signature algorithm |
CN109064170A (en) * | 2018-07-23 | 2018-12-21 | Xidian University | Group signature method without a trusted party |
Non-Patent Citations (1)
Title |
---|
Chen Si: "Research on the Anonymity and Key Management of Bitcoin", China Master's Theses Full-text Database * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114338028A (en) * | 2020-09-28 | 2022-04-12 | Huawei Technologies Co., Ltd. | Threshold signature method and device, electronic equipment and readable storage medium |
CN112100644A (en) * | 2020-11-19 | 2020-12-18 | Feitian Technologies Co., Ltd. | Method and device for generating data signature |
CN112100644B (en) * | 2020-11-19 | 2021-03-16 | Feitian Technologies Co., Ltd. | Method and device for generating data signature |
Also Published As
Publication number | Publication date |
---|---|
CN110061847B (en) | 2021-05-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108667626B (en) | Secure two-party collaboration SM2 signature method | |
CN107707358B (en) | EC-KCDSA digital signature generation method and system | |
CN107634836B (en) | SM2 digital signature generation method and system | |
Garay et al. | Timed release of standard digital signatures | |
CN110061828A (en) | Distributed digital endorsement method without trusted party | |
CN102387019B (en) | Certificateless partially blind signature method | |
Brakerski et al. | A framework for efficient signatures, ring signatures and identity based encryption in the standard model | |
CN110011803B (en) | Method for cooperatively generating digital signature by two parties of light SM2 | |
CN106936584B (en) | Method for constructing certificateless public key cryptosystem | |
US20050278536A1 (en) | Fair blind signature process | |
CN107968710A (en) | SM9 digital signature separation interaction generation method and system | |
WO2016049406A1 (en) | Method and apparatus for secure non-interactive threshold signatures | |
CN108833345B (en) | Certificateless multi-receiver signcryption method capable of tracking identity of anonymous sender | |
CN109639439A (en) | A kind of ECDSA digital signature method based on two sides collaboration | |
CN115834056A (en) | Certificateless ordered aggregation signature method, certificateless ordered aggregation signature system and related devices | |
Battagliola et al. | Threshold ecdsa with an offline recovery party | |
CN110061847A (en) | The digital signature method that key distribution generates | |
US20110064216A1 (en) | Cryptographic message signature method having strengthened security, signature verification method, and corresponding devices and computer program products | |
CN112398637A (en) | Equality test method based on certificate-free bookmark password | |
CN109064170B (en) | Group signature method without trusted center | |
CN108768634B (en) | Verifiable cryptographic signature generation method and system | |
Pan et al. | Multi-signatures for ECDSA and Its Applications in Blockchain | |
CN112383403A (en) | Heterogeneous ring signature method | |
CN110798313B (en) | Secret dynamic sharing-based collaborative generation method and system for number containing secret | |
CN116318736A (en) | Two-level threshold signature method and device for hierarchical management |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |