CN110798313B - Secret dynamic sharing-based collaborative generation method and system for number containing secret - Google Patents

Publication number: CN110798313B
Authority: CN (China)
Prior art keywords: integer, secret, mod, calculated, interval
Legal status: Active
Application number: CN201911056875.2A
Other languages: Chinese (zh)
Other versions: CN110798313A (en)
Inventor: 龙毅宏
Current Assignee: Wuhan University of Technology WUT
Original Assignee: Wuhan University of Technology WUT
Application filed by Wuhan University of Technology WUT
Priority to CN201911056875.2A
Publication of CN110798313A
Application granted
Publication of CN110798313B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Complex Calculations (AREA)

Abstract

The invention provides a method and a system for the cooperative generation of numbers containing secrets, based on dynamic secret sharing. In the method, two devices use homomorphic encryption to dynamically compute $d_0$, $d_1$, $d_2$ satisfying the relation $d_0(d_1+d_2) \bmod n = d$ or $(d_1+d_0 d_2) \bmod n = d$, where $d$ is an integer secret in $[1, n-1]$, $d_0$ is an integer secret of the 1st device in $[1, n-1]$, $d_1$ is an integer secret of the 1st device in $[0, n-1]$, and $d_2$ is an integer secret of the 2nd device in $[0, n-1]$. When $d_0$, $d_1$, $d_2$ satisfy $d_0(d_1+d_2) \bmod n = d$, the two devices use $d_0$, $d_1$, $d_2$ to cooperatively compute $u = (w_1 w_2 (z + rd)) \bmod n$; when $d_0$, $d_1$, $d_2$ satisfy $(d_1+d_0 d_2) \bmod n = d$, the two devices use $d_0$, $d_1$, $d_2$ to cooperatively compute $u = (w_1 w_2 z + rd) \bmod n$, where $w_1$, $w_2$ are integer secrets randomly selected in $[1, n-1]$ by the 1st and 2nd devices respectively, or integers calculated from random integers, and $r$, $z$ are non-secret integers.

Description

Secret dynamic sharing-based collaborative generation method and system for number containing secret
Technical Field
The invention belongs to the technical field of cryptography, and in particular concerns a secret dynamic sharing method and, based on it, a method and a system for the cooperative generation of numbers containing secrets.
Background
In applications of cryptographic technology, requirements such as the security protection of private keys often make it necessary to use cryptographic operations based on secret sharing, such as secret-sharing-based ECDSA (Elliptic Curve Digital Signature Algorithm) digital signature generation, secret-sharing-based SM2 elliptic curve digital signature generation, secret-sharing-based SM9 elliptic curve digital signature generation, secret-sharing-based cooperative generation of SM9 identity private keys, and the like. The following are some specific examples (not an exhaustive list).
1. ECDSA digital signature collaborative generation
Let $G$ be a base point of the elliptic curve point group, the prime $n$ the order of $G$ (i.e. the order of the elliptic curve point group), and $d$ the private key of the user;
when a message M needs to be digitally signed using the user private key d, a possible or desirable secret sharing based calculation procedure is as follows:
the 1st and 2nd devices each randomly select an integer, $k_1$ and $k_2$ respectively, in $[1, n-1]$, and cooperatively compute $k_1 k_2 G = (x_1, y_1)$; take $r = x_1 \bmod n$ and $e = \mathrm{hash}(M)$; the two devices then, through secret sharing of $d$, cooperatively compute $s = (k_1 k_2)^{-1}(e + rd) \bmod n$, yielding the digital signature $(r, s)$ for message $M$, where $(k_1 k_2)^{-1}$ is the modulo-$n$ multiplicative inverse of $(k_1 k_2) \bmod n$.
2. SM2 digital signature collaborative generation
Let $G$ be the base point of the elliptic curve point group, the prime $n$ the order of $G$ (i.e. the order of the elliptic curve point group), and $d_A$ the private key of the user;
when a message M needs to be digitally signed using the user private key d, a possible or desirable secret sharing based calculation procedure is as follows:
$G_d = [1+d_A]G$ is calculated in advance (in SM2, $[k]G$ denotes the $k$-fold multiple of $G$, i.e. the point addition of $k$ copies of $G$); the 1st and 2nd devices each randomly select an integer, $k_1$ and $k_2$ respectively, in $[1, n-1]$, and cooperatively compute $[k_1 k_2]G_d = (x_1, y_1)$; take $r = (e + x_1) \bmod n$, where $e$ is the hash value of message $M$; the two devices then, through secret sharing of $(1+d_A)^{-1}$, cooperatively compute $s_0 = (k_1 k_2 + r(1+d_A)^{-1}) \bmod n$ and $s = (s_0 - r) \bmod n$, thereby obtaining the digital signature $(r, s)$ for message $M$.
3. SM9 digital signature collaborative generation
There is a bilinear map $e: G_1 \times G_2 \to G_T$, where $G_1$, $G_2$ are additive cyclic groups, $G_T$ is a multiplicative cyclic group, and the order of $G_1$, $G_2$, $G_T$ is the prime $n$ (note: in the SM9 specification the order of $G_1$, $G_2$, $G_T$ is written with the capital letter $N$; this patent application uses the lower-case $n$); $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where $s$ is the master private key or master key and $P_2$ is the generator of $G_2$; see the SM9 specification; note that the symbols used here for the master private key or master key, the master public key and the user identity private key differ slightly from the SM9 specification).
When a message M needs to be digitally signed using the user private key d, a possible or desirable secret sharing based calculation procedure is as follows:
let $d_A$ be the user's SM9 identity private key; precalculate $g_b = g^{b^{-1}}$ and $P_A = [b^{-1}]d_A$, where $b$ is an integer randomly selected in $[1, n-1]$ and kept as a secret, $g = e(P_1, P_{pub})$, and ^ denotes exponentiation (the element before ^ is raised to the power given by the integer after ^);
the 1st and 2nd devices each randomly select an integer, $r_1$ and $r_2$ respectively, in $[1, n-1]$, and cooperatively compute $w = g_b^{\,r_1 r_2}$; compute $h = H_2(M \| w, n)$, where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of $M$ and $w$, and $n$ is the order of $G_1$, $G_2$, $G_T$ (see the SM9 specification); the two devices then, through secret sharing of $b$, cooperatively compute $l = (r_1 r_2 - bh) \bmod n$, and then compute $S = [l]P_A$, yielding the digital signature $(h, S)$ for message $M$.
4. SM9 signature private key collaborative generation
SM9 is an identity-based cryptographic algorithm issued by the national commercial cryptography authority. Here we consider the split generation of SM9 signing private keys (secret-sharing-based private key generation); the split generation of private keys for encryption is entirely similar.
Assuming that the master key of the Private Key Generator is $s$, the signing private key corresponding to a user identity ID is $d_A = [s(h_{ID}+s)^{-1}]P_1$, where $s$ is the system master key (master private key), $h_{ID}$ is a hash value calculated from the user ID and other information, $P_1$ is the generator of $G_1$, the first of the two groups in the source domain of the bilinear map, $(h_{ID}+s)^{-1}$ is the modulo-$n$ multiplicative inverse of $(h_{ID}+s)$, and $n$ is the order of $P_1$.
Suppose that the user private key $d_A$ needs to be generated by two private key generators in a secret-split (shared) manner; a possible or desired cooperative private key generation process is as follows:
the formula for $d_A$ is transformed into $d_A = P_1 - [h_{ID}(h_{ID}+s)^{-1}]P_1$;
the 1st and 2nd private key generators each randomly select an integer, $w_1$ and $w_2$ respectively, in $[1, n-1]$, and, through secret sharing of $s$, cooperatively compute $u = w_1 w_2 (h_{ID}+s) \bmod n$;
thereafter, the 1st private key generator calculates $Q_1 = [(w_1 h_{ID} u^{-1}) \bmod n]P_1$, where $u^{-1}$ is the modulo-$n$ multiplicative inverse of $u$; the 1st private key generator submits $Q_1$ to the 2nd private key generator; the 2nd private key generator computes $Q_2 = P_1 - [w_2]Q_1$;
alternatively, the 2nd private key generator calculates $Q_1 = [(w_2 h_{ID} u^{-1}) \bmod n]P_1$, where $u^{-1}$ is the modulo-$n$ multiplicative inverse of $u$; the 2nd private key generator submits $Q_1$ to the 1st private key generator; the 1st private key generator computes $Q_2 = P_1 - [w_1]Q_1$;
then $Q_2$ is the private key $d_A$ corresponding to the user ID.
Analysis shows that, in the possible or desired computation processes of these secret-sharing-based cryptographic operations, it is often necessary to cooperatively compute $u = (w_1 w_2 (z + rd)) \bmod n$ or $u = (w_1 w_2 z + rd) \bmod n$ without revealing the respective secrets of the two devices, where $n$ is a prime, $d$ is an integer secret in $[1, n-1]$ shared by the two devices (such as a private key or a secret related to a private key), $w_1$, $w_2$ are integers randomly selected in $[1, n-1]$ by the 1st and 2nd devices respectively, and $r$ and $z$ are non-secret integers. In practice, however, it is not easy to obtain these possible or desired results without revealing the secrets of the two devices. Further analysis shows that the prior art shares the secret $d$ statically, i.e. the secret shares of $d$ held by the two devices remain unchanged; because the shares are static, it is difficult to ensure that the secret of each device does not leak during the computation, which makes the cooperative computation process complicated.
Disclosure of Invention
The invention aims to provide a technical scheme for secret dynamic sharing and, on that basis, a technical scheme for the cooperative generation of numbers containing secrets, so as to meet the needs of secret-sharing-based cryptographic operations in applications of cryptographic technology.
To this end, the technical scheme provided by the invention comprises two secret dynamic sharing methods, and two methods and a system for the cooperative generation of numbers containing secrets based on them. They are described in detail below.
Secret dynamic sharing method one
Secret dynamic sharing method one involves two devices, called the 1st device and the 2nd device;
$d$ is an integer secret in the interval $[1, n-1]$ unknown to both devices, and $n$ is a prime;
$c = E((a_1 d) \bmod n)$ is calculated in advance, where $E(\cdot)$ denotes the encryption operation of an additive homomorphic encryption scheme using the homomorphic encryption public key of the 2nd device, and $a_1$ is an integer in the interval $[1, n-1]$;
$a_1$ is a secret of the 1st device or is not a secret of the 1st device; if $a_1$ is not a secret of the 1st device in the interval $[1, n-1]$, then $c$ is stored by the 1st device as a secret;
the two devices cooperatively compute, in the following way, integer secrets $d_0$, $d_1$, $d_2$ satisfying the relation $d_0(d_1+d_2) \bmod n = d$, where $d_0$ is an integer secret in the interval $[1, n-1]$ known only to the 1st device, $d_1$ is an integer secret in the interval $[0, n-1]$ known only to the 1st device, and $d_2$ is an integer secret in the interval $[0, n-1]$ known only to the 2nd device:
the 1st device randomly selects an integer in the interval $[1, n-1]$ as $d_0$, randomly selects an integer in the interval $[0, n-1]$ as $d_1$, randomly selects an integer $b_1$ in the interval $[0, n-1]$, and calculates $c_0 = (b_1 - d_1) \bmod n$, $c_1 = E(-b_1 + z_1 n)\,((((a_1 d_0) \bmod n)^{-1} + z_0 n) \odot c)$, where $((a_1 d_0) \bmod n)^{-1}$ is the modulo-$n$ multiplicative inverse of $(a_1 d_0) \bmod n$ (note that if the modulus of the additive homomorphic encryption for the plaintext being encrypted is $m$, $m$ is different from $n$);
or, alternatively,
the 1st device randomly selects an integer in the interval $[1, n-1]$ as $d_0$, randomly selects an integer in the interval $[0, n-1]$ as $d_1$, takes $c_0 = 0$, and calculates $c_1 = E(-d_1 + z_1 n)\,((((a_1 d_0) \bmod n)^{-1} + z_0 n) \odot c)$;
then the 1st device sends $c_0$, $c_1$ to the 2nd device;
the 2nd device calculates $d_2 = (c_0 + (D(c_1) \bmod n)) \bmod n$, where $D(\cdot)$ denotes the decryption operation of the additive homomorphic encryption scheme using the homomorphic encryption private key of the 2nd device.
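Why the $d_2$ computed above satisfies the relation (a derivation added here, not part of the patent text; it takes the two ciphertext terms of $c_1$ to be joined by the ciphertext addition of the homomorphic scheme, and assumes the plaintext of $c_1$ stays within the representable range). Decrypting $c_1$ yields the integer

$$D(c_1) = -b_1 + z_1 n + \big(((a_1 d_0) \bmod n)^{-1} + z_0 n\big)\,\big((a_1 d) \bmod n\big).$$

Reducing modulo $n$, the multiples of $n$ vanish and $a_1$ cancels:

$$D(c_1) \bmod n = \big(-b_1 + (a_1 d_0)^{-1} a_1 d\big) \bmod n = \big(-b_1 + d_0^{-1} d\big) \bmod n.$$

Hence

$$d_2 = (c_0 + D(c_1)) \bmod n = \big(b_1 - d_1 - b_1 + d_0^{-1} d\big) \bmod n = \big(d_0^{-1} d - d_1\big) \bmod n,$$

so $d_0(d_1 + d_2) \bmod n = d$. In the variant with $c_0 = 0$ the mask is $-d_1$ instead of $-b_1$ and the same $d_2$ results.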
Secret dynamic sharing method two
Secret dynamic sharing method two also involves two devices, called the 1st device and the 2nd device;
$d$ is an integer secret in the interval $[1, n-1]$ unknown to both devices, and $n$ is a prime;
$c = E((a_1 d) \bmod n)$ is calculated in advance, where $E(\cdot)$ denotes the encryption operation of an additive homomorphic encryption scheme using the homomorphic encryption public key of the 2nd device, and $a_1$ is an integer in the interval $[1, n-1]$;
$a_1$ is a secret of the 1st device or is not a secret of the 1st device; if $a_1$ is not a secret of the 1st device in the interval $[1, n-1]$, then $c$ is stored by the 1st device as a secret;
the two devices cooperatively compute, in the following way, integer secrets $d_0$, $d_1$, $d_2$ satisfying the relation $(d_1 + d_0 d_2) \bmod n = d$, where $d_0$ is an integer secret in the interval $[1, n-1]$ known only to the 1st device, $d_1$ is an integer secret in the interval $[0, n-1]$ known only to the 1st device, and $d_2$ is an integer secret in the interval $[0, n-1]$ known only to the 2nd device:
the 1st device randomly selects an integer in the interval $[1, n-1]$ as $d_0$, randomly selects an integer in the interval $[0, n-1]$ as $d_1$, randomly selects an integer $b_1$ in the interval $[0, n-1]$, and calculates $c_0 = (-(d_0)^{-1} d_1 - b_1) \bmod n$, $c_1 = E(b_1 + z_1 n)\,((((a_1 d_0) \bmod n)^{-1} + z_0 n) \odot c)$, where $(d_0)^{-1}$ is the modulo-$n$ multiplicative inverse of $d_0$ and $((a_1 d_0) \bmod n)^{-1}$ is the modulo-$n$ multiplicative inverse of $(a_1 d_0) \bmod n$ (note that if the modulus of the additive homomorphic encryption for the plaintext being encrypted is $m$, $m$ is different from $n$);
or, alternatively,
the 1st device randomly selects an integer in the interval $[1, n-1]$ as $d_0$, randomly selects an integer in the interval $[0, n-1]$ as $d_1$, takes $c_0 = 0$, and calculates $c_1 = E(((-(d_0)^{-1} d_1) \bmod n) + z_1 n)\,((((a_1 d_0) \bmod n)^{-1} + z_0 n) \odot c)$;
the 1st device sends $c_0$, $c_1$ to the 2nd device;
the 2nd device calculates $d_2 = (c_0 + (D(c_1) \bmod n)) \bmod n$, where $D(\cdot)$ denotes the decryption operation of the additive homomorphic encryption scheme using the homomorphic encryption private key of the 2nd device.
In secret dynamic sharing methods one and two above,
the operator rendered as an image in the original (Figure GDA0002540688500000061, not reproduced here) denotes the addition of ciphertexts under the homomorphic encryption (the result is the ciphertext of the sum of the corresponding plaintexts); it is the operation that joins the two ciphertext terms in the formulas for $c_1$, where no symbol survives between them. $\odot$ denotes the multiplication of a ciphertext by an integer under the homomorphic encryption (corresponding to the accumulated addition of multiple copies of the same ciphertext); $z_0$, $z_1$ are integers known only to the 1st device;
$z_0$ is an integer randomly selected by the 1st device, or an integer selected by the 1st device according to a predetermined rule, or an integer fixed by the 1st device by convention or requirement (including the fixed value 0), and $z_1$ is an integer randomly selected by the 1st device;
the values of $z_0$, $z_1$ are not restricted to $[1, n-1]$; they are integers (positive, negative, or 0). Given that the plaintext corresponding to $c$ (i.e. $(a_1 d) \bmod n$) lies in $[1, n-1]$, $z_0$, $z_1$ are chosen so that the plaintext corresponding to $c_1$ does not exceed the range representable in complement form by the plaintext of the additive homomorphic encryption (the complement form is a way of representing positive integers, negative integers and 0 by non-negative integers; e.g. if the modulus of the additive homomorphic encryption for the plaintext being encrypted is $m$, then the negative number $-k$ is represented as $m-k$), or so that the probability that the plaintext corresponding to $c_1$ exceeds that range is extremely small, where "extremely small" means a probability that is acceptable in the specific application;
in secret dynamic sharing methods one and two, the modulus $m$ with respect to which the additive homomorphic encryption used operates on the plaintext being encrypted is greater than $n$.
For secret dynamic sharing methods one and two above, if $d$ is known in advance, then in the initialization phase the device that knows $d$ in advance (one of the two devices, or another device) randomly selects an integer in $[1, n-1]$ as $a_1$, or takes $a_1$ to be a fixed integer (including $a_1 = 1$), calculates $c = E((a_1 d) \bmod n)$, and then hands $c$ and $a_1$ to the 1st device to store and use;
if $d$ is not known in advance, then in the initialization phase the two devices cooperatively generate $d$ and calculate $c = E((a_1 d) \bmod n)$; one way for the two devices to do so is as follows (not the only possible way):
the 1st device selects two integers in $[1, n-1]$ as $g_1$, $a_1$, calculates $g_0 = (g_1 a_1) \bmod n$, and sends $g_0$ to the 2nd device;
the 2nd device randomly selects an integer in $[1, n-1]$ as $g_2$ and calculates $c = E((g_0 g_2) \bmod n)$; then (implicitly) $d = (g_1 g_2) \bmod n$;
after that, the 2nd device delivers $c$ to the 1st device to store and use (after receiving $c$, the 1st device usually needs to check whether $c$ is an encryption of 0).
Based on secret dynamic sharing methods one and two, corresponding methods for the cooperative generation of numbers containing secrets can be constructed, as follows.
Method one for the cooperative generation of numbers containing secrets
Method one for the cooperative generation of numbers containing secrets is built on secret dynamic sharing method one described above. Here the 1st device has an integer secret $w_1$ randomly selected in $[1, n-1]$, or an integer secret $w_1$ calculated from an integer secret randomly selected in $[1, n-1]$; the 2nd device has an integer secret $w_2$ randomly selected in $[1, n-1]$, or an integer secret $w_2$ calculated from an integer secret randomly selected in $[1, n-1]$; the two devices cooperatively generate the number $u = (w_1 w_2 (z + rd)) \bmod n$ containing the secrets $w_1$, $w_2$ and $d$ as follows, where $z$, $r$ are non-secret integers in $[1, n-1]$:
first, the two devices calculate the integer secrets $d_0$, $d_1$, $d_2$ according to secret dynamic sharing method one;
thereafter, the 1st device calculates $u_1 = ((d_0)^{-1} z + r d_1) \bmod n$ and $w_0 = (d_0 w_1) \bmod n$, where $(d_0)^{-1}$ is the modulo-$n$ multiplicative inverse of $d_0$;
the 1st device submits $u_1$ to the 2nd device;
the 2nd device calculates $u_2 = (w_2 (u_1 + r d_2)) \bmod n$;
finally, the 1st device, the 2nd device, or a device other than the two calculates $u = (w_0 u_2) \bmod n$ ($w_0$ being a non-secret number);
then $u$ is the result.
In method one for the cooperative generation of numbers containing secrets described above, if the 1st device calculates $u = (w_0 u_2) \bmod n$ and does not disclose the calculated $u$, and if, when $w_1$ is an integer constant, $d$ cannot be calculated from the public data computed from $u$ and secret data computed from $d$ cannot be calculated from the public data computed from $u$ (for example, if $[d]P_A$ can be calculated from public data computed from $u$, where $P_A$ is a point in the elliptic curve point group and $[d]P_A$ is a user private key, that is a case in which secret data computed from $d$ can be calculated from public data computed from $u$), then $w_1$ is allowed to be an integer constant;
if the 1st device calculates $u = (w_0 u_2) \bmod n$ and does not disclose the calculated $u$, and if, when $d_0$ or $d_1$ is a secret integer constant, $d$ cannot be calculated from the public data computed from $u$ and secret data computed from $d$ cannot be calculated from the public data computed from $u$, then the corresponding $d_0$ or $d_1$ is allowed to be a secret integer constant;
if the 1st device calculates $u = (w_0 u_2) \bmod n$ (in which case, of course, $w_0$ is not disclosed) and does not disclose the calculated $u$, and if, when $w_1$ is an integer constant and $d_0$ or $d_1$ is a secret integer constant, $d$ cannot be calculated from the public data computed from $u$ and secret data computed from $d$ cannot be calculated from the public data computed from $u$, then $w_1$ is allowed to be an integer constant and the corresponding $d_0$ or $d_1$ is allowed to be a secret integer constant;
if the 2nd device calculates $u = (w_0 u_2) \bmod n$ (in which case, of course, $w_0$ is not disclosed) and does not disclose the calculated $u$, and if, when $w_2$ is an integer constant, secret data computed from $d$ cannot be calculated from the public data computed from $u$, then $w_2$ is allowed to be an integer constant;
the cases in which $w_1$ or $w_2$ is allowed to be an integer constant include allowing $w_1$ or $w_2$ to be a secret integer constant or a non-secret integer constant (where a non-secret integer constant includes the constant 1).
Method two for the cooperative generation of numbers containing secrets
Method two for the cooperative generation of numbers containing secrets is built on secret dynamic sharing method two described above. Here the 1st device has an integer secret $w_1$ randomly selected in $[1, n-1]$, or an integer secret $w_1$ calculated from an integer secret randomly selected in $[1, n-1]$; the 2nd device has an integer secret $w_2$ randomly selected in $[1, n-1]$, or an integer secret $w_2$ calculated from an integer secret randomly selected in $[1, n-1]$; the two devices cooperatively generate the number $u = (w_1 w_2 z + rd) \bmod n$ containing the secrets $w_1$, $w_2$ and $d$ in one of the following ways, where $z$, $r$ are non-secret integers in $[1, n-1]$:
The first way:
first, the two devices calculate the integer secrets $d_0$, $d_1$, $d_2$ according to secret dynamic sharing method two;
thereafter, the 1st device randomly selects an integer $v$ in $[1, n-1]$, calculates $t_0 = (v d_0) \bmod n$ and $t_1 = (v w_1) \bmod n$, and submits $t_0$, $t_1$ to the 2nd device;
the 2nd device calculates $u_1 = (w_2 z t_1 + r d_2 t_0) \bmod n$ and submits $u_1$ to the 1st device;
the 1st device calculates $u = (v^{-1} u_1 + r d_1) \bmod n$, where $v^{-1}$ is the modulo-$n$ multiplicative inverse of $v$;
then $u$ is the result.
The second way:
first, the 1st device takes $w_1$ as $d_0$, and the two devices calculate the integer secrets $d_1$, $d_2$ according to secret dynamic sharing method two;
thereafter, the 2nd device calculates $u_1 = (w_2 z + r d_2) \bmod n$ and submits $u_1$ to the 1st device;
the 1st device calculates $u = (w_1 u_1 + r d_1) \bmod n$;
then $u$ is the result.
In method two for the cooperative generation of numbers containing secrets described above, if the 1st device does not disclose the calculated $u$, and if, when one, two or all of the three parameters $w_1$, $d_0$, $d_1$ are integer constants, $d$ cannot be calculated from the public data computed from $u$, or secret data computed from $d$ cannot be calculated from the public data computed from $u$, then the corresponding one, two or all of the three parameters $w_1$, $d_0$, $d_1$ are allowed to be integer constants;
the cases in which one, two or all of the three parameters $w_1$, $d_0$, $d_1$ are allowed to be integer constants include allowing $w_1$ to be a secret integer constant or a non-secret integer constant (where a non-secret integer constant includes the constant 1), and allowing one of $d_0$, $d_1$ to be a non-secret integer constant and the other a secret integer constant, or both to be secret integer constants; but $d_0$, $d_1$ cannot both be non-secret integer constants.
Based on methods one and two for the cooperative generation of numbers containing secrets, a system for the cooperative generation of numbers containing secrets can be constructed, comprising two devices called the 1st device and the 2nd device; the two devices cooperatively generate the number $u = (w_1 w_2 (z + rd)) \bmod n$ containing the secrets $w_1$, $w_2$ and $d$ according to method one, or cooperatively generate the number $u = (w_1 w_2 z + rd) \bmod n$ containing the secrets $w_1$, $w_2$ and $d$ according to method two.
With the method and the system of the invention, two devices cooperatively generate, by dynamically sharing the secret, a number containing secrets $u = (w_1 w_2 (z + rd)) \bmod n$ or $u = (w_1 w_2 z + rd) \bmod n$, where $n$ is a prime, $d$ is an integer secret in $[1, n-1]$ shared by the two devices (such as a private key or a secret related to a private key), $w_1$, $w_2$ are integer secrets randomly selected in $[1, n-1]$ by the 1st and 2nd devices respectively, and $r$ and $z$ are non-secret integers; combined with suitable implementation and application, various secret-sharing-based cryptographic operations can conveniently be realized on this basis. Unlike the prior art, in which the secret $d$ is shared statically, the secret shares held by the two devices are dynamically variable, so that it is easy to keep each device's secret from leaking during the computation, and the cooperative computation process is simple.
Detailed Description
Many additive homomorphic encryption algorithms (or homomorphic encryption algorithms that support additive homomorphism) exist, and one of them may be selected. When the additive homomorphic encryption algorithm is implemented, the modulus $m$ of the additive homomorphic encryption for the plaintext before encryption is much larger than $n$: if the binary length of $m$ is $L$ and the binary length of $n$ is $S$, then $L$ is at least twice $S$.
The invention is further described below with reference to embodiments and their applications; these do not represent all possible embodiments and applications, and are not intended to limit the invention.
Embodiment 1
This embodiment relates to secret dynamic sharing method one of the invention. It includes two devices, called the 1st device and the 2nd device; in this embodiment, $d$ is an integer secret in the interval $[1, n-1]$, unknown to both devices, that needs to be shared, and $n$ is a prime; $c = E((a_1 d) \bmod n)$ is calculated in advance, where $E(\cdot)$ denotes the encryption operation of an additive homomorphic encryption scheme using the homomorphic encryption public key of the 2nd device, and $a_1$ is an integer in the interval $[1, n-1]$; here, $a_1$ is a secret of the 1st device or is not a secret of the 1st device; if $a_1$ is not a secret of the 1st device in the interval $[1, n-1]$, then $c$ is stored by the 1st device as a secret;
the two devices of this embodiment cooperatively compute, in the following way, integer secrets $d_0$, $d_1$, $d_2$ satisfying the relation $d_0(d_1+d_2) \bmod n = d$, where $d_0$ is an integer secret in the interval $[1, n-1]$ known only to the 1st device, $d_1$ is an integer secret in the interval $[0, n-1]$ known only to the 1st device, and $d_2$ is an integer secret in the interval $[0, n-1]$ known only to the 2nd device:
the 1st device randomly selects an integer in the interval $[1, n-1]$ as $d_0$, randomly selects an integer in the interval $[0, n-1]$ as $d_1$, randomly selects an integer $b_1$ in the interval $[1, n-1]$, and calculates $c_0 = (b_1 - d_1) \bmod n$, $c_1 = E(-b_1 + z_1 n)\,((((a_1 d_0) \bmod n)^{-1} + z_0 n) \odot c)$, where $((a_1 d_0) \bmod n)^{-1}$ is the modulo-$n$ multiplicative inverse of $(a_1 d_0) \bmod n$ (note that if the modulus of the additive homomorphic encryption for the plaintext being encrypted is $m$, $m$ is different from $n$);
or, alternatively,
the 1st device randomly selects an integer in the interval $[1, n-1]$ as $d_0$, randomly selects an integer in the interval $[0, n-1]$ as $d_1$, takes $c_0 = 0$, and calculates $c_1 = E(-d_1 + z_1 n)\,((((a_1 d_0) \bmod n)^{-1} + z_0 n) \odot c)$;
then the 1st device sends $c_0$, $c_1$ to the 2nd device;
the 2nd device calculates $d_2 = (c_0 + (D(c_1) \bmod n)) \bmod n$, where $D(\cdot)$ denotes the decryption operation of the additive homomorphic encryption scheme using the homomorphic encryption private key of the 2nd device;
in the above calculation process,
the operator rendered as an image in the original (Figure GDA0002540688500000131, not reproduced here) denotes the addition of ciphertexts under the homomorphic encryption (the result is the ciphertext of the sum of the corresponding plaintexts); it is the operation that joins the two ciphertext terms in the formulas for $c_1$, where no symbol survives between them. $\odot$ denotes the multiplication of a ciphertext by an integer under the homomorphic encryption (corresponding to the accumulated addition of multiple copies of the same ciphertext); $z_0$, $z_1$ are integers known only to the 1st device;
$z_0$ is an integer randomly selected by the 1st device, or an integer selected by the 1st device according to a predetermined rule, or an integer fixed by the 1st device by convention or requirement (including the fixed value 0), and $z_1$ is an integer randomly selected by the 1st device;
the values of $z_0$, $z_1$ are not restricted to $[1, n-1]$; they are integers (positive, negative, or 0). Given that the plaintext corresponding to $c$ (i.e. $(a_1 d) \bmod n$) lies in $[1, n-1]$, $z_0$, $z_1$ are chosen so that the plaintext corresponding to $c_1$ does not exceed the range representable in complement form by the plaintext of the additive homomorphic encryption, or so that the probability that the plaintext corresponding to $c_1$ exceeds that range is extremely small, where "extremely small" means a probability that is acceptable in the specific application.
In this embodiment, $c = E((a_1 d) \bmod n)$ can be calculated as follows.
If $d$ is known in advance, then in the initialization phase the device that knows $d$ in advance (one of the two devices, or a device other than the two) randomly selects an integer in $[1, n-1]$ as $a_1$, or takes $a_1$ to be a fixed integer (including $a_1 = 1$), calculates $c = E((a_1 d) \bmod n)$, and then hands $c$ and $a_1$ to the 1st device to store and use;
if $d$ is not known in advance, then in the initialization phase the two devices cooperatively generate $d$ and calculate $c = E((a_1 d) \bmod n)$; one way for the two devices to do so is as follows (not the only possible way):
the 1st device selects two integers in $[1, n-1]$ as $g_1$, $a_1$, calculates $g_0 = (g_1 a_1) \bmod n$, and sends $g_0$ to the 2nd device;
the 2nd device randomly selects an integer in $[1, n-1]$ as $g_2$ and calculates $c = E((g_0 g_2) \bmod n)$; then (implicitly) $d = (g_1 g_2) \bmod n$;
after that, the 2nd device delivers $c$ to the 1st device to store and use (after receiving $c$, the 1st device usually needs to check whether $c$ is an encryption of 0).
Embodiment 2
Embodiment 2 is an implementation, on the basis of Embodiment 1, of cooperative generation method one of the present invention for a number containing secrets.
On the basis of Embodiment 1, the 1st device has an integer secret w_1 randomly selected in [1, n-1], or an integer secret w_1 calculated from integer secrets randomly selected in [1, n-1]; the 2nd device has an integer secret w_2 randomly selected in [1, n-1], or an integer secret w_2 calculated from integer secrets randomly selected in [1, n-1]; the two devices cooperatively generate the number u = (w_1·w_2·(z + r·d)) mod n containing the secrets w_1, w_2 and d as follows, where z and r are non-secret integers in [1, n-1]:
first, the two devices calculate the integer secrets d_0, d_1, d_2 according to secret dynamic sharing method one;
then the 1st device calculates u_1 = ((d_0)^(-1)·z + r·d_1) mod n and w_0 = (d_0·w_1) mod n, where (d_0)^(-1) is the modulo-n multiplicative inverse of d_0;
the 1st device submits u_1 to the 2nd device;
the 2nd device calculates u_2 = (w_2·(u_1 + r·d_2)) mod n;
finally, the 1st device, or the 2nd device, or a device other than the two devices calculates u = (w_0·u_2) mod n (w_0 is a non-secret number);
then u is the required u = (w_1·w_2·(z + r·d)) mod n.
One specific application of this embodiment is to implement secret-sharing-based ECDSA digital signatures. Here the user private key d is the secret shared by the two devices; when a digital signature for a message M needs to be cooperatively generated using the user private key d, the 1st device and the 2nd device each randomly select in [1, n-1] an integer that must be kept secret, k_1 and k_2 respectively, and cooperatively calculate k_1·k_2·G = (x_1, y_1), then take r = x_1 mod n and e = hash(M); the two devices then take (k_1)^(-1) as w_1 and (k_2)^(-1) as w_2 respectively, where (k_1)^(-1) is the modulo-n multiplicative inverse of k_1 and (k_2)^(-1) is the modulo-n multiplicative inverse of k_2, take e as z, and, through the secret sharing of the user private key d (the user private key d being the shared secret d of the secret dynamic sharing method), cooperatively calculate u = ((k_1·k_2)^(-1)·(e + r·d)) mod n according to cooperative generation method one of the present invention for a number containing secrets; taking s = u, (r, s) is the digital signature for message M.
Another specific application of this embodiment is to enable secret sharing based SM9 signature private key collaborative generation.
At this time, there are two private key generators, the 1st and the 2nd private key generators, which correspond to the 1st and 2nd devices of the invention respectively; the 1st and 2nd private key generators each randomly select an integer in [1, n-1], w_1 and w_2 respectively, then take the hash value h_ID calculated from the user ID as z, take r = 1 and take the master key s as the shared secret d of secret dynamic sharing method one of the present invention, and cooperatively calculate u = (w_1·w_2·(h_ID + s)) mod n according to cooperative generation method one of the present invention for a number containing secrets;
Thereafter, the 1st private key generator calculates Q_1 = [(w_1·h_ID·u^(-1)) mod n]P_1, where u^(-1) is the modulo-n multiplicative inverse of u; the 1st private key generator submits Q_1 to the 2nd private key generator; the 2nd private key generator calculates Q_2 = P_1 - [w_2]G_1;
Alternatively, the 2nd private key generator calculates Q_1 = [(w_2·h_ID·u^(-1)) mod n]P_1, where u^(-1) is the modulo-n multiplicative inverse of u; the 1st private key generator submits Q_1 to the 1st private key generator; the 1st private key generator calculates Q_2 = P_1 - [w_1]G_1;
Then Q_2 is the private key d_A corresponding to the user ID.
Embodiment 3
This embodiment differs from Embodiment 2 in that u = (w_0·u_2) mod n is calculated by the 1st device (w_0 is of course not disclosed), the 1st device does not disclose the calculated u, and, when w_1 is an integer constant, d cannot be calculated from public data calculated using u, nor can secret data calculated using d be calculated from public data calculated using u; therefore in this embodiment w_1 takes an integer constant value; here the case of w_1 being an integer constant includes w_1 being a secret integer constant or a non-secret integer constant (where a non-secret integer constant includes the constant 1).
One specific application of this embodiment is to enable secret sharing based SM9 signature private key collaborative generation.
At this time, there are two private key generators, the 1st and the 2nd private key generators, which correspond to the 1st and 2nd devices of the invention respectively; the 1st private key generator takes w_1 = 1, and the 2nd private key generator randomly selects an integer in [1, n-1] as w_2; the two private key generators take the hash value h_ID calculated from the user ID as z, take r = 1 and take the master key s as the shared secret d, and cooperatively calculate u = (w_2·(h_ID + s)) mod n according to the cooperative generation method of the present invention for a number containing secrets, with u = (w_0·u_2) mod n calculated by the 1st private key generator; thereafter, the 1st private key generator calculates Q_1 = [(h_ID·u^(-1)) mod n]P_1, where u^(-1) is the modulo-n multiplicative inverse of u; the 1st private key generator submits Q_1 to the 2nd private key generator; the 2nd private key generator calculates Q_2 = P_1 - [w_2]G_1; then Q_2 is the private key d_A corresponding to the user ID.
Embodiment 4
This embodiment differs from Embodiment 3 in that u = (w_0·u_2) mod n is calculated by the 1st device (w_0 is of course not disclosed), the 1st device does not disclose the calculated u, and, when d_0 or d_1 is a secret integer constant, d cannot be calculated from public data calculated using u, nor can secret data calculated using d be calculated from public data calculated using u; accordingly, in this embodiment d_0 or d_1 is a secret integer constant.
One specific application scenario of this embodiment is for implementing secret sharing based SM9 signature private key collaborative generation.
At this time, there are two private key generators, the 1st and the 2nd private key generators, which correspond to the 1st and 2nd devices of the invention respectively; the 1st and 2nd private key generators each randomly select an integer in [1, n-1], w_1 and w_2 respectively, take the hash value h_ID calculated from the user ID as z, take r = 1, take the master key s as the shared secret d of secret dynamic sharing method one, and take d_0 or d_1 to be a secret integer constant; then u = (w_1·w_2·(h_ID + s)) mod n is obtained by cooperative calculation using the cooperative generation method of the present invention for a number containing secrets, with u = (w_0·u_2) mod n calculated by the 1st private key generator; thereafter, the 1st private key generator calculates Q_1 = [(w_1·h_ID·u^(-1)) mod n]P_1, where u^(-1) is the modulo-n multiplicative inverse of u; the 1st private key generator submits Q_1 to the 2nd private key generator; the 2nd private key generator calculates Q_2 = P_1 - [w_2]G_1; then Q_2 is the private key d_A corresponding to the user ID.
Embodiment 5
This embodiment differs from Embodiments 3 and 4 in that u = (w_0·u_2) mod n is calculated by the 1st device, the 1st device does not disclose the calculated u, and, when w_1 is an integer constant and d_0 or d_1 is a secret integer constant, d cannot be calculated from public data calculated using u, nor can secret data calculated using d be calculated from public data calculated using u; therefore in this embodiment w_1 is an integer constant and, correspondingly, d_0 or d_1 is a secret integer constant; here the case of w_1 being an integer constant includes w_1 being a secret integer constant or a non-secret integer constant (where a non-secret integer constant includes the constant 1).
One specific application scenario of this embodiment is for implementing secret sharing based SM9 signature private key collaborative generation.
At this time, there are two private key generators, the 1st and the 2nd private key generators, which correspond to the 1st and 2nd devices of the invention respectively; the 1st private key generator selects an integer in [1, n-1] as w_1 (w_1 = 1 may be taken), and the 2nd private key generator randomly selects an integer in [1, n-1] as w_2; the hash value h_ID calculated from the user ID is taken as z, r is taken as 1, the master key s is taken as the shared secret d of secret dynamic sharing method one, and d_0 or d_1 is taken to be a secret integer constant; u = (w_1·w_2·(h_ID + s)) mod n is obtained by cooperative calculation using the cooperative generation method of the present invention for a number containing secrets, with u = (w_0·u_2) mod n calculated by the 1st private key generator; thereafter, the 1st private key generator calculates Q_1 = [(w_1·h_ID·u^(-1)) mod n]P_1, where u^(-1) is the modulo-n multiplicative inverse of u; the 1st private key generator submits Q_1 to the 2nd private key generator; the 2nd private key generator calculates Q_2 = P_1 - [w_2]G_1; then Q_2 is the private key d_A corresponding to the user ID.
Embodiment 6
This embodiment differs from Embodiments 3, 4 and 5 in that u = (w_0·u_2) mod n is calculated by the 2nd device, the 2nd device does not disclose the calculated u, and, when w_2 is an integer constant, d cannot be calculated from public data calculated using u, nor can secret data calculated using d be calculated from public data calculated using u; therefore in this embodiment w_2 is an integer constant; here the case in which w_2 is allowed to be an integer constant includes w_2 being a secret integer constant or a non-secret integer constant (where a non-secret integer constant includes the constant 1).
One specific application of this embodiment is to enable secret sharing based SM9 signature private key collaborative generation.
At this time, there are two private key generators, the 1st and the 2nd private key generators, which correspond to the 1st and 2nd devices of the invention respectively; the 1st private key generator randomly selects an integer in [1, n-1] as w_1, and the 2nd private key generator takes w_2 = 1; the two private key generators use the hash value h_ID calculated from the user ID, take r = 1 and take the master key s as the secret d of secret dynamic sharing method one, and cooperatively calculate u = (w_1·(h_ID + s)) mod n according to cooperative generation method one of the present invention for a number containing secrets, with u = (w_0·u_2) mod n calculated by the 1st private key generator; thereafter, the 2nd private key generator calculates Q_1 = [(h_ID·u^(-1)) mod n]P_1, where u^(-1) is the modulo-n multiplicative inverse of u; the 1st private key generator submits Q_1 to the 1st private key generator; the 1st private key generator calculates Q_2 = P_1 - [w_1]G_1; then Q_2 is the private key d_A corresponding to the user ID.
Embodiment 7
This embodiment relates to secret dynamic sharing method two of the present invention. It includes two devices, called the 1st device and the 2nd device; in this embodiment, d is an integer secret in the interval [1, n-1] unknown to both devices, and n is a prime number; c = E((a_1·d) mod n) is calculated in advance, where E(·) denotes the encryption operation of additive homomorphic encryption using the homomorphic encryption public key of the 2nd device, and a_1 is an integer in the interval [1, n-1]; here a_1 is either a secret of the 1st device or not a secret of the 1st device; if a_1 is not a secret of the 1st device within the interval [1, n-1], the 1st device stores c as a secret;
in this embodiment, the two devices cooperatively calculate, as follows, integer secrets d_0, d_1, d_2 satisfying the relation (d_1 + d_0·d_2) mod n = d, where d_0 is an integer secret in the interval [1, n-1] known only to the 1st device, d_1 is an integer secret in the interval [0, n-1] known only to the 1st device, and d_2 is an integer secret in the interval [0, n-1] known only to the 2nd device:
the 1st device randomly selects an integer in the interval [1, n-1] as d_0, an integer in the interval [0, n-1] as d_1, and an integer b_1 in the interval [0, n-1], and calculates c_0 = (-(d_0)^(-1)·d_1 - b_1) mod n and c_1 = E(b_1 + z_1·n) ⊕ ((((a_1·d_0) mod n)^(-1) + z_0·n) ⊙ c), where (d_0)^(-1) is the modulo-n multiplicative inverse of d_0 and ((a_1·d_0) mod n)^(-1) is the modulo-n multiplicative inverse of (a_1·d_0) mod n (note that if the modulus of the plaintext numbers encrypted by the additive homomorphic encryption is m, then m is different from n);
or,
the 1st device randomly selects an integer in the interval [1, n-1] as d_0 and an integer in the interval [0, n-1] as d_1, takes c_0 = 0, and calculates c_1 = E(((-(d_0)^(-1)·d_1) mod n) + z_1·n) ⊕ ((((a_1·d_0) mod n)^(-1) + z_0·n) ⊙ c);
the 1st device sends c_0 and c_1 to the 2nd device;
the 2nd device calculates d_2 = (c_0 + (D(c_1) mod n)) mod n, where D(·) denotes the decryption operation of additive homomorphic encryption using the homomorphic encryption private key of the 2nd device;
in the above calculation process, ⊕ denotes the addition of ciphertext numbers in homomorphic encryption (corresponding to the encryption result of the sum of the corresponding plaintext numbers), and ⊙ denotes the multiplication of a plaintext number with a ciphertext number in homomorphic encryption (corresponding to the ⊕ accumulation of multiple copies of the same ciphertext number); z_0 and z_1 are integers known only to the 1st device;
z_0 is an integer randomly selected by the 1st device, or an integer selected by the 1st device according to a predetermined rule, or an integer fixed by the 1st device according to convention or requirement (including a fixed value of 0), and z_1 is an integer randomly selected by the 1st device;
z_0 and z_1 are not restricted to [1, n-1]; they are integers (which can be positive, negative or 0); when the plaintext number corresponding to c (i.e., (a_1·d) mod n) lies in the range [1, n-1], z_0 and z_1 are chosen so that the plaintext number corresponding to c_1 does not exceed the complement representation range of the plaintext numbers of the additive homomorphic encryption, or so that the probability that the plaintext number corresponding to c_1 exceeds that range is extremely small, where "extremely small" means a probability determined to be allowable in the specific application.
In this embodiment, c = E((a_1·d) mod n) is calculated as follows.
If d is known in advance, then in the initialization phase the device that knows d in advance (one of the two devices, or a device other than the two devices) randomly selects an integer in [1, n-1] as a_1, or takes a_1 to be a fixed integer (including a_1 = 1), calculates c = E((a_1·d) mod n), and then hands c and a_1 to the 1st device to store and use;
if d is not known in advance, then in the initialization phase the two devices cooperatively generate d and calculate c = E((a_1·d) mod n); one way for the two devices to cooperatively generate d and calculate c = E((a_1·d) mod n) is as follows (not the only possible way):
the 1st device selects two integers in [1, n-1] as g_1 and a_1, calculates g_0 = (g_1·a_1) mod n, and sends g_0 to the 2nd device;
the 2nd device randomly selects an integer in [1, n-1] as g_2 and calculates c = E((g_0·g_2) mod n); then (implicitly) d = (g_1·g_2) mod n;
After that, the 2nd device delivers c to the 1st device for storage and use (after receiving c, the 1st device usually needs to check whether c is the encryption result of 0).
Embodiment 8
Embodiment 8 is an implementation, on the basis of Embodiment 7, of cooperative generation method two of the present invention for a number containing secrets.
On the basis of Embodiment 7, the 1st device has an integer secret w_1 randomly selected in [1, n-1], or an integer secret w_1 calculated from integer secrets randomly selected in [1, n-1]; the 2nd device has an integer secret w_2 randomly selected in [1, n-1], or an integer secret w_2 calculated from integer secrets randomly selected in [1, n-1]; the two devices cooperatively generate the number u = (w_1·w_2·z + r·d) mod n containing the secrets w_1, w_2 and d in one of the following ways, where z and r are non-secret integers in [1, n-1]:
the first way is as follows:
first, the two devices calculate the integer secrets d_0, d_1, d_2 according to secret dynamic sharing method two;
then the 1st device randomly selects an integer v in [1, n-1], calculates t_0 = (v·d_0) mod n and t_1 = (v·w_1) mod n, and submits t_0 and t_1 to the 2nd device;
the 2nd device calculates u_1 = (w_2·z·t_1 + r·d_2·t_0) mod n and submits u_1 to the 1st device;
the 1st device calculates u = (v^(-1)·u_1 + r·d_1) mod n, where v^(-1) is the modulo-n multiplicative inverse of v;
then u is the result;
the second way is as follows:
first, the 1st device takes w_1 as d_0, and the two devices calculate the integer secrets d_1, d_2 according to secret dynamic sharing method two;
then the 2nd device calculates u_1 = (w_2·z + r·d_2) mod n and submits u_1 to the 1st device;
the 1st device calculates u = (w_1·u_1 + r·d_1) mod n;
then u is the required (w_1·w_2·z + r·d) mod n.
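The following Python sketch is an added example, not part of the patent text. It runs secret dynamic sharing methods one and two (Embodiments 1 and 7) and both cooperative generation methods (Embodiments 2 and 8) end to end, and shows what happens when z_0 and z_1 are chosen so large that the plaintext of c_1 leaves the representable range. It assumes Paillier as the additive homomorphic scheme and uses constructed toy parameters (n = 2^127 - 1, Mersenne primes for the encryption modulus); all function names are illustrative.

```python
import secrets

N = 2**127 - 1                     # prime n (constructed stand-in for a group order)
P, Q = 2**521 - 1, 2**607 - 1      # toy Paillier primes (constructed, not secure)
M = P * Q                          # plaintext modulus m of the encryption, m > n
M2, PHI = M * M, (P - 1) * (Q - 1)
MU = pow(PHI, -1, M)

def E(m):
    """Encrypt integer m (may be negative) under the 2nd device's public key."""
    rho = 1 + secrets.randbelow(M - 1)
    return (1 + (m % M) * M) * pow(rho, M, M2) % M2

def D(c):
    """Decrypt with the 2nd device's private key; result in signed (complement) form."""
    m = (pow(c, PHI, M2) - 1) // M * MU % M
    return m - M if m > M // 2 else m

def hadd(ca, cb):                  # the ⊕ operation: E(x) ⊕ E(y) encrypts x + y
    return ca * cb % M2

def hmul(k, c):                    # the ⊙ operation: k ⊙ E(x) encrypts k * x
    return pow(c, k % M, M2)

def rnd(lo):                       # uniform integer in [lo, n-1]
    return lo + secrets.randbelow(N - lo)

def inv(x):                        # modulo-n multiplicative inverse
    return pow(x, -1, N)

def setup():
    """Cooperative initialization: d = (g1*g2) mod n is held by neither device."""
    g1, a1 = rnd(1), rnd(1)        # 1st device
    g0 = g1 * a1 % N               # 1st device -> 2nd device
    g2 = rnd(1)                    # 2nd device
    c = E(g0 * g2 % N)             # 2nd device -> 1st device: c = E((a1*d) mod n)
    return a1, c, g1 * g2 % N      # d is returned only so the checks can compare

def mask(a1, d0, c, pad, z_bits):
    """1st device: E(pad + z1*n) ⊕ ((((a1*d0) mod n)^-1 + z0*n) ⊙ c)."""
    z0, z1 = secrets.randbits(z_bits), secrets.randbits(z_bits)
    return hadd(E(pad + z1 * N), hmul(inv(a1 * d0 % N) + z0 * N, c))

def share_one(a1, c, z_bits=64):
    """Method one: d0*(d1 + d2) = d (mod n)."""
    d0, d1, b1 = rnd(1), rnd(0), rnd(0)            # 1st device
    c0, c1 = (b1 - d1) % N, mask(a1, d0, c, -b1, z_bits)
    d2 = (c0 + D(c1) % N) % N                      # 2nd device
    return d0, d1, d2

def share_two(a1, c, d0=None, z_bits=64):
    """Method two: d1 + d0*d2 = d (mod n); d0 may be preset, e.g. to w1."""
    d0, d1, b1 = d0 or rnd(1), rnd(0), rnd(0)      # 1st device
    c0 = (-inv(d0) * d1 - b1) % N
    c1 = mask(a1, d0, c, b1, z_bits)
    d2 = (c0 + D(c1) % N) % N                      # 2nd device
    return d0, d1, d2

def gen_one(w1, w2, z, r, d0, d1, d2):
    """u = w1*w2*(z + r*d) mod n from method-one shares (Embodiment 2)."""
    u1 = (inv(d0) * z + r * d1) % N                # 1st device -> 2nd device
    w0 = d0 * w1 % N                               # 1st device
    u2 = w2 * (u1 + r * d2) % N                    # 2nd device
    return w0 * u2 % N

def gen_two_a(w1, w2, z, r, d0, d1, d2):
    """u = (w1*w2*z + r*d) mod n, first way of Embodiment 8."""
    v = rnd(1)                                     # 1st device's blinding value
    t0, t1 = v * d0 % N, v * w1 % N                # 1st device -> 2nd device
    u1 = (w2 * z * t1 + r * d2 * t0) % N           # 2nd device -> 1st device
    return (inv(v) * u1 + r * d1) % N

def gen_two_b(w1, w2, z, r, d1, d2):
    """u = (w1*w2*z + r*d) mod n, second way of Embodiment 8 (d0 = w1)."""
    u1 = (w2 * z + r * d2) % N                     # 2nd device -> 1st device
    return (w1 * u1 + r * d1) % N

if __name__ == "__main__":
    a1, c, d = setup()
    w1, w2, z, r = rnd(1), rnd(1), rnd(1), rnd(1)
    print(gen_one(w1, w2, z, r, *share_one(a1, c)) == w1 * w2 * (z + r * d) % N)
    print(gen_two_a(w1, w2, z, r, *share_two(a1, c)) == (w1 * w2 * z + r * d) % N)
    _, d1, d2 = share_two(a1, c, d0=w1)
    print(gen_two_b(w1, w2, z, r, d1, d2) == (w1 * w2 * z + r * d) % N)
    bad = share_one(a1, c, z_bits=1200)            # z0, z1 too large: plaintext wraps mod m
    print(bad[0] * (bad[1] + bad[2]) % N == d)
```

The last check is the range condition on z_0 and z_1 in practice: once the plaintext of c_1 wraps around the encryption modulus m, D(c_1) mod n no longer equals the intended value and the shares stop reconstructing d.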
One specific application of this embodiment is to enable secret sharing based SM2 digital signature co-generation.
Let G be the base point of the elliptic curve point group, the prime number n be the order of G (i.e., the order of the elliptic curve point group), and d_A be the user's private key; G_d = [1 + d_A]G is calculated in advance (in SM2, [k]G denotes the k-fold multiple of G, i.e. the point sum of k copies of G); when the message M needs to be digitally signed using the user's private key, the 1st device and the 2nd device each randomly select an integer in [1, n-1], k_1 and k_2 respectively, and cooperatively calculate [k_1·k_2]G_d = (x_1, y_1), and take r = (e + x_1) mod n, where e is the hash value of message M; the two devices then take (1 + d_A)^(-1) as the secret d of secret dynamic sharing method two, k_1 as w_1, k_2 as w_2 and z = 1, and, using the calculated r, cooperatively calculate s_0 = (k_1·k_2 + r·(1 + d_A)^(-1)) mod n according to cooperative generation method two of the present invention for a number containing secrets, then calculate s = (s_0 - r) mod n; then (r, s) is the digital signature for message M.
Another specific application of this embodiment is to enable secret sharing based SM9 digital signature co-generation.
There is a bilinear mapping e: G_1 × G_2 → G_T, where G_1 and G_2 are additive cyclic groups, G_T is a multiplicative cyclic group, and the order of G_1, G_2, G_T is a prime number n (note: in the SM9 specification the order of G_1, G_2, G_T is denoted by the capital letter N, while this patent application uses the lowercase n); P_1 is a generator of G_1, and P_pub is the master public key (i.e. P_pub = [s]P_2, where s is the master private key or master key and P_2 is a generator of G_2; see the SM9 specification; note that the symbols used here for the master private key or master key, the master public key and the user identification private key differ slightly from the SM9 specification).
Let d_A be the user's SM9 identification private key; precalculate g_b = g^(b^(-1)) and P_A = [b^(-1)]d_A, where b is a randomly selected integer in [1, n-1] kept as a secret, d_A is the user's private key, g = e(P_1, P_pub), and ^ denotes exponentiation (the element before ^ is raised to the power given by the integer after ^);
when the message M needs to be digitally signed using the user private key d_A, the 1st device and the 2nd device each randomly select an integer in [1, n-1], r_1 and r_2 respectively, cooperatively calculate w = g_b^(r_1·r_2), and calculate h = H_2(M || w, n), where H_2 is the hash function specified in SM9, M || w denotes the string concatenation of M and w, and n is the order of G_1, G_2, G_T (see the SM9 specification); the two devices then take r_1 as w_1, r_2 as w_2, z = 1 and -b as the secret d of secret dynamic sharing method two, and cooperatively calculate u = (r_1·r_2 - b·h) mod n according to cooperative generation method two of the present invention for a number containing secrets; finally S = [u]P_A is calculated, and (h, S) is the generated digital signature for message M.
Embodiment 9
This embodiment differs from Embodiment 8 in that the 1st device does not disclose the calculated u, and, when one, two or all of the three parameters w_1, d_0, d_1 are integer constants, d cannot be calculated from public data calculated using u, nor can secret data calculated using d be calculated from public data calculated using u; therefore in this embodiment the 1st device takes one, two or all of the three parameters w_1, d_0, d_1 to be integer constants; the case in which one, two or all of w_1, d_0, d_1 are integer constants includes allowing one, two or all of them to be secret integer constants or non-secret integer constants (where a non-secret integer constant includes the constant 1), and allowing one of d_0, d_1 to be a non-secret integer constant and the other a secret integer constant, or both to be secret integer constants; however, d_0 and d_1 cannot both be non-secret integer constants.
One application of this embodiment is the cooperative generation of the SM2 or SM9 digital signature described in Embodiment 8, where the digital signature is used for the authentication of the 1st device to the 2nd device, the message M is a random string returned to the 2nd device by the 1st device during authentication, and the finally formed digital signature (r, s) or (h, S) does not need to be disclosed; after the validity of the digital signature has been verified by the 1st device using the 2nd device's public key, the digital signature does not need to be reused and is discarded by the 1st device; in this case, therefore, one, two or all of the three parameters w_1, d_0, d_1 may be integer constants, even allowing w_1 and one of d_0 and d_1 to be non-secret constants.
A cooperative generation system for a number containing secrets can be constructed based on the cooperative generation methods of the present invention; the system includes two devices, called the 1st device and the 2nd device; the two devices cooperatively generate the number u = (w_1·w_2·(z + r·d)) mod n containing the secrets w_1, w_2 and d according to cooperative generation method one, or cooperatively generate the number u = (w_1·w_2·z + r·d) mod n containing the secrets w_1, w_2 and d according to cooperative generation method two.
Other specific technical implementations not described here are well known and self-evident to those skilled in the relevant art.

Claims (10)

1. A secret dynamic sharing method is characterized in that:
the secret dynamic sharing method involves two devices, referred to as the 1 st device and the 2 nd device;
d is an integer secret unknown to both devices within the interval [1, n-1], n is a prime number;
c = E((a_1·d) mod n) is calculated in advance, where E(·) denotes the encryption operation of additive homomorphic encryption using the homomorphic encryption public key of the 2nd device, and a_1 is an integer in the interval [1, n-1];
a_1 is either a secret of the 1st device or not a secret of the 1st device; if a_1 is not a secret of the 1st device within the interval [1, n-1], the 1st device stores c as a secret;
the two devices cooperatively calculate, as follows, integer secrets d_0, d_1, d_2 satisfying the relation (d_0·(d_1 + d_2)) mod n = d, where d_0 is an integer secret in the interval [1, n-1] known only to the 1st device, d_1 is an integer secret in the interval [0, n-1] known only to the 1st device, and d_2 is an integer secret in the interval [0, n-1] known only to the 2nd device:
the 1st device randomly selects an integer in the interval [1, n-1] as d_0, an integer in the interval [0, n-1] as d_1, and an integer b_1 in the interval [0, n-1], and calculates c_0 = (b_1 - d_1) mod n and c_1 = E(-b_1 + z_1·n) ⊕ ((((a_1·d_0) mod n)^(-1) + z_0·n) ⊙ c), where ((a_1·d_0) mod n)^(-1) is the modulo-n multiplicative inverse of (a_1·d_0) mod n;
or,
the 1st device randomly selects an integer in the interval [1, n-1] as d_0 and an integer in the interval [0, n-1] as d_1, takes c_0 = 0, and calculates c_1 = E(-d_1 + z_1·n) ⊕ ((((a_1·d_0) mod n)^(-1) + z_0·n) ⊙ c);
Then, the 1st device sends c_0 and c_1 to the 2nd device;
the 2nd device calculates d_2 = (c_0 + (D(c_1) mod n)) mod n, where D(·) denotes the decryption operation of additive homomorphic encryption using the homomorphic encryption private key of the 2nd device;
in the above calculation process, ⊕ denotes the addition of ciphertext numbers in homomorphic encryption, ⊙ denotes the multiplication of a plaintext number with a ciphertext number in homomorphic encryption, and z_0 and z_1 are integers known only to the 1st device;
z_0 is an integer randomly selected by the 1st device, or an integer selected by the 1st device according to a predetermined rule, or an integer fixed by the 1st device according to convention or requirement, and z_1 is an integer randomly selected by the 1st device;
z_0 and z_1 are not restricted to [1, n-1]; they are integers; when the plaintext number corresponding to c lies in the range [1, n-1], z_0 and z_1 are chosen so that the plaintext number corresponding to c_1 does not exceed the complement representation range of the plaintext numbers of the additive homomorphic encryption, or so that the probability that the plaintext number corresponding to c_1 exceeds that range is extremely small, where "extremely small" means a probability determined to be allowable in the specific application;
the modulus m of the arithmetic on encrypted plaintext numbers in the additive homomorphic encryption used in the above calculation process is greater than n.
2. The secret dynamic sharing method according to claim 1, wherein:
if d is known in advance, then in the initialization phase the device that knows d in advance randomly selects an integer in [1, n-1] as a_1, or takes a_1 to be a fixed integer, calculates c = E((a_1·d) mod n), and then hands c and a_1 to the 1st device to store and use;
if d is not known in advance, then in the initialization phase the two devices cooperatively generate d and calculate c = E((a_1·d) mod n); the two devices obtain c = E((a_1·d) mod n) by calculation as follows:
the 1st device selects two integers in [1, n-1] as g_1 and a_1, calculates g_0 = (g_1·a_1) mod n, and sends g_0 to the 2nd device;
the 2nd device randomly selects an integer in [1, n-1] as g_2 and calculates c = E((g_0·g_2) mod n); then d = (g_1·g_2) mod n;
After that, the 2nd device transfers c to the 1st device for storage and use.
3. A cooperative generation method of a number including a secret based on the secret dynamic sharing method according to claim 1 or 2, characterized in that:
the 1st device has an integer secret w_1 randomly selected in [1, n-1], or an integer secret w_1 calculated from integer secrets randomly selected in [1, n-1]; the 2nd device has an integer secret w_2 randomly selected in [1, n-1], or an integer secret w_2 calculated from integer secrets randomly selected in [1, n-1]; the two devices cooperatively generate the number u = (w_1·w_2·(z + r·d)) mod n containing the secrets w_1, w_2 and d as follows, where z and r are non-secret integers in [1, n-1]:
first, the two devices calculate the integer secrets d_0, d_1, d_2 according to the secret dynamic sharing method;
then the 1st device calculates u_1 = ((d_0)^(-1)·z + r·d_1) mod n and w_0 = (d_0·w_1) mod n, where (d_0)^(-1) is the modulo-n multiplicative inverse of d_0;
the 1st device submits u_1 to the 2nd device;
the 2nd device calculates u_2 = (w_2·(u_1 + r·d_2)) mod n;
Finally, the 1st device, or the 2nd device, or a device other than the two devices calculates u = (w_0·u_2) mod n;
Then u is the result.
4. The cooperative generation method of a number including a secret according to claim 3, comprising:
if u = (w_0·u_2) mod n is calculated by the 1st device, the 1st device does not disclose the calculated u, and, when w_1 is an integer constant, d cannot be calculated from public data calculated using u, nor can secret data calculated using d be calculated from public data calculated using u, then w_1 is allowed to be an integer constant;
if u = (w_0·u_2) mod n is calculated by the 1st device, the 1st device does not disclose the calculated u, and, when d_0 or d_1 is a secret integer constant, d cannot be calculated from public data calculated using u, nor can secret data calculated using d be calculated from public data calculated using u, then correspondingly d_0 or d_1 is allowed to be a secret integer constant;
if u = (w_0·u_2) mod n is calculated by the 1st device, the 1st device does not disclose the calculated u, and, when w_1 is an integer constant and d_0 or d_1 is a secret integer constant, d cannot be calculated from public data calculated using u, nor can secret data calculated using d be calculated from public data calculated using u, then w_1 is allowed to be an integer constant and correspondingly d_0 or d_1 is allowed to be a secret integer constant;
if u = (w_0·u_2) mod n is calculated by the 2nd device, the 2nd device does not disclose the calculated u, and, when w_2 is an integer constant, d cannot be calculated from public data calculated using u, nor can secret data calculated using d be calculated from public data calculated using u, then w_2 is allowed to be an integer constant;
the case in which said w_1 or w_2 is allowed to be an integer constant includes allowing w_1 or w_2 to be a secret integer constant or a non-secret integer constant.
5. A cooperative generation system of numbers including secrets based on the cooperative generation method of numbers including secrets according to claim 4, characterized in that:
the system includes two devices, called the 1st device and the 2nd device; the two devices cooperatively generate the number u = (w_1·w_2·(z + r·d)) mod n containing the secrets w_1, w_2 and d according to said cooperative generation method for a number containing secrets.
6. A secret dynamic sharing method is characterized in that:
the secret dynamic sharing method involves two devices, referred to as the 1st device and the 2nd device;
$d$ is an integer secret within the interval $[1, n-1]$ that is unknown to both devices, and $n$ is a prime number;
$c = E((a_1 d) \bmod n)$ is calculated in advance, where $E(\cdot)$ represents the encryption operation of additive homomorphic encryption using the homomorphic encryption public key of the 2nd device, and $a_1$ is an integer within the interval $[1, n-1]$;
$a_1$ is a secret of the 1st device or is not a secret of the 1st device; if $a_1$ is not a secret within the interval $[1, n-1]$ belonging to the 1st device, the 1st device stores $c$ as a secret;
the two devices cooperatively calculate, as follows, integer secrets $d_0$, $d_1$, $d_2$ satisfying the relation $(d_1 + d_0 d_2) \bmod n = d$, where $d_0$ is an integer secret within the interval $[1, n-1]$ known only to the 1st device, $d_1$ is an integer secret within the interval $[0, n-1]$ known only to the 1st device, and $d_2$ is an integer secret within the interval $[0, n-1]$ known only to the 2nd device:
the 1st device randomly selects an integer within the interval $[1, n-1]$ as $d_0$, randomly selects an integer within the interval $[0, n-1]$ as $d_1$, randomly selects an integer $b_1$ within the interval $[0, n-1]$, and calculates $c_0 = (-(d_0)^{-1} d_1 - b_1) \bmod n$ and $c_1 = E(b_1 + z_1 n) \oplus ((((a_1 d_0) \bmod n)^{-1} + z_0 n) \odot c)$, where $(d_0)^{-1}$ is the modulo-$n$ multiplicative inverse of $d_0$ and $((a_1 d_0) \bmod n)^{-1}$ is the modulo-$n$ multiplicative inverse of $(a_1 d_0) \bmod n$;
or,
the 1st device randomly selects an integer within the interval $[1, n-1]$ as $d_0$, randomly selects an integer within the interval $[0, n-1]$ as $d_1$, takes $c_0 = 0$, and calculates $c_1 = E(((-(d_0)^{-1} d_1) \bmod n) + z_1 n) \oplus ((((a_1 d_0) \bmod n)^{-1} + z_0 n) \odot c)$;
the 1st device sends $c_0$, $c_1$ to the 2nd device;
the 2nd device calculates $d_2 = (c_0 + (D(c_1) \bmod n)) \bmod n$, where $D(\cdot)$ represents the decryption operation of additive homomorphic encryption using the homomorphic encryption private key of the 2nd device;
in the above calculation, $\oplus$ represents the addition of ciphertext numbers in homomorphic encryption, $\odot$ represents the multiplication of a plaintext number by a ciphertext number in homomorphic encryption, and $z_0$, $z_1$ are integers known only to the 1st device;
$z_0$ is an integer randomly selected by the 1st device, or an integer selected by the 1st device according to a predetermined rule, or an integer fixedly selected by the 1st device according to a convention or requirement, and $z_1$ is an integer randomly selected by the 1st device;
the values of $z_0$, $z_1$ are not limited to $[1, n-1]$, and $z_0$, $z_1$ are integers; when the plaintext number corresponding to $c$ takes a value in the range $[1, n-1]$, $z_0$, $z_1$ are chosen so that the plaintext number corresponding to $c_1$ does not exceed the representation range of the complement of the plaintext numbers of the additive homomorphic encryption, or so that the probability that the complement of the plaintext number corresponding to $c_1$ exceeds that representation range is minimal, where the minimal probability refers to the allowed probability determined in a particular application;
the modulus $m$ of the arithmetic operations that the additive homomorphic encryption used in the above calculation performs on the encrypted plaintext numbers is greater than $n$.
7. The secret dynamic sharing method according to claim 6, wherein:
if $d$ is known in advance, then in the initialization phase the device that knows $d$ in advance randomly selects an integer within $[1, n-1]$ as $a_1$, or takes $a_1$ to be a fixed integer, calculates $c = E((a_1 d) \bmod n)$, and then hands $c$, $a_1$ to the 1st device for storage and use;
if $d$ is not known in advance, the two devices cooperatively generate $d$ and calculate $c = E((a_1 d) \bmod n)$ in the initialization phase, as follows:
the 1st device selects two integers within $[1, n-1]$ as $g_1$, $a_1$, calculates $g_0 = (g_1 a_1) \bmod n$, and sends $g_0$ to the 2nd device;
the 2nd device randomly selects an integer within $[1, n-1]$ as $g_2$ and calculates $c = E((g_0 g_2) \bmod n)$, so that $d = (g_1 g_2) \bmod n$;
after that, the 2nd device transfers $c$ to the 1st device for storage and use.
8. A cooperative generation method of a number including a secret based on the secret dynamic sharing method according to claim 6 or 7, characterized in that:
the 1st device has an integer secret $w_1$ randomly selected within $[1, n-1]$, or an integer secret $w_1$ calculated from an integer secret randomly selected within $[1, n-1]$; the 2nd device has an integer secret $w_2$ randomly selected within $[1, n-1]$, or an integer secret $w_2$ calculated from an integer secret randomly selected within $[1, n-1]$; the two devices cooperatively generate, in one of the following ways, the number $u = (w_1 w_2 z + rd) \bmod n$ containing the secrets $w_1$, $w_2$ and $d$, where $z$, $r$ are non-secret integers within $[1, n-1]$:
the first method is as follows:
first, the two devices calculate the integer secrets $d_0$, $d_1$, $d_2$ according to said secret dynamic sharing method;
thereafter, the 1st device randomly selects an integer $v$ within $[1, n-1]$, calculates $t_0 = (v d_0) \bmod n$ and $t_1 = (v w_1) \bmod n$, and submits $t_0$, $t_1$ to the 2nd device;
the 2nd device calculates $u_1 = (w_2 z t_1 + r d_2 t_0) \bmod n$ and submits $u_1$ to the 1st device;
the 1st device calculates $u = (v^{-1} u_1 + r d_1) \bmod n$, where $v^{-1}$ is the modulo-$n$ multiplicative inverse of $v$;
then $u$ is the result;
the second method is as follows:
first, with the 1st device taking $w_1$ as $d_0$, the two devices calculate the integer secrets $d_1$, $d_2$ according to said secret dynamic sharing method;
thereafter, the 2nd device calculates $u_1 = (w_2 z + r d_2) \bmod n$ and submits $u_1$ to the 1st device;
the 1st device calculates $u = (w_1 u_1 + r d_1) \bmod n$;
then $u$ is the result.
9. The cooperative generation method of a number including a secret according to claim 8, comprising:
if the 1st device does not disclose the calculated $u$, and, in the case where one, two or all of the three parameters $w_1$, $d_0$, $d_1$ are integer constants, $d$ cannot be calculated from the public data calculated using $u$ and the secret data calculated using $d$ cannot be calculated from the public data calculated using $u$, then the corresponding one, two or all of the three parameters $w_1$, $d_0$, $d_1$ are allowed to be integer constants;
the case where the corresponding one, two or all of the three parameters $w_1$, $d_0$, $d_1$ are allowed to be integer constants includes allowing $w_1$ to be a secret integer constant or a non-secret integer constant, and allowing one of $d_0$, $d_1$ to be a non-secret integer constant and the other a secret integer constant, or both to be secret integer constants, but $d_0$, $d_1$ cannot both be non-secret integer constants.
10. A cooperative generation system of a number with a secret according to the cooperative generation method of a number with a secret of claim 9, comprising:
the system includes two devices referred to as device 1, device 2; the two devices cooperatively generate the inclusion secret w according to the cooperative generation method of the number including the secret1、w2And d is the number u ═ w1w2z+rd)mod n。
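The exchange in claims 6 and 8, run end to end as an added example (not code from the patent). It assumes Paillier as the additive homomorphic scheme with constructed toy primes, a 61-bit prime n, and z0, z1 drawn below 2^32 so that the plaintext of c1 stays below the modulus m; all function names are hypothetical.

```python
# Added example, not the patent's code; all parameters below are constructed toy values.
import math, secrets

N = 2**61 - 1                    # prime n (toy size)
P, Q = 2**127 - 1, 2**89 - 1     # toy Paillier primes, so modulus m = P*Q > n
M, M2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
MU = pow(LAM, -1, M)             # the 2nd device's private key is (LAM, MU)

def E(x):                        # Paillier encryption, generator g = M + 1
    rho = secrets.randbelow(M - 1) + 1   # coprime to M except with negligible probability
    return (1 + x * M) * pow(rho, M, M2) % M2

def D(c):                        # Paillier decryption, 2nd device only
    return (pow(c, LAM, M2) - 1) // M * MU % M

def rand(lo):                    # uniform integer in [lo, n-1]
    return lo + secrets.randbelow(N - lo)

def share(c, a1, d0=None):       # 1st device, claim 6 (first variant, with b1)
    d0, d1, b1 = d0 or rand(1), rand(0), rand(0)
    z0, z1 = secrets.randbelow(2**32), secrets.randbelow(2**32)
    c0 = (-pow(d0, -1, N) * d1 - b1) % N
    k = pow(a1 * d0 % N, -1, N) + z0 * N          # plaintext multiplier applied to c
    c1 = E(b1 + z1 * N) * pow(c, k, M2) % M2      # E(b1 + z1 n) (+) (k (.) c)
    return d0, d1, c0, c1

def d2_from(c0, c1):             # 2nd device: d2 = (c0 + (D(c1) mod n)) mod n
    return (c0 + D(c1) % N) % N

def method_one(w1, w2, z, r, d0, d1, d2):         # claim 8, first method
    v = rand(1)
    t0, t1 = v * d0 % N, v * w1 % N               # 1st -> 2nd device
    u1 = (w2 * z * t1 + r * d2 * t0) % N          # 2nd -> 1st device
    return (pow(v, -1, N) * u1 + r * d1) % N

def method_two(w1, w2, z, r, d1, d2):             # claim 8, second method (d0 = w1)
    u1 = (w2 * z + r * d2) % N                    # 2nd -> 1st device
    return (w1 * u1 + r * d1) % N

def demo():
    d, a1, w1, w2, z, r = (rand(1) for _ in range(6))
    c = E(a1 * d % N)                             # precomputed c = E((a1 d) mod n)
    d0, d1, c0, c1 = share(c, a1)
    d2 = d2_from(c0, c1)
    e1, c0b, c1b = share(c, a1, d0=w1)[1:]        # fresh sharing with d0 fixed to w1
    e2 = d2_from(c0b, c1b)
    want = (w1 * w2 * z + r * d) % N
    return ((d1 + d0 * d2) % N == d, method_one(w1, w2, z, r, d0, d1, d2) == want,
            method_two(w1, w2, z, r, e1, e2) == want)
```

Each call to `demo()` re-shares d with fresh d0, d1, d2; the 2nd device only ever sees c0, c1, t0, t1, and the 1st device only sees u1.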
CN201911056875.2A 2019-10-31 2019-10-31 Secret dynamic sharing-based collaborative generation method and system for number containing secret Active CN110798313B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911056875.2A CN110798313B (en) 2019-10-31 2019-10-31 Secret dynamic sharing-based collaborative generation method and system for number containing secret

Publications (2)

Publication Number Publication Date
CN110798313A CN110798313A (en) 2020-02-14
CN110798313B true CN110798313B (en) 2020-10-02

Family

ID=69442390

Country Status (1)

Country Link
CN (1) CN110798313B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant