CN113507374A - Threshold signature method, device, equipment and storage medium - Google Patents

Threshold signature method, device, equipment and storage medium Download PDF

Info

Publication number
CN113507374A
CN113507374A CN202110748702.8A CN202110748702A CN113507374A CN 113507374 A CN113507374 A CN 113507374A CN 202110748702 A CN202110748702 A CN 202110748702A CN 113507374 A CN113507374 A CN 113507374A
Authority
CN
China
Prior art keywords
secret
signature
participant
commitment
value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110748702.8A
Other languages
Chinese (zh)
Other versions
CN113507374B (en
Inventor
童世红
柳宇航
胡慧潘
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hundsun Technologies Inc
Original Assignee
Hundsun Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hundsun Technologies Inc filed Critical Hundsun Technologies Inc
Priority to CN202110748702.8A priority Critical patent/CN113507374B/en
Publication of CN113507374A publication Critical patent/CN113507374A/en
Application granted granted Critical
Publication of CN113507374B publication Critical patent/CN113507374B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a threshold signature method, a device, equipment and a storage medium based on SM2 signature algorithm, wherein in the sharing link of secret inverse elements, a homomorphic encryption public key of an opposite side is used for encrypting temporary secrets, ciphertext and interference factors by a homomorphic encryption method to obtain first encrypted data, when the opposite side verifies that zero knowledge proves to be legal, a homomorphic encryption private key of the opposite side is used for decrypting first encrypted data to obtain first interactive secrets, after a basic value of the shared secrets is calculated, the basic value of the shared secrets of each participant is used for calculating to obtain the inverse elements of the shared secrets; it can be seen that: the homomorphic encryption method is adopted to complete the inverse element of the shared secret, and the order doubling of a polynomial does not exist, so that in the (t, n) threshold, only the participant n of the threshold signature method based on the SM2 signature algorithm needs to be more than or equal to the participant t participating in the signature, and an effective digital signature can be generated without 2t +1 participants.

Description

Threshold signature method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of data processing, in particular to a threshold signature method, a device, equipment and a storage medium based on an SM2 signature algorithm.
Background
The SM2 digital signature means that for a public-private key pair [ d, P ] and a plaintext M, a signer holding a secret key d generates a digital string which cannot be forged by others, and other users can use the public key P and the plaintext M for verification. In the (t, n) threshold signature scheme, the secret key is shared as a share among n participants, any more than t participants can calculate the final signature, and any information about the private key and the sub-private keys of the participants is not disclosed in the scheme execution process.
Based on this, there is a threshold signature scheme based on the SM2 signature algorithm in the prior art. In the current threshold signature scheme based on the SM2 signature algorithm, in the distributed key generation stage, the secret inverse elements need to be shared, order doubling of the polynomial exists during the sharing of the secret inverse elements, n is not less than 2t, and 2t +1 participators can generate an effective digital signature.
Disclosure of Invention
In view of this, embodiments of the present invention provide a threshold signature method, apparatus, device and storage medium based on the SM2 signature algorithm, so that only n is greater than or equal to t, and only t participants are needed to generate an effective signature.
In order to achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
the first aspect of the present application provides a threshold signature method based on an SM2 signature algorithm, including three stages of generating a distributed key, signing a plaintext to be signed, and verifying a signature, where sharing of a secret inverse element in the stage of generating the distributed key includes:
method for encrypting self temporary secret by homomorphic encryption public key of opposite partya i Cipher textE j (k j ) And interference factorβ i,j Obtaining first encrypted data; wherein the ciphertextE j (k j ) Use of a homomorphic encryption public key P by the opposite party j Encrypting its own random secret k j Obtaining; the opponents refer to n participators of the threshold signature method based on SM2 signature algorithmEach participant in (a);
calculating the temporary secreta i And interference factorβ i,j Zero knowledge proof of (2);
sending the temporary secret and a zero-knowledge proof of an interference factor, and the first encrypted data to the other party;
receiving a base value delta of the shared secret sent by the other partyi(ii) a Wherein the base value of the shared secret is used by the partner with its own temporary secreta i Random secret k i Interference factor, and a first interaction secret alpha for each participanti,jCalculating to obtain; wherein the first interaction secret ai,jWhen the other party verifies that the zero knowledge proof of the temporary secret and the interference factor is legal, decrypting the first encrypted data by using a homomorphic encryption private key of the other party to obtain the first encrypted data;
and calculating to obtain the inverse element of the shared secret by using the basic value of the shared secret of each participant.
Optionally, the signing plaintext to be signed includes:
method for homomorphic encryption by using homomorphic encryption public key of opposite party participant, encryption weight value wiCipher textE j (k j ) And interference factorβ i,j Obtaining second encrypted data; wherein the ciphertextE j (k j ) Use of a homomorphic cryptographic public key P by a counterpart participant j Encrypting a random secret k j Obtaining; the weight value wiSharing shares s by secretiConverting to obtain; the counterparty participant refers to each participant in the signed set of participants;
calculating the weight value wiAnd interference factorβ i,j Zero knowledge proof of (2);
sending zero knowledge proof of the weight value and the interference factor and second encrypted data to the opposite party participant;
receiving a random secret k sent by a counterpart participant j The second commitment of (a);
after verifying the random secret k j When the second commitment is legal, obtaining the random secret k j Target value k in the second commitment ofjG, using a random secret k for each participant j Target value k in the second commitment ofjG, calculating to obtain a target value R, and calculating to obtain a first signature value R by using the target value R and an integer e corresponding to the plaintext M to be signed;
calculating to obtain the signature basic value s of the selfiAnd using the signature base value s of each participantiThe first signature value r is calculated to obtain a second signature value s; wherein the signature base value siUsing the base value deltaiWeight value wiAnd the first signature value r is obtained by calculation; the base value deltaiUsing its own weight value wiRandom secret k i Interference factor and second interaction secret alpha of each participanti,jCalculating to obtain; the second interaction secret ai,jWhen the opposite party verifies that the zero knowledge proof of the weight value and the interference factor is legal, the second encrypted data is decrypted by using a homomorphic encryption private key of the opposite party to obtain the second encrypted data;
and combining the first signature value and the second signature value to obtain a final signature (r, s).
Optionally, the signing is performed before plaintext to be signed, and the method further includes generating a participant set participating in the signing, where the generating the participant set participating in the signing includes:
generating a homomorphic encryption public key and a homomorphic encryption private key pair, and calculating to obtain a first commitment and a second commitment; the first commitment is a commitment of an integer e corresponding to an elliptic curve base point G, a public key P and a plaintext M to be signed; the second commitment is a random secret k of the second commitment i The commitment of (a);
receiving a first promise, a second promise and a homomorphic encryption public key broadcasted by the other party;
and if the first commitment broadcasted by the opposite party is verified to be the same as the first commitment of the opposite party, the opposite party is used as a participant participating in the signature and added into the participant set participating in the signature, and the homomorphic encryption public key and the second commitment of the opposite party are saved.
Optionally, the computing a public key and a share in the phase of generating a distributed key includes:
receiving X-axis abscissa X of the counterpart broadcast i Commitment of polynomial coefficients, and random secret k i First commitment D i
Checking the X-axis abscissa X of the other party's broadcast i Verifying the random secret k of the other party when not repeated i Second commitment C i Whether it is legal;
if the random secret k is verified i If the second commitment is legal, then the random secret k is obtained i Target value k in the second commitment ofiG, and using a random secret k for each participant i The target value in the second commitment is calculated to obtain the public key
Figure 58438DEST_PATH_IMAGE001
A polynomial execution result v on receiving the counterpart broadcast i,j While, verifying the target polynomial pj(x) Whether the calculated result of (a) is equal to the target result; wherein the target polynomial pj(x) The target result is the polynomial execution result v of the opposite party i,j Product with the base point G of the elliptic curve;
if the target polynomial p is verifiedj(x) Is equal to the target result, the result v is executed using the polynomial of each participant i,j And the t-1 order polynomial of the user calculates share si
Optionally, said performing the result v with a polynomial of each participant i,j And the t-1 order polynomial of the user calculates share siThen, the method further comprises the following steps:
calculating the share siAnd broadcast to the other party;
Share s broadcast at each participantiWhen verifying the share s of each participantiIf the zero knowledge of (a) is legal, then the share s of each participant is obtainediCharacteristic values of zero knowledge proof of (1);
verifying whether a target equation is established, wherein the target equation is as follows:
Figure 506736DEST_PATH_IMAGE002
(ii) a In the formula, siDenotes share per participant, G denotes base point of elliptic curve, delta-1Refers to the inverse of the shared secret,a i a temporary secret referring to each participant;
and if the target equation is verified to be established, judging that the generation of the share and the public key is finished.
A second aspect of the present application provides a threshold signing apparatus based on SM2 signature algorithm, configured to perform three stages of generating a distributed key, signing a plaintext to be signed, and signing an encrypted text, where when the threshold signing apparatus generates a secret inverse element in the distributed key stage, the threshold signing apparatus includes:
a first encryption unit for encrypting the temporary secret of itself by homomorphic encryption method using the homomorphic encryption public key of the other partya i Cipher textE j (k j ) And interference factorβ i,j Obtaining first encrypted data; wherein the ciphertextE j (k j ) Use of a homomorphic encryption public key P by the opposite party j Encrypting its own random secret k j Obtaining; the counterpart refers to each of the n participants of the SM2 signature algorithm based threshold signature method;
a first calculation unit for calculating the temporary secreta i And interference factorβ i,j Zero knowledge proof of (2);
a first transmitting unit, configured to transmit, to the other party, the temporary secret and a zero-knowledge proof of an interference factor, and the first encrypted data;
a first receiving unit, configured to receive a basic value δ of the shared secret sent by the other partyi(ii) a Wherein the base value of the shared secret is used by the partner with its own temporary secreta i Random secret k i Interference factor, and a first interaction secret alpha for each participanti,jCalculating to obtain; wherein the first interaction secret ai,jWhen the other party verifies that the zero knowledge proof of the temporary secret and the interference factor is legal, decrypting the first encrypted data by using a homomorphic encryption private key of the other party to obtain the first encrypted data;
and the second calculation unit is used for calculating the inverse element of the shared secret by utilizing the basic value of the shared secret of each participant.
Optionally, when the threshold signature apparatus signs a plaintext to be signed, the method includes:
a second encryption unit for encrypting the weight value w by homomorphic encryption method using homomorphic encryption public key of opposite partyiCipher textE j (k j ) And interference factorβ i,j Obtaining second encrypted data; wherein the ciphertextE j (k j ) Use of a homomorphic cryptographic public key P by a counterpart participant j Encrypting a random secret k j Obtaining; the weight value wiSharing shares s by secretiConverting to obtain; the counterparty participant refers to each participant in the signed set of participants;
a third calculation unit for calculating the weight value wiAnd interference factorβ i,j Zero knowledge proof of (2);
a second sending unit, configured to send the zero-knowledge proof of the weight value and the interference factor, and second encrypted data to the opposite party participant;
a second receiving unit for receiving the random secret k sent by the opposite party j The second commitment of (a);
first treatmentA unit for verifying the random secret k j When the second commitment is legal, obtaining the random secret k j Target value k in the second commitment ofjG, using a random secret k for each participant j Target value k in the second commitment ofjG, calculating to obtain a target value R, and calculating to obtain a first signature value by using the target value R and an integer e corresponding to the plaintext M to be signed;
a fourth calculating unit for calculating the signature basic value siAnd using the signature base value s of each participantiThe first signature value r is calculated to obtain a second signature value s; wherein the signature base value siUsing the base value deltaiWeight value wiAnd the first signature value r is obtained by calculation; the base value deltaiUsing its own weight value wiRandom secret k i Interference factor and second interaction secret alpha of each participanti,jCalculating to obtain; the second interaction secret ai,jWhen the opposite party verifies that the zero knowledge proof of the weight value and the interference factor is legal, the second encrypted data is decrypted by using a homomorphic encryption private key of the opposite party to obtain the second encrypted data;
and the combining unit is used for combining the first signature value and the second signature value to obtain a final signature (r, s).
Optionally, the method further comprises:
the generating unit is used for generating homomorphic encryption public key and private key pairs and calculating to obtain a first commitment and a second commitment; the first commitment is a commitment of an integer e corresponding to an elliptic curve base point G, a public key P and a plaintext M to be signed; the second commitment is a random secret k of the second commitment i The commitment of (a);
a third receiving unit, configured to receive the first promise, the second promise, and a homomorphic encryption public key broadcast by the other party;
and the storage unit is used for verifying that the first commitment broadcasted by the other party is the same as the first commitment of the other party, adding the other party serving as a signing participant into the signing participant set, and storing the homomorphic encryption public key and the second commitment of the other party.
Optionally, the computing a public key and a share in the stage of generating the distributed key by the threshold signing apparatus includes:
a fourth receiving unit for receiving X-axis abscissa X of the counterpart broadcast i Commitment of polynomial coefficients, and random secret k i First commitment D i
A first verification unit for checking X-axis abscissa X of the counterpart broadcast i Verifying the random secret k of the other party when not repeated i Second commitment C i Whether it is legal;
a second processing unit for verifying the random secret k i If the second commitment is legal, then the random secret k is obtained i Target value k in the second commitment ofiG, and using a random secret k for each participant i The target value in the second commitment is calculated to obtain a public key;
a second verification unit for verifying the polynomial execution result v broadcast by the other party when receiving the polynomial execution result v i,j While, verifying the target polynomial pj(x) Whether the calculated result of (a) is equal to the target result; wherein the target polynomial pj(x) The target result is the polynomial execution result v of the opposite party i,j Product with the base point G of the elliptic curve;
a fifth calculation unit for calculating a target polynomial p if verifiedj(x) Is equal to the target result, the result v is executed using the polynomial of each participant i,j And the t-1 order polynomial of the user calculates share si
Optionally, the method further comprises:
a sixth calculation unit configured to calculate the share fraction siZero knowledge proof of (2);
a third transmitting unit for broadcasting to the counterpart;
an acquisition unit for receiving the broadcast of each participantShare siWhen verifying the share s of each participantiIf the zero knowledge of (a) is legal, then the share s of each participant is obtainediCharacteristic values of zero knowledge proof of (1);
a third verifying unit, configured to verify whether a target equation is satisfied, where the target equation is:
Figure 817632DEST_PATH_IMAGE003
(ii) a In the formula, siDenotes share per participant, G denotes base point of elliptic curve, delta-1Refers to the inverse of the shared secret,a i a temporary secret referring to each participant;
and the judging unit is used for judging that the generation of the share and the public key is finished if the target equation is verified to be established.
A third aspect of the present application provides a computer storage medium for storing a computer program, which when executed is specifically configured to implement the threshold signature method based on the SM2 signature algorithm in any one of the first aspects.
A fourth aspect of the present application provides an electronic device comprising a memory and a processor;
wherein the memory is for storing a computer program;
the processor is configured to execute the computer program, and in particular, to implement the threshold signature method based on the SM2 signature algorithm according to any one of the first aspect.
Based on the threshold signature method, the device, the equipment and the storage medium based on the SM2 signature algorithm, in a secret inverse element sharing link in a distributed secret key generation stage, a homomorphic encryption public key of an opposite side is used for encrypting a self temporary secret, a ciphertext and an interference factor to obtain first encrypted data, when the opposite side verifies that zero knowledge of the temporary secret and the interference factor proves to be legal, a homomorphic encryption private key of the self is used for decrypting a first interactive secret obtained by the first encrypted data, and after a basic value of the shared secret is obtained through calculation, a basic value of the shared secret of each participant is used for obtaining an inverse element of the shared secret through calculation; it can be seen that: by adopting a homomorphic encryption method, the inverse element of the shared secret is obtained through calculation, a polynomial does not need to be constructed, and the order doubling of the polynomial does not exist, so that in the (t, n) threshold, only the participant n of the threshold signature method based on the SM2 signature algorithm needs to be more than or equal to the participant t participating in the signature, and an effective digital signature can be generated without 2t +1 participants.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a timing diagram illustrating a secret inverse sharing method according to an embodiment of the present disclosure;
fig. 2 is a timing diagram illustrating a method for calculating public keys and share shares according to another embodiment of the present disclosure;
FIG. 3 is a timing diagram illustrating a method for generating a participant set participating in a signature according to another embodiment of the present application;
FIG. 4 is a timing diagram illustrating a method for computing a signature according to another embodiment of the present application;
fig. 5 is a structural diagram of a threshold signature apparatus based on the SM2 signature algorithm according to another embodiment of the present application;
fig. 6 is a structural diagram of a threshold signature apparatus based on the SM2 signature algorithm according to another embodiment of the present application;
fig. 7 is a block diagram of an electronic device according to another embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiment of the invention provides a threshold signature method, a device, equipment and a storage medium based on an SM2 signature algorithm, so that only n is greater than or equal to t, and only t participants are needed to generate effective signatures.
The threshold signature method based on the SM2 signature algorithm disclosed by the embodiment of the application mainly comprises three stages, specifically as follows:
1. distributed key generation
For a (t, n) threshold, n participants generate a public key P by interaction, each holding a secret share.
2. Signature
Among the n participants, t or more participants with secret shares calculate the plaintext M to be signed to obtain an unforgeable digital signature, and the public key P is used for signature verification.
3. Verification label
The public key P, the plaintext M and the digital signature are used to verify whether the signature is valid.
It should be noted that, in the stage of generating the distributed key, the distributed key may also be completed by being divided into three stages, mainly a preparation stage, a secure computation of the inverse element of k × a, and a computation of the public key and the share, which are respectively described below by embodiments.
Firstly, a preparation stage:
each participant (called U) i ) Each performing the following operations:
1) an SM2 national secret elliptic curve is selected, the base point is G, and the order is N.
2) Each using a secure random number to generate a random secret k i ,k i [1, N-1], calculating the respectivek i ·G And its hash acceptanceC i , D i H; wherein: acceptance verification D i = {data:k i ·G,salt: rand }, commitmentC i =Hash(data +bsalt)。
Acceptance verification D i May be referred to as a random secret k i First promise of, promiseC i May be referred to as a random secret k i Second commitment of (2), verifying at commitment D i In, data refers tok i ·G(ii) a salt refers to rand. salt is randomly added into salt +bIs binary merging.
3) Each using a secure random number to generate a temporary secreta i a i [1, N-1], and respective fixed points R are calculated i =a i ·G
4) A homomorphic encrypted public-private key pair is generated (any algorithm that supports additive multiplicative homomorphism may be used).
5) Broadcast random secret k i Hash promise of C i Fixed point R i And homomorphic encryption public key P i
6) After each participant receives the other party broadcast message, it stores the random secret k i Hash promise of C i And a fixed point R i
And secondly, safely calculating the inverse element of k × a:
the method for sharing the secret inverse element disclosed by the embodiment of the application, as shown in fig. 1, includes the steps of:
s101, each participant (called U) j ) Using its own homomorphic cryptographic public key P j For held random secret k j Encrypting to obtain a random secret k j Is encrypted by the encryption keyE j (k j ) And broadcast to other participants U i
Each receiver U i Receive fromE j (k j ) Then, the following steps are executed:
s102, generating a [0, N-1] by using a secure random number]As interference factorsβ i,j And calculateβ i,j =-β i,j
S103, using other participators UjIs encrypted with a public key PjTemporary secrets to itselfa i Cipher textE j (k j )And interference factorβ i,j Performing homomorphic encryption to obtain first encrypted data E (alpha)i,j)。
Wherein the first encrypted data E (alpha)i,j) The calculation formula of (2) is as follows: e (. alpha.) ofi,j)=a i × E j (k j ),+E(β i,j )。
S104, calculating the temporary secret held by the usera i And interference factorβ i,j Zero knowledge proof of (a).
Wherein any supporting zero knowledge proof of knowledge algorithm may be used to computea i Andβ i,j zero knowledge proof of (a). The extended Schnorr non-interactive zero knowledge proof of knowledge protocol is described below as an example.
Computinga i Andβ i,j the step of zero knowledge proof of (2) comprises:
①U i using self-held temporary secretsa iInterference factorβ i,j And its own fixing point RiAnd calculating the V value by the following formula: v ═ Va i ·Gβ i,j ·Ri
Generating two random numbers m, n and calculating an alpha value: alpha = m·GRi
C = H (G | | | V | | | R) is calculatedi| alpha), H is the Hash algorithm of the convention, such as SM 3.
Calculating u = (m + c =) a i )modN ,t=(n+c*β i,j ) modN. N is the order of the SM2 elliptic curve.
The result (V, u, t, alpha) is the testable proof that the verifier can receive the fixed point R of the other party in the previous stepiAnd the certification is carried out to prove that the other party really holdsa i Andβ i,j and the actual value cannot be known.
S105, the first encrypted data E (alpha)i,j) And zero knowledge proof is returned to the other party.
Participant U j Receiving the first encrypted data E (alpha) sent back by the other partyi,j) And zero proof of knowledge proof, performing the following steps:
and S106, verifying zero knowledge proof.
Take the extended Schnorr non-interactive zero knowledge proof as an example:
using the opposite side U obtained in the previous step i Fixed point R of i And received zero knowledge proof (V, u, t, alpha), calculate c = H (G | | | V | | R)j||alpha)。
Calculating and checking whether the equation is true: t is t·GRj==alpha+c·V(ii) a Wherein: g is the base point of the SM2 elliptic curve,. represents the elliptic curve point multiplication, and + represents the elliptic curve point addition.
S107, when verifying that the zero-knowledge proof is legal, decrypting the first encrypted data by using the homomorphic encryption private key of the user to obtain a first interaction secret alphai,jThe value of which is equal to:a i * kj+ β i,j
s108, after collecting the information of other participators, using the temporary secret of the participatorsa i Random secret k i Interference factor, and a first interaction secret alpha for each participanti,jCalculating a base value delta of a shared secreti(ii) a The calculation formula is as follows:
Figure 232083DEST_PATH_IMAGE004
and broadcast to other participants.
Each participant receives the base value delta of the shared secret of the other participantsiAfter the following steps are executed:
s109, calculating the shared secret
Figure 577613DEST_PATH_IMAGE005
Due to the fact that
Figure 931234DEST_PATH_IMAGE006
Therefore:
Figure 276896DEST_PATH_IMAGE007
according to the additive exchange law, the following results are obtained:
Figure 6955DEST_PATH_IMAGE008
due to the fact thatβ i,j =-β i,j And zero after accumulation, it can be known that δ is the product of the shared secret a and k:
Figure 941413DEST_PATH_IMAGE009
s110, calculating an inverse element delta of the shared secret delta to the SM2 elliptic curve-1
From the above, it can be seen that: obtaining two secrets k distributed over the hands of n participantsiAnd aiSecret product sharing ofThe inverse element of (2):
Figure 747826DEST_PATH_IMAGE010
it can further be seen that: k = ∑ k for shared secretiAnd a temporary shared secreta=∑a iδ = a × k is obtained by security calculation. Known from the multiplicative allocation law:
Figure 564472DEST_PATH_IMAGE011
the inverse of δ is further computed so that the participants all hold the same inverse of the product of the shared secret a and the secret k.
According to the threshold signature method provided by the embodiment of the application, in a step of calculating the inverse element of k x a, namely a step of sharing the secret inverse element in a distributed secret key generation stage, a homomorphic encryption public key of an opposite side is used for encrypting a self temporary secret, a ciphertext and an interference factor to obtain first encrypted data, when the opposite side verifies that zero knowledge of the temporary secret and the interference factor proves to be legal, the homomorphic encryption private key of the opposite side is used for decrypting a first interactive secret obtained by the first encrypted data, and after the basic value of the obtained shared secret is calculated, the basic value of the shared secret of each participant is used for calculating to obtain the inverse element of the shared secret; it can be seen that: by adopting a homomorphic encryption method, the inverse element of the shared secret is obtained through calculation, a polynomial does not need to be constructed, and the order doubling of the polynomial does not exist, so that in the (t, n) threshold, only the participant n of the threshold signature method based on the SM2 signature algorithm needs to be more than or equal to the participant t participating in the signature, and an effective digital signature can be generated without 2t +1 participants. In addition, interference factors are introduced in the sharing link of the secret inverse elements, so that secret leakage can be effectively prevented.
Thirdly, calculating public key and share
A method for calculating a public key and a share disclosed in another embodiment of the present application, as shown in fig. 2, includes the steps of:
each participant U i The following steps are performed:
s201, generating a random numberx iAs the respective X-axis abscissa, wherein,x i [1, N-1], and it is required that the value held by each participant cannot be the same.
S202, generating a t-1 order polynomial:
Figure 645692DEST_PATH_IMAGE012
using self-held temporary secretsa i Multiplying the shared secret delta inverse to form a shared secret slice delta-1 a i modNAs a constant, a coefficient of (u i,j )[1, N-1], N is the order of the SM2 elliptic curve.
S203, calculating Hash promise { u ] of polynomial coefficientsi,j· G}。
S204, broadcasting the X-axis abscissa X owned by the self i Hash commitment of polynomial coefficients, random secret k i Validation of commitment D i = {data:k i ·G,salt:rand}。
Participant U j Receiving participant U i X axis abscissa X i Random secret k i Validation of commitment D i And performing the following steps after Hash commitment of the polynomial coefficients:
s205, checking participant U i Is repeated.
Wherein, if the X coordinate of the received counterpart is the same as that of the counterpart, the X-axis abscissa X broadcasted in step S204 is received again i Hash commitment of polynomial coefficients, random secret k i The commitment of (1). If the X coordinate of the received counterpart is not the same as that of the counterpart, the following steps are continuously executed:
s206, verifying the random secret kiSecond commitment C i When legal, obtain the random secret kiTarget value k in the second commitment of i ·G。
In particular, the Hash acceptance C received during the preparation phase is verified i If it is legal, then from the random secret kiValidation of commitment D i = {data:k i ·G,salt: rand } to obtain k i ·G。
S207, calculating a public key corresponding to the shared secret by using the target value of each participant
Figure 496973DEST_PATH_IMAGE013
Figure 268095DEST_PATH_IMAGE014
Thus, it can be seen that: the actual secret shared private key is (k-1).
S208, using the X coordinate X of the other side i Obtaining a polynomial execution result v by calculating with a self-held polynomiali,j = fj(xi) And sends back to the other party U i
Each participant U i Receiving the polynomial execution result v of the other party i,j Then, the following steps are executed:
s209, verifying the target polynomial pj(x) Is equal to the target result.
Specifically, the method comprises the following steps: constructing a target polynomial p using a counterpart polynomial coefficient commitment as a coefficientj(x) Then, the X coordinate parameter of the self-body is used for calculation, and whether the calculation result is equal to v or not is verifiedi,jG this target result. The target result is the polynomial execution result v of the other party i,j Product with the base point G of the elliptic curve.
S210, if the target polynomial p is verifiedj(x) Is equal to the target result, the result v is executed using the polynomial of each participant i,j And the t-1 order polynomial of the user calculates share:
Figure 40879DEST_PATH_IMAGE015
s211, calculating and broadcasting share SiZero knowledge proof of (a).
Alternatively, s may be calculated using the standard Schnorr non-interactive zero-knowledge proof of knowledge protocoliComprises the following steps:
calculating V = si ·G 。
And secondly, generating two random numbers m, N, m and N which belong to [1, N-1], wherein N is the order of an SM2 elliptic curve.
Computing alpha = m · G + n · G.
And fourthly, calculating c = H (G | | | V | | G | | | alpha).
Calculating u = (m + c × s)i) modN, t = n; n is the order of the SM2 elliptic curve.
Wherein: the result of the calculation (V, u, t, alpha) is a verifiable zero knowledge proof.
Each participant receives a share siAfter zero knowledge proof the following steps are performed:
s212, verifying share SiZero knowledge proof of (2):
calculating c = H (G | | | V | | | G | | | alpha).
Secondly, whether the equation is established is verified: t is t·GG==alpha+c·V(ii) a Where G is the base point of the SM2 elliptic curve, represents the elliptic curve point multiplication, and + represents the elliptic curve point addition.
S213, obtaining share S of participantsiS of zero knowledge proofiG value, i.e. V value in the acquisition zero knowledge proof.
S214, verifying whether the target equation is satisfied:
Figure 597894DEST_PATH_IMAGE016
. In the formula, siDenotes share per participant, G denotes base point of elliptic curve, delta-1Refers to the inverse of the shared secret,a i refers to the temporal secret of each participant.
If the verification target equation is passed, step S215 is executed to determine that the generation of the share and the public key is completed.
Through the above interaction process, n participants each hold a public X abscissa and a Feldman verifiable secret share, and for a [ t, n ] threshold, t participant interactions can generate correct signatures.
For a public-private key pair of SM2 encryption algorithm: { d, P }, the actual shared secret is the inverse of (1+ d), thereby simplifying the process of subsequent multi-party signatures:
Figure 772523DEST_PATH_IMAGE017
the information of the shared secret cannot be revealed in the interaction process, and the safety of the interaction process is ensured by adopting Hash commitment and zero knowledge proof technology in the process.
The public key of the shared secret is:
Figure 373269DEST_PATH_IMAGE018
it should be further noted that steps S211 to S214 are selectively performed, and the shared share S does not need to be verified through zero knowledge proofiIn this case, step S211 to step S214 may not need to be performed.
The following also describes the process of signing by way of example.
Firstly, a preparation stage:
in the preparation stage, a participant set with a participation signature can be constructed, wherein the participant set comprises participants with the participation signature, and specifically, the participant set with the participation signature is completed by finding t participants from n participants of a threshold signature method based on the SM2 signature algorithm.
In the generation method of the participant set participating in the signature, each participant of the n threshold signature methods based on the SM2 signature algorithm performs the following steps. Following to the participant U i And participant UjThe following steps are performed by each participant in the method for generating a set of participants participating in a signature, as shown in fig. 3, with participant U i For the sake of example:
s301, converting a plaintext M to be signed into an integer e = H (Z)A||M)。
Wherein: zA = H(ENTLA||IDA||a||b||xG||yG||xA||yA) According to the SM2 elliptic curve public key cryptographic algorithm, coordinates x of elliptic curve equation parameters a, b and G are usedG 、 yGAnd PACoordinate xA 、 yAConverting the data type of the data into a bit string; h is the hash algorithm, which for SM3WITHSM2 signature algorithm is SM 3.
S302, calculating a Hash promise of an integer e corresponding to the SM2 elliptic curve base point G, the public key P and the plaintext M to be signed, wherein the integer e is used as follows: hash (G | | e.P), this commitment is called the first commitment.
S303, selecting a random secret keyk i [1, N-1], and calculating Hash commitment of Hash (k)iG), this commitment is referred to as the second commitment.
S304, generating a homomorphic encrypted public and private key pair; wherein the homomorphic encryption public key is Pi
S305, broadcasting the first promise, the second promise and the homomorphic encryption public key Pi
Wherein, participant U i The first commitment, the second commitment, and the homomorphic cryptographic public key P are broadcast to the respective participants.
S306, each party receives the first promise, the second promise and the homomorphic encryption public key PiThen, it is verified whether the first commitment Hash (G | | e · P) is the same as the first commitment owned by oneself.
Wherein, participant UjWill receive the first promise, the second promise and the homomorphic encryption public key PiAfter receiving, verifying whether the first commitment is the same as the received first commitment, and executing the following steps.
If the verification is the same, the opposite party is proved to be a legal signature participant, and the same public key P and the integer e corresponding to the plaintext M to be signed are held, and S307 and S308 are executed.
And S307, recording the legal signature participant in the participant set | S | participating in the signature.
S308, storing the homomorphic encryption public key P broadcasted by the other partyiAnd a random key kiFor standby, i.e. holding a homomorphic cryptographic public key PiAnd a second commitment.
It should be noted that, when the participant set | S | ≧ t participating in the signature is confirmed, the joint signature calculation is started.
Two, shared share weight conversion
For a polynomial of order t-1
Figure 633349DEST_PATH_IMAGE019
When t non-coincident points or more are known, the solution can be obtained.
According to the Lagrange interpolation method, an interpolation function polynomial L with the degree not exceeding t can be constructedn(x) So that L isn(xi)= yi=f(xi) It holds, its lagrange interpolation formula:
Figure 790792DEST_PATH_IMAGE020
therefore, for a set | S | of participants equal to or greater than t participants who participate in a signature, the x coordinate value of each participant is known, and the held secret share S can be shared by using the lagrange interpolation formulaiConversion to weights
Figure 351086DEST_PATH_IMAGE021
Such that the shared secret f (0) satisfies:
Figure 139045DEST_PATH_IMAGE022
thirdly, calculating the signature
The t participants in the participant set participating in the signature constructed by the above embodiment mutually interact to complete the signature of the plaintext to be signed. Also, with participant U i And participant UjThe following steps are performed for t participants in the signed participant set, as shown in fig. 4, by participant UjFor illustration purposes.
S401, participant UjUsing a homomorphic cryptographic public key P j For held random secret k j Encryption to obtain a random secret k j Is encrypted by the encryption keyE j (k j ) And broadcast to other participants.
Each participant receives a participant UjBroadcast cipher textE j (k j ) Thereafter, the following steps are performed, also referred to as participant U below i For illustration purposes.
S402, participant U i Receiving the secret text E encrypted by the other partyj(kj) Then, a random interference factor beta is generatedi,jAnd calculating beta' = -betai,j
S403, utilizing the participant UjThe homomorphic encryption public key is used for homomorphic encryption, and the encryption weight value wiCipher textE j (k j ) And interference factorβ i,j And obtaining second encrypted data.
Wherein the public representation of the second encrypted data is: e (. alpha.) ofi,j)=w i × E (k j ) +E(β )。
S404, calculating a weight value wiAnd interference factor betai,jZero knowledge proof of (a).
Wherein any supporting zero knowledge proof of knowledge algorithm may be used to calculate the weight values wiAnd interference factor betai,jZero knowledge proof of (a). The following description also takes the extended Schnorr non-interactive zero knowledge proof of knowledge protocol as an example.
Calculating a weight value wiAnd interference factor betai,jThe step of zero knowledge proof of (1), comprising:
①U i using self-held weight values wi、Interference factor betai,jAnd its own fixing point RiAnd calculating the V value by the following formula: v = w i ·G +β i,j ·R i
Generating two random numbers m, n and calculating an alpha value: alpha = m·GRi
(iii) calculate c = H (G | | | V | | non-woven phosphor) R i | alpha), H is the Hash algorithm of the convention, such as SM 3.
Calculating u = (m + c =)a i )modN ,t=(n+c*β i,j ) modN. N is the order of the SM2 elliptic curve.
Fifthly, the result (V, u, t, alpha) is the proof of verifiability.
S405, sending second encrypted data E (alpha)i,j) And a weight value wiAnd interference factor betai,jIs proved to the other party.
Participant UjAfter receiving the message, executing the following steps:
s406, participant UjAfter receiving the message, verifying the weight value wiAnd interference factor betai,jZero knowledge proof of (a).
S407, if the verification of the zero knowledge proof is passed, decrypting the second encrypted data E (alpha) by using the homomorphic encryption private key held by the useri,j) Obtaining a second interaction secret alphai,j =ki wj+β j,i
S408, from the weight value wiAnd interference factor betai,jIn the zero knowledge proof, the participant U is obtained i W ofiThe value of G.
S409, after collecting the information of each participant, utilizing the weight value w of each participantiRandom secret
Figure 152000DEST_PATH_IMAGE023
Interference factor betai,jAnd a second interaction secret alpha for each participanti,jCalculating to obtain a basic value deltai
Figure 127782DEST_PATH_IMAGE024
S410, broadcasting the random secret k j The second commitment of (i.e., k) j G promise.
Participant U i Receive k j After commitment of G, the following steps are performed:
s411, receiving kjG promise, verification kjWhen the commitment of G is legal, from kjG commitment to take out the target value in the commitment, i.e. kjG, and using a random secret k for each participant j K in the second commitment of (1)jG value, calculated to obtain the target value
Figure 11425DEST_PATH_IMAGE025
S412, calculating by using the target value R and the integer e corresponding to the plaintext M to be signed to obtain a first signature value R, wherein the calculation formula is as follows: r = Rx + e mod N. N is the order of the SM2 elliptic curve.
S413, calculating the signature basic value S of the useri i+wiR, and broadcasting the signature base value.
S414, collecting the S of other participants participating in signatureiThereafter, the signature base value s of each participant is utilizediAnd a first signature value r, and a second signature value s is obtained by calculation, wherein s = ∑ si-r。
And S415, combining the first signature value and the second signature value to obtain a final signature (r, S).
It should be noted that, in the threshold signature scheme based on the SM2 signature algorithm in the prior art, in the signature stage, the secret product needs to be shared, and a polynomial also needs to be constructed, so that the order of the polynomial is doubled, n is greater than or equal to 2t, and 2t +1 participators can generate an effective digital signature.
In the threshold signature method provided by the embodiment of the application, in the signature link, the weight value, the ciphertext and the interference factor are encrypted by using a homomorphic encryption public key of the opposite party in a homomorphic encryption method to obtain second encrypted data, and zero knowledge proof of the weight value and the interference factor is calculated; when receiving a second commitment of the random secret sent by a participant of the other party and verifying that the second commitment of the random secret is legal, acquiring a target value in the second commitment of the random secret, calculating by using the target value in the second commitment of the random secret of each participant to obtain a target value, and calculating by using the target value and an integer corresponding to a plaintext to be signed to obtain a first signature value; when the opposite party verifies that the zero knowledge proof of the weight value and the interference factor is legal, decrypting second encrypted data by using a homomorphic encryption private key of the opposite party to obtain a second interaction secret, calculating by using the weight value, the random secret, the interference factor and the second interaction secret of each party to obtain a basic value, and calculating by using the basic value, the weight value and the first signature value to obtain a signature basic value; calculating to obtain a second signature value by using the signature basic value and the first signature value of each participant; the first signature value and the second signature value are combined to obtain the final signature. It can thus be seen that: in the signing link, a homomorphic encryption method is used, namely, the signature of a plaintext to be signed does not need to construct a polynomial, and the order doubling of the polynomial does not exist, so that in the (t, n) threshold, the participator n of the threshold signing method based on the SM2 signature algorithm is further ensured to be only required to be more than or equal to the participator t participating in the signature, and 2t +1 participators are not required to generate an effective digital signature.
It should also be noted that, as long as the participants of the threshold signature method based on the SM2 signature algorithm perform encryption and decryption once in the sharing link of the secret inverse element and perform encryption and decryption once in the signing link, no complex algorithm is needed, the performance can be greatly improved, and in the interaction process between the participants, no full-text format of the secret key exists, thereby ensuring the security.
Signature verification
Because the signature (r, s) obtained by signing the plaintext M to be signed by adopting the signature method disclosed by the embodiment completely conforms to the SM2 algorithm specification of the national secret, the signature verification calculation can be carried out by using the public key, the digital signature and the signature content directly according to the specification of GM/T0003.2 (SM 2 elliptic curve public key cryptographic algorithm part 2-digital signature algorithm). The brief steps of the signature verification are as follows:
after receiving the signature (r, s) and the plaintext M to be signed:
1) converting a plaintext M to be signed into an integer e = H (Z) according to the specification of GM/T0003.2 part 2 digital signature algorithm of SM2 elliptic curve public key cryptographic algorithmA||M)。
Wherein: zA = H(ENTLA||IDA||a||b||xG||yG||xA||yA) Coordinates x of the parameters a, b and G of the elliptic curve equationG 、 yGCoordinates x of and PAA 、 yAConverting the data type of the data into a bit string; h is the hash algorithm, which is SM3 for the SM3WITHSM2 signature algorithm; and M is data to be checked.
2) It is calculated whether the following formula holds.
The formula is as follows: (x ) =s·G +(r+s)·PWherein: g is the base point of the SM2 elliptic curve, and P is the public key.
3) Judging whether the equation is established: (x' + e) is equal to r in the signature.
Compared with the prior art, the threshold signature method based on the SM2 signature algorithm provided by the embodiment of the application is greatly improved in execution efficiency, and the practicability of the threshold signature method is improved. The following may be compared from two dimensions of network interaction and computational effort.
Network interaction: the complexity of network interaction can be divided into interaction times and data volume, the network interaction times represent the network complexity of the algorithm, and the interactive data volume represents the occupation of network bandwidth resources. Calculation amount: and evaluating the computational complexity of the algorithm and the use efficiency of computational resources.
The comparison of network interaction complexity is shown in the following table:
Figure 485131DEST_PATH_IMAGE027
in order to evaluate the calculation efficiency of the algorithm more carefully, the threshold signature scheme provided by the application firstly carries out benchmark performance evaluation on key operations, and in order to ensure comparability, homomorphic encryption selects the same algorithm, namely a Paillier algorithm:
Figure 454224DEST_PATH_IMAGE029
from benchmark tests it can be seen that homomorphic encryption is very resource consuming.
Comparison of calculated quantity evaluations is shown in the following table:
Figure 156732DEST_PATH_IMAGE030
another embodiment of the present application further discloses a threshold signing apparatus based on SM2 signature algorithm, configured to perform three stages of generating a distributed key, signing a plaintext to be signed, and signing an encrypted text, where when the threshold signing apparatus generates a secret inverse element in the distributed key stage, as shown in fig. 5, the threshold signing apparatus includes:
a first encryption unit 501, configured to encrypt a temporary secret, a ciphertext, and an interference factor of an own by using a homomorphic encryption public key of an opposite party in a homomorphic encryption method to obtain first encrypted data; wherein, the ciphertext is encrypted by the opposite party by using the homomorphic encryption public key to encrypt the random secret k of the opposite party j Obtaining; each participant in the n participants of the threshold signature method based on the SM2 signature algorithm is referred by a counterpart;
a first calculation unit 502 for calculating a zero-knowledge proof of the temporary secret and the interference factor;
a first sending unit 503, configured to send the temporary secret and the zero-knowledge proof of the interference factor, and the first encrypted data to the other party;
a first receiving unit 504, configured to receive a basic value of the shared secret sent by the other party; the basic value of the shared secret is calculated by the other party by using the own temporary secret, random secret, interference factor and the first interaction secret of each participant; when the first interactive secret is proved to be legal by the other party through verifying the temporary secret and zero knowledge of the interference factor, decrypting the first encrypted data by using the homomorphic encryption private key of the first interactive secret;
and a second calculating unit 505, configured to calculate an inverse element of the shared secret by using the basic value of the shared secret of each participant.
For a specific working process of the units disclosed in the embodiments of the present application, reference may be made to the contents of the embodiment corresponding to fig. 1, which are not described herein again.
Optionally, in another embodiment of the present application, when the threshold signing apparatus signs a plaintext to be signed, the method includes:
the second encryption unit is used for encrypting the weighted value, the ciphertext and the interference factor by using a homomorphic encryption public key of the opposite party participant in a homomorphic encryption method to obtain second encrypted data; the ciphertext is obtained by encrypting a random secret by using a homomorphic encryption public key by an opposite party participant; the weight value is obtained by converting the secret share; a counterpart participant refers to each participant in the signed set of participants;
the third calculation unit is used for calculating zero knowledge proof of the weight value and the interference factor;
the second sending unit is used for sending zero knowledge proof of the weight value and the interference factor and second encrypted data to the opposite party;
a second receiving unit, configured to receive a second commitment of the random secret sent by the opposite party;
the first processing unit is used for acquiring a target value in the second commitment of the random secret when the second commitment of the random secret is verified to be legal, calculating the target value by using the target value in the second commitment of the random secret of each participant, and calculating a first signature value by using the target value and an integer corresponding to a plaintext to be signed;
the fourth calculation unit is used for calculating to obtain a signature basic value of the fourth calculation unit, and calculating to obtain a second signature value by using the signature basic value of each participant and the first signature value; wherein the signature base value siUsing base value, weight value andcalculating a signature value; the basic value is obtained by calculating the weight value of the basic value, the random secret, the interference factor and the second interaction secret of each participant; when the second interaction secret is obtained by verifying that the zero knowledge proof of the weight value and the interference factor is legal, the opposite party participant decrypts the second encrypted data by using a homomorphic encryption private key of the opposite party participant;
and the combining unit is used for combining the first signature value and the second signature value to obtain the final signature.
For a specific working process of the unit disclosed in the embodiment of the present application, reference may be made to the content of the embodiment corresponding to fig. 4, which is not described herein again.
Optionally, in another embodiment of the present application, as shown in fig. 6, the threshold signature apparatus based on the SM2 signature algorithm further includes, in addition to the first encryption unit 601, the first calculation unit 602, the first sending unit 603, the first receiving unit 604, and the second calculation unit 605:
a generating unit 606, configured to generate a homomorphic encryption public key and a private key pair, and calculate to obtain a first commitment and a second commitment; the first commitment is a commitment of an integer corresponding to an elliptic curve base point, a public key and a plaintext to be signed; the second commitment is a commitment to a random secret of itself.
A third receiving unit 607, configured to receive the first commitment, the second commitment, and the homomorphic encryption public key broadcasted by the other party.
A saving unit 608, configured to verify that the first commitment broadcasted by the other party is the same as the first commitment of the other party, add the other party as a participant participating in the signature into the participant set participating in the signature, and save the homomorphic encrypted public key and the second commitment of the other party.
The specific working process of the generating unit 606, the third receiving unit 607 and the saving unit 608, which cooperate to generate the participant set participating in the signature, may refer to the content corresponding to the embodiment of fig. 3, and is not described herein again.
Optionally, in another embodiment of the present application, the computing a public key and a share in the phase of generating the distributed key by the threshold signature apparatus includes:
and a fourth receiving unit for receiving the X-axis abscissa, the commitment of the polynomial coefficient, and the first commitment of the random secret broadcast by the other party.
And the first verification unit is used for verifying whether the second commitment of the random secret of the opposite party is legal or not when the X-axis abscissa broadcasted by the opposite party is not repeated.
And the second processing unit is used for acquiring a target value in the second commitment of the random secret if the second commitment of the random secret is verified to be legal, and calculating to obtain a public key by using the target value in the second commitment of the random secret of each participant.
A second verification unit configured to verify whether a calculation result of a target polynomial is equal to a target result when receiving a polynomial execution result broadcast by the other party; the target polynomial is constructed by using the coefficient commitment of the opposite side polynomial as a coefficient, and the target result is the product of the polynomial execution result of the opposite side and an elliptic curve base point.
And the fifth calculating unit is used for calculating the share by using the polynomial execution result of each participant and the t-1 order polynomial of the participant if the calculation result of the target polynomial is verified to be equal to the target result.
Optionally, in another embodiment of the present application, the threshold signature apparatus based on the SM2 signature algorithm further includes:
and the sixth calculating unit is used for calculating the zero knowledge proof of the share.
And a third transmitting unit for broadcasting to the counterpart.
The acquisition unit is used for acquiring a characteristic value of the zero knowledge proof of the share of each participant if the zero knowledge proof of the share of each participant is verified to be legal when the zero knowledge proof of the share of each participant is received.
A third verifying unit, configured to verify whether a target equation is satisfied, where the target equation is:
Figure 160460DEST_PATH_IMAGE031
(ii) a Formula (II)In, si Denotes share per participant, G denotes base point of elliptic curve, delta-1Refers to the inverse of the shared secret,a i refers to the temporal secret of each participant.
And the judging unit is used for judging that the generation of the share and the public key is finished if the verification target equation is established.
For the specific working processes of the units provided in the above two embodiments, reference may be made to the content of the embodiment shown in fig. 2, which is not described herein again.
Another embodiment of the present application provides an electronic device, as shown in fig. 7, including:
one or more processors 701.
A memory 702 having one or more programs stored thereon.
The one or more programs, when executed by the one or more processors 701, cause the one or more processors 701 to implement a method as in any of the above embodiments.
Another embodiment of the present application provides a computer storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the method as described in any of the above embodiments.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system and system embodiments are only illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (12)

1. A threshold signature method based on SM2 signature algorithm is characterized by comprising three stages of generating a distributed secret key, signing a plaintext to be signed and verifying a signature, wherein the sharing of secret inverse elements in the stage of generating the distributed secret key comprises the following steps:
method for encrypting self temporary secret by homomorphic encryption public key of opposite partya i Cipher textE j (k j )And interference factorβ i,j Obtaining first encrypted data; wherein the ciphertextE j (k j )Use of a homomorphic encryption public key P by the opposite party j Encrypting its own random secretk j Obtaining; the counterpart refers to each of the n participants of the SM2 signature algorithm based threshold signature method;
calculating the temporary secreta i And interference factorβ i,j Zero knowledge proof of (2);
sending the temporary secret and a zero-knowledge proof of an interference factor, and the first encrypted data to the other party;
receiving a base value delta of the shared secret sent by the other partyi(ii) a Wherein the base value of the shared secret is used by the partner with its own temporary secreta i Random secretk i Interference factor, and a first interaction secret alpha for each participanti,jCalculating to obtain; wherein the first interaction secret ai,jWhen the other party verifies that the zero knowledge proof of the temporary secret and the interference factor is legal, decrypting the first encrypted data by using a homomorphic encryption private key of the other party to obtain the first encrypted data;
and calculating to obtain the inverse element of the shared secret by using the basic value of the shared secret of each participant.
2. The threshold signature method of claim 1, wherein said signing plaintext to be signed comprises:
method for homomorphic encryption by using homomorphic encryption public key of opposite party participant, encryption weight value wiCipher textE j (k j )And interference factorβ i,j Obtaining second encrypted data; wherein the ciphertextE j (k j )Use of a homomorphic cryptographic public key P by a counterpart participant j Encrypting random secretsk j Obtaining; the weight value wiSharing shares s by secretiConverting to obtain; the counterparty participant refers to each participant in the signed set of participants;
calculating the weight value wiAnd interference factorβ i,j Zero knowledge ofProving;
sending zero knowledge proof of the weight value and the interference factor and second encrypted data to the opposite party participant;
receiving a random secret transmitted by a counterpart participantk j The second commitment of (a);
after verifying the random secretk j When the second commitment is legal, obtaining the random secretk j Target value in the second commitmentk j ·GUsing random secrets for each participantk j Target value in the second commitmentk j ·GCalculating to obtain a target value R, and calculating to obtain a first signature value R by using the target value R and an integer e corresponding to a plaintext M to be signed;
calculating to obtain the signature basic value s of the selfiAnd using the signature base value s of each participantiThe first signature value r is calculated to obtain a second signature value s; wherein the signature base value siUsing the base value deltaiWeight value wiAnd the first signature value r is obtained by calculation; the base value deltaiUsing its own weight value wiRandom secret k i Interference factor and second interaction secret alpha of each participanti,jCalculating to obtain; the second interaction secret ai,jWhen the opposite party verifies that the zero knowledge proof of the weight value and the interference factor is legal, the second encrypted data is decrypted by using a homomorphic encryption private key of the opposite party to obtain the second encrypted data;
and combining the first signature value and the second signature value to obtain a final signature.
3. The threshold signature method of claim 2, wherein the signature is preceded by a plaintext to be signed, and further comprising generating a set of participants who participate in the signature, wherein the generating the set of participants who participate in the signature comprises:
generating a homomorphic encryption public key and a homomorphic encryption private key pair, and calculating to obtain a first commitment and a second commitment; wherein the first commitment is an elliptic curve base point G,The public key P and the promise of an integer e corresponding to the plaintext M to be signed; the second commitment is a random secret k of the second commitment i The commitment of (a);
receiving a first promise, a second promise and a homomorphic encryption public key broadcasted by the other party;
and if the first commitment broadcasted by the opposite party is verified to be the same as the first commitment of the opposite party, the opposite party is used as a participant participating in the signature and added into the participant set participating in the signature, and the homomorphic encryption public key and the second commitment of the opposite party are saved.
4. The threshold signature method of claim 1, wherein the computing public keys and share shares in the phase of generating the distributed key comprises:
receiving X-axis abscissa X of the counterpart broadcast i Commitment of polynomial coefficients, and random secret k i First commitment D i
Checking the X-axis abscissa X of the other party's broadcast i Verifying the random secret k of the other party when not repeated i Second commitment C i Whether it is legal;
if the random secret k is verified i If the second commitment is legal, then the random secret k is obtained i Target value in the second commitmentk i ·GAnd using a random secret k for each participant i The target value in the second commitment is calculated to obtain the public key
Figure 709312DEST_PATH_IMAGE001
A polynomial execution result v on receiving the counterpart broadcast i,j While, verifying the target polynomial pj(x) Whether the calculated result of (a) is equal to the target result; wherein the target polynomial pj(x) The target result is the polynomial execution result v of the opposite party i,j Base point of elliptic curveThe product of G;
if the target polynomial p is verifiedj(x) Is equal to the target result, the result v is executed using the polynomial of each participant i,j And the t-1 order polynomial of the user calculates share si
5. Threshold signature method as claimed in claim 4, characterized in that said execution of the result v with a polynomial of each participant is performed i,j And the t-1 order polynomial of the user calculates share siThen, the method further comprises the following steps:
calculating the shares i And broadcast to the other party;
share s broadcast at each participantiWhen verifying the share s of each participantiIf the zero knowledge of (a) is legal, then the share s of each participant is obtainediCharacteristic values of zero knowledge proof of (1);
verifying whether a target equation is established, wherein the target equation is as follows:
Figure 62933DEST_PATH_IMAGE002
(ii) a In the formula, siDenotes share per participant, G denotes base point of elliptic curve, delta-1Refers to the inverse of the shared secret,a i a temporary secret referring to each participant;
and if the target equation is verified to be established, judging that the generation of the share and the public key is finished.
6. A threshold signature device based on SM2 signature algorithm is characterized in that the device is used for executing three stages of generating a distributed key, signing a plaintext to be signed and verifying a signature, wherein when the threshold signature device generates a share of a secret inverse element in the distributed key stage, the device comprises:
a first encryption unit for encrypting the temporary secret of itself by homomorphic encryption method using the homomorphic encryption public key of the other partya i Cipher textE j (k j )And interference factorβ i,j Obtaining first encrypted data; wherein the ciphertextE j (k j )Use of a homomorphic encryption public key P by the opposite party j Encrypting its own random secretk j Obtaining; the counterpart refers to each of the n participants of the SM2 signature algorithm based threshold signature method;
a first calculation unit for calculating the temporary secreta i And interference factorβ i,j Zero knowledge proof of (2);
a first transmitting unit, configured to transmit, to the other party, the temporary secret and a zero-knowledge proof of an interference factor, and the first encrypted data;
a first receiving unit, configured to receive a basic value δ of the shared secret sent by the other partyi(ii) a Wherein the base value of the shared secret is used by the partner with its own temporary secreta i Random secret k i Interference factor, and a first interaction secret alpha for each participanti,jCalculating to obtain; wherein the first interaction secret ai,jWhen the other party verifies that the zero knowledge proof of the temporary secret and the interference factor is legal, decrypting the first encrypted data by using a homomorphic encryption private key of the other party to obtain the first encrypted data;
and the second calculation unit is used for calculating the inverse element of the shared secret by utilizing the basic value of the shared secret of each participant.
7. The threshold signature apparatus of claim 6, wherein the threshold signature apparatus, when signing a plaintext to be signed, comprises:
a second encryption unit for encrypting the weight value w by homomorphic encryption method using homomorphic encryption public key of opposite partyiCipher textE j (k j )And interference factorβ i,j Obtaining second encrypted data(ii) a Wherein the ciphertextE j (k j )Use of a homomorphic cryptographic public key P by a counterpart participant j Encrypting random secretsk j Obtaining; the weight value wiSharing shares s by secretiConverting to obtain; the counterparty participant refers to each participant in the signed set of participants;
a third calculation unit for calculating the weight value wiAnd interference factorβ i,j Zero knowledge proof of (2);
a second sending unit, configured to send the zero-knowledge proof of the weight value and the interference factor, and second encrypted data to the opposite party participant;
a second receiving unit for receiving the random secret transmitted by the opposite partyk j The second commitment of (a);
a first processing unit for verifying the random secretk j When the second commitment is legal, obtaining the random secretk j Target value in the second commitmentk j ·GUsing random secrets for each participantk j Target value in the second commitmentk j ·GCalculating to obtain a target value R, and calculating to obtain a first signature value by using the target value R and an integer e corresponding to a plaintext M to be signed;
a fourth calculating unit for calculating the signature basic value siAnd using the signature base value s of each participantiThe first signature value r is calculated to obtain a second signature value s; wherein the signature base value siUsing the base value deltaiWeight value wiAnd the first signature value r is obtained by calculation; the base value deltaiUsing its own weight value wiRandom secret k i Interference factor and second interaction secret alpha of each participanti,jCalculating to obtain; the second interaction secret ai,jWhen the opposite party verifies that the zero knowledge proof of the weight value and the interference factor is legal, the homomorphic addition of the opposite party is utilizedThe second encrypted data is decrypted by the secret key to obtain the second encrypted data;
and the combining unit is used for combining the first signature value and the second signature value to obtain a final signature.
8. The threshold signature apparatus of claim 7, further comprising:
the generating unit is used for generating homomorphic encryption public key and private key pairs and calculating to obtain a first commitment and a second commitment; the first commitment is a commitment of an integer e corresponding to an elliptic curve base point G, a public key P and a plaintext M to be signed; the second commitment being a random secret of itselfk i The commitment of (a);
a third receiving unit, configured to receive the first promise, the second promise, and a homomorphic encryption public key broadcast by the other party;
and the storage unit is used for verifying that the first commitment broadcasted by the other party is the same as the first commitment of the other party, adding the other party serving as a signing participant into the signing participant set, and storing the homomorphic encryption public key and the second commitment of the other party.
9. The threshold signature apparatus of claim 6, wherein the threshold signature apparatus generates the public key and the share in the distributed key generation stage, and comprises:
a fourth receiving unit for receiving X-axis abscissa X of the counterpart broadcast i Commitment of polynomial coefficients, and random secret k i First commitment D i
A first verification unit for checking X-axis abscissa X of the counterpart broadcast i Verifying the random secret k of the other party when not repeated i Second commitment C i Whether it is legal;
a second processing unit for verifying the random secret k i If the second commitment is legal, then the random secret k is obtained i Target value in the second commitmentk i ·GAnd using a random secret k for each participant i The target value in the second commitment is calculated to obtain the public key
Figure 362589DEST_PATH_IMAGE003
A second verification unit for verifying the polynomial execution result v broadcast by the other party when receiving the polynomial execution result v i,j While, verifying the target polynomial pj(x) Whether the calculated result of (a) is equal to the target result; wherein the target polynomial pj(x) The target result is the polynomial execution result v of the opposite party i,j Product with the base point G of the elliptic curve;
a fifth calculation unit for calculating a target polynomial p if verifiedj(x) Is equal to the target result, the result v is executed using the polynomial of each participant i,j And the t-1 order polynomial of the user calculates share si
10. The threshold signature apparatus of claim 9, further comprising:
a sixth calculation unit configured to calculate the share fraction siZero knowledge proof of (2);
a third transmitting unit for broadcasting to the counterpart;
an acquisition unit, configured to receive the share s broadcasted by each participantiWhen verifying the share s of each participantiIf the zero knowledge of (a) is legal, then the share s of each participant is obtainediCharacteristic values of zero knowledge proof of (1);
a third verifying unit, configured to verify whether a target equation is satisfied, where the target equation is:
Figure 295910DEST_PATH_IMAGE004
(ii) a In the formula, siDenotes share per participant, G denotes base point of elliptic curve, delta-1Refers to the inverse of the shared secret,a i a temporary secret referring to each participant;
and the judging unit is used for judging that the generation of the share and the public key is finished if the target equation is verified to be established.
11. A computer storage medium for storing a computer program, which, when executed, is particularly adapted to implement the SM2 signature algorithm based threshold signature method according to any one of claims 1 to 5.
12. An electronic device comprising a memory and a processor;
wherein the memory is for storing a computer program;
the processor is configured to execute the computer program, in particular to implement the threshold signature method based on the SM2 signature algorithm according to any one of claims 1 to 5.
CN202110748702.8A 2021-07-02 2021-07-02 Threshold signature method, device, equipment and storage medium Active CN113507374B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110748702.8A CN113507374B (en) 2021-07-02 2021-07-02 Threshold signature method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110748702.8A CN113507374B (en) 2021-07-02 2021-07-02 Threshold signature method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113507374A true CN113507374A (en) 2021-10-15
CN113507374B CN113507374B (en) 2021-11-30

Family

ID=78009869

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110748702.8A Active CN113507374B (en) 2021-07-02 2021-07-02 Threshold signature method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113507374B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114070556A (en) * 2021-11-15 2022-02-18 成都卫士通信息产业股份有限公司 Threshold ring signature method and device, electronic equipment and readable storage medium
CN114157427A (en) * 2021-12-02 2022-03-08 南京邮电大学 Threshold signature method based on SM2 digital signature
CN114444069A (en) * 2021-12-17 2022-05-06 中国科学院信息工程研究所 Efficient threshold safety multi-party calculation method under malicious model
CN115412260A (en) * 2022-08-30 2022-11-29 云海链控股股份有限公司 SM2 threshold signature method, system, equipment and computer readable storage medium
CN115580401A (en) * 2022-10-25 2023-01-06 商密(广州)信息科技有限公司 Certificateless SM2 secret key generation method based on verifiable secret sharing
CN116132049A (en) * 2023-01-04 2023-05-16 声龙(新加坡)私人有限公司 Data encryption method, device, equipment and storage medium
CN117155584A (en) * 2023-10-27 2023-12-01 北京信安世纪科技股份有限公司 Schnorr digital signature method, system and equipment
CN117278213A (en) * 2023-10-31 2023-12-22 杭州趣链科技有限公司 Polynomial commitment based method, electronic device and readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109547212A (en) * 2018-12-04 2019-03-29 中国电子科技集团公司第三十研究所 A kind of Threshold Signature method based on SM2 signature algorithm
CN110061828A (en) * 2019-04-04 2019-07-26 西安电子科技大学 Distributed digital endorsement method without trusted party
US10630477B1 (en) * 2018-12-27 2020-04-21 Blue Helix Efficient threshold distributed elliptic curve key generation and signature method and system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109547212A (en) * 2018-12-04 2019-03-29 中国电子科技集团公司第三十研究所 A kind of Threshold Signature method based on SM2 signature algorithm
US10630477B1 (en) * 2018-12-27 2020-04-21 Blue Helix Efficient threshold distributed elliptic curve key generation and signature method and system
CN110061828A (en) * 2019-04-04 2019-07-26 西安电子科技大学 Distributed digital endorsement method without trusted party

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114070556A (en) * 2021-11-15 2022-02-18 成都卫士通信息产业股份有限公司 Threshold ring signature method and device, electronic equipment and readable storage medium
CN114157427A (en) * 2021-12-02 2022-03-08 南京邮电大学 Threshold signature method based on SM2 digital signature
CN114157427B (en) * 2021-12-02 2023-06-20 南京邮电大学 SM2 digital signature-based threshold signature method
CN114444069B (en) * 2021-12-17 2023-04-07 中国科学院信息工程研究所 Efficient threshold safety multi-party calculation method under malicious model
CN114444069A (en) * 2021-12-17 2022-05-06 中国科学院信息工程研究所 Efficient threshold safety multi-party calculation method under malicious model
CN115412260B (en) * 2022-08-30 2023-10-20 云海链控股股份有限公司 SM2 threshold signature method, system, device and computer readable storage medium
CN115412260A (en) * 2022-08-30 2022-11-29 云海链控股股份有限公司 SM2 threshold signature method, system, equipment and computer readable storage medium
CN115580401A (en) * 2022-10-25 2023-01-06 商密(广州)信息科技有限公司 Certificateless SM2 secret key generation method based on verifiable secret sharing
CN115580401B (en) * 2022-10-25 2023-12-22 商密(广州)信息科技有限公司 Certificateless SM2 key generation method based on verifiable secret sharing
CN116132049A (en) * 2023-01-04 2023-05-16 声龙(新加坡)私人有限公司 Data encryption method, device, equipment and storage medium
CN116132049B (en) * 2023-01-04 2023-09-08 声龙(新加坡)私人有限公司 Data encryption method, device, equipment and storage medium
CN117155584A (en) * 2023-10-27 2023-12-01 北京信安世纪科技股份有限公司 Schnorr digital signature method, system and equipment
CN117155584B (en) * 2023-10-27 2024-01-26 北京信安世纪科技股份有限公司 Schnorr digital signature method, system and equipment
CN117278213A (en) * 2023-10-31 2023-12-22 杭州趣链科技有限公司 Polynomial commitment based method, electronic device and readable storage medium
CN117278213B (en) * 2023-10-31 2024-02-09 杭州趣链科技有限公司 Polynomial commitment based method, electronic device and readable storage medium

Also Published As

Publication number Publication date
CN113507374B (en) 2021-11-30

Similar Documents

Publication Publication Date Title
CN113507374B (en) Threshold signature method, device, equipment and storage medium
CN108667625B (en) Digital signature method of cooperative SM2
CN107634836B (en) SM2 digital signature generation method and system
Zhou et al. ExpSOS: Secure and verifiable outsourcing of exponentiation operations for mobile cloud computing
CN112906030B (en) Data sharing method and system based on multi-party homomorphic encryption
CN109309569A (en) The method, apparatus and storage medium of collaboration signature based on SM2 algorithm
EP1526676A1 (en) Conference session key distribution method on an id-based cryptographic system
CN110545279A (en) block chain transaction method, device and system with privacy and supervision functions
CN107248909A (en) It is a kind of based on SM2 algorithms without Credential-Security endorsement method
EP1964306A1 (en) Group signature scheme with improved efficiency, in particular in a join procedure
CN110011803A (en) A kind of method that two side of lightweight SM2 cooperates with generation digital signature
CN115834056A (en) Certificateless ordered aggregation signature method, certificateless ordered aggregation signature system and related devices
CN115396115B (en) Block chain data privacy protection method, device, equipment and readable storage medium
CN113132104A (en) Active and safe ECDSA (electronic signature SA) digital signature two-party generation method
CN108964906B (en) Digital signature method for cooperation with ECC
Kwak et al. Efficient distributed signcryption scheme as group signcryption
Liu et al. Secure and efficient two-party collaborative SM9 signature scheme suitable for smart home
CN117220891A (en) Threshold ECDSA signature method and system based on non-interactive distributed key
CN111669275A (en) Master-slave cooperative signature method capable of selecting slave nodes in wireless network environment
CN112667995A (en) Restricted Paillier encryption system and application method thereof in key distribution and identity authentication
Han et al. Efficient two-party SM2 signing protocol based on secret sharing
JP3074164B2 (en) Exclusive key agreement
Kwak et al. A secure extension of the Kwak–Moon group signcryption scheme
CN114070549A (en) Key generation method, device, equipment and storage medium
Dehkordi et al. Certificateless identification protocols from super singular elliptic curve

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant