CN114553505A - Method and device for generating random number by cooperation of multiple parties - Google Patents


Info

Publication number: CN114553505A (application CN202210120949.XA)
Authority: CN (China)
Prior art keywords: node, nodes, aggregation, random number, ciphertexts
Legal status: Granted (status as listed by Google, an assumption rather than a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114553505B (granted patent)
Inventors: 杨飞鸿, 马环宇, 雷浩
Current and original assignee: Ant Blockchain Technology Shanghai Co Ltd (as listed by Google, without legal analysis)
Events: application filed by Ant Blockchain Technology Shanghai Co Ltd; priority to CN202210120949.XA; publication of CN114553505A; application granted; publication of CN114553505B; legal status active

Classifications

    • H04L63/0442 Network security: confidential data exchange over packet networks where the payload is protected and the sending and receiving entities apply asymmetric encryption (different keys for encryption and decryption)
    • H04L9/0631 Block ciphers built as a substitution permutation network [SPN], e.g. AES
    • H04L9/0869 Generation of secret information (keys or passwords) involving random numbers or seeds
    • H04L9/3066 Public key cryptography involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L2209/08 Randomization, e.g. dummy operations or using noise
    • H04L2209/46 Secure multiparty computation, e.g. millionaire problem

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Algebra (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

In an embodiment of this specification, a method for generating a random number cooperatively by multiple parties is provided. The method is performed by a first node, which may be any one of N nodes, and comprises, in a single round of random number generation: generating N fragments (secret shares), one for each of the N nodes, from the privacy value held by the first node; obtaining t aggregation results generated by t of the N nodes, where t exceeds a preset threshold and the aggregation result of any second node among the t nodes is generated from the several fragments addressed to that second node, those fragments having been generated by several of the N nodes from the privacy values they hold; and generating the random number from the t aggregation results.

Description

Method and device for generating random number by cooperation of multiple parties
Technical Field
One or more embodiments of this disclosure relate to the field of computers, and in particular to a method and an apparatus for generating random numbers cooperatively by multiple parties.
Background
In a distributed system of several nodes it may be necessary to generate one common random number from privacy values that the nodes hold separately. For example, while a new block is being produced, a transaction belonging to that block may need a random number to execute; to keep the random number fair (unpredictable and unbiased by any single party), it may have to be generated from privacy values held by several blockchain nodes of the blockchain system.
A new scheme is desirable that lets multiple nodes cooperatively generate random numbers more efficiently.
Disclosure of Invention
One or more embodiments of the present specification provide a method and apparatus for generating random numbers cooperatively by multiple parties.
In a first aspect, a method is provided for generating random numbers cooperatively by multiple parties comprising N nodes. The method is performed by a first node, which may be any of the N nodes, and includes, in a single round of random number generation: generating N fragments, one for each of the N nodes, from the privacy value held by the first node; obtaining t aggregation results generated by t of the N nodes, t being greater than a preset threshold, where the aggregation result of any second node among the t nodes is generated from the several fragments addressed to that second node, and those fragments were generated by several of the N nodes from their respective privacy values; and generating the random number from the t aggregation results.
In one possible embodiment the method further comprises: encrypting the N fragments under the public keys of the respective N nodes to obtain N fragment ciphertexts, one per node; sending each node its fragment ciphertext, i.e. sending the N-1 fragment ciphertexts addressed to the remaining N-1 nodes and receiving from them the N-1 fragment ciphertexts addressed to the first node; and generating the aggregation result of a second node from the private key of that second node and the several fragment ciphertexts addressed to it.
In one possible embodiment, receiving the N-1 fragment ciphertexts addressed to the first node from the N-1 nodes comprises receiving N-1 broadcast messages, one from each of the N-1 nodes, where a single broadcast message contains the N fragment ciphertexts that its sender generated for the N nodes.
In one possible embodiment the method further comprises: receiving N-1 first proofs from the N-1 nodes; for any third node among the N-1 nodes, verifying with the first proof from that third node whether the N fragment ciphertexts in its broadcast message can be used to recover the privacy value it holds; and, if so, taking the fragment ciphertext addressed to the first node in that broadcast message as one of the fragment ciphertexts from which the first node generates its first aggregation result.
In one possible implementation, sending each node its fragment ciphertext comprises sending a broadcast message to the N-1 nodes that contains the N fragment ciphertexts for the N nodes.
In one possible embodiment the method further comprises sending the N-1 nodes a first proof with which they can verify that the N fragment ciphertexts in the broadcast message can be used to recover the privacy value held by the first node.
In one possible implementation, obtaining t aggregation results generated by t of the N nodes, t being greater than the preset threshold, comprises: generating the first aggregation result of the first node; receiving from at least two of the N-1 nodes the second aggregation results they generated; and selecting t aggregation results from the first aggregation result and the second aggregation results.
In one possible embodiment, generating the first aggregation result of the first node comprises aggregating the several fragment ciphertexts addressed to the first node into an aggregate ciphertext and decrypting that aggregate ciphertext with the private key of the first node.
In one possible embodiment, generating the first aggregation result of the first node comprises decrypting the several fragment ciphertexts addressed to the first node with its private key to obtain the several fragments addressed to it, and aggregating those fragments.
In one possible embodiment the method further comprises sending the first aggregation result to the N-1 nodes together with a second proof with which they can verify that the first aggregation result was generated from the private key of the first node and the several fragment ciphertexts addressed to it.
In one possible embodiment the method further comprises: receiving from the at least two nodes the second proofs they generated; for any third node among them, verifying with its second proof whether its second aggregation result was generated from the private key of that third node and the several fragment ciphertexts addressed to it; and, if so, treating that second aggregation result as one of the target aggregation results allowed to be used in generating the random number.
In one possible embodiment, selecting t aggregation results from the first aggregation result and the second aggregation results comprises selecting t aggregation results from the first aggregation result and the target aggregation results.
In one possible implementation, generating the N fragments for the N nodes from the privacy value held by the first node specifically comprises generating them from that privacy value and the respective numbers of the N nodes, and generating the random number from the t aggregation results specifically comprises interpolating the t aggregation results according to the respective numbers of the t nodes and generating the random number from the interpolation result.
In one possible embodiment the N nodes are N blockchain nodes of a blockchain system, the preset threshold is determined from the number of malicious nodes the blockchain system tolerates, a single random number generation round corresponds to one block of the blockchain, and the generated random number is used by a transaction in that block.
In one possible implementation the first node executes the different phases of several random number generation rounds in parallel, so that those rounds deliver their random numbers at the block production times of the corresponding blocks.
In a second aspect, an apparatus is provided for generating a common random number cooperatively by multiple parties comprising N nodes, deployed at a first node that may be any of the N nodes. The apparatus comprises: a fragment processing unit configured to generate, in a single random number generation round, N fragments for the N nodes from the privacy value held by the first node; a data acquisition unit configured to obtain t aggregation results generated by t of the N nodes, t being greater than a preset threshold, where the aggregation result of any second node among the t nodes is generated from the several fragments addressed to it, which were generated by several of the N nodes from their respective privacy values; and a random number generation unit configured to generate the random number from the t aggregation results.
In a third aspect, a computer-readable storage medium is provided that stores a computer program or instructions which, when executed by a computing device, cause the computing device to perform the method of any embodiment of the first aspect.
In a fourth aspect, a computing device is provided comprising a memory storing a computer program or instructions and a processor that implements the method of any embodiment of the first aspect when executing them.
With the method and apparatus provided in one or more embodiments of this specification, no time has to be spent recovering the privacy value held by any single node while the N nodes cooperate to generate the random number, so that the N nodes complete generation of the common random number faster and more efficiently.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in describing them are introduced briefly below. They show only some embodiments of this disclosure; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a system framework diagram of the solution provided in the examples of this specification;
FIG. 2 is a flow chart of a method for generating random numbers cooperatively by multiple parties provided in an embodiment of the present specification;
FIG. 3 is a flow chart of another method for generating random numbers cooperatively by multiple parties provided in an embodiment of the present specification;
fig. 4 is a schematic diagram of a first node in any of N nodes obtaining t aggregation results;
FIG. 5 is a schematic diagram of a first node of any of N nodes executing multiple rounds of random number generation in parallel;
fig. 6 is a schematic diagram of an apparatus for generating random numbers cooperatively by multiple parties, provided in an embodiment of the present specification.
Detailed Description
Various non-limiting embodiments provided by the present specification are described in detail below with reference to the attached figures.
Fig. 1 is a system framework diagram of the technical solution provided in the embodiments of this specification. As shown in fig. 1, in a distributed system of N nodes, node 1 to node N, fairness of a random number generated cooperatively by the nodes is usually achieved by having each of node 1 to node N first commit to a privacy value; afterwards, as the distributed system requires, the N nodes carry out several rounds of communication based on the committed privacy values and so cooperatively generate a common random number for the distributed system or for other computer programs.
In one embodiment, the process by which the N nodes cooperatively generate a random number is divided into a commit phase, a reveal phase and a recovery phase. In the commit phase each of the N nodes derives fragments from its privacy value and sends the corresponding fragment and a commitment to each of the other N-1 nodes. In the reveal phase each node discloses the privacy value it holds, and the other N-1 nodes check that the disclosed value matches the commitment that node sent, so that the common random number can be generated from the N valid disclosed privacy values. If some malicious node among the N does not disclose its privacy value, or discloses an invalid one, a recovery phase has to be run: the other nodes reconstruct the privacy value of the malicious node from the fragments it sent, so that the common random number can still be generated from the privacy values of all N nodes.
In this embodiment, if there are several malicious nodes among the N nodes, the other nodes must reconstruct each malicious node's privacy value from the fragments it sent during the recovery phase, and that reconstruction takes a long time, so random number generation cannot be completed quickly.
In view of this problem, embodiments of this disclosure provide a method and an apparatus for generating a random number cooperatively by multiple parties in which, while N nodes cooperate to generate the random number, no time has to be spent recovering the privacy value held by any single node, so that the N nodes complete generation of the common random number faster and more efficiently.
Fig. 2 is a flowchart of a method for generating random numbers cooperatively by multiple parties in an embodiment of this specification. Any first node among the N nodes may perform the method in a single round of random number generation, so that all N nodes obtain the same random number. The N nodes typically belong to the same distributed system; for example, they may be N blockchain nodes of the same blockchain system. In that case a single random number generation round corresponds to a single block of the blockchain, and the random number the N blockchain nodes generate in that round can be used for the corresponding block, for example for the transactions it contains.
Before the method for generating random numbers by multi-party cooperation provided in the embodiments of this specification is run, the N nodes may be initialised. For example, they agree on an elliptic-curve group of prime order and on two generators g and h of that group whose discrete-logarithm relation is unknown to everyone (nobody can express h as a power of g, which is what makes the commitments below binding). Each node's key pair may also be initialised: the N nodes are numbered in sequence, so that the i-th node is written node i (and likewise node j is the j-th node); node i (or node j) picks a private key $sk_i$ (or $sk_j$) and derives its public key from the generator h as
$$pk_i = h^{sk_i}, \qquad pk_j = h^{sk_j}.$$
For a single random number generation round, as shown in fig. 2, the method includes at least steps 21 to 25 below.
First, in step 21, the first node generates N fragments, one for each of the N nodes, from the privacy value it holds.
For clarity in what follows, node i denotes the first node, $s_i$ the privacy value held by node i, and $s_{ij}$ the fragment that node i generates for node j (any of the N nodes, including node i itself).
Illustratively, node i obtains a random number and uses it as its privacy value $s_i$, then picks $t-1$ further random numbers $c_1, \dots, c_{t-1}$ and forms the polynomial
$$p(x) = \sum_{k=0}^{t-1} c_k x^k = c_0 + c_1 x + \dots + c_{t-1} x^{t-1}, \qquad c_0 = s_i,$$
with all arithmetic modulo the order of the group. The privacy value $s_i$ is then split according to this polynomial and the node numbers: substituting the number j of the j-th node for x gives $p(j)$, and $s_{ij} = p(j)$ is the fragment for node j. Note that t is fixed by a preset threshold: when the N nodes are the N blockchain nodes of one blockchain system, the threshold may be the number of malicious nodes the system tolerates, and t may be any integer greater than that threshold and not greater than N (so that fewer than t colluding nodes learn nothing about $s_i$, while any t honest nodes still hold enough fragments).
In a possible implementation, as shown in fig. 3, the method further includes step 31: the first node encrypts each of the N fragments under the public key of the corresponding node and so obtains N fragment ciphertexts, one per node. For example, node i encrypts the fragment $s_{ij}$ for node j under $pk_j$ and obtains the fragment ciphertext
$$\hat{s}_{ij} = pk_j^{\,s_{ij}} = h^{sk_j\, s_{ij}},$$
where $pk_j = h^{sk_j}$ is the public key initialised above. The ciphertext is a group element with the fragment in the exponent; that is what the first proof and the multiplicative aggregation below rely on.
Building on step 31, the first node may send each of the remaining N-1 nodes the fragment ciphertext addressed to it and receive from them the N-1 fragment ciphertexts addressed to the first node. So that every node can check the validity of the fragment ciphertexts it receives, the method may further include, on the basis of step 31: step 331, in which the first node sends a broadcast message to the remaining N-1 nodes containing the N fragment ciphertexts it generated for the N nodes; and step 333, in which the first node receives N-1 broadcast messages from the remaining N-1 nodes, each containing the N fragment ciphertexts its sender generated for the N nodes.
With continued reference to fig. 3, on the basis of steps 331 and 333 the method may further include all or part of steps 351 to 357.
Step 351: the first node sends a first proof to the remaining N-1 nodes; with it they verify that the N fragment ciphertexts in the first node's broadcast message can be used to recover the privacy value held by the first node.
Illustratively, node i first generates a polynomial commitment
$$(v_1, v_2, \dots, v_N), \qquad v_j = g^{\,s_{ij}},$$
whose j-th element is the fragment $s_{ij}$ committed under the generator g. Node i then generates the first proof, $\mathrm{proof}_1$, from this commitment. Specifically, for each node j it chooses a fresh random number $w_j$ and computes, from $w_j$, the generator g and the public key $pk_j$, the two values
$$a_{1j} = g^{w_j}, \qquad a_{2j} = pk_j^{\,w_j}.$$
(A fresh $w_j$ per node is essential: if one w were reused for all j, the responses below would satisfy $r_j - r_k = (s_{ik} - s_{ij})\,c$, and anybody reading the proof could recover differences of fragments.) Node i then hashes the N commitment elements, the 2N values $a_{1j}, a_{2j}$ and its N fragment ciphertexts into its digest value
$$c = H(v_1, \dots, v_N,\ a_{11}, a_{21}, \dots, a_{1N}, a_{2N},\ \hat{s}_{i1}, \dots, \hat{s}_{iN}),$$
and for each node j forms the commitment value $r_j = w_j - s_{ij}\,c$ (modulo the group order). The polynomial commitment, the digest value and the vector
$$\vec{r} = (r_1, \dots, r_N),$$
whose j-th element is the commitment value $r_j$ for node j, together make up $\mathrm{proof}_1$. A verifier recomputes $a_{1j} = g^{r_j} v_j^{\,c}$ and $a_{2j} = pk_j^{\,r_j}\,\hat{s}_{ij}^{\,c}$ for every j and checks that hashing them with the commitment and the ciphertexts reproduces c; this is a batched Chaum-Pedersen proof of discrete-logarithm equality, showing that the exponent committed in $v_j$ is the same exponent encrypted in $\hat{s}_{ij}$.
Step 353: the first node receives N-1 first proofs from the remaining N-1 nodes.
The $\mathrm{proof}_1$ that any node i sends can be carried in the broadcast message node i sends to the remaining N-1 nodes; that is, with a single broadcast message node i delivers both its $\mathrm{proof}_1$ and the N fragment ciphertexts for the N nodes. Likewise, a single broadcast message received by node i may contain the $\mathrm{proof}_1$ generated by its sender together with the sender's N fragment ciphertexts.
Step 355: for any third node among the N-1 nodes, the first node uses the first proof from that node to verify whether the N fragment ciphertexts in its broadcast message can be used to recover the privacy value it holds. After node i receives $\mathrm{proof}_1$ from any node j, it first verifies polynomial validity, i.e. that the N committed fragments lie on one polynomial of degree at most $t-1$. For that it picks a random polynomial $f(x)$ of degree $N-t-1$ and builds from it a random codeword of the dual code,
$$c^{\perp}_k = f(k) \prod_{m=1,\, m \neq k}^{N} (k-m)^{-1}, \qquad k = 1, \dots, N,$$
with all arithmetic modulo the group order. If the N elements of the polynomial commitment in $\mathrm{proof}_1$ from node j are consistent with a unique polynomial of degree at most $t-1$, then
$$\prod_{k=1}^{N} v_k^{\,c^{\perp}_k} = 1,$$
and node i continues with the discrete-logarithm validity verification for node j; otherwise
$$\prod_{k=1}^{N} v_k^{\,c^{\perp}_k} \neq 1$$
(except with probability $1/q$ for a group of prime order q), the polynomial validity verification fails and node i does not continue with the discrete-logarithm verification for node j; in other words, node i will not use any fragment ciphertext from node j when it later generates the random number. If node j passes polynomial validity verification and the discrete-logarithm validity verification based on its $\mathrm{proof}_1$ also passes, then the N fragment ciphertexts in the broadcast message from node j can be used to recover the privacy value held by node j; that is, the fragment ciphertexts from node j pass validity verification.
Step 357: if the N fragment ciphertexts in the broadcast message from the third node can be used to recover the privacy value held by the third node, the first node takes the fragment ciphertext addressed to it in that broadcast message as one of the target fragment ciphertexts from which it generates its first aggregation result.
Returning to fig. 2, in step 23 the first node obtains t aggregation results generated by t of the N nodes.
In one possible implementation, as shown in fig. 4, step 23 may include steps 231 to 235 below.
Step 231: the first node generates its first aggregation result.
More specifically, with continued reference to FIG. 3, based on steps 355 and 357, step 231 may include step 2311, where the first node fragments the ciphertext according to the respective targetsAnd generating a first aggregation result of the first node by the fragment ciphertext generated by the first node and corresponding to the first node. For example, node i may aggregate several fragmented ciphertexts corresponding to node i to generate an aggregate ciphertext
Figure BDA0003498386080000071
For example, the aggregation ciphertext of the node i is obtained by calculating and multiplying a plurality of fragment ciphertexts corresponding to the node i
Figure BDA0003498386080000072
And according to the private key sk corresponding to the node iiAggregate ciphertext generated therefrom
Figure BDA0003498386080000073
Decrypting to generate an aggregated result T for node ii(ii) a Or, the node i may be according to the private key sk corresponding to the node iiDecrypting the plurality of fragment ciphertexts corresponding to the node i to generate a plurality of fragments corresponding to the node i, and aggregating the plurality of fragments corresponding to the node i to generate an aggregation result T of the node iiFor example, the aggregation result T of the node i is obtained by calculating and multiplying a plurality of fragments corresponding to the node ii. The plurality of segment ciphertexts corresponding to the node i include the segment ciphertexts corresponding to the node i generated by the node i, and each target segment ciphertexts obtained by the node i through the foregoing step 357 or other similar methods.
For example, if all the fragment ciphertexts that node i receives from the remaining N-1 nodes pass validity verification, the aggregation result is
Figure BDA0003498386080000074
From the computation and expression of T_i it is not hard to see that when a fragment ciphertext from a malicious node fails verification, the fragment corresponding to node i generated by that malicious node does not enter into the computation of T_i.
In step 233, the first node receives at least two second aggregated results from at least two of the remaining N-1 nodes.
In step 235, the first node selects t aggregation results from the first aggregation result and the at least two second aggregation results.
In one possible embodiment, the method may further include steps 232 through 2345 as follows.
Step 232, the first node sends the first aggregation result and the second proof to the remaining N-1 nodes.
Specifically, any node i among the N nodes may select a random number w and generate, based on w, two random numbers corresponding to node i, namely a_1i = g^w and
Figure BDA0003498386080000075
and then, based on its public key pk_i, the aggregate ciphertext
Figure BDA0003498386080000076
and the two random numbers corresponding to node i, calculate the digest value c_i of node i:
Figure BDA0003498386080000077
and generate a commitment value r_i = w - sk_i·c_i based on the digest value of node i; the digest value and the commitment value of node i then form the second proof proof_2 of node i.
At step 2341, the first node receives, from at least two nodes, their respectively generated second proofs.
It should be noted that the second proof and the first aggregation result sent by the first node to the remaining N-1 nodes may be included in the same broadcast message. Similarly, node i may receive from one of the remaining N-1 nodes a broadcast message containing both the second aggregation result and the second proof generated by that node.
Step 2343, for any third node among the at least two nodes, verifying, according to the second proof from the third node, whether the second aggregation result from the third node was generated according to the private key corresponding to the third node and the plurality of fragment ciphertexts corresponding to the third node. Specifically, for the second proof proof_2 from any node j, node i may, based on the digest value c_j and the commitment value r_j of node j contained in proof_2, check whether the following holds:
Figure BDA0003498386080000081
If it holds, the aggregation result from node j is determined to have been generated according to the private key corresponding to node j and the plurality of fragment ciphertexts corresponding to node j, and the aggregation result from node j passes validity verification.
Step 2345, if the second aggregation result from the third node passes verification, the second aggregation result from the third node is taken as one of the target aggregation results allowed to be used for generating the random number.
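An added example, not code from the patent, of how the second proof of steps 232 and 2343 can be realised as a Chaum-Pedersen proof of correct ElGamal decryption: a_1i = g^w and r_i = w - sk_i·c_i follow the text, while a_2i = C1^w, the SHA-256 digest and the safe-prime group found at runtime are assumptions made for this example.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin, exact for n < 3.3e24."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(start):
    """First safe prime p = 2q + 1 with q >= start; G = 2^2 mod p has order q."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

# Constructed toy parameters (about 41 bits): far too small to be secure, only
# large enough that the checks below are not fooled by chance.
P, Q, G = safe_prime_group(1 << 40)

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, m):
    """ElGamal with the value in the exponent, as assumed for the fragment ciphertexts."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), pow(pk, k, P) * pow(G, m, P) % P

def decrypt(sk, ct):
    """Aggregation result T_i = C2 / C1^sk_i (a group element)."""
    return ct[1] * pow(ct[0], -sk, P) % P

def digest(pk, ct, a1, a2):
    """c_i = H(pk_i, aggregate ciphertext, a_1i, a_2i) mod q; SHA-256 and the
    input order are assumptions of this example."""
    data = "|".join(map(str, (pk, ct[0], ct[1], a1, a2))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def second_proof(sk, pk, ct):
    """Step 232: a_1i = g^w and r_i = w - sk_i c_i as on the page; a_2i = C1^w is
    the Chaum-Pedersen companion value (assumed). The proof is (c_i, r_i)."""
    w = secrets.randbelow(Q - 1) + 1
    a1, a2 = pow(G, w, P), pow(ct[0], w, P)
    c = digest(pk, ct, a1, a2)
    return c, (w - sk * c) % Q

def verify_second_proof(pk, ct, T, proof):
    """Step 2343: rebuild a_1, a_2 from (c_j, r_j) and re-derive the digest.
    d = C2 / T equals C1^sk_j exactly when T is the honest decryption of ct."""
    c, r = proof
    d = ct[1] * pow(T, -1, P) % P
    a1 = pow(G, r, P) * pow(pk, c, P) % P
    a2 = pow(ct[0], r, P) * pow(d, c, P) % P
    return digest(pk, ct, a1, a2) == c

def honest_and_forged():
    """Node j's honest T_j verifies; a substituted result with the same proof does not."""
    sk, pk = keygen()
    ct = encrypt(pk, 123)          # stands in for node j's aggregate ciphertext
    t_honest = decrypt(sk, ct)
    proof = second_proof(sk, pk, ct)
    return (verify_second_proof(pk, ct, t_honest, proof),
            verify_second_proof(pk, ct, t_honest * G % P, proof))
```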
Based on the foregoing steps 232 to 2345, the foregoing step 235 may specifically include step 2351, where the first node selects t aggregation results from the first aggregation result and the target aggregation results.
Finally, in step 25, the first node generates a random number from the t aggregation results. Specifically, any node i may perform interpolation, such as Lagrange interpolation, on the t aggregation results it selected, according to the respective numbers of the t nodes corresponding to those t aggregation results, and then generate the random number based on the result of the interpolation.
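An added toy model of steps 2311 and 25 (not the patent's code): fragment ciphertexts for one node are multiplied and decrypted into an aggregation result T_i, and any t of the N results are interpolated in the exponent to recover the same random number, with a rejected dealer's privacy value left out. The constructed safe-prime group, exponent ElGamal for the fragment ciphertexts, Shamir fragments at the node numbers and the modelling of the step-357 check as a set of rejected dealers are all assumptions, since the patent's formulas appear here only as images.

```python
import secrets
from functools import reduce
from itertools import combinations

# Constructed toy group (far too small to be secure): safe prime p = 2q + 1,
# G = 2^2 mod p generates the subgroup of prime order q.
P, Q, G = 1019, 509, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, m):
    """ElGamal with the fragment m in the exponent: ciphertexts for one recipient
    multiply into a ciphertext of the sum (the homomorphism assumed here)."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), pow(pk, k, P) * pow(G, m, P) % P

def mul_ct(a, b):
    return a[0] * b[0] % P, a[1] * b[1] % P

def decrypt(sk, ct):
    """Returns g^m, so the aggregation result T_i is a group element, not a share."""
    return ct[1] * pow(ct[0], -sk, P) % P

def share(secret, ids, t):
    """Step 21: Shamir fragments of a privacy value, evaluated at the node numbers."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {j: sum(a * pow(j, k, Q) for k, a in enumerate(coeffs)) % Q for j in ids}

def lagrange_at_zero(ids):
    """Lagrange coefficients (mod q) that recover the polynomial value at 0."""
    lam = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num, den = num * (-j) % Q, den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam

def recover(results):
    """Step 25: interpolate t aggregation results in the exponent, giving g^(sum of secrets)."""
    lam = lagrange_at_zero(list(results))
    return reduce(lambda acc, i: acc * pow(results[i], lam[i], P) % P, results, 1)

def run_round(n, t, rejected=()):
    """One round with N = n nodes. `rejected` models dealers whose broadcast failed
    the step-357 check, so every node drops their fragments (modelled, not implemented)."""
    ids = list(range(1, n + 1))
    keys = {i: keygen() for i in ids}
    priv = {i: secrets.randbelow(Q) for i in ids}
    # Step 31: dealer i encrypts fragment j under pk_j and broadcasts all N ciphertexts.
    bcast = {i: {j: encrypt(keys[j][1], s) for j, s in share(priv[i], ids, t).items()}
             for i in ids}
    accepted = [i for i in ids if i not in rejected]
    # Step 2311: node j multiplies the accepted ciphertexts addressed to it, then decrypts.
    T = {j: decrypt(keys[j][0], reduce(mul_ct, [bcast[i][j] for i in accepted])) for j in ids}
    expected = pow(G, sum(priv[i] for i in accepted) % Q, P)
    return T, expected

def every_t_subset_agrees(n, t, rejected=()):
    """True iff any t of the N aggregation results recover the same random number, and
    that number is built only from the accepted dealers' privacy values."""
    T, expected = run_round(n, t, rejected)
    return all(recover({i: T[i] for i in sub}) == expected for sub in combinations(T, t))

if __name__ == "__main__":
    print(every_t_subset_agrees(5, 3), every_t_subset_agrees(5, 3, rejected=(2,)))
```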
When the N nodes are N blockchain nodes in the same blockchain system, any first node among the N nodes may execute different stages of multiple random number generation rounds as shown in fig. 3 in parallel, so that the multiple random number generation rounds produce corresponding random numbers at the block times (block production times) of the corresponding blocks. More specifically, a single random number generation round may be divided into a plurality of execution stages, and the block time actually consumed by each execution stage may be defined, so that by executing different stages of the plurality of random number generation rounds in parallel, the first node generates within each block time a random number for the corresponding block, to be used for the transactions in that block.
Referring to fig. 5, a single random number generation round may be divided into: a secret value fragment encryption stage, which corresponds to the aforementioned steps 21 and 31 and is defined to consume 2 block times; a first communication stage, which corresponds to the aforementioned steps 331, 333, 351 and 355 and is defined to consume 1 block time; an aggregation and decryption stage, which corresponds to the aforementioned steps 355, 357 and 2311 and is defined to consume 5 block times; and a second communication and random number recovery stage, which corresponds to the aforementioned step 232 and all subsequent steps and is defined to consume 1 block time. As can be seen from the example of fig. 5, a single random number generation round consumes 9 block times, and any first node among the N nodes may execute different stages of 9 random number generation rounds essentially in parallel, so that after the first node generates, for example, random number 1 for one block, it can go on to generate random number 2 and random number 3 for the next two blocks in the next two block times.
It should be particularly noted that fig. 5 is only used to assist in explaining the technical solution in the embodiment of the present specification, and in an actual scenario, it is also possible to divide a plurality of execution stages included in a single random number generation round in other ways and define block time that needs to be consumed by each execution stage in other ways, which is not limited in any way in the embodiment of the present specification.
It should be particularly noted that there are various ways of generating the proof and verifying the validity of the related data according to the proof, that is, it is also possible to implement the way of generating the first proof and verifying the validity of the sliced ciphertext according to the first proof by adopting other ways besides the aforementioned examples, and it is also possible to implement the way of generating the second proof and verifying the validity of the aggregated result according to the second proof by adopting other ways besides the aforementioned examples.
Based on the same concept as the foregoing method embodiment, this specification embodiment further provides an apparatus for generating a public random number cooperatively by multiple parties, where the multiple parties include N nodes and the apparatus is deployed at any first node among the N nodes. As shown in fig. 6, the apparatus includes: a fragment processing unit 61, configured to generate, in a single random number generation round, N fragments corresponding to the N nodes according to the privacy value held by the first node; a data obtaining unit 63, configured to obtain t aggregation results generated by t nodes among the N nodes, t being greater than a preset threshold, where the aggregation result of any second node among the t nodes is generated based on a plurality of fragments corresponding to the second node, and the plurality of fragments corresponding to the second node are generated by a plurality of nodes among the N nodes based on the privacy values they respectively hold; and a random number generating unit 65, configured to generate a random number according to the t aggregation results.
Those skilled in the art will recognize that in one or more of the examples described above, the functions described in this specification can be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, a computer program corresponding to these functions may be stored in a computer-readable medium or transmitted as one or more instructions/codes on the computer-readable medium, so that when the computer program corresponding to these functions is executed by a computer, the method described in any one of the embodiments of the present specification is implemented by the computer.
Also provided in an embodiment of the present specification is a computer-readable storage medium having a computer program stored thereon, which, when executed in a computing device, performs the method performed by the first node in any one of the embodiments of the present specification.
The embodiment of the present specification further provides a computing device, which includes a memory and a processor, where the memory stores executable codes, and when the processor executes the executable codes, the computing device implements the method executed by the first node in any one of the embodiments of the present specification.
The embodiments in the present description are described in a progressive manner, and the same and similar parts in the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The above-mentioned embodiments, objects, technical solutions and advantages of the present invention are further described in detail, it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention should be included in the scope of the present invention.

Claims (17)

1. A method of cooperative generation of random numbers by multiple parties, the parties comprising N nodes, the method being performed by a first node of any of the N nodes, the method comprising, in a single round of random number generation:
generating N fragments corresponding to the N nodes according to the privacy numerical value held by the first node;
acquiring t aggregation results generated by t nodes which are larger than a preset threshold value in the N nodes, wherein the aggregation result of any second node in the t nodes is generated based on a plurality of fragments corresponding to the second node, and the fragments corresponding to the second node are generated by a plurality of nodes in the N nodes based on respective privacy numerical values;
and generating a random number according to the t aggregation results.
2. The method of claim 1, further comprising:
encrypting the N fragments corresponding to the N nodes according to the public keys corresponding to the N nodes respectively to generate N fragment ciphertexts corresponding to the N nodes;
sending the respective corresponding fragment ciphertext to the rest N-1 nodes, and receiving the N-1 fragment ciphertexts corresponding to the first node from the N-1 nodes;
and generating an aggregation result of the second node based on a private key corresponding to the second node and a plurality of fragment ciphertexts corresponding to the second node.
3. The method of claim 2, wherein said receiving N-1 sliced ciphertexts corresponding to the first node from the N-1 nodes comprises: and receiving N-1 broadcast messages from the N-1 nodes, wherein the single broadcast message comprises N fragment ciphertexts which are generated by the corresponding node and correspond to the N nodes.
4. The method of claim 3, further comprising:
receiving N-1 first proofs from the N-1 nodes;
for any third node in the N-1 nodes, verifying, according to a first proof from the third node, whether the N fragment ciphertexts contained in a broadcast message from the third node can be used to recover the privacy value held by the third node; and if so, taking the fragment ciphertext corresponding to the first node contained in the broadcast message from the third node as a fragment ciphertext used by the first node to generate a first aggregation result.
5. The method of claim 2, wherein said sending the respective corresponding sliced ciphertexts to the remaining N-1 nodes comprises: and sending a broadcast message to the N-1 nodes, wherein the broadcast message comprises N fragment ciphertexts corresponding to the N nodes.
6. The method of claim 5, further comprising: sending a first proof to the N-1 nodes, for verifying that the N fragment ciphertexts contained in the broadcast message can be used to recover the privacy value held by the first node.
7. The method of claim 2, wherein the obtaining t aggregation results generated by t nodes of the N nodes that are greater than a preset threshold comprises:
generating a first aggregation result for the first node;
receiving, from at least two of the N-1 nodes, their respective generated second aggregated results;
selecting t aggregation results from the first aggregation result and each of the second aggregation results.
8. The method of claim 7, wherein the generating an aggregated result for the first node comprises:
aggregating the plurality of fragment ciphertexts corresponding to the first node to generate an aggregate ciphertext, and decrypting the generated aggregate ciphertext according to a private key corresponding to the first node to generate a first aggregation result of the first node; or,
and decrypting the plurality of segment ciphertexts corresponding to the first node according to the private key corresponding to the first node to generate a plurality of segments corresponding to the first node, and aggregating the plurality of segments corresponding to the first node to generate a first aggregation result of the first node.
9. The method of claim 8, further comprising:
sending the first aggregation result to the N-1 nodes; and the number of the first and second groups,
and sending a second proof to the N-1 nodes, for verifying that the first aggregation result is generated based on a private key corresponding to the first node and a plurality of fragment ciphertexts corresponding to the first node.
10. The method of claim 7, further comprising:
receiving from the at least two nodes their respective generated second proofs;
for any third node in the at least two nodes, verifying, according to a second proof from the third node, whether a second aggregation result from the third node is generated based on a private key corresponding to the third node and a plurality of fragment ciphertexts corresponding to the third node; and if so, taking the second aggregation result from the third node as one of the target aggregation results allowed for generating the random number.
11. The method according to claim 10, wherein the selecting t aggregation results from the first aggregation result and the respective second aggregation results specifically comprises: selecting t aggregation results from the first aggregation result and the target aggregation results.
12. The method of any one of claims 1-11,
the generating N segments corresponding to the N nodes according to the privacy values held by the first node specifically includes: generating N fragments corresponding to the N nodes according to the privacy numerical value held by the first node and the respective numbers of the N nodes;
generating a random number according to the t aggregation results specifically includes: and performing interpolation processing on the t aggregation results according to the respective numbers of the t nodes, and generating random numbers based on the interpolation processing results.
13. The method of any of claims 1-11, wherein the N nodes are N blockchain nodes of a blockchain system, the preset threshold is determined based on a number of malicious nodes allowed by the blockchain system, a single random number generation round corresponds to a block in the blockchain system, and the generated random numbers are used for transactions in the block.
14. The method of claim 13, wherein the first node performs different stages of the plurality of random number generation rounds in parallel such that the plurality of random number generation rounds generate a corresponding plurality of random numbers at the block out times of a corresponding plurality of blocks.
15. An apparatus for cooperative generation of a common random number by a plurality of parties, the plurality of parties including N nodes, the apparatus being deployed at a first node of any of the N nodes, the apparatus comprising:
a fragment processing unit configured to generate, in a single random number generation round, N fragments corresponding to the N nodes according to the privacy value held by the first node;
a data obtaining unit configured to obtain t aggregation results generated by t nodes among the N nodes, t being greater than a preset threshold value, where an aggregation result of any second node among the t nodes is generated based on a plurality of fragments corresponding to the second node, and the plurality of fragments corresponding to the second node are generated by a plurality of nodes among the N nodes based on privacy values that the nodes respectively hold;
and the random number generation unit is configured to generate random numbers according to the t aggregation results.
16. A computer-readable storage medium having stored thereon a computer program which, when executed in a computing device, performs the method of any of claims 1-14.
17. A computing device comprising a memory having stored therein a computer program and a processor that, when executing the computer program, implements the method of any of claims 1-14.
CN202210120949.XA 2022-02-09 2022-02-09 Method, device, storage medium and computing equipment for generating random numbers cooperatively by multiple parties Active CN114553505B (en)

Publications (2)

Publication Number Publication Date
CN114553505A true CN114553505A (en) 2022-05-27
CN114553505B CN114553505B (en) 2023-08-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant