CN114553505B - Method, device, storage medium and computing equipment for generating random numbers cooperatively by multiple parties - Google Patents


Info

Publication number
CN114553505B
Authority
CN
China
Prior art keywords
node
nodes
generated
random number
ciphertext
Prior art date
Legal status
Active
Application number
CN202210120949.XA
Other languages
Chinese (zh)
Other versions
CN114553505A (en
Inventor
杨飞鸿
马环宇
雷浩
Current Assignee
Ant Blockchain Technology Shanghai Co Ltd
Original Assignee
Ant Blockchain Technology Shanghai Co Ltd
Priority date
Filing date
Publication date
Application filed by Ant Blockchain Technology Shanghai Co Ltd
Priority to CN202210120949.XA
Publication of CN114553505A
Application granted
Publication of CN114553505B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08 Randomization, e.g. dummy operations or using noise
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/46 Secure multiparty computation, e.g. millionaire problem


Abstract

In an embodiment of the present disclosure, a method for generating random numbers cooperatively by multiple parties is provided. The method is performed by any first node of N nodes and includes, within a single random number generation round: generating N fragments corresponding to the N nodes from the privacy value held by the first node; acquiring t aggregation results generated by t of the N nodes, where t is greater than a preset threshold, and where the aggregation result of any second node among the t nodes is generated from a plurality of fragments corresponding to the second node, those fragments having been generated by a plurality of the N nodes from the privacy values they each hold; and generating the random number from the t aggregation results.

Description

Method, device, storage medium and computing equipment for generating random numbers cooperatively by multiple parties
Technical Field
One or more embodiments of the present disclosure relate to the field of computers, and in particular to a method and apparatus for multi-party cooperative generation of random numbers.
Background
For a distributed system comprising a plurality of nodes, it may be desirable to generate the same random number at every node based on the privacy value held by each of the nodes. For example, when generating a new block, a blockchain system may wish to use random numbers when executing the transactions belonging to that block; to ensure fairness of the random numbers, it may be necessary to generate them from the privacy values held by each of a plurality of blockchain nodes of the system.
A new scheme is desirable by which multiple nodes can cooperate to generate random numbers more efficiently.
Disclosure of Invention
One or more embodiments of the present specification provide a method and apparatus for generating random numbers in cooperation with multiple parties.
In a first aspect, there is provided a method of multi-party cooperative generation of random numbers, the multiple parties comprising N nodes, the method being performed by any first node of the N nodes and comprising, in a single random number generation round: generating N fragments corresponding to the N nodes from the privacy value held by the first node; acquiring t aggregation results generated by t of the N nodes, t being greater than a preset threshold, wherein the aggregation result of any second node among the t nodes is generated from a plurality of fragments corresponding to the second node, those fragments having been generated by a plurality of the N nodes from the privacy values they hold; and generating the random number from the t aggregation results.
In one possible embodiment, the method further comprises: encrypting the N fragments corresponding to the N nodes with the public keys corresponding to the respective N nodes, to generate N fragment ciphertexts corresponding to the N nodes; sending the corresponding fragment ciphertexts to the remaining N-1 nodes, and receiving from the N-1 nodes the N-1 fragment ciphertexts corresponding to the first node; the aggregation result of the second node is then generated from the private key corresponding to the second node and the plurality of fragment ciphertexts corresponding to the second node.
In one possible implementation, receiving the N-1 fragment ciphertexts corresponding to the first node from the N-1 nodes includes: receiving N-1 broadcast messages from the N-1 nodes, where a single broadcast message comprises the N fragment ciphertexts, corresponding to the N nodes, generated by the node that sent it.
In one possible embodiment, the method further comprises: receiving N-1 first proofs from the N-1 nodes; for any third node among the N-1 nodes, verifying, according to the first proof from the third node, whether the N fragment ciphertexts contained in the broadcast message from the third node can be used to recover the privacy value held by the third node; and if so, taking the fragment ciphertext corresponding to the first node contained in the broadcast message from the third node as a fragment ciphertext the first node uses to generate its first aggregation result.
In one possible implementation, sending the corresponding fragment ciphertexts to the other N-1 nodes includes: sending a broadcast message to the N-1 nodes, where the broadcast message comprises the N fragment ciphertexts corresponding to the N nodes.
In one possible embodiment, the method further comprises: sending a first proof to the N-1 nodes, where the first proof is used to verify that the N fragment ciphertexts contained in the broadcast message can be used to recover the privacy value held by the first node.
In one possible implementation, acquiring the t aggregation results generated by t of the N nodes, t being greater than the preset threshold, includes: generating a first aggregation result of the first node; receiving second aggregation results generated respectively by at least two of the N-1 nodes; and selecting t aggregation results from the first aggregation result and the second aggregation results.
In one possible implementation manner, the generating the first aggregation result of the first node includes: and aggregating the plurality of fragment ciphertexts corresponding to the first node to generate an aggregate ciphertext, and decrypting the generated aggregate ciphertext according to the private key corresponding to the first node to generate a first aggregation result of the first node.
In one possible implementation manner, the generating the first aggregation result of the first node includes: decrypting the plurality of fragments of ciphertext corresponding to the first node according to the private key corresponding to the first node to generate a plurality of fragments corresponding to the first node, and aggregating the plurality of fragments corresponding to the first node to generate a first aggregation result of the first node.
In one possible embodiment, the method further comprises: sending the first aggregation result to the N-1 nodes; and sending a second proof to the N-1 nodes, where the second proof is used to verify that the first aggregation result was generated from the private key corresponding to the first node and the plurality of fragment ciphertexts corresponding to the first node.
In one possible embodiment, the method further comprises: receiving from the at least two nodes the second proofs they each generated; for any third node among the at least two nodes, verifying, according to the second proof from the third node, whether the second aggregation result from the third node was generated from the private key corresponding to the third node and the plurality of fragment ciphertexts corresponding to the third node; and if so, taking the second aggregation result from the third node as one of the target aggregation results allowed to be used for generating the random number.
In one possible implementation, selecting t aggregation results from the first aggregation result and the second aggregation results includes: selecting t aggregation results from the first aggregation result and the target aggregation results.
In one possible implementation, generating the N fragments corresponding to the N nodes from the privacy value held by the first node specifically includes: generating the N fragments corresponding to the N nodes from the privacy value held by the first node and the respective numbers of the N nodes; and generating the random number from the t aggregation results specifically includes: interpolating the t aggregation results according to the numbers of the t nodes, and generating the random number from the interpolation result.
In one possible implementation, the N nodes are N blockchain nodes of a blockchain system, the preset threshold is determined based on a number of malicious nodes allowed by the blockchain system, a single random number generation round corresponds to a block in the blockchain system, and the generated random number is used for transactions in the block.
In one possible implementation, the first node performs different phases of a plurality of random number generation rounds in parallel, so that the plurality of rounds produce a corresponding plurality of random numbers at the block production times of a corresponding plurality of blocks.
In a second aspect, there is provided an apparatus for cooperative generation of a public random number by a plurality of parties, the parties including N nodes, the apparatus being disposed at any first node of the N nodes, the apparatus comprising: the fragmentation processing unit is configured to generate N fragments corresponding to the N nodes according to the privacy value held by the first node in a single random number generation round; a data acquisition unit configured to acquire t aggregation results generated by t nodes greater than a preset threshold value in the N nodes, wherein the aggregation result of any second node in the t nodes is generated based on a plurality of fragments corresponding to the second node, and the plurality of fragments corresponding to the second node are generated by a plurality of nodes in the N nodes based on privacy values held by the nodes; and the random number generation unit is configured to generate random numbers according to the t aggregation results.
In a third aspect, there is provided a computer readable storage medium having stored thereon a computer program/instruction which, when executed in a computing device, performs the method of any of the first aspects.
In a fourth aspect, there is provided a computing device comprising a processor and a memory having stored therein a computer program/instruction which, when executed by the processor, implements the method of any of the first aspects.
According to the method and apparatus provided by one or more embodiments of the present disclosure, while the N nodes cooperatively generate the random number it is never necessary to spend a long time recovering the privacy value held by any single node, so the cooperative generation of the public random number by the N nodes can be completed more quickly and efficiently.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present description, the drawings that are needed in the description of the embodiments will be briefly introduced below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a system frame diagram of the technical solution provided in the embodiments of the present specification;
FIG. 2 is a flow chart of a method for multi-party collaborative generation of random numbers provided in an embodiment of the present description;
FIG. 3 is a flow chart of another method for multi-party collaborative generation of random numbers provided in an embodiment of the present description;
FIG. 4 is a schematic diagram of an arbitrary first node in N nodes acquiring t aggregation results;
FIG. 5 is a schematic diagram of a first node of N nodes executing multiple rounds of random number generation in parallel;
fig. 6 is a schematic diagram of an apparatus for generating random numbers in cooperation with multiple parties according to an embodiment of the present disclosure.
Detailed Description
Various non-limiting embodiments provided by the present specification are described in detail below with reference to the attached drawings.
Fig. 1 is a system framework diagram of a technical solution provided in an embodiment of the present disclosure. As shown in fig. 1, for a distributed system including N nodes, such as nodes 1 to N, in order to ensure fairness of the random numbers generated cooperatively by multiple parties, it is generally required that nodes 1 to N commit in advance to their respective privacy values, and then, in a subsequent process and according to the actual requirements of the distributed system, communicate for several rounds on the basis of the privacy values the N nodes committed to, so as to complete the cooperative generation of a public random number for use by the distributed system or other computer programs.
In one embodiment, the process in which N nodes cooperatively generate a random number may be divided into a commitment (commit) phase, a reveal phase and a recovery phase. In the commitment phase, each of the N nodes sends the corresponding fragments and the corresponding commitment, derived from the privacy value it holds, to the other N-1 nodes. In the reveal phase, each of the N nodes reveals its own privacy value, and the other N-1 nodes verify the validity of the revealed privacy value against the commitment sent by that node, so that the public random number can be generated from the N valid privacy values revealed by the N nodes. When some malicious node among the N nodes does not reveal its privacy value, or reveals an invalid one, a recovery phase must be executed in which the other nodes recover the privacy value held by the malicious node from the fragments it sent, so that the public random number can still be generated from the privacy values held by all N nodes.
In the foregoing embodiment, if there are several malicious nodes among the N nodes, the other nodes must recover the privacy value held by each malicious node from the fragments that node sent during the recovery phase. Recovering the privacy value of each malicious node in turn consumes a long time, so the random number cannot be generated quickly.
In view of the above problems, the embodiments of the present disclosure provide a method and apparatus for generating a random number by cooperation of multiple parties, where in the process of generating a random number by cooperation of N nodes, it is unnecessary to consume too long time to recover a privacy value held by a single node, and the cooperation of N nodes to generate a public random number can be completed more quickly and efficiently.
Fig. 2 is a flow chart of a method for generating random numbers in cooperation with multiple parties provided in an embodiment of the present specification. Wherein in a single random number generation round, any first node of the N nodes may perform the method such that the N nodes may generate the same random number. The N nodes may typically belong to the same distributed system, e.g., the N nodes may be N blockchain nodes belonging to the same blockchain system. When the N nodes are N blockchain nodes belonging to the same blockchain system, a single random number generation round corresponds to a single block in the blockchain, and random numbers generated by the N blockchain nodes in the single random number generation round may be used for the corresponding block, for example, for transactions in the corresponding block.
Furthermore, before executing the method for multi-party cooperative generation of random numbers provided in the embodiments of the present disclosure, the N nodes may first be initialized. For example, the N nodes initialize a prime-order elliptic curve group and generate two elements g and h of that group whose discrete logarithm relationship is unknown. The public key and private key corresponding to each node may also be initialized: for example, the N nodes are first numbered in order, where the number of any i-th node among the N nodes may be denoted i, so that the node numbered i is hereinafter also referred to as node i, and likewise the node numbered j as the j-th node or node j; then the corresponding private key sk_i or sk_j is initialized for node i or node j, and the public key pk_i or pk_j corresponding to node i or node j is generated from the generator h and that node's private key.
For a single random number generation pass, as shown in fig. 2, the method may include at least the following steps 21-25.
First, in step 201, the first node generates N fragments corresponding to the N nodes from the privacy value held by the first node.
In the following, for convenience, clarity and accuracy, the technical solution is described using node i to represent the first node, s_i to denote the privacy value held by node i, and s_ij to denote the fragment generated by node i for any node j among the N nodes.
Illustratively, any node i of the N nodes may obtain a random number and use it as the privacy value s_i held by node i, then randomly select t-1 random numbers c_1, ..., c_{t-1} to construct a polynomial whose constant coefficient c_0 is equal to the privacy value s_i held by node i. Node i then fragments the privacy value s_i on the basis of the polynomial and the numbers of the N nodes, generating N fragments corresponding to the N nodes: for example, the number j of any j-th node among the N nodes is substituted for the variable x of the polynomial to compute p(j), and the value p(j) is the fragment s_ij corresponding to node j. It should be specifically noted that the value of t may be determined from a preset threshold; for example, when the N nodes are N blockchain nodes belonging to the same blockchain system, the preset threshold may be the number of malicious nodes allowed in the blockchain system, and t may be any integer greater than the preset threshold and not greater than N.
In one possible implementation, as shown in fig. 3, the method may further include step 31, in which the first node encrypts the N fragments corresponding to the N nodes with the public keys corresponding to the N nodes, generating N fragment ciphertexts corresponding to the N nodes. For example, for the fragment s_ij corresponding to node j, node i may encrypt s_ij with the public key pk_j of node j to obtain the fragment ciphertext corresponding to node j, where pk_j is the public key generated for node j from the generator h and its private key sk_j at initialization.
On the basis of the foregoing step 31, the first node may further send the respective corresponding fragment ciphertexts to the remaining N-1 nodes, and receive the N-1 fragment ciphertexts corresponding to the first node from the remaining N-1 nodes. So that each node can verify the validity of the fragment ciphertexts it receives, the method may further comprise, on the basis of step 31: step 331, in which the first node sends a broadcast message to the remaining N-1 nodes, the broadcast message including the N fragment ciphertexts generated by the first node and corresponding to the N nodes; and step 333, in which the first node receives N-1 broadcast messages from the remaining N-1 nodes, a single broadcast message including the N fragment ciphertexts generated by its sending node and corresponding to the N nodes.
With continued reference to fig. 3, the method may further include all or part of the following steps 351-357, based on the steps 331 and 333 described above.
In step 351, the first node sends a first proof to the remaining N-1 nodes, where the first proof is used to verify that the N fragment ciphertexts included in the broadcast message sent by the first node can be used to recover the privacy value held by the first node.
For example, any node i of the N nodes may first generate a polynomial commitment consisting of N elements, where the value of any j-th element v_j may be generated from the generator g and the fragment s_ij. Node i may then generate a first proof, proof_1, based on the polynomial commitment. For example, node i may select a random number w and, based on w, the generator g and the public key pk_j of node j, generate two random numbers corresponding to node j, the first of which is a_1j = g^w; then, based on the N elements of the polynomial commitment, the two random numbers corresponding to each of the N nodes and the N fragment ciphertexts corresponding to the N nodes, node i computes its digest value c; and based on the random number w, the digest value c of node i and the fragment s_ij corresponding to node j, node i generates the commitment value r_j = w - s_ij * c corresponding to node j. The polynomial commitment, the digest value and a vector whose j-th element is the commitment value r_j corresponding to node j together form proof_1.
Step 353: the first node receives N-1 first proofs from the remaining N-1 nodes.
The proof_1 issued by any node i among the N nodes may be included in the broadcast message that node i sends to the remaining N-1 nodes; that is, node i can deliver both its generated proof_1 and the N fragment ciphertexts corresponding to the N nodes to the remaining N-1 nodes in a single broadcast message. Similarly, a single broadcast message received by node i may include the proof_1 generated by the node that sent that broadcast message together with the N fragment ciphertexts corresponding to the N nodes.
Step 355: for any third node among the N-1 nodes, the first node verifies, according to the first proof from the third node, whether the N fragment ciphertexts included in the broadcast message from the third node can be used to recover the privacy value held by the third node. After node i receives proof_1 from any node j, it may first verify the validity of the polynomial; for example, by randomly selecting N-t-1 polynomials to generate a dual code, where the indices i and j in the formula for computing the dual code lie in the interval [0, t]. If the N elements contained in the polynomial commitment in proof_1 from node j can generate a unique polynomial, the polynomial validity verification passes, and node i continues with the discrete logarithm validity verification for node j; otherwise the polynomial validity verification fails, the discrete logarithm validity verification for node j is not performed, and in that case node i will not use the fragment ciphertext from node j to generate the random number in the subsequent process. If node j passes the polynomial validity verification and also passes the discrete logarithm validity verification performed on the basis of proof_1 from node j, then the N fragment ciphertexts contained in the broadcast message from node j can be used to recover the privacy value held by node j; that is, the fragment ciphertexts from node j pass the validity verification.
In step 357, if the N fragment ciphertexts included in the broadcast message from the third node can be used to recover the privacy value held by the third node, the fragment ciphertext corresponding to the first node included in that broadcast message is taken as one of the target fragment ciphertexts used to generate the first aggregation result.
Returning to fig. 2, in step 23, the first node obtains t aggregation results generated by t nodes of the N nodes.
In one possible embodiment, as shown in FIG. 4, step 23 may include the following steps 231-235.
In step 231, the first node generates a first aggregation result.
More specifically, referring to fig. 3, step 231 may include step 2311, based on the foregoing steps 355 and 357, of generating, by the first node, the first aggregation result of the first node according to each target piece of ciphertext and the piece of ciphertext corresponding to the first node generated by the first node. For example, node i may aggregate several piece ciphertexts corresponding to node i to generate an aggregate ciphertextFor example, the aggregate ciphertext ++of the node i is calculated by multiplying a plurality of block ciphertexts corresponding to the node i>And according to the private key sk corresponding to the node i i Aggregate ciphertext generated for it>Decryption to generate an aggregate result T for node i i The method comprises the steps of carrying out a first treatment on the surface of the Alternatively, the node i may be based on the private key sk corresponding to the node i i Decrypting the plurality of fragment ciphertexts corresponding to the node i to generate a plurality of fragments corresponding to the node i, and aggregating the plurality of fragments corresponding to the node i to generate an aggregation result T of the node i i For example, the node i is calculated by multiplying a plurality of fragments corresponding to the node iPolymerization results T i . Wherein the plurality of piece-wise ciphertexts corresponding to node i include the piece-wise ciphertext corresponding to node i generated by node i, and the respective target piece-wise ciphertexts obtained by node i through step 357 or other similar methods as described above.
For example, if the fragment ciphertexts that node i received from the remaining N-1 nodes all pass verification, then its aggregation result T_i is computed over all N fragments corresponding to node i. As will be appreciated, when a fragment ciphertext from a malicious node fails verification, the fragment corresponding to node i that the malicious node generated does not take part in the calculation of T_i.
In step 233, the first node receives at least two second aggregation results from at least two of the remaining N-1 nodes.
In step 235, the first node selects t aggregation results from the first aggregation result and the at least two second aggregation results.
In one possible embodiment, the method may further include the following steps 232 to 2345.
Step 232, the first node sends the first aggregate result and the second proof to the remaining N-1 nodes.
Specifically, any node i among the N nodes may select a random number w and generate from w two random values corresponding to node i, the first being a_{1i} = g^w and the second likewise derived from w; it then computes the digest value c_i of node i from its public key pk_i, its aggregate ciphertext and the two random values, and generates the commitment value r_i = w - sk_i * c_i from that digest value. The digest value and the commitment value of node i together form the second proof, proof_2, of node i.
In step 2341, the first node receives the second proofs generated by each of the at least two nodes.
It should be noted that the second proof and the first aggregation result that the first node sends to the remaining N-1 nodes may be carried in the same broadcast message. Likewise, node i may receive from one of the remaining N-1 nodes a single broadcast message containing both the second aggregation result and the second proof generated by that node.
Step 2343: for any third node among the at least two nodes, the first node verifies, based on the second proof from the third node, whether the second aggregation result from the third node was generated from the private key corresponding to the third node and the several fragment ciphertexts corresponding to the third node. Specifically, for the second proof proof_2 from any node j, node i may use the digest value c_j and the commitment value r_j contained in proof_2 to check the proof's verification relation against node j's public key and aggregate ciphertext (for instance, when pk_j = g^{sk_j}, the value g^{r_j} * pk_j^{c_j} equals the first random value a_{1j} = g^w exactly when r_j = w - sk_j * c_j was formed with the private key behind pk_j); if the relation holds, the aggregation result from node j was generated from the private key corresponding to node j and the several fragment ciphertexts corresponding to node j, and that aggregation result passes validity verification.
Step 2345, if the second aggregation result from the third node is validated, the second aggregation result from the third node is taken as one of the target aggregation results allowed for generating the random number.
On the basis of the foregoing steps 232 to 2345, step 235 may specifically include step 2351, in which the first node selects t aggregation results from the first aggregation result and the target aggregation results.
Finally, in step 25, the first node generates the random number from the t aggregation results. Specifically, any node i may interpolate the t aggregation results it selected according to the numbers of the t nodes that produced them, for example by Lagrange interpolation, and then generate the random number from the interpolation result.
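The sharing, aggregation, second-proof and interpolation steps above (steps 2311, 232, 2343 to 2345 and 25), played out end to end in Python as an added example. This is not the patent's own code; it fixes one concrete instantiation that the text leaves open: Shamir fragments carried in the exponent (g^{f_j(i)}), ElGamal encryption of each fragment to its recipient so that fragment ciphertexts can be multiplied before decryption, Feldman commitments in place of the first proof (checked here only by each recipient on its own decrypted fragment, a weaker check than the one described at step 357), a Chaum-Pedersen proof of correct decryption as the second proof (a_{1i} = g^w, a digest c_i over the public values, r_i = w - sk_i * c_i), and Lagrange interpolation of t aggregation results in the exponent. The group parameters, the function names and the sample privacy values are toy choices made for illustration and are not secure.

```python
import hashlib
import secrets

# Toy prime-order group (assumption; far too small for real use).
Q = 1019            # prime order of the subgroup
P = 2 * Q + 1       # safe prime 2039
G = 4               # generator of the order-Q subgroup of Z_P^*

def digest(*parts):
    """Digest value c in Z_Q, a hash over the public transcript values."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)          # pk = g^sk

def enc(pk, m):
    """ElGamal encryption of a subgroup element m; ciphertexts multiply homomorphically."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), pow(pk, k, P) * m % P

def dec(sk, ct):
    return ct[1] * pow(pow(ct[0], sk, P), -1, P) % P

def deal(privacy_value, n, t):
    """Node j: degree-(t-1) polynomial f with f(0) = privacy value. The fragment
    for node i is f(i); Feldman commitments g^{coeff} stand in for the first proof."""
    coeffs = [privacy_value % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    frags = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
             for i in range(1, n + 1)}
    return frags, [pow(G, c, P) for c in coeffs]

def feldman_ok(i, frag_in_exp, commits):
    """Node i checks its decrypted fragment g^{f(i)} against the dealer's commitments."""
    expect = 1
    for k, c in enumerate(commits):
        expect = expect * pow(c, pow(i, k, Q), P) % P
    return frag_in_exp == expect

def aggregate(cts):
    """Multiply fragment ciphertexts: the product encrypts g^{sum_j f_j(i)}."""
    c1, c2 = 1, 1
    for a, b in cts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2

def prove_decryption(sk, pk, c1, c2):
    """Second proof (Chaum-Pedersen): D = c1^sk is the decryption share of (c1, c2)
    under pk.  a1 = g^w, a2 = c1^w, c = H(pk, c1, c2, a1, a2), r = w - sk*c mod Q."""
    d = pow(c1, sk, P)
    w = secrets.randbelow(Q - 1) + 1
    c = digest(pk, c1, c2, pow(G, w, P), pow(c1, w, P))
    return d, c, (w - sk * c) % Q

def verify_decryption(pk, c1, c2, proof):
    """Recompute a1, a2 from (c, r); return T = c2 / D if the digest matches, else None."""
    d, c, r = proof
    a1 = pow(G, r, P) * pow(pk, c, P) % P
    a2 = pow(c1, r, P) * pow(d, c, P) % P
    if digest(pk, c1, c2, a1, a2) != c:
        return None
    return c2 * pow(d, -1, P) % P

def interpolate_exp(results):
    """Lagrange interpolation at x = 0 over the node numbers, in the exponent:
    prod_i T_i^{lambda_i} = g^{F(0)} where F = sum_j f_j."""
    out = 1
    for i, t_i in results.items():
        lam = 1
        for m in results:
            if m != i:
                lam = lam * m * pow((m - i) % Q, -1, Q) % Q
        out = out * pow(t_i, lam, P) % P
    return out

def run_round(privacy_values, t):
    """One round for n = len(privacy_values) honest nodes; returns the random number."""
    n = len(privacy_values)
    keys = {i: keygen() for i in range(1, n + 1)}
    # Steps 21/31: node j shares its privacy value and broadcasts N fragment ciphertexts.
    board = {}
    for j in range(1, n + 1):
        frags, commits = deal(privacy_values[j - 1], n, t)
        board[j] = (commits, {i: enc(keys[i][1], pow(G, frags[i], P)) for i in frags})
    # Steps 357/2311/232: node i keeps verified fragments, aggregates, decrypts, proves.
    published = {}
    for i in range(1, n + 1):
        sk, pk = keys[i]
        ok = [j for j in board if feldman_ok(i, dec(sk, board[j][1][i]), board[j][0])]
        c1, c2 = aggregate(board[j][1][i] for j in ok)
        published[i] = (ok, prove_decryption(sk, pk, c1, c2))
    # Steps 2343/2345/25: a verifier rebuilds each aggregate ciphertext from the public
    # board, checks the second proof, and interpolates t target aggregation results.
    target = {}
    for i, (ok, proof) in published.items():
        c1, c2 = aggregate(board[j][1][i] for j in ok)
        t_i = verify_decryption(keys[i][1], c1, c2, proof)
        if t_i is not None:
            target[i] = t_i
    return interpolate_exp(dict(list(target.items())[:t]))
```

An honest run of `run_round([7, 123, 999, 45, 512], 3)` returns g^{(7+123+999+45+512) mod Q}: the interpolation recovers the sum of all privacy values without any node learning another node's value. Two points the toy makes visible: every node has to exclude the same dealers from its aggregate (here the `ok` list is published next to the proof so that a verifier rebuilds exactly the same aggregate ciphertext), and the second proof lets any party confirm T_i without knowing sk_i, which is what allows a node's result to be dropped rather than trusted when its proof fails.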
When the N nodes are N blockchain nodes of the same blockchain system, any first node among the N nodes may execute different phases of several random number generation rounds (as shown in fig. 3) in parallel, so that those rounds produce a corresponding sequence of random numbers at the block-producing times of the corresponding blocks. More specifically, a single random number generation round may be divided into several execution phases, each with a defined number of block times it is allowed to consume, so that by running different phases of several rounds in parallel the first node produces one random number per block time for the corresponding block, for use by the transactions in that block.
Referring to fig. 5, a single random number generation round may be divided into, for example: a secret value fragment encryption phase corresponding to the aforementioned steps 21 and 31, defined to consume 2 block times; a first communication phase corresponding to the aforementioned steps 331, 333, 351 and 355, defined to consume 1 block time; an aggregation and decryption phase corresponding to the aforementioned steps 355, 357 and 2311, defined to consume 5 block times; and a second communication and random number recovery phase corresponding to step 232 and all subsequent steps, defined to consume 1 block time. As can be seen from the example of fig. 5, a single round then consumes 9 block times, and any first node among the N nodes can run different phases of 9 rounds in parallel, so that after producing, for example, random number 1 for one block, the first node produces random number 2 and random number 3 for the next two blocks in the corresponding next two block times.
It should be noted that fig. 5 is only used to assist in describing the technical solution in the embodiment of the present disclosure, and it is also possible to divide the execution phases included in a single random number generation round in other ways and define the block time consumed by each execution phase in other ways in a practical scenario, which is not limited in any way in the embodiment of the present disclosure.
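The phase schedule of fig. 5 as a small Python model, added here and not taken from the patent. It assumes that a new round starts at every block, that a round started at block k therefore occupies blocks k to k+8 and delivers its random number for block k+8, and it uses phase names and the 2/1/5/1 block-time budget of the example above (the names are this example's own). Besides reproducing the observation that nine rounds are in flight at once, it reports how many rounds sit in each phase at the same time, which is the per-block workload a node has to budget for each phase.

```python
# Phase lengths in block times, following the fig. 5 example (assumed names).
PHASES = (
    ("fragment_encrypt", 2),        # steps 21 / 31
    ("communicate_fragments", 1),   # steps 331, 333, 351, 355
    ("aggregate_decrypt", 5),       # steps 355, 357, 2311
    ("communicate_recover", 1),     # step 232 onward
)

def round_length(phases=PHASES):
    """Block times a single round consumes (9 for the fig. 5 budget)."""
    return sum(n for _, n in phases)

def phase_at(offset, phases=PHASES):
    """Phase a round is in `offset` blocks after it started; None once finished."""
    for name, n in phases:
        if offset < n:
            return name
        offset -= n
    return None

def pipeline_at(height, phases=PHASES):
    """Rounds in flight at block `height` as {round: phase}, plus the round whose
    random number is delivered for this block (None while the pipeline fills).
    Assumption: round k starts at block k, one new round per block."""
    length = round_length(phases)
    first = max(0, height - length + 1)
    active = {k: phase_at(height - k, phases) for k in range(first, height + 1)}
    delivered = height - length + 1 if height >= length - 1 else None
    return active, delivered

def per_phase_load(height, phases=PHASES):
    """Rounds sitting in each phase at once: the per-block work a node must
    budget for that phase (equals the phase length once the pipeline is full)."""
    active, _ = pipeline_at(height, phases)
    load = {name: 0 for name, _ in phases}
    for phase in active.values():
        load[phase] += 1
    return load
```

Once the pipeline is full (block 8 onward under these assumptions) each block delivers exactly one random number, nine rounds are active, and five of them are always in the aggregation and decryption phase, so that phase dominates the steady-state cost per block.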
It should be noted in particular that verifiable secret sharing (VSS) offers a number of ways to generate a proof and to verify the validity of the related data against that proof. That is, generating the first proof and verifying the fragment ciphertexts against it, and generating the second proof and verifying the aggregation results against it, may also be implemented in ways other than the examples described above.
Based on the same conception as the foregoing method embodiments, the embodiments of the present specification also provide an apparatus for generating a public random number cooperatively by multiple parties, where the multiple parties comprise N nodes and the apparatus is disposed at any first node among the N nodes. As shown in fig. 6, the apparatus includes: a fragmentation processing unit 61, configured to generate, in a single random number generation round, N fragments corresponding to the N nodes from the privacy value held by the first node; a data obtaining unit 63, configured to obtain t aggregation results generated by t nodes among the N nodes, t being greater than a preset threshold, where the aggregation result of any second node among the t nodes is generated from several fragments corresponding to the second node, and those fragments are generated by several nodes among the N nodes from the privacy values each of them holds; and a random number generation unit 65, configured to generate the random number from the t aggregation results.
Those of skill in the art will appreciate that in one or more of the examples described above, the functions described herein may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the computer programs corresponding to these functions may be stored in a computer readable medium or transmitted as one or more instructions/codes on a computer readable medium, so that the computer programs corresponding to these functions are executed by a computer, by which the methods described in any of the embodiments of the present specification are implemented.
There is also provided in embodiments of the present specification a computer readable storage medium having stored thereon a computer program which, when executed in a computing device, performs the method performed by the first node in any of the embodiments of the present specification.
The embodiment of the present specification also provides a computing device, including a memory and a processor, where the memory stores executable code, and the processor executes the executable code to implement a method performed by the first node in any one of the embodiments of the present specification.
In this specification, each embodiment is described in a progressive manner, and the same and similar parts in each embodiment are referred to each other, and each embodiment is mainly described in a different point from other embodiments. In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.

Claims (16)

1. A method for generating a random number cooperatively by multiple parties, the multiple parties comprising N nodes, the method being performed by any first node among the N nodes and comprising, in a single random number generation round:
generating N fragments corresponding to the N nodes according to the privacy value held by the first node and the respective numbers of the N nodes;
acquiring t aggregation results generated by t nodes greater than a preset threshold value in the N nodes, wherein the aggregation result of any second node in the t nodes is generated based on a plurality of fragments corresponding to the second node, and the plurality of fragments corresponding to the second node are generated by a plurality of nodes in the N nodes based on privacy values held by the nodes;
and carrying out interpolation processing on the t aggregation results according to the numbers of the t nodes, and generating random numbers based on the interpolation processing results.
2. The method of claim 1, the method further comprising:
encrypting N fragments corresponding to the N nodes according to the public keys corresponding to the N nodes respectively to generate N fragment ciphertexts corresponding to the N nodes;
transmitting the corresponding piece-wise ciphertexts to the rest N-1 nodes, and receiving N-1 piece-wise ciphertexts corresponding to the first node from the N-1 nodes;
the aggregation result of the second node is specifically generated based on the private key corresponding to the second node and a plurality of fragment ciphertexts corresponding to the second node.
3. The method of claim 2, wherein the receiving N-1 piece of ciphertext from the N-1 nodes corresponding to the first node comprises: and receiving N-1 broadcast messages from the N-1 nodes, wherein the single broadcast message comprises N piece of ciphertext corresponding to the N nodes, which is generated by the corresponding nodes.
4. A method according to claim 3, the method further comprising:
receiving N-1 first proofs from the N-1 nodes;
for any third node among the N-1 nodes, verifying, according to the first proof from the third node, whether the N fragment ciphertexts contained in the broadcast message from the third node can be used to recover the privacy value held by the third node; and if so, taking the fragment ciphertext corresponding to the first node contained in the broadcast message from the third node as a fragment ciphertext for the first node to generate a first aggregation result.
5. The method of claim 2, wherein the sending the respective corresponding piece of ciphertext to the remaining N-1 nodes comprises: and sending a broadcast message to the N-1 nodes, wherein the broadcast message comprises N piece ciphertext corresponding to the N nodes.
6. The method of claim 5, the method further comprising: and sending a first proof to the N-1 nodes, wherein the first proof is used for verifying that N piece of ciphertext contained in the broadcast message can be used for recovering the privacy value held by the first node.
7. The method of claim 2, wherein the obtaining t aggregate results generated by t nodes of the N nodes that are greater than a preset threshold comprises:
generating a first aggregation result of the first node;
receiving second aggregation results generated respectively by at least two nodes among the N-1 nodes;
selecting t aggregation results from the first aggregation result and the second aggregation results.
8. The method of claim 7, wherein the generating the aggregate result for the first node comprises:
the method comprises the steps of aggregating a plurality of piece ciphertext corresponding to a first node to generate aggregate ciphertext, and decrypting the generated aggregate ciphertext according to a private key corresponding to the first node to generate a first aggregation result of the first node; or alternatively, the process may be performed,
decrypting the plurality of fragments of ciphertext corresponding to the first node according to the private key corresponding to the first node to generate a plurality of fragments corresponding to the first node, and aggregating the plurality of fragments corresponding to the first node to generate a first aggregation result of the first node.
9. The method of claim 8, the method further comprising:
transmitting the first aggregation result to the N-1 nodes; the method comprises the steps of,
and sending a second proof to the N-1 nodes, wherein the second proof is used for verifying that the first aggregation result is generated based on the private key corresponding to the first node and the plurality of fragment ciphertexts corresponding to the first node.
10. The method of claim 7, the method further comprising:
receiving, from the at least two nodes, the second proofs generated by each of them;
for any third node of the at least two nodes, verifying whether a second aggregation result from the third node is generated based on a private key corresponding to the third node and a plurality of fragment ciphertexts corresponding to the third node according to a second proof from the third node; and if so, taking the second aggregation result from the third node as one of target aggregation results allowed to be used for generating the random number.
11. The method according to claim 10, wherein selecting t aggregation results from the first aggregation result and the second aggregation results specifically comprises: selecting t aggregation results from the first aggregation result and the target aggregation results.
12. The method of any of claims 1-11, wherein the N nodes are N blockchain nodes of a blockchain system, the preset threshold is determined based on a number of malicious nodes allowed by the blockchain system, a single random number generation round corresponds to a block in the blockchain system, and the generated random number is used for transactions in the block.
13. The method of claim 12, wherein the first node performs different phases of a plurality of the random number generation rounds in parallel such that the plurality of random number generation rounds generate a corresponding plurality of random numbers at a corresponding plurality of block out times.
14. An apparatus for co-generating a public random number by a plurality of parties, the plurality of parties including N nodes, the apparatus being disposed at any first node of the N nodes, the apparatus comprising:
the fragmentation processing unit is configured to generate N fragments corresponding to the N nodes according to the privacy value held by the first node and the serial numbers of the N nodes in a single random number generation round;
a data acquisition unit configured to acquire t aggregation results generated by t nodes greater than a preset threshold value in the N nodes, wherein the aggregation result of any second node in the t nodes is generated based on a plurality of fragments corresponding to the second node, and the plurality of fragments corresponding to the second node are generated by a plurality of nodes in the N nodes based on privacy values held by the nodes;
and the random number generation unit is configured to perform interpolation processing on the t aggregation results according to the numbers of the t nodes, and generate random numbers based on the interpolation processing results.
15. A computer readable storage medium having stored thereon a computer program which, when executed in a computing device, performs the method of any of claims 1-13.
16. A computing device comprising a memory and a processor, the memory having stored therein a computer program which, when executed by the processor, implements the method of any of claims 1-13.
CN202210120949.XA 2022-02-09 2022-02-09 Method, device, storage medium and computing equipment for generating random numbers cooperatively by multiple parties Active CN114553505B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210120949.XA CN114553505B (en) 2022-02-09 2022-02-09 Method, device, storage medium and computing equipment for generating random numbers cooperatively by multiple parties


Publications (2)

Publication Number Publication Date
CN114553505A CN114553505A (en) 2022-05-27
CN114553505B true CN114553505B (en) 2023-08-04

Family

ID=81673746

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210120949.XA Active CN114553505B (en) 2022-02-09 2022-02-09 Method, device, storage medium and computing equipment for generating random numbers cooperatively by multiple parties

Country Status (1)

Country Link
CN (1) CN114553505B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110365479A (en) * 2019-07-11 2019-10-22 湖南天河国云科技有限公司 Random digit generation method and device based on block chain

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11818255B2 (en) * 2018-03-09 2023-11-14 Koninklijke Philips N.V. Batch-wise verification of multiparty computations
CN110213059B (en) * 2019-06-20 2021-07-06 腾讯科技(深圳)有限公司 Random number generation method, random number generation device and storage medium
CN114730420A (en) * 2019-08-01 2022-07-08 科恩巴斯公司 System and method for generating signatures
CN110515591B (en) * 2019-08-05 2023-04-11 湖南天河国云科技有限公司 Random number generation method and device based on block chain
CN111600707B (en) * 2020-05-15 2023-04-14 华南师范大学 Decentralized federal machine learning method under privacy protection
CN113988831A (en) * 2021-10-08 2022-01-28 深圳前海微众银行股份有限公司 Transfer method based on alliance chain


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant