CN116915414A - Method for realizing threshold signature, computer equipment and storage medium - Google Patents

Info

Publication number
CN116915414A
Authority
CN
China
Legal status
Pending
Application number
CN202311120249.1A
Other languages
Chinese (zh)
Inventor
唐国锋
林立
王尧
闫莺
Assignee
Ant Blockchain Technology Shanghai Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 ... involving digital signatures
    • H04L9/3255 ... using group based signatures, e.g. ring or threshold signatures
    • H04L9/008 ... involving homomorphic encryption
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 ... involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A method of implementing a distributed threshold signature comprises: a distributed key generation stage, in which each of the n participants generates its own private key share through a distributed key generation protocol, generates its own homomorphic encryption public-private key pair, and sends its homomorphic encryption public key to the other participants; an offline stage, in which at least t+1 participants each generate a first random value and a second random value, and each of them also uses the homomorphic encryption algorithm of the homomorphic encryption public-private key pair to obtain a coordinate component through the offline stage protocol and the second random value, and obtains a private key share component masking value based on its own private key share; and an online stage, in which the at least t+1 participants sign the same message using their first random values, private key share component masking values and coordinate components to obtain at least t+1 signature shares.

Description

Method for realizing threshold signature, computer equipment and storage medium
Technical Field
The embodiments of this specification belong to the technical field of cryptography, and in particular relate to a method for realizing threshold signature, a computer device and a storage medium.
Background
In cryptography, public-key cryptography is cryptography that uses a pair of public and private keys (a public-private key pair is denoted pk-sk, where pk is the public key and sk the secret key), as opposed to cryptography that uses only a single private key. Public-key cryptography includes encryption algorithms and digital signature algorithms. Public-private key pairs are the basis of modern cryptographic security, and many applications are built on pk-sk, such as application-layer encrypted transport protocols based on https (Hypertext Transfer Protocol Secure), blockchain, etc.
The private key generally represents the identity of the party that owns it; it can only be held by its owner and must not be disclosed, while the corresponding public key can be disclosed. Signing with the private key can express the private key owner's approval of certain information in the digital world, and the signed information can also represent certain behaviour of the private key owner under the agreed protocol. In general an owner holds a private key alone; the owner can then sign a piece of information with its private key and send the signed information to other parties. After receiving the signature, the receiver can verify it with the corresponding public key, and can thus confirm that the owner signed the information and that the signed information has not been tampered with.
Sometimes an account requires a flexible access control policy, especially where one account is jointly controlled by multiple parties on a blockchain. Under some requirements one account needs to be jointly controlled by n participants, so that an operation on the account, such as a transfer, requires the approval of all n parties. Under other requirements the account can be controlled without the agreement of all n participants, but with the agreement of t+1 of them (t < n, t is also referred to as the threshold), which can be achieved by a threshold signature. In threshold cryptography, private key information is shared among multiple independent participants and every private key operation requires the agreement of several participants, which improves the security of the algorithm; and when a small number of participants fail and become unavailable, the usability of the private key is not affected. A secure (t, n) threshold cryptographic algorithm should satisfy: (1) any more than t participants can compute the final signature, exchanged key or plaintext, while t or fewer participants cannot obtain any information about that result; (2) no information about the private key or the participants' private key shares is revealed during execution of the algorithm.
Disclosure of Invention
The invention aims to provide a method, computer equipment and storage medium for realizing threshold signature, which comprises the following steps:
a distributed threshold signature method, comprising:
a distributed key generation stage: each of the n participants generates a respective private key share through a distributed key generation protocol, generates a homomorphic encryption public-private key pair respectively, and sends the homomorphic encryption public key to other participants;
offline stage: at least t+1 participants each generate a first random value and a second random value, and each of them also uses the homomorphic encryption algorithm of the homomorphic encryption public-private key pair to obtain a coordinate component through the offline stage protocol and the second random value, and obtains a private key share component masking value based on its own private key share;
online stage: the at least t+1 participants sign the same message using their first random values, private key share component masking values and coordinate components to obtain at least t+1 signature shares.
A computer device, comprising:
a processor;
and a memory in which a program is stored, wherein when the processor executes the program, the following operations are performed:
Generating a private key share through a distributed key generation protocol, generating a homomorphic encryption public-private key pair, and transmitting the homomorphic encryption public key;
generating respective first random values and second random values, further adopting a homomorphic encryption algorithm of the homomorphic encryption public-private key pair, obtaining coordinate components through an offline stage protocol and the second random values, and obtaining private key share component masking values based on respective private key shares;
and signing the same message using the first random value, the private key share component masking value and the coordinate component to obtain at least t+1 signature shares.
A storage medium storing a program, wherein the program when executed performs the operations of:
generating a private key share through a distributed key generation protocol, generating a homomorphic encryption public-private key pair, and transmitting the homomorphic encryption public key;
generating respective first random values and second random values, further adopting a homomorphic encryption algorithm of the homomorphic encryption public-private key pair, obtaining coordinate components through an offline stage protocol and the second random values, and obtaining private key share component masking values based on respective private key shares;
and signing the same message using the first random value, the private key share component masking value and the coordinate component to obtain at least t+1 signature shares.
The scheme provided by the application can support any threshold value.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are needed in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of distributed threshold key generation in one embodiment;
figure 2 is a schematic diagram of a distributed threshold signature in one embodiment.
Detailed Description
In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
The DKG (Distributed Key Generation) protocol refers to a distributed protocol in which the parties participating in the protocol cooperatively generate a set of keys. The VSS (Verifiable Secret Sharing) protocol is an important theoretical basis of the DKG protocol.
VSS means that, when one piece of secret data is shared among several parties, the secret data can be split into several fragments without revealing the secret data itself, and the fragments are stored by the several parties. When the secret data needs to be recovered, all fragments must be collected to successfully recover the complete secret data.
The VSS protocol developed from the polynomial-based secret sharing protocol first proposed by Shamir in 1979, i.e. from Shamir's Secret Sharing (SSS), so Shamir secret sharing is introduced first.
Shamir secret sharing includes two phases, secret sharing (or secret distribution) and secret reconstruction, and first requires a Dealer to construct a polynomial:
$f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_n x^n$
where $a_0$ is the secret data to be shared.
The degree-n polynomial is uniquely determined by its set of coefficients $(a_0, a_1, a_2, \dots, a_n)$, which contains n+1 values. Thus, if the curve corresponding to the degree-n polynomial is known to pass through n+1 distinct points $(x_1, y_1), (x_2, y_2), \dots, (x_n, y_n), (x_{n+1}, y_{n+1})$ in the plane, a system of n+1 equations in n+1 unknowns is obtained, from which the n+1 coefficients $a_0, a_1, a_2, \dots, a_n$ can be determined; this determines the polynomial f(x) and finally the value of the secret data $a_0$. The coordinates $(x_1, y_1), (x_2, y_2), \dots, (x_n, y_n), (x_{n+1}, y_{n+1})$ are the n+1 secret fragments.
Solving for the curve that passes through a set of known points is called polynomial interpolation. There are various ways to implement polynomial interpolation; the common Lagrange interpolation method is described below. Given a degree-n polynomial whose curve is known to pass through the n+1 points $(x_1, y_1), (x_2, y_2), \dots, (x_n, y_n), (x_{n+1}, y_{n+1})$, the polynomial of the degree-n curve can be obtained by Lagrange interpolation as follows:
This Lagrange form is in fact equivalent to the coefficient form of f(x) above. Setting x = 0 in the polynomial gives $f(0) = a_0$, i.e. the value of the secret data $a_0$ is obtained. Therefore the secret data $a_0$ can also be obtained by setting x = 0 in the Lagrange form, i.e. $f(0) = a_0$.
For the n+1 points $(x_1, y_1), \dots, (x_n, y_n), (x_{n+1}, y_{n+1})$, the above polynomial f(x) can also be expressed as:
In summary, n+1 points on the polynomial can be taken and shared among n+1 participants, e.g. each participant obtains the coordinates of one point. Collecting the coordinates of fewer than n+1 points does not allow the original secret data $a_0$ to be inferred; only after all n+1 points have been obtained can the polynomial coefficients be reconstructed and the value of the secret data $a_0$ recovered. Moreover, even if the coordinates of fewer than n+1 points, e.g. of n points, are collected, there are infinitely many degree-n curves passing through those n points, so the value of the secret data $a_0$ is not leaked even probabilistically. The degree n of the polynomial is also referred to herein as its order.
Based on this, threshold Shamir secret sharing can be achieved. For example, t-of-n secret sharing shares a secret among n participants and specifies that the minimum number of secret fragments required for recovery is greater than the threshold t, i.e. greater than or equal to t+1. For example, in a transaction with 4 participants and an agreed threshold of 3, i.e. n = 4, t = 2, the secret can be recovered if at least t+1 = 3 parties provide their own secret fragments, and cannot be recovered otherwise. Specifically, a polynomial of degree t = 2 may be constructed:
$f(x) = a_0 + a_1 x + a_2 x^2$
Four distinct points on the plane curve corresponding to this degree-2 polynomial can be obtained, namely the coordinates $(x_1, y_1), (x_2, y_2), (x_3, y_3), (x_4, y_4)$, and in the secret distribution phase the coordinates of the 4 points are distributed to one participant each. Let the 4 participants be $\mathrm{Party}_1, \mathrm{Party}_2, \mathrm{Party}_3, \mathrm{Party}_4$, and assume $\mathrm{Party}_1$ holds the fragment $(x_1, y_1)$, $\mathrm{Party}_2$ holds $(x_2, y_2)$, $\mathrm{Party}_3$ holds $(x_3, y_3)$ and $\mathrm{Party}_4$ holds $(x_4, y_4)$. Since the polynomial f(x) can be determined from any 3 points on its curve, when any three of the $\mathrm{Party}_i$ (i ∈ {1, 2, 3, 4}) provide their own secret fragments, f(x) can be recovered in the secret reconstruction phase and the secret value $a_0$ obtained. When fewer than three parties provide their secret fragments, f(x) cannot be recovered and the secret value $a_0$ cannot be obtained. The t above is also referred to as the threshold.
Both Shamir secret sharing and threshold Shamir secret sharing above require a role that generates the polynomial and distributes the secret fragments, which may be referred to as the Dealer. The Dealer is an entity that knows the secret and needs to be a trusted third party for every party. An entity is also needed to collect at least t+1 fragments and derive the secret; this may be the Dealer, one of the parties, or another entity.
In engineering practice, polynomials are usually defined over a finite field or prime field rather than over the real or natural numbers.
The classical Shamir secret sharing scheme assumes that the participants are honest. In practice there may be dishonest, i.e. malicious, behaviour, e.g. cheating one or more parties by distributing wrong secret fragments to them.
In secret sharing, verifiable secret sharing (Verifiable Secret Sharing, VSS) was proposed in order to detect such misbehaviour, e.g. for a party to verify whether the Dealer has cheated it (whether the Dealer sent it a wrong secret fragment as described above). Feldman VSS is a practical VSS scheme built on the Shamir secret sharing framework and comprises the following:
The Dealer has a secret and distributes n fragments of the secret to n participants, where t participants can reconstruct the secret, and a degree-t polynomial can be constructed using the threshold Shamir secret sharing scheme described above:
$f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_t x^t$
For each participant $\mathrm{Party}_i$ the Dealer selects a non-zero $x_i$, computes $s_i = f(x_i)$, and sends the sub-secret $s_i$ to $\mathrm{Party}_i$ in encrypted form. Meanwhile the Dealer computes $A_j = g^{a_j}$ (g being the group generator introduced below) for j = 0, 1, 2, ..., t and publishes $A_j$, i.e. publishes $\{A_0, A_1, A_2, \dots, A_t\}$. $A_j$ is also referred to as a public verification parameter. Here $A_j$ is generated in the same way that a public key is generated from a private key on an elliptic curve, so $A_j$ may also be referred to as a public key fragment (or public key share).
When the chosen polynomial is over the corresponding elliptic curve, publishing $A_j$ is safe, because by the properties of the elliptic curve $a_j$ cannot be derived from $A_j$.
The public verification parameters $\{A_0, A_1, A_2, \dots, A_t\}$ are also known as a commitment. Since the commitment binds the coefficients of the polynomial, it can be used to verify whether a value of the polynomial is correct. In a discrete logarithm based implementation, g is the generator of a cyclic group over the finite field, and g may be pre-configured on the Dealer and each $\mathrm{Party}_i$. The sub-secrets above may also be referred to as secret shares.
After receiving the sub-secret $s_i$, the party can use the public verification parameters to check the validity of $s_i$, by verifying whether the following equation holds:
$g^{s_i} = \prod_{j=0}^{t} A_j^{\,x_i^j}$
The right side of this equation can be derived as follows:
$\prod_{j=0}^{t} A_j^{\,x_i^j} = \prod_{j=0}^{t} \left(g^{a_j}\right)^{x_i^j} = \prod_{j=0}^{t} g^{a_j x_i^j}$
The right side can also be written as:
$g^{\sum_{j=0}^{t} a_j x_i^j} = g^{f(x_i)}$
It can be seen that for $\mathrm{Party}_i$, for which the Dealer selected a non-zero $x_i$, e.g. $x_i = i$, $\mathrm{Party}_i$ can compute the right side of the equation from i and the public verification parameters $\{A_0, A_1, A_2, \dots, A_t\}$, compute the left side from the generator g and the sub-secret $s_i$, and determine whether the two sides are equal, i.e. whether $(x_i, s_i)$ is a point on the curve corresponding to $\{A_0, A_1, A_2, \dots, A_t\}$. This verification belongs to the secret distribution phase. For simplicity, $x_i = i$ can generally be taken.
In engineering, the scheme is generally implemented over discrete logarithms with modular arithmetic, e.g. mod p where p is a large prime, p also being pre-configured on the Dealer and each $\mathrm{Party}_i$. mod p is omitted in the following for brevity.
In the secret reconstruction phase, for example, at least t+1 participants each send their secret fragment to the Dealer, and the Dealer can verify each fragment using the public verification parameters corresponding to the polynomial. If verification fails, the party that sent the fragment can be shown to have misbehaved; fragments that pass verification serve as the basis for reconstructing the secret.
Then, in the secret reconstruction phase, after collecting the secret fragments of at least t+1 participants, the polynomial f(x) is reconstructed by Lagrange interpolation, giving the value f(0), which is the secret value.
Furthermore, the public verification parameters $\{A_0, A_1, A_2, \dots, A_t\}$ can also be applied to verify the secret $a_0$, i.e. to verify whether $(0, a_0)$ is a point on the curve, because the following relationship exists:
$g^{a_0} = g^{f(0)} = \prod_{j=0}^{t} A_j^{\,0^j} = A_0$
That is, verification of the validity of the secret $a_0$ reduces to a check against the single public verification parameter $A_0$.
In the above derivation, $0^0 = 1$ and $0^k = 0$ for $k \neq 0$.
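As an added worked example (not code from the patent), the following Python implements threshold Shamir secret sharing over a prime-order group with Feldman's public verification parameters, for the n = 4, t = 2 setting of the examples above: the Dealer's share generation, Lagrange reconstruction from any t+1 fragments, the per-share check $g^{s_i} = \prod_j A_j^{x_i^j}$, rejection of a fragment altered in transit, and the check of $a_0$ against $A_0$. The group parameters P = 1019, Q = 509, G = 4 are constructed toy values, not parameters from the patent.

```python
# Added illustration, not code from the patent. Toy group parameters,
# constructed for this example: P is a safe prime, Q = (P-1)/2 is the order
# of the subgroup generated by G, and the polynomial lives in Z_Q so that
# exponents of G are well defined (the patent text omits "mod p").
import random

P = 1019
Q = 509
G = 4


def eval_poly(coeffs, x):
    """Evaluate f(x) = a_0 + a_1 x + ... + a_t x^t in Z_Q."""
    return sum(a * pow(x, k, Q) for k, a in enumerate(coeffs)) % Q


def deal(secret, t, n, rng):
    """Dealer: choose a_1..a_t at random (a_0 is the secret), hand out the
    fragments (x_i, f(x_i)) with x_i = i, and publish A_j = G^{a_j}."""
    coeffs = [secret % Q] + [rng.randrange(1, Q) for _ in range(t)]
    shares = [(i, eval_poly(coeffs, i)) for i in range(1, n + 1)]
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments


def verify_share(x, s, commitments):
    """Party_i check: G^s == prod_j A_j^{x^j}.  The right side equals
    G^{sum_j a_j x^j} = G^{f(x)}, so it matches exactly when s = f(x)."""
    rhs = 1
    for j, a_j_commit in enumerate(commitments):
        rhs = rhs * pow(a_j_commit, pow(x, j, Q), P) % P
    return pow(G, s, P) == rhs


def verify_secret(secret, commitments):
    """At x = 0 only the j = 0 factor survives (0^0 = 1, 0^k = 0), so a
    reconstructed a_0 is valid iff G^{a_0} == A_0."""
    return pow(G, secret, P) == commitments[0]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 in Z_Q: f(0) = sum_i y_i * L_i(0)
    with L_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j).  Needs t+1 fragments."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def demo(secret=123, t=2, n=4, seed=7):
    """n = 4 parties, threshold t = 2: any 3 fragments recover the secret, a
    fragment altered in transit fails the Feldman check, and a_0 checks out
    against A_0.  Returns (all valid, recovered ok, a_0 ok, tampered valid)."""
    rng = random.Random(seed)  # fixed seed only so the run is reproducible
    shares, A = deal(secret, t, n, rng)
    all_valid = all(verify_share(x, s, A) for x, s in shares)
    recovered = reconstruct([shares[0], shares[2], shares[3]])  # parties 1, 3, 4
    x2, s2 = shares[1]
    tampered_valid = verify_share(x2, (s2 + 1) % Q, A)
    return all_valid, recovered == secret, verify_secret(secret, A), tampered_valid


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```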
In the above scenario a Dealer is required; the Dealer is centralized, knows the secret and, as described above, must be a trusted third party, i.e. all participants must trust the Dealer. In a distributed scenario both distributed secret distribution and distributed secret reconstruction are required, which means removing the centralized Dealer and thereby removing the need for trust. To address this problem, an improved protocol called Joint-Feldman was proposed by Rabin et al. in 1999. Its basic idea is to run the Feldman VSS protocol in parallel: each participant locally generates a random polynomial and then shares its randomly chosen secret value among all participants. Since what is shared is a commitment to the secret rather than the secret itself, the secret cannot be recovered as long as no collusion of more than the threshold t participants occurs. Such a distributed VSS protocol with the trusted third party removed is also known as a DVSS (Distributed VSS) protocol.
Specifically, taking 4 participants as an example and assuming the threshold t = 2, so that the degree of the polynomial is also t = 2, the decentralized threshold secret sharing, i.e. the Joint-Feldman scheme, comprises the following steps:
Each $P_i$ ($\mathrm{Party}_i$ is abbreviated $P_i$, i ∈ {1, 2, 3, 4}) sets the secret $s_{i0}$ to be shared and randomly selects the other coefficients to generate a degree-t polynomial:
Participant $P_1$ generates a degree-2 polynomial: $f_1(z) = a_{10} + a_{11} z + a_{12} z^2$, where $a_{10}$ is the secret $s_1$ set by $P_1$.
Participant $P_2$ generates a degree-2 polynomial: $f_2(z) = a_{20} + a_{21} z + a_{22} z^2$, where $a_{20}$ is the secret $s_2$ set by $P_2$.
Participant $P_3$ generates a degree-2 polynomial: $f_3(z) = a_{30} + a_{31} z + a_{32} z^2$, where $a_{30}$ is the secret $s_3$ set by $P_3$.
Participant $P_4$ generates a degree-2 polynomial: $f_4(z) = a_{40} + a_{41} z + a_{42} z^2$, where $a_{40}$ is the secret $s_4$ set by $P_4$.
Next, each party $P_i$ generates n values on the curve of its own degree-t polynomial and distributes them; with n = 4, t = 2 and the evaluation points z = 1, 2, 3, 4 as before:
Participant $P_1$ computes $s_{11} = f_1(1)$, $s_{12} = f_1(2)$, $s_{13} = f_1(3)$, $s_{14} = f_1(4)$, keeps $s_{11}$ itself, and sends $s_{12}$ encrypted to $P_2$, $s_{13}$ encrypted to $P_3$ and $s_{14}$ encrypted to $P_4$.
Participant $P_2$ computes $s_{21} = f_2(1)$, $s_{22} = f_2(2)$, $s_{23} = f_2(3)$, $s_{24} = f_2(4)$, keeps $s_{22}$ itself, and sends $s_{21}$ encrypted to $P_1$, $s_{23}$ encrypted to $P_3$ and $s_{24}$ encrypted to $P_4$.
Participant $P_3$ computes $s_{31} = f_3(1)$, $s_{32} = f_3(2)$, $s_{33} = f_3(3)$, $s_{34} = f_3(4)$, keeps $s_{33}$ itself, and sends $s_{31}$ encrypted to $P_1$, $s_{32}$ encrypted to $P_2$ and $s_{34}$ encrypted to $P_4$.
Participant $P_4$ computes $s_{41} = f_4(1)$, $s_{42} = f_4(2)$, $s_{43} = f_4(3)$, $s_{44} = f_4(4)$, keeps $s_{44}$ itself, and sends $s_{41}$ encrypted to $P_1$, $s_{42}$ encrypted to $P_2$ and $s_{43}$ encrypted to $P_3$.
Also, each participant $P_i$ generates the public verification parameters $A_{ik} = g^{a_{ik}}$, k = 0, 1, ..., t, corresponding to its own degree-t polynomial and publishes them to every party. Specifically:
Participant $P_1$ generates $A_{1k} = g^{a_{1k}}$, k = 0, 1, ..., t, i.e. $\{A_{10}, A_{11}, A_{12}\}$, and broadcasts it to $P_2$, $P_3$ and $P_4$.
Participant $P_2$ generates $A_{2k} = g^{a_{2k}}$, k = 0, 1, ..., t, i.e. $\{A_{20}, A_{21}, A_{22}\}$, and broadcasts it to $P_1$, $P_3$ and $P_4$.
Participant $P_3$ generates $A_{3k} = g^{a_{3k}}$, k = 0, 1, ..., t, i.e. $\{A_{30}, A_{31}, A_{32}\}$, and broadcasts it to $P_1$, $P_2$ and $P_4$.
Participant $P_4$ generates $A_{4k} = g^{a_{4k}}$, k = 0, 1, ..., t, i.e. $\{A_{40}, A_{41}, A_{42}\}$, and broadcasts it to $P_1$, $P_2$ and $P_3$.
Thus, after $P_1$ receives $s_{21}$ it verifies it against $\{A_{20}, A_{21}, A_{22}\}$; after receiving $s_{31}$ it verifies it against $\{A_{30}, A_{31}, A_{32}\}$; after receiving $s_{41}$ it verifies it against $\{A_{40}, A_{41}, A_{42}\}$. The verification method is the same as above and is not repeated.
Similarly, after $P_2$ receives $s_{12}$ it verifies it against $\{A_{10}, A_{11}, A_{12}\}$; after receiving $s_{32}$ it verifies it against $\{A_{30}, A_{31}, A_{32}\}$; after receiving $s_{42}$ it verifies it against $\{A_{40}, A_{41}, A_{42}\}$.
Similarly, after $P_3$ receives $s_{13}$ it verifies it against $\{A_{10}, A_{11}, A_{12}\}$; after receiving $s_{23}$ it verifies it against $\{A_{20}, A_{21}, A_{22}\}$; after receiving $s_{43}$ it verifies it against $\{A_{40}, A_{41}, A_{42}\}$.
Similarly, after $P_4$ receives $s_{14}$ it verifies it against $\{A_{10}, A_{11}, A_{12}\}$; after receiving $s_{24}$ it verifies it against $\{A_{20}, A_{21}, A_{22}\}$; after receiving $s_{34}$ it verifies it against $\{A_{30}, A_{31}, A_{32}\}$.
Assume the set of participants that pass verification, obtained after each participant has performed its verification, is Qual, and Qual = $\{P_1, P_2, P_3, P_4\}$, so that:
$P_1$ holds the secret shares $s_{11}, s_{21}, s_{31}, s_{41}$ generated locally and by the other parties, and the public verification parameters $\{A_{10}, A_{11}, A_{12}\}, \{A_{20}, A_{21}, A_{22}\}, \{A_{30}, A_{31}, A_{32}\}, \{A_{40}, A_{41}, A_{42}\}$;
$P_2$ holds the secret shares $s_{12}, s_{22}, s_{32}, s_{42}$ generated locally and by the other parties, and the public verification parameters $\{A_{10}, A_{11}, A_{12}\}, \{A_{20}, A_{21}, A_{22}\}, \{A_{30}, A_{31}, A_{32}\}, \{A_{40}, A_{41}, A_{42}\}$;
$P_3$ holds the secret shares $s_{13}, s_{23}, s_{33}, s_{43}$ generated locally and by the other parties, and the public verification parameters $\{A_{10}, A_{11}, A_{12}\}, \{A_{20}, A_{21}, A_{22}\}, \{A_{30}, A_{31}, A_{32}\}, \{A_{40}, A_{41}, A_{42}\}$;
$P_4$ holds the secret shares $s_{14}, s_{24}, s_{34}, s_{44}$ generated locally and by the other parties, and the public verification parameters $\{A_{10}, A_{11}, A_{12}\}, \{A_{20}, A_{21}, A_{22}\}, \{A_{30}, A_{31}, A_{32}\}, \{A_{40}, A_{41}, A_{42}\}$.
Then:
Participant $P_1$ can compute its secret share $s_1$ as $s_1 = s_{11} + s_{21} + s_{31} + s_{41}$;
Participant $P_2$ can compute its secret share $s_2$ as $s_2 = s_{12} + s_{22} + s_{32} + s_{42}$;
Participant $P_3$ can compute its secret share $s_3$ as $s_3 = s_{13} + s_{23} + s_{33} + s_{43}$;
Participant $P_4$ can compute its secret share $s_4$ as $s_4 = s_{14} + s_{24} + s_{34} + s_{44}$.
Each participant $P_i$ can compute its own secret share $s_i$ and broadcast it to the other participants. Each participant $P_i$ can reconstruct the secret $s_0$ after collecting at least t+1 of the secret shares $\{s_1, s_2, s_3, s_4\}$. Here, with t = 2, each participant $P_i$ can reconstruct the secret $s_0$ after collecting at least t+1 = 2+1 = 3 secret shares.
This is because the participants' curves can be summed to give a total curve:
$f(z) = f_1(z) + f_2(z) + f_3(z) + f_4(z)$
$f(z) = (a_{10} + a_{11} z + a_{12} z^2) + (a_{20} + a_{21} z + a_{22} z^2) + (a_{30} + a_{31} z + a_{32} z^2) + (a_{40} + a_{41} z + a_{42} z^2)$
$f(z) = (a_{10} + a_{20} + a_{30} + a_{40}) + (a_{11} + a_{21} + a_{31} + a_{41})\, z + (a_{12} + a_{22} + a_{32} + a_{42})\, z^2$   polynomial (I)
In this case:
$s_1 = s_{11} + s_{21} + s_{31} + s_{41} = f_1(1) + f_2(1) + f_3(1) + f_4(1)$;
$s_2 = s_{12} + s_{22} + s_{32} + s_{42} = f_1(2) + f_2(2) + f_3(2) + f_4(2)$;
$s_3 = s_{13} + s_{23} + s_{33} + s_{43} = f_1(3) + f_2(3) + f_3(3) + f_4(3)$;
$s_4 = s_{14} + s_{24} + s_{34} + s_{44} = f_1(4) + f_2(4) + f_3(4) + f_4(4)$;
and for the total curve f(z) the following relations hold:
$s_1 = f_1(1) + f_2(1) + f_3(1) + f_4(1) = f(1)$;
$s_2 = f_1(2) + f_2(2) + f_3(2) + f_4(2) = f(2)$;
$s_3 = f_1(3) + f_2(3) + f_3(3) + f_4(3) = f(3)$;
$s_4 = f_1(4) + f_2(4) + f_3(4) + f_4(4) = f(4)$;
with the secret $s_0 = a_{10} + a_{20} + a_{30} + a_{40}$.
Thus any participant $P_i$, after collecting at least 3 of the secret shares $s_1, s_2, s_3, s_4$, holds at least 3 of the 4 points $(x_1 = 1, y_1 = s_1), (x_2 = 2, y_2 = s_2), (x_3 = 3, y_3 = s_3), (x_4 = 4, y_4 = s_4)$ on the curve of polynomial (I), so the total curve f(z) can be recovered. Then $f(0) = a_{10} + a_{20} + a_{30} + a_{40} = s_0$ can be computed, and the secret $s_0$ obtained.
Likewise, the verification parameters $\{A_{10}, A_{11}, A_{12}\}, \{A_{20}, A_{21}, A_{22}\}, \{A_{30}, A_{31}, A_{32}\}, \{A_{40}, A_{41}, A_{42}\}$ can also be applied to verify the secret share $s_i$, by verifying whether $(x_i, s_i)$ is a point on the total curve. Specifically, validity is judged by verifying whether the following equation holds:
$g^{s_i} = \prod_{j=1}^{n} \prod_{k=0}^{t} A_{jk}^{\,x_i^k}$   polynomial (II)
This is because the following relationship exists:
$g^{s_i} = g^{\sum_{j=1}^{n} f_j(x_i)} = \prod_{j=1}^{n} g^{\sum_{k=0}^{t} a_{jk} x_i^k} = \prod_{j=1}^{n} \prod_{k=0}^{t} \left(g^{a_{jk}}\right)^{x_i^k} = \prod_{j=1}^{n} \prod_{k=0}^{t} A_{jk}^{\,x_i^k}$
The right side of the equals sign in polynomial (II) is also commonly referred to as the public key share, denoted $\mathrm{pub}_i$, i = 1, 2, ..., n, and is used to verify the corresponding private key share.
As mentioned above, $x_i = i$ can generally be taken for each i = 1, 2, ..., n, so i can be the number of each participant.
For verification of the secret $s_0$, i.e. $x_i = 0$, the above formula can be further derived as:
$g^{s_0} = \prod_{j=1}^{n} \prod_{k=0}^{t} A_{jk}^{\,0^k}$
Defining $0^0 = 1$ and $0^k = 0$ for $k \neq 0$, the above equation can be further derived as:
$g^{s_0} = \prod_{j=1}^{n} \left( A_{j0}^{\,1} \cdot A_{j1}^{\,0} \cdots A_{jt}^{\,0} \right) = \prod_{j=1}^{n} A_{j0}$   polynomial (III)
It can be seen that the validity of $s_0$ can be verified based on polynomial (III).
Moreover, based on the derivation in polynomial (III), verification of $s_0$ can be further simplified to:
$g^{s_0} = \prod_{j=1}^{n} A_{j0}$   polynomial (IV)
The right side of polynomial (IV) is also generally referred to as the total public key, denoted pub.
The joint-Feldman protocol achieves distributed secret sharing, that is, it completes the main content of DKG. The secret-sharing implementations described above form a series: Shamir secret sharing, threshold Shamir, the Feldman VSS protocol, and then the joint-Feldman DVSS protocol. Besides this series starting from Shamir secret sharing, DKG can also be built on additive secret sharing (Additive Secret Share), on SPDZ (an important protocol in secure multi-party computation, first proposed in 2012), or on the Chinese remainder theorem; these are not described further here.

By running a DKG protocol, the problems of having a single entity generate the key are avoided: a single point of failure that makes the whole system unavailable, and a single point of trust in the generated key. However, because each participant $P_i$ distributes the secret shares $s_{ij}$ it generates ($i, j \in \{1, 2, \ldots, n\}$, $n$ being the number of participants), and each participant $P_i$ can compute its secret share $s_i$ itself and broadcast it to the others, every participant $P_i$ that collects at least $t+1$ of the shares $\{s_1, s_2, s_3, s_4\}$ can reconstruct the secret $s_0$. In this way at least $t+1$ participants end up holding the reconstructed secret $s_0$, i.e. $s_0$ is exposed and the total curve can no longer be used. To generate a new secret $s_0$, the DKG protocol has to be executed again.

Combining the threshold and secret-commitment properties of the DKG protocol with a matching threshold signature algorithm yields a distributed threshold signature protocol. Blockchains are distributed systems that make heavy use of signature algorithms. Nodes in a blockchain generate secret shares in a distributed way through DKG; at least $t+1$ blockchain nodes use their secret shares as private key shares to sign the message to be signed and broadcast the signature shares; any blockchain node that collects at least $t+1$ signature shares can recover the total signature and, in the manner described above, the total public key, and the recovered total signature can be verified with the total public key, which realizes a threshold signature. This has the advantage that the secret share held by each blockchain node never needs to be broadcast to other nodes, so no node's secret share, i.e. its private key share, is exposed, and the secret shares generated by one DKG run can be reused many times instead of running a DKG protocol for every threshold signature.
The underlying ECDSA signature algorithm is as follows:

The signer Alice selects an elliptic curve $E_q(a, b)$ and a base point $G$, and shares this information with the verifier Bob, where $q$ is the modulus (the order of $G$).

Alice selects a private key $x$ in the finite field $\mathbb{Z}_q$ and generates the public key $X = x\cdot G$ from it.

Alice selects a random number $k$ in $\mathbb{Z}_q$, computes $R = k^{-1}\cdot G$ and $r = f(R)$, requiring $r \neq 0$; here $f(R)$ may be the abscissa (x-coordinate) of $R$. (Note that this writes the nonce as $k^{-1}$; textbook ECDSA uses $R = k\cdot G$ and $\sigma = k^{-1}(h + x\cdot r)$. The two are equivalent up to renaming $k \leftrightarrow k^{-1}$, and the threshold construction below relies on the form used here.)

Alice hashes the message $m$ to be signed to obtain the digest value $h = \mathrm{hash}(m)$ and computes:

$$\sigma = k\,(h + x\cdot r) \bmod q \qquad \text{formula (a)}$$

Alice forms the signature $sig = (r, \sigma)$ and sends the message $m$, the signature $sig$ and the public key $X$ to the verifier Bob.

Bob verifies the received message $m$ and signature $sig$ with the public key $X$ by checking the equation:

$$r = f\left(\sigma^{-1}\cdot h\cdot G + \sigma^{-1}\cdot r\cdot X\right) \qquad \text{formula (b)}$$

If formula (b) holds, the signature is valid; otherwise it is invalid. This is because formula (a) gives $k^{-1} = \sigma^{-1}(h + x\cdot r) \bmod q$, and substituting $R = k^{-1}\cdot G$ and this $k^{-1}$ into $r = f(R)$ gives:

$$r = f(R) = f(k^{-1}\cdot G) = f\left(\sigma^{-1}(h + x\cdot r)\cdot G\right) = f\left(\sigma^{-1}\cdot h\cdot G + \sigma^{-1}\cdot x\cdot r\cdot G\right) = f\left(\sigma^{-1}\cdot h\cdot G + \sigma^{-1}\cdot r\cdot X\right)$$

That is, following the right-hand side of formula (b), Bob computes with $\sigma$ and $r$ from the received signature, the message $m$ and the public key $X$, and checks whether the result equals the $r$ in the signature.
The basic ECDSA algorithm above can be extended to a threshold signature algorithm. For example, through the DKG procedure described above, $n$ signers $P_1, P_2, \ldots, P_n$ each hold their own secret share and share a total public key, with threshold $t$, $t < n$. After at least $t+1$ of the $n$ participants have signed the same message with their own secret shares as private key shares and broadcast the result, any verifier that collects at least $t+1$ signature shares can recover the total signature and verify it with the total public key, which realizes a threshold signature. One concrete implementation is the paper "UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts", published by Fireblocks at CCS '20, which builds a distributed ECDSA signature scheme in the malicious model. The drawback of that approach is that a large number of zero-knowledge proofs are needed to resist malicious adversaries, which costs a great deal of communication and computation. Moreover, that scheme fixes the threshold at $t = n-1$ and gives no scheme for an arbitrary threshold.

The embodiment of this application provides an ECDSA-based distributed threshold signature method. In this embodiment each signer can generate a threshold private key by a Dealer or non-Dealer protocol such as threshold Shamir, Feldman or joint-Feldman, or by another DKG scheme. As a result of such a DKG scheme, participant $P_i$ ($i \in [n]$) holds a private key share $\omega_i$, and any $t+1$ or more private key shares correspond to a total private key $\omega$. The DKG result also yields a total public key $X$, which is related to the total private key $\omega$ by $\omega\cdot G = X$.

In addition, after the $n$ participants have obtained their private key shares from the DKG, they can sign the same message with their own private key shares to produce signature shares. Any $t+1$ or more signature shares can be aggregated into a total signature, and the total signature can be verified with the total public key.

The above relationships are illustrated by the distributed threshold key generation of Fig. 1 and the distributed threshold signature of Fig. 2.

The embodiment of this application comprises two parts, distributed threshold key generation and distributed threshold signature. Both parts are protocols that define how the participants exchange data with each other and how they process it, so that a specific goal is achieved cooperatively. The distributed threshold signature part consists of an offline stage and an online stage.

The distributed threshold key generation protocol is described first. Assume there are $n$ participants $P_1, P_2, \ldots, P_n$. Through the distributed threshold key generation protocol each participant $P_i$ ($i \in \{1, 2, \ldots, n\}$) generates its own private key share.

Specifically, each participant $P_i$ generates a degree-$t$ polynomial $f_i(z) = a_{i0} + a_{i1}z + a_{i2}z^2 + \cdots + a_{it}z^t$, where $a_{i0}$ is the secret $s_{i0}$ set by $P_i$. Here the threshold is $t$, so the degree of the polynomial is also $t$.
Let the threshold be 2 and the total number of participants be 5, i.e. $t = 2$ and $n = 5$, with participants $P_1, P_2, P_3, P_4, P_5$, where:

$P_1$ generates a degree-2 ($t = 2$) polynomial $f_1(z) = a_{10} + a_{11}z + a_{12}z^2$, where $a_{10}$ is the secret $s_{10}$ set by $P_1$;
$P_2$ generates a degree-2 ($t = 2$) polynomial $f_2(z) = a_{20} + a_{21}z + a_{22}z^2$, where $a_{20}$ is the secret $s_{20}$ set by $P_2$;
$P_3$ generates a degree-2 ($t = 2$) polynomial $f_3(z) = a_{30} + a_{31}z + a_{32}z^2$, where $a_{30}$ is the secret $s_{30}$ set by $P_3$;
$P_4$ generates a degree-2 ($t = 2$) polynomial $f_4(z) = a_{40} + a_{41}z + a_{42}z^2$, where $a_{40}$ is the secret $s_{40}$ set by $P_4$;
$P_5$ generates a degree-2 ($t = 2$) polynomial $f_5(z) = a_{50} + a_{51}z + a_{52}z^2$, where $a_{50}$ is the secret $s_{50}$ set by $P_5$.

Further, each participant $P_i$ generates $n$ secret shares, keeps one of them itself, and sends the remaining shares to the other participants in encrypted form. For example, $P_i$ generates the coordinates of $n$ points on the curve of its own polynomial as $n$ secret shares, keeps the coordinates of one point itself, and sends the coordinates of the other points to the other participants in encrypted form. Specifically:

$P_1$ generates $s_{11} = f_1(1)$, $s_{12} = f_1(2)$, $s_{13} = f_1(3)$, $s_{14} = f_1(4)$, $s_{15} = f_1(5)$; keeps $s_{11}$ itself; and sends, each in encrypted form, $s_{12}$ to $P_2$, $s_{13}$ to $P_3$, $s_{14}$ to $P_4$ and $s_{15}$ to $P_5$.
$P_2$ generates $s_{21} = f_2(1)$, $s_{22} = f_2(2)$, $s_{23} = f_2(3)$, $s_{24} = f_2(4)$, $s_{25} = f_2(5)$; keeps $s_{22}$ itself; and sends, each in encrypted form, $s_{21}$ to $P_1$, $s_{23}$ to $P_3$, $s_{24}$ to $P_4$ and $s_{25}$ to $P_5$.
$P_3$ generates $s_{31} = f_3(1)$, $s_{32} = f_3(2)$, $s_{33} = f_3(3)$, $s_{34} = f_3(4)$, $s_{35} = f_3(5)$; keeps $s_{33}$ itself; and sends, each in encrypted form, $s_{31}$ to $P_1$, $s_{32}$ to $P_2$, $s_{34}$ to $P_4$ and $s_{35}$ to $P_5$.
$P_4$ generates $s_{41} = f_4(1)$, $s_{42} = f_4(2)$, $s_{43} = f_4(3)$, $s_{44} = f_4(4)$, $s_{45} = f_4(5)$; keeps $s_{44}$ itself; and sends, each in encrypted form, $s_{41}$ to $P_1$, $s_{42}$ to $P_2$, $s_{43}$ to $P_3$ and $s_{45}$ to $P_5$.
$P_5$ generates $s_{51} = f_5(1)$, $s_{52} = f_5(2)$, $s_{53} = f_5(3)$, $s_{54} = f_5(4)$, $s_{55} = f_5(5)$; keeps $s_{55}$ itself; and sends, each in encrypted form, $s_{51}$ to $P_1$, $s_{52}$ to $P_2$, $s_{53}$ to $P_3$ and $s_{54}$ to $P_4$.

As a result:

$P_1$ holds its own locally generated share and the shares from the other participants: $s_{11}, s_{21}, s_{31}, s_{41}, s_{51}$;
$P_2$ holds $s_{12}, s_{22}, s_{32}, s_{42}, s_{52}$;
$P_3$ holds $s_{13}, s_{23}, s_{33}, s_{43}, s_{53}$;
$P_4$ holds $s_{14}, s_{24}, s_{34}, s_{44}, s_{54}$;
$P_5$ holds $s_{15}, s_{25}, s_{35}, s_{45}, s_{55}$.

Then each participant $P_i$ combines the share $s_{ii}$ it kept with the shares $s_{ji}$ received from the other participants $P_j$ to obtain its private key share, for example by summation: $s_i = \sum_{j=1}^{n} s_{ji}$. Specifically:

Participant $P_1$ computes its private key share $s_1 = s_{11}+s_{21}+s_{31}+s_{41}+s_{51}$;
Participant $P_2$ computes its private key share $s_2 = s_{12}+s_{22}+s_{32}+s_{42}+s_{52}$;
Participant $P_3$ computes its private key share $s_3 = s_{13}+s_{23}+s_{33}+s_{43}+s_{53}$;
Participant $P_4$ computes its private key share $s_4 = s_{14}+s_{24}+s_{34}+s_{44}+s_{54}$;
Participant $P_5$ computes its private key share $s_5 = s_{15}+s_{25}+s_{35}+s_{45}+s_{55}$.
Also, each participant $P_i$ generates the public verification parameters $A_{ik} = a_{ik}\cdot G$, $k = 0, 1, \ldots, t$, corresponding to its own degree-$t$ polynomial and publishes them to all participants. Specifically:

Participant $P_1$ generates $A_{1k} = a_{1k}G$ for $k = 0, 1, \ldots, t = 2$, i.e. $A_{10} = a_{10}G = s_{10}G$, $A_{11} = a_{11}G$, $A_{12} = a_{12}G$, and broadcasts $\{A_{10}, A_{11}, A_{12}\}$ to $P_2$, $P_3$, $P_4$ and $P_5$.
Participant $P_2$ generates $A_{2k} = a_{2k}G$ for $k = 0, 1, 2$, i.e. $A_{20} = a_{20}G = s_{20}G$, $A_{21} = a_{21}G$, $A_{22} = a_{22}G$, and broadcasts $\{A_{20}, A_{21}, A_{22}\}$ to $P_1$, $P_3$, $P_4$ and $P_5$.
Participant $P_3$ generates $A_{3k} = a_{3k}G$ for $k = 0, 1, 2$, i.e. $A_{30} = a_{30}G = s_{30}G$, $A_{31} = a_{31}G$, $A_{32} = a_{32}G$, and broadcasts $\{A_{30}, A_{31}, A_{32}\}$ to $P_1$, $P_2$, $P_4$ and $P_5$.
Participant $P_4$ generates $A_{4k} = a_{4k}G$ for $k = 0, 1, 2$, i.e. $A_{40} = a_{40}G = s_{40}G$, $A_{41} = a_{41}G$, $A_{42} = a_{42}G$, and broadcasts $\{A_{40}, A_{41}, A_{42}\}$ to $P_1$, $P_2$, $P_3$ and $P_5$.
Participant $P_5$ generates $A_{5k} = a_{5k}G$ for $k = 0, 1, 2$, i.e. $A_{50} = a_{50}G = s_{50}G$, $A_{51} = a_{51}G$, $A_{52} = a_{52}G$, and broadcasts $\{A_{50}, A_{51}, A_{52}\}$ to $P_1$, $P_2$, $P_3$ and $P_4$.
Each participant $P_i$ can also verify the secret share $s_{ji}$ sent by $P_j$ against $P_j$'s public verification parameters $\{A_{j0}, A_{j1}, \ldots, A_{jt}\}$, for example by checking:

$$s_{ji}\cdot G = A_{j0} + i\,A_{j1} + \cdots + i^{t}A_{jt}$$

Specifically:

Participant $P_1$ verifies $s_{21}$ by $s_{21}G = A_{20}+A_{21}+A_{22}$, $s_{31}$ by $s_{31}G = A_{30}+A_{31}+A_{32}$, $s_{41}$ by $s_{41}G = A_{40}+A_{41}+A_{42}$, and $s_{51}$ by $s_{51}G = A_{50}+A_{51}+A_{52}$.
Participant $P_2$ verifies $s_{12}$ by $s_{12}G = A_{10}+2A_{11}+2^2A_{12}$, $s_{32}$ by $s_{32}G = A_{30}+2A_{31}+2^2A_{32}$, $s_{42}$ by $s_{42}G = A_{40}+2A_{41}+2^2A_{42}$, and $s_{52}$ by $s_{52}G = A_{50}+2A_{51}+2^2A_{52}$.
Participant $P_3$ verifies $s_{13}$ by $s_{13}G = A_{10}+3A_{11}+3^2A_{12}$, $s_{23}$ by $s_{23}G = A_{20}+3A_{21}+3^2A_{22}$, $s_{43}$ by $s_{43}G = A_{40}+3A_{41}+3^2A_{42}$, and $s_{53}$ by $s_{53}G = A_{50}+3A_{51}+3^2A_{52}$.
Participant $P_4$ verifies $s_{14}$ by $s_{14}G = A_{10}+4A_{11}+4^2A_{12}$, $s_{24}$ by $s_{24}G = A_{20}+4A_{21}+4^2A_{22}$, $s_{34}$ by $s_{34}G = A_{30}+4A_{31}+4^2A_{32}$, and $s_{54}$ by $s_{54}G = A_{50}+4A_{51}+4^2A_{52}$.
Participant $P_5$ verifies $s_{15}$ by $s_{15}G = A_{10}+5A_{11}+5^2A_{12}$, $s_{25}$ by $s_{25}G = A_{20}+5A_{21}+5^2A_{22}$, $s_{35}$ by $s_{35}G = A_{30}+5A_{31}+5^2A_{32}$, and $s_{45}$ by $s_{45}G = A_{40}+5A_{41}+5^2A_{42}$.

If a verification fails, any participant may terminate the protocol; because each check is made against the commitments published by a single dealer $P_j$, a failure also identifies which $P_j$ sent a share inconsistent with its own polynomial.

On the other hand, each participant $P_i$ can compute the total public key $X$ in the same way as described above (polynomial (IV)), for example by:

$$X = \sum_{j=1}^{5} A_{j0} = A_{10}+A_{20}+A_{30}+A_{40}+A_{50}$$

As described above, this total public key can be used to verify the total signature after subsequent aggregation.
In addition, to resist attacks by malicious adversaries, each participant $P_i$ may further generate and broadcast a hash of the public key corresponding to its own secret, so that receivers can use the hash to verify the correctness of the public key corresponding to each $P_i$'s secret. For example:

$P_1$ computes $H_1(A_{10})$, where $H_1()$ is a hash algorithm and $A_{10} = a_{10}G$ is the public key corresponding to the secret $s_{10}$ (obtained by an elliptic-curve operation, written here as a product). $P_1$ broadcasts $H_1(A_{10})$ to the other participants first; when any receiver later receives $A_{10}$ it can verify the correctness of $A_{10}$ against $H_1(A_{10})$, which resists attacks by malicious adversaries.
$P_2$ computes $H_1(A_{20})$, where $A_{20} = a_{20}G$ is the public key corresponding to the secret $s_{20}$. $P_2$ broadcasts $H_1(A_{20})$ to the other participants; any receiver, on receiving $A_{20}$, verifies it against $H_1(A_{20})$.
$P_3$ computes $H_1(A_{30})$, where $A_{30} = a_{30}G$ is the public key corresponding to the secret $s_{30}$. $P_3$ broadcasts $H_1(A_{30})$ to the other participants; any receiver, on receiving $A_{30}$, verifies it against $H_1(A_{30})$.
$P_4$ computes $H_1(A_{40})$, where $A_{40} = a_{40}G$ is the public key corresponding to the secret $s_{40}$. $P_4$ broadcasts $H_1(A_{40})$ to the other participants; any receiver, on receiving $A_{40}$, verifies it against $H_1(A_{40})$.
$P_5$ computes $H_1(A_{50})$, where $A_{50} = a_{50}G$ is the public key corresponding to the secret $s_{50}$. $P_5$ broadcasts $H_1(A_{50})$ to the other participants; any receiver, on receiving $A_{50}$, verifies it against $H_1(A_{50})$.
In addition, each participant $P_i$ generates its own public/private key pair for homomorphic encryption, for example a Paillier key pair $(E_i, e_i)$, where $e_i$ is the private key and $E_i$ the corresponding public key. Homomorphic encryption maps plaintext data into a protected form on which computations can still be performed, such that only a recipient holding the secret key can recover the plaintext. Paillier additive homomorphic encryption is a widely used public-key cryptosystem proposed by Pascal Paillier (1999). Its main feature is additive homomorphism: given two ciphertexts, a ciphertext of the sum of their plaintexts can be computed without decryption. Specifically, if two plaintexts $m_1$ and $m_2$ have Paillier ciphertexts $c_1$ and $c_2$, the product of $c_1$ and $c_2$ is a new ciphertext $c$ that is exactly a ciphertext of $m_1 + m_2$. This homomorphism allows certain computations on encrypted data to be completed without revealing the original data.

After generating its homomorphic encryption key pair, each participant $P_i$ sends the public key to the other participants.

For example, participant $P_1$ generates a Paillier key pair $(E_1, e_1)$ and broadcasts the homomorphic encryption public key $E_1$ to the other participants; $P_2$ generates $(E_2, e_2)$ and broadcasts $E_2$; $P_3$ generates $(E_3, e_3)$ and broadcasts $E_3$; $P_4$ generates $(E_4, e_4)$ and broadcasts $E_4$; $P_5$ generates $(E_5, e_5)$ and broadcasts $E_5$.

Thus each participant $P_i$ locally stores its own secret, its own private key share, its own homomorphic encryption private key, the total public key, and the homomorphic encryption public keys of all participants.

In one embodiment, to resist attacks by malicious adversaries, a first zero-knowledge proof can be used to prove the homomorphic encryption public key. For example, each participant $P_i$ generates a first zero-knowledge proof $\psi_i$ that proves $E_i$ is a well-formed Paillier public key. Correspondingly, a receiver of the homomorphic encryption public key and its first zero-knowledge proof verifies the public key using the proof. For example, any receiver $P_j$ that receives $\psi_i$ and $E_i$ from participant $P_i$ runs the verification algorithm of the zero-knowledge proof with $E_i$ and $\psi_i$ as input to check whether $\psi_i$ is an acceptable proof that $E_i$ is a well-formed Paillier public key. If the verification passes, the flow of this embodiment continues; otherwise the key is illegitimate and the flow can be terminated.
Through the distributed threshold key generation process there is a total polynomial:

$$f(z) = f_1(z) + f_2(z) + f_3(z) + f_4(z) + f_5(z)$$
$$= a_{10} + a_{11}z + a_{12}z^2 + a_{20} + a_{21}z + a_{22}z^2 + a_{30} + a_{31}z + a_{32}z^2 + a_{40} + a_{41}z + a_{42}z^2 + a_{50} + a_{51}z + a_{52}z^2$$
$$= (a_{10}+a_{20}+a_{30}+a_{40}+a_{50}) + (a_{11}+a_{21}+a_{31}+a_{41}+a_{51})\,z + (a_{12}+a_{22}+a_{32}+a_{42}+a_{52})\,z^2$$

As before, this polynomial corresponds to a total curve, and the following relationships hold:

$s_1 = f_1(1)+f_2(1)+f_3(1)+f_4(1)+f_5(1) = f(1)$;
$s_2 = f_1(2)+f_2(2)+f_3(2)+f_4(2)+f_5(2) = f(2)$;
$s_3 = f_1(3)+f_2(3)+f_3(3)+f_4(3)+f_5(3) = f(3)$;
$s_4 = f_1(4)+f_2(4)+f_3(4)+f_4(4)+f_5(4) = f(4)$;
$s_5 = f_1(5)+f_2(5)+f_3(5)+f_4(5)+f_5(5) = f(5)$.

In the DKG scheme described earlier, each participant $P_i$ could compute its secret share $s_i$ itself and broadcast it to the other participants, and any participant $P_i$ that collected at least $t+1$ of the shares $\{s_1, s_2, s_3, s_4, s_5\}$ could reconstruct the secret $s_0$. For a threshold of 2, for example, each participant $P_i$ could reconstruct $s_0$ after collecting at least 3 secret shares.

In the present embodiment, however, the goal is a distributed threshold signature, so the secret share $s_i$ is not sent to the other participants but is used as a private key share. In this way neither any single participant nor any group of participants obtains $t+1$ secret shares, so the total secret, i.e. the total private key, is never recovered. This guarantees that the private key shares obtained by the participants through one run of the distributed threshold key generation protocol can be used repeatedly for distributed threshold signatures afterwards.
The distributed threshold signature process of this embodiment is described below; it consists of an offline stage and an online stage. The distributed key generation process above requires all $n$ participants to take part in the protocol. The distributed threshold signature process below requires only at least $t+1$ participants to take part. The threshold $t = 2$ is again used as the example.

Offline stage: at least $t+1$ participants generate their respective first random values $k_i$ and second random values $\gamma_i$; each participant also uses a homomorphic encryption algorithm and obtains, through the offline-stage protocol, the coordinate component $r$ and its own private key share component masking value $\chi_i$. Specifically:

Of the $t+1$ participants, each $P_i$ computes the Lagrange coefficient $\lambda_i$ and the private key share component $x_i = \lambda_i s_i$. Here $\lambda_i$ is the Lagrange basis coefficient for interpolating the total polynomial at $z = 0$ over the signer set $S$ of $t+1$ indices, $\lambda_i = \prod_{j \in S, j \neq i} \frac{j}{j - i} \bmod q$, so that $\sum_{i \in S}\lambda_i s_i = \sum_{i \in S}\lambda_i f(i) = f(0) = \omega$, the total private key. For example, with $i = 1, 2, 3$:

Participant $P_1$ computes the Lagrange coefficient $\lambda_1$ and the private key share component $x_1 = \lambda_1 s_1$;
Participant $P_2$ computes the Lagrange coefficient $\lambda_2$ and the private key share component $x_2 = \lambda_2 s_2$;
Participant $P_3$ computes the Lagrange coefficient $\lambda_3$ and the private key share component $x_3 = \lambda_3 s_3$.
S11:

Each of the at least $t+1$ participants generates a first random value and a second random value, together with a homomorphic ciphertext of the first random value and a public key hash of the second random value. Specifically, participant $P_i$, $i \in [1, t+1]$, generates a first random value $k_i$ and a second random value $\gamma_i$ with $k_i, \gamma_i \in \mathbb{Z}_q$. On this basis $P_i$ computes the homomorphic ciphertext of the first random value, e.g. the Paillier ciphertext $K_i = E_i(k_i)$, and the second random value public key hash $g_i = H_1(\gamma_i G)$, where $H_1()$ is a hash algorithm as above. With $t+1 = 3$ and participants $P_1$, $P_2$, $P_3$:

$P_1$ generates a first random value $k_1$ and a second random value $\gamma_1$, computes the Paillier ciphertext $K_1 = E_1(k_1)$ of the first random value, and computes the second random value public key hash $g_1 = H_1(\gamma_1 G)$;
$P_2$ generates a first random value $k_2$ and a second random value $\gamma_2$, computes the Paillier ciphertext $K_2 = E_2(k_2)$, and computes $g_2 = H_1(\gamma_2 G)$;
$P_3$ generates a first random value $k_3$ and a second random value $\gamma_3$, computes the Paillier ciphertext $K_3 = E_3(k_3)$, and computes $g_3 = H_1(\gamma_3 G)$.

Further, each of the at least $t+1$ participants $P_i$ sends the generated first random value homomorphic ciphertext to the other participants, for example:

$P_1$ broadcasts $K_1$ to $P_2$ and $P_3$;
$P_2$ broadcasts $K_2$ to $P_1$ and $P_3$;
$P_3$ broadcasts $K_3$ to $P_1$ and $P_2$.
S12:

A participant $P_i$ that receives the ciphertext $K_j$ broadcast by $P_j$ selects two mask numbers $\beta_{i,j}, \nu_{i,j} \in \mathbb{Z}_{q^5}$. Here the subscript $q^5$ denotes a range of size $q^5$, which has been proven to be a cryptographically secure choice; the mask numbers are generally chosen as large values within $\mathbb{Z}_{q^5}$. (The Paillier modulus $N_j$ of $E_j$ must then be larger than the largest possible plaintext, $q^2 + q^5$, so that decryption returns the exact integer rather than its residue modulo $N_j$.) $P_i$ then computes the intermediate ciphertexts $D_{i,j}$ and $\hat{D}_{i,j}$ by homomorphic operations and sends them to $P_j$:

$$D_{i,j} = (\gamma_i \odot K_j) \oplus E_j(\beta_{i,j}), \qquad \hat{D}_{i,j} = (x_i \odot K_j) \oplus E_j(\nu_{i,j})$$

In the two formulas above, $\odot$ and $\oplus$ denote homomorphic scalar multiplication and homomorphic addition respectively.

Specifically:

$P_1$, after receiving the broadcast $K_2 = E_2(k_2)$ from $P_2$, selects two mask numbers $\beta_{1,2}, \nu_{1,2}$, computes the intermediate ciphertexts $D_{1,2}$ and $\hat{D}_{1,2}$ by the homomorphic algorithm and sends them to $P_2$, where:

$$D_{1,2} = (\gamma_1 \odot K_2) \oplus E_2(\beta_{1,2}) = E_2(\gamma_1 k_2 + \beta_{1,2}), \qquad \hat{D}_{1,2} = (x_1 \odot K_2) \oplus E_2(\nu_{1,2}) = E_2(x_1 k_2 + \nu_{1,2})$$

Thus $P_2$ receives $D_{1,2} = E_2(\gamma_1 k_2 + \beta_{1,2})$ and $\hat{D}_{1,2} = E_2(x_1 k_2 + \nu_{1,2})$. Although $P_2$ holds the corresponding Paillier private key $e_2$ and $k_2$ was generated by $P_2$ itself, the masking effect of the mask numbers $\beta_{1,2}, \nu_{1,2}$ chosen by $P_1$ means that $P_2$ cannot deduce $P_1$'s private key share component $x_1$ or random value $\gamma_1$; the information is transferred on this basis. The remaining cases are analogous and only the formulas are given.

$P_1$, after receiving the broadcast $K_3 = E_3(k_3)$ from $P_3$, computes by the homomorphic algorithm and sends to $P_3$:

$$D_{1,3} = (\gamma_1 \odot K_3) \oplus E_3(\beta_{1,3}) = E_3(\gamma_1 k_3 + \beta_{1,3}), \qquad \hat{D}_{1,3} = (x_1 \odot K_3) \oplus E_3(\nu_{1,3}) = E_3(x_1 k_3 + \nu_{1,3})$$

Similarly, $P_2$, after receiving $K_1 = E_1(k_1)$ from $P_1$, computes and sends to $P_1$:

$$D_{2,1} = (\gamma_2 \odot K_1) \oplus E_1(\beta_{2,1}) = E_1(\gamma_2 k_1 + \beta_{2,1}), \qquad \hat{D}_{2,1} = (x_2 \odot K_1) \oplus E_1(\nu_{2,1}) = E_1(x_2 k_1 + \nu_{2,1})$$

$P_2$, after receiving $K_3 = E_3(k_3)$ from $P_3$, computes and sends to $P_3$:

$$D_{2,3} = E_3(\gamma_2 k_3 + \beta_{2,3}), \qquad \hat{D}_{2,3} = E_3(x_2 k_3 + \nu_{2,3})$$

Similarly, $P_3$, after receiving $K_1 = E_1(k_1)$ from $P_1$, computes and sends to $P_1$:

$$D_{3,1} = E_1(\gamma_3 k_1 + \beta_{3,1}), \qquad \hat{D}_{3,1} = E_1(x_3 k_1 + \nu_{3,1})$$

$P_3$, after receiving $K_2 = E_2(k_2)$ from $P_2$, computes and sends to $P_2$:

$$D_{3,2} = E_2(\gamma_3 k_2 + \beta_{3,2}), \qquad \hat{D}_{3,2} = E_2(x_3 k_2 + \nu_{3,2})$$
S13:

Further, each participant $P_i$ decrypts the received intermediate ciphertexts $D_{j,i}$ and $\hat{D}_{j,i}$ with its own homomorphic encryption private key to obtain the plaintexts $\alpha_{j,i}$ and $\mu_{j,i}$, called intermediate plaintexts here, where:

$$\alpha_{j,i} = \gamma_j k_i + \beta_{j,i}, \qquad \mu_{j,i} = x_j k_i + \nu_{j,i}$$

From the first random value $k_i$, the second random value $\gamma_i$ and the intermediate plaintexts $\alpha_{j,i}$ (together with its own masks $\beta_{i,j}$), $P_i$ computes the intermediate value $\delta_i$; and from the private key share component $x_i$, the first random value $k_i$ and the intermediate plaintexts $\mu_{j,i}$ (together with its own masks $\nu_{i,j}$), $P_i$ computes the private key share component masking value $\chi_i$:

$$\delta_i = k_i\gamma_i + \sum_{j \neq i}\left(\alpha_{j,i} - \beta_{i,j}\right), \qquad \chi_i = k_i x_i + \sum_{j \neq i}\left(\mu_{j,i} - \nu_{i,j}\right)$$

Here there are two relations:

$$\text{relation 1:}\ \sum_{i \in [t+1]}\delta_i = k\cdot\gamma, \qquad \text{relation 2:}\ \sum_{i \in [t+1]}\chi_i = k\cdot\omega,$$

where $k = \sum_{i \in [t+1]} k_i$, $\gamma = \sum_{i \in [t+1]}\gamma_i$ and $\omega = \sum_{i \in [t+1]} x_i = \sum_{i \in [t+1]}\lambda_i s_i$ is the total private key. This is because the masks cancel in the sum: each $\beta_{j,i}$ appears once inside $\alpha_{j,i}$ in $\delta_i$ and is subtracted once in $\delta_j$, so

$$\sum_i \delta_i = \sum_i k_i\gamma_i + \sum_{i \neq j}\left(\gamma_j k_i + \beta_{j,i}\right) - \sum_{i \neq j}\beta_{i,j} = \sum_i\sum_j k_i\gamma_j = k\gamma,$$

and in exactly the same way $\sum_i \chi_i = \sum_i\sum_j k_i x_j = k\omega$.

In addition, $P_i$ computes the public key $\Gamma_i = \gamma_i G$ corresponding to the second random value $\gamma_i$.

Further, $P_i$ sends the computed intermediate value $\delta_i$ and the public key $\Gamma_i$ of the second random value to the other participants.

Specifically:

$P_1$ decrypts the received ciphertexts $D_{2,1}$ and $\hat{D}_{2,1}$ with its homomorphic encryption private key to obtain the intermediate plaintexts $\alpha_{2,1} = \gamma_2 k_1 + \beta_{2,1}$ and $\mu_{2,1} = x_2 k_1 + \nu_{2,1}$, and decrypts $D_{3,1}$ and $\hat{D}_{3,1}$ to obtain $\alpha_{3,1} = \gamma_3 k_1 + \beta_{3,1}$ and $\mu_{3,1} = x_3 k_1 + \nu_{3,1}$. It then computes $\delta_1 = \gamma_1 k_1 + (\alpha_{2,1} - \beta_{1,2} + \alpha_{3,1} - \beta_{1,3})$ and $\chi_1 = x_1 k_1 + (\mu_{2,1} - \nu_{1,2} + \mu_{3,1} - \nu_{1,3})$. In addition, $P_1$ computes the public key $\Gamma_1 = \gamma_1 G$ of its second random value and sends $\delta_1$ and $\Gamma_1$ to the other participants $P_2$ and $P_3$.

$P_2$ decrypts $D_{1,2}$ and $\hat{D}_{1,2}$ to obtain $\alpha_{1,2} = \gamma_1 k_2 + \beta_{1,2}$ and $\mu_{1,2} = x_1 k_2 + \nu_{1,2}$, and decrypts $D_{3,2}$ and $\hat{D}_{3,2}$ to obtain $\alpha_{3,2} = \gamma_3 k_2 + \beta_{3,2}$ and $\mu_{3,2} = x_3 k_2 + \nu_{3,2}$. It then computes $\delta_2 = \gamma_2 k_2 + (\alpha_{1,2} - \beta_{2,1} + \alpha_{3,2} - \beta_{2,3})$ and $\chi_2 = x_2 k_2 + (\mu_{1,2} - \nu_{2,1} + \mu_{3,2} - \nu_{2,3})$. In addition, $P_2$ computes $\Gamma_2 = \gamma_2 G$ and sends $\delta_2$ and $\Gamma_2$ to the other participants $P_1$ and $P_3$.

$P_3$ decrypts $D_{1,3}$ and $\hat{D}_{1,3}$ to obtain $\alpha_{1,3} = \gamma_1 k_3 + \beta_{1,3}$ and $\mu_{1,3} = x_1 k_3 + \nu_{1,3}$, and decrypts $D_{2,3}$ and $\hat{D}_{2,3}$ to obtain $\alpha_{2,3} = \gamma_2 k_3 + \beta_{2,3}$ and $\mu_{2,3} = x_2 k_3 + \nu_{2,3}$. It then computes $\delta_3 = \gamma_3 k_3 + (\alpha_{1,3} - \beta_{3,1} + \alpha_{2,3} - \beta_{3,2})$ and $\chi_3 = x_3 k_3 + (\mu_{1,3} - \nu_{3,1} + \mu_{2,3} - \nu_{3,2})$. In addition, $P_3$ computes $\Gamma_3 = \gamma_3 G$ and sends $\delta_3$ and $\Gamma_3$ to the other participants $P_1$ and $P_2$.

At this point $P_i$ locally holds $\delta_j$ and $\Gamma_j$ for all $j \in [t+1]$, together with its own $k_i$ and $\chi_i$. $P_i$ can therefore compute the point $R = \left(\sum_{j \in [t+1]}\delta_j\right)^{-1}\cdot\left(\sum_{j \in [t+1]}\Gamma_j\right)$. In fact, by relation 1 above,

$$R = \Big(\sum_{j \in [t+1]}\delta_j\Big)^{-1}\cdot\Big(\sum_{j \in [t+1]}\Gamma_j\Big) = \big((k_1+k_2+\cdots+k_{t+1})(\gamma_1+\gamma_2+\cdots+\gamma_{t+1})\big)^{-1}\cdot\Big(\sum_{j \in [t+1]}\Gamma_j\Big) = k^{-1}\gamma^{-1}\cdot\Big(\sum_{j \in [t+1]}\gamma_j G\Big) = k^{-1}\gamma^{-1}\gamma G = k^{-1}G,$$

which has the same form as in the ECDSA described above. $P_i$ then computes $r = f(R)$, where $f(R)$ can be the abscissa of the point $R$ as before. $P_i$ stores $(r, k_i, \chi_i)$ locally, and the offline stage ends.
For example:

$P_1$ locally holds $\delta_1, \delta_2, \delta_3, \Gamma_1, \Gamma_2, \Gamma_3, k_1, \chi_1$. As above, $P_1$ computes the point $R$ from $\delta_1, \delta_2, \delta_3, \Gamma_1, \Gamma_2, \Gamma_3$ and $r = f(R)$, and stores $(r, k_1, \chi_1)$ locally.
Similarly, $P_2$ locally holds $\delta_1, \delta_2, \delta_3, \Gamma_1, \Gamma_2, \Gamma_3, k_2, \chi_2$, computes the same point $R$ and $r = f(R)$, and stores $(r, k_2, \chi_2)$ locally.
Similarly, $P_3$ locally holds $\delta_1, \delta_2, \delta_3, \Gamma_1, \Gamma_2, \Gamma_3, k_3, \chi_3$, computes the same point $R$ and $r = f(R)$, and stores $(r, k_3, \chi_3)$ locally.

In addition, in S11 each participant may also generate a second zero-knowledge proof $\Phi_i$ for its first random value homomorphic ciphertext $K_i$ and broadcast it to the other participants; correspondingly, in S12 each participant that receives a first random value homomorphic ciphertext $K_i$ and the corresponding second zero-knowledge proof $\Phi_i$ verifies $K_i$ using $\Phi_i$. This resists attacks by malicious adversaries. If the verification passes, the flow of this embodiment continues; otherwise the ciphertext is illegitimate and the flow can be terminated.

In addition, in S11 each participant may also generate the hash $g_i = H_1(\gamma_i G) = H_1(\Gamma_i)$ corresponding to its second random value public key $\Gamma_i = \gamma_i G$ and broadcast it to the other participants; correspondingly, later in the offline stage, each participant that receives a second random value public key $\Gamma_i = \gamma_i G$ and the corresponding hash $g_i$ verifies $\Gamma_i$ against $g_i$. This resists attacks by malicious adversaries. If the verification passes, the flow of this embodiment continues; otherwise the value is illegitimate and the flow can be terminated.

In addition, in S12 each participant may also generate a third zero-knowledge proof $\Phi_{i,j}$ and a fourth zero-knowledge proof $\hat{\Phi}_{i,j}$: $\Phi_{i,j}$ proves the correctness of the intermediate ciphertext $D_{i,j}$, and $\hat{\Phi}_{i,j}$ proves the correctness of the intermediate ciphertext $\hat{D}_{i,j}$. Correspondingly, in S13 each participant that receives an intermediate ciphertext $D_{i,j}$ and the corresponding third zero-knowledge proof $\Phi_{i,j}$ verifies $D_{i,j}$ using $\Phi_{i,j}$, and each participant that receives an intermediate ciphertext $\hat{D}_{i,j}$ and the corresponding fourth zero-knowledge proof $\hat{\Phi}_{i,j}$ verifies $\hat{D}_{i,j}$ using $\hat{\Phi}_{i,j}$. This resists attacks by malicious adversaries. If the verification passes, the flow of this embodiment continues; otherwise the ciphertext is illegitimate and the flow can be terminated.
Online stage: each of the at least t+1 participants uses its own first random value $k_i$, private key share component masking value $\chi_i$ and the coordinate component $r$ to sign the same message, obtaining at least t+1 signature shares $\sigma_i$.
For a message $m$, its hash value is $H(m)$. Each of the at least t+1 participants $P_i$ uses the locally stored $(r, k_i, \chi_i)$ and $H(m)$ to compute the signature share $sig_i = (r, \sigma_i)$; specifically, $\sigma_i$ can be computed by the following formula:
$\sigma_i = k_i H(m) + \chi_i r$
In this way, after any party obtains at least t+1 signature shares, these shares can be aggregated into a total signature $sig = (r, \sigma)$. The correctness of the total signature can be verified using the aforementioned total public key $X$, because the form of the formula is identical to that of the ECDSA described above.
It should be noted first that the following relationship exists:
Thus, at least t+1 signature shares aggregate into a total signature $\sigma$ as follows:
Here $x = s_{10} + s_{20} + \dots + s_{n0} = f(0)$, and one sees that $\sigma = k\cdot H(m) + k\cdot x\cdot r$, substantially identical to formula (a) in the ECDSA signature algorithm described above; it is therefore apparent that verification with the total public key $X$ can be employed.
Continuing the example above, any party (one of the n=5 participants, or a party other than these n=5 participants) obtains t+1=3 signature shares:
$\sigma_1 = k_1 H(m) + \chi_1 r$
$\sigma_2 = k_2 H(m) + \chi_2 r$
$\sigma_3 = k_3 H(m) + \chi_3 r$
first, the following relationship exists:
Then $\sigma$ is calculated as $\sigma = \sum_{i\in[1,3]} \sigma_i = \sum_{i\in[1,3]} (k_i H(m) + \chi_i r) = \sum_{i\in[1,3]} k_i H(m) + \sum_{i\in[1,3]} \chi_i r$
$= (k_1 + k_2 + k_3)\cdot H(m) + (k_1 + k_2 + k_3)\cdot(x_1 + x_2 + x_3)\cdot r = k\cdot H(m) + k\cdot x\cdot r$
Here $x = s_{10} + s_{20} + \dots + s_{50} = f(0)$, i.e. equal to the sum of the secrets set by each of the n participants in the distributed threshold signature protocol. It can be seen that $\sigma = k\cdot H(m) + k\cdot x\cdot r$ here is substantially the same as equation (a) in the ECDSA signature algorithm described above, and therefore the total public key $X$ can obviously be used for verification.
The above example mainly describes the case of exactly t+1 participants. In practice there may be more than t+1 participants; taking the relation $x_1 + x_2 + x_3 = \lambda_1 s_1 + \lambda_2 s_2 + \lambda_3 s_3$ above as an example, the relation then becomes:
$x_1 + x_2 + x_3 + x_4 = \lambda_1 s_1 + \lambda_2 s_2 + \lambda_3 s_3 + \lambda_4 s_4$
The result of this formula is likewise equal to $f(0) = s_{10} + s_{20} + s_{30} + s_{40} + s_{50}$, i.e. also equal to the sum of the secrets set by each of the n participants in the distributed threshold signature protocol, which is also the result of the above calculation using Lagrange interpolation. It can be seen that when the number of participants in the distributed signature protocol phase is greater than t+1, the same aggregate signature is still obtained through the above procedure as when it is exactly t+1, and it can therefore still be verified with the total public key.
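As an added illustration (example code, not the patent's own implementation), the following Python simulation carries the derivation above through end to end: a simulated distributed key generation with shares $s_j = f(j)$, Lagrange coefficients $\lambda_i$ giving $x_i = \lambda_i s_i$, an offline phase that leaves each signer with $(r, k_i, \chi_i)$ where $\sum k_i = k$, $\sum \chi_i = k\cdot x$ and $r$ is the abscissa of $R = k^{-1}G$, the online shares $\sigma_i = k_i H(m) + \chi_i r$, and verification of the aggregated $(r, \sigma)$ by plain ECDSA under the total public key $X$. It assumes secp256k1 and SHA-256, and the multiplicative-to-additive split is computed directly instead of with the patent's Paillier ciphertexts and proofs; it also covers the case of more than t+1 signers discussed above.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumed here; the patent fixes no particular curve).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B                     # adding the point at infinity
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow((B[0] - A[0]) % P, -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def ec_mul(n, A):
    """Double-and-add scalar multiplication n*A."""
    R, n = None, n % Q
    while n:
        if n & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        n >>= 1
    return R

def hash_msg(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q   # H(m) mod Q

def lagrange(i, ids):
    """Lagrange coefficient lambda_i for recovering f(0) from the shares held by ids."""
    lam = 1
    for j in ids:
        if j != i:
            lam = lam * j * pow((j - i) % Q, -1, Q) % Q
    return lam

def dkg(n, t):
    """Simulated DKG: P_i picks a degree-t polynomial f_i with secret s_i0 = f_i(0);
    P_j's private key share is s_j = sum_i f_i(j) = f(j) and X = f(0)*G."""
    polys = {i: [secrets.randbelow(Q) for _ in range(t + 1)] for i in range(1, n + 1)}
    shares = {j: sum(c * pow(j, e, Q) for i in polys for e, c in enumerate(polys[i])) % Q
              for j in range(1, n + 1)}
    X = ec_mul(sum(polys[i][0] for i in polys) % Q, G)
    return shares, X

def mta(a, b):
    """Multiplicative-to-additive split: alpha + beta = a*b (mod Q). The patent does this
    with Paillier ciphertexts and range proofs; the simulation computes it directly."""
    beta = secrets.randbelow(Q)
    return (a * b - beta) % Q, beta

def offline(shares, ids):
    """Offline phase: signer P_i ends with (r, k_i, chi_i) where sum k_i = k,
    sum chi_i = k*x and r is the abscissa of R = k^-1 * G."""
    k = {i: secrets.randbelow(Q) for i in ids}        # first random values k_i
    gamma = {i: secrets.randbelow(Q) for i in ids}    # second random values gamma_i
    x = {i: lagrange(i, ids) * shares[i] % Q for i in ids}   # x_i = lambda_i * s_i
    delta = {i: k[i] * gamma[i] % Q for i in ids}
    chi = {i: k[i] * x[i] % Q for i in ids}
    for i in ids:
        for j in ids:
            if i != j:
                a, b = mta(k[i], gamma[j])   # k_i*gamma_j split between P_i and P_j
                delta[i], delta[j] = (delta[i] + a) % Q, (delta[j] + b) % Q
                a, b = mta(k[i], x[j])       # k_i*x_j split between P_i and P_j
                chi[i], chi[j] = (chi[i] + a) % Q, (chi[j] + b) % Q
    Gamma = None
    for i in ids:                                    # sum of broadcast Gamma_j = gamma_j*G
        Gamma = ec_add(Gamma, ec_mul(gamma[i], G))
    d = sum(delta.values()) % Q                      # delta = k*gamma
    R = ec_mul(pow(d, -1, Q), Gamma)                 # delta^-1 * gamma*G = k^-1 * G
    return {i: (R[0] % Q, k[i], chi[i]) for i in ids}

def online(local, m):
    """Online phase: sigma_i = k_i*H(m) + chi_i*r per signer, aggregated to (r, sigma)."""
    h = hash_msg(m)
    r = next(iter(local.values()))[0]
    sigma = sum(k_i * h + chi_i * r for (_, k_i, chi_i) in local.values()) % Q
    return r, sigma

def ecdsa_verify(X, m, r, s):
    """Plain ECDSA verification of (r, s) against the total public key X."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    V = ec_add(ec_mul(hash_msg(m) * w % Q, G), ec_mul(r * w % Q, X))
    return V is not None and V[0] % Q == r

def threshold_sign_and_verify(n=5, t=2, ids=(1, 2, 3), m=b"constructed message"):
    shares, X = dkg(n, t)
    r, s = online(offline(shares, ids), m)
    return ecdsa_verify(X, m, r, s)
```

With fewer than t+1 signers the Lagrange combination no longer yields $f(0)$, so the aggregated signature fails verification, which is the threshold property the derivation relies on.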
The effects of the embodiments of the present application are as follows. First, any threshold value can be supported. Second, to resist malicious adversaries, the scheme published by Fireblocks at CCS 2020, UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts, uses a large number of zero-knowledge proofs. Compared with that method, the scheme of the present application only needs to prove that the Paillier ciphertexts lie in a specific range in the distributed signature protocol and requires no other zero-knowledge proofs, which reduces the computation and communication complexity by 40%, and the scheme provided by the application can be proven secure in the generic group model.
As with other ECC-based signature schemes, the same $k$ cannot be used to sign twice, otherwise others could recover $k$ from the two signatures. Therefore a fresh $k$ is preferably used for each signature. This can be done by having at least t+1 participants run the offline phase again to generate at least t+1 new $k_i$, and thereby a new $k$.
The above procedure may be that the n participants cooperatively perform the distributed key generation phase once, and then at least t+1 participants perform the offline phase plus the online phase each time a signature is made. Alternatively, after the n participants cooperatively perform the distributed key generation phase, at least t+1 participants may perform multiple offline phases, thereby generating multiple different $k$ values, and thus different $R$ values and corresponding $r$ values, one for each subsequent online-phase signature.
An embodiment of a computer device of the present application is described below, comprising:
a processor;
and a memory in which a program is stored, wherein when the processor executes the program, the following operations are performed:
generating a private key share $s_i$ through a distributed key generation protocol, generating a homomorphic encryption public-private key pair and sending the homomorphic encryption public key;
generating its own first random value $k_i$ and second random value $\gamma_i$, adopting the homomorphic encryption algorithm of the homomorphic encryption public-private key pair, obtaining the coordinate component $r$ through an offline stage protocol and the second random value $\gamma_i$, and obtaining a private key share component masking value $\chi_i$ based on the respective private key share $s_i$;
using its own first random value $k_i$, private key share component masking value $\chi_i$ and the coordinate component $r$ to sign the same message, resulting in at least t+1 signature shares $\sigma_i$.
The following describes an embodiment of a storage medium of the present application for storing a program, wherein the program, when executed, performs the following operations:
generating a private key share $s_i$ through a distributed key generation protocol, generating a homomorphic encryption public-private key pair and sending the homomorphic encryption public key;
generating its own first random value $k_i$ and second random value $\gamma_i$, adopting the homomorphic encryption algorithm of the homomorphic encryption public-private key pair, obtaining the coordinate component $r$ through an offline stage protocol and the second random value $\gamma_i$, and obtaining a private key share component masking value $\chi_i$ based on the respective private key share $s_i$;
using its own first random value $k_i$, private key share component masking value $\chi_i$ and the coordinate component $r$ to sign the same message, resulting in at least t+1 signature shares $\sigma_i$.
In the 1990s, an improvement to a technology could be clearly distinguished as an improvement in hardware (e.g., an improvement to a circuit structure such as a diode, transistor or switch) or an improvement in software (an improvement to a method flow). However, with the development of technology, many improvements of today's method flows can be regarded as direct improvements of hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement of a method flow cannot be realized by a hardware entity module. For example, a programmable logic device (Programmable Logic Device, PLD) (e.g., a field programmable gate array (Field Programmable Gate Array, FPGA)) is an integrated circuit whose logic function is determined by the user's programming of the device. A designer programs to "integrate" a digital system onto a PLD without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, nowadays, instead of manually manufacturing integrated circuit chips, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation is also written in a specific programming language, called a hardware description language (Hardware Description Language, HDL), of which there is not just one but many kinds, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained by merely slightly programming the method flow into an integrated circuit using several of the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor together with a computer readable medium storing computer readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a programmable logic controller, or an embedded microcontroller; examples of such controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely in computer readable program code, it is entirely possible to implement the same functionality by logically programming the method steps so that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller may thus be regarded as a kind of hardware component, and the means included in it for performing various functions may also be regarded as structures within the hardware component. Indeed, means for achieving the various functions may be regarded both as software modules implementing the method and as structures within a hardware component.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation device is a server system. Of course, the application does not exclude that as future computer technology advances, the computer implementing the functions of the above-described embodiments may be, for example, a personal computer, a laptop computer, a car-mounted human-computer interaction device, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Although one or more embodiments of the present description provide method operation steps as described in the embodiments or flowcharts, more or fewer operation steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one way of performing the steps and does not represent a unique order of execution. When implemented in an actual device or end product, the instructions may be executed sequentially or in parallel (e.g., in a parallel processor or multi-threaded processing environment, or even in a distributed data processing environment) as illustrated by the embodiments or by the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, it is not excluded that additional identical or equivalent elements may be present in a process, method, article, or apparatus that comprises a described element. For example, the words first, second, etc. are used to indicate names and do not indicate any particular order.
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, when one or more of the present description is implemented, the functions of each module may be implemented in the same piece or pieces of software and/or hardware, or a module that implements the same function may be implemented by a plurality of sub-modules or a combination of sub-units, or the like. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage, graphene storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
One skilled in the relevant art will recognize that one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Moreover, one or more embodiments of the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
One or more embodiments of the present specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the present specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, each embodiment is described in a progressive manner; identical and similar parts of the embodiments may be referred to each other, and each embodiment mainly describes its differences from the other embodiments. In particular, for the system embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and the relevant parts can be found in the description of the method embodiments. In the description of the present specification, a description referring to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present specification. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined by those skilled in the art without contradiction.
The foregoing is merely an example of one or more embodiments of the present specification and is not intended to limit the one or more embodiments of the present specification. Various modifications and alterations to one or more embodiments of this description will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, or the like, which is within the spirit and principles of the present specification, should be included in the scope of the claims.

Claims (12)

1. A method of implementing a distributed threshold signature, comprising:
a distributed key generation stage: each of the n participants generates a respective private key share through a distributed key generation protocol, generates a homomorphic encryption public-private key pair respectively, and sends the homomorphic encryption public key to other participants;
an offline phase of distributed signing, each of at least t+1 participants performs: generating a first random value and a second random value of the self, adopting a homomorphic encryption algorithm of the homomorphic encryption public-private key pair, obtaining a coordinate component through an offline stage protocol and the second random value, and obtaining a private key share component masking value based on respective private key shares;
an online phase of the distributed signature, each of the at least t+1 participants performing: signing the message using its own first random value, private key share component masking value and the coordinate component to obtain a signature share.
2. The method of claim 1, each of the n participants generating a respective private key share via a distributed key generation protocol, comprising:
each of the n participants sets own secret and corresponding public key, generates hash value of own secret corresponding public key, and broadcasts the secret corresponding public key and hash value of secret corresponding public key;
each of the n participants receives the secret corresponding public key broadcast by the other participant and the hash value of the secret corresponding public key, and verifies the secret corresponding public key sent by the other participant through the hash value.
3. The method of claim 1, further comprising:
each of the n participants employing a first zero knowledge proof to provide proof of the generated homomorphic encryption public key;
after each of the n participants receives the homomorphic encryption public key and the corresponding first zero knowledge proof, the corresponding homomorphic encryption public key is verified through the first zero knowledge proof.
4. The method of claim 1, each of at least t+1 number of participants in the offline phase performing:
s11: generating a first random value and a second random value, calculating a first random value homomorphic ciphertext and broadcasting;
S12: receiving a first random value homomorphic ciphertext, calculating an intermediate ciphertext based on the first random value homomorphic ciphertext, and broadcasting;
S13: receiving the intermediate ciphertexts broadcast by the other participants, decrypting them to obtain intermediate plaintexts, calculating an intermediate value based on its own first random value and second random value and the intermediate plaintexts obtained by decryption, calculating a public key corresponding to the second random value, and broadcasting the intermediate value and the public key corresponding to the second random value; calculating a private key share component based on the private key share, calculating a private key share component masking value based on the private key share component, the first random value and the intermediate plaintexts, and storing the private key share component masking value;
s14: and calculating and storing coordinate components based on the public key corresponding to the intermediate value and the second random value.
5. The method of claim 4, wherein the calculating the intermediate ciphertext based on the first random value homomorphic ciphertext comprises:
and selecting two mask numbers, and calculating an intermediate ciphertext based on the two selected mask numbers, the second random value and the homomorphic ciphertext of the first random value.
6. The method of claim 4, wherein each of the participants also generates a second zero knowledge proof of the first random value homomorphic ciphertext and broadcasts to the other participants in S11;
correspondingly, in S12, after each participant receives the first random value homomorphic ciphertext and the corresponding second zero knowledge proof, the corresponding first random value homomorphic ciphertext is verified through the second zero knowledge proof.
7. The method of claim 4, each of the participants further generating a corresponding hash of the second random value public key and broadcasting to the other participants;
correspondingly, in the subsequent offline stage, after each participant receives the second random value public key and the corresponding hash, the corresponding second random value public key is verified through the hash.
8. The method of claim 5, wherein in S12, each of the participants may also generate a third zero-knowledge proof and a fourth zero-knowledge proof;
correspondingly, in S13, after each participant receives the intermediate ciphertext and the corresponding third zero knowledge proof, verifying the corresponding intermediate ciphertext through the third zero knowledge proof; after each participant receives the intermediate ciphertext and the corresponding fourth zero knowledge proof, the corresponding intermediate ciphertext is verified through the fourth zero knowledge proof.
9. The method of claim 1, wherein after any party obtains at least t+1 signature shares, the at least t+1 signature shares are aggregated into a total signature.
10. The method of claim 2, the n participants further generating a total public key via a distributed key generation protocol; after any party obtains the total signature and the total public key, the correctness of the total signature is verified by adopting the total public key.
11. A computer device, comprising:
a processor;
and a memory in which a program is stored, wherein when the processor executes the program, the following operations are performed:
generating a private key share through a distributed key generation protocol, generating a homomorphic encryption public-private key pair, and transmitting the homomorphic encryption public key;
generating a first random value and a second random value, further adopting a homomorphic encryption algorithm of the homomorphic encryption public-private key pair, obtaining a coordinate component through an offline stage protocol and the second random value, and obtaining a private key share component masking value based on respective private key shares;
and signing the message using its own first random value, private key share component masking value and the coordinate component to obtain a signature share.
12. A storage medium storing a program, wherein the program when executed performs the operations of:
generating a private key share through a distributed key generation protocol, generating a homomorphic encryption public-private key pair, and transmitting the homomorphic encryption public key;
generating a first random value and a second random value, further adopting a homomorphic encryption algorithm of the homomorphic encryption public-private key pair, obtaining a coordinate component through an offline stage protocol and the second random value, and obtaining a private key share component masking value based on respective private key shares;
and signing the message using its own first random value, private key share component masking value and the coordinate component to obtain a signature share.
CN202311120249.1A 2023-08-31 2023-08-31 Method for realizing threshold signature, computer equipment and storage medium Pending CN116915414A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311120249.1A CN116915414A (en) 2023-08-31 2023-08-31 Method for realizing threshold signature, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116915414A true CN116915414A (en) 2023-10-20

Family

ID=88366972

Country Status (1)

Country Link
CN (1) CN116915414A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117728959A (en) * 2024-02-06 2024-03-19 中国信息通信研究院 Threshold signature method and device, electronic equipment and storage medium
CN117728959B (en) * 2024-02-06 2024-05-10 中国信息通信研究院 Threshold signature method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination