CN117155551A - Secret information sharing method, system, equipment and storage medium - Google Patents
Secret information sharing method, system, equipment and storage medium Download PDFInfo
- Publication number
- CN117155551A CN117155551A CN202310954869.9A CN202310954869A CN117155551A CN 117155551 A CN117155551 A CN 117155551A CN 202310954869 A CN202310954869 A CN 202310954869A CN 117155551 A CN117155551 A CN 117155551A
- Authority
- CN
- China
- Prior art keywords
- secret
- participating
- participating nodes
- shares
- share
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 82
- 239000013598 vector Substances 0.000 claims abstract description 48
- 239000011159 matrix material Substances 0.000 claims description 39
- 238000006243 chemical reaction Methods 0.000 claims description 20
- 238000004590 computer program Methods 0.000 claims description 12
- 238000004364 calculation method Methods 0.000 claims description 11
- 238000012937 correction Methods 0.000 claims description 10
- 230000005540 biological transmission Effects 0.000 claims description 5
- 230000000717 retained effect Effects 0.000 claims description 4
- 230000008569 process Effects 0.000 abstract description 13
- 238000005516 engineering process Methods 0.000 abstract description 6
- 238000010586 diagram Methods 0.000 description 5
- 238000004422 calculation algorithm Methods 0.000 description 3
- 238000007726 management method Methods 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000010187 selection method Methods 0.000 description 2
- 230000008901 benefit Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000004806 packaging method and process Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000002441 reversible effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
本发明公开了一种秘密信息的共享方法、系统、设备及存储介质,应用于信息安全技术领域,解决了经典秘密共享方案可靠性低灵活性差的问题,包括:将秘密信息转换伽罗华域中的一个元素,作为秘密元素,并与伽罗华域中的k‑1个元素构成待编码向量;基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息对待编码向量编码,得到包括n个元素的编码结果并划分为n个份额发送给n个参与节点,使得r个参与节点利用r个份额进行秘密重构。应用本发明的方案,能够有效应对秘密重构阶段存在的参与节点恶意欺诈的情况,是信息论安全而不是计算意义上的安全,秘密重构时无需分发节点参与,秘密分发过程没有数据扩展,有利于进一步保障安全性。
The invention discloses a secret information sharing method, system, equipment and storage medium, which are applied in the field of information security technology and solve the problem of low reliability and poor flexibility of the classic secret sharing scheme, including: converting the secret information into a Galois domain An element in is used as a secret element and forms a vector to be encoded with k -1 elements in the Galois field; based on the encoding rules of the generalized Reed Solomon code, the vector to be encoded is encoded through the identity information of n participating nodes, The encoding result including n elements is obtained and divided into n shares and sent to n participating nodes, so that r participating nodes use r shares for secret reconstruction. Applying the solution of the present invention can effectively deal with the malicious fraud of participating nodes in the secret reconstruction stage. It is information-theoretic security rather than security in the computational sense. There is no need for distribution nodes to participate in secret reconstruction, and there is no data expansion in the secret distribution process. Conducive to further ensuring security.
Description
技术领域Technical field
本发明涉及信息安全技术领域,特别是涉及一种秘密信息的共享方法、系统、设备及存储介质。The present invention relates to the field of information security technology, and in particular to a secret information sharing method, system, equipment and storage medium.
背景技术Background technique
随着信息化、数字化、智能化的持续发展,数据泄露成为一个日益严峻的问题。密码学为保障数据安全提供了许多实用技术,如加密和数字签名等。在密码体系中,由于密码算法本身的安全性要求和密码算法应用的普及化,使得密码算法的实现细节总是公开的。因此,商用密码体系的安全性取决于密钥的机密性,密钥管理是密码学领域的一个重要研究方向。With the continuous development of informatization, digitization, and intelligence, data leakage has become an increasingly serious problem. Cryptography provides many practical technologies to ensure data security, such as encryption and digital signatures. In the cryptographic system, due to the security requirements of the cryptographic algorithm itself and the popularization of cryptographic algorithm applications, the implementation details of the cryptographic algorithm are always public. Therefore, the security of commercial cryptography systems depends on the confidentiality of keys, and key management is an important research direction in the field of cryptography.
如图1所示,为目前一种常用的密钥管理方法的示意图,图1是门限秘密共享方案,它将密钥或其他敏感信息分割成若干份额,即分割成若干部分,然后交给不同的参与者保管。门限秘密共享方案要求只有不少于一定数量(门限值k)的参与者合作时,才能恢复出秘密,少于门限值的参与者则无法恢复出秘密。能够重构秘密的参与者集合叫做授权集,否则叫做非授权集,所有授权集构成了秘密共享方案的存取结构。As shown in Figure 1, it is a schematic diagram of a commonly used key management method. Figure 1 is a threshold secret sharing scheme, which divides the key or other sensitive information into several shares, that is, divided into several parts, and then handed over to different safekeeping of the participants. The threshold secret sharing scheme requires that the secret can be recovered only when no less than a certain number of participants (threshold value k ) cooperate, and the secret cannot be recovered by participants less than the threshold value. The set of participants who can reconstruct the secret is called the authorized set, otherwise it is called the non-authorized set. All authorized sets constitute the access structure of the secret sharing scheme.
图1这种经典秘密共享技术的有效性依赖于一定的假设,即所有参与者都是诚实的。然而现实中这种假设是不合理的,因为在秘密重构阶段某些参与者可能出示虚假的份额,致使诚实的参与者无法恢复出秘密或者得到错误的结果,而欺诈者却可以利用诚实参与者的份额重构出秘密,从而使系统的可靠性受到重大威胁。此外,目前的方案中,一些防欺诈的方法是构造可验证的秘密共享方案,例如采用数字签名的方法验证参与者的份额,在份额之外引入所谓的影子份额等等。然而,这类方案的安全性是依赖于离散对数问题或者质因子分解问题的困难性,因此是计算层面的安全,而无法抵抗具有极大计算能力的量子计算攻击。Figure 1 The effectiveness of this classic secret sharing technique relies on certain assumptions, that is, all participants are honest. However, this assumption is unreasonable in reality, because some participants may produce false shares during the secret reconstruction stage, causing honest participants to be unable to recover the secret or obtain wrong results, while fraudsters can take advantage of honest participation The secret is reconstructed from the attacker's share, thereby posing a major threat to the reliability of the system. In addition, in the current scheme, some anti-fraud methods are to construct a verifiable secret sharing scheme, such as using digital signatures to verify the participants' shares, introducing so-called shadow shares in addition to the shares, and so on. However, the security of this type of scheme relies on the difficulty of the discrete logarithm problem or the prime factorization problem, so it is security at the computational level and cannot resist quantum computing attacks with extremely large computing power.
综上所述,如何有效地实现秘密信息的共享,提高可靠性,是目前本领域技术人员急需解决的技术问题。To sum up, how to effectively realize the sharing of secret information and improve reliability is an urgent technical problem that those skilled in the art need to solve.
发明内容Contents of the invention
本发明的目的是提供一种秘密信息的共享方法、系统、设备及存储介质,以有效地实现秘密信息的共享,提高可靠性。The purpose of the present invention is to provide a secret information sharing method, system, equipment and storage medium, so as to effectively realize the sharing of secret information and improve reliability.
为解决上述技术问题,本发明提供如下技术方案:In order to solve the above technical problems, the present invention provides the following technical solutions:
一种秘密信息的共享方法,包括:A method of sharing secret information, including:
按照设定的转换规则,将秘密信息转换为设定的伽罗华域中的一个元素,作为秘密元素;According to the set conversion rules, the secret information is converted into an element in the set Galois domain as a secret element;
从设定的伽罗华域中选取出n个互异的元素,作为n个参与节点的公开的身份信息;Select n different elements from the set Galois field as the public identity information of n participating nodes;
从所述伽罗华域中选取出k-1个元素,并与所述秘密元素一起构成一个包含k个元素的待编码向量;Select k -1 elements from the Galois field, and together with the secret element form a vector to be encoded containing k elements;
基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息对所述待编码向量进行编码,得到包括n个元素的编码结果;Based on the encoding rules of the generalized Reed-Solomon code, the vector to be encoded is encoded through the identity information of n participating nodes to obtain an encoding result including n elements;
按照元素位置的不同,将所述编码结果划分为n个份额并分别发送给n个参与节点,以使得当r个参与节点利用r个份额进行秘密重构时,如果r=k,则基于r个份额重构出所述秘密元素并确定出对应于所述秘密元素的秘密信息,如果r>k且判断出r个份额中存在虚假份额时,进行虚假份额的纠正之后再重构出所述秘密元素,并确定出对应于所述秘密元素的秘密信息;According to the different positions of the elements, the encoding result is divided into n shares and sent to n participating nodes respectively, so that when r participating nodes use r shares for secret reconstruction, if r = k , then based on r The secret elements are reconstructed from the shares and the secret information corresponding to the secret elements is determined. If r > k and it is judged that there are false shares among the r shares, the false shares are corrected and then the secret information is reconstructed. a secret element and determining the secret information corresponding to said secret element;
其中,n为不小于2的正整数,k为正整数表示的是实现秘密重构的最小份额数量,r为正整数,且r<k时无法实现秘密重构,r>k时虚假份额的纠正数量不超过。Among them, n is a positive integer not less than 2, k is a positive integer indicating the minimum number of shares to achieve secret reconstruction, r is a positive integer, and when r < k , secret reconstruction cannot be achieved, and when r > k , false shares The number of corrections shall not exceed .
在一种实施方式中,所述从设定的伽罗华域中选取出n个互异的元素,作为n个参与节点的公开的身份信息,包括:In one implementation, n different elements are selected from the set Galois field as the public identity information of n participating nodes, including:
从设定的伽罗华域中随机地选取出n个互异的元素,作为n个参与节点的公开的身份信息。 n different elements are randomly selected from the set Galois field as the public identity information of n participating nodes.
在一种实施方式中,所述从设定的伽罗华域中随机地选取出n个互异的元素,作为n个参与节点的公开的身份信息,包括:In one implementation, n different elements are randomly selected from the set Galois field as the public identity information of n participating nodes, including:
从设定的伽罗华域中均匀随机地选取出n个互异的元素,作为n个参与节点的公开的身份信息。 N different elements are uniformly and randomly selected from the set Galois field as the public identity information of the n participating nodes.
在一种实施方式中,所述从所述伽罗华域中选取出k-1个元素,并与所述秘密元素一起构成一个包含k个元素的待编码向量,包括In one implementation, k -1 elements are selected from the Galois field, and together with the secret element, a vector to be encoded containing k elements is formed, including
从所述伽罗华域中均匀随机地选取出k-1个元素,并与所述秘密元素一起构成一个包含k个元素的待编码向量。 k -1 elements are uniformly and randomly selected from the Galois field, and together with the secret elements form a vector to be encoded containing k elements.
在一种实施方式中,所述基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息对所述待编码向量进行编码,得到包括n个元素的编码结果,包括:In one implementation, the encoding rule based on the generalized Reed-Solomon code encodes the vector to be encoded through the identity information of n participating nodes to obtain an encoding result including n elements, including:
基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息建立范德蒙矩阵,并通过建立的所述范德蒙矩阵对所述待编码向量进行编码,得到包括n个元素的编码结果。Based on the encoding rules of the generalized Reed-Solomon code, a Vandermond matrix is established through the identity information of n participating nodes, and the vector to be encoded is encoded through the established Vandermond matrix to obtain an encoding result including n elements.
在一种实施方式中,所述基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息建立范德蒙矩阵,并通过建立的所述范德蒙矩阵对所述待编码向量进行编码,得到包括n个元素的编码结果,包括:In one implementation, the encoding rule based on the generalized Reed-Solomon code establishes a Vandermond matrix through the identity information of n participating nodes, and encodes the vector to be encoded through the established Vandermond matrix to obtain: The encoding result of n elements includes:
基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息,按照(s 1,...,s n )=a·G的计算方式,对所述待编码向量进行编码,得到包括n个元素的编码结果;Based on the coding rules of the generalized Reed-Solomon code, the identity information of n participating nodes is used to encode the vector to be encoded according to the calculation method of ( s 1 ,..., s n ) = a · G , and the result includes: Encoding result of n elements;
其中,a为包含k个元素的所述待编码向量,G为通过n个参与节点的身份信息建立的范德蒙矩阵,且,s 1至s n 为得到的包括n个元素的编码结果,/>至/>为n个参与节点各自的身份信息。Where, a is the vector to be encoded containing k elements, G is a Vandermond matrix established through the identity information of n participating nodes, and , s 1 to s n are the obtained encoding results including n elements, /> to/> is the identity information of each of the n participating nodes.
在一种实施方式中,还包括:In one embodiment, it also includes:
当需要新增加1个参与节点时,由当前参与节点中不少于k个参与节点,按照预设的份额新增规则进行操作,以使得新增加的参与节点得到1个新增份额。When a new participating node needs to be added, no less than k participating nodes among the current participating nodes will operate according to the preset share addition rules, so that the newly added participating node gets an additional share.
在一种实施方式中,当需要新增加1个参与节点时,由当前参与节点中不少于k个参与节点,按照预设的份额新增规则进行操作,以使得新增加的参与节点得到1个新增份额,包括:In one implementation, when a new participating node needs to be added, no less than k participating nodes among the current participating nodes will operate according to the preset share addition rules, so that the newly added participating node gets 1 new shares, including:
当需要新增加1个参与节点时,由当前的n个参与节点中的r个参与节点进行各自的中间值的计算;When a new participating node needs to be added, the r participating nodes among the current n participating nodes will calculate their respective intermediate values;
其中,r个参与节点中的第i个参与节点所计算出的中间值表示为,s i 为第i个参与节点的份额,m i 为M -1的前k列子矩阵的第i行向量,矩阵/>,M -1为M的逆矩阵,/>,/>至为n个参与节点各自的身份信息,/>为新增加的参与节点的身份信息,T为转置矩阵符号,r≥k;Among them, the intermediate value calculated by the i- th participating node among the r participating nodes Expressed as , s i is the share of the i- th participating node, m i is the i- th row vector of the first k -column submatrix of M -1 , matrix /> , M -1 is the inverse matrix of M , /> ,/> to is the identity information of each of the n participating nodes,/> is the identity information of the newly added participating nodes, T is the symbol of the transposed matrix, r ≥ k ;
基于预设的信息安全发送方式,使得新增加的参与节点确定出至/>的总和,并将所述总和作为新增加的参与节点所得到的1个新增份额,且使得新增加的参与节点无法确定出/>至/>中的任何1个中间值。Based on the preset secure information sending method, the newly added participating nodes determine to/> The total of , and the sum will be used as 1 new share obtained by the newly added participating nodes, and the newly added participating nodes cannot be determined/> to/> any intermediate value in .
在一种实施方式中,基于预设的信息安全发送方式,使得新增加的参与节点确定出至/>的总和,并将所述总和作为新增加的参与节点所得到的1个新增份额,且使得新增加的参与节点无法确定出/>至/>中的任何1个中间值,包括:In one implementation, based on the preset secure information sending method, newly added participating nodes determine to/> The total of , and the sum will be used as 1 new share obtained by the newly added participating nodes, and the newly added participating nodes cannot be determined/> to/> Any intermediate value in , including:
对于r个参与节点中的每1个参与节点,该参与节点将自身计算出的中间值分成r个数据,以使得分成的r个数据的和等于自身计算出的中间值,并且该参与节点在保留r个数据中的1个数据之后,将其余的r-1个数据分别发送给其余的r-1个参与节点;For each participating node among r participating nodes, the participating node divides the intermediate value calculated by itself into r data, so that the sum of the divided r data is equal to the intermediate value calculated by itself, and the participating node is in After retaining 1 piece of r data, the remaining r- 1 data are sent to the remaining r- 1 participating nodes;
对于r个参与节点中的每1个参与节点,该参与节点将保留的1个数据与接收到的r-1个数据进行求和,并将求和结果发送给新增加的参与节点,以使得新增加的参与节点将r个参与节点的发送数据进行求和之后得到至/>的总和,并将所述总和作为新增加的参与节点所得到的1个新增份额。For each participating node among r participating nodes, the participating node sums the retained 1 data with the received r- 1 data, and sends the summation result to the newly added participating node, so that The newly added participating node sums the sent data of r participating nodes and obtains to/> The sum will be regarded as one new share obtained by the newly added participating nodes.
在一种实施方式中,还包括:In one embodiment, it also includes:
当需要移除1个参与节点时,由当前参与节点中不少于k个参与节点,按照预设的参与节点移除规则进行操作,以使得除去被移除的参与节点之外的剩余的各个参与节点均得到1个新份额以替换原本的份额。When a participating node needs to be removed, no less than k participating nodes among the current participating nodes will be operated according to the preset participating node removal rules, so that the remaining participating nodes except the removed participating node will be removed. Participating nodes each receive a new share to replace the original share.
在一种实施方式中,当需要移除1个参与节点时,由当前参与节点中不少于k个参与节点,按照预设的参与节点移除规则进行操作,以使得除去被移除的参与节点之外的剩余的各个参与节点均得到1个新份额以替换原本的份额,包括:In one embodiment, when one participating node needs to be removed, no less than k participating nodes among the current participating nodes operate according to the preset participating node removal rules, so that the removed participating nodes are removed. Each remaining participating node other than the node will receive a new share to replace the original share, including:
当需要移除1个参与节点时,由当前的n个参与节点中的r个参与节点基于各自当前的份额,进行各自的子秘密数据的计算;When one participating node needs to be removed, the r participating nodes among the current n participating nodes will calculate their respective sub-secret data based on their current shares;
其中,r个参与节点中的第i个参与节点所计算出的子秘密数据a i0表示为,s i 为第i个参与节点的份额,M i0为/>在M中的代数余子式,矩阵,det(M)表示的是M的行列式,/>至/>为n个参与节点各自的身份信息,r≥k;Among them, the sub-secret data a i 0 calculated by the i- th participating node among the r participating nodes is expressed as , s i is the share of the i- th participating node, M i 0 is/> Algebraic cofactors in M , matrices , det( M ) represents the determinant of M ,/> to/> is the identity information of each of the n participating nodes, r ≥ k ;
基于r个子秘密数据,由r个参与节点按照预设的份额安全生成方式进行操作,以使得除去被移除的参与节点之外的剩余的各个参与节点均得到1个新份额以替换原本的份额,且使得任一参与节点无法获取到其他任一参与节点的子秘密数据。Based on r sub-secret data, r participating nodes operate according to the preset secure share generation method, so that each remaining participating node except the removed participating node gets a new share to replace the original share. , and makes it impossible for any participating node to obtain the sub-secret data of any other participating node.
在一种实施方式中,基于r个子秘密数据,由r个参与节点按照预设的份额安全生成方式进行操作,以使得除去被移除的参与节点之外的剩余的各个参与节点均得到1个新份额以替换原本的份额,且使得任一参与节点无法获取到其他任一参与节点的子秘密数据,包括:In one implementation, based on r sub-secret data, r participating nodes operate according to a preset safe generation method of shares, so that each remaining participating node except the removed participating node gets 1 The new share replaces the original share and makes it impossible for any participating node to obtain the sub-secret data of any other participating node, including:
对于r个参与节点中的每1个参与节点,该参与节点通过自身计算出的子秘密数据,以及自身构造的第一多项式,计算出n-1个子份额数值,并将计算出的n-1个子份额数值分别分配给除去被移除的参与节点之外的包括自身在内的n-1个剩余的参与节点;For each participating node among the r participating nodes, the participating node calculates n -1 sub-share values through the sub-secret data calculated by itself and the first polynomial constructed by itself, and calculates the calculated n -1 sub-share value is allocated to the n -1 remaining participating nodes, including itself, excluding the removed participating nodes;
对于当前除去被移除的参与节点之外的剩余的n-1个参与节点,该参与节点在得到了r个子份额数值之后,将自身得到的r个子份额数值求和,作为得到的自身的新份额以替换自身的原本的份额;For the remaining n -1 participating nodes except the removed participating nodes, after obtaining the r sub-share values, the participating node sums up the r sub-share values it obtained as its own new share to replace its own original share;
其中,r个参与节点中第i个参与节点所构造的所述第一多项式表示为,t为正整数且1≤t≤k-1,a i1至a i(k-1)为第i个参与节点从所述伽罗华域中选取出的k-1个元素;第i个参与节点通过将所构造的所述第一多项式的自变量x的取值依次取值为除去被移除的参与节点之外的剩余的n-1个参与节点的身份信息,依次计算出n-1个子份额数值。Wherein, the first polynomial constructed by the i- th participating node among the r participating nodes is expressed as , t is a positive integer and 1≤ t ≤ k -1, a i 1 to a i ( k -1) are the k -1 elements selected by the i- th participating node from the Galois field; the i-th The participating nodes are calculated sequentially by taking the value of the independent variable x of the constructed first polynomial to the identity information of the remaining n -1 participating nodes excluding the removed participating nodes. Output n -1 sub-share values.
在一种实施方式中,还包括:In one embodiment, it also includes:
当需要调整实现秘密重构的最小份额数量k的数值时,由当前参与节点中不少于k个参与节点,按照预设的门限调整规则进行操作,以使得当前的各个参与节点均得到1个新份额以替换原本的份额,且使得实现秘密重构的最小份额数量从k调整为;When it is necessary to adjust the value of the minimum number of shares k to achieve secret reconstruction, no less than k participating nodes among the current participating nodes will operate according to the preset threshold adjustment rules, so that each current participating node gets 1 The new shares replace the original shares, and the minimum number of shares to achieve secret reconstruction is adjusted from k to ;
表示的是调整之后的实现秘密重构的最小份额数量。 Indicates the minimum number of shares required to achieve secret reconstruction after adjustment.
在一种实施方式中,当需要调整实现秘密重构的最小份额数量k的数值时,由当前参与节点中不少于k个参与节点,按照预设的门限调整规则进行操作,以使得当前的各个参与节点均得到1个新份额以替换原本的份额,且使得实现秘密重构的最小份额数量从k调整为,包括:In one implementation, when it is necessary to adjust the value of the minimum number of shares k to achieve secret reconstruction, no less than k participating nodes among the current participating nodes operate according to the preset threshold adjustment rules, so that the current Each participating node gets a new share to replace the original share, and the minimum number of shares to achieve secret reconstruction is adjusted from k to ,include:
当需要调整实现秘密重构的最小份额数量k的数值时,由当前的n个参与节点中的r个参与节点基于各自当前的份额,进行各自的子秘密数据的计算;When it is necessary to adjust the value of the minimum number of shares k to achieve secret reconstruction, the r participating nodes among the current n participating nodes will calculate their respective sub-secret data based on their current shares;
其中,r个参与节点中的第i个参与节点所计算出的子秘密数据a i0表示为:,s i 为第i个参与节点的份额,M i0为/>在M中的代数余子式,矩阵,det(M)表示的是M的行列式,/>至/>为n个参与节点各自的身份信息,r≥k;Among them, the sub-secret data a i 0 calculated by the i- th participating node among the r participating nodes is expressed as: , s i is the share of the i- th participating node, M i 0 is/> Algebraic cofactors in M , matrices , det( M ) represents the determinant of M ,/> to/> is the identity information of each of the n participating nodes, r ≥ k ;
基于r个子秘密数据,由r个参与节点按照预设的门限调整方式进行操作,以使得各个参与节点均得到1个新份额以替换原本的份额,且使得任一参与节点无法获取到其他任一参与节点的子秘密数据,且使得实现秘密重构的最小份额数量从k调整为。Based on r sub-secret data, r participating nodes operate according to the preset threshold adjustment method, so that each participating node gets a new share to replace the original share, and no participating node can obtain any other The child secret data of participating nodes, and the minimum number of shares to achieve secret reconstruction is adjusted from k to .
在一种实施方式中,基于r个子秘密数据,由r个参与节点按照预设的门限调整方式进行操作,以使得各个参与节点均得到1个新份额以替换原本的份额,且使得任一参与节点无法获取到其他任一参与节点的子秘密数据,且使得实现秘密重构的最小份额数量从k调整为,包括:In one implementation, based on r sub-secret data, r participating nodes operate according to a preset threshold adjustment method, so that each participating node obtains a new share to replace the original share, and any participating node The node cannot obtain the sub-secret data of any other participating node, and the minimum number of shares to achieve secret reconstruction is adjusted from k to ,include:
对于r个参与节点中的每1个参与节点,该参与节点通过自身计算出的子秘密数据,以及自身构造的第二多项式,计算出n个子份额数值,并将计算出的n个子份额数值分别分配给包括自身在内的n个参与节点;For each participating node among the r participating nodes, the participating node calculates the n sub-share values through the sub-secret data calculated by itself and the second polynomial constructed by itself, and uses the calculated n sub-shares Values are assigned to n participating nodes including itself;
对于n个参与节点中的每一个参与节点,该参与节点在得到了r个子份额数值之后,将自身得到的r个子份额数值求和,作为得到的自身的新份额以替换自身的原本的份额;For each participating node among the n participating nodes, after obtaining the r sub-share values, the participating node sums up the r sub-share values it obtained as its own new share to replace its original share;
其中,r个参与节点中第i个参与节点所构造的所述第二多项式表示为,c为正整数且/>,a i1至/>为第i个参与节点从所述伽罗华域中选取出的/>个元素;第i个参与节点通过将所构造的所述第二多项式的自变量x的取值依次取值为当前的n个参与节点的身份信息,依次计算出n个子份额数值。Wherein, the second polynomial constructed by the i- th participating node among the r participating nodes is expressed as , c is a positive integer and/> , a i 1 to/> Selected from the Galois field for the i- th participating node/> elements; the i -th participating node sequentially calculates n sub-share values by taking the values of the independent variable x of the constructed second polynomial as the identity information of the current n participating nodes.
在一种实施方式中,所述按照元素位置的不同,将所述编码结果划分为n个份额并分别发送给n个参与节点,以使得当r个参与节点利用r个份额进行秘密重构时,如果r=k,则基于r个份额重构出所述秘密元素并确定出对应于所述秘密元素的秘密信息,如果r>k且判断出r个份额中存在虚假份额时,进行虚假份额的纠正之后再重构出所述秘密元素,并确定出对应于所述秘密元素的秘密信息,包括:In one implementation, the encoding result is divided into n shares according to different element positions and sent to n participating nodes respectively, so that when r participating nodes use r shares to perform secret reconstruction , if r = k , reconstruct the secret element based on r shares and determine the secret information corresponding to the secret element. If r > k and it is determined that there are false shares among the r shares, perform false shares After correction, the secret element is reconstructed, and the secret information corresponding to the secret element is determined, including:
按照元素位置的不同,将所述编码结果划分为n个份额并分别发送给n个参与节点,以使得当r个参与节点利用r个份额进行秘密重构时,如果r=k,则基于r个份额重构出所述秘密元素并确定出对应于所述秘密元素的秘密信息,如果r>k,则判断s·H T =0是否成立,如果不成立,则判断出r个份额中存在虚假份额时,在进行虚假份额的纠正之后再重构出所述秘密元素,并确定出对应于所述秘密元素的秘密信息;According to the different positions of the elements, the encoding result is divided into n shares and sent to n participating nodes respectively, so that when r participating nodes use r shares for secret reconstruction, if r = k , then based on r The secret elements are reconstructed from the shares and the secret information corresponding to the secret elements is determined. If r > k , it is judged whether s · H T =0 is established. If it is not established, it is judged that there is falsehood in r shares. When a share is obtained, the secret element is reconstructed after correcting the false share, and the secret information corresponding to the secret element is determined;
其中,H为满足M k H T =0的(r-k)×r阶满秩矩阵,M k 为矩阵M的前k行构成的子矩阵,T为转置矩阵符号,矩阵,/>至/>为n个参与节点各自的身份信息,/>,s 1至s r 表示的是进行秘密重构的r个参与节点各自的份额。Among them, H is a ( r - k ) × r- order full-rank matrix that satisfies M k H T =0, M k is a submatrix composed of the first k rows of matrix M , T is the transpose matrix symbol, and the matrix ,/> to/> is the identity information of each of the n participating nodes,/> , s 1 to s r represent the respective shares of the r participating nodes that perform secret reconstruction.
在一种实施方式中,还包括:In one embodiment, it also includes:
当r个参与节点利用r个份额进行秘密重构,并且在判断出r个份额中存在虚假份额时,如果虚假份额数量不超过,r个参与节点均确定出各个虚假份额各自对应的参与节点的身份信息。When r participating nodes use r shares for secret reconstruction, and when it is determined that there are false shares among the r shares, if the number of false shares does not exceed , r participating nodes all determine the identity information of the participating nodes corresponding to each false share.
在一种实施方式中,如果r=k,则基于r个份额重构出所述秘密元素并确定出对应于所述秘密元素的秘密信息,包括:In one implementation, if r = k , reconstruct the secret element based on r shares and determine the secret information corresponding to the secret element, including:
如果r=k,则基于r个份额,通过计算的方式重构出所述秘密元素并确定出对应于所述秘密元素的秘密信息。If r = k , then based on r shares, calculate The secret element is reconstructed and the secret information corresponding to the secret element is determined.
在一种实施方式中,还包括:In one embodiment, it also includes:
当r个参与节点利用r个份额进行秘密重构且r=k时,在基于r个份额重构出所述秘密元素之后,r个参与节点均输出重构出的所述秘密元素存在安全隐患的提示信息。When r participating nodes use r shares to perform secret reconstruction and r = k , after reconstructing the secret element based on r shares, all r participating nodes output the reconstructed secret element, which may cause security risks. prompt information.
一种秘密信息的共享系统,包括:分发节点和n个参与节点;A secret information sharing system, including: distribution node and n participating nodes;
所述分发节点,用于:The distribution node is used for:
按照设定的转换规则,将秘密信息转换为设定的伽罗华域中的一个元素,作为秘密元素;According to the set conversion rules, the secret information is converted into an element in the set Galois domain as a secret element;
从设定的伽罗华域中选取出n个互异的元素,作为n个参与节点的公开的身份信息;Select n different elements from the set Galois field as the public identity information of n participating nodes;
从所述伽罗华域中选取出k-1个元素,并与所述秘密元素一起构成一个包含k个元素的待编码向量;Select k -1 elements from the Galois field, and together with the secret element form a vector to be encoded containing k elements;
基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息对所述待编码向量进行编码,得到包括n个元素的编码结果;Based on the encoding rules of the generalized Reed-Solomon code, the vector to be encoded is encoded through the identity information of n participating nodes to obtain an encoding result including n elements;
按照元素位置的不同,将所述编码结果划分为n个份额并分别发送给n个参与节点;According to the different positions of the elements, the encoding result is divided into n shares and sent to n participating nodes respectively;
所述参与节点用于:The participating nodes are used for:
当r个参与节点利用r个份额进行秘密重构时,如果r=k,则基于r个份额重构出所述秘密元素,如果r>k且判断出r个份额中存在虚假份额时,进行虚假份额的纠正之后再重构出所述秘密元素;When r participating nodes use r shares to reconstruct the secret, if r = k , the secret element is reconstructed based on r shares. If r > k and it is judged that there are false shares among the r shares, proceed Correction of false shares followed by reconstruction of said secret elements;
基于重构出的所述秘密元素,确定出对应的秘密信息;Based on the reconstructed secret elements, determine the corresponding secret information;
其中,n为不小于2的正整数,k为正整数表示的是实现秘密重构的最小份额数量,r为正整数且r<k时无法实现秘密重构,r>k时虚假份额的纠正数量不超过。Among them, n is a positive integer not less than 2, k is a positive integer indicating the minimum number of shares to achieve secret reconstruction, r is a positive integer and when r < k , secret reconstruction cannot be achieved, and when r > k , false shares are corrected. The quantity does not exceed .
一种秘密信息的共享设备,包括:A device for sharing secret information, including:
存储器,用于存储计算机程序;Memory, used to store computer programs;
处理器,用于执行所述计算机程序以实现上述所述的秘密信息的共享方法的步骤。A processor, configured to execute the computer program to implement the steps of the secret information sharing method described above.
一种计算机可读存储介质,所述计算机可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现如上述所述的秘密信息的共享方法的步骤。A computer-readable storage medium. A computer program is stored on the computer-readable storage medium. When the computer program is executed by a processor, the steps of the secret information sharing method as described above are implemented.
应用本发明实施例所提供的技术方案,有益效果在于,本发明的方案是基于广义里德所罗门码来实现秘密信息的共享,可以有效地应对欺诈者提供虚假份额的情况。并且本发明的方案的安全性不依赖于任何计算困难性的假设,即本发明的方案是信息论安全而不是经典方案计算意义上的安全,因此本发明的方案能够抵抗量子计算攻击。此外,在进行秘密分发之后,包括秘密重构在内的后续各阶段,本发明的方案均不需要分发节点的参与,有利于进一步地提高灵活性和可靠性。参与节点所保存的份额与秘密元素具有相同长度,使得本发明方案的秘密分发过程没有数据扩展,也有利于进一步地保障安全性。The beneficial effect of applying the technical solutions provided by the embodiments of the present invention is that the solution of the present invention is based on the generalized Reed-Solomon code to realize the sharing of secret information, and can effectively deal with the situation where fraudsters provide false shares. Moreover, the security of the solution of the present invention does not depend on any assumption of computational difficulty, that is, the solution of the present invention is information-theoretic security rather than security in the computational sense of the classical solution. Therefore, the solution of the present invention can resist quantum computing attacks. In addition, after secret distribution, the solution of the present invention does not require the participation of distribution nodes in subsequent stages including secret reconstruction, which is conducive to further improving flexibility and reliability. The shares saved by the participating nodes have the same length as the secret elements, so that there is no data expansion in the secret distribution process of the solution of the present invention, and it is also conducive to further ensuring security.
具体的,为了后续能够基于广义里德所罗门码实现编码,本发明的方案中,分发节点按照需要设定的转换规则,将秘密信息转换为设定的伽罗华域中的一个元素,作为秘密元素,该秘密元素可以与从伽罗华域中选取出的k-1个元素,一起构成一个包含k个元素的待编码向量,即该待编码向量中携带有秘密元素。对于n个参与节点,需要从设定的伽罗华域中选取出n个互异的元素,作为n个参与节点的公开的身份信息。基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息对待编码向量进行编码,得到包括n个元素的编码结果。编码结果中包括n个元素,每个元素作为1个份额,使得编码结果可以划分为n个份额从而分别交给n个参与节点保管。基于广义里德所罗门码的原理,当r个参与节点利用r个份额进行秘密重构时,如果r=k,则可以基于r个份额重构出秘密元素并确定出对应于秘密元素的秘密信息,当然,此时重构无法保障准确性,即r=k时要求r个参与节点均是诚实参与节点才能够重构出正确的秘密元素,从而按照转换规则,确定出对应于秘密元素的秘密信息。而r>k时,本发明的方案中能够判断出r个份额中是否存在虚假份额,如果存在,则能够纠正数量不超过的虚假份额,在进行了虚假份额的纠正之后便可以重构出秘密元素,并确定出对应于秘密元素的秘密信息;Specifically, in order to be able to implement subsequent coding based on the generalized Reed-Solomon code, in the solution of the present invention, the distribution node converts the secret information into an element in the set Galois field as the secret according to the conversion rules set as needed. element, the secret element can be combined with the k -1 elements selected from the Galois field to form a vector to be encoded containing k elements, that is, the vector to be encoded carries the secret element. For n participating nodes, n different elements need to be selected from the set Galois field as the public identity information of the n participating nodes. Based on the encoding rules of the generalized Reed-Solomon code, the to-be-encoded vector is encoded through the identity information of n participating nodes, and the encoding result including n elements is obtained. The encoding result includes n elements, each element is regarded as a share, so that the encoding result can be divided into n shares and handed over to n participating nodes for safekeeping. Based on the principle of generalized Reed-Solomon code, when r participating nodes use r shares to reconstruct the secret, if r = k , the secret element can be reconstructed based on the r shares and the secret information corresponding to the secret element can be determined , of course, the accuracy of the reconstruction cannot be guaranteed at this time, that is, when r = k , all r participating nodes are required to be honest participating nodes to reconstruct the correct secret element, so as to determine the secret corresponding to the secret element according to the conversion rules. information. When r > k , the solution of the present invention can determine whether there are false shares among the r shares. If there are false shares, the number can be corrected to not exceed After correcting the false shares, the secret elements can be reconstructed and the secret information corresponding to the secret elements can be determined;
可以看出,本发明的方案能够判断出r个份额中是否存在虚假份额,且能够纠正数量不超过的虚假份额,即本发明的方案能够可以有效地应对欺诈者提供虚假份额的情况。并且r小于k时,无论攻击者具有多高的计算资源也无法实现秘密重构,即本发明的方案的安全性不依赖于任何计算困难性的假设是信息论安全的而不是经典方案计算意义上的安全,使得本发明的方案能够抵抗量子计算攻击。此外可以看出,本发明的方案中,分发节点只需要完成份额的分发即可,在进行包括秘密重构在内的后续各阶段的操作时,本发明的方案并不需要分发节点的参与,有利于进一步地提高可靠性。参与节点所保存的份额与秘密元素均是伽罗华域中的元素,具有相同长度,使得本发明方案的秘密分发过程没有数据扩展,也有利于进一步地保障安全性。It can be seen that the solution of the present invention can determine whether there are false shares among r shares, and can correct the number not exceeding false shares, that is, the solution of the present invention can effectively deal with the situation where fraudsters provide false shares. And when r is less than k , no matter how high the computing resources of the attacker are, the secret reconstruction cannot be achieved. That is, the security of the scheme of the present invention does not depend on the assumption of any computational difficulty, which is information theoretic security rather than the classical scheme calculation sense. The security makes the solution of the present invention resistant to quantum computing attacks. In addition, it can be seen that in the solution of the present invention, the distribution node only needs to complete the distribution of shares. When performing operations in subsequent stages including secret reconstruction, the solution of the present invention does not require the participation of the distribution node. Helps further improve reliability. The shares and secret elements saved by the participating nodes are elements in the Galois domain and have the same length, so that there is no data expansion in the secret distribution process of the solution of the present invention, and it is also conducive to further ensuring security.
附图说明Description of the drawings
为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings in the following description are only These are some embodiments of the present invention. For those of ordinary skill in the art, other drawings can be obtained based on these drawings without exerting creative efforts.
图1为目前一种常用的密钥管理方法的示意图;Figure 1 is a schematic diagram of a currently commonly used key management method;
图2为本发明中一种秘密信息的共享方法的实施流程图;Figure 2 is an implementation flow chart of a secret information sharing method in the present invention;
图3为本发明中一种秘密信息的共享系统的结构示意图;Figure 3 is a schematic structural diagram of a secret information sharing system in the present invention;
图4为本发明中一种秘密信息的共享设备的结构示意图;Figure 4 is a schematic structural diagram of a secret information sharing device in the present invention;
图5为本发明中一种计算机可读存储介质的结构示意图。Figure 5 is a schematic structural diagram of a computer-readable storage medium in the present invention.
具体实施方式Detailed ways
本发明的核心是提供一种秘密信息的共享方法、系统、设备及存储介质,能够有效应对存在虚假份额的情况,是信息论安全而不是计算意义上的安全,秘密分发后续各阶段的实现均无需分发节点参与,秘密分发过程没有数据扩展,有利于进一步保障安全性。The core of the present invention is to provide a secret information sharing method, system, equipment and storage medium, which can effectively deal with the situation where false shares exist. It is information-theoretic security rather than security in the computational sense. The implementation of subsequent stages of secret distribution does not require Distribution nodes participate, and there is no data expansion in the secret distribution process, which is conducive to further ensuring security.
为了使本技术领域的人员更好地理解本发明方案,下面结合附图和具体实施方式对本发明作进一步的详细说明。显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。In order to enable those skilled in the art to better understand the solution of the present invention, the present invention will be further described in detail below in conjunction with the accompanying drawings and specific embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, but not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts fall within the scope of protection of the present invention.
请参考图2,图2为本发明中一种秘密信息的共享方法的实施流程图,该秘密信息的共享方法可以包括以下步骤:Please refer to Figure 2. Figure 2 is an implementation flow chart of a secret information sharing method in the present invention. The secret information sharing method may include the following steps:
步骤S101:按照设定的转换规则,将秘密信息转换为设定的伽罗华域中的一个元素,作为秘密元素。Step S101: Convert the secret information into an element in the set Galois field as a secret element according to the set conversion rules.
分发节点也可以称为分发中心,能够实现秘密的分发,即能够生成秘密的各个份额并发送给各个参与节点,参与节点也可以称为参与者,能够接收相应份额,并且可以由不低于k个参与节点实现秘密重构。The distribution node can also be called the distribution center, which can realize the distribution of secrets, that is, it can generate each share of the secret and send it to each participating node. The participating nodes can also be called participants, can receive the corresponding shares, and can be sent by no less than k Participating nodes realize secret reconstruction.
秘密信息表示的是待加密的信息,并且可以理解的是,秘密信息的具体形式可以有多种,例如可以是一段文字,可以是一串数字,可以是包括字母以及符号的密钥,而本发明的方案中,后续进行编码时,是基于广义里德所罗门码的编码规则进行编码,因此,需要将秘密信息转换为伽罗华域中的一个元素,才能够使得后续步骤中,能够基于广义里德所罗门码的编码规则实现编码。The secret information represents the information to be encrypted, and it can be understood that the secret information can be in many specific forms, for example, it can be a piece of text, a string of numbers, or a key including letters and symbols. This document In the invented scheme, subsequent encoding is based on the encoding rules of the generalized Reed-Solomon code. Therefore, the secret information needs to be converted into an element in the Galois field so that subsequent steps can be based on the generalized Reed-Solomon code. The encoding rules of Reed-Solomon code implement encoding.
转换规则的具体内容可以根据实际需要进行设定和调整,只要能够按照设定的转换规则,将秘密信息转换为设定的伽罗华域中的一个元素即可,转换出的这一元素称为秘密元素。例如一种场合中,秘密信息是包括字母以及符号的密钥,而在转换规则中,规定了对于不同字母以及符号,会被转换为相对应的固定bit的二进制数值,进而再基于得到的各个二进制数值,映射为设定的伽罗华域中的一个元素。此外可以理解的是,该转换规则需要进行保存,使得该转换过程是可逆的,即,使得在进行秘密重构时,参与节点在得到秘密元素之后,能够按照该转换规则反向确定出秘密信息,例如实际应用中,该转换规则可以由分发节点进行公开保存,又如,各个参与节点均进行了该转换规则的保存。The specific content of the conversion rules can be set and adjusted according to actual needs. As long as the secret information can be converted into an element in the set Galois domain according to the set conversion rules, the converted element is called as a secret element. For example, in one situation, the secret information is a key including letters and symbols, and the conversion rules stipulate that different letters and symbols will be converted into corresponding fixed-bit binary values, and then based on the obtained each Binary value, mapped to an element in the set Galois field. In addition, it can be understood that the conversion rules need to be saved so that the conversion process is reversible, that is, when performing secret reconstruction, the participating nodes can reversely determine the secret information according to the conversion rules after obtaining the secret elements. , for example, in practical applications, the conversion rules can be publicly saved by the distribution node, or, for example, each participating node saves the conversion rules.
伽罗华域也可以称为有限域,后文中将伽罗华域表示为,伽罗华域的具体参数设置可以根据实际需要进行设定和调整。The Galois field can also be called a finite field. In the following, the Galois field is expressed as , the specific parameter settings of the Galois domain can be set and adjusted according to actual needs.
步骤S102:从设定的伽罗华域中选取出n个互异的元素,作为n个参与节点的公开的身份信息。Step S102: Select n different elements from the set Galois field as the public identity information of n participating nodes.
在秘密分发阶段,分发节点可以执行步骤S101至步骤S105的操作,从而划分出n个份额并分别发送给n个参与节点。也就是说,在执行步骤S102时,可以由分发节点从设定的伽罗华域中选取出n个互异的元素,作为n个参与节点的公开的身份信息。In the secret distribution stage, the distribution node can perform the operations from step S101 to step S105, thereby dividing n shares and sending them to n participating nodes respectively. That is to say, when performing step S102, the distribution node can select n different elements from the set Galois field as the public identity information of the n participating nodes.
在本发明的一种具体实施方式中,步骤S102可以包括:从设定的伽罗华域中随机地选取出n个互异的元素,作为n个参与节点的公开的身份信息。In a specific implementation of the present invention, step S102 may include: randomly selecting n different elements from the set Galois field as the public identity information of the n participating nodes.
该种实施方式考虑到,对于n个参与节点的公开的身份信息,本发明并不进行限定,只要是设定的伽罗华域中的n个互异的元素即可,对此,该种实施方式中,便是从伽罗华域中随机地选取出n个互异的元素,随机选取的方式在实现上较为方便。This implementation mode takes into account that the present invention is not limited to the public identity information of n participating nodes, as long as it is n mutually different elements in the set Galois field. In this regard, this kind of In the implementation, n different elements are randomly selected from the Galois field. The random selection method is more convenient in implementation.
进一步的,在一种实施方式中,步骤S102可以包括:从设定的伽罗华域中均匀随机地选取出n个互异的元素,作为n个参与节点的公开的身份信息。Further, in one implementation, step S102 may include: uniformly and randomly selecting n different elements from the set Galois field as the public identity information of the n participating nodes.
该种实施方式考虑到,对于伽罗华域中的各个元素,被选取作为身份信息时,理想情况下,选取概率应当是一致的,即在随机选取时,伽罗华域中的各个元素均有相同的概率被选取出,作为相应参与节点的身份信息,因此该种实施方式中,会从设定的伽罗华域中均匀随机地选取出n个互异的元素,作为n个参与节点的公开的身份信息。This implementation method takes into account that when each element in the Galois field is selected as identity information, ideally, the selection probability should be consistent, that is, when randomly selected, each element in the Galois field is equal to have the same probability of being selected as the identity information of the corresponding participating nodes. Therefore, in this implementation, n different elements are uniformly and randomly selected from the set Galois field as n participating nodes. publicly identifiable information.
该种实施方式中描述的均匀随机,表示的是在随机选取时,伽罗华域中的各个元素具有相同的被选取概率,用公式可以表示为,/>至/>便是从伽罗华域/>中均匀随机地选取出的n个互异的元素,也即/>至/>为n个参与节点各自的身份信息,或者称为n个参与节点各自的ID。后文中出现的相同符号也表示的是均匀随机的选取方式。The uniform randomness described in this implementation means that when randomly selected, each element in the Galois field has the same probability of being selected, which can be expressed as ,/> to/> That’s from the Galava Realm/> n different elements uniformly and randomly selected from , that is,/> to/> is the identity information of each of the n participating nodes, or the ID of each of the n participating nodes. The same symbols appearing in the following text also represent the uniform random selection method.
步骤S103:从伽罗华域中选取出k-1个元素,并与秘密元素一起构成一个包含k个元素的待编码向量。Step S103: Select k -1 elements from the Galois field, and together with the secret element form a vector to be encoded containing k elements.
与上文同理,在从伽罗华域中选取出k-1个元素时,可以采用随机选取的方式,便于实施。并且,在从伽罗华域中选取出k-1个元素时,理想情况下,各元素的选取概率也应当是一致的,因此在本发明的一种具体实施方式中,步骤S103可以具体包括:In the same way as above, when selecting k -1 elements from the Galois field, random selection can be used to facilitate implementation. Moreover, when k -1 elements are selected from the Galois field, ideally, the selection probabilities of each element should also be consistent. Therefore, in a specific implementation of the present invention, step S103 may specifically include :
从伽罗华域中均匀随机地选取出k-1个元素,并与秘密元素一起构成一个包含k个元素的待编码向量。 k -1 elements are uniformly and randomly selected from the Galois field, and together with the secret elements form a vector to be encoded containing k elements.
该种实施方式中描述的均匀随机,表示在随机选取时,伽罗华域中的各个元素具有相同的被选取概率,因此采用该种实施方式执行步骤S103时,分发节点会均匀随机地从伽罗华域中选取出k-1个元素,可以表示为,即选取出的k-1个元素依次记作a 1至a k-1。The uniform randomness described in this implementation means that when randomly selected, each element in the Galois field has the same probability of being selected. Therefore, when performing step S103 using this implementation, the distribution node will uniformly and randomly select from the Galois field. Select k -1 elements from the Luohua domain, which can be expressed as , that is, the selected k -1 elements are recorded as a 1 to a k -1 in sequence.
从伽罗华域中选取出k-1个元素之后,与步骤S101中得到的秘密元素一起,便构成了一个包含k个元素的待编码向量。例如将秘密元素表示为a 0,则包含k个元素的待编码向量可以表示为a =(a 0,a 1,...,a k-1)。After k -1 elements are selected from the Galois field, together with the secret elements obtained in step S101, a vector to be encoded containing k elements is formed. For example, if the secret element is expressed as a 0 , the vector to be encoded containing k elements can be expressed as a = ( a 0 , a 1 ,..., a k -1 ).
步骤S104:基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息对待编码向量进行编码,得到包括n个元素的编码结果。Step S104: Based on the encoding rules of the generalized Reed-Solomon code, encode the vector to be encoded using the identity information of n participating nodes to obtain an encoding result including n elements.
待编码向量中携带有秘密元素,本发明的方案中,会基于GRS(Generalized Reed-Solomon,广义里德所罗门码)的编码规则实现编码,使得能够实现信息论层面的安全性。The vector to be encoded carries a secret element. In the solution of the present invention, the encoding is implemented based on the encoding rules of GRS (Generalized Reed-Solomon code), so that security at the information theory level can be achieved.
基于广义里德所罗门码的编码规则实现编码时,通常可以基于范德蒙矩阵实现编码,因此,在本发明的一种具体实施方式中,步骤S104可以具体包括:When encoding is implemented based on the encoding rules of the generalized Reed-Solomon code, encoding can usually be implemented based on the Vandermond matrix. Therefore, in a specific implementation of the present invention, step S104 may specifically include:
基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息建立范德蒙矩阵,并通过建立的范德蒙矩阵对待编码向量进行编码,得到包括n个元素的编码结果。Based on the coding rules of the generalized Reed-Solomon code, a Vandermond matrix is established through the identity information of n participating nodes, and the to-be-encoded vector is encoded through the established Vandermond matrix to obtain a coding result including n elements.
该种实施方式中,基于范德蒙矩阵可以方便有效地实现广义里德所罗门码的编码。In this implementation, the coding of the generalized Reed-Solomon code can be implemented conveniently and effectively based on the Vandermond matrix.
例如在本发明的一种具体实施方式中,步骤S104可以具体包括:For example, in a specific implementation of the present invention, step S104 may specifically include:
基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息,按照(s 1,...,s n )=a·G的计算方式,对待编码向量进行编码,得到包括n个元素的编码结果;Based on the encoding rules of the generalized Reed-Solomon code, the identity information of n participating nodes is used to encode the vector to be encoded according to the calculation method of ( s 1 ,..., s n ) = a · G , and the result includes n elements. the coding results;
其中,a为包含k个元素的待编码向量,G为通过n个参与节点的身份信息建立的范德蒙矩阵,且,s 1至s n 为得到的包括n个元素的编码结果,/>至/>为n个参与节点各自的身份信息。Among them, a is a vector to be encoded containing k elements, G is a Vandermond matrix established through the identity information of n participating nodes, and , s 1 to s n are the obtained encoding results including n elements, /> to/> is the identity information of each of the n participating nodes.
该种实施方式中,通过n个参与节点的身份信息建立了范德蒙矩阵G,通过将待编码向量a与该范德蒙矩阵G相乘,便可以方便有效地确定出包括n个元素的编码结果,得到的包括n个元素的编码结果表示为(s 1,...,s n )。In this implementation, the Vandermond matrix G is established through the identity information of n participating nodes. By multiplying the vector a to be encoded by the Vandermond matrix G , the encoding result including n elements can be determined conveniently and effectively, and we get The encoding result including n elements is expressed as ( s 1 ,..., s n ).
步骤S105:按照元素位置的不同,将编码结果划分为n个份额并分别发送给n个参与节点,以使得当r个参与节点利用r个份额进行秘密重构时,如果r=k,则基于r个份额重构出秘密元素并确定出对应于秘密元素的秘密信息,如果r>k且判断出r个份额中存在虚假份额时,进行虚假份额的纠正之后再重构出秘密元素,并确定出对应于秘密元素的秘密信息;Step S105: Divide the encoding result into n shares according to different element positions and send them to n participating nodes respectively, so that when r participating nodes use r shares to perform secret reconstruction, if r = k , then based on r shares reconstruct the secret elements and determine the secret information corresponding to the secret elements. If r > k and it is determined that there are false shares among the r shares, correct the false shares and then reconstruct the secret elements and determine to produce a secret message corresponding to the secret element;
其中,n为不小于2的正整数,k为正整数表示的是实现秘密重构的最小份额数量,r为正整数,且r<k时无法实现秘密重构,r>k时虚假份额的纠正数量不超过。Among them, n is a positive integer not less than 2, k is a positive integer indicating the minimum number of shares to achieve secret reconstruction, r is a positive integer, and when r < k , secret reconstruction cannot be achieved, and when r > k , false shares The number of corrections shall not exceed .
分发中心在执行了上述步骤S101至步骤S104的操作之后,便可以得到包括n个元素的编码结果(s 1,...,s n )。然后便可以进行份额的分发。After the distribution center performs the above-mentioned operations from step S101 to step S104, it can obtain the encoding result ( s 1 ,..., s n ) including n elements. Then the shares can be distributed.
在进行份额的分发时,是按照元素位置的不同,将编码结果划分为n个份额,也就是说,对于编码结果中的n个元素,每个元素作为1个份额,因此可以划分出n个份额,而每个n个份额需要发送给相应的1个参与节点,例如将第1个份额s 1发送给第1个参与节点,将第2个份额s 2发送给第2个参与节点,以此类推。分发之后,要使得n个参与节点中的每个参与节点都得到了1个份额。When distributing shares, the coding result is divided into n shares according to the different positions of the elements. That is to say, for the n elements in the coding result, each element is regarded as 1 share, so n can be divided into Shares, and each n shares need to be sent to the corresponding 1 participating node, for example, the first share s 1 is sent to the first participating node, and the second share s 2 is sent to the second participating node, so as to And so on. After distribution, each participating node among the n participating nodes must receive 1 share.
此外可以理解的是,实际应用中,在将编码结果划分为n个份额并分别发送给n个参与节点时,为了保障通信安全,信息传输需要以秘密方式进行,以将第1个份额s 1发送给第1个参与节点为例,分发中心可以用加密通信的方式,将第1个份额s 1发送给第1个参与节点,使得除了第1参与节点之外,其他参与节点并不能得到第1个份额s 1。同样的,后续的实施方式中,如无特别说明,分发节点和参与节点之间,以及不同参与节点相互之间的信息传输均应当以秘密的方式进行来保障信息传输的安全性。In addition, it can be understood that in practical applications, when the encoding result is divided into n shares and sent to n participating nodes respectively, in order to ensure communication security, the information transmission needs to be carried out in a secret manner, so that the first share s 1 Send to the first participating node as an example. The distribution center can use encrypted communication to send the first share s 1 to the first participating node, so that except for the first participating node, other participating nodes cannot get the first participating node. 1 share s 1 . Similarly, in subsequent implementations, unless otherwise specified, information transmission between distribution nodes and participating nodes, as well as between different participating nodes, should be conducted in a confidential manner to ensure the security of information transmission.
本发明的方案中,分发节点将编码结果划分为n个份额并分别发送给n个参与节点之后,分发节点的秘密分发的工作便已经执行完成,对于后续的秘密重构,以及部分实施方式中存在的增加参与节点,移除参与节点,调整门限值等操作,均无需分发节点的参与,有利于进一步地保障本发明方案的安全性。因此在实际应用中,分发节点在完成了秘密分发的工作之后,便可以将存储的相关信息全部删除。In the solution of the present invention, after the distribution node divides the encoding result into n shares and sends them to n participating nodes respectively, the secret distribution work of the distribution node has been completed. For subsequent secret reconstruction, and in some embodiments Existing operations such as adding participating nodes, removing participating nodes, and adjusting threshold values do not require the participation of distribution nodes, which is conducive to further ensuring the security of the solution of the present invention. Therefore, in practical applications, the distribution node can delete all the stored relevant information after completing the secret distribution work.
还需要说明的是,在进行份额的分发时,是按照元素位置的不同,将编码结果划分为n个份额,即不同的份额以及秘密元素均是伽罗华域中的元素,在计算机中可以使用相同大小的空间来实现单个伽罗华域中的元素的存储,即本发明的方案中,参与节点所保存的份额与秘密元素具有相同长度,使得本发明方案的秘密分发过程没有数据扩展,也有利于进一步地保障安全性。It should also be noted that when the shares are distributed, the encoding result is divided into n shares according to the different positions of the elements. That is, the different shares and secret elements are all elements in the Galois field. In the computer, it can be The same size of space is used to realize the storage of elements in a single Galois field, that is, in the scheme of the present invention, the shares saved by the participating nodes have the same length as the secret elements, so that there is no data expansion in the secret distribution process of the scheme of the present invention. It is also helpful to further ensure security.
在按照上文的描述进行了编码并且划分了份额之后,如果要实现秘密重构,参与秘密重构的参与节点的数量不能低于k,k为正整数,表示的是实现秘密重构的最小份额数量,也可以称为门限值。After encoding and dividing the shares as described above, if the secret reconstruction is to be realized, the number of participating nodes participating in the secret reconstruction cannot be less than k . k is a positive integer, which represents the minimum number of nodes to realize the secret reconstruction. The number of shares can also be called the threshold value.
也就是说,当r个参与节点利用r个份额进行秘密重构时,要求r≥k才能够实现秘密重构。如果r=k,此时没有纠错的能力,也就是说,此时只有r个参与节点均是诚实的,均未提供虚假份额时,能够基于r个份额重构出秘密元素,进而按照步骤S101中描述的转换规则,确定出对应于秘密元素的秘密信息。That is to say, when r participating nodes use r shares to perform secret reconstruction, r ≥ k is required to achieve secret reconstruction. If r = k , there is no error correction capability at this time. That is to say, at this time, only r participating nodes are honest and no false shares are provided. The secret elements can be reconstructed based on r shares, and then follow the steps The conversion rules described in S101 determine the secret information corresponding to the secret element.
而如果r>k,则可以判断r个份额中是否存在虚假份额,此时可以检测出不多于r-k个虚假份额,并且,可以先进行虚假份额的纠正,纠正之后再重构出秘密元素,进而按照步骤S101中描述的转换规则,确定出对应于秘密元素的秘密信息。在进行虚假份额的纠正时,虚假份额的纠正数量不超过。And if r > k , it can be determined whether there are false shares among r shares. At this time, no more than r - k false shares can be detected, and the false shares can be corrected first, and then the secret can be reconstructed after correction element, and then determine the secret information corresponding to the secret element according to the conversion rule described in step S101. When correcting false shares, the correction amount of false shares shall not exceed .
在经典的秘密共享技术中,秘密分发阶段结束后,系统所能实现的存取结构也随之固定。然而,从秘密分发到秘密重构期间,参与者集合或秘密重构的门限值可能发生变化。例如,某个参与者离开或遗失份额,将对整个系统的安全性造成重大威胁。产生这个问题的原因在于经典的秘密共享技术是针对固定的存取结构设计的,不能适应存取结构发生变化的情况,即不具备“动态”的性质。In the classic secret sharing technology, after the secret distribution phase is completed, the access structure that the system can achieve is also fixed. However, during the period from secret distribution to secret reconstruction, the set of participants or the threshold for secret reconstruction may change. For example, if a participant leaves or loses his shares, it will pose a major threat to the security of the entire system. The reason for this problem is that the classic secret sharing technology is designed for a fixed access structure and cannot adapt to changes in the access structure, that is, it does not have "dynamic" properties.
而本发明的方案中,能够支持增加参与节点,移除参与节点以及门限值的动态调整,并且均无需分发节点的参与。In the solution of the present invention, the addition of participating nodes, the removal of participating nodes and the dynamic adjustment of threshold values can be supported without the participation of distribution nodes.
在本发明的一种具体实施方式中,还可以包括:In a specific implementation of the present invention, it may also include:
当需要新增加1个参与节点时,由当前参与节点中不少于k个参与节点,按照预设的份额新增规则进行操作,以使得新增加的参与节点得到1个新增份额。When a new participating node needs to be added, no less than k participating nodes among the current participating nodes will operate according to the preset share addition rules, so that the newly added participating node gets an additional share.
该种实施方式中,如果需要新增加1个参与节点时,可以由不少于k个参与节点按照预设的份额新增规则进行操作,从而能够得到1个新增份额,作为新增加的参与节点的份额,因此该种实施方式有效地实现了份额的增加。In this implementation, if a new participating node needs to be added, no less than k participating nodes can operate according to the preset share adding rules, so that a new shared share can be obtained as a newly added participating node. Node share, so this implementation effectively achieves an increase in share.
对于预设的份额新增规则,可以根据实际需要,结合广义里德所罗门码的编码规则进行设定,例如,可以利用方程组求解的克莱姆法则,进行分布式计算,最终得到1个新增份额。The preset new share rules can be set according to actual needs in combination with the encoding rules of the generalized Reed-Solomon code. For example, the Clem's rule for solving a system of equations can be used to perform distributed calculations and finally obtain a new increase share.
在本发明的一种具体实施方式中,当需要新增加1个参与节点时,由当前参与节点中不少于k个参与节点,按照预设的份额新增规则进行操作,以使得新增加的参与节点得到1个新增份额,可以具体包括:In a specific implementation of the present invention, when a new participating node needs to be added, no less than k participating nodes among the current participating nodes will operate according to the preset share addition rules, so that the newly added Participating nodes get 1 new share, which can specifically include:
步骤一:当需要新增加1个参与节点时,由当前的n个参与节点中的r个参与节点进行各自的中间值的计算;Step 1: When a new participating node needs to be added, the r participating nodes among the current n participating nodes calculate their respective intermediate values;
其中,r个参与节点中的第i个参与节点所计算出的中间值表示为,s i 为第i个参与节点的份额,m i 为M -1的前k列子矩阵的第i行向量,矩阵/>,M -1为M的逆矩阵,/>,/>至/>为n个参与节点各自的身份信息,/>为新增加的参与节点的身份信息,T为转置矩阵符号,r≥k;Among them, the intermediate value calculated by the i- th participating node among the r participating nodes Expressed as , s i is the share of the i- th participating node, m i is the i- th row vector of the first k -column submatrix of M -1 , matrix /> , M -1 is the inverse matrix of M , /> ,/> to/> is the identity information of each of the n participating nodes,/> is the identity information of the newly added participating nodes, T is the symbol of the transposed matrix, r ≥ k ;
步骤二:基于预设的信息安全发送方式,使得新增加的参与节点确定出至/>的总和,并将总和作为新增加的参与节点所得到的1个新增份额,且使得新增加的参与节点无法确定出/>至/>中的任何1个中间值。Step 2: Based on the preset information security sending method, the newly added participating nodes are determined to/> The sum of , and the sum will be used as 1 new share obtained by the newly added participating nodes, and the newly added participating nodes cannot be determined/> to/> any intermediate value in .
该种实施方式中,给出了按照预设的份额新增规则进行操作,使得新增加的参与节点得到1个新增份额的具体实现。In this implementation mode, a specific implementation is provided to operate according to the preset share addition rules so that newly added participating nodes obtain one new share.
在未新增这1个参与节点之前,有n个参与节点,即新增加的参与节点是第n+1个参与节点,新增加的参与节点的身份信息表示为。可以理解的是,与/>至/>同理,对于新增加的参与节点的身份信息/>,也是从设定的伽罗华域中选取出的1个元素,并且与/>至/>均不相同。Before adding this 1 participating node, there were n participating nodes, that is, the newly added participating node is the n +1th participating node, and the identity information of the newly added participating node is expressed as . Understandably, with/> to/> In the same way, for the identity information of newly added participating nodes/> , which is also an element selected from the set Galois field, and with/> to/> All are different.
该种实施方式中进行中间值的计算的r个参与节点,可以是当前的n个参与节点中的任意r个参与节点。对于这r个参与节点,每个参与节点均会基于自身所保存的份额,利用方程组求解的克莱姆法则,来计算出1个中间值,从而实现了本发明的分布式计算的目的。In this implementation, the r participating nodes that perform intermediate value calculations may be any r participating nodes among the current n participating nodes. For these r participating nodes, each participating node will calculate an intermediate value based on its own saved share and use Clem's rule to solve the system of equations, thereby achieving the purpose of distributed computing of the present invention.
以r个参与节点中的第i个参与节点为例,第i个参与节点所计算出的中间值表示为/>,s i 为第i个参与节点的份额,m i 为M -1的前k列子矩阵的第i行向量, />,可以看出,对于第i个参与节点而言,s i ,m i 以及/>均是已知的。Taking the i- th participating node among r participating nodes as an example, the intermediate value calculated by the i- th participating node Expressed as/> , s i is the share of the i- th participating node, m i is the i- th row vector of the first k- column submatrix of M -1 , /> , it can be seen that for the i -th participating node, s i , m i and/> All are known.
r个参与节点均可以计算出相应的1个中间值,因此一共会得到r个中间值,这r个中间值的总和,也就是新增加的参与节点所得到的1个新增份额。Each of the r participating nodes can calculate a corresponding intermediate value, so a total of r intermediate values will be obtained. The sum of these r intermediate values is the new share obtained by the newly added participating nodes.
并且需要说明的是,对于r个参与节点而言,是基于预设的信息安全发送方式,使得新增加的参与节点能够确定出至/>的总和,但是又无法确定出/>至/>中的任何1个数值。这是因为如果r个参与节点直接将/>至/>发送给新增加的参与节点,该参与节点便能够基于/>至/>确定出相应的s 1至s r ,导致新增加的这一参与节点得到了多个份额,造成极大的安全隐患。And it should be noted that for the r participating nodes, it is based on the preset information security sending method, so that the newly added participating nodes can determine to/> The sum of , but it is impossible to determine/> to/> any value in . This is because if r participating nodes directly // to/> Sent to the newly added participating node, the participating node can then be based on/> to/> The corresponding s 1 to s r are determined, causing the newly added participating node to obtain multiple shares, causing great security risks.
基于预设的信息安全发送方式的具体规则可以根据实际需要进行设定和调整,只要能够实现本发明的目的即可,即要使得新增加的参与节点能够确定出至/>的总和,但又无法确定出/>至/>中的任何1个中间值。The specific rules based on the preset information security transmission method can be set and adjusted according to actual needs, as long as the purpose of the present invention can be achieved, that is, the newly added participating nodes can determine to/> The total of , but it is impossible to determine/> to/> any intermediate value in .
在本发明的一种具体实施方式中,上述步骤二可以具体包括:In a specific implementation of the present invention, the above step two may specifically include:
对于r个参与节点中的每1个参与节点,该参与节点将自身计算出的中间值分成r个数据,以使得分成的r个数据的和等于自身计算出的中间值,并且该参与节点在保留r个数据中的1个数据之后,将其余的r-1个数据分别发送给其余的r-1个参与节点;For each participating node among r participating nodes, the participating node divides the intermediate value calculated by itself into r data, so that the sum of the divided r data is equal to the intermediate value calculated by itself, and the participating node is in After retaining 1 piece of r data, the remaining r- 1 data are sent to the remaining r- 1 participating nodes;
对于r个参与节点中的每1个参与节点,该参与节点将保留的1个数据与接收到的r-1个数据进行求和,并将求和结果发送给新增加的参与节点,以使得新增加的参与节点将r个参与节点的发送数据进行求和之后得到至/>的总和,并将总和作为新增加的参与节点所得到的1个新增份额。For each participating node among r participating nodes, the participating node sums the retained 1 data with the received r- 1 data, and sends the summation result to the newly added participating node, so that The newly added participating node sums the sent data of r participating nodes and obtains to/> The total of , and the total is used as 1 new share obtained by the newly added participating nodes.
该种实施方式中,对于r个参与节点中的每1个参与节点,该参与节点将自身计算出的中间值分成r个数据,以使得分成的r个数据的和等于自身计算出的中间值,这在伽罗华域中可以方便地实现。In this implementation, for each participating node among the r participating nodes, the participating node divides the intermediate value calculated by itself into r pieces of data, so that the sum of the divided r pieces of data is equal to the intermediate value calculated by itself. , which can be easily implemented in the Galois domain.
以r个参与节点中的第i个参与节点为例,第i个参与节点所计算出的中间值为,然后,第i个参与节点需要从伽罗华域中选取出r个数据:/>,需要满足。对于选取出的/>至/>这r个数据,第i个参与节点需要保留这r个数据中的1个数据,并将其余的r-1个数据分别发送给其余的r-1个参与节点。Taking the i- th participating node among r participating nodes as an example, the intermediate value calculated by the i- th participating node is , then, the i -th participating node needs to select r pieces of data from the Galois field:/> , need to satisfy . For the selected/> to/> For this r data, the i -th participating node needs to retain 1 of the r data, and send the remaining r- 1 data to the remaining r- 1 participating nodes.
也就是说,算上自身保留的1个数据,以及其余的r-1个参与节点发送的r-1个数据,r个参与节点中的每1个参与节点都可以得到r个数据,并且会将这r个数据的求和结果发送给新增加的参与节点。That is to say, counting the 1 data retained by itself and the r- 1 data sent by the remaining r- 1 participating nodes, each of the r participating nodes can get r data and will Send the summation result of these r data to the newly added participating nodes.
可以看出,新增加的参与节点可以接收到r个参与节点发送的一共r个求和结果,将这r个求和结果进行求和,得到总和便是至/>的总和,从而将该总和作为新增加的参与节点所得到的1个新增份额。并且可以看出,由于该种实施方式中是将/>至/>进行了拆分再汇总,使得新增加的参与节点无法确定出/>至/>中的任何1个中间值。It can be seen that the newly added participating node can receive a total of r summation results sent by r participating nodes. These r summation results are summed to obtain the sum. to/> The total is regarded as one new share obtained by the newly added participating nodes. And it can be seen that since in this implementation mode/> to/> It was split and then summarized, making it impossible to determine the newly added participating nodes/> to/> any intermediate value in .
此外还需要指出的是,上文中,是以当前具有n个参与节点为例,即新增的参与节点是第n+1个参与节点,在实际应用中,可以进一步地增加1个或者多个参与节点,每次增加1个参与节点时,原理与上文相同。同样的,后文中,也是以当前具有n个参与节点为例,对移除第n个参与节点进行说明,在实际应用中,可以进一步地移除1个或者多个参与节点,原理与此相同。In addition, it should be pointed out that in the above, there are currently n participating nodes as an example, that is, the new participating node is the n+ 1th participating node. In actual applications, one or more participating nodes can be further added. Node, each time a participating node is added, the principle is the same as above. Similarly, in the following article, we will also take the current n participating nodes as an example to explain the removal of the nth participating node. In actual applications, one or more participating nodes can be further removed. The principle is the same. .
在本发明的一种具体实施方式中,还可以包括:In a specific implementation of the present invention, it may also include:
当需要移除1个参与节点时,由当前参与节点中不少于k个参与节点,按照预设的参与节点移除规则进行操作,以使得除去被移除的参与节点之外的剩余的各个参与节点均得到1个新份额以替换原本的份额。When a participating node needs to be removed, no less than k participating nodes among the current participating nodes will be operated according to the preset participating node removal rules, so that the remaining participating nodes except the removed participating node will be removed. Participating nodes each receive a new share to replace the original share.
如上文的描述,在经典的秘密共享技术中,秘密分发阶段结束后,系统所能实现的存取结构也随之固定,不能适应存取结构发生变化的情况,即不具备“动态”的性质。本发明的方案中,能够支持增加参与节点,移除参与节点以及门限值的动态调整,并且均无需分发节点的参与。As described above, in the classic secret sharing technology, after the secret distribution phase is over, the access structure that the system can achieve is also fixed, and it cannot adapt to changes in the access structure, that is, it does not have "dynamic" properties. . In the solution of the present invention, the addition of participating nodes, the removal of participating nodes and the dynamic adjustment of threshold values can be supported, without the participation of distribution nodes.
该种实施方式中,如果需要移除1个参与节点,可以由不少于k个参与节点按照预设的参与节点移除规则进行操作,从而使得除去被移除的参与节点之外的剩余的各个参与节点均可以得到1个新份额以替换旧的失效份额,因此该种实施方式有效地实现了参与节点的移除。In this implementation, if one participating node needs to be removed, no less than k participating nodes can operate according to the preset participating node removal rules, so that the remaining participating nodes except the removed participating nodes can Each participating node can obtain a new share to replace the old invalid share, so this implementation method effectively realizes the removal of participating nodes.
对于预设的参与节点移除规则,可以根据实际需要,结合广义里德所罗门码的编码规则进行设定,例如,可以利用方程组求解的克莱姆法则,进行分布式计算,最终为当前剩余的各个参与节点配置1个新份额。The preset participating node removal rules can be set according to actual needs in combination with the encoding rules of the generalized Reed-Solomon code. For example, the Clem's rule for solving a system of equations can be used to perform distributed calculations, and finally the current residual Each participating node is configured with a new share.
在本发明的一种具体实施方式中,当需要移除1个参与节点时,由当前参与节点中不少于k个参与节点,按照预设的参与节点移除规则进行操作,以使得除去被移除的参与节点之外的剩余的各个参与节点均得到1个新份额以替换原本的份额,可以具体包括:In a specific implementation of the present invention, when one participating node needs to be removed, no less than k participating nodes among the current participating nodes operate according to the preset participating node removal rules, so that the removed Each remaining participating node except the removed participating nodes will receive a new share to replace the original share, which can specifically include:
第一个步骤:当需要移除1个参与节点时,由当前的n个参与节点中的r个参与节点基于各自当前的份额,进行各自的子秘密数据的计算;The first step: When one participating node needs to be removed, the r participating nodes among the current n participating nodes will calculate their respective sub-secret data based on their current shares;
其中,r个参与节点中的第i个参与节点所计算出的子秘密数据a i0表示为,s i 为第i个参与节点的份额,M i0为/>在M中的代数余子式,矩阵,det(M)表示的是M的行列式,/>至/>为n个参与节点各自的身份信息,r≥k;Among them, the sub-secret data a i 0 calculated by the i- th participating node among the r participating nodes is expressed as , s i is the share of the i- th participating node, M i 0 is/> Algebraic cofactors in M , matrices , det( M ) represents the determinant of M ,/> to/> is the identity information of each of the n participating nodes, r ≥ k ;
第二个步骤:基于r个子秘密数据,由r个参与节点按照预设的份额安全生成方式进行操作,以使得除去被移除的参与节点之外的剩余的各个参与节点均得到1个新份额以替换原本的份额,且使得任一参与节点无法获取到其他任一参与节点的子秘密数据。The second step: Based on r sub-secret data, r participating nodes operate according to the preset secure share generation method, so that all remaining participating nodes except the removed participating nodes receive a new share. to replace the original share and make it impossible for any participating node to obtain the sub-secret data of any other participating node.
该种实施方式中,给出了按照预设的参与节点移除规则进行操作,完成参与节点移除的具体实现。In this implementation mode, a specific implementation is provided to operate according to the preset participating node removal rules and complete the removal of participating nodes.
该种实施方式中,在未移除这1个参与节点之前,有n个参与节点,例如需要被移除的参与节点是第n个参与节点。In this implementation manner, before this one participating node is removed, there are n participating nodes. For example, the participating node that needs to be removed is the nth participating node.
该种实施方式中进行子秘密数据的计算的r个参与节点,可以是当前的n个参与节点中的任意r个参与节点,当然,r个参与节点中不会包括要被移除的参与节点。对于这r个参与节点,每个参与节点均会基于自身所保存的份额,来计算出1个子秘密数据,从而实现了本发明的分布式计算的目的。In this implementation, the r participating nodes that perform calculation of sub-secret data can be any r participating nodes among the current n participating nodes. Of course, the r participating nodes will not include participating nodes to be removed. . For these r participating nodes, each participating node will calculate a sub-secret data based on its own saved share, thereby achieving the purpose of distributed computing of the present invention.
以r个参与节点中的第i个参与节点为例,第i个参与节点所计算出的子秘密数据a i0表示为,可以看出,对于第i个参与节点而言,s i ,M i0以及det(M)均是已知的。Taking the i- th participating node among r participating nodes as an example, the sub-secret data a i 0 calculated by the i -th participating node is expressed as , it can be seen that for the i -th participating node, s i , Mi 0 and det ( M ) are all known.
r个参与节点均可以基于自身的份额,计算出1个相应的子秘密数据,因此一共会得到r个子秘密数据,基于这r个子秘密数据,由r个参与节点按照预设的份额安全生成方式进行操作,以使得除去被移除的参与节点之外的剩余的各个参与节点均可以得到1个新份额以替换原本的份额,且使得任一参与节点无法获取到其他任一参与节点的子秘密数据。Each r participating node can calculate a corresponding sub-secret data based on its own share, so a total of r sub-secret data will be obtained. Based on these r sub-secret data, the r participating nodes will generate it safely according to the preset share method. Carry out operations so that all remaining participating nodes except the removed participating node can obtain a new share to replace the original share, and make it impossible for any participating node to obtain the sub-secret of any other participating node. data.
需要说明的是,该种实施方式中对于r个参与节点而言,是按照预设的份额安全生成方式进行操作,不仅达到了除去被移除的参与节点之外的剩余的各个参与节点均得到1个新份额这一目的,还使得任一参与节点无法获取到其他任一参与节点的子秘密数据。这是考虑到如果在得到各个新份额的这一过程中,某个参与节点获取到其他参与节点的子秘密数据,便可以据此确定出相应的参与节点的份额或者对r个子秘密数据求和得到秘密元素,会造成极大的安全隐患。It should be noted that in this implementation, for the r participating nodes, the operation is performed according to the preset safe generation method of shares, which not only achieves the goal of all remaining participating nodes except the removed participating nodes. The purpose of creating a new share also makes it impossible for any participating node to obtain the sub-secret data of any other participating node. This is taken into account that if in the process of obtaining each new share, a participating node obtains the sub-secret data of other participating nodes, it can determine the share of the corresponding participating node or sum the r sub-secret data accordingly. Obtaining secret elements will cause great security risks.
预设的份额安全生成方式的具体规则可以根据实际需要进行设定和调整,只要能够实现本发明的目的即可,即,要使得除去被移除的参与节点之外的剩余的各个参与节点均得到1个新份额以替换原本的份额,同时,使得任一参与节点无法获取到其他任一参与节点的子秘密数据。The specific rules of the preset safe share generation method can be set and adjusted according to actual needs, as long as the purpose of the present invention can be achieved, that is, to ensure that all remaining participating nodes except the removed participating nodes are A new share is obtained to replace the original share, and at the same time, any participating node cannot obtain the sub-secret data of any other participating node.
在本发明的一种具体实施方式中,上述第二个步骤可以具体包括:In a specific implementation of the present invention, the above second step may specifically include:
对于r个参与节点中的每1个参与节点,该参与节点通过自身计算出的子秘密数据,以及自身构造的第一多项式,计算出n-1个子份额数值,并将计算出的n-1个子份额数值分别分配给除去被移除的参与节点之外的包括自身在内的n-1个剩余的参与节点;For each participating node among the r participating nodes, the participating node calculates n -1 sub-share values through the sub-secret data calculated by itself and the first polynomial constructed by itself, and calculates the calculated n -1 sub-share value is allocated to the n -1 remaining participating nodes, including itself, excluding the removed participating nodes;
对于当前除去被移除的参与节点之外的剩余的n-1个参与节点,该参与节点在得到了r个子份额数值之后,将自身得到的r个子份额数值求和,作为得到的自身的新份额以替换自身的原本的份额;For the remaining n -1 participating nodes except the removed participating nodes, after obtaining the r sub-share values, the participating node sums up the r sub-share values it obtained as its own new share to replace its own original share;
其中,r个参与节点中第i个参与节点所构造的第一多项式表示为,t为正整数且1≤t≤k-1,a i1至a i(k-1)为第i个参与节点从伽罗华域中选取出的k-1个元素;第i个参与节点通过将所构造的第一多项式的自变量x的取值依次取值为除去被移除的参与节点之外的剩余的n-1个参与节点的身份信息,依次计算出n-1个子份额数值。Among them, the first polynomial constructed by the i- th participating node among the r participating nodes is expressed as , t is a positive integer and 1≤ t ≤ k -1, a i 1 to a i ( k -1) are the k -1 elements selected from the Galois field by the i -th participating node; the i -th participating node The node calculates n -1 in sequence by taking the value of the independent variable x of the constructed first polynomial to the identity information of the remaining n -1 participating nodes excluding the removed participating nodes. sub-share value.
该种实施方式中,对于r个参与节点中的每1个参与节点,该参与节点将自身计算出的子秘密数据用第一多项式来进行体现,这在伽罗华域中可以方便地实现,并且不会暴露出自身计算出的子秘密数据。In this implementation, for each participating node among the r participating nodes, the participating node uses the first polynomial to represent the sub-secret data calculated by itself. This can be conveniently done in the Galois field. Implemented without exposing self-computed sub-secret data.
以r个参与节点中的第i个参与节点为例,第i个参与节点所计算出的子秘密数据为a i0,需要从伽罗华域中选取出的k-1个元素:,可以看出,此处的a i1至a i(k-1)表示的是第i个参与节点从伽罗华域中均匀随机地选取出的k-1个元素,a i1至a i(k-1)这k-1个的元素是用来作为第i个参与节点所构造的第一多项式的系数。即,第i个参与节点所构造的第一多项式表示为/>。此外可以理解的是,对于不同的参与节点,所构造的第一多项式中的各项系数可以不同。Taking the i- th participating node among r participating nodes as an example, the sub-secret data calculated by the i -th participating node is a i 0 , and k -1 elements need to be selected from the Galois field: , it can be seen that a i 1 to a i ( k -1) here represent the k -1 elements uniformly and randomly selected by the i- th participating node from the Galois field, a i 1 to a The k -1 elements of i ( k -1) are used as coefficients of the first polynomial constructed by the i- th participating node. That is, the first polynomial constructed by the i- th participating node is expressed as/> . In addition, it can be understood that for different participating nodes, the coefficients in the constructed first polynomial may be different.
第i个参与节点构造了自身的第一多项式之后,会将第一多项式的自变量x的取值依次取值为除去被移除的参与节点之外的剩余的n-1个参与节点的身份信息,从而依次计算出n-1个子份额数值。例如至/>为n个参与节点各自的身份信息,且第n个参与节点是被移除的参与节点,则x依次取值为/>至/>,第i个参与节点便可以计算出n-1个子份额数值,进而将计算出的这n-1个子份额数值分别分配给包括自身在内的n-1个剩余的参与节点,即该例子中将计算出的这n-1个子份额数值分别分配给第1个参与节点至第n-1个参与节点。After the i- th participating node constructs its own first polynomial, the value of the independent variable x of the first polynomial will be successively taken as the remaining n -1 values excluding the removed participating node. The identity information of the participating nodes is used to calculate n -1 sub-share values in sequence. For example to/> is the identity information of each of the n participating nodes, and the nth participating node is the removed participating node, then the value of x is/> to/> , the i -th participating node can calculate the n -1 sub-share values, and then distribute the calculated n -1 sub-share values to the n -1 remaining participating nodes including itself, that is, in this example The calculated n -1 sub-share values are allocated to the first participating node to the n -1 participating node respectively.
可以看出,对于当前除去被移除的参与节点之外的剩余的n-1个参与节点,其中的每个参与节点均能够得到r个子份额数值,得到之后,将自身得到的这r个子份额数值求和,便确定出了自身的新份额,自身的原本的份额此时已经失效,可以删除。并且可以看出,由于该种实施方式中使用第一多项式使得不会直接暴露出子秘密数据,使得任一参与节点均无法获取到其他任一参与节点的子秘密数据。It can be seen that for the remaining n -1 participating nodes except the removed participating nodes, each participating node can obtain the r sub-share value. After obtaining it, the r sub-share value obtained by itself will be By summing the values, one's new share is determined. The one's original share is now invalid and can be deleted. And it can be seen that since the first polynomial is used in this implementation, the sub-secret data will not be directly exposed, so that no participating node can obtain the sub-secret data of any other participating node.
在本发明的一种具体实施方式中,还可以包括:In a specific implementation of the present invention, it may also include:
当需要调整实现秘密重构的最小份额数量k的数值时,由当前参与节点中不少于k个参与节点,按照预设的门限调整规则进行操作,以使得当前的各个参与节点均得到1个新份额以替换原本的份额,且使得实现秘密重构的最小份额数量从k调整为。可以理解的是,/>表示的是调整之后的实现秘密重构的最小份额数量。When it is necessary to adjust the value of the minimum number of shares k to achieve secret reconstruction, no less than k participating nodes among the current participating nodes will operate according to the preset threshold adjustment rules, so that each current participating node gets 1 The new shares replace the original shares, and the minimum number of shares to achieve secret reconstruction is adjusted from k to . Understandably,/> Indicates the minimum number of shares required to achieve secret reconstruction after adjustment.
本发明的方案中,能够支持增加参与节点,移除参与节点以及门限值的动态调整,并且均无需分发节点的参与。In the solution of the present invention, the addition of participating nodes, the removal of participating nodes and the dynamic adjustment of threshold values can be supported, without the participation of distribution nodes.
该种实施方式中,如果需要调整实现秘密重构的最小份额数量k的数值,即如果需要调整门限值,可以由不少于k个参与节点按照预设的门限调整规则进行操作,从而使得当前的各个参与节点均得到1个新份额以替换原本的份额,且使得实现秘密重构的最小份额数量从k调整为,因此该种实施方式有效地实现了门限值的调整。In this implementation, if it is necessary to adjust the value of the minimum number of shares k to achieve secret reconstruction, that is, if the threshold value needs to be adjusted, no less than k participating nodes can operate according to the preset threshold adjustment rules, so that Each current participating node gets a new share to replace the original share, and the minimum number of shares to achieve secret reconstruction is adjusted from k to , so this implementation effectively realizes the adjustment of the threshold value.
对于预设的门限调整规则,可以根据实际需要,结合广义里德所罗门码的编码规则进行设定,例如,可以利用方程组求解的克莱姆法则,进行分布式计算来实现门限值的调整。The preset threshold adjustment rules can be set according to actual needs in combination with the encoding rules of the generalized Reed-Solomon code. For example, the Clem's rule for solving a system of equations can be used to perform distributed calculations to adjust the threshold value. .
在本发明的一种具体实施方式中,当需要调整实现秘密重构的最小份额数量k的数值时,由当前参与节点中不少于k个参与节点,按照预设的门限调整规则进行操作,以使得当前的各个参与节点均得到1个新份额以替换原本的份额,且使得实现秘密重构的最小份额数量从k调整为,可以包括:In a specific implementation of the present invention, when it is necessary to adjust the value of the minimum number of shares k to achieve secret reconstruction, no less than k participating nodes among the current participating nodes will operate according to the preset threshold adjustment rules. So that each current participating node gets a new share to replace the original share, and the minimum number of shares to achieve secret reconstruction is adjusted from k to , which can include:
当需要调整实现秘密重构的最小份额数量k的数值时,由当前的n个参与节点中的r个参与节点基于各自当前的份额,进行各自的子秘密数据的计算;When it is necessary to adjust the value of the minimum number of shares k to achieve secret reconstruction, the r participating nodes among the current n participating nodes will calculate their respective sub-secret data based on their current shares;
其中,r个参与节点中的第i个参与节点所计算出的子秘密数据a i0表示为:,s i 为第i个参与节点的份额,M i0为/>在M中的代数余子式,矩阵/>,det(M)表示的是M的行列式,/>至/>为n个参与节点各自的身份信息,r≥k;Among them, the sub-secret data a i 0 calculated by the i- th participating node among the r participating nodes is expressed as: , s i is the share of the i- th participating node, M i 0 is/> Algebraic cofactors in M , matrices/> , det( M ) represents the determinant of M ,/> to/> is the identity information of each of the n participating nodes, r ≥ k ;
基于r个子秘密数据,由r个参与节点按照预设的门限调整方式进行操作,以使得各个参与节点均得到1个新份额以替换原本的份额,且使得任一参与节点无法获取到其他任一参与节点的子秘密数据,且使得实现秘密重构的最小份额数量从k调整为。Based on r sub-secret data, r participating nodes operate according to the preset threshold adjustment method, so that each participating node gets a new share to replace the original share, and no participating node can obtain any other The child secret data of participating nodes, and the minimum number of shares to achieve secret reconstruction is adjusted from k to .
该种实施方式中,给出了按照预设的门限调整规则进行操作,完成参与门限值调整的具体实现。In this implementation manner, a specific implementation is provided to operate according to the preset threshold adjustment rules and complete the adjustment of the participation threshold value.
该种实施方式中完成门限值调整的r个参与节点,可以是当前的n个参与节点中的任意r个参与节点。对于这r个参与节点,每个参与节点均会基于自身所保存的份额,来计算出1个相应的子秘密数据,从而实现了本发明的分布式计算的目的。In this implementation, the r participating nodes that complete the threshold value adjustment can be any r participating nodes among the current n participating nodes. For these r participating nodes, each participating node will calculate a corresponding sub-secret data based on its own saved share, thus achieving the purpose of distributed computing of the present invention.
以r个参与节点中的第i个参与节点为例,第i个参与节点所计算出的子秘密数据a i0表示为,可参阅上文的描述此处便不再重复说明。Taking the i- th participating node among r participating nodes as an example, the sub-secret data a i 0 calculated by the i -th participating node is expressed as , please refer to the above description and will not repeat the description here.
r个参与节点均可以基于自身的份额,计算出1个子秘密数据,因此一共会得到r个子秘密数据,基于这r个子秘密数据,由r个参与节点按照预设的门限调整方式进行操作,以使得n个参与节点中的每个参与节点均可以得到1个新份额以替换原本的份额,且使得任一参与节点无法获取到其他任一参与节点的子秘密数据,且使得实现秘密重构的最小份额数量从k调整为。Each r participating node can calculate 1 sub-secret data based on its own share, so a total of r sub-secret data will be obtained. Based on this r sub-secret data, the r participating nodes operate according to the preset threshold adjustment method to This allows each participating node among the n participating nodes to obtain a new share to replace the original share, and makes it impossible for any participating node to obtain the sub-secret data of any other participating node, and makes it possible to achieve secret reconstruction. The minimum number of shares is adjusted from k to .
需要说明的是,该种实施方式中对于r个参与节点而言,是按照预设的门限调整方式进行操作,不仅达到了门限值调整的目的,还使得任一参与节点无法获取到其他任一参与节点的子秘密数据。这是考虑到如果在门限值调整的过程中,如果某个参与节点获取到其他参与节点的子秘密数据,便可以据此确定出相应的参与节点的份额,造成极大的安全隐患。It should be noted that in this implementation, the r participating nodes are operated according to the preset threshold adjustment method, which not only achieves the purpose of threshold value adjustment, but also makes it impossible for any participating node to obtain any other The child secret data of a participating node. This is because during the threshold adjustment process, if a participating node obtains the sub-secret data of other participating nodes, it can determine the share of the corresponding participating nodes based on this, causing a huge security risk.
预设的门限调整方式的具体规则可以根据实际需要进行设定和调整,只要能够实现本发明的目的即可,即,不仅要实现门限值的调整,同时,使得任一参与节点无法获取到其他任一参与节点的子秘密数据。The specific rules of the preset threshold adjustment method can be set and adjusted according to actual needs, as long as the purpose of the present invention can be achieved, that is, not only the adjustment of the threshold value must be realized, but at the same time, any participating node cannot obtain the The child secret data of any other participating node.
在本发明的一种具体实施方式中,基于r个子秘密数据,由r个参与节点按照预设的门限调整方式进行操作,以使得各个参与节点均得到1个新份额以替换原本的份额,且使得任一参与节点无法获取到其他任一参与节点的子秘密数据,且使得实现秘密重构的最小份额数量从k调整为,可以具体包括:In a specific implementation of the present invention, based on r sub-secret data, r participating nodes operate according to a preset threshold adjustment method, so that each participating node obtains a new share to replace the original share, and This makes it impossible for any participating node to obtain the sub-secret data of any other participating node, and the minimum number of shares to achieve secret reconstruction is adjusted from k to , which can specifically include:
对于r个参与节点中的每1个参与节点,该参与节点通过自身计算出的子秘密数据,以及自身构造的第二多项式,计算出n个子份额数值,并将计算出的n个子份额数值分别分配给包括自身在内的n个参与节点;For each participating node among the r participating nodes, the participating node calculates the n sub-share values through the sub-secret data calculated by itself and the second polynomial constructed by itself, and uses the calculated n sub-shares Values are assigned to n participating nodes including itself;
对于n个参与节点中的每一个参与节点,该参与节点在得到了r个子份额数值之后,将自身得到的r个子份额数值求和,作为得到的自身的新份额以替换自身的原本的份额;For each participating node among the n participating nodes, after obtaining the r sub-share values, the participating node sums up the r sub-share values it obtained as its own new share to replace its original share;
其中,r个参与节点中第i个参与节点所构造的第二多项式表示为,c为正整数且/>,a i1至/>为第i个参与节点从伽罗华域中选取出的/>个元素;第i个参与节点通过将所构造的第二多项式的自变量x的取值依次取值为当前的n个参与节点的身份信息,依次计算出n个子份额数值。Among them, the second polynomial constructed by the i- th participating node among the r participating nodes is expressed as , c is a positive integer and/> , a i 1 to/> Selected from the Galois field for the i- th participating node/> elements; the i -th participating node successively calculates n sub-share values by taking the value of the independent variable x of the constructed second polynomial as the identity information of the current n participating nodes.
与上文的实施方式同理,该种实施方式中,对于r个参与节点中的每1个参与节点,该参与节点将自身计算出的子秘密数据用第二多项式来体现,这在伽罗华域中可以方便地实现,并且不会暴露出自身计算出的子秘密数据。In the same manner as the above implementation, in this implementation, for each participating node among the r participating nodes, the participating node uses a second polynomial to represent the sub-secret data calculated by itself, which is It can be easily implemented in the Galois field without exposing the sub-secret data calculated by itself.
以r个参与节点中的第i个参与节点为例,第i个参与节点所计算出的子秘密数据为a i0,由于门限值进行了调整,即k的数值调整为,因此,第i个参与节点需要从伽罗华域中选取出/>个元素:/>,可以看出,此处的a i1至/>表示的是第i个参与节点从伽罗华域中均匀随机地选取出的/>个元素,a i1至/>这/>个元素用来作为第i个参与节点所构造的第二多项式的系数。即,第i个参与节点所构造的第二多项式表示为/>。此外可以理解的是,对于不同的参与节点,所构造的第二多项式中的各项系数可以不同。Taking the i- th participating node among r participating nodes as an example, the sub-secret data calculated by the i -th participating node is a i 0 . Since the threshold value has been adjusted, that is, the value of k is adjusted to , therefore, the i -th participating node needs to be selected from the Galois field/> elements:/> , it can be seen that a i 1 to/> It represents that the i- th participating node is uniformly and randomly selected from the Galois field/> elements, a i 1 to/> This/> elements are used as coefficients of the second polynomial constructed by the i- th participating node. That is, the second polynomial constructed by the i- th participating node is expressed as/> . In addition, it can be understood that for different participating nodes, the coefficients in the constructed second polynomial may be different.
第i个参与节点构造了自身的第二多项式之后,会将第二多项式的自变量x的取值依次取值为当前的n个参与节点的身份信息,从而依次计算出n个子份额数值。例如至为n个参与节点各自的身份信息,则x依次取值为/>至/>,第i个参与节点便可以计算出n个子份额数值,进而将计算出的这n个子份额数值分别分配给包括自身在内的n个参与节点。After the i- th participating node constructs its own second polynomial, the value of the independent variable x of the second polynomial will be taken as the identity information of the current n participating nodes, thereby calculating n sub- Share value. For example to is the identity information of each of the n participating nodes, then the value of x is/> to/> , the i -th participating node can calculate the n sub-share values, and then distribute the calculated n sub-share values to n participating nodes including itself.
可以看出,对于n个参与节点的每个参与节点,均能够得到r个子份额数值,得到之后,将自身得到的这r个子份额数值求和,便确定出了自身的新份额,自身的原本的份额此时已经失效,可以删除。可以看出,由于该种实施方式中使用多项式进行了包装,使得任一参与节点均无法获取到其他任一参与节点的子秘密数据。It can be seen that for each of the n participating nodes, r sub-share values can be obtained. After obtaining the r sub-share values, the r sub-share values obtained by it are summed to determine its own new share and its original share. The share has expired at this time and can be deleted. It can be seen that since polynomials are used for packaging in this implementation, no participating node can obtain the sub-secret data of any other participating node.
在本发明的一种具体实施方式中,步骤S105可以具体包括:In a specific implementation of the present invention, step S105 may specifically include:
按照元素位置的不同,将编码结果划分为n个份额并分别发送给n个参与节点,以使得当r个参与节点利用r个份额进行秘密重构时,如果r=k,则基于r个份额重构出秘密元素并确定出对应于秘密元素的秘密信息,如果r>k,则判断s·H T =0是否成立,如果不成立,则判断出r个份额中存在虚假份额时,在进行虚假份额的纠正之后再重构出秘密元素,并确定出对应于秘密元素的秘密信息;According to the different positions of the elements, the encoding result is divided into n shares and sent to n participating nodes respectively, so that when r participating nodes use r shares for secret reconstruction, if r = k , then based on r shares Reconstruct the secret element and determine the secret information corresponding to the secret element. If r > k , then judge whether s · H T =0 is true. If not, then judge that there are false shares among r shares. When performing false After the share is corrected, the secret element is reconstructed, and the secret information corresponding to the secret element is determined;
其中,H为满足M k H T =0的(r-k)×r阶满秩矩阵,M k 为矩阵M的前k行构成的子矩阵,T为转置矩阵符号,矩阵,/>至/>为n个参与节点各自的身份信息,/>,s 1至s r 表示的是进行秘密重构的r个参与节点各自的份额。Among them, H is a ( r - k ) × r- order full-rank matrix that satisfies M k H T =0, M k is a submatrix composed of the first k rows of matrix M , T is the transpose matrix symbol, and the matrix ,/> to/> is the identity information of each of the n participating nodes,/> , s 1 to s r represent the respective shares of the r participating nodes that perform secret reconstruction.
如上文的描述,当r个参与节点利用r个份额进行秘密重构时,要求r≥k才能够实现秘密重构。如果r>k,则可以判断r个份额中是否存在虚假份额,此时可以检测出不多于r-k个虚假份额。As described above, when r participating nodes use r shares to perform secret reconstruction, r ≥ k is required to achieve secret reconstruction. If r > k , it can be determined whether there are false shares among r shares. At this time, no more than r - k false shares can be detected.
该种实施方式中,r>k时,可以判断s·H T =0是否成立,来确定出r个参与节点是否均是诚实的。In this implementation, when r > k , it can be judged whether s · HT =0 is established to determine whether all r participating nodes are honest.
如果s·H T =0成立,可以确定没有参与节点提供虚假份额,因此可以直接基于r个份额重构出秘密元素并确定出对应于秘密元素的秘密信息,如果s·H T =0不成立,则需要在进行虚假份额的纠正之后再重构出秘密元素,并确定出对应于秘密元素的秘密信息。If s · H T =0 holds, it can be determined that no participating node provides false shares, so the secret element can be reconstructed directly based on r shares and the secret information corresponding to the secret element can be determined. If s · H T =0 does not hold, Then it is necessary to reconstruct the secret element after correcting the false shares, and determine the secret information corresponding to the secret element.
在本发明的一种具体实施方式中,还可以包括:In a specific implementation of the present invention, it may also include:
当r个参与节点利用r个份额进行秘密重构,并且在判断出r个份额中存在虚假份额时,如果虚假份额数量不超过,r个参与节点均确定出各个虚假份额各自对应的参与节点的身份信息。When r participating nodes use r shares for secret reconstruction, and when it is determined that there are false shares among the r shares, if the number of false shares does not exceed , r participating nodes all determine the identity information of the participating nodes corresponding to each false share.
基于广义里德所罗门码的原理,如果r>k时,如果虚假份额数量不超过r-k,则能够判断出存在虚假份额。而如果虚假份额数量不超过,则不仅可以判断出r个份额中是否存在虚假份额,还可以进一步地确定出具体哪1个或者哪几个份额是虚假份额,即该种实施方式中,在判断出r个份额中存在虚假份额时,如果虚假份额数量不超过/>,r个参与节点均可以确定出各个虚假份额各自对应的参与节点的身份信息,即找到提高了虚假份额的参与节点的ID,实现其身份确定。此外可以理解的是,如果虚假份额数量超过了但是不超过r-k,则只能够判断出存在虚假份额,但是无法实现虚假份额的定位。Based on the principle of generalized Reed-Solomon code, if r > k , if the number of false shares does not exceed r - k , it can be determined that there are false shares. And if the number of false shares does not exceed , it can not only determine whether there are false shares among the r shares, but also further determine which one or several shares are false shares. That is, in this implementation, it is possible to determine whether there are false shares among the r shares. shares, if the number of false shares does not exceed/> , r participating nodes can all determine the identity information of the participating nodes corresponding to each false share, that is, find the ID of the participating node that has increased the false share, and determine its identity. Furthermore, it is understandable that if the number of false shares exceeds But if it does not exceed r - k , it can only be judged that there is a false share, but the positioning of the false share cannot be achieved.
在本发明的一种具体实施方式中,如果r=k,则基于r个份额重构出秘密元素并确定出对应于秘密元素的秘密信息,包括:In a specific implementation of the present invention, if r = k , reconstruct the secret element based on r shares and determine the secret information corresponding to the secret element, including:
如果r=k,则基于r个份额,通过计算的方式重构出秘密元素并确定出对应于秘密元素的秘密信息。If r = k , then based on r shares, calculate The method reconstructs the secret elements and determines the secret information corresponding to the secret elements.
该种实施方式中,在基于r个份额实现秘密重构时,是通过计算的方式重构出秘密元素,计算上较为简单方便。例如上文例子中,秘密元素表示为a 0,且包含k个元素的待编码向量为a =(a 0,a 1,...,a k-1),即秘密元素a 0是在待编码向量的第一个元素位置处,则计算/>之后,得到的第1个分量便是秘密元素a 0。In this implementation, when realizing secret reconstruction based on r shares, it is calculated by The secret element is reconstructed in this way, which is relatively simple and convenient in calculation. For example, in the above example, the secret element is represented as a 0 , and the vector to be encoded containing k elements is a = ( a 0 , a 1 ,..., a k -1 ), that is, the secret element a 0 is to be encoded At the position of the first element of the encoding vector, calculate/> After that, the first component obtained is the secret element a 0 .
此外可以理解的是,在r>k时且进行了虚假份额的纠正之后,同样可以通过计算的方式重构出秘密元素。In addition, it can be understood that when r > k and after correcting the false shares, it can also be calculated by way to reconstruct the secret elements.
在本发明的一种具体实施方式中,还可以包括:In a specific implementation of the present invention, it may also include:
当r个参与节点利用r个份额进行秘密重构且r=k时,在基于r个份额重构出秘密元素之后,r个参与节点均输出重构出的秘密元素存在安全隐患的提示信息。When r participating nodes use r shares to perform secret reconstruction and r = k , after reconstructing the secret element based on r shares, all r participating nodes output prompt information indicating that the reconstructed secret element has security risks.
如上文的描述,r=k时也能够实现正确的秘密重构,但前提是没有参与节点提供虚假份额。并且r=k时,即便进行了秘密重构,也无法确定是否有参与节点提供的是虚假份额,因此,该种实施方式中,会在这种情况下输出秘密元素存在安全隐患的提示信息,以便提醒各个参与节点注意该情况。As described above, correct secret reconstruction can also be achieved when r = k , but only if no participating nodes provide false shares. And when r = k , even if the secret is reconstructed, it cannot be determined whether any participating node provides false shares. Therefore, in this implementation, a prompt message indicating that the secret element has security risks will be output in this case. In order to remind all participating nodes to pay attention to this situation.
应用本发明实施例所提供的技术方案,有益效果在于,本发明的方案是基于广义里德所罗门码来实现秘密信息的共享,可以有效地应对欺诈者提供虚假份额的情况。并且本发明的方案的安全性不依赖于任何计算困难性的假设,即本发明的方案是信息论安全而不是经典方案计算意义上的安全,因此本发明的方案能够抵抗量子计算攻击。此外,在进行秘密分发之后,包括秘密重构在内的后续各阶段,本发明的方案均不需要分发节点的参与,有利于进一步地提高灵活性和可靠性。参与节点所保存的份额与秘密元素具有相同长度,使得本发明方案的秘密分发过程没有数据扩展,也有利于进一步地保障安全性。The beneficial effect of applying the technical solutions provided by the embodiments of the present invention is that the solution of the present invention is based on the generalized Reed-Solomon code to realize the sharing of secret information, and can effectively deal with the situation where fraudsters provide false shares. Moreover, the security of the solution of the present invention does not depend on any assumption of computational difficulty, that is, the solution of the present invention is information-theoretic security rather than security in the computational sense of the classical solution. Therefore, the solution of the present invention can resist quantum computing attacks. In addition, after secret distribution, the solution of the present invention does not require the participation of distribution nodes in subsequent stages including secret reconstruction, which is conducive to further improving flexibility and reliability. The shares saved by the participating nodes have the same length as the secret elements, so that there is no data expansion in the secret distribution process of the solution of the present invention, and it is also conducive to further ensuring security.
具体的,为了后续能够基于广义里德所罗门码实现编码,本发明的方案中,分发节点按照需要设定的转换规则,将秘密信息转换为设定的伽罗华域中的一个元素,作为秘密元素,该秘密元素可以与从伽罗华域中选取出的k-1个元素,一起构成一个包含k个元素的待编码向量,即该待编码向量中携带有秘密元素。对于n个参与节点,需要从设定的伽罗华域中选取出n个互异的元素,作为n个参与节点的公开的身份信息。基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息对待编码向量进行编码,得到包括n个元素的编码结果。编码结果中包括n个元素,每个元素作为1个份额,使得编码结果可以划分为n个份额从而分别交给n个参与节点保管。基于广义里德所罗门码的原理,当r个参与节点利用r个份额进行秘密重构时,如果r=k,则可以基于r个份额重构出秘密元素并确定出对应于秘密元素的秘密信息,当然,此时重构无法保障准确性,即r=k时要求r个参与节点均是诚实参与节点才能够重构出正确的秘密元素,从而按照转换规则,确定出对应于秘密元素的秘密信息。而r>k时,本发明的方案中能够判断出r个份额中是否存在虚假份额,如果存在,则能够纠正数量不超过的虚假份额,在进行了虚假份额的纠正之后便可以重构出秘密元素,并确定出对应于秘密元素的秘密信息;Specifically, in order to be able to implement subsequent coding based on the generalized Reed-Solomon code, in the solution of the present invention, the distribution node converts the secret information into an element in the set Galois field as the secret according to the conversion rules set as needed. element, the secret element can be combined with the k -1 elements selected from the Galois field to form a vector to be encoded containing k elements, that is, the vector to be encoded carries the secret element. For n participating nodes, n different elements need to be selected from the set Galois field as the public identity information of the n participating nodes. Based on the encoding rules of the generalized Reed-Solomon code, the to-be-encoded vector is encoded through the identity information of n participating nodes, and the encoding result including n elements is obtained. The encoding result includes n elements, each element is regarded as a share, so that the encoding result can be divided into n shares and handed over to n participating nodes for safekeeping. Based on the principle of generalized Reed-Solomon code, when r participating nodes use r shares to reconstruct the secret, if r = k , the secret element can be reconstructed based on the r shares and the secret information corresponding to the secret element can be determined , of course, the accuracy of the reconstruction cannot be guaranteed at this time, that is, when r = k , all r participating nodes are required to be honest participating nodes to reconstruct the correct secret element, so as to determine the secret corresponding to the secret element according to the conversion rules. information. When r > k , the solution of the present invention can determine whether there are false shares among the r shares. If there are false shares, the number can be corrected to not exceed After correcting the false shares, the secret elements can be reconstructed and the secret information corresponding to the secret elements can be determined;
可以看出,本发明的方案能够判断出r个份额中是否存在虚假份额,且能够纠正数量不超过的虚假份额,即本发明的方案能够可以有效地应对欺诈者提供虚假份额的情况。并且r小于k时,无论攻击者具有多高的计算资源也无法实现秘密重构,即本发明的方案的安全性不依赖于任何计算困难性的假设是信息论安全的而不是经典方案计算意义上的安全,使得本发明的方案能够抵抗量子计算攻击。此外可以看出,本发明的方案中,分发节点只需要完成份额的分发即可,在进行包括秘密重构在内的后续各阶段的操作时,本发明的方案并不需要分发节点的参与,有利于进一步地提高可靠性。参与节点所保存的份额与秘密元素均是伽罗华域中的元素,具有相同长度,使得本发明方案的秘密分发过程没有数据扩展,也有利于进一步地保障安全性。It can be seen that the solution of the present invention can determine whether there are false shares among r shares, and can correct the number not exceeding false shares, that is, the solution of the present invention can effectively deal with the situation where fraudsters provide false shares. And when r is less than k , no matter how high the computing resources of the attacker are, the secret reconstruction cannot be achieved. That is, the security of the scheme of the present invention does not depend on the assumption of any computational difficulty, which is information theoretic security rather than the classical scheme calculation sense. The security makes the solution of the present invention resistant to quantum computing attacks. In addition, it can be seen that in the solution of the present invention, the distribution node only needs to complete the distribution of shares. When performing operations in subsequent stages including secret reconstruction, the solution of the present invention does not require the participation of the distribution node. Helps further improve reliability. The shares and secret elements saved by the participating nodes are elements in the Galois domain and have the same length, so that there is no data expansion in the secret distribution process of the solution of the present invention, and it is also conducive to further ensuring security.
相应于上面的方法实施例,本发明实施例还提供了一种秘密信息的共享系统,可与上文相互对应参照。Corresponding to the above method embodiments, embodiments of the present invention also provide a secret information sharing system, which can be mutually referenced with the above.
可参阅图3,该秘密信息的共享系统包括:分发节点31和n个参与节点32。图3中示出了3个参与节点32,依次称为第1个至第3个参与节点。Referring to Figure 3, the secret information sharing system includes: a distribution node 31 and n participating nodes 32. Three participating nodes 32 are shown in FIG. 3 , which are called the first to third participating nodes in sequence.
所述分发节点31,用于:The distribution node 31 is used for:
按照设定的转换规则,将秘密信息转换为设定的伽罗华域中的一个元素,作为秘密元素;According to the set conversion rules, the secret information is converted into an element in the set Galois domain as a secret element;
从设定的伽罗华域中选取出n个互异的元素,作为n个参与节点的公开的身份信息;Select n different elements from the set Galois field as the public identity information of n participating nodes;
从所述伽罗华域中选取出k-1个元素,并与所述秘密元素一起构成一个包含k个元素的待编码向量;Select k -1 elements from the Galois field, and together with the secret element form a vector to be encoded containing k elements;
基于广义里德所罗门码的编码规则,通过n个参与节点的身份信息对所述待编码向量进行编码,得到包括n个元素的编码结果;Based on the encoding rules of the generalized Reed-Solomon code, the vector to be encoded is encoded through the identity information of n participating nodes to obtain an encoding result including n elements;
按照元素位置的不同,将所述编码结果划分为n个份额并分别发送给n个参与节点;According to the different positions of the elements, the encoding result is divided into n shares and sent to n participating nodes respectively;
所述参与节点32用于:The participating node 32 is used for:
当r个参与节点利用r个份额进行秘密重构时,如果r=k,则基于r个份额重构出所述秘密元素,如果r>k且判断出r个份额中存在虚假份额时,进行虚假份额的纠正之后再重构出所述秘密元素;When r participating nodes use r shares to reconstruct the secret, if r = k , the secret element is reconstructed based on r shares. If r > k and it is judged that there are false shares among the r shares, proceed Correction of false shares followed by reconstruction of said secret elements;
基于重构出的所述秘密元素,确定出对应的秘密信息;Based on the reconstructed secret elements, determine the corresponding secret information;
其中,n为不小于2的正整数,k为正整数表示的是实现秘密重构的最小份额数量,r为正整数且r<k时无法实现秘密重构,r>k时虚假份额的纠正数量不超过。Among them, n is a positive integer not less than 2, k is a positive integer indicating the minimum number of shares to achieve secret reconstruction, r is a positive integer and when r < k , secret reconstruction cannot be achieved, and when r > k , false shares are corrected. The quantity does not exceed .
相应于上面的方法和系统实施例,本发明实施例还提供了一种秘密信息的共享设备以及一种计算机可读存储介质,可与上文相互对应参照。Corresponding to the above method and system embodiments, embodiments of the present invention also provide a secret information sharing device and a computer-readable storage medium, which may be mutually referenced with the above.
可参阅图4,该秘密信息的共享设备可以包括:Referring to Figure 4, the secret information sharing device may include:
存储器401,用于存储计算机程序;Memory 401, used to store computer programs;
处理器402,用于执行所述计算机程序以实现如上述任一实施例中的秘密信息的共享方法的步骤。Processor 402, configured to execute the computer program to implement the steps of the secret information sharing method in any of the above embodiments.
可参阅图5,该计算机可读存储介质50上存储有计算机程序51,计算机程序51被处理器执行时实现如上述任一实施例中的秘密信息的共享方法的步骤。这里所说的计算机可读存储介质50包括随机存储器(RAM)、内存、只读存储器(ROM)、电可编程ROM、电可擦除可编程ROM、寄存器、硬盘、可移动磁盘、CD-ROM、或技术领域内所公知的任意其它形式的存储介质。Referring to FIG. 5 , a computer program 51 is stored on the computer-readable storage medium 50 . When the computer program 51 is executed by a processor, the steps of the secret information sharing method in any of the above embodiments are implemented. The computer-readable storage medium 50 mentioned here includes random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, register, hard disk, removable disk, CD-ROM , or any other form of storage medium known in the technical field.
还需要说明的是,在本文中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、物品或者设备中还存在另外的相同要素。It should also be noted that in this article, relational terms such as first and second are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply that these entities or operations There is no such actual relationship or sequence between them. Furthermore, the terms "comprises," "comprises," or any other variations thereof are intended to cover a non-exclusive inclusion such that a process, method, article, or apparatus that includes a list of elements includes not only those elements, but also those not expressly listed other elements, or elements inherent to the process, method, article or equipment. Without further limitation, an element defined by the statement "comprises a..." does not exclude the presence of additional identical elements in a process, method, article, or apparatus that includes the stated element.
本文中应用了具体个例对本发明的原理及实施方式进行了阐述,以上实施例的说明只是用于帮助理解本发明的技术方案及其核心思想。应当指出,对于本技术领域的普通技术人员来说,在不脱离本发明原理的前提下,还可以对本发明进行若干改进和修饰,这些改进和修饰也落入本发明的保护范围内。This article uses specific examples to illustrate the principles and implementation methods of the present invention. The description of the above embodiments is only used to help understand the technical solutions and core ideas of the present invention. It should be noted that for those of ordinary skill in the art, several improvements and modifications can be made to the present invention without departing from the principles of the present invention, and these improvements and modifications also fall within the protection scope of the present invention.
Claims (22)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310954869.9A CN117155551A (en) | 2023-08-01 | 2023-08-01 | Secret information sharing method, system, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310954869.9A CN117155551A (en) | 2023-08-01 | 2023-08-01 | Secret information sharing method, system, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117155551A true CN117155551A (en) | 2023-12-01 |
Family
ID=88903475
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310954869.9A Pending CN117155551A (en) | 2023-08-01 | 2023-08-01 | Secret information sharing method, system, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117155551A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117857039A (en) * | 2024-03-04 | 2024-04-09 | 浪潮(北京)电子信息产业有限公司 | Multiparty security computing method, device, equipment and medium |
-
2023
- 2023-08-01 CN CN202310954869.9A patent/CN117155551A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117857039A (en) * | 2024-03-04 | 2024-04-09 | 浪潮(北京)电子信息产业有限公司 | Multiparty security computing method, device, equipment and medium |
| CN117857039B (en) * | 2024-03-04 | 2024-05-28 | 浪潮(北京)电子信息产业有限公司 | Multiparty security computing method, device, equipment and medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Schlegel et al. | CodedPaddedFL and CodedSecAgg: Straggler mitigation and secure aggregation in federated learning | |
| CN109672518B (en) | Node data processing of quantum attack resistant blockchains | |
| CN111492615B (en) | Encryption device with updatable shared matrix | |
| CN110138549B (en) | Digital signature method based on lattice | |
| Garg et al. | Comparative analysis of cloud data integrity auditing protocols | |
| CN112997448A (en) | Public/private key system with reduced public key size | |
| Chattopadhyay et al. | A verifiable multi-secret image sharing scheme using XOR operation and hash function | |
| US20210266164A1 (en) | Key encapsulation protocols | |
| CN114219483A (en) | Blockchain data sharing method, equipment and storage medium based on LWE-CPABE | |
| Kumar et al. | Learning with error‐based key agreement and authentication scheme for satellite communication | |
| CN113810175B (en) | A method and device for realizing privacy amplification in quantum key distribution | |
| Vambol et al. | Mceliece and niederreiter cryptosystems analysis in the context of post-quantum network security | |
| Lee et al. | Modification of frodokem using gray and error-correcting codes | |
| CN105653983B (en) | Information distribution, reduction, integrity verification method and device based on cloud storage | |
| CN117155551A (en) | Secret information sharing method, system, equipment and storage medium | |
| Ramesh et al. | Secure data storage in cloud: an e-stream cipher-based secure and dynamic updation policy | |
| Song et al. | A new multi‐use multi‐secret sharing scheme based on the duals of minimal linear codes | |
| Shooshtari et al. | Provably secure strong designated verifier signature scheme based on coding theory | |
| CN113132100B (en) | McElience system encryption and decryption method based on sliding window QC-LDPC code | |
| CN110011790B (en) | Anti-quantum key negotiation method based on coding | |
| CN111865578A (en) | A Multi-receiver Public Key Encryption Method Based on SM2 | |
| CN105099693B (en) | A kind of transmission method and transmitting device | |
| CN117034334A (en) | Privacy protection verifiable polynomial computing outsourcing method based on blockchain | |
| CN114826551B (en) | A method and system for protecting data of the entire life cycle of a smart grid | |
| Nikiforov et al. | Side-channel analysis of privacy amplification in postprocessing software for a quantum key distribution system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |