CN117155551A - Secret information sharing method, system, equipment and storage medium - Google Patents

Secret information sharing method, system, equipment and storage medium Download PDF

Info

Publication number
CN117155551A
CN117155551A CN202310954869.9A CN202310954869A CN117155551A CN 117155551 A CN117155551 A CN 117155551A CN 202310954869 A CN202310954869 A CN 202310954869A CN 117155551 A CN117155551 A CN 117155551A
Authority
CN
China
Prior art keywords
secret
participating
individual
participating node
share
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310954869.9A
Other languages
Chinese (zh)
Inventor
郭文烁
李雪雷
李茹杨
赵雅倩
李仁刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Beijing Electronic Information Industry Co Ltd
Original Assignee
Inspur Beijing Electronic Information Industry Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur Beijing Electronic Information Industry Co Ltd filed Critical Inspur Beijing Electronic Information Industry Co Ltd
Priority to CN202310954869.9A priority Critical patent/CN117155551A/en
Publication of CN117155551A publication Critical patent/CN117155551A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a secret information sharing method, a system, equipment and a storage medium, which are applied to the technical field of information security and solve the problems of low reliability and poor flexibility of a classical secret sharing scheme, and comprise the following steps: converting secret information into an element in a Galois field as a secret element, and associating the secret element with the Galois fieldk-1 element constitutes a vector to be encoded; coding rules based on generalized Reed Solomon code bynEncoding the vectors to be encoded by the identity information of each participating node to obtain the information comprisingnThe coding result of each element is divided intonThe individual shares are sent tonEach participating node such thatrIndividual participating node utilizationrThe individual shares are subject to secret reconstruction. By applying the scheme of the invention, the situation of malicious fraud of the participating nodes existing in the secret reconstruction stage can be effectively treated, the security is information theory security rather than security in the calculation sense, the participating of the distributing nodes is not needed during secret reconstruction, the secret distributing process has no data expansion, and the security is further guaranteed.

Description

Secret information sharing method, system, equipment and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, a system, an apparatus, and a storage medium for sharing secret information.
Background
With the continuous development of informatization, digitalization and intelligence, data leakage becomes an increasingly serious problem. Cryptography provides many practical techniques for securing data, such as encryption and digital signatures. In the cryptographic system, the implementation details of the cryptographic algorithm are always disclosed due to the security requirements of the cryptographic algorithm itself and the popularization of the application of the cryptographic algorithm. Thus, the security of commercial cryptography depends on the confidentiality of keys, and key management is an important research direction in the field of cryptography.
As shown in fig. 1, which is a schematic diagram of a key management method commonly used at present, fig. 1 is a threshold secret sharing scheme, which divides a key or other sensitive information into several shares, i.e. into several parts, and then gives the parts to different participants for keeping. The threshold secret sharing scheme requires that only a certain number (threshold valuek) The secret can be recovered only when the participants cooperate, and the secret cannot be recovered by the participants with less than the threshold value. The set of participants that can reconstruct the secret is called an authorized set, otherwise an unauthorized set, all of which constitute the access structure of the secret sharing scheme.
The effectiveness of the classical secret sharing technique of fig. 1 relies on the assumption that all participants are honest. However, in reality this assumption is not reasonable, since some participants may show false shares during the secret reconstruction phase, so that the honest participants cannot recover the secret or get erroneous results, whereas the fraudsters can reconstruct the secret using the shares of the honest participants, thus jeopardizing the reliability of the system. Furthermore, some of the current approaches to fraud prevention are to construct verifiable secret sharing schemes, such as verifying the participants' shares by means of digital signatures, introducing so-called shadow shares outside the shares, etc. However, the security of such schemes is a difficulty that relies on discrete logarithm or quality factor decomposition issues, and is therefore computationally secure, and cannot resist quantum computing attacks with great computational power.
In summary, how to effectively realize sharing of secret information and improve reliability is a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The invention aims to provide a secret information sharing method, a secret information sharing system, secret information sharing equipment and a secret information storage medium, so that secret information sharing is effectively achieved, and reliability is improved.
In order to solve the technical problems, the invention provides the following technical scheme:
a method of sharing secret information, comprising:
according to the set conversion rule, converting the secret information into an element in the set Galois field as a secret element;
selected from a set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes;
selected from the Galois fieldk-1 element and together with said secret element constitutes a single unit comprisingkVectors to be encoded of the individual elements;
coding rules based on generalized Reed Solomon code bynThe identity information of each participating node encodes the vector to be encoded to obtain a code comprisingnEncoding results of the individual elements;
dividing the coding result into the following elements according to the difference of the element positionsnIndividual shares and send to respectivelynMultiple participating nodes to make the rightrIndividual participating node utilizationrIf secret reconstruction is performed on individual sharesr=kThen based onrReconstructing the secret element from the individual shares and determining secret information corresponding to the secret element ifrkAnd judge outrWhen false shares exist in the shares, reconstructing the secret element after correcting the false shares, and determining secret information corresponding to the secret element;
Wherein,nis a positive integer not less than 2,kexpressed as a positive integer is the minimum number of shares that enable secret reconstruction,ris a positive integer, andrkthe secret reconstruction cannot be achieved at this time,rkthe correction amount of the false shares is not more than
In one embodiment, the one or more selected from the set Galois fieldnIndividual disparate elements asnPublic identity information of individual participating nodes, comprising:
randomly selected from a set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes.
In one embodiment, the random selection from the set Galois fieldnIndividual disparate elements asnPublic identity information of individual participating nodes, comprising:
uniformly and randomly selecting from a set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes.
In one embodiment, the one or more additional agents are selected from the Galois fieldk-1 element and together with said secret element constitutes a single unit comprisingkVectors to be encoded of individual elements, comprising
Uniformly and randomly selected from the Galois fieldk-1 element and together with said secret element constitutes a single unit comprisingkVectors to be encoded of the individual elements.
In one embodiment, the coding rule based on the generalized Reed-Solomon code is implemented bynThe identity information of each participating node encodes the vector to be encoded to obtain a code comprisingnA result of encoding of the individual elements, comprising:
coding rules based on generalized Reed Solomon code bynEstablishing a vandermonde matrix according to the identity information of each participating node, and encoding the vector to be encoded through the established vandermonde matrix to obtain a code comprising the following steps ofnThe result of encoding the individual elements.
In one embodiment, the coding rule based on the generalized Reed-Solomon code is implemented bynIdentity information of individual participating nodesEstablishing a vandermonde matrix, and encoding the vector to be encoded through the established vandermonde matrix to obtain a vector to be encoded, wherein the vector to be encoded comprisesnA result of encoding of the individual elements, comprising:
coding rules based on generalized Reed Solomon code bynIdentity information of each participating node according to%s 1 ,...,s n )=a·GThe vector to be coded is coded to obtain the calculation mode comprisingnEncoding results of the individual elements;
wherein,ais comprised ofkThe vectors to be encoded of the individual elements,Gto pass throughnVandermonde matrix established by identity information of each participating node, and s 1 To the point ofs n To get the inclusionnEncoding result of individual element->To->Is thatnThe identity information of each participating node.
In one embodiment, the method further comprises:
when 1 participating node needs to be newly added, the number of the current participating nodes is not less thankAnd the participating nodes operate according to a preset share adding rule, so that the newly added participating nodes obtain 1 newly added share.
In one embodiment, when 1 participating node needs to be newly added, no less than 1 participating node is selected from the current participating nodeskThe participating nodes operate according to a preset share adding rule, so that the newly added participating nodes obtain 1 newly added share, and the method comprises the following steps:
when 1 participating node needs to be newly added, the current participating node is used for the current operationnIn individual participating nodesrThe participation nodes calculate respective intermediate values;
wherein,rthe first participating nodeiCalculated by each participating nodeIntermediate valueRepresented ass i Is the firstiThe share of the individual participating nodes,m i is thatM -1 Front of (2)kColumn sub-matrix of the first columniRow vector, matrix->M -1 Is thatMInverse matrix of>,/>To the point ofIs thatnIdentity information of each participating node, +.>For the identity information of the newly added participating node,Tfor the transposed matrix symbol,rk
based on a preset information safety transmission mode, the newly added participating node determines To->And taking the sum as 1 newly added share obtained by the newly added participating node, and making the newly added participating node unable to determine +.>To->Any 1 intermediate value in (c).
In one embodimentBased on a preset information safety transmission mode, the newly added participating node determinesTo->And taking the sum as 1 newly added share obtained by the newly added participating node, and making the newly added participating node unable to determine +.>To->Intermediate values of any 1 of (a), including:
for the followingrEvery 1 of the participating nodes, the participating nodes divide the intermediate value calculated by the participating nodes intorData such that it is divided intorThe sum of the individual data is equal to the intermediate value calculated by itself and the participating node remainsrAfter 1 data in the data, the restr-1 data is sent to the rest respectivelyr-1 participating node;
for the followingrEach 1 of the participating nodes that combine the reserved 1 data with the receivedr-1 data are summed and the result of the summation is sent to the newly added participating node so that the newly added participating node willrThe transmitted data of the participating nodes are summed to obtain To->And takes the sum as 1 new share obtained by the newly added participating node.
In one embodiment, the method further comprises:
when 1 participating node needs to be removed, not less than the current participating nodekEach participating node operates according to a preset participating node removing rule toSo that each of the remaining participating nodes except the removed participating node gets 1 new share to replace the original share.
In one embodiment, when 1 participating node needs to be removed, no less than 1 participating node is selected from the current participating nodeskThe method comprises the steps that each participating node operates according to a preset participating node removing rule, so that each remaining participating node except the removed participating node obtains 1 new share to replace an original share, and the method comprises the following steps:
when 1 participating node needs to be removed, the current node is used for the current nodenIn individual participating nodesrThe individual participating nodes calculate the respective sub-secret data based on the respective current shares;
wherein,rthe first participating nodeiSub-secret data calculated by each participating nodea i0 Represented ass i Is the firstiThe share of the individual participating nodes,M i0 is->At the position ofMAlgebraic remainder of (a), matrix ,det(M) RepresentingMIs>To->Is thatnThe identity information of each of the participating nodes,rk
based onrSub-secret data, composed ofrThe method comprises the steps that each participating node operates according to a preset share security generation mode, so that each remaining participating node except the removed participating node obtains 1 new share to replace the original share, and any participating node cannot acquire the sub-secret of any other participating nodeData.
In one embodiment, based onrSub-secret data, composed ofrThe method comprises the steps that each participating node operates according to a preset share security generation mode, so that each remaining participating node except the removed participating node obtains 1 new share to replace an original share, any participating node cannot acquire sub-secret data of any other participating node, and the method comprises the following steps:
for the followingrEach 1 of the participating nodes calculates from its own calculated sub-secret data and its own constructed first polynomialn-1 sub-share value and to be calculatedn-1 sub-share value being assigned to each of the other participating nodes excluding the removed participating node, including itself n-1 remaining participating nodes;
for the remainder of the current removed participating nodesn-1 participating node, which is obtainingrAfter the sub-share value, the sub-share value is obtained by itselfrThe sub-share values are summed to replace the original share of the self as the new share of the self;
wherein,ramong the participating nodesiThe first polynomial constructed by the participating nodes is expressed astIs a positive integer and is more than or equal to 1tk-1,a i1 To the point ofa i k(-1) Is the firstiThe participating nodes are selected from the Galois fieldk-1 element; first, theiThe participating nodes are constructed by combining the arguments of the first polynomialxSequentially valued as the remainder excluding the removed participating nodesn-identity information of 1 participating node, calculated in turnn-1 sub-share value.
In one embodiment, the method further comprises:
when the minimum share number for realizing secret reconstruction needs to be adjustedkIs not less than the number of the current participating nodekEach participating nodeOperating according to a preset threshold adjustment rule, so that each current participating node obtains 1 new share to replace the original share, and the minimum share number for realizing secret reconstruction is calculated from kIs adjusted to
Indicated is the minimum number of shares after adjustment that enable secret reconstruction.
In one embodiment, when it is desired to adjust the minimum number of shares that enable secret reconstructionkIs not less than the number of the current participating nodekThe participating nodes operate according to a preset threshold adjustment rule, so that each current participating node obtains 1 new share to replace the original share, and the minimum share number for realizing secret reconstruction is calculated fromkIs adjusted toComprising:
when the minimum share number for realizing secret reconstruction needs to be adjustedkIs determined by the current valuenIn individual participating nodesrThe individual participating nodes calculate the respective sub-secret data based on the respective current shares;
wherein,rthe first participating nodeiSub-secret data calculated by each participating nodea i0 Expressed as:s i is the firstiThe share of the individual participating nodes,M i0 is->At the position ofMAlgebraic remainder of (a), matrix,det(M) RepresentingMIs>To->Is thatnThe identity information of each of the participating nodes,rk
based onrSub-secret data, composed ofrThe method comprises the steps that each participating node operates according to a preset threshold adjustment mode, so that each participating node obtains 1 new share to replace an original share, any participating node cannot obtain sub-secret data of any other participating node, and the minimum share number for realizing secret reconstruction is from kIs adjusted to
In one embodiment, based onrSub-secret data, composed ofrThe method comprises the steps that each participating node operates according to a preset threshold adjustment mode, so that each participating node obtains 1 new share to replace an original share, any participating node cannot obtain sub-secret data of any other participating node, and the minimum share number for realizing secret reconstruction is fromkIs adjusted toComprising:
for the followingrEach 1 of the participating nodes calculates from its own calculated sub-secret data and its own constructed second polynomialnSub-share values and to be calculatednThe sub-share values being respectively allocated to the units including themselvesnEach participating node;
for the followingnEach of the participating nodes, which is obtainingrAfter the sub-share value, the sub-share value is obtained by itselfrThe sub-share values are summed to replace the original share of the self as the new share of the self;
wherein,ramong the participating nodesiThe second plurality of participating nodesThe term is expressed ascIs a positive integer and->a i1 To->Is the firstiThe participating nodes are selected from the Galois field >An element; first, theiThe participating nodes are constructed by the independent variables of the second polynomialxSequentially takes the values as the current valuenIdentity information of each participating node is sequentially calculatednA sub-share value.
In one embodiment, the coding result is divided into the following elements according to the difference of the element positionsnIndividual shares and send to respectivelynMultiple participating nodes to make the rightrIndividual participating node utilizationrIf secret reconstruction is performed on individual sharesr=kThen based onrReconstructing the secret element from the individual shares and determining secret information corresponding to the secret element ifrkAnd judge outrWhen false shares exist in the shares, reconstructing the secret element after correcting the false shares, and determining secret information corresponding to the secret element, wherein the method comprises the following steps:
dividing the coding result into the following elements according to the difference of the element positionsnIndividual shares and send to respectivelynMultiple participating nodes to make the rightrIndividual participating node utilizationrIf secret reconstruction is performed on individual sharesr=kThen based onrReconstructing the secret element from the individual shares and determining secret information corresponding to the secret element ifrkJudgings·H T Whether or not =0 is satisfied, if not, judge rWhen a false share exists in the individual shares, the secret is reconstructed after correction of the false share is performedA secret element, and determining secret information corresponding to the secret element;
wherein,Hto meet the requirements ofM k H T =0%r-k)×rThe full order matrix of the rank is presented,M k is a matrixMFront of (2)kA sub-matrix of rows is formed,Tto transpose matrix symbols, matrix,/>To->Is thatnIdentity information of each participating node, +.>s 1 To the point ofs r Representing secret reconstructionrThe respective shares of the participating nodes.
In one embodiment, the method further comprises:
when (when)rIndividual participating node utilizationrSecret reconstruction of individual shares and upon determinationrWhen there are false shares in the individual shares, if the number of false shares does not exceedrEach participating node determines identity information of the participating node corresponding to each false share.
In one embodiment, ifr=kThen based onrReconstructing the secret element from the individual shares and determining secret information corresponding to the secret element, comprising:
if it isr=kThen based onrIndividual shares by calculationReconstructing the secret element and determining secret information corresponding to the secret element.
In one embodiment, the method further comprises:
when (when)rIndividual participating node utilization rSecret reconstruction of individual sharesr=kWhen based onrAfter reconstruction of the secret element from the individual shares,rand each participating node outputs the reconstructed prompt information that the secret element has potential safety hazard.
A sharing system of secret information, comprising: distribution nodenEach participating node;
the distribution node is configured to:
according to the set conversion rule, converting the secret information into an element in the set Galois field as a secret element;
selected from a set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes;
selected from the Galois fieldk-1 element and together with said secret element constitutes a single unit comprisingkVectors to be encoded of the individual elements;
coding rules based on generalized Reed Solomon code bynThe identity information of each participating node encodes the vector to be encoded to obtain a code comprisingnEncoding results of the individual elements;
dividing the coding result into the following elements according to the difference of the element positionsnIndividual shares and send to respectivelynEach participating node;
the participating node is configured to:
when (when)rIndividual participating node utilizationrIf secret reconstruction is performed on individual sharesr=kThen based on rReconstructing the secret element from the individual shares, ifrkAnd judge outrWhen false shares exist in the individual shares, reconstructing the secret element after correcting the false shares;
determining corresponding secret information based on the reconstructed secret element;
wherein,nis a positive integer not less than 2,kexpressed as a positive integer is the minimum number of shares that enable secret reconstruction,ris a positive integer andrkthe secret reconstruction cannot be achieved at this time,rkthe correction amount of the false shares is not more than
A sharing device of secret information, comprising:
a memory for storing a computer program;
and a processor for executing the computer program to implement the steps of the secret information sharing method.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the secret information sharing method as described above.
The technical scheme provided by the embodiment of the invention has the beneficial effects that the scheme of the invention realizes the sharing of secret information based on the generalized Reed Solomon code, and can effectively cope with the situation that a fraudster provides false shares. The security of the scheme of the invention does not depend on any assumption of computational difficulty, namely the scheme of the invention is information theory security rather than security in the classical scheme computational sense, so the scheme of the invention can resist quantum computing attacks. In addition, after secret distribution, the proposal of the invention does not need the participation of distribution nodes in the subsequent stages including secret reconstruction, thereby being beneficial to further improving the flexibility and the reliability. The shares stored by the participating nodes and the secret elements have the same length, so that the secret distribution process of the scheme of the invention has no data expansion, and the security is further ensured.
Specifically, in order to realize the encoding based on the generalized reed-solomon code later, in the scheme of the invention, the distribution node converts the secret information into an element in the set galois field as a secret element according to the conversion rule set by the requirement, and the secret element can be selected from the galois fieldk-1 element together forming a single containingkThe vector to be encoded of the individual elements, i.e. the secret element is carried in the vector to be encoded. For the followingnA plurality of participating nodes selected from the set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes. Coding rules based on generalized Reed Solomon code bynEncoding the vectors to be encoded by the identity information of each participating node to obtain the information comprisingnThe result of encoding the individual elements. The coding result includesnElements each as 1 share, so that the encoding result can be divided intonIndividual shares are thus handed over tonAnd the individual participating nodes keep. Based on the principle of generalized Reed Solomon coderIndividual participating node utilizationrIf secret reconstruction is performed on individual sharesr=kThen it can be based onrReconstructing the individual shares to obtain the secret element and determining the secret information corresponding to the secret element, wherein the reconstruction cannot guarantee the accuracy, i.e r=kTime requirementrEach participating node is an honest participating node, and can reconstruct correct secret elements, so that secret information corresponding to the secret elements is determined according to the conversion rules. WhilerkIn the scheme of the invention, it can be judged thatrWhether there are false shares in the individual shares, if so, the number can be corrected not to exceedAfter correction of the false shares, the secret element can be reconstructed and the secret information corresponding to the secret element can be determined;
it can be seen that the scheme of the invention can judgerWhether there are false shares in the individual shares and the number can be corrected not to exceedThe inventive solution can effectively cope with situations where a fraudster provides a false share. And is also provided withrLess thankWhen the attacker has high computing resources, secret reconstruction cannot be realized, namely the assumption that the security of the scheme of the invention does not depend on any computing difficulty is information theory security rather than security in the classical scheme computing sense, so that the scheme of the invention can resist the amountSub-computation attacks. In addition, it can be seen that in the scheme of the invention, the distribution node only needs to complete the distribution of the shares, and the scheme of the invention does not need the participation of the distribution node when the operation of the subsequent stages including secret reconstruction is performed, thereby being beneficial to further improving the reliability. The share and the secret element saved by the participating node are elements in the Galois field and have the same length, so that the secret distribution process of the scheme of the invention has no data expansion, and the security is further ensured.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a conventional key management method;
FIG. 2 is a flow chart of a method for sharing secret information according to the present invention;
FIG. 3 is a schematic diagram of a secret information sharing system according to the present invention;
fig. 4 is a schematic structural diagram of a secret information sharing device according to the present invention;
fig. 5 is a schematic structural diagram of a computer readable storage medium according to the present invention.
Detailed Description
The core of the invention is to provide a secret information sharing method, a secret information sharing system, a secret information sharing device and a secret information storage medium, which can effectively cope with the situation of false shares, is safe in information theory rather than computation, does not need to participate in a distribution node in the subsequent stages of secret distribution, has no data expansion in the secret distribution process, and is favorable for further guaranteeing the safety.
In order to better understand the aspects of the present invention, the present invention will be described in further detail with reference to the accompanying drawings and detailed description. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 2, fig. 2 is a flowchart illustrating an implementation of a secret information sharing method according to the present invention, where the secret information sharing method may include the following steps:
step S101: according to the set conversion rule, the secret information is converted into one element in the set Galois field as a secret element.
The distribution node may also be referred to as a distribution center, which enables distribution of the secret, i.e. the respective shares of the secret can be generated and sent to the respective participant nodes, which may also be referred to as participants, which can receive the respective shares, and which may be made up of no lower thankThe individual participating nodes implement secret reconstruction.
The secret information represents information to be encrypted, and it can be understood that the specific form of the secret information can be various, for example, a text, a string of numbers, and a key comprising letters and symbols, and in the scheme of the invention, when the encoding is carried out subsequently, the encoding is carried out based on the encoding rule of the generalized reed-solomon code, so that the secret information needs to be converted into an element in the galois field, and the encoding can be realized based on the encoding rule of the generalized reed-solomon code in the subsequent step.
The specific content of the conversion rule can be set and adjusted according to actual needs, so long as secret information can be converted into one element in the set Galois field according to the set conversion rule, and the converted element is called a secret element. For example, in one case, the secret information is a key including letters and symbols, and in the conversion rule, it is specified that the binary values of the corresponding fixed bits are converted for different letters and symbols, and then mapped to one element in the set galois field based on the obtained binary values. It is further understood that the conversion rule needs to be stored, so that the conversion process is reversible, that is, when the secret is reconstructed, the participating nodes can reversely determine the secret information according to the conversion rule after obtaining the secret element, for example, in practical application, the conversion rule can be stored in public by the distribution node, and for example, each participating node stores the conversion rule.
Galois field may also be referred to as finite field, hereinafter referred to as Galois fieldThe specific parameter settings of the Galois field can be set and adjusted according to actual needs.
Step S102: selected from a set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes.
In the secret distribution phase, the distribution node may perform the operations of steps S101 to S105, thereby dividingnIndividual shares and send to respectivelynAnd the participating nodes. That is, in performing step S102, a distribution node may select from the set galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes.
In a specific embodiment of the present invention, step S102 may include: randomly selected from a set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes.
This embodiment takes into account, fornThe present invention is not limited by the public identity information of each participating node, as long as it is in a set Galois fieldnThe elements may be different from each other, and in this embodiment are selected randomly from the Galois fieldnThe random selection mode of the different elements is convenient to realize.
Further, in one embodiment, step S102 may include: uniformly and randomly selecting from a set Galois field nIndividual disparate elements asnRadix Ginseng IndiciPublic identity information with the node.
This embodiment allows for the fact that when each element in the Galois field is selected as identity information, the probability of selection should ideally be uniform, i.e. when selected randomly, each element in the Galois field has the same probability of being selected as identity information of the corresponding participating node, and thus in this embodiment is selected uniformly and randomly from the set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes.
The uniform randomness described in this embodiment, which means that each element in the Galois field has the same probability of being selected when randomly selected, can be expressed as,/>To->It is from the Galois field->Is uniformly and randomly selected outnThe individual elements being different, i.e.)>To->Is thatnThe identity information of each participating node, otherwise known asnThe respective IDs of the participating nodes. The same symbols appearing hereinafter also represent a uniform random selection pattern.
Step S103: selected from the Galois fieldk-1 element and together with the secret element constitutes a single unit comprising kVectors to be encoded of the individual elements.
In the same way as above, in the selection from the Galois fieldkAnd when the number of the elements is 1, a random selection mode can be adopted, so that the implementation is convenient.And is selected from the Galois fieldkAt 1 element, the probability of selection of each element should also be uniform, so in one embodiment of the present invention, step S103 may specifically include:
uniformly and randomly selected from the Galois fieldk-1 element and together with the secret element constitutes a single unit comprisingkVectors to be encoded of the individual elements.
The uniform randomness described in this embodiment means that the elements in the Galois field have the same probability of being selected when randomly selected, and therefore when step S103 is performed using this embodiment, the distribution node will uniformly randomly select from the Galois fieldk-1 element, which can be expressed asI.e. selectedk-1 element is written in turn asa 1 To the point ofa k-1
Selected from the Galois fieldkAfter 1 element, together with the secret element obtained in step S101, a composition comprisingkVectors to be encoded of the individual elements. For example, the secret element is represented asa 0 Then compriseskThe vectors to be encoded of the individual elements can be expressed as a =(a 0a 1 ,...,a k-1 )。
Step S104: coding rules based on generalized Reed Solomon code bynEncoding the vectors to be encoded by the identity information of each participating node to obtain the information comprisingnThe result of encoding the individual elements.
The vector to be encoded carries secret elements, and in the scheme of the invention, encoding can be realized based on the encoding rule of GRS (Generalized Reed-Solomon code), so that the security of the information theory layer can be realized.
When the coding is implemented based on the coding rule of the generalized reed-solomon code, the coding may be implemented based on the vandermonde matrix, so in a specific embodiment of the present invention, step S104 may specifically include:
coding rules based on generalized Reed Solomon code bynEstablishing a vandermonde matrix according to the identity information of each participating node, and encoding vectors to be encoded through the established vandermonde matrix to obtain the data comprisingnThe result of encoding the individual elements.
In this embodiment, coding of the generalized reed-solomon code can be conveniently and effectively implemented based on the vandermonde matrix.
For example, in one embodiment of the present invention, step S104 may specifically include:
coding rules based on generalized Reed Solomon code by nIdentity information of each participating node according to%s 1 ,...,s n )=a·GEncoding the vector to be encoded to obtain the vector comprisingnEncoding results of the individual elements;
wherein,ais comprised ofkThe vectors to be encoded for the individual elements,Gto pass throughnVandermonde matrix established by identity information of each participating node, ands 1 to the point ofs n To get the inclusionnEncoding result of individual element->To->Is thatnThe identity information of each participating node.
In this embodiment, bynIdentity information of each participating node establishes a vandermonde matrixGBy combining vectors to be encodedaAnd the Van der Monte matrixGThe multiplication can conveniently and effectively determine the inclusionnThe result of the encoding of the individual elements, the obtained result comprisingnThe coding result of each element is expressed as%s 1 ,...,s n )。
Step S105: dividing the coding result into the following elements according to the difference of the element positionsnIndividual share andrespectively sent tonMultiple participating nodes to make the rightrIndividual participating node utilizationrIf secret reconstruction is performed on individual sharesr=kThen based onrReconstructing the secret element from the individual shares and determining secret information corresponding to the secret element, ifrkAnd judge outrWhen false shares exist in the individual shares, reconstructing a secret element after correcting the false shares, and determining secret information corresponding to the secret element;
Wherein,nis a positive integer not less than 2,kexpressed as a positive integer is the minimum number of shares that enable secret reconstruction,ris a positive integer, andrkthe secret reconstruction cannot be achieved at this time,rkthe correction amount of the false shares is not more than
After the distribution center performs the operations of the above steps S101 to S104, it can obtain a distribution center includingnCoding result of individual elementss 1 ,...,s n ). The distribution of shares can then take place.
In the distribution of the shares, the coding result is divided into the following parts according to the difference of the element positionsnIndividual shares, i.e. for the coding resultnElements, each element being 1 share, so that it can be dividednEach share ofnThe shares need to be sent to the corresponding 1 participating node, e.g. the 1 st shares 1 Send to the 1 st participating node, share 2s 2 To the 2 nd participating node, and so on. After distribution, to makenEach of the participating nodes gets 1 share.
It will be appreciated that in practice, the coding results are divided intonIndividual shares and send to respectivelynWhen participating in the node, in order to ensure the communication security, the information transmission needs to be carried out in a secret manner so as to ensure the 1 st share s 1 For example, to the 1 st participating node, the distribution center may communicate with the network using encryptionIn the way of (1) st shares 1 Is sent to the 1 st participating node so that other participating nodes except the 1 st participating node cannot obtain the 1 st shares 1 . Similarly, in the following embodiments, unless otherwise specified, information transmission between the distribution node and the participating nodes, and between the different participating nodes should be performed in a secret manner to ensure the security of information transmission.
In the scheme of the invention, the distribution node divides the coding result into the following stepsnIndividual shares and send to respectivelynAfter the participation nodes, the secret distribution work of the distribution nodes is completed, and the operations of adding the participation nodes, removing the participation nodes, adjusting the threshold value and the like existing in the follow-up secret reconstruction and part of the implementation modes do not need the participation of the distribution nodes, so that the safety of the scheme of the invention is further guaranteed. Therefore, in practical application, after the distribution node completes the secret distribution work, the stored related information can be completely deleted.
It should be noted that, when the share is distributed, the encoding result is divided into the following components according to the different element positions nThe shares, namely different shares and secret elements are all elements in the Galois field, and the storage of the elements in the single Galois field can be realized by using the same space in the computer, namely, in the scheme of the invention, the shares stored by the participating nodes and the secret elements have the same length, so that the secret distribution process of the scheme of the invention has no data expansion, and the security is further ensured.
After encoding and dividing the shares as described above, if secret reconstruction is to be achieved, the number of participating nodes participating in the secret reconstruction cannot be lower thankkBeing a positive integer, the minimum number of shares, which may also be referred to as a threshold value, is indicated to enable secret reconstruction.
That is, whenrIndividual participating node utilizationrWhen secret reconstruction is carried out on individual shares, requirements are maderkSecret reconstruction can be achieved. If it isr=kAt this time, there is no error correction capability,that is, only at this timerEach participating node is honest, and can be based on when no false share is providedrThe individual shares reconstruct the secret element, and the secret information corresponding to the secret element is determined according to the conversion rule described in step S101.
And if it rkThen it can be judged thatrWhether there are false shares in the individual shares, in which case no more thanr-kAnd, the correction of the false shares may be performed first, and then the secret element is reconstructed, so that the secret information corresponding to the secret element is determined according to the conversion rule described in step S101. In correcting the false shares, the number of correction of the false shares does not exceed
In classical secret sharing techniques, after the secret distribution phase is over, the access structure that the system can implement is also fixed. However, the threshold value of the participant set or the secret reconstruction may change during the time from secret distribution to secret reconstruction. For example, a certain participant leaving or losing shares would pose a significant threat to the security of the overall system. The reason for this problem is that classical secret sharing techniques are designed for a fixed access structure and cannot accommodate the changing access structure, i.e. do not have the "dynamic" nature.
In the scheme of the invention, the addition of the participation node, the removal of the participation node and the dynamic adjustment of the threshold value can be supported, and the participation of the distribution node is not needed.
In one embodiment of the present invention, the method may further include:
when 1 participating node needs to be newly added, the number of the current participating nodes is not less thankAnd the participating nodes operate according to a preset share adding rule, so that the newly added participating nodes obtain 1 newly added share.
In this embodiment, if 1 participating node needs to be newly added, the number of the participating nodes can be not less thankEach participating node is according to the preset partThe quota adding rule operates so that 1 new quota can be obtained as the quota of the newly added participating node, and therefore the quota adding is effectively realized by the embodiment.
For the preset share newly-added rule, the coding rule of the generalized Reed-Solomon code can be set according to actual needs, for example, the Cramer rule solved by an equation set can be utilized to perform distributed calculation, and finally 1 newly-added share is obtained.
In one embodiment of the present invention, when 1 participating node needs to be newly added, the number of the current participating nodes is not less thankThe participating nodes operate according to a preset share adding rule, so that the newly added participating nodes obtain 1 newly added share, which may specifically include:
Step one: when 1 participating node needs to be newly added, the current participating node is used for the current operationnIn individual participating nodesrThe participation nodes calculate respective intermediate values;
wherein,rthe first participating nodeiIntermediate values calculated by each participating nodeRepresented ass i Is the firstiThe share of the individual participating nodes,m i is thatM -1 Front of (2)kColumn sub-matrix of the first columniRow vector, matrix->M -1 Is thatMInverse matrix of>,/>To->Is thatnIndividual participating nodesInformation of parts->For the identity information of the newly added participating node,Tfor the transposed matrix symbol,rk
step two: based on a preset information safety transmission mode, the newly added participating node determinesTo->And taking the sum as 1 newly added share obtained by the newly added participating node, and making the newly added participating node unable to determine +.>To->Any 1 intermediate value in (c).
In this embodiment, operation according to a preset share adding rule is provided, so that the newly added participating node obtains a specific implementation of 1 new share.
Before the 1 participating node is not newly added, there arenThe participating nodes, i.e. the newly added participating node is the thn+1 participating nodes, the identity information of the newly added participating node is expressed as . It will be appreciated that with +.>To->Similarly, identity information for newly added participating node +.>Also 1 element selected from the set Galois field, andand->To->All are different.
In this embodiment, the intermediate value is calculatedrEach participating node may be currentnAny of the participating nodesrAnd the participating nodes. For this purposerEach participating node calculates 1 intermediate value by utilizing the Cramer rule solved by the equation set based on the share saved by the participating nodes, thereby realizing the purpose of distributed calculation.
To be used forrThe first participating nodeiBy way of example, the participating nodes, the firstiIntermediate values calculated by each participating nodeDenoted as->s i Is the firstiThe share of the individual participating nodes,m i is thatM -1 Front of (2)kColumn sub-matrix of the first columniRow vector->It can be seen that for the firstiIn the case of the individual participating nodes,s i m i and +.>Are known.
rEach participating node can calculate 1 corresponding intermediate value, thus together obtainingrIntermediate values ofrThe sum of the intermediate values, i.e. 1 new share obtained by the newly added participating node.
And it should be noted that forrRadix Ginseng IndiciBased on a preset information security transmission mode, the newly added participating node can determine To->But cannot determine +.>To->Any 1 number in (a). This is because ifrThe individual participating nodes will be directly->To->To a newly added participating node, which can be based on +.>To->Determining the correspondings 1 To the point ofs r This participating node, which results in a new addition, gets multiple shares, creating a significant security risk.
The specific rule based on the preset information safety transmission mode can be set and adjusted according to actual needs, so long as the purpose of the invention can be achieved, namely, newly added participating nodes can be determinedTo->But cannot determine +.>To->Any 1 intermediate value in (c).
In an embodiment of the present invention, the step two may specifically include:
for the followingrEvery 1 of the participating nodes, the participating nodes divide the intermediate value calculated by the participating nodes intorData such that it is divided intorThe sum of the individual data is equal to the intermediate value calculated by itself and the participating node remainsrAfter 1 data in the data, the restr-1 data is sent to the rest respectivelyr-1 participating node;
for the followingrEach 1 of the participating nodes that combine the reserved 1 data with the received r-1 data are summed and the result of the summation is sent to the newly added participating node so that the newly added participating node willrThe transmitted data of the participating nodes are summed to obtainTo->And takes the sum as 1 new share obtained by the newly added participating node.
In this embodiment, forrEvery 1 of the participating nodes, the participating nodes divide the intermediate value calculated by the participating nodes intorData such that it is divided intorThe sum of the individual data is equal to the intermediate value calculated by itself, which can be conveniently achieved in the galois field.
To be used forrThe first participating nodeiBy way of example, the participating nodes, the firstiThe intermediate value calculated by each participating node isThen, the firstiThe participating nodes need to be selected from the Galois fieldrData of: />Needs to meet. For selected +.>To->This isrData, the firstiThe individual participating nodes need to keep thisr1 data in the data and the restr-1 data is sent to the rest respectivelyr-1 participating node.
That is, 1 data is calculated to be reserved by itself, and the restr-Sent by 1 participating noder-The data set of 1 is used to determine,reach 1 of the participating nodes is available to rData, and will do sorThe result of the summation of the individual data is sent to the newly added participating node.
It can be seen that the newly added participating node can receiverCo-transmission by individual participating nodesrThe sum results are then addedrThe summation results are summed to obtain a sumTo->So that the sum is taken as 1 new share of the newly added participating node. And it can be seen that since in this embodiment +.>To->Splitting and summarizing are performed so that newly added participating nodes cannot determine ++>To->Any 1 intermediate value in (c).
It should also be noted that, in the above, it is the case that there is currentlynThe participating nodes are exemplified, i.e. the newly added participating node is the thn+1 participating node, in practical application, 1 or more participating nodes can be further added, and the principle is the same as above when 1 participating node is added each time. Also, hereinafter, too, as currently havingnBy way of example, for removing the first participating nodenThe description of the participating nodes shows that in practical application, 1 or more participating nodes can be further removed, and the principle is the same as that of the participating nodes.
In one embodiment of the present invention, the method may further include:
When 1 participating node needs to be removed, not less than the current participating nodekAnd the participating nodes operate according to a preset participating node removing rule, so that each remaining participating node except the removed participating node obtains 1 new share to replace the original share.
As described above, in the classical secret sharing technology, after the secret distribution phase is finished, the access structure that can be implemented by the system is also fixed, and the access structure cannot be adapted to the situation that the access structure is changed, that is, the system has no "dynamic" property. According to the scheme, the addition of the participation nodes, the removal of the participation nodes and the dynamic adjustment of the threshold value can be supported, and the participation of the distribution nodes is not needed.
In this embodiment, if 1 participating node needs to be removed, it can be made of not less thankThe method and the system for removing the lost shared share of the multi-node network have the advantages that each participating node operates according to a preset participating node removing rule, so that each remaining participating node except the removed participating node can obtain 1 new shared share to replace the old lost shared share, and therefore the method and the system for removing the lost shared share of the multi-node network effectively achieve removing of the participating nodes.
For the preset participating node removing rule, the generalized Reed Solomon code coding rule can be combined according to actual needs, for example, the Cramer rule solved by the equation set can be utilized to perform distributed calculation, and finally, 1 new share is configured for each currently remaining participating node.
In one embodiment of the present invention, when 1 participating node needs to be removed, no less than 1 participating node is selected from the current participating nodeskThe participating nodes operate according to a preset participating node removing rule, so that each remaining participating node except the removed participating node obtains 1 new share to replace the original share, and the method specifically comprises the following steps:
the first step: when 1 participating node needs to be removed, the current node is used for the current nodenIn individual participating nodesrThe individual participating nodes calculate the respective sub-secret data based on the respective current shares;
wherein,rthe first participating nodeiSub-secret data calculated by each participating nodea i0 Represented ass i Is the firstiThe share of the individual participating nodes,M i0 is->At the position ofMAlgebraic remainder of (a), matrix,det(M) RepresentingMIs>To->Is thatnThe identity information of each of the participating nodes,rk
and a second step of: based onrSub-secret data, composed ofrEach participating node operates according to a preset share security generation mode, so that each remaining participating node except the removed participating node obtains 1 new share to replace the original share, and any one participating node is enabled to obtainThe participating node cannot acquire the sub-secret data of any other participating node.
In this embodiment, the operation is performed according to a preset participating node removing rule, so as to complete the specific implementation of participating node removing.
In this embodiment, before the 1 participating node is not removed, there isnThe participating nodes, e.g. the participating node that needs to be removed, is the thnAnd the participating nodes.
In this embodiment, the calculation of the sub-secret data is performedrEach participating node may be currentnAny of the participating nodesrThe number of participating nodes, of course,rthe participating nodes to be removed are not included in the individual participating nodes. For this purposerEach participating node calculates 1 piece of sub secret data based on the share saved by the participating node, thereby realizing the purpose of distributed computation of the invention.
To be used forrThe first participating nodeiBy way of example, the participating nodes, the firstiSub-secret data calculated by each participating nodea i0 Represented asIt can be seen that for the firstiIn the case of the individual participating nodes,s i M i0 det%M) Are known.
rEach participating node can calculate 1 corresponding sub-secret data based on its own share, so that a total ofrSub-secret data based onrSub-secret data, composed of rThe participating nodes operate according to a preset share security generation mode, so that each of the remaining participating nodes except the removed participating node can obtain 1 new share to replace the original share, and any participating node cannot acquire sub-secret data of any other participating node.
In this embodiment, forrEach participating node operates according to a preset share security generation modeBy the method, the purpose that each of the rest of the participation nodes except the removed participation nodes obtains 1 new share is achieved, and any one of the participation nodes cannot acquire the sub-secret data of any other participation node. This is to take into account that if a certain participating node acquires sub-secret data of other participating nodes in the process of obtaining each new share, the share or pair of the corresponding participating node can be determined according to the sub-secret datarSumming up the sub-secret data to obtain the secret element can cause a great potential safety hazard.
The specific rule of the preset share security generation mode can be set and adjusted according to actual needs, so long as the purpose of the invention can be achieved, namely, each of the rest of the participating nodes except the removed participating node is enabled to obtain 1 new share to replace the original share, and meanwhile, any participating node cannot acquire the sub secret data of any other participating node.
In one embodiment of the present invention, the second step may specifically include:
for the followingrEach 1 of the participating nodes calculates from its own calculated sub-secret data and its own constructed first polynomialn-1 sub-share value and to be calculatedn-1 sub-share value being assigned to each of the other participating nodes excluding the removed participating node, including itselfn-1 remaining participating nodes;
for the remainder of the current removed participating nodesn-1 participating node, which is obtainingrAfter the sub-share value, the sub-share value is obtained by itselfrThe sub-share values are summed to replace the original share of the self as the new share of the self;
wherein,ramong the participating nodesiThe first polynomial constructed by the participating nodes is expressed astIs a positive integer and is more than or equal to 1tk-1,a i1 To the point ofa i k(-1) Is the firstiThe participating nodes being selected from the Galois fieldk-1 element; first, theiThe participating nodes determine the independent variables of the first polynomial by constructingxSequentially valued as the remainder excluding the removed participating nodesn-identity information of 1 participating node, calculated in turn n-1 sub-share value.
In this embodiment, forrEvery 1 of the participating nodes embody the self-calculated sub-secret data with a first polynomial, which can be conveniently implemented in the galois field and does not expose the self-calculated sub-secret data.
To be used forrThe first participating nodeiBy way of example, the participating nodes, the firstiThe sub-secret data calculated by each participating node isa i0 Requiring selection from the Galois fieldk-1 element:it can be seen that herea i1 To the point ofa i k(-1) Representing the firstiThe individual participating nodes are uniformly and randomly selected from the Galois fieldk-a number of elements of the order of 1,a i1 to the point ofa i k(-1) This isk-1 element is used as the first elementiCoefficients of a first polynomial constructed by the participating nodes. Namely, the firstiThe first polynomial constructed by the individual participating nodes is denoted +.>. It will be appreciated that the coefficients in the constructed first polynomial may be different for different participating nodes.
First, theiAfter each participating node constructs its own first polynomial, the independent variables of the first polynomial are determinedxSequentially valued as the remainder excluding the removed participating nodesn-identity information of 1 participating node, thereby sequentially calculating n-1 sub-share value. For exampleTo->Is thatnIdentity information of each participating node, andnthe participating nodes are removed participating nodes, thenxThe values are +.>To->First, theiThe individual participating nodes can calculaten-1 sub-share value, which in turn will be calculatedn-1 number of sub-shares being assigned to each of the sub-shares including itselfn1 remaining participating nodes, i.e. this to be calculated in this examplen-1 number of sub-shares is assigned to the 1 st participating node, respectivelyn-1 participating node.
It can be seen that for the remainder of the current removed participating nodesn-1 participating node, each of which is availablerSub-share values, which are obtained by itself after obtainingrThe sub-share values are summed to determine a new share of the self, and the original share of the self is invalid and can be deleted. And it can be seen that, because the first polynomial is used in this embodiment so that the sub-secret data is not directly exposed, any participating node cannot obtain the sub-secret data of any other participating node.
In one embodiment of the present invention, the method may further include:
When the minimum share number for realizing secret reconstruction needs to be adjustedkIs not less than the number of the current participating nodekThe participating nodes operate according to a preset threshold adjustment rule, so that each current participating node obtains 1 new share to replace the original share, and the minimum share number for realizing secret reconstruction is calculated fromkIs adjusted to. It will be appreciated that->Indicated is the minimum number of shares after adjustment that enable secret reconstruction.
According to the scheme, the addition of the participation nodes, the removal of the participation nodes and the dynamic adjustment of the threshold value can be supported, and the participation of the distribution nodes is not needed.
In such an embodiment, the minimum number of shares to achieve secret reconstruction is adjusted if necessarykThe value of (2), i.e. if the threshold value needs to be adjusted, can be made of not less thankThe participating nodes operate according to a preset threshold adjustment rule, so that each current participating node obtains 1 new share to replace the original share, and the minimum share number for realizing secret reconstruction is calculated fromkIs adjusted toThis embodiment thus effectively enables adjustment of the threshold value.
For a preset threshold adjustment rule, the threshold adjustment rule can be set according to actual needs by combining with a coding rule of a generalized Reed Solomon code, for example, the Cramer rule solved by an equation set can be utilized to implement the adjustment of the threshold value by distributed calculation.
In one embodiment of the invention, when it is desired to adjust the minimum number of shares that enable secret reconstructionkIs not less than the number of the current participating nodekThe participating nodes operate according to a preset threshold adjustment rule, so that each current participating node obtains 1 new share to replace the original share, and the minimum share number for realizing secret reconstruction is calculated fromkIs adjusted toMay include:
when the minimum share number for realizing secret reconstruction needs to be adjustedkIs determined by the current valuenIn individual participating nodesrEach participating node baseCalculating the respective sub-secret data from the respective current shares;
wherein,rthe first participating nodeiSub-secret data calculated by each participating nodea i0 Expressed as:s i is the firstiThe share of the individual participating nodes,M i0 is->At the position ofMAlgebraic remainder of (a) matrix->,det(M) RepresentingMIs>To->Is thatnThe identity information of each of the participating nodes,rk
based onrSub-secret data, composed ofrThe method comprises the steps that each participating node operates according to a preset threshold adjustment mode, so that each participating node obtains 1 new share to replace an original share, any participating node cannot obtain sub-secret data of any other participating node, and the minimum share number for realizing secret reconstruction is from kIs adjusted to
In this embodiment, the operation is performed according to a preset threshold adjustment rule, so as to complete the specific implementation of participating in the threshold adjustment.
In this embodiment, threshold adjustment is accomplishedrEach participating node may be currentnAny of the participating nodesrAnd the participating nodes. For this purposerEach participating node counts based on its own saved share1 corresponding sub secret data is calculated, thereby realizing the purpose of distributed computation of the invention.
To be used forrThe first participating nodeiBy way of example, the participating nodes, the firstiSub-secret data calculated by each participating nodea i0 Represented asReference is made to the above description and the description is not repeated here.
rEach participating node can calculate 1 piece of sub-secret data based on its own share, so that a total is obtainedrSub-secret data based onrSub-secret data, composed ofrThe participating nodes operate according to a preset threshold adjustment mode so as to enablenEach of the participating nodes can obtain 1 new share to replace the original share, and any participating node can not obtain the sub-secret data of any other participating node, and the minimum share number for realizing secret reconstruction is determined from kIs adjusted to
In this embodiment, forrThe operation of each participating node is performed according to a preset threshold adjustment mode, so that the purpose of threshold adjustment is achieved, and any participating node cannot acquire the sub-secret data of any other participating node. This is to consider that if a certain participating node obtains sub-secret data of other participating nodes in the process of threshold value adjustment, the share of the corresponding participating node can be determined accordingly, which causes a great potential safety hazard.
The specific rule of the preset threshold adjustment mode can be set and adjusted according to actual needs, so long as the purpose of the invention can be achieved, namely, not only the adjustment of the threshold value is needed to be achieved, but also any participating node can not acquire the sub-secret data of any other participating node.
In one embodiment of the invention, the method is based onrSub-secret data, composed ofrThe method comprises the steps that each participating node operates according to a preset threshold adjustment mode, so that each participating node obtains 1 new share to replace an original share, any participating node cannot obtain sub-secret data of any other participating node, and the minimum share number for realizing secret reconstruction is from kIs adjusted toThe method specifically comprises the following steps:
for the followingrEach 1 of the participating nodes calculates from its own calculated sub-secret data and its own constructed second polynomialnSub-share values and to be calculatednThe sub-share values being respectively allocated to the units including themselvesnEach participating node;
for the followingnEach of the participating nodes, which is obtainingrAfter the sub-share value, the sub-share value is obtained by itselfrThe sub-share values are summed to replace the original share of the self as the new share of the self;
wherein,ramong the participating nodesiThe second polynomial constructed by the participating nodes is expressed ascIs a positive integer and->a i1 To->Is the firstiThe participating nodes are selected from the Galois field>An element; first, theiThe participating nodes determine the independent variables of the constructed second polynomialxSequentially takes the values as the current valuenIdentity information of each participating node is sequentially calculatednA sub-share value.
As in the previous embodiment, in this embodiment, forrEvery 1 of the participating nodes embody the self-calculated sub-secret data with a second polynomial, which can be conveniently implemented in the galois field and does not expose the self-calculated sub-secret data.
To be used forrThe first participating nodeiBy way of example, the participating nodes, the firstiThe sub-secret data calculated by each participating node isa i0 Due to adjustment of the threshold value, i.e.kIs adjusted to the value ofThus, the firstiThe individual participating nodes need to select +.>The following elements: />It can be seen that herea i1 To->Representing the firstiThe individual participating nodes are selected uniformly and randomly from the Galois field>The number of elements to be added to the composition,a i1 to->This->The element is used as the firstiCoefficients of a second polynomial constructed by the participating nodes. Namely, the firstiThe second polynomial constructed by the individual participating nodes is denoted +.>. It will be appreciated that, for different participating nodes, the coefficients in the constructed second polynomial mayDifferent from each other.
First, theiAfter each participating node constructs its own second polynomial, the independent variables of the second polynomial are determinedxSequentially takes the values as the current valuenIdentity information of each participating node is sequentially calculatednA sub-share value. For exampleTo the point ofIs thatnIdentity information of each participating nodexThe values are +.>To->First, theiThe individual participating nodes can calculatenThe value of the sub-share and thus the calculated valuenThe sub-share values being respectively allocated to the units including themselves nAnd the participating nodes.
It can be seen that for the followingnEach participating node of the participating nodes can obtainrSub-share values, which are obtained by itself after obtainingrThe sub-share values are summed to determine a new share of the self, and the original share of the self is invalid and can be deleted. It can be seen that, due to the use of the polynomial in this embodiment, no one of the participating nodes can obtain the sub-secret data of any other participating node.
In one embodiment of the present invention, step S105 may specifically include:
dividing the coding result into the following elements according to the difference of the element positionsnIndividual shares and send to respectivelynMultiple participating nodes to make the rightrIndividual participating node utilizationrIf secret reconstruction is performed on individual sharesr=kThen based onrReconstructing the secret element from the individual shares and determining secret information corresponding to the secret element, ifrkJudgings·H T Whether or not =0 is satisfied, if not, judgerReconstructing the secret element after correcting the false shares when the false shares exist in the individual shares, and determining secret information corresponding to the secret element;
wherein,Hto meet the requirements of M k H T =0%r-k)×rThe full order matrix of the rank is presented,M k is a matrixMFront of (2)kA sub-matrix of rows is formed,Tto transpose matrix symbols, matrix,/>To->Is thatnIdentity information of each participating node, +.>s 1 To the point ofs r Representing secret reconstructionrThe respective shares of the participating nodes.
As described above, whenrIndividual participating node utilizationrWhen secret reconstruction is carried out on individual shares, requirements are maderkSecret reconstruction can be achieved. If it isrkThen it can be judged thatrWhether there are false shares in the individual shares, in which case no more thanr-kA false share.
In this embodiment of the present invention, the process is performed,rkat the time, it can be judged thats·H T Whether or not=0 is satisfied to determinerWhether each participating node is honest.
If it iss·H T =0, it can be determined that no participating nodes provide spurious shares, and can therefore be directly based onrReconstructing the secret element from the individual shares and determining secret information corresponding to the secret element, ifs·H T If 0 is not true, then a false share is requiredAfter correction of (a) the secret element is reconstructed and secret information corresponding to the secret element is determined.
In one embodiment of the present invention, the method may further include:
when (when)rIndividual participating node utilizationrSecret reconstruction of individual shares and upon determination rWhen there are false shares in the individual shares, if the number of false shares does not exceedrEach participating node determines identity information of the participating node corresponding to each false share.
Based on the principle of generalized Reed-Solomon code, ifrkIf the number of false shares does not exceedr-kIt can be determined that there is a false share. And if the number of spurious shares does not exceedNot only can judgerWhether there is a false share in the individual shares may be further determined which 1 or which shares are false shares, i.e., in this embodiment, in determiningrIf there are false shares in the individual shares, if the number of false shares does not exceed +.>rEach participating node can determine the identity information of the participating node corresponding to each false share, namely, the ID of the participating node with the false share improved is found, and the identity determination is realized. It will be appreciated that if the number of spurious shares exceedsBut not exceedr-kOnly the existence of the false share can be judged, but the location of the false share cannot be realized.
In one embodiment of the invention, ifr=kThen based onrReconstructing the secret element from the individual shares and determining secret information corresponding to the secret element, comprising:
If it isr=kThen based onrIndividual shares by calculationReconstructing the secret element and determining secret information corresponding to the secret element.
In this embodiment, the method is based onrWhen secret reconstruction is realized by individual shares, the secret reconstruction is realized by calculationThe secret element is reconstructed by the method of the method, and the method is simple and convenient to calculate. For example, in the above example, the secret element is represented asa 0 And compriseskThe vectors to be encoded of the individual elements area =(a 0a 1 ,...,a k-1 ) I.e. secret elementsa 0 At the first element position of the vector to be encoded, then calculate +.>The 1 st component obtained is then the secret elementa 0
It will also be appreciated that, inrkAt the time and after correction of the spurious shares, the same can be done by calculationA secret element is reconstructed by means of (a) a.
In one embodiment of the present invention, the method may further include:
when (when)rIndividual participating node utilizationrSecret reconstruction of individual sharesr=kWhen based onrAfter the individual shares have been reconstructed into the secret element,rand each participating node outputs the prompt information that the reconstructed secret element has potential safety hazard.
As described in the foregoing description of the present invention,r=kcorrect secret reconstruction can also be achieved at that time, provided that no participating nodes provide false shares. And is also provided withr=kIn this case, even if secret reconstruction is performed, it cannot be determined whether or not there are any participating nodes providing Is a false share, and therefore in this embodiment, a hint is output that the secret element has a potential safety hazard in order to alert the individual participating nodes to the situation.
The technical scheme provided by the embodiment of the invention has the beneficial effects that the scheme of the invention realizes the sharing of secret information based on the generalized Reed Solomon code, and can effectively cope with the situation that a fraudster provides false shares. The security of the scheme of the invention does not depend on any assumption of computational difficulty, namely the scheme of the invention is information theory security rather than security in the classical scheme computational sense, so the scheme of the invention can resist quantum computing attacks. In addition, after secret distribution, the proposal of the invention does not need the participation of distribution nodes in the subsequent stages including secret reconstruction, thereby being beneficial to further improving the flexibility and the reliability. The shares stored by the participating nodes and the secret elements have the same length, so that the secret distribution process of the scheme of the invention has no data expansion, and the security is further ensured.
Specifically, in order to realize the encoding based on the generalized reed-solomon code later, in the scheme of the invention, the distribution node converts the secret information into an element in the set galois field as a secret element according to the conversion rule set by the requirement, and the secret element can be selected from the galois field k-1 element together forming a single containingkThe vector to be encoded of the individual elements, i.e. the secret element is carried in the vector to be encoded. For the followingnA plurality of participating nodes selected from the set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes. Coding rules based on generalized Reed Solomon code bynEncoding the vectors to be encoded by the identity information of each participating node to obtain the information comprisingnThe result of encoding the individual elements. The coding result includesnElements each as 1 share, so that the encoding result can be divided intonIndividual shares are thus handed over tonAnd the individual participating nodes keep. Based on the principle of generalized Reed Solomon coderIndividual participating node utilizationrIf secret reconstruction is performed on individual sharesr=kThen it can be based onrReconstructing the individual shares to obtain the secret element and determining the secret information corresponding to the secret element, wherein the reconstruction cannot guarantee the accuracy, i.er=kTime requirementrEach participating node is an honest participating node, and can reconstruct correct secret elements, so that secret information corresponding to the secret elements is determined according to the conversion rules. WhilerkIn the scheme of the invention, it can be judged that rWhether there are false shares in the individual shares, if so, the number can be corrected not to exceedAfter correction of the false shares, the secret element can be reconstructed and the secret information corresponding to the secret element can be determined;
it can be seen that the scheme of the invention can judgerWhether there are false shares in the individual shares and the number can be corrected not to exceedThe inventive solution can effectively cope with situations where a fraudster provides a false share. And is also provided withrLess thankWhen the method is used, no matter how high the computing resource an attacker has, secret reconstruction cannot be realized, namely, the assumption that the security of the scheme of the invention does not depend on any computing difficulty is information theory security rather than security in the classical scheme computing sense, so that the scheme of the invention can resist quantum computing attacks. In addition, it can be seen that in the scheme of the invention, the distribution node only needs to complete the distribution of the shares, and the scheme of the invention does not need the participation of the distribution node when the operation of the subsequent stages including secret reconstruction is performed, thereby being beneficial to further improving the reliability. The share and the secret element saved by the participating node are elements in the Galois field and have the same length, so that the secret distribution process of the scheme of the invention has no data expansion, and the security is further ensured.
Corresponding to the above method embodiment, the embodiment of the invention also provides a secret information sharing system, which can be referred to correspondingly with the above.
Referring to fig. 3, the secret information sharing system includes: distribution node 31nAnd the participating nodes 32. In fig. 3, 3 participating nodes 32 are shown, in turn referred to as 1 st through 3 rd participating nodes.
The distribution node 31 is configured to:
according to the set conversion rule, converting the secret information into an element in the set Galois field as a secret element;
selected from a set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes;
selected from the Galois fieldk-1 element and together with said secret element constitutes a single unit comprisingkVectors to be encoded of the individual elements;
coding rules based on generalized Reed Solomon code bynThe identity information of each participating node encodes the vector to be encoded to obtain a code comprisingnEncoding results of the individual elements;
dividing the coding result into the following elements according to the difference of the element positionsnIndividual shares and send to respectivelynEach participating node;
the participating node 32 is configured to:
when (when)rIndividual participating node utilization rIf secret reconstruction is performed on individual sharesr=kThen based onrReconstructing the secret element from the individual shares, ifrkAnd judge outrWhen false shares exist in the individual shares, reconstructing the secret element after correcting the false shares;
determining corresponding secret information based on the reconstructed secret element;
wherein,nis a positive integer not less than 2,kexpressed as a positive integer is the minimum number of shares that enable secret reconstruction,ris a positive integer andrkthe secret reconstruction cannot be achieved at this time,rkthe correction amount of the false shares is not more than
Corresponding to the above method and system embodiments, the embodiments of the present invention also provide a secret information sharing device and a computer readable storage medium, which can be referred to in correspondence with the above.
Referring to fig. 4, the sharing device of secret information may include:
a memory 401 for storing a computer program;
a processor 402 for executing the computer program to implement the steps of the secret information sharing method as in any of the embodiments described above.
Referring to fig. 5, the computer-readable storage medium 50 has stored thereon a computer program 51, which when executed by a processor, implements the steps of the secret information sharing method as in any of the embodiments described above. The computer readable storage medium 50 as described herein includes Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The principles and embodiments of the present invention have been described herein with reference to specific examples, but the description of the examples above is only for aiding in understanding the technical solution of the present invention and its core ideas. It should be noted that it will be apparent to those skilled in the art that the present invention may be modified and practiced without departing from the spirit of the present invention.

Claims (22)

1. A method of sharing secret information, comprising:
according to the set conversion rule, converting the secret information into an element in the set Galois field as a secret element;
selected from a set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes;
selected from the Galois fieldk-1 element and together with said secret element constitutes a single unit comprisingkVectors to be encoded of the individual elements;
coding rules based on generalized Reed Solomon code bynThe identity information of each participating node encodes the vector to be encoded to obtain a code comprisingnEncoding results of the individual elements;
dividing the coding result into the following elements according to the difference of the element positionsnIndividual shares and send to respectivelynMultiple participating nodes to make the rightrIndividual participating node utilizationrIf secret reconstruction is performed on individual sharesr=kThen based onrReconstructing the secret element from the individual shares and determining secret information corresponding to the secret element ifrkAnd judge outrWhen false shares exist in the shares, reconstructing the secret element after correcting the false shares, and determining secret information corresponding to the secret element;
Wherein,nis a positive integer not less than 2,kexpressed as a positive integer is the minimum number of shares that enable secret reconstruction,ris a positive integer, andrkthe secret reconstruction cannot be achieved at this time,rkthe correction amount of the false shares is not exceededPassing through
2. The method for sharing secret information according to claim 1, wherein the selected from the set galois fieldnIndividual disparate elements asnPublic identity information of individual participating nodes, comprising:
randomly selected from a set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes.
3. The method for sharing secret information according to claim 2, wherein the random selection is made from a set galois fieldnIndividual disparate elements asnPublic identity information of individual participating nodes, comprising:
uniformly and randomly selecting from a set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes.
4. The method of sharing secret information according to claim 1, wherein the selected from the galois fieldk-1 element and together with said secret element constitutes a single unit comprising kVectors to be encoded of individual elements, comprising
Uniformly and randomly selected from the Galois fieldk-1 element and together with said secret element constitutes a single unit comprisingkVectors to be encoded of the individual elements.
5. The method for sharing secret information according to claim 1, wherein the code rule based on the generalized reed-solomon code is defined bynThe identity information of each participating node encodes the vector to be encoded to obtain a code comprisingnA result of encoding of the individual elements, comprising:
coding rules based on generalized Reed Solomon code bynIndividual participation inEstablishing a vandermonde matrix according to the identity information of the nodes, and encoding the vector to be encoded through the established vandermonde matrix to obtain a vector to be encoded, wherein the vector to be encoded comprisesnThe result of encoding the individual elements.
6. The method for sharing secret information according to claim 5, wherein the code rule based on the generalized reed-solomon code is defined bynEstablishing a vandermonde matrix according to the identity information of each participating node, and encoding the vector to be encoded through the established vandermonde matrix to obtain a code comprising the following steps ofnA result of encoding of the individual elements, comprising:
coding rules based on generalized Reed Solomon code by nIdentity information of each participating node according to%s 1 ,...,s n )=a·GThe vector to be coded is coded to obtain the calculation mode comprisingnEncoding results of the individual elements;
wherein,ais comprised ofkThe vectors to be encoded of the individual elements,Gto pass throughnVandermonde matrix established by identity information of each participating node, ands 1 to the point ofs n To get the inclusionnThe result of the encoding of the individual elements,to->Is thatnThe identity information of each participating node.
7. The method for sharing secret information according to claim 1, further comprising:
when 1 participating node needs to be newly added, the number of the current participating nodes is not less thankThe participating nodes operate according to a preset share newly-added rule so that the newly-added participating nodes obtain1 new share.
8. The method for sharing secret information according to claim 7, wherein when 1 participating node needs to be newly added, not less than the current participating nodekThe participating nodes operate according to a preset share adding rule, so that the newly added participating nodes obtain 1 newly added share, and the method comprises the following steps:
when 1 participating node needs to be newly added, the current participating node is used for the current operationnIn individual participating nodesrThe participation nodes calculate respective intermediate values;
Wherein,rthe first participating nodeiIntermediate values calculated by each participating nodeRepresented ass i Is the firstiThe share of the individual participating nodes,m i is that M -1 Front of (2)kColumn sub-matrix of the first columniRow vector, matrix-> M -1 Is thatMInverse matrix of>,/>To the point ofIs thatnIdentity information of each participating node, +.>For the identity information of the newly added participating node,Tfor the transposed matrix symbol,rk
based on a preset information safety transmission mode, the newly added participating node determinesTo->And taking the sum as 1 newly added share obtained by the newly added participating node, and making the newly added participating node unable to determine +.>To->Any 1 intermediate value in (c).
9. The method for sharing secret information according to claim 8, wherein the newly added participating node is determined based on a preset information security transmission mannerTo->And taking the sum as 1 newly added share obtained by the newly added participating node, and making the newly added participating node unable to determine +.>To->Intermediate values of any 1 of (a), including:
for the followingrEvery 1 of the participating nodes, the participating nodes divide the intermediate value calculated by the participating nodes intorData such that it is divided into rThe sum of the individual data is equal to the intermediate value calculated by itself and the participating node remainsrPersonal dataAfter 1 data in (2), the restr-1 data is sent to the rest respectivelyr-1 participating node;
for the followingrEach 1 of the participating nodes that combine the reserved 1 data with the receivedr-1 data are summed and the result of the summation is sent to the newly added participating node so that the newly added participating node willrThe transmitted data of the participating nodes are summed to obtainTo->And takes the sum as 1 new share obtained by the newly added participating node.
10. The method for sharing secret information according to claim 1, further comprising:
when 1 participating node needs to be removed, not less than the current participating nodekAnd the participating nodes operate according to a preset participating node removing rule, so that each remaining participating node except the removed participating node obtains 1 new share to replace the original share.
11. The method for sharing secret information according to claim 10, wherein when 1 participating node needs to be removed, not less than 1 participating node is selected from the current participating nodes kThe method comprises the steps that each participating node operates according to a preset participating node removing rule, so that each remaining participating node except the removed participating node obtains 1 new share to replace an original share, and the method comprises the following steps:
when 1 participating node needs to be removed, the current node is used for the current nodenIn individual participating nodesrThe individual participating nodes calculate the respective sub-secret data based on the respective current shares;
wherein,rthe first participating nodeiCalculated by each participating nodeSub-secret dataa i0 Represented ass i Is the firstiThe share of the individual participating nodes,M i0 is->At the position ofMAlgebraic remainder of (a), matrix,det(M) RepresentingMIs>To->Is thatnThe identity information of each of the participating nodes,rk
based onrSub-secret data, composed ofrThe method comprises the steps that each participating node operates according to a preset share security generation mode, so that each remaining participating node except the removed participating node obtains 1 new share to replace an original share, and any participating node cannot acquire sub-secret data of any other participating node.
12. The method for sharing secret information according to claim 11, wherein the method is based onrSub-secret data, composed of rThe method comprises the steps that each participating node operates according to a preset share security generation mode, so that each remaining participating node except the removed participating node obtains 1 new share to replace an original share, any participating node cannot acquire sub-secret data of any other participating node, and the method comprises the following steps:
for the followingrEach 1 of the participating nodes calculates from its own calculated sub-secret data and its own constructed first polynomialn-1 sub-share value and to be calculatedn-1 sub-share value being assigned to each of the other participating nodes excluding the removed participating node, including itselfn-1 remaining participating nodes;
for the remainder of the current removed participating nodesn-1 participating node, which is obtainingrAfter the sub-share value, the sub-share value is obtained by itselfrThe sub-share values are summed to replace the original share of the self as the new share of the self;
wherein,ramong the participating nodesiThe first polynomial constructed by the participating nodes is expressed astIs a positive integer and is more than or equal to 1tk-1,a i1 To the point ofa i k(-1) Is the firstiThe participating nodes are selected from the Galois field k-1 element; first, theiThe participating nodes are constructed by combining the arguments of the first polynomialxSequentially valued as the remainder excluding the removed participating nodesn-identity information of 1 participating node, calculated in turnn-1 sub-share value.
13. The method for sharing secret information according to claim 1, further comprising:
when the minimum share number for realizing secret reconstruction needs to be adjustedkIs not less than the number of the current participating nodekThe participating nodes operate according to a preset threshold adjustment rule, so that each current participating node obtains 1 new share to replace the original share, and the minimum share number for realizing secret reconstruction is calculated fromkIs adjusted to
Indicated is the minimum number of shares after adjustment that enable secret reconstruction.
14. The method for sharing secret information according to claim 13, wherein the minimum number of shares for realizing the secret reconstruction is adjusted when necessarykIs not less than the number of the current participating nodekThe participating nodes operate according to a preset threshold adjustment rule, so that each current participating node obtains 1 new share to replace the original share, and the minimum share number for realizing secret reconstruction is calculated from kIs adjusted toComprising:
when the minimum share number for realizing secret reconstruction needs to be adjustedkIs determined by the current valuenIn individual participating nodesrThe individual participating nodes calculate the respective sub-secret data based on the respective current shares;
wherein,rthe first participating nodeiSub-secret data calculated by each participating nodea i0 Expressed as:s i is the firstiThe share of the individual participating nodes,M i0 is->At the position ofMAlgebraic remainder of (a), matrix,det(M) RepresentingMIs>To->Is thatnThe identity information of each of the participating nodes,rk
based onrSub-secret data, composed ofrThe method comprises the steps that each participating node operates according to a preset threshold adjustment mode, so that each participating node obtains 1 new share to replace an original share, any participating node cannot obtain sub-secret data of any other participating node, and the minimum share number for realizing secret reconstruction is fromkIs adjusted to
15. The method for sharing secret information according to claim 14, wherein the method is based onrSub-secret data, composed ofrThe method comprises the steps that each participating node operates according to a preset threshold adjustment mode, so that each participating node obtains 1 new share to replace an original share, any participating node cannot obtain sub-secret data of any other participating node, and the minimum share number for realizing secret reconstruction is from kIs adjusted toComprising:
for the followingrEach 1 of the participating nodes calculates from its own calculated sub-secret data and its own constructed second polynomialnSub-share values and to be calculatednThe sub-share values being respectively allocated to the units including themselvesnEach participating node;
for the followingnEach of the participating nodes, which is obtainingrAfter the sub-share value, the sub-share value is obtained by itselfrThe sub-share values are summed to replace the original share of the self as the new share of the self;
wherein,ramong the participating nodesiThe second polynomial constructed by the participating nodes is expressed ascIs a positive integer and-> a i1 To->Is the firstiThe participating nodes are selected from the Galois field>An element; first, theiThe participating nodes are constructed by the independent variables of the second polynomialxSequentially takes the values as the current valuenIdentity information of each participating node is sequentially calculatednA sub-share value.
16. A method for sharing secret information according to any one of claims 1 to 15, wherein the encoding result is divided into nIndividual shares and send to respectivelynMultiple participating nodes to make the rightrIndividual participating node utilizationrIf secret reconstruction is performed on individual sharesr=kThen based onrReconstructing the secret element from the individual shares and determining secret information corresponding to the secret element ifrkAnd judge outrWhen false shares exist in the shares, reconstructing the secret element after correcting the false shares, and determining secret information corresponding to the secret element, wherein the method comprises the following steps:
dividing the coding result into the following elements according to the difference of the element positionsnIndividual shares and send to respectivelynMultiple participating nodes to make the rightrIndividual participating node utilizationrIf secret reconstruction is performed on individual sharesr=kThen based onrReconstructing the secret element from the individual shares and determining secret information corresponding to the secret element ifrkJudgings·H T Whether or not =0 is satisfied, if not, judgerPresence in individual sharesReconstructing the secret element after correcting the false share when the false share is performed, and determining secret information corresponding to the secret element;
wherein,Hto meet the requirements ofM k H T =0%r-k)×rThe full order matrix of the rank is presented,M k is a matrixMFront of (2)kA sub-matrix of rows is formed, TTo transpose matrix symbols, matrix,/>To->Is thatnIdentity information of each participating node, +.>s 1 To the point ofs r Representing secret reconstructionrThe respective shares of the participating nodes.
17. The method for sharing secret information according to claim 16, further comprising:
when (when)rIndividual participating node utilizationrSecret reconstruction of individual shares and upon determinationrWhen there are false shares in the individual shares, if the number of false shares does not exceedrEach participating node determines identity information of the participating node corresponding to each false share.
18. The method for sharing secret information according to claim 16, wherein ifr=kThen based onrReconstructing the secret element from the individual shares and determining a value corresponding to the secret elementComprises:
if it isr=kThen based onrIndividual shares by calculationReconstructing the secret element and determining secret information corresponding to the secret element.
19. The method for sharing secret information according to claim 16, further comprising:
when (when)rIndividual participating node utilizationrSecret reconstruction of individual sharesr=kWhen based onrAfter reconstruction of the secret element from the individual shares, rAnd each participating node outputs the reconstructed prompt information that the secret element has potential safety hazard.
20. A secret information sharing system, comprising: distribution nodenEach participating node;
the distribution node is configured to:
according to the set conversion rule, converting the secret information into an element in the set Galois field as a secret element;
selected from a set Galois fieldnIndividual disparate elements asnPublic identity information of the individual participating nodes;
selected from the Galois fieldk-1 element and together with said secret element constitutes a single unit comprisingkVectors to be encoded of the individual elements;
coding rules based on generalized Reed Solomon code bynThe identity information of each participating node encodes the vector to be encoded to obtain a code comprisingnEncoding results of the individual elements;
dividing the coding result into the following elements according to the difference of the element positionsnIndividual shares and send to respectivelynEach participating node;
the participating node is configured to:
when (when)rIndividual participating node utilizationrIf secret reconstruction is performed on individual sharesr=kThen based onrReconstructing the secret element from the individual shares, ifrkAnd judge outrWhen false shares exist in the individual shares, reconstructing the secret element after correcting the false shares;
Determining corresponding secret information based on the reconstructed secret element;
wherein,nis a positive integer not less than 2,kexpressed as a positive integer is the minimum number of shares that enable secret reconstruction,ris a positive integer andrkthe secret reconstruction cannot be achieved at this time,rkthe correction amount of the false shares is not more than
21. A sharing device of secret information, comprising:
a memory for storing a computer program;
processor for executing the computer program to implement the steps of the secret information sharing method as claimed in any one of claims 1 to 19.
22. A computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the steps of the secret information sharing method as claimed in any one of claims 1 to 19.
CN202310954869.9A 2023-08-01 2023-08-01 Secret information sharing method, system, equipment and storage medium Pending CN117155551A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310954869.9A CN117155551A (en) 2023-08-01 2023-08-01 Secret information sharing method, system, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310954869.9A CN117155551A (en) 2023-08-01 2023-08-01 Secret information sharing method, system, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117155551A true CN117155551A (en) 2023-12-01

Family

ID=88903475

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310954869.9A Pending CN117155551A (en) 2023-08-01 2023-08-01 Secret information sharing method, system, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117155551A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117857039A (en) * 2024-03-04 2024-04-09 浪潮(北京)电子信息产业有限公司 Multiparty security computing method, device, equipment and medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117857039A (en) * 2024-03-04 2024-04-09 浪潮(北京)电子信息产业有限公司 Multiparty security computing method, device, equipment and medium
CN117857039B (en) * 2024-03-04 2024-05-28 浪潮(北京)电子信息产业有限公司 Multiparty security computing method, device, equipment and medium

Similar Documents

Publication Publication Date Title
JP7554493B2 (en) Computer-Implemented Method for Generating a Threshold Vault - Patent application
CN110610105B (en) Secret sharing-based authentication method for three-dimensional model file in cloud environment
CN114219483B (en) Method, equipment and storage medium for sharing block chain data based on LWE-CPBE
CN112104619A (en) Data access control system and method based on outsourcing ciphertext attribute encryption
JP5506704B2 (en) Decryption system, key device, decryption method, and program
CN112769542B (en) Multiplication triple generation method, device, equipment and medium based on elliptic curve
CN113158239A (en) Selection problem processing method for protecting data privacy
CN117155551A (en) Secret information sharing method, system, equipment and storage medium
US20240340171A1 (en) Method and apparatus for implementing privacy amplification in quantum key distribution
Song et al. A new multi‐use multi‐secret sharing scheme based on the duals of minimal linear codes
CN112035574A (en) Private data distributed storage method based on block chain technology
CN113407991B (en) Privacy data two-party safety comparison method based on trusted third party
CN112202562A (en) RSA key generation method, computer device and medium
CN113407992B (en) Privacy data two-party safety equality testing method based on trusted third party
CN114640436A (en) Packet statistical parameter calculation method and device based on privacy protection
Shi et al. Threshold eddsa signature for blockchain-based decentralized finance applications
CN116915414A (en) Method for realizing threshold signature, computer equipment and storage medium
CN117040764A (en) Secret key share updating method, computer equipment and storage medium
CN116961917A (en) ECDSA-based multiparty cooperative threshold signature method, device and system
CN108171665B (en) Multi-version backup and restrictive dual authentication master key (t, s, k, n) image separate storage method
CN112565201B (en) Private key processing method and device in block chain and computer storage medium
CN114221753B (en) Key data processing method and electronic equipment
Shao et al. Pairwise and parallel: enhancing the key mismatch attacks on kyber and beyond
CN113806775B (en) Block chain message processing method and device based on convolution optimization
Yang et al. Identity‐Based Unidirectional Collusion‐Resistant Proxy Re‐Encryption from U‐LWE

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination