CN117728959B - Threshold signature method and device, electronic equipment and storage medium - Google Patents

Publication number
CN117728959B
Authority
CN
China
Prior art keywords
participants
participant
random value
public
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410172276.1A
Other languages
Chinese (zh)
Other versions
CN117728959A (en
Inventor
刘乃嘉
郭健
李海花
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Academy of Information and Communications Technology CAICT
Original Assignee
China Academy of Information and Communications Technology CAICT
Application filed by China Academy of Information and Communications Technology CAICT filed Critical China Academy of Information and Communications Technology CAICT
Priority to CN202410172276.1A priority Critical patent/CN117728959B/en
Publication of CN117728959A publication Critical patent/CN117728959A/en
Publication of CN117728959B publication Critical patent/CN117728959B/en

Abstract

The embodiments of the present disclosure disclose a threshold signature method and apparatus, an electronic device and a storage medium. The method comprises the following steps: when a plurality of participants receive target information, each participant generates a first random value, where the threshold private keys of the participants satisfy the following condition: a public private key can be obtained from the threshold private keys of the participants by using an interpolation algorithm, and a public signature obtained based on the public private key is the same as a public signature obtained based on the threshold private keys of the participants; each participant generates first verification information based on its first random value and sends the first verification information to the other participants; in response to the first verification information of every participant passing verification, each participant signs the target information with its own threshold private key based on a homomorphic encryption algorithm to obtain a corresponding signature share; and a public signature for the target information is determined based on the signature shares of the participants.

Description

Threshold signature method and device, electronic equipment and storage medium
Technical Field
The disclosure relates to the technical field of cryptography, in particular to a threshold signature method and device, electronic equipment and a storage medium.
Background
ECDSA (Elliptic Curve Digital Signature Algorithm) is applied to information encryption in various fields, for example to sign transaction data on a blockchain. In the related art, a digital wallet is generally used to manage a user's public-private key pair, specifically through ECDSA. The digital wallet generally stores the private key in the form of a seed, and when a signature with the private key is required, the corresponding private key is obtained from the seed. However, storing the seed at a single point carries a great risk: the private key is lost when the seed is lost or leaked, so the user's digital assets are exposed to data security risks.
Disclosure of Invention
In order to solve the technical problems described above, embodiments of the present disclosure provide a threshold signature method and apparatus, an electronic device, and a storage medium.
In one aspect of the embodiments of the present disclosure, a threshold signature method applied to a plurality of participants is provided, including: in response to the plurality of participants receiving target information, each of the plurality of participants generates a first random value, where each participant holds a public key and a threshold private key, the public key is used to verify the public signature generated based on the threshold private keys of the participants, and the threshold private keys of the participants satisfy the following condition: a public private key can be obtained from the threshold private keys of the participants by using an interpolation algorithm, and the public signature obtained based on the public private key is the same as the public signature obtained based on the threshold private keys of the participants; each participant generates first verification information based on its first random value and sends the first verification information to the other participants; in response to the first verification information of every participant passing verification, each participant signs the target information with its own threshold private key based on a homomorphic encryption algorithm to obtain a corresponding signature share; and a public signature for the target information is determined based on the signature shares of the participants.
In another aspect of the embodiments of the present disclosure, a threshold signature apparatus applied to a plurality of participants is provided, including: a first generation module, configured so that, in response to the plurality of participants receiving target information, each of the plurality of participants generates a first random value, where each participant holds a public key and a threshold private key, the public key is used to verify the public signature generated based on the threshold private keys of the participants, and the threshold private keys of the participants satisfy the following condition: a public private key can be obtained from the threshold private keys of the participants by using an interpolation algorithm, and the public signature obtained based on the public private key is the same as the public signature obtained based on the threshold private keys of the participants; a first generation module, configured so that each participant generates first verification information based on its first random value and sends the first verification information to the other participants; a first signature module, configured so that, in response to the first verification information of every participant passing verification, each participant signs the target information with its own threshold private key based on a homomorphic encryption algorithm to obtain a corresponding signature share; and a second signature module, configured to determine a public signature of the target information based on the signature shares of the participants.
In yet another aspect of the disclosed embodiments, there is provided an electronic device including: a memory for storing a computer program; and the processor is used for executing the computer program stored in the memory and realizing the threshold signature method when the computer program is executed.
In yet another aspect of the disclosed embodiments, a computer-readable storage medium is provided having a computer program stored thereon that, when executed by a processor, implements a threshold signature method.
In the embodiments of the present disclosure, when a plurality of participants receive target information, each participant generates a first random value; the threshold private keys of the participants are such that a public private key can be obtained from them by an interpolation algorithm, and the public signature obtained based on the public private key is the same as the public signature obtained based on the threshold private keys of the participants. Each participant generates first verification information based on its first random value and sends it to the other participants. When the first verification information of every participant passes verification, each participant signs the target information with its own threshold private key based on a homomorphic encryption algorithm to obtain its signature share, and a public signature for the target information is then determined based on the signature shares of the participants. Because each participant holds its own threshold private key, the poor security and easy loss of a private key stored at a single point are avoided, which improves the security of the private key and, in turn, of the data. Meanwhile, verifying the first verification information of each participant effectively ensures the authenticity of each participant's identity and avoids malicious signatures; in addition, determining the public signature of the target information based on the signature shares of the participants effectively ensures the reliability of the signature.
The technical scheme of the present disclosure is described in further detail below through the accompanying drawings and examples.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The disclosure may be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings in which:
FIG. 1 is a flow chart of a threshold signature method provided by an exemplary embodiment of the present disclosure;
FIG. 2 is a flow chart of step S130 provided by an exemplary embodiment of the present disclosure;
FIG. 3 is a flow chart of obtaining a threshold key provided by an exemplary embodiment of the present disclosure;
FIG. 4 is a flow chart of obtaining a public key provided by an exemplary embodiment of the present disclosure;
FIG. 5 is a flow chart of a threshold signature method provided by another exemplary embodiment of the present disclosure;
FIG. 6 is a flow chart of a threshold signature method provided by yet another exemplary embodiment of the present disclosure;
FIG. 7 is a block diagram of a threshold signature apparatus provided in an exemplary embodiment of the present disclosure;
FIG. 8 is a schematic structural diagram of an application embodiment of the electronic device of the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless it is specifically stated otherwise.
It will be appreciated by those of skill in the art that the terms "first," "second," etc. in embodiments of the present disclosure are used merely to distinguish between different steps, devices or modules, etc., and do not represent any particular technical meaning nor necessarily logical order between them.
It should also be understood that in embodiments of the present disclosure, "plurality" may refer to two or more, and "at least one" may refer to one, two or more.
It should also be appreciated that any component, data, or structure referred to in the presently disclosed embodiments may be generally understood as one or more without explicit limitation or the contrary in the context.
In addition, the term "and/or" in this disclosure is merely an association relationship describing an association object, and indicates that three relationships may exist, for example, a and/or B may indicate: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" in the present disclosure generally indicates that the front and rear association objects are an or relationship.
It should also be understood that the description of the various embodiments of the present disclosure emphasizes the differences between the various embodiments, and that the same or similar features may be referred to each other, and for brevity, will not be described in detail.
Meanwhile, it should be understood that the sizes of the respective parts shown in the drawings are not drawn in actual scale for convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but are intended to be part of the specification where appropriate.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further discussion thereof is necessary in subsequent figures.
Embodiments of the present disclosure may be applicable to electronic devices such as terminal devices, computer systems, servers, etc., which may operate with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known terminal devices, computing systems, environments, and/or configurations that may be suitable for use with the terminal device, computer system, server, or other electronic device include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network personal computers, small computer systems, mainframe computer systems, and distributed cloud computing technology environments that include any of the foregoing, and the like.
Electronic devices such as terminal devices, computer systems, servers, etc. may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc., that perform particular tasks or implement particular abstract data types. The computer system/server may be implemented in a distributed cloud computing environment in which tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computing system storage media including memory storage devices.
In the disclosed embodiments:
A blockchain is a distributed ledger technology based on a peer-to-peer network. Each node in the blockchain network holds the same complete data, and the nodes keep their on-chain data consistent through a consensus mechanism. A node generally refers to a computing device in the blockchain network; that is, any computing device connected to the blockchain network (including mobile phones, servers, etc.) is called a node, and nodes may be used to store, run and validate block data in the blockchain network.
Fig. 1 is a flow chart illustrating a threshold signature method according to an exemplary embodiment of the present disclosure. The embodiment is applied to a plurality of participants, as shown in fig. 1, and includes the following steps:
Step S110, in response to the plurality of participants receiving the target information, each of the plurality of participants generates a first random value.
Wherein the plurality of participants may include, for example, but not limited to: enterprises, individuals or groups, etc. Each participant has a client, and the clients of the plurality of participants are communicatively connected. The client of each participant may be a computing device, which may be, for example, a computer, a server, a smart phone, or the like. In one particular implementation, the number of participants is greater than or equal to 3, and each participant's client may be deployed on a node in the blockchain network, each client being provided with a digital wallet for managing the participants' public key and threshold private key.
In one particular implementation, the plurality of participants are each connected to a signature platform, which can be deployed on a node. A user sends the target information to the signature platform through the user's client, and the signature platform sends the target information to each client. Each of the plurality of participants holds a public key and a threshold private key. The public key is used to verify the public signature generated based on the threshold private keys of the participants, and the threshold private keys of the participants satisfy the following condition: a public private key can be obtained from the threshold private keys of the participants by using an interpolation algorithm, and the public signature obtained based on the public private key is the same as the public signature obtained based on the threshold private keys of the participants.
The public private key may also be obtained from the private keys of the participants; for example, the private keys of the participants may be added to obtain the public private key. The public private key may be used to sign information, and the public signature obtained by signing the information with the public private key is the same as the one obtained by signing the information based on the threshold private keys of the participants. The public key can verify a public signature generated with the public private key.
In an alternative embodiment, each participant has a public-private key pair calculated using a homomorphic encryption algorithm. The public key and the threshold private key of each participant can be calculated by using the homomorphic encryption algorithm and a secret sharing algorithm, based on the private key of each participant's public-private key pair. The homomorphic encryption algorithm may be the Paillier homomorphic encryption algorithm, and the secret sharing algorithm may be the Shamir secret sharing algorithm. The public private key is calculated from the threshold private keys of the participants using an interpolation algorithm, for example the Lagrange interpolation algorithm.
For convenience of description, this embodiment is illustrated with 3 participants. The three participants are $P_1$, $P_2$ and $P_3$, where the identifier of $P_1$ is 1 and its threshold private key is $x_1$; the identifier of $P_2$ is 2 and its threshold private key is $x_2$; and the identifier of $P_3$ is 3 and its threshold private key is $x_3$. The Lagrange interpolation coefficient of $P_1$ is calculated based on formula (1), that of $P_2$ based on formula (2), and that of $P_3$ based on formula (3); the public private key sk can then be obtained by the calculation of formula (4);
(1)
(2)
(3)
(4)。
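The interpolation condition described above, as an added Python example that is not code from the patent: Shamir shares for identifiers 1, 2 and 3, the Lagrange coefficients at zero, and the additive shares $w_i = \lambda_i x_i$ that sum to sk. The secp256k1 group order, the polynomial degree and all function names are assumptions; the page does not name a curve or a threshold.

```python
import secrets

# Group order n of secp256k1 (assumed; the page does not name a curve).
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def shamir_split(secret, ids, degree, q=N_ORDER):
    """Evaluate a random polynomial f with f(0) = secret at each identifier."""
    coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(degree)]
    shares = {}
    for i in ids:
        if i % q == 0:
            raise ValueError("identifier 0 would hand out the secret itself")
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation of f(i) mod q
            acc = (acc * i + c) % q
        shares[i] = acc
    return shares


def lagrange_at_zero(i, ids, q=N_ORDER):
    """Coefficient lambda_i with f(0) = sum(lambda_i * f(i)) over ids."""
    if len(set(ids)) != len(ids):
        raise ValueError("identifiers must be distinct")
    num, den = 1, 1
    for j in ids:
        if j != i:
            num = (num * (-j)) % q
            den = (den * (i - j)) % q
    return num * pow(den, -1, q) % q


def additive_shares(shares, q=N_ORDER):
    """w_i = lambda_i * x_i: turns polynomial shares into additive shares."""
    ids = list(shares)
    return {i: lagrange_at_zero(i, ids, q) * x % q for i, x in shares.items()}


def reconstruct(shares, q=N_ORDER):
    """sk = sum of the additive shares w_i, i.e. f(0)."""
    return sum(additive_shares(shares, q).values()) % q
```

In the signing protocol the additive shares are never summed in one place; `reconstruct` exists here only to check the algebra.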
step S120, each participant generates corresponding first verification information based on the first random value of the participant and sends the first verification information to other participants.
The first verification information of each participant may include a commitment and an open commitment of that participant.
In one particular implementation, the commitment may be represented by KGC and the open commitment by KGD.
Each participant can randomly generate a first random value $\gamma$ and then, using $\gamma$ and the generator $G$ of the elliptic curve corresponding to the participant, obtain a random point $\Gamma = \gamma \cdot G$; the hash value of the random point $\Gamma$ is taken as the commitment KGC, and the random point $\Gamma$ is taken as the open commitment KGD.
Each participant sends its own first verification information to the other participants, i.e., $P_1$ sends the first verification information of $P_1$ to $P_2$ and $P_3$; $P_2$ sends the first verification information of $P_2$ to $P_1$ and $P_3$; and $P_3$ sends the first verification information of $P_3$ to $P_1$ and $P_2$.
Step S130, in response to the first verification information of each participant passing verification, each participant performs signature processing on the target information by using a threshold private key of the participant based on a homomorphic encryption algorithm to obtain a corresponding signature share.
In one particular implementation, each participant verifies the first verification information of the other participants. Illustratively, $P_1$ verifies the first verification information of $P_2$ and of $P_3$, $P_2$ verifies that of $P_1$ and of $P_3$, and $P_3$ verifies that of $P_1$ and of $P_2$. Taking the verification of the first verification information of $P_2$ by $P_1$ as an example, $P_1$ calculates the hash value of the open commitment in the first verification information of $P_2$; if this hash value is the same as the commitment in the first verification information of $P_2$, the first verification information of $P_2$ is determined to pass verification.
When the first verification information of each party passes verification, for each party, the party carries out signature processing on the target information by using a threshold private key of the party based on a homomorphic encryption algorithm, for example, a Paillier homomorphic encryption algorithm, so as to obtain a signature share corresponding to the party.
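The commitment check of steps S120 and S130, as an added Python example that is not code from the patent: each participant hashes its random point into KGC and opens it as KGD, and peers recompute the hash. The secp256k1 curve, SHA-256, the point encoding, the on-curve check and all function names are assumptions the page does not specify.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (assumed curve; the page does not name one).
P_FIELD = 2**256 - 2**32 - 977
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        m = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD) % P_FIELD
    x3 = (m * m - x1 - x2) % P_FIELD
    return x3, (m * (x1 - x3) - y1) % P_FIELD


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt):
    """Added sanity check: reject infinity and points off y^2 = x^3 + 7."""
    if pt is None:
        return False
    x, y = pt
    return (0 <= x < P_FIELD and 0 <= y < P_FIELD
            and (y * y - x * x * x - 7) % P_FIELD == 0)


def encode(pt):
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def make_commitment():
    """Returns (gamma, KGC, KGD) with KGD = gamma*G and KGC = H(KGD)."""
    gamma = secrets.randbelow(N_ORDER - 1) + 1
    point = ec_mul(gamma, G)
    return gamma, hashlib.sha256(encode(point)).digest(), point


def verify_opening(kgc, kgd):
    """Peer-side check: hash of the opened point must equal the commitment."""
    if not on_curve(kgd):
        return False
    return hmac.compare_digest(hashlib.sha256(encode(kgd)).digest(), kgc)


def failed_participants(messages):
    """messages: {participant id: (KGC, KGD)}; returns ids failing the check."""
    return sorted(pid for pid, (kgc, kgd) in messages.items()
                  if not verify_opening(kgc, kgd))
```

Signing should proceed only when `failed_participants` returns an empty list for every verifier.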
Step S140, determining a public signature for the target information based on the share signatures of the respective participants.
Wherein, the public signature of the target information can be determined according to the share signature of each participant by utilizing the Paillier homomorphic encryption algorithm.
In the embodiments of the present disclosure, when a plurality of participants receive target information, each participant generates a first random value; the threshold private keys of the participants are such that a public private key can be obtained from them by an interpolation algorithm, and the public signature obtained based on the public private key is the same as the public signature obtained based on the threshold private keys of the participants. Each participant generates first verification information based on its first random value and sends it to the other participants. When the first verification information of every participant passes verification, each participant signs the target information with its own threshold private key based on a homomorphic encryption algorithm to obtain its signature share, and a public signature for the target information is then determined based on the signature shares of the participants. Because each participant holds its own threshold private key, the poor security and easy loss of a private key stored at a single point are avoided, which improves the security of the private key and, in turn, of the data. Meanwhile, verifying the first verification information of each participant effectively ensures the authenticity of each participant's identity and avoids malicious signatures; in addition, determining the public signature of the target information based on the signature shares of the participants effectively ensures the reliability of the signature.
Fig. 2 is a flow chart of step S130 provided in an exemplary embodiment of the present disclosure. In an alternative implementation, as shown in fig. 2, step S130 in the embodiment of the present disclosure may include the following steps:
In step S131, each participant generates a second random value.
Wherein each participant generates a second random value, i.e. each participant holds the first random value and the second random value.
Step S132, any two participants among the plurality of participants perform share conversion on their first multiplicative shares by using the homomorphic encryption algorithm, to obtain the first additive shares of each of the two participants.
Each first multiplicative share of the two participants is formed by the first random value of one of the two participants and the second random value of the other participant.
In one particular implementation, consider participants $P_i$ and $P_j$, where $i$ is 1, 2 or 3 and $j$ is 1, 2 or 3. Assume that the first random value and the second random value of $P_i$ are $\gamma_i$ and $k_i$ respectively, and those of $P_j$ are $\gamma_j$ and $k_j$ respectively. The first multiplicative shares of $P_i$ and $P_j$ comprise: $k_i\gamma_j$ and $k_j\gamma_i$.
The first multiplicative share $k_i\gamma_j$ can be converted into first additive shares as follows:
$P_i$ and $P_j$ may each randomly generate an elliptic curve. $P_i$ obtains the ciphertext $c_i$ based on formula (5) and sends $c_i$ to $P_j$, where $\mathrm{Enc}_N$ represents an encryption calculation;
$c_i = \mathrm{Enc}_N(k_i)$ (5);
After $P_j$ receives the ciphertext $c_i$, $P_j$ selects a random number belonging to $Z_n$, where $Z_n$ is the set of all congruence classes modulo $n$ and $n$ is the order of the elliptic curve. $P_j$ generates the ciphertext $c_j$ using the homomorphic formula (6), whose two operators represent the homomorphic multiplication calculation and the homomorphic addition calculation;
(6)
The ciphertext $c_j$ is sent to $P_i$, and $P_i$ decrypts $c_j$ using the homomorphic public key of $P_i$ to obtain the first additive share of $P_i$; $P_j$ obtains the first additive share of $P_j$.
Similarly, the other first multiplicative share can be converted into first additive shares in the manner described above, yielding a first additive share of $P_j$ and a first additive share of $P_i$. That is, each participant holds first additive shares for both conversions with each of the other two participants: indices 1,2 and 1,3 for $P_1$; 2,1 and 2,3 for $P_2$; and 3,1 and 3,2 for $P_3$.
Step S133, the two participants perform share conversion on their second multiplicative shares by using the homomorphic encryption algorithm, to obtain the second additive shares of each of the two participants.
Each second multiplicative share of the two participants is formed by the second random value of one of the two participants and the threshold private key of the other participant.
In one particular implementation, the second multiplicative shares of $P_i$ and $P_j$ comprise: $k_i w_j$ and $k_j w_i$, where $w_j$ is the threshold private key additive share of $P_j$ and $w_i$ is the threshold private key additive share of $P_i$.
The second multiplicative share $k_i w_j$ may be converted into second additive shares as follows:
$P_j$ obtains the threshold private key additive share $w_j$ using formula (7);
$w_j = \lambda_j \cdot x_j$ (7)
where $\lambda_j$ is the Lagrange interpolation coefficient of $P_j$ and $x_j$ is the threshold private key of $P_j$;
$P_i$ obtains the ciphertext $c_i$ based on formula (5) and sends $c_i$ to $P_j$;
After $P_j$ receives the ciphertext $c_i$, $P_j$ selects a random number. $P_j$ generates the ciphertext $c_{j1}$ using the homomorphic formula (8);
(8)
The ciphertext $c_{j1}$ is sent to $P_i$, and $P_i$ decrypts $c_{j1}$ to obtain the second additive share $u_{i,j}$ of $P_i$; $P_j$ obtains the second additive share $v_{j,i}$ of $P_j$, where $u_{i,j} + v_{j,i} = k_i w_j$.
Similarly, $k_j w_i$ in the second multiplicative shares may be converted into second additive shares in the same manner as $k_i w_j$, to obtain a second additive share $u_{j,i}$ of $P_j$ and a second additive share $v_{i,j}$ of $P_i$. That is, the second additive shares of $P_1$ comprise $u_{1,2}$, $u_{1,3}$, $v_{1,2}$, $v_{1,3}$; those of $P_2$ comprise $u_{2,1}$, $u_{2,3}$, $v_{2,1}$, $v_{2,3}$; and those of $P_3$ comprise $u_{3,1}$, $u_{3,2}$, $v_{3,1}$, $v_{3,2}$.
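The share conversion of steps S132 and S133, as an added Python example that is not code from the patent. Formulas (6) and (8) did not survive on this page, so the responder's ciphertext follows the usual Paillier multiplicative-to-additive construction, which is an assumption; the constructed demo key, the secp256k1 order, decryption with the Paillier private key and all function names are assumptions as well.

```python
import math
import secrets

# Curve order n (secp256k1 assumed) and a constructed Paillier key built from
# two publicly known Mersenne primes: fine for a demo, useless as a real key.
Q_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
DEMO_P, DEMO_Q = 2**521 - 1, 2**607 - 1


def paillier_keygen(p=DEMO_P, q=DEMO_Q):
    n_mod, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(n_mod, phi) != 1:
        raise ValueError("unsuitable primes")
    return n_mod, (phi, pow(phi, -1, n_mod))   # public N, private (phi, mu)


def enc(n_mod, m):
    """Enc_N(m) = (1 + m*N) * r^N mod N^2, i.e. generator g = N + 1."""
    n2 = n_mod * n_mod
    while True:
        r = secrets.randbelow(n_mod)
        if r and math.gcd(r, n_mod) == 1:
            break
    return (1 + (m % n_mod) * n_mod) * pow(r, n_mod, n2) % n2


def dec(n_mod, priv, c):
    phi, mu = priv
    return (pow(c, phi, n_mod * n_mod) - 1) // n_mod * mu % n_mod


def hom_add(n_mod, c1, c2):
    """Homomorphic addition: Enc(a) and Enc(b) give Enc(a + b)."""
    return c1 * c2 % (n_mod * n_mod)


def hom_mul(n_mod, c, k):
    """Homomorphic multiplication by a plaintext scalar: Enc(a) gives Enc(k*a)."""
    return pow(c, k, n_mod * n_mod)


def mta_respond(n_mod, c_i, secret_j):
    """P_j's side: returns (ciphertext c_j for P_i, additive share of P_j)."""
    if n_mod <= Q_ORDER * Q_ORDER + Q_ORDER:
        raise ValueError("Paillier modulus too small: plaintext would wrap")
    if not 0 < c_i < n_mod * n_mod or math.gcd(c_i, n_mod) != 1:
        raise ValueError("malformed ciphertext")
    mask = secrets.randbelow(Q_ORDER)          # random number in Z_n
    scaled = hom_mul(n_mod, c_i, secret_j % Q_ORDER)
    c_j = hom_add(n_mod, scaled, enc(n_mod, mask))
    return c_j, (-mask) % Q_ORDER


def convert(k_i, secret_j):
    """Whole exchange for one product k_i * secret_j (gamma_j or w_j).

    Returns (share of P_i, share of P_j); their sum is the product mod n.
    No zero-knowledge range proofs are modelled here.
    """
    n_mod, priv = paillier_keygen()            # P_i's homomorphic key pair
    c_i = enc(n_mod, k_i)                      # formula (5), sent to P_j
    c_j, share_j = mta_respond(n_mod, c_i, secret_j)
    share_i = dec(n_mod, priv, c_j) % Q_ORDER  # P_i decrypts c_j
    return share_i, share_j
```

Neither side learns the other's input from its own output: $P_i$ sees only a masked product and $P_j$ sees only a ciphertext and its own mask.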
Step S134, each participant signs the target information based on its first additive shares and second additive shares to obtain a corresponding signature share, and sends its signature share to the other participants.
For $P_1$, a first intermediate parameter $\theta_1$ and a second intermediate parameter are calculated based on formula (9) and formula (10), where $w_1$ is the threshold private key additive share of $P_1$;
(9)
(10)
For $P_2$, a third intermediate parameter $\theta_2$ and a fourth intermediate parameter are calculated based on formula (11) and formula (12), where $w_2$ is the threshold private key additive share of $P_2$;
(11)
(12)
For $P_3$, a fifth intermediate parameter $\theta_3$ and a sixth intermediate parameter are calculated based on formula (13) and formula (14), where $w_3$ is the threshold private key additive share of $P_3$;
(13)
(14)
$P_1$ sends the first intermediate parameter $\theta_1$ to $P_2$ and $P_3$; $P_2$ sends the third intermediate parameter $\theta_2$ to $P_1$ and $P_3$; and $P_3$ sends the fifth intermediate parameter $\theta_3$ to $P_1$ and $P_2$.
$P_1$, $P_2$ and $P_3$ each calculate the inverse parameter $\theta^{-1}$ based on formula (15);
(15)
$P_1$, $P_2$ and $P_3$ respectively calculate the signature random number $r$ of $P_1$, $P_2$ and $P_3$ based on formulas (16) and (17);
(16)
(17)
where $R$ is a seventh intermediate parameter, $f_1$ is the open commitment in the first verification information of $P_1$, $f_2$ is the open commitment in the first verification information of $P_2$, $f_3$ is the open commitment in the first verification information of $P_3$, and $x$ is the abscissa of any point on the elliptic curve; that is, for $P_1$, $x$ is the abscissa of any point on the elliptic curve of $P_1$; for $P_2$, $x$ is the abscissa of any point on the elliptic curve of $P_2$; and for $P_3$, $x$ is the abscissa of any point on the elliptic curve of $P_3$;
$P_1$, $P_2$ and $P_3$ calculate an eighth intermediate parameter $m$ based on the target message $M$ by using formula (18);
(18)
For $P_1$, based on the eighth intermediate parameter $m$, the signature additive share $s_1$ of $P_1$ is calculated using formula (19), where $k_1$ is the second random value of $P_1$;
(19)
The signature share $(r, s_1)$ corresponding to $P_1$ is formed by $r$ and $s_1$;
For $P_2$, based on the eighth intermediate parameter $m$, the signature additive share $s_2$ of $P_2$ is calculated using formula (20), where $k_2$ is the second random value of $P_2$;
(20)
The signature share $(r, s_2)$ corresponding to $P_2$ is formed by $r$ and $s_2$;
For $P_3$, based on the eighth intermediate parameter $m$, the signature additive share $s_3$ of $P_3$ is calculated using formula (21), where $k_3$ is the second random value of $P_3$;
(21)
The signature share (r, s 3) corresponding to P 3 is formed by r and s 3.
Accordingly, step S140 may include: P 1, P 2 and P 3 share s 1, s 2 and s 3, respectively, and P 1, P 2 and P 3 each calculate a common additive share s, where s = s 1 + s 2 + s 3; a common signature (r, s) of the target information is formed by r and s.
Fig. 3 is a schematic flow chart of obtaining a threshold key according to an exemplary embodiment of the present disclosure. In an alternative implementation, as shown in fig. 3, the embodiment of the disclosure further includes the following steps:
Step S210, each participant generates a homomorphic public-private key pair, a third random value, a fourth random value and a fifth random value respectively.
Each participant randomly generates its own third random value, fourth random value and fifth random value, wherein the third random value and the fourth random value of each participant belong to the elliptic curve scalar field of the participant, and the fifth random value can be any random number.
In one particular implementation, each participant may utilize a Paillier homomorphic encryption algorithm to generate a pair of homomorphic public and private key pairs, including a homomorphic public key and a homomorphic private key.
Step S220, for each of the plurality of participants, the participant generates second authentication information of the participant according to the third random value, the fourth random value and the fifth random value of the participant, and sends the second authentication information of the participant to the other participants.
In one specific implementation, for P 1, the first Feldman check tuple of P 1 is taken as the second authentication information of P 1, where the first Feldman check tuple of P 1 includes: G 1 is the generator of the elliptic curve of P 1, a 1 is the third random value of P 1, B 1 is the fourth random value of P 1, a 1 and B 1 are the first verification parameters of P 1; for P 2, the first Feldman check tuple of P 2 is taken as the second authentication information of P 2, wherein the first Feldman check tuple of P 2 comprises: G 2 is the generator of the elliptic curve of P 2, a 2 is the third random value of P 2, B 2 is the fourth random value of P 2, a 2 and B 2 are the first verification parameters of P 2; for P 3, the first Feldman check tuple of P 3 is taken as the second authentication information of P 3, wherein the first Feldman check tuple of P 3 comprises: G 3 is the generator of the elliptic curve of P 3, a 3 is the third random value of P 3, B 3 is the fourth random value of P 3, a 3 and B 3 are the first verification parameters of P 3.
P 1 sends the second authentication information of P 1 to P 2 and P 3,P2 sends the second authentication information of P 2 to P 1 and P 3,P3 sends the second authentication information of P 3 to P 1 and P 2.
Step S230, the participant generates a first t-1 order polynomial of the participant according to the third random value, the fourth random value and the fifth random value of the participant.
Where t is the threshold number.
In one specific implementation, the threshold number is the same as the number of participants, i.e., in the disclosed embodiment, the threshold number t = 3. For P 1, P 1 builds a first order-2 polynomial (i.e., a first t-1 order polynomial): where y is the identity of the party and u 1 is the fifth random value of P 1; for P 2, P 2 builds a first order-2 polynomial: where u 2 is the fifth random value of P 2; for P 3, P 3 builds a first order-2 polynomial: where u 3 is the fifth random value of P 3.
Step S240, the participant generates partial secret information corresponding to each participant based on the first t-1 order polynomial of the participant and the identification of each participant.
In a specific implementation, at P 1, the identifiers 1, 2 and 3 of P 1, P 2 and P 3 are substituted into the first order-2 polynomial constructed by P 1, respectively, to obtain the Lagrangian redundancy p 1 (1) of P 1 (partial secret information of P 1), the Lagrangian redundancy p 1 (2) of P 2 (partial secret information of P 2) and the Lagrangian redundancy p 1 (3) of P 3 (partial secret information of P 3); the Lagrangian redundancy p 1 (2) of P 2 is sent to P 2, and the Lagrangian redundancy p 1 (3) of P 3 is sent to P 3;
At P 2, the identifiers 1, 2 and 3 of P 1, P 2 and P 3 are substituted into the first order-2 polynomial constructed by P 2, respectively, to obtain the Lagrangian redundancy p 2 (1) of P 1 (partial secret information of P 1), the Lagrangian redundancy p 2 (2) of P 2 (partial secret information of P 2) and the Lagrangian redundancy p 2 (3) of P 3 (partial secret information of P 3); the Lagrangian redundancy p 2 (1) of P 1 is sent to P 1, and the Lagrangian redundancy p 2 (3) of P 3 is sent to P 3;
At P 3, the identifiers 1, 2 and 3 of P 1, P 2 and P 3 are substituted into the first order-2 polynomial constructed by P 3, respectively, to obtain the Lagrangian redundancy p 3 (1) of P 1 (partial secret information of P 1), the Lagrangian redundancy p 3 (2) of P 2 (partial secret information of P 2) and the Lagrangian redundancy p 3 (3) of P 3 (partial secret information of P 3); the Lagrangian redundancy p 3 (1) of P 1 is sent to P 1, and the Lagrangian redundancy p 3 (2) of P 2 is sent to P 2. Thus, P 1 holds p 1 (1), p 2 (1) and p 3 (1); P 2 holds p 1 (2), p 2 (2) and p 3 (2); P 3 holds p 1 (3), p 2 (3) and p 3 (3).
Step S250, in response to the second verification information of each party passing verification, the party determines the threshold private key of the party based on the partial secret information corresponding to the party generated by each party.
Each participant verifies the second verification information of every participant using Feldman verification.
In a specific implementation manner, the second verification information may be verified by the following manner, which specifically includes: for P 1, when、/>And/>The second verification information of each party passes the verification of P 1, wherein U 1 is the random point of the elliptic curve corresponding to P 1,/>; For P 2,/>、/>And/>The second verification information of each party passes the verification of P 2, where U 2 is a random point of the elliptic curve corresponding to P 2,; For P 3,/>,/>And is also provided withThe second verification information of each party passes the verification of P 3, wherein U 3 is the random point of the elliptic curve corresponding to P 3,/>; When the second authentication information of each party passes the authentication of P 1、P2 and P 3, the second authentication information of each party is determined to pass the authentication.
In one particular implementation, at P 1, a threshold private key x 1 of P 1 is generated according to equation (22); at P 2, generating a threshold private key x 2 of P 2 according to equation (23); at P 3, generating a threshold private key x 3 of P 3 according to equation (24);
Fig. 4 is a schematic flow chart of obtaining a public key according to an exemplary embodiment of the present disclosure. In an alternative implementation, as shown in fig. 4, the embodiment of the present disclosure further includes the following steps:
Step S310, for each of the plurality of participants, the participant generates random public information of the participant according to the fifth random value of the participant and the elliptic curve corresponding to the participant, and sends the random public information of the participant to the other participants.
Wherein the random public information of each participant may include random points of the elliptic curve corresponding to the participant.
In a specific implementation, the random public information of P 1 includes a random point U 1 of the elliptic curve corresponding to P 1, and U 1 may be obtained based on U 1 = G 1 · u 1; the random public information of P 2 includes a random point U 2 of the elliptic curve corresponding to P 2, and U 2 may be obtained based on U 2 = G 2 · u 2; the random public information of P 3 includes a random point U 3 of the elliptic curve corresponding to P 3, and U 3 may be obtained based on U 3 = G 3 · u 3;
P 1 shares the random public information of P 1 with P 2 and P 3; P 2 shares the random public information of P 2 with P 1 and P 3; P 3 shares the random public information of P 3 with P 1 and P 2. That is, P 1, P 2 and P 3 each hold the random public information of P 1, the random public information of P 2, and the random public information of P 3.
Step S320, the party generates a public key based on the random public information of each party.
Wherein each party adds the random public information of each party to obtain a public key.
In one particular implementation, at P 1, P 2 and P 3, the public key PK may be obtained based on PK = U 1 + U 2 + U 3.
In an optional implementation, the threshold signature method in the embodiment of the present disclosure further includes: for each of the plurality of participants, determining the shard public key of the participant based on the public key, the third random value, the fourth random value and the elliptic curve corresponding to the participant, and sending the shard public key of the participant to the other participants.
In one particular implementation, at P 1, a shard public key X 1 of P 1 is generated according to equation (25); at P 2, generating a shard public key X 2 of P 2 according to equation (26); at P 3, generating a shard public key X 3 of P 3 according to equation (27);
Wherein P 1 shares the shard public key X 1 of P 1 with P 2 and P 3; P 2 shares the shard public key X 2 of P 2 with P 1 and P 3; and P 3 shares the shard public key X 3 of P 3 with P 1 and P 2. That is, P 1, P 2 and P 3 each hold the shard public key X 1, the shard public key X 2 and the shard public key X 3.
In this embodiment, the participants may generate a public key based on the shard public keys of the respective participants.
In one particular implementation, P 1, P 2 and P 3 generate a public key PK using equation (28);
(28).
Fig. 5 is a flow chart illustrating a threshold signature method provided in another exemplary embodiment of the present disclosure. In an alternative embodiment, as shown in fig. 5, the method further comprises the steps of:
Step S410, each participant generates a sixth random value and a seventh random value, respectively.
Wherein each participant randomly generates a sixth random value and a seventh random value for the participant, the sixth random value and the seventh random value for each participant belonging to an elliptic curve scalar field for the participant.
Step S420, for a plurality of participants, the participant generates third authentication information of the participant according to the sixth random value and the seventh random value of the participant, and sends the third authentication information of the participant to other participants.
In one specific implementation, for P 1, the second Feldman check tuple of P 1 is taken as the third authentication information of P 1, where the second Feldman check tuple of P 1 includes: wherein/> Sixth random value of P 1,/>Seventh random value of P 1,/>And/>A second calibration parameter of P 1; for P 2, the second Feldman check tuple of P 2 is taken as the third authentication information of P 2, wherein the second Feldman check tuple of P 2 comprises: wherein/> Sixth random value of P 2,/>Seventh random value of P 2,/>And/>A second calibration parameter of P 2; for P 3, the second Feldman check tuple of P 3 is taken as the third authentication information of P 3, wherein the second Feldman check tuple of P 3 comprises: /(I)Wherein/>Sixth random value of P 3,/>Seventh random value of P 3,/>And/>Is the second checking parameter of P 3.
P 1 sends the third authentication information of P 1 to P 2 and P 3; P 2 sends the third authentication information of P 2 to P 1 and P 3; P 3 sends the third authentication information of P 3 to P 2 and P 3.
Step S430, the participant constructs a second t-1 order polynomial of the participant based on the sixth random value and the seventh random value of the participant.
In one specific implementation, a second order 2 polynomial (i.e., a second t-1 order polynomial) is constructed for P 1,P1: ; a second order 2 polynomial is constructed for P 2,P2: /(I) ; For P 3,P3, a polynomial of order 2 is constructed: /(I)
Step S440, the participant generates updated partial secret information corresponding to each participant based on the second t-1 order polynomial of the participant and the identification information of each participant.
In one specific implementation, at P 1, the identities 1, 2 and 3 of P 1, P 2 and P 3 are substituted into the second order-2 polynomial constructed by P 1, respectively, to obtain the updated Lagrangian redundancy of P 1 (updated partial secret information of P 1), the updated Lagrangian redundancy of P 2 (updated partial secret information of P 2) and the updated Lagrangian redundancy of P 3 (updated partial secret information of P 3).
At P 2, the identities 1, 2 and 3 of P 1, P 2 and P 3 are substituted into the second order-2 polynomial constructed by P 2, respectively, to obtain the updated Lagrangian redundancy of P 1 (updated partial secret information of P 1), the updated Lagrangian redundancy of P 2 (updated partial secret information of P 2) and the updated Lagrangian redundancy of P 3 (updated partial secret information of P 3).
At P 3, the identities 1, 2 and 3 of P 1, P 2 and P 3 are substituted into the second order-2 polynomial constructed by P 3, respectively, to obtain the updated Lagrangian redundancy of P 1 (updated partial secret information of P 1), the updated Lagrangian redundancy of P 2 (updated partial secret information of P 2) and the updated Lagrangian redundancy of P 3 (updated partial secret information of P 3).
Step S450, the participant sends to each of the other participants the updated partial secret information corresponding to that participant.
In one particular implementation, P 1 sends the updated Lagrangian redundancy of P 2 to P 2 and the updated Lagrangian redundancy of P 3 to P 3; P 2 sends the updated Lagrangian redundancy of P 1 to P 1 and the updated Lagrangian redundancy of P 3 to P 3; P 3 sends the updated Lagrangian redundancy of P 1 to P 1 and the updated Lagrangian redundancy of P 2 to P 2.
P 1 hold、/>And/>; P 2 holding/>、/>And/>; P 3 holding/>And/>
Step S460, in response to the third verification information of each participant passing verification, the participant performs update processing on the threshold private key of the participant based on the updated partial secret information corresponding to the participant generated by each participant, so as to obtain the updated threshold private key of the participant.
Each participant verifies the third verification information of every participant using Feldman verification.
In a specific implementation manner, the third verification information may be verified by the following manner, which specifically includes: for P 1, when、/>And/>The third verification information of each participant passes the verification of P 1; for P 2,/>、/>And is also provided withThe third verification information of each participant passes the verification of P 2; for P 3, when、/>And/>The third authentication information of each party passes the authentication of P 3. When the third verification information of each party passes the verification of P 1、P2 and P 3, the third verification information of each party is determined to pass the verification.
In a specific implementation manner, the threshold private key of the participant can be updated by the following steps:
At P 1, an updated threshold private key of P 1 is generated according to equation (29); at P 2, an updated threshold private key of P 2 is generated according to equation (30); at P 3, an updated threshold private key of P 3 is generated according to equation (31)
(29)
(30)
(31).
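The sketch below is an added example, not code from the patent: it runs the key-generation steps S210 to S250 and S310 to S320 and the update steps S410 to S460 for three participants with t = 3, including the Feldman checks. Assumptions, since the corresponding equations did not survive on this page: secp256k1 as the curve, a first polynomial u i + a i·y + b i·y², a second polynomial with zero constant term built from the sixth and seventh random values, and each threshold private key taken as the sum of the evaluations the participant receives.

```python
import secrets

# secp256k1 domain parameters. Assumption: the page does not name a curve.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
IDS = (1, 2, 3)  # participant identities 1, 2, 3, as on the page
T = 3            # threshold number t, so each polynomial has order t-1 = 2


def add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt=G):
    """Double-and-add scalar multiplication k*pt (not constant time)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc


def deal(coeffs):
    """Evaluate sum(coeffs[j] * y**j) at every identity; commit to each coefficient."""
    shares = {y: sum(c * pow(y, j, N) for j, c in enumerate(coeffs)) % N for y in IDS}
    return shares, [mul(c) for c in coeffs]


def feldman_ok(share, y, commits):
    """Feldman check: share*G must equal sum_j (y**j) * commits[j]."""
    rhs = None
    for j, c in enumerate(commits):
        rhs = add(rhs, mul(pow(y, j, N), c))
    return mul(share) == rhs


def keygen():
    """Steps S210-S250 and S310-S320: returns ({identity: x_i}, PK)."""
    # Assumed coefficient order per dealer: [u_i, a_i, b_i].
    dealt = {i: deal([secrets.randbelow(N - 1) + 1 for _ in range(T)]) for i in IDS}
    x, pk = {}, None
    for y in IDS:
        for shares, commits in dealt.values():
            if not feldman_ok(shares[y], y, commits):
                raise ValueError("Feldman check failed")
        x[y] = sum(shares[y] for shares, _ in dealt.values()) % N
    for _, commits in dealt.values():
        pk = add(pk, commits[0])  # PK = U_1 + U_2 + U_3, with U_i = G * u_i
    return x, pk


def refresh(x):
    """Steps S410-S460: add zero-constant update polynomials to the shares."""
    new_x = dict(x)
    for _ in IDS:  # every participant deals one update polynomial
        coeffs = [0] + [secrets.randbelow(N - 1) + 1 for _ in range(T - 1)]
        shares, commits = deal(coeffs)
        for y in IDS:
            # A non-zero constant-term commitment would shift the shared secret.
            if commits[0] is not None or not feldman_ok(shares[y], y, commits):
                raise ValueError("update rejected")
            new_x[y] = (new_x[y] + shares[y]) % N
    return new_x


def interpolate_at_zero(x):
    """Lagrange interpolation at y = 0 over all t shares (mod N)."""
    secret = 0
    for i, s in x.items():
        lam = 1
        for j in x:
            if j != i:
                lam = lam * j % N * pow((j - i) % N, -1, N) % N
        secret = (secret + s * lam) % N
    return secret


if __name__ == "__main__":
    shares, pk = keygen()
    renewed = refresh(shares)
    print("shares changed:", all(renewed[i] != shares[i] for i in IDS))
    print("secret still matches PK:", mul(interpolate_at_zero(renewed)) == pk)
```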
Fig. 6 is a flow chart illustrating a threshold signature method according to still another exemplary embodiment of the present disclosure. In an alternative embodiment, as shown in fig. 6, the method further comprises the steps of:
Step S510, for each of the plurality of participants, the participant determines an updated shard public key of the participant based on the homomorphic public key, the sixth random value, the seventh random value and the elliptic curve corresponding to the participant, and sends the updated shard public key of the participant to the other participants.
In one particular implementation, at P 1, an updated shard public key of P 1 is generated according to equation (32); at P 2, an updated shard public key of P 2 is generated according to equation (33); at P 3, an updated shard public key of P 3 is generated according to equation (34)
(32)
(33)
(34)
P 1 shares the updated shard public key of P 1 with P 2 and P 3; P 2 shares the updated shard public key of P 2 with P 1 and P 3; P 3 shares the updated shard public key of P 3 with P 1 and P 2. That is, P 1, P 2 and P 3 each hold all three updated shard public keys.
Step S520, the participant generates an updated public key according to the updated shard public key of each participant.
In one particular implementation, P 1, P 2 and P 3 each generate an updated public key using equation (35)
(35).
Fig. 7 is a block diagram of a threshold signature apparatus provided in an exemplary embodiment of the present disclosure. As shown in fig. 7, the threshold signature apparatus includes:
A first generating module 600, configured to, in response to the multiple parties receiving the target information, generate first random values respectively for each of the multiple parties, where each party holds a public key and a threshold private key, the public key is used to verify a public signature generated based on the threshold private key of each party, and the threshold private key of each party satisfies the following conditions: obtaining public private keys through the threshold private keys of all the participants by using an interpolation algorithm, wherein the public signature obtained based on the public private keys is the same as the public signature obtained based on the threshold private keys of all the participants;
A first generating module 610, configured to generate first verification information by each participant based on the first random values, and send the first verification information to other participants;
The first signature module 620 is configured to, in response to the first verification information of each participant passing verification, perform signature processing on the target information by using a threshold private key of each participant based on a homomorphic encryption algorithm, so as to obtain a corresponding signature share;
A second signature module 630 for determining a public signature of the target information based on the signature shares of the respective participants.
In one embodiment of the present disclosure, the first signature module 620 in an embodiment of the present disclosure includes:
The first generation submodule is used for respectively generating second random values by the participants;
The first conversion sub-module is used for carrying out share conversion on first multiplication shares of any two participants by using a homomorphic encryption algorithm to obtain first addition shares of each participant in the any two participants, wherein the first multiplication shares are formed by a first random value of one participant in the any two participants and a second random value of the other participant;
The second conversion sub-module is used for carrying out share conversion on the second multiplication share of any two participants by using a homomorphic encryption algorithm to obtain a second addition share of each participant in the any two participants, wherein the second multiplication share is formed by a second random value of one participant in the any two participants and a threshold private key of the other participant;
and the second generation sub-module is used for each participant to carry out signature processing on the target information based on the first addition share and the second addition share of each participant, so as to obtain a corresponding signature share.
In one embodiment of the present disclosure, the threshold signature apparatus in an embodiment of the present disclosure further includes:
the first acquisition module is used for respectively generating a homomorphic public-private key pair, a third random value, a fourth random value and a fifth random value by all the participants, wherein the homomorphic public-private key pair of any participant comprises a homomorphic public key and a homomorphic private key;
A third generating module, configured to generate second authentication information of the participants according to the third random value, the fourth random value, and the fifth random value, for the multiple participants, respectively, and send the second authentication information of the participants to other participants;
A fourth generation module, configured to generate a first t-1 order polynomial of the participant according to the third random value, the fourth random value, and the fifth random value, where t is a threshold number;
A fifth generating module, configured to generate, by the participants, partial secret information corresponding to each participant based on the first t-1 order polynomial and the identifiers of each participant, respectively;
and the sixth generation module is used for responding to the second verification information of each participant to pass verification, and the participant determines the threshold private key of the participant based on the partial secret information corresponding to the participant, which is generated by each participant.
In one embodiment of the present disclosure, the threshold signature apparatus in an embodiment of the present disclosure further includes:
A seventh generating module, configured to generate, for the multiple participants, random public information of the participants according to the fifth random value and an elliptic curve corresponding to the participant, and send the random public information of the participants to other participants;
and an eighth generation module, configured to generate the public key by the participants based on random public information of each participant.
In one embodiment of the present disclosure, the threshold signature apparatus in an embodiment of the present disclosure further includes:
A ninth generation module, configured to determine, for each of the multiple participants, a shard public key of the participant based on the public key, the third random value, the fourth random value, and an elliptic curve corresponding to the participant, and send the shard public key of the participant to other participants.
In one embodiment of the present disclosure, the threshold signature apparatus in an embodiment of the present disclosure further includes:
a tenth generation module, configured to generate a sixth random value and a seventh random value respectively for each participant;
An eleventh generating module, configured to generate third authentication information of the participant according to a sixth random value and a seventh random value of the participant, and send the third authentication information of the participant to other participants, where the third authentication information is respectively for the multiple participants;
A twelfth generation module, configured to construct a second t-1 order polynomial of the participant based on the sixth random value and the seventh random value;
A thirteenth generating module, configured to generate updated partial secret information corresponding to each participant based on the second t-1 order polynomial and the identification information of each participant;
the fourteenth generation module is used for the participants to respectively send the updated partial secret information corresponding to the other participants;
And the first updating module is used for responding to the fact that the third verification information of each participant passes verification, and updating the threshold private key of each participant based on the updated partial secret information corresponding to the participant generated by each participant to obtain the updated threshold private key of the participant.
In one embodiment of the present disclosure, the threshold signature apparatus in an embodiment of the present disclosure further includes:
A fifteenth generation module, configured to determine, for each of the plurality of participants, an updated shard public key of the participant based on the public key, a sixth random value of the participant, a seventh random value, and a corresponding elliptic curve, and send the updated shard public key of the participant to other participants;
and the second updating module is used for generating an updated public key by the participants according to the updated shard public key of each participant.
The threshold signature device in the embodiment of the present disclosure corresponds to the embodiment of the threshold signature method in the present disclosure, and the related contents may be referred to each other, which is not described herein again.
The beneficial technical effects corresponding to the exemplary embodiments of the threshold signature apparatus according to the embodiments of the present disclosure may refer to the corresponding beneficial technical effects of the corresponding exemplary method section described above, and will not be described herein.
In addition, the embodiment of the disclosure also provides an electronic device, which comprises:
A memory for storing a computer program;
and a processor, configured to execute the computer program stored in the memory, and when the computer program is executed, implement the threshold signature method according to any one of the embodiments of the disclosure.
Fig. 8 is a schematic structural diagram of an application embodiment of the electronic device of the present disclosure. Next, an electronic device according to an embodiment of the present disclosure is described with reference to fig. 8. The electronic device may be either or both of the first device and the second device, or a stand-alone device independent thereof, which may communicate with the first device and the second device to receive the acquired input signals therefrom.
As shown in fig. 8, the electronic device includes one or more processors and memory.
The processor may be a Central Processing Unit (CPU) or other form of processing unit having data processing and/or instruction execution capabilities, and may control other components in the electronic device to perform the desired functions.
The memory may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM) and/or cache memory (cache), and the like. The non-volatile memory may include, for example, Read-Only Memory (ROM), hard disk, flash memory, and the like. One or more computer program instructions may be stored on the computer-readable storage medium and executed by a processor to implement the threshold signature method and/or other desired functions of the various embodiments of the present disclosure described above.
In one example, the electronic device may further include: input devices and output devices, which are interconnected by a bus system and/or other forms of connection mechanisms (not shown).
In addition, the input device may include, for example, a keyboard, a mouse, and the like.
The output device may output various information including the determined distance information, direction information, etc., to the outside. The output devices may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, etc.
Of course, only some of the components of the electronic device relevant to the present disclosure are shown in fig. 8, components such as buses, input/output interfaces, and the like are omitted for simplicity. In addition, the electronic device may include any other suitable components depending on the particular application.
In addition to the methods and apparatus described above, embodiments of the present disclosure may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform steps in a threshold signature method according to various embodiments of the present disclosure described in the above section of the present description.
Program code of the computer program product for performing the operations of embodiments of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present disclosure may also be a computer-readable storage medium, having stored thereon computer program instructions, which when executed by a processor, cause the processor to perform steps in a threshold signature method according to various embodiments of the present disclosure described in the above section of the present description.
The computer readable storage medium may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: various media that can store program code, such as ROM, RAM, magnetic disk, or optical disk.
The basic principles of the present disclosure have been described above in connection with specific embodiments, but it should be noted that the advantages, benefits, effects, etc. mentioned in the present disclosure are merely examples and not limiting, and these advantages, benefits, effects, etc. are not to be considered as necessarily possessed by the various embodiments of the present disclosure. Furthermore, the specific details disclosed herein are for purposes of illustration and understanding only, and are not intended to be limiting, since the disclosure is not necessarily limited to practice with the specific details described.
In this specification, the embodiments are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. For system embodiments, the description is relatively simple as it essentially corresponds to method embodiments, and reference should be made to the description of method embodiments for relevant points.
The block diagrams of the components, apparatuses, devices and systems referred to in this disclosure are merely illustrative examples and are not intended to require or imply that the connections, arrangements, configurations must be made in the manner shown in the block diagrams. As will be appreciated by one of skill in the art, the components, apparatuses, devices and systems may be connected, arranged, configured in any manner. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including but not limited to," and are used interchangeably therewith. The terms "or" and "and" as used herein refer to, and are used interchangeably with, the term "and/or" unless the context clearly indicates otherwise. The term "such as" as used herein refers to, and is used interchangeably with, the phrase "such as, but not limited to."
The methods and apparatus of the present disclosure may be implemented in a number of ways. For example, the methods and apparatus of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described sequence of steps for the method is for illustration only, and the steps of the method of the present disclosure are not limited to the sequence specifically described above unless specifically stated otherwise. Furthermore, in some embodiments, the present disclosure may also be implemented as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
It is also noted that in the apparatus, devices and methods of the present disclosure, components or steps may be decomposed and/or recombined. Such decomposition and/or recombination should be considered equivalent to the present disclosure.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit the embodiments of the disclosure to the form disclosed herein. Although a number of example aspects and embodiments have been discussed above, a person of ordinary skill in the art will recognize certain variations, modifications, alterations, additions, and subcombinations thereof.

Claims (9)

1. A threshold signature method, for use with a plurality of participants, comprising:
in response to the plurality of participants receiving the target information, each of the plurality of participants respectively generating a first random value, each of the participants respectively holding a public key and a threshold private key, the public key being used to verify public signatures generated based on the threshold private keys of each of the participants, the threshold private keys of each of the participants satisfying the following conditions: obtaining public private keys through the threshold private keys of all the participants by using an interpolation algorithm, wherein the public signature obtained based on the public private keys is the same as the public signature obtained based on the threshold private keys of all the participants;
each participant generates first verification information based on the first random value and sends the first verification information to other participants;
in response to the first verification information of each participant passing verification, each participant respectively generates a second random value; any two participants in the plurality of participants perform share conversion on first multiplication shares of the any two participants by using a homomorphic encryption algorithm to obtain first addition shares of each participant in the any two participants, wherein the first multiplication shares are formed by a first random value of one participant in the any two participants and a second random value of the other participant; the any two participants perform share conversion on the second multiplication share of the any two participants by using a homomorphic encryption algorithm to obtain a second addition share of each participant in the any two participants, wherein the second multiplication share is formed by a second random value of one participant in the any two participants and a threshold private key of the other participant; each participant performs signature processing on the target information based on the first addition share and the second addition share of each participant, so as to obtain a corresponding signature share;
a common signature for the target information is determined based on the share signatures of the respective participants.
2. The method of claim 1, wherein each party obtains the party's threshold key by:
each participant generates a homomorphic public-private key pair, a third random value, a fourth random value and a fifth random value respectively, wherein the homomorphic public-private key pair of any participant comprises a homomorphic public key and a homomorphic private key;
for each of the plurality of participants, the participant generates second verification information of the participant according to the third random value, the fourth random value and the fifth random value, and sends the second verification information of the participant to other participants;
the participant generates a first t-1 order polynomial of the participant according to the third random value, the fourth random value and the fifth random value, wherein t is the threshold number;
the participants respectively generate partial secret information corresponding to each participant based on the first t-1 order polynomial and the identification of each participant;
and in response to the second verification information of each party passing verification, the party determines the threshold private key of the party based on the partial secret information corresponding to the party generated by each party.
3. The method according to claim 2, characterized in that each party obtains the public key by:
the random public information of the participants is generated by the participants according to the fifth random value and the elliptic curve corresponding to the participants, and the random public information of the participants is sent to other participants;
the participants generate the public key based on random public information of each participant.
4. A method according to claim 3, further comprising:
for each of the plurality of participants, the participant determines the sliced public key of the participant based on the public key, the third random value, the fourth random value and the elliptic curve corresponding to the participant, and sends the sliced public key of the participant to other participants.
5. The method of any one of claims 1-4, further comprising:
each participant generates a sixth random value and a seventh random value respectively;
for each of the plurality of participants, the participant generates third verification information of the participant according to a sixth random value and a seventh random value of the participant, and sends the third verification information of the participant to other participants;
the participant constructs a second t-1 order polynomial of the participant based on a sixth random value and a seventh random value of the participant;
the participants generate updated partial secret information corresponding to each participant respectively based on the second t-1 order polynomial and the identification information of each participant;
the participants respectively send the updated partial secret information corresponding to the other participants;
and in response to the third verification information of each party passing verification, the party updates the threshold private key of the party based on the updated partial secret information corresponding to the party generated by each party, to obtain the updated threshold private key of the party.
6. The method as recited in claim 5, further comprising:
for each of the plurality of participants, the participant determines the updated fragmented public key of the participant based on the public key, a sixth random value, a seventh random value and a corresponding elliptic curve, and sends the updated fragmented public key of the participant to other participants;
the participants generate updated public keys according to the updated sharded public keys of the participants.
7. A threshold signature apparatus for use with a plurality of parties, comprising:
a first generation module, used for, in response to the plurality of participants receiving the target information, each participant in the plurality of participants respectively generating a first random value, wherein each participant respectively holds a public key and a threshold private key, the public key is used for verifying a public signature generated based on the threshold private key of each participant, and the threshold private key of each participant meets the following conditions: obtaining public private keys through the threshold private keys of all the participants by using an interpolation algorithm, wherein the public signature obtained based on the public private keys is the same as the public signature obtained based on the threshold private keys of all the participants;
the first generation module is used for generating first verification information based on the first random values respectively by all the participants and sending the first verification information to other participants;
the first signature module is used for responding to the fact that the first verification information of each participant passes verification, each participant respectively carries out signature processing on the target information by utilizing a threshold private key of the first signature module based on homomorphic encryption algorithm, and a corresponding signature share is obtained;
a second signature module for determining a public signature for the target information based on the share signatures of the respective participants;
the first signature module includes:
the first generation submodule is used for respectively generating second random values by the participants;
the first conversion sub-module is used for carrying out share conversion on first multiplication shares of any two participants by using a homomorphic encryption algorithm to obtain first addition shares of each participant in the any two participants, wherein the first multiplication shares are formed by a first random value of one participant in the any two participants and a second random value of the other participant;
the second conversion sub-module is used for carrying out share conversion on the second multiplication share of any two participants by using a homomorphic encryption algorithm to obtain a second addition share of each participant in the any two participants, wherein the second multiplication share is formed by a second random value of one participant in the any two participants and a threshold private key of the other participant;
and the second generation sub-module is used for each participant to carry out signature processing on the target information based on the first addition share and the second addition share of each participant, so as to obtain a corresponding signature share.
8. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program stored in said memory, wherein the computer program, when executed, implements the threshold signature method of any of the preceding claims 1-6.
9. A computer readable storage medium having stored thereon a computer program, which when executed by a processor, implements the threshold signature method of any of the preceding claims 1-6.
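The share conversion recited in claim 1, sketched with textbook Paillier standing in for the homomorphic encryption algorithm, which the claim does not name; this is an added example, not code from the patent. The names `mta` and `share_product`, the secp256k1 group order and the fixed demo key are assumptions made so that it runs offline, and the verification information and the range proofs a deployment needs are not modelled.

```python
import math
import secrets

# Assumption: secp256k1 group order; the page does not name a curve.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


class Paillier:
    """Textbook Paillier with g = n + 1: Enc(x) * Enc(y) = Enc(x + y)."""

    def __init__(self, p, q):
        self.n = p * q                      # public key
        self.n2 = self.n * self.n
        self._lam = math.lcm(p - 1, q - 1)  # private key
        self._mu = pow(self._lam, -1, self.n)

    def encrypt(self, m):
        r = 0
        while math.gcd(r, self.n) != 1:     # r must be a unit mod n
            r = secrets.randbelow(self.n)
        return (1 + m * self.n) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c):
        return (pow(c, self._lam, self.n2) - 1) // self.n * self._mu % self.n


def demo_key():
    # Constructed demo key from two fixed Mersenne primes so the example is
    # reproducible offline; real keys use random primes of adequate size.
    return Paillier(2**521 - 1, 2**607 - 1)


def mta(key_a, a, b):
    """A holds a and key_a's private part; B holds b and uses only key_a.n.
    Returns (alpha, beta) such that alpha + beta == a * b (mod Q)."""
    c_a = key_a.encrypt(a)                        # A -> B: Enc_A(a)
    mask = secrets.randbelow(Q**3)                # B's mask; a*b + mask < n
    c_b = pow(c_a, b, key_a.n2) * key_a.encrypt(mask) % key_a.n2  # B -> A
    alpha = key_a.decrypt(c_b) % Q                # A's addition share
    beta = -mask % Q                              # B's addition share
    return alpha, beta


def share_product(xs, ys, keys):
    """Party i holds xs[i], ys[i] and keys[i]. Returns addition shares d,
    one per party, with sum(d) == sum(xs) * sum(ys) (mod Q)."""
    d = [x * y % Q for x, y in zip(xs, ys)]       # local term x_i * y_i
    for i in range(len(xs)):
        for j in range(len(ys)):
            if i != j:                            # cross term x_i * y_j
                alpha, beta = mta(keys[i], xs[i], ys[j])
                d[i] = (d[i] + alpha) % Q
                d[j] = (d[j] + beta) % Q
    return d
```

For the two conversions in claim 1, `xs` and `ys` would be the first and second random values, and then the second random values and each participant's private-key term. Treating a threshold private key as an additive term is an assumption of this sketch, and reusing one demo key for every party is a shortcut for the per-participant homomorphic key pairs of claim 2.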
CN202410172276.1A 2024-02-06 2024-02-06 Threshold signature method and device, electronic equipment and storage medium Active CN117728959B (en)

Publications (2)

Publication Number Publication Date
CN117728959A 2024-03-19
CN117728959B 2024-05-10

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant