TW202029040A - Threshold signature system with prevent memory dump and method thereof - Google Patents
Threshold signature system with prevent memory dump and method thereof Download PDFInfo
- Publication number
- TW202029040A TW202029040A TW108102432A TW108102432A TW202029040A TW 202029040 A TW202029040 A TW 202029040A TW 108102432 A TW108102432 A TW 108102432A TW 108102432 A TW108102432 A TW 108102432A TW 202029040 A TW202029040 A TW 202029040A
- Authority
- TW
- Taiwan
- Prior art keywords
- value
- sharing unit
- execution node
- private key
- signature
- Prior art date
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
Description
本發明涉及一種簽章系統及其方法,特別是防止記憶體傾印的門檻式簽章系統及其方法。The invention relates to a signature system and a method thereof, in particular to a threshold signature system and a method thereof for preventing memory dumping.
近年來,隨著政府、組織及民眾等對資訊安全的重視,各種基於電子簽章(以下簡稱簽章)的應用便如雨後春筍般出現。然而,如何確保簽章的公正性一直是各家廠商即欲解決的問題之一。In recent years, as governments, organizations, and people attach importance to information security, various applications based on electronic signatures (hereinafter referred to as signatures) have sprung up. However, how to ensure the fairness of the signature has always been one of the problems that manufacturers want to solve.
一般而言,簽章是指使用私鑰(Private Key)對資料簽名,所以私鑰的安全性與簽章的公正性呈現正相關。實際上,為了維持私鑰的安全性,私鑰通常是加密後儲存在資料庫中,或以檔案形式儲存,例如,使用線上資料庫、一般檔案系統或離線設備,或是利用硬體安全模組(Hardware Security Module, HSM)來儲存。然而,上述方式存在一個共同的問題,即:沒有辦法防止記憶體傾印(Memory Dump)攻擊,因為在某個時間點上,私鑰會被讀取至記憶體中,例如,在生成私鑰的時候,會以亂數方式產生一組私鑰,並且經過加密後再進行儲存,而這個過程中,私鑰會短暫存在記憶體中,另外,在對交易訊息進行簽章的時候,需要將私鑰取出以進行簽章,這時候在記憶體中同樣會有一份私鑰訊息。Generally speaking, signing refers to the use of a private key (Private Key) to sign data, so the security of the private key is positively related to the fairness of the signature. In fact, in order to maintain the security of the private key, the private key is usually encrypted and stored in a database, or stored in the form of a file, for example, using an online database, general file system or offline device, or using a hardware security model. Group (Hardware Security Module, HSM) to store. However, the above methods have a common problem, that is: there is no way to prevent Memory Dump attacks, because at a certain point in time, the private key will be read into the memory, for example, when the private key is generated At the time, a set of private keys will be generated in a random number method, and then stored after being encrypted. During this process, the private key will be stored in the memory for a short time. In addition, when signing the transaction message, you need to The private key is taken out for signing. At this time, there will also be a private key message in the memory.
有鑑於此,便有廠商提出門檻式簽章的技術,其透過多個私鑰共同進行簽章,當簽章的數量達到門檻時,才代表簽章有效。如此一來,可以降低單一使用者的私鑰外洩所造成的影響,有效增加記憶體傾印攻擊的困難度。然而,此方式同樣會使各自的私鑰存在於各自的記憶體中,故此方式仍然無法有效解決私鑰可能遭到記憶體傾印攻擊的問題。In view of this, some manufacturers have proposed a threshold-type signature technology, which uses multiple private keys to sign together. When the number of signatures reaches the threshold, the signature is valid. In this way, the impact of the leakage of a single user's private key can be reduced, and the difficulty of a memory dump attack can be effectively increased. However, this method also causes the respective private keys to exist in their respective memory, so this method still cannot effectively solve the problem that the private key may be attacked by memory dumping.
綜上所述,可知先前技術中長期以來一直存在私鑰可能遭到記憶體傾印攻擊之問題,因此實有必要提出改進的技術手段,來解決此一問題。In summary, it can be seen that the private key may be attacked by memory dumping for a long time in the prior art. Therefore, it is necessary to propose improved technical means to solve this problem.
本發明揭露一種防止記憶體傾印的門檻式簽章系統及其方法。The invention discloses a threshold type signature system and method for preventing memory dumping.
首先,本發明揭露一種防止記憶體傾印的門檻式簽章系統,此系統包含:客戶端及伺服端。所述客戶端允許作為多個執行節點其中之一,以及傳送交易請求、替換請求及包含門檻值及總數值的金鑰請求,其中,門檻值小於或等於總數值,並且門檻值及總數值皆為大於數值1的正整數。First, the present invention discloses a threshold signature system to prevent memory dumping. The system includes a client and a server. The client is allowed to be one of multiple execution nodes, and to send transaction requests, replacement requests, and key requests including thresholds and totals, where the threshold is less than or equal to the total, and the threshold and total are both Is a positive integer greater than the
在伺服端的部分,此伺服端包含前端主機及多個節點。所述前端主機用以接收金鑰請求、交易請求及替換請求,其中,根據接收到的金鑰請求選擇與總數值相同數量的執行節點,根據接收到的交易請求及預設的區塊鏈交易格式生成對應的交易訊息以進行傳送,以及根據接收到的替換請求向執行節點發送替換指令;所述節點連接前端主機,並且將前端主機選擇的節點作為執行節點,每一執行節點包含:金鑰生成模組、簽章模組及替換模組。其中,金鑰生成模組用以執行聯合隨機秘密共享(Joint Random Secret Sharing, JRSS)演算法,選擇隨機多項式進行計算,並且與每一執行節點交換計算結果以生成相應的私鑰共享單元,以及將每一執行節點的私鑰共享單元與基點相乘並相互加總以生成公鑰;簽章模組連接金鑰生成模組,用以在對交易訊息進行簽章時,執行多次聯合隨機秘密共享演算法,生成隨機共享單元及多個遮罩共享單元,並且根據隨機共享單元及遮罩共享單元計算第一廣播值,以及根據遮罩共享單元及基點計算第二廣播值,並且廣播第一廣播值及第二廣播值,使每一執行節點根據所有第一廣播值及第二廣播值計算曲線點X座標,以及根據隨機共享單元、交易訊息、私鑰共享單元、曲線點X座標及遮罩共享單元計算出對應交易訊息的簽章訊息並嵌入交易訊息;替換模組連接金鑰生成模組,用以在接收到前端主機發送的替換指令時,根據替換指令選擇多項式,並且帶入N個數值至選擇的多項式以計算出相應的N個計算結果,其中,每一數值分別對應不同的執行節點,而且N為等於總數值的正整數,以及將對應數值的計算結果傳送至對應數值的執行節點,使每一執行節點根據獲得的計算結果生成相應的新共享單元,並且將私鑰共享單元替換為私鑰共享單元與新共享單元的總和以作為新的私鑰共享單元。On the server side, this server side includes a front-end host and multiple nodes. The front-end host is used to receive key requests, transaction requests, and replacement requests, wherein the same number of execution nodes as the total value is selected according to the received key request, and according to the received transaction request and preset blockchain transaction The format generates a corresponding transaction message for transmission, and sends a replacement instruction to the execution node according to the received replacement request; the node is connected to the front-end host, and the node selected by the front-end host is used as the execution node, and each execution node contains: a key Generate modules, signature modules and replacement modules. Among them, the key generation module is used to execute the Joint Random Secret Sharing (JRSS) algorithm, select random polynomials for calculation, and exchange calculation results with each execution node to generate the corresponding private key sharing unit, and Multiply the private key sharing unit of each execution node and the base point and add them to each other to generate a public key; the signing module is connected to the key generation module to perform multiple joint randomizations when signing transaction messages The secret sharing algorithm generates a random sharing unit and multiple mask sharing units, and calculates the first broadcast value according to the random sharing unit and the mask sharing unit, and calculates the second broadcast value according to the mask sharing unit and the base point, and broadcasts the first broadcast value. A broadcast value and a second broadcast value enable each execution node to calculate the X coordinate of the curve point according to all the first broadcast values and the second broadcast value, and according to the random sharing unit, transaction message, private key sharing unit, curve point X coordinate and The mask sharing unit calculates the signature message corresponding to the transaction message and embeds the transaction message; the replacement module is connected to the key generation module to select a polynomial according to the replacement instruction when receiving the replacement instruction sent by the front-end host, and bring it in N values to the selected polynomial to calculate the corresponding N calculation results, where each value corresponds to a different execution node, and N is a positive integer equal to the total value, and the calculation result of the corresponding value is transmitted to the corresponding value Each execution node generates a corresponding new sharing unit according to the obtained calculation results, and replaces the private key sharing unit with the sum of the private key sharing unit and the new sharing unit as the new private key sharing unit.
另外,本發明揭露一種防止記憶體傾印的門檻式簽章方法,應用在具有客戶端及伺服端的網路環境中,此伺服端包含前端主機及多個節點,其步驟包括:客戶端傳送包含門檻值及總數值的金鑰請求至伺服端的前端主機,其中,門檻值小於或等於總數值,並且門檻值及總數值皆為大於數值1的正整數;前端主機根據接收到的金鑰請求,自節點及客戶端中選擇與總數值相同的數量作為執行節點;每一執行節點各自執行聯合隨機秘密共享演算法,用以根據各自選擇的隨機多項式進行計算及交換計算結果以生成相應的私鑰共享單元,以及將每一執行節點的私鑰共享單元與基點相乘再相互加總以生成公鑰;當前端主機接收到客戶端的交易請求時,根據接收到的交易請求及預設的區塊鏈交易格式生成對應的交易訊息以傳送至執行節點進行簽章;每一執行節點在對交易訊息進行簽章時,各自執行多次聯合隨機秘密共享演算法,用以生成隨機共享單元及遮罩共享單元,並且根據隨機共享單元及遮罩共享單元計算第一廣播值,以及根據遮罩共享單元及基點計算第二廣播值;每一執行節點廣播各自計算出的第一廣播值及第二廣播值,使每一執行節點根據所有第一廣播值及第二廣播值計算曲線點X座標,以及根據隨機共享單元、交易訊息、私鑰共享單元、曲線點X座標及遮罩共享單元計算出對應交易訊息的簽章訊息並嵌入交易訊息;當前端主機接收到客戶端的替換請求時,根據接收到的替換請求向執行節點發送替換指令;每一執行節點根據替換指令選擇多項式,並且帶入N個數值至選擇的多項式以計算出相應的N個計算結果,其中,每一數值分別對應不同的執行節點,而且N為等於總數值的正整數;每一執行節點將對應數值的計算結果傳送至對應數值的執行節點,使每一執行節點根據獲得的計算結果生成相應的新共享單元,並且將私鑰共享單元替換為私鑰共享單元與新共享單元的總和以作為新的私鑰共享單元。In addition, the present invention discloses a threshold signature method to prevent memory dumping, which is applied in a network environment with a client and a server. The server includes a front-end host and multiple nodes. The steps include: A key request for the threshold and total value is sent to the front-end host on the server side, where the threshold is less than or equal to the total value, and the threshold and total value are both positive integers greater than the
本發明所揭露之系統與方法如上,與先前技術的差異在於本發明是透過前端主機選擇多個執行節點,由執行節點執行聯合隨機秘密分享演算法產生允許替換的共享單元,用以取代直接生成私鑰的方式,並且透過安全多方運算對共享單元進行計算及交換訊息,以便根據計算及交換訊息的結果生成對應共享單元的公鑰及交易簽章,以及將交易簽章嵌入交易訊息。The system and method disclosed in the present invention are as above. The difference from the prior art is that the present invention selects multiple execution nodes through the front-end host, and the execution nodes execute a joint random secret sharing algorithm to generate a shared unit that allows replacement instead of direct generation. The private key is used to calculate and exchange messages on the shared unit through secure multi-party operations, so as to generate the corresponding public key and transaction signature of the shared unit based on the results of the calculation and exchange of messages, and embed the transaction signature in the transaction message.
透過上述的技術手段,本發明可以藉由不直接生成私鑰,達成防止私鑰遭到記憶體傾印攻擊之技術功效。Through the above-mentioned technical means, the present invention can achieve the technical effect of preventing the private key from being attacked by memory dumping by not directly generating the private key.
以下將配合圖式及實施例來詳細說明本發明之實施方式,藉此對本發明如何應用技術手段來解決技術問題並達成技術功效的實現過程能充分理解並據以實施。Hereinafter, the implementation of the present invention will be described in detail with the drawings and embodiments, so as to fully understand and implement the implementation process of how the present invention uses technical means to solve technical problems and achieve technical effects.
在說明本發明所揭露之防止記憶體傾印的門檻式簽章系統及其方法之前,先對本發明所自行定義的名詞作說明,本發明所述的各種「共享單元(Share)」,如:「私鑰共享單元」、「隨機共享單元」、「遮罩共享單元」及「新共享單元」,均是指執行秘密共享演算法(例如:聯合隨機秘密共享演算法)的過程中,進行計算時所需的元素,這些元素會在執行安全多方運算(Secure Multi-Party Computation, SMC/MPC)時,在不同的執行節點之間進行相互交換,並且用來計算出符合橢圓曲線數位簽名演算法(Elliptic Curve Digital Signature Algorithm, ECDSA)的簽章格式之交易簽章(或稱為「簽名」),即:「(r, s)」,其中,「r」為曲線座標點的X座標(或稱之為「曲線點X座標」),「s」為透過插值法(如:拉格朗日插值法)計算出的簽章值,接著,所述第一廣播值及第二廣播值是指執行JRSS演算法時,需要廣播給其它執行節點的數值,如:「vi 」及「wi 」,稍後將針對各計算方式做進一步說明。Before describing the threshold signature system and method for preventing memory dumping disclosed in the present invention, the self-defined terms of the present invention will be explained. The various "shares" mentioned in the present invention, such as: "Private key sharing unit", "random sharing unit", "masking sharing unit" and "new sharing unit" all refer to calculations during the execution of secret sharing algorithms (for example, joint random secret sharing algorithms) These elements will be exchanged between different execution nodes during the execution of Secure Multi-Party Computation (SMC/MPC), and used to calculate the elliptic curve digital signature algorithm (Elliptic Curve Digital Signature Algorithm, ECDSA) transaction signature (or “signature”) in the signature format, namely: “(r, s)”, where “r” is the X coordinate of the curve coordinate point (or Call it "curve point X coordinate"), "s" is the signature value calculated by interpolation (such as Lagrangian interpolation), and then, the first broadcast value and the second broadcast value refer to JRSS algorithm is executed, the value needs to be broadcast to other nodes to perform, such as: "v i" and "w i", will be further described later for each calculation.
以下配合圖式對本發明防止記憶體傾印的門檻式簽章系統及其方法做進一步說明,請先參閱「第1圖」,「第1圖」為本發明防止記憶體傾印的門檻式簽章系統的系統方塊圖,此系統包含:客戶端110及伺服端120。其中,客戶端110用以允許作為多個執行節點130其中之一,以及傳送交易請求、替換請求及包含門檻值及總數值的金鑰請求,其中,門檻值小於或等於總數值,並且門檻值及總數值皆為大於數值1的正整數。在實際實施上,所述客戶端110及執行節點130均預先設置相同的秘密共享參數,此秘密共享參數包含橢圓曲線、質數、基點及階數等等的數值,以供執行聯合隨機秘密共享演算法之用,實際上,可以使用ECDSA這個通用演算法在 「Secp256k1」 這條曲線上的參數作為秘密共享參數。The following is a further description of the threshold signature system and method for preventing memory dumping of the present invention in conjunction with the figures. Please refer to "Figure 1" first. "Figure 1" is the threshold signature for preventing memory dumping of the present invention. Chapter system block diagram, this system includes:
伺服端120包含:前端主機121及節點122,其中,前端主機121用以接收金鑰請求、交易請求及替換請求,其中,根據接收到的金鑰請求選擇與總數值相同數量的執行節點130,根據接收到的交易請求及預設的區塊鏈交易格式生成對應的交易訊息以進行傳送,以及根據接收到的替換請求向執行節點130發送替換指令。在實際實施上,所述金鑰請求是指客戶端110欲建立帳戶時,向前端主機121發出的請求,以便獲得相應此帳戶的私鑰共享單元及公鑰。所述交易請求可包含來源地址,如:客戶端110的區塊鏈地址(或稱為「帳戶地址」),以便伺服端120能夠根據此來源地址自儲存空間(例如:資料庫)中查詢出相應客戶端110的共享單元,用以在執行門檻簽章協定時,將查詢出的共享單元用來對交易訊息進行計算以生成簽章。另外,所述區塊鏈資料格式包含比特幣(Bitcoin)區塊鏈、以太坊(Ethereum)區塊鏈或其它相似區塊鏈的資料格式,假設區塊鏈資料格式為比特幣區塊鏈,那麼會將區塊鏈的交易請求轉換為比特幣的交易資料格式,假設區塊鏈資料格式為以太坊區塊鏈,則會將區塊鏈的交易請求轉換為以太坊的交易資料格式。至於所述替換請求則是在欲替換原本的私鑰共享單元時,傳送至前端主機121,由前端主機121查找相應的私鑰共享單元,並且選擇執行節點130重新計算及交換訊息以生成新的私鑰共享單元,稍後將針對重新生成新的私鑰共享單元的計算方式作詳細說明。The
節點122連接前端主機121,並且將前端主機121選擇的節點122作為執行節點130,換句話說,節點122與執行節點130的差異僅在於是否被前端主機121選擇,實際上,所述節點122是位於前端主機121後方的叢集主機。每一執行節點130包含:金鑰生成模組131、簽章模組132及替換模組133。其中,金鑰生成模組131用以執行JRSS演算法,選擇隨機多項式進行計算,並且與每一執行節點130交換計算結果以生成相應的私鑰共享單元,以及將每一執行節點130的私鑰共享單元與基點相乘再相互加總以生成公鑰。在實際實施上,JRSS演算法是透過MPC來進行計算及交換訊息,每當利用MPC計算一個數值出來時,各執行節點130需要同時在線上。另外,執行JRSS演算法的目的主要是為了讓每一執行節點130產生亂數,而且可以經過計算將這些產生的亂數組合起來後,剛好轉換為欲獲得的數值,如:「d*r」的數值,其中,「d」代表私鑰、「r」代表曲線點X座標。如此一來,在具有「d*r」的計算式子中,是否實際生成私鑰「d」便不再重要,因為已經直接得知「d*r」的數值。至於生成的公鑰可以經過雜湊處理後作為客戶端110的帳戶地址,以便透過帳戶地址進行區塊鏈交易,所述雜湊處理是指使用安全雜湊演算法(Secure Hash Algorithm, SHA),如:SHA3、SHA256、或其相似演算法進行計算。The
簽章模組132連接金鑰生成模組131,用以在對交易訊息進行簽章時,執行多次JRSS演算法,生成隨機共享單元及多個遮罩共享單元,並且根據隨機共享單元及遮罩共享單元計算第一廣播值,以及根據遮罩共享單元及基點計算第二廣播值,其中,生成隨機共享單元及多個遮罩共享單元的方式與前述生成金鑰共享單元的方式大同小異,其差別僅在於選擇的隨機多項式及其常數項不同,例如,常數項可選擇零或非零值。假設隨機共享單元為「ki
」、遮罩共享單元為「ai
」、「bi
」及「ci
」、第一廣播值為「vi
」、第二廣播值為「wi
」及基點為「G」,那麼,第一廣播值的計算方式為「vi
=ki
*ai
+bi
」、第二廣播值的計算方式為「wi
=ai
*G」,其中,「i」代表第幾個執行節點130,「i」為數值1代表第一個執行節點130、「i」為數值2代表第二個執行節點130,並以此類推,「i」為數值5代表第五個執行節點130,也就是說,「i」的數值與總數值相等。特別要說明的是,遮罩共享單元「ai
」、「bi
」及「ci
」在計算式子中的目的是作為避免洩漏隨機共享單元為「ki
」的遮罩(Mask)。另外,所述計算式子可以是取其餘數的數值,以「vi
=ki
*ai
+bi
」為例,其可以是「vi
=ki
*ai
+bi
mod q」,其中「q」為除數。The
承上所述,當每一執行節點130各自計算出第一廣播值為「vi
」及第二廣播值為「wi
」之後,會將其廣播以實現交換訊息,使每一執行節點130能夠根據所有的第一廣播值及第二廣播值計算出曲線點X座標,具體來說,曲線點X座標係將每一執行節點130各自的第一廣播數值以拉格朗日差值法進行計算並取其倒數,再乘以每一執行節點130各自的第二廣播數值的總和,用以計算出曲線座標點「(Rx
, Ry
)」後,再將此曲線座標點的X座標設為曲線點X座標。以上述五個執行節點130為例,每一執行節點130會根據所有第一廣播值進行拉格朗日插值計算,即:「v=L[(1,v1
)+(2,v2
)+(3,v3
)+(4,v4
)+(5,v5
)][0]」,其中,L代表拉格朗日插值法,「[0]」代表取值在x=0」,再將計算結果的倒數乘以所有第二廣播值的總和,即:「w=w1
+w2
+w3
+w4
+w5
」,用以計算出曲線座標點「(Rx
, Ry
)」,其數學式為「(Rx
, Ry
)=w*v-1
」,然後取其X座標「Rx
」作為曲線點X座標「r」。接下來,根據交易訊息「m」、曲線點X座標(即:r=Rx
)及各自擁有的隨機共享單元「ki
」、私鑰共享單元「Sdi
」及遮罩共享單元「ci
」進行計算及交換訊息,當計算及交換訊息的數量滿足門檻值時,由執行節點130至少其中之一根據計算及交換訊息的結果生成交易簽章「(r, s)」,其中,「r」為曲線點X座標;「s」的計算方式則是先由各執行節點130交換各自根據計算式子「si
= ki
(e + Sdi
r)」所計算出的結果,再進行插值(Interpolation)計算所得,其中,「e」為經雜湊處理的交易訊息「m」。以上述五個執行節點130為例,第一個執行節點130的計算式子為「s1
= k1
(e + Sd1
r)」、第二個執行節點130的計算式子為「s2
= k2
(e + Sd2
r)」、並且以此類推,第五個執行節點130的計算式子為「s5
= k5
(e + Sd5
r)」,經過MPC的計算及交換訊息後,每一個執行節點130皆具有「s1
」至「s5
」,因此,使用拉格朗日插值法即可計算出簽章值「s」,例如:「s=L[(1,s1
)+(2,s2
)+(3,s3
)+(4,s4
)+(5,s5
)][0]」,其中,L代表拉格朗日插值法,「[0]」代表取值在x=0。如此一來,便可將「r」的數值與「s」的數值組合成一對作為交易簽章「(r, s)」。最後,將此交易簽章嵌入交易訊息以完成簽章。特別要說明的是,在計算過程中,倘若「r」或「s」的數值為零,那麼,將重新進行計算直到數值不為零為止。The bearing, after each execution of each
替換模組133用以連接金鑰生成模組131,用以在接收到前端主機121發送的替換指令時,根據替換指令選擇多項式,並且帶入N個數值至選擇的多項式以計算出相應的N個計算結果,其中,每一數值分別對應不同的執行節點130,而且N為等於總數值的正整數。舉例來說,數值1對應第一個執行節點130;數值2對應第二個執行節點130,並以此類推,數值5對應第五個執行節點130。接著,將對應數值的計算結果傳送至對應數值的執行節點130,以上例而言,將數值1帶入多項式的x所得到的計算結果會傳送給第一個執行節點130,將數值2帶入多項式的x所得到的計算結果會傳送給第二個執行節點130,並以此類推,將數值5帶入多項式的x所得到的計算結果會傳送給第五個執行節點130。使每一執行節點130根據獲得的計算結果生成相應的新共享單元,並且將私鑰共享單元替換為私鑰共享單元與新共享單元的總和以作為新的私鑰共享單元,稍後將配合圖式作詳細說明。The
特別要說明的是,在實際實施上,本發明所述的各模組皆可利用各種方式來實現,包含軟體、硬體或其任意組合,例如,在某些實施方式中,各模組可利用軟體及硬體或其中之一來實現,除此之外,本發明亦可部分地或完全地基於硬體來實現,例如,系統中的一個或多個模組可以透過積體電路晶片、系統單晶片(System on Chip, SoC)、複雜可程式邏輯裝置(Complex Programmable Logic Device, CPLD)、現場可程式邏輯閘陣列(Field Programmable Gate Array, FPGA)等來實現。本發明可以是系統、方法及/或電腦程式。電腦程式可以包括電腦可讀儲存媒體,其上載有用於使處理器實現本發明的各個方面的電腦可讀程式指令,電腦可讀儲存媒體可以是可以保持和儲存由指令執行設備使用的指令的有形設備。電腦可讀儲存媒體可以是但不限於電儲存設備、磁儲存設備、光儲存設備、電磁儲存設備、半導體儲存設備或上述的任意合適的組合。電腦可讀儲存媒體的更具體的例子(非窮舉的列表)包括:硬碟、隨機存取記憶體、唯讀記憶體、快閃記憶體、光碟、軟碟以及上述的任意合適的組合。此處所使用的電腦可讀儲存媒體不被解釋爲瞬時信號本身,諸如無線電波或者其它自由傳播的電磁波、通過波導或其它傳輸媒介傳播的電磁波(例如,通過光纖電纜的光信號)、或者通過電線傳輸的電信號。另外,此處所描述的電腦可讀程式指令可以從電腦可讀儲存媒體下載到各個計算/處理設備,或者通過網路,例如:網際網路、區域網路、廣域網路及/或無線網路下載到外部電腦設備或外部儲存設備。網路可以包括銅傳輸電纜、光纖傳輸、無線傳輸、路由器、防火牆、交換器、集線器及/或閘道器。每一個計算/處理設備中的網路卡或者網路介面從網路接收電腦可讀程式指令,並轉發此電腦可讀程式指令,以供儲存在各個計算/處理設備中的電腦可讀儲存媒體中。執行本發明操作的電腦程式指令可以是組合語言指令、指令集架構指令、機器指令、機器相關指令、微指令、韌體指令、或者以一種或多種程式語言的任意組合編寫的原始碼或目的碼(Object Code),所述程式語言包括物件導向的程式語言,如:Common Lisp、Python、C++、Objective-C、Smalltalk、Delphi、Java、Swift、C#、Perl、Ruby與PHP等,以及常規的程序式(Procedural)程式語言,如:C語言或類似的程式語言。計算機可讀程式指令可以完全地在電腦上執行、部分地在電腦上執行、作爲一個獨立的軟體執行、部分在客戶端電腦上部分在遠端電腦上執行、或者完全在遠端電腦或伺服器上執行。In particular, it should be noted that in actual implementation, each module described in the present invention can be implemented in various ways, including software, hardware, or any combination thereof. For example, in some embodiments, each module can be It can be implemented by software and hardware or one of them. In addition, the present invention can also be implemented partially or completely based on hardware. For example, one or more modules in the system can be implemented through integrated circuit chips, System on Chip (SoC), Complex Programmable Logic Device (CPLD), Field Programmable Gate Array (FPGA) and so on. The present invention can be a system, method and/or computer program. The computer program may include a computer-readable storage medium loaded with computer-readable program instructions for enabling the processor to implement various aspects of the present invention. The computer-readable storage medium may be a tangible storage medium that can hold and store instructions used by an instruction execution device. equipment. The computer-readable storage medium can be, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (non-exhaustive list) of computer-readable storage media include hard disks, random access memory, read-only memory, flash memory, optical disks, floppy disks, and any suitable combination of the foregoing. The computer-readable storage medium used here is not interpreted as the instantaneous signal itself, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (for example, optical signals through fiber optic cables), or through wires Transmission of electrical signals. In addition, the computer-readable program instructions described herein can be downloaded from a computer-readable storage medium to various computing/processing devices, or downloaded via a network, such as the Internet, local area network, wide area network and/or wireless network To an external computer device or external storage device. The network may include copper transmission cables, optical fiber transmission, wireless transmission, routers, firewalls, switches, hubs and/or gateways. The network card or network interface in each computing/processing device receives computer-readable program instructions from the network, and forwards the computer-readable program instructions for storage in the computer-readable storage media in each computing/processing device in. The computer program instructions for performing the operations of the present invention may be combined language instructions, instruction set architecture instructions, machine instructions, machine-related instructions, micro instructions, firmware instructions, or source code or object code written in any combination of one or more programming languages (Object Code), the programming language includes object-oriented programming languages, such as: Common Lisp, Python, C++, Objective-C, Smalltalk, Delphi, Java, Swift, C#, Perl, Ruby, PHP, etc., as well as conventional programs Procedural programming language, such as C language or similar programming language. Computer readable program instructions can be executed entirely on the computer, partly on the computer, executed as a stand-alone software, partly on the client computer and partly on the remote computer, or entirely on the remote computer or server Executed on.
請參閱「第2A圖」及「第2B圖」,「第2A圖」及「第2B圖」為本發明防止記憶體傾印的門檻式簽章方法的方法流程圖,應用在具有客戶端110及伺服端120的網路環境中,所述伺服端120包含前端主機121及節點122,其步驟包括:客戶端110傳送包含門檻值及總數值的金鑰請求至伺服端120的前端主機121,其中,門檻值小於或等於總數值,並且門檻值及總數值皆為大於數值1的正整數(步驟210);前端主機121根據接收到的金鑰請求,自節點122及客戶端110中選擇與總數值相同的數量作為執行節點130(步驟220);每一執行節點130各自執行JRSS演算法,用以根據各自選擇的隨機多項式進行計算及交換計算結果以生成相應的私鑰共享單元,以及將每一執行節點130的私鑰共享單元與基點相乘再相互加總以生成公鑰(步驟230);當前端主機121接收到客戶端110的交易請求時,根據接收到的交易請求及預設的區塊鏈交易格式生成對應的交易訊息以傳送至執行節點130進行簽章(步驟240);每一執行節點130在對交易訊息進行簽章時,各自執行多次JRSS演算法,用以生成隨機共享單元及遮罩共享單元,並且根據隨機共享單元及遮罩共享單元計算第一廣播值,以及根據遮罩共享單元及基點計算第二廣播值(步驟250);每一執行節點130廣播各自計算出的第一廣播值及第二廣播值,使每一執行節點130根據所有第一廣播值及第二廣播值計算曲線點X座標,以及根據隨機共享單元、交易訊息、私鑰共享單元、曲線點X座標及遮罩共享單元計算出對應交易訊息的簽章訊息並嵌入交易訊息(步驟260);當前端主機121接收到客戶端的替換請求時,根據接收到的替換請求向執行節點130發送替換指令(步驟270);每一執行節點130根據替換指令選擇多項式,並且帶入N個數值至選擇的多項式以計算出相應的N個計算結果,其中,每一數值分別對應不同的執行節點130,而且N為等於總數值的正整數(步驟280);每一執行節點130將對應數值的計算結果傳送至對應數值的執行節點130,使每一執行節點130根據獲得的計算結果生成相應的新共享單元,並且將私鑰共享單元替換為私鑰共享單元與新共享單元的總和以作為新的私鑰共享單元(步驟290)。透過上述步驟,即可透過前端主機121選擇多個執行節點,由執行節點130執行JRSS演算法產生允許替換的共享單元,用以取代直接生成私鑰的方式,並且透過安全多方運算對共享單元進行計算及交換訊息,以便根據計算及交換訊息的結果生成對應共享單元的公鑰及交易簽章,以及將生成的交易簽章嵌入交易訊息。Please refer to "Figure 2A" and "Figure 2B". "Figure 2A" and "Figure 2B" are flowcharts of the threshold signature method for preventing memory dumping in the present invention, which is applied to a
以下配合「第3圖」及「第4圖」以實施例的方式進行如下說明,請先參閱「第3圖」,「第3圖」為應用本發明產生私鑰共享單元之示意圖。假設有五個執行節點130,在執行JRSS演算法時,每一個執行節點130各自選擇一個隨機多項式,舉例來說,第一個執行節點130選擇隨機多項式「d1」、第二個執行節點130選擇隨機多項式「d2」,並以此類推,第五個執行節點130選擇隨機多項式「d5」,這五個隨機多項式「d1」至「d5」如「第3圖」所示意,其中,常數項為每一執行節點130各自選擇的隨機整數(或稱為「密文(Secret)」)。接著,每一執行節點130分別將不同的數值(例如:數值1至數值5)帶入各自選擇的隨機多項式進行計算,例如,第一個執行節點130將數值1至數值5帶入隨機多項式「d1」計算出5個計算結果(即:「d1(1)」、「d1(2)」、「d1(3)」、「d1(4)」及「d1(5) 」),第二個執行節點130同樣將數值1至數值5帶入隨機多項式「d2」計算出5個計算結果(即:「d2(1)」、「d2(2)」、「d2(3)」、「d2(4)」及「d2(5) 」),並且以此類推,第五個執行節點130同樣將數值1至數值5帶入隨機多項式「d5」計算出5個計算結果(即:「d5(1)」、「d5(2)」、「d5(3)」、「d5(4)」及「d5(5) 」),總共可計算出25個計算結果,然後,每一執行節點130相互交換訊息,也就是說,這五個執行節點130各自將帶入數值1的計算結果(即:「d1(1)」、「d2(1)」、「d3(1)」、「d4(1)」及「d5(1) 」),提供給第一個執行節點130加總以得到相應的私鑰共享單元「Sd1」(即:「Sd1=d1(1)+d2(1)+d3(1)+d4(1)+d5(1) 」)、將帶入數值2的計算結果(即:「d1(2)」、「d2(2)」、「d3(2)」、「d4(2)」及「d5(2) 」),提供給第二個執行節點130加總以得到相應的私鑰共享單元「Sd2」(即:「Sd2=d1(2)+d2(2)+d3(2)+d4(2)+d5(2) 」),並且以此類推,將帶入數值5的計算結果(即:「d1(5)」、「d2(5)」、「d3(5)」、「d4(5)」及「d5(5) 」),提供給第五個執行節點130加總以得到相應的私鑰共享單元「Sd5」(即:「Sd5=d1(5)+d2(5)+d3(5)+d4(5)+d5(5) 」),使每一執行節點130經過MPC計算及交換訊息後,如「第3圖」所示意,各自得到相應的私鑰共享單元(第一個執行節點130得到私鑰共享單元「Sd1」、第二個執行節點130得到私鑰共享單元「Sd2」,並以此類推,第五個執行節點130得到私鑰共享單元「Sd5」)。特別要說明的是,這五個私鑰共享單元若使用拉格朗日插值法可以計算出如「第3圖」所示意的多項式「10x2
+74x+56」,其中,將數值0帶入x所計算出的解為數值56(即:私鑰「d」),然而,此處將私鑰「d」計算出來只是為了方便說明及驗證此數值的確是上述五個隨機多項式的常數項之總和(即:「d=d1(0)+d2(0)+d3(0)+d4(0)+d5(0)」),在實際應用上不會將此數值計算出來,因為在具有「d*r」的簽章計算式子中,如:「s=k(e+d*r)」,如果能夠直接得知「d*r」的數值,那麼便不需要再實際計算出私鑰「d」。以此例來說,由於已知「Sd1*r」至「Sd5*r」,所以使用拉格朗日插值法即可計算出「d*r」的值,而不需要計算出私鑰「d」。因此,可以有效防止記憶體傾印導致私鑰「d」外洩的可能。另外,這五個私鑰共享單元「Sd1」至「Sd5」分別乘以基點「G」再加總可得到公鑰「Q」,即:「Q=Sd1*G+Sd2*G+Sd3*G+Sd4*G+Sd5*G」,此公鑰「Q」經雜湊處理後即成為帳戶地址。The following description will be given in conjunction with "Figure 3" and "Figure 4" by way of embodiment. Please refer to "Figure 3" first. "Figure 3" is a schematic diagram of applying the present invention to generate a private key sharing unit. Suppose there are five
如「第4圖」所示意,「第4圖」為應用本發明替換私鑰共享單元之示意圖。當執行節點130接收到來自前端主機的替換指令時,將選擇一個多項式,此多項式會隨著要替換的私鑰共享單元之數量而有所不同,假設有n個私鑰共享單元,欲維持t個私鑰共享單元不變,其中,n及t為正整數,那麼,多項式可為「(x-1)*…*(x-t)*(x+xn-t-1
)」。舉例來說,假設有五個私鑰共享單元,要維持其中二個私鑰共享單元不變,其多項式可為「(x-1)*(x-2)*(x+x2
)」。在實際實施上,五個執行節點130所選擇的多項式可分別如「第4圖」所示意的「g1」至 「g5」。接著,每一執行節點130分別將不同的數值(例如:數值1至數值5)帶入各自選擇的多項式進行計算,例如,第一個執行節點130將數值1至數值5帶入多項式「g1」計算出5個計算結果(即:「g1(1)」、「g1(2)」、「g1(3)」、「g1(4)」及「g1(5) 」),第二個執行節點130同樣將數值1至數值5帶入多項式「g2」計算出5個計算結果(即:「g2(1)」、「g2(2)」、「g2(3)」、「g2(4)」及「g2(5) 」),並且以此類推,第五個執行節點130同樣將數值1至數值5帶入多項式「g5」計算出5個計算結果(即:「g5(1)」、「g5(2)」、「g5(3)」、「g5(4)」及「g5(5) 」),總共可計算出25個計算結果,然後,每一執行節點130相互交換訊息,也就是說,這五個執行節點130各自將帶入數值1的計算結果(即:「g1(1)」、「g2(1)」、「g3(1)」、「g4(1)」及「g5(1) 」),提供給第一個執行節點130加總以得到相應的新共享單元「Sg1」(即:「Sg1=g1(1)+g2(1)+g3(1)+g4(1)+g5(1) 」)、將帶入數值2的計算結果(即:「g1(2)」、「g2(2)」、「g3(2)」、「g4(2)」及「g5(2) 」),提供給第二個執行節點130加總以得到相應的新共享單元「Sg2」(即:「Sg2=g1(2)+g2(2)+g3(2)+g4(2)+g5(2) 」),並且以此類推,將帶入數值5的計算結果(即:「g1(5)」、「g2(5)」、「g3(5)」、「g4(5)」及「g5(5) 」),提供給第五個執行節點130加總以得到相應的新共享單元「Sg5」(即:「Sg5=g1(5)+g2(5)+g3(5)+g4(5)+g5(5) 」),使每一執行節點130經過MPC計算及交換訊息後,如「第4圖」所示意,各自得到相應的新共享單元(第一個執行節點130得到新共享單元「Sg1」、第二個執行節點130得到新共享單元「Sg2」,並以此類推,第五個執行節點130得到新共享單元「Sg5」)。接下來,將私鑰共享單元替換為私鑰共享單元與新共享單元的總和以作為新的私鑰共享單元,以第一個執行節點130為例,新的私鑰共享單元「NSd1」等於私鑰共享單元「Sd1」及新共享單元「Sg1」的總和(即:NSd1=Sd1+Sg1)。如此一來,將數值1及2帶入多項式「g1」及「g2」皆會得到數值0,使相應的二個新的私鑰共享單元「NSd1」及「NSd2」的值仍然會維持不變。特別要說明的是,這五個新的私鑰共享單元(即:「NSd1」至「NSd5」),若使用拉格朗日插值法可以計算出如「第4圖」所示意的多項式「19x4
+115…...621x3
+3x2
+104x+56」,其中,將數值0帶入x所計算出的解仍然為數值56(與「第3圖」使用拉格朗日插值法的計算結果相同),換句話說,即使已經替換為新的私鑰共享單元,簽章的計算結果仍然維持不變,等同使用同一把私鑰進行簽章。As shown in "Figure 4", "Figure 4" is a schematic diagram of applying the present invention to replace the private key sharing unit. When the
綜上所述,可知本發明與先前技術之間的差異在於透過前端主機選擇多個執行節點,由執行節點執行聯合隨機秘密分享演算法產生允許替換的共享單元,用以取代直接生成私鑰的方式,並且透過安全多方運算對共享單元進行計算及交換訊息,以便根據計算及交換訊息的結果生成對應共享單元的公鑰及交易簽章,以及將交易簽章嵌入交易訊息,藉由此一技術手段可以解決先前技術所存在的問題,進而在不生成私鑰的前提下,達成防止私鑰遭到記憶體傾印攻擊之技術功效。In summary, it can be seen that the difference between the present invention and the prior art is that multiple execution nodes are selected through the front-end host, and the execution nodes execute a joint random secret sharing algorithm to generate a shared unit that allows replacement, instead of directly generating private keys. The shared unit is calculated and exchanged through secure multi-party operations, so that the public key and transaction signature of the corresponding shared unit are generated based on the results of the calculation and exchange of messages, and the transaction signature is embedded in the transaction message. This technology The method can solve the problems of the previous technology, and achieve the technical effect of preventing the private key from being attacked by memory dumping without generating the private key.
雖然本發明以前述之實施例揭露如上,然其並非用以限定本發明,任何熟習相像技藝者,在不脫離本發明之精神和範圍內,當可作些許之更動與潤飾,因此本發明之專利保護範圍須視本說明書所附之申請專利範圍所界定者為準。Although the present invention is disclosed in the foregoing embodiments as above, it is not intended to limit the present invention. Anyone familiar with similar art can make some changes and modifications without departing from the spirit and scope of the present invention. Therefore, the present invention The scope of patent protection shall be determined by the scope of the patent application attached to this specification.
110:客戶端120:伺服端121:前端主機122:節點130:執行節點131:金鑰生成模組132:簽章模組133:替換模組步驟210:客戶端傳送包含一門檻值及一總數值的一金鑰請求至伺服端的前端主機,其中,該門檻值小於或等於該總數值,並且該門檻值及該總數值皆為大於數值1的正整數步驟220:該前端主機根據接收到的該金鑰請求,自節點及該客戶端中選擇與該總數值相同的數量作為多個執行節點步驟230:每一執行節點各自執行一聯合隨機秘密共享(Joint Random Secret Sharing, JRSS)演算法,用以根據各自選擇的一隨機多項式進行計算及交換計算結果以生成相應的一私鑰共享單元,以及將每一執行節點的該私鑰共享單元與一基點相乘再相互加總以生成一公鑰步驟240:當該前端主機接收到該客戶端的一交易請求時,根據接收到的該交易請求及預設的區塊鏈交易格式生成對應的一交易訊息以傳送至所述執行節點進行簽章步驟250:每一執行節點在對該交易訊息進行簽章時,各自執行多次該聯合隨機秘密共享演算法,用以生成一隨機共享單元及多個遮罩共享單元,並且根據該隨機共享單元及所述遮罩共享單元計算一第一廣播值,以及根據所述遮罩共享單元及該基點計算一第二廣播值步驟260:每一執行節點廣播各自計算出的該第一廣播值及該第二廣播值,使每一執行節點根據所有該第一廣播值及該第二廣播值計算一曲線點X座標,以及根據所述隨機共享單元、該交易訊息、所述私鑰共享單元、該曲線點X座標及所述遮罩共享單元計算出對應該交易訊息的一簽章訊息並嵌入該交易訊息步驟270:當該前端主機接收到該客戶端的一替換請求時,根據接收到的該替換請求向所述執行節點發送一替換指令步驟280:每一執行節點根據該替換指令選擇一多項式,並且帶入N個數值至選擇的該多項式以計算出相應的N個計算結果,其中,每一數值分別對應不同的所述執行節點,而且N為等於該總數值的正整數步驟290:每一執行節點將對應所述數值的所述計算結果傳送至對應所述數值的所述執行節點,使每一執行節點根據獲得的所述計算結果生成相應的一新共享單元,並且將該私鑰共享單元替換為該私鑰共享單元與該新共享單元的總和以作為新的該私鑰共享單元110: client 120: server 121: front-end host 122: node 130: execution node 131: key generation module 132: signature module 133: replacement module Step 210: client transmission includes a threshold and a total The value of a key is requested to the front-end host of the server, where the threshold value is less than or equal to the total value, and the threshold value and the total value are both positive integers greater than the
第1圖為本發明防止記憶體傾印的門檻式簽章系統之系統方塊圖。 第2A圖及第2B圖為本發明防止記憶體傾印的門檻式簽章方法之方法流程圖。 第3圖為應用本發明產生私鑰共享單元之示意圖。 第4圖為應用本發明替換私鑰共享單元之示意圖。Figure 1 is a system block diagram of the threshold signature system for preventing memory dumping according to the present invention. Figures 2A and 2B are flowcharts of the threshold signature method for preventing memory dumping according to the present invention. Figure 3 is a schematic diagram of the application of the present invention to generate a private key sharing unit. Figure 4 is a schematic diagram of applying the present invention to replace the private key sharing unit.
110:客戶端 110: client
120:伺服端 120: server
121:前端主機 121: front-end host
122:節點 122: Node
130:執行節點 130: execution node
131:金鑰生成模組 131: Key Generation Module
132:簽章模組 132: Signature Module
133:替換模組 133: Replacement Module
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW108102432A TWI694349B (en) | 2019-01-22 | 2019-01-22 | Threshold signature system with prevent memory dump and method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW108102432A TWI694349B (en) | 2019-01-22 | 2019-01-22 | Threshold signature system with prevent memory dump and method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI694349B TWI694349B (en) | 2020-05-21 |
TW202029040A true TW202029040A (en) | 2020-08-01 |
Family
ID=71896211
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW108102432A TWI694349B (en) | 2019-01-22 | 2019-01-22 | Threshold signature system with prevent memory dump and method thereof |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI694349B (en) |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI436372B (en) * | 2010-01-28 | 2014-05-01 | Phison Electronics Corp | Flash memory storage system, and controller and method for anti-falsifying data thereof |
US8799656B2 (en) * | 2010-07-26 | 2014-08-05 | Intel Corporation | Methods for anonymous authentication and key agreement |
TWI472189B (en) * | 2012-01-05 | 2015-02-01 | Ind Tech Res Inst | Network monitoring system and method for managing key |
GB201705621D0 (en) * | 2017-04-07 | 2017-05-24 | Nchain Holdings Ltd | Computer-implemented system and method |
JP7194127B2 (en) * | 2017-06-14 | 2022-12-21 | エヌチェーン ライセンシング アーゲー | Systems and methods for addressing security-related vulnerabilities arising on off-blockchain channels during network failures |
-
2019
- 2019-01-22 TW TW108102432A patent/TWI694349B/en active
Also Published As
Publication number | Publication date |
---|---|
TWI694349B (en) | 2020-05-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11784801B2 (en) | Key management method and related device | |
CN110247757B (en) | Block chain processing method, device and system based on cryptographic algorithm | |
Schneider et al. | GMW vs. Yao? Efficient secure two-party computation with low depth circuits | |
JP5068176B2 (en) | Enhanced verification of digital signatures and public keys | |
WO2020006692A1 (en) | Fully homomorphic encryption method and device and computer readable storage medium | |
CN109299149B (en) | Data query method, computing device and system | |
JP2024109714A (en) | Computer-implemented system and method for distributing shares of digitally signed data - Patents.com | |
JP5405658B2 (en) | Efficient method for calculating secret functions using resettable tamper-resistant hardware tokens | |
US20220172180A1 (en) | Method for Storing Transaction that Represents Asset Transfer to Distributed Network and Program for Same | |
CN110784318B (en) | Group key updating method, device, electronic equipment, storage medium and communication system | |
CN117134900A (en) | Structure for realizing asymmetric encryption and control method | |
CN110570309B (en) | Method and system for replacing a leader of a blockchain network | |
TWI694349B (en) | Threshold signature system with prevent memory dump and method thereof | |
TWI759138B (en) | Threshold signature scheme system based on inputting password and method thereof | |
TW202236822A (en) | Threshold signature scheme system for hierarchical deterministic wallet and method thereof | |
TWI689194B (en) | Threshold signature system based on secret sharing without dealer and method thereof | |
TWI734087B (en) | Signature system based on homomorphic encryption and method thereof | |
TWI737956B (en) | Threshold signature system based on secret sharing and method thereof | |
TW202236130A (en) | Asset cross-chain exchanging system based on threshold signature scheme and method thereof | |
TWI702820B (en) | Secret sharing signature system with hierarchical mechanism and method thereof | |
TWI764811B (en) | Key generating system for hierarchical deterministic wallet and method thereof | |
TWI799286B (en) | Random number generation system for threshold signature scheme and method thereof | |
CN118199881B (en) | Multiplexing method and device for multi-source heterogeneous password resource pool | |
TWI710987B (en) | Wallet service system with multi-signature and method thereof | |
CN114021173B (en) | Quantum key expansion method, system, medium and terminal based on SM9 key exchange |