TW202029687A - Threshold signature system based on secret sharing without dealer and method thereof - Google Patents


Info

Publication number
TW202029687A
Authority
TW
Taiwan
Application number
TW108102431A
Other languages
Chinese (zh)
Other versions
TWI689194B (en)
Inventor
林祐德
陳昶吾
莊治耘
Original Assignee
開曼群島商現代財富控股有限公司
Application filed by 開曼群島商現代財富控股有限公司
Priority to TW108102431A
Application granted
Publication of TWI689194B
Publication of TW202029687A


Abstract

A threshold signature system based on secret sharing, and a method thereof, are disclosed. A front-end host selects a plurality of execution nodes; the selected execution nodes run a joint random secret sharing (JRSS) algorithm and a joint random zero-value secret sharing (JZSS) algorithm to generate a plurality of shares, and compute on and exchange messages about those shares through multi-party computation (MPC). From the results of this computation and exchange, a public key and a transaction signature corresponding to the shares are generated; the transaction signature is embedded in a raw transaction message, which is then broadcast to a blockchain network. The mechanism helps improve the impartiality of the signature without generating a private key.

Description

Threshold signature system based on secret sharing without dealer and method thereof

The present invention relates to a signature system and a method thereof, and in particular to a threshold signature system and method based on dealerless secret sharing.

In recent years, as governments, organizations and the public have paid increasing attention to information security, applications based on electronic signatures (hereinafter "signatures") have sprung up everywhere. Among them, multi-party signature (Multisig) applications have drawn the most attention.

In general, a multi-party signature means that several users sign the same message. For example, in a blockchain transaction, a transaction may allow N users to sign it with their own private keys; that is, N private keys are permitted to sign, and as soon as M of those users have signed (M<N), the payment transaction is permitted. Since more users can take part in a transaction, a greater variety of transaction patterns becomes possible. Multi-party signatures do, however, have several problems: they enlarge the transaction message, which makes fees more expensive; privacy is weaker, because outsiders can see which addresses make up the M or N signers and then trace each address's other transactions; an implementation based on smart contracts needs several transactions to complete; and replacing one of the M members requires re-creating the wallet, or replacing the member according to the terms of the smart contract.

In view of this, some vendors have proposed combining signatures with a secret sharing algorithm: the private key is split into multiple shares, each party holds a different share, and the shares are used to compute a signature over the same blockchain transaction message. This keeps the size of the transaction message under control and, since the complete address is not used, is more private; when a member is replaced, all shares can be refreshed while the original private key is retained, so it is also more flexible. However, in this approach the private key is generated by the server side. If the server is compromised, the private key leaks and an unauthorized party can use it to sign, which destroys the impartiality of the signature; this approach therefore suffers from poor signature impartiality.

In summary, the prior art has long suffered from poor signature impartiality, and improved technical means are needed to solve this problem.

The present invention discloses a threshold signature system based on dealerless secret sharing, and a method thereof.

First, the present invention discloses a threshold signature system based on dealerless secret sharing. The system comprises a client and a server. The client is permitted to act as one of a plurality of execution nodes, and sends a transaction request and a key request containing a threshold value and a total value, where the threshold value is less than or equal to the total value, and both the threshold value and the total value are positive integers greater than 1.

On the server side, the system comprises a front-end host and a plurality of nodes. The front-end host receives the transaction request and the key request, selects, according to the key request, a number of execution nodes equal to the total value, and, when a blockchain transaction is initiated, generates the corresponding raw transaction message from the transaction request and the blockchain data format and sends it out. The nodes are connected to the front-end host, and the nodes selected by the front-end host serve as execution nodes. Each execution node comprises an execution module, a key module, a computation module and a signature module. The execution module runs the Joint Random Secret Sharing (JRSS) algorithm, choosing a random polynomial for its computation and exchanging the computed results with every execution node to generate the corresponding private-key share; it then runs the joint random secret sharing algorithm twice more to generate the corresponding first share and second share, and runs the Joint Random Zero Secret Sharing (JZSS) algorithm twice to generate the corresponding third share and fourth share. The key module, connected to the execution module, broadcasts the product of the generated private-key share and the base point (Base Point), and computes the public key from the sum of the product values broadcast by every execution node. The computation module, connected to the execution module, computes the corresponding first broadcast value and second broadcast value from the first, second, third and fourth shares held by each execution node, where the first broadcast value is the first share multiplied by the second share plus the third share, and the second broadcast value is the second share multiplied by the base point; it broadcasts the first and second broadcast values it computed, and computes a curve coordinate point from all of the first and second broadcast values. The signature module, connected to the execution module, the key module and the computation module, runs the threshold signing protocol of the Elliptic Curve Digital Signature Algorithm (ECDSA): it computes and exchanges messages based on the raw transaction message, the X coordinate of the curve coordinate point, and the first share, private-key share and fourth share held by each node; when the number of computed and exchanged messages reaches the threshold value, at least one of the execution nodes generates a transaction signature from the results of the computation and exchange, embeds the transaction signature in the raw transaction message to produce a signed transaction message, and broadcasts the signed transaction message to the blockchain network.

In addition, the present invention discloses a threshold signature method based on dealerless secret sharing, applied in a network environment having a client and a server, where the server comprises a front-end host and a plurality of nodes. Its steps are as follows: the client sends a key request containing a threshold value and a total value to the front-end host of the server, where the threshold value is less than or equal to the total value and both are positive integers greater than 1; according to the received key request, the front-end host selects from the nodes and the client a number of execution nodes equal to the total value, and every execution node runs the joint random secret sharing algorithm, each choosing a random polynomial for its computation and exchanging the results with every other execution node to generate its corresponding private-key share; every execution node broadcasts the product of its generated private-key share and the base point, and the public key is computed from the sum of the product values broadcast by every execution node; when a blockchain transaction is initiated, the front-end host of the server receives the transaction request from the client, generates the corresponding raw transaction message from the transaction request and the blockchain data format, and sends the raw transaction message to the client and to every execution node; every execution node runs the JRSS algorithm twice to generate its corresponding first share and second share, and runs the JZSS algorithm twice to generate its corresponding third share and fourth share; every execution node computes its corresponding first broadcast value and second broadcast value from the first, second, third and fourth shares it holds, where the first broadcast value is the first share multiplied by the second share plus the third share, and the second broadcast value is the second share multiplied by the base point; every execution node broadcasts the first and second broadcast values it computed, and computes the curve coordinate point from all of the first and second broadcast values; and every execution node runs the threshold signing protocol of the elliptic curve digital signature algorithm, computing and exchanging messages based on the raw transaction message, the X coordinate of the curve coordinate point, and the first share, private-key share and fourth share it holds, and when the number of computed and exchanged messages reaches the threshold value, at least one of the execution nodes generates a transaction signature from the results, embeds the transaction signature in the raw transaction message to produce a signed transaction message, and broadcasts the signed transaction message to the blockchain network.

The system and method disclosed above differ from the prior art in that the present invention has the front-end host select a plurality of execution nodes; the execution nodes run the joint random secret sharing algorithm and the joint random zero-value secret sharing algorithm to produce shares, and compute on and exchange messages about the shares through secure multi-party computation, so that a public key and a transaction signature corresponding to the shares are generated from the results of the computation and exchange; the transaction signature is then embedded in the raw transaction message, and the signed transaction message is broadcast to the blockchain network.

Through the above technical means, the present invention achieves the technical effect of improving the impartiality of signatures without generating a private key.

Embodiments of the present invention are described in detail below with reference to the drawings and examples, so that the process by which the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and carried out.

Before describing the disclosed threshold signature system and method based on dealerless secret sharing, the terms defined by this invention are explained. The various "shares" referred to in this invention, such as the "private-key share", "first share", "second share", "third share", "fourth share" and "signature share", all denote the elements needed for computation while running a secret sharing algorithm such as the joint random secret sharing algorithm or the joint random zero-value secret sharing algorithm. These elements are exchanged between the different execution nodes during secure multi-party computation (Secure Multi-Party Computation, SMC/MPC) and are used to compute the transaction signature (or simply "signature"), namely "(r, s)", where "r" is the X coordinate of the curve coordinate point and "s" is the signature value computed by interpolation; the computation of the transaction signature is explained further below. Next, the first broadcast value and the second broadcast value are the values that must be broadcast to the other execution nodes when running JRSS and JZSS, such as "v_i" and "w_i". Finally, "dealerless" means that the private key is not generated and distributed by a single party; instead, several parties jointly compute and exchange messages through JRSS and JZSS, and from this compute the corresponding public key and a transaction signature conforming to the ECDSA signature format.

The threshold signature system and method based on dealerless secret sharing are further described below with reference to the drawings. Please refer first to Figure 1, a system block diagram of the threshold signature system based on dealerless secret sharing of the present invention. The system comprises a client 110 and a server 120. The client 110 is permitted to act as one of a plurality of execution nodes, and sends a transaction request and a key request containing a threshold value and a total value, where the threshold value is less than or equal to the total value and both are positive integers greater than 1. In practice, the client 110 and the execution nodes 130 are all preset with the same secret sharing parameters, comprising the values of the elliptic curve, the prime, the base point and the order, for use when running the joint random secret sharing algorithm and the joint random zero-value secret sharing algorithm. For example, the parameters of the curve "Secp256k1" as used by the general-purpose ECDSA algorithm may serve as the secret sharing parameters.

The server 120 comprises a front-end host 121 and nodes 122. The front-end host 121 receives the transaction request and the key request, selects, according to the key request, a number of execution nodes 130 equal to the total value, and, when a blockchain transaction is initiated, generates the corresponding raw transaction message from the transaction request and the blockchain data format and sends it out. In practice, the transaction request may contain a source address, such as the blockchain address (or "account address") of the client 110, so that the server 120 can look up the share belonging to that client 110 in its storage (for example, a database) by this source address and, when the threshold signing protocol is run, use the retrieved share to compute over the raw transaction message and generate the signature. The blockchain data format includes those of the Bitcoin blockchain, the Ethereum blockchain or other similar blockchains: if the blockchain data format is that of the Bitcoin blockchain, the blockchain transaction request is converted into the Bitcoin transaction data format; if it is that of the Ethereum blockchain, the request is converted into the Ethereum transaction data format.

The nodes 122 are connected to the front-end host 121, and the nodes 122 selected by the front-end host 121 serve as execution nodes 130; in other words, a node 122 differs from an execution node 130 only in whether the front-end host 121 has selected it. Each execution node 130 comprises an execution module 131, a key module 132, a computation module 133 and a signature module 134. The execution module 131 runs the joint random secret sharing algorithm, choosing a random polynomial for its computation and exchanging the results with every execution node to generate the corresponding private-key share; it then runs the joint random secret sharing algorithm twice to generate the corresponding first share and second share, and runs the joint random zero-value secret sharing algorithm twice to generate the corresponding third share and fourth share. In practice, the JRSS and JZSS algorithms compute and exchange messages through secure multi-party computation, and every time a value is computed with MPC, all execution nodes 130 must be online at the same time. The main purpose of running the JRSS and JZSS algorithms is to let each execution node 130 produce random numbers which, once combined through computation, turn out to be exactly the desired value, for example the value "d*r", where "d" denotes the private key and "r" the X coordinate of the curve coordinate point. In an expression containing "d*r" it then no longer matters whether "d" is present, because the value of "d*r" is already known directly. Further, to improve security, each execution node 130 may run the joint random zero-value secret sharing algorithm to generate a corresponding random value "z_i" and add it to its own private-key share "Sd_i", yielding a randomized value "Sd'_i".

The key module 132 is connected to the execution module 131 and broadcasts the product of the generated private-key share "Sd_i" and the base point "G", then computes the public key from the sum of the product values broadcast by every execution node 130. For example, if the broadcast products are "Sd_1*G", "Sd_2*G" and "Sd_3*G", the public key "Q" is computed as "Q=Sd_1*G+Sd_2*G+Sd_3*G". In practice, the public key may be hashed and used as the account address of the client 110, so that blockchain transactions can be carried out through this account address; hashing here means computing with a Secure Hash Algorithm (SHA) such as SHA3, SHA256 or a similar algorithm.

The computation module 133 is connected to the execution module 131 and computes the corresponding first broadcast value and second broadcast value from the first, second, third and fourth shares held by each execution node 130, where the first broadcast value is the first share multiplied by the second share plus the third share, and the second broadcast value is the second share multiplied by the base point; it broadcasts the first and second broadcast values it computed and computes the curve coordinate point from all of the first and second broadcast values. For example, let the first share be "k_i", the second share "a_i", the third share "b_i", the fourth share "c_i", the first broadcast value "v_i", the second broadcast value "w_i" and the base point "G". Then the first broadcast value is computed as "v_i = k_i*a_i + b_i" and the second broadcast value as "w_i = a_i*G", where "i" is the index of the execution node 130: "i" equal to 1 denotes the first execution node 130, "i" equal to 2 the second execution node 130, and so on, with "i" equal to 5 denoting the fifth execution node 130; that is, "i" runs up to the total value. In particular, the second share "a_i", the third share "b_i" and the fourth share "c_i" serve in these formulas as masks (Mask) that prevent the first share "k_i" from being leaked. The formulas may also be taken as a remainder: for "v_i = k_i*a_i + b_i", for instance, this may be "v_i = k_i*a_i + b_i mod q", where "q" is the divisor.
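As an added illustration (not the patent's code nor the applicant's implementation), the following Python walks through the dealerless steps described in the three paragraphs above: JRSS/JZSS shares formed by summing each node's own random polynomial, the public key assembled from the broadcast "Sd_i*G" values without any node ever holding "d", and the masked values "v_i = k_i*a_i + b_i", "w_i = a_i*G" opened to obtain the curve point without revealing any "k_i". The curve arithmetic, the function names and the way the "v_i", "w_i" are combined into the curve point (the Gennaro-style R = (k*a)^-1 * (a*G) = k^-1 * G) are assumptions, since the text only says the point is computed from them.

```python
"""Added illustration (not the patent's code): dealerless JRSS/JZSS sharing,
public key Q from broadcast Sd_i*G values, and the masked nonce values
v_i = k_i*a_i + b_i, w_i = a_i*G.  Pure-Python secp256k1, illustration only."""
import secrets

# secp256k1 domain parameters: field prime, group order q, base point G
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def point_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if a is INF:
        return b
    if b is INF:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return INF                                   # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def scalar_mult(k, pt):
    """Double-and-add; k is reduced modulo the group order."""
    acc, k = INF, k % ORDER
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def eval_poly(coeffs, x):
    """Evaluate c0 + c1*x + ... + cd*x^d modulo the group order."""
    return sum(c * pow(x, j, ORDER) for j, c in enumerate(coeffs)) % ORDER

def lagrange_at_zero(idx):
    """Lagrange basis coefficients at x = 0 for party indices idx (1-based)."""
    out = []
    for i in idx:
        num = den = 1
        for j in idx:
            if j != i:
                num, den = num * -j % ORDER, den * (i - j) % ORDER
        out.append(num * pow(den, -1, ORDER) % ORDER)
    return out

def joint_sharing(n, degree, zero=False):
    """JRSS (zero=False) or JZSS (zero=True) with no dealer.

    Each of the n parties draws its own polynomial f_j of the given degree,
    with a random constant term (JRSS) or constant term 0 (JZSS).  Party i's
    share is sum_j f_j(i); the shared secret sum_j f_j(0) is never formed."""
    polys = [[0 if zero else secrets.randbelow(ORDER)]
             + [secrets.randbelow(ORDER) for _ in range(degree)] for _ in range(n)]
    return [sum(eval_poly(f, i) for f in polys) % ORDER for i in range(1, n + 1)]

def reconstruct(shares, idx):
    """Interpolate the secret at x = 0 from the shares of the parties in idx."""
    return sum(l * shares[i - 1] for l, i in zip(lagrange_at_zero(idx), idx)) % ORDER

def combine_points(points, idx):
    """Sum of lambda_i * P_i: opens a secret-times-G from broadcast points.

    With Shamir shares the broadcast Sd_i*G values carry Lagrange weights; for
    additive shares every lambda_i is 1, i.e. the plain sum Q = Sd_1*G+Sd_2*G+Sd_3*G."""
    acc = INF
    for l, i in zip(lagrange_at_zero(idx), idx):
        acc = point_add(acc, scalar_mult(l, points[i - 1]))
    return acc

def threshold_keygen(n, t):
    """t-of-n key generation: returns the Sd_i shares and the public key Q."""
    sd = joint_sharing(n, t - 1)                    # private-key shares Sd_i
    broadcast = [scalar_mult(s, G) for s in sd]    # each node broadcasts Sd_i*G
    return sd, combine_points(broadcast, list(range(1, t + 1)))

def masked_nonce_point(n, t):
    """First/second broadcast values and the curve point derived from them.

    k_i, a_i are JRSS shares of degree t-1; b_i is a JZSS share of degree
    2(t-1), so v_i = k_i*a_i + b_i shares k*a at degree 2(t-1) and needs
    2t-1 nodes to open.  R = (k*a)^-1 * (a*G) = k^-1 * G is an assumption."""
    assert n >= 2 * t - 1, "opening k*a needs 2t-1 online nodes"
    k = joint_sharing(n, t - 1)
    a = joint_sharing(n, t - 1)
    b = joint_sharing(n, 2 * (t - 1), zero=True)
    v = [(k[i] * a[i] + b[i]) % ORDER for i in range(n)]   # first broadcast value
    w = [scalar_mult(a[i], G) for i in range(n)]           # second broadcast value
    ka = reconstruct(v, list(range(1, 2 * t)))             # opens k*a, never k
    aG = combine_points(w, list(range(1, t + 1)))          # opens a*G, never a
    return k, scalar_mult(pow(ka, -1, ORDER), aG)

if __name__ == "__main__":
    sd, Q = threshold_keygen(5, 3)                 # 3-of-5, as in the text's example
    print("Q =", hex(Q[0]), hex(Q[1]))
    k, R = masked_nonce_point(5, 3)
    print("r =", hex(R[0]))
```

The test-only calls to reconstruct() below show what the protocol itself never does: rebuilding "d" or "k" in one place to check that the broadcast-derived Q and R are correct.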

The signature module 134 is connected to the execution module 131, the key module 132 and the computation module 133, and runs the threshold signing protocol of the elliptic curve digital signature algorithm, computing and exchanging messages based on the raw transaction message, the X coordinate of the curve coordinate point, and the first share, the selected set of values and the fourth share held by each node. For example, let the hashed raw transaction message be "e", the X coordinate of the curve coordinate point "r", the first share "k_i", the private-key share "Sd_i" and the fourth share "c_i". Then the signature share "s_i" of each execution node 130 can be computed from the formula "s_i = k_i^-1 (e + Sd_i r)" and used as the message to be exchanged. When the number of computed and exchanged messages reaches the threshold value (for example, both the number of "s_i" values and the threshold value are 3), at least one of the execution nodes 130 generates the transaction signature from the results of the computation and exchange. In this example, an execution node 130 not only computes its own signature share but, after the exchange, also holds the signature shares computed by the other execution nodes 130, so the signature value "s" can be computed from all of the signature shares by Lagrange interpolation. With three execution nodes 130, for instance, the signature value is computed as "s=L[(1,s_1)+(2,s_2)+(3,s_3)][0]", where L denotes Lagrange interpolation and "[0]" denotes evaluation at x=0; paired with the X coordinate "r" of the curve coordinate point, this yields the transaction signature "(r, s)". The transaction signature "(r, s)" is then embedded in the raw transaction message to produce the signed transaction message, which is broadcast to the blockchain network. Note that if the value of "r" or "s" turns out to be zero during the computation, the computation is repeated until neither is zero.

It should be noted that, in actual implementation, each module described in the present invention can be realised in various ways, including software, hardware, or any combination thereof. For example, in some embodiments each module can be realised by software, by hardware, or by both. The present invention can also be realised partially or completely in hardware; for example, one or more modules of the system can be realised by an integrated circuit chip, a System on Chip (SoC), a Complex Programmable Logic Device (CPLD), a Field Programmable Gate Array (FPGA), and so on. The present invention can be a system, a method and/or a computer program. The computer program may include a computer-readable storage medium carrying computer-readable program instructions that cause a processor to implement the various aspects of the present invention. The computer-readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device; it may be, but is not limited to, an electrical, magnetic, optical, electromagnetic or semiconductor storage device, or any suitable combination of the foregoing. More specific (non-exhaustive) examples include hard disks, random access memory, read-only memory, flash memory, optical disks, floppy disks, and any suitable combination of these. A computer-readable storage medium as used here is not to be construed as a transitory signal itself, such as a radio wave or other freely propagating electromagnetic wave, an electromagnetic wave propagating through a waveguide or other transmission medium (for example, a light pulse through a fibre-optic cable), or an electrical signal transmitted through a wire. The computer-readable program instructions described here can be downloaded from a computer-readable storage medium to the respective computing/processing devices, or to an external computer or external storage device via a network such as the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical fibre transmission, wireless transmission, routers, firewalls, switches, hubs and/or gateways. A network card or network interface in each computing/processing device receives the computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within that device. The computer program instructions for carrying out the operations of the present invention may be assembly language instructions, instruction set architecture instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, or source code or object code written in any combination of one or more programming languages, including object-oriented languages such as Common Lisp, Python, C++, Objective-C, Smalltalk, Delphi, Java, Swift, C#, Perl, Ruby and PHP, and conventional procedural languages such as C or similar. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server.

Please refer to Figure 2A and Figure 2B, which are flowcharts of the threshold signature method based on secret sharing without a dealer of the present invention, applied in a network environment having a client 110 and a server 120, the server 120 comprising a front-end host 121 and nodes 122. The steps are as follows. The client 110 sends a key request containing a threshold value and a total value to the front-end host 121 of the server 120, where the threshold value is less than or equal to the total value and both are positive integers greater than 1 (step 210). According to the received key request, the front-end host 121 selects, from the nodes 122 and the client 110, a number of execution nodes 130 equal to the total value; each execution node 130 executes a joint random secret sharing algorithm, selecting its own random polynomial for computation and exchanging the computed results with every other execution node to generate its private-key share (the patent's "private key sharing unit") (step 220). Each execution node 130 broadcasts the product of its private-key share and the base point, and the public key is computed from the sum of the product values broadcast by all execution nodes 130 (step 230). At the start of a blockchain transaction, the front-end host 121 of the server 120 receives a transaction request from the client 110, generates the corresponding raw transaction message according to the transaction request and the blockchain data format, and sends the raw transaction message to the client 110 and to every execution node 130 (step 240). Each execution node 130 executes the joint random secret sharing algorithm twice to generate its first share and second share, and executes the joint random zero secret sharing algorithm twice to generate its third share and fourth share (step 250). Each execution node 130 computes its first broadcast value and second broadcast value from its own first, second, third and fourth shares, where the first broadcast value is the first share multiplied by the second share plus the third share, and the second broadcast value is the second share multiplied by the base point (step 260). Each execution node 130 broadcasts its first and second broadcast values and computes the curve point from all first and second broadcast values (step 270). Each execution node 130 executes the threshold signing protocol of the elliptic curve digital signature algorithm, computing and exchanging messages based on the raw transaction message, the X coordinate of the curve point, and its own first share, private-key share and fourth share; once the number of computed and exchanged messages meets the threshold value, at least one execution node 130 generates the transaction signature from the results, embeds it in the raw transaction message to generate a signed transaction message, and broadcasts the signed transaction message to the blockchain network (step 280). Through these steps the front-end host 121 selects multiple execution nodes 130, the execution nodes 130 execute the joint random secret sharing algorithm and the joint random zero secret sharing algorithm to generate shares, and the shares are computed on and exchanged through secure multi-party computation, so that the public key and transaction signature corresponding to the shares are generated from the results, and the transaction signature is embedded in the raw transaction message and broadcast to the blockchain network.

The following describes an embodiment with reference to Figure 3 and Figure 4. Refer first to Figure 3, a schematic diagram of generating private-key shares and computing the public key with the present invention. In actual implementation, after the client 110 sends a key request to the front-end host 121 of the server 120, the front-end host 121 selects, according to the received key request, a number of execution nodes 130 equal to the total value from the nodes 122 of the server 120 and the client 110. Each execution node 130 then executes the JRSS algorithm, each selecting a random polynomial "d_i" for computation. For example, assume there are three execution nodes 130: the first selects the random polynomial "d_1 = x^2 + x + 1" and substitutes the values 1 to 3 for x to obtain three results; the second selects "d_2 = x^2 + x + 3" and likewise substitutes 1 to 3 for x to obtain three results; and the third selects "d_3 = x^2 + x + 4" and likewise substitutes 1 to 3 for x to obtain three results. Next, the execution nodes 130 exchange results (that is, each execution node 130 gives its result for the value 1 to the first execution node 130, its result for the value 2 to the second execution node 130, and its result for the value 3 to the third execution node 130) to generate the corresponding share, namely the private-key share "Sd_i", which may be stored in a database. The JRSS computation and message exchange then continue through MPC: each execution node 130 broadcasts the product "Sd_i * G" of its private-key share "Sd_i" and the base point "G", and the public key "Q" is computed from the sum of the product values broadcast by every execution node 130; the public key may be stored in the database in association with the corresponding private-key share. For example, assume the threshold value is 2 and the total value is 3, so the front-end host 121 selects three execution nodes 130. When executing the JRSS algorithm, suppose the first execution node 130 generates the private-key share "Sd_1", the second "Sd_2" and the third "Sd_3"; each multiplies its share by the base point "G" to obtain "Sd_1 * G", "Sd_2 * G" and "Sd_3 * G" respectively as the product of private-key share and base point, and broadcasts it. In this way every execution node 130 holds all three product values "Sd_1 * G", "Sd_2 * G" and "Sd_3 * G", and each can compute the public key "Q" by adding them: "Q = Sd_1 * G + Sd_2 * G + Sd_3 * G". This ensures that nobody can learn the private key "d", because "d = Sd_1 + Sd_2 + Sd_3", and on an elliptic curve recovering "d" from "d * G" and "G" remains very difficult. (For Shamir shares such as those produced by the polynomials above, the plain sums in these two formulas are to be read as Lagrange-weighted sums at x = 0, the same "L[...][0]" combination the description uses for "v" and "s": the example polynomials give the shares 14, 26 and 44, which add to 84, whereas the joint secret is the sum of the constant terms, 8, which is what interpolation at x = 0 returns.) In addition, a hash of the public key "Q" can serve as the account address of the client 110. It should be added that, as mentioned above, a number of execution nodes 130 equal to the total value is selected from the nodes 122 of the server 120 and the client 110 so that the client 110 also has the opportunity to participate, rather than all computation and storage being done by the server 120 alone. In other words, if the client 110 is selected as one of the execution nodes 130 it participates in computation and storage; if it is not selected, all computation and storage is done by the execution nodes 130 of the server 120. Therefore, the client 110 may contain all the modules and functions of an execution node 130, so that it can become one of the execution nodes 130 when selected by the front-end host 121.

As shown in Figure 4, a schematic diagram of computing and generating a signature with the present invention, at the start of a blockchain transaction the client 110 sends a transaction request to the server 120, and the server 120 looks up the shares corresponding to this client 110 in its storage (for example, a database) according to the source address of the transaction request. At the same time, the server 120 generates the raw transaction message according to the transaction request and the blockchain data format; that is, if the blockchain data format is Ethereum's, the generated raw transaction message conforms to the Ethereum data format, and if it is Bitcoin's, the raw transaction message conforms to the Bitcoin data format. The server 120 then sends the generated raw transaction message to the client 110 and the execution nodes 130. Assuming the client 110 is one of the execution nodes, the client 110 and the execution nodes 130 of the server 120 perform MPC to produce a threshold signature on the raw transaction message, where the MPC comprises the computation and message-exchange steps of several executions of the JRSS and JZSS algorithms; finally the generated transaction signature is embedded in the raw transaction message to generate the signed transaction message, which is broadcast to the blockchain network.

In actual implementation, since at the outset no corresponding shares exist in the database, the i-th execution node 130 executes the JRSS algorithm twice to generate its first share "k_i" and second share "a_i", and executes the JZSS algorithm twice to generate its third share "b_i" and fourth share "c_i". Next, each execution node 130 computes its first broadcast value "v_i" and second broadcast value "w_i" from its own first share "k_i", second share "a_i", third share "b_i" and fourth share "c_i": the first broadcast value "v_i" is the first share "k_i" multiplied by the second share "a_i" plus the third share "b_i", that is, "v_i = k_i * a_i + b_i"; the second broadcast value "w_i" is the second share "a_i" multiplied by the base point "G", that is, "w_i = a_i * G". Each execution node 130 then broadcasts its computed "v_i" and "w_i", performs Lagrange interpolation over all first broadcast values (for the three execution nodes 130 above, "v = L[(1,v_1)+(2,v_2)+(3,v_3)][0]", where L denotes Lagrange interpolation and "[0]" denotes the value at x = 0), and multiplies the inverse of that result by the sum of all second broadcast values, "w = w_1 + w_2 + w_3", to compute the curve point "(R_x, R_y)" as "(R_x, R_y) = w * v^-1". Next, each execution node 130 executes the threshold signing protocol of the elliptic curve digital signature algorithm, computing and exchanging messages based on the raw transaction message "m", the X coordinate of the curve point (that is, r = R_x) and its own first share "k_i", private-key share "Sd_i" and fourth share "c_i". Once the number of computed and exchanged messages meets the threshold value, at least one execution node 130 generates the transaction signature "(r, s)" from the results, where "r" is the X coordinate of the curve point and "s" is obtained by having the execution nodes 130 exchange the results each computes from "s_i = k_i^-1 (e + Sd_i r)" and then interpolating, "e" being the hash of the raw transaction message "m". For example, with three execution nodes 130 the first computes "s_1 = k_1^-1 (e + Sd_1 r)", the second "s_2 = k_2^-1 (e + Sd_2 r)" and the third "s_3 = k_3^-1 (e + Sd_3 r)"; after the MPC computation and message exchange every execution node 130 holds "s_1", "s_2" and "s_3", so the signature value "s" can be computed by Lagrange interpolation, for example "s = L[(1,s_1)+(2,s_2)+(3,s_3)][0]", where L denotes Lagrange interpolation and "[0]" denotes the value at x = 0. (A check worth making before relying on this formula: because "(R_x, R_y) = w * v^-1 = (k*a)^-1 * (a*G) = k^-1 * G", the nonce an ordinary ECDSA verifier sees is "k^-1", so the signature that verifies against "Q" is "s = k (e + d r)". A share-wise inverse "k_i^-1" does not interpolate to "k^-1"; the share form that does interpolate to the required value is "s_i = k_i (e + Sd_i r) + c_i", which is also where the fourth share "c_i" of claim 3 enters, masking the degree-doubled product "k_i * Sd_i".) The value of "r" and the value of "s" are then combined into a pair as the transaction signature "(r, s)". Finally, the transaction signature is embedded in the raw transaction message to generate the signed transaction message, which is broadcast to the blockchain network.

In summary, the difference between the present invention and the prior art is that a front-end host selects multiple execution nodes, the execution nodes execute the joint random secret sharing algorithm and the joint random zero secret sharing algorithm to generate shares, and the shares are computed on and exchanged through secure multi-party computation, so that the public key and transaction signature corresponding to the shares are generated from the results and the transaction signature is embedded in the raw transaction message and broadcast to the blockchain network. This technical means solves the problems of the prior art and achieves the technical effect of improving the fairness of the signature without ever generating the private key.

Although the present invention is disclosed by way of the foregoing embodiments, they are not intended to limit it; anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the present invention, and the scope of patent protection is therefore defined by the claims appended to this specification.

110: client; 120: server; 121: front-end host; 122: node; 130: execution node; 131: execution module; 132: key module; 133: computation module; 134: signature module.

Step 210: the client sends a key request containing a threshold value and a total value to the front-end host of the server, where the threshold value is less than or equal to the total value and both the threshold value and the total value are positive integers greater than 1.

Step 220: according to the received key request, the front-end host selects, from the nodes and the client, a number of execution nodes equal to the total value; each execution node executes a joint random secret sharing algorithm, selecting its own random polynomial for computation and exchanging the computed results with every execution node to generate its private-key share.

Step 230: each execution node broadcasts the product of its generated private-key share and a base point, and a public key is computed from the sum of the product values broadcast by every execution node.

Step 240: at the start of a blockchain transaction, the front-end host of the server receives a transaction request from the client, generates the corresponding raw transaction message according to the transaction request and the blockchain data format, and sends the raw transaction message to the client and to every execution node.

Step 250: each execution node executes the joint random secret sharing algorithm twice to generate its first share and second share, and executes a joint random zero secret sharing algorithm twice to generate its third share and fourth share.

Step 260: each execution node computes its first broadcast value and second broadcast value from its own first, second, third and fourth shares, where the first broadcast value is the first share multiplied by the second share plus the third share, and the second broadcast value is the second share multiplied by the base point.

Step 270: each execution node broadcasts its computed first and second broadcast values and computes a curve point from all first and second broadcast values.

Step 280: each execution node executes a threshold signing protocol of the elliptic curve digital signature algorithm, computing and exchanging messages based on the raw transaction message, an X coordinate of the curve point, and its own first share, private-key share and fourth share; once the number of computed and exchanged messages meets the threshold value, at least one of the execution nodes generates a transaction signature from the results, embeds the transaction signature in the raw transaction message to generate a signed transaction message, and broadcasts the signed transaction message to the blockchain network.

Figure 1 is a system block diagram of the threshold signature system based on secret sharing without a dealer of the present invention. Figures 2A and 2B are flowcharts of the threshold signature method based on secret sharing without a dealer of the present invention. Figure 3 is a schematic diagram of generating private-key shares and computing the public key with the present invention. Figure 4 is a schematic diagram of computing and generating a signature with the present invention.

110: client

120: server

121: front-end host

122: node

130: execution node

131: execution module

132: key module

133: computation module

134: signature module

Claims (10)

1. A threshold signature system based on secret sharing without a dealer, the system comprising:
a client, which is permitted to act as one of a plurality of execution nodes and which sends a transaction request and a key request containing a threshold value and a total value, wherein the threshold value is less than or equal to the total value and both the threshold value and the total value are positive integers greater than 1; and
a server, comprising:
a front-end host, which receives the transaction request and the key request, selects a number of the execution nodes equal to the total value according to the key request, and, at the start of a blockchain transaction, generates a raw transaction message corresponding to the transaction request and the blockchain data format for transmission; and
a plurality of nodes connected to the front-end host, the nodes selected by the front-end host serving as the execution nodes, each execution node comprising:
an execution module, which executes a Joint Random Secret Sharing (JRSS) algorithm, selecting a random polynomial for computation and exchanging the computed results with every execution node to generate a corresponding private-key share; executes the joint random secret sharing algorithm twice to generate a corresponding first share and second share; and executes a Joint Random Zero Secret Sharing (JZSS) algorithm twice to generate a corresponding third share and fourth share;
a key module, connected to the execution module, which broadcasts the product of the generated private-key share and a base point, and computes a public key from the sum of the product values broadcast by every execution node;
a computation module, connected to the execution module, which computes a corresponding first broadcast value and second broadcast value from the first share, second share, third share and fourth share held by each execution node, wherein the first broadcast value is the first share multiplied by the second share plus the third share and the second broadcast value is the second share multiplied by the base point, broadcasts the computed first and second broadcast values, and computes a curve point from all first and second broadcast values; and
a signature module, connected to the execution module, the key module and the computation module, which executes a threshold signing protocol of the elliptic curve digital signature algorithm, computing and exchanging messages based on the raw transaction message, an X coordinate of the curve point, and the first share, private-key share and fourth share held by each execution node, wherein, when the number of computed and exchanged messages meets the threshold value, at least one of the execution nodes generates a transaction signature from the results, embeds the transaction signature in the raw transaction message to generate a signed transaction message, and broadcasts the signed transaction message to the blockchain network.

2. The threshold signature system based on secret sharing without a dealer of claim 1, wherein the client and the execution nodes are pre-configured with the same secret sharing parameters, comprising the values of the elliptic curve, the prime, the base point and the order, for use in executing the joint random secret sharing algorithm and the joint random zero secret sharing algorithm.

3. The threshold signature system based on secret sharing without a dealer of claim 1, wherein each execution node computes a corresponding signature share from the raw transaction message, the X coordinate, and its own first share, private-key share and fourth share, performs secure multi-party computation to broadcast the signature share of every execution node, computes a signature value by interpolation, and generates the transaction signature from the X coordinate and the signature value.

4. The threshold signature system based on secret sharing without a dealer of claim 1, wherein the public key, after hashing, serves as an account address of the client through which blockchain transactions are conducted, the hashing comprising a Secure Hash Algorithm (SHA).

5. The threshold signature system based on secret sharing without a dealer of claim 1, wherein each execution node executes the joint random zero secret sharing algorithm to generate a corresponding random value and adds the random value to its own private-key share.

6. A threshold signature method based on secret sharing without a dealer, applied in a network environment having a client and a server, the server comprising a front-end host and a plurality of nodes, the method comprising the steps of:
the client sending a key request containing a threshold value and a total value to the front-end host of the server, wherein the threshold value is less than or equal to the total value and both the threshold value and the total value are positive integers greater than 1;
the front-end host, according to the received key request, selecting from the nodes and the client a number of execution nodes equal to the total value, each execution node executing a Joint Random Secret Sharing (JRSS) algorithm, selecting its own random polynomial for computation and exchanging the computed results with every execution node to generate a corresponding private-key share;
each execution node broadcasting the product of its generated private-key share and a base point, and computing a public key from the sum of the product values broadcast by every execution node;
at the start of a blockchain transaction, the front-end host of the server receiving a transaction request from the client, generating a corresponding raw transaction message according to the transaction request and the blockchain data format, and sending the raw transaction message to the client and to every execution node;
each execution node executing the joint random secret sharing algorithm twice to generate a corresponding first share and second share, and executing a Joint Random Zero Secret Sharing (JZSS) algorithm twice to generate a corresponding third share and fourth share;
each execution node computing a corresponding first broadcast value and second broadcast value from its own first share, second share, third share and fourth share, wherein the first broadcast value is the first share multiplied by the second share plus the third share, and the second broadcast value is the second share multiplied by the base point;
each execution node broadcasting its computed first broadcast value and second broadcast value, and computing a curve point from all first broadcast values and second broadcast values; and
each execution node executing a threshold signing protocol of the elliptic curve digital signature algorithm, computing and exchanging messages based on the raw transaction message, an X coordinate of the curve point, and its own first share, private-key share and fourth share, wherein, when the number of computed and exchanged messages meets the threshold value, at least one of the execution nodes generates a transaction signature from the results, embeds the transaction signature in the raw transaction message to generate a signed transaction message, and broadcasts the signed transaction message to the blockchain network.
, JRSS) algorithm to select a random polynomial for calculation, and exchange calculation results with each execution node to generate a corresponding private key sharing unit; each execution node broadcasts the generated private key sharing unit to a base point And calculate a public key according to the sum of the product values broadcast by each execution node; at the beginning of the blockchain transaction, the front-end host of the server receives a transaction request from the client, and according to The transaction request and the blockchain data format generate a corresponding original transaction message, and send the original transaction message to the client and each execution node; each execution node executes the joint random secret sharing algorithm twice to generate Corresponding to a first sharing unit and a second sharing unit, and performing a second joint random zero secret sharing (Joint Random Zero Secret Sharing, JZSS) algorithm to generate a corresponding third sharing unit and a fourth sharing unit Unit; each execution node calculates a corresponding first broadcast value and a second broadcast value according to the first shared unit, the second shared unit, the third shared unit, and the fourth shared unit owned by each execution node, wherein, The first broadcast value is the first shared unit multiplied by the second shared unit, plus the third shared unit, and the second broadcast value is the second shared unit multiplied by the base point; each execution node broadcasts its own The first broadcast value and the second broadcast value are calculated, and a curve coordinate point is calculated based on all the first broadcast values and the second broadcast value; and a threshold for each execution node to execute the elliptic curve digital signature algorithm Signing agreement for calculating and exchanging messages based on the original transaction message, an X coordinate of the curve coordinate point, and the first sharing unit, 
the private key sharing unit and the fourth sharing unit owned by each, When the number of calculated and exchanged messages meets the threshold, at least one of the execution nodes generates a transaction signature based on the result of the calculation and exchange of messages, and embeds the transaction signature into the original transaction message to generate a signed transaction Chapter transaction information, and broadcast the signed transaction information to the blockchain network. 根據申請專利範圍第6項之基於無分派者秘密共享的門檻式簽章方法,其中該客戶端及所述執行節點預先設置相同的一秘密共享參數,該秘密共享參數包含橢圓曲線、質數、該基點及階數的數值,以供執行該聯合隨機秘密共享演算法及該聯合隨機零值秘密共享演算法之用。According to item 6 of the scope of patent application, the threshold signature method based on secret sharing without dispatcher, wherein the client and the execution node are preset with the same secret sharing parameter, the secret sharing parameter includes elliptic curve, prime number, and The values of the base point and the order are used for executing the joint random secret sharing algorithm and the joint random zero-value secret sharing algorithm. 根據申請專利範圍第6項之基於無分派者秘密共享的門檻式簽章方法,其中每一執行節點根據該原始交易訊息、該X座標及各自擁有的所述第一共享單元、所述私鑰共享單元及所述第四共享單元計算出相應的一簽章共享單元,並且執行安全多方運算廣播每一執行節點的該簽章共享單元再以內插法計算出一簽章值,以及根據該X座標及該簽章值生成該交易簽章。According to item 6 of the scope of patent application, the threshold type signature method based on secret sharing without dispatcher, wherein each execution node is based on the original transaction message, the X coordinate, and the first shared unit and the private key owned by each The sharing unit and the fourth sharing unit calculate a corresponding signature sharing unit, and perform a secure multi-party operation to broadcast the signature sharing unit of each execution node to calculate a signature value by interpolation, and according to the X The coordinates and the signature value generate the transaction signature. 
根據申請專利範圍第6項之基於無分派者秘密共享的門檻式簽章方法,其中該公鑰進行雜湊處理後作為該客戶端的一帳戶地址,用以透過該帳戶地址進行區塊鏈交易,所述雜湊處理包含安全雜湊演算法(Secure Hash Algorithm, SHA)。According to item 6 of the scope of patent application, the threshold-style signature method based on secret sharing without assignors, in which the public key is hashed and used as an account address of the client to perform blockchain transactions through the account address. The hash processing includes Secure Hash Algorithm (SHA). 根據申請專利範圍第6項之基於無分派者秘密共享的門檻式簽章方法,其中每一執行節點執行該聯合隨機零值秘密共享演算法以生成相應的一隨機數值,並且將該隨機數值與各自的所述私鑰共享單元相加。According to the threshold signature method based on the secret sharing of no dispatcher in item 6 of the scope of patent application, each execution node executes the joint random zero-value secret sharing algorithm to generate a corresponding random value, and the random value is combined with The respective private key sharing units are added.
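As an added, illustrative implementation of the flow claimed above (not the patent's own code), the following pure-Python script runs the steps of claim 6 end to end on secp256k1 for five simulated nodes holding degree-2 shares, then checks the result with textbook ECDSA verification. Assumptions of mine: the "sum" of the broadcast points and of the first and second broadcast values is taken with Lagrange coefficients at zero (plain addition of shares does not recover a polynomial's constant term), shares are evaluated at node indices 1..n, n is at least 2t + 1 because the product of two degree-t shares has degree 2t, and all nodes live in one process so "broadcast" is just dictionary access.

```python
import functools, hashlib, math, secrets
P = 2**256 - 2**32 - 977  # secp256k1 prime; with order N and base point G these are the shared parameters of claims 2 and 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def ec_sum(pts): return functools.reduce(ec_add, pts, None)
def jrss(n, t, zero=False):  # JRSS, or JZSS when zero=True (constant term forced to 0)
    # each of the n nodes picks its own degree-t polynomial; node j's share is the sum of all of them at j
    polys = [[0 if zero else secrets.randbelow(N)] + [secrets.randbelow(N) for _ in range(t)] for _ in range(n)]
    ev = lambda c, j: sum(ci * pow(j, i, N) for i, ci in enumerate(c)) % N
    return {j: sum(ev(c, j) for c in polys) % N for j in range(1, n + 1)}

def lagrange(ids):  # Lagrange coefficients at 0 for the share indices ids
    return {i: math.prod((-j) * pow(i - j, -1, N) for j in ids if j != i) % N for i in ids}
def msg_hash(raw_tx):  # the original transaction message hashed to a scalar (constructed input in the test)
    return int.from_bytes(hashlib.sha256(raw_tx).digest(), "big") % N

def threshold_sign(m, n, t):  # one run of claim 6 with n nodes and degree-t shares; needs n >= 2t + 1
    x = jrss(n, t)                                    # private key shares; the key x itself never exists
    a, b = jrss(n, t), jrss(n, t)                     # first and second shares
    c, d = jrss(n, t, True), jrss(n, t, True)         # third and fourth (zero) shares
    ids = list(x); L = lagrange(ids)
    Q = ec_sum(ec_mul(L[i] * x[i] % N, G) for i in ids)        # public key from the broadcast x_i*G
    v1 = {i: (a[i] * b[i] + c[i]) % N for i in ids}            # first broadcast value (degree 2t, masked by c_i)
    v2 = {i: ec_mul(b[i], G) for i in ids}                     # second broadcast value
    ab = sum(L[i] * v1[i] for i in ids) % N                    # interpolates to a*b
    bG = ec_sum(ec_mul(L[i], v2[i]) for i in ids)              # interpolates to b*G
    R = ec_mul(pow(ab, -1, N), bG); r = R[0] % N               # curve coordinate point = a^-1 * G
    s_i = {i: (m * a[i] + r * a[i] * x[i] + d[i]) % N for i in ids}  # signature shares (claims 3 and 8)
    s = sum(L[i] * s_i[i] for i in ids) % N                    # = a*(m + r*x), the ECDSA s
    return Q, (r, s)

def ecdsa_verify(Q, m, sig):  # standard ECDSA verification against the joint public key
    r, s = sig; w = pow(s, -1, N)
    pt = ec_add(ec_mul(m * w % N, G), ec_mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r
```

The verification passing is the check that the interpolated curve point really is a^-1 * G and that the interpolated s equals a*(m + r*x), so the nodes produced an ordinary ECDSA signature without any of them ever holding x.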
Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108102431A TWI689194B (en) 2019-01-22 2019-01-22 Threshold signature system based on secret sharing without dealer and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW108102431A TWI689194B (en) 2019-01-22 2019-01-22 Threshold signature system based on secret sharing without dealer and method thereof

Publications (2)

Publication Number Publication Date
TWI689194B TWI689194B (en) 2020-03-21
TW202029687A true TW202029687A (en) 2020-08-01

Family

ID=70767048

Family Applications (1)

Application Number Title Priority Date Filing Date
TW108102431A TWI689194B (en) 2019-01-22 2019-01-22 Threshold signature system based on secret sharing without dealer and method thereof

Country Status (1)

Country Link
TW (1) TWI689194B (en)
