TW202345542A - Threshold signature generation system based on garbled circuit and method thereof - Google Patents
Threshold signature generation system based on garbled circuit and method thereof
Publication number: TW202345542A (application TW111116933A)
Authority: TW (Taiwan)
Description
The present invention relates to a signature generation system and method, and in particular to a threshold signature generation system and method based on garbled circuits.
In recent years, with the spread and rapid growth of blockchain, blockchain-based transaction technologies have appeared in large numbers. The traditional approach, in which a single party generates the signature on its own, is no longer secure enough, so vendors are looking for more secure ways to generate signatures.
Generally speaking, in the traditional signature scheme one party to a transaction signs with its private key and hands the result to the other party, who verifies it with the public key that corresponds to that private key. If the private key is lost or stolen, signatures can be forged. To strengthen the security of assets and transactions, some vendors have therefore developed schemes in which several different private keys each produce a signature, and the transaction succeeds only once a certain number of those signatures has been collected; a transaction then remains secure even if one of the private keys is stolen or lost. However, such a scheme is no longer secure once the number of compromised private keys reaches the threshold, so the problem of insufficient security remains.
In view of this, vendors need a way to generate an EdDSA signature that passes verification without any party ever holding the complete private key, while fully following the generation procedure defined by EdDSA. Such a method greatly improves the security of EdDSA signature generation and prevents the private key from being extracted through memory or cache side-channel attacks, which would otherwise make signature forgery possible.
In summary, the prior art has long suffered from insufficient security in the conventional generation of EdDSA signatures, so improved technical means are needed to solve this problem.
The invention discloses a threshold signature generation system and method based on garbled circuits.
First, the invention discloses a garbled-circuit-based threshold signature generation system comprising two hosts, a first host and a second host. The first host holds a secret d1, a secret k1, an x-coordinate x1 and a rank n1; the second host holds a secret d2, a secret k2, an x-coordinate x2 and a rank n2. The secrets d1, k1, d2 and k2 satisfy the following relations, which define the secret d and the secret k:

"BK(x1, n1) * d1 + BK(x2, n2) * d2 = d"; and
"BK(x1, n1) * k1 + BK(x2, n2) * k2 = k".

Here "BK(xj, nj)" denotes the Birkhoff coefficient of host j (j = 1 or 2), the EdDSA public key is A = d * B, the verification point is L = k * B, and B is the base point of the Ed25519 or sr25519 elliptic-curve group. Each host comprises a garbling module, a generation module, a first computation module, a second computation module, a verification module and a signing module.

The garbling module builds a first Boolean circuit and a second Boolean circuit, which serve as the garbled circuits. The first Boolean circuit takes the input parameters v1, v2, r1, r2, n and the message m and outputs a first evaluation value; each input parameter carries one group of bit values. The second Boolean circuit takes v1, v2, r1 and r2 and outputs a second evaluation value. The first evaluation value is "H2(k, m) + r1 + r2 mod n" and the second evaluation value is "k + r1 + r2", where H2(k, m) denotes hashing the concatenation of the secret k and the message m, H2 is the hash function (normally SHA-512), m is the message, n is the order of the given elliptic-curve group, v1 = "BK(x1, n1) k1 mod n" and v2 = "BK(x2, n2) k2 mod n".

The generation module, when the host is the first host, samples a random number as r1 and publishes a first hash value; when the host is the second host, it samples a random number as r2 and publishes a second hash value. The first hash value is "H(r1 * B)", the second hash value is "H(r2 * B)", and H is a hash function.

The first computation module is connected to the generation module and the garbling module. When the host is the first host it feeds its own v1, r1 and m into the first Boolean circuit, and when the host is the second host it feeds its own v2 and r2, so that the two hosts jointly evaluate the first Boolean circuit and the second host obtains the first evaluation value. The hosts then jointly evaluate the second Boolean circuit on the same v1, v2, r1 and r2 to obtain the second evaluation value, and the first public value "r1 * B" is published.

The second computation module is likewise connected to the generation module and the garbling module. When the host is the second host it feeds its own v2, r2 and m into the first Boolean circuit, and when the host is the first host it feeds its own v1 and r1, so that the two hosts jointly evaluate the first Boolean circuit and the first host obtains the first evaluation value. The hosts then jointly evaluate the second Boolean circuit on the same v1, v2, r1 and r2 to obtain the second evaluation value, and the second public value "r2 * B" is published.

The verification module is connected to the first and second computation modules. It checks that the hash values it computes over the received first public value ("r1 * B") and second public value ("r2 * B") equal the received first hash value ("H(r1 * B)") and second hash value ("H(r2 * B)"), and that the product of the second evaluation value and the base point equals the sum of the verification point L, the first public value and the second public value. When all checks pass, it computes the first signature value R from the message m, the first public value, the second public value and the base point; computes the hash value c from R, the EdDSA public key A and the message m; and computes its value Si from the secret k, the message m, the hash value c, its own Birkhoff coefficient bi and its secret di, where i is a positive integer.

The signing module is connected to the verification module and runs a Secure Validation Protocol so that the first host and the second host mutually confirm that they obtained the same first evaluation value from the first Boolean circuit. When the values match, it sums all the values Si to produce the second signature value s, and generates the EdDSA digital signature from the first signature value R and the second signature value s.
Next, the invention discloses a garbled-circuit-based threshold signature generation method with the following steps. (A) Provide a first host and a second host. The first host holds a secret d1, a secret k1, an x-coordinate x1 and a rank n1; the second host holds a secret d2, a secret k2, an x-coordinate x2 and a rank n2. The secrets d1, k1, d2 and k2 satisfy the following relations, which define the secret d and the secret k:

"BK(x1, n1) * d1 + BK(x2, n2) * d2 = d"; and
"BK(x1, n1) * k1 + BK(x2, n2) * k2 = k",

where "BK(xj, nj)" denotes the Birkhoff coefficient, j is 1 or 2, the EdDSA public key is A = d * B, the verification point is L = k * B, and B is the base point of the Ed25519 or sr25519 elliptic-curve group. (B) Provide a first Boolean circuit and a second Boolean circuit as the garbled circuits. The first Boolean circuit takes the input parameters v1, v2, r1, r2, n and the message m and outputs a first evaluation value, each input parameter carrying one group of bit values; the second Boolean circuit takes v1, v2, r1 and r2 and outputs a second evaluation value. The first evaluation value is "H2(k, m) + r1 + r2 mod n" and the second evaluation value is "k + r1 + r2", where H2(k, m) denotes hashing the concatenation of the secret k and the message m, n is the order of the given elliptic-curve group, v1 = "BK(x1, n1) k1 mod n" and v2 = "BK(x2, n2) k2 mod n". (C) The first host samples a random number as r1 and publishes the first hash value; the second host samples a random number as r2 and publishes the second hash value, where the first hash value is "H(r1 * B)", the second hash value is "H(r2 * B)", and H is a hash function. (D) The first host, using its own v1, r1 and m, and the second host, using its own v2 and r2, jointly evaluate the first Boolean circuit so that the second host obtains the first evaluation value; they then evaluate the second Boolean circuit on the same v1, v2, r1 and r2 to obtain the second evaluation value, and the first public value "r1 * B" is published. (E) The second host, using its own v2, r2 and m, and the first host, using its own v1 and r1, jointly evaluate the first Boolean circuit so that the first host obtains the first evaluation value; they then evaluate the second Boolean circuit on the same v1, v2, r1 and r2 to obtain the second evaluation value, and the second public value "r2 * B" is published. (F) The first host and the second host each check that the hash values computed over the first and second public values they received equal the received first and second hash values, and that the product of the second evaluation value and the base point equals the sum of the verification point L, the first public value and the second public value. When all checks pass, each computes the first signature value R from the message m, the first public value, the second public value and the base point; computes the hash value c from R, the EdDSA public key A and the message m; and computes its value Si from the secret k, the message m, the hash value c, its own Birkhoff coefficient bi and its secret di, where i is a positive integer. (G) Both hosts run a Secure Validation Protocol to mutually confirm that the first evaluation values they obtained from the first Boolean circuit are the same. (H) Each host sums all the values Si to produce the second signature value s and generates the EdDSA digital signature from the first signature value R and the second signature value s. Steps (D) and (E) may be executed concurrently, as may steps (G) and (H).
The system and method disclosed above differ from the prior art in that a first Boolean circuit and a second Boolean circuit are provided as garbled circuits into which the two hosts feed their input parameters and which they evaluate jointly as a secure multi-party computation. Each host thereby obtains the first evaluation value of the first Boolean circuit and the second evaluation value of the second Boolean circuit, and each host broadcasts the product of its random number and the base point so that the two sides can check that their input parameters are correct and that the results obtained through the garbled circuit agree. Only when both hold does the system produce an EdDSA signature that passes verification, which improves the security of EdDSA signature generation.
Through the above technical means, the invention achieves the technical effect of improving the security of EdDSA signature generation.
The embodiments of the invention are described in detail below with reference to the drawings and examples, so that how the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and put into practice.
Before describing the garbled-circuit-based threshold signature generation system and method, the terms defined by this invention are explained. The "EdDSA public key" (denoted "A") is the key published to all parties so that they can verify signatures. In EdDSA private-key generation a hash function (such as SHA-512) is applied to the seed; the first half of the resulting hash value becomes the private scalar, and the second half is the secret k from which this invention's "verification point" (denoted "L") is formed. The purpose of L is to confirm, when the two hosts evaluate the garbled circuit, that the inputs both of them used are the correct ones. In practice, the EdDSA public key A equals d * B and the verification point L equals k * B, where d and k are secrets (private-key material) and B is the base point of the Ed25519 or sr25519 elliptic-curve group.
The garbled-circuit-based threshold signature generation system and method are further described with reference to the drawings. Refer first to "Fig. 1", the system block diagram of the first embodiment of the system. The system comprises two hosts (100a, 100b), a first host 100a and a second host 100b. The first host 100a holds a secret d1, a secret k1, an x-coordinate x1 and a rank n1; the second host 100b holds a secret d2, a secret k2, an x-coordinate x2 and a rank n2. The secrets d1, k1, d2 and k2 satisfy the following relations, which define the secret d and the secret k:
"BK(x1, n1) * d1 + BK(x2, n2) * d2 = d"; and
"BK(x1, n1) * k1 + BK(x2, n2) * k2 = k".
Here "BK(xj, nj)" denotes the Birkhoff coefficient, j is 1 or 2, the EdDSA public key is A = d * B, the verification point is L = k * B, and B is the base point of the Ed25519 or sr25519 elliptic-curve group. Each host (100a, 100b) comprises a garbling module 110, a generation module 120, a first computation module 130, a second computation module 140, a verification module 150 and a signing module 160. The garbling module 110 builds a first Boolean circuit and a second Boolean circuit as the garbled circuits. The first Boolean circuit takes the input parameters v1, v2, r1, r2, n and the message m and outputs a first evaluation value, each input parameter carrying one group of bit values; the second Boolean circuit takes v1, v2, r1 and r2 and outputs a second evaluation value. The first evaluation value is "H2(k, m) + r1 + r2 mod n" and the second evaluation value is "k + r1 + r2", where H2(k, m) denotes hashing the concatenation of the secret k and the message m, n is the order of the given elliptic-curve group, v1 = "BK(x1, n1) k1 mod n" and v2 = "BK(x2, n2) k2 mod n".

A garbled circuit is essentially a Boolean circuit: the function to be computed is expressed as a Boolean circuit so that the participants can compute the output for given values without learning the concrete numbers the other participant fed into the function; secure multi-party computation inside a garbled circuit is thus realised at the circuit level. In practice the first and second Boolean circuits realise the garbled circuit and the secure multi-party computation (MPC) out of AND and/or XOR gates, and have several input wires for the input parameters. The group of bit values carried by each input parameter is a 256-bit value; with six input parameters, six 256-bit values are fed in altogether. The first Boolean circuit is the logic circuit satisfying "MPCEdDSA(v1, v2, r1, r2, n, m) = H2(k, m) + r1 + r2 mod n", and the second Boolean circuit is the logic circuit satisfying "ModAdd(v1, v2, r1, r2) = k + r1 + r2". Note in particular that, unlike ECDSA, the way the secrets k1 and k2 are derived is explicitly defined by EdDSA rather than by random sampling.
The generation module 120, when the host (100a, 100b) is the first host 100a, samples a random number as r1 and publishes a first hash value; when the host is the second host 100b, it samples a random number as r2 and publishes a second hash value. The first hash value is "H(r1 * B)", the second hash value is "H(r2 * B)", and H is a hash function.
The first computation module 130 is connected to the generation module 120 and the garbling module 110. When the host (100a, 100b) is the first host 100a it feeds its own v1, r1 and m into the first Boolean circuit, and when the host is the second host 100b it feeds its own v2 and r2, so that the two hosts jointly evaluate the first Boolean circuit and the second host obtains the first evaluation value. The hosts then jointly evaluate the second Boolean circuit on the same v1, v2, r1 and r2 to obtain the second evaluation value, and the first public value "r1 * B" is published. In practice the first public value is published by broadcast.
The second computation module 140 is connected to the generation module 120 and the garbling module 110. When the host (100a, 100b) is the second host 100b it feeds its own v2, r2 and m into the first Boolean circuit, and when the host is the first host 100a it feeds its own v1 and r1, so that the two hosts jointly evaluate the first Boolean circuit and the first host obtains the first evaluation value. The hosts then jointly evaluate the second Boolean circuit on the same v1, v2, r1 and r2 to obtain the second evaluation value, and the second public value "r2 * B" is published. Likewise, in practice the second public value is published by broadcast.
The verification module 150 is connected to the first computation module 130 and the second computation module 140. It checks that the hash values it computes over the received first and second public values equal the received first and second hash values, and that the product of the second evaluation value and the base point equals the sum of the verification point L, the first public value and the second public value, that is "ModAdd(v1, v2, r1, r2) * B = L + r1 * B + r2 * B", where ModAdd(v1, v2, r1, r2) is the second evaluation value "k + r1 + r2" output by the second Boolean circuit. When all checks pass, it computes the first signature value R from the message m, the first public value, the second public value and the base point; computes the hash value c from R, the EdDSA public key A and the message m; and computes its value Si from the secret k, the message m, the hash value c, its own Birkhoff coefficient bi and its secret di, where i is a positive integer. In practice the first signature value is "R = MPCEdDSA(v1, v2, r1, r2, n, m) * B - r1 * B - r2 * B", where "MPCEdDSA(v1, v2, r1, r2, n, m) = H2(k, m) + r1 + r2 mod n" denotes the first Boolean circuit and "H2(k, m) + r1 + r2 mod n" is the first evaluation value; and the hash value is "c = SHA512(R || A || m)", where SHA512 is the hash function and "||" denotes concatenation (if R is the string "aa" and A is the string "bb", then "R || A" is the string "aabb"). If "ModAdd(v1, v2, r1, r2) * B" and "L + r1 * B + r2 * B" are not equal, the identity "(v1 + v2) * B = L", i.e. v1 + v2 = k, does not hold: the parameters v1 and v2 the two sides fed in are not the correct inputs, and execution stops. In other words, the verification point L (= "k * B") known to both sides, together with the previously broadcast first public value "r1 * B" and second public value "r2 * B", lets each side check "ModAdd(v1, v2, r1, r2) * B = (k + r1 + r2) * B" and thereby confirm that all inputs to the garbled circuit were correct; an error anywhere in between makes this check fail.
The signing module 160 is connected to the verification module 150 and runs the Secure Validation Protocol so that the first host 100a and the second host 100b mutually confirm that they obtained the same first evaluation value from the first Boolean circuit. When the values match, it sums all the values Si to produce the second signature value s and generates the EdDSA digital signature from the first signature value R and the second signature value s. In practice the value Si is "Si = r + c * bi * di", where r = H2(k, m).

A point a practitioner should check before implementing the share formula as written: r = H2(k, m) is not available in the clear to either host, since each host learns only the first evaluation value e = r + r1 + r2 mod n and its own ri; and summing "Si = r + c * bi * di" literally over both hosts gives 2r + c * d, whereas verification of (R, s) against A = d * B requires s = r + c * d. The page does not state how the r term is divided between the two shares, so an implementation must arrange for it to enter the sum exactly once (one possibility, not stated on the page, is for one host to fold e - r1 into its share and the other to fold in -r2); the resulting s is then confirmed by the standard check s * B = R + c * A.
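The protocol described above, carried through end to end as an added worked example in Python; this is not code from the patent, and it is a functional illustration rather than a security argument. Assumptions made here and not stated on the page: the two garbled circuits MPCEdDSA and ModAdd are replaced by plain functions evaluated on the joined inputs (this shows the arithmetic, not the privacy the garbling provides); the commitment hash H is SHA-512; k is shared modulo n exactly as the page states, so the nonce is derived from the 32-byte encoding of k mod n rather than from the raw RFC 8032 prefix, and the threshold signature is therefore a valid Ed25519 signature under A but not bit-identical to the single-party deterministic signature; and the r term is contributed once, by host 1 folding e - r1 and host 2 folding -r2 into their shares, since the page's "Si = r + c * bi * di" is not computable by either host. The helper names (basis_row, birkhoff_coefficients, deal, threshold_sign) and the host parameters (x1, n1) = (1, 0), (x2, n2) = (2, 1) are this example's own choices. The Birkhoff routine handles a general threshold t, of which the page's two hosts are the t = 2 instance, and the Ed25519 helpers are checked against RFC 8032 test vector 1.

```python
# Added example, not code from the patent: the page's two-host protocol simulated
# in the clear on top of a minimal Ed25519 (RFC 8032) implementation.
import hashlib
import secrets

p = 2**255 - 19                                        # field prime
n = 2**252 + 27742317777372353535851937790883648493    # group order, the page's "n"
D = (-121665 * pow(121666, p - 2, p)) % p              # curve constant (not the secret d)
I = pow(2, (p - 1) // 4, p)

def inv(a): return pow(a, p - 2, p)

def xrecover(y):                                       # even x with -x^2 + y^2 = 1 + D x^2 y^2
    xx = (y * y - 1) * inv(D * y * y + 1) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p: x = x * I % p
    return p - x if x & 1 else x

B = (xrecover(4 * inv(5) % p), 4 * inv(5) % p)         # base point
O = (0, 1)                                             # identity

def add(P, Q):                                         # affine twisted-Edwards addition
    (x1, y1), (x2, y2) = P, Q
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % p, (y1 * y2 + x1 * x2) * inv(1 - t) % p)

def neg(P): return ((p - P[0]) % p, P[1])

def mul(k, P):                                         # double-and-add scalar multiplication
    R = O
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def enc(P): return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def dec(b):                                            # inverse of enc
    y = int.from_bytes(b, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = xrecover(y)
    return ((p - x) if (x & 1) != sign else x, y)

def H(*parts): return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def keygen(seed):
    h = bytearray(hashlib.sha512(seed).digest())
    h[0] &= 248; h[31] = (h[31] & 63) | 64             # clamp the first half
    d = int.from_bytes(h[:32], "little")               # page's secret d
    k = int.from_bytes(h[32:], "little")               # page's secret k (RFC 8032 prefix)
    return d, k, mul(d, B)                             # A = d * B

def sign(seed, m):                                     # single-party RFC 8032 signing
    d, k, A = keygen(seed)
    r = H(k.to_bytes(32, "little"), m) % n
    R = mul(r, B)
    c = H(enc(R), enc(A), m) % n
    return enc(R) + ((r + c * d) % n).to_bytes(32, "little")

def verify(A_bytes, m, sig):                           # standard check s*B == R + c*A
    R, s = dec(sig[:32]), int.from_bytes(sig[32:], "little")
    c = H(sig[:32], A_bytes, m) % n
    return s < n and mul(s, B) == add(R, mul(c, dec(A_bytes)))

def basis_row(x, r, t):
    """d^r/dx^r of x^i at x for i = 0..t-1, mod n: one row of the Birkhoff matrix."""
    row = []
    for i in range(t):
        c = 1
        for u in range(r): c *= i - u                  # falling factorial i(i-1)...(i-r+1)
        row.append(c * pow(x, i - r, n) % n if i >= r else 0)
    return row

def birkhoff_coefficients(points):
    """BK(x_j, n_j) for hosts (x_j, rank n_j): row 0 of the inverse Birkhoff matrix."""
    t = len(points)
    M = [basis_row(x, r, t) for x, r in points]
    A = [[M[j][i] for j in range(t)] + [int(i == 0)] for i in range(t)]  # solve M^T y = e_0
    for col in range(t):                               # Gauss-Jordan elimination mod n
        piv = next((rw for rw in range(col, t) if A[rw][col]), None)
        if piv is None:
            raise ValueError("Birkhoff matrix is singular: these (x, rank) pairs are not poised")
        A[col], A[piv] = A[piv], A[col]
        iv = pow(A[col][col], n - 2, n)
        A[col] = [v * iv % n for v in A[col]]
        for rw in range(t):
            if rw != col and A[rw][col]:
                f = A[rw][col]
                A[rw] = [(a - f * b) % n for a, b in zip(A[rw], A[col])]
    return [A[i][t] for i in range(t)]

def deal(secret, points):
    """Shares f^(n_j)(x_j) of a random degree t-1 polynomial f with f(0) = secret mod n."""
    t = len(points)
    coeffs = [secret % n] + [secrets.randbelow(n) for _ in range(t - 1)]
    return [sum(a * b for a, b in zip(coeffs, basis_row(x, r, t))) % n for x, r in points]

def threshold_sign(seed, m, points=((1, 0), (2, 1))):
    """Page's protocol with the circuits evaluated in the clear. Returns (enc(A), sig)."""
    d, k, A = keygen(seed)
    bk = birkhoff_coefficients(points)                 # b_1, b_2 on the page
    d1, d2 = deal(d, points)                           # BK1*d1 + BK2*d2 = d
    k1, k2 = deal(k, points)                           # BK1*k1 + BK2*k2 = k mod n
    L = mul(k % n, B)                                  # verification point L = k*B (public)
    v1, v2 = bk[0] * k1 % n, bk[1] * k2 % n            # circuit inputs v1, v2
    r1, r2 = secrets.randbelow(n), secrets.randbelow(n)
    R1, R2 = mul(r1, B), mul(r2, B)                    # public values r1*B, r2*B
    h1, h2 = hashlib.sha512(enc(R1)).digest(), hashlib.sha512(enc(R2)).digest()  # H(r_i*B)
    kk = (v1 + v2) % n                                 # the k the circuits reconstruct (k mod n)
    e = (H(kk.to_bytes(32, "little"), m) + r1 + r2) % n   # MPCEdDSA: H2(k,m) + r1 + r2 mod n
    t = (kk + r1 + r2) % n                                # ModAdd: k + r1 + r2
    if hashlib.sha512(enc(R1)).digest() != h1 or hashlib.sha512(enc(R2)).digest() != h2:
        raise ValueError("commitment to r_i*B does not open")
    if mul(t, B) != add(add(L, R1), R2):               # ModAdd*B == L + r1*B + r2*B
        raise ValueError("circuit inputs v1, v2 inconsistent with L")
    R = add(mul(e, B), neg(add(R1, R2)))               # R = e*B - r1*B - r2*B = H2(k,m)*B
    c = H(enc(R), enc(A), m) % n                       # c = SHA512(R || A || m)
    # Page: S_i = r + c*b_i*d_i. Neither host holds r; this example's own split (an
    # assumption) contributes r once: S1 + S2 = e - r1 - r2 + c*(b1*d1 + b2*d2) = r + c*d.
    S1 = (e - r1 + c * bk[0] * d1) % n
    S2 = (-r2 + c * bk[1] * d2) % n
    return enc(A), enc(R) + ((S1 + S2) % n).to_bytes(32, "little")
```

Running threshold_sign on any 32-byte seed and message yields a signature that verify() accepts under the same public key A that keygen() produces, which is the page's compatibility claim; changing one host's v_i, or the opening of either commitment, makes the consistency check raise before any share is combined. Replacing the ranks in points with (1, 0), (2, 0) turns the Birkhoff coefficients into ordinary Lagrange coefficients, the flat-threshold special case.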
It should be noted that, in practice, the modules of this invention can be implemented in various ways, including software, hardware or any combination thereof; in some embodiments each module is realised in software, in hardware, or in both. The invention can also be implemented partly or wholly in hardware, for example by realising one or more modules of the system as an integrated-circuit chip, a system on chip (SoC), a complex programmable logic device (CPLD) or a field-programmable gate array (FPGA). The invention may be a system, a method and/or a computer program product. A computer program product may comprise a computer-readable storage medium carrying computer-readable program instructions that cause a processor to carry out aspects of the invention. The computer-readable storage medium may be a tangible device that can hold and store instructions for use by an instruction-executing device, for example an electrical, magnetic, optical, electromagnetic or semiconductor storage device, or any suitable combination of these. More specific examples (a non-exhaustive list) include hard disks, random-access memory, read-only memory, flash memory, optical discs, floppy disks and any suitable combination of these. A computer-readable storage medium as used here is not to be construed as transient signals themselves, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (for example optical signals in a fibre-optic cable), or electrical signals transmitted over a wire. The computer-readable program instructions described here may be downloaded from a computer-readable storage medium to the respective computing or processing devices, or to an external computer or external storage device over a network such as the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical-fibre transmission, wireless transmission, routers, firewalls, switches, hubs and/or gateways. A network card or network interface in each computing or processing device receives the computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within that device. The computer program instructions that carry out the operations of the invention may be assembly-language instructions, instruction-set-architecture instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, or source code or object code written in any combination of one or more programming languages, including object-oriented languages such as Common Lisp, Python, C++, Objective-C, Smalltalk, Delphi, Java, Swift, C#, Perl, Ruby and PHP, and conventional procedural languages such as C or similar languages. The computer program instructions may execute entirely on a computer, partly on a computer, as a stand-alone software package, partly on a client computer and partly on a remote computer, or entirely on a remote computer or server.
Refer to "Fig. 2A" to "Fig. 2C", the flowchart of the first embodiment of the garbled-circuit-based threshold signature generation method. Its steps are as follows. Provide a first host and a second host, where the first host holds a secret d1, a secret k1, an x-coordinate x1 and a rank n1, the second host holds a secret d2, a secret k2, an x-coordinate x2 and a rank n2, and the secrets d1, k1, d2 and k2 satisfy the following relations, which define the secret d and the secret k:

BK(x1, n1) * d1 + BK(x2, n2) * d2 = d,
BK(x1, n1) * k1 + BK(x2, n2) * k2 = k,

where "BK(xj, nj)" denotes the Birkhoff coefficient, j is 1 or 2, the EdDSA public key is A = d * B, the verification point is L = k * B, and B is the base point of the Ed25519 or sr25519 elliptic-curve group (step 210). Provide a first Boolean circuit and a second Boolean circuit as the garbled circuits, where the first Boolean circuit takes the input parameters v1, v2, r1, r2, n and the message m and outputs a first evaluation value, each input parameter carrying one group of bit values, and the second Boolean circuit takes v1, v2, r1 and r2 and outputs a second evaluation value; the first evaluation value is "H2(k, m) + r1 + r2 mod n" and the second evaluation value is "k + r1 + r2", where H2(k, m) denotes hashing the concatenation of the secret k and the message m, n is the order of the given elliptic-curve group, v1 = "BK(x1, n1) k1 mod n" and v2 = "BK(x2, n2) k2 mod n" (step 220). The first host samples a random number as r1 and publishes the first hash value, and the second host samples a random number as r2 and publishes the second hash value, where the first hash value is "H(r1 * B)", the second hash value is "H(r2 * B)", and H is a hash function (step 230). The first host, using its own v1, r1 and m, and the second host, using its own v2 and r2, jointly evaluate the first Boolean circuit so that the second host obtains the first evaluation value; they then evaluate the second Boolean circuit on the same v1, v2, r1 and r2 to obtain the second evaluation value, and the first public value "r1 * B" is published (step 240). The second host, using its own v2, r2 and m, and the first host, using its own v1 and r1, jointly evaluate the first Boolean circuit so that the first host obtains the first evaluation value; they then evaluate the second Boolean circuit on the same v1, v2, r1 and r2 to obtain the second evaluation value, and the second public value "r2 * B" is published (step 250). The first host and the second host each check that the hash values computed over the first and second public values they received equal the received first and second hash values, and that the product of the second evaluation value and the base point equals the sum of the verification point L, the first public value and the second public value; when all checks pass, each computes the first signature value R from the message m, the first public value, the second public value and the base point, computes the hash value c from R, the EdDSA public key A and the message m, and computes its value Si from the secret k, the message m, the hash value c, its own Birkhoff coefficient bi and its secret di, where i is a positive integer (step 260). Both hosts run a Secure Validation Protocol to mutually confirm that the first evaluation values they obtained from the first Boolean circuit are the same (step 270). Each host sums all the values Si to produce the second signature value s and generates the EdDSA digital signature from the first signature value R and the second signature value s (step 280). Steps 240 and 250 may be executed concurrently, as may steps 270 and 280.
The following description refers to "Fig. 3", which is a schematic diagram of the garbled circuit used by the present invention. In practice, the garbled circuit of the present invention comprises a first Boolean circuit 310 and a second Boolean circuit 320. The first Boolean circuit 310 provides input wires for parameter v1 (i.e. "BK(x1,n1) k1 mod n"), parameter v2 (i.e. "BK(x2,n2) k2 mod n"), parameter r1 (i.e. the random number chosen by the first host 100a), parameter r2 (i.e. the random number chosen by the second host 100b), parameter n (i.e. the order of the given elliptic curve group) and message m; it may be denoted "MPCEdDSA(v1,v2,r1,r2,n,m)" and outputs the first evaluation value "H2(k,m) + r1 + r2 mod n" (where "H2(k,m)" may be taken as "SHA512(k || m)", the value obtained by concatenating the secret k with the message m and then hashing). The second Boolean circuit 320 provides input wires for parameter v1, parameter v2, parameter r1 and parameter r2; it may be denoted "ModAdd(v1,v2,r1,r2)" and outputs the second evaluation value "k + r1 + r2". When building the first Boolean circuit 310, at least one of AND gates and XOR gates is used to construct a logic circuit satisfying "MPCEdDSA(v1,v2,r1,r2,n,m) = H2(k,m) + r1 + r2 mod n"; when building the second Boolean circuit 320, AND and XOR gates are likewise used to construct a logic circuit satisfying "ModAdd(v1,v2,r1,r2) = k + r1 + r2". Note in particular that within a single signing run, the parameters v1, v2, r1 and r2 input to the first Boolean circuit 310 are the same parameters v1, v2, r1 and r2 input to the second Boolean circuit 320, while parameters r1 and r2 are chosen afresh for every signature.
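The flow of steps 210 to 280 and the two circuits MPCEdDSA and ModAdd above, as an added example that is not code from the patent or its applicant: a Python simulation of the two-host signing run, including the step 260 checks (commitment opening and "(k + r1 + r2) * B == L + r1 * B + r2 * B") and the assembly of the signature from the two hosts' values S_i. Everything below is assumed for illustration: a Schnorr group over the small safe prime p = 2039 (q = 1019, generator 4) stands in for the Ed25519/sr25519 curve, so "k * B" becomes pow(G, k, P) and point addition becomes multiplication mod p; both hosts sit at level value 0, so BK(x_j, 0) reduces to the Lagrange coefficient of a degree-1 sharing; the garbled circuits are evaluated in the clear by code that sees both hosts' inputs (the real system hides them); shares come from a trusted dealer; and, because the page does not spell out the formulas for R and S_i, the split R = eval1 * B - R1 - R2, S1 = eval1 - r1 + c * b1 * d1, S2 = c * b2 * d2 - r2 is one consistent choice whose sum is a valid Schnorr/EdDSA-style signature, not necessarily the patent's own.

```python
"""Simulation of the two-host threshold signing flow (constructed example, see lead-in)."""
import hashlib
import secrets

# Assumption: toy Schnorr group instead of Ed25519. p = 2q + 1 is a safe prime,
# G = 4 generates the order-q subgroup, so exponents live in Z_q (the "mod n" of the page).
P, Q, G = 2039, 1019, 4


def H(*parts):
    """Hash helper H (and H2 when called as H(k, m)): SHA-512 over the concatenation, reduced mod q."""
    h = hashlib.sha512()
    for x in parts:
        h.update(x if isinstance(x, bytes) else str(x).encode())
    return int.from_bytes(h.digest(), "big") % Q


def birkhoff_level0(x_self, x_other):
    """BK(x_j, 0) for a 2-of-2 degree-1 sharing (assumption: both level values are 0,
    so the Birkhoff coefficient is the Lagrange coefficient evaluated at 0)."""
    return x_other * pow((x_other - x_self) % Q, -1, Q) % Q


def share(secret, x1, x2):
    """Trusted-dealer Shamir split f(x) = secret + a*x mod q (constructed; the page's
    shares d_j, k_j come from elsewhere in the system)."""
    a = secrets.randbelow(Q)
    return (secret + a * x1) % Q, (secret + a * x2) % Q


def check_step260(L, R1, R2, h1, h2, eval2):
    """Step 260 checks each host runs on the published values: the received public
    values open the earlier commitments, and eval2 * B == L + R1 + R2."""
    return H(R1) == h1 and H(R2) == h2 and pow(G, eval2, P) == L * R1 * R2 % P


def sign_threshold(m: bytes):
    x1, x2 = 1, 2                                   # X coordinates of the two hosts
    d, k = secrets.randbelow(Q), secrets.randbelow(Q)
    d1, d2 = share(d, x1, x2)                       # step 210: d = BK1*d1 + BK2*d2
    k1, k2 = share(k, x1, x2)                       #           k = BK1*k1 + BK2*k2
    b1, b2 = birkhoff_level0(x1, x2), birkhoff_level0(x2, x1)
    A, L = pow(G, d, P), pow(G, k, P)               # A = d*B, L = k*B
    v1, v2 = b1 * k1 % Q, b2 * k2 % Q               # step 220: v_j = BK_j * k_j mod n
    r1, r2 = secrets.randbelow(Q), secrets.randbelow(Q)   # step 230: fresh per signature
    R1, R2 = pow(G, r1, P), pow(G, r2, P)           # r1*B, r2*B (published in 240/250)
    h1, h2 = H(R1), H(R2)                           # published commitments H(r_j * B)
    # steps 240/250: circuit outputs, computed in the clear here (assumption)
    k_rec = (v1 + v2) % Q                           # inside the circuit, v1 + v2 = k
    eval1 = (H(k_rec, m) + r1 + r2) % Q             # MPCEdDSA(v1, v2, r1, r2, n, m)
    eval2 = (v1 + v2 + r1 + r2) % Q                 # ModAdd(v1, v2, r1, r2)
    # step 260: abort unless commitments and the L/R1/R2 relation both hold
    if not check_step260(L, R1, R2, h1, h2, eval2):
        raise ValueError("step 260 verification failed")
    # Assumed formulas (see lead-in): R = eval1*B - R1 - R2 = H2(k,m)*B
    R = pow(G, eval1, P) * pow(R1 * R2 % P, -1, P) % P
    c = H(R, A, m)                                  # c = H(R || A || m)
    S1 = (eval1 - r1 + c * b1 * d1) % Q             # host 1's value S_1
    S2 = (c * b2 * d2 - r2) % Q                     # host 2's value S_2
    s = (S1 + S2) % Q                               # step 280: s = H2(k,m) + c*d
    return {"A": A, "R": R, "s": s, "k": k, "k_rec": k_rec}


def verify(A, R, s, m: bytes) -> bool:
    """Schnorr/EdDSA-style check s*B == R + c*A in the toy group."""
    return pow(G, s, P) == R * pow(A, H(R, A, m), P) % P


if __name__ == "__main__":
    t = sign_threshold(b"constructed test message")
    print("signature valid:", verify(t["A"], t["R"], t["s"], b"constructed test message"))
```

The point of the step 260 relation is visible in check_step260: a host that fed the circuit a wrong v_j, or that published an R_j different from the one it committed to, changes eval2 or the opening so that the equality fails before any share S_i is released; the secure validation protocol of step 270 then closes the remaining gap of the two hosts holding different eval1 values, which this simulation cannot show because both values are computed by the same code.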
In summary, the present invention differs from the prior art in that a first Boolean circuit and a second Boolean circuit are provided as garbled circuits so that two hosts can input multiple parameters and jointly perform secure multi-party computation, whereby each host obtains the first evaluation value of the first Boolean circuit and the second evaluation value of the second Boolean circuit, and each host broadcasts the product of its random number and the base point, so that the parties can verify whether both sides' input parameters are correct and whether the results obtained through the garbled circuits are identical, and an EdDSA signature that passes verification is generated only when they are correct and identical. This technical means solves the problems of the prior art and thereby achieves the technical effect of improving the security of EdDSA signature generation.
Although the present invention has been disclosed by the foregoing embodiments, they are not intended to limit the present invention. Anyone skilled in the relevant art may make minor changes and refinements without departing from the spirit and scope of the present invention; the scope of patent protection of the present invention shall therefore be determined by the claims appended to this specification.
Reference numerals:
100a, 100b: host
110: garbling module
120: generation module
130: first computation module
140: second computation module
150: verification module
160: signature module
310: first Boolean circuit
320: second Boolean circuit
Step 210: providing a first host and a second host, the first host having a secret d1, a secret k1, an X coordinate x1 and a level value n1, and the second host having a secret d2, a secret k2, an X coordinate x2 and a level value n2, where the secret d1, the secret k1, the secret d2 and the secret k2 satisfy the following expressions to form a secret d and a secret k: BK(x1,n1) * d1 + BK(x2,n2) * d2 = d, BK(x1,n1) * k1 + BK(x2,n2) * k2 = k, where BK(xj, nj) denotes the Birkhoff coefficient, j is 1 or 2, an EdDSA public key A is set to d * B, a verification elliptic-curve point L is set to k * B, and B is a base point of the Ed25519 or sr25519 elliptic curve group
Step 220: providing a first Boolean circuit and a second Boolean circuit as garbled circuits, the first Boolean circuit accepting a plurality of input parameters comprising a parameter v1, a parameter v2, a parameter r1, a parameter r2, a parameter n and a message m and outputting a first evaluation value, each input parameter carrying its own set of bit values, and the second Boolean circuit accepting the parameter v1, the parameter v2, the parameter r1 and the parameter r2 and outputting a second evaluation value, where the first evaluation value is H2(k,m) + r1 + r2 mod n, the second evaluation value is k + r1 + r2, H2(k,m) denotes hashing the concatenation of the secret k and the message m, the parameter n is the order of the given elliptic curve group, the parameter v1 has the value BK(x1,n1) k1 mod n and the parameter v2 has the value BK(x2,n2) k2 mod n
Step 230: the first host generating a random number as the parameter r1 and publishing a first hash value, and the second host generating a random number as the parameter r2 and publishing a second hash value, where the first hash value is H(r1 * B), the second hash value is H(r2 * B), and H denotes a hash function
Step 240: the first host, using its own parameter v1, parameter r1 and message m, and the second host, using its own parameter v2 and parameter r2, jointly executing the first Boolean circuit so that the second host obtains the first evaluation value from it, then jointly executing the second Boolean circuit with the same parameter v1, parameter v2, parameter r1 and parameter r2 to obtain the second evaluation value, and publishing a first public value r1 * B
Step 250: the second host, using its own parameter v2, parameter r2 and message m, and the first host, using its own parameter v1 and parameter r1, jointly executing the first Boolean circuit so that the first host obtains the first evaluation value from it, then jointly executing the second Boolean circuit with the same parameter v1, parameter v2, parameter r1 and parameter r2 to obtain the second evaluation value, and publishing a second public value r2 * B
Step 260: the first host and the second host each verifying whether the hash values computed from the first public value and the second public value they received equal the received first hash value and second hash value, and whether the product of the second evaluation value and the base point equals the sum of the verification elliptic-curve point L, the first public value and the second public value; when both verifications pass, each host computing a first signature value R from the message m, the first public value, the second public value and the base point, computing a hash value c from the first signature value R, the EdDSA public key A and the message m, and then computing a corresponding value S_i from the secret k, the message m, the hash value c, its own Birkhoff coefficient b_i and the secret d_i, where i is a positive integer
Step 270: the first host and the second host both executing a Secure Validation Protocol to mutually verify that the first evaluation values they each obtained from the first Boolean circuit are identical
Step 280: the first host and the second host each summing all the values S_i to produce a second signature value s, and producing the EdDSA digital signature from the first signature value R and the second signature value s
Fig. 1 is a system block diagram of the garbled-circuit-based threshold signature generation system of the present invention. Figs. 2A to 2C are flow charts of the garbled-circuit-based threshold signature generation method of the present invention. Fig. 3 is a schematic diagram of the garbled circuit of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111116933A TWI795284B (en) | 2022-05-05 | 2022-05-05 | Threshold signature generation system based on garbled circuit and method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI795284B TWI795284B (en) | 2023-03-01 |
TW202345542A true TW202345542A (en) | 2023-11-16 |
Family
ID=86692344
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI795284B (en) |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11210664B2 (en) * | 2018-10-02 | 2021-12-28 | Capital One Services, Llc | Systems and methods for amplifying the strength of cryptographic algorithms |
US11240025B2 (en) * | 2018-11-09 | 2022-02-01 | Ares Technologies, Inc. | Systems and methods for distributed key storage |
CN114338028A (en) * | 2020-09-28 | 2022-04-12 | 华为技术有限公司 | Threshold signature method and device, electronic equipment and readable storage medium |
TWI759138B (en) * | 2021-03-15 | 2022-03-21 | 英屬開曼群島商現代財富控股有限公司 | Threshold signature scheme system based on inputting password and method thereof |
CN113972981B (en) * | 2021-09-29 | 2023-07-04 | 中国科学院大学 | SM2 cryptographic algorithm-based efficient threshold signature method |
CN114070556B (en) * | 2021-11-15 | 2023-07-25 | 成都卫士通信息产业股份有限公司 | Threshold ring signature method and device, electronic equipment and readable storage medium |
Legal events: 2022-05-05, TW, application TW111116933A, patent TWI795284B, status active