TW202345542A - Threshold signature generation system based on garbled circuit and method thereof - Google Patents


Publication number
TW202345542A
Authority
TW
Taiwan
Application number
TW111116933A
Other languages
Chinese (zh)
Other versions
TWI795284B (en)
Inventor
莊治耘
Original Assignee
英屬開曼群島商現代財富控股有限公司
Application filed by 英屬開曼群島商現代財富控股有限公司
Priority to TW111116933A
Application granted
Publication of TWI795284B
Publication of TW202345542A

Landscapes

  • Storage Device Security (AREA)

Abstract

A threshold signature generation system based on a garbled circuit, and a method thereof, are disclosed. A first Boolean circuit and a second Boolean circuit are provided as the garbled circuit, into which two hosts input a plurality of input parameters to jointly perform secure multi-party computation, so that each of the two hosts obtains a first evaluation value of the first Boolean circuit and a second evaluation value of the second Boolean circuit. Each host broadcasts the product of its random number and the base point, so that the hosts can verify whether the input parameters of both parties are correct and whether the results obtained from the garbled circuit are the same; when they are correct and the same, an Edwards-curve Digital Signature Algorithm (EdDSA) signature that can pass verification is generated. The mechanism helps to improve security when generating the EdDSA signature.

Description

Threshold signature generation system based on garbled circuit and method thereof

The present invention relates to a signature generation system and a method thereof, and in particular to a threshold signature generation system based on a garbled circuit and a method thereof.

In recent years, with the popularity and vigorous development of blockchain, a wide variety of blockchain-based transaction technologies have sprung up. However, the traditional approach in which a single party generates the signature is no longer secure enough, which has made vendors eager to find more secure ways to generate signatures.

Generally speaking, in the traditional signature method one party to a transaction encrypts with a private key and provides the encrypted result to the other party, who verifies it with the public key corresponding to that private key. However, if the private key is lost, the signature may be forged. Therefore, to strengthen the security of assets and transactions, some vendors have further developed techniques in which multiple different private keys produce a corresponding number of signatures, and a transaction succeeds only when a certain number of signatures is present. This way, even if one of the private keys is stolen, lost and so on, the security of the transaction can still be ensured. However, this approach is no longer secure once the number of lost private keys meets the threshold, so the problem of insufficient security remains.

In view of this, vendors urgently need a way to generate a verifiable EdDSA signature without requiring the complete private key, while fully conforming to the generation method defined by EdDSA. Such an approach greatly increases the security of generating EdDSA signatures and effectively prevents the private key from being illegally obtained through memory cache side-channel attacks, which would otherwise make signature forgery possible.

In summary, the prior art has long suffered from insufficient security in the traditional generation of EdDSA signatures, so it is necessary to propose improved technical means to solve this problem.

The present invention discloses a threshold signature generation system based on a garbled circuit and a method thereof.

First, the present invention discloses a threshold signature generation system based on a garbled circuit, which comprises two hosts, namely a first host and a second host. The first host has secret d_1, secret k_1, X coordinate x_1 and rank value n_1; the second host has secret d_2, secret k_2, X coordinate x_2 and rank value n_2. Secret d_1, secret k_1, secret d_2 and secret k_2 satisfy the following expressions, which yield secret d and secret k:

"BK(x_1,n_1) * d_1 + BK(x_2,n_2) * d_2 = d"; and

"BK(x_1,n_1) * k_1 + BK(x_2,n_2) * k_2 = k".

Here, "BK(x_j, n_j)" denotes the Birkhoff coefficient, where j is 1 or 2; the EdDSA public key A is d * B and the verification elliptic-curve point L is k * B, where B is the base point of the Ed25519 or sr25519 elliptic curve group. Each host comprises a garbling module, a generation module, a first calculation module, a second calculation module, a verification module and a signature module.

The garbling module establishes a first Boolean circuit and a second Boolean circuit that serve as the garbled circuit. The first Boolean circuit accepts a plurality of input parameters, namely parameter v1, parameter v2, parameter r1, parameter r2, parameter n and message m, and outputs a first evaluation value; each input parameter carries its own set of bit values. The second Boolean circuit accepts parameter v1, parameter v2, parameter r1 and parameter r2 and outputs a second evaluation value. The first evaluation value is "H_2(k,m) + r1 + r2 mod n" and the second evaluation value is "k + r1 + r2", where H_2(k,m) denotes hashing the concatenation of secret k and message m, H_2 is a hash function (usually chosen to be SHA-512), m is the message, parameter n is the number of elements of the given elliptic curve group, the value of parameter v1 is "BK(x_1,n_1) k_1 mod n" and the value of parameter v2 is "BK(x_2,n_2) k_2 mod n".

The generation module, when the host is the first host, generates a random number as parameter r1 and publishes a first hash value; when the host is the second host, it generates a random number as parameter r2 and publishes a second hash value. The first hash value is computed as "H(r1 * B)" and the second hash value as "H(r2 * B)", where H is a hash function.

The first calculation module is connected to the generation module and the garbling module. When the host is the first host, it inputs its own parameter v1, parameter r1 and message m into the first Boolean circuit; when the host is the second host, it inputs its own parameter v2 and parameter r2 into the first Boolean circuit. The hosts thereby jointly execute the first Boolean circuit so that the second host obtains the first evaluation value from the first Boolean circuit, then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and the first public value, computed as "r1 * B", is published.

The second calculation module is connected to the generation module and the garbling module. When the host is the second host, it inputs its own parameter v2, parameter r2 and message m into the first Boolean circuit; when the host is the first host, it inputs its own parameter v1 and parameter r1 into the first Boolean circuit. The hosts thereby jointly execute the first Boolean circuit so that the first host obtains the first evaluation value from the first Boolean circuit, then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and the second public value, computed as "r2 * B", is published.

The verification module is connected to the first calculation module and the second calculation module. It verifies whether the hash values computed from the first public value (i.e. "r1 * B") and the second public value (i.e. "r2 * B") that it obtained are equal to the received first hash value (i.e. "H(r1 * B)") and second hash value (i.e. "H(r2 * B)"), and whether the product of the second evaluation value and the base point is equal to the sum of the verification elliptic-curve point L, the first public value and the second public value. When both checks hold, it computes the first signature value R from message m, the first public value, the second public value and the base point, computes the hash value c from the first signature value R, the EdDSA public key A and message m, and then computes the corresponding value S_i from secret k, message m, hash value c, its own Birkhoff coefficient b_i and secret d_i, where i is a positive integer.

The signature module is connected to the verification module. It executes a Secure Validation Protocol so that the first host and the second host mutually verify that the first evaluation values they obtained from the first Boolean circuit are the same; when they are the same, all the values S_i are summed to generate the second signature value s, and the EdDSA digital signature is generated from the first signature value R and the second signature value s.

Next, the present invention discloses a threshold signature generation method based on a garbled circuit, whose steps include: (A) providing a first host and a second host, where the first host has secret d_1, secret k_1, X coordinate x_1 and rank value n_1, the second host has secret d_2, secret k_2, X coordinate x_2 and rank value n_2, and secret d_1, secret k_1, secret d_2 and secret k_2 satisfy the following expressions, which yield secret d and secret k:

"BK(x_1,n_1) * d_1 + BK(x_2,n_2) * d_2 = d"; and

"BK(x_1,n_1) * k_1 + BK(x_2,n_2) * k_2 = k".

Here, "BK(x_j, n_j)" denotes the Birkhoff coefficient, where j is 1 or 2; the EdDSA public key A is d * B and the verification elliptic-curve point L is k * B, where B is the base point of the Ed25519 or sr25519 elliptic curve group.

(B) Providing a first Boolean circuit and a second Boolean circuit that serve as the garbled circuit. The first Boolean circuit accepts a plurality of input parameters, namely parameter v1, parameter v2, parameter r1, parameter r2, parameter n and message m, and outputs a first evaluation value; each input parameter carries its own set of bit values. The second Boolean circuit accepts parameter v1, parameter v2, parameter r1 and parameter r2 and outputs a second evaluation value. The first evaluation value is "H_2(k,m) + r1 + r2 mod n" and the second evaluation value is "k + r1 + r2", where H_2(k,m) denotes hashing the concatenation of secret k and message m, parameter n is the number of elements of the given elliptic curve group, the value of parameter v1 is "BK(x_1,n_1) k_1 mod n" and the value of parameter v2 is "BK(x_2,n_2) k_2 mod n".

(C) The first host generates a random number as parameter r1 and publishes a first hash value, and the second host generates a random number as parameter r2 and publishes a second hash value. The first hash value is computed as "H(r1 * B)" and the second hash value as "H(r2 * B)", where H is a hash function.

(D) The first host, using its own parameter v1, parameter r1 and message m, and the second host, using its own parameter v2 and parameter r2, jointly execute the first Boolean circuit so that the second host obtains the first evaluation value from the first Boolean circuit; they then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and the first public value, computed as "r1 * B", is published.

(E) The second host, using its own parameter v2, parameter r2 and message m, and the first host, using its own parameter v1 and parameter r1, jointly execute the first Boolean circuit so that the first host obtains the first evaluation value from the first Boolean circuit; they then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and the second public value, computed as "r2 * B", is published.

(F) The first host and the second host each verify whether the hash values computed from the first public value and the second public value they obtained are equal to the received first hash value and second hash value, and whether the product of the second evaluation value and the base point is equal to the sum of the verification elliptic-curve point L, the first public value and the second public value. When both checks hold, each host computes the first signature value R from message m, the first public value, the second public value and the base point, computes the hash value c from the first signature value R, the EdDSA public key A and message m, and then computes the corresponding value S_i from secret k, message m, hash value c, its own Birkhoff coefficient b_i and secret d_i, where i is a positive integer.

(G) The first host and the second host both execute a Secure Validation Protocol to mutually verify that the first evaluation values the two parties obtained from the first Boolean circuit are the same.

(H) The first host and the second host each sum all the values S_i to generate the second signature value s, and generate the EdDSA digital signature from the first signature value R and the second signature value s.

Step (D) and step (E) may be executed at the same time, and step (G) and step (H) may be executed at the same time.

The system and method disclosed by the present invention are as described above. The difference from the prior art is that the present invention provides a first Boolean circuit and a second Boolean circuit as the garbled circuit, into which two hosts input a plurality of input parameters and jointly perform secure multi-party computation, so that each of the two hosts obtains the first evaluation value of the first Boolean circuit and the second evaluation value of the second Boolean circuit. The product of each host's random number and the base point is broadcast so that the hosts can verify whether the input parameters of both parties are correct and whether the results obtained through the garbled circuit are the same, and an EdDSA signature that can pass verification is generated when they are correct and the same, thereby achieving the technical effect of improving the security of generating EdDSA signatures.

Through the above technical means, the present invention achieves the technical effect of improving the security of generating EdDSA signatures.

The embodiments of the present invention are described in detail below with reference to the drawings and examples, so that the process by which the present invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented accordingly.

First, before describing the threshold signature generation system based on a garbled circuit and the method thereof disclosed in the present invention, the terms defined by the present invention are explained. The "EdDSA public key" (denoted "A") is the key that is published to all parties for use in signature verification. Next, during EdDSA private key generation a hash function (such as SHA512) is used for hashing, and the first half of the resulting hash value is used as the private key, while the second half is what the present invention calls the "verification elliptic-curve point" (denoted "L"); its purpose is to make sure that, when the two parties execute the garbled circuit, the inputs they use are the correct inputs. In actual implementation, the value of the EdDSA public key A is equal to d * B and the value of the verification elliptic-curve point L is equal to k * B, where d and k are secrets (such as ciphertext or a private key) and B is the base point of the Ed25519 or sr25519 elliptic curve group.

The threshold signature generation system based on a garbled circuit and the method thereof are further described below with reference to the drawings. Please refer first to Figure 1, which is a system block diagram of the first embodiment of the threshold signature generation system based on a garbled circuit. The system comprises two hosts (100a, 100b), namely a first host 100a and a second host 100b. The first host 100a has secret d_1, secret k_1, X coordinate x_1 and rank value n_1; the second host 100b has secret d_2, secret k_2, X coordinate x_2 and rank value n_2. Secret d_1, secret k_1, secret d_2 and secret k_2 satisfy the following expressions, which yield secret d and secret k:

"BK(x_1,n_1) * d_1 + BK(x_2,n_2) * d_2 = d"; and

"BK(x_1,n_1) * k_1 + BK(x_2,n_2) * k_2 = k".

Here, "BK(x_j, n_j)" denotes the Birkhoff coefficient, where j is 1 or 2; the EdDSA public key A is d * B and the verification elliptic-curve point L is k * B, where B is the base point of the Ed25519 or sr25519 elliptic curve group. Each host (100a, 100b) comprises a garbling module 110, a generation module 120, a first calculation module 130, a second calculation module 140, a verification module 150 and a signature module 160.

The garbling module 110 establishes a first Boolean circuit and a second Boolean circuit that serve as the garbled circuit. The first Boolean circuit accepts a plurality of input parameters, namely parameter v1, parameter v2, parameter r1, parameter r2, parameter n and message m, and outputs a first evaluation value; each input parameter carries its own set of bit values. The second Boolean circuit accepts parameter v1, parameter v2, parameter r1 and parameter r2 and outputs a second evaluation value. The first evaluation value is "H_2(k,m) + r1 + r2 mod n" and the second evaluation value is "k + r1 + r2", where H_2(k,m) denotes hashing the concatenation of secret k and message m, parameter n is the number of elements of the given elliptic curve group, the value of parameter v1 is "BK(x_1,n_1) k_1 mod n" and the value of parameter v2 is "BK(x_2,n_2) k_2 mod n".

Specifically, a garbled circuit is in essence a Boolean circuit: the function to be computed is constructed as a Boolean circuit, so that the participants can compute the answer for given values without needing to know the specific numbers the participants input into the function; the secure multi-party computation in a garbled circuit is realized by way of the circuit. In actual implementation, the first Boolean circuit and the second Boolean circuit can realize the garbled circuit and secure Multi-Party Computation (MPC) by means of at least one of AND operations and exclusive-OR (XOR) operations, and have a plurality of input wires for the input parameters. The set of bit values carried by each input parameter is a 256-bit value; taking six input parameters as an example, six 256-bit values are carried in total. The first Boolean circuit is a logic circuit satisfying the condition "MPCEdDSA(v1,v2,r1,r2,n,m) = H_2(k,m) + r1 + r2 mod n", and the second Boolean circuit is a logic circuit satisfying the condition "ModAdd(v1,v2,r1,r2) = k + r1 + r2". It should be noted in particular that, unlike in ECDSA, the way secret k_1 and secret k_2 are generated is explicitly defined in EdDSA rather than being produced from random numbers.

The generation module 120, when the host (100a, 100b) is the first host 100a, generates a random number as parameter r1 and publishes a first hash value; when the host (100a, 100b) is the second host 100b, it generates a random number as parameter r2 and publishes a second hash value. The first hash value is computed as "H(r1 * B)" and the second hash value as "H(r2 * B)", where H is a hash function.

The first calculation module 130 is connected to the generation module 120 and the garbling module 110. When the host (100a, 100b) is the first host 100a, it inputs its own parameter v1, parameter r1 and message m into the first Boolean circuit; when the host (100a, 100b) is the second host 100b, it inputs its own parameter v2 and parameter r2 into the first Boolean circuit. The hosts thereby jointly execute the first Boolean circuit so that the second host obtains the first evaluation value from the first Boolean circuit, then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and the first public value, computed as "r1 * B", is published. In actual implementation, the first public value can be published by broadcast.

The second calculation module 140 is connected to the generation module 120 and the garbling module 110. When the host (100a, 100b) is the second host 100b, it inputs its own parameter v2, parameter r2 and message m into the first Boolean circuit; when the host (100a, 100b) is the first host 100a, it inputs its own parameter v1 and parameter r1 into the first Boolean circuit. The hosts thereby jointly execute the first Boolean circuit so that the first host obtains the first evaluation value from the first Boolean circuit, then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and the second public value, computed as "r2 * B", is published. Likewise, in actual implementation the second public value can be published by broadcast.

The verification module 150 is connected to the first calculation module 130 and the second calculation module 140. It verifies whether the hash values computed from the first public value and the second public value it obtained are equal to the received first hash value and second hash value, and whether the product of the second evaluation value and the base point is equal to the sum of the verification elliptic-curve point L, the first public value and the second public value (i.e. ModAdd(v1,v2,r1,r2) * B = L + r1 * B + r2 * B, where ModAdd(v1,v2,r1,r2) denotes the second evaluation value "k + r1 + r2" output by the second Boolean circuit). When both checks hold, it computes the first signature value R from message m, the first public value, the second public value and the base point, computes the hash value c from the first signature value R, the EdDSA public key A and message m, and then computes the corresponding value S_i from secret k, message m, hash value c, its own Birkhoff coefficient b_i and secret d_i, where i is a positive integer.

In actual implementation, the first signature value R is computed as "R = MPCEdDSA(v1,v2,r1,r2,n,m) * B - r1 * B - r2 * B", where "MPCEdDSA(v1,v2,r1,r2,n,m) = H_2(k,m) + r1 + r2 mod n"; "MPCEdDSA(v1,v2,r1,r2,n,m)" denotes the first Boolean circuit and "H_2(k,m) + r1 + r2 mod n" is the first evaluation value. The hash value c is computed as "c = SHA512(R || A || m)", where SHA512 is a hash function and the symbol "||" denotes concatenation: if R is the string "aa" and A is the string "bb", then "R || A" is the string "aabb".

In actual implementation, if "ModAdd(v1,v2,r1,r2) * B" and "L + r1 * B + r2 * B" are not equal, the identity "v1 + v2 = verification elliptic-curve point L" cannot be satisfied, which means that the parameters v1 and v2 input by the two parties are not the correct inputs, so execution stops. In other words, using the verification elliptic-curve point L known to both parties (i.e. "k * B") together with the previously broadcast first public value "r1 * B" and second public value "r2 * B", it is possible to verify that "ModAdd(v1,v2,r1,r2) * B = (k + r1 + r2) * B" and thereby confirm that the inputs to the garbled circuit are all correct; an error at any point along the way causes the verification to fail.

The signature module 160 is connected to the verification module 150. It executes a Secure Validation Protocol so that the first host 100a and the second host 100b mutually verify that the first evaluation values they obtained from the first Boolean circuit are the same. When they are the same, the module sums all of the values S_i to generate the second signature value s, and generates the EdDSA digital signature from the first signature value R and the second signature value s. In actual implementation, the value S_i is computed as "S_i = r + c * b_i * d_i", where r = H_2(k,m).

It should be noted that, in actual implementation, the modules described in the present invention can be realized in various ways, including software, hardware or any combination thereof. For example, in some embodiments each module can be realized using software, hardware, or both. The present invention can also be realized partially or completely in hardware: one or more modules in the system can be realized through an integrated circuit chip, a System on Chip (SoC), a Complex Programmable Logic Device (CPLD), a Field Programmable Gate Array (FPGA), and so on. The present invention may be a system, a method and/or a computer program. The computer program may include a computer-readable storage medium carrying computer-readable program instructions that cause a processor to implement the various aspects of the present invention. The computer-readable storage medium may be a tangible device that can hold and store instructions used by an instruction execution device. It may be, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the above. More specific examples (a non-exhaustive list) of computer-readable storage media include: hard disks, random access memory, read-only memory, flash memory, optical discs, floppy disks, and any suitable combination of the above. A computer-readable storage medium as used here is not to be interpreted as a transient signal itself, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (for example, optical signals through a fiber-optic cable), or electrical signals transmitted through a wire. In addition, the computer-readable program instructions described here can be downloaded from a computer-readable storage medium to individual computing/processing devices, or downloaded to an external computer device or external storage device through a network such as the Internet, a local area network, a wide area network and/or a wireless network. The network may include copper transmission cables, optical fiber transmission, wireless transmission, routers, firewalls, switches, hubs and/or gateways. A network card or network interface in each computing/processing device receives the computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium in that computing/processing device. The computer program instructions that perform the operations of the present invention may be assembly language instructions, instruction set architecture instructions, machine instructions, machine-dependent instructions, microinstructions, firmware instructions, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages such as Common Lisp, Python, C++, Objective-C, Smalltalk, Delphi, Java, Swift, C#, Perl, Ruby and PHP, as well as conventional procedural programming languages such as C or similar languages. The computer program instructions may execute entirely on a computer, partly on a computer, as a stand-alone software package, partly on a client computer and partly on a remote computer, or entirely on a remote computer or server.

Please refer to Figures 2A to 2C, which are flow charts of the first embodiment of the garbled-circuit-based threshold signature generation method of the present invention. The steps include: providing a first host and a second host, where the first host has a secret d_1, a secret k_1, an X coordinate x_1 and a level value n_1, the second host has a secret d_2, a secret k_2, an X coordinate x_2 and a level value n_2, and the secrets d_1, k_1, d_2 and k_2 satisfy the following expressions to generate the secret d and the secret k:

BK(x_1,n_1) * d_1 + BK(x_2,n_2) * d_2 = d,

BK(x_1,n_1) * k_1 + BK(x_2,n_2) * k_2 = k,

where "BK(x_j, n_j)" denotes the Birkhoff coefficient, j is 1 or 2, the EdDSA public key A is set to d * B, the verification elliptic curve point L is set to k * B, and B is the base point of the Ed25519 or sr25519 elliptic curve group (step 210);

providing a first Boolean circuit and a second Boolean circuit as the garbled circuit, where the first Boolean circuit accepts multiple input parameters, namely the parameter v1, the parameter v2, the parameter r1, the parameter r2, the parameter n and the message m, and outputs the first evaluation value, each input parameter carrying its own set of bit values, and the second Boolean circuit accepts the parameter v1, the parameter v2, the parameter r1 and the parameter r2 and outputs the second evaluation value; the first evaluation value is "H_2(k,m) + r1 + r2 mod n" and the second evaluation value is "k + r1 + r2", where H_2(k,m) denotes hashing the concatenation of the secret k and the message m, the parameter n is the number of elements of the given elliptic curve group, the value of the parameter v1 is "BK(x_1,n_1)k_1 mod n" and the value of the parameter v2 is "BK(x_2,n_2)k_2 mod n" (step 220);

the first host generates a random number as the parameter r1 and publishes the first hash value, and the second host generates a random number as the parameter r2 and publishes the second hash value, where the first hash value is computed as "H(r1 * B)", the second hash value is computed as "H(r2 * B)", and H denotes a hash function (step 230);

the first host, using its own parameter v1, parameter r1 and the message m, and the second host, using its own parameter v2 and parameter r2, jointly execute the first Boolean circuit so that the second host obtains the first evaluation value from the first Boolean circuit; they then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and the first public value, computed as "r1 * B", is published (step 240);

the second host, using its own parameter v2, parameter r2 and the message m, and the first host, using its own parameter v1 and parameter r1, jointly execute the first Boolean circuit so that the first host obtains the first evaluation value from the first Boolean circuit; they then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and the second public value, computed as "r2 * B", is published (step 250);

the first host and the second host each verify whether the hash values computed from the first public value and the second public value they obtained equal the received first hash value and second hash value, and whether the product of the second evaluation value and the base point equals the sum of the verification elliptic curve point L, the first public value and the second public value; when all of these checks find equality, each calculates the first signature value R from the message m, the first public value, the second public value and the base point, calculates the hash value c from the first signature value R, the EdDSA public key A and the message m, and then calculates the corresponding value S_i from the secret k, the message m, the hash value c, its own Birkhoff coefficient b_i and the secret d_i, where i is a positive integer (step 260);

the first host and the second host both execute a Secure Validation Protocol to mutually verify that the first evaluation values the two parties obtained from the first Boolean circuit are the same (step 270); and

the first host and the second host each sum all of the values S_i to generate the second signature value s, and generate the EdDSA digital signature from the first signature value R and the second signature value s (step 280).

Steps 240 and 250 may be executed simultaneously, and steps 270 and 280 may be executed simultaneously.

The following description is given by way of an embodiment with reference to Figure 3, which is a schematic diagram of the garbled circuit to which the present invention is applied. In actual implementation, the garbled circuit of the present invention includes a first Boolean circuit 310 and a second Boolean circuit 320. The first Boolean circuit 310 provides input wires for the parameter v1 (that is, "BK(x_1,n_1)k_1 mod n"), the parameter v2 (that is, "BK(x_2,n_2)k_2 mod n"), the parameter r1 (a random number chosen by the first host 100a), the parameter r2 (a random number chosen by the second host 100b), the parameter n (the number of elements of the given elliptic curve group) and the message m. It can be written as "MPCEdDSA(v1,v2,r1,r2,n,m)" and outputs the first evaluation value "H_2(k,m) + r1 + r2 mod n" (where "H_2(k,m)" can be regarded as "SHA512(k || m)", the value obtained by first concatenating the secret k with the message m and then hashing). The second Boolean circuit 320 provides input wires for the parameters v1, v2, r1 and r2. It can be written as "ModAdd(v1,v2,r1,r2)" and outputs the second evaluation value "k + r1 + r2". When building the first Boolean circuit 310, at least one of AND operations and exclusive-OR (XOR) operations can be used to construct a logic circuit satisfying the condition "MPCEdDSA(v1,v2,r1,r2,n,m) = H_2(k,m) + r1 + r2 mod n"; when building the second Boolean circuit 320, at least one of AND and XOR operations is likewise used to construct a logic circuit satisfying the condition "ModAdd(v1,v2,r1,r2) = k + r1 + r2". Note in particular that, within the same signing run, the parameters v1, v2, r1 and r2 input to the first Boolean circuit 310 are also the parameters v1, v2, r1 and r2 input to the second Boolean circuit 320, and that the parameters r1 and r2 are chosen afresh for every signature.
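The checks of verification module 150 (step 260) over the outputs of the two circuits of Figure 3, as an added Python example that is not code from the patent. Assumptions: the garbled-circuit evaluation is replaced by plain functions computed in the clear, H is taken to be SHA-512 over the compressed point, k is encoded as 32 little-endian bytes, the second evaluation value is reduced mod n, and every share, coefficient, nonce and message value is constructed.

```python
import hashlib

# Ed25519 group constants (RFC 8032). N is the group order, the page's parameter n.
P = 2**255 - 19
N = 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, -1, P) % P

def recover_x(y):
    """Even x with -x^2 + y^2 = 1 + D*x^2*y^2 (mod P)."""
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return P - x if x & 1 else x

BY = 4 * pow(5, -1, P) % P
BX = recover_x(BY)
B = (BX, BY, 1, BX * BY % P)      # base point B in extended coordinates (X, Y, Z, T)
IDENTITY = (0, 1, 1, 0)

def add(p1, p2):
    a = (p1[1] - p1[0]) * (p2[1] - p2[0]) % P
    b = (p1[1] + p1[0]) * (p2[1] + p2[0]) % P
    c = 2 * p1[3] * p2[3] * D % P
    d = 2 * p1[2] * p2[2] % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def mul(s, pt):
    q = IDENTITY
    while s:
        if s & 1:
            q = add(q, pt)
        pt = add(pt, pt)
        s >>= 1
    return q

def neg(pt):
    return (-pt[0] % P, pt[1], pt[2], -pt[3] % P)

def eq(p1, p2):
    return ((p1[0] * p2[2] - p2[0] * p1[2]) % P == 0
            and (p1[1] * p2[2] - p2[1] * p1[2]) % P == 0)

def encode(pt):
    zinv = pow(pt[2], -1, P)
    x, y = pt[0] * zinv % P, pt[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def commit(pub):
    """Hash value H(r * B) published in step 230 (H assumed to be SHA-512)."""
    return hashlib.sha512(encode(pub)).digest()

def h2(k, m):
    """H_2(k, m) = SHA512(k || m); the byte encoding of k is an assumption."""
    return int.from_bytes(hashlib.sha512(k.to_bytes(32, "little") + m).digest(), "little")

def mpc_eddsa(v1, v2, r1, r2, n, m):
    """Clear-text stand-in for the first Boolean circuit: H_2(k,m) + r1 + r2 mod n."""
    return (h2((v1 + v2) % n, m) + r1 + r2) % n

def mod_add(v1, v2, r1, r2):
    """Clear-text stand-in for the second Boolean circuit: k + r1 + r2 (mod n here)."""
    return (v1 + v2 + r1 + r2) % N

def verify_and_derive_r(e1, e2, L, pub1, pub2, hash1, hash2):
    """Step 260 checks, then R = e1 * B - r1 * B - r2 * B."""
    if commit(pub1) != hash1 or commit(pub2) != hash2:
        raise ValueError("public value does not match its broadcast hash")
    if not eq(mul(e2, B), add(L, add(pub1, pub2))):
        raise ValueError("ModAdd * B != L + r1*B + r2*B: circuit inputs are wrong")
    return add(mul(e1, B), neg(add(pub1, pub2)))

# Constructed sample values (not from the patent). R1 and R2 are fixed only to keep
# the run reproducible; the page has each host pick a fresh random value per signature.
K1, K2, BK1, BK2 = 0x1234567, 0x89ABCDE, 3, N - 2
R1, R2 = 0xDEADBEEF, 0xFEEDFACE
MSG = b"constructed test message"

def run(v2_input=None, pub2_sent=None):
    """One signing attempt up to R as one host sees it; arguments inject faults."""
    v1, v2 = BK1 * K1 % N, BK2 * K2 % N
    L = mul((v1 + v2) % N, B)                    # verification point L = k * B
    pub1, pub2 = mul(R1, B), mul(R2, B)
    hash1, hash2 = commit(pub1), commit(pub2)    # broadcast before the circuits run
    v2_in = v2 if v2_input is None else v2_input
    e1 = mpc_eddsa(v1, v2_in, R1, R2, N, MSG)
    e2 = mod_add(v1, v2_in, R1, R2)
    sent = pub2 if pub2_sent is None else pub2_sent
    return verify_and_derive_r(e1, e2, L, pub1, sent, hash1, hash2)

if __name__ == "__main__":
    print("R =", encode(run()).hex())
```

With honest inputs the derived R equals H_2(k,m) * B; a wrong v2 fed to the circuits or a public value that differs from its earlier hash stops the run before R is computed.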

In summary, the difference between the present invention and the prior art is that a first Boolean circuit and a second Boolean circuit are provided as the garbled circuit, so that two hosts enter multiple input parameters and jointly perform secure multi-party computation, each host obtaining the first evaluation value of the first Boolean circuit and the second evaluation value of the second Boolean circuit; the product of each host's random number and the base point is broadcast so that the hosts can verify whether both parties' input parameters are correct and whether the results obtained through the garbled circuit are the same; and an EdDSA signature that passes verification is generated when the inputs are correct and the results are the same. This technical means solves the problems of the prior art and achieves the technical effect of improving the security of generating EdDSA signatures.

Although the present invention has been disclosed above by way of the foregoing embodiments, they are not intended to limit the present invention. Anyone skilled in the relevant art may make minor changes and refinements without departing from the spirit and scope of the present invention, so the scope of patent protection of the present invention is defined by the claims attached to this specification.

100a, 100b: host
110: garbling module
120: generation module
130: first calculation module
140: second calculation module
150: verification module
160: signature module
310: first Boolean circuit
320: second Boolean circuit

Step 210: Provide a first host and a second host, where the first host has a secret d_1, a secret k_1, an X coordinate x_1 and a level value n_1, the second host has a secret d_2, a secret k_2, an X coordinate x_2 and a level value n_2, and the secrets d_1, k_1, d_2 and k_2 satisfy the following expressions to generate a secret d and a secret k: BK(x_1,n_1) * d_1 + BK(x_2,n_2) * d_2 = d, BK(x_1,n_1) * k_1 + BK(x_2,n_2) * k_2 = k, where BK(x_j, n_j) denotes the Birkhoff coefficient, j is 1 or 2, an EdDSA public key A is set to d * B, a verification elliptic curve point L is set to k * B, and B is a base point of the Ed25519 or sr25519 elliptic curve group.

Step 220: Provide a first Boolean circuit and a second Boolean circuit as the garbled circuit. The first Boolean circuit accepts multiple input parameters, namely a parameter v1, a parameter v2, a parameter r1, a parameter r2, a parameter n and a message m, and outputs a first evaluation value, each input parameter carrying its own set of bit values. The second Boolean circuit accepts the parameters v1, v2, r1 and r2 and outputs a second evaluation value. The first evaluation value is H_2(k,m) + r1 + r2 mod n and the second evaluation value is k + r1 + r2, where H_2(k,m) denotes hashing the concatenation of the secret k and the message m, the parameter n is the number of elements of the given elliptic curve group, the value of the parameter v1 is BK(x1,n1)k1 mod n and the value of the parameter v2 is BK(x2,n2)k2 mod n.

Step 230: The first host generates a random number as the parameter r1 and publishes a first hash value, and the second host generates a random number as the parameter r2 and publishes a second hash value, where the first hash value is computed as H(r1 * B), the second hash value is computed as H(r2 * B), and H denotes a hash function.

Step 240: The first host, using its own parameter v1, parameter r1 and the message m, and the second host, using its own parameter v2 and parameter r2, jointly execute the first Boolean circuit so that the second host obtains the first evaluation value from the first Boolean circuit; they then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and a first public value, computed as r1 * B, is published.

Step 250: The second host, using its own parameter v2, parameter r2 and the message m, and the first host, using its own parameter v1 and parameter r1, jointly execute the first Boolean circuit so that the first host obtains the first evaluation value from the first Boolean circuit; they then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and a second public value, computed as r2 * B, is published.

Step 260: The first host and the second host each verify whether the hash values computed from the first public value and the second public value they obtained equal the received first hash value and second hash value, and whether the product of the second evaluation value and the base point equals the sum of the verification elliptic curve point L, the first public value and the second public value. When all of these checks find equality, each calculates a first signature value R from the message m, the first public value, the second public value and the base point, calculates a hash value c from the first signature value R, the EdDSA public key A and the message m, and then calculates a corresponding value S_i from the secret k, the message m, the hash value c, its own Birkhoff coefficient b_i and the secret d_i, where i is a positive integer.

Step 270: The first host and the second host both execute a Secure Validation Protocol to mutually verify that the first evaluation values the two parties obtained from the first Boolean circuit are the same.

Step 280: The first host and the second host each sum all of the values S_i to generate a second signature value s, and generate an EdDSA digital signature from the first signature value R and the second signature value s.

Figure 1 is a system block diagram of the garbled-circuit-based threshold signature generation system of the present invention.
Figures 2A to 2C are flow charts of the garbled-circuit-based threshold signature generation method of the present invention.
Figure 3 is a schematic diagram of the garbled circuit to which the present invention is applied.


Claims (10)

A threshold signature generation system based on a garbled circuit, the system comprising: two hosts, namely a first host and a second host, the first host having a secret d_1, a secret k_1, an X coordinate x_1 and a level value n_1, and the second host having a secret d_2, a secret k_2, an X coordinate x_2 and a level value n_2, the secrets d_1, k_1, d_2 and k_2 satisfying the following expressions to generate a secret d and a secret k:

BK(x_1,n_1) * d_1 + BK(x_2,n_2) * d_2 = d,

BK(x_1,n_1) * k_1 + BK(x_2,n_2) * k_2 = k,

where BK(x_j, n_j) denotes the Birkhoff coefficient, j is 1 or 2, an EdDSA public key A is set to d * B, a verification elliptic curve point L is set to k * B, and B is a base point of the Ed25519 or sr25519 elliptic curve group, each of the hosts comprising:

a garbling module for building a first Boolean circuit and a second Boolean circuit as the garbled circuit, the first Boolean circuit accepting multiple input parameters, namely a parameter v1, a parameter v2, a parameter r1, a parameter r2, a parameter n and a message m, and outputting a first evaluation value, each input parameter carrying its own set of bit values, and the second Boolean circuit accepting the parameters v1, v2, r1 and r2 and outputting a second evaluation value, the first evaluation value being H_2(k,m) + r1 + r2 mod n and the second evaluation value being k + r1 + r2, where H_2(k,m) denotes hashing the concatenation of the secret k and the message m, the parameter n is the number of elements of the given elliptic curve group, the value of the parameter v1 is BK(x_1,n_1)k_1 mod n and the value of the parameter v2 is BK(x_2,n_2)k_2 mod n;

a generation module for generating, when the host is the first host, a random number as the parameter r1 and publishing a first hash value, and for generating, when the host is the second host, a random number as the parameter r2 and publishing a second hash value, where the first hash value is computed as H(r1 * B), the second hash value is computed as H(r2 * B), and H denotes a hash function;

a first calculation module, connected to the generation module and the garbling module, which, when the host is the first host, inputs its own parameter v1, parameter r1 and the message m to the first Boolean circuit and, when the host is the second host, inputs its own parameter v2 and parameter r2 to the first Boolean circuit, in order to jointly execute the first Boolean circuit so that the second host obtains the first evaluation value from the first Boolean circuit, and which then jointly executes the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value and publishes a first public value computed as r1 * B;

a second calculation module, connected to the generation module and the garbling module, which, when the host is the second host, inputs its own parameter v2, parameter r2 and the message m to the first Boolean circuit and, when the host is the first host, inputs its own parameter v1 and parameter r1 to the first Boolean circuit, in order to jointly execute the first Boolean circuit so that the first host obtains the first evaluation value from the first Boolean circuit, and which then jointly executes the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value and publishes a second public value computed as r2 * B;

a verification module, connected to the first calculation module and the second calculation module, for verifying whether the hash values computed from the first public value and the second public value that the host itself obtained equal the received first hash value and second hash value, and whether the product of the second evaluation value and the base point equals the sum of the verification elliptic curve point L, the first public value and the second public value, and, when all of these checks find equality, calculating a first signature value R from the message m, the first public value, the second public value and the base point, calculating a hash value c from the first signature value R, the EdDSA public key A and the message m, and then calculating a corresponding value S_i from the secret k, the message m, the hash value c, its own Birkhoff coefficient b_i and the secret d_i, where i is a positive integer; and

a signature module, connected to the verification module, for executing a Secure Validation Protocol to mutually verify that the first evaluation values obtained by the first host and the second host from the first Boolean circuit are the same and, when they are the same, summing all of the values S_i to generate a second signature value s and generating an EdDSA digital signature from the first signature value R and the second signature value s.
The threshold signature generation system based on a garbled circuit of claim 1, wherein the first Boolean circuit and the second Boolean circuit implement the garbled circuit and secure Multi-Party Computation (MPC) by means of at least one of AND operations and exclusive-OR (XOR) operations, and have multiple input wires for entering the input parameters, the set of bit values carried by each input parameter being a 256-bit value; the first Boolean circuit is a logic circuit satisfying the condition MPCEdDSA(v1,v2,r1,r2,n,m) = H_2(k,m) + r1 + r2 mod n, and the second Boolean circuit is a logic circuit satisfying the condition ModAdd(v1,v2,r1,r2) = k + r1 + r2.

The threshold signature generation system based on a garbled circuit of claim 1, wherein the first signature value R is computed as follows: R = MPCEdDSA(v1,v2,r1,r2,n,m) * B - r1 * B - r2 * B, where MPCEdDSA(v1,v2,r1,r2,n,m) denotes the first Boolean circuit, which yields the first evaluation value.

The threshold signature generation system based on a garbled circuit of claim 1, wherein the value S_i is computed as follows: S_i = r + c * b_i * d_i, where r = H_2(k,w).
The threshold signature generation system based on garbled circuit of claim 1, wherein the hash value c is calculated as follows:
c = SHA512(R || A || m), where SHA512 is a hash function and the symbol || denotes concatenation.

A threshold signature generation method based on garbled circuit, comprising the steps of:

(A) providing a first host and a second host, the first host having a secret d_1, a secret k_1, an X coordinate x_1 and a level value n_1, and the second host having a secret d_2, a secret k_2, an X coordinate x_2 and a level value n_2, wherein the secret d_1, the secret k_1, the secret d_2 and the secret k_2 satisfy the following expressions to generate a secret d and a secret k:
BK(x_1,n_1) * d_1 + BK(x_2,n_2) * d_2 = d,
BK(x_1,n_1) * k_1 + BK(x_2,n_2) * k_2 = k,
where BK(x_j, n_j) denotes the Birkhoff coefficient and j is 1 or 2, an EdDSA public key A is set to d * B, a verification elliptic curve point L is set to k * B, and B is a base point of the Ed25519 or sr25519 elliptic curve group;

(B) providing a first Boolean circuit and a second Boolean circuit as the garbled circuit, the first Boolean circuit allowing input of a plurality of input parameters, the input parameters comprising a parameter v1, a parameter v2, a parameter r1, a parameter r2, a parameter n and a message m, and outputting a first evaluation value, each of the input parameters being allowed to carry its own set of bit values, and the second Boolean circuit allowing input of the parameter v1, the parameter v2, the parameter r1 and the parameter r2 and outputting a second evaluation value, the first evaluation value being H_2(k,m) + r1 + r2 mod n and the second evaluation value being k + r1 + r2, where H_2(k,m) denotes hashing the concatenation of the secret k and the message m, the parameter n is the number of elements of the given elliptic curve group, the value of the parameter v1 is BK(x_1,n_1)k_1 mod n, and the value of the parameter v2 is BK(x_2,n_2)k_2 mod n;

(C) the first host generating a random number as the parameter r1 and disclosing a first hash value, and the second host generating a random number as the parameter r2 and disclosing a second hash value, wherein the first hash value is calculated as H(r1 * B), the second hash value is calculated as H(r2 * B), and H denotes a hash function;

(D) the first host, using its own parameter v1, parameter r1 and the message m, and the second host, using its own parameter v2 and parameter r2, jointly executing the first Boolean circuit so that the second host obtains the first evaluation value from the first Boolean circuit, then using the same parameter v1, parameter v2, parameter r1 and parameter r2 to jointly execute the second Boolean circuit to obtain the second evaluation value, and disclosing a first public value, the first public value being calculated as r1 * B;

(E) the second host, using its own parameter v2, parameter r2 and the message m, and the first host, using its own parameter v1 and parameter r1, jointly executing the first Boolean circuit so that the first host obtains the first evaluation value from the first Boolean circuit, then using the same parameter v1, parameter v2, parameter r1 and parameter r2 to jointly execute the second Boolean circuit to obtain the second evaluation value, and disclosing a second public value, the second public value being calculated as r2 * B;

(F) the first host and the second host each verifying whether the hash values calculated from the first public value and the second public value it obtained are equal to the received first hash value and second hash value, and whether the product of the second evaluation value and the base point is equal to the sum of the verification elliptic curve point L, the first public value and the second public value; when the verification results are all equal, each calculating a first signature value R based on the message m, the first public value, the second public value and the base point, calculating a hash value c based on the first signature value R, the EdDSA public key A and the message m, and then calculating a corresponding value S_i based on the secret k, the message m, the hash value c, its own Birkhoff coefficient b_i and the secret d_i, where i is a positive integer;

(G) the first host and the second host both executing the Secure Validation Protocol to mutually verify that the first evaluation values obtained by both parties from the first Boolean circuit are the same; and

(H) the first host and the second host each summing all the values S_i to generate a second signature value s, and generating an EdDSA digital signature from the first signature value R and the second signature value s;

wherein step (D) and step (E) are allowed to be executed simultaneously, and step (G) and step (H) are allowed to be executed simultaneously.

The threshold signature generation method based on garbled circuit of claim 6, wherein the first Boolean circuit and the second Boolean circuit implement the garbled circuit and secure multi-party computation (Multi-Party Computation, MPC) by means of at least one of the AND operation and the exclusive-OR (XOR) operation, and have a plurality of input wires (Wire) for inputting the input parameters, the set of bit values carried by each input parameter being a 256-bit value; the first Boolean circuit is a logic circuit that satisfies the following condition:
MPCEdDSA(v1,v2,r1,r2,n,m) = H_2(k,m) + r1 + r2 mod n,
and the second Boolean circuit is a logic circuit that satisfies the following condition:
ModAdd(v1,v2,r1,r2) = k + r1 + r2.

The threshold signature generation method based on garbled circuit of claim 6, wherein the first signature value R is calculated as follows:
R = MPCEdDSA(v1,v2,r1,r2,n,m) * B - r1 * B - r2 * B,
where MPCEdDSA(v1,v2,r1,r2,n,m) denotes the first Boolean circuit, from which the first evaluation value is obtained.

The threshold signature generation method based on garbled circuit of claim 6, wherein the value S_i is calculated as follows:
S_i = r + c * b_i * d_i, where r = H_2(k,m).

The threshold signature generation method based on garbled circuit of claim 6, wherein the hash value c is calculated as follows:
c = SHA512(R || A || m), where SHA512 is a hash function and the symbol || denotes concatenation.
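The commitment and consistency checks of steps (C) to (F), and the derivation of R from the first evaluation value, as an added example that is not code from the patent. Both Boolean circuits are evaluated in the clear rather than as garbled circuits; the SHA-256/SHA-512 choices for H and H_2, the byte encodings and all function names are assumptions.

```python
import hashlib, secrets
p = 2**255 - 19                                       # Ed25519 field prime
n = 2**252 + 27742317777372353535851937790883648493   # order of the base point B
d = -121665 * pow(121666, -1, p) % p                  # Ed25519 curve constant

def add(P, Q):                                        # affine twisted Edwards addition
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, p) % p,
            (y1*y2 + x1*x2) * pow(1 - t, -1, p) % p)

def mul(s, P):                                        # double-and-add scalar multiplication
    Q, s = (0, 1), s % n
    while s:
        if s & 1: Q = add(Q, P)
        P, s = add(P, P), s >> 1
    return Q

def neg(P): return (-P[0] % p, P[1])
By = 4 * pow(5, -1, p) % p                            # base point: y = 4/5, x recovered
xx = (By*By - 1) * pow(d*By*By + 1, -1, p) % p
Bx = pow(xx, (p + 3) // 8, p)
if (Bx*Bx - xx) % p: Bx = Bx * pow(2, (p - 1) // 4, p) % p
if Bx % 2: Bx = p - Bx
B = (Bx, By)

def H(P):                                             # commitment hash (assumption: SHA-256)
    return hashlib.sha256(b"".join(c.to_bytes(32, "little") for c in P)).digest()
def H2(k, m):                                         # H_2(k,m) as a scalar (assumption: SHA-512)
    return int.from_bytes(hashlib.sha512(k.to_bytes(32, "little") + m).digest(), "little") % n

def circuits(v1, v2, r1, r2, m):                      # stand-in for the two garbled circuits
    k = (v1 + v2) % n                                 # k = BK*k_1 + BK*k_2, never output alone
    return (H2(k, m) + r1 + r2) % n, k + r1 + r2      # (first, second) evaluation values

def verify_and_derive_R(e1, e2, L, pub1, pub2, h1, h2):
    if H(pub1) != h1 or H(pub2) != h2:                # disclosed r_i*B must match H(r_i*B)
        return None
    if mul(e2, B) != add(L, add(pub1, pub2)):         # e2*B == L + r1*B + r2*B
        return None
    return add(mul(e1, B), neg(add(pub1, pub2)))      # R = e1*B - r1*B - r2*B

def run(m, dv=0, dr=0):                               # constructed run; dv/dr tamper host 2's inputs
    v1, v2, r1, r2 = (secrets.randbelow(n) for _ in range(4))
    L = mul(v1 + v2, B)                               # verification point L = k*B
    pub1, pub2 = mul(r1, B), mul(r2, B)
    e1, e2 = circuits(v1, v2 + dv, r1, r2 + dr, m)
    R = verify_and_derive_R(e1, e2, L, pub1, pub2, H(pub1), H(pub2))
    return R, mul(H2((v1 + v2) % n, m), B)            # (derived R or None, H_2(k,m)*B)
```

With honest inputs the derived R equals H_2(k,m) * B without either host learning k; a host that feeds the circuits a share or nonce different from the one behind L or its disclosed r_i * B fails the second-circuit check and gets no R.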
TW111116933A 2022-05-05 2022-05-05 Threshold signature generation system based on garbled circuit and method thereof TWI795284B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW111116933A TWI795284B (en) 2022-05-05 2022-05-05 Threshold signature generation system based on garbled circuit and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW111116933A TWI795284B (en) 2022-05-05 2022-05-05 Threshold signature generation system based on garbled circuit and method thereof

Publications (2)

Publication Number Publication Date
TWI795284B TWI795284B (en) 2023-03-01
TW202345542A true TW202345542A (en) 2023-11-16

Family

ID=86692344

Family Applications (1)

Application Number Title Priority Date Filing Date
TW111116933A TWI795284B (en) 2022-05-05 2022-05-05 Threshold signature generation system based on garbled circuit and method thereof

Country Status (1)

Country Link
TW (1) TWI795284B (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11210664B2 (en) * 2018-10-02 2021-12-28 Capital One Services, Llc Systems and methods for amplifying the strength of cryptographic algorithms
US11240025B2 (en) * 2018-11-09 2022-02-01 Ares Technologies, Inc. Systems and methods for distributed key storage
CN114338028A (en) * 2020-09-28 2022-04-12 华为技术有限公司 Threshold signature method and device, electronic equipment and readable storage medium
TWI759138B (en) * 2021-03-15 2022-03-21 英屬開曼群島商現代財富控股有限公司 Threshold signature scheme system based on inputting password and method thereof
CN113972981B (en) * 2021-09-29 2023-07-04 中国科学院大学 SM2 cryptographic algorithm-based efficient threshold signature method
CN114070556B (en) * 2021-11-15 2023-07-25 成都卫士通信息产业股份有限公司 Threshold ring signature method and device, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
TWI795284B (en) 2023-03-01

Similar Documents

Publication Publication Date Title
CN113424185B (en) Fast inadvertent transmission
JP2023134669A (en) Computer implemented method and system for transferring access to digital asset
WO2021228239A1 (en) Asset type consistency evidence generation method and system, transaction method and system, and transaction verification method and system
US11374910B2 (en) Method and apparatus for effecting a data-based activity
JP2021510954A (en) Computer-implemented methods and systems for obtaining digitally signed data
CN111586142B (en) Safe multiparty computing method and system
JP2022500920A (en) Systems and methods for sharing common secrets implemented by computers
US11637817B2 (en) Method and apparatus for effecting a data-based activity
Jayaraman et al. Decentralized certificate authorities
TWI795284B (en) Threshold signature generation system based on garbled circuit and method thereof
TWI799286B (en) Random number generation system for threshold signature scheme and method thereof
TWI759138B (en) Threshold signature scheme system based on inputting password and method thereof
US10797866B1 (en) System and method for enforcement of correctness of inputs of multi-party computations
TWI764811B (en) Key generating system for hierarchical deterministic wallet and method thereof
CN111885056A (en) Zero knowledge proving method and device based on block chain and electronic equipment
TWI776416B (en) Threshold signature scheme system for hierarchical deterministic wallet and method thereof
TWI734087B (en) Signature system based on homomorphic encryption and method thereof
WO2023055582A1 (en) Round optimal oblivious transfers from isogenies
TWI737956B (en) Threshold signature system based on secret sharing and method thereof
Zhang et al. A New Way to Prevent UKS Attacks Using Hardware Security Chips.
TWI702820B (en) Secret sharing signature system with hierarchical mechanism and method thereof
US20240137217A1 (en) Multi-party privacy computing method and device based on semi-trusted hardware
Efraim et al. Turbospeedz: Double Your Online SPDZ! Improving SPDZ using Function Dependent Preprocessing
Pashchenko et al. Formalized Description of Message Encryption in Messaging Apps Using Automata Theory
WO2022207436A1 (en) Quantum safe key exchange scheme