TWI795284B - Threshold signature generation system based on garbled circuit and method thereof - Google Patents

Publication number: TWI795284B
Authority: TW (Taiwan)
Application number: TW111116933A
Other languages: Chinese (zh)
Other versions: TW202345542A (en)
Inventor: 莊治耘
Original Assignee: 英屬開曼群島商現代財富控股有限公司
Application filed by 英屬開曼群島商現代財富控股有限公司
Priority to TW111116933A
Application granted
Publication of TWI795284B
Publication of TW202345542A

Abstract

A threshold signature generation system based on a garbled circuit, and a method thereof, are disclosed. A first Boolean circuit and a second Boolean circuit are provided as garbled circuits into which two hosts enter a plurality of input parameters and jointly perform secure multi-party computation, so that each host obtains a first evaluation value from the first Boolean circuit and a second evaluation value from the second Boolean circuit. Each host broadcasts the product of its random number and the base point, which makes it possible to verify whether both parties' input parameters are correct and whether the results obtained from the garbled circuit are the same; when they are correct and the same, an Edwards-curve Digital Signature Algorithm (EdDSA) signature that passes verification is generated. This mechanism helps improve security when generating the EdDSA signature.

Description

Threshold signature generation system based on garbled circuit and method thereof

The present invention relates to a signature generation system and method, and in particular to a threshold signature generation system based on a garbled circuit and a method thereof.

In recent years, with the spread and rapid growth of blockchain, blockchain-based transaction technologies of every kind have sprung up. However, the traditional approach in which a single party generates the signature is no longer secure enough, and vendors are eager to find more secure ways to generate signatures.

Generally speaking, in the traditional signing method one party to a transaction encrypts with a private key and provides the result to the other party, who verifies it with the public key corresponding to that private key. If the private key is lost, however, the signature can be forged. To strengthen the security of assets and transactions, some vendors have therefore developed techniques in which several different private keys produce a corresponding number of signatures and a transaction succeeds only when a certain number of signatures is present, so that the transaction remains secure even if one of the private keys is stolen or lost. This approach stops being secure once the number of lost private keys reaches the threshold, so the problem of insufficient security remains.

In view of this, vendors urgently need a way to generate a verifiable EdDSA signature without the complete private key, in full conformity with the generation method defined by EdDSA. Such a method greatly increases the security of EdDSA signature generation and effectively prevents the private key from being obtained illegally through a memory cache side-channel attack, and with it the possibility of a forged signature.

In summary, the prior art has long suffered from insufficient security in the traditional generation of EdDSA signatures, and an improved technique is needed to solve this problem.

The present invention discloses a threshold signature generation system based on a garbled circuit and a method thereof.

First, the present invention discloses a threshold signature generation system based on a garbled circuit, comprising two hosts, a first host and a second host. The first host holds secret d1, secret k1, X coordinate x1 and rank value n1; the second host holds secret d2, secret k2, X coordinate x2 and rank value n2. Secrets d1, k1, d2 and k2 satisfy the following expressions, which yield secret d and secret k:

"BK(x1,n1) * d1 + BK(x2,n2) * d2 = d"; and

"BK(x1,n1) * k1 + BK(x2,n2) * k2 = k".

Here "BK(xj,nj)" denotes the Birkhoff coefficient, with j equal to 1 or 2; the EdDSA public key A is d * B and the verification elliptic point L is k * B, where B is the base point of the Ed25519 or sr25519 elliptic curve group. Each host comprises a garbling module, a generation module, a first calculation module, a second calculation module, a verification module and a signature module.

The garbling module establishes the first Boolean circuit and the second Boolean circuit that serve as the garbled circuits. The first Boolean circuit accepts a plurality of input parameters, namely parameter v1, parameter v2, parameter r1, parameter r2, parameter n and message m, and outputs the first evaluation value; each input parameter carries its own set of bit values. The second Boolean circuit accepts parameters v1, v2, r1 and r2 and outputs the second evaluation value. The first evaluation value is "H2(k,m) + r1 + r2 mod n" and the second evaluation value is "k + r1 + r2", where H2(k,m) denotes hashing the concatenation of secret k and message m, H2 is a hash function (usually SHA-512), m is the message, parameter n is the number of elements of the given elliptic curve group, the value of parameter v1 is "BK(x1,n1)k1 mod n" and the value of parameter v2 is "BK(x2,n2)k2 mod n".

The generation module, when the host is the first host, generates a random number as parameter r1 and publishes a first hash value; when the host is the second host, it generates a random number as parameter r2 and publishes a second hash value. The first hash value is "H(r1 * B)" and the second hash value is "H(r2 * B)", where H is a hash function.

The first calculation module is connected to the generation module and the garbling module. When the host is the first host it feeds its own parameter v1, parameter r1 and message m into the first Boolean circuit, and when the host is the second host it feeds its own parameter v2 and parameter r2 into the first Boolean circuit, so that the two jointly execute the first Boolean circuit and the second host obtains the first evaluation value from it. The same parameters v1, v2, r1 and r2 are then used to jointly execute the second Boolean circuit to obtain the second evaluation value, and the first public value, given by "r1 * B", is published.

The second calculation module is connected to the generation module and the garbling module. When the host is the second host it feeds its own parameter v2, parameter r2 and message m into the first Boolean circuit, and when the host is the first host it feeds its own parameter v1 and parameter r1 into the first Boolean circuit, so that the two jointly execute the first Boolean circuit and the first host obtains the first evaluation value from it. The same parameters v1, v2, r1 and r2 are then used to jointly execute the second Boolean circuit to obtain the second evaluation value, and the second public value, given by "r2 * B", is published.

The verification module is connected to the first calculation module and the second calculation module. It verifies whether the hash values computed from the first public value ("r1 * B") and the second public value ("r2 * B") it has obtained equal the first hash value ("H(r1 * B)") and the second hash value ("H(r2 * B)") it received, and whether the product of the second evaluation value and the base point equals the sum of the verification elliptic point L, the first public value and the second public value. When every check yields equality, it computes the first signature value R from message m, the first public value, the second public value and the base point, computes hash value c from the first signature value R, the EdDSA public key A and message m, and then computes the corresponding value Si from secret k, message m, hash value c, its own Birkhoff coefficient bi and secret di, where i is a positive integer.

The signature module is connected to the verification module. It executes a Secure Validation Protocol so that the first host and the second host mutually verify that the first evaluation values each obtained from the first Boolean circuit are the same; when they are, all values Si are summed to produce the second signature value s, and the EdDSA digital signature is generated from the first signature value R and the second signature value s.

Next, the present invention discloses a threshold signature generation method based on a garbled circuit, comprising the following steps.

(A) Provide a first host and a second host. The first host holds secret d1, secret k1, X coordinate x1 and rank value n1; the second host holds secret d2, secret k2, X coordinate x2 and rank value n2. Secrets d1, k1, d2 and k2 satisfy the following expressions, which yield secret d and secret k:

"BK(x1,n1) * d1 + BK(x2,n2) * d2 = d"; and

"BK(x1,n1) * k1 + BK(x2,n2) * k2 = k".

Here "BK(xj,nj)" denotes the Birkhoff coefficient, with j equal to 1 or 2; the EdDSA public key A is d * B and the verification elliptic point L is k * B, where B is the base point of the Ed25519 or sr25519 elliptic curve group.

(B) Provide a first Boolean circuit and a second Boolean circuit as garbled circuits. The first Boolean circuit accepts a plurality of input parameters, namely parameter v1, parameter v2, parameter r1, parameter r2, parameter n and message m, and outputs the first evaluation value; each input parameter carries its own set of bit values. The second Boolean circuit accepts parameters v1, v2, r1 and r2 and outputs the second evaluation value. The first evaluation value is "H2(k,m) + r1 + r2 mod n" and the second evaluation value is "k + r1 + r2", where H2(k,m) denotes hashing the concatenation of secret k and message m, parameter n is the number of elements of the given elliptic curve group, the value of parameter v1 is "BK(x1,n1)k1 mod n" and the value of parameter v2 is "BK(x2,n2)k2 mod n".

(C) The first host generates a random number as parameter r1 and publishes the first hash value; the second host generates a random number as parameter r2 and publishes the second hash value. The first hash value is "H(r1 * B)" and the second hash value is "H(r2 * B)", where H is a hash function.

(D) The first host, using its own parameter v1, parameter r1 and message m, and the second host, using its own parameter v2 and parameter r2, jointly execute the first Boolean circuit so that the second host obtains the first evaluation value from it. They then use the same parameters v1, v2, r1 and r2 to jointly execute the second Boolean circuit to obtain the second evaluation value, and the first public value, given by "r1 * B", is published.

(E) The second host, using its own parameter v2, parameter r2 and message m, and the first host, using its own parameter v1 and parameter r1, jointly execute the first Boolean circuit so that the first host obtains the first evaluation value from it. They then use the same parameters v1, v2, r1 and r2 to jointly execute the second Boolean circuit to obtain the second evaluation value, and the second public value, given by "r2 * B", is published.

(F) The first host and the second host each verify whether the hash values computed from the first public value and the second public value they obtained equal the first hash value and the second hash value they received, and whether the product of the second evaluation value and the base point equals the sum of the verification elliptic point L, the first public value and the second public value. When every check yields equality, each host computes the first signature value R from message m, the first public value, the second public value and the base point, computes hash value c from the first signature value R, the EdDSA public key A and message m, and then computes the corresponding value Si from secret k, message m, hash value c, its own Birkhoff coefficient bi and secret di, where i is a positive integer.

(G) The first host and the second host both execute a Secure Validation Protocol to mutually verify that the first evaluation values the two parties obtained from the first Boolean circuit are the same.

(H) The first host and the second host each sum all values Si to generate the second signature value s, and generate the EdDSA digital signature from the first signature value R and the second signature value s.

Steps (D) and (E) may be executed at the same time, and steps (G) and (H) may be executed at the same time.

The system and method disclosed by the present invention are as described above. The difference from the prior art is that the present invention provides a first Boolean circuit and a second Boolean circuit as garbled circuits into which two hosts enter a plurality of input parameters and jointly perform secure multi-party computation, so that each host obtains the first evaluation value of the first Boolean circuit and the second evaluation value of the second Boolean circuit, and broadcasts the product of each host's random number and the base point, so as to verify whether both parties' input parameters are correct and whether the results obtained through the garbled circuit are the same. An EdDSA signature that passes verification is then generated when they are correct and the same, achieving the technical effect of improving the security of EdDSA signature generation.

Through the above technical means, the present invention achieves the technical effect of improving the security of EdDSA signature generation.

Embodiments of the present invention are described in detail below with reference to the drawings and examples, so that the way the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and put into practice.

Before the threshold signature generation system based on a garbled circuit and its method are described, the terms defined by the present invention are explained. The "EdDSA public key" (denoted "A") is the key published to all parties for use in signature verification. In EdDSA private key generation, a hash function (such as SHA512) is applied, and the first half of the resulting hash value is used as the private key; the second half is what the present invention calls the "verification elliptic point" (denoted "L"), whose purpose is to confirm that the inputs both parties use when executing the garbled circuit are the correct inputs. In actual implementation, the value of the EdDSA public key A equals d * B and the value of the verification elliptic point L equals k * B, where d and k are secrets (for example ciphertext or a private key) and B is the base point of the Ed25519 or sr25519 elliptic curve group.

The threshold signature generation system based on a garbled circuit and its method are further described below with reference to the drawings. Refer first to "Fig. 1", a system block diagram of the first embodiment of the threshold signature generation system based on a garbled circuit. The system comprises two hosts (100a, 100b), the first host 100a and the second host 100b. The first host 100a holds secret d1, secret k1, X coordinate x1 and rank value (Rank) n1; the second host 100b holds secret d2, secret k2, X coordinate x2 and rank value n2. Secrets d1, k1, d2 and k2 satisfy the following expressions, which yield secret d and secret k:

"BK(x1,n1) * d1 + BK(x2,n2) * d2 = d"; and

"BK(x1,n1) * k1 + BK(x2,n2) * k2 = k".

Here "BK(xj,nj)" denotes the Birkhoff coefficient, with j equal to 1 or 2; the EdDSA public key A is d * B and the verification elliptic point L is k * B, where B is the base point of the Ed25519 or sr25519 elliptic curve group. Each host (100a, 100b) comprises a garbling module 110, a generation module 120, a first calculation module 130, a second calculation module 140, a verification module 150 and a signature module 160.

The garbling module 110 establishes the first Boolean circuit and the second Boolean circuit that serve as the garbled circuits. The first Boolean circuit accepts a plurality of input parameters, namely parameter v1, parameter v2, parameter r1, parameter r2, parameter n and message m, and outputs the first evaluation value; each input parameter carries its own set of bit values. The second Boolean circuit accepts parameters v1, v2, r1 and r2 and outputs the second evaluation value. The first evaluation value is "H2(k,m) + r1 + r2 mod n" and the second evaluation value is "k + r1 + r2", where H2(k,m) denotes hashing the concatenation of secret k and message m, parameter n is the number of elements of the given elliptic curve group, the value of parameter v1 is "BK(x1,n1)k1 mod n" and the value of parameter v2 is "BK(x2,n2)k2 mod n".

Specifically, a garbled circuit is essentially a Boolean circuit: the function to be computed is constructed from the viewpoint of a Boolean circuit, so that the participants can compute the answer for a given value without learning the specific numbers the other participants entered into the function. Secure multi-party computation in a garbled circuit can thus be realised in circuit form. In actual implementation, the first Boolean circuit and the second Boolean circuit may realise the garbled circuit and secure multi-party computation (Multi-Party Computation, MPC) by means of at least one of the AND operation and the exclusive-OR (XOR) operation, and have a plurality of input wires (Wire) for entering the input parameters. The set of bit values carried by each input parameter is a 256-bit value; with six input parameters, for example, six 256-bit values are entered in total. The first Boolean circuit is a logic circuit satisfying the condition "MPCEdDSA(v1,v2,r1,r2,n,m) = H2(k,m) + r1 + r2 mod n", and the second Boolean circuit is a logic circuit satisfying the condition "ModAdd(v1,v2,r1,r2) = k + r1 + r2". Note in particular that, unlike ECDSA, the way secret k1 and secret k2 are generated is explicitly defined in EdDSA rather than being produced from random numbers.

The generation module 120, when the host (100a, 100b) is the first host 100a, generates a random number as parameter r1 and publishes a first hash value; when the host (100a, 100b) is the second host 100b, it generates a random number as parameter r2 and publishes a second hash value. The first hash value is "H(r1 * B)" and the second hash value is "H(r2 * B)", where H is a hash function.

The first calculation module 130 is connected to the generation module 120 and the garbling module 110. When the host (100a, 100b) is the first host 100a it feeds its own parameter v1, parameter r1 and message m into the first Boolean circuit, and when the host (100a, 100b) is the second host 100b it feeds its own parameter v2 and parameter r2 into the first Boolean circuit, so that the two jointly execute the first Boolean circuit and the second host obtains the first evaluation value from it. The same parameters v1, v2, r1 and r2 are then used to jointly execute the second Boolean circuit to obtain the second evaluation value, and the first public value, given by "r1 * B", is published. In actual implementation, the first public value may be published by broadcast (Broadcast).

The second calculation module 140 is connected to the generation module 120 and the garbling module 110. When the host (100a, 100b) is the second host 100b it feeds its own parameter v2, parameter r2 and message m into the first Boolean circuit, and when the host (100a, 100b) is the first host 100a it feeds its own parameter v1 and parameter r1 into the first Boolean circuit, so that the two jointly execute the first Boolean circuit and the first host obtains the first evaluation value from it. The same parameters v1, v2, r1 and r2 are then used to jointly execute the second Boolean circuit to obtain the second evaluation value, and the second public value, given by "r2 * B", is published. Likewise, in actual implementation the second public value may be published by broadcast.

The verification module 150 is connected to the first calculation module 130 and the second calculation module 140. It verifies whether the hash values computed from the first public value and the second public value it has obtained equal the first hash value and the second hash value it received, and whether the product of the second evaluation value and the base point equals the sum of the verification elliptic point L, the first public value and the second public value (that is, ModAdd(v1,v2,r1,r2) * B = verification elliptic point L + r1 * B + r2 * B, where ModAdd(v1,v2,r1,r2) denotes the second evaluation value "k + r1 + r2" output by the second Boolean circuit). When every check yields equality, it computes the first signature value R from message m, the first public value, the second public value and the base point, computes hash value c from the first signature value R, the EdDSA public key A and message m, and then computes the corresponding value Si from secret k, message m, hash value c, its own Birkhoff coefficient bi and secret di, where i is a positive integer.

In actual implementation, the first signature value R is given by "R = MPCEdDSA(v1,v2,r1,r2,n,m) * B - r1 * B - r2 * B", where "MPCEdDSA(v1,v2,r1,r2,n,m) = H2(k,m) + r1 + r2 mod n", "MPCEdDSA(v1,v2,r1,r2,n,m)" denotes the first Boolean circuit, and "H2(k,m) + r1 + r2 mod n" is the first evaluation value. The hash value c is given by "c = SHA512(R || A || m)", where SHA512 is the hash function and the symbol "||" denotes concatenation: if R is the string "aa" and A is the string "bb", then "R || A" is the string "aabb".

In actual implementation, if "ModAdd(v1,v2,r1,r2) * B" does not equal "verification elliptic point L + r1 * B + r2 * B", the identity "v1 + v2 = verification elliptic point L" cannot be satisfied, which means that the parameters v1 and v2 entered by the two parties are not the correct inputs, so execution stops. In other words, the verification elliptic point L known to both parties (that is, "k * B"), together with the previously broadcast first public value "r1 * B" and second public value "r2 * B", can be used to verify "ModAdd(v1,v2,r1,r2) * B = (k + r1 + r2) * B" and thereby confirm that the inputs to the garbled circuit are all correct; an error at any point along the way causes the verification to fail.
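The hash commitment, input-consistency check and derivation of R described above, sketched in Python as an added example (not code from the patent or its applicant). The two garbled circuits are replaced by plain functions evaluated in the clear, H is assumed to be SHA-512 over the usual 32-byte Ed25519 point encoding, parameter n is taken to be the order of the Ed25519 base point, and every sample value is constructed.

```python
import hashlib

P = 2**255 - 19                                      # Ed25519 field prime
N = 2**252 + 27742317777372353535851937790883648493  # order of base point B (assumed to be the page's n)
D = -121665 * pow(121666, -1, P) % P                 # curve constant d

def _recover_x(y):
    # Even x for a given y on -x^2 + y^2 = 1 + d*x^2*y^2.
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return P - x if x & 1 else x

_BY = 4 * pow(5, -1, P) % P
B = (_recover_x(_BY), _BY)   # base point
IDENTITY = (0, 1)

def add(p, q):
    # Complete twisted-Edwards addition in affine coordinates.
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P
    return (x3, y3)

def neg(p):
    return (-p[0] % P, p[1])

def mul(k, p):
    # Double-and-add; not constant time, for illustration only.
    acc = IDENTITY
    while k > 0:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc

def encode(p):
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def H(point):
    # Assumption: the page's unspecified hash H is SHA-512 over the encoded point.
    return hashlib.sha512(encode(point)).digest()

def h2(k, m):
    # H2(k, m): hash of k concatenated with m; the byte encoding of k is an assumption.
    digest = hashlib.sha512(k.to_bytes(32, "little") + m).digest()
    return int.from_bytes(digest, "little") % N

# Stand-ins for the two garbled circuits, computed in the clear here.
def mpc_eddsa(v1, v2, r1, r2, n, m):
    return (h2((v1 + v2) % n, m) + r1 + r2) % n    # first evaluation value

def mod_add(v1, v2, r1, r2):
    return (v1 + v2 + r1 + r2) % N                 # second evaluation value, reduced mod n

def inputs_consistent(eval2, L, pub1, pub2, commit1, commit2):
    # Revealed r1*B and r2*B must match the earlier hashes, and
    # ModAdd(...) * B must equal L + r1*B + r2*B.
    if H(pub1) != commit1 or H(pub2) != commit2:
        return False
    return mul(eval2, B) == add(L, add(pub1, pub2))

def derive_R(eval1, pub1, pub2):
    # R = MPCEdDSA(...) * B - r1*B - r2*B
    return add(mul(eval1, B), neg(add(pub1, pub2)))

def run_round(v1, v2, r1, r2, m, L):
    # Returns R, or None when the consistency check stops the run.
    pub1, pub2 = mul(r1, B), mul(r2, B)
    commit1, commit2 = H(pub1), H(pub2)            # published before the circuits run
    eval1 = mpc_eddsa(v1, v2, r1, r2, N, m)
    eval2 = mod_add(v1, v2, r1, r2)
    if not inputs_consistent(eval2, L, pub1, pub2, commit1, commit2):
        return None
    return derive_R(eval1, pub1, pub2)

def _sample(label):
    # Constructed sample scalar derived from a label; not real key material.
    return int.from_bytes(hashlib.sha512(label).digest(), "little") % N

K = _sample(b"constructed secret k")
V1 = _sample(b"constructed share v1")      # plays BK(x1,n1)*k1 mod n
V2 = (K - V1) % N                          # plays BK(x2,n2)*k2 mod n
SAMPLE_R1 = _sample(b"constructed r1")
SAMPLE_R2 = _sample(b"constructed r2")
MSG = b"constructed sample message"
L_POINT = mul(K, B)                        # verification elliptic point L = k * B

if __name__ == "__main__":
    honest = run_round(V1, V2, SAMPLE_R1, SAMPLE_R2, MSG, L_POINT)
    print("honest inputs accepted:", honest is not None)
    print("R equals H2(k,m) * B:", honest == mul(h2(K, MSG), B))
    bad = run_round((V1 + 1) % N, V2, SAMPLE_R1, SAMPLE_R2, MSG, L_POINT)
    print("wrong v1 rejected:", bad is None)
```

In a deployment r1 and r2 are fresh random values for every signature, and the circuits run under garbling so that neither host sees the other's v or r.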

The signature module 160 is connected to the verification module 150. It executes a secure validation protocol so that the first host 100a and the second host 100b mutually verify that the first evaluation values they obtained from the first Boolean circuit are the same. When they are the same, it sums all the values S_i to generate the second signature value s and generates the EdDSA digital signature from the first signature value R and the second signature value s. In actual implementation, the value S_i is computed as "S_i = r + c * b_i * d_i", where r = H_2(k,m).

It should be noted in particular that, in actual implementation, the modules described in the present invention can be realized in various ways, including software, hardware or any combination thereof. For example, in some implementations each module can be realized in software, in hardware, or in both. The present invention can also be realized partially or completely in hardware; for example, one or more modules in the system can be realized by an integrated circuit chip, a System on Chip (SoC), a Complex Programmable Logic Device (CPLD), a Field Programmable Gate Array (FPGA) and so on. The present invention can be a system, a method and/or a computer program. The computer program may include a computer-readable storage medium carrying computer-readable program instructions that cause a processor to implement the various aspects of the present invention. The computer-readable storage medium may be a tangible device that can hold and store instructions used by an instruction-execution device. It may be, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of computer-readable storage media include hard disks, random access memory, read-only memory, flash memory, optical disks, floppy disks, and any suitable combination of the foregoing. As used herein, a computer-readable storage medium is not to be construed as a transient signal per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (for example, light signals through fiber optic cables), or electrical signals transmitted through wires. In addition, the computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to the respective computing/processing devices, or downloaded to an external computer device or external storage device over a network, such as the Internet, a local area network, a wide area network and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, hubs and/or gateways. The network card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium in the respective computing/processing device. The computer program instructions that perform the operations of the present invention may be assembly language instructions, instruction set architecture instructions, machine instructions, machine-dependent instructions, microinstructions, firmware instructions, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages such as Common Lisp, Python, C++, Objective-C, Smalltalk, Delphi, Java, Swift, C#, Perl, Ruby and PHP, as well as conventional procedural programming languages such as C or similar languages. The computer program instructions may be executed entirely on a computer, partly on a computer, as a stand-alone piece of software, partly on a client computer and partly on a remote computer, or entirely on a remote computer or server.

Please refer to Fig. 2A to Fig. 2C, which are the method flow charts of the first embodiment of the garbled-circuit-based threshold signature generation method of the present invention. The steps include: providing a first host and a second host, the first host having a secret d_1, a secret k_1, an X coordinate x_1 and a level value n_1, and the second host having a secret d_2, a secret k_2, an X coordinate x_2 and a level value n_2, where the secrets d_1, k_1, d_2 and k_2 satisfy the following expressions to generate a secret d and a secret k:

BK(x_1, n_1) * d_1 + BK(x_2, n_2) * d_2 = d,

BK(x_1, n_1) * k_1 + BK(x_2, n_2) * k_2 = k,

where "BK(x_j, n_j)" denotes the Birkhoff coefficient, j is 1 or 2, the EdDSA public key A is d * B, the verification elliptic-curve point L is k * B, and B is the base point of the Ed25519 or sr25519 elliptic curve group (step 210); providing a first Boolean circuit and a second Boolean circuit as garbled circuits, the first Boolean circuit accepting a plurality of input parameters, namely parameter v1, parameter v2, parameter r1, parameter r2, parameter n and message m, and outputting a first evaluation value, each input parameter being supplied as a set of bit values, and the second Boolean circuit accepting parameter v1, parameter v2, parameter r1 and parameter r2 and outputting a second evaluation value, where the first evaluation value is "H_2(k,m) + r1 + r2 mod n", the second evaluation value is "k + r1 + r2", H_2(k,m) denotes hashing the concatenation of the secret k and the message m, parameter n is the order (number of elements) of the given elliptic curve group, the value of parameter v1 is "BK(x_1,n_1)k_1 mod n" and the value of parameter v2 is "BK(x_2,n_2)k_2 mod n" (step 220); the first host generates a random number as parameter r1 and publishes a first hash value, and the second host generates a random number as parameter r2 and publishes a second hash value, where the first hash value is computed as "H(r1 * B)", the second hash value is computed as "H(r2 * B)", and H denotes a hash function (step 230); the first host, using its own parameter v1, parameter r1 and message m, and the second host, using its own parameter v2 and parameter r2, jointly execute the first Boolean circuit so that the second host obtains the first evaluation value from the first Boolean circuit, then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and the first public value, computed as "r1 * B", is published (step 240); the second host, using its own parameter v2, parameter r2 and message m, and the first host, using its own parameter v1 and parameter r1, jointly execute the first Boolean circuit so that the first host obtains the first evaluation value from the first Boolean circuit, then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and the second public value, computed as "r2 * B", is published (step 250); the first host and the second host each verify whether the hash values computed from the first public value and the second public value they obtained equal the received first hash value and second hash value, and whether the product of the second evaluation value and the base point equals the sum of the verification elliptic-curve point L, the first public value and the second public value; when both checks pass, each host calculates the first signature value R from the message m, the first public value, the second public value and the base point, calculates the hash value c from the first signature value R, the EdDSA public key A and the message m, and then calculates the corresponding value S_i from the secret k, the message m, the hash value c, its own Birkhoff coefficient b_i and the secret d_i, where i is a positive integer (step 260); the first host and the second host both execute the Secure Validation Protocol to mutually verify that the first evaluation values they obtained from the first Boolean circuit are the same (step 270); and the first host and the second host each sum all the values S_i to generate the second signature value s, and generate the EdDSA digital signature from the first signature value R and the second signature value s (step 280). Steps 240 and 250 may be executed simultaneously, and steps 270 and 280 may be executed simultaneously.

The following description is given by way of an embodiment with reference to Fig. 3, which is a schematic diagram of the garbled circuit to which the present invention is applied. In actual implementation, the garbled circuit of the present invention comprises a first Boolean circuit 310 and a second Boolean circuit 320. The first Boolean circuit 310 provides input wires for parameter v1 (that is, "BK(x_1,n_1)k_1 mod n"), parameter v2 (that is, "BK(x_2,n_2)k_2 mod n"), parameter r1 (a random number chosen by the first host 100a), parameter r2 (a random number chosen by the second host 100b), parameter n (the order, or number of elements, of the given elliptic curve group) and message m. It can be written as "MPCEdDSA(v1,v2,r1,r2,n,m)" and outputs the first evaluation value "H_2(k,m) + r1 + r2 mod n", where "H_2(k,m)" can be regarded as "SHA512(k || m)", the value obtained by concatenating the secret k with the message m and then hashing. The second Boolean circuit 320 provides input wires for parameter v1, parameter v2, parameter r1 and parameter r2. It can be written as "ModAdd(v1,v2,r1,r2)" and outputs the second evaluation value "k + r1 + r2". When building the first Boolean circuit 310, at least one of the AND operation and the exclusive-OR (XOR) operation can be used to construct a logic circuit that satisfies the condition "MPCEdDSA(v1,v2,r1,r2,n,m) = H_2(k,m) + r1 + r2 mod n"; when building the second Boolean circuit 320, at least one of the AND operation and the XOR operation is likewise used to construct a logic circuit that satisfies the condition "ModAdd(v1,v2,r1,r2) = k + r1 + r2". It should be noted in particular that, within the same signing operation, the parameters v1, v2, r1 and r2 input to the first Boolean circuit 310 are also the parameters v1, v2, r1 and r2 input to the second Boolean circuit 320, and that parameters r1 and r2 are chosen anew for every signature.

In summary, the difference between the present invention and the prior art is that a first Boolean circuit and a second Boolean circuit are provided as garbled circuits, into which two hosts input a plurality of input parameters and jointly perform secure multi-party computation, so that each host obtains the first evaluation value of the first Boolean circuit and the second evaluation value of the second Boolean circuit; the product of each host's random number and the base point is broadcast so that it can be verified whether both parties' input parameters are correct and whether the results obtained through the garbled circuit are the same; and an EdDSA signature that passes verification is generated only when they are correct and the same. This technical means solves the problems of the prior art and thereby achieves the technical effect of improving the security of EdDSA signature generation.

Although the present invention is disclosed above by way of the foregoing embodiments, they are not intended to limit the present invention. Anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the present invention, so the scope of patent protection of the present invention is that defined by the claims attached to this specification.

100a, 100b: host
110: garbling module
120: generation module
130: first calculation module
140: second calculation module
150: verification module
160: signature module
310: first Boolean circuit
320: second Boolean circuit

Step 210: Provide a first host and a second host, the first host having a secret d_1, a secret k_1, an X coordinate x_1 and a level value n_1, and the second host having a secret d_2, a secret k_2, an X coordinate x_2 and a level value n_2, where the secrets d_1, k_1, d_2 and k_2 satisfy the following expressions to generate a secret d and a secret k: BK(x_1,n_1) * d_1 + BK(x_2,n_2) * d_2 = d, BK(x_1,n_1) * k_1 + BK(x_2,n_2) * k_2 = k, where BK(x_j, n_j) denotes the Birkhoff coefficient, j is 1 or 2, an EdDSA public key A is d * B, a verification elliptic-curve point L is k * B, and B is a base point of the Ed25519 or sr25519 elliptic curve group.

Step 220: Provide a first Boolean circuit and a second Boolean circuit as garbled circuits, the first Boolean circuit accepting a plurality of input parameters, namely a parameter v1, a parameter v2, a parameter r1, a parameter r2, a parameter n and a message m, and outputting a first evaluation value, each input parameter being supplied as a set of bit values, and the second Boolean circuit accepting the parameters v1, v2, r1 and r2 and outputting a second evaluation value, where the first evaluation value is H_2(k,m) + r1 + r2 mod n, the second evaluation value is k + r1 + r2, H_2(k,m) denotes hashing the concatenation of the secret k and the message m, the parameter n is the order (number of elements) of the given elliptic curve group, the value of the parameter v1 is BK(x1,n1)k1 mod n and the value of the parameter v2 is BK(x2,n2)k2 mod n.

Step 230: The first host generates a random number as the parameter r1 and publishes a first hash value, and the second host generates a random number as the parameter r2 and publishes a second hash value, where the first hash value is computed as H(r1 * B), the second hash value is computed as H(r2 * B), and H denotes a hash function.

Step 240: The first host, using its own parameter v1, parameter r1 and message m, and the second host, using its own parameter v2 and parameter r2, jointly execute the first Boolean circuit so that the second host obtains the first evaluation value from the first Boolean circuit, then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and a first public value, computed as r1 * B, is published.

Step 250: The second host, using its own parameter v2, parameter r2 and message m, and the first host, using its own parameter v1 and parameter r1, jointly execute the first Boolean circuit so that the first host obtains the first evaluation value from the first Boolean circuit, then jointly execute the second Boolean circuit with the same parameters v1, v2, r1 and r2 to obtain the second evaluation value, and a second public value, computed as r2 * B, is published.

Step 260: The first host and the second host each verify whether the hash values computed from the first public value and the second public value they obtained equal the received first hash value and second hash value, and whether the product of the second evaluation value and the base point equals the sum of the verification elliptic-curve point L, the first public value and the second public value; when both checks pass, each calculates a first signature value R from the message m, the first public value, the second public value and the base point, calculates a hash value c from the first signature value R, the EdDSA public key A and the message m, and then calculates a corresponding value S_i from the secret k, the message m, the hash value c, its own Birkhoff coefficient b_i and the secret d_i, where i is a positive integer.

Step 270: The first host and the second host both execute the Secure Validation Protocol to mutually verify that the first evaluation values they obtained from the first Boolean circuit are the same.

Step 280: The first host and the second host each sum all the values S_i to generate a second signature value s, and generate an EdDSA digital signature from the first signature value R and the second signature value s.

Fig. 1 is a system block diagram of the garbled-circuit-based threshold signature generation system of the present invention. Fig. 2A to Fig. 2C are method flow charts of the garbled-circuit-based threshold signature generation method of the present invention. Fig. 3 is a schematic diagram of the garbled circuit to which the present invention is applied.


Claims (10)

一種基於混淆電路的門檻式簽章生成系統,該系統包含: 二個主機,分別為一第一主機及一第二主機,該第一主機具有一秘密d 1、一秘密k 1、一X座標x 1及一層級值n 1,該第二主機具有一秘密d 2、一秘密k 2、一X座標x 2及一層級值n 2,同時該秘密d 1、該秘密k 1、該秘密d 2及該秘密k 2滿足下列運算式以生成一秘密d及一秘密k: BK(x 1,n 1) * d 1+ BK(x 2,n 2) * d 2= d, BK(x 1,n 1) * k 1+ BK(x 2,n 2) * k 2= k, 其中,BK(x j, n j)代表伯克霍夫係數,j為1或2,並且令一EdDSA公鑰A為 d * B,以及令一驗證橢圓點L為k * B,B為Ed25519或sr25519橢圓曲線群的一基點,每一所述主機皆包含: 一混淆模組,用以建立作為混淆電路的一第一布林電路及一第二布林電路,該第一布林電路允許輸入多個輸入參數,所述輸入參數包含一參數v1、一參數v2、一參數r1、一參數r2、一參數n及一訊息m且輸出一第一評估值,每一所述輸入參數允許各自帶入一組位元值,該第二布林電路允許輸入該參數v1、該參數v2、該參數r1及該參數r2且輸出一第二評估值,所述第一評估值為H 2(k,m) + r1 + r2 mod n,所述第二評估值為k + r1 + r2,其中,H 2(k,m)代表將該秘密k與該訊息m串聯後進行雜湊、該參數n為給定橢圓曲線群的個數、該參數v1的值為BK(x 1,n 1)k 1mod n、該參數v2的值為BK(x 2,n 2)k 2mod n; 一生成模組,用以在所述主機為該第一主機時,產生隨機亂數以作為該參數r1且公開一第一雜湊值,以及在所述主機為該第二主機時,產生隨機亂數以作為該參數r2且公開一第二雜湊值,其中,該第一雜湊值的運算式為H(r1 * B),該第二雜湊值的運算式為H(r2 * B),H代表雜湊函式; 一第一計算模組,連接該生成模組及該混淆模組,當所述主機為該第一主機時,使用本身的該參數v1、該參數r1及該訊息m輸入至該第一布林電路,以及當所述主機為該第二主機時,使用本身的該參數v2及該參數r2輸入至該第一布林電路,用以共同執行該第一布林電路,使該第二主機根據該第一布林電路獲得該第一評估值,再使用相同的該參數v1、該參數v2、該參數r1及該參數r2共同執行該第二布林電路以獲得該第二評估值,以及公開一第一公開值,該第一公開值的運算式為r1 * B; 一第二計算模組,連接該生成模組及該混淆模組,用以在所述主機為該第二主機時,使用本身的該參數v2、該參數r2及該訊息m輸入至該第一布林電路,以及在所述主機為該第一主機時,使用本身的該參數v1及該參數r1輸入至該第一布林電路,用以共同執行該第一布林電路,使該第一主機根據該第一布林電路獲得該第一評估值,再使用相同的該參數v1、該參數v2、該參數r1及該參數r2共同執行該第二布林電路以獲得該第二評估值,以及公開一第二公開值,該第二公開值的運算式為r2 * B; 一驗證模組,連接該第一計算模組及該第二計算模組,用以驗證本身獲得的該第一公開值和該第二公開值所計算出的雜湊值是否與收到的該第一雜湊值和該第二雜湊值相等且該第二評估值與該基點的乘積是否與該驗證橢圓點L、該第一公開值及該第二公開值的總和相等,當驗證結果皆為相等時,根據該訊息m、該第一公開值、該第二公開值及該基點計算出一第一簽章值R,以及根據該第一簽章值R、該EdDSA公鑰A及該訊息m計算一雜湊值c,再根據該秘密k、該訊息m、該雜湊值c、本身的一伯克霍夫(Birkhoff)係數b i及所述秘密d i計算出相應的一數值S i,其中,i為正整數;以及 一簽章模組,連接該驗證模組,用以執行安全驗證協定(Secure Validation Protocol)以相互驗證該第一主機及該第二主機雙方在該第一布林電路所獲得的該第一評估值相同,當相同時,加總所有所述數值S i以生成一第二簽章值s,並且根據該第一簽章值R與該第二簽章值s生成EdDSA數位簽章。 A threshold-type signature generation system based on obfuscation circuits, the system includes: two hosts, respectively a first host and a second host, the first host has a secret d 1 , a secret k 1 , and an X coordinate x 1 and a level value n 1 , the second host has a secret d 2 , a secret k 2 , 
an X coordinate x 2 and a level value n 2 , while the secret d 1 , the secret k 1 , the secret d 2 and the secret k 2 satisfy the following formula to generate a secret d and a secret k: BK(x 1 ,n 1 ) * d 1 + BK(x 2 ,n 2 ) * d 2 = d, BK(x 1 ,n 1 ) * k 1 + BK(x 2 ,n 2 ) * k 2 = k, where BK(x j , n j ) represents the Burkhoff coefficient, j is 1 or 2, and let an EdDSA formula The key A is d * B, and let a verification elliptic point L be k * B, B is a base point of Ed25519 or sr25519 elliptic curve group, each of said hosts includes: an obfuscation module, used to establish as an obfuscation circuit A first Bollinger circuit and a second Bollinger circuit, the first Bollinger circuit allows input of multiple input parameters, the input parameters include a parameter v1, a parameter v2, a parameter r1, a parameter r2, a Parameter n and a message m and output a first evaluation value, each of the input parameters is allowed to bring in a set of bit values, the second Bollinger circuit allows input of the parameter v1, the parameter v2, the parameter r1 and The parameter r2 and output a second evaluation value, the first evaluation value is H 2 (k, m) + r1 + r2 mod n, the second evaluation value is k + r1 + r2, wherein, H 2 ( k, m) means that the secret k and the message m are concatenated and hashed, the parameter n is the number of given elliptic curve groups, the value of the parameter v1 is BK(x 1 ,n 1 )k 1 mod n, The value of the parameter v2 is BK(x 2 ,n 2 )k 2 mod n; a generation module, used to generate a random random number as the parameter r1 and disclose a first host when the host is the first host A hash value, and when the host is the second host, a random random number is generated as the parameter r2 and a second hash value is disclosed, wherein the calculation formula of the first hash value is H(r1 * B) , the calculation formula of the second hash value is H(r2 * B), H represents a hash function; a first calculation module, connected to the generation 
module and the confusion module, when the host is the first host When the host is the second host, use its own parameter v1, the parameter r1 and the message m to input to the first Bollinger circuit, and when the host is the second host, use its own parameter v2 and the parameter r2 to input to the The first Bollinger circuit is used to jointly execute the first Bollinger circuit, so that the second host can obtain the first evaluation value according to the first Bollinger circuit, and then use the same The parameter v1, the parameter v2, the parameter r1 and the parameter r2 jointly execute the second Bollinger circuit to obtain the second evaluation value, and disclose a first public value, the formula of the first public value is r1 * B; A second calculation module, connected to the generation module and the confusion module, used to input the parameter v2, the parameter r2 and the message m to the computer when the host is the second host The first Bollinger circuit, and when the host is the first host, use its own parameter v1 and the parameter r1 to input to the first Bollinger circuit to jointly execute the first Bollinger circuit, so that the The first host obtains the first evaluation value according to the first Bollinger circuit, and then uses the same parameter v1, the parameter v2, the parameter r1, and the parameter r2 to jointly execute the second Bollinger circuit to obtain the second evaluation value, and disclose a second public value, the calculation formula of the second public value is r2 * B; a verification module, connected to the first calculation module and the second calculation module, to verify the obtained by itself Whether the hash value calculated by the first public value and the second public value is equal to the received first hash value and the second hash value and whether the product of the second evaluation value and the base point is equal to the verification ellipse point L. 
The sum of the first public value and the second public value is equal, and when the verification results are all equal, a first sign is calculated according to the message m, the first public value, the second public value and the base point seal value R, and calculate a hash value c based on the first signature value R, the EdDSA public key A, and the message m, and then calculate a hash value c based on the secret k, the message m, the hash value c, and its own Birkenstock Birkhoff (Birkhoff) coefficient b i and the secret d i calculate a corresponding value S i , where i is a positive integer; and a signature module connected to the verification module to execute the security verification protocol (Secure Validation Protocol) to mutually verify that the first evaluation value obtained by both the first host and the second host in the first Bollinger circuit is the same, and if they are the same, add up all the values S i to generate a second signature value s, and generate an EdDSA digital signature according to the first signature value R and the second signature value s. 
The threshold signature generation system based on garbled circuit of claim 1, wherein the first Boolean circuit and the second Boolean circuit implement the garbled circuit and secure multi-party computation (Multi-Party Computation, MPC) by means of at least one of an AND operation and an exclusive-OR (XOR) operation, and have a plurality of input wires for inputting the input parameters, the set of bit values carried by each input parameter being a 256-bit value; the first Boolean circuit is a logic circuit satisfying the following condition: MPCEdDSA(v1,v2,r1,r2,n,m) = H_2(k,m) + r1 + r2 mod n; and the second Boolean circuit is a logic circuit satisfying the following condition: ModAdd(v1,v2,r1,r2) = k + r1 + r2.

The threshold signature generation system based on garbled circuit of claim 1, wherein the first signature value R is calculated as follows: R = MPCEdDSA(v1,v2,r1,r2,n,m) * B - r1 * B - r2 * B, where MPCEdDSA(v1,v2,r1,r2,n,m) represents the first Boolean circuit, from which the first evaluation value is obtained.

The threshold signature generation system based on garbled circuit of claim 1, wherein the value S_i is calculated as follows: S_i = r + c * b_i * d_i, where r = H_2(k,w).

The threshold signature generation system based on garbled circuit of claim 1, wherein the hash value c is calculated as follows: c = SHA512(R || A || m), where SHA512 is a hash function and the symbol || represents concatenation.

A threshold signature generation method based on garbled circuit, the steps of which include:

(A) providing a first host and a second host, the first host having a secret d_1, a secret k_1, an X coordinate x_1 and a level value n_1, and the second host having a secret d_2, a secret k_2, an X coordinate x_2 and a level value n_2, wherein the secret d_1, the secret k_1, the secret d_2 and the secret k_2 satisfy the following formulas to generate a secret d and a secret k: BK(x_1,n_1) * d_1 + BK(x_2,n_2) * d_2 = d, BK(x_1,n_1) * k_1 + BK(x_2,n_2) * k_2 = k, where BK(x_j,n_j) represents the Birkhoff coefficient and j is 1 or 2, and letting an EdDSA public key A be d * B and a verification elliptic point L be k * B, where B is a base point of the Ed25519 or sr25519 elliptic curve group;

(B) providing a first Boolean circuit and a second Boolean circuit as the garbled circuit, the first Boolean circuit allowing input of a plurality of input parameters, the input parameters including a parameter v1, a parameter v2, a parameter r1, a parameter r2, a parameter n and a message m, and outputting a first evaluation value, each of the input parameters being allowed to carry its own set of bit values, the second Boolean circuit allowing input of the parameter v1, the parameter v2, the parameter r1 and the parameter r2 and outputting a second evaluation value, the first evaluation value being H_2(k,m) + r1 + r2 mod n and the second evaluation value being k + r1 + r2, where H_2(k,m) represents hashing the concatenation of the secret k and the message m, the parameter n is the order (number of elements) of the given elliptic curve group, the value of the parameter v1 is BK(x_1,n_1)k_1 mod n, and the value of the parameter v2 is BK(x_2,n_2)k_2 mod n;

(C) the first host generating a random number as the parameter r1 and disclosing a first hash value, and the second host generating a random number as the parameter r2 and disclosing a second hash value, where the first hash value is calculated as H(r1 * B), the second hash value is calculated as H(r2 * B), and H represents a hash function;

(D) the first host using its own parameter v1, parameter r1 and the message m, and the second host using its own parameter v2 and parameter r2, to jointly execute the first Boolean circuit so that the second host obtains the first evaluation value from the first Boolean circuit, then using the same parameter v1, parameter v2, parameter r1 and parameter r2 to jointly execute the second Boolean circuit to obtain the second evaluation value, and disclosing a first public value, the first public value being calculated as r1 * B;

(E) the second host using its own parameter v2, parameter r2 and the message m, and the first host using its own parameter v1 and parameter r1, to jointly execute the first Boolean circuit so that the first host obtains the first evaluation value from the first Boolean circuit, then using the same parameter v1, parameter v2, parameter r1 and parameter r2 to jointly execute the second Boolean circuit to obtain the second evaluation value, and disclosing a second public value, the second public value being calculated as r2 * B;

(F) the first host and the second host each verifying whether the hash values calculated from the first public value and the second public value it obtained are equal to the received first hash value and second hash value, and whether the product of the second evaluation value and the base point is equal to the sum of the verification elliptic point L, the first public value and the second public value; when the verification results are all equal, each calculating a first signature value R according to the message m, the first public value, the second public value and the base point, calculating a hash value c according to the first signature value R, the EdDSA public key A and the message m, and then calculating a corresponding value S_i according to the secret k, the message m, the hash value c, its own Birkhoff coefficient b_i and the secret d_i, where i is a positive integer;

(G) the first host and the second host both executing the Secure Validation Protocol to mutually verify that the first evaluation values obtained by the two parties from the first Boolean circuit are the same; and

(H) the first host and the second host each adding up all the values S_i to generate a second signature value s, and generating an EdDSA digital signature according to the first signature value R and the second signature value s;

wherein step (D) and step (E) are allowed to be performed simultaneously, and step (G) and step (H) are allowed to be performed simultaneously.

The threshold signature generation method based on garbled circuit of claim 6, wherein the first Boolean circuit and the second Boolean circuit implement the garbled circuit and secure multi-party computation (Multi-Party Computation, MPC) by means of at least one of an AND operation and an exclusive-OR (XOR) operation, and have a plurality of input wires for inputting the input parameters, the set of bit values carried by each input parameter being a 256-bit value; the first Boolean circuit is a logic circuit satisfying the following condition: MPCEdDSA(v1,v2,r1,r2,n,m) = H_2(k,m) + r1 + r2 mod n; and the second Boolean circuit is a logic circuit satisfying the following condition: ModAdd(v1,v2,r1,r2) = k + r1 + r2.

The threshold signature generation method based on garbled circuit of claim 6, wherein the first signature value R is calculated as follows: R = MPCEdDSA(v1,v2,r1,r2,n,m) * B - r1 * B - r2 * B, where MPCEdDSA(v1,v2,r1,r2,n,m) represents the first Boolean circuit, from which the first evaluation value is obtained.

The threshold signature generation method based on garbled circuit of claim 6, wherein the value S_i is calculated as follows: S_i = r + c * b_i * d_i, where r = H_2(k,m).

The threshold signature generation method based on garbled circuit of claim 6, wherein the hash value c is calculated as follows: c = SHA512(R || A || m), where SHA512 is a hash function and the symbol || represents concatenation.
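The commitment check, the ModAdd consistency check and the unblinding of R from steps (C) through (F) of the method claim, as an added example that is not part of the patent. Assumptions: the two Boolean circuits are computed in the clear rather than as garbled circuits, v1 and v2 are random stand-ins for the Birkhoff-weighted shares, n is taken as the order of B on Ed25519, SHA-512 is used for H and H_2, and all function names are hypothetical.

```python
import hashlib, secrets

# Ed25519 constants from RFC 8032; n is taken as the order of base point B.
p = 2**255 - 19
n = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, -1, p) % p
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     4 * pow(5, -1, p) % p)
O = (0, 1)  # neutral element

def add(P, Q):  # complete twisted Edwards addition, affine coordinates
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def mul(s, P):  # double-and-add; not constant time, for illustration only
    Q = O
    while s:
        if s & 1:
            Q = add(Q, P)
        P, s = add(P, P), s >> 1
    return Q

def neg(P):
    return (-P[0] % p, P[1])

def H(P):  # commitment hash H(r*B); SHA-512 is an assumption
    return hashlib.sha512(b"%d,%d" % P).digest()

def H2(k, m):  # H_2(k,m): hash of k || m reduced mod n; SHA-512 is an assumption
    data = k.to_bytes(32, "little") + m
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % n

def step_f(e1, e2, L, R1, R2, c1, c2):
    """One host's checks from step (F); returns R, or None if a check fails."""
    if H(R1) != c1 or H(R2) != c2:
        return None                      # opened r_i*B differs from step (C) commitment
    if mul(e2, B) != add(L, add(R1, R2)):
        return None                      # k fed to the circuits is inconsistent with L = k*B
    return add(mul(e1, B), neg(add(R1, R2)))  # R = e1*B - r1*B - r2*B

def run(m, tamper=0):
    """Simulate steps (C)-(F); `tamper` shifts the v2 fed into the circuits."""
    v1, v2 = secrets.randbelow(n), secrets.randbelow(n)  # stand-ins for BK(x_i,n_i)*k_i mod n
    k = (v1 + v2) % n
    L = mul(k, B)                                        # verification elliptic point
    r1, r2 = secrets.randbelow(n), secrets.randbelow(n)
    R1, R2 = mul(r1, B), mul(r2, B)                      # first and second public values
    k_in = (v1 + v2 + tamper) % n                        # k as seen inside the circuits
    e1 = (H2(k_in, m) + r1 + r2) % n                     # first circuit, in the clear
    e2 = k_in + r1 + r2                                  # second circuit, in the clear
    return step_f(e1, e2, L, R1, R2, H(R1), H(R2)), mul(H2(k, m), B)
```

With honest inputs the unblinded R equals H_2(k,m) * B; a host that feeds a share inconsistent with L into the circuits is caught by the second check before any S_i is computed.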
TW111116933A 2022-05-05 2022-05-05 Threshold signature generation system based on garbled circuit and method thereof TWI795284B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW111116933A TWI795284B (en) 2022-05-05 2022-05-05 Threshold signature generation system based on garbled circuit and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW111116933A TWI795284B (en) 2022-05-05 2022-05-05 Threshold signature generation system based on garbled circuit and method thereof

Publications (2)

Publication Number Publication Date
TWI795284B true TWI795284B (en) 2023-03-01
TW202345542A TW202345542A (en) 2023-11-16

Family

ID=86692344

Family Applications (1)

Application Number Title Priority Date Filing Date
TW111116933A TWI795284B (en) 2022-05-05 2022-05-05 Threshold signature generation system based on garbled circuit and method thereof

Country Status (1)

Country Link
TW (1) TWI795284B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200162251A1 (en) * 2018-11-09 2020-05-21 Ares Technologies, Inc. Systems and methods for distributed key storage
CN113972981A (en) * 2021-09-29 2022-01-25 中国科学院大学 Efficient threshold signature method based on SM2 cryptographic algorithm
CN114070556A (en) * 2021-11-15 2022-02-18 成都卫士通信息产业股份有限公司 Threshold ring signature method and device, electronic equipment and readable storage medium
US20220058642A1 (en) * 2018-10-02 2022-02-24 Capital One Services, Llc Systems and methods for amplifying the strength of cryptographic algorithms
TWI759138B (en) * 2021-03-15 2022-03-21 英屬開曼群島商現代財富控股有限公司 Threshold signature scheme system based on inputting password and method thereof
CN114338028A (en) * 2020-09-28 2022-04-12 华为技术有限公司 Threshold signature method and device, electronic equipment and readable storage medium
