TWI799286B - Random number generation system for threshold signature scheme and method thereof - Google Patents

Random number generation system for threshold signature scheme and method thereof Download PDF

Info

Publication number
TWI799286B
TWI799286B TW111121123A TW111121123A TWI799286B TW I799286 B TWI799286 B TW I799286B TW 111121123 A TW111121123 A TW 111121123A TW 111121123 A TW111121123 A TW 111121123A TW I799286 B TWI799286 B TW I799286B
Authority
TW
Taiwan
Prior art keywords
parameter
host
value
circuit
bollinger
Prior art date
Application number
TW111121123A
Other languages
Chinese (zh)
Other versions
TW202349241A (en
Inventor
莊治耘
Original Assignee
英屬開曼群島商現代財富控股有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 英屬開曼群島商現代財富控股有限公司 filed Critical 英屬開曼群島商現代財富控股有限公司
Priority to TW111121123A priority Critical patent/TWI799286B/en
Application granted granted Critical
Publication of TWI799286B publication Critical patent/TWI799286B/en
Publication of TW202349241A publication Critical patent/TW202349241A/en

Links

Images

Abstract

A random number generation system for threshold signature scheme (TSS) and method thereof is disclosed. By providing a first Boolean circuit and a second Boolean circuit as the garbled circuit for two hosts to input a plurality of input parameters and jointly to perform secure multi-party computation, so as to the two hosts each obtain a first evaluation value of the first Boolean circuit and a second evaluation value of the second Boolean circuit, and calculating a random value for TSS respectively, and then broadcasting the product of the random number and the base point of each host for verifying whether the input parameters of both parties are correct and whether the results obtained by the garbled circuit are the same, so as to determine that the calculated random number conforms to a request for comments (RFC) 6979 standard, so that the signature generated based on the random number can be used to generate a layer2 private key without revealing the original private key. The mechanism is help to improve the availability of signatures.

Description

門檻式簽章的亂數生成系統及其方法Random Number Generation System and Method for Threshold Signature

本發明涉及一種亂數生成系統及其方法,特別是門檻式簽章的亂數生成系統及其方法。 The invention relates to a random number generating system and method thereof, in particular to a threshold type signature random number generating system and method thereof.

近年來,隨著區塊鏈的普及與蓬勃發展,各種基於區塊鏈的交易技術如雨後春筍般湧現,而為了強化交易的安全性,便有廠商提出改用多方共同簽章(或稱為簽名)的方式,在不還原私鑰的前提下產生簽章來避免因私鑰外洩導致簽章可能被偽造的問題。 In recent years, with the popularization and vigorous development of blockchain, various transaction technologies based on blockchain have sprung up like mushrooms. In order to strengthen the security of transactions, some manufacturers have proposed to use multi-party joint signature (or signature ) method to generate a signature without restoring the private key to avoid the problem that the signature may be forged due to the leakage of the private key.

一般而言,傳統橢圓曲線數位簽章演算法(Elliptic Curve Digital Signature Algorithm,ECDSA)的簽章是透過請求意見稿(Request for Comments,RFC)6979標準所定義的方式生成簽章過程中所使用的亂數k,此亂數k是由私鑰和訊息以函數(如:HMAC-SHA256)透過RFC 6979定義的流程生成。然而,由於原本的ECDSA的簽章方法並未強制亂數k必須使用定義的方式來生成,所以在不還原私鑰的前提下,改用N個使用者共同執行ECDSA時,通常是使用各自隨機選取的亂數ki來產生亂數k且其滿足「k=k1+...+kn」,在這種情況下,亂數 k並不符合RFC 6979定義的方式所計算出來的值,這將導致在以太坊(Ethereum)需要生成第二層(Layer 2)私鑰的情況中發生問題,舉例來說,在生成第二層私鑰時會將已產生的ECDSA簽章作為一個種子(Seed),再基於此種子以演算法生成第二層私鑰,但是使用非RFC 6979定義的方式產生的亂數k所生成的簽章,存在無法確保第二層私鑰的生成且不洩漏原本私鑰的問題。 Generally speaking, the signature of the traditional Elliptic Curve Digital Signature Algorithm (ECDSA) is used in the process of generating the signature through the method defined in the Request for Comments (RFC) 6979 standard Random number k, this random number k is generated by the process defined by RFC 6979 by a private key and a message using a function (eg: HMAC-SHA256). However, since the original ECDSA signature method does not force the random number k to be generated in a defined way, without restoring the private key, when using N users to jointly execute ECDSA, usually use their own random number k. Select random number k i to generate random number k and satisfy "k=k 1 +...+k n ", in this case, random number k does not conform to the value calculated by the method defined in RFC 6979 , which will cause problems in the case where Ethereum needs to generate the second layer (Layer 2) private key, for example, when generating the second layer private key, the generated ECDSA signature will be used as a seed (Seed), and then generate the second-level private key with an algorithm based on this seed, but the signature generated by using the random number k generated in a way not defined by RFC 6979 cannot ensure the generation of the second-level private key without leakage The original private key problem.

綜上所述,可知先前技術中長期以來一直具有在不還原私鑰的前提下,門檻式簽章的亂數合規性不佳的問題,因此實有必要提出改進的技術手段,來解決此一問題。 To sum up, it can be seen that the previous technology has long had the problem of poor compliance of the random numbers of threshold signatures without restoring the private key. Therefore, it is necessary to propose improved technical means to solve this problem. a question.

本發明揭露一種門檻式簽章的亂數生成系統及其方法。 The invention discloses a random number generation system and method for a threshold signature.

首先,本發明揭露一種門檻式簽章的亂數生成系統,其包含:二個主機,分別為第一主機及第二主機,所述第一主機具有秘密d1、X座標x1及層級值n1,所述第二主機具有秘密d2、X座標x2及層級值n2,並且該秘密d1、該X座標x1、該層級值n1、該秘密d2、該X座標x2及該層級值n2滿足下列運算式以與私鑰d相等:「d=B(x1,n1)* d1+B(x2,n2)* d2」,其中,B(xi,ni)代表伯克霍夫係數(Birkhoff coefficient),以及i為1或2,每一所述主機皆包含:混淆模組、生成模組、第一計算模組、第二計算模組、驗證模組及確認模組。其中,混淆模組用以建立作為混淆電路的第一布林電路及第二布林電路,所述第一布林電路允許輸入多個輸入參數,所述輸入參數包含參數v1、參數v2、參數r1、參數r2、參數n及訊息m且輸出第一評估 值,每一所述輸入參數允許各自帶入一組位元值,所述第二布林電路允許輸入參數v1、參數v2、參數r1及參數r2且輸出第二評估值,所述第一評估值的運算式為「RFC6979(d,m)+r1+r2 mod n」,所述第二評估值的運算式為「d+r1+r2」,其中,RFC6979(d,m)的值與根據私鑰d及訊息m所生成的亂數k相同、參數n為給定橢圓曲線群的個數,參數v1的運算式為「B(x1,n1)d1 mod n」、參數v2的運算式為「B(x2,n2)d2 mod n」;生成模組用以在所述主機為第一主機時,產生隨機亂數以作為參數r1且公開第一雜湊值,以及在所述主機為第二主機時,產生隨機亂數以作為參數r2且公開第二雜湊值,其中,第一雜湊值的運算式為「H(r1 * G)」,第二雜湊值的運算式為「H(r2 * G)」,H代表雜湊函式,G為橢圓曲線群的基點(Base Point);第一計算模組連接生成模組及混淆模組,當所述主機為第一主機時,使用本身的參數v1、參數r1及訊息m輸入至第一布林電路,以及當所述主機為第二主機時,使用本身的參數v2及參數r2輸入至第一布林電路,用以共同執行第一布林電路,使第二主機根據第一布林電路獲得第一評估值且計算k2值,此k2值的運算式為「k2=(m2-2 * r2)/2 mod n」,其中,m2為第二主機獲得的第一評估值,第一主機及第二主機再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第一公開值,所述第一公開值的運算式為「r1 * G」;第二計算模組連接生成模組及混淆模組,用以在所述主機為第二主機時,使用本身的參數v2、參數r2及訊息m輸入至第一布林電路,以及在所述主機為第一主機時,使用本身的參數v1及參數r1輸入至第一布林電路,用以共同執行第一布林電路,使第一主機根據第一布林電路獲得第一評估值且計算k1值,此k1值的運算式為「k1=(m1-2 * r1)/2 mod n」,其中,m1為第一主機獲得的第一評估值,第一主機及第二主機再使用相同的參數v1、參 數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第二公開值,所述第二公開值的運算式為「r2 * G」;驗證模組連接第一計算模組及第二計算模組,用以驗證私鑰d、參數r1、參數r2、第一公開值、第二公開值及公鑰P是否滿足下列運算式:(d+r1+r2)* G=P+r1 * G+r2 * G,當滿足時,第一主機及第二主機再執行安全驗證協定(Secure Validation Protocol)以驗證雙方在第一布林電路所獲得的第一評估值是否相同;以及在驗證結果為相同時,第一主機將k1值作為本身執行門檻式簽章時使用的亂數,以及第二主機將k2值作為本身執行門檻式簽章時使用的亂數。 First of all, the present invention discloses a random number generation system for a threshold signature, which includes: two hosts, namely the first host and the second host, the first host has a secret d 1 , an X coordinate x 1 and a level value n 1 , the second host has secret d 2 , X coordinate x 2 and level value n 2 , and the secret d 1 , the X coordinate x 1 , the level value n 1 , the secret d 2 , the X coordinate x 2 and the level value n 2 satisfy the following formula to be equal to the private key d: "d=B(x 1 ,n 1 )* d 1 +B(x 2 ,n 2 )* d 2 ", where B( x i , ni ) represent the Birkhoff coefficient (Birkhoff coefficient), and i is 1 or 2, and each host includes: a confusion module, a generation module, a first calculation module, and a second calculation module group, verification module and validation module. Among them, the confusion module is used to establish the first Bollinger circuit and the second Bollinger circuit as a confusing circuit, and the first Bollinger circuit allows input of multiple input parameters, and the input parameters include parameter v1, parameter v2, parameter r1, parameter r2, parameter n, and message m and output the first evaluation value, each of the input parameters is allowed to bring in a set of bit values, and the second Bollinger circuit allows input of parameter v1, parameter v2, and parameter r1 and parameter r2 and output the second evaluation value, the calculation formula of the first evaluation value is "RFC6979(d,m)+r1+r2 mod n", the calculation formula of the second evaluation value is "d+r1+ r2", where the value of RFC6979(d,m) is the same as the random number k generated according to the private key d and message m, the parameter n is the number of given elliptic curve groups, and the calculation formula of the parameter v1 is "B( x 1 ,n 1 )d 1 mod n", the calculation formula of parameter v2 is "B(x 2 ,n 2 )d 2 mod n"; the generation module is used to generate random A random number is used as a parameter r1 and a first hash value is disclosed, and when the host is a second host, a random random number is generated as a parameter r2 and a second hash value is disclosed, wherein the calculation formula of the first hash value is " H(r1 * G)", the calculation formula of the second hash value is "H(r2 * G)", H represents the hash function, G is the base point (Base Point) of the elliptic curve group; the first calculation module is connected to generate module and confusion module, when the host is the first host, use its own parameter v1, parameter r1 and message m to input to the first Bollinger circuit, and when the host is the second host, use its own Parameter v2 and parameter r2 are input to the first Bollinger circuit to jointly execute the first Bollinger circuit, so that the second host can obtain the first evaluation value and calculate the k2 value according to the first Bollinger circuit. The calculation formula of the k2 value is "k2=(m2-2 * r2)/2 mod n", where m2 is the first evaluation value obtained by the second host, and the first host and the second host use the same parameter v1, parameter v2, parameter r1 and The parameter r2 jointly executes the second Bollinger circuit to obtain the second evaluation value, and discloses the first public value. The calculation formula of the first public value is "r1 * G"; the second calculation module is connected to the generation module and the confusion A module for inputting its own parameter v2, parameter r2 and message m to the first Bollinger circuit when the host is the second host, and using its own parameter v1 when the host is the first host and the parameter r1 are input to the first Bollinger circuit to jointly execute the first Bollinger circuit, so that the first host can obtain the first evaluation value and calculate the value of k1 according to the first Bollinger circuit. The formula for the value of k1 is "k1 =(m1-2 * r1)/2 mod n", where m1 is the first evaluation value obtained by the first host, and the first host and the second host use the same parameter v1, parameter v2, parameter r1 and parameter r2 Jointly execute the second Bollinger circuit to obtain the second evaluation value, and disclose the second public value, the calculation formula of the second public value is "r2 * G"; the verification module is connected to the first calculation module and the second calculation module The module is used to verify whether the private key d, parameter r1, parameter r2, first public value, second public value and public key P satisfy the following formula: (d+r1+r2)* G=P+r1 * G + r2 * G, when satisfied, the first host and the second host then execute the Secure Validation Protocol to verify whether the first evaluation values obtained by the two parties in the first Bollinger circuit are the same; and when the verification result is At the same time, the first host uses the k1 value as the random number used when it performs the threshold signature, and the second host uses the k2 value as the random number it uses when it executes the threshold signature.

接著,本發明揭露一種門檻式簽章的亂數生成方法,其步驟包括:(A)第一主機具有秘密d1、X座標x1及層級值n1,第二主機具有秘密d2、X座標x2及層級值n2,並且秘密d1、X座標x1、層級值n1、秘密d2、X座標x2及層級值n2滿足下列運算式以與私鑰d相等:「d=B(x1,n1)* d1+B(x2,n2)* d2」,其中,B(xi,ni)代表伯克霍夫係數,以及i為1或2;(B)第一主機及第二主機皆提供作為混淆電路的第一布林電路及第二布林電路,第一布林電路允許輸入多個輸入參數,所述輸入參數包含參數v1、參數v2、參數r1、參數r2、參數n及訊息m且輸出第一評估值,每一所述輸入參數允許各自帶入一組位元值,第二布林電路允許輸入參數v1、參數v2、參數r1及參數r2且輸出第二評估值,所述第一評估值的運算式為「RFC6979(d,m)+r1+r2 mod n」,所述第二評估值的運算式為「d+r1+r2」,其中,「RFC6979(d,m)」的值與根據私鑰d及訊息m所生成的亂數k相同、參數n為給定橢圓曲線群的個數、參數v1的運算式為 「B(x1,n1)d1 mod n」、參數v2的運算式為「B(x2,n2)d2 mod n」;(C)第一主機產生隨機亂數以作為參數r1且公開第一雜湊值,第二主機產生隨機亂數以作為參數r2且公開第二雜湊值,其中,第一雜湊值的運算式為「H(r1 * G)」,第二雜湊值的運算式為「H(r2 * G)」,H代表雜湊函式,G為橢圓曲線群的基點;(D)第一主機使用本身的參數v1、參數r1及訊息m與第二主機使用本身的參數v2及參數r2共同執行第一布林電路,使第二主機根據第一布林電路獲得第一評估值且計算k2值,此k2值的運算式如下:k2=(m2-2 * r2)/2 mod n,其中,m2為第二主機獲得的第一評估值,第一主機及第二主機再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第一公開值,所述第一公開值的運算式為「r1 * G」;(E)第二主機使用本身的參數v2、參數r2及訊息m與第一主機使用本身的參數v1及參數r1共同執行第一布林電路,使第一主機根據第一布林電路獲得第一評估值且計算k1值,此k1值的運算式如下:k1=(m1-2 * r1)/2 mod n,其中,m1為第一主機獲得的第一評估值,第一主機及第二主機再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第二公開值,所述第二公開值的運算式為「r2 * G」;(F)第一主機及第二主機均驗證私鑰d、參數r1、參數r2、第一公開值、第二公開值及公鑰P是否滿足下列運算式:(d+r1+r2)* G=P+r1 * G+r2 * G, 當滿足時,第一主機及第二主機再執行安全驗證協定(Secure Validation Protocol)以驗證雙方在第一布林電路所獲得的第一評估值是否相同;(G)當驗證結果為相同時,第一主機將k1值作為本身執行門檻式簽章時使用的亂數,以及第二主機將k2值作為本身執行門檻式簽章時使用的亂數。其中,步驟(D)及步驟(E)允許同時執行。 Next, the present invention discloses a random number generation method of a threshold signature, the steps of which include: (A) the first host has secret d 1 , X coordinate x 1 and level value n 1 , the second host has secret d 2 , X The coordinate x 2 and the level value n 2 , and the secret d 1 , the X coordinate x 1 , the level value n 1 , the secret d 2 , the X coordinate x 2 and the level value n 2 satisfy the following formula to be equal to the private key d: "d =B(x 1 ,n 1 )* d 1 +B(x 2 ,n 2 )* d 2 ”, where B(x i ,n i ) represents the Burkhoff coefficient, and i is 1 or 2; (B) Both the first host and the second host provide the first Bollinger circuit and the second Bollinger circuit as confusing circuits, the first Bollinger circuit allows input of multiple input parameters, and the input parameters include parameter v1 and parameter v2 , parameter r1, parameter r2, parameter n, and message m, and output the first evaluation value, each of the input parameters is allowed to bring in a set of bit values, and the second Boolean circuit allows input of parameter v1, parameter v2, and parameter r1 and parameter r2 and output the second evaluation value, the calculation formula of the first evaluation value is "RFC6979(d,m)+r1+r2 mod n", the calculation formula of the second evaluation value is "d+r1+ r2", where the value of "RFC6979(d,m)" is the same as the random number k generated according to the private key d and message m, the parameter n is the number of given elliptic curve groups, and the expression of the parameter v1 is " B(x 1 ,n 1 )d 1 mod n", the calculation formula of parameter v2 is "B(x 2 ,n 2 )d 2 mod n"; (C) the first host generates a random random number as parameter r1 and The first hash value is disclosed, and the second host generates a random random number as parameter r2 and discloses the second hash value, wherein the calculation formula of the first hash value is "H(r1 * G)", and the calculation formula of the second hash value It is "H(r2 * G)", H represents the hash function, G is the base point of the elliptic curve group; (D) the first host uses its own parameter v1, parameter r1 and message m, and the second host uses its own parameter v2 Execute the first Bollinger circuit together with the parameter r2, so that the second host can obtain the first evaluation value and calculate the k2 value according to the first Bollinger circuit. The calculation formula of the k2 value is as follows: k2=(m2-2 * r2)/2 mod n, where m2 is the first evaluation value obtained by the second host, and the first host and the second host use the same parameter v1, parameter v2, parameter r1 and parameter r2 to jointly execute the second Bollinger circuit to obtain the second Evaluation value, and disclose the first public value, the calculation formula of the first public value is "r1 * G"; (E) The second host uses its own parameter v2, parameter r2 and message m and the first host uses its own The parameters v1 and r1 jointly execute the first Bollinger circuit, so that the first host can obtain the first evaluation value and calculate the k1 value according to the first Bollinger circuit. The calculation formula of the k1 value is as follows: k1=(m1-2 * r1) /2 mod n, where m1 is the first evaluation value obtained by the first host, and the first host and the second host use the same parameter v1, parameter v2, parameter r1 and parameter r2 to jointly execute the second Bollinger circuit to obtain The second evaluation value, and disclose the second public value, the calculation formula of the second public value is "r2 * G"; (F) Both the first host and the second host verify the private key d, parameter r1, parameter r2, Whether the first public value, the second public value, and the public key P satisfy the following calculation formula: (d+r1+r2)* G=P+r1 * G+r2 * G, when satisfied, the first host and the second host Then execute the Secure Validation Protocol to verify whether the first evaluation values obtained by both parties in the first Bollinger circuit are the same; (G) when the verification results are the same, the first host uses the k1 value as its own execution threshold The random number used when signing, and the random number used when the second host uses the k2 value as its own threshold signature. Wherein, step (D) and step (E) are allowed to be executed at the same time.

本發明所揭露之系統與方法如上,與先前技術的差異在於本發明是透過提供作為混淆電路的第一布林電路及第二布林電路以供二個主機輸入多個輸入參數並共同執行安全多方計算,使二個主機各自獲得第一布林電路的第一評估值及第二布林電路的第二評估值,以及分別計算出各自用於門檻式簽章的亂數值,再廣播各主機的隨機亂數與基點的乘積,用以驗證雙方的輸入參數是否正確及通過混淆電路獲得的結果是否相同,進而確定計算出的亂數值符合RFC 6979標準,以便使基於此亂數值生成的簽章能夠用於生成第二層私鑰且不洩漏原私鑰。 The system and method disclosed in the present invention are as above, and the difference from the prior art is that the present invention provides the first Bollinger circuit and the second Bollinger circuit as a confusing circuit for two hosts to input multiple input parameters and jointly execute security Multi-party calculation, so that the two hosts can respectively obtain the first evaluation value of the first Bollinger circuit and the second evaluation value of the second Bollinger circuit, and respectively calculate the random value used for the threshold signature, and then broadcast to each host The product of the random random number and the base point is used to verify whether the input parameters of both parties are correct and whether the results obtained through the confusion circuit are the same, and then determine that the calculated random value conforms to the RFC 6979 standard, so that the signature generated based on this random value It can be used to generate the second layer private key without revealing the original private key.

透過上述的技術手段,本發明可以達成提高簽章的可用性之技術功效。 Through the above-mentioned technical means, the present invention can achieve the technical effect of improving the usability of the signature.

100a,100b:主機 100a, 100b: host

110:混淆模組 110: Confusion Module

120:生成模組 120: Generate modules

130:第一計算模組 130: The first computing module

140:第二計算模組 140: Second computing module

150:驗證模組 150: Verification module

160:確認模組 160: Confirm the module

310:第一布林電路 310: The first Bollinger circuit

320:第二布林電路 320: Second Bollinger circuit

步驟210:一第一主機具有一秘密d1、一X座標x1及一層級值n1,以及一第二主機具有一秘密d2、一X座標x2及一層級值n2,並且該秘密d1、該X座標x1、該層級值n1、該秘密d2、該X座標x2及該層級值n2滿足下列運算式以與一私鑰d相等:d=B(x1,n1)* d1+B(x2,n2)* d2,其中,B(xi,ni)代表伯克霍夫係數(Birkhoff coefficient),以及i為1或2 Step 210: A first host has a secret d 1 , an X coordinate x 1 and a level value n 1 , and a second host has a secret d 2 , an X coordinate x 2 and a level value n 2 , and the The secret d 1 , the X coordinate x 1 , the level value n 1 , the secret d 2 , the X coordinate x 2 and the level value n 2 satisfy the following formula to be equal to a private key d: d=B(x 1 ,n 1 )* d 1 +B(x 2 ,n 2 )* d 2 , where B( xi ,n i ) represents the Birkhoff coefficient, and i is 1 or 2

步驟220:提供作為混淆電路的一第一布林電路及一第二布林電路,該第一布林電路允許輸入多個輸入參數,所述輸入參數包含一參數v1、一參數v2、一參數r1、一參數r2、一參數n及一訊息m且輸出一第一評估值,每一所述輸入參數允許各自帶入一組位元值,該第二布林電路允許輸入該參數v1、該參數v2、該參數r1及該參數r2且輸出一第二評估值,所述第一評估值的運算式為RFC6979(d,m)+r1+r2 mod n,所述第二評估值的運算式為d+r1+r2,其中,RFC6979(d,m)的值與根據該私鑰d及一訊息m所生成的一亂數k相同、該參數n為給定橢圓曲線群的個數、該參數v1的運算式為B(x1,n1)d1 mod n、該參數v2的運算式為B(x2,n2)d2 mod n Step 220: provide a first Bollinger circuit and a second Bollinger circuit as a confusing circuit, the first Bollinger circuit allows input of multiple input parameters, the input parameters include a parameter v1, a parameter v2, a parameter r1, a parameter r2, a parameter n and a message m and output a first evaluation value, each of the input parameters is allowed to bring in a set of bit values, the second Boolean circuit allows input of the parameters v1, the Parameter v2, the parameter r1 and the parameter r2 and output a second evaluation value, the calculation formula of the first evaluation value is RFC6979(d, m)+r1+r2 mod n, the calculation formula of the second evaluation value is d+r1+r2, wherein, the value of RFC6979(d, m) is the same as a random number k generated according to the private key d and a message m, the parameter n is the number of given elliptic curve groups, the The calculation formula of the parameter v1 is B(x 1 ,n 1 )d 1 mod n, and the calculation formula of the parameter v2 is B(x 2 ,n 2 )d 2 mod n

步驟230:該第一主機產生隨機亂數以作為該參數r1且公開一第一雜湊值,該第二主機產生隨機亂數以作為該參數r2且公開一第二雜湊值,其中,該第一雜湊值的運算式為H(r1 * G),該第二雜湊值的運算式為H(r2 * G),H代表雜湊函式,G為橢圓曲線群的基點(Base Point) Step 230: The first host generates a random random number as the parameter r1 and discloses a first hash value, the second host generates a random random number as the parameter r2 and discloses a second hash value, wherein the first The calculation formula of the hash value is H(r1 * G), the calculation formula of the second hash value is H(r2 * G), H represents the hash function, and G is the base point of the elliptic curve group (Base Point)

步驟240:該第一主機使用本身的該參數v1、該參數r1及該訊息m與該第二主機使用本身的該參數v2及該參數r2共同執行該第一布林電路,使該第二主機根據該第一布林電路獲得該第一評估值且計算一k2值,該k2值的運算式如下:k2=(m2-2 * r2)/2 mod n,其中,m2為該第二主機獲得的該第一評估值,該第一主機及該第二主機再使用相同的該參數v1、該參數v2、該參數r1及該參數r2共同執行該第二布林電路以獲得該第二評估值,以及公開一第一公開值,該第一公開值的運算式為r1 * G Step 240: The first host uses its own parameter v1, the parameter r1, and the message m and the second host uses its own parameter v2 and the parameter r2 to jointly execute the first Bollinger circuit, so that the second host The first evaluation value is obtained according to the first Bollinger circuit and a k2 value is calculated. The calculation formula of the k2 value is as follows: k2=(m2-2*r2)/2 mod n, wherein, m2 is obtained by the second host The first evaluation value, the first host and the second host then use the same parameter v1, the parameter v2, the parameter r1 and the parameter r2 to jointly execute the second Bollinger circuit to obtain the second evaluation value , and disclose a first public value, the formula of the first public value is r1 * G

步驟250:該第二主機使用本身的該參數v2、該參數r2及該訊息m與該第一主機使用本身的該參數v1及該參數r1共同執行該第一布林電路,使該第一主機根據該第一布林電路獲得該第一評估值且計算一k1值,該k1值的運算式如下:k1=(m1-2 * r1)/2 mod n,其中,m1為該第一主機獲得的該第一評估值,該第一主機及該第二主機再使用相同的該參數v1、該參數v2、該參數r1及該參數r2共同執行該第二布林電路以獲得該第二評估值,以及公開一第二公開值,該第二公開值的運算式為r2 * G Step 250: The second host uses its own parameter v2, the parameter r2 and the message m to execute the first Bollinger circuit with the first host using its own parameter v1 and the parameter r1, so that the first host The first evaluation value is obtained according to the first Bollinger circuit and a k1 value is calculated. The calculation formula of the k1 value is as follows: k1=(m1-2*r1)/2 mod n, wherein, m1 is obtained by the first host The first evaluation value, the first host and the second host then use the same parameter v1, the parameter v2, the parameter r1 and the parameter r2 to jointly execute the second Bollinger circuit to obtain the second evaluation value , and disclose a second public value, the calculation formula of the second public value is r2 * G

步驟260:該第一主機及該第二主機均驗證該私鑰d、該參數r1、該參數r2、該第一公開值、該第二公開值及一公鑰P是否滿足下列運算式:(d+r1+r2)* G=P+r1 * G+r2 * G, 當滿足時,該第一主機及該第二主機再執行一安全驗證協定(Secure Validation Protocol)以驗證雙方在該第一布林電路所獲得的該第一評估值是否相同 Step 260: Both the first host and the second host verify whether the private key d, the parameter r1, the parameter r2, the first public value, the second public value, and a public key P satisfy the following formula: ( d+r1+r2)*G=P+r1*G+r2*G, When satisfied, the first host and the second host execute a Secure Validation Protocol (Secure Validation Protocol) to verify whether the first evaluation value obtained by the two parties in the first Bollinger circuit is the same

步驟270:當驗證結果為相同時,該第一主機將該k1值作為本身執行門檻式簽章時使用的亂數,以及該第二主機將該k2值作為本身執行門檻式簽章時使用的亂數 Step 270: When the verification results are the same, the first host uses the k1 value as the random number used when it performs the threshold signature, and the second host uses the k2 value as the random number used when it executes the threshold signature. random number

第1圖為本發明門檻式簽章的亂數生成系統的系統方塊圖。 Fig. 1 is a system block diagram of the random number generating system of the threshold type signature of the present invention.

第2A圖至第2C圖為本發明門檻式簽章的亂數生成方法的方法流程圖。 Fig. 2A to Fig. 2C are method flow charts of the random number generation method of the threshold type signature of the present invention.

第3圖為應用本發明的混淆電路的示意圖。 Fig. 3 is a schematic diagram of an obfuscation circuit applying the present invention.

以下將配合圖式及實施例來詳細說明本發明之實施方式,藉此對本發明如何應用技術手段來解決技術問題並達成技術功效的實現過程能充分理解並據以實施。 The implementation of the present invention will be described in detail below in conjunction with the drawings and examples, so as to fully understand and implement the implementation process of how the present invention uses technical means to solve technical problems and achieve technical effects.

首先,在說明本發明所揭露之門檻式簽章的亂數生成系統及其方法之前,先對本發明的目的作說明,本發明的目的是要在門檻式簽章的環境下,以不還原私鑰為基礎,使每個主機共同執行ECDSA時,用於生成簽章的亂數需符合RFC 6979定義的生成方式,以便產生的簽章能夠應用在如:零知識匯總(ZK-Rollups)的環境以作為生成第二層私鑰之用,並且不會洩漏原私鑰。 First of all, before explaining the random number generation system and method of the threshold signature disclosed in the present invention, the purpose of the present invention will be described first. The purpose of the present invention is to avoid restoring private Key-based, so that when each host executes ECDSA together, the random number used to generate the signature must conform to the generation method defined by RFC 6979, so that the generated signature can be applied in an environment such as: zero-knowledge rollup (ZK-Rollups) It is used to generate the second-level private key, and the original private key will not be disclosed.

以下配合圖式對本發明門檻式簽章的亂數生成系統及其方法做進一步說明,請先參閱「第1圖」,「第1圖」為本發明門檻式簽章的亂數生成系統的第一實施例之系統方塊圖,此系統包含:二個主機(100a、100b),分別為第一主機100a及第二主機100b,所述第一主機100a具有秘密d1、X座標x1及層級值(Rank)n1,所述第二主機100b具有秘密d2、X座標x2及層級值n2,並且秘密d1、X座標x1、層級值n1、秘密d2、X座標x2及層級值n2兩足下列運算式以與私鑰d相等:「d=B(x1,n1)* d1+B(x2,n2)* d2」;以及。 The random number generation system and method of the threshold-type signature of the present invention will be further described below in conjunction with the drawings. Please refer to "Fig. 1" first. "Fig. 1" is the first random number generation system of the threshold-type signature of the present invention. A system block diagram of an embodiment, the system includes: two hosts (100a, 100b), respectively the first host 100a and the second host 100b, the first host 100a has a secret d 1 , an X coordinate x 1 and a level value (Rank) n 1 , the second host 100b has secret d 2 , X coordinate x 2 and rank value n 2 , and secret d1, X coordinate x1, rank value n1, secret d2, X coordinate x2 and rank value n2 The biped following operation formula is equal to the private key d: "d=B(x 1 ,n 1 )*d 1 +B(x 2 ,n 2 )*d 2 "; and.

其中,B(xi,ni)代表伯克霍夫係數,以及i為1或2,每一所述主機(100a、100b)皆包含:混淆模組110、生成模組120、第一計算模組130、第二計算模組140、驗證模組150及確認模組160。其中,混淆模組110用以建立作為混淆電路的第一布林電路及第二布林電路,所述第一布林電路允許輸入多個輸入參數,所述輸入參數包含參數v1、參數v2、參數r1、參數r2、參數n及訊息m 且輸出第一評估值,每一所述輸入參數允許各自帶入一組位元值,所述第二布林電路允許輸入參數v1、參數v2、參數r1及參數r2且輸出第二評估值,所述第一評估值的運算式為「RFC6979(d,m)+r1+r2 mod n」,所述第二評估值的運算式為「d+r1+r2」,其中,RFC6979(d,m)的值與根據私鑰d及訊息m所生成的亂數k相同、所述參數n為給定橢圓曲線群的個數,所述訊息m為訊息m的雜湊值、所述參數v1的運算式為「B(x1,n1)d1 mod n」、所述參數v2的運算式為「B(x2,n2)d2 mod n」。具體而言,混淆電路本質上是一個布林電路(Boolean circuit),其通過布林電路的觀點構造函式以進行計算,以便參與者可以針對某個數值來計算答案,而不需要知道參與者在函式中輸入的具體數字,混淆電路裡的安全多方計算可通過電路的方式來實現。在實際實施上,第一布林電路及該第二布林電路可通過及運算(AND)與互斥或運算(XOR)至少其中之一的方式實現混淆電路及安全多方計算(Multi-Party Computation,MPC),並且具有多個輸入線(Wire)以輸入所述輸入參數,每一所述輸入參數帶入的該組位元值為256位元的值,以六個輸入參數為例,合計帶入六個256位元的值。所述第一布林電路為滿足條件「MPCRFC6979(v1,v2,r1,r2,n,m)=RFC6979(d,m)+r1+r2 mod n」的邏輯電路,所述第二布林電路為滿足條件「ModAdd(v1,v2,r1,r2)=d+r1+r2」的邏輯電路。其中,「MPCRFC6979(v1,v2,r1,r2,n,m)」代表所述第一布林電路,「ModAdd(v1,v2,r1,r2)」代表第二布林電路。另外,所述亂數k係基於RFC 6979標準以私鑰d及訊息m,搭配雜湊訊息認證碼(Hash-based Message Authentication Code,HMAC)及雜湊演算法生成,但是實際上,第一主機100a及第二主機100b皆不知道亂數k的值。 Wherein, B( xi ,n i ) represents the Berkhoff coefficient, and i is 1 or 2, and each host (100a, 100b) includes: confusion module 110, generation module 120, first calculation The module 130 , the second calculation module 140 , the verification module 150 and the confirmation module 160 . Wherein, the confusion module 110 is used to establish a first Bollinger circuit and a second Bollinger circuit as a confusing circuit, and the first Bollinger circuit allows input of multiple input parameters, and the input parameters include parameter v1, parameter v2, Parameter r1, parameter r2, parameter n and message m and output the first evaluation value, each of the input parameters is allowed to bring in a set of bit values, and the second Boolean circuit allows input of parameter v1, parameter v2, parameter r1 and parameter r2 and output the second evaluation value, the calculation formula of the first evaluation value is "RFC6979(d,m)+r1+r2 mod n", the calculation formula of the second evaluation value is "d+r1 +r2", where the value of RFC6979 (d, m) is the same as the random number k generated according to the private key d and message m, the parameter n is the number of given elliptic curve groups, and the message m is the message The hash value of m, the calculation formula of the parameter v1 is "B(x 1 ,n 1 )d 1 mod n", the calculation formula of the parameter v2 is "B(x 2 ,n 2 )d 2 mod n" . Specifically, the confusion circuit is essentially a Boolean circuit (Boolean circuit), which uses the Boolean circuit's view constructor to perform calculations, so that participants can calculate the answer for a certain value without knowing that the participants The specific number entered in the function, the secure multi-party calculation in the confusing circuit can be realized by means of a circuit. In practical implementation, the first Bollinger circuit and the second Bollinger circuit can implement at least one of AND operation (AND) and exclusive OR operation (XOR) to realize confusion circuit and secure multi-party computation (Multi-Party Computation) , MPC), and has a plurality of input lines (Wire) to input the input parameters, the set of bit values brought by each input parameter is a value of 256 bits, taking six input parameters as an example, the total Enter six 256-bit values. The first Bollinger circuit is a logic circuit satisfying the condition "MPCRFC6979(v1,v2,r1,r2,n,m)=RFC6979(d,m)+r1+r2 mod n", and the second Bollinger circuit It is a logic circuit satisfying the condition "ModAdd(v1, v2, r1, r2)=d+r1+r2". Wherein, "MPCRFC6979(v1, v2, r1, r2, n, m)" represents the first Bollinger circuit, and "ModAdd(v1, v2, r1, r2)" represents the second Bollinger circuit. In addition, the random number k is generated based on the RFC 6979 standard with the private key d and the message m, combined with a hash-based message authentication code (Hash-based Message Authentication Code, HMAC) and a hash algorithm, but in fact, the first host 100a and Neither the second host 100b knows the value of the random number k.

生成模組120用以在所述主機(100a、100b)為第一主機100a時,產生隨機亂數以作為參數r1且公開第一雜湊值,以及在所述主機(100a、100b)為第二主機100b時,產生隨機亂數以作為參數r2且公開第二雜湊值,其中,第一雜湊值的運算式為「H(r1 * G)」,第二雜湊值的運算式為「H(r2 * G)」,G為橢圓曲線群的基點。 The generation module 120 is used to generate a random random number as the parameter r1 and disclose the first hash value when the host (100a, 100b) is the first host 100a, and to disclose the first hash value when the host (100a, 100b) is the second In the case of the host 100b, a random random number is generated as a parameter r2 and a second hash value is disclosed, wherein the calculation formula of the first hash value is "H(r1 * G)", and the calculation formula of the second hash value is "H(r2 * G)", G is the base point of the elliptic curve group.

第一計算模組130連接生成模組120及混淆模組110,當所述主機(100a、100b)為第一主機100a時,使用本身的參數v1、參數r1及訊息m輸入至第一布林電路,以及當所述主機(100a、100b)為第二主機100b時,使用本身的參數v2及參數r2輸入至第一布林電路,用以共同執行第一布林電路,使第二主機根據第一布林電路獲得第一評估值且計算k2值,所述k2值的運算式為k2=(m2-2 * r2)/2 mod n,其中,m2為第二主機100b獲得的第一評估值,第一主機100a及第二主機100b再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第一公開值,所述第一公開值的運算式為「r1 * G」。在實際實施上,可通過廣播(Broadcast)的方式公開第一公開值。 The first calculation module 130 is connected to the generation module 120 and the confusion module 110. When the host (100a, 100b) is the first host 100a, use its own parameter v1, parameter r1 and message m to input to the first Bollinger circuit, and when the host (100a, 100b) is the second host 100b, use its own parameter v2 and parameter r2 to input to the first Bollinger circuit, to jointly execute the first Bollinger circuit, so that the second host according to The first Bollinger circuit obtains the first evaluation value and calculates the value of k2, the formula of the k2 value is k2=(m2-2*r2)/2 mod n, wherein, m2 is the first evaluation obtained by the second host 100b Value, the first host 100a and the second host 100b use the same parameter v1, parameter v2, parameter r1 and parameter r2 to jointly execute the second Bollinger circuit to obtain the second evaluation value, and disclose the first public value, the first public value The calculation formula of a public value is "r1 * G". In actual implementation, the first public value may be disclosed in a broadcast manner.

第二計算模組140連接生成模組120及混淆模組110,用以在所述主機(100a、100b)為第二主機100b時,使用本身的參數v2、參數r2及訊息m輸入至第一布林電路,以及在所述主機(100a、100b)為第一主機100a時,使用本身的參數v1及參數r1輸入至第一布林電路,用以共同執行第一布林電路,使第一主機根據第一布林電路獲得第一評估值且計算k1值,此k1值的運算式為k1=(m1-2 * r1)/2 mod n,其中,m1為第一主機100a獲得的第一評估值,第一主機100a及第二主機100b再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布 林電路以獲得第二評估值,以及公開第二公開值,所述第二公開值的運算式為「r2 * G」。同樣地,在實際實施上,可通過廣播的方式公開第二公開值。 The second calculation module 140 is connected to the generation module 120 and the confusion module 110, so that when the host (100a, 100b) is the second host 100b, it uses its own parameter v2, parameter r2 and message m to input to the first Bollinger circuit, and when the host (100a, 100b) is the first host 100a, use its own parameter v1 and parameter r1 to input to the first Bollinger circuit to jointly execute the first Bollinger circuit, so that the first The host obtains the first evaluation value according to the first Bollinger circuit and calculates the value of k1. The formula for the value of k1 is k1=(m1-2*r1)/2 mod n, where m1 is the first evaluation value obtained by the first host 100a. Evaluation value, the first host 100a and the second host 100b use the same parameter v1, parameter v2, parameter r1, and parameter r2 to jointly execute the second distribution The forest circuit obtains a second evaluation value, and discloses a second public value, and the calculation formula of the second public value is "r2 * G". Likewise, in actual implementation, the second public value may be disclosed in a broadcast manner.

驗證模組150連接第一計算模組130及第二計算模組140,用以驗證私鑰d、參數r1、參數r2、第一公開值、第二公開值及公鑰P是否滿足運算式「(d+r1+r2)* G=P+r1 * G+r2 * G」,當滿足時,第一主機100a及第二主機100b再執行安全驗證協定以驗證雙方在第一布林電路所獲得的第一評估值是否相同。在實際實施上,驗證模組150在驗證結果為不同時,將驅動所述主機(100a、100b)重新產生k1值及k2值,直到驗證結果為相同為止,也就是第一主機100a會重新產生k1值、第二主機100b會重新產生k2值。 The verification module 150 is connected to the first calculation module 130 and the second calculation module 140 to verify whether the private key d, parameter r1, parameter r2, first public value, second public value and public key P satisfy the formula " (d+r1+r2)* G=P+r1 * G+r2 * G", when satisfied, the first host 100a and the second host 100b execute the security verification protocol to verify the two parties obtained in the first Bollinger circuit whether the first evaluation value of is the same. In actual implementation, when the verification results are different, the verification module 150 will drive the hosts (100a, 100b) to regenerate the k1 and k2 values until the verification results are the same, that is, the first host 100a will regenerate For the k1 value, the second host 100b will regenerate the k2 value.

確認模組160連接驗證模組150,用以在驗證結果為相同時,第一主機100a將k1值作為本身執行門檻式簽章時使用的亂數,以及第二主機100b將k2值作為本身執行門檻式簽章時使用的亂數。如此一來,即可獲得門檻式簽章中使用的亂數k1和k2,同時滿足RFC 6979所定義的亂數生成方式所計算出的值,以便在雙方都不知道真正的亂數k的情況下,使得「k=k1+k2」且k1值只有第一主機100a知道,k2值只有第二主機100b知道,進而利用k1值和k2值生成符合RFC 6979定義的ECDSA簽章。 The confirmation module 160 is connected to the verification module 150, so that when the verification results are the same, the first host 100a uses the k1 value as the random number used when performing the threshold signature, and the second host 100b uses the k2 value as the self-execution The random number used for threshold signature. In this way, the random numbers k1 and k2 used in the threshold signature can be obtained, while meeting the values calculated by the random number generation method defined in RFC 6979, so that when neither party knows the real random number k Next, make "k=k1+k2" and only the first host 100a knows the value of k1, and only the second host 100b knows the value of k2, and then use the values of k1 and k2 to generate an ECDSA signature conforming to the definition of RFC 6979.

特別要說明的是,在實際實施上,本發明所述的模組皆可利用各種方式來實現,包含軟體、硬體或其任意組合,例如,在某些實施方式中,各模組可利用軟體及硬體或其中之一來實現,除此之外,本發明亦可部分地或完全地基於硬體來實現,例如,系統中的一個或多個模組可以透過積體電路晶片、系統單晶片(System on Chip,SoC)、複雜可程式邏輯裝置(Complex Programmable Logic Device,CPLD)、現場可程式邏輯閘陣列(Field Programmable Gate Array, FPGA)等來實現。本發明可以是系統、方法及/或電腦程式。電腦程式可以包括電腦可讀儲存媒體,其上載有用於使處理器實現本發明的各個方面的電腦可讀程式指令,電腦可讀儲存媒體可以是可以保持和儲存由指令執行設備使用的指令的有形設備。電腦可讀儲存媒體可以是但不限於電儲存設備、磁儲存設備、光儲存設備、電磁儲存設備、半導體儲存設備或上述的任意合適的組合。電腦可讀儲存媒體的更具體的例子(非窮舉的列表)包括:硬碟、隨機存取記憶體、唯讀記憶體、快閃記憶體、光碟、軟碟以及上述的任意合適的組合。此處所使用的電腦可讀儲存媒體不被解釋為瞬時訊號本身,諸如無線電波或者其它自由傳播的電磁波、通過波導或其它傳輸媒介傳播的電磁波(例如,通過光纖電纜的光訊號)、或者通過電線傳輸的電訊號。另外,此處所描述的電腦可讀程式指令可以從電腦可讀儲存媒體下載到各個計算/處理設備,或者通過網路,例如:網際網路、區域網路、廣域網路及/或無線網路下載到外部電腦設備或外部儲存設備。網路可以包括銅傳輸電纜、光纖傳輸、無線傳輸、路由器、防火牆、交換器、集線器及/或閘道器。每一個計算/處理設備中的網路卡或者網路介面從網路接收電腦可讀程式指令,並轉發此電腦可讀程式指令,以供儲存在各個計算/處理設備中的電腦可讀儲存媒體中。執行本發明操作的電腦程式指令可以是組合語言指令、指令集架構指令、機器指令、機器相關指令、微指令、韌體指令、或者以一種或多種程式語言的任意組合編寫的原始碼或目的碼(Object Code),所述程式語言包括物件導向的程式語言,如:Common Lisp、Python、C++、Objective-C、Smalltalk、Delphi、Java、Swift、C#、Perl、Ruby與PHP等,以及常規的程序式(Procedural)程式語言,如:C語言或類似的程式語言。所述電腦程式指令可以完全地在電腦上執行、部分地在電腦上執行、作 為一個獨立的軟體執行、部分在客戶端電腦上部分在遠端電腦上執行、或者完全在遠端電腦或伺服器上執行。 In particular, it should be noted that in actual implementation, the modules described in the present invention can be implemented in various ways, including software, hardware or any combination thereof. For example, in some implementations, each module can use software and hardware or one of them. In addition, the present invention can also be realized partially or completely based on hardware. For example, one or more modules in the system can be implemented through integrated circuit chips, system Single chip (System on Chip, SoC), complex programmable logic device (Complex Programmable Logic Device, CPLD), field programmable logic gate array (Field Programmable Gate Array, FPGA) etc. to achieve. The present invention can be a system, method and/or computer program. The computer program may include a computer-readable storage medium loaded with computer-readable program instructions for causing a processor to implement various aspects of the present invention, the computer-readable storage medium may be a tangible and equipment. A computer readable storage medium may be, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (non-exhaustive list) of computer-readable storage media include hard disks, random access memory, read-only memory, flash memory, optical disks, floppy disks, and any suitable combination of the foregoing. As used herein, computer-readable storage media are not to be construed as transient signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (for example, optical signals through fiber optic cables), or transmitted electrical signals. In addition, the computer-readable program instructions described herein can be downloaded from a computer-readable storage medium to each computing/processing device, or downloaded over a network, such as the Internet, a local area network, a wide area network, and/or a wireless network to an external computer device or external storage device. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, hubs and/or gateways. The network card or network interface in each computing/processing device receives computer-readable program instructions from the network, and forwards the computer-readable program instructions for storage in computer-readable storage media in each computing/processing device middle. The computer program instructions for performing the operations of the present invention may be assembly language instructions, instruction set architecture instructions, machine instructions, machine-related instructions, micro instructions, firmware instructions, or source code or object code written in any combination of one or more programming languages (Object Code), the programming language includes object-oriented programming language, such as: Common Lisp, Python, C++, Objective-C, Smalltalk, Delphi, Java, Swift, C#, Perl, Ruby and PHP, etc., as well as conventional programs Procedural programming language, such as: C language or similar programming language. The computer program instructions can be completely executed on the computer, partially executed on the computer, or Execute as a stand-alone piece of software, partly on the client computer and partly on the remote computer, or entirely on the remote computer or server.

請參閱「第2A圖」至「第2C圖」,「第2A圖」至「第2C圖」為本發明門檻式簽章的亂數生成方法的第一實施例之方法流程圖,其步驟包括:第一主機具有秘密d1、X座標x1及層級值n1,第二主機具有秘密d2、X座標x2及層級值n2,並且秘密d1、X座標x1、層級值n1、秘密d2、X座標x2及層級值n2滿足下列運算式以與私鑰d相等:d=B(x1,n1)* d1+B(x2,n2)* d2,其中,B(xi,ni)代表伯克霍夫係數,以及i為1或2(步驟210);提供作為混淆電路的第一布林電路及第二布林電路,所述第一布林電路允許輸入多個輸入參數,所述輸入參數包含參數v1、參數v2、參數r1、參數r2、參數n及訊息m且輸出第一評估值,每一所述輸入參數允許各自帶入一組位元值,所述第二布林電路允許輸入參數v1、參數v2、參數r1及參數r2且輸出第二評估值,所述第一評估值的運算式為「RFC6979(d,m)+r1+r2 mod n」,所述第二評估值的運算式為「d+r1+r2」,其中,RFC6979(d,m)的值與根據私鑰d及訊息m所生成的亂數k相同、參數n為給定橢圓曲線群的個數、參數v1的運算式為「B(x1,n1)d1 mod n」、參數v2的運算式為「B(x2,n2)d2 mod n」(步驟220);第一主機產生隨機亂數以作為參數r1且公開第一雜湊值,第二主機產生隨機亂數以作為參數r2且公開第二雜湊值,其中,第一雜湊值的運算式為「H(r1 * G)」,第二雜湊值的運算式為「H(r2 * G)」,H代表雜湊函式,G為橢圓曲線群的基點(Base Point)(步驟230);第一主機使用本身的參數v1、參數r1及訊息m與第二主機使用本身的參數v2及參數r2共同執行第一布林電路,使第二主機根據第一布林電路獲得第一 評估值且計算k2值,此k2值的運算式為「k2=(m2-2 * r2)/2 mod n」,其中,m2為第二主機100b獲得的第一評估值,第一主機100a及第二主機100b再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第一公開值,所述第一公開值的運算式為「r1 * G」(步驟240);第二主機使用本身的參數v2、參數r2及訊息m與第一主機使用本身的參數v1及參數r1共同執行第一布林電路,使第一主機100a根據第一布林電路獲得第一評估值且計算k1值,此k1值的運算式為「k1=(m1-2 * r1)/2 mod n」,第一主機100a及第二主機100b再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第二公開值,所述第二公開值的運算式為「r2 * G」(步驟250);第一主機100a及第二主機100b均驗證私鑰d、參數r1、參數r2、第一公開值、第二公開值及公鑰P是否滿足運算式「(d+r1+r2)* G=P+r1 * G+r2 * G」,當滿足時,第一主機100a及第二主機100b再執行安全驗證協定以驗證雙方在第一布林電路所獲得的第一評估值是否相同(步驟260);以及當驗證結果為相同時,第一主機100a將k1值作為本身執行門檻式簽章時使用的亂數,以及第二主機100b將k2值作為本身執行門檻式簽章時使用的亂數(步驟270)。其中,步驟240及步驟250允許同時執行。藉由上述步驟即可透過提供作為混淆電路的第一布林電路及第二布林電路以供二個主機輸入多個輸入參數並共同執行安全多方計算,使二個主機各自獲得第一布林電路的第一評估值及第二布林電路的第二評估值,以及分別計算出各自用於門檻式簽章的亂數值,再廣播各主機的隨機亂數與基點的乘積,用以驗證雙方的輸入參數是否正確及通過混淆電路獲得的結果是否相同,進而確定計算出的亂數值符合RFC 6979標準,以便使基於此亂數值生成的簽章能夠用於生成第二層私鑰且不洩漏原私鑰。 Please refer to "Fig. 2A" to "Fig. 2C". "Fig. 2A" to "Fig. 2C" are the method flow chart of the first embodiment of the random number generation method of the threshold type signature of the present invention, and the steps include : The first host has secret d 1 , X coordinate x 1 and level value n 1 , the second host has secret d 2 , X coordinate x 2 and level value n 2 , and secret d 1 , X coordinate x 1 , level value n 1. Secret d 2 , X coordinate x 2 and level value n 2 satisfy the following formula to be equal to private key d: d=B(x 1 ,n 1 )* d 1 +B(x 2 ,n 2 )* d 2 , wherein, B( xi , ni ) represents the Birkhoff coefficient, and i is 1 or 2 (step 210); provide the first Bollinger circuit and the second Bollinger circuit as a confusing circuit, the first Bollinger circuit A Bollinger circuit allows multiple input parameters to be input. The input parameters include parameter v1, parameter v2, parameter r1, parameter r2, parameter n and message m and output the first evaluation value. Each of the input parameters is allowed to be brought in A set of bit values, the second Bollinger circuit allows input of parameter v1, parameter v2, parameter r1 and parameter r2 and outputs a second evaluation value, the calculation formula of the first evaluation value is "RFC6979(d, m) +r1+r2 mod n", the calculation formula of the second evaluation value is "d+r1+r2", wherein, the value of RFC6979 (d, m) and the random number k generated according to the private key d and the message m Same, the parameter n is the number of given elliptic curve groups, the calculation formula of the parameter v1 is "B(x 1 ,n 1 )d 1 mod n", the calculation formula of the parameter v2 is "B(x 2 ,n 2 ) d 2 mod n" (step 220); the first host generates a random random number as parameter r1 and discloses the first hash value, and the second host generates random random number as parameter r2 and discloses the second hash value, wherein the first The calculation formula of the hash value is "H(r1 * G)", the calculation formula of the second hash value is "H(r2 * G)", H represents the hash function, and G is the base point of the elliptic curve group (Base Point) ( Step 230); the first host uses its own parameter v1, parameter r1 and message m and the second host uses its own parameter v2 and parameter r2 to jointly execute the first Bollinger circuit, so that the second host can obtain the first Bollinger circuit according to the first Bollinger circuit. an evaluation value and calculate the k2 value, the calculation formula of the k2 value is "k2=(m2-2*r2)/2 mod n", wherein, m2 is the first evaluation value obtained by the second host 100b, and the first host 100a and the second host 100b use the same parameter v1, parameter v2, parameter r1 and parameter r2 to jointly execute the second Bollinger circuit to obtain the second evaluation value, and disclose the first public value, the calculation formula of the first public value is "r1 * G" (step 240); the second host uses its own parameter v2, parameter r2 and message m to execute the first Bollinger circuit with the first host using its own parameter v1 and parameter r1, so that the first host 100a Obtain the first evaluation value and calculate the value of k1 according to the first Bollinger circuit. The calculation formula of the value of k1 is "k1=(m1-2 * r1)/2 mod n", which is used by the first host 100a and the second host 100b The same parameter v1, parameter v2, parameter r1 and parameter r2 jointly execute the second Bollinger circuit to obtain the second evaluation value, and disclose the second public value, the calculation formula of the second public value is "r2 * G" ( Step 250); the first host 100a and the second host 100b verify whether the private key d, parameter r1, parameter r2, first public value, second public value and public key P satisfy the formula "(d+r1+r2) * G=P+r1 * G+r2 * G", when satisfied, the first host 100a and the second host 100b execute the security verification protocol to verify whether the first evaluation values obtained by the two parties in the first Bollinger circuit are the same (step 260); and when the verification result is the same, the first host 100a uses the k1 value as the random number used when performing the threshold signature, and the second host 100b uses the k2 value as the random number used when performing the threshold signature itself random number (step 270). Wherein, step 240 and step 250 are allowed to be executed at the same time. Through the above steps, the first Bollinger circuit and the second Bollinger circuit can be provided as a confusing circuit for the two hosts to input multiple input parameters and jointly perform secure multi-party calculations, so that the two hosts can each obtain the first Bollinger circuit The first evaluation value of the circuit and the second evaluation value of the second Bollinger circuit, and respectively calculate the random value used for the threshold signature, and then broadcast the product of the random number and the base point of each host to verify both parties Whether the input parameters are correct and whether the results obtained through the obfuscation circuit are the same, and then determine that the calculated random value conforms to the RFC 6979 standard, so that the signature generated based on this random value can be used to generate the second-level private key without leaking the original private key.

以下配合「第3圖」以實施例的方式進行如下說明,「第3圖」為應用本發明的混淆電路的示意圖。在實際實施上,本發明的混淆電路包含第一布林電路310及第二布林電路320。其中,第一布林電路310提供輸入線以輸入參數v1(即:「B(x1,n1)d1 mod n」)、參數v2(即:「B(x2,n2)d2 mod n」)、參數r1(即:第一主機100a隨機挑選的亂數)、參數r2(即:第二主機100b隨機挑選的亂數)、參數n(即:給定橢圓曲線群的個數)及訊息m,可示意為「MPCEdDSA(v1,v2,r1,r2,n,m)」,並且輸出第一評估值「RFC6979(d,m)+r1+r2 mod n」其中,「RFC6979(d,m)」基本上是由雜湊函數「H(d∥m∥其他填補資訊)」為基底所組合而成,符號「∥」代表串聯,例如:「A∥B」代表「A」與「B」串聯即為「AB」,「AA∥BB」代表「AA」與「BB」串聯即為「AABB」;第二布林電路320提供輸入線以輸入參數v1、參數v2、參數r1及參數r2,可示意為「ModAdd(v1,v2,r1,r2)」,並且輸出第二評估值「d+r1+r2」。在建立上述第一布林電路310時,可使用「及運算(AND)」與「互斥或運算(XOR)」至少其中之一架構滿足條件「MPCEdDSA(v1,v2,r1,r2,n,m)=RFC6979(d,m)+r1+r2 mod n」的邏輯電路,而在建立第二布林電路時320,則同樣使用「及運算(AND)」與「互斥或運算(XOR)」至少其中之一架構滿足條件「ModAdd(v1,v2,r1,r2)=d+r1+r2」的邏輯電路。特別要說明的是,在同一次簽章中,第一布林電路310輸入的參數v1、參數v2、參數r1及參數r2等,同時也是第二布林電路320輸入的參數v1、參數v2、參數r1及參數r2,而每次簽章都會重新選取參數r1及參數r2。 The following description will be made in the form of an embodiment in conjunction with "Fig. 3", where "Fig. 3" is a schematic diagram of an obfuscation circuit applying the present invention. In practice, the confusion circuit of the present invention includes a first Bollinger circuit 310 and a second Bollinger circuit 320 . Wherein, the first Bollinger circuit 310 provides input lines to input parameters v1 (namely: "B(x 1 ,n 1 )d 1 mod n"), parameters v2 (namely: "B(x 2 ,n 2 )d 2 mod n"), parameter r1 (namely: the random number randomly selected by the first host 100a), parameter r2 (ie: the random number randomly selected by the second host 100b), parameter n (namely: the number of given elliptic curve groups ) and message m, which can be expressed as "MPCEdDSA(v1,v2,r1,r2,n,m)", and output the first evaluation value "RFC6979(d,m)+r1+r2 mod n" where, "RFC6979( d,m)" is basically composed of the hash function "H(d∥m∥other filling information)" as the base, and the symbol "∥" represents concatenation, for example: "A∥B" represents "A" and " The series connection of "B" is "AB", "AA∥BB" means "AA" and "BB" in series are "AABB"; the second Bollinger circuit 320 provides input lines to input parameters v1, parameters v2, parameters r1 and parameters r2, can be expressed as "ModAdd(v1, v2, r1, r2)", and output the second evaluation value "d+r1+r2". When establishing the above-mentioned first Bollinger circuit 310, at least one of "and operation (AND)" and "exclusive or operation (XOR)" can be used to satisfy the condition "MPCEdDSA(v1, v2, r1, r2, n, m)=RFC6979(d,m)+r1+r2 mod n" logic circuit, and when building the second Bollinger circuit 320, it also uses "and operation (AND)" and "exclusive or operation (XOR) "At least one of the structures satisfies the condition "ModAdd(v1, v2, r1, r2) = d+r1+r2" logic circuit. It should be noted that in the same signature, the parameters v1, v2, r1 and r2 input by the first Bollinger circuit 310 are also the parameters v1, v2, Parameter r1 and parameter r2, and each signature will reselect parameter r1 and parameter r2.

綜上所述,可知本發明與先前技術之間的差異在於透過提供作為混淆電路的第一布林電路及第二布林電路以供二個主機輸入多個輸入參數並共同執行安全多方計算,使二個主機各自獲得第一布林電路的第一評估值及第二 布林電路的第二評估值,以及分別計算出各自用於門檻式簽章的亂數值,再廣播各主機的隨機亂數與基點的乘積,用以驗證雙方的輸入參數是否正確及通過混淆電路獲得的結果是否相同,進而確定計算出的亂數值符合RFC 6979標準,以便使基於此亂數值生成的簽章能夠用於生成第二層私鑰且不洩漏原私鑰,藉由此一技術手段可以解決先前技術所存在的問題,進而達成提高簽章的可用性之技術功效。 In summary, it can be seen that the difference between the present invention and the prior art lies in that by providing the first Bollinger circuit and the second Bollinger circuit as confusing circuits for two hosts to input multiple input parameters and jointly execute secure multi-party calculations, Make the two hosts respectively obtain the first evaluation value and the second evaluation value of the first Bollinger circuit The second evaluation value of the Bollinger circuit, and calculate the respective random value for the threshold signature, and then broadcast the product of the random random number and the base point of each host to verify whether the input parameters of both parties are correct and pass the confusion circuit Whether the results obtained are the same, and then determine that the calculated random value conforms to the RFC 6979 standard, so that the signature generated based on this random value can be used to generate the second-level private key without revealing the original private key. By this technical means The problems existing in the prior art can be solved, and then the technical effect of improving the usability of the signature can be achieved.

雖然本發明以前述之實施例揭露如上,然其並非用以限定本發明,任何熟習相像技藝者,在不脫離本發明之精神和範圍內,當可作些許之更動與潤飾,因此本發明之專利保護範圍須視本說明書所附之申請專利範圍所界定者為準。 Although the present invention is disclosed above with the aforementioned embodiments, it is not intended to limit the present invention. Any person familiar with similar skills may make some changes and modifications without departing from the spirit and scope of the present invention. Therefore, the present invention The scope of patent protection shall be subject to what is defined in the scope of patent application attached to this specification.

100a,100b:主機 100a, 100b: host

110:混淆模組 110: Confusion Module

120:生成模組 120: Generate modules

130:第一計算模組 130: The first computing module

140:第二計算模組 140: Second computing module

150:驗證模組 150: Verification module

160:確認模組 160: Confirm the module

Claims (10)

一種門檻式簽章的亂數生成系統,該系統包含:二個主機,分別為一第一主機及一第二主機,該第一主機具有一秘密d1、一X座標x1及一層級值n1,該第二主機具有一秘密d2、一X座標x2及一層級值n2,並且該秘密d1、該X座標x1、該層級值n1、該秘密d2、該X座標x2及該層級值n2滿足下列運算式以與一私鑰d相等:d=B(x1,n1)* d1+B(x2,n2)* d2,其中,B(xi,ni)代表伯克霍夫係數(Birkhoff coefficient),以及i為1或2,每一所述主機皆包含:一混淆模組,用以建立作為混淆電路的一第一布林電路及一第二布林電路,該第一布林電路允許輸入多個輸入參數,所述輸入參數包含一參數v1、一參數v2、一參數r1、一參數r2、一參數n及一訊息m且輸出一第一評估值,每一所述輸入參數允許各自帶入一組位元值,該第二布林電路允許輸入該參數v1、該參數v2、該參數r1及該參數r2且輸出一第二評估值,所述第一評估值的運算式為RFC6979(d,m)+r1+r2 mod n,所述第二評估值的運算式為d+r1+r2,其中,RFC6979(d,m)的值與根據該私鑰d及一訊息m所生成的一亂數k相同、該參數n為給定橢圓曲線群的個數、該參數v1的運算式為B(x1,n1)d1 mod n、該參數v2的運算式為B(x2,n2)d2 mod n; 一生成模組,用以在所述主機為該第一主機時,產生隨機亂數以作為該參數r1且公開一第一雜湊值,以及在所述主機為該第二主機時,產生隨機亂數以作為該參數r2且公開一第二雜湊值,其中,該第一雜湊值的運算式為H(r1 * G),該第二雜湊值的運算式為H(r2 * G),H代表雜湊函式,G為橢圓曲線群的基點(Base Point);一第一計算模組,連接該生成模組及該混淆模組,當所述主機為該第一主機時,使用本身的該參數v1、該參數r1及該訊息m輸入至該第一布林電路,以及當所述主機為該第二主機時,使用本身的該參數v2及該參數r2輸入至該第一布林電路,用以共同執行該第一布林電路,使該第二主機根據該第一布林電路獲得該第一評估值且計算一k2值,該k2值的運算式為k2=(m2-2 * r2)/2 mod n,其中,m2為該第二主機獲得的該第一評估值,該第一主機及該第二主機再使用相同的該參數v1、該參數v2、該參數r1及該參數r2共同執行該第二布林電路以獲得該第二評估值,以及公開一第一公開值,該第一公開值的運算式為r1 * G;一第二計算模組,連接該生成模組及該混淆模組,用以在所述主機為該第二主機時,使用本身的該參數v2、該參數r2及該訊息m輸入至該第一布林電路,以及在所述主機為該第一主機時,使用本身的該參數v1及該參數r1輸入至該第一布林電路,用以共同執行該第一布林電路,使該第 一主機根據該第一布林電路獲得該第一評估值且計算一k1值,該k1值的運算式為k1=(m1-2 * r1)/2 mod n,其中,m1為該第一主機獲得的該第一評估值,該第一主機及該第二主機再使用相同的該參數v1、該參數v2、該參數r1及該參數r2共同執行該第二布林電路以獲得該第二評估值,以及公開一第二公開值,該第二公開值的運算式為r2 * G;一驗證模組,連接該第一計算模組及該第二計算模組,用以驗證該私鑰d、該參數r1、該參數r2、該第一公開值、該第二公開值及一公鑰P是否滿足下列運算式:(d+r1+r2)* G=P+r1 * G+r2 * G,當滿足時,該第一主機及該第二主機再執行一安全驗證協定(Secure Validation Protocol)以驗證雙方在該第一布林電路所獲得的該第一評估值是否相同;以及一確認模組,連接該驗證模組,用以在驗證結果為相同時,該第一主機將該k1值作為本身執行門檻式簽章時使用的亂數,以及該第二主機將該k2值作為本身執行門檻式簽章時使用的亂數。 A random number generation system for a threshold signature, the system includes: two hosts, respectively a first host and a second host, the first host has a secret d 1 , an X coordinate x 1 and a level value n 1 , the second host has a secret d 2 , an X coordinate x 2 and a level value n 2 , and the secret d 1 , the X coordinate x 1 , the level value n 1 , the secret d 2 , the X The coordinate x 2 and the level value n 2 satisfy the following formula to be equal to a private key d: d=B(x 1 ,n 1 )*d 1 +B(x 2 ,n 2 )*d 2 , where, B ( xi ,n i ) represent the Birkhoff coefficient (Birkhoff coefficient), and i is 1 or 2, and each host includes: an obfuscation module for establishing a first Boolean as an obfuscation circuit circuit and a second Bollinger circuit, the first Bollinger circuit allows multiple input parameters to be input, and the input parameters include a parameter v1, a parameter v2, a parameter r1, a parameter r2, a parameter n and a message m And output a first evaluation value, each of the input parameters is allowed to bring in a set of bit values, the second Bollinger circuit allows input of the parameter v1, the parameter v2, the parameter r1 and the parameter r2 and outputs a The second evaluation value, the calculation formula of the first evaluation value is RFC6979(d, m)+r1+r2 mod n, the calculation formula of the second evaluation value is d+r1+r2, wherein, RFC6979(d, The value of m) is the same as a random number k generated according to the private key d and a message m, the parameter n is the number of given elliptic curve groups, and the calculation formula of the parameter v1 is B(x 1 ,n 1 )d 1 mod n, the calculation formula of the parameter v2 is B(x 2 ,n 2 )d 2 mod n; a generation module, used to generate random random numbers as the first host when the host is the first host The parameter r1 also discloses a first hash value, and when the host is the second host, generates a random random number as the parameter r2 and discloses a second hash value, wherein the calculation formula of the first hash value is H(r1*G), the operational formula of the second hash value is H(r2*G), H represents the hash function, and G is the base point (Base Point) of the elliptic curve group; a first calculation module, connected The generation module and the obfuscation module, when the host is the first host, use their own parameter v1, the parameter r1 and the message m to input to the first Bollinger circuit, and when the host is When the second host uses its own parameters v2 and r2 to input to the first Bollinger circuit to jointly execute the first Bollinger circuit, so that the second host can obtain the The first evaluation value and calculate a k2 value, the calculation formula of the k2 value is k2=(m2-2*r2)/2 mod n, wherein, m2 is the first evaluation value obtained by the second host, and the first The host and the second host then use the same parameter v1, the parameter v2, the parameter r1, and the parameter r2 to jointly execute the second Bollinger circuit to obtain the second evaluation value, and disclose a first public value, the The calculation formula of the first public value is r1 * G; a second calculation module, connected to the generation module and the confusion module, is used to use its own parameters v2, v2, when the host is the second host The parameter r2 and the message m are input to the first Bollinger circuit, and when the host is the first host, the parameter v1 and the parameter r1 are input to the first Bollinger circuit for common Executing the first Bollinger circuit, so that the first host obtains the first evaluation value according to the first Bollinger circuit and calculates a k1 value, the calculation formula of the k1 value is k1=(m1-2*r1)/2 mod n, wherein, m1 is the first evaluation value obtained by the first host, and the first host and the second host use the same parameter v1, the parameter v2, the parameter r1, and the parameter r2 to jointly execute the The second Bollinger circuit obtains the second evaluation value, and discloses a second public value, the calculation formula of the second public value is r2 * G; a verification module, connected to the first calculation module and the second Calculation module for verifying whether the private key d, the parameter r1, the parameter r2, the first public value, the second public value and a public key P satisfy the following formula: (d+r1+r2)* G=P+r1 * G+r2 * G, when satisfied, the first host and the second host execute a Secure Validation Protocol (Secure Validation Protocol) to verify the two parties obtained in the first Bollinger circuit Whether the first evaluation values are the same; and a confirmation module connected to the verification module, so that when the verification results are the same, the first host uses the k1 value as a random number used when it executes the threshold signature, and The second host uses the k2 value as a random number used when it performs threshold signature. 如請求項1之門檻式簽章的亂數生成系統,其中該第一布林電路及該第二布林電路係通過及運算(AND)與互斥或運算(XOR)至少其中之一的方式實現混淆電路及安全多方計算(Multi-Party Computation,MPC),並且具有多個輸入線(Wire) 以輸入所述輸入參數,每一所述輸入參數帶入的該組位元值為256位元的值,所述第一布林電路為滿足下列條件的邏輯電路:MPCRFC6979(v1,v2,r1,r2,n,m)=RFC6979(d,m)+r1+r2 mod n,所述第二布林電路為滿足下列條件的邏輯電路:ModAdd(v1,v2,r1,r2)=d+r1+r2。 The random number generation system of the threshold signature as in claim 1, wherein the first Bollinger circuit and the second Bollinger circuit are at least one of AND operation (AND) and exclusive OR operation (XOR) Implement confusing circuits and secure multi-party computation (Multi-Party Computation, MPC), and have multiple input lines (Wire) To input the input parameters, the group of bit values brought by each input parameter is a value of 256 bits, and the first Bollinger circuit is a logic circuit satisfying the following conditions: MPCRFC6979 (v1, v2, r1 ,r2,n,m)=RFC6979(d,m)+r1+r2 mod n, the second Bollinger circuit is a logic circuit satisfying the following conditions: ModAdd(v1,v2,r1,r2)=d+r1 +r2. 如請求項1之門檻式簽章的亂數生成系統,其中該第一主機及該第二主機在執行門檻式簽章時,在不還原該私鑰d且不知該亂數k的前提下,滿足下列條件:k1+k2=RFC6979(d,m)。 For example, the random number generation system of threshold signature in claim 1, wherein the first host and the second host do not restore the private key d and do not know the random number k when performing threshold signature, Satisfy the following condition: k1+k2=RFC6979(d,m). 如請求項1之門檻式簽章的亂數生成系統,其中該亂數k係基於RFC 6979標準以該私鑰d及該訊息m,搭配雜湊訊息認證碼(Hash-based Message Authentication Code,HMAC)及雜湊演算法生成。 For example, the random number generation system of the threshold signature in claim item 1, wherein the random number k is based on the RFC 6979 standard with the private key d and the message m, combined with a hash-based message authentication code (Hash-based Message Authentication Code, HMAC) And hash algorithm generation. 如請求項1之門檻式簽章的亂數生成系統,其中該驗證模組在驗證結果為不同時,驅動所述主機重新產生該k1值及該k2值,直到驗證結果為相同為止。 A random number generation system for a threshold signature as in claim 1, wherein the verification module drives the host to regenerate the k1 value and the k2 value when the verification result is different until the verification result is the same. 一種門檻式簽章的亂數生成方法,其步驟包括:(A)一第一主機具有一秘密d1、一X座標x1及一層級值n1,以及一第二主機具有一秘密d2、一X座標x2及一層級值n2,並且該秘密d1、該X座標x1、該層級值n1、該秘密d2、該X座標x2及該層級值n2滿足下列運算式以與一私鑰d相等: d=B(x1,n1)* d1+B(x2,n2)* d2,其中,B(xi,ni)代表伯克霍夫係數(Birkhoff coefficient),以及i為1或2;(B)該第一主機及該第二主機皆提供作為混淆電路的一第一布林電路及一第二布林電路,該第一布林電路允許輸入多個輸入參數,所述輸入參數包含一參數v1、一參數v2、一參數r1、一參數r2、一參數n及一訊息m且輸出一第一評估值,每一所述輸入參數允許各自帶入一組位元值,該第二布林電路允許輸入該參數v1、該參數v2、該參數r1及該參數r2且輸出一第二評估值,所述第一評估值的運算式為RFC6979(d,m)+r1+r2 mod n,所述第二評估值的運算式為d+r1+r2,其中,RFC6979(d,m)的值與根據該私鑰d及一訊息m所生成的一亂數k相同、該參數n為給定橢圓曲線群的個數、該參數v1的運算式為B(x1,n1)d1 mod n、該參數v2的運算式為B(x2,n2)d2 mod n;(C)該第一主機產生隨機亂數以作為該參數r1且公開一第一雜湊值,該第二主機產生隨機亂數以作為該參數r2且公開一第二雜湊值,其中,該第一雜湊值的運算式為H(r1 * G),該第二雜湊值的運算式為H(r2 * G),H代表雜湊函式,G為橢圓曲線群的基點(Base Point);(D)該第一主機使用本身的該參數v1、該參數r1及該訊息m與該第二主機使用本身的該參數v2及該參數r2共同執行該第 一布林電路,使該第二主機根據該第一布林電路獲得該第一評估值且計算一k2值,該k2值的運算式如下:k2=(m2-2 * r2)/2 mod n,其中,m2為該第二主機獲得的該第一評估值,該第一主機及該第二主機再使用相同的該參數v1、該參數v2、該參數r1及該參數r2共同執行該第二布林電路以獲得該第二評估值,以及公開一第一公開值,該第一公開值的運算式為r1 * G;(E)該第二主機使用本身的該參數v2、該參數r2及該訊息m與該第一主機使用本身的該參數v1及該參數r1共同執行該第一布林電路,使該第一主機根據該第一布林電路獲得該第一評估值且計算一k1值,該k1值的運算式如下:k1=(m1-2 * r1)/2 mod n,其中,m1為該第一主機獲得的該第一評估值,該第一主機及該第二主機再使用相同的該參數v1、該參數v2、該參數r1及該參數r2共同執行該第二布林電路以獲得該第二評估值,以及公開一第二公開值,該第二公開值的運算式為r2 * G;(F)該第一主機及該第二主機均驗證該私鑰d、該參數r1、該參數r2、該第一公開值、該第二公開值及一公鑰P是否滿足下列運算式:(d+r1+r2)* G=P+r1 * G+r2 * G, 當滿足時,該第一主機及該第二主機再執行一安全驗證協定(Secure Validation Protocol)以驗證雙方在該第一布林電路所獲得的該第一評估值是否相同;以及(G)當驗證結果為相同時,該第一主機將該k1值作為本身執行門檻式簽章時使用的亂數,以及該第二主機將該k2值作為本身執行門檻式簽章時使用的亂數;其中,步驟(D)及步驟(E)允許同時執行。 A random number generation method for a threshold signature, the steps of which include: (A) a first host has a secret d 1 , an X coordinate x 1 and a level value n 1 , and a second host has a secret d 2 , an X coordinate x 2 and a level value n 2 , and the secret d 1 , the X coordinate x 1 , the level value n 1 , the secret d 2 , the X coordinate x 2 and the level value n 2 satisfy the following operations The formula is equal to a private key d: d=B(x 1 ,n 1 )* d 1 +B(x 2 ,n 2 )* d 2 , where B( xi ,n i ) represents Berkhoff coefficient (Birkhoff coefficient), and i is 1 or 2; (B) the first host and the second host provide a first Bollinger circuit and a second Bollinger circuit as a confusion circuit, the first Bollinger The circuit allows multiple input parameters to be input, the input parameters include a parameter v1, a parameter v2, a parameter r1, a parameter r2, a parameter n and a message m and output a first evaluation value, each of the input parameters A set of bit values are allowed to be brought in respectively. The second Bollinger circuit allows input of the parameter v1, the parameter v2, the parameter r1, and the parameter r2 and outputs a second evaluation value. The calculation formula of the first evaluation value is RFC6979(d,m)+r1+r2 mod n, the calculation formula of the second evaluation value is d+r1+r2, wherein, the value of RFC6979(d,m) is based on the private key d and a message m The generated random number k is the same, the parameter n is the number of given elliptic curve groups, the formula of the parameter v1 is B(x 1 ,n 1 )d 1 mod n, the formula of the parameter v2 is B (x 2 ,n 2 )d 2 mod n; (C) the first host generates a random random number as the parameter r1 and discloses a first hash value, the second host generates a random random number as the parameter r2 and A second hash value is disclosed, wherein the calculation formula of the first hash value is H(r1 * G), the calculation formula of the second hash value is H(r2 * G), H represents a hash function, and G is an ellipse The base point of the curve group (Base Point); (D) the first host uses its own parameter v1, the parameter r1 and the message m and the second host uses its own parameter v2 and the parameter r2 to jointly execute the first Bollinger circuit, so that the second host obtains the first evaluation value according to the first Bollinger circuit and calculates a k2 value, the calculation formula of the k2 value is as follows: k2=(m2-2*r2)/2 mod n, Wherein, m2 is the first evaluation value obtained by the second host, and the first host and the second host use the same parameter v1, the parameter v2, the parameter r1, and the parameter r2 to jointly execute the second distribution The forest circuit obtains the second evaluation value, and discloses a first public value, the calculation formula of the first public value is r1 * G; (E) the second host uses its own parameter v2, the parameter r2 and the The message m and the first host use the parameter v1 and the parameter r1 to jointly execute the first Bollinger circuit, so that the first host obtains the first evaluation value and calculates a k1 value according to the first Bollinger circuit, The calculation formula of the k1 value is as follows: k1=(m1-2*r1)/2 mod n, wherein, m1 is the first evaluation value obtained by the first host, and the first host and the second host use the same The parameter v1, the parameter v2, the parameter r1 and the parameter r2 jointly execute the second Bollinger circuit to obtain the second evaluation value, and disclose a second public value, and the calculation formula of the second public value is r2 * G; (F) Both the first host and the second host verify whether the private key d, the parameter r1, the parameter r2, the first public value, the second public value and a public key P satisfy the following operations Formula: (d+r1+r2)* G=P+r1 * G+r2 * G, when satisfied, the first host and the second host execute a security verification protocol (Secure Validation Protocol) to verify that both parties are in Whether the first evaluation value obtained by the first Bollinger circuit is the same; and (G) when the verification result is the same, the first host uses the k1 value as a random number used when performing threshold signature, and The second host takes the k2 value as a random number used when it executes the threshold signature; wherein, step (D) and step (E) are allowed to be executed at the same time. 如請求項6之門檻式簽章的亂數生成方法,其中該第一布林電路及該第二布林電路係通過及運算(AND)與互斥或運算(XOR)至少其中之一的方式實現混淆電路及安全多方計算(Multi-Party Computation,MPC),並且具有多個輸入線(Wire)以輸入所述輸入參數,每一所述輸入參數帶入的該組位元值為256位元的值,所述第一布林電路為滿足下列條件的邏輯電路:MPCRFC6979(v1,v2,r1,r2,n,m)=RFC6979(d,m)+r1+r2 mod n,所述第二布林電路為滿足下列條件的邏輯電路:ModAdd(v1,v2,r1,r2)=d+r1+r2。 The random number generation method of a threshold signature as in claim 6, wherein the first Bollinger circuit and the second Bollinger circuit are at least one of AND operation (AND) and exclusive OR operation (XOR) Realize confusion circuit and secure multi-party computation (Multi-Party Computation, MPC), and have multiple input wires (Wire) to input the input parameters, and the group bit value brought by each input parameter is 256 bits value, the first Bollinger circuit is a logic circuit that satisfies the following conditions: MPCRFC6979(v1,v2,r1,r2,n,m)=RFC6979(d,m)+r1+r2 mod n, the second A Bollinger circuit is a logic circuit that satisfies the following condition: ModAdd(v1,v2,r1,r2)=d+r1+r2. 如請求項6之門檻式簽章的亂數生成方法,其中該第一主機及該第二主機在執行門檻式簽章時,在不還原該私鑰d且不知該亂數k的前提下,滿足下列條件:k1+k2=RFC6979(d,m)。 For example, the method for generating a random number of a threshold signature in claim 6, wherein the first host and the second host do not restore the private key d and do not know the random number k when executing the threshold signature, Satisfy the following condition: k1+k2=RFC6979(d,m). 如請求項6之門檻式簽章的亂數生成方法,其中該亂數k係基於RFC 6979標準以該私鑰d及該訊息m,搭配雜湊訊息認證碼(Hash-based Message Authentication Code,HMAC)及雜湊演算法生成。 For example, the random number generation method of the threshold-type signature in claim item 6, wherein the random number k is based on the RFC 6979 standard, using the private key d and the message m together with a hash-based message authentication code (Hash-based Message Authentication Code, HMAC) And hash algorithm generation. 如請求項6之門檻式簽章的亂數生成方法,其中當驗證結果為不同時,重新執行步驟(B)至步驟(F)以重新產生該k1值及該k2值,直到驗證結果為相同為止。 For example, the method for generating random numbers of threshold-type signatures in claim item 6, wherein when the verification results are different, re-execute steps (B) to (F) to regenerate the k1 value and the k2 value until the verification results are the same until.
TW111121123A 2022-06-07 2022-06-07 Random number generation system for threshold signature scheme and method thereof TWI799286B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW111121123A TWI799286B (en) 2022-06-07 2022-06-07 Random number generation system for threshold signature scheme and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW111121123A TWI799286B (en) 2022-06-07 2022-06-07 Random number generation system for threshold signature scheme and method thereof

Publications (2)

Publication Number Publication Date
TWI799286B true TWI799286B (en) 2023-04-11
TW202349241A TW202349241A (en) 2023-12-16

Family

ID=86948727

Family Applications (1)

Application Number Title Priority Date Filing Date
TW111121123A TWI799286B (en) 2022-06-07 2022-06-07 Random number generation system for threshold signature scheme and method thereof

Country Status (1)

Country Link
TW (1) TWI799286B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110197068A1 (en) * 1996-07-30 2011-08-11 Holden James M Methods for providing security over untrusted networks
US20110225223A1 (en) * 2010-03-12 2011-09-15 Plx Technology, Inc. Generating unique random numbers for multiple instantiations
TW201242391A (en) * 2011-04-06 2012-10-16 A Men Technology Corp A method of the data transmission of the mobile phone and the system therefore
TW201426395A (en) * 2012-12-26 2014-07-01 Chunghwa Telecom Co Ltd Data security system and method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110197068A1 (en) * 1996-07-30 2011-08-11 Holden James M Methods for providing security over untrusted networks
US20110225223A1 (en) * 2010-03-12 2011-09-15 Plx Technology, Inc. Generating unique random numbers for multiple instantiations
TW201242391A (en) * 2011-04-06 2012-10-16 A Men Technology Corp A method of the data transmission of the mobile phone and the system therefore
TW201426395A (en) * 2012-12-26 2014-07-01 Chunghwa Telecom Co Ltd Data security system and method

Also Published As

Publication number Publication date
TW202349241A (en) 2023-12-16

Similar Documents

Publication Publication Date Title
US11601407B2 (en) Fast oblivious transfers
US8891766B2 (en) Input consistency verification for two-party secure function evaluation
Schneider et al. GMW vs. Yao? Efficient secure two-party computation with low depth circuits
US11050762B2 (en) High throughput secure multi-party computation with identifiable abort
WO2021228239A1 (en) Asset type consistency evidence generation method and system, transaction method and system, and transaction verification method and system
JP2021507563A (en) Systems and methods for multi-party generation of blockchain-based smart contracts
JP2021515270A (en) Computer-implemented methods and systems for transferring control of digital assets
US11616641B2 (en) Computer implemented system and method for sharing a common secret
US10795658B2 (en) Updatable random functions
TWI799286B (en) Random number generation system for threshold signature scheme and method thereof
JP7472158B2 (en) Method for providing a digital signature to a message
TWI759138B (en) Threshold signature scheme system based on inputting password and method thereof
TWI795284B (en) Threshold signature generation system based on garbled circuit and method thereof
TWI764811B (en) Key generating system for hierarchical deterministic wallet and method thereof
TWI776416B (en) Threshold signature scheme system for hierarchical deterministic wallet and method thereof
CN111885056A (en) Zero knowledge proving method and device based on block chain and electronic equipment
TWI737956B (en) Threshold signature system based on secret sharing and method thereof
TWI694349B (en) Threshold signature system with prevent memory dump and method thereof
TWI689194B (en) Threshold signature system based on secret sharing without dealer and method thereof
TWI702820B (en) Secret sharing signature system with hierarchical mechanism and method thereof
TWI734087B (en) Signature system based on homomorphic encryption and method thereof
TW202243437A (en) Threshold and number of participation adjusting system for threshold signature scheme and method thereof
CN115883100A (en) Identity authentication method based on twin block chain and related equipment
Tyagi A Review on Zero Knowledge Proof Vulnerabilities in Zcash
CN113362065A (en) Online signature transaction implementation method based on distributed private key