WO2015160839A1 - A method for secure and resilient distributed generation of elliptic curve digital signature algorithm (ecdsa) based digital signatures with proactive security - Google Patents


Info

Publication number
WO2015160839A1
Authority
WO
WIPO (PCT)
Prior art keywords
servers
private key
shares
protocol
secret
Prior art date
Application number
PCT/US2015/025804
Other languages
English (en)
French (fr)
Inventor
Karim El Defrawy
Joshua D. LAMPKINS
Original Assignee
Hrl Laboratories, Llc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hrl Laboratories, Llc
Priority to EP15780610.0A (EP3132560A4)
Priority to CN201580019894.1A (CN106664205B)
Publication of WO2015160839A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • H04L9/3255 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving digital signatures using group based signatures, e.g. ring or threshold signatures
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes

Definitions

  • the present invention relates to a system for generating Elliptic Curve Digital Signature Algorithm (ECDSA) based digital signatures and, more particularly, to a system for generating ECDSA based digital signatures in a distributed manner.
  • ECDSA Elliptic Curve Digital Signature Algorithm
  • the system comprises one or more processors and a memory having instructions such that when the instructions are executed, the one or more processors perform multiple operations.
  • a Secret-Share protocol is initialized between a client C and a set of n servers, wherein the client C shares a set of shares of a private key s among the set of n servers.
  • the set of n servers initializes a protocol to generate a digital signature on a message m using the set of shares of the private key s without reconstructing or revealing the private key s.
  • the set of n servers periodically initializes a Secret-Redistribute protocol on each share of the private key s to re-randomize the set of shares.
  • a Secret-Open protocol is initialized to reveal the private key s to an intended recipient, wherein the private key s is used to compute the digital signature.
  • a threshold t of up to n/2 of the set of n servers can be completely corrupted while the confidentiality of the private key s and correctness of the digital signature remain uncompromised.
  • corrupted servers are restored to an uncorrupted state.
  • the present invention also comprises a method for causing a processor to perform the operations described herein.
  • the present invention also comprises a computer program product comprising computer-readable instructions stored on a non-transitory computer-readable medium that are executable by a computer having a processor for causing the processor to perform the operations described herein.
  • FIG. 1 is a block diagram depicting the components of a system for generating Elliptic Curve Digital Signature Algorithm (ECDSA) based digital signatures according to the principles of the present invention.
  • FIG. 2 is an illustration of a computer program product according to the principles of the present invention.
  • FIG. 3 is an illustration of a client uploading shares of a private key s to a set of servers according to the principles of the present invention;
  • FIG. 4 is an illustration of the set of servers generating signatures on messages using their shares of the private key s without revealing the private key s according to the principles of the present invention.
  • FIG. 5 is an illustration of the set of servers periodically performing a Proactive-Refresh protocol to correct any shares that may have been corrupted according to the principles of the present invention.
  • FIG. 6 is a flow diagram illustrating distributed generation of elliptic curve digital signature algorithm (ECDSA) based digital signatures with proactive security according to the principles of the present invention.
  • the labels left, right, front, back, top, bottom, forward, reverse, clockwise and counter-clockwise have been used for convenience purposes only and are not intended to imply any particular fixed direction. Instead, they are used to reflect relative locations and or directions between various portions of an object. As such, as the present invention is changed, the above labels may change their orientation.
  • the present invention has three "principal" aspects.
  • the first is a system for generating Elliptic Curve Digital Signature Algorithm
  • the system is typically in the form of a computer system operating software or in the form of a "hard-coded" instruction set. This system may be incorporated into a wide variety of devices that provide different functionalities.
  • the second principal aspect is a method, typically in the form of software, operated using a data processing system (computer).
  • the third principal aspect is a computer program product.
  • the computer program product generally represents computer-readable instructions stored on a non-transitory computer-readable medium such as an optical storage device, e.g., a compact disc (CD) or digital versatile disc (DVD), or a magnetic storage device such as a floppy disk or magnetic tape.
  • CD compact disc
  • DVD digital versatile disc
  • Other, non-limiting examples of computer-readable media include hard disks, read-only memory (ROM), and flash-type memories. These aspects will be described in more detail.
  • A block diagram depicting an example of a system (i.e., computer system 100) of the present invention is provided in FIG. 1.
  • the computer system 100 is configured to perform calculations, processes, operations, and/or functions associated with a program or algorithm.
  • certain processes and steps discussed herein are realized as a series of instructions (e.g., software program) that reside within computer readable memory units and are executed by one or more processors of the computer system 100. When executed, the instructions cause the computer system 100 to perform specific actions and exhibit specific behavior, such as described herein.
  • the computer system 100 may include an address/data bus 102 that is configured to communicate information. Additionally, one or more data processing units, such as a processor 104 (or processors), are coupled with the address/data bus 102. The processor 104 is configured to process information and instructions. In an aspect, the processor 104 is a
  • processor 104 may be a different type of processor such as a parallel processor, or a field programmable gate array.
  • the computer system 100 is configured to utilize one or more data storage units.
  • the computer system 100 may include a volatile memory unit 106 (e.g., random access memory ("RAM"), static RAM, dynamic RAM, etc.) coupled with the address/data bus 102, wherein a volatile memory unit 106 is configured to store information and instructions for the processor 104.
  • the computer system 100 further may include a non-volatile memory unit 108 (e.g., read-only memory ("ROM"),
  • the computer system 100 may execute instructions retrieved from an online data storage unit such as in "Cloud" computing. In an aspect, the computer system 100 also may include one or more interfaces, such as an interface 110, coupled with the address/data bus 102. The one or more interfaces are configured to enable the computer system 100 to interface with other electronic devices and computer systems.
  • the communication interfaces implemented by the one or more interfaces may include wireline (e.g., serial cables, modems, network adaptors, etc.) and/or wireless (e.g., wireless modems, wireless network adaptors, etc) communication technology.
  • the computer system 100 may include an input device 112 coupled with the address/data bus 102, wherein the input device 112 is configured to communicate information and command selections to the processor 100.
  • the input device 112 is an alphanumeric input device, such as a keyboard, that may include alphanumeric and/or function keys.
  • the input device 112 may be an input device other than an alphanumeric input device.
  • the computer system 100 may include a cursor control device 114 coupled with the address/data bus 102, wherein the cursor control device 114 is configured to communicate user input information and/or command selections to the processor 100.
  • the cursor control device 114 is implemented using a device such as a mouse, a track-ball, a track-pad, an optical tracking device, or a touch screen.
  • the cursor control device 114 is directed and/or activated via input from the input device 112, such as in response to the use of special keys and key sequence commands associated with the input device 112.
  • the cursor control device 114 is configured to be directed or guided by voice commands.
  • the computer system 100 further may include one or more optional computer usable data storage devices, such as a storage device 116, coupled with the address/data bus 102.
  • the storage device 116 is configured to store information and/or computer executable instructions.
  • the storage device 116 is a storage device such as a magnetic or optical disk drive (e.g., hard disk drive ("HDD"), floppy diskette, compact disk read only memory ("CD-ROM"), digital versatile disk ("DVD")).
  • a display device 118 is coupled with the address/data bus 102, wherein the display device 118 is configured to display video and/or graphics.
  • the display device 118 may include a cathode ray tube ("CRT"), liquid crystal display ("LCD"), field emission display ("FED"), plasma display, or any other display device suitable for displaying video and/or graphic images and alphanumeric characters recognizable to a user.
  • CRT cathode ray tube
  • LCD liquid crystal display
  • FED field emission display
  • the computer system 100 presented herein is an example computing environment in accordance with an aspect.
  • the non-limiting example of the computer system 100 is not strictly limited to being a computer system.
  • an aspect provides that the computer system 100 represents a type of data processing analysis that may be used in accordance with various aspects described herein.
  • other computing systems may also be implemented. Indeed, the spirit and scope of the present technology is not limited to any single data processing environment.
  • one or more operations of various aspects of the present technology are controlled or implemented using computer-executable instructions, such as program modules, being executed by a computer
  • program modules include routines, programs, objects, components and/or data structures that are configured to perform particular tasks or implement particular abstract data types.
  • an aspect provides that one or more aspects of the present technology are implemented by utilizing one or more distributed computing environments, such as where tasks are performed by remote processing devices that are linked through a communications network, or such as where various program modules are located in both local and remote computer-storage media including memory-storage devices.
  • An illustrative diagram of a computer program product (i.e., storage device) embodying the present invention is depicted in FIG. 2.
  • the computer program product is depicted as floppy disk 200 or an optical disk 202 such as a CD or DVD.
  • the computer program product generally represents computer-readable instructions stored on any compatible non-transitory computer-readable medium.
  • the term "instructions" as used with respect to this invention generally indicates a set of operations to be performed on a computer, and may represent pieces of a whole program or individual, separable, software modules.
  • Non-limiting examples of "instruction" include computer program code (source or object code) and "hard-coded" electronics (i.e.
  • the "instruction" is stored on any non-transitory computer-readable medium, such as in the memory of a computer or on a floppy disk, a CD-ROM, and a flash drive. In either event, the instructions are encoded on a non-transitory computer-readable medium.
  • the ECDSA is described in Literature Reference No. 6.
  • ECDSA signatures are generated using a private key, and signatures are verified using a corresponding public key.
  • the signature on a message m using private key s is denoted as ECDSA_s(m).
  • the algorithm is such that anyone holding the public key can easily verify that ECDSA_s(m) is a signature on message m, but no one can generate ECDSA_s(m) without knowing s.
  • a client 300 (computer hardware or software) first uploads shares of his/her private key s to a set of servers 302 using secret sharing.
  • the servers 302 can then use their shares to jointly generate signatures 400 on messages 402 without reconstructing or revealing the private key, as depicted in FIG. 4.
  • as shown in FIG. 5, over the course of the protocol some of the shares in the sets of shares 500 may become corrupted (forming corrupted shares 502), either due to accidental faults or malicious behavior.
  • the servers 302 periodically perform a Proactive-Refresh protocol 504 to correct any shares that may have been corrupted. So long as the majority of shares 500 of any given private key are not corrupted, this will allow the servers 302 to jointly restore corrupted shares 502 to an uncorrupted state.
  • a threshold (t) of up to n/2 (i.e., t < n/2) of the n servers can be maliciously and completely corrupted or compromised, and the confidentiality of the private key used to generate the signature will not be compromised. Furthermore, the correctness of the generated signature will not be compromised.
  • Proactive security is also guaranteed.
  • a stage is the period between adjacent redistributions.
  • the period before the first redistribution is a stage, and the period
  • the adversary may adaptively corrupt and de-corrupt servers at will, so long as the number of corruptions per stage does not exceed the threshold. Any server that is corrupt during a secret
  • the secret sharing scheme used in the system according to the principles of the present invention is based on Shamir's secret sharing scheme (see Literature Reference No. 14 for a description of Shamir's secret sharing scheme) in which the shares of a secret (the private key in the ECDSA case described here) are points on a polynomial, the constant term of the polynomial being the secret. Denote by d the degree of the polynomial used to distribute the secret. Therefore, knowing any d + 1 points on the polynomial allows one to interpolate the secret, but knowing d or fewer points does not reveal any information about the secret. For the polynomials that store the private keys, d = t is set.
  • ⁇ + v(a-i)h are also public knowledge (as they can be computed from the U .Q ⁇ f ⁇ V ⁇ h). This allows servers to verify that the shares they received are consistent with the commitments broadcast by the dealer. Feldman commitments are the same as Pedersen commitments, except that the auxiliary polynomial is zero.
  • each server has a public key encryption scheme, and the encryption of MESSAGE for server P_i is denoted ENC_{P_i}(MESSAGE).
  • the system operates as follows, as shown in FIG. 6.
  • the client C
  • the servers may run instances of a Robust-Sig-Gen protocol (Robust-Sig-Gen protocol 602 in FIG. 6) (t, P, Corr, [s], m) or a Client-Sig-Gen protocol
  • the present invention provides the protocols and algorithms to perform such a redistribution; when and why the redistribution is performed can be determined by various other means and all could be seamlessly integrated with the system according to the principles of the present invention.
  • the servers 302 periodically perform the Proactive-Refresh protocol 504 to correct any shares that may have been corrupted.
  • a Secret-Open protocol 606 is initialized to reveal the private key s to an intended recipient, wherein the private key s is used to compute the digital signature.
  • ECDSA signature scheme (i.e., that which is computed on a single server and where the private key s is not shared among multiple servers).
  • the standard ECDSA signature scheme is described in Literature Reference Nos. 5 and 10.
  • Each server computes e ← SHA-1(m) and converts e to an integer using the approach in Literature Reference No. 16.
  • the servers compute [vk] ← Multiply(t, P, Corr, [v], [k]).
  • the servers run Secret-Open(t, P, [vk]) to reveal vk. If vk = 0, then go to step 2.
  • the servers locally compute [z] ← [k^-1]e + [w]r so that the shared value is z = k^-1(e + rs) mod q.
  • the servers run Secret-Open(t, P, [z]) to reveal z. If z = 0, go to step
  • the Client-Sig-Gen protocol is similar to the Robust-Sig-Gen protocol in that it allows the servers to generate an ECDSA signature using a sharing of the private key. It differs in that the client C (on behalf of whom the servers are storing the private key) interacts with the servers, allowing for increased efficiency.
  • the client C computes e ← SHA-1(m) and converts e to an integer using the approach in Literature Reference No. 16.
  • the client broadcasts e to the servers.
  • the client selects 3 random values a, b, and k ≠ 0 from Z_q and
  • the client and the servers execute 4 instances of the Secret-Share protocol (t, C, s, P ∪ {C}, Corr) to generate sharings of , b ⁇ e, and k 1. If the client is found to be corrupt during execution, the protocol terminates.
  • the Secret-Share protocol (t, C, s, P ∪ {C}, Corr)
  • the servers invoke the Secret-Open protocol (t, P, [a]) and the Secret-Open protocol (t, P, [b]) in parallel.
  • the servers run the Secret-Open protocol (t, P, [z]) to reveal z. If z = 0, the protocol terminates.
  • Patent Application No. 14/207,321, which is hereby incorporated by reference as though fully set forth herein, were used. These will
  • Pedersen commitments. Also described is a variant of the protocol that uses Feldman commitments, which is equivalent to a Pedersen
  • Pedersen version is used, unless it is explicitly stated that the Feldman version is used.
  • v(x) = v_0 + v_1 x + ... + v_d x^d. If this is the Feldman version of the protocol, it is required that v be the all-zero polynomial. 1.2 The dealer computes ε_k = g^{u_k} h^{v_k} for each k = 0, ..., d and broadcasts
  • step 2.4 Each server checks to see if the defenses broadcast in step 2.3 are correct (i.e., the defense was well-formed, the pair encrypts to the same message broadcast in step 1.2 when the given randomness is used, and the pair passes the checks in step 2.1). For each accusation that was rebutted with a correct defense, the accuser is added to Corr. If any accusation was not correctly rebutted, the dealer is added to Corr. If the dealer is not found to be corrupt, the protocol terminates successfully.
  • the communication complexity of the Secret-Share protocol is O(n) field elements. It takes three rounds of communication. Multiple instances of the Secret-Share protocol can be run in parallel without affecting the round complexity. Note that the protocol does not necessarily terminate successfully if the dealer is corrupt.
  • Each server P_i ∉ Corr checks for each pair received in the previous step that it is consistent with the broadcast commitments. If this is the Feldman version of the protocol, P_i also checks
  • step 2.4 Each server checks to see if the defenses broadcast in step 2.3 are correct (i.e., the defense was well-formed, the pair encrypts to the same message broadcast in step 1.2 when the given randomness is used, and the pair passes the checks in step 2.1). For each accusation that was rebutted with a correct defense, the accuser is added to Corr. For each accusation that was not correctly rebutted, the accused server is added to Corr.
  • the y ⁇ ' is similarly used to construct the auxiliary polynomials for the R S
  • Each server locally computes the Pedersen (or Feldman) commitments for these polynomials, so output is the set of shares of g with the shares of the corresponding auxiliary
  • GenPoly(t, P, Corr, n + 1, d − 1) in parallel to generate 0 and of degree d − 1 with auxiliary polynomials ⁇ and i jjO) respectively.
  • the k-th coefficient of O is and similarly for ⁇ ,
  • SIG_P VSS_P: The idea is that for P_i, the servers mask u with the polynomial X (Xj ⁇ R ⁇ X, and similarly for v,
  • the communication complexity of the Secret-Open protocol is O(n) field elements. It takes one round of communication. Multiple instances of the Secret-Open protocol can be invoked in parallel while still taking only one round of communication.
  • Multiplication triples of shared secrets need to be generated in a verifiable manner.
  • the protocol for generating multiplication triples in Literature Reference No. 4 uses a degree d sharing of a random number r, together with a degree 2d sharing of the same value. Using a 2d sharing would be problematic for the protocol according to the principles of the present invention, so instead two random sharings [r] and [s] are used, and when a degree 2d sharing of r is wanted, the servers locally compute
  • RAND_i is the randomness used to encrypt that server's shares in the invocation of Secret-Share in step 1.
  • CorSh P . ⁇ ( (a fc ) pfeeCorr along with SIG P .(CorSh Pf .
  • Each server checks for each pair broadcast in step 3.2 that it corresponds to the publicly known Pedersen commitments.
  • the shares that pass the check are used to interpolate the shares of [a], [b], and [s] belonging to servers in Corr, and together with the shares broadcast in the previous step, these are used to compute the corrupt servers' shares of ab® + r ⁇ .
  • Steps 2 and 3 are also performed to distribute and check shares of
  • Multiplication is used as a subprotocol in the Robust-Sig-Gen protocol.
  • the servers invoke Multiplication-Triple using the random sharings generated in the previous step as input; denote the output triple as ([a], [b], [c]) with c = ab.
  • the servers locally compute the output of the protocol as [xy] ← ⁇ ⁇ a[h ⁇ - ⁇ [ ⁇ ] + [c].
  • the communication complexity of the Multiply protocol is O(n^2).
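The Python below is an added illustration, not code from the patent: it runs the Shamir sharing, the Multiply subprotocol and the Robust-Sig-Gen steps listed above ([vk] via Multiply, open vk, [k^-1] from [v], [z] = [k^-1]e + [w]r, open z), plus the share re-randomization and repair behind Proactive-Refresh. Assumptions: Q is the secp256k1 group order (the page fixes no curve), Beaver triples and the sharings of k and v come from a trusted dealer instead of the verifiable protocols, the standard Beaver formula [xy] = αβ + α[b] + β[a] + [c] stands in for the garbled one on the page, r is supplied by the caller because the elliptic-curve point k·G is not modelled, and there are no commitments or corruption handling.

```python
import secrets

# secp256k1 group order used as the field Z_q (assumption: the patent does
# not fix a curve; any prime group order works the same way)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def share(secret, d, n, q=Q):
    """Shamir sharing: shares are the points (i, f(i)), i = 1..n, of a random
    degree-d polynomial f whose constant term is the secret."""
    coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(d)]
    return [(i, sum(c * pow(i, k, q) for k, c in enumerate(coeffs)) % q)
            for i in range(1, n + 1)]


def interpolate(points, x, q=Q):
    """Lagrange-interpolate the polynomial through `points`, evaluate at x.
    d+1 points fix a degree-d polynomial; d points are consistent with every
    possible constant term, which is why t = d corrupt servers learn nothing."""
    total = 0
    for i, yi in points:
        num = den = 1
        for j, _ in points:
            if j != i:
                num = num * (x - j) % q
                den = den * (i - j) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total


def open_secret(shares, d, q=Q):
    """Secret-Open: any d+1 shares reconstruct the constant term."""
    return interpolate(shares[:d + 1], 0, q)


def add(sh1, sh2, q=Q):
    """Local addition of two sharings (no communication needed)."""
    return [(i, (a + b) % q) for (i, a), (_, b) in zip(sh1, sh2)]


def scale(sh, c, q=Q):
    """Local multiplication of a sharing by a public constant."""
    return [(i, a * c % q) for i, a in sh]


def dealer_triple(d, n, q=Q):
    """Beaver triple ([a],[b],[c]) with c = a*b. Assumption: dealt by a trusted
    party here; the patent's Multiplication-Triple protocol generates it
    verifiably among the servers."""
    a, b = secrets.randbelow(q), secrets.randbelow(q)
    return share(a, d, n, q), share(b, d, n, q), share(a * b % q, d, n, q)


def multiply(sh_x, sh_y, triple, d, q=Q):
    """Multiply protocol (Beaver): open alpha = x-a and beta = y-b, which leak
    nothing because a, b are random, then compute the degree-d sharing
    [xy] = alpha*beta + alpha[b] + beta[a] + [c] locally (no degree doubling)."""
    sh_a, sh_b, sh_c = triple
    alpha = open_secret(add(sh_x, scale(sh_a, q - 1, q), q), d, q)
    beta = open_secret(add(sh_y, scale(sh_b, q - 1, q), q), d, q)
    const = share(alpha * beta % q, 0, len(sh_x), q)  # public value, degree 0
    out = add(const, scale(sh_b, alpha, q), q)
    out = add(out, scale(sh_a, beta, q), q)
    return add(out, sh_c, q)


def threshold_sign_z(sh_s, e, r, d, n, q=Q):
    """Robust-Sig-Gen core: compute z = k^-1 (e + r s) mod q from a sharing
    [s] of the private key without ever opening s or k. Assumptions: [k] and
    [v] are dealt here (the patent draws them as random sharings among the
    servers) and r, the x-coordinate of k*G, is supplied by the caller.
    k is returned only so that the toy result can be checked."""
    while True:
        k = 1 + secrets.randbelow(q - 1)   # nonce, never opened
        v = 1 + secrets.randbelow(q - 1)   # random blinding value for inversion
        sh_k, sh_v = share(k, d, n, q), share(v, d, n, q)
        vk = open_secret(multiply(sh_v, sh_k, dealer_triple(d, n, q), d, q), d, q)
        if vk == 0:                        # "if vk = 0, go to step 2"
            continue
        sh_kinv = scale(sh_v, pow(vk, -1, q), q)                      # [k^-1] = vk^-1 [v]
        sh_w = multiply(sh_kinv, sh_s, dealer_triple(d, n, q), d, q)  # [w] = [k^-1 s]
        sh_z = add(scale(sh_kinv, e, q), scale(sh_w, r, q), q)        # [z] = [k^-1]e + [w]r
        z = open_secret(sh_z, d, q)
        if z != 0:                         # "if z = 0, restart"
            return z, k


def proactive_refresh(shares, d, n, q=Q):
    """Share re-randomization: every server deals a fresh sharing of 0 and each
    server sums what it receives. The secret is unchanged, but shares from
    different stages no longer lie on one polynomial, so at most t shares
    stolen per stage never add up to a reconstruction."""
    for _ in range(n):
        shares = add(shares, share(0, d, n, q), q)
    return shares


def restore_share(all_shares, j, d, q=Q):
    """Repair step: d+1 honest points fix the polynomial, so corrupted
    server j can be handed back its correct share f(j)."""
    return interpolate([p for p in all_shares if p[0] != j][:d + 1], j, q)
```

With n = 5 servers and t = d = 2, any three shares open the key, mixing shares from before and after a refresh does not, and a corrupted server's share is recomputed from the other servers' points.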
  • DSS Digital Signature Standard
  • Literature Reference No. 5 are used to generate digital signatures which ensure integrity of transmitted data online, can be used for authentication of data and entities online, and are also used in a variety of digital currency and financial transactions (e.g., Bitcoin, Litecoin, Ripple, and other digital currencies).
  • the present invention thus has a large set of applications to which it could be applied.
  • companies can use the present invention to design and implement remote access to internet-enabled/connected vehicles; individuals who have access to the vehicle can do so without risk of compromise of their private keys, which can be stored in a distributed manner on a user's mobile device(s), security token and/or backend servers. If a user's device or backend server, or the operator thereof, is compromised, the private key will not be revealed. Requiring a private key for authentication will guarantee that individuals without proper access will not be able to access the vehicle.
  • a biometric (e.g., fingerprint, palm vein scan)
  • biometric data can be used for authentication.
  • certificates in their operation. Manufacturers will need to generate such certificates and load them into vehicles. Those certificates have to be signed by a manufacturer's private key (or multiple keys) which have to be stored securely.
  • the system according to the principles of the present invention would allow a manufacturer and/or its supplier to secure the private keys and compute such signatures in a distributed manner. The ability to efficiently perform distributed computations using secret shared private keys is a very important step to securing future infrastructure of connected vehicles.
  • companies can utilize the system described herein for facility access to extremely sensitive facilities. Such facilities may not wish to store lists of individuals who may access particular rooms, such as sensitive compartmented information facilities (SCIFs).
  • SCIFs sensitive compartmented information facilities
PCT/US2015/025804 2014-04-17 2015-04-14 A method for secure and resilient distributed generation of elliptic curve digital signature algorithm (ecdsa) based digital signatures with proactive security WO2015160839A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP15780610.0A EP3132560A4 (de) 2014-04-17 2015-04-14 Verfahren zur sicheren und elastischen verteilten erzeugung digitaler signaturen auf der basis eines elliptischen kurvenalgorithmus für digitale signaturen (ecdsa) mit proaktiver sicherheit
CN201580019894.1A CN106664205B (zh) 2014-04-17 2015-04-14 生成数字签名的系统和方法、非瞬时计算机可读存储介质

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201461981191P 2014-04-17 2014-04-17
US61/981,191 2014-04-17

Publications (1)

Publication Number Publication Date
WO2015160839A1 true WO2015160839A1 (en) 2015-10-22

Family

ID=54324506

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/025804 WO2015160839A1 (en) 2014-04-17 2015-04-14 A method for secure and resilient distributed generation of elliptic curve digital signature algorithm (ecdsa) based digital signatures with proactive security

Country Status (3)

Country Link
EP (1) EP3132560A4 (de)
CN (1) CN106664205B (de)
WO (1) WO2015160839A1 (de)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017075609A1 (en) * 2015-10-29 2017-05-04 Hrl Laboratories, Llc An information secure protocol for mobile proactive secret sharing with near-optimal resilience
US9787472B1 (en) 2013-03-13 2017-10-10 Hrl Laboratories, Llc Information secure protocol for mobile proactive secret sharing with near-optimal resilience
WO2018203186A1 (en) * 2017-05-05 2018-11-08 nChain Holdings Limited Secure dynamic threshold signature scheme employing trusted hardware
WO2019116157A1 (en) * 2017-12-13 2019-06-20 nChain Holdings Limited Computer-implemented systems and methods for performing computational tasks across a group operating in a trust-less or dealer-free manner
WO2019116249A1 (en) * 2017-12-15 2019-06-20 nChain Holdings Limited Computer-implemented systems and methods for authorising blockchain transactions with low-entropy passwords
CN110278078A (zh) * 2019-06-17 2019-09-24 矩阵元技术(深圳)有限公司 A data processing method, device and system
WO2020012079A1 (fr) * 2018-07-11 2020-01-16 Ledger, Sas Security governance of the processing of a digital request
CN110999207A (zh) * 2017-08-15 2020-04-10 区块链控股有限公司 Computer-implemented method of generating a threshold vault
EP3675413A1 (de) * 2018-12-27 2020-07-01 Blue Helix Efficient threshold-distributed elliptic curve key generation and signature method and system
CN111615810A (zh) * 2018-01-16 2020-09-01 区块链控股有限公司 Computer-implemented method and system for obtaining digitally signed data
WO2020177977A1 (en) 2019-03-05 2020-09-10 Sepior Aps A method for providing a digital signature to a message
CN113434886A (zh) * 2021-07-01 2021-09-24 支付宝(杭州)信息技术有限公司 Method and apparatus for jointly generating data tuples for secure computation
GB2603495A (en) * 2021-02-05 2022-08-10 Nchain Holdings Ltd Generating shared keys
US11671255B2 (en) 2017-08-15 2023-06-06 Nchain Licensing Ag Threshold digital signature method and system
US11791992B2 (en) 2018-03-02 2023-10-17 Nchain Licensing Ag Computer implemented method and system for transferring control of a digital asset

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112385176B (zh) * 2018-08-09 2024-04-16 赫尔实验室有限公司 System, method and medium for anonymous work allocation and majority voting
US11316668B2 (en) 2018-11-16 2022-04-26 Safetech Bv Methods and systems for cryptographic private key management for secure multiparty storage and transfer of information
CN111435911B (zh) * 2019-01-14 2023-02-17 海南自贸区图灵区块链科技有限公司 An online multi-party secure data processing method and apparatus
TWI689194B (zh) * 2019-01-22 2020-03-21 開曼群島商現代財富控股有限公司 Threshold signature system based on dealer-free secret sharing and method thereof
CN110674511A (zh) * 2019-08-30 2020-01-10 深圳壹账通智能科技有限公司 Offline data protection method and system based on an elliptic curve encryption algorithm

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120179911A1 (en) * 2003-12-23 2012-07-12 Wells Fargo Bank, N.A. Cryptographic key backup and escrow system
US20120254619A1 (en) * 2011-04-01 2012-10-04 Cleversafe, Inc. Generating a secure signature utilizing a plurality of key shares
US20130191632A1 (en) * 2012-01-25 2013-07-25 Certivox, Ltd. System and method for securing private keys issued from distributed private key generator (d-pkg) nodes
US20130268760A1 (en) * 2008-02-22 2013-10-10 Security First Corp. Systems and methods for secure workgroup management and communication
US20140089683A1 (en) * 2012-09-26 2014-03-27 Pure Storage, Inc. Multi-drive cooperation to generate an encryption key

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7209555B2 (en) * 2001-10-25 2007-04-24 Matsushita Electric Industrial Co., Ltd. Elliptic curve converting device, elliptic curve converting method, elliptic curve utilization device and elliptic curve generating device
CN101710859B (zh) * 2009-11-17 2014-02-12 深圳国微技术有限公司 An authenticated key agreement method
EP2363976A1 (de) * 2010-02-25 2011-09-07 Certicom Corp. Improved digital signature and key agreement schemes

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120179911A1 (en) * 2003-12-23 2012-07-12 Wells Fargo Bank, N.A. Cryptographic key backup and escrow system
US20130268760A1 (en) * 2008-02-22 2013-10-10 Security First Corp. Systems and methods for secure workgroup management and communication
US20120254619A1 (en) * 2011-04-01 2012-10-04 Cleversafe, Inc. Generating a secure signature utilizing a plurality of key shares
US20130191632A1 (en) * 2012-01-25 2013-07-25 Certivox, Ltd. System and method for securing private keys issued from distributed private key generator (d-pkg) nodes
US20140089683A1 (en) * 2012-09-26 2014-03-27 Pure Storage, Inc. Multi-drive cooperation to generate an encryption key

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3132560A4 *

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9787472B1 (en) 2013-03-13 2017-10-10 Hrl Laboratories, Llc Information secure protocol for mobile proactive secret sharing with near-optimal resilience
CN108028751A (zh) * 2015-10-29 2018-05-11 赫尔实验室有限公司 Information secure protocol for mobile proactive secret sharing with near-optimal resilience
WO2017075609A1 (en) * 2015-10-29 2017-05-04 Hrl Laboratories, Llc An information secure protocol for mobile proactive secret sharing with near-optimal resilience
CN108028751B (zh) * 2015-10-29 2021-08-27 赫尔实验室有限公司 System, computer-readable medium and method for mobile proactive secret sharing
CN110603783B (zh) * 2017-05-05 2023-02-28 区块链控股有限公司 Secure dynamic threshold signature scheme employing trusted hardware
WO2018203186A1 (en) * 2017-05-05 2018-11-08 nChain Holdings Limited Secure dynamic threshold signature scheme employing trusted hardware
EP3985916A1 (de) * 2017-05-05 2022-04-20 Nchain Holdings Limited Secure dynamic threshold signature scheme using trusted hardware
US11228447B2 (en) 2017-05-05 2022-01-18 Nchain Licensing Ag Secure dynamic threshold signature scheme employing trusted hardware
CN110603783A (zh) * 2017-05-05 2019-12-20 区块链控股有限公司 Secure dynamic threshold signature scheme employing trusted hardware
US11381389B2 (en) 2017-08-15 2022-07-05 Nchain Holdings Ltd. Computer-implemented method of generating a threshold vault
CN110999207A (zh) * 2017-08-15 2020-04-10 区块链控股有限公司 Computer-implemented method of generating a threshold vault
US11671255B2 (en) 2017-08-15 2023-06-06 Nchain Licensing Ag Threshold digital signature method and system
US11438144B2 (en) 2017-12-13 2022-09-06 Nchain Licensing Ag Computer-implemented systems and methods for performing computational tasks across a group operating in a trust-less or dealer-free manner
EP3998740A1 (de) * 2017-12-13 2022-05-18 Nchain Holdings Limited Computer-implemented systems and methods for performing computational tasks across a group operating in a trust-less or dealer-free manner
WO2019116157A1 (en) * 2017-12-13 2019-06-20 nChain Holdings Limited Computer-implemented systems and methods for performing computational tasks across a group operating in a trust-less or dealer-free manner
EP4235479A1 (de) * 2017-12-15 2023-08-30 nChain Licensing AG Computer-implemented systems and methods for authorising blockchain transactions with low-entropy passwords
US11429956B2 (en) * 2017-12-15 2022-08-30 nChain Holdings Limited Computer-implemented systems and methods for authorising blockchain transactions with low-entropy passwords
WO2019116249A1 (en) * 2017-12-15 2019-06-20 nChain Holdings Limited Computer-implemented systems and methods for authorising blockchain transactions with low-entropy passwords
CN111615810A (zh) * 2018-01-16 2020-09-01 区块链控股有限公司 Computer-implemented method and system for obtaining digitally signed data
US11791992B2 (en) 2018-03-02 2023-10-17 Nchain Licensing Ag Computer implemented method and system for transferring control of a digital asset
WO2020012079A1 (fr) * 2018-07-11 2020-01-16 Ledger, Sas Security governance of the processing of a digital request
FR3085815A1 (fr) * 2018-07-11 2020-03-13 Ledger Security governance of the processing of a digital request
US11757660B2 (en) 2018-07-11 2023-09-12 Ledger, Sas Security governance of the processing of a digital request
EP3675413A1 (de) * 2018-12-27 2020-07-01 Blue Helix Efficient threshold-distributed elliptic curve key generation and signature method and system
CN113508554A (zh) * 2019-03-05 2021-10-15 塞皮奥有限责任公司 A method for providing a digital signature to a message
WO2020177977A1 (en) 2019-03-05 2020-09-10 Sepior Aps A method for providing a digital signature to a message
US11757657B2 (en) 2019-03-05 2023-09-12 Sepior Aps Method for providing a digital signature to a message
CN110278078B (zh) * 2019-06-17 2022-03-22 矩阵元技术(深圳)有限公司 A data processing method, device and system
CN110278078A (zh) * 2019-06-17 2019-09-24 矩阵元技术(深圳)有限公司 A data processing method, device and system
GB2603495A (en) * 2021-02-05 2022-08-10 Nchain Holdings Ltd Generating shared keys
CN113434886B (zh) * 2021-07-01 2022-05-17 支付宝(杭州)信息技术有限公司 Method and apparatus for jointly generating data tuples for secure computation
CN113434886A (zh) * 2021-07-01 2021-09-24 支付宝(杭州)信息技术有限公司 Method and apparatus for jointly generating data tuples for secure computation

Also Published As

Publication number Publication date
CN106664205A (zh) 2017-05-10
EP3132560A4 (de) 2017-12-20
EP3132560A1 (de) 2017-02-22
CN106664205B (zh) 2020-06-05

Similar Documents

Publication Publication Date Title
US9489522B1 (en) Method for secure and resilient distributed generation of elliptic curve digital signature algorithm (ECDSA) based digital signatures with proactive security
WO2015160839A1 (en) A method for secure and resilient distributed generation of elliptic curve digital signature algorithm (ecdsa) based digital signatures with proactive security
US20230013158A1 (en) Computer-implemented method of generating a threshold vault
US10083310B1 (en) System and method for mobile proactive secure multi-party computation (MPMPC) using commitments
Ti Fault attack on supersingular isogeny cryptosystems
US9264406B2 (en) Public key cryptography with reduced computational load
Chang et al. A threshold signature scheme for group communications without a shared distribution center
JP7316283B2 (ja) Computer-implemented method and system for obtaining digitally signed data
JP2022547876A (ja) System and method for signing a message
Harn et al. Fair secret reconstruction in (t, n) secret sharing
US9614676B1 (en) Cryptographically-secure packed proactive secret sharing (PPSS) protocol
JP2024010226A (ja) Computer-implemented method and system for transferring control of a digital asset
JP7091322B2 (ja) Composite digital signature
CN108055128B (zh) RSA key generation method, apparatus, storage medium and computer device
EP3871365A1 (de) Computer-implemented system and method for distributing shares of digitally signed data
WO2017030111A1 (ja) Computation system, computation device, method thereof, and program
Chien Combining Rabin cryptosystem and error correction codes to facilitate anonymous authentication with un-traceability for low-end devices
Pilaram et al. An efficient lattice‐based threshold signature scheme using multi‐stage secret sharing
Tahat et al. Hybrid publicly verifiable authenticated encryption scheme based on chaotic maps and factoring problems
Hong et al. Quantum digital signature in a network
US9443089B1 (en) System and method for mobile proactive secret sharing
Autry et al. Fully Decentralized Post-Quantum Resistant Authentication, Encryption Protocol with Full Data Interoperability Universally Deployable in any Network Environment
Wu et al. Batch public key cryptosystem with batch multi-exponentiation
US11438146B1 (en) System and method for performing key exchange while overcoming a malicious adversary party
CN114586313B (zh) System and method for signing a message

Legal Events

Date Code Title Description
DPE2 Request for preliminary examination filed before expiration of 19th month from priority date (pct application filed from 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 15780610; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
REEP Request for entry into the european phase. Ref document number: 2015780610; Country of ref document: EP
WWE Wipo information: entry into national phase. Ref document number: 2015780610; Country of ref document: EP