WO2016049406A1 - Method and apparatus for secure non-interactive threshold signatures - Google Patents
- Authority
- WO
- WIPO (PCT)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3255—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
Definitions
- the present principles are directed to devise a new construction of threshold signatures in the standard model which is as efficient as the PF140044 reference from a computational standpoint and in terms of signature and private storage.
- the public key should be jointly generated by all players while guaranteeing the security of the scheme against an adaptive adversary.
- the key generation phase should be as communication-efficient as possible. Ideally, a single communication round should be needed when the players follow the protocol.
- the present principles attempt to avoid interaction during the distributed signing process: each player should only send a single message to the combiner without having to interact with other players at any time.
- the construction is a variant of a signature scheme described in an article by C. Jutla and A. Roy, entitled “Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces," in Advances in Cryptology - Asiacrypt 2013, LNCS 8269, pp.
- the Jutla reference teaches signing messages by encrypting a secret value, which is part of the private key, using the message as a label.
- the signature also contains a NIZK (Non-Interactive Zero-Knowledge) proof that the ciphertext encrypts a persistent hidden value.
- NIZK proof is a quasi-adaptive NIZK proof generated for an affine subspace, where the verifier only uses a portion of the CRS (Common Reference String) that does not depend on the statement. [47] In its centralized (i.e.
- NIZK proof In the security proof, we use a sequence of hybrid games where we gradually move to a game where all signatures contain encryptions of random group elements (instead of an opening of the Pedersen commitment).
- FIG. 2 illustrates a flowchart for an exemplary threshold signature scheme 200 according to an embodiment of the present principles.
- it generates the public key, verification key, and private key shares.
- partial signatures are created based on private key shares for a message.
- it verifies if individual partial signatures are valid.
- valid partial signatures are combined to generate a signature.
- it verifies whether the signature generated at step 240 is valid or not. In the present application, these steps are also denoted as Dist-Keygen, Share-Sign,
- FIG. 3 illustrates an exemplary method 300 for generating the public key, private key shares and verification key.
- Method 300 starts at step 310.
- it performs initialization, for example, determining public parameters params, security parameter λ and integers t, n.
- Each player Pi does the following: a. At step 320, choose a set of random (t - 1)-degree polynomials over
- step 330 generate a partial homomorphic signature on the linearly independent vectors
- player P verifies that
- Phase 4 The public key PK may be obtained at step 360 as
- the public key may also be obtained as
- step 330 may be performed before step 325, and/or step 390 may be performed before step 380.
- step 380: In order to create a partial signature on a message using his private key share, player Pi chooses and
- the random coins are erased from the memory such that an attacker cannot access
- FIG. 4 depicts an exemplary system 400 wherein threshold signatures can be used according to an embodiment of the present principles.
- Multiple devices may be connected through a network 490, for example, through the Internet or a mobile network.
- the devices (410, 420, 430) may receive a message through input devices, for example, a keyboard, touchscreen or voice/video input.
- the devices communicate with each other to generate private key shares, public key and verification key.
- the keys may then be stored in the memory of devices.
- the players generate partial signatures, which may then be combined to generate a signature.
- the device used to combine the partial signatures can be the same as the device that acts as the player.
- Another device 440 acts as a verifier.
- In FIG. 4 we show that there are multiple devices in the system. In different variations, there may be a different number of devices in the system.
- the threshold signature scheme according to the present principles can be used in, for example, but not limited to, a large bank transaction, a certification authority, a bitcoin ecosystem, routing in a wireless or ad hoc network, or other places where secure
- Key generator 110 may be a computer employed by the bank
- Broadcast channel 120 may be internet or wireless network
- Players (130, 140, 150) may be computers employed by the bank, or computers employed by the organization/group who performs the bank transaction with the bank
- Combiner 160 may be another computer employed by the bank, or the same computer used as Key generator
- Verifier 170 may be yet another computer employed by the bank, or the same computer used as Key generator/Combiner. All computers employed by the bank may be operated by a third party who provides security service to the bank.
- the different computers in the system may run a web browser or a software module to collectively perform the threshold signature scheme.
- the implementations described herein may be implemented in, for example, a method or a process, an apparatus, a software program, a data stream, or a signal. Even if only discussed in the context of a single form of implementation (for example, discussed only as a method), the implementation of features discussed may also be implemented in other forms (for example, an apparatus or program).
- An apparatus may be implemented in, for example, appropriate hardware, software, and firmware.
- the methods may be implemented in, for example, an apparatus such as, for example, a processor, which refers to processing devices in general, including, for example, a computer, a microprocessor, an integrated circuit, or a programmable logic device. Processors also include communication devices, such as, for example, computers, cell phones, portable/personal digital assistants ("PDAs”), and other devices that facilitate communication of information between end-users.
- PDAs portable/personal digital assistants
- the appearances of the phrase “in one embodiment” or “in an embodiment” or “in one implementation” or “in an implementation”, as well as any other variations, appearing in various places throughout the specification are not necessarily all referring to the same embodiment.
- Determining the information may include one or more of, for example, estimating the information, calculating the information, predicting the information, or retrieving the information from memory.
- Accessing the information may include one or more of, for example, receiving the information, retrieving the information (for example, from memory), storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
- this application or its claims may refer to "receiving" various pieces of information. Receiving is, as with "accessing", intended to be a broad term. Receiving the information may include one or more of, for example, accessing the information, or retrieving the information (for example, from memory).
- receiving is typically involved, in one way or another, during operations such as, for example, storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
- implementations may produce a variety of signals formatted to carry information that may be, for example, stored or transmitted.
- the information may include, for example, instructions for performing a method, or data produced by one of the described implementations.
- a signal may be formatted to carry the bitstream of a described embodiment.
- Such a signal may be formatted, for example, as an electromagnetic wave (for example, using a radio frequency portion of spectrum) or as a baseband signal.
- the formatting may include, for example, encoding a data stream and modulating a carrier with the encoded data stream.
- the information that the signal carries may be, for example, analog or digital information.
- the signal may be transmitted over a variety of different wired or wireless links, as is known.
- the signal may be stored on a processor-readable medium.
Abstract
The present principles provide a threshold signature scheme. Considering n players, given asymmetric bilinear groups (G, Ĝ, GT) with generators g, h, g̃, h̃, X, Y ∈R G and g̃z, g̃r ∈R Ĝ, each player chooses a set of random t-degree polynomials, and generates a set of partial homomorphic signatures on several linearly independent vectors. The public key PK may be obtained based on the set of polynomials and the partial homomorphic signatures of n players. The private key share and verification key for a player can be defined based on the set of polynomials. The signature for the message can be obtained from t partial signatures, wherein each partial signature can be generated based on the player's private key share and some random variables. Whether a partial signature is valid can be determined based on the public key PK and the verification key. Whether the signature for the message is valid can be determined based on the public key PK.
Description
Method and Apparatus for Secure Non-Interactive Threshold Signatures
TECHNICAL FIELD
[1] This invention relates to a method and an apparatus for cryptography, and more particularly, to a method and an apparatus for secure non-interactive threshold signatures.
BACKGROUND
[2] In threshold signatures, the private key is shared among n players in such a way that at least t out of these n players have to contribute to each signature generation. Until recently, most existing threshold signature schemes either require interaction among the players during the signing process or only provide security against static corruptions.
Currently known fully non-interactive adaptively secure constructions suffer from certain shortcomings. For example, the solutions proposed in an article by A. Boldyreva, entitled "Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme," in Public-Key Cryptography - PKC 2003, LNCS 2567, pp. 31-46, Springer, 2003, or in an article by H. Wee, entitled "Threshold and Revocation Cryptosystems via Extractable Hash Proofs," in Advances in Cryptology - Eurocrypt 2011, LNCS 6632, pp. 589-609, Springer, 2011 are only known to resist static adversaries, who have to choose which players they want to corrupt before even seeing the public key.
[3] Adaptively secure threshold signatures can be obtained from distributed RSA (Rivest, Shamir, and Adleman) signatures, which are deterministic and thus potentially easier to thresholdize in the non-interactive setting: indeed, threshold RSA signatures do not require the players to jointly generate a randomized signature component in a first round before starting a second round.
[4] The constructions of adaptively secure threshold signatures may rely on a technique, called "single inconsistent player" (SIP) technique, which inherently requires interaction. The SIP technique basically consists in converting a t-out-of-n secret sharing into an n-out-of-n secret sharing in such a way that, in the latter case, there is only one player whose internal state cannot consistently be revealed to the adversary. Since this player is chosen at random by the simulator among the n players, it is only corrupted with probability 1/2 and, when this undesirable event occurs, the simulator can simply rewind the adversary back to one of its previous states. After this backtracking operation, the simulator uses different random coins to simulate the view of the adversary, hoping that the inconsistent player will not be corrupted again.
[5] A variant of Rabin's threshold RSA signatures is proved to be adaptively secure using the SIP technique. While the SIP technique does provide adaptively secure threshold RSA signatures, it may fall short of minimizing the amount of interaction. The constructions of threshold RSA signatures can proceed by turning a (t, n) polynomial secret sharing into a (t, t) additive secret sharing by first selecting a pool of at least t participants. However, if only one of these fails to provide a valid contribution to the signing process, the whole protocol must be restarted from scratch.
[6] The protocol of threshold RSA signatures can also proceed by sharing an RSA private key in an additive (n, n) fashion (i.e., the private RSA exponent d is split into shares d1, ..., dn such that the shares add up to d). In turn, each additive share di is shared in a (t, n) fashion using a polynomial verifiable secret sharing and each share di,j of di is distributed to another player j. This is done in such a way that, if one participant fails to provide a valid RSA signature share $H(M)^{d_i}$, the missing signature share can be reconstructed by running the reconstruction algorithm of the verifiable secret sharing scheme that was used to share di. The first drawback of this approach is that it is only non-interactive when all players are honest: if even only one additive signature share $H(M)^{d_i}$ is missing, the remaining participants have to conduct a second round of interaction to reconstruct the missing signature shares $H(M)^{d_i}$. Another drawback of this approach is that each player has to store O(n) values, where n is the number of players (as each player has to store a polynomial share of other players' additive share). Ideally, we would like a solution where each player only stores O(1) elements, regardless of the number of players.
[7] An adaptively secure threshold variant of Waters signatures using groups of composite order is suggested in an article by B. Libert and M. Yung, entitled "Adaptively Secure Non-Interactive Threshold Cryptosystems," Theoretical Computer Science, vol. 478, pp. 76-100, March 2013. Extended abstract in ICALP 2011, LNCS 6756, pp. 588-600, Springer, 2011. The use of composite order groups makes the scheme very expensive when it comes to verifying signatures: computing a bilinear map in composite order groups is at least 50 times slower than evaluating the same bilinear map in prime order groups at the 80-bit security level (things can only get worse at higher security levels). In the resulting construction, each signature consists of 6 group elements. The use of asymmetric bilinear maps allows reducing the signature size to 4 group elements.
[8] A commonly owned EP patent application, titled "Round-Optimal Adaptively Secure Threshold Signatures in the Standard Model" by M. Joye and B. Libert (EP Patent Application No. 14305175.3, Attorney Docket No. PF140044, hereinafter "PF140044"), the teachings of which are specifically incorporated herein by reference, discloses round-optimal adaptively secure non-interactive threshold signatures in the standard model. The scheme was shown to remain secure when used in combination with Pedersen's distributed key generation protocol, and may be currently the most efficient adaptively secure non-interactive threshold signature in the standard model. However, it requires common public parameters (possibly shared by several distributed signers) comprising O(λ) group elements, where λ is the security parameter.
SUMMARY
[9] The present principles provide a method for signing a message using threshold signatures, comprising: accessing a plurality of linearly independent vectors, each vector including one or more of generators g, h, g̃, h̃, X and Y; determining a partial homomorphic signature on one of the plurality of linearly independent vectors, wherein the partial homomorphic signature is suitable for use in determining a public key; determining a private key share responsive to a set of random polynomials; and determining a partial signature for the message responsive to the private key share, the partial signature, in combination with other partial signatures, suitable for generating a signature of the message, and the signature suitable for verification using the public key. The present principles also provide an apparatus for performing these steps.
[10] The present principles also provide a computer readable storage medium having stored thereon instructions for signing a message using threshold signatures according to the methods described above.
[11] The present principles also provide a method for verifying a signature of a message, comprising: accessing the message, the signature, a public key and a verification key, wherein the signature is generated from a plurality of partial signatures, each one of the plurality of partial signatures being generated responsive to a private key share, wherein the private key share is determined responsive to a set of random polynomials, and wherein the public key is generated responsive to a partial homomorphic signature, the partial homomorphic signature being determined responsive to one of a plurality of linearly independent vectors, each vector including one or more of generators g, h, g̃, h̃, X and Y; and verifying whether the signature is valid. The present principles also provide an apparatus for performing these steps.
[12] The present principles also provide a computer readable storage medium having stored thereon instructions for verifying a signature of a message according to the methods described above.
BRIEF DESCRIPTION OF THE DRAWINGS
[13] FIG. 1 depicts a block diagram of an exemplary threshold signature system, in accordance with an embodiment of the present principles.
[14] FIG. 2 is a flow diagram depicting an exemplary threshold signature scheme, in accordance with an embodiment of the present principles.
[15] FIG. 3 is a flow diagram depicting an exemplary method for generating the public key, private key shares and verification key, in accordance with an embodiment of the present principles.
[16] FIG. 4 is a block diagram depicting an exemplary system where threshold signatures can be used, in accordance with an embodiment of the present principles.
DETAILED DESCRIPTION
[17] In the present application, we use the terms "player" and "signer" interchangeably, and use the terms "partial signature" and "signature share" interchangeably. TABLE 1 summarizes some abbreviations used in the present application.
TABLE 1
[18] Definitions for Threshold Signatures
[19] A non-interactive (t, n)-threshold signature scheme consists of a tuple (Dist-Keygen, Share-Sign, Share-Verify, Verify, Combine) of efficient algorithms or protocols.
[20] Dist-Keygen(params, λ, t, n): This is a protocol involving n players P1, ..., Pn, which all take as input common public parameters params, a security parameter λ, as well as a pair of integers (t, n), where t and n are polynomial in λ (written poly(λ)). The outcome of the protocol is the generation of a public key PK, a vector of private key shares SK = (SK1, ..., SKn), where only Pi obtains SKi for each i, and a public vector of verification keys VK = (VK1, ..., VKn).
[21] Share-Sign is a possibly randomized algorithm that takes in a message M and a private key share SKi. It outputs a signature share σi.
[22] Share-Verify is a deterministic algorithm that takes as input a message M, the public key PK, the verification key VK and a pair (i, σi) consisting of an index i and signature share σi. It outputs 1 or 0 depending on whether σi is deemed a valid signature share or not.
[23] Combine takes as input a public key PK, a message M and a subset of indices together with pairs (i, σi), where σi is a signature share. This algorithm outputs either a full signature σ or ⊥ if the subset contains ill-formed partial signatures.
[24] Verify is a deterministic algorithm that takes as input a message M, the public key PK and a signature σ. It outputs 1 or 0 depending on whether σ is deemed a valid signature or not.
[25] We use the same communication model as in, e.g., an article by R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, entitled "Secure Distributed Key Generation for Discrete-Log Based Cryptosystems," in Advances in Cryptology - Eurocrypt'99, LNCS 1592, pp. 295-310, Springer, 1999. Namely, all players have access to a public broadcast channel, which the adversary can use as a sender and a receiver. However, the adversary cannot modify messages sent over this channel, nor prevent their delivery. In addition, we assume private and authenticated channels between all pairs of players.
[26] FIG. 1 depicts a block diagram of an exemplary threshold signature system according to an embodiment of the present principles, which includes key generator 110, broadcast channel 120, players P1, ..., Pn (130, 140, 150), combiner 160 and verifier 170. Key generator 110 takes security parameter λ, public parameters params and integers (t, n) as input, and outputs a public key PK, a vector of private key shares SK = (SK1, ..., SKn) and a vector of verification keys VK = (VK1, ..., VKn). Private key share SKi is distributed to player Pi via broadcast channel 120. The verification key and public key are also distributed to the players, combiner and verifier via broadcast channel 120. Alternatively, each player may define its private key share and the verification key for its signature share. A player in the threshold signature scheme may correspond to a device (for example, a computer, a tablet, a mobile phone) or a software application (for example, a web browser that supports secure communication).
[27] Player Pi (130, 140, 150) takes in message M and private key share SKi, and outputs signature share
Any player Pi (130, 140, 150), the combiner (160) or the verifier (170) may also verify whether signature share σi is a valid signature share or not. Combiner 160 takes as input public key PK, message M and t signature shares, and outputs either a full signature σ or ⊥ if some signature shares are ill-formed. Verifier 170 takes as input message M, public key PK and signature σ, and verifies whether σ is a valid signature or not.
[28] In the adaptive corruption setting, the security of non-interactive threshold signatures can be defined as follows.
[29] Definition 1. A non-interactive threshold signature scheme
is adaptively secure against chosen-message attacks if no PPT adversary
has non-negligible advantage in the game hereunder. At any time, we denote by
players at any time. When
chooses to corrupt player Pi, the challenger sets
and returns the internal state of Pi . Moreover, is allowed to act on behalf
of Pi from this point forward. The protocol ends with the generation of a public key PK, a vector of private key shares and the corresponding verification keys
[31] 2. On polynomially many occasions, adaptively interleaves two kinds of queries.
Corruption query: At any time, can choose to corrupt a player. To this end,
chooses and the challenger returns SKi before setting and
Signing query: For any can also submit a pair (i, M) and ask for a
signature share on an arbitrary message M on behalf of player Pi . The challenger responds by computing and returning
[32] 3. outputs a message M* and a signature
The adversary wins if the following conditions hold: (i)
did not obtain any partial signature on
[33] The adversary's advantage is defined as its probability of success, taken over all coin tosses.
[34] Hardness Assumptions
[35] We first recall the definition of the Decision Diffie-Hellman problem.
with wherein "R" indicates a probabilistic process. The Decision
Diffie-Hellman Assumption is the intractability of DDH for any PPT algorithm D.
in asymmetric pairings, where we have
so as to allow the DDH assumption to hold in (see, e.g., an article by M. Scott, entitled "Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number," Cryptology ePrint Archive: Report 2002/164, 2002). In certain asymmetric pairing configurations, DDH is even believed to hold in both G and Ĝ. This assumption is called the Symmetric eXternal Diffie-Hellman
(SXDH) assumption and it implies that no isomorphism from
be efficiently computable.
[38] One-Time Linearly Homomorphic Structure-Preserving Signatures
[39] In an article by B. Libert, T. Peters, M. Joye, and M. Yung, entitled "Linearly Homomorphic Structure-Preserving Signatures and their Applications," in Advances in
Cryptology - Crypto 2013, LNCS 8043, pp. 289-307, Springer, 2013, Libert et al. described linearly homomorphic signatures where messages and signatures only consist of group elements. They suggested the following scheme, which is a one-time linearly homomorphic signature (i.e., it only allows signing one linear subspace) based on the DDH assumption in
conduct the following steps.
1. Choose
2. For k = 1 to N, choose
is the set of integers between 0 and p − 1, where p is a prime, and compute
[42] each
[44] The present principles are directed to devising a new construction of threshold signatures in the standard model which is as efficient as the PF 140044 reference from a computational standpoint and in terms of signature size and private storage. In particular, we want to retain private key shares of O(1) size, regardless of the number of players involved in the protocol. Moreover, we do not want to rely on a trusted dealer in the key generation phase. The public key should be jointly generated by all players while guaranteeing the security of the scheme against an adaptive adversary.
[45] In addition, the key generation phase should be as communication-efficient as possible. Ideally, a single communication round should be needed when the players follow the protocol. The present principles attempt to avoid interaction during the distributed signing process: each player should only send a single message to the combiner without having to interact with other players at any time. We also aim at improving the PF140044 reference by reducing the size of common public parameters to a constant number of group elements.
[46] The construction is a variant of a signature scheme described in an article by C. Jutla and A. Roy, entitled "Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces," in Advances in Cryptology - Asiacrypt 2013, LNCS 8269, pp. 1-20, Springer, 2013 (hereinafter "Jutla"). The Jutla reference teaches signing messages by encrypting a secret value, which is part of the private key, using the message as a label. The signature also contains a NIZK (Non-Interactive Zero-Knowledge) proof that the ciphertext encrypts a persistent hidden value. In the Jutla reference, the NIZK proof is a quasi-adaptive NIZK proof generated for an affine subspace, where the verifier only uses a portion of the CRS (Common Reference String) that does not depend on the statement.
[47] In its centralized (i.e., non-threshold) version, the underlying idea of the signature scheme is that each signature demonstrates that the signer "knows" an opening of a Pedersen commitment Ω = g^h^ . Each signature is made of two components which can be seen as (a weak form of) Cramer-Shoup encryptions of g^ and h$ , respectively, augmented with a quasi-adaptive NIZK proof that the encrypted value is an opening of the Pedersen commitment Ω = g^h? . In the security proof, we use a sequence of hybrid games where we gradually move to a game where all signatures contain encryptions of random group elements (instead of an opening of the Pedersen commitment). At the same time, unless the semantic security (which relies on the DDH assumption in G) of the weak encryption system can be broken, the adversary should remain able to output an opening of the Pedersen commitment in the last game. However, we can prove that this is impossible unless the DDH assumption is false in G.
[48] In the threshold setting, we would like to minimize the number of public parameters that are trusted to be uniformly distributed, which implies that the CRS of the quasi-adaptive NIZK proof system must be generated during the distributed key generation phase. Using
Pedersen's protocol, it is not clear how this can be achieved for the quasi-adaptive NIZK proofs of the Jutla reference (see also C. Jutla, A. Roy, "Switching Lemma for Bilinear Tests and Constant-size NIZK Proofs for Linear Subspaces," in Cryptology ePrint Archive: Report 2013/670, 2013), as their CRS generation entails exponentiating matrices that are inverses of one another. It was observed in an article by B. Libert, T. Peters, M. Joye, and M. Yung, entitled "Non-Malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures," in Advances in Cryptology - Eurocrypt 2014, LNCS 8441, pp. 514-532, Springer, 2014 (hereinafter "Libert"), that LHSPS (Linearly Homomorphic Structure-Preserving Signature) schemes can be used to build very short quasi-adaptive NIZK proofs, where the generation of the CRS only requires linear operations. We thus use a quasi-adaptive NIZK proof for affine subspaces and exploit the property that, in the quasi-adaptive proofs of the Libert reference, the CRS is the verification key of a one-time LHSPS. Consequently, in the threshold setting, if Pedersen's protocol is used to generate the CRS, we can still prove security even if the latter is not uniformly distributed.
[49] FIG. 2 illustrates a flowchart for an exemplary threshold signature scheme 200 according to an embodiment of the present principles. At step 210, the public key, verification key and private key shares are generated. At step 220, partial signatures on a message are created from the private key shares. Optionally, at step 230, the individual partial signatures are checked for validity. At step 240, valid partial signatures are combined to generate a signature. At step 250, the signature generated at step 240 is verified. In the present application, these steps are also denoted as Dist-Keygen, Share-Sign, Share-Verify, Combine and Verify, respectively, and are discussed in further detail below.
[50] First Embodiment
[51] In one embodiment, we assume that the players agree on public parameters params
comprising asymmetric bilinear groups of prime order with generators
and
[52] Given params
follows.
[53] FIG. 3 illustrates an exemplary method 300 for generating the public key, private key shares and verification key. Method 300 starts at step 310, which performs initialization, for example, determining public parameters params, security parameter λ and integers t, n.
[54] Phase 1. Each player Pi does the following: a. At step 320, choose a set of random (t − 1)-degree polynomials over
Then, at step 330, generate a partial homomorphic signature on the linearly independent vectors
i 340.
order to verify whether the share is valid, player Pi verifies that
and
If equalities (1) do not hold, Pi broadcasts a complaint against Pj.
[56] Phase 3. Any player Pi who sent incorrect verification values or received more than t complaints from other players is immediately disqualified. Each player Pi who received a complaint from another player Pj returns the corresponding (supposedly correct) shares
If any of these new shares fail to satisfy (1), then Pi is disqualified. Let be the set of
non-disqualified players at the end of Phase 3.
[57] Phase 4. The public key PK may be obtained at step 360 as
for each Each Pi erases his polynomials
Anyone can publicly (i.e., without extra secret information) compute his verification key at step 390 as
they are not used in the scheme. In the security proof, however, it will be useful to consider the additive shares
[60] The steps in method 300 may proceed in a different order from what is shown in FIG. 3; for example, step 330 may be performed before step 325, and/or step 390 may be performed before step 380.
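The four phases of method 300 follow the shape of Pedersen-style distributed key generation: each player deals a random (t − 1)-degree polynomial, publishes verification values, sends shares over the private channels, checks what it received, complains on the broadcast channel, and the qualified set fixes PK, SK_i and VK_i before the polynomials are erased. The following is an added example written for this page, not code from the patent or its applicants. It keeps that protocol structure but replaces the patent's pairing-based verification values (derived from a one-time LHSPS) with Feldman-style commitments g^{a_k} in a toy Schnorr group; the group parameters P, Q, G, the `Player`/`run_dkg`/`combine_in_exponent` names, the complaint bookkeeping and the "corrupt dealer sends a wrong share" model are all assumptions of this example, and the `check_share` test is a stand-in for equality (1), not the patent's check. The last function performs Lagrange interpolation in the exponent, which is the operation a combiner applies to t shares.

```python
import random
from dataclasses import dataclass, field

P = 1019  # assumed toy safe prime p = 2q + 1; far too small for real use
Q = 509   # prime order of the subgroup in which all exponents live
G = 4     # generator of the order-Q subgroup (a quadratic residue mod P)


def lagrange_at_zero(i, subset):
    """lambda_i such that f(0) = sum_{i in subset} lambda_i * f(i) mod Q."""
    num = den = 1
    for j in subset:
        if j != i:
            num, den = num * (-j) % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


@dataclass
class Player:
    idx: int
    t: int
    rng: random.Random
    bad_share_to: frozenset = frozenset()        # victims that receive a wrong share
    coeffs: list = None                          # own polynomial, erased in Phase 4
    commits: dict = field(default_factory=dict)  # j -> [g^{a_j0}, ..., g^{a_j,t-1}]
    shares: dict = field(default_factory=dict)   # j -> f_j(idx) as received

    def phase1_deal(self):
        """Phase 1: choose a random (t-1)-degree polynomial, publish g^{a_k}."""
        self.coeffs = [self.rng.randrange(Q) for _ in range(self.t)]
        return [pow(G, a, P) for a in self.coeffs]

    def share_for(self, j):
        """Private share f_idx(j) by Horner's rule; a corrupt dealer sends victims a wrong value."""
        s = 0
        for a in reversed(self.coeffs):
            s = (s * j + a) % Q
        return (s + 1) % Q if j in self.bad_share_to else s

    def check_share(self, j, share):
        """Stand-in for equality (1): g^share == prod_k (g^{a_jk})^(idx^k)."""
        rhs = 1
        for k, c in enumerate(self.commits[j]):
            rhs = rhs * pow(c, pow(self.idx, k, Q), P) % P
        return pow(G, share, P) == rhs


def run_dkg(n, t, corrupt=None, seed=2024):
    """Run Phases 1-4 and return (QUAL, PK, {i: SK_i}, {i: VK_i})."""
    rng, corrupt = random.Random(seed), corrupt or {}
    players = {i: Player(i, t, rng, frozenset(corrupt.get(i, ()))) for i in range(1, n + 1)}
    # Phase 1: verification values go over the broadcast channel, shares over private channels
    for i, dealer in players.items():
        commits = dealer.phase1_deal()
        for j, recv in players.items():
            recv.commits[i] = commits
            recv.shares[i] = dealer.share_for(j)
    # Phase 2: every player checks every received share and broadcasts a complaint on failure
    complaints = {i: set() for i in players}  # accused dealer -> accusers
    for j, recv in players.items():
        for i in players:
            if not recv.check_share(i, recv.shares[i]):
                complaints[i].add(j)
    # Phase 3: > t complaints disqualifies outright; else the accused re-sends the share publicly
    qual = set(players)
    for i, accusers in complaints.items():
        if len(accusers) > t:
            qual.discard(i)
            continue
        for j in accusers:
            resent = players[i].share_for(j)  # a persistent cheater re-sends garbage
            if players[j].check_share(i, resent):
                players[j].shares[i] = resent
            else:
                qual.discard(i)
                break
    # Phase 4: PK = prod g^{a_j0} and SK_i = sum f_j(i) over QUAL; VK_i from public data; erase
    pk = 1
    for j in qual:
        pk = pk * players[j].commits[j][0] % P
    sk, vk = {}, {}
    for i, p in players.items():
        sk[i] = sum(p.shares[j] for j in qual) % Q
        p.coeffs = None
        vk[i] = 1
        for j in qual:
            for k, c in enumerate(p.commits[j]):
                vk[i] = vk[i] * pow(c, pow(i, k, Q), P) % P
    return qual, pk, sk, vk


def combine_in_exponent(subset, values):
    """Lagrange interpolation in the exponent (what a combiner does to t shares); on t of the VK_i it gives PK."""
    out = 1
    for i in subset:
        out = out * pow(values[i], lagrange_at_zero(i, subset), P) % P
    return out


if __name__ == "__main__":
    qual, pk, sk, vk = run_dkg(n=5, t=3, corrupt={3: {1}, 4: {1, 2, 3, 5}})
    print("QUAL:", sorted(qual), "PK:", pk, "3 shares recover PK:", combine_in_exponent([1, 2, 5], vk) == pk)
```

Two things worth noticing when running it: a dealer that cheats against a single receiver is caught in Phase 3 only because the re-sent share is checked again in public, and a dealer that cheats against more than t receivers is dropped without any re-send. In both cases the victim's stored bad share never reaches SK_i, since only dealers in QUAL contribute, and VK_i = g^{SK_i} is derived from broadcast data alone, matching the page's remark that anyone can compute the verification keys without extra secret information.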
[61] In order to create a partial signature on a message
using his private key share SKi, player Pi chooses and
is in the linear span of
[62]
[63] Given a t-set with valid partial signatures
Then, re-randomize the obtained tuple
and return the resulting
as the signature.
[64]
and return 0 if it does not parse properly. Then, return 1 if and only if is a valid homomorphic
[65] FIG. 4 depicts an exemplary system 400 wherein threshold signatures can be used according to an embodiment of the present principles. Multiple devices may be connected through a network 490, for example, the Internet or a mobile network. The devices (410, 420, 430) may receive a message through input devices, for example, a keyboard, touchscreen or voice/video input. The devices communicate with each other to generate the private key shares, public key and verification key. The keys may then be stored in the memory of the devices. The players generate partial signatures, which may then be combined to generate a signature. The device used to combine the partial signatures can be the same as a device that acts as a player. Another device 440 acts as a verifier. FIG. 4 shows multiple devices in the system; in different variations, there may be a different number of devices.
[66] The threshold signature scheme according to the present principles can be used in, for example and without limitation, large bank transactions, a certification authority, a bitcoin ecosystem, routing in a wireless or ad hoc network, or other settings where secure communication is desired. When the threshold signature scheme is used in bank transactions, key generator 110 may be a computer employed by the bank; broadcast channel 120 may be the Internet or a wireless network; players (130, 140, 150) may be computers employed by the bank, or computers employed by the organization/group that performs the bank transaction with the bank; combiner 160 may be another computer employed by the bank, or the same computer used as key generator; and verifier 170 may be yet another computer employed by the bank, or the same computer used as key generator/combiner. All computers employed by the bank may be operated by a third party who provides security services to the bank. The different computers in the system may run a web browser or a software module to collectively perform the threshold signature scheme.
[67] At the 128-bit security level, if each element of
has a 256-bit representation on Barreto-Naehrig curves, we only need 2048 bits per signature.
[68] In the security proof, we use the fact that several kinds of signature shares satisfy the share verification algorithm. The reason why we need erasures is to make sure that, if a simulated honest player is dynamically corrupted, it will not have to explain its old Type B partial signatures as Type A signatures. The solution is to have the reduction pretend that the player erased its random coins after the generation of each partial signature.
[69] The strategy of the proof is to show that, if the adversary only observes Type A signature shares, it can only output a Type A forgery unless the DDH assumption is false in G. Then, we gradually move to a game where all partial signatures are progressively turned into Type B signature shares. Still, we argue that, unless the assumption is false in G,
the adversary's forgery will still be a Type A forgery. In the last game, the adversary only observes Type B signatures shares, which are generated without using the opening of the commitment Yet, it can be argued that the adversary cannot output a Type B
forgery if the DDH assumption holds in
At this point, in the last game, it is easy to show that a Type A forgery also contradicts the DDH assumption in
[70] We can prove that our proposed scheme provides adaptive security in the erasure-enabled model under the SXDH assumption. For any PPT adversary there exist
respectively.
[71] The implementations described herein may be implemented in, for example, a method or a process, an apparatus, a software program, a data stream, or a signal. Even if only discussed in the context of a single form of implementation (for example, discussed only as a method), the implementation of features discussed may also be implemented in other forms (for example, an apparatus or program). An apparatus may be implemented in, for example, appropriate hardware, software, and firmware. The methods may be implemented in, for example, an apparatus such as, for example, a processor, which refers to processing devices in general, including, for example, a computer, a microprocessor, an integrated circuit, or a programmable logic device. Processors also include communication devices, such as, for example, computers, cell phones, portable/personal digital assistants ("PDAs"), and other devices that facilitate communication of information between end-users.
[72] Reference to "one embodiment" or "an embodiment" or "one implementation" or "an implementation" of the present principles, as well as other variations thereof, mean that a particular feature, structure, characteristic, and so forth described in connection with the embodiment is included in at least one embodiment of the present principles. Thus, the appearances of the phrase "in one embodiment" or "in an embodiment" or "in one implementation" or "in an implementation", as well any other variations, appearing in various places throughout the specification are not necessarily all referring to the same embodiment.
[73] Additionally, this application or its claims may refer to "determining" various pieces of information. Determining the information may include one or more of, for example, estimating the information, calculating the information, predicting the information, or retrieving the information from memory.
[74] Further, this application or its claims may refer to "accessing" various pieces of information. Accessing the information may include one or more of, for example, receiving the information, retrieving the information (for example, from memory), storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
[75] Additionally, this application or its claims may refer to "receiving" various pieces of information. Receiving is, as with "accessing", intended to be a broad term. Receiving the information may include one or more of, for example, accessing the information, or retrieving the information (for example, from memory). Further, "receiving" is typically involved, in one way or another, during operations such as, for example, storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
[76] As will be evident to one of skill in the art, implementations may produce a variety of signals formatted to carry information that may be, for example, stored or transmitted. The information may include, for example, instructions for performing a method, or data produced by one of the described implementations. For example, a signal may be formatted to carry the bitstream of a described embodiment. Such a signal may be formatted, for example, as an electromagnetic wave (for example, using a radio frequency portion of spectrum) or as a baseband signal. The formatting may include, for example, encoding a data stream and modulating a carrier with the encoded data stream. The information that the signal carries may be, for example, analog or digital information. The signal may be transmitted over a variety of different wired or wireless links, as is known. The signal may be stored on a processor-readable medium.
Claims
1. A method for signing a message using threshold signatures, comprising:
accessing a plurality of linearly independent vectors, each vector including one or more of generators
determining a partial homomorphic signature on one of the plurality of linearly independent vectors, wherein the partial homomorphic signature is suitable for use in determining a public key;
determining a private key share responsive to a set of random polynomials; and determining a partial signature for the message responsive to the private key share, the partial signature, in combination with other partial signatures, suitable for generating a signature of the message, and the signature suitable for verification using the public key.
3. The method of claim 1, wherein the partial homomorphic signature is one of
4. The method of claim 1, wherein the partial signature is determined by a first signer, and wherein each of the other partial signatures is determined by a respective one of other signers, further comprising:
sending the partial signature and the partial homomorphic signature to the other signers.
5. The method of claim 1, further comprising:
determining a verification key responsive to the generators g, h and the set of random polynomials.
6. The method of claim 5, further comprising:
verifying the partial signature responsive to the verification key and the public key.
7. A method for verifying a signature of a message, comprising:
accessing the message, the signature, a public key and a verification key,
wherein the signature is generated from a plurality of partial signatures, each one of the plurality of partial signatures being generated responsive to a private key share, wherein the private key share is determined responsive to a set of random polynomials, and
wherein the public key is generated responsive to a partial homomorphic signature, the partial homomorphic signature being determined responsive to one of a plurality of linearly independent vectors, each vector including one or more of generators
verifying whether the signature is valid.
9. The method of claim 7, wherein the partial homomorphic signature for signer i is one of
10. The method of claim 7, wherein the verification key is generated responsive to the generators g, h and the set of random polynomials.
11. An apparatus for signing a message using threshold signatures, comprising: a signer (130, 140, 150) configured to
determine a partial homomorphic signature on one of the plurality of linearly independent vectors, wherein the partial homomorphic signature is suitable for use in determining a public key;
determine a private key share responsive to a set of random polynomials; and determine a partial signature for the message responsive to the private key share, the partial signature, in combination with other partial signatures, suitable for generating a signature of the message, and the signature suitable for verification using the public key.
13. The apparatus of claim 11, wherein the partial homomorphic signature is one of
14. The apparatus of claim 11, wherein the partial signature is determined by a first signer, and wherein each of the other partial signatures is determined by a respective one of other signers, and wherein the first signer is further configured to send the partial signature and the partial homomorphic signature to the other signers.
15. The apparatus of claim 11, wherein the signer is further configured to determine a verification key responsive to the generators g, h and the set of random polynomials.
16. The apparatus of claim 15, wherein the signer is further configured to verify the partial signature responsive to the verification key and the public key.
17. An apparatus for verifying a signature of a message, comprising: a verifier (170) configured to access the message, the signature, a public key and a verification key, wherein the signature is generated from a plurality of partial signatures, each one of the plurality of partial signatures being generated responsive to a private key share, wherein the private key share is determined responsive to a set of random polynomials, and wherein the public key is generated responsive to a partial homomorphic signature, the partial homomorphic signature being determined responsive to one of a plurality of linearly independent vectors, each vector including one or more of generators
verify whether the signature is valid.
19. The apparatus of claim 17, wherein the partial homomorphic signature for signer i is one of
20. The apparatus of claim 17, wherein the verification key is generated responsive to the generators g, h and the set of random polynomials.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201462055804P | 2014-09-26 | 2014-09-26 | |
US62/055,804 | 2014-09-26 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016049406A1 true WO2016049406A1 (en) | 2016-03-31 |
Family
ID=54256862
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2015/052129 WO2016049406A1 (en) | 2014-09-26 | 2015-09-25 | Method and apparatus for secure non-interactive threshold signatures |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2016049406A1 (en) |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10397003B2 (en) | 2017-02-10 | 2019-08-27 | International Business Machines Corporation | Signature scheme for homomorphic message encoding functions |
US10397002B2 (en) | 2017-02-10 | 2019-08-27 | International Business Machines Corporation | Signature scheme for homomorphic message encoding functions |
EP3379767A1 (en) * | 2017-03-24 | 2018-09-26 | Hewlett-Packard Development Company, L.P. | Distributed authentication |
US10771444B2 (en) | 2017-03-24 | 2020-09-08 | Hewlett-Packard Development Company, L.P. | Distributed authentication |
US11870894B2 (en) | 2017-06-26 | 2024-01-09 | Nchain Licensing Ag | Controlled cryptographic private key release |
US11329807B2 (en) | 2017-06-26 | 2022-05-10 | Nchain Licensing Ag | Controlled cryptographic private key release |
CN110999207B (en) * | 2017-08-15 | 2024-05-31 | 区块链控股有限公司 | Computer-implemented method of generating a threshold library |
CN110999207A (en) * | 2017-08-15 | 2020-04-10 | 区块链控股有限公司 | Computer-implemented method of generating a threshold library |
JP2020532928A (en) * | 2017-09-05 | 2020-11-12 | 深▲せん▼奥聯信息安全技術有限公司Shenzhen Olym Information Security Techology Co.,Ltd. | Digital signature methods, devices and systems |
JP7105308B2 (en) | 2017-09-05 | 2022-07-22 | 深▲せん▼奥聯信息安全技術有限公司 | Digital signature method, device and system |
CN111480315A (en) * | 2017-12-15 | 2020-07-31 | 区块链控股有限公司 | Computer-implemented system and method for authorizing blockchain transactions using low-entropy ciphers |
JP2021516902A (en) * | 2018-03-09 | 2021-07-08 | エヌチェーン ホールディングス リミテッドNchain Holdings Limited | Methods and systems for controlling access and integrity of resources on the blockchain |
JP7275155B2 (en) | 2018-03-09 | 2023-05-17 | エヌチェーン ライセンシング アーゲー | Methods and systems for controlling access and integrity to resources on blockchain |
EP4152683A1 (en) * | 2018-04-05 | 2023-03-22 | nChain Licensing AG | Computer implemented method and system for transferring access to a digital asset |
EP4340295A3 (en) * | 2018-04-05 | 2024-05-01 | nChain Licensing AG | Computer implemented method and system for transferring access to a digital asset |
US11641283B2 (en) | 2018-04-05 | 2023-05-02 | Nchain Licensing Ag | Computer implemented method and system for transferring access to a digital asset |
WO2019193452A1 (en) * | 2018-04-05 | 2019-10-10 | nChain Holdings Limited | Computer implemented method and system for transferring access to a digital asset |
US11979507B2 (en) | 2018-04-05 | 2024-05-07 | Nchain Licensing Ag | Computer implemented method and system for transferring access to a digital asset |
US11316668B2 (en) | 2018-11-16 | 2022-04-26 | Safetech Bv | Methods and systems for cryptographic private key management for secure multiparty storage and transfer of information |
US11063769B2 (en) | 2018-12-21 | 2021-07-13 | Advanced New Technologies Co., Ltd. | Blockchain data protection based on generic account model and homomorphic encryption |
JP2020515885A (en) * | 2018-12-21 | 2020-05-28 | アリババ・グループ・ホールディング・リミテッドAlibaba Group Holding Limited | Blockchain data protection based on universal account model and homomorphic encryption |
EP4097914A4 (en) * | 2020-01-31 | 2024-02-21 | Visa International Service Association | Distributed symmetric encryption |
CN111342976A (en) * | 2020-03-04 | 2020-06-26 | 中国人民武装警察部队工程大学 | Verifiable ideal lattice upper threshold proxy re-encryption method and system |
CN111342976B (en) * | 2020-03-04 | 2023-06-30 | 中国人民武装警察部队工程大学 | Verifiable ideal on-grid threshold proxy re-encryption method and system |
CN117455488A (en) * | 2023-11-13 | 2024-01-26 | 电子科技大学 | Threshold supervision method for privacy protection cryptocurrency |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2016049406A1 (en) | Method and apparatus for secure non-interactive threshold signatures | |
Castagnos et al. | Bandwidth-efficient threshold EC-DSA | |
US11722305B2 (en) | Password based threshold token generation | |
Ling et al. | Group signatures from lattices: simpler, tighter, shorter, ring-based | |
Libert et al. | Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares | |
Chang et al. | A secure single sign-on mechanism for distributed computer networks | |
Jonsson et al. | On the security of RSA encryption in TLS | |
US9356783B2 (en) | Method for ciphering and deciphering, corresponding electronic device and computer program product | |
US20170061833A1 (en) | Method for ciphering and deciphering digital data, based on an identity, in a multi-authorities context | |
Vergnaud | RSA-based secret handshakes | |
Blazy et al. | Short blind signatures | |
TWI455555B (en) | Authentication device, authentication method, and program | |
Li et al. | Signcryption from randomness recoverable public key encryption | |
US20110064216A1 (en) | Cryptographic message signature method having strengthened security, signature verification method, and corresponding devices and computer program products | |
Ki et al. | Constructing Strong Identity‐Based Designated Verifier Signatures with Self‐Unverifiability | |
Shen et al. | Identity-based authenticated encryption with identity confidentiality | |
CN108964906B (en) | Digital signature method for cooperation with ECC | |
Yang et al. | Efficient certificateless encryption withstanding attacks from malicious KGC without using random oracles | |
Mu et al. | Compact sequential aggregate signatures | |
Wang et al. | A secure ring signcryption scheme for private and anonymous communication | |
Krzywiecki et al. | Deniable key establishment resistance against eKCI attacks | |
Tseng et al. | Enhancement on strongly secure group key agreement | |
Zhang et al. | A novel authenticated encryption scheme and its extension | |
Zhu et al. | A secure non-interactive chaotic maps-based deniable authentication scheme with privacy protection in standard model | |
Rastaghi | Cryptanalysis and Improvement of Akleylek et al.'s cryptosystem |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 15775573 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 15775573 Country of ref document: EP Kind code of ref document: A1 |