WO2016049406A1 - Method and apparatus for secure non-interactive threshold signatures - Google Patents

Method and apparatus for secure non-interactive threshold signatures

Info

Publication number
WO2016049406A1
WO2016049406A1 (PCT/US2015/052129)
Authority
WO
WIPO (PCT)
Prior art keywords
signature
partial
signatures
key
responsive
Prior art date
Application number
PCT/US2015/052129
Other languages
French (fr)
Inventor
Marc Joye
Benoit Libert
Original Assignee
Technicolor Usa, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Technicolor Usa, Inc.
Publication of WO2016049406A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L 9/3255: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures

Definitions

  • This invention relates to a method and an apparatus for cryptography, and more particularly, to a method and an apparatus for secure non-interactive threshold signatures.
  • in threshold signatures, the private key is shared among n players in such a way that at least t out of these n players have to contribute to each signature generation.
  • most existing threshold signature schemes either require interaction among the players during the signing process or only provide security against static corruptions.
  • Gap-Diffie-Hellman-Group Signature Scheme in Public-Key Cryptography - PKC 2003, LNCS 2567, pp. 31-46, Springer, 2003, or in an article by H. Wee, entitled “Threshold and Revocation Cryptosystems via Extractable Hash Proofs,” in Advances in Cryptology - Eurocrypt 2011, LNCS 6632, pp. 589-609, Springer, 2011 are only known to resist static adversaries, who have to choose which players they want to corrupt before even seeing the public key.
  • Adaptively secure threshold signatures can be obtained from distributed RSA (Rivest, Shamir, and Adleman) signatures, which are deterministic and thus potentially easier to thresholdize in the non-interactive setting: indeed, threshold RSA signatures do not require the players to jointly generate a randomized signature component in a first round before starting a second round.
  • distributed RSA (Rivest, Shamir, and Adleman)
  • the constructions of adaptively secure threshold signatures may rely on a technique, called “single inconsistent player” (SIP) technique, which inherently requires interaction.
  • SIP single inconsistent player
  • the SIP technique basically consists in converting a t-out-of-n secret sharing into an n-out-of-n secret sharing in such a way that, in the latter case, there is only one player whose internal state cannot consistently be revealed to the adversary. Since this player is chosen at random by the simulator among the n players, it is only corrupted with probability at most 1/2 and, when this undesirable event occurs, the simulator can simply rewind the adversary back to one of its previous states. After this backtracking operation, the simulator uses different random coins to simulate the view of the adversary, hoping that the inconsistent player will not be corrupted again.
  • threshold RSA signatures: a variant of Rabin's threshold RSA signatures is proved to be adaptively secure using the SIP technique. While the SIP technique does provide adaptively secure threshold RSA signatures, it may fall short of minimizing the amount of interaction.
  • the constructions of threshold RSA signatures can proceed by turning a (t,n) polynomial secret sharing into a (t, t) additive secret sharing by first selecting a pool of at least t participants. However, if only one of these fails to provide a valid contribution to the signing process, the whole protocol must be restarted from scratch.
  • the protocol of threshold RSA signatures can also proceed by sharing an RSA private key in an additive (n, n) fashion (i.e., the private RSA exponent d is split into shares d_1, ..., d_n such that d = d_1 + ⋯ + d_n). In turn, each additive share d_i is shared in a (t, n) fashion.
  • the present principles provide a method for signing a message using threshold signatures, comprising: accessing a plurality of linearly independent vectors, each vector including one or more of generators g, h, g̃, h̃, X and Y; determining a partial homomorphic signature on one of the plurality of linearly independent vectors, wherein the partial homomorphic signature is suitable for use in determining a public key; determining a private key share responsive to a set of random polynomials; and determining a partial signature for the message responsive to the private key share, the partial signature, in combination with other partial signatures, suitable for generating a signature of the message, and the signature suitable for verification using the public key.
  • the present principles also provide an apparatus for performing these steps.
  • the present principles also provide a computer readable storage medium having stored thereon instructions for signing a message using threshold signatures according to the methods described above.
  • the present principles also provide a method for verifying a signature of a message, comprising: accessing the message, the signature, a public key and a verification key, wherein the signature is generated from a plurality of partial signatures, each one of the plurality of partial signatures being generated responsive to a private key share, wherein the private key share is determined responsive to a set of random polynomials, and wherein the public key is generated responsive to a partial homomorphic signature, the partial homomorphic signature being determined responsive to one of a plurality of linearly independent vectors, each vector including one or more of generators g, h, g̃, h̃, X and Y; and verifying whether the signature is valid.
  • the present principles also provide an apparatus for performing these steps.
  • the present principles also provide a computer readable storage medium having stored thereon instructions for verifying a signature of a message according to the methods described above.
  • FIG. 1 depicts a block diagram of an exemplary threshold signature system, in accordance with an embodiment of the present principles.
  • FIG. 2 is a flow diagram depicting an exemplary threshold signature scheme, in accordance with an embodiment of the present principles.
  • FIG. 3 is a flow diagram depicting an exemplary method for generating the public key, private key shares and verification key, in accordance with an embodiment of the present principles.
  • FIG. 4 is a block diagram depicting an exemplary system where threshold signatures can be used, in accordance with an embodiment of the present principles.
  • a non-interactive (t, n)-threshold signature scheme consists of a tuple (Dist-Keygen, Share-Sign, Share-Verify, Verify, Combine) of efficient algorithms or protocols.
  • Dist-Keygen(params, λ, t, n): this is a protocol involving n players P_1, ..., P_n, which all take as input common public parameters params, a security parameter λ, as well as a pair of integers t, n ∈ poly(λ) with t ≤ n, where poly(λ) means that t and n are polynomial in λ. The outcome of the protocol is the generation of a public key PK, a vector of private key shares SK = (SK_1, ..., SK_n), where only P_i obtains SK_i for each i ∈ {1, ..., n}, and a public vector of verification keys VK = (VK_1, ..., VK_n).
  • Share-Sign(M, SK_i) is a possibly randomized algorithm that takes in a message M and a private key share SK_i. It outputs a signature share σ_i.
  • Share-Verify(M, PK, VK, (i, σ_i)) is a deterministic algorithm that takes as input a message M, the public key PK, the verification key VK and a pair (i, σ_i) consisting of an index i ∈ {1, ..., n} and a signature share σ_i. It outputs 1 or 0 depending on whether σ_i is deemed a valid signature share or not.
  • Combine(PK, M, {(i, σ_i)}_{i ∈ S}) takes as input a public key PK, a message M and a subset S ⊂ {1, ..., n} of size |S| = t with pairs (i, σ_i), where i ∈ S and σ_i is a signature share. This algorithm outputs either a full signature σ, or ⊥ if {(i, σ_i)}_{i ∈ S} contains ill-formed partial signatures.
  • Verify(M, PK, σ) is a deterministic algorithm that takes as input a message M, the public key PK and a signature σ. It outputs 1 or 0 depending on whether σ is deemed a valid signature or not.
  • FIG. 1 depicts a block diagram of an exemplary threshold signature system according to an embodiment of the present principles, which includes key generator 110, broadcast channel 120, players P 1 , ... , P n (130, 140, 150), combiner 160 and verifier 170.
  • Private key share SK i is distributed to player P i via broadcast channel 120.
  • the verification key and public key are also distributed to the players, combiner and verifier via broadcast channel 120.
  • each player may define its private key share and the verification key for its signature share.
  • a player in the threshold signature scheme may correspond to a device (for example, a computer, a tablet, a mobile phone) or a software application (for example, a web browser that supports secure communication).
  • Player P_i (130, 140, 150) takes in message M and private key share SK_i, and outputs signature share σ_i. Any player P_i (130, 140, 150), the combiner (160) or the verifier (170) may also verify whether signature share σ_i is a valid signature share or not.
  • Combiner 160 takes as input public key PK, message M and t signature shares, and outputs either a full signature σ, or ⊥ if some signature shares are ill-formed.
  • Verifier 170 takes as input message M, public key PK and signature σ, and verifies whether σ is a valid signature or not.
  • non-interactive threshold signatures can be defined as follows. Definition 1. A non-interactive threshold signature scheme is adaptively secure against chosen-message attacks if no PPT adversary has non-negligible advantage in the game hereunder. At any time, we denote by
  • the challenger plays the role of honest players P i and the adversary is allowed to corrupt
  • the challenger sets and returns the internal state of P i . Moreover, is allowed to act on behalf
  • the protocol ends with the generation of a public key PK, a vector of private key shares and the corresponding verification keys
  • Signing query For any can also submit a pair (i, M) and ask for a
  • the private key is while the public key consists of
  • the present principles are directed to devise a new construction of threshold signatures in the standard model which is as efficient as the PF140044 reference from a computational standpoint and in terms of signature and private storage.
  • the public key should be jointly generated by all players while guaranteeing the security of the scheme against an adaptive adversary.
  • the key generation phase should be as communication-efficient as possible. Ideally, a single communication round should be needed when the players follow the protocol.
  • the present principles attempt to avoid interaction during the distributed signing process: each player should only send a single message to the combiner without having to interact with other players at any time.
  • the construction is a variant of a signature scheme described in an article by C. Jutla and A. Roy, entitled “Shorter Quasi- Adaptive NIZK Proofs for Linear Subspaces," in Advances in Cryptology - Asiacrypt 2013, LNCS 8269, pp.
  • the Jutla reference teaches signing messages by encrypting a secret value, which is part of the private key, using the message as a label.
  • the signature also contains a NIZK (Non-Interactive Zero- Knowledge) proof that the ciphertext encrypts a persistent hidden value.
  • NIZK proof is a quasi-adaptive NIZK proof generated for an affine subspace, where the verifier only uses a portion of the CRS (Common Reference String) that does not depend on the statement. In its centralized (i.e.
  • NIZK proof In the security proof, we use a sequence of hybrid games where we gradually move to a game where all signatures contain encryptions of random group elements (instead of an opening of the Pedersen commitment).
  • FIG. 2 illustrates a flowchart for an exemplary threshold signature scheme 200 according to an embodiment of the present principles.
  • it generates the public key, verification key, and private key shares.
  • partial signatures are created based on private key shares for a message.
  • it verifies if individual partial signatures are valid.
  • valid partial signatures are combined to generate a signature.
  • it verifies whether the signature generated at step 240 is valid or not. In the present application, these steps are also denoted as Dist-Keygen, Share-Sign, Share-Verify, Combine and Verify, respectively.
  • FIG. 3 illustrates an exemplary method 300 for generating the public key, private key shares and verification key.
  • Method 300 starts at step 310.
  • it performs initialization, for example, determining public parameters params, security parameter λ and integers t, n.
  • Each player P_i does the following: a. At step 320, choose a set of random (t−1)-degree polynomials over
  • step 330 generate a partial homomorphic signature on the linearly independent vectors
  • player P verifies that
  • Phase 4 The public key PK may be obtained at step 360 as
  • the public key may also be obtained as
  • step 330 may be performed before step 325, and/or step 390 may be performed before step 380.
  • step 380: In order to create a partial signature on a message using his private key share SK_i, player P_i chooses and
  • the random coins are erased from the memory such that an attacker cannot access
  • FIG. 4 depicts an exemplary system 400 wherein threshold signatures can be used according to an embodiment of the present principles.
  • Multiple devices may be connected through a network 490, for example, through Internet or mobile network.
  • the devices (410, 420, 430) may receive a message through input devices, for example, a keyboard, touchscreen or voice/video input.
  • the devices communicate with each other to generate private key shares, public key and verification key.
  • the keys may then be stored in the memory of devices.
  • the players generate partial signatures, which may then be combined to generate a signature.
  • the device used to combine the partial signatures can be the same as the device that acts as the player.
  • Another device 440 acts as a verifier.
  • FIG. 4 we show that there are multiple devices in the system. In different variations, there may be a different number of devices in the system.
  • the threshold signature scheme according to the present principles can be used, for example, but not limited to, in a large bank transaction, a certification authority, a bitcoin ecosystem, routing in a wireless or ad hoc network, or other places where secure
  • Key generator 110 may be a computer employed by the bank
  • Broadcast channel 120 may be internet or wireless network
  • Players (130, 140, 150) may be computers employed by the bank, or computers employed by the organization/group who performs the bank transaction with the bank
  • Combiner 160 may be another computer employed by the bank, or the same computer used as Key generator
  • Verifier 170 may be yet another computer employed by the bank, or the same computer used as Key generator/Combiner. All computers employed by the bank may be operated by a third party who provides security service to the bank.
  • the different computers in the system may run a web browser or a software module to collectively perform the threshold signature scheme.
  • the implementations described herein may be implemented in, for example, a method or a process, an apparatus, a software program, a data stream, or a signal. Even if only discussed in the context of a single form of implementation (for example, discussed only as a method), the implementation of features discussed may also be implemented in other forms (for example, an apparatus or program).
  • An apparatus may be implemented in, for example, appropriate hardware, software, and firmware.
  • the methods may be implemented in, for example, an apparatus such as, for example, a processor, which refers to processing devices in general, including, for example, a computer, a microprocessor, an integrated circuit, or a programmable logic device. Processors also include communication devices, such as, for example, computers, cell phones, portable/personal digital assistants ("PDAs”), and other devices that facilitate communication of information between end-users.
  • PDAs portable/personal digital assistants
  • the appearances of the phrase “in one embodiment” or “in an embodiment” or “in one implementation” or “in an implementation”, as well any other variations, appearing in various places throughout the specification are not necessarily all referring to the same embodiment.
  • Determining the information may include one or more of, for example, estimating the information, calculating the information, predicting the information, or retrieving the information from memory.
  • Accessing the information may include one or more of, for example, receiving the information, retrieving the information (for example, from memory), storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
  • this application or its claims may refer to "receiving" various pieces of information. Receiving is, as with "accessing", intended to be a broad term. Receiving the information may include one or more of, for example, accessing the information, or retrieving the information (for example, from memory).
  • receiving is typically involved, in one way or another, during operations such as, for example, storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
  • implementations may produce a variety of signals formatted to carry information that may be, for example, stored or transmitted.
  • the information may include, for example, instructions for performing a method, or data produced by one of the described implementations.
  • a signal may be formatted to carry the bitstream of a described embodiment.
  • Such a signal may be formatted, for example, as an electromagnetic wave (for example, using a radio frequency portion of spectrum) or as a baseband signal.
  • the formatting may include, for example, encoding a data stream and modulating a carrier with the encoded data stream.
  • the information that the signal carries may be, for example, analog or digital information.
  • the signal may be transmitted over a variety of different wired or wireless links, as is known.
  • the signal may be stored on a processor-readable medium.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The present principles provide a threshold signature scheme. Considering n players, given asymmetric bilinear groups (G, Ĝ, G_T) with generators g, h, g̃, h̃, X, Y ∈_R G and g̃_z, g̃_r ∈_R Ĝ, each player chooses a set of random (t−1)-degree polynomials and generates a set of partial homomorphic signatures on several linearly independent vectors. The public key PK may be obtained based on the set of polynomials and the partial homomorphic signatures of the n players. The private key share and verification key for a player can be defined based on the set of polynomials. The signature for the message can be obtained from t partial signatures, wherein each partial signature can be generated based on the player's private key share and some random variables. Whether a partial signature is valid can be determined based on the public key PK and the verification key. Whether the signature for the message is valid can be determined based on the public key PK.

Description

Method and Apparatus for Secure Non-Interactive Threshold Signatures
TECHNICAL FIELD
[1] This invention relates to a method and an apparatus for cryptography, and more particularly, to a method and an apparatus for secure non-interactive threshold signatures.
BACKGROUND
[2] In threshold signatures, the private key is shared among n players in such a way that at least t out of these n players have to contribute to each signature generation. Until recently, most existing threshold signature schemes either require interaction among the players during the signing process or only provide security against static corruptions.
Currently known fully non-interactive adaptively secure constructions suffer from certain shortcomings. For example, the solutions proposed in an article by A. Boldyreva, entitled "Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme," in Public-Key Cryptography - PKC 2003, LNCS 2567, pp. 31-46, Springer, 2003, or in an article by H. Wee, entitled "Threshold and Revocation Cryptosystems via Extractable Hash Proofs," in Advances in Cryptology - Eurocrypt 2011, LNCS 6632, pp. 589-609, Springer, 2011 are only known to resist static adversaries, who have to choose which players they want to corrupt before even seeing the public key.
[3] Adaptively secure threshold signatures can be obtained from distributed RSA (Rivest, Shamir, and Adleman) signatures, which are deterministic and thus potentially easier to thresholdize in the non-interactive setting: indeed, threshold RSA signatures do not require the players to jointly generate a randomized signature component in a first round before starting a second round.
[4] The constructions of adaptively secure threshold signatures may rely on a technique, called "single inconsistent player" (SIP) technique, which inherently requires interaction. The SIP technique basically consists in converting a t-out-of-n secret sharing into an n-out-of-n secret sharing in such a way that, in the latter case, there is only one player whose internal state cannot consistently be revealed to the adversary. Since this player is chosen at random by the simulator among the n players, it is only corrupted with probability at most 1/2 and, when this undesirable event occurs, the simulator can simply rewind the adversary back to one of its previous states. After this backtracking operation, the simulator uses different random coins to simulate the view of the adversary, hoping that the inconsistent player will not be corrupted again.
[5] A variant of Rabin's threshold RSA signatures is proved to be adaptively secure using the SIP technique. While the SIP technique does provide adaptively secure threshold RSA signatures, it may fall short of minimizing the amount of interaction. The constructions of threshold RSA signatures can proceed by turning a (t, n) polynomial secret sharing into a (t, t) additive secret sharing by first selecting a pool of at least t participants. However, if only one of these fails to provide a valid contribution to the signing process, the whole protocol must be restarted from scratch.
[6] The protocol of threshold RSA signatures can also proceed by sharing an RSA private key in an additive (n, n) fashion (i.e., the private RSA exponent d is split into shares d_1, ..., d_n such that d = d_1 + ⋯ + d_n). In turn, each additive share d_i is shared in a (t, n) fashion using a polynomial verifiable secret sharing and each share d_{i,j} of d_i is distributed to another player j. This is done in such a way that, if one participant fails to provide a valid RSA signature share H(M)^{d_i}, the missing signature share can be reconstructed by running the reconstruction algorithm of the verifiable secret sharing scheme that was used to share d_i. The first drawback of this approach is that it is only non-interactive when all players are honest: if even only one additive signature share H(M)^{d_i} is missing, the remaining participants have to conduct a second round of interaction to reconstruct the missing signature shares H(M)^{d_i}. Another drawback of this approach is that each player has to store O(n) values, where n is the number of players (as each player has to store a polynomial share of other players' additive share). Ideally, we would like a solution where each player only stores O(1) elements, regardless of the number of players.
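The additive-plus-polynomial approach of paragraphs [5] and [6] (split d additively, back each additive share up with a (t, n) polynomial sharing, sign with H(M)^{d_i}, and fall back to a reconstruction round when a share is missing), as an added worked example in Python. This is not the patent's scheme and not code from the patent: it uses a textbook-sized RSA modulus 61·53, SHA-256 reduced modulo N as H(M), a trusted dealer standing in for Dist-Keygen, and a fixed RNG seed, all of which are assumptions made here for illustration. The function names share_sign, threshold_sign and verify only echo the Share-Sign/Combine/Verify names used later on this page.

```python
"""Toy threshold RSA in the style of Background paragraphs [5]/[6].

Added example, not from the patent.  Assumptions: toy RSA modulus, SHA-256
mod N as H(M), trusted dealer instead of distributed key generation, fixed seed.
"""
import hashlib
import random

# Toy RSA key, far too small for real use: N = 61 * 53 (assumption).
P_RSA, Q_RSA = 61, 53
N = P_RSA * Q_RSA                 # 3233
PHI = (P_RSA - 1) * (Q_RSA - 1)   # 3120
E = 17
D = pow(E, -1, PHI)               # 2753

# Prime field for the Shamir backups.  It exceeds phi(N), so an additive share
# d_i (an integer below phi(N)) is recovered exactly by interpolation.
FIELD = (1 << 61) - 1


def hash_to_group(msg: bytes) -> int:
    """H(M): SHA-256 of the message reduced modulo N (toy choice)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def shamir_share(secret: int, t: int, n: int, rng: random.Random) -> dict:
    """(t, n) polynomial sharing over FIELD: returns {player j: f(j)}."""
    coeffs = [secret] + [rng.randrange(FIELD) for _ in range(t - 1)]
    return {j: sum(c * pow(j, k, FIELD) for k, c in enumerate(coeffs)) % FIELD
            for j in range(1, n + 1)}


def shamir_reconstruct(shares: dict) -> int:
    """Lagrange interpolation at 0 from at least t shares {j: f(j)}."""
    secret = 0
    for j, y in shares.items():
        num = den = 1
        for k in shares:
            if k != j:
                num = num * (-k) % FIELD
                den = den * (j - k) % FIELD
        secret = (secret + y * num * pow(den, -1, FIELD)) % FIELD
    return secret


def deal(t: int, n: int, rng: random.Random) -> dict:
    """Trusted-dealer stand-in for Dist-Keygen: additive (n, n) split of d,
    then a (t, n) Shamir backup of every additive share d_i."""
    adds = [rng.randrange(PHI) for _ in range(n - 1)]
    adds.append((D - sum(adds)) % PHI)          # d_1 + ... + d_n = d (mod phi)
    backups = {i: shamir_share(adds[i - 1], t, n, rng) for i in range(1, n + 1)}
    # Player j keeps its own d_j plus one backup share d_{i,j} for every i:
    # the O(n) per-player storage paragraph [6] complains about.
    return {j: {"d": adds[j - 1],
                "backup": {i: backups[i][j] for i in range(1, n + 1)}}
            for j in range(1, n + 1)}


def make_state(t: int, n: int, seed: int) -> dict:
    """Reproducible dealing for demos and tests."""
    return deal(t, n, random.Random(seed))


def share_sign(h: int, d_i: int) -> int:
    """Signature share on H(M): H(M)^{d_i} mod N."""
    return pow(h, d_i, N)


def verify(msg: bytes, sig: int) -> bool:
    """Ordinary RSA verification of the combined signature."""
    return pow(sig, E, N) == hash_to_group(msg)


def threshold_sign(msg: bytes, state: dict, online: set, t: int):
    """Multiply the online players' shares; if anyone is absent, spend a second
    round reconstructing their d_i from t backup shares.  Returns (sig, rounds)."""
    h = hash_to_group(msg)
    n = len(state)
    parts = {i: share_sign(h, state[i]["d"]) for i in online}
    missing = [i for i in range(1, n + 1) if i not in online]
    rounds = 1
    if missing:
        if len(online) < t:
            raise ValueError("fewer than t players online; cannot reconstruct")
        rounds = 2                              # the extra interaction round
        helpers = sorted(online)[:t]
        for i in missing:
            d_i = shamir_reconstruct({j: state[j]["backup"][i] for j in helpers})
            parts[i] = share_sign(h, d_i)      # d_i is now exposed to the helpers
    sig = 1
    for part in parts.values():
        sig = sig * part % N
    return sig, rounds


if __name__ == "__main__":
    st = make_state(t=3, n=5, seed=2016)
    m = b"constructed sample message"
    print(threshold_sign(m, st, {1, 2, 3, 4, 5}, 3))   # all present: 1 round
    print(threshold_sign(m, st, {1, 2, 4}, 3))         # two absent: 2 rounds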
[7] An adaptively secure threshold variant of Waters signatures using groups of composite order is suggested in an article by B. Libert and M. Yung, entitled "Adaptively Secure Non-Interactive Threshold Cryptosystems," Theoretical Computer Science, vol. 478, pp. 76-100, March 2013. Extended abstract in ICALP 2011, LNCS 6756, pp. 588-600, Springer, 2011. The use of composite order groups makes the scheme very expensive when it comes to verify signatures: computing a bilinear map in composite order groups is at least 50 times slower than evaluating the same bilinear map in prime order groups at the 80-bit security level (things can only get worse at higher security levels). In the resulting construction, each signature consists of 6 group elements. The use of asymmetric bilinear maps allows reducing the signature size to 4 group elements.
[8] A commonly owned EP patent application, titled "Round-Optimal Adaptively Secure Threshold Signatures in the Standard Model" by M. Joye and B. Libert (EP Patent Application No. 14305175.3, Attorney Docket No. PF140044, hereinafter "PF140044"), the teachings of which are specifically incorporated herein by reference, discloses round-optimal adaptively secure non-interactive threshold signatures in the standard model. The scheme was shown to remain secure when used in combination with Pedersen's distributed key generation protocol, and may be currently the most efficient adaptively secure non-interactive threshold signature in the standard model. However, it requires common public parameters (possibly shared by several distributed signers) comprising O(λ) group elements, where λ is the security parameter.
SUMMARY
[9] The present principles provide a method for signing a message using threshold signatures, comprising: accessing a plurality of linearly independent vectors, each vector including one or more of generators g, h, g̃, h̃, X and Y; determining a partial homomorphic signature on one of the plurality of linearly independent vectors, wherein the partial homomorphic signature is suitable for use in determining a public key; determining a private key share responsive to a set of random polynomials; and determining a partial signature for the message responsive to the private key share, the partial signature, in combination with other partial signatures, suitable for generating a signature of the message, and the signature suitable for verification using the public key. The present principles also provide an apparatus for performing these steps.
[10] The present principles also provide a computer readable storage medium having stored thereon instructions for signing a message using threshold signatures according to the methods described above.
[11] The present principles also provide a method for verifying a signature of a message, comprising: accessing the message, the signature, a public key and a verification key, wherein the signature is generated from a plurality of partial signatures, each one of the plurality of partial signatures being generated responsive to a private key share, wherein the private key share is determined responsive to a set of random polynomials, and wherein the public key is generated responsive to a partial homomorphic signature, the partial homomorphic signature being determined responsive to one of a plurality of linearly independent vectors, each vector including one or more of generators g, h, g̃, h̃, X and Y; and verifying whether the signature is valid. The present principles also provide an apparatus for performing these steps.
[12] The present principles also provide a computer readable storage medium having stored thereon instructions for verifying a signature of a message according to the methods described above.
BRIEF DESCRIPTION OF THE DRAWINGS
[13] FIG. 1 depicts a block diagram of an exemplary threshold signature system, in accordance with an embodiment of the present principles.
[14] FIG. 2 is a flow diagram depicting an exemplary threshold signature scheme, in accordance with an embodiment of the present principles.
[15] FIG. 3 is a flow diagram depicting an exemplary method for generating the public key, private key shares and verification key, in accordance with an embodiment of the present principles.
[16] FIG. 4 is a block diagram depicting an exemplary system where threshold signatures can be used, in accordance with an embodiment of the present principles.
DETAILED DESCRIPTION
[17] In the present application, we use the terms "player" and "signer" interchangeably, and use the terms "partial signature" and "signature share" interchangeably. TABLE 1 summarizes some abbreviations used in the present application.
TABLE 1: abbreviations (table not reproduced)
[18] Definitions for Threshold Signatures
[19] A non- interactive (t, n) -threshold signature scheme consists of a tuple
Figure imgf000007_0001
(Dist-Keygen, Share-Sign, Share-Verify, Verify, Combine) of efficient algorithms or protocols.
[20] Dist-Keygen(para ms, λ, t, n): This is an protocol involving n players P1, ... , Pn, which all take as input common public parameters pa ra ms, a security parameter
Figure imgf000007_0002
as well as a pair of integers such that where ρο^ means that t
Figure imgf000007_0008
Figure imgf000007_0003
Figure imgf000007_0004
and n are polynomial in
Figure imgf000007_0021
The outcome of the protocol is the generation of a public key PK, a vector of private key shares where only obtains for
Figure imgf000007_0007
Figure imgf000007_0019
Figure imgf000007_0020
each and a public vector of verification keys
Figure imgf000007_0005
[21]
Figure imgf000007_0013
is a possibly randomized algorithm that takes in a message M and a private key share SKi. It outputs a signature share
Figure imgf000007_0018
[22] Share-Verify(M, PK, VK, (i, σi)) is a deterministic algorithm that takes as input a message M, the public key PK, the verification key VK and a pair (i, σi) consisting of an index i and a signature share σi. It outputs 1 or 0 depending on whether σi is deemed a valid signature share or not.
[23] Combine(PK, M, {(i, σi)}) takes as input a public key PK, a message M and a subset of pairs (i, σi), where i is an index and σi is a signature share. This algorithm outputs either a full signature σ or ⊥ if the subset contains ill-formed partial signatures.
[24] Verify(M, PK, σ) is a deterministic algorithm that takes as input a message M, the public key PK and a signature σ. It outputs 1 or 0 depending on whether σ is deemed a valid signature or not.
[25] We use the same communication model as in, e.g., an article by R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, entitled "Secure Distributed Key Generation for Discrete-Log Based Cryptosystems," in Advances in Cryptology - Eurocrypt'99, LNCS 1592, pp. 295-310, Springer, 1999. Namely, all players have access to a public broadcast channel, which the adversary can use as a sender and a receiver. However, the adversary cannot modify messages sent over this channel, nor prevent their delivery. In addition, we assume private and authenticated channels between all pairs of players.
[26] FIG. 1 depicts a block diagram of an exemplary threshold signature system according to an embodiment of the present principles, which includes key generator 110, broadcast channel 120, players P1, ..., Pn (130, 140, 150), combiner 160 and verifier 170. Key generator 110 takes security parameter λ, public parameters params and integers (t, n) as input, and outputs a public key PK, a vector of private key shares SK = (SK1, ..., SKn) and a vector of verification keys VK = (VK1, ..., VKn). Private key share SKi is delivered to player Pi over channel 120; since only Pi may learn SKi, this delivery has to use the private authenticated channel of the communication model above rather than the public broadcast. The verification key and public key are also distributed to the players, combiner and verifier via broadcast channel 120. Alternatively, each player may define its private key share and the verification key for its signature share. A player in the threshold signature scheme may correspond to a device (for example, a computer, a tablet, a mobile phone) or a software application (for example, a web browser that supports secure communication).
[27] Player Pi (130, 140, 150) takes in message M and private key share SKi, and outputs signature share σi. Any player Pi (130, 140, 150), the combiner (160) or the verifier (170) may also verify whether signature share σi is a valid signature share or not. Combiner 160 takes as input public key PK, message M and t signature shares, and outputs either a full signature σ or ⊥ if some signature shares are ill-formed. Verifier 170 takes as input message M, public key PK and signature σ, and verifies whether σ is a valid signature or not.
[28] In the adaptive corruption setting, the security of non-interactive threshold signatures can be defined as follows.
[29] Definition 1. A non-interactive threshold signature scheme (Dist-Keygen, Share-Sign, Share-Verify, Verify, Combine) is adaptively secure against chosen-message attacks if no PPT adversary has non-negligible advantage in the game hereunder. At any time, we keep track of the dynamically evolving subsets of corrupted and honest players, respectively. Initially, no player is corrupted.
[30] 1. The game begins with an execution of Dist-Keygen(params, λ, t, n), during which the challenger plays the role of the honest players and the adversary is allowed to corrupt players at any time. When the adversary chooses to corrupt player Pi, the challenger moves Pi from the honest subset to the corrupted subset and returns the internal state of Pi. Moreover, the adversary is allowed to act on behalf of Pi from this point forward. The protocol ends with the generation of a public key PK, a vector of private key shares SK = (SK1, ..., SKn) and the corresponding verification keys VK = (VK1, ..., VKn). At the end of this phase, the public key PK and the verification keys VK are available to the adversary.
[31] 2. On polynomially many occasions, the adversary adaptively interleaves two kinds of queries.
Corruption query: At any time, the adversary can choose to corrupt a player. To this end, it chooses the index i of a still-honest player, and the challenger returns SKi before moving Pi from the honest subset to the corrupted subset.
Signing query: For any honest player Pi, the adversary can also submit a pair (i, M) and ask for a signature share on an arbitrary message M on behalf of player Pi. The challenger responds by computing and returning σi = Share-Sign(M, SKi).
[32] 3. The adversary outputs a message M* and a signature σ*. The adversary wins if the following conditions hold: (i) it did not obtain any partial signature on M* through a signing query, (ii) fewer than t players were corrupted over the whole game, and (iii) Verify(M*, PK, σ*) = 1.
[33] The adversary's advantage is defined as its probability of success, taken over all coin tosses.
[34] Hardness Assumptions
[35] We first recall the definition of the Decision Diffie-Hellman problem.
[36] Definition 2. In a cyclic group G of prime order p, the Decision Diffie-Hellman Problem (DDH) in G is to distinguish the distributions (g, g^a, g^b, g^(ab)) and (g, g^a, g^b, g^c), with a, b, c ←R Z_p, where "R" indicates that the values are sampled uniformly at random (a probabilistic process). The Decision Diffie-Hellman Assumption is the intractability of DDH for any PPT algorithm D.
[37] We use bilinear maps e : G × Ĝ → G_T over groups of prime order p. We will work in asymmetric pairings, where we have G ≠ Ĝ, so as to allow the DDH assumption to hold in G (see, e.g., an article by M. Scott, entitled "Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number," Cryptology ePrint Archive: Report 2002/164, 2002). In certain asymmetric pairing configurations, DDH is even believed to hold in both G and Ĝ. This assumption is called the Symmetric eXternal Diffie-Hellman (SXDH) assumption, and it implies that no efficiently computable isomorphism exists between G and Ĝ.
[38] One-Time Linearly Homomorphic Structure-Preserving Signatures
[39] In an article by B. Libert, T. Peters, M. Joye, and M. Yung, entitled "Linearly Homomorphic Structure-Preserving Signatures and their Applications," in Advances in Cryptology - Crypto 2013, LNCS 8043, pp. 289-307, Springer, 2013, Libert et al. described linearly homomorphic signatures where messages and signatures only consist of group elements. They suggested the following scheme, which is a one-time linearly homomorphic signature (i.e., it only allows signing one linear subspace) based on the DDH assumption.
[40] Keygen(λ, N): Given a security parameter λ and the dimension N of the subspace to be signed, choose bilinear groups of prime order p. Then, conduct the following steps.
1. Choose
Figure imgf000011_0010
2. For k = 1 to N, choose
Figure imgf000011_0005
in the set of integers between 0 and p − 1 (where p is a prime), and compute
Figure imgf000011_0006
The private key is
Figure imgf000011_0007
while the public key consists of
Figure imgf000011_0008
[41]
Figure imgf000011_0013
To sign a vector
Figure imgf000011_0012
using compute and output where
Figure imgf000011_0009
Figure imgf000011_0011
Figure imgf000011_0014
[42] each
Figure imgf000011_0016
Figure imgf000012_0001
[44] The present principles are directed to devising a new construction of threshold signatures in the standard model which is as efficient as the PF 140044 reference from a computational standpoint and in terms of signature size and private storage. In particular, we want to retain private key shares of O(1) size, regardless of the number of players involved in the protocol. Moreover, we do not want to rely on a trusted dealer in the key generation phase. The public key should be jointly generated by all players while guaranteeing the security of the scheme against an adaptive adversary.
[45] In addition, the key generation phase should be as communication-efficient as possible. Ideally, a single communication round should be needed when the players follow the protocol. The present principles attempt to avoid interaction during the distributed signing process: each player should only send a single message to the combiner without having to interact with other players at any time. We also aim at improving the PF140044 reference by reducing the size of the common public parameters to a constant number of group elements.
[46] The construction is a variant of a signature scheme described in an article by C. Jutla and A. Roy, entitled "Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces," in Advances in Cryptology - Asiacrypt 2013, LNCS 8269, pp. 1-20, Springer, 2013 (hereinafter "Jutla"). The Jutla reference teaches signing messages by encrypting a secret value, which is part of the private key, using the message as a label. The signature also contains a NIZK (Non-Interactive Zero-Knowledge) proof that the ciphertext encrypts a persistent hidden value. In the Jutla reference, the NIZK proof is a quasi-adaptive NIZK proof generated for an affine subspace, where the verifier only uses a portion of the CRS (Common Reference String) that does not depend on the statement.
[47] In its centralized (i.e., non-threshold) version, the underlying idea of the signature scheme is that each signature demonstrates that the signer "knows" an opening of a Pedersen commitment Ω, a product of a power of g and a power of h. Each signature is made of two components which can be seen as (a weak form of) Cramer-Shoup encryptions of these two factors, respectively, augmented with a quasi-adaptive NIZK proof that the encrypted values form an opening of the Pedersen commitment Ω. In the security proof, we use a sequence of hybrid games where we gradually move to a game where all signatures contain encryptions of random group elements (instead of an opening of the Pedersen commitment). At the same time, unless the semantic security of the weak encryption system (which relies on the DDH assumption in G) can be broken, the adversary should remain able to output an opening of the Pedersen commitment in the last game. However, we can prove that this is impossible unless the DDH assumption is false in G.
[48] In the threshold setting, we would like to minimize the number of public parameters that are trusted to be uniformly distributed, which implies that the CRS of the quasi-adaptive NIZK proof system must be generated during the distributed key generation phase. Using Pedersen's protocol, it is not clear how this can be achieved for the quasi-adaptive NIZK proofs of the Jutla reference (see also C. Jutla, A. Roy, "Switching Lemma for Bilinear Tests and Constant-size NIZK Proofs for Linear Subspaces," in Cryptology ePrint Archive: Report 2013/670, 2013), as their CRS generation requires exponentiating matrices that are inverses of one another. It was observed in an article by B. Libert, T. Peters, M. Joye, and M. Yung, entitled "Non-Malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures," in Advances in Cryptology - Eurocrypt 2014, LNCS 8441, pp. 514-532, Springer, 2014 (hereinafter "Libert"), that LHSPS (Linearly Homomorphic Structure-Preserving Signature) schemes can be used to build very short quasi-adaptive NIZK proofs, where the generation of the CRS only requires linear operations. We thus use a quasi-adaptive NIZK proof for affine subspaces and exploit the property that, in the quasi-adaptive proofs of the Libert reference, the CRS is the verification key of a one-time LHSPS. Consequently, in the threshold setting, if Pedersen's protocol is used to generate the CRS, we can still prove security even if the latter is not uniformly distributed.
[49] FIG. 2 illustrates a flowchart for an exemplary threshold signature scheme 200 according to an embodiment of the present principles. At step 210, the public key, verification key and private key shares are generated. At step 220, partial signatures on a message are created from the private key shares. Optionally, at step 230, the individual partial signatures are checked for validity. At step 240, valid partial signatures are combined to generate a signature. At step 250, the signature generated at step 240 is verified. In the present application, these steps are also denoted as Dist-Keygen, Share-Sign, Share-Verify, Combine and Verify, respectively, and are discussed in further detail below.
[50] First Embodiment
[51] In one embodiment, we assume that the players agree on public parameters params comprising asymmetric bilinear groups of prime order p with generators g and h of G and a generator of Ĝ.
[52] Given params, a security parameter λ and integers (t, n) as in the definition above, the players proceed as follows.
[53] FIG. 3 illustrates an exemplary method 300 for generating the public key, private key shares and verification key. Method 300 starts at step 310. At step 310, it performs initialization, for example, determining public parameters params, security parameter λ and integers t, n.
[54] Phase 1. Each player Pi does the following:
a. At step 320, choose a set of random (t − 1)-degree polynomials over
Figure imgf000015_0008
Figure imgf000015_0009
as well as
Figure imgf000015_0011
Figure imgf000015_0012
and distribute the following values:
Figure imgf000015_0007
b. Then, at step 330, generate a partial homomorphic signature on the linearly independent vectors
Figure imgf000015_0013
with respect to the public key
Figure imgf000015_0014
Figure imgf000016_0001
and send it to the other players at step 340.
[55] Phase 2. For each share received from another player Pj,
Figure imgf000016_0002
in order to verify whether the share is valid, player Pi verifies that the following equalities hold:
Figure imgf000016_0003
(1)
If equalities (1) do not hold, Pi broadcasts a complaint against Pj.
[56] Phase 3. Any player Pi who sent incorrect verification values
Figure imgf000016_0004
or received more than t complaints from other players is immediately disqualified. Each player Pi who received a complaint from another player Pj returns the corresponding (supposedly correct) shares
Figure imgf000016_0005
If any of these new shares fail to satisfy (1), then Pi is disqualified. Let
Figure imgf000016_0006
be the set of non-disqualified players at the end of Phase 3.
[57] Phase 4. The public key PK may be obtained at step 360 as
Figure imgf000017_0001
for each
Figure imgf000017_0010
Each Pi erases his polynomials
Figure imgf000017_0009
at step 370 and locally (i.e., by the player itself) defines his private key share at step 380 as
Figure imgf000017_0002
Anyone can publicly (i.e., without extra secret information) compute his verification key at step 390 as
Figure imgf000017_0003
For any disqualified player
Figure imgf000017_0006
the i-th private key share (resp. verification key) is implicitly set as
Figure imgf000017_0005
[58] The public key may also be obtained as
Figure imgf000017_0004
[59] When the protocol ends, the private key
Figure imgf000017_0011
and the polynomials
Figure imgf000017_0007
have not been explicitly constructed, as they are not used in the scheme. In the security proof, however, it will be useful to consider the additive shares
Figure imgf000017_0008
[60] The steps in method 300 may proceed in a different order from what is shown in FIG. 3; for example, step 330 may be performed before step 325, and/or step 390 may be performed before step 380.
[61] In order to create a partial signature on a message
Figure imgf000018_0019
Figure imgf000018_0001
using his private key share, player Pi chooses
Figure imgf000018_0003
Figure imgf000018_0002
and computes his signature share as
Figure imgf000018_0004
where
Figure imgf000018_0005
The random coins
Figure imgf000018_0006
are erased from memory so that an attacker cannot access their values. The pair
Figure imgf000018_0007
will provide evidence that
Figure imgf000018_0008
is in the linear span of
Figure imgf000018_0009
[62] Share-Verify(M, PK, VK, (i, σi)): parse σi as
Figure imgf000018_0010
(and return 0 if it does not parse properly) and
Figure imgf000018_0011
Then, return 1 if and only if
Figure imgf000018_0012
[63] Combine(PK, M, {(i, σi)}): given a t-set of valid partial signatures
Figure imgf000018_0013
Figure imgf000018_0014
Then, compute a tuple as
Figure imgf000018_0015
Figure imgf000018_0016
Then, re-randomize the obtained tuple
Figure imgf000018_0017
and return the resulting
Figure imgf000018_0018
as the signature.
[64] Verify(M, PK, σ): parse the signature σ as
Figure imgf000019_0001
and return 0 if it does not parse properly. Then, return 1 if and only if
Figure imgf000019_0004
is a valid homomorphic signature on the vector
Figure imgf000019_0002
that is, if and only if
Figure imgf000019_0003
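The four key-generation phases above and the Combine step share one mechanism: Shamir shares of two exponents, committed under the two generators g and h, checked with equalities (1) and recombined with Lagrange coefficients. The following Python program is an added illustration of that mechanism, not code from the patent or from its authors. It runs Phases 1-4 for five players with threshold t = 3 (shares, verification values, complaints, re-broadcast, disqualification, PK, SKi, VKi), once with everyone honest and once with a player that sends a corrupted share, and then recombines any t verification keys into the public key. Everything specific to the example is an assumption: the order-q subgroup of Z_p^* with the toy safe prime p = 1019, q = 509 and generators 4 and 9 stands in for the asymmetric bilinear groups, the one-time homomorphic signature that the real scheme attaches to the vectors is left out, the cheating model (one bad share to P1, repeated on re-broadcast) is constructed, and the names Player, dist_keygen, recombine and run are the example's own.

```python
"""Toy Pedersen-style distributed key generation (Phases 1-4 of Dist-Keygen
above) plus Lagrange recombination of the resulting shares. Added illustration,
not the patent's scheme: the order-q subgroup of Z_p^* for a tiny safe prime
p = 2q + 1 stands in for the asymmetric bilinear groups, and the homomorphic
signature component is omitted. Parameters are far too small for real use."""
import secrets

P, Q = 1019, 509  # p = 2q + 1, both prime (toy size, assumed)
G, H = 4, 9       # generators of the order-q subgroup; log_G(H) must stay unknown


def poly_eval(coeffs, x):
    """Evaluate a polynomial over Z_q at x; coeffs[0] is the constant term."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q


def lagrange_at_zero(indices):
    """Coefficients lambda_i (mod q) such that sum_i lambda_i * f(i) = f(0)."""
    lam = {}
    for i in indices:
        num = den = 1
        for j in indices:
            if j != i:
                num, den = num * (-j) % Q, den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam


class Player:
    def __init__(self, i, t):
        self.i = i
        # Phase 1: two random (t-1)-degree polynomials A_i, B_i over Z_q, plus the
        # Pedersen verification values W_ik = g^{a_ik} h^{b_ik} that get broadcast.
        self.A = [secrets.randbelow(Q) for _ in range(t)]
        self.B = [secrets.randbelow(Q) for _ in range(t)]
        self.W = [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(self.A, self.B)]
        self.cheat_on = set()  # attack model: players that receive a corrupted share

    def share_for(self, j):
        """Private share (A_i(j), B_i(j)) sent to P_j over the private channel."""
        a, b = poly_eval(self.A, j), poly_eval(self.B, j)
        return ((a + 1) % Q if j in self.cheat_on else a), b


def share_is_valid(W, i, a, b):
    """Check (1) for a share (a, b) held by P_i: g^a h^b == prod_k W_jk^{i^k} mod p."""
    rhs = 1
    for k, w in enumerate(W):
        rhs = rhs * pow(w, pow(i, k, Q), P) % P
    return pow(G, a, P) * pow(H, b, P) % P == rhs


def dist_keygen(players, t):
    """Phases 2-4. Returns (PK, set of qualified players, {i: SK_i}, {i: VK_i})."""
    byid = {p.i: p for p in players}
    # Phase 2: each P_i checks every share it received; a failure of (1) becomes a
    # broadcast complaint against the sender P_j.
    complaints = {j: {i for i in byid
                      if not share_is_valid(byid[j].W, i, *byid[j].share_for(i))}
                  for j in byid}
    # Phase 3: more than t complaints disqualifies outright; otherwise the accused
    # re-broadcasts the disputed shares and is disqualified if they still fail (1).
    qualified = {j for j, acc in complaints.items() if len(acc) <= t and all(
        share_is_valid(byid[j].W, i, *byid[j].share_for(i)) for i in acc)}
    # Phase 4: PK = prod_{j in Q} W_j0 = g^x h^y. SK_i sums the shares received from
    # qualified players; VK_i = g^{x_i} h^{y_i} is computed from public values only.
    pk = 1
    for j in qualified:
        pk = pk * byid[j].W[0] % P
    sk, vk = {}, {}
    for i in byid:
        shares = [byid[j].share_for(i) for j in qualified]
        sk[i] = (sum(a for a, _ in shares) % Q, sum(b for _, b in shares) % Q)
        vk[i] = 1
        for j in qualified:
            for k, w in enumerate(byid[j].W):
                vk[i] = vk[i] * pow(w, pow(i, k, Q), P) % P
    return pk, qualified, sk, vk


def recombine(vk, indices):
    """Combine in the exponent: prod_i VK_i^{lambda_i} over t qualified players = PK."""
    out = 1
    for i, lam in lagrange_at_zero(indices).items():
        out = out * pow(vk[i], lam, P) % P
    return out


def run(n=5, t=3, cheater=None):
    """Run the DKG; if `cheater` is set, that player sends P_1 a corrupted share."""
    players = [Player(i, t) for i in range(1, n + 1)]
    if cheater:
        players[cheater - 1].cheat_on = {1}
    pk, qualified, sk, vk = dist_keygen(players, t)
    # Every VK_i must open to SK_i, and any t verification keys must recombine to PK.
    ok = all(pow(G, x, P) * pow(H, y, P) % P == vk[i] for i, (x, y) in sk.items())
    ok = ok and recombine(vk, sorted(qualified)[:t]) == pk
    return pk, qualified, ok
```

Calling run(cheater=2) returns the public key, the qualified set {1, 3, 4, 5} and True: the single complaint from P1 is below the disqualification count, so P2 must re-broadcast the disputed share, which still fails (1), and its polynomial is dropped from PK before any share is used. Revealing a disputed share on re-broadcast costs nothing, since either the complainer already holds it or the sender is about to be disqualified. In a real deployment the erasure of the polynomials at step 370 has to be real, not merely a dropped reference: the adaptive-security argument given later depends on a corrupted player having no old coins to hand over.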
[65] FIG. 4 depicts an exemplary system 400 wherein threshold signatures can be used according to an embodiment of the present principles. Multiple devices may be connected through a network 490, for example, through the Internet or a mobile network. The devices (410, 420, 430) may receive a message through input devices, for example, a keyboard, touchscreen or voice/video input. The devices communicate with each other to generate private key shares, the public key and the verification key. The keys may then be stored in the memory of the devices. The players generate partial signatures, which may then be combined to generate a signature. The device used to combine the partial signatures can be the same as a device that acts as a player. Another device 440 acts as a verifier. FIG. 4 shows multiple devices in the system; in different variations, there may be a different number of devices in the system.
[66] The threshold signature scheme according to the present principles can be used in, for example, but not limited to, large bank transactions, a certification authority, a bitcoin ecosystem, routing in a wireless or ad hoc network, or other settings where secure communication is desired. When the threshold signature scheme is used in bank transactions, key generator 110 may be a computer employed by the bank; broadcast channel 120 may be the Internet or a wireless network; players (130, 140, 150) may be computers employed by the bank, or computers employed by the organization/group that performs the bank transaction with the bank; combiner 160 may be another computer employed by the bank, or the same computer used as key generator; verifier 170 may be yet another computer employed by the bank, or the same computer used as key generator/combiner. All computers employed by the bank may be operated by a third party who provides security services to the bank. The different computers in the system may run a web browser or a software module to collectively perform the threshold signature scheme.
[67] At the 128-bit security level, if each element of
Figure imgf000020_0001
has a 256-bit representation on Barreto-Naehrig curves, we only need 2048 bits per signature.
[68] In the security proof, we use the fact that several kinds of signature shares satisfy the share verification algorithm. The reason why we need erasures is to make sure that, if a simulated honest player is dynamically corrupted, it will not have to explain its old Type B partial signatures as Type A signatures. The solution is to have the reduction pretend that the player erased its random coins after the generation of each partial signature.
[69] The strategy of the proof is to show that, if the adversary only observes Type A signature shares, it can only output a Type A forgery unless the DDH assumption is false in G. Then, we gradually move to a game where all partial signatures are progressively turned into Type B signature shares. Still, we argue that, unless the DDH assumption is false in
Figure imgf000020_0003
the adversary's forgery will still be a Type A forgery. In the last game, the adversary only observes Type B signature shares, which are generated without using the opening of the commitment
Figure imgf000020_0002
Yet, it can be argued that the adversary cannot output a Type B forgery if the DDH assumption holds in
Figure imgf000020_0005
At this point, in the last game, it is easy to show that a Type A forgery also contradicts the DDH assumption in
Figure imgf000020_0004
[70] We can prove that our proposed scheme provides adaptive security in the erasure-enabled model under the SXDH assumption. For any PPT adversary, there exist DDH distinguishers
Figure imgf000020_0006
with comparable running times in the groups G and Ĝ, respectively.
[71] The implementations described herein may be implemented in, for example, a method or a process, an apparatus, a software program, a data stream, or a signal. Even if only discussed in the context of a single form of implementation (for example, discussed only as a method), the implementation of features discussed may also be implemented in other forms (for example, an apparatus or program). An apparatus may be implemented in, for example, appropriate hardware, software, and firmware. The methods may be implemented in, for example, an apparatus such as, for example, a processor, which refers to processing devices in general, including, for example, a computer, a microprocessor, an integrated circuit, or a programmable logic device. Processors also include communication devices, such as, for example, computers, cell phones, portable/personal digital assistants ("PDAs"), and other devices that facilitate communication of information between end-users.
[72] Reference to "one embodiment" or "an embodiment" or "one implementation" or "an implementation" of the present principles, as well as other variations thereof, mean that a particular feature, structure, characteristic, and so forth described in connection with the embodiment is included in at least one embodiment of the present principles. Thus, the appearances of the phrase "in one embodiment" or "in an embodiment" or "in one implementation" or "in an implementation", as well any other variations, appearing in various places throughout the specification are not necessarily all referring to the same embodiment.
[73] Additionally, this application or its claims may refer to "determining" various pieces of information. Determining the information may include one or more of, for example, estimating the information, calculating the information, predicting the information, or retrieving the information from memory.
[74] Further, this application or its claims may refer to "accessing" various pieces of information. Accessing the information may include one or more of, for example, receiving the information, retrieving the information (for example, from memory), storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information. [75] Additionally, this application or its claims may refer to "receiving" various pieces of information. Receiving is, as with "accessing", intended to be a broad term. Receiving the information may include one or more of, for example, accessing the information, or retrieving the information (for example, from memory). Further, "receiving" is typically involved, in one way or another, during operations such as, for example, storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
[76] As will be evident to one of skill in the art, implementations may produce a variety of signals formatted to carry information that may be, for example, stored or transmitted. The information may include, for example, instructions for performing a method, or data produced by one of the described implementations. For example, a signal may be formatted to carry the bitstream of a described embodiment. Such a signal may be formatted, for example, as an electromagnetic wave (for example, using a radio frequency portion of spectrum) or as a baseband signal. The formatting may include, for example, encoding a data stream and modulating a carrier with the encoded data stream. The information that the signal carries may be, for example, analog or digital information. The signal may be transmitted over a variety of different wired or wireless links, as is known. The signal may be stored on a processor-readable medium.

Claims

CLAIMS:
1. A method for signing a message using threshold signatures, comprising:
accessing a plurality of linearly independent vectors, each vector including one or more of generators
Figure imgf000023_0003
determining a partial homomorphic signature on one of the plurality of linearly independent vectors, wherein the partial homomorphic signature is suitable for use in determining a public key;
determining a private key share responsive to a set of random polynomials; and determining a partial signature for the message responsive to the private key share, the partial signature, in combination with other partial signatures, suitable for generating a signature of the message, and the signature suitable for verification using the public key.
2. The method of claim 1, wherein the plurality of linearly independent vectors are
Figure imgf000023_0002
3. The method of claim 1, wherein the partial homomorphic signature is one of
Figure imgf000023_0001
Figure imgf000023_0004
4. The method of claim 1, wherein the partial signature is determined by a first signer, and wherein each of the other partial signatures is determined by a respective one of other signers, further comprising:
sending the partial signature and the partial homomorphic signature to the other signers.
5. The method of claim 1, further comprising:
determining a verification key responsive to the generators g, h and the set of random polynomials.
6. The method of claim 5, further comprising:
verifying the partial signature responsive to the verification key and the public key.
7. A method for verifying a signature of a message, comprising:
accessing the message, the signature, a public key and a verification key,
wherein the signature is generated from a plurality of partial signatures, each one of the plurality of partial signatures being generated responsive to a private key share, wherein the private key share is determined responsive to a set of random polynomials, and
wherein the public key is generated responsive to a partial homomorphic signature, the partial homomorphic signature being determined responsive to one of a plurality of linearly independent vectors, each vector including one or more of generators
Figure imgf000024_0002
verifying whether the signature is valid.
8. The method of claim 7, wherein the plurality of linearly independent vectors are
Figure imgf000024_0001
9. The method of claim 7, wherein the partial homomorphic signature for signer i is one of
Figure imgf000025_0001
10. The method of claim 7, wherein the verification key is generated responsive to the generators g, h and the set of random polynomials.
11. An apparatus for signing a message using threshold signatures, comprising: a signer (130, 140, 150) configured to
access a plurality of linearly independent vectors, each vector including one or more of generators
Figure imgf000025_0002
determine a partial homomorphic signature on one of the plurality of linearly independent vectors, wherein the partial homomorphic signature is suitable for use in determining a public key;
determine a private key share responsive to a set of random polynomials; and determine a partial signature for the message responsive to the private key share, the partial signature, in combination with other partial signatures, suitable for generating a signature of the message, and the signature suitable for verification using the public key.
12. The apparatus of claim 11, wherein the plurality of linearly independent vectors are
Figure imgf000026_0001
13. The apparatus of claim 11, wherein the partial homomorphic signature is one of
Figure imgf000026_0002
14. The apparatus of claim 11, wherein the partial signature is determined by a first signer, and wherein each of the other partial signatures is determined by a respective one of other signers, and wherein the first signer is further configured to send the partial signature and the partial homomorphic signature to the other signers.
15. The apparatus of claim 11, wherein the signer is further configured to determine a verification key responsive to the generators g, h and the set of random polynomials.
16. The apparatus of claim 15, wherein the signer is further configured to verify the partial signature responsive to the verification key and the public key.
17. An apparatus for verifying a signature of a message, comprising: a verifier (170) configured to access the message, the signature, a public key and a verification key, wherein the signature is generated from a plurality of partial signatures, each one of the plurality of partial signatures being generated responsive to a private key share, wherein the private key share is determined responsive to a set of random polynomials, and wherein the public key is generated responsive to a partial homomorphic signature, the partial homomorphic signature being determined responsive to one of a plurality of linearly independent vectors, each vector including one or more of generators
Figure imgf000027_0001
verify whether the signature is valid.
18. The apparatus of claim 17, wherein the plurality of linearly independent vectors are
Figure imgf000027_0002
19. The apparatus of claim 17, wherein the partial homomorphic signature for signer i is one of
Figure imgf000027_0003
20. The apparatus of claim 17, wherein the verification key is generated responsive to the generators g, h and the set of random polynomials.
PCT/US2015/052129 2014-09-26 2015-09-25 Method and apparatus for secure non-interactive threshold signatures WO2016049406A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201462055804P 2014-09-26 2014-09-26
US62/055,804 2014-09-26

Publications (1)

Publication Number Publication Date
WO2016049406A1 true WO2016049406A1 (en) 2016-03-31

Family

ID=54256862

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/052129 WO2016049406A1 (en) 2014-09-26 2015-09-25 Method and apparatus for secure non-interactive threshold signatures

Country Status (1)

Country Link
WO (1) WO2016049406A1 (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
EP3379767A1 (en) * | 2017-03-24 | 2018-09-26 | Hewlett-Packard Development Company, L.P. | Distributed authentication
US10397003B2 (en) | 2017-02-10 | 2019-08-27 | International Business Machines Corporation | Signature scheme for homomorphic message encoding functions
WO2019193452A1 (en) * | 2018-04-05 | 2019-10-10 | nChain Holdings Limited | Computer implemented method and system for transferring access to a digital asset
CN110999207A (en) * | 2017-08-15 | 2020-04-10 | 区块链控股有限公司 (nChain Holdings Limited) | Computer-implemented method of generating a threshold library
JP2020515885A (en) * | 2018-12-21 | 2020-05-28 | Alibaba Group Holding Limited | Blockchain data protection based on universal account model and homomorphic encryption
CN111342976A (en) * | 2020-03-04 | 2020-06-26 | 中国人民武装警察部队工程大学 (Engineering University of the Chinese People's Armed Police Force) | Verifiable threshold proxy re-encryption method and system over ideal lattices
CN111480315A (en) * | 2017-12-15 | 2020-07-31 | 区块链控股有限公司 (nChain Holdings Limited) | Computer-implemented system and method for authorizing blockchain transactions using low-entropy ciphers
JP2020532928A (en) * | 2017-09-05 | 2020-11-12 | 深圳奥聯信息安全技術有限公司 (Shenzhen Olym Information Security Technology Co., Ltd.) | Digital signature methods, devices and systems
JP2021516902A (en) * | 2018-03-09 | 2021-07-08 | nChain Holdings Limited | Methods and systems for controlling access and integrity of resources on the blockchain
US11063769B2 (en) | 2018-12-21 | 2021-07-13 | Advanced New Technologies Co., Ltd. | Blockchain data protection based on generic account model and homomorphic encryption
US11316668B2 (en) | 2018-11-16 | 2022-04-26 | Safetech Bv | Methods and systems for cryptographic private key management for secure multiparty storage and transfer of information
US11329807B2 (en) | 2017-06-26 | 2022-05-10 | Nchain Licensing Ag | Controlled cryptographic private key release
CN117455488A (en) * | 2023-11-13 | 2024-01-26 | 电子科技大学 (University of Electronic Science and Technology of China) | Threshold supervision method for privacy-preserving cryptocurrency
EP4097914A4 (en) * | 2020-01-31 | 2024-02-21 | Visa International Service Association | Distributed symmetric encryption

Non-Patent Citations (13)

* Cited by examiner, † Cited by third party
Title
ICALP 2011, LNCS, Springer, 2011, pp. 588-600 (authors and title not given on the page)
A. Boldyreva: Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme. Public-Key Cryptography - PKC 2003, LNCS vol. 2567, Springer, 2003, pp. 31-46
B. Libert, M. Yung: Adaptively Secure Non-Interactive Threshold Cryptosystems. Theoretical Computer Science, vol. 478, March 2013, pp. 76-100
B. Libert, T. Peters, M. Joye, M. Yung: Linearly Homomorphic Structure-Preserving Signatures and their Applications. Advances in Cryptology - Crypto 2013, LNCS 804 (volume as given), Springer, 2013, pp. 289-307
B. Libert, T. Peters, M. Joye, M. Yung: Non-Malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures. Advances in Cryptology - Eurocrypt 2014, LNCS vol. 8441, Springer, 2014, pp. 514-532
B. Libert et al.: Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares. Principles of Distributed Computing (PODC), ACM, 15 July 2014, pp. 303-312, XP058052840, ISBN 978-1-4503-2944-6, DOI 10.1145/2611462.2611498 *
B. Libert et al.: Linearly Homomorphic Structure-Preserving Signatures and Their Applications. IACR Cryptology ePrint Archive (International Association for Cryptologic Research), version 20130717:182901, 17 July 2013, pp. 1-31, XP061007919 *
C. Jutla, A. Roy: Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces. Advances in Cryptology - Asiacrypt 2013, LNCS 826 (volume as given), Springer, 2013, pp. 1-20
C. Jutla, A. Roy: Switching Lemma for Bilinear Tests and Constant-size NIZK Proofs for Linear Subspaces. Cryptology ePrint Archive, Report 2013/670, 2013
H. Wee: Threshold and Revocation Cryptosystems via Extractable Hash Proofs. Advances in Cryptology - Eurocrypt 2011, LNCS vol. 6632, Springer, 2011, pp. 589-609
B. Libert et al.: Adaptively secure non-interactive threshold cryptosystems. Theoretical Computer Science (Amsterdam, NL), vol. 478, 1 February 2013, pp. 76-100, XP028991064, ISSN 0304-3975, DOI 10.1016/j.tcs.2013.01.001 *
M. Scott: Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number. Cryptology ePrint Archive, Report 2002/164, 2002
R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin: Secure Distributed Key Generation for Discrete-Log Based Cryptosystems. Advances in Cryptology - Eurocrypt'99, LNCS 159 (volume as given), Springer, 1999, pp. 295-310

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US10397003B2 (en) | 2017-02-10 | 2019-08-27 | International Business Machines Corporation | Signature scheme for homomorphic message encoding functions
US10397002B2 (en) | 2017-02-10 | 2019-08-27 | International Business Machines Corporation | Signature scheme for homomorphic message encoding functions
EP3379767A1 (en) * | 2017-03-24 | 2018-09-26 | Hewlett-Packard Development Company, L.P. | Distributed authentication
US10771444B2 (en) | 2017-03-24 | 2020-09-08 | Hewlett-Packard Development Company, L.P. | Distributed authentication
US11870894B2 (en) | 2017-06-26 | 2024-01-09 | Nchain Licensing Ag | Controlled cryptographic private key release
US11329807B2 (en) | 2017-06-26 | 2022-05-10 | Nchain Licensing Ag | Controlled cryptographic private key release
CN110999207B (en) * | 2017-08-15 | 2024-05-31 | 区块链控股有限公司 (nChain Holdings Limited) | Computer-implemented method of generating a threshold library
CN110999207A (en) * | 2017-08-15 | 2020-04-10 | 区块链控股有限公司 (nChain Holdings Limited) | Computer-implemented method of generating a threshold library
JP2020532928A (en) * | 2017-09-05 | 2020-11-12 | 深圳奥聯信息安全技術有限公司 (Shenzhen Olym Information Security Technology Co., Ltd.) | Digital signature methods, devices and systems
JP7105308B2 (en) | 2017-09-05 | 2022-07-22 | 深圳奥聯信息安全技術有限公司 (Shenzhen Olym Information Security Technology Co., Ltd.) | Digital signature method, device and system
CN111480315A (en) * | 2017-12-15 | 2020-07-31 | 区块链控股有限公司 (nChain Holdings Limited) | Computer-implemented system and method for authorizing blockchain transactions using low-entropy ciphers
JP2021516902A (en) * | 2018-03-09 | 2021-07-08 | nChain Holdings Limited | Methods and systems for controlling access and integrity of resources on the blockchain
JP7275155B2 (en) | 2018-03-09 | 2023-05-17 | nChain Licensing AG | Methods and systems for controlling access and integrity to resources on blockchain
EP4152683A1 (en) * | 2018-04-05 | 2023-03-22 | nChain Licensing AG | Computer implemented method and system for transferring access to a digital asset
EP4340295A3 (en) * | 2018-04-05 | 2024-05-01 | nChain Licensing AG | Computer implemented method and system for transferring access to a digital asset
US11641283B2 (en) | 2018-04-05 | 2023-05-02 | Nchain Licensing Ag | Computer implemented method and system for transferring access to a digital asset
WO2019193452A1 (en) * | 2018-04-05 | 2019-10-10 | nChain Holdings Limited | Computer implemented method and system for transferring access to a digital asset
US11979507B2 (en) | 2018-04-05 | 2024-05-07 | Nchain Licensing Ag | Computer implemented method and system for transferring access to a digital asset
US11316668B2 (en) | 2018-11-16 | 2022-04-26 | Safetech Bv | Methods and systems for cryptographic private key management for secure multiparty storage and transfer of information
US11063769B2 (en) | 2018-12-21 | 2021-07-13 | Advanced New Technologies Co., Ltd. | Blockchain data protection based on generic account model and homomorphic encryption
JP2020515885A (en) * | 2018-12-21 | 2020-05-28 | Alibaba Group Holding Limited | Blockchain data protection based on universal account model and homomorphic encryption
EP4097914A4 (en) * | 2020-01-31 | 2024-02-21 | Visa International Service Association | Distributed symmetric encryption
CN111342976A (en) * | 2020-03-04 | 2020-06-26 | 中国人民武装警察部队工程大学 (Engineering University of the Chinese People's Armed Police Force) | Verifiable threshold proxy re-encryption method and system over ideal lattices
CN111342976B (en) * | 2020-03-04 | 2023-06-30 | 中国人民武装警察部队工程大学 (Engineering University of the Chinese People's Armed Police Force) | Verifiable threshold proxy re-encryption method and system over ideal lattices
CN117455488A (en) * | 2023-11-13 | 2024-01-26 | 电子科技大学 (University of Electronic Science and Technology of China) | Threshold supervision method for privacy-preserving cryptocurrency

Similar Documents

Publication Publication Date Title
WO2016049406A1 (en) Method and apparatus for secure non-interactive threshold signatures
Castagnos et al. Bandwidth-efficient threshold EC-DSA
US11722305B2 (en) Password based threshold token generation
Ling et al. Group signatures from lattices: simpler, tighter, shorter, ring-based
Libert et al. Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares
Chang et al. A secure single sign-on mechanism for distributed computer networks
Jonsson et al. On the security of RSA encryption in TLS
US9356783B2 (en) Method for ciphering and deciphering, corresponding electronic device and computer program product
US20170061833A1 (en) Method for ciphering and deciphering digital data, based on an identity, in a multi-authorities context
Vergnaud RSA-based secret handshakes
Blazy et al. Short blind signatures
TWI455555B (en) Authentication device, authentication method, and program
Li et al. Signcryption from randomness recoverable public key encryption
US20110064216A1 (en) Cryptographic message signature method having strengthened security, signature verification method, and corresponding devices and computer program products
Ki et al. Constructing Strong Identity‐Based Designated Verifier Signatures with Self‐Unverifiability
Shen et al. Identity-based authenticated encryption with identity confidentiality
CN108964906B (en) Digital signature method for cooperation with ECC
Yang et al. Efficient certificateless encryption withstanding attacks from malicious KGC without using random oracles
Mu et al. Compact sequential aggregate signatures
Wang et al. A secure ring signcryption scheme for private and anonymous communication
Krzywiecki et al. Deniable key establishment resistance against eKCI attacks
Tseng et al. Enhancement on strongly secure group key agreement
Zhang et al. A novel authenticated encryption scheme and its extension
Zhu et al. A secure non-interactive chaotic maps-based deniable authentication scheme with privacy protection in standard model
Rastaghi Cryptanalysis and Improvement of Akleylek et al.'s cryptosystem

Legal Events

Date | Code | Title | Description
 | 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 15775573; Country of ref document: EP; Kind code of ref document: A1
 | NENP | Non-entry into the national phase | Ref country code: DE
 | 122 | EP: PCT application non-entry in European phase | Ref document number: 15775573; Country of ref document: EP; Kind code of ref document: A1