WO2023093278A1

WO2023093278A1 - Digital signature thresholding method and apparatus

Info

Publication number: WO2023093278A1
Application number: PCT/CN2022/121597
Authority: WO
Inventors: 李哲; 邢朝平; 杨艳江
Original assignee: 华为技术有限公司
Priority date: 2021-11-24
Filing date: 2022-09-27
Publication date: 2023-06-01
Also published as: CN116167093A

Abstract

Provided in the embodiments of the present application is a digital signature thresholding method. The method comprises: a first computer device acquiring a first matrix; determining a first vector and a second vector; determining a first key parameter part according to the first matrix, the first vector and the second vector; receiving a key parameter parts from a computer devices; determining a high-order bit and a low-order bit of a key parameter according to the first key parameter part and the a key parameter parts; determining a first random number according to a matrix seed and the high-order bit of the key parameter; determining signature information of a first message according to the first vector, the second vector, the low-order bit of the key parameter, the first random number, and the matrix seed; and the first computer device sending the first message and the signature information of the first message to a second computer device. By means of the technical solution of the present application, the security of key management can be improved, and a side channel attack can be resisted.

Description

Digital signature threshold method and device

This application claims the priority of the Chinese patent application with the application number 202111401610.9 and the application title "Digital Signature Threshold Method and Device" filed with the China Patent Office on November 24, 2021, the entire contents of which are incorporated by reference in this application.

technical field

This application relates to the field of cryptography, in particular to a digital signature threshold method and device.

Background technique

The working principle of the threshold cipher is to split the key into n parts through the secret sharing scheme (t-out-of-n secret sharing) and distribute it to n parties for independent storage. The function of the key is performed under the circumstances, such as decryption or signing. The privacy of the key is of information theory significance for any party smaller than t, that is, no valid information about the key can be obtained at all. With the development of quantum computers, traditional digital signature algorithms are at risk of being cracked. The post-quantum digital signature algorithm is a new generation of cryptographic algorithms that can resist the attack of quantum computers on existing cryptographic algorithms. Although the research on threshold traditional cryptography has been quite sufficient, there is little research on threshold post-quantum signature algorithms at this stage.

Therefore, how to threshold the post-quantum digital signature algorithm to ensure the security of the post-quantum key is an urgent problem to be solved.

Contents of the invention

The embodiments of the present application provide a digital signature threshold method and device, which can improve the security of key management and can resist side channel attacks to a certain extent.

In a first aspect, a digital signature threshold method is provided, the method includes: a first computer device acquires a first matrix, the first matrix is a matrix with k rows and l columns, and k and l are positive integers greater than or equal to 1; The first computer device determines a first vector and a second vector; the first computer device determines a first key parameter share according to the first matrix, the first vector and the second vector; the The first computer device receives a key parameter shares from a computer device, a is a positive integer greater than or equal to p-1, and p is the minimum number of computer devices for the secret sharing scheme; the first computer device according to the The first key parameter share and the a key parameter shares determine the high-order bits and low-order bits of the key parameter; the first computer device determines the first key parameter according to the matrix seed and the high-order bits of the key parameter A random number: the first computer device determines the signature information of the first message according to the first vector, the second vector, the lower bits of the key parameter, the first random number and the matrix seed ; The first computer device sends the first message and the signature information of the first message to a second computer device, and the second computer device is one of the a computer devices.

It should be understood that there are m computer devices in the system, p is the minimum number of computer devices in the secret sharing scheme, and p is less than or equal to m.

Exemplarily, the first matrix can be represented by matrix A. Optionally, the matrix A can be determined according to the formula A∈R _q ^k×l :=ExpandA(ρ). Among them, matrix A is a matrix of k×l, each element in matrix A is a polynomial, each polynomial can be randomly generated by the public seed ρ, and the coefficient of each polynomial is an integer smaller than q, q is a prime number .

Optionally, the way to obtain matrix A may be that the first computer device randomly generates matrix A by publicizing the seed ρ, or a preset matrix A may be used, or matrix A may also be jointly generated by multiple computer devices. For example, k=5, l=6, then the matrix A is a matrix with 5 rows and 6 columns. Wherein, the first computer device generates one row of elements of the matrix A, and the second computer device generates the remaining four rows of elements. Alternatively, the first computer device generates one column of elements of matrix A, the second computer device generates another column of elements, and the third computer device generates the remaining four columns of elements. The specific way of generating the matrix A is not limited in this application.

It should be understood that the matrix A is public to the m computer devices in the system, that is, each computer device can obtain the matrix A. The computer device that generates matrix A can distribute the obtained matrix A to m computer devices in the system. The m computer devices can also directly use the preset matrix A.

It should be understood that this application will use the following important signs: For a value x, [x] means that according to the agreed secret sharing scheme, x has been split into secret shares (shares) and each share has been delivered to the corresponding user , [x] can also be represented by _xi , which represents the i-th copy of x obtained by the i-th user.

Exemplarily, the first vector may be s _i1 , and the second vector may be s _i2 . The first vector can also be expressed as [s ₁ ], and the second vector can also be expressed as [s ₂ ]. The first vector and the second vector may be referred to as random key vector shares, because the first vector and the second vector participate in key generation in a random manner. The first computer device generates random key vector shares s _i1 and s _i2 , optionally, the random key vector shares s _i1 and s _i2 can be formulated by the formula ([s ₁ ],[s ₂ ])←Thr-RandNum(η ) ^n×l+n×k is determined. The Thr-RandNum(η) algorithm is used to generate a random number whose absolute value ≤ η. Among them, s _i1 has l polynomials, s _i2 has k polynomials, each polynomial contains n items, and the absolute value of the coefficient of each item is less than or equal to η. η is a preset parameter, and n is a positive integer.

Exemplarily, the first key parameter share can be represented by [t]. The first key parameter share [t] can be determined according to the formula [t]=A×[s ₁ ]+[s ₂ ]. It should be understood that on the premise that a ₁ and b ₁ both represent vectors, a ₁ ·b ₁ is the inner product of the two vectors, and a ₁ ×b ₁ is the outer product of the two vectors.

It should be understood that the key parameter t can be obtained according to [t] of more than or equal to p users. Therefore, the first computer device can obtain a key parameter t after receiving a key parameter shares from a computer device, where a is a positive integer greater than or equal to p-1.

Optionally, the first computer device may determine the key parameter t according to the first key parameter share and the a key parameter shares, and then according to the formula (t ₁ ,t ₀ )←Power2Round _q (t,d ) to get the high-order bits and low-order bits of the key parameter t. The Power2Round _q function can decompose t into t=t ₁ ·2 ^d +t ₀ , where d is an integer greater than 0, t ₁ is the high-order bit of the key parameter t, and t ₀ is the low-order bit of the key parameter t.

Exemplarily, the first random number may be represented by tr. Optionally, tr can be determined according to the formula tr∈{0,1} ³⁸⁴ ←CRH(ρ||t ₁ ). Concatenate the public seed ρ and the high-order bit t ₁ of the key parameter t, and use the collision-resistant hash function (collision-resistant hashing, CRH) to connect the public seed ρ and the high-order bit t ₁ of the key parameter t Map to {0,1} ³⁸⁴ field to get tr, that is, intercept the first 384 bits of the connection value, if the connection value has less than 384 bits, randomly generate the specified bits (±1 or 0) to fill in, and The resulting value is assigned to tr.

It should be understood that the private key share of the first computer device includes the first vector [s ₁ ] and the second vector [s ₂ ], optionally, the private key share of the first computer device may also include matrix A or public seed ρ, The first random number tr, the key parameter t or the lower bit t ₀ of the key parameter t.

In the embodiment of the present application, through the threshold digital signature method, the function of the key is divided into multiple computer devices, which can realize the security management of the key and resist side channel attacks to a certain extent.

With reference to the first aspect, in some implementation manners of the first aspect, the signature information of the first message includes: a challenge, a response, and a prompt, and the first computer device according to the first vector, the second Two vectors, the lower bits of the key parameter, the first random number and the matrix seed, determine the signature information of the first message, including: the first computer device according to the first random number and the The first message determines the challenge parameter; the first computer device determines the challenge according to the first preset parameter, the first matrix and the challenge parameter; the first computer device determines the challenge according to the first preset parameter, the challenge and the first vector, determine the response; the first computer device determines the response according to the challenge, the lower bits of the key parameter, the first matrix, and the first preset parameter and the second vector, determine the hint.

Optionally, according to the first random number and the first message, determining a challenge parameter may be expressed by a formula μ∈{0,1} ³⁸⁴ :=CRH(tr||M). Concatenate the first random number tr and the message M, and use the anti-collision hash function to map the connection value of the first random number tr and the message M to the {0,1} ³⁸⁴ domain to obtain the challenge parameter μ, that is, intercept the connection The first 384 bits of the value, if the number of bits of the connection value is less than 384, randomly generate the specified bits (±1 or 0) to fill in, and assign the final value to μ.

With reference to the first aspect, in some implementation manners of the first aspect, the first computer device determines the challenge according to first preset parameters, the first matrix, and the signature of the first message, It includes: the first computer device generates a masking vector according to the first preset parameter, wherein the masking vector includes l polynomials, and the coefficient of each polynomial in the l polynomials is less than or equal to the first Preset parameters; the first computer device determines a first promised intermediate share according to the first matrix and the masked vector; the first computer device obtains a promised intermediate share from the a computer device The high-order bits of the first computer device determine the promise according to the high-order bits of the first promise middle part and the high-order bits of the a promise middle part; the first computer device determines the promise according to the promise and the first promise A signature of a message identifying the challenge.

Exemplarily, the masking vector may be represented by [y], and the first preset parameter may be represented by _γ1 . Optionally, the masking vector [y] can be determined according to the formula [y]←Thr-RandNum(γ ₁ ) ^n×l . The masking vector [y] includes l polynomials, each polynomial has n items, and the coefficient of each item is generated by Thr-RandNum(γ ₁ ) function and the absolute value does not exceed γ ₁ .

Exemplarily, the first committed intermediate share can be represented by [w]. Optionally, the first promised intermediate share [w] can be determined according to the formula [w]←A×[y], that is, [w] is the cross product of the matrix A and the masked vector [y].

Exemplarily, the high-order bits of the middle part of the promise can be represented by [w ₁ ]. Optionally, the upper bits [w ₁ ] of the middle portion of the promise can be determined according to the formula [w ₁ ]←Thr-HighBits _q ([w],2γ ₂ ). Among them, each coefficient of the promised intermediate share [w] can be expressed by [w]=[w ₁ ]·2γ ₂ +[w ₀ ], where γ ₂ is a preset parameter, and [w ₁ ] is the promised intermediate share [w] [w ₀ ] is the low-order bit of the middle portion [w] of the promise. The Thr-HighBits _q function is used to extract the upper bits [w ₁ ] of the first committed middle share [w].

Optionally, to obtain the high-order bits of the a promised intermediate shares from the a computer equipment, each computer equipment in the a computer equipment may first determine its own promised intermediate shares and its own promised intermediate shares. The high bit, and then send the middle part of the promise and the high bit of the middle part of the promise to the first computer device. Or, it can also be that each user only determines and sends his own promised middle share, and the first computer device extracts high bits from the received promised middle share by itself.

It should be understood that the promise w ₁ can be obtained according to the high-order bits [w ₁ ] of the first middle part of the promise and the high-order bits of the a middle part of the promises.

Exemplarily, the challenge can be

express. Optionally, challenge

according to the formula

Sure. Concatenate the signature μ of the first message and the promise w ₁ , and use the hash function to map the concatenated value of the signature μ of the first message and the promise w ₁ to {0,1} ²⁵⁶ fields to get the challenge

That is, the first 256 bits of the connection value are intercepted. If the connection value has less than 256 bits, the specified bits (±1 or 0) are randomly generated to fill in, and the final value is assigned to the challenge

With reference to the first aspect, in some implementation manners of the first aspect, the first computer device determines the response according to the first preset parameter, the challenge, and the first vector, including: The first computer device determines a first response share according to the mask vector, the challenge and the first vector; the first computer device acquires a response shares from the a computer device; The first computer device determines the response according to the first response share and the a response shares.

Exemplarily, the challenge can be

express. Optionally, to facilitate the identification of challenges

The scope of the challenge can be specified

There are τ terms in which the coefficients are ±1, and 256-τ terms have coefficients of 0. If challenge is specified

With a factor of ±1, the challenge at this time can be

Defined as challenge c.

Exemplarily, the first response share can be represented by [z]. Optionally, the first response share [z] can be determined according to the formula [z]←[y]+c×[s ₁ ]. It should be understood that the first response share [z] is a polynomial.

Exemplarily, to obtain a response share from the a computer device, it may be that a computer device calculates the respective response share according to the masked vector share [y], the challenge c and the first vector s _i1 and sends it to A first computer device. It may also be that some or all of the computer devices in a computer device send their respective response shares to at least one intermediary, and at least one intermediary forwards them to the first computer device.

It should be understood that the response z can be obtained according to the first response share [z] and the response share of the a computer device.

With reference to the first aspect, in some implementation manners of the first aspect, the first computer device according to the challenge, the lower bits of the key parameter, the first matrix, the first preset parameter and the second vector, and determining the hint includes: the first computer device determining the first promise according to the challenge, the low-order bits of the key parameter, the first promise intermediate share, and the second vector One prompt share; the first computer device obtains a prompt share from the a computer device; the first computer device determines the prompt according to the first prompt share and the a prompt share .

Exemplarily, the first prompt share can be represented by [h]. Optionally, the first hint share [h] can be determined according to the formula [h]←Thr-MakeHint(-c×t ₀ ,[w]-c×[s ₂ ]+c×t ₀ ,2γ ₂ ). Among them, Thr-MakeHint is used to generate a one-bit hint [h]. One by one compare [w]-c×[s ₂ ]+c×t ₀ and [w]-c×[s ₂ ] the size of the corresponding bit, if the two are equal, the bit corresponding to [h] is 1 , otherwise the bit corresponding to [h] is 0, and [h] is a sequence consisting of 0 and 1.

Exemplarily, to obtain a reminder share from said a computer device, a computer device may calculate the respective reminder share and send it to the first computer device. It may also be that some or all of the computer devices in a computer device send their reminder shares to at least one intermediary, and the at least one intermediary forwards them to the first computer device.

It should be understood that the prompt h can be obtained according to the first prompt share [h] and the prompt share of the a computer device.

With reference to the first aspect, in some implementations of the first aspect, the method further includes: the first computer device receiving the second message and the signature information of the second message from the second computer device ; The first computer device verifies the signature information of the second message according to the high order bits of the matrix seed and the key parameter.

It should be understood that the first computer device can not only sign the message M, but also receive the second message sent by other computer devices and the signature information of the second message, and then verify it.

In a second aspect, an embodiment of the present application provides a computer device, where the computer device includes a unit for implementing the first aspect or any possible implementation manner of the first aspect.

In a third aspect, an embodiment of the present application provides a computer device, the computer device includes a processor, the processor is used to be coupled with a memory, read and execute instructions and/or program codes in the memory, to perform the first aspect or Any possible implementation of the first aspect.

In a fourth aspect, an embodiment of the present application provides a chip system, the chip system includes a logic circuit, the logic circuit is used to couple with an input/output interface, and transmit data through the input/output interface to perform the first aspect or the first Any possible implementation of the aspect.

In the fifth aspect, the embodiment of the present application provides a computer-readable storage medium, the computer-readable storage medium stores program codes, and when the computer storage medium is run on a computer, the computer executes the first aspect or the first aspect. any possible implementation of .

In a sixth aspect, an embodiment of the present application provides a computer program product, the computer program product comprising: computer program code, when the computer program code is run on a computer, the computer is made to execute any of the first aspect or the first aspect. One possible implementation.

Description of drawings

FIG. 1 is a schematic diagram of a scenario of a key generation algorithm provided by an embodiment of the present application.

Fig. 2 is a schematic diagram of a joint signature algorithm scenario provided by the embodiment of the present application.

Fig. 3 is a schematic flowchart of a digital signature threshold method provided by an embodiment of the present application.

Fig. 4 is a schematic flow chart of verifying message signature information provided by an embodiment of the present application.

Fig. 5 is a structural example diagram of a computer device provided by an embodiment of the present application.

FIG. 6 is a structural example diagram of another computer device provided by an embodiment of the present application.

Fig. 7 is an exemplary diagram of a computer program product provided by an embodiment of the present application.

Detailed ways

The main purpose of the threshold cipher is for key security management: in order to solve the problem of single-point theft/invalidation of key management, the threshold cipher splits the key into n Shares are distributed to n parties for independent storage, among which any ≥t parties can exercise the function of the key without recovering the key, such as decryption or signature. The privacy of the key is information-theoretic for any party smaller than t. In addition to key security management, threshold ciphers can also be used as a means of resisting a certain degree of side channel attacks (first-order side channel attacks). Although the research on threshold traditional cryptography has been quite sufficient, there is little research on threshold post-quantum signature algorithms at this stage. Therefore, research on the thresholding of post-quantum signature algorithms has certain practical significance no matter from the perspective of technical card position or practical application.

This application takes Crystals-Dilithium (Dilithium for short) and its previous evolution algorithms GLP12 and BG14 as examples to conduct threshold research on post-quantum digital signature algorithms. There are two technical routes for designing lattice-based post-quantum digital signature schemes, namely the hash&sign route and the Fiat-Shamir route. Dilithium belongs to the Fiat-Shamir route. The calculation process of the Fiat-Shamir route can be summarized into three steps: "commitment", using the random oracle (random oracle, RO) to generate a "challenge" (challenge) from the promise and the signed message, and the random oracle in the commitment Number and signing key to generate a "response". The development of Dilithium roughly went through L09→L12→GLP12→BG14→Dilithium.

Dilithium mainly includes key generation algorithm Gen, signature algorithm Sign, and signature verification algorithm Verify. The "promise", "challenge" and "response" of the Fiat-Shamir route are included in Dilithium's signature algorithm Sign.

In order to facilitate the understanding of the embodiments of the present application, some definitions involved in the present application are briefly described first.

1. R _q =Z _q [x]/(x ⁿ +1), where R is a real number and Z is an integer. Z _q represents the set of integers smaller than q. Z _q [x] represents a polynomial about x, and the coefficient of each item of the polynomial is an integer smaller than q. R _q represents a polynomial with respect to x whose highest term is less than x ⁿ , and whose coefficients are also integers less than q. where q is a prime number and n is a power of 2. For example, q=2 ²³ -2 ¹³ +1, n=256.

2. S _k is a subset of R=Z[x]/(x ⁿ +1), and the coefficient value range of each item of polynomial S _k is [-k, k], Z[x]/( x ⁿ + 1) represents a polynomial with respect to x whose coefficients are integers and whose highest term is less than x ⁿ .

3. Hash function

in

It is an overall polynomial with the highest order n-1 and at most 32 coefficients of -1 or 1 (the remaining coefficients are 0). The degree of the item with the highest degree is called the order of the polynomial, and the overall polynomial with the highest order n-1 is the set of all polynomials whose order is less than or equal to n-1, that is, a constant, a linear, a quadratic,... ..., a set of n-1 formulas. For example,

is a polynomial with 5 terms having a coefficient of -1 or 1 and 27 terms having a coefficient of 0.

4. Hash function H: {0,1} ^* → B _τ , B _τ means that in the polynomial, there are τ coefficients whose value is 1 or -1, and the remaining coefficients are 0.

5.

Represents a judgment expression that returns true or false.

6. A hash function is a function that compresses a long input into a short output. When the hash function is anti-collision, it becomes an anti-collision hash function. A collision-resistant hash function mapped to {0,1} ³⁸⁴ is used in the signature scheme of this application. Anti-collision means that for a hash function, it is impossible to find two different inputs with the same output, that is, for x and x' satisfying x≠x', it is difficult to find H(x)=H(x') .

7. The floor(x) function can also be used

express. Its function is to "round down", or "round down", "round to zero", that is, to take the largest integer not greater than x.

8.

Its function is to "round up", that is, to take the largest integer not less than x.

9.mod is a modulo operation, which finds the remainder of the division of two numbers.

10. Masking vector (masking vector), in order to avoid the exposure of some secret vectors that need to be protected, a random vector used to cover up the secret vector is generated. For example, the first vector and the second vector in the private key are secret vectors. The secret vector is a vector composed of private keys of participating computer equipment, which needs to be kept secret.

11. γ ₁ and γ ₂ are preset parameters. γ ₁ and γ ₂ should be large enough that the key will not be displayed in the final signature, and should be small enough that the signature cannot be easily forged.

12. |||| _∞ represents the largest value among the absolute values of the coefficients in the polynomial.

13. In asymmetric cryptography, the keys used for encryption and decryption are different: usually one is public, called the public key (pk). The other is kept secret, called the private key (secret key, sk).

14. The function ExpandA is used to map the seed ρ∈{0,1} ²⁵⁶ to the matrix A∈R _q ^k×l represented by the number theory transform (NTT) domain. The number-theoretic transformation is a fast algorithm for computing convolutions. The most commonly used fast algorithm for calculating the convolution product is to use the fast Fourier transform. However, the fast Fourier transform must perform complex and floating-point operations, so the amount of calculation will be relatively large, and the error generated by floating-point operations will be relatively large. big. Using number-theoretic transformations to perform operations on integers only reduces the complexity of calculating the convolution product.

15. For a positive integer α, define r'=r mod ± α as a unique element r', satisfying -α/2<r'≤α/2 (when α is an even number), and (α-1)/2 ≤r'≤(α-1)/2 (when α is an odd number).

16. For a positive integer α, define r'=r mod ⁺ α as a unique element r', satisfying 0<r'≤α.

17. On the premise that both a and b represent vectors, a·b is the inner product of two vectors, and a×b is the outer product of two vectors.

18. If the string a is 01 and the string b is 10, then the two strings a and b can be connected to get 0110.

In order to better understand the scheme of thresholding the post-quantum digital signature algorithm in this application, this application first introduces GLP12 and BG14, which present the Fiat-Shamir route well:

The basic code of GLP12's key generation algorithm Gen is as follows:

The disadvantage of the GLP12 scheme is that since s ₁ and s ₂ need to be proved separately, corresponding z ₁ and z ₂ need to be generated, resulting in a larger size of the signature. BG14 solves this problem, only needs to prove s ₁ , thus only needs to generate z ₁ , greatly reducing the size of the signature. But this also leads to another problem, that is, since z ₂ is not included in the signature, t cannot be verified. The solution of BG14 is to use the rounding method, that is, the signature verification algorithm only verifies the part of t corresponding to s ₁ . The following introduces BG14, which is developed based on GLP12.

The basic code of the key generation algorithm Gen of BG14 is as follows:

Among them, HighBits is used to extract high-order bits, and LowBits is used to extract low-order bits.

Each coefficient w in A×y can be expressed as w=w ₁ ·2γ ₂ +w ₀ ,|w ₀ |≤γ ₂ , so HighBits(A×y,2γ ₂ ) returns a vector consisting of all w ₁ , that is, the upper bits of A×y. c is a polynomial in R _q , among its coefficients, τ coefficients are 1 or -1, and the remaining coefficients are 0. If the first step is to calculate z:=y+c×s ₁ , it is not safe to output the response z, because the key will be leaked, so BG14 uses the method of rejecting sampling to avoid the possible key exposure risk of z. Set the parameter β to the largest possible coefficient of the polynomial c×s _i , s _i includes s ₁ and s ₂ , the largest possible coefficient of c×s _i is the largest of the absolute values of the coefficients in the polynomial vectors c×s ₁ and c×s ₂ value. Since c has τ coefficients with values of 1 or -1 and the largest coefficient in _si is η, β≤τ·η. If any coefficient of response z is greater than or equal to γ ₁ -β, or A×yc×s ₂ has any coefficient of lower bits greater than or equal to γ ₂ -β, reject sampling and restart the signature process. Checking ||z|| _∞ ≥γ ₁ -β is for safety, and checking ||LowBits(A×yc×s ₂ ,2γ ₂ )|| _∞ ≥γ ₂ -β is for safety and correctness sex. The signing process is repeated in a loop until these two conditions are not met.

The basic code of BG14's signature verification algorithm Verify is as follows:

The verifier first calculates the high-order bit w' ₁ of A×zc×t, if ||z|| _∞ <γ ₁ -β and c is the hash value obtained from the message M and w' ₁ , the signature verification is passed. The main work of verifier verification is to verify HighBits(A×y,2γ ₂ )=HighBits(A×zc×t,2γ ₂ ), since z=y+c×s ₁ , t=A×s ₁ +s ₂ , Therefore, A×zc×t=A×yc×s ₂ , that is, verify HighBits(A×y,2γ ₂ )=HighBits(A×yc×s ₂ ,2γ ₂ ). The reason is that the maximum value of the low bit coefficient of A×yc×s ₂ ||LowBits(A×yc×s ₂ ,2γ ₂ )|| _∞ is less than γ ₂ -β, and the coefficient value of c×s ₂ is smaller than β, so Adding the lower bits of c×s ₂ to A×yc×s ₂ is not enough to cause a carry to affect the upper bits of A×yc×s ₂ (that is, the upper bits of A×y).

Dilithium is formed by optimizing the basic scheme of BG14 above, and its optimization ideas are as follows:

The most prominent problem of the basic scheme of BG14 is that the size of the public key pk is very large, which includes a matrix A composed of k×l polynomials, and each polynomial has up to 256 coefficients of 23 bits. The solution adopted by Dilithium is to use a public seed ρ to generate the matrix A.

Dilithium uses additional compression techniques to compress the size of the public key element t. The reason is that when the verifier calculates w' ₁ (line 1 of the signature verification function Verify), the high-order bits of A×zc×t actually do not depend much on the low-order bits of t, because t will be related to a polynomial with a very low weight c is multiplied. In the real Dilithium scheme, some low-order bits of t will be discarded, so the sign verifier may not be able to calculate some high-order bits of A×zc×t. In order to make up for the discarding of the low-order bits of t, the digital signature generation algorithm will add some hints (hints) bits as part of the signature. These "hints" bits are actually the carry obtained by adding the discarded low-order bits of c×t .

In order to compress the size of the public key, Dilithium needs to extract the high-order bits and low-order bits of the Z _q element. Its purpose is as follows: when given an arbitrary element r∈Z _q and another small element z∈Z _q , Dilithium wants to recover the upper bits of r+z without saving z. To this end, it is necessary to define such an algorithm, which takes r and z as input and generates a "hint" h of one bit, and then only r and h can be used to calculate the high-order bits of r+z. This one bit h actually makes the carry generated during the calculation of r+z. Power2Round _q and Decompose _q algorithms can be used to extract high and low bits.

Power2Round _q : Decompose the element r into r=r ₁ ×2 ^d +r ₀ intuitively on the bit representation of Z _q elements, where r ₀ =r mod ^± 2 ^d , r ₁ =(rr ₀ )/2 ^d . For a positive integer α, define r ₀ =r mod ^± α as a unique element r ₀ , satisfying -α/2<r ₀ ≤α/2 (when α is an even number), and (α-1)/2≤r ₀ ≤ (α-1)/2 (when α is an odd number).

Decompose _q : The problem with Power2Round _q is that the distance between floor(q/2 ^d ) and q may be small for the boundary case. The reason is that if r is chosen to be ₁ from 0 to

Between non-negative integers, the distance mod q between any r ₁ ·2 ^d and r ₁ '·2 ^d is usually ≥2 ^d (because |r ₁ -r ₁ '|≥1). Except for edge cases, in particular,

The distance mod q from 0 will be very small. Thus adding a small element to r may cause the high-order bits of r to change by more than 1. This contradicts the idea that Dilithium only wants to generate a one-bit "hint".

The solution is to choose α as the divisor of q-1, q-1 can be divisible by α, and decompose r=r ₁ ·α+r ₀ . At this point select r ₁ from 0 to

The non-negative integers between, the possible r ₁ ·α's are {0,α,2α,...,q-1}, equidistant between each pair, at this time r ₁ ·α's represents r ₁ ·α possible value. Since the distance between q-1 and 0 is 1 (since (q-1+1) mod q=0), remove q-1 from the set and simply treat the corresponding r _{+ 1} as 0 . Since q-1 and 0 only differ by 1, just subtract 1 from r ₀ .

Dilithium will use the following supporting algorithms:

The basic code of Power2Round _q is as follows:

Dilithium includes two versions, randomized signing and deterministic signing. The difference between the two lies in the way the random numbers used in the signature algorithm are generated. The former uses random numbers directly, while the latter uses random number generators to generate signed messages and signature private keys.

The following takes the random signature scheme as an example to introduce the basic scheme of Dilithium.

Among them, the basic code of Dilithium's key generation algorithm Gen is as follows:

The key generation algorithm Gen uses a public seed ρ to generate a k×l matrix A, each element in the matrix is a polynomial in R _q =Z _q [x]/(x ⁿ +1), and each polynomial is There are n items. The algorithm samples random key vectors s ₁ and s ₂ , that is, s ₁ is randomly generated from S _η ^l , and s ₂ is randomly generated from S _η ^k . Each entry of the random key vectors _s1 and _s2 is an element of _Rq with a coefficient up to η. Finally, the second part t ₁ and t ₀ of the key are calculated. All algebraic operations in this scheme are on the polynomial ring _Rq .

The basic code of Dilithium's signature algorithm Sign is as follows:

The embodiment of the present application implements the threshold Dilithium scheme by using secure multiparty computation technology (multiparty computation, MPC) under the condition of fully following the parameters in the above-mentioned Dilithium algorithm specification.

The threshold Dilithium scheme designed in the embodiment of the present application completely complies with the parameters in the original Dilithium specification. The main idea is to use a specific practical secure multi-party computing technology to threshold Dilithium. Since the thresholded Dilithium will not affect the signature verification algorithm Verify of the original scheme, this application only needs to threshold the key generation function and signature function, and keep the verification function unchanged.

Since the specifications of Dilithium have not been changed at all, and supplemented by secure multi-party computing technology, the process does not leak secret information, such as keys, intermediate states, etc., so the security of the threshold Dilithium scheme is guaranteed, so there is no need to re-prove the security of the threshold scheme . In the case of ensuring security, due to the low efficiency of secure multi-party computing, secure multi-party computing is only used when absolutely necessary for efficiency.

The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings.

Assuming that there are m computer devices in the system, any ≥p parties among them can exercise the function of the private key sk without recovering the key. m users divide the private key sk into m shares through the secret sharing scheme, so that each computer device i obtains a private key share sk _i of the private key sk.

It should be understood that in an actual scenario, only m computer devices are required to generate their own key shares sk _i , and when a joint signature is required, ≥ p computer devices can jointly sign to complete the function of the private key sk.

Exemplarily, when m=5, p=3, there are 5 computer devices A, B, C, D, E in the system, and they respectively correspond to private key shares sk ₁ , sk ₂ , sk ₃ , sk ₄ , sk ₅ . A piece of information M needs at least three computer devices to use their respective private keys to sign the message, that is, the ski of any at least three computer devices among the five computer devices A, B, C, D, and _E can be in Complete the signing of the message M without recovering the private key sk. During the signature process, any computer device cannot obtain the private key shares of other computer devices or useful information related to the private key sk.

The threshold Dilithium scheme includes two algorithms, the threshold key generation algorithm and the threshold joint signature algorithm.

Secure multi-party computation will use the following important signs: For a value x, [x] means that according to the agreed secret sharing scheme, x has been split into secret shares (shares) and each share has been delivered to the corresponding user, [ x] can also be represented by _xi , representing the i-th share of x obtained by the i-th user. The operation acting on [x] means that ≥p users use their respective secret shares to participate in the corresponding secure multi-party computing operation, such as [x]+[y] means that ≥p users use their own secret shares of x and the secret share of y to participate in the calculation of x+y. Commonly used secret sharing schemes are Shamir t-out-of-n secret sharing schemes, n-out-of-n secret sharing schemes, or other linear secret sharing schemes.

S310. Acquire a first matrix.

S320. Determine a first vector and a second vector.

S330. Determine a first key parameter share.

S340. Receive a key parameter shares from a computer device.

a is a positive integer greater than or equal to p-1, and p is the minimum number of users in the secret sharing scheme. The key parameter t can be obtained according to the key parameter shares [t] of more than or equal to p users. Therefore, the first computer device receives a key parameter share from a computer device to obtain the key parameter t.

It should be understood that s ₁ and s ₂ satisfy s ₁ =MPC(s ₁₁ ,...,s _i1 ,...), s ₂ =MPC(s ₁₂ ,...,s _i2 ,...). That is, after the secure multi-party computing scheme is selected, the parameter can be obtained according to the parameter shares of more than or equal to p computer devices. Exemplarily, a linear secret sharing scheme (LSSS) may be selected, that is, s ₁ =LSSS(s ₁₁ ,...,s _i1 ,...), s ₂ =LSSS(s ₁₂ ,...,s _i2 , ...), t=LSSS(t ₁ ,...,t _i ,...), i is less than or equal to p. Exemplarily, if the first computer device receives p-1 key parameter shares of p-1 computer devices, then t=LSSS(t ₁ ,...,t _i ,...,t _p ).

It should be understood that a computer device only needs to send its own key parameter share [t], that is to say, the generation of the key parameter t does not expose [s ₁ ] and [s ₂ ] of each computer device.

S350. Determine the high-order bits and low-order bits of the key parameter.

Exemplarily, the high-order bits and low-order bits of the key parameter t can be obtained according to the formula (t ₁ ,t ₀ )←Power2Round _q (t,d). The Power2Round _q function can decompose t into t=t ₁ ·2 ^d +t ₀ , where d is an integer greater than 0, t ₁ is the high-order bit of the key parameter t, and t ₀ is the low-order bit of the key parameter t.

S360. Determine a first random number.

Exemplarily, the first random number may be represented by tr. Optionally, tr can be determined according to the formula tr∈{0,1} ³⁸⁴ ←CRH(ρ||t ₁ ). Concatenate the public seed ρ and the high-order bit t ₁ of the key parameter t, and map the concatenated value of the public seed ρ and the high-order bit t ₁ of the key parameter t to {0,1} using a collision-resistant hash function ³⁸⁴ domain to obtain tr, that is, intercept the first 384 bits of the connection value, if the connection value has less than 384 bits, randomly generate the specified bits (±1 or 0) to fill in, and assign the final value to tr.

S370. Determine signature information of the first message.

The signature information of the first message may be determined according to the first vector, the second vector, the lower bits of the key parameter, the first random number and the matrix seed. Exemplarily, the signature information of the first message can be expressed as

The signature information of the first message includes answer z, prompt h and challenge

S380. The first computer device sends the first message and signature information of the first message to a second computer device.

The first computer device sends the first message and the signature information of the first message to the verifier, and the verifier will verify the message according to the information received from the first computer device.

S410. Receive a second message and signature information of the second message from the second computer device.

When the first computer device is a verifier of the signed message, receiving the second message and the signature information of the second message from the second computer device.

S410. Verify the signature information of the second message.

The first computer device verifies the signature information of the second message by using the public key. The public key may include the public seed ρ of the generator matrix, and the upper bits t ₁ of the key parameters.

The specific secure multi-party computation algorithm required by this application is as follows:

Random bit generation (random bit generation)[b]=MPCRb(): This algorithm generates a shared random bit[b] among ≥p users, that is, each user gets a secret share about this bit.

Less than comparison (less than comparison)[b]=MPCLt([x],[y]): Given two shared values [x] and [y] as input (that is, each user holds a secret share of x and A secret share of y), the algorithm outputs a shared bit [b] (that is, each user gets a secret share about this bit): if x<y, then b=1, otherwise b=0.

Equality comparison [b] = MPCEq([x], [y]): given two shared values [x] and [y] as input, the algorithm outputs a shared bit [b]: if x = y, then b=1, otherwise b=0.

Modulo reduction [x'] = MPCMod([x], m): Given a shared value [x] and a public modulus m as input, the algorithm outputs a shared value [x']: x '=x mod m.

The digital signature threshold method of this application needs to use the following supporting algorithms, and the header Thr of the algorithm name represents the threshold (threshold):

Optionally, in line 15 of the joint signature algorithm Thr-Sign of the threshold Dilithium, set the bit corresponding to [h] to be 0 when the two are equal, otherwise the bit corresponding to [h] is 1, and then Line 16 counts the number of 0s in [h], and in line 17, change the judgment condition to the number of 0s in h greater than the preset parameter.

The above is only the specific implementation of this application. Within the technical scope disclosed in this application, those skilled in the art can easily think of the threshold method about Dilithium and its evolution and deformation algorithm, which should be covered in this application. within the scope of protection. For example, the BG14 and GLP12 algorithms can also be thresholded using a similar secret sharing method and the corresponding threshold support algorithm.

The digital signature threshold method according to the embodiment of the present application has been described above, and the apparatus and equipment according to the embodiment of the present application will be described below with reference to FIG. 5 and FIG. 6 respectively.

The embodiment of the present application also provides a computer storage medium, the computer storage medium stores program instructions, and when the program is executed, it may include some or all steps of the digital signature threshold method in the corresponding embodiments as shown in Fig. 3 and Fig. 4 .

FIG. 5 is a structural example diagram of a computer device provided by an embodiment of the present application. The computer device 600 includes an acquisition module 610 , a processing module 620 and a sending module 630 .

Wherein, the obtaining module 610 is configured to obtain the first matrix and key parameter shares of at least p-1 users, and execute S310 and S340 in the method in FIG. 3 .

The acquiring module 610 is further configured to acquire the second message and the signature information of the second message, and execute S410 in the method in FIG. 4 .

The processing module 620 is configured to determine the signature information of the first message according to the first matrix, the first vector, the first key parameter share, the key parameter and the first random number, and execute some or all of the steps in the method in FIG. 3 .

The processing module 620 is configured to verify the signature information of the second message, and execute S420 in the method in FIG. 4 .

A sending module 630, configured to send the first message and the signature information of the first message to the second computer device.

FIG. 6 is a structural example diagram of another computer device 1300 provided in the embodiment of the present application. The computer device 1300 includes a processor 1302 , a communication interface 1303 and a memory 1304 . One example of computer device 1300 is a chip. Another example of computer apparatus 1300 is a computing device.

The methods disclosed in the foregoing embodiments of the present invention may be applied to the processor 1302 or implemented by the processor 1302 . Processor 1302 can be a central processing unit (central processing unit, CPU), and can also be other general-purpose processors, digital signal processors (digital signal processors, DSP), application specific integrated circuits (application specific integrated circuits, ASICs), on-site Programmable gate array (field programmable gate array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general purpose processor may be a microprocessor or any conventional processor or the like. In the implementation process, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 1302 or instructions in the form of software. Various methods, steps and logic block diagrams disclosed in the embodiments of the present invention may be implemented or executed. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor, and the like. The steps of the methods disclosed in the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor.

Memory 1304 can be volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. Among them, the non-volatile memory can be read-only memory (read-only memory, ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically programmable Erases programmable read-only memory (electrically EPROM, EEPROM) or flash memory. Volatile memory can be random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, many forms of RAM are available such as static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous connection dynamic random access memory (synchlink DRAM, SLDRAM ) and direct memory bus random access memory (direct rambus RAM, DR RAM). It should be noted that the memory of the systems and methods described herein is intended to include, but not be limited to, these and any other suitable types of memory.

The processor 1302, the memory 1304, and the communication interface 1303 may communicate through a bus. Executable codes are stored in the memory 1304, and the processor 1302 reads the executable codes in the memory 1304 to execute a corresponding method. The memory 1304 may also include an operating system and other software modules required for running processes. The operating system can be LINUX ^TM , UNIX ^TM , WINDOWS ^TM and so on.

For example, the executable code in the memory 1304 is used to implement the methods shown in FIG. 3 and FIG. 4 , and the processor 1302 reads the executable code in the memory 1304 to execute the methods shown in FIG. 3 and FIG. 4 .

In some embodiments of the present application, the disclosed methods may be implemented as computer program instructions encoded in a machine-readable format on a computer-readable storage medium or on other non-transitory media or articles of manufacture. Figure 7 schematically illustrates a conceptual partial view of an example computer program product comprising a computer program for executing a computer process on a computing device, arranged in accordance with at least some embodiments presented herein. In one embodiment, the example computer program product 1400 is provided using a signal bearing medium 1401 . The signal bearing medium 1401 may include one or more program instructions 1402, which may provide the functions or part of the functions described above with respect to the methods shown in FIG. 3 and FIG. 4 when executed by one or more processors. Thus, for example, with reference to the embodiments shown in FIGS. 3 and 4 , one or more features therein may be undertaken by one or more instructions associated with the signal bearing medium 1401 .

In some examples, signal bearing medium 1401 may comprise computer readable medium 1403 such as, but not limited to, a hard drive, compact disc (CD), digital video disc (DVD), digital tape, memory, read-only memory (read only memory) -only memory, ROM) or random access memory (random access memory, RAM) and so on. In some implementations, signal bearing media 1401 may comprise computer recordable media 1404 such as, but not limited to, memory, read/write (R/W) CDs, R/W DVDs, and the like. In some implementations, signal bearing media 1401 may include communication media 1405 such as, but not limited to, digital and/or analog communication media (eg, fiber optic cables, waveguides, wired communication links, wireless communication links, etc.). Thus, for example, signal bearing medium 1401 may be conveyed by a wireless form of communication medium 1405 (eg, a wireless communication medium that complies with the IEEE 802.11 standard or other transmission protocol). One or more program instructions 1402 may be, for example, computer-executable instructions or logic-implemented instructions. In some examples, the aforementioned computing device may be configured to, in response to program instructions 1402 communicated to the computing device via one or more of computer-readable media 1403, computer-recordable media 1404, and/or communication media 1405, Various operations, functions, or actions are provided. It should be understood that the arrangements described herein are for example purposes only. Accordingly, those skilled in the art will appreciate that other arrangements and other elements (e.g., machines, interfaces, functions, sequences, and groups of functions, etc.) can be used instead, and some elements may be omitted altogether depending on the desired result. . In addition, many of the described elements are functional entities that may be implemented as discrete or distributed components, or implemented in conjunction with other components in any suitable combination and location.

Those skilled in the art can appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are executed by hardware or software depends on the specific application and design constraints of the technical solution. Skilled artisans may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as exceeding the scope of the present application.

Those skilled in the art can clearly understand that for the convenience and brevity of the description, the specific working process of the above-described system, device and unit can refer to the corresponding process in the foregoing method embodiment, which will not be repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components can be combined or May be integrated into another system, or some features may be ignored, or not implemented. In another point, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.

The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.

If the functions described above are realized in the form of software function units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application is essentially or the part that contributes to the prior art or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disc and other media that can store program codes. .

The above is only a specific implementation of the application, but the scope of protection of the application is not limited thereto. Anyone familiar with the technical field can easily think of changes or substitutions within the technical scope disclosed in the application. Should be covered within the protection scope of this application. Therefore, the protection scope of the present application should be determined by the protection scope of the claims.

Claims

A digital signature threshold method, characterized in that, comprising:

The first computer device acquires a first matrix, the first matrix is a matrix with k rows and l columns, and k and l are positive integers greater than or equal to 1;

said first computer device determines a first vector and a second vector;

The first computer device determines a first key parameter share based on the first matrix, the first vector, and the second vector;

The first computer device receives a key parameter shares from a computer device, a is a positive integer greater than or equal to p-1, and p is the minimum number of computer devices in the secret sharing scheme;

The first computer device determines the high-order bits and low-order bits of key parameters according to the first key parameter share and the a key parameter shares;

The first computer device determines a first random number according to the matrix seed and the upper bits of the key parameter;

The first computer device determines the signature information of the first message according to the first vector, the second vector, the lower bits of the key parameter, the first random number and the matrix seed;

The first computer device sends the first message and the signature information of the first message to a second computer device, and the second computer device is one of the a computer devices.
The method according to claim 1, wherein the signature information of the first message includes: challenge, response and prompt,

The first computer device determines the signature information of the first message according to the first vector, the second vector, the lower bits of the key parameter, the first random number and the matrix seed, include:

The first computer device determines a challenge parameter according to the first random number and the first message;

The first computer device determines the challenge according to a first preset parameter, the first matrix and the challenge parameter;

The first computer device determines the response based on the first preset parameter, the challenge and the first vector;

The first computer device determines the hint according to the challenge, the lower bits of the key parameter, the first matrix, the first preset parameter, and the second vector.
The method according to claim 2, wherein the first computer device determines the challenge according to the first preset parameters, the first matrix and the signature of the first message, comprising:

The first computer device generates a masking vector according to the first preset parameter, wherein the masking vector includes l polynomials, and the coefficient of each polynomial in the l polynomials is less than or equal to the first preset parameter;

The first computer device determines a first promised intermediate share based on the first matrix and the masked vector;

The first computer device acquires high-order bits of a promise intermediate shares from the a computer device;

The first computer device determines the promise according to the upper bits of the first middle part of the promise and the upper bits of the a middle parts of the promise;

The first computer device determines the challenge based on the promise and the signature of the first message.
The method according to claim 3, wherein said first computer device determines said response according to said first preset parameter, said challenge and said first vector, comprising:

The first computer device determines a first response share according to the masked vector, the challenge and the first vector;

The first computer device obtains a response shares from the a computer device;

The first computer device determines the response according to the first response share and the a response shares.
The method according to claim 4, wherein the first computer device is based on the challenge, the lower bits of the key parameter, the first matrix, the first preset parameter and the The second vector, determining the prompt, includes:

The first computer device determines a first hint share according to the challenge, the low-order bits of the key parameter, the first promise intermediate share, and the second vector;

The first computer device acquires a reminder shares from the a computer device;

The first computer device determines the reminder according to the first reminder share and the a reminder shares.
The method according to any one of claims 2 to 5, wherein the method further comprises:

The first computer device receives a second message from the second computer device and signature information for the second message;

The first computer device verifies the signature information of the second message according to the matrix seed and the upper bits of the key parameter.
A computer device, characterized in that it includes:

An acquisition module, configured to acquire a first matrix, the first matrix is a matrix with m rows and l columns, and k and l are positive integers greater than or equal to 1;

a processing module, configured to determine the first vector and the second vector;

The processing module is further configured to determine a first key parameter share according to the first matrix, the first vector, and the second vector;

The acquisition module is also used to receive a key parameter share from a computer device, where a is a positive integer greater than or equal to p-1, and p is the minimum number of users of the secret sharing scheme;

The processing module is further configured to determine high-order bits and low-order bits of key parameters according to the first key parameter share and the a key parameter shares;

The processing module is further configured to determine a first random number according to the matrix seed and the upper bits of the key parameter;

The processing module is further configured to determine the signature information of the first message according to the first vector, the second vector, the lower bits of the key parameter, the first random number and the matrix seed;

A sending module, configured to send the first message and the signature information of the first message to another computer device, where the other computer device is one of the a computer devices.
The device according to claim 7, wherein the processing module is specifically used for:

Determine a challenge parameter according to the first random number and the first message;

determining a challenge according to a first preset parameter, the first matrix, and the challenge parameter;

determining a response according to the first preset parameter, the challenge and the first vector;

A hint is determined according to the challenge, the lower bits of the key parameter, the first matrix, the first preset parameter, and the second vector.
The device according to claim 8, wherein the obtaining module is further configured to obtain high-order bits of a promised intermediate portion from the a computer equipment;

The processing module is specifically used for:

Generate a masking vector according to the first preset parameter, wherein the masking vector includes l polynomials, and the coefficient of each polynomial in the l polynomials is less than or equal to the first preset parameter;

determining a first promised intermediate share based on the first matrix and the masked vector;

determining the promise according to the high-order bits of the first committed middle part and the high-order bits of the a promised middle parts;

The challenge is determined based on the promise and the signature of the first message.
The apparatus according to claim 9, wherein the acquisition module is further configured to acquire a response shares from the a computer equipment;

The processing module is specifically used for:

determining a first response share based on the masked vector, the challenge, and the first vector;

The response is determined according to the first response share and the a response shares.
The device according to claim 10, wherein the acquisition module is further configured to acquire a reminders from the a computer equipment;

The processing module is specifically used for:

determining a first hint share based on the challenge, the lower bits of the key parameter, the first promise intermediate share, and the second vector;

The prompt is determined according to the first prompt share and the k prompt shares.
The apparatus according to any one of claims 8 to 11, wherein the obtaining module is further configured to receive a second message from the other computer device and signature information of the second message;

The processing module is further configured to verify the signature information of the second message according to the high order bits of the matrix seed and the key parameter.
A computer device, characterized in that it comprises: a processor, configured to be coupled to a memory, read and execute instructions and/or program codes in the memory, so as to perform any one of claims 1-6 method described in the item.
A system on a chip, characterized in that it includes: a logic circuit, the logic circuit is used to couple with an input/output interface, and transmit data through the input/output interface, so as to perform the operation described in any one of claims 1-6. described method.
A computer-readable medium, characterized in that the computer-readable medium stores program codes, and when the computer program codes run on a computer, the computer executes the method described in any one of claims 1-6. method.