WO2023124364A1 - Anti-fraud secret sharing methods and apparatuses - Google Patents
Anti-fraud secret sharing methods and apparatuses Download PDFInfo
- Publication number
- WO2023124364A1 WO2023124364A1 PCT/CN2022/124345 CN2022124345W WO2023124364A1 WO 2023124364 A1 WO2023124364 A1 WO 2023124364A1 CN 2022124345 W CN2022124345 W CN 2022124345W WO 2023124364 A1 WO2023124364 A1 WO 2023124364A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- secret
- polynomial
- slice
- commitment
- slices
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 85
- 238000011084 recovery Methods 0.000 claims abstract description 24
- 238000012545 processing Methods 0.000 claims description 28
- 238000012795 verification Methods 0.000 claims description 23
- 238000004891 communication Methods 0.000 claims description 13
- 238000004590 computer program Methods 0.000 claims description 10
- 238000003860 storage Methods 0.000 claims description 10
- 238000013467 fragmentation Methods 0.000 claims description 3
- 238000006062 fragmentation reaction Methods 0.000 claims description 3
- 230000008569 process Effects 0.000 abstract description 19
- 238000009826 distribution Methods 0.000 abstract description 16
- 239000012634 fragment Substances 0.000 abstract description 11
- 238000013461 design Methods 0.000 description 24
- 238000010586 diagram Methods 0.000 description 12
- 238000004422 calculation algorithm Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 5
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/953—Querying, e.g. by the use of web search engines
- G06F16/9535—Search customisation based on user profiles and personalisation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/953—Querying, e.g. by the use of web search engines
- G06F16/9536—Search customisation based on social or collaborative filtering
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
Definitions
- the present application relates to the field of computer technology, in particular to a fraud-proof secret sharing method and device.
- the security of the secret is of paramount importance. If the secret is in the hands of a single point, there will be a single point of risk, and the single point can do whatever it wants. If the secret is divided into w parts and handed over to w single points for management, the secret can be restored by collecting the secret fragments in the hands of w single points when necessary. Dissatisfied decisions or lost secret slices will make it impossible to recover the secret.
- the above secret sharing algorithm is based on some security assumptions, that is, the secret distributor and the secret slice holder are honest. However, in practical situations, participants may be dishonest, so there must be some security risks. For example, if the secret distributor is malicious and the secret shard sent to the shard holder is wrong, then in the secret recovery phase, enough secret shards cannot recover the correct secret. If the shard holder does evil and provides wrong secret shards, then in the secret recovery phase, the correct secret cannot be recovered based on the collected secret shards.
- the present application provides an anti-fraud secret sharing method and device, which are used to prevent fraud during the secret sharing process and improve the security of secret sharing.
- the embodiment of the present application provides a fraud-proof secret sharing method, which can be applied to secret distributors.
- the method includes: according to the secret polynomial f(x) and the number W of secret slice holders, generating W secret slices of the secret S; generate a polynomial commitment C corresponding to the secret S, and broadcast the polynomial commitment C to the W secret slice holders, and the polynomial commitment C is used for the secret slice
- the slice holder verifies the received secret slice; distributes the W secret slices to the W secret slice holders.
- the secret distributor in the secret distribution stage, not only needs to provide the secret slice, but also needs to provide a polynomial commitment that can prove that the secret slice is correct, and the promise will not disclose any information about the secret slice and the original secret. Therefore, the secret distribution phase and the secret recovery phase can verify the correctness of the secret slice, thereby ensuring that the secret sharing algorithm is fraud-proof.
- a j is a polynomial coefficient, 0 ⁇ j ⁇ t-1, p is a prime number.
- the embodiment of this application provides another anti-fraud secret sharing method, which can be applied to the secret slice holder, and the method includes: receiving the polynomial commitment C corresponding to the secret S from the secret distributor; receiving A secret slice S i of the secret S from the secret distributor; according to the polynomial commitment C, the correctness of the secret slice S i is verified.
- the secret slice holder in the secret distribution stage, after receiving the polynomial commitment broadcast by the secret distributor and the secret slice distributed to itself, the secret slice holder can verify the correctness of the received secret slice according to the polynomial commitment. Verification, in order to timely identify the situation where the secret distributor distributes the wrong secret slice, so as to avoid security risks caused by the dishonesty of the secret distributor.
- the verification of the secret slice S i according to the polynomial commitment C includes: if the secret slice S i (xi , y i ) satisfies the formula: Then it is determined that the verification is successful, otherwise the verification fails.
- the embodiment of the present application provides another anti-fraud secret sharing method, which can be applied to the secret restorer, and the method includes: collecting t secret slices S i of the secret S; according to the t secret slices S i , recover the secret S; verify the correctness of the recovered secret S according to the polynomial commitment C corresponding to the secret S.
- the secret recoverer in the secret recovery phase, can verify the correctness of the secret S recovered by using at least t secret slices S i collected according to the parameters in the polynomial commitment, so as to identify the secret slices in time
- the holder provides the wrong secret slice, so as to avoid the security risks caused by the dishonesty of the secret slice holder.
- the verifying the correctness of the restored secret S according to the polynomial commitment C corresponding to the secret S includes: if the restored secret S satisfies the formula: g S mod p, it is determined that the recovery is successful, otherwise the recovery fails.
- the embodiment of the present application provides a fraud-proof secret sharing device, which may be a device of the secret distributor or a chip or circuit configured in the device of the secret distributor, and the device includes:
- a processing module configured to generate W secret slices of the secret S according to the secret polynomial f(x) and the number W of secret slice holders;
- the processing module is further configured to generate a polynomial commitment C corresponding to the secret S, and broadcast the polynomial commitment C to the W secret slice holders, and the polynomial commitment C is used for the secret slice The holder verifies the received secret slice;
- a communication module configured to distribute the W secret slices to the W secret slice holders.
- a j is a polynomial coefficient, 0 ⁇ j ⁇ t-1, p is a prime number.
- the embodiment of the present application provides another anti-fraud secret sharing device, which can be the device of the secret slice holder or a chip or circuit configured in the device of the secret slice holder.
- another anti-fraud secret sharing device which can be the device of the secret slice holder or a chip or circuit configured in the device of the secret slice holder.
- the communication module is used to receive the polynomial commitment C corresponding to the secret S from the secret distributor;
- the communication module is further configured to receive a secret slice S i of the secret S from the secret distributor;
- a processing module configured to verify the correctness of the secret slice S i according to the polynomial commitment C.
- the processing module is specifically configured to: if the secret slice S i ( xi , y i ) satisfies the formula: Then it is determined that the verification is successful, otherwise the verification fails.
- the embodiment of the present application provides another anti-fraud secret sharing device, which may be the device of the secret restorer or a chip or circuit configured in the device of the secret restorer, and the device includes:
- a communication module configured to collect at least t secret slices S i of said secret S
- a processing module configured to restore the secret S according to the collected at least t secret slices S i ;
- the processing module is further configured to verify the correctness of the recovered secret S according to the polynomial commitment C corresponding to the secret S.
- the processing module is specifically configured to: if the restored secret S satisfies the formula: Then it is determined that the recovery is successful, otherwise the recovery fails.
- the embodiment of the present application also provides a computer device, including:
- the processor is configured to call the program instructions stored in the memory, and execute the method as described in various possible designs of the first aspect or the second aspect or the third aspect according to the obtained program instructions.
- the embodiment of the present application also provides a computer-readable storage medium, in which computer-readable instructions are stored, and when the computer reads and executes the computer-readable instructions, the above-mentioned first aspect or the second aspect or The method described in any possible design of the third aspect is realized.
- the embodiment of the present application also provides a computer program product, including computer-readable instructions.
- the computer-readable instructions are executed by a processor, any one of the above-mentioned first aspect, second aspect, or third aspect The method implementation described in Possible Design.
- FIG. 1 is a schematic flowchart of a fraud-proof secret sharing method provided by an embodiment of the present application
- Fig. 2 is a schematic diagram of the secret slice calculation process in the embodiment of the present application.
- FIG. 3 is a schematic flowchart of another anti-fraud secret sharing method provided by the embodiment of the present application.
- FIG. 4 is a schematic flow diagram of the secret distribution process in the embodiment of the present application.
- FIG. 5 is a schematic flowchart of another anti-fraud secret sharing method provided by the embodiment of the present application.
- FIG. 6 is a schematic flow diagram of the secret recovery process in the embodiment of the present application.
- FIG. 7 is a schematic structural diagram of an anti-fraud secret sharing device provided by an embodiment of the present application.
- FIG. 8 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
- a plurality refers to two or more than two. Words such as “first” and “second” are only used for the purpose of distinguishing descriptions, and cannot be understood as indicating or implying relative importance, nor can they be understood as indicating or implying order.
- Fragmentation and restoration The process in which a data is decomposed into several fragments is called fragmentation. The process of restoring these fragments to original data is called restoration.
- Threshold sharding restoration If a piece of data is decomposed into n pieces, the original data can be restored if and only after k pieces are collected, which is called (n,k) threshold sharding and restoration.
- the embodiment of the present application provides a fraud-proof secret sharing method, which can ensure the secret distribution stage and the secret
- the recovery phase can verify the correctness of the secret slice, so that the secret sharing process can prevent fraud, and the correct secret S can be recovered according to the normal logic.
- the secret sharing process in this application includes the secret distribution stage and the secret sharing stage, wherein the secret distribution stage is mainly: the secret distributor divides the secret and distributes it to multiple secret fragment holders, and provides a computable commitment at the same time, The secret slice holder verifies the correctness of the received secret slice according to the computable commitment; the secret recovery stage is mainly: the secret restorer collects enough secret slices, restores the secret, and restores the secret according to the computable commitment The final secret is verified for correctness.
- the secret distribution stage is mainly: the secret distributor divides the secret and distributes it to multiple secret fragment holders, and provides a computable commitment at the same time, The secret slice holder verifies the correctness of the received secret slice according to the computable commitment
- the secret recovery stage is mainly: the secret restorer collects enough secret slices, restores the secret, and restores the secret according to the computable commitment The final secret is verified for correctness.
- Fig. 1 exemplarily shows a fraud-proof secret sharing method provided by the embodiment of the present application, which is applicable to the secret distribution stage in the secret sharing process, and can be specifically executed by the secret distributor.
- the method includes:
- Step 101 the secret distributor generates W secret slices of the secret S according to the secret polynomial f(x) and the number W of secret slice holders.
- the secret polynomial f(x) can be expressed as follows:
- a j is a polynomial coefficient
- t is the secret restoration threshold
- mod means modulo
- p is a prime number.
- the polynomial coefficients in the above secret polynomial f(x) may be randomly generated by the secret distributor, and only known by the secret distributor. Furthermore, S ⁇ p.
- the secret distributor can perform specific operations on the secret S based on the secret polynomial f(x) to obtain W secret slices S i (0 ⁇ i ⁇ w).
- the secret distributor can randomly select W unequal values of x ⁇ x 1 ,x 2 ,...,x w ⁇ , and substitute them into the Describe the secret polynomial f(x), calculate the corresponding y value ⁇ y 1 ,y 2 ,...,y w ⁇ , and get w points: ⁇ (x 1 ,y 1 ),(x 2 ,y 2 ),..., (x w ,y w ) ⁇ .
- the secret slice S i contains part of the secret, but it is impossible to get all of the secret, the security of the secret can be ensured by distributing the secret slice S i .
- Step 102 the secret distributor generates a polynomial commitment C corresponding to the secret S, and broadcasts the polynomial commitment C to the W secret slice holders, and the polynomial commitment C is used for the secret slice holding The author verifies the received secret slice.
- the secret distributor After the secret distributor calculates the polynomial commitment C, it can broadcast the polynomial commitment C to W secret slice holders. Since the polynomial commitment C is an operation on a finite field, obtaining the polynomial commitment C cannot obtain (or calculate) the secret slice S i or the original secret S.
- the polynomial commitment C may also be called a computable commitment or a verifiable commitment, which is not specifically limited in this application.
- Step 103 the secret distributor distributes the W secret slices to the W secret slice holders.
- Fig. 3 exemplarily shows another anti-fraud secret sharing method provided by the embodiment of the present application, which is applicable to the secret distribution stage in the secret sharing process, and can be specifically executed by the secret slice holder.
- the method includes:
- Step 301 the secret slice holder receives the polynomial commitment C corresponding to the secret S from the secret distributor.
- Step 302 the secret slice holder receives a secret slice S i of the secret S from the secret distributor.
- Step 303 the secret slice holder verifies the correctness of the secret slice S i according to the polynomial commitment C.
- the secret slice holder Pi can reject the secret slice S i , for example The secret slice S i can be discarded.
- the secret slice holder P i may send feedback information to the secret distributor, and the feedback information is used to indicate acceptance or rejection of the secret slice S i , or Said is used to indicate the success or failure of the verification of the secret segment S i .
- each secret slice holder among the W secret slice holders after receiving the secret slice distributed to him by the secret distributor, can follow the steps shown in Figure 2.
- Fig. 4 exemplarily shows another anti-fraud secret sharing method provided by the embodiment of the present application, which is applied to a secret restorer and executed in the secret restoration phase.
- the method includes:
- Step 401 the secret recoverer recovers the secret S according to at least t secret slices S i of the secret S collected.
- each secret slice holder P i can send its own secret slice S i to the secret restorer.
- the secret restorer can be the secret distributor or W secret slice holders One of the participants, or other participants in the secret sharing process except the secret distributor and the W secret slice holders, which is not specifically limited in this application.
- the secret restorer can calculate the secret S using the Lagrangian interpolation theorem:
- Step 402 the secret recoverer verifies the correctness of the recovered secret S according to the polynomial commitment C corresponding to the secret S.
- the secret restorer verifies the correctness of the recovered secret S according to the following formula:
- the verification is passed, indicating that the secret S is recovered correctly. If the above formula is not satisfied, the verification fails, indicating that the currently obtained secret slice is not completely correct.
- This method helps the secret restorer to timely identify the situation that the secret slice holder provides the wrong secret slice, so as to avoid the potential safety hazard caused by the dishonesty of the secret slice holder.
- the secret distributor not only needs to provide the secret slice, but also needs to provide a computable commitment that can prove that the secret slice is correct, and the promise will not reveal any information about the secret slice and the original secret. Therefore, the secret distribution phase and the secret recovery phase can verify the correctness of the secret slice, thereby ensuring that the secret sharing algorithm is fraud-proof.
- Fig. 5 exemplarily shows a schematic flow chart of the secret distribution process in the embodiment of the present application.
- the secret distribution process includes the following steps:
- Step 501 the secret distributor constructs a secret polynomial according to the secret restoration threshold t.
- Step 502 the secret distributor generates W secret slices according to the number W of secret slice holders and the secret polynomial f(x).
- Step 503 the secret distributor calculates the polynomial commitment C, and broadcasts the polynomial commitment C to W secret slice holders.
- Step 504 the secret distributor distributes W secret slices to corresponding secret slice holders respectively.
- Step 505 the secret slice holder verifies whether the secret slice is correct.
- Step 506 judging whether the verification is passed.
- Step 507 if the verification is passed, the secret slice holder accepts the secret slice.
- Step 508 if the verification fails, the secret slice holder rejects the secret slice.
- Figure 6 exemplarily shows a schematic flow chart of the secret recovery process in the embodiment of the present application.
- the secret recovery process includes the following steps:
- Step 601 the secret restorer receives the secret slice sent by the secret slice holder.
- Step 602 the secret restorer judges whether the number of collected secret fragments is greater than the secret restoration threshold t.
- Step 603 if it is greater than the secret restoration threshold t, the secret restorer calculates the secret S according to Lagrangian theorem.
- Step 604 the secret restorer verifies the correctness of the recovered secret S according to the polynomial commitment C.
- Step 605 judging whether the verification is passed? If the verification is passed, end.
- Step 606 if the verification fails, the secret restorer judges whether there are unreceived secret fragments.
- step 601 If there are unreceived secret slices, jump to step 601, recalculate and verify the secret S, otherwise, end.
- this application provides a fraud-proof secret sharing scheme, which can solve the security assumption problem in the secret sharing process.
- the core is that in the secret distribution process, the secret distributor not only provides the The verifiability commitment of the slice, under the premise of ensuring that the secret slice and the original secret information are not leaked, the secret slice holder can verify the correctness of the received secret slice according to the verifiability promise, and ensure the secret recovery The stage is able to restore the original secret and verify correctness.
- the present application also provides an anti-fraud secret sharing device, which is used to implement the anti-fraud secret sharing method in the above method embodiment.
- the device can be a secret distributor or a secret slice holder or a secret restorer in the secret sharing process.
- the apparatus 700 includes: a communication module 710 and a processing module 720 .
- the processing module 720 is configured to generate W secret slices of the secret S according to the secret polynomial f(x) and the number W of secret slice holders; and, to generate The polynomial commitment C corresponding to the secret S.
- the communication module 710 is configured to broadcast the polynomial commitment C to the W secret slice holders, and the polynomial commitment C is used for the secret slice holders to verify the received secret slice and, for distributing the W secret slices to the W secret slice holders.
- a j is a polynomial coefficient, 0 ⁇ j ⁇ t-1, p is a prime number.
- the communication module 710 is configured to receive the polynomial commitment C corresponding to the secret S from the secret distributor; and is configured to receive the secret S from the secret distributor A secret slice S i of .
- the processing module 720 is configured to verify the correctness of the secret slice S i according to the polynomial commitment C.
- the processing module 720 is specifically configured to: if the secret slice S i ( xi , y i ) satisfies the formula: Then it is determined that the verification is successful, otherwise the verification fails.
- the communication module 710 is configured to collect at least t secret slices S i of the secret S.
- the processing module 720 is configured to recover the secret S according to the collected at least t secret slices S i ; and, according to the polynomial commitment C corresponding to the secret S, the recovered secret S Verify correctness.
- the processing module 720 is specifically configured to: if the recovered secret S satisfies the formula: Then it is determined that the recovery is successful, otherwise the recovery fails.
- the embodiment of the present application also provides a computer device, as shown in FIG. 8 , including at least one processor 801, and a memory 802 connected to the at least one processor.
- the specific connection medium between the processor 801 and the memory 802, the bus connection between the processor 801 and the memory 802 in FIG. 8 is taken as an example.
- the bus can be divided into address bus, data bus, control bus and so on.
- the memory 802 stores instructions executable by at least one processor 801, and the at least one processor 801 can implement the steps of the secret sharing method above by executing the instructions stored in the memory 802.
- the processor 801 is the control center of the computer equipment, which can use various interfaces and lines to connect various parts of the computer equipment, by running or executing the instructions stored in the memory 802 and calling the data stored in the memory 802, so as to perform resource set up.
- the processor 801 may include one or more processing units, and the processor 801 may integrate an application processor and a modem processor.
- the tuner processor mainly handles wireless communication. It can be understood that the foregoing modem processor may not be integrated into the processor 801 .
- the processor 801 and the memory 802 can be implemented on the same chip, and in some embodiments, they can also be implemented on independent chips.
- the processor 801 can be a general-purpose processor, such as a central processing unit (CPU), a digital signal processor, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array or other programmable logic devices, discrete gates or transistors Logic devices and discrete hardware components can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application.
- a general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the methods disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
- the memory 802 can be used to store non-volatile software programs, non-volatile computer-executable programs and modules.
- Memory 802 may include at least one type of storage medium, for example, may include flash memory, hard disk, multimedia card, card memory, random access memory (Random Access Memory, RAM), static random access memory (Static Random Access Memory, SRAM), Programmable Read Only Memory (PROM), Read Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Magnetic Memory, Disk , CD, etc.
- Memory 802 is, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
- the memory 802 in the embodiment of the present application may also be a circuit or any other device capable of implementing a storage function, and is used for storing program instructions and/or data.
- the embodiment of the present application also provides a computer-readable storage medium, the computer-readable storage medium stores computer-readable instructions, and when the computer reads and executes the computer-readable instructions, the above method is implemented implementation of the method in the example.
- the embodiments of the present application further provide a computer program product, including computer readable instructions, and when the computer readable instructions are executed by a processor, the methods in the above method embodiments are implemented.
- the embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
- computer-usable storage media including but not limited to disk storage, CD-ROM, optical storage, etc.
- These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions
- the device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
Landscapes
- Engineering & Computer Science (AREA)
- Databases & Information Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Health & Medical Sciences (AREA)
- Economics (AREA)
- General Health & Medical Sciences (AREA)
- Human Resources & Organizations (AREA)
- Marketing (AREA)
- Primary Health Care (AREA)
- Strategic Management (AREA)
- Tourism & Hospitality (AREA)
- General Business, Economics & Management (AREA)
- Storage Device Security (AREA)
Abstract
Provided in the present application are anti-fraud secret sharing methods and apparatuses, which are used for solving the safety hypothesis problem in a secret sharing process. A method comprises: in a secret distribution process, a secret distributor not only provides secret fragments, but also provides a verifiable commitment of the secret fragments. Therefore, while ensuring no leakage of the secret fragments and original secret information, secret fragment holders can verify the correctness of the received secret fragments according to the verifiable commitment, thus ensuring that the original secret can be restored and the correctness can be verified at the secret recovery stage.
Description
相关申请的交叉引用Cross References to Related Applications
本申请要求在2021年12月27日提交中国专利局、申请号为202111617418.3、申请名称为“一种防欺诈的秘密分享方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to a Chinese patent application filed with the China Patent Office on December 27, 2021, with application number 202111617418.3 and titled "An Anti-fraud Secret Sharing Method and Device", the entire contents of which are hereby incorporated by reference In this application.
本申请涉及计算机技术领域,尤其涉及一种防欺诈的秘密分享方法及装置。The present application relates to the field of computer technology, in particular to a fraud-proof secret sharing method and device.
对于任何秘密S,尤其是涉及集体利益的秘密而言,秘密的安全性至关重要。如果秘密掌握在一个单点手中,会存在单点风险,单点可以为所欲为。如果把秘密切分成w份,分别交给w个单点管理,需要时集齐w个单点手中的秘密分片即可恢复秘密,但是这种方式也存在风险,比如某一个单点对集体决策不满或者丢失了秘密分片,则会导致无法恢复秘密。For any secret S, especially one involving collective interests, the security of the secret is of paramount importance. If the secret is in the hands of a single point, there will be a single point of risk, and the single point can do whatever it wants. If the secret is divided into w parts and handed over to w single points for management, the secret can be restored by collecting the secret fragments in the hands of w single points when necessary. Dissatisfied decisions or lost secret slices will make it impossible to recover the secret.
针对该问题,现有技术中的秘密分享方法提供了一定的容错机制,即:将秘密切分为w份,分别交给w个单点管理,但是只需要t(t<=w)个单点手中的秘密分片即可恢复秘密原文,不需要所有的秘密分片持有者都参与,以确保秘密的安全。To solve this problem, the secret sharing method in the prior art provides a certain fault-tolerant mechanism, that is, the secret is divided into w shares, which are respectively handed over to w single points for management, but only t (t<=w) single points are required. Click on the secret slice in your hand to restore the original secret text, and it is not necessary for all secret slice holders to participate to ensure the security of the secret.
但是上述秘密分享算法是建立在一些安全假设之上的,即秘密分发者、秘密分片持有者都是诚实的。然而,在实际情况中,参与者可能是不诚实的,那么必然存在一些安全风险。例如,如果秘密分发者作恶,发送给分片持有者的秘密分片是错误的,那么在秘密恢复阶段,足够的秘密分片并不能恢复出正确的秘密。如果分片持有者作恶,提供错误的秘密分片,那么在秘密恢复阶段,无法根据收集到的秘密分片恢复出正确的秘密。However, the above secret sharing algorithm is based on some security assumptions, that is, the secret distributor and the secret slice holder are honest. However, in practical situations, participants may be dishonest, so there must be some security risks. For example, if the secret distributor is malicious and the secret shard sent to the shard holder is wrong, then in the secret recovery phase, enough secret shards cannot recover the correct secret. If the shard holder does evil and provides wrong secret shards, then in the secret recovery phase, the correct secret cannot be recovered based on the collected secret shards.
综上,现有的秘密分享算法是不安全的,不具备抗欺诈性。To sum up, the existing secret sharing algorithm is insecure and not anti-fraud.
发明内容Contents of the invention
本申请提供一种防欺诈的秘密共享方法及装置,用以使秘密分享过程能够防欺诈,提高秘密分享的安全性。The present application provides an anti-fraud secret sharing method and device, which are used to prevent fraud during the secret sharing process and improve the security of secret sharing.
第一方面,本申请实施例提供一种防欺诈的秘密分享方法,该方法可应用于秘密分发者,该方法包括:根据秘密多项式f(x)和秘密分片持有者的数量W,生成秘密S的W个秘密分片;生成所述秘密S对应的多项式承诺C,并向所述W个秘密分片持有者广播所述多项式承诺C,所述多项式承诺C用于所述秘密分片持有者对接收到的秘密分片进行验证;将所述W个秘密分片分发给所述W个秘密分片持有者。In the first aspect, the embodiment of the present application provides a fraud-proof secret sharing method, which can be applied to secret distributors. The method includes: according to the secret polynomial f(x) and the number W of secret slice holders, generating W secret slices of the secret S; generate a polynomial commitment C corresponding to the secret S, and broadcast the polynomial commitment C to the W secret slice holders, and the polynomial commitment C is used for the secret slice The slice holder verifies the received secret slice; distributes the W secret slices to the W secret slice holders.
上述技术方案,在秘密分发阶段,秘密分发者不仅需要提供秘密分片,同时需要提供能够证明该秘密分片正确的多项式承诺,且该承诺不会泄露该秘密分片及原始秘密的任何信息,因此,可使秘密分发阶段和秘密恢复阶段能够验证秘密分片的正确性,从而确保秘密共享算法具备防欺诈性。In the above technical solution, in the secret distribution stage, the secret distributor not only needs to provide the secret slice, but also needs to provide a polynomial commitment that can prove that the secret slice is correct, and the promise will not disclose any information about the secret slice and the original secret. Therefore, the secret distribution phase and the secret recovery phase can verify the correctness of the secret slice, thereby ensuring that the secret sharing algorithm is fraud-proof.
在一种可能的设计中,所述秘密多项式f(x)为:f(x)=S+a
1*x
1+a
2*x
2+…+a
t-1* x
t-1mod p;其中,a
j为多项式系数,0≤j≤t-1,p为素数。
In a possible design, the secret polynomial f(x) is: f(x)=S+a 1 *x 1 +a 2 *x 2 +...+a t-1 * x t-1 mod p ; Among them, a j is a polynomial coefficient, 0≤j≤t-1, p is a prime number.
在一种可能的设计中,所述根据秘密多项式f(x)和秘密分片持有者的数量W,生成秘密S的W个秘密分片,包括:随机选择W个不相等的x值{x
1,x
2,…,x
w},分别代入所述秘密多项式f(x),计算对应的y值{y
1,y
2,…,y
w},得到所述到W个秘密分片{S
1,S
2,…,S
w};其中,第i个秘密分片S
i=(x
i,y
i),0<i≤w。
In a possible design, generating W secret slices of the secret S according to the secret polynomial f(x) and the number W of secret slice holders includes: randomly selecting W unequal x values { x 1 , x 2 ,…,x w }, respectively substitute into the secret polynomial f(x), calculate the corresponding y value {y 1 ,y 2 ,…,y w }, and obtain the W secret slices {S 1 , S 2 ,...,S w }; where, the i-th secret slice S i =( xi ,y i ), 0<i≤w.
在一种可能的设计中,所述多项式承诺C={c
0,c
1,…,c
t-1},t为秘密还原门限,0<t≤W;所述方法还包括:根据公式
生成所述多项式承诺C;其中,a
0=S,g为常质数。
In a possible design, the polynomial commitment C={c 0 ,c 1 ,...,c t-1 }, t is the secret recovery threshold, 0<t≤W; the method further includes: according to the formula Generate the polynomial commitment C; wherein, a 0 =S, g is a constant prime number.
第二方面,本申请实施例提供另一种防欺诈的秘密分享方法,该方法可应用于秘密分片持有者,该方法包括:接收来自秘密分发者的秘密S对应的多项式承诺C;接收来自所述秘密分发者的所述秘密S的一个秘密分片S
i;根据所述多项式承诺C,对所述秘密分片S
i的正确性进行验证。
In the second aspect, the embodiment of this application provides another anti-fraud secret sharing method, which can be applied to the secret slice holder, and the method includes: receiving the polynomial commitment C corresponding to the secret S from the secret distributor; receiving A secret slice S i of the secret S from the secret distributor; according to the polynomial commitment C, the correctness of the secret slice S i is verified.
上述技术方案,在秘密分发阶段,秘密分片持有者在接收到秘密分发者广播的多项式承诺和分发给自己的秘密分片后,可根据多项式承诺对接收到的秘密分片的正确性进行验证,以便及时识别秘密分发者分发了错误的秘密分片的情形,从而避免因秘密分发者不诚信,带来的安全隐患。In the above technical solution, in the secret distribution stage, after receiving the polynomial commitment broadcast by the secret distributor and the secret slice distributed to itself, the secret slice holder can verify the correctness of the received secret slice according to the polynomial commitment. Verification, in order to timely identify the situation where the secret distributor distributes the wrong secret slice, so as to avoid security risks caused by the dishonesty of the secret distributor.
在一种可能的设计中,所述多项式承诺C={c
0,c
1,…,c
t-1};其中,
0≤j≤t-1,0<t≤W,t为秘密还原门限,W为秘密分片持有者的数量,a
j为多项式系数,a
0=S,g为常质数,p为素数。
In one possible design, the polynomial commitment C={c 0 ,c 1 ,...,c t-1 }; where, 0≤j≤t-1, 0<t≤W, t is the secret restoration threshold, W is the number of secret slice holders, a j is the polynomial coefficient, a 0 =S, g is a constant prime number, p is a prime number .
在一种可能的设计中,所述根据所述多项式承诺C,对所述秘密分片S
i进行验证,包括:若所述秘密分片S
i(x
i,y
i)满足公式:
则确定验证成功,否则验证失败。
In a possible design, the verification of the secret slice S i according to the polynomial commitment C includes: if the secret slice S i (xi , y i ) satisfies the formula: Then it is determined that the verification is successful, otherwise the verification fails.
第三方面,本申请实施例提供又一种防欺诈的秘密分享方法,该方法可应用于秘密恢复者,所述方法包括:收集所述秘密S的t个秘密分片S
i;根据所述t个秘密分片S
i,恢复所述秘密S;根据所述秘密S对应的多项式承诺C,对恢复后的所述秘密S的正确性进行验证。
In the third aspect, the embodiment of the present application provides another anti-fraud secret sharing method, which can be applied to the secret restorer, and the method includes: collecting t secret slices S i of the secret S; according to the t secret slices S i , recover the secret S; verify the correctness of the recovered secret S according to the polynomial commitment C corresponding to the secret S.
上述技术方案,在秘密恢复阶段,秘密恢复者可根据多项式承诺中的参数,对利用收集到的至少t个秘密分片S
i恢复出的秘密S的正确性进行验证,以便及时识别秘密分片持有者提供了错误的秘密分片的情形,从而避免因秘密分片持有者不诚信,带来的安全隐患。
In the above technical solution, in the secret recovery phase, the secret recoverer can verify the correctness of the secret S recovered by using at least t secret slices S i collected according to the parameters in the polynomial commitment, so as to identify the secret slices in time The holder provides the wrong secret slice, so as to avoid the security risks caused by the dishonesty of the secret slice holder.
在一种可能的设计中,所述多项式承诺C={c
0,c
1,…,c
t-1};其中,
0≤j≤t-1,0<t≤W,t为秘密还原门限,W为秘密分片持有者的数量,a
j为多项式系数,a
0=S,g为常质数,p为素数。
In one possible design, the polynomial commitment C={c 0 ,c 1 ,...,c t-1 }; where, 0≤j≤t-1, 0<t≤W, t is the secret restoration threshold, W is the number of secret slice holders, a j is the polynomial coefficient, a 0 =S, g is a constant prime number, p is a prime number .
在一种可能的设计中,所述根据所述秘密S对应的多项式承诺C,对还原到的所述秘密S的正确性进行验证,包括:若恢复后的所述秘密S满足公式:
g
S mod p,则确定恢复成功,否则恢复失败。
In a possible design, the verifying the correctness of the restored secret S according to the polynomial commitment C corresponding to the secret S includes: if the restored secret S satisfies the formula: g S mod p, it is determined that the recovery is successful, otherwise the recovery fails.
第四方面,本申请实施例提供一种防欺诈的秘密分享装置,该装置可以是秘密分发者的设备或配置于秘密分发者的设备中的芯片或电路,该装置包括:In the fourth aspect, the embodiment of the present application provides a fraud-proof secret sharing device, which may be a device of the secret distributor or a chip or circuit configured in the device of the secret distributor, and the device includes:
处理模块,用于根据秘密多项式f(x)和秘密分片持有者的数量W,生成秘密S的W个秘密分片;A processing module, configured to generate W secret slices of the secret S according to the secret polynomial f(x) and the number W of secret slice holders;
所述处理模块,还用于生成所述秘密S对应的多项式承诺C,并向所述W个秘密分片持有者广播所述多项式承诺C,所述多项式承诺C用于所述秘密分片持有者对接收到的秘密分片进行验证;The processing module is further configured to generate a polynomial commitment C corresponding to the secret S, and broadcast the polynomial commitment C to the W secret slice holders, and the polynomial commitment C is used for the secret slice The holder verifies the received secret slice;
通信模块,用于将所述W个秘密分片分发给所述W个秘密分片持有者。A communication module, configured to distribute the W secret slices to the W secret slice holders.
在一种可能的设计中,所述秘密多项式f(x)为:f(x)=S+a
1*x
1+a
2*x
2+…+a
t-1*x
t-1mod p;其中,a
j为多项式系数,0≤j≤t-1,p为素数。
In a possible design, the secret polynomial f(x) is: f(x)=S+a 1 *x 1 +a 2 *x 2 +...+a t-1 *x t-1 mod p ; Among them, a j is a polynomial coefficient, 0≤j≤t-1, p is a prime number.
在一种可能的设计中,所述处理模块具体用于:随机选择W个不相等的x值{x
1,x
2,…,x
w},分别代入所述秘密多项式f(x),计算对应的y值{y
1,y
2,…,y
w},得到所述到W个秘密分片{S
1,S
2,…,S
w};其中,第i个秘密分片S
i=(x
i,y
i),0<i≤w。
In a possible design, the processing module is specifically configured to: randomly select W unequal x values {x 1 , x 2 ,...,x w }, respectively substitute them into the secret polynomial f(x), and calculate The corresponding y values {y 1 , y 2 ,...,y w }, get the W secret slices {S 1 , S 2 ,...,S w }; where, the i-th secret slice S i = (x i ,y i ), 0<i≤w.
在一种可能的设计中,所述多项式承诺C={c
0,c
1,…,c
t-1},t为秘密还原门限,0<t≤W;所述处理模块具体用于:根据公式
生成所述多项式承诺C;其中,a
0=S,g为常质数。
In a possible design, the polynomial commitment C={c 0 ,c 1 ,...,c t-1 }, t is the secret recovery threshold, 0<t≤W; the processing module is specifically used for: according to formula Generate the polynomial commitment C; wherein, a 0 =S, g is a constant prime number.
第五方面,本申请实施例提供另一种防欺诈的秘密分享装置,该装置可以是秘密分片持有者的设备或配置于秘密分片持有者的设备中的芯片或电路,该装置包括:In the fifth aspect, the embodiment of the present application provides another anti-fraud secret sharing device, which can be the device of the secret slice holder or a chip or circuit configured in the device of the secret slice holder. include:
通信模块,用于接收来自秘密分发者的秘密S对应的多项式承诺C;The communication module is used to receive the polynomial commitment C corresponding to the secret S from the secret distributor;
所述通信模块,还用于接收来自所述秘密分发者的所述秘密S的一个秘密分片S
i;
The communication module is further configured to receive a secret slice S i of the secret S from the secret distributor;
处理模块,用于根据所述多项式承诺C,对所述秘密分片S
i的正确性进行验证。
A processing module, configured to verify the correctness of the secret slice S i according to the polynomial commitment C.
在一种可能的设计中,所述多项式承诺C={c
0,c
1,…,c
t-1};其中,
0≤j≤t-1,0<t≤W,t为秘密还原门限,W为秘密分片持有者的数量,a
j为多项式系数,a
0=S,g为常质数,p为素数。
In one possible design, the polynomial commitment C={c 0 ,c 1 ,...,c t-1 }; where, 0≤j≤t-1, 0<t≤W, t is the secret restoration threshold, W is the number of secret slice holders, a j is the polynomial coefficient, a 0 =S, g is a constant prime number, p is a prime number .
在一种可能的设计中,所述处理模块具体用于:若所述秘密分片S
i(x
i,y
i)满足公式:
则确定验证成功,否则验证失败。
In a possible design, the processing module is specifically configured to: if the secret slice S i ( xi , y i ) satisfies the formula: Then it is determined that the verification is successful, otherwise the verification fails.
第六方面,本申请实施例提供又一种防欺诈的秘密分享装置,该装置可以是秘密恢复者的设备或配置于秘密恢复者的设备中的芯片或电路,该装置包括:In the sixth aspect, the embodiment of the present application provides another anti-fraud secret sharing device, which may be the device of the secret restorer or a chip or circuit configured in the device of the secret restorer, and the device includes:
通信模块,用于收集所述秘密S的至少t个秘密分片S
i;
A communication module, configured to collect at least t secret slices S i of said secret S;
处理模块,用于根据收集到的所述至少t个秘密分片S
i,恢复所述秘密S;
A processing module, configured to restore the secret S according to the collected at least t secret slices S i ;
所述处理模块,还用于根据所述秘密S对应的多项式承诺C,对恢复的所述秘密S的正确性进行验证。The processing module is further configured to verify the correctness of the recovered secret S according to the polynomial commitment C corresponding to the secret S.
在一种可能的设计中,所述多项式承诺C={c
0,c
1,…,c
t-1};其中,
0≤j≤t-1,0<t≤W,t为秘密还原门限,W为秘密分片持有者的数量,a
j为多项式系数,a
0=S,g为常质数,p为素数。
In one possible design, the polynomial commitment C={c 0 ,c 1 ,...,c t-1 }; where, 0≤j≤t-1, 0<t≤W, t is the secret restoration threshold, W is the number of secret slice holders, a j is the polynomial coefficient, a 0 =S, g is a constant prime number, p is a prime number .
在一种可能的设计中,所述处理模块具体用于:若恢复后的所述秘密S满足公式:
则确定恢复成功,否则恢复失败。
In a possible design, the processing module is specifically configured to: if the restored secret S satisfies the formula: Then it is determined that the recovery is successful, otherwise the recovery fails.
第七方面,本申请实施例还提供一种计算机设备,包括:In the seventh aspect, the embodiment of the present application also provides a computer device, including:
存储器,用于存储程序指令;memory for storing program instructions;
处理器,用于调用所述存储器中存储的程序指令,按照获得的程序指令执行如第一方面或第二方面或第三方面的各种可能的设计中所述的方法。The processor is configured to call the program instructions stored in the memory, and execute the method as described in various possible designs of the first aspect or the second aspect or the third aspect according to the obtained program instructions.
第八方面,本申请实施例还提供一种计算机可读存储介质,其中存储有计算机可读指令,当计算机读取并执行所述计算机可读指令时,使得上述第一方面或第二方面或第三方 面的任一种可能的设计中所述的方法实现。In the eighth aspect, the embodiment of the present application also provides a computer-readable storage medium, in which computer-readable instructions are stored, and when the computer reads and executes the computer-readable instructions, the above-mentioned first aspect or the second aspect or The method described in any possible design of the third aspect is realized.
第九方面,本申请实施例还提供一种计算机程序产品,包括计算机可读指令,当计算机可读指令被处理器执行时,使得上述第一方面或第二方面或第三方面的任一种可能的设计中所述的方法实现。In the ninth aspect, the embodiment of the present application also provides a computer program product, including computer-readable instructions. When the computer-readable instructions are executed by a processor, any one of the above-mentioned first aspect, second aspect, or third aspect The method implementation described in Possible Design.
为了更清楚地说明本申请实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简要介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域的普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present application, the following will briefly introduce the drawings that need to be used in the description of the embodiments. Obviously, the drawings in the following description are only some embodiments of the present application. For Those skilled in the art can also obtain other drawings based on these drawings without any creative effort.
图1为本申请实施例提供的一种防欺诈的秘密分享方法的流程示意图;FIG. 1 is a schematic flowchart of a fraud-proof secret sharing method provided by an embodiment of the present application;
图2为本申请实施例中秘密分片计算过程的示意图;Fig. 2 is a schematic diagram of the secret slice calculation process in the embodiment of the present application;
图3为本申请实施例提供的另一种防欺诈的秘密分享方法的流程示意图;FIG. 3 is a schematic flowchart of another anti-fraud secret sharing method provided by the embodiment of the present application;
图4为本申请实施例中的秘密分发过程的流程示意图;FIG. 4 is a schematic flow diagram of the secret distribution process in the embodiment of the present application;
图5为本申请实施例提供的又一种防欺诈的秘密分享方法的流程示意图;FIG. 5 is a schematic flowchart of another anti-fraud secret sharing method provided by the embodiment of the present application;
图6为本申请实施例中的秘密恢复过程的流程示意图;FIG. 6 is a schematic flow diagram of the secret recovery process in the embodiment of the present application;
图7为本申请实施例提供的一种防欺诈的秘密分享装置的结构示意图;FIG. 7 is a schematic structural diagram of an anti-fraud secret sharing device provided by an embodiment of the present application;
图8为本申请实施例提供的一种计算机设备的结构示意图。FIG. 8 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
为了使本申请的目的、技术方案和优点更加清楚,下面将结合附图对本申请作进一步地详细描述,显然,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其它实施例,都属于本申请保护的范围。In order to make the purpose, technical solution and advantages of the application clearer, the application will be further described in detail below in conjunction with the accompanying drawings. Apparently, the described embodiments are only some of the embodiments of the application, not all of them. Based on the embodiments in this application, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the scope of protection of this application.
在本申请实施例中,多个是指两个或两个以上。“第一”、“第二”等词汇,仅用于区分描述的目的,而不能理解为指示或暗示相对重要性,也不能理解为指示或暗示顺序。In the embodiment of the present application, a plurality refers to two or more than two. Words such as "first" and "second" are only used for the purpose of distinguishing descriptions, and cannot be understood as indicating or implying relative importance, nor can they be understood as indicating or implying order.
首先,对本申请实施例涉及的相关技术术语进行解释。First, the relevant technical terms involved in the embodiment of the present application are explained.
分片与还原:一个数据被分解为几个碎片的过程,叫做分片。将这些碎片还原为原始数据的过程,叫还原。Fragmentation and restoration: The process in which a data is decomposed into several fragments is called fragmentation. The process of restoring these fragments to original data is called restoration.
门限分片还原:如果一个数据被分解为n片,当且仅当收集其中k片之后,可以恢复出原始数据,叫(n,k)门限的分片与还原。Threshold sharding restoration: If a piece of data is decomposed into n pieces, the original data can be restored if and only after k pieces are collected, which is called (n,k) threshold sharding and restoration.
针对现有技术中秘密分享算法存在的安全假设问题,本申请实施例提供一种防欺诈的秘密分享方法,该方法可以在不泄露原始秘密S和秘密分片的同时,确保秘密分发阶段和秘密恢复阶段能够验证秘密分片的正确性,使得秘密分享过程能够防欺诈,并且能够按照正常的逻辑恢复出正确的秘密S。Aiming at the security assumptions existing in the secret sharing algorithm in the prior art, the embodiment of the present application provides a fraud-proof secret sharing method, which can ensure the secret distribution stage and the secret The recovery phase can verify the correctness of the secret slice, so that the secret sharing process can prevent fraud, and the correct secret S can be recovered according to the normal logic.
本申请中的秘密分享过程包括秘密分发阶段和秘密共享阶段,其中,秘密分发阶段主要是:秘密分发者对秘密进行分片后分发给多个秘密分片持有者,同时提供可计算承诺,秘密分片持有者根据可计算承诺对接收到的秘密分片进行正确性验证;秘密恢复阶段主要是:秘密恢复者收集足够的秘密分片,对秘密进行恢复,并根据可计算承诺对恢复后的秘密进行正确性验证。The secret sharing process in this application includes the secret distribution stage and the secret sharing stage, wherein the secret distribution stage is mainly: the secret distributor divides the secret and distributes it to multiple secret fragment holders, and provides a computable commitment at the same time, The secret slice holder verifies the correctness of the received secret slice according to the computable commitment; the secret recovery stage is mainly: the secret restorer collects enough secret slices, restores the secret, and restores the secret according to the computable commitment The final secret is verified for correctness.
图1示例性示出了本申请实施例提供的一种防欺诈的秘密分享方法,该方法适用于秘密分享过程中的秘密分发阶段,并可具体由秘密分发者执行。Fig. 1 exemplarily shows a fraud-proof secret sharing method provided by the embodiment of the present application, which is applicable to the secret distribution stage in the secret sharing process, and can be specifically executed by the secret distributor.
如图1所示,该方法包括:As shown in Figure 1, the method includes:
步骤101,秘密分发者根据秘密多项式f(x)和秘密分片持有者的数量W,生成秘密S的W个秘密分片。Step 101, the secret distributor generates W secret slices of the secret S according to the secret polynomial f(x) and the number W of secret slice holders.
本申请中,秘密分发者可在需要分享秘密S时,首先构造一个秘密多项式f(x),用于对秘密进行混淆加密。所述秘密多项式f(x)可以表示为如下形式:In this application, when the secret distributor needs to share the secret S, he first constructs a secret polynomial f(x) for obfuscating and encrypting the secret. The secret polynomial f(x) can be expressed as follows:
f(x)=S+a
1*x
1+a
2*x
2+…+a
t-1*x
t-1mod p
f(x)=S+a 1 *x 1 +a 2 *x 2 +…+a t-1 *x t-1 mod p
其中,a
j为多项式系数,0≤j≤t-1,t为秘密还原门限,0<t≤W,mod表示取模,p为素数。需要说明的是,上述秘密多项式f(x)中的多项式系数可以是秘密分发者随机生成的,并且只有秘密分发者知道。此外,S<p。
Among them, a j is a polynomial coefficient, 0≤j≤t-1, t is the secret restoration threshold, 0<t≤W, mod means modulo, and p is a prime number. It should be noted that the polynomial coefficients in the above secret polynomial f(x) may be randomly generated by the secret distributor, and only known by the secret distributor. Furthermore, S<p.
进而,秘密分发者可基于该秘密多项式f(x)对秘密S进行特定运算,得到W个秘密分片S
i(0<i≤w)。具体的,如图2所示,由于f(x)是关于x的一元函数,秘密分发者可随机选择W个不相等的x值{x
1,x
2,…,x
w},分别代入所述秘密多项式f(x),计算对应的y值{y
1,y
2,…,y
w},得到w个点:{(x
1,y
1),(x
2,y
2),…,(x
w,y
w)}。每个点即是一个秘密分片S
i=(x
i,y
i),0<i≤w,共W个秘密分片{S
1,S
2,…,S
w}。
Furthermore, the secret distributor can perform specific operations on the secret S based on the secret polynomial f(x) to obtain W secret slices S i (0<i≤w). Specifically, as shown in Figure 2, since f(x) is a unary function of x, the secret distributor can randomly select W unequal values of x {x 1 ,x 2 ,…,x w }, and substitute them into the Describe the secret polynomial f(x), calculate the corresponding y value {y 1 ,y 2 ,…,y w }, and get w points: {(x 1 ,y 1 ),(x 2 ,y 2 ),…, (x w ,y w )}. Each point is a secret slice S i =(x i , y i ), 0<i≤w, a total of W secret slices {S 1 , S 2 ,...,S w }.
由于秘密分片S
i中包含了部分秘密,但是又无法得到秘密的全部,因此,通过分发秘密分片S
i,可确保秘密的安全性。
Since the secret slice S i contains part of the secret, but it is impossible to get all of the secret, the security of the secret can be ensured by distributing the secret slice S i .
步骤102,秘密分发者生成所述秘密S对应的多项式承诺C,并向所述W个秘密分片持有者广播所述多项式承诺C,所述多项式承诺C用于所述秘密分片持有者对接收到的秘密分片进行验证。Step 102, the secret distributor generates a polynomial commitment C corresponding to the secret S, and broadcasts the polynomial commitment C to the W secret slice holders, and the polynomial commitment C is used for the secret slice holding The author verifies the received secret slice.
本申请中,所述多项式承诺C可以表示为C={c
0,c
1,…,c
t-1};其中,
0≤j≤t-1,g为常质数,a
0=S。也就是说:
In this application, the polynomial commitment C can be expressed as C={c 0 ,c 1 ,...,c t-1 }; where, 0≤j≤t-1, g is a constant prime number, a 0 =S. That is to say:
……...
秘密分发者计算得到所述多项式承诺C后,可将所述多项式承诺C广播给W个秘密分片持有者。由于多项式承诺C为有限域上的运算,所以获得该多项式承诺C并不能获得(或者计算出)秘密分片S
i或原始的秘密S。
After the secret distributor calculates the polynomial commitment C, it can broadcast the polynomial commitment C to W secret slice holders. Since the polynomial commitment C is an operation on a finite field, obtaining the polynomial commitment C cannot obtain (or calculate) the secret slice S i or the original secret S.
所述多项式承诺C也可以称为可计算承诺或验证性承诺,本申请不作具体限定。The polynomial commitment C may also be called a computable commitment or a verifiable commitment, which is not specifically limited in this application.
步骤103,秘密分发者将所述W个秘密分片分发给所述W个秘密分片持有者。Step 103, the secret distributor distributes the W secret slices to the W secret slice holders.
在完成多项式承诺C的广播后,秘密分发者可将W个秘密分片分发给对应的秘密分片持有者,即将秘密分片S
i=(x
i,y
i)分发给秘密分片持有者P
i,0<i≤w。
After completing the broadcast of the polynomial commitment C, the secret distributor can distribute W secret slices to the corresponding secret slice holders, that is, distribute the secret slice S i =( xi ,y i ) to the secret slice holders There are P i , 0<i≤w.
在完成秘密分片的分发后,秘密分发者可公开所述秘密多项式中的p值,并销毁所述秘密多项式。至此,每一个秘密分片持有者P
i都拥有一个秘密分片S
i和一组相同的多项式承诺C={c
0,c
1,…,c
t-1}。
After completing the distribution of the secret slices, the secret distributor can disclose the p value in the secret polynomial and destroy the secret polynomial. So far, each secret slice holder Pi has a secret slice S i and a set of identical polynomial commitments C={c 0 ,c 1 ,…,c t-1 }.
图3示例性示出了本申请实施例提供的另一种防欺诈的秘密分享方法,该方法适用于秘密分享过程中的秘密分发阶段,并可具体由秘密分片持有者执行。如图3所示,该方法包括:Fig. 3 exemplarily shows another anti-fraud secret sharing method provided by the embodiment of the present application, which is applicable to the secret distribution stage in the secret sharing process, and can be specifically executed by the secret slice holder. As shown in Figure 3, the method includes:
步骤301,秘密分片持有者接收来自秘密分发者的秘密S对应的多项式承诺C。Step 301, the secret slice holder receives the polynomial commitment C corresponding to the secret S from the secret distributor.
步骤302,秘密分片持有者接收来自所述秘密分发者的所述秘密S的一个秘密分片S
i。
Step 302, the secret slice holder receives a secret slice S i of the secret S from the secret distributor.
步骤303,秘密分片持有者根据所述多项式承诺C,对所述秘密分片S
i的正确性进行验证。
Step 303, the secret slice holder verifies the correctness of the secret slice S i according to the polynomial commitment C.
本申请中,秘密分片持有者接收到秘密分发者分发的秘密分片后,可根据如下公式对秘密分片的正确性进行验证:In this application, after the secret slice holder receives the secret slice distributed by the secret distributor, he can verify the correctness of the secret slice according to the following formula:
秘密分片持有者P
i可将自己持有的秘密分片S
i=(x
i,y
i)代入上式,分别计算等号左右两边的结果。由于多项式承诺C绑定了秘密多项式f(x)的系数,因此,如果秘密分片S
i是正确的,则上述等式将成立,即等号左右两边的结果相等,表示验证成功,秘密分片持有者P
i可接受该秘密分片S
i。如果秘密分片S
i是不正确的,则上述等式将不成立,即等号左右两边的结果不相等,表示验证失败,秘密分片持有者P
i可拒绝该秘密分片S
i,例如可以丢弃该秘密分片S
i。
The secret slice holder P i can substitute the secret slice S i =( xi ,y i ) held by him into the above formula, and calculate the results on the left and right sides of the equal sign respectively. Since the polynomial commitment C binds the coefficients of the secret polynomial f(x), if the secret slice S i is correct, the above equation will be established, that is, the results on the left and right sides of the equal sign are equal, indicating that the verification is successful, and the secret slice The slice holder Pi can accept the secret slice S i . If the secret slice S i is incorrect, the above equation will not hold true, that is, the results on the left and right sides of the equal sign are not equal, indicating that the verification fails, and the secret slice holder Pi can reject the secret slice S i , for example The secret slice S i can be discarded.
当秘密分片S
i正确时,等式为什么会成立呢。
Why does the equation hold when the secret slice S i is correct.
对于等式左边而言,证明如下所示:For the left side of the equation, the proof is as follows:
可选的,秘密分片持有者P
i在完成秘密分片S
i的验证之后,可向秘密分发者发送反馈信息,该反馈信息用于指示接受或拒绝所述秘密分片S
i,或者说用于指示所述秘密分片S
i验证成功或失败。
Optionally, after completing the verification of the secret slice S i , the secret slice holder P i may send feedback information to the secret distributor, and the feedback information is used to indicate acceptance or rejection of the secret slice S i , or Said is used to indicate the success or failure of the verification of the secret segment S i .
需要说明的是,在秘密分享过程中,W个秘密分片持有者中的每个秘密分片持有者在接收到秘密分发者分发给自己的秘密分片后,均可按照图2所示的方法,来验证自己接收到的秘密分片的正确性。该方法有助于秘密分片持有者及时识别秘密分发者分发了错误的秘密分片的情形,从而避免因秘密分发者不诚信,带来的安全隐患。It should be noted that, in the process of secret sharing, each secret slice holder among the W secret slice holders, after receiving the secret slice distributed to him by the secret distributor, can follow the steps shown in Figure 2. The method shown to verify the correctness of the secret slice received by itself. This method helps the holder of the secret slice to identify the situation that the secret distributor distributes the wrong secret slice in time, so as to avoid the potential safety hazard caused by the dishonesty of the secret distributor.
图4示例性示出了本申请实施例提供的另一种防欺诈的秘密分享方法,该方法应用于秘密恢复者,并在秘密恢复阶段执行。如图4所示,该方法包括:Fig. 4 exemplarily shows another anti-fraud secret sharing method provided by the embodiment of the present application, which is applied to a secret restorer and executed in the secret restoration phase. As shown in Figure 4, the method includes:
步骤401,秘密恢复者根据收集到的秘密S的至少t个秘密分片S
i,恢复所述秘密S。
Step 401, the secret recoverer recovers the secret S according to at least t secret slices S i of the secret S collected.
在秘密恢复阶段,各个秘密分片持有者P
i可以将自己的秘密分片S
i发送给秘密恢复者,所述秘密恢复者可以是秘密分发者,也可以是W个秘密分片持有者之一,也可以是除秘密分发者和W个秘密分片持有者之外的其他秘密分享过程的参与者,本申请不作具体限定。
In the secret recovery phase, each secret slice holder P i can send its own secret slice S i to the secret restorer. The secret restorer can be the secret distributor or W secret slice holders One of the participants, or other participants in the secret sharing process except the secret distributor and the W secret slice holders, which is not specifically limited in this application.
当秘密恢复者收集到至少t个秘密分片S
i后,秘密恢复者可拉格朗日插值定理,计算秘密S:
When the secret restorer has collected at least t secret slices S i , the secret restorer can calculate the secret S using the Lagrangian interpolation theorem:
步骤402,秘密恢复者根据所述秘密S对应的多项式承诺C,对恢复的所述秘密S的正确性进行验证。Step 402, the secret recoverer verifies the correctness of the recovered secret S according to the polynomial commitment C corresponding to the secret S.
当计算出秘密S后,秘密恢复者根据如下公式对恢复出的秘密S的正确性进行验证:After calculating the secret S, the secret restorer verifies the correctness of the recovered secret S according to the following formula:
如果恢复出的秘密S满足上述公式,则验证通过,说明秘密S恢复正确。如果不满足上述公式,则验证不通过,说明目前获得的秘密分片不完全正确。If the recovered secret S satisfies the above formula, the verification is passed, indicating that the secret S is recovered correctly. If the above formula is not satisfied, the verification fails, indicating that the currently obtained secret slice is not completely correct.
由于g和c
0是多项式承诺中公开已知的参数,因此,很容易验证。
Since g and c 0 are publicly known parameters in polynomial commitments, they are easy to verify.
该方法有助于秘密恢复者及时识别秘密分片持有者提供了错误的秘密分片的情形,从而避免因秘密分片持有者不诚信,带来的安全隐患。This method helps the secret restorer to timely identify the situation that the secret slice holder provides the wrong secret slice, so as to avoid the potential safety hazard caused by the dishonesty of the secret slice holder.
综上,在秘密分发阶段,秘密分发者不仅需要提供秘密分片,同时需要提供能够证明该秘密分片正确的可计算承诺,且该承诺不会泄露该秘密分片及原始秘密的任何信息,因此,可使秘密分发阶段和秘密恢复阶段能够验证秘密分片的正确性,从而确保秘密共享算法具备防欺诈性。To sum up, in the secret distribution phase, the secret distributor not only needs to provide the secret slice, but also needs to provide a computable commitment that can prove that the secret slice is correct, and the promise will not reveal any information about the secret slice and the original secret. Therefore, the secret distribution phase and the secret recovery phase can verify the correctness of the secret slice, thereby ensuring that the secret sharing algorithm is fraud-proof.
图5示例性示出了本申请实施例中秘密分发过程的流程示意图,如图4所述,秘密分发过程包括如下步骤:Fig. 5 exemplarily shows a schematic flow chart of the secret distribution process in the embodiment of the present application. As shown in Fig. 4, the secret distribution process includes the following steps:
步骤501,秘密分发者根据秘密还原门限t,构造秘密多项式。Step 501, the secret distributor constructs a secret polynomial according to the secret restoration threshold t.
步骤502,秘密分发者根据秘密分片持有者数量W和秘密多项式f(x),生成W个秘密分片。Step 502, the secret distributor generates W secret slices according to the number W of secret slice holders and the secret polynomial f(x).
步骤503,秘密分发者计算多项式承诺C,并将该多项式承诺C广播给W个秘密分片持有者。Step 503, the secret distributor calculates the polynomial commitment C, and broadcasts the polynomial commitment C to W secret slice holders.
步骤504,秘密分发者将W个秘密分片分别分发给对应的秘密分片持有者。Step 504, the secret distributor distributes W secret slices to corresponding secret slice holders respectively.
步骤505,秘密分片持有者验证秘密分片是否正确。Step 505, the secret slice holder verifies whether the secret slice is correct.
步骤506,判断验证是否通过。Step 506, judging whether the verification is passed.
步骤507,如果验证通过,秘密分片持有者接受秘密分片。Step 507, if the verification is passed, the secret slice holder accepts the secret slice.
步骤508,如果验证不通过,秘密分片持有者拒绝秘密分片。Step 508, if the verification fails, the secret slice holder rejects the secret slice.
图6示例性示出了本申请实施例中秘密恢复过程的流程示意图,如图6所述,秘密恢复过程包括如下步骤:Figure 6 exemplarily shows a schematic flow chart of the secret recovery process in the embodiment of the present application. As shown in Figure 6, the secret recovery process includes the following steps:
步骤601,秘密恢复者接收来自秘密分片持有者发送的秘密分片。Step 601, the secret restorer receives the secret slice sent by the secret slice holder.
步骤602,秘密恢复者判断收集到的秘密分片的数量是否大于秘密还原门限t。Step 602, the secret restorer judges whether the number of collected secret fragments is greater than the secret restoration threshold t.
步骤603,如果大于秘密还原门限t,秘密恢复者根据拉格朗日定理计算秘密S。Step 603, if it is greater than the secret restoration threshold t, the secret restorer calculates the secret S according to Lagrangian theorem.
步骤604,秘密恢复者根据多项式承诺C验证恢复出的秘密S的正确性。Step 604, the secret restorer verifies the correctness of the recovered secret S according to the polynomial commitment C.
步骤605,判断是否验证通过?如果验证通过,则结束。Step 605, judging whether the verification is passed? If the verification is passed, end.
步骤606,如果验证不通过,秘密恢复者判断是否还有未接收的秘密分片。Step 606, if the verification fails, the secret restorer judges whether there are unreceived secret fragments.
如果还有未接收的秘密分片,则跳转到步骤601,重新计算秘密S并验证,否则,结束。If there are unreceived secret slices, jump to step 601, recalculate and verify the secret S, otherwise, end.
综上,本申请提供了一种防欺诈的秘密分享方案,可以解决秘密分享过程中的安全假设问题,其核心是在秘密分发过程中,秘密分发者不仅提供秘密分片,同时还提供秘密分片的可验证性承诺,在确保秘密分片和原始秘密信息不泄露的前提下,秘密分片持有者能够根据可验证性承诺对收到的秘密分片的正确性进行验证,确保秘密恢复阶段能够还原原 始秘密并验证正确性。To sum up, this application provides a fraud-proof secret sharing scheme, which can solve the security assumption problem in the secret sharing process. The core is that in the secret distribution process, the secret distributor not only provides the The verifiability commitment of the slice, under the premise of ensuring that the secret slice and the original secret information are not leaked, the secret slice holder can verify the correctness of the received secret slice according to the verifiability promise, and ensure the secret recovery The stage is able to restore the original secret and verify correctness.
本申请还提供一种防欺诈的秘密分享装置,该装置用于实现上述方法实施例中的防欺诈的秘密分享方法。该装置可以是秘密分享过程中的秘密分发者或秘密分片持有者或秘密恢复者。The present application also provides an anti-fraud secret sharing device, which is used to implement the anti-fraud secret sharing method in the above method embodiment. The device can be a secret distributor or a secret slice holder or a secret restorer in the secret sharing process.
如图7所示,该装置700包括:通信模块710和处理模块720。As shown in FIG. 7 , the apparatus 700 includes: a communication module 710 and a processing module 720 .
当该装置为秘密分发者时,所述处理模块720,用于根据秘密多项式f(x)和秘密分片持有者的数量W,生成秘密S的W个秘密分片;以及,用于生成所述秘密S对应的多项式承诺C。所述通信模块710,用于向所述W个秘密分片持有者广播所述多项式承诺C,所述多项式承诺C用于所述秘密分片持有者对接收到的秘密分片进行验证;以及,用于将所述W个秘密分片分发给所述W个秘密分片持有者。When the device is a secret distributor, the processing module 720 is configured to generate W secret slices of the secret S according to the secret polynomial f(x) and the number W of secret slice holders; and, to generate The polynomial commitment C corresponding to the secret S. The communication module 710 is configured to broadcast the polynomial commitment C to the W secret slice holders, and the polynomial commitment C is used for the secret slice holders to verify the received secret slice and, for distributing the W secret slices to the W secret slice holders.
在一种可能的设计中,所述秘密多项式f(x)为:f(x)=S+a
1*x
1+a
2*x
2+…+a
t-1*x
t-1mod p;其中,a
j为多项式系数,0≤j≤t-1,p为素数。
In a possible design, the secret polynomial f(x) is: f(x)=S+a 1 *x 1 +a 2 *x 2 +...+a t-1 *x t-1 mod p ; Among them, a j is a polynomial coefficient, 0≤j≤t-1, p is a prime number.
在一种可能的设计中,所述处理模块720具体用于:随机选择W个不相等的x值{x
1,x
2,…,x
w},分别代入所述秘密多项式f(x),计算对应的y值{y
1,y
2,…,y
w},得到所述到W个秘密分片{S
1,S
2,…,S
w};其中,第i个秘密分片S
i=(x
i,y
i),0<i≤w。
In a possible design, the processing module 720 is specifically configured to: randomly select W unequal values of x {x 1 , x 2 ,...,x w }, and respectively substitute them into the secret polynomial f(x), Calculate the corresponding y value {y 1 , y 2 ,…,y w }, and obtain the W secret slices {S 1 , S 2 ,…,S w }; among them, the i-th secret slice S i =(x i , y i ), 0<i≤w.
在一种可能的设计中,所述多项式承诺C={c
0,c
1,…,c
t-1},t为秘密还原门限,0<t≤W;所述处理模块720具体用于:根据公式
生成所述多项式承诺C;其中,a
0=S,g为常质数。
In a possible design, the polynomial commitment C={c 0 , c 1 ,...,c t-1 }, t is the secret restoration threshold, 0<t≤W; the processing module 720 is specifically used for: According to the formula Generate the polynomial commitment C; wherein, a 0 =S, g is a constant prime number.
当该装置为秘密分片持有者时,所述通信模块710,用于接收来自秘密分发者的秘密S对应的多项式承诺C;以及,用于接收来自所述秘密分发者的所述秘密S的一个秘密分片S
i。处理模块720,用于根据所述多项式承诺C,对所述秘密分片S
i的正确性进行验证。
When the device is a secret slice holder, the communication module 710 is configured to receive the polynomial commitment C corresponding to the secret S from the secret distributor; and is configured to receive the secret S from the secret distributor A secret slice S i of . The processing module 720 is configured to verify the correctness of the secret slice S i according to the polynomial commitment C.
在一种可能的设计中,所述多项式承诺C={c
0,c
1,…,c
t-1};其中,
0≤j≤t-1,0<t≤W,t为秘密还原门限,W为秘密分片持有者的数量,a
j为多项式系数,a
0=S,g为常质数,p为素数。
In one possible design, the polynomial commitment C={c 0 ,c 1 ,...,c t-1 }; where, 0≤j≤t-1, 0<t≤W, t is the secret restoration threshold, W is the number of secret slice holders, a j is the polynomial coefficient, a 0 =S, g is a constant prime number, p is a prime number .
在一种可能的设计中,所述处理模块720具体用于:若所述秘密分片S
i(x
i,y
i)满足公式:
则确定验证成功,否则验证失败。
In a possible design, the processing module 720 is specifically configured to: if the secret slice S i ( xi , y i ) satisfies the formula: Then it is determined that the verification is successful, otherwise the verification fails.
当该装置为秘密恢复者时:所述通信模块710,用于收集所述秘密S的至少t个秘密分片S
i。所述处理模块720,用于根据收集大的所述至少t个秘密分片S
i,恢复所述秘密S;以及,根据所述秘密S对应的多项式承诺C,对恢复的所述秘密S的正确性进行验证。
When the device is a secret restorer: the communication module 710 is configured to collect at least t secret slices S i of the secret S. The processing module 720 is configured to recover the secret S according to the collected at least t secret slices S i ; and, according to the polynomial commitment C corresponding to the secret S, the recovered secret S Verify correctness.
在一种可能的设计中,所述多项式承诺C={c
0,c
1,…,c
t-1};其中,
0≤j≤t-1,0<t≤W,t为秘密还原门限,W为秘密分片持有者的数量,a
j为多项式系数,a
0=S,g为常质数,p为素数。
In one possible design, the polynomial commitment C={c 0 ,c 1 ,...,c t-1 }; where, 0≤j≤t-1, 0<t≤W, t is the secret restoration threshold, W is the number of secret slice holders, a j is the polynomial coefficient, a 0 =S, g is a constant prime number, p is a prime number .
在一种可能的设计中,所述处理模块720具体用于:若恢复的所述秘密S满足公式:
则确定恢复成功,否则恢复失败。
In a possible design, the processing module 720 is specifically configured to: if the recovered secret S satisfies the formula: Then it is determined that the recovery is successful, otherwise the recovery fails.
基于相同的技术构思,本申请实施例还提供了一种计算机设备,如图8所示,包括至少一个处理器801,以及与至少一个处理器连接的存储器802,本申请实施例中不限定处理器801与存储器802之间的具体连接介质,图8中处理器801和存储器802之间通过总线连接为例。总线可以分为地址总线、数据总线、控制总线等。Based on the same technical concept, the embodiment of the present application also provides a computer device, as shown in FIG. 8 , including at least one processor 801, and a memory 802 connected to the at least one processor. The specific connection medium between the processor 801 and the memory 802, the bus connection between the processor 801 and the memory 802 in FIG. 8 is taken as an example. The bus can be divided into address bus, data bus, control bus and so on.
在本申请实施例中,存储器802存储有可被至少一个处理器801执行的指令,该至少一个处理器801通过执行存储器802存储的指令,可以实现上述秘密分享方法的步骤。In the embodiment of the present application, the memory 802 stores instructions executable by at least one processor 801, and the at least one processor 801 can implement the steps of the secret sharing method above by executing the instructions stored in the memory 802.
其中,处理器801是计算机设备的控制中心,可以利用各种接口和线路连接计算机设备的各个部分,通过运行或执行存储在存储器802内的指令以及调用存储在存储器802内的数据,从而进行资源设置。可选的,处理器801可包括一个或多个处理单元,处理器801可集成应用处理器和调制解调处理器,其中,应用处理器主要处理操作系统、用户界面和应用程序等,调制解调处理器主要处理无线通信。可以理解的是,上述调制解调处理器也可以不集成到处理器801中。在一些实施例中,处理器801和存储器802可以在同一芯片上实现,在一些实施例中,它们也可以在独立的芯片上分别实现。Among them, the processor 801 is the control center of the computer equipment, which can use various interfaces and lines to connect various parts of the computer equipment, by running or executing the instructions stored in the memory 802 and calling the data stored in the memory 802, so as to perform resource set up. Optionally, the processor 801 may include one or more processing units, and the processor 801 may integrate an application processor and a modem processor. The tuner processor mainly handles wireless communication. It can be understood that the foregoing modem processor may not be integrated into the processor 801 . In some embodiments, the processor 801 and the memory 802 can be implemented on the same chip, and in some embodiments, they can also be implemented on independent chips.
处理器801可以是通用处理器,例如中央处理器(CPU)、数字信号处理器、专用集成电路(Application Specific Integrated Circuit,ASIC)、现场可编程门阵列或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件,可以实现或者执行本申请实施例中公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本申请实施例所公开的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。The processor 801 can be a general-purpose processor, such as a central processing unit (CPU), a digital signal processor, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array or other programmable logic devices, discrete gates or transistors Logic devices and discrete hardware components can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the methods disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
存储器802作为一种非易失性计算机可读存储介质,可用于存储非易失性软件程序、非易失性计算机可执行程序以及模块。存储器802可以包括至少一种类型的存储介质,例如可以包括闪存、硬盘、多媒体卡、卡型存储器、随机访问存储器(Random Access Memory,RAM)、静态随机访问存储器(Static Random Access Memory,SRAM)、可编程只读存储器(Programmable Read Only Memory,PROM)、只读存储器(Read Only Memory,ROM)、带电可擦除可编程只读存储器(Electrically Erasable Programmable Read-Only Memory,EEPROM)、磁性存储器、磁盘、光盘等等。存储器802是能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其他介质,但不限于此。本申请实施例中的存储器802还可以是电路或者其它任意能够实现存储功能的装置,用于存储程序指令和/或数据。The memory 802, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs and modules. Memory 802 may include at least one type of storage medium, for example, may include flash memory, hard disk, multimedia card, card memory, random access memory (Random Access Memory, RAM), static random access memory (Static Random Access Memory, SRAM), Programmable Read Only Memory (PROM), Read Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Magnetic Memory, Disk , CD, etc. Memory 802 is, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 802 in the embodiment of the present application may also be a circuit or any other device capable of implementing a storage function, and is used for storing program instructions and/or data.
基于相同的技术构思,本申请实施例还提供一种计算机可读存储介质,计算机可读存储介质存储有计算机可读指令,当计算机读取并执行所述计算机可读指令时,使得上述方法实施例中的方法实现。Based on the same technical concept, the embodiment of the present application also provides a computer-readable storage medium, the computer-readable storage medium stores computer-readable instructions, and when the computer reads and executes the computer-readable instructions, the above method is implemented implementation of the method in the example.
基于相同的技术构思,本申请实施例还提供一种计算机程序产品,包括计算机可读指令,当计算机可读指令被处理器执行时,使得上述方法实施例中的方法实现。Based on the same technical concept, the embodiments of the present application further provide a computer program product, including computer readable instructions, and when the computer readable instructions are executed by a processor, the methods in the above method embodiments are implemented.
本领域内的技术人员应明白,本申请的实施例可提供为方法、系统、或计算机程序产品。因此,本申请可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art should understand that the embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
本申请是参照根据本申请的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the present application. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and a combination of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a An apparatus for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方 式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart or blocks of the flowchart and/or the block or blocks of the block diagrams.
显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的精神和范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the application without departing from the spirit and scope of the application. In this way, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalent technologies, the present application is also intended to include these modifications and variations.
Claims (16)
- 一种防欺诈的秘密分享方法,其特征在于,所述方法应用于秘密分发者,所述方法包括:A fraud-proof secret sharing method, characterized in that the method is applied to a secret distributor, and the method includes:根据秘密多项式f(x)和秘密分片持有者的数量W,生成秘密S的W个秘密分片;Generate W secret slices of secret S according to the secret polynomial f(x) and the number W of secret slice holders;生成所述秘密S对应的多项式承诺C,并向所述W个秘密分片持有者广播所述多项式承诺C,所述多项式承诺C用于所述秘密分片持有者对接收到的秘密分片进行验证;Generate a polynomial commitment C corresponding to the secret S, and broadcast the polynomial commitment C to the W secret slice holders, and the polynomial commitment C is used for the secret slice holder to confirm the received secret Fragmentation for verification;将所述W个秘密分片分发给所述W个秘密分片持有者。Distributing the W secret slices to the W secret slice holders.
- 根据权利要求1所述的方法,其特征在于,所述秘密多项式f(x)为:The method according to claim 1, wherein the secret polynomial f (x) is:f(x)=S+a 1*x 1+a 2*x 2+…+a t-1*x t-1 mod p f(x)=S+a 1 *x 1 +a 2 *x 2 +…+a t-1 *x t-1 mod p其中,a j为多项式系数,0≤j≤t-1,t为秘密还原门限,0<t≤W,p为素数。 Among them, a j is a polynomial coefficient, 0≤j≤t-1, t is a secret restoration threshold, 0<t≤W, and p is a prime number.
- 根据权利要求2所述的方法,其特征在于,所述根据秘密多项式f(x)和秘密分片持有者的数量W,生成秘密S的W个秘密分片,包括:The method according to claim 2, wherein generating W secret slices of the secret S according to the secret polynomial f(x) and the number W of secret slice holders includes:随机选择W个不相等的x值{x 1,x 2,…,x w},分别代入所述秘密多项式f(x),计算对应的y值{y 1,y 2,…,y w},得到所述W个秘密分片{S 1,S 2,…,S w}; Randomly select W unequal x values {x 1 , x 2 ,…,x w }, respectively substitute into the secret polynomial f(x), and calculate the corresponding y values {y 1 , y 2 ,…,y w } , to obtain the W secret slices {S 1 , S 2 ,...,S w };其中,第i个秘密分片S i=(x i,y i),0<i≤w。 Wherein, the i-th secret slice S i =(x i , y i ), 0<i≤w.
- 根据权利要求2所述的方法,其特征在于,所述多项式承诺C={c 0,c 1,…,c t-1}; The method according to claim 2, wherein the polynomial commitment C={c 0 ,c 1 ,...,c t-1 };所述方法还包括:The method also includes:根据公式生成所述多项式承诺C; According to the formula
generating said polynomial commitment C;其中,a 0=S,g为常质数。 Wherein, a 0 =S, g is a constant prime number. - 一种防欺诈的秘密分享方法,其特征在于,所述方法应用于秘密分片持有者,所述方法包括:A fraud-proof secret sharing method, characterized in that the method is applied to a secret slice holder, and the method comprises:接收来自秘密分发者的秘密S对应的多项式承诺C;Receive the polynomial commitment C corresponding to the secret S from the secret distributor;接收来自所述秘密分发者的所述秘密S的一个秘密分片S i; receiving a secret slice S i of said secret S from said secret distributor;根据所述多项式承诺C,对所述秘密分片S i的正确性进行验证。 According to the polynomial commitment C, the correctness of the secret slice S i is verified.
- 根据权利要求5所述的方法,其特征在于,所述多项式承诺C={c 0,c 1,…,c t-1}; The method according to claim 5, wherein the polynomial commitment C={c 0 ,c 1 ,...,c t-1 };其中,0≤j≤t-1,0<t≤W,t为秘密还原门限,W为秘密分片持有者的数量,a j为多项式系数,a 0=S,g为常质数,p为素数。 in,
0≤j≤t-1, 0<t≤W, t is the secret restoration threshold, W is the number of secret slice holders, a j is the polynomial coefficient, a 0 =S, g is a constant prime number, p is a prime number . - 根据权利要求6所述的方法,其特征在于,所述根据所述多项式承诺C,对所述秘密分片S i进行验证,包括: The method according to claim 6, wherein said verifying said secret slice S i according to said polynomial commitment C comprises:若所述秘密分片S i(x i,y i)满足公式:则确定验证成功,否则验证失败。 If the secret slice S i (xi , y i ) satisfies the formula:
Then it is determined that the verification is successful, otherwise the verification fails. - 一种防欺诈的秘密分享方法,其特征在于,所述方法应用于秘密恢复者,所述方法包括:A fraud-proof secret sharing method, characterized in that the method is applied to a secret restorer, and the method comprises:根据收集到的秘密S的至少t个秘密分片S i,恢复所述秘密S; Recover the secret S from the collected at least t secret slices S i of the secret S;根据所述秘密S对应的多项式承诺C,对恢复的所述秘密S的正确性进行验证。According to the polynomial commitment C corresponding to the secret S, the correctness of the recovered secret S is verified.
- 根据权利要求8所述的方法,其特征在于,所述多项式承诺C={c 0,c 1,…,c t-1}; The method according to claim 8, wherein the polynomial commitment C={c 0 ,c 1 ,...,c t-1 };其中,0≤j≤t-1,0<t≤W,t为秘密还原门限,W为秘密分片 持有者的数量,a j为多项式系数,a 0=S,g为常质数,p为素数。 in,
0≤j≤t-1, 0<t≤W, t is the secret restoration threshold, W is the number of secret slice holders, a j is the polynomial coefficient, a 0 =S, g is a constant prime number, p is a prime number . - 根据权利要求9所述的方法,其特征在于,所述根据所述秘密S对应的多项式承诺C,对恢复的所述秘密S的正确性进行验证,包括:The method according to claim 9, wherein the verifying the correctness of the recovered secret S according to the polynomial commitment C corresponding to the secret S includes:若恢复后所述秘密S满足公式:则确定恢复成功,否则恢复失败。 If the secret S satisfies the formula after recovery:
Then it is determined that the recovery is successful, otherwise the recovery fails. - 一种防欺诈的秘密分享装置,其特征在于,包括:An anti-fraud secret sharing device, characterized by comprising:处理模块,用于根据秘密多项式f(x)和秘密分片持有者的数量W,生成秘密S的W个秘密分片;A processing module, configured to generate W secret slices of the secret S according to the secret polynomial f(x) and the number W of secret slice holders;所述处理模块,还用于生成所述秘密S对应的多项式承诺C,并向所述W个秘密分片持有者广播所述多项式承诺C,所述多项式承诺C用于所述秘密分片持有者对接收到的秘密分片进行验证;The processing module is further configured to generate a polynomial commitment C corresponding to the secret S, and broadcast the polynomial commitment C to the W secret slice holders, and the polynomial commitment C is used for the secret slice The holder verifies the received secret slice;通信模块,用于将所述W个秘密分片分发给所述W个秘密分片持有者。A communication module, configured to distribute the W secret slices to the W secret slice holders.
- 一种防欺诈的秘密分享装置,其特征在于,包括:An anti-fraud secret sharing device, characterized by comprising:通信模块,用于接收来自秘密分发者的秘密S对应的多项式承诺C;The communication module is used to receive the polynomial commitment C corresponding to the secret S from the secret distributor;所述通信模块,还用于接收来自所述秘密分发者的所述秘密S的一个秘密分片S i; The communication module is further configured to receive a secret slice S i of the secret S from the secret distributor;处理模块,用于根据所述多项式承诺C,对所述秘密分片S i的正确性进行验证。 A processing module, configured to verify the correctness of the secret slice S i according to the polynomial commitment C.
- 一种防欺诈的秘密分享装置,其特征在于,包括:An anti-fraud secret sharing device, characterized by comprising:通信模块,用于收集秘密S的至少t个秘密分片S i; A communication module for collecting at least t secret slices S i of the secret S;处理模块,用于根据收集到的所述秘密S的所述至少t个秘密分片S i,恢复所述秘密S; A processing module, configured to restore the secret S according to the collected at least t secret slices S i of the secret S;所述处理模块,还用于根据所述秘密S对应的多项式承诺C,对恢复后的所述秘密S的正确性进行验证。The processing module is further configured to verify the correctness of the recovered secret S according to the polynomial commitment C corresponding to the secret S.
- 一种计算机设备,其特征在于,包括:A computer device, characterized in that it includes:存储器,用于存储程序指令;memory for storing program instructions;处理器,用于调用所述存储器中存储的程序指令,按照获得的程序指令执行如权利要求1至10中任一项所述的方法。The processor is configured to call the program instructions stored in the memory, and execute the method according to any one of claims 1 to 10 according to the obtained program instructions.
- 一种计算机可读存储介质,其特征在于,包括计算机可读指令,当计算机读取并执行所述计算机可读指令时,使得如权利要求1至10中任一项所述的方法实现。A computer-readable storage medium, which is characterized by comprising computer-readable instructions, and when a computer reads and executes the computer-readable instructions, the method according to any one of claims 1 to 10 is implemented.
- 一种计算机程序产品,其特征在于,包括计算机可读指令,当计算机可读指令被处理器执行时,使得如权利要求1至10中任一项所述的方法实现。A computer program product, characterized by comprising computer-readable instructions, which enable the method according to any one of claims 1 to 10 to be implemented when the computer-readable instructions are executed by a processor.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111617418.3 | 2021-12-27 | ||
| CN202111617418.3A CN114297487A (en) | 2021-12-27 | 2021-12-27 | Anti-fraud secret sharing method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2023124364A1 true WO2023124364A1 (en) | 2023-07-06 |
Family
ID=80969578
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2022/124345 WO2023124364A1 (en) | 2021-12-27 | 2022-10-10 | Anti-fraud secret sharing methods and apparatuses |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN114297487A (en) |
| WO (1) | WO2023124364A1 (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114297487A (en) * | 2021-12-27 | 2022-04-08 | 深圳前海微众银行股份有限公司 | Anti-fraud secret sharing method and device |
| CN114513304A (en) * | 2022-04-19 | 2022-05-17 | 浙商银行股份有限公司 | Decentralized secure multiparty privacy summation calculation method and system |
| CN117195060B (en) * | 2023-11-06 | 2024-02-02 | 上海零数众合信息科技有限公司 | Telecom fraud recognition method and model training method based on multiparty security calculation |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090136024A1 (en) * | 2007-10-29 | 2009-05-28 | Schneider James P | Sharing a secret using polynomials |
| CN103259650A (en) * | 2013-04-25 | 2013-08-21 | 河海大学 | Fair and rational multi-secret sharing method for honest participants |
| US9443089B1 (en) * | 2013-03-13 | 2016-09-13 | Hrl Laboratories, Llc | System and method for mobile proactive secret sharing |
| CN107425967A (en) * | 2017-06-15 | 2017-12-01 | 武汉理工大学 | A kind of flexible multiple secret sharing method of theory α coefficient |
| CN111447057A (en) * | 2020-03-25 | 2020-07-24 | 南方电网科学研究院有限责任公司 | Safe storage method and device based on threshold secret sharing technology |
| CN113254410A (en) * | 2021-05-29 | 2021-08-13 | 陕西师范大学 | Provable and safe public verification multi-level multi-secret sharing method and system |
| US11115196B1 (en) * | 2015-12-08 | 2021-09-07 | EMC IP Holding Company LLC | Methods and apparatus for secret sharing with verifiable reconstruction type |
| CN113505392A (en) * | 2021-07-27 | 2021-10-15 | 深圳前海微众银行股份有限公司 | Secret sharing method and device |
| CN113591116A (en) * | 2021-08-04 | 2021-11-02 | 天津大学 | Efficient threshold verifiable multi-secret sharing method |
| CN114297487A (en) * | 2021-12-27 | 2022-04-08 | 深圳前海微众银行股份有限公司 | Anti-fraud secret sharing method and device |
-
2021
- 2021-12-27 CN CN202111617418.3A patent/CN114297487A/en active Pending
-
2022
- 2022-10-10 WO PCT/CN2022/124345 patent/WO2023124364A1/en unknown
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090136024A1 (en) * | 2007-10-29 | 2009-05-28 | Schneider James P | Sharing a secret using polynomials |
| US9443089B1 (en) * | 2013-03-13 | 2016-09-13 | Hrl Laboratories, Llc | System and method for mobile proactive secret sharing |
| CN103259650A (en) * | 2013-04-25 | 2013-08-21 | 河海大学 | Fair and rational multi-secret sharing method for honest participants |
| US11115196B1 (en) * | 2015-12-08 | 2021-09-07 | EMC IP Holding Company LLC | Methods and apparatus for secret sharing with verifiable reconstruction type |
| CN107425967A (en) * | 2017-06-15 | 2017-12-01 | 武汉理工大学 | A kind of flexible multiple secret sharing method of theory α coefficient |
| CN111447057A (en) * | 2020-03-25 | 2020-07-24 | 南方电网科学研究院有限责任公司 | Safe storage method and device based on threshold secret sharing technology |
| CN113254410A (en) * | 2021-05-29 | 2021-08-13 | 陕西师范大学 | Provable and safe public verification multi-level multi-secret sharing method and system |
| CN113505392A (en) * | 2021-07-27 | 2021-10-15 | 深圳前海微众银行股份有限公司 | Secret sharing method and device |
| CN113591116A (en) * | 2021-08-04 | 2021-11-02 | 天津大学 | Efficient threshold verifiable multi-secret sharing method |
| CN114297487A (en) * | 2021-12-27 | 2022-04-08 | 深圳前海微众银行股份有限公司 | Anti-fraud secret sharing method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114297487A (en) | 2022-04-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2023124364A1 (en) | Anti-fraud secret sharing methods and apparatuses | |
| EP3780553B1 (en) | Blockchain-based transaction consensus processing method and apparatus, and electrical device | |
| CN109345386B (en) | Transaction consensus processing method and device based on block chain and electronic equipment | |
| US11921706B2 (en) | Methods and systems for controlling access to, and integrity of, resources on a blockchain | |
| WO2018076762A1 (en) | Block chain-based transaction verification method and system, electronic device, and medium | |
| CN111242617B (en) | Method and apparatus for performing transaction correctness verification | |
| JP6034927B1 (en) | Secret calculation system, secret calculation device, and program | |
| CN108985772A (en) | A kind of verification method, device, equipment and the storage medium of block chain | |
| CN110784320A (en) | Distributed key implementation method and system and user identity management method and system | |
| CN112347508A (en) | Block chain data sharing encryption and decryption method and system | |
| CN109754226B (en) | Data management method, device and storage medium | |
| CN114884697B (en) | Data encryption and decryption method and related equipment based on cryptographic algorithm | |
| CN111010284B (en) | Processing method of block to be identified, related device and block chain system | |
| CN112202779B (en) | Block chain based information encryption method, device, equipment and medium | |
| CN112948851A (en) | User authentication method, device, server and storage medium | |
| CN112036878A (en) | Data processing method and device | |
| CN114172659B (en) | Message transmission method, device, equipment and storage medium in block chain system | |
| CN110060055B (en) | Digital asset hosting method and device in block chain and electronic equipment | |
| CN117478303B (en) | Block chain hidden communication method, system and computer equipment | |
| CN110796448A (en) | Intelligent contract verification method based on block chain, participating node and medium | |
| CN111787034A (en) | Block generation method, synchronization method, device, block chain system and storage medium | |
| CN113988831A (en) | Transfer method based on alliance chain | |
| CN108900310A (en) | Block chain signature processing method and block chain signature processing unit | |
| CN110381114B (en) | Interface request parameter processing method and device, terminal equipment and medium | |
| CN113094735B (en) | Privacy model training method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22913628 Country of ref document: EP Kind code of ref document: A1 |