CN101325596A - Cryptography distributed calculation and step-by-step verification method with fault-tolerant function - Google Patents


Info

Publication number
CN101325596A
Authority
CN
China
Prior art keywords
random
data
shared
multinomial
sigma
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2008101111909A
Other languages
Chinese (zh)
Other versions
CN101325596B (en)
Inventor
朱岩
王怀习
冯荣权
邹维
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Peking University
Original Assignee
Peking University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Peking University
Priority to CN2008101111909A
Publication of CN101325596A
Application granted
Publication of CN101325596B
Expired - Fee Related (current legal status)
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a fault-tolerant cryptographic distributed computing and step-by-step verification method, belonging to the field of distributed computing. The method comprises: 1) each member independently performs the computation on its shared data; 2) each member generates a random polynomial according to the required access structure and exchanges the data induced by that polynomial; 3) each member combines the received random-polynomial data into a joint random polynomial; 4) the result of step 1) is re-shared using the joint random polynomial and the re-shared result is distributed to every member; 5) each member combines and reconstructs the received re-shared data to obtain a new share of the final result; 6) every member reconstructs the true result by exchanging these new shares. The method is fault-tolerant, efficient and protocol-secure; it avoids the heavy communication and low efficiency of traditional algorithms and preserves the continuity of secure computation.

Description

A cryptographic distributed computation and step-by-step verification method with fault tolerance
Technical field:
The present invention relates to a cryptographic distributed computation and step-by-step verification method with fault tolerance, used for the secure processing of data in distributed systems, in particular secure multi-party data processing. It provides efficient support for such processing and has good fault tolerance. The method can be applied to fields such as fault-tolerant computing, distributed computing and grid computing.
Background technology:
Distributed computing is a new computing paradigm proposed in recent years. In distributed computing the participant in a computation is not a single computer but a network of many computers that share information with one another and cooperatively complete the computing task. Compared with other approaches, distributed computing has the following advantages: data resources of different kinds and in different regions can be obtained and shared dynamically, and programs can be placed on the computers best suited to run them, balancing the computational load. Resource sharing and load balancing are among the core ideas of distributed computing. Distributed computing architectures are the inevitable outcome of the development of computers and networks; they can satisfy open, dynamic, multi-level, all-round data sharing and cooperative processing in loosely coupled network environments, and they are also the inevitable requirement of regionally dispersed enterprises and institutions: bank or civil-aviation settlement systems, government systems, population archives and identity-card management systems, for example, all have a distributed nature.
Because resources in a distributed system are open, distributed computing is more easily attacked, and the failure of a single node can paralyse the whole system, so the security of distributed computing systems has always been a pressing problem. In real life there are many kinds of distributed computing systems that require not only fast computation but also very high security of the computation itself; this means we must consider not only the efficiency of the computation but also its security and correctness. As networks develop and mature, they provide more and more services that greatly facilitate our lives, and guaranteeing the security of these network services has become a major challenge.
On the other hand, distributed systems, which spread a computing task over different places, can also provide security that ordinary computer systems lack. For example, by providing data redundancy and storing data in a dispersed way, the failure of one or more nodes can be tolerated, achieving fault tolerance, disaster tolerance and disaster recovery. As another example, a CA system (the CA is the certificate-issuing authority and the core of a PKI) can be built from several nodes so that a "trusted party" is realised by cooperative computation among the nodes; even if a single node is compromised by the adversary, that is not enough to cheat or forge.
In view of the above analysis, in order to solve the security risks present in distributed computing while making full use of the security advantages of distributed systems, the present invention concerns a data sharing method and a new fault-tolerant computation and step-by-step verification method for distributed computing environments. Every service that a network provides is regarded as a realisation of a computational process: just as a CPU realises simple algebraic operations, complex tasks in distributed computing are realised by simple distributed algebraic operations. These operations are addition, subtraction, multiplication and division in a finite field; since subtraction reduces to addition and division to multiplication, only addition and multiplication in the finite field need to be considered in the realisation. To this end, the present invention realises a secure sharing method for distributed data, fast "addition" and "multiplication" algorithms over such sharing and, to achieve security, fault-tolerance and verification functions for each step of these algorithms. These secure distributed algorithms provide the basis for constructing other distributed algorithms.
As for the security requirements of distributed computing, consider the following scenario. In a simple online sale of goods the participants are a buyer, a seller and a bank: the buyer provides purchase information and electronic money, the seller receives the purchase information and asks the bank to transfer the money, the bank transfers the money to the seller, and the seller then ships the product to the buyer. This is a typical distributed system. In this process each participant's input information must be kept private: the buyer's electronic money and amount, the seller's sales records and the bank's account information are private information that must be kept secret. At the same time, the sales process is a computation by the three parties that deducts the price of the goods from the user's electronic money, transfers that money to the seller and returns the remaining electronic money to the buyer, and this computation must guarantee the correctness of its result. Hence the essential security requirements of a distributed computation comprise two parts:
1) guarantee the secrecy of each participant's input to the computation;
2) guarantee the correctness of the result of the distributed computation;
and at the same time, as a practical system, the efficiency of the system's computation must also be guaranteed.
The object of the present invention is to provide an efficient and secure data processing method for addition and multiplication under distributed conditions. The invention draws on the idea of secure multi-party computation in cryptography, which is the theoretical foundation of secure protocol construction; the algorithm can be applied to e-commerce, e-government, online transactions and even the military networks that have recently emerged.
The problem solved by a secure multi-party computation protocol can be described as follows: n mutually distrusting participants $P_1, P_2, \dots, P_n$ wish to jointly compute an agreed function $y = f(x_1, x_2, \dots, x_n)$, where each participant $P_i$ provides one input $x_i$ of the function; for security, each participant's input must be kept secret from the others, and at the end everyone obtains $y$. A. C. Yao first proposed a two-party secure computation protocol in 1982. Later, Goldreich et al. proposed secure multi-party computation protocols for arbitrary functions under the cryptographic security model, proving that an n-secure protocol exists against a passive adversary and an (n-1)-secure protocol exists against an active adversary; D. Chaum, C. Crépeau and I. Damgård studied secure multi-party computation under the information-theoretic security model, proving that an (n-1)-secure protocol exists under passive attack and a ([n/2-1])-secure protocol exists under active attack. Since then, many scholars have studied how to improve the efficiency of secure multi-party computation protocols, how to define secure multi-party computation formally, how to tailor general protocols so that they apply more effectively to different application environments, new construction methods for such protocols, and the definition of adversary structures in secure multi-party computation.
Current proposals are usually based on theoretical results over Boolean algebra; at present no practical scheme or system exists at home or abroad, and research still addresses mainly security under a passive (eavesdropping) adversary or equipment failure. The main problems in existing research are: computation continuity is not considered; there is no comparatively systematic method under active attack; computation on general shared data cannot be supported; computational complexity is high; and communication cost is high. In particular, existing computation methods are built on Byzantine agreement protocols, the traffic between members is large, and these schemes are easily subjected to active attacks such as data tampering, added delay and dishonest execution. Addressing these problems, the present invention proposes a fault-tolerant computation and step-by-step verification method for distributed computing environments.
Summary of the invention:
The object of the present invention is to provide a cryptographic distributed computation and step-by-step verification method with fault tolerance, which makes secure multi-party data processing efficient and accurate, improving efficiency while guaranteeing security and consistency. In addition, the method of the invention adds the idea of error-correcting codes to the implementation of the algorithm for error detection and correction of the transmitted information, so that the correctness of the whole process is guaranteed.
Technical scheme of the present invention is:
A cryptographic distributed computation and step-by-step verification method with fault tolerance comprises the steps of:
1) each member independently performs the computation on the shared data it holds;
2) each member, according to the required access structure, randomly generates a random polynomial or random matrix from random data, and the members exchange with each other the data induced by this random polynomial or random matrix;
3) each member uses the received random-polynomial or random-matrix data to generate a joint random polynomial or joint random matrix;
4) the joint random polynomial or joint random matrix is used to re-share the computation result of step 1), and this re-shared result is distributed to every member;
5) it is judged whether the whole computing task is finished; if not, steps 1)~4) are repeated; if so, each member combines and reconstructs the re-shared data it received, obtaining a new share of the final computation result;
6) each member reconstructs the true final computation result by exchanging the said new shares with one another.
The said random generation of a random polynomial from random data, and the mutual exchange of the data induced by that polynomial, is carried out as follows: any member $P_i$ constructs a random bivariate polynomial $h_i(x,y)=\xi'_{i,1}xy+\dots+\xi'_{i,t-1}(xy)^{t-1}+v'_{i,1}y+\dots+v'_{i,t-1}y^{t-1}$ and sends the computed values to every member, where $x_j$ and $x_k$ are the mathematical representations of the members' identifiers ID, t is the total number of dishonest members and satisfies $n \ge 3t+1$, $k=1,2,\dots,n$, $i=1,2,\dots,n$, $j=1,2,\dots,n$, and n is the total number of members participating in the computation.
Each member uses the received random-polynomial data to generate the joint random polynomial as follows: member $P_i$ computes, from the $n \times n$ received data $h_l(x_i,x_k)$, $h_i(x_k)=\sum_{l=1}^{n} h_l(x_i,x_k)$, and from the n resulting data $\{h_i(x_1),h_i(x_2),\dots,h_i(x_n)\}$ generates the joint random bivariate polynomial $h_i(y)=\xi_1x_iy+\dots+\xi_{t-1}(x_iy)^{t-1}+v_1y+\dots+v_{t-1}y^{t-1}$, where $l\in\{1,2,\dots,n\}$, $k\in\{1,2,\dots,n\}$, $\xi_j=\sum_{l=1}^{n}\xi'_{l,j}$ and $v_j=\sum_{l=1}^{n}v'_{l,j}$ $(j=1,2,\dots,n)$.
Step 4) is implemented as follows: member $P_i$ computes from the data $\{h_i(x_1),h_i(x_2),\dots,h_i(x_n)\}$ the values $\tilde c_{i,k}=g_i(x_k)=\tilde c_i+h_i(x_k)$, generating a group of share fragments $\{\tilde c_{i,1},\tilde c_{i,2},\dots,\tilde c_{i,n}\}$, and sends $\tilde c_{i,j}$ to member $P_j$.
The new share in step 5) is generated as follows: member $P_j$ uses the group of share fragments $\{\tilde c_{1,j},\tilde c_{2,j},\dots,\tilde c_{n,j}\}$ it received to compute $c_j=\sum_{i=1}^{n}r_i\tilde c_{i,j}$, where $r_i=\sum_{j=1,j\neq i}^{n}j/(j-i)$ is the recombination vector.
In the said method, a checking method based on error-correcting codes is used to verify the random bivariate polynomial of step 2): $P_j$ uses the group of share fragments it received to compute $\sum_{i=1}^{n} w_i^{\,r}\cdot f_j(w_i)=0$, $r=1,2,\dots,n-2t+1$; if this equation is non-zero, a faulty member can be found, and the Welch-Berlekamp algorithm for Reed-Solomon codes is then used to locate and correct the error. Here $w_i$ is the mathematical representation of a member's identifier.
In step 2), when the data induced by the random polynomial are exchanged, once a member $P_j$ receives the random bivariate polynomial values $h_i(x_j,x_k)$ sent by member $P_i$, member $P_j$ checks the set $\{h_i(x_j,x_1),h_i(x_j,x_2),\dots,h_i(x_j,x_n)\}$ and corrects errors; further, member $P_j$ uses the joint random bivariate polynomial $h_i(x)$ to detect errors in the data set $\{h_i(x_1),h_i(x_2),\dots,h_i(x_n)\}$.
In step 4), when the re-shared result is distributed to every member, each member $P_j$ verifies the consistency of the sharing by checking the share fragments $\tilde c_{i,j}$ it receives.
In the said method, an honest verifier is used, and the consistency of the final computation result is verified using all the said new shares.
Further, in step 2), when the data induced by the random polynomial are exchanged, a verifiable secure sharing protocol is followed:
1) Distribution of shares: the dealer chooses two random polynomials of degree at most t-1 over $Z_q$:
$f(x)=\sum_{j=0}^{t-1}a_jx^j$, $g(x)=\sum_{j=0}^{t-1}b_jx^j$
where, for the secret value s to be verified and a value u, $a_0=s$ and $b_0=u$; the dealer keeps the polynomials secret but publishes the related commitments $C_j=g^{a_j}h^{b_j}$, $0\le j<t$. The dealer distributes the shares $s_i=f(x_i)$, $u_i=g(x_i)$ to $P_i$ over a private channel.
2) Verification of shares: $P_i$ uses the values $C_j$ to compute $E_i=\prod_{j=0}^{t-1}C_j^{x_i^j}$, uses g, h, $s_i$, $u_i$ to compute the commitment $E(s_i,u_i)=g^{s_i}h^{u_i}$, and checks the equation $E(s_i,u_i)=E_i$; if the dealer receives a complaint from a participant, this execution is rejected.
Here $a_j$ and $b_j$ are the random coefficients of the polynomials f(x) and g(x) ($j=0,\dots,t-1$), n is the total number of members participating in the computation, t is the total number of dishonest members, $x_k$ is the mathematical representation of a member's identifier ID, g is a generator of the group $G_p$, h is a public parameter satisfying $x=\log_g h$, and x is kept secret by the system as a key.
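The verifiable sharing step above, as an added example that is not the patent's own code: a dealer commits to both polynomials with $C_j = g^{a_j} h^{b_j}$ and each member checks $\prod_j C_j^{x_i^j} = g^{s_i} h^{u_i}$. The group is a constructed toy instance (p = 2q+1 with q = 1019, g of order q, h = g^x for a hidden x) chosen so it runs instantly; these parameters, the member identifiers x_i = i and the tampered share are all assumptions for illustration.

```python
"""Added example (not the patent's code): Pedersen-style verifiable sharing as in
step 2) of the description, over a constructed toy group of prime order q."""
import random

Q = 1019                 # constructed prime order of the subgroup; exponents live in Z_q
P = 2 * Q + 1            # 2039, a safe prime, so the subgroup of order q is the squares
G = 4                    # 2^2 mod p is a square and not 1, hence has order exactly q
assert pow(G, Q, P) == 1 and G != 1


def setup_h(secret_x):
    """h = g^x; x = log_g h is the key the system keeps secret."""
    return pow(G, secret_x, P)


def _eval(coeffs, x):
    """Evaluate a polynomial (coefficients low-degree first) in Z_q."""
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q


def distribute(s, u, t, xs, h):
    """Dealer: f(x) = sum a_j x^j with a_0 = s, g(x) = sum b_j x^j with b_0 = u,
    both of degree <= t-1.  Returns the public commitments C_j = g^{a_j} h^{b_j}
    and the private share pairs (s_i, u_i) = (f(x_i), g(x_i))."""
    a = [s % Q] + [random.randrange(Q) for _ in range(t - 1)]
    b = [u % Q] + [random.randrange(Q) for _ in range(t - 1)]
    commitments = [pow(G, aj, P) * pow(h, bj, P) % P for aj, bj in zip(a, b)]
    shares = [(_eval(a, x), _eval(b, x)) for x in xs]
    return commitments, shares


def verify_share(x_i, s_i, u_i, commitments, h):
    """Member P_i: E_i = prod_j C_j^{x_i^j} must equal g^{s_i} h^{u_i}.
    The exponent x_i^j is reduced mod q because every C_j has order q."""
    e_i = 1
    for j, c_j in enumerate(commitments):
        e_i = e_i * pow(c_j, pow(x_i, j, Q), P) % P
    return e_i == pow(G, s_i, P) * pow(h, u_i, P) % P


def run(seed=7, s=321, u=654, t=3, n=7):
    """Returns (all honest shares verify, a tampered share verifies)."""
    random.seed(seed)
    h = setup_h(random.randrange(1, Q))          # hidden x, as the description requires
    xs = list(range(1, n + 1))                   # member identifiers x_i = i (assumption)
    commitments, shares = distribute(s, u, t, xs, h)
    honest = all(verify_share(x, si, ui, commitments, h)
                 for x, (si, ui) in zip(xs, shares))
    # Constructed fault: the third member's s_3 is altered in transit.
    x3, (s3, u3) = xs[2], shares[2]
    tampered = verify_share(x3, (s3 + 1) % Q, u3, commitments, h)
    return honest, tampered
```

A member that finds the equation violated raises the complaint the text mentions; the check itself reveals nothing about s because the commitments are perfectly hiding as long as $\log_g h$ stays unknown.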
The present invention is built on distributed data sharing, or secret sharing. Data sharing or secret sharing is a security technique that distributes a secret among the members of a group so that only designated combinations of members can reconstruct the secret, while other members or member combinations cannot recover it. These designated combinations of members are called the "access structure"; different data determine their access structure according to their security requirements, so different data have different access structures. A design feature of the present invention is that, when computing on data in a shared state, it does not restrict the specific "data sharing method" or "access structure".
The invention holds that any complex distributed computing task can be decomposed into a series of simple distributed algebraic operations (addition, subtraction, multiplication and division between values), and that the whole distributed computation is secure only if each of these simple algebraic operations keeps the computation secure. The invention therefore mainly solves the distributed computation of these simple algebraic operations; specifically, it divides each distributed operation into the following 5 stages:
● Step 1, calculation stage:
Each member in the distributed environment independently performs the operation (addition, subtraction, multiplication, division, etc.) on the shared data it holds;
● Step 2, configuration stage:
Each member, according to the required access structure, randomly generates a random polynomial or random matrix from random data, and the members exchange the data induced by this polynomial or matrix;
● Step 3, recombination stage:
Each member uses the received random-polynomial or random-matrix data to generate the joint random polynomial or joint random matrix produced jointly by all members;
● Step 4, re-sharing stage:
The joint random polynomial or joint random matrix is used to re-share the result of the first step, and this re-shared result is distributed to every member;
● Step 5, reconstruction stage:
Each member combines and reconstructs the re-shared data it received, obtaining a new share of the final computation result.
For the result of the above five steps, each member can reconstruct the true computation result by exchanging shares with the others.
A characteristic of the invention is that the computational process performed by every participating member is the same, and the above steps are executed independently inside each member. The whole processing task is completed by the joint computation of all members: each member runs the same 5 stages, and the cooperation between members is realised through these 5 steps.
A notable feature of the invention is that the joint random polynomial or matrix adopted can be a general random bivariate polynomial, a simplified bivariate polynomial with cross terms, or a general access-structure matrix, which achieves resistance to an active adversary; in a passive-adversary environment a univariate polynomial may also be used.
Another characteristic of the invention is that it can guarantee the continuity of secure computation, prevent the access structure from changing, and can change the access structure of a result by secondary sharing. Computation continuity means that two or more operations can transition smoothly between one another. Because the distributed computation described here depends on the way data are shared, it can be shown that some operations change the "access structure" between before and after the operation, so that the shared result of the computation cannot be used in subsequent computations; even an operation on two data with the same access structure can change the access structure, for example "multiplication and division". The invention adopts the "configuration stage", "recombination stage" and "re-sharing stage" to perform a secondary sharing of the first-stage result whose "access structure" has changed, and removes the first sharing through the "reconstruction stage", so that the access structure of the second sharing replaces that of the first; the sharing structure obtained by this method is specified by the access structure of the "secondary sharing", and computation continuity is therefore guaranteed. In addition, a computation usually only needs to complete steps 1 to 4 above, and the result of step 4 can be used in later operations. Step 5 is optional in each operation: the final step is run only after the whole computing task is finished, to provide every member with the final computation result.
Another characteristic of the invention is that it can guard against computation errors and adversary attacks. In the above 5 steps, 3 data exchanges take place:
● the first is the exchange of random polynomials or random matrices in step 3;
● the second is the exchange of the joint random polynomial or joint random matrix in step 4;
● the third is the exchange and reconstruction of the re-shares in step 5.
The invention emphasises the security requirement: it uses the ideas of cryptographic commitment verification and error-correcting codes in the execution of the algorithm and adds a verification protocol, so that verification is realised during the execution of each step. The execution of the verification protocol is also divided into three steps:
● in the recombination stage of step 3, after each member has received its information, it can use the error-correcting-code method to detect and correct errors in the transmission;
● in the re-sharing stage of step 4, each member can verify the consistency of the re-sharing and can therefore detect transient errors and group errors occurring in the configuration stage and the re-sharing stage;
● in the reconstruction stage of step 5, each member obtains shares of the joint random polynomial or joint random matrix and can verify the consistency of the result by means of the error-correcting code.
Another characteristic of the invention is that it needs only low computational and communication complexity. The computation of the invention involves only random number selection, addition, multiplication and exponentiation in integers or a finite field, and the exponentiation involved can be decomposed into a bounded number of additions and multiplications, so it is simple to realise. Three data exchanges take place in the 5 steps above, and since step 5 is used only after all computations are finished, each operation needs only 2 exchanges; compared with multi-round Byzantine agreement protocols the traffic is reduced even further.
A notable feature of the invention is that the multi-party computation method proposed is not limited to polynomial-based sharing with a "threshold" access structure; it applies equally to general linear sharing schemes and access structures, for example data dispersal algorithms, information dispersal algorithms, general linear secret sharing and multiplicative linear secret sharing, and supports secret sharing structures under general access structures.
Beneficial effects of the invention:
In summary, the method and protocol of the invention achieve efficiency of the algorithm, fault tolerance and protocol security. In the computation of general algebraic operations (including addition, subtraction, multiplication and division), the invention overcomes the huge traffic and low algorithmic efficiency of traditional algorithms that must run a Byzantine consistency protocol; another characteristic of the invention is the proposed degree-reduction method for multiplication and division; in the verification phase the invention checks the correctness of each step of the operation; and in the secret sharing phase the invention adopts a verifiable secret sharing system, so that correctness and legitimacy of the algorithm are realised from the very beginning of the secret sharing.
Description of drawings:
Fig. 1 is a flow chart of the method of the invention.
Fig. 2 is a schematic diagram of the method of the invention in a specific implementation.
Embodiment:
The computing process of the invention is further described below with reference to a specific embodiment and the schematic diagram; the process applies to other distributed algebraic operations such as addition, subtraction, scalar multiplication, multiplication, division and exponentiation.
In this embodiment, suppose that n members participate in the computation, that a link exists between every pair of members, and that network delay can be neglected; each member has a unique identity $ID_i$, which can be represented as a positive number $x_i$ for use in computation. At the same time, suppose that at most t members in the system are controlled by the adversary or suffer equipment or network failure, and that $n \ge 3t+1$.
To realise multi-party computation, the secret computation inputs must first be distributed among the members; a sharing scheme based on random polynomials with threshold t is adopted here, and the specific linear sharing and reconstruction method is as follows:
Linear sharing and reconstruction: in the field $G_q$, given a secret value s, the sender randomly chooses t-1 random numbers $(r_1, r_2, \dots, r_{t-1})$ and forms the equation $f_s(x)=s+r_1x+\dots+r_{t-1}x^{t-1}$. For any member $P_i$ in the distributed computation (where $i\in[1,n]$ and n is the total number of members) with identity $ID_i$, the share of the secret s obtained by that member is $c_i=f_s(ID_i)$. If m (m ≥ t) members wish to recover the original secret value s from the shares $\{s_1,s_2,\dots,s_m\}$ they hold, they can solve $s=\sum_{i=1}^{m}r_is_i$, where $r_i=\sum_{j=1,j\neq i}^{n}j/(j-i)$, and $(r_1,r_2,\dots,r_n)$ is called a recombination vector.
Having distributed the computation inputs among the members, we wish to realise operations between these inputs; addition and multiplication are taken as examples here:
Ordinary multi-party computation: in the field $G_q$, two given secret values a, b are split by two polynomials $f_a(x)$, $f_b(x)$ of degree t-1 into share fragments $a_1,a_2,\dots,a_n$ and $b_1,b_2,\dots,b_n$, where each member $P_i$ holds $a_i$, $b_i$, $i=1,2,\dots,n$, and the members wish to compute a+b and ab. From the properties of polynomials:
the sum of $f_a(x)$ and $f_b(x)$ is
$f_{a+b}(x)=f_a(x)+f_b(x)=(a+b)+\gamma_1x+\dots+\gamma_{t-1}x^{t-1}$ (1)
the product of $f_a(x)$ and $f_b(x)$ is
$f_{ab}(x)=f_a(x)f_b(x)=ab+\lambda_1x+\dots+\lambda_{2(t-1)}x^{2(t-1)}$ (2)
The Lagrange interpolation formula lets us determine $f_{a+b}(x)$ and $f_{ab}(x)$ from t and (2t-1) distinct shares respectively. However, for the needs of computation continuity we wish to keep the degree of the polynomial unchanged, i.e. to turn (2) into a polynomial of degree t-1.
To realise the function of the invention, a random bivariate polynomial g(x,y) of degree t-1 in x and y with g(0,0)=c is selected. At the same time, every member must be able to obtain this polynomial, and the polynomial is generated randomly rather than assigned by one member, so all members must construct it jointly; this polynomial is called the "bivariate random joint polynomial". Without loss of generality, suppose that for any member $P_i$ ($i=1,2,\dots,n$) we have $g_i(y)=g(x_i,y)=\tilde c_i+\xi_1x_iy+\dots+\xi_{t-1}(x_iy)^{t-1}+v_1y+\dots+v_{t-1}y^{t-1}$; clearly $g_i(y)$ is a polynomial of degree t-1 in y. Then g(x,y) is generated from the $g_i(y)$. To prevent a dealer from obtaining other members' information, a configuration stage is added to the operation; the specific algorithm is as follows:
Computation Protocol
■ Algorithm input: n members jointly perform the operation c = a Θ b, where a and b are secret inputs and Θ can represent addition, subtraction, multiplication or division. Each member $P_i$ ($i=1,2,\dots,n$) holds a pair of shares $a_i$ and $b_i$ of the secret inputs.
■ Algorithm output: the computation result c = a Θ b, and each member obtains a share $c_1,c_2,\dots,c_n$ of the result c.
● calculation stages:
Known two secret value a, b shares fragment a 1, a 2..., a nAnd b 1, b 2..., b n, for i=1,2 ..., n, member P arbitrarily iCalculate
c ~ i = a i &Theta; b i ;
● Configuration phase:
Each member $P_i$ uses a pseudo-random number algorithm to construct a random bivariate polynomial
$h_i(x, y) = \xi'_{i,1} xy + \dots + \xi'_{i,t-1} (xy)^{t-1} + v'_{i,1} y + \dots + v'_{i,t-1} y^{t-1}$ (4)
and uses it to compute $h_i(x_j, x_k)$, where $x_j$ and $x_k$ are the mathematical representations of the members' IDs. It sends $h_i(x_j, x_k)$, $k = 1, 2, \dots, n$, to member $P_j$ ($j = 1, 2, \dots, n$).
● Recombination phase:
$P_i$ then collects all the values $h_l(x_i, x_k)$ sent to it, $l \in \{1, 2, \dots, n\}$ and $k \in \{1, 2, \dots, n\}$, i.e. $P_i$ receives $n \cdot n$ values altogether, and computes from them
$h_i(x_k) = \sum_{l=1}^{n} h_l(x_i, x_k)$ (5)
Thus $P_i$ obtains $n$ values $\{h_i(x_1), h_i(x_2), \dots, h_i(x_n)\}$, whose generating polynomial is the joint random bivariate polynomial
$h_i(y) = \xi_1 x_i y + \dots + \xi_{t-1} (x_i y)^{t-1} + v_1 y + \dots + v_{t-1} y^{t-1}$ (6)
where $\xi_j = \sum_{l=1}^{n} \xi'_{l,j}$ and $v_j = \sum_{l=1}^{n} v'_{l,j}$ ($j = 1, 2, \dots, t-1$).
● Re-sharing phase:
Every member $P_i$ uses the joint random bivariate polynomial $h_i(y)$ of degree $t-1$ to re-share $\tilde{c}_i$, i.e. from $\{h_i(x_1), h_i(x_2), \dots, h_i(x_n)\}$ it computes
$\tilde{c}_{i,k} = g_i(x_k) = \tilde{c}_i + h_i(x_k)$, $k = 1, 2, \dots, n$ (7)
which yields a set of shares $\{\tilde{c}_{i,1}, \tilde{c}_{i,2}, \dots, \tilde{c}_{i,n}\}$, and sends $\tilde{c}_{i,j}$ to $P_j$.
● Reconstruction phase:
Every member $P_j$ ($j = 1, 2, \dots, n$) receives a set of shares $\{\tilde{c}_{1,j}, \tilde{c}_{2,j}, \dots, \tilde{c}_{n,j}\}$ and computes from them
$c_j = \sum_{i=1}^{n} r_i \tilde{c}_{i,j}$ (8)
where $r_i = \sum_{j=1, j \neq i}^{n} j/(j-i)$ is the recombination vector.
Through the above steps every member $P_i$ obtains a share $c_i$ of $c = a \Theta b$, and all the shares $c_1, c_2, \dots, c_n$ together determine $c = a \Theta b$.
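The following Python simulation of the computation protocol above, for $\Theta$ = multiplication, is an added example and not code from the patent. It runs all $n$ members in one process over a constructed prime field, carries out the calculation, configuration, recombination, re-sharing and reconstruction phases exactly as equations (4), (5), (7) and (8) prescribe, and then shows the point of the degree reduction: the raw products $\tilde{c}_i$ sit on a degree $2t-2$ polynomial, but the output shares $c_j$ can be reconstructed from only $t$ of them. The recombination vector $r_i$ is computed here as the standard Lagrange product $\prod_{j \ne i} x_j / (x_j - x_i)$ for interpolation at zero; the member IDs $x_i = 1, \dots, n$, the field size and the function names are choices of this example.

```python
import random

# Prime field for the example: a constructed choice standing in for the page's G_q.
P = 2_147_483_647  # 2^31 - 1


def inv(a):
    """Multiplicative inverse in GF(P)."""
    return pow(a % P, P - 2, P)


def poly_eval(coeffs, x):
    """coeffs[0] + coeffs[1]*x + ... evaluated at x (Horner), low-degree coefficient first."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, n, t, rng):
    """Shamir sharing: random degree t-1 polynomial with constant term `secret`,
    evaluated at member IDs x_i = 1..n.  Returns [a_1, ..., a_n]."""
    poly = [secret % P] + [rng.randrange(P) for _ in range(t - 1)]
    return [poly_eval(poly, x) for x in range(1, n + 1)]


def lagrange_at_zero(xs):
    """Recombination vector r_i = prod_{j != i} x_j / (x_j - x_i): the Lagrange
    coefficients that evaluate the polynomial through the points (x_i, y_i) at 0."""
    r = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * xj % P
                den = den * (xj - xi) % P
        r.append(num * inv(den) % P)
    return r


def reconstruct(xs, ys):
    """Secret (value at 0) from shares ys held by the members with IDs xs."""
    return sum(ri * yi for ri, yi in zip(lagrange_at_zero(xs), ys)) % P


def multiply_shares(a_shares, b_shares, t, rng):
    """The page's computation protocol with Theta = multiplication, all n members
    simulated in one process.  Input: degree t-1 shares of a and b, n >= 2t-1 members.
    Output: degree t-1 shares c_1..c_n of a*b."""
    n = len(a_shares)
    ids = list(range(1, n + 1))

    # Calculation phase: c~_i = a_i * b_i, a share of the degree 2t-2 polynomial (2).
    c_tilde = [ai * bi % P for ai, bi in zip(a_shares, b_shares)]

    # Configuration phase: each P_i picks its own random bivariate polynomial (4),
    # h_i(x, y) = sum_m xi'_{i,m} (xy)^m + sum_m v'_{i,m} y^m, m = 1..t-1, no constant term.
    xi_prime = [[rng.randrange(P) for _ in range(t - 1)] for _ in range(n)]
    v_prime = [[rng.randrange(P) for _ in range(t - 1)] for _ in range(n)]

    def h(i, x, y):
        return sum(xi_prime[i][m] * pow(x * y, m + 1, P) + v_prime[i][m] * pow(y, m + 1, P)
                   for m in range(t - 1)) % P

    # P_l sends h_l(x_i, x_k), k = 1..n, to P_i.  Recombination phase, equation (5):
    # P_i adds up the n*n values it received: h_i(x_k) = sum_l h_l(x_i, x_k).
    h_joint = [[sum(h(l, ids[i], ids[k]) for l in range(n)) % P for k in range(n)]
               for i in range(n)]

    # Re-sharing phase, equation (7): c~_{i,k} = c~_i + h_i(x_k); c~_{i,k} is sent to P_k.
    reshared = [[(c_tilde[i] + h_joint[i][k]) % P for k in range(n)] for i in range(n)]

    # Reconstruction phase, equation (8): P_j computes c_j = sum_i r_i c~_{i,j} with the
    # degree 2t-2 recombination vector over all n IDs.  The xi' terms cancel because
    # sum_i r_i x_i^m = 0 for 1 <= m <= n-1, so c_j = ab + sum_m v_m x_j^m: degree t-1.
    r = lagrange_at_zero(ids)
    return [sum(r[i] * reshared[i][j] for i in range(n)) % P for j in range(n)]


def demo(a, b, n=7, t=2, seed=1):
    """Share a and b, multiply, then reconstruct a*b from two different sets of only t
    output shares (the raw products c~_i would have needed 2t-1 shares)."""
    rng = random.Random(seed)
    c_shares = multiply_shares(share(a, n, t, rng), share(b, n, t, rng), t, rng)
    ids = list(range(1, n + 1))
    return reconstruct(ids[:t], c_shares[:t]), reconstruct(ids[-t:], c_shares[-t:])
```

`demo(6, 7)` returns `(42, 42)`: members 1 and 2, and members 6 and 7, each recover the product from $t = 2$ output shares, which is only possible because the re-sharing brought the degree back from $2t-2$ to $t-1$. The simulation uses $n = 7 \ge 3t+1$ as the claims require; the protocol itself only needs $n \ge 2t-1$ for the recombination vector to exist.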
In the above computation, the random polynomial generated by each member in step 2 should be genuine and trustworthy, rather than arbitrary random numbers or data tampered with by an adversary, and this verification should be possible without learning anything about the secret or its shares. Zero-knowledge proofs from cryptography could obviously be used, but a simpler verification method with no error probability can be used instead; the concrete method is as follows:
(1) Checking method based on error-correcting codes
Here verification uses the theory of error-correcting codes. If the configuration phase is correct, and in the re-sharing phase $P_i$ sends the share $\tilde{c}_{i,j} = g_i(w_j)$ of $\tilde{c}_i = g_i(0)$ to $P_j$, then when $P_j$ receives the sequence $\{\tilde{c}_{1,j}, \tilde{c}_{2,j}, \dots, \tilde{c}_{n,j}\}$, the values in this sequence should all be points of the same polynomial $f_j(x) = g(x, w_j)$, which is of degree $2t-2$ in $x$. Hence $P_j$ can evaluate, from the received values, the equations
$\sum_{i=1}^{n} w_i^{\,r} \cdot f_j(w_i) = 0$, $r = 1, 2, \dots, n-2t+1$
where $w_i$ is the mathematical representation of the member's identity. If an equation is non-zero, the erroneous value can be found, and the Welch-Berlekamp algorithm for Reed-Solomon codes can then be used to locate and correct the error. The above verification method can therefore both detect and correct errors.
Combining the above error-correcting-code idea with the present invention, steps 2, 4 and 5 of the above algorithm each include a check, denoted criteria V1, V2 and V3 respectively. These criteria are defined as follows:
Verification Protocol
● Criterion V1: in the configuration phase, each member $P_j$ receives $h_i(x_j, x_k)$, $i, k \in [1, n]$, and can use error-correcting-code theory on the set $\{h_i(x_j, x_1), h_i(x_j, x_2), \dots, h_i(x_j, x_n)\}$ to detect and correct errors, because these elements are linked by the generating polynomial $h_i(x, y)$. If an error occurs, it comes from the data sent by $P_i$ to $P_j$. Further, $P_j$ can use the polynomial $h_i(x)$ to detect errors on the set $\{h_i(x_1), h_i(x_2), \dots, h_i(x_n)\}$.
● Criterion V2: in the re-sharing phase, each $P_j$ verifies the consistency of the received shares $\{\tilde{c}_{1,j}, \tilde{c}_{2,j}, \dots, \tilde{c}_{n,j}\}$, which are generated by the bivariate polynomial $g_i(x) = g(x, x_i)$. Such verification uncovers accidental errors and collusive errors in the configuration and re-sharing phases.
● Criterion V3: in the reconstruction phase, each participant $P_i$ holds a share $c_i$ of the degree-reduced polynomial; the consistency of the result can be verified from all the shares with the help of an honest verifier.
These criteria rely only on the concepts of error-correcting codes, not on any hardness assumption. The verification protocol guarantees that the honest members recover a unique secret.
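As an added illustration of the error-correcting-code check (criterion V2) and of the Welch-Berlekamp correction the text names, not code from the patent, the Python below treats the $n$ values $P_j$ receives as a Reed-Solomon codeword of a polynomial with $k = 2t-1$ coefficients and solves the Welch-Berlekamp key equation $Q(w_i) = y_i E(w_i)$ for a monic error locator $E$ of degree $e$ and a polynomial $Q$ of degree at most $e + k - 1$; with $n \ge k + 2e$ the quotient $Q/E$ is the sent polynomial $f_j$, and the received values that disagree with it identify the faulty senders. The field, the member IDs $w_i = 1, \dots, n$, the sample polynomial and the corrupted positions are constructed for the example; setting $e = 0$ gives the pure consistency check, which reports an inconsistency without correcting it.

```python
# Prime field for the example (constructed choice; the page's G_q is any prime field).
P = 2_147_483_647


def inv(a):
    return pow(a % P, P - 2, P)


def poly_eval(coeffs, x):
    """coeffs[0] + coeffs[1] x + ... evaluated at x over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def solve_mod_p(rows, rhs):
    """Gauss-Jordan elimination over GF(P).  Returns one solution (free unknowns set
    to 0) or None when the system is inconsistent."""
    m, ncols = len(rows), len(rows[0])
    A = [r[:] + [b % P] for r, b in zip(rows, rhs)]
    pivots, row = [], 0
    for col in range(ncols):
        if row == m:
            break
        piv = next((r for r in range(row, m) if A[r][col]), None)
        if piv is None:
            continue
        A[row], A[piv] = A[piv], A[row]
        s = inv(A[row][col])
        A[row] = [v * s % P for v in A[row]]
        for r in range(m):
            if r != row and A[r][col]:
                f = A[r][col]
                A[r] = [(vr - f * vp) % P for vr, vp in zip(A[r], A[row])]
        pivots.append((row, col))
        row += 1
    if any(A[r][ncols] for r in range(row, m)):
        return None  # an all-zero row with a non-zero right-hand side: nothing fits
    x = [0] * ncols
    for r, c in pivots:
        x[c] = A[r][ncols]
    return x


def poly_divmod(num, den):
    """Long division of coefficient lists (low degree first); den must be monic."""
    num = num[:]
    d = len(den) - 1
    if len(num) <= d:
        return [0], num
    quot = [0] * (len(num) - d)
    for i in range(len(num) - 1, d - 1, -1):
        c = num[i]
        quot[i - d] = c
        if c:
            for j in range(d + 1):
                num[i - d + j] = (num[i - d + j] - c * den[j]) % P
    return quot, num[:d]


def welch_berlekamp(xs, ys, k, e):
    """Decode values of a polynomial with k coefficients (degree <= k-1) when at most e
    of the n values are wrong, n >= k + 2e.  Unknowns: Q (e+k coefficients) and the
    monic error locator E (e coefficients below the leading 1).  Returns (coefficients
    of f, indices of wrong values) or None if more than e values are wrong."""
    assert len(xs) >= k + 2 * e
    rows, rhs = [], []
    for x, y in zip(xs, ys):
        q_part = [pow(x, m, P) for m in range(e + k)]
        e_part = [(-y * pow(x, m, P)) % P for m in range(e)]
        rows.append(q_part + e_part)
        rhs.append(y * pow(x, e, P))  # y * (leading term of E) moved to the right
    sol = solve_mod_p(rows, rhs)
    if sol is None:
        return None
    f, rem = poly_divmod(sol[:e + k], sol[e + k:] + [1])
    if any(rem):
        return None
    errs = [i for i, (x, y) in enumerate(zip(xs, ys)) if poly_eval(f, x) != y]
    return (f, errs) if len(errs) <= e else None


def check_reshared_values(ws, received, t):
    """Criterion V2 in the page's setting: the n values c~_{i,j} that P_j received must
    lie on f_j(x) = g(x, w_j) of degree 2t-2, i.e. k = 2t-1 coefficients.  Up to
    (n-k)//2 faulty senders are located and their values corrected.
    Returns (corrected values, IDs of faulty senders) or None."""
    n, k = len(ws), 2 * t - 1
    res = welch_berlekamp(ws, received, k, (n - k) // 2)
    if res is None:
        return None
    f, errs = res
    return [poly_eval(f, w) for w in ws], [ws[i] for i in errs]


def demo():
    """Constructed sample: t = 2, n = 7; the senders with IDs 2 and 5 deliver wrong values."""
    f_j = [5, 3, 7]                      # a degree 2t-2 = 2 polynomial, constant term 5
    ws = list(range(1, 8))
    good = [poly_eval(f_j, w) for w in ws]
    received = good[:]
    received[1] = (received[1] + 11) % P
    received[4] = (received[4] + 99) % P
    return good, check_reshared_values(ws, received, 2)
```

`demo()` returns the clean values together with `([15, 39, 77, 129, 195, 275, 369], [2, 5])`: both corrupted values are repaired and the two faulty senders are named, which is what lets an honest $P_j$ continue the protocol instead of aborting. With $n = 7$ and $k = 3$ the decoder tolerates $(7-3)/2 = 2$ wrong values; a third wrong value is detected but can no longer be corrected, which is the reason the claims demand $n \ge 3t+1$ rather than the bare $2t-1$ needed for reconstruction.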
(2) Checking method based on verifiable secret sharing
Verifiable secret sharing plays an important role in protocol construction and in secure multiparty computation. Another effective attack on the embodiment of the present invention is modification of the construction of the random polynomial in step 2, including adding a constant term, raising the degree of the polynomial, or inserting outliers. Checking for these attacks with information-theoretic security is difficult and costly, so a detection method based on computational security is proposed here. The method combines the polynomial sharing framework with a commitment function over $G_p$, relies on the hardness of the discrete logarithm problem over a finite field, and requires no interaction between members; it is therefore also called a non-interactive verifiable secret sharing protocol.
In this embodiment, this secure sharing protocol guarantees that a member's random polynomial is distributed to every member of the system while the correctness and legitimacy of the random polynomial are ensured; it also solves the problem of efficiently sharing a secret from the field $G_p$. To this end, assume a group $G_p$ with generator $g$, and let $h$ be a public parameter satisfying $x = \log_g h$, where $x$ is kept secret by the system as a key. The verifiable secret sharing protocol is defined as follows:
Verifiable Secret Sharing Protocol (VSSP)
● Share distribution: the dealer chooses two random polynomials over $Z_q$ of degree at most $t-1$:
$f(x) = \sum_{j=0}^{t-1} a_j x^j$, $g(x) = \sum_{j=0}^{t-1} b_j x^j$
where $a_0 = s$ and $b_0 = u$. The dealer keeps the polynomials secret but publishes the commitments $C_j = g^{a_j} h^{b_j}$, $0 \le j < t$, and distributes the shares $s_i = f(x_i)$, $u_i = g(x_i)$ to $P_i$ over a private channel.
● Share verification: $P_i$ uses the values $C_j$ to compute $E_i = \prod_{j=0}^{t-1} C_j^{x_i^j}$. Using $g$, $h$, $s_i$ and $u_i$, $P_i$ computes the commitment $E(s_i, u_i) = g^{s_i} h^{u_i}$ and checks the equation
$E(s_i, u_i) = E_i$
If the dealer receives a complaint from a participant, it rejects the current execution.
The protocol holds because $E(s_i, u_i) = g^{\sum_{j=0}^{t-1} a_j x_i^j} \, h^{\sum_{j=0}^{t-1} b_j x_i^j} = E_i$. When the random polynomial of step 2 is verified, member $P_i$ must replace $f(x)$ by $h_i(x, y)$ of equation (4), which increases the number of polynomial terms, and $g(x)$ is likewise adjusted to the form of $h_i(x, y)$, with $C_j = g^{v'_j} h^{b_j}$ and $C'_j = g^{\xi'_j} h^{b'_j}$, $0 \le j < t$; furthermore $s = 0$ and $u = 0$, so that the constant term is guaranteed to be empty. In the verification of the re-sharing, $E_i = \prod_{j=1}^{t-1} C'^{\,x_i^j y_i^j}_j \, C_j^{\,y_i^j}$.

Claims (10)

1. A cryptographic distributed computation and step-by-step verification method with fault tolerance, the steps of which are:
1) each member independently completes a computation on its own shares;
2) each member, according to the required access structure, selects data at random to generate a random polynomial or random matrix, and exchanges with the other members the data induced from this random polynomial or random matrix;
3) each member uses the received random polynomial or random matrix data to generate a joint random polynomial or joint random matrix;
4) the joint random polynomial or joint random matrix is used to re-share the result of step 1), and this re-shared result is distributed to each member;
5) it is judged whether the whole computation task is finished; if not, steps 1) to 4) are repeated; if it is, each member combines and reconstructs the received re-shared data to obtain a new share of the final result;
6) each member reconstructs the true final result by exchanging the new shares with the others.
2. The method of claim 1, wherein selecting data at random to generate a random polynomial and exchanging the data induced from this random polynomial is done as follows: every member $P_i$ constructs a random bivariate polynomial $h_i(x, y) = \xi'_{i,1} xy + \dots + \xi'_{i,t-1} (xy)^{t-1} + v'_{i,1} y + \dots + v'_{i,t-1} y^{t-1}$ and sends the computed values $h_i(x_j, x_k)$ to every member, where $x_j$ and $x_k$ are the mathematical representations of the members' IDs, $t$ is the total number of dishonest members with $n \ge 3t+1$, $k = 1, 2, \dots, n$, $i = 1, 2, \dots, n$, $j = 1, 2, \dots, n$, and $n$ is the total number of members participating in the computation.
3. The method of claim 2, wherein each member uses the received random polynomial data to generate the joint random polynomial as follows: the member $P_i$ computes $h_i(x_k) = \sum_{l=1}^{n} h_l(x_i, x_k)$ from the $n \cdot n$ received values $h_l(x_i, x_k)$, and from the $n$ values $\{h_i(x_1), h_i(x_2), \dots, h_i(x_n)\}$ so obtained generates the joint random bivariate polynomial $h_i(y) = \xi_1 x_i y + \dots + \xi_{t-1} (x_i y)^{t-1} + v_1 y + \dots + v_{t-1} y^{t-1}$, where $l \in \{1, 2, \dots, n\}$, $k \in \{1, 2, \dots, n\}$, $\xi_j = \sum_{l=1}^{n} \xi'_{l,j}$ and $v_j = \sum_{l=1}^{n} v'_{l,j}$ ($j = 1, 2, \dots, t-1$).
4. The method of claim 3, wherein step 4) is implemented as follows: the member $P_i$ computes $\tilde{c}_{i,k} = g_i(x_k) = \tilde{c}_i + h_i(x_k)$ from the data $\{h_i(x_1), h_i(x_2), \dots, h_i(x_n)\}$, generating a set of shares $\{\tilde{c}_{i,1}, \tilde{c}_{i,2}, \dots, \tilde{c}_{i,n}\}$, and sends $\tilde{c}_{i,j}$ to member $P_j$.
5. The method of claim 4, wherein the new shares of step 5) are generated as follows: the member $P_j$ uses the received set of shares $\{\tilde{c}_{1,j}, \tilde{c}_{2,j}, \dots, \tilde{c}_{n,j}\}$ to compute $c_j = \sum_{i=1}^{n} r_i \tilde{c}_{i,j}$, where $r_i = \sum_{j=1, j \neq i}^{n} j/(j-i)$ is the recombination vector.
6. The method of claim 4, wherein the random bivariate polynomial of step 2) is verified with the checking method based on error-correcting codes, as follows: $P_j$ uses the received set of shares $\{\tilde{c}_{1,j}, \tilde{c}_{2,j}, \dots, \tilde{c}_{n,j}\}$ to compute $\sum_{i=1}^{n} w_i^{\,r} \cdot f_j(w_i) = 0$, $r = 1, 2, \dots, n-2t+1$; if an equation is non-zero, the erroneous member can be found, and the Welch-Berlekamp algorithm for Reed-Solomon codes is then used to locate and correct the error; here $w_i$ is the mathematical representation of the member's identity.
7. The method of claim 3, wherein in step 2), when the data induced from the random polynomial is exchanged, after a member $P_j$ receives the random bivariate polynomial values $h_i(x_j, x_k)$ sent by member $P_i$, the member $P_j$ checks the set $\{h_i(x_j, x_1), h_i(x_j, x_2), \dots, h_i(x_j, x_n)\}$ and corrects errors in it; further, the member $P_j$ uses the joint random bivariate polynomial $h_i(x)$ to detect errors on the data set $\{h_i(x_1), h_i(x_2), \dots, h_i(x_n)\}$.
8. The method of claim 4, wherein in step 4), when the re-shared result is distributed to each member, each member $P_j$ verifies the consistency of the shares by checking the received shares $\{\tilde{c}_{1,j}, \tilde{c}_{2,j}, \dots, \tilde{c}_{n,j}\}$.
9. The method of claim 1, wherein an honest verifier is employed and all the new shares are used to verify the consistency of the final result.
10. The method of claim 1, wherein in step 2) the exchange of the data induced from the random polynomial follows a verifiable secret sharing protocol:
1) Share distribution: the dealer chooses two random polynomials over $Z_q$ of degree at most $t-1$:
$f(x) = \sum_{j=0}^{t-1} a_j x^j$, $g(x) = \sum_{j=0}^{t-1} b_j x^j$
where, for the secret values $s$ and $u$ to be checked, $a_0 = s$ and $b_0 = u$; the dealer keeps the polynomials secret but publishes the commitments $C_j = g^{a_j} h^{b_j}$, $0 \le j < t$, and distributes the shares $s_i = f(x_i)$, $u_i = g(x_i)$ to $P_i$ over a private channel;
2) Share verification: $P_i$ uses the values $C_j$ to compute $E_i = \prod_{j=0}^{t-1} C_j^{x_i^j}$; using $g$, $h$, $s_i$ and $u_i$, $P_i$ computes the commitment $E(s_i, u_i) = g^{s_i} h^{u_i}$ and checks the equation $E(s_i, u_i) = E_i$; if the dealer receives a complaint from a participant, it rejects this execution;
where $a_j$ and $b_j$ ($j = 0, \dots, t-1$) are the random coefficients of the polynomials $f(x)$ and $g(x)$, $n$ is the total number of members participating in the computation, $t$ is the total number of dishonest members, $x_k$ is the mathematical representation of a member's ID, $g$ is a generator of the group $G_p$, and $h$ is a public parameter satisfying $x = \log_g h$, with $x$ kept secret by the system as a key.
CN2008101111909A 2007-11-13 2008-06-12 Cryptography distributed calculation and step-by-step verification method with fault-tolerant function Expired - Fee Related CN101325596B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101111909A CN101325596B (en) 2007-11-13 2008-06-12 Cryptography distributed calculation and step-by-step verification method with fault-tolerant function

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN200710177251 2007-11-13
CN200710177251.7 2007-11-13
CN2008101111909A CN101325596B (en) 2007-11-13 2008-06-12 Cryptography distributed calculation and step-by-step verification method with fault-tolerant function

Publications (2)

Publication Number Publication Date
CN101325596A true CN101325596A (en) 2008-12-17
CN101325596B CN101325596B (en) 2011-06-15

Family

ID=40188920

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101111909A Expired - Fee Related CN101325596B (en) 2007-11-13 2008-06-12 Cryptography distributed calculation and step-by-step verification method with fault-tolerant function

Country Status (1)

Country Link
CN (1) CN101325596B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101815081B (en) * 2008-11-27 2013-04-03 北京大学 Distributed calculation logic comparison method
CN113434886A (en) * 2021-07-01 2021-09-24 支付宝(杭州)信息技术有限公司 Method and device for jointly generating data tuples for security calculation

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1917464A (en) * 2006-09-01 2007-02-21 清华大学 Distribution type task assignment and computation method based on lower bound to be raised step by step

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101815081B (en) * 2008-11-27 2013-04-03 北京大学 Distributed calculation logic comparison method
CN113434886A (en) * 2021-07-01 2021-09-24 支付宝(杭州)信息技术有限公司 Method and device for jointly generating data tuples for security calculation
CN113434886B (en) * 2021-07-01 2022-05-17 支付宝(杭州)信息技术有限公司 Method and device for jointly generating data tuples for secure computation

Also Published As

Publication number Publication date
CN101325596B (en) 2011-06-15


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110615

Termination date: 20140612

EXPY Termination of patent right or utility model