CN105827402B - Distributed publicly verifiable random number generation method - Google Patents
Distributed publicly verifiable random number generation method
Publication number: CN105827402B (application CN201610328910.1A, publication CN105827402A)
Authority: CN (China)
Prior art keywords: participant, verify, public, random number, private key
Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Expired - Fee Related
Classifications: H04L9/0869 (generation of secret information, including derivation of cryptographic keys or passwords, involving random numbers or seeds); G06F7/588 (random number generators based on natural stochastic processes)
Abstract
The invention discloses a distributed publicly verifiable random number generation method in which the participants jointly generate a random number and publish ciphertexts during generation so that the process can be verified. Unpredictability requires the random number to remain secret until it is published, while public verifiability requires some information to be disclosed for verification; resolving the tension between these two properties is one of the main contributions of this patent. The second contribution is the removal of the trusted third party from verifiable random number generation: on the one hand this prevents any single participant from learning the result in advance, which improves the security of the protocol, and on the other hand it removes the single point of failure, which improves the robustness of the protocol.
Description
Technical field
The invention belongs to the field of cryptography and information security, and in particular relates to a publicly verifiable random number generation method.
Background technique
Random numbers are an important component of information technology and have long played an important role in many areas of daily life. For example, China's lottery industry has grown explosively in recent years, and random numbers decide the winning numbers; several Chinese cities have introduced license-plate lotteries to relieve traffic congestion, and random numbers decide the allocation of new plates; in the many software and hardware systems and computer networks that use security protocols such as key generation and identity authentication, random numbers determine the security level of the system. Across these applications random numbers are therefore a key factor in large financial interests, fairness and security, and how to generate high-quality random numbers has always been an active research direction in information security.
It is generally held that a random number should have two properties: 1) randomness: every generated number should be uniformly distributed over the output space; 2) unpredictability: the next number in the output space cannot be predicted. Many methods exist today for generating random numbers of various kinds: true random numbers can be extracted from physical noise sources such as ionizing-radiation pulse detectors, gas-discharge tubes and leaky-capacitor generators, but because of their high cost these methods are normally used only to produce a limited quantity of random numbers; pseudo-random number generators (such as the ANSI X9.17 standard) can efficiently produce large quantities of pseudo-random numbers from a small amount of true randomness used as a seed. However, because the generation and use of random numbers lack transparency, problems caused by the improper use of random numbers have appeared again and again at home and abroad: in 2009 FIFA was repeatedly accused of manipulating the group-stage draw of the World Cup by heating the draw balls; the "BEAST attack" vulnerability found in the TLS protocol in 2011 was caused by improper initialization of random numbers and could have leaked private information such as passwords and credit card numbers of hundreds of millions of Internet users worldwide; in 2015 the US lottery executive Eddie Tipton was found to have manipulated lottery results at least three times, winning himself more than 22 million dollars in prizes.
In response to this series of problems, academia and research institutions at home and abroad have recently carried out extensive research on verifiable random numbers; the main idea is to ensure, through mathematically based verification, that random numbers are generated and used correctly. Turing Award winner Micali et al. of MIT first proposed the concept and theoretical model of verifiable random numbers in 1999, but gave no concrete construction. In later research, Lysyanskaya et al. proposed a random number generation method based on a key-exchange protocol; Dodis et al. proposed a random number generation method based on bilinear groups; and Naor et al. studied how to generate random functions in a distributed way, from which verifiable random numbers can be derived via verifiable random functions. In 2010, Liu Yi of Guilin University of Electronic Technology and Chen Xiaofeng of Xidian University et al. proposed a verifiable random number construction based on Lagrange interpolation; it generates random numbers quickly and lets each participating user individually verify the generation of the random number it took part in. The prior art still has limitations, however: 1) the scheme needs a trusted third party; 2) only the participants who generated the random number can verify its security and validity, and nobody else can.
Summary of the invention:
To overcome the above defects of the background art, the present invention proposes a distributed publicly verifiable random number generation method without a trusted third party, based on verifiable secret sharing and a distributed design.
The technical solution adopted by the invention to solve the above technical problem is as follows:
A distributed publicly verifiable random number generation method, comprising:
Step 1, initialize the discrete-logarithm environment, and each participant generates its own public/private key pair;
Step 2, verify whether each public/private key pair matches, reject the participants whose key pairs do not match, and call the remaining participants the first-round retained participants;
Step 3, each first-round retained participant selects t true random numbers as polynomial coefficients, generates its own polynomial of degree t-1, and publishes n encrypted secret shares of the polynomial;
Step 4, verify whether each encrypted secret share is correct, reject the first-round retained participants that published incorrect encrypted shares, and call the remaining participants the second-round retained participants;
Step 5, each second-round retained participant homomorphically multiplies the n encrypted secret shares it received into one ciphertext that encrypts the sum of its secret shares;
Step 6, each second-round retained participant decrypts the received encrypted secret shares with its own private key and obtains its secret share;
Step 7, verify whether each second-round retained participant decrypted correctly, reject those that decrypted incorrectly, and call the remaining participants the honest participants;
Step 8, interpolate over the secret shares of the honest participants to obtain the final publicly verifiable random number R.
Preferably, in step 1, initializing the discrete-logarithm environment specifically means:
Choose primes p and q with p = 2q + 1, so that p - 1 is a multiple of q;
Find generators g and h of G_q, where G_q is the cyclic subgroup of order q of Z_p^*, Z_p^* is the set of elements of {0, 1, ..., p-1} coprime to p, and h = r^{(p-1)/q} mod p with h ≠ 1, r being a random number selected in Z_p^*.
Preferably, in step 1, each participant P_i generates its own public/private key pair, consisting of a private key x_i and a public key y_i; the private key x_i is an odd number selected at random in Z_q, and the public key y_i is derived from it (the formula is not reproduced in this text), where Z_q is the ring of residue classes modulo q.
Preferably, in step 2, verifying whether a public/private key pair matches specifically includes: each participant P_i publishes a complete proof (w_i, c_i, s_i) to the public and to the other participants, with c_i = hash(w_i || y_i) and s_i = r_i + x_i c_i mod q, where r_i is a random number selected by P_i in Z_q and w_i is the commitment to r_i (its formula is not reproduced in this text); the public and the other participants check whether the verification equation (not reproduced in this text) holds: if it holds, the key pair published by P_i matches, otherwise it does not.
Preferably, step 3 specifically means:
Each participant P_i selects t random numbers a_{i0}, a_{i1}, ..., a_{i,t-1} in Z_q and uses them as the coefficients of the polynomial of degree t-1 f_i(x) = a_{i0} + a_{i1} x + a_{i2} x^2 + ... + a_{i,t-1} x^{t-1} mod q, and sets the secret s_i = a_{i0};
Each participant P_i publishes commitments to the coefficients of f_i(x) for k = 0, 1, 2, ..., t-1 and the encrypted secret shares Y_{ij} for j = 1, 2, ..., n, where y_j is the public key of participant P_j (the commitment and encryption formulas are not reproduced in this text).
Preferably, in step 4, verifying whether each encrypted secret share is correct specifically includes:
Each participant P_i publishes the public information (w_{1,ij}, w_{2,ij}, c_{ij}, s_{ij}), where c_{ij} = hash(w_{1,ij} || X_{ij} || w_{2,ij} || Y_{ij}) and s_{ij} = r_{ij} + f_i(j) c_{ij} mod q, r_{ij} being a random number selected in Z_q;
The other participants and the public check whether the two verification equations (not reproduced in this text) hold: if so, the encrypted secret share is correct, otherwise it is incorrect, where r_{ij} and δ_{ij} are random numbers selected in Z_q.
Preferably, step 5 specifically means: each second-round retained participant P_j uses the additive homomorphism of the secret sharing to multiply all the Y_{ij} values it received, obtaining the combined ciphertext γ_j (formula not reproduced in this text).
Preferably, step 6 specifically means:
Each second-round retained participant P_j decrypts γ_j with its own private key x_j to obtain its secret share S_j (formula not reproduced in this text), where x_j^{-1} denotes the inverse of x_j in the group modulo q.
Preferably, in step 7, verifying whether each second-round retained participant decrypted correctly specifically includes:
Each second-round retained participant P_j publishes the public information (w_{1j}, w_{2j}, c_j, s_j), with c_j = hash(w_{1j} || y_j || w_{2j} || γ_j) and s_j = r_j + x_j c_j mod q;
The other participants and the public check whether the two verification equations (not reproduced in this text) hold, where r_j and δ_j are random numbers selected in Z_q: if they hold, the decryption by P_j is correct, otherwise it is incorrect.
Preferably, in step 8, interpolating over the secret shares of the honest participants to obtain the final publicly verifiable random number R specifically means computing R by the interpolation formula (not reproduced in this text).
The present invention provides a publicly verifiable random number generation method without a trusted third party, in which the participants jointly generate the random number and publish ciphertexts during generation for verification. Unpredictability requires the random number to remain secret before publication, while public verifiability requires some information to be disclosed for verification; resolving the tension between these two properties is one of the main contributions of this patent. The second contribution is the removal of the trusted third party from verifiable random number generation: on the one hand this prevents any single participant from learning the result in advance, improving the security of the protocol, and on the other hand it removes the single point of failure, improving robustness. The invention generates random numbers using a distributed design and needs no trusted third party. Compared with existing methods, the new method improves security; the random number it generates has the following security properties: randomness, meaning that if all participants (the parties taking part in generating the random number) execute the protocol correctly, the output has good randomness; unpredictability, meaning that the random number produced by the protocol is private and cannot be predicted before it is output; public verifiability, meaning that the randomness and unpredictability of the protocol can be publicly verified by anyone; and robustness, meaning that even if a minority of participants refuse to execute the protocol or execute it incorrectly, the protocol still outputs a correct and valid result. Compared with existing methods, the random number generation process of the invention can be verified not only by the participants of the protocol but by everyone else, which improves transparency. The randomness and unpredictability of the generated random number can be proven secure. All information in the invention is transmitted over a public channel, so the method has a small computational cost, runs fast and is highly secure.
Detailed description of the invention
Fig. 1 is the flow chart of the embodiment of the present invention.
Specific embodiment
The invention is further described below with reference to the drawings and an embodiment.
A distributed publicly verifiable random number generation method comprises:
Step 1, initialize the discrete-logarithm environment, and each participant generates its own public/private key pair. This mainly covers the security level of the system, the two large primes of the discrete-logarithm environment and the generator of a finite cyclic group. Each participant generates a key pair satisfying certain conditions; only the participant knows its private key, while all public keys are public.
Step 1.1, initialize the discrete-logarithm environment:
Choose primes p and q with p = 2q + 1, so that p - 1 is a multiple of q;
Find generators g and h of G_q, where G_q is the cyclic subgroup of order q of Z_p^*, Z_p^* is the set of elements of {0, 1, ..., p-1} coprime to p, and h = r^{(p-1)/q} mod p with h ≠ 1, r being a random number selected in Z_p^*.
Specifically, define G_q as the cyclic subgroup of Z_p^* of order q. Find a generator g of G_q, then choose a number r at random in Z_p^* and compute h = r^{(p-1)/q} mod p. If h = 1, choose r again until h ≠ 1. The purpose of this computation is to obtain a second generator h of G_q such that nobody knows the discrete logarithm of h with respect to g. In this embodiment, unless stated otherwise, all operations are modulo p.
Step 1.2, each participant P_i generates its own public/private key pair. Each participant proves through a non-interactive zero-knowledge identification protocol that it possesses its private key, and everyone else can use its public key and the system parameters to verify that it possesses the private key and that the private key satisfies the required condition. The key pair consists of the private key x_i and the public key y_i; x_i is an odd number selected at random in Z_q, and y_i is the corresponding public key (formula not reproduced in this text), where Z_q is the ring of residue classes modulo q.
Each participant P_i selects an odd number x_i at random in Z_q as its private key and registers the corresponding public key y_i (formula not reproduced). The oddness of x_i guarantees gcd(x_i, p-1) = 1 (gcd() denotes the greatest common divisor), which can be verified by checking whether the Legendre symbol (not reproduced in this text) equals -1. Here P_i denotes the i-th participant and x_i the odd number chosen by the i-th participant; below, the index i is used in the same way to mean "the i-th".
Step 2, verify whether each public/private key pair matches, reject the participants whose key pairs do not match, and call the remaining participants the first-round retained participants. In this step each participant P_i must prove that it possesses its private key, i.e. that its key pair matches. The verification specifically includes:
Each participant P_i publishes a complete proof (w_i, c_i, s_i) to the public and to the other participants, with c_i = hash(w_i || y_i) and s_i = r_i + x_i c_i mod q, where r_i is a random number selected by P_i in Z_q; the public and the other participants check whether the verification equation (not reproduced in this text) holds: if it holds, the key pair published by P_i matches, otherwise it does not.
The complete proof (w_i, c_i, s_i) published by each participant P_i is generated as follows:
1) each participant P_i selects a random number r_i ∈_R Z_q and builds the commitment w_i (formula not reproduced in this text);
2) each participant P_i computes the challenge c_i = hash(w_i || y_i) (|| denotes concatenation: a || b is a followed by b), where hash() is a secure hash function;
3) then P_i computes the response s_i = r_i + x_i c_i mod q.
Each participant then shares the polynomial it generated in the previous step among all participants using verifiable secret sharing. Each polynomial is split into n sub-shares, and the polynomial can only be recovered from t or more sub-shares. In this process each participant publishes the n sub-shares of its own polynomial and receives n sub-shares of all the other polynomials. Every sub-share is encrypted with the recipient's public key before it is sent, so sending a share is exactly the act of publishing its ciphertext.
A complete proof consists of (w_i, c_i, s_i). After P_i broadcasts it, anyone can use this public information to check whether the verification equation (not reproduced in this text) holds. In particular, a verifier that wants to verify several users at once can batch the checks with the batch equation (not reproduced in this text), where the δ_i are random numbers in Z_q. If the batch equation holds, all participants know their private keys. Otherwise at least one participant does not know its private key; the verifier can then check each participant individually to find the dishonest ones and remove them from the protocol.
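Steps 1 and 2 (group setup, key generation, the key-possession proof and its batch check), as an added runnable example; it is not code from the patent or from any implementation of it. Because the commitment, verification and batch equations are not reproduced on this page, the example assumes the standard Schnorr form (w_i = h^{r_i}, check h^{s_i} = w_i y_i^{c_i}), takes the public key to be y_i = h^{x_i} (consistent with the decryption-proof tuple (h, y_j, S_j, γ_j) of step 7), uses SHA-256 reduced modulo q as hash(), and uses the usual random-linear-combination form for the δ_i batch check. The primes p = 2039, q = 1019 are constructed toy values that are far too small for real use.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters with p = 2q + 1 and both prime (assumption: a real
# deployment uses primes of at least 2048 bits; these values only keep the demo fast).
Q = 1019
P = 2 * Q + 1  # 2039


def hash_mod_q(*parts):
    """The page's hash(): here SHA-256 over the '||'-joined decimal values, reduced into
    Z_q (the patent leaves the hash function unspecified; this choice is an assumption)."""
    data = "||".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def find_generator():
    """Step 1.1: pick r in Z_p^* at random and set h = r^((p-1)/q) mod p, retrying while
    h == 1. Any such h != 1 generates the order-q subgroup G_q of Z_p^*."""
    while True:
        r = secrets.randbelow(P - 2) + 2
        h = pow(r, (P - 1) // Q, P)
        if h != 1:
            return h


G = find_generator()
H = find_generator()  # second generator; log_G(H) is unknown because r was random


def keygen():
    """Step 1.2: private key x is an odd element of Z_q, which gives gcd(x, p-1) = 1;
    public key y = h^x mod p (assumption: base h, matching the step-7 proof tuple)."""
    while True:
        x = secrets.randbelow(Q)
        if x % 2 == 1 and gcd(x, P - 1) == 1:
            return x, pow(H, x, P)


def prove_key(x, y):
    """Step 2 prover: Schnorr proof (w, c, s) of knowledge of x with y = h^x.
    The commitment w = h^r is the assumed form of the page's w_i."""
    r = secrets.randbelow(Q)
    w = pow(H, r, P)
    c = hash_mod_q(w, y)          # c_i = hash(w_i || y_i)
    s = (r + x * c) % Q           # s_i = r_i + x_i c_i mod q
    return w, c, s


def verify_key(y, proof):
    """Step 2 verifier: h^s == w * y^c (mod p), plus recomputation of the challenge."""
    w, c, s = proof
    return c == hash_mod_q(w, y) and pow(H, s, P) == w * pow(y, c, P) % P


def batch_verify(pubkeys, proofs):
    """Batch form with random delta_i in Z_q (assumed shape of the page's batch equation):
    h^(sum delta_i * s_i) == prod (w_i * y_i^c_i)^delta_i (mod p)."""
    lhs_exp, rhs = 0, 1
    for y, (w, c, s) in zip(pubkeys, proofs):
        if c != hash_mod_q(w, y):
            return False
        delta = secrets.randbelow(Q - 1) + 1
        lhs_exp = (lhs_exp + delta * s) % Q
        rhs = rhs * pow(w * pow(y, c, P) % P, delta, P) % P
    return pow(H, lhs_exp, P) == rhs


def filter_participants(pubkeys, proofs):
    """Indices of the first-round retained participants: if the batch check passes
    everyone stays, otherwise each proof is checked individually and failures are dropped."""
    if batch_verify(pubkeys, proofs):
        return list(range(len(pubkeys)))
    return [i for i, (y, pr) in enumerate(zip(pubkeys, proofs)) if verify_key(y, pr)]
```

The batch check is only a screening step: a single bad proof makes the combined equation fail with overwhelming probability, after which the verifier falls back to per-participant checks to identify exactly who to remove, which is the two-stage behaviour the paragraph above describes.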
Step 3, each first-round retained participant selects t true random numbers as polynomial coefficients, generates its own polynomial of degree t-1, and publishes n encrypted secret shares of the polynomial;
Step 3.1, each participant P_i selects t random numbers a_{i0}, a_{i1}, ..., a_{i,t-1} in Z_q and uses them as the coefficients of the polynomial of degree t-1 f_i(x) = a_{i0} + a_{i1} x + a_{i2} x^2 + ... + a_{i,t-1} x^{t-1} mod q, and sets the secret s_i = a_{i0};
Step 3.2, each participant P_i publishes commitments to the coefficients of f_i(x) for k = 0, 1, 2, ..., t-1 and the encrypted secret shares Y_{ij} for j = 1, 2, ..., n, where y_j is the public key of participant P_j (the commitment and encryption formulas are not reproduced in this text).
f_i(j) denotes the value obtained by substituting j into the i-th polynomial; the i-th participant publishes n secret shares, the j-th of which is addressed to the j-th participant, as shown in Table 1. Participant P_i must prove that f_i(j) is the secret share of the polynomial f_i(x) for participant P_j in the secret sharing, i.e. that Y_{ij} contains the correct f_i(j).
Table 1: key distribution table (Y_{ij} is the encrypted secret share; the table itself is not reproduced in this text)
Step 4, verify whether each encrypted secret share is correct, reject the first-round retained participants that published incorrect encrypted shares, and call the remaining participants the second-round retained participants;
Step 4.1, each participant P_i publishes the public information (w_{1,ij}, w_{2,ij}, c_{ij}, s_{ij}), where w_{1,ij} and w_{2,ij} are commitments (formulas not reproduced in this text), c_{ij} = hash(w_{1,ij} || X_{ij} || w_{2,ij} || Y_{ij}) and s_{ij} = r_{ij} + f_i(j) c_{ij} mod q;
Step 4.2, the other participants and the public check whether the two verification equations (not reproduced in this text) hold; if so, the encrypted secret share is correct, otherwise it is incorrect, where r_{ij} and δ_{ij} are random numbers selected in Z_q. The second equation checks at once that the ciphertexts received by all participants contain correct sub-shares. If the two equations do not hold, the participants can be verified one by one to find the dishonest ones, and any dishonest participant is removed from the protocol.
The public information (w_{1,ij}, w_{2,ij}, c_{ij}, s_{ij}) published by each participant P_i is generated as follows:
Each participant P_i publishes, for its polynomial f_i(x), the secret share f_i(j) sent to participant P_j, and Y_{ij} contains the correct message f_i(j). First, the verifier computes X_{ij} from the public information (formula not reproduced in this text), with k = 0, 1, 2, ..., t-1. Then P_i must prove that the encrypted information (g, X_{ij}, y_j, Y_{ij}), i, j = 1, 2, ..., n, satisfies the required relation (not reproduced in this text). The proof performs the following operations:
1) each participant P_i selects a random number r_{ij} and builds the commitments w_{1,ij} and w_{2,ij} (formulas not reproduced);
2) each participant P_i generates the challenge c_{ij} = hash(w_{1,ij} || X_{ij} || w_{2,ij} || Y_{ij}), where hash() is a secure hash function;
3) P_i computes the response s_{ij} = r_{ij} + f_i(j) c_{ij} mod q.
The purpose of this step is to prevent a malicious participant from sending invalid shares: the protocol requires each participant to attach a non-interactive zero-knowledge proof to every sub-share it sends. The proof reveals nothing specific about the sub-share, yet anyone can use the proof and the system parameters to verify whether the share is valid. If some verification fails, the participant that sent the proof is deemed to be cheating, is removed from the protocol, and all data it published is deleted.
Step 5, each second-round retained participant homomorphically multiplies the n encrypted secret shares it received into one ciphertext that encrypts the sum of its secret shares;
Each second-round retained participant P_j uses the additive homomorphism of the secret sharing to multiply all the Y_{ij} values it received, obtaining the combined ciphertext γ_j (formula not reproduced in this text).
Using the homomorphic property of the secret sharing, each participant multiplies the n ciphertexts of sub-shares it received; the result is the ciphertext of the sum of these sub-secrets. This step uses no secret information, so anyone can repeat it.
Step 6, each second-round retained participant decrypts the received encrypted secret shares with its own private key and obtains its secret share;
Specifically, each second-round retained participant P_j decrypts γ_j with its own private key x_j to obtain its secret share S_j (formula not reproduced in this text), where x_j^{-1} denotes the inverse of x_j in the group modulo q.
This step needs the inverse 1/x_j of x_j in the integers modulo p-1; since the initialization phase guarantees gcd(x_j, p-1) = 1 for j = 1, 2, ..., n, 1/x_j can be found with the extended Euclidean algorithm. Each participant P_j must prove that S_j is the correct decryption of γ_j; the verification is described in step 7.
Each participant decrypts the result of the previous step with its own private key and obtains the sum of its sub-secrets. At this point the sums of sub-secrets held by all participants form a valid secret sharing of the sum of their polynomials. In addition, each participant publishes a non-interactive zero-knowledge proof that it performed the decryption correctly.
Step 7, verify whether each second-round retained participant decrypted correctly, reject those that decrypted incorrectly, and call the remaining participants the honest participants. This step guarantees that each participant P_j correctly decrypted the sum of secret shares γ_j, i.e. proves that the information (h, y_j, S_j, γ_j) satisfies the required relation (not reproduced in this text). The specific method includes:
Step 7.1, each second-round retained participant P_j publishes the public information (w_{1j}, w_{2j}, c_j, s_j), with c_j = hash(w_{1j} || y_j || w_{2j} || γ_j) and s_j = r_j + x_j c_j mod q;
Step 7.2, the other participants and the public check whether the two verification equations (not reproduced in this text) hold; if so, P_j decrypted correctly, otherwise it did not, where r_j and δ_j are random numbers selected in Z_q.
The public information (w_{1j}, w_{2j}, c_j, s_j) published by each second-round retained participant P_j is generated as follows:
1) each participant P_j selects a random number r_j and builds the commitments w_{1j} and w_{2j} (formulas not reproduced);
2) each participant P_j generates the challenge c_j = hash(w_{1j} || y_j || w_{2j} || γ_j), where hash() is a secure hash function;
3) P_j computes the response s_j = r_j + x_j c_j mod q.
Step 8, the remaining participants, i.e. the honest participants, cooperate to recover a polynomial by interpolating their secret shares; a hash is then computed over all the coefficients of this polynomial, and the result is the random number output by the protocol.
Specifically, interpolation over the secret shares of the honest participants yields the final publicly verifiable random number R (the interpolation formula is not reproduced in this text).
As can be seen, the random number R output by the protocol depends on the sum of the sub-secret shares. The sub-secret of every participant is therefore mixed into the output R, which guarantees the randomness and unpredictability of R.
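Steps 3 to 8 run end to end (dealing and share proofs, homomorphic combination, decryption with its proof, rejection of a cheating dealer, and interpolation), as an added example that is not the patent's own code. For the equations this page does not reproduce it assumes the Schoenmakers-style PVSS formulas: coefficient commitments C_{ik} = g^{a_{ik}}, X_{ij} = ∏_k C_{ik}^{j^k} = g^{f_i(j)}, Y_{ij} = y_j^{f_i(j)} with y_j = h^{x_j}, Chaum-Pedersen discrete-log-equality proofs for the step-4 and step-7 proofs, S_j = γ_j^{1/x_j} = h^{Σ_i f_i(j)}, and Lagrange interpolation in the exponent to recover h^{Σ_i s_i}. Hashing that group element into R is likewise an assumption, since the page's formula for R is not reproduced. hash() is SHA-256 reduced modulo q, and p = 2039, q = 1019 are constructed toy primes.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy group with p = 2q + 1 (assumption: real deployments use large primes).
Q = 1019
P = 2 * Q + 1
N, T = 4, 3  # n participants, t coefficients (polynomials of degree t-1)


def _generator():
    """Step 1.1: h = r^((p-1)/q) mod p for random r, retried until h != 1."""
    while True:
        h = pow(secrets.randbelow(P - 2) + 2, (P - 1) // Q, P)
        if h != 1:
            return h


G, H = _generator(), _generator()  # g commits to coefficients; h is the key base (assumption)


def hq(*parts):
    """The page's hash(): SHA-256 over '||'-joined values, reduced into Z_q (assumption)."""
    digest = hashlib.sha256("||".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest, "big") % Q


def keygen():
    """Odd private key x in Z_q, so gcd(x, p-1) = 1; public key y = h^x (assumption)."""
    while True:
        x = secrets.randbelow(Q)
        if x % 2 == 1 and gcd(x, P - 1) == 1:
            return x, pow(H, x, P)


def dleq_prove(g1, h1, g2, h2, alpha):
    """Chaum-Pedersen proof (w1, w2, c, s) that log_g1(h1) = log_g2(h2) = alpha."""
    r = secrets.randbelow(Q)
    w1, w2 = pow(g1, r, P), pow(g2, r, P)
    c = hq(w1, h1, w2, h2)
    return w1, w2, c, (r + alpha * c) % Q


def dleq_verify(g1, h1, g2, h2, proof):
    w1, w2, c, s = proof
    return (c == hq(w1, h1, w2, h2)
            and pow(g1, s, P) == w1 * pow(h1, c, P) % P
            and pow(g2, s, P) == w2 * pow(h2, c, P) % P)


def deal(pubkeys):
    """Steps 3 and 4.1 for one dealer P_i: random f_i of degree t-1, commitments
    C_k = g^a_k, encrypted shares Y_ij = y_j^f_i(j), and one DLEQ proof per share."""
    coeffs = [secrets.randbelow(Q) for _ in range(T)]
    f = lambda x: sum(a * pow(x, k, Q) for k, a in enumerate(coeffs)) % Q
    commits = [pow(G, a, P) for a in coeffs]
    shares, proofs = [], []
    for j, y in enumerate(pubkeys, start=1):
        fj = f(j)
        X, Y = pow(G, fj, P), pow(y, fj, P)
        shares.append(Y)
        proofs.append(dleq_prove(G, X, y, Y, fj))
    return coeffs[0], commits, shares, proofs  # coeffs[0] is the dealer's secret s_i


def check_deal(pubkeys, commits, shares, proofs):
    """Step 4.2: any verifier recomputes X_ij = prod_k C_k^(j^k) and checks
    DLEQ(g, X_ij, y_j, Y_ij); one bad share rejects the whole dealer."""
    for j, (y, Y, pr) in enumerate(zip(pubkeys, shares, proofs), start=1):
        X = 1
        for k, C in enumerate(commits):
            X = X * pow(C, pow(j, k, Q), P) % P
        if not dleq_verify(G, X, y, Y, pr):
            return False
    return True


def combine(received):
    """Step 5: gamma_j = prod_i Y_ij, the ciphertext of the sum of P_j's shares."""
    gamma = 1
    for Y in received:
        gamma = gamma * Y % P
    return gamma


def decrypt_and_prove(x, y, gamma):
    """Steps 6 and 7.1: S_j = gamma_j^(1/x_j) and DLEQ(h, y_j, S_j, gamma_j) with witness x_j."""
    S = pow(gamma, pow(x, -1, Q), P)
    return S, dleq_prove(H, y, S, gamma, x)


def reconstruct(points):
    """Step 8: Lagrange interpolation in the exponent, prod_j S_j^lambda_j = h^(sum_i s_i)."""
    acc = 1
    for j, S in points:
        lam = 1
        for m, _ in points:
            if m != j:
                lam = lam * m * pow((m - j) % Q, -1, Q) % Q
        acc = acc * pow(S, lam, P) % P
    return acc


def run_protocol(n_cheaters=0):
    """Full run; the first n_cheaters dealers corrupt one share and must be rejected in step 4."""
    keys = [keygen() for _ in range(N)]
    pubkeys = [y for _, y in keys]
    deals = [deal(pubkeys) for _ in range(N)]
    for d in deals[:n_cheaters]:
        d[2][0] = d[2][0] * H % P  # corrupted ciphertext: its DLEQ proof no longer matches
    honest = [d for d in deals if check_deal(pubkeys, d[1], d[2], d[3])]
    decrypted = []
    for j, (x, y) in enumerate(keys, start=1):
        gamma = combine([d[2][j - 1] for d in honest])
        S, pr = decrypt_and_prove(x, y, gamma)
        if dleq_verify(H, y, S, gamma, pr):  # step 7.2
            decrypted.append((j, S))
    value = reconstruct(decrypted[:T])
    expected = pow(H, sum(d[0] for d in honest) % Q, P)  # checkable only with dealer secrets
    R = hashlib.sha256(str(value).encode()).hexdigest()  # assumed final hashing step for R
    return len(honest), value == expected, R
```

Every check in the run (check_deal, the step-7 dleq_verify and reconstruct) uses only published values, which is what makes the outcome publicly verifiable; the dealer secrets are used in run_protocol solely to confirm that the interpolated value equals h raised to the sum of the honest dealers' secrets.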
System model of this embodiment: the protocol has a set of participants, more than a given threshold of whom are honest. Honest participants always execute the protocol faithfully, while dishonest participants may deviate from it in any way. Furthermore, all participants are assumed to have polynomial-time computational power, and each participant is able to extract true random numbers by physical means.
Communication model: all participants share a public channel on which the source of every message can be verified. Information published by any participant is received by all other participants, and its source can be verified. The protocol does not require the messages of one step to be sent or to arrive simultaneously; it only requires that all messages of the previous step have been sent and have arrived before the next step begins.
Adversary model: we assume an attacker A with polynomial-time computational power. A may collude with all dishonest participants: for example, A can obtain all private information of the dishonest participants and can make them refuse to execute the protocol or execute it incorrectly.
Security assumption: no participant or attacker with polynomial-time computational power can solve the discrete logarithm problem. It is generally accepted in academia that no polynomial-time algorithm solves the discrete logarithm problem in a finite cyclic group modulo a large prime or on an elliptic curve, so the discrete logarithm problem is hard in these groups.
It should be understood that those of ordinary skill in the art can make modifications or changes in light of the above description, and all such modifications and variations fall within the scope of protection of the appended claims of the invention.
Claims (10)
1. a kind of distributed disclosure can verify that random digit generation method characterized by comprising
Step 1, discrete logarithm environment, each each self-generating public private key pair of participant are initialized;
Step 2, it is verified to whether the public private key pair matches, rejects the participant for generating and mismatching the public private key pair,
Remaining participant is to retain participant for the first time;
Step 3, the first time reservation participant respectively selects t true random number as multinomial coefficient, generates respective t-1
Rank multinomial, and issue n secret encryption share of institute's generator polynomial;
Step 4, it whether correct verifies each secret encryption share, rejects and issue the incorrect secret encryption share
The first time retains participant, and remaining participant is second of reservation participant;
Step 5, retain the n secret encryption share homomorphisms multiplication composition encryptions that participant receives each described second
With the complete information of secret shadow;
Step 6, retain participant with the respective private key to received described secret encryption part each described second
Volume is decrypted, and obtains respective secret shadow;
Step 7, whether the decryption for verifying each second of reservation participant is correct, rejects decryption incorrect described second
Secondary reservation participant, remaining participant are honest participant;
Step 8, to the secret shadow of the honest participant carry out interpolation calculation obtain it is final it is public can verify that it is random
Number R.
2. The distributed publicly verifiable random number generation method according to claim 1, characterized in that, in step 1, initializing the discrete logarithm environment specifically refers to:
selecting primes p and q with p = 2q+1, so that p-1 is an integer multiple of q;
finding generators g and h of G_q, where G_q is the cyclic subgroup of order q of the set of elements in {0, 1, ..., p-1} that are coprime with p, h = r^((p-1)/q) mod p with h ≠ 1, and r is a random number selected from that set.
3. The distributed publicly verifiable random number generation method according to claim 2, characterized in that, in step 1, each participant P_i generates its own public/private key pair, the pair consisting of a private key x_i and a public key y_i; the private key x_i is an odd number selected at random from Z_q, and the public key is y_i, where Z_q denotes the residue classes modulo q.
4. The distributed publicly verifiable random number generation method according to claim 3, characterized in that the specific method of verifying, in step 2, whether the public/private key pair matches comprises: each participant P_i publishes a complete proof to the public and to the other participants, the proof consisting of (w_i, c_i, s_i) with c_i = hash(w_i || y_i) and s_i = r_i + x_i c_i mod q; the public and the other participants check whether the verification equation holds; if it holds, the public/private key pair published by participant P_i matches; if not, the public/private key pair published by participant P_i does not match; here r_i is a random number selected by participant P_i from Z_q.
5. The distributed publicly verifiable random number generation method according to claim 4, characterized in that step 3 specifically refers to:
each participant P_i selects t random numbers a_i0, a_i1, ..., a_i,t-1 from Z_q, uses them as coefficients to generate the polynomial of degree t-1, f_i(x) = a_i0 + a_i1 x + a_i2 x^2 + ... + a_i,t-1 x^(t-1) mod q, and sets the secret s_i = a_i0;
each participant P_i publishes its commitments to the polynomial f_i(x), for k = 0, 1, 2, ..., t-1, and the encrypted secret shares, for j = 1, 2, ..., n, where y_j is the public key of participant P_j.
6. The distributed publicly verifiable random number generation method according to claim 5, characterized in that, in step 4, the specific method of verifying whether each encrypted secret share is correct comprises:
each participant P_i publishes the public information (w_1,ij, w_2,ij, c_ij, s_ij), where c_ij = hash(w_1,ij || X_ij || w_2,ij || Y_ij) and s_ij = r_ij + f_i(j) c_ij mod q, r_ij being a random number selected from Z_q;
the other participants and the public check whether the two verification equations hold; if they hold, the encrypted secret share is correct; if not, the encrypted secret share is incorrect; here r_ij and δ_ij are random numbers selected from Z_q.
7. The distributed publicly verifiable random number generation method according to claim 6, characterized in that step 5 specifically refers to: each second-time retained participant P_j uses the additive homomorphic property of the secret sharing to multiply together all the Y_ij values it has received, obtaining the complete information γ_j.
8. The distributed publicly verifiable random number generation method according to claim 7, characterized in that step 6 specifically refers to:
each second-time retained participant P_j decrypts γ_j with its own private key x_j to obtain its secret share, where the operation x_j^(-1) is taking the inverse of x_j in the group modulo q.
9. The distributed publicly verifiable random number generation method according to claim 8, characterized in that the specific method of verifying, in step 7, whether the decryption of each second-time retained participant is correct comprises:
each second-time retained participant P_j publishes the public information (w_1j, w_2j, c_j, s_j), where c_j = hash(w_1j || y_j || w_2j || γ_j) and s_j = r_j + x_j c_j mod q;
the other participants and the public check whether the two verification equations hold; if they hold, the decryption of the second-time retained participant P_j is correct; if not, the decryption of the second-time retained participant P_j is incorrect; here r_j and δ_j are random numbers selected from Z_q.
10. The distributed publicly verifiable random number generation method according to claim 9, characterized in that step 8, performing interpolation on the secret shares of the honest participants to obtain the final publicly verifiable random number R, specifically refers to computing R by interpolation from the secret shares of the honest participants.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610328910.1A CN105827402B (en) | 2016-05-18 | 2016-05-18 | Distributed publicly verifiable random number generation method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105827402A CN105827402A (en) | 2016-08-03 |
CN105827402B true CN105827402B (en) | 2019-08-20 |
Family
ID=56529900
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610328910.1A Expired - Fee Related CN105827402B (en) | 2016-05-18 | 2016-05-18 | Distributed publicly verifiable random number generation method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105827402B (en) |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107248080A (en) * | 2017-04-17 | 2017-10-13 | 华南农业大学 | Commodity anti-counterfeiting and lottery drawing method based on polynomial interpolation |
CN106972930B (en) * | 2017-05-24 | 2019-11-08 | 武汉理工大学 | Unconditionally secure verifiable random number generation method |
CN107832258A (en) * | 2017-11-16 | 2018-03-23 | 上海理工大学 | Apparatus and method for obtaining a verifiable random number |
CN108762725B (en) * | 2018-05-31 | 2021-01-01 | 飞天诚信科技股份有限公司 | Distributed random number generation and detection method and system |
CN109067522B (en) * | 2018-07-27 | 2023-07-25 | 深圳市汇尊区块链技术有限公司 | Random number verifiable secret sharing method |
CN108768647B (en) * | 2018-08-04 | 2022-06-14 | 深圳市汇尊区块链技术有限公司 | Random number generation method for block chain |
CN109471610B (en) * | 2018-10-25 | 2021-03-19 | 北京链化未来科技有限公司 | Serial random number generation method, device and storage medium |
CN109544129B (en) | 2018-10-26 | 2021-04-27 | 创新先进技术有限公司 | Block chain transaction method and device and electronic equipment |
CN109544900B (en) * | 2018-11-21 | 2019-11-26 | 长安大学 | Privacy-preserving ride-sharing route matching method for passengers and drivers |
CN109902515B (en) * | 2019-01-10 | 2021-07-20 | 西安纸贵互联网科技有限公司 | True data verification method and system |
US11496287B2 (en) | 2020-08-18 | 2022-11-08 | Seagate Technology Llc | Privacy preserving fully homomorphic encryption with circuit verification |
US11575501B2 (en) | 2020-09-24 | 2023-02-07 | Seagate Technology Llc | Preserving aggregation using homomorphic encryption and trusted execution environment, secure against malicious aggregator |
CN113242125A (en) * | 2021-05-17 | 2021-08-10 | 长沙理工大学 | Verifiable multi-secret sharing scheme of general access structure based on bilinear mapping |
CN114090943A (en) * | 2021-11-22 | 2022-02-25 | 杭州萝卜智能技术有限公司 | Interval-grouping-based random lottery drawing and drawing result verification method and system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101267308A (en) * | 2008-04-24 | 2008-09-17 | 上海交通大学 | Democratic signature method with threshold tracking |
CN101364928A (en) * | 2007-08-06 | 2009-02-11 | 曹炜斌 | Method and system enhancing network information resource distribution |
CN102340483A (en) * | 2010-07-15 | 2012-02-01 | 航天信息股份有限公司 | Methods for generation, verification and tracking of democratic group signature and democratic group signature system |
US8229939B2 (en) * | 2004-10-19 | 2012-07-24 | Palo Alto Research Center Incorporated | Server-implemented system and method for providing private inference control |
CN103678254A (en) * | 2013-12-04 | 2014-03-26 | 四川理工学院 | Verifiable random number generation method based on a system of linear equations |
US8837715B2 (en) * | 2011-02-17 | 2014-09-16 | Gradiant, Centro Tecnolóxico de Telecomunicacións de Galica | Method and apparatus for secure iterative processing and adaptive filtering |
Non-Patent Citations (2)
Title |
---|
A verifiable multi-candidate electronic voting scheme; Liu Gao et al.; Computer Engineering and Science; 2015-09-30; pp. 1667-1670 |
Verifiable random numbers based on interpolation polynomials; Liu Yining et al.; Computer Engineering; 2010-05-30; pp. 179-183 |
Also Published As
Publication number | Publication date |
---|---|
CN105827402A (en) | 2016-08-03 |
Similar Documents
Publication | Title |
---|---|
CN105827402B (en) | Distributed publicly verifiable random number generation method |
CN107947913B (en) | Identity-based anonymous authentication method and system |
US5796833A (en) | Public key sterilization |
CN103563288B (en) | Single-round password-based key exchange protocols |
EP0786178B1 (en) | Secret-key certificates |
CN107342859B (en) | Anonymous authentication method and its application |
CN107659395B (en) | Identity-based distributed authentication method and system in multi-server environment |
CN107707358A (en) | EC-KCDSA digital signature generation method and system |
CN107248909A (en) | SM2-based certificateless secure signature method |
CN110995412B (en) | Certificateless ring signcryption method based on multiplicative group |
CN106506165B (en) | Virtual asset anonymous sorting method based on homomorphic encryption |
Araújo et al. | Towards practical and secure coercion-resistant electronic elections |
CN107888380A (en) | Two-party distributed identity-based RSA digital signature generation method and system |
Abe et al. | Flaws in some robust optimistic mix-nets |
Damgård et al. | Stronger security and constructions of multi-designated verifier signatures |
Tian | A new strong multiple designated verifiers signature |
Huang et al. | Ambiguous optimistic fair exchange: Definition and constructions |
CN110992010B (en) | Digital currency issue total amount control method and verification method |
Jaafar et al. | Visual zero-knowledge proof of identity scheme: a new approach |
Tang et al. | Identity-Based Identification Scheme without Trusted Party against Concurrent Attacks |
Huang et al. | How to protect privacy in optimistic fair exchange of digital signatures |
Krzywiecki et al. | Deniable key establishment resistance against eKCI attacks |
Chin et al. | On the security of a modified Beth identity-based identification scheme |
Wang et al. | Generic Construction of Fair Exchange Scheme with Semi-Trusted Adjudicator |
Vangujar et al. | A Novel Approach to e-Voting with Group Identity Based Identification and Homomorphic Encryption |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20190820; Termination date: 20200518 |