CN108964906A - Digital signature method for collaborative ECC - Google Patents
- Publication number: CN108964906A (application CN201810796674.5A)
- Authority: CN (China)
- Prior art keywords: participant, signature, share, ciphertext, factor
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
This application discloses a digital signature method for collaborative ECC. In one embodiment the method includes: the first participant computes the digest of the data to be signed, obtaining a data digest, and sends a first message carrying the data digest to the second participant; the second participant receives the first message and synthesizes the second participant signature share of the second participant with the data digest, obtaining the first participant signature share ciphertext; the second participant sends a second message carrying the first participant signature share ciphertext to the first participant; the first participant decrypts the first participant signature share ciphertext, obtaining the first participant signature share. This embodiment avoids multiple rounds of data exchange and computation, reducing the complexity of communication and computation.
Description
Technical field
This application relates to the technical field of cryptography, and in particular to a digital signature method for collaborative ECC.
Background
Cooperative computation is a common computation model in contemporary distributed networks: mutually distrusting participants in the network need to jointly compute a task agreed by all parties without revealing their own secrets, providing the core functions of secure multi-party computation such as privacy and correctness. Collaborative signing, based on the idea of cooperative computation, has become the core means of providing unforgeability in cooperative computation. The ECDSA signature algorithm, an internationally recognized elliptic curve digital signature algorithm, is widely used worldwide and provides the core properties of digital signatures such as integrity, verifiability and non-repudiation. However, in certain application scenarios, to ensure the fairness and collaborative nature of the signing process, the ECDSA signature data must be generated jointly by multiple cooperating parties, while guaranteeing that the process is private, correct and efficient. Traditional solutions generally suffer from high communication and computation complexity for the participants.
Summary of the invention
Based on this, it is necessary to provide a digital signature method for collaborative ECC.
A digital signature method for collaborative ECC, comprising:
The first participant computes the digest of the data to be signed, obtaining a data digest, and sends a first message to the second participant, the first message carrying the data digest;
The second participant receives the first message and synthesizes the second participant signature share of the second participant with the data digest, obtaining the first participant signature share ciphertext;
The second participant sends a second message to the first participant, the second message carrying the first participant signature share ciphertext;
The first participant decrypts the first participant signature share ciphertext, obtaining the first participant signature share.
In the scheme of the embodiment described above, after the first participant obtains the data digest of the data to be signed, the second participant obtains the first participant signature share ciphertext by synthesis from the data digest and the second participant signature share, and sends it to the first participant. Because the operations are carried out under a cryptosystem with a homomorphic property, multiple rounds of data exchange and computation are avoided, reducing the complexity of communication and computation.
Description of the drawings
Fig. 1 is a flow diagram of the digital signature method for collaborative ECC in one embodiment;
Fig. 2 is a flow diagram of obtaining the first participant signature share ciphertext in one embodiment;
Fig. 3 is a flow diagram of obtaining the first participant signature share ciphertext in another embodiment;
Fig. 4 is an interaction flow diagram of the digital signature method for collaborative ECC in one embodiment;
Fig. 5 is an interaction flow diagram of the digital signature method for collaborative ECC in another embodiment.
Specific embodiment
To make the objects, technical solutions and advantages of the application clearer, the application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the application and do not limit it.
As shown in Fig. 1, the digital signature method for collaborative ECC in one embodiment includes the following steps S11 to S14.
Step S11: the first participant computes the digest of the data to be signed, obtaining a data digest, and sends a first message to the second participant, the first message carrying the data digest.
The data to be signed is the data that the participants need to sign; the data digest of the data to be signed may be computed in any possible way.
In one embodiment, the first message may also carry the first public key share held by the first participant and the first temporary public key share held by the first participant. The first public key share held by the first participant and the second public key share held by the second participant together constitute the complete public key of the key pair. The first participant and the second participant may share the complete public key additively, i.e. the complete public key is the sum of the first public key share and the second public key share. They may also share the complete public key multiplicatively, i.e. the complete public key is the product of the first public key share and the second private key share. They may also share the complete public key in other ways; this embodiment imposes no specific limitation. The first participant and the second participant share the complete temporary public key in a similar manner: they may share it additively, or they may share it multiplicatively.
Correspondingly, the first participant holds the first private key share and the second participant holds the second private key share, and the first private key share and the second private key share together constitute the complete private key of the key pair. The first participant and the second participant may share the complete private key additively, multiplicatively, or in other ways.
Step S12: the second participant receives the first message and synthesizes the second participant signature share of the second participant with the data digest, obtaining the first participant signature share ciphertext.
In one embodiment, where the first message also carries the first public key share held by the first participant and the first temporary public key share held by the first participant, the second participant also obtains the complete public key based on the first public key share and the second private key share held by the second participant, and obtains the complete temporary public key based on the first temporary public key share and the second temporary private key share held by the second participant.
In one embodiment, the second participant obtaining the complete public key based on the first public key share and the second private key share held by the second participant may include: the second participant determines the second public key share it holds based on the second private key share it holds; the second participant obtains the complete public key based on the first public key share and the second public key share. The second participant obtaining the complete temporary public key based on the first temporary public key share and the second temporary private key share held by the second participant may include: the second participant determines the second temporary public key share it holds based on the second temporary private key share it holds; the second participant obtains the complete temporary public key based on the first temporary public key share and the second temporary public key share.
Where the first participant and the second participant share the complete public key additively, the complete public key is the sum of the first public key share and the second public key share; where they share the complete public key multiplicatively, the complete public key is the product of the first public key share and the second private key share. The first participant and the second participant may also share the complete public key in other ways; this embodiment imposes no specific limitation. Similarly, depending on whether the first participant and the second participant share the complete temporary public key multiplicatively or additively, the complete temporary public key may be the product of the first temporary public key share and the second temporary private key share, or the sum of the first temporary public key share and the second temporary public key share.
In one embodiment, after synthesizing the complete public key, the second participant also generates an ECC digital certificate corresponding to the complete public key. The second participant may compute the second participant signature share based on the complete temporary public key.
In one embodiment, after the second participant receives the first message, and before the second participant synthesizes the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest, the method may further include the step:
The second participant and the first participant cooperatively execute the proof and verification of a proof-of-knowledge protocol for the first participant signature parameter ciphertext.
In one embodiment, the first participant may determine the first participant signature parameter ciphertext before the proof and verification of the above proof-of-knowledge protocol are executed, and may transmit the determined first participant signature parameter ciphertext to the second participant. The first participant may transmit the first participant signature parameter ciphertext to the second participant by any possible means.
In a specific embodiment of the application, the first participant may determine the first participant signature parameter ciphertext during execution of the proof of the above proof-of-knowledge protocol.
The first participant signature parameter ciphertext may be determined in various possible ways.
In one embodiment, the first participant signature parameter ciphertext may include: the first private key share ciphertext obtained by encrypting the first private key share, and the first temporary private key share ciphertext obtained by encrypting the first temporary private key share.
In this case, the second participant and the first participant cooperatively executing the proof and verification of the proof-of-knowledge protocol for the first participant signature parameter ciphertext may include:
The second participant and the first participant cooperatively execute the proof and verification of the proof-of-knowledge protocol for the first private key share ciphertext;
The second participant and the first participant cooperatively execute the proof and verification of the proof-of-knowledge protocol for the first temporary private key share ciphertext.
The proof and verification for the first private key share ciphertext and for the first temporary private key share ciphertext may be executed serially in either order, or in parallel.
In one embodiment, the proof and verification of the proof-of-knowledge protocol for the first private key share ciphertext may be completed based on a proof-of-plaintext-knowledge protocol. Specifically, they may be completed through interaction between the first participant and the second participant. In this case, the second participant and the first participant cooperatively executing the proof and verification of the proof-of-knowledge protocol for the first private key share ciphertext includes:
The first participant computes the first private key share ciphertext based on the first private key share, computes a first participant commitment, and sends a first proof message to the second participant, the first proof message including the first private key share ciphertext and the first participant commitment;
The second participant receives the first proof message, selects a second participant challenge, and sends the second participant challenge to the first participant;
The first participant receives the second participant challenge, computes a first response and a second response based on the second participant challenge, and sends a second proof message to the second participant, the second proof message including the first response and the second response;
The second participant receives the second proof message, and when the second proof message and the first proof message satisfy a predetermined mathematical relationship, the proof and verification process is complete.
In one embodiment, the number of interactions may also be reduced on the basis of the above proof-of-plaintext-knowledge protocol to complete the proof and verification of the proof-of-knowledge protocol for the first private key share ciphertext. In this case, the second participant and the first participant cooperatively executing the proof and verification of the proof-of-knowledge protocol for the first private key share ciphertext includes:
The first participant computes the first private key share ciphertext based on the first private key share, and computes a first participant commitment;
The first participant computes a first participant challenge, computes a third response and a fourth response based on the first participant challenge, and sends a proof message to the second participant, the proof message including the first private key share ciphertext, the first participant commitment, the third response and the fourth response;
The second participant computes a second participant challenge and, based on the second participant challenge, verifies whether the first private key share ciphertext, the first participant commitment, the third response and the fourth response satisfy a predetermined mathematical relationship; when they do, the proof and verification process is complete.
The process by which the second participant and the first participant cooperatively execute the proof and verification of the proof-of-knowledge protocol for the first temporary private key share ciphertext is similar to that for the first private key share ciphertext, and is not repeated here.
In one embodiment, the first participant signature parameter ciphertext includes: a first participant signature factor ciphertext obtained by encrypting the first participant signature factor generated by the first participant. The number of first participant signature factors may be set according to actual needs; the first participant signature factor in one embodiment includes a first signature factor and a third signature factor generated by the first participant. In this case, the first participant signature factor ciphertext includes: the first signature factor ciphertext obtained by encrypting the first signature factor, and the third signature factor ciphertext obtained by encrypting the third signature factor.
The first signature factor and the third signature factor may be generated in various possible ways. In one embodiment, the first participant may compute the first signature factor based on the first temporary private key share, and compute the third signature factor based on the first temporary private key share and the first private key share. In another embodiment, after the first participant selects a blinding factor (called the second blinding factor in this embodiment), the first participant computes the first signature factor based on the first temporary private key share and the second blinding factor, and computes the third signature factor based on the first temporary private key share, the first private key share and the second blinding factor.
In this case, the second participant and the first participant cooperatively executing the proof and verification of the proof-of-knowledge protocol for the first participant signature parameter ciphertext may include:
The second participant and the first participant cooperatively execute the proof and verification of the proof-of-knowledge protocol for the first signature factor ciphertext;
The second participant and the first participant cooperatively execute the proof and verification of the proof-of-knowledge protocol for the third signature factor ciphertext.
The proof and verification for the first signature factor ciphertext and for the third signature factor ciphertext may be executed serially in either order, or in parallel.
Taking the first signature factor ciphertext as an example, the second participant and the first participant cooperatively executing the proof and verification of the proof-of-knowledge protocol for the first signature factor ciphertext may include:
The second participant and the first participant cooperatively execute the proof and verification of the zero-element proof-of-knowledge protocol for the first signature factor ciphertext;
The second participant and the first participant cooperatively execute the proof and verification of the proof-of-plaintext-knowledge protocol for the first signature factor ciphertext.
In one embodiment, when the second participant and the first participant cooperatively execute the proof and verification of the zero-element proof-of-knowledge protocol for the first signature factor ciphertext, the proof and verification may specifically be completed through interaction between the first participant and the second participant. In this case, the second participant and the first participant cooperatively executing the proof and verification of the zero-element proof-of-knowledge protocol for the first signature factor ciphertext includes:
The first participant computes the first signature factor ciphertext, computes a first participant commitment, and sends a first proof message to the second participant, the first proof message including the first signature factor ciphertext and the first participant commitment;
The second participant receives the first proof message, selects a second participant challenge, and sends the second participant challenge to the first participant;
The first participant receives the second participant challenge, computes a fifth response based on the second participant challenge, and sends a second proof message to the second participant, the second proof message including the fifth response;
The second participant receives the second proof message, and when the second proof message and the first proof message satisfy a predetermined mathematical relationship, the proof and verification process is complete.
In one embodiment, the number of interactions may also be reduced on the basis of the above zero-element proof-of-knowledge protocol to complete the proof and verification of the proof-of-knowledge protocol for the first signature factor ciphertext. In this case, the second participant and the first participant cooperatively executing the proof and verification of the zero-element proof-of-knowledge protocol for the first signature factor ciphertext includes:
The first participant computes the first signature factor ciphertext, and computes a first participant commitment;
The first participant computes a first participant challenge, computes a sixth response based on the first participant challenge, and sends a proof message to the second participant, the proof message including the first signature factor ciphertext, the first participant commitment and the sixth response;
The second participant computes a second participant challenge and, based on the second participant challenge, verifies whether the first signature factor ciphertext, the first participant commitment and the sixth response satisfy a predetermined mathematical relationship; when they do, the proof and verification process is complete.
The process by which the second participant and the first participant cooperatively execute the proof and verification of the proof-of-plaintext-knowledge protocol for the first signature factor ciphertext follows the same principle as the proof and verification of the proof-of-plaintext-knowledge protocol described above, and is not repeated here.
In one embodiment, the first participant also generates the relevant parameters of a homomorphic cryptosystem, and the first participant may perform the relevant encryption based on those parameters to obtain the above first participant signature parameter ciphertext.
In one embodiment, where the first participant has determined the first participant signature parameter ciphertext, the second participant synthesizing the second participant signature share of the second participant with the data digest to obtain the first participant signature share ciphertext may be carried out as follows:
The second participant synthesizes the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest, obtaining the first participant signature share ciphertext.
In one embodiment, if the first participant signature parameter ciphertext includes the first private key share ciphertext and the first temporary private key share ciphertext, the second participant synthesizing the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest to obtain the first participant signature share ciphertext may specifically include steps S1211 to S1214.
Step S1211: the second participant determines a first blinding factor.
Step S1212: the second participant and the first participant cooperatively execute the proof and verification of a proof-of-plaintext-knowledge protocol for the blinded temporary signature share ciphertext, the blinded temporary signature share ciphertext being obtained based on the first temporary private key share ciphertext, the second temporary private key share and the first blinding factor.
Step S1213: the first participant and the second participant cooperatively execute the proof and verification of a proof-of-plaintext-knowledge protocol for the first blinded signature share ciphertext; the blinded temporary signature share is obtained by decrypting the blinded temporary signature share ciphertext; the first blinded signature share is obtained based on the blinded temporary signature share, and the first blinded signature share is encrypted to obtain the first blinded signature share ciphertext. In one embodiment, the first blinded signature share may be obtained by inverting the blinded temporary signature share.
Step S1214: the second participant computes the second participant signature share, and synthesizes the first blinding factor, the first blinded signature share ciphertext, the first private key share ciphertext, the second private key share, the second participant signature share and the data digest, obtaining the first participant signature share ciphertext.
In one embodiment, in the above step S1214, the second participant synthesizing the first blinding factor, the first blinded signature share ciphertext, the first private key share ciphertext, the second private key share, the second participant signature share and the data digest to obtain the first participant signature share ciphertext may include steps S12141 to S12143.
Step S12141: the second participant synthesizes the first blinding factor and the first blinded signature share ciphertext, obtaining a first sub-signature share ciphertext.
Step S12142: the second participant synthesizes the first private key share ciphertext, the second private key share, the second participant signature share and the data digest, obtaining a second sub-signature share ciphertext.
Step S12143: the second participant synthesizes the first sub-signature share ciphertext and the second sub-signature share ciphertext, obtaining the first participant signature share ciphertext.
In another embodiment, if the first participant signature parameter ciphertext includes the first signature factor ciphertext and the third signature factor ciphertext, the second participant synthesizing the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest to obtain the first participant signature share ciphertext may specifically include steps S1221 to S1222.
Step S1221: the second participant generates the second participant signature factor based on the second participant signature share of the second participant and the data digest.
In one embodiment, the second participant signature factor may include two signature factors, denoted in this embodiment as the second signature factor and the fourth signature factor. The second participant may compute the second signature factor based on the second temporary private key share and the data digest, and compute the fourth signature factor based on the second temporary private key share, the second private key share and the second participant signature share. Alternatively, after selecting a third blinding factor, the second participant may compute the second signature factor based on the second temporary private key share, the data digest and the third blinding factor, and compute the fourth signature factor based on the second temporary private key share, the second private key share, the second participant signature share and the third blinding factor.
In another embodiment, the second participant signature factor may include three signature factors, denoted in this embodiment as the second signature factor, the fourth signature factor and the fifth signature factor. The second participant may compute the second signature factor based on the second temporary private key share and the data digest, compute the fourth signature factor based on the second temporary private key share and the second participant signature share, and compute the fifth signature factor based on the second temporary private key share, the second private key share and the second participant signature share. Alternatively, after selecting a fourth blinding factor, the second participant may compute the second signature factor based on the second temporary private key share, the data digest and the fourth blinding factor, compute the fourth signature factor based on the second temporary private key share, the second participant signature share and the fourth blinding factor, and compute the fifth signature factor based on the second temporary private key share, the second private key share, the second participant signature share and the fourth blinding factor.
Step S1222: the second participant synthesizes the first participant signature factor ciphertext and the second participant signature factor, obtaining the first participant signature share ciphertext.
The second participant may synthesize the first participant signature factor ciphertext and the second participant signature factor in any possible way; this embodiment imposes no specific limitation.
Step S13: the second participant sends a second message to the first participant, the second message carrying the first participant signature share ciphertext.
Step S14: the first participant decrypts the first participant signature share ciphertext, obtaining the first participant signature share.
A detailed explanation follows with reference to several embodiments. In these embodiments there are two participating parties (the first participant and the second participant, denoted participant 1 and participant 2 respectively in this embodiment). Both parties agree on the elliptic curve cryptosystem parameters and choose a generator G whose order is a prime n. The generator G is a point on the elliptic curve and is used to generate other points on the curve through operations on G; choosing a generator G of prime order n ensures that the operations on the elliptic curve rest on the elliptic curve discrete logarithm problem, which ensures security.
The first participant holds the first private key share $d_1$ and the second participant holds the second private key share $d_2$; $d_1$ and $d_2$ together constitute the complete private key d. The first participant holds the first temporary private key share $k_1$ and the second participant holds the second temporary private key share $k_2$; $k_1$ and $k_2$ together constitute the complete temporary private key k.
Different modes are possible depending on how the private key and the temporary private key are constructed. For example, the private key may be constructed by additive sharing or by multiplicative sharing. Correspondingly, the temporary private key may be constructed by additive sharing or by multiplicative sharing.
The cases in which the temporary private key is shared additively and shared multiplicatively are each illustrated below.
Embodiment one: the temporary private key takes the additive-sharing form.
In one embodiment, constructing the temporary private key by additive sharing is referred to as the additive-sharing form. When the temporary private key is constructed by additive sharing, its form can be written $k = k_1 + k_2$.
On the premise that the temporary private key is constructed by additive sharing, the private key may be constructed by additive sharing, written $d = d_1 + d_2$, or by multiplicative sharing, written $d = d_1 d_2$. Here d is the shared private key, which is a complete private key; $d_1$ is the private key share held by participant 1 (denoted the first private key share in the embodiments of this application); $d_2$ is the private key share held by participant 2 (denoted the second private key share in the embodiments of this application). k is the shared temporary private key, which is a complete temporary private key; $k_1$ is the temporary private key share held by participant 1 (denoted the first temporary private key share in the embodiments of this application); $k_2$ is the temporary private key share held by participant 2 (denoted the second temporary private key share in the embodiments of this application).
Therefore, this embodiment may include two schemes: one is an additively shared temporary private key $k = k_1 + k_2$ with an additively shared private key $d = d_1 + d_2$; the other is an additively shared temporary private key $k = k_1 + k_2$ with a multiplicatively shared private key $d = d_1 d_2$.
Referring to Fig. 4, in a specific implementation of this embodiment, participant 1 performs a digest operation on the data to be signed M to obtain the data digest $e = H(M)$. Participant 1 then generates the first private key share $d_1 \in [1, n-1]$ that it holds; $d_1$ may be generated randomly. Based on $d_1$, participant 1 calculates its first public key share $D_1 = d_1 G$. Participant 1 also generates the first temporary private key share $k_1 \in [1, n-1]$ that it holds and, based on $k_1$, calculates its first temporary public key share $K_1 = k_1 G$. Here G is the generator of prime order n in the elliptic curve cryptosystem parameters; G may be agreed jointly by participant 1 and participant 2. Participant 1 also calls the key generation algorithm KeyGen of the homomorphic cryptosystem to generate the key pair (pk, sk).
Participant 1 then sends a first message to participant 2; the first message carries the data digest e, the first public key share $D_1$ and the first temporary public key share $K_1$.
After receiving the first message sent by participant 1, participant 2 carries out, together with participant 1, the proof and verification phases of the proof-of-knowledge protocol for the first participant signature parameter ciphertext. In this embodiment, the first participant signature parameter ciphertext includes the first private key share ciphertext and the first temporary private key share ciphertext. In one embodiment, the first private key share ciphertext and the first temporary private key share ciphertext may be generated during the proof phase of the proof-of-knowledge protocol: participant 1 encrypts the first private key share $d_1$ to obtain the first private key share ciphertext, and encrypts the first temporary private key share $k_1$ to obtain the first temporary private key share ciphertext. Any feasible encryption method may be used. Denoting the encryption algorithm by Enc, the first private key share ciphertext can be written $d_e = Enc(d_1)$ and the first temporary private key share ciphertext can be written $k_e = Enc(k_1)$.
Different proof-of-knowledge protocols may be used when executing the proof and verification. One example is the proof of plaintext knowledge protocol, in which the prover, without revealing secret information, proves to the verifier that it knows the plaintext m corresponding to the ciphertext c, satisfying a certain relation such as $R_{Enc} = \{((c, pk), (m, r)) \mid c = Enc_{pk}(m, r)\}$. In this process, after participant 2 receives the first message sent by participant 1, participant 1 acts as the prover and participant 2 acts as the verifier to complete the proof and verification of the proof of plaintext knowledge protocol.
The proof of plaintext knowledge protocol comes in two types: an interactive type, denoted PPK(c, m), and a non-interactive type, denoted NIPPK(c, m).
The principle of the interactive proof of plaintext knowledge protocol PPK(c, m) is as follows. In the proof phase, the prover calculates the ciphertext c from the plaintext m and calculates a commitment B. In one embodiment the ciphertext may be $c = g^m r^n \bmod n^2$ and the commitment may be $B = g^x u^n \bmod n^2$, where g, r, n are relevant parameters of the homomorphic cryptosystem and $x \in Z_n$. The prover then sends the ciphertext c and the commitment B to the verifier. The verifier selects a random challenge $q \in Z_n$ and sends it to the prover. After receiving the random challenge q, the prover combines the plaintext m and the challenge q to calculate the responses w and Z; in one embodiment these may be $w = (x + qm) \bmod n$ and $Z = u r^q g^t \bmod n^2$, where t satisfies the condition $x + qm = w + tn$. The prover then sends the calculated responses w and Z to the verifier. In the verification phase, the verifier checks whether the received ciphertext c and commitment B, together with the received responses w and Z, satisfy a certain mathematical relation; in one application example it may check whether $g^w Z^n \bmod n^2$ equals $B c^q \bmod n^2$. If the relation holds (in the example above, $g^w Z^n \bmod n^2$ equals $B c^q \bmod n^2$), this shows that the ciphertext c is an encryption of the plaintext m.
Here, g is a generator selected from ; m is a plaintext selected from $Z_n$; r is a random number selected from ; n is the RSA modulus; x is a random number selected from $Z_n$; u is a random number selected from ; $Z_n$ is the set of all positive integers less than n; q is a hash value.
Specifically, in this embodiment, when the interactive proof of plaintext knowledge protocol PPK(c, m) is used to prove and verify the first participant signature parameter ciphertext (in this embodiment, the first private key share ciphertext and the first temporary private key share ciphertext), the proof and verification of the first private key share ciphertext and of the first temporary private key share ciphertext may be executed in any order or in parallel.
Taking the proof and verification of the first private key share ciphertext as an example, the detailed process under the interactive proof of plaintext knowledge protocol may include the following steps A1 to A4.
Step A1: participant 1, as the prover, calculates the first private key share ciphertext based on the first private key share, calculates a commitment (called the first participant commitment in this embodiment), and sends a first proof message to participant 2. The first proof message includes the first private key share ciphertext and the first participant commitment.
Step A2: participant 2, as the verifier, receives the first proof message, selects a random challenge (called the second participant challenge in this embodiment), and sends the second participant challenge to participant 1.
Step A3: participant 1 receives the second participant challenge and calculates the responses w and Z based on it. In this embodiment, the w and Z generated from the challenge returned by participant 2 are called the first response and the second response respectively. Participant 1 sends a second proof message to participant 2; the second proof message includes the first response and the second response.
In one application example, the first response may be calculated based on the plaintext m and the second participant challenge, and the second response may be calculated based on the second participant challenge and the relevant parameters of the homomorphic cryptosystem.
Step A4: participant 2 receives the second proof message. When the second proof message and the first proof message satisfy a certain mathematical relation, this proves that participant 1 knows the plaintext corresponding to the first private key share ciphertext, which completes the proof and verification. The relation satisfied by the second proof message and the first proof message may be a relation among the first private key share ciphertext, the first participant commitment, the first response and the second response; in the example above, it may be that $g^w Z^n \bmod n^2$ equals $B c^q \bmod n^2$.
The proof and verification of the first temporary private key share ciphertext under the interactive proof of plaintext knowledge protocol may be similar to the proof and verification of the first private key share ciphertext described above and are not repeated here.
The principle of the non-interactive proof of plaintext knowledge protocol NIPPK(c, m) is as follows. In the proof phase, the prover calculates the ciphertext c from the plaintext m and calculates a commitment B. In one embodiment the ciphertext may be $c = g^m r^n \bmod n^2$ and the commitment may be $B = g^x u^n \bmod n^2$, where g, r, n are relevant parameters of the homomorphic cryptosystem and $x \in Z_n$. The prover then calculates the challenge q; it may do so in any feasible way as long as the randomness and unpredictability of q are guaranteed. In one embodiment q may be calculated with a hash function, for example $q = H(c \| B) \bmod n$, where H() is a secure hash function. The prover then calculates the responses w and Z; in one embodiment these may be $w = (x + qm) \bmod n$ and $Z = u r^q g^t \bmod n^2$, where t satisfies the condition $x + qm = w + tn$. The prover then sends c, B, w and Z to the verifier. In the verification phase, the verifier calculates the challenge $q = H(c \| B) \bmod n$ and checks whether the received ciphertext c and commitment B, together with the received responses w and Z, satisfy a certain mathematical relation; in one application example it may check whether $g^w Z^n \bmod n^2$ equals $B c^q \bmod n^2$. If the relation holds (in the example above, $g^w Z^n \bmod n^2$ equals $B c^q \bmod n^2$), this shows that the ciphertext c is an encryption of the plaintext m.
Here, g is a generator selected from ; m is a plaintext selected from $Z_n$; r is a random number selected from ; n is the RSA modulus; x is a random number selected from $Z_n$; u is a random number selected from ; $Z_n$ is the set of all positive integers less than n; q is a hash value.
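The interactive PPK and non-interactive NIPPK exchanges described above, as an added example that is not part of the patent text: the same commit/respond/check functions serve both variants, and the check is the relation $g^w Z^n = B c^q \pmod{n^2}$. Assumptions not fixed by the page: a Paillier-style cryptosystem with g = n + 1, a toy modulus built from two Mersenne primes, SHA-256 as H, a fixed-width encoding of c || B, and all function names.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy modulus from two Mersenne primes: readable, NOT a secure key size.
P1, P2 = 2**107 - 1, 2**127 - 1

def keygen():
    """Paillier-style key pair with g = n + 1 (assumption; the page only names KeyGen)."""
    n = P1 * P2
    lam = (P1 - 1) * (P2 - 1)
    return (n, n + 1), (lam, pow(lam, -1, n))

def rand_unit(n):
    """Random element of [1, n-1] that is invertible mod n."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r

def encrypt(pk, m, r):
    n, g = pk
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)   # c = g^m r^n mod n^2

def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def commit(pk):
    """Prover: random x and u, commitment B = g^x u^n mod n^2."""
    n, g = pk
    x, u = secrets.randbelow(n), rand_unit(n)
    return x, u, pow(g, x, n * n) * pow(u, n, n * n) % (n * n)

def respond(pk, m, r, x, u, q):
    """Prover: w = (x + q m) mod n and Z = u r^q g^t mod n^2, where x + q m = w + t n."""
    n, g = pk
    t, w = divmod(x + q * m, n)
    return w, u * pow(r, q, n * n) * pow(g, t, n * n) % (n * n)

def check(pk, c, B, q, w, Z):
    """Verifier: accept iff g^w Z^n == B c^q (mod n^2)."""
    n, g = pk
    n2 = n * n
    # Range and invertibility checks are hardening added here; the page states only the equation.
    if not (0 < c < n2 and 0 < B < n2 and 0 < Z < n2 and 0 <= w < n):
        return False
    if gcd(c, n) != 1 or gcd(B, n) != 1 or gcd(Z, n) != 1:
        return False
    return pow(g, w, n2) * pow(Z, n, n2) % n2 == B * pow(c, q, n2) % n2

def hash_challenge(pk, c, B):
    """NIPPK challenge q = H(c || B) mod n, with c and B as fixed-width big-endian bytes."""
    n, _ = pk
    size = ((n * n).bit_length() + 7) // 8
    data = c.to_bytes(size, "big") + B.to_bytes(size, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ppk_run(pk, m, r):
    """Interactive PPK: the verifier picks q only after it has seen c and B."""
    c = encrypt(pk, m, r)
    x, u, B = commit(pk)                 # prover -> verifier: c, B
    q = secrets.randbelow(pk[0])         # verifier -> prover: q
    w, Z = respond(pk, m, r, x, u, q)    # prover -> verifier: w, Z
    return check(pk, c, B, q, w, Z)

def nippk_prove(pk, m, r):
    """Non-interactive proof: the prover derives q itself from c and B."""
    c = encrypt(pk, m, r)
    x, u, B = commit(pk)
    w, Z = respond(pk, m, r, x, u, hash_challenge(pk, c, B))
    return c, B, w, Z

def nippk_verify(pk, c, B, w, Z):
    n2 = pk[0] ** 2
    if not (0 < c < n2 and 0 < B < n2):
        return False                     # reject malformed values before hashing them
    return check(pk, c, B, hash_challenge(pk, c, B), w, Z)

if __name__ == "__main__":
    pk, sk = keygen()
    m, r = 424242, rand_unit(pk[0])      # constructed plaintext standing in for a key share
    c, B, w, Z = nippk_prove(pk, m, r)
    print("decrypts to m:", decrypt(pk, sk, c) == m)
    print("NIPPK accepted:", nippk_verify(pk, c, B, w, Z))
    print("tampered w accepted:", nippk_verify(pk, c, B, (w + 1) % pk[0], Z))
    print("interactive PPK accepted:", ppk_run(pk, m, r))
```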
Specifically, in this embodiment, when the non-interactive proof of plaintext knowledge protocol NIPPK(c, m) is used to prove and verify the first participant signature parameter ciphertext (in this embodiment, the first private key share ciphertext and the first temporary private key share ciphertext), the proof and verification of the first private key share ciphertext and of the first temporary private key share ciphertext may be executed in any order or in parallel.
Taking the proof and verification of the first private key share ciphertext as an example, the detailed process under the non-interactive proof of plaintext knowledge protocol may include the following steps B1 to B3.
Step B1: participant 1, as the prover, calculates the first private key share ciphertext based on the first private key share and calculates a commitment (called the first participant commitment in this embodiment).
Step B2: participant 1, as the prover, calculates a challenge (called the first participant challenge in this embodiment) and calculates the responses w and Z based on the first participant challenge. In this embodiment, the w and Z generated from the challenge that participant 1 itself generates are called the third response and the fourth response respectively. Participant 1 sends a proof message to participant 2; the proof message includes the first private key share ciphertext, the first participant commitment, the third response and the fourth response.
In one application example, the third response may be calculated based on the plaintext m and the first participant challenge, and the fourth response may be calculated based on the first participant challenge and the relevant parameters of the homomorphic cryptosystem.
Step B3: participant 2 calculates a challenge (called the second participant challenge in this embodiment), where the second participant challenge is equal to the first participant challenge. Based on the second participant challenge, participant 2 verifies whether the first private key share ciphertext, the first participant commitment, the third response and the fourth response satisfy a certain mathematical relation; in the example above, this may be that $g^w Z^n \bmod n^2$ equals $B c^q \bmod n^2$. When the relation holds, this proves that participant 1 knows the plaintext corresponding to the first private key share ciphertext, which completes the proof and verification.
The proof and verification of the first temporary private key share ciphertext under the non-interactive proof of plaintext knowledge protocol may be similar to the proof and verification of the first private key share ciphertext described above and are not repeated here.
Accordingly, in this embodiment, in the proof and verification phases of the proof-of-knowledge protocol for the first participant signature parameter ciphertext (in this embodiment, the first private key share ciphertext and the first temporary private key share ciphertext), the methods above can be used to prove and verify that the first private key share ciphertext is an encryption of the first private key share of the first participant and that the first temporary private key share ciphertext is an encryption of the first temporary private key share.
If verification of the proof of plaintext knowledge protocol fails, the process terminates and exits. If verification of the proof of plaintext knowledge protocol passes, the process proceeds to the subsequent steps.
Participant 2 generates the second private key share $d_2 \in [1, n-1]$, which may be generated randomly, and obtains the complete public key D based on the second private key share $d_2$ and the first public key share $D_1$. In one embodiment, the complete public key D may be shared multiplicatively by participant 1 and participant 2, in which case $D = d_2 D_1 = d_1 d_2 G = dG$. In another embodiment, the complete public key D may be shared additively by participant 1 and participant 2; in this case, participant 2 may calculate the second public key share $D_2 = d_2 G$ based on the second private key share $d_2$ and then obtain the complete public key $D = D_1 + D_2 = (d_1 + d_2)G = dG$ based on the first public key share $D_1$ and the second public key share $D_2$. After the complete public key D is obtained, an ECC digital certificate corresponding to the complete public key D is generated.
Participant 2 generates the second temporary private key share $k_2 \in [1, n-1]$, which may be generated randomly, calculates the second temporary public key share $K_2 = k_2 G$ based on $k_2$, and then obtains the complete temporary public key $K = K_1 + K_2 = (k_1 + k_2)G = kG = (x_1, y_1)$ based on the first temporary public key share $K_1$ and the second temporary public key share $K_2$.
Participant 2 then selects a temporary random number as the blinding factor $x' \in [1, n-1]$ (denoted the first blinding factor in this embodiment) and synthesizes the first temporary private key share ciphertext $k_e = Enc(k_1)$, the second temporary private key share $k_2 \in [1, n-1]$ and the first blinding factor $x' \in [1, n-1]$ to obtain the blinded temporary signature share ciphertext: $reverse_e = (k_e \cdot Enc(k_2))^{x'} = (Enc(k_1) \cdot Enc(k_2))^{x'} = Enc((k_1 + k_2) x' \bmod n)$.
Participant 2 then acts as the prover and participant 1 as the verifier, and the two carry out the proof and verification of the proof-of-knowledge protocol for the blinded temporary signature share ciphertext.
The proof and verification of the proof-of-knowledge protocol here may be those of the proof of plaintext knowledge protocol. As described above, either the interactive proof of plaintext knowledge protocol PPK(c, m) or the non-interactive proof of plaintext knowledge protocol NIPPK(c, m) may be used. The principle of the proof and verification for the blinded temporary signature share ciphertext $reverse_e$ is the same as the principle of the proof of plaintext knowledge protocol described above and is not repeated here.
If verification of the proof-of-knowledge protocol fails, the process terminates and exits. If verification of the proof-of-knowledge protocol passes, the process proceeds to the subsequent steps.
Participant 1 decrypts the blinded temporary signature share ciphertext $reverse_e$ to obtain the blinded temporary signature share $reverse = Dec(Enc(reverse_e)) = (k_1 + k_2) x' \bmod n$. Participant 1 then obtains the first blinded signature share $reverse'$ based on the blinded temporary signature share $reverse$. Any feasible method may be used for this; in one embodiment, the blinded temporary signature share $reverse$ may be inverted to obtain the first blinded signature share, i.e. $reverse' = ((k_1 + k_2) x')^{-1} \bmod n = (k_1 + k_2)^{-1} x'^{-1} \bmod n$. After obtaining the first blinded signature share $reverse'$, participant 1 encrypts it to obtain the first blinded signature share ciphertext $reverse'_e = Enc(reverse')$.
Participant 1 then acts as the prover and participant 2 as the verifier, and the two carry out the proof and verification of the proof-of-knowledge protocol for the first blinded signature share ciphertext $reverse'_e$.
The proof and verification of the proof-of-knowledge protocol here may be those of the proof of plaintext knowledge protocol. As described above, either the interactive proof of plaintext knowledge protocol PPK(c, m) or the non-interactive proof of plaintext knowledge protocol NIPPK(c, m) may be used. The principle of the proof and verification for the first blinded signature share ciphertext $reverse'_e$ is the same as the principle of the proof of plaintext knowledge protocol described above and is not repeated here.
As noted above, the proof-of-knowledge protocol comes in the interactive form PPK(c, m) and the non-interactive form NIPPK(c, m). Therefore, when the interactive protocol is used, the proof and verification of $PPK(reverse'_e, reverse')$ are executed; when the non-interactive protocol is used, the proof and verification of $NIPPK(reverse'_e, reverse')$ are executed.
If verification of the proof-of-knowledge protocol fails, the process terminates and exits. If verification of the proof-of-knowledge protocol passes, the process proceeds to the subsequent steps.
Participant 2 calculates the second participant signature share, which may be an ECC signature share. The second participant signature share may be determined from the parameter $x_1$ of the complete temporary public key $K = (x_1, y_1)$; for example, the second participant signature share is $r = x_1 \bmod n$. If the result is r = 0, participant 2 returns to the step of generating the second temporary private key share above, regenerates a new second temporary private key share, and repeats the process. Otherwise, the process proceeds to the subsequent steps.
Participant 2 then synthesizes the first blinding factor $x'$ and the first blinded signature share ciphertext $reverse'_e$ to obtain the first sub-signature share ciphertext $s'_1$; one way of computing the synthesis can be written as:
Participant 2 synthesizes the first private key share ciphertext $d_e$, the second private key share $d_2$, the second participant signature share r and the data digest e to obtain the second sub-signature share ciphertext $s'_2$.
In one embodiment, where the complete public key D is shared additively by participant 1 and participant 2, this can be written as:
In another embodiment, where the complete public key D is shared multiplicatively by participant 1 and participant 2, this can be written as:
Participant 2 synthesizes the first sub-signature share ciphertext $s'_1$ and the second sub-signature share ciphertext $s'_2$ to obtain the first participant signature share ciphertext $s_e$, which can be written $s_e = s'_1 \cdot s'_2 = Enc(k^{-1}(e + dr) \bmod n)$.
Participant 2 then sends a second message to participant 1; the second message includes the second participant signature share r and the first participant signature share ciphertext $s_e$.
Participant 1 receives the second message and decrypts the first participant signature share ciphertext $s_e$ to obtain the first participant signature share $s = Dec(Enc(s_e)) = k^{-1}(e + dr) \bmod n$. If the first participant signature share obtained is s = 0, the process returns to the step above in which participant 2 generates the second temporary private key share; participant 2 regenerates a new second temporary private key share and the process is repeated. Otherwise, the pair (r, s) formed by the second participant signature share r and the first participant signature share s is a valid ECC signature.
Embodiment two: the temporary private key takes the multiplicative-sharing form.
In one embodiment, constructing the temporary private key by multiplicative sharing is referred to as the multiplicative-sharing form. When the temporary private key is constructed by multiplicative sharing, its form can be written $k = k_1 \cdot k_2$.
On the premise that the temporary private key is constructed by multiplicative sharing, the private key may be constructed by multiplicative sharing, written $d = d_1 d_2$, or by additive sharing, written $d = d_1 + d_2$. Here d is the shared private key, which is a complete private key; $d_1$ is the private key share held by participant 1 (denoted the first private key share in the embodiments of this application); $d_2$ is the private key share held by participant 2 (denoted the second private key share in the embodiments of this application). k is the shared temporary private key, which is a complete temporary private key; $k_1$ is the temporary private key share held by participant 1 (denoted the first temporary private key share in the embodiments of this application); $k_2$ is the temporary private key share held by participant 2 (denoted the second temporary private key share in the embodiments of this application).
Therefore, this embodiment may include two schemes: one is a multiplicatively shared temporary private key $k = k_1 \cdot k_2$ with a multiplicatively shared private key $d = d_1 d_2$; the other is a multiplicatively shared temporary private key $k = k_1 \cdot k_2$ with an additively shared private key $d = d_1 + d_2$.
Referring to Fig. 5, in a specific implementation of this embodiment, participant 1 performs a digest operation on the data to be signed M to obtain the data digest $e = H(M)$. Participant 1 then generates the first private key share $d_1 \in [1, n-1]$ that it holds; $d_1$ may be generated randomly. Based on the first private key share it holds, participant 1 calculates its first public key share $D_1 = d_1 G$. Participant 1 also generates the first temporary private key share $k_1 \in [1, n-1]$ that it holds and, based on $k_1$, calculates its first temporary public key share $K_1 = k_1 G$. Participant 1 also calls the key generation algorithm KeyGen of the homomorphic cryptosystem to generate the key pair (pk, sk).
Participant 1 then sends a first message to participant 2; the first message carries the data digest e, the first public key share $D_1$ and the first temporary public key share $K_1$.
After receiving the first message sent by participant 1, participant 2 carries out, together with participant 1, the proof and verification phases of the proof-of-knowledge protocol for the first signature factor ciphertext and the third signature factor ciphertext. In this embodiment, the first participant signature parameter ciphertext includes the first signature factor ciphertext and the third signature factor ciphertext.
In one embodiment, the first signature factor ciphertext and the third signature factor ciphertext may be generated during the proof phase of the proof-of-knowledge protocol. During the proof and verification of the proof-of-knowledge protocol, participant 1 calculates the first signature factor ciphertext and the third signature factor ciphertext.
In one embodiment, the first signature factor u may be calculated based on the first temporary private key share $k_1$, such as ; and the third signature factor v may be calculated based on the first temporary private key share $k_1$ and the first private key share $d_1$, such as
In another embodiment, participant 1 may also, after selecting a blinding factor x (denoted the second blinding factor in this embodiment), calculate the first signature factor u based on the first temporary private key share $k_1$ and the second blinding factor x, such as ; and calculate the third signature factor v based on the first temporary private key share $k_1$, the first private key share $d_1$ and the second blinding factor x, such as . It will be appreciated that, in practical applications, the first signature factor u and the third signature factor v may also be calculated in other ways.
Participant 1 then encrypts the first signature factor u to obtain the first signature factor ciphertext and encrypts the third signature factor v to obtain the third signature factor ciphertext. Any feasible encryption method may be used. Denoting the encryption algorithm by Enc, the first signature factor ciphertext can be written $u_e = Enc(u)$ and the third signature factor ciphertext can be written $v_e = Enc(v)$.
Different proof-of-knowledge protocols may be used when executing the proof and verification. For example, in this embodiment the proof and verification of the proof of zero-element knowledge protocol may be completed first, followed by the proof and verification of the proof of plaintext knowledge protocol. The principle of the proof of plaintext knowledge protocol has been described in the embodiment above and is not repeated here.
In the proof of zero-element knowledge protocol, the prover, without revealing secret information, proves to the verifier that the ciphertext c is an encryption of the zero element 0, satisfying a certain relation such as $L_{Zero} = \{((c, pk), (0, r)) \mid c = Enc_{pk}(0, r)\}$. In this process, after participant 2 receives the first message sent by participant 1, participant 1 acts as the prover and participant 2 acts as the verifier to complete the proof and verification of the proof of zero-element knowledge protocol.
The proof of zero-element knowledge protocol comes in two types: an interactive type, denoted PZK(c, m), and a non-interactive type, denoted NIPZK(c, m).
The principle of the interactive proof-of-zero protocol PZK(c, m) is as follows. In the proof stage, the prover calculates the ciphertext $c$ from the plaintext $m$ and calculates a commitment $B$. In one embodiment the ciphertext can be $c = g^m r^n \bmod n^2$ (if $m = 0$, then $c = r^n \bmod n^2$) and the commitment can be $B = u^n \bmod n^2$, where $g$, $r$ and $n$ are parameters of the homomorphic cryptosystem. The prover then sends the ciphertext $c$ and the commitment $B$ to the verifier. The verifier selects a random challenge $q \in Z_n$ and sends it to the prover. After receiving the random challenge $q \in Z_n$, the prover uses it to calculate the response $Z$; in one embodiment the response can be $Z = u r^q \bmod n^2$. The prover then sends the response $Z$ to the verifier. In the verification stage, the verifier checks whether the received ciphertext $c$, the commitment $B$ and the received response $Z$ satisfy a certain mathematical relation; in one application example it can check whether $Z^n \bmod n^2$ equals $B c^q \bmod n^2$. If they are equal, the ciphertext $c$ is an encryption of the zero element 0.
Here, $g$ is a generator selected from ; $m$ is a plaintext selected from $Z_n$; $r$ is a random number selected from ; $n$ is the RSA modulus; $u$ is a random number selected from ; $Z_n$ is the set of all positive integers less than $n$; $q$ is a hash value.
Specifically, in this embodiment, when the interactive proof-of-zero protocol PZK(c, m) is used to carry out the proof and verification of the proof-of-knowledge protocol for the first participant signature parameter ciphertext (in this embodiment, the first signature factor ciphertext and the third signature factor ciphertext), the proofs and verifications of the first signature factor ciphertext and of the third signature factor ciphertext may be performed in any order, or in parallel.
Taking the proof and verification of the first signature factor ciphertext as an example, the detailed process of proof and verification based on the interactive proof-of-zero protocol PZK(c, m) may include the following steps C1 to C4.
Step C1: participant 1, acting as the prover, calculates the first signature factor ciphertext and calculates a commitment (called the first participant commitment in this embodiment), and sends a first proof message to participant 2. The first proof message includes the first signature factor ciphertext and the first participant commitment.
Step C2: participant 2, acting as the verifier, receives the first proof message, selects a random challenge (called the second participant challenge in this embodiment), and sends the second participant challenge to participant 1.
Step C3: participant 1 receives the second participant challenge and calculates the response $Z$ based on it. In this embodiment, the $Z$ generated from the challenge returned by participant 2 is called the fifth response. Participant 1 sends a second proof message to participant 2; the second proof message includes the fifth response.
In one embodiment, the fifth response can be calculated from the second participant challenge and the relevant parameters of the homomorphic cryptosystem.
Step C4: participant 2 receives the second proof message. When the second proof message and the first proof message satisfy a certain mathematical relation, this proves that participant 1 knows the plaintext corresponding to the first signature factor ciphertext, and the proof and verification process is complete. The relation that the second proof message and the first proof message satisfy can be a mathematical relation among the first signature factor ciphertext, the first participant commitment and the fifth response; in the example above, it can be whether $Z^n \bmod n^2$ equals $B c^q \bmod n^2$.
The proof and verification of the third signature factor ciphertext based on the interactive proof-of-zero protocol can be similar to the proof and verification of the first signature factor ciphertext described above, and is not repeated here.
The principle of the non-interactive proof-of-zero protocol NIPZK(c, m) is as follows. In the proof stage, the prover calculates the ciphertext $c$ from the plaintext $m$ and calculates a commitment $B$. In one embodiment the ciphertext can be $c = g^m r^n \bmod n^2$ (if $m = 0$, then $c = r^n \bmod n^2$) and the commitment can be $B = u^n \bmod n^2$, where $g$, $r$ and $n$ are parameters of the homomorphic cryptosystem. The prover then calculates the challenge $q$. As long as the randomness and unpredictability of the challenge $q$ are guaranteed, the prover may calculate it in any feasible way; in one embodiment the challenge can be calculated with a hash function, for example $q = H(c \| B) \bmod n$, where $H()$ is a secure hash function. The prover then calculates the response $Z$; in one embodiment the response can be $Z = u r^q \bmod n^2$. The prover then sends $c$, $B$ and $Z$ to the verifier. In the verification stage, the verifier calculates the challenge $q = H(c \| B) \bmod n$ and checks whether the received ciphertext $c$, the commitment $B$ and the received response $Z$ satisfy a certain mathematical relation; in one application example it can check whether $Z^n \bmod n^2$ equals $B c^q \bmod n^2$. If they are equal, the ciphertext $c$ is an encryption of the zero element 0.
Here, $g$ is a generator selected from ; $m$ is a plaintext selected from $Z_n$; $r$ is a random number selected from ; $n$ is the RSA modulus; $u$ is a random number selected from ; $Z_n$ is the set of all positive integers less than $n$; $q$ is a hash value.
Specifically, in this embodiment, when the non-interactive proof-of-zero protocol NIPZK(c, m) is used to carry out the proof and verification of the proof-of-knowledge protocol for the first participant signature parameter ciphertext (in this embodiment, the first signature factor ciphertext and the third signature factor ciphertext), the proofs and verifications of the first signature factor ciphertext and of the third signature factor ciphertext may be performed in any order, or in parallel.
Taking the proof and verification of the first signature factor ciphertext as an example, the detailed process of proof and verification based on the non-interactive proof-of-zero protocol NIPZK(c, m) may include the following steps D1 to D4.
Step D1: participant 1, acting as the prover, calculates the first signature factor ciphertext and calculates a commitment (called the first participant commitment in this embodiment).
Step D2: participant 1, acting as the prover, calculates a challenge (called the first participant challenge in this embodiment) and calculates the response $Z$ based on the first participant challenge. In this embodiment, the $Z$ generated from the challenge that participant 1 itself generated is called the sixth response. Participant 1 sends a proof message to participant 2; the proof message includes the first signature factor ciphertext, the first participant commitment and the sixth response.
In one application example, the sixth response can be calculated from the first participant challenge and the relevant parameters of the homomorphic cryptosystem.
Step D3: participant 2 calculates a challenge (called the second participant challenge in this embodiment), where the second participant challenge is equal to the first participant challenge. Based on the second participant challenge, participant 2 verifies whether a certain mathematical relation holds among the first signature factor ciphertext, the first participant commitment and the sixth response; in the example above, this can be whether $Z^n \bmod n^2$ equals $B c^q \bmod n^2$. When the relation holds, this proves that participant 1 knows the plaintext corresponding to the first signature factor ciphertext, and the proof and verification process is complete.
The proof and verification of the third signature factor ciphertext based on the non-interactive proof-of-zero protocol can be similar to the proof and verification of the first signature factor ciphertext described above, and is not repeated here.
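The interactive PZK and non-interactive NIPZK exchanges described above, as an added Python example that is not code from the patent. It assumes Paillier-style encryption with g = n + 1, r and u drawn from Z_n^*, SHA-256 as H, and a constructed toy modulus; all function names are illustrative.

```python
import hashlib
import math
import secrets

# Constructed toy key: product of two Mersenne primes so the demo runs instantly.
# A real modulus n is an RSA modulus of at least 2048 bits.
N = (2**61 - 1) * (2**89 - 1)


def rand_unit(n):
    """Random element of Z_n^* (assumed domain for r and u)."""
    while True:
        x = secrets.randbelow(n - 1) + 1
        if math.gcd(x, n) == 1:
            return x


def in_group(n, x):
    """True if x is a valid element of Z_{n^2}^*."""
    return 0 < x < n * n and math.gcd(x, n) == 1


def encrypt(n, m, r):
    """c = g^m * r^n mod n^2 with g = n + 1 (assumption); m = 0 gives c = r^n."""
    n2 = n * n
    return pow(n + 1, m, n2) * pow(r, n, n2) % n2


def commit(n):
    """Prover: pick random u, return (u, B) with B = u^n mod n^2."""
    u = rand_unit(n)
    return u, pow(u, n, n * n)


def respond(n, u, r, q):
    """Prover: Z = u * r^q mod n^2."""
    n2 = n * n
    return u * pow(r, q, n2) % n2


def verify(n, c, B, Z, q):
    """Verifier: accept iff Z^n == B * c^q (mod n^2)."""
    # Range checks first: B = Z = 0 would satisfy the equation for any c.
    if not all(in_group(n, x) for x in (c, B, Z)):
        return False
    n2 = n * n
    return pow(Z, n, n2) == B * pow(c, q, n2) % n2


def fs_challenge(n, c, B):
    """Non-interactive challenge q = H(c || B) mod n."""
    width = ((n * n).bit_length() + 7) // 8  # fixed width: unambiguous encoding
    data = c.to_bytes(width, "big") + B.to_bytes(width, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def pzk_interactive(n, c, r):
    """Steps C1-C4 with both roles in one process; returns the verifier's verdict."""
    u, B = commit(n)            # C1: prover -> verifier (c, B)
    q = secrets.randbelow(n)    # C2: verifier -> prover, random challenge
    Z = respond(n, u, r, q)     # C3: prover -> verifier, response
    return verify(n, c, B, Z, q)  # C4


def nipzk_prove(n, c, r):
    """Steps D1-D2: prover derives the challenge itself and returns (B, Z)."""
    u, B = commit(n)
    return B, respond(n, u, r, fs_challenge(n, c, B))


def nipzk_verify(n, c, B, Z):
    """Step D3: verifier recomputes the same challenge and checks the relation."""
    if not (in_group(n, c) and in_group(n, B)):
        return False
    return verify(n, c, B, Z, fs_challenge(n, c, B))


if __name__ == "__main__":
    r = rand_unit(N)
    zero_ct = encrypt(N, 0, r)   # encryption of the zero element
    one_ct = encrypt(N, 1, r)    # encryption of 1: the proof must fail
    print("PZK, m=0:", pzk_interactive(N, zero_ct, r))
    print("PZK, m=1:", pzk_interactive(N, one_ct, r))
    B, Z = nipzk_prove(N, zero_ct, r)
    print("NIPZK, m=0:", nipzk_verify(N, zero_ct, B, Z))
```

The verifier rejects values outside Z_{n^2}^* before checking the equation, because B = Z = 0 would otherwise pass for any ciphertext. Deployed Fiat-Shamir proofs usually also hash the public key and a session identifier into q so that a proof cannot be replayed in another context.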
Accordingly, in this embodiment, when executing the proof and verification stage of the proof-of-knowledge protocol for the first signature factor ciphertext and the third signature factor ciphertext, the approaches above can be combined. The proof and verification of the proof-of-zero protocol are executed first for the first signature factor ciphertext and the third signature factor ciphertext. If verification of the proof-of-zero protocol succeeds, the process ends and exits. If verification of the proof-of-zero protocol fails, the proof and verification of the proof-of-plaintext-knowledge protocol are then executed for the first signature factor ciphertext and the third signature factor ciphertext. If verification of the proof-of-plaintext-knowledge protocol fails, the process ends and exits. If verification of the proof-of-plaintext-knowledge protocol passes, the process continues with the subsequent steps.
Participant 2 generates the second private key share $d_2 \in [1, n-1]$, which can be generated randomly, and obtains the complete public key $D$ based on the second private key share $d_2$ and the first public key share $D_1$. In one embodiment, the complete public key $D$ can be multiplicatively shared by participant 1 and participant 2, in which case $D = d_2 D_1 = d_1 d_2 G = dG$. In another embodiment, the complete public key $D$ can be additively shared by participant 1 and participant 2; in that case, the second public key share $D_2 = d_2 G$ can be calculated from the second private key share $d_2$, and the complete public key is then obtained from the first public key share $D_1$ and the second public key share $D_2$ as $D = D_1 + D_2 = (d_1 + d_2)G = dG$. After the complete public key $D$ is obtained, the ECC digital certificate corresponding to the complete public key $D$ is generated.
Participant 2 generates the second temporary private key share $k_2 \in [1, n-1]$, which can be generated randomly, and obtains the complete temporary public key based on the second temporary private key share $k_2$ and the first temporary public key share $K_1$: $K = k_2 K_1 = k_1 k_2 G = kG = (x_1, y_1)$.
Participant 2 then calculates the second participant signature share, which can be an ECC signature share. The second participant signature share can be determined from the parameter $x_1$ of the complete temporary public key $K = (x_1, y_1)$; for example, the second participant signature share is $r = x_1 \bmod n$. If the result is $r = 0$, participant 2 returns to the step of generating the second temporary private key share above, generates a new second temporary private key share, and repeats the process. Otherwise, the process continues with the subsequent steps.
Participant 2 then calculates the first participant signature share ciphertext $s_e$.
In one embodiment, where the complete public key $D$ is multiplicatively shared by participant 1 and participant 2, participant 2 can calculate the first participant signature share ciphertext $s_e$ as follows.
Participant 2 calculates the second signature factor $a$ and the fourth signature factor $b$. In one embodiment, the second signature factor $a$ can be calculated based on the second temporary private key share $k_2$ and the data digest $e$, such as , and the fourth signature factor $b$ can be calculated based on the second temporary private key share $k_2$, the second private key share $d_2$ and the second participant signature share $r$, such as
In another embodiment, participant 2 may first select a blinding factor $y$ (called the third blinding factor in this embodiment), then calculate the second signature factor $a$ based on the second temporary private key share $k_2$, the data digest $e$ and the third blinding factor $y$, such as , and calculate the fourth signature factor $b$ based on the second temporary private key share $k_2$, the second private key share $d_2$, the second participant signature share $r$ and the third blinding factor $y$, such as . It will be appreciated that in practical applications the second signature factor $a$ and the fourth signature factor $b$ may also be calculated in other ways.
Participant 2 then performs synthesis based on the first signature factor ciphertext $u_e$, the second signature factor $a$, the third signature factor ciphertext $v_e$ and the fourth signature factor $b$ to obtain the first participant signature share ciphertext $s_e$. This can be written as:
In another embodiment, where the complete public key $D$ is additively shared by participant 1 and participant 2, participant 2 can calculate the first participant signature share ciphertext $s_e$ as follows.
Participant 2 calculates the second signature factor $a$, the fourth signature factor $b$ and the fifth signature factor $c$.
In one application embodiment, the second signature factor $a$ can be calculated based on the second temporary private key share $k_2$ and the data digest $e$, such as ; the fourth signature factor $b$ can be calculated based on the second temporary private key share $k_2$ and the second participant signature share $r$, such as ; and the fifth signature factor $c$ can be calculated based on the second temporary private key share $k_2$, the second private key share $d_2$ and the second participant signature share $r$, such as
In another application embodiment, participant 2 may first select a blinding factor $z$ (called the fourth blinding factor in this embodiment), then calculate the second signature factor $a$ based on the second temporary private key share $k_2$, the data digest $e$ and the fourth blinding factor $z$, such as ; calculate the fourth signature factor $b$ based on the second temporary private key share $k_2$, the second participant signature share $r$ and the fourth blinding factor $z$, such as ; and calculate the fifth signature factor $c$ based on the second temporary private key share $k_2$, the second private key share $d_2$, the second participant signature share $r$ and the fourth blinding factor $z$, such as . It will be appreciated that in practical applications the second signature factor $a$, the fourth signature factor $b$ and the fifth signature factor $c$ may also be calculated in other ways.
Once the second signature factor $a$, the fourth signature factor $b$ and the fifth signature factor $c$ have been calculated, participant 2 can perform synthesis based on the first signature factor ciphertext $u_e$, the second signature factor $a$, the third signature factor ciphertext $v_e$, the fourth signature factor $b$ and the fifth signature factor $c$ to obtain the first participant signature share ciphertext $s_e$. This can be written as:
After obtaining the first participant signature share ciphertext $s_e$, participant 2 sends a second message to participant 1. The second message includes the second participant signature share $r$ and the first participant signature share ciphertext $s_e$.
Participant 1 receives the second message and decrypts the first participant signature share ciphertext $s_e$ to obtain the first participant signature share $s = \mathrm{Dec}(\mathrm{Enc}(s_e)) = k^{-1}(e + dr) \bmod n$. If the obtained first participant signature share is $s = 0$, the process returns to the step above in which participant 2 generates the second temporary private key share; participant 2 generates a new second temporary private key share and the process is repeated. Otherwise, the signature pair $(r, s)$ formed by the second participant signature share $r$ and the first participant signature share $s$ is a valid ECC signature.
The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments have been described; however, as long as a combination of these technical features involves no contradiction, it should be considered within the scope of this specification.
The above embodiments express only several implementations of the present application. Their description is relatively specific and detailed, but it should not therefore be construed as limiting the scope of the patent. It should be pointed out that a person of ordinary skill in the art can make various modifications and improvements without departing from the concept of the present application, and these all fall within the scope of protection of the present application. The scope of protection of this patent application shall therefore be subject to the appended claims.
Claims (23)
1. A co-ECC digital signature method, characterized by comprising:
the first participant calculates the digest of the data to be signed to obtain a data digest, and sends a first message to the second participant, the first message carrying the data digest;
the second participant receives the first message, and performs synthesis based on the second participant signature share of the second participant and the data digest to obtain a first participant signature share ciphertext;
the second participant sends a second message to the first participant, the second message carrying the first participant signature share ciphertext;
the first participant decrypts the first participant signature share ciphertext to obtain the first participant signature share.
2. The method according to claim 1, characterized in that, after the second participant receives the first message and before it performs synthesis based on the second participant signature share of the second participant and the data digest to obtain the first participant signature share ciphertext, the method further comprises:
the second participant and the first participant cooperatively execute the proof and verification of a proof-of-knowledge protocol for the first participant signature parameter ciphertext.
3. The method according to claim 2, characterized in that the first participant signature parameter ciphertext comprises: a first private key share ciphertext obtained by encrypting the first private key share, and a first temporary private key share ciphertext obtained by encrypting the first temporary private key share.
4. The method according to claim 3, characterized in that the second participant and the first participant cooperatively executing the proof and verification of the proof-of-knowledge protocol for the first participant signature parameter ciphertext comprises:
the second participant and the first participant cooperatively execute the proof and verification of the proof-of-knowledge protocol for the first private key share ciphertext;
the second participant and the first participant cooperatively execute the proof and verification of the proof-of-knowledge protocol for the first temporary private key share ciphertext.
5. The method according to claim 4, characterized in that the second participant and the first participant cooperatively executing the proof and verification of the proof-of-plaintext-knowledge protocol for the first private key share ciphertext comprises:
the first participant calculates the first private key share ciphertext based on the first private key share, calculates a first participant commitment, and sends a first proof message to the second participant, the first proof message comprising the first private key share ciphertext and the first participant commitment;
the second participant receives the first proof message, selects a second participant challenge, and sends the second participant challenge to the first participant;
the first participant receives the second participant challenge, calculates a first response and a second response based on the second participant challenge, and sends a second proof message to the second participant, the second proof message comprising the first response and the second response;
the second participant receives the second proof message, and when the second proof message and the first proof message satisfy a predetermined operation relation, the proof and verification process is completed.
6. The method according to claim 4, characterized in that the second participant and the first participant cooperatively executing the proof and verification of the proof-of-plaintext-knowledge protocol for the first private key share ciphertext comprises:
the first participant calculates the first private key share ciphertext based on the first private key share, and calculates a first participant commitment;
the first participant calculates a first participant challenge, calculates a third response and a fourth response based on the first participant challenge, and sends a proof message to the second participant, the proof message comprising the first private key share ciphertext, the first participant commitment, the third response and the fourth response;
the second participant calculates a second participant challenge and, based on the second participant challenge, verifies the first private key share ciphertext, the first participant commitment, the third response and the fourth response; when a predetermined operation relation is satisfied among them, the proof and verification process is completed.
7. The method according to any one of claims 3 to 6, characterized in that the second participant performing synthesis based on the second participant signature share of the second participant and the data digest to obtain the first participant signature share ciphertext comprises:
the second participant performs synthesis based on the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest to obtain the first participant signature share ciphertext.
8. The method according to claim 7, characterized in that the second participant performing synthesis based on the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest to obtain the first participant signature share ciphertext comprises:
the second participant determines a first blinding factor;
the second participant and the first participant cooperatively execute the proof and verification of the proof-of-plaintext-knowledge protocol for a blinded temporary signature share ciphertext, the blinded temporary signature share ciphertext being obtained by synthesis based on the first temporary private key share ciphertext, the second temporary private key share and the first blinding factor;
the first participant and the second participant cooperatively execute the proof and verification of the proof-of-plaintext-knowledge protocol for a first blinded signature share ciphertext; the blinded temporary signature share is obtained by decrypting the blinded temporary signature share ciphertext; the first blinded signature share is obtained based on the blinded temporary signature share, and the first blinded signature share ciphertext is obtained by encrypting the first blinded signature share;
the second participant calculates the second participant signature share, and performs synthesis based on the first blinding factor, the first blinded signature share ciphertext, the first private key share ciphertext, the second private key share, the second participant signature share and the data digest to obtain the first participant signature share ciphertext.
9. The method according to claim 8, characterized by comprising at least one of the following items:
Item 1:
the first participant takes the inverse of the blinded temporary signature share to obtain the first blinded signature share;
Item 2:
the second participant performing synthesis based on the first blinding factor, the first blinded signature share ciphertext, the first private key share ciphertext, the second private key share, the second participant signature share and the data digest to obtain the first participant signature share ciphertext comprises:
the second participant performs synthesis based on the first blinding factor and the first blinded signature share ciphertext to obtain a first sub-signature share ciphertext;
the second participant synthesizes the first private key share ciphertext, the second private key share, the second participant signature share and the data digest to obtain a second sub-signature share ciphertext;
the second participant performs synthesis based on the first sub-signature share ciphertext and the second sub-signature share ciphertext to obtain the first participant signature share ciphertext.
10. The method according to claim 2, characterized in that the first participant signature parameter ciphertext comprises: a first participant signature factor ciphertext obtained by the first participant encrypting the first participant signature factor generated by the first participant.
11. The method according to claim 10, characterized in that the first participant signature factor comprises: the first signature factor and the third signature factor generated by the first participant; and the first participant signature factor ciphertext comprises: the first signature factor ciphertext and the third signature factor ciphertext.
12. The method according to claim 11, characterized in that the second participant and the first participant cooperatively executing the proof and verification of the proof-of-knowledge protocol for the first participant signature parameter ciphertext comprises:
the second participant and the first participant cooperatively execute the proof and verification of the proof-of-knowledge protocol for the first signature factor ciphertext;
the second participant and the first participant cooperatively execute the proof and verification of the proof-of-knowledge protocol for the third signature factor ciphertext.
13. The method according to claim 12, characterized in that the second participant and the first participant cooperatively executing the proof and verification of the proof-of-knowledge protocol for the first signature factor ciphertext comprises:
the second participant and the first participant cooperatively execute the proof and verification of the proof-of-zero protocol for the first signature factor ciphertext;
the second participant and the first participant cooperatively execute the proof and verification of the proof-of-plaintext-knowledge protocol for the first signature factor ciphertext.
14. The method according to claim 13, characterized in that the second participant and the first participant cooperatively executing the proof and verification of the proof-of-zero protocol for the first signature factor ciphertext comprises:
the first participant calculates the first signature factor ciphertext, calculates a first participant commitment, and sends a first proof message to the second participant, the first proof message comprising the first signature factor ciphertext and the first participant commitment;
the second participant receives the first proof message, selects a second participant challenge, and sends the second participant challenge to the first participant;
the first participant receives the second participant challenge, calculates a fifth response based on the second participant challenge, and sends a second proof message to the second participant, the second proof message comprising the fifth response;
the second participant receives the second proof message, and when the second proof message and the first proof message satisfy a predetermined operation relation, the proof and verification process is completed.
15. The method according to claim 13, characterized in that the second participant and the first participant cooperatively executing the proof and verification of the proof-of-zero protocol for the first signature factor ciphertext comprises:
the first participant calculates the first signature factor ciphertext, and calculates a first participant commitment;
the first participant calculates a first participant challenge, calculates a sixth response based on the first participant challenge, and sends a proof message to the second participant, the proof message comprising the first signature factor ciphertext, the first participant commitment and the sixth response;
the second participant calculates a second participant challenge and, based on the second participant challenge, verifies the first signature factor ciphertext, the first participant commitment and the sixth response; when a predetermined operation relation is satisfied among them, the proof and verification process is completed.
16. according to the method for claim 11, which is characterized in that including any one in following two:
First item:
First participant is based on the first temporary private share and calculates the first signature factor;
First participant is based on the first temporary private share and the first private key share calculates the third signature factor;
Section 2:
First participant selects the second blinding factor;
First participant is based on the first temporary private share, the second blinding factor calculates the first signature factor;
First participant be based on the first temporary private share, the first private key share and the second blinding factor calculate third signature because
Son.
17. The method according to any one of claims 10 to 16, characterized in that the second participant performing synthesis based on the second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest, and obtaining the first participant signature share ciphertext, comprises:
The second participant generates the second participant signature factor based on the second participant signature share of the second participant and the data digest;
The second participant performs synthesis based on the first participant signature factor ciphertext and the second participant signature factor, and obtains the first participant signature share ciphertext.
18. The method according to claim 17, characterized in that the second participant signature factor includes the second signature factor and the 4th signature factor.
19. The method according to claim 18, characterized by comprising any one of the following two items:
First item:
The second participant generating the second participant signature factor comprises:
The second participant calculates the second signature factor based on the second temporary private share and the data digest;
The second participant calculates the 4th signature factor based on the second temporary private share, the second private key share and the second participant signature share;
Second item:
The second participant generating the second participant signature factor comprises:
The second participant selects the third blinding factor;
The second participant calculates the second signature factor based on the second temporary private share, the data digest and the third blinding factor;
The second participant calculates the 4th signature factor based on the second temporary private share, the second private key share, the second participant signature share and the third blinding factor.
20. The method according to claim 17, characterized in that the second participant signature factor includes the second signature factor, the 4th signature factor and the 5th signature factor.
21. The method according to claim 20, characterized by comprising any one of the following two items:
First item:
The second participant generating the second participant signature factor comprises:
The second participant calculates the second signature factor based on the second temporary private share and the data digest;
The second participant calculates the 4th signature factor based on the second temporary private share and the second participant signature share;
The second participant calculates the 5th signature factor based on the second temporary private share, the second private key share and the second participant signature share;
Second item:
The second participant generating the second participant signature factor comprises:
The second participant selects the 4th blinding factor;
The second participant calculates the second signature factor based on the second temporary private share, the data digest and the 4th blinding factor;
The second participant calculates the 4th signature factor based on the second temporary private share, the second participant signature share and the 4th blinding factor;
The second participant calculates the 5th signature factor based on the second temporary private share, the second private key share, the second participant signature share and the 4th blinding factor.
22. The method according to claim 1, wherein the second participant calculates the second participant signature share based on the complete temporary public key.
23. The method according to claim 11, characterized in that the first message also carries the first public key share held by the first participant and the first temporary public key share held by the first participant;
The second participant obtains the complete public key based on the first public key share and the second private key share held by the second participant, and obtains the complete temporary public key based on the first temporary public key share and the second temporary private share held by the second participant.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810796674.5A CN108964906B (en) | 2018-07-19 | 2018-07-19 | Digital signature method for cooperation with ECC |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108964906A true CN108964906A (en) | 2018-12-07 |
CN108964906B CN108964906B (en) | 2021-05-28 |
Family
ID=64482015
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810796674.5A Active CN108964906B (en) | 2018-07-19 | 2018-07-19 | Digital signature method for cooperation with ECC |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108964906B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160358165A1 (en) * | 2015-06-08 | 2016-12-08 | Blockstream Corporation | Cryptographically concealing amounts transacted on a ledger while preserving a network's ability to verify the transaction |
CN106685651A (en) * | 2016-12-22 | 2017-05-17 | 北京信安世纪科技有限公司 | Method for creating digital signatures by cooperation of client and server |
CN106789087A (en) * | 2017-01-26 | 2017-05-31 | 数安时代科技股份有限公司 | Determine the data summarization of message, the method and system based on multi-party digital signature |
CN107682151A (en) * | 2017-10-30 | 2018-02-09 | 武汉大学 | A kind of GOST digital signature generation method and system |
Non-Patent Citations (2)
Title |
---|
ROSARIO GENNARO: "Fast Multiparty Threshold ECDSA with Fast Trustless Setup", 《CCS"18-SESSION 6C: CRYPTO 3》 * |
YEHUDA LINDELL: "Fast secure two-party ecdsa signing", 《ADVANCES IN CRYPTOLOGY –CRYPTO 2017. LECTURE NOTES IN COMPUTER SCIENCE》 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210334809A1 (en) * | 2019-03-22 | 2021-10-28 | Beijing Wodong Tianjun Information Technology Co., Ltd. | Transaction method and apparatus based on blind signature |
CN111565108A (en) * | 2020-07-15 | 2020-08-21 | 北京信安世纪科技股份有限公司 | Signature processing method, device and system |
CN113158258A (en) * | 2021-03-31 | 2021-07-23 | 郑州信大捷安信息技术股份有限公司 | Collaborative signature method, device and system based on elliptic curve |
CN113158258B (en) * | 2021-03-31 | 2022-02-11 | 郑州信大捷安信息技术股份有限公司 | Collaborative signature method, device and system based on elliptic curve |
Also Published As
Publication number | Publication date |
---|---|
CN108964906B (en) | 2021-05-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108667625A (en) | Cooperate with the digital signature method of SM2 | |
Ling et al. | Group signatures from lattices: simpler, tighter, shorter, ring-based | |
Jakobsson et al. | An optimally robust hybrid mix network | |
Diffie et al. | Authentication and authenticated key exchanges | |
CN107707358B (en) | EC-KCDSA digital signature generation method and system | |
JP4790122B2 (en) | Robust and efficient distributed RSA key generation | |
CN114157427B (en) | SM2 digital signature-based threshold signature method | |
CN109309569A (en) | The method, apparatus and storage medium of collaboration signature based on SM2 algorithm | |
Backes et al. | Asynchronous computational VSS with reduced communication complexity | |
Morrissey et al. | The TLS handshake protocol: A modular analysis | |
CN111162912B (en) | Verification method and device suitable for block chain and storage medium | |
CN110011803A (en) | A kind of method that two side of lightweight SM2 cooperates with generation digital signature | |
CN109639439A (en) | A kind of ECDSA digital signature method based on two sides collaboration | |
CN108964906A (en) | The digital signature method of co-EC C | |
CN109547199A (en) | A kind of method that multi-party joint generates SM2 digital signature | |
CN111159745A (en) | Verification method and device suitable for block chain | |
Gennaro et al. | Okamoto-Tanaka revisited: Fully authenticated Diffie-Hellman with minimal overhead | |
JP2023552263A (en) | Redistribution of secret sharing | |
Ranjani et al. | An Extended Identity Based Authenticated Asymmetric Group Key Agreement Protocol. | |
Battagliola et al. | Threshold ecdsa with an offline recovery party | |
Kiayias et al. | Concurrent blind signatures without random oracles | |
CN113132104A (en) | Active and safe ECDSA (electronic signature SA) digital signature two-party generation method | |
CN108768634B (en) | Verifiable cryptographic signature generation method and system | |
Zeng et al. | A Practical Framework for $ t $-Out-of-$ n $ Oblivious Transfer With Security Against Covert Adversaries | |
CN108055134B (en) | Collaborative computing method and system for elliptic curve point multiplication and pairing operation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||