CN108964906B - Digital signature method for cooperation with ECC - Google Patents

Digital signature method for cooperation with ECC

Info

Publication number
CN108964906B
CN108964906B
Authority
CN
China
Prior art keywords
participant
signature
share
party
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810796674.5A
Other languages
Chinese (zh)
Other versions
CN108964906A (en)
Inventor
卢伟龙
张永强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Xinjian Information Technology Co ltd
Shuan Times Technology Co ltd
Original Assignee
Guangdong Xinjian Information Technology Co ltd
Shuan Times Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong Xinjian Information Technology Co ltd, Shuan Times Technology Co ltd
Priority to CN201810796674.5A
Publication of CN108964906A
Application granted
Publication of CN108964906B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses a digital signature method for collaborative ECC (elliptic curve cryptography, not error-correcting codes). In one embodiment the method comprises: a first participant computes the digest of the data to be signed, obtains the data digest, and sends a first message carrying the data digest to a second participant; the second participant receives the first message and synthesizes its own second participant signature share with the data digest to obtain a first participant signature share ciphertext; the second participant sends a second message carrying the first participant signature share ciphertext to the first participant; and the first participant decrypts the first participant signature share ciphertext to obtain the first participant signature share. The embodiment avoids repeated rounds of data exchange and computation, and so reduces communication and computational complexity.

Description

Digital signature method for cooperation with ECC
Technical Field
The application relates to the technical field of cryptography, in particular to a digital signature method for cooperating with ECC.
Background
Collaborative computing is a common computational model in contemporary distributed networks: mutually distrusting parties must jointly compute a predetermined task without revealing their own secrets, which is the core privacy and correctness guarantee of secure multi-party computation. Collaborative signing, built on this idea, has become the main way of providing unforgeability within a collaborative computation. ECDSA, the internationally recognised elliptic curve digital signature algorithm, is used worldwide and provides the core properties of a digital signature: integrity, verifiability and non-repudiation. In some application scenarios, to ensure fairness and cooperation in the signing process, ECDSA signature data has to be generated jointly by several parties while the privacy, correctness and efficiency of the process are guaranteed. Conventional solutions generally impose high communication and computational complexity on the participants.
Disclosure of Invention
Based on this, there is a need to provide a digital signature method in conjunction with ECC.
A digital signature method in conjunction with ECC, comprising:
a first participant computes the digest of the data to be signed, obtains the data digest, and sends a first message carrying the data digest to a second participant;
the second participant receives the first message and synthesizes its own second participant signature share with the data digest to obtain a first participant signature share ciphertext;
the second participant sends a second message carrying the first participant signature share ciphertext to the first participant;
and the first participant decrypts the first participant signature share ciphertext to obtain the first participant signature share.
With this scheme, once the first participant has obtained the data digest of the data to be signed, the second participant synthesizes the first participant signature share ciphertext from the data digest and its own second participant signature share, and sends that ciphertext to the first participant. Because the synthesis is carried out under a cryptosystem with homomorphic properties, the second participant can compute on the first participant's encrypted values without learning them; repeated rounds of data exchange and computation are avoided, and communication and computational complexity are reduced.
Drawings
FIG. 1 is a flow chart illustrating a digital signature method for collaborative ECC in an embodiment;
FIG. 2 is a schematic flow diagram illustrating the process of obtaining a first participant signature share ciphertext in one embodiment;
FIG. 3 is a schematic diagram of a process for obtaining a first participant signature share ciphertext in another embodiment;
FIG. 4 is a schematic diagram illustrating an interaction flow of a digital signature method in conjunction with ECC in an embodiment;
FIG. 5 is an interaction flow diagram of a digital signature method for collaborative ECC in another embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
As shown in fig. 1, the digital signature method for collaborative ECC in one embodiment includes the following steps S11 to S14.
Step S11: the first participant computes the digest of the data to be signed, obtains the data digest, and sends a first message carrying the data digest to the second participant.
The data to be signed is whatever data the participants need to sign; its digest may be computed with any suitable hash function (for ECDSA the hash output is interpreted as an integer e and reduced modulo the group order n).
In one embodiment, the first message may also carry the first public key share held by the first participant and the first temporary public key share held by the first participant. The first public key share held by the first participant and the second public key share held by the second participant together form the complete public key of the key pair. The two participants may share the complete public key additively, i.e. the complete public key is the sum of the two public key shares (Q = Q1 + Q2 with Q1 = d1·G and Q2 = d2·G), or multiplicatively, i.e. the complete public key is the scalar product of the second private key share and the first public key share (Q = d2·Q1 = d1·d2·G). Other sharing methods are possible and this embodiment does not limit them. The complete temporary (ephemeral) public key is shared in the same way, additively or multiplicatively.
Correspondingly, the first private key share held by the first participant and the second private key share held by the second participant together form the complete private key of the key pair, shared additively (d = d1 + d2), multiplicatively (d = d1·d2) or in another manner.
Step S12: and the second party receives the first message, and synthesizes a second party signature share of the second party and the data digest to obtain a first party signature share ciphertext.
In one embodiment, in a case where the first message also carries a first public key share held by the first participant and a first temporary public key share held by the first participant, the second participant further obtains the complete public key based on the first public key share and a second private key share held by the second participant, and obtains the complete temporary public key based on the first temporary public key share and a second temporary private key share held by the second participant.
In one embodiment, the obtaining, by the second party, the full public key based on the first public key share and a second private key share held by the second party may include: the second participant determines a second public key share held by the second participant based on a second private key share held by the second participant; the second participant obtains a full public key based on the first public key share and the second public key share. The second participant obtaining the complete temporary public key based on the first temporary public key share and a second temporary private key share held by the second participant may include: the second participant determines a second temporary public key share held by the second participant based on a second temporary private key share held by the second participant; the second participant obtains a complete temporary public key based on the first temporary public key share and the second temporary public key share.
When the participants share the complete public key additively, the complete public key is the sum of the first and second public key shares; when they share it multiplicatively, it is the scalar product of the second private key share and the first public key share. Other sharing methods are possible and this embodiment does not limit them. Likewise, depending on whether the complete temporary public key is shared multiplicatively or additively, it is the scalar product of the second temporary private key share and the first temporary public key share, or the sum of the first and second temporary public key shares.
In one embodiment, after the second party synthesizes the complete public key, an ECC digital certificate corresponding to the complete public key is also generated. The second party may calculate a second party signature share based on the full ephemeral public key.
In one embodiment, after the second participant receives the first message and before it synthesizes its second participant signature share, the first participant signature parameter ciphertext and the data digest, the method may further include:
the second participant, in cooperation with the first participant, running a proof-of-knowledge protocol for the first participant signature parameter ciphertext (the first participant proves, the second participant verifies).
In one embodiment, the first party may also determine a first party signature parameter ciphertext prior to execution of the proof and verification of the proof knowledge protocol described above, which determined first party signature parameter ciphertext may also be transmitted to the second party. The first party may transmit the first party signature parameter ciphertext to the second party in various possible ways.
In one embodiment of the present application, the first party may determine the first party signature parameter ciphertext during performance of the proof knowledge protocol described above.
The first party signature parameter ciphertext may be determined in a variety of possible ways.
In one embodiment, the first participant signature parameter ciphertext may include a first private key share ciphertext, obtained by encrypting the first private key share, and a first temporary private key share ciphertext, obtained by encrypting the first temporary private key share.
In that case, the proof-of-knowledge protocol run by the second participant in cooperation with the first participant for the first participant signature parameter ciphertext may include:
a proof-of-knowledge protocol for the first private key share ciphertext; and
a proof-of-knowledge protocol for the first temporary private key share ciphertext.
The two protocols may be run sequentially in either order, or in parallel.
In one embodiment, the proof-of-knowledge protocol for the first private key share ciphertext is a proof-of-plaintext-knowledge protocol, run interactively between the first participant (prover) and the second participant (verifier). The second participant then performs the protocol for the first private key share ciphertext with the first participant as follows:
the first participant computes the first private key share ciphertext from the first private key share, computes a first participant commitment, and sends a first proof message containing the first private key share ciphertext and the first participant commitment to the second participant;
the second participant receives the first proof message, selects a second participant challenge, and sends it to the first participant;
the first participant receives the second participant challenge, computes a first response and a second response from it, and sends a second proof message containing the first response and the second response to the second participant;
the second participant receives the second proof message and accepts (completing the proving and verification process) when the second proof message and the first proof message satisfy the predetermined mathematical relation.
In one embodiment, the number of interactions of the proof-of-plaintext-knowledge protocol above can be reduced so that the first participant sends a single proof message. The second participant then performs the protocol for the first private key share ciphertext with the first participant as follows:
the first participant computes the first private key share ciphertext from the first private key share and computes a first participant commitment;
the first participant computes a first participant challenge itself, computes a third response and a fourth response from that challenge, and sends one proof message containing the first private key share ciphertext, the first participant commitment, the third response and the fourth response to the second participant;
the second participant computes the second participant challenge on its side, and accepts (completing the proving and verification process) when the first private key share ciphertext, the first participant commitment, the third response and the fourth response satisfy the predetermined mathematical relation under that challenge.
The proof-of-knowledge protocol for the first temporary private key share ciphertext is run in the same way and is not repeated here.
In one embodiment, the first participant signature parameter ciphertext includes a first participant signature factor ciphertext, obtained by encrypting a first participant signature factor generated by the first participant. The number of first participant signature factors may be set as needed; in one embodiment the first participant signature factors include a first signature factor and a third signature factor generated by the first participant, and the first participant signature factor ciphertext then includes a first signature factor ciphertext obtained by encrypting the first signature factor and a third signature factor ciphertext obtained by encrypting the third signature factor.
The first and third signature factors may be generated in various ways. In one embodiment, the first participant computes the first signature factor from the first temporary private key share, and the third signature factor from the first temporary private key share and the first private key share. In another embodiment, the first participant first picks a blinding factor (called the second blinding factor in this embodiment), then computes the first signature factor from the first temporary private key share and the second blinding factor, and the third signature factor from the first temporary private key share, the first private key share and the second blinding factor.
In that case, the proof-of-knowledge protocol run by the second participant in cooperation with the first participant for the first participant signature parameter ciphertext may include:
a proof-of-knowledge protocol for the first signature factor ciphertext; and
a proof-of-knowledge protocol for the third signature factor ciphertext.
The two protocols may be run sequentially in either order, or in parallel.
Taking the first signature factor ciphertext as an example, the proof-of-knowledge protocol run by the second participant in cooperation with the first participant may include:
a zero-element knowledge proof protocol for the first signature factor ciphertext; and
a proof-of-plaintext-knowledge protocol for the first signature factor ciphertext.
In one embodiment, the zero-element knowledge proof protocol for the first signature factor ciphertext is run interactively between the first participant and the second participant, as follows:
the first participant computes the first signature factor ciphertext, computes a first participant commitment, and sends a first proof message containing the first signature factor ciphertext and the first participant commitment to the second participant;
the second participant receives the first proof message, selects a second participant challenge, and sends it to the first participant;
the first participant receives the second participant challenge, computes a fifth response from it, and sends a second proof message containing the fifth response to the second participant;
the second participant receives the second proof message and accepts when the second proof message and the first proof message satisfy the predetermined mathematical relation.
In one embodiment, the number of interactions of the zero-element knowledge proof protocol above can likewise be reduced so that the first participant sends a single proof message:
the first participant computes the first signature factor ciphertext and computes a first participant commitment;
the first participant computes a first participant challenge itself, computes a sixth response from it, and sends one proof message containing the first signature factor ciphertext, the first participant commitment and the sixth response to the second participant;
the second participant computes the second participant challenge on its side, and accepts when the first signature factor ciphertext, the first participant commitment and the sixth response satisfy the predetermined mathematical relation under that challenge.
The proof-of-plaintext-knowledge protocol for the first signature factor ciphertext works on the same principle as the proof-of-plaintext-knowledge protocol described above and is not repeated here.
In an embodiment, the first participant also generates the parameters of the homomorphic encryption scheme (the first participant holds the decryption key) and uses them to produce the first participant signature parameter ciphertext. Because the scheme is homomorphic, the second participant can compute on these ciphertexts without being able to decrypt them.
In one embodiment, when the first participant has determined the first participant signature parameter ciphertext, the second participant obtains the first participant signature share ciphertext as follows:
the second participant synthesizes its second participant signature share, the first participant signature parameter ciphertext and the data digest, using the homomorphic operations of the scheme, to obtain the first participant signature share ciphertext.
In an embodiment in which the first participant signature parameter ciphertext includes the first private key share ciphertext and the first temporary private key share ciphertext, the second participant synthesizes its second participant signature share, the first participant signature parameter ciphertext and the data digest to obtain the first participant signature share ciphertext through steps S1211 to S1214.
Step S1211: the second participant determines a first blinding factor.
Step S1212: the second participant, in cooperation with the first participant, runs a proof-of-plaintext-knowledge protocol for a blinded temporary signature share ciphertext, which is derived from the first temporary private key share ciphertext, the second temporary private key share and the first blinding factor (the blinding factor hides the temporary private key from the participant that decrypts).
Step S1213: the first participant and the second participant run a proof-of-plaintext-knowledge protocol for a first blinded signature share ciphertext. The blinded temporary signature share is obtained by decrypting the blinded temporary signature share ciphertext (the first participant holds the decryption key); the first blinded signature share is derived from the blinded temporary signature share, in one embodiment by taking its modular inverse; and the first blinded signature share is encrypted to obtain the first blinded signature share ciphertext.
Step S1214: the second participant computes its second participant signature share, and synthesizes the first blinding factor, the first blinded signature share ciphertext, the first private key share ciphertext, the second private key share, the second participant signature share and the data digest to obtain the first participant signature share ciphertext.
In one embodiment, in the above step S1214, the second party synthesizes the first blinding factor, the first blinded signature share ciphertext, the first private key share ciphertext, the second private key share, the second party signature share, and the data digest to obtain the first party signature share ciphertext, which may include steps S12141 to S12143.
Step S12141: and the second party synthesizes the first sub-signature share ciphertext based on the first blinding factor and the first blinded signature share ciphertext.
Step S12142: and the second participant synthesizes the first private key share ciphertext, the second private key share, the second participant signature share and the data digest to obtain a second sub-signature share ciphertext.
Step S12143: and the second participant synthesizes the first sub-signature share ciphertext and the second sub-signature share ciphertext to obtain the first participant signature share ciphertext.
In another embodiment, if the first participant signature parameter ciphertext includes the first signature factor ciphertext and the third signature factor ciphertext, the second participant synthesizes a second participant signature share of the second participant, the first participant signature parameter ciphertext and the data digest to obtain the first participant signature share ciphertext, which may specifically include steps S1221 to S1222.
Step S1221: the second participant generates a second participant signature factor based on a second participant signature share of the second participant and the data digest.
In one embodiment, the second participant signature factor may include two signature factors, denoted in this embodiment the second signature factor and the fourth signature factor. The second participant may compute the second signature factor from the second temporary private key share and the data digest, and the fourth signature factor from the second temporary private key share, the second private key share and the second participant signature share. Alternatively, after the second participant selects a third blinding factor, it computes the second signature factor from the second temporary private key share, the data digest and the third blinding factor, and the fourth signature factor from the second temporary private key share, the second participant signature share and the third blinding factor.
In another embodiment, the second participant signature factor may include three signature factors, denoted in this embodiment the second signature factor, the fourth signature factor and the fifth signature factor. The second participant may compute the second signature factor from the second temporary private key share and the data digest, the fourth signature factor from the second temporary private key share and the second participant signature share, and the fifth signature factor from the second temporary private key share, the second private key share and the second participant signature share. Alternatively, after the second participant selects a fourth blinding factor, it computes the second signature factor from the second temporary private key share, the data digest and the fourth blinding factor, the fourth signature factor from the second temporary private key share, the second participant signature share and the fourth blinding factor, and the fifth signature factor from the second temporary private key share, the second participant signature share and the fourth blinding factor.
Step S1222: the second party synthesizes the first party signature factor ciphertext and the second party signature factor to obtain the first party signature share ciphertext.
The second party may perform the synthesis based on the first party signature factor ciphertext and the second party signature factor in any possible manner, which is not limited in this embodiment.
Step S13: the second participant sends a second message to the first participant, the second message carrying the first participant signature share ciphertext.
Step S14: the first participant decrypts the first participant signature share ciphertext to obtain the first participant signature share.
The following is a detailed description in conjunction with several examples. In this embodiment, two parties (a first party and a second party, denoted party 1 and party 2 in this embodiment) agree on the elliptic curve cryptosystem parameters and select a generator G of prime order n. The generator G is a point on the elliptic curve from which the other points used are generated by scalar multiplication; selecting G with prime order n ensures that the operations on the curve rest on the elliptic curve discrete logarithm problem, which provides the security.
The first party holds a first private key share d1 and the second party holds a second private key share d2; d1 and d2 together form the complete private key d. The first party holds a first temporary private key share k1 and the second party holds a second temporary private key share k2; k1 and k2 together form the complete temporary private key k.
There may be different ways based on the different forms of construction of the private key and the temporary private key. For example, the private key may be constructed and obtained in an addition sharing manner, or may be constructed and obtained in a multiplication sharing manner. Accordingly, the temporary private key can be constructed and obtained in an addition sharing manner, and can also be constructed and obtained in a multiplication sharing manner.
The following description takes additive sharing and multiplicative sharing of the temporary private key as examples.
Embodiment one: the temporary private key is additively shared.
In one embodiment, the temporary private key is constructed by additive sharing. When the temporary private key is constructed by additive sharing, its form can be denoted k = k1 + k2.
Given that the temporary private key is constructed by additive sharing, the private key may also be constructed by additive sharing, in which case its form can be recorded as d = d1 + d2; or the private key may be constructed by multiplicative sharing, denoted d = d1·d2. Here d is the shared private key, i.e. the complete private key; d1 is the private key share held by party 1 (denoted the first private key share in this application); d2 is the private key share held by party 2 (denoted the second private key share in this embodiment). k is the shared temporary private key, i.e. the complete temporary private key; k1 is the temporary private key share held by party 1 (denoted the first temporary private key share in this embodiment); k2 is the temporary private key share held by party 2 (denoted the second temporary private key share in this embodiment of the application).
Therefore, this embodiment may include two schemes: one additively shares the temporary private key, k = k1 + k2, and additively shares the private key, d = d1 + d2; the other additively shares the temporary private key, k = k1 + k2, and multiplicatively shares the private key, d = d1·d2.
Referring to fig. 4, in this embodiment, in implementation, party 1 computes a digest of the data M to be signed, obtaining the data digest e = h(M). Party 1 then generates a first private key share d1 ∈ [1, n-1] held by party 1; the first private key share d1 may be generated at random, and party 1 computes its first public key share D1 = d1·G from the held first private key share d1. Party 1 also generates a first temporary private key share k1 ∈ [1, n-1] held by party 1 and computes its first temporary public key share K1 = k1·G from the held first temporary private key share k1. Here G is a generator of prime order n from the elliptic curve cryptosystem parameters, and the generator G can be agreed between party 1 and party 2. Party 1 also invokes the key generation algorithm KeyGen of the homomorphic cryptosystem to generate a key pair (pk, sk).
Participant 1 then sends a first message to participant 2, the first message carrying the data digest e, the first public key share D1 and the first temporary public key share K1.
After receiving the first message sent by participant 1, participant 2 cooperates with participant 1 to execute the proof and verification phase of the proof knowledge protocol for the first participant signature parameter ciphertext. In this embodiment, the first party signature parameter ciphertext includes a first private key share ciphertext and a first temporary private key share ciphertext. In one embodiment, the first private key share ciphertext and the first temporary private key share ciphertext may be generated during the proof process of the proof knowledge protocol, in which party 1 encrypts the first private key share d1 to obtain the first private key share ciphertext and encrypts the first temporary private key share k1 to obtain the first temporary private key share ciphertext. The specific encryption may be performed in any possible manner; with Enc denoting the encryption algorithm, the first private key share ciphertext can be recorded as d_e = Enc(d1) and the first temporary private key share ciphertext as k_e = Enc(k1).
Different proof knowledge protocols may be employed for the proof and verification, for example a proof-of-plaintext-knowledge protocol. In the proof-of-plaintext-knowledge protocol, without revealing secret information, the prover proves to the verifier that the plaintext m corresponding to a ciphertext c satisfies a certain relation, such as R_Enc = {((c, pk), (m, r)) | c = Enc_pk(m, r)}. In this process, after party 2 receives the first message sent by party 1, party 1 acts as the prover and party 2 acts as the verifier, and they perform the proof and verification of the proof-of-plaintext-knowledge protocol.
The proof-of-plaintext-knowledge protocol comes in two types: one is interactive and is denoted PPK(c, m); the other is non-interactive and is denoted NIPPK(c, m).
The principle of the interactive proof-of-plaintext-knowledge protocol PPK(c, m) is as follows. In the proof phase, the prover computes the ciphertext c from the plaintext m and computes a commitment B. In one embodiment the ciphertext may be c = g^m · r^n mod n² and the commitment may be B = g^x · u^n mod n², where g, r and n are parameters of the homomorphic cryptosystem and x ∈ Z_n.
[formula image omitted]
The prover then sends the ciphertext c and the commitment B to the verifier. The verifier selects a random challenge q ∈ Z_n and sends it to the prover. On receiving the random challenge q ∈ Z_n, the prover combines the plaintext m with the challenge q ∈ Z_n to compute the responses w and Z, which in one embodiment are w = (x + q·m) mod n and Z = u · r^q · g^t mod n², where t satisfies x + q·m = w + t·n. The prover then sends the computed responses w and Z to the verifier. In the verification phase, the verifier checks whether the received ciphertext c, commitment B and responses w and Z satisfy a certain mathematical relation; in one application example it computes whether g^w · Z^n mod n² equals B · c^q mod n². If the relation holds (in the above example, g^w · Z^n mod n² equals B · c^q mod n²), the ciphertext c is an encryption of the plaintext m.
Here g is a generator selected from the group shown in the omitted formula image; m is the plaintext selected from Z_n; r is a random number selected from the group shown in the omitted formula image; n is the RSA modulus; x is a random number selected from Z_n; u is a random number selected from the group shown in the omitted formula image; Z_n is the set of all positive integers less than n; and q is a hash value.
Specifically, in this embodiment, when the proof and verification of the proof knowledge protocol on the first party signature parameter ciphertext (in this embodiment, the first private key share ciphertext and the first temporary private key share ciphertext) uses the interactive proof-of-plaintext-knowledge protocol PPK(c, m) described above, the proof and verification of the first private key share ciphertext and of the first temporary private key share ciphertext may be performed in parallel, in no particular order.
Taking the proof and verification of the first private key share ciphertext as an example, the detailed process based on the interactive proof-of-plaintext-knowledge protocol may include the following steps A1 through A4.
Step A1: participant 1, acting as the prover, computes the first private key share ciphertext from the first private key share, computes a commitment (referred to as the first participant commitment in this embodiment), and sends a first attestation message to participant 2, the first attestation message including the first private key share ciphertext and the first participant commitment.
Step A2: party 2, acting as a verifier, receives the first attestation message and selects a random challenge (referred to as the second party challenge in this embodiment) and sends the second party challenge to party 1.
Step A3: participant 1 receives the second participant challenge and computes responses w and Z based on the second participant challenge, where w and Z generated based on the challenge returned by participant 2 are referred to as a first response and a second response, respectively, in this embodiment, and sends a second attestation message to participant 2, where the second attestation message includes: a first response and a second response.
In one example, a first response may be calculated based on plaintext m and a second participant challenge, and a second response may be calculated based on the second participant challenge and a parameter associated with the homomorphic cryptosystem.
Step A4: participant 2 receives the second attestation message; when the second attestation message and the first attestation message satisfy a certain mathematical relation, participant 1 is proved to know the plaintext corresponding to the first private key share ciphertext, and the proof and verification process is complete. The relation satisfied by the second attestation message and the first attestation message may be the relation between the first private key share ciphertext, the first participant commitment, the first response and the second response exemplified above, namely whether g^w · Z^n mod n² equals B · c^q mod n².
The process of proving and verifying the ciphertext of the first temporary private key share by using the interactive-type proof plaintext knowledge protocol may be similar to the process of proving and verifying the ciphertext of the first private key share by using the interactive-type proof plaintext knowledge protocol, and will not be further described herein.
The principle of the non-interactive proof-of-plaintext-knowledge protocol NIPPK(c, m) is as follows. In the proof phase, the prover computes the ciphertext c from the plaintext m and computes a commitment B. In one embodiment the ciphertext may be c = g^m · r^n mod n² and the commitment may be B = g^x · u^n mod n², where g, r and n are parameters of the homomorphic cryptosystem and x ∈ Z_n.
[formula image omitted]
The prover then computes the challenge q itself, which may be done in any possible way; in one embodiment it is computed with a hash function, e.g. q = H(c || B) mod n, where H(·) is a secure hash function. The prover computes the responses w and Z, which in one embodiment are w = (x + q·m) mod n and Z = u · r^q · g^t mod n², where t satisfies x + q·m = w + t·n, and then sends c, B, w and Z to the verifier. In the verification phase, the verifier recomputes the challenge q = H(c || B) mod n and checks whether the received ciphertext c, commitment B and responses w and Z satisfy a certain mathematical relation; in one application example it computes whether g^w · Z^n mod n² equals B · c^q mod n². If the relation holds (in the above example, g^w · Z^n mod n² equals B · c^q mod n²), the ciphertext c is an encryption of the plaintext m.
Here g is a generator selected from the group shown in the omitted formula image; m is the plaintext selected from Z_n; r is a random number selected from the group shown in the omitted formula image; n is the RSA modulus; x is a random number selected from Z_n; u is a random number selected from the group shown in the omitted formula image; Z_n is the set of all positive integers less than n; and q is a hash value.
Specifically, in this embodiment, when the proof and verification of the proof knowledge protocol is performed on the first party signature parameter ciphertext (in this embodiment, the first private key share ciphertext and the first temporary private key share ciphertext) based on the non-interactive proof plaintext knowledge protocol NIPPK (c, m), the proof and verification of the first private key share ciphertext and the first temporary private key share ciphertext may be performed in parallel without being in a sequential order.
Taking the proof and verification of the first private key share ciphertext as an example, a detailed process of the proof and verification based on the non-interactive proof plaintext knowledge protocol may include the following steps B1 through B3.
Step B1: party 1, acting as a prover, computes a first private key share ciphertext based on the first private key share and computes a commitment (referred to as the first party commitment in this embodiment).
Step B2: party 1, as the prover, computes a challenge (referred to as the first party challenge in this embodiment) and computes the responses w and Z from the first party challenge, where the w and Z generated from the challenge that party 1 computed itself are referred to as the third response and the fourth response, respectively, and sends an attestation message to party 2, the attestation message including the first private key share ciphertext, the first participant commitment, the third response and the fourth response.
In one example, a third response may be calculated based on plaintext m and the first participant challenge, and a fourth response may be calculated based on the first participant challenge and a parameter associated with the homomorphic cryptosystem.
Step B3: participant 2 computes a challenge (referred to as the second participant challenge in this embodiment), which equals the first participant challenge, and verifies with the second participant challenge that the first private key share ciphertext and the first participant commitment satisfy a certain mathematical relation with the third response and the fourth response, exemplified above as whether g^w · Z^n mod n² equals B · c^q mod n². If so, participant 1 is proved to know the plaintext corresponding to the first private key share ciphertext, and the proof and verification process is complete.
The process of proving and verifying the ciphertext of the first temporary private key share based on the non-interactive plaintext knowledge protocol may be similar to the process of proving and verifying the ciphertext of the first private key share based on the non-interactive plaintext knowledge protocol, and will not be further described herein.
Accordingly, in this embodiment, in the proof and verification phase of the proof knowledge protocol for the first party signature parameter ciphertext (in this embodiment, the first private key share ciphertext and the first temporary private key share ciphertext), both the first private key share ciphertext and the first temporary private key share ciphertext, the latter being the encryption of the first temporary private key share of the first party, may be proved and verified in the manner described above.
If the verification of the proof-of-plaintext-knowledge protocol fails, the process ends and exits. If the verification passes, the subsequent steps are performed.
Party 2 generates a second private key share d2 ∈ [1, n-1]; the second private key share d2 may be generated at random, and party 2 obtains the complete public key D from the second private key share d2 and the first public key share D1. In one embodiment, the complete public key D is multiplicatively shared by party 1 and party 2, in which case D = d2·D1 = d1·d2·G = d·G. In another embodiment, the complete public key D is additively shared by party 1 and party 2, in which case party 2 may also compute a second public key share D2 = d2·G from the second private key share d2 and then obtain the complete public key D = D1 + D2 = (d1 + d2)·G = d·G from the first public key share D1 and the second public key share D2. After the complete public key D is obtained, an ECC digital certificate corresponding to the complete public key D is generated.
Participant 2 generates a second temporary private key share k2 ∈ [1, n-1]; the second temporary private key share k2 ∈ [1, n-1] may be generated at random, and participant 2 computes a second temporary public key share K2 = k2·G from it and then obtains the complete temporary public key K = K1 + K2 = (k1 + k2)·G = k·G = (x1, y1) from the first temporary public key share K1 and the second temporary public key share K2.
Subsequently, participant 2 picks a random number x' ∈ [1, n-1] as a blinding factor (denoted the first blinding factor in this embodiment) and combines the first temporary private key share ciphertext k_e = Enc(k1), the second temporary private key share k2 ∈ [1, n-1] and the first blinding factor x' ∈ [1, n-1] to obtain a blinded temporary signature share ciphertext: reverse_e = (k_e · Enc(k2))^{x'} = (Enc(k1) · Enc(k2))^{x'} = Enc((k1 + k2)·x' mod n).
Subsequently, party 2 acts as a prover, party 1 acts as a verifier, and party 2 and party 1 perform proof and verification of the proof knowledge protocol on the blinded ephemeral signature share ciphertext.
The proof knowledge protocol used for this proof and verification may be the proof-of-plaintext-knowledge protocol. As described above, it may be performed with the interactive proof-of-plaintext-knowledge protocol PPK(c, m) or with the non-interactive proof-of-plaintext-knowledge protocol NIPPK(c, m). For the blinded temporary signature share ciphertext reverse_e, the principle of proving and verifying the plaintext knowledge protocol is the same as described above and is not repeated here.
If the proof of knowledge protocol fails verification, the flow ends and exits. If the proof of knowledge protocol is verified, the subsequent steps are entered.
Party 1 decrypts the blinded temporary signature share ciphertext reverse_e, obtaining the blinded temporary signature share reverse = Dec(reverse_e) = (k1 + k2)·x' mod n. Party 1 then obtains a first blinded signature share reverse' from the blinded temporary signature share reverse. This may be done in any possible manner; in one embodiment, the first blinded signature share reverse' is obtained by inverting the blinded temporary signature share reverse, i.e. reverse' = ((k1 + k2)·x')^{-1} mod n = (k1 + k2)^{-1}·x'^{-1} mod n. After obtaining the first blinded signature share reverse', party 1 encrypts it to obtain the first blinded signature share ciphertext reverse'_e = Enc(reverse').
Subsequently, party 1 acts as the prover and party 2 as the verifier, and party 1 and party 2 perform proof and verification of the proof knowledge protocol on the first blinded signature share ciphertext reverse'_e.
The proof knowledge protocol used for this proof and verification may be the proof-of-plaintext-knowledge protocol. As described above, it may be performed with the interactive proof-of-plaintext-knowledge protocol PPK(c, m) or with the non-interactive proof-of-plaintext-knowledge protocol NIPPK(c, m). For the first blinded signature share ciphertext reverse'_e, the principle of proving and verifying the plaintext knowledge protocol is the same as described above and is not repeated here.
As described above, the proof knowledge protocol has an interactive form PPK(c, m) and a non-interactive form NIPPK(c, m). Thus, when the interactive proof knowledge protocol is employed, PPK(reverse'_e, reverse') is executed for proof and verification; when the non-interactive proof knowledge protocol is employed, NIPPK(reverse'_e, reverse') is executed for proof and verification.
If the proof of knowledge protocol fails verification, the flow ends and exits. If the proof of knowledge protocol is verified, the subsequent steps are entered.
Participant 2 computes a second participant signature share, which may be an ECC signature share, from the parameter x1 of the complete temporary public key K = (x1, y1): the second participant signature share is r = x1 mod n. If the result is r = 0, participant 2 returns to the step of generating the second temporary private key share, regenerates a new second temporary private key share, and repeats the above process. Otherwise, the subsequent step is entered.
Party 2 then combines the first blinding factor x' and the first blinded signature share ciphertext reverse'_e to obtain a first sub-signature share ciphertext s'1; one of the synthesis calculations can be written as:
[formula image omitted]
Participant 2 combines the first private key share ciphertext d_e, the second private key share d2, the second participant signature share r and the data digest e to obtain a second sub-signature share ciphertext s'2.
In one embodiment, where the complete public key D is additively shared by party 1 and party 2, it may be written as:
[formula image omitted]
In another embodiment, where the complete public key D is multiplicatively shared by party 1 and party 2, it may be written as:
[formula image omitted]
Participant 2 combines the first sub-signature share ciphertext s'1 and the second sub-signature share ciphertext s'2 to obtain the first party signature share ciphertext s_e, which can be recorded as s_e = s'1 · s'2 = Enc(k^{-1}·(e + d·r) mod n).
Subsequently, party 2 sends a second message to party 1, the second message including the second party signature share r and the first party signature share ciphertext s_e.
Participant 1 receives the second message and decrypts the first participant signature share ciphertext s_e, obtaining the first party signature share s = Dec(s_e) = k^{-1}·(e + d·r) mod n. If the obtained first party signature share s is 0, the process returns to the step in which party 2 generates the second temporary private key share; party 2 regenerates a new second temporary private key share and the above process is repeated. Otherwise, the signature pair (r, s) consisting of the second party signature share r and the first party signature share s is a legitimate ECC signature.
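The share algebra of embodiment one run in the clear, as an added example that is not part of the patent text or the assignees' code. It computes the quantities the walk-through names (D = D1 + D2, K = K1 + K2, r = x1 mod n, the blinded inverse reverse = (k1 + k2)·x' and reverse' = reverse^{-1}, and s = k^{-1}·(e + d·r) mod n) with plain modular arithmetic in place of the homomorphic synthesis steps whose formulas are in the omitted figures, and then checks that the resulting (r, s) passes standard ECDSA verification, which is what "legitimate ECC signature" amounts to. It goes beyond the text by also covering the multiplicative key sharing D = d2·D1 of this embodiment and the multiplicative temporary key k = k1·k2 of embodiment two. The curve secp256k1 and SHA-256 as the digest h are assumed choices; in a real run no single party ever holds both shares, so this simulation only checks the arithmetic, not the protocol's privacy.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants; the patent names no curve).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0  # G lies on y^2 = x^3 + 7

def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7 (curve coefficient a = 0)."""
    if A is INF:
        return B
    if B is INF:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def digest(msg):
    """e = h(M): SHA-256 reduced mod n (an assumed choice of h)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def ecdsa_verify(D, msg, r, s):
    """Standard ECDSA verification, used as the 'legitimate ECC signature' check."""
    if not (0 < r < N and 0 < s < N):
        return False
    e, w = digest(msg), pow(s, -1, N)
    X = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, D))
    return X is not INF and X[0] % N == r

def cosign(d1, d2, msg, additive_d=True, additive_k=True, rng=secrets.randbelow):
    """Clear-text run of the two-party share algebra; returns (D, r, s)."""
    e = digest(msg)
    D1 = ec_mul(d1, G)                                   # party 1's public key share
    if additive_d:
        D = ec_add(D1, ec_mul(d2, G))                    # D = D1 + D2 = (d1 + d2) G
        d = (d1 + d2) % N
    else:
        D = ec_mul(d2, D1)                               # D = d2 D1 = d1 d2 G
        d = d1 * d2 % N
    while True:
        k1, k2 = rng(N - 1) + 1, rng(N - 1) + 1          # k1, k2 in [1, n-1]
        K1 = ec_mul(k1, G)
        K = ec_add(K1, ec_mul(k2, G)) if additive_k else ec_mul(k2, K1)
        if K is INF:
            continue
        r = K[0] % N                                     # r = x1 mod n
        if r == 0:                                       # page: regenerate k2 and retry
            continue
        if additive_k:
            # Page's blinded inverse: reverse = (k1 + k2) x', reverse' = reverse^-1;
            # multiplying back by x' leaves k^-1 = (k1 + k2)^-1 without exposing k1 + k2.
            x_blind = rng(N - 1) + 1
            reverse = (k1 + k2) * x_blind % N
            k_inv = x_blind * pow(reverse, -1, N) % N
        else:
            k_inv = pow(k1 * k2 % N, -1, N)              # k = k1 k2 (embodiment two)
        s = k_inv * (e + d * r) % N                      # s = k^-1 (e + d r) mod n
        if s == 0:                                       # page: regenerate and retry
            continue
        return D, r, s
```

The retry branches mirror the page's "if r = 0" and "if s = 0" conditions; a verifier that receives (r, s) from such a protocol should still apply the range checks in `ecdsa_verify`, since a zero component is exactly what a faulty or malicious co-signer would otherwise slip through.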
Embodiment two: the temporary private key is multiplicatively shared.
In one embodiment, the temporary private key is constructed by multiplicative sharing. When the temporary private key is constructed by multiplicative sharing, its form can be denoted k = k1·k2.
Given that the temporary private key is constructed by multiplicative sharing, the private key may also be constructed by multiplicative sharing, in which case its form can be recorded as d = d1·d2; or the private key may be constructed by additive sharing, denoted d = d1 + d2. Here d is the shared private key, i.e. the complete private key; d1 is the private key share held by party 1 (denoted the first private key share in this application); d2 is the private key share held by party 2 (denoted the second private key share in this embodiment). k is the shared temporary private key, i.e. the complete temporary private key; k1 is the temporary private key share held by party 1 (denoted the first temporary private key share in this embodiment); k2 is the temporary private key share held by party 2 (denoted the second temporary private key share in this embodiment of the application).
Therefore, this embodiment may include two schemes: one multiplicatively shares the temporary private key, k = k1·k2, and multiplicatively shares the private key, d = d1·d2; the other multiplicatively shares the temporary private key, k = k1·k2, and additively shares the private key, d = d1 + d2.
In this embodiment, referring to fig. 5, in practical implementation party 1 computes a digest of the data M to be signed, obtaining the data digest e = h(M). Party 1 then generates a first private key share d1 ∈ [1, n-1] held by party 1. The first private key share d1 may be generated at random, and party 1 computes its first public key share D1 = d1·G from the held first private key share. Party 1 also generates a first temporary private key share k1 ∈ [1, n-1] held by party 1 and computes its first temporary public key share K1 = k1·G from the held first temporary private key share k1. Party 1 also invokes the key generation algorithm KeyGen of the homomorphic cryptosystem to generate a key pair (pk, sk).
Participant 1 then sends a first message to participant 2, the first message carrying the data digest e, the first public key share D1 and the first temporary public key share K1.
After receiving the first message sent by participant 1, participant 2 cooperates with participant 1 to execute the proof and verification phase of the proof knowledge protocol for the first signature factor ciphertext and the third signature factor ciphertext. In this embodiment, the first party signature parameter ciphertext includes the first signature factor ciphertext and the third signature factor ciphertext.
In one embodiment, the first signing factor ciphertext and the third signing factor ciphertext may be generated during a proof process of a proof knowledge protocol. In the process of proving and verifying the proof knowledge protocol, the participant 1 calculates a first signature factor ciphertext and a third signature factor ciphertext.
In one embodiment, the first signature factor u may be computed from the first temporary private key share k1, e.g.
[formula image omitted]
and the third signature factor v may be computed from the first temporary private key share k1 and the first private key share d1, e.g.
[formula image omitted]
In another embodiment, party 1 may also choose a blinding factor x (denoted the second blinding factor in this embodiment) and compute the first signature factor u from the first temporary private key share k1 and the second blinding factor x, e.g.
[formula image omitted]
and the third signature factor v from the first temporary private key share k1, the first private key share d1 and the second blinding factor x, e.g.
[formula image omitted]
It will be appreciated that in practical technical applications, the first signature factor u and the third signature factor v may also be calculated in other ways.
Subsequently, party 1 encrypts the first signature factor u to obtain a first signature factor ciphertext and encrypts the third signature factor v to obtain a third signature factor ciphertext. The specific encryption may be performed in any possible manner; with Enc denoting the encryption algorithm, the first signature factor ciphertext can be recorded as u_e = Enc(u) and the third signature factor ciphertext as v_e = Enc(v).
Different proof knowledge protocols may be employed for the proof and verification. For example, in this embodiment, the proof and verification of the proof-of-zero-element knowledge protocol may be completed first, after which the proof and verification of the proof-of-plaintext-knowledge protocol may be completed. The principle of the proof-of-plaintext-knowledge protocol is described in the embodiments above and is not repeated here.
In the proof-of-zero-element knowledge protocol, without revealing secret information, the prover proves to the verifier that a ciphertext c is an encryption of the zero element 0, i.e. that a relation such as L_Zero = {((c, pk), (0, r)) | c = Enc_pk(0, r)} is satisfied. In this process, after party 2 receives the first message sent by party 1, party 1 acts as the prover and party 2 as the verifier, and the proof and verification of the proof-of-zero-element knowledge protocol are completed.
The proof-of-zero-element knowledge protocol comes in two types: one is interactive and is denoted PZK(c, m); the other is non-interactive and is denoted NIPZK(c, m).
The principle of the interactive proof-of-zero-element knowledge protocol PZK(c, m) is as follows. In the proof phase, the prover computes the ciphertext c from the plaintext m and computes a commitment B. In one embodiment the ciphertext may be c = g^m · r^n mod n² (so that c = r^n mod n² when m = 0) and the commitment may be B = u^n mod n², where g, r and n are parameters of the homomorphic cryptosystem.
[formula image omitted]
The prover then sends the ciphertext c and the commitment B to the verifier. The verifier selects a random challenge q ∈ Z_n and sends it to the prover. On receiving the random challenge q ∈ Z_n, the prover combines the challenge q ∈ Z_n to compute the response Z, which in one embodiment is Z = u · r^q mod n², and sends the computed response Z to the verifier. In the verification phase, the verifier checks whether the received ciphertext c, commitment B and response Z satisfy a certain mathematical relation; in one application example it computes whether Z^n mod n² equals B · c^q mod n². If they are equal, the ciphertext c is an encryption of the zero element 0.
Here g is a generator selected from the group shown in the omitted formula image; m is the plaintext selected from Z_n; r is a random number selected from the group shown in the omitted formula image; n is the RSA modulus; u is a random number selected from the group shown in the omitted formula image; Z_n is the set of all positive integers less than n; and q is a hash value.
Specifically, in this embodiment, when the proving and verification of the proof knowledge protocol for the first party signature parameter ciphertext (in this embodiment, the first signature factor ciphertext and the third signature factor ciphertext) are performed based on the interactive proof-of-zero-element knowledge protocol PZK(c, m), the proving and verification of the first signature factor ciphertext and of the third signature factor ciphertext may be performed in parallel, in no particular order.
Taking the proving and verification of the first signature factor ciphertext as an example, the detailed process based on the interactive proof-of-zero-element knowledge protocol PZK(c, m) may include the following steps C1 to C4.
Step C1: Party 1, acting as the prover, computes the first signature factor ciphertext and a commitment (referred to as the first party commitment in this embodiment), and sends a first attestation message to party 2; the first attestation message includes the first signature factor ciphertext and the first party commitment.
Step C2: party 2, acting as a verifier, receives the first attestation message and selects a random challenge (referred to as the second party challenge in this embodiment) and sends the second party challenge to party 1.
Step C3: Participant 1 receives the second participant challenge and calculates a response Z based on it; the Z generated from the challenge returned by participant 2 is referred to as the fifth response in this embodiment. Participant 1 then sends a second attestation message to participant 2; the second attestation message includes the fifth response.
In one embodiment, the fifth response may be calculated with the second participant challenge and the parameters associated with the homomorphic cryptosystem.
Step C4: Participant 2 receives the second attestation message and, when the second attestation message and the first attestation message satisfy a certain arithmetic relation, concludes that participant 1 knows the plaintext corresponding to the first signature factor ciphertext; this completes the proving and verification process. The relation that the second and first attestation messages must satisfy is an arithmetic relation between the first signature factor ciphertext, the first participant commitment and the fifth response, as illustrated in the example above: for instance, whether $Z^n \bmod n^2$ equals $B c^q \bmod n^2$.
The process of proving and verifying the third signature factor ciphertext by the interactive proof zero-element knowledge protocol may be similar to the process of proving and verifying the first signature factor ciphertext by the interactive proof zero-element knowledge protocol, and is not further described herein.
The principle of the non-interactive proof-of-zero-element knowledge protocol NIPZK(c, m) is as follows. In the proving phase, the prover computes the ciphertext c from the plaintext m and computes a commitment B. In one embodiment the ciphertext is $c = g^m r^n \bmod n^2$ (if m = 0, then $c = r^n \bmod n^2$) and the commitment is $B = u^n \bmod n^2$, where g, r and n are parameters of the homomorphic cryptosystem [Figure BDA0001736092380000221]. The prover then computes the challenge q itself. The challenge may be computed in any way that guarantees its randomness and unpredictability; for example, in one embodiment it is computed with a hash function as $q = H(c \,\|\, B) \bmod n$, where $H(\cdot)$ is a secure hash function. The prover then computes the response Z, which in one embodiment is $Z = u r^q \bmod n^2$, and sends c, B and Z to the verifier. In the verification phase, the verifier recomputes the challenge $q = H(c \,\|\, B) \bmod n$ and checks whether the received ciphertext c and commitment B satisfy a certain arithmetic relation with the received response Z; in one application example it checks whether $Z^n \bmod n^2$ equals $B c^q \bmod n^2$. If they are equal, the ciphertext c is an encryption of the zero element 0.
Here g is a generator selected from [Figure BDA0001736092380000231]; m is a plaintext selected from $Z_n$; r is a random number selected from [Figure BDA0001736092380000232]; n is the RSA modulus; u is a random number selected from [Figure BDA0001736092380000233]; $Z_n$ is the set of all positive integers less than n; q is a hash value.
Specifically, in this embodiment, when the proof and verification of the proof knowledge protocol is performed on the first party signature parameter ciphertext (in this embodiment, the first signature factor ciphertext and the third signature factor ciphertext) based on the non-interactive proof zero-element knowledge protocol NIPZK (c, m), the proof and verification of the first signature factor ciphertext and the third signature factor ciphertext may be performed in parallel without being in sequence.
Taking the proof and verification of the first signature factor ciphertext as an example, the detailed process of the proof and verification based on the non-interactive proof zero-element knowledge protocol NIPZK (c, m) may include the following steps D1 to D4.
Step D1: party 1, acting as a prover, computes a first signature factor ciphertext and computes a commitment (referred to as the first party commitment in this embodiment).
Step D2: Party 1, as the prover, computes a challenge (referred to as the first party challenge in this embodiment) and computes a response Z based on it; the Z generated from the challenge that party 1 produced itself is referred to as the sixth response in this embodiment. Party 1 then sends an attestation message to party 2; the attestation message includes the first signature factor ciphertext, the first participant commitment and the sixth response.
In one example of an application, the sixth response may be calculated based on the first participant challenge and the relevant parameters of the homomorphic cryptosystem.
Step D3: Participant 2 calculates a challenge (referred to as the second participant challenge in this embodiment), which is equal to the first participant challenge, and verifies, using the second participant challenge, that the first signature factor ciphertext and the first participant commitment satisfy a certain arithmetic relation with the sixth response, as illustrated in the example above: for instance, whether $Z^n \bmod n^2$ equals $B c^q \bmod n^2$. If so, participant 1 is shown to know the plaintext corresponding to the first signature factor ciphertext, and the proving and verification process is complete.
The process of proving and verifying the third signature factor ciphertext based on the non-interactive proof zero-element knowledge protocol may be similar to the process of proving and verifying the first signature factor ciphertext based on the non-interactive proof zero-element knowledge protocol, and is not further described herein.
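The two variants above differ only in who produces the challenge q: in PZK(c, m) the verifier draws it at random, in NIPZK(c, m) the prover derives it as H(c || B) mod n and the verifier recomputes it. The following is an added example, not the patent's own code, that implements both checks using Paillier encryption, whose ciphertext form matches the c = g^m r^n mod n^2 given above. The modulus is a small constructed value (not a real RSA modulus), SHA-256 as the hash H, and the function names are assumptions of this example.

```python
"""Proof that a Paillier ciphertext encrypts the zero element, in the
non-interactive (NIPZK) and interactive (PZK) forms described above.
Relations used: c = g^m r^n mod n^2, B = u^n mod n^2, Z = u r^q mod n^2,
accept iff Z^n == B c^q (mod n^2).  Added example, not the patent's code."""
import hashlib
import secrets
from math import gcd

# Constructed demo modulus: product of the Mersenne primes 2^31-1 and 2^61-1.
# Far too small for real use; chosen only so the example runs instantly.
N_MOD = (2**31 - 1) * (2**61 - 1)
N2 = N_MOD * N_MOD
G_PAILLIER = N_MOD + 1          # the usual Paillier generator g = n + 1


def rand_unit(n=N_MOD):
    """Random element of Z_n^* (coprime to n), as used for r and u."""
    while True:
        x = secrets.randbelow(n - 1) + 1
        if gcd(x, n) == 1:
            return x


def paillier_enc(m, r, n=N_MOD):
    """c = g^m r^n mod n^2; for m == 0 this is just r^n mod n^2."""
    return pow(G_PAILLIER, m, n * n) * pow(r, n, n * n) % (n * n)


def challenge(c, B, n=N_MOD):
    """Fiat-Shamir challenge q = H(c || B) mod n (SHA-256 assumed for H)."""
    data = c.to_bytes(32, "big") + B.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def nipzk_prove(m, n=N_MOD):
    """Prover side of NIPZK: returns (c, B, Z). Only sound when m == 0."""
    r, u = rand_unit(n), rand_unit(n)
    c = paillier_enc(m, r, n)           # ciphertext of m
    B = pow(u, n, n * n)                # commitment
    q = challenge(c, B, n)              # prover derives q itself
    Z = u * pow(r, q, n * n) % (n * n)  # response
    return c, B, Z


def nipzk_verify(c, B, Z, n=N_MOD):
    """Verifier side of NIPZK: recompute q, check Z^n == B c^q (mod n^2)."""
    q = challenge(c, B, n)
    return pow(Z, n, n * n) == B * pow(c, q, n * n) % (n * n)


def pzk_round(m, n=N_MOD):
    """One run of the interactive PZK with both roles simulated locally.
    Same relations, but the verifier chooses q at random after seeing (c, B)."""
    r, u = rand_unit(n), rand_unit(n)
    c, B = paillier_enc(m, r, n), pow(u, n, n * n)   # prover -> verifier
    q = secrets.randbelow(n)                          # verifier -> prover
    Z = u * pow(r, q, n * n) % (n * n)                # prover -> verifier
    return pow(Z, n, n * n) == B * pow(c, q, n * n) % (n * n)
```

The negative case is the useful one to keep: with g = n + 1, the verifier's relation picks up an extra factor g^{mq} = 1 + mqn (mod n^2), which vanishes only when m = 0, so a ciphertext of any nonzero plaintext fails the check without the verifier learning the plaintext itself. That is what allows party 2 to decide whether a signature factor ciphertext encrypts zero.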
Accordingly, in this embodiment, the above approaches may be combined in the proving and verification stage of the proof knowledge protocol for the first signature factor ciphertext and the third signature factor ciphertext: the proving and verification of the proof-of-zero-element knowledge protocol are performed first for the two ciphertexts; if that verification succeeds, the process ends and exits; if it fails, the proving and verification of the proof-of-plaintext-knowledge protocol are performed for the first and third signature factor ciphertexts; if that verification fails, the process ends and exits, and if it passes, the subsequent steps are carried out.
Participant 2 generates a second private key share $d_2 \in [1, n-1]$; the second private key share $d_2$ can be generated randomly. Based on the second private key share $d_2$ and the first public key share $D_1$, the complete public key D is obtained. In one embodiment the complete public key D is multiplicatively shared by party 1 and party 2, in which case $D = d_2 D_1 = d_1 d_2 G = dG$. In another embodiment the complete public key D is additively shared by party 1 and party 2; in this case a second public key share $D_2 = d_2 G$ may be computed from the second private key share $d_2$, and the complete public key $D = D_1 + D_2 = (d_1 + d_2) G = dG$ is then obtained from the first public key share $D_1$ and the second public key share $D_2$. After the complete public key D is obtained, an ECC digital certificate corresponding to the complete public key D is generated.
Participant 2 generates a second temporary private key share $k_2 \in [1, n-1]$, which can be generated randomly, and based on the second temporary private key share $k_2$ and the first temporary public key share $K_1$ obtains the complete temporary public key $K = k_2 K_1 = k_1 k_2 G = kG = (x_1, y_1)$.
Subsequently, participant 2 calculates a second participant signature share, which may be an ECC signature share computed from the coordinate $x_1$ of the complete temporary public key $K = (x_1, y_1)$; the second party signature share is $r = x_1 \bmod n$. If the result is r = 0, participant 2 returns to the step of generating the second temporary private key share, generates a new second temporary private key share, and repeats the above process. Otherwise, the subsequent step is entered.
Subsequently, party 2 calculates the first party signature share ciphertext $s_e$.
In one embodiment, where the complete public key D is multiplicatively shared by party 1 and party 2, party 2 may calculate the first party signature share ciphertext $s_e$ in the following manner.
Party 2 calculates a second signature factor a and a fourth signature factor b. In one embodiment, the second signature factor a may be calculated from the second temporary private key share $k_2$ and the data digest e, for example
Figure BDA0001736092380000251
and the fourth signature factor b from the second temporary private key share $k_2$, the second private key share $d_2$ and the second party signature share r, for example
Figure BDA0001736092380000252
In another embodiment, participant 2 may also choose a blinding factor y (referred to as the third blinding factor in this embodiment) and then calculate the second signature factor a from the second temporary private key share $k_2$, the data digest e and the third blinding factor y, for example
Figure BDA0001736092380000253
and the fourth signature factor b from the second temporary private key share $k_2$, the second private key share $d_2$, the second participant signature share r and the third blinding factor y, for example
Figure BDA0001736092380000254
It will be appreciated that in practical technical applications, the second signature factor a and the fourth signature factor b may also be calculated in other ways.
Subsequently, party 2 synthesizes the first signature factor ciphertext $u_e$, the second signature factor a, the third signature factor ciphertext $v_e$ and the fourth signature factor b to obtain the first participant signature share ciphertext $s_e$, which can be written as:
Figure BDA0001736092380000255
In another embodiment, where the complete public key D is additively shared by party 1 and party 2, party 2 may calculate the first party signature share ciphertext $s_e$ in the following manner.
Participant 2 calculates a second signature factor a, a fourth signature factor b and a fifth signature factor c.
In one application embodiment, the second signature factor a may be calculated from the second temporary private key share $k_2$ and the data digest e, for example
Figure BDA0001736092380000256
and the fourth signature factor b from the second temporary private key share $k_2$ and the second party signature share r, for example
Figure BDA0001736092380000257
and the fifth signature factor c from the second temporary private key share $k_2$, the second private key share $d_2$ and the second participant signature share r, for example
Figure BDA0001736092380000258
In another application embodiment, participant 2 may also choose a blinding factor z (referred to as the fourth blinding factor in this embodiment) and then calculate the second signature factor a from the second temporary private key share $k_2$, the data digest e and the fourth blinding factor z, for example
Figure BDA0001736092380000259
and the fourth signature factor b from the second temporary private key share $k_2$, the second participant signature share r and the fourth blinding factor z, for example
Figure BDA00017360923800002510
and the fifth signature factor c from the second temporary private key share $k_2$, the second private key share $d_2$, the second participant signature share r and the fourth blinding factor z, for example
Figure BDA00017360923800002511
It is understood that in practical technical applications, the second signature factor a, the fourth signature factor b and the fifth signature factor c may be calculated in other manners.
At this point, with the second, fourth and fifth signature factors a, b and c calculated, participant 2 synthesizes the first signature factor ciphertext $u_e$, the second signature factor a, the third signature factor ciphertext $v_e$, the fourth signature factor b and the fifth signature factor c to obtain the first participant signature share ciphertext $s_e$, which can be written as:
Figure BDA0001736092380000261
After obtaining the first party signature share ciphertext $s_e$, participant 2 sends a second message to participant 1; the second message includes the second participant signature share r and the first participant signature share ciphertext $s_e$.
Participant 1 receives the second message and decrypts the first participant signature share ciphertext $s_e$, obtaining the first party signature share $s = \mathrm{Dec}(\mathrm{Enc}(s_e)) = k^{-1}(e + dr) \bmod n$. If the obtained first party signature share s is 0, the process returns to the step in which party 2 generates the second temporary private key share; party 2 generates a new second temporary private key share and the above process is repeated. Otherwise, the signature pair (r, s) consisting of the second party signature share r and the first party signature share s is a valid ECC signature.
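The signing phase just described, worked through end to end for the multiplicatively shared case, as an added example that is not the patent's own code. The patent fixes none of the concrete choices made here: secp256k1 is assumed as the curve, Paillier as the homomorphic cryptosystem, the first and third signature factors are taken to be $k_1^{-1}$ and $k_1^{-1} d_1$ (encrypted as $u_e$ and $v_e$), and the second and fourth factors as $a = k_2^{-1} e$ and $b = k_2^{-1} d_2 r$ (mod n). Those factor forms are this example's assumption, chosen so that party 1 decrypts exactly $s = k^{-1}(e + dr) \bmod n$ as the text requires; the formulas in the patent's figures are not reproduced in the extracted text. The proof-of-knowledge steps from the earlier part of the description are omitted here.

```python
"""Two-party ECC (ECDSA) signing with multiplicatively shared keys, with the
first party's share of s carried in a Paillier ciphertext.
Added example, not the patent's code. Assumed here: secp256k1, Paillier with
g = n + 1, u_e = Enc(k1^-1), v_e = Enc(k1^-1 * d1), a = k2^-1 * e mod N,
b = k2^-1 * d2 * r mod N.  N below is the curve order (the page's n)."""
import hashlib
import secrets
from math import gcd

# secp256k1 domain parameters (assumed curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def is_prime(n, rounds=24):
    """Miller-Rabin test, sufficient for generating demo Paillier primes."""
    small = (2, 3, 5, 7, 11, 13)
    if n < 2 or any(n % s == 0 for s in small): return n in small
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True

def rand_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c): return c

def paillier_keygen(bits=300):
    """Paillier keypair (public n, private (n, lambda)) with g = n + 1.  Two
    300-bit primes give a plaintext space above 2*N^2, so the integer sum
    formed by party 2 never wraps before party 1 reduces it mod N."""
    p, q = rand_prime(bits), rand_prime(bits)
    n = p * q
    return n, (n, (p - 1) * (q - 1) // gcd(p - 1, q - 1))

def paillier_enc(n, m):
    r = secrets.randbelow(n - 1) + 1
    return pow(n + 1, m, n * n) * pow(r, n, n * n) % (n * n)

def paillier_dec(priv, c):
    n, lam = priv
    L = lambda x: (x - 1) // n
    return L(pow(c, lam, n * n)) * pow(L(pow(n + 1, lam, n * n)), -1, n) % n

def party1_setup():
    """Party 1: shares d1, k1, public shares D1, K1, and the encrypted
    first/third signature factors u_e, v_e carried in the first message."""
    d1, k1 = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    n, priv = paillier_keygen()
    k1inv = pow(k1, -1, N)
    return {"priv": priv, "n": n, "D1": ec_mul(d1, G), "K1": ec_mul(k1, G),
            "u_e": paillier_enc(n, k1inv), "v_e": paillier_enc(n, k1inv * d1 % N)}

def party2_sign(e, msg1, d2):
    """Party 2: picks k2, derives r, synthesizes s_e homomorphically."""
    n2 = msg1["n"] ** 2
    while True:
        k2 = secrets.randbelow(N - 1) + 1
        r = ec_mul(k2, msg1["K1"])[0] % N        # K = k2*K1 = k1*k2*G, r = x1 mod N
        if r != 0: break
    k2inv = pow(k2, -1, N)
    a, b = k2inv * e % N, k2inv * d2 * r % N     # second and fourth signature factors
    # Enc(k1^-1)^a * Enc(k1^-1 d1)^b = Enc(a*k1^-1 + b*k1^-1*d1) = Enc(k^-1 (e + d r))
    return r, pow(msg1["u_e"], a, n2) * pow(msg1["v_e"], b, n2) % n2

def party1_finish(priv, s_e):
    """Party 1 decrypts s_e and reduces mod N to get its signature share s."""
    return paillier_dec(priv, s_e) % N

def ecdsa_verify(D, e, r, s):
    """Standard ECDSA verification of (r, s) on digest e under public key D."""
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, D))
    return pt is not None and pt[0] % N == r

def run_demo(msg=b"constructed sample message"):
    """Full flow; returns (D, e, r, s) so the signature can be checked."""
    p1 = party1_setup()
    d2 = secrets.randbelow(N - 1) + 1
    D = ec_mul(d2, p1["D1"])                     # D = d2*D1 = d1*d2*G
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    r, s_e = party2_sign(e, p1, d2)
    return D, e, r, party1_finish(p1["priv"], s_e)
```

The sizing constraint in paillier_keygen is the one practitioners get wrong: the exponents a and b act on the plaintexts as integers, not modulo N, so the Paillier plaintext space must exceed 2N^2. With a smaller modulus the sum wraps before party 1 can reduce it modulo N and the resulting (r, s) fails verification. Also, with Paillier nothing prevents party 2 from submitting a malformed a or b; the zero-knowledge proofs in the description exist to bind the factors to their claimed form, and a real implementation must not drop them.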
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (20)

1. A digital signature method for collaborative ECC, comprising:
a first participant calculates the abstract of data to be signed, obtains a data abstract and sends a first message to a second participant, wherein the first message carries the data abstract;
a second party receiving the first message;
the second party performs proof and verification of a proof knowledge protocol in cooperation with the first party against a first party signature parameter ciphertext, the first party signature parameter ciphertext comprising: the method comprises the steps that a first private key share ciphertext obtained by encrypting a first private key share and a first temporary private key share ciphertext obtained by encrypting a first temporary private key share are obtained;
the second participant synthesizes, based on its second participant signature share and the data digest, a first participant signature share ciphertext;
a second participant sends a second message to a first participant, wherein the second message carries a signature share ciphertext of the first participant;
the first participant decrypts the first participant signature share ciphertext to obtain a first participant signature share;
the second party and the first party cooperate to execute the proof and verification of the proof knowledge protocol of the first party signature parameter ciphertext, comprising: the second party and the first party cooperate to perform proof and verification of the proof knowledge protocol of the first private key share ciphertext; the second party and the first party cooperate to perform proof and verification of a proof knowledge protocol of the first temporary private key share ciphertext;
the second party performs proof and verification of proof plaintext knowledge protocol for the first private key share ciphertext in cooperation with the first party, comprising:
the first participant calculates a first private key share ciphertext based on the first private key share and calculates a first participant commitment;
the first participant calculates a first participant challenge, calculates a third response and a fourth response based on the first participant challenge, and sends an attestation message to the second participant, the attestation message including: the first private key share ciphertext, the first participant commitment, the third response, and the fourth response;
and the second participant calculates a challenge of the second participant, verifies the first private key share ciphertext and the commitment of the first participant based on the challenge of the second participant, and completes the process of proving and verifying when a predetermined operation relation is satisfied between the first private key share ciphertext and the commitment of the first participant and the third response and the fourth response.
2. The method of claim 1, wherein the second participant synthesizes the second participant signature share of the second participant with the data digest to obtain a first participant signature share ciphertext, and the method comprises:
and the second party synthesizes the second party signature share of the second party, the first party signature parameter ciphertext and the data digest to obtain a first party signature share ciphertext.
3. The method of claim 2, wherein the second participant synthesizes a second participant signature share of the second participant, the first participant signature parameter ciphertext, and the data digest to obtain a first participant signature share ciphertext, comprising:
the second party determines a first blinding factor;
the second party and the first party cooperatively execute proof and verification of a proof plaintext knowledge protocol for a blinded temporary signature share ciphertext, wherein the blinded temporary signature share ciphertext is obtained by synthesizing based on a first temporary private key share ciphertext, a second temporary private key share and a first blinding factor;
the first participant and the second participant cooperatively perform proof and verification of a proof plaintext knowledge protocol for the first blinded signature share ciphertext; obtaining a blind temporary signature share by decrypting the blind temporary signature share ciphertext; obtaining a first blinded signature share based on the blinded temporary signature share, and encrypting the first blinded signature share to obtain a first blinded signature share ciphertext;
the second party calculates a second party signature share; and synthesizing based on the first blinding factor, the first blinded signature share ciphertext, the first private key share ciphertext, the second private key share, the second participant signature share and the data digest to obtain the first participant signature share ciphertext.
4. The method of claim 3, wherein: and the first participant reverses the blinded temporary signature share to obtain the first blinded signature share.
5. The method of claim 3, wherein the second participant synthesizes the first blinded signature share ciphertext, the first private key share ciphertext, the second private key share, the second participant signature share, and the data digest to obtain the first participant signature share ciphertext, comprising:
the second participant synthesizes the first sub-signature share ciphertext based on the first blinding factor and the first blinding signature share ciphertext;
the second participant synthesizes the first private key share ciphertext, the second private key share, the second participant signature share and the data summary to obtain a second sub-signature share ciphertext;
and the second participant synthesizes the first sub-signature share ciphertext and the second sub-signature share ciphertext to obtain the first participant signature share ciphertext.
6. The method of claim 1, wherein the first party signature parameter ciphertext comprises: the first participant encrypts a first participant signature factor generated by the first participant to obtain a first participant signature factor ciphertext.
7. The method of claim 1, wherein the second party computes the second party signature share based on the full ephemeral public key.
8. The method of claim 1, wherein the first message further carries a first public key share held by the first participant and a first temporary public key share held by the first participant;
the second participant obtains a complete public key based on the first public key share and a second private key share held by the second participant, and obtains a complete temporary public key based on the first temporary public key share and a second temporary private key share held by the second participant.
9. A digital signature method for collaborative ECC, comprising:
a first participant calculates the abstract of data to be signed, obtains a data abstract and sends a first message to a second participant, wherein the first message carries the data abstract;
a second party receiving the first message;
the second party performs proof and verification of a proof knowledge protocol in cooperation with the first party against a first party signature parameter ciphertext, the first party signature parameter ciphertext comprising: a first party signing factor ciphertext obtained by encrypting, by a first party, a first party signing factor generated by the first party, the first party signing factor including: a first signature factor and a third signature factor generated by a first participant, the first participant signature factor ciphertext comprising: a first signature factor ciphertext and a third signature factor ciphertext;
the second participant synthesizes, based on its second participant signature share and the data digest, a first participant signature share ciphertext;
a second participant sends a second message to a first participant, wherein the second message carries a signature share ciphertext of the first participant;
the first participant decrypts the first participant signature share ciphertext to obtain a first participant signature share;
the second party and the first party cooperate to execute the proof and verification of the proof knowledge protocol of the first party signature parameter ciphertext, comprising: the second party and the first party cooperate to perform proof and verification of the proof knowledge protocol of the first signature factor ciphertext; the second party and the first party cooperate to perform proof and verification of the proof knowledge protocol of the third signature factor ciphertext;
the second party and the first party cooperate to execute the proof and verification of the proof knowledge protocol of the first signature factor ciphertext, comprising: the second party and the first party cooperate to perform the proof and verification of the proof zero-element knowledge protocol of the first signature factor ciphertext; the second party and the first party cooperate to perform proof and verification of a proof plaintext knowledge protocol of the first signature factor ciphertext;
the second party and the first party cooperate to execute the proof and verification of the proof zero-element knowledge protocol of the first signature factor ciphertext, comprising:
the first participant calculates a first signature factor ciphertext and calculates a first participant commitment;
the first participant calculates a first participant challenge, calculates a sixth response based on the first participant challenge, and sends an attestation message to the second participant, the attestation message including: the first signature factor ciphertext, the first participant commitment, and the sixth response;
and the second participant calculates a challenge of the second participant, and completes the processes of proving and verifying when the first signature factor ciphertext, the first participant commitment and the sixth response meet the preset operational relationship based on the challenge of the second participant.
10. The method of claim 9, wherein:
the first participant calculates a first signature factor based on the first temporary private key share;
the first participant computes a third signing factor based on the first ephemeral private key share and the first private key share.
11. The method of claim 9, wherein:
the first participant selects a second blinding factor;
the first participant calculates a first signature factor based on the first temporary private key share and the second blinding factor;
the first participant calculates a third signing factor based on the first ephemeral private key share, the first private key share, and the second blinding factor.
12. The method of any one of claims 9 to 11, wherein the second participant synthesizes a second participant signature share of the second participant, the first participant signature parameter ciphertext, and the data digest to obtain a first participant signature share ciphertext, and the method comprises:
the second participant generates a second participant signature factor based on a second participant signature share of the second participant and the data digest;
and the second party synthesizes the first party signature factor ciphertext and the second party signature factor to obtain the first party signature share ciphertext.
13. The method of claim 12, wherein the second party signature factor comprises a second signature factor and a fourth signature factor.
14. The method of claim 13, wherein the second party generating a second party signature factor comprises:
the second participant calculates a second signature factor based on the second temporary private key share and the data digest;
the second participant calculates a fourth signing factor based on the second ephemeral private key share, the second private key share, and the second participant signature share.
15. The method of claim 13, wherein the second party generating a second party signature factor comprises:
the second participant selects a third blinding factor;
the second participant calculates a second signature factor based on the second temporary private key share, the data summary and the third blinding factor;
the second participant calculates a fourth signature factor based on the second ephemeral private key share, the second participant signature share, and the third blinding factor.
16. The method of claim 12, wherein the second party signature factor comprises a second signature factor, a fourth signature factor, and a fifth signature factor.
17. The method of claim 16, wherein the second party generating a second party signature factor comprises:
the second participant calculates a second signature factor based on the second temporary private key share and the data digest;
the second participant calculates a fourth signature factor based on the second temporary private key share and the second participant signature share;
the second participant calculates a fifth signing factor based on the second ephemeral private key share, the second private key share, and the second participant signature share.
18. The method of claim 16, wherein the second party generating a second party signature factor comprises:
the second participant selects a fourth blinding factor;
the second participant calculates a second signature factor based on the second temporary private key share, the data summary and the fourth blinding factor;
the second participant calculates a fourth signature factor based on the second temporary private key share, the second participant signature share and the fourth blinding factor;
the second participant calculates a fifth signature factor based on the second ephemeral private key share, the second participant signature share, and the fourth blinding factor.
19. The method of claim 9, wherein the second party computes the second party signature share based on the full ephemeral public key.
20. The method of claim 19, wherein the first message further carries a first public key share held by the first participant and a first temporary public key share held by the first participant;
the second participant obtains a complete public key based on the first public key share and a second private key share held by the second participant, and obtains a complete temporary public key based on the first temporary public key share and a second temporary private key share held by the second participant.
CN201810796674.5A 2018-07-19 2018-07-19 Digital signature method for cooperation with ECC Active CN108964906B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810796674.5A CN108964906B (en) 2018-07-19 2018-07-19 Digital signature method for cooperation with ECC


Publications (2)

Publication Number Publication Date
CN108964906A CN108964906A (en) 2018-12-07
CN108964906B true CN108964906B (en) 2021-05-28


Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111565108B (en) * 2020-07-15 2020-11-24 北京信安世纪科技股份有限公司 Signature processing method, device and system
CN113158258B (en) * 2021-03-31 2022-02-11 郑州信大捷安信息技术股份有限公司 Collaborative signature method, device and system based on elliptic curve

Citations (3)

Publication number Priority date Publication date Assignee Title
CN106685651A (en) * 2016-12-22 2017-05-17 北京信安世纪科技有限公司 Method for creating digital signatures by cooperation of client and server
CN106789087A (en) * 2017-01-26 2017-05-31 数安时代科技股份有限公司 Determine the data summarization of message, the method and system based on multi-party digital signature
CN107682151A (en) * 2017-10-30 2018-02-09 武汉大学 GOST digital signature generation method and system

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
WO2016200885A1 (en) * 2015-06-08 2016-12-15 Blockstream Corporation Cryptographically concealing amounts transacted on a ledger while preserving a network's ability to verify the transaction

Non-Patent Citations (3)

Title
Fast Multiparty Threshold ECDSA with Fast Trustless Setup; Rosario Gennaro; CCS '18, Session 6C: Crypto 3; 20180131; full text *
Fast secure two-party ECDSA signing; Yehuda Lindell; Advances in Cryptology - CRYPTO 2017, Lecture Notes in Computer Science; 20170729; vol. 10402; main text, sections 2-6 *
Yehuda Lindell. Fast secure two-party ECDSA signing. Advances in Cryptology - CRYPTO 2017, Lecture Notes in Computer Science. 2017, vol. 10402, pp. 613-644. *

Also Published As

Publication number Publication date
CN108964906A (en) 2018-12-07

Similar Documents

Publication Publication Date Title
CN108667625B (en) Digital signature method of cooperative SM2
CN107707358B (en) EC-KCDSA digital signature generation method and system
Blake-Wilson et al. Authenticated Diffie-Hellman key agreement protocols
US6490352B1 (en) Cryptographic elliptic curve apparatus and method
US8918648B2 (en) Digital signature and key agreement schemes
Schindler et al. Ethdkg: Distributed key generation with ethereum smart contracts
CN114157427B (en) SM2 digital signature-based threshold signature method
Chang et al. A threshold signature scheme for group communications without a shared distribution center
CN113507374B (en) Threshold signature method, device, equipment and storage medium
Fiore et al. Making the Diffie-Hellman protocol identity-based
Al-Riyami Cryptographic schemes based on elliptic curve pairings
WO2014205570A1 (en) Key agreement protocol
JP2005253083A (en) New fair blind signature process
CN104301108A (en) Signcryption method based from identity environment to certificateless environment
CN110011803A (en) Method for lightweight two-party collaborative generation of SM2 digital signatures
CN111030821B (en) Encryption method of alliance chain based on bilinear mapping technology
US20160352689A1 (en) Key agreement protocol
CN113132104A (en) Active and secure two-party ECDSA digital signature generation method
CN108964906B (en) Digital signature method for cooperation with ECC
Wang et al. Dynamic threshold ECDSA signature and application to asset custody in blockchain
CN108768634B (en) Verifiable cryptographic signature generation method and system
US20050135610A1 (en) Identifier-based signcryption
EP2363976A1 (en) Improved digital signature and key agreement schemes
CN116915414A (en) Method for realizing threshold signature, computer equipment and storage medium
WO2016187690A1 (en) Key agreement protocol

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant