TWI799286B - Random number generation system for threshold signature scheme and method thereof - Google Patents
Random number generation system for threshold signature scheme and method thereof Download PDFInfo
- Publication number
- TWI799286B TWI799286B TW111121123A TW111121123A TWI799286B TW I799286 B TWI799286 B TW I799286B TW 111121123 A TW111121123 A TW 111121123A TW 111121123 A TW111121123 A TW 111121123A TW I799286 B TWI799286 B TW I799286B
- Authority
- TW
- Taiwan
- Prior art keywords
- parameter
- host
- value
- circuit
- bollinger
- Prior art date
Links
Images
Landscapes
- Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
- Compression, Expansion, Code Conversion, And Decoders (AREA)
- Storage Device Security (AREA)
- Detection And Prevention Of Errors In Transmission (AREA)
Abstract
Description
本發明涉及一種亂數生成系統及其方法,特別是門檻式簽章的亂數生成系統及其方法。 The invention relates to a random number generating system and method thereof, in particular to a threshold type signature random number generating system and method thereof.
近年來,隨著區塊鏈的普及與蓬勃發展,各種基於區塊鏈的交易技術如雨後春筍般湧現,而為了強化交易的安全性,便有廠商提出改用多方共同簽章(或稱為簽名)的方式,在不還原私鑰的前提下產生簽章來避免因私鑰外洩導致簽章可能被偽造的問題。 In recent years, with the popularization and vigorous development of blockchain, various transaction technologies based on blockchain have sprung up like mushrooms. In order to strengthen the security of transactions, some manufacturers have proposed to use multi-party joint signature (or signature ) method to generate a signature without restoring the private key to avoid the problem that the signature may be forged due to the leakage of the private key.
一般而言,傳統橢圓曲線數位簽章演算法(Elliptic Curve Digital Signature Algorithm,ECDSA)的簽章是透過請求意見稿(Request for Comments,RFC)6979標準所定義的方式生成簽章過程中所使用的亂數k,此亂數k是由私鑰和訊息以函數(如:HMAC-SHA256)透過RFC 6979定義的流程生成。然而,由於原本的ECDSA的簽章方法並未強制亂數k必須使用定義的方式來生成,所以在不還原私鑰的前提下,改用N個使用者共同執行ECDSA時,通常是使用各自隨機選取的亂數ki來產生亂數k且其滿足「k=k1+...+kn」,在這種情況下,亂數 k並不符合RFC 6979定義的方式所計算出來的值,這將導致在以太坊(Ethereum)需要生成第二層(Layer 2)私鑰的情況中發生問題,舉例來說,在生成第二層私鑰時會將已產生的ECDSA簽章作為一個種子(Seed),再基於此種子以演算法生成第二層私鑰,但是使用非RFC 6979定義的方式產生的亂數k所生成的簽章,存在無法確保第二層私鑰的生成且不洩漏原本私鑰的問題。 Generally speaking, the signature of the traditional Elliptic Curve Digital Signature Algorithm (ECDSA) is used in the process of generating the signature through the method defined in the Request for Comments (RFC) 6979 standard Random number k, this random number k is generated by the process defined by RFC 6979 by a private key and a message using a function (eg: HMAC-SHA256). However, since the original ECDSA signature method does not force the random number k to be generated in a defined way, without restoring the private key, when using N users to jointly execute ECDSA, usually use their own random number k. Select random number k i to generate random number k and satisfy "k=k 1 +...+k n ", in this case, random number k does not conform to the value calculated by the method defined in RFC 6979 , which will cause problems in the case where Ethereum needs to generate the second layer (Layer 2) private key, for example, when generating the second layer private key, the generated ECDSA signature will be used as a seed (Seed), and then generate the second-level private key with an algorithm based on this seed, but the signature generated by using the random number k generated in a way not defined by RFC 6979 cannot ensure the generation of the second-level private key without leakage The original private key problem.
綜上所述,可知先前技術中長期以來一直具有在不還原私鑰的前提下,門檻式簽章的亂數合規性不佳的問題,因此實有必要提出改進的技術手段,來解決此一問題。 To sum up, it can be seen that the previous technology has long had the problem of poor compliance of the random numbers of threshold signatures without restoring the private key. Therefore, it is necessary to propose improved technical means to solve this problem. a question.
本發明揭露一種門檻式簽章的亂數生成系統及其方法。 The invention discloses a random number generation system and method for a threshold signature.
首先,本發明揭露一種門檻式簽章的亂數生成系統,其包含:二個主機,分別為第一主機及第二主機,所述第一主機具有秘密d1、X座標x1及層級值n1,所述第二主機具有秘密d2、X座標x2及層級值n2,並且該秘密d1、該X座標x1、該層級值n1、該秘密d2、該X座標x2及該層級值n2滿足下列運算式以與私鑰d相等:「d=B(x1,n1)* d1+B(x2,n2)* d2」,其中,B(xi,ni)代表伯克霍夫係數(Birkhoff coefficient),以及i為1或2,每一所述主機皆包含:混淆模組、生成模組、第一計算模組、第二計算模組、驗證模組及確認模組。其中,混淆模組用以建立作為混淆電路的第一布林電路及第二布林電路,所述第一布林電路允許輸入多個輸入參數,所述輸入參數包含參數v1、參數v2、參數r1、參數r2、參數n及訊息m且輸出第一評估 值,每一所述輸入參數允許各自帶入一組位元值,所述第二布林電路允許輸入參數v1、參數v2、參數r1及參數r2且輸出第二評估值,所述第一評估值的運算式為「RFC6979(d,m)+r1+r2 mod n」,所述第二評估值的運算式為「d+r1+r2」,其中,RFC6979(d,m)的值與根據私鑰d及訊息m所生成的亂數k相同、參數n為給定橢圓曲線群的個數,參數v1的運算式為「B(x1,n1)d1 mod n」、參數v2的運算式為「B(x2,n2)d2 mod n」;生成模組用以在所述主機為第一主機時,產生隨機亂數以作為參數r1且公開第一雜湊值,以及在所述主機為第二主機時,產生隨機亂數以作為參數r2且公開第二雜湊值,其中,第一雜湊值的運算式為「H(r1 * G)」,第二雜湊值的運算式為「H(r2 * G)」,H代表雜湊函式,G為橢圓曲線群的基點(Base Point);第一計算模組連接生成模組及混淆模組,當所述主機為第一主機時,使用本身的參數v1、參數r1及訊息m輸入至第一布林電路,以及當所述主機為第二主機時,使用本身的參數v2及參數r2輸入至第一布林電路,用以共同執行第一布林電路,使第二主機根據第一布林電路獲得第一評估值且計算k2值,此k2值的運算式為「k2=(m2-2 * r2)/2 mod n」,其中,m2為第二主機獲得的第一評估值,第一主機及第二主機再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第一公開值,所述第一公開值的運算式為「r1 * G」;第二計算模組連接生成模組及混淆模組,用以在所述主機為第二主機時,使用本身的參數v2、參數r2及訊息m輸入至第一布林電路,以及在所述主機為第一主機時,使用本身的參數v1及參數r1輸入至第一布林電路,用以共同執行第一布林電路,使第一主機根據第一布林電路獲得第一評估值且計算k1值,此k1值的運算式為「k1=(m1-2 * r1)/2 mod n」,其中,m1為第一主機獲得的第一評估值,第一主機及第二主機再使用相同的參數v1、參 數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第二公開值,所述第二公開值的運算式為「r2 * G」;驗證模組連接第一計算模組及第二計算模組,用以驗證私鑰d、參數r1、參數r2、第一公開值、第二公開值及公鑰P是否滿足下列運算式:(d+r1+r2)* G=P+r1 * G+r2 * G,當滿足時,第一主機及第二主機再執行安全驗證協定(Secure Validation Protocol)以驗證雙方在第一布林電路所獲得的第一評估值是否相同;以及在驗證結果為相同時,第一主機將k1值作為本身執行門檻式簽章時使用的亂數,以及第二主機將k2值作為本身執行門檻式簽章時使用的亂數。 First of all, the present invention discloses a random number generation system for a threshold signature, which includes: two hosts, namely the first host and the second host, the first host has a secret d 1 , an X coordinate x 1 and a level value n 1 , the second host has secret d 2 , X coordinate x 2 and level value n 2 , and the secret d 1 , the X coordinate x 1 , the level value n 1 , the secret d 2 , the X coordinate x 2 and the level value n 2 satisfy the following formula to be equal to the private key d: "d=B(x 1 ,n 1 )* d 1 +B(x 2 ,n 2 )* d 2 ", where B( x i , ni ) represent the Birkhoff coefficient (Birkhoff coefficient), and i is 1 or 2, and each host includes: a confusion module, a generation module, a first calculation module, and a second calculation module group, verification module and validation module. Among them, the confusion module is used to establish the first Bollinger circuit and the second Bollinger circuit as a confusing circuit, and the first Bollinger circuit allows input of multiple input parameters, and the input parameters include parameter v1, parameter v2, parameter r1, parameter r2, parameter n, and message m and output the first evaluation value, each of the input parameters is allowed to bring in a set of bit values, and the second Bollinger circuit allows input of parameter v1, parameter v2, and parameter r1 and parameter r2 and output the second evaluation value, the calculation formula of the first evaluation value is "RFC6979(d,m)+r1+r2 mod n", the calculation formula of the second evaluation value is "d+r1+ r2", where the value of RFC6979(d,m) is the same as the random number k generated according to the private key d and message m, the parameter n is the number of given elliptic curve groups, and the calculation formula of the parameter v1 is "B( x 1 ,n 1 )d 1 mod n", the calculation formula of parameter v2 is "B(x 2 ,n 2 )d 2 mod n"; the generation module is used to generate random A random number is used as a parameter r1 and a first hash value is disclosed, and when the host is a second host, a random random number is generated as a parameter r2 and a second hash value is disclosed, wherein the calculation formula of the first hash value is " H(r1 * G)", the calculation formula of the second hash value is "H(r2 * G)", H represents the hash function, G is the base point (Base Point) of the elliptic curve group; the first calculation module is connected to generate module and confusion module, when the host is the first host, use its own parameter v1, parameter r1 and message m to input to the first Bollinger circuit, and when the host is the second host, use its own Parameter v2 and parameter r2 are input to the first Bollinger circuit to jointly execute the first Bollinger circuit, so that the second host can obtain the first evaluation value and calculate the k2 value according to the first Bollinger circuit. The calculation formula of the k2 value is "k2=(m2-2 * r2)/2 mod n", where m2 is the first evaluation value obtained by the second host, and the first host and the second host use the same parameter v1, parameter v2, parameter r1 and The parameter r2 jointly executes the second Bollinger circuit to obtain the second evaluation value, and discloses the first public value. The calculation formula of the first public value is "r1 * G"; the second calculation module is connected to the generation module and the confusion A module for inputting its own parameter v2, parameter r2 and message m to the first Bollinger circuit when the host is the second host, and using its own parameter v1 when the host is the first host and the parameter r1 are input to the first Bollinger circuit to jointly execute the first Bollinger circuit, so that the first host can obtain the first evaluation value and calculate the value of k1 according to the first Bollinger circuit. The formula for the value of k1 is "k1 =(m1-2 * r1)/2 mod n", where m1 is the first evaluation value obtained by the first host, and the first host and the second host use the same parameter v1, parameter v2, parameter r1 and parameter r2 Jointly execute the second Bollinger circuit to obtain the second evaluation value, and disclose the second public value, the calculation formula of the second public value is "r2 * G"; the verification module is connected to the first calculation module and the second calculation module The module is used to verify whether the private key d, parameter r1, parameter r2, first public value, second public value and public key P satisfy the following formula: (d+r1+r2)* G=P+r1 * G + r2 * G, when satisfied, the first host and the second host then execute the Secure Validation Protocol to verify whether the first evaluation values obtained by the two parties in the first Bollinger circuit are the same; and when the verification result is At the same time, the first host uses the k1 value as the random number used when it performs the threshold signature, and the second host uses the k2 value as the random number it uses when it executes the threshold signature.
接著,本發明揭露一種門檻式簽章的亂數生成方法,其步驟包括:(A)第一主機具有秘密d1、X座標x1及層級值n1,第二主機具有秘密d2、X座標x2及層級值n2,並且秘密d1、X座標x1、層級值n1、秘密d2、X座標x2及層級值n2滿足下列運算式以與私鑰d相等:「d=B(x1,n1)* d1+B(x2,n2)* d2」,其中,B(xi,ni)代表伯克霍夫係數,以及i為1或2;(B)第一主機及第二主機皆提供作為混淆電路的第一布林電路及第二布林電路,第一布林電路允許輸入多個輸入參數,所述輸入參數包含參數v1、參數v2、參數r1、參數r2、參數n及訊息m且輸出第一評估值,每一所述輸入參數允許各自帶入一組位元值,第二布林電路允許輸入參數v1、參數v2、參數r1及參數r2且輸出第二評估值,所述第一評估值的運算式為「RFC6979(d,m)+r1+r2 mod n」,所述第二評估值的運算式為「d+r1+r2」,其中,「RFC6979(d,m)」的值與根據私鑰d及訊息m所生成的亂數k相同、參數n為給定橢圓曲線群的個數、參數v1的運算式為 「B(x1,n1)d1 mod n」、參數v2的運算式為「B(x2,n2)d2 mod n」;(C)第一主機產生隨機亂數以作為參數r1且公開第一雜湊值,第二主機產生隨機亂數以作為參數r2且公開第二雜湊值,其中,第一雜湊值的運算式為「H(r1 * G)」,第二雜湊值的運算式為「H(r2 * G)」,H代表雜湊函式,G為橢圓曲線群的基點;(D)第一主機使用本身的參數v1、參數r1及訊息m與第二主機使用本身的參數v2及參數r2共同執行第一布林電路,使第二主機根據第一布林電路獲得第一評估值且計算k2值,此k2值的運算式如下:k2=(m2-2 * r2)/2 mod n,其中,m2為第二主機獲得的第一評估值,第一主機及第二主機再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第一公開值,所述第一公開值的運算式為「r1 * G」;(E)第二主機使用本身的參數v2、參數r2及訊息m與第一主機使用本身的參數v1及參數r1共同執行第一布林電路,使第一主機根據第一布林電路獲得第一評估值且計算k1值,此k1值的運算式如下:k1=(m1-2 * r1)/2 mod n,其中,m1為第一主機獲得的第一評估值,第一主機及第二主機再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第二公開值,所述第二公開值的運算式為「r2 * G」;(F)第一主機及第二主機均驗證私鑰d、參數r1、參數r2、第一公開值、第二公開值及公鑰P是否滿足下列運算式:(d+r1+r2)* G=P+r1 * G+r2 * G, 當滿足時,第一主機及第二主機再執行安全驗證協定(Secure Validation Protocol)以驗證雙方在第一布林電路所獲得的第一評估值是否相同;(G)當驗證結果為相同時,第一主機將k1值作為本身執行門檻式簽章時使用的亂數,以及第二主機將k2值作為本身執行門檻式簽章時使用的亂數。其中,步驟(D)及步驟(E)允許同時執行。 Next, the present invention discloses a random number generation method of a threshold signature, the steps of which include: (A) the first host has secret d 1 , X coordinate x 1 and level value n 1 , the second host has secret d 2 , X The coordinate x 2 and the level value n 2 , and the secret d 1 , the X coordinate x 1 , the level value n 1 , the secret d 2 , the X coordinate x 2 and the level value n 2 satisfy the following formula to be equal to the private key d: "d =B(x 1 ,n 1 )* d 1 +B(x 2 ,n 2 )* d 2 ”, where B(x i ,n i ) represents the Burkhoff coefficient, and i is 1 or 2; (B) Both the first host and the second host provide the first Bollinger circuit and the second Bollinger circuit as confusing circuits, the first Bollinger circuit allows input of multiple input parameters, and the input parameters include parameter v1 and parameter v2 , parameter r1, parameter r2, parameter n, and message m, and output the first evaluation value, each of the input parameters is allowed to bring in a set of bit values, and the second Boolean circuit allows input of parameter v1, parameter v2, and parameter r1 and parameter r2 and output the second evaluation value, the calculation formula of the first evaluation value is "RFC6979(d,m)+r1+r2 mod n", the calculation formula of the second evaluation value is "d+r1+ r2", where the value of "RFC6979(d,m)" is the same as the random number k generated according to the private key d and message m, the parameter n is the number of given elliptic curve groups, and the expression of the parameter v1 is " B(x 1 ,n 1 )d 1 mod n", the calculation formula of parameter v2 is "B(x 2 ,n 2 )d 2 mod n"; (C) the first host generates a random random number as parameter r1 and The first hash value is disclosed, and the second host generates a random random number as parameter r2 and discloses the second hash value, wherein the calculation formula of the first hash value is "H(r1 * G)", and the calculation formula of the second hash value It is "H(r2 * G)", H represents the hash function, G is the base point of the elliptic curve group; (D) the first host uses its own parameter v1, parameter r1 and message m, and the second host uses its own parameter v2 Execute the first Bollinger circuit together with the parameter r2, so that the second host can obtain the first evaluation value and calculate the k2 value according to the first Bollinger circuit. The calculation formula of the k2 value is as follows: k2=(m2-2 * r2)/2 mod n, where m2 is the first evaluation value obtained by the second host, and the first host and the second host use the same parameter v1, parameter v2, parameter r1 and parameter r2 to jointly execute the second Bollinger circuit to obtain the second Evaluation value, and disclose the first public value, the calculation formula of the first public value is "r1 * G"; (E) The second host uses its own parameter v2, parameter r2 and message m and the first host uses its own The parameters v1 and r1 jointly execute the first Bollinger circuit, so that the first host can obtain the first evaluation value and calculate the k1 value according to the first Bollinger circuit. The calculation formula of the k1 value is as follows: k1=(m1-2 * r1) /2 mod n, where m1 is the first evaluation value obtained by the first host, and the first host and the second host use the same parameter v1, parameter v2, parameter r1 and parameter r2 to jointly execute the second Bollinger circuit to obtain The second evaluation value, and disclose the second public value, the calculation formula of the second public value is "r2 * G"; (F) Both the first host and the second host verify the private key d, parameter r1, parameter r2, Whether the first public value, the second public value, and the public key P satisfy the following calculation formula: (d+r1+r2)* G=P+r1 * G+r2 * G, when satisfied, the first host and the second host Then execute the Secure Validation Protocol to verify whether the first evaluation values obtained by both parties in the first Bollinger circuit are the same; (G) when the verification results are the same, the first host uses the k1 value as its own execution threshold The random number used when signing, and the random number used when the second host uses the k2 value as its own threshold signature. Wherein, step (D) and step (E) are allowed to be executed at the same time.
本發明所揭露之系統與方法如上,與先前技術的差異在於本發明是透過提供作為混淆電路的第一布林電路及第二布林電路以供二個主機輸入多個輸入參數並共同執行安全多方計算,使二個主機各自獲得第一布林電路的第一評估值及第二布林電路的第二評估值,以及分別計算出各自用於門檻式簽章的亂數值,再廣播各主機的隨機亂數與基點的乘積,用以驗證雙方的輸入參數是否正確及通過混淆電路獲得的結果是否相同,進而確定計算出的亂數值符合RFC 6979標準,以便使基於此亂數值生成的簽章能夠用於生成第二層私鑰且不洩漏原私鑰。 The system and method disclosed in the present invention are as above, and the difference from the prior art is that the present invention provides the first Bollinger circuit and the second Bollinger circuit as a confusing circuit for two hosts to input multiple input parameters and jointly execute security Multi-party calculation, so that the two hosts can respectively obtain the first evaluation value of the first Bollinger circuit and the second evaluation value of the second Bollinger circuit, and respectively calculate the random value used for the threshold signature, and then broadcast to each host The product of the random random number and the base point is used to verify whether the input parameters of both parties are correct and whether the results obtained through the confusion circuit are the same, and then determine that the calculated random value conforms to the RFC 6979 standard, so that the signature generated based on this random value It can be used to generate the second layer private key without revealing the original private key.
透過上述的技術手段,本發明可以達成提高簽章的可用性之技術功效。 Through the above-mentioned technical means, the present invention can achieve the technical effect of improving the usability of the signature.
100a,100b:主機 100a, 100b: host
110:混淆模組 110: Confusion Module
120:生成模組 120: Generate modules
130:第一計算模組 130: The first computing module
140:第二計算模組 140: Second computing module
150:驗證模組 150: Verification module
160:確認模組 160: Confirm the module
310:第一布林電路 310: The first Bollinger circuit
320:第二布林電路 320: Second Bollinger circuit
步驟210:一第一主機具有一秘密d1、一X座標x1及一層級值n1,以及一第二主機具有一秘密d2、一X座標x2及一層級值n2,並且該秘密d1、該X座標x1、該層級值n1、該秘密d2、該X座標x2及該層級值n2滿足下列運算式以與一私鑰d相等:d=B(x1,n1)* d1+B(x2,n2)* d2,其中,B(xi,ni)代表伯克霍夫係數(Birkhoff coefficient),以及i為1或2 Step 210: A first host has a secret d 1 , an X coordinate x 1 and a level value n 1 , and a second host has a secret d 2 , an X coordinate x 2 and a level value n 2 , and the The secret d 1 , the X coordinate x 1 , the level value n 1 , the secret d 2 , the X coordinate x 2 and the level value n 2 satisfy the following formula to be equal to a private key d: d=B(x 1 ,n 1 )* d 1 +B(x 2 ,n 2 )* d 2 , where B( xi ,n i ) represents the Birkhoff coefficient, and i is 1 or 2
步驟220:提供作為混淆電路的一第一布林電路及一第二布林電路,該第一布林電路允許輸入多個輸入參數,所述輸入參數包含一參數v1、一參數v2、一參數r1、一參數r2、一參數n及一訊息m且輸出一第一評估值,每一所述輸入參數允許各自帶入一組位元值,該第二布林電路允許輸入該參數v1、該參數v2、該參數r1及該參數r2且輸出一第二評估值,所述第一評估值的運算式為RFC6979(d,m)+r1+r2 mod n,所述第二評估值的運算式為d+r1+r2,其中,RFC6979(d,m)的值與根據該私鑰d及一訊息m所生成的一亂數k相同、該參數n為給定橢圓曲線群的個數、該參數v1的運算式為B(x1,n1)d1 mod n、該參數v2的運算式為B(x2,n2)d2 mod n Step 220: provide a first Bollinger circuit and a second Bollinger circuit as a confusing circuit, the first Bollinger circuit allows input of multiple input parameters, the input parameters include a parameter v1, a parameter v2, a parameter r1, a parameter r2, a parameter n and a message m and output a first evaluation value, each of the input parameters is allowed to bring in a set of bit values, the second Boolean circuit allows input of the parameters v1, the Parameter v2, the parameter r1 and the parameter r2 and output a second evaluation value, the calculation formula of the first evaluation value is RFC6979(d, m)+r1+r2 mod n, the calculation formula of the second evaluation value is d+r1+r2, wherein, the value of RFC6979(d, m) is the same as a random number k generated according to the private key d and a message m, the parameter n is the number of given elliptic curve groups, the The calculation formula of the parameter v1 is B(x 1 ,n 1 )d 1 mod n, and the calculation formula of the parameter v2 is B(x 2 ,n 2 )d 2 mod n
步驟230:該第一主機產生隨機亂數以作為該參數r1且公開一第一雜湊值,該第二主機產生隨機亂數以作為該參數r2且公開一第二雜湊值,其中,該第一雜湊值的運算式為H(r1 * G),該第二雜湊值的運算式為H(r2 * G),H代表雜湊函式,G為橢圓曲線群的基點(Base Point) Step 230: The first host generates a random random number as the parameter r1 and discloses a first hash value, the second host generates a random random number as the parameter r2 and discloses a second hash value, wherein the first The calculation formula of the hash value is H(r1 * G), the calculation formula of the second hash value is H(r2 * G), H represents the hash function, and G is the base point of the elliptic curve group (Base Point)
步驟240:該第一主機使用本身的該參數v1、該參數r1及該訊息m與該第二主機使用本身的該參數v2及該參數r2共同執行該第一布林電路,使該第二主機根據該第一布林電路獲得該第一評估值且計算一k2值,該k2值的運算式如下:k2=(m2-2 * r2)/2 mod n,其中,m2為該第二主機獲得的該第一評估值,該第一主機及該第二主機再使用相同的該參數v1、該參數v2、該參數r1及該參數r2共同執行該第二布林電路以獲得該第二評估值,以及公開一第一公開值,該第一公開值的運算式為r1 * G Step 240: The first host uses its own parameter v1, the parameter r1, and the message m and the second host uses its own parameter v2 and the parameter r2 to jointly execute the first Bollinger circuit, so that the second host The first evaluation value is obtained according to the first Bollinger circuit and a k2 value is calculated. The calculation formula of the k2 value is as follows: k2=(m2-2*r2)/2 mod n, wherein, m2 is obtained by the second host The first evaluation value, the first host and the second host then use the same parameter v1, the parameter v2, the parameter r1 and the parameter r2 to jointly execute the second Bollinger circuit to obtain the second evaluation value , and disclose a first public value, the formula of the first public value is r1 * G
步驟250:該第二主機使用本身的該參數v2、該參數r2及該訊息m與該第一主機使用本身的該參數v1及該參數r1共同執行該第一布林電路,使該第一主機根據該第一布林電路獲得該第一評估值且計算一k1值,該k1值的運算式如下:k1=(m1-2 * r1)/2 mod n,其中,m1為該第一主機獲得的該第一評估值,該第一主機及該第二主機再使用相同的該參數v1、該參數v2、該參數r1及該參數r2共同執行該第二布林電路以獲得該第二評估值,以及公開一第二公開值,該第二公開值的運算式為r2 * G Step 250: The second host uses its own parameter v2, the parameter r2 and the message m to execute the first Bollinger circuit with the first host using its own parameter v1 and the parameter r1, so that the first host The first evaluation value is obtained according to the first Bollinger circuit and a k1 value is calculated. The calculation formula of the k1 value is as follows: k1=(m1-2*r1)/2 mod n, wherein, m1 is obtained by the first host The first evaluation value, the first host and the second host then use the same parameter v1, the parameter v2, the parameter r1 and the parameter r2 to jointly execute the second Bollinger circuit to obtain the second evaluation value , and disclose a second public value, the calculation formula of the second public value is r2 * G
步驟260:該第一主機及該第二主機均驗證該私鑰d、該參數r1、該參數r2、該第一公開值、該第二公開值及一公鑰P是否滿足下列運算式:(d+r1+r2)* G=P+r1 * G+r2 * G, 當滿足時,該第一主機及該第二主機再執行一安全驗證協定(Secure Validation Protocol)以驗證雙方在該第一布林電路所獲得的該第一評估值是否相同 Step 260: Both the first host and the second host verify whether the private key d, the parameter r1, the parameter r2, the first public value, the second public value, and a public key P satisfy the following formula: ( d+r1+r2)*G=P+r1*G+r2*G, When satisfied, the first host and the second host execute a Secure Validation Protocol (Secure Validation Protocol) to verify whether the first evaluation value obtained by the two parties in the first Bollinger circuit is the same
步驟270:當驗證結果為相同時,該第一主機將該k1值作為本身執行門檻式簽章時使用的亂數,以及該第二主機將該k2值作為本身執行門檻式簽章時使用的亂數 Step 270: When the verification results are the same, the first host uses the k1 value as the random number used when it performs the threshold signature, and the second host uses the k2 value as the random number used when it executes the threshold signature. random number
第1圖為本發明門檻式簽章的亂數生成系統的系統方塊圖。 Fig. 1 is a system block diagram of the random number generating system of the threshold type signature of the present invention.
第2A圖至第2C圖為本發明門檻式簽章的亂數生成方法的方法流程圖。 Fig. 2A to Fig. 2C are method flow charts of the random number generation method of the threshold type signature of the present invention.
第3圖為應用本發明的混淆電路的示意圖。 Fig. 3 is a schematic diagram of an obfuscation circuit applying the present invention.
以下將配合圖式及實施例來詳細說明本發明之實施方式,藉此對本發明如何應用技術手段來解決技術問題並達成技術功效的實現過程能充分理解並據以實施。 The implementation of the present invention will be described in detail below in conjunction with the drawings and examples, so as to fully understand and implement the implementation process of how the present invention uses technical means to solve technical problems and achieve technical effects.
首先,在說明本發明所揭露之門檻式簽章的亂數生成系統及其方法之前,先對本發明的目的作說明,本發明的目的是要在門檻式簽章的環境下,以不還原私鑰為基礎,使每個主機共同執行ECDSA時,用於生成簽章的亂數需符合RFC 6979定義的生成方式,以便產生的簽章能夠應用在如:零知識匯總(ZK-Rollups)的環境以作為生成第二層私鑰之用,並且不會洩漏原私鑰。 First of all, before explaining the random number generation system and method of the threshold signature disclosed in the present invention, the purpose of the present invention will be described first. The purpose of the present invention is to avoid restoring private Key-based, so that when each host executes ECDSA together, the random number used to generate the signature must conform to the generation method defined by RFC 6979, so that the generated signature can be applied in an environment such as: zero-knowledge rollup (ZK-Rollups) It is used to generate the second-level private key, and the original private key will not be disclosed.
以下配合圖式對本發明門檻式簽章的亂數生成系統及其方法做進一步說明,請先參閱「第1圖」,「第1圖」為本發明門檻式簽章的亂數生成系統的第一實施例之系統方塊圖,此系統包含:二個主機(100a、100b),分別為第一主機100a及第二主機100b,所述第一主機100a具有秘密d1、X座標x1及層級值(Rank)n1,所述第二主機100b具有秘密d2、X座標x2及層級值n2,並且秘密d1、X座標x1、層級值n1、秘密d2、X座標x2及層級值n2兩足下列運算式以與私鑰d相等:「d=B(x1,n1)* d1+B(x2,n2)* d2」;以及。
The random number generation system and method of the threshold-type signature of the present invention will be further described below in conjunction with the drawings. Please refer to "Fig. 1" first. "Fig. 1" is the first random number generation system of the threshold-type signature of the present invention. A system block diagram of an embodiment, the system includes: two hosts (100a, 100b), respectively the
其中,B(xi,ni)代表伯克霍夫係數,以及i為1或2,每一所述主機(100a、100b)皆包含:混淆模組110、生成模組120、第一計算模組130、第二計算模組140、驗證模組150及確認模組160。其中,混淆模組110用以建立作為混淆電路的第一布林電路及第二布林電路,所述第一布林電路允許輸入多個輸入參數,所述輸入參數包含參數v1、參數v2、參數r1、參數r2、參數n及訊息m
且輸出第一評估值,每一所述輸入參數允許各自帶入一組位元值,所述第二布林電路允許輸入參數v1、參數v2、參數r1及參數r2且輸出第二評估值,所述第一評估值的運算式為「RFC6979(d,m)+r1+r2 mod n」,所述第二評估值的運算式為「d+r1+r2」,其中,RFC6979(d,m)的值與根據私鑰d及訊息m所生成的亂數k相同、所述參數n為給定橢圓曲線群的個數,所述訊息m為訊息m的雜湊值、所述參數v1的運算式為「B(x1,n1)d1 mod n」、所述參數v2的運算式為「B(x2,n2)d2 mod n」。具體而言,混淆電路本質上是一個布林電路(Boolean circuit),其通過布林電路的觀點構造函式以進行計算,以便參與者可以針對某個數值來計算答案,而不需要知道參與者在函式中輸入的具體數字,混淆電路裡的安全多方計算可通過電路的方式來實現。在實際實施上,第一布林電路及該第二布林電路可通過及運算(AND)與互斥或運算(XOR)至少其中之一的方式實現混淆電路及安全多方計算(Multi-Party Computation,MPC),並且具有多個輸入線(Wire)以輸入所述輸入參數,每一所述輸入參數帶入的該組位元值為256位元的值,以六個輸入參數為例,合計帶入六個256位元的值。所述第一布林電路為滿足條件「MPCRFC6979(v1,v2,r1,r2,n,m)=RFC6979(d,m)+r1+r2 mod n」的邏輯電路,所述第二布林電路為滿足條件「ModAdd(v1,v2,r1,r2)=d+r1+r2」的邏輯電路。其中,「MPCRFC6979(v1,v2,r1,r2,n,m)」代表所述第一布林電路,「ModAdd(v1,v2,r1,r2)」代表第二布林電路。另外,所述亂數k係基於RFC 6979標準以私鑰d及訊息m,搭配雜湊訊息認證碼(Hash-based Message Authentication Code,HMAC)及雜湊演算法生成,但是實際上,第一主機100a及第二主機100b皆不知道亂數k的值。
Wherein, B( xi ,n i ) represents the Berkhoff coefficient, and i is 1 or 2, and each host (100a, 100b) includes:
生成模組120用以在所述主機(100a、100b)為第一主機100a時,產生隨機亂數以作為參數r1且公開第一雜湊值,以及在所述主機(100a、100b)為第二主機100b時,產生隨機亂數以作為參數r2且公開第二雜湊值,其中,第一雜湊值的運算式為「H(r1 * G)」,第二雜湊值的運算式為「H(r2 * G)」,G為橢圓曲線群的基點。
The
第一計算模組130連接生成模組120及混淆模組110,當所述主機(100a、100b)為第一主機100a時,使用本身的參數v1、參數r1及訊息m輸入至第一布林電路,以及當所述主機(100a、100b)為第二主機100b時,使用本身的參數v2及參數r2輸入至第一布林電路,用以共同執行第一布林電路,使第二主機根據第一布林電路獲得第一評估值且計算k2值,所述k2值的運算式為k2=(m2-2 * r2)/2 mod n,其中,m2為第二主機100b獲得的第一評估值,第一主機100a及第二主機100b再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第一公開值,所述第一公開值的運算式為「r1 * G」。在實際實施上,可通過廣播(Broadcast)的方式公開第一公開值。
The
第二計算模組140連接生成模組120及混淆模組110,用以在所述主機(100a、100b)為第二主機100b時,使用本身的參數v2、參數r2及訊息m輸入至第一布林電路,以及在所述主機(100a、100b)為第一主機100a時,使用本身的參數v1及參數r1輸入至第一布林電路,用以共同執行第一布林電路,使第一主機根據第一布林電路獲得第一評估值且計算k1值,此k1值的運算式為k1=(m1-2 * r1)/2 mod n,其中,m1為第一主機100a獲得的第一評估值,第一主機100a及第二主機100b再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布
林電路以獲得第二評估值,以及公開第二公開值,所述第二公開值的運算式為「r2 * G」。同樣地,在實際實施上,可通過廣播的方式公開第二公開值。
The
驗證模組150連接第一計算模組130及第二計算模組140,用以驗證私鑰d、參數r1、參數r2、第一公開值、第二公開值及公鑰P是否滿足運算式「(d+r1+r2)* G=P+r1 * G+r2 * G」,當滿足時,第一主機100a及第二主機100b再執行安全驗證協定以驗證雙方在第一布林電路所獲得的第一評估值是否相同。在實際實施上,驗證模組150在驗證結果為不同時,將驅動所述主機(100a、100b)重新產生k1值及k2值,直到驗證結果為相同為止,也就是第一主機100a會重新產生k1值、第二主機100b會重新產生k2值。
The
確認模組160連接驗證模組150,用以在驗證結果為相同時,第一主機100a將k1值作為本身執行門檻式簽章時使用的亂數,以及第二主機100b將k2值作為本身執行門檻式簽章時使用的亂數。如此一來,即可獲得門檻式簽章中使用的亂數k1和k2,同時滿足RFC 6979所定義的亂數生成方式所計算出的值,以便在雙方都不知道真正的亂數k的情況下,使得「k=k1+k2」且k1值只有第一主機100a知道,k2值只有第二主機100b知道,進而利用k1值和k2值生成符合RFC 6979定義的ECDSA簽章。
The
特別要說明的是,在實際實施上,本發明所述的模組皆可利用各種方式來實現,包含軟體、硬體或其任意組合,例如,在某些實施方式中,各模組可利用軟體及硬體或其中之一來實現,除此之外,本發明亦可部分地或完全地基於硬體來實現,例如,系統中的一個或多個模組可以透過積體電路晶片、系統單晶片(System on Chip,SoC)、複雜可程式邏輯裝置(Complex Programmable Logic Device,CPLD)、現場可程式邏輯閘陣列(Field Programmable Gate Array, FPGA)等來實現。本發明可以是系統、方法及/或電腦程式。電腦程式可以包括電腦可讀儲存媒體,其上載有用於使處理器實現本發明的各個方面的電腦可讀程式指令,電腦可讀儲存媒體可以是可以保持和儲存由指令執行設備使用的指令的有形設備。電腦可讀儲存媒體可以是但不限於電儲存設備、磁儲存設備、光儲存設備、電磁儲存設備、半導體儲存設備或上述的任意合適的組合。電腦可讀儲存媒體的更具體的例子(非窮舉的列表)包括:硬碟、隨機存取記憶體、唯讀記憶體、快閃記憶體、光碟、軟碟以及上述的任意合適的組合。此處所使用的電腦可讀儲存媒體不被解釋為瞬時訊號本身,諸如無線電波或者其它自由傳播的電磁波、通過波導或其它傳輸媒介傳播的電磁波(例如,通過光纖電纜的光訊號)、或者通過電線傳輸的電訊號。另外,此處所描述的電腦可讀程式指令可以從電腦可讀儲存媒體下載到各個計算/處理設備,或者通過網路,例如:網際網路、區域網路、廣域網路及/或無線網路下載到外部電腦設備或外部儲存設備。網路可以包括銅傳輸電纜、光纖傳輸、無線傳輸、路由器、防火牆、交換器、集線器及/或閘道器。每一個計算/處理設備中的網路卡或者網路介面從網路接收電腦可讀程式指令,並轉發此電腦可讀程式指令,以供儲存在各個計算/處理設備中的電腦可讀儲存媒體中。執行本發明操作的電腦程式指令可以是組合語言指令、指令集架構指令、機器指令、機器相關指令、微指令、韌體指令、或者以一種或多種程式語言的任意組合編寫的原始碼或目的碼(Object Code),所述程式語言包括物件導向的程式語言,如:Common Lisp、Python、C++、Objective-C、Smalltalk、Delphi、Java、Swift、C#、Perl、Ruby與PHP等,以及常規的程序式(Procedural)程式語言,如:C語言或類似的程式語言。所述電腦程式指令可以完全地在電腦上執行、部分地在電腦上執行、作 為一個獨立的軟體執行、部分在客戶端電腦上部分在遠端電腦上執行、或者完全在遠端電腦或伺服器上執行。 In particular, it should be noted that in actual implementation, the modules described in the present invention can be implemented in various ways, including software, hardware or any combination thereof. For example, in some implementations, each module can use software and hardware or one of them. In addition, the present invention can also be realized partially or completely based on hardware. For example, one or more modules in the system can be implemented through integrated circuit chips, system Single chip (System on Chip, SoC), complex programmable logic device (Complex Programmable Logic Device, CPLD), field programmable logic gate array (Field Programmable Gate Array, FPGA) etc. to achieve. The present invention can be a system, method and/or computer program. The computer program may include a computer-readable storage medium loaded with computer-readable program instructions for causing a processor to implement various aspects of the present invention, the computer-readable storage medium may be a tangible and equipment. A computer readable storage medium may be, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (non-exhaustive list) of computer-readable storage media include hard disks, random access memory, read-only memory, flash memory, optical disks, floppy disks, and any suitable combination of the foregoing. As used herein, computer-readable storage media are not to be construed as transient signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (for example, optical signals through fiber optic cables), or transmitted electrical signals. In addition, the computer-readable program instructions described herein can be downloaded from a computer-readable storage medium to each computing/processing device, or downloaded over a network, such as the Internet, a local area network, a wide area network, and/or a wireless network to an external computer device or external storage device. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, hubs and/or gateways. The network card or network interface in each computing/processing device receives computer-readable program instructions from the network, and forwards the computer-readable program instructions for storage in computer-readable storage media in each computing/processing device middle. The computer program instructions for performing the operations of the present invention may be assembly language instructions, instruction set architecture instructions, machine instructions, machine-related instructions, micro instructions, firmware instructions, or source code or object code written in any combination of one or more programming languages (Object Code), the programming language includes object-oriented programming language, such as: Common Lisp, Python, C++, Objective-C, Smalltalk, Delphi, Java, Swift, C#, Perl, Ruby and PHP, etc., as well as conventional programs Procedural programming language, such as: C language or similar programming language. The computer program instructions can be completely executed on the computer, partially executed on the computer, or Execute as a stand-alone piece of software, partly on the client computer and partly on the remote computer, or entirely on the remote computer or server.
請參閱「第2A圖」至「第2C圖」,「第2A圖」至「第2C圖」為本發明門檻式簽章的亂數生成方法的第一實施例之方法流程圖,其步驟包括:第一主機具有秘密d1、X座標x1及層級值n1,第二主機具有秘密d2、X座標x2及層級值n2,並且秘密d1、X座標x1、層級值n1、秘密d2、X座標x2及層級值n2滿足下列運算式以與私鑰d相等:d=B(x1,n1)* d1+B(x2,n2)* d2,其中,B(xi,ni)代表伯克霍夫係數,以及i為1或2(步驟210);提供作為混淆電路的第一布林電路及第二布林電路,所述第一布林電路允許輸入多個輸入參數,所述輸入參數包含參數v1、參數v2、參數r1、參數r2、參數n及訊息m且輸出第一評估值,每一所述輸入參數允許各自帶入一組位元值,所述第二布林電路允許輸入參數v1、參數v2、參數r1及參數r2且輸出第二評估值,所述第一評估值的運算式為「RFC6979(d,m)+r1+r2 mod n」,所述第二評估值的運算式為「d+r1+r2」,其中,RFC6979(d,m)的值與根據私鑰d及訊息m所生成的亂數k相同、參數n為給定橢圓曲線群的個數、參數v1的運算式為「B(x1,n1)d1 mod n」、參數v2的運算式為「B(x2,n2)d2 mod n」(步驟220);第一主機產生隨機亂數以作為參數r1且公開第一雜湊值,第二主機產生隨機亂數以作為參數r2且公開第二雜湊值,其中,第一雜湊值的運算式為「H(r1 * G)」,第二雜湊值的運算式為「H(r2 * G)」,H代表雜湊函式,G為橢圓曲線群的基點(Base Point)(步驟230);第一主機使用本身的參數v1、參數r1及訊息m與第二主機使用本身的參數v2及參數r2共同執行第一布林電路,使第二主機根據第一布林電路獲得第一
評估值且計算k2值,此k2值的運算式為「k2=(m2-2 * r2)/2 mod n」,其中,m2為第二主機100b獲得的第一評估值,第一主機100a及第二主機100b再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第一公開值,所述第一公開值的運算式為「r1 * G」(步驟240);第二主機使用本身的參數v2、參數r2及訊息m與第一主機使用本身的參數v1及參數r1共同執行第一布林電路,使第一主機100a根據第一布林電路獲得第一評估值且計算k1值,此k1值的運算式為「k1=(m1-2 * r1)/2 mod n」,第一主機100a及第二主機100b再使用相同的參數v1、參數v2、參數r1及參數r2共同執行第二布林電路以獲得第二評估值,以及公開第二公開值,所述第二公開值的運算式為「r2 * G」(步驟250);第一主機100a及第二主機100b均驗證私鑰d、參數r1、參數r2、第一公開值、第二公開值及公鑰P是否滿足運算式「(d+r1+r2)* G=P+r1 * G+r2 * G」,當滿足時,第一主機100a及第二主機100b再執行安全驗證協定以驗證雙方在第一布林電路所獲得的第一評估值是否相同(步驟260);以及當驗證結果為相同時,第一主機100a將k1值作為本身執行門檻式簽章時使用的亂數,以及第二主機100b將k2值作為本身執行門檻式簽章時使用的亂數(步驟270)。其中,步驟240及步驟250允許同時執行。藉由上述步驟即可透過提供作為混淆電路的第一布林電路及第二布林電路以供二個主機輸入多個輸入參數並共同執行安全多方計算,使二個主機各自獲得第一布林電路的第一評估值及第二布林電路的第二評估值,以及分別計算出各自用於門檻式簽章的亂數值,再廣播各主機的隨機亂數與基點的乘積,用以驗證雙方的輸入參數是否正確及通過混淆電路獲得的結果是否相同,進而確定計算出的亂數值符合RFC 6979標準,以便使基於此亂數值生成的簽章能夠用於生成第二層私鑰且不洩漏原私鑰。
Please refer to "Fig. 2A" to "Fig. 2C". "Fig. 2A" to "Fig. 2C" are the method flow chart of the first embodiment of the random number generation method of the threshold type signature of the present invention, and the steps include : The first host has secret d 1 , X coordinate x 1 and level value n 1 , the second host has secret d 2 , X coordinate x 2 and level value n 2 , and secret d 1 , X coordinate x 1 , level value n 1. Secret d 2 , X coordinate x 2 and level value n 2 satisfy the following formula to be equal to private key d: d=B(x 1 ,n 1 )* d 1 +B(x 2 ,n 2 )* d 2 , wherein, B( xi , ni ) represents the Birkhoff coefficient, and i is 1 or 2 (step 210); provide the first Bollinger circuit and the second Bollinger circuit as a confusing circuit, the first Bollinger circuit A Bollinger circuit allows multiple input parameters to be input. The input parameters include parameter v1, parameter v2, parameter r1, parameter r2, parameter n and message m and output the first evaluation value. Each of the input parameters is allowed to be brought in A set of bit values, the second Bollinger circuit allows input of parameter v1, parameter v2, parameter r1 and parameter r2 and outputs a second evaluation value, the calculation formula of the first evaluation value is "RFC6979(d, m) +r1+r2 mod n", the calculation formula of the second evaluation value is "d+r1+r2", wherein, the value of RFC6979 (d, m) and the random number k generated according to the private key d and the message m Same, the parameter n is the number of given elliptic curve groups, the calculation formula of the parameter v1 is "B(x 1 ,n 1 )d 1 mod n", the calculation formula of the parameter v2 is "B(x 2 ,n 2 ) d 2 mod n" (step 220); the first host generates a random random number as parameter r1 and discloses the first hash value, and the second host generates random random number as parameter r2 and discloses the second hash value, wherein the first The calculation formula of the hash value is "H(r1 * G)", the calculation formula of the second hash value is "H(r2 * G)", H represents the hash function, and G is the base point of the elliptic curve group (Base Point) ( Step 230); the first host uses its own parameter v1, parameter r1 and message m and the second host uses its own parameter v2 and parameter r2 to jointly execute the first Bollinger circuit, so that the second host can obtain the first Bollinger circuit according to the first Bollinger circuit. an evaluation value and calculate the k2 value, the calculation formula of the k2 value is "k2=(m2-2*r2)/2 mod n", wherein, m2 is the first evaluation value obtained by the
以下配合「第3圖」以實施例的方式進行如下說明,「第3圖」為應用本發明的混淆電路的示意圖。在實際實施上,本發明的混淆電路包含第一布林電路310及第二布林電路320。其中,第一布林電路310提供輸入線以輸入參數v1(即:「B(x1,n1)d1 mod n」)、參數v2(即:「B(x2,n2)d2 mod n」)、參數r1(即:第一主機100a隨機挑選的亂數)、參數r2(即:第二主機100b隨機挑選的亂數)、參數n(即:給定橢圓曲線群的個數)及訊息m,可示意為「MPCEdDSA(v1,v2,r1,r2,n,m)」,並且輸出第一評估值「RFC6979(d,m)+r1+r2 mod n」其中,「RFC6979(d,m)」基本上是由雜湊函數「H(d∥m∥其他填補資訊)」為基底所組合而成,符號「∥」代表串聯,例如:「A∥B」代表「A」與「B」串聯即為「AB」,「AA∥BB」代表「AA」與「BB」串聯即為「AABB」;第二布林電路320提供輸入線以輸入參數v1、參數v2、參數r1及參數r2,可示意為「ModAdd(v1,v2,r1,r2)」,並且輸出第二評估值「d+r1+r2」。在建立上述第一布林電路310時,可使用「及運算(AND)」與「互斥或運算(XOR)」至少其中之一架構滿足條件「MPCEdDSA(v1,v2,r1,r2,n,m)=RFC6979(d,m)+r1+r2 mod n」的邏輯電路,而在建立第二布林電路時320,則同樣使用「及運算(AND)」與「互斥或運算(XOR)」至少其中之一架構滿足條件「ModAdd(v1,v2,r1,r2)=d+r1+r2」的邏輯電路。特別要說明的是,在同一次簽章中,第一布林電路310輸入的參數v1、參數v2、參數r1及參數r2等,同時也是第二布林電路320輸入的參數v1、參數v2、參數r1及參數r2,而每次簽章都會重新選取參數r1及參數r2。
The following description will be made in the form of an embodiment in conjunction with "Fig. 3", where "Fig. 3" is a schematic diagram of an obfuscation circuit applying the present invention. In practice, the confusion circuit of the present invention includes a
綜上所述,可知本發明與先前技術之間的差異在於透過提供作為混淆電路的第一布林電路及第二布林電路以供二個主機輸入多個輸入參數並共同執行安全多方計算,使二個主機各自獲得第一布林電路的第一評估值及第二 布林電路的第二評估值,以及分別計算出各自用於門檻式簽章的亂數值,再廣播各主機的隨機亂數與基點的乘積,用以驗證雙方的輸入參數是否正確及通過混淆電路獲得的結果是否相同,進而確定計算出的亂數值符合RFC 6979標準,以便使基於此亂數值生成的簽章能夠用於生成第二層私鑰且不洩漏原私鑰,藉由此一技術手段可以解決先前技術所存在的問題,進而達成提高簽章的可用性之技術功效。 In summary, it can be seen that the difference between the present invention and the prior art lies in that by providing the first Bollinger circuit and the second Bollinger circuit as confusing circuits for two hosts to input multiple input parameters and jointly execute secure multi-party calculations, Make the two hosts respectively obtain the first evaluation value and the second evaluation value of the first Bollinger circuit The second evaluation value of the Bollinger circuit, and calculate the respective random value for the threshold signature, and then broadcast the product of the random random number and the base point of each host to verify whether the input parameters of both parties are correct and pass the confusion circuit Whether the results obtained are the same, and then determine that the calculated random value conforms to the RFC 6979 standard, so that the signature generated based on this random value can be used to generate the second-level private key without revealing the original private key. By this technical means The problems existing in the prior art can be solved, and then the technical effect of improving the usability of the signature can be achieved.
雖然本發明以前述之實施例揭露如上,然其並非用以限定本發明,任何熟習相像技藝者,在不脫離本發明之精神和範圍內,當可作些許之更動與潤飾,因此本發明之專利保護範圍須視本說明書所附之申請專利範圍所界定者為準。 Although the present invention is disclosed above with the aforementioned embodiments, it is not intended to limit the present invention. Any person familiar with similar skills may make some changes and modifications without departing from the spirit and scope of the present invention. Therefore, the present invention The scope of patent protection shall be subject to what is defined in the scope of patent application attached to this specification.
100a,100b:主機 100a, 100b: host
110:混淆模組 110: Confusion Module
120:生成模組 120: Generate modules
130:第一計算模組 130: The first computing module
140:第二計算模組 140: Second computing module
150:驗證模組 150: Verification module
160:確認模組 160: Confirm the module
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111121123A TWI799286B (en) | 2022-06-07 | 2022-06-07 | Random number generation system for threshold signature scheme and method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111121123A TWI799286B (en) | 2022-06-07 | 2022-06-07 | Random number generation system for threshold signature scheme and method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI799286B true TWI799286B (en) | 2023-04-11 |
TW202349241A TW202349241A (en) | 2023-12-16 |
Family
ID=86948727
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW111121123A TWI799286B (en) | 2022-06-07 | 2022-06-07 | Random number generation system for threshold signature scheme and method thereof |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI799286B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110197068A1 (en) * | 1996-07-30 | 2011-08-11 | Holden James M | Methods for providing security over untrusted networks |
US20110225223A1 (en) * | 2010-03-12 | 2011-09-15 | Plx Technology, Inc. | Generating unique random numbers for multiple instantiations |
TW201242391A (en) * | 2011-04-06 | 2012-10-16 | A Men Technology Corp | A method of the data transmission of the mobile phone and the system therefore |
TW201426395A (en) * | 2012-12-26 | 2014-07-01 | Chunghwa Telecom Co Ltd | Data security system and method |
-
2022
- 2022-06-07 TW TW111121123A patent/TWI799286B/en active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110197068A1 (en) * | 1996-07-30 | 2011-08-11 | Holden James M | Methods for providing security over untrusted networks |
US20110225223A1 (en) * | 2010-03-12 | 2011-09-15 | Plx Technology, Inc. | Generating unique random numbers for multiple instantiations |
TW201242391A (en) * | 2011-04-06 | 2012-10-16 | A Men Technology Corp | A method of the data transmission of the mobile phone and the system therefore |
TW201426395A (en) * | 2012-12-26 | 2014-07-01 | Chunghwa Telecom Co Ltd | Data security system and method |
Also Published As
Publication number | Publication date |
---|---|
TW202349241A (en) | 2023-12-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11601407B2 (en) | Fast oblivious transfers | |
US8891766B2 (en) | Input consistency verification for two-party secure function evaluation | |
Schneider et al. | GMW vs. Yao? Efficient secure two-party computation with low depth circuits | |
WO2021228239A1 (en) | Asset type consistency evidence generation method and system, transaction method and system, and transaction verification method and system | |
US11050762B2 (en) | High throughput secure multi-party computation with identifiable abort | |
JP2021507563A (en) | Systems and methods for multi-party generation of blockchain-based smart contracts | |
US12034840B2 (en) | Computer implemented system and method for sharing a common secret preliminary class | |
JP2021515270A (en) | Computer-implemented methods and systems for transferring control of digital assets | |
CN113408001B (en) | Method, device, equipment and storage medium for determining most value safely by multiple parties | |
TWI799286B (en) | Random number generation system for threshold signature scheme and method thereof | |
US10795658B2 (en) | Updatable random functions | |
CN113362065A (en) | Online signature transaction implementation method based on distributed private key | |
TWI776416B (en) | Threshold signature scheme system for hierarchical deterministic wallet and method thereof | |
TWI795284B (en) | Threshold signature generation system based on garbled circuit and method thereof | |
TWI759138B (en) | Threshold signature scheme system based on inputting password and method thereof | |
TWI764811B (en) | Key generating system for hierarchical deterministic wallet and method thereof | |
TWI737956B (en) | Threshold signature system based on secret sharing and method thereof | |
TWI694349B (en) | Threshold signature system with prevent memory dump and method thereof | |
TWI689194B (en) | Threshold signature system based on secret sharing without dealer and method thereof | |
TWI702820B (en) | Secret sharing signature system with hierarchical mechanism and method thereof | |
US12063304B1 (en) | Line-point zero-knowledge proof system | |
TWI734087B (en) | Signature system based on homomorphic encryption and method thereof | |
CN114461998B (en) | Secret handshake method of base Yu Ge under full-dynamic traceable environment | |
CN115883100A (en) | Identity authentication method based on twin block chain and related equipment | |
Tyagi | A Review on Zero Knowledge Proof Vulnerabilities in Zcash |