阅读说明：本技术 一种用于向消息提供数字签名的方法 (Method for providing digital signature to message ) 是由 T·P·雅各布森 I·B·达姆加德 M·B·奥斯特加德 J·B·尼尔森 于 2020-02-07 设计创作，主要内容包括：公开了一种用于按照数字签名算法(DSA)或椭圆曲线数字签名算法(ECDSA),向消息M提供数字签名的方法。生成秘密密钥x作为至少两个参与方之间,比如至少三个参与方之间的随机秘密共享[x]。在至少两个参与方之间产生随机秘密共享[a]和[k],并计算[w]＝[a][k],R＝g～(k)和W＝R～(a),和验证它们的正确性。通过检查是否g～(w)＝W来验证[w]。通过至少使用M、[w]、R和[x],在所述至少两个参与方之间生成共享[s]来对消息M签名。(A method for providing a digital signature to a message M in accordance with a Digital Signature Algorithm (DSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) is disclosed. Generating a secret key x as a random secret sharing [ x ] between at least two parties, such as at least three parties]. Generating a random secret sharing between at least two parties [ a ]]And [ k ]]And calculate [ w]＝[a][k]，R＝g k And W ═ R a And verifying their correctness. By checking whether or notg w Verify [ W ] with W]. By using at least M, [ w ]]R and [ x ]]Generating a share [ s ] between the at least two participants]To sign the message M.)

1. A method for providing a digital signature to a message M according to a digital signature algorithm, DSA, or an elliptic curve digital signature algorithm, ECDSA, the method comprising the steps of:

providing a generator G, a function F and a function H of a cyclic group G of order q, wherein G ∈ G and G, G, F and H are specified by DSA or ECDSA,

-generating a secret key x as a random secret sharing [ x ] between at least two parties,

-generating random secret shares [ a ] and [ k ] between the at least two participants, and calculating [ w ] ═ a ] [ k ],

-in the absence of exposure k, the calculated value R is R ═ g^k，

-by verifying that R ═ g^kIs based on k originating from honest participants]Is calculated, ensuring that R is correct,

by calculating R in the absence of a or k^aCalculating the authentication element W as W ═ g^ak，

-passing verification W ═ R^aIs based on [ a ] originating from honest participants]Is calculated, ensures that W is correct,

by checking whether g is present^wWhen W, verify [ W]And an

By calculating [ k ]^-1]＝[a]·w^-1Calculating [ x.k ]^-1]＝[x]·[k^-1]And as M, R, [ k ]^-1]And [ x.k ]^-1]Is generated between the at least two participants]Message M is signed.

2. The method of claim 1, wherein the step of calculating a value R comprises the steps of:

-calculating a share R of the value R for each of the at least two parties_jIs R_j＝g^k_jAnd distribute the shares to each of the other participants, an

According to the fraction R_jCalculated value R, and

wherein the step of ensuring that R is correct comprises the steps of:

-each participant is based on the share R received from the other participants_jCheck if R is correct.

3. A method according to claim 1 or 2, wherein the step of calculating a value R and the step of calculating an authentication element W are performed using the same protocol.

4. A method according to any preceding claim, further comprising the step of aborting the signing process in the event that either R or W is revealed to be incorrect.

5. The method according to any one of the preceding claims, further comprising verifying [ w ]]Step (a) reveals g^wAnd terminating the signature process in the case of not equal to W.

6. Method according to any one of the preceding claims, wherein the step of signing the message M is performed by calculating [ s ]]＝m·w^-1·[a]+r·w^-1·[a]·[x]+[d]+m·[e]Wherein r ═ f (r), m ═ h (m), and [ d ═ f (r) (-), (m), and]and [ e]Is a random share of zeros.

7. Method according to any one of the preceding claims, wherein at least the steps of generating a secret key x, generating random secret shares [ a ] and [ k ], calculating a value R and calculating an authentication element W are performed by pre-processing prior to the generation of the message M.

8. The method of any preceding claim, further comprising calculating the public key y as y-g^xAnd disclosing y to each of the at least two parties.

9. The method of claim 8, further comprising the step of verifying the signature using the public key y.

10. The method of claim 9, wherein the step of verifying the signature comprises checking if r ═ F (g)^m/s·y^r/s)。

11. A method according to claim 9 or 10, wherein the step of verifying the signature comprises checking whether R^s＝g^m·y^r。

12. The method according to any one of claims 8 to 11, further comprising the step of checking the correctness of y.

Technical Field

The present invention relates to a method of providing a digital signature to a message according to a Digital Signature Algorithm (DSA) or Elliptic Curve Digital Signature Algorithm (ECDSA). In accordance with the present invention, a multi-party threshold DSA or ECDSA protocol is used to generate the digital signature.

Background

Digital signatures may be used to ensure the integrity of data sent online, for authentication of data and/or entities online, and the like. By using a secret signing key generated as a secret share between multiple parties, each party holding a share (share) of the secret signing key, rather than allowing a single party to hold the entire secret signing key, the risk of compromise of the signing system is reduced. Such a scheme is sometimes referred to as a "multi-party signature scheme". In a multi-party signature scheme, it is possible to generate a digital signature even if some parties are unavailable, corrupted or compromised. The maximum number of corrupted parties that can be tolerated without violating security is sometimes referred to as the security threshold of the scheme, which can be denoted by't'.

Digital signature algorithms have previously been used to generate digital signatures. One example is the DSA standard. The method designs a cyclic group G and a generator G belonging to G and two functions H, wherein the cyclic group G and the generator G belong to G, and the functions are represented by the following formula: {0,1}^*→Z_qAnd F: g → Z_qParameterized signature schemes. The secret signing key x is randomly selected from Z_qThe corresponding public verification key is calculated as y ═ g^xTo sign a message M, first a random number K ∈ Z is selected_qThe signature is then calculated as (r, s), where r ═ F (g)^k)，s＝k^-1H (m) + r · x. Knowing the public authentication key y and the signature (r, s), by calculating m h (m) and checking rF(g^m/s·y^r/s) The signature may be verified.

Another example is the ECDSA standard, which defines a signature scheme that operates in essentially the same way as DSA, but where G instead results from a point G on the elliptic curve. Digital signature algorithms that apply elliptic curve cryptography, commonly referred to as elliptic curve digital signature algorithms or ECDSAs, have previously been used to generate digital signatures. Such algorithms are known to be suitable for providing reliable digital signatures.

Multiplication representation is commonly used in describing DSA, but addition representation is used for ECDSA. Here we will use a multiplicative representation, even though our method can be applied to both DSA and ECDSA. That is, for elements a, b in group G, we will use a · b, or just ab, to represent the group operation applied to these two elements. For domain Z_qThe calculation of the element in (b) is assumed to take place in this domain, i.e. the reduction modulus q is implicit when we write r · x or m/s down.

WO 2015/160839a1 discloses a system and method for distributed generation of Elliptic Curve Digital Signature Algorithm (ECDSA) -based digital signatures, wherein a secret sharing protocol is initialized between a client and a set of n servers to share a set of shares of a private key between the set of n servers. The set of servers initiates a protocol to generate a digital signature on a message using a set of shares of a private key without reconstructing or disclosing the private key. The threshold t (up to n/2 (i.e., t ≦ n/2)) among the n servers may be maliciously and completely corrupted or compromised without compromising the confidentiality of the private key or the correctness of the generated signature.

The system and method disclosed in WO 2015/160839a1 requires a large number of rounds of interaction in order to generate a digital signature. In addition, the system and method require high processing power and communication bandwidth.

Rosario Gennaro et al: "Robust Threshold DSS Signatures", Information and Computation, volume 164, pages 54-84 (2001)) discloses a method for providing digital Signatures using a multi-party Threshold signature scheme. The protocol described therein applies polynomial interpolation and is robust and unforgeable to up to t malicious adversaries when the number of participants, n, is greater than or equal to 3t + 1. Thus, to tolerate 1 malicious adversary, the number of participants should be at least 4. Furthermore, this approach requires a large number of rounds of interaction in order to generate the digital signature.

Disclosure of Invention

It is an object of embodiments of the present invention to provide a method for providing multi-party DSA or ECDSA based digital signatures, wherein the number of interaction rounds required to generate the digital signature is reduced without compromising confidentiality.

It is a further object of embodiments of the present invention to provide a method for providing multi-party DSA or ECDSA based digital signatures, wherein the requirements on processing power are reduced without compromising confidentiality.

It is a further object of embodiments of the present invention to provide a method for providing multi-party DSA or ECDSA based digital signatures, wherein the requirements on communication bandwidth are reduced without compromising confidentiality.

It is another object of embodiments of the present invention to provide a method for providing multi-party DSA or ECDSA based digital signatures, which is capable of tolerating up to t parties to be maliciously corrupted, where t > n/3.

The invention provides a method for providing a digital signature to a message M according to a digital signature algorithm DSA or elliptic curve digital signature algorithm ECDSA, the method comprising the steps of:

providing a generator G, a function F and a function H of a cyclic group G of order q, wherein G ∈ G, G, G, F and H are specified by DSA or ECDSA,

-generating a secret key x as a random secret sharing [ x ] between at least two parties,

-generating random secret shares [ a ] and [ k ] between the at least two participants, and calculating [ w ] ═ a ] [ k ],

-in the absence of exposure k, the calculated value R is R ═ g^k，

-by verifying that R ═ g^kIs based on k originating from honest participants]Is calculated with at least t +1 shares, ensuring that R isIn the right way, the user can select the specific type of the target,

by calculating R in the absence of a or k^aCalculating the authentication element W as W ═ g^ak，

-passing verification W ═ R^aIs based on [ a ] originating from honest participants]Is calculated, ensures that W is correct,

by checking whether g is present^wWhen W, verify [ W]And an

By calculating [ k ]^-1]＝[a]·w^-1Calculating [ x.k ]^-1]＝[x]·[k^-1]And as M, R, [ k ]^-1]And [ x.k ]^-1]Generating a share s between said at least two participants]Message M is signed.

Thus, the method of the present invention is a method for providing a DSA-based or ECDSA-based digital signature to a message M. The digital signature applied according to the method of the invention may be used, for example, to ensure the authenticity of the sender, to ensure the integrity of the data sent, for example during an online financial transaction or the like.

According to the method of the invention, first a generator G of a cyclic group G of order q, a function F and a function H are provided. The generator G is an element of the cyclic group G, i.e., G ∈ G. The cyclic group G, generator G, and functions F and H are all specified by DSA or ECDSA, so that once it is determined which particular DSA or ECDSA is to be used, these are defined.

Next, a secret key [ x ] is generated as a random secret share between at least two parties, such as at least three parties. In this context, the term "secret sharing" should be interpreted to mean that the secret key is distributed between at least two parties in such a way that each party holds a share of the secret key and no one party possesses the entire secret key. Thus, the method of the present invention is applicable to a multi-party system. Thus, no one party constitutes a single point of trust, and several parties, i.e. at least t +1 parties, require a malicious collusion to gain access to the entire secret key. This improves the security of the system, especially in terms of confidentiality.

Secret sharing partyAn example of a case is additive sharing. When each party P_iHold random shares x_iSo that x is x₁+x₂+...+x_nThen, the secret x is considered to be among the N participants P₁、P₂、...、P_nAre shared by addition. The additive share has a threshold t-n-1 because reconstructing the secret requires all n shares, i.e. reconstructing x requires the cooperation of all n participants, while having up to all but one share does not allow the reconstruction of x. Another example is the Shamir sharing scheme. Here, when each party P_iThe secret x is shared, holding as its share the value f (i) of the random polynomial f, constrained by f (0) ═ x. The degree of Shamir sharing is defined as the degree of polynomial f (degree). If this degree is t, then any party t +1 can recombine their shares into a secret by using polynomial interpolation, while shares held by any subset of the t or fewer parties are opaque to any information about x.

In this context, the term 'random secret sharing' should be interpreted as secret sharing in which shares are randomly selected, such that the shared secret is also a random value. For additive sharing, this means that the shares are completely random. For Shamir sharing with a threshold t, it means that the share is a point on a random t-th degree polynomial.

Throughout this disclosure, letters placed in brackets '[ ]' represent the sharing of elements among multiple participants. The same letters without square brackets represent the entire element. Thus, for example, 'x' represents the entire secret key, and [ x ] represents the secret sharing of the secret key x.

The secret sharing may be calculated without revealing the secret. This is the subject of 'secure multiparty computing' in the research field. For most types of secret sharing, the respective parties can easily compute the sum of the two secret shares, i.e. knowing [ x ] and [ y ], they can compute the share [ x + y ] without revealing x or y. Similarly, if all participants agree to a common constant c, they can easily compute the share [ c · x ] from c and [ x ] without revealing x. We will use the expressions [ x ] + [ y ] and c.x ] for these operations.

The product [ xy ] can also be calculated from [ x ] and [ y ]. This is possible without revealing x and y, but is often difficult and inefficient, when up to a given security threshold (t) the participants may collude maliciously. Thus, for two random shares [ x ] and [ y ], a 'weak' multiplication representation is sometimes used. The weak multiplication guarantees confidentiality in the sense that information about x and y is not revealed as long as at most t participants are malicious. But weak multiplication does not guarantee the correctness of the result. Instead, it only calculates the correct result [ xy ] only if all participants are behaving correctly. A single malicious party may, for example, corrupt the result such that the resulting share [ z ] is not a share of xy. In the following, for the sake of simplicity, we use the notation [ z ] ═ x ] [ y ] to denote weak multiplications, unless otherwise stated.

For example, as long as the security threshold t satisfies t < n/2, a weak multiplication can be constructed for Shamir sharing. For larger thresholds, i.e. up to a maximum threshold t ═ n-1, weak multiplications can be obtained for addition sharing, for example by combining an addition homomorphic encryption scheme such as the Paillier encryption scheme with a so-called zero knowledge proof. Examples of such constructions of weak multiplications can be found in the secure multiparty computation research literature.

The participants may take the form of, for example, separate servers that are physically separated from each other. The participants are preferably separate or independent in the sense that information available to one party is not available to the other participants. However, as long as a subset of t +1 or more participants does not possess all information, it is not excluded that some participants share some information.

Next, random secret shares [ a ] and [ k ] are generated between at least two participants. Thus, each of the at least two participants holds a share a and a share k. Furthermore, calculating [ w ] ═ a ] [ k ] also serves as a secret share between the at least two parties. This can be done by each of the at least two participants calculating a share w from its shares a and k. Further, [ w ] may be "open," i.e., the secret w is revealed to each of the at least two parties. This can be achieved, for example, by each of the at least two parties disclosing its share w to each of the other parties. It should be noted that [ w ] can be opened without opening [ a ] and/or [ k ], i.e., keeping the values of a and k secret at the same time.

Next, in the case of no exposure k, the calculated value R is R ═ g^k. For example, this may include each of the at least two participants calculating a share R based on their share k. This will be described in further detail below. Alternatively, R may be calculated in another way, as long as it is ensured that k is not revealed. However, R may be revealed to each of the at least two parties. Note that due to the commonly accepted encryption assumption called the 'discrete log' assumption (which standard DSA/ECDSA is also based on), it is not possible to pass the value R-g^kTo infer any information about k.

Further ensuring that R is correct. In this context, this should be interpreted to mean that R equals g^kWhere k is shared by secrets [ k ]]A defined unique value k. By verifying that R is g^kIs based on k originating from honest participants]Is calculated, a step is performed to ensure that R is correct, where t represents a threshold value for the signature scheme, i.e. up to t malicious, corrupt, dishonest or unavailable participants may be tolerated. Thus, when the correctness of R is ensured, the honesty of the participants is investigated, and it can only be concluded that R is correct if at least t +1 participants can be proved to be honest. This will be described in further detail below.

If the result is that R is incorrect, the signature process may be aborted. For example, each honest participant may be guaranteed or (1) a value of R ═ g may be obtained^kOr (2) the output is suspended at this time. That is, even if up to t participants are destroyed, the remaining n-t participants will either get R ═ g^kOr otherwise suspended. This will be described in further detail below.

Then, the authentication element W is calculated as W ═ g^ak. This is done by calculating R without revealing a or k^aRather than by calculating g directly^akTo proceed with. This can be done in the same way as R is calculated, except that instead of g, R is used as the base. In addition, in this case, W ═ R is verified^aIs based on [ a ] originating from honest participants]Is calculated to ensure that W is correct, and if this is not the case, the signature process may be aborted.

Thus, at this stage of the process, the correct R ═ g is calculated^kAnd the correct W ═ g^akWhile the values k and a are still secret.

Next, by checking whether g is present^wWhen W, verify [ W]. This may include opening to each side w]. Note that [ w ] is calculated using shared weak multiplication]So w is equal to the product ak only if all participants are honest and obey the protocol until now. Since W is known to be g^akIs correct, thus verifying g^wW ensures W ak. At this point W, g and w are known to all parties so that any party can verify the correctness of its value w in this way. Furthermore, this can be done without the presence of an opaque a, and without the presence of an opaque k.

Thus, at this stage of the process it has been ensured that the correct value of w has been calculated by each honest participant of the at least two participants.

All the steps described above can be carried out without knowing the message M to be signed. Thus, these steps may be performed in a pre-processing procedure, for example, during off-peak periods. This may balance the load on the processing device and increase the number of transactions that can be performed during the peak period, and may reduce the response time from presenting the message M until the signature on the message M is calculated.

Finally, by calculating [ k ]^-1]＝[a]·w^-1Calculating [ x.k ]^-1]＝[x]·[k^-1]And as M, R, [ k ]^-1]And [ x.k ]^-1]Generating a share between at least two participants s]Message M is signed.

DSA or ECDSA digital signatures for M typically consist of a pair of (r, s), where r ═ F (g)^k) And S ═ k^-1(H (M) + rx). The pair (r, s) may be revealed and verified using the public key y. Generated shares [ s ]]Is the sharing of the latter part s of the signature pair. The first part r of the pair may be generated as r ═ F (r), where F is one of the functions originally provided and specified by ECDSA. Generating a share [ s ] as follows]: first, the share of the reciprocal of k is calculated as k^-1]＝w^-1[a]. Since w has been verified to be equal to ak, this yields k^-1Because w is correctly shared^-1[a]＝[aw^-1]＝[a(ak)^-1]＝[(aa^-1)k^-1]＝[k^-1]. Further, [ x.k ] is shared^-1]Is calculated as [ x ]]·[k^-1]. Then e.g. by first calculating [ A ]]＝H(M)[k^-1],[B]＝[k^-1][x]Finally calculate [ s ]]＝[A]+r[B]The share [ s ] can be computed]。

Furthermore, in the method according to the invention, aborts are allowed in case of any doubt about the correctness of the process, i.e. no termination guarantee is provided, even though this is a requirement in many prior art methods. Such a question may be due, for example, to one or more of the parties being compromised or malicious, or may be due simply to packet loss during communication between the parties. Aborting the process will simply result in the process being restarted in an attempt to provide the correct signature.

Signature methods that provide termination guarantees typically achieve termination guarantees by assuming synchronous networks, i.e., networks that guarantee an upper bound on packet delay. Such an approach using an inherently asynchronous open communication network (such as the internet) application requires that each participant must have a local clock and that if a participant does not receive the intended message within some fixed timeout according to the local clock, it will simply treat the sender as corrupted.

This leads to a dilemma. If the timeout is small, then there is a high risk that packet delays that occur often on the Internet will quickly cause more participants (e.g., n/2 or n/3 out of more than n participants) than the protocol can tolerate to be considered corrupted, so that the secret signing key may be compromised. To avoid this, the timeout must be set high. But this has the disadvantage that it allows a single malicious party to introduce very high latency in the system by deliberately delaying each message it sends to the other parties (i.e. it may retain messages until it ends when a timeout occurs). The method according to the invention avoids this dilemma by allowing protocol termination. This allows the use of a relatively small time-out, resulting in only a small overall time delay in the system. This is possible because the method is designed to ensure that even when all messages are delayed, the worst case that can occur is simply a protocol abort, rather than a secret signing key leak as in some methods previously disclosed.

The step of calculating the value R may comprise the steps of:

-calculating a share R of the value R for each of the at least two parties_jIs R_j＝g^k_jAnd distribute the share to each of the other participants, an

According to the fraction R_jCalculate a value R, and

the step of ensuring that R is correct may comprise the steps of:

-each participant is based on the share R received from the other participants_jCheck that R is correct.

Recall that each participant P_jShare k holding secret k_j. According to this embodiment, the at least two parties calculate the value R in the following manner. Each of the at least two participants calculates a share R of R_jWherein R is_jRepresenting the share of R calculated by participant j. R_jIs calculated as R_j＝g^k_jWhere k _ j represents [ k ] held by participant j]The fraction of (c). Thus, each participant is based on its own [ k ]]Is calculated from the fraction of (1), the fraction R is calculated_j。

Each of the at least two participants then shares R of its own R_jTo each of the other participants, i.e. to disclose the share R_j. However, due to the discrete log assumption, the share k _ j is still secret, and thus, the following of the secretThe number k is still secret.

Subsequent fraction R from the disclosure_jCalculate the value R. For example, this may include interpolating the share R "in the exponent_j. For example, the value R may be calculated by the at least two parties and/or it may be centrally calculated. In this context, the term "interpolate in the index" should be interpreted to mean where the secret "in the index" is reconstructed (e.g. from g)^k_1、g^k_2Wait for g^k) Is interpolated.

Finally, each of the at least two participants is based on the share R received from the other participants_jCheck if R is correct.

According to one embodiment of the method, the share may be a Shamir share, and there are at least three parties (i.e., n ≧ 3) and the safety threshold t satisfies t<n/2. In this embodiment, each of the at least three participants may be enabled by examining each share R received from the other participants_jWhether R is correct is verified in agreement with a polynomial f of degree t uniquely defined by the first t +1 shares. This can be done, for example, by comparing each share R_t+2、R_t+3、...、R_nAnd an expected share, which can be made from the first t +1 shares R using, for example, lagrange interpolation in the exponent₁、R₂、...、R_t+1To calculate. If in all cases the received shares are equal to the expected shares, it is possible to conclude that all received shares R are equal_jAre all correct. Since at least t +1 contributions R are known_jReceived from honest participants and thus correct, so this can be inferred. If either party finds some share R_jMissing or inconsistent with the polynomial determined by the first t +1 received shares, the participant may abort the protocol.

According to an alternative embodiment of the method, the shares may be additive shares and the safety threshold may be up to t-n-1. In this embodiment, each participant P_iFraction g of^k_iZero knowledge proofs may be included, e.g., non-interactive zero knowledge proofs, such that P_iProving shares to other participantsR_iIs correctly calculated without revealing information about k_iAny of (3). In this alternative embodiment, verifying the correctness of R may include receiving a share R from another participant_jVerifies the zero knowledge proof and aborts if the proof is invalid.

According to one embodiment, the correctness of R can be ensured in the following manner. Assuming that there are three participants, n-3, and one participant that is compromised or unavailable may be tolerated, i.e., t-1. In this case, the share R from two or more honest participants may be based on_jAnd calculating the correct value of R. Each of the three participants may then calculate its share of R based on their respective shares of k and distribute the calculated share of R to each of the other two participants, as described above. Each participant will then have three shares of R, i.e., the own computed share and the two shares received from the other two participants. If all three participants are honest, then R can be calculated correctly from the combination of any two of these shares. Thus, the participants are based on a possible combination of any two of the available shares (in this example, three combinations in total, i.e., (R)₁,R₂),(R₁,R₃) And (R)₂,R₃) To calculate R. If all three combinations yield the same value of R, it can be concluded that all three participants are honest and that R is correct. If the value of R calculated based on at least one of the combinations is different from the value of R calculated based on any other combination, then at least one participant dishonest may be inferred. However, it is not possible to determine which party is dishonest, and it is then not possible to determine which calculated value of R is correct. In this case, it is merely determined that R is incorrect and the signature process may be aborted. This may delay the signing process but does not reveal the secret.

The step of calculating the value R and the step of checking whether R is correct may be performed in the reverse order, i.e. the participant may check the received share R before calculating the value R_jWhether it is correct. In this case, only if a received share is foundForehead R_jWhen correct, the value R can be calculated.

The step of calculating the value R and the step of calculating the authentication element W may be performed using the same protocol. For example, the step of calculating the authentication element W may be performed substantially in the manner described above with respect to the value R, but using R as a base instead of g. Thus, in this case, each of the at least two parties calculates a share W of the authentication element W_jIs W_j＝R^a_jAnd distribute the share to each of the other participants, from share W_jAn authentication element W is calculated and each participant is based on the shares W received from the other participants, e.g., in the manner described above_jCheck if W is correct.

The method may further comprise the step of aborting the signing process in case it is revealed that R or W is incorrect. Thereby ensuring that the secret key is not revealed to malicious parties. However, in the event that the signature process is aborted, it may prove safe to restart the process in order to attempt to obtain a valid signature again.

The method may further comprise revealing g at the step of verifying w^wAnd terminating the signature process in the case of not equal to W. If the result is g^wNot equal to W, then we can conclude that W not equal ak and thus cannot be based on [ W ≠ ak]A valid signature is obtained. In such a case, attempting to compute and reveal the signature value s may potentially compromise confidentiality by revealing information about the secret key x to a malicious party. Then, if this is the case, the signature process is aborted similarly to the above case, and the signature process can be restarted.

The step of signing message M may be opened w]And calculating [ s ]]＝mw^-1[a]+rw^-1[a][x]+[d]+m[e]Wherein r ═ f (r), m ═ h (m), and [ d ═ f (r) ]]And [ e]Is a random share of zeros (so-called "masked" share ").

For some types of secret sharing schemes, once the product [ ax ] is computed [ a ] [ x ], it is unsafe to open share [ ax ] because the share of [ ax ] may reveal too much information about the secrets a and x.

This is the case, for example, in the first embodiment of our method, where the shares are Shamir shares, and where the share of a participant [ ax ] is obtained by each participant multiplying its share of [ a ] and [ x ]. In this case, the share of [ ax ] is no longer random and information about a or x may be leaked when [ ax ] is opened. To avoid this, the participant first computes a share of zeros known to have a random share [0], and instead opens [ ax ] + [0 ]. Increasing [0] does not change the result, but ensures that the value ax is the only information revealed when [ ax ] is opened.

Thus, [ s ]]Is first calculated as mw^-1[a]+rw^-1[a][x]. Note that since at this point w is known to be correct, and [ a ] is assumed][x]Is correct, which means s]＝[k^-1(m+rx)]I.e., [ s ]]Is the sharing of the correct signature value s as defined by DSA or ECDSA. But in the open [ s ]]Before, zero-sharing is added [ d ]]I.e. open [ s ]]+[d]. Adding d to s does not change the value of s, since d is 0.

Assuming that the correctness of w is mandatory, as described above, in some embodiments it may be mathematically proven that even in the case where the multiplication [ a ] [ x ] is a weak multiplication that may not be correct, revealing the signature (r, s) computed above does not reveal any more information about the secret key x than the signature computed correctly. If [ a ] [ x ] is incorrect, the only thing that can happen is that the result value (r, s) will not be a valid signature. This can be determined by each party by simply verifying the signature (r, s) using the message M and the public verification key y. If not, the participant may restart the signing process.

In some embodiments, the opening [ s ] + [ d ] may prove secure, but the evidence assumes that honest participants initially agree on the message M to be signed. If they do not agree with M, then unexpected information about the secret key x may be revealed. Thus, in some embodiments, such as the first embodiment described herein, a participant may instead calculate and open [ s ] + [ d ] + m · e ], a random share where [ d ] and [ e ] are both zero, and where m ═ h (m). In these embodiments, opening the share may prove secure even if not all honest participants use the same value M. If they agree to M, [ d ] + M. [ e ] will become a zero-share that ensures that the result [ s ] can be opened without revealing information about x. Conversely, if some participants hold different values of M, adding [ d ] + M. [ e ] to [ s ] changes [ s ] to a completely random share, which causes the protocol to abort, but does not reveal any information about x. Thus, we achieve the property that participants do not have to first ensure that they use the same value of M before they open [ s ]. This may be important in practice as it means that the participants do not have to spend an additional round of interaction to ensure that they agree with the value of M before they open s.

In an alternative embodiment of the method, the shares may be additive shares, and the multiplication [ ax ] ═ a ] [ x ] may be implemented using an additive homomorphic encryption scheme such as the Paillier encryption scheme. Here, in order to be able to safely reveal a share of the product [ ax ] ═ a ] [ x ] without revealing information about a or x, it may be necessary to include a zero knowledge proof, such as a non-interactive zero knowledge proof, in the process of calculating [ ax ]. For example, when using Paillier encryption, including such a zero knowledge proof in the process is a well-known technique that can be applied by those skilled in the art.

Generating at least a secret x, generating a random secret share [ a ]]And [ k ]]The steps of calculating the value R and calculating the authentication element W may be performed by preprocessing before the generation of the message M. According to this embodiment, some steps, for example, include generating a key pair ([ x ]]Y), calculate R and W, ensure the correctness of R or W, generate zero-share [ d ]]And [ e]Computing shared [ w]Open [ w ]]Verification of g^wW and/or calculating [ ax [ ]]＝[a][x]This may be done before the message M to be signed is known to the participants. As described above, this reduces the number of steps to be performed in providing the digital signature, thereby reducing processing requirements and response time.

Many types of secret sharing, such as, for example, Shamir secret sharing, have the following properties: given two shares, e.g. [ a ] and [ x ], a share [ a + x ] of the sum of these two secrets can be computed without requiring any interaction between the parties. Furthermore, if all participants know a given common value c, the participants may not need to interactively compute the share of the product [ c · x ]. Such a secret sharing scheme is referred to as a 'linear' secret sharing scheme.

According to some embodiments of the invention in which such linear secret sharing is used, by generating [ x ], [ a ], y, R, W, [ ax ], and W in a pre-processing stage and verifying the correctness of R and W before knowing the message M to be signed, the participants can generate R and [ s ] once M is known to them, without any interaction with each other. This is because r can be calculated locally by each participant as r ═ f (r) by using the shared sum value that has been generated and verified in the preprocessing, and furthermore [ s ] can be calculated only by the addition and sharing of the share with the multiplication of the common constant.

Furthermore, by using preprocessing to perform some steps, according to some embodiments, once M is known to the participants, the final signature (R, s) can be revealed to the recipients in a single round of interaction, where each party sends R and its share of s to the recipients.

Furthermore, by using preprocessing to perform some steps, according to some embodiments, once M is known to the various participants, the final signature (r, s) can be revealed to the recipient in a single round of interaction, with only some of the participants sending their share of s to the recipient. For example, in a first embodiment, [ s ] is 2t Shamir shares, so that it is sufficient for 2t +1 participants to send their shares to the recipient in a single round of interaction.

According to some embodiments, where linear secret sharing is used, by performing an additional pre-processing step, the final signature (R, s) can be revealed to the recipient in a single round of interaction, given M, where only t +1 participants send shares of R and their s to the recipient. For example, in some embodiments where [ ax ] is 2t Shamir shares, the number of [ ax ] may be reduced to t in the preprocessing step by using standard techniques known from the secure multiparty computing arts. Thus, the number of times [ s ] also becomes t, so that the receiver can reconstruct s based on only t +1 shares of [ s ].

Furthermore, in accordance with embodiments of the present invention, an additional pre-processing step may be performed to ensure that share [ ax ] is the correct share of value ax. This can be done using standard techniques from the secure multiparty computing field. In this way, the following properties are achieved: if the process is not aborted during the preprocessing step, it can be guaranteed that a certain number of honest participants, e.g. 2t +1 or t +1 honest participants, can open a valid signature (r, s), even if up to t malicious participants try to prevent the opening of a valid signature.

Simplifying the communication like this may for example bring benefits in the practical application of a multiparty signature scheme by minimizing the number of interaction rounds needed as soon as the message M to be signed is known to the participants and the number of shares needed to reconstruct s.

The method may further include calculating the public key y as y-g^xAnd disclosing y to each of the at least two parties. According to this embodiment, a secret key [ x ] is generated to be taken]And the public key y is g^xA cryptographic key pair of the form. The key pair is used to generate a digital signature.

The method may further comprise the step of verifying the signature using the public key y. For example, this may include checking whether r ═ F (g)^m/s·y^r/s). Alternatively or additionally, this step may comprise checking whether R is^s＝g^m·y^r。

This may include, for example, each of the at least two parties verifying the correctness of the signature using the public verification key y. For example, this may include checking whether R is^s＝g^m·y^r. If a participant finds this to be the case, the participant accepts the signature (r, s) and outputs it as a result. If not, it may abort the signing process.

In another embodiment of the method, it is not the party itself, but an external party, who should receive the resulting signature (r, s). In this case, each participant P_jCalculate R and its secret sharing s as described above]Fraction s of_j. Then, each participant will sum R and s_jAnd sent to the external party. The external party compares all received values R and if they are not equalAnd (6) stopping. It then calculates r ═ f (r) and interpolates from the fraction s by a polynomial_jCalculate s and verify if R is Using public Key y^s＝g^m·y^r. If so, he accepts (r, s) as the final signature.

The method may further comprise the step of checking the correctness of y. According to embodiments of the invention, this step may include sharing k with the generation of the random]And opens and verifies that R ═ g^kIn the same way as for correctness, a random share x is first generated]Then open y ═ g^xAnd checking the correctness of y.

Drawings

The invention will be explained in more detail below with reference to the drawing, in which

Figure 1 is a block diagram illustrating key generation and signature generation using a method according to a first embodiment of the invention,

figure 2 is a block diagram illustrating key generation using a method according to a second embodiment of the invention,

figure 3 is a block diagram illustrating signature generation using a method according to a third embodiment of the invention,

figure 4 is a block diagram illustrating signature generation using a method according to a fourth embodiment of the invention,

fig. 5 is a block diagram illustrating key generation and signature generation using a method according to a fifth embodiment of the invention, an

FIG. 6 is a flow chart illustrating a method according to an embodiment of the invention.

Detailed Description

Fig. 1 is a block diagram illustrating key generation and signature generation using a method according to a first embodiment of the invention. The method involves the use of three participants P1, P2, and P3, the participants P1, P2, P3 being separate or disjunctive in the sense that information available to one of the participants P1, P2, P3 may not be available to the other participants P1, P2, P3. For example, the participants P1, P2, P3 may be in the form of physically separate hardware servers. In this example, the security threshold (t) is 1, i.e. if one of the parties P1, P2, P3 is malicious, that party will not be able to learn anything about x or sign the message M with the secret key x unless the other (honest) party agrees to sign M.

The client 1 sends a request KeyGen to each participant P1, P2, P3 requesting the participants P1, P2, P3 to generate a key pair ([ x ], y) containing a secret key [ x ] and a public key y. The client 1 is arranged in an environment surrounding a system comprising three parties P1, P2, P3, i.e. the client does not form part of the system to generate keys and signatures.

In response to receipt of the request KeyGen, the three parties P1, P2, P3 generate a key [ x ] as a random secret share among the three parties P1, P2, P3. This may include several rounds of interaction between the participants P1, P2, P3, and it may be done, for example, in the manner described below with reference to fig. 2. Thus, each participant P1, P2, P3 holds a share x1, x2, x3 of the secret key x, but none of the participants P1, P2, P3 possess the entire secret key x.

The three parties P1, P2, P3 also calculate the public key y as y-g^x. The public key y is disclosed in the sense that each participant P1, P2, P3 owns y, and in the sense that y is communicated to the client 1 by each participant P1, P2, P3. So that y is equal to g^xPublic or 'open', but x is still secret.

In the event that none of the participants P1, P2, P3 are malicious or are not compromised, the public key y transmitted by each participant P1, P2, P3 to client 1 will be the same, i.e. client 1 will receive three identical versions of y from the three participants P1, P2, P3. Thus, if client 1 receives three identical versions of y, it can conclude that none of the participants P1, P2, P3 are malicious or have been corrupted, i.e. that all participants P1, P2, P3 have acted correctly so far. On the other hand, in case the three versions of y received from the three parties P1, P2, P3 are different from each other, it may be concluded that at least one of the parties P1, P2, P3 is malicious or corrupted. In this case, the client 1 aborts the process.

When the key pair ([ x ], y) is generated, the client 1 initiates the signing process applying the generated key pair ([ x ], y) by sending a request Sign and a message M to be signed to each participant P1, P2, P3.

In response to the receipt of the request Sign and message M, the participants P1, P2, P3 participate in the signature generation process, which may require several rounds of interaction between the participants, and where each participant P1, P2, P3 applies its share x1, x2, x3 of [ x ] without disclosing the shares x1, x2, x3 to the other participants. At the end of the signature generation process, each participant P1, P2, P3 possesses a share s1, s2, s3 of the values R and s. The signature generation process may be performed, for example, in the manner described below with reference to fig. 3.

Each participant P1, P2, P3 then binds R and its [ s ]]The shares s1, s2, s3 are returned to client 1. In response to this, the client 1 calculates s from the received shares s1, s2, s3, e.g. using interpolation. Furthermore, client 1 calculates R ═ f (R), and accepts (R, s) as a valid signature only when the same version of R is received from at least two of the three participants P1, P2, P3. In addition, the client 1 may perform additional authentication checks, such as authentication R^s＝g^m·y^rIn order to make it accept the signature (r, s) as a valid signature.

Fig. 2 is a block diagram illustrating key generation using a method according to a second embodiment of the invention. The key generation illustrated in fig. 2 may be applied, for example, as part of the method illustrated in fig. 1.

In the embodiment illustrated in fig. 2, the three parties P1, P2, P3 cooperate to compute a key pair ([ x ], y), where [ x ] is a secret key in the form of a secret share between the three parties P1, P2, P3, and y is a public key. According to this embodiment, the share is a Shamir secret share with a security threshold of 1, i.e., t ═ 1.

In the first round of interaction between the parties P1, P2, P3, a secret key [ x ] is generated as random t Shamir secret shares between the parties P1, P2, P3. To this end, each participant P1, P2, P3 generates three random values, one for itself and one for each of the other participants P1, P2, P3, and forwards the generated values to the respective other participants P1, P2, P3. Thus, participant P1 generates and holds the value x1,1 itself, generates and forwards the value x1,2 to participant P2, and generates and forwards the value x1,3 to participant P3. Similarly, participant P2 generates and forwards the value x2,1 to participant P1, generates and holds the value x2,2 by itself, and generates and forwards the value x2,3 to participant P3. Finally, participant P3 generates and forwards the value x3,1 to participant P1, generates and forwards the value x3,2 to participant P2, and generates and maintains the value x3,3 by itself.

Thus, at the end of the first round of interaction between the participants P1, P2, P3, each participant P1, P2, P3 possesses three random values, namely the value generated by itself and the value received from each other participant P1, P2, P3. Based on these three values, each participant P1, P2, P3 generates a share of [ x ] x1, x2, x 3.

In a second round of interaction between the participants P1, P2, P3, the participants P1, P2, P3 calculate the public key y. To this end, each participant calculates yi ═ g^xiWhere G is the generator of the cyclic group G, yi is the value generated by the participant Pi, and xi is [ x ] held by the participant Pi]The fraction of (c). In addition, each participant P1, P2, P3 communicates the value yi to each other participant P1, P2, P3. Thus, participant P1 calculates y1 ═ g^x1And passes y1 to participants P2 and P3, etc. Thus, each participant P1, P2, P3 now possesses each of the three values y1, y2, and y 3.

Each participant P1, P2, P3 then checks whether the value yi received from the other two participants is authentic. This may include, for example, interpolation in the exponent. In case one of the participants P1, P2, P3 concludes that the value yi received from at least one of the other participants is not authentic, that participant P1, P2, P3 outputs a 'abort' signal, thereby aborting the signing process.

Without the participants P1, P2, P3 outputting 'abort' as described above, the signing process is allowed to continue and each participant P1, P2, P3 generates the public key y based on the values y1, y2, and y3 and using interpolation. According to the DSA/ECDSA standard, y ═ 1 is an illegal public key, so that if this is the case, the process should be aborted. It should be noted that if the protocol aborts, it may be restarted, resulting in the generation of another key pair. If y ≠ 1 is found, each participant P1, P2, P3 forwards an 'OK' signal to each other participant P1, P2, P3 as part of the third round of interaction between participants P1, P2, P3. Each participant P1, P2, P3 accepts its own version of y only when it receives an "OK" signal from each other participant P1, P2, P3. Otherwise, the signature process will be aborted.

In the case of receiving the "OK" signal from the other participants P1, P2, P3 as described above, the public key y is output.

Fig. 3 is a block diagram illustrating signature generation using a method according to a third embodiment of the invention. As in fig. 2, the secret sharing is Shamir sharing, and the security threshold is 1(t ═ 1). The process starts in fig. 3a and continues in fig. 3 b. The signature generation illustrated in fig. 3 may be applied, for example, as part of the method illustrated in fig. 1.

In the embodiment illustrated in fig. 3, the three parties P1, P2, P3 cooperate to generate a signature (r, s) for the message M by using a secret key [ x ] in the form of a secret share between the three parties P1, P2, P3. For example, the secret key [ x ] may be generated as t times Shamir share in the manner described above with reference to fig. 2.

In the first round of interaction between the parties P1, P2, P3 illustrated in fig. 3a, each party generates random t secret shares [ k ] and [ a ]. This is basically done in the manner described above with reference to fig. 2 with respect to the generation of [ x ]. The participants also generate three random 2t zero shares [ b ], [ d ], and [ e ], i.e., masked shares. Thus, at the end of the first round of interaction between participants P1, P2, P3, each participant P1, P2, P3 holds shares of each of [ k ], [ a ], [ b ], [ d ], and [ e ], and none of participants P1, P2, P3 possess any information about the secrets a and k.

Next, it is illustrated in FIG. 3a as wellIn the second round of interaction shown between participants P1, P2, P3, each participant P1, P2, P3 calculates the value Ri of g^kiWhere G is the generator of the cyclic group G, Ri is the value calculated by the participant Pi, and ki is [ k ] held by the participant Pi]The fraction of (c). Thus, the participant Pi calculates R1 ═ g^k1The participant P2 calculates R2 ═ g^k2And participant P3 calculates R3 ═ g^k3。

Further, each participant P1, P2, P3 calculates a value wi as wi-ki · ai + bi, where wi is the value calculated by the participant Pi, and ki, ai, and bi are the shares of [ k ], [ a ], and [ b ] held by the participant Pi, respectively. Thus, participant P1 calculates w1 ═ k1 · al + b1, participant P2 calculates w2 ═ k2 · a2+ b2, and participant P3 calculates w3 ═ k3 · a3+ b 3. If all participants are performing the prescribed action correctly, the shares w1, w2, w3 held by the participants form 2t Shamir shares [ w ], where w equals ak.

Each participant then discloses the calculated values Ri and wi to each of the other participants. Thus, each participant P1, P2, P3 now has each of the three values R1, R2 and R3 and each of the three shares wl, w2 and w3, so that R ═ g^kAnd w k a + b is now known to each participant P1, P2, P3, even though both k and a are still secret. This may be referred to as "open" R and w. Sharing [ b ]]It may be called "mask sharing" because it is added to [ ak]Does not change the secret, but "blinded" shares ak]So that it is impossible to see [ ak ] from outside the product ak]Derives any information about a or k.

At the end of the second round of interaction between participants P1, P2, P3, each participant P1, P2, P3 checks the correctness of R. This is based on the received values R1, R2 and R3 and using interpolation in the exponent. In case at least one of the participants P1, P2, P3 finds R incorrect, the process is aborted. Otherwise, the process continues.

Next, in a third round of interaction between the participants P1, P2, P3 illustrated in fig. 3b, each participant P1, P2, P3 calculates the value Wi as Wi-R^aiWhere Wi is the value calculated by the participant PiAi is held by party Pi]The fraction of (c). Furthermore, each participant P1, P2, P3 discloses the calculated value Wi to each other participant P1, P2, P3. Thus, each participant P1, P2, P3 now possesses each of the values W1, W2, W3, and by interpolation in the usage index, each participant P1, P2, P3 can calculate W ═ R^aWhile the value a is still secret. This may be referred to as "open" W.

At the end of the third round of interaction between the participants P1, P2, P3, each participant P1, P2, P3 checks the correctness of W based on the received values W1, W2, W3 and by using interpolation in the index. This is done using the value Wi in the same way as checking the correctness of R using the value Ri in the second round of interaction. In case at least one of the participants P1, P2, P3 finds W incorrect, the process is aborted. Otherwise, the process continues.

Finally, in the fourth round of interaction between participants P1, P2, P3, each participant P1, P2, P3 is based on the values w1, w2, and w3 and uses interpolation to calculate w.

In addition, each participant P1, P2, P3 is checked whether W is g^wTo verify w. As described above, it is mandatory to specify W ═ R^aAnd R ═ g^k. If this is not the case, the process is previously aborted. From this, it follows that W is g^ka. Thereby passing through the check whether g is^wEnsure W as a · k. It should be noted that [ w ]]Is not calculated as [ a ]][k]But is instead calculated as [ a ]][k]+[b]However, due to [ b]Is a share of 0, i.e., [ b ]]＝[0]Thus increasing [ b ]]There is no effect on this check.

At least one of the participants P1, P2 and P3 finds that W ≠ g^wIn case (2), the signature process is aborted. Otherwise, the process continues and each participant P1, P2, P3 computes the share s]The fraction si of (A) is:

si＝m·hi+r·hi·xi+m·di+ei

wherein:

hi＝ai·w^-1，

r ═ F (r), where F is a predefined function, and

h (M), where M is the message to be signed and H is a predefined function.

xi, di and ei are each [ x ] held by the participants Pi]、[d]And [ e]The fraction of (c). When each participant calculates its share si as described above, this means that the participants collectively calculate s]＝m[k^-1]+r[k^-1][x]+m[d]+[e]. If all participants do the prescribed action, this results in s]＝[k^-1(m+rx)]I.e. s-k required for DSA or ECDSA^-1(m+rx)。

Each participant P1, P2, P3 discloses the share si to each other participant P1, P2, P3, and each participant P1, P2, P3 uses interpolation to calculate s based on the received shares s1, s2 and s3, and then verifies the signature on the message M by using the public key y, i.e. by checking whether R ═ g^m·y^rTo check the correctness of s. If the correctness of S is confirmed, the signature (r, S) is accepted as the final signature of the message M.

Fig. 4 is a block diagram illustrating signature generation using a method according to a fourth embodiment of the invention. The process illustrated in fig. 4 includes six rounds of interaction between the three parties P1, P2, P3. The first three rounds of interaction between participants P1, P2, P3 are the same as those illustrated in fig. 3 and described above.

In the fourth round of interactions between participants P1, P2, P3, only participant P1 calculates s1 in the manner described above with reference to fig. 3, namely:

s1＝m·h1+r·h1·x1+m·d1+e1.

p1 then forwards s1 to participant P2, and in a fifth round of interactions between participants P1, P2, P3, participant P2 calculates s2 in the manner explained above with reference to fig. 3, and forwards s1 and s2 to participant P3.

In a sixth round of interaction between participants P1, P2, P3, participant P3 calculates s3 in the manner explained above with reference to fig. 3, and calculates s based on three shares s1, s2 and s3 and using interpolation. Participant P3 then checks s for correctness, and if s is correct, participant P3 accepts the signature (r, s) as the final signature (r, s) for message M.

Thus, in the embodiment illustrated in fig. 4, the signature (r, s) is received only by the participant P3, whereas in the embodiment illustrated in fig. 3, each participant P1, P2, P3 receives the signature (r, s). An embodiment like this may be practical because in the online phase, each participant P1, P2, P3 only needs to send a single message to one participant, whereas in the embodiment of fig. 3, each participant has to send a message to every other participant.

Fig. 5 is a block diagram illustrating key generation and signature generation using a method according to a fifth embodiment of the invention. The embodiment illustrated in fig. 5 is very similar to the embodiment illustrated in fig. 1 and will not be described in detail here.

However, in the embodiment illustrated in fig. 5, the process is initiated by one of the participants, i.e., participant P1, rather than by an external client. Thus, participant P1 performs the steps performed by the client in the embodiment of fig. 1, and the steps performed by participant P1 in the embodiment of fig. 1.

FIG. 6 is a flow chart illustrating a method according to an embodiment of the invention. The process starts at step 2. In step 3, a cyclic group G and a generator G of the cyclic group G are defined. In addition, functions F and H are defined. G. g, F, and H are each specified by the Digital Signature Algorithm (DSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) to be used to generate the digital signature.

At step 4, a random secret share [ x ] is generated between at least two parties, where x is a secret key.

At step 5, random secret shares [ a ] and [ k ] are generated between the at least two parties.

At step 6, the participant calculates [ w ]]＝[a]·[k]Then, at step 7, the participant calculated value R ═ g^k. For example, R may calculate a share R by each participant_jIs R_j＝g^k_jAnd according to the fraction R_jCalculated by calculating a value R, where k _ j is [ k ] held by participant j]The fraction of (c).

In step 8, it is investigated whether R is correct. If this is not the case, the process passes to step 9, at step 9 the signature process is aborted, and the process then returns to step 5 to generate new secret shares [ a ] and [ k ].

In the event that step 8 reveals that R is correct, the signing process is allowed to continue and the process passes to step 10 where the party calculates the authentication element W-g, step 10^ak. This is done by calculating R^aTo proceed with.

In step 11, it is investigated whether W is correct. If this is not the case, the process passes to step 9, at step 9 the signing process is aborted, and the process then returns to step 5 in order to generate new secret shares [ a ] and [ k ].

In case step 11 reveals that W is correct, the process goes to step 12, where step 12 it is investigated whether g is correct or not^wW. Since W is R^aAnd R ═ g^kIf W is equal to g^ak. Since w is a · k, g is calculated correctly if w has already been calculated correctly^wW. Thus, if g can be verified^wThen it can be inferred that W has been correctly calculated. Thus, g is revealed at step 12^wIn case of not equal W, the procedure goes to step 9, where the signing process is aborted, step 9, and the procedure then returns to step 5, in order to generate a new secret share a]And [ k ]]。

In step 12, g is verified^wIn the case of W, the process passes to step 13, where a share is generated between the participants s, step 13]And the signature is applied to the message. Finally, the process ends at step 14.