Computer-implemented method and system for acquiring digitally signed data

Document No.: 1205590   Publication date: 2020-09-01   Language: Chinese

Reading note: this technology, "Computer-implemented method and system for acquiring digitally signed data", was devised by C. S. Wright on 2019-01-10. Main content: A method of obtaining digitally signed data is disclosed. The method comprises sending first data ($e_2$) from at least one first participant of a plurality of first participants to at least one second participant, wherein the first data is based on second data ($e$) accessible to at least one said first participant, and the second data is not accessible to the or each said second participant. A digital signature ($s_1$) of the first data is received from at least one said second participant, and the plurality of first participants process the digital signature of the first data to provide shares of a digital signature ($s$) of the second data, wherein the digital signature of the second data is accessible through a threshold number of said shares and is inaccessible with fewer than the threshold number of shares.

1. A method of obtaining digitally signed data, the method comprising:

transmitting first data from at least one first participant to at least one second participant from among a plurality of first participants, wherein the first data is based on second data accessible to at least one of the first participants, and wherein the second data is not accessible to the or each second participant;

receiving a digital signature of the first data from at least one of the second participants; and

processing, by a plurality of the first participants, the digital signature of the first data to provide a share of a digital signature of the second data, wherein the digital signature of the second data is accessible through a threshold number of the shares and is inaccessible for less than the threshold number of shares.

2. The method of claim 1, wherein each said share of said digital signature of said second data comprises a share of a plurality of first secret values shared among a plurality of said first participants through Joint Random Secret Sharing (JRSS).

3. The method of claim 2, wherein each said share of said digital signature of said second data comprises at least one first mask share shared among said plurality of first participants by Joint Zero Secret Sharing (JZSS).

4. The method of any preceding claim, wherein the first data is generated by sharing of the first data such that the first data is accessible by a threshold number of the shares and is inaccessible to less than the threshold number of shares.

5. The method of claim 4, wherein each said share of said first data comprises a share of a plurality of said first secret values shared among said plurality of said first participants through Joint Random Secret Sharing (JRSS).

6. The method of claim 5, wherein each of the shares of the first data comprises at least one second mask share shared among the plurality of first participants by a Joint Zero Secret Sharing (JZSS).

7. The method of any of the preceding claims, further comprising: receiving third data, based on a second secret value, from at least one of the second participants.

8. The method of any preceding claim, wherein the digital signature of the first data is generated by a sharing of the digital signature of the first data shared between a plurality of the second participants, wherein the digital signature of the first data is accessible by a threshold number of the shares and is inaccessible for less than the threshold number of the shares.

9. The method of claim 8, wherein each said share of said digital signature of said first data comprises a share of a plurality of second secret values shared among a plurality of said second participants through Joint Random Secret Sharing (JRSS).

10. The method of claim 9, wherein each said share of said digital signature of said first data comprises at least one third mask share shared among said plurality of said second participants by Joint Zero Secret Sharing (JZSS).

11. The method of any preceding claim, wherein the second data is a message.

12. The method of any of claims 1 to 10, wherein the second data is a hash value of a message.

13. The method of any preceding claim, wherein the first data is a blockchain transaction.

14. The method according to any of the preceding claims, wherein at least one of the digital signatures is based on a cryptographic system having a homomorphic property.

15. The method of claim 14, wherein at least one of the digital signatures is based on an elliptic curve cryptography system.

16. A computer-implemented system, comprising:

a processor; and

memory including executable instructions that, as a result of execution by the processor, cause the system to perform any embodiment of the computer-implemented method according to any one of claims 1 to 15.

17. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by a processor of a computer system, cause the computer system to perform at least an embodiment of a method according to any one of claims 1 to 15.

Technical Field

The present invention relates generally to the security of data and computer-based resources. More particularly, the present invention relates to cryptocurrency and cryptography, and also to elliptic curve cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA), and threshold cryptography. The invention may be used to advantage in connection with blockchain-implemented cryptocurrencies such as (for example) bitcoin, but is not limited in this respect and may have broader applicability. In one embodiment, the present invention may be described as providing a dealerless blind threshold distribution protocol.

Background

In this document, we use the term "blockchain" to include all forms of electronic, computer-based distributed ledgers. These include consensus-based blockchain and transaction-chain techniques, permissioned and permissionless ledgers, shared ledgers, and variations thereof. Although other blockchain implementations have been proposed and developed, the most widely known application of blockchain technology is the bitcoin ledger. Although reference may be made herein to bitcoin for convenience and explanation, it should be noted that the present invention is not limited to use with the bitcoin blockchain, and that alternative blockchain implementations and protocols fall within the scope of the present invention. The term "user" may refer herein to a human or to a processor-based resource.

A blockchain is a peer-to-peer electronic ledger implemented as a computer-based decentralized, distributed system made up of blocks, which in turn are made up of transactions. Each transaction is a data structure encoding a transfer of control of a digital asset between participants in the blockchain system and includes at least one input and at least one output. Each block contains the hash of the previous block, so that the blocks are chained together to create a permanent, unalterable record of all transactions written to the blockchain since its inception. Transactions contain small programs, called scripts, embedded in their inputs and outputs that specify how and by whom the outputs of the transaction can be accessed. On the bitcoin platform these scripts are written in a stack-based scripting language.

In order for a transaction to be written to the blockchain it must be "validated". Network nodes (miners) perform work to ensure that each transaction is valid, and invalid transactions are rejected by the network. A software client installed on a node performs this validation work on an unspent transaction output (UTXO) by executing its locking and unlocking scripts. If execution of the locking and unlocking scripts evaluates to TRUE, the transaction is valid and is written to the blockchain. Thus, for a transaction to be written to the blockchain it must be: i) validated by the first node that receives it, which, if the transaction is valid, relays it to the other nodes in the network; ii) added to a new block built by a miner; and iii) mined, i.e. added to the public ledger of past transactions.

Although blockchain technology is most widely known for its use in cryptocurrency, digital entrepreneurs have begun exploring both the cryptographic security system on which bitcoin is based and the data that can be stored on the blockchain in order to implement new systems. It would be advantageous if blockchains could be used for automated tasks and processes beyond the field of cryptocurrency. Such solutions would be able to harness the benefits of the blockchain (e.g. permanence of events, tamper-resistant logging, distributed processing) while having greater utility in their applications.

The concept of decentralization is fundamental to the bitcoin methodology. Unlike distributed or centralized systems, decentralized systems have the advantage that there is no single point of failure, and they therefore provide a higher level of security and resilience. This security is further enhanced by the use of known cryptographic techniques such as elliptic curve cryptography and ECDSA.

However, while the bitcoin protocol itself had proven resistant to any significant attack at the time of filing this application, attacks have been made on the exchanges and wallets that complement or build on the bitcoin network. As the value of bitcoin increases, more such incidents are likely to occur in conventional centralized systems, such as those involving Mt. Gox and Bitfinex.

Disclosure of Invention

Therefore, a solution is needed to further enhance the security of such systems. The present invention provides such advantages, among others.

The present invention provides a method and system as defined in the appended claims.

According to the present invention, there may be provided a method of obtaining digitally signed data, the method comprising:

Sending first data from at least one first participant to at least one second participant from among a plurality of first participants, wherein the first data is based on second data accessible to at least one of the first participants, and wherein the second data is not accessible to the or each second participant;

receiving a digital signature of the first data from at least one of the second participants; and

processing, by a plurality of the first participants, the digital signature of the first data to provide a share of a digital signature of the second data, wherein the digital signature of the second data is accessible through a threshold number of the shares and is inaccessible for less than the threshold number of shares.

Providing shares of a digital signature of the second data by having a plurality of first participants process the digital signature of the first data, where the digital signature of the second data is accessible with a threshold number of shares and inaccessible with fewer, improves security in two ways: the second participants never have access to the second data, yet by signing the first data they enable a digital signature of the second data to be produced; and the threshold setting adds a further layer of protection. This provides the advantage that the first participants may appoint the second participants as custodians of a private key used to sign a message (e.g. a blockchain transaction), while preventing the second participants from using the key without authorization, because they have no access to the second data.

Each of the shares of the digital signature of the second data may include a share of a plurality of first secret values shared among a plurality of the first participants through Joint Random Secret Sharing (JRSS).

This provides the advantage of increased security by means of a dealerless secret-sharing scheme, in which the first participants jointly select the first secret values, thereby avoiding the weakness of a single-dealer system.

Each of the shares of the digital signature of the second data may include at least one first mask share shared among the plurality of first participants by Joint Zero Secret Sharing (JZSS).

The first data may be generated by sharing of the first data such that the first data is accessible through a threshold number of the shares and is inaccessible for less than the threshold number of shares.

Each of the shares of the first data may include a share of a plurality of the first secret values shared among the plurality of the first participants through Joint Random Secret Sharing (JRSS).

Each of the shares of the first data may include at least one second mask share shared among the plurality of first participants by Joint Zero Secret Sharing (JZSS).

The method may further include receiving third data, based on a second secret value, from at least one of the second participants.

This provides the advantage of facilitating the generation of a digital signature of the second data from a digital signature of the first data.

A digital signature of first data may be generated by a sharing of the digital signature of the first data shared among a plurality of the second participants, wherein the digital signature of the first data is accessible through a threshold number of the sharing and is inaccessible for less than the threshold number of the sharing.

Each of the shares of the digital signature of the first data may include a share of a plurality of second secret values shared among a plurality of the second participants through Joint Random Secret Sharing (JRSS).

Each of the shares of the digital signature of the first data may include at least one third mask share shared among the plurality of the second participants by Joint Zero Secret Sharing (JZSS).

The second data may be a message.

The second data may be a hash value of the message.

The first data may be a blockchain transaction.

At least one of the digital signatures may be based on a cryptographic system having a homomorphic property.

At least one of the digital signatures may be based on an elliptic curve cryptosystem.

The present invention also provides a system comprising:

a processor; and

a memory including executable instructions that, as a result of being executed by the processor, cause the system to perform any embodiment of the computer-implemented method described herein.

The present invention also provides a non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by a processor of a computer system, cause the computer system to perform at least the embodiments of the computer-implemented method described herein.

Drawings

These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described herein. Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:

FIG. 1 is a schematic diagram of a blind signature distribution system embodying the present invention; and

FIG. 2 is a schematic diagram illustrating a computing environment in which various embodiments may be implemented.

Detailed Description

SUMMARY

In this application, a threshold-based, dealerless blind signature distribution system is described that is fully compatible with bitcoin. The system builds on a group signature scheme that differs from the individual-signature model deployed in bitcoin wallets, and adds a new system designed to allow distributed threshold blind signing of messages. The system so deployed is scalable and robust, tolerant of errors and of malicious participants. It supports both dealer-based and dealerless deployment, with flexible combinations of distribution.

Blind signature schemes allow messages to be signed without knowledge of the message content. In bitcoin, this includes the ability to act as custodian for a bitcoin private key without knowing which addresses or keys are being protected.

In conjunction with a threshold signature scheme, in which a document can be validly signed by a threshold number of participants but not by fewer, this allows the holder of a bitcoin private key to create a trust system in which messages can be signed by a party that manages the address without that party knowing the amount held. Thus the first participant, Alice (the owner of a certain amount of bitcoin), can use the second participant, Bob, to hold Alice's key in a manner that does not allow Bob to learn how much bitcoin Alice controls. Alice can send more bitcoin to the blind address (or receive it from other parties), and Bob cannot discover how much bitcoin Alice holds and controls, nor the bitcoin address associated with it.

When combined with a threshold system, Alice can have multiple parties act together:

1) without any of them knowing the identity of the other blind parties; and

2) with her bitcoin protected across several systems in a way that still allows an authorized party to access her funds even if she is no longer available.

Because the threshold blind key only ever signs blinded messages, the parties cannot collude to access Alice's funds even if they learn the identities of the other parties and gather a threshold number of shares sufficient to blindly sign a message: that signature is only valid once it has been unblinded into a standard ECDSA bitcoin transaction signature.

The threshold blinding technique also increases the security of the underlying system: the blind signer can inject additional randomness into the address, which helps to protect against faulty random number generators (RNGs). The blind signer may act as a key escrow or custodian. This may serve as a backup of the master key against loss, or as a second layer of authorization and control. Using several systems or operators allows a RAID-like key management arrangement with greater redundancy and, when several independent parties act as trust protectors, greater security.

In existing bitcoin implementations, a payer's wallet may be lost, damaged or stolen, and the funds are then lost or unrecoverable; a hardware cryptocurrency wallet may likewise be compromised or lost. In the system described herein, the hardware system may be divided into multiple parts, and hardware devices may be safely removed or recreated. In the present application the following notation is used:

[notation table not reproduced in this copy]

The standard ECDSA verification values apply:

$w = s^{-1} \bmod n$

$u_1 = e \cdot w \bmod n$

$u_2 = r \cdot w \bmod n$

$X = u_1 G + u_2 D_A$

where $D_A$ is the signer's public key, $e$ the message hash and $(r, s)$ the signature; the signature is valid if the x-coordinate of $X$ equals $r \bmod n$.

All standard ECDSA rules apply. A linear transformation may be constructed such that

$s = x \cdot e + b$

This relationship is used to blind the message to be signed. The first participant (Alice) can now have a blinded message signed in place of the actual message: she keeps the message and sends only the blinded message hash.

1) Alice sends a blinded hash of the message to the second participant, Bob

2) Bob signs the blinded hash and returns the signed value to Alice

3) Alice unblinds Bob's value to obtain the signature. This can be used to construct a valid bitcoin transaction

Threshold blinding can be applied scalably in several configurations:

1) Alice's key is split

2) Bob's value is split

3) Both Bob's and Alice's keys are split

4) Alice's and Bob's keys are complete, but the blinding values are split

Let Alice choose a value $\alpha$ in the range $[1, n-1]$. Next, calculate:

$\beta = \mathrm{hash}(\alpha + 1)$

$\gamma = \mathrm{hash}(\alpha + \beta)$

$= \mathrm{hash}(\alpha + \gamma)$

If $\beta$ is the threshold, Alice may be considered a group of $T_u$ individuals, where $A_1$ to $A_{T_v}$ are the sliced (thresholded) versions of Alice and a particular instance is denoted $A_i$. Here $\alpha$ is selected using Algorithm 1, which is described in detail below.

Previous work

Shamir Secret Sharing Scheme (SSSS)

Shamir (1979) first introduced a dealer-based secret sharing scheme that allows distributed management of keys. The problem with this approach is that it requires trusting a dealer who cannot be verified. This form of scheme is fully compatible with the system disclosed in this application and can be used for group distribution of the individual key slices created by the process described herein.

Joint Random Secret Sharing (JRSS) (Pedersen, 1992)

The goal of this process is to let a group of participants share a secret collectively without any participant knowing the secret. Each participant chooses a random value as its local secret and uses SSSS to distribute shares of that value to the group. Each participant then adds all the shares it has received, including its own; the resulting sums form the joint random secret sharing. The randomness contributed by a single honest participant is sufficient to maintain the confidentiality of the combined secret value, even if all (n-1) other participants deliberately choose non-random values.

Joint Zero Secret Sharing (JZSS) (Ben-Or, 1988)

JZSS is similar to JRSS except that each participant shares 0 in place of a random value. Shares created in this way can be added to an existing sharing without changing the shared secret, which re-randomizes the shares and helps to eliminate potential weaknesses in the JRSS algorithm; the mask shares used below are produced this way.

Desmedt (1987) introduced the concept of group-oriented cryptography. The process allows participants to send messages to a group of people in a way that lets only a selected subset of participants decrypt the message. In such a system a group is said to be known if the sender must know the members and use their public keys, and anonymous if it has a single public key that is maintained independently of the members. The system disclosed in this application combines these two approaches and allows both known and anonymous senders and signers to coexist in one group.

Blind signature (Chaum 1982)

Blind signatures allow one party to create a valid signature for another party in a secure manner without the signer ever seeing the message. In this system only the signer can generate a valid signature, and the owner of the message to be signed can ensure that the message has not been altered and is distributed correctly, allowing the owner to redeem funds in the system, for example in bitcoin. Furthermore, the scheme is unlinkable: no party other than the one requesting the signature can derive the relationship between the blinded and unblinded values and signature pairs.
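As an added worked example (not code from the patent), the following Python implements the Chaum-style RSA blind signature exchange described above: the requester blinds the message digest, the signer signs without seeing it, and the requester unblinds. The RSA key is built from two constructed, deliberately small primes and the digest is reduced modulo the modulus; both are assumptions made only so the example runs instantly offline, and all function names are mine.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA signing key: the signer holds RSA_D and publishes (RSA_N, RSA_E).
# The primes are deliberately tiny so the example runs instantly; never use such a key.
_P, _Q = 1000000007, 998244353
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))


def message_digest(message: bytes) -> int:
    """Map the message to an integer below the modulus (toy encoding; a real
    scheme uses a full-domain hash rather than a plain modular reduction)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N


def blind(message: bytes) -> tuple:
    """Requester: choose a random blinding factor r and return (m * r^e mod n, r)."""
    m = message_digest(message)
    while True:
        r = secrets.randbelow(RSA_N - 2) + 2
        if gcd(r, RSA_N) == 1:
            return (m * pow(r, RSA_E, RSA_N)) % RSA_N, r


def sign_blinded(blinded: int) -> int:
    """Signer: apply the private exponent to whatever is handed over; m is never seen."""
    return pow(blinded, RSA_D, RSA_N)


def unblind(blinded_sig: int, r: int) -> int:
    """Requester: (m r^e)^d * r^-1 = m^d r r^-1 = m^d, the ordinary RSA signature on m."""
    return (blinded_sig * pow(r, -1, RSA_N)) % RSA_N


def verify(message: bytes, signature: int) -> bool:
    """Anyone: check s^e == H(m) mod n."""
    return pow(signature, RSA_E, RSA_N) == message_digest(message)


def blind_sign_exchange(message: bytes) -> dict:
    """Run the three steps (blind, sign, unblind) and return the transcript."""
    blinded, r = blind(message)
    blinded_sig = sign_blinded(blinded)
    signature = unblind(blinded_sig, r)
    return {"signer_view": (blinded, blinded_sig), "signature": signature,
            "valid": verify(message, signature)}


def consistent_with_candidate(candidate: bytes, blinded: int) -> bool:
    """Even with the private key, the signer can compute a blinding factor that
    makes ANY candidate message consistent with the blinded value it signed,
    which is why the transcript cannot be linked to the real message."""
    m_c = message_digest(candidate)
    r_c = pow(blinded * pow(m_c, -1, RSA_N) % RSA_N, RSA_D, RSA_N)
    return (m_c * pow(r_c, RSA_E, RSA_N)) % RSA_N == blinded
```

The last function is the unlinkability argument made concrete: since every candidate message admits a blinding factor explaining the signer's transcript, the signer learns nothing about which message it signed, which is the property the threshold scheme relies on when Bob's group signs for Alice.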

Including a blind signature in the threshold system allows messages to be signed under the bitcoin protocol without the signer being able to link ownership to a bitcoin address. The signer can therefore determine neither the amount of funds held by the party it protects nor the amounts transferred. This additional level of privacy adds security, since it is no longer possible to collude within the threshold set protecting the keys in order to steal funds: doing so would require knowing which blind keys are associated with which credits. In a peer-to-peer group, a system may be constructed in which a threshold set of members protects the keys of the other members. In this scheme a group of depositors each split the signing function among the other members, so that no member knows the holdings of the other members of the group.

This scheme can also be used for other forms of message exchange, allowing a distributed peer-to-peer group to maintain the privacy of all members without revealing sensitive information about any member of the group.

Method and implementation

The protocol of this embodiment may be based on hierarchical derivation of private keys, using elliptic curve cryptography (ECC) to encrypt the secret information that must be sent between participants. In this case it is both feasible and desirable to marshal all messages into a single data packet sent to all users, so that it can be authenticated when necessary against potentially compromised or hostile participants.

Signature generation is proposed by a coordinating participant $P_{(c)}$. By default, any key holder may act as the coordinating participant; whether this requires a separate implementation depends on the protocol. The algorithms used are listed below, and their deployment is described in detail in the following sections.

Creating dealerless blind ECDSA threshold keys

In the system of this embodiment, a group of first participants Alice(i) is defined as the ownership group: the beneficial controller of the private key. A group of second participants Bob(i) provides the ability for a group or system to blindly sign on behalf of that controller.

Alice group

First, the blinded threshold group Alice(i) selects a set of first secret values in the form of random numbers in $[1, n-1]$.

The group has $T_v$ members with threshold $T_u$; let $A_{a,i}$ be the slice (share) of the secret $A_a$ held by the $i$-th member.

Algorithm 1 - Key Generation (for a more detailed version of Algorithm 1, see the appendix below)

Domain parameters: curve, base $n$, generator $G$

Input: N/A

Output: blind key shares $A_{a,1}, \ldots, A_{a,i}$; $A_{b,1}, \ldots, A_{b,i}$; $A_{c,1}, \ldots, A_{c,i}$; $A_{d,1}, \ldots, A_{d,i}$

Using Algorithm 1, the members of Alice's group take part in a $T_u$-of-$T_v$ JRSS exchange. Here a threshold $T_u$ of Alice's $T_v$ members is required to create or use the first secret value $A_a$.

Similarly, the JRSS process is used with Algorithm 1 to create the other first secret values: $A_b$ from the shares $A_{b,i}$, $A_c$ from $A_{c,i}$ and $A_d$ from $A_{d,i}$.

Each value may be created and used with the same threshold set $(u, v)$, or may be partitioned and created using separate thresholds and members.

In this system the secret shares $A_{a,i}$, $A_{b,i}$, $A_{c,i}$ and $A_{d,i}$ are used only once. If these values need to be used again, Algorithm 2, described in more detail below, re-shares the secret using the JZSS variant.

Algorithm 2 - Updating the private key (for a more detailed version of Algorithm 2, see the appendix below)

Input: participant $P_i$'s shares $A_{a,i}, A_{b,i}, A_{c,i}, A_{d,i}$ of the private keys $A_a, A_b, A_c, A_d$

Output: participant $P_i$'s new private key shares $A'_{a,i}, A'_{b,i}, A'_{c,i}, A'_{d,i}$

In the simplest case of a single Alice group (one group sharing $(T_u, T_v)$), the process requires $T_v$ broadcasts, one value each.

$A_{a,i}$, $A_{b,i}$, $A_{c,i}$ and $A_{d,i}$ may each be sent in a single broadcast message.

Bob group

The group of second participants Bob(i) is defined as the signature group. It has threshold $(T_u', T_v')$, i.e. $T_u'$ of its $T_v'$ members are required, to share and use the second secret values $(B_p, B_q)$, where $B_p$ and $B_q$ are the blinding values that Bob's group uses to sign blinded messages for Alice's group.

Algorithm 4 - Blind key for Bob group

1) The members Bob(i) of Bob's group select a set of second secret values in the form of random numbers, held as shares $B_{p,i}$ and $B_{q,i}$ of $B_p$ and $B_q$.

2) Bob's group computes the following values:

a) $B_P = B_p^{-1} \cdot G$

b) $B_Q = B_q \cdot B_p^{-1} \cdot G$

Here $B_P$ is calculated using a variant of Algorithm 3, which is described in more detail in the appendix of the present application.

3) Generate mask shares:

$b_{a,i} \leftarrow \mathbb{Z}_q$ using JRSS

$b_{b,i}, b_{c,i} \leftarrow \mathbb{Z}_q^{2}$ using JZSS

4) Broadcast:

$\alpha_i = B_{p,i} \cdot b_{a,i} + b_{b,i} \bmod q$

$\beta_i = b_{a,i} \cdot G$

5) $\chi = \mathrm{Interpolate}(\alpha_1, \ldots, \alpha_{T_v})$ $[= B_p \cdot b_a \bmod q]$

where $\mathrm{Interpolate}(\alpha_1, \ldots, \alpha_{T_v})$ denotes recovery of the secret value shared among the participants from the shares $\alpha_i$.

6) $\text{Exp-Interpolate}(\beta_1, \ldots, \beta_{T_v})$ $[= b_a \cdot G]$

where $\text{Exp-Interpolate}(\beta_1, \ldots, \beta_{T_v})$ denotes recovery of the elliptic curve point whose discrete logarithm is shared among the participants from the point shares $\beta_i$.

7) $\chi^{-1} \times (b_a \cdot G) = (B_p^{-1} \cdot b_a^{-1}) \cdot b_a \cdot G$ $[= B_p^{-1} \cdot G]$

This is a point function; $(B_p^{-1} \cdot G)$ can be used as the input to the modified Algorithm 1.

8) Using $B_{q,i}$ (the shares of $B_q$) and $(B_p^{-1} \cdot G)$ from step 7, each member Bob(i) broadcasts:

$f_i = B_{q,i} \times (B_p^{-1} \cdot G)$

9) $B_Q = \text{Exp-Interpolate}(f_1, \ldots, f_{T_v})$ $[= B_q \cdot B_p^{-1} \cdot G]$

10) The two EC points $B_P$ and $B_Q$ are transmitted to Alice's group as the third data. A secret exchange may be used to maintain confidentiality, e.g. as disclosed in international patent application WO 2017/145016.
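The following Python is an added worked example, not code from the patent, covering the SSSS, JRSS and JZSS primitives described under Previous work and steps 1 to 9 of Algorithm 4 above (Alice's Algorithms 5 and 6 reuse the same Interpolate, Exp-Interpolate and masked-inverse operations). Assumptions not stated on the page: the curve is secp256k1 with $q = n$ the group order; the JZSS mask $b_b$ in step 4 is dealt at degree $2t$, because the product share $B_{p,i} \cdot b_{a,i}$ is a degree-$2t$ sharing and must be interpolated from $2t+1$ shares; and at least $2t+1$ members are online. All names are mine.

```python
import secrets

# secp256k1 domain parameters (assumption: the page only says "curve, base n, generator G").
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)


def ec_mul(k, Q):
    """Double-and-add scalar multiplication k*Q, k reduced mod the group order."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R


def shamir_share(secret, degree, n):
    """SSSS: shares (i, f(i)) of `secret` under a random polynomial of the given degree."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(degree)]
    return [(i, sum(c * pow(i, j, N) for j, c in enumerate(coeffs)) % N)
            for i in range(1, n + 1)]


def lagrange_at_zero(i, idxs):
    """Lagrange coefficient of share i for evaluating the polynomial at 0."""
    num = den = 1
    for j in idxs:
        if j != i:
            num = num * (-j) % N
            den = den * (i - j) % N
    return num * pow(den, -1, N) % N


def interpolate(shares):
    """Interpolate(): recover the shared scalar from (index, value) shares."""
    idxs = [i for i, _ in shares]
    return sum(v * lagrange_at_zero(i, idxs) for i, v in shares) % N


def exp_interpolate(point_shares):
    """Exp-Interpolate(): recover secret*G from point shares (index, share*G)."""
    idxs = [i for i, _ in point_shares]
    R = None
    for i, Q in point_shares:
        R = ec_add(R, ec_mul(lagrange_at_zero(i, idxs), Q))
    return R


def joint_sharing(n, degree, deal_value):
    """JRSS (each party deals a random value) or JZSS (each party deals 0):
    every party adds up the shares it received, including its own."""
    deals = [shamir_share(deal_value(), degree, n) for _ in range(n)]
    return [(i, sum(d[i - 1][1] for d in deals) % N) for i in range(1, n + 1)]


def jrss(n, t):
    return joint_sharing(n, t, lambda: secrets.randbelow(N))


def jzss(n, degree):
    return joint_sharing(n, degree, lambda: 0)


def bob_group_blind_keys(n, t):
    """Algorithm 4, steps 1-9, for a Bob group of n members with threshold t.
    Produces BP = Bp^-1*G and BQ = Bq*Bp^-1*G while no member reconstructs Bp
    or Bq.  Bp and Bq are also returned, reconstructed here only for checking."""
    assert n >= 2 * t + 1, "product shares need 2t+1 parties"
    Bp, Bq = jrss(n, t), jrss(n, t)            # step 1: second secret values
    ba = jrss(n, t)                            # step 3: random mask b_a (JRSS)
    bb = jzss(n, 2 * t)                        # step 3: zero mask b_b, degree 2t (JZSS)
    alpha = [(i, (Bp[i - 1][1] * ba[i - 1][1] + bb[i - 1][1]) % N)
             for i in range(1, n + 1)]         # step 4: alpha_i = Bp_i*ba_i + bb_i
    beta = [(i, ec_mul(ba[i - 1][1], G)) for i in range(1, n + 1)]  # beta_i = ba_i*G
    chi = interpolate(alpha[:2 * t + 1])       # step 5: chi = Bp*ba mod q
    baG = exp_interpolate(beta[:t + 1])        # step 6: ba*G
    BP = ec_mul(pow(chi, -1, N), baG)          # step 7: chi^-1 * ba*G = Bp^-1*G
    f = [(i, ec_mul(Bq[i - 1][1], BP)) for i in range(1, n + 1)]   # step 8: f_i = Bq_i*BP
    BQ = exp_interpolate(f[:t + 1])            # step 9: Bq*Bp^-1*G
    return BP, BQ, interpolate(Bp[:t + 1]), interpolate(Bq[:t + 1])
```

The masked inverse in steps 5 to 7 is the part worth studying: the group publishes only $\chi = B_p b_a$ (a product with a fresh random mask) and $b_a G$, so $B_p$ itself never appears, yet $\chi^{-1} \cdot b_a G$ equals $B_p^{-1} G$. Alice's Algorithm 6, steps 8 to 12, applies exactly the same trick to obtain $A_c^{-1} B_P$.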

Threshold messages to be blinded

Next, the Alice(i) group uses the values from the Bob(i) group to compute a value that can safely be released, because it has been blinded using (5).

Algorithm 5 - Alice (single group)

Alice knows $B_P$ and $B_Q$ from the earlier broadcast by the Bob(i) group.

Alice starts by calculating the secret value

$A_K = (A_c \cdot A_a)^{-1} \cdot B_P$

This is done as follows:

1) Create mask shares $M_{a,i}$ using JZSS.

2) Each Alice(i) broadcasts the value

$A_{\mu,i} = (A_{c,i} \cdot A_{a,i}) + M_{a,i} \bmod q$

$[\text{interpolates to } A_c \cdot A_a \bmod q]$

3) Now the Alice(i) group computes $A_\mu$, where

$A_\mu = \mathrm{Interpolate}(A_{\mu,1}, \ldots, A_{\mu,T_v}) \bmod q = A_c \cdot A_a \bmod q$

Thus $A_\mu^{-1} = (A_c \cdot A_a)^{-1}$.

4) $A_K = A_\mu^{-1} \cdot B_P$ $[= (A_c \cdot A_a)^{-1} \times B_P]$

Next, Alice(i) computes the blinded public key:

$A_T = (A_a \cdot A_{K(x)})^{-1} \cdot (A_b \cdot G + B_Q + A_d \cdot A_c^{-1} \times B_P)$

where $A_{K(x)}$ denotes the x-coordinate of the elliptic curve point $A_K$.

Bob's group does not know $A_T$ or $A_K$, and without $A_a$, $A_b$, $A_c$ and $A_d$ it cannot determine whether any of its values or work is involved in any transfer of funds to or from the bitcoin address associated with $A_T$. If Alice's group keeps these values as threshold secrets, neither B
ob nor any other party ever learns Alice's details.

Alice can now use the public key $A_T$ in the standard creation of a bitcoin address; even though Bob played a part in signing transactions, Alice has further obscured Bob's ability to determine her address.

Algorithm 6 - Alice computing the public key

1) Generate mask shares using JRSS.

2) Generate mask shares using JZSS.

3) Compute:

$A_{\mu,i} = (A_{a,i} \cdot A_{K(x)})$ $[\text{interpolates to } A_a \cdot A_{K(x)} \bmod q]$

and broadcast $A_{\mu,i}$ to all Alice(i) members (where $A_{K(x)}$ is the x-coordinate of the point $A_K$).

4) Calculate $(A_b \cdot G)$ using Algorithm 1. Here

$A_{f,i} = G \times A_{b,i}$

Broadcast $A_{f,i}$ to all Alice(i) members, and

$(A_b \cdot G) = \text{Exp-Interpolate}(A_{f,1}, \ldots, A_{f,T_v})$ $[= A_b \times G]$

5) Calculate $[A_a \cdot A_{K(x)}]^{-1}$. First take $A_\mu$:

$A_\mu = \mathrm{Interpolate}(A_{\mu,1}, \ldots, A_{\mu,T_v}) \bmod q$ $[= A_a \cdot A_{K(x)}]$

This can then be used to calculate $[A_a A_{K(x)}]^{-1}$. Note that, because $A_{K(x)}$ is known within the group, whoever reconstructs $A_\mu$ can also recover $A_a = A_\mu \cdot A_{K(x)}^{-1}$, so this reconstruction must stay inside Alice's group.

6) First, calculate the value $(A_c^{-1} \cdot B_P)$ using the same method as in Algorithm 4.

7) This is used to calculate the value $(A_d \cdot A_c^{-1} \cdot B_P)$.

8) Generate mask shares:

using JRSS, $M_{d,i} \leftarrow \mathbb{Z}_q$

using JZSS, $M_{e,i}$

9) Broadcast values to the Alice(i) set:

$\alpha_i = A_{c,i} \cdot M_{d,i} + M_{e,i} \bmod q$

$\beta_i = B_P \times M_{d,i}$

10) $\chi = \mathrm{Interpolate}(\alpha_1, \ldots, \alpha_{T_v})$ $[= (A_c \cdot M_d) \bmod q]$

11) $\text{Exp-Interpolate}(\beta_1, \ldots, \beta_{T_v})$ $[= B_P \times M_d]$

12) $(A_c^{-1} \cdot B_P) = \chi^{-1} \times (B_P \times M_d)$ $[= B_P \times A_c^{-1}]$

Return $A_c^{-1} B_P$ as a point on the curve. This is used as input to Algorithm 1.

13) Using $A_{d,i}$ and the EC point $(A_c^{-1} B_P)$, each member of Alice(i) broadcasts:

$f_i = A_{d,i} \times (A_c^{-1} B_P)$

14) $A_d \cdot A_c^{-1} \cdot B_P = \text{Exp-Interpolate}(f_1, \ldots, f_{T_v})$ $[= (A_d \cdot A_c^{-1} \cdot B_P)]$

15) Everything needed to compute the public key $A_T$ is now available. It is calculated as:

$A_T = (A_a \cdot A_{K(x)})^{-1} \cdot (A_b \cdot G + B_Q + A_d \cdot A_c^{-1} B_P) = A_a^{-1} A_{K(x)}^{-1} (A_b + B_q B_p^{-1} + A_d A_c^{-1} B_p^{-1}) G$ (1)

that is, (5.4) × [(6.4) + $B_Q$ + (6.14)], which returns the EC point $A_T$ used as the blinded public key.

Creating bitcoin addresses

The public key is converted in the standard way to create a bitcoin address, with $A_T = A_T(x, y)$:

1) Represent the public key in compressed form: a prefix byte giving the parity of $A_T(y)$ (0x02 for even, 0x03 for odd) followed by the complete $A_T(x)$ coordinate.

2) Hash the public key twice:

a) with SHA256,

b) then with RIPEMD160.

3) Prepend a version byte (the bitcoin address version number). For a standard mainnet pay-to-public-key-hash address this is 0x00; if P2SH is to be used, the mainnet version byte is 0x05.

4) Append a checksum to the end of the versioned public-key hash from (3). The checksum is the first 4 bytes of the double SHA256 hash of the value returned from (3).

5) Base58-encode the value created in (4). This is a standard-format bitcoin address: the Alice(i) group may receive payment at this address, and it is displayed like any ordinary bitcoin address of that time.

Unless Alice leaks the values $A_a$, $A_b$, $A_c$ and $A_d$, nobody, including Bob, can see who owns the $A_T$ address.

Even if these values are compromised, Alice(i) need not let anyone know that they relate to the Bob(i) signing set. If Alice has a poor RNG she is still safe, because Bob(i) can inject randomness into the process.

Blinded signatures in the threshold set

To sign a message, to pay a fee in bitcoin, or to sign any other message (e.g. an email on an anonymous host), the Alice(i) group needs the hash $e = H(m)$ of the message or transaction. Using the message (or transaction) hash and the signature, Alice(i) can reconstruct the message (transaction) and redeem the funds from the bitcoin public key $A_T$ and the associated bitcoin base58 address.

Algorithm 3 signature generation - for a detailed version of Algorithm 3, see the appendix below

Domain parameters: curve, base n, generator G

Input: message to sign $e = H(m)$

Private key shares

Output: signature

for $e = H(m)$

Alice maintains privacy by not letting Bob(i) know the content of the message (transaction). So that Bob(i) does not discover that he is signing a message related to $A_T$, Alice(i) blinds the hash value.

Algorithm 7 - blinded hashing

Alice creates the first data, namely a blinded version of the second data, the hashed message (transaction) $e$, where

$e_2 = A_a \cdot e + A_b \pmod q$

It is created as follows:

1) First, Alice(i) generates a mask share $Ma_i \leftarrow \mathbb{Z}_q$ using JZSS.

2) Alice(i) computes the value $Av_i = A_{a_i} \cdot e + A_{b_i} + Ma_i \pmod q$ and sends $Av_i$ to the other Alice members, who can interpolate the set of values:

3) $e_2 = \text{Interpolate}(Av_1, \ldots, Av_v) = A_a \cdot e + A_b \pmod q$

4) $e_2$ is broadcast to the Bob(i) group. This is done over an encrypted channel on which Bob verifies Alice's identity, which can be achieved, for example, by the arrangement disclosed in international patent application WO 2017/145016. Here Alice pays Bob for the signature, and the values are exchanged over the encrypted session channel.

If Bob receives and signs a message from someone other than Alice, the value cannot be unblinded and so remains secure. Even if Bob keeps a record of the payment, he has no information about the Alice transaction being signed, because the value $e_2$ is blinded and Alice sends Bob only the blinded hash, never the message.

Bob now signs the blinded hash and returns it (i.e. the digital signature of the first data) to Alice.

Bob(i) creates the message $s_1 = B_p \cdot e_2 + B_q \pmod q$

$s_1$ is returned to Alice; $s_1$ is a blinded version of the signature.

To do this, Bob(i) uses Algorithm 8 to sign from its threshold set and returns $s_1$ to Alice(i).

Algorithm 8

$s_1 = B_p \cdot e_2 + B_q \pmod q$

1) Bob(i) creates mask shares $M_{b(i)} \leftarrow \mathbb{Z}_q$ using JZSS.

2) Bob(i) broadcasts

$Bs_i = B_{p(i)} \cdot e_2 + B_{q(i)} + M_{b(i)} \pmod q$

3) $s_1 = \text{Interpolate}(Bs_1, \ldots, Bs_{Tv})$ $[= B_p \cdot e_2 + B_q \pmod q]$

4) Bob(i) sends the blinded signature value $s_1$ to Alice(i).

Alice now has the blinded $s_1$ part of the signature and, as $A_K(x)$, the $R$ part.

Alice(i) can use the threshold de-blinding method of Algorithm 9 to recover the $s$ signature value, i.e. the digital signature of the second data, from the blinded $s_1$ value.

Algorithm 9

Alice(i) wants to obtain the de-blinded $s$ signature component from the blinded part $s_1$. She computes $s$ as $A_c \cdot s_1 + A_d \pmod q$.

To this end, Alice(i):

1) creates mask shares $Ma_i$ using JZSS;

2) broadcasts to all other Alice members

$s_i = A_{c(i)} \, s_1 + A_{d(i)} + Ma_i$

3) $s = \text{Interpolate}(s_1, \ldots, s_{Tv})$ $[= A_c \cdot s_1 + A_d \pmod q]$

Now every party in the Alice(i) group has $(A_K(x), s)$, which is a valid ECDSA signature and may be verified in the bitcoin protocol as usual using the public key $A_T$ or the associated bitcoin address.

That $s$ is a valid ECDSA signature on $e$ can be shown as follows. Expanding $s$:

$s = A_c s_1 + A_d = A_c (B_p e_2 + B_q) + A_d$

$\quad = A_c B_p (A_a e + A_b) + A_c B_q + A_d = A_c B_p A_a e + A_c B_p A_b + A_c B_q + A_d$

$\quad = (A_c B_p A_a)\left(e + A_a^{-1}[A_b + B_q B_p^{-1} + A_d A_c^{-1} B_p^{-1}]\right)$

But from equation (1) above, the private key $d_A$ corresponding to the public key $A_T$ is

$d_A = A_a^{-1} A_K(x)^{-1} (A_b + B_q B_p^{-1} + A_d A_c^{-1} B_p^{-1})$

so that $A_a^{-1}[A_b + B_q B_p^{-1} + A_d A_c^{-1} B_p^{-1}] = A_K(x)\, d_A$. Hence

$s = (A_c B_p A_a)[e + A_K(x) d_A] = k^{-1}[e + A_K(x) d_A]$, where $k = (A_c B_p A_a)^{-1}$

which is the ECDSA signing equation with $r = A_K(x)$; thus $s$ is a valid ECDSA signature on $e$ and verifies under the public key $A_T$.

Accompanied by the message, this signature can form a standard bitcoin transaction in which Alice(i) can redeem the funds when it is broadcast to the bitcoin network.

Bob(i) has no information about which address Alice has used.

He knows neither the bitcoin address, nor the transaction amount, nor where it was sent.

Even though Bob(i) holds and protects a key, he knows nothing about the transaction.
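The following Python is an added example, not the patent's own code: Algorithms 7, 8 and 9 run end to end for one Alice and one Bob, with the threshold sharing stripped away so that the algebra of the validity argument above is visible, followed by ordinary ECDSA verification of the result against $A_T$. Two definitions the excerpt does not state explicitly are assumed: $BP = B_p^{-1} G$ and $BQ = B_q B_p^{-1} G$ (what equation (1) implies), and $A_K = (A_a A_c B_p)^{-1} G$ (what the proof requires; Alice computes it from $BP$ without knowing $B_p$). The curve arithmetic is a minimal pure-Python secp256k1 written for this example and is not constant-time; secrets are drawn fresh on every run:

```python
"""Added example, not from the patent: Algorithms 7-9 for one Alice and one Bob,
then textbook ECDSA verification of (r, s) against A_T.
Assumed (see lead-in): BP = B_p^-1 G, BQ = B_q B_p^-1 G, A_K = (A_a A_c B_p)^-1 G.
Minimal pure-Python secp256k1; illustrative only, not constant-time."""
import hashlib
import secrets

# secp256k1 domain parameters (the page's modulus q is the group order N here)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def inv(a, m):
    return pow(a, -1, m)  # modular inverse (Python 3.8+)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = None
    k %= N
    while k:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r

def rand():
    return 1 + secrets.randbelow(N - 1)

def hash_to_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def bob_setup():
    """Bob's secrets (B_p, B_q) and the two points he gives Alice."""
    bp, bq = rand(), rand()
    BP = mul(inv(bp, N), G)           # assumed: BP = B_p^-1 G
    BQ = mul(bq * inv(bp, N) % N, G)  # assumed: BQ = B_q B_p^-1 G
    return (bp, bq), (BP, BQ)

def alice_setup(BP, BQ):
    """Algorithm 6 for a single party: A_K, r = A_K(x) and the blinded key A_T."""
    aa, ab, ac, ad = rand(), rand(), rand(), rand()
    AK = mul(inv(aa * ac % N, N), BP)  # = (A_a A_c B_p)^-1 G, without knowing B_p
    r = AK[0] % N
    Ac_inv_BP = mul(inv(ac, N), BP)    # step 6: A_c^-1 BP
    T = add(add(mul(ab, G), BQ), mul(ad, Ac_inv_BP))  # A_b G + BQ + A_d A_c^-1 BP
    AT = mul(inv(aa * r % N, N), T)    # equation (1)
    return (aa, ab, ac, ad), r, AT

def alice_blind(secret, e):            # Algorithm 7: e2 = A_a e + A_b
    aa, ab, _, _ = secret
    return (aa * e + ab) % N

def bob_blind_sign(bob_secret, e2):    # Algorithm 8: s1 = B_p e2 + B_q
    bp, bq = bob_secret
    return (bp * e2 + bq) % N

def alice_unblind(secret, s1):         # Algorithm 9: s = A_c s1 + A_d
    _, _, ac, ad = secret
    return (ac * s1 + ad) % N

def ecdsa_verify(pub, e, r, s):
    """Textbook ECDSA verification: x(e s^-1 G + r s^-1 Q) mod n == r."""
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv(s, N)
    X = add(mul(e * w % N, G), mul(r * w % N, pub))
    return X is not None and X[0] % N == r

def run(message):
    """Whole exchange. Returns (r, s, A_T, verified, Bob's view (e2, s1))."""
    e = hash_to_int(message)
    bob_secret, (BP, BQ) = bob_setup()
    alice_secret, r, AT = alice_setup(BP, BQ)
    e2 = alice_blind(alice_secret, e)    # the only hash Bob ever sees
    s1 = bob_blind_sign(bob_secret, e2)  # Bob signs without e, r or A_T
    s = alice_unblind(alice_secret, s1)
    return r, s, AT, ecdsa_verify(AT, e, r, s), (e2, s1)
```

`run(b"constructed sample transaction")` returns a pair $(r, s)$ that verifies under $A_T$ while Bob's entire view is $(e_2, s_1)$; the same pair fails against any other message hash, and $s_1$ alone is not a signature on anything, which is the point of keeping $A_c$ and $A_d$ with Alice.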

Security considerations

Benger et al. (2014) gave an example of ECDSA private key recovery using a FLUSH+RELOAD cache attack. This scenario is just one example of attacks on system RAM and cache. Such methods make it insufficient to use a scheme such as Shamir's SSS [1979] if the private key is ever reconstructed. Furthermore, wherever the private key is reconstructed a requirement for trust is introduced: it is necessary to rely on the systems and processes of the entity holding the private key. Even if the trusted party is not malicious, its procedures must be relied upon. As many recent compromises show, this reliance on reconstructed private keys provides an avenue of attack.

Since it is both a direct substitute for existing ECDSA implementations and completely transparent and compatible with the current bitcoin protocol, implementing the present invention requires neither a hard nor a soft fork, and its transactions are indistinguishable from any current transaction. The present invention may treat an individual as a single participant, allowing group signatures with keys for recovery functions. For example, a two-of-two scheme may be implemented using four key shares, where an online wallet provider or exchange holds two shares and the end user holds two. The exchange and the user each run a two-of-two process on their own key shares, and then combine the results with each other as needed to sign messages securely.

In this scenario, the Bob(i) group can at most view the hash of the message provided by Alice(i).

1. Since the members of Bob(i) cannot learn the values $A_a$ or $A_b$, jointly or independently, no member of the group can determine whether $e_2$ is a blinded version of the message hash $e$.

2. Likewise, Bob(i) does not know the values $A_c$ or $A_d$, and therefore cannot determine the relationship between the signature values $s$ and $s_1$.

3. In a similar manner to Rabin signatures, Bob(i) cannot easily determine the value $A_a A_c$. Under the elliptic curve discrete logarithm assumption, Bob(i) cannot determine $A_T(x)$ from the elliptic curve point $BP$.

4. In a similar manner, Bob(i) does not know whether the values $BP$ or $BQ$ have been used in constructing the Alice(i) group public key $A_T(x, y)$.

5. Here, even once Alice(i) has broadcast the unblinded message, the public key associated with the transaction remains ambiguous. If Alice(i) delays broadcasting after receiving the blind signature from Bob(i), the many other transactions in the bitcoin block mean that Bob(i) can be certain of no more than that Alice(i) holds the signed message and may have transacted it at some time after receiving it.

6. No external party needs any information about the transaction between Alice(i) and Bob(i), so the level of privacy between these parties is improved.

A valid result of this process is that a threshold group, which may or may not represent the entire Alice(i) membership, can send to a guardian group, Bob(i), which assists in signing transactions or other messages while the content of the message provided by Alice(i) remains hidden.

As long as Alice(i) remains in a position where it has reasonable confidence in the transmission of the message, and the volume of messages (e.g. bitcoin transactions) in the system remains significantly above zero, Bob(i) cannot determine which messages may have come from Alice(i).

In this scheme it is important that Alice(i) does not reuse the parameters $A_a$ and $A_b$ when signing different hash values. If these values are reused with different values of $e$, Bob(i) obtains information linking the blinded hash $e_2$ to the original hash value $e$ of the broadcast message: each reuse adds a further linear equation in $A_a$ and $A_b$, so Bob(i) can solve for their relationship and hence for the message $e$. Bob(i) would then be able to search the blockchain for the value $e$ and link it to the corresponding Alice(i) group public key $A_T(x, y)$, and possibly to other derived public keys associated with the group.

In a similar manner, it is important that Alice(i) does not reuse the parameters $A_c$ and $A_d$, since this would allow Bob(i) to compute the relationship between the blinded signature used by Alice(i) and the published signature, and hence, as with reuse of $A_a$ and $A_b$, to search the blockchain and determine the Alice(i) group public key $A_T(x, y)$.

Similarly, the parameters $B_p$, $B_q$, $BP$ and $BQ$ generated by Bob(i) should not be reused. Without these parameters Alice(i) cannot forge a blinded signature of the kind created by Bob(i), and therefore cannot unblind one into what would appear to be a signature generated under the public key $A_T(x, y)$. Since the values $B_p$ and $B_q$ are calculated by Bob(i) using a derived-key scheme, for example the arrangement disclosed in international patent application WO 2017/145016, $B_p$ and $B_q$ are unique for each message generated by Alice(i), and any party using the service will have its own version of $B_p$ and $B_q$ generated for each message, never reused under the assumption of a collision-free hash algorithm.

The present invention seeks to enhance cryptocurrency by introducing a group signature process. Coupling a distributed key creation system to a fault-tolerant signature system eliminates all centralization and trust requirements, whereas many system developments require trust. Furthermore, the introduction of an implicitly decentralized system allows more robust and flexible protocols to be created. The compatibility between ECDSA [Johnson, 2001] and Shamir's SSS [Shamir, 1979] allows the introduction of a system that extends bitcoin using a new verifiable secret sharing scheme. The system is far more efficient than any of the Feldman [Feldman, 1987] or Pedersen [Pedersen, 1992] derived systems, without any loss of security.

The introduction of threshold signature blinding, which extends the work of Chaum (1982), leads to a situation where no trusted party needs to be present even in a network-based exchange. In this way a true form of anonymous digital cash or asset transfer system can be maintained, and even linked into a secure private voting system.

In this application, a system is disclosed that extends bitcoin functionality without requiring changes to the base protocol. Using the system of the invention:

1. selecting or distributing key secrets no longer requires a trusted third party;

2. a distributed banking system can be created that does not rely on trusting third parties;

3. each member or group of members can independently verify that its share of the held secret key corresponds to the announced bitcoin address and public key;

4. there is a protocol to refresh the private key slices to mitigate the effects of eavesdropping and related attacks; and

5. group signatures of transactions and messages do not require a trusted third party.

6. A third party can maintain the integrity of the keys in the threshold set. The group of signers does not know how many bitcoins or other assets it holds under its protection. Since this is a threshold system, if some members of the signing group are unavailable the other members can still blind-sign transactions, allowing the protected funds to be moved.

Since sensitive data never appears in memory in the system of the present invention, it addresses many existing security risks. In addition, it allows the distribution of exchange-based systems, web wallets, and other forms of commerce. In this system, hierarchical threshold sets can interact with other hierarchical threshold sets to ensure the integrity of a key over time. In this way a scheme can be created that allows funds to be transferred on a given event. Such situations include orders and property transfers that can be controlled and protected, allowing keys to be recovered in various situations.

Turning now to fig. 2, an illustrative simplified block diagram of a computing device 2600 that may be used to practice at least one embodiment of the present disclosure is provided. In various embodiments, computing device 2600 may be used to implement any of the systems shown and described above. For example, computing device 2600 may be configured to function as a data server, a web server, a portable computing device, a personal computer, or any electronic computing device. As shown in fig. 2, computing device 2600 may include one or more processors (collectively 2602) having one or more levels of cache memory and a memory controller, which may be configured to communicate with a storage subsystem 2606 including a main memory 2608 and persistent storage 2610. As shown, main memory 2608 may include a Dynamic Random Access Memory (DRAM)2618 and a Read Only Memory (ROM) 2620. Storage subsystem 2606 and cache 2602 may be used to store information, such as details associated with transactions and blocks described in this disclosure. The processor 2602 may be used to provide the steps or functions of any of the embodiments described in this disclosure.

The processor 2602 may also communicate with one or more user interface input devices 2612, one or more user interface output devices 2614, and a network interface subsystem 2616.

Bus subsystem 2604 may provide a mechanism for enabling the various components and subsystems of computing device 2600 to communicate with one another as intended. Although bus subsystem 2604 is shown schematically as a single bus, alternative embodiments of the bus subsystem may utilize multiple buses.

The network interface subsystem 2616 may provide an interface to other computing devices and networks. The network interface subsystem 2616 may serve as an interface to receive data from and transmit data to other systems other than the computing device 2600. For example, the network interface subsystem 2616 may enable a data technician to connect the device to a network such that the data technician may transmit data to and receive data from the device while located at a remote location (e.g., a data center).

The user interface input devices 2612 may include one or more user input devices, such as a keypad; a pointing device such as an integrated mouse, trackball, touchpad, or tablet; a scanner; a bar code scanner; a touch screen incorporated into the display; audio input devices such as voice recognition systems, microphones, etc.; and other types of input devices. In general, use of the term "input device" is intended to include all possible types of devices and mechanisms for inputting information to computing device 2600.

One or more user interface output devices 2614 may include a display subsystem, a printer, or a non-visual display such as an audio output device. The display subsystem may be a Cathode Ray Tube (CRT), a flat panel device such as a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, or a projector, or other display device. In general, use of the term "output device" is intended to include all possible types of devices and mechanisms for outputting information from computing device 2600. One or more user interface output devices 2614 may be used, for example, to present a user interface to facilitate user interaction with applications that perform the described processes and variations therein, when such interaction is appropriate.

Storage subsystem 2606 may provide a computer-readable storage medium for storing the basic programming and data constructs that may provide the functionality of at least one embodiment of the present disclosure. Applications (programs, code modules, instructions) that, when executed by one or more processors, provide the functionality of one or more embodiments of the present disclosure may be stored in storage subsystem 2606. These application modules or instructions may be executed by one or more processors 2602. Additionally, storage subsystem 2606 may provide a repository for storing data used in accordance with the present disclosure. For example, main memory 2608 and cache memory 2602 may provide volatile storage for programs and data. The persistent storage 2610 may provide persistent (non-volatile) storage for programs and data and may include flash memory, one or more solid state drives, one or more magnetic hard drives, one or more floppy drives with associated removable media, one or more optical drives with associated removable media (e.g., CD-ROM, DVD or Blu-ray drives), and other similar storage media. Such programs and data may include programs for performing the steps of one or more embodiments as described in the present disclosure, as well as data associated with the transactions and blocks described in the present disclosure.

Computing device 2600 may be of various types, including a portable computer device, a tablet computer, a workstation, or any other device described below. Additionally, computing device 2600 may include another device that may be connected to computing device 2600 through one or more ports (e.g., USB, headphone jack, lightning connector, etc.). Devices that can connect to the computing device 2600 can include a plurality of ports configured to accept fiber optic connectors. Thus, the device may be configured to convert optical signals to electrical signals that may be transmitted for processing through a port connecting the device to the computing device 2600. Due to the ever-changing nature of computers and networks, the description of computing device 2600 depicted in fig. 2 is intended only as a specific example for purposes of illustrating the preferred embodiments of the device. Many other configurations are possible with more or fewer components than the system depicted in fig. 2.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The words "comprising" and "comprises", and the like, do not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole. In the present specification, "comprises" means "includes or consists of", and "comprising" means "including or consisting of". The singular reference of an element does not exclude the plural reference of such elements, and vice versa. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Appendix

Algorithm 1 - key generation

Domain parameters (curve, order n, generator G)

Input: N/A

Output: blind key shares $\alpha_{A(1)}, \alpha_{A(2)}, \ldots, \alpha_{A(i)}, \ldots, \alpha_{A(m)}$

For a threshold of $l$ slices from $m$ participants, a blind key slice $\alpha_{A(i)}$ is constructed which is associated with participant $(i)$; the other $(m-1)$ participants are designated participant $(h)$, each being another party that exchanges secrets with participant $(i)$ in order to sign with the blind key.

In this scheme $m$ is the total number of participants, where $l \le m$, so that each participant $(i)$ has $m-1$ counterparties $(h)$.

Therefore there is an $(l+1, m)$-threshold sharing scheme.

The method of Algorithm 1 is as follows:

1) Each participant $p_{(i)}$ exchanges an ECC public key (or, in this implementation, a bitcoin address) with all other participants. This address is the group identity address and need not be used for any other purpose.

It should be noted that this is a derived address, for example as disclosed in international patent application WO 2017/145016, and is a key based on a shared value between each pair of participants from the process disclosed therein.

2) Each participant $p_{(i)}$ selects a polynomial $f_i(x)$ of degree $(k-1)$ with random coefficients, in a way that is not known to any other party.

The function is kept secret by the participant who selected the polynomial. Its free term is not shared; it is calculated using the derived private key.

$f_i(h)$ is defined as the result of the function $f_i(x)$, chosen by participant $p_{(i)}$, evaluated at the point $x = h$. In the polynomial, $a_0$ is the secret of participant $p_{(i)}$ and is not shared.

Thus each participant $p_{(i)}$ has a secret function $f_i(x)$, expressed as a polynomial of degree $(k-1)$ whose free term is defined as the participant's secret.

3) Each participant encrypts $f_i(h)$ to participant $P_{(h)}$ using $P_{(h)}$'s public key as described above, and exchanges the value with $P_{(h)}$ for decryption.

It should be noted that, for any base point $G$, the map $b \mapsto bG$ is additive, so that for any set of integers $B = \{b_i \in \mathbb{Z}_n\}$ with $b$ formed from $(b_1, b_2, \ldots)$: if $bG = [b_1 G + b_2 G + \ldots] \bmod p$, then $b = [b_1 + b_2 + \ldots] \bmod n$; further, if $bG = [b_1 b_2 \ldots] G \bmod p$, then $b = [b_1 b_2 \ldots] \bmod n$.

Given that $\mathbb{Z}_n$ is a field and the value chosen as the ECC private key can be Lagrange-interpolated modulo $n$, it follows that Shamir's secret sharing scheme SSSS [5] can be realised over $\mathbb{Z}_n$.

4) Each participant $P_{(i)}$ broadcasts the following values to all participants.

The value associated with the variable $h$ in the above equation may be the index of participant $P_{(h)}$, so that if $P_{(h)}$ is the third participant in the scheme then $h = 3$; equivalently it may be the integer value of the ECC public key used by that participant. There are use cases and scenarios for either implementation. In the latter implementation, the values $h = \{1, \ldots, j\}$ are replaced by an array of values that map to the public keys used by the individual participants.

5) Each participant $P_{(h \ne i)}$ verifies that the share it received is consistent with the values broadcast by each of the other participants, i.e. that $f_i(h) \cdot G$ agrees with that participant's broadcast.

6) Each participant $P_{(h \ne i)}$ verifies that the shares it owns and has received are consistent with the other received shares. If they are not, the participant rejects the protocol and restarts.

7) Participant $p_{(i)}$ now computes its share $d_{A(i)}$ from the values received, where $\mathrm{SHARE}(p_{(i)}) \in \mathbb{Z}_n$, together with the group public key $Q_A$.

Return $(d_{A(i)}, Q_A)$

Participant $p_{(i)}$ will now use this share in computing signatures. Any participant, or a party $p_{(c)}$ that collects the signatures, can act as coordinator and assume this role. The participant $p_{(c)}$ may vary and need not be the same party on each attempt to collect enough shares to sign a transaction.

Thus private key shares have been created without any participant knowing the shares of the others.

Algorithm 2 - updating private keys

Input: participant $P_i$'s share of the private key $d_A$, denoted $d_{A(i)}$

Output: participant $P_i$'s new private key share $d_{A(i)}'$

Algorithm 2 can be used to update the private key shares and to add randomness to the protocol.

Recalculation of hierarchical sub-keys can be performed without reconstructing, or even without the existence of, the calculated private key. In this way a hierarchy of bitcoin addresses and private key slices can be constructed which, when properly deployed, eliminates the kind of massive fraud or database theft that has occurred in the past.

1) Each participant selects a random polynomial of degree $(k-1)$ constrained to have 0 as its free term. This is similar to Algorithm 1, but each participant must verify that the secret chosen by every other participant is zero.

It should be noted that the commitment to a zero free term is the point at infinity on the elliptic curve. Using this relation, all active participants verify every other participant's function. See Feldman (1987) for the analogous check.

Generate zero shares:

2) Each participant adds the zero shares it receives to its existing share.

3) Return $d_{A(i)}'$.

The result of this algorithm is a new key share associated with the original private key. A variant of this algorithm can add randomness to Algorithm 1, or carry out a re-sharing exercise that produces a new key slice without changing the bitcoin address. In this way the protocol of the present invention allows the group to further mask the private key shares without changing the underlying private key. This process can be used to minimise any potential key leakage associated with the continued use and deployment of individual key shares, without changing the underlying bitcoin address and private key.
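As an added example, not from the patent, the $\mathbb{Z}_n$ arithmetic underlying Algorithms 1 and 2 over the order $n$ of the secp256k1 generator: dealer-less generation of shares of a summed secret, Lagrange interpolation at zero (the Interpolate used throughout the signing algorithms), zero-constant refresh of the shares, and the JZSS-masked broadcast pattern of Algorithms 7 to 9. The Feldman commitment checks of steps 4 to 6, which need curve points, are omitted. Participant indices $h = 1, \ldots, m$ and the secret returned alongside the shares are assumptions of this example, present only so it can check itself:

```python
"""Added example, not from the patent: Z_n core of Algorithms 1 and 2 plus the
JZSS-masked broadcast of Algorithms 7-9. Feldman checks omitted. Participant
indices are 1..m (assumption); d_A is returned only for self-checking."""
import secrets

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order

def random_poly(free_term, degree):
    """Polynomial over Z_n with the given free term a_0 and random higher coefficients."""
    return [free_term % N] + [secrets.randbelow(N) for _ in range(degree)]

def evaluate(poly, x):
    """f(x) mod n by Horner's rule."""
    acc = 0
    for coef in reversed(poly):
        acc = (acc * x + coef) % N
    return acc

def interpolate(points):
    """Lagrange interpolation at x = 0: recovers the free term from k points of a
    degree-(k-1) polynomial. This is the Interpolate of the signing algorithms."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total

def dealerless_keygen(m, k):
    """Algorithm 1 (steps 2, 3 and 7): participant i deals f_i of degree k-1 and sends
    f_i(h) to participant h; h's share is the sum of what it receives. The group key
    d_A is the sum of the free terms; no participant ever learns it."""
    polys = {i: random_poly(secrets.randbelow(N), k - 1) for i in range(1, m + 1)}
    shares = {h: sum(evaluate(polys[i], h) for i in polys) % N for h in range(1, m + 1)}
    dA = sum(f[0] for f in polys.values()) % N
    return shares, dA

def refresh(shares, k):
    """Algorithm 2: each participant deals a polynomial with free term 0; adding its
    evaluations to every share yields new shares of the unchanged key."""
    zero_polys = {i: random_poly(0, k - 1) for i in shares}
    return {h: (v + sum(evaluate(zero_polys[i], h) for i in zero_polys)) % N
            for h, v in shares.items()}

def masked_linear_shares(shares_a, shares_b, c, k):
    """Pattern of Algorithms 7-9: each party broadcasts a_i*c + b_i + z_i with z_i a
    share of zero (JZSS), so any k broadcasts interpolate to a*c + b mod n while no
    individual a_i or b_i is exposed."""
    zero = refresh({h: 0 for h in shares_a}, k)
    return {h: (shares_a[h] * c + shares_b[h] + zero[h]) % N for h in shares_a}

def any_k(shares, k, start=0):
    """k consecutive (index, share) points beginning at position `start`."""
    return list(shares.items())[start:start + k]
```

Any $k$ of the shares interpolate to the same $d_A$ before and after a refresh, but mixing shares from different epochs does not, which is why every participant must switch over together; the masked broadcast shows why Algorithms 7 to 9 can reveal $e_2$, $s_1$ and $s$ to the group without revealing any member's own slice.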

Algorithm 3 - signature generation

Domain parameters: curve, order n, generator G

Input: message to sign $e = H(m)$; private key shares

Output: signature for $e = H(m)$

A) Distributed key generation

1) Generate ephemeral key shares using Algorithm 1.

2) Generate mask shares using Algorithm 1: $\alpha_i \leftarrow \mathbb{Z}_n$

3) Generate mask shares using Algorithm 2.

B) Signature generation

4) Verify the hash $e = H(m)$ of the message $m$.

5) Broadcast the masked share of $D_k \alpha$ (formed from the shares of steps 1 to 3) and

$\omega_i = G \times \alpha_i$

6) $\mu = \text{Interpolate}$ of the broadcast masked shares $[= D_k \alpha \bmod n]$

7) $\theta = \text{Exp-Interpolate}(\omega_1, \ldots, \omega_n)$ $[= G \times \alpha]$

8) Compute $(R_x, R_y)$, where $r_{x,y} = (R_x, R_y) = \theta \times \mu^{-1}$ $[= G \times D_k^{-1}]$

9) $r = r_x = R_x \bmod n$

If $r = 0$, restart (i.e. from the initial distribution).

10) Broadcast $S_i = D_{k(i)}(e + D_{A(i)} r) + C_i \bmod n$

11) $S = \text{Interpolate}(S_i, \ldots, S_n) \bmod n$

If $s = 0$, redo Algorithm 3 from the beginning (A.1).

12) Return $(r, s)$

13) In bitcoin, the $(r, s)$ pair is used to reconstruct the transaction to form a standard transaction.

References

1) Bar-Ilan, J., Beaver, D.: "Non-Cryptographic Fault-Tolerant Computing in a Constant Number of Rounds of Interaction", Proceedings of the 8th ACM Symposium on Principles of Distributed Computing (PODC), pp. 201-209, 1989.

2) Berlekamp, Elwyn R. (1968): Algebraic Coding Theory, McGraw-Hill, New York, NY.

3) Benger, N., van de Pol, J., Smart, N. P., Yarom, Y.: "Ooh Aah... Just a Little Bit: A Small Amount of Side Channel Can Go a Long Way", in: Batina, L., Robshaw, M. (eds.) Cryptographic Hardware and Embedded Systems, CHES 2014, LNCS vol. 8731, pp. 75-92, Springer (2014).

4) Ben-Or, M., Goldwasser, S., Wigderson, A.: "Completeness theorems for non-cryptographic fault-tolerant distributed computation", in: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC '88, pp. 1-10, ACM, New York, NY, USA (1988).

5) BIP 65, OP_CHECKLOCKTIMEVERIFY, https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki

6) Chaum, David (1983): "Blind signatures for untraceable payments", Advances in Cryptology: Proceedings of CRYPTO '82, pp. 199-203.

7) Chen, T. S., Huang, G. S., Liu, T. P., Chung, Y. F. (2002): "Digital signature scheme resulted from identification protocol for elliptic curve cryptosystem", Proceedings of IEEE TENCON '02, pp. 192-195.

8) Chinnici, M. (1995): "CUDA Based Implementation of Parallelized Pollard's Rho Algorithm for Menezes A. and Vanstone S. Elliptic Curve Systems", IEEE P1363 Standard, p. 142.

9) Tsai, Chwei-Shyong, Hwang, Min-Shiang, Sung, Pei-Chen: "Blind Signature Scheme Based on Elliptic Curve Cryptography", http://mshwang.ccs.asia.edi.tw/www/myjournal/P191.pdf

10) Dawson, E., Donovan, D. (1994): "The breadth of Shamir's secret-sharing scheme", Computers & Security 13, pp. 69-78.

11) Desmedt, Yvo (1987): "Society and Group Oriented Cryptography: A New Concept", in: A Conference on the Theory and Applications of Cryptographic Techniques on Advances in Cryptology (CRYPTO '87), Carl Pomerance (ed.), Springer-Verlag, London, UK, pp. 120-127.

12) ElGamal, T. (1985): "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, vol. 31, pp. 469-472.

13) Feldman, P.: "A practical scheme for non-interactive verifiable secret sharing", Proceedings of the 28th IEEE Annual Symposium on Foundations of Computer Science, 1987, pp. 427-437.

14) Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: "Robust threshold DSS signatures", in: Proceedings of the 15th Annual International Conference on Theory and Application of Cryptographic Techniques, EUROCRYPT '96, pp. 354-371, Springer-Verlag, Berlin, Heidelberg (1996).

15) Ibrahim, M., Ali, I., Ibrahim, I., El-Sawi, A.: "A robust threshold elliptic curve digital signature providing a new verifiable secret sharing scheme", in: Circuits and Systems, 2003 IEEE 46th Midwest Symposium on, vol. 1, pp. 276-280 (2003).

16) Johnson, D., Menezes, A., Vanstone, S.: "The elliptic curve digital signature algorithm (ECDSA)", International Journal of Information Security 1(1), pp. 36-63 (2001).

17) Chakraborty, Kalyan, Mehta, Jay (2011): "A Stamped Blind Signature Scheme based on Elliptic Curve Discrete Logarithm Problem", http://ijns.femto.com.tw/contents/ijns-v14-n6/ijns-2012-v14-n6-p316-319.pdf

18) Kapoor, Vivek, Abraham, Vivek Sonny, Singh, Ramesh: "Elliptic Curve Cryptography", Ubiquity 2008, no. May (2008), pp. 1-8.

19) Knuth, D. E. (1997): The Art of Computer Programming, II: Seminumerical Algorithms (3rd edition), Addison-Wesley, p. 505.

20) Koblitz, N.: "An Elliptic Curve Implementation of the Finite Field Digital Signature Algorithm", in: Advances in Cryptology, CRYPTO '98, Lecture Notes in Computer Science vol. 1462, pp. 327-337, Springer-Verlag, 1998.

21) Liu, C. L. (1968): Introduction to Combinatorial Mathematics, New York: McGraw-Hill.

22) National Institute of Standards and Technology, FIPS PUB 186-4: "Digital Signature Standard" (DSS) (2013).

23) Pedersen, T.: "Non-interactive and information-theoretic secure verifiable secret sharing", in: Feigenbaum, J. (ed.) Advances in Cryptology, CRYPTO '91, LNCS vol. 576, pp. 129-140, Springer (1992).

24) Rabin, T., Ben-Or, M. (1989): "Verifiable secret sharing and multiparty protocols with honest majority", in: Proc. 21st ACM Symposium on Theory of Computing, pp. 73-85, 1989.

25) Shamir, Adi (1979): "How to share a secret", Communications of the ACM 22(11), pp. 612-613.

26) Wright, C., Savanah, S. (2016): "Determining a common secret for two blockchain nodes for the secure exchange of information", application no. 15087315, 2016, UK.
