CN1207866C

CN1207866C - Safe digital signature system and method

Info

Publication number: CN1207866C
Application number: CN 01136017
Authority: CN
Inventors: 荆继武; 冯登国; 周天阳
Original assignee: University of Chinese Academy of Sciences
Current assignee: University of Chinese Academy of Sciences; Institute of Information Engineering of CAS
Priority date: 2001-09-28
Filing date: 2001-09-28
Publication date: 2005-06-22
Anticipated expiration: 2021-09-28
Also published as: CN1411201A

Abstract

The invention relates to a safe digital signature system and method. The system includes a task allocator, k operators, m synthesizers and sub-key distributors connected through a broadcast channel. The sub-key distribution operation includes: the sub-key distributor expresses the private key d as the sum of t sub-keys d _j and a sub-key _ci , and makes t<k; the distributor distributes k random d _j is distributed to k operators, and a set of equation combination representations of c _i are obtained, all equation combination representations and their corresponding c _i are exhaustively searched according to the synthesizer safety conditions to obtain m groups, and distributed to m synthesizers Prestored. The digital signature operation includes: the task allocator broadcasts the HASH value M that needs to be signed and sends it to k operators; the operator calculates the power M ^dj and broadcasts it to the synthesizer; the synthesizer compares it with the pre-stored _ci equation combination representation , find the matching equation combination representation and get the corresponding c _i , multiply the corresponding raising power M ^dj to get the result R, calculate M ^ci , and finally get the digital signature S=M ^d .

Description

A secure digital signature system and method

技术领域technical field

本发明涉及网络通信安全技术，更确切地说是涉及一种能容忍入侵的确保数字签名安全的系统与方法。The present invention relates to network communication security technology, more specifically to a system and method for ensuring digital signature security that can tolerate intrusion.

背景技术Background technique

数字签名(Digital Signature)是当今网络通信安全中最基本的技术，是利用非对称算法(Asymmetric Algorithm)，来达到其他人可以验证该签名但却无法假冒该签名的目的。最常用的非对称算法有RSA、DSA和椭圆曲线算法等，目前不少数字签名系统都是基于RSA算法的。Digital Signature (Digital Signature) is the most basic technology in today's network communication security. It uses an asymmetric algorithm (Asymmetric Algorithm) to achieve the purpose that others can verify the signature but cannot counterfeit the signature. The most commonly used asymmetric algorithms are RSA, DSA, and elliptic curve algorithms, etc. Currently, many digital signature systems are based on the RSA algorithm.

所谓非对称算法，就是一个人无法通过已知的正向计算参数推导出反向计算的参数，即已知正向计算过程，无反向计算能力。这种非对称算法本身是公开的，但每个人可以选择不同的参数，参数不同，所构成的变换函数就不同。对某个人来说，他可以选择一组参数，其中一部分是用于逆向计算的，称为秘密参数，技术上称为保密密钥或私钥；另一部分是用于正向计算的，是公开的参数，技术上称为公开密钥或公钥。The so-called asymmetric algorithm means that a person cannot derive the parameters of the reverse calculation through the known forward calculation parameters, that is, the known forward calculation process has no reverse calculation ability. This asymmetric algorithm itself is public, but everyone can choose different parameters, and the transformation functions formed by different parameters are different. For someone, he can choose a set of parameters, some of which are used for reverse calculation, called secret parameters, technically called secret key or private key; the other part is used for forward calculation, which is public parameters, technically known as the public key or public key.

数字签名就是基于这种非对称算法得以实施的。一方面保护自己的秘密参数-私钥，以保证他人无法冒充自己进行签名，另一方面通过公开可以公开的部分-公钥，供相关人士能够验证该签名(从理论上说，利用公开的参数来推导秘密的参数，在计算上是不可行的)。Digital signatures are implemented based on this asymmetric algorithm. On the one hand, protect your own secret parameter - the private key to ensure that others cannot pretend to be yourself to sign; is computationally infeasible to derive the secret parameters).

数字签名首先是网络通信与交互的保证，可以保证通信对方是真实的，可以保证在网上的就是自己，还可作为签署电子文档时的工具，以保护自己的文档与签名。当今许多国家，已将数字签名视作手写签名，两者具有同样的法律效率。Digital signature is first of all a guarantee for network communication and interaction. It can ensure that the other party is authentic and that the one on the Internet is yourself. It can also be used as a tool when signing electronic documents to protect your own documents and signatures. Many countries today regard digital signatures as handwritten signatures, and both have the same legal efficiency.

数字签名算法还可以用于协商秘密(secret)参数。如A用户需要与B用户进行秘密通信时，A用户可以先设定一些秘密参数，然后用B用户的公开密钥(公钥)作用一下，此时只有B用户能够恢复原来的值，因为只有B用户知道自己的保密(private)密钥(私钥)。Digital signature algorithms can also be used to negotiate secret parameters. For example, when user A needs to communicate secretly with user B, user A can set some secret parameters first, and then use the public key (public key) of user B to act. At this time, only user B can restore the original value, because only User B knows his private key (private key).

此外，数字签名还可以用于需要保密的场所、需要身份认证的场所及其他需要不可否认服务的场所。In addition, digital signatures can also be used in places that require confidentiality, places that require identity authentication, and other places that require non-repudiation services.

现在国际上大力推行的PKI(Public Key Infrastructure：公开密钥基础设施)就是数字签名的一种应用，是网络数字社会中最重要的一种基础设施，这种技术的重要性，就象电力基础设施对于工业的作用一样。The PKI (Public Key Infrastructure: public key infrastructure) that is being vigorously promoted internationally is an application of digital signatures, and it is the most important infrastructure in the network digital society. The importance of this technology is just like the power infrastructure. Facilities do the same for industry.

为了保证数字签名的安全和速度，在签名前，必须对所签的内容进行HASH计算，求出一个HASH值M(HASH值有时又叫文摘值或杂凑值)，然后利用保密密钥(私钥)对文摘结果作变换得到签名值；验证签名时，先对内容作HASH计算，然后再用公开的参数(公钥)作用于签名值，再将得到的结果与上述HASH结果进行比较，若相等，就表示签名正确，否则为验证不通过。In order to ensure the security and speed of digital signatures, before signing, HASH calculation must be performed on the signed content to find a HASH value M (HASH value is sometimes called digest value or hash value), and then use the secret key (private key) ) to transform the digest result to obtain the signature value; when verifying the signature, first perform HASH calculation on the content, then use the public parameters (public key) to act on the signature value, and then compare the obtained result with the above HASH result, if they are equal , it means that the signature is correct, otherwise the verification fails.

然而，当一用户A有了自己的私钥并公开了公钥时，如果有一个攻击者B重新生成公钥和私钥，并用攻击者B的公钥替换了A用户公开的公钥，此时A用户的朋友发给A用户的信息就只有攻击者B知道了，因为A用户已无法知道由攻击者B假冒的公钥所对应的私钥。这时就需要由一个CA(CertificateAuthority：证书权威或证书机构)，来证明哪个公钥是A用户的，或者证明哪个公钥不是A用户的。However, when a user A has his own private key and discloses the public key, if an attacker B regenerates the public key and private key, and replaces the public key released by user A with the public key of the attacker B, the At this time, only the attacker B knows the information sent by the friend of user A to user A, because user A has no way of knowing the private key corresponding to the public key faked by attacker B. At this time, a CA (CertificateAuthority: Certificate Authority or Certificate Authority) is required to prove which public key belongs to user A, or which public key does not belong to user A.

CA拥有一个比一般用户私钥更长的私钥，也就是说，CA的私钥更安全，而CA的公钥可以通过各种方式广为人知，这样各个用户就可以验证什么是CA所签发的。当一个用户将其身份与其公钥绑定在一起，并由CA签名后，就得到了一个电子证书。这个证书能够证明该公钥拥有者的身份，且任何人都可以验证而任何人却都不能假冒。The CA has a longer private key than the private key of ordinary users, that is to say, the private key of the CA is more secure, and the public key of the CA can be widely known in various ways, so that each user can verify what is issued by the CA. When a user binds his identity with his public key and is signed by a CA, he gets an electronic certificate. This certificate can prove the identity of the owner of the public key, and anyone can verify but no one can impersonate.

目前，电子证书已成为PKI基础设施中最为关键的部分，CA是PKI中最为重要的基本单元。利用电子证书，就可以有效解决网络上的保密性、完整性以及不可否认性等安全问题。At present, electronic certificate has become the most critical part of PKI infrastructure, and CA is the most important basic unit in PKI. Using electronic certificates can effectively solve security issues such as confidentiality, integrity and non-repudiation on the network.

基于PKI的安全性，最终都会归结到对CA私钥的保护，一旦CA的私钥泄露，由CA所颁发的所有证书就都必须作废，整个由CA管辖的网络安全就会变得毫无安全可言。随着网络上各种攻击手段的不断增加，系统漏洞不断被发现，因此如何保证既能在线提供数字签名服务又能保证安全，已成为现代网络安全研究的一个重要课题。PKI-based security will ultimately come down to the protection of the CA's private key. Once the CA's private key is leaked, all certificates issued by the CA must be invalidated, and the entire network security under the jurisdiction of the CA will become insecure. to speak of. With the continuous increase of various attack methods on the network, system loopholes are constantly being discovered, so how to ensure that digital signature services can be provided online while ensuring security has become an important topic in modern network security research.

对RSA算法来说，秘密的密钥一般记为d，是一个可以长达2048bits的整数(一般认为，1024bits长度的私钥已经能够保证安全，但对CA来说，采用2048bits或以上则是必须的)。在RSA算法中，用到了对一个数N的模幂计算，即求M^d mod N，该计算是完成数字签名所需要的，当所需公开的参数(公钥)公开后，保护数字d就是保护了私钥。For the RSA algorithm, the secret key is generally recorded as d, which is an integer that can be as long as 2048 bits (it is generally believed that a private key with a length of 1024 bits can already guarantee security, but for CA, it is necessary to use 2048 bits or more. of). In the RSA algorithm, the modular exponentiation calculation of a number N is used, that is, to find M ^d mod N. This calculation is required to complete the digital signature. When the required public parameters (public key) are disclosed, the protection number d is The private key is protected.

安全的数字签名所追求的目标是既完成签名又不能泄露私钥，针对该课题国际上已有许多理论方面的研究，其中不少理论与方法因难度太大而无法实现。另一方面，国际上目前开发的重点也是如何实现相互兼容的数字签名产品，而在入侵容忍的安全签名方面则开发的非常少，工业界也没有推出相关的产品。所谓入侵容忍(Intrusion Tolerance)是相对于从检测入侵出发来保证CA安全的技术而言的，即在系统的部分部件被攻击或被占领后，仍不会暴露CA系统的机密信息。The goal of a secure digital signature is to complete the signature without divulging the private key. There have been many theoretical studies on this topic in the world, many of which cannot be realized due to the difficulty. On the other hand, the focus of current development in the world is how to realize mutually compatible digital signature products, but there are very few developments in terms of intrusion-tolerant security signatures, and the industry has not launched related products. The so-called intrusion tolerance (Intrusion Tolerance) is relative to the technology to ensure the security of CA by detecting intrusion, that is, after some parts of the system are attacked or occupied, the confidential information of the CA system will not be exposed.

综上所述，PKI是基于公开密钥密码算法的，在PKI系统中，CA又是一个域中的信任中心，网络上设备或个人间的通信与验证都依赖于CA颁发的数字证书(签名)。数字证书是一个将公开密钥与个人身份绑在一起、用CA的私钥签名后得到的数据。在一方要验证通信对方的身份时，可以通过两个步骤完成，首先验证对方的证书签名是否正确(签名只能由CA的私钥完成，只有CA才能够进行签名)；再验证对方是否拥有与证书中公钥相对应的私钥，如果两项都能成立，则对方的身份就能被确定，是可以信任的。To sum up, PKI is based on the public key cryptography algorithm. In the PKI system, the CA is also a trust center in a domain. The communication and verification between devices or individuals on the network depend on the digital certificate (signature) issued by the CA. ). A digital certificate is a data obtained by binding a public key with a personal identity and signing it with a CA's private key. When one party wants to verify the identity of the other party, it can be done in two steps. First, verify whether the certificate signature of the other party is correct (the signature can only be completed by the private key of the CA, and only the CA can sign); If the private key corresponding to the public key in the certificate can be established, the identity of the other party can be determined and can be trusted.

因此CA的私钥是CA安全的核心，保护其不泄露是整个CA域安全的基础。一般来说，CA必须是一个在线的网络设备，特别是直接面向用户以便提供相应证书服务的CA，则其遭遇网络攻击就不可避免，当一个黑客成功攻击一台CA时，攻击者就可能获得它的内部资源，从而找到CA的私钥，会给PKI系统造成致命打击，同时在PKI系统的内部雇员完全控制一台CA设备的情况下，为预防起见，也应该确保其没有得到CA的私钥。Therefore, the CA's private key is the core of CA security, and protecting it from disclosure is the basis for the security of the entire CA domain. Generally speaking, a CA must be an online network device, especially a CA that directly faces users in order to provide corresponding certificate services, so it is inevitable to encounter network attacks. When a hacker successfully attacks a CA, the attacker may obtain Its internal resources, so as to find the private key of the CA, will cause a fatal blow to the PKI system. key.

下面仅从将签名等价于实现公式M^d mod N(其中d为应该保密的私钥)方面，说明现有的几种安全数字签名方法。In the following, several existing secure digital signature methods are described only from the aspect of equating the signature to realizing the formula M ^d mod N (where d is the private key that should be kept secret).

参见图1，图中示出美国Stanford大学的ITTC项目方案的原型系统框图。该系统通过门槛密码学技术实现系统入侵容忍，系统包括签名方(Clients)、服务器方(Servers)和管理方(Admin)。签名方的Web Server是指需要签名的Web服务器，CA是证书权威或证书机构；服务器方包括多个分享服务器(ShareServer，也可称分享计算器或分享运算器)，如图中的分享服务器1至3，负责进行安全的数字签名；管理方(Admin)是一个可选的用于管理各分享服务器的设备。该方案的特点是：结构简单和具有很好的安全性，系统中采用了成单层结构的多个分享服务器。Referring to FIG. 1 , it shows a block diagram of a prototype system of the ITTC project scheme of Stanford University in the United States. The system implements system intrusion tolerance through threshold cryptography technology, and the system includes signing parties (Clients), servers (Servers) and administrators (Admin). The web server of the signing party refers to the web server that needs to be signed, and the CA is the certificate authority or certificate authority; the server side includes multiple sharing servers (ShareServer, also called sharing calculator or sharing calculator), as shown in the figure Share server 1 To 3, responsible for secure digital signature; the administrator (Admin) is an optional device used to manage each shared server. The characteristics of this scheme are: simple structure and good security, the system adopts multiple shared servers in a single-layer structure.

该系统实现安全性的原理是：先将私钥d分解成t个数的和：d＝d₁+d₂+...+d_t；再将各数(d_i)分配到各个分享服务器中。当需要签名时，客户机(Web或CA)将需要的签名信息-HASH结果M值发给t个分享服务器；各分享服务器再将计算结果 $M_{i} = M^{d_{i}}$ 送回客户机(Web或CA)；由客户机(Web或CA)进行乘法计算：The security principle of the system is: first decompose the private key d into the sum of t numbers: d=d ₁ +d ₂ +...+d _t ; then distribute each number (d _i ) to each shared server middle. When a signature is required, the client (Web or CA) sends the required signature information-HASH result M value to t sharing servers; each sharing server then sends the calculation result $m_{i} = m^{d_{i}}$ Send back to client (Web or CA); multiplication by client (Web or CA):

$S S = = {Π Π}_{i i = = 11}^{t t} {M m}^{{d d}_{i i}} = = {M m}^{{Σ Σ}_{i i = = 11}^{t t} {d d}_{i i}} = = {M m}^{d d}$

就得到了需要的结果。The desired result is obtained.

由于不能实现冗余，可进一步采用多组方程来产生冗余配置，即随机找到若干组数，如：Since redundancy cannot be achieved, multiple sets of equations can be further used to generate redundant configurations, that is, several sets of numbers are randomly found, such as:

第一组：d＝d₁₁+d₁₂+...+d_1t；The first group: d=d ₁₁ +d ₁₂ +...+d _1t ;

第二组：d＝d₂₁+d₂₂+...+d_2t；The second group: d=d ₂₁ +d ₂₂ +...+d _2t ;

………，………,

然后将多组数(d_ij)分到不同的分享服务器中，每个分享服务器得到多个d_ij，但只得到同组数据中的一个数据(如分享服务器1得到一个第一组数据d₁₁和另一个第二组数据d₂₃)。如，对于有4个分享服务器的情况，在t＝3时，可以按下表进行分配：分享服务器1 分享服务器2 分享服务器3 分享服务器4 d₁₁ d₁₂ d₁₃ d₁₃ d₂₃ d₂₁ d₂₂ d₂₃ Then divide multiple sets of numbers (d _ij ) into different sharing servers, and each sharing server gets multiple d _ij , but only gets one data in the same set of data (for example, sharing server 1 gets a first set of data d ₁₁ and another second set of data d ₂₃ ). For example, in the case of 4 shared servers, when t=3, they can be allocated according to the following table: shared server 1 share server 2 share server 3 share server 4 d ₁₁ d ₁₂ d ₁₃ d ₁₃ d ₂₃ d ₂₁ d ₂₂ d ₂₃

当客户机(Web或CA)需要计算时，由客户机(Web或CA)选定t个完好的分享服务器，然后告诉这些分享服务器使用第几组数据(参数)，然后，分享服务器就可以计算相应的签名了。When the client (Web or CA) needs to calculate, the client (Web or CA) selects t intact sharing servers, and then tells these sharing servers which set of data (parameters) to use, and then the sharing server can calculate Signed accordingly.

该技术方案的优点是明显的，其不足之处有如下几点：The advantage of this technical solution is obvious, and its weak point has the following points:

1.密钥的分发和管理比较困难，当增加一个分享服务器时，必须对每一个在线的分享服务器分配密钥数据，同时还要让客户机也知道这个增加；1. The distribution and management of the key is difficult. When adding a shared server, the key data must be distributed to each online shared server, and the client must also know the increase;

2.当分享服务器很多时，会迅速增加分享服务器的密钥存储量，若设分享服务器的总数量为k，要求完好的分享服务器的总数量为t，则每个分享服务器存储密钥的数量至少为C_k ^t-1个(C表示组合)，当k＝10，t＝3时，每个分享服务器存储密钥的数量就为45个；2. When there are many sharing servers, the key storage capacity of the sharing servers will increase rapidly. If the total number of sharing servers is k, and the total number of intact sharing servers is required to be t, then the number of keys stored in each sharing server At least C _k ^t-1 (C represents a combination), when k=10, t=3, the number of each shared server storage key is 45;

3.存在必须先同步的问题，在进行计算前，客户机必须先选定t个分享服务器，当t个分享服务器选择完成后，还必须找到与这t个分享服务器匹配的数据组并通知他们，当其中有一个服务器被破坏时必须重复上述选择分享服务器的整个过程；3. There is a problem that must be synchronized first. Before calculation, the client must first select t shared servers. After the selection of t shared servers is completed, it must also find a data group that matches the t shared servers and notify them , when one of the servers is destroyed, the entire process of selecting the shared server above must be repeated;

4.让客户机(CA或Web服务器)记住每次分享服务器的改变是困难的，不容易进行管理与扩展，当客户机在线时，扩展就更加困难，导致每次改变分享服务器时都必须更新客户机。4. It is difficult for the client (CA or Web server) to remember the change of the shared server every time, and it is not easy to manage and expand. When the client is online, it is even more difficult to expand, resulting in the need to Update the client.

IBM Research-Zurich研究院的Victor Shoup，在2000年的欧洲密码学年会上发表了名称为“Practical threshold signatures”的文章，介绍的也是一种理论上的方案。该方案使用RSA强素数，其保密的素数p＝2p’+1，q＝2q’+1。所有的插值方程都在模m＝p’q’的环中进行。因为M^4m模N等于1，分开计算时增加一次平方，由合成器(Combiner)再分别对各个结果平方一次，从而得到M^4Δ(gm+d)。其中Δ＝(k！)²，而g为整数。该方案中c_i是由合成器(Combiner)完成的，从而消除了计算前的同步问题，但带来了合成器的计算难度，并使计算性能下降。如合成器必须计算：Victor Shoup of IBM Research-Zurich Institute published an article called "Practical threshold signatures" at the European Cryptography Annual Conference in 2000, which also introduced a theoretical scheme. This scheme uses RSA strong prime number, its secret prime number p=2p'+1, q=2q'+1. All interpolation equations are performed in rings modulo m=p'q'. Because M ^4m modulo N is equal to 1, the square is added once when calculating separately, and the combiner (Combiner) squares each result again to obtain M ^4Δ(gm+d) . where Δ=(k!) ² , and g is an integer. In this scheme, _ci is completed by a combiner, which eliminates the synchronization problem before calculation, but brings the calculation difficulty of the combiner and reduces the calculation performance. As the synthesizer must compute:

$W W = = {y the y}_{{i i}_{11}}^{22 λ λ {c c}_{{i i}_{11}}} {y the y}_{{i i}_{22}}^{22 λ λ {c c}_{{i i}_{22}}} \cdot &Center Dot; \cdot &Center Dot; \cdot &Center Dot; {y the y}_{{i i}_{t t}}^{22 λ λ {c c}_{{i i}_{t t}}}$

其中y_i为各分享服务器的计算结果，λ＝k！。Among them, y _i is the calculation result of each sharing server, λ=k! .

可以看出该方案的特点及存在的不足是：It can be seen that the characteristics and shortcomings of this scheme are:

1.仍是一种由各分享服务器组成的单层式分享结构，其合成器不存储任何秘密，可以由任何设备完成合成工作；1. It is still a single-layer sharing structure composed of sharing servers. Its synthesizer does not store any secrets and can be synthesized by any device;

2.合成器的计算量接近或相当于t次签名，这样的计算量远远大于分享服务器的计算量，即使能实现该算法，也是不能用于实际签名的；2. The calculation amount of the synthesizer is close to or equivalent to t signatures, which is far greater than the calculation amount of the sharing server. Even if the algorithm can be implemented, it cannot be used for actual signatures;

3.要求使用强素数，会对某些应用带来限制；3. Requiring the use of strong prime numbers will limit some applications;

4.仅从理论上说明当增加或删除分享服务器时不会影响其他设备，但只提供了数学公式，没有任何实现上和系统结构上的说明。4. It is only theoretically stated that when adding or deleting a shared server will not affect other devices, but only provides mathematical formulas, without any implementation and system structure instructions.

纽约CertCo公司的Yair Frankel等人提出了又一种方案，但没有提供系统实现的框架和细节。在他们的方案中，提出让多项式的系数a_i在{0，L，...，2L³N^2+et)中，其中L＝k！。并取x_i属于[1，2，...，k-1]。由于所有f(x_i)都能够整除以L，故b_i的计算去掉了求逆的操作，可以在整数中进行。该方案可以用一般的RSA算法进行而不需要RSA的强素数。由于其参数的选取大大受限，带来了算法原理及安全证明的复杂性。当分享服务器计算b_i时，因为b_i依赖x_i的选取，也存在着同步问题。Yair Frankel of New York CertCo Company and others proposed another scheme, but did not provide the framework and details of system realization. In their scheme, it is proposed to let the coefficients a _i of polynomials be in {0, L, . . . , 2L ³ N ^2+e t), where L=k! . And take x _i belongs to [1, 2, ..., k-1]. Since all f( _xi ) can be divided by L, the calculation of _bi can be performed in integers without the inverse operation. The scheme can be performed with the general RSA algorithm without strong prime numbers of RSA. Because the selection of its parameters is greatly limited, it brings the complexity of the algorithm principle and security proof. When the shared server calculates _bi , because _bi depends on the selection of _xi , there is also a synchronization problem.

从其数学方案的描述中可以看出，该方案具有以下缺点：As can be seen from the description of its mathematical scheme, this scheme has the following disadvantages:

1.采用平等的秘密分享，即分享为单层式结构；1. Adopt equal secret sharing, that is, sharing is a single-layer structure;

2.参数的选取是受限的，证明其安全性十分复杂，增加了出现漏洞的可能性；2. The selection of parameters is limited, which proves that its security is very complicated and increases the possibility of loopholes;

3.存在着需要同步的问题，而如果去掉同步，则又会大大增加合成器的计算量。3. There is a problem of synchronization, and if the synchronization is removed, the calculation amount of the synthesizer will be greatly increased.

以上IBM Research-Zurich研究院的方案及纽约CertCo公司的方案，都是基于Shamir秘密共享的方案，使用LaGrange插值方程。在原Shamir秘密共享方案中，任意取t个密钥就能够生成秘密密钥。但在原Shamir方案中必须先恢复秘密密钥，这是任何方案都不希望的。因为安全签名方案必须首先保证在任何一台设备内都不能恢复出秘密密钥。The above scheme of IBM Research-Zurich Institute and the scheme of New York CertCo are both based on the scheme of Shamir's secret sharing, using the LaGrange interpolation equation. In the original Shamir secret sharing scheme, a secret key can be generated by randomly taking t keys. However, in the original Shamir scheme, the secret key must be recovered first, which is undesirable in any scheme. Because the secure signature scheme must first ensure that the secret key cannot be recovered in any device.

这种基于Shamir秘密共享方案的基本原理是：The basic principle of this Shamir-based secret sharing scheme is:

给出一个多项式 $f (x) = Σ_{i = 0}^{t - 1} a_{i} x_{i},$ 利用LaGrange插值公式，有：given a polynomial $f (x) = Σ_{i = 0}^{t - 1} a_{i} x_{i},$ Using the LaGrange interpolation formula, there are:

$f f ((x x)) = = {Σ Σ}_{i i = = 11}^{t t} ((f f (({x x}_{i i})) {Π Π}_{j j = = 11,, t t}^{j j &NotEqual; &NotEqual; i i} \frac{x x - - {x x}_{j j}}{{x x}_{i i} - - {x x}_{j j}})) - - - - - - ((11))$

任选t个x_i和f(x_i)，可以得到：Choose t x _i and f( _xi ), you can get:

${a a}_{00} = = f f ((00)) = = {Σ Σ}_{i i = = 11}^{t t} ((f f (({x x}_{i i})) {Π Π}_{j j = = 11,, t t}^{j j &NotEqual; &NotEqual; i i} \frac{- - {x x}_{j j}}{{x x}_{i i} - - {x x}_{j j}})) - - - - - - ((22))$

可以设置a₀为秘密密钥d，此时，对一个HASH值M的签名计算为：You can set a ₀ as the secret key d, at this time, the signature calculation for a HASH value M is:

${M m}^{d d} = = {M m}^{f f ((00))} = = {Π Π}_{i i = = 11}^{t t} {M m}^{f f (({x x}_{i i})) {Π Π}_{j j = = 11,, t t}^{j j &NotEqual; &NotEqual; i i} \frac{- - {x x}_{j j}}{{x x}_{i i} - - {x x}_{j j}}} = = {Π Π}_{i i = = 11}^{t t} {M m}^{{b b}_{i i}} - - - - - - ((33))$

其中 $b_{i} = f (x_{i}) * c_{i} = f (x_{i}) Π_{j = 1, t}^{j &NotEqual; i} \frac{- x_{j}}{x_{i} - x_{j}} - - - (4)$ in $b_{i} = f (x_{i}) * c_{i} = f (x_{i}) Π_{j = 1, t}^{j &NotEqual; i} \frac{- x_{j}}{x_{i} - x_{j}} - - - (4)$

这样就可以将秘密密钥d分到k个分享服务器中去(k≥t)。每个分享服务器计算M^bi，然后由一个合成器将各个分享服务器的计算结果乘起来，就得到M^d，而任何分享服务器都不会泄露秘密密钥d。由于式(4)的b_i中有除法计算，这很容易让人想到找一个域或环Z_v来进行计算。其中，必须满足的条件是：v为素数，或者保证所有由x_i构成的t阶(Vandermonde)矩阵的行列式的值与v互素。In this way, the secret key d can be divided into k shared servers (k≥t). Each sharing server calculates M ^bi , and then a synthesizer multiplies the calculation results of each sharing server to obtain M ^d , and any sharing server will not disclose the secret key d. Since there is a division calculation in b _i in formula (4), it is easy to think of finding a field or ring Z _v for calculation. Among them, the condition that must be satisfied is: v is a prime number, or the value of the determinant of all t-order (Vandermonde) matrices formed by x _i is guaranteed to be mutually prime to v.

在一般情况下，分开计算M^bi后带来的结果就是要做乘法： $Π_{i = 1}^{t} M^{b_{i}} = M^{d + wv} .$ 如何去掉v的影响，许多人想到了用Φ(N)，因为M^Φ(N)＝1。但选择v＝Φ(N)会使x_i的选取大大受限于上述条件，并且知道了某元素o与其对Φ(N)的逆o^-1，就可以求出Φ(N)，显然这是不安全的。In general, the result of calculating M ^bi separately is to do multiplication: $Π_{i = 1}^{t} m^{b_{i}} = m^{d + wv} .$ How to remove the influence of v, many people think of using Φ(N), because M ^Φ(N) =1. But choosing v=Φ(N) will make the selection of x _i greatly limited by the above conditions, and knowing a certain element o and its inverse o ^-1 to Φ(N), we can find Φ(N), obviously this is not safe.

因此，从理论上可以看出上述方案都有明显的弱点，距离实际应用还有很多问题需要解决。Therefore, it can be seen from the theory that the above schemes have obvious weaknesses, and there are still many problems to be solved before the actual application.

发明内容Contents of the invention

本发明的目的是设计一种数字签名系统与安全签名方法，是一种入侵容忍的安全签名系统与方法，在现有实现CA安全的基本原理基础上，消除预先同步的问题，能满足在线CA的安全要求，当系统的部分部件被攻击或被占领，或当系统的部分关键部件进行合谋时也能确保系统机密不泄露。The purpose of the present invention is to design a digital signature system and security signature method, which is an intrusion-tolerant security signature system and method. On the basis of the existing basic principles of CA security, the problem of pre-synchronization can be eliminated, and online CA can be satisfied. The security requirements of the system can also ensure that the system secrets are not leaked when some components of the system are attacked or occupied, or when some key components of the system conspire.

本发明的安全数字签名方法，CA以RSA算法为基础。该方法至少应该满足以下条件：In the secure digital signature method of the present invention, the CA is based on the RSA algorithm. The method should at least meet the following conditions:

1.入侵者虽然攻击或占有了系统中的若干部件，或某些关键部件合谋起来进行攻击，也不能得到私钥；1. Although the intruder attacks or occupies several components in the system, or some key components conspire to attack, they cannot obtain the private key;

2.系统很容易扩充，当需要增加一个分享运算器时，不影响整个系统的工作；2. The system is easy to expand. When a shared calculator needs to be added, it will not affect the work of the entire system;

3.运行时的管理简单，管理包括增加，撤除，修改服务硬件与软件等，在有系统管理与配置活动时，不能影响系统运行；3. The management during operation is simple. Management includes adding, removing, and modifying service hardware and software. When there are system management and configuration activities, the system operation cannot be affected;

4.一个或多个设备损坏时不影响正常的服务；4. When one or more devices are damaged, the normal service will not be affected;

5.当一个分享运算器损坏时，整个系统的运行效率不会降低太多，即任务分配单元不需要知道任务执行者的任何信息；5. When a shared computing unit is damaged, the operating efficiency of the entire system will not decrease too much, that is, the task allocation unit does not need to know any information about the task executor;

6.开始计算时，任何设备都不需要知道他的合作者是谁，故不需要一个合作群的指定机构(预先同步)；6. When starting the calculation, any device does not need to know who its partner is, so there is no need for a designated organization of the cooperation group (pre-synchronization);

7.该系统的算法和原理都应该非常简单；7. The algorithm and principle of the system should be very simple;

8.设计完成后，整个系统的运行效率应该与常规系统保持在同一个档次。8. After the design is completed, the operating efficiency of the entire system should be kept at the same level as the conventional system.

实现本发明目的的技术方案是这样的：一种安全的数字签名系统，用于得到数字签名，其特征在于：The technical scheme that realizes the object of the present invention is such: a kind of safe digital signature system, is used for obtaining digital signature, is characterized in that:

包括至少一个在线的任务分配器、k个在线的秘密分享运算器、m个在线的秘密分享合成器和离线的子密钥分发器；离线的子密钥分发器在系统初始化或进行系统配置时与k个秘密分享运算器及m个秘密分享合成器分别连接进行子密钥发放，包括：对应k个秘密分享运算器生成随机数，并作为第一子密钥分发到k个秘密分享运算器中，和对应m个秘密分享合成器计算第二子密钥并预存在m个秘密分享合成器中；在线的任务分配器通过第一广播信道与k个秘密分享运算器连接，在计算数字签名处理过程中将需要签名的M值送k个秘密分享运算器，每个秘密分享运算器根据M值和第一子密钥进行计算，并将计算结果和M值通过第二广播信道送m个秘密分享合成器，每个秘密分享合成器根据接收结果、M值及预存的第二子密钥计算得到数字签名，k、m为正整数。Including at least one online task distributor, k online secret sharing operators, m online secret sharing synthesizers and offline sub-key distributors; the offline sub-key distributors are used during system initialization or system configuration Connect with k secret-sharing operators and m secret-sharing synthesizers to issue sub-keys, including: generating random numbers corresponding to k secret-sharing operators and distributing them as the first sub-key to k secret-sharing operators , and the corresponding m secret-sharing synthesizers calculate the second sub-key and pre-store it in m secret-sharing synthesizers; the online task distributor connects with k secret-sharing operators through the first broadcast channel, and calculates the digital signature During the processing, the M value that needs to be signed is sent to k secret sharing operators, and each secret sharing operator calculates according to the M value and the first subkey, and sends the calculation result and the M value to m secret sharing operators through the second broadcast channel. A secret sharing synthesizer, each secret sharing synthesizer calculates and obtains a digital signature according to the receiving result, the M value and the pre-stored second subkey, and k and m are positive integers.

更佳的是还包括一单独设置的输出接口设备，通过第三广播信道与m个秘密分享合成器连接。More preferably, it also includes a separately set output interface device, which is connected with m secret sharing synthesizers through the third broadcast channel.

更佳的是在所述的在线的任务分配器中设置一输出接口设备，通过所述的第一广播信道与所述的m个秘密分享合成器连接。More preferably, an output interface device is set in the online task allocator to connect with the m secret sharing synthesizers through the first broadcast channel.

所述的至少一个在线的任务分配器、k个在线的秘密分享运算器、m个在线的秘密分享合成器、离线的子密钥分发器均采用普通计算机或服务器。The at least one online task distributor, k online secret sharing operators, m online secret sharing synthesizers, and offline subkey distributors all use common computers or servers.

所述的第一广播信道、第二广播信道及第三广播信道是物理相连的一个信道或完全不相连的独立信道。The first broadcast channel, the second broadcast channel and the third broadcast channel are physically connected channels or independent channels that are not connected at all.

实现本发明目的的技术方案还是这样的：一种安全的数字签名方法，包括子密钥的发放和计算数字签名，其特征在于：The technical solution for realizing the purpose of the present invention is still like this: a safe digital signature method, including issuing and calculating digital signatures of subkeys, is characterized in that:

所述的子密钥的发放包括以下处理步骤：The issuance of the subkey includes the following processing steps:

A.设置一个安全数字签名系统，包括在线的任务分配器、在线的k个秘密分享运算器、在线的m个秘密分享合成器、广播信道和离线的子密钥分发器，k、m为正整数；A. Set up a secure digital signature system, including online task distributors, online k secret sharing operators, online m secret sharing synthesizers, broadcast channels and offline subkey distributors, where k and m are positive integer;

B.离线的子密钥分发器将保存的数字签名私钥d表示成由t个第一子密钥dj及一个第二子密钥ci的和，d、t、c、j、i均为正整数并让t＜k，j是第一子密钥dj变量的序号；B. The offline subkey distributor expresses the saved digital signature private key d as the sum of t first subkeys dj and a second subkey ci, where d, t, c, j, and i are all Positive integer and let t<k, j is the serial number of the first subkey dj variable;

C.离线的子密钥分发器将k个随机数作为第一子密钥d_j对应分发到k个秘密分享运算器中，并根据步骤B中的和式通过相减获得一组第二子密钥c_i及其方程组合表示，将全部第二子密钥c_i及其方程组合表示放在一个大组中；C. The offline sub-key distributor distributes k random numbers as the first sub-key d _j to k secret sharing operators, and obtains a set of second sub-keys by subtraction according to the sum formula in step B Key c _i and its equation combination representation, put all the second subkey c _i and its equation combination representation in a large group;

D.离线的子密钥分发器按合成器安全条件对该大组中的全部第二子密钥c_i及其方程组合表示进行穷搜，获得m个分组的第二子密钥c_i及其方程组合表示：D. The off-line sub-key distributor conducts an exhaustive search for all the second sub-keys _ci and their equation combination representations in the large group according to the security conditions of the synthesizer, and obtains the second sub-keys _ci and Its equation combination expresses:

E离线的子密钥分发器将m个分组的第二子密钥c_i及其方程组合表示对应送到m个秘密分享合成器中预存；E offline sub-key distributor sends m grouped second sub-keys _ci and their equation combination representations to m secret sharing synthesizers for pre-stored;

所述的计算数字签名包括以下处理步骤：The described computing digital signature includes the following processing steps:

F.在线的任务分配器将需要签名的HASH值M通过广播数据包经第一广播信道送往k个秘密分享运算器；F. The online task distributor sends the HASH value M that needs to be signed to k secret sharing operators through the broadcast data packet through the first broadcast channel;

G.k个秘密分享运算器中的t个或t个以上的秘密分享运算器根据接收的M值计算升幂M^dj，并将本秘密分享运算器的代号j、需要签名的HASH值M及计算结果M^dj通过广播数据包经第二广播信道送往m个秘密分享合成器；Among the Gk secret sharing operators, t or more secret sharing operators calculate the raising power M ^dj according to the received M value, and send the code j of the secret sharing operator, the HASH value M to be signed and the calculation result M ^dj sends the broadcast data packet to m secret sharing synthesizers through the second broadcast channel;

H.m个秘密分享合成器将接收结果与预存分组的第二子密钥c_i的方程组合表示进行比较，找到可以匹配的方程组合表示并得到相应的第二子密钥c_i，再将与组合匹配的t个秘密分享运算器的升幂运算结果相乘得到结果R，根据找到的第二子密钥c_i求出M^ci，最后将M^ci与R相乘得到数字签名S＝M^d。Hm secret sharing synthesizers compare the received result with the equation combination representation of the second subkey c _i of the pre-stored group, find a matching equation combination representation and obtain the corresponding second subkey c _i , and then combine with Multiply the exponentiation results of the matching t secret sharing operators to obtain the result R, calculate M ^ci according to the found second subkey _ci , and finally multiply M ^ci and R to obtain the digital signature S=M ^d .

更佳的是，所述的步骤A中还包括给在线的任务分配器任意给定一个代号、给k个秘密分享运算器分别给定不相同的代号、给m个秘密分享合成器分别给定不相同的代号和设定t的初始值。More preferably, the step A also includes randomly assigning a code name to the online task allocator, assigning different code names to k secret sharing operators, and assigning m secret sharing synthesizers respectively Not the same code and set the initial value of t.

更佳的是，所述的步骤C，进一步包括：More preferably, said step C further includes:

c1．由离线的子密钥分发器取k个小于d/t的随机数作为第一子密钥d_j；c1. Take k random numbers less than d/t as the first subkey d _j by the offline subkey distributor;

c2．由离线的子密钥分发器通过管理许可的方式将k个第一子密钥d_j对应送到k个秘密分享运算器中；c2. The offline sub-key distributor sends the k first sub-keys d _j to the k secret sharing operators correspondingly through management permission;

c3．由离线的子密钥分发器从k个第一子密钥(d₁、d₂、d₃、...、d_k)中取出t个d_j，按组合算式形成 $n = C_{k}^{t}$ 种组合表示，并根据所述的和式计算所有组合表示所对应的第二子密钥c_i，(i＝1、2、...、n)，构成所述的方程组合表示大组。c3. Take t d _j from the k first sub-keys (d ₁ , d ₂ , d ₃ , ..., d _k ) by the offline sub-key distributor, and form them according to the combination formula $no = C_{k}^{t}$ combination representations, and calculate the second sub-keys c _i corresponding to all combination representations according to the sum formula (i=1, 2, . . .

更佳的是，所述的步骤D进一步包括：More preferably, described step D further comprises:

d1．对所述的大组中的组合随机设定一个顺序，并随机设定一个空的分组B；d1. Randomly setting an order for the combinations in the large group, and randomly setting an empty group B;

d2．从大组中顺序取出一个第二子密钥c_i及其方程组合表示，记为组合表示A，判断A放入B中是否满足合成器安全条件，如果满足就放入分组B中并从大组中删除该组合及对应的第二子密钥，如果不满足合成器安全条件，就将该组合及对应的第二子密钥仍旧保持在大组中；d2. Take out a second subkey _ci and its equation combination representation from the large group sequentially, record it as the combination representation A, judge whether putting A into B satisfies the safety condition of the synthesizer, if so, put it into group B and start from the large group delete the combination and the corresponding second subkey from the group, and if the security condition of the synthesizer is not satisfied, the combination and the corresponding second subkey are still kept in the large group;

d3．针对大组中所有的组合重复执行步骤d2；d3. Repeat step d2 for all combinations in the large group;

d4．如果大组中还有组合表示，确定第二个空的分组为B，并重复执行步骤d2、d3，直至大组中已没有任何第二子密钥c_i及其方程组合表示时为止：d4. If there is still a combination representation in the large group, determine the second empty group as B, and repeat steps d2 and d3 until there is no second subkey _ci and its equation combination representation in the large group:

d5．统计形成的不空的分组个数m，是所述的m个分组。d5. The number m of non-empty groups formed by statistics is the m groups mentioned above.

所述的判断是否满足合成器安全条件，进一步包括：将组合表示A中变量的序号与分组B中的组合表示q_s中变量的序号进行比较，如果组合表示A中有且组合表示q_s中没有的变量的序号个数大于t/2，该组合表示A对组合表示q_s是满足安全条件的；如果组合表示A对分组B中的每一个组合都满足安全条件，则组合表示A放入分组B中是满足合成器安全条件的。Whether the described judgment meets the safety condition of the synthesizer further includes: comparing the serial number of the variable in the combined representation A with the serial number of the variable in the combined representation q _s in the group B, if there is in the combined representation A and in the combined representation q _s The number of serial numbers of the variables that do not exist is greater than t/2, and this combination indicates that A meets the security conditions for the combination of q _s ; if the combination indicates that A meets the security conditions for each combination in group B, the combination indicates that A is put In group B, the synthesizer security condition is satisfied.

更佳的是，所述的步骤E，由离线的子密钥分发器通过管理允许的方式将所述m个分组的第二子密钥c_i及其对应的方程组合表示对应分送到所述的m个秘密分享合成器中。More preferably, in the step E, the offline sub-key distributor distributes the second sub-keys c _i of the m groups and their corresponding equation combination representations to the In the m secret sharing synthesizer described above.

更佳的是，所述的离线的子密钥分发器在执行完步骤A、B、C、D、E完成子密钥的分发后，处于物理隔离状态或处于关机状态。More preferably, the offline subkey distributor is in a physically isolated state or shut down after executing steps A, B, C, D, and E to distribute the subkeys.

更佳的是，所述的步骤F进一步包括：More preferably, described step F further comprises:

f1.由在线的任务分配器接收数字签名任务，并进行安全检查与核对；f1. The online task distributor receives digitally signed tasks, and conducts security checks and checks;

f2.由在线的任务分配器为该任务确定一个在预定的时间内对任务分配器是唯一的任务号；f2. Determine a task number that is unique to the task distributor within a predetermined time for the task by the online task distributor;

f3.由在线的任务分配器将其代号及任务号随需要签名的HASH值M组成所述的广播数据包广播到所述的第一广播信道上；f3. Broadcast the broadcast data packet composed of its code name and task number along with the HASH value M that needs to be signed to the first broadcast channel by the online task distributor;

所述的步骤G进一步包括：Described step G further comprises:

g1.接收到广播后的t个或t个以上的秘密分享运算器向该在线的任务分配器发出已经接收的通知；g1. After receiving the broadcast, t or more secret sharing operators send a notification to the online task allocator that they have been received;

g2.t个或t个以上的秘密分享运算器检查任务的唯一性，在确定为新任务时进行所述升幂的计算；g2. t or more secret sharing calculators check the uniqueness of the task, and perform the calculation of raising the power when it is determined to be a new task;

g3.t个或t个以上的秘密分享运算器还将该在线的任务分配器的代号、任务的任务号随本秘密分享运算器的代号j、需要签名的HASH值M及计算结果M^dj组成所述的广播数据包广播到所述的第二广播信道上；g3. t or more secret sharing calculators will also form the code name of the online task allocator and the task number along with the code j of the secret sharing calculator, the HASH value M to be signed and the calculation result M ^dj The broadcast data packet is broadcast to the second broadcast channel;

所述的步骤H，进一步包括：Described step H, further comprises:

h1.接收到广播的秘密分享合成器将具有相同任务分配器代号及任务号的广播数据包放在一组中；h1. The secret sharing synthesizer that receives the broadcast puts the broadcast data packets with the same task dispatcher code and task number in one group;

h2.上述秘密分享合成器至少找出t个广播数据包，再从中找出与所述预存的方程组合表示匹配的一个方程组合表示，并得到对应的第二子密钥c_i。h2. The above-mentioned secret sharing synthesizer finds at least t broadcast data packets, and then finds an equation combination representation matching the pre-stored equation combination representation, and obtains the corresponding second subkey c _i .

所述的步骤F、G、H是顺序执行完成数字签名的计算操作。The steps F, G, and H are executed sequentially to complete the calculation operation of the digital signature.

更佳的是，所述的步骤H后还包括一步骤I，由在线的秘密分享合成器，将数字签名S＝M^d与任务分配器代号、任务号组成广播数据包广播到一在线的输出接口设备上，并由该输出接口设备用公开密钥检查签名结果，是正确时结束数字签名，是错误时进行错误处理或告警。More preferably, said step H also includes a step I, by the online secret sharing synthesizer, the digital signature S=M ^d and the task distributor code number, task number to form a broadcast data packet and broadcast to an online output On the interface device, the output interface device checks the signature result with the public key, ends the digital signature if it is correct, and performs error handling or alarm if it is wrong.

更佳的是，所述步骤I，是由在线的秘密分享合成器通过一第三广播信道将所述的广播数据包广播到一单独设置的在线的输出接口设备上。More preferably, in the step I, the online secret sharing synthesizer broadcasts the broadcast data packet to a separately set online output interface device through a third broadcast channel.

更佳的是，所述步骤I，是由在线的秘密分享合成器通过所述的第一广播信道将所述的广播数据包广播到设置在任务分配器中的输出接口设备上。More preferably, in the step I, the online secret sharing synthesizer broadcasts the broadcast data packet to the output interface device set in the task allocator through the first broadcast channel.

本发明的安全的数字签名系统及方法，基于RSA算法，通过一种不平衡的双层结构的秘密分享，克服了背景技术中系统管理与实现上的困难，达到发明的目的。The secure digital signature system and method of the present invention is based on the RSA algorithm, through an unbalanced double-layer structure of secret sharing, overcomes the difficulties in system management and implementation in the background technology, and achieves the purpose of the invention.

本发明的方法与系统具有下列特点：The method and system of the present invention have the following characteristics:

1.在线的任务分配器无须选定秘密分享运算器和指定密钥就可以广播数字签名任务，在系统更新时可保证不影响在线任务分配器的工作，在某台秘密分享运算器突然损坏时也不会影响广播任务的执行时间(如果指定由某台秘密分享运算器计算，而此台设备最后并没有响应，则必须重新指定设备与密钥并重新开始)；1. The online task distributor can broadcast digital signature tasks without selecting a secret sharing calculator and specifying a key. When the system is updated, it can guarantee that the work of the online task distributor will not be affected. When a secret sharing calculator is suddenly damaged It will also not affect the execution time of the broadcast task (if it is designated to be calculated by a secret sharing calculator, but this device does not respond in the end, you must re-designate the device and key and start again);

2.在增加一台秘密分享运算器时只需给它生成一个子密钥，离线的子密钥分发器会根据新加的秘密分享运算器的序号与已有的秘密分享运算器的序号进行方程组合，计算出相应的第二子密钥c，然后将这些新增的方程组合表示与计算出的c以密钥管理认可的方式添加到秘密分享合成器中去，这种添加是不影响系统工作的；2. When adding a secret sharing operator, you only need to generate a sub-key for it, and the offline sub-key distributor will compare the serial number of the newly added secret sharing operator with the serial number of the existing secret sharing operator. Equation combination, calculate the corresponding second subkey c, and then add these newly added equation combination expressions and calculated c to the secret sharing synthesizer in a way approved by key management. This addition does not affect the system works;

3.在撤除一台秘密分享运算器时，只需关闭该设备，为保证效率起见，可以删除秘密分享合成器中有关该秘密分享计算器序号的组合表示和相应的c_n；3. When dismantling a secret sharing calculator, it is only necessary to turn off the device. For the sake of efficiency, the combined representation of the serial number of the secret sharing calculator and the corresponding c _n in the secret sharing synthesizer can be deleted;

4.同时，本发明同其他背景技术一样，也具有入侵容忍的能力，当小于t台秘密分享计算器被入侵以后，不会泄露系统秘密d，而且由于增加了秘密分享合成器的结构，即使所有的秘密分享计算器都被入侵，也不会泄露系统秘密d(从理论上也可以证明，攻击秘密分享合成器也无法得到系统秘密d，尽管方程个数很多，但所有方程的系数矩阵的秩小于变量的个数)；4. Simultaneously, the present invention, like other background technologies, also has the ability of intrusion tolerance, when less than t sets of secret sharing calculators are invaded, the system secret d will not be revealed, and because the structure of the secret sharing synthesizer is added, even if All secret-sharing calculators are hacked, and the system secret d will not be disclosed (it can also be proved theoretically that the system secret d cannot be obtained by attacking the secret-sharing synthesizer. Although there are many equations, the coefficient matrix of all equations rank is less than the number of variables);

5.可抵制秘密分享运算器与秘密分享合成器合谋对系统的攻击，即当一台秘密分享运算器与一台秘密分享合成器联合攻击系统时也不能求出秘密d。5. It can resist the attack of the secret sharing calculator and the secret sharing synthesizer colluding with the system, that is, when a secret sharing calculator and a secret sharing synthesizer jointly attack the system, the secret d cannot be obtained.

附图说明Description of drawings

图1是Stanford大学研究的ITTC项目方案中关于CA系统的原型结构示意图。Figure 1 is a schematic diagram of the prototype structure of the CA system in the ITTC project plan studied by Stanford University.

图2是本发明的一种安全数字签名系统的结构示意图。Fig. 2 is a schematic structural diagram of a secure digital signature system of the present invention.

图3是本发明的另一种安全数字签名系统的结构示意图。Fig. 3 is a schematic structural diagram of another secure digital signature system of the present invention.

图4是一种秘密分享运算器的实施流程框图。Fig. 4 is a block diagram of an implementation flow of a secret sharing calculator.

图5是一种秘密分享合成器的实施流程框图。Fig. 5 is a block diagram of an implementation flow of a secret sharing synthesizer.

具体实施方式Detailed ways

参见图2，图中示意出一种安全的数字签名系统结构，该系统结构采用RSA算法为基本算法。Referring to Fig. 2, the figure schematically shows a secure digital signature system structure, which adopts the RSA algorithm as the basic algorithm.

该结构中包含一台离线的子密钥分发机(器，以下同)21，至少一台在线的任务分配机22、k台在线的秘密分享运算器23、m台在线的秘密分享合成器24和一台独立设置的在线的输出接口设备25。这些设备都可以由不同的普通计算机或服务器来担任。在线的任务分配机22通过广播信道B1(如UDP协议信道)与k台子秘密分享运算器23连接，k台子秘密分享运算器23通过广播信道B2与m台秘密分享合成器24连接，m台秘密分享合成器24通过广播信道B3与输出接口设备25连接，离线的子密钥分发机在系统初始化或进行系统配置时分别连接k台子秘密分享运算器23及m台秘密分享合成器24(如图中虚线所示)。This structure includes an offline sub-key distribution machine (device, the same below) 21, at least one online task distribution machine 22, k online secret sharing calculators 23, and m online secret sharing synthesizers 24 And an independently set online output interface device 25. These devices can all be served by different ordinary computers or servers. The online task distribution machine 22 is connected with the k station secret sharing computing unit 23 through the broadcast channel B1 (such as UDP protocol channel), and the k station secret sharing computing unit 23 is connected with the m station secret sharing synthesizer 24 through the broadcast channel B2. The sharing synthesizer 24 is connected to the output interface device 25 through the broadcast channel B3, and the offline sub-key distribution machine is respectively connected to the k sub-secret sharing computing unit 23 and the m sub-secret sharing computing unit 24 (as shown in the figure) when the system is initialized or the system is configured. shown by the dotted line).

离线的子密钥分发器21保存秘密d，不与其他系统有网络连接。广播信道B1、B2、B3可以是物理相连的一个广播信道或完全不相连、彼此独立的广播信道。The off-line sub-key distributor 21 keeps the secret d and does not have network connection with other systems. The broadcast channels B1, B2, and B3 may be one broadcast channel that is physically connected, or broadcast channels that are completely unconnected and independent of each other.

实现整个系统结构的基础原理是将一个大整数表示成若干个整数的和，采用如d＝d₁+d₂+d₃+...+d_t+c_j的表达式，用d_j表示方程中d₁至d_t中的任意一项，将数字签名中的私钥设为方程中的d，d_j的个数有t个，d、d₁、d₂、d₃...d_t、c_j均为正整数，d_j采用随机数以实现简单管理。该方程表达式不同于背景技术中方程表达式d＝d₁+d₂+d₃+...+d_t的地方是增加了一个c_j项(i＝1，2，...，n)，从而形成一种新的安全的且易于管理的系统结构。The basic principle of realizing the whole system structure is to express a large integer as the sum of several integers, using an expression such as d=d ₁ +d ₂ +d ₃ +...+d _t +c _j , expressed by d _j Any one of d ₁ to d _t in the equation, set the private key in the digital signature as d in the equation, the number of d _j is t, d, d ₁ , d ₂ , d ₃ ...d Both _t and c _j are positive integers, and d _j uses random numbers to realize simple management. This equation expression differs from the equation expression d=d ₁ +d ₂ +d ₃ +...+d _t in the background technology in that a c _j term (i=1, 2,..., n ), thus forming a new secure and easy-to-manage system structure.

该系统结构对秘密d的分享采用由两层部件共同作用完成，一层部件是由简单的秘密分享运算器23组成的，另一层部件是由秘密分享合成器24组成的，在秘密分享运算器23中分别保存各d_j项，在秘密分享合成器中保存c_j项，从而形成两层式的秘密分享结构，这两层设备中都存有子密钥，分别为第一子密钥d_j与第二子密钥c_j。该两层式的分享结构还表现在：只有第一层的秘密分享运算器完成计算后，第二层的秘密分享合成器才能开始工作；由于秘密分享合成器中也保存有子密钥c_j，因而秘密分享合成器是不可能被其他设备取代的。In this system structure, the sharing of secret d is completed by two layers of components. One layer of components is composed of a simple secret sharing calculator 23, and the other layer of components is composed of a secret sharing synthesizer 24. The d _j items are respectively stored in the device 23, and the c _j items are stored in the secret sharing synthesizer, thereby forming a two-layer secret sharing structure. Subkeys are stored in the two layers of equipment, respectively the first subkey d _j and the second subkey c _j . The two-layer sharing structure is also manifested in: only after the secret sharing operator of the first layer completes the calculation, the secret sharing synthesizer of the second layer can start to work; since the secret sharing synthesizer also saves the subkey c _j , so it is impossible for the secret sharing synthesizer to be replaced by other devices.

系统首先完成子密钥的分发，采用的操作过程如下：The system first completes the distribution of subkeys, and the operation process adopted is as follows:

离线的子密钥分发器21为每个秘密分享运算器23产生一个随机的d_j，对有k台秘密运算分享器23的系统来说，就会有k个第一子密钥d_j，j＝1，2，3，4，...，k。将这些第一子密钥通过密钥管理认可的方式送至对应的秘密分享运算器23。The off-line sub-key distributor 21 generates a random d _j for each secret sharing operator 23, for a system with k secret operation sharers 23, there will be k first sub-keys d _j , j=1, 2, 3, 4, . . . , k. These first subkeys are sent to the corresponding secret sharing calculator 23 in a manner approved by key management.

需预先设计合适的t，t的含义就是当t-1台秘密分享运算器23被入侵后不会影响系统的安全性。应该保证t＜k，以保证系统可以从k个秘密分享运算器23中取到t个结果完成运算。It is necessary to design a suitable t in advance, and the meaning of t is that when t-1 secret sharing calculators 23 are invaded, the security of the system will not be affected. It should be guaranteed that t<k, so as to ensure that the system can obtain t results from k secret sharing calculators 23 to complete the calculation.

离线的子密钥分发器21从k个子密钥中取出t个子密钥，根据方程d＝d₁+d₂+d₃+...+d_t+c_i再通过作减法可以求出c_i。由于从k个中取t个共有C_k ^t种取法，故可以计算出C_k ^t个方程的c_i。这里， $n = C_{k}^{t}$ 代表组合，如 $C_{5}^{3} = 10,$ 就有10个c_i值和10个方程组合表示，每一个方程组合表示是所对应的t个第一子密钥d_j下标标号(或者说是变量的序号)的组合，这样的一个方程所对应的密钥d_j的标号为密钥组合。显然，一个方程组合内的不同的第一子密钥是在不同的秘密分享运算器内，方程组合表示只与第一子密钥d_j下标标号j(或者说是变量的序号)有关，不泄露任何子密钥的信息。The offline sub-key distributor 21 takes t sub-keys out of k sub-keys, according to the equation d=d ₁ +d ₂ +d ₃ +...+d _t +c _i can then calculate c by subtraction _i . Since there are C _k ^t methods of taking t out of k, the c _i of C _k ^t equations can be calculated. here, $no = C_{k}^{t}$ represents combinations such as $C_{5}^{3} = 10,$ There are 10 _ci values and 10 equation combinations, and each equation combination is a combination of the corresponding t first subkey d _j subscripts (or serial numbers of variables), such an equation The label of the corresponding key d _j is the key combination. Obviously, different first subkeys in an equation combination are in different secret sharing operators, and the equation combination is only related to the subscript j of the first subkey d _j (or the serial number of the variable), Do not disclose any subkey information.

d_j的比特数远小于c_i比特数的1/4，如当d为2048bits的数时，c_i为2048bits的数，d_j为500bits的数或更少，以保证秘密分享运算器23的运算速度，从而提高整个数字签名系统的运算速度。The number of bits of d _j is far less than 1/4 of the number of bits of c _i , such as when d is a number of 2048 bits, c _i is a number of 2048 bits, and d _j is a number of 500 bits or less, so as to ensure the secret sharing operation unit 23 Operation speed, thereby improving the operation speed of the entire digital signature system.

离线的子密钥分发器21对所有的方程组合表示以及对应的c_i值，按合成器安全条件通过穷搜进行分组，每一分组内的方程组合表示是有限的，再按分组的个数(m)对应设置秘密分享合成器(m个)，来对应存储这些分组的方程组合表示以及对应的c_i值。以图中设置5台秘密分享运算器23(k＝5)和设t＝3为例说明。The off-line sub-key distributor 21 groups all equation combinations and corresponding _ci values according to the security conditions of the synthesizer through exhaustive search. The equation combinations in each group are limited, and then according to the number of groups (m) Correspondingly set secret sharing synthesizers (m) to store the equation combination representations of these groups and the corresponding c _i values. In the figure, five secret sharing calculators 23 (k=5) and t=3 are set as an example for illustration.

如将十个方程分成如下5组：For example, the ten equations are divided into the following five groups:

第一组First group

c₁＝d-d₁-d₂-d₃ 方程组合表示(1，2，3)c ₁ ＝dd ₁ -d ₂ -d ₃ Equation combination representation (1, 2, 3)

c₆＝d-d₁-d₄-d₅ 方程组合表示(1，4，5)c ₆ ＝dd ₁ -d ₄ -d ₅ Equation combination representation (1, 4, 5)

第二组Second Group

c₁₀＝d-d₃-d₄-d₅ 方程组合表示(3，4，5)c ₁₀ = dd ₃ -d ₄ -d ₅ Equation combination representation (3, 4, 5)

c₃＝d-d₁-d₂-d₅ 方程组合表示(1，2，5)c ₃ ＝dd ₁ -d ₂ -d ₅ Equation combination representation (1, 2, 5)

第三组The third group

c₂＝d-d₁-d₂-d₄ 方程组合表示(1，2，4)c ₂ ＝dd ₁ -d ₂ -d ₄ Equation combination representation (1, 2, 4)

c₈＝d-d₂-d₃-d₅ 方程组合表示(2，3，5)c ₈ ＝dd ₂ -d ₃ -d ₅ Equation combination representation (2, 3, 5)

第四组Fourth group

c₄＝d-d₁-d₃-d₄ 方程组合表示(1，3，4)c ₄ ＝dd ₁ -d ₃ -d ₄ Equation combination representation (1, 3, 4)

c₉＝d-d₂-d₄-d₅ 方程组合表示(2，4，5)c ₉ ＝dd ₂ -d ₄ -d ₅ Equation combination representation (2, 4, 5)

第五组fifth group

c₇＝d-d₂-d₃-d₅ 方程组合表示(2，3，4)c ₇ ＝dd ₂ -d ₃ -d ₅ Equation combination representation (2, 3, 4)

c₅＝d-d₁-d₃-d₅ 方程组合表示(1，3，5)c ₅ ＝dd ₁ -d ₃ -d ₅ Equation combination representation (1, 3, 5)

则选用5台秘密分享合成器24，分别存储这五组参数。Then select five secret sharing synthesizers 24 to store these five groups of parameters respectively.

如何分组是实施本发明方案的关键问题。从秘密分享合成器24看来，其c_i是已知的，其他都是未知的变量。合成器安全条件是根据其方程和系统安全性要求提出的，即：一个秘密分享合成器内所含方程经线性组合得到的新的方程，其变量的个数大于t。How to group is the key problem of implementing the scheme of the present invention. From the perspective of the secret sharing combiner 24, its _ci is known, and the others are all unknown variables. The security condition of the synthesizer is put forward according to its equation and system security requirements, namely: a new equation obtained by linear combination of the equations contained in a secret sharing synthesizer, and the number of variables is greater than t.

满足该条件，就可以避免合成器与分享运算器对系统的合谋攻击。但是，该条件过于复杂，无法用程序或流程实现。因此为了实现安全的合成，必须有一个可行的算法。If this condition is met, the collusion attack on the system by the synthesizer and the shared operator can be avoided. However, this condition is too complex to be implemented with a program or process. Therefore, in order to achieve safe synthesis, there must be a feasible algorithm.

利用方程的特殊性，可使安全条件简化为：一个合成器内由任意两个方程的线性组合得到的方程，其变量的个数大于t。By using the particularity of the equation, the security condition can be simplified as: an equation obtained by a linear combination of any two equations in a synthesizer, and the number of variables is greater than t.

对于该简化的安全条件，其实施包括以下步骤：For this simplified security condition, its implementation includes the following steps:

步骤1，根据d＝d_j+...+d_t+c_i的表示式及组合式C_k ^t，有全部10种c_i的方程组合表示，分别为：Step 1, according to the expression of d=d _j +...+d _t + _ci and the combined formula C _k ^t , there are all 10 kinds of combined expressions of c _i , which are respectively:

将他们全部放入一大组中，并指定以上顺序；Put them all into one big group, specifying the above order;

步骤2，从该大组中顺序取出一个组合，如方程组合表示(1，2，3)，c₁＝d-d₁-d₂-d₃，并将其放入第一个分组中，该分组记为B；Step 2, take out a combination sequentially from the large group, such as the equation combination expression (1, 2, 3), c ₁ =dd ₁ -d ₂ -d ₃ , and put it into the first grouping, the grouping denoted as B;

步骤3，再从大组中顺序取出一个组合，如方程组合表示(1，2，4)，c₂＝d-d₁-d₂-d₄，记为组合表示A，并将分组B中组合表示均记为q_s；Step 3, take out a combination from the large group sequentially, such as the combination expression of the equation (1, 2, 4), c ₂ =dd ₁ -d ₂ -d ₄ , record it as combination expression A, and express the combination in group B Both are recorded as q _s ;

步骤4，将该组合表示A与第一分组B中的已有组合表示进行比较，判断比较结果是否满足安全条件，包括：Step 4, comparing the combination representation A with the existing combination representation in the first group B, and judging whether the comparison result meets the security conditions, including:

步骤41，将组合表示A中变量的序号与分组中各组合表示q_s中变量的序号进行比较，如果组合表示A中有的且组合表示q_s中没有的变量的序号个数大于3/2(t/2)，该组合表示q_s就算满足安全条件，如组合表示(1，2，3)与(3，4，5)比较，其不同序号的个数为2，在t＝3时组合表示(3，4，5)就满足安全条件，显然方程组合表示(1，2，3)，c₁＝d-d₁-d₂-d₃与组合表示A(1，3，5)，c₅＝d-d₁-d₃-d₅，相比较时，其不同序号的个数为1，不能满足安全条件；将对B中所有组合满足安全条件的组合表示A放在分组B中，将不能满足安全条件的分组表示仍保持在大组中；Step 41, compare the sequence numbers of the variables in combination representation A with the sequence numbers of the variables in each combination representation q _s in the grouping, if the sequence numbers of the variables that are present in combination representation A and not in combination representation q _s are greater than 3/2 (t/2), the combination means that even if q _s satisfies the safety condition, if the combination means (1, 2, 3) is compared with (3, 4, 5), the number of different serial numbers is 2, and when t=3 The combination expression (3, 4, 5) meets the safety condition, obviously the combination expression of the equation (1, 2, 3), c ₁ = dd ₁ -d ₂ -d ₃ and the combination expression A(1, 3, 5), c ₅ = dd ₁ -d ₃ -d ₅ , when compared, the number of its different serial numbers is 1, can not meet the safety condition; put the combination representation A that satisfies the safety condition for all the combinations in B in the group B, will not be able to Group representations that meet the security conditions remain in the large group;

步骤42，对大组中的所有组合表示逐一比较，让满足安全条件的组合表示继续放入分组B中，操作的结果是大组中已没有一个组合表示能符合合成器安全条件，即此时分组B中能满足合成器安全条件的所有组合表示只是(1，2，3)与(3，4，5)；Step 42, compare all combination representations in the large group one by one, let the combination representations that meet the safety conditions continue to be put into group B, the result of the operation is that there is no combination representation in the large group that can meet the synthesizer safety conditions, that is, at this time All combinations that can satisfy the synthesizer safety condition in group B are only (1, 2, 3) and (3, 4, 5);

步骤5，然后确定第二个分组，并重复步骤2、3、4，直至大组中已没有组合表示时为止，而形成如前所述的五个分组。Step 5, then determine the second group, and repeat steps 2, 3, and 4 until there is no combination representation in the large group, and five groups as mentioned above are formed.

该过程执行完成后，将所有不空分组的组合表示取出，每个分组中的组合表示通过管理允许的方式对应预存入一个秘密分享合成器中。After the process is completed, the combination representations of all non-empty groups are taken out, and the combination representations in each group are correspondingly pre-stored in a secret sharing synthesizer in a way allowed by management.

根据随机选取组合表示的不同，所形成的m个分组的组合表示也会是不同的，如：According to the different combination representations randomly selected, the combination representations of the formed m groups will also be different, such as:

第一组First group

第二组Second Group

第三组The third group

第四组Fourth group

第五组fifth group

第六组The sixth group

这种分组方法的最后结果就是要设置六个秘密分享合成器，来分别预存这六组c_i及其方程组合表示。The final result of this grouping method is to set up six secret sharing synthesizers to pre-store the six groups of _ci and their equation combination representations respectively.

因此，每个秘密分享合成器24并不存储针对所有子密钥d_j的所有组合，但所有秘密分享合成器24存储内容和的结果能保证包含针对秘密分享运算器的所有d_j组合。Therefore, each secret sharing combiner 24 does not store all combinations for all subkeys d _j , but all secret sharing combiners 24 store content and results that can guarantee to contain all d _j combinations for secret sharing operators.

系统进行计算数字签名的操作过程，运算时，秘密分享运算器23针对其拥有的子密钥计算升幂，秘密分享合成器寻找匹配组合，计算并合成结果。The system performs the operation process of calculating the digital signature. During the operation, the secret sharing calculator 23 calculates the raising power for the subkey it owns, and the secret sharing combiner finds a matching combination, calculates and synthesizes the result.

计算数字签名时：任务分配器将需要签名的HASH值M，经广播信道B1通过广播方式送往k个秘密分享运算器23，只要有超过t个正确的秘密分享运算器(指未被攻击的秘密分享运算器)收到数据就可以保证得到计算结果；When calculating a digital signature: the task distributor sends the HASH value M that needs to be signed to k secret sharing operators 23 via the broadcast channel B1, as long as there are more than t correct secret sharing operators (referring to the unattacked The secret sharing calculator) can guarantee the calculation result after receiving the data;

其中的第j个秘密分享运算器在收到数据后先计算升幂M^dj，每一个秘密分享运算器针对其拥有的第一子密钥计算升幂，并将自己的代号j、需要签名的HASH值M及计算结果M^dj经广播信道B2通过广播方式送到秘密分享合成器24；The j-th secret sharing operator calculates the raising power M ^dj after receiving the data, each secret sharing operator calculates the raising power for the first subkey it owns, and uses its own code j, The HASH value M and the calculation result M ^dj are sent to the secret sharing synthesizer 24 through the broadcast channel B2;

秘密分享合成器24对接收的数据包采用遍历方法与自己预存的方程组合表示进行比较，找到可以匹配的t个组合表示并得到相应的子密钥c_i，再将经组合匹配后的几个升幂结果相乘得到结果R，再根据找到的c_i求出M^ci，最后将M^ci与R相乘就得到应该得到的数字签名S＝M^d；The secret sharing combiner 24 compares the received data packets with the combination expressions of the equations stored in it by traversal method, finds t combination expressions that can be matched and obtains the corresponding sub-keys c _i , and then combines the matched Multiply the results of raising the power to get the result R, then calculate M ^ci according to the found _ci , and finally multiply M ^ci by R to get the digital signature S=M ^d that should be obtained;

秘密分享合成器24将数字签名结果S送到输出接口设备25，输出接口设备25根据公开密钥检查签名结果的正确性。The secret sharing synthesizer 24 sends the digital signature result S to the output interface device 25, and the output interface device 25 checks the correctness of the signature result according to the public key.

以上计算流程中，所有广播的数据包内还应包括：任务分配器的代号，任务分配器分配的任务代号等。以保证系统能够区分不同的任务，支持多任务并行操作。In the above calculation process, all broadcast data packets should also include: the code name of the task allocator, the task code assigned by the task allocator, etc. To ensure that the system can distinguish different tasks and support multi-task parallel operation.

参见图3，是一个安全数字签名系统的实施例结构，使用一台离线的子密钥分发器31，5台秘密分享运算器33(k＝5)，五台秘密分享合成器34，一台在线的任务分配器32并兼做输出接口设备，在线的任务分配器32通过广播信道B1与5台秘密分享运算器33连接，5台秘密分享运算器33通过广播信道B2与五台秘密分享合成器34连接，五台秘密分享合成器34还通过广播信道B1与在线的任务分配器32连接，一台离线的子密钥分发器31在系统初始化或系统配置时分别连接5台秘密分享运算器33及两台秘密分享合成器34。Referring to Fig. 3, it is an embodiment structure of a secure digital signature system, using an offline sub-key distributor 31, five secret sharing operators 33 (k=5), five secret sharing synthesizers 34, one The online task allocator 32 also serves as an output interface device. The online task allocator 32 is connected to five secret sharing calculators 33 through the broadcast channel B1, and the five secret sharing calculators 33 are synthesized with five secret sharing calculators through the broadcast channel B2. The five secret sharing synthesizers 34 are also connected to the online task distributor 32 through the broadcast channel B1, and an offline sub-key distributor 31 is respectively connected to five secret sharing operators during system initialization or system configuration. 33 and two secret sharing synthesizers 34.

先进行子密钥的发放操作：First perform the issuing operation of the subkey:

给定在线的任务分配器32任意一个代号，如22，给定各秘密分享计算器33一个代号，如1，2，3，4，5，给定各秘密分享合成器34一个代号，如1，2，3，4，5，系统设定初始值t＝3，由离线的子密钥分发器31掌握秘密密钥d；Given any code number of the online task distributor 32, such as 22, a code name of each secret sharing calculator 33, such as 1, 2, 3, 4, 5, and a code name of each secret sharing synthesizer 34, such as 1 , 2, 3, 4, 5, the system sets the initial value t=3, and the offline subkey distributor 31 grasps the secret key d;

离线的子密钥分发器31任意选定5个小于d/3(d/t)的随机数d₁，d₂，d₃，d₄，d₅，通过某种管理许可的方式将d₁送到1号秘密分享计算器，将d₂送到2号秘密分享计算器，将d₃送到3号秘密分享计算器，将d₄送到4号秘密分享计算器，将d₅送到5号秘密分享计算器；Offline sub-key distributor 31 arbitrarily selects 5 random numbers d ₁ , d ₂ , d ₃ , d ₄ , d ₅ less than d/3(d/t), and assigns d ₁ Send to secret sharing calculator #1, send _d2 to secret sharing calculator #2, send d3 to secret sharing calculator # ₃ , send _d4 to secret sharing calculator #4, send _d5 to No. 5 Secret Sharing Calculator;

根据d＝d_j+...+d_t+c_i的表示式及组合式C_k ^t，组成一个大组，含有10种c_i的方程组合表示及10个c_i；According to the expression of d=d _j +...+d _t + _ci and the combination formula C _k ^t , a large group is formed, which contains 10 kinds of equation combination expressions of _ci and 10 _ci ;

按分享器安全条件通过穷搜获得五个分组及其c_i的组合表示；Obtain the combined representation of five groups and their c _i through exhaustive search according to the security conditions of the sharer;

离线的子密钥分发器31将这五个分组的c_i值及相应的方程组合表示一起以管理允许的方式对应送到五个秘密分享合成器34中，即每个秘密分享合成器34中各有二个方程组合表示和二个对应的c_i值。The off-line sub-key distributor 31 sends the _ci values of the five groups and the corresponding equation combination expressions to the five secret sharing synthesizers 34 in a management-allowed manner, that is, each secret sharing synthesizer 34 Each has two equation combination representations and two corresponding _ci values.

子密钥发放完成后，离线的子密钥分发器31就可以关机了。After the subkey distribution is completed, the off-line subkey distributor 31 can be shut down.

计算数字签名的工作流程为：The workflow for computing a digital signature is:

由在线的任务分配器32接收必须签名的任务，并做相应的安全检查和核对，然后求需要签名的HASH值M；The task that must be signed is received by the online task distributor 32, and corresponding security checks and checks are performed, and then the HASH value M that needs to be signed is obtained;

由在线的任务分配器32为当前的签名确定一个任务号，该任务号应该在一定时间范围内(如两天)对该任务分配器来说是唯一的；Determine a task number for the current signature by the online task distributor 32, which should be unique to the task distributor within a certain time frame (such as two days);

任务分配器将自己的代号(22)，该任务的任务号，HASH值M组成一个数据包广播到广播信道B1上；The task allocator broadcasts its own code (22), the task number of the task, and the HASH value M into a data packet to the broadcast channel B1;

秘密分享计算器j(秘密分享计算器33中的至少3个秘密分享计算器，t＝3)收到广播后，通知任务分配器32已经成功接收；After the secret sharing calculator j (at least 3 secret sharing calculators in the secret sharing calculator 33, t=3) receives the broadcast, it notifies the task distributor 32 that it has successfully received;

秘密分享计算器j检查任务的唯一性，当该任务为新任务时，计算M^dj；The secret sharing calculator j checks the uniqueness of the task, and calculates M ^dj when the task is a new task;

秘密分享计算器j将自己的代号j，任务分配器代号22，任务号，HASH值M和计算结果M^dj向广播信道B2广播；Secret sharing calculator j broadcasts its own code j, task dispatcher code 22, task number, HASH value M and calculation result M ^dj to the broadcast channel B2;

秘密分享合成器34接收该广播数据包，并将具有相同任务分配器代号和任务号的信息放在同一组中；The secret sharing synthesizer 34 receives the broadcast data packet, and puts information with the same task distributor code number and task number in the same group;

秘密分享合成器34在一组结果中检查是否有三个以上结果且有3个与存储的方程组合表示匹配，如果有，找到相应匹配的方程组合表示，得到对应的c_i，根据c_i求M^ci，然后计算R(是对应的三个与组合表示匹配的结果的乘积)，最后将M^ci与R相乘就得到应该得到的数字签名S＝M^d；The secret sharing synthesizer 34 checks whether there are more than three results in a set of results and three of them match the stored equation combination representation, if so, find the corresponding matching equation combination representation, obtain the corresponding c _i , and calculate M according to c _i ^ci , then calculate R (which is the product of the corresponding three results matched with the combined representation), and finally multiply M ^ci with R to get the digital signature S=M ^d that should be obtained;

秘密分享合成器34将任务分配器的代号，任务号和数字签名结果S＝M^d送到广播信道B1上；The secret sharing synthesizer 34 sends the code name of the task distributor, task number and digital signature result S= ^Md to the broadcast channel B1;

任务分配器32接收数字签名结果后，用公开密钥检查签名结果是否正确，如果错误，进入错误处理或告警，如果检查合格即结束计算任务。After the task distributor 32 receives the digital signature result, it uses the public key to check whether the signature result is correct. If it is wrong, it will enter error processing or alarm, and if it passes the check, it will end the calculation task.

本实施例中各细化的执行步骤同样适用于图2实施例。The detailed execution steps in this embodiment are also applicable to the embodiment in FIG. 2 .

本发明的方法能有效地抵制秘密分享合成器和秘密分享计算器联合时对系统的合谋攻击。如上例中，任何一个分享合成器要与至少三台秘密分享运算器合谋才能得到秘密d。而能有力地抵制分享合成器与分享运算器的合谋攻击。The method of the invention can effectively resist the collusion attack on the system when the secret sharing synthesizer and the secret sharing calculator are united. As in the above example, any sharing synthesizer must collude with at least three secret sharing operators to obtain the secret d. And it can effectively resist the collusion attack of sharing synthesizers and sharing operators.

参见图4、图5，分别为图2、图3中秘密分享运算器和秘密分享合成器的实施流程框图，是一种具体的实用流程。其实现是采用多线程技术，即计算机操作系统中使用的多任务并行技术，如图中所示的三个线程：任务处理程序、监听程序和界面程序，来实现一个秘密分享运算器或秘密分享合成器。所有需要计算的任务由一个任务队列来进行管理，而计算所需的系统参数(包括子密钥)也是三个线程都能够存取的。Referring to Fig. 4 and Fig. 5, they are block diagrams of the implementation flow of the secret sharing calculator and the secret sharing synthesizer in Fig. 2 and Fig. 3 respectively, which are a specific practical flow. Its realization is to use multi-threading technology, that is, the multi-task parallel technology used in computer operating systems, as shown in the figure, three threads: task processing program, listening program and interface program, to realize a secret sharing calculator or secret sharing synthesizer. All tasks that need to be calculated are managed by a task queue, and system parameters (including subkeys) required for calculation are also accessible to all three threads.

其中的任务处理程序是专门用于计算的，由于计算是最费时的一项工作，所以单独创建一个线程进行计算，以保证在计算时能够继续保持与用户间的交互，同时能够保持对网络数据的监听从而不丢失网络数据。该线程首先利用事件同步机制进行等候，可以在没有任务的时候节约CPU的时间，可以使用象NT中的EVENT之类的系统事件来进行同步；当任务执行线程被唤醒后，它扫描系统的任务队列，找到应该处理的任务进行处理，包括应该重新发送的数据包的发送。The task handler is specially used for calculation. Since calculation is the most time-consuming work, a separate thread is created for calculation to ensure that the interaction with the user can be maintained during calculation, and at the same time, the network data can be maintained. monitoring so as not to lose network data. The thread first uses the event synchronization mechanism to wait, which can save CPU time when there is no task, and can use system events such as EVENT in NT to perform synchronization; when the task execution thread is awakened, it scans the tasks of the system Queue, find the tasks that should be processed and process them, including the sending of data packets that should be resent.

监听程序是为了保证网络通信的数据不丢失而设置的，单独采用一个线程来监听网络的广播数据，该流程只进行简单的任务处理，如删除一个任务或增加一个任务，当有新的计算任务时，唤醒任务处理线程。The listener is set up to ensure that the data of network communication is not lost. A single thread is used to monitor the broadcast data of the network. This process only performs simple task processing, such as deleting a task or adding a task. When there is a new computing task , wake up the task processing thread.

界面程序用于用户界面处理，也单独采用一个线程，以保证在不影响系统运行的情况下修改系统的参数、增加子密钥等。The interface program is used for user interface processing, and a separate thread is also used to ensure that system parameters can be modified, subkeys can be added, etc. without affecting system operation.

按本发明技术方案设计的具有安全功能的数字签名设备，可以广泛应用于企事业中，每个设备针对每个企业存储一套相应数据，任务分配器在广播任务时就将企业代号放在数据包中，以区分不同的企业，秘密分享运算器根据企业代号找到相应的密钥并计算，计算结果连同企业代号一起送往合成器。The digital signature device with security function designed according to the technical scheme of the present invention can be widely used in enterprises and institutions. Each device stores a set of corresponding data for each enterprise, and the task distributor puts the enterprise code in the data when broadcasting tasks. In order to distinguish different enterprises, the secret sharing calculator finds and calculates the corresponding key according to the enterprise code, and the calculation result is sent to the synthesizer together with the enterprise code.

整个系统增加企业代号的管理以后，系统可以成为多个不同层次的用户、企业的代理，代理他们进行安全的数字签名。而子密钥分发器和任务分配器可以由企业或个人自己控制。在这种结构下，就构成了多个子密钥分发中心、多个任务分配器、多个密秘分享运算器，多个秘密分享合成器的格局，而成为一个完善的安全数字签名服务体系。After the management of enterprise code is added to the whole system, the system can become the agent of users and enterprises at different levels, and carry out secure digital signatures on behalf of them. And the sub-key distributor and task distributor can be controlled by the enterprise or individual themselves. Under this structure, multiple sub-key distribution centers, multiple task distributors, multiple secret sharing calculators, and multiple secret sharing synthesizers are formed, forming a complete secure digital signature service system.

本发明的系统结构简单，易于实现，有入侵容忍能力，虽然签一次名的总工作量与一般签名相比是增加了，但是能确保系统安全，通过采用并行计算并使d_j的比特数远小于c_i的比特数(至少4倍)，而能使总的签名时间基本与一般签名时间相等，更重要的是能对付秘密分享运算器与秘密分享合成器联合对系统的攻击。The system structure of the present invention is simple, easy to implement, and has intrusion tolerance. Although the total workload of signing a signature is increased compared with the general signature, it can ensure system security. By adopting parallel computing and making the number of bits of _dj far The number of bits is smaller than _ci (at least 4 times), so that the total signature time is basically equal to the general signature time, and more importantly, it can deal with the joint attack of the secret sharing operator and the secret sharing synthesizer on the system.

本发明方案的不足之处是：为抵制秘密分享合成器与秘密分享运算器合谋对系统进行攻击，会使秘密分享合成器的数量大幅攀升，如当秘密分享计算器的台数变为6时，秘密分享合成器的台数会涨到8，从而消耗了太多的硬件资源；此外，如此组合秘密分享合成器与秘密分享运算器，会导致任务的不均衡，即一个数字签名任务需要至少t个秘密分享运算器计算一次，但却只需要一台秘密分享合成器参与工作，如上述举例中，秘密分享合成器的个数多于秘密分享运算器的个数，这存在着两者工作不均衡的问题。The weak point of the scheme of the present invention is: in order to resist the conspiracy of the secret sharing synthesizer and the secret sharing calculator to attack the system, the number of secret sharing synthesizers will be greatly increased. For example, when the number of secret sharing calculators becomes 6, The number of secret-sharing synthesizers will increase to 8, thus consuming too many hardware resources; in addition, such a combination of secret-sharing synthesizers and secret-sharing calculators will lead to task imbalance, that is, a digital signature task requires at least t The secret sharing calculator calculates once, but only one secret sharing synthesizer is required to participate in the work. For example, in the above example, the number of secret sharing synthesizers is more than the number of secret sharing calculators, and there is an imbalance between the two. The problem.

Claims

1. A safe digital signature system for obtaining a digital signature, characterized in that:

Including at least one online task distributor, k online secret sharing operators, m online secret sharing synthesizers and offline sub-key distributors; the offline sub-key distributors are used during system initialization or system configuration Connect with k secret-sharing operators and m secret-sharing synthesizers to issue sub-keys, including: generating random numbers corresponding to k secret-sharing operators and distributing them as the first sub-key to k secret-sharing operators , and the corresponding m secret-sharing synthesizers calculate the second sub-key and pre-store it in m secret-sharing synthesizers; the online task distributor connects with k secret-sharing operators through the first broadcast channel, and calculates the digital signature During the processing, the M value that needs to be signed is sent to k secret sharing operators, and each secret sharing operator calculates according to the M value and the first subkey, and sends the calculation result and the M value to m secret sharing operators through the second broadcast channel. A secret sharing synthesizer, each secret sharing synthesizer calculates and obtains a digital signature according to the receiving result, the M value and the pre-stored second subkey, and k and m are positive integers.

2. A secure digital signature system according to claim 1, characterized in that it further comprises a separate output interface device connected to m secret sharing synthesizers through a third broadcast channel.

3. A kind of safe digital signature system according to claim 1, characterized in that: said online task distributor is also provided with an output interface device, through said first broadcast channel and said m Secretly share synthesizer connections.

4. A secure digital signature system according to claim 1, 2 or 3, characterized in that: said at least one online task distributor, k online secret sharing operators, m online secret Shared synthesizers and offline sub-key distributors all use ordinary computers or servers.

5. A secure digital signature system according to claim 1, 2 or 3, characterized in that: the first broadcast channel, the second broadcast channel and the third broadcast channel are physically connected channels or completely Independent channels that are not connected.

6. A safe digital signature method, comprising the issuing of subkeys and calculating digital signatures, characterized in that:

The issuance of the subkey includes the following processing steps:

A. Set up a secure digital signature system, including online task distributors, online k secret sharing operators, online m secret sharing synthesizers, broadcast channels and offline subkey distributors, where k and m are positive integer;

B. The offline sub-key distributor expresses the stored digital signature private key d as the sum of t first sub-keys d _j and a second sub-key c _i , d, t, c, j, i Both are positive integers and let t<k, j is the serial number of the first subkey d _j variable;

C. The offline sub-key distributor uses k random numbers as the first sub-key d _j , distributes them to k secret sharing operators, and obtains a set of second sub-keys by subtraction according to the sum formula in step B Subkey _ci and its equation combination representation, put all the second subkey _ci and its equation combination representation in a large group;

D. The off-line sub-key distributor conducts an exhaustive search for all the second sub-keys _ci and their equation combination representations in the large group according to the security conditions of the synthesizer, and obtains the second sub-keys _ci and Its equation combination expresses:

E offline sub-key distributor sends m grouped second sub-keys _ci and their equation combination representations to m secret sharing synthesizers for pre-stored;

The described computing digital signature includes the following processing steps:

F. The online task distributor sends the HASH value M that needs to be signed to k secret sharing operators through the broadcast data packet through the first broadcast channel;

Among the Gk secret sharing operators, t or more secret sharing operators calculate the raising power M ^dj according to the received M value, and send the code j of the secret sharing operator, the HASH value M to be signed and the calculation result M ^dj sends the broadcast data packet to m secret sharing synthesizers through the second broadcast channel;

Hm secret sharing synthesizers compare the received result with the equation combination representation of the second subkey c _i of the pre-stored group, find a matching equation combination representation and obtain the corresponding second subkey c _i , and then combine with Multiply the exponentiation results of the matching t secret sharing operators to obtain the result R, calculate M ^ci according to the found second subkey _ci , and finally multiply M ^ci and R to obtain the digital signature S=M ^d .

7. A kind of safe digital signature method according to claim 6, characterized in that: in the described step A, also includes arbitrarily given a code name to the online task distributor, and given to k secret sharing operators respectively Set different code names, give different code names to m secret sharing synthesizers and set the initial value of t.

8. A safe digital signature method according to claim 6, characterized in that: said step C further comprises:

c1. Take k random numbers less than d/t as the first subkey d _j by the offline subkey distributor;

c2. The offline sub-key distributor sends the k first sub-keys d _j to the k secret sharing operators through management permission;

c3. Take t d j from the k first sub-keys (d ₁ , d ₂ , d ₃ , ..., d _k ) by the offline sub-key distributor, and form _them according to the combination formula

no = C_{k}^{t}

combination representations, and calculate the second sub-keys c _i corresponding to all combination representations according to the sum formula (i=1, 2, . . .

9. A kind of safe digital signature method according to claim 6, characterized in that:

Described step D further comprises:

d1. Randomly set an order for the combinations in the large group, and randomly set an empty group B;

d2. Take a second subkey ci _and its equation combination representation from the large group sequentially, record it as the combination representation A, judge whether putting A into B satisfies the safety condition of the synthesizer, if so, put it into group B and Delete the combination and the corresponding second subkey from the large group, and if the synthesizer security condition is not satisfied, the combination and the corresponding second subkey remain in the large group;

d3. Repeat step d2 for all combinations in the large group;

d4. If there is still a combination representation in the large group, determine the second empty group as B, and repeat steps d2 and d3 until there is no second subkey _ci and its equation combination representation in the large group ;

d5. The number m of non-empty groups formed by statistics is the m groups mentioned above.

10. A kind of safe digital signature method according to claim 9, it is characterized in that whether said judging satisfies the safety condition of the synthesizer, further comprising: combining the sequence number of the variable in the combination representation A and the combination representation q in the group B Compare the sequence numbers of the variables in _s , if the combination indicates that there are variables in A and the combination indicates that the number of variables that are not in q _s is greater than t/2, this combination indicates that A meets the security conditions for the combination of q _s ; if the combination indicates A satisfies the security condition for each combination in group B, then the combination means that A put into group B satisfies the security condition of the combiner.

11. A kind of safe digital signature method according to claim 6, characterized in that: in the step E, the second subkey of the m groups is distributed by the off-line subkey distributor in a manner permitted by management. Key _ci and its corresponding equation combination representations are correspondingly distributed to the m secret sharing synthesizers.

12. A kind of safe digital signature method according to claim 6, characterized in that: said off-line sub-key distributor completes the distribution of sub-keys after executing steps A, B, C, D, E After that, it is physically isolated or shut down.

13. A safe digital signature method according to claim 6, characterized in that: said step F further comprises:

f1. The online task distributor receives digitally signed tasks, and conducts security checks and checks;

f2. Determine a task number that is unique to the task distributor within a predetermined time for the task by the online task distributor;

f3. Broadcast the broadcast data packet composed of its code name and task number along with the HASH value M that needs to be signed to the first broadcast channel by the online task distributor;

Described step G further comprises:

g1. After receiving the broadcast, t or more secret sharing operators send a notification to the online task allocator that they have been received;

g2. t or more secret sharing calculators check the uniqueness of the task, and perform the calculation of raising the power when it is determined to be a new task;

g3. t or more secret sharing calculators will also form the code name of the online task allocator and the task number along with the code j of the secret sharing calculator, the HASH value M to be signed and the calculation result M ^dj The broadcast data packet is broadcast to the second broadcast channel;

Described step H, further comprises:

h1. The secret sharing synthesizer that receives the broadcast puts the broadcast data packets with the same task dispatcher code and task number in one group;

h2. The above-mentioned secret sharing synthesizer finds at least t broadcast data packets, and then finds an equation combination representation matching the pre-stored equation combination representation, and obtains the corresponding second subkey c _i .

14. A safe digital signature method according to claim 6 or 13, characterized in that: said steps F, G, H are performed sequentially to complete the calculation operations of the digital signature.

15. A safe digital signature method according to claim 6, characterized in that:

Also include a step I after the described step H, by the online secret sharing synthesizer, the digital signature S= ^Md and the task allocator code name, task number form the broadcast data packet and broadcast it to an online output interface device, and The output interface device checks the signature result with the public key, ends the digital signature if it is correct, and performs error handling or alarm if it is wrong.

16. A kind of safe digital signature method according to claim 15, is characterized in that: described step 1 is to broadcast described broadcast packet to a third broadcast channel by an online secret sharing synthesizer Separately set on the online output interface device.

17. A kind of safe digital signature method according to claim 15, is characterized in that: described step 1, is to broadcast described broadcast data packet by described first broadcast channel by online secret sharing combiner to the output interface device set in the task distributor.