CN1207868C

CN1207868C - Safety digital signature method and system

Info

Publication number: CN1207868C
Application number: CN 01136019
Authority: CN
Inventors: 冯登国; 胡海峰; 荆继武
Original assignee: University of Chinese Academy of Sciences
Current assignee: University of Chinese Academy of Sciences; Institute of Information Engineering of CAS
Priority date: 2001-09-28
Filing date: 2001-09-28
Publication date: 2005-06-22
Anticipated expiration: 2021-09-28
Also published as: CN1411203A

Abstract

The present invention relates to a safe digital signature method and a system. The system comprises an on-line task distributor connected through a broadcast channel, k secret sharing arithmetic units, m secret sharing synthesizers and an off-line sub cryptographic key distributor. The distribution operation of sub cryptographic keys has the following steps: a private key d is divided into the sum of t sub cryptographic keys dj and one sub cryptographic key ci by the sub cryptographic key distributor, and t is less than k; k random sub cryptographic keys dj are distributed into the k arithmetic units by the distributor, the assembled representation of one group of ci equations is obtained and is sent to the synthesizers for prestore. The digital signature operation comprises the following steps: the task distributors send HASH value M required to be signed to the k arithmetic units by broadcast; ascending power M<dj> is calculated by the arithmetic units according to received M value, etc. and is sent to the synthesizers by broadcast; the synthesizers are compared with the equation combination of the prestored sub cryptographic keys ci, the combined presentation of a matched equation is found, and the corresponding sub cryptographic keys ci are obtained; M<ci> is solved through a result R obtained by the multiplication of the corresponding ascending power M<dj>; the digital signature S equal to M<d> is obtained.

Description

A Safe Digital Signature Method and System

技术领域technical field

本发明涉及网络通信安全技术，更确切地说是涉及一种能容忍入侵的确保数字签名安全的方法与系统。The present invention relates to network communication security technology, more specifically to a method and system for ensuring digital signature security that can tolerate intrusion.

背景技术Background technique

数字签名(Digital Signature)是当今网络通信安全中最基本的技术，是利用非对称算法(Asymmetric Algorithm)，来达到其他人可以验证该签名但却无法假冒该签名的目的。最常用的非对称算法有RSA、DSA和椭圆曲线算法等，目前的不少数字签名系统都是基于RSA算法的。Digital Signature (Digital Signature) is the most basic technology in today's network communication security. It uses an asymmetric algorithm (Asymmetric Algorithm) to achieve the purpose that others can verify the signature but cannot counterfeit the signature. The most commonly used asymmetric algorithms are RSA, DSA, and elliptic curve algorithms, etc. Many current digital signature systems are based on the RSA algorithm.

所谓非对称算法，就是一个人无法通过已知的正向计算参数推导出反向计算的参数，即已知正向计算过程，无反向计算能力。这种非对称算法本身是公开的，但每个人可以选择不同的参数，参数不同，所构成的变换函数就不同。对某个人来说，他可以选择一组参数，其中一部分是用于逆向计算的，称为秘密参数，技术上称为保密密钥或私钥；另一部分是用于正向计算的，是公开的参数，技术上称为公开密钥或公钥。The so-called asymmetric algorithm means that a person cannot derive the parameters of the reverse calculation through the known forward calculation parameters, that is, the known forward calculation process has no reverse calculation ability. This asymmetric algorithm itself is public, but everyone can choose different parameters, and the transformation functions formed by different parameters are different. For someone, he can choose a set of parameters, some of which are used for reverse calculation, called secret parameters, technically called secret key or private key; the other part is used for forward calculation, which is public parameters, technically known as the public key or public key.

数字签名就是基于这种非对称算法得以实施的。一方面保护自己的秘密参数-私钥，以保证他人无法冒充自己进行签名，另一方面通过公开可以公开的部分-公钥，供相关人士能够验证该签名(从理论上说，利用公开的参数来推导秘密的参数，在计算上是不可行的)。Digital signatures are implemented based on this asymmetric algorithm. On the one hand, protect your own secret parameter - the private key to ensure that others cannot pretend to be yourself to sign; is computationally infeasible to derive the secret parameters).

数字签名首先是网络通信与交互的保证，可以保证通信对方是真实的，可以保证在网上的就是自己，还可作为签署电子文档时的工具，以保护自己的文档与签名。当今许多国家，已将数字签名视作手写签名，两者具有同样的法律效率。Digital signature is first of all a guarantee for network communication and interaction. It can ensure that the other party is authentic and that the one on the Internet is yourself. It can also be used as a tool when signing electronic documents to protect your own documents and signatures. Many countries today regard digital signatures as handwritten signatures, and both have the same legal efficiency.

数字签名算法还可以用于协商秘密(secret)参数。如A用户需要与B用户进行秘密通信时，A用户可以先设定一些秘密参数，然后用B用户的公开密钥(公钥)作用一下，此时只有B用户能够恢复原来的值，因为只有B用户知道自己的保密(private)密钥(私钥)。Digital signature algorithms can also be used to negotiate secret parameters. For example, when user A needs to communicate secretly with user B, user A can set some secret parameters first, and then use the public key (public key) of user B to act. At this time, only user B can restore the original value, because only User B knows his private key (private key).

此外，数字签名还可以用于需要保密的场所、需要身份认证的场所及其他需要不可否认服务的场所。In addition, digital signatures can also be used in places that require confidentiality, places that require identity authentication, and other places that require non-repudiation services.

现在国际上大力推行的PKI(Public Key Infrastructure：公开密钥基础设施)就是数字签名的一种应用，是网络数字社会中最重要的一种基础设施，这种技术的重要性，就象电力基础设施对于工业的作用一样。The PKI (Public Key Infrastructure: public key infrastructure) that is being vigorously promoted internationally is an application of digital signatures, and it is the most important infrastructure in the network digital society. The importance of this technology is just like the power infrastructure. Facilities do the same for industry.

为了保证数字签名的安全和速度，在签名前，必须对所签的内容进行HASH计算，求出一个HASH值M(HASH值有时又叫文摘值或杂凑值)，然后利用保密密钥(私钥)对文摘结果作变换得到签名值；验证签名时，先对内容作HASH计算，然后再用公开的参数(公钥)作用于签名值，再将得到的结果与上述HASH结果进行比较，若相等，就表示签名正确，否则为验证不通过。In order to ensure the security and speed of digital signatures, before signing, HASH calculation must be performed on the signed content to find a HASH value M (HASH value is sometimes called digest value or hash value), and then use the secret key (private key) ) to transform the digest result to obtain the signature value; when verifying the signature, first perform HASH calculation on the content, then use the public parameter (public key) to act on the signature value, and then compare the obtained result with the above HASH result, if they are equal , it means that the signature is correct, otherwise the verification fails.

然而，当一用户A有了自己的私钥并公开了公钥时，如果有一个攻击者B重新生成公钥和私钥，并用攻击者B的公钥替换了A用户公开的公钥，此时A用户的朋友发给A用户的信息就只有攻击者B知道了，因为A用户已无法知道由攻击者B假冒的公钥所对应的私钥。这时就需要由一个CA(CertificateAuthority：证书权威或证书机构)，来证明哪个公钥是A用户的，或者证明哪个公钥不是A用户的。However, when a user A has his own private key and discloses the public key, if an attacker B regenerates the public key and private key, and replaces the public key released by user A with the public key of the attacker B, the At this time, only the attacker B knows the information sent by the friend of user A to user A, because user A has no way of knowing the private key corresponding to the public key faked by attacker B. At this time, a CA (CertificateAuthority: Certificate Authority or Certificate Authority) is required to prove which public key belongs to user A, or which public key does not belong to user A.

CA拥有一个比一般用户私钥更长的私钥，也就是说，CA的私钥更安全，而CA的公钥可以通过各种方式广为人知，这样各个用户就可以验证什么是CA所签发的。当一个用户将其身份与其公钥绑定在一起，并由CA签名后，就得到了一个电子证书。这个证书能够证明该公钥拥有者的身份，且任何人都可以验证而任何人却都不能假冒。The CA has a longer private key than the private key of ordinary users, that is to say, the private key of the CA is more secure, and the public key of the CA can be widely known in various ways, so that each user can verify what is issued by the CA. When a user binds his identity with his public key and is signed by a CA, he gets an electronic certificate. This certificate can prove the identity of the owner of the public key, and anyone can verify but no one can impersonate.

目前，电子证书已成为PKI基础设施中最为关键的部分，CA是PKI中最为重要的基本单元。利用电子证书，就可以有效解决网络上的保密性、完整性以及不可否认性等安全问题。At present, electronic certificate has become the most critical part of PKI infrastructure, and CA is the most important basic unit in PKI. Using electronic certificates can effectively solve security issues such as confidentiality, integrity and non-repudiation on the network.

基于PKI的安全性，最终都会归结到对CA私钥的保护，一旦CA的私钥泄露，由CA所颁发的所有证书就都必须作废，整个由CA管辖的网络安全就会变得毫无安全可言。随着网络上各种攻击手段的不断增加，系统漏洞不断被发现，因此如何保证既能在线提供数字签名服务又能保证安全，已成为现代网络安全研究的一个重要课题。PKI-based security will ultimately come down to the protection of the CA's private key. Once the CA's private key is leaked, all certificates issued by the CA must be invalidated, and the entire network security under the jurisdiction of the CA will become insecure. to speak of. With the continuous increase of various attack methods on the network, system loopholes are constantly being discovered, so how to ensure that digital signature services can be provided online while ensuring security has become an important topic in modern network security research.

对RSA算法来说，秘密的密钥一般记为d，是一个可以长达2048bits的整数(一般认为，1024bits长度的私钥已经能够保证安全，但对CA来说，采用2048bits或以上则是必须的)。在RSA算法中，用到了对一个数N的模幂计算，即求M^d mod N，该计算是完成数字签名所需要的，当所需公开的参数(公钥)公开后，保护数字d就是保护了私钥。For the RSA algorithm, the secret key is generally recorded as d, which is an integer that can be as long as 2048 bits (it is generally believed that a private key with a length of 1024 bits can already guarantee security, but for CA, it is necessary to use 2048 bits or more. of). In the RSA algorithm, the modular exponentiation calculation of a number N is used, that is, to find M ^d mod N. This calculation is required to complete the digital signature. When the required public parameters (public key) are disclosed, the protection number d is The private key is protected.

安全的数字签名所追求的目标是既完成签名又不能泄露私钥，针对该课题国际上已有许多理论方面的研究，其中不少理论与方法因难度太大而无法实现。另一方面，国际上目前开发的重点也是如何实现相互兼容的数字签名产品，而在入侵容忍的安全签名方面则开发的非常少，工业界也没有推出相关的产品。所谓入侵容忍(Intrusion Tolerance)是相对于从检测入侵出发来保证CA安全的技术而言的，即在系统的部分部件被攻击或被占领后，仍不会暴露CA系统的机密信息。The goal of a secure digital signature is to complete the signature without divulging the private key. There have been many theoretical studies on this topic in the world, many of which cannot be realized due to the difficulty. On the other hand, the focus of current development in the world is how to realize mutually compatible digital signature products, but there are very few developments in terms of intrusion-tolerant security signatures, and the industry has not launched related products. The so-called intrusion tolerance (Intrusion Tolerance) is relative to the technology to ensure the security of CA by detecting intrusion, that is, after some parts of the system are attacked or occupied, the confidential information of the CA system will not be exposed.

综上所述，PKI是基于公开密钥密码算法的，在PKI系统中，CA又是一个域中的信任中心，网络上设备或个人间的通信与验证都依赖于CA颁发的数字证书(签名)。数字证书是一个将公开密钥与个人身份绑在一起、用CA的私钥签名后得到的数据。在一方要验证通信对方的身份时，可以通过两个步骤完成，首先验证对方的证书签名是否正确(签名只能由CA的私钥完成，只有CA才能够进行签名)；再验证对方是否拥有与证书中公钥相对应的私钥，如果两项都能成立，则对方的身份就能确定，是可以信任的。To sum up, PKI is based on the public key cryptography algorithm. In the PKI system, the CA is also a trust center in a domain. The communication and verification between devices or individuals on the network depend on the digital certificate (signature) issued by the CA. ). A digital certificate is a data obtained by binding a public key with a personal identity and signing it with a CA's private key. When one party wants to verify the identity of the other party, it can be done in two steps. First, verify whether the certificate signature of the other party is correct (the signature can only be completed by the private key of the CA, and only the CA can sign); If the private key corresponding to the public key in the certificate can be established, the identity of the other party can be determined and can be trusted.

因此CA的私钥是CA安全的核心，保护其不泄露是整个CA域安全的基础。一般来说，CA必须是一个在线的网络设备，特别是直接面向用户以便提供相应证书服务的CA，则其遭遇网络攻击就不可避免，当一个黑客成功攻击一台CA时，攻击者就可能获得它的内部资源，从而找到CA的私钥，会给PKI系统造成致命打击，同时在PKI系统的内部雇员完全控制一台CA设备的情况下，为预防起见，也应该确保其没有得到CA的私钥。Therefore, the CA's private key is the core of CA security, and protecting it from disclosure is the basis for the security of the entire CA domain. Generally speaking, a CA must be an online network device, especially a CA that directly faces users in order to provide corresponding certificate services, so it is inevitable to encounter network attacks. When a hacker successfully attacks a CA, the attacker may obtain Its internal resources, so as to find the private key of the CA, will cause a fatal blow to the PKI system. key.

下面仅从将签名等价于实现公式M^d mod N(其中d为应该保密的私钥)方面，说明现有的几种安全数字签名方法。In the following, several existing secure digital signature methods are described only from the aspect of equating the signature to realizing the formula M ^d mod N (where d is the private key that should be kept secret).

参见图1，图中示出美国Stanford大学的ITTC项目方案的原型系统框图。系统通过门槛密码学技术实现系统入侵容忍。系统包括签名方(Clients)、服务器方(Servers)和管理方(Admin)。签名方的Web Server是指需要签名的Web服务器，CA是证书权威或证书机构；服务器方包括多个分享服务器(ShareServer，也可称分享计算器或分享运算器)，如图中的分享服务器1至3，负责进行安全的数字签名；管理方(Admin)是一个可选的用于管理各分享服务器的设备。该方案的特点是：结构简单和具有很好的安全性，系统中采用了成单层结构的多个分享服务器。Referring to FIG. 1 , it shows a block diagram of a prototype system of the ITTC project scheme of Stanford University in the United States. The system implements system intrusion tolerance through threshold cryptography technology. The system includes the signing party (Clients), the server side (Servers) and the management side (Admin). The web server of the signing party refers to the web server that needs to be signed, and the CA is the certificate authority or certificate authority; the server side includes multiple sharing servers (ShareServer, also called sharing calculator or sharing calculator), as shown in the figure Share server 1 To 3, responsible for secure digital signature; the administrator (Admin) is an optional device used to manage each shared server. The characteristics of this scheme are: simple structure and good security, the system adopts multiple shared servers in a single-layer structure.

该系统实现安全性的原理是：先将私钥d分解成t个数的和：d＝d₁+d₂+...+d_t；再将各数(d_i)分配到各个分享服务器中。当需要签名时，客户机(Web或CA)将需要的签名信息-HASH结果M值发给t个分享服务器；各分享服务器再将计算结果 $M_{i} = M^{d_{i}}$ 送回客户机(Web或CA)；由客户机(Web或CA)进行乘法计算：The security principle of the system is: first decompose the private key d into the sum of t numbers: d=d ₁ +d ₂ +...+d _t ; then distribute each number (d _i ) to each shared server middle. When a signature is required, the client (Web or CA) sends the required signature information-HASH result M value to t sharing servers; each sharing server then sends the calculation result $m_{i} = m^{d_{i}}$ Send back to client (Web or CA); multiplication by client (Web or CA):

$S S = = {Π Π}_{i i = = 11}^{t t} {M m}^{{d d}_{i i}} = = {M m}^{{Σ Σ}_{i i = = 11}^{l l} {d d}_{i i}} = = {M m}^{d d}$

就得到了需要的结果。The desired result is obtained.

由于不能实现冗余，可进一步采用多组方程来产生冗余配置，即随机找到若干组数，如：Since redundancy cannot be achieved, multiple sets of equations can be further used to generate redundant configurations, that is, several sets of numbers are randomly found, such as:

第一组：d＝d₁₁+d₁₂+…+d_1t；The first group: d=d ₁₁ +d ₁₂ +...+d _1t ;

第二组：d＝d₂₁+d₂₂+…+d_2t；The second group: d=d ₂₁ +d ₂₂ +...+d _2t ;

然后将多组数(d_ij)分到不同的分享服务器中，每个分享服务器得到多个d_ij，但只得到同组数据中的一个数据(如分享服务器1得到一个第一组的数据d₁₁和另一个第二组的数据d₂₃)。如，对于有4个分享服务器的情况，在t＝3时，可以按下表进行分配：分享服务器1 分享服务器2 分享服务器3 分享服务器4 d₁₁ d₁₂ d₁₃ d₁₃ d₂₃ d₂₁ d₂₂ d₂₃ Then divide multiple sets of numbers (d _ij ) into different sharing servers, each sharing server gets multiple d _ij , but only gets one data in the same set of data (for example, sharing server 1 gets a data d of the first set ₁₁ and another second set of data d ₂₃ ). For example, in the case of 4 shared servers, when t=3, they can be allocated according to the following table: shared server 1 share server 2 share server 3 share server 4 d ₁₁ d ₁₂ d ₁₃ d ₁₃ d ₂₃ d ₂₁ d ₂₂ d ₂₃

当客户机(Web或CA)需要计算时，由客户机(Web或CA)选定t个完好的分享服务器，然后告诉这些分享服务器使用第几组数据(参数)，然后，分享服务器就可以计算相应的签名了。When the client (Web or CA) needs to calculate, the client (Web or CA) selects t intact sharing servers, and then tells these sharing servers which set of data (parameters) to use, and then the sharing server can calculate Signed accordingly.

该技术方案的优点是明显的，其不足之处有如下几点：The advantage of this technical solution is obvious, and its weak point has the following points:

1.密钥的分发和管理比较困难，当增加一个分享服务器时，必须对每一个在线的分享服务器分配密钥数据，同时还要让客户机也知道这个增加；1. The distribution and management of the key is difficult. When adding a shared server, the key data must be distributed to each online shared server, and the client must also know the increase;

2.当分享服务器很多时，会迅速增加分享服务器的密钥存储量，若设分享服务器的总数量为k，要求完好的分享服务器的总数量为t，则每个分享服务器存储密钥的数量至少为C_k ^n-1个(C表示组合)，当k＝10，t＝3时，每个分享服务器存储密钥的数量就为45个；2. When there are many sharing servers, the key storage capacity of the sharing servers will increase rapidly. If the total number of sharing servers is k, and the total number of intact sharing servers is required to be t, then the number of keys stored in each sharing server At least C _k ^n-1 (C represents a combination), when k=10, t=3, the number of each shared server storage key is 45;

3.存在必须先同步的问题，在进行计算前，客户机必须先选定t个分享服务器，当t个分享服务器选择完成后，还必须找到与这t个分享服务器匹配的数据组并通知他们，当其中有一个服务器被破坏时必须重复上述选择分享服务器的整个过程；3. There is a problem that must be synchronized first. Before calculation, the client must first select t shared servers. After the selection of t shared servers is completed, it must also find a data group that matches the t shared servers and notify them , when one of the servers is destroyed, the entire process of selecting the shared server above must be repeated;

4.让客户机(CA或Web服务器)记住每次分享服务器的改变是困难的，不容易进行管理与扩展，当客户机在线时，扩展就更加困难，导致每次改变分享服务器时都必须更新客户机。4. It is difficult for the client (CA or Web server) to remember the change of the shared server every time, and it is not easy to manage and expand. When the client is online, it is even more difficult to expand, resulting in the need to Update the client.

IBM Research-Zurich研究院的Victor Shoup，在2000年的欧洲密码学年会上发表了名称为“Practical threshold signatures”的文章，介绍的也是一种理论上的方案。该方案使用RSA强素数，其保密的素数p＝2p’+1，q＝2q’+1。所有的插值方程都在模m＝p’q’的环中进行。因为M^4m模N等于1，分开计算时增加一次平方，由合成器(Combiner)再分别对各个结果平方一次，从而得到M^4Δ(gm+d)。其中Δ＝(k！)²，而g为整数。该方案中c_i是由合成器(Combiner)完成的，从而消除了计算前的同步问题，但带来了合成器的计算难度，并使计算性能下降。如合成器必须计算：Victor Shoup of IBM Research-Zurich Institute published an article called "Practical threshold signatures" at the European Cryptography Annual Conference in 2000, which also introduced a theoretical scheme. This scheme uses RSA strong prime number, its secret prime number p=2p'+1, q=2q'+1. All interpolation equations are performed in rings modulo m=p'q'. Because M ^4m modulo N is equal to 1, the square is added once when calculating separately, and the combiner (Combiner) squares each result again to obtain M ^4Δ(gm+d) . where Δ=(k!) ² , and g is an integer. In this scheme, _ci is completed by a combiner, which eliminates the synchronization problem before calculation, but brings the calculation difficulty of the combiner and reduces the calculation performance. As the synthesizer must compute:

$W W = = {y the y}_{{i i}_{11}}^{22 λ λ {c c}_{{i i}_{11}}} {y the y}_{{i i}_{22}}^{22 λ λ {c c}_{{i i}_{22}}} . . . . . . {y the y}_{{i i}_{l l}}^{22 λ λ {c c}_{{i i}_{l l}}}$

其中y_i为各分享服务器的计算结果，λ＝k！。Among them, y _i is the calculation result of each sharing server, λ=k! .

可以看出该方案的特点及存在的不足是：It can be seen that the characteristics and shortcomings of this scheme are:

1.仍是一种由各分享服务器组成的单层式分享结构，其合成器不存储任何秘密，可以由任何设备完成合成工作；1. It is still a single-layer sharing structure composed of sharing servers. Its synthesizer does not store any secrets and can be synthesized by any device;

2.合成器的计算量接近或相当于t次签名，这样的计算量远远大于分享服务器的计算量，即使能实现该算法，也是不能用于实际签名的；2. The calculation amount of the synthesizer is close to or equivalent to t signatures, which is far greater than the calculation amount of the sharing server. Even if the algorithm can be implemented, it cannot be used for actual signatures;

3.要求使用强素数，会对某些应用带来限制；3. Requiring the use of strong prime numbers will limit some applications;

4.仅从理论上说明当增加或删除分享服务器时不会影响其他设备，但只提供了数学公式，没有任何实现上和系统结构上的说明。4. It is only theoretically stated that when adding or deleting a shared server will not affect other devices, but only provides mathematical formulas, without any implementation and system structure instructions.

纽约CertCo公司的Yair Frankel等人提出了又一种方案，但没有提供系统实现的框架和细节。在他们的方案中，提出让多项式的系数a_i在{0，L，...，2L³N^2+et}中，其中L＝k！。并取x_i属于[1，2，...，k-1]。由于所有f(x_i)都能够整除以L，故b_i的计算去掉了求逆的操作，可以在整数中进行。该方案可以用一般的RSA算法进行而不需要RSA的强素数。由于其参数的选取大大受限，带来了算法原理及安全证明的复杂性。当分享服务器计算b_i时，因为b_i依赖x_i的选取，也存在着同步问题。Yair Frankel of New York CertCo Company and others proposed another scheme, but did not provide the framework and details of system realization. In their scheme, it is proposed to let the coefficients a _i of polynomials be in {0, L, . . . , 2L ³ N ^2+e t}, where L=k! . And take x _i belongs to [1, 2, ..., k-1]. Since all f( _xi ) can be divided by L, the calculation of _bi can be performed in integers without the inverse operation. The scheme can be performed with the general RSA algorithm without strong prime numbers of RSA. Because the selection of its parameters is greatly limited, it brings the complexity of the algorithm principle and security proof. When the shared server calculates _bi , because _bi depends on the selection of _xi , there is also a synchronization problem.

从其数学方案的描述中可以看出，该方案具有以下缺点：As can be seen from the description of its mathematical scheme, this scheme has the following disadvantages:

1.采用平等的秘密分享，即分享为单层式结构；1. Adopt equal secret sharing, that is, sharing is a single-layer structure;

2.参数的选取是受限的，证明其安全性十分复杂，增加了出现漏洞的可能性；2. The selection of parameters is limited, which proves that its security is very complicated and increases the possibility of loopholes;

3.存在着需要同步的问题，而如果去掉同步，则又会大大增加合成器的计算量。3. There is a problem of synchronization, and if the synchronization is removed, the calculation amount of the synthesizer will be greatly increased.

以上IBM Research-Zurich研究院的方案及纽约CertCo公司的方案，都是基于Shamir秘密共享的方案，使用LaGrange插值方程。在原Shamir秘密共享方案中，任意取t个密钥就能够生成秘密密钥。但在原Shamir方案中必须先恢复秘密密钥，这是任何方案都不希望的。因为安全签名方案必须首先保证在任何一台设备内都不能恢复出秘密密钥。The above scheme of IBM Research-Zurich Research Institute and the scheme of New York CertCo are all based on the scheme of Shamir's secret sharing, using LaGrange interpolation equation. In the original Shamir secret sharing scheme, a secret key can be generated by randomly taking t keys. However, in the original Shamir scheme, the secret key must be recovered first, which is undesirable in any scheme. Because the secure signature scheme must first ensure that the secret key cannot be recovered in any device.

这种基于Shamir秘密共享方案的基本原理是：The basic principle of this Shamir-based secret sharing scheme is:

给出一个多项式 $f (x) = Σ_{i = 0}^{t - 1} a_{1} x_{i,}$ 利用LaGrange插值公式，有：given a polynomial $f (x) = Σ_{i = 0}^{t - 1} a_{1} x_{i,}$ Using the LaGrange interpolation formula, there are:

$f f ((x x)) = = {Σ Σ}_{i i = = 11}^{t t} ((f f (({x x}_{i i})) {Π Π}_{j j = = 11,, t t}^{j j &NotEqual; &NotEqual; i i} \frac{x x - - {x x}_{j j}}{{x x}_{i i} - - {x x}_{j j}})) - - - - - - ((11))$

任选t个x_i和f(x_i)，可以得到：Choose t x _i and f( _xi ), you can get:

${a a}_{00} = = f f ((00)) = = {Σ Σ}_{i i = = 11}^{t t} ((f f (({x x}_{i i})) {Π Π}_{j j = = 11,, t t}^{j j &NotEqual; &NotEqual; i i} \frac{- - {x x}_{j j}}{{x x}_{i i} - - {x x}_{j j}})) - - - - - - ((22))$

可以设置a₀为秘密密钥d，此时，对一个HASH值M的签名计算为：You can set a ₀ as the secret key d, at this time, the signature calculation for a HASH value M is:

${M m}^{d d} = = {M m}^{f f ((00))} = = {Π Π}_{i i = = 11}^{t t} {M m}^{f f (({x x}_{i i})) {\prod \prod}_{j j = = 11,, t t}^{j j &NotEqual; &NotEqual; i i} \frac{- - {x x}_{j j}}{{x x}_{i i} - - {x x}_{j j}}} = = {Π Π}_{i i = = 11}^{t t} {M m}^{{b b}_{i i}} - - - - - - ((33))$

其中 $b_{i} = f (x_{i}) * c_{i} = f (x_{i}) Π_{j = 1, t}^{j &NotEqual; i} \frac{- x_{j}}{x_{i} - x_{j}} - - - (4)$ in $b_{i} = f (x_{i}) * c_{i} = f (x_{i}) Π_{j = 1, t}^{j &NotEqual; i} \frac{- x_{j}}{x_{i} - x_{j}} - - - (4)$

这样就可以将秘密密钥d分到k个分享服务器中去(k≥t)。每个分享服务器计算M^bi，然后由一个合成器将各个分享服务器的计算结果乘起来，就得到M^d，而任何分享服务器都不会泄露秘密密钥d。由于式(4)的b_i中有除法计算，这很容易让人想到找一个域或环Z_v来进行计算。其中，必须满足的条件是：v为素数，或者保证所有由x_i构成的t阶(Vandermonde)矩阵的行列式的值与v互素。In this way, the secret key d can be divided into k shared servers (k≥t). Each sharing server calculates M ^bi , and then a synthesizer multiplies the calculation results of each sharing server to obtain M ^d , and any sharing server will not disclose the secret key d. Since there is a division calculation in b _i in formula (4), it is easy to think of finding a field or ring Z _v for calculation. Among them, the condition that must be satisfied is: v is a prime number, or the value of the determinant of all t-order (Vandermonde) matrices formed by x _i is guaranteed to be mutually prime to v.

在一般情况下，分开计算M^bi后带来的结果就是要做乘法： $Π_{i = 1}^{t} M^{b_{i}} = M^{d + wv} .$ 如何去掉v的影响，许多人想到了用Φ(N)，因为M^Φ(N)＝1。但选择v＝Φ(N)会使x_i的选取大大受限于上述条件，并且知道了某元素o与其对Φ(N)的逆o^-1，就可以求出Φ(N)，显然这是不安全的。In general, the result of calculating M ^bi separately is to do multiplication: $Π_{i = 1}^{t} m^{b_{i}} = m^{d + wv} .$ How to remove the influence of v, many people think of using Φ(N), because M ^Φ(N) =1. But choosing v=Φ(N) will make the selection of x _i greatly limited by the above conditions, and knowing a certain element o and its inverse o ^-1 to Φ(N), we can find Φ(N), obviously this is not safe.

因此，从理论上可以看出上述方案都有明显的弱点，距离实际应用还有很多问题需要解决。Therefore, it can be seen from the theory that the above schemes have obvious weaknesses, and there are still many problems to be solved before the actual application.

发明内容Contents of the invention

本发明的目的是设计一种安全的数字签名方法与系统，是一种入侵容忍的安全签名方法与系统，在现有实现CA安全的基本原理基础上，消除预先同步的问题，能满足在线CA的安全要求，当系统的部分部件被攻击或被占领时，确保系统机密不泄露。The purpose of the present invention is to design a safe digital signature method and system, which is an intrusion-tolerant safe signature method and system. On the basis of the existing basic principles of CA security, the problem of pre-synchronization can be eliminated, and online CA can be satisfied. When some components of the system are attacked or occupied, ensure that the system secrets are not leaked.

本发明的安全数字签名方法，以RSA算法为基础。该方法必须满足以下条件：The secure digital signature method of the present invention is based on the RSA algorithm. The method must meet the following conditions:

1.入侵者虽然攻击或占有了系统中的若干部件，但并不能得到私钥；1. Although the intruder attacks or occupies several components in the system, he cannot obtain the private key;

2.系统很容易扩充，当需要增加一个分享运算器时，不影响整个系统的工作；2. The system is easy to expand. When a shared calculator needs to be added, it will not affect the work of the entire system;

3.运行时的管理简单，管理包括增加、撤除、修改服务硬件与软件等，在有系统管理与配置活动时，不能影响系统运行；3. The management during operation is simple. Management includes adding, removing, and modifying service hardware and software. When there are system management and configuration activities, the system operation cannot be affected;

4.系统中一个或多个设备损坏时不影响正常的服务；4. When one or more devices in the system are damaged, the normal service will not be affected;

5.当一个分享运算器损坏时，整个系统的运行效率不会降低太多，即任务分配单元不需要知道任务执行者的任何信息；5. When a shared computing unit is damaged, the operating efficiency of the entire system will not decrease too much, that is, the task allocation unit does not need to know any information about the task executor;

6.开始计算时，任何设备都不需要知道他的合作者是谁，故不需要一个合作群的指定机构(预先同步)；6. When starting the calculation, any device does not need to know who its partner is, so there is no need for a designated organization of the cooperation group (pre-synchronization);

7.该系统的算法和原理都应该非常简单；7. The algorithm and principle of the system should be very simple;

8.设计完成后，整个系统的运行效率至少应该与常规系统保持在同一档次上。8. After the design is completed, the operating efficiency of the entire system should at least be at the same level as the conventional system.

实现本发明目的的技术方案是这样的：一种安全的数字签名方法，包括The technical scheme that realizes the object of the present invention is such: a kind of safe digital signature method, comprises

子密钥的发放和计算数字签名，其特征在于：The issuance and calculation of the digital signature of the sub-key is characterized in that:

所述的子密钥的发放包括以下处理步骤：The issuance of the subkey includes the following processing steps:

A.设置一个安全数字签名系统，包括在线的任务分配器、在线的k个秘密分享运算器、在线的m个秘密分享合成器、广播信道和离线的子密钥分发器，k、m为正整数；A. Set up a secure digital signature system, including online task distributors, online k secret sharing operators, online m secret sharing synthesizers, broadcast channels and offline subkey distributors, where k and m are positive integer;

B.离线的子密钥分发器将保存的数字签名私钥d表示成由t个第一子密钥d_j及一个第二子密钥c_i的和，d、t、c、j、i均为正整数并让t＜k；B. The offline sub-key distributor expresses the stored digital signature private key d as the sum of t first sub-keys d _j and a second sub-key c _i , d, t, c, j, i Both are positive integers and let t<k;

C.离线的子密钥分发器将k个随机数作为第一子密钥d_j，对应分发到k个秘密分享运算器中，并根据步骤B中的和式通过相减获得一组第二子密钥c_i及其方程组合表示，将该组第二子密钥c_i的方程组合表示及对应的c_i分别送到m个秘密分享合成器中预存；C. The offline sub-key distributor uses k random numbers as the first sub-key d _j , distributes them to k secret sharing operators, and obtains a set of second sub-keys by subtraction according to the sum formula in step B The subkey _ci and its equation combination representation, the group of second subkey _ci 's equation combination representation and the corresponding _ci are respectively sent to m secret sharing synthesizers for pre-stored;

所述的计算数字签名包括以下处理步骤：The described computing digital signature includes the following processing steps:

D.在线的任务分配器将需要签名的HASH值M通过广播数据包经第一广播信道送往k个秘密分享运算器；D. The online task distributor sends the HASH value M that needs to be signed to k secret sharing operators through the broadcast data packet through the first broadcast channel;

E.k个秘密分享运算器中的t个或t个以上的秘密分享运算器根据接收的M值计算升幂M^di，并将本秘密分享运算器的代号j、需要签名的HASH值M及计算结果M^dj通过广播数据包经第二广播信道送往m个秘密分享合成器；Among the Ek secret sharing operators, t or more secret sharing operators calculate the raising power M ^di according to the received M value, and send the code j of the secret sharing operator, the HASH value M to be signed and the calculation result M ^dj sends the broadcast data packet to m secret sharing synthesizers through the second broadcast channel;

F.秘密分享合成器将接收结果与预存的一组第二子密钥c_i的方程组合表示进行比较，找到可以匹配的方程组合表示得到相应的第二子密钥c_i，再将与组合匹配的t个秘密分享运算器的升幂运算结果相乘得到结果R，根据找到的第二子密钥c_i求出M^ci，最后将M^ci与R相乘得到数字签名S＝M^d。F. The secret sharing combiner compares the received result with the expression combination of equations of a set of pre-stored second sub-keys c _i , finds a combination of equations that can be matched to obtain the corresponding second sub-key c _i , and then combines Multiply the exponentiation results of the matching t secret sharing operators to obtain the result R, calculate M ^ci according to the found second subkey _ci , and finally multiply M ^ci and R to obtain the digital signature S=M ^d .

所述的步骤A中还包括给在线的任务分配器任意给定一个代号、给k个秘密分享运算器分别给定不相同的代号、给m个秘密分享合成器分别给定不相同的代号和设定t的初始值。Said step A also includes arbitrarily giving a code name to the online task distributor, giving different code names to k secret sharing operators, giving different code names and Set the initial value of t.

所述的步骤C，进一步包括：Described step C, further comprises:

c1.由离线的子密钥分发器取k个小于d/t的随机数作为第一子密钥d_j；c1. Take k random numbers less than d/t as the first subkey d _j by the offline subkey distributor;

c2.由离线的子密钥分发器通过管理许可的方式将k个第一子密钥d_j对应送到k个秘密分享运算器中；c2. The offline sub-key distributor sends the k first sub-keys d _j to the k secret sharing operators through management permission;

c3.由离线的子密钥分发器从k个第一子密钥d_j(d₁、d₂、d₃、...、d_k)中取出t个d_j，按组合算式形成 $n = C_{k}^{t}$ 种组合表示，并根据所述的和式计算所有组合表示所对应的第二子密钥c_i(i＝1、2、...、n)，构成所述的一组方程组合表示；c3. Take t d j from the k first sub-keys d _j (d ₁ , d ₂ , d ₃ ,..., d _k ) by the offline sub-key distributor, and form _them according to the combination formula $no = C_{k}^{t}$ a combination representation, and calculate the second subkey c _i (i=1, 2, .

c4.由离线的子密钥分发器通过管理允许的方式将该组第二子密钥c_i的方程组合表示及对应的c_i送到所述的m个秘密分享合成器中。c4. The offline sub-key distributor sends the group of second sub-keys _ci 's equation combination representation and the corresponding _ci to the m secret sharing synthesizers in a manner permitted by management.

所述的离线的子密钥分发器在执行完步骤A、B、C完成子密钥的分发后，处于物理隔离状态或处于关机状态。The offline sub-key distributor is in a physically isolated state or in a shutdown state after executing steps A, B, and C to complete the distribution of sub-keys.

所述的步骤D进一步包括：Described step D further comprises:

d1.由一个在线的任务分配器接收数字签名任务，并进行安全检查与核对；d1. An online task distributor receives digitally signed tasks and performs security checks and checks;

d2.由在线的任务分配器为该任务确定一个在预定的时间内对任务分配器是唯一的任务号；d2. Determine a task number that is unique to the task distributor within a predetermined time for the task by the online task distributor;

d3.由在线的任务分配器将其代号及任务号随需要签名的HASH值M组成所述的广播数据包广播到所述的第一广播信道上；d3. Broadcast the broadcast data packet composed of its code name and task number along with the HASH value M that needs to be signed to the first broadcast channel by the online task distributor;

所述的步骤E进一步包括：Described step E further comprises:

e1.接收到广播后的t个或t个以上的秘密分享运算器向该在线的任务分配器发出已经接收的通知；e1. After receiving the broadcast, t or more secret sharing operators send a notification to the online task allocator that they have been received;

e2.t个或t个以上的秘密分享运算器检查任务的唯一性，在确定为新任务时进行所述升幂的计算；e2. t or more secret sharing calculators check the uniqueness of the task, and perform the calculation of the raising power when it is determined to be a new task;

e3.t个或t个以上的秘密分享运算器还将该在线的任务分配器的代号、任务的任务号随本秘密分享运算器的代号j、需要签名的HASH值M及计算结果M^dj组成所述的广播数据包广播到所述的第二广播信道上；e3. t or more secret sharing calculators will also form the code name of the online task distributor, the task number of the task along with the code j of the secret sharing calculator, the HASH value M to be signed and the calculation result M ^dj The broadcast data packet is broadcast to the second broadcast channel;

所述的步骤F，进一步包括：Described step F, further comprises:

f1.接收到广播的秘密分享合成器将具有相同任务分配器代号及任务号的广播数据包放在一组中；f1. The secret sharing synthesizer that receives the broadcast puts the broadcast data packets with the same task allocator code and task number in one group;

f2.上述秘密分享合成器至少找出t个广播数据包，再从中找出与所述预存的方程组合表示匹配的一个方程组合表示，并得到对应的第二子密钥c_i。f2. The above-mentioned secret sharing synthesizer finds at least t broadcast data packets, and then finds an equation combination representation matching the pre-stored equation combination representation, and obtains the corresponding second subkey c _i .

所述的步骤D、E、F是顺序执行完成数字签名的计算操作。The steps D, E, and F are performed sequentially to complete the calculation operation of the digital signature.

所述的步骤F后还包括一步骤G，由在线的秘密分享合成器，将数字签名S＝M^d与任务分配器代号、任务号组成广播数据包广播到一在线的输出接口设备上，并由该输出接口设备用公开密钥检查签名结果，是正确时结束数字签名，是错误时进行错误处理或告警。After the step F, a step G is also included, and the online secret sharing synthesizer broadcasts the digital signature S=M ^d , the task distributor code number and the task number to form a broadcast data packet to an online output interface device, and The output interface device checks the signature result with the public key, ends the digital signature if it is correct, and performs error handling or alarm if it is wrong.

所述的步骤G中，是由在线的秘密分享合成器通过一第三广播信道将所述的广播数据包广播到一单独设置的在线的输出接口设备上。In the step G, the online secret sharing combiner broadcasts the broadcast data packet to a separately set online output interface device through a third broadcast channel.

所述的步骤G中，是由在线的秘密分享合成器通过所述的第一广播信道将所述的广播数据包广播到设置在任务分配器中的输出接口设备上。In the step G, the online secret sharing combiner broadcasts the broadcast data packet to the output interface device set in the task distributor through the first broadcast channel.

实现本发明目的的技术方案还是这样的：一种安全的数字签名系统，其特征在于包括：The technical solution for realizing the object of the present invention is still like this: a kind of safe digital signature system is characterized in that comprising:

至少一个在线的任务分配器、k个在线的秘密分享运算器、m个在线的秘密分享合成器和离线的子密钥分发器；在线的任务分配器通过第一广播信道与k个秘密分享运算器连接，k个秘密分享运算器通过第二广播信道与m个秘密分享合成器连接，离线的子密钥分发器在系统初始化或进行系统配置时与k个秘密分享运算器及m个秘密分享合成器分别连接，k、m为正整数。At least one online task distributor, k online secret sharing operators, m online secret sharing synthesizers and offline subkey distributors; the online task distributor communicates with k secret sharing operators through the first broadcast channel The k secret sharing operators are connected with the m secret sharing synthesizers through the second broadcast channel, and the offline sub-key distributor is connected with the k secret sharing operators and m secret sharing synthesizers during system initialization or system configuration. The synthesizers are connected respectively, and k and m are positive integers.

更佳地是，在系统中，还包括一单独设置的输出接口设备，通过第三广播信道与m个秘密分享合成器连接。More preferably, the system further includes a separately provided output interface device, which is connected to the m secret sharing synthesizers through the third broadcast channel.

更佳地是，在系统中，所述在线的任务分配器中还设置有一输出接口设备，通过所述的第一广播信道与所述的m个秘密分享合成器连接。More preferably, in the system, the online task allocator is also provided with an output interface device, which is connected to the m secret sharing combiners through the first broadcast channel.

所述的至少一个在线的任务分配器、k个在线的秘密分享运算器、m个在线的秘密分享合成器、离线的子密钥分发器均采用普通计算机或服务器。The at least one online task distributor, k online secret sharing operators, m online secret sharing synthesizers, and offline subkey distributors all use common computers or servers.

所述的第一广播信道、第二广播信道及第三广播信道是物理相连的一个信道或完全不相连的独立信道。The first broadcast channel, the second broadcast channel and the third broadcast channel are physically connected channels or independent channels that are not connected at all.

本发明的安全的数字签名方法及系统，基于RSA算法，通过一种不平衡的由分享运算器与分享合成器构成的双层结构的秘密分享，克服了背景技术中系统管理与实现上的困难，达到发明的目的。The secure digital signature method and system of the present invention, based on the RSA algorithm, overcomes the difficulties in system management and implementation in the background technology through an unbalanced secret sharing with a double-layer structure composed of a sharing operator and a sharing synthesizer , to achieve the purpose of the invention.

本发明的方法与系统具有下列特点：The method and system of the present invention have the following characteristics:

1.在线的任务分配器无须选定秘密分享运算器和指定密钥就可以广播数字签名任务，在系统更新时可保证不影响在线任务分配器的工作，在某台秘密分享运算器突然损坏时也不会影响广播任务的执行时间(如果指定由某台秘密分享运算器计算，而此台设备最后并没有响应，则必须重新指定设备与密钥并重新开始)；1. The online task distributor can broadcast digital signature tasks without selecting a secret sharing calculator and specifying a key. When the system is updated, it can guarantee that the work of the online task distributor will not be affected. When a secret sharing calculator is suddenly damaged It will also not affect the execution time of the broadcast task (if it is designated to be calculated by a secret sharing calculator, but this device does not respond in the end, you must re-designate the device and key and start again);

2.在增加一台秘密分享运算器时只需给它生成一个子密钥，离线的子密钥分发器会根据新加的秘密分享运算器的序号与已有的秘密分享运算器的序号进行方程组合，计算出相应的第二子密钥c_n，然后将这些新增的方程组合表示与计算出的c_n以密钥管理认可的方式添加到秘密分享合成器中去，这种添加是不影响系统工作的；2. When adding a secret sharing operator, you only need to generate a sub-key for it, and the offline sub-key distributor will compare the serial number of the newly added secret sharing operator with the serial number of the existing secret sharing operator. Equation combination, calculate the corresponding second sub-key c _n , then add these newly added equation combination expressions and the calculated c _n to the secret sharing synthesizer in a way approved by key management, this addition is Does not affect the system work;

3.在撤除一台秘密分享运算器时，只需关闭该设备，为保证效率起见，可以删除秘密分享合成器中有关该秘密分享运算器序号的方程组合表示和相应的c；3. When dismantling a secret sharing calculator, you only need to turn off the device. For the sake of efficiency, you can delete the equation combination representation and the corresponding c of the secret sharing calculator serial number in the secret sharing synthesizer;

4.同时，本发明同其他背景技术一样，也具有入侵容忍的能力，当小于t台秘密分享运算器被入侵以后，不会泄露系统秘密d，而且由于增加了秘密分享合成器的结构，即使所有的秘密分享运算器都被入侵，也不会泄露系统秘密d(从理论上也可以证明，攻击秘密分享合成器也无法得到系统秘密d，尽管方程个数很多，但所有方程的系数矩阵的秩小于变量的个数)。4. At the same time, the present invention, like other background technologies, also has the ability of intrusion tolerance. When less than t sets of secret sharing arithmetic units are invaded, the system secret d will not be disclosed, and because the structure of the secret sharing synthesizer is added, even if All secret sharing operators are hacked, and the system secret d will not be disclosed (it can also be proved theoretically that the system secret d cannot be obtained by attacking the secret sharing synthesizer. Although there are many equations, the coefficient matrix of all equations rank is less than the number of variables).

附图说明Description of drawings

图1是Stanford大学研究的ITTC项目方案中关于CA系统的原型结构示意图。Figure 1 is a schematic diagram of the prototype structure of the CA system in the ITTC project plan studied by Stanford University.

图2是本发明的一种安全数字签名系统的实施结构示意图。Fig. 2 is a schematic diagram of the implementation structure of a secure digital signature system of the present invention.

图3是本发明的另一种安全数字签名系统的实施结构示意图。Fig. 3 is a schematic diagram of the implementation structure of another secure digital signature system of the present invention.

图4是一种秘密分享运算器的实施流程框图。Fig. 4 is a block diagram of an implementation flow of a secret sharing calculator.

图5是一种秘密分享合成器的实施流程框图。Fig. 5 is a block diagram of an implementation flow of a secret sharing synthesizer.

具体实施方式Detailed ways

参见图2，图中示意出一种安全的数字签名系统结构，该系统结构采用RSA算法为基本算法。Referring to Fig. 2, the figure schematically shows a secure digital signature system structure, which adopts the RSA algorithm as the basic algorithm.

该结构中包含一台离线的子密钥分发机(器，以下同)21，至少一台在线的任务分配机22、k台在线的子秘密分享运算器23、m台在线的秘密分享合成器24和一台独立设置的在线的输出接口设备25。这些设备都可以由不同的普通计算机或服务器来担任。在线的任务分配机22通过广播信道B1(如UDP协议信道)与k台子秘密分享运算器23连接，k台子秘密分享运算器23通过广播信道B2与m台秘密分享合成器24连接，m台秘密分享合成器24通过广播信道B3与输出接口设备25连接，离线的子密钥分发机在系统初始化或进行系统配置时分别连接k台子秘密分享运算器23及m台秘密分享合成器24(如图中虚线所示)。The structure includes an offline sub-key distribution machine (device, the same below) 21, at least one online task distribution machine 22, k online sub-secret sharing operators 23, and m online secret sharing synthesizers 24 and an independently set online output interface device 25. These devices can all be served by different ordinary computers or servers. The online task distribution machine 22 is connected with the k station secret sharing computing unit 23 through the broadcast channel B1 (such as UDP protocol channel), and the k station secret sharing computing unit 23 is connected with the m station secret sharing synthesizer 24 through the broadcast channel B2. The sharing synthesizer 24 is connected to the output interface device 25 through the broadcast channel B3, and the offline sub-key distribution machine is respectively connected to the k sub-secret sharing computing unit 23 and the m sub-secret sharing computing unit 24 (as shown in the figure) when the system is initialized or the system is configured. shown by the dotted line).

离线的子密钥分发器21保存秘密d，不与其他系统有网络连接。广播信道B1、B2、B3可以是物理相连的一个广播信道或完全不相连、彼此独立的广播信道。The off-line sub-key distributor 21 keeps the secret d and does not have network connection with other systems. The broadcast channels B1, B2, and B3 may be one broadcast channel that is physically connected, or broadcast channels that are completely unconnected and independent of each other.

实现整个系统结构的基础原理是将一个大整数表示成若干个整数的和，采用如d＝d₁+d₂+d₃+...+d_t+c_i的表达式，用d_j表示方程中d₁至d_t中的任意一项，将数字签名中的私钥设为方程中的d，d_j的个数有t个，d、d₁、d₂、d₃...d₁、c_i均为正整数，d_j采用随机数以实现简单管理。该方程表达式不同于背景技术中方程表达式d＝d₁+d₂+d₃+...+d_t的地方是增加了一个c_j项，从而形成一种新的安全的且易于管理的系统结构。The basic principle of realizing the whole system structure is to express a large integer as the sum of several integers, using an expression such as d=d ₁ +d ₂ +d ₃ +...+d _t +c _i , expressed by d _j Any one of d ₁ to d _t in the equation, set the private key in the digital signature as d in the equation, the number of d _j is t, d, d ₁ , d ₂ , d ₃ ...d _1. Both c _{and i} are positive integers, and d _{and j} use random numbers to realize simple management. The difference between this equation expression and the equation expression d=d ₁ +d ₂ +d ₃ +...+d _t in the background technology is that a c _j item is added, thus forming a new safe and easy-to-manage system structure.

该系统结构对秘密d的分享采用由两层部件共同作用完成，一层部件是由简单的秘密分享运算器23组成的，另一层部件是由秘密分享合成器24组成的，在秘密分享运算器23中分别保存各d_j项，在秘密分享合成器中保存c_i项，从而形成两层式的秘密分享结构，这两层设备中都存有子密钥，分别为第一子密钥d_j与第二子密钥c_i。该两层式的分享结构还表现在：只有第一层的秘密分享运算器完成计算后，第二层的秘密分享合成器才能开始工作；由于秘密分享合成器中也保存有子密钥c_i，因而秘密分享合成器是不可能被其他设备取代的。In this system structure, the sharing of secret d is completed by two layers of components. One layer of components is composed of a simple secret sharing calculator 23, and the other layer of components is composed of a secret sharing synthesizer 24. Each d _j item is stored in the device 23 respectively, and the c _i item is stored in the secret sharing synthesizer, thus forming a two-layer secret sharing structure. Subkeys are stored in the two layers of equipment, respectively the first subkey d _j and the second subkey c _i . The two-layer sharing structure is also manifested in: only after the secret sharing operator of the first layer completes the calculation, the secret sharing synthesizer of the second layer can start to work; since the secret sharing synthesizer also saves the subkey c _i , so it is impossible for the secret sharing synthesizer to be replaced by other devices.

系统首先完成子密钥的分发，采用的操作过程如下：The system first completes the distribution of subkeys, and the operation process adopted is as follows:

离线的子密钥分发器21为每个秘密分享运算器23产生一个随机的d_j，对于有k台秘密运算分享器23的系统来说，就会有k个第一子密钥d_j，j＝1，2，3，4，...，k。将这些第一子密钥通过密钥管理认可的方式送至对应的秘密分享运算器23。The off-line sub-key distributor 21 generates a random d _j for each secret sharing operator 23, for a system with k secret operation sharers 23, there will be k first sub-keys d _j , j=1, 2, 3, 4, . . . , k. These first subkeys are sent to the corresponding secret sharing calculator 23 in a manner approved by key management.

需预先设计合适的t，t的含义就是当t-1台秘密分享运算器23被入侵后不会影响系统的安全性。应该保证t＜k，以保证系统可以从k个秘密分享运算器23中取到t个结果完成运算。It is necessary to design a suitable t in advance, and the meaning of t is that when t-1 secret sharing calculators 23 are invaded, the security of the system will not be affected. It should be guaranteed that t<k, so as to ensure that the system can obtain t results from k secret sharing calculators 23 to complete the calculation.

离线的子密钥分发器21从k个子密钥中取出t个子密钥，根据方程d＝d₁+d₂+d₃+...+d_t+c_i再通过作减法可以求出c_i。由于从k个中取t个共有C_k ^t种取法，故可以计算出C_k ^t个方程的c_i。这里， $n = C_{k}^{t}$ 代表组合，如 $C_{5}^{3} = 10,$ 就有10个c_i值和10个方程组合表示，每一个方程组合表示是所对应的t个第一子密钥d_j标号的组合，这样的一个方程所对应的密钥d_j的标号为密钥组合，显然，一个方程组合内的不同的第一子密钥是在不同的秘密分享运算器内，方程组合表示只与密钥d_j的下标标号j有关，不泄露任何子密钥的信息。The off-line sub-key distributor 21 takes t sub-keys out of k sub-keys, according to the equation d=d ₁ +d ₂ +d ₃ +...+d _t +c _i can then calculate c _i . Since there are C _k ^t methods of taking t out of k, the c _i of C _k ^t equations can be calculated. here, $no = C_{k}^{t}$ represents combinations such as $C_{5}^{3} = 10,$ There are 10 _ci values and 10 equation combinations, and each equation combination is a combination of the corresponding t first subkey d _j labels, and the key d _j labels corresponding to such an equation are Key combinations, obviously, different first subkeys in an equation combination are in different secret sharing operators, and the equation combination is only related to the subscript j of the key d _j , without revealing any subkeys Information.

d_j的比特数远小于c_i比特数的1/4，如当d为2048bits的数时，c_i为2048bits的数，d_j为500bits的数或更少，以保证秘密分享运算器23的运算速度，从而能提高系统的运算速度。The number of bits of d _j is far less than 1/4 of the number of bits of c _i , such as when d is a number of 2048 bits, c _i is a number of 2048 bits, and d _j is a number of 500 bits or less, so as to ensure the secret sharing operation unit 23 operation speed, so as to improve the operation speed of the system.

离线的子密钥分发器21将所有方程组合表示以及对应的c_i值通过管理允许的方式送到秘密分享合成器24中去预存。The off-line sub-key distributor 21 sends all equation combination representations and corresponding _ci values to the secret sharing synthesizer 24 for pre-storage in a manner permitted by management.

运算时，秘密分享运算器针对其拥有的子密钥计算升幂，秘密分享合成器寻找组合，计算并合成结果。During the operation, the secret sharing operator calculates the raising power for the subkeys it owns, and the secret sharing combiner finds the combination, calculates and synthesizes the result.

系统进行计算数字签名的操作过程：The operation process of the system to calculate the digital signature:

计算数字签名时，任务分配器将需要签名的HASH值M，经广播信道B1通过广播方式送往k个秘密分享运算器23，只要有超过t个正确的秘密分享运算器(指未被攻击的秘密分享运算器)收到数据就可以保证得到计算结果；When calculating the digital signature, the task allocator will send the signed HASH value M to k secret sharing operators 23 via the broadcast channel B1, as long as there are more than t correct secret sharing operators (referring to the unattacked The secret sharing calculator) can guarantee the calculation result after receiving the data;

其中的第j个秘密分享运算器在收到数据后先计算升幂M^dj，每一个秘密分享运算器针对其拥有的第一子密钥计算升幂，并将自己的代号j、需要签名的HASH值M及计算结果M^dj经广播信道B2通过广播方式送到秘密分享合成器24；The j-th secret sharing operator calculates the raising power M ^dj after receiving the data, each secret sharing operator calculates the raising power for the first subkey it owns, and uses its own code j, The HASH value M and the calculation result M ^dj are sent to the secret sharing synthesizer 24 through the broadcast channel B2;

秘密分享合成器24对接收的数据包采用遍历方法与自己预存的方程组合表示进行比较，找到可以匹配的t个组合表示，并得到相应的子密钥c_i，再将经组合匹配后的几个升幂结果相乘得到结果R，再根据找到的c_i求出M^ci，最后将M^ci与R相乘就得到应该得到的数字签名S＝M^d；The secret sharing synthesizer 24 compares the received data packet with its pre-stored equation combination expression by traversal method, finds t combination expressions that can be matched, and obtains the corresponding subkey c _i , and then combines and matches the combined expression Multiply the results of raising the power to get the result R, and then calculate M ^ci according to the found _ci , and finally multiply M ^ci by R to get the digital signature S=M ^d that should be obtained;

秘密分享合成器24将数字签名结果S送到输出接口设备25，输出接口设备25根据公开密钥检查签名结果的正确性。The secret sharing synthesizer 24 sends the digital signature result S to the output interface device 25, and the output interface device 25 checks the correctness of the signature result according to the public key.

以上计算流程中，所有广播的数据包内还应包括：任务分配器的代号，任务分配器分配的任务代号等。以保证系统能够区分不同的任务，支持多任务并行操作。In the above calculation process, all broadcast data packets should also include: the code name of the task allocator, the task code assigned by the task allocator, etc. To ensure that the system can distinguish different tasks and support multi-task parallel operation.

参见图3，是一个安全数字签名系统的实施例结构，使用一台离线的子密钥分发器31，5台在线的秘密分享运算器33(k＝5)，三台在线的秘密分享合成器34，一台在线的任务分配器32并兼做输出接口设备，在线的任务分配器32通过广播信道B1与5台秘密分享运算器33连接，5台秘密分享运算器33通过广播信道B2与两台秘密分享合成器34连接，两台秘密分享合成器34还通过广播信道B1与在线的任务分配器32连接，一台离线的子密钥分发器31在系统初始化或系统配置时分别连接5台秘密分享运算器33及两台秘密分享合成器34。Referring to Fig. 3, it is an embodiment structure of a secure digital signature system, using an offline sub-key distributor 31, five online secret sharing operators 33 (k=5), and three online secret sharing synthesizers 34. An online task allocator 32 is also used as an output interface device. The online task allocator 32 is connected to five secret sharing computing units 33 through the broadcast channel B1, and the five secret sharing computing units 33 are connected to the two secret sharing computing units through the broadcast channel B2. Two secret sharing synthesizers 34 are connected, and the two secret sharing synthesizers 34 are also connected to the online task distributor 32 through the broadcast channel B1, and an offline subkey distributor 31 is connected to 5 units respectively during system initialization or system configuration. A secret sharing calculator 33 and two secret sharing synthesizers 34 .

先进行子密钥的发放操作：First perform the issuing operation of the subkey:

给定在线的任务分配器32任意一个代号，如22，给定各秘密分享计算器33一个代号，如1，2，3，4，5，给定各秘密分享合成器34一个代号，如1，2，系统设定初始值t＝3，由离线的子密钥分发器31掌握秘密密钥d；Given any code number of the online task distributor 32, such as 22, a code name of each secret sharing calculator 33, such as 1, 2, 3, 4, 5, and a code name of each secret sharing synthesizer 34, such as 1 , 2, the system sets the initial value t=3, and the offline subkey distributor 31 grasps the secret key d;

离线的子密钥分发器31任意选定5个小于d/3(d/t)的随机数d₁，d₂，d₃，d₄，d₅，通过某种管理许可的方式将d₁送到1号秘密分享计算器，将d₂送到2号秘密分享计算器，将d₃送到3号秘密分享计算器，将d₄送到4号秘密分享计算器，将d₅送到5号秘密分享计算器；Offline sub-key distributor 31 arbitrarily selects 5 random numbers d ₁ , d ₂ , d ₃ , d ₄ , d ₅ less than d/3(d/t), and assigns d ₁ Send to secret sharing calculator #1, send _d2 to secret sharing calculator #2, send d3 to secret sharing calculator # ₃ , send _d4 to secret sharing calculator #4, send _d5 to No. 5 Secret Sharing Calculator;

根据d＝d_j+...+d_t+c_i的分解表达式及组合式C_k ^t，有10种c_i的方程组合表示，分别为：According to the decomposed expression of d=d _j +...+d _t + _ci and the combination formula C _k ^t , there are 10 kinds of equation combinations of c _i , which are respectively:

c₁＝d-d₁-d₂-d₃ 方程组合表示(1，2，3)c ₁ ＝dd ₁ -d ₂ -d ₃ Equation combination representation (1, 2, 3)

c₂＝d-d₁-d₂-d₄ 方程组合表示(1，2，4)c ₂ ＝dd ₁ -d ₂ -d ₄ Equation combination representation (1, 2, 4)

c₃＝d-d₁-d₂-d₅ 方程组合表示(1，2，5)c ₃ ＝dd ₁ -d ₂ -d ₅ Equation combination representation (1, 2, 5)

c₄＝d-d₁-d₃-d₄ 方程组合表示(1，3，4)c ₄ ＝dd ₁ -d ₃ -d ₄ Equation combination representation (1, 3, 4)

c₅＝d-d₁-d₃-d₅ 方程组合表示(1，3，5)c ₅ ＝dd ₁ -d ₃ -d ₅ Equation combination representation (1, 3, 5)

c₆＝d-d₁-d₄-d₅ 方程组合表示(1，4，5)c ₆ ＝dd ₁ -d ₄ -d ₅ Equation combination representation (1, 4, 5)

c₇＝d-d₂-d₃-d₅ 方程组合表示(2，3，4)c ₇ ＝dd ₂ -d ₃ -d ₅ Equation combination representation (2, 3, 4)

c₈＝d-d₂-d₃-d₅ 方程组合表示(2，3，5)c ₈ ＝dd ₂ -d ₃ -d ₅ Equation combination representation (2, 3, 5)

c₉＝d-d₂-d₄-d₅ 方程组合表示(2，4，5)c ₉ ＝dd ₂ -d ₄ -d ₅ Equation combination representation (2, 4, 5)

c₁₀＝d-d₃-d₄-d₅ 方程组合表示(3，4，5)c ₁₀ = dd ₃ -d ₄ -d ₅ Equation combination representation (3, 4, 5)

离线的子密钥分发器31将这10个c_i的值及相应的方程组合表示一起以管理允许的方式送到各秘密分享合成器34，即每个秘密分享合成器34中有十个方程组合表示和十个对应的c_i值。The off-line sub-key distributor 31 sends the 10 values of _ci and the corresponding equation combination expressions to each secret sharing synthesizer 34 in a management-approved manner, that is, there are ten equations in each secret sharing synthesizer 34 Combined representation and ten corresponding _ci values.

子密钥发放完成后，离线的子密钥分发器31就可以关机了(或处于物理隔离状态)。After the subkey distribution is completed, the off-line subkey distributor 31 can be shut down (or in a physically isolated state).

计算数字签名的工作流程为：The workflow for computing a digital signature is:

由在线的任务分配器32接收必须签名的任务，并做相应的安全检查和核对，然后求需要签名的HASH值M；The task that must be signed is received by the online task distributor 32, and corresponding security checks and checks are performed, and then the HASH value M that needs to be signed is obtained;

由在线的任务分配器32为当前的签名确定一个任务号，该任务号应该在一定时间范围内(如两天)对该任务分配器来说是唯一的；Determine a task number for the current signature by the online task distributor 32, which should be unique to the task distributor within a certain time frame (such as two days);

任务分配器将自己的代号(22)，该任务的任务号，HASH值M组成一个数据包广播到广播信道B1上；The task allocator broadcasts its own code (22), the task number of the task, and the HASH value M into a data packet to the broadcast channel B1;

秘密分享计算器j(秘密分享计算器33中的至少3个秘密分享计算器)收到广播后，通知任务分配器32已经成功接收；After receiving the broadcast, the secret sharing calculator j (at least 3 secret sharing calculators in the secret sharing calculator 33) notifies the task distributor 32 that it has successfully received;

秘密分享计算器j检查任务的唯一性，当该任务为新任务时，计算M^dj；The secret sharing calculator j checks the uniqueness of the task, and calculates M ^dj when the task is a new task;

秘密分享计算器j将自己的代号j，任务分配器代号22，任务号，HASH值M和计算结果M^dj向广播信道B2广播；Secret sharing calculator j broadcasts its own code j, task dispatcher code 22, task number, HASH value M and calculation result M ^dj to the broadcast channel B2;

秘密分享合成器34接收该广播信息，并将具有相同任务分配器代号和任务号的信息放在一组中；The secret sharing synthesizer 34 receives the broadcast information, and puts the information with the same task allocator code number and task number into a group;

秘密分享合成器34在一组结果中检查是否有三个以上结果且有3个与存储的方程组合表示匹配，如果有，找到相应匹配的方程组合表示，得到对应的c_i，根据c_i求M^ci，然后计算R(是对应的三个与组合表示匹配的升幂结果的乘积)，最后将M^ci与R相乘就得到应该得到的数字签名S＝M^d；The secret sharing synthesizer 34 checks whether there are more than three results in a set of results and three of them match the stored equation combination representation, if so, find the corresponding matching equation combination representation, obtain the corresponding c _i , and calculate M according to c _i ^ci , and then calculate R (which is the product of the corresponding three power-raising results that match the combination representation), and finally multiply M ^ci and R to get the digital signature S=M ^d that should be obtained;

秘密分享合成器34将任务分配器的代号，任务号和数字签名结果S＝M^d送到广播信道B1上；The secret sharing synthesizer 34 sends the code name of the task distributor, task number and digital signature result S= ^Md to the broadcast channel B1;

任务分配器32接收数字签名结果后，用公开密钥检查签名结果是否正确，如果错误，进入错误处理或告警，如果检查合格即结束计算任务。After the task distributor 32 receives the digital signature result, it uses the public key to check whether the signature result is correct. If it is wrong, it will enter error processing or alarm, and if it passes the check, it will end the calculation task.

图3实施例中较详细的执行步骤同样适用于图2实施例。The more detailed execution steps in the embodiment in FIG. 3 are also applicable to the embodiment in FIG. 2 .

参见图4、图5，分别为图2、图3中秘密分享运算器和秘密分享合成器的实施流程框图，是一种具体的实用流程。其实现是采用多线程技术，即计算机操作系统中使用的多任务并行技术，如图中所示的三个线程：任务处理程序、监听程序和界面程序，来实现一个秘密分享运算器或秘密分享合成器。所有需要计算的任务由一个任务队列来进行管理，而计算所需的系统参数(包括子密钥)也是三个线程都能够存取的。Referring to Fig. 4 and Fig. 5, they are block diagrams of the implementation flow of the secret sharing calculator and the secret sharing synthesizer in Fig. 2 and Fig. 3 respectively, which are a specific practical flow. Its realization is to use multi-threading technology, that is, the multi-task parallel technology used in computer operating systems, as shown in the figure, three threads: task processing program, listening program and interface program, to realize a secret sharing calculator or secret sharing synthesizer. All tasks that need to be calculated are managed by a task queue, and system parameters (including subkeys) required for calculation are also accessible to all three threads.

其中的任务处理程序是专门用于计算的，由于计算是最费时的一项工作，所以单独创建一个线程进行计算，以保证在计算时能够继续保持与用户间的交互，同时能够保持对网络数据的监听从而不丢失网络数据。该线程首先利用事件同步机制进行等候，可以在没有任务的时候节约CPU的时间，可以使用象NT中的EVENT之类的系统事件来进行同步；当任务执行线程被唤醒后，它扫描系统的任务队列，找到应该处理的任务进行处理，包括应该重新发送的数据包的发送。The task handler is specially used for calculation. Since calculation is the most time-consuming work, a separate thread is created for calculation to ensure that the interaction with the user can be maintained during calculation, and at the same time, the network data can be maintained. monitoring so as not to lose network data. The thread first uses the event synchronization mechanism to wait, which can save CPU time when there is no task, and can use system events such as EVENT in NT to perform synchronization; when the task execution thread is awakened, it scans the tasks of the system Queue, find the tasks that should be processed and process them, including the sending of data packets that should be resent.

监听程序是为了保证网络通信的数据不丢失而设置的，单独采用一个线程来监听网络的广播数据，该流程只进行简单的任务处理，如删除一个任务或增加一个任务，当有新的计算任务时，唤醒任务处理线程。The listener is set up to ensure that the data of network communication is not lost. A single thread is used to monitor the broadcast data of the network. This process only performs simple task processing, such as deleting a task or adding a task. When there is a new computing task , wake up the task processing thread.

界面程序用于用户界面处理，也单独采用一个线程，以保证在不影响系统运行的情况下修改系统的参数、增加子密钥等。The interface program is used for user interface processing, and a separate thread is also used to ensure that system parameters can be modified, subkeys can be added, etc. without affecting system operation.

本发明的系统结构简单，易于实现，有入侵容忍能力，虽然签一次名的总工作量与一般签名相比是增加了，但能确保系统安全，通过采用并行计算和让d_j的比特数远小于c_i的比特数，可做到与一般签名时间基本相等。The system structure of the present invention is simple, easy to implement, and has intrusion tolerance. Although the total workload of signing a signature is increased compared with general signatures, it can ensure system security. By using parallel computing and making the number of bits of d _j far The number of bits less than _ci can be basically equal to the general signature time.

按本发明技术方案设计的具有安全功能的数字签名设备，可以广泛应用于企事业中，每个设备针对每个企业存储一套相应数据，任务分配器在广播任务时就将企业代号放在数据包中，以区分不同的企业，秘密分享运算器根据企业代号找到相应的密钥并计算，计算结果连同企业代号一起送往合成器。The digital signature device with security function designed according to the technical scheme of the present invention can be widely used in enterprises and institutions. Each device stores a set of corresponding data for each enterprise, and the task distributor puts the enterprise code in the data when broadcasting tasks. In order to distinguish different enterprises, the secret sharing calculator finds and calculates the corresponding key according to the enterprise code, and the calculation result is sent to the synthesizer together with the enterprise code.

整个系统增加企业代号的管理以后，系统可以成为多个不同层次的用户、企业的代理，代理他们进行安全的数字签名。而子密钥分发器和任务分配器可以由企业或个人自己控制。在这种结构下，就构成了多个子密钥分发中心、多个任务分配器、多个密秘分享运算器，多个秘密分享合成器的格局，而成为一个完善的安全数字签名服务体系。After the management of enterprise code is added to the whole system, the system can become the agent of users and enterprises at different levels, and carry out secure digital signatures on behalf of them. And the sub-key distributor and task distributor can be controlled by the enterprise or individual themselves. Under this structure, multiple sub-key distribution centers, multiple task distributors, multiple secret sharing calculators, and multiple secret sharing synthesizers are formed, forming a complete secure digital signature service system.

本发明方案存在的缺陷是：无法抵制分享运算器与分享合成器合谋对系统的攻击，即当一台分享运算器与一台分享合成器联合起来对系统进行攻击时，是能够求出秘密d的。The defect in the scheme of the present invention is that it is impossible to resist the attack on the system by the collusion of the shared computing unit and the shared synthesizer, that is, when a shared computing unit and a shared synthesizer jointly attack the system, it is possible to obtain the secret d of.

Claims

1. the digital signature method of a safety comprises the granting of sub-key and calculates digital signature, its

Be characterised in that:

The granting of described sub-key comprises following treatment step:

A., a secure digital signature system is set, comprises the quantum key distribution device of online task distributor, online k secret sharing arithmetic unit, online m secret sharing synthesizer, broadcast channel and off-line, k, m are positive integer;

B. the quantum key distribution device of off-line is expressed as the digital signature private key d that preserves by t the first sub-key d _jAnd one second sub-key c _iAnd, d, t, c, j, i are positive integer and allow t＜k;

C. the quantum key distribution device of off-line with k random number as the first sub-key d _j, correspondence is distributed in k the secret sharing arithmetic unit, and according to obtaining one group of second sub-key c with formula by subtracting each other among the step B _iAnd equation combination expression, should organize the second sub-key c _iEquation combination expression and corresponding c _iDeliver to respectively in m the secret sharing synthesizer and prestore;

Described calculating digital signature comprises following treatment step:

D. online task distributor will need the HASH value M that signs to be sent to k secret sharing arithmetic unit by broadcast data packet through first broadcast channel;

T in E.k secret sharing arithmetic unit or t above secret sharing arithmetic unit are according to the M value calculating ascending power M that receives ^Dj, and with the code name j of this secret sharing arithmetic unit, the HASH value M and the result of calculation M that need sign ^DjBe sent to m secret sharing synthesizer by broadcast data packet through second broadcast channel;

F. the secret sharing synthesizer is with reception result and the one group of second sub-key c that prestores _iEquation combination expression compare, find the equation combination expression that can mate to obtain the corresponding second sub-key c _i, will multiply each other with the ascending power operation result of t secret sharing arithmetic unit of combinations matches obtains R as a result again, according to the second sub-key c that finds _iObtain M ^Ci, at last with M ^CiMultiply each other with R and to obtain digital signature S=M ^d

2. a kind of safe digital signature method according to claim 1 is characterized in that: also comprise to any given code name of online task distributor in the described steps A, give the given respectively code name inequality of k secret sharing arithmetic unit, give given respectively code name inequality of m secret sharing synthesizer and the initial value of setting t.

3. a kind of safe digital signature method according to claim 1, it is characterized in that: described step C further comprises:

C1. by the quantum key distribution device of off-line get k less than the random number of d/t as the first sub-key d _j

C2. the quantum key distribution device by off-line passes through the mode of management permission with k the first sub-key d _jCorrespondence is delivered in k the secret sharing arithmetic unit;

C3. by the quantum key distribution device of off-line from k the first sub-key d _j(d ₁, d ₂, d ₃..., d _k) t d of middle taking-up _j, form by the combination formula

n = C_{k}^{t}

Plant the combination expression, and calculate all combinations according to described and formula and represent the pairing second sub-key c _i(i=1,2 ..., n), constitute described set of equations combination expression;

C4. should organize the second sub-key c by the quantum key distribution device of off-line by the mode that management allows _iEquation combination expression and corresponding c _iDeliver in described m the secret sharing synthesizer.

4. a kind of safe digital signature method according to claim 1 is characterized in that: after the quantum key distribution device of described off-line is finished the distribution of sub-key at execution of step A, B, C, be in physical segregation state or be in off-mode.

5. a kind of safe digital signature method according to claim 1 is characterized in that:

Described step D further comprises:

D1. receive the digital signature task by an online task distributor, and carry out safety inspection and check;

D2. determine that for this task one is unique task number to task distributor within the predetermined time by online task distributor;

D3. the HASH value M that its code name and task number is signed with the need by online task distributor forms described broadcast data packet and is broadcast on described first broadcast channel;

Described step e further comprises:

E1. receive after the broadcasting t or t above secret sharing arithmetic unit and send the notice that has received to this online task distributor;

The uniqueness of e2.t or t above secret sharing arithmetic unit inspection task is carried out the calculating of described ascending power when being defined as new task;

The code name that e3.t or t above secret sharing arithmetic unit also will this online task distributor, the task number of task with the code name j of this secret sharing arithmetic unit, need the HASH value M and the result of calculation M that sign ^DjForming described broadcast data packet is broadcast on described second broadcast channel;

Described step F further comprises:

F1. the broadcast data packet that the secret sharing synthesizer that receives broadcasting will have same task distributor code name and task number is placed in one group;

F2. above-mentioned secret sharing synthesizer is found out t broadcast data packet at least, therefrom finds out with an equation combination of the described equation combination expression coupling that prestores again and represents, and obtain the second corresponding sub-key ci.

6. a kind of according to claim 1 or 5 safe digital signature method is characterized in that: described step D, E, F are the calculating operations of the complete digital signature of order.

7. a kind of safe digital signature method according to claim 1 is characterized in that:

Also comprise a step G after the described step F, by online secret sharing synthesizer, with digital signature S=M ^dForm broadcast data packet with task distributor code name, task number and be broadcast on the online output interface device, and by this output interface device with public-key cryptography inspection signature result, the end number signature carries out fault processing or alarm when being correct when being mistake.

8. a kind of safe digital signature method according to claim 7 is characterized in that: be described broadcast data packet to be broadcast on the online output interface device that is provided with separately by one the 3rd broadcast channel by online secret sharing synthesizer.

9. a kind of safe digital signature method according to claim 7 is characterized in that: be described broadcast data packet to be broadcast on the output interface device that is arranged in the task distributor by described first broadcast channel by online secret sharing synthesizer.