TREA

DYNAMICALLY TRACEABLE PRIVACY-PRESERVING DISTRIBUTED THRESHOLD SIGNATURE SYSTEM AND METHOD

Follow

Information

  • Patent Application
  • 20240396738
  • Publication Number
    20240396738
  • Date Filed
    February 21, 2024
    11 months ago
  • Date Published
    November 28, 2024
    2 months ago
Information
Abstract
The present disclosure discloses a dynamically traceable privacy-preserving distributed threshold signature system and method, which are applied to an environment composed of multiple signer modules, multiple aggregator modules, multiple notary modules, multiple tracer modules and a blockchain module; where the signer module signs data, encrypts a signature and uploads encrypted signature to the blockchain module; the aggregator module receives the encrypted signatures from the blockchain module and aggregates them into a synthetic signature, and at the same time sends a corresponding transaction to the blockchain module; the notary module locates the synthetic signature in the blockchain module and partially decrypts the synthetic signature into multiple synthetic signature fragments; the tracer module aggregates synthetic signature fragments and traces a set of signers; and the blockchain module consists of multiple nodes and is responsible for receiving transactions sent by each module.
Description
CROSS-REFERENCE TO RELATED APPLICATION

This application claims the priority benefit of China application serial no. 202310585847.X, filed on May 23, 2023. The entirety of the above-mentioned patent application is hereby incorporated by reference herein and made a part of this specification.


TECHNICAL FIELD

The present disclosure is a dynamically traceable privacy-protecting distributed threshold signature method and system, which belongs to the technical fields of privacy protection, threshold signature and blockchain.


BACKGROUND

Threshold signature allows a message to be signed when no less than t parties in a team of n parties participate in a signing process. A threshold signature is a key tool for many practical applications. Among them, there are two types of threshold signatures that are more eye-catching: an accountable threshold signature and a privacy threshold signature. The accountable threshold signature can reveal identities of all t signers who jointly generated the signature. Privacy threshold signature does not reveal a value of t or the identities of the t signers. In addition to being unforgeable, these two signatures provide traceability and privacy to a set of the signers, respectively.


However, previous threshold signature schemes require centralized servers to implement aggregation and traceability. If a single point of failure occurs, it may cause an entire system to collapse. At the same time, aggregators and tracers are not completely trustworthy, which may cause some privacy leak issues. Therefore, while ensuring traceability and privacy in the threshold signature scheme, it is also particularly important to implement a decentralized mechanism.


Generally speaking, in a traceability process of threshold signature, there is only one participant, the tracer, to realize the entire traceability process. However, the traceability process is a sensitive process and it should be notarized by a dynamic and relevant notarization group. However, previous threshold signature schemes do not use a notarization group to notarize the traceability process, which may result in a traceability result being unconvincing.


SUMMARY

In order to solve the above-mentioned deficiencies in the prior art, the present disclosure proposes a dynamically traceable privacy-preserving distributed threshold signature system and method. It is expected that during an aggregation or traceability process, it can resist the security threats of untrustworthy aggregators or tracers, and realize a dynamic notarization and traceability process, thereby protecting the unforgeability, traceability and privacy of the threshold signature.


In order to achieve the above-mentioned object, the present disclosure adopts the following technical solutions.


Characteristics of a dynamically traceable privacy-preserving distributed threshold signature system of the present disclosure include: n signer modules, n1 aggregator modules, n3 notary modules, n2 tracer modules and a blockchain module;

    • any of the signer modules includes: a message signing unit, a signature encryption unit, and a transaction sending unit;
    • any of the aggregator modules includes: an encrypted signature receiving unit, a trusted execution environment unit, a blockchain signature unit, and a transaction sending unit;
    • any of the notary modules includes: a synthetic signature receiving unit, a token generation unit, a data partial decryption unit, and a transaction sending unit;
    • any of the tracer modules includes: a blockchain signature verification unit and a trusted execution environment unit;
    • the blockchain module includes: a transaction receiving unit and a consensus unit;
    • where the message signing unit of the i-th signer module signs a message m to obtain i-th signature data σ1, and uses the signature encryption unit to encrypt the i-th signature data σi to obtain an i-th encrypted signature σi; the transaction sending unit of the i-th signer module sends the i-th encrypted signature σi to the transaction receiving unit of the blockchain module; where, i∈[1,t], t is a threshold value for selecting a group of signers from n signers, t∈[1,n];
    • the encrypted signature receiving unit of the j-th aggregator module obtains the i-th encrypted signature σi from the blockchain module and forwards the i-th encrypted signature σi to the trusted execution environment unit of the j-th aggregator module; the trusted execution environment unit decrypts the i-th encrypted signature σi to obtain i-th decrypted signature data σij so as to obtain t pieces of decrypted signature data {σij}i=1t; the trusted execution environment unit of the j-th aggregator module aggregates t pieces of decrypted signature data {σij}i=1t to obtain a j-th aggregate signature σjm of the message m;
    • the trusted execution environment unit of the j-th aggregator module selects t′ notaries from n3 notaries to form a notary set Nj, and encrypts the j-th aggregate signature σjm according to the notary set Nj to obtain a j-th synthetic signature oNj; the blockchain signature unit of the j-th aggregator module signs the j-th synthetic signature σNj to obtain a j-th blockchain signature ηj; the transaction sending unit of the j-th aggregator module sends the j-th blockchain signature ηj to the transaction receiving unit of the blockchain module; where j∈[1,n1].
    • the token generation unit of the o-th notary module generates an o-th query token tdo according to an identity attribute of the o-th notary module, and the transaction sending unit of the o-th notary module sends the o-th query token to the transaction receiving unit of the blockchain module;
    • the transaction receiving unit of the blockchain module receives the o-th query token and uses a smart contract to locate the synthetic signature σNj, and sends the synthetic signature σNj to the synthetic signature receiving unit of the o-th notary module; where o∈[1,t′].
    • after receiving the synthetic signature σNj, the synthetic signature receiving unit of the o-th notary module forwards the synthetic signature σNj to the data partial decryption unit of the o-th notary module; the data partial decryption unit partially decrypts the synthetic signature σNj to obtain a decrypted fragment σojm of the message m, and encrypts the decrypted fragment σojm to obtain a synthetic signature fragment uvkoj; such that the transaction sending unit of the o-th notary module sends the synthetic signature fragment uvkoj to the transaction receiving unit of the blockchain module;
    • the l-th tracer module obtains the j-th blockchain signature nj from the blockchain module, and uses the blockchain signature verification unit to verify the j-th blockchain signature ηj; after the verification is passed, obtains the synthetic signature fragment uvkoj and the notary set N and forwards the synthetic signature fragment uvkoj and the notary set to the Nj trusted execution environment unit of the l-th tracer module; the trusted execution environment unit of the l-th tracer module decrypts the synthetic signature fragment uvkoj to obtain a decrypted fragment σojm, so as to obtain t′ decrypted fragments {σojm}o=1t′; the trusted execution environment unit of the l-th tracer module aggregates t′ decryption fragments {σojm}o=1t′ into the synthetic signature σNj, so as to perform tracing according to the synthetic signature σNj to obtain the i-th signer module participating in the signature.


Characteristics of a dynamically traceable privacy-preserving distributed threshold signature method of the present disclosure are that it is applied in an environment composed of n signers, n1 aggregators, n3 notaries, n2 tracers and a blockchain, where the threshold signature method is executed as follows:


step 1: initialization:

    • step 1.1: setting a security parameter 1λ, where λ is a length of the security parameter; defining a threshold value as t, and then using a key generation algorithm ATS.KeyGen(1λ,n,t) of an accountable threshold signature to generate a public key pk and a private key set (sk1, sk2, . . . , ski, . . . , skt) of the accountable threshold signature, where ski represents a private key of the i-th signer; i∈[1,t];


selecting a random number rpk from a group Rλ to generate a cryptographic commitment compk of the public key pk, where Rλ is a real number group with a security parameter length of λ;

    • using a key generation algorithm SIG.KeyGen(1λ, j) of a blockchain signature to obtain a public key pkjs and a private key skjs of the blockchain signature of the j-th aggregator, where j is an identity attribute of the aggregator, j∈[1,n1];
    • using an encryption algorithm PKE.KeyGen(1λ, j) to obtain a public key pkje and a private key skje of a trusted execution environment of the j-th aggregator;
    • using an encryption algorithm PKE.KeyGen(1λ, l) to obtain a public key pklenc and a private key sklenc of a trusted execution environment of the l-th tracer, where l is an identity attribute of the aggregator, l∈[1,n2];
    • step 1.2: using an initialization algorithm DTPKE.Setup(1λ) of a dynamic threshold public key encryption to obtain a master key mk, an encryption key ek, a decryption key dk, a verification key vk and a combined key ck;


using a user joining algorithm DTPKE.Join(mk,o) of the dynamic threshold public key encryption to obtain a user private key usko of the o-th notary, a user public key upko of the o-th notary and a user version number uvko of the o-th notary, o∈[1,t′];

    • using a key generation algorithm KASE.KeyGen(λ) of a key aggregation searchable encryption to obtain a public key mpk and a private key msk of the key aggregation searchable encryption;
    • using an extraction algorithm KASE.Extract(msk,G) of the key aggregation searchable encryption to obtain an aggregate key ka;
    • step 1.3: combining pk skje, t, ek and rpk to obtain a j-th aggregate key skjc=(pk,skje,t,ek,rpk).
    • combining sklenc, ck, and pk to obtain a l-th traceability key sklt=(sklenc,ck,pk).
    • using a hash algorithm Hash(GID,time) to obtain an identifier gid of a signature group S, where GID is a group number of the signature group S, time is a signature time of the signature group S, GID∈G; the signature group S is composed of t signers;
    • step 1.4: combining Compk, ek, dk, vk, {pkjs}j=1nt, {pkje}j=1nt, B, PK, H, mpk gid and ka, to obtain a system public key
    • PK=(compk,ek,dk,vk,{pkjs}j=1nt, {pkje}j=1nt, B, PK, H, mpk, gid, ka), where gid represents an identifier set of the signature group S;


Step 2: Message Signature:





    • step 2.1: according to the private key Ski, a message m and the signature group S, using, by the i-th signer, a signature algorithm ATS.Sign(ski, m, S) of the accountable threshold signature to obtain signature data σi of the message m;

    • obtaining, by the i-th signer, the encrypted signature σi according to the public key pkje of the j-th trusted execution environment and a string m∥σi∥Nj∥gid to be encrypted, sending the encrypted signature σi to the blockchain, where ∥ represents a string connector, Nj represents a set of notaries selected by the j-th aggregator, i∈[1,t].





Step 3: Aggregating Signatures:





    • step 3.1: obtaining, by any j-th aggregator, all encrypted signatures {σi}i=1t of the signature group S from the blockchain, where σi represents an encrypted signature of the i-th signer;

    • in the trusted execution environment, decrypting the encrypted signature {σi}i=1t sequentially by using the private key skje of the trusted execution environment, to obtain a signature set {σi}i=1t, the notary set N j and the identifier gid of the signature group S; where σi represents a signature of the i-th signer;

    • according to the public key pk, the message m, the signature group S and the signature set {σi}i=1t, obtaining the j-th aggregate signature σjm of the message m by using an aggregation algorithm ATS.Combine(pk,m,S,{σ}i=1t) of the accountable threshold signature;

    • according to the j-th aggregate signature σjm, the notary set Nj and the encryption N key ek, obtaining the synthetic signature σNj by using the encryption algorithm DTPKE.Enc(ek,Nj,ojm) of a dynamic threshold public key encryption;

    • according to the public key mpk, the identifier gid of the signature group S and the notary set Nj, obtaining an encrypted cipher text pair (c1gid, c2gid) and an encrypted index set {indo}o=1t′ by using an encryption algorithm KASE.Enc(mpk,gid,Nj) of the key aggregation searchable encryption, where indo represents an o-th security index, o∈[1,t′];

    • processing required proof data t′, compk, ek, mpk, gid, m, (c1gid, c2gid), {indo}o=1n3, Nj, σjm, rpk, pk by using a zero-knowledge proof generation algorithm to obtain a zero-knowledge proof π;

    • step 3.2: signing, by the j-th aggregator, the message m, the synthetic signature oNj, the encrypted cipher text pair (c1gid, c2gid), an encrypted index set {indo}o=1|Nj| and the zero-knowledge proof π by using the private key skjs, to obtain the j-th blockchain signature nj;

    • combining, by the j-th aggregator m, σNj, (c1gid, c2gid) {indo}o=1|Nj|, π and ηj, to obtain a dynamically traceable privacy-preserving distributed threshold signature σ, and sending m and σ to the blockchain;

    • step 4: tracing a set of signers:

    • step 4.1: according to an aggregation key ka in the system public key PK and an identity attribute o of the system public key PK, obtaining, by the o-th notary, a query token tdo by using a token generation algorithm KASE.Trapdoor(ka,o) of the key aggregation searchable encryption, and sending the query token tdo to the blockchain;

    • after receiving the query token tdo, obtaining, by a smart contract in the blockchain, an adjusted query token tdosid by using an adjustment algorithm of the key aggregation searchable encryption;

    • according to the adjusted query token tdosid, obtaining, by the smart contract, the synthetic signature σNj corresponding to the o-th notary by using a test algorithm of the key aggregation searchable encryption;

    • obtaining, by the o-th notary, the synthetic signature σNj from the blockchain, and according to the identity attribute o, the decryption key dk and the user private key usko, obtaining a decrypted fragment σojm of the message m by using a data partial decryption algorithm DTPKE.ShareDecrypt(dk,o,usko,σNj) of the dynamic threshold public key encryption;

    • encrypting, by the o-th notary, the decrypted fragment σojm by using the public key pklenc of a trusted execution environment of the l-th tracer to obtain a synthetic signature fragment uvkoj, and sending the synthetic signature fragment uvkoj to the blockchain;

    • step 4.2: receiving, by the l-th tracer, the synthetic signature fragment uvkoj and the synthetic signature σNj from the blockchain, decrypting the encrypted synthetic signature fragment uvko according to the private key sklenc of the trusted execution environment, to obtain the decrypted fragment σojm;

    • according to the encryption key ek, the notary set Nj and the synthetic signature σNj, using, by the l-th tracer, a cipher text verification algorithm DTPKE.ValidateCT(ek,Nj,oNj) of the dynamic threshold public key encryption in the trusted execution environment to verify whether the synthetic signature σNj is a valid encrypted cipher text of the notary set Nj if so, outputting 1, otherwise, outputting 0;

    • according to the verification key vk, the identity attribute o of the o-th notary, the user version number uvko, the synthetic signature σNj and a decryption fragment σojm, using, by the l-th tracer, a fragment verification algorithm of the dynamic threshold public key encryption in the trusted execution environment to verify whether the decrypted fragment σojm is generated by the o-th notary, if so, outputting 1, otherwise, outputting 0;

    • according to the combined key ck, the notary set Nj, the synthetic signature σNj and a decrypted fragment set {σojm}o=1t′, using, by the l-th tracer, a fragment combination algorithm DTPKE.Combine(ck, Nj,oNj,{σojm}o=1t′) of the dynamic threshold public key encryption in the trusted execution environment to obtain the j-th aggregate signature σjm corresponding to the notary set Nj:





according to the public key pk, the message m and the j-th aggregate signature σjm, using, by the l-th tracer, a traceability algorithm ATS.Trace(pk,m,ojm) of the accountable threshold signature in the trusted execution environment to obtain the signature group S participating in signing the j-th aggregate signature σjm.


Compared with the prior art, beneficial effects of the present disclosure are as follows.

    • 1. A blockchain framework is used in the present disclosure. By distributing an aggregation (traceability) function in threshold signatures to multiple aggregators (tracers), attacks by untrusted aggregators (tracers) are prevented, decentralized aggregation and traceability are achieved and the occurrence of single point of failure in centralized server is effectively prevented.
    • 2. The present disclosure uses trusted hardware as an execution environment for a partial aggregation (traceability) process, which ensures that the aggregation (traceability) process is not affected by untrusted aggregators (tracers).
    • 3. The present disclosure uses dynamic threshold public key encryption to dynamically notarize the traceability process, and wakes up the notary through key aggregation searchable encryption, which effectively guarantees the dynamic traceability of the threshold signature.
    • 4. The present disclosure uses a non-interactive zero-knowledge proof method to achieve public verification of a notary's identity, which ensures the correctness of the traceability result.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a flowchart of the present disclosure.



FIG. 2 is a detailed diagram of an implementation of the present disclosure.





DESCRIPTION OF THE EMBODIMENTS

In this embodiment, a dynamically traceable privacy-preserving distributed threshold signature system, as shown in FIG. 1, includes multiple signer modules, multiple aggregator modules, multiple notary modules, multiple tracer modules, and a blockchain module.


As shown in FIG. 2, the signer module is implemented in the Android platform or a personal computer, while the aggregator module and the tracer module are implemented in a hardware platform of the Windows system. Where the processor needs to support the IntelSGX technology to run relevant protocols in a trusted memory area, the blockchain module uses a running Geth Ethereum client to build a blockchain, and a trusted third-party notary module is implemented in the Android platform or the personal computer.


Taking a once traceability threshold signature as an example, the signer module is a member of a signature group that wants to sign a message, the aggregator module and the tracer module are winning nodes that have dug the mine in the blockchain, a notary is a person from a third-party notary institution; and the blockchain module is a public blockchain composed of multiple full nodes.


Any of the signer modules includes: a message signing unit, a signature encryption unit, and a transaction sending unit.


Any of the aggregator modules includes: an encrypted signature receiving unit, a trusted execution environment unit, a blockchain signature unit, and a transaction sending unit.


Any of the notary modules includes: a synthetic signature receiving unit, a token generation unit, a data partial decryption unit, and a transaction sending unit.


Any of the tracer modules includes: a blockchain signature verification unit and a trusted execution environment unit.


The blockchain module includes: a transaction receiving unit and a consensus unit.


The message signing unit of the i-th signer module signs a message m to obtain i-th signature data σi, and uses the signature encryption unit to encrypt the i-th signature data σi to obtain an i-th encrypted signature σi; the transaction sending unit of the i-th signer module sends the i-th encrypted signature σi to the transaction receiving unit of the blockchain module; where, i∈[1,t], t is a threshold value for selecting a group of signers from n signers, t∈[1,n].


The encrypted signature receiving unit of the j-th aggregator module obtains the i-th encrypted signature σi from the blockchain module and forwards the i-th encrypted signature σi to the trusted execution environment unit of the j-th aggregator module; the trusted execution environment unit decrypts the i-th encrypted signature σi to obtain i-th decrypted signature data σij, so as to obtain t pieces of decrypted signature data {σij}i=1t; the trusted execution environment unit of the j-th aggregator module aggregates t pieces of decrypted signature data {σij}i=1t to obtain a j-th aggregate signature σjm of the message m.


The trusted execution environment unit of the j-th aggregator module selects t′ notaries from n3 notaries to form a notary set Nj, and encrypts the j-th aggregate signature σjm according to the notary set Nj to obtain a j-th synthetic signature σNj; the blockchain signature unit of the j-th aggregator module signs the j-th synthetic signature σNj to obtain a j-th blockchain signature ηj; the transaction sending unit of the j-th aggregator module sends the j-th blockchain signature ηj to the transaction receiving unit of the blockchain module; where j∈[1,n1].


The token generation unit of the o-th notary module generates an o-th query token tdo according to an identity attribute of the o-th notary module, and the transaction sending unit of the o-th notary module sends the o-th query token to the transaction receiving unit of the blockchain module.


The transaction receiving unit of the blockchain module receives the o-th query token and uses the smart contract to locate the synthetic signature σNj, and sends the synthetic signature σNj to the synthetic signature receiving unit of the o-th notary module; where o∈[1,t′].


After receiving the synthetic signature σNj, the synthetic signature receiving unit of the o-th notary module forwards the synthetic signature σNj to the data partial decryption unit of the o-th notary module; the data partial decryption unit partially decrypts the synthetic signature σNj to obtain a decrypted fragment σojm of the message m, and encrypts the decrypted fragment σojm to obtain a synthetic signature fragment uvkoj; such that the transaction sending unit of the o-th notary module sends the synthetic signature fragment uvkoj to the transaction receiving unit of the blockchain module.


The l-th tracer module obtains the j-th blockchain signature ηj from the blockchain module, and uses the blockchain signature verification unit to verify the j-th blockchain signature ηj; after the verification is passed, obtains the synthetic signature fragment uvkoj and the notary set Nj and forwards the synthetic signature fragment uvkoj and the notary set Nj to the trusted execution environment unit of the l-th tracer module; the trusted execution environment unit of the l-th tracer module decrypts the synthetic signature fragment uvkoj to obtain a decrypted fragment σojm, so as to obtain t′ decrypted fragments {σojm}o=1t′; the trusted execution environment unit of the l-th tracer module aggregates t′ decryption fragments {σojm}o=1t′ into the synthetic signature σNj, so as to perform tracing according to the synthetic signature σNj to obtain the i-th signer module participating in the signature.


In this embodiment, a dynamically traceable privacy-preserving distributed threshold signature method is applied in an environment composed of n signers, n1 aggregators, n3 notaries, n2 tracers and a blockchain. The threshold signature method is executed as follows.


Step 1: Initialization.

Step 1.1: setting a security parameter 1λ, where λ is a length of the security parameter; defining a threshold value as, and then using a key generation algorithm ATS.KeyGen(1λ,n,t) of an accountable threshold signature to generate a public key pk and a private key set (sk1,sk2, . . . , ski, . . . , ski) of the accountable threshold signature, where ski represents a private key of the i-th signer; i∈[1,t].


A random number rpk is selected from a group Rλ to generate a cryptographic commitment compk of the public key pk, where Rλ is a real number group with a security parameter length of 2.


A key generation algorithm SIG.KeyGen(1λ,l) of a blockchain signature is used to obtain a public key pkjs and a private key skjs of the blockchain signature of the j-th aggregator, where j is an identity attribute of the aggregator, j∈[1,n1].


An encryption algorithm PKE.KeyGen(1λ,j) is used to obtain a public key pkje and a private key skje of a trusted execution environment of the j-th aggregator.


An encryption algorithm PKE.KeyGen(1λ,l) is used to obtain a public key pklenc and a private key sklenc of a trusted execution environment of the l-th tracer, where l is an identity attribute of the aggregator, l∈[1,n2] and each aggregator and tracer has a trusted execution environment.


Step 1.2: using an initialization algorithm DTPKE.Setup(1λ) of a dynamic threshold public key encryption to obtain a master key mk, an encryption key ek, a decryption key dk, a verification key vk and a combined key ck.


A user joining algorithm DTPKE.Join(mk,o) of the dynamic threshold public key encryption is used to obtain a user private key usko of the o-th notary, a user public key upko of the o-th notary and a user version number uvko of the o-th notary, o∈[1,t′].


An initialization algorithm KASE.Setup(λ,|G|) of key aggregation searchable encryption is used to obtain a bilinear mapping system B, a key aggregation searchable encryption public key PK, and a one-way hash function H. Where B consists of three p-order cyclic groups G1, G2, GT, and a bilinear mapping relationship e: G1×G2→GT, where × represents pairing, →represents mapping, e is a bilinear mapping calculation function, G is a cyclic group, and |G| represents an order of the group G.


A key generation algorithm KASE.KeyGen(λ) of a key aggregation searchable encryption is used to obtain a public key mpk and a private key msk of the key aggregation searchable encryption.


An extraction algorithm KASE.Extract(msk,G) of the key aggregation searchable encryption is used to obtain an aggregate key ka.


Step 1.3: combining pk, skje, t, ek and rpk to obtain a j-th aggregate key skjc=(pk,skje,t,ek,rpk); and

    • combining sklenc, ck, and pk to obtain a l-th traceability key sklt=(sklenc,ck,pk).


A hash algorithm Hash(GID,time) is used to obtain an identifier gid of a signature group S, where the hash algorithm uses a 256 bit secure hash algorithm, GID is a group number of the signature group S, time is a signature time of the signature group S, GID∈G; and the signature group S is composed of t signers.


Step 1.4: combining compk, ek, dk, vk, {pkjs}j=1nt, {pkje}=j=1nt, B, PK, H, mpk gid and ka), to obtain a system public key





PK=(compk,ek,dk,vk,{pkjs}j=1nt,{pkje}j=1nt,B,PK,H,mpk,gid,ka),


where gid represents an identifier set of the signature group S.


Step 2: Message Signature.

Step 2.1: according to the private key ski, a message m and the signature group S, using, by the i-th signer, a signature algorithm ATS.Sign(ski,m,S) of the accountable threshold signature to obtain signature data σi of the message m.


The i-th signer obtains the encrypted signature σi according to the public key pkje oj the j-th trusted execution environment and a string m∥σi∥Nj∥gid to be encrypted, and sends the encrypted signature σi to the blockchain, where ∥ represents a string connector, Nj represents a set of notaries selected by the j-th aggregator, i∈[1,t].


Step 3: Aggregating Signatures.

Step 3.1: obtaining, by any j-th aggregator, all encrypted signatures {σi}i=1t of the signature group S from the blockchain, where σi represents an encrypted signature of the i-th signer.


In the trusted execution environment, the encrypted signature {σi}i=1t is sequentially decrypted by using the private key skje of the trusted execution environment, to obtain a signature set {σi}i=1t, the notary set Nj and the identifier gid of the signature group S; where σi represents a signature of the i-th signer.


According to the public key pk, the message m, the signature group S and the signature set {σi}i=1t, the j-th aggregate signature σjm of the message m is obtained by using an aggregation algorithm ATS.Combine(pk,m,S,{σ}i=1t) of the accountable threshold signature.


According to the j-th aggregate signature σjm, the notary set Nj and the encryption key ek, the synthetic signature σNj is obtained by using the encryption algorithm DTPKE.Enc(ek,Njjm) of a dynamic threshold public key encryption.


According to the public key mpk, the identifier gid of the signature group S and the notary set Nj, an encrypted cipher text pair (c1gid,c2gid) and an encrypted index set {indo}o=1t′ are obtained by using an encryption algorithm KASE.Enc(mpk,gid,Nj) of the key aggregation searchable encryption, where indo represents an o-th security index, o∈[1,t′].


Required proof data t′, compk, ek, mpk, gid, m, (c1gid, c2gid), {indo}o=1n3,Nj, σjm, rpk, pk is performed by using a zero-knowledge proof generation algorithm, to obtain a zero-knowledge proof π.


Step 3.2: signing, by the j-th aggregator, the message m, the synthetic signature σNj the encrypted cipher text pair (c1gid, c2gid), an encrypted index set {indo}o=1|Nj| and the zero-knowledge proof π by using the private key skjs, to obtain the j-th blockchain signature ηj.


The j-th aggregator combines m, σNj, (c1gid, c2gid), {indo}o=1|Nj|, π and ηj, to obtain a dynamically traceable privacy-preserving distributed threshold signature σ, and sends m and σ to the blockchain.


Step 4: Tracing a Set of Signers.

Step 4.1: according to an aggregation key ka in the system public key PK and an identity attribute o of the system public key PK, obtaining, by the o-th notary, a query token tdo by using a token generation algorithm KASETrapdoor(ka,o) of the key aggregation searchable encryption, and sending the query token tdo to the blockchain.


After receiving the query token tdo, a smart contract in the blockchain obtains an adjusted query token td sid by using an adjustment algorithm of the key aggregation searchable encryption.


According to the adjusted query token tdogid, the smart contract obtains the synthetic signature σNj corresponding to the o-th notary by using a test algorithm of the key aggregation searchable encryption.


The o-th notary obtains the synthetic signature σNj from the blockchain, and according to the identity attribute o, the decryption key dk and the user private key usko, obtains a decrypted fragment σojm of the message m by using a data partial decryption algorithm DTPKE.ShareDecrypt(dk,o,usko,σNj) of the dynamic threshold public key encryption.


The o-th notary encrypts the decrypted fragment σojm by using the public key pklenc of a trusted execution environment of the l-th tracer to obtain a synthetic signature fragment uvkoj, and sends the synthetic signature fragment uvkoj to the blockchain.


Step 4.2: receiving, by the l-th tracer, the synthetic signature fragment uvkoj and the synthetic signature σNj from the blockchain, decrypting the encrypted synthetic signature fragment uvko according to the private key sklenc of the trusted execution environment, to obtain the decrypted fragment σojm.


According to the encryption key ek, the notary set Nj and the synthetic signature σNj, the l-th tracer uses a cipher text verification algorithm DTPKE.ValidateCT(ek,Nj,σNj) of the dynamic threshold public key encryption in the trusted execution environment to verify whether the synthetic signature σNj is a valid encrypted cipher text of the notary set Nj if so, outputs 1, otherwise, outputs 0.


According to the verification key vk, the identity attribute o of the o-th notary, the user version number uvko, the synthetic signature σNj and a decryption fragment σojm, the l-th tracer uses a fragment verification algorithm of the dynamic threshold public key encryption in the trusted execution environment to verify whether the decrypted fragment σojm is generated by the o-th notary, if so, outputs 1, otherwise, outputs 0.


According to the combined key ck, the notary set Nj, the synthetic signature σNj and a decrypted fragment set {σojm}o=1t′, the l-th tracer uses a fragment combination algorithm DTPKE.Combine(ck, NjNj,{σojm}o=1t′) of the dynamic threshold public key encryption in the trusted execution environment to obtain the j-th aggregate signature σjm corresponding to m the notary set Nj.


According to the public key pk, the message m and the j-th aggregate signature σjm, the l-th tracer uses a traceability algorithm ATS.Trace(pk,m,ojm) of the accountable threshold signature in the trusted execution environment to obtain the signature group S participating in signing the j-th aggregate signature σjm.


In summary, the present disclosure has made improvements on the basis of previous threshold signatures, which implements a dynamically traceable privacy-preserving distributed threshold signature method and system. The present disclosure can effectively resist attacks by untrustworthy tracers and aggregators, and protect the unforgeability, traceability and privacy of the threshold signatures.

Claims
  • 1. A dynamically traceable privacy-preserving distributed threshold signature system, comprising: n signer modules, n1 aggregator modules, n3 notary modules, n2 tracer modules and a blockchain module; any of the signer modules comprises: a message signing unit, a signature encryption unit, and a transaction sending unit;any of the aggregator modules comprises: an encrypted signature receiving unit, a trusted execution environment unit, a blockchain signature unit, and a transaction sending unit;any of the notary modules comprises: a synthetic signature receiving unit, a token generation unit, a data partial decryption unit, and a transaction sending unit;any of the tracer modules comprises: a blockchain signature verification unit and a trusted execution environment unit;the blockchain module comprises: a transaction receiving unit and a consensus unit;wherein the message signing unit of the i-th signer module signs a message m to obtain i-th signature data σi, and uses the signature encryption unit to encrypt the i-th signature data σi to obtain an i-th encrypted signature σi; the transaction sending unit of the i-th signer module sends the i-th encrypted signature σi to the transaction receiving unit of the blockchain module; wherein, i∈[1,t], t is a threshold value for selecting a group of signers from n signers, t∈[1,n];the encrypted signature receiving unit of the j-th aggregator module obtains the i-th encrypted signature σi from the blockchain module and forwards the i-th encrypted signature σi to the trusted execution environment unit of the j-th aggregator module; the trusted execution environment unit decrypts the i-th encrypted signature σi to obtain i-th decrypted signature data σij, so as to obtain t pieces of decrypted signature data {σij}i=1t; the trusted execution environment unit of the j-th aggregator module aggregates t pieces of decrypted signature data {σij}i=1t to obtain a j-th aggregate signature σjm of the message m;the trusted execution environment unit of the j-th aggregator module selects t′ notaries from n3 notaries to form a notary set Nj, and encrypts the j-th aggregate signature σjm according to the notary set Nj to obtain a j-th synthetic signature σNj; the blockchain signature unit of the j-th aggregator module signs the j-th synthetic signature σNj to obtain a j-th blockchain signature ηj; the transaction sending unit of the j-th aggregator module sends the j-th blockchain signature ηj to the transaction receiving unit of the blockchain module; wherein j∈[1,n1];the token generation unit of the o-th notary module generates an o-th query token tdo according to an identity attribute of the o-th notary module, and the transaction sending unit of the o-th notary module sends the o-th query token to the transaction receiving unit of the blockchain module;the transaction receiving unit of the blockchain module receives the o-th query token and uses a smart contract to locate the synthetic signature, and sends the synthetic signature σNj to the synthetic signature receiving unit of the o-th notary module; wherein o∈[1,t′];after receiving the synthetic signature σNj, the synthetic signature receiving unit of the o-th notary module forwards the synthetic signature σNj to the data partial decryption unit of the o-th notary module; the data partial decryption unit partially decrypts the synthetic signature σNj to obtain a decrypted fragment σojm of the message m, and encrypts the decrypted fragment σojm to obtain a synthetic signature fragment uvkoj; such that the transaction sending unit of the o-th notary module sends the synthetic signature fragment uvkoj to the transaction receiving unit of the blockchain module;the l-th tracer module obtains the j-th blockchain signature ηj from the blockchain module, and uses the blockchain signature verification unit to verify the j-th blockchain signature ηj; after the verification is passed, obtains the synthetic signature fragment uvkoj and the notary set Nj and forwards the synthetic signature fragment uvkoj and the notary set Nj to the trusted execution environment unit of the l-th tracer module; the trusted execution environment a unit of the l-th tracer module decrypts the synthetic signature fragment uvkoj to obtain a decrypted fragments σojm, so as to obtain t′ decrypted fragments {σojm}o=1t′, the trusted execution environment unit of the l-th tracer module aggregates t′ decryption fragments {σojm}o=1t′ into the synthetic signature σNj, so as to perform tracing according to the synthetic signature σNj to obtain the i-th signer module participating in the signature.
  • 2. A dynamically traceable privacy-preserving distributed threshold signature method, applied in an environment composed of n signers, n1 aggregators, n3 notaries, n2 tracers and a blockchain, wherein the threshold signature method is executed as follows: step 1: initialization:step 1.1: setting a security parameter 1λ, wherein λ is a length of the security parameter; defining a threshold value as t, and then using a key generation algorithm ATS.KeyGen(1λ,n,t) of an accountable threshold signature to generate a public key pk and a private key set (sk1, sk2, . . . , ski, . . . , skt) of the accountable threshold signature, wherein ski represents a private key of the i-th signer; i∈[1,t];selecting a random number rpk from a group Rλ to generate a cryptographic commitment compk of the public key pk, wherein Rλ is a real number group with a security parameter length of λ;using a key generation algorithm SIG.KeyGen(1λ,j) of a blockchain signature to obtain a public key pkjs and a private key skjs of the blockchain signature of the j-th aggregator, wherein j is an identity attribute of the aggregator, j∈[1,n1];using an encryption algorithm PKE.KeyGen(1λ,j) to obtain a public key pkje and a private key skje of a trusted execution environment of the j-th aggregator;using an encryption algorithm PKE.KeyGen(1λ,l) to obtain a public key pklenc and a private key sklenc of a trusted execution environment of the l-th tracer, wherein l is an identity attribute of the aggregator, l∈[1,n2];step 1.2: using an initialization algorithm DTPKE.Setup(1λ) of a dynamic threshold public key encryption to obtain a master key mk, an encryption key ek, a decryption key dk, a verification key vk and a combined key Ck;using a user joining algorithm DTPKE.Join(mk,o) of the dynamic threshold public key encryption to obtain a user private key usko of the o-th notary, a user public key upko of the o-th notary and a user version number uvko of the o-th notary, o∈[1,t′];using a key generation algorithm KASE.KeyGen(λ) of a key aggregation searchable encryption to obtain a public key mpk and a private key msk of the key aggregation searchable encryption;using an extraction algorithm KASE.Extract(msk,G) of the key aggregation searchable encryption to obtain an aggregate key ka;step 1.3: combining pk, skje, t, ek and rpk to obtain a j-th aggregate key skjc=(pk,skje,t,ek,rpk); combining sklenc, ck, and pk to obtain a l-th traceability key sklt=(sklenc,ck,pk);using a hash algorithm Hash(GID,time) to obtain an identifier gid of a signature group S wherein GID is a group number of the signature group S, time is a signature time of the signature group S, GID∈G; the signature group S is composed of t signers;step 1.4: combining compk, ek, dk, vk, {pkjs}j=1n1, {pkje}j=1n1, B, PK, H, mpk, gid and ka, to obtain a system public key PK=(compk,ek,dk,vk,{pkjs}j=1n1,{pkje}j=1n1,B,PK,H,mpk,gid,ka), wherein gid represents an identifier set of the signature group S;step 2: message signature:step 2.1: according to the private key ski, a message m and the signature group S using, by the i-th signer, a signature algorithm ATS.Sign(ski,m,S) of the accountable threshold signature to obtain signature data σi of the message m;obtaining, by the i-th signer, the encrypted signature σi according to the public key pkje of the j-th trusted execution environment and a string m∥σi∥Nj∥gid to be encrypted, sending the encrypted signature σi to the blockchain, wherein ∥ represents a string connector, Nj represents a set of notaries selected by the j-th aggregator, i∈[1,t];step 3: aggregating signatures:step 3.1: obtaining, by any j-th aggregator, all encrypted signatures {σi}i=1t of the signature group S from the blockchain, wherein σi represents an encrypted signature of the i-th signer;in the trusted execution environment, decrypting the encrypted signature {σi}i=1t sequentially by using the private key skje of the trusted execution environment, to obtain a signature set {σi}i=1t, a notary set Nj and the identifier gid of the signature group S; wherein σi represents a signature of the i-th signer;according to the public key pk, the message m, the signature group S and the signature set {σi}i=1t, obtaining a j-th aggregate signature σjm of the message m by using an aggregation algorithm ATS.Combine(pk, m, S, {σ}i=1t) of the accountable threshold signature;according to the j-th aggregate signature σjm, the notary set Nj and the encryption key ek, obtaining a synthetic signature θNj by using the encryption algorithm DTPKE.Enc(ek, Nj, σjm) of a dynamic threshold public key encryption;according to the public key mpk, the identifier gid of the signature group S and the notary set t Nj, obtaining an encrypted cipher text pair (c1gid, c2gid) and an encrypted index set {indo}o=1t′ by using an encryption algorithm KASE.Enc(mpk, gid, Nj) of the key aggregation searchable encryption, wherein indo represents an o-th security index, o∈[1,t′];processing required proof data t′, compk, ek, mpk, gid, m, (c1gid, c2gid) {indo}o=1t′, Nj, σjm, rpk, pk by using a zero-knowledge proof generation algorithm to obtain a zero-knowledge proof π;step 3.2: signing, by the j-th aggregator, the message m, the synthetic signature σNj, the encrypted cipher text pair (c1gid, c2gid),an encrypted index set {indo}o=1|Nj| and the zero-knowledge proof π by using the private key skjs, to obtain a j-th blockchain signature ηj;combining, by the j-th aggregator m, σNj, (c1gid, c2gid), {indo}o=1|Nj|, π and ηj, to obtain a dynamically traceable privacy-preserving distributed threshold signature σ, and sending m and σ to the blockchain;step 4: tracing a set of signers:step 4.1: according to an aggregation key ka in the system public key PK and an identity attribute o of the system public key PK, obtaining, by the o-th notary, a query token tdo by using a token generation algorithm KASETrapdoor(ka, o) of the key aggregation searchable encryption, and sending the query token tdo to the blockchain;after receiving the query token tdo, obtaining, by a smart contract in the blockchain, an adjusted query token tdogid by using an adjustment algorithm of the key aggregation searchable encryption;according to the adjusted query token tdogid, obtaining, by the smart contract, the synthetic signature σNj corresponding to the o-th notary by using a test algorithm of the key aggregation searchable encryption;obtaining, by the o-th notary, the synthetic signature σNj from the blockchain, and according to the identity attribute o, the decryption key dk and the user private key usko, obtaining a decrypted fragment σojm of the message m by using a data partial decryption algorithm DTPKE.ShareDecrypt(dk,o,usko,σNj) of the dynamic threshold public key encryption;encrypting, by the o-th notary, the decrypted fragment σojm by using the public key pklenc of a trusted execution environment of the l-th tracer to obtain a synthetic signature fragment uvkoj, and sending the synthetic signature fragment uvkoj to the blockchain;step 4.2: receiving, by the l-th tracer, the synthetic signature fragment uvkoj and the synthetic signature σNj from the blockchain, decrypting the encrypted synthetic signature fragment uvko according to the private key sklenc of the trusted execution environment, to obtain the decrypted fragment σojm;according to the encryption key ek, the notary set Nj and the synthetic signature σNj, using, by the l-th tracer, a cipher text verification algorithm DTPKE.ValidateCT(ek,Nj,σNj) of the dynamic threshold public key encryption in the trusted execution environment to verify whether the synthetic signature σNj is a valid encrypted cipher text of the notary set Nj if so, outputting 1, otherwise, outputting 0;according to the verification key vk, the identity attribute o of the o-th notary, the user version number uvko, the synthetic signature σNj and a decryption fragment σojm, using, by the l-th tracer, a fragment verification algorithm of the dynamic threshold public key encryption in the trusted execution environment to verify whether the decrypted fragment σojm is generated by the o-th notary, if so, outputting 1, otherwise, outputting 0;according to the combined key ck, the notary set Nj, the synthetic signature σNj and a decrypted fragment set {σojm}o=1t′, using, by the l-th tracer, a fragment combination algorithm DTPKE.Combine(ck,Nj,σNj,{σojm}o=1t′) of the dynamic threshold public key encryption in the trusted execution environment to obtain the j-th aggregate signature σjm corresponding to the notary set Nj;according to the public key pk, the message m and the j-th aggregate signature ojm, using, by the l-th tracer, a traceability algorithm ATS.Trace(pk,m,ojm) of the accountable threshold signature in the trusted execution environment to obtain the signature group S participating in signing the j-th aggregate signature ojm.
Priority Claims (1)
Number Date Country Kind
202310585847.X May 2023 CN national