Random beacon generation method, apparatus, device and readable storage medium

By filtering and generating threshold signatures and utilizing the registration address information bound to the secure element and the blockchain, the problem of insufficient randomness in the random beacon generation process is solved, thereby improving the credibility and accuracy of random beacons.

CN122394800APending Publication Date: 2026-07-14CHINA MOBILE FINANCIAL TECHNOLOGY CO LTD +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA MOBILE FINANCIAL TECHNOLOGY CO LTD
Filing Date
2026-03-04
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

In existing technologies, the randomness in the generation of random beacons is insufficient, and their authenticity cannot be verified, resulting in low credibility.

Method used

By receiving random values ​​from candidate members, a second candidate member is selected, target parameters are generated, and a random beacon is generated based on a threshold signature. The reliability of the random value and the accuracy of the selection are improved by utilizing the registration address information bound to the secure element and the blockchain.

Benefits of technology

It improves the accuracy of generated random beacons, prevents individual manipulation, and enhances the reliability and accuracy of the generation process.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394800A_ABST
    Figure CN122394800A_ABST
Patent Text Reader

Abstract

The application discloses a random beacon generation method and device, equipment and a readable storage medium, and relates to the technical field of communication. The method comprises the following steps: receiving random values sent by M first candidate members in a first candidate pool, wherein the random values are values generated by the first candidate members based on registration address information by calling a random number generator, the registration address information corresponds to the first candidate members, M is an integer greater than 1; selecting N second candidate members from the M first candidate members through the random values, wherein the N second candidate members belong to a second candidate pool, N is an integer greater than 1; obtaining target parameters generated by each second candidate member in the N second candidate members, wherein the target parameters are parameters used for generating a threshold signature; generating the threshold signature based on the N target parameters, and generating a random beacon based on the threshold signature. In this way, the accuracy of the generated random beacon can be improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application belongs to the field of communication technology, specifically relating to a method, apparatus, device, and readable storage medium for generating random beacons. Background Technology

[0002] With the continuous development of communication technology, its application in people's lives is becoming increasingly widespread. Currently, the generation of random beacons typically relies on participants providing random values. However, in reality, the participants' software environments may generate pseudo-random numbers or even be manipulated by attackers, resulting in insufficient randomness in the output. Without trusted hardware intervention, malicious nodes can easily submit pre-predicted or pre-selected random values ​​to influence the outcome, and their authenticity cannot be verified externally, leading to low credibility of the generated random beacons. Summary of the Invention

[0003] This application provides a method, apparatus, device, and readable storage medium for generating random beacons to address the problem of low reliability of generated random beacons.

[0004] To solve the above problems, this application is implemented as follows:

[0005] In a first aspect, embodiments of this application provide a method for generating random beacons, including:

[0006] Receive random values ​​sent by M first candidate members in the first candidate pool. The random values ​​are generated by the first candidate members calling a random number generator based on the registration address information. The registration address information corresponds to the first candidate members, and M is an integer greater than 1.

[0007] N second candidate members are selected from the M first candidate members using the random value. The N second candidate members belong to the second candidate pool, where N is an integer greater than 1 and N is less than or equal to M.

[0008] Obtain the target parameters generated for each of the N second candidate members, where the target parameters are parameters used to generate the threshold signature;

[0009] The threshold signature is generated based on the N target parameters, and a random beacon is generated based on the threshold signature.

[0010] Secondly, embodiments of this application provide a random beacon generation apparatus, comprising:

[0011] The receiving module is used to receive random values ​​sent by M first candidate members in the first candidate pool. The random values ​​are generated by the first candidate members calling a random number generator based on the registration address information. The registration address information corresponds to the first candidate members, and M is an integer greater than 1.

[0012] The filtering module is used to filter N second candidate members from the M first candidate members using the random value. The N second candidate members belong to the second candidate pool, where N is an integer greater than 1 and N is less than or equal to M.

[0013] The acquisition module is used to acquire the target parameters generated by each of the N second candidate members, wherein the target parameters are parameters used to generate the threshold signature;

[0014] The generation module is used to generate the threshold signature based on the N target parameters, and to generate a random beacon based on the threshold signature.

[0015] Thirdly, embodiments of this application also provide an electronic device, including: a memory, a processor, and a program stored in the memory and executable on the processor; the processor is configured to read the program in the memory to implement the steps in the method described in the first aspect above.

[0016] Fourthly, embodiments of this application also provide a readable storage medium for storing a program, which, when executed by a processor, implements the steps of the method described in the first aspect above.

[0017] Fifthly, embodiments of this application also provide a computer program product, including computer instructions, which, when executed by a processor, implement the steps of the method described in the first aspect above.

[0018] In this embodiment, random values ​​sent by M first candidate members in the first candidate pool are received. N second candidate members are selected from the M first candidate members using the random values. In this way, N second candidate members are selected through two elections, which makes the accuracy of the selected N second candidate members higher. At the same time, the target parameters generated by each of the N second candidate members are obtained. The target parameters are the parameters used to generate the threshold signature. The threshold signature is generated based on the N target parameters, and a random beacon is generated based on the threshold signature. Since the threshold signature is generated based on the target parameters of the N second candidate members, no single second candidate member can manipulate the generation of the threshold signature, which improves the accuracy of the generated threshold signature. The random beacon is generated based on the above threshold signature, which improves the accuracy of the generated random beacon. Attached Figure Description

[0019] To more clearly illustrate the technical solutions of the embodiments of this application, the drawings used in the description of the embodiments of this application will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0020] Figure 1 This is one of the flowcharts of the random beacon generation method provided in the embodiments of this application;

[0021] Figure 2 This is a schematic diagram of the structure of the decentralized random beacon provided in the embodiments of this application;

[0022] Figure 3 This is a schematic diagram of the structure of the smart contract provided in the embodiments of this application;

[0023] Figure 4 This is the second flowchart of the random beacon generation method provided in the embodiments of this application;

[0024] Figure 5 This is a schematic diagram of the structure of the random beacon generation device provided in the embodiments of this application;

[0025] Figure 6 This is a schematic diagram of the structure of the electronic device provided in the embodiments of this application. Detailed Implementation

[0026] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0027] The terms "first," "second," etc., used in the embodiments of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to these processes, methods, products, or devices. Additionally, the use of "and / or" in this application indicates at least one of the connected objects, such as A and / or B and / or C, representing seven possibilities: including A alone, B alone, C alone, and the presence of both A and B, both B and C, both A and C, and the presence of A, B, and C.

[0028] Please see Figure 1 , Figure 1 This is a flowchart illustrating the random beacon generation method provided in the embodiments of this application. Figure 1 The random beacon generation method shown can be executed by an electronic device. Optionally, the electronic device may include a smart contract, that is, the execution subject of the embodiments of this application may also be a smart contract.

[0029] like Figure 1 As shown, the random beacon generation method may include the following steps:

[0030] Step 101: Receive random values ​​sent by M first candidate members in the first candidate pool. The random values ​​are generated by the first candidate members calling a random number generator based on the registration address information. The registration address information corresponds to the first candidate members, and M is an integer greater than 1.

[0031] The random value, generated by the first candidate member using the random number generator based on the registration address information, can be understood as follows: the first candidate member can input the registration address information into the random number generator to generate the aforementioned random value. This simplifies the random value generation process, and since the random value generated by the random number generator has high reliability, it also improves the reliability of the generated random value.

[0032] As an optional implementation, the registration address information is stored in a secure element and a blockchain, respectively, and the secure element is bound to the blockchain.

[0033] A secure element is a dedicated hardware component that exists in the form of a chip. It protects sensitive data from unauthorized access through physical isolation and tamper-proof design, and incorporates encryption / decryption logic circuitry that operates in isolation from the main processor. The specific type of secure element is not limited here, but optionally, it may include at least one of the following: a Subscriber Identity Module (SIM) card, an embedded SIM (eSIM) card, a Trusted Platform Module (TPM) chip, and a security chip.

[0034] Both blockchain and security elements can be applied to the electronic devices in this application embodiment, that is, the electronic devices in this application embodiment can integrate the above-mentioned blockchain and security elements.

[0035] In this embodiment, the registration address information is stored in a secure element and a blockchain, respectively, and the secure element is bound to the blockchain. This reduces the possibility of the registration address information being tampered with and further enhances the security of the registration address information.

[0036] It should be noted that the registration address information is stored in the secure element and the blockchain respectively, and the implementation process of binding the secure element and the blockchain can be seen in the following description:

[0037] During the manufacturing process of the secure element, the manufacturer generates a key pair and a unique device identifier, incorporates signature-related cryptographic algorithms, and injects the user's identity information (which may include the identity information of the first candidate member) into the secure element. The secure element then internally signs to generate identity binding information. The specific steps are shown below:

[0038] Step 1: During the manufacturing process of the secure element, the manufacturer generates a non-derivative key pair. This generates a unique device identifier (UDID), and the Certificate Authority (CA) is responsible for this process. Certificate Award The secure element comes pre-installed with the root signature algorithm RSign and the root verification algorithm RVerify. The root signature algorithm RSign uses a private key. The input is the message to be signed, and the output is the signature; the root verification algorithm RVerify uses the public key. The input is the signature, and the output is the single-bit verification result.

[0039] Step 2: User identity information (e.g., may include user identity ID) is injected into the secure element through a trusted registration process to generate an internal association. The secure element internally signs and generates an identity binding statement M and calculates the signature of the binding statement. , where M and The calculation process is as follows:

[0040] ;

[0041] ;

[0042] The "||" operator is used to concatenate strings. Used to represent a family of one-way functions, generally including collision-resistant hash functions, ts is used to represent real-time timestamp information.

[0043] Step 3: The initial candidates (including the M first-candidate members) bind their factory-issued identities to signature information. As a seed, a public-private key pair is generated on the blockchain, which is then used to generate an address on the blockchain (i.e., registration address information) to bind identity information and blockchain address.

[0044] Optionally, the specific generation steps can be as follows: the initial candidate's security element is... For seeds, through Generate chain private key in the following way Further generate chain public keys The chain address addr is calculated as follows:

[0045] ;

[0046] ;

[0047] Among them, the chain public key Chain private key It is generated using a trapdoor one-way function, and the choice of the trapdoor one-way function is related to the key generation algorithm used for the corresponding blockchain transaction signature.

[0048] Among them, the registered address information can be referred to as The registration address information may be part of the registration credential information of the first candidate member. Optionally, the registration credential information of the first candidate member may also include the registration count (nonce) and the session context (ctx). The registration count serves as an identifier, automatically incrementing by 1 with each registration to prevent replay attacks. The session context is an abstract concept in cryptography, which can be understood as some random information including the current timestamp. Its function is to serve as a unique field so that the registration credential cannot be easily forged, further preventing previous or future registration credentials from being used for this registration.

[0049] Optionally, the registration address information may also refer to the registration chain address information of the first candidate member on the blockchain.

[0050] It should be noted that, optionally, the above-mentioned registration count (nonce), session context (ctx), and registration address information... All of these can be stored within the secure element, thereby enhancing the aforementioned registration count (nonce), session context (ctx), and registration address information. Security.

[0051] The aforementioned random number generator can be a component included in the secure element. In this application, a secure element with true random number generator and key protection capabilities can be embedded in a decentralized random beacon protocol. In this way, each participating node holds a hardware security module (such as a super SIM card, eSIM, TPM chip, or security chip), which is given a unique device identity and public-private key pair by the root certificate authority. The true random number generation circuit can be built into the secure element during manufacturing, thereby making the random numbers generated by the secure element physically unpredictable, far superior to the random numbers generated by software pseudo-randomization in related technologies. At the same time, its internal private key is used to sign the output, constituting a trusted proof of the random number.

[0052] Step 102: Select N second candidate members from the M first candidate members using the random value. The N second candidate members belong to the second candidate pool, where N is an integer greater than 1 and N is less than or equal to M.

[0053] Optionally, the first candidate pool and the second candidate pool may belong to different candidate pools. For example, the first candidate pool may refer to the first storage area in the electronic device, while the second candidate pool may refer to the second storage area in the electronic device. The first storage area and the second storage area may refer to different storage areas.

[0054] Alternatively, the second candidate pool may refer to at least a portion of the first candidate pool, i.e., the first candidate pool may be greater than or equal to the second candidate pool, and the second candidate member may refer to at least a portion of the first candidate member in the first candidate pool.

[0055] Step 103: Obtain the target parameters generated for each of the N second candidate members. The target parameters are the parameters used to generate the threshold signature.

[0056] The specific content of the target parameter is not limited here. Optionally, the target parameter may include the signature share, and alternatively, the target parameter may include the identity information of the second candidate member.

[0057] The specific method by which each second candidate member generates the target parameter is not limited here. Optionally, a second candidate member can send information to other second candidate members, and each second candidate member can generate the target parameter based on the information received from other second candidate members.

[0058] Step 104: Generate the threshold signature based on the N target parameters, and generate a random beacon based on the threshold signature.

[0059] The specific method for generating the threshold signature based on the N target parameters is not limited here. Optionally, the N target parameters can be directly synthesized into a threshold signature. Alternatively, the N target parameters can be corrected separately, and a threshold signature can be generated based on the corrected N target parameters.

[0060] The generation of random beacons based on threshold signatures can be understood as follows: when the threshold signature matches the pre-set standard signature, a random beacon can be generated; when the threshold signature does not match the pre-set standard signature, a random beacon can not be generated.

[0061] In addition, when generating random beacons, they can be generated based on the aforementioned N target parameters, or they can be generated based on other parameters. For example, other parameters may include parameters sent by the N second candidate members for generating random beacons.

[0062] It should be noted that the random beacon in this application embodiment can be referred to as a decentralized random beacon or a decentralized random beacon.

[0063] In this embodiment, through steps 101 to 104, random values ​​sent by M first candidate members in the first candidate pool are received. N second candidate members are selected from the M first candidate members using the random values. In this way, N second candidate members are selected through two elections, resulting in higher accuracy and reliability of the selected N second candidate members. At the same time, the target parameters generated by each of the N second candidate members are obtained. The target parameters are the parameters used to generate the threshold signature. A threshold signature is generated based on the N target parameters, and a random beacon is generated based on the threshold signature. Since the threshold signature is generated based on the target parameters of the N second candidate members, no single second candidate member can manipulate the generation of the threshold signature, thus improving the accuracy of the generated threshold signature. The random beacon is generated based on the aforementioned threshold signature, thereby improving the accuracy of the generated random beacon.

[0064] It should be noted that the specific method of selecting N second candidate members from M first candidate members by random value is not limited here. Optionally, the first candidate member corresponding to the random value within the preset range can be directly determined as the second candidate member. Alternatively, the first candidate member corresponding to the random value greater than the preset threshold can also be determined as the second candidate member.

[0065] As an optional implementation, the step of selecting N second candidate members from the M first candidate members using the random value includes:

[0066] Receive a first hash value sent by each of the M first candidate members, wherein the first hash value is a hash value calculated by the first candidate member using the corresponding random value;

[0067] If the current time is after the sending deadline of the first hash value, and the second hash value sent by the first candidate member is received, verify whether the first hash value and the second hash value match.

[0068] If the first hash value matches the second hash value, the first candidate member is determined as the second candidate member by the random value, so as to obtain the N second candidate members.

[0069] To more fully illustrate the implementation methods of this application, an optional implementation method is provided below as an example:

[0070] Step 1: Start the election round and determine the sequence number (sessionID) of an election event. This election event can be used to elect the second candidate member.

[0071] Step 2: For each first candidate member in the first candidate pool, call the random number generator to obtain a random value. The first hash value is calculated based on the above random values. The calculation method is as follows:

[0072] ;

[0073] ;

[0074] Optionally, the election random parameter comdata can be based on a random value. , chain address Generated with the election event sequence number (sessionID), and the first hash value It can be generated based on the election random parameter comdata and a preset function. The preset function can be used... express, This represents a family of one-way functions, generally including collision-resistant hash functions such as Secure Hash Algorithm (SHA)-256, SHA3-256, or Keccak-256; optionally, the above functions can also be cascaded with RIPEMD-160, so that the preset function can satisfy the one-wayness and collision resistance of retrieving the input from the output.

[0075] Step 3: The first candidate member can use the first hash value. Submissions are made to the beacon management module of the smart contract included in the electronic device. First-choice members can also stake a small amount of on-chain tokens (such as cryptocurrencies). Internal records are stored within the secure element. The plaintext is bound to the sessionID and not leaked to the outside world.

[0076] Step 4: After the commitment phase ends (i.e., the deadline for sending the first hash value), the smart contract opens the disclosure window. The user submits a disclosure (i.e., the second hash value) through a secure element, and the secure element verifies that the submitted second hash value matches the first hash value. corresponding Check if sessionID and addr match, then... The information must be disclosed in plaintext to the smart contract. If the user fails to disclose this information, the staked on-chain tokens will be forfeited.

[0077] It should be noted that this implementation uses a two-tiered candidate pool election combined with threshold signatures. First, all initial candidates with secure elements enter the first candidate pool as first candidate members, participating in a commitment-disclosure random lottery. Each node (i.e., each first candidate member) generates a random candidate value through its secure element, submits its hash value on-chain as a commitment, and simultaneously pledges collateral (i.e., staked on-chain tokens). Subsequently, the node submits its original value during the disclosure phase. The smart contract verifies the disclosure and randomly selects a certain number of nodes (first candidate members) from the successfully disclosed set to form the second candidate pool. This stage is equivalent to using the commitment mechanism for node screening / lottery, combined with economic penalties to ensure the disclosure rate, unbiasedly selecting threshold signature participants from a large pool of candidates, thereby resisting Sybil attacks and malicious abstention. This implementation can combine the commitment-disclosure public random selection function with the staking penalty mechanism to dynamically determine threshold signature group members (i.e., second candidate members).

[0078] In this embodiment of the application, when the first hash value matches the second hash value, the first candidate member is determined as the second candidate member by a random value, so as to obtain N second candidate members. In this way, the accuracy of the determined second candidate members can be further improved.

[0079] It should be noted that when the first hash value matches the second hash value, the first candidate member can be determined as the second candidate member through a random value, thus obtaining N second candidate members. The specific method of determining the first candidate member as the second candidate member through a random value is not limited here. Optionally, the random values ​​can be filtered to directly determine the first candidate member corresponding to the random value within a preset range as the second candidate member, thus obtaining N second candidate members.

[0080] As an optional implementation, the step of determining the first candidate member as the second candidate member by the random value when the first hash value matches the second hash value, to obtain the N second candidate members, includes:

[0081] If the first hash value matches the second hash value, the M first candidate members are sorted based on the obtained registration address information and the random value.

[0082] The first N first candidate members among the sorted M first candidate members are determined as second candidate members to obtain the N second candidate members.

[0083] The number of second hash values ​​is not limited here. Optionally, the number of second hash values ​​can be at least one. For example, the number of second hash values ​​can be K, where K is greater than or equal to n, and n can be a positive integer.

[0084] In this embodiment of the application, the top N first candidate members out of the M first candidate members after sorting are determined as second candidate members. This can further increase the diversity and flexibility of the methods for determining second candidate members.

[0085] It should be noted that the specific method for sorting the M first candidate members based on their registration address information and random values ​​is not limited here. Optionally, a comprehensive value can be calculated based on the registration address information and random values ​​of the first candidate members, and the M first candidate members can be sorted in ascending or descending order of the comprehensive value. The comprehensive value can be the sum of the normalized value obtained by normalizing the registration address information and the random value, or the comprehensive value can be the weighted sum of the normalized value and the random value.

[0086] As an optional implementation, the step of sorting the M first candidate members based on the obtained registration address information and the random value includes:

[0087] Based on the registration address information and random value of the M first candidate members, generate random sequence information for each first candidate member;

[0088] The M first candidate members are sorted based on the random sequence information.

[0089] To more fully illustrate the implementation methods of this application, a specific implementation method is provided below as an example, which may include the following:

[0090] When the number of second hash values ​​is K, that is, after the smart contract collects K legally revealed second hash values, all A pseudo-random sequence can be generated using addr as follows:

[0091] ;

[0092] Sort the addr values ​​of the first candidate members corresponding to the K valid disclosures (e.g., by addr size or registration order). Then, using R as a random seed, perform pseudo-random sorting on the M first candidate members. Finally, select the first candidate members corresponding to the first n addr values ​​as the second candidate members in the second candidate pool. Assign numbers i (from 1 to n) to the second candidates in the second pool according to the final sorting order.

[0093] Optionally, for each i, a call is made via a smart contract or a secure element. The function family yields a function input value cid(i), calculated as follows:

[0094] ;

[0095] Among them, cid(i) is bound to sessionID and addr, and is guaranteed by the security element to be used only by the corresponding sessionID. Its cid(i) can be obtained.

[0096] Among them, smart contracts can be made public. The list of addr and the hash promise plaintext of cid(i).

[0097] In this embodiment of the application, random sequence information for each first candidate member can be generated based on the registration address information and random value. Then, the M first candidate members are sorted based on the random sequence information. In this way, the M first candidate members can be sorted based on the random sequence information, thereby further increasing the diversity and flexibility of the sorting method for the M first candidate members.

[0098] As an optional implementation, the target parameter includes a signature share, and the method further includes:

[0099] Obtain the zero-knowledge proof generated for each of the N second candidate members;

[0100] The step of generating the threshold signature based on the N target parameters and generating a random beacon based on the threshold signature includes:

[0101] The threshold signature is generated based on the N target parameters;

[0102] If the N zero-knowledge proofs and the threshold signature are verified to be successful, the random beacon is generated based on the threshold signature.

[0103] The generation process of signature shares and zero-knowledge proofs can be seen in the following content:

[0104] Step 1: Second candidate members in each second candidate pool ( In the secure element, sign message m (which can be a message used to generate a signature share; the specific content of message m is not limited here) to obtain: group members. Signature share , The calculation method is as follows:

[0105] ;

[0106] in, and There are three different collision-resistant hash functions, where X is the message space of the message to be signed. It is a prime p-order cyclic group that satisfies the assumptions of the Diffie-Hellman Problem (DDH), and a bilinear group. Satisfying the assumptions of the co-computational Diffie–Hellman (co-CDH) hard problem, the bilinear mapping e is expressed as: ,in and They are all prime number p-order cyclic groups. (Using...) Indicates two in the group Generators are generated uniformly, randomly, and independently. It is a group Another fixed generator. SHAX can represent a collision-resistant hash function that maps strings of arbitrary length to beacon value fields.

[0107] Step 2: Second candidate members in each second candidate pool ( Randomly generated in the safety element The above This can be understood as randomly generated related parameters;

[0108] Step 3: Second candidate members in each second candidate pool ( Generate zero-knowledge proofs The calculation process is as follows:

[0109] a. Calculation ;

[0110] b. Calculation ;

[0111] c. Calculation ;

[0112] d. Calculation ;

[0113] e. Return .

[0114] in, It is the first linear bias parameter. It is the second linear bias parameter. It is a set hash value. These are the parameters for the first linear proof. These are the parameters for the second linear proof. It is the third linear proof parameter. , , These are all fixed parameters, used to represent polynomial shares.

[0115] Step 4: Second candidate members in each second candidate pool ( The signature share can be and zero-knowledge proof Submit to the beacon management module of the smart contract.

[0116] In this embodiment, a random beacon is generated based on the threshold signature only after N zero-knowledge proofs and threshold signatures have passed verification. This can further improve the accuracy of the random beacon generation result and reduce the probability of the random beacon being generated incorrectly.

[0117] As an optional implementation, the step of generating the random beacon based on the threshold signature after the N zero-knowledge proofs and the threshold signature have passed verification includes:

[0118] Obtain the shared public key and the threshold public key sent by the second candidate member, wherein the shared public key and the threshold public key are public keys calculated and generated from the N second candidate members;

[0119] The threshold public key is used to verify the N zero-knowledge proofs, and the shared public key is used to verify the threshold signature.

[0120] If the zero-knowledge proof verification and the threshold signature verification pass, the random beacon is generated based on the threshold signature.

[0121] The generation process of the shared public key and the threshold public key can be found in the following content:

[0122] Each second-candidate member in the second candidate pool constructs a secret polynomial and selects values ​​for some variables to send to other second-candidate members; each second-candidate member calculates its own aggregate polynomial share, shared public key, threshold public key, and other parameters based on the information sent by other second-candidate members. The specific generation steps are as follows:

[0123] Step 1: Second candidate members in each second candidate pool ( Three are randomly generated in the safety element. polynomial of degree ,in .

[0124] Step 2: Second candidate members in each second candidate pool ( To all ( and Send the following: Second candidate member For the second candidate polynomial share Second candidate public key share .

[0125] Step 3: Second candidate members in each second candidate pool ( Calculate the following in the safety element: second candidate member Aggregate polynomial share The calculation formula can be found in the following formula:

[0126] ;

[0127] Step 4: Second candidate members in each second candidate pool ( Calculate the following in the secure element: shared public key Second candidate Threshold public key The calculation formula can be found in the following formula:

[0128] ;

[0129] .

[0130] In this application, zero-knowledge proofs are verified based on threshold public keys, and threshold signatures are verified based on shared public keys. This can further improve the accuracy of zero-knowledge proof results and threshold signature verification results.

[0131] It should be noted that the second candidate members entering the second candidate pool can execute a distributed key generation protocol to jointly generate the public and private key fragments required for threshold signatures without a central authority. Each second candidate member holds a share of the private key within their secure element. Subsequently, each second candidate member generates a signature share and a zero-knowledge proof for a specific message and submits them to the on-chain smart contract. After the smart contract verifies at least a certain number of valid signature shares, it uses a threshold recovery algorithm to synthesize the complete signature. This signature is the random beacon output for that round. Due to the uniqueness and unpredictability of threshold signatures, the signature result is consistent regardless of which second candidate members participate and cannot be predetermined by a single member. This implementation combines threshold signatures with blockchain smart contracts, thereby enabling automated and secure generation of random beacons.

[0132] Furthermore, this implementation introduces digital signatures and zero-knowledge proofs as dual verification methods. Specifically, each secure element performs a device signature on its generated random value or signature share, which can be verified externally using a pre-set device public key to ensure that the data was indeed generated by the corresponding secure hardware and has not been tampered with. Simultaneously, a zero-knowledge proof mechanism is introduced, enabling nodes to prove that their submitted signature share correctly corresponds to the threshold public key without revealing their private key share. Zero-knowledge proofs ensure that even if a member attempts to submit invalid data or replay old random values, the smart contract can detect the inconsistency and reject it. Through signature and zero-knowledge proof verification, this implementation guarantees the authenticity and non-repudiation of the results at each stage of the random beacon, solving the problem that hardware alone cannot verify the trusted output on the chain.

[0133] As an optional implementation, generating the threshold signature based on the N target parameters includes:

[0134] The Lagrange coefficients are determined based on the numbering information of the N signature shares and the N second candidate members, wherein the numbering information of the Lagrange coefficients matches the numbering information of the signature shares.

[0135] The threshold signature is calculated using the Lagrange coefficients and N signature shares.

[0136] The process of calculating the threshold signature can be seen in the following:

[0137] Step 1: For each submitted signature share and zero-knowledge proof Second candidate members in the second candidate pool ( ), zero-knowledge proof for smart contract verification The calculation process is as follows:

[0138] a. Disassembled into ;

[0139] b. Calculation ;

[0140] c. Calculation ;

[0141] d. If and If all conditions are met, the verification passes; otherwise, the verification fails.

[0142] Step 2: For the set T composed of the second candidate members in the second candidate pool that have passed the zero-knowledge proof verification, the smart contract calculates the threshold signature. for ,in It is the i-th Lagrange coefficient.

[0143] In this embodiment, the asterisk (*) around some parameters indicates that the calculation was performed by the prover in the above embodiments, while it is performed by the verifier in this embodiment. If the prover is dishonest or semi-honest, they may not follow the agreed calculation method and obtain different results. Therefore, for the sake of process rigor, an asterisk is used in this embodiment to distinguish it from the parameters in the above embodiments. In fact, the definitions of the parameters with and without asterisks are the same; the difference lies in the stage at which they are performed.

[0144] In this embodiment, the threshold signature is calculated using the Lagrange multiplier and the signature share, which improves the accuracy of the calculated threshold signature.

[0145] It should be noted that in this embodiment, two rounds of costly election of candidate members (i.e., the first candidate member and the second candidate member) are used to combine the advantages of the commitment-disclosure mechanism and the threshold signature mechanism. At the same time, secure hardware is introduced to ensure the trustworthiness of the random source. This overcomes the difficulties in related technologies such as "last revealer" attacks, dynamic management of participants, verification of the authenticity of random number sources and compliance with national cryptographic standards, and provides a trustworthy, unbiased, malicious, and publicly verifiable public random number service.

[0146] It should be noted that the process of a smart contract verifying the aforementioned threshold signature and calculating and generating a decentralized random beacon can be as follows:

[0147] Step 1: The smart contract verifies the threshold signature calculated in the above implementation method if and only if Signature verification passed.

[0148] Step 2: The smart contract uses relevant algorithms to... Use it as the initial seed to generate decentralized random beacons.

[0149] Among them, smart contracts use relevant algorithms to... The specific steps for generating decentralized random beacons using the initial seed can be found below:

[0150] a. Calculate the version number The version number of the decentralized random beacon is calculated for the first time after the smart contract is deployed. Take 0 (for detailed implementation, you can select the hex field of 0).

[0151] b. Calculate the latest block information Smart contracts can directly read the hash value of the highest block in the current blockchain through the blockchain application programming interface (API). .

[0152] c. For all Calculate sequentially:

[0153] beacon value ;

[0154] beacon location for The hexadecimal hex string representation;

[0155] beacon check value for The first specific byte;

[0156] beacon data Record .

[0157] beacon data sequence denoted as .

[0158] d. The calculation process of the beacon root is as follows: Construct a beacon root with A binary tree with n leaf nodes, where each leaf node is numbered from left to right. , where any of the first The value of each leaf node is... Then, starting from the nodes whose child nodes are leaf nodes, the calculation proceeds layer by layer to the root node, with the value of each node being... ,in and These are the values ​​of the left and right child nodes of the given node, respectively. Finally, the beacon root... Get the value of the root node.

[0159] In summary, decentralized random beacons It can be represented as: .

[0160] like Figure 2 As shown, the decentralized random beacon S170 can be composed of version number S171, latest block information S172, beacon root S173, and beacon data sequence S174. The function of each part is as follows:

[0161] Version number S171: Used to indicate the sequence number of the current decentralized random beacon, which is generally incremented by 1 each time.

[0162] Latest block information S172: The hash value of the previous block obtained by calling the chain API interface when the smart contract calculates the current decentralized random beacon.

[0163] Beacon root S173: A field that embodies the summary information of the beacon data sequence S174, calculated from each segment of beacon data using a Merkle hash tree.

[0164] Beacon data sequence S174: by A sequence of beacon data segments. Specifically, beacon data S175 consists of... The segments are respectively represented as beacon data 1, beacon data 2, ..., beacon data. Among them, for a certain segment of beacon data S176 consists of the beacon value S177, the beacon position S178, and the beacon check value S179. The beacon value S177 is the value of the random number corresponding to the beacon data k, and the beacon position S178 is... The corresponding hexadecimal encoded value, the beacon check value S179, is the truncation of the digest value of the combined field of beacon value S177 and beacon position S178.

[0165] In addition, for a more complete illustration of the embodiments of this application, see [link to relevant documentation]. Figure 3 This application also provides a schematic diagram of the structure of a smart contract, as shown in the embodiments. Figure 3 As shown, smart contract S20 mainly consists of a self-deployed contract S21 and a pre-compiled contract S25. The self-deployed contract S21 is a contract freely written and deployed by an account on the blockchain, while the pre-compiled contract S25 is a contract that needs to be pre-compiled on the client side to generate a fixed address.

[0166] The self-deployment contract S21 consists of a registration module S22, a token management module S23, and a beacon management module S24.

[0167] The registration module S22 is responsible for managing candidate registration and information recording. Initial candidates join the first candidate pool by calling the registration module and establish the identifiers and credentials required for subsequent participation in the process. The registration module ensures that each candidate registers a unique identity on the blockchain and initializes the necessary session context for tracking subsequent interactions.

[0168] The token management module S23 is used to store or redeem digital asset tokens that users have pledged or are waiting to withdraw. It is generally called between contracts by the beacon management module.

[0169] The beacon management module S24 is the scheduling and result output module throughout the entire process. It is responsible for initiating each stage at the appropriate time and maintaining the process state, including calling the token management module, the national cryptographic signature share verification module, and the national cryptographic signature verification module. Finally, after obtaining the threshold signature, it generates and outputs a decentralized random beacon. This module ensures that each stage is executed in sequence and that the state transitions correctly, and writes the finally calculated random beacon to on-chain storage or an event for use.

[0170] The pre-compiled contract S25 is divided into the national cryptographic signature share verification module S26, the national cryptographic signature share reconstruction module S27, and the national cryptographic signature verification module S28.

[0171] The national cryptographic signature share verification module S26 mainly pre-compiles the following calculation process, namely, for each submitted signature share... and zero-knowledge proof Second candidate members in the second candidate pool ( The national cryptographic signature share verification module verifies zero-knowledge proofs. The calculation process is as follows:

[0172] ① will Disassembled into ;

[0173] ② Calculation , ;

[0174] ③ Calculation ;

[0175] ④ If and If all conditions are met, the verification passes; otherwise, the verification fails.

[0176] The national cryptographic signature share reconstruction module S27 mainly pre-compiles the following calculation process: For the set T composed of the second candidate members in the second candidate pool that has passed the zero-knowledge proof verification, the smart contract calculates the threshold signature. for ,in It is the i-th Lagrange coefficient.

[0177] The national cryptographic signature verification module S28 mainly pre-compiles the following calculation process: if and only if Signature verification passed.

[0178] It should be noted that in this implementation, the national cryptographic algorithms are executed efficiently in a native manner through mechanisms such as pre-compiled contracts. The Ethereum Virtual Machine (EVM) already has fixed pre-compiled contracts for complex computations. This implementation continues this approach, adding pre-compiled support for major national cryptographic algorithms on-chain, allowing nodes to directly call hardware implementations or underlying optimized code to complete national cryptographic calculations. This ensures that in the random beacon protocol, whether for device certificate verification, hash calculation, or threshold signature, national cryptographic algorithms can be used with acceptable performance.

[0179] It should be noted that, to more fully illustrate the above embodiments, this application also provides a flowchart of a random beacon generation method, the specific steps of which can be found in [reference needed]. Figure 4 ,like Figure 4 As shown, it may include the following steps:

[0180] S10, Secure Element Root Trust and Unique Identity Generation Step;

[0181] S11, the user's address binding process on the blockchain;

[0182] S12, User registration to join the first candidate pool;

[0183] S13, members of the first candidate pool join the second candidate pool stage through election contracts;

[0184] S14, Distributed key generation stage for the second candidate pool group;

[0185] S15, the second candidate pool members generate signature shares and zero-knowledge proof stage;

[0186] S16, the smart contract resumes the complete signature process;

[0187] S17, the stage where smart contracts generate decentralized random beacon sequences.

[0188] See Figure 5 , Figure 5 This is a structural diagram of the random beacon generation device provided in the embodiments of this application. The random beacon generation device 500 includes:

[0189] The receiving module 501 is used to receive random values ​​sent by M first candidate members in the first candidate pool. The random values ​​are generated by the first candidate members calling a random number generator based on the registration address information. The registration address information corresponds to the first candidate members, and M is an integer greater than 1.

[0190] The filtering module 502 is used to filter N second candidate members from the M first candidate members using the random value. The N second candidate members belong to the second candidate pool, where N is an integer greater than 1 and N is less than or equal to M.

[0191] The acquisition module 503 is used to acquire the target parameters generated by each of the N second candidate members, wherein the target parameters are parameters used to generate the threshold signature;

[0192] The generation module 504 is used to generate the threshold signature based on the N target parameters, and to generate a random beacon based on the threshold signature.

[0193] As an optional implementation, the screening module 502 includes:

[0194] The first receiving submodule is configured to receive a first hash value sent by each of the M first candidate members, wherein the first hash value is a hash value calculated by the first candidate member using the corresponding random value.

[0195] The verification submodule is used to verify whether the first hash value and the second hash value match when the current time is greater than the sending deadline of the first hash value and the second hash value sent by the first candidate member is received.

[0196] The first determining submodule is used to determine the first candidate member as the second candidate member by means of the random value when the first hash value matches the second hash value, so as to obtain the N second candidate members.

[0197] As an optional implementation, the first determining submodule includes:

[0198] A sorting unit is configured to sort the M first candidate members based on the obtained registration address information and the random value when the first hash value matches the second hash value;

[0199] The first determining unit is used to determine the first N first candidate members among the sorted M first candidate members as second candidate members, so as to obtain the N second candidate members.

[0200] As an optional implementation, the sorting unit includes:

[0201] A generation subunit is used to generate random sequence information for each of the M first candidate members based on the registration address information and the random value.

[0202] The sorting subunit is used to sort the M first candidate members based on the random sequence information.

[0203] As an optional implementation, the target parameter includes a signature share, and further includes:

[0204] The zero-knowledge proof acquisition module is used to acquire the zero-knowledge proof generated by each of the N second candidate members;

[0205] Module 504 is generated, including:

[0206] The first generation submodule generates the threshold signature based on the N target parameters;

[0207] The second generation submodule is used to generate the random beacon based on the threshold signature if the N zero-knowledge proofs and the threshold signature are verified to be passed.

[0208] As an optional implementation, a submodule is generated, including:

[0209] The acquisition unit is used to acquire the shared public key and the threshold public key sent by the second candidate member, wherein the shared public key and the threshold public key are public keys calculated and generated from the N second candidate members;

[0210] The verification unit is used to verify the N zero-knowledge proofs based on the threshold public key, and to verify the threshold signature based on the shared public key;

[0211] The generation unit is configured to generate the random beacon based on the threshold signature, provided that the N zero-knowledge proofs and the threshold signature have passed verification.

[0212] As an optional implementation, the first generation submodule includes:

[0213] The second determining unit is used to determine the Lagrange coefficients based on the numbering information of the N signature shares and the N second candidate members, wherein the numbering information of the Lagrange coefficients matches the numbering information of the signature shares;

[0214] A calculation unit is used to calculate the threshold signature using the Lagrange coefficients and N signature shares.

[0215] As an optional implementation, the registration address information is stored in a secure element and a blockchain, respectively, and the secure element is bound to the blockchain.

[0216] The random beacon generation device 500 can realize the embodiments of this application. Figure 1 The various processes in the method embodiments, and the ways to achieve the same beneficial effects, will not be repeated here to avoid repetition.

[0217] This application also provides an electronic device. Please refer to [link to relevant documentation]. Figure 6 The electronic device may include a processor 601, a memory 602, and a program 6021 stored in the memory 602 and executable on the processor 601. When the program 6021 is executed by the processor 601, it can achieve... Figure 1 Any steps in the corresponding method embodiments and the achievement of the same beneficial effects will not be repeated here.

[0218] Those skilled in the art will understand that all or part of the steps of the methods described in the above embodiments can be implemented by hardware related to program instructions, and the program can be stored in a readable medium. This application also provides a readable storage medium storing a computer program, which, when executed by a processor, can implement the above-described methods. Figure 1 Any step in the corresponding method embodiment can achieve the same technical effect, and will not be repeated here to avoid repetition.

[0219] The storage medium may be a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.

[0220] This application also provides a computer program product, including computer instructions, which, when executed by a processor, can perform the above-described functions. Figure 1 Any step in the corresponding method embodiment can achieve the same technical effect, and will not be repeated here to avoid repetition.

[0221] The above description represents the preferred embodiments of this application. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principles described in this application, and these improvements and modifications should also be considered within the scope of protection of this application.

Claims

1. A method for generating random beacons, characterized in that, include: Receive random values ​​sent by M first candidate members in the first candidate pool. The random values ​​are generated by the first candidate members calling a random number generator based on the registration address information. The registration address information corresponds to the first candidate members, and M is an integer greater than 1. N second candidate members are selected from the M first candidate members using the random value. The N second candidate members belong to the second candidate pool, where N is an integer greater than 1 and N is less than or equal to M. Obtain the target parameters generated for each of the N second candidate members, where the target parameters are parameters used to generate the threshold signature; The threshold signature is generated based on the N target parameters, and a random beacon is generated based on the threshold signature.

2. The method according to claim 1, characterized in that, The step of selecting N second candidate members from the M first candidate members using the random value includes: Receive a first hash value sent by each of the M first candidate members, wherein the first hash value is a hash value calculated by the first candidate member using the corresponding random value; If the current time is after the sending deadline of the first hash value, and the second hash value sent by the first candidate member is received, verify whether the first hash value and the second hash value match. If the first hash value matches the second hash value, the first candidate member is determined as the second candidate member by the random value, so as to obtain the N second candidate members.

3. The method according to claim 2, characterized in that, When the first hash value matches the second hash value, determining the first candidate member as the second candidate member using the random value to obtain the N second candidate members includes: If the first hash value matches the second hash value, the M first candidate members are sorted based on the obtained registration address information and the random value. The first N first candidate members among the sorted M first candidate members are determined as second candidate members to obtain the N second candidate members.

4. The method according to claim 3, characterized in that, The step of sorting the M first candidate members based on the obtained registration address information and the random value includes: Based on the registration address information and random value of the M first candidate members, generate random sequence information for each first candidate member; The M first candidate members are sorted based on the random sequence information.

5. The method according to any one of claims 1 to 4, characterized in that, The target parameter includes the signature share, and the method further includes: Obtain the zero-knowledge proof generated for each of the N second candidate members; The step of generating the threshold signature based on the N target parameters and generating a random beacon based on the threshold signature includes: The threshold signature is generated based on the N target parameters; If the N zero-knowledge proofs and the threshold signature are verified to be successful, the random beacon is generated based on the threshold signature.

6. The method according to claim 5, characterized in that, The step of generating the random beacon based on the threshold signature after the N zero-knowledge proofs and the threshold signature have passed verification includes: Obtain the shared public key and the threshold public key sent by the second candidate member, wherein the shared public key and the threshold public key are public keys calculated and generated from the N second candidate members; The threshold public key is used to verify the N zero-knowledge proofs, and the shared public key is used to verify the threshold signature. If the N zero-knowledge proofs and the threshold signature are verified to be successful, the random beacon is generated based on the threshold signature.

7. The method according to claim 5, characterized in that, The generation of the threshold signature based on the N target parameters includes: The Lagrange coefficients are determined based on the numbering information of the N signature shares and the N second candidate members, wherein the numbering information of the Lagrange coefficients matches the numbering information of the signature shares. The threshold signature is calculated using the Lagrange coefficients and N signature shares.

8. The method according to any one of claims 1 to 4, characterized in that, The registration address information is stored in a secure element and a blockchain, respectively, and the secure element is bound to the blockchain.

9. A random beacon generation device, characterized in that, include: The receiving module is used to receive random values ​​sent by M first candidate members in the first candidate pool. The random values ​​are generated by the first candidate member calling a random number generator based on the registration address information. The registration address information corresponds to the first candidate member, and M is an integer greater than 1. The filtering module is used to filter N second candidate members from the M first candidate members using the random value. The N second candidate members belong to the second candidate pool, where N is an integer greater than 1 and N is less than or equal to M. The acquisition module is used to acquire the target parameters generated by each of the N second candidate members, wherein the target parameters are parameters used to generate the threshold signature; The generation module is used to generate the threshold signature based on the N target parameters, and to generate a random beacon based on the threshold signature.

10. An electronic device, comprising: A memory, a processor, and a program stored in the memory and executable on the processor; characterized in that the processor is configured to read the program from the memory to implement the steps of the random beacon generation method as described in any one of claims 1 to 8.

11. A readable storage medium for storing a program, characterized in that, When the program is executed by a processor, it implements the steps in the random beacon generation method as described in any one of claims 1 to 8.

12. A computer program product, characterized in that, It includes computer instructions that, when executed by a processor, implement the steps in the random beacon generation method as described in any one of claims 1 to 8.