Grid-based threshold signature method and threshold decryption method

The threshold signature and decryption methods address post-quantum cryptography challenges by using error-filled learning samples and blinding techniques, enhancing security and efficiency in distributed computations for digital signatures and encrypted messages.

JP2026520312APending Publication Date: 2026-06-23PQSHIELD LTD

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
PQSHIELD LTD
Filing Date
2024-03-27
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

Existing threshold signature and decryption schemes face challenges in post-quantum cryptography, particularly in efficiency and security, especially when quantum computers become prevalent, and existing lattice-based methods have issues with response dependency and practicality in distributed computations.

Method used

A threshold signature method using error-filled learning samples and blinding techniques to generate signatures and decryption methods involving masked shares to ensure security and efficiency, leveraging Shamir secret sharing and lattice assumptions, with verification and decryption processes to validate and decode messages.

Benefits of technology

The proposed methods enhance security and efficiency in post-quantum cryptography by reducing dependency on signing keys and enabling secure, distributed computations, ensuring validity and integrity of digital signatures and encrypted messages.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026520312000001_ABST
    Figure 2026520312000001_ABST
Patent Text Reader

Abstract

Lattice-based threshold signing and threshold decryption schemes are described. The threshold signing scheme is described in two or three rounds and is secure under the assumption of error-inducing module learning and module short integer solutions. In both the signing and threshold decryption schemes, a blinder may be introduced to block information about the private key that would normally be leaked by honest participants in the scheme.
Need to check novelty before this filing date? Find Prior Art

Description

[Technical Field]

[0001] The present invention relates to a threshold signature method and a threshold decryption method, as well as one or more information processing devices for applying such methods. [Background technology]

[0002] Recently, the U.S. National Institute of Standards and Technology (NIST) has called for threshold schemes, including signature and cryptographic schemes. A threshold signature scheme is a special type of multi-party computation aimed at generating digital signatures. In threshold signing, it is assumed that there are N signers, and of those N signers, an arbitrary threshold of T can sign the message, while T-1 cannot. Practical and secure threshold signature solutions exist even in a world without quantum computers and under highly adversarial conditions. Examples of pre-quantum threshold signature schemes include, for example, implementations of Schnorr, ECDSA, RSA, or BLS signature schemes. These signature schemes are well-developed and include security features such as robustness, identifiable termination, low round complexity, and backward compatibility with existing applications. In a world with sufficiently powerful quantum computers, the problems on which pre-quantum cryptographic algorithms are based will become solvable, requiring modifications to cryptographic methods. Designing post-quantum cryptographic threshold signature schemes presents challenges that previous research has attempted to address.

[0003] A threshold decryption scheme requires that a message can only be decrypted if T authorized individuals out of N agree to the decryption. While a wide range of threshold classical cryptography schemes exist, their post-quantum counterparts suffer from efficiency issues. In particular, the Fujisaki-Okamoto transformation used in Kyber and other notable schemes is not readily applicable to threshold decryption.

[0004] Currently, there are five common assumptions that are presumed to be resistant to quantum computers: multivariable equations, one-way functions, error correction codes, isogeneic mappings, and lattice type assumptions. Nevertheless, so far, the success of constructing schemes based on these assumptions has been limited. Therefore, there is a need to develop post-quantum threshold signature and post-quantum threshold decoding schemes. [Overview of the project] [Means for solving the problem]

[0005] According to a first aspect of the present invention, a threshold signature method is provided which is performed by one or more information processing devices to generate a signature using a threshold number T of secret shares among the number of secret shares N generated from a secret s (the number of secret shares N is greater than the threshold number T), and this method is To generate a public matrix A and a secret matrix s, The process involves generating a small noise e and a public key vk=(A,t) (which includes a portion of the public key t, which is the sum of the product of the public matrix A and the secret s, and the small noise e), N secrets shared from secret s i To generate, For each secret sharing with threshold number T, Error-filled learning sample w j To generate, At least the generated error-bearing training sample w j The hash of the commitment cmt j To generate, and Commitment in the first round of signing methods (cmt) i Making it available, and the second round of the signing method with error-free learning samples w j To make it available, For each of the T secret shares in the third round of the signing method, Error-filled training samples across T secret sharing w j By summing these, an aggregated commitment w is generated. Generate a challenge c that is a hash of the public key vk, the message msg to be signed, and the aggregated commitment w. The challenge c, the secret share s j and the temporary randomness r used to generate error learning samples j Based on this, generate an individual response z j and Make the individual response z j available in the third round, and Combine the contributions regarding the T secret shares in the first round, the second round, and the third round, Over the T secret shares, sum the error learning samples w j to generate the aggregated commitment w, Sum the individual responses z j to generate an aggregated response z, Generate a global challenge c that is a hash of the public key vk, the message msg to be signed, and the aggregated commitment w, Generate a hint h, By subtracting the product of the global challenge c and a part t of the public key from the product of the aggregated response z and the public matrix A, determine a noisy commitment y, Subtract the noisy commitment y from the aggregated commitment w to generate the hint h, and generate the hint h in this way, and Output a signature including the global challenge c, the aggregated response z, and the hint h, Combining the contributions by is included.

[0006] According to a second aspect of the present invention, one or more information processing devices are provided, each including a processor and a storage medium storing computer-readable instructions, and the computer-readable instructions are configured to cause the one or more information processing devices to perform the method according to the first aspect.

[0007] According to a third aspect of the present invention, one or more programs are provided, and when one or more programs are executed by one or more information processing devices, they cause one or more information processing devices to perform the method according to the first aspect.

[0008] According to a fourth aspect of the present invention, a method is provided which is performed by one or more information processing devices to compute a linear function that includes the product of secrets s and linear function components, using a threshold number T of secret shares among the number of secret shares N generated from secrets s (where the number of secret shares N is greater than the threshold number T), and this method is To generate a public matrix A and a secret matrix s, To generate a small noise e and a public key ek (which includes the sum of the product of the public matrix A and the secret key s and the small noise e), N secrets shared from secret s i To generate, For each secret sharing with threshold number T, To generate a blinder, and Computing a first component based on the product of the secret sharing and the linear function components, and generating a masked sharing of the linear function calculation by adding the first component to noise and a blur, or subtracting noise and a blur from the first component, During the aggregation phase, The summation involves summing the combinations of masked shares associated with each secret share, thereby allowing the blinder to cancel out over the sum of masked shares and enable the determination of a linear function. Includes.

[0009] A linear function can be at least part of either the signature function or the cryptanalysis function.

[0010] In some embodiments, generating a blinder includes generating a first blinder and a second blinder, and for each of the T secret shares used to compute a linear function, generating one of the first and second blinders as the sum of a first set of T subblinders (the first set of subblinders is formed from subblinders generated with respect to the secret share for the secret share itself) and T-1 subblinders (generated with respect to the secret share for each of the T-1 other secret shares). In some embodiments, the other of the first and second blinders includes generating the sum of subblinders in the second set of subblinders, the second set being formed from T subblinders for a secret share, including subblinders formed with respect to the secret share for the secret share.

[0011] Each subblinder may be generated using a generator function, which may take a seed as input. The method comprises, for each of the N secret shares, 1) generating N seeds, each containing a seed for the secret share and a seed for each of the other N-1 secret shares, and 2) distributing the N-1 seeds for the other secret shares to each of the other secret shares such that each other secret share receives a single seed, and following the completion of the two steps for all of the N secret shares, each secret share is associated with 2N-1 seeds, each containing the N seeds generated for that secret share and the N-1 seeds received during the distribution that were generated for that secret share.

[0012] In some embodiments, generating a blurr includes generating a first blurr and a second blurr. The method may include generating a masked share of the calculation of a linear function, which includes calculating a first component based on the product of a secret share and a linear function component, and adding the first component with noise and the first blurr, or subtracting noise and the first blurr from the first component. The method may include summing the combinations of the masked share and the second blurr associated with each secret share, so that the first and second blurrs cancel each other out over the sum of the masked shares, enabling the determination of the linear function.

[0013] In other embodiments, generating a blur includes determining the difference between a first blur and a second blur.

[0014] In some embodiments, N secret shares are secret shares generated from secrets s using the Shamir secret share algorithm, which is based on a polynomial of degree T-1 at most.

[0015] According to a fifth aspect of the present invention, a threshold signature method is provided which is performed by one or more information processing devices to generate a signature using a threshold number T of secret shares among the number of secret shares N generated from a secret s (where the number of secret shares N is greater than the threshold number T), and this method is To generate a public matrix A and a secret matrix s, The process involves generating a small noise e and a public key vk=(A,t) (which includes a portion of the public key t, which contains the sum of the product of the public matrix A and the secret s, and the small noise e), N secrets shared from secret s i To generate, For each secret sharing with threshold number T, T individual commitments w i The process involves generating one or more error-bearing training samples w j Including generating, T individual commitments wi To aggregate and generate aggregated commitment w, At a minimum, generate a challenge c which is the hash of the message to be signed (msg) and the aggregate commitment (w). Challenge C and secret sharing S j and one or more transient randomness r used to generate one or more training samples with errors. j Based on this, T individual responses z j To generate, During the aggregation phase, Error-filled training samples across T secret sharing w j By summing these, an aggregated commitment w is generated. Individual response z j By summing these, an aggregated response z is generated. At a minimum, generate a global challenge c by hashing the message to be signed (msg) and the aggregate commitment (w). The hint is to generate h, The noisy commitment y is determined by subtracting the product of the global challenge c and a portion of the public key t from the product of the aggregated response z and the public matrix A, and The process involves generating hint h by subtracting the noisy commitment y from the aggregated commitment w, and generating hint h by... Outputting a signature that includes global challenge c, aggregated response z, and hint h, Includes.

[0016] Some embodiments of the method according to the fifth aspect include at least the generated error-bearing training sample w j Commitment cmt containing the hash j To generate and commit to the first round of the signing method CMT i Making it available, and the second round of the signing method with error-free learning samples w jMaking available and further including, in the third round of the signing method, for each of the T secret shares, the steps of generating an aggregate commitment, generating a challenge, and generating individual responses are performed, and for each individual response z j It will be available in the third round.

[0017] In another embodiment of the method according to the fifth aspect, T individual commitments w i To generate this, for each of the T shared elements, a vector of error-bearing training samples.

number

[0018] A fifth embodiment of the present invention may further include generating a first and second blinder associated with each of the T secret shares, challenge c and secret shares s j and one or more transient randomness r used to generate one or more training samples with errors. j Based on this, individual response z j Generating this involves adding a first blurr and individual response z j Generating the aggregated response z by summing them up involves canceling the first blurr by adding a second blurr associated with each secret share from the corresponding individual responses.

[0019] In other embodiments, the method may further include, for each of the T secret shares, generating a first and a second blinder associated with each secret share, and generating a blinder which is the difference between the first and second blinders. Challenge c and secret shares s j and one or more transient randomness r used to generate one or more training samples with errors. j Based on this, individual response z j Generating this involves adding a blurr, which is then canceled during the generation of the aggregated response z.

[0020] In such embodiments, generating a first and a second blinder may involve generating one of the first and second blinders for each of the T secret shares used to compute a linear function as the sum of a first set of T subblinders (the first set of subblinders is formed from subblinders generated with respect to the secret share of the secret share itself) and T-1 subblinders (generated with respect to the secret share of each of the T-1 other secret shares). In such embodiments, the other of the first and second blinders may involve generating the sum of subblinders in the second set of subblinders, the second set being formed from T subblinders for a secret share, including subblinders formed with respect to the secret share of the secret share.

[0021] Each subblinder may be generated using a generator function, which may take a seed as input. The method comprises, for each of the N secret shares, 1) generating N seeds, each containing a seed for the secret share and a seed for each of the other N-1 secret shares, and 2) distributing the N-1 seeds for the other secret shares to each of the other secret shares such that each other secret share receives a single seed, and following the completion of the two steps for all of the N secret shares, each secret share is associated with 2N-1 seeds, each containing the N seeds generated for that secret share and the N-1 seeds received during the distribution that were generated for that secret share.

[0022] In some embodiments, generating a blurr based on a seed may involve generating a blurr based on the output of a pseudo-random function, which is input with the seed in combination with a session-specific value.

[0023] Generating an aggregated commitment w may involve subtracting a predetermined number of bits from the sum.

[0024] In some embodiments, N secret shares are secret shares generated from secret s using the Shamir secret share algorithm based on a polynomial of degree T-1 at most. In such embodiments, generating a separate response for each secret share is a challenge c, secret share s j The Lagrangian coefficient λ from the Shamir secret sharing algorithm associated with this algorithm. j , and secret sharing j The product of and then one or more transient random numbers r used to generate one or more error-bearing training samples j This may include combining the products of and .

[0025] A fifth aspect of the present invention may further include verifying a signature. Verifying a signature may include generating a signature derivation value by subtracting the product of the global challenge c from the signature and a part t of the public key from the product of the public matrix A and the aggregated response z from the signature; generating a new challenge value c' by hashing the public key vk, message msg, and signature derivation value with a hint h from the signature; and determining whether the signature is valid by comparing the new challenge value c' with the global challenge c.

[0026] Verifying a signature may further involve comparing the length of the aggregated response z and the hint h from the signature to one or more thresholds. A signature may be determined to be valid if the new challenge value c' is equal to the global challenge c from the signature, and the lengths of the aggregated response and hint are less than one or more thresholds.

[0027] In some embodiments of the fifth aspect, one or more error-bearing training samples w j Generating each of these involves temporary randomness r j and minor error e j Sampling and small error e j This involves a public matrix A and a temporary randomness r j By adding it to the product, we get a learning sample with errors w j This includes generating [something].

[0028] Commitment (cmt) j In an embodiment that generates a commitment, generating the generated error-bearing training sample w j This may include generating a hash of the message, the message msg, and one or more of the signer identifier act.

[0029] In some embodiments, the following steps are performed by a distributed multi-party computation, namely generating a public matrix A and secrets s; generating small noise e and a public key vk=(A,t) for t which is the sum of the small noise e and the product of public matrix A and secrets s; and generating N shared secrets from si from secrets s.

[0030] According to a sixth aspect of the present invention, a threshold decryption method is provided which is performed by one or more information processing devices to decrypt a ciphertext using a threshold number T among the number of shared secrets N generated from a secret s (where the number of shared secrets N is greater than the threshold number T), and the ciphertext is, To generate a public matrix A and a secret matrix s, The process involves generating small noise e and a public key ek (which is the sum of the product of the public matrix A and the secret key s), The first small encryption noise z1 is used to generate the first ciphertext portion ct1, which is the sum of the product of the public matrix A and the sample value r. The process involves generating a second ciphertext portion ct2, which is the sum of the encoded message, the product of the sample value r and the public key ek, and a second small encryption noise z2. It is generated by, This method, N secrets from secret s are shared in secret con. i To generate, For each secret decryption and sharing with threshold number T, To generate a blinder, The process involves forming a product containing the secret share and the first ciphertext portion ct1, and then combining this product with sampled noise e' and a blur to generate a masked decrypted share. During the aggregation phase, Summing up each masked decryption share combination, This includes decoding encoded messages.

[0031] In some embodiments, generating a blurr includes generating a first blurr and a second blurr. Generating a masked decryption share may include forming a product containing the secret share and the first ciphertext portion ct1, and combining the product with sampled noise e' and the first blurr. Summing up each combination of masked decryption shares may include combining each masked decryption share with the associated second blurr, so that the first and second blurrs cancel out the sum of the masked decryption shares.

[0032] In other embodiments, the blinder may be the difference between a first blinder and a second blinder.

[0033] The encoded message may be an encoded extended message, which includes the message to be encoded and a random string, and the ciphertext includes a hash of the extended message, so that after decoding the encoded extended message, the random string from the decoded extended message can be compared with the hash of the extended message to check for correct threshold decoding.

[0034] In some embodiments, the ciphertext further includes a zero-knowledge proof that encrypts a zero message under the first ciphertext portion. In such embodiments, the method may include verifying the zero-knowledge proof for each of the T secret shares before generating each masked decryption share, and in the aggregation stage, verifying the zero-knowledge proof before summing up each combination of masked decryption shares.

[0035] Generating a first and a second blinder may include, for each of the T secret shares used to compute a linear function, generating one of the first and second blinders as the sum of a first set of T subblenders (the first set of subblenders being formed from subblenders generated with respect to the secret share of the secret share itself) and T-1 subblenders (generated with respect to the secret share of each of the T-1 other secret shares), and generating the other of the first and second blinders as the sum of the subblenders in the second set of subblenders, the second set being formed from T subblenders for a secret share, including subblenders formed with respect to the secret share of the secret share.

[0036] Each subblinder may be generated using a generator function, which may take a seed as input. In such embodiments, the method may include, for each of the N secret shares, 1) generating N seeds, each containing a seed for the secret share and a seed for each of the other N-1 secret shares; and 2) distributing the N-1 seeds for the other secret shares to each of the other secret shares such that each other secret share receives a single seed, following the completion of the two steps for all N secret shares, each secret share being associated with 2N-1 seeds, each containing the N seeds generated for that secret share and the N-1 seeds received during the distribution that were generated for the secret share.

[0037] The encoded message may be generated using an error-based decision learning method, and decoding the encoded message involves applying a corresponding decoding method. The error-based decision learning method may be Regev encryption.

[0038] The present invention may include one or more information processing devices, each including a processor and a storage medium for storing computer-readable instructions, wherein the computer-readable instructions are configured to cause one or more information processing devices to perform the method described in any of the prior arts.

[0039] The present invention may include one or more programs, which, when executed by one or more information processing devices, cause one or more information processing devices to perform the method described in any of the prior art.

[0040] Further features and advantages of the present invention will become apparent from the following description of preferred embodiments of the invention, given only as examples, with reference to the accompanying drawings. [Brief explanation of the drawing]

[0041] [Figure 1] This is a schematic diagram of the components of an exemplary information processing device. [Figure 2] This shows the steps of the key generation method performed by the central actor. [Figure 3] This example illustrates the relationship between the seed, signers, and blinder in a case where there are three signers. [Figure 4a] The steps of the first and second rounds of the 3-round threshold signing method are shown. [Figure 4b] This shows the third round step of the threshold signing method and the step of generating a signature by combining contributions from the three rounds of the threshold signing method. [Figure 5] The steps for verifying a signature are shown below. [Figure 6a] The steps of the first and second rounds of the three-round threshold signing method according to the second embodiment are shown. [Figure 6b] The following describes a third round step of the threshold signing method according to a further embodiment, and a step of generating a signature by combining contributions from the three rounds of the threshold signing method. [Figure 7a]This presents a third embodiment of a three-round threshold signing method that introduces signing in the second round. [Figure 7b] This presents a third embodiment of a three-round threshold signing method that introduces signing in the second round. [Figure 7c] This presents a third embodiment of a three-round threshold signing method that introduces signing in the second round. [Figure 7d] This presents a third embodiment of a three-round threshold signing method that introduces signing in the second round. [Figure 8a] A fourth embodiment, a two-round threshold signing scheme, is shown. [Figure 8b] A fourth embodiment, a two-round threshold signing scheme, is shown. [Figure 8c] A fourth embodiment, a two-round threshold signing scheme, is shown. [Figure 9a] A threshold decoding scheme forming a fifth embodiment is shown. [Figure 9b] A threshold decoding scheme forming a fifth embodiment is shown. [Figure 9c] A threshold decoding scheme forming a fifth embodiment is shown. [Figure 10] The steps of the zero-knowledge proof used in the fifth embodiment are shown. [Figure 11a] A second threshold decoding scheme forming a sixth embodiment is shown. [Figure 11b] A second threshold decoding scheme forming a sixth embodiment is shown. [Figure 11c] A second threshold decoding scheme forming a sixth embodiment is shown. [Figure 11d] A second threshold decoding scheme forming a sixth embodiment is shown. [Figure 12] This flowchart shows the steps involved in generating ciphertext (CT). [Modes for carrying out the invention]

[0042] Digital signatures are a method of ensuring the authenticity and non-repudiation of electronic documents and messages. They are an essential component of secure electronic communications and are widely used in applications such as electronic contracts, financial transactions, and email communications.

[0043] The use of digital signatures offers several advantages over traditional paper-based signatures. Firstly, digital signatures provide a high level of security, being far more difficult to forge than handwritten signatures. Secondly, because changes to the original document alter the signature and render it invalid, there is a higher level of assurance regarding the authenticity and integrity of the signed document or message. Typically, a digital signature can be verified by anyone with access to the signer's public key, the message to which the signature is applied, and the signature itself.

[0044] The following describes a threshold signature scheme based on the lattice assumption. Previous signature schemes that relied on lattice-based methods had the characteristic that responses may depend on the signing key, and therefore information about the signing key could be leaked. A commonly used method to mitigate this dependency is rejection sampling, which removes a portion of the potential signature so that the resulting distribution of responses does not depend on the secret information. However, rejection sampling is not practical for distributing computation in threshold schemes. This is because none of the signers know the complete signature, and therefore, signers cannot perform checks to reject the signature. More precisely, performing rejection checks in a distributed manner on signatures that have not yet been made public is an extremely complex task.

[0045] The following threshold signature scheme assumes that solving the error-based module learning (MLWE) problem and the module short integer solution (MSIS) problem is difficult.

[0046] Preliminary survey The signing and encryption / decryption schemes described below may run on one or more information processing devices, such as servers, computers, and / or mobile devices. The central actor is described below. The central actor may be a separate information processing device, such as a server or a cloud service, and other steps of the signing scheme may run on user devices associated with different signers of the signing scheme. In one example, a group of signers in a group may want to be able to sign a message as long as a threshold number T of signers in the group contribute to the signing process. Signers may participate in the signing scheme using separate user devices. This applies similarly to threshold decryption schemes where each decryption party may use a separate user device.

[0047] In other embodiments, all processing may be performed on a single information processing device, and a single user may be present. For example, a user may have a signing key associated with a cryptographic asset, such as an asset on a blockchain. The user may want to keep the signing key secure and tolerable of loss. The user may, as appropriate, generate a share of signing keys and store them on different storage devices. In this case, the user can sign documents using the storage devices, as long as the user has access to at least a threshold number of devices. Similarly, a malicious actor would need access to a threshold number of storage devices to apply the signature. In some embodiments, the storage devices may be drives, such as solid-state drives. In this case, all steps of the method can be performed on a single information processing device based on information about the key shares stored on the storage devices. The following description will focus on potential signers. However, the terms “potential signer” or “signer” can be used interchangeably with the term “secret share,” as each secret share can be performed by a single user, as previously described. Therefore, the term “signer” should not be interpreted as requiring a separate user or separate information processing device.

[0048] Similarly, when threshold decoding is described, the term "user" should be understood as interchangeable with the secret sharing and not necessarily mean a separate user or separate information processing device.

[0049] Figure 1 is a schematic diagram of exemplary components of an information processing device suitable for use in embodiments described later. The figure is illustrative, and as is well known in the art, different hardware configurations of the information processing device are possible. The information processing device includes an I / O interface 10, such as a USB port or Thunderbolt port, to which additional devices such as storage devices can be connected. The information processing device 1 comprises a processor 11, storage in the form of memory 12, a network module 13, a display 14, and a user interface 15. The network module may enable the information processing device 1 to communicate over a network such as a Wi-Fi network, a mobile communication network, or a local area network. The user interface may include components such as a keyboard, mouse, and camera. The components of the information processing device may communicate with each other via a bus 16. Further components may be provided but are not shown or described. Any of the steps of the subsequent described method may be executed by computer-readable instructions of one or more programs stored in storage and executed by a processor on one or more information processing devices.

[0050] First Embodiment Figure 2 shows the steps of the key generation method performed by the central actor. In step 1, the central actor generates a polynomial ring R q A uniform matrix A is generated above. q R is a polynomial ring where q is modulo q. The ring, R, is defined for n and q as follows:

number

number

[0051] In step 2, the central actor generates secrets s from distribution D. D is R q It is a distribution that spans across multiple distributions. Distribution D is designated D to distinguish it from other distributions. vk It is labeled as such. Therefore, the secret s is a sampled polynomial modulo q. In some examples, a discrete Gaussian distribution is used. A discrete Gaussian distribution around a point v with a standard deviation σ is given by the following equation:

number

[0052] In step 3, the central actor uses linear Shamir secret sharing to create N secret shares s i This generates R. q For this, a polynomial P of degree T-1 is generated, where T is the threshold number of shares required to perform the signature. In some examples, the threshold number of shares T can be considered as the number of active signers required to generate the signature. The polynomial at zero is equal to the selected secret s, i.e., P(0)=s.

[0053] In step 4, the Shamir secret sharing continues, generating N secret shares from the polynomial P. The value N is the number of secret shares generated, and N is greater than or equal to the threshold number T of secret shares required to complete the signing process. The N secret shares are provided to the set S of potential signers.

[0054] The reconstruction of the polynomial P will be performed later, as described below in relation to Figure 4b. The reconstruction is performed using Lagrangian polynomials. For i∈S, the following is defined:

number

number

[0055] In steps 5 and 6, a shared seed, which is a random binary value of length k, is generated by each potential signer and distributed to each pair. That is, each of the N potential signers generates or receives a seed for itself and a separate seed for each potential signer. Each potential signer sends its associated seed to the other potential signers. For the case N=3, the generated seeds are shown in Figure 3. The potential signer identifiers (A1-A3) are shown on the edges of the matrix corresponding to each potential signer. Seed 1,1 is generated for potential signer A1 and stored locally in relation to the first secret share, but is not distributed to the other potential signers. Similarly, seeds 2,2 are generated by potential signer A2 and stored locally, and seeds 3,3 are generated by potential signer A3 and stored locally. Other seeds are generated and distributed to their respective potential signers. Thus, for example, potential signer A2 receives seeds 1,2 from potential signer A1 and seeds 3,2 from potential signer A3. Correspondingly, potential signer A2 generates seed 2,1 and distributes it to potential signer A1, generates seed 2,3 and distributes it to potential signer A3. However, potential signer A2 does not learn seed values ​​that it has not generated itself (seeds 2,1, 2,2, and 2,3) or seed values ​​that it has not received from other potential signers (seeds 1,2, and 3,2). In other words, in this example, potential signer A2 does not know seed 1,1, seed 3,1, seed 1,3, and seed 3,3. The same is true for the other potential signers A1 and A3.

[0056] In this example, the shared seed is generated by potential signers. However, those skilled in the art will understand that the shared seed can also be generated by a central actor and appropriately distributed.

[0057] Returning to Figure 2, in step 7, the central actor samples a small amount of noise (or error) e from distribution D.

[0058] In step 8, the central actor generates a public key vk which is A, As + e. The seed is generated and distributed as described above. Otherwise, the matrix, A, and public key vk are made public by the central actor. The secret s is discarded by the central actor after key sharing and public key generation. Similarly, small noise (error) e is discarded after public key generation.

[0059] The signing scheme proceeds in three rounds. In some embodiments, each round is time-limited such that each of the N potential signers, a threshold number of active signers (hereinafter, "signers"), must complete the specified steps within a time limit. If the threshold number of signers do not complete the steps required for the round within the time limit, the signing method may be terminated. In the first round, each signer submits a commitment CMT j , and Blinder m jを Generate and make available. In the second round, each signatory will make an LWE commitment w jを Make it available. In the third round, each signatory will respond z j This makes it available. The central actor can then generate a signed message based on the available information. Each round may be completed sequentially to maintain the security of the signing scheme. At the end of each round, the signers may check that the round is complete before starting the steps of the next round.

[0060] Commitment (cmt) j , and Blinder m j The first round to make it available is shown at the top of Figure 4a. In step 1, the session identifier is checked, and the session identifier changes with each iteration of the signing method. The session identifier can be implemented as a counter, or it can be randomly generated for each iteration of the signing method.

[0061] In step 2 of the first round, each signatory will be given a small temporary random number r j and small noise (or error) e'j And are sampled. Each sample is R as described above. q ,

number

[0062] In step 3, each signer obtains the seed they generated and / or received during the key generation stage, and in step 4, the row blinder m j Generates a row blinder m j The Blinder is generated based on the seeds associated with the threshold T signers involved in the threshold signature scheme. At a simple conceptual level, considering a specific matrix of seeds shown in Figure 3 and signer A2, signer A2 would sum along the rows containing seeds 2,2 to generate a Blinder, which is the sum of the rows. Thus, signer A2 would generate a first Blinder based on the shared seeds (seeds 2,2) generated for its own secret sharing and the T-1 shared seeds (seeds 2,1 and 2,3) generated for other T-1 signers in relation to it. Returning to step 3 at the top of Figure 4a, each seed, along with the session identifier sid, is used as a seed for the pseudo-random function (PRF). If the session identifier changes between sessions, the value of the Blinder also changes, thereby improving security.

[0063] Step 5 involves the grid A generated during the key generation stage and a small transient randomness r generated by the signer. j And a small noise (error) e' j Based on this, error-based learning (LWE) commitment w j This is generated. LWE commitment w j This is a small noise (error) e' j And, a uniform matrix A and the generated small transient randomness r j It is the sum of the product of and .

[0064] Step 6 is the hash commitment cmt jis generated. Each signer uses the function H j to generate a hash based on the session ID (sid), the message to be signed (msg), the signer's identification information act, and the generated LWE commitment w com . The hash function H is labeled "com" to distinguish it from other hash functions. In some examples, the hash function can be selected from the four hash functions recommended in NIST Special Publication 800-185: SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and Parallel Hash.

[0065] Each signer's commitment cmt j and row blinding factor m j become available to each other signer with the contribution contrib1 at the end of the first round.

[0066] The second round of the signing method is shown in the lower part of Figure 4a. In the first step of the second round, checks are made to ensure that the contributions from the first round are complete and that the session identifier is consistent among the contributions contrib1 from the first round.

[0067] In the remaining steps of the second round, each signer retrieves the LWE commitments w j that each generated in the first round and makes those LWE commitments w j available to the other signers with the second contribution contrib2.

[0068] The upper part of Figure 4b shows the third round of the signing method. In steps 1 and 2, the session ID is checked and it is checked that the first and second rounds were successfully completed with the contributions received from each signer. In step 3, each signer retrieves the row blinding factor m j that became available at the end of round 1.

[0069] In step 4, each signer calculates the aggregated commitment w, which is obtained by combining the LWE commitment w j available at the end of the second round with the product of the row blinding factor m i and the uniform matrix A and summing over all signers. The aggregated commitment w is a parameter [Number] that is subject to bit dropping according to [Number]. Bit dropping has several purposes. The bit drop

[0070] functions to shorten the commitment and thus the resulting signature, and also helps improve the raccoon scheme's resistance to direct forgery attacks by hiding the temporary randomness in the aggregated commitment w. Bit dropping is similar to the bit dropping technique used in relation to CRYSTALS-Dilithium.

[0071] In steps 6 and 7, the column blinding factor m* j is calculated. This column blinding factor is calculated in a similar way to the above row blinding factor. The column blinding factor m jThe `blind` is generated based on the seeds associated with the threshold T signers involved in the threshold signature scheme. Returning to the specific example in Figure 3, and considering signer A2, signer A2 sums along the column containing seed 2,2 to generate a `blind` which is the sum of the column. That is, the `blind` is based on each of T of the N shared seeds generated for the signer (i.e., seeds 1,2, seeds 2,2, and seeds 3,2). Returning to steps 6 and 7, each seed, along with the session identifier sid, is used as a seed for a pseudo-random function (PRF). Many PRFs can be used in a signature scheme. In some embodiments, the PRF is based on HMAC with SHA-256 (details of which are described in IETF RFC2104). In other examples, a PRF derived from SHAKE:NIST publication FIPS PUB202:SHA-3 standard:Permutation-basedHashandExtendable-OutputFunctions may be used. The output of these techniques may be a bit string that needs to be mapped to a mathematical object such as a vector or matrix. Techniques for performing this mapping are known in the art from schemes such as Dilithium, Kyber, and Falcon. Security is improved because when the session identifier changes between sessions, the column blurr value also changes.

[0072] In step 8, each signatory will respond individually. j This generates the following: The individual response is the sum of three components. The first component is the global challenge c, and the signatory's Lagrangian coefficient λ. j,act , and the confidentiality of the signatories j It is the product of the two. The second component is the transient randomness r generated in the first round. j The third component is the generated column blur m * j That is the case.

[0073] In Step 9, each signatory responds individually to the other signatories and the central actor. j Make it available.

[0074] The method shown in the lower part of Figure 4b illustrates the coupling operation performed by the central actor. In steps 1 and 2, the central actor controls the row blinder m i LWE commitment w i , and individual responses z generated by signatory i i Each of these is obtained. The central actor also obtains the public key vk=(A,t) generated in the key generation phase. Note that t=As+e.

[0075] In Step 3, the central actor generates an aggregated commitment w. This step is the same as what each signatory did in Step 4 of the third round described above. The aggregated commitment w is the LWE commitment w that became available at the end of the second round. j , row blinder m i It is obtained by combining it with the product of a uniform matrix A and summing it up across all signers. The aggregate commitment is a parameter that is exposed to signers using the signing method.

number

[0076] In step 4, the central actor uses the individual response z that became available at the end of the third round. i The aggregated response z is generated by summing each of these values.

[0077] In step 5, the central actor generates a global challenge c. The global challenge c is generated by hashing the public key vk, the message msg to be signed, and the total commitment w calculated in step 3. The central actor then uses function H raccoonThe hash is generated using the hash function H. The hash function H is labeled "raccoon" to distinguish it from other hash functions, such as the previous "com" hash function. In some examples, the hash function can be selected from the four hash functions recommended in NIST Special Publication 800-185: SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and Parallel Hash. Further examples may use SHAKE, as described in NIST publication FIPS PUB202: SHA-3 Standard: Permutation-based HashandExtendable-OutputFunctions. Hash function H com and H raccoonは Preferably, at least the parameters used are different. Choosing different hash functions has the effect of domain isolation and can improve the security of the signature scheme.

[0078] In step 6, a noisy commitment y is generated by the central actor. The noisy commitment is generated from the difference of two components. The first component is the product of the uniform matrix A and the aggregated response z. The second component is the product of the global challenge c calculated in step 5 and t=As+e generated in the key generation phase. The calculated difference has a value of 2.

number

number

number

number

[0079] In step 7, hint h is generated by the central actor. The hint is the difference between the aggregated commitment w and the noisy commitment y.

[0080] In step 8, the signature for message msg is provided. The signature includes three components: global challenge c, aggregate response z, and hint h.

[0081] Public parameters

number

number

number

number

number

number

number

number

number

number

[0082] Signature Verification The steps for verifying a signature are shown in Figure 5. It is assumed that the party verifying the signature also has a copy of the signed and checked message (msg), as well as a copy of the public key (vk).

number

number

[0083] In Step 2, the party verifying the signature generates a signature derivation value. The signature derivation value is the product of the uniform matrix A and the aggregated response z, minus the product of the global challenge c and t = As + e from the public key. The derivation value is

number

[0084] In step 3, the party verifying the signature determines whether the new challenge value c' is equal to the challenge value c in the signature. Furthermore, the aggregated response z and the two

number

[0085] The following is an example.

number

[0086] A modular short integer solution is defined as follows:

number

[0087] Second Embodiment Figure 6a shows the steps of the first and second rounds of the threshold signing method according to a further embodiment. The key generation step in this further embodiment is the same as the step shown and described with respect to Figure 2 above, and the method for verifying the signature is also unchanged. There are many similarities between the second embodiment and the embodiments described above with respect to Figures 4a and 4b. Therefore, only the differences will be described. In the first round, the notation is D σ l From D W l It was changed to . However, small transient randomness r j and small noise (or error) e' jThe sampling is the same between both methods. Therefore, there is no difference in the first round compared to the embodiments described above.

[0088] The lower portion of Figure 6a shows a second round of further embodiments. Again, the second round is no different from the previously described embodiments.

[0089] Figure 6b shows the steps of the third round of the threshold signing method according to a further embodiment, and the step of generating a signature by combining contributions from the three rounds of the threshold signing method. In step 4 of the third round shown at the top of Figure 6b, each signer calculates an aggregated commitment w, which is the LWE commitment w that becomes available at the end of the second round. j It is obtained by summing up across all signatories. The aggregated commitment w is obtained by the parameter

number

[0090] In the joining process shown at the bottom of Figure 6b, in step 3, each signatory calculates an aggregated commitment w, which becomes the LWE commitment w that becomes available at the end of the second round. j It is obtained by summing up across all signatories. The aggregated commitment w is obtained by the parameter

number

[0091] In step 4, the central actor uses the individual response z that became available at the end of the third round.i And, the row of Blinder m that became available at the end of the first round i The differences are summed up to generate the aggregated response z. The difference between this step and the previously described method is the row blurr m i This involves subtracting.

[0092] In step 6, 2

number

[0093] The difference between the above-described embodiment and further embodiments is that it helps to reduce the size of the aggregated response z and make the signing method more efficient.

[0094] The embodiments described above are to be understood as illustrative examples of the present invention. Further embodiments of the present invention are conceivable. For example, in the above description, the key generation step shown in Figure 2 is performed by a trusted central actor. In other embodiments, a distributed key generation method can be used. Such distributed key generation can be performed using known techniques for secure multi-party computation. If the signers represent different devices, the security of the entire scheme can be improved at the expense of additional computational load by distributing key generation among the signers or among multiple other information processing devices.

[0095] In the example above, the blinder is calculated based on a pseudo-random function that takes a shared seed and a session identifier as input. However, the use of the pseudo-random function and the session identifier is optional. The blinder can also be generated simply by using the sum of the shared seeds. In this case, the blinder does not change with each iteration of the signing method. The session identifier described will differ with each execution of the signing scheme and will change the blinder between each execution of the signing scheme. In the embodiment above, the session identifier may be a counter or may be randomly generated for each session.

[0096] The above examples include the use of a blinder. In further examples, the blinder may be omitted. By omitting the generation of row and column blinders from the described method, omitting the exposure of the column blinder in the first round, and omitting terms related to row or column blinders that appear in the method, such as during the generation of aggregated commitments, a working threshold signing method is obtained. The blinder is included in the threshold signing method above for security considerations. More specifically, the blinder is used in individual responses z j When returning the secret share, protect information about the private key that could be leaked by honest participants in the signing method. In the example above, two sets of blinders are generated using a T-out-of-T thresholding scheme as follows:

number

number

number

[0097] The above m and m * The calculation is symmetrical, as explained above in relation to Figure 3. Therefore, the use of row and column blurs can be swapped (i.e., row blurs can be used when column blurs are used, and vice versa).

[0098] Third Embodiment Figures 7a to 7d show further embodiments of the threshold signature scheme.

[0099] Figure 7a is a glossary of terms used in Figures 7b to 7d.

[0100] The third embodiment is very similar to the second embodiment, so only the differences will be described. In the third embodiment, a signing step is introduced within the signing scheme to prove that each party acknowledged the same contribution in the first round of the signing scheme, as described below.

[0101] Figure 7b shows the key generation steps corresponding to the key generation steps described in relation to Figure 2. The notation is slightly different from Figure 2, but steps 7 and 8 differ in that a public / private signing key pair is generated for each user device using the key generation function. Steps 12 and 13 also differ from the corresponding step 9 in Figure 2. This is because the key generation steps now return the private signing key to each device in addition to the secret share and seed.

[0102] The correspondence between the similar steps in Figure 7b and Figure 2 is shown below.

[0103] Step 1 in Figure 7b corresponds to Step 1 in Figure 2.

[0104] Step 2 of FIG. 7b corresponds to Steps 2 and 7 of FIG. 2.

[0105] Steps 3 and 4 of FIG. 7b correspond to Step 8 of FIG. 2 and define the public key vk with slightly different notations.

[0106] Steps 4 and 6 of FIG. 7b are the same as Steps 4 and 5 of FIG. 2.

[0107] Steps 9 and 10 of FIG. 7b correspond to Steps 5 and 6 of FIG. 2.

[0108] FIG. 7c shows the first two rounds of the signature scheme. Except for slight differences in non-important terms, the steps of the first round (ShareSign1) of FIG. 7c are identical step-by-step to the corresponding first-round method (ShareSign1) illustrated and described with reference to FIG. 6a. Therefore, no further explanation of this process is provided.

[0109] The lower part of FIG. 7c shows the second round of the signature scheme. This second round is very similar between the scheme shown in FIG. 6a and the scheme shown in FIG. 7c. However, an additional step, Step 3 of FIG. 7c, is provided. In Steps 2 and 3, each device signs the concatenation of the session ID and the contributions received in the first round using the secret signature key received from the key generation stage. In some embodiments, one or more of the identification information act of the signatory and the message msg may be further included in the signature. The contributions in the first round are the set of all received contributions, including the contributions generated by the device. In other words, contrib1 is all the contributions contrib1[j] from each device within the signature set of index j. The purpose of this signature is to prove that each device has verified the contributions from the first round and to make it verifiable that those contributions were the same.

[0110] In Step 6 of ShareSign2 of FIG. 7c, the returned contribution is the signature generated in Step 3

number

[0111] Step 1 of ShareSign2 in Figure 7c corresponds to Step 1 of ShareSign2 in Figure 6a.

[0112] Steps 4 and 5 of ShareSign2 in Figure 7c correspond to steps 2 and 3 in Figure 6a.

[0113] Figure 7d shows the third round step of a threshold signing method (ShareSign3) according to a further embodiment, and the step of generating a signature by combining contributions from the three rounds of the threshold signing method. This process is labeled "Combine" in Figure 7d.

[0114] Step 1 involves several consistency checks to verify that the session state indicates that the ShareSign3 process should be executed according to the session state associated with the session ID (sid) and which has a contribution (contrib2) from the previous round of the signing scheme.

[0115] In step 2, the session state is restored. This includes the information contained in the session state in step 5 of ShareSign2, as shown in Figure 7c. Specifically, in step 3, the session ID (sid), actor ID (act), and message to be signed (msg) are obtained from the session state of the device running ShareSign3.

[0116] Step 4 involves temporary randomness, r j , key sharing j The public signing keys of the parties signing the threshold signing group, and the seeds of the parties signing the signing group are obtained.

[0117] The total contributions from previous rounds, contrib1 and contrib2, are also retrieved.

[0118] Steps 7-9 perform various checks. In particular, each device checks the consistency of the hash commitment. The commitment from the first round has the commitment hash function H com hash commitment cmt generated using j This was included. The second round contribution (contrib2) was LWE commitment w j It includes the hash commitment cmt. j This can be checked to confirm that the commitment has not changed between the first and second rounds. In step 9, the signature ShareSign2 generated in the second round is checked using the signature verification function and the signing party's public key. This verifies that other user devices had the same contribution contrib1 from the first round.

[0119] In step 10 of the third round, shown at the top of Figure 7d, each signatory calculates their aggregated commitment w, which becomes the LWE commitment w available at the end of the second round. i It is obtained by summing up across all signatories. The aggregated commitment w is obtained by the parameter

number

[0120] In step 11, each signer calculates a global challenge c, which is a hash of the public key vk, message msg, and aggregated commitment w. Although not shown in Figure 7d, the hash function used is Hc H described in relation to the above embodiment raccoon Similarly, the hash function H is labeled "c" to distinguish it from other hash functions, such as the earlier "com" hash function. The hash function can be selected from the examples given in relation to the embodiments described above.

[0121] Step 12 involves a column blur m* j This is calculated. This column binder is calculated in a similar way to the row binder above. Column Binder m j The results are generated based on a seed associated with a threshold T signer involved in the threshold signature scheme. Each seed, along with the session identifier sid, is used as a seed for a pseudo-random function (PRF). Many PRFs can be used in the signature scheme. In some embodiments, the PRF is based on HMAC with SHA-256 (details of which are described in IETF RFC2104). In other examples, a PRF derived from SHAKE:NIST publication FIPS PUB202:SHA-3 standard:Permutation-basedHashandExtendable-OutputFunctions may be used. The output of these techniques may be a bit string that needs to be mapped to a mathematical object such as a vector or matrix. Techniques for performing this mapping are known in the art, for example, from schemes such as Dilithium, Kyber, and Falcon. Security is enhanced because if the session identifier changes between sessions, the row blurr value also changes.

[0122] In step 13, each signatory will respond individually z j This generates the following: The individual response is the sum of three components. The first component is the global challenge c, and the signatory's Lagrangian coefficient λ. j,act , and the confidentiality of the signatories j It is the product of the two. The second component is the transient randomness r generated in the first round. j The third component is the generated column blur m* j That is the case.

[0123] In step 14, each signer makes the individual response z j available to the other signers and the central actor of contrib3[j].

[0124] The Combine method executed by the central actor is shown at the bottom of Figure 7d. This method is the same as the method described in relation to the Combine method shown at the bottom of Figure 6b, except that the notation has been changed from H raccoon to H c . Therefore, the description of the method will not be repeated.

[0125]

Number

Number

[0126] The challenge c is an element of the challenge space C. The challenge space C is a polynomial of R q and its size depends on the commitment w. Therefore, the definition in Figure 7a formally defines that the scheme is secure because the challenge set is large enough (i.e., sufficiently different challenge values are possible).

[0127] Fourth Embodiment - 2-Round Signature Scheme The first to third embodiments relate to 3-round signature schemes. The fourth embodiment relates to a 2-round signature scheme. As a general comment, the steps ShareSign1 and ShareSign2 of the aforementioned schemes are the LWE commitment w iThis relates to a shared commitment scheme. As will be further explained below, Figures 8a to 8c illustrate a two-round threshold signing scheme in which commitments take the form of vectors and can be generated in a pre-processing process prior to a single-stage signing process.

[0128] Figure 8a is a table providing a glossary of terms used in Figures 8b and 8c. Explanations of the terms are provided below.

[0129] Figure 8b shows the three processes: Setup, KeyGen, and Preprocessing (PP).

[0130] The setup process begins in step 1 by defining a polynomial ring A. The polynomial ring is of the same type as described in the previously mentioned embodiment. Other options are discussed further below.

[0131] In Step 2, the parameters of the polynomial ring and the signing scheme are called tspar. The object tspar contains the details of the polynomial ring A, the number of users N, and the number of signers T required to complete the signing. In Step 3, tspar is made available to all members of the signer group and the central actor.

[0132] In the KeyGen key generation process, the tspar parameters are analyzed in step 1.

[0133] In step 2, the central actor is distributed D t A secret s is generated from D. As shown in Figure 8a, t is a Gaussian distribution for Rq. Therefore, s is a sampled polynomial modulo q. Similarly, there is a small error e with respect to the lattice of the polynomial ring A such that t is close to a polynomial in the polynomial ring A.

[0134] In step 3, t is defined as the learning with error (LWE) problem 2 (As+e). In the specific example illustrated, the LWE problem involves a multiple of 2. However, in other embodiments, this term may change. The LWE problem involves a quantity

number

[0135] Steps 4 and 5 define seed generation in which a binary seed of length λ is generated for each combination of users within the signer group. This process is the same as seed generation described in relation to the previously mentioned embodiment. As previously stated, the seed may be generated locally by each user or created and distributed by a central actor.

[0136] In steps 4, 6, and 7, the Shamir secret share is shared with each of the N users. i This is performed to generate the polynomial. The polynomial is of degree T-1, and T secret sharing is sufficient to reconstruct the polynomial P. The value of polynomial P at 0 is equal to twice the number of secrets s.

[0137] In step 8, the public key vk is defined, which is the polynomial ring, the signature scheme tspar, and the parameters of the LWE problem t.

[0138] In step 9, the private key sk i This is defined for each user in the signer group. (private key sk) i This is a set of user and seed (received seed). i,j and send seed j,iと It is a secret shared between both parties.

[0139] In step 10, the public key becomes available. Each user has their own private key, sk i The user receives the private key, which is not made public or available to other users in the signer group. Therefore, each user has their own private sharing. i Only receive.

[0140] The preprocessing (PP) process is performed by at least each user in the T user's signature set. The steps in the PP process do not need to use the message (msg) to be signed. Therefore, the PP process may be run as an offline process before signing in the signing process.

[0141] In step 1 of the PP process, the user parses the public key vk to obtain the tspar and LWE problem t.

[0142] In step 2, the user analyzes tspar to obtain ring A, the number of users N, and the number of user thresholds T.

[0143] In steps 3 through 5, a number of commitment values, rep, indicated by index b, are generated by each user. As shown in Figure 8a, rep is:

number

number

[0144] Step 4 involves the randomness of rep r i,b and the related error e' i,bThese are sampled using a Gaussian distribution. In step 5, each user has an individual commitment w which is the product of randomness and the polynomial ring A plus an error. i,b This generates individual commitment w. i,b This is the individual commitment vector.

number

[0145] Figure 8c illustrates the steps of the signing process (Sign), the aggregation process (Agg) which may be performed by a central actor such as a server, and the signature verification process (Verify) which is performed by the party receiving the signature.

[0146] The signing process is performed by each user in the signature set SS of at least T users. In step 1, the user first signs the private key sk i Analyze the following. In step 2, the user enters state st sid Analyze it.

[0147] Step 3 involves a series of checks to identify that the signing process is performed by users of signature set SS, which is a subset of a set of N user devices. Index i is used to identify each user of signature set SS. The status is checked to verify that each user in the signature set has performed the preprocessing method.

[0148] In step 4, the user device obtains individual commitment vectors from tokens from other users in the signature set.

[0149] In step 5, a commitment ctnt is generated, which is the concatenation of the session ID, the user identification information within the signature set, the message M to be signed, and the individual commitment vectors of all users within the signature set.

[0150] In step 6, a random oracle such as a hash function G is used to generate a set of rep random weights β with index b. b G is generated.

number

[0151] Steps 9 and 10 aggregate the commitments. In step 9, the rep component of each commitment vector is summed using the random weights generated in step 9, resulting in the aggregated commitments per user w j Next, the aggregated commitments for each user are summed up across the users in the signature set in step 10 to generate the overall commitment w. The overall commitment w is

number

[0152] In step 11, challenge c is generated using hash function H, which is different from hash function G. The hash function can be derived from a single hash function using appropriate domain isolation. The challenge is generated by taking the hash of the public key vk, message M, and overall commitment w.

[0153] Challenge c is an element of challenge set C. Challenge set C consists of a {-1,0,1} coefficient polynomial with fixed Hamming weights W>0. The definition in Figure 8a formally defines that the scheme is secure given a security parameter λ because the challenge set is sufficiently large (i.e., a sufficient number of different challenge values ​​are possible).

[0154] In step 12, row blinder m i However, by summing up over the entire j, it is generated for each user device i. The sum is the seed generated in the key generation process. i,j This is the sum of the outputs of the pseudo-random function PRF, which takes the generated commitment (ctnt) as input.

[0155] In step 13, the column blinder m* i However, this is generated for each user device i by summing it up over j. The sum is the sum of the outputs of a pseudo-random function PRF that takes the seed (seedj,i) and the generated commitment (ctnt) generated in the key generation process as input.

[0156] As described above, the characteristics of the row blinder and column blinder shown in Figure 3 are as follows:

number

[0157] In step 14, individual response z i The following is generated. The individual response is formed as the sum of three terms. The first term is the challenge c, and the Lagrangian coefficient L associated with the device. SS,i , devices, and secrets shared by devices i It is the product of the two terms. The second term is a random weight β b , and randomness r i,b This is the sum with respect to b. The third term is the column brinder m*.

[0158] In step 15, state st sid It is set to null.

[0159] In step 16, individual signature contributions

number

[0160] The aggregation process Agg shown in Figure 8c is a join operation performed by the central actor. In step 1, the central actor obtains the public key vk=(tspar,t) generated in the key generation phase. Note that t=2(As+e).

[0161] In step 2, tspar is parsed to obtain the polynomial ring A, the number of users N, and the signature threshold number of users T.

[0162] Step 3 involves individual signature contributions.

number

[0163] In step 4, the central actor generates the final commitment w. The final commitment w is the overall commitment w that is included in each individual signature contribution across all signers. i It is obtained by summing the following. The final commitment is the parameter

number

[0164] In step 5, the central actor responds to individual responses z i From the difference, row of blinder m j Subtracting this, the aggregated response z is generated. As described above, the row blurr cancels out the column blurr included in the individual response, hiding the information.

[0165] In step 6, the central actor generates a global challenge c. The global challenge c is generated by hashing the public key vk, the message M to be signed, and the total commitment w calculated in step 4. The central actor generates the hash using function H. In some examples, the hash function may be selected from the four hash functions recommended in NIST Special Publication 800-185: SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and Parallel Hash. In further examples, SHAKE, as described in NIST publication FIPS PUB202: SHA-3 Standard: Permutation-basedHashandExtendable-OutputFunctions, may be used. The hash functions used in the fourth embodiment are preferably different in at least the parameters used. The selection of different hash functions has the effect of domain separation and can improve the security of the signature scheme.

[0166] In step 7, a noisy commitment y is generated by the central actor. The noisy commitment is generated from the difference of two components. The first component is the product of the polynomial ring A and the aggregated response z. The second component is the product of the global challenge c calculated in step 5 and t=2(As+e) generated in the key generation phase. The calculated difference has a value of 2.

number

number

number

number

[0167] In step 8, hint h is generated by the central actor. The hint is the difference between total commitment w and noisy commitment y.

[0168] In step 9, the signature for message M is provided. The signature includes three components: global challenge c, aggregate response z, and hint h.

[0169] Public parameters

number

number

[0170] Since the signature generated by the fourth embodiment is the same as that generated in the previous embodiment, the verification process shown in Figure 8c is the same as that described above in relation to Figure 5. Therefore, the description of Figure 5 is not repeated.

[0171] In the embodiments described above, a session ID (sid) is used. In further embodiments, a session ID may not be included. The session identifier appears in step 5 of the signing process, except for forming an index that labels the parameters in Figures 8a-8c. In step 5, a commitment ctnt may be generated as a concatenation of the session ID, the user identification information in the signature set, the message M to be signed, and the individual commitment vectors of all users in the signature set. Furthermore, the step of analyzing the state (step 2 of the signing process shown in Figure 8c) may be omitted. Information from the preprocessing PP process may be transmitted via tokens, PP.

[0172] Fifth Embodiment - Threshold Decoding Scheme The first to fourth embodiments relate to threshold signature schemes. In contrast, the fifth embodiment relates to threshold decryption schemes.

[0173] A threshold decryption scheme requires that a message can only be decrypted if T authorized individuals out of N agree to the decryption.

[0174] According to the method described below, the decryption algorithm first performs an accuracy check, and then performs decryption only if the check passes. In this approach, the cryptographic party must generate evidence that the ciphertext is correct. Anyone, even someone who does not know the private key, can perform the accuracy check. Therefore, this step is easier to adapt to a threshold number of decrypting parties than in previous techniques.

[0175] Figure 9a shows the key generation process KeyGen for generating an encryption key and the encryption process Enc for encrypting the message msg using the encryption key. First, the key generation process will be described.

[0176] Step 1 of the key generation process involves the central actor or user defining a polynomial ring A. The polynomial ring is of the same type as described above. Other options are discussed further below.

[0177] In step 2, the key generation algorithm is short secret (s,e) ←D k t ×D k t Sample the following. The encryption key ek is the LWE sample As+e for the polynomial ring A, as shown in step 3.

[0178] Step 4 involves setting up a zero-knowledge proof system for the encryption key ek. The zero-knowledge proof system includes three functions: setup, proof, and verification, as will be explained in more detail below. Setup is performed using (crs,τ Extract)←ZKSetup(pp,ek), and the common reference string crs and extractor trap door τ Extract This generates the extractor trapdoor, which is discarded and not used in the rest of the method.

[0179] Step 5 defines that the complete encryption key EK consists of a polynomial ring A, the encryption key ek, and the common reference string crs. The decryption key dk is simply s. The generated complete encryption key EK and secret s are returned in Step 6.

[0180] The lower part of Figure 9a shows the encryption process Enc.

[0181] The first step in the encryption process is the randomness of the message, which is a random 256-bit binary string. r The randomness of the message is concatenated with the encrypted message (msg) to generate an extended message (msg').

[0182] In step 2, the encryption key EK and the extended message msg' are used with the hash function H msg It is hashed using [this method].

[0183] In step 3, a transient randomness r, which is a polynomial from the polynomial ring A, is sampled. Two small error terms z1 and z2 are sampled using a Gaussian distribution.

[0184] In step 4, the encryption process calculates the first ciphertext component ct1 (where ct1 := Ar + z1).

[0185] In step 5, the second ciphertext component, ct2, is calculated, where ct2 := Encode(msg') + ek·r + z2. The encryption used here is Regev encryption, a form of Decisional LWE. The message recipient needs to determine whether the received value is calculated as Ar+z (i.e., as a polynomial close to the polynomial in the ring) in order to recover 1 bit or 0 bits. Thus, Encode(msg') encodes the extended message by generating a polynomial bit by bit for encoding the bits. Since Regev encryption is a well-known encoding scheme, the details of Encode are not provided here.

[0186] Step 6 provides a zero-knowledge proof that the ciphertext contains an LWE instance. The zero-knowledge proof ensures, under threshold settings, that no sensitive information is leaked from the decrypted transcript by an adversarial ciphertext. The zero-knowledge proof proves that ct1 is properly formed and that the signer can use ct1 to generate an encrypted plaintext 0 message. Step 6 provides ct1,aux)∈Rel MLWE A zero-code extractable zero-knowledge proof π ct This generates aux=(hmsg,ct2) and Rel MLWE The relationship is as described below. hmsg was defined in step 2. The function "Prove" is from the zero-knowledge proof system described above and is explained next. The zero-knowledge proof system has three functions: setup, proof, and verification. These functions are shown in Figure 10 and work as follows.

[0187] Setup (ZKSetup): The setup algorithm shown in Figure 10 takes system parameters along with the CPA public key (A, ek) as input. In step 1, it samples small values ​​s' and e'. In step 2, the shift encryption key ek' = ek + As' + e' is generated. Then, in step 3, it performs the relationship Rel with respect to the shift encryption key ek'. zeroctThe setup is performed. The ZKSetup, Prove, and ZKVfy functions are zero-knowledge proof functions. For example, these functions implement the "commit and prove" system described in "Lattice-based zero-knowledge proofs under a few dozen kilobytes" by NK Nguyen, 2022 (see, for example, Figure 6.3 in that paper). The common reference string crs is a set of public parameters used to generate zero-knowledge proofs and to verify those proofs.

[0188] In steps 4 and 5, the setup process uses the MLWE Common Reference String (CRS) MLWE =(A,ek,ek′,crs zeroct ) returns as extraction trapdoor τ Extract It returns (s',e'). As shown above, the extracted trapdoor is discarded.

[0189] Proof: The proof process involves the MLWE Common Reference String crs MLWE The CPA ciphertext ct1 generated during the encryption step, and the evidence (r,z1) are received as input.

[0190] In step 1, a small random value Z2 is sampled.

[0191] In step 2, the CPA ciphertext of message 0 is computed under the shifted public key 'ek'.

[0192] Step 3 is the proof of π. ct This is generated. This proof proves that the signer can sign the zero ciphertext ct2 generated in the previous step based on the first component ct1 of the encryption shown in Figure 9a. The "Prove" function generates crs zeroct (i.e., public parameters previously generated to run ZKP), take the first component, ct1 (which is the LWE sample), and prove π ctThis generates the following. Similar to the setup function, the Prove function implements the technique described in "Lattice-based zero-knowledge proofs under a few dozen kilobytes" by NK Nguyen 2022.

[0193] Step 4 is the proof of π. ct The CPA ciphertext ct2 for message 0 is output.

[0194] verification: The validation algorithm uses the MLWE Common Reference String crs MLWE , the first component ct1, the CPA ciphertext of message 0 ct2, and proof π ct It accepts as input. The validation algorithm is (ct1,ct2)π ct It returns true only if it verifies, and only if it does. In other words, (ct1, ct2) encrypts 0 under ek'.

[0195] The relationships that have been proven are as follows:

number

[0196] (ct1,aux)∈Rel MLWE In this case, decryption would not reveal any useful information about the secret key to the adversary.

[0197] Returning to the encryption function Enc at the bottom of Figure 9a, in step 7, (hmsg,ct1,ct2,π ct A complete ciphertext consisting of ) is returned.

[0198] The key generation algorithm KeyGen for threshold decryption is shown in Figure 9b. Some steps overlap with the key generation described above in relation to KeyGen shown in the encryption in Figure 9a. In practice, these steps do not overlap. Steps 1 and 2 are such overlapping steps, corresponding to the creation of the polynomial ring A and the sampling of the secret s described in steps 1 and 2 of KeyGen described on the encryption side. Steps 3 and 4 use the secret s to generate the Shamir secret share s from a polynomial of degree T-1. i This generates the polynomial. Here, the evaluation of the polynomial at zero reveals the secret s. The sharing of the secret corresponds to the evaluation of the polynomial P at non-zero positions.

[0199] In steps 5 and 6, pairwise shared seeds are generated using the same method described above in relation to the previous embodiment.

[0200] In step 7, a small noise e is sampled.

[0201] In step 8, the public key vk containing ring A and the LWE sample As+e is returned. The LWE sample is:

number

[0202] In step 9, the key generation algorithm returns a public key, which is made public. Each user has their own secret share. i And a corresponding set of seeds is provided.

[0203] Figure 9c shows the ShareDecrypt process, which is executed by each of a threshold T number of users to generate decryption shares for the decryption process. The lower part of Figure 9c shows the join method, which combines the decryption shares to decrypt the message.

[0204] In step 1 of the ShareDecrypt process, the zero-knowledge proof verification function is executed. This was previously mentioned in relation to Figure 10. As described above, this proves that the signer could have used the first ciphertext component ct1 to encrypt the second component containing the zero message.

[0205] In step 2, various parameters are used to share the decryption key (dk). j It is obtained from. For example, for decryption key sharing, a polynomial ring A, t (where t = As + e forms part of the previously generated public key vk), and a common reference string crs (crs MLWE (is), secret sharing s j , and also include the seed generated during the key generation process.

[0206] In step 3, a small noise e j ' is sampled.

[0207] Step 4 involves row blinder m j This includes the row seed described with reference to the embodiments described above, the ID of the party performing ShareDecrypt, the first ciphertext component ct1, the second ciphertext component ct2, and the proof π. ct It is generated by summing the outputs of the pseudo-random number function PRF, which takes the input as [the input].

[0208] In step 5, the column blur m j This includes the column seed described with reference to the embodiments above, the ID of the party performing ShareDecrypt, the first ciphertext component ct1, the second ciphertext component ct2, and proof π. ct It is generated by summing the outputs of the pseudo-random number function PRF, which takes the input as [the input].

[0209] Step 6 defines the Lagrangian coefficients from the Shamir secret-sharing scheme. As shown, the sum of the products of the secret-sharing and the Lagrangian coefficients allows for the recovery of the original secret. This relationship is explained above and is known in the art in relation to the Shamir secret-sharing scheme.

[0210] Step 7 involves masked decryption and sharing. j The following is generated. The masked decryption share is formed as the product of the Lagrangian coefficient, the secret share, and the first ciphertext component, with a small amount of noise added and a column blurr subtracted. The small amount of noise and the column blurr serve to mask the product of the Lagrangian coefficient, the secret share, and the first ciphertext component. The product of the Lagrangian coefficient, the secret share, and the first ciphertext component makes it possible for the combined process to decrypt the ciphertext.

[0211] In step 8, each of the threshold T users will have their masked contribution shared w j and row brinder m j It returns.

[0212] The lower part of Figure 9c shows the Combine process executed by the central actor to combine contributions from a threshold number T of users who performed the ShareDecrypt process.

[0213] In Step 1, the central actor verifies the zero-knowledge proof by performing the verification process described above in relation to Figure 10. As described above, this proves that the signer could have used the first ciphertext component ct1 to encrypt the second component containing the zero message.

[0214] Step 2 involves masked decryption and sharing w j and the product of the row blinder m j This is summed up over a threshold number of users. Please note the following:

number

[0215] Next is decoding. msg' :=Decode(Encode(msg')+z2-sz1+d) Since z2, s, z1, and d are selected from a sufficiently small distribution, the extended message msg' can be reconstructed. The extended message msg' is msg r It can be separated into =msg'[:256] (i.e., the first 256 bits) and msg=msg'[256:] (i.e., the second 256 bits). Here, msg is plain text, and msg r This is evidence of correct decryption. This Combine process is (msg, msg r The Combine process checks whether msg' is validated against hmsg contained in the ciphertext and whether the verification of the plaintext depends on an external algorithm that implements Regev decryption corresponding to the above encoding. As described above, this is done using deterministic LWE.

[0216] Sixth Embodiment - Variation of Threshold Decoding Scheme Next, a threshold decoding method similar to the method described in the fifth embodiment will be explained with reference to Figures 11a to 11d and Figure 12.

[0217] The following method utilizes a key encapsulation mechanism (KEM), such as CRYSTAL-KYBER. KEM consists of the following four functions:

[0218] Setup(1 k )→pp: The setup algorithm takes security parameter k as input and outputs public parameter pp. In Figures 11a to 11d, it is assumed that pp is provided, and the step of generating pp is not shown.

[0219] keyGen(pp)→(ek, dk): The key generation algorithm takes the public parameter pp as input and outputs a key pair (ek, dk).

[0220] Encap(ek)→(K,ct): The encapsulation algorithm takes the encapsulation key ek as input and outputs the shared key K and the ciphertext ct that encrypts the shared key K.

[0221] The Decap(dk,ct)→K algorithm takes the decapsulation key dk and the ciphertext ct as input and outputs the shared key K.

[0222] This method further utilizes IND-CPA Secure KEM, as proposed by Lindner and Peikert ('BetterKeySizes(andAttacks)forLWE-BasedEncryption'-TopicsinCryptology-CT-RSA2011), or Lyubashevsky, Peikert, and Regev ('A Toolkit for Ring-LWE Cryptography' - Advances in Cryptology - EUROCRYPT 2013). IND-CPA Secure KEM includes two algorithms: encoding and decoding. Encoding: {0,1} n →R q is K∈{0,1} n ⊂Rq

number

number

number

[0223] Figure 11a shows a set of setup and KeyGen procedures. These two procedures formed part of the single KeyGen procedure in Figure 9a.

[0224] The first step in the setup procedure is for the central actor or user to define a polynomial ring A. The polynomial ring is of the same type as described above. Other options are described further below.

[0225] In the second step, the common reference string crs is a binary string of length L. zc This is sampled. This method uses ring A and the common reference string crs zc It returns these as public parameters. The number of users and threshold number required for decryption are also defined at this stage.

[0226] The keyGen procedure begins in step 1, where the KeyGen algorithm from KEM is used to generate a public key b and a private key s. In step 2, the public key b is set as the complete encryption key EK. As previously mentioned, the public key b is the sum of the product of the private key s and the public matrix A, and the error e.

[0227] In steps 3 and 4, the secret key s is shared among all users in a manner that conforms to the threshold. To achieve (T,N) threshold decryption, the secret is partitioned using a Shamir secret share as an evaluation of a polynomial of degree T-1 over the set [N]. This involves sampling a polynomial of degree T-1 P which evaluates to s at P(0). The secret share is an evaluation of P at N distinct values ​​i.

[0228] Steps 6 and 7 involve seed i,jThis explains how to generate the random values. The random values ​​are generated as an N×N random value grid by repeatedly sampling random strings. The seed is generated from each random value in the grid and concatenated with the associated values ​​i and j on the row and column axes so that there is a pairwise seed for each of the N potential signers in the threshold signature scheme.

[0229] In step 9, a decryption key share is formed for each potential signer i, which includes the complete encryption key EK and a set of grid column and row seeds associated with the potential signer i.

[0230] Referring to Figure 11b, the encryption procedure for generating ciphertext is explained. This method is performed by the parties before threshold decryption, which will be described later. Encryption is not thresholded and can be performed by any party using a public key. Only the decryption key is shared as a secret. The encryption procedure encrypts the message (msg).

[0231] In Step 1, the public matrix A and public secret b generated in the setup procedure are obtained. In Step 2, the encoder selects a random key K, which is a binary string.

[0232] In step 3, the random key K is hashed with the fully encrypted key EK, and the message randomizer msg r And generate a DEM key.

[0233] In step 4, the encoder is hash hmsg=Hmsg(EK, msg r The `msg` (error message) is calculated. This is later used by the combiner algorithm to ensure that the combiner generates either an error or a correct message.

[0234] In step 5, the message msg is encrypted under DEMkey using the KEM encapsulation function, and a symmetric ciphertext DEMct is generated using a symmetric encryption scheme such as AES.

[0235] In steps 6 through 8, the encryptor encrypts the random key K under the encryption key EK. In step 6, small vectors r, z 0、 And z1 is sampled from the distribution. In step 8, the encoding function is from the IND-CPA Secure KEM described above, and the random key is encoded using the Decision LWE. Thus, in step 7, the first ciphertext value ct0 is calculated as the sum of the small vector z0 and the product of the public matrix A and the small vector r. The second ciphertext value ct1 is calculated in step 8 as the sum of the encoded random key K, the product of the public key b and the small vector r, and the small vector z1.

[0236] In steps 9 and 10, the encryptor proves the truth of (ct0, ct1) using an extractable proof of a zero-ciphertext. In general, there are two algorithms for non-interactive zero-knowledge (NIZK) proofs: ZKPr and ZKVfy.

[0237] ZKPr(crs,X,W)→π: The prover algorithm is a common random string crs∈{0,1} L It takes a statement and proof pair (X,W)∈R as input and outputs proof π.

[0238] ZKVfyH(crs,X,π)→b: The verifier algorithm takes crs, statement X, and proof π as input and outputs a bit b that is either 1 (accept) or 0 (reject).

[0239] More specifically, the method shown in Figure 11b includes a proof of statement X. X=(ct0,ct1,aux=(hmsg,DEMct)) The evidence W is (r, z0).

[0240] Steps 11 and 12 are used to ciphertext

number

[0241] Figure 12 shows ct in Figure 12. cca A coded message

number

[0242] Figure 11c shows the steps of the ShareDecrypt procedure performed by each of at least a threshold number T users to decrypt a message. By performing this method separately, the users aim to jointly compute w = s·ct0 + d, where d is a small secret error chosen to mask leaks from s·ct0.

[0243] Steps 1 and 2 of the ShareDecrypt procedure involve sharing the decryption key (dk) for each user. j The information inside is analyzed, and the ciphertext to be decoded is analyzed. In step 3, statement X is read.

[0244] In step 4, statement X is given by statement X, proof π, common reference string crs zc Based on this, the proof is verified using the function ZKVfy. If the proof cannot be verified, the method is aborted. Otherwise, if the proof is verified, the method proceeds to step 5. This step prevents man-in-the-middle attacks.

[0245] In step 5, the randomness d is shared d j However, user group identification information, decryption key sharing, dk j , and ciphertext

number

[0246] To calculate the s·ct0 component in step 9, the user will each have λ i ·s i Calculate ct0. Here, {λi} i ∈ act These are the Lagrange coefficients such that the following conditions apply:

number

number

number

[0247] Therefore, in step 9, each user is λ i ·s i ·ct0, Blinder m j , and the sharing of randomness d j The sum of the decryption and sharing w j The decrypted share w is calculated at the end of the ShareDecrypt procedure for use in the join procedure shown in Figure 11d. j It will be broadcast or otherwise made public.

[0248] The joining procedure shown in Figure 11d involves a central actor or other party that owns at least a threshold number T of decryption shares, and the ciphertext

number

number

[0249] In step 4, statement X is given by statement X, proof π, common reference string crs zc Based on this, the proof is verified using the function ZKVfy. If the proof cannot be verified, the method is aborted. Otherwise, if the proof is verified, the method proceeds to step 5. Similar to step 4 of the ShareDecrypt procedure, this step prevents man-in-the-middle attacks.

[0250] Step 5 is decryption sharing w j These are summed up to obtain the overall decryption share. In this step, the blinder m is used during the summing. j Note that this is canceled to zero. Therefore, the algorithm is s·ct 0+ Restore d.

[0251] In step 6, K is determined using the decoding algorithm from the IND-CPA Secure KEM applied to ct1-w. Since d, z0, and z1 are small, s·ct0 is approximately equal to b·r. Therefore, the decoding function is applied to a value similar to the value obtained using the encoding function for K (see step 8 in Figure 11b).

[0252] In step 7, the message randomizer and the symmetric ciphertext DEMct are obtained using the random key K and the complete encryption key EK obtained in step 6.

[0253] In step 8, the message msg is reconstructed using the KEM deencapsulation algorithm and the DEM key obtained in step 7.

[0254] Step 9 involves messages (msg) and message randomizers (msg) r The decrypted message (msg) is checked against the hash (hmsg) using the full encryption key EK. This assertion ensures that the msg is correct plaintext and that a malicious decryption share cannot alter the message.

[0255] Finally, in step 10, the merging procedure returns the decrypted message.

[0256] Further embodiments The above embodiment is a polynomial ring

number

number

number

[0257] In the embodiments described above, row and column liners are generated using a seed and a pseudo-random function (PRF). In further embodiments, partial blinders can be generated directly. For example, N blinders may be generated in relation to each secret share, and the blinders can be distributed to each other secret shares as steps in each session, as described above. Therefore, the use of a seed and generator function (such as a PRF) is not mandatory.

[0258] In relation to the sixth embodiment, a single blinder was obtained as the difference between the column blinder and the row blinder. The resulting blinder has a sum of zero, as described in that embodiment. The same technique can be applied to other embodiments to eliminate the need to send the other of the row blinder and column blinder for use in a join or aggregate procedure. For example, in Figure 6b, in step 8 of ShareSign3, the individual response z j However, column blinder m j It may be generated by replacing with the difference between rows and columns. Next, in step 4 of the join procedure, the aggregated response z is generated by summing the individual responses, and there is no need to subtract the row blurr. The same principle may be applied to step 13 of ShareSign3 and step 4 of Combine shown in Figure 7d. Furthermore, the same principle may be applied to step 14 of TS.Sign and step 5 of TS.Agg shown in Figure 8c.

[0259] Since the row and column blinders are generated as grids of random values, the difference between the row and column blinders may be used as the blinder value, or the difference between the column and row blinders may be used as the blinder value.

[0260] The setup steps in the above method, such as key generation, can be performed in fewer steps than the signing or decryption steps. Therefore, according to the embodiments described above, once the public parameters are generated and the seed is generated and distributed, multiple messages can be signed or multiple messages can be encrypted and threshold-decrypted.

[0261] Any feature described in relation to any one embodiment may be used alone or in combination with other features described, or in combination with one or more features of any other embodiment, or any combination of any other embodiment. Furthermore, the above equivalents and modifications may be adopted without departing from the scope of the invention as defined in the appended claims.

Claims

1. A method performed by one or more information processing devices to compute a linear function including the product of a secret s and a linear function component, using a threshold number T of secret shares among the number of secret shares N generated from a secret s, wherein the number of secret shares N is greater than the threshold number T, and the method is To generate the public matrix A and the secret s, A small noise e and a public key ek are used to generate a public key ek that includes the sum of the small noise e and the product of the public matrix A and the secret s, From the aforementioned secrets, N shared secrets s i To generate, For each of the aforementioned threshold number T secret sharing, To generate a blinder, and Calculating a first component based on the product of the shared secret and the linear function component, and generating a masked shared of the calculation of the linear function by adding the first component, noise and the blurr, or subtracting the noise and the blurr from the first component, During the aggregation phase, The summation of the masked share combinations associated with each secret share, wherein the blinder cancels out over the sum of the masked shares to enable the determination of the linear function, The method, including the method described above.

2. The method according to claim 1, wherein the linear function is at least a part of one of a signature function and a cryptanalysis function.

3. Generating the aforementioned blinder is done for each of the T secret shares used to compute the linear function, A first set of T partial blinders, the first set of partial blinders being formed from a first set of T partial blinders generated with respect to the secret share itself, and T-1 partial blinders, the sum of which T-1 partial blinders are generated with respect to each of the T-1 other secret shares, to generate one of a first blinder and a second blinder. The other of the first and second blinders is to generate a sum of partial blinders in a second set of partial blinders, wherein the second set is formed of T partial blinders for the secret share, including the partial blinder formed with respect to the secret share. The method according to claim 1 or 2, comprising generating the first and second blinders.

4. The method according to claim 3, wherein each subblender is generated using a generator function.

5. The generator function receives a seed as input, and the method applies to each of the N secret shares. 1) Generate N seeds, each of which includes a seed for the aforementioned secret sharing and a seed for each of the other N-1 secret sharings. 2) Distributing the N-1 seeds for the other secret shares to each of the other secret shares such that each other secret share receives a single seed, Includes, Following the completion of the two steps for all of the N secret shares, each secret share is associated with 2N-1 seeds, which include the N seeds generated for that secret share and the N-1 seeds received during the distribution and generated for that secret share. The method according to claim 4.

6. The method according to any one of claims 1 to 5, wherein the N secret shares are secret shares generated from secret s using the Shamir secret sharing algorithm based on a polynomial of degree T-1 at most.

7. A threshold signature method performed by one or more information processing devices to generate a signature using a threshold number T of secret shares among the number of secret shares N generated from secret s, wherein the number of secret shares N is greater than the threshold number T, and the method is To generate the public matrix A and the secret s, To generate a public key vk = (A, t) which includes a small noise e and a public key vk = (A, t), and which includes a part t of the public key that includes the sum of the small noise e and the product of the public matrix A and the secret s, From the aforementioned secrets, N shared secrets s i To generate, For each of the aforementioned threshold number T secret sharing, T individual commitments w i The goal is to generate one or more error-laden training samples. j Including the generation of the above, The aforementioned T individual commitments w i To aggregate and generate aggregated commitment w, At a minimum, generate a challenge c which is a hash of the message to be signed (msg) and the aggregate commitment (w). The aforementioned challenge c and the aforementioned secret sharing s j and one or more transient randomness r used to generate the one or more error-bearing training samples j Based on this, T individual responses z j To generate, During the aggregation phase, By summing up the error learning sample w over the T secret sharings j generate the aggregated commitment w The individual response z j By summing these, an aggregated response z is generated. At least the global challenge c is generated by hashing the signed message msg and the aggregate commitment w. The hint is to generate h, The noisy commitment y is determined by subtracting the product of the global challenge c and a part t of the public key from the product of the aggregated response z and the public matrix A, and Subtracting the noisy commitment y from the aggregate commitment w generates the hint h. To generate the aforementioned hint h, and Outputting a signature including the global challenge c, the aggregated response z, and the hint h, The method, including the method described above.

8. At least the generated error-filled training sample lol j Commitment cmt containing the hash j To generate, In the first round of the signing method, the commitment cmt i To make available the error-bearing training sample w in the second round of the signing method j To make it available, and It further includes, In the third round of the signing method, for each of the T secret shares, the steps of generating the aggregate commitment, generating the challenge, and generating the individual response are performed, and each individual response z j This will be made available in the third round. The method according to claim 7.

9. T individual commitments w i To generate the vector of error-bearing training samples for each of the T shared elements, [Math 1] This includes generating, and in the signing stage, The generation of the aggregated commitment w involves generating random weights β, summing the components of each vector of the error-bearing training sample with the random weights, and reducing the individual commitment w j To generate, and then the reduced individual commitment w over the T secret sharing j This includes summing them up to generate the aggregated commitment w, The method according to claim 7.

10. For each of the T secret shares, the method further includes generating a first blinder and a second blinder associated with each secret share. The aforementioned challenge c and the aforementioned secret sharing s j and one or more transient randomness r used to generate the one or more error-bearing training samples j Based on the above, the individual response z j Generating the first blurr includes adding the first blurr, The individual response z j The method according to any one of claims 7 to 9, wherein generating an aggregated response z by summing the following includes adding the second blurr associated with each secret share from the corresponding individual responses and canceling the first blurr.

11. Generating the first and second blinders is done for each of the T secret shares used to compute the linear function, A first set of T partial blinders, the first set of partial blinders being formed from a first set of T partial blinders generated with respect to the secret share itself, and T-1 partial blinders, the sum of which T-1 partial blinders are generated with respect to each of the T-1 other secret shares, to generate one of a first blinder and a second blinder. The other of the first and second blinders is to generate a sum of partial blinders in a second set of partial blinders, wherein the second set is formed of T partial blinders for the secret share, including the partial blinder formed with respect to the secret share. The method according to claim 10, including the method described in claim 10.

12. The method according to claim 11, wherein each subblender is generated using a generator function.

13. The generator function receives a seed as input, and the method applies to each of the N secret shares. 1) Generate N seeds, each of which includes a seed for the aforementioned secret sharing and a seed for each of the other N-1 secret sharings. 2) Distributing the N-1 seeds for the other secret shares to each of the other secret shares such that each other secret share receives a single seed, Includes, Following the completion of the two steps for all of the N secret shares, each secret share is associated with 2N-1 seeds, which include the N seeds generated for that secret share and the N-1 seeds received during the distribution and generated for that secret share. The method according to claim 12.

14. The method according to claim 12 or 13, wherein generating a blurr based on a seed includes generating the blurr based on the output of a pseudo-random function, the input being the seed in combination with a session-specific value.

15. The method according to any one of claims 7 to 14, wherein generating the aggregated commitment w includes subtracting a predetermined number of bits from the sum.

16. The method according to any one of claims 7 to 15, wherein the N secret shares are secret shares generated from secret s using the Shamir secret sharing algorithm based on a polynomial of degree T-1 at most.

17. Generating individual responses for each secret share is the challenge c, the secret share s j The Lagrangian coefficient λ from the Shamir secret sharing algorithm associated with the aforementioned Shamir secret sharing algorithm. j , and the secret sharing s j The product of the two, and then the one or more transient random numbers r used to generate the one or more error-bearing training samples. j The method according to claim 16, comprising combining the aforementioned products of the two.

18. Further including verifying the aforementioned signature, verifying the aforementioned signature means The process involves generating a signature derivation value by subtracting the product of the global challenge c from the signature and the part t of the public key from the product of the public matrix A and the aggregated response z from the signature, A new challenge value c' is generated by hashing the public key vk, the message msg, and the signature derived value with a hint h from the signature. The new challenge value c' is compared with the global challenge c to determine whether the signature is valid. The method according to any one of claims 7 to 17, including the method described in any one of claims 7 to 17.

19. The method according to claim 18, further comprising comparing the length of the aggregated response z and the hint h from the signature with one or more thresholds.

20. The method of claim 19, wherein the signature is determined to be valid if the new challenge value c' is equal to the global challenge c from the signature, and the lengths of the aggregated response and the hint are less than one or more thresholds.

21. The aforementioned one or more error-filled training samples lol j Generating each of these involves the aforementioned temporary randomness r j and minor error e j Sampling the small error e j The public matrix A and the temporary randomness r j By adding it to the product, the aforementioned error-equipped learning sample w j The method according to any one of claims 7 to 20, comprising generating a ...

22. Commitment cmt j To generate the aforementioned error-bearing training sample w j The method according to claim 8, comprising generating a hash of, a message msg, and one or more of the signer identifier act.

23. The following steps constitute distributed multi-party computing, i.e., To generate the public matrix A and the secret s, To generate a small noise e and a public key vk = (A, t) for which t is the sum of the small noise e and the product of the public matrix A and the secret s, From the aforementioned secret s i Therefore, to generate N shared secrets, The method according to any one of claims 7 to 22, as performed by...

24. One or more information processing devices, each including a processor and a storage medium for storing computer-readable instructions, wherein the computer-readable instructions are configured to cause the one or more information processing devices to perform the method described in any one of claims 1 to 23.

25. One or more programs, wherein, when executed by one or more information processing devices, the one or more programs cause the one or more information processing devices to perform the method described in any one of claims 1 to 24.