In recent years, threshold cryptography has gradually been applied in blockchain systems. It divides into threshold encryption and threshold signatures, and is commonly seen in random oracles, censorship resistance, reduction of communication complexity (HotStuff), the common coin for the BA (Byzantine agreement) step of a consensus network, and distributed pseudo-random number generation (coin tossing). As an important primitive, its cooperative anti-theft property for assets has drawn more and more attention from emerging digital asset custody mechanisms. Today we mainly discuss threshold signature mechanisms in public key cryptography (PKC). An ideal threshold signature system achieves unforgeability in an asynchronous network environment, has highly reliable and secure message channels, generates and verifies signature shares completely non-interactively, and, in the initial key stage, has an asynchronous distributed key generation (DKG) mechanism that withstands Byzantine behavior.

Similar to the basic signature mechanism, threshold signature schemes are divided into two parts:

Threshold KeyGen: a distributed key generation protocol (DKG) is run on the security parameters. The protocol outputs a common public key PK and a private key share sk_i for each participant. The real private key SK can be reconstructed by aggregating a threshold number of private key shares.

Threshold Sig: over the distributed communication network, each participant uses its private key share sk_i to complete the cooperative signing of message M, and the output is a final verifiable signature sig(SK, M) that is identical to one produced with the private key SK itself. The signature can therefore be verified locally by the verification function of the underlying signature scheme, with no communication or interactive verification.

In most cases, however, the private key shares are generated and distributed by a trusted central node (the dealer). Shamir secret sharing is the simplest threshold key generation method and depends on such a central dealer. Its basic principle is Lagrange interpolation. In a (t, n) threshold construction the dealer selects a random polynomial f of degree t-1 with f(0) = s, where s is the secret value to be shared, and then distributes the points s_i = f(i) on the polynomial curve to each node as its secret share; put simply, three points determine a quadratic curve. To address the problem of a misbehaving center, people went on to explore verifiable secret sharing (VSS, PVSS) based on commitments, and VSS adapted to asynchronous networks (Cobalt BFT also tries AVSS combined with a PoW admission mechanism in a blockchain system). Many excellent and mature commitment schemes can be used as reference. In short, a commitment algorithm is [C(m), D(m)] = com(PK, m, r), where PK is the public key of the commitment mechanism, m is the original value to be committed, r is a random number, the output C is the commitment, and D is the opening value to be kept secret. Before m is formally disclosed, its commitment C is published first; in other words, a binding guarantee is made in advance for the information to be published, so that m cannot be replaced, and the audience or recipients can verify its uniqueness through the previously announced commitment and the verification algorithm. Here we focus on a non-interactive VSS implementation.

In addition, in past research the generation and verification of SIG were mostly interactive, relying on a synchronous communication network and a broadcast channel: nodes start the signing protocol at the same time after receiving specific messages under certain settings, and strictly follow a timeout mechanism. In the Internet environment and in blockchain networks such network assumptions hold only to a limited extent, so to operate a threshold system successfully we need not only a real DKG protocol and a non-interactive signing mechanism, but also a commercial-grade network system and a proven, mature code implementation. Here we (Bytom) try to propose and build a distributed threshold signature system under a weakly synchronous network assumption. We mainly combine and apply the network model, the DKG construction and the signing mechanism to explore a minimum practical prototype of a threshold signature system in a real network environment.

A threshold system is a kind of (t, k, n) fault tolerance system, where t is the maximum number of faults the network tolerates, k is the minimum threshold, and n is the number of nodes. Generally k >= t + 1 is set, but this setting is powerless against network partitions, so in an asynchronous Byzantine network we still choose the classic setting k = n - t and t < n / 3 in order to reach majority consensus in the system.

The threshold network, or communication model, is a key point in realizing a practical threshold system. A fully asynchronous communication network like the one built by HoneyBadgerBFT is rare in real cases, and it generally increases message complexity and the number of communication rounds. The asynchronous network model mainly relies on the type and number of messages received to make decisions, because time-based judgement cannot distinguish a slow node from a malicious one. Here we prefer the more efficient weak synchrony assumption: message delay and clock offset have an upper bound (acceptable in practice) that is unknown, and eventual delivery is assumed, which guarantees liveness (safety can be handled by compromise). Crashes, network failures and Byzantine behavior should be handled separately as far as possible, for example by setting a threshold on the number of crashes tolerated within a specified time, and by letting honest nodes recover from a specified state after a crash; we also assume that network faults can always be repaired and that any DoS attack eventually stops. Finally, for the communication channels, TLS links can be built with PKI and an external CA, helped by the classic RBC (reliable broadcast) protocol.

DKG is the core and the first stage of threshold signing, responsible for generating and distributing the threshold key, and VSS is an important part of DKG. The basic principle of VSS, as mentioned above, is the commitment mechanism. Generally, based on the Pedersen commitment, we construct commitments of the form C = mG + nH (here we omit some definitions and assumptions about the elliptic curve group operations, which can simply be understood as elliptic curve arithmetic). m comes from a coefficient of the key polynomial f(x), and n from a coefficient of a random polynomial h(x) constructed by the dealer; the commitment set {C_i, 0 < i < t} is a publicly available coefficient "evidence" used to prove that the dealer recognizes only one legitimate key polynomial. After receiving the key share f(i) and secret share h(i) distributed by the dealer, each participant computes f(i)G + h(i)H; if it equals the corresponding commitment value (a polynomial evaluation over the commitments), the share is considered legal. If it is inconsistent, the dealer is considered to have misbehaved and the participant submits a complaint to the network. Others can verify the complaint; if it is found to be justified, the protocol stops immediately, and if others find after verification that the complaint is illegitimate, the node that raised it is marked as untrusted. The VSS process is simple and consists of three parts: central initialization and key distribution, commitment construction, and key reconstruction. Two rounds of synchronous all-to-all interaction across the whole network are needed to reach agreement and finally deliver the key share and commitments to every participating node. Here we define three message types to mark the multi-round message sequence and to carry enough information to compute the threshold key.
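The dealer-based Shamir sharing described earlier and the Pedersen commitment check just described, as an added worked example (not Bytom's code). It assumes toy Schnorr-group parameters (a prime-order subgroup mod p instead of an elliptic curve, so the page's C = mG + nH becomes G^m * H^n mod p) and a (t, n) = (3, 5) setting; the values are constructed for illustration and are far too small to be secure.

```python
import secrets

# Toy Schnorr-group parameters, constructed for illustration only (not secure):
# p = 2q + 1 with p and q prime; G and H generate the order-q subgroup of Z_p^*.
# The article's elliptic-curve commitment C = mG + nH is written here
# multiplicatively as C = G^m * H^n mod p, with log_G(H) assumed unknown.
P, Q = 1019, 509
G, H = 4, 9

def rand_poly(secret, t):
    """Degree t-1 polynomial over Z_q with constant term `secret`."""
    return [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]

def evaluate(coeffs, x):
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q

def dealer_share(secret, t, n):
    """Dealer step: key polynomial f, blinding polynomial h, public commitments
    C_j = G^f_j * H^h_j to every coefficient pair, and the private share pair
    (f(i), h(i)) sent to each node i = 1..n."""
    f, h = rand_poly(secret, t), rand_poly(secrets.randbelow(Q), t)
    commits = [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(f, h)]
    shares = {i: (evaluate(f, i), evaluate(h, i)) for i in range(1, n + 1)}
    return commits, shares

def verify_share(i, share, commits):
    """Node i checks G^f(i) * H^h(i) == prod_j C_j^(i^j). A mismatch means the
    dealer sent an inconsistent share and node i should broadcast a complaint."""
    fi, hi = share
    lhs = pow(G, fi, P) * pow(H, hi, P) % P
    rhs = 1
    for j, c in enumerate(commits):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P
    return lhs == rhs

def lagrange_at_zero(xs):
    """Coefficients lambda_i with f(0) = sum_i lambda_i * f(x_i) over Z_q."""
    lam = {}
    for i in xs:
        num = den = 1
        for j in xs:
            if j != i:
                num, den = num * -j % Q, den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam

def reconstruct(shares):
    """Any t verified key shares f(i) interpolate back to the secret f(0)."""
    lam = lagrange_at_zero(list(shares))
    return sum(lam[i] * shares[i][0] for i in shares) % Q
```

Running `dealer_share(123, 3, 5)` and then `verify_share` on every node's pair should succeed, any three of the five key shares reconstruct 123, and a tampered share fails the commitment check, which is the condition under which a node files a complaint.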

A real DKG must remove the center from VSS, generate the secret through distributed collaboration, and avoid the risk of a single point of leakage. Its principle is also very simple: it is equivalent to n nodes each choosing its own secret value and running its own VSS. Each node collects the secret shares sent by the other nodes and assembles them; the assembled result is its share of the real private key, while the aggregate of the secret values distributed by all legal nodes is the final private key, and commitment verification runs throughout. It resembles a multi-valued validated Byzantine agreement (MVBA) protocol (a widely studied consensus algorithm that efficiently reaches agreement on multiple proposals, with many variants such as the asynchronous common subset).

However, we try to avoid this kind of complex implementation. Instead, a leader node is selected to handle the completion and final agreement of these VSS instances in a unified way and to define their order. When a majority of nodes (n - t) have completed their respective VSS stages and been confirmed by all other honest nodes, the leader collects and recombines the information of these completed VSS instances. After two rounds of broadcasting, each node determines its own final secret share. Guaranteeing liveness is therefore very important for our system: if any party in the DKG protocol acts maliciously the protocol stops immediately, that is, DKG requires honest behavior from all participants. At this point a public threshold public key and the threshold private key shares belonging to the different participants have been constructed.

In the signing stage, each participant uses the key share obtained above to produce its own signature share, and then the shares are assembled into the final threshold signature. The concrete implementation of the threshold signing phase depends heavily on the underlying digital signature algorithm. For example, the secret value k that the Schnorr algorithm relies on when computing the signature value s appears as a linear term, s = k - z·H(k||m), so the secret value shares can simply be combined. In ECDSA the secret value k is nonlinear, i.e. s = (H(m) + z·r) / k (where r is also obtained by an exponentiation), and there is a multiplication of two secret values (k and z), so owning a share of k is not enough for each node to assemble the final signature: the formula must be transformed to redefine a combined secret value kz, and the computation and distribution of shares of kz may even require secure multi-party computation (computing kz and outputting a share of it to each participant without leaking the parties' k and z shares), homomorphic encryption and range proofs. Because of this, multi-party threshold ECDSA is more complex to implement and less efficient, and at present mostly practical 2-of-2 schemes are studied.

Whether ECDSA or Schnorr is used, the core problem is still to generate and distribute the secret values needed by the signature algorithm, based on the principles of DKG and multi-party computation. Each participant completes its own signing step from its own key share and secret value share, and the final legal signature is obtained through interactive assembly. Likewise, if the number of legal signers does not reach the threshold, the signing protocol stops immediately. Depending on the requirements of different application scenarios, we need to carefully study the underlying signature algorithms used to implement the threshold mechanism, such as ECDSA, EdDSA, Schnorr and BLS; the complexity and efficiency of the threshold implementation differ from one signature algorithm to another.
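The dealer-free DKG described above, followed by threshold Schnorr signing, as an added example (not Bytom's code) of why Schnorr's linear s lets partial signatures simply be interpolated. It assumes the same toy prime-order group as before, the page's sign convention s = k - e·z with e = H(R||m) and R = G^k, and that the per-message nonce k is itself produced by a DKG round; the VSS commitment checks are omitted, and the parameters are constructed for illustration only.

```python
import hashlib, secrets

# Toy Schnorr group, constructed for illustration only (not secure): p = 2q + 1,
# G generates the order-q subgroup of Z_p^*. Schnorr here is R = G^k,
# e = H(R || m), s = k - e*z, checked by G^s * Y^e == R with public key Y = G^z.
P, Q, G = 1019, 509, 4

def deal(secret, t, n):
    """One node's Shamir dealing: f(0) = secret, returns (G^secret, {i: f(i)})."""
    poly = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: sum(c * pow(i, j, Q) for j, c in enumerate(poly)) % Q
              for i in range(1, n + 1)}
    return pow(G, secret, P), shares

def dkg(t, n):
    """Every node deals its own random secret; node i sums the shares it received,
    and the public value is the product of all nodes' G^secret terms."""
    dealings = [deal(secrets.randbelow(Q), t, n) for _ in range(n)]
    pub = 1
    for c0, _ in dealings:
        pub = pub * c0 % P
    return pub, {i: sum(sh[i] for _, sh in dealings) % Q for i in range(1, n + 1)}

def lagrange(xs, i):
    # Lagrange coefficient of point i for interpolation at x = 0 over Z_q.
    num = den = 1
    for j in xs:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def challenge(R, msg):
    return int.from_bytes(hashlib.sha256(str(R).encode() + msg).digest(), "big") % Q

def sign_share(z_i, k_i, e):
    """Signer i's partial signature: linear in its key share and nonce share."""
    return (k_i - e * z_i) % Q

def combine(partials):
    """Any t partials interpolate to s = k - e*z without revealing k or z."""
    xs = list(partials)
    return sum(lagrange(xs, i) * partials[i] for i in xs) % Q

def verify(Y, R, s, msg):
    # Ordinary Schnorr verification; it knows nothing about the threshold setup.
    return pow(G, s, P) * pow(Y, challenge(R, msg), P) % P == R

def threshold_sign(msg, t, n):
    """(t, n) threshold Schnorr: key and nonce both come from a DKG round and are
    never reconstructed; only the partial signatures of t nodes are combined."""
    Y, z = dkg(t, n)
    R, k = dkg(t, n)
    e = challenge(R, msg)
    return Y, R, combine({i: sign_share(z[i], k[i], e) for i in range(1, t + 1)})
```

The same linear combination cannot be applied to ECDSA, where s divides by k, which is exactly the gap the page's kz reformulation and MPC machinery fill.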

In addition, a complete threshold system may need membership changes, which require a new round of key share generation. The most intuitive approach is to introduce the concept of an epoch: initiate a new round of key generation through the synchronous network and the consensus protocol, generate a new master key and new private key shares, and use a timeout mechanism to prevent blocking. Membership change and DKG form a delicate (or fragile) system; any member failure or fault triggers this situation. In the implementation we build the threshold (DKG) node on the principle of state machine replication, changing its state in response to message input (for example node removal, leader change, group update).

Threshold cryptography keeps maturing as research into application scenarios grows, as highly reliable code implementations accumulate, and as system architectures for complex network environments mature. It is expected to play a significant role in value networks and to drive further practical application of zero-knowledge proofs and homomorphic encryption; it is one of the few new blockchain technology areas that merit both in-depth research and practical work. Modern cryptography and value networks complement each other: the former gives the latter “God's protection”, and the latter gives the former a “great battlefield”.

Liu Qiushan, Biyuan Chain Research Institute